2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2000,
5 * Copyright (C) Jean François Micouleau 1998-2001.
6 * Copyright (C) Gerald Carter 2003,
7 * Copyright (C) Volker Lendecke 2004
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 #include "system/passwd.h"
26 #include "utils/net.h"
27 #include "../libcli/security/security.h"
29 /*********************************************************
30 Figure out if the input was an NT group or a SID string.
32 **********************************************************/
33 static bool get_sid_from_input(struct dom_sid *sid, char *input)
37 if (StrnCaseCmp( input, "S-", 2)) {
38 /* Perhaps its the NT group name? */
39 if (!pdb_getgrnam(&map, input)) {
40 printf(_("NT Group %s doesn't exist in mapping DB\n"),
47 if (!string_to_sid(sid, input)) {
48 printf(_("converting sid %s from a string failed!\n"),
56 /*********************************************************
57 Dump a GROUP_MAP entry to stdout (long or short listing)
58 **********************************************************/
60 static void print_map_entry (const GROUP_MAP *map, bool long_list)
63 d_printf("%s (%s) -> %s\n", map->nt_name,
64 sid_string_tos(&map->sid), gidtoname(map->gid));
66 d_printf("%s\n", map->nt_name);
67 d_printf(_("\tSID : %s\n"), sid_string_tos(&map->sid));
68 d_printf(_("\tUnix gid : %u\n"), (unsigned int)map->gid);
69 d_printf(_("\tUnix group: %s\n"), gidtoname(map->gid));
70 d_printf(_("\tGroup type: %s\n"),
71 sid_type_lookup(map->sid_name_use));
72 d_printf(_("\tComment : %s\n"), map->comment);
76 /*********************************************************
78 **********************************************************/
79 static int net_groupmap_list(struct net_context *c, int argc, const char **argv)
82 bool long_list = false;
85 fstring sid_string = "";
86 const char list_usage_str[] = N_("net groupmap list [verbose] "
87 "[ntgroup=NT group] [sid=SID]\n"
88 " verbose\tPrint verbose list\n"
89 " ntgroup\tNT group to list\n"
90 " sid\tSID of group to list");
92 if (c->display_usage) {
93 d_printf("%s\n%s\n", _("Usage: "), list_usage_str);
97 if (c->opt_verbose || c->opt_long_list_entries)
100 /* get the options */
101 for ( i=0; i<argc; i++ ) {
102 if ( !StrCaseCmp(argv[i], "verbose")) {
105 else if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
106 fstrcpy( ntgroup, get_string_param( argv[i] ) );
108 d_fprintf(stderr, _("must supply a name\n"));
112 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
113 fstrcpy( sid_string, get_string_param( argv[i] ) );
114 if ( !sid_string[0] ) {
115 d_fprintf(stderr, _("must supply a SID\n"));
120 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
121 d_printf("%s\n%s\n", _("Usage:"), list_usage_str);
126 /* list a single group is given a name */
127 if ( ntgroup[0] || sid_string[0] ) {
132 fstrcpy( ntgroup, sid_string);
134 if (!get_sid_from_input(&sid, ntgroup)) {
138 /* Get the current mapping from the database */
139 if(!pdb_getgrsid(&map, sid)) {
141 _("Failure to local group SID in the "
146 print_map_entry(&map, long_list );
150 /* enumerate all group mappings */
151 if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED))
154 for (i=0; i<entries; i++) {
155 print_map_entry(&map[i], long_list);
164 /*********************************************************
165 Add a new group mapping entry
166 **********************************************************/
168 static int net_groupmap_add(struct net_context *c, int argc, const char **argv)
171 fstring ntgroup = "";
