2 Unix SMB/CIFS implementation.
4 Winbind daemon - user related functions
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jeremy Allison 2001.
8 Copyright (C) Gerald (Jerry) Carter 2003.
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #define DBGC_CLASS DBGC_WINBIND
30 static BOOL fillup_pw_field(const char *lp_template,
43 /* The substitution of %U and %D in the 'template
44 homedir' is done by talloc_sub_specified() below.
45 If we have an in string (which means the value has already
46 been set in the nss_info backend), then use that.
47 Otherwise use the template value passed in. */
49 if ( in && !strequal(in,"") && lp_security() == SEC_ADS ) {
50 templ = talloc_sub_specified(NULL, in,
54 templ = talloc_sub_specified(NULL, lp_template,
62 safe_strcpy(out, templ, sizeof(fstring) - 1);
68 /* Fill a pwent structure with information we have obtained */
70 static BOOL winbindd_fill_pwent(char *dom_name, char *user_name,
71 DOM_SID *user_sid, DOM_SID *group_sid,
72 char *full_name, char *homedir, char *shell,
73 struct winbindd_pw *pw)
75 fstring output_username;
78 if (!pw || !dom_name || !user_name)
81 /* Resolve the uid number */
83 if (!NT_STATUS_IS_OK(idmap_sid_to_uid(user_sid, &pw->pw_uid))) {
84 DEBUG(1, ("error getting user id for sid %s\n", sid_to_string(sid_string, user_sid)));
88 /* Resolve the gid number */
90 if (!NT_STATUS_IS_OK(idmap_sid_to_gid(group_sid, &pw->pw_gid))) {
91 DEBUG(1, ("error getting group id for sid %s\n", sid_to_string(sid_string, group_sid)));
95 strlower_m(user_name);
99 fill_domain_username(output_username, dom_name, user_name, True);
101 safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1);
103 /* Full name (gecos) */
105 safe_strcpy(pw->pw_gecos, full_name, sizeof(pw->pw_gecos) - 1);
107 /* Home directory and shell */
109 if (!fillup_pw_field(lp_template_homedir(), user_name, dom_name,
110 pw->pw_uid, pw->pw_gid, homedir, pw->pw_dir))
113 if (!fillup_pw_field(lp_template_shell(), user_name, dom_name,
114 pw->pw_uid, pw->pw_gid, shell, pw->pw_shell))
117 /* Password - set to "*" as we can't generate anything useful here.
118 Authentication can be done using the pam_winbind module. */
120 safe_strcpy(pw->pw_passwd, "*", sizeof(pw->pw_passwd) - 1);
125 /* Wrapper for domain->methods->query_user, only on the parent->child pipe */
127 enum winbindd_result winbindd_dual_userinfo(struct winbindd_domain *domain,
128 struct winbindd_cli_state *state)
131 WINBIND_USERINFO user_info;
134 /* Ensure null termination */
135 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
137 DEBUG(3, ("[%5lu]: lookupsid %s\n", (unsigned long)state->pid,
138 state->request.data.sid));
140 if (!string_to_sid(&sid, state->request.data.sid)) {
141 DEBUG(5, ("%s not a SID\n", state->request.data.sid));
142 return WINBINDD_ERROR;
145 status = domain->methods->query_user(domain, state->mem_ctx,
147 if (!NT_STATUS_IS_OK(status)) {
148 DEBUG(1, ("error getting user info for sid %s\n",
149 sid_string_static(&sid)));
150 return WINBINDD_ERROR;
153 fstrcpy(state->response.data.user_info.acct_name, user_info.acct_name);
154 fstrcpy(state->response.data.user_info.full_name, user_info.full_name);
155 fstrcpy(state->response.data.user_info.homedir, user_info.homedir);
156 fstrcpy(state->response.data.user_info.shell, user_info.shell);
157 state->response.data.user_info.primary_gid = user_info.primary_gid;
158 if (!sid_peek_check_rid(&domain->sid, &user_info.group_sid,
159 &state->response.data.user_info.group_rid)) {
160 DEBUG(1, ("Could not extract group rid out of %s\n",
161 sid_string_static(&sid)));
162 return WINBINDD_ERROR;
168 struct getpwsid_state {
169 struct winbindd_cli_state *state;
170 struct winbindd_domain *domain;
181 static void getpwsid_queryuser_recv(void *private_data, BOOL success,
182 const char *acct_name,
183 const char *full_name,
