return NT_STATUS_OK;
}
-/*
- * Create a NT token for the user, expanding local aliases
- */
+/*******************************************************************
+*******************************************************************/
+
+static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_token *token )
+{
+ return NT_STATUS_OK;
+}
+
+/*******************************************************************
+*******************************************************************/
+
+static NTSTATUS create_builtin_administrators( void )
+{
+ NTSTATUS status;
+ DOM_SID dom_admins, root_sid;
+ fstring root_name;
+ enum SID_NAME_USE type;
+ TALLOC_CTX *ctx;
+ BOOL ret;
+
+ status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS );
+ if ( !NT_STATUS_IS_OK(status) ) {
+ DEBUG(0,("create_builtin_administrators: Failed to create Administrators\n"));
+ return status;
+ }
+
+ /* add domain admins */
+ if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
+ && secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))
+ {
+ sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS);
+ status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins );
+ if ( !NT_STATUS_IS_OK(status) ) {
+ DEBUG(0,("create_builtin_administrators: Failed to add Domain Admins"
+ " Administrators\n"));
+ return status;
+ }
+ }
+
+ /* add root */
+ if ( (ctx = talloc_init(NULL)) == NULL ) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ fstr_sprintf( root_name, "%s\\root", get_global_sam_name() );
+ ret = lookup_name( ctx, root_name, 0, NULL, NULL, &root_sid, &type );
+ TALLOC_FREE( ctx );
+
+ if ( ret ) {
+ status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid );
+ if ( !NT_STATUS_IS_OK(status) ) {
+ DEBUG(0,("create_builtin_administrators: Failed to add root"
+ " Administrators\n"));
+ return status;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Create a NT token for the user, expanding local aliases
+*******************************************************************/
static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
const DOM_SID *user_sid,
struct nt_user_token *result = NULL;
int i;
NTSTATUS status;
+ gid_t gid;
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
goto done;
}
- /* First create the default SIDs */
+ /* Add the user and primary group sid */
add_sid_to_array(result, user_sid,
&result->user_sids, &result->num_sids);
add_sid_to_array(result, group_sid,
&result->user_sids, &result->num_sids);
+
+ /* Add in BUILTIN sids */
+
add_sid_to_array(result, &global_sid_World,
&result->user_sids, &result->num_sids);
add_sid_to_array(result, &global_sid_Network,
add_sid_to_array(result, &global_sid_Authenticated_Users,
&result->user_sids, &result->num_sids);
}
-
+
/* Now the SIDs we got from authentication. These are the ones from
* the info3 struct or from the pdb_enum_group_memberships, depending
* on who authenticated the user. */
add_sid_to_array_unique(result, &groupsids[i],
&result->user_sids, &result->num_sids);
}
+
+ /* Deal with the BUILTIN\Administrators group. If the SID can
+ be resolved then assume that the add_aliasmem( S-1-5-32 )
+ handled it. */
+
+ if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) {
+ /* We can only create a mapping if winbind is running
+ and the nested group functionality has been enabled */
+
+ if ( lp_winbind_nested_groups() ) {
+ become_root();
+ status = create_builtin_administrators( );
+ if ( !NT_STATUS_IS_OK(status) ) {
+ DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n"));
+ /* don't fail, just log the message */
+ }
+ unbecome_root();
+ }
+ else {
+ status = add_builtin_administrators( tmp_ctx, result );
+ if ( !NT_STATUS_IS_OK(status) ) {
+ result = NULL;
+ goto done;
+ }
+ }
+ }
+ /* Deal with local groups */
+
if (lp_winbind_nested_groups()) {
/* Now add the aliases. First the one from our local SAM */
result = NULL;
goto done;
}
- } else {
-
- /* Play jerry's trick to auto-add local admins if we're a
- * domain admin. */
-
- DOM_SID dom_admins;
- BOOL domain_mode = False;
-
- if (IS_DC) {
- sid_compose(&dom_admins, get_global_sam_sid(),
- DOMAIN_GROUP_RID_ADMINS);
- domain_mode = True;
- }
- if ((lp_server_role() == ROLE_DOMAIN_MEMBER) &&
- (secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))) {
- sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS);
- domain_mode = True;
- }
+ }
- if (domain_mode) {
- for (i=0; i<result->num_sids; i++) {
- if (sid_equal(&dom_admins,
- &result->user_sids[i])) {
- add_sid_to_array_unique(
- result,
- &global_sid_Builtin_Administrators,
- &result->user_sids,
- &result->num_sids);
- break;
- }
- }
-
- }
- }
get_privileges_for_sids(&result->privileges, result->user_sids,
result->num_sids);
* RPC Pipe client / server routines
* Copyright (C) Andrew Tridgell 1992-2000,
* Copyright (C) Jean François Micouleau 1998-2001.
