summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-07-09 16:44:47 +0000
committerGerald Carter <jerry@samba.org>2003-07-09 16:44:47 +0000
commit16ff7b26f6b9d288cbd1d39e075b637e24da13a6 (patch)
treeb20088c7adac8df8823defc6649db0a9607c0c6a
parent816724fb39ba1d13f553704b2deaa3e8e716c5ab (diff)
downloadsamba-16ff7b26f6b9d288cbd1d39e075b637e24da13a6.tar.gz
samba-16ff7b26f6b9d288cbd1d39e075b637e24da13a6.tar.bz2
samba-16ff7b26f6b9d288cbd1d39e075b637e24da13a6.zip
Large set of changes to add UNIX account/group management
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
-rw-r--r--docs/README.idmap-and-winbind-changes73
-rw-r--r--packaging/RedHat/samba.spec.tmpl10
-rw-r--r--source3/Makefile.in3
-rw-r--r--source3/auth/auth_util.c13
-rw-r--r--source3/groupdb/mapping.c177
-rw-r--r--source3/include/idmap.h3
-rw-r--r--source3/nsswitch/wb_client.c144
-rw-r--r--source3/nsswitch/wbinfo.c175
-rw-r--r--source3/nsswitch/winbindd.c11
-rw-r--r--source3/nsswitch/winbindd_acct.c946
-rw-r--r--source3/nsswitch/winbindd_group.c87
-rw-r--r--source3/nsswitch/winbindd_idmap.c194
-rw-r--r--source3/nsswitch/winbindd_idmap_tdb.c459
-rw-r--r--source3/nsswitch/winbindd_nss.h55
-rw-r--r--source3/nsswitch/winbindd_pam.c8
-rw-r--r--source3/nsswitch/winbindd_passdb.c360
-rw-r--r--source3/nsswitch/winbindd_user.c34
-rw-r--r--source3/nsswitch/winbindd_util.c16
-rw-r--r--source3/param/loadparm.c8
-rw-r--r--source3/rpc_server/srv_samr_nt.c28
-rw-r--r--source3/sam/idmap.c15
-rw-r--r--source3/sam/idmap_ldap.c1
-rw-r--r--source3/sam/idmap_tdb.c17
-rw-r--r--source3/script/mkproto.awk4
-rw-r--r--source3/smbd/uid.c23
-rw-r--r--source3/utils/net_rpc_samsync.c15
26 files changed, 1731 insertions, 1148 deletions
diff --git a/docs/README.idmap-and-winbind-changes b/docs/README.idmap-and-winbind-changes
new file mode 100644
index 0000000000..a892343c6e
--- /dev/null
+++ b/docs/README.idmap-and-winbind-changes
@@ -0,0 +1,73 @@
+## Date : 2003-07-09
+## Author: Gerald (Jerry) Carter <jerry@samba.org>
+## Title: README.idmap-and-winbind-changes
+
+Introduction
+------------
+
+Beginning with Samba3.0.0beta3, winbindd has been given new account
+manage functionality equivalent to the 'add user script' family of
+smb.conf parameters. The idmap design has also been changed to centralize
+control of foreign SID lookups and matching to UNIX uids and gids.
+
+
+Brief Description of Changes
+----------------------------
+
+1) The sid_to_uid() family of functions (smbd/uid.c) have been reverted
+ to the 2.2.x design. This means that when resolving a SID to a UID
+ or similar mapping:
+
+ a) First consult winbindd
+ b) perform a local lookup only if winbindd fails to
+ return a successful answer
+
+ There are some variations to this, but these two rules generally
+ apply.
+
+2) All idmap lookups have been moved into winbindd. This means that
+ a server must run winbindd (and support NSS) in order to achieve
+ any mappings of SID to dynamically allocated UNIX ids. This was
+ a conscious design choice.
+
+3) New functions have been added to winbindd to emulate the 'add user script'
+ family of smbd functions without requiring that external scripts
+ be defined. This functionality is controlled by the 'winbind enable local
+ accounts' smb.conf parameter (enabled by default).
+
+ However, this account management functionality is only supported in
+ a local tdb (winbindd_idmap.tdb). If these new UNIX accounts must be
+ shared among multiple Samba servers (such as a PDC and BDCs), it
+ will be necessary to define your own 'add user script', et. al.
+ programs that place the accounts/groups in some form of directory
+ such as NIS or LDAP. This requirement was deemed beyond the scope
+ of winbind's account management functions. Solutions for distributing
+ UNIX system information have been deployed and tested for many years.
+ We saw no need to reinvent the wheel.
+
+4) A member of a Samba controlled domain running winbindd is now able to
+ map domain users directly onto existing UNIX accounts while still
+ automatically creating accounts for trusted users and groups. This
+ behavior is controlled by the 'winbind trusted domains only' smb.conf
+ parameter (disabled by default to provide 2.2.x winbind behavior).
+
+5) Group mapping support is wrapped in the local_XX_to_XX() functions
+ in smbd/uid.c. The reason that group mappings are not included
+ in winbindd is because the purpose of Samba's group map is to
+ match any Windows SID with an existing UNIX group. These UNIX
+ groups can be created by winbindd (see next section), but the
+ SID<->gid mapping is retreived by smbd, not winbindd.
+
+
+Examples
+--------
+
+* security = server running winbindd to allocate accounts on demand
+
+* Samba PDC running winbindd to handle the automatic creation of UNIX
+ identities for machine trust accounts
+
+* Automtically creating UNIX user and groups when migrating a Windows NT
+ 4.0 PDC to a Samba PDC. Winbindd must be running when executing
+ 'net rpc vampire' for this to work.
