2022-04-26 08:10:56 +03:00
/*
2003-08-28 00:52:56 +04:00
Unix SMB / CIFS implementation .
uid / user handling
Copyright ( C ) Andrew Tridgell 1992 - 1998
Copyright ( C ) Gerald ( Jerry ) Carter 2003
2006-02-04 01:19:41 +03:00
Copyright ( C ) Volker Lendecke 2005
2011-02-21 22:51:21 +03:00
2003-08-28 00:52:56 +04:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
the Free Software Foundation ; either version 3 of the License , or
2003-08-28 00:52:56 +04:00
( at your option ) any later version .
2011-02-21 22:51:21 +03:00
2003-08-28 00:52:56 +04:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2011-02-21 22:51:21 +03:00
2003-08-28 00:52:56 +04:00
You should have received a copy of the GNU General Public License
2007-07-10 04:52:41 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2003-08-28 00:52:56 +04:00
*/
# include "includes.h"
2011-03-18 20:58:37 +03:00
# include "passdb.h"
2016-12-27 15:52:00 +03:00
# include "lib/util_unixsids.h"
2010-05-28 04:19:32 +04:00
# include "../librpc/gen_ndr/ndr_security.h"
2010-08-05 04:25:37 +04:00
# include "secrets.h"
2014-07-17 14:58:34 +04:00
# include "../lib/util/memcache.h"
2010-08-18 20:13:42 +04:00
# include "idmap_cache.h"
2010-10-12 08:27:50 +04:00
# include "../libcli/security/security.h"
2011-02-25 00:30:16 +03:00
# include "lib/winbind_util.h"
2012-03-16 02:16:23 +04:00
# include "../librpc/gen_ndr/idmap.h"
2021-02-20 17:50:12 +03:00
# include "lib/util/bitmap.h"
2003-08-28 00:52:56 +04:00
2016-12-27 15:57:23 +03:00
static bool lookup_unix_user_name ( const char * name , struct dom_sid * sid )
{
struct passwd * pwd ;
bool ret ;
pwd = Get_Pwnam_alloc ( talloc_tos ( ) , name ) ;
if ( pwd = = NULL ) {
return False ;
}
/*
* For 64 - bit uid ' s we have enough space in the whole SID ,
* should they become necessary
*/
ret = sid_compose ( sid , & global_sid_Unix_Users , pwd - > pw_uid ) ;
TALLOC_FREE ( pwd ) ;
return ret ;
}
static bool lookup_unix_group_name ( const char * name , struct dom_sid * sid )
{
struct group * grp ;
grp = getgrnam ( name ) ;
if ( grp = = NULL ) {
return False ;
}
/*
* For 64 - bit gid ' s we have enough space in the whole SID ,
* should they become necessary
*/
return sid_compose ( sid , & global_sid_Unix_Groups , grp - > gr_gid ) ;
}
2003-08-28 00:52:56 +04:00
/*****************************************************************
2005-12-03 21:34:13 +03:00
Dissect a user - provided name into domain , name , sid and type .
If an explicit domain name was given in the form domain \ user , it
has to try that . If no explicit domain name was given , we have
to do guesswork .
2022-04-26 08:10:56 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-08-28 00:52:56 +04:00
2007-10-19 04:40:25 +04:00
bool lookup_name ( TALLOC_CTX * mem_ctx ,
2005-12-03 21:34:13 +03:00
const char * full_name , int flags ,
2005-12-10 14:22:01 +03:00
const char * * ret_domain , const char * * ret_name ,
2010-05-21 05:25:01 +04:00
struct dom_sid * ret_sid , enum lsa_SidType * ret_type )
2003-08-28 00:52:56 +04:00
{
2020-11-04 20:21:24 +03:00
char * p ;
2008-09-03 22:36:43 +04:00
const char * tmp ;
const char * domain = NULL ;
const char * name = NULL ;
2015-05-09 23:34:31 +03:00
uint32_t rid ;
2010-05-21 05:25:01 +04:00
struct dom_sid sid ;
2008-09-03 22:36:43 +04:00
enum lsa_SidType type ;
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
if ( tmp_ctx = = NULL ) {
DEBUG ( 0 , ( " talloc_new failed \n " ) ) ;
return false ;
}
2005-12-03 21:34:13 +03:00
2020-11-04 20:21:24 +03:00
p = strchr_m ( full_name , ' \\ ' ) ;
if ( p ! = NULL ) {
domain = talloc_strndup ( tmp_ctx , full_name ,
PTR_DIFF ( p , full_name ) ) ;
name = talloc_strdup ( tmp_ctx , p + 1 ) ;
} else {
2022-04-26 08:12:02 +03:00
char * q = strchr_m ( full_name , ' @ ' ) ;
/* Set the domain for UPNs */
if ( q ! = NULL ) {
name = talloc_strndup ( tmp_ctx ,
full_name ,
PTR_DIFF ( q , full_name ) ) ;
domain = talloc_strdup ( tmp_ctx , q + 1 ) ;
} else {
domain = talloc_strdup ( tmp_ctx , " " ) ;
name = talloc_strdup ( tmp_ctx , full_name ) ;
}
2005-12-03 21:34:13 +03:00
}
2020-11-04 20:21:24 +03:00
if ( ( domain = = NULL ) | | ( name = = NULL ) ) {
DEBUG ( 0 , ( " talloc failed \n " ) ) ;
2008-09-03 22:36:43 +04:00
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2005-12-03 21:34:13 +03:00
}
2003-08-28 00:52:56 +04:00
2010-04-28 12:54:57 +04:00
DEBUG ( 10 , ( " lookup_name: %s => domain=[%s], name=[%s] \n " ,
2008-09-03 22:36:43 +04:00
full_name , domain , name ) ) ;
2007-12-12 20:03:20 +03:00
DEBUG ( 10 , ( " lookup_name: flags = 0x0%x \n " , flags ) ) ;
lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC
In FreeIPA deployment with active Global Catalog service, when a two-way
trust to Active Directory forest is established, Windows systems can
look up FreeIPA users and groups. When using a security tab in Windows
Explorer on AD side, a lookup over a trusted forest might come as
realm\name instead of NetBIOS domain name:
--------------------------------------------------------------------
[2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 0000000e-0000-0000-1c5e-a750e5810000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'ipa.test\admins'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------
If we are running as a DC and PASSDB supports returning domain info
(pdb_get_domain_info() returns a valid structure), check domain of the
name in lookup_name() against DNS forest name and allow the request to
be done against the primary domain. This corresponds to FreeIPA's use of
Samba as a DC. For normal domain members a realm-based lookup falls back
to a lookup over to its own domain controller with the help of winbindd.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Nov 11 10:59:01 UTC 2020 on sn-devel-184
2020-11-10 18:35:24 +03:00
if ( ( flags & LOOKUP_NAME_DOMAIN ) | | ( flags = = 0 ) ) {
bool check_global_sam = false ;
2005-12-03 21:34:13 +03:00
lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC
In FreeIPA deployment with active Global Catalog service, when a two-way
trust to Active Directory forest is established, Windows systems can
look up FreeIPA users and groups. When using a security tab in Windows
Explorer on AD side, a lookup over a trusted forest might come as
realm\name instead of NetBIOS domain name:
--------------------------------------------------------------------
[2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 0000000e-0000-0000-1c5e-a750e5810000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'ipa.test\admins'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------
If we are running as a DC and PASSDB supports returning domain info
(pdb_get_domain_info() returns a valid structure), check domain of the
name in lookup_name() against DNS forest name and allow the request to
be done against the primary domain. This corresponds to FreeIPA's use of
Samba as a DC. For normal domain members a realm-based lookup falls back
to a lookup over to its own domain controller with the help of winbindd.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Nov 11 10:59:01 UTC 2020 on sn-devel-184
2020-11-10 18:35:24 +03:00
check_global_sam = strequal ( domain , get_global_sam_name ( ) ) ;
/* If we are running on a DC that has PASSDB module with domain
* information , check if DNS forest name is matching the domain
2020-11-11 19:50:45 +03:00
* name . This is the case of IPA domain controller when
lookup_name: allow lookup names prefixed with DNS forest root for FreeIPA DC
In FreeIPA deployment with active Global Catalog service, when a two-way
trust to Active Directory forest is established, Windows systems can
look up FreeIPA users and groups. When using a security tab in Windows
Explorer on AD side, a lookup over a trusted forest might come as
realm\name instead of NetBIOS domain name:
--------------------------------------------------------------------
[2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 0000000e-0000-0000-1c5e-a750e5810000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'ipa.test\admins'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------
If we are running as a DC and PASSDB supports returning domain info
(pdb_get_domain_info() returns a valid structure), check domain of the
name in lookup_name() against DNS forest name and allow the request to
be done against the primary domain. This corresponds to FreeIPA's use of
Samba as a DC. For normal domain members a realm-based lookup falls back
to a lookup over to its own domain controller with the help of winbindd.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Nov 11 10:59:01 UTC 2020 on sn-devel-184
2020-11-10 18:35:24 +03:00
* trusted AD DC looks up users found in a Global Catalog of
* the forest root domain . */
if ( ! check_global_sam & & ( IS_DC ) ) {
struct pdb_domain_info * dom_info = NULL ;
dom_info = pdb_get_domain_info ( tmp_ctx ) ;
if ( ( dom_info ! = NULL ) & & ( dom_info - > dns_forest ! = NULL ) ) {
check_global_sam = strequal ( domain , dom_info - > dns_forest ) ;
}
TALLOC_FREE ( dom_info ) ;
}
if ( check_global_sam ) {
/* It's our own domain, lookup the name in passdb */
if ( lookup_global_sam_name ( name , flags , & rid , & type ) ) {
sid_compose ( & sid , get_global_sam_sid ( ) , rid ) ;
goto ok ;
}
TALLOC_FREE ( tmp_ctx ) ;
return false ;
2003-08-28 00:52:56 +04:00
}
2005-12-03 21:34:13 +03:00
}
2007-12-12 20:03:20 +03:00
if ( ( flags & LOOKUP_NAME_BUILTIN ) & &
strequal ( domain , builtin_domain_name ( ) ) )
{
2009-10-20 17:13:56 +04:00
if ( strlen ( name ) = = 0 ) {
/* Swap domain and name */
tmp = name ; name = domain ; domain = tmp ;
sid_copy ( & sid , & global_sid_Builtin ) ;
type = SID_NAME_DOMAIN ;
goto ok ;
}
2005-12-03 21:34:13 +03:00
/* Explicit request for a name in BUILTIN */
if ( lookup_builtin_name ( name , & rid ) ) {
2010-01-10 19:39:27 +03:00
sid_compose ( & sid , & global_sid_Builtin , rid ) ;
2005-12-03 21:34:13 +03:00
type = SID_NAME_ALIAS ;
goto ok ;
2003-08-28 00:52:56 +04:00
}
2006-07-11 22:01:26 +04:00
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2003-08-28 00:52:56 +04:00
}
2005-12-03 21:34:13 +03:00
2006-02-04 01:19:41 +03:00
/* Try the explicit winbind lookup first, don't let it guess the
2008-09-03 22:36:43 +04:00
* domain yet at this point yet . This comes later . */
2006-02-04 01:19:41 +03:00
if ( ( domain [ 0 ] ! = ' \0 ' ) & &
2007-12-12 20:03:20 +03:00
( flags & ~ ( LOOKUP_NAME_DOMAIN | LOOKUP_NAME_ISOLATED ) ) & &
2006-02-04 01:19:41 +03:00
( winbind_lookup_name ( domain , name , & sid , & type ) ) ) {
goto ok ;
}
2015-07-22 01:17:30 +03:00
if ( ( ( flags & ( LOOKUP_NAME_NO_NSS | LOOKUP_NAME_GROUP ) ) = = 0 )
2009-08-01 01:17:54 +04:00
& & strequal ( domain , unix_users_domain_name ( ) ) ) {
2006-02-04 01:19:41 +03:00
if ( lookup_unix_user_name ( name , & sid ) ) {
type = SID_NAME_USER ;
goto ok ;
}
2006-07-11 22:01:26 +04:00
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2006-02-04 01:19:41 +03:00
}
2009-08-01 01:17:54 +04:00
if ( ( ( flags & LOOKUP_NAME_NO_NSS ) = = 0 )
& & strequal ( domain , unix_groups_domain_name ( ) ) ) {
2006-02-04 01:19:41 +03:00
if ( lookup_unix_group_name ( name , & sid ) ) {
type = SID_NAME_DOM_GRP ;
2005-12-03 21:34:13 +03:00
goto ok ;
}
2006-07-11 22:01:26 +04:00
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2005-12-03 21:34:13 +03:00
}
2015-10-15 19:20:58 +03:00
/*
* Finally check for a well known domain name ( " NT Authority " ) ,
2017-08-04 15:47:17 +03:00
* this is being taken care of in lookup_wellknown_name ( ) .
