2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2000,
5 * Copyright (C) Jean François Micouleau 1998-2001.
6 * Copyright (C) Volker Lendecke 2006.
7 * Copyright (C) Gerald Carter 2006.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 #include "groupdb/mapping.h"
27 /****************************************************************************
28 initialise first time the mapping list
29 ****************************************************************************/
30 NTSTATUS add_initial_entry(gid_t gid, const char *sid, enum lsa_SidType sid_name_use, const char *nt_name, const char *comment)
34 if(!init_group_mapping()) {
35 DEBUG(0,("failed to initialize group mapping\n"));
36 return NT_STATUS_UNSUCCESSFUL;
40 if (!string_to_sid(&map.sid, sid)) {
41 DEBUG(0, ("string_to_sid failed: %s", sid));
42 return NT_STATUS_UNSUCCESSFUL;
45 map.sid_name_use=sid_name_use;
46 fstrcpy(map.nt_name, nt_name);
47 fstrcpy(map.comment, comment);
49 return pdb_add_group_mapping_entry(&map);
52 static NTSTATUS alias_memberships(const DOM_SID *members, size_t num_members,
53 DOM_SID **sids, size_t *num)
60 for (i=0; i<num_members; i++) {
61 NTSTATUS status = one_alias_membership(&members[i], sids, num);
62 if (!NT_STATUS_IS_OK(status))
68 struct aliasmem_closure {
78 * High level functions
79 * better to use them than the lower ones.
81 * we are checking if the group is in the mapping file
82 * and if the group is an existing unix group
86 /* get a domain group from it's SID */
88 BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map)
93 if(!init_group_mapping()) {
94 DEBUG(0,("failed to initialize group mapping\n"));
98 DEBUG(10, ("get_domain_group_from_sid\n"));
100 /* if the group is NOT in the database, it CAN NOT be a domain group */
103 ret = pdb_getgrsid(map, sid);
106 /* special case check for rid 513 */
111 sid_peek_rid( &sid, &rid );
113 if ( rid == DOMAIN_GROUP_RID_USERS ) {
114 fstrcpy( map->nt_name, "None" );
115 fstrcpy( map->comment, "Ordinary Users" );
116 sid_copy( &map->sid, &sid );
117 map->sid_name_use = SID_NAME_DOM_GRP;
125 DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n"));
127 /* if it's not a domain group, continue */
128 if (map->sid_name_use!=SID_NAME_DOM_GRP) {
132 DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n"));
138 DEBUG(10, ("get_domain_group_from_sid: SID is mapped to gid:%lu\n",(unsigned long)map->gid));
140 grp = getgrgid(map->gid);
142 DEBUG(10, ("get_domain_group_from_sid: gid DOESN'T exist in UNIX security\n"));
146 DEBUG(10, ("get_domain_group_from_sid: gid exists in UNIX security\n"));
151 /****************************************************************************
152 Create a UNIX group on demand.
153 ****************************************************************************/
155 int smb_create_group(const char *unix_group, gid_t *new_gid)
163 /* defer to scripts */
165 if ( *lp_addgroup_script() ) {
166 pstrcpy(add_script, lp_addgroup_script());
167 pstring_sub(add_script, "%g", unix_group);
168 ret = smbrun(add_script, &fd);
169 DEBUG(ret ? 0 : 3,("smb_create_group: Running the command `%s' gave %d\n",add_script,ret));
171 smb_nscd_flush_group_cache();
180 if (read(fd, output, sizeof(output)) > 0) {
181 *new_gid = (gid_t)strtoul(output, NULL, 10);
190 struct group *grp = getgrnam(unix_group);
193 *new_gid = grp->gr_gid;
199 /****************************************************************************
