2 Unix SMB/CIFS implementation.
4 Winbind daemon for ntdom nss module
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jeremy Allison 2001.
8 Copyright (C) Gerald (Jerry) Carter 2003.
9 Copyright (C) Volker Lendecke 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29 extern BOOL opt_nocache;
32 #define DBGC_CLASS DBGC_WINBIND
34 /*********************************************************************
35 *********************************************************************/
37 static int gr_mem_buffer( char **buffer, char **members, int num_members )
43 if ( num_members == 0 ) {
48 for ( i=0; i<num_members; i++ )
49 len += strlen(members[i])+1;
51 *buffer = SMB_XMALLOC_ARRAY(char, len);
52 for ( i=0; i<num_members; i++ ) {
53 snprintf( &(*buffer)[idx], len-idx, "%s,", members[i]);
54 idx += strlen(members[i])+1;
56 /* terminate with NULL */
57 (*buffer)[len-1] = '\0';
62 /***************************************************************
63 Empty static struct for negative caching.
64 ****************************************************************/
66 /* Fill a grent structure from various other information */
68 static BOOL fill_grent(struct winbindd_gr *gr, const char *dom_name,
69 const char *gr_name, gid_t unix_gid)
71 fstring full_group_name;
73 fill_domain_username(full_group_name, dom_name, gr_name);
75 gr->gr_gid = unix_gid;
77 /* Group name and password */
79 safe_strcpy(gr->gr_name, full_group_name, sizeof(gr->gr_name) - 1);
80 safe_strcpy(gr->gr_passwd, "x", sizeof(gr->gr_passwd) - 1);
85 /* Fill in the group membership field of a NT group given by group_sid */
87 static BOOL fill_grent_mem(struct winbindd_domain *domain,
89 enum SID_NAME_USE group_name_type,
90 int *num_gr_mem, char **gr_mem, int *gr_mem_len)
92 DOM_SID **sid_mem = NULL;
94 uint32 *name_types = NULL;
95 unsigned int buf_len, buf_ndx, i;
96 char **names = NULL, *buf;
102 if (!(mem_ctx = talloc_init("fill_grent_mem(%s)", domain->name)))
105 /* Initialise group membership information */
107 DEBUG(10, ("group SID %s\n", sid_to_string(sid_string, group_sid)));
111 /* HACK ALERT!! This whole routine does not cope with group members
112 * from more than one domain, ie aliases. Thus we have to work it out
113 * ourselves in a special routine. */
115 if (domain->internal)
116 return fill_passdb_alias_grmem(domain, group_sid,
120 if ( !((group_name_type==SID_NAME_DOM_GRP) ||
121 ((group_name_type==SID_NAME_ALIAS) && domain->primary)) )
123 DEBUG(1, ("SID %s in domain %s isn't a domain group (%d)\n",
124 sid_to_string(sid_string, group_sid), domain->name,
129 /* Lookup group members */
130 status = domain->methods->lookup_groupmem(domain, mem_ctx, group_sid, &num_names,
131 &sid_mem, &names, &name_types);
132 if (!NT_STATUS_IS_OK(status)) {
133 DEBUG(1, ("could not lookup membership for group rid %s in domain %s (error: %s)\n",
134 sid_to_string(sid_string, group_sid), domain->name, nt_errstr(status)));
139 DEBUG(10, ("looked up %d names\n", num_names));
141 if (DEBUGLEVEL >= 10) {
142 for (i = 0; i < num_names; i++)
143 DEBUG(10, ("\t%20s %s %d\n", names[i], sid_to_string(sid_string, sid_mem[i]),
147 /* Add members to list */
150 buf_len = buf_ndx = 0;
154 for (i = 0; i < num_names; i++) {
161 DEBUG(10, ("processing name %s\n", the_name));
163 /* FIXME: need to cope with groups within groups. These
164 occur in Universal groups on a Windows 2000 native mode
167 /* make sure to allow machine accounts */
169 if (name_types[i] != SID_NAME_USER && name_types[i] != SID_NAME_COMPUTER) {
170 DEBUG(3, ("name %s isn't a domain user\n", the_name));
174 /* Append domain name */
176 fill_domain_username(name, domain->name, the_name);
180 /* Add to list or calculate buffer length */
