2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jeremy Allison 2001.
8 Copyright (C) Gerald (Jerry) Carter 2003.
9 Copyright (C) Volker Lendecke 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
29 #define DBGC_CLASS DBGC_WINBIND
31 static void add_member(const char *domain, const char *user,
32 char **pp_members, size_t *p_num_members)
37 fill_domain_username(name, domain, user, True);
41 safe_strcat(name, ",", sizeof(name)-1);
42 string_append(pp_members, name);
46 /**********************************************************************
47 Add member users resulting from sid. Expand if it is a domain group.
48 **********************************************************************/
50 static void add_expanded_sid(const DOM_SID *sid,
52 size_t *p_num_members)
56 struct winbindd_domain *domain;
59 char *domain_name = NULL;
61 enum lsa_SidType type;
70 TALLOC_CTX *mem_ctx = talloc_init("add_expanded_sid");
72 if (mem_ctx == NULL) {
73 DEBUG(1, ("talloc_init failed\n"));
77 sid_copy(&dom_sid, sid);
78 sid_split_rid(&dom_sid, &rid);
80 domain = find_lookup_domain_from_sid(sid);
83 DEBUG(3, ("Could not find domain for sid %s\n",
84 sid_string_dbg(sid)));
88 result = domain->methods->sid_to_name(domain, mem_ctx, sid,
89 &domain_name, &name, &type);
91 if (!NT_STATUS_IS_OK(result)) {
92 DEBUG(3, ("sid_to_name failed for sid %s\n",
93 sid_string_dbg(sid)));
97 DEBUG(10, ("Found name %s, type %d\n", name, type));
99 if (type == SID_NAME_USER) {
100 add_member(domain_name, name, pp_members, p_num_members);
104 if (type != SID_NAME_DOM_GRP) {
105 DEBUG(10, ("Alias member %s neither user nor group, ignore\n",
110 /* Expand the domain group, this must be done via the target domain */
112 domain = find_domain_from_sid(sid);
114 if (domain == NULL) {
115 DEBUG(3, ("Could not find domain from SID %s\n",
116 sid_string_dbg(sid)));
120 result = domain->methods->lookup_groupmem(domain, mem_ctx,
125 if (!NT_STATUS_IS_OK(result)) {
126 DEBUG(10, ("Could not lookup group members for %s: %s\n",
127 name, nt_errstr(result)));
131 for (i=0; i<num_names; i++) {
132 DEBUG(10, ("Adding group member SID %s\n",
133 sid_string_dbg(&sid_mem[i])));
135 if (types[i] != SID_NAME_USER) {
136 DEBUG(1, ("Hmmm. Member %s of group %s is no user. "
137 "Ignoring.\n", names[i], name));
141 add_member(NULL, names[i], pp_members, p_num_members);
145 talloc_destroy(mem_ctx);
149 static bool fill_passdb_alias_grmem(struct winbindd_domain *domain,
150 DOM_SID *group_sid, size_t *num_gr_mem,
151 char **gr_mem, size_t *gr_mem_len)
154 size_t i, num_members;
160 if (!NT_STATUS_IS_OK(pdb_enum_aliasmem(group_sid, talloc_tos(),
161 &members, &num_members)))
164 for (i=0; i<num_members; i++) {
165 add_expanded_sid(&members[i], gr_mem, num_gr_mem);
168 TALLOC_FREE(members);
170 if (*gr_mem != NULL) {
173 /* We have at least one member, strip off the last "," */
174 len = strlen(*gr_mem);
175 (*gr_mem)[len-1] = '\0';
182 /* Fill a grent structure from various other information */
184 bool fill_grent(TALLOC_CTX *mem_ctx, struct winbindd_gr *gr,
185 const char *dom_name, const char *gr_name, gid_t unix_gid)
187 fstring full_group_name;
188 char *mapped_name = NULL;
189 struct winbindd_domain *domain = find_domain_from_name_noinit(dom_name);
190 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
192 nt_status = normalize_name_map(mem_ctx, domain, gr_name,
195 /* Basic whitespace replacement */
196 if (NT_STATUS_IS_OK(nt_status)) {
197 fill_domain_username(full_group_name, dom_name,
200 /* Mapped to an aliase */
201 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_FILE_RENAMED)) {
202 fstrcpy(full_group_name, mapped_name);
206 fill_domain_username( full_group_name, dom_name,
210 gr->gr_gid = unix_gid;
212 /* Group name and password */
214 safe_strcpy(gr->gr_name, full_group_name, sizeof(gr->gr_name) - 1);
215 safe_strcpy(gr->gr_passwd, "x", sizeof(gr->gr_passwd) - 1);
220 /***********************************************************************
221 If "enum users" is set to false, and the group being looked
222 up is the Domain Users SID: S-1-5-domain-513, then for the
223 list of members check if the querying user is in that group,
224 and if so only return that user as the gr_mem array.