+
diff --git a/packaging/RedHat/samba.spec.tmpl b/packaging/RedHat/samba.spec.tmpl
index d7b1750772..4c5a480a27 100644
--- a/packaging/RedHat/samba.spec.tmpl
+++ b/packaging/RedHat/samba.spec.tmpl
@@ -182,10 +182,12 @@ find $RPM_BUILD_ROOT -name "*.old" -exec rm -f {} \;
rm -rf $RPM_BUILD_ROOT
%post
-/sbin/chkconfig --add smb
-/sbin/chkconfig --add winbind
-/sbin/chkconfig smb off
-/sbin/chkconfig winbind off
+if [ "$1" -eq "1" ]; then
+ /sbin/chkconfig --add smb
+ /sbin/chkconfig --add winbind
+ /sbin/chkconfig smb off
+ /sbin/chkconfig winbind off
+fi
echo "Looking for old /etc/smb.conf..."
if [ -f /etc/smb.conf -a ! -f /etc/samba/smb.conf ]; then
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 1e8f27ba07..b2ba1a1b79 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -593,7 +593,8 @@ WINBINDD_OBJ1 = \
nsswitch/winbindd_wins.o \
nsswitch/winbindd_rpc.o \
nsswitch/winbindd_ads.o \
- nsswitch/winbindd_dual.o
+ nsswitch/winbindd_dual.o \
+ nsswitch/winbindd_acct.o
WINBINDD_OBJ = \
$(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 6fc1d772ec..51cd1994f9 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -60,16 +60,23 @@ static int smb_create_user(const char *domain, const char *unix_username, const
void auth_add_user_script(const char *domain, const char *username)
{
- struct passwd *pwd=NULL;
-
/*
* User validated ok against Domain controller.
* If the admin wants us to try and create a UNIX
* user on the fly, do so.
*/
- if(lp_adduser_script() && !(pwd = Get_Pwnam(username))) {
+ if ( lp_adduser_script() )
smb_create_user(domain, username, NULL);
+ else {
+ DEBUG(10,("auth_add_user_script: no 'add user script'. Asking winbindd\n"));
+
+ /* should never get here is we a re a domain member running winbindd
+ However, a host set for 'security = server' might run winbindd for
+ account allocation */
+
+ if ( !winbind_create_user(username) )
+ DEBUG(5,("auth_add_user_script: winbindd_create_user() failed\n"));
}
}
diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c
index 5d2d28f152..e769b4dd9d 100644
--- a/source3/groupdb/mapping.c
+++ b/source3/groupdb/mapping.c
@@ -719,37 +719,50 @@ int smb_create_group(char *unix_group, gid_t *new_gid)
int ret;
int fd = 0;
- pstrcpy(add_script, lp_addgroup_script());
- if (! *add_script) return -1;
- pstring_sub(add_script, "%g", unix_group);
- ret = smbrun(add_script, (new_gid!=NULL) ? &fd : NULL);
- DEBUG(3,("smb_create_group: Running the command `%s' gave %d\n",add_script,ret));
- if (ret != 0)
- return ret;
-
- if (fd != 0) {
- fstring output;
-
- *new_gid = 0;
- if (read(fd, output, sizeof(output)) > 0) {
- *new_gid = (gid_t)strtoul(output, NULL, 10);
- }
- close(fd);
-
- if (*new_gid == 0) {
- /* The output was garbage. We assume nobody
- will create group 0 via smbd. Now we try to
- get the group via getgrnam. */
-
- struct group *grp = getgrnam(unix_group);
- if (grp != NULL)
- *new_gid = grp->gr_gid;
- else
- return 1;
+ /* defer to scripts */
+
+ if ( *lp_addgroup_script() ) {
+ pstrcpy(add_script, lp_addgroup_script());
+ pstring_sub(add_script, "%g", unix_group);
+ ret = smbrun(add_script, (new_gid!=NULL) ? &fd : NULL);
+ DEBUG(3,("smb_create_group: Running the command `%s' gave %d\n",add_script,ret));
+ if (ret != 0)
+ return ret;
+
+ if (fd != 0) {
+ fstring output;
+
+ *new_gid = 0;
+ if (read(fd, output, sizeof(output)) > 0) {
+ *new_gid = (gid_t)strtoul(output, NULL, 10);
+ }
+ close(fd);
+
+ if (*new_gid == 0) {
+ /* The output was garbage. We assume nobody
+ will create group 0 via smbd. Now we try to
+ get the group via getgrnam. */
+
+ struct group *grp = getgrnam(unix_group);
+ if (grp != NULL)
+ *new_gid = grp->gr_gid;
+ else
+ return 1;
+ }
}
+
+ return 0;
}
- return ret;
+ /* Try winbindd */
+
+ if ( winbind_create_group( unix_group ) ) {
+ DEBUG(3,("smb_create_group: winbindd created the group (%s)\n",
+ unix_group));
+ return 0;
+ }
+
+ return -1;
}
/****************************************************************************
@@ -761,12 +774,25 @@ int smb_delete_group(char *unix_group)
pstring del_script;
int ret;
- pstrcpy(del_script, lp_delgroup_script());
- if (! *del_script) return -1;
- pstring_sub(del_script, "%g", unix_group);
- ret = smbrun(del_script,NULL);
- DEBUG(3,("smb_delete_group: Running the command `%s' gave %d\n",del_script,ret));
- return ret;
+ /* defer to scripts */
+
+ if ( *lp_delgroup_script() ) {
+ pstrcpy(del_script, lp_delgroup_script());
+ pstring_sub(del_script, "%g", unix_group);
+ ret = smbrun(del_script,NULL);
+ DEBUG(3,("smb_delete_group: Running the command `%s' gave %d\n",del_script,ret));
+ return ret;
+ }
+#if 0
+ if ( winbind_delete_group( unix_group ) ) {
+ DEBUG(3,("smb_delete_group: winbindd deleted the group (%s)\n",
+ unix_group));
+ return 0;
+ }
+
+#endif
+
+ return -1;
}
/****************************************************************************
@@ -777,14 +803,27 @@ int smb_set_primary_group(const char *unix_group, const char* unix_user)
pstring add_script;
int ret;
- pstrcpy(add_script, lp_setprimarygroup_script());
- if (! *add_script) return -1;
