2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2000,
5 * Copyright (C) Jean François Micouleau 1998-2001.
6 * Copyright (C) Gerald Carter 2003,
7 * Copyright (C) Volker Lendecke 2004
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 #include "utils/net.h"
26 #include "../libcli/security/security.h"
28 /*********************************************************
29 Figure out if the input was an NT group or a SID string.
31 **********************************************************/
32 static bool get_sid_from_input(struct dom_sid *sid, char *input)
36 if (StrnCaseCmp( input, "S-", 2)) {
37 /* Perhaps its the NT group name? */
38 if (!pdb_getgrnam(&map, input)) {
39 printf(_("NT Group %s doesn't exist in mapping DB\n"),
46 if (!string_to_sid(sid, input)) {
47 printf(_("converting sid %s from a string failed!\n"),
55 /*********************************************************
56 Dump a GROUP_MAP entry to stdout (long or short listing)
57 **********************************************************/
59 static void print_map_entry ( GROUP_MAP map, bool long_list )
62 d_printf("%s (%s) -> %s\n", map.nt_name,
63 sid_string_tos(&map.sid), gidtoname(map.gid));
65 d_printf("%s\n", map.nt_name);
66 d_printf(_("\tSID : %s\n"), sid_string_tos(&map.sid));
67 d_printf(_("\tUnix gid : %u\n"), (unsigned int)map.gid);
68 d_printf(_("\tUnix group: %s\n"), gidtoname(map.gid));
69 d_printf(_("\tGroup type: %s\n"),
70 sid_type_lookup(map.sid_name_use));
71 d_printf(_("\tComment : %s\n"), map.comment);
75 /*********************************************************
77 **********************************************************/
78 static int net_groupmap_list(struct net_context *c, int argc, const char **argv)
81 bool long_list = false;
84 fstring sid_string = "";
85 const char list_usage_str[] = N_("net groupmap list [verbose] "
86 "[ntgroup=NT group] [sid=SID]\n"
87 " verbose\tPrint verbose list\n"
88 " ntgroup\tNT group to list\n"
89 " sid\tSID of group to list");
91 if (c->display_usage) {
92 d_printf("%s\n%s\n", _("Usage: "), list_usage_str);
96 if (c->opt_verbose || c->opt_long_list_entries)
100 for ( i=0; i<argc; i++ ) {
101 if ( !StrCaseCmp(argv[i], "verbose")) {
104 else if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
105 fstrcpy( ntgroup, get_string_param( argv[i] ) );
107 d_fprintf(stderr, _("must supply a name\n"));
111 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
112 fstrcpy( sid_string, get_string_param( argv[i] ) );
113 if ( !sid_string[0] ) {
114 d_fprintf(stderr, _("must supply a SID\n"));
119 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
120 d_printf("%s\n%s\n", _("Usage:"), list_usage_str);
125 /* list a single group is given a name */
126 if ( ntgroup[0] || sid_string[0] ) {
131 fstrcpy( ntgroup, sid_string);
133 if (!get_sid_from_input(&sid, ntgroup)) {
137 /* Get the current mapping from the database */
138 if(!pdb_getgrsid(&map, sid)) {
140 _("Failure to local group SID in the "
145 print_map_entry( map, long_list );
149 /* enumerate all group mappings */
150 if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED))
153 for (i=0; i<entries; i++) {
154 print_map_entry( map[i], long_list );
163 /*********************************************************
164 Add a new group mapping entry
165 **********************************************************/
167 static int net_groupmap_add(struct net_context *c, int argc, const char **argv)
170 fstring ntgroup = "";
171 fstring unixgrp = "";
172 fstring string_sid = "";
