diff options
author | cvs2svn Import User <samba-bugs@samba.org> | 2003-05-03 05:51:55 +0000 |
---|---|---|
committer | cvs2svn Import User <samba-bugs@samba.org> | 2003-05-03 05:51:55 +0000 |
commit | d08844d97b6c86b403145037a0aa652af280ffa1 (patch) | |
tree | fe5543e4267538490393fbc5d7034b3bb67a4332 | |
parent | 24ee1418054e60e60f36009a1845b4b616ee63a1 (diff) | |
parent | 0e97dec5949c5b5401391d3267f04898fa796d56 (diff) | |
download | samba-d08844d97b6c86b403145037a0aa652af280ffa1.tar.gz samba-d08844d97b6c86b403145037a0aa652af280ffa1.tar.bz2 samba-d08844d97b6c86b403145037a0aa652af280ffa1.zip |
This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This used to be commit f1e59906577a59269f1821d9e438fc56278b9dbe)
-rw-r--r-- | docs/docbook/projdoc/StandAloneServer.xml | 47 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_passdb.c | 360 | ||||
-rw-r--r-- | source3/sam/idmap_util.c | 377 |
3 files changed, 784 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/StandAloneServer.xml b/docs/docbook/projdoc/StandAloneServer.xml new file mode 100644 index 0000000000..c5b5c67250 --- /dev/null +++ b/docs/docbook/projdoc/StandAloneServer.xml @@ -0,0 +1,47 @@ +<chapter id="StandAloneServer"> +<chapterinfo> + &author.jht; +</chapterinfo> +<title>Stand-Alone Servers</title> + +<sect1> +<title>Stand Alone Server</title> + +<para> +The term <emphasis>stand alone server</emphasis> means that the server +will provide local authentication and access control for all resources +that are available from it. In general this means that there will be a +local user database. In more technical terms, it means that resources +on the machine will either be made available in either SHARE mode or in +USER mode. SHARE mode and USER mode security are documented under +discussions regarding "security mode". The smb.conf configuration parameters +that control security mode are: "security = user" and "security = share". +</para> + +<para> +No special action is needed other than to create user accounts. Stand-alone +servers do NOT provide network logon services, meaning that machines that +use this server do NOT perform a domain logon but instead make use only of +the MS Windows logon which is local to the MS Windows workstation/server. +</para> + +<para> +Samba tends to blur the distinction a little in respect of what is +a stand alone server. This is because the authentication database may be +local or on a remote server, even if from the samba protocol perspective +the samba server is NOT a member of a domain security context. +</para> + +<para> +Through the use of PAM (Pluggable Authentication Modules) and nsswitch +(the name service switcher) the source of authentication may reside on +another server. We would be inclined to call this the authentication server. +This means that the samba server may use the local Unix/Linux system +password database (/etc/passwd or /etc/shadow), may use a local smbpasswd +file (/etc/samba/smbpasswd or /usr/local/samba/lib/private/smbpasswd), or +may use an LDAP back end, or even via PAM and Winbind another CIFS/SMB +server for authentication. +</para> + +</sect1> +</chapter> diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c new file mode 100644 index 0000000000..503b97899c --- /dev/null +++ b/source3/nsswitch/winbindd_passdb.c @@ -0,0 +1,360 @@ +/* + Unix SMB/CIFS implementation. + + Winbind rpc backend functions + + Copyright (C) Tim Potter 2000-2001,2003 + Copyright (C) Simo Sorce 2003 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "winbindd.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_WINBIND + + +/* Query display info for a domain. This returns enough information plus a + bit extra to give an overview of domain users for the User Manager + application. */ +static NTSTATUS query_user_list(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *num_entries, + WINBIND_USERINFO **info) +{ + SAM_ACCOUNT *sam_account = NULL; + NTSTATUS result; + uint32 i; + + DEBUG(3,("pdb: query_user_list\n")); + + if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) { + return result; + } + + i = 0; + *info = NULL; + + if (pdb_setsampwent(False)) { + + while (pdb_getsampwent(sam_account)) { + + /* we return only nua accounts, or we will have duplicates */ + if (!idmap_check_sid_is_in_free_range(pdb_get_user_sid(sam_account))) { + continue; + } + + *info = talloc_realloc(mem_ctx, *info, (i + 1) * sizeof(WINBIND_USERINFO)); + if (!