2
Unix SMB/CIFS implementation.
4
Winbind rpc backend functions
6
Copyright (C) Tim Potter 2000-2001,2003
7
Copyright (C) Simo Sorce 2003
8
Copyright (C) Volker Lendecke 2004
10
This program is free software; you can redistribute it and/or modify
11
it under the terms of the GNU General Public License as published by
12
the Free Software Foundation; either version 2 of the License, or
13
(at your option) any later version.
15
This program is distributed in the hope that it will be useful,
16
but WITHOUT ANY WARRANTY; without even the implied warranty of
17
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18
GNU General Public License for more details.
20
You should have received a copy of the GNU General Public License
21
along with this program; if not, write to the Free Software
22
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
29
#define DBGC_CLASS DBGC_WINBIND
31
static void add_member(const char *domain, const char *user,
32
char **pp_members, size_t *p_num_members)
36
fill_domain_username(name, domain, user, True);
37
safe_strcat(name, ",", sizeof(name)-1);
38
string_append(pp_members, name);
42
/**********************************************************************
43
Add member users resulting from sid. Expand if it is a domain group.
44
**********************************************************************/
46
static void add_expanded_sid(const DOM_SID *sid, char **pp_members, size_t *p_num_members)
50
struct winbindd_domain *domain;
53
char *domain_name = NULL;
55
enum SID_NAME_USE type;
64
TALLOC_CTX *mem_ctx = talloc_init("add_expanded_sid");
66
if (mem_ctx == NULL) {
67
DEBUG(1, ("talloc_init failed\n"));
71
sid_copy(&dom_sid, sid);
72
sid_split_rid(&dom_sid, &rid);
74
domain = find_lookup_domain_from_sid(sid);
77
DEBUG(3, ("Could not find domain for sid %s\n",
78
sid_string_static(sid)));
82
result = domain->methods->sid_to_name(domain, mem_ctx, sid,
83
&domain_name, &name, &type);
85
if (!NT_STATUS_IS_OK(result)) {
86
DEBUG(3, ("sid_to_name failed for sid %s\n",
87
sid_string_static(sid)));
91
DEBUG(10, ("Found name %s, type %d\n", name, type));
93
if (type == SID_NAME_USER) {
94
add_member(domain_name, name, pp_members, p_num_members);
98
if (type != SID_NAME_DOM_GRP) {
99
DEBUG(10, ("Alias member %s neither user nor group, ignore\n",
104
/* Expand the domain group, this must be done via the target domain */
106
domain = find_domain_from_sid(sid);
108
if (domain == NULL) {
109
DEBUG(3, ("Could not find domain from SID %s\n",
110
sid_string_static(sid)));
114
result = domain->methods->lookup_groupmem(domain, mem_ctx,
119
if (!NT_STATUS_IS_OK(result)) {
120
DEBUG(10, ("Could not lookup group members for %s: %s\n",
121
name, nt_errstr(result)));
125
for (i=0; i<num_names; i++) {
126
DEBUG(10, ("Adding group member SID %s\n",
127
sid_string_static(&sid_mem[i])));
129
if (types[i] != SID_NAME_USER) {
130
DEBUG(1, ("Hmmm. Member %s of group %s is no user. "
131
"Ignoring.\n", names[i], name));
135
add_member(domain->name, names[i], pp_members, p_num_members);
139
talloc_destroy(mem_ctx);
143
BOOL fill_passdb_alias_grmem(struct winbindd_domain *domain,
145
size_t *num_gr_mem, char **gr_mem, size_t *gr_mem_len)
148
size_t i, num_members;
154
if (!NT_STATUS_IS_OK(pdb_enum_aliasmem(group_sid, &members,
158
for (i=0; i<num_members; i++) {
159
add_expanded_sid(&members[i], gr_mem, num_gr_mem);
164
if (*gr_mem != NULL) {
167
/* We have at least one member, strip off the last "," */
168
len = strlen(*gr_mem);
169
(*gr_mem)[len-1] = '\0';
176
/* Query display info for a domain. This returns enough information plus a
177
bit extra to give an overview of domain users for the User Manager
179
static NTSTATUS query_user_list(struct winbindd_domain *domain,
182
WINBIND_USERINFO **info)
184
/* We don't have users */
190
/* list all domain groups */
191
static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
