#include "includes.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
rid_name builtin_alias_rids[] =
{
{ BUILTIN_ALIAS_RID_ADMINS , "Administrators" },
{ BUILTIN_ALIAS_RID_USERS , "Users" },
{ BUILTIN_ALIAS_RID_GUESTS , "Guests" },
{ BUILTIN_ALIAS_RID_POWER_USERS , "Power Users" },
{ BUILTIN_ALIAS_RID_ACCOUNT_OPS , "Account Operators" },
{ BUILTIN_ALIAS_RID_SYSTEM_OPS , "System Operators" },
{ BUILTIN_ALIAS_RID_PRINT_OPS , "Print Operators" },
{ BUILTIN_ALIAS_RID_BACKUP_OPS , "Backup Operators" },
{ BUILTIN_ALIAS_RID_REPLICATOR , "Replicator" },
{ 0 , NULL }
};
rid_name domain_user_rids[] =
{
{ DOMAIN_USER_RID_ADMIN , "Administrator" },
{ DOMAIN_USER_RID_GUEST , "Guest" },
{ 0 , NULL }
};
rid_name domain_group_rids[] =
{
{ DOMAIN_GROUP_RID_ADMINS , "Domain Admins" },
{ DOMAIN_GROUP_RID_USERS , "Domain Users" },
{ DOMAIN_GROUP_RID_GUESTS , "Domain Guests" },
{ 0 , NULL }
};
NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, uint32 **prids, DOM_SID *q_sid)
{
SAM_ACCOUNT *sam_pass=NULL;
int i, cur_rid=0;
gid_t gid;
gid_t *groups = NULL;
int num_groups;
GROUP_MAP map;
DOM_SID tmp_sid;
fstring user_name;
fstring str_domsid, str_qsid;
uint32 rid,grid;
uint32 *rids=NULL, *new_rids=NULL;
gid_t winbind_gid_low, winbind_gid_high;
BOOL ret;
BOOL winbind_groups_exist;
*prids=NULL;
*numgroups=0;
winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high);
DEBUG(10,("get_alias_user_groups: looking if SID %s is a member of groups in the SID domain %s\n",
sid_to_string(str_qsid, q_sid), sid_to_string(str_domsid, sid)));
pdb_init_sam(&sam_pass);
become_root();
ret = pdb_getsampwsid(sam_pass, q_sid);
unbecome_root();
if (ret == False) {
pdb_free_sam(&sam_pass);
return NT_STATUS_NO_SUCH_USER;
}
fstrcpy(user_name, pdb_get_username(sam_pass));
grid=pdb_get_group_rid(sam_pass);
if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sam_pass), &gid))) {
DEBUG(2,("get_alias_user_groups: sid_to_gid failed!\n"));
pdb_free_sam(&sam_pass);
return NT_STATUS_UNSUCCESSFUL;
}
become_root();
num_groups = getgroups_user(user_name, &groups);
unbecome_root();
if (num_groups == -1) {
DEBUG(2,("get_alias_user_groups: getgroups_user failed\n"));
pdb_free_sam(&sam_pass);
return NT_STATUS_UNSUCCESSFUL;
}
for (i=0;i<num_groups;i++) {
if (!get_group_from_gid(groups[i], &map)) {
DEBUG(10,("get_alias_user_groups: gid %d. not found\n", (int)groups[i]));
continue;
}
if (map.sid_name_use != SID_NAME_ALIAS) {
DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
continue;
}
sid_copy(&tmp_sid, &map.sid);
sid_split_rid(&tmp_sid, &rid);
if (!sid_equal(&tmp_sid, sid)) {
DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name));
continue;
}
if (winbind_groups_exist && (groups[i] >= winbind_gid_low) && (groups[i] <= winbind_gid_high)) {
DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name));
continue;
}
if (Get_Pwnam(map.nt_name) != 0) {
DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name));
continue;
}
new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1));
if (new_rids==NULL) {
DEBUG(10,("get_alias_user_groups: could not realloc memory\n"));
pdb_free_sam(&sam_pass);
free(groups);
return NT_STATUS_NO_MEMORY;
}
rids=new_rids;
sid_peek_rid(&map.sid, &(rids[cur_rid]));
cur_rid++;
break;
}
if(num_groups)
free(groups);