(*info)) { + DEBUG(0,("query_user_list: out of memory!\n")); + result = NT_STATUS_NO_MEMORY; + break; + } + + (*info)[i].user_sid = talloc(mem_ctx, sizeof(DOM_SID)); + (*info)[i].group_sid = talloc(mem_ctx, sizeof(DOM_SID)); + if (!((*info)[i].user_sid) || !((*info)[i].group_sid)) { + DEBUG(0,("query_user_list: out of memory!\n")); + result = NT_STATUS_NO_MEMORY; + break; + } + sid_copy((*info)[i].user_sid, pdb_get_user_sid(sam_account)); + sid_copy((*info)[i].group_sid, pdb_get_group_sid(sam_account)); + + (*info)[i].acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account)); + (*info)[i].full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account)); + if (!((*info)[i].acct_name) || !((*info)[i].full_name)) { + DEBUG(0,("query_user_list: out of memory!\n")); + result = NT_STATUS_NO_MEMORY; + break; + } + + i++; + + if (NT_STATUS_IS_ERR(pdb_reset_sam(sam_account))) { + result = NT_STATUS_UNSUCCESSFUL; + break; + } + } + + *num_entries = i; + result = NT_STATUS_OK; + + } else { + result = NT_STATUS_UNSUCCESSFUL; + } + + pdb_free_sam(&sam_account); + return result; +} + +/* list all domain groups */ +static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *num_entries, + struct acct_info **info) +{ + NTSTATUS result = NT_STATUS_OK; + + DEBUG(3,("pdb: enum_dom_groups (group support not implemented)\n")); + + *num_entries = 0; + *info = 0; + + return result; +} + +/* List all domain groups */ + +static NTSTATUS enum_local_groups(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *num_entries, + struct acct_info **info) +{ + NTSTATUS result = NT_STATUS_OK; + + DEBUG(3,("pdb: enum_local_groups (group support not implemented)\n")); + + *num_entries = 0; + *info = 0; + + return result; +} + +/* convert a single name to a sid in a domain */ +static NTSTATUS name_to_sid(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const char *name, + DOM_SID *sid, + enum SID_NAME_USE *type) +{ + SAM_ACCOUNT *sam_account = NULL; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + + DEBUG(3,("pdb: name_to_sid name=%s (group support not implemented)\n", name)); + + if (NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) { + if (!pdb_getsampwnam(sam_account, name)) { + result = NT_STATUS_UNSUCCESSFUL; + } else { /* it is a sam user */ + sid_copy(sid, pdb_get_user_sid(sam_account)); + *type = SID_NAME_USER; + result = NT_STATUS_OK; + } + } + + pdb_free_sam(&sam_account); + return result; +} + +/* + convert a domain SID to a user or group name +*/ +static NTSTATUS sid_to_name(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + DOM_SID *sid, + char **name, + enum SID_NAME_USE *type) +{ + SAM_ACCOUNT *sam_account = NULL; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + uint32 id; + + DEBUG(3,("pdb: sid_to_name sid=%s\n", sid_string_static(sid))); + + if (NT_STATUS_IS_OK(sid_to_uid(sid, &id))) { /* this is a user */ + + if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) { + return result; + } + + if (!pdb_getsampwsid(sam_account, sid)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account)); + if (!(*name)) { + DEBUG(0,("query_user: out of memory!\n")); + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + pdb_free_sam(&sam_account); + *type = SID_NAME_USER; + result = NT_STATUS_OK; + + } else if (NT_STATUS_IS_OK(sid_to_gid(sid, &id))) { /* this is a group */ + + DEBUG(3,("pdb: sid_to_name: group support not implemented\n")); + result = NT_STATUS_UNSUCCESSFUL; + } + + return result; +} + +/* Lookup user information from a rid or username. */ +static NTSTATUS query_user(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + DOM_SID *user_sid, + WINBIND_USERINFO *user_info) +{ + SAM_ACCOUNT *sam_account = NULL; + NTSTATUS result; + + DEBUG(3,("pdb: query_user sid=%s\n", sid_string_static(user_sid))); + + if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) { + return result; + } + + if (!pdb_getsampwsid(sam_account, user_sid)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + /* we return only nua accounts, or we will have duplicates */ + if (!idmap_check_sid_is_in_free_range(user_sid)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + user_info->user_sid = talloc(mem_ctx, sizeof(DOM_SID)); + user_info->group_sid = talloc(mem_ctx, sizeof(DOM_SID)); + if (!