s3-secrets: only include secrets.h when needed.
[nivanova/samba-autobuild/.git] / source3 / passdb / lookup_sid.c
1 /* 
2    Unix SMB/CIFS implementation.
3    uid/user handling
4    Copyright (C) Andrew Tridgell         1992-1998
5    Copyright (C) Gerald (Jerry) Carter   2003
6    Copyright (C) Volker Lendecke         2005
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "../librpc/gen_ndr/ndr_security.h"
24 #include "secrets.h"
25
26 /*****************************************************************
27  Dissect a user-provided name into domain, name, sid and type.
28
29  If an explicit domain name was given in the form domain\user, it
30  has to try that. If no explicit domain name was given, we have
31  to do guesswork.
32 *****************************************************************/  
33
34 bool lookup_name(TALLOC_CTX *mem_ctx,
35                  const char *full_name, int flags,
36                  const char **ret_domain, const char **ret_name,
37                  struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
38 {
39         char *p;
40         const char *tmp;
41         const char *domain = NULL;
42         const char *name = NULL;
43         uint32 rid;
44         struct dom_sid sid;
45         enum lsa_SidType type;
46         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
47
48         if (tmp_ctx == NULL) {
49                 DEBUG(0, ("talloc_new failed\n"));
50                 return false;
51         }
52
53         p = strchr_m(full_name, '\\');
54
55         if (p != NULL) {
56                 domain = talloc_strndup(tmp_ctx, full_name,
57                                         PTR_DIFF(p, full_name));
58                 name = talloc_strdup(tmp_ctx, p+1);
59         } else {
60                 domain = talloc_strdup(tmp_ctx, "");
61                 name = talloc_strdup(tmp_ctx, full_name);
62         }
63
64         if ((domain == NULL) || (name == NULL)) {
65                 DEBUG(0, ("talloc failed\n"));
66                 TALLOC_FREE(tmp_ctx);
67                 return false;
68         }
69
70         DEBUG(10,("lookup_name: %s => domain=[%s], name=[%s]\n",
71                 full_name, domain, name));
72         DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
73
74         if ((flags & LOOKUP_NAME_DOMAIN) &&
75             strequal(domain, get_global_sam_name()))
76         {
77
78                 /* It's our own domain, lookup the name in passdb */
79                 if (lookup_global_sam_name(name, flags, &rid, &type)) {
80                         sid_compose(&sid, get_global_sam_sid(), rid);
81                         goto ok;
82                 }
83                 TALLOC_FREE(tmp_ctx);
84                 return false;
85         }
86
87         if ((flags & LOOKUP_NAME_BUILTIN) &&
88             strequal(domain, builtin_domain_name()))
89         {
90                 if (strlen(name) == 0) {
91                         /* Swap domain and name */
92                         tmp = name; name = domain; domain = tmp;
93                         sid_copy(&sid, &global_sid_Builtin);
94                         type = SID_NAME_DOMAIN;
95                         goto ok;
96                 }
97
98                 /* Explicit request for a name in BUILTIN */
99                 if (lookup_builtin_name(name, &rid)) {
100                         sid_compose(&sid, &global_sid_Builtin, rid);
101                         type = SID_NAME_ALIAS;
102                         goto ok;
103                 }
104                 TALLOC_FREE(tmp_ctx);
105                 return false;
106         }
107
108         /* Try the explicit winbind lookup first, don't let it guess the
109          * domain yet at this point yet. This comes later. */
110
111         if ((domain[0] != '\0') &&
112             (flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) &&
113             (winbind_lookup_name(domain, name, &sid, &type))) {
114                         goto ok;
115         }
116
117         if (((flags & LOOKUP_NAME_NO_NSS) == 0)
118             && strequal(domain, unix_users_domain_name())) {
119                 if (lookup_unix_user_name(name, &sid)) {
120                         type = SID_NAME_USER;
121                         goto ok;
122                 }
123                 TALLOC_FREE(tmp_ctx);
124                 return false;
125         }
126
127         if (((flags & LOOKUP_NAME_NO_NSS) == 0)
128             && strequal(domain, unix_groups_domain_name())) {
129                 if (lookup_unix_group_name(name, &sid)) {
130                         type = SID_NAME_DOM_GRP;
131                         goto ok;
132                 }
133                 TALLOC_FREE(tmp_ctx);
134                 return false;
135         }
136
137         if ((domain[0] == '\0') && (!(flags & LOOKUP_NAME_ISOLATED))) {
138                 TALLOC_FREE(tmp_ctx);
139                 return false;
140         }
141
142         /* Now the guesswork begins, we haven't been given an explicit
143          * domain. Try the sequence as documented on
144          * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
145          * November 27, 2005 */
146
147         /* 1. well-known names */
148
149         if ((flags & LOOKUP_NAME_WKN) &&
150             lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
151         {
152                 type = SID_NAME_WKN_GRP;
153                 goto ok;
154         }
155
156         /* 2. Builtin domain as such */
157
158         if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) &&
159             strequal(name, builtin_domain_name()))
160         {
161                 /* Swap domain and name */
162                 tmp = name; name = domain; domain = tmp;
163                 sid_copy(&sid, &global_sid_Builtin);
164                 type = SID_NAME_DOMAIN;
165                 goto ok;
166         }
167
168         /* 3. Account domain */
169
170         if ((flags & LOOKUP_NAME_DOMAIN) &&
171             strequal(name, get_global_sam_name()))
172         {
173                 if (!secrets_fetch_domain_sid(name, &sid)) {
174                         DEBUG(3, ("Could not fetch my SID\n"));
175                         TALLOC_FREE(tmp_ctx);
176                         return false;
177                 }
178                 /* Swap domain and name */
179                 tmp = name; name = domain; domain = tmp;
180                 type = SID_NAME_DOMAIN;
181                 goto ok;
182         }
183
184         /* 4. Primary domain */
185
186         if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC &&
187             strequal(name, lp_workgroup()))
188         {
189                 if (!secrets_fetch_domain_sid(name, &sid)) {
190                         DEBUG(3, ("Could not fetch the domain SID\n"));
191                         TALLOC_FREE(tmp_ctx);
192                         return false;
193                 }
194                 /* Swap domain and name */
195                 tmp = name; name = domain; domain = tmp;
196                 type = SID_NAME_DOMAIN;
197                 goto ok;
198         }
199
200         /* 5. Trusted domains as such, to me it looks as if members don't do
201               this, tested an XP workstation in a NT domain -- vl */
202
203         if ((flags & LOOKUP_NAME_REMOTE) && IS_DC &&
204             (pdb_get_trusteddom_pw(name, NULL, &sid, NULL)))
205         {
206                 /* Swap domain and name */
207                 tmp = name; name = domain; domain = tmp;
