2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jeremy Allison 2001.
8 Copyright (C) Gerald (Jerry) Carter 2003.
9 Copyright (C) Volker Lendecke 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 extern BOOL opt_nocache;
32 #define DBGC_CLASS DBGC_WINBIND
34 /*********************************************************************
35 *********************************************************************/
37 static int gr_mem_buffer( char **buffer, char **members, int num_members )
43 if ( num_members == 0 ) {
48 for ( i=0; i<num_members; i++ )
49 len += strlen(members[i])+1;
51 *buffer = SMB_XMALLOC_ARRAY(char, len);
52 for ( i=0; i<num_members; i++ ) {
53 snprintf( &(*buffer)[idx], len-idx, "%s,", members[i]);
54 idx += strlen(members[i])+1;
56 /* terminate with NULL */
57 (*buffer)[len-1] = '\0';
62 /***************************************************************
63 Empty static struct for negative caching.
64 ****************************************************************/
66 /* Fill a grent structure from various other information */
68 static BOOL fill_grent(struct winbindd_gr *gr, const char *dom_name,
69 const char *gr_name, gid_t unix_gid)
71 fstring full_group_name;
73 fill_domain_username(full_group_name, dom_name, gr_name);
75 gr->gr_gid = unix_gid;
77 /* Group name and password */
79 safe_strcpy(gr->gr_name, full_group_name, sizeof(gr->gr_name) - 1);
80 safe_strcpy(gr->gr_passwd, "x", sizeof(gr->gr_passwd) - 1);
85 /* Fill in the group membership field of a NT group given by group_sid */
87 static BOOL fill_grent_mem(struct winbindd_domain *domain,
89 enum SID_NAME_USE group_name_type,
90 int *num_gr_mem, char **gr_mem, int *gr_mem_len)
92 DOM_SID **sid_mem = NULL;
94 uint32 *name_types = NULL;
95 unsigned int buf_len, buf_ndx, i;
96 char **names = NULL, *buf;
102 if (!(mem_ctx = talloc_init("fill_grent_mem(%s)", domain->name)))
105 /* Initialise group membership information */
107 DEBUG(10, ("group SID %s\n", sid_to_string(sid_string, group_sid)));
111 /* HACK ALERT!! This whole routine does not cope with group members
112 * from more than one domain, ie aliases. Thus we have to work it out
113 * ourselves in a special routine. */
115 if (domain->internal)
116 return fill_passdb_alias_grmem(domain, group_sid,
120 if ( !((group_name_type==SID_NAME_DOM_GRP) ||
121 ((group_name_type==SID_NAME_ALIAS) && domain->primary)) )
123 DEBUG(1, ("SID %s in domain %s isn't a domain group (%d)\n",
124 sid_to_string(sid_string, group_sid), domain->name,
129 /* Lookup group members */
130 status = domain->methods->lookup_groupmem(domain, mem_ctx, group_sid, &num_names,
131 &sid_mem, &names, &name_types);
132 if (!NT_STATUS_IS_OK(status)) {
133 DEBUG(1, ("could not lookup membership for group rid %s in domain %s (error: %s)\n",
134 sid_to_string(sid_string, group_sid), domain->name, nt_errstr(status)));
139 DEBUG(10, ("looked up %d names\n", num_names));
141 if (DEBUGLEVEL >= 10) {
142 for (i = 0; i < num_names; i++)
143 DEBUG(10, ("\t%20s %s %d\n", names[i], sid_to_string(sid_string, sid_mem[i]),
147 /* Add members to list */
150 buf_len = buf_ndx = 0;
154 for (i = 0; i < num_names; i++) {
161 DEBUG(10, ("processing name %s\n", the_name));
163 /* FIXME: need to cope with groups within groups. These
164 occur in Universal groups on a Windows 2000 native mode
167 /* make sure to allow machine accounts */
169 if (name_types[i] != SID_NAME_USER && name_types[i] != SID_NAME_COMPUTER) {
170 DEBUG(3, ("name %s isn't a domain user\n", the_name));
174 /* Append domain name */
176 fill_domain_username(name, domain->name, the_name);
180 /* Add to list or calculate buffer length */
183 buf_len += len + 1; /* List is comma separated */
