2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2000,
5 * Copyright (C) Jean François Micouleau 1998-2001.
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 static TDB_CONTEXT *tdb; /* used for driver files */
26 #define DATABASE_VERSION_V1 1 /* native byte format. */
27 #define DATABASE_VERSION_V2 2 /* le format. */
29 #define GROUP_PREFIX "UNIXGROUP/"
32 {SE_PRIV_NONE, "no_privs", "No privilege" }, /* this one MUST be first */
33 {SE_PRIV_ADD_MACHINES, "SeMachineAccountPrivilege", "Add workstations to the domain" },
34 {SE_PRIV_SEC_PRIV, "SeSecurityPrivilege", "Manage the audit logs" },
35 {SE_PRIV_TAKE_OWNER, "SeTakeOwnershipPrivilege", "Take ownership of file" },
36 {SE_PRIV_ADD_USERS, "SaAddUsers", "Add users to the domain - Samba" },
37 {SE_PRIV_PRINT_OPERATOR, "SaPrintOp", "Add or remove printers - Samba" },
38 {SE_PRIV_ALL, "SaAllPrivs", "all privileges" }
42 { 2, "SeCreateTokenPrivilege" },
43 { 3, "SeAssignPrimaryTokenPrivilege" },
44 { 4, "SeLockMemoryPrivilege" },
45 { 5, "SeIncreaseQuotaPrivilege" },
46 { 6, "SeMachineAccountPrivilege" },
47 { 7, "SeTcbPrivilege" },
48 { 8, "SeSecurityPrivilege" },
49 { 9, "SeTakeOwnershipPrivilege" },
50 { 10, "SeLoadDriverPrivilege" },
51 { 11, "SeSystemProfilePrivilege" },
52 { 12, "SeSystemtimePrivilege" },
53 { 13, "SeProfileSingleProcessPrivilege" },
54 { 14, "SeIncreaseBasePriorityPrivilege" },
55 { 15, "SeCreatePagefilePrivilege" },
56 { 16, "SeCreatePermanentPrivilege" },
57 { 17, "SeBackupPrivilege" },
58 { 18, "SeRestorePrivilege" },
59 { 19, "SeShutdownPrivilege" },
60 { 20, "SeDebugPrivilege" },
61 { 21, "SeAuditPrivilege" },
62 { 22, "SeSystemEnvironmentPrivilege" },
63 { 23, "SeChangeNotifyPrivilege" },
64 { 24, "SeRemoteShutdownPrivilege" },
65 { 25, "SeUndockPrivilege" },
66 { 26, "SeSyncAgentPrivilege" },
67 { 27, "SeEnableDelegationPrivilege" },
72 * Those are not really privileges like the other ones.
73 * They are handled in a special case and called
77 * SeUnsolicitedInputPrivilege
80 * SeInteractiveLogonRight
81 * SeDenyInteractiveLogonRight
82 * SeDenyNetworkLogonRight
83 * SeDenyBatchLogonRight
84 * SeDenyBatchLogonRight
88 /****************************************************************************
89 check if the user has the required privilege.
