winbind: Fix UPN handling in parse_domain_user()
[nivanova/samba-autobuild/.git] / source3 / winbindd / winbindd_getgroups.c
1 /*
2    Unix SMB/CIFS implementation.
3    async implementation of WINBINDD_GETGROUPS
4    Copyright (C) Volker Lendecke 2009
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License as published by
8    the Free Software Foundation; either version 3 of the License, or
9    (at your option) any later version.
10
11    This program is distributed in the hope that it will be useful,
12    but WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14    GNU General Public License for more details.
15
16    You should have received a copy of the GNU General Public License
17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "winbindd.h"
22 #include "passdb/lookup_sid.h" /* only for LOOKUP_NAME_NO_NSS flag */
23
24 struct winbindd_getgroups_state {
25         struct tevent_context *ev;
26         fstring namespace;
27         fstring domname;
28         fstring username;
29         struct dom_sid sid;
30         enum lsa_SidType type;
31         int num_sids;
32         struct dom_sid *sids;
33         int num_gids;
34         gid_t *gids;
35 };
36
37 static void winbindd_getgroups_lookupname_done(struct tevent_req *subreq);
38 static void winbindd_getgroups_gettoken_done(struct tevent_req *subreq);
39 static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq);
40
41 struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx,
42                                            struct tevent_context *ev,
43                                            struct winbindd_cli_state *cli,
44                                            struct winbindd_request *request)
45 {
46         struct tevent_req *req, *subreq;
47         struct winbindd_getgroups_state *state;
48         char *domuser, *mapped_user;
49         NTSTATUS status;
50         bool ok;
51
52         req = tevent_req_create(mem_ctx, &state,
53                                 struct winbindd_getgroups_state);
54         if (req == NULL) {
55                 return NULL;
56         }
57         state->ev = ev;
58
59         /* Ensure null termination */
60         request->data.username[sizeof(request->data.username)-1]='\0';
61
62         DEBUG(3, ("getgroups %s\n", request->data.username));
63
64         domuser = request->data.username;
65
66         status = normalize_name_unmap(state, domuser, &mapped_user);
67
68         if (NT_STATUS_IS_OK(status)
69             || NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
70                 /* normalize_name_unmapped did something */
71                 domuser = mapped_user;
72         }
73
74         ok = parse_domain_user(domuser,
75                                state->namespace,
76                                state->domname,
77                                state->username);
78         if (!ok) {
79                 DEBUG(5, ("Could not parse domain user: %s\n", domuser));
80                 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
81                 return tevent_req_post(req, ev);
82         }
83
84         subreq = wb_lookupname_send(state, ev,
85                                     state->namespace,
86                                     state->domname,
87                                     state->username,
88                                     LOOKUP_NAME_NO_NSS);
89         if (tevent_req_nomem(subreq, req)) {
90                 return tevent_req_post(req, ev);
91         }
92         tevent_req_set_callback(subreq, winbindd_getgroups_lookupname_done,
93                                 req);
94         return req;
95 }
96
97 static void winbindd_getgroups_lookupname_done(struct tevent_req *subreq)
98 {
99         struct tevent_req *req = tevent_req_callback_data(
100                 subreq, struct tevent_req);
101         struct winbindd_getgroups_state *state = tevent_req_data(
102                 req, struct winbindd_getgroups_state);
103         NTSTATUS status;
104
105         status = wb_lookupname_recv(subreq, &state->sid, &state->type);
106         TALLOC_FREE(subreq);
107         if (tevent_req_nterror(req, status)) {
108                 return;
109         }
110
111         subreq = wb_gettoken_send(state, state->ev, &state->sid, true);
112         if (tevent_req_nomem(subreq, req)) {
113                 return;
114         }
115         tevent_req_set_callback(subreq, winbindd_getgroups_gettoken_done, req);
116 }
117
118 static void winbindd_getgroups_gettoken_done(struct tevent_req *subreq)
119 {
120         struct tevent_req *req = tevent_req_callback_data(
121                 subreq, struct tevent_req);
122         struct winbindd_getgroups_state *state = tevent_req_data(
123                 req, struct winbindd_getgroups_state);
124         NTSTATUS status;
125
126         status = wb_gettoken_recv(subreq, state, &state->num_sids,
127                                   &state->sids);
128         TALLOC_FREE(subreq);
129         if (tevent_req_nterror(req, status)) {
130                 return;
131         }
132
133         /*
134          * Convert the group SIDs to gids. state->sids[0] contains the user
135          * sid. If the idmap backend uses ID_TYPE_BOTH, we might need the
136          * the id of the user sid in the list of group sids, so map the
137          * complete token.