188 static void getpwsid_sid2uid_recv(void *private_data, BOOL success, uid_t uid);
189 static void getpwsid_sid2gid_recv(void *private_data, BOOL success, gid_t gid);
191 static void winbindd_getpwsid(struct winbindd_cli_state *state,
194 struct getpwsid_state *s;
196 s = TALLOC_ZERO_P(state->mem_ctx, struct getpwsid_state);
198 DEBUG(0, ("talloc failed\n"));
203 s->domain = find_domain_from_sid_noinit(sid);
204 if (s->domain == NULL) {
205 DEBUG(3, ("Could not find domain for sid %s\n",
206 sid_string_static(sid)));
210 sid_copy(&s->user_sid, sid);
212 query_user_async(s->state->mem_ctx, s->domain, sid,
213 getpwsid_queryuser_recv, s);
217 request_error(state);
220 static void getpwsid_queryuser_recv(void *private_data, BOOL success,
221 const char *acct_name,
222 const char *full_name,
229 struct getpwsid_state *s =
230 talloc_get_type_abort(private_data, struct getpwsid_state);
233 DEBUG(5, ("Could not query domain %s SID %s\n", s->domain->name,
234 sid_string_static(&s->user_sid)));
235 request_error(s->state);
239 if ( acct_name && *acct_name ) {
240 fstrcpy( username, acct_name );
242 char *domain_name = NULL;
243 enum lsa_SidType type;
244 char *user_name = NULL;
245 struct winbindd_domain *domain = NULL;
247 domain = find_lookup_domain_from_sid(&s->user_sid);
248 winbindd_lookup_name_by_sid(s->state->mem_ctx, domain,
249 &s->user_sid, &domain_name,
252 /* If this still fails we ar4e done. Just error out */
254 DEBUG(5,("Could not obtain a name for SID %s\n",
255 sid_string_static(&s->user_sid)));
256 request_error(s->state);
260 fstrcpy( username, user_name );
263 strlower_m( username );
264 s->username = talloc_strdup(s->state->mem_ctx, username);
266 ws_name_replace( s->username, WB_REPLACE_CHAR );
268 s->fullname = talloc_strdup(s->state->mem_ctx, full_name);
269 s->homedir = talloc_strdup(s->state->mem_ctx, homedir);
270 s->shell = talloc_strdup(s->state->mem_ctx, shell);
272 sid_copy(&s->group_sid, &s->domain->sid);
273 sid_append_rid(&s->group_sid, group_rid);
275 winbindd_sid2uid_async(s->state->mem_ctx, &s->user_sid,
276 getpwsid_sid2uid_recv, s);
279 static void getpwsid_sid2uid_recv(void *private_data, BOOL success, uid_t uid)
281 struct getpwsid_state *s =
282 talloc_get_type_abort(private_data, struct getpwsid_state);
285 DEBUG(5, ("Could not query uid for user %s\\%s\n",
286 s->domain->name, s->username));
287 request_error(s->state);
292 winbindd_sid2gid_async(s->state->mem_ctx, &s->group_sid,
293 getpwsid_sid2gid_recv, s);
296 static void getpwsid_sid2gid_recv(void *private_data, BOOL success, gid_t gid)
298 struct getpwsid_state *s =
299 talloc_get_type_abort(private_data, struct getpwsid_state);
300 struct winbindd_pw *pw;
301 fstring output_username;
303 /* allow the nss backend to override the primary group ID.
304 If the gid has already been set, then keep it.
305 This makes me feel dirty. If the nss backend already
306 gave us a gid, we don't really care whether the sid2gid()
307 call worked or not. --jerry */
309 if ( s->gid == (gid_t)-1 ) {
312 DEBUG(5, ("Could not query gid for user %s\\%s\n",
313 s->domain->name, s->username));
317 /* take what the sid2gid() call gave us */
321 pw = &s->state->response.data.pw;
324 fill_domain_username(output_username, s->domain->name, s->username, True);
325 safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1);
326 safe_strcpy(pw->pw_gecos, s->fullname, sizeof(pw->pw_gecos) - 1);
328 if (!fillup_pw_field(lp_template_homedir(), s->username, s->domain->name,
329 pw->pw_uid, pw->pw_gid, s->homedir, pw->pw_dir)) {
330 DEBUG(5, ("Could not compose homedir\n"));
334 if (!fillup_pw_field(lp_template_shell(), s->username, s->domain->name,
335 pw->pw_uid, pw->pw_gid, s->shell, pw->pw_shell)) {
336 DEBUG(5, ("Could not compose shell\n"));
340 /* Password - set to "*" as we can't generate anything useful here.