+ * Copyright (C) Volker Lendecke 2006.
+ * Copyright (C) Gerald Carter 2006.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
*/
#define MEMBEROF_PREFIX "MEMBEROF/"
-/****************************************************************************
-initialise first time the mapping list - called from init_group_mapping()
-****************************************************************************/
-static BOOL default_group_mapping(void)
-{
- DOM_SID sid_admins;
- DOM_SID sid_users;
- DOM_SID sid_guests;
- fstring str_admins;
- fstring str_users;
- fstring str_guests;
-
- /* Add the Wellknown groups */
-
- add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "");
- add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "");
- add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "");
- add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "");
- add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "");
- add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "");
- add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "");
- add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "");
- add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "");
-
- /* Add the defaults domain groups */
-
- sid_copy(&sid_admins, get_global_sam_sid());
- sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS);
- sid_to_string(str_admins, &sid_admins);
- add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "");
-
- sid_copy(&sid_users, get_global_sam_sid());
- sid_append_rid(&sid_users, DOMAIN_GROUP_RID_USERS);
- sid_to_string(str_users, &sid_users);
- add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "");
-
- sid_copy(&sid_guests, get_global_sam_sid());
- sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS);
- sid_to_string(str_guests, &sid_guests);
- add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "");
-
- return True;
-}
+static BOOL enum_group_mapping(const DOM_SID *sid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
+ size_t *p_num_entries, BOOL unix_only);
+static BOOL group_map_remove(const DOM_SID *sid);
+
/****************************************************************************
Open the group mapping tdb.
****************************************************************************/
{
const char *vstring = "INFO/version";
int32 vers_id;
+ GROUP_MAP *map_table = NULL;
+ size_t num_entries = 0;
if (tdb)
return True;
+
tdb = tdb_open_log(lock_path("group_mapping.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
if (!tdb) {
DEBUG(0,("Failed to open group mapping database\n"));
vers_id = DATABASE_VERSION_V2;
}
+ /* if its an unknown version we remove everthing in the db */
+
if (vers_id != DATABASE_VERSION_V2) {
tdb_traverse(tdb, tdb_traverse_delete_fn, NULL);
tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
tdb_unlock_bystring(tdb, vstring);
- /* write a list of default groups */
- if(!default_group_mapping())
- return False;
+ /* cleanup any map entries with a gid == -1 */
+
+ if ( enum_group_mapping( NULL, SID_NAME_UNKNOWN, &map_table, &num_entries, False ) ) {
+ int i;
+
+ for ( i=0; i<num_entries; i++ ) {
+ if ( map_table[i].gid == -1 ) {
+ group_map_remove( &map_table[i].sid );
+ }
+ }
+
+ SAFE_FREE( map_table );
+ }
+
return True;
}
DEBUG(3,("get_group_map_from_sid: tdb_unpack failure\n"));
return False;
}
-
+
sid_copy(&map->sid, &sid);
return True;
return False;
}
- if (StrCaseCmp(name, map->nt_name)==0) {
+ if ( strequal(name, map->nt_name) ) {
SAFE_FREE(kbuf.dptr);
return True;
}
Enumerate the group mapping.
