2
* Unix SMB/CIFS implementation.
3
* RPC Pipe client / server routines
4
* Copyright (C) Andrew Tridgell 1992-2000,
5
* Copyright (C) Jean Fran�ois Micouleau 1998-2001.
6
* Copyright (C) Volker Lendecke 2006.
7
* Copyright (C) Gerald Carter 2006.
9
* This program is free software; you can redistribute it and/or modify
10
* it under the terms of the GNU General Public License as published by
11
* the Free Software Foundation; either version 3 of the License, or
12
* (at your option) any later version.
14
* This program is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU General Public License for more details.
19
* You should have received a copy of the GNU General Public License
20
* along with this program; if not, see <http://www.gnu.org/licenses/>.
24
#include "groupdb/mapping.h"
26
static const struct mapping_backend *backend;
29
initialise a group mapping backend
31
static bool init_group_mapping(void)
33
const char *backend_string;
35
if (backend != NULL) {
36
/* already initialised */
41
* default to using the ldb backend. This parameter should
42
* disappear in future versions of Samba3.
44
* But it's needed for cluster setups, because it's
45
* not yet possible to distribute a ldb inside a cluster.
47
backend_string = lp_parm_const_string(-1, "groupdb", "backend", "ldb");
49
if (strcmp(backend_string, "ldb") == 0) {
50
backend = groupdb_ldb_init();
51
} else if (strcmp(backend_string, "tdb") == 0) {
52
backend = groupdb_tdb_init();
54
DEBUG(0,("Unknown groupdb backend '%s'\n", backend_string));
55
smb_panic("Unknown groupdb backend");
58
return backend != NULL;
61
/****************************************************************************
62
initialise first time the mapping list
63
****************************************************************************/
64
NTSTATUS add_initial_entry(gid_t gid, const char *sid, enum lsa_SidType sid_name_use, const char *nt_name, const char *comment)
68
if(!init_group_mapping()) {
69
DEBUG(0,("failed to initialize group mapping\n"));
70
return NT_STATUS_UNSUCCESSFUL;
74
if (!string_to_sid(&map.sid, sid)) {
75
DEBUG(0, ("string_to_sid failed: %s", sid));
76
return NT_STATUS_UNSUCCESSFUL;
79
map.sid_name_use=sid_name_use;
80
fstrcpy(map.nt_name, nt_name);
81
fstrcpy(map.comment, comment);
83
return pdb_add_group_mapping_entry(&map);
86
static NTSTATUS alias_memberships(const DOM_SID *members, size_t num_members,
87
DOM_SID **sids, size_t *num)
94
for (i=0; i<num_members; i++) {
95
NTSTATUS status = backend->one_alias_membership(&members[i], sids, num);
96
if (!NT_STATUS_IS_OK(status))
102
struct aliasmem_closure {
103
const DOM_SID *alias;
112
* High level functions
113
* better to use them than the lower ones.
115
* we are checking if the group is in the mapping file
116
* and if the group is an existing unix group
120
/* get a domain group from it's SID */
122
bool get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map)
127
if(!init_group_mapping()) {
128
DEBUG(0,("failed to initialize group mapping\n"));
132
DEBUG(10, ("get_domain_group_from_sid\n"));
134
/* if the group is NOT in the database, it CAN NOT be a domain group */
137
ret = pdb_getgrsid(map, sid);
140
/* special case check for rid 513 */
145
sid_peek_rid( &sid, &rid );
147
if ( rid == DOMAIN_GROUP_RID_USERS ) {
148
fstrcpy( map->nt_name, "None" );
149
fstrcpy( map->comment, "Ordinary Users" );
150
sid_copy( &map->sid, &sid );
151
map->sid_name_use = SID_NAME_DOM_GRP;
152
map->gid = (gid_t)-1;
160
DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n"));
162
/* if it's not a domain group, continue */
163
if (map->sid_name_use!=SID_NAME_DOM_GRP) {
167
DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n"));
173
DEBUG(10, ("get_domain_group_from_sid: SID is mapped to gid:%lu\n",(unsigned long)map->gid));
175
grp = getgrgid(map->gid);
177
DEBUG(10, ("get_domain_group_from_sid: gid DOESN'T exist in UNIX security\n"));
181
DEBUG(10, ("get_domain_group_from_sid: gid exists in UNIX security\n"));
186
/****************************************************************************
187
Create a UNIX group on demand.