341 Authentication can be done using the pam_winbind module. */
343 safe_strcpy(pw->pw_passwd, "*", sizeof(pw->pw_passwd) - 1);
345 request_ok(s->state);
349 request_error(s->state);
352 /* Return a password structure from a username. */
354 static void getpwnam_name2sid_recv(void *private_data, BOOL success,
355 const DOM_SID *sid, enum lsa_SidType type);
357 void winbindd_getpwnam(struct winbindd_cli_state *state)
359 struct winbindd_domain *domain;
360 fstring domname, username;
362 /* Ensure null termination */
363 state->request.data.username[sizeof(state->request.data.username)-1]='\0';
365 DEBUG(3, ("[%5lu]: getpwnam %s\n", (unsigned long)state->pid,
366 state->request.data.username));
368 ws_name_return( state->request.data.username, WB_REPLACE_CHAR );
370 if (!parse_domain_user(state->request.data.username, domname,
372 DEBUG(5, ("Could not parse domain user: %s\n",
373 state->request.data.username));
374 request_error(state);
378 /* Get info for the domain */
380 domain = find_domain_from_name(domname);
382 if (domain == NULL) {
383 DEBUG(7, ("could not find domain entry for domain %s. "
384 "Using primary domain\n", domname));
385 if ( (domain = find_our_domain()) == NULL ) {
386 DEBUG(0,("Cannot find my primary domain structure!\n"));
387 request_error(state);
392 if ( strequal(domname, lp_workgroup()) && lp_winbind_trusted_domains_only() ) {
393 DEBUG(7,("winbindd_getpwnam: My domain -- rejecting getpwnam() for %s\\%s.\n",
395 request_error(state);
399 /* Get rid and name type from name. The following costs 1 packet */
401 winbindd_lookupname_async(state->mem_ctx, domname, username,
402 getpwnam_name2sid_recv, WINBINDD_GETPWNAM,
406 static void getpwnam_name2sid_recv(void *private_data, BOOL success,
407 const DOM_SID *sid, enum lsa_SidType type)
409 struct winbindd_cli_state *state =
410 (struct winbindd_cli_state *)private_data;
411 fstring domname, username;
414 DEBUG(5, ("Could not lookup name for user %s\n",
415 state->request.data.username));
416 request_error(state);
420 if ((type != SID_NAME_USER) && (type != SID_NAME_COMPUTER)) {
421 DEBUG(5, ("%s is not a user\n", state->request.data.username));
422 request_error(state);
426 if ( parse_domain_user(state->request.data.username, domname, username) ) {
427 check_domain_trusted( domname, sid );
432 winbindd_getpwsid(state, sid);
435 static void getpwuid_recv(void *private_data, BOOL success, const char *sid)
437 struct winbindd_cli_state *state =
438 (struct winbindd_cli_state *)private_data;
442 DEBUG(10,("uid2sid_recv: uid [%lu] to sid mapping failed\n.",
443 (unsigned long)(state->request.data.uid)));
444 request_error(state);
448 DEBUG(10,("uid2sid_recv: uid %lu has sid %s\n",
449 (unsigned long)(state->request.data.uid), sid));
451 string_to_sid(&user_sid, sid);
452 winbindd_getpwsid(state, &user_sid);
455 /* Return a password structure given a uid number */
456 void winbindd_getpwuid(struct winbindd_cli_state *state)
458 DEBUG(3, ("[%5lu]: getpwuid %lu\n", (unsigned long)state->pid,
459 (unsigned long)state->request.data.uid));
461 /* always query idmap via the async interface */
462 /* if this turns to be too slow we will add here a direct query to the cache */
463 winbindd_uid2sid_async(state->mem_ctx, state->request.data.uid, getpwuid_recv, state);
467 * set/get/endpwent functions
470 /* Rewind file pointer for ntdom passwd database */
472 static BOOL winbindd_setpwent_internal(struct winbindd_cli_state *state)
474 struct winbindd_domain *domain;
476 DEBUG(3, ("[%5lu]: setpwent\n", (unsigned long)state->pid));
478 /* Check user has enabled this */
480 if (!lp_winbind_enum_users()) {
484 /* Free old static data if it exists */
486 if (state->getpwent_state != NULL) {
487 free_getent_state(state->getpwent_state);
488 state->getpwent_state = NULL;
492 /* add any local users we have */
494 if ( (domain_state = (struct getent_state *)malloc(sizeof(struct getent_state))) == NULL )
