sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code

This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.

Browse Source
This commit is contained in:
cvs2svn Import User 0001-01-01 00:00:00 +00:00
commit f1e5990657
3 changed files with 784 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
docs/docbook/projdoc/StandAloneServer.xml Normal file
View File

@ -0,0 +1,47 @@
<chapter id="StandAloneServer">
<chapterinfo>
&author.jht;
</chapterinfo>
<title>Stand-Alone Servers</title>
<sect1>
<title>Stand Alone Server</title>
<para>
The term <emphasis>stand alone server</emphasis> means that the server
will provide local authentication and access control for all resources
that are available from it. In general this means that there will be a
local user database. In more technical terms, it means that resources
on the machine will either be made available in either SHARE mode or in
USER mode. SHARE mode and USER mode security are documented under
discussions regarding "security mode". The smb.conf configuration parameters
that control security mode are: "security = user" and "security = share".
</para>
<para>
No special action is needed other than to create user accounts. Stand-alone
servers do NOT provide network logon services, meaning that machines that
use this server do NOT perform a domain logon but instead make use only of
the MS Windows logon which is local to the MS Windows workstation/server.
</para>
<para>
Samba tends to blur the distinction a little in respect of what is
a stand alone server. This is because the authentication database may be
local or on a remote server, even if from the samba protocol perspective
the samba server is NOT a member of a domain security context.
</para>
<para>
Through the use of PAM (Pluggable Authentication Modules) and nsswitch
(the name service switcher) the source of authentication may reside on
another server. We would be inclined to call this the authentication server.
This means that the samba server may use the local Unix/Linux system
password database (/etc/passwd or /etc/shadow), may use a local smbpasswd
file (/etc/samba/smbpasswd or /usr/local/samba/lib/private/smbpasswd), or
may use an LDAP back end, or even via PAM and Winbind another CIFS/SMB
server for authentication.
</para>
</sect1>
</chapter>

360
source/nsswitch/winbindd_passdb.c Normal file
View File

@ -0,0 +1,360 @@
/*
Unix SMB/CIFS implementation.
Winbind rpc backend functions
Copyright (C) Tim Potter 2000-2001,2003
Copyright (C) Simo Sorce 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "winbindd.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
/* Query display info for a domain. This returns enough information plus a
bit extra to give an overview of domain users for the User Manager
application. */
static NTSTATUS query_user_list(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_entries,
WINBIND_USERINFO **info)
{
SAM_ACCOUNT *sam_account = NULL;
NTSTATUS result;
uint32 i;
DEBUG(3,("pdb: query_user_list\n"));
if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) {
return result;
}
i = 0;
*info = NULL;
if (pdb_setsampwent(False)) {
while (pdb_getsampwent(sam_account)) {
/* we return only nua accounts, or we will have duplicates */
if (!idmap_check_sid_is_in_free_range(pdb_get_user_sid(sam_account))) {
continue;
}
*info = talloc_realloc(mem_ctx, *info, (i + 1) * sizeof(WINBIND_USERINFO));
if (!(*info)) {
DEBUG(0,("query_user_list: out of memory!\n"));
result = NT_STATUS_NO_MEMORY;
break;
}
(*info)[i].user_sid = talloc(mem_ctx, sizeof(DOM_SID));
(*info)[i].group_sid = talloc(mem_ctx, sizeof(DOM_SID));
if (!((*info)[i].user_sid) || !((*info)[i].group_sid)) {
DEBUG(0,("query_user_list: out of memory!\n"));
result = NT_STATUS_NO_MEMORY;
break;
}
sid_copy((*info)[i].user_sid, pdb_get_user_sid(sam_account));
sid_copy((*info)[i].group_sid, pdb_get_group_sid(sam_account));
(*info)[i].acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
(*info)[i].full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account));
if (!((*info)[i].acct_name) || !((*info)[i].full_name)) {
DEBUG(0,("query_user_list: out of memory!\n"));
result = NT_STATUS_NO_MEMORY;
break;
}
i++;
