2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Gerald (Jerry) Carter 2003
6 Copyright (C) Volker Lendecke 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 /*****************************************************************
25 Dissect a user-provided name into domain, name, sid and type.
27 If an explicit domain name was given in the form domain\user, it
28 has to try that. If no explicit domain name was given, we have
30 *****************************************************************/
32 bool lookup_name(TALLOC_CTX *mem_ctx,
33 const char *full_name, int flags,
34 const char **ret_domain, const char **ret_name,
35 DOM_SID *ret_sid, enum lsa_SidType *ret_type)
39 const char *domain = NULL;
40 const char *name = NULL;
43 enum lsa_SidType type;
44 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
46 if (tmp_ctx == NULL) {
47 DEBUG(0, ("talloc_new failed\n"));
51 p = strchr_m(full_name, '\\');
54 domain = talloc_strndup(tmp_ctx, full_name,
55 PTR_DIFF(p, full_name));
56 name = talloc_strdup(tmp_ctx, p+1);
58 domain = talloc_strdup(tmp_ctx, "");
59 name = talloc_strdup(tmp_ctx, full_name);
62 if ((domain == NULL) || (name == NULL)) {
63 DEBUG(0, ("talloc failed\n"));
68 DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n",
69 full_name, domain, name));
70 DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
72 if ((flags & LOOKUP_NAME_DOMAIN) &&
73 strequal(domain, get_global_sam_name()))
76 /* It's our own domain, lookup the name in passdb */
77 if (lookup_global_sam_name(name, flags, &rid, &type)) {
78 sid_copy(&sid, get_global_sam_sid());
79 sid_append_rid(&sid, rid);
86 if ((flags & LOOKUP_NAME_BUILTIN) &&
87 strequal(domain, builtin_domain_name()))
89 /* Explicit request for a name in BUILTIN */
90 if (lookup_builtin_name(name, &rid)) {
91 sid_copy(&sid, &global_sid_Builtin);
92 sid_append_rid(&sid, rid);
93 type = SID_NAME_ALIAS;
100 /* Try the explicit winbind lookup first, don't let it guess the
101 * domain yet at this point yet. This comes later. */
103 if ((domain[0] != '\0') &&
104 (flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) &&
105 (winbind_lookup_name(domain, name, &sid, &type))) {
109 if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_users_domain_name())) {
110 if (lookup_unix_user_name(name, &sid)) {
111 type = SID_NAME_USER;
114 TALLOC_FREE(tmp_ctx);
118 if (!(flags & LOOKUP_NAME_EXPLICIT) && strequal(domain, unix_groups_domain_name())) {
119 if (lookup_unix_group_name(name, &sid)) {
120 type = SID_NAME_DOM_GRP;
123 TALLOC_FREE(tmp_ctx);
127 if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
128 TALLOC_FREE(tmp_ctx);
132 /* Now the guesswork begins, we haven't been given an explicit
133 * domain. Try the sequence as documented on
134 * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
135 * November 27, 2005 */
137 /* 1. well-known names */
139 if ((flags & LOOKUP_NAME_WKN) &&
140 lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
142 type = SID_NAME_WKN_GRP;
146 /* 2. Builtin domain as such */
148 if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) &&
149 strequal(name, builtin_domain_name()))
151 /* Swap domain and name */
152 tmp = name; name = domain; domain = tmp;
153 sid_copy(&sid, &global_sid_Builtin);
154 type = SID_NAME_DOMAIN;
158 /* 3. Account domain */
160 if ((flags & LOOKUP_NAME_DOMAIN) &&
161 strequal(name, get_global_sam_name()))
163 if (!secrets_fetch_domain_sid(name, &sid)) {
164 DEBUG(3, ("Could not fetch my SID\n"));
165 TALLOC_FREE(tmp_ctx);
168 /* Swap domain and name */
169 tmp = name; name = domain; domain = tmp;
170 type = SID_NAME_DOMAIN;
174 /* 4. Primary domain */
176 if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC &&
177 strequal(name, lp_workgroup()))
179 if (!secrets_fetch_domain_sid(name, &sid)) {