- all_string_sub(add_script, "%g", unix_group, sizeof(add_script));
- all_string_sub(add_script, "%u", unix_user, sizeof(add_script));
- ret = smbrun(add_script,NULL);
- DEBUG(3,("smb_set_primary_group: "
- "Running the command `%s' gave %d\n",add_script,ret));
- return ret;
+ /* defer to scripts */
+
+ if ( *lp_setprimarygroup_script() ) {
+ pstrcpy(add_script, lp_setprimarygroup_script());
+ all_string_sub(add_script, "%g", unix_group, sizeof(add_script));
+ all_string_sub(add_script, "%u", unix_user, sizeof(add_script));
+ ret = smbrun(add_script,NULL);
+ DEBUG(3,("smb_set_primary_group: "
+ "Running the command `%s' gave %d\n",add_script,ret));
+ return ret;
+ }
+
+ /* Try winbindd */
+
+ if ( winbind_set_user_primary_group( unix_user, unix_group ) ) {
+ DEBUG(3,("smb_delete_group: winbindd set the group (%s) as the primary group for user (%s)\n",
+ unix_group, unix_user));
+ return 0;
+ }
+
+ return -1;
}
/****************************************************************************
@@ -796,13 +835,26 @@ int smb_add_user_group(char *unix_group, char *unix_user)
pstring add_script;
int ret;
- pstrcpy(add_script, lp_addusertogroup_script());
- if (! *add_script) return -1;
- pstring_sub(add_script, "%g", unix_group);
- pstring_sub(add_script, "%u", unix_user);
- ret = smbrun(add_script,NULL);
- DEBUG(3,("smb_add_user_group: Running the command `%s' gave %d\n",add_script,ret));
- return ret;
+ /* defer to scripts */
+
+ if ( *lp_addusertogroup_script() ) {
+ pstrcpy(add_script, lp_addusertogroup_script());
+ pstring_sub(add_script, "%g", unix_group);
+ pstring_sub(add_script, "%u", unix_user);
+ ret = smbrun(add_script,NULL);
+ DEBUG(3,("smb_add_user_group: Running the command `%s' gave %d\n",add_script,ret));
+ return ret;
+ }
+
+ /* Try winbindd */
+
+ if ( winbind_add_user_to_group( unix_user, unix_group ) ) {
+ DEBUG(3,("smb_delete_group: winbindd added user (%s) to the group (%s)\n",
+ unix_user, unix_group));
+ return -1;
+ }
+
+ return -1;
}
/****************************************************************************
@@ -814,13 +866,26 @@ int smb_delete_user_group(const char *unix_group, const char *unix_user)
pstring del_script;
int ret;
- pstrcpy(del_script, lp_deluserfromgroup_script());
- if (! *del_script) return -1;
- pstring_sub(del_script, "%g", unix_group);
- pstring_sub(del_script, "%u", unix_user);
- ret = smbrun(del_script,NULL);
- DEBUG(3,("smb_delete_user_group: Running the command `%s' gave %d\n",del_script,ret));
- return ret;
+ /* defer to scripts */
+
+ if ( *lp_deluserfromgroup_script() ) {
+ pstrcpy(del_script, lp_deluserfromgroup_script());
+ pstring_sub(del_script, "%g", unix_group);
+ pstring_sub(del_script, "%u", unix_user);
+ ret = smbrun(del_script,NULL);
+ DEBUG(3,("smb_delete_user_group: Running the command `%s' gave %d\n",del_script,ret));
+ return ret;
+ }
+
+ /* Try winbindd */
+
+ if ( winbind_remove_user_from_group( unix_user, unix_group ) ) {
+ DEBUG(3,("smb_delete_group: winbindd removed user (%s) from the group (%s)\n",
+ unix_user, unix_group));
+ return 0;
+ }
+
+ return -1;
}
diff --git a/source3/include/idmap.h b/source3/include/idmap.h
index 47f396e637..7da3718d19 100644
--- a/source3/include/idmap.h
+++ b/source3/include/idmap.h
@@ -24,7 +24,7 @@
Boston, MA 02111-1307, USA.
*/
-#define SMB_IDMAP_INTERFACE_VERSION 1
+#define SMB_IDMAP_INTERFACE_VERSION 2
#define ID_EMPTY 0x00
@@ -42,6 +42,7 @@ struct idmap_methods {
/* Called when backend is first loaded */
NTSTATUS (*init)( char *params );
+ NTSTATUS (*allocate_id)(unid_t *id, int id_type);
NTSTATUS (*get_sid_from_id)(DOM_SID *sid, unid_t id, int id_type);
NTSTATUS (*get_id_from_sid)(unid_t *id, int *id_type, const DOM_SID *sid);
NTSTATUS (*set_mapping)(const DOM_SID *sid, unid_t id, int id_type);
diff --git a/source3/nsswitch/wb_client.c b/source3/nsswitch/wb_client.c
index 67548592b2..26a0e58191 100644
--- a/source3/nsswitch/wb_client.c
+++ b/source3/nsswitch/wb_client.c
@@ -367,3 +367,147 @@ BOOL winbind_ping( void )
return result == NSS_STATUS_SUCCESS;
}
+/**********************************************************************
+ Ask winbindd to create a local user
+**********************************************************************/
+
+BOOL winbind_create_user( const char *name )
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ NSS_STATUS result;
+
+ if ( !lp_winbind_enable_local_accounts() )
+ return False;
+
+ if ( !name )
+ return False;
+
+ DEBUG(10,("winbind_create_user: %s\n", name));
+
+ fstrcpy( request.data.acct_mgt.username, name );
+ fstrcpy( request.data.acct_mgt.groupname, "" );
+
+ ZERO_STRUCT(response);
+
+ result = winbindd_request( WINBINDD_CREATE_USER, &request, &response);
+
+ return result == NSS_STATUS_SUCCESS;
+}
+
+/**********************************************************************
+ Ask winbindd to create a local group
+**********************************************************************/
+
+BOOL winbind_create_group( const char *name )
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ NSS_STATUS result;
+
+ if ( !lp_winbind_enable_local_accounts() )
+ return False;
+
+ if ( !name )
