LOCKING_OBJ = locking/locking.o locking/locking_shm.o locking/locking_slow.o \
locking/shmem.o locking/shmem_sysv.o
-GROUPDB_OBJ = groupdb/groupdb.o groupdb/groupfile.o \
- groupdb/aliasdb.o groupdb/aliasfile.o \
- groupdb/groupunix.o groupdb/aliasunix.o \
+GROUPDB_OBJ = groupdb/groupdb.o groupdb/aliasdb.o groupdb/builtindb.o \
+ groupdb/groupfile.o groupdb/aliasfile.o \
+ groupdb/groupunix.o groupdb/aliasunix.o groupdb/builtinunix.o \
passdb/passgrp.o passdb/smbpassgroup.o \
passdb/smbpassgroupunix.o
int *num_mem, LOCAL_GRP_MEMBER **members);
struct aliasdb_ops *unix_initialise_alias_db(void);
+/*The following definitions come from groupdb/builtindb.c */
+
+BOOL initialise_builtin_db(void);
+LOCAL_GRP *iterate_getbuiltingid(gid_t gid, LOCAL_GRP_MEMBER **mem, int *num_mem);
+LOCAL_GRP *iterate_getbuiltinrid(uint32 rid, LOCAL_GRP_MEMBER **mem, int *num_mem);
+LOCAL_GRP *iterate_getbuiltinntnam(const char *name, LOCAL_GRP_MEMBER **mem, int *num_mem);
+BOOL add_domain_builtin(LOCAL_GRP **blts, int *num_blts, LOCAL_GRP *blt);
+BOOL iterate_getuserbuiltinntnam(const char *user_name, LOCAL_GRP **blts, int *num_blts);
+BOOL enumdombuiltins(LOCAL_GRP **blts, int *num_blts);
+void *startbuiltinent(BOOL update);
+void endbuiltinent(void *vp);
+LOCAL_GRP *getbuiltinent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem);
+BOOL add_builtin_entry(LOCAL_GRP *newblt);
+BOOL mod_builtin_entry(LOCAL_GRP* blt);
+LOCAL_GRP *getbuiltinntnam(const char *name, LOCAL_GRP_MEMBER **mem, int *num_mem);
+LOCAL_GRP *getbuiltinrid(uint32 builtin_rid, LOCAL_GRP_MEMBER **mem, int *num_mem);
+LOCAL_GRP *getbuiltingid(gid_t gid, LOCAL_GRP_MEMBER **mem, int *num_mem);
+BOOL getuserbuiltinntnam(const char *user_name, LOCAL_GRP **blt, int *num_blts);
+void bidb_init_blt(LOCAL_GRP *blt);
+BOOL make_builtin_line(char *p, int max_len,
+ LOCAL_GRP *blt,
+ LOCAL_GRP_MEMBER **mem, int *num_mem);
+
+/*The following definitions come from groupdb/builtinunix.c */
+
+BOOL get_unixbuiltin_members(struct group *grp,
+ int *num_mem, LOCAL_GRP_MEMBER **members);
+struct aliasdb_ops *unix_initialise_builtin_db(void);
+
/*The following definitions come from groupdb/groupdb.c */
BOOL initialise_group_db(void);
void get_sam_domain_name(void);
BOOL get_member_domain_sid(void);
void generate_wellknown_sids(void);
-BOOL generate_sam_sid(void);
+BOOL generate_sam_sid(char *domain_name);
BOOL map_domain_name_to_sid(DOM_SID *sid, char **nt_domain);
BOOL map_domain_sid_to_name(DOM_SID *sid, char *nt_domain);
BOOL split_domain_name(char *fullname, char *domain, char *name);
POLICY_HND samr_pol_connect;
POLICY_HND samr_pol_open_domain;
+ POLICY_HND samr_pol_open_builtindom;
POLICY_HND samr_pol_open_user;
struct acct_info *sam;
***************************************************************************/
static BOOL make_mydomain_sid(DOM_NAME_MAP *grp, DOM_MAP_TYPE type)
{
- DEBUG(10,("make_mydomain_sid\n"));
-
if (!map_domain_name_to_sid(&grp->sid, &(grp->nt_domain)))
{
DEBUG(0,("make_mydomain_sid: unknown domain %s\n",
/*
* only builtin aliases are recognised in S-1-5-20
*/
+ DEBUG(10,("make_mydomain_sid: group %s in builtin domain\n",
+ grp->nt_name));
- if (!lookup_builtin_alias_name(grp->nt_name, "BUILTIN", &grp->sid, &grp->type))
