2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2000,
5 * Copyright (C) Jean François Micouleau 1998-2001.
6 * Copyright (C) Gerald Carter 2003,
7 * Copyright (C) Volker Lendecke 2004
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 #include "system/passwd.h"
26 #include "utils/net.h"
27 #include "../libcli/security/security.h"
30 /*********************************************************
31 Figure out if the input was an NT group or a SID string.
33 **********************************************************/
34 static bool get_sid_from_input(struct dom_sid *sid, char *input)
38 if (StrnCaseCmp( input, "S-", 2)) {
39 /* Perhaps its the NT group name? */
40 if (!pdb_getgrnam(&map, input)) {
41 printf(_("NT Group %s doesn't exist in mapping DB\n"),
48 if (!string_to_sid(sid, input)) {
49 printf(_("converting sid %s from a string failed!\n"),
57 /*********************************************************
58 Dump a GROUP_MAP entry to stdout (long or short listing)
59 **********************************************************/
61 static void print_map_entry (const GROUP_MAP *map, bool long_list)
64 d_printf("%s (%s) -> %s\n", map->nt_name,
65 sid_string_tos(&map->sid), gidtoname(map->gid));
67 d_printf("%s\n", map->nt_name);
68 d_printf(_("\tSID : %s\n"), sid_string_tos(&map->sid));
69 d_printf(_("\tUnix gid : %u\n"), (unsigned int)map->gid);
70 d_printf(_("\tUnix group: %s\n"), gidtoname(map->gid));
71 d_printf(_("\tGroup type: %s\n"),
72 sid_type_lookup(map->sid_name_use));
73 d_printf(_("\tComment : %s\n"), map->comment);
77 /*********************************************************
79 **********************************************************/
80 static int net_groupmap_list(struct net_context *c, int argc, const char **argv)
83 bool long_list = false;
86 fstring sid_string = "";
87 const char list_usage_str[] = N_("net groupmap list [verbose] "
88 "[ntgroup=NT group] [sid=SID]\n"
89 " verbose\tPrint verbose list\n"
90 " ntgroup\tNT group to list\n"
91 " sid\tSID of group to list");
93 if (c->display_usage) {
94 d_printf("%s\n%s\n", _("Usage: "), list_usage_str);
98 if (c->opt_verbose || c->opt_long_list_entries)
101 /* get the options */
102 for ( i=0; i<argc; i++ ) {
103 if ( !strcasecmp_m(argv[i], "verbose")) {
106 else if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
107 fstrcpy( ntgroup, get_string_param( argv[i] ) );
109 d_fprintf(stderr, _("must supply a name\n"));
113 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
114 fstrcpy( sid_string, get_string_param( argv[i] ) );
115 if ( !sid_string[0] ) {
116 d_fprintf(stderr, _("must supply a SID\n"));
121 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
122 d_printf("%s\n%s\n", _("Usage:"), list_usage_str);
127 /* list a single group is given a name */
128 if ( ntgroup[0] || sid_string[0] ) {
133 strlcpy(ntgroup, sid_string, sizeof(ntgroup));
135 if (!get_sid_from_input(&sid, ntgroup)) {
139 /* Get the current mapping from the database */
140 if(!pdb_getgrsid(&map, sid)) {
142 _("Failure to local group SID in the "
147 print_map_entry(&map, long_list );
151 /* enumerate all group mappings */
152 if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED))
155 for (i=0; i<entries; i++) {
156 print_map_entry(&map[i], long_list);
165 /*********************************************************
166 Add a new group mapping entry
167 **********************************************************/
169 static int net_groupmap_add(struct net_context *c, int argc, const char **argv)
172 fstring ntgroup = "";