+ return False;
+
+ DEBUG(10,("winbind_create_group: %s\n", name));
+
+ fstrcpy( request.data.acct_mgt.groupname, name );
+
+ ZERO_STRUCT(response);
+
+ result = winbindd_request( WINBINDD_CREATE_GROUP, &request, &response);
+
+ return result == NSS_STATUS_SUCCESS;
+}
+
+/**********************************************************************
+ Ask winbindd to add a user to a local group
+**********************************************************************/
+
+BOOL winbind_add_user_to_group( const char *user, const char *group )
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ NSS_STATUS result;
+
+ if ( !lp_winbind_enable_local_accounts() )
+ return False;
+
+ if ( !user || !group )
+ return False;
+
+ DEBUG(10,("winbind_add_user_to_group: user(%s), group(%s) \n",
+ user, group));
+
+ fstrcpy( request.data.acct_mgt.username, user );
+ fstrcpy( request.data.acct_mgt.groupname, group );
+
+ ZERO_STRUCT(response);
+
+ result = winbindd_request( WINBINDD_ADD_USER_TO_GROUP, &request, &response);
+
+ return result == NSS_STATUS_SUCCESS;
+}
+
+/**********************************************************************
+ Ask winbindd to remove a user to a local group
+**********************************************************************/
+
+BOOL winbind_remove_user_from_group( const char *user, const char *group )
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ NSS_STATUS result;
+
+ if ( !lp_winbind_enable_local_accounts() )
+ return False;
+
+ if ( !user || !group )
+ return False;
+
+ DEBUG(10,("winbind_remove_user_from_group: user(%s), group(%s) \n",
+ user, group));
+
+ fstrcpy( request.data.acct_mgt.username, user );
+ fstrcpy( request.data.acct_mgt.groupname, group );
+
+ ZERO_STRUCT(response);
+
+ result = winbindd_request( WINBINDD_REMOVE_USER_FROM_GROUP, &request, &response);
+
+ return result == NSS_STATUS_SUCCESS;
+}
+
+/**********************************************************************
+ Ask winbindd to set the primary group for a user local user
+**********************************************************************/
+
+BOOL winbind_set_user_primary_group( const char *user, const char *group )
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ NSS_STATUS result;
+
+ if ( !lp_winbind_enable_local_accounts() )
+ return False;
+
+ if ( !user || !group )
+ return False;
+
+ DEBUG(10,("winbind_set_user_primary_group: user(%s), group(%s) \n",
+ user, group));
+
+ fstrcpy( request.data.acct_mgt.username, user );
+ fstrcpy( request.data.acct_mgt.groupname, group );
+
+ ZERO_STRUCT(response);
+
+ result = winbindd_request( WINBINDD_SET_USER_PRIMARY_GROUP, &request, &response);
+
+ return result == NSS_STATUS_SUCCESS;
+}
+
+
+
diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index 9be74c12de..6ebf6effa7 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -511,6 +511,151 @@ static BOOL wbinfo_auth_crap(char *username)
return result == NSS_STATUS_SUCCESS;
}
+/******************************************************************
+ create a winbindd user
+******************************************************************/
+
+static BOOL wbinfo_create_user(char *username)
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ NSS_STATUS result;
+
+ /* Send off request */
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ fstrcpy(request.data.acct_mgt.username, username);
+
+ result = winbindd_request(WINBINDD_CREATE_USER, &request, &response);
+
+ if (response.data.auth.nt_status)
+ d_printf("error code was %s (0x%x)\nerror messsage was: %s\n",
+ response.data.auth.nt_status_string,
+ response.data.auth.nt_status,
+ response.data.auth.error_string);
+
+ return result == NSS_STATUS_SUCCESS;
+}
+
+/******************************************************************
+ create a winbindd group
+******************************************************************/
+
+static BOOL wbinfo_create_group(char *groupname)
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ NSS_STATUS result;
+
+ /* Send off request */
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ fstrcpy(request.data.acct_mgt.groupname, groupname);
+
+ result = winbindd_request(WINBINDD_CREATE_GROUP, &request, &response);
+
+ if (response.data.auth.nt_status)
+ d_printf("error code was %s (0x%x)\nerror messsage was: %s\n",
+ response.data.auth.nt_status_string,
+ response.data.auth.nt_status,
+ response.data.auth.error_string);
+
+ return result == NSS_STATUS_SUCCESS;
+}
+
+/******************************************************************
+ parse a string in the form user:group
+******************************************************************/
+
+static BOOL parse_user_group( const char *string, fstring user, fstring group )
+{
+ char *p;
+
+ if ( !string )
+ return False;
+
+ if ( !(p = strchr( string, ':' )) )
+ return False;
+
+ *p = '\0';
+ p++;
+
+ fstrcpy( user, string );
+ fstrcpy( group, p );
+
+ return True;
+}
+
+/******************************************************************
+ add a user to a winbindd group
+******************************************************************/
+
