source3/winbindd/wb_group_members.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    async lookupgroupmembers
   4    Copyright (C) Volker Lendecke 2009
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "winbindd.h"
  22 #include "librpc/gen_ndr/ndr_wbint_c.h"
  23 #include "../librpc/gen_ndr/ndr_security.h"
  24 #include "../libcli/security/security.h"
  25
  26 /*
  27  * We have 3 sets of routines here:
  28  *
  29  * wb_lookupgroupmem is the low-level one-group routine
  30  *
  31  * wb_groups_members walks a list of groups
  32  *
  33  * wb_group_members finally is the high-level routine expanding groups
  34  * recursively
  35  */
  36
  37 /*
  38  * TODO: fill_grent_mem_domusers must be re-added
  39  */
  40
  41 /*
  42  * Look up members of a single group. Essentially a wrapper around the
  43  * lookup_groupmem winbindd_methods routine.
  44  */
  45
  46 struct wb_lookupgroupmem_state {
  47         struct dom_sid sid;
  48         struct wbint_Principals members;
  49 };
  50
  51 static void wb_lookupgroupmem_done(struct tevent_req *subreq);
  52
  53 static struct tevent_req *wb_lookupgroupmem_send(TALLOC_CTX *mem_ctx,
  54                                                  struct tevent_context *ev,
  55                                                  const struct dom_sid *group_sid,
  56                                                  enum lsa_SidType type)
  57 {
  58         struct tevent_req *req, *subreq;
  59         struct wb_lookupgroupmem_state *state;
  60         struct winbindd_domain *domain;
  61
  62         req = tevent_req_create(mem_ctx, &state,
  63                                 struct wb_lookupgroupmem_state);
  64         if (req == NULL) {
  65                 return NULL;
  66         }
  67         sid_copy(&state->sid, group_sid);
  68
  69         domain = find_domain_from_sid_noinit(group_sid);
  70         if (domain == NULL) {
  71                 tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
  72                 return tevent_req_post(req, ev);
  73         }
  74
  75         subreq = dcerpc_wbint_LookupGroupMembers_send(
  76                 state, ev, dom_child_handle(domain), &state->sid, type,
  77                 &state->members);
  78         if (tevent_req_nomem(subreq, req)) {
  79                 return tevent_req_post(req, ev);
  80         }
  81         tevent_req_set_callback(subreq, wb_lookupgroupmem_done, req);
  82         return req;
  83 }
  84
  85 static void wb_lookupgroupmem_done(struct tevent_req *subreq)
  86 {
  87         struct tevent_req *req = tevent_req_callback_data(
  88                 subreq, struct tevent_req);
  89         struct wb_lookupgroupmem_state *state = tevent_req_data(
  90                 req, struct wb_lookupgroupmem_state);
  91         NTSTATUS status, result;
  92
  93         status = dcerpc_wbint_LookupGroupMembers_recv(subreq, state, &result);
  94         TALLOC_FREE(subreq);
  95         if (any_nt_status_not_ok(status, result, &status)) {
  96                 tevent_req_nterror(req, status);
  97                 return;
  98         }
  99         tevent_req_done(req);
 100 }
 101
 102 static NTSTATUS wb_lookupgroupmem_recv(struct tevent_req *req,
 103                                            TALLOC_CTX *mem_ctx,
 104                                            int *num_members,
 105                                            struct wbint_Principal **members)
 106 {
 107         struct wb_lookupgroupmem_state *state = tevent_req_data(
 108                 req, struct wb_lookupgroupmem_state);
 109         NTSTATUS status;
 110
 111         if (tevent_req_is_nterror(req, &status)) {