****************************************************************************/
-static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
+static BOOL enum_group_mapping(const DOM_SID *domsid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
size_t *p_num_entries, BOOL unix_only)
{
TDB_DATA kbuf, dbuf, newkey;
GROUP_MAP *mapt;
int ret;
size_t entries=0;
+ DOM_SID grpsid;
+ uint32 rid;
if(!init_group_mapping()) {
DEBUG(0,("failed to initialize group mapping\n"));
continue;
}
- string_to_sid(&map.sid, string_sid);
+ string_to_sid(&grpsid, string_sid);
+ sid_copy( &map.sid, &grpsid );
+ sid_split_rid( &grpsid, &rid );
+
+ /* Only check the domain if we were given one */
+
+ if ( domsid && !sid_equal( domsid, &grpsid ) ) {
+ DEBUG(11,("enum_group_mapping: group %s is not in domain %s\n",
+ string_sid, sid_string_static(domsid)));
+ continue;
+ }
+
DEBUG(11,("enum_group_mapping: returning group %s of "
"type %s\n", map.nt_name,
sid_type_lookup(map.sid_name_use)));
}
NTSTATUS pdb_default_enum_group_mapping(struct pdb_methods *methods,
- enum SID_NAME_USE sid_name_use,
+ const DOM_SID *sid, enum SID_NAME_USE sid_name_use,
GROUP_MAP **pp_rmap, size_t *p_num_entries,
BOOL unix_only)
{
- return enum_group_mapping(sid_name_use, pp_rmap, p_num_entries, unix_only) ?
+ return enum_group_mapping(sid, sid_name_use, pp_rmap, p_num_entries, unix_only) ?
NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
}
return NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map));
}
+/********************************************************************
+ Really just intended to be called by smbd
+********************************************************************/
+
+NTSTATUS pdb_create_builtin_alias(uint32 rid)
+{
+ DOM_SID sid;
+ enum SID_NAME_USE type;
+ gid_t gid;
+ GROUP_MAP map;
+ TALLOC_CTX *mem_ctx;
+ NTSTATUS status;
+ const char *name = NULL;
+ fstring groupname;
+
+ DEBUG(10, ("Trying to create builtin alias %d\n", rid));
+
+ if ( !sid_compose( &sid, &global_sid_Builtin, rid ) ) {
+ return NT_STATUS_NO_SUCH_ALIAS;
+ }
+
+ if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if ( !lookup_sid(mem_ctx, &sid, NULL, &name, &type) ) {
+ TALLOC_FREE( mem_ctx );
+ return NT_STATUS_NO_SUCH_ALIAS;
+ }
+
+ /* validate RID so copy the name and move on */
+
+ fstrcpy( groupname, name );
+ TALLOC_FREE( mem_ctx );
+
+ if (!winbind_allocate_gid(&gid)) {
+ DEBUG(3, ("pdb_create_builtin_alias: Could not get a gid out of winbind\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ DEBUG(10,("Creating alias %s with gid %d\n", name, gid));
+
+ map.gid = gid;
+ sid_copy(&map.sid, &sid);
+ map.sid_name_use = SID_NAME_ALIAS;
+ fstrcpy(map.nt_name, name);
+ fstrcpy(map.comment, "");
+
+ status = pdb_add_group_mapping_entry(&map);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("pdb_create_builtin_alias: Could not add group mapping entry for alias %d "
+ "(%s)\n", rid, nt_errstr(status)));
+ }
+
+ return status;
+}
+
* the pdb module. Remove the latter, this might happen more often. VL.