200 Delete a UNIX group on demand.
201 ****************************************************************************/
203 int smb_delete_group(const char *unix_group)
208 /* defer to scripts */
210 if ( *lp_delgroup_script() ) {
211 pstrcpy(del_script, lp_delgroup_script());
212 pstring_sub(del_script, "%g", unix_group);
213 ret = smbrun(del_script,NULL);
214 DEBUG(ret ? 0 : 3,("smb_delete_group: Running the command `%s' gave %d\n",del_script,ret));
216 smb_nscd_flush_group_cache();
224 /****************************************************************************
225 Set a user's primary UNIX group.
226 ****************************************************************************/
227 int smb_set_primary_group(const char *unix_group, const char* unix_user)
232 /* defer to scripts */
234 if ( *lp_setprimarygroup_script() ) {
235 pstrcpy(add_script, lp_setprimarygroup_script());
236 all_string_sub(add_script, "%g", unix_group, sizeof(add_script));
237 all_string_sub(add_script, "%u", unix_user, sizeof(add_script));
238 ret = smbrun(add_script,NULL);
240 DEBUG(ret ? 0 : 3,("smb_set_primary_group: "
241 "Running the command `%s' gave %d\n",add_script,ret));
243 smb_nscd_flush_group_cache();
251 /****************************************************************************
252 Add a user to a UNIX group.
253 ****************************************************************************/
255 int smb_add_user_group(const char *unix_group, const char *unix_user)
260 /* defer to scripts */
262 if ( *lp_addusertogroup_script() ) {
263 pstrcpy(add_script, lp_addusertogroup_script());
264 pstring_sub(add_script, "%g", unix_group);
265 pstring_sub(add_script, "%u", unix_user);
266 ret = smbrun(add_script,NULL);
267 DEBUG(ret ? 0 : 3,("smb_add_user_group: Running the command `%s' gave %d\n",add_script,ret));
269 smb_nscd_flush_group_cache();
277 /****************************************************************************
278 Delete a user from a UNIX group
279 ****************************************************************************/
281 int smb_delete_user_group(const char *unix_group, const char *unix_user)
286 /* defer to scripts */
288 if ( *lp_deluserfromgroup_script() ) {
289 pstrcpy(del_script, lp_deluserfromgroup_script());
290 pstring_sub(del_script, "%g", unix_group);
291 pstring_sub(del_script, "%u", unix_user);
292 ret = smbrun(del_script,NULL);
293 DEBUG(ret ? 0 : 3,("smb_delete_user_group: Running the command `%s' gave %d\n",del_script,ret));
295 smb_nscd_flush_group_cache();
304 NTSTATUS pdb_default_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
307 return get_group_map_from_sid(sid, map) ?
308 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
311 NTSTATUS pdb_default_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
314 return get_group_map_from_gid(gid, map) ?
315 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
318 NTSTATUS pdb_default_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
321 return get_group_map_from_ntname(name, map) ?
322 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
325 NTSTATUS pdb_default_add_group_mapping_entry(struct pdb_methods *methods,
328 return add_mapping_entry(map, TDB_INSERT) ?
329 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
332 NTSTATUS pdb_default_update_group_mapping_entry(struct pdb_methods *methods,
335 return add_mapping_entry(map, TDB_REPLACE) ?
336 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
339 NTSTATUS pdb_default_delete_group_mapping_entry(struct pdb_methods *methods,
342 return group_map_remove(&sid) ?
343 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
346 NTSTATUS pdb_default_enum_group_mapping(struct pdb_methods *methods,
347 const DOM_SID *sid, enum lsa_SidType sid_name_use,
348 GROUP_MAP **pp_rmap, size_t *p_num_entries,
351 return enum_group_mapping(sid, sid_name_use, pp_rmap, p_num_entries, unix_only) ?