2015-10-15 19:20:58 +03:00
*/
if ( ( domain [ 0 ] ! = ' \0 ' ) & &
( flags & LOOKUP_NAME_WKN ) & &
lookup_wellknown_name ( tmp_ctx , name , & sid , & domain ) )
{
type = SID_NAME_WKN_GRP ;
goto ok ;
}
/*
* If we ' re told not to look up ' isolated ' names then we ' re
* done .
*/
if ( ! ( flags & LOOKUP_NAME_ISOLATED ) ) {
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
/*
* No domain names beyond this point
*/
if ( domain [ 0 ] ! = ' \0 ' ) {
2006-07-11 22:01:26 +04:00
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2005-12-03 21:34:13 +03:00
}
/* Now the guesswork begins, we haven't been given an explicit
* domain . Try the sequence as documented on
* http : //msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
* November 27 , 2005 */
/* 1. well-known names */
2015-10-15 19:20:58 +03:00
/*
* Check for well known names without a domain name .
* e . g . \ Creator Owner .
*/
2007-12-12 20:03:20 +03:00
if ( ( flags & LOOKUP_NAME_WKN ) & &
2008-09-03 22:36:43 +04:00
lookup_wellknown_name ( tmp_ctx , name , & sid , & domain ) )
2007-12-12 20:03:20 +03:00
{
2006-02-24 23:50:13 +03:00
type = SID_NAME_WKN_GRP ;
goto ok ;
2005-12-03 21:34:13 +03:00
}
/* 2. Builtin domain as such */
2007-12-12 20:03:20 +03:00
if ( ( flags & ( LOOKUP_NAME_BUILTIN | LOOKUP_NAME_REMOTE ) ) & &
strequal ( name , builtin_domain_name ( ) ) )
{
2005-12-03 21:34:13 +03:00
/* Swap domain and name */
tmp = name ; name = domain ; domain = tmp ;
sid_copy ( & sid , & global_sid_Builtin ) ;
type = SID_NAME_DOMAIN ;
goto ok ;
}
/* 3. Account domain */
2007-12-12 20:03:20 +03:00
if ( ( flags & LOOKUP_NAME_DOMAIN ) & &
strequal ( name , get_global_sam_name ( ) ) )
{
2005-12-03 21:34:13 +03:00
if ( ! secrets_fetch_domain_sid ( name , & sid ) ) {
DEBUG ( 3 , ( " Could not fetch my SID \n " ) ) ;
2006-07-11 22:01:26 +04:00
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2005-12-03 21:34:13 +03:00
}
/* Swap domain and name */
tmp = name ; name = domain ; domain = tmp ;
type = SID_NAME_DOMAIN ;
goto ok ;
}
/* 4. Primary domain */
2007-12-12 20:03:20 +03:00
if ( ( flags & LOOKUP_NAME_DOMAIN ) & & ! IS_DC & &
strequal ( name , lp_workgroup ( ) ) )
{
2005-12-03 21:34:13 +03:00
if ( ! secrets_fetch_domain_sid ( name , & sid ) ) {
DEBUG ( 3 , ( " Could not fetch the domain SID \n " ) ) ;
2006-07-11 22:01:26 +04:00
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2005-12-03 21:34:13 +03:00
}
/* Swap domain and name */
tmp = name ; name = domain ; domain = tmp ;
type = SID_NAME_DOMAIN ;
goto ok ;
}
/* 5. Trusted domains as such, to me it looks as if members don't do
this , tested an XP workstation in a NT domain - - vl */
2007-12-12 20:03:20 +03:00
if ( ( flags & LOOKUP_NAME_REMOTE ) & & IS_DC & &
2007-12-17 16:51:37 +03:00
( pdb_get_trusteddom_pw ( name , NULL , & sid , NULL ) ) )
2007-12-12 20:03:20 +03:00
{
2005-12-03 21:34:13 +03:00
/* Swap domain and name */
tmp = name ; name = domain ; domain = tmp ;
type = SID_NAME_DOMAIN ;
goto ok ;
}
2022-04-26 08:10:56 +03:00
/* 6. Builtin aliases */
2005-12-03 21:34:13 +03:00
2007-12-12 20:03:20 +03:00
if ( ( flags & LOOKUP_NAME_BUILTIN ) & &
lookup_builtin_name ( name , & rid ) )
{
2008-09-03 22:36:43 +04:00
domain = talloc_strdup ( tmp_ctx , builtin_domain_name ( ) ) ;
2010-01-10 19:39:27 +03:00
sid_compose ( & sid , & global_sid_Builtin , rid ) ;
2005-12-03 21:34:13 +03:00
type = SID_NAME_ALIAS ;
goto ok ;
}
/* 7. Local systems' SAM (DCs don't have a local SAM) */
/* 8. Primary SAM (On members, this is the domain) */
/* Both cases are done by looking at our passdb */
2007-12-12 20:03:20 +03:00
if ( ( flags & LOOKUP_NAME_DOMAIN ) & &
lookup_global_sam_name ( name , flags , & rid , & type ) )
{
2008-09-03 22:36:43 +04:00
domain = talloc_strdup ( tmp_ctx , get_global_sam_name ( ) ) ;
2010-01-10 19:39:27 +03:00
sid_compose ( & sid , get_global_sam_sid ( ) , rid ) ;
2005-12-03 21:34:13 +03:00
goto ok ;
}
/* Now our local possibilities are exhausted. */
if ( ! ( flags & LOOKUP_NAME_REMOTE ) ) {
2006-07-11 22:01:26 +04:00
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2005-12-03 21:34:13 +03:00
}
/* If we are not a DC, we have to ask in our primary domain. Let
* winbind do that . */
if ( ! IS_DC & &
( winbind_lookup_name ( lp_workgroup ( ) , name , & sid , & type ) ) ) {
2008-09-03 22:36:43 +04:00
domain = talloc_strdup ( tmp_ctx , lp_workgroup ( ) ) ;
2005-12-03 21:34:13 +03:00
goto ok ;
}
/* 9. Trusted domains */
/* If we're a DC we have to ask all trusted DC's. Winbind does not do
* that ( yet ) , but give it a chance . */
if ( IS_DC & & winbind_lookup_name ( " " , name , & sid , & type ) ) {
2010-05-21 05:25:01 +04:00
struct dom_sid dom_sid ;
2006-09-08 18:28:06 +04:00
enum lsa_SidType domain_type ;
2011-02-21 22:51:21 +03:00
2005-12-03 21:34:13 +03:00
if ( type = = SID_NAME_DOMAIN ) {
/* Swap name and type */
tmp = name ; name = domain ; domain = tmp ;
goto ok ;
}
/* Here we have to cope with a little deficiency in the
* winbind API : We have to ask it again for the name of the
* domain it figured out itself . Maybe fix that later . . . */
sid_copy ( & dom_sid , & sid ) ;
2011-03-10 18:19:17 +03:00
sid_split_rid ( & dom_sid , NULL ) ;
2005-12-03 21:34:13 +03:00
2005-12-10 14:22:01 +03:00
if ( ! winbind_lookup_sid ( tmp_ctx , & dom_sid , & domain , NULL ,
2005-12-03 21:34:13 +03:00
& domain_type ) | |
( domain_type ! = SID_NAME_DOMAIN ) ) {
2005-12-10 14:22:01 +03:00
DEBUG ( 2 , ( " winbind could not find the domain's name "
" it just looked up for us \n " ) ) ;
2006-07-11 22:01:26 +04:00
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2005-12-03 21:34:13 +03:00
}
goto ok ;
}
/* 10. Don't translate */
2006-02-04 01:19:41 +03:00
/* 11. Ok, windows would end here. Samba has two more options:
Unmapped users and unmapped groups */
2015-07-22 01:17:30 +03:00
if ( ( ( flags & ( LOOKUP_NAME_NO_NSS | LOOKUP_NAME_GROUP ) ) = = 0 )
2009-08-01 01:17:54 +04:00
& & lookup_unix_user_name ( name , & sid ) ) {
2008-09-03 22:36:43 +04:00
domain = talloc_strdup ( tmp_ctx , unix_users_domain_name ( ) ) ;
2006-02-04 01:19:41 +03:00
type = SID_NAME_USER ;
goto ok ;
}
2009-08-01 01:17:54 +04:00
if ( ( ( flags & LOOKUP_NAME_NO_NSS ) = = 0 )
& & lookup_unix_group_name ( name , & sid ) ) {
2008-09-03 22:36:43 +04:00
domain = talloc_strdup ( tmp_ctx , unix_groups_domain_name ( ) ) ;
2006-02-04 01:19:41 +03:00
type = SID_NAME_DOM_GRP ;
goto ok ;
}
2006-07-11 22:01:26 +04:00
/*
* Ok , all possibilities tried . Fail .