180 DEBUG(3, ("Could not fetch the domain SID\n"));
181 TALLOC_FREE(tmp_ctx);
184 /* Swap domain and name */
185 tmp = name; name = domain; domain = tmp;
186 type = SID_NAME_DOMAIN;
190 /* 5. Trusted domains as such, to me it looks as if members don't do
191 this, tested an XP workstation in a NT domain -- vl */
193 if ((flags & LOOKUP_NAME_REMOTE) && IS_DC &&
194 (secrets_fetch_trusted_domain_password(name, NULL, &sid, NULL)))
196 /* Swap domain and name */
197 tmp = name; name = domain; domain = tmp;
198 type = SID_NAME_DOMAIN;
202 /* 6. Builtin aliases */
204 if ((flags & LOOKUP_NAME_BUILTIN) &&
205 lookup_builtin_name(name, &rid))
207 domain = talloc_strdup(tmp_ctx, builtin_domain_name());
208 sid_copy(&sid, &global_sid_Builtin);
209 sid_append_rid(&sid, rid);
210 type = SID_NAME_ALIAS;
214 /* 7. Local systems' SAM (DCs don't have a local SAM) */
215 /* 8. Primary SAM (On members, this is the domain) */
217 /* Both cases are done by looking at our passdb */
219 if ((flags & LOOKUP_NAME_DOMAIN) &&
220 lookup_global_sam_name(name, flags, &rid, &type))
222 domain = talloc_strdup(tmp_ctx, get_global_sam_name());
223 sid_copy(&sid, get_global_sam_sid());
224 sid_append_rid(&sid, rid);
228 /* Now our local possibilities are exhausted. */
230 if (!(flags & LOOKUP_NAME_REMOTE)) {
231 TALLOC_FREE(tmp_ctx);
235 /* If we are not a DC, we have to ask in our primary domain. Let
236 * winbind do that. */
239 (winbind_lookup_name(lp_workgroup(), name, &sid, &type))) {
240 domain = talloc_strdup(tmp_ctx, lp_workgroup());
244 /* 9. Trusted domains */
246 /* If we're a DC we have to ask all trusted DC's. Winbind does not do
247 * that (yet), but give it a chance. */
249 if (IS_DC && winbind_lookup_name("", name, &sid, &type)) {
252 enum lsa_SidType domain_type;
254 if (type == SID_NAME_DOMAIN) {
255 /* Swap name and type */
256 tmp = name; name = domain; domain = tmp;
260 /* Here we have to cope with a little deficiency in the
261 * winbind API: We have to ask it again for the name of the
262 * domain it figured out itself. Maybe fix that later... */
264 sid_copy(&dom_sid, &sid);
265 sid_split_rid(&dom_sid, &tmp_rid);
267 if (!winbind_lookup_sid(tmp_ctx, &dom_sid, &domain, NULL,
269 (domain_type != SID_NAME_DOMAIN)) {
270 DEBUG(2, ("winbind could not find the domain's name "
271 "it just looked up for us\n"));
272 TALLOC_FREE(tmp_ctx);
278 /* 10. Don't translate */
280 /* 11. Ok, windows would end here. Samba has two more options:
281 Unmapped users and unmapped groups */
283 if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_user_name(name, &sid)) {
284 domain = talloc_strdup(tmp_ctx, unix_users_domain_name());
285 type = SID_NAME_USER;
289 if (!(flags & LOOKUP_NAME_EXPLICIT) && lookup_unix_group_name(name, &sid)) {
290 domain = talloc_strdup(tmp_ctx, unix_groups_domain_name());
291 type = SID_NAME_DOM_GRP;
296 * Ok, all possibilities tried. Fail.
299 TALLOC_FREE(tmp_ctx);
303 if ((domain == NULL) || (name == NULL)) {
304 DEBUG(0, ("talloc failed\n"));
305 TALLOC_FREE(tmp_ctx);
310 * Hand over the results to the talloc context we've been given.
313 if ((ret_name != NULL) &&
314 !(*ret_name = talloc_strdup(mem_ctx, name))) {
315 DEBUG(0, ("talloc failed\n"));
316 TALLOC_FREE(tmp_ctx);
320 if (ret_domain != NULL) {
322 if (!(tmp_dom = talloc_strdup(mem_ctx, domain))) {
323 DEBUG(0, ("talloc failed\n"));
324 TALLOC_FREE(tmp_ctx);
328 *ret_domain = tmp_dom;
331 if (ret_sid != NULL) {
332 sid_copy(ret_sid, &sid);
335 if (ret_type != NULL) {
339 TALLOC_FREE(tmp_ctx);
343 /************************************************************************
344 Names from smb.conf can be unqualified. eg. valid users = foo
345 These names should never map to a remote name. Try global_sam_name()\foo,
346 and then "Unix Users"\foo (or "Unix Groups"\foo).