*/
-#define PASSDB_INTERFACE_VERSION 12
+#define PASSDB_INTERFACE_VERSION 13
struct pdb_methods
{
DOM_SID sid);
NTSTATUS (*enum_group_mapping)(struct pdb_methods *methods,
- enum SID_NAME_USE sid_name_use,
+ const DOM_SID *sid, enum SID_NAME_USE sid_name_use,
GROUP_MAP **pp_rmap, size_t *p_num_entries,
BOOL unix_only);
static void child_msg_online(int msg_type, struct process_id src, void *buf, size_t len)
{
struct winbindd_domain *domain;
- int ret;
DEBUG(5,("child_msg_online received.\n"));
const char *gr_name, gid_t unix_gid)
{
fstring full_group_name;
- /* Fill in uid/gid */
- fill_domain_username(full_group_name, dom_name, gr_name);
+
+ fill_domain_username( full_group_name, dom_name, gr_name, False);
gr->gr_gid = unix_gid;
/* Append domain name */
- fill_domain_username(name, domain->name, the_name);
+ fill_domain_username(name, domain->name, the_name, False);
len = strlen(name);
void winbindd_getgrnam(struct winbindd_cli_state *state)
{
- DOM_SID group_sid;
+ DOM_SID group_sid, tmp_sid;
+ uint32 grp_rid;
struct winbindd_domain *domain;
enum SID_NAME_USE name_type;
fstring name_domain, name_group;
return;
}
+ /* Make sure that the group SID is within the domain of the
+ original domain */
+
+ sid_copy( &tmp_sid, &group_sid );
+ sid_split_rid( &tmp_sid, &grp_rid );
+ if ( !sid_equal( &tmp_sid, &domain->sid ) ) {
+ DEBUG(3,("winbindd_getgrnam: group %s resolves to a SID in the wrong domain [%s]\n",
+ state->request.data.groupname, sid_string_static(&group_sid)));
+ request_error(state);
+ return;
+ }
+
+
+
/* Try to get the GID */
status = idmap_sid_to_gid(&group_sid, &gid, 0);
/* Fill in group entry */
fill_domain_username(domain_group_name, ent->domain_name,
- name_list[ent->sam_entry_index].acct_name);
+ name_list[ent->sam_entry_index].acct_name, False);
result = fill_grent(&group_list[group_list_ndx],
ent->domain_name,
groups.sam_entries)[i].acct_name;
fstring name;
- fill_domain_username(name, domain->name, group_name);
+ fill_domain_username(name, domain->name, group_name, False);
/* Append to extra data */
memcpy(&extra_data[extra_data_len], name,
strlen(name));
nt_domain = name_domain;
}
- fill_domain_username(username_out, nt_domain, nt_username);
+ fill_domain_username(username_out, nt_domain, nt_username, True);
DEBUG(5, ("Setting unix username to [%s]\n", username_out));
{
fstring name;
- fill_domain_username(name, domain, user);
+ fill_domain_username(name, domain, user, True);
safe_strcat(name, ",", sizeof(name)-1);
string_append(pp_members, name);
*p_num_members += 1;
if (!pdb_find_alias(name, sid))
return NT_STATUS_NONE_MAPPED;
- if (sid_check_is_in_builtin(sid))
- *type = SID_NAME_WKN_GRP;
- else
- *type = SID_NAME_ALIAS;
+ *type = SID_NAME_ALIAS;
return NT_STATUS_OK;
}
/* Username */
- fill_domain_username(output_username, dom_name, user_name);
+ fill_domain_username(output_username, dom_name, user_name, True);
safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1);
pw = &s->state->response.data.pw;
pw->pw_uid = s->uid;
pw->pw_gid = s->gid;
- fill_domain_username(output_username, s->domain->name, s->username);
+ fill_domain_username(output_username, s->domain->name, s->username, True);
safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1);
safe_strcpy(pw->pw_gecos, s->fullname, sizeof(pw->pw_gecos) - 1);
fstrcpy(acct_name, info[i].acct_name);
}
- fill_domain_username(name, domain->name, acct_name);
+ fill_domain_username(name, domain->name, acct_name, True);
/* Append to extra data */
memcpy(&extra_data[extra_data_len], name,
username is then unqualified in unix
*/
-void fill_domain_username(fstring name, const char *domain, const char *user)
+void fill_domain_username(fstring name, const char *domain, const char *user, BOOL can_assume)
{
fstring tmp_user;
fstrcpy(tmp_user, user);
strlower_m(tmp_user);
