2 Unix SMB/CIFS implementation.
4 Winbind daemon - sid related functions
6 Copyright (C) Tim Potter 2000
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #define DBGC_CLASS DBGC_WINBIND
28 /* Convert a string */
30 static void lookupsid_recv(void *private_data, bool success,
31 const char *dom_name, const char *name,
32 enum lsa_SidType type);
34 void winbindd_lookupsid(struct winbindd_cli_state *state)
38 /* Ensure null termination */
39 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
41 DEBUG(3, ("[%5lu]: lookupsid %s\n", (unsigned long)state->pid,
42 state->request.data.sid));
44 if (!string_to_sid(&sid, state->request.data.sid)) {
45 DEBUG(5, ("%s not a SID\n", state->request.data.sid));
50 winbindd_lookupsid_async(state->mem_ctx, &sid, lookupsid_recv, state);
53 static void lookupsid_recv(void *private_data, bool success,
54 const char *dom_name, const char *name,
55 enum lsa_SidType type)
57 struct winbindd_cli_state *state =
58 talloc_get_type_abort(private_data, struct winbindd_cli_state);
61 DEBUG(5, ("lookupsid returned an error\n"));
66 fstrcpy(state->response.data.name.dom_name, dom_name);
67 fstrcpy(state->response.data.name.name, name);
68 state->response.data.name.type = type;
73 * Look up the SID for a qualified name.
76 static void lookupname_recv(void *private_data, bool success,
77 const DOM_SID *sid, enum lsa_SidType type);
79 void winbindd_lookupname(struct winbindd_cli_state *state)
81 char *name_domain, *name_user;
84 /* Ensure null termination */
85 state->request.data.name.dom_name[sizeof(state->request.data.name.dom_name)-1]='\0';
87 /* Ensure null termination */
88 state->request.data.name.name[sizeof(state->request.data.name.name)-1]='\0';
90 /* cope with the name being a fully qualified name */
91 p = strstr(state->request.data.name.name, lp_winbind_separator());
94 name_domain = state->request.data.name.name;
97 name_domain = state->request.data.name.dom_name;
98 name_user = state->request.data.name.name;
101 DEBUG(3, ("[%5lu]: lookupname %s%s%s\n", (unsigned long)state->pid,
102 name_domain, lp_winbind_separator(), name_user));
104 winbindd_lookupname_async(state->mem_ctx, name_domain, name_user,
105 lookupname_recv, WINBINDD_LOOKUPNAME,
109 static void lookupname_recv(void *private_data, bool success,
110 const DOM_SID *sid, enum lsa_SidType type)
112 struct winbindd_cli_state *state =
113 talloc_get_type_abort(private_data, struct winbindd_cli_state);
116 DEBUG(5, ("lookupname returned an error\n"));
117 request_error(state);
121 sid_to_fstring(state->response.data.sid.sid, sid);
122 state->response.data.sid.type = type;
127 void winbindd_lookuprids(struct winbindd_cli_state *state)
129 struct winbindd_domain *domain;
132 /* Ensure null termination */
133 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
135 DEBUG(10, ("lookup_rids: %s\n", state->request.data.sid));
137 if (!string_to_sid(&domain_sid, state->request.data.sid)) {
138 DEBUG(5, ("Could not convert %s to SID\n",
139 state->request.data.sid));
140 request_error(state);
144 domain = find_lookup_domain_from_sid(&domain_sid);
145 if (domain == NULL) {
146 DEBUG(10, ("Could not find domain for name %s\n",
147 state->request.domain_name));
148 request_error(state);
152 sendto_domain(state, domain);
155 /* Convert a sid to a uid. We assume we only have one rid attached to the
158 static void sid2uid_recv(void *private_data, bool success, uid_t uid)
160 struct winbindd_cli_state *state =
161 talloc_get_type_abort(private_data, struct winbindd_cli_state);
