Unix SMB/CIFS implementation.
Deal with unix elements in the security token
Copyright (C) Andrew Tridgell 2004
Copyright (C) Andrew Bartlett 2011
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "auth/auth.h"
25 #include "libcli/wbclient/wbclient.h"
26 #include "param/param.h"
29 #define DBGC_CLASS DBGC_AUTH
Form a security_unix_token from the given security_token
/*
 * Build a struct security_unix_token (uid, primary gid, supplementary gids)
 * from the SIDs of an NT security token.  Every SID is resolved through the
 * wbclient lookup (wbc_sids_to_xids); sids[0] must yield the uid, sids[1]
 * the primary gid, and every further SID a gid.
 *
 * mem_ctx: talloc parent of *sec and of the temporary id_map array.
 * token:   NT token to convert; must carry at least two SIDs.
 * sec:     receives the newly allocated unix token.
 *
 * Returns NT_STATUS_ACCESS_DENIED for a token with fewer than two SIDs,
 * NT_STATUS_NO_MEMORY on allocation failure, the wbc_sids_to_xids() status
 * when the lookup itself fails, and NT_STATUS_INVALID_SID when a SID does
 * not resolve to the id type its position requires.  The policy is
 * fail-closed: an unmappable SID rejects the whole token instead of being
 * silently dropped from the unix identity.
 *
 * NOTE(review): on the NT_STATUS_INVALID_SID paths *sec has already been
 * allocated and partly filled in; callers must only use it when
 * NT_STATUS_OK is returned.  No talloc_free(ids) is visible here, so the
 * temporary id_map array stays attached to mem_ctx -- confirm that is the
 * intended ownership.
 */
34 NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx,
35 struct security_token *token,
36 struct security_unix_token **sec)
42 /* we can't do unix security without a user and group */
43 if (token->num_sids < 2) {
44 return NT_STATUS_ACCESS_DENIED;
47 *sec = talloc_zero(mem_ctx, struct security_unix_token);
49 return NT_STATUS_NO_MEMORY;
/* one id_map entry per SID; the lookup below fills in xid for each of them */
52 ids = talloc_zero_array(mem_ctx, struct id_map, token->num_sids);
53 NT_STATUS_HAVE_NO_MEMORY(ids);
55 for (s=0; s < token->num_sids; s++) {
56 ids[s].sid = &token->sids[s];
57 ids[s].status = ID_UNKNOWN;
/* a failed lookup is propagated as-is; nothing is mapped to a fallback id */
60 status = wbc_sids_to_xids(ids, token->num_sids);
61 NT_STATUS_NOT_OK_RETURN(status);
/* a BOTH mapping for sids[0] also occupies a groups[] slot, so ngroups
 * depends on its type; the assignments themselves are not visible in this
 * excerpt -- TODO confirm */
64 if (ids[0].xid.type != ID_TYPE_BOTH) {
68 (*sec)->groups = talloc_array(*sec, gid_t, (*sec)->ngroups);
69 NT_STATUS_HAVE_NO_MEMORY((*sec)->groups);
/* sids[0] is the user: BOTH supplies the uid and the first gid entry, UID
 * only the uid; any other type is an authorization error, not a default */
72 if (ids[0].xid.type == ID_TYPE_BOTH) {
73 (*sec)->uid = ids[0].xid.id;
74 (*sec)->groups[g] = ids[0].xid.id;
76 } else if (ids[0].xid.type == ID_TYPE_UID) {
77 (*sec)->uid = ids[0].xid.id;
/* logged at level 0 together with the full token so the rejected SID can
 * be traced by an operator */
79 char *sid_str = dom_sid_string(mem_ctx, ids[0].sid);
80 DEBUG(0, ("Unable to convert first SID (%s) in user token to a UID. Conversion was returned as type %d, full token:\n",
81 sid_str, (int)ids[0].xid.type));
82 security_token_debug(DBGC_AUTH, 0, token);
/* NOTE(review): the talloc_free(sid_str) present in the loop further down
 * is not visible for this branch or the sids[1] branch -- confirm sid_str
 * is released before returning */
84 return NT_STATUS_INVALID_SID;
/* sids[1] is the primary group and also the next groups[] entry */
87 if (ids[1].xid.type == ID_TYPE_BOTH ||
88 ids[1].xid.type == ID_TYPE_GID) {
89 (*sec)->gid = ids[1].xid.id;
90 (*sec)->groups[g] = ids[1].xid.id;
93 char *sid_str = dom_sid_string(mem_ctx, ids[1].sid);
94 DEBUG(0, ("Unable to convert second SID (%s) in user token to a GID. Conversion was returned as type %d, full token:\n",
95 sid_str, (int)ids[1].xid.type));
96 security_token_debug(DBGC_AUTH, 0, token);
98 return NT_STATUS_INVALID_SID;
/* every remaining SID is a supplementary group; g presumably indexes the
 * next free groups[] slot (its increments are not visible in this excerpt) */
101 for (s=2; s < token->num_sids; s++) {
102 if (ids[s].xid.type == ID_TYPE_BOTH ||
103 ids[s].xid.type == ID_TYPE_GID) {
104 (*sec)->groups[g] = ids[s].xid.id;
107 char *sid_str = dom_sid_string(mem_ctx, ids[s].sid);
108 DEBUG(0, ("Unable to convert SID (%s) at index %u in user token to a GID. Conversion was returned as type %d, full token:\n",
109 sid_str, (unsigned int)s, (int)ids[s].xid.type));
110 security_token_debug(DBGC_AUTH, 0, token);
111 talloc_free(sid_str);
112 return NT_STATUS_INVALID_SID;
/* NOTE(review): the other security_token_debug() calls above pass
 * DBGC_AUTH as the debug class; the 0 passed here looks inconsistent */
116 DEBUG(5, ("Successfully converted security token to a unix token:"));
117 security_token_debug(0, 5, token);
Fill in the auth_user_info_unix and auth_unix_token elements in a struct session_info
126 NTSTATUS auth_session_info_fill_unix(struct loadparm_context *lp_ctx,
127 const char *original_user_name,
128 struct auth_session_info *session_info)
132 NTSTATUS status = security_token_to_unix_token(session_info,
133 session_info->security_token,
134 &session_info->unix_token);
135 if (!NT_STATUS_IS_OK(status)) {
139 session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix);
140 NT_STATUS_HAVE_NO_MEMORY(session_info->unix_info);
142 session_info->unix_info->unix_name = talloc_asprintf(session_info->unix_info,
143 "%s%s%s", session_info->info->domain_name,
144 lpcfg_winbind_separator(lp_ctx),
145 session_info->info->account_name);
146 NT_STATUS_HAVE_NO_MEMORY(session_info->unix_info->unix_name);
148 len = strlen(original_user_name) + 1;
149 session_info->unix_info->sanitized_username = su = talloc_array(session_info->unix_info, char, len);
150 NT_STATUS_HAVE_NO_MEMORY(su);
152 alpha_strcpy(su, original_user_name,