2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2000,
5 * Copyright (C) Jean François Micouleau 1998-2001.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 static TDB_CONTEXT *tdb; /* used for driver files */
26 #define DATABASE_VERSION_V1 1 /* native byte format. */
27 #define DATABASE_VERSION_V2 2 /* le format. */
29 #define GROUP_PREFIX "UNIXGROUP/"
31 /* Alias memberships are stored reverse, as memberships. The performance
32 * critical operation is to determine the aliases a SID is member of, not
33 * listing alias members. So we store a list of alias SIDs a SID is member of
34 * hanging of the member as key.
36 #define MEMBEROF_PREFIX "MEMBEROF/"
38 /****************************************************************************
39 initialise first time the mapping list - called from init_group_mapping()
40 ****************************************************************************/
41 static BOOL default_group_mapping(void)
50 /* Add the Wellknown groups */
52 add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "");
53 add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "");
54 add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "");
55 add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "");
56 add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "");
57 add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "");
58 add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "");
59 add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "");
60 add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "");
62 /* Add the defaults domain groups */
64 sid_copy(&sid_admins, get_global_sam_sid());
65 sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS);
66 sid_to_string(str_admins, &sid_admins);
67 add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "");
69 sid_copy(&sid_users, get_global_sam_sid());
70 sid_append_rid(&sid_users, DOMAIN_GROUP_RID_USERS);
71 sid_to_string(str_users, &sid_users);
72 add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "");
74 sid_copy(&sid_guests, get_global_sam_sid());
75 sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS);
76 sid_to_string(str_guests, &sid_guests);
77 add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "");
82 /****************************************************************************
83 Open the group mapping tdb.
84 ****************************************************************************/
86 static BOOL init_group_mapping(void)
88 const char *vstring = "INFO/version";
93 tdb = tdb_open_log(lock_path("group_mapping.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
95 DEBUG(0,("Failed to open group mapping database\n"));
99 /* handle a Samba upgrade */
100 tdb_lock_bystring(tdb, vstring, 0);
102 /* Cope with byte-reversed older versions of the db. */
103 vers_id = tdb_fetch_int32(tdb, vstring);
104 if ((vers_id == DATABASE_VERSION_V1) || (IREV(vers_id) == DATABASE_VERSION_V1)) {
105 /* Written on a bigendian machine with old fetch_int code. Save as le. */
106 tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
107 vers_id = DATABASE_VERSION_V2;
110 if (vers_id != DATABASE_VERSION_V2) {
111 tdb_traverse(tdb, tdb_traverse_delete_fn, NULL);
112 tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
115 tdb_unlock_bystring(tdb, vstring);
117 /* write a list of default groups */
118 if(!default_group_mapping())
124 /****************************************************************************
125 ****************************************************************************/
126 static BOOL add_mapping_entry(GROUP_MAP *map, int flag)
130 fstring string_sid="";
133 if(!init_group_mapping()) {
134 DEBUG(0,("failed to initialize group mapping\n"));
138 sid_to_string(string_sid, &map->sid);
140 len = tdb_pack(buf, sizeof(buf), "ddff",
141 map->gid, map->sid_name_use, map->nt_name, map->comment);
143 if (len > sizeof(buf))
146 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
148 kbuf.dsize = strlen(key)+1;
152 if (tdb_store(tdb, kbuf, dbuf, flag) != 0) return False;
157 /****************************************************************************
158 initialise first time the mapping list
159 ****************************************************************************/
160 BOOL add_initial_entry(gid_t gid, const char *sid, enum SID_NAME_USE sid_name_use, const char *nt_name, const char *comment)
164 if(!init_group_mapping()) {
165 DEBUG(0,("failed to initialize group mapping\n"));
170 if (!string_to_sid(&map.sid, sid)) {
171 DEBUG(0, ("string_to_sid failed: %s", sid));
175 map.sid_name_use=sid_name_use;
176 fstrcpy(map.nt_name, nt_name);
177 fstrcpy(map.comment, comment);
179 return NT_STATUS_IS_OK(pdb_add_group_mapping_entry(&map));
182 /****************************************************************************
183 Map a unix group to a newly created mapping