if (NT_STATUS_IS_ERR(pdb_reset_sam(sam_account))) {
result = NT_STATUS_UNSUCCESSFUL;
break;
}
}
*num_entries = i;
result = NT_STATUS_OK;
} else {
result = NT_STATUS_UNSUCCESSFUL;
}
pdb_free_sam(&sam_account);
return result;
}
/* list all domain groups */
static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_entries,
struct acct_info **info)
{
NTSTATUS result = NT_STATUS_OK;
DEBUG(3,("pdb: enum_dom_groups (group support not implemented)\n"));
*num_entries = 0;
*info = 0;
return result;
}
/* List all domain groups */
static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_entries,
struct acct_info **info)
{
NTSTATUS result = NT_STATUS_OK;
DEBUG(3,("pdb: enum_local_groups (group support not implemented)\n"));
*num_entries = 0;
*info = 0;
return result;
}
/* convert a single name to a sid in a domain */
static NTSTATUS name_to_sid(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const char *name,
DOM_SID *sid,
enum SID_NAME_USE *type)
{
SAM_ACCOUNT *sam_account = NULL;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
DEBUG(3,("pdb: name_to_sid name=%s (group support not implemented)\n", name));
if (NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
if (!pdb_getsampwnam(sam_account, name)) {
result = NT_STATUS_UNSUCCESSFUL;
} else { /* it is a sam user */
sid_copy(sid, pdb_get_user_sid(sam_account));
*type = SID_NAME_USER;
result = NT_STATUS_OK;
}
}
pdb_free_sam(&sam_account);
return result;
}
/*
convert a domain SID to a user or group name
*/
static NTSTATUS sid_to_name(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
DOM_SID *sid,
char **name,
enum SID_NAME_USE *type)
{
SAM_ACCOUNT *sam_account = NULL;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uint32 id;
DEBUG(3,("pdb: sid_to_name sid=%s\n", sid_string_static(sid)));
if (NT_STATUS_IS_OK(sid_to_uid(sid, &id))) { /* this is a user */
if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) {
return result;
}
if (!pdb_getsampwsid(sam_account, sid)) {
pdb_free_sam(&sam_account);
return NT_STATUS_UNSUCCESSFUL;
}
*name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
if (!(*name)) {
DEBUG(0,("query_user: out of memory!\n"));
pdb_free_sam(&sam_account);
return NT_STATUS_NO_MEMORY;
}
pdb_free_sam(&sam_account);
*type = SID_NAME_USER;
result = NT_STATUS_OK;
} else if (NT_STATUS_IS_OK(sid_to_gid(sid, &id))) { /* this is a group */
DEBUG(3,("pdb: sid_to_name: group support not implemented\n"));
result = NT_STATUS_UNSUCCESSFUL;
}
return result;
}
/* Lookup user information from a rid or username. */
static NTSTATUS query_user(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
DOM_SID *user_sid,
WINBIND_USERINFO *user_info)
{
SAM_ACCOUNT *sam_account = NULL;
NTSTATUS result;
DEBUG(3,("pdb: query_user sid=%s\n", sid_string_static(user_sid)));
if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) {
return result;
}
if (!pdb_getsampwsid(sam_account, user_sid)) {
pdb_free_sam(&sam_account);
return NT_STATUS_UNSUCCESSFUL;
}
/* we return only nua accounts, or we will have duplicates */
if (!idmap_check_sid_is_in_free_range(user_sid)) {
pdb_free_sam(&sam_account);
return NT_STATUS_UNSUCCESSFUL;
}
user_info->user_sid = talloc(mem_ctx, sizeof(DOM_SID));
user_info->group_sid = talloc(mem_ctx, sizeof(DOM_SID));
if (!(user_info->user_sid) || !(user_info->group_sid)) {
DEBUG(0,("query_user: out of memory!\n"));
pdb_free_sam(&sam_account);
return NT_STATUS_NO_MEMORY;
}
sid_copy(user_info->user_sid, pdb_get_user_sid(sam_account));
sid_copy(user_info->group_sid, pdb_get_group_sid(sam_account));
user_info->acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
user_info->full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account));
if (!(user_info->acct_name) || !(user_info->full_name)) {
DEBUG(0,("query_user: out of memory!\n"));
pdb_free_sam(&sam_account);
return NT_STATUS_NO_MEMORY;
}
pdb_free_sam(&sam_account);
return NT_STATUS_OK;
}
/* Lookup groups a user is a member of. I wish Unix had a call like this! */
static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
DOM_SID *user_sid,
uint32 *num_groups, DOM_SID ***user_gids)
{
NTSTATUS result = NT_STATUS_OK;
DEBUG(3,("pdb: lookup_usergroups (group support not implemented)\n"));
num_groups = 0;