208                 type = SID_NAME_DOMAIN;
209                 goto ok;
210         }
211
212         /* 6. Builtin aliases */        
213
214         if ((flags & LOOKUP_NAME_BUILTIN) &&
215             lookup_builtin_name(name, &rid))
216         {
217                 domain = talloc_strdup(tmp_ctx, builtin_domain_name());
218                 sid_compose(&sid, &global_sid_Builtin, rid);
219                 type = SID_NAME_ALIAS;
220                 goto ok;
221         }
222
223         /* 7. Local systems' SAM (DCs don't have a local SAM) */
224         /* 8. Primary SAM (On members, this is the domain) */
225
226         /* Both cases are done by looking at our passdb */
227
228         if ((flags & LOOKUP_NAME_DOMAIN) &&
229             lookup_global_sam_name(name, flags, &rid, &type))
230         {
231                 domain = talloc_strdup(tmp_ctx, get_global_sam_name());
232                 sid_compose(&sid, get_global_sam_sid(), rid);
233                 goto ok;
234         }
235
236         /* Now our local possibilities are exhausted. */
237
238         if (!(flags & LOOKUP_NAME_REMOTE)) {
239                 TALLOC_FREE(tmp_ctx);
240                 return false;
241         }
242
243         /* If we are not a DC, we have to ask in our primary domain. Let
244          * winbind do that. */
245
246         if (!IS_DC &&
247             (winbind_lookup_name(lp_workgroup(), name, &sid, &type))) {
248                 domain = talloc_strdup(tmp_ctx, lp_workgroup());
249                 goto ok;
250         }
251
252         /* 9. Trusted domains */
253
254         /* If we're a DC we have to ask all trusted DC's. Winbind does not do
255          * that (yet), but give it a chance. */
256
257         if (IS_DC && winbind_lookup_name("", name, &sid, &type)) {
258                 struct dom_sid dom_sid;
259                 uint32 tmp_rid;
260                 enum lsa_SidType domain_type;
261                 
262                 if (type == SID_NAME_DOMAIN) {
263                         /* Swap name and type */
264                         tmp = name; name = domain; domain = tmp;
265                         goto ok;
266                 }
267
268                 /* Here we have to cope with a little deficiency in the
269                  * winbind API: We have to ask it again for the name of the
270                  * domain it figured out itself. Maybe fix that later... */
271
272                 sid_copy(&dom_sid, &sid);
273                 sid_split_rid(&dom_sid, &tmp_rid);
274
275                 if (!winbind_lookup_sid(tmp_ctx, &dom_sid, &domain, NULL,
276                                         &domain_type) ||
277                     (domain_type != SID_NAME_DOMAIN)) {
278                         DEBUG(2, ("winbind could not find the domain's name "
279                                   "it just looked up for us\n"));
280                         TALLOC_FREE(tmp_ctx);
281                         return false;
282                 }
283                 goto ok;
284         }
285
286         /* 10. Don't translate */
287
288         /* 11. Ok, windows would end here. Samba has two more options:
289                Unmapped users and unmapped groups */
290
291         if (((flags & LOOKUP_NAME_NO_NSS) == 0)
292             && lookup_unix_user_name(name, &sid)) {
293                 domain = talloc_strdup(tmp_ctx, unix_users_domain_name());
294                 type = SID_NAME_USER;
295                 goto ok;
296         }
297
298         if (((flags & LOOKUP_NAME_NO_NSS) == 0)
299             && lookup_unix_group_name(name, &sid)) {
300                 domain = talloc_strdup(tmp_ctx, unix_groups_domain_name());
301                 type = SID_NAME_DOM_GRP;
302                 goto ok;
303         }
304
305         /*
306          * Ok, all possibilities tried. Fail.
307          */
308
309         TALLOC_FREE(tmp_ctx);
310         return false;
311
312  ok:
313         if ((domain == NULL) || (name == NULL)) {
314                 DEBUG(0, ("talloc failed\n"));
315                 TALLOC_FREE(tmp_ctx);
316                 return false;
317         }
318
319         /*
320          * Hand over the results to the talloc context we've been given.
321          */
322
323         if ((ret_name != NULL) &&
324             !(*ret_name = talloc_strdup(mem_ctx, name))) {
325                 DEBUG(0, ("talloc failed\n"));
326                 TALLOC_FREE(tmp_ctx);
327                 return false;
328         }
329
330         if (ret_domain != NULL) {
331                 char *tmp_dom;
332                 if (!(tmp_dom = talloc_strdup(mem_ctx, domain))) {
333                         DEBUG(0, ("talloc failed\n"));
334                         TALLOC_FREE(tmp_ctx);
335                         return false;
336                 }
337                 strupper_m(tmp_dom);
338                 *ret_domain = tmp_dom;
339         }
340
341         if (ret_sid != NULL) {
342                 sid_copy(ret_sid, &sid);
343         }
344
345         if (ret_type != NULL) {
346                 *ret_type = type;
347         }
348
349         TALLOC_FREE(tmp_ctx);
350         return true;
351 }
352
353 /************************************************************************
354  Names from smb.conf can be unqualified. eg. valid users = foo
355  These names should never map to a remote name. Try global_sam_name()\foo,
356  and then "Unix Users"\foo (or "Unix Groups"\foo).
357 ************************************************************************/
358
359 bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
360                  const char *full_name, int flags,
361                  const char **ret_domain, const char **ret_name,
362                  struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
363 {
364         char *qualified_name;
365         const char *p;
366
367         /* NB. No winbindd_separator here as lookup_name needs \\' */
368         if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
369
370                 /* The name is already qualified with a domain. */
371
372                 if (*lp_winbind_separator() != '\\') {
373                         char *tmp;
374
375                         /* lookup_name() needs '\\' as a separator */
376
377                         tmp = talloc_strdup(mem_ctx, full_name);
378                         if (!tmp) {
379                                 return false;
380                         }
381                         tmp[p - full_name] = '\\';
382                         full_name = tmp;
383                 }
384
385                 return lookup_name(mem_ctx, full_name, flags,
386                                 ret_domain, ret_name,
387                                 ret_sid, ret_type);
388         }
389
390         /* Try with our own SAM name. */
391         qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
392                                 get_global_sam_name(),
393                                 full_name );
394         if (!qualified_name) {
395                 return false;
396         }
397
398         if (lookup_name(mem_ctx, qualified_name, flags,
399                                 ret_domain, ret_name,
400                                 ret_sid, ret_type)) {
401                 return true;
402         }
403         
404         /* Finally try with "Unix Users" or "Unix Group" */
405         qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
406                                 flags & LOOKUP_NAME_GROUP ?
