import HEAD into svn+ssh://svn.samba.org/home/svn/samba/trunk
[metze/old/v3-2-winbind-ndr.git] / source / rpc_server / srv_util.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell              1992-1998
5  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6  *  Copyright (C) Paul Ashton                  1997-1998.
7  *  
8  *  This program is free software; you can redistribute it and/or modify
9  *  it under the terms of the GNU General Public License as published by
10  *  the Free Software Foundation; either version 2 of the License, or
11  *  (at your option) any later version.
12  *  
13  *  This program is distributed in the hope that it will be useful,
14  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
15  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16  *  GNU General Public License for more details.
17  *  
18  *  You should have received a copy of the GNU General Public License
19  *  along with this program; if not, write to the Free Software
20  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21  */
22
23 /*  this module apparently provides an implementation of DCE/RPC over a
24  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
25  *  documentation are available (in on-line form) from the X-Open group.
26  *
27  *  this module should provide a level of abstraction between SMB
28  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
29  *  data copies, and network traffic.
30  *
31  *  in this version, which takes a "let's learn what's going on and
32  *  get something running" approach, there is additional network
33  *  traffic generated, but the code should be easier to understand...
34  *
35  *  ... if you read the docs.  or stare at packets for weeks on end.
36  *
37  */
38
39 #include "includes.h"
40
41 #undef DBGC_CLASS
42 #define DBGC_CLASS DBGC_RPC_SRV
43
44 /*
45  * A list of the rids of well known BUILTIN and Domain users
46  * and groups.
47  */
48
49 rid_name builtin_alias_rids[] =
50 {  
51     { BUILTIN_ALIAS_RID_ADMINS       , "Administrators" },
52     { BUILTIN_ALIAS_RID_USERS        , "Users" },
53     { BUILTIN_ALIAS_RID_GUESTS       , "Guests" },
54     { BUILTIN_ALIAS_RID_POWER_USERS  , "Power Users" },
55    
56     { BUILTIN_ALIAS_RID_ACCOUNT_OPS  , "Account Operators" },
57     { BUILTIN_ALIAS_RID_SYSTEM_OPS   , "System Operators" },
58     { BUILTIN_ALIAS_RID_PRINT_OPS    , "Print Operators" },
59     { BUILTIN_ALIAS_RID_BACKUP_OPS   , "Backup Operators" },
60     { BUILTIN_ALIAS_RID_REPLICATOR   , "Replicator" },
61     { 0                             , NULL }
62 };
63
64 /* array lookup of well-known Domain RID users. */
65 rid_name domain_user_rids[] =
66 {  
67     { DOMAIN_USER_RID_ADMIN         , "Administrator" },
68     { DOMAIN_USER_RID_GUEST         , "Guest" },
69     { 0                             , NULL }
70 };
71
72 /* array lookup of well-known Domain RID groups. */
73 rid_name domain_group_rids[] =
74 {  
75     { DOMAIN_GROUP_RID_ADMINS       , "Domain Admins" },
76     { DOMAIN_GROUP_RID_USERS        , "Domain Users" },
77     { DOMAIN_GROUP_RID_GUESTS       , "Domain Guests" },
78     { 0                             , NULL }
79 };
80
81 /*******************************************************************
82  gets a domain user's groups
83  ********************************************************************/
84 NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, uint32 **prids, DOM_SID *q_sid)
85 {
86         SAM_ACCOUNT *sam_pass=NULL;
87         int i, cur_rid=0;
88         gid_t gid;
89         gid_t *groups = NULL;
90         int num_groups;
91         GROUP_MAP map;
92         DOM_SID tmp_sid;
93         fstring user_name;
94         fstring str_domsid, str_qsid;
95         uint32 rid,grid;
96         uint32 *rids=NULL, *new_rids=NULL;
97         gid_t winbind_gid_low, winbind_gid_high;
98         BOOL ret;
99         BOOL winbind_groups_exist;
100
101         /*
102          * this code is far from perfect.
103          * first it enumerates the full /etc/group and that can be slow.
104          * second, it works only with users' SIDs
105          * whereas the day we support nested groups, it will have to
106          * support both users's SIDs and domain groups' SIDs
107          *
108          * having our own ldap backend would be so much faster !
