2 Unix SMB/CIFS implementation.
4 Deal with unix elements in the security token
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Andrew Bartlett 2011
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "auth/auth.h"
25 #include "libcli/wbclient/wbclient.h"
26 #include "param/param.h"
29 form a security_unix_token from the current security_token
/*
 * Build a security_unix_token (uid, gid and the supplementary group
 * list) from the SIDs of a security_token by asking winbind to map
 * every SID to a unix id.  The new token is allocated on mem_ctx and
 * returned through *sec.
 *
 * Contract as visible here: token->sids[0] must map to a UID (or to
 * ID_TYPE_BOTH), token->sids[1] to a GID (or BOTH), and every further
 * SID to a GID (or BOTH).  A SID that winbind returns with any other
 * type makes the whole conversion fail with NT_STATUS_INVALID_SID
 * instead of being skipped, so the unix token never silently carries
 * fewer groups than the NT token did.
 *
 * Returns NT_STATUS_ACCESS_DENIED when the token holds fewer than two
 * SIDs, NT_STATUS_NO_MEMORY on allocation failure, the winbind status
 * when the mapping request itself fails, NT_STATUS_INVALID_SID as
 * described above, and presumably NT_STATUS_OK on success (the final
 * return is not part of this listing).
 *
 * NOTE(review): this listing omits several lines of the original
 * (local declarations, the assignment of (*sec)->ngroups and the
 * increments of the group index g).  The comments below describe only
 * what is visible.
 */
31 NTSTATUS
security_token_to_unix_token(TALLOC_CTX
*mem_ctx
,
32 struct wbc_context
*wbc_ctx
,
33 struct security_token
*token
,
34 struct security_unix_token
**sec
)
39 struct composite_context
*ctx
;
41 /* we can't do unix security without a user and group */
42 if (token
->num_sids
< 2) {
43 return NT_STATUS_ACCESS_DENIED
;
/* talloc_zero: uid, gid, ngroups and groups all start out as zero/NULL */
46 *sec
= talloc_zero(mem_ctx
, struct security_unix_token
);
48 return NT_STATUS_NO_MEMORY
;
/* One id_map per SID, in token order; winbind fills in xid for each. */
51 ids
= talloc_zero_array(mem_ctx
, struct id_map
, token
->num_sids
);
52 NT_STATUS_HAVE_NO_MEMORY(ids
);
54 for (s
=0; s
< token
->num_sids
; s
++) {
55 ids
[s
].sid
= &token
->sids
[s
];
56 ids
[s
].status
= ID_UNKNOWN
;
/* The async send/recv pair is used back to back here, i.e. synchronously. */
59 ctx
= wbc_sids_to_xids_send(wbc_ctx
, ids
, token
->num_sids
, ids
);
60 NT_STATUS_HAVE_NO_MEMORY(ctx
);
62 status
= wbc_sids_to_xids_recv(ctx
, &ids
);
63 NT_STATUS_NOT_OK_RETURN(status
);
/*
 * NOTE(review): the body of this branch is not in this listing.
 * Presumably it adjusts the group count, since a first SID of type
 * ID_TYPE_BOTH is also stored in groups[] below while a plain UID is not.
 */
66 if (ids
[0].xid
.type
!= ID_TYPE_BOTH
) {
/* Group array sized by (*sec)->ngroups; the assignment of ngroups is not visible here. */
70 (*sec
)->groups
= talloc_array(*sec
, gid_t
, (*sec
)->ngroups
);
71 NT_STATUS_HAVE_NO_MEMORY((*sec
)->groups
);
/*
 * First SID: the user.  ID_TYPE_BOTH means the id is usable as a group
 * too, so it is recorded in groups[] as well as in uid.
 * NOTE(review): g is presumably advanced after each groups[g] store;
 * those increment lines are not in this listing.
 */
74 if (ids
[0].xid
.type
== ID_TYPE_BOTH
) {
75 (*sec
)->uid
= ids
[0].xid
.id
;
76 (*sec
)->groups
[g
] = ids
[0].xid
.id
;
78 } else if (ids
[0].xid
.type
== ID_TYPE_UID
) {
79 (*sec
)->uid
= ids
[0].xid
.id
;
/*
 * Any other type (GID-only or unmapped) is a hard failure: log the SID
 * and the whole token at level 0 and refuse the conversion.