183 buf_len += len + 1; /* List is comma separated */
185 DEBUG(10, ("buf_len + %d = %d\n", len + 1, buf_len));
187 DEBUG(10, ("appending %s at ndx %d\n", name, len));
188 safe_strcpy(&buf[buf_ndx], name, len);
195 /* Allocate buffer */
197 if (!buf && buf_len != 0) {
198 if (!(buf = SMB_MALLOC(buf_len))) {
199 DEBUG(1, ("out of memory\n"));
203 memset(buf, 0, buf_len);
207 if (buf && buf_ndx > 0) {
208 buf[buf_ndx - 1] = '\0';
212 *gr_mem_len = buf_len;
214 DEBUG(10, ("num_mem = %d, len = %d, mem = %s\n", *num_gr_mem,
215 buf_len, *num_gr_mem ? buf : "NULL"));
220 talloc_destroy(mem_ctx);
222 DEBUG(10, ("fill_grent_mem returning %d\n", result));
227 /* Return a group structure from a group name */
229 enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
233 struct winbindd_domain *domain;
234 enum SID_NAME_USE name_type;
235 fstring name_domain, name_group;
240 /* Ensure null termination */
241 state->request.data.groupname[sizeof(state->request.data.groupname)-1]='\0';
243 DEBUG(3, ("[%5lu]: getgrnam %s\n", (unsigned long)state->pid,
244 state->request.data.groupname));
246 /* Parse domain and groupname */
248 memset(name_group, 0, sizeof(fstring));
250 tmp = state->request.data.groupname;
252 parse_domain_user(tmp, name_domain, name_group);
254 /* if no domain or our local domain, then do a local tdb search */
256 if ( (!*name_domain || strequal(name_domain, get_global_sam_name())) &&
257 ((grp = wb_getgrnam(name_group)) != NULL) ) {
261 memcpy( &state->response.data.gr, grp, sizeof(WINBINDD_GR) );
263 gr_mem_len = gr_mem_buffer( &buffer, grp->gr_mem, grp->num_gr_mem );
265 state->response.data.gr.gr_mem_ofs = 0;
266 state->response.length += gr_mem_len;
267 state->response.extra_data = buffer; /* give the memory away */
272 /* if no domain or our local domain and no local tdb group, default to
273 * our local domain for aliases */
275 if ( !*name_domain || strequal(name_domain, get_global_sam_name()) ) {
276 fstrcpy(name_domain, get_global_sam_name());
279 /* Get info for the domain */
281 if ((domain = find_domain_from_name(name_domain)) == NULL) {
282 DEBUG(3, ("could not get domain sid for domain %s\n",
284 return WINBINDD_ERROR;
286 /* should we deal with users for our domain? */
288 if ( lp_winbind_trusted_domains_only() && domain->primary) {
289 DEBUG(7,("winbindd_getgrnam: My domain -- rejecting getgrnam() for %s\\%s.\n",
290 name_domain, name_group));
291 return WINBINDD_ERROR;
294 /* Get rid and name type from name */
296 if (!winbindd_lookup_sid_by_name(domain, domain->name, name_group, &group_sid,
298 DEBUG(1, ("group %s in domain %s does not exist\n",
299 name_group, name_domain));
300 return WINBINDD_ERROR;
303 if ( !((name_type==SID_NAME_DOM_GRP) ||
304 ((name_type==SID_NAME_ALIAS) && domain->primary) ||
305 ((name_type==SID_NAME_ALIAS) && domain->internal)) )
307 DEBUG(1, ("name '%s' is not a local or domain group: %d\n",
308 name_group, name_type));
309 return WINBINDD_ERROR;
312 if (!NT_STATUS_IS_OK(idmap_sid_to_gid(&group_sid, &gid, 0))) {
313 DEBUG(1, ("error converting unix gid to sid\n"));
314 return WINBINDD_ERROR;
317 if (!fill_grent(&state->response.data.gr, name_domain,
319 !fill_grent_mem(domain, &group_sid, name_type,
320 &state->response.data.gr.num_gr_mem,
321 &gr_mem, &gr_mem_len)) {
322 return WINBINDD_ERROR;
325 /* Group membership lives at start of extra data */
327 state->response.data.gr.gr_mem_ofs = 0;
329 state->response.length += gr_mem_len;
330 state->response.extra_data = gr_mem;
335 /* Return a group structure from a gid number */
337 enum winbindd_result winbindd_getgrgid(struct winbindd_cli_state *state)
339 struct winbindd_domain *domain;
342 enum SID_NAME_USE name_type;
348 DEBUG(3, ("[%5lu]: getgrgid %lu\n", (unsigned long)state->pid,
