2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-1998
6 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7 * Copyright (C) Paul Ashton 1997-1998.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 /* this module apparently provides an implementation of DCE/RPC over a
25 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
26 * documentation are available (in on-line form) from the X-Open group.
28 * this module should provide a level of abstraction between SMB
29 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
30 * data copies, and network traffic.
32 * in this version, which takes a "let's learn what's going on and
33 * get something running" approach, there is additional network
34 * traffic generated, but the code should be easier to understand...
36 * ... if you read the docs. or stare at packets for weeks on end.
43 * A list of the rids of well known BUILTIN and Domain users
47 rid_name builtin_alias_rids[] =
49 { BUILTIN_ALIAS_RID_ADMINS , "Administrators" },
50 { BUILTIN_ALIAS_RID_USERS , "Users" },
51 { BUILTIN_ALIAS_RID_GUESTS , "Guests" },
52 { BUILTIN_ALIAS_RID_POWER_USERS , "Power Users" },
54 { BUILTIN_ALIAS_RID_ACCOUNT_OPS , "Account Operators" },
55 { BUILTIN_ALIAS_RID_SYSTEM_OPS , "System Operators" },
56 { BUILTIN_ALIAS_RID_PRINT_OPS , "Print Operators" },
57 { BUILTIN_ALIAS_RID_BACKUP_OPS , "Backup Operators" },
58 { BUILTIN_ALIAS_RID_REPLICATOR , "Replicator" },
62 /* array lookup of well-known Domain RID users. */
63 rid_name domain_user_rids[] =
65 { DOMAIN_USER_RID_ADMIN , "Administrator" },
66 { DOMAIN_USER_RID_GUEST , "Guest" },
70 /* array lookup of well-known Domain RID groups. */
71 rid_name domain_group_rids[] =
73 { DOMAIN_GROUP_RID_ADMINS , "Domain Admins" },
74 { DOMAIN_GROUP_RID_USERS , "Domain Users" },
75 { DOMAIN_GROUP_RID_GUESTS , "Domain Guests" },
79 /*******************************************************************
80 gets a domain user's groups
81 ********************************************************************/
82 NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, uint32 **prids, DOM_SID *q_sid)
84 SAM_ACCOUNT *sam_pass=NULL;
86 struct sys_grent *glist;
87 struct sys_grent *grp;
88 int i, num, cur_rid=0;
93 fstring str_domsid, str_qsid;
95 uint32 *rids=NULL, *new_rids=NULL;
99 * this code is far from perfect.
100 * first it enumerates the full /etc/group and that can be slow.
101 * second, it works only with users' SIDs
102 * whereas the day we support nested groups, it will have to
103 * support both users's SIDs and domain groups' SIDs
105 * having our own ldap backend would be so much faster !
106 * we're far from that, but hope one day ;-) JFM.
112 sep = lp_winbind_separator();
115 DEBUG(10,("get_alias_user_groups: looking if SID %s is a member of groups in the SID domain %s\n",
116 sid_to_string(str_qsid, q_sid), sid_to_string(str_domsid, sid)));
118 sid_peek_rid(q_sid, &rid);
120 pdb_init_sam(&sam_pass);
122 ret = pdb_getsampwrid(sam_pass, rid);
125 pdb_free_sam(&sam_pass);
126 return NT_STATUS_NO_SUCH_USER;
129 fstrcpy(user_name, pdb_get_username(sam_pass));
130 grid=pdb_get_group_rid(sam_pass);
131 gid=pdb_get_gid(sam_pass);
133 grp = glist = getgrent_list();
135 pdb_free_sam(&sam_pass);
136 return NT_STATUS_NO_MEMORY;
139 for (; grp != NULL; grp = grp->next) {
140 if(!get_group_from_gid(grp->gr_gid, &map, MAPPING_WITHOUT_PRIV)) {
141 DEBUG(10,("get_alias_user_groups: gid %d. not found\n", (int)grp->gr_gid));
145 /* if it's not an alias, continue */
146 if (map.sid_name_use!=SID_NAME_ALIAS) {
147 DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
151 sid_copy(&tmp_sid, &map.sid);
152 sid_split_rid(&tmp_sid, &rid);
154 /* if the sid is not in the correct domain, continue */
155 if (!sid_equal(&tmp_sid, sid)) {
156 DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name));
160 /* Don't return winbind groups as they are not local! */
161 if (strchr_m(map.nt_name, *sep) != NULL) {
162 DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name));
166 /* Don't return user private groups... */
167 if (Get_Pwnam(map.nt_name) != 0) {
168 DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name));
