2 Unix SMB/Netbios implementation.
4 Samba utility functions
5 Copyright (C) Andrew Tridgell 1992-1998
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 extern int DEBUGLEVEL;
27 extern pstring global_myname;
30 * This is set on startup - it defines the SID for this
31 * machine, and therefore the SAM database for which it is
35 DOM_SID global_sam_sid;
38 * This is the name associated with the SAM database for
39 * which this machine is responsible. In the case of a PDC
40 * or PDC, this name is the same as the workgroup. In the
41 * case of "security = domain" mode, this is the same as
42 * the name of the server (global_myname).
45 fstring global_sam_name;
48 * This is obtained on startup - it defines the SID for which
49 * this machine is a member. It is therefore only set, and
50 * used, in "security = domain" mode.
53 DOM_SID global_member_sid;
56 * note the lack of a "global_member_name" - this is because
57 * this is the same as "global_myworkgroup".
60 extern fstring global_myworkgroup;
61 /* fstring global_member_dom_name; */
67 DOM_SID global_sid_S_1_5_20; /* local well-known domain */
68 DOM_SID global_sid_S_1_1; /* everyone */
69 DOM_SID global_sid_S_1_3; /* Creator Owner */
70 DOM_SID global_sid_S_1_5; /* NT Authority */
72 static struct sid_name_map_info
80 { &global_sid_S_1_5_20, "BUILTIN" },
81 { &global_sid_S_1_1 , "Everyone" },
82 { &global_sid_S_1_3 , "Creator Owner" },
83 { &global_sid_S_1_5 , "NT Authority" },
84 { &global_sam_sid , global_sam_name },
85 { &global_member_sid , global_myworkgroup },
89 /****************************************************************************
90 Read the machine SID from a file.
91 ****************************************************************************/
93 static BOOL read_sid_from_file(int fd, char *sid_file)
98 memset(fline, '\0', sizeof(fline));
100 if (read(fd, fline, sizeof(fline) -1 ) < 0) {
101 DEBUG(0,("unable to read file %s. Error was %s\n",
102 sid_file, strerror(errno) ));
107 * Convert to the machine SID.
110 fline[sizeof(fline)-1] = '\0';
111 if (!string_to_sid( &global_sam_sid, fline)) {
112 DEBUG(0,("unable to generate machine SID.\n"));
116 sid_to_string(sid_str, &global_sam_sid);
117 DEBUG(5,("read_sid_from_file: sid %s\n", sid_str));
122 /****************************************************************************
123 sets up the name associated with the SAM database for which we are responsible
124 ****************************************************************************/
125 void get_sam_domain_name(void)
127 switch (lp_server_role())
129 case ROLE_DOMAIN_PDC:
130 case ROLE_DOMAIN_BDC:
132 /* we are PDC (or BDC) for a Domain */
133 fstrcpy(global_sam_name, lp_workgroup());
136 case ROLE_DOMAIN_MEMBER:
138 /* we are a "PDC", but FOR LOCAL SAM DATABASE ONLY */
139 fstrcpy(global_sam_name, global_myname);
144 /* no domain role, probably due to "security = share" */
145 memset(global_sam_name, 0, sizeof(global_sam_name));
151 /****************************************************************************
152 obtain the sid from the PDC. do some verification along the way...
153 ****************************************************************************/
154 BOOL get_member_domain_sid(void)
158 struct cli_state cli;
165 switch (lp_server_role())
167 case ROLE_DOMAIN_NONE:
169 ZERO_STRUCT(global_member_sid);
172 case ROLE_DOMAIN_PDC:
174 sid_copy(&global_member_sid, &global_sam_sid);
179 /* member or BDC, we're going for connection to PDC */
184 if (!cli_connect_serverlist(&cli, lp_passwordserver()))
186 DEBUG(0,("get_member_domain_sid: unable to initialise client connection.\n"));
191 * Ok - we have an anonymous connection to the IPC$ share.
192 * Now start the NT Domain stuff :-).