+static BOOL wbinfo_add_user_to_group(char *string)
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ NSS_STATUS result;
+
+ /* Send off request */
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ if ( !parse_user_group( string, request.data.acct_mgt.username,
+ request.data.acct_mgt.groupname))
+ {
+ d_printf("Can't parse user:group from %s\n", string);
+ return False;
+ }
+
+ result = winbindd_request(WINBINDD_ADD_USER_TO_GROUP, &request, &response);
+
+ if (response.data.auth.nt_status)
+ d_printf("error code was %s (0x%x)\nerror messsage was: %s\n",
+ response.data.auth.nt_status_string,
+ response.data.auth.nt_status,
+ response.data.auth.error_string);
+
+ return result == NSS_STATUS_SUCCESS;
+}
+
+/******************************************************************
+ remove a user from a winbindd group
+******************************************************************/
+
+static BOOL wbinfo_remove_user_from_group(char *string)
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ NSS_STATUS result;
+
+ /* Send off request */
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ if ( !parse_user_group( string, request.data.acct_mgt.username,
+ request.data.acct_mgt.groupname))
+ {
+ d_printf("Can't parse user:group from %s\n", string);
+ return False;
+ }
+
+ result = winbindd_request(WINBINDD_REMOVE_USER_FROM_GROUP, &request, &response);
+
+ if (response.data.auth.nt_status)
+ d_printf("error code was %s (0x%x)\nerror messsage was: %s\n",
+ response.data.auth.nt_status_string,
+ response.data.auth.nt_status,
+ response.data.auth.error_string);
+
+ return result == NSS_STATUS_SUCCESS;
+}
+
/* Print domain users */
static BOOL print_domain_users(void)
@@ -705,6 +850,10 @@ int main(int argc, char **argv)
{ "gid-to-sid", 'G', POPT_ARG_INT, &int_arg, 'G', "Converts gid to sid", "GID" },
{ "sid-to-uid", 'S', POPT_ARG_STRING, &string_arg, 'S', "Converts sid to uid", "SID" },
{ "sid-to-gid", 'Y', POPT_ARG_STRING, &string_arg, 'Y', "Converts sid to gid", "SID" },
+ { "create-user", 'c', POPT_ARG_STRING, &string_arg, 'c', "Create a local user account", "name" },
+ { "create-group", 'C', POPT_ARG_STRING, &string_arg, 'C', "Create a local group", "name" },
+ { "add-to-group", 'o', POPT_ARG_STRING, &string_arg, 'o', "Add user to group", "user:group" },
+ { "del-from-group", 'O', POPT_ARG_STRING, &string_arg, 'O', "Remove user from group", "user:group" },
{ "check-secret", 't', POPT_ARG_NONE, 0, 't', "Check shared secret" },
{ "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm', "List trusted domains" },
{ "sequence", 0, POPT_ARG_NONE, 0, OPT_SEQUENCE, "Show sequence numbers of all domains" },
@@ -863,7 +1012,31 @@ int main(int argc, char **argv)
goto done;
break;
}
- case 'p':
+ case 'c':
+ if ( !wbinfo_create_user(string_arg) ) {
+ d_printf("Could not create user account\n");
+ goto done;
+ }
+ break;
+ case 'C':
+ if ( !wbinfo_create_group(string_arg) ) {
+ d_printf("Could not create group\n");
+ goto done;
+ }
+ break;
+ case 'o':
+ if ( !wbinfo_add_user_to_group(string_arg) ) {
+ d_printf("Could not add user to group\n");
+ goto done;
+ }
+ break;
+ case 'O':
+ if ( !wbinfo_remove_user_from_group(string_arg) ) {
+ d_printf("Could not remove user kfrom group\n");
+ goto done;
+ }
+ break;
+ case 'P':
if (!wbinfo_ping()) {
d_printf("could not ping winbindd!\n");
goto done;
diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c
index e65b03c30e..507b5f7ef7 100644
--- a/source3/nsswitch/winbindd.c
+++ b/source3/nsswitch/winbindd.c
@@ -268,7 +268,16 @@ static struct dispatch_table dispatch_table[] = {
{ WINBINDD_WINS_BYNAME, winbindd_wins_byname, "WINS_BYNAME" },
{ WINBINDD_WINS_BYIP, winbindd_wins_byip, "WINS_BYIP" },
-
+
+ /* UNIX account management functions */
+ { WINBINDD_CREATE_USER, winbindd_create_user, "CREATE_USER" },
+ { WINBINDD_CREATE_GROUP, winbindd_create_group, "CREATE_GROUP" },
+ { WINBINDD_ADD_USER_TO_GROUP, winbindd_add_user_to_group, "ADD_USER_TO_GROUP" },
+ { WINBINDD_REMOVE_USER_FROM_GROUP, winbindd_remove_user_from_group,"REMOVE_USER_FROM_GROUP"},
+ { WINBINDD_SET_USER_PRIMARY_GROUP, winbindd_set_user_primary_group,"SET_USER_PRIMARY_GROUP"},
+ { WINBINDD_DELETE_USER, winbindd_delete_user, "DELETE_USER" },
+ { WINBINDD_DELETE_GROUP, winbindd_delete_group, "DELETE_GROUP" },
+
/* End of list */
{ WINBINDD_NUM_CMDS, NULL, "NONE" }
diff --git a/source3/nsswitch/winbindd_acct.c b/source3/nsswitch/winbindd_acct.c
new file mode 100644
index 0000000000..7f4353c0ee
--- /dev/null
+++ b/source3/nsswitch/winbindd_acct.c
@@ -0,0 +1,946 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind account management functions
+
+ Copyright (C) by Gerald (Jerry) Carter 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "winbindd.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+#define WBKEY_PASSWD "WBA_PASSWD"
+#define WBKEY_GROUP "WBA_GROUP"
+
+#define NUM_PW_FIELDS 7
+#define NUM_GRP_FIELDS 4
+
+/* Globals */
+
+static TDB_CONTEXT *account_tdb;
+
+extern userdom_struct current_user_info;
+
+/*****************************************************************************
+ Initialise auto-account database.