188
****************************************************************************/
190
int smb_create_group(const char *unix_group, gid_t *new_gid)
192
char *add_script = NULL;
198
/* defer to scripts */
200
if ( *lp_addgroup_script() ) {
201
TALLOC_CTX *ctx = talloc_tos();
203
add_script = talloc_strdup(ctx,
204
lp_addgroup_script());
208
add_script = talloc_string_sub(ctx,
209
add_script, "%g", unix_group);
214
ret = smbrun(add_script, &fd);
215
DEBUG(ret ? 0 : 3,("smb_create_group: Running the command `%s' gave %d\n",add_script,ret));
217
smb_nscd_flush_group_cache();
226
if (read(fd, output, sizeof(output)) > 0) {
227
*new_gid = (gid_t)strtoul(output, NULL, 10);
236
struct group *grp = getgrnam(unix_group);
239
*new_gid = grp->gr_gid;
245
/****************************************************************************
246
Delete a UNIX group on demand.
247
****************************************************************************/
249
int smb_delete_group(const char *unix_group)
251
char *del_script = NULL;
254
/* defer to scripts */
256
if ( *lp_delgroup_script() ) {
257
TALLOC_CTX *ctx = talloc_tos();
259
del_script = talloc_strdup(ctx,
260
lp_delgroup_script());
264
del_script = talloc_string_sub(ctx,
265
del_script, "%g", unix_group);
269
ret = smbrun(del_script,NULL);
270
DEBUG(ret ? 0 : 3,("smb_delete_group: Running the command `%s' gave %d\n",del_script,ret));
272
smb_nscd_flush_group_cache();
280
/****************************************************************************
281
Set a user's primary UNIX group.
282
****************************************************************************/
284
int smb_set_primary_group(const char *unix_group, const char* unix_user)
286
char *add_script = NULL;
289
/* defer to scripts */
291
if ( *lp_setprimarygroup_script() ) {
292
TALLOC_CTX *ctx = talloc_tos();
294
add_script = talloc_strdup(ctx,
295
lp_setprimarygroup_script());
299
add_script = talloc_all_string_sub(ctx,
300
add_script, "%g", unix_group);
304
add_script = talloc_string_sub(ctx,
305
add_script, "%u", unix_user);
309
ret = smbrun(add_script,NULL);
311
DEBUG(ret ? 0 : 3,("smb_set_primary_group: "
312
"Running the command `%s' gave %d\n",add_script,ret));
314
smb_nscd_flush_group_cache();
322
/****************************************************************************
323
Add a user to a UNIX group.
324
****************************************************************************/
326
int smb_add_user_group(const char *unix_group, const char *unix_user)
328
char *add_script = NULL;
331
/* defer to scripts */
333
if ( *lp_addusertogroup_script() ) {
334
TALLOC_CTX *ctx = talloc_tos();
336
add_script = talloc_strdup(ctx,
337
lp_addusertogroup_script());
341
add_script = talloc_string_sub(ctx,
342
add_script, "%g", unix_group);
346
add_script = talloc_string_sub(ctx,
347
add_script, "%u", unix_user);
351
ret = smbrun(add_script,NULL);
352
DEBUG(ret ? 0 : 3,("smb_add_user_group: Running the command `%s' gave %d\n",add_script,ret));
354
smb_nscd_flush_group_cache();
362
/****************************************************************************
363
Delete a user from a UNIX group
364
****************************************************************************/
366
int smb_delete_user_group(const char *unix_group, const char *unix_user)
368
char *del_script = NULL;
371
/* defer to scripts */
373
if ( *lp_deluserfromgroup_script() ) {
374
TALLOC_CTX *ctx = talloc_tos();
376
del_script = talloc_strdup(ctx,
377
lp_deluserfromgroup_script());
381
del_script = talloc_string_sub(ctx,
382
del_script, "%g", unix_group);
386
del_script = talloc_string_sub(ctx,
387
del_script, "%u", unix_user);
391
ret = smbrun(del_script,NULL);
392
DEBUG(ret ? 0 : 3,("smb_delete_user_group: Running the command `%s' gave %d\n",del_script,ret));
394
smb_nscd_flush_group_cache();
403
NTSTATUS pdb_default_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
406
if (!init_group_mapping()) {
407
DEBUG(0,("failed to initialize group mapping\n"));
408
return NT_STATUS_UNSUCCESSFUL;
410
return backend->get_group_map_from_sid(sid, map) ?
