2 * Unix SMB/Netbios implementation.
4 * RPC Pipe client / server routines
5 * Copyright (C) Andrew Tridgell 1992-2000,
6 * Copyright (C) Jean François Micouleau 1998-2001.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 extern DOM_SID global_sam_sid;
27 static TDB_CONTEXT *tdb; /* used for driver files */
29 #define DATABASE_VERSION 1
30 #define GROUP_PREFIX "UNIXGROUP/"
33 {SE_PRIV_NONE, "no_privs", "No privilege"},
34 {SE_PRIV_ADD_USERS, "add_users", "add users"},
35 {SE_PRIV_ADD_MACHINES, "add_computers", "add computers to domain"},
36 {SE_PRIV_PRINT_OPERATOR, "print_op", "printer operator"},
37 {SE_PRIV_ALL, "all_privs", "all privileges"}
41 { 2, "SeCreateTokenPrivilege" },
42 { 3, "SeAssignPrimaryTokenPrivilege" },
43 { 4, "SeLockMemoryPrivilege" },
44 { 5, "SeIncreaseQuotaPrivilege" },
45 { 6, "SeMachineAccountPrivilege" },
46 { 7, "SeTcbPrivilege" },
47 { 8, "SeSecurityPrivilege" },
48 { 9, "SeTakeOwnershipPrivilege" },
49 { 10, "SeLoadDriverPrivilege" },
50 { 11, "SeSystemProfilePrivilege" },
51 { 12, "SeSystemtimePrivilege" },
52 { 13, "SeProfileSingleProcessPrivilege" },
53 { 14, "SeIncreaseBasePriorityPrivilege" },
54 { 15, "SeCreatePagefilePrivilege" },
55 { 16, "SeCreatePermanentPrivilege" },
56 { 17, "SeBackupPrivilege" },
57 { 18, "SeRestorePrivilege" },
58 { 19, "SeShutdownPrivilege" },
59 { 20, "SeDebugPrivilege" },
60 { 21, "SeAuditPrivilege" },
61 { 22, "SeSystemEnvironmentPrivilege" },
62 { 23, "SeChangeNotifyPrivilege" },
63 { 24, "SeRemoteShutdownPrivilege" },
68 /****************************************************************************
69 check if the user has the required privilege.
70 ****************************************************************************/
71 static BOOL se_priv_access_check(NT_USER_TOKEN *token, uint32 privilege)
73 /* no token, no privilege */
77 if ((token->privilege & privilege)==privilege)
84 /****************************************************************************
85 dump the mapping group mapping to a text file
86 ****************************************************************************/
87 char *decode_sid_name_use(fstring group, enum SID_NAME_USE name_use)
89 static fstring group_type;
93 fstrcpy(group_type,"User");
95 case SID_NAME_DOM_GRP:
96 fstrcpy(group_type,"Domain group");
99 fstrcpy(group_type,"Domain");
102 fstrcpy(group_type,"Local group");
104 case SID_NAME_WKN_GRP:
105 fstrcpy(group_type,"Builtin group");
107 case SID_NAME_DELETED:
108 fstrcpy(group_type,"Deleted");
110 case SID_NAME_INVALID:
111 fstrcpy(group_type,"Invalid");
113 case SID_NAME_UNKNOWN:
115 fstrcpy(group_type,"Unknown type");
119 fstrcpy(group, group_type);
123 /****************************************************************************
124 open the group mapping tdb
125 ****************************************************************************/
126 BOOL init_group_mapping(void)
128 static pid_t local_pid;
129 char *vstring = "INFO/version";
131 if (tdb && local_pid == sys_getpid()) return True;
132 tdb = tdb_open_log(lock_path("group_mapping.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
134 DEBUG(0,("Failed to open group mapping database\n"));
138 local_pid = sys_getpid();
140 /* handle a Samba upgrade */
141 tdb_lock_bystring(tdb, vstring);
142 if (tdb_fetch_int(tdb, vstring) != DATABASE_VERSION) {
143 tdb_traverse(tdb, (tdb_traverse_func)tdb_delete, NULL);
144 tdb_store_int(tdb, vstring, DATABASE_VERSION);
146 tdb_unlock_bystring(tdb, vstring);
152 /****************************************************************************
153 ****************************************************************************/
154 BOOL add_mapping_entry(GROUP_MAP *map, int flag)
158 fstring string_sid="";
161 sid_to_string(string_sid, &map->sid);
163 len = tdb_pack(buf, sizeof(buf), "ddffd",
164 map->gid, map->sid_name_use, map->nt_name, map->comment, map->privilege);
166 if (len > sizeof(buf)) return False;
168 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
170 kbuf.dsize = strlen(key)+1;
174 if (tdb_store(tdb, kbuf, dbuf, flag) != 0) return False;
179 /****************************************************************************
180 initialise first time the mapping list
181 ****************************************************************************/
182 BOOL add_initial_entry(gid_t gid, fstring sid, enum SID_NAME_USE sid_name_use,
183 fstring nt_name, fstring comment, uint32 privilege)