user_gids = 0;
return result;
}
/* Lookup group membership given a rid. */
static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
DOM_SID *group_sid, uint32 *num_names,
DOM_SID ***sid_mem, char ***names,
uint32 **name_types)
{
NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED;
DEBUG(3,("pdb: lookup_groupmem (group support not implemented)\n"));
num_names = 0;
sid_mem = 0;
names = 0;
name_types = 0;
return result;
}
/* find the sequence number for a domain */
static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
{
/* FIXME: we fake up the seq_num untill our passdb support it */
static uint32 seq_num;
DEBUG(3,("pdb: sequence_number\n"));
*seq = seq_num++;
return NT_STATUS_OK;
}
/* get a list of trusted domains */
static NTSTATUS trusted_domains(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_domains,
char ***names,
char ***alt_names,
DOM_SID **dom_sids)
{
NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED;
DEBUG(3,("pdb: trusted_domains (todo!)\n"));
return result;
}
/* find the domain sid for a domain */
static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid)
{
DEBUG(3,("pdb: domain_sid\n"));
if (strcmp(domain->name, lp_workgroup())) {
return NT_STATUS_INVALID_PARAMETER;
} else {
sid_copy(sid, get_global_sam_sid());
return NT_STATUS_OK;
}
}
/* find alternate names list for the domain
* should we look for netbios aliases??
SSS */
static NTSTATUS alternate_name(struct winbindd_domain *domain)
{
DEBUG(3,("pdb: alternate_name\n"));
return NT_STATUS_OK;
}
/* the rpc backend methods are exposed via this structure */
struct winbindd_methods passdb_methods = {
False,
query_user_list,
enum_dom_groups,
enum_local_groups,
name_to_sid,
sid_to_name,
query_user,
lookup_usergroups,
lookup_groupmem,
sequence_number,
trusted_domains,
domain_sid,
alternate_name
};

377
source/sam/idmap_util.c Normal file
View File

@ -0,0 +1,377 @@
/*
Unix SMB/CIFS implementation.
ID Mapping
Copyright (C) Simo Sorce 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.*/
#include "includes.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_IDMAP
/******************************************************************
* Get the free RID base if idmap is configured, otherwise return 0
******************************************************************/
uint32 idmap_get_free_rid_base(void)
{
uint32 low, high;
if (idmap_get_free_rid_range(&low, &high)) {
return low;
}
return 0;
}
BOOL idmap_check_ugid_is_in_free_range(uint32 id)
{
uint32 low, high;
if (!idmap_get_free_ugid_range(&low, &high)) {
return False;
}
if (id < low || id > high) {
return False;
}
return True;
}
BOOL idmap_check_rid_is_in_free_range(uint32 rid)
{
uint32 low, high;
if (!idmap_get_free_rid_range(&low, &high)) {
return False;
}
if (rid < low || rid > high) {
return False;
}
return True;
}
/* if it is a foreign SID or if the SID is in the free range, return true */
BOOL idmap_check_sid_is_in_free_range(const DOM_SID *sid)
{
if (sid_compare_domain(get_global_sam_sid(), sid) == 0) {
uint32 rid;
if (sid_peek_rid(sid, &rid)) {
return idmap_check_rid_is_in_free_range(rid);
}
return False;
}
return True;
}
/******************************************************************
* Get the the non-algorithmic RID range if idmap range are defined
******************************************************************/
BOOL idmap_get_free_rid_range(uint32 *low, uint32 *high)
{
uint32 id_low, id_high;
if (lp_idmap_only()) {
*low = BASE_RID;
*high = (uint32)-1;
}
if (!idmap_get_free_ugid_range(&id_low, &id_high)) {
return False;
}
*low = fallback_pdb_uid_to_user_rid(id_low);
if (fallback_pdb_user_rid_to_uid((uint32)-1) < id_high) {
*high = (uint32)-1;
} else {
*high = fallback_pdb_uid_to_user_rid(id_high);
}
return True;
}
BOOL idmap_get_free_ugid_range(uint32 *low, uint32 *high)
{
uid_t u_low, u_high;
gid_t g_low, g_high;
if (!lp_idmap_uid(&u_low, &u_high) || !lp_idmap_gid(&g_low, &g_high)) {
return False;
}
if (u_low < g_low) {
*low = u_low;
} else {
*low = g_low;
}
if (u_high < g_high) {
*high = g_high;
} else {
*high = u_high;
}
return True;
}
/*****************************************************************
*THE CANONICAL* convert uid_t to SID function.