349 (unsigned long)state->request.data.gid));
351 /* Bug out if the gid isn't in the winbind range */
353 if ((state->request.data.gid < server_state.gid_low) ||
354 (state->request.data.gid > server_state.gid_high))
355 return WINBINDD_ERROR;
357 /* alway try local tdb lookup first */
358 if ( ( grp=wb_getgrgid(state->request.data.gid)) != NULL ) {
361 memcpy( &state->response.data.gr, grp, sizeof(WINBINDD_GR) );
363 gr_mem_len = gr_mem_buffer( &buffer, grp->gr_mem, grp->num_gr_mem );
365 state->response.data.gr.gr_mem_ofs = 0;
366 state->response.length += gr_mem_len;
367 state->response.extra_data = buffer; /* give away the memory */
372 /* Get rid from gid */
373 if (!NT_STATUS_IS_OK(idmap_gid_to_sid(&group_sid, state->request.data.gid))) {
374 DEBUG(1, ("could not convert gid %lu to rid\n",
375 (unsigned long)state->request.data.gid));
376 return WINBINDD_ERROR;
379 /* Get name from sid */
381 if (!winbindd_lookup_name_by_sid(&group_sid, dom_name, group_name, &name_type)) {
382 DEBUG(1, ("could not lookup sid\n"));
383 return WINBINDD_ERROR;
386 /* Fill in group structure */
388 domain = find_domain_from_sid(&group_sid);
391 DEBUG(1,("Can't find domain from sid\n"));
392 return WINBINDD_ERROR;
395 if ( !((name_type==SID_NAME_DOM_GRP) ||
396 ((name_type==SID_NAME_ALIAS) && domain->primary) ||
397 ((name_type==SID_NAME_ALIAS) && domain->internal)) )
399 DEBUG(1, ("name '%s' is not a local or domain group: %d\n",
400 group_name, name_type));
401 return WINBINDD_ERROR;
404 if (!fill_grent(&state->response.data.gr, dom_name, group_name,
405 state->request.data.gid) ||
406 !fill_grent_mem(domain, &group_sid, name_type,
407 &state->response.data.gr.num_gr_mem,
408 &gr_mem, &gr_mem_len))
409 return WINBINDD_ERROR;
411 /* Group membership lives at start of extra data */
413 state->response.data.gr.gr_mem_ofs = 0;
415 state->response.length += gr_mem_len;
416 state->response.extra_data = gr_mem;
422 * set/get/endgrent functions
425 /* "Rewind" file pointer for group database enumeration */
427 enum winbindd_result winbindd_setgrent(struct winbindd_cli_state *state)
429 struct winbindd_domain *domain;
431 DEBUG(3, ("[%5lu]: setgrent\n", (unsigned long)state->pid));
433 /* Check user has enabled this */
435 if (!lp_winbind_enum_groups())
436 return WINBINDD_ERROR;
438 /* Free old static data if it exists */
440 if (state->getgrent_state != NULL) {
441 free_getent_state(state->getgrent_state);
442 state->getgrent_state = NULL;
445 /* Create sam pipes for each domain we know about */
447 for (domain = domain_list(); domain != NULL; domain = domain->next) {
448 struct getent_state *domain_state;
450 /* Create a state record for this domain */
452 /* don't add our domaina if we are a PDC or if we
453 are a member of a Samba domain */
455 if ( lp_winbind_trusted_domains_only() && domain->primary )
461 if ((domain_state = SMB_MALLOC_P(struct getent_state)) == NULL) {
462 DEBUG(1, ("winbindd_setgrent: malloc failed for domain_state!\n"));
463 return WINBINDD_ERROR;
466 ZERO_STRUCTP(domain_state);
468 fstrcpy(domain_state->domain_name, domain->name);
470 /* Add to list of open domains */
472 DLIST_ADD(state->getgrent_state, domain_state);
475 state->getgrent_initialized = True;
480 /* Close file pointer to ntdom group database */
482 enum winbindd_result winbindd_endgrent(struct winbindd_cli_state *state)
484 DEBUG(3, ("[%5lu]: endgrent\n", (unsigned long)state->pid));
486 free_getent_state(state->getgrent_state);
487 state->getgrent_initialized = False;
488 state->getgrent_state = NULL;
493 /* Get the list of domain groups and domain aliases for a domain. We fill in
494 the sam_entries and num_sam_entries fields with domain group information.
