2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Gerald (Jerry) Carter 2003
6 Copyright (C) Volker Lendecke 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 /*****************************************************************
25 Dissect a user-provided name into domain, name, sid and type.
27 If an explicit domain name was given in the form domain\user, it
28 has to try that. If no explicit domain name was given, we have
30 *****************************************************************/
32 bool lookup_name(TALLOC_CTX *mem_ctx,
33 const char *full_name, int flags,
34 const char **ret_domain, const char **ret_name,
35 DOM_SID *ret_sid, enum lsa_SidType *ret_type)
39 const char *domain = NULL;
40 const char *name = NULL;
43 enum lsa_SidType type;
44 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
46 if (tmp_ctx == NULL) {
47 DEBUG(0, ("talloc_new failed\n"));
51 p = strchr_m(full_name, '\\');
54 domain = talloc_strndup(tmp_ctx, full_name,
55 PTR_DIFF(p, full_name));
56 name = talloc_strdup(tmp_ctx, p+1);
58 domain = talloc_strdup(tmp_ctx, "");
59 name = talloc_strdup(tmp_ctx, full_name);
62 if ((domain == NULL) || (name == NULL)) {
63 DEBUG(0, ("talloc failed\n"));
68 DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n",
69 full_name, domain, name));
70 DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
72 if ((flags & LOOKUP_NAME_DOMAIN) &&
73 strequal(domain, get_global_sam_name()))
76 /* It's our own domain, lookup the name in passdb */
77 if (lookup_global_sam_name(name, flags, &rid, &type)) {
78 sid_copy(&sid, get_global_sam_sid());
79 sid_append_rid(&sid, rid);
86 if ((flags & LOOKUP_NAME_BUILTIN) &&
87 strequal(domain, builtin_domain_name()))
89 if (strlen(name) == 0) {
90 /* Swap domain and name */
91 tmp = name; name = domain; domain = tmp;
92 sid_copy(&sid, &global_sid_Builtin);
93 type = SID_NAME_DOMAIN;
97 /* Explicit request for a name in BUILTIN */
98 if (lookup_builtin_name(name, &rid)) {
99 sid_copy(&sid, &global_sid_Builtin);
100 sid_append_rid(&sid, rid);
101 type = SID_NAME_ALIAS;
104 TALLOC_FREE(tmp_ctx);
108 /* Try the explicit winbind lookup first, don't let it guess the
109 * domain yet at this point yet. This comes later. */
111 if ((domain[0] != '\0') &&
112 (flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) &&
113 (winbind_lookup_name(domain, name, &sid, &type))) {
117 if (((flags & LOOKUP_NAME_NO_NSS) == 0)
118 && strequal(domain, unix_users_domain_name())) {
119 if (lookup_unix_user_name(name, &sid)) {
120 type = SID_NAME_USER;
123 TALLOC_FREE(tmp_ctx);
127 if (((flags & LOOKUP_NAME_NO_NSS) == 0)
128 && strequal(domain, unix_groups_domain_name())) {
129 if (lookup_unix_group_name(name, &sid)) {
130 type = SID_NAME_DOM_GRP;
133 TALLOC_FREE(tmp_ctx);
137 if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
138 TALLOC_FREE(tmp_ctx);
142 /* Now the guesswork begins, we haven't been given an explicit
143 * domain. Try the sequence as documented on
144 * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
145 * November 27, 2005 */
147 /* 1. well-known names */
149 if ((flags & LOOKUP_NAME_WKN) &&
150 lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
152 type = SID_NAME_WKN_GRP;
156 /* 2. Builtin domain as such */
158 if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) &&
159 strequal(name, builtin_domain_name()))
161 /* Swap domain and name */
162 tmp = name; name = domain; domain = tmp;
163 sid_copy(&sid, &global_sid_Builtin);
164 type = SID_NAME_DOMAIN;
168 /* 3. Account domain */
170 if ((flags & LOOKUP_NAME_DOMAIN) &&
171 strequal(name, get_global_sam_name()))
173 if (!secrets_fetch_domain_sid(name, &sid)) {
174 DEBUG(3, ("Could not fetch my SID\n"));
175 TALLOC_FREE(tmp_ctx);
178 /* Swap domain and name */
179 tmp = name; name = domain; domain = tmp;
180 type = SID_NAME_DOMAIN;
184 /* 4. Primary domain */
186 if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC &&