200 fstrcpy(srv_name, "\\\\");
201 fstrcat(srv_name, global_myname);
204 /* open LSARPC session. */
205 res = res ? cli_nt_session_open(&cli, PIPE_LSARPC) : False;
207 /* lookup domain controller; receive a policy handle */
208 res = res ? do_lsa_open_policy(&cli, srv_name, &pol, False) : False;
210 /* send client info query, level 3. receive domain name and sid */
211 res = res ? do_lsa_query_info_pol(&cli, &pol, 3, dom3, &sid3) : False;
213 /* send client info query, level 5. receive domain name and sid */
214 res = res ? do_lsa_query_info_pol(&cli, &pol, 5, dom5, &sid5) : False;
216 /* close policy handle */
217 res = res ? do_lsa_close(&cli, &pol) : False;
219 /* close the session */
220 cli_nt_session_close(&cli);
227 DEBUG(2,("LSA Query Info Policy\n"));
228 sid_to_string(sid, &sid3);
229 DEBUG(2,("Domain Member - Domain: %s SID: %s\n", dom3, sid));
230 sid_to_string(sid, &sid5);
231 DEBUG(2,("Domain Controller - Domain: %s SID: %s\n", dom5, sid));
233 if (!strequal(dom3, global_myworkgroup) ||
234 !strequal(dom5, global_myworkgroup))
236 DEBUG(0,("get_member_domain_sid: %s is a DC for %s not %s\n",
237 cli.desthost, dom5, global_myworkgroup));
243 DEBUG(1,("lsa query info failed\n"));
248 DEBUG(0,("get_member_domain_sid: unable to obtain Domain member SID\n"));
252 /* this is a _lot_ of trouble to go to for just this info: */
253 global_member_sid = sid5;
259 /****************************************************************************
260 creates some useful well known sids
261 ****************************************************************************/
262 void generate_wellknown_sids(void)
264 string_to_sid(&global_sid_S_1_5_20, "S-1-5-32");
265 string_to_sid(&global_sid_S_1_1 , "S-1-1" );
266 string_to_sid(&global_sid_S_1_3 , "S-1-3" );
267 string_to_sid(&global_sid_S_1_5 , "S-1-5" );
270 /****************************************************************************
271 Generate the global machine sid. Look for the DOMAINNAME.SID file first, if
272 not found then look in smb.conf and use it to create the DOMAINNAME.SID file.
273 ****************************************************************************/
274 BOOL generate_sam_sid(char *domain_name)
283 uchar raw_sid_data[12];
285 pstrcpy(sid_file, lp_smb_passwd_file());
287 if (sid_file[0] == 0)
289 DEBUG(0,("cannot find smb passwd file\n"));
293 p = strrchr(sid_file, '/');
299 if (!directory_exist(sid_file, NULL)) {
300 if (dos_mkdir(sid_file, 0700) != 0) {
301 DEBUG(0,("can't create private directory %s : %s\n",
302 sid_file, strerror(errno)));
307 slprintf(file_name, sizeof(file_name)-1, "%s.SID", domain_name);
309 pstrcat(sid_file, file_name);
311 if ((fd = sys_open(sid_file, O_RDWR | O_CREAT, 0644)) == -1) {
312 DEBUG(0,("unable to open or create file %s. Error was %s\n",
313 sid_file, strerror(errno) ));
318 * Check if the file contains data.
321 if (sys_fstat( fd, &st) < 0) {
322 DEBUG(0,("unable to stat file %s. Error was %s\n",
323 sid_file, strerror(errno) ));
328 if (st.st_size > 0) {
330 * We have a valid SID - read it.
332 if (!read_sid_from_file( fd, sid_file)) {
333 DEBUG(0,("unable to read file %s. Error was %s\n",
334 sid_file, strerror(errno) ));
343 * Generate the new sid data & turn it into a string.
345 generate_random_buffer( raw_sid_data, 12, True);
347 fstrcpy( sid_string, "S-1-5-21");
348 for( i = 0; i < 3; i++) {
350 slprintf( tmp_string, sizeof(tmp_string) - 1, "-%u", IVAL(raw_sid_data, i*4));
351 fstrcat( sid_string, tmp_string);
354 fstrcat(sid_string, "\n");
357 * Ensure our new SID is valid.
360 if (!string_to_sid( &global_sam_sid, sid_string)) {
361 DEBUG(0,("unable to generate machine SID.\n"));
366 * Do an exclusive blocking lock on the file.