225 We can change this to a different parameter than "enum users"
226 if neccessaey, or parameterize the group list we do this for.
227 ***********************************************************************/
229 static bool fill_grent_mem_domusers( TALLOC_CTX *mem_ctx,
230 struct winbindd_domain *domain,
231 struct winbindd_cli_state *state,
233 enum lsa_SidType group_name_type,
234 size_t *num_gr_mem, char **gr_mem,
237 DOM_SID querying_user_sid;
238 DOM_SID *pquerying_user_sid = NULL;
239 uint32 num_groups = 0;
240 DOM_SID *user_sids = NULL;
241 bool u_in_group = False;
244 unsigned int buf_len = 0;
247 DEBUG(10,("fill_grent_mem_domain_users: domain %s\n",
251 uid_t ret_uid = (uid_t)-1;
252 if (sys_getpeereid(state->sock, &ret_uid)==0) {
253 /* We know who's asking - look up their SID if
254 it's one we've mapped before. */
255 status = idmap_uid_to_sid(domain->name,
256 &querying_user_sid, ret_uid);
257 if (NT_STATUS_IS_OK(status)) {
258 pquerying_user_sid = &querying_user_sid;
259 DEBUG(10,("fill_grent_mem_domain_users: "
260 "querying uid %u -> %s\n",
261 (unsigned int)ret_uid,
262 sid_string_dbg(pquerying_user_sid)));
267 /* Only look up if it was a winbindd user in this domain. */
268 if (pquerying_user_sid &&
269 (sid_compare_domain(pquerying_user_sid, &domain->sid) == 0)) {
271 DEBUG(10,("fill_grent_mem_domain_users: querying user = %s\n",
272 sid_string_dbg(pquerying_user_sid) ));
274 status = domain->methods->lookup_usergroups(domain,
279 if (!NT_STATUS_IS_OK(status)) {
280 DEBUG(1, ("fill_grent_mem_domain_users: "
281 "lookup_usergroups failed "
282 "for sid %s in domain %s (error: %s)\n",
283 sid_string_dbg(pquerying_user_sid),
289 for (i = 0; i < num_groups; i++) {
290 if (sid_equal(group_sid, &user_sids[i])) {
291 /* User is in Domain Users, add their name
292 as the only group member. */
301 char *domainname = NULL;
302 char *username = NULL;
304 char *mapped_name = NULL;
305 enum lsa_SidType type;
306 struct winbindd_domain *target_domain = NULL;
307 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
309 DEBUG(10,("fill_grent_mem_domain_users: "
310 "sid %s in 'Domain Users' in domain %s\n",
311 sid_string_dbg(pquerying_user_sid),
314 status = domain->methods->sid_to_name(domain, mem_ctx,
319 if (!NT_STATUS_IS_OK(status)) {
320 DEBUG(1, ("could not lookup username for user "
321 "sid %s in domain %s (error: %s)\n",
322 sid_string_dbg(pquerying_user_sid),
328 target_domain = find_domain_from_name_noinit(domainname);
329 name_map_status = normalize_name_map(mem_ctx, target_domain,
330 username, &mapped_name);
332 /* Basic whitespace replacement */
333 if (NT_STATUS_IS_OK(name_map_status)) {
334 fill_domain_username(name, domainname, mapped_name, true);
336 /* Mapped to an alias */
337 else if (NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED)) {
338 fstrcpy(name, mapped_name);
340 /* no mapping done...use original name */
342 fill_domain_username(name, domainname, username, true);
347 if (!(buf = (char *)SMB_MALLOC(buf_len))) {
348 DEBUG(1, ("out of memory\n"));
351 memcpy(buf, name, buf_len);
353 DEBUG(10,("fill_grent_mem_domain_users: user %s in "
354 "'Domain Users' in domain %s\n",
355 name, domain->name ));
357 /* user is the only member */
362 *gr_mem_len = buf_len;
364 DEBUG(10, ("fill_grent_mem_domain_users: "
365 "num_mem = %u, len = %u, mem = %s\n",
366 (unsigned int)*num_gr_mem,
367 (unsigned int)buf_len, *num_gr_mem ? buf : "NULL"));
372 /***********************************************************************
373 Add names to a list. Assumes a canonical version of the string
375 ***********************************************************************/
377 static int namecmp( const void *a, const void *b )
379 return StrCaseCmp( * (char * const *) a, * (char * const *) b);
382 static void sort_unique_list(char ***list, uint32 *n_list)
386 /* search for duplicates for sorting and looking for matching
389 qsort(*list, *n_list, sizeof(char*), QSORT_CAST namecmp);
391 for (i=1; i < *n_list; i++) {
392 if (strcmp((*list)[i-1], (*list)[i]) == 0) {
393 memmove(&((*list)[i-1]), &((*list)[i]),
394 sizeof(char*)*((*n_list)-i));
400 static NTSTATUS add_names_to_list( TALLOC_CTX *ctx,
401 char ***list, uint32 *n_list,
402 char **names, uint32 n_names )
404 char **new_list = NULL;
405 uint32 n_new_list = 0;
408 if ( !names || (n_names == 0) )