495 The dispinfo_ndx field is incremented to the index of the next group to
496 fetch. Return True if some groups were returned, False otherwise. */
498 static BOOL get_sam_group_entries(struct getent_state *ent)
502 struct acct_info *name_list = NULL, *tmp_name_list = NULL;
505 struct acct_info *sam_grp_entries = NULL;
506 struct winbindd_domain *domain;
508 if (ent->got_sam_entries)
511 if (!(mem_ctx = talloc_init("get_sam_group_entries(%s)",
512 ent->domain_name))) {
513 DEBUG(1, ("get_sam_group_entries: could not create talloc context!\n"));
517 /* Free any existing group info */
519 SAFE_FREE(ent->sam_entries);
520 ent->num_sam_entries = 0;
521 ent->got_sam_entries = True;
523 /* Enumerate domain groups */
527 if (!(domain = find_domain_from_name(ent->domain_name))) {
528 DEBUG(3, ("no such domain %s in get_sam_group_entries\n", ent->domain_name));
532 /* always get the domain global groups */
534 status = domain->methods->enum_dom_groups(domain, mem_ctx, &num_entries, &sam_grp_entries);
536 if (!NT_STATUS_IS_OK(status)) {
537 DEBUG(3, ("get_sam_group_entries: could not enumerate domain groups! Error: %s\n", nt_errstr(status)));
542 /* Copy entries into return buffer */
545 if ( !(name_list = SMB_MALLOC_ARRAY(struct acct_info, num_entries)) ) {
546 DEBUG(0,("get_sam_group_entries: Failed to malloc memory for %d domain groups!\n",
551 memcpy( name_list, sam_grp_entries, num_entries * sizeof(struct acct_info) );
554 ent->num_sam_entries = num_entries;
556 /* get the domain local groups if we are a member of a native win2k domain
557 and are not using LDAP to get the groups */
559 if ( ( lp_security() != SEC_ADS && domain->native_mode
560 && domain->primary) || domain->internal )
562 DEBUG(4,("get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well\n"));
564 status = domain->methods->enum_local_groups(domain, mem_ctx, &num_entries, &sam_grp_entries);
566 if ( !NT_STATUS_IS_OK(status) ) {
567 DEBUG(3,("get_sam_group_entries: Failed to enumerate domain local groups!\n"));
571 DEBUG(4,("get_sam_group_entries: Returned %d local groups\n", num_entries));
573 /* Copy entries into return buffer */
576 if ( !(tmp_name_list = SMB_REALLOC_ARRAY( name_list, struct acct_info, ent->num_sam_entries+num_entries)) )
578 DEBUG(0,("get_sam_group_entries: Failed to realloc more memory for %d local groups!\n",
581 SAFE_FREE( name_list );
585 name_list = tmp_name_list;
587 memcpy( &name_list[ent->num_sam_entries], sam_grp_entries,
588 num_entries * sizeof(struct acct_info) );
591 ent->num_sam_entries += num_entries;
595 /* Fill in remaining fields */
597 ent->sam_entries = name_list;
598 ent->sam_entry_index = 0;
600 result = (ent->num_sam_entries > 0);
603 talloc_destroy(mem_ctx);
608 /* Fetch next group entry from ntdom database */
610 #define MAX_GETGRENT_GROUPS 500
612 enum winbindd_result winbindd_getgrent(struct winbindd_cli_state *state)
614 struct getent_state *ent;
615 struct winbindd_gr *group_list = NULL;
616 int num_groups, group_list_ndx = 0, i, gr_mem_list_len = 0;
617 char *new_extra_data, *gr_mem_list = NULL;
619 DEBUG(3, ("[%5lu]: getgrent\n", (unsigned long)state->pid));
621 /* Check user has enabled this */
623 if (!lp_winbind_enum_groups())
624 return WINBINDD_ERROR;
626 num_groups = MIN(MAX_GETGRENT_GROUPS, state->request.data.num_entries);
628 if ((state->response.extra_data = SMB_MALLOC_ARRAY(struct winbindd_gr, num_groups)) == NULL)
629 return WINBINDD_ERROR;
631 memset(state->response.extra_data, '\0',
632 num_groups * sizeof(struct winbindd_gr) );
634 state->response.data.num_entries = 0;
636 group_list = (struct winbindd_gr *)state->response.extra_data;
638 if (!state->getgrent_initialized)
639 winbindd_setgrent(state);
641 if (!(ent = state->getgrent_state))
642 return WINBINDD_ERROR;
644 /* Start sending back groups */
646 for (i = 0; i < num_groups; i++) {
647 struct acct_info *name_list = NULL;
648 fstring domain_group_name;
652 char *gr_mem, *new_gr_mem_list;
654 struct winbindd_domain *domain;