90 ****************************************************************************/
91 static BOOL se_priv_access_check(NT_USER_TOKEN *token, uint32 privilege)
93 /* no token, no privilege */
97 if ((token->privilege & privilege)==privilege)
104 /****************************************************************************
105 dump the mapping group mapping to a text file
106 ****************************************************************************/
107 char *decode_sid_name_use(fstring group, enum SID_NAME_USE name_use)
109 static fstring group_type;
113 fstrcpy(group_type,"User");
115 case SID_NAME_DOM_GRP:
116 fstrcpy(group_type,"Domain group");
118 case SID_NAME_DOMAIN:
119 fstrcpy(group_type,"Domain");
122 fstrcpy(group_type,"Local group");
124 case SID_NAME_WKN_GRP:
125 fstrcpy(group_type,"Builtin group");
127 case SID_NAME_DELETED:
128 fstrcpy(group_type,"Deleted");
130 case SID_NAME_INVALID:
131 fstrcpy(group_type,"Invalid");
133 case SID_NAME_UNKNOWN:
135 fstrcpy(group_type,"Unknown type");
139 fstrcpy(group, group_type);
143 /****************************************************************************
144 initialise first time the mapping list - called from init_group_mapping()
145 ****************************************************************************/
146 static BOOL default_group_mapping(void)
156 PRIVILEGE_SET privilege_none;
157 PRIVILEGE_SET privilege_all;
158 PRIVILEGE_SET privilege_print_op;
160 init_privilege(&privilege_none);
161 init_privilege(&privilege_all);
162 init_privilege(&privilege_print_op);
166 set.luid.low=SE_PRIV_PRINT_OPERATOR;
167 add_privilege(&privilege_print_op, set);
169 add_all_privilege(&privilege_all);
171 /* Add the Wellknown groups */
173 add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
174 add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
175 add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK);
176 add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
178 add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
179 add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
180 add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", privilege_print_op, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
181 add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
183 add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", privilege_none, PR_ACCESS_FROM_NETWORK);
185 /* Add the defaults domain groups */
187 sid_copy(&sid_admins, get_global_sam_sid());
188 sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS);
189 sid_to_string(str_admins, &sid_admins);
190 add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
192 sid_copy(&sid_users, get_global_sam_sid());
193 sid_append_rid(&sid_users, DOMAIN_GROUP_RID_USERS);
194 sid_to_string(str_users, &sid_users);
195 add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
197 sid_copy(&sid_guests, get_global_sam_sid());
198 sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS);
199 sid_to_string(str_guests, &sid_guests);
200 add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK);
202 free_privilege(&privilege_none);
203 free_privilege(&privilege_all);
204 free_privilege(&privilege_print_op);
209 /****************************************************************************
210 Open the group mapping tdb.
211 ****************************************************************************/
213 static BOOL init_group_mapping(void)
215 static pid_t local_pid;
216 const char *vstring = "INFO/version";
219 if (tdb && local_pid == sys_getpid())
221 tdb = tdb_open_log(lock_path("group_mapping.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
223 DEBUG(0,("Failed to open group mapping database\n"));
227 local_pid = sys_getpid();
229 /* handle a Samba upgrade */
230 tdb_lock_bystring(tdb, vstring, 0);
232 /* Cope with byte-reversed older versions of the db. */
233 vers_id = tdb_fetch_int32(tdb, vstring);
234 if ((vers_id == DATABASE_VERSION_V1) || (IREV(vers_id) == DATABASE_VERSION_V1)) {
235 /* Written on a bigendian machine with old fetch_int code. Save as le. */
236 tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
237 vers_id = DATABASE_VERSION_V2;
240 if (vers_id != DATABASE_VERSION_V2) {
241 tdb_traverse(tdb, tdb_traverse_delete_fn, NULL);
242 tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
245 tdb_unlock_bystring(tdb, vstring);
247 /* write a list of default groups */
248 if(!default_group_mapping())
254 /****************************************************************************
255 ****************************************************************************/
256 static BOOL add_mapping_entry(GROUP_MAP *map, int flag)
260 fstring string_sid="";
265 if(!init_group_mapping()) {
266 DEBUG(0,("failed to initialize group mapping"));
270 sid_to_string(string_sid, &map->sid);
272 len = tdb_pack(buf, sizeof(buf), "ddffd",
273 map->gid, map->sid_name_use, map->nt_name, map->comment, map->systemaccount);
275 /* write the privilege list in the TDB database */
278 len += tdb_pack(buf+len, sizeof(buf)-len, "d", set->count);
279 for (i=0; i<set->count; i++)
280 len += tdb_pack(buf+len, sizeof(buf)-len, "ddd",
281 set->set[i].luid.low, set->set[i].luid.high, set->set[i].attr);
283 if (len > sizeof(buf))
