sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-29 21:47:30 +03:00
Code
samba-mirror/source3/libsmb/netlogon_unigrp.c

159 lines
4.6 KiB
C
Raw Normal View History

Many thanks to Alexander Bokovoy <a.bokovoy@sam-solutions.net>. This work was sponsored by Optifacio Software Services, Inc. Andrew Bartlett (various e-mails announcements merged into some form of commit message below:) This patch which adds basics of universal groups support into Samba 3. Currently, only Winbind with RPC calls supports this, ADS support requires additional (possibly huge) work on KRB5 PAC. However, basic infrastructure is here. This patch adds: 1. Storing of universal groups for particular user logged into Samba software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb. 2. Fetching of unversal groups for given user rid and domain sid from netlogon_unigrp.tdb. Since this is used in both smbd and winbindd, main code is in source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ. This patch has had a few versions, the final version in particular: Many thanks to Andrew Bartlett for critics and comments, and partly rewritten code. New: - updated fetching code to changed byte order macros - moved functions to proper namespace - optimized memory usage by reusing caller's memory context - enhanced code to more follow Samba coding rules Todo: - proper universal group expiration after timeout (This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43)
2002-01-12 23:57:10 +00:00
/*
Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-30 06:08:46 +00:00
Unix SMB/CIFS implementation.
Many thanks to Alexander Bokovoy <a.bokovoy@sam-solutions.net>. This work was sponsored by Optifacio Software Services, Inc. Andrew Bartlett (various e-mails announcements merged into some form of commit message below:) This patch which adds basics of universal groups support into Samba 3. Currently, only Winbind with RPC calls supports this, ADS support requires additional (possibly huge) work on KRB5 PAC. However, basic infrastructure is here. This patch adds: 1. Storing of universal groups for particular user logged into Samba software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb. 2. Fetching of unversal groups for given user rid and domain sid from netlogon_unigrp.tdb. Since this is used in both smbd and winbindd, main code is in source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ. This patch has had a few versions, the final version in particular: Many thanks to Andrew Bartlett for critics and comments, and partly rewritten code. New: - updated fetching code to changed byte order macros - moved functions to proper namespace - optimized memory usage by reusing caller's memory context - enhanced code to more follow Samba coding rules Todo: - proper universal group expiration after timeout (This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43)
2002-01-12 23:57:10 +00:00
Universal groups helpers
Copyright (C) Alexander Bokovoy 2002.
Copyright (C) Andrew Bartlett 2002.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
This work was sponsored by Optifacio Software Services, Inc.
*/
#include "includes.h"
/*
Handle for netlogon_unigrp.tdb database. It is used internally
in cli_store_uni_groups_*() and cli_fetch_uni_groups()
and is initialized on first call to cli_store_uni_groups_*()
*/
static TDB_CONTEXT *netlogon_unigrp_tdb = NULL;
/*
Store universal groups info into netlogon_unigrp.tdb for
later usage. We use 'domain_SID/user_rid' as key and
array of uint32 where array[0] is number of elements
and elements are array[1] ... array[array[0]]
*/
Fix up a security issue with the way we handle domain groups retuned on the info3. These are RIDs, and it only makes sense to combine them with the domain SID returned with them. This is important for trusted domains, where that sid might be other than the one we currently reterive from the secrets.tdb. Also remove the become_root()/unbecome_root() wrapper from around both remaining TDB users: Both are now initialised at smbd startup. Andrew Bartlett (This used to be commit 554842e0a55155193f25aefca6480b89d5c512ca)
2002-01-26 06:24:53 +00:00
BOOL uni_group_cache_init(void)
{
if (!netlogon_unigrp_tdb) {
netlogon_unigrp_tdb = tdb_open_log(lock_path("netlogon_unigrp.tdb"), 0,
this tdb was being opened without locking, which is unsafe for shared databases (This used to be commit 1394e6ed318af5fc740aa5622919f9fd26d5a8d2)
2002-03-15 09:19:51 +00:00
TDB_DEFAULT, O_RDWR | O_CREAT, 0644);