656 /* Do we need to fetch another chunk of groups? */
660 DEBUG(10, ("entry_index = %d, num_entries = %d\n",
661 ent->sam_entry_index, ent->num_sam_entries));
663 if (ent->num_sam_entries == ent->sam_entry_index) {
665 while(ent && !get_sam_group_entries(ent)) {
666 struct getent_state *next_ent;
668 DEBUG(10, ("freeing state info for domain %s\n", ent->domain_name));
670 /* Free state information for this domain */
672 SAFE_FREE(ent->sam_entries);
674 next_ent = ent->next;
675 DLIST_REMOVE(state->getgrent_state, ent);
681 /* No more domains */
687 name_list = ent->sam_entries;
690 find_domain_from_name(ent->domain_name))) {
691 DEBUG(3, ("No such domain %s in winbindd_getgrent\n", ent->domain_name));
696 /* Lookup group info */
698 sid_copy(&group_sid, &domain->sid);
699 sid_append_rid(&group_sid, name_list[ent->sam_entry_index].rid);
701 if (!NT_STATUS_IS_OK(idmap_sid_to_gid(&group_sid, &group_gid, 0))) {
703 DEBUG(1, ("could not look up gid for group %s\n",
704 name_list[ent->sam_entry_index].acct_name));
706 ent->sam_entry_index++;
710 DEBUG(10, ("got gid %lu for group %lu\n", (unsigned long)group_gid,
711 (unsigned long)name_list[ent->sam_entry_index].rid));
713 /* Fill in group entry */
715 fill_domain_username(domain_group_name, ent->domain_name,
716 name_list[ent->sam_entry_index].acct_name);
718 result = fill_grent(&group_list[group_list_ndx],
720 name_list[ent->sam_entry_index].acct_name,
723 /* Fill in group membership entry */
727 group_list[group_list_ndx].num_gr_mem = 0;
731 /* Get group membership */
732 if (state->request.cmd == WINBINDD_GETGRLST) {
735 sid_copy(&member_sid, &domain->sid);
736 sid_append_rid(&member_sid, name_list[ent->sam_entry_index].rid);
737 result = fill_grent_mem(
741 &group_list[group_list_ndx].num_gr_mem,
742 &gr_mem, &gr_mem_len);
747 /* Append to group membership list */
748 new_gr_mem_list = SMB_REALLOC( gr_mem_list, gr_mem_list_len + gr_mem_len);
750 if (!new_gr_mem_list && (group_list[group_list_ndx].num_gr_mem != 0)) {
751 DEBUG(0, ("out of memory\n"));
752 SAFE_FREE(gr_mem_list);
757 DEBUG(10, ("list_len = %d, mem_len = %d\n",
758 gr_mem_list_len, gr_mem_len));
760 gr_mem_list = new_gr_mem_list;
762 memcpy(&gr_mem_list[gr_mem_list_len], gr_mem,
767 group_list[group_list_ndx].gr_mem_ofs =
770 gr_mem_list_len += gr_mem_len;
773 ent->sam_entry_index++;
775 /* Add group to return list */
779 DEBUG(10, ("adding group num_entries = %d\n",
780 state->response.data.num_entries));
783 state->response.data.num_entries++;
785 state->response.length +=
786 sizeof(struct winbindd_gr);
789 DEBUG(0, ("could not lookup domain group %s\n",
794 /* Copy the list of group memberships to the end of the extra data */
796 if (group_list_ndx == 0)
799 new_extra_data = SMB_REALLOC(
800 state->response.extra_data,
801 group_list_ndx * sizeof(struct winbindd_gr) + gr_mem_list_len);
803 if (!new_extra_data) {
804 DEBUG(0, ("out of memory\n"));
806 SAFE_FREE(state->response.extra_data);
807 SAFE_FREE(gr_mem_list);
809 return WINBINDD_ERROR;
812 state->response.extra_data = new_extra_data;
814 memcpy(&((char *)state->response.extra_data)
815 [group_list_ndx * sizeof(struct winbindd_gr)],
816 gr_mem_list, gr_mem_list_len);
818 SAFE_FREE(gr_mem_list);
820 state->response.length += gr_mem_list_len;
822 DEBUG(10, ("returning %d groups, length = %d\n",
823 group_list_ndx, gr_mem_list_len));
829 return (group_list_ndx > 0) ? WINBINDD_OK : WINBINDD_ERROR;
832 /* List domain groups without mapping to unix ids */
834 enum winbindd_result winbindd_list_groups(struct winbindd_cli_state *state)
836 uint32 total_entries = 0;
837 struct winbindd_domain *domain;
838 const char *which_domain;
839 char *extra_data = NULL;
841 unsigned int extra_data_len = 0, i;
843 DEBUG(3, ("[%5lu]: list groups\n", (unsigned long)state->pid));
845 /* Ensure null termination */
846 state->request.domain_name[sizeof(state->request.domain_name)-1]='\0';
847 which_domain = state->request.domain_name;
849 /* Enumerate over trusted domains */
