2 Unix SMB/CIFS implementation.
3 Samba utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
6 Copyright (C) Jeremy Allison 1999
7 Copyright (C) Stefan (metze) Metzmacher 2002
8 Copyright (C) Simo Sorce 2002
9 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
33 const DOM_SID global_sid_World_Domain
= /* Everyone domain */
34 { 1, 0, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
35 const DOM_SID global_sid_World
= /* Everyone */
36 { 1, 1, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
37 const DOM_SID global_sid_Creator_Owner_Domain
= /* Creator Owner domain */
38 { 1, 0, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
39 const DOM_SID global_sid_NT_Authority
= /* NT Authority */
40 { 1, 0, {0,0,0,0,0,5}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
41 const DOM_SID global_sid_System
= /* System */
42 { 1, 1, {0,0,0,0,0,5}, {18,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
43 const DOM_SID global_sid_NULL
= /* NULL sid */
44 { 1, 1, {0,0,0,0,0,0}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
45 const DOM_SID global_sid_Authenticated_Users
= /* All authenticated rids */
46 { 1, 1, {0,0,0,0,0,5}, {11,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
47 const DOM_SID global_sid_Network
= /* Network rids */
48 { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
50 const DOM_SID global_sid_Creator_Owner
= /* Creator Owner */
51 { 1, 1, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
52 const DOM_SID global_sid_Creator_Group
= /* Creator Group */
53 { 1, 1, {0,0,0,0,0,3}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
54 const DOM_SID global_sid_Anonymous
= /* Anonymous login */
55 { 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
57 const DOM_SID global_sid_Builtin
= /* Local well-known domain */
58 { 1, 1, {0,0,0,0,0,5}, {32,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
59 const DOM_SID global_sid_Builtin_Administrators
= /* Builtin administrators */
60 { 1, 2, {0,0,0,0,0,5}, {32,544,0,0,0,0,0,0,0,0,0,0,0,0,0}};
61 const DOM_SID global_sid_Builtin_Users
= /* Builtin users */
62 { 1, 2, {0,0,0,0,0,5}, {32,545,0,0,0,0,0,0,0,0,0,0,0,0,0}};
63 const DOM_SID global_sid_Builtin_Guests
= /* Builtin guest users */
64 { 1, 2, {0,0,0,0,0,5}, {32,546,0,0,0,0,0,0,0,0,0,0,0,0,0}};
65 const DOM_SID global_sid_Builtin_Power_Users
= /* Builtin power users */
66 { 1, 2, {0,0,0,0,0,5}, {32,547,0,0,0,0,0,0,0,0,0,0,0,0,0}};
67 const DOM_SID global_sid_Builtin_Account_Operators
= /* Builtin account operators */
68 { 1, 2, {0,0,0,0,0,5}, {32,548,0,0,0,0,0,0,0,0,0,0,0,0,0}};
69 const DOM_SID global_sid_Builtin_Server_Operators
= /* Builtin server operators */
70 { 1, 2, {0,0,0,0,0,5}, {32,549,0,0,0,0,0,0,0,0,0,0,0,0,0}};
71 const DOM_SID global_sid_Builtin_Print_Operators
= /* Builtin print operators */
72 { 1, 2, {0,0,0,0,0,5}, {32,550,0,0,0,0,0,0,0,0,0,0,0,0,0}};
73 const DOM_SID global_sid_Builtin_Backup_Operators
= /* Builtin backup operators */
74 { 1, 2, {0,0,0,0,0,5}, {32,551,0,0,0,0,0,0,0,0,0,0,0,0,0}};
75 const DOM_SID global_sid_Builtin_Replicator
= /* Builtin replicator */
76 { 1, 2, {0,0,0,0,0,5}, {32,552,0,0,0,0,0,0,0,0,0,0,0,0,0}};
78 #define SECURITY_NULL_SID_AUTHORITY 0
79 #define SECURITY_WORLD_SID_AUTHORITY 1
80 #define SECURITY_LOCAL_SID_AUTHORITY 2
81 #define SECURITY_CREATOR_SID_AUTHORITY 3
82 #define SECURITY_NT_AUTHORITY 5
85 * An NT compatible anonymous token.