173 fstring unixgrp = "";
174 fstring string_sid = "";
176 fstring ntcomment = "";
177 enum lsa_SidType sid_type = SID_NAME_DOM_GRP;
183 const char *name_type;
184 const char add_usage_str[] = N_("net groupmap add "
185 "{rid=<int>|sid=<string>}"
186 " unixgroup=<string> "
187 "[type=<domain|local|builtin>] "
188 "[ntgroup=<string>] "
189 "[comment=<string>]");
193 /* Default is domain group. */
194 map.sid_name_use = SID_NAME_DOM_GRP;
195 name_type = "domain group";
197 if (c->display_usage) {
198 d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
202 /* get the options */
203 for ( i=0; i<argc; i++ ) {
204 if ( !StrnCaseCmp(argv[i], "rid", strlen("rid")) ) {
205 rid = get_int_param(argv[i]);
206 if ( rid < DOMAIN_RID_ADMINS ) {
208 _("RID must be greater than %d\n"),
209 (uint32)DOMAIN_RID_ADMINS-1);
213 else if ( !StrnCaseCmp(argv[i], "unixgroup", strlen("unixgroup")) ) {
214 fstrcpy( unixgrp, get_string_param( argv[i] ) );
216 d_fprintf(stderr,_( "must supply a name\n"));
220 else if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
221 fstrcpy( ntgroup, get_string_param( argv[i] ) );
223 d_fprintf(stderr, _("must supply a name\n"));
227 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
228 fstrcpy( string_sid, get_string_param( argv[i] ) );
229 if ( !string_sid[0] ) {
230 d_fprintf(stderr, _("must supply a SID\n"));
234 else if ( !StrnCaseCmp(argv[i], "comment", strlen("comment")) ) {
235 fstrcpy( ntcomment, get_string_param( argv[i] ) );
236 if ( !ntcomment[0] ) {
238 _("must supply a comment string\n"));
242 else if ( !StrnCaseCmp(argv[i], "type", strlen("type")) ) {
243 fstrcpy( type, get_string_param( argv[i] ) );
247 sid_type = SID_NAME_WKN_GRP;
248 name_type = "wellknown group";
252 sid_type = SID_NAME_DOM_GRP;
253 name_type = "domain group";
257 sid_type = SID_NAME_ALIAS;
258 name_type = "alias (local) group";
262 _("unknown group type %s\n"),
268 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
274 d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
278 if ( (gid = nametogid(unixgrp)) == (gid_t)-1 ) {
279 d_fprintf(stderr, _("Can't lookup UNIX group %s\n"), unixgrp);
284 if (pdb_getgrgid(&map, gid)) {
285 d_printf(_("Unix group %s already mapped to SID %s\n"),
286 unixgrp, sid_string_tos(&map.sid));
291 if ( (rid == 0) && (string_sid[0] == '\0') ) {
292 d_printf(_("No rid or sid specified, choosing a RID\n"));
293 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
294 if (!pdb_new_rid(&rid)) {
295 d_printf(_("Could not get new RID\n"));
298 rid = algorithmic_pdb_gid_to_group_rid(gid);
300 d_printf(_("Got RID %d\n"), rid);
303 /* append the rid to our own domain/machine SID if we don't have a full SID */
304 if ( !string_sid[0] ) {
305 sid_compose(&sid, get_global_sam_sid(), rid);
306 sid_to_fstring(string_sid, &sid);
311 case SID_NAME_WKN_GRP:
312 fstrcpy(ntcomment, "Wellknown Unix group");
314 case SID_NAME_DOM_GRP:
315 fstrcpy(ntcomment, "Domain Unix group");
318 fstrcpy(ntcomment, "Local Unix group");
321 fstrcpy(ntcomment, "Unix group");
327 strlcpy(ntgroup, unixgrp, sizeof(ntgroup));
329 if (!NT_STATUS_IS_OK(add_initial_entry(gid, string_sid, sid_type, ntgroup, ntcomment))) {
330 d_fprintf(stderr, _("adding entry for group %s failed!\n"), ntgroup);
334 d_printf(_("Successfully added group %s to the mapping db as a %s\n"),
339 static int net_groupmap_modify(struct net_context *c, int argc, const char **argv)
343 fstring ntcomment = "";
345 fstring ntgroup = "";
346 fstring unixgrp = "";
347 fstring sid_string = "";
