2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2000,
5 * Copyright (C) Jean François Micouleau 1998-2001.
6 * Copyright (C) Volker Lendecke 2006.
7 * Copyright (C) Gerald Carter 2006.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, see <http://www.gnu.org/licenses/>.
24 #include "system/passwd.h"
26 #include "groupdb/mapping.h"
27 #include "../libcli/security/security.h"
28 #include "lib/winbind_util.h"
30 #include "groupdb/mapping_tdb.h"
32 static const struct mapping_backend *backend;
35 initialise a group mapping backend
37 static bool init_group_mapping(void)
39 if (backend != NULL) {
40 /* already initialised */
44 backend = groupdb_tdb_init();
46 return backend != NULL;
49 /****************************************************************************
50 initialise first time the mapping list
51 ****************************************************************************/
52 NTSTATUS add_initial_entry(gid_t gid, const char *sid, enum lsa_SidType sid_name_use, const char *nt_name, const char *comment)
57 if(!init_group_mapping()) {
58 DEBUG(0,("failed to initialize group mapping\n"));
59 return NT_STATUS_UNSUCCESSFUL;
62 map = talloc_zero(NULL, GROUP_MAP);
64 return NT_STATUS_NO_MEMORY;
68 if (!string_to_sid(&map->sid, sid)) {
69 DEBUG(0, ("string_to_sid failed: %s", sid));
70 status = NT_STATUS_UNSUCCESSFUL;
74 map->sid_name_use=sid_name_use;
75 map->nt_name = talloc_strdup(map, nt_name);
77 status = NT_STATUS_NO_MEMORY;
82 map->comment = talloc_strdup(map, comment);
84 map->comment = talloc_strdup(map, "");
87 status = NT_STATUS_NO_MEMORY;
91 status = pdb_add_group_mapping_entry(map);
98 static NTSTATUS alias_memberships(const struct dom_sid *members, size_t num_members,
99 struct dom_sid **sids, size_t *num)
106 for (i=0; i<num_members; i++) {
107 NTSTATUS status = backend->one_alias_membership(&members[i], sids, num);
108 if (!NT_STATUS_IS_OK(status))
114 struct aliasmem_closure {
115 const struct dom_sid *alias;
116 struct dom_sid **sids;
124 * High level functions
125 * better to use them than the lower ones.
127 * we are checking if the group is in the mapping file
128 * and if the group is an existing unix group
132 /* get a domain group from it's SID */
134 bool get_domain_group_from_sid(struct dom_sid sid, GROUP_MAP *map)
139 if(!init_group_mapping()) {
140 DEBUG(0,("failed to initialize group mapping\n"));
144 DEBUG(10, ("get_domain_group_from_sid\n"));
146 /* if the group is NOT in the database, it CAN NOT be a domain group */
149 ret = pdb_getgrsid(map, sid);
152 /* special case check for rid 513 */
157 sid_peek_rid( &sid, &rid );
159 if ( rid == DOMAIN_RID_USERS ) {
160 map->nt_name = talloc_strdup(map, "None");
164 map->comment = talloc_strdup(map, "Ordinary Users");
168 sid_copy( &map->sid, &sid );
169 map->sid_name_use = SID_NAME_DOM_GRP;
170 map->gid = (gid_t)-1;
176 DEBUG(10, ("get_domain_group_from_sid: SID found in passdb\n"));
178 /* if it's not a domain group, continue */
179 if (map->sid_name_use!=SID_NAME_DOM_GRP) {
183 DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n"));
189 DEBUG(10, ("get_domain_group_from_sid: SID is mapped to gid:%lu\n",(unsigned long)map->gid));
191 grp = getgrgid(map->gid);
193 DEBUG(10, ("get_domain_group_from_sid: gid DOESN'T exist in UNIX security\n"));
197 DEBUG(10, ("get_domain_group_from_sid: gid exists in UNIX security\n"));
202 /****************************************************************************