187 strequal(name, lp_workgroup()))
189 if (!secrets_fetch_domain_sid(name, &sid)) {
190 DEBUG(3, ("Could not fetch the domain SID\n"));
191 TALLOC_FREE(tmp_ctx);
194 /* Swap domain and name */
195 tmp = name; name = domain; domain = tmp;
196 type = SID_NAME_DOMAIN;
200 /* 5. Trusted domains as such, to me it looks as if members don't do
201 this, tested an XP workstation in a NT domain -- vl */
203 if ((flags & LOOKUP_NAME_REMOTE) && IS_DC &&
204 (pdb_get_trusteddom_pw(name, NULL, &sid, NULL)))
206 /* Swap domain and name */
207 tmp = name; name = domain; domain = tmp;
208 type = SID_NAME_DOMAIN;
212 /* 6. Builtin aliases */
214 if ((flags & LOOKUP_NAME_BUILTIN) &&
215 lookup_builtin_name(name, &rid))
217 domain = talloc_strdup(tmp_ctx, builtin_domain_name());
218 sid_copy(&sid, &global_sid_Builtin);
219 sid_append_rid(&sid, rid);
220 type = SID_NAME_ALIAS;
224 /* 7. Local systems' SAM (DCs don't have a local SAM) */
225 /* 8. Primary SAM (On members, this is the domain) */
227 /* Both cases are done by looking at our passdb */
229 if ((flags & LOOKUP_NAME_DOMAIN) &&
230 lookup_global_sam_name(name, flags, &rid, &type))
232 domain = talloc_strdup(tmp_ctx, get_global_sam_name());
233 sid_copy(&sid, get_global_sam_sid());
234 sid_append_rid(&sid, rid);
238 /* Now our local possibilities are exhausted. */
240 if (!(flags & LOOKUP_NAME_REMOTE)) {
241 TALLOC_FREE(tmp_ctx);
245 /* If we are not a DC, we have to ask in our primary domain. Let
246 * winbind do that. */
249 (winbind_lookup_name(lp_workgroup(), name, &sid, &type))) {
250 domain = talloc_strdup(tmp_ctx, lp_workgroup());
254 /* 9. Trusted domains */
256 /* If we're a DC we have to ask all trusted DC's. Winbind does not do
257 * that (yet), but give it a chance. */
259 if (IS_DC && winbind_lookup_name("", name, &sid, &type)) {
262 enum lsa_SidType domain_type;
264 if (type == SID_NAME_DOMAIN) {
265 /* Swap name and type */
266 tmp = name; name = domain; domain = tmp;
270 /* Here we have to cope with a little deficiency in the
271 * winbind API: We have to ask it again for the name of the
272 * domain it figured out itself. Maybe fix that later... */
274 sid_copy(&dom_sid, &sid);
275 sid_split_rid(&dom_sid, &tmp_rid);
277 if (!winbind_lookup_sid(tmp_ctx, &dom_sid, &domain, NULL,
279 (domain_type != SID_NAME_DOMAIN)) {
280 DEBUG(2, ("winbind could not find the domain's name "
281 "it just looked up for us\n"));
282 TALLOC_FREE(tmp_ctx);
288 /* 10. Don't translate */
290 /* 11. Ok, windows would end here. Samba has two more options:
291 Unmapped users and unmapped groups */
293 if (((flags & LOOKUP_NAME_NO_NSS) == 0)
294 && lookup_unix_user_name(name, &sid)) {
295 domain = talloc_strdup(tmp_ctx, unix_users_domain_name());
296 type = SID_NAME_USER;
300 if (((flags & LOOKUP_NAME_NO_NSS) == 0)
301 && lookup_unix_group_name(name, &sid)) {
302 domain = talloc_strdup(tmp_ctx, unix_groups_domain_name());
303 type = SID_NAME_DOM_GRP;
308 * Ok, all possibilities tried. Fail.
311 TALLOC_FREE(tmp_ctx);
315 if ((domain == NULL) || (name == NULL)) {
316 DEBUG(0, ("talloc failed\n"));
317 TALLOC_FREE(tmp_ctx);
322 * Hand over the results to the talloc context we've been given.
325 if ((ret_name != NULL) &&
326 !(*ret_name = talloc_strdup(mem_ctx, name))) {
327 DEBUG(0, ("talloc failed\n"));
328 TALLOC_FREE(tmp_ctx);
332 if (ret_domain != NULL) {
334 if (!(tmp_dom = talloc_strdup(mem_ctx, domain))) {
335 DEBUG(0, ("talloc failed\n"));
336 TALLOC_FREE(tmp_ctx);
340 *ret_domain = tmp_dom;
343 if (ret_sid != NULL) {
344 sid_copy(ret_sid, &sid);
347 if (ret_type != NULL) {
351 TALLOC_FREE(tmp_ctx);
355 /************************************************************************
356 Names from smb.conf can be unqualified. eg. valid users = foo
357 These names should never map to a remote name. Try global_sam_name()\foo,
358 and then "Unix Users"\foo (or "Unix Groups"\foo).
