2009-02-01 18:08:45 +03:00
/*
2004-04-07 11:20:53 +04:00
Unix SMB / CIFS implementation .
2004-11-17 17:35:29 +03:00
Samba utility functions
2004-11-18 01:12:46 +03:00
Copyright ( C ) Stefan ( metze ) Metzmacher 2002 - 2004
2004-11-17 17:35:29 +03:00
Copyright ( C ) Andrew Tridgell 1992 - 2004
Copyright ( C ) Jeremy Allison 1999
2009-02-01 18:08:45 +03:00
2004-04-07 11:20:53 +04:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2004-04-07 11:20:53 +04:00
( at your option ) any later version .
2009-02-01 18:08:45 +03:00
2004-04-07 11:20:53 +04:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2009-02-01 18:08:45 +03:00
2004-04-07 11:20:53 +04:00
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2004-04-07 11:20:53 +04:00
*/
# include "includes.h"
2006-03-18 18:42:57 +03:00
# include "librpc/gen_ndr/security.h"
2009-02-14 19:42:51 +03:00
# include "dom_sid.h"
2004-11-17 17:35:29 +03:00
/*****************************************************************
Compare the auth portion of two sids .
2009-02-01 18:08:45 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-11-17 17:35:29 +03:00
2009-02-01 18:08:45 +03:00
static int dom_sid_compare_auth ( const struct dom_sid * sid1 ,
const struct dom_sid * sid2 )
2004-11-17 17:35:29 +03:00
{
int i ;
if ( sid1 = = sid2 )
return 0 ;
if ( ! sid1 )
return - 1 ;
if ( ! sid2 )
return 1 ;
if ( sid1 - > sid_rev_num ! = sid2 - > sid_rev_num )
return sid1 - > sid_rev_num - sid2 - > sid_rev_num ;
for ( i = 0 ; i < 6 ; i + + )
if ( sid1 - > id_auth [ i ] ! = sid2 - > id_auth [ i ] )
return sid1 - > id_auth [ i ] - sid2 - > id_auth [ i ] ;
return 0 ;
}
/*****************************************************************
Compare two sids .
2009-02-01 18:08:45 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-11-17 17:35:29 +03:00
2008-12-22 01:05:35 +03:00
int dom_sid_compare ( const struct dom_sid * sid1 , const struct dom_sid * sid2 )
2004-11-17 17:35:29 +03:00
{
int i ;
if ( sid1 = = sid2 )
return 0 ;
if ( ! sid1 )
return - 1 ;
if ( ! sid2 )
return 1 ;
/* Compare most likely different rids, first: i.e start at end */
if ( sid1 - > num_auths ! = sid2 - > num_auths )
return sid1 - > num_auths - sid2 - > num_auths ;
for ( i = sid1 - > num_auths - 1 ; i > = 0 ; - - i )
if ( sid1 - > sub_auths [ i ] ! = sid2 - > sub_auths [ i ] )
return sid1 - > sub_auths [ i ] - sid2 - > sub_auths [ i ] ;
return dom_sid_compare_auth ( sid1 , sid2 ) ;
}
/*****************************************************************
Compare two sids .
