2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2000,
5 * Copyright (C) Jean François Micouleau 1998-2001.
6 * Copyright (C) Gerald Carter 2003,
7 * Copyright (C) Volker Lendecke 2004
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 #include "system/passwd.h"
26 #include "utils/net.h"
27 #include "../libcli/security/security.h"
30 /*********************************************************
31 Figure out if the input was an NT group or a SID string.
33 **********************************************************/
34 static bool get_sid_from_input(struct dom_sid *sid, char *input)
38 map = talloc_zero(NULL, GROUP_MAP);
43 if (strncasecmp_m( input, "S-", 2)) {
44 /* Perhaps its the NT group name? */
45 if (!pdb_getgrnam(map, input)) {
46 printf(_("NT Group %s doesn't exist in mapping DB\n"),
54 if (!string_to_sid(sid, input)) {
55 printf(_("converting sid %s from a string failed!\n"),
65 /*********************************************************
66 Dump a GROUP_MAP entry to stdout (long or short listing)
67 **********************************************************/
69 static void print_map_entry (const GROUP_MAP *map, bool long_list)
71 struct dom_sid_buf buf;
74 d_printf("%s (%s) -> %s\n", map->nt_name,
75 dom_sid_str_buf(&map->sid, &buf),
78 d_printf("%s\n", map->nt_name);
79 d_printf(_("\tSID : %s\n"),
80 dom_sid_str_buf(&map->sid, &buf));
81 d_printf(_("\tUnix gid : %u\n"), (unsigned int)map->gid);
82 d_printf(_("\tUnix group: %s\n"), gidtoname(map->gid));
83 d_printf(_("\tGroup type: %s\n"),
84 sid_type_lookup(map->sid_name_use));
85 d_printf(_("\tComment : %s\n"), map->comment);
89 /*********************************************************
91 **********************************************************/
92 static int net_groupmap_list(struct net_context *c, int argc, const char **argv)
95 bool long_list = false;
98 fstring sid_string = "";
99 const char list_usage_str[] = N_("net groupmap list [verbose] "
100 "[ntgroup=NT group] [sid=SID]\n"
101 " verbose\tPrint verbose list\n"
102 " ntgroup\tNT group to list\n"
103 " sid\tSID of group to list");
105 if (c->display_usage) {
106 d_printf("%s\n%s\n", _("Usage: "), list_usage_str);
110 if (c->opt_verbose || c->opt_long_list_entries)
113 /* get the options */
114 for ( i=0; i<argc; i++ ) {
115 if ( !strcasecmp_m(argv[i], "verbose")) {
118 else if ( !strncasecmp_m(argv[i], "ntgroup", strlen("ntgroup")) ) {
119 fstrcpy( ntgroup, get_string_param( argv[i] ) );
121 d_fprintf(stderr, _("must supply a name\n"));
125 else if ( !strncasecmp_m(argv[i], "sid", strlen("sid")) ) {
126 fstrcpy( sid_string, get_string_param( argv[i] ) );
127 if ( !sid_string[0] ) {
128 d_fprintf(stderr, _("must supply a SID\n"));
133 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
134 d_printf("%s\n%s\n", _("Usage:"), list_usage_str);
139 /* list a single group is given a name */
140 if ( ntgroup[0] || sid_string[0] ) {
145 strlcpy(ntgroup, sid_string, sizeof(ntgroup));
147 if (!get_sid_from_input(&sid, ntgroup)) {
151 map = talloc_zero(NULL, GROUP_MAP);
156 /* Get the current mapping from the database */
157 if(!pdb_getgrsid(map, sid)) {
