2 Unix SMB/CIFS implementation.
3 GUMS backends helper functions
4 Copyright (C) Simo Sorce 2002
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 extern DOM_SID global_sid_World;
24 extern DOM_SID global_sid_Builtin;
25 extern DOM_SID global_sid_Builtin_Administrators;
26 extern DOM_SID global_sid_Builtin_Power_Users;
27 extern DOM_SID global_sid_Builtin_Account_Operators;
28 extern DOM_SID global_sid_Builtin_Server_Operators;
29 extern DOM_SID global_sid_Builtin_Print_Operators;
30 extern DOM_SID global_sid_Builtin_Backup_Operators;
31 extern DOM_SID global_sid_Builtin_Replicator;
32 extern DOM_SID global_sid_Builtin_Users;
33 extern DOM_SID global_sid_Builtin_Guests;
/*
 * ALLOC_CHECK: if ptr is NULL, log an out-of-memory message prefixed by
 * str, set err to NT_STATUS_NO_MEMORY and jump to label.  Here both the
 * err and label arguments are really used.
 */
#define ALLOC_CHECK(str, ptr, err, label) do { if ((ptr) == NULL) { DEBUG(0, ("%s: out of memory!\n", str)); err = NT_STATUS_NO_MEMORY; goto label; } } while(0)
/*
 * NTSTATUS_CHECK: log "str1: str2" when err carries error severity.
 *
 * NOTE(review): despite the name and the label parameter this macro does
 * NOT propagate the failure -- there is no goto and label is never
 * referenced, so execution simply continues after a failed call.  In the
 * callers below (gums_make_domain / gums_make_alias) a failed
 * gums_set_object_sid()/name() therefore still reaches fns->set_object(go),
 * as far as this excerpt shows.  Also, NT_STATUS_IS_ERR() only matches
 * error-severity codes, unlike the !NT_STATUS_IS_OK() tests used elsewhere
 * in this file, so warning/informational statuses pass silently.
 * Treat it as a log statement, not a check.
 */
#define NTSTATUS_CHECK(err, label, str1, str2) do { if (NT_STATUS_IS_ERR(err)) { DEBUG(0, ("%s: %s\n", str1, str2)); } } while(0)
/****************************************************************************
Check if a group is a mapped group.

This function will check whether the group SID is mapped onto a
system-managed gid or onto a winbind-managed sid.
In the first case it will be treated like a mapped group
and the backend should take the member list with a getgrgid
and ignore any user that may have been set into the group.

In the second case, the group is a fully SAM-managed group
served back to the system through winbind. In this case the
members of a Local group are "unrolled" to cope with the fact
that unix cannot contain groups inside groups.
The backend MUST never call any getgr* / getpw* function, or
loops with winbind may happen.
****************************************************************************/
/**
 * is_mapped_group: decide whether a group SID is "mapped" (see the
 * comment above) by looking its gid up in idmap.
 *
 * @param mapped  out; when a gid mapping exists it is set from
 *                gid_is_in_winbind_range(id)
 * @param sid     the group SID to look up
 * @return NTSTATUS
 *
 * Excerpt: the opening brace, the declarations of id and result, and the
 * not-found / return path are not part of this listing.
 *
 * NOTE(review): *mapped becomes True when the gid is in the winbind
 * range, whereas the comment above describes the system-managed-gid case
 * as the one "treated like a mapped group" -- confirm which polarity the
 * callers expect.
 */
NTSTATUS is_mapped_group(BOOL *mapped, const DOM_SID *sid)
/* look whether a mapping exists; the False argument asks idmap not to
 * allocate a new id when the SID is not found */
result = idmap_get_gid_from_sid(&id, sid, False);
if (NT_STATUS_IS_OK(result)) {
	/* a mapping exists: report whether the gid belongs to winbind */
	*mapped = gid_is_in_winbind_range(id);
/* Access mask audited by the SACL ACE put on every built-in alias
 * (value as given by the author; the individual bits are not named here). */
#define ALIAS_DEFAULT_SACL_SA_RIGHTS 0x01050013
/* Rights granted to World on a built-in alias's DACL: per the flag names,
 * read the security descriptor, look up alias info and enumerate members.