2009-02-01 18:08:45 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-11-17 17:35:29 +03:00
2007-09-08 17:27:14 +04:00
bool dom_sid_equal ( const struct dom_sid * sid1 , const struct dom_sid * sid2 )
2004-11-17 17:35:29 +03:00
{
return dom_sid_compare ( sid1 , sid2 ) = = 0 ;
}
2004-04-07 11:20:53 +04:00
2010-09-04 08:09:17 +04:00
/*****************************************************************
Add a rid to the end of a sid
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-01-25 18:44:38 +03:00
2010-09-04 08:09:17 +04:00
bool sid_append_rid ( struct dom_sid * sid , uint32_t rid )
2004-04-07 11:20:53 +04:00
{
2010-09-04 08:09:17 +04:00
if ( sid - > num_auths < ARRAY_SIZE ( sid - > sub_auths ) ) {
sid - > sub_auths [ sid - > num_auths + + ] = rid ;
return true ;
}
return false ;
}
/*****************************************************************
Convert a string to a SID . Returns True on success , False on fail .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2009-02-01 18:08:45 +03:00
2010-09-04 08:09:17 +04:00
bool string_to_sid ( struct dom_sid * sidout , const char * sidstr )
{
const char * p ;
char * q ;
/* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
uint32_t conv ;
if ( ( sidstr [ 0 ] ! = ' S ' & & sidstr [ 0 ] ! = ' s ' ) | | sidstr [ 1 ] ! = ' - ' ) {
goto format_error ;
2004-04-07 11:20:53 +04:00
}
2010-09-04 08:09:17 +04:00
ZERO_STRUCTP ( sidout ) ;
2004-04-07 11:20:53 +04:00
2010-09-04 08:09:17 +04:00
/* Get the revision number. */
p = sidstr + 2 ;
if ( ! isdigit ( * p ) ) {
goto format_error ;
2004-04-07 11:20:53 +04:00
}
2010-09-04 08:09:17 +04:00
conv = ( uint32_t ) strtoul ( p , & q , 10 ) ;
if ( ! q | | ( * q ! = ' - ' ) ) {
goto format_error ;
2004-04-07 11:20:53 +04:00
}
2010-09-04 08:09:17 +04:00
sidout - > sid_rev_num = ( uint8_t ) conv ;
q + + ;
2004-04-07 11:20:53 +04:00
2010-09-04 08:09:17 +04:00
if ( ! isdigit ( * q ) ) {
goto format_error ;
2004-04-07 11:20:53 +04:00
}
2010-09-04 08:09:17 +04:00
/* get identauth */
conv = ( uint32_t ) strtoul ( q , & q , 10 ) ;
if ( ! q ) {
goto format_error ;
} else if ( * q = = ' \0 ' ) {
/* Just id_auth, no subauths */
} else if ( * q ! = ' - ' ) {
goto format_error ;
}
/* identauth in decimal should be < 2^32 */
/* NOTE - the conv value is in big-endian format. */
sidout - > id_auth [ 0 ] = 0 ;
sidout - > id_auth [ 1 ] = 0 ;
sidout - > id_auth [ 2 ] = ( conv & 0xff000000 ) > > 24 ;
sidout - > id_auth [ 3 ] = ( conv & 0x00ff0000 ) > > 16 ;
sidout - > id_auth [ 4 ] = ( conv & 0x0000ff00 ) > > 8 ;
sidout - > id_auth [ 5 ] = ( conv & 0x000000ff ) ;
sidout - > num_auths = 0 ;
if ( * q = = ' \0 ' ) {
return true ;
}
q + + ;
while ( true ) {
char * end ;
if ( ! isdigit ( * q ) ) {
goto format_error ;
}
conv = strtoul ( q , & end , 10 ) ;
if ( end = = q ) {
goto format_error ;
2004-04-07 11:20:53 +04:00
}
2010-09-04 08:09:17 +04:00
if ( ! sid_append_rid ( sidout , conv ) ) {
DEBUG ( 3 , ( " Too many sid auths in %s \n " , sidstr ) ) ;
2008-12-21 23:10:40 +03:00
return false ;
2004-04-07 11:20:53 +04:00
}
2010-09-04 08:09:17 +04:00
q = end ;
if ( * q = = ' \0 ' ) {
break ;
}
if ( * q ! = ' - ' ) {
goto format_error ;
}
q + = 1 ;
}
2008-12-21 23:10:40 +03:00
return true ;
2010-09-04 08:09:17 +04:00
format_error :
DEBUG ( 3 , ( " string_to_sid: SID %s is not in a valid format \n " , sidstr ) ) ;
return false ;
}
bool dom_sid_parse ( const char * sidstr , struct dom_sid * ret )
{
return string_to_sid ( ret , sidstr ) ;
2008-12-21 23:10:40 +03:00
}
/*
convert a string to a dom_sid , returning a talloc ' d dom_sid
*/
struct dom_sid * dom_sid_parse_talloc ( TALLOC_CTX * mem_ctx , const char * sidstr )
{
struct dom_sid * ret ;
ret = talloc ( mem_ctx , struct dom_sid ) ;
if ( ! ret ) {
return NULL ;
}
if ( ! dom_sid_parse ( sidstr , ret ) ) {
talloc_free ( ret ) ;
return NULL ;
}
2004-04-07 11:20:53 +04:00
return ret ;
2008-08-21 13:24:58 +04:00
}
/*
convert a string to a dom_sid , returning a talloc ' d dom_sid
*/
struct dom_sid * dom_sid_parse_length ( TALLOC_CTX * mem_ctx , const DATA_BLOB * sid )
{
struct dom_sid * ret ;
2008-12-19 07:23:58 +03:00
char * p = talloc_strndup ( mem_ctx , ( char * ) sid - > data , sid - > length ) ;
2008-08-21 13:24:58 +04:00
if ( ! p ) {
return NULL ;
}
ret = dom_sid_parse_talloc ( mem_ctx , p ) ;
talloc_free ( p ) ;
return ret ;
2004-04-07 11:20:53 +04:00
}
2004-06-07 12:54:49 +04:00
/*
2004-11-18 04:02:27 +03:00
copy a dom_sid structure
2004-06-07 12:54:49 +04:00
*/
2004-11-17 17:35:29 +03:00
struct dom_sid * dom_sid_dup ( TALLOC_CTX * mem_ctx , const struct dom_sid * dom_sid )
2004-06-07 12:54:49 +04:00
{
struct dom_sid * ret ;
int i ;
2009-02-01 18:08:45 +03:00
r12858: This moves the libnet_LookupPdc code to use a GetDC request to find
the remote server's name, or in the absence of a local nbt_server to
communicate with (or without root access), a node status request.