172 /* the group is fine, we can check if there is the user we're looking for */
173 DEBUG(10,("get_alias_user_groups: checking if the user is a member of %s.\n", map.nt_name));
175 for(num=0; grp->gr_mem[num]!=NULL; num++) {
176 if(strcmp(grp->gr_mem[num], user_name)==0) {
177 /* we found the user, add the group to the list */
179 new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1));
180 if (new_rids==NULL) {
181 DEBUG(10,("get_alias_user_groups: could not realloc memory\n"));
182 pdb_free_sam(&sam_pass);
183 return NT_STATUS_NO_MEMORY;
187 sid_peek_rid(&map.sid, &(rids[cur_rid]));
188 DEBUG(10,("get_alias_user_groups: user found in group %s\n", map.nt_name));
197 /* now check for the user's gid (the primary group rid) */
198 for (i=0; i<cur_rid && grid!=rids[i]; i++)
201 /* the user's gid is already there */
203 DEBUG(10,("get_alias_user_groups: user is already in the list. good.\n"));
207 DEBUG(10,("get_alias_user_groups: looking for gid %d of user %s\n", (int)*gid, user_name));
209 if(!get_group_from_gid(*gid, &map, MAPPING_WITHOUT_PRIV)) {
210 DEBUG(0,("get_alias_user_groups: gid of user %s doesn't exist. Check your /etc/passwd and /etc/group files\n", user_name));
214 /* the primary group isn't an alias */
215 if (map.sid_name_use!=SID_NAME_ALIAS) {
216 DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
220 sid_copy(&tmp_sid, &map.sid);
221 sid_split_rid(&tmp_sid, &rid);
223 /* if the sid is not in the correct domain, continue */
224 if (!sid_equal(&tmp_sid, sid)) {
225 DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name));
229 /* Don't return winbind groups as they are not local! */
230 if (strchr_m(map.nt_name, *sep) != NULL) {
231 DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name ));
235 /* Don't return user private groups... */
236 if (Get_Pwnam(map.nt_name) != 0) {
237 DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name ));
241 new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1));
242 if (new_rids==NULL) {
243 DEBUG(10,("get_alias_user_groups: could not realloc memory\n"));
244 pdb_free_sam(&sam_pass);
245 return NT_STATUS_NO_MEMORY;
249 sid_peek_rid(&map.sid, &(rids[cur_rid]));
255 pdb_free_sam(&sam_pass);
261 /*******************************************************************
262 gets a domain user's groups
263 ********************************************************************/
264 BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SAM_ACCOUNT *sam_pass)
267 int i, num, num_entries, cur_gid=0;
276 fstrcpy(user_name, pdb_get_username(sam_pass));
277 grid=pdb_get_group_rid(sam_pass);
279 DEBUG(10,("get_domain_user_groups: searching domain groups [%s] is a member of\n", user_name));
281 /* first get the list of the domain groups */
282 if (!enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV))
284 DEBUG(10,("get_domain_user_groups: there are %d mapped groups\n", num_entries));
287 * alloc memory. In the worse case, we alloc memory for nothing.
288 * but I prefer to alloc for nothing
289 * than reallocing everytime.
291 gids = (DOM_GID *)talloc(ctx, sizeof(DOM_GID) * num_entries);
293 /* for each group, check if the user is a member of*/
294 for(i=0; i<num_entries; i++) {
295 if ((grp=getgrgid(map[i].gid)) == NULL) {
297 DEBUG(5,("get_domain_user_groups: gid %d doesn't exist anymore !\n", (int)map[i].gid));
301 for(num=0; grp->gr_mem[num]!=NULL; num++) {
302 if(strcmp(grp->gr_mem[num], user_name)==0) {
303 /* we found the user, add the group to the list */
304 sid_peek_rid(&map[i].sid, &(gids[cur_gid].g_rid));
305 gids[cur_gid].attr=7;
306 DEBUG(10,("get_domain_user_groups: user found in group %s\n", map[i].nt_name));
313 /* we have checked the groups */
314 /* we must now check the gid of the user or the primary group rid, that's the same */
315 for (i=0; i<cur_gid && grid!=gids[i].g_rid; i++)
318 /* the user's gid is already there */
321 * the primary group of the user but be the first one in the list
324 gids[i].g_rid=gids[0].g_rid;
329 for(i=0; i<num_entries; i++) {
330 sid_peek_rid(&map[i].sid, &tmp_rid);
333 * the primary group of the user but be the first one in the list
336 gids[cur_gid].g_rid=gids[0].g_rid;
337 gids[0].g_rid=tmp_rid;
338 gids[cur_gid].attr=7;