*/
2006-02-20 20:59:58 +03:00
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2005-12-03 21:34:13 +03:00
ok :
2008-09-03 22:36:43 +04:00
if ( ( domain = = NULL ) | | ( name = = NULL ) ) {
DEBUG ( 0 , ( " talloc failed \n " ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
2006-07-11 22:01:26 +04:00
/*
* Hand over the results to the talloc context we ' ve been given .
*/
if ( ( ret_name ! = NULL ) & &
! ( * ret_name = talloc_strdup ( mem_ctx , name ) ) ) {
DEBUG ( 0 , ( " talloc failed \n " ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2005-12-03 21:34:13 +03:00
}
if ( ret_domain ! = NULL ) {
2006-07-11 22:01:26 +04:00
char * tmp_dom ;
2008-09-03 22:36:43 +04:00
if ( ! ( tmp_dom = talloc_strdup ( mem_ctx , domain ) ) ) {
DEBUG ( 0 , ( " talloc failed \n " ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return false ;
2006-07-11 22:01:26 +04:00
}
2012-08-09 02:35:28 +04:00
if ( ! strupper_m ( tmp_dom ) ) {
TALLOC_FREE ( tmp_ctx ) ;
return false ;
}
2006-07-11 22:01:26 +04:00
* ret_domain = tmp_dom ;
2005-12-03 21:34:13 +03:00
}
if ( ret_sid ! = NULL ) {
sid_copy ( ret_sid , & sid ) ;
}
if ( ret_type ! = NULL ) {
* ret_type = type ;
}
2006-02-20 20:59:58 +03:00
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return true ;
2003-08-28 00:52:56 +04:00
}
2006-08-05 00:35:52 +04:00
/************************************************************************
Names from smb . conf can be unqualified . eg . valid users = foo
2006-08-05 00:43:21 +04:00
These names should never map to a remote name . Try global_sam_name ( ) \ foo ,
2006-08-05 00:35:52 +04:00
and then " Unix Users " \ foo ( or " Unix Groups " \ foo ) .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
bool lookup_name_smbconf ( TALLOC_CTX * mem_ctx ,
2006-08-05 00:35:52 +04:00
const char * full_name , int flags ,
const char * * ret_domain , const char * * ret_name ,
2010-05-21 05:25:01 +04:00
struct dom_sid * ret_sid , enum lsa_SidType * ret_type )
2006-08-05 00:35:52 +04:00
{
2022-04-26 13:26:25 +03:00
char * qualified_name = NULL ;
2022-04-26 08:24:10 +03:00
const char * p = strchr_m ( full_name , * lp_winbind_separator ( ) ) ;
2022-04-26 08:39:12 +03:00
bool is_qualified = p ! = NULL | | strchr_m ( full_name , ' @ ' ) ! = NULL ;
2006-08-05 01:07:32 +04:00
2022-04-26 08:39:12 +03:00
/* For DOMAIN\user or user@REALM directly call lookup_name(). */
2022-04-26 08:24:10 +03:00
if ( is_qualified ) {
2006-08-05 01:07:32 +04:00
2008-09-03 22:36:43 +04:00
/* The name is already qualified with a domain. */
2022-04-26 08:24:10 +03:00
if ( p ! = NULL & & * lp_winbind_separator ( ) ! = ' \\ ' ) {
2008-09-03 22:36:43 +04:00
/* lookup_name() needs '\\' as a separator */
2022-04-26 13:26:25 +03:00
qualified_name = talloc_strdup ( mem_ctx , full_name ) ;
if ( qualified_name = = NULL ) {
2008-09-03 22:36:43 +04:00
return false ;
}
2022-04-26 13:26:25 +03:00
qualified_name [ p - full_name ] = ' \\ ' ;
full_name = qualified_name ;
2006-08-05 01:07:32 +04:00
}
2008-09-03 22:36:43 +04:00
return lookup_name ( mem_ctx , full_name , flags ,
ret_domain , ret_name ,
ret_sid , ret_type ) ;
2006-08-05 00:35:52 +04:00
}
2015-03-31 19:15:51 +03:00
/* Try with winbind default domain name. */
if ( lp_winbind_use_default_domain ( ) ) {
bool ok ;
qualified_name = talloc_asprintf ( mem_ctx ,
" %s \\ %s " ,
lp_workgroup ( ) ,
full_name ) ;
if ( qualified_name = = NULL ) {
return false ;
}
ok = lookup_name ( mem_ctx ,
qualified_name ,
flags ,
ret_domain ,
ret_name ,
ret_sid ,
ret_type ) ;
if ( ok ) {
return true ;
}
}
2006-08-05 00:43:21 +04:00
/* Try with our own SAM name. */
2008-09-03 22:36:43 +04:00
qualified_name = talloc_asprintf ( mem_ctx , " %s \\ %s " ,
get_global_sam_name ( ) ,
full_name ) ;
if ( ! qualified_name ) {
return false ;
2006-08-05 00:35:52 +04:00
}
2008-08-18 03:54:41 +04:00
2008-09-03 22:36:43 +04:00
if ( lookup_name ( mem_ctx , qualified_name , flags ,
ret_domain , ret_name ,
ret_sid , ret_type ) ) {
return true ;
}
2011-02-21 22:51:21 +03:00
2006-08-05 00:35:52 +04:00
/* Finally try with "Unix Users" or "Unix Group" */
2008-09-03 22:36:43 +04:00
qualified_name = talloc_asprintf ( mem_ctx , " %s \\ %s " ,
2006-08-05 00:35:52 +04:00
flags & LOOKUP_NAME_GROUP ?
unix_groups_domain_name ( ) :
unix_users_domain_name ( ) ,
2008-09-03 22:36:43 +04:00
full_name ) ;
if ( ! qualified_name ) {
return false ;
}
2006-08-05 00:35:52 +04:00
2008-09-03 22:36:43 +04:00
return lookup_name ( mem_ctx , qualified_name , flags ,
ret_domain , ret_name ,
ret_sid , ret_type ) ;
2006-08-05 00:35:52 +04:00
}
2007-10-19 04:40:25 +04:00
static bool wb_lookup_rids ( TALLOC_CTX * mem_ctx ,
2010-05-21 05:25:01 +04:00
const struct dom_sid * domain_sid ,
2015-05-09 23:34:31 +03:00
int num_rids , uint32_t * rids ,
2006-07-11 22:01:26 +04:00
const char * * domain_name ,
2006-09-08 18:28:06 +04:00
const char * * names , enum lsa_SidType * types )
2006-02-04 01:19:41 +03:00
{
int i ;
2006-07-11 22:01:26 +04:00
const char * * my_names ;
2006-09-08 18:28:06 +04:00
enum lsa_SidType * my_types ;
2006-07-11 22:01:26 +04:00
TALLOC_CTX * tmp_ctx ;
2006-02-04 01:19:41 +03:00
2006-07-11 22:01:26 +04:00
if ( ! ( tmp_ctx = talloc_init ( " wb_lookup_rids " ) ) ) {
2007-11-27 18:36:06 +03:00
return false ;
2006-07-11 22:01:26 +04:00
}
2006-02-04 01:19:41 +03:00
2006-07-11 22:01:26 +04:00
if ( ! winbind_lookup_rids ( tmp_ctx , domain_sid , num_rids , rids ,
domain_name , & my_names , & my_types ) ) {
2006-11-29 11:11:33 +03:00
* domain_name = " " ;
2006-07-11 22:01:26 +04:00
for ( i = 0 ; i < num_rids ; i + + ) {
2006-11-29 11:11:33 +03:00
names [ i ] = " " ;
2006-02-04 01:19:41 +03:00
types [ i ] = SID_NAME_UNKNOWN ;
}
2007-03-10 21:04:47 +03:00
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return true ;
2006-07-11 22:01:26 +04:00
}
2007-03-16 16:09:09 +03:00
if ( ! ( * domain_name = talloc_strdup ( mem_ctx , * domain_name ) ) ) {
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2007-03-16 16:09:09 +03:00
}
2006-07-11 22:01:26 +04:00
/*
* winbind_lookup_rids allocates its own array . We ' ve been given the
* array , so copy it over
*/
for ( i = 0 ; i < num_rids ; i + + ) {
if ( my_names [ i ] = = NULL ) {
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2006-07-11 22:01:26 +04:00
}
if ( ! ( names [ i ] = talloc_strdup ( names , my_names [ i ] ) ) ) {
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return false ;
2006-07-11 22:01:26 +04:00
}
types [ i ] = my_types [ i ] ;
2006-02-04 01:19:41 +03:00
}
2006-07-11 22:01:26 +04:00
TALLOC_FREE ( tmp_ctx ) ;
2007-11-27 18:36:06 +03:00
return true ;
2006-02-04 01:19:41 +03:00
}
2003-08-28 00:52:56 +04:00
2010-05-21 05:25:01 +04:00
static bool lookup_rids ( TALLOC_CTX * mem_ctx , const struct dom_sid * domain_sid ,
2006-02-04 01:19:41 +03:00
int num_rids , uint32_t * rids ,
const char * * domain_name ,
2006-09-08 18:28:06 +04:00
const char * * * names , enum lsa_SidType * * types )
2003-08-28 00:52:56 +04:00
{
2006-02-04 01:19:41 +03:00
int i ;
2018-12-11 19:00:48 +03:00
struct dom_sid_buf buf ;
2005-12-10 14:22:01 +03:00
2008-01-25 01:44:05 +03:00
DEBUG ( 10 , ( " lookup_rids called for domain sid '%s' \n " ,
2018-12-11 19:00:48 +03:00
dom_sid_str_buf ( domain_sid , & buf ) ) ) ;
2008-01-25 01:44:05 +03:00
2007-04-30 06:39:34 +04:00
if ( num_rids ) {