+ if (lookup_builtin_alias_name(grp->nt_name, "BUILTIN", &grp->sid, &grp->type) != 0x0)
{
DEBUG(0,("unix group %s mapped to an unrecognised BUILTIN domain name %s\n",
grp->unix_name, grp->nt_name));
if (!*unixname)
continue;
- DEBUG(5,("unixname = %s, ntname = %s.\n",
- unixname, nt_name));
-
p = strchr(nt_name, '\\');
if (p == NULL)
fstrcpy(nt_group , p);
}
- if (make_name_entry(&new_ep, nt_domain, nt_name, unixname, type))
+ if (make_name_entry(&new_ep, nt_domain, nt_group, unixname, type))
{
ubi_slAddTail(map_list, (ubi_slNode *)new_ep);
+ DEBUG(5,("unixname = %s, ntname = %s\\%s type = %d\n",
+ unixname, nt_domain, nt_group, new_ep->grp.type));
}
}
}
/****************************************************************************
- Generate the global machine sid. Look for the MACHINE.SID file first, if
- not found then look in smb.conf and use it to create the MACHINE.SID file.
+ Generate the global machine sid. Look for the DOMAINNAME.SID file first, if
+ not found then look in smb.conf and use it to create the DOMAINNAME.SID file.
****************************************************************************/
-BOOL generate_sam_sid(void)
+BOOL generate_sam_sid(char *domain_name)
{
int fd;
int i;
char *p;
pstring sid_file;
fstring sid_string;
+ fstring file_name;
SMB_STRUCT_STAT st;
uchar raw_sid_data[12];
pstrcpy(sid_file, lp_smb_passwd_file());
p = strrchr(sid_file, '/');
- if (p != NULL) {
+ if (p != NULL)
+ {
*++p = '\0';
}
}
}
- pstrcat(sid_file, "MACHINE.SID");
+ slprintf(file_name, sizeof(file_name)-1, "%s.SID", domain_name);
+ strupper(file_name);
+ pstrcat(sid_file, file_name);
if ((fd = sys_open(sid_file, O_RDWR | O_CREAT, 0644)) == -1) {
DEBUG(0,("unable to open or create file %s. Error was %s\n",
rid = builtin_alias_rids[i].rid;
als_name = builtin_alias_rids[i].name;
- i++;
-
if (strequal(als_name, alias_name))
{
if (sid != NULL)
return 0x0;
}
+ i++;
+
} while (als_name != NULL);
return 0xC0000000 | NT_STATUS_NONE_MAPPED;
generate_wellknown_sids();
- if (!generate_sam_sid())
+ if (!generate_sam_sid(global_sam_name))
{
- DEBUG(0,("ERROR: Samba cannot create a SAM SID.\n"));
+ DEBUG(0,("ERROR: Samba cannot create a SAM SID for its domain (%s).\n",
+ global_sam_name));
return False;
}
extern fstring global_sam_name;
extern DOM_SID global_member_sid;
extern fstring global_myworkgroup;
-extern DOM_SID global_sid_S_1_1;
-extern DOM_SID global_sid_S_1_3;
-extern DOM_SID global_sid_S_1_5;
+extern DOM_SID global_sid_S_1_5_20;
/***************************************************************************
lsa_reply_open_policy2
else if (sid_split_rid (&find_sid, &rid) &&
map_domain_sid_to_name(&find_sid, dom_name))
{
- if (sid_equal(&find_sid, &global_sam_sid))
+ if (sid_equal(&find_sid, &global_sam_sid) ||
+ sid_equal(&find_sid, &global_sid_S_1_5_20))
{
status = lookup_sid(&tmp_sid, name, &sid_name_use);
}
{
/* Static buffers we will return. */
static struct smb_passwd pw_buf;
- static pstring nt_name;
+ static pstring unix_name;
static unsigned char smbpwd[16];
static unsigned char smbntpwd[16];
char linebuf[256];
* As 256 is shorter than a pstring we don't need to check
* length here - if this ever changes....