 * No write or membership-change right is included. */
#define ALIAS_DEFAULT_DACL_SA_RIGHTS \
(READ_CONTROL_ACCESS | \
SA_RIGHT_ALIAS_LOOKUP_INFO | \
SA_RIGHT_ALIAS_GET_MEMBERS) /* 0x0002000c */
/* The audit ACE fires on both failed and successful access. */
#define ALIAS_DEFAULT_SACL_SEC_ACE_FLAG (SEC_ACE_FLAG_FAILED_ACCESS | SEC_ACE_FLAG_SUCCESSFUL_ACCESS) /* 0xc0 */
/**
 * create_builtin_alias_default_sec_desc: build the default security
 * descriptor for a built-in alias, allocated on ctx.
 *
 * Layout as set up below:
 *   SACL: one SYSTEM_AUDIT ACE for World with ALIAS_DEFAULT_SACL_SA_RIGHTS,
 *         flagged to audit both success and failure
 *   DACL: World                  -> ALIAS_DEFAULT_DACL_SA_RIGHTS
 *         Builtin Administrators -> SA_RIGHT_ALIAS_ALL_ACCESS
 *   owner and group: Builtin Administrators; built with SEC_DESC_SELF_RELATIVE
 *
 * @param sec_desc  out; receives the new SEC_DESC
 * @param ctx       talloc context that owns the ACLs and the descriptor
 * @return NT_STATUS_NO_MEMORY when make_sec_acl()/make_sec_desc() fail
 *         (the failure tests themselves, the success return and the
 *         declarations of sa, sacl_ace, dacl_aces, sacl, dacl and psize
 *         are elided from this excerpt).
 *
 * NOTE(review): the DEBUG messages name build_init_sec_desc and
 * get_share_security rather than this function -- looks copied; worth
 * correcting when the code is next touched.
 */
NTSTATUS create_builtin_alias_default_sec_desc(SEC_DESC **sec_desc, TALLOC_CTX *ctx)
DOM_SID *world = &global_sid_World;
DOM_SID *admins = &global_sid_Builtin_Administrators;
/* SACL: audit World's access using the default audit mask */
init_sec_access(&sa, ALIAS_DEFAULT_SACL_SA_RIGHTS);
init_sec_ace(&sacl_ace, world, SEC_ACE_TYPE_SYSTEM_AUDIT, sa, ALIAS_DEFAULT_SACL_SEC_ACE_FLAG);
sacl = make_sec_acl(ctx, NT4_ACL_REVISION, 1, &sacl_ace);
DEBUG(0, ("build_init_sec_desc: Failed to make SEC_ACL.\n"));
return NT_STATUS_NO_MEMORY;
/* DACL: World gets the read-only default rights, Administrators full access;
 * both ACEs carry no inheritance flags (0) */
init_sec_access(&sa, ALIAS_DEFAULT_DACL_SA_RIGHTS);
init_sec_ace(&(dacl_aces[0]), world, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, 0);
init_sec_access(&sa, SA_RIGHT_ALIAS_ALL_ACCESS);
init_sec_ace(&(dacl_aces[1]), admins, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, 0);
dacl = make_sec_acl(ctx, NT4_ACL_REVISION, 2, dacl_aces);
DEBUG(0, ("build_init_sec_desc: Failed to make SEC_ACL.\n"));
return NT_STATUS_NO_MEMORY;
/* owner and primary group are both Builtin Administrators */
*sec_desc = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, admins, admins, sacl, dacl, &psize);
DEBUG(0,("get_share_security: Failed to make SEC_DESC.\n"));
return NT_STATUS_NO_MEMORY;
/**
 * sec_desc_add_ace_to_dacl: append an ACCESS_ALLOWED-style entry for sid
 * with the given access mask to the descriptor's DACL, via
 * sec_ace_add_sid(), and recompute the DACL size.
 *
 * @param sec_desc  descriptor to modify in place; its dacl is dereferenced
 * @param ctx       talloc context for the new ACE array
 * @param sid       SID the new ACE applies to
 * @param mask      access mask for the new ACE
 * @return the NTSTATUS from sec_ace_add_sid() (the declarations of
 *         num_aces, new_aces, result and i, the closing braces and the
 *         return are elided from this excerpt)
 *
 * NOTE(review): no test for sec_desc->dacl == NULL is visible here; a
 * descriptor without a DACL would fault on the first line below.  Confirm
 * whether the elided lines guard it.