109          * we're far from that, but hope one day ;-) JFM.
110          */
111
112         *prids=NULL;
113         *numgroups=0;
114
115         winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high);
116
117
118         DEBUG(10,("get_alias_user_groups: looking if SID %s is a member of groups in the SID domain %s\n", 
119                   sid_to_string(str_qsid, q_sid), sid_to_string(str_domsid, sid)));
120
121         pdb_init_sam(&sam_pass);
122         become_root();
123         ret = pdb_getsampwsid(sam_pass, q_sid);
124         unbecome_root();
125         if (ret == False) {
126                 pdb_free_sam(&sam_pass);
127                 return NT_STATUS_NO_SUCH_USER;
128         }
129
130         fstrcpy(user_name, pdb_get_username(sam_pass));
131         grid=pdb_get_group_rid(sam_pass);
132         if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sam_pass), &gid))) {
133                 /* this should never happen */
134                 DEBUG(2,("get_alias_user_groups: sid_to_gid failed!\n"));
135                 pdb_free_sam(&sam_pass);
136                 return NT_STATUS_UNSUCCESSFUL;
137         }
138
139         become_root();
140         /* on some systems this must run as root */
141         num_groups = getgroups_user(user_name, &groups);        
142         unbecome_root();
143         if (num_groups == -1) {
144                 /* this should never happen */
145                 DEBUG(2,("get_alias_user_groups: getgroups_user failed\n"));
146                 pdb_free_sam(&sam_pass);
147                 return NT_STATUS_UNSUCCESSFUL;
148         }
149
150         for (i=0;i<num_groups;i++) {
151
152                 become_root();
153                 ret = get_group_from_gid(groups[i], &map);
154                 unbecome_root();
155                 
156                 if ( !ret ) {
157                         DEBUG(10,("get_alias_user_groups: gid %d. not found\n", (int)groups[i]));
158                         continue;
159                 }
160                 
161                 /* if it's not an alias, continue */
162                 if (map.sid_name_use != SID_NAME_ALIAS) {
163                         DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
164                         continue;
165                 }
166
167                 sid_copy(&tmp_sid, &map.sid);
168                 sid_split_rid(&tmp_sid, &rid);
169                 
170                 /* if the sid is not in the correct domain, continue */
171                 if (!sid_equal(&tmp_sid, sid)) {
172                         DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name));
173                         continue;
174                 }
175
176                 /* Don't return winbind groups as they are not local! */
177                 if (winbind_groups_exist && (groups[i] >= winbind_gid_low) && (groups[i] <= winbind_gid_high)) {
178                         DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name));
179                         continue;
180                 }
181
182                 /* Don't return user private groups... */
183                 if (Get_Pwnam(map.nt_name) != 0) {
184                         DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name));
185                         continue;                       
186                 }
187                 
188                 new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1));
189                 if (new_rids==NULL) {
190                         DEBUG(10,("get_alias_user_groups: could not realloc memory\n"));
191                         pdb_free_sam(&sam_pass);
192                         free(groups);
193                         return NT_STATUS_NO_MEMORY;
194                 }
195                 rids=new_rids;
196                 
197                 sid_peek_rid(&map.sid, &(rids[cur_rid]));
198                 cur_rid++;
199                 break;
200         }
201
202         if(num_groups) 
203                 free(groups);
204
205         /* now check for the user's gid (the primary group rid) */
206         for (i=0; i<cur_rid && grid!=rids[i]; i++)
207                 ;
208
209         /* the user's gid is already there */
210         if (i!=cur_rid) {
211                 DEBUG(10,("get_alias_user_groups: user is already in the list. good.\n"));
212                 goto done;
213         }
214
215         DEBUG(10,("get_alias_user_groups: looking for gid %d of user %s\n", (int)gid, user_name));
216
217         if(!get_group_from_gid(gid, &map)) {
218                 DEBUG(0,("get_alias_user_groups: gid of user %s doesn't exist. Check your "
219                 "/etc/passwd and /etc/group files\n", user_name));
220                 goto done;
221         }       
222
223         /* the primary group isn't an alias */
224         if (map.sid_name_use!=SID_NAME_ALIAS) {
225                 DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
226                 goto done;