185 DEBUG(10, ("buf_len + %d = %d\n", len + 1, buf_len));
187 DEBUG(10, ("appending %s at ndx %d\n", name, len));
188 safe_strcpy(&buf[buf_ndx], name, len);
195 /* Allocate buffer */
197 if (!buf && buf_len != 0) {
198 if (!(buf = SMB_MALLOC(buf_len))) {
199 DEBUG(1, ("out of memory\n"));
203 memset(buf, 0, buf_len);
207 if (buf && buf_ndx > 0) {
208 buf[buf_ndx - 1] = '\0';
212 *gr_mem_len = buf_len;
214 DEBUG(10, ("num_mem = %d, len = %d, mem = %s\n", *num_gr_mem,
215 buf_len, *num_gr_mem ? buf : "NULL"));
220 talloc_destroy(mem_ctx);
222 DEBUG(10, ("fill_grent_mem returning %d\n", result));
227 /* Return a group structure from a group name */
229 enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
233 struct winbindd_domain *domain;
234 enum SID_NAME_USE name_type;
235 fstring name_domain, name_group;
240 /* Ensure null termination */
241 state->request.data.groupname[sizeof(state->request.data.groupname)-1]='\0';
243 DEBUG(3, ("[%5lu]: getgrnam %s\n", (unsigned long)state->pid,
244 state->request.data.groupname));
246 /* Parse domain and groupname */
248 memset(name_group, 0, sizeof(fstring));
250 tmp = state->request.data.groupname;
252 parse_domain_user(tmp, name_domain, name_group);
254 /* if no domain or our local domain, then do a local tdb search */
256 if ( (!*name_domain || strequal(name_domain, get_global_sam_name())) &&
257 ((grp = wb_getgrnam(name_group)) != NULL) ) {
261 memcpy( &state->response.data.gr, grp, sizeof(WINBINDD_GR) );
263 gr_mem_len = gr_mem_buffer( &buffer, grp->gr_mem, grp->num_gr_mem );
265 state->response.data.gr.gr_mem_ofs = 0;
266 state->response.length += gr_mem_len;
267 state->response.extra_data = buffer; /* give the memory away */
272 /* if no domain or our local domain and no local tdb group, default to
273 * our local domain for aliases */
275 if ( !*name_domain || strequal(name_domain, get_global_sam_name()) ) {
276 fstrcpy(name_domain, get_global_sam_name());
279 /* Get info for the domain */
281 if ((domain = find_domain_from_name(name_domain)) == NULL) {
282 DEBUG(3, ("could not get domain sid for domain %s\n",
284 return WINBINDD_ERROR;
286 /* should we deal with users for our domain? */
288 if ( lp_winbind_trusted_domains_only() && domain->primary) {
289 DEBUG(7,("winbindd_getgrnam: My domain -- rejecting getgrnam() for %s\\%s.\n",
290 name_domain, name_group));
291 return WINBINDD_ERROR;
294 /* Get rid and name type from name */
296 if (!winbindd_lookup_sid_by_name(domain, domain->name, name_group, &group_sid,
298 DEBUG(1, ("group %s in domain %s does not exist\n",
299 name_group, name_domain));
300 return WINBINDD_ERROR;
303 if ( !((name_type==SID_NAME_DOM_GRP) ||
304 ((name_type==SID_NAME_ALIAS) && domain->primary) ||
305 ((name_type==SID_NAME_ALIAS) && domain->internal)) )
307 DEBUG(1, ("name '%s' is not a local or domain group: %d\n",
308 name_group, name_type));
309 return WINBINDD_ERROR;
312 if (!NT_STATUS_IS_OK(idmap_sid_to_gid(&group_sid, &gid, 0))) {
313 DEBUG(1, ("error converting unix gid to sid\n"));
314 return WINBINDD_ERROR;
317 if (!fill_grent(&state->response.data.gr, name_domain,
319 !fill_grent_mem(domain, &group_sid, name_type,
320 &state->response.data.gr.num_gr_mem,
321 &gr_mem, &gr_mem_len)) {
322 return WINBINDD_ERROR;
325 /* Group membership lives at start of extra data */
327 state->response.data.gr.gr_mem_ofs = 0;
329 state->response.length += gr_mem_len;
330 state->response.extra_data = gr_mem;
335 /* Return a group structure from a gid number */
337 enum winbindd_result winbindd_getgrgid(struct winbindd_cli_state *state)
339 struct winbindd_domain *domain;
342 enum SID_NAME_USE name_type;
348 DEBUG(3, ("[%5lu]: getgrgid %lu\n", (unsigned long)state->pid,