359 ************************************************************************/
361 bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
362 const char *full_name, int flags,
363 const char **ret_domain, const char **ret_name,
364 DOM_SID *ret_sid, enum lsa_SidType *ret_type)
366 char *qualified_name;
369 /* NB. No winbindd_separator here as lookup_name needs \\' */
370 if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
372 /* The name is already qualified with a domain. */
374 if (*lp_winbind_separator() != '\\') {
377 /* lookup_name() needs '\\' as a separator */
379 tmp = talloc_strdup(mem_ctx, full_name);
383 tmp[p - full_name] = '\\';
387 return lookup_name(mem_ctx, full_name, flags,
388 ret_domain, ret_name,
392 /* Try with our own SAM name. */
393 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
394 get_global_sam_name(),
396 if (!qualified_name) {
400 if (lookup_name(mem_ctx, qualified_name, flags,
401 ret_domain, ret_name,
402 ret_sid, ret_type)) {
406 /* Finally try with "Unix Users" or "Unix Group" */
407 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
408 flags & LOOKUP_NAME_GROUP ?
409 unix_groups_domain_name() :
410 unix_users_domain_name(),
412 if (!qualified_name) {
416 return lookup_name(mem_ctx, qualified_name, flags,
417 ret_domain, ret_name,
421 static bool wb_lookup_rids(TALLOC_CTX *mem_ctx,
422 const DOM_SID *domain_sid,
423 int num_rids, uint32 *rids,
424 const char **domain_name,
425 const char **names, enum lsa_SidType *types)
428 const char **my_names;
429 enum lsa_SidType *my_types;
432 if (!(tmp_ctx = talloc_init("wb_lookup_rids"))) {
436 if (!winbind_lookup_rids(tmp_ctx, domain_sid, num_rids, rids,
437 domain_name, &my_names, &my_types)) {
439 for (i=0; i<num_rids; i++) {
441 types[i] = SID_NAME_UNKNOWN;
443 TALLOC_FREE(tmp_ctx);
447 if (!(*domain_name = talloc_strdup(mem_ctx, *domain_name))) {
448 TALLOC_FREE(tmp_ctx);
453 * winbind_lookup_rids allocates its own array. We've been given the
454 * array, so copy it over
457 for (i=0; i<num_rids; i++) {
458 if (my_names[i] == NULL) {
459 TALLOC_FREE(tmp_ctx);
462 if (!(names[i] = talloc_strdup(names, my_names[i]))) {
463 TALLOC_FREE(tmp_ctx);
466 types[i] = my_types[i];
468 TALLOC_FREE(tmp_ctx);
472 static bool lookup_rids(TALLOC_CTX *mem_ctx, const DOM_SID *domain_sid,
473 int num_rids, uint32_t *rids,
474 const char **domain_name,
475 const char ***names, enum lsa_SidType **types)
479 DEBUG(10, ("lookup_rids called for domain sid '%s'\n",
480 sid_string_dbg(domain_sid)));
483 *names = TALLOC_ZERO_ARRAY(mem_ctx, const char *, num_rids);
484 *types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids);
486 if ((*names == NULL) || (*types == NULL)) {
490 for (i = 0; i < num_rids; i++)
491 (*types)[i] = SID_NAME_UNKNOWN;
497 if (sid_check_is_domain(domain_sid)) {
500 if (*domain_name == NULL) {
501 *domain_name = talloc_strdup(
502 mem_ctx, get_global_sam_name());
505 if (*domain_name == NULL) {
510 result = pdb_lookup_rids(domain_sid, num_rids, rids,
514 return (NT_STATUS_IS_OK(result) ||
515 NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) ||
516 NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED));
519 if (sid_check_is_builtin(domain_sid)) {
521 if (*domain_name == NULL) {
522 *domain_name = talloc_strdup(
523 mem_ctx, builtin_domain_name());
526 if (*domain_name == NULL) {
530 for (i=0; i<num_rids; i++) {
531 if (lookup_builtin_rid(*names, rids[i],
533 if ((*names)[i] == NULL) {
536 (*types)[i] = SID_NAME_ALIAS;
538 (*types)[i] = SID_NAME_UNKNOWN;
544 if (sid_check_is_wellknown_domain(domain_sid, NULL)) {
545 for (i=0; i<num_rids; i++) {
547 sid_copy(&sid, domain_sid);
548 sid_append_rid(&sid, rids[i]);
549 if (lookup_wellknown_sid(mem_ctx, &sid,
550 domain_name, &(*names)[i])) {
551 if ((*names)[i] == NULL) {
554 (*types)[i] = SID_NAME_WKN_GRP;
556 (*types)[i] = SID_NAME_UNKNOWN;
562 if (sid_check_is_unix_users(domain_sid)) {
563 if (*domain_name == NULL) {
564 *domain_name = talloc_strdup(
565 mem_ctx, unix_users_domain_name());
566 if (*domain_name == NULL) {
570 for (i=0; i<num_rids; i++) {
571 (*names)[i] = talloc_strdup(
572 (*names), uidtoname(rids[i]));
573 if ((*names)[i] == NULL) {
576 (*types)[i] = SID_NAME_USER;
581 if (sid_check_is_unix_groups(domain_sid)) {
582 if (*domain_name == NULL) {
583 *domain_name = talloc_strdup(
584 mem_ctx, unix_groups_domain_name());
585 if (*domain_name == NULL) {
589 for (i=0; i<num_rids; i++) {
590 (*names)[i] = talloc_strdup(
591 (*names), gidtoname(rids[i]));
592 if ((*names)[i] == NULL) {
595 (*types)[i] = SID_NAME_DOM_GRP;
600 return wb_lookup_rids(mem_ctx, domain_sid, num_rids, rids,
601 domain_name, *names, *types);
605 * Is the SID a domain as such? If yes, lookup its name.