+*****************************************************************************/
+
+static BOOL winbindd_accountdb_init(void)
+{
+ /* see if we've already opened the tdb */
+
+ if ( account_tdb )
+ return True;
+
+ /* Nope. Try to open it */
+
+ if (!(account_tdb = tdb_open_log(lock_path("winbindd_idmap.tdb"), 0,
+ TDB_DEFAULT, O_RDWR | O_CREAT, 0600)))
+ {
+ /* last chance -- maybe idmap has already opened it */
+ if ( !(account_tdb = idmap_tdb_handle()) ) {
+
+ DEBUG(0, ("winbindd_idmap_init: Unable to open idmap database\n"));
+ return False;
+ }
+ }
+
+ /* yeah! */
+
+ return True;
+}
+
+/**********************************************************************
+ Convert a string in /etc/passwd format to a struct passwd* entry
+**********************************************************************/
+
+static WINBINDD_PW* string2passwd( char *string )
+{
+ static WINBINDD_PW pw;
+ char *p, *str;
+ char *fields[NUM_PW_FIELDS];
+ int i;
+
+ if ( !string )
+ return NULL;
+
+ ZERO_STRUCTP( &pw );
+
+ DEBUG(10,("string2passwd: converting \"%s\"\n", string));
+
+ ZERO_STRUCT( fields );
+
+ for ( i=0, str=string; i<NUM_PW_FIELDS-1; i++ ) {
+ if ( !(p = strchr( str, ':' )) ) {
+ DEBUG(0,("string2passwd: parsing failure\n"));
+ return NULL;
+ }
+ *p = '\0';
+ if ( str )
+ fields[i] = str;
+ str = p + 1;
+ }
+ if ( str )
+ fields[i] = str;
+
+ /* copy fields */
+
+ fstrcpy( pw.pw_name, fields[0] );
+ fstrcpy( pw.pw_passwd, fields[1] );
+ pw.pw_uid = atoi( fields[2] );
+ pw.pw_gid = atoi( fields[3] );
+ fstrcpy( pw.pw_gecos, fields[4] );
+ fstrcpy( pw.pw_dir, fields[5] );
+ fstrcpy( pw.pw_shell, fields[6] );
+
+
+ /* last minute sanity checks */
+
+ if ( pw.pw_uid==0 || pw.pw_gid==0 ) {
+ DEBUG(0,("string2passwd: Failure! uid==%d, gid==%d\n",
+ pw.pw_uid, pw.pw_gid));
+ return NULL;
+ }
+
+ DEBUG(10,("string2passwd: Success\n"));
+
+ return &pw;
+}
+
+/**********************************************************************
+ Convert a struct passwd* to a string formatted for /etc/passwd
+**********************************************************************/
+
+static char* passwd2string( const WINBINDD_PW *pw )
+{
+ static pstring string;
+ int ret;
+
+ if ( !pw || !pw->pw_name )
+ return NULL;
+
+ DEBUG(10,("passwd2string: converting passwd struct for %s\n",
+ pw->pw_name));
+
+ ret = snprintf( string, sizeof(string), "%s:%s:%d:%d:%s:%s:%s",
+ pw->pw_name,
+ pw->pw_passwd ? pw->pw_passwd : "x",
+ pw->pw_uid,
+ pw->pw_gid,
+ pw->pw_gecos,
+ pw->pw_dir,
+ pw->pw_shell );
+
+ if ( ret < 0 ) {
+ DEBUG(0,("passwd2string: snprintf() failed!\n"));
+ return NULL;
+ }
+
+ return string;
+}
+
+/**********************************************************************
+ Convert a string in /etc/group format to a struct group* entry
+**********************************************************************/
+
+static WINBINDD_GR* string2group( char *string )
+{
+ static WINBINDD_GR grp;
+ char *p, *str;
+ char *fields[NUM_GRP_FIELDS];
+ int i;
+ char **gr_members = NULL;
+ int num_gr_members = 0;
+
+ if ( !string )
+ return NULL;
+
+ ZERO_STRUCTP( &grp );
+
+ DEBUG(10,("string2group: converting \"%s\"\n", string));
+
+ ZERO_STRUCT( fields );
+
+ for ( i=0, str=string; i<NUM_GRP_FIELDS-1; i++ ) {
+ if ( !(p = strchr( str, ':' )) ) {
+ DEBUG(0,("string2group: parsing failure\n"));
+ return NULL;
+ }
+ *p = '\0';
+ if ( str )
+ fields[i] = str;
+ str = p + 1;
+ }
+
+ /* group members */
+
+ if ( *str ) {
+ /* we already know we have a non-empty string */
+
+ num_gr_members = count_chars(str, ',') + 1;
+
+ /* if there was at least one comma, then there
+ are n+1 members */
+ if ( num_gr_members ) {
+ fstring buffer;
+
+ gr_members = (char**)smb_xmalloc(sizeof(char*)*num_gr_members+1);
+
+ i = 0;
+ while ( next_token(&str, buffer, ",", sizeof(buffer)) && i<num_gr_members ) {
+ gr_members[i++] = smb_xstrdup(buffer);
+ }
+
+ gr_members[i] = NULL;
+ }
+ }
+
+
+ /* copy fields */
+
+ fstrcpy( grp.gr_name, fields[0] );
+ fstrcpy( grp.gr_passwd, fields[1] );
+ grp.gr_gid = atoi( fields[2] );
+
+ grp.num_gr_mem = num_gr_members;
+ grp.gr_mem = gr_members;
+
+ /* last minute sanity checks */
+
+ if ( grp.gr_gid == 0 ) {
+ DEBUG(0,("string2group: Failure! gid==%d\n", grp.gr_gid));
+ SAFE_FREE( gr_members );
+ return NULL;
+ }
+
+ DEBUG(10,("string2group: Success\n"));
+
+ return &grp;
+}
+
+/**********************************************************************
+ Convert a struct group* to a string formatted for /etc/group
+**********************************************************************/
+
+static char* group2string( const WINBINDD_GR *grp )
+{
+ static pstring string;
+ int ret;
+ char *member, *gr_mem_str;
+ int num_members;
+ int i, size;
+
+ if ( !grp || !grp->gr_name )
+ return NULL;
+
+ DEBUG(10,("group2string: converting passwd struct for %s\n",
+ grp->gr_name));
+
+ if ( grp->num_gr_mem ) {
+ int idx = 0;
+
+ member = grp->gr_mem[0];
+ size = 0;
+ num_members = 0;
+
+ while ( member ) {
+ size += strlen(member) + 1;
