2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 /* this module apparently provides an implementation of DCE/RPC over a
24 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
25 * documentation are available (in on-line form) from the X-Open group.
27 * this module should provide a level of abstraction between SMB
28 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
29 * data copies, and network traffic.
31 * in this version, which takes a "let's learn what's going on and
32 * get something running" approach, there is additional network
33 * traffic generated, but the code should be easier to understand...
35 * ... if you read the docs. or stare at packets for weeks on end.
42 * A list of the rids of well known BUILTIN and Domain users
46 rid_name builtin_alias_rids[] =
48 { BUILTIN_ALIAS_RID_ADMINS , "Administrators" },
49 { BUILTIN_ALIAS_RID_USERS , "Users" },
50 { BUILTIN_ALIAS_RID_GUESTS , "Guests" },
51 { BUILTIN_ALIAS_RID_POWER_USERS , "Power Users" },
53 { BUILTIN_ALIAS_RID_ACCOUNT_OPS , "Account Operators" },
54 { BUILTIN_ALIAS_RID_SYSTEM_OPS , "System Operators" },
55 { BUILTIN_ALIAS_RID_PRINT_OPS , "Print Operators" },
56 { BUILTIN_ALIAS_RID_BACKUP_OPS , "Backup Operators" },
57 { BUILTIN_ALIAS_RID_REPLICATOR , "Replicator" },
61 /* array lookup of well-known Domain RID users. */
62 rid_name domain_user_rids[] =
64 { DOMAIN_USER_RID_ADMIN , "Administrator" },
65 { DOMAIN_USER_RID_GUEST , "Guest" },
69 /* array lookup of well-known Domain RID groups. */
70 rid_name domain_group_rids[] =
72 { DOMAIN_GROUP_RID_ADMINS , "Domain Admins" },
73 { DOMAIN_GROUP_RID_USERS , "Domain Users" },
74 { DOMAIN_GROUP_RID_GUESTS , "Domain Guests" },
78 /*******************************************************************
79 gets a domain user's groups
80 ********************************************************************/
81 NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, uint32 **prids, DOM_SID *q_sid)
83 SAM_ACCOUNT *sam_pass=NULL;
84 struct sys_grent *glist;
85 struct sys_grent *grp;
86 int i, num, cur_rid=0;
91 fstring str_domsid, str_qsid;
93 uint32 *rids=NULL, *new_rids=NULL;
94 gid_t winbind_gid_low, winbind_gid_high;
96 BOOL winbind_groups_exist;
99 * this code is far from perfect.
100 * first it enumerates the full /etc/group and that can be slow.
101 * second, it works only with users' SIDs
102 * whereas the day we support nested groups, it will have to
103 * support both users's SIDs and domain groups' SIDs
105 * having our own ldap backend would be so much faster !
106 * we're far from that, but hope one day ;-) JFM.
112 winbind_groups_exist = lp_winbind_gid(&winbind_gid_low, &winbind_gid_high);
115 DEBUG(10,("get_alias_user_groups: looking if SID %s is a member of groups in the SID domain %s\n",
116 sid_to_string(str_qsid, q_sid), sid_to_string(str_domsid, sid)));
118 pdb_init_sam(&sam_pass);
120 ret = pdb_getsampwsid(sam_pass, q_sid);
123 pdb_free_sam(&sam_pass);
124 return NT_STATUS_NO_SUCH_USER;
127 fstrcpy(user_name, pdb_get_username(sam_pass));
128 grid=pdb_get_group_rid(sam_pass);
129 gid=pdb_get_gid(sam_pass);
131 grp = glist = getgrent_list();
133 pdb_free_sam(&sam_pass);
134 return NT_STATUS_NO_MEMORY;
137 for (; grp != NULL; grp = grp->next) {
138 if(!get_group_from_gid(grp->gr_gid, &map, MAPPING_WITHOUT_PRIV)) {
139 DEBUG(10,("get_alias_user_groups: gid %d. not found\n", (int)grp->gr_gid));
143 /* if it's not an alias, continue */
144 if (map.sid_name_use!=SID_NAME_ALIAS) {
145 DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
149 sid_copy(&tmp_sid, &map.sid);
150 sid_split_rid(&tmp_sid, &rid);
152 /* if the sid is not in the correct domain, continue */
153 if (!sid_equal(&tmp_sid, sid)) {
154 DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name));
158 /* Don't return winbind groups as they are not local! */
159 if (winbind_groups_exist && (grp->gr_gid >= winbind_gid_low) && (grp->gr_gid <= winbind_gid_high)) {
160 DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name));
164 /* Don't return user private groups... */
165 if (Get_Pwnam(map.nt_name) != 0) {
166 DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name));
170 /* the group is fine, we can check if there is the user we're looking for */