608 static bool lookup_as_domain(const DOM_SID *sid, TALLOC_CTX *mem_ctx,
612 enum lsa_SidType type;
614 if (sid_check_is_domain(sid)) {
615 *name = talloc_strdup(mem_ctx, get_global_sam_name());
619 if (sid_check_is_builtin(sid)) {
620 *name = talloc_strdup(mem_ctx, builtin_domain_name());
624 if (sid_check_is_wellknown_domain(sid, &tmp)) {
625 *name = talloc_strdup(mem_ctx, tmp);
629 if (sid_check_is_unix_users(sid)) {
630 *name = talloc_strdup(mem_ctx, unix_users_domain_name());
634 if (sid_check_is_unix_groups(sid)) {
635 *name = talloc_strdup(mem_ctx, unix_groups_domain_name());
639 if (sid->num_auths != 4) {
640 /* This can't be a domain */
645 uint32 i, num_domains;
646 struct trustdom_info **domains;
648 /* This is relatively expensive, but it happens only on DCs
649 * and for SIDs that have 4 sub-authorities and thus look like
652 if (!NT_STATUS_IS_OK(pdb_enum_trusteddoms(mem_ctx,
658 for (i=0; i<num_domains; i++) {
659 if (sid_equal(sid, &domains[i]->sid)) {
660 *name = talloc_strdup(mem_ctx,
668 if (winbind_lookup_sid(mem_ctx, sid, &tmp, NULL, &type) &&
669 (type == SID_NAME_DOMAIN)) {
678 * This tries to implement the rather weird rules for the lsa_lookup level
681 * This is as close as we can get to what W2k3 does. With this we survive the
682 * RPC-LSALOOKUP samba4 test as of 2006-01-08. NT4 as a PDC is a bit more
683 * different, but I assume that's just being too liberal. For example, W2k3
684 * replies to everything else but the levels 1-6 with INVALID_PARAMETER
685 * whereas NT4 does the same as level 1 (I think). I did not fully test that
686 * with NT4, this is what w2k3 does.
688 * Level 1: Ask everywhere
689 * Level 2: Ask domain and trusted domains, no builtin and wkn
690 * Level 3: Only ask domain
691 * Level 4: W2k3ad: Only ask AD trusts
692 * Level 5: Only ask transitive forest trusts
696 static bool check_dom_sid_to_level(const DOM_SID *sid, int level)
705 ret = (!sid_check_is_builtin(sid) &&
706 !sid_check_is_wellknown_domain(sid, NULL));
711 ret = sid_check_is_domain(sid);
718 DEBUG(10, ("%s SID %s in level %d\n",
719 ret ? "Accepting" : "Rejecting",
720 sid_string_dbg(sid), level));
725 * Lookup a bunch of SIDs. This is modeled after lsa_lookup_sids with
726 * references to domains, it is explicitly made for this.
728 * This attempts to be as efficient as possible: It collects all SIDs
729 * belonging to a domain and hands them in bulk to the appropriate lookup
730 * function. In particular pdb_lookup_rids with ldapsam_trusted benefits
731 * *hugely* from this. Winbind is going to be extended with a lookup_rids
732 * interface as well, so on a DC we can do a bulk lsa_lookuprids to the
736 NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids,
737 const DOM_SID **sids, int level,
738 struct lsa_dom_info **ret_domains,
739 struct lsa_name_info **ret_names)
742 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
743 struct lsa_name_info *name_infos;
744 struct lsa_dom_info *dom_infos = NULL;
748 if (!(tmp_ctx = talloc_new(mem_ctx))) {
749 DEBUG(0, ("talloc_new failed\n"));
750 return NT_STATUS_NO_MEMORY;
754 name_infos = TALLOC_ARRAY(mem_ctx, struct lsa_name_info, num_sids);
755 if (name_infos == NULL) {
756 result = NT_STATUS_NO_MEMORY;
763 dom_infos = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_dom_info,
764 LSA_REF_DOMAIN_LIST_MULTIPLIER);
765 if (dom_infos == NULL) {
766 result = NT_STATUS_NO_MEMORY;
770 /* First build up the data structures:
772 * dom_infos is a list of domains referenced in the list of
773 * SIDs. Later we will walk the list of domains and look up the RIDs
776 * name_infos is a shadow-copy of the SIDs array to collect the real
779 * dom_info->idxs is an index into the name_infos array. The
780 * difficulty we have here is that we need to keep the SIDs the client
781 * asked for in the same order for the reply
784 for (i=0; i<num_sids; i++) {
787 const char *domain_name = NULL;
789 sid_copy(&sid, sids[i]);
790 name_infos[i].type = SID_NAME_USE_NONE;
792 if (lookup_as_domain(&sid, name_infos, &domain_name)) {
793 /* We can't push that through the normal lookup
794 * process, as this would reference illegal
797 * For example S-1-5-32 would end up referencing
798 * domain S-1-5- with RID 32 which is clearly wrong.