407                                         unix_groups_domain_name() :
408                                         unix_users_domain_name(),
409                                 full_name );
410         if (!qualified_name) {
411                 return false;
412         }
413
414         return lookup_name(mem_ctx, qualified_name, flags,
415                                 ret_domain, ret_name,
416                                 ret_sid, ret_type);
417 }
418
419 static bool wb_lookup_rids(TALLOC_CTX *mem_ctx,
420                            const struct dom_sid *domain_sid,
421                            int num_rids, uint32 *rids,
422                            const char **domain_name,
423                            const char **names, enum lsa_SidType *types)
424 {
425         int i;
426         const char **my_names;
427         enum lsa_SidType *my_types;
428         TALLOC_CTX *tmp_ctx;
429
430         if (!(tmp_ctx = talloc_init("wb_lookup_rids"))) {
431                 return false;
432         }
433
434         if (!winbind_lookup_rids(tmp_ctx, domain_sid, num_rids, rids,
435                                  domain_name, &my_names, &my_types)) {
436                 *domain_name = "";
437                 for (i=0; i<num_rids; i++) {
438                         names[i] = "";
439                         types[i] = SID_NAME_UNKNOWN;
440                 }
441                 TALLOC_FREE(tmp_ctx);
442                 return true;
443         }
444
445         if (!(*domain_name = talloc_strdup(mem_ctx, *domain_name))) {
446                 TALLOC_FREE(tmp_ctx);
447                 return false;
448         }
449
450         /*
451          * winbind_lookup_rids allocates its own array. We've been given the
452          * array, so copy it over
453          */
454
455         for (i=0; i<num_rids; i++) {
456                 if (my_names[i] == NULL) {
457                         TALLOC_FREE(tmp_ctx);
458                         return false;
459                 }
460                 if (!(names[i] = talloc_strdup(names, my_names[i]))) {
461                         TALLOC_FREE(tmp_ctx);
462                         return false;
463                 }
464                 types[i] = my_types[i];
465         }
466         TALLOC_FREE(tmp_ctx);
467         return true;
468 }
469
470 static bool lookup_rids(TALLOC_CTX *mem_ctx, const struct dom_sid *domain_sid,
471                         int num_rids, uint32_t *rids,
472                         const char **domain_name,
473                         const char ***names, enum lsa_SidType **types)
474 {
475         int i;
476
477         DEBUG(10, ("lookup_rids called for domain sid '%s'\n",
478                    sid_string_dbg(domain_sid)));
479
480         if (num_rids) {
481                 *names = TALLOC_ZERO_ARRAY(mem_ctx, const char *, num_rids);
482                 *types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids);
483
484                 if ((*names == NULL) || (*types == NULL)) {
485                         return false;
486                 }
487
488                 for (i = 0; i < num_rids; i++)
489                         (*types)[i] = SID_NAME_UNKNOWN;
490         } else {
491                 *names = NULL;
492                 *types = NULL;
493         }
494
495         if (sid_check_is_domain(domain_sid)) {
496                 NTSTATUS result;
497
498                 if (*domain_name == NULL) {
499                         *domain_name = talloc_strdup(
500                                 mem_ctx, get_global_sam_name());
501                 }
502
503                 if (*domain_name == NULL) {
504                         return false;
505                 }
506
507                 become_root();
508                 result = pdb_lookup_rids(domain_sid, num_rids, rids,
509                                          *names, *types);
510                 unbecome_root();
511
512                 return (NT_STATUS_IS_OK(result) ||
513                         NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) ||
514                         NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED));
515         }
516
517         if (sid_check_is_builtin(domain_sid)) {
518
519                 if (*domain_name == NULL) {
520                         *domain_name = talloc_strdup(
521                                 mem_ctx, builtin_domain_name());
522                 }
523
524                 if (*domain_name == NULL) {
525                         return false;
526                 }
527
528                 for (i=0; i<num_rids; i++) {
529                         if (lookup_builtin_rid(*names, rids[i],
530                                                &(*names)[i])) {
531                                 if ((*names)[i] == NULL) {
532                                         return false;
533                                 }
534                                 (*types)[i] = SID_NAME_ALIAS;
535                         } else {
536                                 (*types)[i] = SID_NAME_UNKNOWN;
537                         }
538                 }
539                 return true;
540         }
541
542         if (sid_check_is_wellknown_domain(domain_sid, NULL)) {
543                 for (i=0; i<num_rids; i++) {
544                         struct dom_sid sid;
545                         sid_compose(&sid, domain_sid, rids[i]);
546                         if (lookup_wellknown_sid(mem_ctx, &sid,
547                                                  domain_name, &(*names)[i])) {
548                                 if ((*names)[i] == NULL) {
549                                         return false;
550                                 }
551                                 (*types)[i] = SID_NAME_WKN_GRP;
552                         } else {
553                                 (*types)[i] = SID_NAME_UNKNOWN;
554                         }
555                 }
556                 return true;
557         }
558
559         if (sid_check_is_unix_users(domain_sid)) {
560                 if (*domain_name == NULL) {
561                         *domain_name = talloc_strdup(
562                                 mem_ctx, unix_users_domain_name());
563                         if (*domain_name == NULL) {
564                                 return false;
565                         }
566                 }
567                 for (i=0; i<num_rids; i++) {
568                         (*names)[i] = talloc_strdup(
569                                 (*names), uidtoname(rids[i]));
570                         if ((*names)[i] == NULL) {
571                                 return false;
572                         }
573                         (*types)[i] = SID_NAME_USER;
574                 }
575                 return true;
576         }
577
578         if (sid_check_is_unix_groups(domain_sid)) {
579                 if (*domain_name == NULL) {
580                         *domain_name = talloc_strdup(
581                                 mem_ctx, unix_groups_domain_name());
582                         if (*domain_name == NULL) {
583                                 return false;
584                         }
585                 }
586                 for (i=0; i<num_rids; i++) {
587                         (*names)[i] = talloc_strdup(
588                                 (*names), gidtoname(rids[i]));
589                         if ((*names)[i] == NULL) {
590                                 return false;
591                         }
592                         (*types)[i] = SID_NAME_DOM_GRP;
593                 }
594                 return true;
595         }
596
597         return wb_lookup_rids(mem_ctx, domain_sid, num_rids, rids,
598                               domain_name, *names, *types);
599 }
600
601 /*
602  * Is the SID a domain as such? If yes, lookup its name.
603  */
604
605 static bool lookup_as_domain(const struct dom_sid *sid, TALLOC_CTX *mem_ctx,
606                              const char **name)
607 {
608         const char *tmp;
609         enum lsa_SidType type;
610
611         if (sid_check_is_domain(sid)) {
612                 *name = talloc_strdup(mem_ctx, get_global_sam_name());
613                 return true;
614         }
615
616         if (sid_check_is_builtin(sid)) {
617                 *name = talloc_strdup(mem_ctx, builtin_domain_name());
618                 return true;
619         }
620
621         if (sid_check_is_wellknown_domain(sid, &tmp)) {
622                 *name = talloc_strdup(mem_ctx, tmp);
623                 return true;
624         }
625
626         if (sid_check_is_unix_users(sid)) {
627                 *name = talloc_strdup(mem_ctx, unix_users_domain_name());
628                 return true;
629         }
630
631         if (sid_check_is_unix_groups(sid)) {
632                 *name = talloc_strdup(mem_ctx, unix_groups_domain_name());
633                 return true;
634         }
635
636         if (sid->num_auths != 4) {
637                 /* This can't be a domain */
638                 return false;
639         }
640
641         if (IS_DC) {
642                 uint32 i, num_domains;
643                 struct trustdom_info **domains;
644
645                 /* This is relatively expensive, but it happens only on DCs
646                  * and for SIDs that have 4 sub-authorities and thus look like
647                  * domains */
648
649                 if (!NT_STATUS_IS_OK(pdb_enum_trusteddoms(mem_ctx,
650                                                           &num_domains,
651                                                           &domains))) {
652                         return false;
653                 }
654
655                 for (i=0; i<num_domains; i++) {
656                         if (sid_equal(sid, &domains[i]->sid)) {
657                                 *name = talloc_strdup(mem_ctx,
658                                                       domains[i]->name);
659                                 return true;
660                         }
661                 }
662                 return false;
663         }
664
665         if (winbind_lookup_sid(mem_ctx, sid, &tmp, NULL, &type) &&
666             (type == SID_NAME_DOMAIN)) {
667                 *name = tmp;
668                 return true;
669         }
670
671         return false;
672 }
673
674 /*
675  * This tries to implement the rather weird rules for the lsa_lookup level
676  * parameter.