851 for (domain = domain_list(); domain; domain = domain->next) {
852 struct getent_state groups;
854 /* if we have a domain name restricting the request and this
855 one in the list doesn't match, then just bypass the remainder
858 if ( *which_domain && !strequal(which_domain, domain->name) )
861 if ( !domain->initialized )
862 set_dc_type_and_flags( domain );
867 /* Get list of sam groups */
869 fstrcpy(groups.domain_name, domain->name);
871 get_sam_group_entries(&groups);
873 if (groups.num_sam_entries == 0) {
874 /* this domain is empty or in an error state */
878 /* keep track the of the total number of groups seen so
879 far over all domains */
880 total_entries += groups.num_sam_entries;
882 /* Allocate some memory for extra data. Note that we limit
883 account names to sizeof(fstring) = 128 characters. */
884 ted = SMB_REALLOC(extra_data, sizeof(fstring) * total_entries);
887 DEBUG(0,("failed to enlarge buffer!\n"));
888 SAFE_FREE(extra_data);
889 return WINBINDD_ERROR;
893 /* Pack group list into extra data fields */
894 for (i = 0; i < groups.num_sam_entries; i++) {
895 char *group_name = ((struct acct_info *)
896 groups.sam_entries)[i].acct_name;
899 fill_domain_username(name, domain->name, group_name);
900 /* Append to extra data */
901 memcpy(&extra_data[extra_data_len], name,
903 extra_data_len += strlen(name);
904 extra_data[extra_data_len++] = ',';
907 SAFE_FREE(groups.sam_entries);
910 /* Assign extra_data fields in response structure */
912 extra_data[extra_data_len - 1] = '\0';
913 state->response.extra_data = extra_data;
914 state->response.length += extra_data_len;
917 /* No domains may have responded but that's still OK so don't
923 static BOOL enum_alias_memberships(const DOM_SID *member_sid,
924 DOM_SID **aliases, int *num_aliases)
926 TALLOC_CTX *mem_ctx = talloc_init("enum_alias_memberships");
940 if (!pdb_enum_alias_memberships(mem_ctx, get_global_sam_sid(),
941 member_sid, 1, &rids, &num_rids))
944 for (i=0; i<num_rids; i++) {
946 sid_copy(&alias_sid, get_global_sam_sid());
947 sid_append_rid(&alias_sid, rids[i]);
948 add_sid_to_array(NULL, &alias_sid, aliases, num_aliases);
951 string_to_sid(&builtin_sid, "S-1-5-32");
953 if (!pdb_enum_alias_memberships(mem_ctx, &builtin_sid,
954 member_sid, 1, &rids, &num_rids))
957 for (i=0; i<num_rids; i++) {
959 sid_copy(&alias_sid, &builtin_sid);
960 sid_append_rid(&alias_sid, rids[i]);
961 add_sid_to_array(NULL, &alias_sid, aliases, num_aliases);
967 talloc_destroy(mem_ctx);
972 static void add_local_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num)
978 DEBUG(10, ("Adding local gids from SID: %s\n",
979 sid_string_static(sid)));
981 /* Don't expand aliases if not explicitly activated -- for now
984 if (!lp_winbind_nested_groups())
987 /* Add nested group memberships */
989 if (!enum_alias_memberships(sid, &aliases, &num_aliases))
992 for (j=0; j<num_aliases; j++) {
993 enum SID_NAME_USE type;
995 if (!local_sid_to_gid(&gid, &aliases[j], &type)) {
996 DEBUG(1, ("Got an alias membership with no alias\n"));
1000 if ((type != SID_NAME_ALIAS) && (type != SID_NAME_WKN_GRP)) {
1001 DEBUG(1, ("Got an alias membership in a non-alias\n"));
1005 add_gid_to_array_unique(NULL, gid, gids, num);
1010 static void add_gids_from_user_sid(DOM_SID *sid, gid_t **gids, int *num)
1012 DEBUG(10, ("Adding gids from user SID: %s\n",
1013 sid_string_static(sid)));
1015 add_local_gids_from_sid(sid, gids, num);
1018 static void add_gids_from_group_sid(DOM_SID *sid, gid_t **gids, int *num)
1022 DEBUG(10, ("Adding gids from group SID: %s\n",
1023 sid_string_static(sid)));
1025 if (NT_STATUS_IS_OK(idmap_sid_to_gid(sid, &gid, 0)))
1026 add_gid_to_array_unique(NULL, gid, gids, num);
1028 add_local_gids_from_sid(sid, gids, num);
1031 /* Get user supplementary groups. This is much quicker than trying to
1032 invert the groups database. We merge the groups from the gids and
1033 other_sids info3 fields as trusted domain, universal group
1034 memberships, and nested groups (win2k native mode only) are not