The result is that we are in a better position to use kerberos, as well
as to remove the 'password server' mandatory parameter for the samsync
and samdump commands. (I need this to put these into SWAT).
The only problem I have is that I must create a messaging context, which
requires a server ID. As a client process, I don't expect to get
messages, but it is currently required for replies, so I generate a
random() number. We probably need the servers to accept connections on
streamed sockets too, for client-only tasks that want IRPC.
Because I wanted to test this code, I have put the NET-API-* tests into
our test scripts, to ensure they pass and keep passing. They are good
frontends onto the libnet system, and I see no reason not to test them.
In doing so the NET-API-RPCCONNECT test was simplified to take a
binding string on the command line, removing duplicate code, and
testing the combinations in the scripts instead.
(I have done a bit of work on the list shares code in libnet_share.c
to make it pass 'make test')
In the future, I would like to extend the libcli/findds.c code (based
off volker's winbind/wb_async_helpers.c, which is why it shows up a bit
odd in the patch) to handle getting multiple name replies, sending a
getdc request to each in turn.
(posted to samba-technical for review, and I'll happily update with
any comments)
Andrew Bartlett
(This used to be commit 7ccddfd3515fc2c0d6f447c768ccbf7a220c3380)
2006-01-12 06:02:00 +03:00
if ( ! dom_sid ) {
return NULL ;
}
2005-01-27 10:08:20 +03:00
ret = talloc ( mem_ctx , struct dom_sid ) ;
2004-06-07 12:54:49 +04:00
if ( ! ret ) {
return NULL ;
}
ret - > sid_rev_num = dom_sid - > sid_rev_num ;
ret - > id_auth [ 0 ] = dom_sid - > id_auth [ 0 ] ;
ret - > id_auth [ 1 ] = dom_sid - > id_auth [ 1 ] ;
ret - > id_auth [ 2 ] = dom_sid - > id_auth [ 2 ] ;
ret - > id_auth [ 3 ] = dom_sid - > id_auth [ 3 ] ;
ret - > id_auth [ 4 ] = dom_sid - > id_auth [ 4 ] ;
ret - > id_auth [ 5 ] = dom_sid - > id_auth [ 5 ] ;
ret - > num_auths = dom_sid - > num_auths ;
for ( i = 0 ; i < dom_sid - > num_auths ; i + + ) {
ret - > sub_auths [ i ] = dom_sid - > sub_auths [ i ] ;
}
return ret ;
}
2004-10-29 12:31:27 +04:00
/*
2004-11-29 06:19:28 +03:00
add a rid to a domain dom_sid to make a full dom_sid . This function
2008-12-12 21:52:06 +03:00
returns a new sid in the supplied memory context
2004-10-29 12:31:27 +04:00
*/
2009-02-01 18:08:45 +03:00
struct dom_sid * dom_sid_add_rid ( TALLOC_CTX * mem_ctx ,
const struct dom_sid * domain_sid ,
2004-10-29 12:31:27 +04:00
uint32_t rid )
{
struct dom_sid * sid ;
2005-01-27 10:08:20 +03:00
sid = talloc ( mem_ctx , struct dom_sid ) ;
2004-10-29 12:31:27 +04:00
if ( ! sid ) return NULL ;
* sid = * domain_sid ;