347 ************************************************************************/
349 bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
350 const char *full_name, int flags,
351 const char **ret_domain, const char **ret_name,
352 DOM_SID *ret_sid, enum lsa_SidType *ret_type)
354 char *qualified_name;
357 /* NB. No winbindd_separator here as lookup_name needs \\' */
358 if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
360 /* The name is already qualified with a domain. */
362 if (*lp_winbind_separator() != '\\') {
365 /* lookup_name() needs '\\' as a separator */
367 tmp = talloc_strdup(mem_ctx, full_name);
371 tmp[p - full_name] = '\\';
375 return lookup_name(mem_ctx, full_name, flags,
376 ret_domain, ret_name,
380 /* Try with our own SAM name. */
381 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
382 get_global_sam_name(),
384 if (!qualified_name) {
388 if (lookup_name(mem_ctx, qualified_name, flags,
389 ret_domain, ret_name,
390 ret_sid, ret_type)) {
394 /* Finally try with "Unix Users" or "Unix Group" */
395 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
396 flags & LOOKUP_NAME_GROUP ?
397 unix_groups_domain_name() :
398 unix_users_domain_name(),
400 if (!qualified_name) {
404 return lookup_name(mem_ctx, qualified_name, flags,
405 ret_domain, ret_name,
409 static bool wb_lookup_rids(TALLOC_CTX *mem_ctx,
410 const DOM_SID *domain_sid,
411 int num_rids, uint32 *rids,
412 const char **domain_name,
413 const char **names, enum lsa_SidType *types)
416 const char **my_names;
417 enum lsa_SidType *my_types;
420 if (!(tmp_ctx = talloc_init("wb_lookup_rids"))) {
424 if (!winbind_lookup_rids(tmp_ctx, domain_sid, num_rids, rids,
425 domain_name, &my_names, &my_types)) {
427 for (i=0; i<num_rids; i++) {
429 types[i] = SID_NAME_UNKNOWN;
431 TALLOC_FREE(tmp_ctx);
435 if (!(*domain_name = talloc_strdup(mem_ctx, *domain_name))) {
436 TALLOC_FREE(tmp_ctx);
441 * winbind_lookup_rids allocates its own array. We've been given the
442 * array, so copy it over
445 for (i=0; i<num_rids; i++) {
446 if (my_names[i] == NULL) {
447 TALLOC_FREE(tmp_ctx);
450 if (!(names[i] = talloc_strdup(names, my_names[i]))) {
451 TALLOC_FREE(tmp_ctx);
454 types[i] = my_types[i];
456 TALLOC_FREE(tmp_ctx);
460 static bool lookup_rids(TALLOC_CTX *mem_ctx, const DOM_SID *domain_sid,
461 int num_rids, uint32_t *rids,
462 const char **domain_name,
463 const char ***names, enum lsa_SidType **types)
468 *names = TALLOC_ARRAY(mem_ctx, const char *, num_rids);
469 *types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids);
471 if ((*names == NULL) || (*types == NULL)) {
479 if (sid_check_is_domain(domain_sid)) {
482 if (*domain_name == NULL) {
483 *domain_name = talloc_strdup(
484 mem_ctx, get_global_sam_name());
487 if (*domain_name == NULL) {
492 result = pdb_lookup_rids(domain_sid, num_rids, rids,
496 return (NT_STATUS_IS_OK(result) ||
497 NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) ||
498 NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED));
501 if (sid_check_is_builtin(domain_sid)) {
503 if (*domain_name == NULL) {
504 *domain_name = talloc_strdup(
505 mem_ctx, builtin_domain_name());
508 if (*domain_name == NULL) {
512 for (i=0; i<num_rids; i++) {
513 if (lookup_builtin_rid(*names, rids[i],
515 if ((*names)[i] == NULL) {
518 (*types)[i] = SID_NAME_ALIAS;
520 (*types)[i] = SID_NAME_UNKNOWN;
526 if (sid_check_is_wellknown_domain(domain_sid, NULL)) {
527 for (i=0; i<num_rids; i++) {
529 sid_copy(&sid, domain_sid);
530 sid_append_rid(&sid, rids[i]);
531 if (lookup_wellknown_sid(mem_ctx, &sid,
532 domain_name, &(*names)[i])) {
533 if ((*names)[i] == NULL) {
536 (*types)[i] = SID_NAME_WKN_GRP;
538 (*types)[i] = SID_NAME_UNKNOWN;
544 if (sid_check_is_unix_users(domain_sid)) {
545 if (*domain_name == NULL) {
546 *domain_name = talloc_strdup(
547 mem_ctx, unix_users_domain_name());
549 for (i=0; i<num_rids; i++) {
550 (*names)[i] = talloc_strdup(
551 (*names), uidtoname(rids[i]));
552 (*types)[i] = SID_NAME_USER;
557 if (sid_check_is_unix_groups(domain_sid)) {
558 if (*domain_name == NULL) {
559 *domain_name = talloc_strdup(
560 mem_ctx, unix_groups_domain_name());
562 for (i=0; i<num_rids; i++) {
563 (*names)[i] = talloc_strdup(
564 (*names), gidtoname(rids[i]));
565 (*types)[i] = SID_NAME_DOM_GRP;
570 return wb_lookup_rids(mem_ctx, domain_sid, num_rids, rids,
571 domain_name, *names, *types);
575 * Is the SID a domain as such? If yes, lookup its name.