 */
NTSTATUS sec_desc_add_ace_to_dacl(SEC_DESC *sec_desc, TALLOC_CTX *ctx, DOM_SID *sid, uint32 mask)
/* room for the existing ACEs plus the one being added */
num_aces = sec_desc->dacl->num_aces + 1;
result = sec_ace_add_sid(ctx, &new_aces, sec_desc->dacl->ace, &num_aces, sid, mask);
if (NT_STATUS_IS_OK(result)) {
/* swap in the new array and rebuild the on-the-wire size: header plus
 * the size of each ACE */
sec_desc->dacl->ace = new_aces;
sec_desc->dacl->num_aces = num_aces;
sec_desc->dacl->size = SEC_ACL_HEADER_SIZE;
for (i = 0; i < num_aces; i++) {
sec_desc->dacl->size += sec_desc->dacl->ace[i].size;
/**
 * gums_make_domain: create a GUMS_OBJ_DOMAIN object with the given SID,
 * name and description and store it through the backend's set_object().
 *
 * @param sid          SID of the domain object
 * @param name         domain name
 * @param description  description text (the lines between the name and
 *                     description setters are elided; they may guard a
 *                     NULL description)
 * @return NTSTATUS from get_gums_fns()/gums_create_object() on early
 *         failure, otherwise the result of fns->set_object() (the return
 *         statement and declarations of ret, go and fns are elided)
 *
 * NOTE(review): NTSTATUS_CHECK only logs -- it never jumps to its label --
 * so a failed set of sid/name/description still results in the object
 * being handed to fns->set_object().  The log prefixes below say
 * "gums_make_alias"/"gums_init_backend", not this function's name.
 */
NTSTATUS gums_make_domain(DOM_SID *sid, const char *name, const char *description)
if (!NT_STATUS_IS_OK(ret = get_gums_fns(&fns)))
if (!NT_STATUS_IS_OK(ret = gums_create_object(&go, GUMS_OBJ_DOMAIN)))
ret = gums_set_object_sid(go, sid);
NTSTATUS_CHECK(ret, done, "gums_make_alias", "unable to set sid!");
ret = gums_set_object_name(go, name);
NTSTATUS_CHECK(ret, done, "gums_make_alias", "unable to set name!");
ret = gums_set_object_description(go, description);
NTSTATUS_CHECK(ret, done, "gums_make_alias", "unable to set description!");
/* NOTE(review): the "* /" below is not a comment terminator, so the two
 * statements after it are commented out until the next real close marker,
 * which is not visible in this excerpt -- i.e. the default security
 * descriptor is presumably not attached to the domain object here. */
/* make security descriptor * /
ret = create_builtin_alias_default_sec_desc(&((*go).sec_desc), (*go).mem_ctx);
NTSTATUS_CHECK(ret, error, "gums_init_backend", "create_builtin_alias_default_sec_desc");
/* persist the object in the backend, then drop the local copy */
ret = fns->set_object(go);
gums_destroy_object(&go);
/**
 * gums_make_alias: create a GUMS_OBJ_ALIAS object with the given SID,
 * name and description and store it through the backend's set_object().
 * Mirrors gums_make_domain() apart from the object type.
 *
 * @param sid          SID of the alias
 * @param name         alias name
 * @param description  description text (lines between the name and
 *                     description setters are elided; they may guard a
 *                     NULL description)
 * @return NTSTATUS from get_gums_fns()/gums_create_object() on early
 *         failure, otherwise the result of fns->set_object() (the return
 *         statement and declarations of ret, go and fns are elided)
 *
 * NOTE(review): NTSTATUS_CHECK only logs and never jumps, so a failed
 * sid/name/description set still reaches fns->set_object().
 */
NTSTATUS gums_make_alias(DOM_SID *sid, const char *name, const char *description)
if (!NT_STATUS_IS_OK(ret = get_gums_fns(&fns)))
if (!NT_STATUS_IS_OK(ret = gums_create_object(&go, GUMS_OBJ_ALIAS)))
ret = gums_set_object_sid(go, sid);
NTSTATUS_CHECK(ret, done, "gums_make_alias", "unable to set sid!");
ret = gums_set_object_name(go, name);
NTSTATUS_CHECK(ret, done, "gums_make_alias", "unable to set name!");
ret = gums_set_object_description(go, description);
NTSTATUS_CHECK(ret, done, "gums_make_alias", "unable to set description!");
/* NOTE(review): "* /" below does not close the comment, so the two
 * statements after it stay commented out until the next real close marker
 * (not visible here) -- the default security descriptor is presumably not
 * attached to the alias at this point. */
/* make security descriptor * /
ret = create_builtin_alias_default_sec_desc(&((*go).sec_desc), (*go).mem_ctx);
NTSTATUS_CHECK(ret, error, "gums_init_backend", "create_builtin_alias_default_sec_desc");
/* persist the object in the backend, then drop the local copy */
ret = fns->set_object(go);
gums_destroy_object(&go);
/**
 * gums_init_domain: populate a new domain: create the domain object via
 * gums_make_domain() and then its default users and groups.