497 ZERO_STRUCTP(domain_state);
499 /* Add to list of open domains */
501 DLIST_ADD(state->getpwent_state, domain_state);
504 /* Create sam pipes for each domain we know about */
506 for(domain = domain_list(); domain != NULL; domain = domain->next) {
507 struct getent_state *domain_state;
510 /* don't add our domaina if we are a PDC or if we
511 are a member of a Samba domain */
513 if ( (IS_DC || lp_winbind_trusted_domains_only())
514 && strequal(domain->name, lp_workgroup()) )
519 /* Create a state record for this domain */
521 if ((domain_state = SMB_MALLOC_P(struct getent_state)) == NULL) {
522 DEBUG(0, ("malloc failed\n"));
526 ZERO_STRUCTP(domain_state);
528 fstrcpy(domain_state->domain_name, domain->name);
530 /* Add to list of open domains */
532 DLIST_ADD(state->getpwent_state, domain_state);
535 state->getpwent_initialized = True;
539 void winbindd_setpwent(struct winbindd_cli_state *state)
541 if (winbindd_setpwent_internal(state)) {
544 request_error(state);
548 /* Close file pointer to ntdom passwd database */
550 void winbindd_endpwent(struct winbindd_cli_state *state)
552 DEBUG(3, ("[%5lu]: endpwent\n", (unsigned long)state->pid));
554 free_getent_state(state->getpwent_state);
555 state->getpwent_initialized = False;
556 state->getpwent_state = NULL;
560 /* Get partial list of domain users for a domain. We fill in the sam_entries,
561 and num_sam_entries fields with domain user information. The dispinfo_ndx
562 field is incremented to the index of the next user to fetch. Return True if
563 some users were returned, False otherwise. */
565 static BOOL get_sam_user_entries(struct getent_state *ent, TALLOC_CTX *mem_ctx)
569 WINBIND_USERINFO *info;
570 struct getpwent_user *name_list = NULL;
571 struct winbindd_domain *domain;
572 struct winbindd_methods *methods;
575 if (ent->num_sam_entries)
578 if (!(domain = find_domain_from_name(ent->domain_name))) {
579 DEBUG(3, ("no such domain %s in get_sam_user_entries\n",
584 methods = domain->methods;
586 /* Free any existing user info */
588 SAFE_FREE(ent->sam_entries);
589 ent->num_sam_entries = 0;
591 /* Call query_user_list to get a list of usernames and user rids */
595 status = methods->query_user_list(domain, mem_ctx, &num_entries,
598 if (!NT_STATUS_IS_OK(status)) {
599 DEBUG(10,("get_sam_user_entries: query_user_list failed with %s\n",
600 nt_errstr(status) ));
605 name_list = SMB_REALLOC_ARRAY(name_list, struct getpwent_user, ent->num_sam_entries + num_entries);
608 DEBUG(0,("get_sam_user_entries realloc failed.\n"));
613 for (i = 0; i < num_entries; i++) {
614 /* Store account name and gecos */
615 if (!info[i].acct_name) {
616 fstrcpy(name_list[ent->num_sam_entries + i].name, "");
618 fstrcpy(name_list[ent->num_sam_entries + i].name,
621 if (!info[i].full_name) {
622 fstrcpy(name_list[ent->num_sam_entries + i].gecos, "");
624 fstrcpy(name_list[ent->num_sam_entries + i].gecos,
627 if (!info[i].homedir) {
628 fstrcpy(name_list[ent->num_sam_entries + i].homedir, "");
630 fstrcpy(name_list[ent->num_sam_entries + i].homedir,
633 if (!info[i].shell) {
634 fstrcpy(name_list[ent->num_sam_entries + i].shell, "");
636 fstrcpy(name_list[ent->num_sam_entries + i].shell,
641 /* User and group ids */
642 sid_copy(&name_list[ent->num_sam_entries+i].user_sid,
644 sid_copy(&name_list[ent->num_sam_entries+i].group_sid,
648 ent->num_sam_entries += num_entries;
650 /* Fill in remaining fields */
652 ent->sam_entries = name_list;
653 ent->sam_entry_index = 0;
654 return ent->num_sam_entries > 0;
657 /* Fetch next passwd entry from ntdom database */
659 #define MAX_GETPWENT_USERS 500
661 void winbindd_getpwent(struct winbindd_cli_state *state)
663 struct getent_state *ent;
664 struct winbindd_pw *user_list;
665 int num_users, user_list_ndx;
667 DEBUG(3, ("[%5lu]: getpwent\n", (unsigned long)state->pid));
669 /* Check user has enabled this */
671 if (!lp_winbind_enum_users()) {
672 request_error(state);