1035 returned by the getgroups RPC call but are present in the info3. */
1037 enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
1039 fstring name_domain, name_user;
1040 DOM_SID user_sid, group_sid;
1041 enum SID_NAME_USE name_type;
1042 uint32 num_groups = 0;
1043 uint32 num_gids = 0;
1045 DOM_SID **user_grpsids;
1046 struct winbindd_domain *domain;
1047 enum winbindd_result result = WINBINDD_ERROR;
1048 gid_t *gid_list = NULL;
1050 TALLOC_CTX *mem_ctx;
1051 NET_USER_INFO_3 *info3 = NULL;
1053 /* Ensure null termination */
1054 state->request.data.username[sizeof(state->request.data.username)-1]='\0';
1056 DEBUG(3, ("[%5lu]: getgroups %s\n", (unsigned long)state->pid,
1057 state->request.data.username));
1059 if (!(mem_ctx = talloc_init("winbindd_getgroups(%s)",
1060 state->request.data.username)))
1061 return WINBINDD_ERROR;
1063 /* Parse domain and username */
1065 parse_domain_user(state->request.data.username,
1066 name_domain, name_user);
1068 /* Get info for the domain */
1070 if ((domain = find_domain_from_name(name_domain)) == NULL) {
1071 DEBUG(7, ("could not find domain entry for domain %s\n",
1076 if ( domain->primary && lp_winbind_trusted_domains_only()) {
1077 DEBUG(7,("winbindd_getpwnam: My domain -- rejecting getgroups() for %s\\%s.\n",
1078 name_domain, name_user));
1079 return WINBINDD_ERROR;
1082 /* Get rid and name type from name. The following costs 1 packet */
1084 if (!winbindd_lookup_sid_by_name(domain, domain->name, name_user, &user_sid,
1086 DEBUG(4, ("user '%s' does not exist\n", name_user));
1090 if (name_type != SID_NAME_USER && name_type != SID_NAME_COMPUTER) {
1091 DEBUG(1, ("name '%s' is not a user name: %d\n",
1092 name_user, name_type));
1096 add_gids_from_user_sid(&user_sid, &gid_list, &num_gids);
1098 /* Treat the info3 cache as authoritative as the
1099 lookup_usergroups() function may return cached data. */
1101 if ( !opt_nocache && (info3 = netsamlogon_cache_get(mem_ctx, &user_sid))) {
1103 DEBUG(10, ("winbindd_getgroups: info3 has %d groups, %d other sids\n",
1104 info3->num_groups2, info3->num_other_sids));
1106 num_groups = info3->num_other_sids + info3->num_groups2;
1108 /* Go through each other sid and convert it to a gid */
1110 for (i = 0; i < info3->num_other_sids; i++) {
1113 enum SID_NAME_USE sid_type;
1115 /* Is this sid known to us? It can either be
1116 a trusted domain sid or a foreign sid. */
1118 if (!winbindd_lookup_name_by_sid( &info3->other_sids[i].sid,
1119 dom_name, name, &sid_type))
1121 DEBUG(10, ("winbindd_getgroups: could not lookup name for %s\n",
1122 sid_string_static(&info3->other_sids[i].sid)));
1126 /* Check it is a domain group or an alias (domain local group)
1127 in a win2k native mode domain. */
1129 if ( !((sid_type==SID_NAME_DOM_GRP) ||
1130 ((sid_type==SID_NAME_ALIAS) && domain->primary)) )
1132 DEBUG(10, ("winbindd_getgroups: sid type %d "
1133 "for %s is not a domain group\n",
1136 &info3->other_sids[i].sid)));
1140 add_gids_from_group_sid(&info3->other_sids[i].sid,
1141 &gid_list, &num_gids);
1144 for (i = 0; i < info3->num_groups2; i++) {
1146 /* create the group SID */
1148 sid_copy( &group_sid, &domain->sid );
1149 sid_append_rid( &group_sid, info3->gids[i].g_rid );
1151 add_gids_from_group_sid(&group_sid, &gid_list,
1158 status = domain->methods->lookup_usergroups(domain, mem_ctx,
1159 &user_sid, &num_groups,
1161 if (!NT_STATUS_IS_OK(status))
1164 if (state->response.extra_data)
1167 for (i = 0; i < num_groups; i++) {
1168 add_gids_from_group_sid(user_grpsids[i],
1169 &gid_list, &num_gids);
1173 /* We want at least one group... */
1174 if (gid_list == NULL)
1177 remove_duplicate_gids( &num_gids, gid_list );
1179 /* Send data back to client */
1181 state->response.data.num_entries = num_gids;
1182 state->response.extra_data = gid_list;
1183 state->response.length += num_gids * sizeof(gid_t);
1185 result = WINBINDD_OK;
1189 talloc_destroy(mem_ctx);
1194 static void add_sid_to_parray_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