184 ****************************************************************************/
185 NTSTATUS map_unix_group(const struct group *grp, GROUP_MAP *pmap)
189 const char *grpname, *dom, *name;
192 if (pdb_getgrgid(&map, grp->gr_gid)) {
193 return NT_STATUS_GROUP_EXISTS;
196 map.gid = grp->gr_gid;
197 grpname = grp->gr_name;
199 if (lookup_name(tmp_talloc_ctx(), grpname, LOOKUP_NAME_ISOLATED,
200 &dom, &name, NULL, NULL)) {
202 const char *tmp = talloc_asprintf(
203 tmp_talloc_ctx(), "Unix Group %s", grp->gr_name);
205 DEBUG(5, ("%s exists as %s\\%s, retrying as \"%s\"\n",
206 grpname, dom, name, tmp));
210 if (lookup_name(tmp_talloc_ctx(), grpname, LOOKUP_NAME_ISOLATED,
211 NULL, NULL, NULL, NULL)) {
212 DEBUG(3, ("\"%s\" exists, can't map it\n", grp->gr_name));
213 return NT_STATUS_GROUP_EXISTS;
216 fstrcpy(map.nt_name, grpname);
218 if (pdb_rid_algorithm()) {
219 rid = pdb_gid_to_group_rid( grp->gr_gid );
221 if (!pdb_new_rid(&rid)) {
222 DEBUG(3, ("Could not get a new RID for %s\n",
224 return NT_STATUS_ACCESS_DENIED;
228 sid_compose(&map.sid, get_global_sam_sid(), rid);
229 map.sid_name_use = SID_NAME_DOM_GRP;
230 fstrcpy(map.comment, talloc_asprintf(tmp_talloc_ctx(), "Unix Group %s",
233 status = pdb_add_group_mapping_entry(&map);
234 if (NT_STATUS_IS_OK(status)) {
240 /****************************************************************************
241 Return the sid and the type of the unix group.
242 ****************************************************************************/
244 static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
251 if(!init_group_mapping()) {
252 DEBUG(0,("failed to initialize group mapping\n"));
256 /* the key is the SID, retrieving is direct */
258 sid_to_string(string_sid, &sid);
259 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
262 kbuf.dsize = strlen(key)+1;
264 dbuf = tdb_fetch(tdb, kbuf);
268 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
269 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
271 SAFE_FREE(dbuf.dptr);
274 DEBUG(3,("get_group_map_from_sid: tdb_unpack failure\n"));
278 sid_copy(&map->sid, &sid);
283 /****************************************************************************
284 Return the sid and the type of the unix group.
285 ****************************************************************************/
287 static BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map)
289 TDB_DATA kbuf, dbuf, newkey;
293 if(!init_group_mapping()) {
294 DEBUG(0,("failed to initialize group mapping\n"));
298 /* we need to enumerate the TDB to find the GID */
300 for (kbuf = tdb_firstkey(tdb);
302 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
304 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue;
306 dbuf = tdb_fetch(tdb, kbuf);
310 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
312 string_to_sid(&map->sid, string_sid);
314 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
315 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
317 SAFE_FREE(dbuf.dptr);
320 DEBUG(3,("get_group_map_from_gid: tdb_unpack failure\n"));
325 SAFE_FREE(kbuf.dptr);
333 /****************************************************************************
334 Return the sid and the type of the unix group.
335 ****************************************************************************/
337 static BOOL get_group_map_from_ntname(const char *name, GROUP_MAP *map)
339 TDB_DATA kbuf, dbuf, newkey;
343 if(!init_group_mapping()) {
344 DEBUG(0,("get_group_map_from_ntname:failed to initialize group mapping\n"));
348 /* we need to enumerate the TDB to find the name */
350 for (kbuf = tdb_firstkey(tdb);
352 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
354 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue;
356 dbuf = tdb_fetch(tdb, kbuf);
360 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
362 string_to_sid(&map->sid, string_sid);
364 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
365 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
367 SAFE_FREE(dbuf.dptr);
370 DEBUG(3,("get_group_map_from_ntname: tdb_unpack failure\n"));
374 if (StrCaseCmp(name, map->nt_name)==0) {
375 SAFE_FREE(kbuf.dptr);
383 /****************************************************************************
384 Remove a group mapping entry.
385 ****************************************************************************/
387 static BOOL group_map_remove(const DOM_SID *sid)
393 if(!init_group_mapping()) {
394 DEBUG(0,("failed to initialize group mapping\n"));
398 /* the key is the SID, retrieving is direct */
400 sid_to_string(string_sid, sid);
401 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
404 kbuf.dsize = strlen(key)+1;
406 dbuf = tdb_fetch(tdb, kbuf);
410 SAFE_FREE(dbuf.dptr);
412 if(tdb_delete(tdb, kbuf) != TDB_SUCCESS)
418 /****************************************************************************