339 DEBUG(10,("get_domain_user_groups: primary gid of user found in group %s\n", map[i].nt_name));
341 goto done; /* leave the loop early */
345 DEBUG(0,("get_domain_user_groups: primary gid of user [%s] is not a Domain group !\n", user_name));
346 DEBUGADD(0,("get_domain_user_groups: You should fix it, NT doesn't like that\n"));
356 /*******************************************************************
357 Look up a local (domain) rid and return a name and type.
358 ********************************************************************/
359 NTSTATUS local_lookup_group_name(uint32 rid, char *group_name, uint32 *type)
362 (*type) = SID_NAME_DOM_GRP;
364 DEBUG(5,("lookup_group_name: rid: %d", rid));
366 while (domain_group_rids[i].rid != rid && domain_group_rids[i].rid != 0)
371 if (domain_group_rids[i].rid != 0)
373 fstrcpy(group_name, domain_group_rids[i].name);
374 DEBUG(5,(" = %s\n", group_name));
378 DEBUG(5,(" none mapped\n"));
379 return NT_STATUS_NONE_MAPPED;
382 /*******************************************************************
383 Look up a local alias rid and return a name and type.
384 ********************************************************************/
385 NTSTATUS local_lookup_alias_name(uint32 rid, char *alias_name, uint32 *type)
388 (*type) = SID_NAME_WKN_GRP;
390 DEBUG(5,("lookup_alias_name: rid: %d", rid));
392 while (builtin_alias_rids[i].rid != rid && builtin_alias_rids[i].rid != 0)
397 if (builtin_alias_rids[i].rid != 0)
399 fstrcpy(alias_name, builtin_alias_rids[i].name);
400 DEBUG(5,(" = %s\n", alias_name));
404 DEBUG(5,(" none mapped\n"));
405 return NT_STATUS_NONE_MAPPED;
408 /*******************************************************************
409 Look up a local user rid and return a name and type.
410 ********************************************************************/
411 NTSTATUS local_lookup_user_name(uint32 rid, char *user_name, uint32 *type)
413 SAM_ACCOUNT *sampwd=NULL;
417 (*type) = SID_NAME_USER;
419 DEBUG(5,("lookup_user_name: rid: %d", rid));
421 /* look up the well-known domain user rids first */
422 while (domain_user_rids[i].rid != rid && domain_user_rids[i].rid != 0)
427 if (domain_user_rids[i].rid != 0) {
428 fstrcpy(user_name, domain_user_rids[i].name);
429 DEBUG(5,(" = %s\n", user_name));
433 pdb_init_sam(&sampwd);
435 /* ok, it's a user. find the user account */
437 ret = pdb_getsampwrid(sampwd, rid);
441 fstrcpy(user_name, pdb_get_username(sampwd) );
442 DEBUG(5,(" = %s\n", user_name));
443 pdb_free_sam(&sampwd);
447 DEBUG(5,(" none mapped\n"));
448 pdb_free_sam(&sampwd);
449 return NT_STATUS_NONE_MAPPED;
452 /*******************************************************************
453 Look up a local (domain) group name and return a rid
454 ********************************************************************/
455 NTSTATUS local_lookup_group_rid(char *group_name, uint32 *rid)
458 int i = -1; /* start do loop at -1 */
460 do /* find, if it exists, a group rid for the group name*/
463 (*rid) = domain_group_rids[i].rid;
464 grp_name = domain_group_rids[i].name;
466 } while (grp_name != NULL && !strequal(grp_name, group_name));
468 return (grp_name != NULL) ? NT_STATUS_OK : NT_STATUS_NONE_MAPPED;
471 /*******************************************************************
472 Look up a local (BUILTIN) alias name and return a rid
473 ********************************************************************/
474 NTSTATUS local_lookup_alias_rid(char *alias_name, uint32 *rid)
477 int i = -1; /* start do loop at -1 */
479 do /* find, if it exists, a alias rid for the alias name*/
482 (*rid) = builtin_alias_rids[i].rid;
483 als_name = builtin_alias_rids[i].name;
485 } while (als_name != NULL && !strequal(als_name, alias_name));
487 return (als_name != NULL) ? NT_STATUS_OK : NT_STATUS_NONE_MAPPED;
490 /*******************************************************************
491 Look up a local user name and return a rid
492 ********************************************************************/
493 NTSTATUS local_lookup_user_rid(char *user_name, uint32 *rid)
495 SAM_ACCOUNT *sampass=NULL;
500 pdb_init_sam(&sampass);
502 /* find the user account */
504 ret = pdb_getsampwnam(sampass, user_name);
508 (*rid) = pdb_get_user_rid(sampass);
509 pdb_free_sam(&sampass);
513 pdb_free_sam(&sampass);
514 return NT_STATUS_NONE_MAPPED;