349 (unsigned long)state->request.data.gid));
351 /* Bug out if the gid isn't in the winbind range */
353 if ((state->request.data.gid < server_state.gid_low) ||
354 (state->request.data.gid > server_state.gid_high))
355 return WINBINDD_ERROR;
357 /* alway try local tdb lookup first */
358 if ( ( grp=wb_getgrgid(state->request.data.gid)) != NULL ) {
361 memcpy( &state->response.data.gr, grp, sizeof(WINBINDD_GR) );
363 gr_mem_len = gr_mem_buffer( &buffer, grp->gr_mem, grp->num_gr_mem );
365 state->response.data.gr.gr_mem_ofs = 0;
366 state->response.length += gr_mem_len;
367 state->response.extra_data = buffer; /* give away the memory */
372 /* Get rid from gid */
373 if (!NT_STATUS_IS_OK(idmap_gid_to_sid(&group_sid, state->request.data.gid))) {
374 DEBUG(1, ("could not convert gid %lu to rid\n",
375 (unsigned long)state->request.data.gid));
376 return WINBINDD_ERROR;
379 /* Get name from sid */
381 if (!winbindd_lookup_name_by_sid(&group_sid, dom_name, group_name, &name_type)) {
382 DEBUG(1, ("could not lookup sid\n"));
383 return WINBINDD_ERROR;
386 /* Fill in group structure */
388 domain = find_domain_from_sid(&group_sid);
391 DEBUG(1,("Can't find domain from sid\n"));
392 return WINBINDD_ERROR;
395 if ( !((name_type==SID_NAME_DOM_GRP) ||
396 ((name_type==SID_NAME_ALIAS) && domain->primary) ||
397 ((name_type==SID_NAME_ALIAS) && domain->internal)) )
399 DEBUG(1, ("name '%s' is not a local or domain group: %d\n",
400 group_name, name_type));
401 return WINBINDD_ERROR;
404 if (!fill_grent(&state->response.data.gr, dom_name, group_name,
405 state->request.data.gid) ||
406 !fill_grent_mem(domain, &group_sid, name_type,
407 &state->response.data.gr.num_gr_mem,
408 &gr_mem, &gr_mem_len))
409 return WINBINDD_ERROR;
411 /* Group membership lives at start of extra data */
413 state->response.data.gr.gr_mem_ofs = 0;
415 state->response.length += gr_mem_len;
416 state->response.extra_data = gr_mem;
422 * set/get/endgrent functions
425 /* "Rewind" file pointer for group database enumeration */
427 enum winbindd_result winbindd_setgrent(struct winbindd_cli_state *state)
429 struct winbindd_domain *domain;
431 DEBUG(3, ("[%5lu]: setgrent\n", (unsigned long)state->pid));
433 /* Check user has enabled this */
435 if (!lp_winbind_enum_groups())
436 return WINBINDD_ERROR;
438 /* Free old static data if it exists */
440 if (state->getgrent_state != NULL) {
441 free_getent_state(state->getgrent_state);
442 state->getgrent_state = NULL;
445 /* Create sam pipes for each domain we know about */
447 for (domain = domain_list(); domain != NULL; domain = domain->next) {
448 struct getent_state *domain_state;
450 /* Create a state record for this domain */
452 /* don't add our domaina if we are a PDC or if we
453 are a member of a Samba domain */
455 if ( lp_winbind_trusted_domains_only() && domain->primary )
461 if ((domain_state = SMB_MALLOC_P(struct getent_state)) == NULL) {
462 DEBUG(1, ("winbindd_setgrent: malloc failed for domain_state!\n"));
463 return WINBINDD_ERROR;
466 ZERO_STRUCTP(domain_state);
468 fstrcpy(domain_state->domain_name, domain->name);
470 /* Add to list of open domains */
472 DLIST_ADD(state->getgrent_state, domain_state);
475 state->getgrent_initialized = True;
480 /* Close file pointer to ntdom group database */
482 enum winbindd_result winbindd_endgrent(struct winbindd_cli_state *state)
484 DEBUG(3, ("[%5lu]: endgrent\n", (unsigned long)state->pid));
486 free_getent_state(state->getgrent_state);
487 state->getgrent_initialized = False;
488 state->getgrent_state = NULL;
493 /* Get the list of domain groups and domain aliases for a domain. We fill in
494 the sam_entries and num_sam_entries fields with domain group information.