159 _("Failure to local group SID in the "
165 print_map_entry(map, long_list );
169 GROUP_MAP **maps = NULL;
171 /* enumerate all group mappings */
172 ok = pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN,
179 for (i=0; i<entries; i++) {
180 print_map_entry(maps[i], long_list);
189 /*********************************************************
190 Add a new group mapping entry
191 **********************************************************/
193 static int net_groupmap_add(struct net_context *c, int argc, const char **argv)
196 fstring ntgroup = "";
197 fstring unixgrp = "";
198 fstring string_sid = "";
200 fstring ntcomment = "";
201 enum lsa_SidType sid_type = SID_NAME_DOM_GRP;
207 const char *name_type;
208 const char add_usage_str[] = N_("net groupmap add "
209 "{rid=<int>|sid=<string>}"
210 " unixgroup=<string> "
211 "[type=<domain|local|builtin>] "
212 "[ntgroup=<string>] "
213 "[comment=<string>]");
215 name_type = "domain group";
217 if (c->display_usage) {
218 d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
222 /* get the options */
223 for ( i=0; i<argc; i++ ) {
224 if ( !strncasecmp_m(argv[i], "rid", strlen("rid")) ) {
225 rid = get_int_param(argv[i]);
226 if ( rid < DOMAIN_RID_ADMINS ) {
228 _("RID must be greater than %d\n"),
229 (uint32_t)DOMAIN_RID_ADMINS-1);
233 else if ( !strncasecmp_m(argv[i], "unixgroup", strlen("unixgroup")) ) {
234 fstrcpy( unixgrp, get_string_param( argv[i] ) );
236 d_fprintf(stderr,_( "must supply a name\n"));
240 else if ( !strncasecmp_m(argv[i], "ntgroup", strlen("ntgroup")) ) {
241 fstrcpy( ntgroup, get_string_param( argv[i] ) );
243 d_fprintf(stderr, _("must supply a name\n"));
247 else if ( !strncasecmp_m(argv[i], "sid", strlen("sid")) ) {
248 fstrcpy( string_sid, get_string_param( argv[i] ) );
249 if ( !string_sid[0] ) {
250 d_fprintf(stderr, _("must supply a SID\n"));
254 else if ( !strncasecmp_m(argv[i], "comment", strlen("comment")) ) {
255 fstrcpy( ntcomment, get_string_param( argv[i] ) );
256 if ( !ntcomment[0] ) {
258 _("must supply a comment string\n"));
262 else if ( !strncasecmp_m(argv[i], "type", strlen("type")) ) {
263 fstrcpy( type, get_string_param( argv[i] ) );
267 sid_type = SID_NAME_WKN_GRP;
268 name_type = "wellknown group";
272 sid_type = SID_NAME_DOM_GRP;
273 name_type = "domain group";
277 sid_type = SID_NAME_ALIAS;
278 name_type = "alias (local) group";
282 _("unknown group type %s\n"),
288 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
294 d_printf("%s\n%s\n", _("Usage:\n"), add_usage_str);
298 if ( (gid = nametogid(unixgrp)) == (gid_t)-1 ) {
299 d_fprintf(stderr, _("Can't lookup UNIX group %s\n"), unixgrp);
303 map = talloc_zero(NULL, GROUP_MAP);
307 /* Default is domain group. */
308 map->sid_name_use = SID_NAME_DOM_GRP;
309 if (pdb_getgrgid(map, gid)) {
310 struct dom_sid_buf buf;
311 d_printf(_("Unix group %s already mapped to SID %s\n"),
312 unixgrp, dom_sid_str_buf(&map->sid, &buf));
318 if ( (rid == 0) && (string_sid[0] == '\0') ) {
319 d_printf(_("No rid or sid specified, choosing a RID\n"));
320 if (pdb_capabilities() & PDB_CAP_STORE_RIDS) {