352 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
355 NTSTATUS pdb_default_create_alias(struct pdb_methods *methods,
356 const char *name, uint32 *rid)
359 enum lsa_SidType type;
367 DEBUG(10, ("Trying to create alias %s\n", name));
369 mem_ctx = talloc_new(NULL);
370 if (mem_ctx == NULL) {
371 return NT_STATUS_NO_MEMORY;
374 exists = lookup_name(mem_ctx, name, LOOKUP_NAME_ISOLATED,
375 NULL, NULL, &sid, &type);
376 TALLOC_FREE(mem_ctx);
379 return NT_STATUS_ALIAS_EXISTS;
382 if (!winbind_allocate_gid(&gid)) {
383 DEBUG(3, ("Could not get a gid out of winbind\n"));
384 return NT_STATUS_ACCESS_DENIED;
387 if (!pdb_new_rid(&new_rid)) {
388 DEBUG(0, ("Could not allocate a RID -- wasted a gid :-(\n"));
389 return NT_STATUS_ACCESS_DENIED;
392 DEBUG(10, ("Creating alias %s with gid %d and rid %d\n",
393 name, gid, new_rid));
395 sid_copy(&sid, get_global_sam_sid());
396 sid_append_rid(&sid, new_rid);
399 sid_copy(&map.sid, &sid);
400 map.sid_name_use = SID_NAME_ALIAS;
401 fstrcpy(map.nt_name, name);
402 fstrcpy(map.comment, "");
404 status = pdb_add_group_mapping_entry(&map);
406 if (!NT_STATUS_IS_OK(status)) {
407 DEBUG(0, ("Could not add group mapping entry for alias %s "
408 "(%s)\n", name, nt_errstr(status)));
417 NTSTATUS pdb_default_delete_alias(struct pdb_methods *methods,
420 return pdb_delete_group_mapping_entry(*sid);
423 NTSTATUS pdb_default_get_aliasinfo(struct pdb_methods *methods,
425 struct acct_info *info)
429 if (!pdb_getgrsid(&map, *sid))
430 return NT_STATUS_NO_SUCH_ALIAS;
432 if ((map.sid_name_use != SID_NAME_ALIAS) &&
433 (map.sid_name_use != SID_NAME_WKN_GRP)) {
434 DEBUG(2, ("%s is a %s, expected an alias\n",
435 sid_string_static(sid),
436 sid_type_lookup(map.sid_name_use)));
437 return NT_STATUS_NO_SUCH_ALIAS;
440 fstrcpy(info->acct_name, map.nt_name);
441 fstrcpy(info->acct_desc, map.comment);
442 sid_peek_rid(&map.sid, &info->rid);
446 NTSTATUS pdb_default_set_aliasinfo(struct pdb_methods *methods,
448 struct acct_info *info)
452 if (!pdb_getgrsid(&map, *sid))
453 return NT_STATUS_NO_SUCH_ALIAS;
455 fstrcpy(map.nt_name, info->acct_name);
456 fstrcpy(map.comment, info->acct_desc);
458 return pdb_update_group_mapping_entry(&map);
461 NTSTATUS pdb_default_add_aliasmem(struct pdb_methods *methods,
462 const DOM_SID *alias, const DOM_SID *member)
464 return add_aliasmem(alias, member);
467 NTSTATUS pdb_default_del_aliasmem(struct pdb_methods *methods,
468 const DOM_SID *alias, const DOM_SID *member)
470 return del_aliasmem(alias, member);
473 NTSTATUS pdb_default_enum_aliasmem(struct pdb_methods *methods,
474 const DOM_SID *alias, DOM_SID **pp_members,
475 size_t *p_num_members)
477 return enum_aliasmem(alias, pp_members, p_num_members);
480 NTSTATUS pdb_default_alias_memberships(struct pdb_methods *methods,
482 const DOM_SID *domain_sid,
483 const DOM_SID *members,
485 uint32 **pp_alias_rids,
486 size_t *p_num_alias_rids)
489 size_t i, num_alias_sids;
495 result = alias_memberships(members, num_members,
496 &alias_sids, &num_alias_sids);
498 if (!NT_STATUS_IS_OK(result))
501 *p_num_alias_rids = 0;
503 if (num_alias_sids == 0) {
504 TALLOC_FREE(alias_sids);
508 *pp_alias_rids = TALLOC_ARRAY(mem_ctx, uint32, num_alias_sids);
509 if (*pp_alias_rids == NULL)
510 return NT_STATUS_NO_MEMORY;
512 for (i=0; i<num_alias_sids; i++) {