495 The dispinfo_ndx field is incremented to the index of the next group to
496 fetch. Return True if some groups were returned, False otherwise. */
498 static BOOL get_sam_group_entries(struct getent_state *ent)
502 struct acct_info *name_list = NULL, *tmp_name_list = NULL;
505 struct acct_info *sam_grp_entries = NULL;
506 struct winbindd_domain *domain;
508 if (ent->got_sam_entries)
511 if (!(mem_ctx = talloc_init("get_sam_group_entries(%s)",
512 ent->domain_name))) {
513 DEBUG(1, ("get_sam_group_entries: could not create talloc context!\n"));
517 /* Free any existing group info */
519 SAFE_FREE(ent->sam_entries);
520 ent->num_sam_entries = 0;
521 ent->got_sam_entries = True;
523 /* Enumerate domain groups */
527 if (!(domain = find_domain_from_name(ent->domain_name))) {
528 DEBUG(3, ("no such domain %s in get_sam_group_entries\n", ent->domain_name));
532 /* always get the domain global groups */
534 status = domain->methods->enum_dom_groups(domain, mem_ctx, &num_entries, &sam_grp_entries);
536 if (!NT_STATUS_IS_OK(status)) {
537 DEBUG(3, ("get_sam_group_entries: could not enumerate domain groups! Error: %s\n", nt_errstr(status)));
542 /* Copy entries into return buffer */
545 if ( !(name_list = SMB_MALLOC_ARRAY(struct acct_info, num_entries)) ) {
546 DEBUG(0,("get_sam_group_entries: Failed to malloc memory for %d domain groups!\n",
551 memcpy( name_list, sam_grp_entries, num_entries * sizeof(struct acct_info) );
554 ent->num_sam_entries = num_entries;
556 /* get the domain local groups if we are a member of a native win2k domain
557 and are not using LDAP to get the groups */
559 if ( ( lp_security() != SEC_ADS && domain->native_mode
560 && domain->primary) || domain->internal )
562 DEBUG(4,("get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well\n"));
564 status = domain->methods->enum_local_groups(domain, mem_ctx, &num_entries, &sam_grp_entries);
566 if ( !NT_STATUS_IS_OK(status) ) {
567 DEBUG(3,("get_sam_group_entries: Failed to enumerate domain local groups!\n"));
571 DEBUG(4,("get_sam_group_entries: Returned %d local groups\n", num_entries));
573 /* Copy entries into return buffer */
576 if ( !(tmp_name_list = SMB_REALLOC_ARRAY( name_list, struct acct_info, ent->num_sam_entries+num_entries)) )
578 DEBUG(0,("get_sam_group_entries: Failed to realloc more memory for %d local groups!\n",
581 SAFE_FREE( name_list );
585 name_list = tmp_name_list;
587 memcpy( &name_list[ent->num_sam_entries], sam_grp_entries,
588 num_entries * sizeof(struct acct_info) );
591 ent->num_sam_entries += num_entries;
595 /* Fill in remaining fields */
597 ent->sam_entries = name_list;
598 ent->sam_entry_index = 0;
600 result = (ent->num_sam_entries > 0);
603 talloc_destroy(mem_ctx);
608 /* Fetch next group entry from ntdom database */
610 #define MAX_GETGRENT_GROUPS 500
612 enum winbindd_result winbindd_getgrent(struct winbindd_cli_state *state)
614 struct getent_state *ent;
615 struct winbindd_gr *group_list = NULL;
616 int num_groups, group_list_ndx = 0, i, gr_mem_list_len = 0;
617 char *new_extra_data, *gr_mem_list = NULL;
619 DEBUG(3, ("[%5lu]: getgrent\n", (unsigned long)state->pid));
621 /* Check user has enabled this */
623 if (!lp_winbind_enum_groups())
624 return WINBINDD_ERROR;
626 num_groups = MIN(MAX_GETGRENT_GROUPS, state->request.data.num_entries);
628 if ((state->response.extra_data = SMB_MALLOC_ARRAY(struct winbindd_gr, num_groups)) == NULL)
629 return WINBINDD_ERROR;
631 memset(state->response.extra_data, '\0',
632 num_groups * sizeof(struct winbindd_gr) );
634 state->response.data.num_entries = 0;
636 group_list = (struct winbindd_gr *)state->response.extra_data;
638 if (!state->getgrent_initialized)
639 winbindd_setgrent(state);
641 if (!(ent = state->getgrent_state))
642 return WINBINDD_ERROR;
644 /* Start sending back groups */