172 fstring unixgrp = "";
173 fstring string_sid = "";
175 fstring ntcomment = "";
176 enum lsa_SidType sid_type = SID_NAME_DOM_GRP;
182 const char *name_type;
183 const char add_usage_str[] = N_("net groupmap add "
184 "{rid=<int>|sid=<string>}"
185 " unixgroup=<string> "
186 "[type=<domain|local|builtin>] "
187 "[ntgroup=<string>] "
188 "[comment=<string>]");
192 /* Default is domain group. */
193 map.sid_name_use = SID_NAME_DOM_GRP;
194 name_type = "domain group";
196 if (c->display_usage) {
197 d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
201 /* get the options */
202 for ( i=0; i<argc; i++ ) {
203 if ( !StrnCaseCmp(argv[i], "rid", strlen("rid")) ) {
204 rid = get_int_param(argv[i]);
205 if ( rid < DOMAIN_RID_ADMINS ) {
207 _("RID must be greater than %d\n"),
208 (uint32)DOMAIN_RID_ADMINS-1);
212 else if ( !StrnCaseCmp(argv[i], "unixgroup", strlen("unixgroup")) ) {
213 fstrcpy( unixgrp, get_string_param( argv[i] ) );
215 d_fprintf(stderr,_( "must supply a name\n"));
219 else if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
220 fstrcpy( ntgroup, get_string_param( argv[i] ) );
222 d_fprintf(stderr, _("must supply a name\n"));
226 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
227 fstrcpy( string_sid, get_string_param( argv[i] ) );
228 if ( !string_sid[0] ) {
229 d_fprintf(stderr, _("must supply a SID\n"));
233 else if ( !StrnCaseCmp(argv[i], "comment", strlen("comment")) ) {
234 fstrcpy( ntcomment, get_string_param( argv[i] ) );
235 if ( !ntcomment[0] ) {
237 _("must supply a comment string\n"));
241 else if ( !StrnCaseCmp(argv[i], "type", strlen("type")) ) {
242 fstrcpy( type, get_string_param( argv[i] ) );
246 sid_type = SID_NAME_WKN_GRP;
247 name_type = "wellknown group";
251 sid_type = SID_NAME_DOM_GRP;
252 name_type = "domain group";
256 sid_type = SID_NAME_ALIAS;
257 name_type = "alias (local) group";
261 _("unknown group type %s\n"),
267 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
273 d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
277 if ( (gid = nametogid(unixgrp)) == (gid_t)-1 ) {
278 d_fprintf(stderr, _("Can't lookup UNIX group %s\n"), unixgrp);
283 if (pdb_getgrgid(&map, gid)) {
284 d_printf(_("Unix group %s already mapped to SID %s\n"),
285 unixgrp, sid_string_tos(&map.sid));
290 if ( (rid == 0) && (string_sid[0] == '\0') ) {
291 d_printf(_("No rid or sid specified, choosing a RID\n"));
292 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
293 if (!pdb_new_rid(&rid)) {
294 d_printf(_("Could not get new RID\n"));
297 rid = algorithmic_pdb_gid_to_group_rid(gid);
299 d_printf(_("Got RID %d\n"), rid);
302 /* append the rid to our own domain/machine SID if we don't have a full SID */
303 if ( !string_sid[0] ) {
304 sid_compose(&sid, get_global_sam_sid(), rid);
305 sid_to_fstring(string_sid, &sid);
310 case SID_NAME_WKN_GRP:
311 fstrcpy(ntcomment, "Wellknown Unix group");
313 case SID_NAME_DOM_GRP:
314 fstrcpy(ntcomment, "Domain Unix group");
317 fstrcpy(ntcomment, "Local Unix group");
320 fstrcpy(ntcomment, "Unix group");
326 fstrcpy( ntgroup, unixgrp );
328 if (!NT_STATUS_IS_OK(add_initial_entry(gid, string_sid, sid_type, ntgroup, ntcomment))) {
329 d_fprintf(stderr, _("adding entry for group %s failed!\n"), ntgroup);
333 d_printf(_("Successfully added group %s to the mapping db as a %s\n"),
338 static int net_groupmap_modify(struct net_context *c, int argc, const char **argv)
342 fstring ntcomment = "";
344 fstring ntgroup = "";
345 fstring unixgrp = "";
346 fstring sid_string = "";
