2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2000,
5 * Copyright (C) Jean François Micouleau 1998-2001.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 static TDB_CONTEXT
*tdb
; /* used for driver files */
26 #define DATABASE_VERSION_V1 1 /* native byte format. */
27 #define DATABASE_VERSION_V2 2 /* le format. */
29 #define GROUP_PREFIX "UNIXGROUP/"
32 {SE_PRIV_NONE
, "no_privs", "No privilege" }, /* this one MUST be first */
33 {SE_PRIV_ADD_MACHINES
, "SeMachineAccountPrivilege", "Add workstations to the domain" },
34 {SE_PRIV_SEC_PRIV
, "SeSecurityPrivilege", "Manage the audit logs" },
35 {SE_PRIV_TAKE_OWNER
, "SeTakeOwnershipPrivilege", "Take ownership of file" },
36 {SE_PRIV_ADD_USERS
, "SaAddUsers", "Add users to the domain - Samba" },
37 {SE_PRIV_PRINT_OPERATOR
, "SaPrintOp", "Add or remove printers - Samba" },
38 {SE_PRIV_ALL
, "SaAllPrivs", "all privileges" }
42 { 2, "SeCreateTokenPrivilege" },
43 { 3, "SeAssignPrimaryTokenPrivilege" },
44 { 4, "SeLockMemoryPrivilege" },
45 { 5, "SeIncreaseQuotaPrivilege" },
46 { 6, "SeMachineAccountPrivilege" },
47 { 7, "SeTcbPrivilege" },
48 { 8, "SeSecurityPrivilege" },
49 { 9, "SeTakeOwnershipPrivilege" },
50 { 10, "SeLoadDriverPrivilege" },
51 { 11, "SeSystemProfilePrivilege" },
52 { 12, "SeSystemtimePrivilege" },
53 { 13, "SeProfileSingleProcessPrivilege" },
54 { 14, "SeIncreaseBasePriorityPrivilege" },
55 { 15, "SeCreatePagefilePrivilege" },
56 { 16, "SeCreatePermanentPrivilege" },
57 { 17, "SeBackupPrivilege" },
58 { 18, "SeRestorePrivilege" },
59 { 19, "SeShutdownPrivilege" },
60 { 20, "SeDebugPrivilege" },
61 { 21, "SeAuditPrivilege" },
62 { 22, "SeSystemEnvironmentPrivilege" },
63 { 23, "SeChangeNotifyPrivilege" },
64 { 24, "SeRemoteShutdownPrivilege" },
65 { 25, "SeUndockPrivilege" },
66 { 26, "SeSyncAgentPrivilege" },
67 { 27, "SeEnableDelegationPrivilege" },
72 * Those are not really privileges like the other ones.
73 * They are handled in a special case and called
77 * SeUnsolicitedInputPrivilege
80 * SeInteractiveLogonRight
81 * SeDenyInteractiveLogonRight
82 * SeDenyNetworkLogonRight
83 * SeDenyBatchLogonRight
84 * SeDenyBatchLogonRight
88 /****************************************************************************
89 check if the user has the required privilege.
90 ****************************************************************************/
91 static BOOL
se_priv_access_check(NT_USER_TOKEN
*token
, uint32 privilege
)
93 /* no token, no privilege */
97 if ((token
->privilege
& privilege
)==privilege
)
104 /****************************************************************************
105 dump the mapping group mapping to a text file
106 ****************************************************************************/
107 char *decode_sid_name_use(fstring group
, enum SID_NAME_USE name_use
)
109 static fstring group_type
;
113 fstrcpy(group_type
,"User");
115 case SID_NAME_DOM_GRP
:
116 fstrcpy(group_type
,"Domain group");
118 case SID_NAME_DOMAIN
:
119 fstrcpy(group_type
,"Domain");
122 fstrcpy(group_type
,"Local group");
124 case SID_NAME_WKN_GRP
:
125 fstrcpy(group_type
,"Builtin group");
127 case SID_NAME_DELETED
:
128 fstrcpy(group_type
,"Deleted");
130 case SID_NAME_INVALID
:
131 fstrcpy(group_type
,"Invalid");
133 case SID_NAME_UNKNOWN
:
135 fstrcpy(group_type
,"Unknown type");
139 fstrcpy(group
, group_type
);
143 /****************************************************************************
144 initialise first time the mapping list - called from init_group_mapping()
145 ****************************************************************************/
146 static BOOL
default_group_mapping(void)
156 PRIVILEGE_SET privilege_none
;
157 PRIVILEGE_SET privilege_all
;
158 PRIVILEGE_SET privilege_print_op
;
160 init_privilege(&privilege_none
);
161 init_privilege(&privilege_all
);
162 init_privilege(&privilege_print_op
);
166 set
.luid
.low
=SE_PRIV_PRINT_OPERATOR
;
167 add_privilege(&privilege_print_op
, set
);
169 add_all_privilege(&privilege_all
);
171 /* Add the Wellknown groups */
173 add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP
, "Administrators", "", privilege_all
, PR_ACCESS_FROM_NETWORK
|PR_LOG_ON_LOCALLY
);
174 add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP
, "Users", "", privilege_none
, PR_ACCESS_FROM_NETWORK
|PR_LOG_ON_LOCALLY
);
175 add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP
, "Guests", "", privilege_none
, PR_ACCESS_FROM_NETWORK
);
176 add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP
, "Power Users", "", privilege_none
, PR_ACCESS_FROM_NETWORK
|PR_LOG_ON_LOCALLY
);