171 DEBUG(10,("get_alias_user_groups: checking if the user is a member of %s.\n", map.nt_name));
173 for(num=0; grp->gr_mem[num]!=NULL; num++) {
174 if(strcmp(grp->gr_mem[num], user_name)==0) {
175 /* we found the user, add the group to the list */
177 new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1));
178 if (new_rids==NULL) {
179 DEBUG(10,("get_alias_user_groups: could not realloc memory\n"));
180 pdb_free_sam(&sam_pass);
181 return NT_STATUS_NO_MEMORY;
185 sid_peek_rid(&map.sid, &(rids[cur_rid]));
186 DEBUG(10,("get_alias_user_groups: user found in group %s\n", map.nt_name));
195 /* now check for the user's gid (the primary group rid) */
196 for (i=0; i<cur_rid && grid!=rids[i]; i++)
199 /* the user's gid is already there */
201 DEBUG(10,("get_alias_user_groups: user is already in the list. good.\n"));
205 DEBUG(10,("get_alias_user_groups: looking for gid %d of user %s\n", (int)gid, user_name));
207 if(!get_group_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
208 DEBUG(0,("get_alias_user_groups: gid of user %s doesn't exist. Check your /etc/passwd and /etc/group files\n", user_name));
212 /* the primary group isn't an alias */
213 if (map.sid_name_use!=SID_NAME_ALIAS) {
214 DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
218 sid_copy(&tmp_sid, &map.sid);
219 sid_split_rid(&tmp_sid, &rid);
221 /* if the sid is not in the correct domain, continue */
222 if (!sid_equal(&tmp_sid, sid)) {
223 DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name));
227 /* Don't return winbind groups as they are not local! */
228 if (winbind_groups_exist && (gid >= winbind_gid_low) && (gid <= winbind_gid_high)) {
229 DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name ));
233 /* Don't return user private groups... */
234 if (Get_Pwnam(map.nt_name) != 0) {
235 DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name ));
239 new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1));
240 if (new_rids==NULL) {
241 DEBUG(10,("get_alias_user_groups: could not realloc memory\n"));
242 pdb_free_sam(&sam_pass);
243 return NT_STATUS_NO_MEMORY;
247 sid_peek_rid(&map.sid, &(rids[cur_rid]));
253 pdb_free_sam(&sam_pass);
259 /*******************************************************************
260 gets a domain user's groups
261 ********************************************************************/
262 BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SAM_ACCOUNT *sam_pass)
265 int i, num, num_entries, cur_gid=0;
274 fstrcpy(user_name, pdb_get_username(sam_pass));
275 grid=pdb_get_group_rid(sam_pass);
277 DEBUG(10,("get_domain_user_groups: searching domain groups [%s] is a member of\n", user_name));
279 /* first get the list of the domain groups */
280 if (!enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV))
282 DEBUG(10,("get_domain_user_groups: there are %d mapped groups\n", num_entries));
285 * alloc memory. In the worse case, we alloc memory for nothing.
286 * but I prefer to alloc for nothing
287 * than reallocing everytime.
289 gids = (DOM_GID *)talloc(ctx, sizeof(DOM_GID) * num_entries);
291 /* for each group, check if the user is a member of*/
292 for(i=0; i<num_entries; i++) {
293 if ((grp=getgrgid(map[i].gid)) == NULL) {
295 DEBUG(5,("get_domain_user_groups: gid %d doesn't exist anymore !\n", (int)map[i].gid));
299 for(num=0; grp->gr_mem[num]!=NULL; num++) {
300 if(strcmp(grp->gr_mem[num], user_name)==0) {
301 /* we found the user, add the group to the list */
302 sid_peek_rid(&map[i].sid, &(gids[cur_gid].g_rid));
303 gids[cur_gid].attr=7;
304 DEBUG(10,("get_domain_user_groups: user found in group %s\n", map[i].nt_name));
311 /* we have checked the groups */
312 /* we must now check the gid of the user or the primary group rid, that's the same */
313 for (i=0; i<cur_gid && grid!=gids[i].g_rid; i++)
316 /* the user's gid is already there */
319 * the primary group of the user but be the first one in the list
322 gids[i].g_rid=gids[0].g_rid;
327 for(i=0; i<num_entries; i++) {
328 sid_peek_rid(&map[i].sid, &tmp_rid);
331 * the primary group of the user but be the first one in the list
334 gids[cur_gid].g_rid=gids[0].g_rid;
335 gids[0].g_rid=tmp_rid;
336 gids[cur_gid].attr=7;