Fix up a security issue with the way we handle domain groups retuned on the info3. These are RIDs, and it only makes sense to combine them with the domain SID returned with them. This is important for trusted domains, where that sid might be other than the one we currently reterive from the secrets.tdb. Also remove the become_root()/unbecome_root() wrapper from around both remaining TDB users: Both are now initialised at smbd startup. Andrew Bartlett (This used to be commit 554842e0a55155193f25aefca6480b89d5c512ca)
2002-01-26 06:24:53 +00:00
}
return (netlogon_unigrp_tdb != NULL);
}
Many thanks to Alexander Bokovoy <a.bokovoy@sam-solutions.net>. This work was sponsored by Optifacio Software Services, Inc. Andrew Bartlett (various e-mails announcements merged into some form of commit message below:) This patch which adds basics of universal groups support into Samba 3. Currently, only Winbind with RPC calls supports this, ADS support requires additional (possibly huge) work on KRB5 PAC. However, basic infrastructure is here. This patch adds: 1. Storing of universal groups for particular user logged into Samba software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb. 2. Fetching of unversal groups for given user rid and domain sid from netlogon_unigrp.tdb. Since this is used in both smbd and winbindd, main code is in source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ. This patch has had a few versions, the final version in particular: Many thanks to Andrew Bartlett for critics and comments, and partly rewritten code. New: - updated fetching code to changed byte order macros - moved functions to proper namespace - optimized memory usage by reusing caller's memory context - enhanced code to more follow Samba coding rules Todo: - proper universal group expiration after timeout (This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43)
2002-01-12 23:57:10 +00:00
void uni_group_cache_store_netlogon(TALLOC_CTX *mem_ctx, NET_USER_INFO_3 *user)
{
TDB_DATA key,data;
fstring keystr;
int i;
Fix up a security issue with the way we handle domain groups retuned on the info3. These are RIDs, and it only makes sense to combine them with the domain SID returned with them. This is important for trusted domains, where that sid might be other than the one we currently reterive from the secrets.tdb. Also remove the become_root()/unbecome_root() wrapper from around both remaining TDB users: Both are now initialised at smbd startup. Andrew Bartlett (This used to be commit 554842e0a55155193f25aefca6480b89d5c512ca)
2002-01-26 06:24:53 +00:00
if (!uni_group_cache_init()) {
Many thanks to Alexander Bokovoy <a.bokovoy@sam-solutions.net>. This work was sponsored by Optifacio Software Services, Inc. Andrew Bartlett (various e-mails announcements merged into some form of commit message below:) This patch which adds basics of universal groups support into Samba 3. Currently, only Winbind with RPC calls supports this, ADS support requires additional (possibly huge) work on KRB5 PAC. However, basic infrastructure is here. This patch adds: 1. Storing of universal groups for particular user logged into Samba software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb. 2. Fetching of unversal groups for given user rid and domain sid from netlogon_unigrp.tdb. Since this is used in both smbd and winbindd, main code is in source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ. This patch has had a few versions, the final version in particular: Many thanks to Andrew Bartlett for critics and comments, and partly rewritten code. New: - updated fetching code to changed byte order macros - moved functions to proper namespace - optimized memory usage by reusing caller's memory context - enhanced code to more follow Samba coding rules Todo: - proper universal group expiration after timeout (This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43)
2002-01-12 23:57:10 +00:00
DEBUG(0,("uni_group_cache_store_netlogon: cannot open netlogon_unigrp.tdb for write!\n"));
return;
}
/* Prepare key as DOMAIN-SID/USER-RID string */
slprintf(keystr, sizeof(keystr), "%s/%d",
sid_string_static(&user->dom_sid.sid), user->user_rid);
key.dptr = keystr;
key.dsize = strlen(keystr) + 1;
/* Prepare data */
data.dsize = (user->num_groups2+1)*sizeof(uint32);
data.dptr = talloc(mem_ctx, data.dsize);
if(!data.dptr) {
DEBUG(0,("uni_group_cache_store_netlogon: cannot allocate memory!\n"));
talloc_destroy(mem_ctx);
return;
}
/* Store data in byteorder-independent format */
SIVAL(&((uint32*)data.dptr)[0],0,user->num_groups2);
for(i=1; i<=user->num_groups2; i++) {
SIVAL(&((uint32*)data.dptr)[i],0,user->gids[i-1].g_rid);
}
tdb_store(netlogon_unigrp_tdb, key, data, TDB_REPLACE);
}
/*
Fetch universal groups info from netlogon_unigrp.tdb for given
domain sid and user rid and allocate it using given mem_ctx.