+ num_members++;
+ member = grp->gr_mem[num_members];
+ }
+
+ gr_mem_str = smb_xmalloc(size);
+
+ for ( i=0; i<num_members; i++ ) {
+ snprintf( &gr_mem_str[idx], size-idx, "%s,", grp->gr_mem[i] );
+ idx += strlen(grp->gr_mem[i]) + 1;
+ }
+ /* add trailing NULL (also removes trailing ',' */
+ gr_mem_str[size-1] = '\0';
+ }
+ else {
+ /* no members */
+ gr_mem_str = smb_xmalloc(sizeof(fstring));
+ fstrcpy( gr_mem_str, "" );
+ }
+
+ ret = snprintf( string, sizeof(string)-1, "%s:%s:%d:%s",
+ grp->gr_name,
+ grp->gr_passwd ? grp->gr_passwd : "*",
+ grp->gr_gid,
+ gr_mem_str );
+
+ SAFE_FREE( gr_mem_str );
+
+ if ( ret < 0 ) {
+ DEBUG(0,("group2string: snprintf() failed!\n"));
+ return NULL;
+ }
+
+ return string;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static char* acct_userkey_byname( const char *name )
+{
+ static fstring key;
+
+ snprintf( key, sizeof(key), "%s/NAME/%s", WBKEY_PASSWD, name );
+
+ return key;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static char* acct_userkey_byuid( uid_t uid )
+{
+ static fstring key;
+
+ snprintf( key, sizeof(key), "%s/UID/%d", WBKEY_PASSWD, uid );
+
+ return key;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static char* acct_groupkey_byname( const char *name )
+{
+ static fstring key;
+
+ snprintf( key, sizeof(key), "%s/NAME/%s", WBKEY_GROUP, name );
+
+ return key;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static char* acct_groupkey_bygid( gid_t gid )
+{
+ static fstring key;
+
+ snprintf( key, sizeof(key), "%s/GID/%d", WBKEY_GROUP, gid );
+
+ return key;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+WINBINDD_PW* wb_getpwnam( const char * name )
+{
+ char *keystr;
+ TDB_DATA data;
+ static WINBINDD_PW *pw;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_getpwnam: Failed to open winbindd account db\n"));
+ return NULL;
+ }
+
+
+ keystr = acct_userkey_byname( name );
+
+ data = tdb_fetch_by_string( account_tdb, keystr );
+
+ pw = NULL;
+
+ if ( data.dptr ) {
+ pw = string2passwd( data.dptr );
+ SAFE_FREE( data.dptr );
+ }
+
+ DEBUG(5,("wb_getpwnam: %s user (%s)\n",
+ (pw ? "Found" : "Did not find"), name ));
+
+ return pw;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+WINBINDD_PW* wb_getpwuid( const uid_t uid )
+{
+ char *keystr;
+ TDB_DATA data;
+ static WINBINDD_PW *pw;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_getpwuid: Failed to open winbindd account db\n"));
+ return NULL;
+ }
+
+ data = tdb_fetch_by_string( account_tdb, acct_userkey_byuid(uid) );
+ if ( !data.dptr ) {
+ DEBUG(4,("wb_getpwuid: failed to locate uid == %d\n", uid));
+ return NULL;
+ }
+ keystr = acct_userkey_byname( data.dptr );
+
+ SAFE_FREE( data.dptr );
+
+ data = tdb_fetch_by_string( account_tdb, keystr );
+
+ pw = NULL;
+
+ if ( data.dptr ) {
+ pw = string2passwd( data.dptr );
+ SAFE_FREE( data.dptr );
+ }
+
+ DEBUG(5,("wb_getpwuid: %s user (uid == %d)\n",
+ (pw ? "Found" : "Did not find"), uid ));
+
+ return pw;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+BOOL wb_storepwnam( const WINBINDD_PW *pw )
+{
+ char *namekey, *uidkey;
+ TDB_DATA data;
+ char *str;
+ int ret = 0;
+ fstring username;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_storepwnam: Failed to open winbindd account db\n"));
+ return False;
+ }
+
+ namekey = acct_userkey_byname( pw->pw_name );
+
+ /* lock the main entry first */
+
+ if ( tdb_lock_bystring(account_tdb, namekey, 0) == -1 ) {
+ DEBUG(0,("wb_storepwnam: Failed to lock %s\n", namekey));
+ return False;
+ }
+
+ str = passwd2string( pw );
+
+ data.dptr = str;
+ data.dsize = strlen(str) + 1;
+
+ if ( (tdb_store_by_string(account_tdb, namekey, data, TDB_REPLACE)) == -1 ) {
+ DEBUG(0,("wb_storepwnam: Failed to store \"%s\"\n", str));
+ ret = -1;
+ goto done;
+ }
+
+ /* store the uid index */
+
+ uidkey = acct_userkey_byuid(pw->pw_uid);
+
+ fstrcpy( username, pw->pw_name );
+ data.dptr = username;
+ data.dsize = strlen(username) + 1;
+
+ if ( (tdb_store_by_string(account_tdb, uidkey, data, TDB_REPLACE)) == -1 ) {
+ DEBUG(0,("wb_storepwnam: Failed to store uid key \"%s\"\n", str));
+ tdb_delete_by_string(account_tdb, namekey);
+ ret = -1;
+ goto done;
+ }
+
+ DEBUG(10,("wb_storepwnam: Success -> \"%s\"\n", str));
+
+done:
+ tdb_unlock_bystring( account_tdb, namekey );
+
+ return ( ret == 0 );
+}
+
+/**********************************************************************
+**********************************************************************/
+
+WINBINDD_GR* wb_getgrnam( const char * name )
+{
+ char *keystr;
+ TDB_DATA data;
+ static WINBINDD_GR *grp;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_getgrnam: Failed to open winbindd account db\n"));
+ return NULL;
+ }
+
+
+ keystr = acct_groupkey_byname( name );
+
+ data = tdb_fetch_by_string( account_tdb, keystr );
+
+ grp = NULL;
+
+ if ( data.dptr ) {
+ grp = string2group( data.dptr );
+ SAFE_FREE( data.dptr );
+ }
+
+ DEBUG(5,("wb_getgrnam: %s group (%s)\n",
+ (grp ? "Found" : "Did not find"), name ));
+