348 enum lsa_SidType sid_type = SID_NAME_UNKNOWN;
351 const char modify_usage_str[] = N_("net groupmap modify "
352 "{ntgroup=<string>|sid=<SID>} "
353 "[comment=<string>] "
354 "[unixgroup=<string>] "
355 "[type=<domain|local>]");
357 if (c->display_usage) {
358 d_printf("%s\n%s\n", _("Usage:\n"), modify_usage_str);
362 /* get the options */
363 for ( i=0; i<argc; i++ ) {
364 if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
365 fstrcpy( ntgroup, get_string_param( argv[i] ) );
367 d_fprintf(stderr, _("must supply a name\n"));
371 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
372 fstrcpy( sid_string, get_string_param( argv[i] ) );
373 if ( !sid_string[0] ) {
374 d_fprintf(stderr, _("must supply a name\n"));
378 else if ( !StrnCaseCmp(argv[i], "comment", strlen("comment")) ) {
379 fstrcpy( ntcomment, get_string_param( argv[i] ) );
380 if ( !ntcomment[0] ) {
382 _("must supply a comment string\n"));
386 else if ( !StrnCaseCmp(argv[i], "unixgroup", strlen("unixgroup")) ) {
387 fstrcpy( unixgrp, get_string_param( argv[i] ) );
390 _("must supply a group name\n"));
394 else if ( !StrnCaseCmp(argv[i], "type", strlen("type")) ) {
395 fstrcpy( type, get_string_param( argv[i] ) );
399 sid_type = SID_NAME_DOM_GRP;
403 sid_type = SID_NAME_ALIAS;
408 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
413 if ( !ntgroup[0] && !sid_string[0] ) {
414 d_printf("%s\n%s\n", _("Usage:\n"), modify_usage_str);
418 /* give preference to the SID; if both the ntgroup name and SID
419 are defined, use the SID and assume that the group name could be a
422 if ( sid_string[0] ) {
423 if (!get_sid_from_input(&sid, sid_string)) {
428 if (!get_sid_from_input(&sid, ntgroup)) {
433 /* Get the current mapping from the database */
434 if(!pdb_getgrsid(&map, sid)) {
436 _("Failed to find local group SID in the database\n"));
441 * Allow changing of group type only between domain and local
442 * We disallow changing Builtin groups !!! (SID problem)
444 if (sid_type == SID_NAME_UNKNOWN) {
445 d_fprintf(stderr, _("Can't map to an unknown group type.\n"));
449 if (map.sid_name_use == SID_NAME_WKN_GRP) {
451 _("You can only change between domain and local "
456 map.sid_name_use=sid_type;
458 /* Change comment if new one */
460 strlcpy(map.comment, ntcomment, sizeof(map.comment));
463 strlcpy(map.nt_name, ntgroup, sizeof(map.nt_name));
466 gid = nametogid( unixgrp );
468 d_fprintf(stderr, _("Unable to lookup UNIX group %s. "
469 "Make sure the group exists.\n"),
477 if ( !NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map)) ) {
478 d_fprintf(stderr, _("Could not update group database\n"));
482 d_printf(_("Updated mapping entry for %s\n"), map.nt_name);
487 static int net_groupmap_delete(struct net_context *c, int argc, const char **argv)
490 fstring ntgroup = "";
491 fstring sid_string = "";
493 const char delete_usage_str[] = N_("net groupmap delete "
494 "{ntgroup=<string>|sid=<SID>}");
496 if (c->display_usage) {
497 d_printf("%s\n%s\n", _("Usage:\n"), delete_usage_str);
501 /* get the options */
502 for ( i=0; i<argc; i++ ) {
503 if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
504 fstrcpy( ntgroup, get_string_param( argv[i] ) );
506 d_fprintf(stderr, _("must supply a name\n"));
510 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
511 fstrcpy( sid_string, get_string_param( argv[i] ) );
512 if ( !sid_string[0] ) {
513 d_fprintf(stderr, _("must supply a SID\n"));
518 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
523 if ( !ntgroup[0] && !sid_string[0]) {
524 d_printf("%s\n%s\n", _("Usage:\n"), delete_usage_str);