*/
- p = strncpyn(nt_name, linebuf, sizeof(nt_name), ':');
+ p = strncpyn(unix_name, linebuf, sizeof(unix_name), ':');
/* Go past ':' */
p++;
p = Atoic( p, &uidval, ":");
- pw_buf.nt_name = nt_name;
+ pw_buf.unix_name = unix_name;
pw_buf.unix_uid = uidval;
/*
if (*p == '*' || *p == 'X')
{
/* Password deliberately invalid - end here. */
- DEBUG(10, ("getsmbfilepwent: entry invalidated for nt user %s\n", nt_name));
+ DEBUG(10, ("getsmbfilepwent: entry invalidated for unix user %s\n", unix_name));
pw_buf.smb_nt_passwd = NULL;
pw_buf.smb_passwd = NULL;
pw_buf.acct_ctrl |= ACB_DISABLED;
p += 33;
}
- DEBUG(5,("getsmbfilepwent: returning passwd entry for nt user %s, unix uid %d\n",
- nt_name, uidval));
+ DEBUG(5,("getsmbfilepwent: returning passwd entry for unix user %s, unix uid %d\n",
+ unix_name, uidval));
if (*p == '[')
{
* password file as 'normal accounts'. If this changes
* we will have to fix this code. JRA.
*/
- if (pw_buf.nt_name[strlen(pw_buf.nt_name) - 1] == '$')
+ if (pw_buf.unix_name[strlen(pw_buf.unix_name) - 1] == '$')
{
pw_buf.acct_ctrl &= ~ACB_NORMAL;
pw_buf.acct_ctrl |= ACB_WSTRUST;
*/
while ((pwd = getsmbfilepwent(fp)) != NULL) {
- if (strequal(newpwd->nt_name, pwd->nt_name)) {
- DEBUG(0, ("add_smbfilepwd_entry: entry with nt name %s already exists\n", pwd->nt_name));
+ if (strequal(newpwd->unix_name, pwd->unix_name)) {
+ DEBUG(0, ("add_smbfilepwd_entry: entry with unix name %s already exists\n", pwd->unix_name));
endsmbfilepwent(fp);
return False;
}
if((offpos = sys_lseek(fd, 0, SEEK_END)) == -1) {
DEBUG(0, ("add_smbfilepwd_entry(sys_lseek): Failed to add entry for user %s to file %s. \
-Error was %s\n", newpwd->nt_name, pfile, strerror(errno)));
+Error was %s\n", newpwd->unix_name, pfile, strerror(errno)));
endsmbfilepwent(fp);
return False;
}
- new_entry_length = strlen(newpwd->nt_name) + 1 + 15 + 1 + 32 + 1 + 32 + 1 + NEW_PW_FORMAT_SPACE_PADDED_LEN + 1 + 13 + 2;
+ new_entry_length = strlen(newpwd->unix_name) + 1 + 15 + 1 + 32 + 1 + 32 + 1 + NEW_PW_FORMAT_SPACE_PADDED_LEN + 1 + 13 + 2;
if((new_entry = (char *)malloc( new_entry_length )) == NULL) {
DEBUG(0, ("add_smbfilepwd_entry(malloc): Failed to add entry for user %s to file %s. \
-Error was %s\n", newpwd->nt_name, pfile, strerror(errno)));
+Error was %s\n", newpwd->unix_name, pfile, strerror(errno)));
endsmbfilepwent(fp);
return False;
}
- slprintf(new_entry, new_entry_length - 1, "%s:%u:", newpwd->nt_name, (unsigned)newpwd->unix_uid);
+ slprintf(new_entry, new_entry_length - 1, "%s:%u:", newpwd->unix_name, (unsigned)newpwd->unix_uid);
p = &new_entry[strlen(new_entry)];
if(newpwd->smb_passwd != NULL) {
if ((wr_len = write(fd, new_entry, strlen(new_entry))) != strlen(new_entry)) {
DEBUG(0, ("add_smbfilepwd_entry(write): %d Failed to add entry for user %s to file %s. \
-Error was %s\n", wr_len, newpwd->nt_name, pfile, strerror(errno)));
+Error was %s\n", wr_len, newpwd->unix_name, pfile, strerror(errno)));
/* Remove the entry we just wrote. */
if(sys_ftruncate(fd, offpos) == -1) {
DEBUG(0, ("add_smbfilepwd_entry: ERROR failed to ftruncate file %s. \
Error was %s. Password file may be corrupt ! Please examine by hand !\n",
- newpwd->nt_name, strerror(errno)));
+ newpwd->unix_name, strerror(errno)));
}
endsmbfilepwent(fp);
static BOOL mod_smbfilepwd_entry(struct smb_passwd* pwd, BOOL override)
{
/* Static buffers we will return. */
- static pstring nt_name;
+ static pstring unix_name;
char linebuf[256];
char readbuf[1024];
* As 256 is shorter than a pstring we don't need to check
* length here - if this ever changes....