321 if (!pdb_new_rid(&rid)) {
322 d_printf(_("Could not get new RID\n"));
325 rid = algorithmic_pdb_gid_to_group_rid(gid);
327 d_printf(_("Got RID %d\n"), rid);
330 /* append the rid to our own domain/machine SID if we don't have a full SID */
331 if ( !string_sid[0] ) {
332 sid_compose(&sid, get_global_sam_sid(), rid);
333 sid_to_fstring(string_sid, &sid);
338 case SID_NAME_WKN_GRP:
339 fstrcpy(ntcomment, "Wellknown Unix group");
341 case SID_NAME_DOM_GRP:
342 fstrcpy(ntcomment, "Domain Unix group");
345 fstrcpy(ntcomment, "Local Unix group");
348 fstrcpy(ntcomment, "Unix group");
354 strlcpy(ntgroup, unixgrp, sizeof(ntgroup));
356 if (!NT_STATUS_IS_OK(add_initial_entry(gid, string_sid, sid_type, ntgroup, ntcomment))) {
357 d_fprintf(stderr, _("adding entry for group %s failed!\n"), ntgroup);
361 d_printf(_("Successfully added group %s to the mapping db as a %s\n"),
366 static int net_groupmap_modify(struct net_context *c, int argc, const char **argv)
369 GROUP_MAP *map = NULL;
370 fstring ntcomment = "";
372 fstring ntgroup = "";
373 fstring unixgrp = "";
374 fstring sid_string = "";
375 enum lsa_SidType sid_type = SID_NAME_UNKNOWN;
378 const char modify_usage_str[] = N_("net groupmap modify "
379 "{ntgroup=<string>|sid=<SID>} "
380 "[comment=<string>] "
381 "[unixgroup=<string>] "
382 "[type=<domain|local>]");
384 if (c->display_usage) {
385 d_printf("%s\n%s\n", _("Usage:\n"), modify_usage_str);
389 /* get the options */
390 for ( i=0; i<argc; i++ ) {
391 if ( !strncasecmp_m(argv[i], "ntgroup", strlen("ntgroup")) ) {
392 fstrcpy( ntgroup, get_string_param( argv[i] ) );
394 d_fprintf(stderr, _("must supply a name\n"));
398 else if ( !strncasecmp_m(argv[i], "sid", strlen("sid")) ) {
399 fstrcpy( sid_string, get_string_param( argv[i] ) );
400 if ( !sid_string[0] ) {
401 d_fprintf(stderr, _("must supply a name\n"));
405 else if ( !strncasecmp_m(argv[i], "comment", strlen("comment")) ) {
406 fstrcpy( ntcomment, get_string_param( argv[i] ) );
407 if ( !ntcomment[0] ) {
409 _("must supply a comment string\n"));
413 else if ( !strncasecmp_m(argv[i], "unixgroup", strlen("unixgroup")) ) {
414 fstrcpy( unixgrp, get_string_param( argv[i] ) );
417 _("must supply a group name\n"));
421 else if ( !strncasecmp_m(argv[i], "type", strlen("type")) ) {
422 fstrcpy( type, get_string_param( argv[i] ) );
426 sid_type = SID_NAME_DOM_GRP;
430 sid_type = SID_NAME_ALIAS;
435 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
440 if ( !ntgroup[0] && !sid_string[0] ) {
441 d_printf("%s\n%s\n", _("Usage:\n"), modify_usage_str);
445 /* give preference to the SID; if both the ntgroup name and SID
446 are defined, use the SID and assume that the group name could be a
449 if ( sid_string[0] ) {
450 if (!get_sid_from_input(&sid, sid_string)) {
455 if (!get_sid_from_input(&sid, ntgroup)) {
460 map = talloc_zero(NULL, GROUP_MAP);
465 /* Get the current mapping from the database */
466 if(!pdb_getgrsid(map, sid)) {
468 _("Failed to find local group SID in the database\n"));
474 * Allow changing of group type only between domain and local
475 * We disallow changing Builtin groups !!! (SID problem)