- if (assume_domain(domain)) {
+ if (can_assume && assume_domain(domain)) {
strlcpy(name, user, sizeof(fstring));
} else {
slprintf(name, sizeof(fstring) - 1, "%s%c%s",
return pdb->delete_group_mapping_entry(pdb, sid);
}
-BOOL pdb_enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
+BOOL pdb_enum_group_mapping(const DOM_SID *sid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
size_t *p_num_entries, BOOL unix_only)
{
struct pdb_methods *pdb = pdb_get_methods();
return False;
}
- return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid_name_use,
+ return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
pp_rmap, p_num_entries, unix_only));
}
if ( rid == DOMAIN_GROUP_RID_USERS ) {
*name = talloc_strdup(mem_ctx, "None" );
- *psid_name_use = IS_DC ? SID_NAME_DOM_GRP : SID_NAME_ALIAS;
+ *psid_name_use = SID_NAME_DOM_GRP;
return True;
}
}
static BOOL pdb_search_grouptype(struct pdb_search *search,
- enum SID_NAME_USE type)
+ const DOM_SID *sid, enum SID_NAME_USE type)
{
struct group_search *state;
return False;
}
- if (!pdb_enum_group_mapping(type, &state->groups, &state->num_groups,
+ if (!pdb_enum_group_mapping(sid, type, &state->groups, &state->num_groups,
True)) {
DEBUG(0, ("Could not enum groups\n"));
return False;
static BOOL pdb_default_search_groups(struct pdb_methods *methods,
struct pdb_search *search)
{
- return pdb_search_grouptype(search, SID_NAME_DOM_GRP);
+ return pdb_search_grouptype(search, get_global_sam_sid(), SID_NAME_DOM_GRP);
}
static BOOL pdb_default_search_aliases(struct pdb_methods *methods,
const DOM_SID *sid)
{
- if (sid_equal(sid, get_global_sam_sid()))
- return pdb_search_grouptype(search, SID_NAME_ALIAS);
-
- if (sid_equal(sid, &global_sid_Builtin))
- return pdb_search_grouptype(search, SID_NAME_WKN_GRP);
-
- DEBUG(3, ("unknown domain sid: %s\n", sid_string_static(sid)));
- return False;
+ return pdb_search_grouptype(search, sid, SID_NAME_ALIAS);
}
static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search,
*********************************************************************/
static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
- enum SID_NAME_USE sid_name_use,
+ const DOM_SID *domsid, enum SID_NAME_USE sid_name_use,
GROUP_MAP **pp_rmap,
size_t *p_num_entries,
BOOL unix_only)
done:
- if (NT_STATUS_IS_OK(r_u->status)) {
+ if (NT_STATUS_IS_OK(r_u->status) && (num_entries != 0) ) {
if (mapped_count == 0)
r_u->status = NT_STATUS_NONE_MAPPED;
else if (mapped_count != num_entries)
names, attrs);
unbecome_root();
+ if ( NT_STATUS_EQUAL(r_u->status, NT_STATUS_NONE_MAPPED) && (num_rids == 0) ) {
+ r_u->status = NT_STATUS_OK;
+ }
+
if(!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
&hdr_name, &uni_name))
return NT_STATUS_NO_MEMORY;
/* Check we actually have the requested alias */
enum SID_NAME_USE type;
BOOL result;
+ gid_t gid;
become_root();
result = lookup_sid(NULL, &sid, NULL, NULL, &type);
if (!result || (type != SID_NAME_ALIAS)) {
return NT_STATUS_NO_SUCH_ALIAS;
}
+
+ /* make sure there is a mapping */
+
+ if ( !sid_to_gid( &sid, &gid ) ) {
+ return NT_STATUS_NO_SUCH_ALIAS;
+ }
+
}
/* associate the alias SID with the new handle. */
else {
GROUP_MAP *map=NULL;
/* enumerate all group mappings */
- if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED))
+ if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED))
return -1;
for (i=0; i<entries; i++) {
GROUP_MAP *map = NULL;
size_t i, entries;
- if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries,
+ if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries,
ENUM_ALL_MAPPED)) {
d_fprintf(stderr, "Could not list group mappings\n");
return -1;
for (i=0; i<entries; i++) {
- if (map[i].sid_name_use == SID_NAME_WKN_GRP)
- continue;
-
if (map[i].gid == -1)
printf("Group %s is not mapped\n", map[i].nt_name);