419 Enumerate the group mapping.
420 ****************************************************************************/
422 static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
423 size_t *p_num_entries, BOOL unix_only)
425 TDB_DATA kbuf, dbuf, newkey;
432 if(!init_group_mapping()) {
433 DEBUG(0,("failed to initialize group mapping\n"));
440 for (kbuf = tdb_firstkey(tdb);
442 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
444 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0)
447 dbuf = tdb_fetch(tdb, kbuf);
451 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
453 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
454 &map.gid, &map.sid_name_use, &map.nt_name, &map.comment);
456 SAFE_FREE(dbuf.dptr);
459 DEBUG(3,("enum_group_mapping: tdb_unpack failure\n"));
463 /* list only the type or everything if UNKNOWN */
464 if (sid_name_use!=SID_NAME_UNKNOWN && sid_name_use!=map.sid_name_use) {
465 DEBUG(11,("enum_group_mapping: group %s is not of the requested type\n", map.nt_name));
469 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
470 DEBUG(11,("enum_group_mapping: group %s is non mapped\n", map.nt_name));
474 string_to_sid(&map.sid, string_sid);
476 DEBUG(11,("enum_group_mapping: returning group %s of "
477 "type %s\n", map.nt_name,
478 sid_type_lookup(map.sid_name_use)));
480 mapt= SMB_REALLOC_ARRAY((*pp_rmap), GROUP_MAP, entries+1);
482 DEBUG(0,("enum_group_mapping: Unable to enlarge group map!\n"));
489 mapt[entries].gid = map.gid;
490 sid_copy( &mapt[entries].sid, &map.sid);
491 mapt[entries].sid_name_use = map.sid_name_use;
492 fstrcpy(mapt[entries].nt_name, map.nt_name);
493 fstrcpy(mapt[entries].comment, map.comment);
499 *p_num_entries=entries;
504 /* This operation happens on session setup, so it should better be fast. We
505 * store a list of aliases a SID is member of hanging off MEMBEROF/SID. */
507 static NTSTATUS one_alias_membership(const DOM_SID *member,
508 DOM_SID **sids, size_t *num)
510 fstring key, string_sid;
514 if (!init_group_mapping()) {
515 DEBUG(0,("failed to initialize group mapping\n"));
516 return NT_STATUS_ACCESS_DENIED;
519 sid_to_string(string_sid, member);
520 slprintf(key, sizeof(key), "%s%s", MEMBEROF_PREFIX, string_sid);
522 kbuf.dsize = strlen(key)+1;
525 dbuf = tdb_fetch(tdb, kbuf);
527 if (dbuf.dptr == NULL) {
533 while (next_token(&p, string_sid, " ", sizeof(string_sid))) {
537 if (!string_to_sid(&alias, string_sid))
540 add_sid_to_array_unique(NULL, &alias, sids, num);
543 return NT_STATUS_NO_MEMORY;
546 SAFE_FREE(dbuf.dptr);
550 static NTSTATUS alias_memberships(const DOM_SID *members, size_t num_members,
551 DOM_SID **sids, size_t *num)
558 for (i=0; i<num_members; i++) {
559 NTSTATUS status = one_alias_membership(&members[i], sids, num);
560 if (!NT_STATUS_IS_OK(status))
566 static BOOL is_aliasmem(const DOM_SID *alias, const DOM_SID *member)
571 /* This feels the wrong way round, but the on-disk data structure
572 * dictates it this way. */
573 if (!NT_STATUS_IS_OK(alias_memberships(member, 1, &sids, &num)))
576 for (i=0; i<num; i++) {
577 if (sid_compare(alias, &sids[i]) == 0) {
586 static NTSTATUS add_aliasmem(const DOM_SID *alias, const DOM_SID *member)
592 char *new_memberstring;
595 if(!init_group_mapping()) {
596 DEBUG(0,("failed to initialize group mapping\n"));
597 return NT_STATUS_ACCESS_DENIED;
600 if (!get_group_map_from_sid(*alias, &map))