 *
 * @param sid          domain SID
 * @param name         domain name
 * @param description  domain description
 * @return NTSTATUS (most of the body, including the arguments to
 *         gums_make_domain() and the default-account creation, is elided
 *         from this excerpt)
 */
NTSTATUS gums_init_domain(DOM_SID *sid, const char *name, const char * description)
/* Add the well-known Builtin Domain */
if (!NT_STATUS_IS_OK(ret = gums_make_domain(
/* Add default users and groups */
Domain Administrators
238 NTSTATUS gums_init_builtin_domain(void)
242 generate_wellknown_sids();
244 /* Add the weelknown Builtin Domain */
245 if (!NT_STATUS_IS_OK(ret = gums_make_domain(
253 /* Add the well known Builtin Local Groups */
256 if (!NT_STATUS_IS_OK(ret = gums_make_alias(
257 &global_sid_Builtin_Administrators,
259 "Members can fully administer the computer/domain"
263 /* Administrator privilege set */
264 /* From BDC join trace:
265 SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege,
266 SeSystemtimePrivilege, SeShutdownPrivilege,
267 SeRemoteShutdownPrivilege, SeTakeOwnershipPrivilege,
268 SeDebugPrivilege, SeSystemEnvironmentPrivilege,
269 SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege,
270 SeIncreaseBasePriorityPrivilege, SeLocalDriverPrivilege,
271 SeCreatePagefilePrivilege, SeIncreaseQuotaPrivilege
275 /* Domain Controllers Does NOT have Power Users (?) */
276 if (!NT_STATUS_IS_OK(ret = gums_make_alias(
277 &global_sid_Builtin_Power_Users,
284 /* Power Users privilege set */
287 /* Account Operators */
288 if (!NT_STATUS_IS_OK(ret = gums_make_alias(
289 &global_sid_Builtin_Account_Operators,
291 "Members can administer domain user and group accounts"
296 /* make privilege set */
297 /* From BDC join trace:
301 /* Server Operators */
302 if (!NT_STATUS_IS_OK(ret = gums_make_alias(
303 &global_sid_Builtin_Server_Operators,
305 "Members can administer domain servers"
310 /* make privilege set */
311 /* From BDC join trace:
312 SeBackupPrivilege, SeRestorePrivilege, SeSystemtimePrivilege,
313 SeShutdownPrivilege, SeRemoteShutdownPrivilege
316 /* Print Operators */
317 if (!NT_STATUS_IS_OK(ret = gums_make_alias(
318 &global_sid_Builtin_Print_Operators,
320 "Members can administer domain printers"
325 /* make privilege set */
326 /* From BDC join trace:
330 /* Backup Operators */
331 if (!NT_STATUS_IS_OK(ret = gums_make_alias(
332 &global_sid_Builtin_Backup_Operators,
334 "Members can bypass file security to backup files"
339 /* make privilege set */
340 /* From BDC join trace:
341 SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege
345 if (!NT_STATUS_IS_OK(ret = gums_make_alias(
346 &global_sid_Builtin_Replicator,
348 "Supports file replication in a domain"
353 /* make privilege set */
354 /* From BDC join trace:
355 SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege
359 if (!NT_STATUS_IS_OK(ret = gums_make_alias(
360 &global_sid_Builtin_Users,
367 /* Users specific ACEs * /
368 sec_desc_add_ace_to_dacl(go->sec_desc, go->mem_ctx, &global_sid_Builtin_Account_Operators, ALIAS_DEFAULT_DACL_SA_RIGHTS);
369 sec_desc_add_ace_to_dacl(go->sec_desc, go->mem_ctx, &global_sid_Builtin_Power_Users, ALIAS_DEFAULT_DACL_SA_RIGHTS);
373 if (!NT_STATUS_IS_OK(ret = gums_make_alias(
374 &global_sid_Builtin_Guests,
376 "Users granted guest access to the computer/domain"