2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2000,
5 * Copyright (C) Jean François Micouleau 1998-2001.
6 * Copyright (C) Volker Lendecke 2006.
7 * Copyright (C) Gerald Carter 2006.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, see <http://www.gnu.org/licenses/>.
24 #include "groupdb/mapping.h"
26 static const struct mapping_backend *backend;
29 initialise a group mapping backend
31 static BOOL init_group_mapping(void)
33 const char *backend_string;
35 if (backend != NULL) {
36 /* already initialised */
40 /* default to using the ldb backend. This parameter should
41 disappear in future versions of Samba3, but for now it
42 provides a safety net in case any major problems are
43 discovered with ldb after the release */
44 backend_string = lp_parm_const_string(-1, "groupdb", "backend", "ldb");
46 if (strcmp(backend_string, "ldb") == 0) {
47 backend = groupdb_ldb_init();
48 } else if (strcmp(backend_string, "tdb") == 0) {
49 backend = groupdb_tdb_init();
51 DEBUG(0,("Unknown groupdb backend '%s'\n", backend_string));
52 smb_panic("Unknown groupdb backend");
54 return backend != NULL;
57 /****************************************************************************
58 initialise first time the mapping list
59 ****************************************************************************/
60 NTSTATUS add_initial_entry(gid_t gid, const char *sid, enum lsa_SidType sid_name_use, const char *nt_name, const char *comment)
64 if(!init_group_mapping()) {
65 DEBUG(0,("failed to initialize group mapping\n"));
66 return NT_STATUS_UNSUCCESSFUL;
70 if (!string_to_sid(&map.sid, sid)) {
71 DEBUG(0, ("string_to_sid failed: %s", sid));
72 return NT_STATUS_UNSUCCESSFUL;
75 map.sid_name_use=sid_name_use;
76 fstrcpy(map.nt_name, nt_name);
77 fstrcpy(map.comment, comment);
79 return pdb_add_group_mapping_entry(&map);
82 static NTSTATUS alias_memberships(const DOM_SID *members, size_t num_members,
83 DOM_SID **sids, size_t *num)
90 for (i=0; i<num_members; i++) {
91 NTSTATUS status = backend->one_alias_membership(&members[i], sids, num);
92 if (!NT_STATUS_IS_OK(status))
98 struct aliasmem_closure {
108 * High level functions
109 * better to use them than the lower ones.
111 * we are checking if the group is in the mapping file
112 * and if the group is an existing unix group
116 /* get a domain group from it's SID */
118 BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map)
123 if(!init_group_mapping()) {
124 DEBUG(0,("failed to initialize group mapping\n"));
128 DEBUG(10, ("get_domain_group_from_sid\n"));
130 /* if the group is NOT in the database, it CAN NOT be a domain group */
133 ret = pdb_getgrsid(map, sid);
136 /* special case check for rid 513 */
141 sid_peek_rid( &sid, &rid );
143 if ( rid == DOMAIN_GROUP_RID_USERS ) {
144 fstrcpy( map->nt_name, "None" );
145 fstrcpy( map->comment, "Ordinary Users" );
146 sid_copy( &map->sid, &sid );
147 map->sid_name_use = SID_NAME_DOM_GRP;
148 map->gid = (gid_t)-1;
156 DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n"));
158 /* if it's not a domain group, continue */
159 if (map->sid_name_use!=SID_NAME_DOM_GRP) {
163 DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n"));
169 DEBUG(10, ("get_domain_group_from_sid: SID is mapped to gid:%lu\n",(unsigned long)map->gid));
171 grp = getgrgid(map->gid);
173 DEBUG(10, ("get_domain_group_from_sid: gid DOESN'T exist in UNIX security\n"));
177 DEBUG(10, ("get_domain_group_from_sid: gid exists in UNIX security\n"));
182 /****************************************************************************
183 Create a UNIX group on demand.
184 ****************************************************************************/
186 int smb_create_group(const char *unix_group, gid_t *new_gid)
194 /* defer to scripts */
196 if ( *lp_addgroup_script() ) {
197 pstrcpy(add_script, lp_addgroup_script());
198 pstring_sub(add_script, "%g", unix_group);
199 ret = smbrun(add_script, &fd);
200 DEBUG(ret ? 0 : 3,("smb_create_group: Running the command `%s' gave %d\n",add_script,ret));
202 smb_nscd_flush_group_cache();
211 if (read(fd, output, sizeof(output)) > 0) {
212 *new_gid = (gid_t)strtoul(output, NULL, 10);
221 struct group *grp = getgrnam(unix_group);
224 *new_gid = grp->gr_gid;
230 /****************************************************************************