203 Create a UNIX group on demand.
204 ****************************************************************************/
206 int smb_create_group(const char *unix_group, gid_t *new_gid)
208 char *add_script = NULL;
214 /* defer to scripts */
216 if ( *lp_add_group_script(talloc_tos()) ) {
217 TALLOC_CTX *ctx = talloc_tos();
219 add_script = talloc_strdup(ctx,
220 lp_add_group_script(ctx));
224 add_script = talloc_string_sub(ctx,
225 add_script, "%g", unix_group);
230 ret = smbrun(add_script, &fd, NULL);
231 DEBUG(ret ? 0 : 3,("smb_create_group: Running the command `%s' gave %d\n",add_script,ret));
233 smb_nscd_flush_group_cache();
244 nread = read(fd, output, sizeof(output)-1);
246 output[nread] = '\0';
247 *new_gid = (gid_t)strtoul(output, NULL, 10);
256 struct group *grp = getgrnam(unix_group);
259 *new_gid = grp->gr_gid;
265 /****************************************************************************
266 Delete a UNIX group on demand.
267 ****************************************************************************/
269 int smb_delete_group(const char *unix_group)
271 char *del_script = NULL;
274 /* defer to scripts */
276 if ( *lp_delete_group_script(talloc_tos()) ) {
277 TALLOC_CTX *ctx = talloc_tos();
279 del_script = talloc_strdup(ctx,
280 lp_delete_group_script(ctx));
284 del_script = talloc_string_sub(ctx,
285 del_script, "%g", unix_group);
289 ret = smbrun(del_script, NULL, NULL);
290 DEBUG(ret ? 0 : 3,("smb_delete_group: Running the command `%s' gave %d\n",del_script,ret));
292 smb_nscd_flush_group_cache();
300 /****************************************************************************
301 Set a user's primary UNIX group.
302 ****************************************************************************/
304 int smb_set_primary_group(const char *unix_group, const char* unix_user)
306 char *add_script = NULL;
309 /* defer to scripts */
311 if ( *lp_set_primary_group_script(talloc_tos()) ) {
312 TALLOC_CTX *ctx = talloc_tos();
314 add_script = talloc_strdup(ctx,
315 lp_set_primary_group_script(ctx));
319 add_script = talloc_all_string_sub(ctx,
320 add_script, "%g", unix_group);
324 add_script = talloc_string_sub(ctx,
325 add_script, "%u", unix_user);
329 ret = smbrun(add_script, NULL, NULL);
331 DEBUG(ret ? 0 : 3,("smb_set_primary_group: "
332 "Running the command `%s' gave %d\n",add_script,ret));
334 smb_nscd_flush_group_cache();
342 /****************************************************************************
343 Add a user to a UNIX group.
344 ****************************************************************************/
346 int smb_add_user_group(const char *unix_group, const char *unix_user)
348 char *add_script = NULL;
351 /* defer to scripts */
353 if ( *lp_add_user_to_group_script(talloc_tos()) ) {
354 TALLOC_CTX *ctx = talloc_tos();
356 add_script = talloc_strdup(ctx,
357 lp_add_user_to_group_script(ctx));
361 add_script = talloc_string_sub(ctx,
362 add_script, "%g", unix_group);
366 add_script = talloc_string_sub2(ctx,
367 add_script, "%u", unix_user, true, false, true);
371 ret = smbrun(add_script, NULL, NULL);
372 DEBUG(ret ? 0 : 3,("smb_add_user_group: Running the command `%s' gave %d\n",add_script,ret));
374 smb_nscd_flush_group_cache();
382 /****************************************************************************
383 Delete a user from a UNIX group
384 ****************************************************************************/
386 int smb_delete_user_group(const char *unix_group, const char *unix_user)
388 char *del_script = NULL;
391 /* defer to scripts */
393 if ( *lp_delete_user_from_group_script(talloc_tos()) ) {
394 TALLOC_CTX *ctx = talloc_tos();
396 del_script = talloc_strdup(ctx,
397 lp_delete_user_from_group_script(ctx));
401 del_script = talloc_string_sub(ctx,
402 del_script, "%g", unix_group);
406 del_script = talloc_string_sub2(ctx,
407 del_script, "%u", unix_user, true, false, true);
411 ret = smbrun(del_script, NULL, NULL);
412 DEBUG(ret ? 0 : 3,("smb_delete_user_group: Running the command `%s' gave %d\n",del_script,ret));
414 smb_nscd_flush_group_cache();
423 NTSTATUS pdb_default_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
426 if (!init_group_mapping()) {
427 DEBUG(0,("failed to initialize group mapping\n"));
428 return NT_STATUS_UNSUCCESSFUL;
430 return backend->get_group_map_from_sid(sid, map) ?