227         }
228
229         sid_copy(&tmp_sid, &map.sid);
230         sid_split_rid(&tmp_sid, &rid);
231
232         /* if the sid is not in the correct domain, continue */
233         if (!sid_equal(&tmp_sid, sid)) {
234                 DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name));
235                 goto done;
236         }
237
238         /* Don't return winbind groups as they are not local! */
239         if (winbind_groups_exist && (gid >= winbind_gid_low) && (gid <= winbind_gid_high)) {
240                 DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name ));
241                 goto done;
242         }
243
244         /* Don't return user private groups... */
245         if (Get_Pwnam(map.nt_name) != 0) {
246                 DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name ));
247                 goto done;                      
248         }
249
250         new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1));
251         if (new_rids==NULL) {
252                 DEBUG(10,("get_alias_user_groups: could not realloc memory\n"));
253                 pdb_free_sam(&sam_pass);
254                 return NT_STATUS_NO_MEMORY;
255         }
256         rids=new_rids;
257
258         sid_peek_rid(&map.sid, &(rids[cur_rid]));
259         cur_rid++;
260
261 done:
262         *prids=rids;
263         *numgroups=cur_rid;
264         pdb_free_sam(&sam_pass);
265
266         return NT_STATUS_OK;
267 }
268
269
270 /*******************************************************************
271  gets a domain user's groups
272  ********************************************************************/
273 BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SAM_ACCOUNT *sam_pass)
274 {
275         GROUP_MAP *map=NULL;
276         int i, num, num_entries, cur_gid=0;
277         struct group *grp;
278         DOM_GID *gids;
279         fstring user_name;
280         uint32 grid;
281         uint32 tmp_rid;
282         BOOL ret;
283
284         *numgroups= 0;
285
286         fstrcpy(user_name, pdb_get_username(sam_pass));
287         grid=pdb_get_group_rid(sam_pass);
288
289         DEBUG(10,("get_domain_user_groups: searching domain groups [%s] is a member of\n", user_name));
290
291         /* we must wrap this is become/unbecome root for ldap backends */
292         
293         become_root();
294         /* first get the list of the domain groups */
295         ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED);
296         
297         unbecome_root();
298
299         /* end wrapper for group enumeration */
300
301         
302         if ( !ret )
303                 return False;
304                 
305         DEBUG(10,("get_domain_user_groups: there are %d mapped groups\n", num_entries));
306
307
308         /* 
309          * alloc memory. In the worse case, we alloc memory for nothing.
310          * but I prefer to alloc for nothing
311          * than reallocing everytime.
312          */
313         gids = (DOM_GID *)talloc(ctx, sizeof(DOM_GID) *  num_entries);  
314
315         /* for each group, check if the user is a member of.  Only include groups 
316            from this domain */
317         
318         for(i=0; i<num_entries; i++) {
319         
320                 if ( !sid_check_is_in_our_domain(&map[i].sid) ) {
321                         DEBUG(10,("get_domain_user_groups: skipping check of %s since it is not in our domain\n",
322                                 map[i].nt_name));
323                         continue;
324                 }
325                         
326                 if ((grp=getgrgid(map[i].gid)) == NULL) {
327                         /* very weird !!! */
328                         DEBUG(5,("get_domain_user_groups: gid %d doesn't exist anymore !\n", (int)map[i].gid));
329                         continue;
330                 }
331
332                 for(num=0; grp->gr_mem[num]!=NULL; num++) {
333                         if(strcmp(grp->gr_mem[num], user_name)==0) {
334                                 /* we found the user, add the group to the list */
335                                 sid_peek_rid(&map[i].sid, &(gids[cur_gid].g_rid));
336                                 gids[cur_gid].attr=7;
337                                 DEBUG(10,("get_domain_user_groups: user found in group %s\n", map[i].nt_name));
338                                 cur_gid++;
339                                 break;
340                         }
341                 }
342         }
343
344         /* we have checked the groups */
345         /* we must now check the gid of the user or the primary group rid, that's the same */
346         for (i=0; i<cur_gid && grid!=gids[i].g_rid; i++)
347                 ;
348         
349         /* the user's gid is already there */
350         if (i!=cur_gid) {
351                 /* 
352                  * the primary group of the user but be the first one in the list
353                  * don't ask ! JFM.