477 if (sid_type == SID_NAME_UNKNOWN) {
478 d_fprintf(stderr, _("Can't map to an unknown group type.\n"));
483 if (map->sid_name_use == SID_NAME_WKN_GRP) {
485 _("You can only change between domain and local "
491 map->sid_name_use = sid_type;
493 /* Change comment if new one */
495 map->comment = talloc_strdup(map, ntcomment);
497 d_fprintf(stderr, _("Out of memory!\n"));
503 map->nt_name = talloc_strdup(map, ntgroup);
505 d_fprintf(stderr, _("Out of memory!\n"));
511 gid = nametogid( unixgrp );
513 d_fprintf(stderr, _("Unable to lookup UNIX group %s. "
514 "Make sure the group exists.\n"),
523 if (!NT_STATUS_IS_OK(pdb_update_group_mapping_entry(map))) {
524 d_fprintf(stderr, _("Could not update group database\n"));
529 d_printf(_("Updated mapping entry for %s\n"), map->nt_name);
535 static int net_groupmap_delete(struct net_context *c, int argc, const char **argv)
538 fstring ntgroup = "";
539 fstring sid_string = "";
541 const char delete_usage_str[] = N_("net groupmap delete "
542 "{ntgroup=<string>|sid=<SID>}");
544 if (c->display_usage) {
545 d_printf("%s\n%s\n", _("Usage:\n"), delete_usage_str);
549 /* get the options */
550 for ( i=0; i<argc; i++ ) {
551 if ( !strncasecmp_m(argv[i], "ntgroup", strlen("ntgroup")) ) {
552 fstrcpy( ntgroup, get_string_param( argv[i] ) );
554 d_fprintf(stderr, _("must supply a name\n"));
558 else if ( !strncasecmp_m(argv[i], "sid", strlen("sid")) ) {
559 fstrcpy( sid_string, get_string_param( argv[i] ) );
560 if ( !sid_string[0] ) {
561 d_fprintf(stderr, _("must supply a SID\n"));
566 d_fprintf(stderr, _("Bad option: %s\n"), argv[i]);
571 if ( !ntgroup[0] && !sid_string[0]) {
572 d_printf("%s\n%s\n", _("Usage:\n"), delete_usage_str);
576 /* give preference to the SID if we have that */
579 strlcpy(ntgroup, sid_string, sizeof(ntgroup));
581 if ( !get_sid_from_input(&sid, ntgroup) ) {
582 d_fprintf(stderr, _("Unable to resolve group %s to a SID\n"),
587 if ( !NT_STATUS_IS_OK(pdb_delete_group_mapping_entry(sid)) ) {
589 _("Failed to remove group %s from the mapping db!\n"),
594 d_printf(_("Successfully removed %s from the mapping db\n"), ntgroup);
599 static int net_groupmap_set(struct net_context *c, int argc, const char **argv)
601 const char *ntgroup = NULL;
602 struct group *grp = NULL;
604 bool have_map = false;
606 if ((argc < 1) || (argc > 2) || c->display_usage) {
609 _(" net groupmap set \"NT Group\" "
610 "[\"unix group\"] [-C \"comment\"] [-L] [-D]\n"));
614 if ( c->opt_localgroup && c->opt_domaingroup ) {
615 d_printf(_("Can only specify -L or -D, not both\n"));
622 grp = getgrnam(argv[1]);
625 d_fprintf(stderr, _("Could not find unix group %s\n"),
631 map = talloc_zero(NULL, GROUP_MAP);
633 d_printf(_("Out of memory!\n"));
637 have_map = pdb_getgrnam(map, ntgroup);
641 have_map = ( (strncmp(ntgroup, "S-", 2) == 0) &&
642 string_to_sid(&sid, ntgroup) &&
643 pdb_getgrsid(map, sid) );
652 _("Could not find group mapping for %s\n"),
658 map->gid = grp->gr_gid;
660 if (c->opt_rid == 0) {
661 if ( pdb_capabilities() & PDB_CAP_STORE_RIDS ) {
662 if ( !pdb_new_rid((uint32_t *)&c->opt_rid) ) {
664 _("Could not allocate new RID\n"));