174 fstring ntcomment = "";
175 enum lsa_SidType sid_type = SID_NAME_DOM_GRP;
181 const char *name_type;
182 const char add_usage_str[] = N_("net groupmap add "
183 "{rid=<int>|sid=<string>}"
184 " unixgroup=<string> "
185 "[type=<domain|local|builtin>] "
186 "[ntgroup=<string>] "
187 "[comment=<string>]");
191 /* Default is domain group. */
192 map.sid_name_use = SID_NAME_DOM_GRP;
193 name_type = "domain group";
195 if (c->display_usage) {
196 d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
200 /* get the options */
201 for ( i=0; i<argc; i++ ) {
202 if ( !StrnCaseCmp(argv[i], "rid", strlen("rid")) ) {
203 rid = get_int_param(argv[i]);
204 if ( rid < DOMAIN_RID_ADMINS ) {
206 _("RID must be greater than %d\n"),
207 (uint32)DOMAIN_RID_ADMINS-1);
211 else if ( !StrnCaseCmp(argv[i], "unixgroup", strlen("unixgroup")) ) {
212 fstrcpy( unixgrp, get_string_param( argv[i] ) );
214 d_fprintf(stderr,_( "must supply a name\n"));
218 else if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
219 fstrcpy( ntgroup, get_string_param( argv[i] ) );
221 d_fprintf(stderr, _("must supply a name\n"));
225 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
226 fstrcpy( string_sid, get_string_param( argv[i] ) );
227 if ( !string_sid[0] ) {
228 d_fprintf(stderr, _("must supply a SID\n"));
232 else if ( !StrnCaseCmp(argv[i], "comment", strlen("comment")) ) {
233 fstrcpy( ntcomment, get_string_param( argv[i] ) );
234 if ( !ntcomment[0] ) {
236 _("must supply a comment string\n"));
240 else if ( !StrnCaseCmp(argv[i], "type", strlen("type")) ) {
241 fstrcpy( type, get_string_param( argv[i] ) );
245 sid_type = SID_NAME_WKN_GRP;
246 name_type = "wellknown group";
250 sid_type = SID_NAME_DOM_GRP;
251 name_type = "domain group";
255 sid_type = SID_NAME_ALIAS;
256 name_type = "alias (local) group";
260 _("unknown group type %s\n"),
266 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
272 d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
276 if ( (gid = nametogid(unixgrp)) == (gid_t)-1 ) {
277 d_fprintf(stderr, _("Can't lookup UNIX group %s\n"), unixgrp);
282 if (pdb_getgrgid(&map, gid)) {
283 d_printf(_("Unix group %s already mapped to SID %s\n"),
284 unixgrp, sid_string_tos(&map.sid));
289 if ( (rid == 0) && (string_sid[0] == '\0') ) {
290 d_printf(_("No rid or sid specified, choosing a RID\n"));
291 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
292 if (!pdb_new_rid(&rid)) {
293 d_printf(_("Could not get new RID\n"));
296 rid = algorithmic_pdb_gid_to_group_rid(gid);
298 d_printf(_("Got RID %d\n"), rid);
301 /* append the rid to our own domain/machine SID if we don't have a full SID */
302 if ( !string_sid[0] ) {
303 sid_compose(&sid, get_global_sam_sid(), rid);
304 sid_to_fstring(string_sid, &sid);
309 case SID_NAME_WKN_GRP:
310 fstrcpy(ntcomment, "Wellknown Unix group");
312 case SID_NAME_DOM_GRP:
313 fstrcpy(ntcomment, "Domain Unix group");
316 fstrcpy(ntcomment, "Local Unix group");
319 fstrcpy(ntcomment, "Unix group");
325 fstrcpy( ntgroup, unixgrp );
327 if (!NT_STATUS_IS_OK(add_initial_entry(gid, string_sid, sid_type, ntgroup, ntcomment))) {
328 d_fprintf(stderr, _("adding entry for group %s failed!\n"), ntgroup);
332 d_printf(_("Successfully added group %s to the mapping db as a %s\n"),
337 static int net_groupmap_modify(struct net_context *c, int argc, const char **argv)
341 fstring ntcomment = "";
343 fstring ntgroup = "";
344 fstring unixgrp = "";
345 fstring sid_string = "";
346 enum lsa_SidType sid_type = SID_NAME_UNKNOWN;
