2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-2000,
6 * Copyright (C) Jean François Micouleau 1998-2001.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 extern DOM_SID global_sam_sid;
27 static TDB_CONTEXT *tdb; /* used for driver files */
29 #define DATABASE_VERSION 1
30 #define GROUP_PREFIX "UNIXGROUP/"
33 {SE_PRIV_NONE, "no_privs", "No privilege" }, /* this one MUST be first */
34 {SE_PRIV_ADD_MACHINES, "SeMachineAccountPrivilege", "Add workstations to the domain" },
35 {SE_PRIV_SEC_PRIV, "SeSecurityPrivilege", "Manage the audit logs" },
36 {SE_PRIV_TAKE_OWNER, "SeTakeOwnershipPrivilege", "Take ownership of file" },
37 {SE_PRIV_ADD_USERS, "SaAddUsers", "Add users to the domain - Samba" },
38 {SE_PRIV_PRINT_OPERATOR, "SaPrintOp", "Add or remove printers - Samba" },
39 {SE_PRIV_ALL, "SaAllPrivs", "all privileges" }
43 { 2, "SeCreateTokenPrivilege" },
44 { 3, "SeAssignPrimaryTokenPrivilege" },
45 { 4, "SeLockMemoryPrivilege" },
46 { 5, "SeIncreaseQuotaPrivilege" },
47 { 6, "SeMachineAccountPrivilege" },
48 { 7, "SeTcbPrivilege" },
49 { 8, "SeSecurityPrivilege" },
50 { 9, "SeTakeOwnershipPrivilege" },
51 { 10, "SeLoadDriverPrivilege" },
52 { 11, "SeSystemProfilePrivilege" },
53 { 12, "SeSystemtimePrivilege" },
54 { 13, "SeProfileSingleProcessPrivilege" },
55 { 14, "SeIncreaseBasePriorityPrivilege" },
56 { 15, "SeCreatePagefilePrivilege" },
57 { 16, "SeCreatePermanentPrivilege" },
58 { 17, "SeBackupPrivilege" },
59 { 18, "SeRestorePrivilege" },
60 { 19, "SeShutdownPrivilege" },
61 { 20, "SeDebugPrivilege" },
62 { 21, "SeAuditPrivilege" },
63 { 22, "SeSystemEnvironmentPrivilege" },
64 { 23, "SeChangeNotifyPrivilege" },
65 { 24, "SeRemoteShutdownPrivilege" },
66 { 25, "SeUndockPrivilege" },
67 { 26, "SeSyncAgentPrivilege" },
68 { 27, "SeEnableDelegationPrivilege" },
73 * Those are not really privileges like the other ones.
74 * They are handled in a special case and called
78 * SeUnsolicitedInputPrivilege
81 * SeInteractiveLogonRight
82 * SeDenyInteractiveLogonRight
83 * SeDenyNetworkLogonRight
84 * SeDenyBatchLogonRight
85 * SeDenyBatchLogonRight
89 /****************************************************************************
90 check if the user has the required privilege.