347 enum lsa_SidType sid_type = SID_NAME_UNKNOWN;
350 const char modify_usage_str[] = N_("net groupmap modify "
351 "{ntgroup=<string>|sid=<SID>} "
352 "[comment=<string>] "
353 "[unixgroup=<string>] "
354 "[type=<domain|local>]");
356 if (c->display_usage) {
357 d_printf("%s\n%s\n", _("Usage:\n"), modify_usage_str);
361 /* get the options */
362 for ( i=0; i<argc; i++ ) {
363 if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
364 fstrcpy( ntgroup, get_string_param( argv[i] ) );
366 d_fprintf(stderr, _("must supply a name\n"));
370 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
371 fstrcpy( sid_string, get_string_param( argv[i] ) );
372 if ( !sid_string[0] ) {
373 d_fprintf(stderr, _("must supply a name\n"));
377 else if ( !StrnCaseCmp(argv[i], "comment", strlen("comment")) ) {
378 fstrcpy( ntcomment, get_string_param( argv[i] ) );
379 if ( !ntcomment[0] ) {
381 _("must supply a comment string\n"));
385 else if ( !StrnCaseCmp(argv[i], "unixgroup", strlen("unixgroup")) ) {
386 fstrcpy( unixgrp, get_string_param( argv[i] ) );
389 _("must supply a group name\n"));
393 else if ( !StrnCaseCmp(argv[i], "type", strlen("type")) ) {
394 fstrcpy( type, get_string_param( argv[i] ) );
398 sid_type = SID_NAME_DOM_GRP;
402 sid_type = SID_NAME_ALIAS;
407 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
412 if ( !ntgroup[0] && !sid_string[0] ) {
413 d_printf("%s\n%s\n", _("Usage:\n"), modify_usage_str);
417 /* give preference to the SID; if both the ntgroup name and SID
418 are defined, use the SID and assume that the group name could be a
421 if ( sid_string[0] ) {
422 if (!get_sid_from_input(&sid, sid_string)) {
427 if (!get_sid_from_input(&sid, ntgroup)) {
432 /* Get the current mapping from the database */
433 if(!pdb_getgrsid(&map, sid)) {
435 _("Failed to find local group SID in the database\n"));
440 * Allow changing of group type only between domain and local
441 * We disallow changing Builtin groups !!! (SID problem)
443 if (sid_type == SID_NAME_UNKNOWN) {
444 d_fprintf(stderr, _("Can't map to an unknown group type.\n"));
448 if (map.sid_name_use == SID_NAME_WKN_GRP) {
450 _("You can only change between domain and local "
455 map.sid_name_use=sid_type;
457 /* Change comment if new one */
459 fstrcpy( map.comment, ntcomment );
462 fstrcpy( map.nt_name, ntgroup );
465 gid = nametogid( unixgrp );
467 d_fprintf(stderr, _("Unable to lookup UNIX group %s. "
468 "Make sure the group exists.\n"),
476 if ( !NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map)) ) {
477 d_fprintf(stderr, _("Could not update group database\n"));
481 d_printf(_("Updated mapping entry for %s\n"), map.nt_name);
486 static int net_groupmap_delete(struct net_context *c, int argc, const char **argv)
489 fstring ntgroup = "";
490 fstring sid_string = "";
492 const char delete_usage_str[] = N_("net groupmap delete "
493 "{ntgroup=<string>|sid=<SID>}");
495 if (c->display_usage) {
496 d_printf("%s\n%s\n", _("Usage:\n"), delete_usage_str);
500 /* get the options */
501 for ( i=0; i<argc; i++ ) {
502 if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) {
503 fstrcpy( ntgroup, get_string_param( argv[i] ) );
505 d_fprintf(stderr, _("must supply a name\n"));
509 else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) {
510 fstrcpy( sid_string, get_string_param( argv[i] ) );
511 if ( !sid_string[0] ) {
512 d_fprintf(stderr, _("must supply a SID\n"));
517 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
522 if ( !ntgroup[0] && !sid_string[0]) {
523 d_printf("%s\n%s\n", _("Usage:\n"), delete_usage_str);