Universal groups are returned as array of uint32 elements
and elements are array[0] ... array[num_elements-1]
*/
uint32* uni_group_cache_fetch(DOM_SID *domain, uint32 user_rid,
TALLOC_CTX *mem_ctx, uint32 *num_groups)
{
TDB_DATA key,data;
fstring keystr;
uint32 *groups;
uint32 i;
uint32 group_count;
if (!domain) {
DEBUG(1,("uni_group_cache_fetch: expected non-null domain sid\n"));
return NULL;
}
if (!mem_ctx) {
DEBUG(1,("uni_group_cache_fetch: expected non-null memory context\n"));
return NULL;
}
if (!num_groups) {
DEBUG(1,("uni_group_cache_fetch: expected non-null num_groups\n"));
return NULL;
}
if (!netlogon_unigrp_tdb) {
netlogon_unigrp_tdb = tdb_open_log(lock_path("netlogon_unigrp.tdb"), 0,
this tdb was being opened without locking, which is unsafe for shared databases (This used to be commit 1394e6ed318af5fc740aa5622919f9fd26d5a8d2)
2002-03-15 09:19:51 +00:00
TDB_DEFAULT, O_RDWR, 0644);
Many thanks to Alexander Bokovoy <a.bokovoy@sam-solutions.net>. This work was sponsored by Optifacio Software Services, Inc. Andrew Bartlett (various e-mails announcements merged into some form of commit message below:) This patch which adds basics of universal groups support into Samba 3. Currently, only Winbind with RPC calls supports this, ADS support requires additional (possibly huge) work on KRB5 PAC. However, basic infrastructure is here. This patch adds: 1. Storing of universal groups for particular user logged into Samba software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb. 2. Fetching of unversal groups for given user rid and domain sid from netlogon_unigrp.tdb. Since this is used in both smbd and winbindd, main code is in source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ. This patch has had a few versions, the final version in particular: Many thanks to Andrew Bartlett for critics and comments, and partly rewritten code. New: - updated fetching code to changed byte order macros - moved functions to proper namespace - optimized memory usage by reusing caller's memory context - enhanced code to more follow Samba coding rules Todo: - proper universal group expiration after timeout (This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43)
2002-01-12 23:57:10 +00:00
}
if (!netlogon_unigrp_tdb) {
DEBUG(5,("uni_group_cache_fetch: cannot open netlogon_unigrp.tdb for read - normal if not created yet\n"));
return NULL;
}
*num_groups = 0;
/* Fetch universal groups */
slprintf(keystr, sizeof(keystr), "%s/%d",
sid_string_static(domain), user_rid);
key.dptr = keystr;
key.dsize = strlen(keystr) + 1;
data = tdb_fetch(netlogon_unigrp_tdb, key);
/* There is no cached universal groups in netlogon_unigrp.tdb */
/* for this user. */
Lots of fixes for error paths where tdb_fetch() data need freeing. Found via a post from Arcady Chernyak <Arcady.Chernyak@efi.com>. Jeremy. (This used to be commit 19f86f1f72aca924e9e320e20a175b5d21de45ad)
2002-11-23 02:52:38 +00:00
if (!data.dptr)
return NULL;
Many thanks to Alexander Bokovoy <a.bokovoy@sam-solutions.net>. This work was sponsored by Optifacio Software Services, Inc. Andrew Bartlett (various e-mails announcements merged into some form of commit message below:) This patch which adds basics of universal groups support into Samba 3. Currently, only Winbind with RPC calls supports this, ADS support requires additional (possibly huge) work on KRB5 PAC. However, basic infrastructure is here. This patch adds: 1. Storing of universal groups for particular user logged into Samba software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb. 2. Fetching of unversal groups for given user rid and domain sid from netlogon_unigrp.tdb. Since this is used in both smbd and winbindd, main code is in source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ. This patch has had a few versions, the final version in particular: Many thanks to Andrew Bartlett for critics and comments, and partly rewritten code. New: - updated fetching code to changed byte order macros - moved functions to proper namespace - optimized memory usage by reusing caller's memory context - enhanced code to more follow Samba coding rules Todo: - proper universal group expiration after timeout (This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43)
2002-01-12 23:57:10 +00:00
/* Transfer data to receiver's memory context */
group_count = IVAL(&((uint32*)data.dptr)[0],0);
groups = talloc(mem_ctx, (group_count)*sizeof(uint32));
if (groups) {
for(i=0; i<group_count; i++) {
groups[i] = IVAL(&((uint32*)data.dptr)[i+1],0);
}
} else {
DEBUG(1,("uni_group_cache_fetch: cannot allocate uni groups in receiver's memory context\n"));
}
SAFE_FREE(data.dptr);
*num_groups = group_count;
return groups;
}
/* Shutdown netlogon_unigrp database */
void uni_group_cache_shutdown(void)
{
Fix up a security issue with the way we handle domain groups retuned on the info3. These are RIDs, and it only makes sense to combine them with the domain SID returned with them. This is important for trusted domains, where that sid might be other than the one we currently reterive from the secrets.tdb. Also remove the become_root()/unbecome_root() wrapper from around both remaining TDB users: Both are now initialised at smbd startup. Andrew Bartlett (This used to be commit 554842e0a55155193f25aefca6480b89d5c512ca)
2002-01-26 06:24:53 +00:00
if(netlogon_unigrp_tdb) {
tdb_close(netlogon_unigrp_tdb);
}
Many thanks to Alexander Bokovoy <a.bokovoy@sam-solutions.net>. This work was sponsored by Optifacio Software Services, Inc. Andrew Bartlett (various e-mails announcements merged into some form of commit message below:) This patch which adds basics of universal groups support into Samba 3. Currently, only Winbind with RPC calls supports this, ADS support requires additional (possibly huge) work on KRB5 PAC. However, basic infrastructure is here. This patch adds: 1. Storing of universal groups for particular user logged into Samba software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb. 2. Fetching of unversal groups for given user rid and domain sid from netlogon_unigrp.tdb. Since this is used in both smbd and winbindd, main code is in source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ. This patch has had a few versions, the final version in particular: Many thanks to Andrew Bartlett for critics and comments, and partly rewritten code. New: - updated fetching code to changed byte order macros - moved functions to proper namespace - optimized memory usage by reusing caller's memory context - enhanced code to more follow Samba coding rules Todo: - proper universal group expiration after timeout (This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43)
2002-01-12 23:57:10 +00:00
}
Copy Permalink