91 ****************************************************************************/
92 static BOOL se_priv_access_check(NT_USER_TOKEN *token, uint32 privilege)
94 /* no token, no privilege */
98 if ((token->privilege & privilege)==privilege)
105 /****************************************************************************
106 dump the mapping group mapping to a text file
107 ****************************************************************************/
108 char *decode_sid_name_use(fstring group, enum SID_NAME_USE name_use)
110 static fstring group_type;
114 fstrcpy(group_type,"User");
116 case SID_NAME_DOM_GRP:
117 fstrcpy(group_type,"Domain group");
119 case SID_NAME_DOMAIN:
120 fstrcpy(group_type,"Domain");
123 fstrcpy(group_type,"Local group");
125 case SID_NAME_WKN_GRP:
126 fstrcpy(group_type,"Builtin group");
128 case SID_NAME_DELETED:
129 fstrcpy(group_type,"Deleted");
131 case SID_NAME_INVALID:
132 fstrcpy(group_type,"Invalid");
134 case SID_NAME_UNKNOWN:
136 fstrcpy(group_type,"Unknown type");
140 fstrcpy(group, group_type);
144 /****************************************************************************
145 open the group mapping tdb
146 ****************************************************************************/
147 BOOL init_group_mapping(void)
149 static pid_t local_pid;
150 char *vstring = "INFO/version";
152 if (tdb && local_pid == sys_getpid()) return True;
153 tdb = tdb_open_log(lock_path("group_mapping.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
155 DEBUG(0,("Failed to open group mapping database\n"));
159 local_pid = sys_getpid();
161 /* handle a Samba upgrade */
162 tdb_lock_bystring(tdb, vstring);
163 if (tdb_fetch_int(tdb, vstring) != DATABASE_VERSION) {
164 tdb_traverse(tdb, (tdb_traverse_func)tdb_delete, NULL);
165 tdb_store_int(tdb, vstring, DATABASE_VERSION);
167 tdb_unlock_bystring(tdb, vstring);
173 /****************************************************************************
174 ****************************************************************************/
175 BOOL add_mapping_entry(GROUP_MAP *map, int flag)
179 fstring string_sid="";
184 sid_to_string(string_sid, &map->sid);
186 len = tdb_pack(buf, sizeof(buf), "ddffd",
187 map->gid, map->sid_name_use, map->nt_name, map->comment, map->systemaccount);
189 /* write the privilege list in the TDB database */
192 len += tdb_pack(buf+len, sizeof(buf)-len, "d", set->count);
193 for (i=0; i<set->count; i++)
194 len += tdb_pack(buf+len, sizeof(buf)-len, "ddd",
195 set->set[i].luid.low, set->set[i].luid.high, set->set[i].attr);
197 if (len > sizeof(buf))
200 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
202 kbuf.dsize = strlen(key)+1;
206 if (tdb_store(tdb, kbuf, dbuf, flag) != 0) return False;
211 /****************************************************************************
212 initialise first time the mapping list
213 ****************************************************************************/
214 BOOL add_initial_entry(gid_t gid, fstring sid, enum SID_NAME_USE sid_name_use,
215 fstring nt_name, fstring comment, PRIVILEGE_SET priv_set, uint32 systemaccount)
220 string_to_sid(&map.sid, sid);
221 map.sid_name_use=sid_name_use;
222 fstrcpy(map.nt_name, nt_name);
223 fstrcpy(map.comment, comment);
224 map.systemaccount=systemaccount;
226 map.priv_set.count=priv_set.count;
227 map.priv_set.set=priv_set.set;
229 add_mapping_entry(&map, TDB_INSERT);
234 /****************************************************************************
235 initialise a privilege list
236 ****************************************************************************/
237 void init_privilege(PRIVILEGE_SET *priv_set)
244 /****************************************************************************
245 free a privilege list
246 ****************************************************************************/
247 BOOL free_privilege(PRIVILEGE_SET *priv_set)
249 if (priv_set->count==0) {
250 DEBUG(10,("free_privilege: count=0, nothing to clear ?\n"));
254 if (priv_set->set==NULL) {
255 DEBUG(0,("free_privilege: list ptr is NULL, very strange !\n"));
259 safe_free(priv_set->set);
267 /****************************************************************************
268 add a privilege to a privilege array
269 ****************************************************************************/
270 BOOL add_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set)
274 /* check if the privilege is not already in the list */
275 if (check_priv_in_privilege(priv_set, set))
278 /* we can allocate memory to add the new privilege */
280 new_set=(LUID_ATTR *)Realloc(priv_set->set, (priv_set->count+1)*(sizeof(LUID_ATTR)));
282 DEBUG(0,("add_privilege: could not Realloc memory to add a new privilege\n"));
286 new_set[priv_set->count].luid.high=set.luid.high;
287 new_set[priv_set->count].luid.low=set.luid.low;