354                  */
355                 gids[i].g_rid=gids[0].g_rid;
356                 gids[0].g_rid=grid;
357                 goto done;
358         }
359
360         for(i=0; i<num_entries; i++) {
361                 sid_peek_rid(&map[i].sid, &tmp_rid);
362                 if (tmp_rid==grid) {
363                         /* 
364                          * the primary group of the user but be the first one in the list
365                          * don't ask ! JFM.
366                          */
367                         gids[cur_gid].g_rid=gids[0].g_rid;
368                         gids[0].g_rid=tmp_rid;
369                         gids[cur_gid].attr=7;
370                         DEBUG(10,("get_domain_user_groups: primary gid of user found in group %s\n", map[i].nt_name));
371                         cur_gid++;
372                         goto done; /* leave the loop early */
373                 }
374         }
375
376         DEBUG(0,("get_domain_user_groups: primary gid of user [%s] is not a Domain group !\n", user_name));
377         DEBUGADD(0,("get_domain_user_groups: You should fix it, NT doesn't like that\n"));
378
379
380  done:
381         *pgids=gids;
382         *numgroups=cur_gid;
383         SAFE_FREE(map);
384
385         return True;
386 }
387
388 /*******************************************************************
389  gets a domain user's groups from their already-calculated NT_USER_TOKEN
390  ********************************************************************/
391 NTSTATUS nt_token_to_group_list(TALLOC_CTX *mem_ctx, const DOM_SID *domain_sid, 
392                                 const NT_USER_TOKEN *nt_token,
393                                 int *numgroups, DOM_GID **pgids) 
394 {
395         DOM_GID *gids;
396         int i;
397
398         gids = (DOM_GID *)talloc(mem_ctx, sizeof(*gids) * nt_token->num_sids);
399
400         if (!gids) {
401                 return NT_STATUS_NO_MEMORY;
402         }
403
404         *numgroups=0;
405
406         for (i=PRIMARY_GROUP_SID_INDEX; i < nt_token->num_sids; i++) {
407                 if (sid_compare_domain(domain_sid, &nt_token->user_sids[i])==0) {
408                         sid_peek_rid(&nt_token->user_sids[i], &(gids[*numgroups].g_rid));
409                         gids[*numgroups].attr=7;
410                         (*numgroups)++;
411                 }
412         }
413         *pgids = gids; 
414         return NT_STATUS_OK;
415 }
416
417 /*******************************************************************
418  Look up a local (domain) rid and return a name and type.
419  ********************************************************************/
420 NTSTATUS local_lookup_group_name(uint32 rid, char *group_name, uint32 *type)
421 {
422         int i = 0; 
423         (*type) = SID_NAME_DOM_GRP;
424
425         DEBUG(5,("lookup_group_name: rid: %d", rid));
426
427         while (domain_group_rids[i].rid != rid && domain_group_rids[i].rid != 0)
428         {
429                 i++;
430         }
431
432         if (domain_group_rids[i].rid != 0)
433         {
434                 fstrcpy(group_name, domain_group_rids[i].name);
435                 DEBUG(5,(" = %s\n", group_name));
436                 return NT_STATUS_OK;
437         }
438
439         DEBUG(5,(" none mapped\n"));
440         return NT_STATUS_NONE_MAPPED;
441 }
442
443 /*******************************************************************
444  Look up a local alias rid and return a name and type.
445  ********************************************************************/
446 NTSTATUS local_lookup_alias_name(uint32 rid, char *alias_name, uint32 *type)
447 {
448         int i = 0; 
449         (*type) = SID_NAME_WKN_GRP;
450
451         DEBUG(5,("lookup_alias_name: rid: %d", rid));
452
453         while (builtin_alias_rids[i].rid != rid && builtin_alias_rids[i].rid != 0)
454         {
455                 i++;
456         }
457
458         if (builtin_alias_rids[i].rid != 0)
459         {
460                 fstrcpy(alias_name, builtin_alias_rids[i].name);
461                 DEBUG(5,(" = %s\n", alias_name));
462                 return NT_STATUS_OK;
463         }
464
465         DEBUG(5,(" none mapped\n"));
466         return NT_STATUS_NONE_MAPPED;