411 /* Alloc the maximum size we'll need */
413 if ( *list == NULL ) {
414 if ((new_list = TALLOC_ARRAY(ctx, char *, n_names)) == NULL) {
415 return NT_STATUS_NO_MEMORY;
417 n_new_list = n_names;
419 new_list = TALLOC_REALLOC_ARRAY( ctx, *list, char *,
420 (*n_list) + n_names );
422 return NT_STATUS_NO_MEMORY;
423 n_new_list = (*n_list) + n_names;
428 for ( i=*n_list, j=0; i<n_new_list; i++, j++ ) {
429 new_list[i] = talloc_strdup( new_list, names[j] );
433 *n_list = n_new_list;
438 /***********************************************************************
439 ***********************************************************************/
441 static NTSTATUS expand_groups( TALLOC_CTX *ctx,
442 struct winbindd_domain *d,
443 DOM_SID *glist, uint32 n_glist,
444 DOM_SID **new_glist, uint32 *n_new_glist,
445 char ***members, uint32 *n_members )
448 NTSTATUS status = NT_STATUS_OK;
449 uint32 num_names = 0;
450 uint32 *name_types = NULL;
452 DOM_SID *sid_mem = NULL;
453 TALLOC_CTX *tmp_ctx = NULL;
454 DOM_SID *new_groups = NULL;
455 size_t new_groups_size = 0;
462 DEBUG(10,("expand_groups:\n"));
464 for ( i=0; i<n_glist; i++ ) {
466 NTSTATUS lookup_status;
468 tmp_ctx = talloc_new( ctx );
470 /* Lookup the group membership */
472 lookup_status = d->methods->lookup_groupmem(d, tmp_ctx,
473 &glist[i], &num_names,
476 if (!NT_STATUS_IS_OK(lookup_status)) {
477 DEBUG(10,("expand_groups: lookup_groupmem for "
478 "sid %s failed with: %s\n",
479 sid_string_dbg(&glist[i]),
480 nt_errstr(lookup_status)));
482 /* we might have hit a logic error when called for an
483 * alias, in that case just continue with group
484 * expansion - Guenther */
486 if (NT_STATUS_EQUAL(lookup_status, NT_STATUS_NO_SUCH_GROUP)) {
489 status = lookup_status;
493 /* Separate users and groups into two lists */
495 for ( j=0; j<num_names; j++ ) {
498 if ( name_types[j] == SID_NAME_USER ||
499 name_types[j] == SID_NAME_COMPUTER )
501 status = add_names_to_list( ctx, members,
504 if ( !NT_STATUS_IS_OK(status) )
511 if ( name_types[j] == SID_NAME_DOM_GRP ||
512 name_types[j] == SID_NAME_ALIAS )
514 status = add_sid_to_array_unique(ctx,
518 if (!NT_STATUS_IS_OK(status)) {
526 TALLOC_FREE( tmp_ctx );
529 *new_glist = new_groups;
530 *n_new_glist = (uint32)new_groups_size;
533 TALLOC_FREE( tmp_ctx );
535 if (!NT_STATUS_IS_OK(status)) {
536 DEBUG(10,("expand_groups: returning with %s\n",
543 /***********************************************************************
544 Fill in the group membership field of a NT group given by group_sid
545 ***********************************************************************/
547 static bool fill_grent_mem(struct winbindd_domain *domain,
548 struct winbindd_cli_state *state,
550 enum lsa_SidType group_name_type,
551 size_t *num_gr_mem, char **gr_mem,
554 uint32 num_names = 0;
555 unsigned int buf_len = 0, buf_ndx = 0, i;
556 char **names = NULL, *buf = NULL;
560 DOM_SID *glist = NULL;
561 DOM_SID *new_glist = NULL;
562 uint32 n_glist, n_new_glist;
563 int max_depth = lp_winbind_expand_groups();
565 if (!(mem_ctx = talloc_init("fill_grent_mem(%s)", domain->name)))
568 DEBUG(10, ("group SID %s\n", sid_string_dbg(group_sid)));
570 /* Initialize with no members */
574 /* HACK ALERT!! This whole routine does not cope with group members
575 * from more than one domain, ie aliases. Thus we have to work it out
576 * ourselves in a special routine. */
578 if (domain->internal) {
579 result = fill_passdb_alias_grmem(domain, group_sid,
585 /* Verify name type */
587 if ( !((group_name_type==SID_NAME_DOM_GRP) ||
588 ((group_name_type==SID_NAME_ALIAS) && domain->primary)) )
590 DEBUG(1, ("SID %s in domain %s isn't a domain group (%d)\n",
591 sid_string_dbg(group_sid),
592 domain->name, group_name_type));
596 /* OPTIMIZATION / HACK. See comment in
597 fill_grent_mem_domusers() */
599 sid_peek_rid( group_sid, &group_rid );
600 if (!lp_winbind_enum_users() && group_rid == DOMAIN_GROUP_RID_USERS) {
601 result = fill_grent_mem_domusers( mem_ctx, domain, state,
602 group_sid, group_name_type,
608 /* Real work goes here. Create a list of group names to
609 expand starting with the initial one. Pass that to
610 expand_groups() which returns a list of more group names
611 to expand. Do this up to the max search depth. */
613 if ( (glist = TALLOC_ARRAY(mem_ctx, DOM_SID, 1 )) == NULL ) {