2004-11-29 06:19:28 +03:00
2004-10-29 12:31:27 +04:00
sid - > sub_auths [ sid - > num_auths ] = rid ;
sid - > num_auths + + ;
2004-11-29 06:19:28 +03:00
2004-10-29 12:31:27 +04:00
return sid ;
}
2004-11-26 15:30:39 +03:00
2006-07-17 12:05:02 +04:00
/*
Split up a SID into its domain and RID part
*/
NTSTATUS dom_sid_split_rid ( TALLOC_CTX * mem_ctx , const struct dom_sid * sid ,
struct dom_sid * * domain , uint32_t * rid )
{
if ( sid - > num_auths = = 0 ) {
return NT_STATUS_INVALID_PARAMETER ;
}
2007-02-13 12:27:56 +03:00
if ( domain ) {
if ( ! ( * domain = dom_sid_dup ( mem_ctx , sid ) ) ) {
return NT_STATUS_NO_MEMORY ;
}
( * domain ) - > num_auths - = 1 ;
}
if ( rid ) {
* rid = sid - > sub_auths [ sid - > num_auths - 1 ] ;
2006-07-17 12:05:02 +04:00
}
return NT_STATUS_OK ;
}
2004-11-26 15:30:39 +03:00
/*
2007-10-07 02:28:14 +04:00
return true if the 2 nd sid is in the domain given by the first sid
2004-11-26 15:30:39 +03:00
*/
2009-02-01 18:08:45 +03:00
bool dom_sid_in_domain ( const struct dom_sid * domain_sid ,
2004-11-26 15:30:39 +03:00
const struct dom_sid * sid )
{
int i ;
if ( ! domain_sid | | ! sid ) {
2007-10-07 02:28:14 +04:00
return false ;
2004-11-26 15:30:39 +03:00
}
if ( domain_sid - > num_auths > sid - > num_auths ) {
2007-10-07 02:28:14 +04:00
return false ;
2004-11-26 15:30:39 +03:00
}
for ( i = domain_sid - > num_auths - 1 ; i > = 0 ; - - i ) {
if ( domain_sid - > sub_auths [ i ] ! = sid - > sub_auths [ i ] ) {
2007-10-07 02:28:14 +04:00
return false ;
2004-11-26 15:30:39 +03:00
}
}
return dom_sid_compare_auth ( domain_sid , sid ) = = 0 ;
}
2006-04-29 21:34:49 +04:00
/*
convert a dom_sid to a string
*/
char * dom_sid_string ( TALLOC_CTX * mem_ctx , const struct dom_sid * sid )
{
int i , ofs , maxlen ;
uint32_t ia ;
char * ret ;
2009-02-01 18:08:45 +03:00
2006-04-29 21:34:49 +04:00
if ( ! sid ) {
return talloc_strdup ( mem_ctx , " (NULL SID) " ) ;
}
maxlen = sid - > num_auths * 11 + 25 ;
2007-09-07 19:08:14 +04:00
ret = talloc_array ( mem_ctx , char , maxlen ) ;
2006-04-29 21:34:49 +04:00
if ( ! ret ) return talloc_strdup ( mem_ctx , " (SID ERR) " ) ;
ia = ( sid - > id_auth [ 5 ] ) +
( sid - > id_auth [ 4 ] < < 8 ) +
( sid - > id_auth [ 3 ] < < 16 ) +
( sid - > id_auth [ 2 ] < < 24 ) ;
2009-02-01 18:08:45 +03:00
ofs = snprintf ( ret , maxlen , " S-%u-%lu " ,
2006-05-05 17:02:14 +04:00
( unsigned int ) sid - > sid_rev_num , ( unsigned long ) ia ) ;
2006-04-29 21:34:49 +04:00
for ( i = 0 ; i < sid - > num_auths ; i + + ) {
2009-02-01 18:08:45 +03:00
ofs + = snprintf ( ret + ofs , maxlen - ofs , " -%lu " ,
( unsigned long ) sid - > sub_auths [ i ] ) ;
2006-04-29 21:34:49 +04:00
}
2009-02-01 18:08:45 +03:00
2006-04-29 21:34:49 +04:00
return ret ;
}