 * NOTE(review): unlike the loop branch further down, no
 * talloc_free(sid_str) is visible in this branch or the next one;
 * sid_str is allocated on mem_ctx, so it lives until mem_ctx is freed
 * rather than being leaked outright.
 */
81 char *sid_str
= dom_sid_string(mem_ctx
, ids
[0].sid
);
82 DEBUG(0, ("Unable to convert first SID (%s) in user token to a UID. Conversion was returned as type %d, full token:\n",
83 sid_str
, (int)ids
[0].xid
.type
));
84 security_token_debug(0, 0, token
);
86 return NT_STATUS_INVALID_SID
;
/* Second SID: the primary group.  It is both gid and a groups[] entry. */
89 if (ids
[1].xid
.type
== ID_TYPE_BOTH
||
90 ids
[1].xid
.type
== ID_TYPE_GID
) {
91 (*sec
)->gid
= ids
[1].xid
.id
;
92 (*sec
)->groups
[g
] = ids
[1].xid
.id
;
95 char *sid_str
= dom_sid_string(mem_ctx
, ids
[1].sid
);
96 DEBUG(0, ("Unable to convert second SID (%s) in user token to a GID. Conversion was returned as type %d, full token:\n",
97 sid_str
, (int)ids
[1].xid
.type
));
98 security_token_debug(0, 0, token
);
100 return NT_STATUS_INVALID_SID
;
/*
 * Remaining SIDs: supplementary groups, kept in token order.  A SID
 * that does not resolve to a group aborts the conversion rather than
 * being dropped, so access decisions made from the unix token cannot
 * quietly lose a membership the NT token carried.
 */
103 for (s
=2; s
< token
->num_sids
; s
++) {
104 if (ids
[s
].xid
.type
== ID_TYPE_BOTH
||
105 ids
[s
].xid
.type
== ID_TYPE_GID
) {
106 (*sec
)->groups
[g
] = ids
[s
].xid
.id
;
109 char *sid_str
= dom_sid_string(mem_ctx
, ids
[s
].sid
);
110 DEBUG(0, ("Unable to convert SID (%s) at index %u in user token to a GID. Conversion was returned as type %d, full token:\n",
111 sid_str
, (unsigned int)s
, (int)ids
[s
].xid
.type
));
112 security_token_debug(0, 0, token
);
113 talloc_free(sid_str
);
114 return NT_STATUS_INVALID_SID
;
/* Success path: dump the converted token at debug level 5 only. */
118 DEBUG(5, ("Successfully converted security token to a unix token:"));
119 security_token_debug(0, 5, token
);
126 Fill in the auth_user_info_unix and auth_unix_token elements in a struct session_info
128 NTSTATUS
auth_session_info_fill_unix(struct wbc_context
*wbc_ctx
,
129 struct loadparm_context
*lp_ctx
,
130 const char *original_user_name
,
131 struct auth_session_info
*session_info
)
135 NTSTATUS status
= security_token_to_unix_token(session_info
, wbc_ctx
,
136 session_info
->security_token
,
137 &session_info
->unix_token
);
138 if (!NT_STATUS_IS_OK(status
)) {
142 session_info
->unix_info
= talloc_zero(session_info
, struct auth_user_info_unix
);
143 NT_STATUS_HAVE_NO_MEMORY(session_info
->unix_info
);
145 session_info
->unix_info
->system
= security_token_is_system(session_info
->security_token
);
147 session_info
->unix_info
->unix_name
= talloc_asprintf(session_info
->unix_info
,
148 "%s%s%s", session_info
->info
->domain_name
,
149 lpcfg_winbind_separator(lp_ctx
),
150 session_info
->info
->account_name
);
151 NT_STATUS_HAVE_NO_MEMORY(session_info
->unix_info
->unix_name
);
153 len
= strlen(original_user_name
) + 1;
154 session_info
->unix_info
->sanitized_username
= su
= talloc_array(session_info
->unix_info
, char, len
);
155 NT_STATUS_HAVE_NO_MEMORY(su
);
157 alpha_strcpy(su
, original_user_name
,