138          */
139
140         subreq = wb_sids2xids_send(state, state->ev,
141                                    state->sids, state->num_sids);
142         if (tevent_req_nomem(subreq, req)) {
143                 return;
144         }
145         tevent_req_set_callback(subreq, winbindd_getgroups_sid2gid_done, req);
146 }
147
148 static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq)
149 {
150         struct tevent_req *req = tevent_req_callback_data(
151                 subreq, struct tevent_req);
152         struct winbindd_getgroups_state *state = tevent_req_data(
153                 req, struct winbindd_getgroups_state);
154         NTSTATUS status;
155         struct unixid *xids;
156         int i;
157
158         xids = talloc_array(state, struct unixid, state->num_sids);
159         if (tevent_req_nomem(xids, req)) {
160                 return;
161         }
162         for (i=0; i < state->num_sids; i++) {
163                 xids[i].type = ID_TYPE_NOT_SPECIFIED;
164                 xids[i].id = UINT32_MAX;
165         }
166
167         status = wb_sids2xids_recv(subreq, xids, state->num_sids);
168         TALLOC_FREE(subreq);
169         if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) ||
170             NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
171         {
172                 status = NT_STATUS_OK;
173         }
174         if (tevent_req_nterror(req, status)) {
175                 return;
176         }
177
178         state->gids = talloc_array(state, gid_t, state->num_sids);
179         if (tevent_req_nomem(state->gids, req)) {
180                 return;
181         }
182         state->num_gids = 0;
183
184         for (i=0; i < state->num_sids; i++) {
185                 bool include_gid = false;
186                 const char *debug_missing = NULL;
187
188                 switch (xids[i].type) {
189                 case ID_TYPE_NOT_SPECIFIED:
190                         debug_missing = "not specified";
191                         break;
192                 case ID_TYPE_UID:
193                         if (i != 0) {
194                                 debug_missing = "uid";
195                         }
196                         break;
197                 case ID_TYPE_GID:
198                 case ID_TYPE_BOTH:
199                         include_gid = true;
200                         break;
201                 }
202
203                 if (!include_gid) {
204                         if (debug_missing == NULL) {
205                                 continue;
206                         }
207
208                         DEBUG(10, ("WARNING: skipping unix id (%u) for sid %s "
209                                    "from group list because the idmap type "
210                                    "is %s. "
211                                    "This might be a security problem when ACLs "
212                                    "contain DENY ACEs!\n",
213                                    (unsigned)xids[i].id,
214                                    sid_string_tos(&state->sids[i]),
215                                    debug_missing));
216                         continue;
217                 }
218
219                 state->gids[state->num_gids] = (gid_t)xids[i].id;
220                 state->num_gids += 1;
221         }
222
223         /*
224          * This should not fail, as it does not do any reallocation,
225          * just updating the talloc size.
226          */
227         state->gids = talloc_realloc(state, state->gids, gid_t, state->num_gids);
228         if (tevent_req_nomem(state->gids, req)) {
229                 return;
230         }
231
232         tevent_req_done(req);
233 }
234
235 NTSTATUS winbindd_getgroups_recv(struct tevent_req *req,
236                                  struct winbindd_response *response)
237 {
238         struct winbindd_getgroups_state *state = tevent_req_data(
239                 req, struct winbindd_getgroups_state);
240         NTSTATUS status;
241
242         if (tevent_req_is_nterror(req, &status)) {
243                 DEBUG(5, ("Could not convert sid %s: %s\n",
244                           sid_string_dbg(&state->sid), nt_errstr(status)));
245                 return status;
246         }
247
248         response->data.num_entries = state->num_gids;
249
250         if (state->num_gids > 0) {
251                 response->extra_data.data = talloc_move(response,
252                                                         &state->gids);
253                 response->length += state->num_gids * sizeof(gid_t);
254         }
255         return NT_STATUS_OK;
256 }