349 const char modify_usage_str[] = N_("net groupmap modify "
350 "{ntgroup=<string>|sid=<SID>} "
351 "[comment=<string>] "
352 "[unixgroup=<string>] "
353 "[type=<domain|local>]");
355 if (c->display_usage) {
356 d_printf("%s\n%s\n", _("Usage:\n"), modify_usage_str);
360 /* get the options */
361 for ( i=0; i<argc; i++ ) {
362 if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
363 fstrcpy( ntgroup, get_string_param( argv[i] ) );
365 d_fprintf(stderr, _("must supply a name\n"));
369 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
370 fstrcpy( sid_string, get_string_param( argv[i] ) );
371 if ( !sid_string[0] ) {
372 d_fprintf(stderr, _("must supply a name\n"));
376 else if ( !StrnCaseCmp(argv[i], "comment", strlen("comment")) ) {
377 fstrcpy( ntcomment, get_string_param( argv[i] ) );
378 if ( !ntcomment[0] ) {
380 _("must supply a comment string\n"));
384 else if ( !StrnCaseCmp(argv[i], "unixgroup", strlen("unixgroup")) ) {
385 fstrcpy( unixgrp, get_string_param( argv[i] ) );
388 _("must supply a group name\n"));
392 else if ( !StrnCaseCmp(argv[i], "type", strlen("type")) ) {
393 fstrcpy( type, get_string_param( argv[i] ) );
397 sid_type = SID_NAME_DOM_GRP;
401 sid_type = SID_NAME_ALIAS;
406 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
411 if ( !ntgroup[0] && !sid_string[0] ) {
412 d_printf("%s\n%s\n", _("Usage:\n"), modify_usage_str);
416 /* give preference to the SID; if both the ntgroup name and SID
417 are defined, use the SID and assume that the group name could be a
420 if ( sid_string[0] ) {
421 if (!get_sid_from_input(&sid, sid_string)) {
426 if (!get_sid_from_input(&sid, ntgroup)) {
431 /* Get the current mapping from the database */
432 if(!pdb_getgrsid(&map, sid)) {
434 _("Failed to find local group SID in the database\n"));
439 * Allow changing of group type only between domain and local
440 * We disallow changing Builtin groups !!! (SID problem)
442 if (sid_type == SID_NAME_UNKNOWN) {
443 d_fprintf(stderr, _("Can't map to an unknown group type.\n"));
447 if (map.sid_name_use == SID_NAME_WKN_GRP) {
449 _("You can only change between domain and local "
454 map.sid_name_use=sid_type;
456 /* Change comment if new one */
458 fstrcpy( map.comment, ntcomment );
461 fstrcpy( map.nt_name, ntgroup );
464 gid = nametogid( unixgrp );
466 d_fprintf(stderr, _("Unable to lookup UNIX group %s. "
467 "Make sure the group exists.\n"),
475 if ( !NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map)) ) {
476 d_fprintf(stderr, _("Could not update group database\n"));
480 d_printf(_("Updated mapping entry for %s\n"), map.nt_name);
485 static int net_groupmap_delete(struct net_context *c, int argc, const char **argv)
488 fstring ntgroup = "";
489 fstring sid_string = "";
491 const char delete_usage_str[] = N_("net groupmap delete "
492 "{ntgroup=<string>|sid=<SID>}");
494 if (c->display_usage) {
495 d_printf("%s\n%s\n", _("Usage:\n"), delete_usage_str);
499 /* get the options */
500 for ( i=0; i<argc; i++ ) {
501 if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
502 fstrcpy( ntgroup, get_string_param( argv[i] ) );
504 d_fprintf(stderr, _("must supply a name\n"));
508 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
509 fstrcpy( sid_string, get_string_param( argv[i] ) );
510 if ( !sid_string[0] ) {
511 d_fprintf(stderr, _("must supply a SID\n"));
516 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
521 if ( !ntgroup[0] && !sid_string[0]) {
522 d_printf("%s\n%s\n", _("Usage:\n"), delete_usage_str);
526 /* give preference to the SID if we have that */