669 c->opt_rid = algorithmic_pdb_gid_to_group_rid(map->gid);
673 sid_compose(&map->sid, get_global_sam_sid(), c->opt_rid);
675 map->sid_name_use = SID_NAME_DOM_GRP;
676 map->nt_name = talloc_strdup(map, ntgroup);
677 map->comment = talloc_strdup(map, "");
678 if (!map->nt_name || !map->comment) {
679 d_printf(_("Out of memory!\n"));
684 if (!NT_STATUS_IS_OK(pdb_add_group_mapping_entry(map))) {
686 _("Could not add mapping entry for %s\n"),
693 /* Now we have a mapping entry, update that stuff */
695 if ( c->opt_localgroup || c->opt_domaingroup ) {
696 if (map->sid_name_use == SID_NAME_WKN_GRP) {
698 _("Can't change type of the BUILTIN "
706 if (c->opt_localgroup)
707 map->sid_name_use = SID_NAME_ALIAS;
709 if (c->opt_domaingroup)
710 map->sid_name_use = SID_NAME_DOM_GRP;
712 /* The case (opt_domaingroup && opt_localgroup) was tested for above */
714 if ((c->opt_comment != NULL) && (strlen(c->opt_comment) > 0)) {
715 map->comment = talloc_strdup(map, c->opt_comment);
717 d_printf(_("Out of memory!\n"));
723 if ((c->opt_newntname != NULL) && (strlen(c->opt_newntname) > 0)) {
724 map->nt_name = talloc_strdup(map, c->opt_newntname);
726 d_printf(_("Out of memory!\n"));
733 map->gid = grp->gr_gid;
735 if (!NT_STATUS_IS_OK(pdb_update_group_mapping_entry(map))) {
736 d_fprintf(stderr, _("Could not update group mapping for %s\n"),
746 static int net_groupmap_cleanup(struct net_context *c, int argc, const char **argv)
748 GROUP_MAP **maps = NULL;
751 if (c->display_usage) {
753 "net groupmap cleanup\n"
756 _("Delete all group mappings"));
760 if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &maps, &entries,
762 d_fprintf(stderr, _("Could not list group mappings\n"));
766 for (i=0; i<entries; i++) {
768 if (maps[i]->gid == -1)
769 printf(_("Group %s is not mapped\n"),
772 if (!sid_check_is_in_our_sam(&maps[i]->sid) &&
773 !sid_check_is_in_builtin(&maps[i]->sid))
775 struct dom_sid_buf buf;
776 printf(_("Deleting mapping for NT Group %s, sid %s\n"),
778 dom_sid_str_buf(&maps[i]->sid, &buf));
779 pdb_delete_group_mapping_entry(maps[i]->sid);
787 static int net_groupmap_addmem(struct net_context *c, int argc, const char **argv)
789 struct dom_sid alias, member;
793 !string_to_sid(&alias, argv[0]) ||
794 !string_to_sid(&member, argv[1]) ) {
797 _("net groupmap addmem alias-sid member-sid\n"));
801 if (!NT_STATUS_IS_OK(pdb_add_aliasmem(&alias, &member))) {
802 d_fprintf(stderr, _("Could not add sid %s to alias %s\n"),
810 static int net_groupmap_delmem(struct net_context *c, int argc, const char **argv)
812 struct dom_sid alias, member;
816 !string_to_sid(&alias, argv[0]) ||
817 !string_to_sid(&member, argv[1]) ) {
820 _("net groupmap delmem alias-sid member-sid\n"));
824 if (!NT_STATUS_IS_OK(pdb_del_aliasmem(&alias, &member))) {
825 d_fprintf(stderr, _("Could not delete sid %s from alias %s\n"),
833 static int net_groupmap_listmem(struct net_context *c, int argc, const char **argv)
835 struct dom_sid alias;
836 struct dom_sid *members;
841 !string_to_sid(&alias, argv[0]) ) {
844 _("net groupmap listmem alias-sid\n"));