800 if (domain_name == NULL) {
801 result = NT_STATUS_NO_MEMORY;
805 name_infos[i].rid = 0;
806 name_infos[i].type = SID_NAME_DOMAIN;
807 name_infos[i].name = NULL;
809 if (sid_check_is_builtin(&sid)) {
810 /* Yes, W2k3 returns "BUILTIN" both as domain
812 name_infos[i].name = talloc_strdup(
813 name_infos, builtin_domain_name());
814 if (name_infos[i].name == NULL) {
815 result = NT_STATUS_NO_MEMORY;
820 /* This is a normal SID with rid component */
821 if (!sid_split_rid(&sid, &rid)) {
822 result = NT_STATUS_INVALID_SID;
827 if (!check_dom_sid_to_level(&sid, level)) {
828 name_infos[i].rid = 0;
829 name_infos[i].type = SID_NAME_UNKNOWN;
830 name_infos[i].name = NULL;
834 for (j=0; j<LSA_REF_DOMAIN_LIST_MULTIPLIER; j++) {
835 if (!dom_infos[j].valid) {
838 if (sid_equal(&sid, &dom_infos[j].sid)) {
843 if (j == LSA_REF_DOMAIN_LIST_MULTIPLIER) {
844 /* TODO: What's the right error message here? */
845 result = NT_STATUS_NONE_MAPPED;
849 if (!dom_infos[j].valid) {
850 /* We found a domain not yet referenced, create a new
852 dom_infos[j].valid = true;
853 sid_copy(&dom_infos[j].sid, &sid);
855 if (domain_name != NULL) {
856 /* This name was being found above in the case
857 * when we found a domain SID */
859 talloc_strdup(dom_infos, domain_name);
860 if (dom_infos[j].name == NULL) {
861 result = NT_STATUS_NO_MEMORY;
865 /* lookup_rids will take care of this */
866 dom_infos[j].name = NULL;
870 name_infos[i].dom_idx = j;
872 if (name_infos[i].type == SID_NAME_USE_NONE) {
873 name_infos[i].rid = rid;
875 ADD_TO_ARRAY(dom_infos, int, i, &dom_infos[j].idxs,
876 &dom_infos[j].num_idxs);
878 if (dom_infos[j].idxs == NULL) {
879 result = NT_STATUS_NO_MEMORY;
885 /* Iterate over the domains found */
887 for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
889 const char *domain_name = NULL;
891 enum lsa_SidType *types;
892 struct lsa_dom_info *dom = &dom_infos[i];
895 /* No domains left, we're done */
900 if (!(rids = TALLOC_ARRAY(tmp_ctx, uint32, dom->num_idxs))) {
901 result = NT_STATUS_NO_MEMORY;
908 for (j=0; j<dom->num_idxs; j++) {
909 rids[j] = name_infos[dom->idxs[j]].rid;
912 if (!lookup_rids(tmp_ctx, &dom->sid,
913 dom->num_idxs, rids, &domain_name,
915 result = NT_STATUS_NO_MEMORY;
919 if (!(dom->name = talloc_strdup(dom_infos, domain_name))) {
920 result = NT_STATUS_NO_MEMORY;
924 for (j=0; j<dom->num_idxs; j++) {
925 int idx = dom->idxs[j];
926 name_infos[idx].type = types[j];
927 if (types[j] != SID_NAME_UNKNOWN) {
928 name_infos[idx].name =
929 talloc_strdup(name_infos, names[j]);
930 if (name_infos[idx].name == NULL) {
931 result = NT_STATUS_NO_MEMORY;
935 name_infos[idx].name = NULL;
940 *ret_domains = dom_infos;
941 *ret_names = name_infos;
942 TALLOC_FREE(tmp_ctx);
946 TALLOC_FREE(dom_infos);
947 TALLOC_FREE(name_infos);
948 TALLOC_FREE(tmp_ctx);
952 /*****************************************************************
953 *THE CANONICAL* convert SID to name function.