677  *
678  * This is as close as we can get to what W2k3 does. With this we survive the
679  * RPC-LSALOOKUP samba4 test as of 2006-01-08. NT4 as a PDC is a bit more
680  * different, but I assume that's just being too liberal. For example, W2k3
681  * replies to everything else but the levels 1-6 with INVALID_PARAMETER
682  * whereas NT4 does the same as level 1 (I think). I did not fully test that
683  * with NT4, this is what w2k3 does.
684  *
685  * Level 1: Ask everywhere
686  * Level 2: Ask domain and trusted domains, no builtin and wkn
687  * Level 3: Only ask domain
688  * Level 4: W2k3ad: Only ask AD trusts
689  * Level 5: Only ask transitive forest trusts
690  * Level 6: Like 4
691  */
692
693 static bool check_dom_sid_to_level(const struct dom_sid *sid, int level)
694 {
695         int ret = false;
696
697         switch(level) {
698         case 1:
699                 ret = true;
700                 break;
701         case 2:
702                 ret = (!sid_check_is_builtin(sid) &&
703                        !sid_check_is_wellknown_domain(sid, NULL));
704                 break;
705         case 3:
706         case 4:
707         case 6:
708                 ret = sid_check_is_domain(sid);
709                 break;
710         case 5:
711                 ret = false;
712                 break;
713         }
714
715         DEBUG(10, ("%s SID %s in level %d\n",
716                    ret ? "Accepting" : "Rejecting",
717                    sid_string_dbg(sid), level));
718         return ret;
719 }
720
721 /*
722  * Lookup a bunch of SIDs. This is modeled after lsa_lookup_sids with
723  * references to domains, it is explicitly made for this.
724  *
725  * This attempts to be as efficient as possible: It collects all SIDs
726  * belonging to a domain and hands them in bulk to the appropriate lookup
727  * function. In particular pdb_lookup_rids with ldapsam_trusted benefits
728  * *hugely* from this. Winbind is going to be extended with a lookup_rids
729  * interface as well, so on a DC we can do a bulk lsa_lookuprids to the
730  * appropriate DC.
731  */
732
733 NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids,
734                      const struct dom_sid **sids, int level,
735                      struct lsa_dom_info **ret_domains,
736                      struct lsa_name_info **ret_names)
737 {
738         TALLOC_CTX *tmp_ctx;
739         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
740         struct lsa_name_info *name_infos;
741         struct lsa_dom_info *dom_infos = NULL;
742
743         int i, j;
744
745         if (!(tmp_ctx = talloc_new(mem_ctx))) {
746                 DEBUG(0, ("talloc_new failed\n"));
747                 return NT_STATUS_NO_MEMORY;
748         }
749
750         if (num_sids) {
751                 name_infos = TALLOC_ARRAY(mem_ctx, struct lsa_name_info, num_sids);
752                 if (name_infos == NULL) {
753                         result = NT_STATUS_NO_MEMORY;
754                         goto fail;
755                 }
756         } else {
757                 name_infos = NULL;
758         }
759
760         dom_infos = TALLOC_ZERO_ARRAY(mem_ctx, struct lsa_dom_info,
761                                       LSA_REF_DOMAIN_LIST_MULTIPLIER);
762         if (dom_infos == NULL) {
763                 result = NT_STATUS_NO_MEMORY;
764                 goto fail;
765         }
766
767         /* First build up the data structures:
768          * 
769          * dom_infos is a list of domains referenced in the list of
770          * SIDs. Later we will walk the list of domains and look up the RIDs
771          * in bulk.
772          *
773          * name_infos is a shadow-copy of the SIDs array to collect the real
774          * data.
775          *
776          * dom_info->idxs is an index into the name_infos array. The
777          * difficulty we have here is that we need to keep the SIDs the client
778          * asked for in the same order for the reply
779          */
780
781         for (i=0; i<num_sids; i++) {
782                 struct dom_sid sid;
783                 uint32_t rid = 0;
784                 const char *domain_name = NULL;
785
786                 sid_copy(&sid, sids[i]);
787                 name_infos[i].type = SID_NAME_USE_NONE;
788
789                 if (lookup_as_domain(&sid, name_infos, &domain_name)) {
790                         /* We can't push that through the normal lookup
791                          * process, as this would reference illegal
792                          * domains.
793                          *
794                          * For example S-1-5-32 would end up referencing
795                          * domain S-1-5- with RID 32 which is clearly wrong.