615 DEBUG(0,("fill_grent_mem: talloc failure!\n"));
618 sid_copy( &glist[0], group_sid );
621 for ( i=0; i<max_depth && glist; i++ ) {
622 uint32 n_members = 0;
623 char **members = NULL;
627 nt_status = expand_groups( mem_ctx, domain,
629 &new_glist, &n_new_glist,
630 &members, &n_members);
631 if ( !NT_STATUS_IS_OK(nt_status) ) {
636 /* Add new group members to list. Pass through the
637 alias mapping function */
639 for (j=0; j<n_members; j++) {
640 fstring name_domain, name_acct;
641 fstring qualified_name;
642 char *mapped_name = NULL;
643 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
644 struct winbindd_domain *target_domain = NULL;
646 if (parse_domain_user(members[j], name_domain, name_acct)) {
647 target_domain = find_domain_from_name_noinit(name_domain);
650 if (!target_domain) {
651 target_domain = domain;
654 name_map_status = normalize_name_map(members, target_domain,
655 name_acct, &mapped_name);
657 /* Basic whitespace replacement */
658 if (NT_STATUS_IS_OK(name_map_status)) {
659 fill_domain_username(qualified_name, name_domain,
661 mapped_name = qualified_name;
663 /* no mapping at all */
664 else if (!NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED)) {
665 mapped_name = members[j];
668 nt_status = add_names_to_list( mem_ctx, &names,
671 if ( !NT_STATUS_IS_OK(nt_status) ) {
677 TALLOC_FREE( members );
679 /* If we have no more groups to expand, break out
682 if (new_glist == NULL)
688 n_glist = n_new_glist;
690 TALLOC_FREE( glist );
692 sort_unique_list(&names, &num_names);
694 DEBUG(10, ("looked up %d names\n", num_names));
697 /* Add members to list */
699 for (i = 0; i < num_names; i++) {
702 DEBUG(10, ("processing name %s\n", names[i]));
704 len = strlen(names[i]);
706 /* Add to list or calculate buffer length */
709 buf_len += len + 1; /* List is comma separated */
711 DEBUG(10, ("buf_len + %d = %d\n", len + 1, buf_len));
713 DEBUG(10, ("appending %s at ndx %d\n",
715 parse_add_domuser(&buf[buf_ndx], names[i], &len);
722 /* Allocate buffer */
724 if (!buf && buf_len != 0) {
725 if (!(buf = (char *)SMB_MALLOC(buf_len))) {
726 DEBUG(1, ("out of memory\n"));
730 memset(buf, 0, buf_len);
736 if (buf && buf_ndx > 0) {
737 buf[buf_ndx - 1] = '\0';
741 *gr_mem_len = buf_len;
743 DEBUG(10, ("num_mem = %u, len = %u, mem = %s\n",
744 (unsigned int)*num_gr_mem,
745 (unsigned int)buf_len, *num_gr_mem ? buf : "NULL"));
750 talloc_destroy(mem_ctx);
752 DEBUG(10,("fill_grent_mem returning %s\n",
753 result == true ? "true" : "false"));
759 * set/get/endgrent functions
762 /* "Rewind" file pointer for group database enumeration */
764 static bool winbindd_setgrent_internal(struct winbindd_cli_state *state)
766 struct winbindd_domain *domain;
768 DEBUG(3, ("[%5lu]: setgrent\n", (unsigned long)state->pid));
770 /* Check user has enabled this */
772 if (!lp_winbind_enum_groups()) {
776 /* Free old static data if it exists */
778 if (state->getgrent_state != NULL) {
779 free_getent_state(state->getgrent_state);
780 state->getgrent_state = NULL;
783 /* Create sam pipes for each domain we know about */
785 for (domain = domain_list(); domain != NULL; domain = domain->next) {
786 struct getent_state *domain_state;
788 /* Create a state record for this domain */
790 /* don't add our domaina if we are a PDC or if we
791 are a member of a Samba domain */
793 if ( lp_winbind_trusted_domains_only() && domain->primary )
798 domain_state = SMB_MALLOC_P(struct getent_state);
800 DEBUG(1, ("winbindd_setgrent: "
801 "malloc failed for domain_state!\n"));
805 ZERO_STRUCTP(domain_state);
807 fstrcpy(domain_state->domain_name, domain->name);
809 /* Add to list of open domains */
811 DLIST_ADD(state->getgrent_state, domain_state);
814 state->getgrent_initialized = True;
818 void winbindd_setgrent(struct winbindd_cli_state *state)
820 if (winbindd_setgrent_internal(state)) {
823 request_error(state);
827 /* Close file pointer to ntdom group database */
829 void winbindd_endgrent(struct winbindd_cli_state *state)
831 DEBUG(3, ("[%5lu]: endgrent\n", (unsigned long)state->pid));
833 free_getent_state(state->getgrent_state);
834 state->getgrent_initialized = False;
835 state->getgrent_state = NULL;
839 /* Get the list of domain groups and domain aliases for a domain. We fill in
840 the sam_entries and num_sam_entries fields with domain group information.