for (i=0; i<cur_rid && grid!=rids[i]; i++)
;
if (i!=cur_rid) {
DEBUG(10,("get_alias_user_groups: user is already in the list. good.\n"));
goto done;
}
DEBUG(10,("get_alias_user_groups: looking for gid %d of user %s\n", (int)gid, user_name));
if(!get_group_from_gid(gid, &map)) {
DEBUG(0,("get_alias_user_groups: gid of user %s doesn't exist. Check your "
"/etc/passwd and /etc/group files\n", user_name));
goto done;
}
if (map.sid_name_use!=SID_NAME_ALIAS) {
DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
goto done;
}
sid_copy(&tmp_sid, &map.sid);
sid_split_rid(&tmp_sid, &rid);
if (!sid_equal(&tmp_sid, sid)) {
DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name));
goto done;
}
if (winbind_groups_exist && (gid >= winbind_gid_low) && (gid <= winbind_gid_high)) {
DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name ));
goto done;
}
if (Get_Pwnam(map.nt_name) != 0) {
DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name ));
goto done;
}
new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1));
if (new_rids==NULL) {
DEBUG(10,("get_alias_user_groups: could not realloc memory\n"));
pdb_free_sam(&sam_pass);
return NT_STATUS_NO_MEMORY;
}
rids=new_rids;
sid_peek_rid(&map.sid, &(rids[cur_rid]));
cur_rid++;
done:
*prids=rids;
*numgroups=cur_rid;
pdb_free_sam(&sam_pass);
return NT_STATUS_OK;
}
BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SAM_ACCOUNT *sam_pass)
{
GROUP_MAP *map=NULL;
int i, num, num_entries, cur_gid=0;
struct group *grp;
DOM_GID *gids;
fstring user_name;
uint32 grid;
uint32 tmp_rid;
BOOL ret;
*numgroups= 0;
fstrcpy(user_name, pdb_get_username(sam_pass));
grid=pdb_get_group_rid(sam_pass);
DEBUG(10,("get_domain_user_groups: searching domain groups [%s] is a member of\n", user_name));
become_root();
ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED);
unbecome_root();
if ( !ret )
return False;
DEBUG(10,("get_domain_user_groups: there are %d mapped groups\n", num_entries));
gids = (DOM_GID *)talloc(ctx, sizeof(DOM_GID) * num_entries);
for(i=0; i<num_entries; i++) {
if ( !sid_check_is_in_our_domain(&map[i].sid) ) {
DEBUG(10,("get_domain_user_groups: skipping check of %s since it is not in our domain\n",
map[i].nt_name));
continue;
}
if ((grp=getgrgid(map[i].gid)) == NULL) {
DEBUG(5,("get_domain_user_groups: gid %d doesn't exist anymore !\n", (int)map[i].gid));
continue;
}
for(num=0; grp->gr_mem[num]!=NULL; num++) {
if(strcmp(grp->gr_mem[num], user_name)==0) {
sid_peek_rid(&map[i].sid, &(gids[cur_gid].g_rid));
gids[cur_gid].attr=7;
DEBUG(10,("get_domain_user_groups: user found in group %s\n", map[i].nt_name));
cur_gid++;
break;
}
}
}
for (i=0; i<cur_gid && grid!=gids[i].g_rid; i++)
;
if (i!=cur_gid) {
gids[i].g_rid=gids[0].g_rid;
gids[0].g_rid=grid;
goto done;
}
for(i=0; i<num_entries; i++) {
sid_peek_rid(&map[i].sid, &tmp_rid);
if (tmp_rid==grid) {
gids[cur_gid].g_rid=gids[0].g_rid;
gids[0].g_rid=tmp_rid;
gids[cur_gid].attr=7;
DEBUG(10,("get_domain_user_groups: primary gid of user found in group %s\n", map[i].nt_name));
cur_gid++;
goto done;
}
}
DEBUG(0,("get_domain_user_groups: primary gid of user [%s] is not a Domain group !\n", user_name));
DEBUGADD(0,("get_domain_user_groups: You should fix it, NT doesn't like that\n"));
done:
*pgids=gids;
*numgroups=cur_gid;