164 DEBUG(5, ("Could not convert sid %s\n",
165 state->request.data.sid));
166 request_error(state);
170 state->response.data.uid = uid;
174 static void sid2uid_lookupsid_recv( void *private_data, bool success,
175 const char *domain_name,
177 enum lsa_SidType type)
179 struct winbindd_cli_state *state =
180 talloc_get_type_abort(private_data, struct winbindd_cli_state);
184 DEBUG(5, ("sid2uid_lookupsid_recv Could not convert get sid type for %s\n",
185 state->request.data.sid));
186 request_error(state);
190 if ( (type!=SID_NAME_USER) && (type!=SID_NAME_COMPUTER) ) {
191 DEBUG(5,("sid2uid_lookupsid_recv: Sid %s is not a user or a computer.\n",
192 state->request.data.sid));
193 request_error(state);
197 if (!string_to_sid(&sid, state->request.data.sid)) {
198 DEBUG(1, ("sid2uid_lookupsid_recv: Could not get convert sid %s from string\n",
199 state->request.data.sid));
200 request_error(state);
204 /* always use the async interface (may block) */
205 winbindd_sid2uid_async(state->mem_ctx, &sid, sid2uid_recv, state);
208 void winbindd_sid_to_uid(struct winbindd_cli_state *state)
212 /* Ensure null termination */
213 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
215 DEBUG(3, ("[%5lu]: sid to uid %s\n", (unsigned long)state->pid,
216 state->request.data.sid));
218 if (!string_to_sid(&sid, state->request.data.sid)) {
219 DEBUG(1, ("Could not get convert sid %s from string\n",
220 state->request.data.sid));
221 request_error(state);
225 /* Validate the SID as a user. Hopefully this will hit cache.
226 Needed to prevent DoS by exhausting the uid allocation
227 range from random SIDs. */
229 winbindd_lookupsid_async( state->mem_ctx, &sid, sid2uid_lookupsid_recv, state );
232 /* Convert a sid to a gid. We assume we only have one rid attached to the
235 static void sid2gid_recv(void *private_data, bool success, gid_t gid)
237 struct winbindd_cli_state *state =
238 talloc_get_type_abort(private_data, struct winbindd_cli_state);
241 DEBUG(5, ("Could not convert sid %s\n",
242 state->request.data.sid));
243 request_error(state);
247 state->response.data.gid = gid;
251 static void sid2gid_lookupsid_recv( void *private_data, bool success,
252 const char *domain_name,
254 enum lsa_SidType type)
256 struct winbindd_cli_state *state =
257 talloc_get_type_abort(private_data, struct winbindd_cli_state);
261 DEBUG(5, ("sid2gid_lookupsid_recv: Could not get sid type for %s\n",
262 state->request.data.sid));
263 request_error(state);
267 if ( (type!=SID_NAME_DOM_GRP) &&
268 (type!=SID_NAME_ALIAS) &&
269 (type!=SID_NAME_WKN_GRP) )
271 DEBUG(5,("sid2gid_lookupsid_recv: Sid %s is not a group.\n",
272 state->request.data.sid));
273 request_error(state);
277 if (!string_to_sid(&sid, state->request.data.sid)) {
278 DEBUG(1, ("sid2gid_lookupsid_recv: Could not get convert sid %s from string\n",
279 state->request.data.sid));
280 request_error(state);
284 /* always use the async interface (may block) */
285 winbindd_sid2gid_async(state->mem_ctx, &sid, sid2gid_recv, state);
288 void winbindd_sid_to_gid(struct winbindd_cli_state *state)
292 /* Ensure null termination */
293 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
295 DEBUG(3, ("[%5lu]: sid to gid %s\n", (unsigned long)state->pid,
296 state->request.data.sid));
298 if (!string_to_sid(&sid, state->request.data.sid)) {
299 DEBUG(1, ("Could not get convert sid %s from string\n",
300 state->request.data.sid));
301 request_error(state);
305 /* Validate the SID as a group. Hopefully this will hit cache.