646 for (i = 0; i < num_groups; i++) {
647 struct acct_info *name_list = NULL;
648 fstring domain_group_name;
652 char *gr_mem, *new_gr_mem_list;
654 struct winbindd_domain *domain;
656 /* Do we need to fetch another chunk of groups? */
660 DEBUG(10, ("entry_index = %d, num_entries = %d\n",
661 ent->sam_entry_index, ent->num_sam_entries));
663 if (ent->num_sam_entries == ent->sam_entry_index) {
665 while(ent && !get_sam_group_entries(ent)) {
666 struct getent_state *next_ent;
668 DEBUG(10, ("freeing state info for domain %s\n", ent->domain_name));
670 /* Free state information for this domain */
672 SAFE_FREE(ent->sam_entries);
674 next_ent = ent->next;
675 DLIST_REMOVE(state->getgrent_state, ent);
681 /* No more domains */
687 name_list = ent->sam_entries;
690 find_domain_from_name(ent->domain_name))) {
691 DEBUG(3, ("No such domain %s in winbindd_getgrent\n", ent->domain_name));
696 /* Lookup group info */
698 sid_copy(&group_sid, &domain->sid);
699 sid_append_rid(&group_sid, name_list[ent->sam_entry_index].rid);
701 if (!NT_STATUS_IS_OK(idmap_sid_to_gid(&group_sid, &group_gid, 0))) {
703 DEBUG(1, ("could not look up gid for group %s\n",
704 name_list[ent->sam_entry_index].acct_name));
706 ent->sam_entry_index++;
710 DEBUG(10, ("got gid %lu for group %lu\n", (unsigned long)group_gid,
711 (unsigned long)name_list[ent->sam_entry_index].rid));
713 /* Fill in group entry */
715 fill_domain_username(domain_group_name, ent->domain_name,
716 name_list[ent->sam_entry_index].acct_name);
718 result = fill_grent(&group_list[group_list_ndx],
720 name_list[ent->sam_entry_index].acct_name,
723 /* Fill in group membership entry */
727 group_list[group_list_ndx].num_gr_mem = 0;
731 /* Get group membership */
732 if (state->request.cmd == WINBINDD_GETGRLST) {
735 sid_copy(&member_sid, &domain->sid);
736 sid_append_rid(&member_sid, name_list[ent->sam_entry_index].rid);
737 result = fill_grent_mem(
741 &group_list[group_list_ndx].num_gr_mem,
742 &gr_mem, &gr_mem_len);
747 /* Append to group membership list */
748 new_gr_mem_list = SMB_REALLOC( gr_mem_list, gr_mem_list_len + gr_mem_len);
750 if (!new_gr_mem_list && (group_list[group_list_ndx].num_gr_mem != 0)) {
751 DEBUG(0, ("out of memory\n"));
752 SAFE_FREE(gr_mem_list);
757 DEBUG(10, ("list_len = %d, mem_len = %d\n",
758 gr_mem_list_len, gr_mem_len));
760 gr_mem_list = new_gr_mem_list;
762 memcpy(&gr_mem_list[gr_mem_list_len], gr_mem,
767 group_list[group_list_ndx].gr_mem_ofs =
770 gr_mem_list_len += gr_mem_len;
773 ent->sam_entry_index++;
775 /* Add group to return list */
779 DEBUG(10, ("adding group num_entries = %d\n",
780 state->response.data.num_entries));
783 state->response.data.num_entries++;
785 state->response.length +=
786 sizeof(struct winbindd_gr);
789 DEBUG(0, ("could not lookup domain group %s\n",
794 /* Copy the list of group memberships to the end of the extra data */
796 if (group_list_ndx == 0)
799 new_extra_data = SMB_REALLOC(
800 state->response.extra_data,
801 group_list_ndx * sizeof(struct winbindd_gr) + gr_mem_list_len);
803 if (!new_extra_data) {
804 DEBUG(0, ("out of memory\n"));
806 SAFE_FREE(state->response.extra_data);
807 SAFE_FREE(gr_mem_list);
809 return WINBINDD_ERROR;
812 state->response.extra_data = new_extra_data;
814 memcpy(&((char *)state->response.extra_data)
815 [group_list_ndx * sizeof(struct winbindd_gr)],
816 gr_mem_list, gr_mem_list_len);
818 SAFE_FREE(gr_mem_list);
820 state->response.length += gr_mem_list_len;
822 DEBUG(10, ("returning %d groups, length = %d\n",
823 group_list_ndx, gr_mem_list_len));
829 return (group_list_ndx > 0) ? WINBINDD_OK : WINBINDD_ERROR;
832 /* List domain groups without mapping to unix ids */
834 enum winbindd_result winbindd_list_groups(struct winbindd_cli_state *state)
836 uint32 total_entries = 0;
837 struct winbindd_domain *domain;
838 const char *which_domain;