231 Delete a UNIX group on demand.
232 ****************************************************************************/
234 int smb_delete_group(const char *unix_group)
239 /* defer to scripts */
241 if ( *lp_delgroup_script() ) {
242 pstrcpy(del_script, lp_delgroup_script());
243 pstring_sub(del_script, "%g", unix_group);
244 ret = smbrun(del_script,NULL);
245 DEBUG(ret ? 0 : 3,("smb_delete_group: Running the command `%s' gave %d\n",del_script,ret));
247 smb_nscd_flush_group_cache();
255 /****************************************************************************
256 Set a user's primary UNIX group.
257 ****************************************************************************/
258 int smb_set_primary_group(const char *unix_group, const char* unix_user)
263 /* defer to scripts */
265 if ( *lp_setprimarygroup_script() ) {
266 pstrcpy(add_script, lp_setprimarygroup_script());
267 all_string_sub(add_script, "%g", unix_group, sizeof(add_script));
268 all_string_sub(add_script, "%u", unix_user, sizeof(add_script));
269 ret = smbrun(add_script,NULL);
271 DEBUG(ret ? 0 : 3,("smb_set_primary_group: "
272 "Running the command `%s' gave %d\n",add_script,ret));
274 smb_nscd_flush_group_cache();
282 /****************************************************************************
283 Add a user to a UNIX group.
284 ****************************************************************************/
286 int smb_add_user_group(const char *unix_group, const char *unix_user)
291 /* defer to scripts */
293 if ( *lp_addusertogroup_script() ) {
294 pstrcpy(add_script, lp_addusertogroup_script());
295 pstring_sub(add_script, "%g", unix_group);
296 pstring_sub(add_script, "%u", unix_user);
297 ret = smbrun(add_script,NULL);
298 DEBUG(ret ? 0 : 3,("smb_add_user_group: Running the command `%s' gave %d\n",add_script,ret));
300 smb_nscd_flush_group_cache();
308 /****************************************************************************
309 Delete a user from a UNIX group
310 ****************************************************************************/
312 int smb_delete_user_group(const char *unix_group, const char *unix_user)
317 /* defer to scripts */
319 if ( *lp_deluserfromgroup_script() ) {
320 pstrcpy(del_script, lp_deluserfromgroup_script());
321 pstring_sub(del_script, "%g", unix_group);
322 pstring_sub(del_script, "%u", unix_user);
323 ret = smbrun(del_script,NULL);
324 DEBUG(ret ? 0 : 3,("smb_delete_user_group: Running the command `%s' gave %d\n",del_script,ret));
326 smb_nscd_flush_group_cache();
335 NTSTATUS pdb_default_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
338 if (!init_group_mapping()) {
339 DEBUG(0,("failed to initialize group mapping\n"));
340 return NT_STATUS_UNSUCCESSFUL;
342 return backend->get_group_map_from_sid(sid, map) ?
343 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
346 NTSTATUS pdb_default_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
349 if (!init_group_mapping()) {
350 DEBUG(0,("failed to initialize group mapping\n"));
351 return NT_STATUS_UNSUCCESSFUL;
353 return backend->get_group_map_from_gid(gid, map) ?
354 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
357 NTSTATUS pdb_default_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
360 if (!init_group_mapping()) {
361 DEBUG(0,("failed to initialize group mapping\n"));
362 return NT_STATUS_UNSUCCESSFUL;
364 return backend->get_group_map_from_ntname(name, map) ?
365 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
368 NTSTATUS pdb_default_add_group_mapping_entry(struct pdb_methods *methods,
371 if (!init_group_mapping()) {
372 DEBUG(0,("failed to initialize group mapping\n"));
373 return NT_STATUS_UNSUCCESSFUL;
375 return backend->add_mapping_entry(map, TDB_INSERT) ?
376 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
379 NTSTATUS pdb_default_update_group_mapping_entry(struct pdb_methods *methods,
382 if (!init_group_mapping()) {
383 DEBUG(0,("failed to initialize group mapping\n"));
384 return NT_STATUS_UNSUCCESSFUL;
386 return backend->add_mapping_entry(map, TDB_REPLACE) ?
387 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
390 NTSTATUS pdb_default_delete_group_mapping_entry(struct pdb_methods *methods,
393 if (!init_group_mapping()) {
394 DEBUG(0,("failed to initialize group mapping\n"));
395 return NT_STATUS_UNSUCCESSFUL;
397 return backend->group_map_remove(&sid) ?