796                          */
797                         if (domain_name == NULL) {
798                                 result = NT_STATUS_NO_MEMORY;
799                                 goto fail;
800                         }
801                                 
802                         name_infos[i].rid = 0;
803                         name_infos[i].type = SID_NAME_DOMAIN;
804                         name_infos[i].name = NULL;
805
806                         if (sid_check_is_builtin(&sid)) {
807                                 /* Yes, W2k3 returns "BUILTIN" both as domain
808                                  * and name here */
809                                 name_infos[i].name = talloc_strdup(
810                                         name_infos, builtin_domain_name());
811                                 if (name_infos[i].name == NULL) {
812                                         result = NT_STATUS_NO_MEMORY;
813                                         goto fail;
814                                 }
815                         }
816                 } else {
817                         /* This is a normal SID with rid component */
818                         if (!sid_split_rid(&sid, &rid)) {
819                                 result = NT_STATUS_INVALID_SID;
820                                 goto fail;
821                         }
822                 }
823
824                 if (!check_dom_sid_to_level(&sid, level)) {
825                         name_infos[i].rid = 0;
826                         name_infos[i].type = SID_NAME_UNKNOWN;
827                         name_infos[i].name = NULL;
828                         continue;
829                 }
830
831                 for (j=0; j<LSA_REF_DOMAIN_LIST_MULTIPLIER; j++) {
832                         if (!dom_infos[j].valid) {
833                                 break;
834                         }
835                         if (sid_equal(&sid, &dom_infos[j].sid)) {
836                                 break;
837                         }
838                 }
839
840                 if (j == LSA_REF_DOMAIN_LIST_MULTIPLIER) {
841                         /* TODO: What's the right error message here? */
842                         result = NT_STATUS_NONE_MAPPED;
843                         goto fail;
844                 }
845
846                 if (!dom_infos[j].valid) {
847                         /* We found a domain not yet referenced, create a new
848                          * ref. */
849                         dom_infos[j].valid = true;
850                         sid_copy(&dom_infos[j].sid, &sid);
851
852                         if (domain_name != NULL) {
853                                 /* This name was being found above in the case
854                                  * when we found a domain SID */
855                                 dom_infos[j].name =
856                                         talloc_strdup(dom_infos, domain_name);
857                                 if (dom_infos[j].name == NULL) {
858                                         result = NT_STATUS_NO_MEMORY;
859                                         goto fail;
860                                 }
861                         } else {
862                                 /* lookup_rids will take care of this */
863                                 dom_infos[j].name = NULL;
864                         }
865                 }
866
867                 name_infos[i].dom_idx = j;
868
869                 if (name_infos[i].type == SID_NAME_USE_NONE) {
870                         name_infos[i].rid = rid;
871
872                         ADD_TO_ARRAY(dom_infos, int, i, &dom_infos[j].idxs,
873                                      &dom_infos[j].num_idxs);
874
875                         if (dom_infos[j].idxs == NULL) {
876                                 result = NT_STATUS_NO_MEMORY;
877                                 goto fail;
878                         }
879                 }
880         }
881
882         /* Iterate over the domains found */
883
884         for (i=0; i<LSA_REF_DOMAIN_LIST_MULTIPLIER; i++) {
885                 uint32_t *rids;
886                 const char *domain_name = NULL;
887                 const char **names;
888                 enum lsa_SidType *types;
889                 struct lsa_dom_info *dom = &dom_infos[i];
890
891                 if (!dom->valid) {
892                         /* No domains left, we're done */
893                         break;
894                 }
895
896                 if (dom->num_idxs) {
897                         if (!(rids = TALLOC_ARRAY(tmp_ctx, uint32, dom->num_idxs))) {
898                                 result = NT_STATUS_NO_MEMORY;
899                                 goto fail;
900                         }
901                 } else {
902                         rids = NULL;
903                 }
904
905                 for (j=0; j<dom->num_idxs; j++) {
906                         rids[j] = name_infos[dom->idxs[j]].rid;
907                 }
908
909                 if (!lookup_rids(tmp_ctx, &dom->sid,
910                                  dom->num_idxs, rids, &domain_name,
911                                  &names, &types)) {
912                         result = NT_STATUS_NO_MEMORY;
913                         goto fail;
914                 }
915
916                 if (!(dom->name = talloc_strdup(dom_infos, domain_name))) {
917                         result = NT_STATUS_NO_MEMORY;
918                         goto fail;
919                 }
920                         
921                 for (j=0; j<dom->num_idxs; j++) {
922                         int idx = dom->idxs[j];
923                         name_infos[idx].type = types[j];
924                         if (types[j] != SID_NAME_UNKNOWN) {
925                                 name_infos[idx].name =
926                                         talloc_strdup(name_infos, names[j]);
927                                 if (name_infos[idx].name == NULL) {
928                                         result = NT_STATUS_NO_MEMORY;
929                                         goto fail;
930                                 }
931                         } else {
932                                 name_infos[idx].name = NULL;
933                         }
934                 }
935         }
936
937         *ret_domains = dom_infos;
938         *ret_names = name_infos;
939         TALLOC_FREE(tmp_ctx);
940         return NT_STATUS_OK;
941
942  fail:
943         TALLOC_FREE(dom_infos);
944         TALLOC_FREE(name_infos);
945         TALLOC_FREE(tmp_ctx);
946         return result;
947 }
948
949 /*****************************************************************
950  *THE CANONICAL* convert SID to name function.
951 *****************************************************************/  
952
953 bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
954                 const char **ret_domain, const char **ret_name,
955                 enum lsa_SidType *ret_type)
956 {
957         struct lsa_dom_info *domain;
958         struct lsa_name_info *name;
959         TALLOC_CTX *tmp_ctx;
960         bool ret = false;
961
962         DEBUG(10, ("lookup_sid called for SID '%s'\n", sid_string_dbg(sid)));
963
964         if (!(tmp_ctx = talloc_new(mem_ctx))) {
965                 DEBUG(0, ("talloc_new failed\n"));
966                 return false;
967         }
968
969         if (!NT_STATUS_IS_OK(lookup_sids(tmp_ctx, 1, &sid, 1,
970                                          &domain, &name))) {
971                 goto done;
972         }
973
974         if (name->type == SID_NAME_UNKNOWN) {
975                 goto done;
976         }
977
978         if ((ret_domain != NULL) &&
979             !(*ret_domain = talloc_strdup(mem_ctx, domain->name))) {
980                 goto done;
981         }
982
983         if ((ret_name != NULL) && 
984             !(*ret_name = talloc_strdup(mem_ctx, name->name))) {
985                 goto done;
986         }
987
988         if (ret_type != NULL) {
989                 *ret_type = name->type;
990         }
991
992         ret = true;
993
994  done:
995         if (ret) {
996                 DEBUG(10, ("Sid %s -> %s\\%s(%d)\n", sid_string_dbg(sid),
997                            domain->name, name->name, name->type));
998         } else {
999                 DEBUG(10, ("failed to lookup sid %s\n", sid_string_dbg(sid)));
1000         }
1001         TALLOC_FREE(tmp_ctx);
1002         return ret;
1003 }
1004
1005 /*****************************************************************
1006  Id mapping cache.  This is to avoid Winbind mappings already
1007  seen by smbd to be queried too frequently, keeping winbindd
1008  busy, and blocking smbd while winbindd is busy with other
1009  stuff. Written by Michael Steffens <michael.steffens@hp.com>,
1010  modified to use linked lists by jra.
1011 *****************************************************************/  
1012
1013 /*****************************************************************
1014   Find a SID given a uid.
1015 *****************************************************************/
1016
1017 static bool fetch_sid_from_uid_cache(struct dom_sid *psid, uid_t uid)
1018 {
1019         DATA_BLOB cache_value;
1020
1021         if (!memcache_lookup(NULL, UID_SID_CACHE,
1022                              data_blob_const(&uid, sizeof(uid)),
1023                              &cache_value)) {
1024                 return false;
1025         }
1026
1027         memcpy(psid, cache_value.data, MIN(sizeof(*psid), cache_value.length));
1028         SMB_ASSERT(cache_value.length >= offsetof(struct dom_sid, id_auth));
1029         SMB_ASSERT(cache_value.length == ndr_size_dom_sid(psid, 0));
1030
1031         return true;
1032 }
1033
1034 /*****************************************************************
1035   Find a uid given a SID.
1036 *****************************************************************/
1037
1038 static bool fetch_uid_from_cache( uid_t *puid, const struct dom_sid *psid )
1039 {
1040         DATA_BLOB cache_value;
1041
1042         if (!memcache_lookup(NULL, SID_UID_CACHE,
1043                              data_blob_const(psid, ndr_size_dom_sid(psid, 0)),
1044                              &cache_value)) {
1045                 return false;
1046         }
1047
1048         SMB_ASSERT(cache_value.length == sizeof(*puid));
1049         memcpy(puid, cache_value.data, sizeof(*puid));
1050
1051         return true;