578 static bool lookup_as_domain(const DOM_SID *sid, TALLOC_CTX *mem_ctx,
582 enum lsa_SidType type;
584 if (sid_check_is_domain(sid)) {
585 *name = talloc_strdup(mem_ctx, get_global_sam_name());
589 if (sid_check_is_builtin(sid)) {
590 *name = talloc_strdup(mem_ctx, builtin_domain_name());
594 if (sid_check_is_wellknown_domain(sid, &tmp)) {
595 *name = talloc_strdup(mem_ctx, tmp);
599 if (sid->num_auths != 4) {
600 /* This can't be a domain */
605 uint32 i, num_domains;
606 struct trustdom_info **domains;
608 /* This is relatively expensive, but it happens only on DCs
609 * and for SIDs that have 4 sub-authorities and thus look like
612 if (!NT_STATUS_IS_OK(pdb_enum_trusteddoms(mem_ctx,
618 for (i=0; i<num_domains; i++) {
619 if (sid_equal(sid, &domains[i]->sid)) {
620 *name = talloc_strdup(mem_ctx,
628 if (winbind_lookup_sid(mem_ctx, sid, &tmp, NULL, &type) &&
629 (type == SID_NAME_DOMAIN)) {
638 * This tries to implement the rather weird rules for the lsa_lookup level
641 * This is as close as we can get to what W2k3 does. With this we survive the
642 * RPC-LSALOOKUP samba4 test as of 2006-01-08. NT4 as a PDC is a bit more
643 * different, but I assume that's just being too liberal. For example, W2k3
644 * replies to everything else but the levels 1-6 with INVALID_PARAMETER
645 * whereas NT4 does the same as level 1 (I think). I did not fully test that
646 * with NT4, this is what w2k3 does.
648 * Level 1: Ask everywhere
649 * Level 2: Ask domain and trusted domains, no builtin and wkn
650 * Level 3: Only ask domain
651 * Level 4: W2k3ad: Only ask AD trusts
652 * Level 5: Only ask transitive forest trusts
656 static bool check_dom_sid_to_level(const DOM_SID *sid, int level)
665 ret = (!sid_check_is_builtin(sid) &&
666 !sid_check_is_wellknown_domain(sid, NULL));
671 ret = sid_check_is_domain(sid);
678 DEBUG(10, ("%s SID %s in level %d\n",
679 ret ? "Accepting" : "Rejecting",
680 sid_string_static(sid), level));
685 * Lookup a bunch of SIDs. This is modeled after lsa_lookup_sids with
686 * references to domains, it is explicitly made for this.
688 * This attempts to be as efficient as possible: It collects all SIDs
689 * belonging to a domain and hands them in bulk to the appropriate lookup
690 * function. In particular pdb_lookup_rids with ldapsam_trusted benefits
691 * *hugely* from this. Winbind is going to be extended with a lookup_rids
692 * interface as well, so on a DC we can do a bulk lsa_lookuprids to the
696 NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids,
697 const DOM_SID **sids, int level,
698 struct lsa_dom_info **ret_domains,
699 struct lsa_name_info **ret_names)
702 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
703 struct lsa_name_info *name_infos;
704 struct lsa_dom_info *dom_infos = NULL;
708 if (!(tmp_ctx = talloc_new(mem_ctx))) {
709 DEBUG(0, ("talloc_new failed\n"));
710 return NT_STATUS_NO_MEMORY;
714 name_infos = TALLOC_ARRAY(mem_ctx, struct lsa_name_info, num_sids);
715 if (name_infos == NULL) {
716 result = NT_STATUS_NO_MEMORY;
723 dom_infos = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_dom_info,
725 if (dom_infos == NULL) {
726 result = NT_STATUS_NO_MEMORY;
730 /* First build up the data structures:
732 * dom_infos is a list of domains referenced in the list of
733 * SIDs. Later we will walk the list of domains and look up the RIDs
736 * name_infos is a shadow-copy of the SIDs array to collect the real
739 * dom_info->idxs is an index into the name_infos array. The
740 * difficulty we have here is that we need to keep the SIDs the client
741 * asked for in the same order for the reply
744 for (i=0; i<num_sids; i++) {
747 const char *domain_name = NULL;
749 sid_copy(&sid, sids[i]);
750 name_infos[i].type = SID_NAME_USE_NONE;
752 if (lookup_as_domain(&sid, name_infos, &domain_name)) {
753 /* We can't push that through the normal lookup
754 * process, as this would reference illegal
757 * For example S-1-5-32 would end up referencing
758 * domain S-1-5- with RID 32 which is clearly wrong.