286 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
288 kbuf.dsize = strlen(key)+1;
292 if (tdb_store(tdb, kbuf, dbuf, flag) != 0) return False;
297 /****************************************************************************
298 initialise first time the mapping list
299 ****************************************************************************/
300 BOOL add_initial_entry(gid_t gid, const char *sid, enum SID_NAME_USE sid_name_use,
301 const char *nt_name, const char *comment, PRIVILEGE_SET priv_set, uint32 systemaccount)
305 if(!init_group_mapping()) {
306 DEBUG(0,("failed to initialize group mapping"));
311 if (!string_to_sid(&map.sid, sid)) {
312 DEBUG(0, ("string_to_sid failed: %s", sid));
316 map.sid_name_use=sid_name_use;
317 fstrcpy(map.nt_name, nt_name);
318 fstrcpy(map.comment, comment);
319 map.systemaccount=systemaccount;
321 map.priv_set.count=priv_set.count;
322 map.priv_set.set=priv_set.set;
324 pdb_add_group_mapping_entry(&map);
329 /****************************************************************************
330 initialise a privilege list
331 ****************************************************************************/
332 void init_privilege(PRIVILEGE_SET *priv_set)
339 /****************************************************************************
340 free a privilege list
341 ****************************************************************************/
342 BOOL free_privilege(PRIVILEGE_SET *priv_set)
344 if (priv_set->count==0) {
345 DEBUG(100,("free_privilege: count=0, nothing to clear ?\n"));
349 if (priv_set->set==NULL) {
350 DEBUG(0,("free_privilege: list ptr is NULL, very strange !\n"));
354 safe_free(priv_set->set);
362 /****************************************************************************
363 add a privilege to a privilege array
364 ****************************************************************************/
365 BOOL add_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set)
369 /* check if the privilege is not already in the list */
370 if (check_priv_in_privilege(priv_set, set))
373 /* we can allocate memory to add the new privilege */
375 new_set=(LUID_ATTR *)Realloc(priv_set->set, (priv_set->count+1)*(sizeof(LUID_ATTR)));
377 DEBUG(0,("add_privilege: could not Realloc memory to add a new privilege\n"));
381 new_set[priv_set->count].luid.high=set.luid.high;
382 new_set[priv_set->count].luid.low=set.luid.low;
383 new_set[priv_set->count].attr=set.attr;
386 priv_set->set=new_set;
391 /****************************************************************************
392 add all the privileges to a privilege array
393 ****************************************************************************/
394 BOOL add_all_privilege(PRIVILEGE_SET *priv_set)
401 set.luid.low=SE_PRIV_ADD_USERS;
402 add_privilege(priv_set, set);
404 set.luid.low=SE_PRIV_ADD_MACHINES;
405 add_privilege(priv_set, set);
407 set.luid.low=SE_PRIV_PRINT_OPERATOR;
408 add_privilege(priv_set, set);
413 /****************************************************************************
414 check if the privilege list is empty
415 ****************************************************************************/
416 BOOL check_empty_privilege(PRIVILEGE_SET *priv_set)
418 return (priv_set->count == 0);
421 /****************************************************************************
422 check if the privilege is in the privilege list
423 ****************************************************************************/
424 BOOL check_priv_in_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set)
428 /* if the list is empty, obviously we can't have it */
429 if (check_empty_privilege(priv_set))
432 for (i=0; i<priv_set->count; i++) {
435 cur_set=&priv_set->set[i];
436 /* check only the low and high part. Checking the attr field has no meaning */
437 if( (cur_set->luid.low==set.luid.low) && (cur_set->luid.high==set.luid.high) )
444 /****************************************************************************
445 remove a privilege from a privilege array
446 ****************************************************************************/
447 BOOL remove_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set)
453 /* check if the privilege is in the list */
454 if (!check_priv_in_privilege(priv_set, set))
457 /* special case if it's the only privilege in the list */
458 if (priv_set->count==1) {
459 free_privilege(priv_set);
460 init_privilege(priv_set);
466 * the privilege is there, create a new list,
467 * and copy the other privileges
470 old_set=priv_set->set;
472 new_set=(LUID_ATTR *)malloc((priv_set->count-1)*(sizeof(LUID_ATTR)));
474 DEBUG(0,("remove_privilege: could not malloc memory for new privilege list\n"));
478 for (i=0, j=0; i<priv_set->count; i++) {
479 if ((old_set[i].luid.low==set.luid.low) &&
480 (old_set[i].luid.high==set.luid.high)) {
484 new_set[j].luid.low=old_set[i].luid.low;
485 new_set[j].luid.high=old_set[i].luid.high;
486 new_set[j].attr=old_set[i].attr;
491 if (j!=priv_set->count-1) {
492 DEBUG(0,("remove_privilege: mismatch ! difference is not -1\n"));
493 DEBUGADD(0,("old count:%d, new count:%d\n", priv_set->count, j));
498 /* ok everything is fine */
501 priv_set->set=new_set;
508 /****************************************************************************