954 *****************************************************************/
956 bool lookup_sid(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
957 const char **ret_domain, const char **ret_name,
958 enum lsa_SidType *ret_type)
960 struct lsa_dom_info *domain;
961 struct lsa_name_info *name;
965 DEBUG(10, ("lookup_sid called for SID '%s'\n", sid_string_dbg(sid)));
967 if (!(tmp_ctx = talloc_new(mem_ctx))) {
968 DEBUG(0, ("talloc_new failed\n"));
972 if (!NT_STATUS_IS_OK(lookup_sids(tmp_ctx, 1, &sid, 1,
977 if (name->type == SID_NAME_UNKNOWN) {
981 if ((ret_domain != NULL) &&
982 !(*ret_domain = talloc_strdup(mem_ctx, domain->name))) {
986 if ((ret_name != NULL) &&
987 !(*ret_name = talloc_strdup(mem_ctx, name->name))) {
991 if (ret_type != NULL) {
992 *ret_type = name->type;
999 DEBUG(10, ("Sid %s -> %s\\%s(%d)\n", sid_string_dbg(sid),
1000 domain->name, name->name, name->type));
1002 DEBUG(10, ("failed to lookup sid %s\n", sid_string_dbg(sid)));
1004 TALLOC_FREE(tmp_ctx);
1008 /*****************************************************************
1009 Id mapping cache. This is to avoid Winbind mappings already
1010 seen by smbd to be queried too frequently, keeping winbindd
1011 busy, and blocking smbd while winbindd is busy with other
1012 stuff. Written by Michael Steffens <michael.steffens@hp.com>,
1013 modified to use linked lists by jra.
1014 *****************************************************************/
1016 /*****************************************************************
1017 Find a SID given a uid.
1018 *****************************************************************/
1020 static bool fetch_sid_from_uid_cache(DOM_SID *psid, uid_t uid)
1022 DATA_BLOB cache_value;
1024 if (!memcache_lookup(NULL, UID_SID_CACHE,
1025 data_blob_const(&uid, sizeof(uid)),
1030 memcpy(psid, cache_value.data, MIN(sizeof(*psid), cache_value.length));
1031 SMB_ASSERT(cache_value.length >= offsetof(struct dom_sid, id_auth));
1032 SMB_ASSERT(cache_value.length == ndr_size_dom_sid(psid, NULL, 0));
1037 /*****************************************************************
1038 Find a uid given a SID.
1039 *****************************************************************/
1041 static bool fetch_uid_from_cache( uid_t *puid, const DOM_SID *psid )
1043 DATA_BLOB cache_value;
1045 if (!memcache_lookup(NULL, SID_UID_CACHE,
1046 data_blob_const(psid, ndr_size_dom_sid(psid, NULL, 0)),
1051 SMB_ASSERT(cache_value.length == sizeof(*puid));
1052 memcpy(puid, cache_value.data, sizeof(*puid));
1057 /*****************************************************************
1058 Store uid to SID mapping in cache.
1059 *****************************************************************/
1061 void store_uid_sid_cache(const DOM_SID *psid, uid_t uid)
1063 memcache_add(NULL, SID_UID_CACHE,
1064 data_blob_const(psid, ndr_size_dom_sid(psid, NULL, 0)),
1065 data_blob_const(&uid, sizeof(uid)));
1066 memcache_add(NULL, UID_SID_CACHE,
1067 data_blob_const(&uid, sizeof(uid)),
1068 data_blob_const(psid, ndr_size_dom_sid(psid, NULL, 0)));
1071 /*****************************************************************
1072 Find a SID given a gid.
1073 *****************************************************************/
1075 static bool fetch_sid_from_gid_cache(DOM_SID *psid, gid_t gid)
1077 DATA_BLOB cache_value;
1079 if (!memcache_lookup(NULL, GID_SID_CACHE,
1080 data_blob_const(&gid, sizeof(gid)),
1085 memcpy(psid, cache_value.data, MIN(sizeof(*psid), cache_value.length));
1086 SMB_ASSERT(cache_value.length >= offsetof(struct dom_sid, id_auth));
1087 SMB_ASSERT(cache_value.length == ndr_size_dom_sid(psid, NULL, 0));
1092 /*****************************************************************
1093 Find a gid given a SID.
1094 *****************************************************************/
1096 static bool fetch_gid_from_cache(gid_t *pgid, const DOM_SID *psid)
1098 DATA_BLOB cache_value;
1100 if (!memcache_lookup(NULL, SID_GID_CACHE,
1101 data_blob_const(psid, ndr_size_dom_sid(psid, NULL, 0)),
1106 SMB_ASSERT(cache_value.length == sizeof(*pgid));
1107 memcpy(pgid, cache_value.data, sizeof(*pgid));
1112 /*****************************************************************
1113 Store gid to SID mapping in cache.
1114 *****************************************************************/
1116 void store_gid_sid_cache(const DOM_SID *psid, gid_t gid)
1118 memcache_add(NULL, SID_GID_CACHE,
1119 data_blob_const(psid, ndr_size_dom_sid(psid, NULL, 0)),
1120 data_blob_const(&gid, sizeof(gid)));
1121 memcache_add(NULL, GID_SID_CACHE,
1122 data_blob_const(&gid, sizeof(gid)),
1123 data_blob_const(psid, ndr_size_dom_sid(psid, NULL, 0)));
1126 /*****************************************************************
1127 *THE LEGACY* convert uid_t to SID function.
