#include "includes.h"
#include "winbindd.h"
-#include "librpc/gen_ndr/ndr_wbint_c.h"
+#include "librpc/gen_ndr/ndr_winbind_c.h"
#include "../libcli/security/security.h"
+#include "lib/dbwrap/dbwrap_rbt.h"
struct wb_getgrsid_state {
struct tevent_context *ev;
const char *name;
enum lsa_SidType type;
gid_t gid;
- struct talloc_dict *members;
+ struct db_context *members;
};
static void wb_getgrsid_lookupsid_done(struct tevent_req *subreq);
state->ev = ev;
state->max_nesting = max_nesting;
- if (lp_winbind_trusted_domains_only()) {
- struct winbindd_domain *our_domain = find_our_domain();
-
- if (dom_sid_compare_domain(group_sid, &our_domain->sid) == 0) {
- DEBUG(7, ("winbindd_getgrsid: My domain -- rejecting "
- "getgrsid() for %s\n", sid_string_tos(group_sid)));
- tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
- return tevent_req_post(req, ev);
- }
+ if (dom_sid_in_domain(&global_sid_Unix_Groups, group_sid)) {
+ /* unmapped Unix groups must be resolved locally */
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
}
subreq = wb_lookupsid_send(state, ev, &state->sid);
case SID_NAME_DOM_GRP:
case SID_NAME_ALIAS:
case SID_NAME_WKN_GRP:
+ /*
+ * also treat user-type SIDS (they might map to ID_TYPE_BOTH)
+ */
+ case SID_NAME_USER:
+ case SID_NAME_COMPUTER:
break;
default:
tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
return;
}
- subreq = wb_sid2gid_send(state, state->ev, &state->sid);
+ subreq = wb_sids2xids_send(state, state->ev, &state->sid, 1);
if (tevent_req_nomem(subreq, req)) {
return;
}
struct wb_getgrsid_state *state = tevent_req_data(
req, struct wb_getgrsid_state);
NTSTATUS status;
+ struct unixid xids[1];
- status = wb_sid2gid_recv(subreq, &state->gid);
+ status = wb_sids2xids_recv(subreq, xids, ARRAY_SIZE(xids));
TALLOC_FREE(subreq);
if (tevent_req_nterror(req, status)) {
return;
}
+
+ /*
+ * We are filtering further down in sids2xids, but that filtering
+ * depends on the actual type of the sid handed in (as determined
+ * by lookupsids). Here we need to filter for the type of object
+ * actually requested, in this case uid.
+ */
+ if (!(xids[0].type == ID_TYPE_GID || xids[0].type == ID_TYPE_BOTH)) {
+ tevent_req_nterror(req, NT_STATUS_NONE_MAPPED);
+ return;
+ }
+
+ state->gid = (gid_t)xids[0].id;
+
+ if (state->type == SID_NAME_USER || state->type == SID_NAME_COMPUTER) {
+ /*
+ * special treatment for a user sid that is
+ * mapped to ID_TYPE_BOTH:
+ * create a group with the sid/xid as only member
+ */
+ const char *name;
+
+ if (xids[0].type != ID_TYPE_BOTH) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
+ return;
+ }
+
+ state->members = db_open_rbt(state);
+ if (tevent_req_nomem(state->members, req)) {
+ return;
+ }
+
+ name = fill_domain_username_talloc(talloc_tos(),
+ state->domname,
+ state->name,
+ true /* can_assume */);
+ if (tevent_req_nomem(name, req)) {
+ return;
+ }
+
+ status = add_member_to_db(state->members, &state->sid, name);
+ if (!NT_STATUS_IS_OK(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+
+ tevent_req_done(req);
+ return;
+ }
+
+ /*
+ * the "regular" case of a group type sid.
+ */
+
subreq = wb_group_members_send(state, state->ev, &state->sid,
state->type, state->max_nesting);
if (tevent_req_nomem(subreq, req)) {
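Review bot: The new comment above the type filter ends with "in this case uid", but the check on the next line accepts ID_TYPE_GID or ID_TYPE_BOTH and the value is stored into state->gid, so it should read "in this case gid" to avoid misleading the next reader about which object type is being requested. In the ID_TYPE_BOTH special case, `name` is allocated on `talloc_tos()` rather than on `state`; if add_member_to_db stores the pointer instead of copying the string into the rbt db (not visible here), the member record would outlive the stackframe allocation, so allocating it as `name = fill_domain_username_talloc(state, state->domname, state->name, true);` ties the lifetime to the request and is the safer choice either way. It would also be worth a DEBUG(10, ...) line on the two new rejection paths (NT_STATUS_NONE_MAPPED and NT_STATUS_NO_SUCH_GROUP), since both used to be a single wb_sid2gid failure and are now harder to tell apart when debugging idmap issues. The enclosing callback continues past the hunk.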
NTSTATUS wb_getgrsid_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
const char **domname, const char **name, gid_t *gid,
- struct talloc_dict **members)
+ struct db_context **members)
{
struct wb_getgrsid_state *state = tevent_req_data(
req, struct wb_getgrsid_state);