337 DEBUG(10,("get_domain_user_groups: primary gid of user found in group %s\n", map[i].nt_name));
339 goto done; /* leave the loop early */
343 DEBUG(0,("get_domain_user_groups: primary gid of user [%s] is not a Domain group !\n", user_name));
344 DEBUGADD(0,("get_domain_user_groups: You should fix it, NT doesn't like that\n"));
354 /*******************************************************************
355 Look up a local (domain) rid and return a name and type.
356 ********************************************************************/
357 NTSTATUS local_lookup_group_name(uint32 rid, char *group_name, uint32 *type)
360 (*type) = SID_NAME_DOM_GRP;
362 DEBUG(5,("lookup_group_name: rid: %d", rid));
364 while (domain_group_rids[i].rid != rid && domain_group_rids[i].rid != 0)
369 if (domain_group_rids[i].rid != 0)
371 fstrcpy(group_name, domain_group_rids[i].name);
372 DEBUG(5,(" = %s\n", group_name));
376 DEBUG(5,(" none mapped\n"));
377 return NT_STATUS_NONE_MAPPED;
380 /*******************************************************************
381 Look up a local alias rid and return a name and type.
382 ********************************************************************/
383 NTSTATUS local_lookup_alias_name(uint32 rid, char *alias_name, uint32 *type)
386 (*type) = SID_NAME_WKN_GRP;
388 DEBUG(5,("lookup_alias_name: rid: %d", rid));
390 while (builtin_alias_rids[i].rid != rid && builtin_alias_rids[i].rid != 0)
395 if (builtin_alias_rids[i].rid != 0)
397 fstrcpy(alias_name, builtin_alias_rids[i].name);
398 DEBUG(5,(" = %s\n", alias_name));
402 DEBUG(5,(" none mapped\n"));
403 return NT_STATUS_NONE_MAPPED;
407 #if 0 /*Nobody uses this function just now*/
408 /*******************************************************************
409 Look up a local user rid and return a name and type.
410 ********************************************************************/
411 NTSTATUS local_lookup_user_name(uint32 rid, char *user_name, uint32 *type)
413 SAM_ACCOUNT *sampwd=NULL;
417 (*type) = SID_NAME_USER;
419 DEBUG(5,("lookup_user_name: rid: %d", rid));
421 /* look up the well-known domain user rids first */
422 while (domain_user_rids[i].rid != rid && domain_user_rids[i].rid != 0)
427 if (domain_user_rids[i].rid != 0) {
428 fstrcpy(user_name, domain_user_rids[i].name);
429 DEBUG(5,(" = %s\n", user_name));
433 pdb_init_sam(&sampwd);
435 /* ok, it's a user. find the user account */
437 ret = pdb_getsampwrid(sampwd, rid);
441 fstrcpy(user_name, pdb_get_username(sampwd) );
442 DEBUG(5,(" = %s\n", user_name));
443 pdb_free_sam(&sampwd);
447 DEBUG(5,(" none mapped\n"));
448 pdb_free_sam(&sampwd);
449 return NT_STATUS_NONE_MAPPED;
454 /*******************************************************************
455 Look up a local (domain) group name and return a rid
456 ********************************************************************/
457 NTSTATUS local_lookup_group_rid(char *group_name, uint32 *rid)
460 int i = -1; /* start do loop at -1 */
462 do /* find, if it exists, a group rid for the group name*/
465 (*rid) = domain_group_rids[i].rid;
466 grp_name = domain_group_rids[i].name;
468 } while (grp_name != NULL && !strequal(grp_name, group_name));
470 return (grp_name != NULL) ? NT_STATUS_OK : NT_STATUS_NONE_MAPPED;
473 /*******************************************************************
474 Look up a local (BUILTIN) alias name and return a rid
475 ********************************************************************/
476 NTSTATUS local_lookup_alias_rid(char *alias_name, uint32 *rid)
479 int i = -1; /* start do loop at -1 */
481 do /* find, if it exists, a alias rid for the alias name*/
484 (*rid) = builtin_alias_rids[i].rid;
485 als_name = builtin_alias_rids[i].name;
487 } while (als_name != NULL && !strequal(als_name, alias_name));
489 return (als_name != NULL) ? NT_STATUS_OK : NT_STATUS_NONE_MAPPED;
492 /*******************************************************************
493 Look up a local user name and return a rid
494 ********************************************************************/
495 NTSTATUS local_lookup_user_rid(char *user_name, uint32 *rid)
497 SAM_ACCOUNT *sampass=NULL;
502 pdb_init_sam(&sampass);
504 /* find the user account */
506 ret = pdb_getsampwnam(sampass, user_name);
510 (*rid) = pdb_get_user_rid(sampass);
511 pdb_free_sam(&sampass);
515 pdb_free_sam(&sampass);
516 return NT_STATUS_NONE_MAPPED;