178 add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP
, "Account Operators", "", privilege_none
, PR_ACCESS_FROM_NETWORK
|PR_LOG_ON_LOCALLY
);
179 add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP
, "System Operators", "", privilege_none
, PR_ACCESS_FROM_NETWORK
|PR_LOG_ON_LOCALLY
);
180 add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP
, "Print Operators", "", privilege_print_op
, PR_ACCESS_FROM_NETWORK
|PR_LOG_ON_LOCALLY
);
181 add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP
, "Backup Operators", "", privilege_none
, PR_ACCESS_FROM_NETWORK
|PR_LOG_ON_LOCALLY
);
183 add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP
, "Replicators", "", privilege_none
, PR_ACCESS_FROM_NETWORK
);
185 /* Add the defaults domain groups */
187 sid_copy(&sid_admins
, get_global_sam_sid());
188 sid_append_rid(&sid_admins
, DOMAIN_GROUP_RID_ADMINS
);
189 sid_to_string(str_admins
, &sid_admins
);
190 add_initial_entry(-1, str_admins
, SID_NAME_DOM_GRP
, "Domain Admins", "", privilege_all
, PR_ACCESS_FROM_NETWORK
|PR_LOG_ON_LOCALLY
);
192 sid_copy(&sid_users
, get_global_sam_sid());
193 sid_append_rid(&sid_users
, DOMAIN_GROUP_RID_USERS
);
194 sid_to_string(str_users
, &sid_users
);
195 add_initial_entry(-1, str_users
, SID_NAME_DOM_GRP
, "Domain Users", "", privilege_none
, PR_ACCESS_FROM_NETWORK
|PR_LOG_ON_LOCALLY
);
197 sid_copy(&sid_guests
, get_global_sam_sid());
198 sid_append_rid(&sid_guests
, DOMAIN_GROUP_RID_GUESTS
);
199 sid_to_string(str_guests
, &sid_guests
);
200 add_initial_entry(-1, str_guests
, SID_NAME_DOM_GRP
, "Domain Guests", "", privilege_none
, PR_ACCESS_FROM_NETWORK
);
205 /****************************************************************************
206 Open the group mapping tdb.
207 ****************************************************************************/
209 static BOOL
init_group_mapping(void)
211 static pid_t local_pid
;
212 const char *vstring
= "INFO/version";
215 if (tdb
&& local_pid
== sys_getpid())
217 tdb
= tdb_open_log(lock_path("group_mapping.tdb"), 0, TDB_DEFAULT
, O_RDWR
|O_CREAT
, 0600);
219 DEBUG(0,("Failed to open group mapping database\n"));
223 local_pid
= sys_getpid();
225 /* handle a Samba upgrade */
226 tdb_lock_bystring(tdb
, vstring
, 0);
228 /* Cope with byte-reversed older versions of the db. */
229 vers_id
= tdb_fetch_int32(tdb
, vstring
);
230 if ((vers_id
== DATABASE_VERSION_V1
) || (IREV(vers_id
) == DATABASE_VERSION_V1
)) {
231 /* Written on a bigendian machine with old fetch_int code. Save as le. */
232 tdb_store_int32(tdb
, vstring
, DATABASE_VERSION_V2
);
233 vers_id
= DATABASE_VERSION_V2
;
236 if (vers_id
!= DATABASE_VERSION_V2
) {
237 tdb_traverse(tdb
, tdb_traverse_delete_fn
, NULL
);
238 tdb_store_int32(tdb
, vstring
, DATABASE_VERSION_V2
);
241 tdb_unlock_bystring(tdb
, vstring
);
243 /* write a list of default groups */
244 if(!default_group_mapping())
250 /****************************************************************************
251 ****************************************************************************/
252 static BOOL
add_mapping_entry(GROUP_MAP
*map
, int flag
)
256 fstring string_sid
="";
261 if(!init_group_mapping()) {
262 DEBUG(0,("failed to initialize group mapping"));
266 sid_to_string(string_sid
, &map
->sid
);
268 len
= tdb_pack(buf
, sizeof(buf
), "ddffd",
269 map
->gid
, map
->sid_name_use
, map
->nt_name
, map
->comment
, map
->systemaccount
);
271 /* write the privilege list in the TDB database */
274 len
+= tdb_pack(buf
+len
, sizeof(buf
)-len
, "d", set
->count
);
275 for (i
=0; i
<set
->count
; i
++)
276 len
+= tdb_pack(buf
+len
, sizeof(buf
)-len
, "ddd",
277 set
->set
[i
].luid
.low
, set
->set
[i
].luid
.high
, set
->set
[i
].attr
);
279 if (len
> sizeof(buf
))
282 slprintf(key
, sizeof(key
), "%s%s", GROUP_PREFIX
, string_sid
);
284 kbuf
.dsize
= strlen(key
)+1;
288 if (tdb_store(tdb
, kbuf
, dbuf
, flag
) != 0) return False
;
293 /****************************************************************************
294 initialise first time the mapping list
295 ****************************************************************************/
296 BOOL
add_initial_entry(gid_t gid
, const char *sid
, enum SID_NAME_USE sid_name_use
,
297 const char *nt_name
, const char *comment
, PRIVILEGE_SET priv_set
, uint32 systemaccount
)
301 if(!init_group_mapping()) {
302 DEBUG(0,("failed to initialize group mapping"));
307 if (!string_to_sid(&map
.sid
, sid
)) {
308 DEBUG(0, ("string_to_sid failed: %s", sid
));
312 map
.sid_name_use
=sid_name_use
;
313 fstrcpy(map
.nt_name
, nt_name
);
314 fstrcpy(map
.comment
, comment
);