411
NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
414
NTSTATUS pdb_default_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
417
if (!init_group_mapping()) {
418
DEBUG(0,("failed to initialize group mapping\n"));
419
return NT_STATUS_UNSUCCESSFUL;
421
return backend->get_group_map_from_gid(gid, map) ?
422
NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
425
NTSTATUS pdb_default_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
428
if (!init_group_mapping()) {
429
DEBUG(0,("failed to initialize group mapping\n"));
430
return NT_STATUS_UNSUCCESSFUL;
432
return backend->get_group_map_from_ntname(name, map) ?
433
NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
436
NTSTATUS pdb_default_add_group_mapping_entry(struct pdb_methods *methods,
439
if (!init_group_mapping()) {
440
DEBUG(0,("failed to initialize group mapping\n"));
441
return NT_STATUS_UNSUCCESSFUL;
443
return backend->add_mapping_entry(map, TDB_INSERT) ?
444
NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
447
NTSTATUS pdb_default_update_group_mapping_entry(struct pdb_methods *methods,
450
if (!init_group_mapping()) {
451
DEBUG(0,("failed to initialize group mapping\n"));
452
return NT_STATUS_UNSUCCESSFUL;
454
return backend->add_mapping_entry(map, TDB_REPLACE) ?
455
NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
458
NTSTATUS pdb_default_delete_group_mapping_entry(struct pdb_methods *methods,
461
if (!init_group_mapping()) {
462
DEBUG(0,("failed to initialize group mapping\n"));
463
return NT_STATUS_UNSUCCESSFUL;
465
return backend->group_map_remove(&sid) ?
466
NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
469
NTSTATUS pdb_default_enum_group_mapping(struct pdb_methods *methods,
470
const DOM_SID *sid, enum lsa_SidType sid_name_use,
471
GROUP_MAP **pp_rmap, size_t *p_num_entries,
474
if (!init_group_mapping()) {
475
DEBUG(0,("failed to initialize group mapping\n"));
476
return NT_STATUS_UNSUCCESSFUL;
478
return backend->enum_group_mapping(sid, sid_name_use, pp_rmap, p_num_entries, unix_only) ?