760 if (domain_name == NULL) {
761 result = NT_STATUS_NO_MEMORY;
765 name_infos[i].rid = 0;
766 name_infos[i].type = SID_NAME_DOMAIN;
767 name_infos[i].name = NULL;
769 if (sid_check_is_builtin(&sid)) {
770 /* Yes, W2k3 returns "BUILTIN" both as domain
772 name_infos[i].name = talloc_strdup(
773 name_infos, builtin_domain_name());
774 if (name_infos[i].name == NULL) {
775 result = NT_STATUS_NO_MEMORY;
780 /* This is a normal SID with rid component */
781 if (!sid_split_rid(&sid, &rid)) {
782 result = NT_STATUS_INVALID_PARAMETER;
787 if (!check_dom_sid_to_level(&sid, level)) {
788 name_infos[i].rid = 0;
789 name_infos[i].type = SID_NAME_UNKNOWN;
790 name_infos[i].name = NULL;
794 for (j=0; j<MAX_REF_DOMAINS; j++) {
795 if (!dom_infos[j].valid) {
798 if (sid_equal(&sid, &dom_infos[j].sid)) {
803 if (j == MAX_REF_DOMAINS) {
804 /* TODO: What's the right error message here? */
805 result = NT_STATUS_NONE_MAPPED;
809 if (!dom_infos[j].valid) {
810 /* We found a domain not yet referenced, create a new
812 dom_infos[j].valid = true;
813 sid_copy(&dom_infos[j].sid, &sid);
815 if (domain_name != NULL) {
816 /* This name was being found above in the case
817 * when we found a domain SID */
819 talloc_strdup(dom_infos, domain_name);
820 if (dom_infos[j].name == NULL) {
821 result = NT_STATUS_NO_MEMORY;
825 /* lookup_rids will take care of this */
826 dom_infos[j].name = NULL;
830 name_infos[i].dom_idx = j;
832 if (name_infos[i].type == SID_NAME_USE_NONE) {
833 name_infos[i].rid = rid;
835 ADD_TO_ARRAY(dom_infos, int, i, &dom_infos[j].idxs,
836 &dom_infos[j].num_idxs);
838 if (dom_infos[j].idxs == NULL) {
839 result = NT_STATUS_NO_MEMORY;
845 /* Iterate over the domains found */
847 for (i=0; i<MAX_REF_DOMAINS; i++) {
849 const char *domain_name = NULL;
851 enum lsa_SidType *types;
852 struct lsa_dom_info *dom = &dom_infos[i];
855 /* No domains left, we're done */
860 if (!(rids = TALLOC_ARRAY(tmp_ctx, uint32, dom->num_idxs))) {
861 result = NT_STATUS_NO_MEMORY;
868 for (j=0; j<dom->num_idxs; j++) {
869 rids[j] = name_infos[dom->idxs[j]].rid;
872 if (!lookup_rids(tmp_ctx, &dom->sid,
873 dom->num_idxs, rids, &domain_name,
875 result = NT_STATUS_NO_MEMORY;
879 if (!(dom->name = talloc_strdup(dom_infos, domain_name))) {
880 result = NT_STATUS_NO_MEMORY;
884 for (j=0; j<dom->num_idxs; j++) {
885 int idx = dom->idxs[j];
886 name_infos[idx].type = types[j];
887 if (types[j] != SID_NAME_UNKNOWN) {
888 name_infos[idx].name =
889 talloc_strdup(name_infos, names[j]);
890 if (name_infos[idx].name == NULL) {
891 result = NT_STATUS_NO_MEMORY;
895 name_infos[idx].name = NULL;
900 *ret_domains = dom_infos;
901 *ret_names = name_infos;
902 TALLOC_FREE(tmp_ctx);
906 TALLOC_FREE(dom_infos);
907 TALLOC_FREE(name_infos);
908 TALLOC_FREE(tmp_ctx);
912 /*****************************************************************
913 *THE CANONICAL* convert SID to name function.