851 if (!NT_STATUS_IS_OK(pdb_enum_aliasmem(&alias, talloc_tos(),
853 d_fprintf(stderr, _("Could not list members for sid %s\n"),
858 for (i = 0; i < num; i++) {
859 struct dom_sid_buf buf;
860 printf("%s\n", dom_sid_str_buf(&(members[i]), &buf));
863 TALLOC_FREE(members);
868 static bool print_alias_memberships(TALLOC_CTX *mem_ctx,
869 const struct dom_sid *domain_sid,
870 const struct dom_sid *member)
872 uint32_t *alias_rids;
873 size_t i, num_alias_rids;
874 struct dom_sid_buf buf;
879 if (!NT_STATUS_IS_OK(pdb_enum_alias_memberships(
880 mem_ctx, domain_sid, member, 1,
881 &alias_rids, &num_alias_rids))) {
882 d_fprintf(stderr, _("Could not list memberships for sid %s\n"),
883 dom_sid_str_buf(member, &buf));
887 for (i = 0; i < num_alias_rids; i++) {
888 struct dom_sid alias;
889 sid_compose(&alias, domain_sid, alias_rids[i]);
890 printf("%s\n", dom_sid_str_buf(&alias, &buf));
896 static int net_groupmap_memberships(struct net_context *c, int argc, const char **argv)
899 struct dom_sid *domain_sid, member;
903 !string_to_sid(&member, argv[0]) ) {
906 _("net groupmap memberships sid\n"));
910 mem_ctx = talloc_init("net_groupmap_memberships");
911 if (mem_ctx == NULL) {
912 d_fprintf(stderr, _("talloc_init failed\n"));
916 domain_sid = get_global_sam_sid();
917 if (domain_sid == NULL) {
918 d_fprintf(stderr, _("Could not get domain sid\n"));
922 if (!print_alias_memberships(mem_ctx, domain_sid, &member) ||
923 !print_alias_memberships(mem_ctx, &global_sid_Builtin, &member))
926 talloc_destroy(mem_ctx);
931 /***********************************************************
932 migrated functionality from smbgroupedit
933 **********************************************************/
934 int net_groupmap(struct net_context *c, int argc, const char **argv)
936 struct functable func[] = {
941 N_("Create a new group mapping"),
942 N_("net groupmap add\n"
943 " Create a new group mapping")
949 N_("Update a group mapping"),
950 N_("net groupmap modify\n"
951 " Modify an existing group mapping")
957 N_("Remove a group mapping"),
958 N_("net groupmap delete\n"
959 " Remove a group mapping")
965 N_("Set group mapping"),
966 N_("net groupmap set\n"
967 " Set a group mapping")
971 net_groupmap_cleanup,
973 N_("Remove foreign group mapping entries"),
974 N_("net groupmap cleanup\n"
975 " Remove foreign group mapping entries")
981 N_("Add a foreign alias member"),
982 N_("net groupmap addmem\n"
983 " Add a foreign alias member")
989 N_("Delete foreign alias member"),
990 N_("net groupmap delmem\n"
991 " Delete foreign alias member")
995 net_groupmap_listmem,
997 N_("List foreign group members"),
998 N_("net groupmap listmem\n"
999 " List foreign alias members")
1003 net_groupmap_memberships,
1004 NET_TRANSPORT_LOCAL,
1005 N_("List foreign group memberships"),
1006 N_("net groupmap memberships\n"
1007 " List foreign group memberships")
1012 NET_TRANSPORT_LOCAL,
1013 N_("List current group map"),
1014 N_("net groupmap list\n"
1015 " List current group map")
1017 {NULL, NULL, 0, NULL, NULL}
1020 return net_run_function(c,argc, argv, "net groupmap", func);
git.samba.org / garming / samba-autobuild / .git / blob