88 static DOM_SID anon_sid_array
[3] =
89 { { 1, 1, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
90 { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
91 { 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}} };
92 NT_USER_TOKEN anonymous_token
= { 3, anon_sid_array
, SE_NONE
};
94 static DOM_SID system_sid_array
[1] =
95 { { 1, 1, {0,0,0,0,0,5}, {18,0,0,0,0,0,0,0,0,0,0,0,0,0,0}} };
96 NT_USER_TOKEN system_token
= { 1, system_sid_array
, SE_ALL_PRIVS
};
98 /****************************************************************************
99 Lookup string names for SID types.
100 ****************************************************************************/
102 static const struct {
103 enum SID_NAME_USE sid_type
;
105 } sid_name_type
[] = {
106 {SID_NAME_USER
, "User"},
107 {SID_NAME_DOM_GRP
, "Domain Group"},
108 {SID_NAME_DOMAIN
, "Domain"},
109 {SID_NAME_ALIAS
, "Local Group"},
110 {SID_NAME_WKN_GRP
, "Well-known Group"},
111 {SID_NAME_DELETED
, "Deleted Account"},
112 {SID_NAME_INVALID
, "Invalid Account"},
113 {SID_NAME_UNKNOWN
, "UNKNOWN"},
114 {SID_NAME_COMPUTER
, "Computer"},
116 {(enum SID_NAME_USE
)0, NULL
}
119 const char *sid_type_lookup(uint32 sid_type
)
123 /* Look through list */
124 while(sid_name_type
[i
].sid_type
!= 0) {
125 if (sid_name_type
[i
].sid_type
== sid_type
)
126 return sid_name_type
[i
].string
;
131 return "SID *TYPE* is INVALID";
134 /**************************************************************************
135 Create the SYSTEM token.
136 ***************************************************************************/
138 NT_USER_TOKEN
*get_system_token(void)
140 return &system_token
;
143 /******************************************************************
144 get the default domain/netbios name to be used when dealing
145 with our passdb list of accounts
146 ******************************************************************/
148 const char *get_global_sam_name(void)
150 if ((lp_server_role() == ROLE_DOMAIN_PDC
) || (lp_server_role() == ROLE_DOMAIN_BDC
)) {
151 return lp_workgroup();
153 return global_myname();
156 /**************************************************************************
157 Splits a name of format \DOMAIN\name or name into its two components.
158 Sets the DOMAIN name to global_myname() if it has not been specified.
159 ***************************************************************************/
161 void split_domain_name(const char *fullname
, char *domain
, char *name
)
167 sep
= lp_winbind_separator();
169 *domain
= *name
= '\0';
171 if (fullname
[0] == sep
[0] || fullname
[0] == '\\')
174 pstrcpy(full_name
, fullname
);
175 p
= strchr_m(full_name
+1, '\\');
176 if (!p
) p
= strchr_m(full_name
+1, sep
[0]);
180 fstrcpy(domain
, full_name
);
183 fstrcpy(domain
, get_global_sam_name());
184 fstrcpy(name
, full_name
);
187 DEBUG(10,("split_domain_name:name '%s' split into domain :'%s' and user :'%s'\n",
188 fullname
, domain
, name
));
191 /****************************************************************************
192 Test if a SID is wellknown and resolvable.
193 ****************************************************************************/
195 BOOL
resolvable_wellknown_sid(DOM_SID
*sid
)
197 uint32 ia
= (sid
->id_auth
[5]) +
198 (sid
->id_auth
[4] << 8 ) +
199 (sid
->id_auth
[3] << 16) +
200 (sid
->id_auth
[2] << 24);
202 if (sid
->sid_rev_num
!= SEC_DESC_REVISION
|| sid
->num_auths
< 1)
205 return (ia
== SECURITY_WORLD_SID_AUTHORITY
||
206 ia
== SECURITY_CREATOR_SID_AUTHORITY
);
209 /*****************************************************************
210 Convert a SID to an ascii string.
211 *****************************************************************/
213 char *sid_to_string(fstring sidstr_out
, const DOM_SID
*sid
)
220 fstrcpy(sidstr_out
, "(NULL SID)");
225 * BIG NOTE: this function only does SIDS where the identauth is not >= 2^32
226 * in a range of 2^48.