527 /* give preference to the SID if we have that */
530 fstrcpy( ntgroup, sid_string );
532 if ( !get_sid_from_input(&sid, ntgroup) ) {
533 d_fprintf(stderr, _("Unable to resolve group %s to a SID\n"),
538 if ( !NT_STATUS_IS_OK(pdb_delete_group_mapping_entry(sid)) ) {
540 _("Failed to remove group %s from the mapping db!\n"),
545 d_printf(_("Sucessfully removed %s from the mapping db\n"), ntgroup);
550 static int net_groupmap_set(struct net_context *c, int argc, const char **argv)
552 const char *ntgroup = NULL;
553 struct group *grp = NULL;
555 bool have_map = false;
557 if ((argc < 1) || (argc > 2) || c->display_usage) {
560 _(" net groupmap set \"NT Group\" "
561 "[\"unix group\"] [-C \"comment\"] [-L] [-D]\n"));
565 if ( c->opt_localgroup && c->opt_domaingroup ) {
566 d_printf(_("Can only specify -L or -D, not both\n"));
573 grp = getgrnam(argv[1]);
576 d_fprintf(stderr, _("Could not find unix group %s\n"),
582 have_map = pdb_getgrnam(&map, ntgroup);
586 have_map = ( (strncmp(ntgroup, "S-", 2) == 0) &&
587 string_to_sid(&sid, ntgroup) &&
588 pdb_getgrsid(&map, sid) );
597 _("Could not find group mapping for %s\n"),
602 map.gid = grp->gr_gid;
604 if (c->opt_rid == 0) {
605 if ( pdb_capabilities() & PDB_CAP_STORE_RIDS ) {
606 if ( !pdb_new_rid((uint32*)&c->opt_rid) ) {
608 _("Could not allocate new RID\n"));
612 c->opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid);
616 sid_compose(&map.sid, get_global_sam_sid(), c->opt_rid);
618 map.sid_name_use = SID_NAME_DOM_GRP;
619 fstrcpy(map.nt_name, ntgroup);
620 fstrcpy(map.comment, "");
622 if (!NT_STATUS_IS_OK(pdb_add_group_mapping_entry(&map))) {
624 _("Could not add mapping entry for %s\n"),
630 /* Now we have a mapping entry, update that stuff */
632 if ( c->opt_localgroup || c->opt_domaingroup ) {
633 if (map.sid_name_use == SID_NAME_WKN_GRP) {
635 _("Can't change type of the BUILTIN "
642 if (c->opt_localgroup)
643 map.sid_name_use = SID_NAME_ALIAS;
645 if (c->opt_domaingroup)
646 map.sid_name_use = SID_NAME_DOM_GRP;
648 /* The case (opt_domaingroup && opt_localgroup) was tested for above */
650 if ((c->opt_comment != NULL) && (strlen(c->opt_comment) > 0)) {
651 fstrcpy(map.comment, c->opt_comment);
654 if ((c->opt_newntname != NULL) && (strlen(c->opt_newntname) > 0)) {
655 fstrcpy(map.nt_name, c->opt_newntname);
659 map.gid = grp->gr_gid;
661 if (!NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map))) {
662 d_fprintf(stderr, _("Could not update group mapping for %s\n"),
670 static int net_groupmap_cleanup(struct net_context *c, int argc, const char **argv)
672 GROUP_MAP *map = NULL;
675 if (c->display_usage) {
677 "net groupmap cleanup\n"
680 _("Delete all group mappings"));
684 if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries,
686 d_fprintf(stderr, _("Could not list group mappings\n"));
690 for (i=0; i<entries; i++) {
692 if (map[i].gid == -1)
693 printf(_("Group %s is not mapped\n"), map[i].nt_name);
695 if (!sid_check_is_in_our_domain(&map[i].sid)) {
696 printf(_("Deleting mapping for NT Group %s, sid %s\n"),
698 sid_string_tos(&map[i].sid));
699 pdb_delete_group_mapping_entry(map[i].sid);
708 static int net_groupmap_addmem(struct net_context *c, int argc, const char **argv)
710 struct dom_sid alias, member;
714 !string_to_sid(&alias, argv[0]) ||
715 !string_to_sid(&member, argv[1]) ) {
718 _("net groupmap addmem alias-sid member-sid\n"));
722 if (!NT_STATUS_IS_OK(pdb_add_aliasmem(&alias, &member))) {
723 d_fprintf(stderr, _("Could not add sid %s to alias %s\n"),