188 string_to_sid(&map.sid, sid);
189 map.sid_name_use=sid_name_use;
190 fstrcpy(map.nt_name, nt_name);
191 fstrcpy(map.comment, comment);
192 map.privilege=privilege;
194 add_mapping_entry(&map, TDB_INSERT);
199 /****************************************************************************
200 initialise first time the mapping list
201 ****************************************************************************/
202 BOOL default_group_mapping(void)
212 /* Add the Wellknown groups */
214 add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", SE_PRIV_ALL);
215 add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", SE_PRIV_NONE);
216 add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", SE_PRIV_NONE);
217 add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", SE_PRIV_NONE);
219 add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", SE_PRIV_NONE);
220 add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", SE_PRIV_NONE);
221 add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", SE_PRIV_PRINT_OPERATOR);
222 add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", SE_PRIV_NONE);
224 add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", SE_PRIV_NONE);
226 /* Add the defaults domain groups */
228 sid_copy(&sid_admins, &global_sam_sid);
229 sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS);
230 sid_to_string(str_admins, &sid_admins);
231 add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", SE_PRIV_ALL);
233 sid_copy(&sid_users, &global_sam_sid);
234 sid_append_rid(&sid_users, DOMAIN_GROUP_RID_USERS);
235 sid_to_string(str_users, &sid_users);
236 add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "", SE_PRIV_NONE);
238 sid_copy(&sid_guests, &global_sam_sid);
239 sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS);
240 sid_to_string(str_guests, &sid_guests);
241 add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", SE_PRIV_NONE);
247 /****************************************************************************
248 return the sid and the type of the unix group
249 ****************************************************************************/
250 BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
257 /* the key is the SID, retrieving is direct */
259 sid_to_string(string_sid, &sid);
260 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
263 kbuf.dsize = strlen(key)+1;
265 dbuf = tdb_fetch(tdb, kbuf);
266 if (!dbuf.dptr) return False;
268 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
269 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->privilege);
271 SAFE_FREE(dbuf.dptr);
272 if (ret != dbuf.dsize) {
273 DEBUG(0,("get_group_map_from_sid: mapping TDB corrupted ?\n"));
277 sid_copy(&map->sid, &sid);
283 /****************************************************************************
284 return the sid and the type of the unix group
285 ****************************************************************************/
286 BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map)
288 TDB_DATA kbuf, dbuf, newkey;
292 /* we need to enumerate the TDB to find the GID */
294 for (kbuf = tdb_firstkey(tdb);
296 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
298 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue;
300 dbuf = tdb_fetch(tdb, kbuf);
301 if (!dbuf.dptr) continue;
303 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
305 string_to_sid(&map->sid, string_sid);
307 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
308 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->privilege);
310 SAFE_FREE(dbuf.dptr);
311 if (ret != dbuf.dsize) continue;
320 /****************************************************************************
321 return the sid and the type of the unix group
322 ****************************************************************************/
323 BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map)
325 TDB_DATA kbuf, dbuf, newkey;
329 /* we need to enumerate the TDB to find the GID */
331 for (kbuf = tdb_firstkey(tdb);
333 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
335 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue;
337 dbuf = tdb_fetch(tdb, kbuf);
338 if (!dbuf.dptr) continue;
340 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
342 string_to_sid(&map->sid, string_sid);
344 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
345 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->privilege);
347 SAFE_FREE(dbuf.dptr);