513 if (!sid_peek_check_rid(domain_sid, &alias_sids[i],
514 &(*pp_alias_rids)[*p_num_alias_rids]))
516 *p_num_alias_rids += 1;
519 TALLOC_FREE(alias_sids);
524 /**********************************************************************
525 no ops for passdb backends that don't implement group mapping
526 *********************************************************************/
528 NTSTATUS pdb_nop_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
531 return NT_STATUS_UNSUCCESSFUL;
534 NTSTATUS pdb_nop_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
537 return NT_STATUS_UNSUCCESSFUL;
540 NTSTATUS pdb_nop_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
543 return NT_STATUS_UNSUCCESSFUL;
546 NTSTATUS pdb_nop_add_group_mapping_entry(struct pdb_methods *methods,
549 return NT_STATUS_UNSUCCESSFUL;
552 NTSTATUS pdb_nop_update_group_mapping_entry(struct pdb_methods *methods,
555 return NT_STATUS_UNSUCCESSFUL;
558 NTSTATUS pdb_nop_delete_group_mapping_entry(struct pdb_methods *methods,
561 return NT_STATUS_UNSUCCESSFUL;
564 NTSTATUS pdb_nop_enum_group_mapping(struct pdb_methods *methods,
565 enum lsa_SidType sid_name_use,
566 GROUP_MAP **rmap, size_t *num_entries,
569 return NT_STATUS_UNSUCCESSFUL;
572 /****************************************************************************
573 These need to be redirected through pdb_interface.c
574 ****************************************************************************/
575 BOOL pdb_get_dom_grp_info(const DOM_SID *sid, struct acct_info *info)
581 res = get_domain_group_from_sid(*sid, &map);
587 fstrcpy(info->acct_name, map.nt_name);
588 fstrcpy(info->acct_desc, map.comment);
589 sid_peek_rid(sid, &info->rid);
593 BOOL pdb_set_dom_grp_info(const DOM_SID *sid, const struct acct_info *info)
597 if (!get_domain_group_from_sid(*sid, &map))
600 fstrcpy(map.nt_name, info->acct_name);
601 fstrcpy(map.comment, info->acct_desc);
603 return NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map));
606 /********************************************************************
607 Really just intended to be called by smbd
608 ********************************************************************/
610 NTSTATUS pdb_create_builtin_alias(uint32 rid)
613 enum lsa_SidType type;
618 const char *name = NULL;
621 DEBUG(10, ("Trying to create builtin alias %d\n", rid));
623 if ( !sid_compose( &sid, &global_sid_Builtin, rid ) ) {
624 return NT_STATUS_NO_SUCH_ALIAS;
627 if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
628 return NT_STATUS_NO_MEMORY;
631 if ( !lookup_sid(mem_ctx, &sid, NULL, &name, &type) ) {
632 TALLOC_FREE( mem_ctx );
633 return NT_STATUS_NO_SUCH_ALIAS;
636 /* validate RID so copy the name and move on */
638 fstrcpy( groupname, name );
639 TALLOC_FREE( mem_ctx );
641 if (!winbind_allocate_gid(&gid)) {
642 DEBUG(3, ("pdb_create_builtin_alias: Could not get a gid out of winbind\n"));
643 return NT_STATUS_ACCESS_DENIED;
646 DEBUG(10,("Creating alias %s with gid %d\n", name, gid));
649 sid_copy(&map.sid, &sid);
650 map.sid_name_use = SID_NAME_ALIAS;
651 fstrcpy(map.nt_name, name);
652 fstrcpy(map.comment, "");
654 status = pdb_add_group_mapping_entry(&map);
656 if (!NT_STATUS_IS_OK(status)) {
657 DEBUG(0, ("pdb_create_builtin_alias: Could not add group mapping entry for alias %d "
658 "(%s)\n", rid, nt_errstr(status)));