(user_info->user_sid) || !(user_info->group_sid)) { + DEBUG(0,("query_user: out of memory!\n")); + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + sid_copy(user_info->user_sid, pdb_get_user_sid(sam_account)); + sid_copy(user_info->group_sid, pdb_get_group_sid(sam_account)); + + user_info->acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account)); + user_info->full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account)); + if (!(user_info->acct_name) || !(user_info->full_name)) { + DEBUG(0,("query_user: out of memory!\n")); + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + pdb_free_sam(&sam_account); + return NT_STATUS_OK; +} + +/* Lookup groups a user is a member of. I wish Unix had a call like this! */ +static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + DOM_SID *user_sid, + uint32 *num_groups, DOM_SID ***user_gids) +{ + NTSTATUS result = NT_STATUS_OK; + + DEBUG(3,("pdb: lookup_usergroups (group support not implemented)\n")); + + num_groups = 0; + user_gids = 0; + + return result; +} + + +/* Lookup group membership given a rid. */ +static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + DOM_SID *group_sid, uint32 *num_names, + DOM_SID ***sid_mem, char ***names, + uint32 **name_types) +{ + NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED; + + DEBUG(3,("pdb: lookup_groupmem (group support not implemented)\n")); + + num_names = 0; + sid_mem = 0; + names = 0; + name_types = 0; + + return result; +} + +/* find the sequence number for a domain */ +static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) +{ + /* FIXME: we fake up the seq_num untill our passdb support it */ + static uint32 seq_num; + + DEBUG(3,("pdb: sequence_number\n")); + + *seq = seq_num++; + + return NT_STATUS_OK; +} + +/* get a list of trusted domains */ +static NTSTATUS trusted_domains(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *num_domains, + char ***names, + char ***alt_names, + DOM_SID **dom_sids) +{ + NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED; + + DEBUG(3,("pdb: trusted_domains (todo!)\n")); + + return result; +} + +/* find the domain sid for a domain */ +static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid) +{ + DEBUG(3,("pdb: domain_sid\n")); + + if (strcmp(domain->name, lp_workgroup())) { + return NT_STATUS_INVALID_PARAMETER; + } else { + sid_copy(sid, get_global_sam_sid()); + return NT_STATUS_OK; + } +} + +/* find alternate names list for the domain + * should we look for netbios aliases?? + SSS */ +static NTSTATUS alternate_name(struct winbindd_domain *domain) +{ + DEBUG(3,("pdb: alternate_name\n")); + + return NT_STATUS_OK; +} + + +/* the rpc backend methods are exposed via this structure */ +struct winbindd_methods passdb_methods = { + False, + query_user_list, + enum_dom_groups, + enum_local_groups, + name_to_sid, + sid_to_name, + query_user, + lookup_usergroups, + lookup_groupmem, + sequence_number, + trusted_domains, + domain_sid, + alternate_name +}; diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c new file mode 100644 index 0000000000..e0c492542b --- /dev/null +++ b/source3/sam/idmap_util.c @@ -0,0 +1,377 @@ +/* + Unix SMB/CIFS implementation. + ID Mapping + Copyright (C) Simo Sorce 2003 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_IDMAP + + +/****************************************************************** + * Get the free RID base if idmap is configured, otherwise return 0 + ******************************************************************/ + +uint32 idmap_get_free_rid_base(void) +{ + uint32 low, high; + if (idmap_get_free_rid_range(&low, &high)) { + return low; + } + return 0; +} + +BOOL idmap_check_ugid_is_in_free_range(uint32 id) +{ + uint32 low, high; + + if (!idmap_get_free_ugid_range(&low, &high)) { + return False; + } + if (id < low || id > high) { + return False; + } + return True; +} + +BOOL idmap_check_rid_is_in_free_range(uint32 rid) +{ + uint32 low, high; + + if (!idmap_get_free_rid_range(&low, &high)) { + return False; + } + if (rid < low || rid > high) { + return False; + } + return True; +} + +/* if it is a foreign SID or if the SID is in the free range, return true */ + +BOOL idmap_check_sid_is_in_free_range(const DOM_SID *sid) +{ + if (sid_compare_domain(get_global_sam_sid(), sid) == 0) { + + uint32 rid; + + if (sid_peek_rid(sid, &rid)) { + return idmap_check_rid_is_in_free_range(rid); + } + + return False; + } + + return True; +} + +/****************************************************************** + * Get the the non-algorithmic RID range if idmap range are defined + ******************************************************************/ + +BOOL idmap_get_free_rid_range(uint32 *low, uint32 *high) +{ + uint32 id_low, id_high; + + if (lp_idmap_only()) { + *low = BASE_RID; + *high = (uint32)-1; + } + + if (!idmap_get_free_ugid_range(&id_low, &id_high)) { + return False; + } + + *low = fallback_pdb_uid_to_user_rid(id_low); + if (fallback_pdb_user_rid_to_uid((uint32)-1) < id_high) { + *high = (uint32)-1; + } else { + *high = fallback_pdb_uid_to_user_rid(id_high); + } + + return True; +} + +BOOL idmap_get_free_ugid_range(uint32 *low, uint32 *high) +{ + uid_t u_low, u_high; + gid_t g_low, g_high; + + if (!lp_idmap_uid(&u_low, &u_high) || !lp_idmap_gid(&g_low, &g_high)) { + return False; + } + if (u_low < g_low) { + *low = u_low; + } else { + *low = g_low; + } + if (u_high < g_high) { + *high = g_high; + } else { + *high = u_high; + } + return True; +} + +/***************************************************************** + *THE CANONICAL* convert uid_t to SID function. + check idmap if uid is in idmap range, otherwise falls back to + the legacy algorithmic mapping. + A special cache is used for uids that maps to Wellknown SIDs + Returns SID pointer. +*****************************************************************/ + +NTSTATUS uid_to_sid(DOM_SID *sid, uid_t uid) +{ + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + unid_t id; + int flags; + + DEBUG(10,("uid_to_sid: uid = [%d]\n", uid)); + + flags = ID_USERID; + if (!lp_idmap_only() && !idmap_check_ugid_is_in_free_range(uid)) { + flags |= ID_NOMAP; + } + + id.uid = uid; + if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) { + DEBUG(10, ("uid_to_sid: Failed to map uid = [%u]\n", (unsigned int)uid)); + if (flags & ID_NOMAP) { + sid_copy(sid, get_global_sam_sid()); + sid_append_rid(sid, fallback_pdb_uid_to_user_rid(uid)); + + DEBUG(10,("uid_to_sid: Fall back to algorithmic mapping: %u -> %s\n", (unsigned int)uid, sid_string_static(sid))); + ret = NT_STATUS_OK; + } + } + + return ret; +} + +/***************************************************************** + *THE CANONICAL* convert gid_t to SID function. + check idmap if gid is in idmap range, otherwise falls back to + the legacy algorithmic mapping. + Group mapping is used for gids that maps to Wellknown SIDs + Returns SID pointer. +*****************************************************************/ + +NTSTATUS gid_to_sid(DOM_SID *sid, gid_t gid) +{ + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + GROUP_MAP map; + unid_t id; + int flags; + + DEBUG(10,("gid_to_sid: gid = [%d]\n", gid)); + + flags = ID_GROUPID; + if (!lp_idmap_only() && !idmap_check_ugid_is_in_free_range(gid)) { + flags |= ID_NOMAP; + } + + id.gid = gid; + if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) { + DEBUG(10, ("gid_to_sid: Failed to map gid = [%u]\n", (unsigned int)gid)); + if (flags & ID_NOMAP) { + sid_copy(sid, get_global_sam_sid()); + sid_append_rid(sid, pdb_gid_to_group_rid(gid)); + + DEBUG(10,("gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n", (unsigned int)gid, sid_string_static(sid))); + ret = NT_STATUS_OK; + } + } + + return ret; +} + +/***************************************************************** + *THE CANONICAL* convert SID to uid function. + if it is a foreign sid or it is in idmap rid range check idmap, + otherwise falls back to the legacy algorithmic mapping. + A special cache is used for uids that maps to Wellknown SIDs + Returns True if this name is a user sid and the conversion + was done correctly, False if not. +*****************************************************************/ + +NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid) +{ + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + BOOL fallback = False; + unid_t id; + int flags; + + DEBUG(10,("sid_to_uid: sid = [%s]\n", sid_string_static(sid))); + + flags = ID_USERID; + if (!lp_idmap_only()) { + if (!idmap_check_sid_is_in_free_range(sid)) { + flags |= ID_NOMAP; + fallback = True; + } + } + + if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) { + + DEBUG(10,("sid_to_uid: uid = [%d]\n", id.uid)); + + *uid = id.uid; + ret = NT_STATUS_OK; + + } else if (fallback) { + uint32 rid; + + if (!sid_peek_rid(sid, &rid)) { + DEBUG(10,("sid_to_uid: invalid SID!\n")); + ret = NT_STATUS_INVALID_PARAMETER; + goto done; + } + + DEBUG(10,("sid_to_uid: Fall back to algorithmic mapping\n")); + + if (!fallback_pdb_rid_is_user(rid)) { + DEBUG(3, ("sid_to_uid: SID %s is *NOT* a user\n", sid_string_static(sid))); + ret = NT_STATUS_UNSUCCESSFUL; + } else { + *uid = fallback_pdb_user_rid_to_uid(rid); + DEBUG(10,("sid_to_uid: mapping: %s -> %u\n", sid_string_static(sid), (unsigned int)(*uid))); + ret = NT_STATUS_OK; + } + } + +done: + return ret; +} + +/***************************************************************** + *THE CANONICAL* convert SID to gid function. + if it is a foreign sid or it is in idmap rid range check idmap, + otherwise falls back to the legacy algorithmic mapping. + Group mapping is used for gids that maps to Wellknown SIDs + Returns True if this name is a user sid and the conversion + was done correctly, False if not. +*****************************************************************/ + +NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid) +{ + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + BOOL fallback = False; + uint32 rid; + unid_t id; + int flags; + + DEBUG(10,("sid_to_gid: sid = [%s]\n", sid_string_static(sid))); + + flags = ID_GROUPID; + if (!lp_idmap_only()) { + if (!idmap_check_sid_is_in_free_range(sid)) { + flags |= ID_NOMAP; + fallback = True; + } + } + + if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) { + + DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid)); + *gid = id.gid; + ret = NT_STATUS_OK; + + } else if (fallback) { + uint32 rid; + + if (!sid_peek_rid(sid, &rid)) { + DEBUG(10,("sid_to_uid: invalid SID!\n")); + ret = NT_STATUS_INVALID_PARAMETER; + goto done; + } + + DEBUG(10,("sid_to_gid: Fall back to algorithmic mapping\n")); + + if (fallback_pdb_rid_is_user(rid)) { + DEBUG(3, ("sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(sid))); + ret = NT_STATUS_UNSUCCESSFUL; + } else { + *gid = pdb_group_rid_to_gid(rid); + DEBUG(10,("sid_to_gid: mapping: %s -> %u\n", sid_string_static(sid), (unsigned int)(*gid))); + ret = NT_STATUS_OK; + } + } + +done: + return ret; +} + +/* Initialize idmap withWellknown SIDs like Guest, that are necessary + * to make samba run properly */ +BOOL idmap_init_wellknown_sids(void) +{ + const char *guest_account = lp_guestaccount(); + struct passwd *pass; + GROUP_MAP *map=NULL; + int num_entries=0; + DOM_SID sid; + unid_t id; + int flags; + + if (!(guest_account && *guest_account)) { + DEBUG(1, ("NULL guest account!?!?\n")); + return False; + } + + pass = getpwnam_alloc(guest_account); + if (!pass) { + return False; + } + + flags = ID_USERID; + id.uid = pass->pw_uid; + sid_copy(&sid, get_global_sam_sid()); + sid_append_rid(&sid, DOMAIN_USER_RID_GUEST); + if (NT_STATUS_IS_ERR(idmap_set_mapping(&sid, id, flags))) { + passwd_free(&pass); + return False; + } + + /* now fill in group mappings */ + if(pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) { + int i; + + for (i = 0; i < num_entries; i++) { + id.gid = map[i].gid; + idmap_set_mapping(&(map[i].sid), id, ID_GROUPID); + } + } + + /* check if DOMAIN_GROUP_RID_GUESTS SID is set, if not store the + * guest account gid as mapping */ + flags = ID_GROUPID | ID_NOMAP; + sid_copy(&sid, get_global_sam_sid()); + sid_append_rid(&sid, DOMAIN_GROUP_RID_GUESTS); + if (NT_STATUS_IS_ERR(idmap_get_id_from_sid(&id, &flags, &sid))) { + flags = ID_GROUPID; + id.gid = pass->pw_gid; + if (NT_STATUS_IS_ERR(idmap_set_mapping(&sid, id, flags))) { + passwd_free(&pass); + return False; + } + } + + passwd_free(&pass); + return True; +} |