 112                 return status;
 113         }
 114
 115         *num_members = state->members.num_principals;
 116         *members = talloc_move(mem_ctx, &state->members.principals);
 117         return NT_STATUS_OK;
 118 }
 119
 120 /*
 121  * Same as wb_lookupgroupmem for a list of groups
 122  */
 123
 124 struct wb_groups_members_state {
 125         struct tevent_context *ev;
 126         struct wbint_Principal *groups;
 127         int num_groups;
 128         int next_group;
 129         struct wbint_Principal *all_members;
 130 };
 131
 132 static NTSTATUS wb_groups_members_next_subreq(
 133         struct wb_groups_members_state *state,
 134         TALLOC_CTX *mem_ctx, struct tevent_req **psubreq);
 135 static void wb_groups_members_done(struct tevent_req *subreq);
 136
 137 static struct tevent_req *wb_groups_members_send(TALLOC_CTX *mem_ctx,
 138                                                  struct tevent_context *ev,
 139                                                  int num_groups,
 140                                                  struct wbint_Principal *groups)
 141 {
 142         struct tevent_req *req, *subreq;
 143         struct wb_groups_members_state *state;
 144         NTSTATUS status;
 145
 146         req = tevent_req_create(mem_ctx, &state,
 147                                 struct wb_groups_members_state);
 148         if (req == NULL) {
 149                 return NULL;
 150         }
 151         state->ev = ev;
 152         state->groups = groups;
 153         state->num_groups = num_groups;
 154         state->next_group = 0;
 155         state->all_members = NULL;
 156
 157         status = wb_groups_members_next_subreq(state, state, &subreq);
 158         if (tevent_req_nterror(req, status)) {
 159                 return tevent_req_post(req, ev);
 160         }
 161         if (subreq == NULL) {
 162                 tevent_req_done(req);
 163                 return tevent_req_post(req, ev);
 164         }
 165         tevent_req_set_callback(subreq, wb_groups_members_done, req);
 166         return req;
 167 }
 168
 169 static NTSTATUS wb_groups_members_next_subreq(
 170         struct wb_groups_members_state *state,
 171         TALLOC_CTX *mem_ctx, struct tevent_req **psubreq)
 172 {
 173         struct tevent_req *subreq;
 174         struct wbint_Principal *g;
 175
 176         if (state->next_group >= state->num_groups) {
 177                 *psubreq = NULL;
 178                 return NT_STATUS_OK;
 179         }
 180
 181         g = &state->groups[state->next_group];
 182         state->next_group += 1;
 183
 184         subreq = wb_lookupgroupmem_send(mem_ctx, state->ev, &g->sid, g->type);
 185         if (subreq == NULL) {
 186                 return NT_STATUS_NO_MEMORY;
 187         }
 188         *psubreq = subreq;
 189         return NT_STATUS_OK;
 190 }
 191
 192 static void wb_groups_members_done(struct tevent_req *subreq)
 193 {
 194         struct tevent_req *req = tevent_req_callback_data(
 195                 subreq, struct tevent_req);
 196         struct wb_groups_members_state *state = tevent_req_data(
 197                 req, struct wb_groups_members_state);
 198         int i, num_all_members;
 199         int num_members = 0;
 200         struct wbint_Principal *members = NULL;
 201         NTSTATUS status;
 202
 203         status = wb_lookupgroupmem_recv(subreq, state, &num_members,
 204                                             &members);
 205         TALLOC_FREE(subreq);
 206
 207         /*
 208          * In this error handling here we might have to be a bit more generous
 209          * and just continue if an error occured.