315 map
.systemaccount
=systemaccount
;
317 map
.priv_set
.count
=priv_set
.count
;
318 map
.priv_set
.set
=priv_set
.set
;
320 pdb_add_group_mapping_entry(&map
);
325 /****************************************************************************
326 initialise a privilege list
327 ****************************************************************************/
328 void init_privilege(PRIVILEGE_SET
*priv_set
)
335 /****************************************************************************
336 free a privilege list
337 ****************************************************************************/
338 BOOL
free_privilege(PRIVILEGE_SET
*priv_set
)
340 if (priv_set
->count
==0) {
341 DEBUG(100,("free_privilege: count=0, nothing to clear ?\n"));
345 if (priv_set
->set
==NULL
) {
346 DEBUG(0,("free_privilege: list ptr is NULL, very strange !\n"));
350 safe_free(priv_set
->set
);
358 /****************************************************************************
359 add a privilege to a privilege array
360 ****************************************************************************/
361 BOOL
add_privilege(PRIVILEGE_SET
*priv_set
, LUID_ATTR set
)
365 /* check if the privilege is not already in the list */
366 if (check_priv_in_privilege(priv_set
, set
))
369 /* we can allocate memory to add the new privilege */
371 new_set
=(LUID_ATTR
*)Realloc(priv_set
->set
, (priv_set
->count
+1)*(sizeof(LUID_ATTR
)));
373 DEBUG(0,("add_privilege: could not Realloc memory to add a new privilege\n"));
377 new_set
[priv_set
->count
].luid
.high
=set
.luid
.high
;
378 new_set
[priv_set
->count
].luid
.low
=set
.luid
.low
;
379 new_set
[priv_set
->count
].attr
=set
.attr
;
382 priv_set
->set
=new_set
;
387 /****************************************************************************
388 add all the privileges to a privilege array
389 ****************************************************************************/
390 BOOL
add_all_privilege(PRIVILEGE_SET
*priv_set
)
397 set
.luid
.low
=SE_PRIV_ADD_USERS
;
398 add_privilege(priv_set
, set
);
400 set
.luid
.low
=SE_PRIV_ADD_MACHINES
;
401 add_privilege(priv_set
, set
);
403 set
.luid
.low
=SE_PRIV_PRINT_OPERATOR
;
404 add_privilege(priv_set
, set
);
409 /****************************************************************************
410 check if the privilege list is empty
411 ****************************************************************************/
412 BOOL
check_empty_privilege(PRIVILEGE_SET
*priv_set
)
414 return (priv_set
->count
== 0);
417 /****************************************************************************
418 check if the privilege is in the privilege list
419 ****************************************************************************/
420 BOOL
check_priv_in_privilege(PRIVILEGE_SET
*priv_set
, LUID_ATTR set
)
424 /* if the list is empty, obviously we can't have it */
425 if (check_empty_privilege(priv_set
))
428 for (i
=0; i
<priv_set
->count
; i
++) {
431 cur_set
=&priv_set
->set
[i
];
432 /* check only the low and high part. Checking the attr field has no meaning */
433 if( (cur_set
->luid
.low
==set
.luid
.low
) && (cur_set
->luid
.high
==set
.luid
.high
) )
440 /****************************************************************************
441 remove a privilege from a privilege array
442 ****************************************************************************/
443 BOOL
remove_privilege(PRIVILEGE_SET
*priv_set
, LUID_ATTR set
)
449 /* check if the privilege is in the list */
450 if (!check_priv_in_privilege(priv_set
, set
))
453 /* special case if it's the only privilege in the list */
454 if (priv_set
->count
==1) {
455 free_privilege(priv_set
);
456 init_privilege(priv_set
);
462 * the privilege is there, create a new list,
463 * and copy the other privileges
466 old_set
=priv_set
->set
;
468 new_set
=(LUID_ATTR
*)malloc((priv_set
->count
-1)*(sizeof(LUID_ATTR
)));
470 DEBUG(0,("remove_privilege: could not malloc memory for new privilege list\n"));
474 for (i
=0, j
=0; i
<priv_set
->count
; i
++) {
475 if ((old_set
[i
].luid
.low
==set
.luid
.low
) &&
476 (old_set
[i
].luid
.high
==set
.luid
.high
)) {
480 new_set
[j
].luid
.low
=old_set
[i
].luid
.low
;
481 new_set
[j
].luid
.high
=old_set
[i
].luid
.high
;
482 new_set
[j
].attr
=old_set
[i
].attr
;
487 if (j
!=priv_set
->count
-1) {
488 DEBUG(0,("remove_privilege: mismatch ! difference is not -1\n"));
489 DEBUGADD(0,("old count:%d, new count:%d\n", priv_set
->count
, j
));
494 /* ok everything is fine */
497 priv_set
->set
=new_set
;
504 /****************************************************************************