398 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
401 NTSTATUS pdb_default_enum_group_mapping(struct pdb_methods *methods,
402 const DOM_SID *sid, enum lsa_SidType sid_name_use,
403 GROUP_MAP **pp_rmap, size_t *p_num_entries,
406 if (!init_group_mapping()) {
407 DEBUG(0,("failed to initialize group mapping\n"));
408 return NT_STATUS_UNSUCCESSFUL;
410 return backend->enum_group_mapping(sid, sid_name_use, pp_rmap, p_num_entries, unix_only) ?
411 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
414 NTSTATUS pdb_default_create_alias(struct pdb_methods *methods,
415 const char *name, uint32 *rid)
418 enum lsa_SidType type;
426 DEBUG(10, ("Trying to create alias %s\n", name));
428 mem_ctx = talloc_new(NULL);
429 if (mem_ctx == NULL) {
430 return NT_STATUS_NO_MEMORY;
433 exists = lookup_name(mem_ctx, name, LOOKUP_NAME_ISOLATED,
434 NULL, NULL, &sid, &type);
435 TALLOC_FREE(mem_ctx);
438 return NT_STATUS_ALIAS_EXISTS;
441 if (!winbind_allocate_gid(&gid)) {
442 DEBUG(3, ("Could not get a gid out of winbind\n"));
443 return NT_STATUS_ACCESS_DENIED;
446 if (!pdb_new_rid(&new_rid)) {
447 DEBUG(0, ("Could not allocate a RID -- wasted a gid :-(\n"));
448 return NT_STATUS_ACCESS_DENIED;
451 DEBUG(10, ("Creating alias %s with gid %d and rid %d\n",
452 name, gid, new_rid));
454 sid_copy(&sid, get_global_sam_sid());
455 sid_append_rid(&sid, new_rid);
458 sid_copy(&map.sid, &sid);
459 map.sid_name_use = SID_NAME_ALIAS;
460 fstrcpy(map.nt_name, name);
461 fstrcpy(map.comment, "");
463 status = pdb_add_group_mapping_entry(&map);
465 if (!NT_STATUS_IS_OK(status)) {
466 DEBUG(0, ("Could not add group mapping entry for alias %s "
467 "(%s)\n", name, nt_errstr(status)));
476 NTSTATUS pdb_default_delete_alias(struct pdb_methods *methods,
479 return pdb_delete_group_mapping_entry(*sid);
482 NTSTATUS pdb_default_get_aliasinfo(struct pdb_methods *methods,
484 struct acct_info *info)
488 if (!pdb_getgrsid(&map, *sid))
489 return NT_STATUS_NO_SUCH_ALIAS;
491 if ((map.sid_name_use != SID_NAME_ALIAS) &&
492 (map.sid_name_use != SID_NAME_WKN_GRP)) {
493 DEBUG(2, ("%s is a %s, expected an alias\n",
494 sid_string_static(sid),
495 sid_type_lookup(map.sid_name_use)));
496 return NT_STATUS_NO_SUCH_ALIAS;
499 fstrcpy(info->acct_name, map.nt_name);
500 fstrcpy(info->acct_desc, map.comment);
501 sid_peek_rid(&map.sid, &info->rid);
505 NTSTATUS pdb_default_set_aliasinfo(struct pdb_methods *methods,
507 struct acct_info *info)
511 if (!pdb_getgrsid(&map, *sid))
512 return NT_STATUS_NO_SUCH_ALIAS;
514 fstrcpy(map.nt_name, info->acct_name);
515 fstrcpy(map.comment, info->acct_desc);
517 return pdb_update_group_mapping_entry(&map);
520 NTSTATUS pdb_default_add_aliasmem(struct pdb_methods *methods,
521 const DOM_SID *alias, const DOM_SID *member)
523 if (!init_group_mapping()) {
524 DEBUG(0,("failed to initialize group mapping\n"));
525 return NT_STATUS_UNSUCCESSFUL;
527 return backend->add_aliasmem(alias, member);
530 NTSTATUS pdb_default_del_aliasmem(struct pdb_methods *methods,
531 const DOM_SID *alias, const DOM_SID *member)
533 if (!init_group_mapping()) {
534 DEBUG(0,("failed to initialize group mapping\n"));
535 return NT_STATUS_UNSUCCESSFUL;
537 return backend->del_aliasmem(alias, member);
540 NTSTATUS pdb_default_enum_aliasmem(struct pdb_methods *methods,
541 const DOM_SID *alias, DOM_SID **pp_members,
542 size_t *p_num_members)
544 if (!init_group_mapping()) {
545 DEBUG(0,("failed to initialize group mapping\n"));
546 return NT_STATUS_UNSUCCESSFUL;
548 return backend->enum_aliasmem(alias, pp_members, p_num_members);
551 NTSTATUS pdb_default_alias_memberships(struct pdb_methods *methods,
553 const DOM_SID *domain_sid,
554 const DOM_SID *members,
556 uint32 **pp_alias_rids,
557 size_t *p_num_alias_rids)
560 size_t i, num_alias_sids;
563 if (!init_group_mapping()) {
