2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2000,
5 * Copyright (C) Jean François Micouleau 1998-2001.
6 * Copyright (C) Gerald Carter 2003,
7 * Copyright (C) Volker Lendecke 2004
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 #include "utils/net.h"
27 /*********************************************************
28 Figure out if the input was an NT group or a SID string.
30 **********************************************************/
31 static bool get_sid_from_input(DOM_SID *sid, char *input)
35 if (StrnCaseCmp( input, "S-", 2)) {
36 /* Perhaps its the NT group name? */
37 if (!pdb_getgrnam(&map, input)) {
38 printf(_("NT Group %s doesn't exist in mapping DB\n"),
45 if (!string_to_sid(sid, input)) {
46 printf(_("converting sid %s from a string failed!\n"),
54 /*********************************************************
55 Dump a GROUP_MAP entry to stdout (long or short listing)
56 **********************************************************/
58 static void print_map_entry ( GROUP_MAP map, bool long_list )
61 d_printf("%s (%s) -> %s\n", map.nt_name,
62 sid_string_tos(&map.sid), gidtoname(map.gid));
64 d_printf("%s\n", map.nt_name);
65 d_printf(_("\tSID : %s\n"), sid_string_tos(&map.sid));
66 d_printf(_("\tUnix gid : %u\n"), (unsigned int)map.gid);
67 d_printf(_("\tUnix group: %s\n"), gidtoname(map.gid));
68 d_printf(_("\tGroup type: %s\n"),
69 sid_type_lookup(map.sid_name_use));
70 d_printf(_("\tComment : %s\n"), map.comment);
74 /*********************************************************
76 **********************************************************/
77 static int net_groupmap_list(struct net_context *c, int argc, const char **argv)
80 bool long_list = false;
83 fstring sid_string = "";
84 const char list_usage_str[] = N_("net groupmap list [verbose] "
85 "[ntgroup=NT group] [sid=SID]\n"
86 " verbose\tPrint verbose list\n"
87 " ntgroup\tNT group to list\n"
88 " sid\tSID of group to list");
90 if (c->display_usage) {
91 d_printf(_("Usage:\n%s\n"), list_usage_str);
95 if (c->opt_verbose || c->opt_long_list_entries)
99 for ( i=0; i<argc; i++ ) {
100 if ( !StrCaseCmp(argv[i], "verbose")) {
103 else if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
104 fstrcpy( ntgroup, get_string_param( argv[i] ) );
106 d_fprintf(stderr, _("must supply a name\n"));
110 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
111 fstrcpy( sid_string, get_string_param( argv[i] ) );
112 if ( !sid_string[0] ) {
113 d_fprintf(stderr, _("must supply a SID\n"));
118 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
119 d_printf("Usage:\n%s\n", list_usage_str);
124 /* list a single group is given a name */
125 if ( ntgroup[0] || sid_string[0] ) {
130 fstrcpy( ntgroup, sid_string);
132 if (!get_sid_from_input(&sid, ntgroup)) {
136 /* Get the current mapping from the database */
137 if(!pdb_getgrsid(&map, sid)) {
139 _("Failure to local group SID in the "
144 print_map_entry( map, long_list );
148 /* enumerate all group mappings */
149 if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED))
152 for (i=0; i<entries; i++) {
153 print_map_entry( map[i], long_list );
162 /*********************************************************
163 Add a new group mapping entry
164 **********************************************************/
166 static int net_groupmap_add(struct net_context *c, int argc, const char **argv)
169 fstring ntgroup = "";
170 fstring unixgrp = "";
171 fstring string_sid = "";
173 fstring ntcomment = "";
174 enum lsa_SidType sid_type = SID_NAME_DOM_GRP;
180 const char *name_type;