288 new_set[priv_set->count].attr=set.attr;
291 priv_set->set=new_set;
296 /****************************************************************************
297 add all the privileges to a privilege array
298 ****************************************************************************/
299 BOOL add_all_privilege(PRIVILEGE_SET *priv_set)
306 set.luid.low=SE_PRIV_ADD_USERS;
307 add_privilege(priv_set, set);
309 set.luid.low=SE_PRIV_ADD_MACHINES;
310 add_privilege(priv_set, set);
312 set.luid.low=SE_PRIV_PRINT_OPERATOR;
313 add_privilege(priv_set, set);
318 /****************************************************************************
319 check if the privilege list is empty
320 ****************************************************************************/
321 BOOL check_empty_privilege(PRIVILEGE_SET *priv_set)
324 if (priv_set->count!=0)
330 /****************************************************************************
331 check if the privilege is in the privilege list
332 ****************************************************************************/
333 BOOL check_priv_in_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set)
337 /* if the list is empty, obviously we can't have it */
338 if (check_empty_privilege(priv_set))
341 for (i=0; i<priv_set->count; i++) {
344 cur_set=&priv_set->set[i];
345 /* check only the low and high part. Checking the attr field has no meaning */
346 if( (cur_set->luid.low==set.luid.low) && (cur_set->luid.high==set.luid.high) )
353 /****************************************************************************
354 remove a privilege to a privilege array
355 ****************************************************************************/
356 BOOL remove_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set)
362 /* check if the privilege is in the list */
363 if (!check_priv_in_privilege(priv_set, set))
366 /* special case if it's the only privilege in the list */
367 if (priv_set->count==1) {
368 free_privilege(priv_set);
369 init_privilege(priv_set);
375 * the privilege is there, create a new list,
376 * and copy the other privileges
379 old_set=priv_set->set;
381 new_set=(LUID_ATTR *)malloc((priv_set->count-1)*(sizeof(LUID_ATTR)));
383 DEBUG(0,("remove_privilege: could not malloc memory for new privilege list\n"));
387 for (i=0, j=0; i<priv_set->count; i++) {
388 if ((old_set[i].luid.low==set.luid.low) &&
389 (old_set[i].luid.high==set.luid.high)) {
393 new_set[j].luid.low=old_set[i].luid.low;
394 new_set[j].luid.high=old_set[i].luid.high;
395 new_set[j].attr=old_set[i].attr;
400 if (j!=priv_set->count-1) {
401 DEBUG(0,("remove_privilege: mismatch ! difference is not -1\n"));
402 DEBUGADD(0,("old count:%d, new count:%d\n", priv_set->count, j));
407 /* ok everything is fine */
410 priv_set->set=new_set;
417 /****************************************************************************
418 initialise first time the mapping list
419 ****************************************************************************/
420 BOOL default_group_mapping(void)
430 PRIVILEGE_SET privilege_none;
431 PRIVILEGE_SET privilege_all;
432 PRIVILEGE_SET privilege_print_op;
434 init_privilege(&privilege_none);
435 init_privilege(&privilege_all);
436 init_privilege(&privilege_print_op);
440 set.luid.low=SE_PRIV_PRINT_OPERATOR;
441 add_privilege(&privilege_print_op, set);
443 add_all_privilege(&privilege_all);
445 /* Add the Wellknown groups */
447 add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
448 add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
449 add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK);
450 add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
452 add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
453 add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
454 add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", privilege_print_op, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
455 add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
457 add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", privilege_none, PR_ACCESS_FROM_NETWORK);
459 /* Add the defaults domain groups */
461 sid_copy(&sid_admins, &global_sam_sid);
462 sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS);
463 sid_to_string(str_admins, &sid_admins);
464 add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
466 sid_copy(&sid_users, &global_sam_sid);
467 sid_append_rid(&sid_users, DOMAIN_GROUP_RID_USERS);
468 sid_to_string(str_users, &sid_users);
469 add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
471 sid_copy(&sid_guests, &global_sam_sid);
472 sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS);
473 sid_to_string(str_guests, &sid_guests);
474 add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK);
480 /****************************************************************************