1052 }
1053
1054 /*****************************************************************
1055  Store uid to SID mapping in cache.
1056 *****************************************************************/
1057
1058 void store_uid_sid_cache(const struct dom_sid *psid, uid_t uid)
1059 {
1060         memcache_add(NULL, SID_UID_CACHE,
1061                      data_blob_const(psid, ndr_size_dom_sid(psid, 0)),
1062                      data_blob_const(&uid, sizeof(uid)));
1063         memcache_add(NULL, UID_SID_CACHE,
1064                      data_blob_const(&uid, sizeof(uid)),
1065                      data_blob_const(psid, ndr_size_dom_sid(psid, 0)));
1066 }
1067
1068 /*****************************************************************
1069   Find a SID given a gid.
1070 *****************************************************************/
1071
1072 static bool fetch_sid_from_gid_cache(struct dom_sid *psid, gid_t gid)
1073 {
1074         DATA_BLOB cache_value;
1075
1076         if (!memcache_lookup(NULL, GID_SID_CACHE,
1077                              data_blob_const(&gid, sizeof(gid)),
1078                              &cache_value)) {
1079                 return false;
1080         }
1081
1082         memcpy(psid, cache_value.data, MIN(sizeof(*psid), cache_value.length));
1083         SMB_ASSERT(cache_value.length >= offsetof(struct dom_sid, id_auth));
1084         SMB_ASSERT(cache_value.length == ndr_size_dom_sid(psid, 0));
1085
1086         return true;
1087 }
1088
1089 /*****************************************************************
1090   Find a gid given a SID.
1091 *****************************************************************/
1092
1093 static bool fetch_gid_from_cache(gid_t *pgid, const struct dom_sid *psid)
1094 {
1095         DATA_BLOB cache_value;
1096
1097         if (!memcache_lookup(NULL, SID_GID_CACHE,
1098                              data_blob_const(psid, ndr_size_dom_sid(psid, 0)),
1099                              &cache_value)) {
1100                 return false;
1101         }
1102
1103         SMB_ASSERT(cache_value.length == sizeof(*pgid));
1104         memcpy(pgid, cache_value.data, sizeof(*pgid));
1105
1106         return true;
1107 }
1108
1109 /*****************************************************************
1110  Store gid to SID mapping in cache.
1111 *****************************************************************/
1112
1113 void store_gid_sid_cache(const struct dom_sid *psid, gid_t gid)
1114 {
1115         memcache_add(NULL, SID_GID_CACHE,
1116                      data_blob_const(psid, ndr_size_dom_sid(psid, 0)),
1117                      data_blob_const(&gid, sizeof(gid)));
1118         memcache_add(NULL, GID_SID_CACHE,
1119                      data_blob_const(&gid, sizeof(gid)),
1120                      data_blob_const(psid, ndr_size_dom_sid(psid, 0)));
1121 }
1122
1123 /*****************************************************************
1124  *THE LEGACY* convert uid_t to SID function.
1125 *****************************************************************/  
1126
1127 static void legacy_uid_to_sid(struct dom_sid *psid, uid_t uid)
1128 {
1129         bool ret;
1130
1131         ZERO_STRUCTP(psid);
1132
1133         become_root();
1134         ret = pdb_uid_to_sid(uid, psid);
1135         unbecome_root();
1136
1137         if (ret) {
1138                 /* This is a mapped user */
1139                 goto done;
1140         }
1141
1142         /* This is an unmapped user */
1143
1144         uid_to_unix_users_sid(uid, psid);
1145
1146  done:
1147         DEBUG(10,("LEGACY: uid %u -> sid %s\n", (unsigned int)uid,
1148                   sid_string_dbg(psid)));
1149
1150         store_uid_sid_cache(psid, uid);
1151         return;
1152 }
1153
1154 /*****************************************************************
1155  *THE LEGACY* convert gid_t to SID function.
1156 *****************************************************************/  
1157
1158 static void legacy_gid_to_sid(struct dom_sid *psid, gid_t gid)
1159 {
1160         bool ret;
1161
1162         ZERO_STRUCTP(psid);
1163
1164         become_root();
1165         ret = pdb_gid_to_sid(gid, psid);
1166         unbecome_root();
1167
1168         if (ret) {
1169                 /* This is a mapped group */
1170                 goto done;
1171         }
1172         
1173         /* This is an unmapped group */
1174
1175         gid_to_unix_groups_sid(gid, psid);
1176
1177  done:
1178         DEBUG(10,("LEGACY: gid %u -> sid %s\n", (unsigned int)gid,
1179                   sid_string_dbg(psid)));
1180
1181         store_gid_sid_cache(psid, gid);
1182         return;
1183 }
1184
1185 /*****************************************************************
1186  *THE LEGACY* convert SID to uid function.
1187 *****************************************************************/  
1188
1189 static bool legacy_sid_to_uid(const struct dom_sid *psid, uid_t *puid)
1190 {
1191         enum lsa_SidType type;
1192
1193         if (sid_check_is_in_our_domain(psid)) {
1194                 union unid_t id;
1195                 bool ret;
1196
1197                 become_root();
1198                 ret = pdb_sid_to_id(psid, &id, &type);
1199                 unbecome_root();
1200
1201                 if (ret) {
1202                         if (type != SID_NAME_USER) {
1203                                 DEBUG(5, ("sid %s is a %s, expected a user\n",
1204                                           sid_string_dbg(psid),
1205                                           sid_type_lookup(type)));
1206                                 return false;
1207                         }
1208                         *puid = id.uid;
1209                         goto done;
1210                 }
1211
1212                 /* This was ours, but it was not mapped.  Fail */
1213         }
1214
1215         DEBUG(10,("LEGACY: mapping failed for sid %s\n",
1216                   sid_string_dbg(psid)));
1217         return false;
1218
1219 done:
1220         DEBUG(10,("LEGACY: sid %s -> uid %u\n", sid_string_dbg(psid),
1221                   (unsigned int)*puid ));
1222
1223         store_uid_sid_cache(psid, *puid);
1224         return true;
1225 }
1226
1227 /*****************************************************************
1228  *THE LEGACY* convert SID to gid function.