2011-06-07 05:58:39 +04:00
* names = talloc_zero_array ( mem_ctx , const char * , num_rids ) ;
2011-06-07 05:30:12 +04:00
* types = talloc_array ( mem_ctx , enum lsa_SidType , num_rids ) ;
2003-08-28 00:52:56 +04:00
2007-04-30 06:39:34 +04:00
if ( ( * names = = NULL ) | | ( * types = = NULL ) ) {
2007-11-27 18:36:06 +03:00
return false ;
2007-04-30 06:39:34 +04:00
}
2009-05-06 02:07:40 +04:00
for ( i = 0 ; i < num_rids ; i + + )
( * types ) [ i ] = SID_NAME_UNKNOWN ;
2007-04-30 06:39:34 +04:00
} else {
* names = NULL ;
* types = NULL ;
2005-12-10 14:22:01 +03:00
}
2012-07-12 17:55:21 +04:00
if ( sid_check_is_our_sam ( domain_sid ) ) {
2006-02-04 01:19:41 +03:00
NTSTATUS result ;
if ( * domain_name = = NULL ) {
* domain_name = talloc_strdup (
mem_ctx , get_global_sam_name ( ) ) ;
}
if ( * domain_name = = NULL ) {
2007-11-27 18:36:06 +03:00
return false ;
2006-02-04 01:19:41 +03:00
}
2007-04-06 03:56:10 +04:00
become_root ( ) ;
2006-02-04 01:19:41 +03:00
result = pdb_lookup_rids ( domain_sid , num_rids , rids ,
* names , * types ) ;
2007-04-06 03:56:10 +04:00
unbecome_root ( ) ;
2006-02-04 01:19:41 +03:00
return ( NT_STATUS_IS_OK ( result ) | |
NT_STATUS_EQUAL ( result , NT_STATUS_NONE_MAPPED ) | |
NT_STATUS_EQUAL ( result , STATUS_SOME_UNMAPPED ) ) ;
2004-11-19 16:26:17 +03:00
}
2006-02-04 01:19:41 +03:00
if ( sid_check_is_builtin ( domain_sid ) ) {
2005-11-27 00:02:48 +03:00
2006-02-04 01:19:41 +03:00
if ( * domain_name = = NULL ) {
* domain_name = talloc_strdup (
mem_ctx , builtin_domain_name ( ) ) ;
2005-12-03 21:34:13 +03:00
}
2006-02-04 01:19:41 +03:00
if ( * domain_name = = NULL ) {
2007-11-27 18:36:06 +03:00
return false ;
2006-02-04 01:19:41 +03:00
}
for ( i = 0 ; i < num_rids ; i + + ) {
if ( lookup_builtin_rid ( * names , rids [ i ] ,
& ( * names ) [ i ] ) ) {
if ( ( * names ) [ i ] = = NULL ) {
2007-11-27 18:36:06 +03:00
return false ;
2006-02-04 01:19:41 +03:00
}
( * types ) [ i ] = SID_NAME_ALIAS ;
} else {
( * types ) [ i ] = SID_NAME_UNKNOWN ;
}
}
2007-11-27 18:36:06 +03:00
return true ;
2006-02-04 01:19:41 +03:00
}
if ( sid_check_is_wellknown_domain ( domain_sid , NULL ) ) {
for ( i = 0 ; i < num_rids ; i + + ) {
2010-05-21 05:25:01 +04:00
struct dom_sid sid ;
2010-01-10 19:39:27 +03:00
sid_compose ( & sid , domain_sid , rids [ i ] ) ;
2006-02-04 01:19:41 +03:00
if ( lookup_wellknown_sid ( mem_ctx , & sid ,
domain_name , & ( * names ) [ i ] ) ) {
if ( ( * names ) [ i ] = = NULL ) {
2007-11-27 18:36:06 +03:00
return false ;
2006-02-04 01:19:41 +03:00
}
( * types ) [ i ] = SID_NAME_WKN_GRP ;
} else {
( * types ) [ i ] = SID_NAME_UNKNOWN ;
}
}
2007-11-27 18:36:06 +03:00
return true ;
2006-02-04 01:19:41 +03:00
}
if ( sid_check_is_unix_users ( domain_sid ) ) {
if ( * domain_name = = NULL ) {
* domain_name = talloc_strdup (
mem_ctx , unix_users_domain_name ( ) ) ;
2008-02-06 05:05:59 +03:00
if ( * domain_name = = NULL ) {
return false ;
}
2006-02-04 01:19:41 +03:00
}
for ( i = 0 ; i < num_rids ; i + + ) {
( * names ) [ i ] = talloc_strdup (
( * names ) , uidtoname ( rids [ i ] ) ) ;
2008-02-06 05:05:59 +03:00
if ( ( * names ) [ i ] = = NULL ) {
return false ;
}
2006-02-04 01:19:41 +03:00
( * types ) [ i ] = SID_NAME_USER ;
}
2007-11-27 18:36:06 +03:00
return true ;
2006-02-04 01:19:41 +03:00
}
if ( sid_check_is_unix_groups ( domain_sid ) ) {
if ( * domain_name = = NULL ) {
* domain_name = talloc_strdup (
mem_ctx , unix_groups_domain_name ( ) ) ;
2008-02-06 05:05:59 +03:00
if ( * domain_name = = NULL ) {
return false ;
}
2006-02-04 01:19:41 +03:00
}
for ( i = 0 ; i < num_rids ; i + + ) {
( * names ) [ i ] = talloc_strdup (
( * names ) , gidtoname ( rids [ i ] ) ) ;
2008-02-06 05:05:59 +03:00
if ( ( * names ) [ i ] = = NULL ) {
return false ;
}
2006-02-04 01:19:41 +03:00
( * types ) [ i ] = SID_NAME_DOM_GRP ;
}
2007-11-27 18:36:06 +03:00
return true ;
2006-02-04 01:19:41 +03:00
}
2006-07-11 22:01:26 +04:00
return wb_lookup_rids ( mem_ctx , domain_sid , num_rids , rids ,
domain_name , * names , * types ) ;
2006-02-04 01:19:41 +03:00
}
/*
* Is the SID a domain as such ? If yes , lookup its name .
*/
2010-05-21 05:25:01 +04:00
static bool lookup_as_domain ( const struct dom_sid * sid , TALLOC_CTX * mem_ctx ,
2006-02-04 01:19:41 +03:00
const char * * name )
{
const char * tmp ;
2006-09-08 18:28:06 +04:00
enum lsa_SidType type ;
2006-02-04 01:19:41 +03:00
2012-07-12 17:55:21 +04:00
if ( sid_check_is_our_sam ( sid ) ) {
2006-02-04 01:19:41 +03:00
* name = talloc_strdup ( mem_ctx , get_global_sam_name ( ) ) ;
2007-11-27 18:36:06 +03:00
return true ;
2005-11-27 00:02:48 +03:00
}
2005-11-26 23:28:12 +03:00
if ( sid_check_is_builtin ( sid ) ) {
2006-02-04 01:19:41 +03:00
* name = talloc_strdup ( mem_ctx , builtin_domain_name ( ) ) ;
2007-11-27 18:36:06 +03:00
return true ;
2006-02-04 01:19:41 +03:00
}
2003-08-28 00:52:56 +04:00
2006-02-04 01:19:41 +03:00
if ( sid_check_is_wellknown_domain ( sid , & tmp ) ) {
* name = talloc_strdup ( mem_ctx , tmp ) ;
2007-11-27 18:36:06 +03:00
return true ;
2006-02-04 01:19:41 +03:00
}
2003-08-28 00:52:56 +04:00
2008-01-25 03:40:42 +03:00
if ( sid_check_is_unix_users ( sid ) ) {
* name = talloc_strdup ( mem_ctx , unix_users_domain_name ( ) ) ;
return true ;
}
if ( sid_check_is_unix_groups ( sid ) ) {
* name = talloc_strdup ( mem_ctx , unix_groups_domain_name ( ) ) ;
return true ;
}
2006-02-04 01:19:41 +03:00
if ( sid - > num_auths ! = 4 ) {
/* This can't be a domain */
2007-11-27 18:36:06 +03:00
return false ;
2005-11-26 23:28:12 +03:00
}
2006-02-04 01:19:41 +03:00
if ( IS_DC ) {
2015-05-09 23:34:31 +03:00
uint32_t i , num_domains ;
2006-02-04 01:19:41 +03:00
struct trustdom_info * * domains ;
2005-11-27 00:02:48 +03:00
2006-02-04 01:19:41 +03:00
/* This is relatively expensive, but it happens only on DCs
* and for SIDs that have 4 sub - authorities and thus look like
* domains */
2005-11-26 23:28:12 +03:00
2007-01-16 11:17:26 +03:00
if ( ! NT_STATUS_IS_OK ( pdb_enum_trusteddoms ( mem_ctx ,
& num_domains ,
& domains ) ) ) {
2007-11-27 18:36:06 +03:00
return false ;
2005-12-03 21:34:13 +03:00
}
2005-11-27 00:02:48 +03:00
2006-02-04 01:19:41 +03:00
for ( i = 0 ; i < num_domains ; i + + ) {
2010-08-26 17:48:50 +04:00
if ( dom_sid_equal ( sid , & domains [ i ] - > sid ) ) {
2006-02-04 01:19:41 +03:00
* name = talloc_strdup ( mem_ctx ,
domains [ i ] - > name ) ;
2007-11-27 18:36:06 +03:00
return true ;
2006-02-04 01:19:41 +03:00
}
}
2007-11-27 18:36:06 +03:00
return false ;
2006-02-04 01:19:41 +03:00
}
2005-11-27 00:02:48 +03:00
2006-02-04 01:19:41 +03:00
if ( winbind_lookup_sid ( mem_ctx , sid , & tmp , NULL , & type ) & &
( type = = SID_NAME_DOMAIN ) ) {
* name = tmp ;
2007-11-27 18:36:06 +03:00
return true ;
2003-08-28 00:52:56 +04:00
}
2007-11-27 18:36:06 +03:00
return false ;
2006-02-04 01:19:41 +03:00
}
/*
* This tries to implement the rather weird rules for the lsa_lookup level
* parameter .
*
* This is as close as we can get to what W2k3 does . With this we survive the
* RPC - LSALOOKUP samba4 test as of 2006 - 01 - 08. NT4 as a PDC is a bit more
* different , but I assume that ' s just being too liberal . For example , W2k3
* replies to everything else but the levels 1 - 6 with INVALID_PARAMETER
* whereas NT4 does the same as level 1 ( I think ) . I did not fully test that
* with NT4 , this is what w2k3 does .