564 DEBUG(0,("failed to initialize group mapping\n"));
565 return NT_STATUS_UNSUCCESSFUL;
571 result = alias_memberships(members, num_members,
572 &alias_sids, &num_alias_sids);
574 if (!NT_STATUS_IS_OK(result))
577 *p_num_alias_rids = 0;
579 if (num_alias_sids == 0) {
580 TALLOC_FREE(alias_sids);
584 *pp_alias_rids = TALLOC_ARRAY(mem_ctx, uint32, num_alias_sids);
585 if (*pp_alias_rids == NULL)
586 return NT_STATUS_NO_MEMORY;
588 for (i=0; i<num_alias_sids; i++) {
589 if (!sid_peek_check_rid(domain_sid, &alias_sids[i],
590 &(*pp_alias_rids)[*p_num_alias_rids]))
592 *p_num_alias_rids += 1;
595 TALLOC_FREE(alias_sids);
600 /**********************************************************************
601 no ops for passdb backends that don't implement group mapping
602 *********************************************************************/
604 NTSTATUS pdb_nop_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
607 return NT_STATUS_UNSUCCESSFUL;
610 NTSTATUS pdb_nop_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
613 return NT_STATUS_UNSUCCESSFUL;
616 NTSTATUS pdb_nop_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
619 return NT_STATUS_UNSUCCESSFUL;
622 NTSTATUS pdb_nop_add_group_mapping_entry(struct pdb_methods *methods,
625 return NT_STATUS_UNSUCCESSFUL;
628 NTSTATUS pdb_nop_update_group_mapping_entry(struct pdb_methods *methods,
631 return NT_STATUS_UNSUCCESSFUL;
634 NTSTATUS pdb_nop_delete_group_mapping_entry(struct pdb_methods *methods,
637 return NT_STATUS_UNSUCCESSFUL;
640 NTSTATUS pdb_nop_enum_group_mapping(struct pdb_methods *methods,
641 enum lsa_SidType sid_name_use,
642 GROUP_MAP **rmap, size_t *num_entries,
645 return NT_STATUS_UNSUCCESSFUL;
648 /****************************************************************************
649 These need to be redirected through pdb_interface.c
650 ****************************************************************************/
651 BOOL pdb_get_dom_grp_info(const DOM_SID *sid, struct acct_info *info)
657 res = get_domain_group_from_sid(*sid, &map);
663 fstrcpy(info->acct_name, map.nt_name);
664 fstrcpy(info->acct_desc, map.comment);
665 sid_peek_rid(sid, &info->rid);
669 BOOL pdb_set_dom_grp_info(const DOM_SID *sid, const struct acct_info *info)
673 if (!get_domain_group_from_sid(*sid, &map))
676 fstrcpy(map.nt_name, info->acct_name);
677 fstrcpy(map.comment, info->acct_desc);
679 return NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map));
682 /********************************************************************
683 Really just intended to be called by smbd
684 ********************************************************************/
686 NTSTATUS pdb_create_builtin_alias(uint32 rid)
689 enum lsa_SidType type;
694 const char *name = NULL;
697 DEBUG(10, ("Trying to create builtin alias %d\n", rid));
699 if ( !sid_compose( &sid, &global_sid_Builtin, rid ) ) {
700 return NT_STATUS_NO_SUCH_ALIAS;
703 if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
704 return NT_STATUS_NO_MEMORY;
707 if ( !lookup_sid(mem_ctx, &sid, NULL, &name, &type) ) {
708 TALLOC_FREE( mem_ctx );
709 return NT_STATUS_NO_SUCH_ALIAS;
712 /* validate RID so copy the name and move on */
714 fstrcpy( groupname, name );
715 TALLOC_FREE( mem_ctx );
717 if (!winbind_allocate_gid(&gid)) {
718 DEBUG(3, ("pdb_create_builtin_alias: Could not get a gid out of winbind\n"));
719 return NT_STATUS_ACCESS_DENIED;
722 DEBUG(10,("Creating alias %s with gid %d\n", name, gid));
725 sid_copy(&map.sid, &sid);
726 map.sid_name_use = SID_NAME_ALIAS;
727 fstrcpy(map.nt_name, name);
728 fstrcpy(map.comment, "");
730 status = pdb_add_group_mapping_entry(&map);
732 if (!NT_STATUS_IS_OK(status)) {
733 DEBUG(0, ("pdb_create_builtin_alias: Could not add group mapping entry for alias %d "
734 "(%s)\n", rid, nt_errstr(status)));