1128 *****************************************************************/
1130 static void legacy_uid_to_sid(DOM_SID *psid, uid_t uid)
1137 ret = pdb_uid_to_sid(uid, psid);
1141 /* This is a mapped user */
1145 /* This is an unmapped user */
1147 uid_to_unix_users_sid(uid, psid);
1150 DEBUG(10,("LEGACY: uid %u -> sid %s\n", (unsigned int)uid,
1151 sid_string_dbg(psid)));
1153 store_uid_sid_cache(psid, uid);
1157 /*****************************************************************
1158 *THE LEGACY* convert gid_t to SID function.
1159 *****************************************************************/
1161 static void legacy_gid_to_sid(DOM_SID *psid, gid_t gid)
1168 ret = pdb_gid_to_sid(gid, psid);
1172 /* This is a mapped group */
1176 /* This is an unmapped group */
1178 gid_to_unix_groups_sid(gid, psid);
1181 DEBUG(10,("LEGACY: gid %u -> sid %s\n", (unsigned int)gid,
1182 sid_string_dbg(psid)));
1184 store_gid_sid_cache(psid, gid);
1188 /*****************************************************************
1189 *THE LEGACY* convert SID to uid function.
1190 *****************************************************************/
1192 static bool legacy_sid_to_uid(const DOM_SID *psid, uid_t *puid)
1194 enum lsa_SidType type;
1197 if (sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
1202 ret = pdb_sid_to_id(psid, &id, &type);
1206 if (type != SID_NAME_USER) {
1207 DEBUG(5, ("sid %s is a %s, expected a user\n",
1208 sid_string_dbg(psid),
1209 sid_type_lookup(type)));
1216 /* This was ours, but it was not mapped. Fail */
1219 DEBUG(10,("LEGACY: mapping failed for sid %s\n",
1220 sid_string_dbg(psid)));
1224 DEBUG(10,("LEGACY: sid %s -> uid %u\n", sid_string_dbg(psid),
1225 (unsigned int)*puid ));
1227 store_uid_sid_cache(psid, *puid);
1231 /*****************************************************************
1232 *THE LEGACY* convert SID to gid function.
1233 Group mapping is used for gids that maps to Wellknown SIDs
1234 *****************************************************************/
1236 static bool legacy_sid_to_gid(const DOM_SID *psid, gid_t *pgid)
1241 enum lsa_SidType type;
1243 if ((sid_check_is_in_builtin(psid) ||
1244 sid_check_is_in_wellknown_domain(psid))) {
1248 ret = pdb_getgrsid(&map, *psid);
1255 DEBUG(10,("LEGACY: mapping failed for sid %s\n",
1256 sid_string_dbg(psid)));
1260 if (sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
1264 ret = pdb_sid_to_id(psid, &id, &type);
1268 if ((type != SID_NAME_DOM_GRP) &&
1269 (type != SID_NAME_ALIAS)) {
1270 DEBUG(5, ("LEGACY: sid %s is a %s, expected "
1271 "a group\n", sid_string_dbg(psid),
1272 sid_type_lookup(type)));
1279 /* This was ours, but it was not mapped. Fail */
1282 DEBUG(10,("LEGACY: mapping failed for sid %s\n",
1283 sid_string_dbg(psid)));
1287 DEBUG(10,("LEGACY: sid %s -> gid %u\n", sid_string_dbg(psid),
1288 (unsigned int)*pgid ));
1290 store_gid_sid_cache(psid, *pgid);
1295 /*****************************************************************
1296 *THE CANONICAL* convert uid_t to SID function.
1297 *****************************************************************/
1299 void uid_to_sid(DOM_SID *psid, uid_t uid)
1301 bool expired = true;
1305 if (fetch_sid_from_uid_cache(psid, uid))
1308 /* Check the winbindd cache directly. */
1309 ret = idmap_cache_find_uid2sid(uid, psid, &expired);
1311 if (ret && !expired && is_null_sid(psid)) {
1313 * Negative cache entry, we already asked.
1316 legacy_uid_to_sid(psid, uid);
1320 if (!ret || expired) {
1321 /* Not in cache. Ask winbindd. */
1322 if (!winbind_uid_to_sid(psid, uid)) {
1324 * We shouldn't return the NULL SID
1325 * here if winbind was running and
1326 * couldn't map, as winbind will have
1327 * added a negative entry that will
1328 * cause us to go though the
1329 * legacy_uid_to_sid()
1330 * function anyway in the case above
1331 * the next time we ask.
1333 DEBUG(5, ("uid_to_sid: winbind failed to find a sid "
1334 "for uid %u\n", (unsigned int)uid));
1336 legacy_uid_to_sid(psid, uid);
1341 DEBUG(10,("uid %u -> sid %s\n", (unsigned int)uid,
1342 sid_string_dbg(psid)));
1344 store_uid_sid_cache(psid, uid);
1348 /*****************************************************************
1349 *THE CANONICAL* convert gid_t to SID function.