509 Return the sid and the type of the unix group.
510 ****************************************************************************/
512 static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv)
521 if(!init_group_mapping()) {
522 DEBUG(0,("failed to initialize group mapping"));
526 /* the key is the SID, retrieving is direct */
528 sid_to_string(string_sid, &sid);
529 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
532 kbuf.dsize = strlen(key)+1;
534 dbuf = tdb_fetch(tdb, kbuf);
538 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
539 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount);
543 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count);
545 DEBUG(10,("get_group_map_from_sid: %d privileges\n", map->priv_set.count));
549 set->set=(LUID_ATTR *)smb_xmalloc(set->count*sizeof(LUID_ATTR));
552 for (i=0; i<set->count; i++)
553 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd",
554 &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr));
556 SAFE_FREE(dbuf.dptr);
557 if (ret != dbuf.dsize) {
558 DEBUG(0,("get_group_map_from_sid: group mapping TDB corrupted ?\n"));
563 /* we don't want the privileges */
564 if (with_priv==MAPPING_WITHOUT_PRIV)
567 sid_copy(&map->sid, &sid);
572 /****************************************************************************
573 Return the sid and the type of the unix group.
574 ****************************************************************************/
576 static BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv)
578 TDB_DATA kbuf, dbuf, newkey;
584 if(!init_group_mapping()) {
585 DEBUG(0,("failed to initialize group mapping"));
589 /* we need to enumerate the TDB to find the GID */
591 for (kbuf = tdb_firstkey(tdb);
593 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
595 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue;
597 dbuf = tdb_fetch(tdb, kbuf);
601 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
603 string_to_sid(&map->sid, string_sid);
605 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
606 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount);
609 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count);
612 set->set=(LUID_ATTR *)smb_xmalloc(set->count*sizeof(LUID_ATTR));
615 for (i=0; i<set->count; i++)
616 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd",
617 &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr));
619 SAFE_FREE(dbuf.dptr);
620 if (ret != dbuf.dsize){
627 free_privilege(&map->priv_set);
628 SAFE_FREE(kbuf.dptr);
638 /****************************************************************************
639 Return the sid and the type of the unix group.
640 ****************************************************************************/
642 static BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map, BOOL with_priv)
644 TDB_DATA kbuf, dbuf, newkey;
650 if(!init_group_mapping()) {
651 DEBUG(0,("get_group_map_from_ntname:failed to initialize group mapping"));
655 /* we need to enumerate the TDB to find the name */
657 for (kbuf = tdb_firstkey(tdb);
659 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
661 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue;
663 dbuf = tdb_fetch(tdb, kbuf);
667 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
669 string_to_sid(&map->sid, string_sid);
671 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
672 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount);
675 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count);
677 set->set=(LUID_ATTR *)malloc(set->count*sizeof(LUID_ATTR));
678 if (set->set==NULL) {
679 DEBUG(0,("get_group_map_from_ntname: could not allocate memory for privileges\n"));
683 for (i=0; i<set->count; i++)
684 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd",
685 &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr));
687 SAFE_FREE(dbuf.dptr);
688 if (ret != dbuf.dsize) {
693 if (StrCaseCmp(name, map->nt_name)==0) {
695 free_privilege(&map->priv_set);
696 SAFE_FREE(kbuf.dptr);
706 /****************************************************************************