839 char *extra_data = NULL;
841 unsigned int extra_data_len = 0, i;
843 DEBUG(3, ("[%5lu]: list groups\n", (unsigned long)state->pid));
845 /* Ensure null termination */
846 state->request.domain_name[sizeof(state->request.domain_name)-1]='\0';
847 which_domain = state->request.domain_name;
849 /* Enumerate over trusted domains */
851 for (domain = domain_list(); domain; domain = domain->next) {
852 struct getent_state groups;
854 /* if we have a domain name restricting the request and this
855 one in the list doesn't match, then just bypass the remainder
858 if ( *which_domain && !strequal(which_domain, domain->name) )
861 if ( !domain->initialized )
862 set_dc_type_and_flags( domain );
867 /* Get list of sam groups */
869 fstrcpy(groups.domain_name, domain->name);
871 get_sam_group_entries(&groups);
873 if (groups.num_sam_entries == 0) {
874 /* this domain is empty or in an error state */
878 /* keep track the of the total number of groups seen so
879 far over all domains */
880 total_entries += groups.num_sam_entries;
882 /* Allocate some memory for extra data. Note that we limit
883 account names to sizeof(fstring) = 128 characters. */
884 ted = SMB_REALLOC(extra_data, sizeof(fstring) * total_entries);
887 DEBUG(0,("failed to enlarge buffer!\n"));
888 SAFE_FREE(extra_data);
889 return WINBINDD_ERROR;
893 /* Pack group list into extra data fields */
894 for (i = 0; i < groups.num_sam_entries; i++) {
895 char *group_name = ((struct acct_info *)
896 groups.sam_entries)[i].acct_name;
899 fill_domain_username(name, domain->name, group_name);
900 /* Append to extra data */
901 memcpy(&extra_data[extra_data_len], name,
903 extra_data_len += strlen(name);
904 extra_data[extra_data_len++] = ',';
907 SAFE_FREE(groups.sam_entries);
910 /* Assign extra_data fields in response structure */
912 extra_data[extra_data_len - 1] = '\0';
913 state->response.extra_data = extra_data;
914 state->response.length += extra_data_len;
917 /* No domains may have responded but that's still OK so don't
923 static void add_local_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num)
929 DEBUG(10, ("Adding local gids from SID: %s\n",
930 sid_string_static(sid)));
932 /* Don't expand aliases if not explicitly activated -- for now
935 if (!lp_winbind_nested_groups())
938 /* Add nested group memberships */
940 if (!pdb_enum_alias_memberships(sid, 1, &aliases, &num_aliases))
943 for (j=0; j<num_aliases; j++) {
944 enum SID_NAME_USE type;
946 if (!local_sid_to_gid(&gid, &aliases[j], &type)) {
947 DEBUG(1, ("Got an alias membership with no alias\n"));
951 if ((type != SID_NAME_ALIAS) && (type != SID_NAME_WKN_GRP)) {
952 DEBUG(1, ("Got an alias membership in a non-alias\n"));
956 add_gid_to_array_unique(gid, gids, num);
961 static void add_gids_from_user_sid(DOM_SID *sid, gid_t **gids, int *num)
963 DEBUG(10, ("Adding gids from user SID: %s\n",
964 sid_string_static(sid)));
966 add_local_gids_from_sid(sid, gids, num);
969 static void add_gids_from_group_sid(DOM_SID *sid, gid_t **gids, int *num)
973 DEBUG(10, ("Adding gids from group SID: %s\n",
974 sid_string_static(sid)));
976 if (NT_STATUS_IS_OK(idmap_sid_to_gid(sid, &gid, 0)))
977 add_gid_to_array_unique(gid, gids, num);
979 add_local_gids_from_sid(sid, gids, num);
982 /* Get user supplementary groups. This is much quicker than trying to
983 invert the groups database. We merge the groups from the gids and
984 other_sids info3 fields as trusted domain, universal group
985 memberships, and nested groups (win2k native mode only) are not
986 returned by the getgroups RPC call but are present in the info3. */
988 enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
990 fstring name_domain, name_user;
991 DOM_SID user_sid, group_sid;
992 enum SID_NAME_USE name_type;
993 uint32 num_groups = 0;
996 DOM_SID **user_grpsids;