check idmap if uid is in idmap range, otherwise falls back to
the legacy algorithmic mapping.
A special cache is used for uids that maps to Wellknown SIDs
Returns SID pointer.
*****************************************************************/
NTSTATUS uid_to_sid(DOM_SID *sid, uid_t uid)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
unid_t id;
int flags;
DEBUG(10,("uid_to_sid: uid = [%d]\n", uid));
flags = ID_USERID;
if (!lp_idmap_only() && !idmap_check_ugid_is_in_free_range(uid)) {
flags |= ID_NOMAP;
}
id.uid = uid;
if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) {
DEBUG(10, ("uid_to_sid: Failed to map uid = [%u]\n", (unsigned int)uid));
if (flags & ID_NOMAP) {
sid_copy(sid, get_global_sam_sid());
sid_append_rid(sid, fallback_pdb_uid_to_user_rid(uid));
DEBUG(10,("uid_to_sid: Fall back to algorithmic mapping: %u -> %s\n", (unsigned int)uid, sid_string_static(sid)));
ret = NT_STATUS_OK;
}
}
return ret;
}
/*****************************************************************
*THE CANONICAL* convert gid_t to SID function.
check idmap if gid is in idmap range, otherwise falls back to
the legacy algorithmic mapping.
Group mapping is used for gids that maps to Wellknown SIDs
Returns SID pointer.
*****************************************************************/
NTSTATUS gid_to_sid(DOM_SID *sid, gid_t gid)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
GROUP_MAP map;
unid_t id;
int flags;
DEBUG(10,("gid_to_sid: gid = [%d]\n", gid));
flags = ID_GROUPID;
if (!lp_idmap_only() && !idmap_check_ugid_is_in_free_range(gid)) {
flags |= ID_NOMAP;
}
id.gid = gid;
if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) {
DEBUG(10, ("gid_to_sid: Failed to map gid = [%u]\n", (unsigned int)gid));
if (flags & ID_NOMAP) {
sid_copy(sid, get_global_sam_sid());
sid_append_rid(sid, pdb_gid_to_group_rid(gid));
DEBUG(10,("gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n", (unsigned int)gid, sid_string_static(sid)));
ret = NT_STATUS_OK;
}
}
return ret;
}
/*****************************************************************
*THE CANONICAL* convert SID to uid function.
if it is a foreign sid or it is in idmap rid range check idmap,
otherwise falls back to the legacy algorithmic mapping.
A special cache is used for uids that maps to Wellknown SIDs
Returns True if this name is a user sid and the conversion
was done correctly, False if not.