348 if (ret != dbuf.dsize) continue;
350 if (StrCaseCmp(name, map->nt_name)==0)
358 /****************************************************************************
359 enumerate the group mapping
360 ****************************************************************************/
361 BOOL group_map_remove(DOM_SID sid)
367 /* the key is the SID, retrieving is direct */
369 sid_to_string(string_sid, &sid);
370 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
373 kbuf.dsize = strlen(key)+1;
375 dbuf = tdb_fetch(tdb, kbuf);
376 if (!dbuf.dptr) return False;
378 SAFE_FREE(dbuf.dptr);
380 if(tdb_delete(tdb, kbuf) != TDB_SUCCESS)
387 /****************************************************************************
388 enumerate the group mapping
389 ****************************************************************************/
390 BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
391 int *num_entries, BOOL unix_only)
393 TDB_DATA kbuf, dbuf, newkey;
404 for (kbuf = tdb_firstkey(tdb);
406 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
408 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0)
411 dbuf = tdb_fetch(tdb, kbuf);
415 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
417 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
418 &map.gid, &map.sid_name_use, &map.nt_name, &map.comment, &map.privilege);
420 SAFE_FREE(dbuf.dptr);
421 if (ret != dbuf.dsize)
424 /* list only the type or everything if UNKNOWN */
425 if (sid_name_use!=SID_NAME_UNKNOWN && sid_name_use!=map.sid_name_use)
428 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1)
431 string_to_sid(&map.sid, string_sid);
433 decode_sid_name_use(group_type, map.sid_name_use);
435 mapt=(GROUP_MAP *)Realloc((*rmap), (entries+1)*sizeof(GROUP_MAP));
437 DEBUG(0,("enum_group_mapping: Unable to enlarge group map!\n"));
443 mapt[entries].gid = map.gid;
444 sid_copy( &mapt[entries].sid, &map.sid);
445 mapt[entries].sid_name_use = map.sid_name_use;
446 fstrcpy(mapt[entries].nt_name, map.nt_name);
447 fstrcpy(mapt[entries].comment, map.comment);
448 mapt[entries].privilege = map.privilege;
453 *num_entries=entries;
458 /****************************************************************************
459 convert a privilege list to a privilege value
460 ****************************************************************************/
461 void convert_priv_from_text(uint32 *se_priv, char *privilege)
467 /* By default no privilege */
473 while(next_token(&p, tok, " ", sizeof(tok)) ) {
474 for (i=0; i<=PRIV_ALL_INDEX; i++) {
475 if (StrCaseCmp(privs[i].priv, tok)==0)
476 (*se_priv)+=privs[i].se_priv;
481 /****************************************************************************
482 convert a privilege value to a privilege list
483 ****************************************************************************/
484 void convert_priv_to_text(uint32 se_priv, char *privilege)
491 ZERO_STRUCTP(privilege);
493 if (se_priv==SE_PRIV_NONE) {
494 fstrcat(privilege, privs[0].priv);
498 if (se_priv==SE_PRIV_ALL) {
499 fstrcat(privilege, privs[PRIV_ALL_INDEX].priv);
503 for (i=1; privs[i].se_priv!=SE_PRIV_ALL; i++) {
504 if ( (se_priv & privs[i].se_priv) == privs[i].se_priv) {
505 fstrcat(privilege, privs[i].priv);
506 fstrcat(privilege, " ");
514 * High level functions
515 * better to use them than the lower ones.
517 * we are checking if the group is in the mapping file
518 * and if the group is an existing unix group
522 /* get a domain group from it's SID */
524 BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map)
528 DEBUG(10, ("get_domain_group_from_sid\n"));
530 /* if the group is NOT in the database, it CAN NOT be a domain group */
531 if(!get_group_map_from_sid(sid, map))
534 DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n"));
536 /* if it's not a domain group, continue */
537 if (map->sid_name_use!=SID_NAME_DOM_GRP)
540 DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n"));
545 DEBUG(10, ("get_domain_group_from_sid: SID is mapped to gid:%d\n",map->gid));
547 if ( (grp=getgrgid(map->gid)) == NULL)
550 DEBUG(10, ("get_domain_group_from_sid: gid exists in UNIX security\n"));
556 /* get a local (alias) group from it's SID */
558 BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map)
562 /* The group is in the mapping table */
563 if(get_group_map_from_sid(sid, map)) {
564 if (map->sid_name_use!=SID_NAME_ALIAS)
570 if ( (grp=getgrgid(map->gid)) == NULL)
573 /* the group isn't in the mapping table.