528 /* give preference to the SID if we have that */
531 strlcpy(ntgroup, sid_string, sizeof(ntgroup));
533 if ( !get_sid_from_input(&sid, ntgroup) ) {
534 d_fprintf(stderr, _("Unable to resolve group %s to a SID\n"),
539 if ( !NT_STATUS_IS_OK(pdb_delete_group_mapping_entry(sid)) ) {
541 _("Failed to remove group %s from the mapping db!\n"),
546 d_printf(_("Sucessfully removed %s from the mapping db\n"), ntgroup);
551 static int net_groupmap_set(struct net_context *c, int argc, const char **argv)
553 const char *ntgroup = NULL;
554 struct group *grp = NULL;
556 bool have_map = false;
558 if ((argc < 1) || (argc > 2) || c->display_usage) {
561 _(" net groupmap set \"NT Group\" "
562 "[\"unix group\"] [-C \"comment\"] [-L] [-D]\n"));
566 if ( c->opt_localgroup && c->opt_domaingroup ) {
567 d_printf(_("Can only specify -L or -D, not both\n"));
574 grp = getgrnam(argv[1]);
577 d_fprintf(stderr, _("Could not find unix group %s\n"),
583 have_map = pdb_getgrnam(&map, ntgroup);
587 have_map = ( (strncmp(ntgroup, "S-", 2) == 0) &&
588 string_to_sid(&sid, ntgroup) &&
589 pdb_getgrsid(&map, sid) );
598 _("Could not find group mapping for %s\n"),
603 map.gid = grp->gr_gid;
605 if (c->opt_rid == 0) {
606 if ( pdb_capabilities() & PDB_CAP_STORE_RIDS ) {
607 if ( !pdb_new_rid((uint32*)&c->opt_rid) ) {
609 _("Could not allocate new RID\n"));
613 c->opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid);
617 sid_compose(&map.sid, get_global_sam_sid(), c->opt_rid);
619 map.sid_name_use = SID_NAME_DOM_GRP;
620 fstrcpy(map.nt_name, ntgroup);
621 fstrcpy(map.comment, "");
623 if (!NT_STATUS_IS_OK(pdb_add_group_mapping_entry(&map))) {
625 _("Could not add mapping entry for %s\n"),
631 /* Now we have a mapping entry, update that stuff */
633 if ( c->opt_localgroup || c->opt_domaingroup ) {
634 if (map.sid_name_use == SID_NAME_WKN_GRP) {
636 _("Can't change type of the BUILTIN "
643 if (c->opt_localgroup)
644 map.sid_name_use = SID_NAME_ALIAS;
646 if (c->opt_domaingroup)
647 map.sid_name_use = SID_NAME_DOM_GRP;
649 /* The case (opt_domaingroup && opt_localgroup) was tested for above */
651 if ((c->opt_comment != NULL) && (strlen(c->opt_comment) > 0)) {
652 fstrcpy(map.comment, c->opt_comment);
655 if ((c->opt_newntname != NULL) && (strlen(c->opt_newntname) > 0)) {
656 fstrcpy(map.nt_name, c->opt_newntname);
660 map.gid = grp->gr_gid;
662 if (!NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map))) {
663 d_fprintf(stderr, _("Could not update group mapping for %s\n"),
671 static int net_groupmap_cleanup(struct net_context *c, int argc, const char **argv)
673 GROUP_MAP *map = NULL;
676 if (c->display_usage) {
678 "net groupmap cleanup\n"
681 _("Delete all group mappings"));
685 if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries,
687 d_fprintf(stderr, _("Could not list group mappings\n"));
691 for (i=0; i<entries; i++) {
693 if (map[i].gid == -1)
694 printf(_("Group %s is not mapped\n"), map[i].nt_name);
696 if (!sid_check_is_in_our_domain(&map[i].sid)) {
697 printf(_("Deleting mapping for NT Group %s, sid %s\n"),
699 sid_string_tos(&map[i].sid));
700 pdb_delete_group_mapping_entry(map[i].sid);
709 static int net_groupmap_addmem(struct net_context *c, int argc, const char **argv)
711 struct dom_sid alias, member;
715 !string_to_sid(&alias, argv[0]) ||
716 !string_to_sid(&member, argv[1]) ) {
719 _("net groupmap addmem alias-sid member-sid\n"));
723 if (!NT_STATUS_IS_OK(pdb_add_aliasmem(&alias, &member))) {
724 d_fprintf(stderr, _("Could not add sid %s to alias %s\n"),