601 return NT_STATUS_NO_SUCH_ALIAS;
603 if ( (map.sid_name_use != SID_NAME_ALIAS) &&
604 (map.sid_name_use != SID_NAME_WKN_GRP) )
605 return NT_STATUS_NO_SUCH_ALIAS;
607 if (is_aliasmem(alias, member))
608 return NT_STATUS_MEMBER_IN_ALIAS;
610 sid_to_string(string_sid, member);
611 slprintf(key, sizeof(key), "%s%s", MEMBEROF_PREFIX, string_sid);
613 kbuf.dsize = strlen(key)+1;
616 dbuf = tdb_fetch(tdb, kbuf);
618 sid_to_string(string_sid, alias);
620 if (dbuf.dptr != NULL) {
621 asprintf(&new_memberstring, "%s %s", (char *)(dbuf.dptr),
624 new_memberstring = SMB_STRDUP(string_sid);
627 if (new_memberstring == NULL)
628 return NT_STATUS_NO_MEMORY;
630 SAFE_FREE(dbuf.dptr);
631 dbuf.dsize = strlen(new_memberstring)+1;
632 dbuf.dptr = new_memberstring;
634 result = tdb_store(tdb, kbuf, dbuf, 0);
636 SAFE_FREE(new_memberstring);
638 return (result == 0 ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED);
641 struct aliasmem_closure {
642 const DOM_SID *alias;
647 static int collect_aliasmem(TDB_CONTEXT *tdb_ctx, TDB_DATA key, TDB_DATA data,
650 struct aliasmem_closure *closure = (struct aliasmem_closure *)state;
652 fstring alias_string;
654 if (strncmp(key.dptr, MEMBEROF_PREFIX,
655 strlen(MEMBEROF_PREFIX)) != 0)
660 while (next_token(&p, alias_string, " ", sizeof(alias_string))) {
662 DOM_SID alias, member;
663 const char *member_string;
666 if (!string_to_sid(&alias, alias_string))
669 if (sid_compare(closure->alias, &alias) != 0)
672 /* Ok, we found the alias we're looking for in the membership
673 * list currently scanned. The key represents the alias
674 * member. Add that. */
676 member_string = strchr(key.dptr, '/');
678 /* Above we tested for MEMBEROF_PREFIX which includes the
681 SMB_ASSERT(member_string != NULL);
684 if (!string_to_sid(&member, member_string))
687 add_sid_to_array(NULL, &member, closure->sids, closure->num);
693 static NTSTATUS enum_aliasmem(const DOM_SID *alias, DOM_SID **sids, size_t *num)
696 struct aliasmem_closure closure;
698 if(!init_group_mapping()) {
699 DEBUG(0,("failed to initialize group mapping\n"));
700 return NT_STATUS_ACCESS_DENIED;
703 if (!get_group_map_from_sid(*alias, &map))
704 return NT_STATUS_NO_SUCH_ALIAS;
706 if ( (map.sid_name_use != SID_NAME_ALIAS) &&
707 (map.sid_name_use != SID_NAME_WKN_GRP) )
708 return NT_STATUS_NO_SUCH_ALIAS;
713 closure.alias = alias;
717 tdb_traverse(tdb, collect_aliasmem, &closure);
721 static NTSTATUS del_aliasmem(const DOM_SID *alias, const DOM_SID *member)
732 result = alias_memberships(member, 1, &sids, &num);
734 if (!NT_STATUS_IS_OK(result))
737 for (i=0; i<num; i++) {
738 if (sid_compare(&sids[i], alias) == 0) {
746 return NT_STATUS_MEMBER_NOT_IN_ALIAS;
750 sids[i] = sids[num-1];
754 sid_to_string(sid_string, member);
755 slprintf(key, sizeof(key), "%s%s", MEMBEROF_PREFIX, sid_string);
757 kbuf.dsize = strlen(key)+1;
761 return tdb_delete(tdb, kbuf) == 0 ?
762 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
764 member_string = SMB_STRDUP("");
766 if (member_string == NULL) {
768 return NT_STATUS_NO_MEMORY;
771 for (i=0; i<num; i++) {
772 char *s = member_string;
774 sid_to_string(sid_string, &sids[i]);
775 asprintf(&member_string, "%s %s", s, sid_string);
778 if (member_string == NULL) {
780 return NT_STATUS_NO_MEMORY;
784 dbuf.dsize = strlen(member_string)+1;
785 dbuf.dptr = member_string;
787 result = tdb_store(tdb, kbuf, dbuf, 0) == 0 ?