194
struct acct_info **info)
196
/* We don't have domain groups */
202
/* List all domain groups */
204
static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
207
struct acct_info **info)
209
struct pdb_search *search;
210
struct samr_displayentry *aliases;
212
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
214
search = pdb_search_aliases(&domain->sid);
215
if (search == NULL) goto done;
217
*num_entries = pdb_search_entries(search, 0, 0xffffffff, &aliases);
218
if (*num_entries == 0) goto done;
220
*info = TALLOC_ARRAY(mem_ctx, struct acct_info, *num_entries);
222
result = NT_STATUS_NO_MEMORY;
226
for (i=0; i<*num_entries; i++) {
227
fstrcpy((*info)[i].acct_name, aliases[i].account_name);
228
fstrcpy((*info)[i].acct_desc, aliases[i].description);
229
(*info)[i].rid = aliases[i].rid;
232
result = NT_STATUS_OK;
234
pdb_search_destroy(search);
238
/* convert a single name to a sid in a domain */
239
static NTSTATUS name_to_sid(struct winbindd_domain *domain,
241
const char *domain_name,
244
enum SID_NAME_USE *type)
246
DEBUG(10, ("Finding name %s\n", name));
248
if ( !lookup_name( mem_ctx, name, LOOKUP_NAME_ALL,
249
NULL, NULL, sid, type ) )
251
return NT_STATUS_NONE_MAPPED;
258
convert a domain SID to a user or group name
260
static NTSTATUS sid_to_name(struct winbindd_domain *domain,
265
enum SID_NAME_USE *type)
267
const char *dom, *nam;
269
DEBUG(10, ("Converting SID %s\n", sid_string_static(sid)));
272
if (!sid_check_is_in_builtin(sid) &&
273
!sid_check_is_in_our_domain(sid)) {
274
DEBUG(0, ("Possible deadlock: Trying to lookup SID %s with "
275
"passdb backend\n", sid_string_static(sid)));
276
return NT_STATUS_NONE_MAPPED;
279
if (!lookup_sid(mem_ctx, sid, &dom, &nam, type)) {
280
return NT_STATUS_NONE_MAPPED;
283
*domain_name = talloc_strdup(mem_ctx, dom);
284
*name = talloc_strdup(mem_ctx, nam);
289
static NTSTATUS rids_to_names(struct winbindd_domain *domain,
296
enum SID_NAME_USE **types)
298
return NT_STATUS_UNSUCCESSFUL;
301
/* Lookup user information from a rid or username. */
302
static NTSTATUS query_user(struct winbindd_domain *domain,
304
const DOM_SID *user_sid,
305
WINBIND_USERINFO *user_info)
307
return NT_STATUS_NO_SUCH_USER;
310
/* Lookup groups a user is a member of. I wish Unix had a call like this! */
311
static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
313
const DOM_SID *user_sid,
314
uint32 *num_groups, DOM_SID **user_gids)
317
DOM_SID *groups = NULL;
322
if ( (user = samu_new(mem_ctx)) == NULL ) {
323
return NT_STATUS_NO_MEMORY;
326
if ( !pdb_getsampwsid( user, user_sid ) ) {
327
return NT_STATUS_NO_SUCH_USER;
330
result = pdb_enum_group_memberships( mem_ctx, user, &groups, &gids, &ngroups );
334
*num_groups = (uint32)ngroups;
340
static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
342
uint32 num_sids, const DOM_SID *sids,
343
uint32 *p_num_aliases, uint32 **rids)
346
size_t num_aliases = 0;
348
result = pdb_enum_alias_memberships(mem_ctx, &domain->sid,
349
sids, num_sids, rids, &num_aliases);
351
*p_num_aliases = num_aliases;
355
/* Lookup group membership given a rid. */
356
static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
358
const DOM_SID *group_sid, uint32 *num_names,
359
DOM_SID **sid_mem, char ***names,
362
size_t i, num_members, num_mapped;
365
const DOM_SID **sids;
366
struct lsa_dom_info *lsa_domains;
367
struct lsa_name_info *lsa_names;
370
if (!sid_check_is_in_our_domain(group_sid)) {
371
/* There's no groups, only aliases in BUILTIN */
372
return NT_STATUS_NO_SUCH_GROUP;
375
if (!(tmp_ctx = talloc_init("lookup_groupmem"))) {
376
return NT_STATUS_NO_MEMORY;
379
result = pdb_enum_group_members(tmp_ctx, group_sid, &rids,
381
if (!NT_STATUS_IS_OK(result)) {
382
TALLOC_FREE(tmp_ctx);
386
if (num_members == 0) {
391
TALLOC_FREE(tmp_ctx);
395
*sid_mem = TALLOC_ARRAY(mem_ctx, DOM_SID, num_members);
396