997 struct winbindd_domain *domain;
998 enum winbindd_result result = WINBINDD_ERROR;
999 gid_t *gid_list = NULL;
1001 TALLOC_CTX *mem_ctx;
1002 NET_USER_INFO_3 *info3 = NULL;
1004 /* Ensure null termination */
1005 state->request.data.username[sizeof(state->request.data.username)-1]='\0';
1007 DEBUG(3, ("[%5lu]: getgroups %s\n", (unsigned long)state->pid,
1008 state->request.data.username));
1010 if (!(mem_ctx = talloc_init("winbindd_getgroups(%s)",
1011 state->request.data.username)))
1012 return WINBINDD_ERROR;
1014 /* Parse domain and username */
1016 parse_domain_user(state->request.data.username,
1017 name_domain, name_user);
1019 /* Get info for the domain */
1021 if ((domain = find_domain_from_name(name_domain)) == NULL) {
1022 DEBUG(7, ("could not find domain entry for domain %s\n",
1027 if ( domain->primary && lp_winbind_trusted_domains_only()) {
1028 DEBUG(7,("winbindd_getpwnam: My domain -- rejecting getgroups() for %s\\%s.\n",
1029 name_domain, name_user));
1030 return WINBINDD_ERROR;
1033 /* Get rid and name type from name. The following costs 1 packet */
1035 if (!winbindd_lookup_sid_by_name(domain, domain->name, name_user, &user_sid,
1037 DEBUG(4, ("user '%s' does not exist\n", name_user));
1041 if (name_type != SID_NAME_USER && name_type != SID_NAME_COMPUTER) {
1042 DEBUG(1, ("name '%s' is not a user name: %d\n",
1043 name_user, name_type));
1047 add_gids_from_user_sid(&user_sid, &gid_list, &num_gids);
1049 /* Treat the info3 cache as authoritative as the
1050 lookup_usergroups() function may return cached data. */
1052 if ( !opt_nocache && (info3 = netsamlogon_cache_get(mem_ctx, &user_sid))) {
1054 DEBUG(10, ("winbindd_getgroups: info3 has %d groups, %d other sids\n",
1055 info3->num_groups2, info3->num_other_sids));
1057 num_groups = info3->num_other_sids + info3->num_groups2;
1059 /* Go through each other sid and convert it to a gid */
1061 for (i = 0; i < info3->num_other_sids; i++) {
1064 enum SID_NAME_USE sid_type;
1066 /* Is this sid known to us? It can either be
1067 a trusted domain sid or a foreign sid. */
1069 if (!winbindd_lookup_name_by_sid( &info3->other_sids[i].sid,
1070 dom_name, name, &sid_type))
1072 DEBUG(10, ("winbindd_getgroups: could not lookup name for %s\n",
1073 sid_string_static(&info3->other_sids[i].sid)));
1077 /* Check it is a domain group or an alias (domain local group)
1078 in a win2k native mode domain. */
1080 if ( !((sid_type==SID_NAME_DOM_GRP) ||
1081 ((sid_type==SID_NAME_ALIAS) && domain->primary)) )
1083 DEBUG(10, ("winbindd_getgroups: sid type %d "
1084 "for %s is not a domain group\n",
1087 &info3->other_sids[i].sid)));
1091 add_gids_from_group_sid(&info3->other_sids[i].sid,
1092 &gid_list, &num_gids);
1095 for (i = 0; i < info3->num_groups2; i++) {
1097 /* create the group SID */
1099 sid_copy( &group_sid, &domain->sid );
1100 sid_append_rid( &group_sid, info3->gids[i].g_rid );
1102 add_gids_from_group_sid(&group_sid, &gid_list,
1109 status = domain->methods->lookup_usergroups(domain, mem_ctx,
1110 &user_sid, &num_groups,
1112 if (!NT_STATUS_IS_OK(status))
1115 if (state->response.extra_data)
1118 for (i = 0; i < num_groups; i++) {
1119 add_gids_from_group_sid(user_grpsids[i],
1120 &gid_list, &num_gids);
1124 /* We want at least one group... */
1125 if (gid_list == NULL)
1128 remove_duplicate_gids( &num_gids, gid_list );
1130 /* Send data back to client */
1132 state->response.data.num_entries = num_gids;
1133 state->response.extra_data = gid_list;
1134 state->response.length += num_gids * sizeof(gid_t);
1136 result = WINBINDD_OK;
1140 talloc_destroy(mem_ctx);
1145 static void add_sid_to_parray_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
1146 DOM_SID ***sids, int *num_sids)
1150 for (i=0; i<(*num_sids); i++) {
1151 if (sid_compare(sid, (*sids)[i]) == 0)