841 Return True if some groups were returned, False otherwise. */
843 bool get_sam_group_entries(struct getent_state *ent)
847 struct acct_info *name_list = NULL;
850 struct acct_info *sam_grp_entries = NULL;
851 struct winbindd_domain *domain;
853 if (ent->got_sam_entries)
856 if (!(mem_ctx = talloc_init("get_sam_group_entries(%s)",
857 ent->domain_name))) {
858 DEBUG(1, ("get_sam_group_entries: "
859 "could not create talloc context!\n"));
863 /* Free any existing group info */
865 SAFE_FREE(ent->sam_entries);
866 ent->num_sam_entries = 0;
867 ent->got_sam_entries = True;
869 /* Enumerate domain groups */
873 if (!(domain = find_domain_from_name(ent->domain_name))) {
874 DEBUG(3, ("no such domain %s in get_sam_group_entries\n",
879 /* always get the domain global groups */
881 status = domain->methods->enum_dom_groups(domain, mem_ctx, &num_entries,
884 if (!NT_STATUS_IS_OK(status)) {
885 DEBUG(3, ("get_sam_group_entries: "
886 "could not enumerate domain groups! Error: %s\n",
892 /* Copy entries into return buffer */
895 name_list = SMB_MALLOC_ARRAY(struct acct_info, num_entries);
897 DEBUG(0,("get_sam_group_entries: Failed to malloc "
898 "memory for %d domain groups!\n",
903 memcpy(name_list, sam_grp_entries,
904 num_entries * sizeof(struct acct_info));
907 ent->num_sam_entries = num_entries;
909 /* get the domain local groups if we are a member of a native win2k
910 * domain and are not using LDAP to get the groups */
912 if ( ( lp_security() != SEC_ADS && domain->native_mode
913 && domain->primary) || domain->internal )
915 DEBUG(4,("get_sam_group_entries: %s domain; "
916 "enumerating local groups as well\n",
917 domain->native_mode ? "Native Mode 2k":
918 "BUILTIN or local"));
920 status = domain->methods->enum_local_groups(domain, mem_ctx,
924 if ( !NT_STATUS_IS_OK(status) ) {
925 DEBUG(3,("get_sam_group_entries: "
926 "Failed to enumerate "
927 "domain local groups with error %s!\n",
932 DEBUG(4,("get_sam_group_entries: "
933 "Returned %d local groups\n",
936 /* Copy entries into return buffer */
939 name_list = SMB_REALLOC_ARRAY(name_list,
941 ent->num_sam_entries+
944 DEBUG(0,("get_sam_group_entries: "
945 "Failed to realloc more memory "
946 "for %d local groups!\n",
952 memcpy(&name_list[ent->num_sam_entries],
954 num_entries * sizeof(struct acct_info));
957 ent->num_sam_entries += num_entries;
961 /* Fill in remaining fields */
963 ent->sam_entries = name_list;
964 ent->sam_entry_index = 0;
966 result = (ent->num_sam_entries > 0);
969 talloc_destroy(mem_ctx);
974 /* Fetch next group entry from ntdom database */
976 #define MAX_GETGRENT_GROUPS 500
978 void winbindd_getgrent(struct winbindd_cli_state *state)
980 struct getent_state *ent;
981 struct winbindd_gr *group_list = NULL;
982 int num_groups, group_list_ndx, gr_mem_list_len = 0;
983 char *gr_mem_list = NULL;
985 DEBUG(3, ("[%5lu]: getgrent\n", (unsigned long)state->pid));
987 /* Check user has enabled this */
989 if (!lp_winbind_enum_groups()) {
990 request_error(state);
994 num_groups = MIN(MAX_GETGRENT_GROUPS, state->request->data.num_entries);
996 if (num_groups == 0) {
997 request_error(state);
1001 group_list = talloc_zero_array(state->mem_ctx, struct winbindd_gr,
1004 request_error(state);
1007 state->response->extra_data.data = group_list;
1009 state->response->data.num_entries = 0;
1011 if (!state->getgrent_initialized)
1012 winbindd_setgrent_internal(state);
1014 if (!(ent = state->getgrent_state)) {
1015 request_error(state);
1019 /* Start sending back groups */
1021 for (group_list_ndx = 0; group_list_ndx < num_groups; ) {
1022 struct acct_info *name_list = NULL;
1023 fstring domain_group_name;