*/
- strncpy(nt_name, linebuf, PTR_DIFF(p, linebuf));
- nt_name[PTR_DIFF(p, linebuf)] = '\0';
- if (strequal(nt_name, pwd->nt_name)) {
+ strncpy(unix_name, linebuf, PTR_DIFF(p, linebuf));
+ unix_name[PTR_DIFF(p, linebuf)] = '\0';
+ if (strequal(unix_name, pwd->unix_name)) {
found_entry = True;
break;
}
if (!override && (*p == '*' || *p == 'X')) {
/* Password deliberately invalid - end here. */
- DEBUG(10, ("mod_smbfilepwd_entry: entry invalidated for nt user %s\n", nt_name));
+ DEBUG(10, ("mod_smbfilepwd_entry: entry invalidated for unix user %s\n", unix_name));
file_unlock(lockfd, &pw_file_lock_depth);
fclose(fp);
return False;
if (als_rids == NULL && grp_rids == NULL)
{
+ /* they didn't want to know the members. */
return pwdb_sam_to_smb(pw_buf);
}
* find the unix name for each user's group.
* assume the unix group is an nt name (alias? group? user?)
* (user or not our own domain will be an error).
+ *
+ * oh, oh, can anyone spot what's missing heeere?
+ * you guessed it: built-in aliases. those are in
+ * Domain S-1-5-20, and NT Domain Users can only
+ * have lists of RIDs as groups.
+ *
+ * doesn't stop you making NT Domain Users a member
+ * of a BUILTIN Alias (e.g "Administrators" or "Power Users")
+ * it's just that there's no way to tell that from this
+ * API call: wrong domain, sorry.
+ *
*/
DOM_NAME_MAP gmep;
if (dom_idx != 0xffffffff)
{
- fstrcpy(dom_name, unistr2(ref.ref_dom[dom_idx].uni_dom_name.buffer));
- fstrcpy(name , unistr2(t_names.uni_name[i].buffer));
+ fstrcpy(dom_name, unistr2_to_str(&ref.ref_dom[dom_idx].uni_dom_name));
+ fstrcpy(name , unistr2_to_str(&t_names.uni_name[i]));
- slprintf(full_name, sizeof(full_name), "%s\\%s",
+ memset(full_name, 0, sizeof(full_name));
+ slprintf(full_name, sizeof(full_name)-1, "%s\\%s",
dom_name, name);
(*names)[i] = strdup(full_name);
extern fstring global_sam_name;
extern DOM_SID global_member_sid;
extern fstring global_myworkgroup;
-extern DOM_SID global_sid_S_1_1;
-extern DOM_SID global_sid_S_1_3;
-extern DOM_SID global_sid_S_1_5;
+extern DOM_SID global_sid_S_1_5_20;
/***************************************************************************
lsa_reply_open_policy2
else if (sid_split_rid (&find_sid, &rid) &&
map_domain_sid_to_name(&find_sid, dom_name))
{
- if (sid_equal(&find_sid, &global_sam_sid))
+ if (sid_equal(&find_sid, &global_sam_sid) ||
+ sid_equal(&find_sid, &global_sid_S_1_5_20))
{
status = lookup_sid(&tmp_sid, name, &sid_name_use);
}
{
uint32 status = 0;
+ LOCAL_GRP *mem_grp = NULL;
uint32 *rid = NULL;
int num_rids = 0;
struct sam_passwd *sam_pass;
if (status == 0x0)
{
+ DEBUG(10,("sid is %s\n", dom_sid_str));
+
if (sid_equal(&dom_sid, &global_sid_S_1_5_20))
{
DEBUG(10,("lookup on S-1-5-20\n"));
+
+ become_root(True);
+ getuserbuiltinntnam(sam_pass->nt_name, &mem_grp, &num_rids);
+ unbecome_root(True);
}
else if (sid_equal(&dom_sid, &usr_sid))
{
- LOCAL_GRP *mem_grp = NULL;
- num_rids = 0;
-
DEBUG(10,("lookup on Domain SID\n"));
become_root(True);