1229  Group mapping is used for gids that maps to Wellknown SIDs
1230 *****************************************************************/  
1231
1232 static bool legacy_sid_to_gid(const struct dom_sid *psid, gid_t *pgid)
1233 {
1234         GROUP_MAP map;
1235         union unid_t id;
1236         enum lsa_SidType type;
1237
1238         if ((sid_check_is_in_builtin(psid) ||
1239              sid_check_is_in_wellknown_domain(psid))) {
1240                 bool ret;
1241
1242                 become_root();
1243                 ret = pdb_getgrsid(&map, *psid);
1244                 unbecome_root();
1245
1246                 if (ret) {
1247                         *pgid = map.gid;
1248                         goto done;
1249                 }
1250                 DEBUG(10,("LEGACY: mapping failed for sid %s\n",
1251                           sid_string_dbg(psid)));
1252                 return false;
1253         }
1254
1255         if (sid_check_is_in_our_domain(psid)) {
1256                 bool ret;
1257
1258                 become_root();
1259                 ret = pdb_sid_to_id(psid, &id, &type);
1260                 unbecome_root();
1261
1262                 if (ret) {
1263                         if ((type != SID_NAME_DOM_GRP) &&
1264                             (type != SID_NAME_ALIAS)) {
1265                                 DEBUG(5, ("LEGACY: sid %s is a %s, expected "
1266                                           "a group\n", sid_string_dbg(psid),
1267                                           sid_type_lookup(type)));
1268                                 return false;
1269                         }
1270                         *pgid = id.gid;
1271                         goto done;
1272                 }
1273         
1274                 /* This was ours, but it was not mapped.  Fail */
1275         }
1276
1277         DEBUG(10,("LEGACY: mapping failed for sid %s\n",
1278                   sid_string_dbg(psid)));
1279         return false;
1280         
1281  done:
1282         DEBUG(10,("LEGACY: sid %s -> gid %u\n", sid_string_dbg(psid),
1283                   (unsigned int)*pgid ));
1284
1285         store_gid_sid_cache(psid, *pgid);
1286
1287         return true;
1288 }
1289
1290 /*****************************************************************
1291  *THE CANONICAL* convert uid_t to SID function.
1292 *****************************************************************/  
1293
1294 void uid_to_sid(struct dom_sid *psid, uid_t uid)
1295 {
1296         bool expired = true;
1297         bool ret;
1298         ZERO_STRUCTP(psid);
1299
1300         if (fetch_sid_from_uid_cache(psid, uid))
1301                 return;
1302
1303         /* Check the winbindd cache directly. */
1304         ret = idmap_cache_find_uid2sid(uid, psid, &expired);
1305
1306         if (ret && !expired && is_null_sid(psid)) {
1307                 /*
1308                  * Negative cache entry, we already asked.
1309                  * do legacy.
1310                  */
1311                 legacy_uid_to_sid(psid, uid);
1312                 return;
1313         }
1314
1315         if (!ret || expired) {
1316                 /* Not in cache. Ask winbindd. */
1317                 if (!winbind_uid_to_sid(psid, uid)) {
1318                         /*
1319                          * We shouldn't return the NULL SID
1320                          * here if winbind was running and
1321                          * couldn't map, as winbind will have
1322                          * added a negative entry that will
1323                          * cause us to go though the
1324                          * legacy_uid_to_sid()
1325                          * function anyway in the case above
1326                          * the next time we ask.
1327                          */
1328                         DEBUG(5, ("uid_to_sid: winbind failed to find a sid "
1329                                   "for uid %u\n", (unsigned int)uid));
1330
1331                         legacy_uid_to_sid(psid, uid);
1332                         return;
1333                 }
1334         }
1335
1336         DEBUG(10,("uid %u -> sid %s\n", (unsigned int)uid,
1337                   sid_string_dbg(psid)));
1338
1339         store_uid_sid_cache(psid, uid);
1340         return;
1341 }
1342
1343 /*****************************************************************
1344  *THE CANONICAL* convert gid_t to SID function.
1345 *****************************************************************/  
1346
1347 void gid_to_sid(struct dom_sid *psid, gid_t gid)
1348 {
1349         bool expired = true;
1350         bool ret;
1351         ZERO_STRUCTP(psid);
1352
1353         if (fetch_sid_from_gid_cache(psid, gid))
1354                 return;
1355
1356         /* Check the winbindd cache directly. */
1357         ret = idmap_cache_find_gid2sid(gid, psid, &expired);
1358
1359         if (ret && !expired && is_null_sid(psid)) {
1360                 /*
1361                  * Negative cache entry, we already asked.
1362                  * do legacy.
1363                  */
1364                 legacy_gid_to_sid(psid, gid);
1365                 return;
1366         }
1367
1368         if (!ret || expired) {
1369                 /* Not in cache. Ask winbindd. */
1370                 if (!winbind_gid_to_sid(psid, gid)) {
1371                         /*
1372                          * We shouldn't return the NULL SID
1373                          * here if winbind was running and
1374                          * couldn't map, as winbind will have
1375                          * added a negative entry that will
1376                          * cause us to go though the
1377                          * legacy_gid_to_sid()
1378                          * function anyway in the case above
1379                          * the next time we ask.
1380                          */
1381                         DEBUG(5, ("gid_to_sid: winbind failed to find a sid "
1382                                   "for gid %u\n", (unsigned int)gid));
1383
1384                         legacy_gid_to_sid(psid, gid);
1385                         return;
1386                 }
1387         }
1388
1389         DEBUG(10,("gid %u -> sid %s\n", (unsigned int)gid,
1390                   sid_string_dbg(psid)));
1391
1392         store_gid_sid_cache(psid, gid);
1393         return;
1394 }
1395
1396 /*****************************************************************
1397  *THE CANONICAL* convert SID to uid function.
1398 *****************************************************************/  
1399
1400 bool sid_to_uid(const struct dom_sid *psid, uid_t *puid)
1401 {
1402         bool expired = true;
1403         bool ret;
1404         uint32 rid;
1405         gid_t gid;
1406
1407         if (fetch_uid_from_cache(puid, psid))
1408                 return true;
1409
1410         if (fetch_gid_from_cache(&gid, psid)) {
1411                 return false;
1412         }
1413
1414         /* Optimize for the Unix Users Domain
1415          * as the conversion is straightforward */
1416         if (sid_peek_check_rid(&global_sid_Unix_Users, psid, &rid)) {
1417                 uid_t uid = rid;
1418                 *puid = uid;
1419
1420                 /* return here, don't cache */
1421                 DEBUG(10,("sid %s -> uid %u\n", sid_string_dbg(psid),
1422                         (unsigned int)*puid ));
1423                 return true;
1424         }
1425
1426         /* Check the winbindd cache directly. */
1427         ret = idmap_cache_find_sid2uid(psid, puid, &expired);
1428
1429         if (ret && !expired && (*puid == (uid_t)-1)) {
1430                 /*
1431                  * Negative cache entry, we already asked.
1432                  * do legacy.
1433                  */
1434                 return legacy_sid_to_uid(psid, puid);
1435         }
1436
1437         if (!ret || expired) {
1438                 /* Not in cache. Ask winbindd. */
1439                 if (!winbind_sid_to_uid(puid, psid)) {
1440                         DEBUG(5, ("winbind failed to find a uid for sid %s\n",
1441                                   sid_string_dbg(psid)));
1442                         /* winbind failed. do legacy */
1443                         return legacy_sid_to_uid(psid, puid);
1444                 }
1445         }
1446
1447         /* TODO: Here would be the place to allocate both a gid and a uid for
1448          * the SID in question */
1449
1450         DEBUG(10,("sid %s -> uid %u\n", sid_string_dbg(psid),
1451                 (unsigned int)*puid ));
1452
1453         store_uid_sid_cache(psid, *puid);
1454         return true;
1455 }
1456
1457 /*****************************************************************
1458  *THE CANONICAL* convert SID to gid function.