479
NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
482
NTSTATUS pdb_default_create_alias(struct pdb_methods *methods,
483
const char *name, uint32 *rid)
486
enum lsa_SidType type;
494
DEBUG(10, ("Trying to create alias %s\n", name));
496
mem_ctx = talloc_new(NULL);
497
if (mem_ctx == NULL) {
498
return NT_STATUS_NO_MEMORY;
501
exists = lookup_name(mem_ctx, name, LOOKUP_NAME_LOCAL,
502
NULL, NULL, &sid, &type);
503
TALLOC_FREE(mem_ctx);
506
return NT_STATUS_ALIAS_EXISTS;
509
if (!winbind_allocate_gid(&gid)) {
510
DEBUG(3, ("Could not get a gid out of winbind\n"));
511
return NT_STATUS_ACCESS_DENIED;
514
if (!pdb_new_rid(&new_rid)) {
515
DEBUG(0, ("Could not allocate a RID -- wasted a gid :-(\n"));
516
return NT_STATUS_ACCESS_DENIED;
519
DEBUG(10, ("Creating alias %s with gid %u and rid %u\n",
520
name, (unsigned int)gid, (unsigned int)new_rid));
522
sid_copy(&sid, get_global_sam_sid());
523
sid_append_rid(&sid, new_rid);
526
sid_copy(&map.sid, &sid);
527
map.sid_name_use = SID_NAME_ALIAS;
528
fstrcpy(map.nt_name, name);
529
fstrcpy(map.comment, "");
531
status = pdb_add_group_mapping_entry(&map);
533
if (!NT_STATUS_IS_OK(status)) {
534
DEBUG(0, ("Could not add group mapping entry for alias %s "
535
"(%s)\n", name, nt_errstr(status)));
544
NTSTATUS pdb_default_delete_alias(struct pdb_methods *methods,
547
return pdb_delete_group_mapping_entry(*sid);
550
NTSTATUS pdb_default_get_aliasinfo(struct pdb_methods *methods,
552
struct acct_info *info)
556
if (!pdb_getgrsid(&map, *sid))
557
return NT_STATUS_NO_SUCH_ALIAS;
559
if ((map.sid_name_use != SID_NAME_ALIAS) &&
560
(map.sid_name_use != SID_NAME_WKN_GRP)) {
561
DEBUG(2, ("%s is a %s, expected an alias\n",
563
sid_type_lookup(map.sid_name_use)));
564
return NT_STATUS_NO_SUCH_ALIAS;
567
fstrcpy(info->acct_name, map.nt_name);
568
fstrcpy(info->acct_desc, map.comment);
569
sid_peek_rid(&map.sid, &info->rid);
573
NTSTATUS pdb_default_set_aliasinfo(struct pdb_methods *methods,
575
struct acct_info *info)
579
if (!pdb_getgrsid(&map, *sid))
580
return NT_STATUS_NO_SUCH_ALIAS;
582
fstrcpy(map.nt_name, info->acct_name);
583
fstrcpy(map.comment, info->acct_desc);
585
return pdb_update_group_mapping_entry(&map);
588
NTSTATUS pdb_default_add_aliasmem(struct pdb_methods *methods,
589
const DOM_SID *alias, const DOM_SID *member)
591
if (!init_group_mapping()) {
592
DEBUG(0,("failed to initialize group mapping\n"));
593
return NT_STATUS_UNSUCCESSFUL;
595
return backend->add_aliasmem(alias, member);
598
NTSTATUS pdb_default_del_aliasmem(struct pdb_methods *methods,
599
const DOM_SID *alias, const DOM_SID *member)
601
if (!init_group_mapping()) {
602
DEBUG(0,("failed to initialize group mapping\n"));
603
return NT_STATUS_UNSUCCESSFUL;
605
return backend->del_aliasmem(alias, member);
608
NTSTATUS pdb_default_enum_aliasmem(struct pdb_methods *methods,
609
const DOM_SID *alias, DOM_SID **pp_members,
610
size_t *p_num_members)
612
if (!init_group_mapping()) {
613
DEBUG(0,("failed to initialize group mapping\n"));
614
return NT_STATUS_UNSUCCESSFUL;
616
return backend->enum_aliasmem(alias, pp_members, p_num_members);
619
NTSTATUS pdb_default_alias_memberships(struct pdb_methods *methods,
621
const DOM_SID *domain_sid,
622
const DOM_SID *members,
624
uint32 **pp_alias_rids,
625
size_t *p_num_alias_rids)
628
size_t i, num_alias_sids;
631
if (!init_group_mapping()) {
632
DEBUG(0,("failed to initialize group mapping\n"));
633
return NT_STATUS_UNSUCCESSFUL;
639
result = alias_memberships(members, num_members,
640
&alias_sids, &num_alias_sids);
642
if (!NT_STATUS_IS_OK(result))
645