181 const char add_usage_str[] = N_("net groupmap add "
182 "{rid=<int>|sid=<string>}"
183 " unixgroup=<string> "
184 "[type=<domain|local|builtin>] "
185 "[ntgroup=<string>] "
186 "[comment=<string>]");
190 /* Default is domain group. */
191 map.sid_name_use = SID_NAME_DOM_GRP;
192 name_type = "domain group";
194 if (c->display_usage) {
195 d_printf(_("Usage\n%s\n"), add_usage_str);
199 /* get the options */
200 for ( i=0; i<argc; i++ ) {
201 if ( !StrnCaseCmp(argv[i], "rid", strlen("rid")) ) {
202 rid = get_int_param(argv[i]);
203 if ( rid < DOMAIN_GROUP_RID_ADMINS ) {
205 _("RID must be greater than %d\n"),
206 (uint32)DOMAIN_GROUP_RID_ADMINS-1);
210 else if ( !StrnCaseCmp(argv[i], "unixgroup", strlen("unixgroup")) ) {
211 fstrcpy( unixgrp, get_string_param( argv[i] ) );
213 d_fprintf(stderr,_( "must supply a name\n"));
217 else if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
218 fstrcpy( ntgroup, get_string_param( argv[i] ) );
220 d_fprintf(stderr, _("must supply a name\n"));
224 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
225 fstrcpy( string_sid, get_string_param( argv[i] ) );
226 if ( !string_sid[0] ) {
227 d_fprintf(stderr, _("must supply a SID\n"));
231 else if ( !StrnCaseCmp(argv[i], "comment", strlen("comment")) ) {
232 fstrcpy( ntcomment, get_string_param( argv[i] ) );
233 if ( !ntcomment[0] ) {
235 _("must supply a comment string\n"));
239 else if ( !StrnCaseCmp(argv[i], "type", strlen("type")) ) {
240 fstrcpy( type, get_string_param( argv[i] ) );
244 sid_type = SID_NAME_WKN_GRP;
245 name_type = "wellknown group";
249 sid_type = SID_NAME_DOM_GRP;
250 name_type = "domain group";
254 sid_type = SID_NAME_ALIAS;
255 name_type = "alias (local) group";
259 _("unknown group type %s\n"),
265 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
271 d_printf(_("Usage:\n%s\n"), add_usage_str);
275 if ( (gid = nametogid(unixgrp)) == (gid_t)-1 ) {
276 d_fprintf(stderr, _("Can't lookup UNIX group %s\n"), unixgrp);
281 if (pdb_getgrgid(&map, gid)) {
282 d_printf(_("Unix group %s already mapped to SID %s\n"),
283 unixgrp, sid_string_tos(&map.sid));
288 if ( (rid == 0) && (string_sid[0] == '\0') ) {
289 d_printf(_("No rid or sid specified, choosing a RID\n"));
290 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
291 if (!pdb_new_rid(&rid)) {
292 d_printf(_("Could not get new RID\n"));
295 rid = algorithmic_pdb_gid_to_group_rid(gid);
297 d_printf(_("Got RID %d\n"), rid);
300 /* append the rid to our own domain/machine SID if we don't have a full SID */
301 if ( !string_sid[0] ) {
302 sid_copy(&sid, get_global_sam_sid());
303 sid_append_rid(&sid, rid);
304 sid_to_fstring(string_sid, &sid);
309 case SID_NAME_WKN_GRP:
310 fstrcpy(ntcomment, "Wellknown Unix group");
312 case SID_NAME_DOM_GRP:
313 fstrcpy(ntcomment, "Domain Unix group");
316 fstrcpy(ntcomment, "Local Unix group");
319 fstrcpy(ntcomment, "Unix group");
325 fstrcpy( ntgroup, unixgrp );
327 if (!NT_STATUS_IS_OK(add_initial_entry(gid, string_sid, sid_type, ntgroup, ntcomment))) {
328 d_fprintf(stderr, _("adding entry for group %s failed!\n"), ntgroup);
332 d_printf(_("Successfully added group %s to the mapping db as a %s\n"),
337 static int net_groupmap_modify(struct net_context *c, int argc, const char **argv)
341 fstring ntcomment = "";
343 fstring ntgroup = "";
344 fstring unixgrp = "";
345 fstring sid_string = "";
346 enum lsa_SidType sid_type = SID_NAME_UNKNOWN;
349 const char modify_usage_str[] = N_("net groupmap modify "
350 "{ntgroup=<string>|sid=<SID>} "
351 "[comment=<string>] "
352 "[unixgroup=<string>] "