1459  Group mapping is used for gids that maps to Wellknown SIDs
1460 *****************************************************************/  
1461
1462 bool sid_to_gid(const struct dom_sid *psid, gid_t *pgid)
1463 {
1464         bool expired = true;
1465         bool ret;
1466         uint32 rid;
1467         uid_t uid;
1468
1469         if (fetch_gid_from_cache(pgid, psid))
1470                 return true;
1471
1472         if (fetch_uid_from_cache(&uid, psid))
1473                 return false;
1474
1475         /* Optimize for the Unix Groups Domain
1476          * as the conversion is straightforward */
1477         if (sid_peek_check_rid(&global_sid_Unix_Groups, psid, &rid)) {
1478                 gid_t gid = rid;
1479                 *pgid = gid;
1480
1481                 /* return here, don't cache */
1482                 DEBUG(10,("sid %s -> gid %u\n", sid_string_dbg(psid),
1483                         (unsigned int)*pgid ));
1484                 return true;
1485         }
1486
1487         /* Check the winbindd cache directly. */
1488         ret = idmap_cache_find_sid2gid(psid, pgid, &expired);
1489
1490         if (ret && !expired && (*pgid == (gid_t)-1)) {
1491                 /*
1492                  * Negative cache entry, we already asked.
1493                  * do legacy.
1494                  */
1495                 return legacy_sid_to_gid(psid, pgid);
1496         }
1497
1498         if (!ret || expired) {
1499                 /* Not in cache or negative. Ask winbindd. */
1500                 /* Ask winbindd if it can map this sid to a gid.
1501                  * (Idmap will check it is a valid SID and of the right type) */
1502
1503                 if ( !winbind_sid_to_gid(pgid, psid) ) {
1504
1505                         DEBUG(10,("winbind failed to find a gid for sid %s\n",
1506                                   sid_string_dbg(psid)));
1507                         /* winbind failed. do legacy */
1508                         return legacy_sid_to_gid(psid, pgid);
1509                 }
1510         }
1511
1512         DEBUG(10,("sid %s -> gid %u\n", sid_string_dbg(psid),
1513                   (unsigned int)*pgid ));
1514
1515         store_gid_sid_cache(psid, *pgid);
1516         return true;
1517 }
1518
1519 /**
1520  * @brief This function gets the primary group SID mapping the primary
1521  *        GID of the user as obtained by an actual getpwnam() call.
1522  *        This is necessary to avoid issues with arbitrary group SIDs
1523  *        stored in passdb. We try as hard as we can to get the SID
1524  *        corresponding to the GID, including trying group mapping.
1525  *        If nothing else works, we will force "Domain Users" as the
1526  *        primary group.
1527  *        This is needed because we must always be able to lookup the
1528  *        primary group SID, so we cannot settle for an arbitrary SID.
1529  *
1530  *        This call can be expensive. Use with moderation.
1531  *        If you have a "samu" struct around use pdb_get_group_sid()
1532  *        instead as it does properly cache results.
1533  *
1534  * @param mem_ctx[in]     The memory context iused to allocate the result.
1535  * @param username[in]    The user's name
1536  * @param _pwd[in|out]    If available, pass in user's passwd struct.
1537  *                        It will contain a tallocated passwd if NULL was
1538  *                        passed in.
1539  * @param _group_sid[out] The user's Primary Group SID
1540  *
1541  * @return NTSTATUS error code.
1542  */
1543 NTSTATUS get_primary_group_sid(TALLOC_CTX *mem_ctx,
1544                                 const char *username,
1545                                 struct passwd **_pwd,
1546                                 struct dom_sid **_group_sid)
1547 {
1548         TALLOC_CTX *tmp_ctx;
1549         bool need_lookup_sid = false;
1550         struct dom_sid *group_sid;
1551         struct passwd *pwd = *_pwd;
1552
1553         tmp_ctx = talloc_new(mem_ctx);
1554         if (!tmp_ctx) {
1555                 return NT_STATUS_NO_MEMORY;
1556         }
1557
1558         if (!pwd) {
1559                 pwd = Get_Pwnam_alloc(mem_ctx, username);
1560                 if (!pwd) {
1561                         DEBUG(0, ("Failed to find a Unix account for %s",
1562                                   username));
1563                         TALLOC_FREE(tmp_ctx);
1564                         return NT_STATUS_NO_SUCH_USER;
1565                 }
1566         }
1567
1568         group_sid = talloc_zero(mem_ctx, struct dom_sid);
1569         if (!group_sid) {
1570                 TALLOC_FREE(tmp_ctx);
1571                 return NT_STATUS_NO_MEMORY;
1572         }
1573
1574         gid_to_sid(group_sid, pwd->pw_gid);
1575         if (!is_null_sid(group_sid)) {
1576                 struct dom_sid domain_sid;
1577                 uint32_t rid;
1578
1579                 /* We need a sid within our domain */
1580                 sid_copy(&domain_sid, group_sid);
1581                 sid_split_rid(&domain_sid, &rid);
1582                 if (sid_equal(&domain_sid, get_global_sam_sid())) {
1583                         /*
1584                          * As shortcut for the expensive lookup_sid call
1585                          * compare the domain sid part
1586                          */
1587                         switch (rid) {
1588                         case DOMAIN_RID_ADMINS:
1589                         case DOMAIN_RID_USERS:
1590                                 goto done;
1591                         default:
1592                                 need_lookup_sid = true;
1593                                 break;
1594                         }
1595                 } else {
1596                         /* Try group mapping */
1597                         ZERO_STRUCTP(group_sid);
1598                         if (pdb_gid_to_sid(pwd->pw_gid, group_sid)) {
1599                                 need_lookup_sid = true;
1600                         }
1601                 }
1602         }
1603
1604         /* We must verify that this is a valid SID that resolves to a
1605          * group of the correct type */
1606         if (need_lookup_sid) {
1607                 enum lsa_SidType type = SID_NAME_UNKNOWN;
1608                 bool lookup_ret;
1609
1610                 DEBUG(10, ("do lookup_sid(%s) for group of user %s\n",
1611                            sid_string_dbg(group_sid), username));
1612
1613                 /* Now check that it's actually a domain group and
1614                  * not something else */
1615                 lookup_ret = lookup_sid(tmp_ctx, group_sid,
1616                                         NULL, NULL, &type);
1617
1618                 if (lookup_ret && (type == SID_NAME_DOM_GRP)) {
1619                         goto done;
1620                 }
1621
1622                 DEBUG(3, ("Primary group %s for user %s is"
1623                           " a %s and not a domain group\n",
1624                           sid_string_dbg(group_sid), username,
1625                           sid_type_lookup(type)));
1626         }
1627
1628         /* Everything else, failed.
1629          * Just set it to the 'Domain Users' RID of 513 which will
1630            always resolve to a name */
1631         DEBUG(3, ("Forcing Primary Group to 'Domain Users' for %s\n",
1632                   username));
1633
1634         sid_compose(group_sid, get_global_sam_sid(), DOMAIN_RID_USERS);
1635
1636 done:
1637         *_pwd = talloc_move(mem_ctx, &pwd);
1638         *_group_sid = talloc_move(mem_ctx, &group_sid);
1639         TALLOC_FREE(tmp_ctx);
1640         return NT_STATUS_OK;
1641 }