*p_num_alias_rids = 0;
647
if (num_alias_sids == 0) {
648
TALLOC_FREE(alias_sids);
652
*pp_alias_rids = TALLOC_ARRAY(mem_ctx, uint32, num_alias_sids);
653
if (*pp_alias_rids == NULL)
654
return NT_STATUS_NO_MEMORY;
656
for (i=0; i<num_alias_sids; i++) {
657
if (!sid_peek_check_rid(domain_sid, &alias_sids[i],
658
&(*pp_alias_rids)[*p_num_alias_rids]))
660
*p_num_alias_rids += 1;
663
TALLOC_FREE(alias_sids);
668
/**********************************************************************
669
no ops for passdb backends that don't implement group mapping
670
*********************************************************************/
672
NTSTATUS pdb_nop_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
675
return NT_STATUS_UNSUCCESSFUL;
678
NTSTATUS pdb_nop_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
681
return NT_STATUS_UNSUCCESSFUL;
684
NTSTATUS pdb_nop_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
687
return NT_STATUS_UNSUCCESSFUL;
690
NTSTATUS pdb_nop_add_group_mapping_entry(struct pdb_methods *methods,
693
return NT_STATUS_UNSUCCESSFUL;
696
NTSTATUS pdb_nop_update_group_mapping_entry(struct pdb_methods *methods,
699
return NT_STATUS_UNSUCCESSFUL;
702
NTSTATUS pdb_nop_delete_group_mapping_entry(struct pdb_methods *methods,
705
return NT_STATUS_UNSUCCESSFUL;
708
NTSTATUS pdb_nop_enum_group_mapping(struct pdb_methods *methods,
709
enum lsa_SidType sid_name_use,
710
GROUP_MAP **rmap, size_t *num_entries,
713
return NT_STATUS_UNSUCCESSFUL;
716
/****************************************************************************
717
These need to be redirected through pdb_interface.c
718
****************************************************************************/
719
bool pdb_get_dom_grp_info(const DOM_SID *sid, struct acct_info *info)
725
res = get_domain_group_from_sid(*sid, &map);
731
fstrcpy(info->acct_name, map.nt_name);
732
fstrcpy(info->acct_desc, map.comment);
733
sid_peek_rid(sid, &info->rid);
737
bool pdb_set_dom_grp_info(const DOM_SID *sid, const struct acct_info *info)
741
if (!get_domain_group_from_sid(*sid, &map))
744
fstrcpy(map.nt_name, info->acct_name);
745
fstrcpy(map.comment, info->acct_desc);
747
return NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map));
750
/********************************************************************
751
Really just intended to be called by smbd
752
********************************************************************/
754
NTSTATUS pdb_create_builtin_alias(uint32 rid)
757
enum lsa_SidType type;
762
const char *name = NULL;
765
DEBUG(10, ("Trying to create builtin alias %d\n", rid));
767
if ( !sid_compose( &sid, &global_sid_Builtin, rid ) ) {
768
return NT_STATUS_NO_SUCH_ALIAS;
771
if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
772
return NT_STATUS_NO_MEMORY;
775
if ( !lookup_sid(mem_ctx, &sid, NULL, &name, &type) ) {
776
TALLOC_FREE( mem_ctx );
777
return NT_STATUS_NO_SUCH_ALIAS;
780
/* validate RID so copy the name and move on */
782
fstrcpy( groupname, name );
783
TALLOC_FREE( mem_ctx );
785
if (!winbind_allocate_gid(&gid)) {
786
DEBUG(3, ("pdb_create_builtin_alias: Could not get a gid out of winbind\n"));
787
return NT_STATUS_ACCESS_DENIED;
790
DEBUG(10,("Creating alias %s with gid %u\n", groupname, (unsigned int)gid));
793
sid_copy(&map.sid, &sid);
794
map.sid_name_use = SID_NAME_ALIAS;
795
fstrcpy(map.nt_name, groupname);
796
fstrcpy(map.comment, "");
798
status = pdb_add_group_mapping_entry(&map);
800
if (!NT_STATUS_IS_OK(status)) {
801
DEBUG(0, ("pdb_create_builtin_alias: Could not add group mapping entry for alias %d "
802
"(%s)\n", rid, nt_errstr(status)));