505 Return the sid and the type of the unix group.
506 ****************************************************************************/
508 static BOOL
get_group_map_from_sid(DOM_SID sid
, GROUP_MAP
*map
, BOOL with_priv
)
517 if(!init_group_mapping()) {
518 DEBUG(0,("failed to initialize group mapping"));
522 /* the key is the SID, retrieving is direct */
524 sid_to_string(string_sid
, &sid
);
525 slprintf(key
, sizeof(key
), "%s%s", GROUP_PREFIX
, string_sid
);
528 kbuf
.dsize
= strlen(key
)+1;
530 dbuf
= tdb_fetch(tdb
, kbuf
);
534 ret
= tdb_unpack(dbuf
.dptr
, dbuf
.dsize
, "ddffd",
535 &map
->gid
, &map
->sid_name_use
, &map
->nt_name
, &map
->comment
, &map
->systemaccount
);
539 ret
+= tdb_unpack(dbuf
.dptr
+ret
, dbuf
.dsize
-ret
, "d", &set
->count
);
541 DEBUG(10,("get_group_map_from_sid: %d privileges\n", map
->priv_set
.count
));
545 set
->set
=(LUID_ATTR
*)smb_xmalloc(set
->count
*sizeof(LUID_ATTR
));
548 for (i
=0; i
<set
->count
; i
++)
549 ret
+= tdb_unpack(dbuf
.dptr
+ret
, dbuf
.dsize
-ret
, "ddd",
550 &(set
->set
[i
].luid
.low
), &(set
->set
[i
].luid
.high
), &(set
->set
[i
].attr
));
552 SAFE_FREE(dbuf
.dptr
);
553 if (ret
!= dbuf
.dsize
) {
554 DEBUG(0,("get_group_map_from_sid: group mapping TDB corrupted ?\n"));
559 /* we don't want the privileges */
560 if (with_priv
==MAPPING_WITHOUT_PRIV
)
563 sid_copy(&map
->sid
, &sid
);
568 /****************************************************************************
569 Return the sid and the type of the unix group.
570 ****************************************************************************/
572 static BOOL
get_group_map_from_gid(gid_t gid
, GROUP_MAP
*map
, BOOL with_priv
)
574 TDB_DATA kbuf
, dbuf
, newkey
;
580 if(!init_group_mapping()) {
581 DEBUG(0,("failed to initialize group mapping"));
585 /* we need to enumerate the TDB to find the GID */
587 for (kbuf
= tdb_firstkey(tdb
);
589 newkey
= tdb_nextkey(tdb
, kbuf
), safe_free(kbuf
.dptr
), kbuf
=newkey
) {
591 if (strncmp(kbuf
.dptr
, GROUP_PREFIX
, strlen(GROUP_PREFIX
)) != 0) continue;
593 dbuf
= tdb_fetch(tdb
, kbuf
);
597 fstrcpy(string_sid
, kbuf
.dptr
+strlen(GROUP_PREFIX
));
599 string_to_sid(&map
->sid
, string_sid
);
601 ret
= tdb_unpack(dbuf
.dptr
, dbuf
.dsize
, "ddffd",
602 &map
->gid
, &map
->sid_name_use
, &map
->nt_name
, &map
->comment
, &map
->systemaccount
);
605 ret
+= tdb_unpack(dbuf
.dptr
+ret
, dbuf
.dsize
-ret
, "d", &set
->count
);
608 set
->set
=(LUID_ATTR
*)smb_xmalloc(set
->count
*sizeof(LUID_ATTR
));
611 for (i
=0; i
<set
->count
; i
++)
612 ret
+= tdb_unpack(dbuf
.dptr
+ret
, dbuf
.dsize
-ret
, "ddd",
613 &(set
->set
[i
].luid
.low
), &(set
->set
[i
].luid
.high
), &(set
->set
[i
].attr
));
615 SAFE_FREE(dbuf
.dptr
);
616 if (ret
!= dbuf
.dsize
){
623 free_privilege(&map
->priv_set
);
633 /****************************************************************************