914 *****************************************************************/
916 bool lookup_sid(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
917 const char **ret_domain, const char **ret_name,
918 enum lsa_SidType *ret_type)
920 struct lsa_dom_info *domain;
921 struct lsa_name_info *name;
925 if (!(tmp_ctx = talloc_new(mem_ctx))) {
926 DEBUG(0, ("talloc_new failed\n"));
930 if (!NT_STATUS_IS_OK(lookup_sids(tmp_ctx, 1, &sid, 1,
935 if (name->type == SID_NAME_UNKNOWN) {
939 if ((ret_domain != NULL) &&
940 !(*ret_domain = talloc_strdup(mem_ctx, domain->name))) {
944 if ((ret_name != NULL) &&
945 !(*ret_name = talloc_strdup(mem_ctx, name->name))) {
949 if (ret_type != NULL) {
950 *ret_type = name->type;
957 DEBUG(10, ("Sid %s -> %s\\%s(%d)\n",
958 sid_string_static(sid), domain->name,
959 name->name, name->type));
961 DEBUG(10, ("failed to lookup sid %s\n",
962 sid_string_static(sid)));
964 TALLOC_FREE(tmp_ctx);
968 /*****************************************************************
969 Id mapping cache. This is to avoid Winbind mappings already
970 seen by smbd to be queried too frequently, keeping winbindd
971 busy, and blocking smbd while winbindd is busy with other
972 stuff. Written by Michael Steffens <michael.steffens@hp.com>,
973 modified to use linked lists by jra.
974 *****************************************************************/
976 #define MAX_UID_SID_CACHE_SIZE 100
977 #define TURNOVER_UID_SID_CACHE_SIZE 10
978 #define MAX_GID_SID_CACHE_SIZE 100
979 #define TURNOVER_GID_SID_CACHE_SIZE 10
981 static size_t n_uid_sid_cache = 0;
982 static size_t n_gid_sid_cache = 0;
984 static struct uid_sid_cache {
985 struct uid_sid_cache *next, *prev;
988 enum lsa_SidType sidtype;
989 } *uid_sid_cache_head;
991 static struct gid_sid_cache {
992 struct gid_sid_cache *next, *prev;
995 enum lsa_SidType sidtype;
996 } *gid_sid_cache_head;
998 /*****************************************************************
999 Find a SID given a uid.
1000 *****************************************************************/
1002 static bool fetch_sid_from_uid_cache(DOM_SID *psid, uid_t uid)
1004 struct uid_sid_cache *pc;
1006 for (pc = uid_sid_cache_head; pc; pc = pc->next) {
1007 if (pc->uid == uid) {
1009 DEBUG(3,("fetch sid from uid cache %u -> %s\n",
1010 (unsigned int)uid, sid_string_static(psid)));
1011 DLIST_PROMOTE(uid_sid_cache_head, pc);
1018 /*****************************************************************
1019 Find a uid given a SID.
1020 *****************************************************************/
1022 static bool fetch_uid_from_cache( uid_t *puid, const DOM_SID *psid )
1024 struct uid_sid_cache *pc;
1026 for (pc = uid_sid_cache_head; pc; pc = pc->next) {
1027 if (sid_compare(&pc->sid, psid) == 0) {
1029 DEBUG(3,("fetch uid from cache %u -> %s\n",
1030 (unsigned int)*puid, sid_string_static(psid)));
1031 DLIST_PROMOTE(uid_sid_cache_head, pc);
1038 /*****************************************************************
1039 Store uid to SID mapping in cache.
1040 *****************************************************************/
1042 void store_uid_sid_cache(const DOM_SID *psid, uid_t uid)
1044 struct uid_sid_cache *pc;
1046 /* do not store SIDs in the "Unix Group" domain */
1048 if ( sid_check_is_in_unix_users( psid ) )
1051 if (n_uid_sid_cache >= MAX_UID_SID_CACHE_SIZE && n_uid_sid_cache > TURNOVER_UID_SID_CACHE_SIZE) {
1052 /* Delete the last TURNOVER_UID_SID_CACHE_SIZE entries. */
1053 struct uid_sid_cache *pc_next;
1056 for (i = 0, pc = uid_sid_cache_head; i < (n_uid_sid_cache - TURNOVER_UID_SID_CACHE_SIZE); i++, pc = pc->next)
1058 for(; pc; pc = pc_next) {
1060 DLIST_REMOVE(uid_sid_cache_head,pc);
1066 pc = SMB_MALLOC_P(struct uid_sid_cache);
1070 sid_copy(&pc->sid, psid);
1071 DLIST_ADD(uid_sid_cache_head, pc);
1075 /*****************************************************************
1076 Find a SID given a gid.
1077 *****************************************************************/
1079 static bool fetch_sid_from_gid_cache(DOM_SID *psid, gid_t gid)
1081 struct gid_sid_cache *pc;
1083 for (pc = gid_sid_cache_head; pc; pc = pc->next) {
1084 if (pc->gid == gid) {
1086 DEBUG(3,("fetch sid from gid cache %u -> %s\n",
1087 (unsigned int)gid, sid_string_static(psid)));