306 Needed to prevent DoS by exhausting the uid allocation
307 range from random SIDs. */
309 winbindd_lookupsid_async( state->mem_ctx, &sid, sid2gid_lookupsid_recv, state );
312 static void winbindd_set_mapping_recv(TALLOC_CTX *mem_ctx, bool success,
313 struct winbindd_ndr_call *c,
318 struct winbindd_cli_state *state =
319 talloc_get_type_abort(private_data, struct winbindd_cli_state);
320 struct winbind_set_idmap *r =
321 talloc_get_type_abort(c->ndr.r, struct winbind_set_idmap);
324 DEBUG(5, ("Could not set_idmap(set_mapping)\n"));
325 request_error(state);
329 if (r->out.result != WINBIND_STATUS_OK) {
330 DEBUG(5, ("set_idmap(set_mapping) returned an error:0x%08X\n",
332 request_error(state);
339 void winbindd_set_mapping(struct winbindd_cli_state *state)
341 struct winbind_set_idmap *r = NULL;
343 DEBUG(3, ("[%5lu]: set id map\n", (unsigned long)state->pid));
345 if ( ! state->privileged) {
346 DEBUG(0, ("Only root is allowed to set mappings!\n"));
347 request_error(state);
351 r = TALLOC_P(state->mem_ctx, struct winbind_set_idmap);
353 r->in.level = TALLOC_P(r, enum winbind_set_idmap_level);
354 if (!r->in.level) goto nomem;
356 *r->in.level = WINBIND_SET_IDMAP_LEVEL_SET_MAPPING;
357 r->in.req.mapping.sid = string_sid_talloc(r,
358 state->request.data.dual_idmapset.sid);
359 if (!r->in.req.mapping.sid) {
360 DEBUG(1, ("Could not get convert sid %s from string\n",
361 state->request.data.dual_idmapset.sid));
364 r->in.req.mapping.xid.id = state->request.data.dual_idmapset.id;
365 r->in.req.mapping.xid.type = state->request.data.dual_idmapset.type;
366 r->in.req.mapping.status = ID_MAPPED;
368 do_async_ndr(state->mem_ctx, idmap_child(),
369 NDR_WINBIND_SET_IDMAP, r,
370 winbindd_set_mapping_recv, state,
374 request_error(state);
378 static void set_hwm_recv(void *private_data, bool success)
380 struct winbindd_cli_state *state =
381 talloc_get_type_abort(private_data, struct winbindd_cli_state);
384 DEBUG(5, ("Could not set sid mapping\n"));
385 request_error(state);
392 void winbindd_set_hwm(struct winbindd_cli_state *state)
396 DEBUG(3, ("[%5lu]: set hwm\n", (unsigned long)state->pid));
398 if ( ! state->privileged) {
399 DEBUG(0, ("Only root is allowed to set mappings!\n"));
400 request_error(state);
404 xid.id = state->request.data.dual_idmapset.id;
405 xid.type = state->request.data.dual_idmapset.type;
407 winbindd_set_hwm_async(state->mem_ctx, &xid, set_hwm_recv, state);
410 /* Convert a uid to a sid */
412 static void uid2sid_recv(void *private_data, bool success, const char *sid)
414 struct winbindd_cli_state *state =
415 (struct winbindd_cli_state *)private_data;
418 DEBUG(10,("uid2sid: uid %lu has sid %s\n",
419 (unsigned long)(state->request.data.uid), sid));
420 fstrcpy(state->response.data.sid.sid, sid);
421 state->response.data.sid.type = SID_NAME_USER;
426 request_error(state);
430 void winbindd_uid_to_sid(struct winbindd_cli_state *state)
432 DEBUG(3, ("[%5lu]: uid to sid %lu\n", (unsigned long)state->pid,
433 (unsigned long)state->request.data.uid));
435 /* always go via the async interface (may block) */
436 winbindd_uid2sid_async(state->mem_ctx, state->request.data.uid, uid2sid_recv, state);
439 /* Convert a gid to a sid */
441 static void gid2sid_recv(void *private_data, bool success, const char *sid)