*
* Level 1 : Ask everywhere
* Level 2 : Ask domain and trusted domains , no builtin and wkn
* Level 3 : Only ask domain
* Level 4 : W2k3ad : Only ask AD trusts
2007-06-27 16:35:12 +04:00
* Level 5 : Only ask transitive forest trusts
2006-02-04 01:19:41 +03:00
* Level 6 : Like 4
*/
2010-05-21 05:25:01 +04:00
static bool check_dom_sid_to_level ( const struct dom_sid * sid , int level )
2006-02-04 01:19:41 +03:00
{
2018-12-11 19:00:48 +03:00
struct dom_sid_buf buf ;
2007-11-27 18:36:06 +03:00
int ret = false ;
2006-02-04 01:19:41 +03:00
switch ( level ) {
case 1 :
2007-11-27 18:36:06 +03:00
ret = true ;
2006-02-04 01:19:41 +03:00
break ;
case 2 :
ret = ( ! sid_check_is_builtin ( sid ) & &
! sid_check_is_wellknown_domain ( sid , NULL ) ) ;
break ;
case 3 :
case 4 :
case 6 :
2012-07-12 17:55:21 +04:00
ret = sid_check_is_our_sam ( sid ) ;
2006-02-04 01:19:41 +03:00
break ;
case 5 :
2007-11-27 18:36:06 +03:00
ret = false ;
2006-02-04 01:19:41 +03:00
break ;
2005-09-30 21:13:37 +04:00
}
2003-08-28 00:52:56 +04:00
2006-02-04 01:19:41 +03:00
DEBUG ( 10 , ( " %s SID %s in level %d \n " ,
ret ? " Accepting " : " Rejecting " ,
2018-12-11 19:00:48 +03:00
dom_sid_str_buf ( sid , & buf ) ,
level ) ) ;
2006-02-04 01:19:41 +03:00
return ret ;
}
2003-08-28 00:52:56 +04:00
2006-02-04 01:19:41 +03:00
/*
* Lookup a bunch of SIDs . This is modeled after lsa_lookup_sids with
* references to domains , it is explicitly made for this .
*
* This attempts to be as efficient as possible : It collects all SIDs
* belonging to a domain and hands them in bulk to the appropriate lookup
* function . In particular pdb_lookup_rids with ldapsam_trusted benefits
2011-03-03 17:26:12 +03:00
* * hugely * from this .
2006-02-04 01:19:41 +03:00
*/
NTSTATUS lookup_sids ( TALLOC_CTX * mem_ctx , int num_sids ,
2010-05-21 05:25:01 +04:00
const struct dom_sid * * sids , int level ,
2006-02-04 01:19:41 +03:00
struct lsa_dom_info * * ret_domains ,
struct lsa_name_info * * ret_names )
{
TALLOC_CTX * tmp_ctx ;
2019-09-05 16:40:16 +03:00
NTSTATUS result ;
2006-02-04 01:19:41 +03:00
struct lsa_name_info * name_infos ;
2007-04-30 21:19:49 +04:00
struct lsa_dom_info * dom_infos = NULL ;
2006-02-04 01:19:41 +03:00
int i , j ;
2006-07-11 22:01:26 +04:00
if ( ! ( tmp_ctx = talloc_new ( mem_ctx ) ) ) {
2006-02-04 01:19:41 +03:00
DEBUG ( 0 , ( " talloc_new failed \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
2003-08-28 00:52:56 +04:00
}
2005-09-30 21:13:37 +04:00
2007-04-30 06:39:34 +04:00
if ( num_sids ) {
2011-06-07 05:30:12 +04:00
name_infos = talloc_array ( mem_ctx , struct lsa_name_info , num_sids ) ;
2007-04-30 06:39:34 +04:00
if ( name_infos = = NULL ) {
result = NT_STATUS_NO_MEMORY ;
goto fail ;
}
} else {
name_infos = NULL ;
}
2011-06-07 05:58:39 +04:00
dom_infos = talloc_zero_array ( mem_ctx , struct lsa_dom_info ,
2008-10-24 04:01:16 +04:00
LSA_REF_DOMAIN_LIST_MULTIPLIER ) ;
2007-04-30 06:39:34 +04:00
if ( dom_infos = = NULL ) {
2006-02-04 01:19:41 +03:00
result = NT_STATUS_NO_MEMORY ;
2006-07-11 22:01:26 +04:00
goto fail ;
2006-02-04 01:19:41 +03:00
}
/* First build up the data structures:
2022-04-26 08:10:56 +03:00
*
2006-02-04 01:19:41 +03:00
* dom_infos is a list of domains referenced in the list of
* SIDs . Later we will walk the list of domains and look up the RIDs
* in bulk .
*
* name_infos is a shadow - copy of the SIDs array to collect the real
* data .
*
* dom_info - > idxs is an index into the name_infos array . The
* difficulty we have here is that we need to keep the SIDs the client
* asked for in the same order for the reply
*/
for ( i = 0 ; i < num_sids ; i + + ) {
2010-05-21 05:25:01 +04:00
struct dom_sid sid ;
2010-06-07 12:03:50 +04:00
uint32_t rid = 0 ;
2006-02-04 01:19:41 +03:00
const char * domain_name = NULL ;
sid_copy ( & sid , sids [ i ] ) ;
name_infos [ i ] . type = SID_NAME_USE_NONE ;
if ( lookup_as_domain ( & sid , name_infos , & domain_name ) ) {
/* We can't push that through the normal lookup
* process , as this would reference illegal
* domains .
*
* For example S - 1 - 5 - 32 would end up referencing
* domain S - 1 - 5 - with RID 32 which is clearly wrong .
*/
if ( domain_name = = NULL ) {
result = NT_STATUS_NO_MEMORY ;
2006-07-11 22:01:26 +04:00
goto fail ;
2006-02-04 01:19:41 +03:00
}
2011-02-21 22:51:21 +03:00
2006-02-04 01:19:41 +03:00
name_infos [ i ] . rid = 0 ;
name_infos [ i ] . type = SID_NAME_DOMAIN ;
name_infos [ i ] . name = NULL ;
if ( sid_check_is_builtin ( & sid ) ) {
/* Yes, W2k3 returns "BUILTIN" both as domain
* and name here */
name_infos [ i ] . name = talloc_strdup (
name_infos , builtin_domain_name ( ) ) ;
if ( name_infos [ i ] . name = = NULL ) {
result = NT_STATUS_NO_MEMORY ;
2006-07-11 22:01:26 +04:00
goto fail ;
2006-02-04 01:19:41 +03:00
}
}
} else {
/* This is a normal SID with rid component */
if ( ! sid_split_rid ( & sid , & rid ) ) {
2009-03-24 13:07:16 +03:00
result = NT_STATUS_INVALID_SID ;
2006-07-11 22:01:26 +04:00
goto fail ;
2006-02-04 01:19:41 +03:00
}
}
if ( ! check_dom_sid_to_level ( & sid , level ) ) {
name_infos [ i ] . rid = 0 ;
name_infos [ i ] . type = SID_NAME_UNKNOWN ;
name_infos [ i ] . name = NULL ;
continue ;
}
2008-10-24 04:01:16 +04:00
for ( j = 0 ; j < LSA_REF_DOMAIN_LIST_MULTIPLIER ; j + + ) {
2006-02-04 01:19:41 +03:00
if ( ! dom_infos [ j ] . valid ) {
break ;
}
2010-08-26 17:48:50 +04:00
if ( dom_sid_equal ( & sid , & dom_infos [ j ] . sid ) ) {
2006-02-04 01:19:41 +03:00
break ;
}
}
2008-10-24 04:01:16 +04:00
if ( j = = LSA_REF_DOMAIN_LIST_MULTIPLIER ) {
2006-02-04 01:19:41 +03:00
/* TODO: What's the right error message here? */
result = NT_STATUS_NONE_MAPPED ;
2006-07-11 22:01:26 +04:00
goto fail ;
2006-02-04 01:19:41 +03:00
}
if ( ! dom_infos [ j ] . valid ) {
/* We found a domain not yet referenced, create a new
* ref . */
2007-11-27 18:36:06 +03:00
dom_infos [ j ] . valid = true ;
2006-02-04 01:19:41 +03:00
sid_copy ( & dom_infos [ j ] . sid , & sid ) ;
if ( domain_name ! = NULL ) {
/* This name was being found above in the case
* when we found a domain SID */
dom_infos [ j ] . name =
2006-07-11 22:01:26 +04:00
talloc_strdup ( dom_infos , domain_name ) ;
if ( dom_infos [ j ] . name = = NULL ) {
result = NT_STATUS_NO_MEMORY ;
goto fail ;
}
2006-02-04 01:19:41 +03:00
} else {
/* lookup_rids will take care of this */
dom_infos [ j ] . name = NULL ;
}
}
name_infos [ i ] . dom_idx = j ;
if ( name_infos [ i ] . type = = SID_NAME_USE_NONE ) {
name_infos [ i ] . rid = rid ;
ADD_TO_ARRAY ( dom_infos , int , i , & dom_infos [ j ] . idxs ,
& dom_infos [ j ] . num_idxs ) ;
if ( dom_infos [ j ] . idxs = = NULL ) {
result = NT_STATUS_NO_MEMORY ;
2006-07-11 22:01:26 +04:00
goto fail ;
2006-02-04 01:19:41 +03:00
}
}
}
/* Iterate over the domains found */
2008-10-24 04:01:16 +04:00
for ( i = 0 ; i < LSA_REF_DOMAIN_LIST_MULTIPLIER ; i + + ) {
2006-02-04 01:19:41 +03:00
uint32_t * rids ;
2006-07-11 22:01:26 +04:00
const char * domain_name = NULL ;
2006-02-04 01:19:41 +03:00
const char * * names ;
2006-09-08 18:28:06 +04:00
enum lsa_SidType * types ;
2006-02-04 01:19:41 +03:00
struct lsa_dom_info * dom = & dom_infos [ i ] ;
if ( ! dom - > valid ) {
/* No domains left, we're done */
break ;
}
2014-02-20 19:57:21 +04:00
if ( dom - > num_idxs = = 0 ) {
/*
* This happens only if the only sid related to
* this domain is the domain sid itself , which
* is mapped to SID_NAME_DOMAIN above .