1088 DLIST_PROMOTE(gid_sid_cache_head, pc);
1095 /*****************************************************************
1096 Find a gid given a SID.
1097 *****************************************************************/
1099 static bool fetch_gid_from_cache(gid_t *pgid, const DOM_SID *psid)
1101 struct gid_sid_cache *pc;
1103 for (pc = gid_sid_cache_head; pc; pc = pc->next) {
1104 if (sid_compare(&pc->sid, psid) == 0) {
1106 DEBUG(3,("fetch gid from cache %u -> %s\n",
1107 (unsigned int)*pgid, sid_string_static(psid)));
1108 DLIST_PROMOTE(gid_sid_cache_head, pc);
1115 /*****************************************************************
1116 Store gid to SID mapping in cache.
1117 *****************************************************************/
1119 void store_gid_sid_cache(const DOM_SID *psid, gid_t gid)
1121 struct gid_sid_cache *pc;
1123 /* do not store SIDs in the "Unix Group" domain */
1125 if ( sid_check_is_in_unix_groups( psid ) )
1128 if (n_gid_sid_cache >= MAX_GID_SID_CACHE_SIZE && n_gid_sid_cache > TURNOVER_GID_SID_CACHE_SIZE) {
1129 /* Delete the last TURNOVER_GID_SID_CACHE_SIZE entries. */
1130 struct gid_sid_cache *pc_next;
1133 for (i = 0, pc = gid_sid_cache_head; i < (n_gid_sid_cache - TURNOVER_GID_SID_CACHE_SIZE); i++, pc = pc->next)
1135 for(; pc; pc = pc_next) {
1137 DLIST_REMOVE(gid_sid_cache_head,pc);
1143 pc = SMB_MALLOC_P(struct gid_sid_cache);
1147 sid_copy(&pc->sid, psid);
1148 DLIST_ADD(gid_sid_cache_head, pc);
1150 DEBUG(3,("store_gid_sid_cache: gid %u in cache -> %s\n", (unsigned int)gid,
1151 sid_string_static(psid)));
1156 /*****************************************************************
1157 *THE LEGACY* convert uid_t to SID function.
1158 *****************************************************************/
1160 static void legacy_uid_to_sid(DOM_SID *psid, uid_t uid)
1168 ret = pdb_uid_to_rid(uid, &rid);
1172 /* This is a mapped user */
1173 sid_copy(psid, get_global_sam_sid());
1174 sid_append_rid(psid, rid);
1178 /* This is an unmapped user */
1180 uid_to_unix_users_sid(uid, psid);
1183 DEBUG(10,("LEGACY: uid %u -> sid %s\n", (unsigned int)uid,
1184 sid_string_static(psid)));
1186 store_uid_sid_cache(psid, uid);
1190 /*****************************************************************
1191 *THE LEGACY* convert gid_t to SID function.
1192 *****************************************************************/
1194 static void legacy_gid_to_sid(DOM_SID *psid, gid_t gid)
1201 ret = pdb_gid_to_sid(gid, psid);
1205 /* This is a mapped group */
1209 /* This is an unmapped group */
1211 gid_to_unix_groups_sid(gid, psid);
1214 DEBUG(10,("LEGACY: gid %u -> sid %s\n", (unsigned int)gid,
1215 sid_string_static(psid)));
1217 store_gid_sid_cache(psid, gid);
1221 /*****************************************************************
1222 *THE LEGACY* convert SID to uid function.
1223 *****************************************************************/
1225 static bool legacy_sid_to_uid(const DOM_SID *psid, uid_t *puid)
1227 enum lsa_SidType type;
1230 if (sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
1235 ret = pdb_sid_to_id(psid, &id, &type);
1239 if (type != SID_NAME_USER) {
1240 DEBUG(5, ("sid %s is a %s, expected a user\n",
1241 sid_string_static(psid),
1242 sid_type_lookup(type)));
1249 /* This was ours, but it was not mapped. Fail */
1252 DEBUG(10,("LEGACY: mapping failed for sid %s\n", sid_string_static(psid)));
1256 DEBUG(10,("LEGACY: sid %s -> uid %u\n", sid_string_static(psid),
1257 (unsigned int)*puid ));
1259 store_uid_sid_cache(psid, *puid);
1263 /*****************************************************************
1264 *THE LEGACY* convert SID to gid function.