443 struct winbindd_cli_state *state =
444 (struct winbindd_cli_state *)private_data;
447 DEBUG(10,("gid2sid: gid %lu has sid %s\n",
448 (unsigned long)(state->request.data.gid), sid));
449 fstrcpy(state->response.data.sid.sid, sid);
450 state->response.data.sid.type = SID_NAME_DOM_GRP;
455 request_error(state);
460 void winbindd_gid_to_sid(struct winbindd_cli_state *state)
462 DEBUG(3, ("[%5lu]: gid to sid %lu\n", (unsigned long)state->pid,
463 (unsigned long)state->request.data.gid));
465 /* always use async calls (may block) */
466 winbindd_gid2sid_async(state->mem_ctx, state->request.data.gid, gid2sid_recv, state);
469 static void winbindd_allocate_uid_recv(TALLOC_CTX *mem_ctx, bool success,
470 struct winbindd_ndr_call *c,
475 struct winbindd_cli_state *state =
476 talloc_get_type_abort(private_data, struct winbindd_cli_state);
477 struct winbind_set_idmap *r =
478 talloc_get_type_abort(c->ndr.r, struct winbind_set_idmap);
481 DEBUG(5, ("Could not set_idmap(allocate_uid)\n"));
482 request_error(state);
486 if (r->out.result != WINBIND_STATUS_OK) {
487 DEBUG(5, ("set_idmap(allocate_uid) returned an error:0x%08X\n",
489 request_error(state);
493 if (r->out.rep->uid > UINT32_MAX) {
494 DEBUG(1, ("set_idmap(allocate_uid) returned a 64bit uid %llu\n",
495 (unsigned long long)r->out.rep->uid));
496 request_error(state);
500 state->response.data.uid = r->out.rep->uid;
504 void winbindd_allocate_uid(struct winbindd_cli_state *state)
506 struct winbind_set_idmap *r = NULL;
508 if ( !state->privileged ) {
509 DEBUG(2, ("winbindd_allocate_uid: non-privileged access "
511 request_error(state);
515 r = TALLOC_P(state->mem_ctx, struct winbind_set_idmap);
517 r->in.level = TALLOC_P(r, enum winbind_set_idmap_level);
518 if (!r->in.level) goto nomem;
520 *r->in.level = WINBIND_SET_IDMAP_LEVEL_ALLOCATE_UID;
522 do_async_ndr(state->mem_ctx, idmap_child(),
523 NDR_WINBIND_SET_IDMAP, r,
524 winbindd_allocate_uid_recv, state,
528 request_error(state);
532 static void winbindd_allocate_gid_recv(TALLOC_CTX *mem_ctx, bool success,
533 struct winbindd_ndr_call *c,
538 struct winbindd_cli_state *state =
539 talloc_get_type_abort(private_data, struct winbindd_cli_state);
540 struct winbind_set_idmap *r =
541 talloc_get_type_abort(c->ndr.r, struct winbind_set_idmap);
544 DEBUG(5, ("Could not set_idmap(allocate_gid)\n"));
545 request_error(state);
549 if (r->out.result != WINBIND_STATUS_OK) {
550 DEBUG(5, ("set_idmap(allocate_gid) returned an error:0x%08X\n",
552 request_error(state);
556 if (r->out.rep->gid > UINT32_MAX) {
557 DEBUG(1, ("set_idmap(allocate_gid) returned a 64bit gid %llu\n",
558 (unsigned long long)r->out.rep->gid));
559 request_error(state);
563 state->response.data.gid = r->out.rep->gid;
567 void winbindd_allocate_gid(struct winbindd_cli_state *state)
569 struct winbind_set_idmap *r = NULL;
571 if ( !state->privileged ) {
572 DEBUG(2, ("winbindd_allocate_gid: non-privileged access "
574 request_error(state);
578 r = TALLOC_P(state->mem_ctx, struct winbind_set_idmap);
580 r->in.level = TALLOC_P(r, enum winbind_set_idmap_level);
581 if (!r->in.level) goto nomem;
583 *r->in.level = WINBIND_SET_IDMAP_LEVEL_ALLOCATE_GID;
585 do_async_ndr(state->mem_ctx, idmap_child(),
586 NDR_WINBIND_SET_IDMAP, r,
587 winbindd_allocate_gid_recv, state,
591 request_error(state);