*****************************************************************/
NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
BOOL fallback = False;
unid_t id;
int flags;
DEBUG(10,("sid_to_uid: sid = [%s]\n", sid_string_static(sid)));
flags = ID_USERID;
if (!lp_idmap_only()) {
if (!idmap_check_sid_is_in_free_range(sid)) {
flags |= ID_NOMAP;
fallback = True;
}
}
if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) {
DEBUG(10,("sid_to_uid: uid = [%d]\n", id.uid));
*uid = id.uid;
ret = NT_STATUS_OK;
} else if (fallback) {
uint32 rid;
if (!sid_peek_rid(sid, &rid)) {
DEBUG(10,("sid_to_uid: invalid SID!\n"));
ret = NT_STATUS_INVALID_PARAMETER;
goto done;
}
DEBUG(10,("sid_to_uid: Fall back to algorithmic mapping\n"));
if (!fallback_pdb_rid_is_user(rid)) {
DEBUG(3, ("sid_to_uid: SID %s is *NOT* a user\n", sid_string_static(sid)));
ret = NT_STATUS_UNSUCCESSFUL;
} else {
*uid = fallback_pdb_user_rid_to_uid(rid);
DEBUG(10,("sid_to_uid: mapping: %s -> %u\n", sid_string_static(sid), (unsigned int)(*uid)));
ret = NT_STATUS_OK;
}
}
done:
return ret;
}
/*****************************************************************
*THE CANONICAL* convert SID to gid function.
if it is a foreign sid or it is in idmap rid range check idmap,
otherwise falls back to the legacy algorithmic mapping.
Group mapping is used for gids that maps to Wellknown SIDs
Returns True if this name is a user sid and the conversion
was done correctly, False if not.
*****************************************************************/
NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
BOOL fallback = False;
uint32 rid;
unid_t id;
int flags;
DEBUG(10,("sid_to_gid: sid = [%s]\n", sid_string_static(sid)));
flags = ID_GROUPID;
if (!lp_idmap_only()) {
if (!idmap_check_sid_is_in_free_range(sid)) {
flags |= ID_NOMAP;
fallback = True;
}
}
if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) {
DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid));
*gid = id.gid;
ret = NT_STATUS_OK;
} else if (fallback) {
uint32 rid;
if (!sid_peek_rid(sid, &rid)) {
DEBUG(10,("sid_to_uid: invalid SID!\n"));
ret = NT_STATUS_INVALID_PARAMETER;
goto done;
}
DEBUG(10,("sid_to_gid: Fall back to algorithmic mapping\n"));
if (fallback_pdb_rid_is_user(rid)) {
DEBUG(3, ("sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(sid)));
ret = NT_STATUS_UNSUCCESSFUL;
} else {
*gid = pdb_group_rid_to_gid(rid);
DEBUG(10,("sid_to_gid: mapping: %s -> %u\n", sid_string_static(sid), (unsigned int)(*gid)));
ret = NT_STATUS_OK;
}
}
done:
return ret;
}
/* Initialize idmap withWellknown SIDs like Guest, that are necessary
* to make samba run properly */
BOOL idmap_init_wellknown_sids(void)
{
const char *guest_account = lp_guestaccount();
struct passwd *pass;
GROUP_MAP *map=NULL;
int num_entries=0;
DOM_SID sid;
unid_t id;
int flags;
if (!(guest_account && *guest_account)) {
DEBUG(1, ("NULL guest account!?!?\n"));
return False;
}
pass = getpwnam_alloc(guest_account);
if (!pass) {
return False;
}
flags = ID_USERID;
id.uid = pass->pw_uid;
sid_copy(&sid, get_global_sam_sid());
sid_append_rid(&sid, DOMAIN_USER_RID_GUEST);
if (NT_STATUS_IS_ERR(idmap_set_mapping(&sid, id, flags))) {
passwd_free(&pass);
return False;
}
/* now fill in group mappings */
if(pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) {
int i;
for (i = 0; i < num_entries; i++) {
id.gid = map[i].gid;
idmap_set_mapping(&(map[i].sid), id, ID_GROUPID);
}
}
/* check if DOMAIN_GROUP_RID_GUESTS SID is set, if not store the
* guest account gid as mapping */
flags = ID_GROUPID | ID_NOMAP;
sid_copy(&sid, get_global_sam_sid());
sid_append_rid(&sid, DOMAIN_GROUP_RID_GUESTS);
if (NT_STATUS_IS_ERR(idmap_get_id_from_sid(&id, &flags, &sid))) {
flags = ID_GROUPID;
id.gid = pass->pw_gid;
if (NT_STATUS_IS_ERR(idmap_set_mapping(&sid, id, flags))) {
passwd_free(&pass);
return False;
}
}
passwd_free(&pass);
return True;
}