788 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
791 SAFE_FREE(member_string);
798 * High level functions
799 * better to use them than the lower ones.
801 * we are checking if the group is in the mapping file
802 * and if the group is an existing unix group
806 /* get a domain group from it's SID */
808 BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map)
813 if(!init_group_mapping()) {
814 DEBUG(0,("failed to initialize group mapping\n"));
818 DEBUG(10, ("get_domain_group_from_sid\n"));
820 /* if the group is NOT in the database, it CAN NOT be a domain group */
823 ret = pdb_getgrsid(map, sid);
829 DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n"));
831 /* if it's not a domain group, continue */
832 if (map->sid_name_use!=SID_NAME_DOM_GRP) {
836 DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n"));
842 DEBUG(10, ("get_domain_group_from_sid: SID is mapped to gid:%lu\n",(unsigned long)map->gid));
844 grp = getgrgid(map->gid);
846 DEBUG(10, ("get_domain_group_from_sid: gid DOESN'T exist in UNIX security\n"));
850 DEBUG(10, ("get_domain_group_from_sid: gid exists in UNIX security\n"));
855 /****************************************************************************
856 Create a UNIX group on demand.
857 ****************************************************************************/
859 int smb_create_group(char *unix_group, gid_t *new_gid)
867 /* defer to scripts */
869 if ( *lp_addgroup_script() ) {
870 pstrcpy(add_script, lp_addgroup_script());
871 pstring_sub(add_script, "%g", unix_group);
872 ret = smbrun(add_script, (new_gid!=NULL) ? &fd : NULL);
873 DEBUG(ret ? 0 : 3,("smb_create_group: Running the command `%s' gave %d\n",add_script,ret));
881 if (read(fd, output, sizeof(output)) > 0) {
882 *new_gid = (gid_t)strtoul(output, NULL, 10);
891 struct group *grp = getgrnam(unix_group);
894 *new_gid = grp->gr_gid;
900 /****************************************************************************
901 Delete a UNIX group on demand.
902 ****************************************************************************/
904 int smb_delete_group(char *unix_group)
909 /* defer to scripts */
911 if ( *lp_delgroup_script() ) {
912 pstrcpy(del_script, lp_delgroup_script());
913 pstring_sub(del_script, "%g", unix_group);
914 ret = smbrun(del_script,NULL);
915 DEBUG(ret ? 0 : 3,("smb_delete_group: Running the command `%s' gave %d\n",del_script,ret));
922 /****************************************************************************
923 Set a user's primary UNIX group.
924 ****************************************************************************/
925 int smb_set_primary_group(const char *unix_group, const char* unix_user)
930 /* defer to scripts */
932 if ( *lp_setprimarygroup_script() ) {
933 pstrcpy(add_script, lp_setprimarygroup_script());
934 all_string_sub(add_script, "%g", unix_group, sizeof(add_script));
935 all_string_sub(add_script, "%u", unix_user, sizeof(add_script));
936 ret = smbrun(add_script,NULL);
938 DEBUG(ret ? 0 : 3,("smb_set_primary_group: "
939 "Running the command `%s' gave %d\n",add_script,ret));
946 /****************************************************************************
947 Add a user to a UNIX group.
948 ****************************************************************************/
950 int smb_add_user_group(char *unix_group, char *unix_user)
955 /* defer to scripts */
957 if ( *lp_addusertogroup_script() ) {
958 pstrcpy(add_script, lp_addusertogroup_script());
959 pstring_sub(add_script, "%g", unix_group);
960 pstring_sub(add_script, "%u", unix_user);
961 ret = smbrun(add_script,NULL);
962 DEBUG(ret ? 0 : 3,("smb_add_user_group: Running the command `%s' gave %d\n",add_script,ret));
969 /****************************************************************************
970 Delete a user from a UNIX group
971 ****************************************************************************/
973 int smb_delete_user_group(const char *unix_group, const char *unix_user)
978 /* defer to scripts */
980 if ( *lp_deluserfromgroup_script() ) {
981 pstrcpy(del_script, lp_deluserfromgroup_script());
982 pstring_sub(del_script, "%g", unix_group);
983 pstring_sub(del_script, "%u", unix_user);
984 ret = smbrun(del_script,NULL);
985 DEBUG(ret ? 0 : 3,("smb_delete_user_group: Running the command `%s' gave %d\n",del_script,ret));
993 NTSTATUS pdb_default_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
996 return get_group_map_from_sid(sid, map) ?