431 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
434 NTSTATUS pdb_default_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
437 if (!init_group_mapping()) {
438 DEBUG(0,("failed to initialize group mapping\n"));
439 return NT_STATUS_UNSUCCESSFUL;
441 return backend->get_group_map_from_gid(gid, map) ?
442 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
445 NTSTATUS pdb_default_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
448 if (!init_group_mapping()) {
449 DEBUG(0,("failed to initialize group mapping\n"));
450 return NT_STATUS_UNSUCCESSFUL;
452 return backend->get_group_map_from_ntname(name, map) ?
453 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
456 NTSTATUS pdb_default_add_group_mapping_entry(struct pdb_methods *methods,
459 if (!init_group_mapping()) {
460 DEBUG(0,("failed to initialize group mapping\n"));
461 return NT_STATUS_UNSUCCESSFUL;
463 return backend->add_mapping_entry(map, TDB_INSERT) ?
464 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
467 NTSTATUS pdb_default_update_group_mapping_entry(struct pdb_methods *methods,
470 if (!init_group_mapping()) {
471 DEBUG(0,("failed to initialize group mapping\n"));
472 return NT_STATUS_UNSUCCESSFUL;
474 return backend->add_mapping_entry(map, TDB_REPLACE) ?
475 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
478 NTSTATUS pdb_default_delete_group_mapping_entry(struct pdb_methods *methods,
481 if (!init_group_mapping()) {
482 DEBUG(0,("failed to initialize group mapping\n"));
483 return NT_STATUS_UNSUCCESSFUL;
485 return backend->group_map_remove(&sid) ?
486 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
489 NTSTATUS pdb_default_enum_group_mapping(struct pdb_methods *methods,
490 const struct dom_sid *sid,
491 enum lsa_SidType sid_name_use,
492 GROUP_MAP ***pp_rmap,
493 size_t *p_num_entries,
496 if (!init_group_mapping()) {
497 DEBUG(0,("failed to initialize group mapping\n"));
498 return NT_STATUS_UNSUCCESSFUL;
500 return backend->enum_group_mapping(sid, sid_name_use, pp_rmap, p_num_entries, unix_only) ?
501 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
504 NTSTATUS pdb_default_create_alias(struct pdb_methods *methods,
505 const char *name, uint32_t *rid)
508 enum lsa_SidType type;
516 DEBUG(10, ("Trying to create alias %s\n", name));
518 mem_ctx = talloc_new(NULL);
519 if (mem_ctx == NULL) {
520 return NT_STATUS_NO_MEMORY;
523 exists = lookup_name(mem_ctx, name, LOOKUP_NAME_LOCAL,
524 NULL, NULL, &sid, &type);
527 status = NT_STATUS_ALIAS_EXISTS;
531 if (!pdb_new_rid(&new_rid)) {
532 DEBUG(0, ("Could not allocate a RID.\n"));
533 status = NT_STATUS_ACCESS_DENIED;
537 sid_compose(&sid, get_global_sam_sid(), new_rid);
539 if (!winbind_allocate_gid(&gid)) {
540 DEBUG(3, ("Could not get a gid out of winbind - "
541 "wasted a rid :-(\n"));
542 status = NT_STATUS_ACCESS_DENIED;
546 DEBUG(10, ("Creating alias %s with gid %u and rid %u\n",
547 name, (unsigned int)gid, (unsigned int)new_rid));
549 map = talloc_zero(mem_ctx, GROUP_MAP);
551 status = NT_STATUS_NO_MEMORY;
556 sid_copy(&map->sid, &sid);
557 map->sid_name_use = SID_NAME_ALIAS;
558 map->nt_name = talloc_strdup(map, name);