1155 *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID *, *num_sids+1);
1160 (*sids)[*num_sids] = TALLOC_P(mem_ctx, DOM_SID);
1161 sid_copy((*sids)[*num_sids], sid);
1166 static void add_local_sids_from_sid(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
1167 DOM_SID ***user_grpsids,
1170 DOM_SID *aliases = NULL;
1171 int i, num_aliases = 0;
1173 if (!pdb_enum_alias_memberships(sid, 1, &aliases, &num_aliases))
1176 if (num_aliases == 0)
1179 for (i=0; i<num_aliases; i++)
1180 add_sid_to_parray_unique(mem_ctx, &aliases[i], user_grpsids,
1188 /* Get user supplementary sids. This is equivalent to the
1189 winbindd_getgroups() function but it involves a SID->SIDs mapping
1190 rather than a NAME->SID->SIDS->GIDS mapping, which means we avoid
1191 idmap. This call is designed to be used with applications that need
1192 to do ACL evaluation themselves. Note that the cached info3 data is
1195 this function assumes that the SID that comes in is a user SID. If
1196 you pass in another type of SID then you may get unpredictable
1199 enum winbindd_result winbindd_getusersids(struct winbindd_cli_state *state)
1203 DOM_SID **user_grpsids;
1204 struct winbindd_domain *domain;
1205 enum winbindd_result result = WINBINDD_ERROR;
1207 TALLOC_CTX *mem_ctx;
1210 unsigned ofs, ret_size = 0;
1212 /* Ensure null termination */
1213 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
1215 if (!string_to_sid(&user_sid, state->request.data.sid)) {
1216 DEBUG(1, ("Could not get convert sid %s from string\n", state->request.data.sid));
1217 return WINBINDD_ERROR;
1220 if (!(mem_ctx = talloc_init("winbindd_getusersids(%s)",
1221 state->request.data.username))) {
1222 return WINBINDD_ERROR;
1225 /* Get info for the domain */
1226 if ((domain = find_domain_from_sid(&user_sid)) == NULL) {
1227 DEBUG(0,("could not find domain entry for sid %s\n",
1228 sid_string_static(&user_sid)));
1232 status = domain->methods->lookup_usergroups(domain, mem_ctx,
1233 &user_sid, &num_groups,
1235 if (!NT_STATUS_IS_OK(status))
1238 if (num_groups == 0) {
1242 domain = find_our_domain();
1244 if (domain == NULL) {
1245 DEBUG(0, ("Could not find our domain\n"));
1249 /* Note that I do not check for AD or its mode. XP in a real NT4
1250 * domain also asks for this info. -- vl */
1253 uint32 *alias_rids = NULL;
1256 /* We need to include the user SID to expand */
1257 user_grpsids = TALLOC_REALLOC_ARRAY(mem_ctx, user_grpsids,
1258 DOM_SID *, num_groups+1);
1259 user_grpsids[num_groups] = &user_sid;
1261 status = domain->methods->lookup_useraliases(domain, mem_ctx,
1267 if (!NT_STATUS_IS_OK(status)) {
1268 DEBUG(3, ("Could not expand alias sids: %s\n",
1269 nt_errstr(status)));
1273 for (i=0; i<num_aliases; i++) {
1275 sid_copy(&sid, &domain->sid);
1276 sid_append_rid(&sid, alias_rids[i]);
1277 add_sid_to_parray_unique(mem_ctx, &sid, &user_grpsids,
1282 if (lp_winbind_nested_groups()) {
1284 /* num_groups is changed during the loop, that's why we have
1285 to count down here.*/
1287 for (k=num_groups-1; k>=0; k--) {
1288 add_local_sids_from_sid(mem_ctx, user_grpsids[k],
1289 &user_grpsids, &num_groups);
1292 add_local_sids_from_sid(mem_ctx, &user_sid, &user_grpsids,
1296 /* work out the response size */
1297 for (i = 0; i < num_groups; i++) {
1298 const char *s = sid_string_static(user_grpsids[i]);
1299 ret_size += strlen(s) + 1;
1302 /* build the reply */
1303 ret = SMB_MALLOC(ret_size);
1304 if (!ret) goto done;
1306 for (i = 0; i < num_groups; i++) {
1307 const char *s = sid_string_static(user_grpsids[i]);
1308 safe_strcpy(ret + ofs, s, ret_size - ofs - 1);
1309 ofs += strlen(ret+ofs) + 1;
1313 /* Send data back to client */
1314 state->response.data.num_entries = num_groups;
1315 state->response.extra_data = ret;
1316 state->response.length += ret_size;
1317 result = WINBINDD_OK;
1320 talloc_destroy(mem_ctx);