997 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1000 NTSTATUS pdb_default_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
1003 return get_group_map_from_gid(gid, map) ?
1004 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1007 NTSTATUS pdb_default_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
1010 return get_group_map_from_ntname(name, map) ?
1011 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1014 NTSTATUS pdb_default_add_group_mapping_entry(struct pdb_methods *methods,
1017 return add_mapping_entry(map, TDB_INSERT) ?
1018 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1021 NTSTATUS pdb_default_update_group_mapping_entry(struct pdb_methods *methods,
1024 return add_mapping_entry(map, TDB_REPLACE) ?
1025 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1028 NTSTATUS pdb_default_delete_group_mapping_entry(struct pdb_methods *methods,
1031 return group_map_remove(&sid) ?
1032 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1035 NTSTATUS pdb_default_enum_group_mapping(struct pdb_methods *methods,
1036 enum SID_NAME_USE sid_name_use,
1037 GROUP_MAP **pp_rmap, size_t *p_num_entries,
1040 return enum_group_mapping(sid_name_use, pp_rmap, p_num_entries, unix_only) ?
1041 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1044 NTSTATUS pdb_default_find_alias(struct pdb_methods *methods,
1045 const char *name, DOM_SID *sid)
1049 if (!pdb_getgrnam(&map, name))
1050 return NT_STATUS_NO_SUCH_ALIAS;
1052 if ((map.sid_name_use != SID_NAME_WKN_GRP) &&
1053 (map.sid_name_use != SID_NAME_ALIAS))
1054 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1056 sid_copy(sid, &map.sid);
1057 return NT_STATUS_OK;
1060 NTSTATUS pdb_default_create_alias(struct pdb_methods *methods,
1061 const char *name, uint32 *rid)
1064 enum SID_NAME_USE type;
1069 TALLOC_CTX *mem_ctx;
1072 DEBUG(10, ("Trying to create alias %s\n", name));
1074 mem_ctx = talloc_new(NULL);
1075 if (mem_ctx == NULL) {
1076 return NT_STATUS_NO_MEMORY;
1079 exists = lookup_name(mem_ctx, name, LOOKUP_NAME_ISOLATED,
1080 NULL, NULL, &sid, &type);
1081 talloc_free(mem_ctx);
1084 return NT_STATUS_ALIAS_EXISTS;
1087 if (!winbind_allocate_gid(&gid)) {
1088 DEBUG(3, ("Could not get a gid out of winbind\n"));
1089 return NT_STATUS_ACCESS_DENIED;
1092 if (!pdb_new_rid(&new_rid)) {
1093 DEBUG(0, ("Could not allocate a RID -- wasted a gid :-(\n"));
1094 return NT_STATUS_ACCESS_DENIED;
1097 DEBUG(10, ("Creating alias %s with gid %d and rid %d\n",
1098 name, gid, new_rid));
1100 sid_copy(&sid, get_global_sam_sid());
1101 sid_append_rid(&sid, new_rid);
1104 sid_copy(&map.sid, &sid);
1105 map.sid_name_use = SID_NAME_ALIAS;
1106 fstrcpy(map.nt_name, name);
1107 fstrcpy(map.comment, "");
1109 status = pdb_add_group_mapping_entry(&map);
1111 if (!NT_STATUS_IS_OK(status)) {
1112 DEBUG(0, ("Could not add group mapping entry for alias %s "
1113 "(%s)\n", name, nt_errstr(status)));
1119 return NT_STATUS_OK;
1122 NTSTATUS pdb_default_delete_alias(struct pdb_methods *methods,
1125 return pdb_delete_group_mapping_entry(*sid) ?