369 if (!do_file_lock( fd, 60, F_WRLCK)) {
370 DEBUG(0,("unable to lock file %s. Error was %s\n",
371 sid_file, strerror(errno) ));
377 * At this point we have a blocking lock on the SID
378 * file - check if in the meantime someone else wrote
379 * SID data into the file. If so - they were here first,
383 if (sys_fstat( fd, &st) < 0) {
384 DEBUG(0,("unable to stat file %s. Error was %s\n",
385 sid_file, strerror(errno) ));
390 if (st.st_size > 0) {
392 * Unlock as soon as possible to reduce
393 * contention on the exclusive lock.
395 do_file_lock( fd, 60, F_UNLCK);
398 * We have a valid SID - read it.
401 if (!read_sid_from_file( fd, sid_file)) {
402 DEBUG(0,("unable to read file %s. Error was %s\n",
403 sid_file, strerror(errno) ));
412 * The file is still empty and we have an exlusive lock on it.
413 * Write out out SID data into the file.
416 if (fchmod(fd, 0644) < 0) {
417 DEBUG(0,("unable to set correct permissions on file %s. \
418 Error was %s\n", sid_file, strerror(errno) ));
423 if (write( fd, sid_string, strlen(sid_string)) != strlen(sid_string)) {
424 DEBUG(0,("unable to write file %s. Error was %s\n",
425 sid_file, strerror(errno) ));
434 do_file_lock( fd, 60, F_UNLCK);
439 /**************************************************************************
440 turns a domain name into a SID.
442 *** side-effect: if the domain name is NULL, it is set to our domain ***
444 ***************************************************************************/
445 BOOL map_domain_name_to_sid(DOM_SID *sid, char **nt_domain)
449 if (nt_domain == NULL)
451 sid_copy(sid, &global_sam_sid);
455 if ((*nt_domain) == NULL)
457 DEBUG(5,("map_domain_name_to_sid: overriding NULL name to %s\n",
459 (*nt_domain) = strdup(global_sam_name);
460 sid_copy(sid, &global_sam_sid);
464 if ((*nt_domain)[0] == 0)
467 (*nt_domain) = strdup(global_sam_name);
468 DEBUG(5,("map_domain_name_to_sid: overriding blank name to %s\n",
470 sid_copy(sid, &global_sam_sid);
474 DEBUG(5,("map_domain_name_to_sid: %s\n", (*nt_domain)));
476 while (sid_name_map[i].name != NULL)
478 DEBUG(5,("compare: %s\n", sid_name_map[i].name));
479 if (strequal(sid_name_map[i].name, (*nt_domain)))
482 sid_copy(sid, sid_name_map[i].sid);
483 sid_to_string(sid_str, sid_name_map[i].sid);
484 DEBUG(5,("found %s\n", sid_str));
490 DEBUG(0,("map_domain_name_to_sid: mapping to %s NOT IMPLEMENTED\n",
495 /**************************************************************************
496 turns a domain SID into a name.
498 ***************************************************************************/
499 BOOL map_domain_sid_to_name(DOM_SID *sid, char *nt_domain)
503 sid_to_string(sid_str, sid);
505 DEBUG(5,("map_domain_sid_to_name: %s\n", sid_str));
507 if (nt_domain == NULL)
512 while (sid_name_map[i].sid != NULL)
514 sid_to_string(sid_str, sid_name_map[i].sid);
515 DEBUG(5,("compare: %s\n", sid_str));
516 if (sid_equal(sid_name_map[i].sid, sid))
518 fstrcpy(nt_domain, sid_name_map[i].name);
519 DEBUG(5,("found %s\n", nt_domain));
525 DEBUG(0,("map_domain_sid_to_name: mapping NOT IMPLEMENTED\n"));
530 /**************************************************************************
531 splits a name of format \DOMAIN\name into its two components.
532 sets the DOMAIN name to global_sam_name if it has not been specified.
533 ***************************************************************************/
534 BOOL split_domain_name(char *fullname, char *domain, char *name)
539 if (fullname == NULL || domain == NULL || name == NULL)
544 if (fullname[0] == '\\')
548 fstrcpy(full_name, fullname);
549 p = strchr(full_name+1, '\\');
554 fstrcpy(domain, full_name);
559 fstrcpy(domain, global_sam_name);
560 fstrcpy(name, full_name);
563 DEBUG(5,("name '%s' split into '%s\\%s'\n", fullname, domain, name));
git.samba.org / nivanova / samba-autobuild / .git / blob