Copyright (C) Tim Potter 2000-2001,2003
Copyright (C) Simo Sorce 2003
Copyright (C) Volker Lendecke 2004
+ Copyright (C) Jeremy Allison 2008
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
-/* Query display info for a domain. This returns enough information plus a
- bit extra to give an overview of domain users for the User Manager
- application. */
-static NTSTATUS query_user_list(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- uint32 *num_entries,
- WINBIND_USERINFO **info)
-{
- /* We don't have users */
- *num_entries = 0;
- *info = NULL;
- return NT_STATUS_OK;
-}
-
-/* list all domain groups */
-static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+static NTSTATUS enum_groups_internal(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_entries,
- struct acct_info **info)
-{
- /* We don't have domain groups */
- *num_entries = 0;
- *info = NULL;
- return NT_STATUS_OK;
-}
-
-/* List all domain groups */
-
-static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- uint32 *num_entries,
- struct acct_info **info)
+ struct acct_info **info,
+ enum lsa_SidType sidtype)
{
struct pdb_search *search;
- struct samr_displayentry *aliases;
+ struct samr_displayentry *entries;
int i;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- search = pdb_search_aliases(&domain->sid);
+ if (sidtype == SID_NAME_ALIAS) {
+ search = pdb_search_aliases(&domain->sid);
+ } else {
+ search = pdb_search_groups();
+ }
+
if (search == NULL) goto done;
- *num_entries = pdb_search_entries(search, 0, 0xffffffff, &aliases);
- if (*num_entries == 0) goto done;
+ *num_entries = pdb_search_entries(search, 0, 0xffffffff, &entries);
+ if (*num_entries == 0) {
+ /* Zero entries isn't an error */
+ result = NT_STATUS_OK;
+ goto done;
+ }
*info = TALLOC_ARRAY(mem_ctx, struct acct_info, *num_entries);
if (*info == NULL) {
}
for (i=0; i<*num_entries; i++) {
- fstrcpy((*info)[i].acct_name, aliases[i].account_name);
- fstrcpy((*info)[i].acct_desc, aliases[i].description);
- (*info)[i].rid = aliases[i].rid;
+ fstrcpy((*info)[i].acct_name, entries[i].account_name);
+ fstrcpy((*info)[i].acct_desc, entries[i].description);
+ (*info)[i].rid = entries[i].rid;
}
result = NT_STATUS_OK;
return result;
}
+/* List all local groups (aliases) */
+static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ struct acct_info **info)
+{
+ return enum_groups_internal(domain,
+ mem_ctx,
+ num_entries,
+ info,
+ SID_NAME_ALIAS);
+}
+
/* convert a single name to a sid in a domain */
static NTSTATUS name_to_sid(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
DOM_SID *sid,
enum lsa_SidType *type)
{
+ const char *fullname;
uint32 flags = LOOKUP_NAME_ALL;
switch ( original_cmd ) {
break;
}
- DEBUG(10, ("Finding name %s\n", name));
+ if (domain_name && domain_name[0] && strchr_m(name, '\\') == NULL) {
+ fullname = talloc_asprintf(mem_ctx, "%s\\%s",
+ domain_name, name);
+ if (fullname == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ fullname = name;
+ }
+
+ DEBUG(10, ("Finding fullname %s\n", fullname));
- if ( !lookup_name( mem_ctx, name, flags, NULL, NULL, sid, type ) ) {
+ if ( !lookup_name( mem_ctx, fullname, flags, NULL, NULL, sid, type ) ) {
return NT_STATUS_NONE_MAPPED;
}
+ DEBUG(10, ("name_to_sid for %s returned %s (%s)\n",
+ fullname,
+ sid_string_dbg(sid),
+ sid_type_lookup((uint32)*type)));
+
return NT_STATUS_OK;
}
char ***names,
enum lsa_SidType **types)
{
- return NT_STATUS_UNSUCCESSFUL;
-}
+ size_t i;
+ bool have_mapped;
+ bool have_unmapped;
-/* Lookup user information from a rid or username. */