560 status = NT_STATUS_NO_MEMORY;
563 map->comment = talloc_strdup(map, "");
565 status = NT_STATUS_NO_MEMORY;
569 status = pdb_add_group_mapping_entry(map);
571 if (!NT_STATUS_IS_OK(status)) {
572 DEBUG(0, ("Could not add group mapping entry for alias %s "
573 "(%s)\n", name, nt_errstr(status)));
580 TALLOC_FREE(mem_ctx);
584 NTSTATUS pdb_default_delete_alias(struct pdb_methods *methods,
585 const struct dom_sid *sid)
587 return pdb_delete_group_mapping_entry(*sid);
590 NTSTATUS pdb_default_get_aliasinfo(struct pdb_methods *methods,
591 const struct dom_sid *sid,
592 struct acct_info *info)
594 NTSTATUS status = NT_STATUS_OK;
597 map = talloc_zero(NULL, GROUP_MAP);
599 return NT_STATUS_NO_MEMORY;
602 if (!pdb_getgrsid(map, *sid)) {
603 status = NT_STATUS_NO_SUCH_ALIAS;
607 if ((map->sid_name_use != SID_NAME_ALIAS) &&
608 (map->sid_name_use != SID_NAME_WKN_GRP)) {
609 struct dom_sid_buf buf;
610 DEBUG(2, ("%s is a %s, expected an alias\n",
611 dom_sid_str_buf(sid, &buf),
612 sid_type_lookup(map->sid_name_use)));
613 status = NT_STATUS_NO_SUCH_ALIAS;
617 info->acct_name = talloc_move(info, &map->nt_name);
618 if (!info->acct_name) {
619 status = NT_STATUS_NO_MEMORY;
622 info->acct_desc = talloc_move(info, &map->comment);
623 if (!info->acct_desc) {
624 status = NT_STATUS_NO_MEMORY;
627 sid_peek_rid(&map->sid, &info->rid);
634 NTSTATUS pdb_default_set_aliasinfo(struct pdb_methods *methods,
635 const struct dom_sid *sid,
636 struct acct_info *info)
638 NTSTATUS status = NT_STATUS_OK;
641 map = talloc_zero(NULL, GROUP_MAP);
643 return NT_STATUS_NO_MEMORY;
646 if (!pdb_getgrsid(map, *sid)) {
647 status = NT_STATUS_NO_SUCH_ALIAS;
651 map->nt_name = talloc_strdup(map, info->acct_name);
653 status = NT_STATUS_NO_MEMORY;
656 map->comment = talloc_strdup(map, info->acct_desc);
658 status = NT_STATUS_NO_MEMORY;
662 status = pdb_update_group_mapping_entry(map);
669 NTSTATUS pdb_default_add_aliasmem(struct pdb_methods *methods,
670 const struct dom_sid *alias, const struct dom_sid *member)
672 if (!init_group_mapping()) {
673 DEBUG(0,("failed to initialize group mapping\n"));
674 return NT_STATUS_UNSUCCESSFUL;
676 return backend->add_aliasmem(alias, member);
679 NTSTATUS pdb_default_del_aliasmem(struct pdb_methods *methods,
680 const struct dom_sid *alias, const struct dom_sid *member)
682 if (!init_group_mapping()) {
683 DEBUG(0,("failed to initialize group mapping\n"));
684 return NT_STATUS_UNSUCCESSFUL;
686 return backend->del_aliasmem(alias, member);
689 NTSTATUS pdb_default_enum_aliasmem(struct pdb_methods *methods,
690 const struct dom_sid *alias, TALLOC_CTX *mem_ctx,
691 struct dom_sid **pp_members, size_t *p_num_members)
693 if (!init_group_mapping()) {
694 DEBUG(0,("failed to initialize group mapping\n"));
695 return NT_STATUS_UNSUCCESSFUL;
697 return backend->enum_aliasmem(alias, mem_ctx, pp_members,
701 NTSTATUS pdb_default_alias_memberships(struct pdb_methods *methods,
703 const struct dom_sid *domain_sid,
704 const struct dom_sid *members,
706 uint32_t **pp_alias_rids,
707 size_t *p_num_alias_rids)
709 struct dom_sid *alias_sids;
710 size_t i, num_alias_sids;