707 Remove a group mapping entry.
708 ****************************************************************************/
710 static BOOL group_map_remove(DOM_SID sid)
716 if(!init_group_mapping()) {
717 DEBUG(0,("failed to initialize group mapping"));
721 /* the key is the SID, retrieving is direct */
723 sid_to_string(string_sid, &sid);
724 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
727 kbuf.dsize = strlen(key)+1;
729 dbuf = tdb_fetch(tdb, kbuf);
733 SAFE_FREE(dbuf.dptr);
735 if(tdb_delete(tdb, kbuf) != TDB_SUCCESS)
741 /****************************************************************************
742 Enumerate the group mapping.
743 ****************************************************************************/
745 static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
746 int *num_entries, BOOL unix_only, BOOL with_priv)
748 TDB_DATA kbuf, dbuf, newkey;
758 if(!init_group_mapping()) {
759 DEBUG(0,("failed to initialize group mapping"));
766 for (kbuf = tdb_firstkey(tdb);
768 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
770 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0)
773 dbuf = tdb_fetch(tdb, kbuf);
777 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
779 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
780 &map.gid, &map.sid_name_use, &map.nt_name, &map.comment, &map.systemaccount);
785 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count);
788 set->set=(LUID_ATTR *)malloc(set->count*sizeof(LUID_ATTR));
789 if (set->set==NULL) {
790 DEBUG(0,("enum_group_mapping: could not allocate memory for privileges\n"));
795 for (i=0; i<set->count; i++)
796 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd",
797 &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr));
799 SAFE_FREE(dbuf.dptr);
800 if (ret != dbuf.dsize) {
801 DEBUG(11,("enum_group_mapping: error in memory size\n"));
806 /* list only the type or everything if UNKNOWN */
807 if (sid_name_use!=SID_NAME_UNKNOWN && sid_name_use!=map.sid_name_use) {
808 DEBUG(11,("enum_group_mapping: group %s is not of the requested type\n", map.nt_name));
813 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
814 DEBUG(11,("enum_group_mapping: group %s is non mapped\n", map.nt_name));
819 string_to_sid(&map.sid, string_sid);
821 decode_sid_name_use(group_type, map.sid_name_use);
822 DEBUG(11,("enum_group_mapping: returning group %s of type %s\n", map.nt_name ,group_type));
824 mapt=(GROUP_MAP *)Realloc((*rmap), (entries+1)*sizeof(GROUP_MAP));
826 DEBUG(0,("enum_group_mapping: Unable to enlarge group map!\n"));
834 mapt[entries].gid = map.gid;
835 sid_copy( &mapt[entries].sid, &map.sid);
836 mapt[entries].sid_name_use = map.sid_name_use;
837 fstrcpy(mapt[entries].nt_name, map.nt_name);
838 fstrcpy(mapt[entries].comment, map.comment);
839 mapt[entries].systemaccount=map.systemaccount;
840 mapt[entries].priv_set.count=set->count;
841 mapt[entries].priv_set.control=set->control;
842 mapt[entries].priv_set.set=set->set;
844 free_privilege(&(mapt[entries].priv_set));
850 *num_entries=entries;
856 /****************************************************************************
857 convert a privilege string to a privilege array
858 ****************************************************************************/
859 void convert_priv_from_text(PRIVILEGE_SET *se_priv, char *privilege)
862 const char *p = privilege;
866 /* By default no privilege */
867 init_privilege(se_priv);
872 while(next_token(&p, tok, " ", sizeof(tok)) ) {
873 for (i=0; i<=PRIV_ALL_INDEX; i++) {
874 if (StrCaseCmp(privs[i].priv, tok)==0) {
877 set.luid.low=privs[i].se_priv;
878 add_privilege(se_priv, set);
884 /****************************************************************************
885 convert a privilege array to a privilege string
886 ****************************************************************************/
887 void convert_priv_to_text(PRIVILEGE_SET *se_priv, char *privilege)
894 ZERO_STRUCTP(privilege);
896 if (check_empty_privilege(se_priv)) {
897 fstrcat(privilege, "No privilege");
901 for(i=0; i<se_priv->count; i++) {
903 while (privs[j].se_priv!=se_priv->set[i].luid.low && j<=PRIV_ALL_INDEX) {
907 fstrcat(privilege, privs[j].priv);
908 fstrcat(privilege, " ");
915 * High level functions
916 * better to use them than the lower ones.