676 /* Allocate space for returning a chunk of users */
678 num_users = MIN(MAX_GETPWENT_USERS, state->request.data.num_entries);
680 if (num_users == 0) {
681 request_error(state);
685 if ((state->response.extra_data.data = SMB_MALLOC_ARRAY(struct winbindd_pw, num_users)) == NULL) {
686 request_error(state);
690 memset(state->response.extra_data.data, 0, num_users *
691 sizeof(struct winbindd_pw));
693 user_list = (struct winbindd_pw *)state->response.extra_data.data;
695 if (!state->getpwent_initialized)
696 winbindd_setpwent_internal(state);
698 if (!(ent = state->getpwent_state)) {
699 request_error(state);
703 /* Start sending back users */
705 for (user_list_ndx = 0; user_list_ndx < num_users; ) {
706 struct getpwent_user *name_list = NULL;
709 /* Do we need to fetch another chunk of users? */
711 if (ent->num_sam_entries == ent->sam_entry_index) {
714 !get_sam_user_entries(ent, state->mem_ctx)) {
715 struct getent_state *next_ent;
717 /* Free state information for this domain */
719 SAFE_FREE(ent->sam_entries);
721 next_ent = ent->next;
722 DLIST_REMOVE(state->getpwent_state, ent);
728 /* No more domains */
734 name_list = (struct getpwent_user *)ent->sam_entries;
736 /* Lookup user info */
738 result = winbindd_fill_pwent(
740 name_list[ent->sam_entry_index].name,
741 &name_list[ent->sam_entry_index].user_sid,
742 &name_list[ent->sam_entry_index].group_sid,
743 name_list[ent->sam_entry_index].gecos,
744 name_list[ent->sam_entry_index].homedir,
745 name_list[ent->sam_entry_index].shell,
746 &user_list[user_list_ndx]);
748 /* Add user to return list */
753 state->response.data.num_entries++;
754 state->response.length +=
755 sizeof(struct winbindd_pw);
758 DEBUG(1, ("could not lookup domain user %s\n",
759 name_list[ent->sam_entry_index].name));
761 ent->sam_entry_index++;
767 if (user_list_ndx > 0)
770 request_error(state);
773 /* List domain users without mapping to unix ids */
775 void winbindd_list_users(struct winbindd_cli_state *state)
777 struct winbindd_domain *domain;
778 WINBIND_USERINFO *info;
779 const char *which_domain;
780 uint32 num_entries = 0, total_entries = 0;
781 char *extra_data = NULL;
782 int extra_data_len = 0;
783 enum winbindd_result rv = WINBINDD_ERROR;
785 DEBUG(3, ("[%5lu]: list users\n", (unsigned long)state->pid));
787 /* Ensure null termination */
788 state->request.domain_name[sizeof(state->request.domain_name)-1]='\0';
789 which_domain = state->request.domain_name;
791 /* Enumerate over trusted domains */
793 for (domain = domain_list(); domain; domain = domain->next) {
795 struct winbindd_methods *methods;
798 /* if we have a domain name restricting the request and this
799 one in the list doesn't match, then just bypass the remainder
802 if ( *which_domain && !strequal(which_domain, domain->name) )
805 methods = domain->methods;
807 /* Query display info */
808 status = methods->query_user_list(domain, state->mem_ctx,
809 &num_entries, &info);
811 if (!NT_STATUS_IS_OK(status)) {
815 if (num_entries == 0)
818 /* Allocate some memory for extra data */
819 total_entries += num_entries;
821 extra_data = (char *)SMB_REALLOC(
822 extra_data, sizeof(fstring) * total_entries);
825 DEBUG(0,("failed to enlarge buffer!\n"));
829 /* Pack user list into extra data fields */
831 for (i = 0; i < num_entries; i++) {
832 fstring acct_name, name;
834 if (!info[i].acct_name) {
835 fstrcpy(acct_name, "");
837 fstrcpy(acct_name, info[i].acct_name);
840 fill_domain_username(name, domain->name, acct_name, True);
842 /* Append to extra data */
843 memcpy(&extra_data[extra_data_len], name,
845 extra_data_len += strlen(name);
846 extra_data[extra_data_len++] = ',';
850 /* Assign extra_data fields in response structure */
853 extra_data[extra_data_len - 1] = '\0';
854 state->response.extra_data.data = extra_data;
855 state->response.length += extra_data_len;
858 /* No domains responded but that's still OK so don't return an
865 if (rv == WINBINDD_OK)
868 request_error(state);