634 Return the sid and the type of the unix group.
635 ****************************************************************************/
637 static BOOL
get_group_map_from_ntname(char *name
, GROUP_MAP
*map
, BOOL with_priv
)
639 TDB_DATA kbuf
, dbuf
, newkey
;
645 if(!init_group_mapping()) {
646 DEBUG(0,("get_group_map_from_ntname:failed to initialize group mapping"));
650 /* we need to enumerate the TDB to find the name */
652 for (kbuf
= tdb_firstkey(tdb
);
654 newkey
= tdb_nextkey(tdb
, kbuf
), safe_free(kbuf
.dptr
), kbuf
=newkey
) {
656 if (strncmp(kbuf
.dptr
, GROUP_PREFIX
, strlen(GROUP_PREFIX
)) != 0) continue;
658 dbuf
= tdb_fetch(tdb
, kbuf
);
662 fstrcpy(string_sid
, kbuf
.dptr
+strlen(GROUP_PREFIX
));
664 string_to_sid(&map
->sid
, string_sid
);
666 ret
= tdb_unpack(dbuf
.dptr
, dbuf
.dsize
, "ddffd",
667 &map
->gid
, &map
->sid_name_use
, &map
->nt_name
, &map
->comment
, &map
->systemaccount
);
670 ret
+= tdb_unpack(dbuf
.dptr
+ret
, dbuf
.dsize
-ret
, "d", &set
->count
);
672 set
->set
=(LUID_ATTR
*)malloc(set
->count
*sizeof(LUID_ATTR
));
673 if (set
->set
==NULL
) {
674 DEBUG(0,("get_group_map_from_ntname: could not allocate memory for privileges\n"));
678 for (i
=0; i
<set
->count
; i
++)
679 ret
+= tdb_unpack(dbuf
.dptr
+ret
, dbuf
.dsize
-ret
, "ddd",
680 &(set
->set
[i
].luid
.low
), &(set
->set
[i
].luid
.high
), &(set
->set
[i
].attr
));
682 SAFE_FREE(dbuf
.dptr
);
683 if (ret
!= dbuf
.dsize
) {
688 if (StrCaseCmp(name
, map
->nt_name
)==0) {
690 free_privilege(&map
->priv_set
);
700 /****************************************************************************
701 Remove a group mapping entry.
702 ****************************************************************************/
704 static BOOL
group_map_remove(DOM_SID sid
)
710 if(!init_group_mapping()) {
711 DEBUG(0,("failed to initialize group mapping"));
715 /* the key is the SID, retrieving is direct */
717 sid_to_string(string_sid
, &sid
);
718 slprintf(key
, sizeof(key
), "%s%s", GROUP_PREFIX
, string_sid
);
721 kbuf
.dsize
= strlen(key
)+1;
723 dbuf
= tdb_fetch(tdb
, kbuf
);
727 SAFE_FREE(dbuf
.dptr
);
729 if(tdb_delete(tdb
, kbuf
) != TDB_SUCCESS
)
735 /****************************************************************************
736 Enumerate the group mapping.
737 ****************************************************************************/
739 static BOOL
enum_group_mapping(enum SID_NAME_USE sid_name_use
, GROUP_MAP
**rmap
,
740 int *num_entries
, BOOL unix_only
, BOOL with_priv
)
742 TDB_DATA kbuf
, dbuf
, newkey
;
752 if(!init_group_mapping()) {
753 DEBUG(0,("failed to initialize group mapping"));
760 for (kbuf
= tdb_firstkey(tdb
);
762 newkey
= tdb_nextkey(tdb
, kbuf
), safe_free(kbuf
.dptr
), kbuf
=newkey
) {
764 if (strncmp(kbuf
.dptr
, GROUP_PREFIX
, strlen(GROUP_PREFIX
)) != 0)
767 dbuf
= tdb_fetch(tdb
, kbuf
);
771 fstrcpy(string_sid
, kbuf
.dptr
+strlen(GROUP_PREFIX
));
773 ret
= tdb_unpack(dbuf
.dptr
, dbuf
.dsize
, "ddffd",
774 &map
.gid
, &map
.sid_name_use
, &map
.nt_name
, &map
.comment
, &map
.systemaccount
);
779 ret
+= tdb_unpack(dbuf
.dptr
+ret
, dbuf
.dsize
-ret
, "d", &set
->count
);
782 set
->set
=(LUID_ATTR
*)malloc(set
->count
*sizeof(LUID_ATTR
));
783 if (set
->set
==NULL
) {
784 DEBUG(0,("enum_group_mapping: could not allocate memory for privileges\n"));
789 for (i
=0; i
<set
->count
; i
++)
790 ret
+= tdb_unpack(dbuf
.dptr
+ret
, dbuf
.dsize
-ret
, "ddd",
791 &(set
->set
[i
].luid
.low
), &(set
->set
[i
].luid
.high
), &(set
->set
[i
].attr
));
793 SAFE_FREE(dbuf
.dptr
);
794 if (ret
!= dbuf
.dsize
) {
795 DEBUG(11,("enum_group_mapping: error in memory size\n"));
800 /* list only the type or everything if UNKNOWN */
801 if (sid_name_use
!=SID_NAME_UNKNOWN
&& sid_name_use
!=map
.sid_name_use
) {
802 DEBUG(11,("enum_group_mapping: group %s is not of the requested type\n", map
.nt_name
));
807 if (unix_only
==ENUM_ONLY_MAPPED
&& map
.gid
==-1) {
808 DEBUG(11,("enum_group_mapping: group %s is non mapped\n", map
.nt_name
));
813 string_to_sid(&map
.sid
, string_sid
);
815 decode_sid_name_use(group_type
, map
.sid_name_use
);
816 DEBUG(11,("enum_group_mapping: returning group %s of type %s\n", map
.nt_name
,group_type
));
818 mapt
=(GROUP_MAP
*)Realloc((*rmap
), (entries
+1)*sizeof(GROUP_MAP
));
820 DEBUG(0,("enum_group_mapping: Unable to enlarge group map!\n"));
828 mapt
[entries
].gid
= map
.gid
;
829 sid_copy( &mapt
[entries
].sid
, &map
.sid
);
830 mapt
[entries
].sid_name_use
= map
.sid_name_use
;
831 fstrcpy(mapt
[entries
].nt_name
, map
.nt_name
);
832 fstrcpy(mapt
[entries
].comment
, map
.comment
);
833 mapt
[entries
].systemaccount
=map