1350 *****************************************************************/
1352 void gid_to_sid(DOM_SID *psid, gid_t gid)
1354 bool expired = true;
1358 if (fetch_sid_from_gid_cache(psid, gid))
1361 /* Check the winbindd cache directly. */
1362 ret = idmap_cache_find_gid2sid(gid, psid, &expired);
1364 if (ret && !expired && is_null_sid(psid)) {
1366 * Negative cache entry, we already asked.
1369 legacy_gid_to_sid(psid, gid);
1373 if (!ret || expired) {
1374 /* Not in cache. Ask winbindd. */
1375 if (!winbind_gid_to_sid(psid, gid)) {
1377 * We shouldn't return the NULL SID
1378 * here if winbind was running and
1379 * couldn't map, as winbind will have
1380 * added a negative entry that will
1381 * cause us to go though the
1382 * legacy_gid_to_sid()
1383 * function anyway in the case above
1384 * the next time we ask.
1386 DEBUG(5, ("gid_to_sid: winbind failed to find a sid "
1387 "for gid %u\n", (unsigned int)gid));
1389 legacy_gid_to_sid(psid, gid);
1394 DEBUG(10,("gid %u -> sid %s\n", (unsigned int)gid,
1395 sid_string_dbg(psid)));
1397 store_gid_sid_cache(psid, gid);
1401 /*****************************************************************
1402 *THE CANONICAL* convert SID to uid function.
1403 *****************************************************************/
1405 bool sid_to_uid(const DOM_SID *psid, uid_t *puid)
1407 bool expired = true;
1412 if (fetch_uid_from_cache(puid, psid))
1415 if (fetch_gid_from_cache(&gid, psid)) {
1419 /* Optimize for the Unix Users Domain
1420 * as the conversion is straightforward */
1421 if (sid_peek_check_rid(&global_sid_Unix_Users, psid, &rid)) {
1425 /* return here, don't cache */
1426 DEBUG(10,("sid %s -> uid %u\n", sid_string_dbg(psid),
1427 (unsigned int)*puid ));
1431 /* Check the winbindd cache directly. */
1432 ret = idmap_cache_find_sid2uid(psid, puid, &expired);
1434 if (ret && !expired && (*puid == (uid_t)-1)) {
1436 * Negative cache entry, we already asked.
1439 return legacy_sid_to_uid(psid, puid);
1442 if (!ret || expired) {
1443 /* Not in cache. Ask winbindd. */
1444 if (!winbind_sid_to_uid(puid, psid)) {
1445 DEBUG(5, ("winbind failed to find a uid for sid %s\n",
1446 sid_string_dbg(psid)));
1447 /* winbind failed. do legacy */
1448 return legacy_sid_to_uid(psid, puid);
1452 /* TODO: Here would be the place to allocate both a gid and a uid for
1453 * the SID in question */
1455 DEBUG(10,("sid %s -> uid %u\n", sid_string_dbg(psid),
1456 (unsigned int)*puid ));
1458 store_uid_sid_cache(psid, *puid);
1462 /*****************************************************************
1463 *THE CANONICAL* convert SID to gid function.
1464 Group mapping is used for gids that maps to Wellknown SIDs
1465 *****************************************************************/
1467 bool sid_to_gid(const DOM_SID *psid, gid_t *pgid)
1469 bool expired = true;
1474 if (fetch_gid_from_cache(pgid, psid))
1477 if (fetch_uid_from_cache(&uid, psid))
1480 /* Optimize for the Unix Groups Domain
1481 * as the conversion is straightforward */
1482 if (sid_peek_check_rid(&global_sid_Unix_Groups, psid, &rid)) {
1486 /* return here, don't cache */
1487 DEBUG(10,("sid %s -> gid %u\n", sid_string_dbg(psid),
1488 (unsigned int)*pgid ));
1492 /* Check the winbindd cache directly. */
1493 ret = idmap_cache_find_sid2gid(psid, pgid, &expired);
1495 if (ret && !expired && (*pgid == (gid_t)-1)) {
1497 * Negative cache entry, we already asked.
1500 return legacy_sid_to_gid(psid, pgid);
1503 if (!ret || expired) {
1504 /* Not in cache or negative. Ask winbindd. */
1505 /* Ask winbindd if it can map this sid to a gid.
1506 * (Idmap will check it is a valid SID and of the right type) */
1508 if ( !winbind_sid_to_gid(pgid, psid) ) {
1510 DEBUG(10,("winbind failed to find a gid for sid %s\n",
1511 sid_string_dbg(psid)));
1512 /* winbind failed. do legacy */
1513 return legacy_sid_to_gid(psid, pgid);
1517 DEBUG(10,("sid %s -> gid %u\n", sid_string_dbg(psid),
1518 (unsigned int)*pgid ));
1520 store_gid_sid_cache(psid, *pgid);
git.samba.org / samba.git / blob