228 ia
= (sid
->id_auth
[5]) +
229 (sid
->id_auth
[4] << 8 ) +
230 (sid
->id_auth
[3] << 16) +
231 (sid
->id_auth
[2] << 24);
233 slprintf(sidstr_out
, sizeof(fstring
) - 1, "S-%u-%lu", (unsigned int)sid
->sid_rev_num
, (unsigned long)ia
);
235 for (i
= 0; i
< sid
->num_auths
; i
++) {
236 slprintf(subauth
, sizeof(subauth
)-1, "-%lu", (unsigned long)sid
->sub_auths
[i
]);
237 fstrcat(sidstr_out
, subauth
);
243 /*****************************************************************
244 Useful function for debug lines.
245 *****************************************************************/
247 const char *sid_string_static(const DOM_SID
*sid
)
249 static fstring sid_str
;
250 sid_to_string(sid_str
, sid
);
254 /*****************************************************************
255 Convert a string to a SID. Returns True on success, False on fail.
256 *****************************************************************/
258 BOOL
string_to_sid(DOM_SID
*sidout
, const char *sidstr
)
262 /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
265 if (StrnCaseCmp( sidstr
, "S-", 2)) {
266 DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr
));
270 ZERO_STRUCTP(sidout
);
272 /* Get the revision number. */
274 conv
= (uint32
) strtoul(p
, &q
, 10);
275 if (!q
|| (*q
!= '-')) {
276 DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr
));
279 sidout
->sid_rev_num
= (uint8
) conv
;
283 conv
= (uint32
) strtoul(q
, &q
, 10);
284 if (!q
|| (*q
!= '-')) {
285 DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr
));
288 /* identauth in decimal should be < 2^32 */
289 /* NOTE - the conv value is in big-endian format. */
290 sidout
->id_auth
[0] = 0;
291 sidout
->id_auth
[1] = 0;
292 sidout
->id_auth
[2] = (conv
& 0xff000000) >> 24;
293 sidout
->id_auth
[3] = (conv
& 0x00ff0000) >> 16;
294 sidout
->id_auth
[4] = (conv
& 0x0000ff00) >> 8;
295 sidout
->id_auth
[5] = (conv
& 0x000000ff);
298 sidout
->num_auths
= 0;
300 for(conv
= (uint32
) strtoul(q
, &q
, 10);
301 q
&& (*q
=='-' || *q
=='\0') && (sidout
->num_auths
< MAXSUBAUTHS
);
302 conv
= (uint32
) strtoul(q
, &q
, 10)) {
303 sid_append_rid(sidout
, conv
);
312 DOM_SID
*string_sid_talloc(TALLOC_CTX
*mem_ctx
, const char *sidstr
)
314 DOM_SID
*result
= TALLOC_P(mem_ctx
, DOM_SID
);
319 if (!string_to_sid(result
, sidstr
))
325 /*****************************************************************
326 Add a rid to the end of a sid
327 *****************************************************************/
329 BOOL
sid_append_rid(DOM_SID
*sid
, uint32 rid
)
331 if (sid
->num_auths
< MAXSUBAUTHS
) {
332 sid
->sub_auths
[sid
->num_auths
++] = rid
;
338 BOOL
sid_compose(DOM_SID
*dst
, const DOM_SID
*domain_sid
, uint32 rid
)
340 sid_copy(dst
, domain_sid
);
341 return sid_append_rid(dst
, rid
);
344 /*****************************************************************
345 Removes the last rid from the end of a sid
346 *****************************************************************/
348 BOOL
sid_split_rid(DOM_SID
*sid
, uint32
*rid
)
350 if (sid
->num_auths
> 0) {
352 *rid
= sid
->sub_auths
[sid
->num_auths
];
358 /*****************************************************************
359 Return the last rid from the end of a sid
360 *****************************************************************/
362 BOOL
sid_peek_rid(const DOM_SID
*sid
, uint32
*rid
)
367 if (sid
->num_auths
> 0) {
368 *rid
= sid
->sub_auths
[sid
->num_auths
- 1];
374 /*****************************************************************
375 Return the last rid from the end of a sid
376 and check the sid against the exp_dom_sid
377 *****************************************************************/