732 static int net_groupmap_delmem(struct net_context *c, int argc, const char **argv)
734 struct dom_sid alias, member;
738 !string_to_sid(&alias, argv[0]) ||
739 !string_to_sid(&member, argv[1]) ) {
742 _("net groupmap delmem alias-sid member-sid\n"));
746 if (!NT_STATUS_IS_OK(pdb_del_aliasmem(&alias, &member))) {
747 d_fprintf(stderr, _("Could not delete sid %s from alias %s\n"),
755 static int net_groupmap_listmem(struct net_context *c, int argc, const char **argv)
757 struct dom_sid alias;
758 struct dom_sid *members;
763 !string_to_sid(&alias, argv[0]) ) {
766 _("net groupmap listmem alias-sid\n"));
773 if (!NT_STATUS_IS_OK(pdb_enum_aliasmem(&alias, talloc_tos(),
775 d_fprintf(stderr, _("Could not list members for sid %s\n"),
780 for (i = 0; i < num; i++) {
781 printf("%s\n", sid_string_tos(&(members[i])));
784 TALLOC_FREE(members);
789 static bool print_alias_memberships(TALLOC_CTX *mem_ctx,
790 const struct dom_sid *domain_sid,
791 const struct dom_sid *member)
794 size_t i, num_alias_rids;
799 if (!NT_STATUS_IS_OK(pdb_enum_alias_memberships(
800 mem_ctx, domain_sid, member, 1,
801 &alias_rids, &num_alias_rids))) {
802 d_fprintf(stderr, _("Could not list memberships for sid %s\n"),
803 sid_string_tos(member));
807 for (i = 0; i < num_alias_rids; i++) {
808 struct dom_sid alias;
809 sid_compose(&alias, domain_sid, alias_rids[i]);
810 printf("%s\n", sid_string_tos(&alias));
816 static int net_groupmap_memberships(struct net_context *c, int argc, const char **argv)
819 struct dom_sid *domain_sid, member;
823 !string_to_sid(&member, argv[0]) ) {
826 _("net groupmap memberof sid\n"));
830 mem_ctx = talloc_init("net_groupmap_memberships");
831 if (mem_ctx == NULL) {
832 d_fprintf(stderr, _("talloc_init failed\n"));
836 domain_sid = get_global_sam_sid();
837 if (domain_sid == NULL) {
838 d_fprintf(stderr, _("Could not get domain sid\n"));
842 if (!print_alias_memberships(mem_ctx, domain_sid, &member) ||
843 !print_alias_memberships(mem_ctx, &global_sid_Builtin, &member))
846 talloc_destroy(mem_ctx);
851 /***********************************************************
852 migrated functionality from smbgroupedit
853 **********************************************************/
854 int net_groupmap(struct net_context *c, int argc, const char **argv)
856 struct functable func[] = {
861 N_("Create a new group mapping"),
862 N_("net groupmap add\n"
863 " Create a new group mapping")
869 N_("Update a group mapping"),
870 N_("net groupmap modify\n"
871 " Modify an existing group mapping")
877 N_("Remove a group mapping"),
878 N_("net groupmap delete\n"
879 " Remove a group mapping")
885 N_("Set group mapping"),
886 N_("net groupmap set\n"
887 " Set a group mapping")
891 net_groupmap_cleanup,
893 N_("Remove foreign group mapping entries"),
894 N_("net groupmap cleanup\n"
895 " Remove foreign group mapping entries")
901 N_("Add a foreign alias member"),
902 N_("net groupmap addmem\n"
903 " Add a foreign alias member")
909 N_("Delete foreign alias member"),
910 N_("net groupmap delmem\n"
911 " Delete foreign alias member")
915 net_groupmap_listmem,
917 N_("List foreign group members"),
918 N_("net groupmap listmem\n"
919 " List foreign alias members")
923 net_groupmap_memberships,
925 N_("List foreign group memberships"),
926 N_("net groupmap memberships\n"
927 " List foreign group memberships")
933 N_("List current group map"),
934 N_("net groupmap list\n"
935 " List current group map")
937 {NULL, NULL, 0, NULL, NULL}
940 return net_run_function(c,argc, argv, "net groupmap", func);