*names = TALLOC_ARRAY(mem_ctx, char *, num_members);
397
*name_types = TALLOC_ARRAY(mem_ctx, uint32, num_members);
398
sids = TALLOC_ARRAY(tmp_ctx, const DOM_SID *, num_members);
400
if (((*sid_mem) == NULL) || ((*names) == NULL) ||
401
((*name_types) == NULL) || (sids == NULL)) {
402
TALLOC_FREE(tmp_ctx);
403
return NT_STATUS_NO_MEMORY;
407
* Prepare an array of sid pointers for the lookup_sids calling
411
for (i=0; i<num_members; i++) {
412
DOM_SID *sid = &((*sid_mem)[i]);
413
if (!sid_compose(sid, &domain->sid, rids[i])) {
414
TALLOC_FREE(tmp_ctx);
415
return NT_STATUS_INTERNAL_ERROR;
420
result = lookup_sids(tmp_ctx, num_members, sids, 1,
421
&lsa_domains, &lsa_names);
422
if (!NT_STATUS_IS_OK(result)) {
423
TALLOC_FREE(tmp_ctx);
428
for (i=0; i<num_members; i++) {
429
if (lsa_names[i].type != SID_NAME_USER) {
430
DEBUG(2, ("Got %s as group member -- ignoring\n",
431
sid_type_lookup(lsa_names[i].type)));
434
if (!((*names)[i] = talloc_strdup((*names),
435
lsa_names[i].name))) {
436
TALLOC_FREE(tmp_ctx);
437
return NT_STATUS_NO_MEMORY;
440
(*name_types)[i] = lsa_names[i].type;
445
*num_names = num_mapped;
447
TALLOC_FREE(tmp_ctx);
451
/* find the sequence number for a domain */
452
static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
457
result = pdb_get_seq_num(&seq_num);
462
*seq = (int) seq_num;
467
static NTSTATUS lockout_policy(struct winbindd_domain *domain,
469
SAM_UNK_INFO_12 *policy)
471
/* actually we have that */
472
return NT_STATUS_NOT_IMPLEMENTED;
475
static NTSTATUS password_policy(struct winbindd_domain *domain,
477
SAM_UNK_INFO_1 *policy)
479
uint32 min_pass_len,pass_hist,password_properties;
480
time_t u_expire, u_min_age;
481
NTTIME nt_expire, nt_min_age;
482
uint32 account_policy_temp;
484
if ((policy = TALLOC_ZERO_P(mem_ctx, SAM_UNK_INFO_1)) == NULL) {
485
return NT_STATUS_NO_MEMORY;
488
if (!pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp)) {
489
return NT_STATUS_ACCESS_DENIED;
491
min_pass_len = account_policy_temp;
493
if (!pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp)) {
494
return NT_STATUS_ACCESS_DENIED;
496
pass_hist = account_policy_temp;
498
if (!pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp)) {
499
return NT_STATUS_ACCESS_DENIED;
501
password_properties = account_policy_temp;
503
if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp)) {
504
return NT_STATUS_ACCESS_DENIED;
506
u_expire = account_policy_temp;
508
if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp)) {
509
return NT_STATUS_ACCESS_DENIED;
511
u_min_age = account_policy_temp;
513
unix_to_nt_time_abs(&nt_expire, u_expire);
514
unix_to_nt_time_abs(&nt_min_age, u_min_age);
516
init_unk_info1(policy, (uint16)min_pass_len, (uint16)pass_hist,
517
password_properties, nt_expire, nt_min_age);
522
/* get a list of trusted domains */
523
static NTSTATUS trusted_domains(struct winbindd_domain *domain,
531
struct trustdom_info **domains;
540
if (!(tmp_ctx = talloc_init("trusted_domains"))) {
541
return NT_STATUS_NO_MEMORY;
544
nt_status = secrets_trusted_domains(tmp_ctx, num_domains,
546
if (!NT_STATUS_IS_OK(nt_status)) {
547
TALLOC_FREE(tmp_ctx);
551
*names = TALLOC_ARRAY(mem_ctx, char *, *num_domains);
552
*alt_names = TALLOC_ARRAY(mem_ctx, char *, *num_domains);
553
*dom_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_domains);
555
if ((*alt_names == NULL) || (*names == NULL) || (*dom_sids == NULL)) {
556
TALLOC_FREE(tmp_ctx);
557
return NT_STATUS_NO_MEMORY;
560
for (i=0; i<*num_domains; i++) {
561
(*alt_names)[i] = NULL;
562
if (!((*names)[i] = talloc_strdup((*names),
563
domains[i]->name))) {
564
TALLOC_FREE(tmp_ctx);
565
return NT_STATUS_NO_MEMORY;
567
sid_copy(&(*dom_sids)[i], &domains[i]->sid);
570
TALLOC_FREE(tmp_ctx);
574
/* the rpc backend methods are exposed via this structure */
575
struct winbindd_methods passdb_methods = {
added
removed
source/nsswitch/winbindd_passdb.c