*/
continue ;
}
2015-05-09 23:34:31 +03:00
if ( ! ( rids = talloc_array ( tmp_ctx , uint32_t , dom - > num_idxs ) ) ) {
2014-02-20 19:57:21 +04:00
result = NT_STATUS_NO_MEMORY ;
goto fail ;
2006-02-04 01:19:41 +03:00
}
for ( j = 0 ; j < dom - > num_idxs ; j + + ) {
rids [ j ] = name_infos [ dom - > idxs [ j ] ] . rid ;
}
if ( ! lookup_rids ( tmp_ctx , & dom - > sid ,
2006-07-11 22:01:26 +04:00
dom - > num_idxs , rids , & domain_name ,
2006-02-04 01:19:41 +03:00
& names , & types ) ) {
result = NT_STATUS_NO_MEMORY ;
2006-07-11 22:01:26 +04:00
goto fail ;
2006-02-04 01:19:41 +03:00
}
2006-07-11 22:01:26 +04:00
if ( ! ( dom - > name = talloc_strdup ( dom_infos , domain_name ) ) ) {
result = NT_STATUS_NO_MEMORY ;
goto fail ;
}
2011-02-21 22:51:21 +03:00
2006-02-04 01:19:41 +03:00
for ( j = 0 ; j < dom - > num_idxs ; j + + ) {
int idx = dom - > idxs [ j ] ;
name_infos [ idx ] . type = types [ j ] ;
if ( types [ j ] ! = SID_NAME_UNKNOWN ) {
name_infos [ idx ] . name =
2006-07-11 22:01:26 +04:00
talloc_strdup ( name_infos , names [ j ] ) ;
if ( name_infos [ idx ] . name = = NULL ) {
result = NT_STATUS_NO_MEMORY ;
goto fail ;
}
2006-02-04 01:19:41 +03:00
} else {
name_infos [ idx ] . name = NULL ;
}
}
}
2006-07-11 22:01:26 +04:00
* ret_domains = dom_infos ;
* ret_names = name_infos ;
2007-10-27 04:58:28 +04:00
TALLOC_FREE ( tmp_ctx ) ;
2006-07-11 22:01:26 +04:00
return NT_STATUS_OK ;
2006-02-04 01:19:41 +03:00
2006-07-11 22:01:26 +04:00
fail :
TALLOC_FREE ( dom_infos ) ;
TALLOC_FREE ( name_infos ) ;
2006-02-20 20:59:58 +03:00
TALLOC_FREE ( tmp_ctx ) ;
2006-02-04 01:19:41 +03:00
return result ;
}
2005-12-03 21:34:13 +03:00
2006-02-04 01:19:41 +03:00
/*****************************************************************
* THE CANONICAL * convert SID to name function .
2022-04-26 08:10:56 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-12-03 21:34:13 +03:00
2010-05-21 05:25:01 +04:00
bool lookup_sid ( TALLOC_CTX * mem_ctx , const struct dom_sid * sid ,
2006-02-04 01:19:41 +03:00
const char * * ret_domain , const char * * ret_name ,
2006-09-08 18:28:06 +04:00
enum lsa_SidType * ret_type )
2006-02-04 01:19:41 +03:00
{
struct lsa_dom_info * domain ;
struct lsa_name_info * name ;
2018-12-11 19:00:48 +03:00
struct dom_sid_buf buf ;
2006-02-04 01:19:41 +03:00
TALLOC_CTX * tmp_ctx ;
2007-11-27 18:36:06 +03:00
bool ret = false ;
2006-02-04 01:19:41 +03:00
2018-12-11 19:00:48 +03:00
DEBUG ( 10 , ( " lookup_sid called for SID '%s' \n " ,
dom_sid_str_buf ( sid , & buf ) ) ) ;
2008-01-25 03:40:01 +03:00
2006-07-11 22:01:26 +04:00
if ( ! ( tmp_ctx = talloc_new ( mem_ctx ) ) ) {
2006-02-04 01:19:41 +03:00
DEBUG ( 0 , ( " talloc_new failed \n " ) ) ;
2007-11-27 18:36:06 +03:00
return false ;
2005-12-03 21:34:13 +03:00
}
2006-02-04 01:19:41 +03:00
if ( ! NT_STATUS_IS_OK ( lookup_sids ( tmp_ctx , 1 , & sid , 1 ,
& domain , & name ) ) ) {
goto done ;
}
if ( name - > type = = SID_NAME_UNKNOWN ) {
goto done ;
}
2006-07-11 22:01:26 +04:00
if ( ( ret_domain ! = NULL ) & &
! ( * ret_domain = talloc_strdup ( mem_ctx , domain - > name ) ) ) {
goto done ;
2005-12-03 21:34:13 +03:00
}
2022-04-26 08:10:56 +03:00
if ( ( ret_name ! = NULL ) & &
2006-07-11 22:01:26 +04:00
! ( * ret_name = talloc_strdup ( mem_ctx , name - > name ) ) ) {
goto done ;
2005-12-03 21:34:13 +03:00
}
if ( ret_type ! = NULL ) {
2006-02-04 01:19:41 +03:00
* ret_type = name - > type ;
2005-12-03 21:34:13 +03:00
}
2007-11-27 18:36:06 +03:00
ret = true ;
2006-02-04 01:19:41 +03:00
done :
if ( ret ) {
2018-12-11 19:00:48 +03:00
DEBUG ( 10 , ( " Sid %s -> %s \\ %s(%d) \n " ,
dom_sid_str_buf ( sid , & buf ) ,
2007-12-15 23:11:36 +03:00
domain - > name , name - > name , name - > type ) ) ;
2006-02-04 01:19:41 +03:00
} else {
2018-12-11 19:00:48 +03:00
DEBUG ( 10 , ( " failed to lookup sid %s \n " ,
dom_sid_str_buf ( sid , & buf ) ) ) ;
2006-02-04 01:19:41 +03:00
}
2006-02-20 20:59:58 +03:00
TALLOC_FREE ( tmp_ctx ) ;
2006-02-04 01:19:41 +03:00
return ret ;
2003-08-28 00:52:56 +04:00
}
/*****************************************************************
2012-03-16 02:16:23 +04:00
* THE LEGACY * convert SID to id function .
2022-04-26 08:10:56 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-08-28 00:52:56 +04:00
2012-03-23 09:51:47 +04:00
static bool legacy_sid_to_unixid ( const struct dom_sid * psid , struct unixid * id )
2003-08-28 00:52:56 +04:00
{
2012-08-21 08:56:45 +04:00
bool ret ;
2012-08-31 16:41:44 +04:00
2012-08-21 08:56:45 +04:00
become_root ( ) ;
ret = pdb_sid_to_id ( psid , id ) ;
unbecome_root ( ) ;
2012-08-31 16:41:44 +04:00
2012-12-03 11:34:43 +04:00
if ( ! ret ) {
2018-12-11 19:00:48 +03:00
struct dom_sid_buf buf ;
2007-12-15 23:11:36 +03:00
DEBUG ( 10 , ( " LEGACY: mapping failed for sid %s \n " ,
2018-12-11 19:00:48 +03:00
dom_sid_str_buf ( psid , & buf ) ) ) ;
2007-11-27 18:36:06 +03:00
return false ;
2006-02-04 01:19:41 +03:00
}
2003-08-28 00:52:56 +04:00
2007-11-27 18:36:06 +03:00
return true ;
2006-12-12 17:52:13 +03:00
}
2012-03-16 02:16:23 +04:00
static bool legacy_sid_to_gid ( const struct dom_sid * psid , gid_t * pgid )
{
struct unixid id ;
2012-03-23 09:51:47 +04:00
if ( ! legacy_sid_to_unixid ( psid , & id ) ) {
2012-03-16 02:16:23 +04:00
return false ;
}
if ( id . type = = ID_TYPE_GID | | id . type = = ID_TYPE_BOTH ) {
* pgid = id . id ;
return true ;
}
return false ;
}
static bool legacy_sid_to_uid ( const struct dom_sid * psid , uid_t * puid )
{
struct unixid id ;
2012-03-23 09:51:47 +04:00
if ( ! legacy_sid_to_unixid ( psid , & id ) ) {
2012-03-16 02:16:23 +04:00
return false ;
}
if ( id . type = = ID_TYPE_UID | | id . type = = ID_TYPE_BOTH ) {
* puid = id . id ;
return true ;
}
return false ;
}
2019-02-26 17:10:21 +03:00
void xid_to_sid ( struct dom_sid * psid , const struct unixid * xid )
{
bool expired = true ;
bool ret ;
struct dom_sid_buf buf ;
SMB_ASSERT ( xid - > type = = ID_TYPE_UID | | xid - > type = = ID_TYPE_GID ) ;
* psid = ( struct dom_sid ) { 0 } ;
ret = idmap_cache_find_xid2sid ( xid , psid , & expired ) ;
if ( ret & & ! expired ) {
DBG_DEBUG ( " %cID % " PRIu32 " -> %s from cache \n " ,
xid - > type = = ID_TYPE_UID ? ' U ' : ' G ' ,
xid - > id ,
dom_sid_str_buf ( psid , & buf ) ) ;
goto done ;
}
ret = winbind_xid_to_sid ( psid , xid ) ;
if ( ret ) {
/*
* winbind can return an explicit negative mapping
* here . It ' s up to winbind to prime the cache either
* positively or negatively , don ' t mess with the cache
* here .
*/
DBG_DEBUG ( " %cID % " PRIu32 " -> %s from cache \n " ,
xid - > type = = ID_TYPE_UID ? ' U ' : ' G ' ,
xid - > id ,
dom_sid_str_buf ( psid , & buf ) ) ;
goto done ;
}
{
/*
* Make a copy , pdb_id_to_sid might want to turn
* xid - > type into ID_TYPE_BOTH , which we ignore here .
*/
struct unixid rw_xid = * xid ;
become_root ( ) ;
ret = pdb_id_to_sid ( & rw_xid , psid ) ;
unbecome_root ( ) ;
}
if ( ret ) {
DBG_DEBUG ( " %cID % " PRIu32 " -> %s from passdb \n " ,
xid - > type = = ID_TYPE_UID ? ' U ' : ' G ' ,
xid - > id ,
dom_sid_str_buf ( psid , & buf ) ) ;
goto done ;
}
done :
if ( is_null_sid ( psid ) ) {
/*
* Nobody found anything : Return S - 1 - 22 - xx - yy . Don ' t
* store that in caches , this is up to the layers
* beneath us .
*/
if ( xid - > type = = ID_TYPE_UID ) {
uid_to_unix_users_sid ( xid - > id , psid ) ;
} else {
gid_to_unix_groups_sid ( xid - > id , psid ) ;
}
DBG_DEBUG ( " %cID % " PRIu32 " -> %s fallback \n " ,
xid - > type = = ID_TYPE_UID ? ' U ' : ' G ' ,
xid - > id ,
dom_sid_str_buf ( psid , & buf ) ) ;
}
}
2019-02-26 17:17:36 +03:00
void uid_to_sid ( struct dom_sid * psid , uid_t uid )
{
struct unixid xid = { . type = ID_TYPE_UID , . id = uid } ;
xid_to_sid ( psid , & xid ) ;
}
void gid_to_sid ( struct dom_sid * psid , gid_t gid )
{
struct unixid xid = { . type = ID_TYPE_GID , . id = gid } ;
xid_to_sid ( psid , & xid ) ;
}
2012-05-02 11:48:28 +04:00
bool sids_to_unixids ( const struct dom_sid * sids , uint32_t num_sids ,
struct unixid * ids )
2011-03-23 20:31:38 +03:00
{
struct wbcDomainSid * wbc_sids = NULL ;
struct wbcUnixId * wbc_ids = NULL ;
2021-02-20 17:50:12 +03:00
struct bitmap * found = NULL ;
2011-03-23 20:31:38 +03:00
uint32_t i , num_not_cached ;
2021-02-20 17:50:12 +03:00
uint32_t wbc_ids_size = 0 ;
2011-03-23 20:31:38 +03:00
wbcErr err ;
bool ret = false ;
2011-06-07 05:30:12 +04:00
wbc_sids = talloc_array ( talloc_tos ( ) , struct wbcDomainSid , num_sids ) ;
2011-03-23 20:31:38 +03:00
if ( wbc_sids = = NULL ) {
return false ;
}
2021-02-20 17:50:12 +03:00
found = bitmap_talloc ( wbc_sids , num_sids ) ;
if ( found = = NULL ) {
goto fail ;
}
/*
* We go through the requested SID array three times .