481 return the sid and the type of the unix group
482 ****************************************************************************/
483 BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
492 /* the key is the SID, retrieving is direct */
494 sid_to_string(string_sid, &sid);
495 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
498 kbuf.dsize = strlen(key)+1;
500 dbuf = tdb_fetch(tdb, kbuf);
501 if (!dbuf.dptr) return False;
503 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
504 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount);
508 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count);
510 DEBUG(10,("get_group_map_from_sid: %d privileges\n", map->priv_set.count));
512 set->set=(LUID_ATTR *)malloc(set->count*sizeof(LUID_ATTR));
513 if (set->set==NULL) {
514 DEBUG(0,("get_group_map_from_sid: could not allocate memory for privileges\n"));
518 for (i=0; i<set->count; i++)
519 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd",
520 &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr));
522 SAFE_FREE(dbuf.dptr);
523 if (ret != dbuf.dsize) {
524 DEBUG(0,("get_group_map_from_sid: group mapping TDB corrupted ?\n"));
529 sid_copy(&map->sid, &sid);
535 /****************************************************************************
536 return the sid and the type of the unix group
537 ****************************************************************************/
538 BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map)
540 TDB_DATA kbuf, dbuf, newkey;
546 /* we need to enumerate the TDB to find the GID */
548 for (kbuf = tdb_firstkey(tdb);
550 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
552 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue;
554 dbuf = tdb_fetch(tdb, kbuf);
555 if (!dbuf.dptr) continue;
557 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
559 string_to_sid(&map->sid, string_sid);
561 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
562 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount);
565 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count);
567 set->set=(LUID_ATTR *)malloc(set->count*sizeof(LUID_ATTR));
568 if (set->set==NULL) {
569 DEBUG(0,("get_group_map_from_sid: could not allocate memory for privileges\n"));
573 for (i=0; i<set->count; i++)
574 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd",
575 &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr));
577 SAFE_FREE(dbuf.dptr);
578 if (ret != dbuf.dsize){
592 /****************************************************************************
593 return the sid and the type of the unix group
594 ****************************************************************************/
595 BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map)
597 TDB_DATA kbuf, dbuf, newkey;
603 /* we need to enumerate the TDB to find the name */
605 for (kbuf = tdb_firstkey(tdb);
607 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
609 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue;
611 dbuf = tdb_fetch(tdb, kbuf);
612 if (!dbuf.dptr) continue;
614 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
616 string_to_sid(&map->sid, string_sid);
618 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
619 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount);
622 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count);
624 set->set=(LUID_ATTR *)malloc(set->count*sizeof(LUID_ATTR));
625 if (set->set==NULL) {
626 DEBUG(0,("get_group_map_from_sid: could not allocate memory for privileges\n"));
630 for (i=0; i<set->count; i++)
631 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd",
632 &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr));
634 SAFE_FREE(dbuf.dptr);
635 if (ret != dbuf.dsize) {
640 if (StrCaseCmp(name, map->nt_name)==0)
649 /****************************************************************************
650 remove a group mapping entry
651 ****************************************************************************/
652 BOOL group_map_remove(DOM_SID sid)
658 /* the key is the SID, retrieving is direct */
660 sid_to_string(string_sid, &sid);
661 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
664 kbuf.dsize = strlen(key)+1;
666 dbuf = tdb_fetch(tdb, kbuf);
667 if (!dbuf.dptr) return False;
669 SAFE_FREE(dbuf.dptr);
671 if(tdb_delete(tdb, kbuf) != TDB_SUCCESS)
678 /****************************************************************************
679 enumerate the group mapping
680 ****************************************************************************/
681 BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
682 int *num_entries, BOOL unix_only)
684 TDB_DATA kbuf, dbuf, newkey;
697 for (kbuf = tdb_firstkey(tdb);
699 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
701 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0)
704 dbuf = tdb_fetch(tdb, kbuf);
708 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