379 BOOL
sid_peek_check_rid(const DOM_SID
*exp_dom_sid
, const DOM_SID
*sid
, uint32
*rid
)
381 if (!exp_dom_sid
|| !sid
|| !rid
)
384 if (sid
->num_auths
!= (exp_dom_sid
->num_auths
+1)) {
388 if (sid_compare_domain(exp_dom_sid
, sid
)!=0){
393 return sid_peek_rid(sid
, rid
);
396 /*****************************************************************
398 *****************************************************************/
400 void sid_copy(DOM_SID
*dst
, const DOM_SID
*src
)
406 dst
->sid_rev_num
= src
->sid_rev_num
;
407 dst
->num_auths
= src
->num_auths
;
409 memcpy(&dst
->id_auth
[0], &src
->id_auth
[0], sizeof(src
->id_auth
));
411 for (i
= 0; i
< src
->num_auths
; i
++)
412 dst
->sub_auths
[i
] = src
->sub_auths
[i
];
415 /*****************************************************************
416 Write a sid out into on-the-wire format.
417 *****************************************************************/
419 BOOL
sid_linearize(char *outbuf
, size_t len
, const DOM_SID
*sid
)
423 if (len
< sid_size(sid
))
426 SCVAL(outbuf
,0,sid
->sid_rev_num
);
427 SCVAL(outbuf
,1,sid
->num_auths
);
428 memcpy(&outbuf
[2], sid
->id_auth
, 6);
429 for(i
= 0; i
< sid
->num_auths
; i
++)
430 SIVAL(outbuf
, 8 + (i
*4), sid
->sub_auths
[i
]);
435 /*****************************************************************
436 Parse a on-the-wire SID to a DOM_SID.
437 *****************************************************************/
439 BOOL
sid_parse(const char *inbuf
, size_t len
, DOM_SID
*sid
)
447 sid
->sid_rev_num
= CVAL(inbuf
, 0);
448 sid
->num_auths
= CVAL(inbuf
, 1);
449 memcpy(sid
->id_auth
, inbuf
+2, 6);
450 if (len
< 8 + sid
->num_auths
*4)
452 for (i
=0;i
<sid
->num_auths
;i
++)
453 sid
->sub_auths
[i
] = IVAL(inbuf
, 8+i
*4);
457 /*****************************************************************
458 Compare the auth portion of two sids.
459 *****************************************************************/
461 static int sid_compare_auth(const DOM_SID
*sid1
, const DOM_SID
*sid2
)
472 if (sid1
->sid_rev_num
!= sid2
->sid_rev_num
)
473 return sid1
->sid_rev_num
- sid2
->sid_rev_num
;
475 for (i
= 0; i
< 6; i
++)
476 if (sid1
->id_auth
[i
] != sid2
->id_auth
[i
])
477 return sid1
->id_auth
[i
] - sid2
->id_auth
[i
];
482 /*****************************************************************
484 *****************************************************************/
486 int sid_compare(const DOM_SID
*sid1
, const DOM_SID
*sid2
)
497 /* Compare most likely different rids, first: i.e start at end */
498 if (sid1
->num_auths
!= sid2
->num_auths
)
499 return sid1
->num_auths
- sid2
->num_auths
;
501 for (i
= sid1
->num_auths
-1; i
>= 0; --i
)
502 if (sid1
->sub_auths
[i
] != sid2
->sub_auths
[i
])
503 return sid1
->sub_auths
[i
] - sid2
->sub_auths
[i
];
505 return sid_compare_auth(sid1
, sid2
);
508 /*****************************************************************
509 See if 2 SIDs are in the same domain
510 this just compares the leading sub-auths
511 *****************************************************************/
513 int sid_compare_domain(const DOM_SID
*sid1
, const DOM_SID
*sid2
)
517 n
= MIN(sid1
->num_auths
, sid2
->num_auths
);
519 for (i
= n
-1; i
>= 0; --i
)
520 if (sid1
->sub_auths
[i
] != sid2
->sub_auths
[i
])
521 return sid1
->sub_auths
[i
] - sid2
->sub_auths
[i
];
523 return sid_compare_auth(sid1
, sid2
);
526 /*****************************************************************
528 *****************************************************************/
530 BOOL
sid_equal(const DOM_SID
*sid1
, const DOM_SID
*sid2
)
532 return sid_compare(sid1
, sid2
) == 0;