353 "[type=<domain|local>]");
355 if (c->display_usage) {
356 d_printf(_("Usage:\n%s\n"), modify_usage_str);
360 /* get the options */
361 for ( i=0; i<argc; i++ ) {
362 if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
363 fstrcpy( ntgroup, get_string_param( argv[i] ) );
365 d_fprintf(stderr, _("must supply a name\n"));
369 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
370 fstrcpy( sid_string, get_string_param( argv[i] ) );
371 if ( !sid_string[0] ) {
372 d_fprintf(stderr, _("must supply a name\n"));
376 else if ( !StrnCaseCmp(argv[i], "comment", strlen("comment")) ) {
377 fstrcpy( ntcomment, get_string_param( argv[i] ) );
378 if ( !ntcomment[0] ) {
380 _("must supply a comment string\n"));
384 else if ( !StrnCaseCmp(argv[i], "unixgroup", strlen("unixgroup")) ) {
385 fstrcpy( unixgrp, get_string_param( argv[i] ) );
388 _("must supply a group name\n"));
392 else if ( !StrnCaseCmp(argv[i], "type", strlen("type")) ) {
393 fstrcpy( type, get_string_param( argv[i] ) );
397 sid_type = SID_NAME_DOM_GRP;
401 sid_type = SID_NAME_ALIAS;
406 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
411 if ( !ntgroup[0] && !sid_string[0] ) {
412 d_printf(_("Usage:\n%s\n"), modify_usage_str);
416 /* give preference to the SID; if both the ntgroup name and SID
417 are defined, use the SID and assume that the group name could be a
420 if ( sid_string[0] ) {
421 if (!get_sid_from_input(&sid, sid_string)) {
426 if (!get_sid_from_input(&sid, ntgroup)) {
431 /* Get the current mapping from the database */
432 if(!pdb_getgrsid(&map, sid)) {
434 _("Failed to find local group SID in the database\n"));
439 * Allow changing of group type only between domain and local
440 * We disallow changing Builtin groups !!! (SID problem)
442 if (sid_type == SID_NAME_UNKNOWN) {
443 d_fprintf(stderr, _("Can't map to an unknown group type.\n"));
447 if (map.sid_name_use == SID_NAME_WKN_GRP) {
449 _("You can only change between domain and local "
454 map.sid_name_use=sid_type;
456 /* Change comment if new one */
458 fstrcpy( map.comment, ntcomment );
461 fstrcpy( map.nt_name, ntgroup );
464 gid = nametogid( unixgrp );
466 d_fprintf(stderr, _("Unable to lookup UNIX group %s. "
467 "Make sure the group exists.\n"),
475 if ( !NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map)) ) {
476 d_fprintf(stderr, _("Could not update group database\n"));
480 d_printf(_("Updated mapping entry for %s\n"), map.nt_name);
485 static int net_groupmap_delete(struct net_context *c, int argc, const char **argv)
488 fstring ntgroup = "";
489 fstring sid_string = "";
491 const char delete_usage_str[] = N_("net groupmap delete "
492 "{ntgroup=<string>|sid=<SID>}");
494 if (c->display_usage) {
495 d_printf(_("Usage:\n%s\n"), delete_usage_str);
499 /* get the options */
500 for ( i=0; i<argc; i++ ) {
501 if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
502 fstrcpy( ntgroup, get_string_param( argv[i] ) );
504 d_fprintf(stderr, _("must supply a name\n"));
508 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
509 fstrcpy( sid_string, get_string_param( argv[i] ) );
510 if ( !sid_string[0] ) {
511 d_fprintf(stderr, _("must supply a SID\n"));
516 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
521 if ( !ntgroup[0] && !sid_string[0]) {
522 d_printf(_("Usage:\n%s\n"), delete_usage_str);
526 /* give preference to the SID if we have that */
529 fstrcpy( ntgroup, sid_string );
531 if ( !get_sid_from_input(&sid, ntgroup) ) {
532 d_fprintf(stderr, _("Unable to resolve group %s to a SID\n"),