710 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
711 &map.gid, &map.sid_name_use, &map.nt_name, &map.comment, &map.systemaccount);
716 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count);
719 set->set=(LUID_ATTR *)malloc(set->count*sizeof(LUID_ATTR));
720 if (set->set==NULL) {
721 DEBUG(0,("enum_group_mapping: could not allocate memory for privileges\n"));
726 for (i=0; i<set->count; i++)
727 ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd",
728 &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr));
730 SAFE_FREE(dbuf.dptr);
731 if (ret != dbuf.dsize) {
736 /* list only the type or everything if UNKNOWN */
737 if (sid_name_use!=SID_NAME_UNKNOWN && sid_name_use!=map.sid_name_use) {
742 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
747 string_to_sid(&map.sid, string_sid);
749 decode_sid_name_use(group_type, map.sid_name_use);
751 mapt=(GROUP_MAP *)Realloc((*rmap), (entries+1)*sizeof(GROUP_MAP));
753 DEBUG(0,("enum_group_mapping: Unable to enlarge group map!\n"));
761 mapt[entries].gid = map.gid;
762 sid_copy( &mapt[entries].sid, &map.sid);
763 mapt[entries].sid_name_use = map.sid_name_use;
764 fstrcpy(mapt[entries].nt_name, map.nt_name);
765 fstrcpy(mapt[entries].comment, map.comment);
766 mapt[entries].systemaccount=map.systemaccount;
767 mapt[entries].priv_set.count=set->count;
768 mapt[entries].priv_set.control=set->control;
769 mapt[entries].priv_set.set=set->set;
774 *num_entries=entries;
779 /****************************************************************************
780 convert a privilege string to a privilege array
781 ****************************************************************************/
782 void convert_priv_from_text(PRIVILEGE_SET *se_priv, char *privilege)
789 /* By default no privilege */
790 init_privilege(se_priv);
795 while(next_token(&p, tok, " ", sizeof(tok)) ) {
796 for (i=0; i<=PRIV_ALL_INDEX; i++) {
797 if (StrCaseCmp(privs[i].priv, tok)==0) {
800 set.luid.low=privs[i].se_priv;
801 add_privilege(se_priv, set);
807 /****************************************************************************
808 convert a privilege array to a privilege string
809 ****************************************************************************/
810 void convert_priv_to_text(PRIVILEGE_SET *se_priv, char *privilege)
817 ZERO_STRUCTP(privilege);
819 if (check_empty_privilege(se_priv)) {
820 fstrcat(privilege, "No privilege");
824 for(i=0; i<se_priv->count; i++) {
826 while (privs[j].se_priv!=se_priv->set[i].luid.low && j<=PRIV_ALL_INDEX) {
830 fstrcat(privilege, privs[j].priv);
831 fstrcat(privilege, " ");
838 * High level functions
839 * better to use them than the lower ones.
841 * we are checking if the group is in the mapping file
842 * and if the group is an existing unix group
846 /* get a domain group from it's SID */
848 BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map)
852 DEBUG(10, ("get_domain_group_from_sid\n"));
854 /* if the group is NOT in the database, it CAN NOT be a domain group */
855 if(!get_group_map_from_sid(sid, map))
858 DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n"));
860 /* if it's not a domain group, continue */
861 if (map->sid_name_use!=SID_NAME_DOM_GRP)
864 DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n"));
869 DEBUG(10, ("get_domain_group_from_sid: SID is mapped to gid:%d\n",map->gid));
871 if ( (grp=getgrgid(map->gid)) == NULL)
874 DEBUG(10, ("get_domain_group_from_sid: gid exists in UNIX security\n"));
880 /* get a local (alias) group from it's SID */
882 BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map)
886 /* The group is in the mapping table */
887 if(get_group_map_from_sid(sid, map)) {
888 if (map->sid_name_use!=SID_NAME_ALIAS)
894 if ( (grp=getgrgid(map->gid)) == NULL)
897 /* the group isn't in the mapping table.
898 * make one based on the unix information */
901 sid_peek_rid(&sid, &alias_rid);
902 map->gid=pdb_user_rid_to_gid(alias_rid);
904 if ((grp=getgrgid(map->gid)) == NULL)
907 map->sid_name_use=SID_NAME_ALIAS;
908 map->systemaccount=PR_ACCESS_FROM_NETWORK;
910 fstrcpy(map->nt_name, grp->gr_name);
911 fstrcpy(map->comment, "Local Unix Group");
913 init_privilege(&map->priv_set);
915 sid_copy(&map->sid, &sid);
921 /* get a builtin group from it's SID */
923 BOOL get_builtin_group_from_sid(DOM_SID sid, GROUP_MAP *map)
927 if(!get_group_map_from_sid(sid, map))
930 if (map->sid_name_use!=SID_NAME_WKN_GRP)
936 if ( (grp=getgrgid(map->gid)) == NULL)
944 /****************************************************************************
945 Returns a GROUP_MAP struct based on the gid.
946 ****************************************************************************/
947 BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map)
951 if ( (grp=getgrgid(gid)) == NULL)
955 * make a group map from scratch if doesn't exist.