* First time to look for global_sid_Unix_Users
* and global_sid_Unix_Groups SIDS , and to look
* for mappings cached in the idmap_cache .
*
* Use bitmap_set ( ) to mark an ids [ ] array entry as
* being mapped .
*/
2011-03-23 20:31:38 +03:00
num_not_cached = 0 ;
for ( i = 0 ; i < num_sids ; i + + ) {
bool expired ;
uint32_t rid ;
if ( sid_peek_check_rid ( & global_sid_Unix_Users ,
& sids [ i ] , & rid ) ) {
2012-03-23 10:30:34 +04:00
ids [ i ] . type = ID_TYPE_UID ;
ids [ i ] . id = rid ;
2021-02-20 17:50:12 +03:00
bitmap_set ( found , i ) ;
2011-03-23 20:31:38 +03:00
continue ;
}
if ( sid_peek_check_rid ( & global_sid_Unix_Groups ,
& sids [ i ] , & rid ) ) {
2012-03-23 10:30:34 +04:00
ids [ i ] . type = ID_TYPE_GID ;
ids [ i ] . id = rid ;
2021-02-20 17:50:12 +03:00
bitmap_set ( found , i ) ;
2011-03-23 20:31:38 +03:00
continue ;
}
2012-03-23 14:11:33 +04:00
if ( idmap_cache_find_sid2unixid ( & sids [ i ] , & ids [ i ] , & expired )
& & ! expired )
{
2021-02-20 17:50:12 +03:00
bitmap_set ( found , i ) ;
2011-03-23 20:31:38 +03:00
continue ;
}
2012-03-23 10:30:34 +04:00
ids [ i ] . type = ID_TYPE_NOT_SPECIFIED ;
2011-03-23 20:31:38 +03:00
memcpy ( & wbc_sids [ num_not_cached ] , & sids [ i ] ,
ndr_size_dom_sid ( & sids [ i ] , 0 ) ) ;
num_not_cached + = 1 ;
}
if ( num_not_cached = = 0 ) {
goto done ;
}
2021-02-20 17:50:12 +03:00
/*
* For the ones that we couldn ' t map in the loop above , query winbindd
* via wbcSidsToUnixIds ( ) .
*/
wbc_ids_size = num_not_cached ;
wbc_ids = talloc_array ( talloc_tos ( ) , struct wbcUnixId , wbc_ids_size ) ;
2011-03-23 20:31:38 +03:00
if ( wbc_ids = = NULL ) {
goto fail ;
}
2021-02-20 17:50:12 +03:00
for ( i = 0 ; i < wbc_ids_size ; i + + ) {
2011-03-23 20:31:38 +03:00
wbc_ids [ i ] . type = WBC_ID_TYPE_NOT_SPECIFIED ;
2021-02-20 17:50:12 +03:00
wbc_ids [ i ] . id . gid = ( uint32_t ) - 1 ;
2011-03-23 20:31:38 +03:00
}
2021-02-20 17:50:12 +03:00
err = wbcSidsToUnixIds ( wbc_sids , wbc_ids_size , wbc_ids ) ;
2011-03-23 20:31:38 +03:00
if ( ! WBC_ERROR_IS_OK ( err ) ) {
DEBUG ( 10 , ( " wbcSidsToUnixIds returned %s \n " ,
wbcErrorString ( err ) ) ) ;
}
2021-02-20 17:50:12 +03:00
/*
* Second time through the SID array , replace
* the ids [ ] entries that wbcSidsToUnixIds ( ) was able to
* map .
*
* Use bitmap_set ( ) to mark an ids [ ] array entry as
* being mapped .
*/
2011-03-23 20:31:38 +03:00
num_not_cached = 0 ;
for ( i = 0 ; i < num_sids ; i + + ) {
2021-02-20 17:50:12 +03:00
if ( bitmap_query ( found , i ) ) {
continue ;
}
SMB_ASSERT ( num_not_cached < wbc_ids_size ) ;
switch ( wbc_ids [ num_not_cached ] . type ) {
case WBC_ID_TYPE_UID :
ids [ i ] . type = ID_TYPE_UID ;
ids [ i ] . id = wbc_ids [ num_not_cached ] . id . uid ;
bitmap_set ( found , i ) ;
break ;
case WBC_ID_TYPE_GID :
ids [ i ] . type = ID_TYPE_GID ;
ids [ i ] . id = wbc_ids [ num_not_cached ] . id . gid ;
bitmap_set ( found , i ) ;
break ;
case WBC_ID_TYPE_BOTH :
ids [ i ] . type = ID_TYPE_BOTH ;
ids [ i ] . id = wbc_ids [ num_not_cached ] . id . uid ;
bitmap_set ( found , i ) ;
break ;
case WBC_ID_TYPE_NOT_SPECIFIED :
/*
* wbcSidsToUnixIds ( ) wasn ' t able to map this
* so we still need to check legacy_sid_to_XXX ( )
* below . Don ' t mark the bitmap entry
* as being found so the final loop knows
* to try and map this entry .
*/
ids [ i ] . type = ID_TYPE_NOT_SPECIFIED ;
ids [ i ] . id = ( uint32_t ) - 1 ;
break ;
default :
/*
* A successful return from wbcSidsToUnixIds ( )
* cannot return anything other than the values
* checked for above . Ensure this is so .
*/
smb_panic ( __location__ ) ;
break ;
2011-03-23 20:31:38 +03:00
}
2021-02-20 17:50:12 +03:00
num_not_cached + = 1 ;
2011-03-23 20:31:38 +03:00
}
2021-02-20 17:50:12 +03:00
/*
* Third and final time through the SID array ,
* try legacy_sid_to_gid ( ) / legacy_sid_to_uid ( )
* for entries we haven ' t already been able to
* map .
*
* Use bitmap_set ( ) to mark an ids [ ] array entry as
* being mapped .
*/
2011-03-23 20:31:38 +03:00
for ( i = 0 ; i < num_sids ; i + + ) {
2021-02-20 17:50:12 +03:00
if ( bitmap_query ( found , i ) ) {
2011-03-23 20:31:38 +03:00
continue ;
}
2012-03-23 10:30:34 +04:00
if ( legacy_sid_to_gid ( & sids [ i ] , & ids [ i ] . id ) ) {
ids [ i ] . type = ID_TYPE_GID ;
2021-02-20 17:50:12 +03:00
bitmap_set ( found , i ) ;
2011-03-23 20:31:38 +03:00
continue ;
}
2012-03-23 10:30:34 +04:00
if ( legacy_sid_to_uid ( & sids [ i ] , & ids [ i ] . id ) ) {
ids [ i ] . type = ID_TYPE_UID ;
2021-02-20 17:50:12 +03:00
bitmap_set ( found , i ) ;
2011-03-23 20:31:38 +03:00
continue ;
}
}
done :
2021-02-20 17:50:12 +03:00
/*
* Pass through the return array for consistency .
* Any ids [ ] . id mapped to ( uint32_t ) - 1 must be returned
* as ID_TYPE_NOT_SPECIFIED .
*/
2012-05-24 05:42:26 +04:00
for ( i = 0 ; i < num_sids ; i + + ) {
switch ( ids [ i ] . type ) {
2020-09-15 17:46:44 +03:00
case ID_TYPE_GID :
case ID_TYPE_UID :
case ID_TYPE_BOTH :
2021-02-20 17:50:12 +03:00
if ( ids [ i ] . id = = ( uint32_t ) - 1 ) {
2012-05-24 05:42:26 +04:00
ids [ i ] . type = ID_TYPE_NOT_SPECIFIED ;
}
break ;
2020-09-15 17:46:44 +03:00
case ID_TYPE_NOT_SPECIFIED :
2012-05-24 05:42:26 +04:00
break ;
2020-09-15 18:26:11 +03:00
case ID_TYPE_WB_REQUIRE_TYPE :
/*
* these are internal between winbindd
* parent and child .
*/
smb_panic ( __location__ ) ;
break ;
2012-05-24 05:42:26 +04:00
}
}
2011-03-23 20:31:38 +03:00
ret = true ;
fail :
TALLOC_FREE ( wbc_ids ) ;
TALLOC_FREE ( wbc_sids ) ;
return ret ;
}
2006-12-12 17:52:13 +03:00
/*****************************************************************
2008-07-11 19:44:44 +04:00
* THE CANONICAL * convert SID to uid function .
2022-04-26 08:10:56 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-12-12 17:52:13 +03:00
2010-05-21 05:25:01 +04:00
bool sid_to_uid ( const struct dom_sid * psid , uid_t * puid )
2006-12-12 17:52:13 +03:00
{
2008-08-27 01:52:11 +04:00
bool expired = true ;
2008-08-27 02:51:56 +04:00
bool ret ;
2015-05-09 23:34:31 +03:00
uint32_t rid ;
2018-12-11 19:00:48 +03:00
struct dom_sid_buf buf ;
2006-12-12 17:52:13 +03:00
2007-05-22 00:51:15 +04:00
/* Optimize for the Unix Users Domain
* as the conversion is straightforward */
2008-07-11 19:44:52 +04:00
if ( sid_peek_check_rid ( & global_sid_Unix_Users , psid , & rid ) ) {
uid_t uid = rid ;
* puid = uid ;
2007-05-22 00:51:15 +04:00
/* return here, don't cache */
2018-12-11 19:00:48 +03:00
DEBUG ( 10 , ( " sid %s -> uid %u \n " ,
dom_sid_str_buf ( psid , & buf ) ,
( unsigned int ) * puid ) ) ;
2007-11-27 18:36:06 +03:00
return true ;
2007-05-22 00:51:15 +04:00
}
2019-02-06 19:02:53 +03:00
if ( sid_check_is_in_unix_groups ( psid ) ) {
DBG_DEBUG ( " SID %s is a group, failing \n " ,
dom_sid_str_buf ( psid , & buf ) ) ;
return false ;
}
2008-08-27 01:52:11 +04:00
/* Check the winbindd cache directly. */
2008-08-27 02:51:56 +04:00
ret = idmap_cache_find_sid2uid ( psid , puid , & expired ) ;
2003-08-28 00:52:56 +04:00
2008-08-27 05:05:34 +04:00
if ( ret & & ! expired & & ( * puid = = ( uid_t ) - 1 ) ) {
2008-08-27 03:14:25 +04:00
/*
* Negative cache entry , we already asked .