1126 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
1129 NTSTATUS pdb_default_get_aliasinfo(struct pdb_methods *methods,
1131 struct acct_info *info)
1135 if (!pdb_getgrsid(&map, *sid))
1136 return NT_STATUS_NO_SUCH_ALIAS;
1138 if ((map.sid_name_use != SID_NAME_ALIAS) &&
1139 (map.sid_name_use != SID_NAME_WKN_GRP)) {
1140 DEBUG(2, ("%s is a %s, expected an alias\n",
1141 sid_string_static(sid),
1142 sid_type_lookup(map.sid_name_use)));
1143 return NT_STATUS_NO_SUCH_ALIAS;
1146 fstrcpy(info->acct_name, map.nt_name);
1147 fstrcpy(info->acct_desc, map.comment);
1148 sid_peek_rid(&map.sid, &info->rid);
1149 return NT_STATUS_OK;
1152 NTSTATUS pdb_default_set_aliasinfo(struct pdb_methods *methods,
1154 struct acct_info *info)
1158 if (!pdb_getgrsid(&map, *sid))
1159 return NT_STATUS_NO_SUCH_ALIAS;
1161 fstrcpy(map.comment, info->acct_desc);
1163 return pdb_update_group_mapping_entry(&map);
1166 NTSTATUS pdb_default_add_aliasmem(struct pdb_methods *methods,
1167 const DOM_SID *alias, const DOM_SID *member)
1169 return add_aliasmem(alias, member);
1172 NTSTATUS pdb_default_del_aliasmem(struct pdb_methods *methods,
1173 const DOM_SID *alias, const DOM_SID *member)
1175 return del_aliasmem(alias, member);
1178 NTSTATUS pdb_default_enum_aliasmem(struct pdb_methods *methods,
1179 const DOM_SID *alias, DOM_SID **pp_members,
1180 size_t *p_num_members)
1182 return enum_aliasmem(alias, pp_members, p_num_members);
1185 NTSTATUS pdb_default_alias_memberships(struct pdb_methods *methods,
1186 TALLOC_CTX *mem_ctx,
1187 const DOM_SID *domain_sid,
1188 const DOM_SID *members,
1190 uint32 **pp_alias_rids,
1191 size_t *p_num_alias_rids)
1193 DOM_SID *alias_sids;
1194 size_t i, num_alias_sids;
1200 result = alias_memberships(members, num_members,
1201 &alias_sids, &num_alias_sids);
1203 if (!NT_STATUS_IS_OK(result))
1206 *pp_alias_rids = TALLOC_ARRAY(mem_ctx, uint32, num_alias_sids);
1207 if (*pp_alias_rids == NULL)
1208 return NT_STATUS_NO_MEMORY;
1210 *p_num_alias_rids = 0;
1212 for (i=0; i<num_alias_sids; i++) {
1213 if (!sid_peek_check_rid(domain_sid, &alias_sids[i],
1214 &(*pp_alias_rids)[*p_num_alias_rids]))
1216 *p_num_alias_rids += 1;
1219 SAFE_FREE(alias_sids);
1221 return NT_STATUS_OK;
1224 /**********************************************************************
1225 no ops for passdb backends that don't implement group mapping
1226 *********************************************************************/
1228 NTSTATUS pdb_nop_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
1231 return NT_STATUS_UNSUCCESSFUL;
1234 NTSTATUS pdb_nop_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
1237 return NT_STATUS_UNSUCCESSFUL;
1240 NTSTATUS pdb_nop_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
1243 return NT_STATUS_UNSUCCESSFUL;
1246 NTSTATUS pdb_nop_add_group_mapping_entry(struct pdb_methods *methods,
1249 return NT_STATUS_UNSUCCESSFUL;
1252 NTSTATUS pdb_nop_update_group_mapping_entry(struct pdb_methods *methods,
1255 return NT_STATUS_UNSUCCESSFUL;
1258 NTSTATUS pdb_nop_delete_group_mapping_entry(struct pdb_methods *methods,
1261 return NT_STATUS_UNSUCCESSFUL;
1264 NTSTATUS pdb_nop_enum_group_mapping(struct pdb_methods *methods,
1265 enum SID_NAME_USE sid_name_use,
1266 GROUP_MAP **rmap, size_t *num_entries,
1269 return NT_STATUS_UNSUCCESSFUL;
1272 /****************************************************************************
1273 These need to be redirected through pdb_interface.c
1274 ****************************************************************************/
1275 BOOL pdb_get_dom_grp_info(const DOM_SID *sid, struct acct_info *info)
1281 res = get_domain_group_from_sid(*sid, &map);
1287 fstrcpy(info->acct_name, map.nt_name);
1288 fstrcpy(info->acct_desc, map.comment);
1289 sid_peek_rid(sid, &info->rid);
1293 BOOL pdb_set_dom_grp_info(const DOM_SID *sid, const struct acct_info *info)
1297 if (!get_domain_group_from_sid(*sid, &map))
1300 fstrcpy(map.nt_name, info->acct_name);
1301 fstrcpy(map.comment, info->acct_desc);
1303 return NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map));
git.samba.org / metze / samba / wip.git / blob