574 * make one based on the unix information */
577 sid_peek_rid(&sid, &alias_rid);
578 map->gid=pdb_user_rid_to_gid(alias_rid);
580 if ((grp=getgrgid(map->gid)) == NULL)
583 map->sid_name_use=SID_NAME_ALIAS;
585 fstrcpy(map->nt_name, grp->gr_name);
586 fstrcpy(map->comment, "Local Unix Group");
588 map->privilege=SE_PRIV_NONE;
590 sid_copy(&map->sid, &sid);
596 /* get a builtin group from it's SID */
598 BOOL get_builtin_group_from_sid(DOM_SID sid, GROUP_MAP *map)
602 if(!get_group_map_from_sid(sid, map))
605 if (map->sid_name_use!=SID_NAME_WKN_GRP)
611 if ( (grp=getgrgid(map->gid)) == NULL)
619 /****************************************************************************
620 Returns a GROUP_MAP struct based on the gid.
621 ****************************************************************************/
622 BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map)
626 if ( (grp=getgrgid(gid)) == NULL)
630 * make a group map from scratch if doesn't exist.
632 if (!get_group_map_from_gid(gid, map)) {
634 map->sid_name_use=SID_NAME_ALIAS;
635 map->privilege=SE_PRIV_NONE;
637 sid_copy(&map->sid, &global_sam_sid);
638 sid_append_rid(&map->sid, pdb_gid_to_group_rid(gid));
640 fstrcpy(map->nt_name, grp->gr_name);
641 fstrcpy(map->comment, "Local Unix Group");
650 /****************************************************************************
651 Get the member users of a group and
652 all the users who have that group as primary.
654 give back an array of uid
655 return the grand number of users
658 TODO: sort the list and remove duplicate. JFM.
660 ****************************************************************************/
662 BOOL get_uid_list_of_group(gid_t gid, uid_t **uid, int *num_uids)
673 if ( (grp=getgrgid(gid)) == NULL)
677 DEBUG(10, ("getting members\n"));
679 while (gr && (*gr != (char)'\0')) {
680 u = Realloc((*uid), sizeof(uid_t)*(*num_uids+1));
682 DEBUG(0,("get_uid_list_of_group: unable to enlarge uid list!\n"));
687 if( (pwd=getpwnam(gr)) !=NULL) {
688 (*uid)[*num_uids]=pwd->pw_uid;
691 gr = grp->gr_mem[++i];
693 DEBUG(10, ("got [%d] members\n", *num_uids));
696 while ((pwd=getpwent()) != NULL) {
697 if (pwd->pw_gid==gid) {
698 u = Realloc((*uid), sizeof(uid_t)*(*num_uids+1));
700 DEBUG(0,("get_uid_list_of_group: unable to enlarge uid list!\n"));
704 (*uid)[*num_uids]=pwd->pw_uid;
710 DEBUG(10, ("got primary groups, members: [%d]\n", *num_uids));
715 /****************************************************************************
716 Create a UNIX group on demand.
717 ****************************************************************************/
719 int smb_create_group(char *unix_group)
724 pstrcpy(add_script, lp_addgroup_script());
725 if (! *add_script) return -1;
726 pstring_sub(add_script, "%g", unix_group);
727 ret = smbrun(add_script,NULL);
728 DEBUG(3,("smb_create_group: Running the command `%s' gave %d\n",add_script,ret));
732 /****************************************************************************
733 Delete a UNIX group on demand.
734 ****************************************************************************/
736 int smb_delete_group(char *unix_group)
741 pstrcpy(del_script, lp_delgroup_script());
742 if (! *del_script) return -1;
743 pstring_sub(del_script, "%g", unix_group);
744 ret = smbrun(del_script,NULL);
745 DEBUG(3,("smb_delete_group: Running the command `%s' gave %d\n",del_script,ret));
749 /****************************************************************************
750 Create a UNIX group on demand.
751 ****************************************************************************/
753 int smb_add_user_group(char *unix_group, char *unix_user)
758 pstrcpy(add_script, lp_addusertogroup_script());
759 if (! *add_script) return -1;
760 pstring_sub(add_script, "%g", unix_group);
761 pstring_sub(add_script, "%u", unix_user);
762 ret = smbrun(add_script,NULL);
763 DEBUG(3,("smb_add_user_group: Running the command `%s' gave %d\n",add_script,ret));
767 /****************************************************************************
768 Delete a UNIX group on demand.
769 ****************************************************************************/
771 int smb_delete_user_group(char *unix_group, char *unix_user)
776 pstrcpy(del_script, lp_deluserfromgroup_script());
777 if (! *del_script) return -1;
778 pstring_sub(del_script, "%g", unix_group);
779 pstring_sub(del_script, "%u", unix_user);
780 ret = smbrun(del_script,NULL);
781 DEBUG(3,("smb_delete_user_group: Running the command `%s' gave %d\n",del_script,ret));