731 static int net_groupmap_delmem(struct net_context *c, int argc, const char **argv)
733 struct dom_sid alias, member;
737 !string_to_sid(&alias, argv[0]) ||
738 !string_to_sid(&member, argv[1]) ) {
741 _("net groupmap delmem alias-sid member-sid\n"));
745 if (!NT_STATUS_IS_OK(pdb_del_aliasmem(&alias, &member))) {
746 d_fprintf(stderr, _("Could not delete sid %s from alias %s\n"),
754 static int net_groupmap_listmem(struct net_context *c, int argc, const char **argv)
756 struct dom_sid alias;
757 struct dom_sid *members;
762 !string_to_sid(&alias, argv[0]) ) {
765 _("net groupmap listmem alias-sid\n"));
772 if (!NT_STATUS_IS_OK(pdb_enum_aliasmem(&alias, talloc_tos(),
774 d_fprintf(stderr, _("Could not list members for sid %s\n"),
779 for (i = 0; i < num; i++) {
780 printf("%s\n", sid_string_tos(&(members[i])));
783 TALLOC_FREE(members);
788 static bool print_alias_memberships(TALLOC_CTX *mem_ctx,
789 const struct dom_sid *domain_sid,
790 const struct dom_sid *member)
793 size_t i, num_alias_rids;
798 if (!NT_STATUS_IS_OK(pdb_enum_alias_memberships(
799 mem_ctx, domain_sid, member, 1,
800 &alias_rids, &num_alias_rids))) {
801 d_fprintf(stderr, _("Could not list memberships for sid %s\n"),
802 sid_string_tos(member));
806 for (i = 0; i < num_alias_rids; i++) {
807 struct dom_sid alias;
808 sid_compose(&alias, domain_sid, alias_rids[i]);
809 printf("%s\n", sid_string_tos(&alias));
815 static int net_groupmap_memberships(struct net_context *c, int argc, const char **argv)
818 struct dom_sid *domain_sid, member;
822 !string_to_sid(&member, argv[0]) ) {
825 _("net groupmap memberof sid\n"));
829 mem_ctx = talloc_init("net_groupmap_memberships");
830 if (mem_ctx == NULL) {
831 d_fprintf(stderr, _("talloc_init failed\n"));
835 domain_sid = get_global_sam_sid();
836 if (domain_sid == NULL) {
837 d_fprintf(stderr, _("Could not get domain sid\n"));
841 if (!print_alias_memberships(mem_ctx, domain_sid, &member) ||
842 !print_alias_memberships(mem_ctx, &global_sid_Builtin, &member))
845 talloc_destroy(mem_ctx);
850 /***********************************************************
851 migrated functionality from smbgroupedit
852 **********************************************************/
853 int net_groupmap(struct net_context *c, int argc, const char **argv)
855 struct functable func[] = {
860 N_("Create a new group mapping"),
861 N_("net groupmap add\n"
862 " Create a new group mapping")
868 N_("Update a group mapping"),
869 N_("net groupmap modify\n"
870 " Modify an existing group mapping")
876 N_("Remove a group mapping"),
877 N_("net groupmap delete\n"
878 " Remove a group mapping")
884 N_("Set group mapping"),
885 N_("net groupmap set\n"
886 " Set a group mapping")
890 net_groupmap_cleanup,
892 N_("Remove foreign group mapping entries"),
893 N_("net groupmap cleanup\n"
894 " Remove foreign group mapping entries")
900 N_("Add a foreign alias member"),
901 N_("net groupmap addmem\n"
902 " Add a foreign alias member")
908 N_("Delete foreign alias member"),
909 N_("net groupmap delmem\n"
910 " Delete foreign alias member")
914 net_groupmap_listmem,
916 N_("List foreign group members"),
917 N_("net groupmap listmem\n"
918 " List foreign alias members")
922 net_groupmap_memberships,
924 N_("List foreign group memberships"),
925 N_("net groupmap memberships\n"
926 " List foreign group memberships")
932 N_("List current group map"),
933 N_("net groupmap list\n"
934 " List current group map")
936 {NULL, NULL, 0, NULL, NULL}
939 return net_run_function(c,argc, argv, "net groupmap", func);