.systemaccount
;
834 mapt
[entries
].priv_set
.count
=set
->count
;
835 mapt
[entries
].priv_set
.control
=set
->control
;
836 mapt
[entries
].priv_set
.set
=set
->set
;
838 free_privilege(&(mapt
[entries
].priv_set
));
844 *num_entries
=entries
;
850 /****************************************************************************
851 convert a privilege string to a privilege array
852 ****************************************************************************/
853 void convert_priv_from_text(PRIVILEGE_SET
*se_priv
, char *privilege
)
856 const char *p
= privilege
;
860 /* By default no privilege */
861 init_privilege(se_priv
);
866 while(next_token(&p
, tok
, " ", sizeof(tok
)) ) {
867 for (i
=0; i
<=PRIV_ALL_INDEX
; i
++) {
868 if (StrCaseCmp(privs
[i
].priv
, tok
)==0) {
871 set
.luid
.low
=privs
[i
].se_priv
;
872 add_privilege(se_priv
, set
);
878 /****************************************************************************
879 convert a privilege array to a privilege string
880 ****************************************************************************/
881 void convert_priv_to_text(PRIVILEGE_SET
*se_priv
, char *privilege
)
888 ZERO_STRUCTP(privilege
);
890 if (check_empty_privilege(se_priv
)) {
891 fstrcat(privilege
, "No privilege");
895 for(i
=0; i
<se_priv
->count
; i
++) {
897 while (privs
[j
].se_priv
!=se_priv
->set
[i
].luid
.low
&& j
<=PRIV_ALL_INDEX
) {
901 fstrcat(privilege
, privs
[j
].priv
);
902 fstrcat(privilege
, " ");
909 * High level functions
910 * better to use them than the lower ones.
912 * we are checking if the group is in the mapping file
913 * and if the group is an existing unix group
917 /* get a domain group from it's SID */
919 BOOL
get_domain_group_from_sid(DOM_SID sid
, GROUP_MAP
*map
, BOOL with_priv
)
923 if(!init_group_mapping()) {
924 DEBUG(0,("failed to initialize group mapping"));
928 DEBUG(10, ("get_domain_group_from_sid\n"));
930 /* if the group is NOT in the database, it CAN NOT be a domain group */
931 if(!pdb_getgrsid(map
, sid
, with_priv
))
934 DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n"));
936 /* if it's not a domain group, continue */
937 if (map
->sid_name_use
!=SID_NAME_DOM_GRP
) {
939 free_privilege(&map
->priv_set
);
943 DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n"));
947 free_privilege(&map
->priv_set
);
951 DEBUG(10, ("get_domain_group_from_sid: SID is mapped to gid:%d\n",map
->gid
));
953 if ( (grp
=getgrgid(map
->gid
)) == NULL
) {
954 DEBUG(10, ("get_domain_group_from_sid: gid DOESN'T exist in UNIX security\n"));
956 free_privilege(&map
->priv_set
);
960 DEBUG(10, ("get_domain_group_from_sid: gid exists in UNIX security\n"));
966 /* get a local (alias) group from it's SID */
968 BOOL
get_local_group_from_sid(DOM_SID sid
, GROUP_MAP
*map
, BOOL with_priv
)
972 if(!init_group_mapping()) {
973 DEBUG(0,("failed to initialize group mapping"));
977 /* The group is in the mapping table */
978 if(pdb_getgrsid(map
, sid
, with_priv
)) {
979 if (map
->sid_name_use
!=SID_NAME_ALIAS
) {
981 free_privilege(&map
->priv_set
);
987 free_privilege(&map
->priv_set
);
991 if ( (grp
=getgrgid(map
->gid
)) == NULL
) {
993 free_privilege(&map
->priv_set
);
997 /* the group isn't in the mapping table.
998 * make one based on the unix information */
1001 sid_peek_rid(&sid
, &alias_rid
);
1002 map
->gid
=pdb_group_rid_to_gid(alias_rid
);
1004 if ((grp
=getgrgid(map
->gid
)) == NULL
)
1007 map
->sid_name_use
=SID_NAME_ALIAS
;
1008 map
->systemaccount
=PR_ACCESS_FROM_NETWORK
;
1010 fstrcpy(map
->nt_name
, grp
->gr_name
);
1011 fstrcpy(map
->comment
, "Local Unix Group");
1013 init_privilege(&map
->priv_set
);
1015 sid_copy(&map
->sid
, &sid
);
1021 /* get a builtin group from it's SID */
1023 BOOL
get_builtin_group_from_sid(DOM_SID sid
, GROUP_MAP
*map
, BOOL with_priv
)
1027 if(!init_group_mapping()) {
1028 DEBUG(0,("failed to initialize group mapping"));
1032 if(!pdb_getgrsid(map
, sid
, with_priv
))
1035 if (map
->sid_name_use
!=SID_NAME_WKN_GRP
) {
1037 free_privilege(&map
->priv_set
);
1043 free_privilege(&map
->priv_set
);
1047 if ( (grp
=getgrgid(map
->gid
)) == NULL
) {
1049 free_privilege(&map
->priv_set
);
1058 /****************************************************************************
1059 Returns a GROUP_MAP struct based on the gid.
1060 ****************************************************************************/
1061 BOOL
get_group_from_gid(gid_t gid
, GROUP_MAP
*map
, BOOL with_priv
)
1065 if(!init_group_mapping()) {
1066 DEBUG(0,("failed to initialize group mapping"));
1070 if ( (grp
=getgrgid(gid
)) == NULL
)
1074 * make a group map from scratch if doesn't exist.