 210          */
 211
 212         if (!NT_STATUS_IS_OK(status)) {
 213                 if (!NT_STATUS_EQUAL(
 214                             status, NT_STATUS_TRUSTED_DOMAIN_FAILURE)) {
 215                         tevent_req_nterror(req, status);
 216                         return;
 217                 }
 218                 num_members = 0;
 219         }
 220
 221         num_all_members = talloc_array_length(state->all_members);
 222
 223         state->all_members = talloc_realloc(
 224                 state, state->all_members, struct wbint_Principal,
 225                 num_all_members + num_members);
 226         if ((num_all_members + num_members != 0)
 227             && tevent_req_nomem(state->all_members, req)) {
 228                 return;
 229         }
 230         for (i=0; i<num_members; i++) {
 231                 struct wbint_Principal *src, *dst;
 232                 src = &members[i];
 233                 dst = &state->all_members[num_all_members + i];
 234                 sid_copy(&dst->sid, &src->sid);
 235                 dst->name = talloc_move(state->all_members, &src->name);
 236                 dst->type = src->type;
 237         }
 238         TALLOC_FREE(members);
 239
 240         status = wb_groups_members_next_subreq(state, state, &subreq);
 241         if (tevent_req_nterror(req, status)) {
 242                 return;
 243         }
 244         if (subreq == NULL) {
 245                 tevent_req_done(req);
 246                 return;
 247         }
 248         tevent_req_set_callback(subreq, wb_groups_members_done, req);
 249 }
 250
 251 static NTSTATUS wb_groups_members_recv(struct tevent_req *req,
 252                                        TALLOC_CTX *mem_ctx,
 253                                        int *num_members,
 254                                        struct wbint_Principal **members)
 255 {
 256         struct wb_groups_members_state *state = tevent_req_data(
 257                 req, struct wb_groups_members_state);
 258         NTSTATUS status;
 259
 260         if (tevent_req_is_nterror(req, &status)) {
 261                 return status;
 262         }
 263         *num_members = talloc_array_length(state->all_members);
 264         *members = talloc_move(mem_ctx, &state->all_members);
 265         return NT_STATUS_OK;
 266 }
 267
 268
 269 /*
 270  * This is the routine expanding a list of groups up to a certain level. We
 271  * collect the users in a talloc_dict: We have to add them without duplicates,
 272  * and talloc_dict is an indexed (here indexed by SID) data structure.
 273  */
 274
 275 struct wb_group_members_state {
 276         struct tevent_context *ev;
 277         int depth;
 278         struct talloc_dict *users;
 279         struct wbint_Principal *groups;
 280 };
 281
 282 static NTSTATUS wb_group_members_next_subreq(
 283         struct wb_group_members_state *state,
 284         TALLOC_CTX *mem_ctx, struct tevent_req **psubreq);
 285 static void wb_group_members_done(struct tevent_req *subreq);
 286
 287 struct tevent_req *wb_group_members_send(TALLOC_CTX *mem_ctx,
 288                                          struct tevent_context *ev,
 289                                          const struct dom_sid *sid,
 290                                          enum lsa_SidType type,
 291                                          int max_depth)
 292 {
 293         struct tevent_req *req, *subreq;
 294         struct wb_group_members_state *state;
 295         NTSTATUS status;
 296
 297         req = tevent_req_create(mem_ctx, &state,
 298                                 struct wb_group_members_state);
 299         if (req == NULL) {
 300                 return NULL;
 301         }
 302         state->ev = ev;
 303         state->depth = max_depth;
 304         state->users = talloc_dict_init(state);
 305         if (tevent_req_nomem(state->users, req)) {
 306                 return tevent_req_post(req, ev);
 307         }
 308
 309         state->groups = talloc(state, struct wbint_Principal);
 310         if (tevent_req_nomem(state->groups, req)) {
 311                 return tevent_req_post(req, ev);
 312         }
 313         state->groups->name = NULL;
 314         sid_copy(&state->groups->sid, sid);
 315         state->groups->type = type;
 316
 317         status = wb_group_members_next_subreq(state, state, &subreq);
 318         if (tevent_req_nterror(req, status)) {
 319                 return tevent_req_post(req, ev);
 320         }
 321         if (subreq == NULL) {
 322                 tevent_req_done(req);
 323                 return tevent_req_post(req, ev);
 324         }
 325         tevent_req_set_callback(subreq, wb_group_members_done, req);
 326         return req;
 327 }
 328
 329 static NTSTATUS wb_group_members_next_subreq(
 330         struct wb_group_members_state *state,
 331         TALLOC_CTX *mem_ctx, struct tevent_req **psubreq)
 332 {
 333         struct tevent_req *subreq;
 334
 335         if ((talloc_array_length(state->groups) == 0)
 336             || (state->depth <= 0)) {
 337                 *psubreq = NULL;