529 fstrcpy( ntgroup, sid_string );
531 if ( !get_sid_from_input(&sid, ntgroup) ) {
532 d_fprintf(stderr, _("Unable to resolve group %s to a SID\n"),
537 if ( !NT_STATUS_IS_OK(pdb_delete_group_mapping_entry(sid)) ) {
539 _("Failed to remove group %s from the mapping db!\n"),
544 d_printf(_("Sucessfully removed %s from the mapping db\n"), ntgroup);
549 static int net_groupmap_set(struct net_context *c, int argc, const char **argv)
551 const char *ntgroup = NULL;
552 struct group *grp = NULL;
554 bool have_map = false;
556 if ((argc < 1) || (argc > 2) || c->display_usage) {
559 _(" net groupmap set \"NT Group\" "
560 "[\"unix group\"] [-C \"comment\"] [-L] [-D]\n"));
564 if ( c->opt_localgroup && c->opt_domaingroup ) {
565 d_printf(_("Can only specify -L or -D, not both\n"));
572 grp = getgrnam(argv[1]);
575 d_fprintf(stderr, _("Could not find unix group %s\n"),
581 have_map = pdb_getgrnam(&map, ntgroup);
585 have_map = ( (strncmp(ntgroup, "S-", 2) == 0) &&
586 string_to_sid(&sid, ntgroup) &&
587 pdb_getgrsid(&map, sid) );
596 _("Could not find group mapping for %s\n"),
601 map.gid = grp->gr_gid;
603 if (c->opt_rid == 0) {
604 if ( pdb_capabilities() & PDB_CAP_STORE_RIDS ) {
605 if ( !pdb_new_rid((uint32*)&c->opt_rid) ) {
607 _("Could not allocate new RID\n"));
611 c->opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid);
615 sid_compose(&map.sid, get_global_sam_sid(), c->opt_rid);
617 map.sid_name_use = SID_NAME_DOM_GRP;
618 fstrcpy(map.nt_name, ntgroup);
619 fstrcpy(map.comment, "");
621 if (!NT_STATUS_IS_OK(pdb_add_group_mapping_entry(&map))) {
623 _("Could not add mapping entry for %s\n"),
629 /* Now we have a mapping entry, update that stuff */
631 if ( c->opt_localgroup || c->opt_domaingroup ) {
632 if (map.sid_name_use == SID_NAME_WKN_GRP) {
634 _("Can't change type of the BUILTIN "
641 if (c->opt_localgroup)
642 map.sid_name_use = SID_NAME_ALIAS;
644 if (c->opt_domaingroup)
645 map.sid_name_use = SID_NAME_DOM_GRP;
647 /* The case (opt_domaingroup && opt_localgroup) was tested for above */
649 if ((c->opt_comment != NULL) && (strlen(c->opt_comment) > 0)) {
650 fstrcpy(map.comment, c->opt_comment);
653 if ((c->opt_newntname != NULL) && (strlen(c->opt_newntname) > 0)) {
654 fstrcpy(map.nt_name, c->opt_newntname);
658 map.gid = grp->gr_gid;
660 if (!NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map))) {
661 d_fprintf(stderr, _("Could not update group mapping for %s\n"),
669 static int net_groupmap_cleanup(struct net_context *c, int argc, const char **argv)
671 GROUP_MAP *map = NULL;
674 if (c->display_usage) {
676 "net groupmap cleanup\n"
679 _("Delete all group mappings"));
683 if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries,
685 d_fprintf(stderr, _("Could not list group mappings\n"));
689 for (i=0; i<entries; i++) {
691 if (map[i].gid == -1)
692 printf(_("Group %s is not mapped\n"), map[i].nt_name);
694 if (!sid_check_is_in_our_domain(&map[i].sid)) {
695 printf(_("Deleting mapping for NT Group %s, sid %s\n"),
697 sid_string_tos(&map[i].sid));
698 pdb_delete_group_mapping_entry(map[i].sid);
707 static int net_groupmap_addmem(struct net_context *c, int argc, const char **argv)
709 struct dom_sid alias, member;
713 !string_to_sid(&alias, argv[0]) ||
714 !string_to_sid(&member, argv[1]) ) {
717 _("net groupmap addmem alias-sid member-sid\n"));
721 if (!NT_STATUS_IS_OK(pdb_add_aliasmem(&alias, &member))) {
722 d_fprintf(stderr, _("Could not add sid %s to alias %s\n"),
730 static int net_groupmap_delmem(struct net_context *c, int argc, const char **argv)