1076 if (!pdb_getgrgid(map
, gid
, with_priv
)) {
1078 map
->sid_name_use
=SID_NAME_ALIAS
;
1079 map
->systemaccount
=PR_ACCESS_FROM_NETWORK
;
1080 init_privilege(&map
->priv_set
);
1082 /* interim solution until we have a last RID allocated */
1084 sid_copy(&map
->sid
, get_global_sam_sid());
1085 sid_append_rid(&map
->sid
, pdb_gid_to_group_rid(gid
));
1087 fstrcpy(map
->nt_name
, grp
->gr_name
);
1088 fstrcpy(map
->comment
, "Local Unix Group");
1097 /****************************************************************************
1098 Get the member users of a group and
1099 all the users who have that group as primary.
1101 give back an array of uid
1102 return the grand number of users
1105 TODO: sort the list and remove duplicate. JFM.
1107 ****************************************************************************/
1109 BOOL
get_uid_list_of_group(gid_t gid
, uid_t
**uid
, int *num_uids
)
1117 if(!init_group_mapping()) {
1118 DEBUG(0,("failed to initialize group mapping"));
1125 if ( (grp
=getgrgid(gid
)) == NULL
)
1128 gr
= grp
->gr_mem
[0];
1129 DEBUG(10, ("getting members\n"));
1131 while (gr
&& (*gr
!= (char)'\0')) {
1132 u
= Realloc((*uid
), sizeof(uid_t
)*(*num_uids
+1));
1134 DEBUG(0,("get_uid_list_of_group: unable to enlarge uid list!\n"));
1139 if( (pwd
=getpwnam_alloc(gr
)) !=NULL
) {
1140 (*uid
)[*num_uids
]=pwd
->pw_uid
;
1144 gr
= grp
->gr_mem
[++i
];
1146 DEBUG(10, ("got [%d] members\n", *num_uids
));
1149 while ((pwd
=getpwent()) != NULL
) {
1150 if (pwd
->pw_gid
==gid
) {
1151 u
= Realloc((*uid
), sizeof(uid_t
)*(*num_uids
+1));
1153 DEBUG(0,("get_uid_list_of_group: unable to enlarge uid list!\n"));
1157 (*uid
)[*num_uids
]=pwd
->pw_uid
;
1163 DEBUG(10, ("got primary groups, members: [%d]\n", *num_uids
));
1168 /****************************************************************************
1169 Create a UNIX group on demand.
1170 ****************************************************************************/
1172 int smb_create_group(char *unix_group
, gid_t
*new_gid
)
1178 pstrcpy(add_script
, lp_addgroup_script());
1179 if (! *add_script
) return -1;
1180 pstring_sub(add_script
, "%g", unix_group
);
1181 ret
= smbrun(add_script
, (new_gid
!=NULL
) ? &fd
: NULL
);
1182 DEBUG(3,("smb_create_group: Running the command `%s' gave %d\n",add_script
,ret
));
1190 if (read(fd
, output
, sizeof(output
)) > 0) {
1191 *new_gid
= (gid_t
)strtoul(output
, NULL
, 10);
1195 if (*new_gid
== 0) {
1196 /* The output was garbage. We assume nobody
1197 will create group 0 via smbd. Now we try to
1198 get the group via getgrnam. */
1200 struct group
*grp
= getgrnam(unix_group
);
1202 *new_gid
= grp
->gr_gid
;
1211 /****************************************************************************
1212 Delete a UNIX group on demand.
1213 ****************************************************************************/
1215 int smb_delete_group(char *unix_group
)
1220 pstrcpy(del_script
, lp_delgroup_script());
1221 if (! *del_script
) return -1;
1222 pstring_sub(del_script
, "%g", unix_group
);
1223 ret
= smbrun(del_script
,NULL
);
1224 DEBUG(3,("smb_delete_group: Running the command `%s' gave %d\n",del_script
,ret
));
1228 /****************************************************************************
1229 Set a user's primary UNIX group.
1230 ****************************************************************************/
1231 int smb_set_primary_group(const char *unix_group
, const char* unix_user
)
1236 pstrcpy(add_script
, lp_setprimarygroup_script());
1237 if (! *add_script
) return -1;
1238 all_string_sub(add_script
, "%g", unix_group
, sizeof(add_script
));
1239 all_string_sub(add_script
, "%u", unix_user
, sizeof(add_script
));
1240 ret
= smbrun(add_script
,NULL
);
1241 DEBUG(3,("smb_set_primary_group: "
1242 "Running the command `%s' gave %d\n",add_script
,ret
));
1246 /****************************************************************************