1029 struct winbindd_domain *domain;
1031 /* Do we need to fetch another chunk of groups? */
1035 DEBUG(10, ("entry_index = %d, num_entries = %d\n",
1036 ent->sam_entry_index, ent->num_sam_entries));
1038 if (ent->num_sam_entries == ent->sam_entry_index) {
1040 while(ent && !get_sam_group_entries(ent)) {
1041 struct getent_state *next_ent;
1043 DEBUG(10, ("freeing state info for domain %s\n",
1046 /* Free state information for this domain */
1048 SAFE_FREE(ent->sam_entries);
1050 next_ent = ent->next;
1051 DLIST_REMOVE(state->getgrent_state, ent);
1057 /* No more domains */
1063 name_list = (struct acct_info *)ent->sam_entries;
1065 if (!(domain = find_domain_from_name(ent->domain_name))) {
1066 DEBUG(3, ("No such domain %s in winbindd_getgrent\n",
1072 /* Lookup group info */
1074 sid_copy(&group_sid, &domain->sid);
1075 sid_append_rid(&group_sid, name_list[ent->sam_entry_index].rid);
1077 if (!NT_STATUS_IS_OK(idmap_sid_to_gid(domain->have_idmap_config
1078 ? domain->name : "",
1079 &group_sid, &group_gid)))
1082 enum lsa_SidType type;
1084 DEBUG(10, ("SID %s not in idmap\n",
1085 sid_string_dbg(&group_sid)));
1087 if (!pdb_sid_to_id(&group_sid, &id, &type)) {
1088 DEBUG(1,("could not look up gid for group %s\n",
1089 name_list[ent->sam_entry_index].acct_name));
1090 ent->sam_entry_index++;
1094 if ((type != SID_NAME_DOM_GRP) &&
1095 (type != SID_NAME_ALIAS) &&
1096 (type != SID_NAME_WKN_GRP)) {
1097 DEBUG(1, ("Group %s is a %s, not a group\n",
1098 sid_type_lookup(type),
1099 name_list[ent->sam_entry_index].acct_name));
1100 ent->sam_entry_index++;
1106 DEBUG(10, ("got gid %lu for group %lu\n",
1107 (unsigned long)group_gid,
1108 (unsigned long)name_list[ent->sam_entry_index].rid));
1110 /* Fill in group entry */
1112 fill_domain_username(domain_group_name, ent->domain_name,
1113 name_list[ent->sam_entry_index].acct_name, True);
1115 result = fill_grent(state->mem_ctx, &group_list[group_list_ndx],
1117 name_list[ent->sam_entry_index].acct_name,
1120 /* Fill in group membership entry */
1123 size_t num_gr_mem = 0;
1125 group_list[group_list_ndx].num_gr_mem = 0;
1129 /* Get group membership */
1130 if (state->request->cmd == WINBINDD_GETGRLST) {
1133 sid_copy(&member_sid, &domain->sid);
1134 sid_append_rid(&member_sid, name_list[ent->sam_entry_index].rid);
1135 result = fill_grent_mem(
1141 &gr_mem, &gr_mem_len);
1143 group_list[group_list_ndx].num_gr_mem = (uint32)num_gr_mem;
1148 /* Append to group membership list */
1149 gr_mem_list = (char *)SMB_REALLOC(
1150 gr_mem_list, gr_mem_list_len + gr_mem_len);
1153 (group_list[group_list_ndx].num_gr_mem != 0)) {
1154 DEBUG(0, ("out of memory\n"));
1155 gr_mem_list_len = 0;
1159 DEBUG(10, ("list_len = %d, mem_len = %u\n",
1160 gr_mem_list_len, (unsigned int)gr_mem_len));
1162 memcpy(&gr_mem_list[gr_mem_list_len], gr_mem,
1167 group_list[group_list_ndx].gr_mem_ofs =
1170 gr_mem_list_len += gr_mem_len;
1173 ent->sam_entry_index++;
1175 /* Add group to return list */
1179 DEBUG(10, ("adding group num_entries = %d\n",
1180 state->response->data.num_entries));
1183 state->response->data.num_entries++;
1185 state->response->length +=
1186 sizeof(struct winbindd_gr);
1189 DEBUG(0, ("could not lookup domain group %s\n",
1190 domain_group_name));
1194 /* Copy the list of group memberships to the end of the extra data */
1196 if (group_list_ndx == 0)
1199 state->response->extra_data.data = talloc_realloc_size(
1200 state->mem_ctx, state->response->extra_data.data,
1201 group_list_ndx * sizeof(struct winbindd_gr) + gr_mem_list_len);
1203 if (!state->response->extra_data.data) {
1204 DEBUG(0, ("out of memory\n"));
1206 SAFE_FREE(gr_mem_list);