-static NTSTATUS query_user(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- const DOM_SID *user_sid,
- WINBIND_USERINFO *user_info)
-{
- return NT_STATUS_NO_SUCH_USER;
+ *domain_name = NULL;
+ *names = NULL;
+ *types = NULL;
+
+ if (!num_rids) {
+ return NT_STATUS_OK;
+ }
+
+ /* Paranoia check */
+ if (!sid_check_is_in_builtin(sid) &&
+ !sid_check_is_in_our_domain(sid) &&
+ !sid_check_is_in_unix_users(sid) &&
+ !sid_check_is_unix_users(sid) &&
+ !sid_check_is_in_unix_groups(sid) &&
+ !sid_check_is_unix_groups(sid) &&
+ !sid_check_is_in_wellknown_domain(sid))
+ {
+ DEBUG(0, ("Possible deadlock: Trying to lookup SID %s with "
+ "passdb backend\n", sid_string_dbg(sid)));
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ *names = TALLOC_ARRAY(mem_ctx, char *, num_rids);
+ *types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids);
+
+ if ((*names == NULL) || (*types == NULL)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ have_mapped = have_unmapped = false;
+
+ for (i=0; i<num_rids; i++) {
+ DOM_SID lsid;
+ const char *dom = NULL, *nam = NULL;
+ enum lsa_SidType type = SID_NAME_UNKNOWN;
+
+ if (!sid_compose(&lsid, sid, rids[i])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (!lookup_sid(mem_ctx, &lsid, &dom, &nam, &type)) {
+ have_unmapped = true;
+ (*types)[i] = SID_NAME_UNKNOWN;
+ (*names)[i] = talloc_strdup(mem_ctx, "");
+ } else {
+ have_mapped = true;
+ (*types)[i] = type;
+ (*names)[i] = CONST_DISCARD(char *, nam);
+ }
+
+ if (*domain_name == NULL) {
+ *domain_name = CONST_DISCARD(char *, dom);
+ } else {
+ char *dname = CONST_DISCARD(char *, dom);
+ TALLOC_FREE(dname);
+ }
+ }
+
+ if (!have_mapped) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+ if (!have_unmapped) {
+ return NT_STATUS_OK;
+ }
+ return STATUS_SOME_UNMAPPED;
}
/* Lookup groups a user is a member of. I wish Unix had a call like this! */
}
if ( !pdb_getsampwsid( user, user_sid ) ) {
+ TALLOC_FREE( user );
return NT_STATUS_NO_SUCH_USER;
}
return result;
}
+/* find the sequence number for a domain */
+static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
+{
+ bool result;
+ time_t seq_num;
+
+ result = pdb_get_seq_num(&seq_num);
+ if (!result) {
+ *seq = 1;
+ }
+
+ *seq = (int) seq_num;
+ /* *seq = 1; */
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS lockout_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo12 *policy)
+{
+ /* actually we have that */
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS password_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo1 *policy)
+{
+ uint32 min_pass_len,pass_hist,password_properties;
+ time_t u_expire, u_min_age;
+ NTTIME nt_expire, nt_min_age;
+ uint32 account_policy_temp;
+
+ if ((policy = TALLOC_ZERO_P(mem_ctx, struct samr_DomInfo1)) == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ min_pass_len = account_policy_temp;
+
+ if (!pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ pass_hist = account_policy_temp;
+
+ if (!pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ password_properties = account_policy_temp;
+
+ if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ u_expire = account_policy_temp;
+
+ if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ u_min_age = account_policy_temp;
+
+ unix_to_nt_time_abs(&nt_expire, u_expire);
+ unix_to_nt_time_abs(&nt_min_age, u_min_age);
+
+ init_samr_DomInfo1(policy,
+ (uint16)min_pass_len,
+ (uint16)pass_hist,
+ password_properties,
+ nt_expire,
+ nt_min_age);
+
+ return NT_STATUS_OK;
+}
+
+/*********************************************************************
+ BUILTIN specific functions.