957 if (!get_group_map_from_gid(gid, map)) {
959 map->sid_name_use=SID_NAME_ALIAS;
960 map->systemaccount=PR_ACCESS_FROM_NETWORK;
961 init_privilege(&map->priv_set);
963 sid_copy(&map->sid, &global_sam_sid);
964 sid_append_rid(&map->sid, pdb_gid_to_group_rid(gid));
966 fstrcpy(map->nt_name, grp->gr_name);
967 fstrcpy(map->comment, "Local Unix Group");
976 /****************************************************************************
977 Get the member users of a group and
978 all the users who have that group as primary.
980 give back an array of uid
981 return the grand number of users
984 TODO: sort the list and remove duplicate. JFM.
986 ****************************************************************************/
988 BOOL get_uid_list_of_group(gid_t gid, uid_t **uid, int *num_uids)
999 if ( (grp=getgrgid(gid)) == NULL)
1002 gr = grp->gr_mem[0];
1003 DEBUG(10, ("getting members\n"));
1005 while (gr && (*gr != (char)'\0')) {
1006 u = Realloc((*uid), sizeof(uid_t)*(*num_uids+1));
1008 DEBUG(0,("get_uid_list_of_group: unable to enlarge uid list!\n"));
1013 if( (pwd=getpwnam(gr)) !=NULL) {
1014 (*uid)[*num_uids]=pwd->pw_uid;
1017 gr = grp->gr_mem[++i];
1019 DEBUG(10, ("got [%d] members\n", *num_uids));
1022 while ((pwd=getpwent()) != NULL) {
1023 if (pwd->pw_gid==gid) {
1024 u = Realloc((*uid), sizeof(uid_t)*(*num_uids+1));
1026 DEBUG(0,("get_uid_list_of_group: unable to enlarge uid list!\n"));
1030 (*uid)[*num_uids]=pwd->pw_uid;
1036 DEBUG(10, ("got primary groups, members: [%d]\n", *num_uids));
1041 /****************************************************************************
1042 Create a UNIX group on demand.
1043 ****************************************************************************/
1045 int smb_create_group(char *unix_group)
1050 pstrcpy(add_script, lp_addgroup_script());
1051 if (! *add_script) return -1;
1052 pstring_sub(add_script, "%g", unix_group);
1053 ret = smbrun(add_script,NULL);
1054 DEBUG(3,("smb_create_group: Running the command `%s' gave %d\n",add_script,ret));
1058 /****************************************************************************
1059 Delete a UNIX group on demand.
1060 ****************************************************************************/
1062 int smb_delete_group(char *unix_group)
1067 pstrcpy(del_script, lp_delgroup_script());
1068 if (! *del_script) return -1;
1069 pstring_sub(del_script, "%g", unix_group);
1070 ret = smbrun(del_script,NULL);
1071 DEBUG(3,("smb_delete_group: Running the command `%s' gave %d\n",del_script,ret));
1075 /****************************************************************************
1076 Create a UNIX group on demand.
1077 ****************************************************************************/
1079 int smb_add_user_group(char *unix_group, char *unix_user)
1084 pstrcpy(add_script, lp_addusertogroup_script());
1085 if (! *add_script) return -1;
1086 pstring_sub(add_script, "%g", unix_group);
1087 pstring_sub(add_script, "%u", unix_user);
1088 ret = smbrun(add_script,NULL);
1089 DEBUG(3,("smb_add_user_group: Running the command `%s' gave %d\n",add_script,ret));
1093 /****************************************************************************
1094 Delete a UNIX group on demand.
1095 ****************************************************************************/
1097 int smb_delete_user_group(char *unix_group, char *unix_user)
1102 pstrcpy(del_script, lp_deluserfromgroup_script());
1103 if (! *del_script) return -1;
1104 pstring_sub(del_script, "%g", unix_group);
1105 pstring_sub(del_script, "%u", unix_user);
1106 ret = smbrun(del_script,NULL);
1107 DEBUG(3,("smb_delete_user_group: Running the command `%s' gave %d\n",del_script,ret));