918 * we are checking if the group is in the mapping file
919 * and if the group is an existing unix group
923 /* get a domain group from it's SID */
925 BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv)
929 if(!init_group_mapping()) {
930 DEBUG(0,("failed to initialize group mapping"));
934 DEBUG(10, ("get_domain_group_from_sid\n"));
936 /* if the group is NOT in the database, it CAN NOT be a domain group */
937 if(!pdb_getgrsid(map, sid, with_priv))
940 DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n"));
942 /* if it's not a domain group, continue */
943 if (map->sid_name_use!=SID_NAME_DOM_GRP) {
945 free_privilege(&map->priv_set);
949 DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n"));
953 free_privilege(&map->priv_set);
957 DEBUG(10, ("get_domain_group_from_sid: SID is mapped to gid:%d\n",map->gid));
959 if ( (grp=getgrgid(map->gid)) == NULL) {
960 DEBUG(10, ("get_domain_group_from_sid: gid DOESN'T exist in UNIX security\n"));
962 free_privilege(&map->priv_set);
966 DEBUG(10, ("get_domain_group_from_sid: gid exists in UNIX security\n"));
972 /* get a local (alias) group from it's SID */
974 BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv)
978 if(!init_group_mapping()) {
979 DEBUG(0,("failed to initialize group mapping"));
983 /* The group is in the mapping table */
984 if(pdb_getgrsid(map, sid, with_priv)) {
985 if (map->sid_name_use!=SID_NAME_ALIAS) {
987 free_privilege(&map->priv_set);
993 free_privilege(&map->priv_set);
997 if ( (grp=getgrgid(map->gid)) == NULL) {
999 free_privilege(&map->priv_set);
1003 /* the group isn't in the mapping table.
1004 * make one based on the unix information */
1007 sid_peek_rid(&sid, &alias_rid);
1008 map->gid=pdb_group_rid_to_gid(alias_rid);
1010 if ((grp=getgrgid(map->gid)) == NULL)
1013 map->sid_name_use=SID_NAME_ALIAS;
1014 map->systemaccount=PR_ACCESS_FROM_NETWORK;
1016 fstrcpy(map->nt_name, grp->gr_name);
1017 fstrcpy(map->comment, "Local Unix Group");
1019 init_privilege(&map->priv_set);
1021 sid_copy(&map->sid, &sid);
1027 /* get a builtin group from it's SID */
1029 BOOL get_builtin_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv)
1033 if(!init_group_mapping()) {
1034 DEBUG(0,("failed to initialize group mapping"));
1038 if(!pdb_getgrsid(map, sid, with_priv))
1041 if (map->sid_name_use!=SID_NAME_WKN_GRP) {
1043 free_privilege(&map->priv_set);
1049 free_privilege(&map->priv_set);
1053 if ( (grp=getgrgid(map->gid)) == NULL) {
1055 free_privilege(&map->priv_set);
1064 /****************************************************************************
1065 Returns a GROUP_MAP struct based on the gid.
1066 ****************************************************************************/
1067 BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv)
1071 if(!init_group_mapping()) {
1072 DEBUG(0,("failed to initialize group mapping"));
1076 if ( (grp=getgrgid(gid)) == NULL)
1080 * make a group map from scratch if doesn't exist.