+*********************************************************************/
+
+/* list all domain groups */
+static NTSTATUS builtin_enum_dom_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ struct acct_info **info)
+{
+ /* BUILTIN doesn't have domain groups */
+ *num_entries = 0;
+ *info = NULL;
+ return NT_STATUS_OK;
+}
+
+/* Query display info for a domain. This returns enough information plus a
+ bit extra to give an overview of domain users for the User Manager
+ application. */
+static NTSTATUS builtin_query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ WINBIND_USERINFO **info)
+{
+ /* We don't have users */
+ *num_entries = 0;
+ *info = NULL;
+ return NT_STATUS_OK;
+}
+
+/* Lookup user information from a rid or username. */
+static NTSTATUS builtin_query_user(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const DOM_SID *user_sid,
+ WINBIND_USERINFO *user_info)
+{
+ return NT_STATUS_NO_SUCH_USER;
+}
+
+static NTSTATUS builtin_lookup_groupmem(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const DOM_SID *group_sid, uint32 *num_names,
+ DOM_SID **sid_mem, char ***names,
+ uint32 **name_types)
+{
+ *num_names = 0;
+ *sid_mem = NULL;
+ *names = NULL;
+ *name_types = 0;
+ return NT_STATUS_NO_SUCH_GROUP;
+}
+
+/* get a list of trusted domains - builtin domain */
+static NTSTATUS builtin_trusted_domains(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_domains,
+ char ***names,
+ char ***alt_names,
+ DOM_SID **dom_sids)
+{
+ *num_domains = 0;
+ *names = NULL;
+ *alt_names = NULL;
+ *dom_sids = NULL;
+ return NT_STATUS_OK;
+}
+
+/*********************************************************************
+ SAM specific functions.
+*********************************************************************/
+
+/* list all domain groups */
+static NTSTATUS sam_enum_dom_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ struct acct_info **info)
+{
+ return enum_groups_internal(domain,
+ mem_ctx,
+ num_entries,
+ info,
+ SID_NAME_DOM_GRP);
+}
+
+static NTSTATUS sam_query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ WINBIND_USERINFO **info)
+{
+ struct pdb_search *ps = pdb_search_users(ACB_NORMAL);
+ struct samr_displayentry *entries = NULL;
+ uint32 i;
+
+ *num_entries = 0;
+ *info = NULL;
+
+ if (!ps) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *num_entries = pdb_search_entries(ps,
+ 1, 0xffffffff,
+ &entries);
+
+ *info = TALLOC_ZERO_ARRAY(mem_ctx, WINBIND_USERINFO, *num_entries);
+ if (!(*info)) {
+ pdb_search_destroy(ps);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < *num_entries; i++) {
+ struct samr_displayentry *e = &entries[i];
+
+ (*info)[i].acct_name = talloc_strdup(mem_ctx, e->account_name );
+ (*info)[i].full_name = talloc_strdup(mem_ctx, e->fullname );
+ (*info)[i].homedir = NULL;
+ (*info)[i].shell = NULL;
+ sid_compose(&(*info)[i].user_sid, &domain->sid, e->rid);
+
+ /* For the moment we set the primary group for
+ every user to be the Domain Users group.
+ There are serious problems with determining
+ the actual primary group for large domains.
+ This should really be made into a 'winbind
+ force group' smb.conf parameter or
+ something like that. */
+
+ sid_compose(&(*info)[i].group_sid, &domain->sid,
+ DOMAIN_GROUP_RID_USERS);
+ }
+
+ pdb_search_destroy(ps);
+ return NT_STATUS_OK;
+}
+
+/* Lookup user information from a rid or username. */
+static NTSTATUS sam_query_user(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const DOM_SID *user_sid,
+ WINBIND_USERINFO *user_info)
+{
+ struct samu *sampass = NULL;
+
+ ZERO_STRUCTP(user_info);
+
+ if (!sid_check_is_in_our_domain(user_sid)) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ DEBUG(10,("sam_query_user: getting samu info for sid %s\n",
+ sid_string_dbg(user_sid) ));
+
+ if (!(sampass = samu_new(mem_ctx))) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_getsampwsid(sampass, user_sid)) {
+ TALLOC_FREE(sampass);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ if (pdb_get_group_sid(sampass) == NULL) {
+ TALLOC_FREE(sampass);
+ return NT_STATUS_NO_SUCH_GROUP;
+ }
+
+ DEBUG(10,("sam_query_user: group sid %s\n",
+ sid_string_dbg(sampass->group_sid) ));
+
+ sid_copy(&user_info->user_sid, user_sid);
+ sid_copy(&user_info->group_sid, sampass->group_sid);
+
+ user_info->acct_name = talloc_strdup(mem_ctx, sampass->username ?