1195 DOM_SID ***sids, int *num_sids)
1199 for (i=0; i<(*num_sids); i++) {
1200 if (sid_compare(sid, (*sids)[i]) == 0)
1204 *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID *, *num_sids+1);
1209 (*sids)[*num_sids] = TALLOC_P(mem_ctx, DOM_SID);
1210 sid_copy((*sids)[*num_sids], sid);
1215 static void add_local_sids_from_sid(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
1216 DOM_SID ***user_grpsids,
1219 DOM_SID *aliases = NULL;
1220 int i, num_aliases = 0;
1222 if (!enum_alias_memberships(sid, &aliases, &num_aliases))
1225 if (num_aliases == 0)
1228 for (i=0; i<num_aliases; i++)
1229 add_sid_to_parray_unique(mem_ctx, &aliases[i], user_grpsids,
1237 /* Get user supplementary sids. This is equivalent to the
1238 winbindd_getgroups() function but it involves a SID->SIDs mapping
1239 rather than a NAME->SID->SIDS->GIDS mapping, which means we avoid
1240 idmap. This call is designed to be used with applications that need
1241 to do ACL evaluation themselves. Note that the cached info3 data is
1244 this function assumes that the SID that comes in is a user SID. If
1245 you pass in another type of SID then you may get unpredictable
1248 enum winbindd_result winbindd_getusersids(struct winbindd_cli_state *state)
1252 DOM_SID **user_grpsids;
1253 struct winbindd_domain *domain;
1254 enum winbindd_result result = WINBINDD_ERROR;
1256 TALLOC_CTX *mem_ctx;
1259 unsigned ofs, ret_size = 0;
1261 /* Ensure null termination */
1262 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
1264 if (!string_to_sid(&user_sid, state->request.data.sid)) {
1265 DEBUG(1, ("Could not get convert sid %s from string\n", state->request.data.sid));
1266 return WINBINDD_ERROR;
1269 if (!(mem_ctx = talloc_init("winbindd_getusersids(%s)",
1270 state->request.data.username))) {
1271 return WINBINDD_ERROR;
1274 /* Get info for the domain */
1275 if ((domain = find_domain_from_sid(&user_sid)) == NULL) {
1276 DEBUG(0,("could not find domain entry for sid %s\n",
1277 sid_string_static(&user_sid)));
1281 status = domain->methods->lookup_usergroups(domain, mem_ctx,
1282 &user_sid, &num_groups,
1284 if (!NT_STATUS_IS_OK(status))
1287 if (num_groups == 0) {
1291 domain = find_our_domain();
1293 if (domain == NULL) {
1294 DEBUG(0, ("Could not find our domain\n"));
1298 /* Note that I do not check for AD or its mode. XP in a real NT4
1299 * domain also asks for this info. -- vl */
1302 uint32 *alias_rids = NULL;
1305 /* We need to include the user SID to expand */
1306 user_grpsids = TALLOC_REALLOC_ARRAY(mem_ctx, user_grpsids,
1307 DOM_SID *, num_groups+1);
1308 user_grpsids[num_groups] = &user_sid;
1310 status = domain->methods->lookup_useraliases(domain, mem_ctx,
1316 if (!NT_STATUS_IS_OK(status)) {
1317 DEBUG(3, ("Could not expand alias sids: %s\n",
1318 nt_errstr(status)));
1322 for (i=0; i<num_aliases; i++) {
1324 sid_copy(&sid, &domain->sid);
1325 sid_append_rid(&sid, alias_rids[i]);
1326 add_sid_to_parray_unique(mem_ctx, &sid, &user_grpsids,
1331 if (lp_winbind_nested_groups()) {
1333 /* num_groups is changed during the loop, that's why we have
1334 to count down here.*/
1336 for (k=num_groups-1; k>=0; k--) {
1337 add_local_sids_from_sid(mem_ctx, user_grpsids[k],
1338 &user_grpsids, &num_groups);
1341 add_local_sids_from_sid(mem_ctx, &user_sid, &user_grpsids,
1345 /* work out the response size */
1346 for (i = 0; i < num_groups; i++) {
1347 const char *s = sid_string_static(user_grpsids[i]);
1348 ret_size += strlen(s) + 1;
1351 /* build the reply */
1352 ret = SMB_MALLOC(ret_size);
1353 if (!ret) goto done;
1355 for (i = 0; i < num_groups; i++) {
1356 const char *s = sid_string_static(user_grpsids[i]);
1357 safe_strcpy(ret + ofs, s, ret_size - ofs - 1);
1358 ofs += strlen(ret+ofs) + 1;
1362 /* Send data back to client */
1363 state->response.data.num_entries = num_groups;
1364 state->response.extra_data = ret;
1365 state->response.length += ret_size;
1366 result = WINBINDD_OK;
1369 talloc_destroy(mem_ctx);