2 Unix SMB/CIFS implementation.
3 async implementation of WINBINDD_GETGROUPS
4 Copyright (C) Volker Lendecke 2009
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "passdb/lookup_sid.h" /* only for LOOKUP_NAME_NO_NSS flag */
23 #include "libcli/security/dom_sid.h"
25 struct winbindd_getgroups_state {
26 struct tevent_context *ev;
31 enum lsa_SidType type;
38 static void winbindd_getgroups_lookupname_done(struct tevent_req *subreq);
39 static void winbindd_getgroups_gettoken_done(struct tevent_req *subreq);
40 static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq);
42 struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx,
43 struct tevent_context *ev,
44 struct winbindd_cli_state *cli,
45 struct winbindd_request *request)
47 struct tevent_req *req, *subreq;
48 struct winbindd_getgroups_state *state;
49 char *domuser, *mapped_user;
53 req = tevent_req_create(mem_ctx, &state,
54 struct winbindd_getgroups_state);
60 /* Ensure null termination */
61 request->data.username[sizeof(request->data.username)-1]='\0';
63 DBG_NOTICE("[%s (%u)] getgroups %s\n",
65 (unsigned int)cli->pid,
66 request->data.username);
68 domuser = request->data.username;
70 status = normalize_name_unmap(state, domuser, &mapped_user);
72 if (NT_STATUS_IS_OK(status)
73 || NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
74 /* normalize_name_unmapped did something */
75 domuser = mapped_user;
78 ok = parse_domain_user(domuser,
83 DEBUG(5, ("Could not parse domain user: %s\n", domuser));
84 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
85 return tevent_req_post(req, ev);
88 subreq = wb_lookupname_send(state, ev,
93 if (tevent_req_nomem(subreq, req)) {
94 return tevent_req_post(req, ev);
96 tevent_req_set_callback(subreq, winbindd_getgroups_lookupname_done,
101 static void winbindd_getgroups_lookupname_done(struct tevent_req *subreq)
103 struct tevent_req *req = tevent_req_callback_data(
104 subreq, struct tevent_req);
105 struct winbindd_getgroups_state *state = tevent_req_data(
106 req, struct winbindd_getgroups_state);
109 status = wb_lookupname_recv(subreq, &state->sid, &state->type);
111 if (tevent_req_nterror(req, status)) {
115 subreq = wb_gettoken_send(state, state->ev, &state->sid, true);
116 if (tevent_req_nomem(subreq, req)) {
119 tevent_req_set_callback(subreq, winbindd_getgroups_gettoken_done, req);
122 static void winbindd_getgroups_gettoken_done(struct tevent_req *subreq)
124 struct tevent_req *req = tevent_req_callback_data(
125 subreq, struct tevent_req);
126 struct winbindd_getgroups_state *state = tevent_req_data(
127 req, struct winbindd_getgroups_state);
130 status = wb_gettoken_recv(subreq, state, &state->num_sids,
133 if (tevent_req_nterror(req, status)) {
138 * Convert the group SIDs to gids. state->sids[0] contains the user
139 * sid. If the idmap backend uses ID_TYPE_BOTH, we might need the
140 * the id of the user sid in the list of group sids, so map the
144 subreq = wb_sids2xids_send(state, state->ev,
145 state->sids, state->num_sids);
146 if (tevent_req_nomem(subreq, req)) {
149 tevent_req_set_callback(subreq, winbindd_getgroups_sid2gid_done, req);
152 static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq)
154 struct tevent_req *req = tevent_req_callback_data(
155 subreq, struct tevent_req);
156 struct winbindd_getgroups_state *state = tevent_req_data(
157 req, struct winbindd_getgroups_state);
162 xids = talloc_array(state, struct unixid, state->num_sids);
163 if (tevent_req_nomem(xids, req)) {
166 for (i=0; i < state->num_sids; i++) {
167 xids[i].type = ID_TYPE_NOT_SPECIFIED;
168 xids[i].id = UINT32_MAX;
171 status = wb_sids2xids_recv(subreq, xids, state->num_sids);
173 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) ||
174 NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
176 status = NT_STATUS_OK;
178 if (tevent_req_nterror(req, status)) {
182 state->gids = talloc_array(state, gid_t, state->num_sids);
183 if (tevent_req_nomem(state->gids, req)) {
188 for (i=0; i < state->num_sids; i++) {
189 bool include_gid = false;
190 const char *debug_missing = NULL;
192 switch (xids[i].type) {
193 case ID_TYPE_NOT_SPECIFIED:
194 debug_missing = "not specified";
198 debug_missing = "uid";
208 struct dom_sid_buf sidbuf;
210 if (debug_missing == NULL) {
214 DEBUG(10, ("WARNING: skipping unix id (%u) for sid %s "
215 "from group list because the idmap type "
217 "This might be a security problem when ACLs "
218 "contain DENY ACEs!\n",
219 (unsigned)xids[i].id,
220 dom_sid_str_buf(&state->sids[i], &sidbuf),
225 state->gids[state->num_gids] = (gid_t)xids[i].id;
226 state->num_gids += 1;
230 * This should not fail, as it does not do any reallocation,
231 * just updating the talloc size.
233 state->gids = talloc_realloc(state, state->gids, gid_t, state->num_gids);
234 if (tevent_req_nomem(state->gids, req)) {
238 tevent_req_done(req);
241 NTSTATUS winbindd_getgroups_recv(struct tevent_req *req,
242 struct winbindd_response *response)
244 struct winbindd_getgroups_state *state = tevent_req_data(
245 req, struct winbindd_getgroups_state);
248 if (tevent_req_is_nterror(req, &status)) {
249 struct dom_sid_buf buf;
250 DEBUG(5, ("Could not convert sid %s: %s\n",
251 dom_sid_str_buf(&state->sid, &buf),
256 response->data.num_entries = state->num_gids;
258 if (state->num_gids > 0) {
259 response->extra_data.data = talloc_move(response,
261 response->length += state->num_gids * sizeof(gid_t);