+ sampass->username : "");
+ user_info->full_name = talloc_strdup(mem_ctx, sampass->full_name ?
+ sampass->full_name : "");
+ user_info->homedir = talloc_strdup(mem_ctx, sampass->home_dir ?
+ sampass->home_dir : "");
+ if (sampass->unix_pw && sampass->unix_pw->pw_shell) {
+ user_info->shell = talloc_strdup(mem_ctx, sampass->unix_pw->pw_shell);
+ } else {
+ user_info->shell = talloc_strdup(mem_ctx, "");
+ }
+ user_info->primary_gid = sampass->unix_pw ? sampass->unix_pw->pw_gid : (gid_t)-1;
+
+ TALLOC_FREE(sampass);
+ return NT_STATUS_OK;
+}
+
/* Lookup group membership given a rid. */
-static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+static NTSTATUS sam_lookup_groupmem(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const DOM_SID *group_sid, uint32 *num_names,
DOM_SID **sid_mem, char ***names,
return NT_STATUS_OK;
}
-/* find the sequence number for a domain */
-static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
-{
- bool result;
- time_t seq_num;
-
- result = pdb_get_seq_num(&seq_num);
- if (!result) {
- *seq = 1;
- }
-
- *seq = (int) seq_num;
- /* *seq = 1; */
- return NT_STATUS_OK;
-}
-
-static NTSTATUS lockout_policy(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- struct samr_DomInfo12 *policy)
-{
- /* actually we have that */
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static NTSTATUS password_policy(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- struct samr_DomInfo1 *policy)
-{
- uint32 min_pass_len,pass_hist,password_properties;
- time_t u_expire, u_min_age;
- NTTIME nt_expire, nt_min_age;
- uint32 account_policy_temp;
-
- if ((policy = TALLOC_ZERO_P(mem_ctx, struct samr_DomInfo1)) == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- min_pass_len = account_policy_temp;
-
- if (!pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- pass_hist = account_policy_temp;
-
- if (!pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- password_properties = account_policy_temp;
-
- if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- u_expire = account_policy_temp;
-
- if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- u_min_age = account_policy_temp;
-
- unix_to_nt_time_abs(&nt_expire, u_expire);
- unix_to_nt_time_abs(&nt_min_age, u_min_age);
-
- init_samr_DomInfo1(policy,
- (uint16)min_pass_len,
- (uint16)pass_hist,
- password_properties,
- nt_expire,
- nt_min_age);
-
- return NT_STATUS_OK;
-}
-
/* get a list of trusted domains */
-static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+static NTSTATUS sam_trusted_domains(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_domains,
char ***names,
}
/* the rpc backend methods are exposed via this structure */
-struct winbindd_methods passdb_methods = {
- False,
- query_user_list,
- enum_dom_groups,
+struct winbindd_methods builtin_passdb_methods = {
+ false,
+ builtin_query_user_list,
+ builtin_enum_dom_groups,
+ enum_local_groups,
+ name_to_sid,
+ sid_to_name,
+ rids_to_names,
+ builtin_query_user,
+ lookup_usergroups,
+ lookup_useraliases,
+ builtin_lookup_groupmem,
+ sequence_number,
+ lockout_policy,
+ password_policy,
+ builtin_trusted_domains,
+};
+
+/* the rpc backend methods are exposed via this structure */
+struct winbindd_methods sam_passdb_methods = {
+ false,
+ sam_query_user_list,
+ sam_enum_dom_groups,
enum_local_groups,
name_to_sid,
sid_to_name,
rids_to_names,
- query_user,
+ sam_query_user,
lookup_usergroups,
lookup_useraliases,
- lookup_groupmem,
+ sam_lookup_groupmem,
sequence_number,
lockout_policy,
password_policy,
- trusted_domains,
+ sam_trusted_domains,
};
git.samba.org / jra / samba / .git / blobdiff