713 if (!init_group_mapping()) {
714 DEBUG(0,("failed to initialize group mapping\n"));
715 return NT_STATUS_UNSUCCESSFUL;
721 result = alias_memberships(members, num_members,
722 &alias_sids, &num_alias_sids);
724 if (!NT_STATUS_IS_OK(result))
727 *p_num_alias_rids = 0;
729 if (num_alias_sids == 0) {
730 TALLOC_FREE(alias_sids);
734 *pp_alias_rids = talloc_array(mem_ctx, uint32_t, num_alias_sids);
735 if (*pp_alias_rids == NULL)
736 return NT_STATUS_NO_MEMORY;
738 for (i=0; i<num_alias_sids; i++) {
739 if (!sid_peek_check_rid(domain_sid, &alias_sids[i],
740 &(*pp_alias_rids)[*p_num_alias_rids]))
742 *p_num_alias_rids += 1;
745 TALLOC_FREE(alias_sids);
750 /**********************************************************************
751 no ops for passdb backends that don't implement group mapping
752 *********************************************************************/
754 NTSTATUS pdb_nop_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
757 return NT_STATUS_UNSUCCESSFUL;
760 NTSTATUS pdb_nop_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
763 return NT_STATUS_UNSUCCESSFUL;
766 NTSTATUS pdb_nop_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
769 return NT_STATUS_UNSUCCESSFUL;
772 NTSTATUS pdb_nop_add_group_mapping_entry(struct pdb_methods *methods,
775 return NT_STATUS_UNSUCCESSFUL;
778 NTSTATUS pdb_nop_update_group_mapping_entry(struct pdb_methods *methods,
781 return NT_STATUS_UNSUCCESSFUL;
784 NTSTATUS pdb_nop_delete_group_mapping_entry(struct pdb_methods *methods,
787 return NT_STATUS_UNSUCCESSFUL;
790 NTSTATUS pdb_nop_enum_group_mapping(struct pdb_methods *methods,
791 enum lsa_SidType sid_name_use,
792 GROUP_MAP **rmap, size_t *num_entries,
795 return NT_STATUS_UNSUCCESSFUL;
799 * @brief Add a new group mapping
801 * @param[in] gid gid to use to store the mapping. If gid is 0,
802 * new gid will be allocated from winbind
804 * @return Normal NTSTATUS return
806 NTSTATUS pdb_create_builtin_alias(uint32_t rid, gid_t gid)
809 enum lsa_SidType type;
813 const char *name = NULL;
815 DEBUG(10, ("Trying to create builtin alias %d\n", rid));
817 if ( !sid_compose( &sid, &global_sid_Builtin, rid ) ) {
818 return NT_STATUS_NO_SUCH_ALIAS;
821 /* use map as overall temp mem context */
822 map = talloc_zero(NULL, GROUP_MAP);
824 return NT_STATUS_NO_MEMORY;
827 if (!lookup_sid(map, &sid, NULL, &name, &type)) {
828 status = NT_STATUS_NO_SUCH_ALIAS;
833 if (!winbind_allocate_gid(&gidformap)) {
834 DEBUG(3, ("pdb_create_builtin_alias: Could not get a "
835 "gid out of winbind\n"));
836 status = NT_STATUS_ACCESS_DENIED;
843 DEBUG(10, ("Creating alias %s with gid %u\n", name,
844 (unsigned) gidformap));
846 map->gid = gidformap;
847 sid_copy(&map->sid, &sid);
848 map->sid_name_use = SID_NAME_ALIAS;
849 map->nt_name = talloc_strdup(map, name);
851 status = NT_STATUS_NO_MEMORY;
854 map->comment = talloc_strdup(map, "");
856 status = NT_STATUS_NO_MEMORY;
860 status = pdb_add_group_mapping_entry(map);
862 if (!NT_STATUS_IS_OK(status)) {
863 DEBUG(0, ("pdb_create_builtin_alias: Could not add group mapping entry for alias %d "
864 "(%s)\n", rid, nt_errstr(status)));