1265 Group mapping is used for gids that maps to Wellknown SIDs
1266 *****************************************************************/
1268 static bool legacy_sid_to_gid(const DOM_SID *psid, gid_t *pgid)
1273 enum lsa_SidType type;
1275 if ((sid_check_is_in_builtin(psid) ||
1276 sid_check_is_in_wellknown_domain(psid))) {
1280 ret = pdb_getgrsid(&map, *psid);
1287 DEBUG(10,("LEGACY: mapping failed for sid %s\n", sid_string_static(psid)));
1291 if (sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
1295 ret = pdb_sid_to_id(psid, &id, &type);
1299 if ((type != SID_NAME_DOM_GRP) &&
1300 (type != SID_NAME_ALIAS)) {
1301 DEBUG(5, ("LEGACY: sid %s is a %s, expected a group\n",
1302 sid_string_static(psid),
1303 sid_type_lookup(type)));
1310 /* This was ours, but it was not mapped. Fail */
1313 DEBUG(10,("LEGACY: mapping failed for sid %s\n", sid_string_static(psid)));
1317 DEBUG(10,("LEGACY: sid %s -> gid %u\n", sid_string_static(psid),
1318 (unsigned int)*pgid ));
1320 store_gid_sid_cache(psid, *pgid);
1325 /*****************************************************************
1326 *THE CANONICAL* convert uid_t to SID function.
1327 *****************************************************************/
1329 void uid_to_sid(DOM_SID *psid, uid_t uid)
1333 if (fetch_sid_from_uid_cache(psid, uid))
1336 if (!winbind_uid_to_sid(psid, uid)) {
1337 if (!winbind_ping()) {
1338 legacy_uid_to_sid(psid, uid);
1342 DEBUG(5, ("uid_to_sid: winbind failed to find a sid for uid %u\n",
1347 DEBUG(10,("uid %u -> sid %s\n",
1348 (unsigned int)uid, sid_string_static(psid)));
1350 store_uid_sid_cache(psid, uid);
1354 /*****************************************************************
1355 *THE CANONICAL* convert gid_t to SID function.
1356 *****************************************************************/
1358 void gid_to_sid(DOM_SID *psid, gid_t gid)
1362 if (fetch_sid_from_gid_cache(psid, gid))
1365 if (!winbind_gid_to_sid(psid, gid)) {
1366 if (!winbind_ping()) {
1367 legacy_gid_to_sid(psid, gid);
1371 DEBUG(5, ("gid_to_sid: winbind failed to find a sid for gid %u\n",
1376 DEBUG(10,("gid %u -> sid %s\n",
1377 (unsigned int)gid, sid_string_static(psid)));
1379 store_gid_sid_cache(psid, gid);
1383 /*****************************************************************
1384 *THE CANONICAL* convert SID to uid function.
1385 *****************************************************************/
1387 bool sid_to_uid(const DOM_SID *psid, uid_t *puid)
1392 if (fetch_uid_from_cache(puid, psid))
1395 if (fetch_gid_from_cache(&gid, psid)) {
1399 /* Optimize for the Unix Users Domain
1400 * as the conversion is straightforward */
1401 if (sid_peek_check_rid(&global_sid_Unix_Users, psid, &rid)) {
1405 /* return here, don't cache */
1406 DEBUG(10,("sid %s -> uid %u\n", sid_string_static(psid),
1407 (unsigned int)*puid ));
1411 if (!winbind_sid_to_uid(puid, psid)) {
1412 if (!winbind_ping()) {
1413 return legacy_sid_to_uid(psid, puid);
1416 DEBUG(5, ("winbind failed to find a uid for sid %s\n",
1417 sid_string_static(psid)));
1421 /* TODO: Here would be the place to allocate both a gid and a uid for
1422 * the SID in question */
1424 DEBUG(10,("sid %s -> uid %u\n", sid_string_static(psid),
1425 (unsigned int)*puid ));
1427 store_uid_sid_cache(psid, *puid);
1431 /*****************************************************************
1432 *THE CANONICAL* convert SID to gid function.
1433 Group mapping is used for gids that maps to Wellknown SIDs
1434 *****************************************************************/
1436 bool sid_to_gid(const DOM_SID *psid, gid_t *pgid)
1441 if (fetch_gid_from_cache(pgid, psid))
1444 if (fetch_uid_from_cache(&uid, psid))
1447 /* Optimize for the Unix Groups Domain
1448 * as the conversion is straightforward */
1449 if (sid_peek_check_rid(&global_sid_Unix_Groups, psid, &rid)) {
1453 /* return here, don't cache */
1454 DEBUG(10,("sid %s -> gid %u\n", sid_string_static(psid),
1455 (unsigned int)*pgid ));
1459 /* Ask winbindd if it can map this sid to a gid.
1460 * (Idmap will check it is a valid SID and of the right type) */
1462 if ( !winbind_sid_to_gid(pgid, psid) ) {
1463 if (!winbind_ping()) {
1464 return legacy_sid_to_gid(psid, pgid);
1467 DEBUG(10,("winbind failed to find a gid for sid %s\n",
1468 sid_string_static(psid)));
1472 DEBUG(10,("sid %s -> gid %u\n", sid_string_static(psid),
1473 (unsigned int)*pgid ));
1475 store_gid_sid_cache(psid, *pgid);
git.samba.org / metze / samba / wip.git / blob