 338                 return NT_STATUS_OK;
 339         }
 340         state->depth -= 1;
 341
 342         subreq = wb_groups_members_send(
 343                 mem_ctx, state->ev, talloc_array_length(state->groups),
 344                 state->groups);
 345         if (subreq == NULL) {
 346                 return NT_STATUS_NO_MEMORY;
 347         }
 348         *psubreq = subreq;
 349         return NT_STATUS_OK;
 350 }
 351
 352 static void wb_group_members_done(struct tevent_req *subreq)
 353 {
 354         struct tevent_req *req = tevent_req_callback_data(
 355                 subreq, struct tevent_req);
 356         struct wb_group_members_state *state = tevent_req_data(
 357                 req, struct wb_group_members_state);
 358         int i, num_groups, new_groups;
 359         int num_members = 0;
 360         struct wbint_Principal *members = NULL;
 361         NTSTATUS status;
 362
 363         status = wb_groups_members_recv(subreq, state, &num_members, &members);
 364         TALLOC_FREE(subreq);
 365         if (tevent_req_nterror(req, status)) {
 366                 return;
 367         }
 368
 369         new_groups = 0;
 370         for (i=0; i<num_members; i++) {
 371                 switch (members[i].type) {
 372                 case SID_NAME_DOM_GRP:
 373                 case SID_NAME_ALIAS:
 374                 case SID_NAME_WKN_GRP:
 375                         new_groups += 1;
 376                         break;
 377                 default:
 378                         /* Ignore everything else */
 379                         break;
 380                 }
 381         }
 382
 383         num_groups = 0;
 384         TALLOC_FREE(state->groups);
 385         state->groups = talloc_array(state, struct wbint_Principal,
 386                                      new_groups);
 387
 388         /*
 389          * Collect the users into state->users and the groups into
 390          * state->groups for the next iteration.
 391          */
 392
 393         for (i=0; i<num_members; i++) {
 394                 switch (members[i].type) {
 395                 case SID_NAME_USER:
 396                 case SID_NAME_COMPUTER: {
 397                         /*
 398                          * Add a copy of members[i] to state->users
 399                          */
 400                         struct wbint_Principal *m;
 401                         struct dom_sid *sid;
 402                         DATA_BLOB key;
 403
 404                         m = talloc(talloc_tos(), struct wbint_Principal);
 405                         if (tevent_req_nomem(m, req)) {
 406                                 return;
 407                         }
 408                         sid_copy(&m->sid, &members[i].sid);
 409                         m->name = talloc_move(m, &members[i].name);
 410                         m->type = members[i].type;
 411
 412                         sid = &members[i].sid;
 413                         key = data_blob_const(
 414                                 sid, ndr_size_dom_sid(sid, 0));
 415
 416                         if (!talloc_dict_set(state->users, key, &m)) {
 417                                 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
 418                                 return;
 419                         }
 420                         break;
 421                 }
 422                 case SID_NAME_DOM_GRP:
 423                 case SID_NAME_ALIAS:
 424                 case SID_NAME_WKN_GRP: {
 425                         struct wbint_Principal *g;
 426                         /*
 427                          * Save members[i] for the next round
 428                          */
 429                         g = &state->groups[num_groups];
 430                         sid_copy(&g->sid, &members[i].sid);
 431                         g->name = talloc_move(state->groups, &members[i].name);
 432                         g->type = members[i].type;
 433                         num_groups += 1;
 434                         break;
 435                 }
 436                 default:
 437                         /* Ignore everything else */
 438                         break;
 439                 }
 440         }
 441
 442         status = wb_group_members_next_subreq(state, state, &subreq);
 443         if (tevent_req_nterror(req, status)) {
 444                 return;
 445         }
 446         if (subreq == NULL) {
 447                 tevent_req_done(req);
 448                 return;
 449         }
 450         tevent_req_set_callback(subreq, wb_group_members_done, req);
 451 }
 452
 453 NTSTATUS wb_group_members_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
 454                                struct talloc_dict **members)
 455 {
 456         struct wb_group_members_state *state = tevent_req_data(
 457                 req, struct wb_group_members_state);
 458         NTSTATUS status;
 459
 460         if (tevent_req_is_nterror(req, &status)) {
 461                 return status;
 462         }
 463         *members = talloc_move(mem_ctx, &state->users);
 464         return NT_STATUS_OK;
 465 }