535 /*****************************************************************
536 Check if the SID is the builtin SID (S-1-5-32).
537 *****************************************************************/
539 BOOL
sid_check_is_builtin(const DOM_SID
*sid
)
541 return sid_equal(sid
, &global_sid_Builtin
);
544 /*****************************************************************
545 Check if the SID is one of the builtin SIDs (S-1-5-32-a).
546 *****************************************************************/
548 BOOL
sid_check_is_in_builtin(const DOM_SID
*sid
)
553 sid_copy(&dom_sid
, sid
);
554 sid_split_rid(&dom_sid
, &rid
);
556 return sid_equal(&dom_sid
, &global_sid_Builtin
);
559 /*****************************************************************
560 Calculates size of a sid.
561 *****************************************************************/
563 size_t sid_size(const DOM_SID
*sid
)
568 return sid
->num_auths
* sizeof(uint32
) + 8;
571 /*****************************************************************
572 Returns true if SID is internal (and non-mappable).
573 *****************************************************************/
575 BOOL
non_mappable_sid(DOM_SID
*sid
)
581 sid_split_rid(&dom
, &rid
);
583 if (sid_equal(&dom
, &global_sid_Builtin
))
586 if (sid_equal(&dom
, &global_sid_NT_Authority
))
592 /*****************************************************************
593 Return the binary string representation of a DOM_SID.
595 *****************************************************************/
597 char *sid_binstring(const DOM_SID
*sid
)
600 int len
= sid_size(sid
);
601 buf
= SMB_MALLOC(len
);
604 sid_linearize(buf
, len
, sid
);
605 s
= binary_string(buf
, len
);
610 /*******************************************************************
611 Tallocs a duplicate SID.
612 ********************************************************************/
614 DOM_SID
*sid_dup_talloc(TALLOC_CTX
*ctx
, const DOM_SID
*src
)
621 if((dst
= TALLOC_ZERO_P(ctx
, DOM_SID
)) != NULL
) {
628 /********************************************************************
629 Add SID to an array SIDs
630 ********************************************************************/
632 void add_sid_to_array(TALLOC_CTX
*mem_ctx
, const DOM_SID
*sid
,
633 DOM_SID
**sids
, size_t *num
)
636 *sids
= TALLOC_REALLOC_ARRAY(mem_ctx
, *sids
, DOM_SID
,
639 *sids
= SMB_REALLOC_ARRAY(*sids
, DOM_SID
, (*num
)+1);
644 sid_copy(&((*sids
)[*num
]), sid
);
651 /********************************************************************
652 Add SID to an array SIDs ensuring that it is not already there
653 ********************************************************************/
655 void add_sid_to_array_unique(TALLOC_CTX
*mem_ctx
, const DOM_SID
*sid
,
656 DOM_SID
**sids
, size_t *num_sids
)
660 for (i
=0; i
<(*num_sids
); i
++) {
661 if (sid_compare(sid
, &(*sids
)[i
]) == 0)
665 add_sid_to_array(mem_ctx
, sid
, sids
, num_sids
);
668 /********************************************************************
669 Remove SID from an array
670 ********************************************************************/
672 void del_sid_from_array(const DOM_SID
*sid
, DOM_SID
**sids
, size_t *num
)
674 DOM_SID
*sid_list
= *sids
;
677 for ( i
=0; i
<*num
; i
++ ) {
679 /* if we find the SID, then decrement the count
680 and break out of the loop */
682 if ( sid_equal(sid
, &sid_list
[i
]) ) {
688 /* This loop will copy the remainder of the array
689 if i < num of sids ni the array */
691 for ( ; i
<*num
; i
++ )
692 sid_copy( &sid_list
[i
], &sid_list
[i
+1] );