1207 request_error(state);
1211 memcpy(&((char *)state->response->extra_data.data)
1212 [group_list_ndx * sizeof(struct winbindd_gr)],
1213 gr_mem_list, gr_mem_list_len);
1215 state->response->length += gr_mem_list_len;
1217 DEBUG(10, ("returning %d groups, length = %d\n",
1218 group_list_ndx, gr_mem_list_len));
1220 /* Out of domains */
1224 SAFE_FREE(gr_mem_list);
1226 if (group_list_ndx > 0)
1229 request_error(state);
1232 /* List domain groups without mapping to unix ids */
1233 void winbindd_list_groups(struct winbindd_cli_state *state)
1235 winbindd_list_ent(state, LIST_GROUPS);
1238 /* Get user supplementary groups. This is much quicker than trying to
1239 invert the groups database. We merge the groups from the gids and
1240 other_sids info3 fields as trusted domain, universal group
1241 memberships, and nested groups (win2k native mode only) are not
1242 returned by the getgroups RPC call but are present in the info3. */
1244 struct getgroups_state {
1245 struct winbindd_cli_state *state;
1246 struct winbindd_domain *domain;
1251 const DOM_SID *token_sids;
1252 size_t i, num_token_sids;
1255 size_t num_token_gids;
1259 /* Get user supplementary sids. This is equivalent to the
1260 winbindd_getgroups() function but it involves a SID->SIDs mapping
1261 rather than a NAME->SID->SIDS->GIDS mapping, which means we avoid
1262 idmap. This call is designed to be used with applications that need
1263 to do ACL evaluation themselves. Note that the cached info3 data is
1266 this function assumes that the SID that comes in is a user SID. If
1267 you pass in another type of SID then you may get unpredictable
1271 static void getusersids_recv(void *private_data, bool success, DOM_SID *sids,
1274 void winbindd_getusersids(struct winbindd_cli_state *state)
1278 /* Ensure null termination */
1279 state->request->data.sid[sizeof(state->request->data.sid)-1]='\0';
1281 user_sid = TALLOC_P(state->mem_ctx, DOM_SID);
1282 if (user_sid == NULL) {
1283 DEBUG(1, ("talloc failed\n"));
1284 request_error(state);
1288 if (!string_to_sid(user_sid, state->request->data.sid)) {
1289 DEBUG(1, ("Could not get convert sid %s from string\n",
1290 state->request->data.sid));
1291 request_error(state);
1295 winbindd_gettoken_async(state->mem_ctx, user_sid, getusersids_recv,
1299 static void getusersids_recv(void *private_data, bool success, DOM_SID *sids,
1302 struct winbindd_cli_state *state =
1303 (struct winbindd_cli_state *)private_data;
1305 unsigned ofs, ret_size = 0;
1309 request_error(state);
1313 /* work out the response size */
1314 for (i = 0; i < num_sids; i++) {
1316 sid_to_fstring(s, &sids[i]);
1317 ret_size += strlen(s) + 1;
1320 /* build the reply */
1321 ret = talloc_array(state->mem_ctx, char, ret_size);
1323 DEBUG(0, ("malloc failed\n"));
1324 request_error(state);
1328 for (i = 0; i < num_sids; i++) {
1330 sid_to_fstring(s, &sids[i]);
1331 safe_strcpy(ret + ofs, s, ret_size - ofs - 1);
1332 ofs += strlen(ret+ofs) + 1;
1335 /* Send data back to client */
1336 state->response->data.num_entries = num_sids;
1337 state->response->extra_data.data = ret;
1338 state->response->length += ret_size;
1342 enum winbindd_result winbindd_dual_getuserdomgroups(struct winbindd_domain *domain,
1343 struct winbindd_cli_state *state)
1353 /* Ensure null termination */
1354 state->request->data.sid[sizeof(state->request->data.sid)-1]='\0';
1356 if (!string_to_sid(&user_sid, state->request->data.sid)) {
1357 DEBUG(1, ("Could not get convert sid %s from string\n",
1358 state->request->data.sid));
1359 return WINBINDD_ERROR;
1362 status = domain->methods->lookup_usergroups(domain, state->mem_ctx,