537 if ( !NT_STATUS_IS_OK(pdb_delete_group_mapping_entry(sid)) ) {
539 _("Failed to remove group %s from the mapping db!\n"),
544 d_printf(_("Sucessfully removed %s from the mapping db\n"), ntgroup);
549 static int net_groupmap_set(struct net_context *c, int argc, const char **argv)
551 const char *ntgroup = NULL;
552 struct group *grp = NULL;
554 bool have_map = false;
556 if ((argc < 1) || (argc > 2) || c->display_usage) {
557 d_printf(_("Usage: net groupmap set \"NT Group\" "
558 "[\"unix group\"] [-C \"comment\"] [-L] [-D]\n"));
562 if ( c->opt_localgroup && c->opt_domaingroup ) {
563 d_printf(_("Can only specify -L or -D, not both\n"));
570 grp = getgrnam(argv[1]);
573 d_fprintf(stderr, _("Could not find unix group %s\n"),
579 have_map = pdb_getgrnam(&map, ntgroup);
583 have_map = ( (strncmp(ntgroup, "S-", 2) == 0) &&
584 string_to_sid(&sid, ntgroup) &&
585 pdb_getgrsid(&map, sid) );
594 _("Could not find group mapping for %s\n"),
599 map.gid = grp->gr_gid;
601 if (c->opt_rid == 0) {
602 if ( pdb_capabilities() & PDB_CAP_STORE_RIDS ) {
603 if ( !pdb_new_rid((uint32*)&c->opt_rid) ) {
605 _("Could not allocate new RID\n"));
609 c->opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid);
613 sid_copy(&map.sid, get_global_sam_sid());
614 sid_append_rid(&map.sid, c->opt_rid);
616 map.sid_name_use = SID_NAME_DOM_GRP;
617 fstrcpy(map.nt_name, ntgroup);
618 fstrcpy(map.comment, "");
620 if (!NT_STATUS_IS_OK(pdb_add_group_mapping_entry(&map))) {
622 _("Could not add mapping entry for %s\n"),
628 /* Now we have a mapping entry, update that stuff */
630 if ( c->opt_localgroup || c->opt_domaingroup ) {
631 if (map.sid_name_use == SID_NAME_WKN_GRP) {
633 _("Can't change type of the BUILTIN "
640 if (c->opt_localgroup)
641 map.sid_name_use = SID_NAME_ALIAS;
643 if (c->opt_domaingroup)
644 map.sid_name_use = SID_NAME_DOM_GRP;
646 /* The case (opt_domaingroup && opt_localgroup) was tested for above */
648 if ((c->opt_comment != NULL) && (strlen(c->opt_comment) > 0)) {
649 fstrcpy(map.comment, c->opt_comment);
652 if ((c->opt_newntname != NULL) && (strlen(c->opt_newntname) > 0)) {
653 fstrcpy(map.nt_name, c->opt_newntname);
657 map.gid = grp->gr_gid;
659 if (!NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map))) {
660 d_fprintf(stderr, _("Could not update group mapping for %s\n"),
668 static int net_groupmap_cleanup(struct net_context *c, int argc, const char **argv)
670 GROUP_MAP *map = NULL;
673 if (c->display_usage) {
674 d_printf(_("Usage:\n"
675 "net groupmap cleanup\n"
676 " Delete all group mappings\n"));
680 if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries,
682 d_fprintf(stderr, _("Could not list group mappings\n"));
686 for (i=0; i<entries; i++) {
688 if (map[i].gid == -1)
689 printf(_("Group %s is not mapped\n"), map[i].nt_name);
691 if (!sid_check_is_in_our_domain(&map[i].sid)) {
692 printf(_("Deleting mapping for NT Group %s, sid %s\n"),
694 sid_string_tos(&map[i].sid));
695 pdb_delete_group_mapping_entry(map[i].sid);
704 static int net_groupmap_addmem(struct net_context *c, int argc, const char **argv)
706 DOM_SID alias, member;
710 !string_to_sid(&alias, argv[0]) ||
711 !string_to_sid(&member, argv[1]) ) {
712 d_printf(_("Usage: net groupmap addmem alias-sid member-sid\n"));
716 if (!NT_STATUS_IS_OK(pdb_add_aliasmem(&alias, &member))) {
717 d_fprintf(stderr, _("Could not add sid %s to alias %s\n"),
725 static int net_groupmap_delmem(struct net_context *c, int argc, const char **argv)
727 DOM_SID alias, member;
731 !string_to_sid(&alias, argv[0]) ||
732 !string_to_sid(&member, argv[1]) ) {