732 struct dom_sid alias, member;
736 !string_to_sid(&alias, argv[0]) ||
737 !string_to_sid(&member, argv[1]) ) {
740 _("net groupmap delmem alias-sid member-sid\n"));
744 if (!NT_STATUS_IS_OK(pdb_del_aliasmem(&alias, &member))) {
745 d_fprintf(stderr, _("Could not delete sid %s from alias %s\n"),
753 static int net_groupmap_listmem(struct net_context *c, int argc, const char **argv)
755 struct dom_sid alias;
756 struct dom_sid *members;
761 !string_to_sid(&alias, argv[0]) ) {
764 _("net groupmap listmem alias-sid\n"));
771 if (!NT_STATUS_IS_OK(pdb_enum_aliasmem(&alias, talloc_tos(),
773 d_fprintf(stderr, _("Could not list members for sid %s\n"),
778 for (i = 0; i < num; i++) {
779 printf("%s\n", sid_string_tos(&(members[i])));
782 TALLOC_FREE(members);
787 static bool print_alias_memberships(TALLOC_CTX *mem_ctx,
788 const struct dom_sid *domain_sid,
789 const struct dom_sid *member)
792 size_t i, num_alias_rids;
797 if (!NT_STATUS_IS_OK(pdb_enum_alias_memberships(
798 mem_ctx, domain_sid, member, 1,
799 &alias_rids, &num_alias_rids))) {
800 d_fprintf(stderr, _("Could not list memberships for sid %s\n"),
801 sid_string_tos(member));
805 for (i = 0; i < num_alias_rids; i++) {
806 struct dom_sid alias;
807 sid_compose(&alias, domain_sid, alias_rids[i]);
808 printf("%s\n", sid_string_tos(&alias));
814 static int net_groupmap_memberships(struct net_context *c, int argc, const char **argv)
817 struct dom_sid *domain_sid, member;
821 !string_to_sid(&member, argv[0]) ) {
824 _("net groupmap memberof sid\n"));
828 mem_ctx = talloc_init("net_groupmap_memberships");
829 if (mem_ctx == NULL) {
830 d_fprintf(stderr, _("talloc_init failed\n"));
834 domain_sid = get_global_sam_sid();
835 if (domain_sid == NULL) {
836 d_fprintf(stderr, _("Could not get domain sid\n"));
840 if (!print_alias_memberships(mem_ctx, domain_sid, &member) ||
841 !print_alias_memberships(mem_ctx, &global_sid_Builtin, &member))
844 talloc_destroy(mem_ctx);
849 /***********************************************************
850 migrated functionality from smbgroupedit
851 **********************************************************/
852 int net_groupmap(struct net_context *c, int argc, const char **argv)
854 struct functable func[] = {
859 N_("Create a new group mapping"),
860 N_("net groupmap add\n"
861 " Create a new group mapping")
867 N_("Update a group mapping"),
868 N_("net groupmap modify\n"
869 " Modify an existing group mapping")
875 N_("Remove a group mapping"),
876 N_("net groupmap delete\n"
877 " Remove a group mapping")
883 N_("Set group mapping"),
884 N_("net groupmap set\n"
885 " Set a group mapping")
889 net_groupmap_cleanup,
891 N_("Remove foreign group mapping entries"),
892 N_("net groupmap cleanup\n"
893 " Remove foreign group mapping entries")
899 N_("Add a foreign alias member"),
900 N_("net groupmap addmem\n"
901 " Add a foreign alias member")
907 N_("Delete foreign alias member"),
908 N_("net groupmap delmem\n"
909 " Delete foreign alias member")
913 net_groupmap_listmem,
915 N_("List foreign group members"),
916 N_("net groupmap listmem\n"
917 " List foreign alias members")
921 net_groupmap_memberships,
923 N_("List foreign group memberships"),
924 N_("net groupmap memberships\n"
925 " List foreign group memberships")
931 N_("List current group map"),
932 N_("net groupmap list\n"
933 " List current group map")
935 {NULL, NULL, 0, NULL, NULL}
938 return net_run_function(c,argc, argv, "net groupmap", func);
git.samba.org / amitay / samba.git / blob