1247 Add a user to a UNIX group.
1248 ****************************************************************************/
1250 int smb_add_user_group(char *unix_group
, char *unix_user
)
1255 pstrcpy(add_script
, lp_addusertogroup_script());
1256 if (! *add_script
) return -1;
1257 pstring_sub(add_script
, "%g", unix_group
);
1258 pstring_sub(add_script
, "%u", unix_user
);
1259 ret
= smbrun(add_script
,NULL
);
1260 DEBUG(3,("smb_add_user_group: Running the command `%s' gave %d\n",add_script
,ret
));
1264 /****************************************************************************
1265 Delete a user from a UNIX group
1266 ****************************************************************************/
1268 int smb_delete_user_group(const char *unix_group
, const char *unix_user
)
1273 pstrcpy(del_script
, lp_deluserfromgroup_script());
1274 if (! *del_script
) return -1;
1275 pstring_sub(del_script
, "%g", unix_group
);
1276 pstring_sub(del_script
, "%u", unix_user
);
1277 ret
= smbrun(del_script
,NULL
);
1278 DEBUG(3,("smb_delete_user_group: Running the command `%s' gave %d\n",del_script
,ret
));
1283 NTSTATUS
pdb_default_getgrsid(struct pdb_methods
*methods
, GROUP_MAP
*map
,
1284 DOM_SID sid
, BOOL with_priv
)
1286 return get_group_map_from_sid(sid
, map
, with_priv
) ?
1287 NT_STATUS_OK
: NT_STATUS_UNSUCCESSFUL
;
1290 NTSTATUS
pdb_default_getgrgid(struct pdb_methods
*methods
, GROUP_MAP
*map
,
1291 gid_t gid
, BOOL with_priv
)
1293 return get_group_map_from_gid(gid
, map
, with_priv
) ?
1294 NT_STATUS_OK
: NT_STATUS_UNSUCCESSFUL
;
1297 NTSTATUS
pdb_default_getgrnam(struct pdb_methods
*methods
, GROUP_MAP
*map
,
1298 char *name
, BOOL with_priv
)
1300 return get_group_map_from_ntname(name
, map
, with_priv
) ?
1301 NT_STATUS_OK
: NT_STATUS_UNSUCCESSFUL
;
1304 NTSTATUS
pdb_default_add_group_mapping_entry(struct pdb_methods
*methods
,
1307 return add_mapping_entry(map
, TDB_INSERT
) ?
1308 NT_STATUS_OK
: NT_STATUS_UNSUCCESSFUL
;
1311 NTSTATUS
pdb_default_update_group_mapping_entry(struct pdb_methods
*methods
,
1314 return add_mapping_entry(map
, TDB_REPLACE
) ?
1315 NT_STATUS_OK
: NT_STATUS_UNSUCCESSFUL
;
1318 NTSTATUS
pdb_default_delete_group_mapping_entry(struct pdb_methods
*methods
,
1321 return group_map_remove(sid
) ?
1322 NT_STATUS_OK
: NT_STATUS_UNSUCCESSFUL
;
1325 NTSTATUS
pdb_default_enum_group_mapping(struct pdb_methods
*methods
,
1326 enum SID_NAME_USE sid_name_use
,
1327 GROUP_MAP
**rmap
, int *num_entries
,
1328 BOOL unix_only
, BOOL with_priv
)
1330 return enum_group_mapping(sid_name_use
, rmap
, num_entries
, unix_only
,
1332 NT_STATUS_OK
: NT_STATUS_UNSUCCESSFUL
;
1335 /**********************************************************************
1336 no ops for passdb backends that don't implement group mapping
1337 *********************************************************************/
1339 NTSTATUS
pdb_nop_getgrsid(struct pdb_methods
*methods
, GROUP_MAP
*map
,
1340 DOM_SID sid
, BOOL with_priv
)
1342 return NT_STATUS_UNSUCCESSFUL
;
1345 NTSTATUS
pdb_nop_getgrgid(struct pdb_methods
*methods
, GROUP_MAP
*map
,
1346 gid_t gid
, BOOL with_priv
)
1348 return NT_STATUS_UNSUCCESSFUL
;
1351 NTSTATUS
pdb_nop_getgrnam(struct pdb_methods
*methods
, GROUP_MAP
*map
,
1352 char *name
, BOOL with_priv
)
1354 return NT_STATUS_UNSUCCESSFUL
;
1357 NTSTATUS
pdb_nop_add_group_mapping_entry(struct pdb_methods
*methods
,
1360 return NT_STATUS_UNSUCCESSFUL
;
1363 NTSTATUS
pdb_nop_update_group_mapping_entry(struct pdb_methods
*methods
,
1366 return NT_STATUS_UNSUCCESSFUL
;
1369 NTSTATUS
pdb_nop_delete_group_mapping_entry(struct pdb_methods
*methods
,
1372 return NT_STATUS_UNSUCCESSFUL
;
1375 NTSTATUS
pdb_nop_enum_group_mapping(struct pdb_methods
*methods
,
1376 enum SID_NAME_USE sid_name_use
,
1377 GROUP_MAP
**rmap
, int *num_entries
,
1378 BOOL unix_only
, BOOL with_priv
)
1380 return NT_STATUS_UNSUCCESSFUL
;