getuseraliasntnam(sam_pass->nt_name, &mem_grp, &num_rids);
unbecome_root(True);
+ }
+ else
+ {
+ status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
+ }
+ }
+ if (status == 0x0 && num_rids > 0)
+ {
rid = malloc(num_rids * sizeof(uint32));
if (mem_grp != NULL && rid != NULL)
{
rid[i] = mem_grp[i].rid;
}
free(mem_grp);
- }
- }
- else
- {
- status = 0xC0000000 | NT_STATUS_NO_SUCH_USER;
}
}
fstring domain;
fstring sid;
DOM_SID sid1;
+ DOM_SID sid_1_5_20;
int user_idx;
BOOL res = True;
+ BOOL res1 = True;
BOOL request_user_info = False;
BOOL request_group_info = False;
BOOL request_alias_info = False;
request_group_info |= strequal(tmp, "-g");
request_alias_info |= strequal(tmp, "-a");
}
+ else
+ {
+ break;
+ }
}
#ifdef DEBUG_TESTING
}
#endif
+ string_to_sid(&sid_1_5_20, "S-1-5-32");
+
fprintf(out_hnd, "SAM Enumerate Users\n");
fprintf(out_hnd, "From: %s To: %s Domain: %s SID: %s\n",
info->myhostname, srv_name, domain, sid);
&info->dom.samr_pol_connect, admin_rid, &sid1,
&info->dom.samr_pol_open_domain) : False;
+ /* connect to the S-1-5-20 domain */
+ res1 = res ? do_samr_open_domain(smb_cli,
+ &info->dom.samr_pol_connect, admin_rid, &sid_1_5_20,
+ &info->dom.samr_pol_open_builtindom) : False;
+
/* read some users */
res = res ? do_samr_enum_dom_users(smb_cli,
&info->dom.samr_pol_open_domain,
fprintf(out_hnd, "No users\n");
}
- if (request_user_info || request_group_info || request_alias_info)
- {
/* query all the users */
- user_idx = 0;
-
- while (res && user_idx < info->dom.num_sam_entries)
+ for (user_idx = 0; res && user_idx < info->dom.num_sam_entries; user_idx++)
{
uint32 user_rid = info->dom.sam[user_idx].user_rid;
SAM_USER_INFO_21 usr;
&info->dom.samr_pol_open_domain,
&als_sid, &num_aliases, rid))
{
- display_alias_rid_info(out_hnd, ACTION_HEADER , &als_sid, num_aliases, rid);
- display_alias_rid_info(out_hnd, ACTION_ENUMERATE, &als_sid, num_aliases, rid);
- display_alias_rid_info(out_hnd, ACTION_FOOTER , &als_sid, num_aliases, rid);
- }
+ display_alias_rid_info(out_hnd, ACTION_HEADER , &sid1, num_aliases, rid);
+ display_alias_rid_info(out_hnd, ACTION_ENUMERATE, &sid1, num_aliases, rid);
+ display_alias_rid_info(out_hnd, ACTION_FOOTER , &sid1, num_aliases, rid);
}
- user_idx++;
+ /* send user alias query */
+ if (res1 && do_samr_query_useraliases(smb_cli,
+ &info->dom.samr_pol_open_builtindom,
+ &als_sid, &num_aliases, rid))
+ {
+ display_alias_rid_info(out_hnd, ACTION_HEADER , &sid_1_5_20, num_aliases, rid);
+ display_alias_rid_info(out_hnd, ACTION_ENUMERATE, &sid_1_5_20, num_aliases, rid);
+ display_alias_rid_info(out_hnd, ACTION_FOOTER , &sid_1_5_20, num_aliases, rid);
+ }
}
}
+ res1 = res1 ? do_samr_close(smb_cli,
+ &info->dom.samr_pol_open_builtindom) : False;
+
res = res ? do_samr_close(smb_cli,
&info->dom.samr_pol_open_domain) : False;
exit(1);
}
+ if(!initialise_builtin_db())
+ {
+ exit(1);
+ }
+
if (!get_member_domain_sid())
{
DEBUG(0,("ERROR: Samba cannot obtain PDC SID from PDC(s) %s.\n",
git.samba.org / kai / samba-autobuild / .git / commitdiff