1082 if (!pdb_getgrgid(map, gid, with_priv)) {
1084 map->sid_name_use=SID_NAME_ALIAS;
1085 map->systemaccount=PR_ACCESS_FROM_NETWORK;
1086 init_privilege(&map->priv_set);
1088 /* interim solution until we have a last RID allocated */
1090 sid_copy(&map->sid, get_global_sam_sid());
1091 sid_append_rid(&map->sid, pdb_gid_to_group_rid(gid));
1093 fstrcpy(map->nt_name, grp->gr_name);
1094 fstrcpy(map->comment, "Local Unix Group");
1103 /****************************************************************************
1104 Get the member users of a group and
1105 all the users who have that group as primary.
1107 give back an array of uid
1108 return the grand number of users
1111 TODO: sort the list and remove duplicate. JFM.
1113 ****************************************************************************/
1115 BOOL get_uid_list_of_group(gid_t gid, uid_t **uid, int *num_uids)
1123 if(!init_group_mapping()) {
1124 DEBUG(0,("failed to initialize group mapping"));
1131 if ( (grp=getgrgid(gid)) == NULL)
1134 gr = grp->gr_mem[0];
1135 DEBUG(10, ("getting members\n"));
1137 while (gr && (*gr != (char)'\0')) {
1138 u = Realloc((*uid), sizeof(uid_t)*(*num_uids+1));
1140 DEBUG(0,("get_uid_list_of_group: unable to enlarge uid list!\n"));
1145 if( (pwd=getpwnam_alloc(gr)) !=NULL) {
1146 (*uid)[*num_uids]=pwd->pw_uid;
1150 gr = grp->gr_mem[++i];
1152 DEBUG(10, ("got [%d] members\n", *num_uids));
1155 while ((pwd=getpwent()) != NULL) {
1156 if (pwd->pw_gid==gid) {
1157 u = Realloc((*uid), sizeof(uid_t)*(*num_uids+1));
1159 DEBUG(0,("get_uid_list_of_group: unable to enlarge uid list!\n"));
1163 (*uid)[*num_uids]=pwd->pw_uid;
1169 DEBUG(10, ("got primary groups, members: [%d]\n", *num_uids));
1174 /****************************************************************************
1175 Create a UNIX group on demand.
1176 ****************************************************************************/
1178 int smb_create_group(char *unix_group, gid_t *new_gid)
1184 pstrcpy(add_script, lp_addgroup_script());
1185 if (! *add_script) return -1;
1186 pstring_sub(add_script, "%g", unix_group);
1187 ret = smbrun(add_script, (new_gid!=NULL) ? &fd : NULL);
1188 DEBUG(3,("smb_create_group: Running the command `%s' gave %d\n",add_script,ret));
1196 if (read(fd, output, sizeof(output)) > 0) {
1197 *new_gid = (gid_t)strtoul(output, NULL, 10);
1201 if (*new_gid == 0) {
1202 /* The output was garbage. We assume nobody
1203 will create group 0 via smbd. Now we try to
1204 get the group via getgrnam. */
1206 struct group *grp = getgrnam(unix_group);
1208 *new_gid = grp->gr_gid;
1217 /****************************************************************************
1218 Delete a UNIX group on demand.
1219 ****************************************************************************/
1221 int smb_delete_group(char *unix_group)
1226 pstrcpy(del_script, lp_delgroup_script());
1227 if (! *del_script) return -1;
1228 pstring_sub(del_script, "%g", unix_group);
1229 ret = smbrun(del_script,NULL);
1230 DEBUG(3,("smb_delete_group: Running the command `%s' gave %d\n",del_script,ret));
1234 /****************************************************************************
1235 Set a user's primary UNIX group.
1236 ****************************************************************************/
1237 int smb_set_primary_group(const char *unix_group, const char* unix_user)
1242 pstrcpy(add_script, lp_setprimarygroup_script());
1243 if (! *add_script) return -1;
1244 all_string_sub(add_script, "%g", unix_group, sizeof(add_script));
1245 all_string_sub(add_script, "%u", unix_user, sizeof(add_script));
1246 ret = smbrun(add_script,NULL);
1247 DEBUG(3,("smb_set_primary_group: "
1248 "Running the command `%s' gave %d\n",add_script,ret));
1252 /****************************************************************************