733 d_printf(_("Usage: net groupmap delmem alias-sid member-sid\n"));
737 if (!NT_STATUS_IS_OK(pdb_del_aliasmem(&alias, &member))) {
738 d_fprintf(stderr, _("Could not delete sid %s from alias %s\n"),
746 static int net_groupmap_listmem(struct net_context *c, int argc, const char **argv)
754 !string_to_sid(&alias, argv[0]) ) {
755 d_printf(_("Usage: net groupmap listmem alias-sid\n"));
762 if (!NT_STATUS_IS_OK(pdb_enum_aliasmem(&alias, talloc_tos(),
764 d_fprintf(stderr, _("Could not list members for sid %s\n"),
769 for (i = 0; i < num; i++) {
770 printf("%s\n", sid_string_tos(&(members[i])));
773 TALLOC_FREE(members);
778 static bool print_alias_memberships(TALLOC_CTX *mem_ctx,
779 const DOM_SID *domain_sid,
780 const DOM_SID *member)
783 size_t i, num_alias_rids;
788 if (!NT_STATUS_IS_OK(pdb_enum_alias_memberships(
789 mem_ctx, domain_sid, member, 1,
790 &alias_rids, &num_alias_rids))) {
791 d_fprintf(stderr, _("Could not list memberships for sid %s\n"),
792 sid_string_tos(member));
796 for (i = 0; i < num_alias_rids; i++) {
798 sid_copy(&alias, domain_sid);
799 sid_append_rid(&alias, alias_rids[i]);
800 printf("%s\n", sid_string_tos(&alias));
806 static int net_groupmap_memberships(struct net_context *c, int argc, const char **argv)
809 DOM_SID *domain_sid, *builtin_sid, member;
813 !string_to_sid(&member, argv[0]) ) {
814 d_printf(_("Usage: net groupmap memberof sid\n"));
818 mem_ctx = talloc_init("net_groupmap_memberships");
819 if (mem_ctx == NULL) {
820 d_fprintf(stderr, _("talloc_init failed\n"));
824 domain_sid = get_global_sam_sid();
825 builtin_sid = string_sid_talloc(mem_ctx, "S-1-5-32");
826 if ((domain_sid == NULL) || (builtin_sid == NULL)) {
827 d_fprintf(stderr, _("Could not get domain sid\n"));
831 if (!print_alias_memberships(mem_ctx, domain_sid, &member) ||
832 !print_alias_memberships(mem_ctx, builtin_sid, &member))
835 talloc_destroy(mem_ctx);
840 /***********************************************************
841 migrated functionality from smbgroupedit
842 **********************************************************/
843 int net_groupmap(struct net_context *c, int argc, const char **argv)
845 struct functable func[] = {
850 N_("Create a new group mapping"),
851 N_("net groupmap add\n"
852 " Create a new group mapping")
858 N_("Update a group mapping"),
859 N_("net groupmap modify\n"
860 " Modify an existing group mapping")
866 N_("Remove a group mapping"),
867 N_("net groupmap delete\n"
868 " Remove a group mapping")
874 N_("Set group mapping"),
875 N_("net groupmap set\n"
876 " Set a group mapping")
880 net_groupmap_cleanup,
882 N_("Remove foreign group mapping entries"),
883 N_("net groupmap cleanup\n"
884 " Remove foreign group mapping entries")
890 N_("Add a foreign alias member"),
891 N_("net groupmap addmem\n"
892 " Add a foreign alias member")
898 N_("Delete foreign alias member"),
899 N_("net groupmap delmem\n"
900 " Delete foreign alias member")
904 net_groupmap_listmem,
906 N_("List foreign group members"),
907 N_("net groupmap listmem\n"
908 " List foreign alias members")
912 net_groupmap_memberships,
914 N_("List foreign group memberships"),
915 N_("net groupmap memberships\n"
916 " List foreign group memberships")
922 N_("List current group map"),
923 N_("net groupmap list\n"
924 " List current group map")
926 {NULL, NULL, 0, NULL, NULL}
929 /* we shouldn't have silly checks like this */
932 _("You must be root to edit group mappings.\n"));
936 return net_run_function(c,argc, argv, "net groupmap", func);
git.samba.org / mat / samba.git / blob