1363 &user_sid, &num_groups,
1365 if (!NT_STATUS_IS_OK(status))
1366 return WINBINDD_ERROR;
1368 if (num_groups == 0) {
1369 state->response->data.num_entries = 0;
1370 state->response->extra_data.data = NULL;
1374 if (!print_sidlist(state->mem_ctx,
1376 &sidstring, &len)) {
1377 DEBUG(0, ("talloc failed\n"));
1378 return WINBINDD_ERROR;
1381 state->response->extra_data.data = sidstring;
1382 state->response->length += len+1;
1383 state->response->data.num_entries = num_groups;
1388 enum winbindd_result winbindd_dual_getsidaliases(struct winbindd_domain *domain,
1389 struct winbindd_cli_state *state)
1391 DOM_SID *sids = NULL;
1392 size_t num_sids = 0;
1393 char *sidstr = NULL;
1400 DEBUG(3, ("[%5lu]: getsidaliases\n", (unsigned long)state->pid));
1402 sidstr = state->request->extra_data.data;
1403 if (sidstr == NULL) {
1404 sidstr = talloc_strdup(state->mem_ctx, "\n"); /* No SID */
1406 DEBUG(0, ("Out of memory\n"));
1407 return WINBINDD_ERROR;
1411 DEBUG(10, ("Sidlist: %s\n", sidstr));
1413 if (!parse_sidlist(state->mem_ctx, sidstr, &sids, &num_sids)) {
1414 DEBUG(0, ("Could not parse SID list: %s\n", sidstr));
1415 return WINBINDD_ERROR;
1421 result = domain->methods->lookup_useraliases(domain,
1427 if (!NT_STATUS_IS_OK(result)) {
1428 DEBUG(3, ("Could not lookup_useraliases: %s\n",
1429 nt_errstr(result)));
1430 return WINBINDD_ERROR;
1437 DEBUG(10, ("Got %d aliases\n", num_aliases));
1439 for (i=0; i<num_aliases; i++) {
1441 DEBUGADD(10, (" rid %d\n", alias_rids[i]));
1442 sid_copy(&sid, &domain->sid);
1443 sid_append_rid(&sid, alias_rids[i]);
1444 result = add_sid_to_array(state->mem_ctx, &sid, &sids,
1446 if (!NT_STATUS_IS_OK(result)) {
1447 return WINBINDD_ERROR;
1452 if (!print_sidlist(state->mem_ctx, sids, num_sids, &sidstr, &len)) {
1453 DEBUG(0, ("Could not print_sidlist\n"));
1454 state->response->extra_data.data = NULL;
1455 return WINBINDD_ERROR;
1458 state->response->extra_data.data = NULL;
1461 state->response->extra_data.data = sidstr;
1462 DEBUG(10, ("aliases_list: %s\n",
1463 (char *)state->response->extra_data.data));
1464 state->response->length += len+1;
1465 state->response->data.num_entries = num_sids;
1471 struct getgr_countmem {
1476 static int getgr_calc_memberlen(DATA_BLOB key, void *data, void *priv)
1478 struct wbint_GroupMember *m = talloc_get_type_abort(
1479 data, struct wbint_GroupMember);
1480 struct getgr_countmem *buf = (struct getgr_countmem *)priv;
1483 buf->len += strlen(m->name) + 1;
1487 struct getgr_stringmem {
1492 static int getgr_unparse_members(DATA_BLOB key, void *data, void *priv)
1494 struct wbint_GroupMember *m = talloc_get_type_abort(
1495 data, struct wbint_GroupMember);
1496 struct getgr_stringmem *buf = (struct getgr_stringmem *)priv;
1499 len = strlen(m->name);
1501 memcpy(buf->buf + buf->ofs, m->name, len);
1503 buf->buf[buf->ofs] = ',';
1508 NTSTATUS winbindd_print_groupmembers(struct talloc_dict *members,
1509 TALLOC_CTX *mem_ctx,
1510 int *num_members, char **result)
1512 struct getgr_countmem c;
1513 struct getgr_stringmem m;
1519 res = talloc_dict_traverse(members, getgr_calc_memberlen, &c);
1521 DEBUG(5, ("talloc_dict_traverse failed\n"));
1522 return NT_STATUS_INTERNAL_ERROR;
1526 m.buf = talloc_array(mem_ctx, char, c.len);
1527 if (m.buf == NULL) {
1528 DEBUG(5, ("talloc failed\n"));
1529 return NT_STATUS_NO_MEMORY;
1532 res = talloc_dict_traverse(members, getgr_unparse_members, &m);
1534 DEBUG(5, ("talloc_dict_traverse failed\n"));
1536 return NT_STATUS_INTERNAL_ERROR;
1538 m.buf[c.len-1] = '\0';
1540 *num_members = c.num;
1542 return NT_STATUS_OK;
git.samba.org / metze / samba / wip.git / blob