1253 Add a user to a UNIX group.
1254 ****************************************************************************/
1256 int smb_add_user_group(char *unix_group, char *unix_user)
1261 pstrcpy(add_script, lp_addusertogroup_script());
1262 if (! *add_script) return -1;
1263 pstring_sub(add_script, "%g", unix_group);
1264 pstring_sub(add_script, "%u", unix_user);
1265 ret = smbrun(add_script,NULL);
1266 DEBUG(3,("smb_add_user_group: Running the command `%s' gave %d\n",add_script,ret));
1270 /****************************************************************************
1271 Delete a user from a UNIX group
1272 ****************************************************************************/
1274 int smb_delete_user_group(const char *unix_group, const char *unix_user)
1279 pstrcpy(del_script, lp_deluserfromgroup_script());
1280 if (! *del_script) return -1;
1281 pstring_sub(del_script, "%g", unix_group);
1282 pstring_sub(del_script, "%u", unix_user);
1283 ret = smbrun(del_script,NULL);
1284 DEBUG(3,("smb_delete_user_group: Running the command `%s' gave %d\n",del_script,ret));
1289 NTSTATUS pdb_default_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
1290 DOM_SID sid, BOOL with_priv)
1292 return get_group_map_from_sid(sid, map, with_priv) ?
1293 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1296 NTSTATUS pdb_default_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
1297 gid_t gid, BOOL with_priv)
1299 return get_group_map_from_gid(gid, map, with_priv) ?
1300 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1303 NTSTATUS pdb_default_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
1304 char *name, BOOL with_priv)
1306 return get_group_map_from_ntname(name, map, with_priv) ?
1307 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1310 NTSTATUS pdb_default_add_group_mapping_entry(struct pdb_methods *methods,
1313 return add_mapping_entry(map, TDB_INSERT) ?
1314 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1317 NTSTATUS pdb_default_update_group_mapping_entry(struct pdb_methods *methods,
1320 return add_mapping_entry(map, TDB_REPLACE) ?
1321 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1324 NTSTATUS pdb_default_delete_group_mapping_entry(struct pdb_methods *methods,
1327 return group_map_remove(sid) ?
1328 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1331 NTSTATUS pdb_default_enum_group_mapping(struct pdb_methods *methods,
1332 enum SID_NAME_USE sid_name_use,
1333 GROUP_MAP **rmap, int *num_entries,
1334 BOOL unix_only, BOOL with_priv)
1336 return enum_group_mapping(sid_name_use, rmap, num_entries, unix_only,
1338 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
1341 /**********************************************************************
1342 no ops for passdb backends that don't implement group mapping
1343 *********************************************************************/
1345 NTSTATUS pdb_nop_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
1346 DOM_SID sid, BOOL with_priv)
1348 return NT_STATUS_UNSUCCESSFUL;
1351 NTSTATUS pdb_nop_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
1352 gid_t gid, BOOL with_priv)
1354 return NT_STATUS_UNSUCCESSFUL;
1357 NTSTATUS pdb_nop_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
1358 char *name, BOOL with_priv)
1360 return NT_STATUS_UNSUCCESSFUL;
1363 NTSTATUS pdb_nop_add_group_mapping_entry(struct pdb_methods *methods,
1366 return NT_STATUS_UNSUCCESSFUL;
1369 NTSTATUS pdb_nop_update_group_mapping_entry(struct pdb_methods *methods,
1372 return NT_STATUS_UNSUCCESSFUL;
1375 NTSTATUS pdb_nop_delete_group_mapping_entry(struct pdb_methods *methods,
1378 return NT_STATUS_UNSUCCESSFUL;
1381 NTSTATUS pdb_nop_enum_group_mapping(struct pdb_methods *methods,
1382 enum SID_NAME_USE sid_name_use,
1383 GROUP_MAP **rmap, int *num_entries,
1384 BOOL unix_only, BOOL with_priv)
1386 return NT_STATUS_UNSUCCESSFUL;