* do legacy .
*/
return legacy_sid_to_uid ( psid , puid ) ;
}
if ( ! ret | | expired ) {
2008-08-27 01:52:11 +04:00
/* Not in cache. Ask winbindd. */
if ( ! winbind_sid_to_uid ( puid , psid ) ) {
DEBUG ( 5 , ( " winbind failed to find a uid for sid %s \n " ,
2018-12-11 19:00:48 +03:00
dom_sid_str_buf ( psid , & buf ) ) ) ;
2009-04-17 00:42:40 +04:00
/* winbind failed. do legacy */
return legacy_sid_to_uid ( psid , puid ) ;
2008-08-27 01:52:11 +04:00
}
2003-08-28 00:52:56 +04:00
}
2006-12-12 17:52:13 +03:00
/* TODO: Here would be the place to allocate both a gid and a uid for
* the SID in question */
2018-12-11 19:00:48 +03:00
DEBUG ( 10 , ( " sid %s -> uid %u \n " ,
dom_sid_str_buf ( psid , & buf ) ,
2006-12-12 17:52:13 +03:00
( unsigned int ) * puid ) ) ;
2007-11-27 18:36:06 +03:00
return true ;
2006-12-12 17:52:13 +03:00
}
/*****************************************************************
2008-07-11 19:44:44 +04:00
* THE CANONICAL * convert SID to gid function .
Group mapping is used for gids that maps to Wellknown SIDs
2022-04-26 08:10:56 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-12-12 17:52:13 +03:00
2010-05-21 05:25:01 +04:00
bool sid_to_gid ( const struct dom_sid * psid , gid_t * pgid )
2006-12-12 17:52:13 +03:00
{
2008-08-27 01:52:11 +04:00
bool expired = true ;
2008-08-27 02:51:56 +04:00
bool ret ;
2015-05-09 23:34:31 +03:00
uint32_t rid ;
2018-12-11 19:00:48 +03:00
struct dom_sid_buf buf ;
2006-12-12 17:52:13 +03:00
2007-05-22 00:51:15 +04:00
/* Optimize for the Unix Groups Domain
* as the conversion is straightforward */
2008-07-11 19:44:52 +04:00
if ( sid_peek_check_rid ( & global_sid_Unix_Groups , psid , & rid ) ) {
gid_t gid = rid ;
* pgid = gid ;
2007-05-22 00:51:15 +04:00
/* return here, don't cache */
2018-12-11 19:00:48 +03:00
DEBUG ( 10 , ( " sid %s -> gid %u \n " ,
dom_sid_str_buf ( psid , & buf ) ,
2008-07-11 19:44:52 +04:00
( unsigned int ) * pgid ) ) ;
2007-11-27 18:36:06 +03:00
return true ;
2007-05-22 00:51:15 +04:00
}
2019-02-06 19:02:53 +03:00
if ( sid_check_is_in_unix_users ( psid ) ) {
DBG_DEBUG ( " SID %s is a user, failing \n " ,
dom_sid_str_buf ( psid , & buf ) ) ;
return false ;
}
2008-08-27 01:52:11 +04:00
/* Check the winbindd cache directly. */
2008-08-27 02:51:56 +04:00
ret = idmap_cache_find_sid2gid ( psid , pgid , & expired ) ;
2003-08-28 00:52:56 +04:00
2008-08-27 05:05:34 +04:00
if ( ret & & ! expired & & ( * pgid = = ( gid_t ) - 1 ) ) {
2008-08-27 03:14:25 +04:00
/*
* Negative cache entry , we already asked .
* do legacy .
*/
return legacy_sid_to_gid ( psid , pgid ) ;
}
if ( ! ret | | expired ) {
2008-08-27 02:51:56 +04:00
/* Not in cache or negative. Ask winbindd. */
2008-08-27 01:52:11 +04:00
/* Ask winbindd if it can map this sid to a gid.
* ( Idmap will check it is a valid SID and of the right type ) */
2006-12-12 17:52:13 +03:00
2008-08-27 01:52:11 +04:00
if ( ! winbind_sid_to_gid ( pgid , psid ) ) {
2006-12-12 17:52:13 +03:00
2008-08-27 01:52:11 +04:00
DEBUG ( 10 , ( " winbind failed to find a gid for sid %s \n " ,
2018-12-11 19:00:48 +03:00
dom_sid_str_buf ( psid , & buf ) ) ) ;
2009-04-17 00:42:40 +04:00
/* winbind failed. do legacy */
return legacy_sid_to_gid ( psid , pgid ) ;
2008-08-27 01:52:11 +04:00
}
2003-08-28 00:52:56 +04:00
}
2018-12-11 19:00:48 +03:00
DEBUG ( 10 , ( " sid %s -> gid %u \n " ,
dom_sid_str_buf ( psid , & buf ) ,
2005-12-03 21:34:13 +03:00
( unsigned int ) * pgid ) ) ;
2003-08-28 00:52:56 +04:00
2007-11-27 18:36:06 +03:00
return true ;
2003-08-28 00:52:56 +04:00
}
2010-05-29 18:51:40 +04:00
/**
* @ brief This function gets the primary group SID mapping the primary
* GID of the user as obtained by an actual getpwnam ( ) call .
* This is necessary to avoid issues with arbitrary group SIDs
* stored in passdb . We try as hard as we can to get the SID
* corresponding to the GID , including trying group mapping .
* If nothing else works , we will force " Domain Users " as the
* primary group .
* This is needed because we must always be able to lookup the
* primary group SID , so we cannot settle for an arbitrary SID .
*
* This call can be expensive . Use with moderation .
* If you have a " samu " struct around use pdb_get_group_sid ( )
* instead as it does properly cache results .
*
* @ param mem_ctx [ in ] The memory context iused to allocate the result .
* @ param username [ in ] The user ' s name
* @ param _pwd [ in | out ] If available , pass in user ' s passwd struct .
* It will contain a tallocated passwd if NULL was
* passed in .
* @ param _group_sid [ out ] The user ' s Primary Group SID
*
* @ return NTSTATUS error code .
*/
NTSTATUS get_primary_group_sid ( TALLOC_CTX * mem_ctx ,
const char * username ,
struct passwd * * _pwd ,
struct dom_sid * * _group_sid )
{
TALLOC_CTX * tmp_ctx ;
bool need_lookup_sid = false ;
struct dom_sid * group_sid ;
struct passwd * pwd = * _pwd ;
tmp_ctx = talloc_new ( mem_ctx ) ;
if ( ! tmp_ctx ) {
return NT_STATUS_NO_MEMORY ;
}
if ( ! pwd ) {
pwd = Get_Pwnam_alloc ( mem_ctx , username ) ;
if ( ! pwd ) {
2014-08-08 21:19:41 +04:00
DEBUG ( 0 , ( " Failed to find a Unix account for %s \n " ,
2010-05-29 18:51:40 +04:00
username ) ) ;
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_SUCH_USER ;
}
}
group_sid = talloc_zero ( mem_ctx , struct dom_sid ) ;
if ( ! group_sid ) {
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
gid_to_sid ( group_sid , pwd - > pw_gid ) ;
if ( ! is_null_sid ( group_sid ) ) {
struct dom_sid domain_sid ;
uint32_t rid ;
/* We need a sid within our domain */
sid_copy ( & domain_sid , group_sid ) ;
sid_split_rid ( & domain_sid , & rid ) ;
2010-08-26 17:48:50 +04:00
if ( dom_sid_equal ( & domain_sid , get_global_sam_sid ( ) ) ) {
2010-05-29 18:51:40 +04:00
/*
* As shortcut for the expensive lookup_sid call
* compare the domain sid part
*/
switch ( rid ) {
case DOMAIN_RID_ADMINS :
case DOMAIN_RID_USERS :
goto done ;
default :
need_lookup_sid = true ;
break ;
}
} else {
/* Try group mapping */
2014-11-25 04:45:26 +03:00
struct unixid id ;
id . id = pwd - > pw_gid ;
id . type = ID_TYPE_GID ;
2010-05-29 18:51:40 +04:00
ZERO_STRUCTP ( group_sid ) ;
2014-11-25 04:45:26 +03:00
if ( pdb_id_to_sid ( & id , group_sid ) ) {
2010-05-29 18:51:40 +04:00
need_lookup_sid = true ;
}
}
}
/* We must verify that this is a valid SID that resolves to a
* group of the correct type */
if ( need_lookup_sid ) {
enum lsa_SidType type = SID_NAME_UNKNOWN ;
bool lookup_ret ;
2018-12-11 19:00:48 +03:00
struct dom_sid_buf buf ;
2010-05-29 18:51:40 +04:00
DEBUG ( 10 , ( " do lookup_sid(%s) for group of user %s \n " ,
2018-12-11 19:00:48 +03:00
dom_sid_str_buf ( group_sid , & buf ) ,
username ) ) ;
2010-05-29 18:51:40 +04:00
/* Now check that it's actually a domain group and
* not something else */
lookup_ret = lookup_sid ( tmp_ctx , group_sid ,
NULL , NULL , & type ) ;
if ( lookup_ret & & ( type = = SID_NAME_DOM_GRP ) ) {
goto done ;
}
DEBUG ( 3 , ( " Primary group %s for user %s is "
" a %s and not a domain group \n " ,
2018-12-11 19:00:48 +03:00
dom_sid_str_buf ( group_sid , & buf ) ,
username ,
2010-05-29 18:51:40 +04:00
sid_type_lookup ( type ) ) ) ;
}
/* Everything else, failed.
* Just set it to the ' Domain Users ' RID of 513 which will
always resolve to a name */
DEBUG ( 3 , ( " Forcing Primary Group to 'Domain Users' for %s \n " ,
username ) ) ;
sid_compose ( group_sid , get_global_sam_sid ( ) , DOMAIN_RID_USERS ) ;
done :
* _pwd = talloc_move ( mem_ctx , & pwd ) ;
* _group_sid = talloc_move ( mem_ctx , & group_sid ) ;
TALLOC_FREE ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
2011-02-18 16:42:18 +03:00