SAFE_FREE(map);
return True;
}
NTSTATUS nt_token_to_group_list(TALLOC_CTX *mem_ctx, const DOM_SID *domain_sid,
const NT_USER_TOKEN *nt_token,
int *numgroups, DOM_GID **pgids)
{
DOM_GID *gids;
int i;
gids = (DOM_GID *)talloc(mem_ctx, sizeof(*gids) * nt_token->num_sids);
if (!gids) {
return NT_STATUS_NO_MEMORY;
}
*numgroups=0;
for (i=PRIMARY_GROUP_SID_INDEX; i < nt_token->num_sids; i++) {
if (sid_compare_domain(domain_sid, &nt_token->user_sids[i])==0) {
sid_peek_rid(&nt_token->user_sids[i], &(gids[*numgroups].g_rid));
gids[*numgroups].attr=7;
(*numgroups)++;
}
}
*pgids = gids;
return NT_STATUS_OK;
}
NTSTATUS local_lookup_group_name(uint32 rid, char *group_name, uint32 *type)
{
int i = 0;
(*type) = SID_NAME_DOM_GRP;
DEBUG(5,("lookup_group_name: rid: %d", rid));
while (domain_group_rids[i].rid != rid && domain_group_rids[i].rid != 0)
{
i++;
}
if (domain_group_rids[i].rid != 0)
{
fstrcpy(group_name, domain_group_rids[i].name);
DEBUG(5,(" = %s\n", group_name));
return NT_STATUS_OK;
}
DEBUG(5,(" none mapped\n"));
return NT_STATUS_NONE_MAPPED;
}
NTSTATUS local_lookup_alias_name(uint32 rid, char *alias_name, uint32 *type)
{
int i = 0;
(*type) = SID_NAME_WKN_GRP;
DEBUG(5,("lookup_alias_name: rid: %d", rid));
while (builtin_alias_rids[i].rid != rid && builtin_alias_rids[i].rid != 0)
{
i++;
}
if (builtin_alias_rids[i].rid != 0)
{
fstrcpy(alias_name, builtin_alias_rids[i].name);
DEBUG(5,(" = %s\n", alias_name));
return NT_STATUS_OK;
}
DEBUG(5,(" none mapped\n"));
return NT_STATUS_NONE_MAPPED;
}
#if 0
NTSTATUS local_lookup_user_name(uint32 rid, char *user_name, uint32 *type)
{
SAM_ACCOUNT *sampwd=NULL;
int i = 0;
BOOL ret;
(*type) = SID_NAME_USER;
DEBUG(5,("lookup_user_name: rid: %d", rid));
while (domain_user_rids[i].rid != rid && domain_user_rids[i].rid != 0)
{
i++;
}
if (domain_user_rids[i].rid != 0) {
fstrcpy(user_name, domain_user_rids[i].name);
DEBUG(5,(" = %s\n", user_name));
return NT_STATUS_OK;
}
pdb_init_sam(&sampwd);
become_root();
ret = pdb_getsampwrid(sampwd, rid);
unbecome_root();
if (ret == True) {
fstrcpy(user_name, pdb_get_username(sampwd) );
DEBUG(5,(" = %s\n", user_name));
pdb_free_sam(&sampwd);
return NT_STATUS_OK;
}
DEBUG(5,(" none mapped\n"));
pdb_free_sam(&sampwd);
return NT_STATUS_NONE_MAPPED;
}
#endif
NTSTATUS local_lookup_group_rid(char *group_name, uint32 *rid)
{
const char *grp_name;
int i = -1;
do
{
i++;
(*rid) = domain_group_rids[i].rid;
grp_name = domain_group_rids[i].name;
} while (grp_name != NULL && !strequal(grp_name, group_name));
return (grp_name != NULL) ? NT_STATUS_OK : NT_STATUS_NONE_MAPPED;
}
NTSTATUS local_lookup_alias_rid(const char *alias_name, uint32 *rid)
{
const char *als_name;
int i = -1;
do
{
i++;
(*rid) = builtin_alias_rids[i].rid;
als_name = builtin_alias_rids[i].name;
} while (als_name != NULL && !strequal(als_name, alias_name));
return (als_name != NULL) ? NT_STATUS_OK : NT_STATUS_NONE_MAPPED;
}
NTSTATUS local_lookup_user_rid(char *user_name, uint32 *rid)
{
SAM_ACCOUNT *sampass=NULL;
BOOL ret;
(*rid) = 0;
pdb_init_sam(&sampass);
become_root();
ret = pdb_getsampwnam(sampass, user_name);
unbecome_root();
if (ret == True) {
(*rid) = pdb_get_user_rid(sampass);
pdb_free_sam(&sampass);
return NT_STATUS_OK;
}
pdb_free_sam(&sampass);
return NT_STATUS_NONE_MAPPED;
}