467 }
468
469
470 #if 0 /*Nobody uses this function just now*/
471 /*******************************************************************
472  Look up a local user rid and return a name and type.
473  ********************************************************************/
474 NTSTATUS local_lookup_user_name(uint32 rid, char *user_name, uint32 *type)
475 {
476         SAM_ACCOUNT *sampwd=NULL;
477         int i = 0;
478         BOOL ret;
479         
480         (*type) = SID_NAME_USER;
481
482         DEBUG(5,("lookup_user_name: rid: %d", rid));
483
484         /* look up the well-known domain user rids first */
485         while (domain_user_rids[i].rid != rid && domain_user_rids[i].rid != 0)
486         {
487                 i++;
488         }
489
490         if (domain_user_rids[i].rid != 0) {
491                 fstrcpy(user_name, domain_user_rids[i].name);
492                 DEBUG(5,(" = %s\n", user_name));
493                 return NT_STATUS_OK;
494         }
495
496         pdb_init_sam(&sampwd);
497
498         /* ok, it's a user.  find the user account */
499         become_root();
500         ret = pdb_getsampwrid(sampwd, rid);
501         unbecome_root();
502
503         if (ret == True) {
504                 fstrcpy(user_name, pdb_get_username(sampwd) );
505                 DEBUG(5,(" = %s\n", user_name));
506                 pdb_free_sam(&sampwd);
507                 return NT_STATUS_OK;
508         }
509
510         DEBUG(5,(" none mapped\n"));
511         pdb_free_sam(&sampwd);
512         return NT_STATUS_NONE_MAPPED;
513 }
514
515 #endif
516
517 /*******************************************************************
518  Look up a local (domain) group name and return a rid
519  ********************************************************************/
520 NTSTATUS local_lookup_group_rid(char *group_name, uint32 *rid)
521 {
522         const char *grp_name;
523         int i = -1; /* start do loop at -1 */
524
525         do /* find, if it exists, a group rid for the group name*/
526         {
527                 i++;
528                 (*rid) = domain_group_rids[i].rid;
529                 grp_name = domain_group_rids[i].name;
530
531         } while (grp_name != NULL && !strequal(grp_name, group_name));
532
533         return (grp_name != NULL) ? NT_STATUS_OK : NT_STATUS_NONE_MAPPED;
534 }
535
536 /*******************************************************************
537  Look up a local (BUILTIN) alias name and return a rid
538  ********************************************************************/
539 NTSTATUS local_lookup_alias_rid(const char *alias_name, uint32 *rid)
540 {
541         const char *als_name;
542         int i = -1; /* start do loop at -1 */
543
544         do /* find, if it exists, a alias rid for the alias name*/
545         {
546                 i++;
547                 (*rid) = builtin_alias_rids[i].rid;
548                 als_name = builtin_alias_rids[i].name;
549
550         } while (als_name != NULL && !strequal(als_name, alias_name));
551
552         return (als_name != NULL) ? NT_STATUS_OK : NT_STATUS_NONE_MAPPED;
553 }
554
555 /*******************************************************************
556  Look up a local user name and return a rid
557  ********************************************************************/
558 NTSTATUS local_lookup_user_rid(char *user_name, uint32 *rid)
559 {
560         SAM_ACCOUNT *sampass=NULL;
561         BOOL ret;
562
563         (*rid) = 0;
564
565         pdb_init_sam(&sampass);
566
567         /* find the user account */
568         become_root();
569         ret = pdb_getsampwnam(sampass, user_name);
570         unbecome_root();
571
572         if (ret == True) {
573                 (*rid) = pdb_get_user_rid(sampass);
574                 pdb_free_sam(&sampass);
575                 return NT_STATUS_OK;
576         }
577
578         pdb_free_sam(&sampass);
579         return NT_STATUS_NONE_MAPPED;
580 }