+ return grp;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+WINBINDD_GR* wb_getgrgid( gid_t gid )
+{
+ char *keystr;
+ TDB_DATA data;
+ static WINBINDD_GR *grp;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_getgrgid: Failed to open winbindd account db\n"));
+ return NULL;
+ }
+
+ data = tdb_fetch_by_string( account_tdb, acct_groupkey_bygid(gid) );
+ if ( !data.dptr ) {
+ DEBUG(4,("wb_getgrgid: failed to locate gid == %d\n", gid));
+ return NULL;
+ }
+ keystr = acct_groupkey_byname( data.dptr );
+
+ SAFE_FREE( data.dptr );
+
+ data = tdb_fetch_by_string( account_tdb, keystr );
+
+ grp = NULL;
+
+ if ( data.dptr ) {
+ grp = string2group( data.dptr );
+ SAFE_FREE( data.dptr );
+ }
+
+ DEBUG(5,("wb_getgrgid: %s group (gid == %d)\n",
+ (grp ? "Found" : "Did not find"), gid ));
+
+ return grp;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+BOOL wb_storegrnam( const WINBINDD_GR *grp )
+{
+ char *namekey, *gidkey;
+ TDB_DATA data;
+ char *str;
+ int ret = 0;
+ fstring groupname;
+
+ if ( !account_tdb && !winbindd_accountdb_init() ) {
+ DEBUG(0,("wb_storepwnam: Failed to open winbindd account db\n"));
+ return False;
+ }
+
+ namekey = acct_groupkey_byname( grp->gr_name );
+
+ /* lock the main entry first */
+
+ if ( tdb_lock_bystring(account_tdb, namekey, 0) == -1 ) {
+ DEBUG(0,("wb_storegrnam: Failed to lock %s\n", namekey));
+ return False;
+ }
+
+ str = group2string( grp );
+
+ data.dptr = str;
+ data.dsize = strlen(str) + 1;
+
+ if ( (tdb_store_by_string(account_tdb, namekey, data, TDB_REPLACE)) == -1 ) {
+ DEBUG(0,("wb_storegrnam: Failed to store \"%s\"\n", str));
+ ret = -1;
+ goto done;
+ }
+
+ /* store the gid index */
+
+ gidkey = acct_groupkey_bygid(grp->gr_gid);
+
+ fstrcpy( groupname, grp->gr_name );
+ data.dptr = groupname;
+ data.dsize = strlen(groupname) + 1;
+
+ if ( (tdb_store_by_string(account_tdb, gidkey, data, TDB_REPLACE)) == -1 ) {
+ DEBUG(0,("wb_storegrnam: Failed to store gid key \"%s\"\n", str));
+ tdb_delete_by_string(account_tdb, namekey);
+ ret = -1;
+ goto done;
+ }
+
+ DEBUG(10,("wb_storegrnam: Success -> \"%s\"\n", str));
+
+done:
+ tdb_unlock_bystring( account_tdb, namekey );
+
+ return ( ret == 0 );
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static BOOL wb_addgrpmember( WINBINDD_GR *grp, const char *user )
+{
+ int i;
+ char **members;
+
+ if ( !grp || !user )
+ return False;
+
+ for ( i=0; i<grp->num_gr_mem; i++ ) {
+ if ( StrCaseCmp( grp->gr_mem[i], user ) == 0 )
+ return True;
+ }
+
+ /* add one new slot and keep an extra for the terminating NULL */
+ members = Realloc( grp->gr_mem, (grp->num_gr_mem+2)*sizeof(char*) );
+ if ( !members )
+ return False;
+
+ grp->gr_mem = members;
+ grp->gr_mem[grp->num_gr_mem++] = smb_xstrdup(user);
+ grp->gr_mem[grp->num_gr_mem] = NULL;
+
+ return True;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static BOOL wb_delgrpmember( WINBINDD_GR *grp, const char *user )
+{
+ int i;
+ BOOL found = False;
+
+ if ( !grp || !user )
+ return False;
+
+ for ( i=0; i<grp->num_gr_mem && !found; i++ ) {
+ if ( StrCaseCmp( grp->gr_mem[i], user ) == 0 )
+ found = True;
+ }
+
+ if ( !found )
+ return False;
+
+ memmove( grp->gr_mem[i], grp->gr_mem[i+1], sizeof(char*)*(grp->num_gr_mem-(i+1)) );
+ grp->num_gr_mem--;
+
+ return True;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+static void free_winbindd_gr( WINBINDD_GR *grp )
+{
+ int i;
+
+ if ( !grp )
+ return;
+
+ for ( i=0; i<grp->num_gr_mem; i++ )
+ SAFE_FREE( grp->gr_mem[i] );
+
+ SAFE_FREE( grp->gr_mem );
+
+ return;
+}
+
+/**********************************************************************
+ Create a new "UNIX" user for the system given a username
+**********************************************************************/
+
+enum winbindd_result winbindd_create_user(struct winbindd_cli_state *state)
+{
+ char *user, *group;
+ unid_t id;
+ WINBINDD_PW pw;
+ WINBINDD_GR *wb_grp;
+ struct group *unix_grp;
+ gid_t primary_gid;
+
+ if ( !state->privileged ) {
+ DEBUG(2, ("winbindd_create_user: non-privileged access denied!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* Ensure null termination */
+ state->request.data.acct_mgt.username[sizeof(state->request.data.acct_mgt.username)-1]='\0';
+ state->request.data.acct_mgt.groupname[sizeof(state->request.data.acct_mgt.groupname)-1]='\0';
+
+ user = state->request.data.acct_mgt.username;
+ group = state->request.data.acct_mgt.groupname;
+
+ DEBUG(3, ("[%5d]: create_user user=>(%s), group=>(%s)\n",
+ state->pid, user, group));
+
+ if ( !*group )
+ group = lp_template_primary_group();
+
+ /* validate the primary group
+ 1) lookup in local tdb first
+ 2) call getgrnam() as a last resort */
+
+ if ( (wb_grp=wb_getgrnam(group)) != NULL ) {
+ primary_gid = wb_grp->gr_gid;
+ free_winbindd_gr( wb_grp );
+ }
+ else if ( (unix_grp=sys_getgrnam(group)) != NULL ) {
+ primary_gid = unix_grp->gr_gid;
+ }
+ else {
+ DEBUG(2,("winbindd_create_user: Cannot validate gid for group (%s)\n", group));
+ return WINBINDD_ERROR;
+ }
+
+ /* get a new uid */
+
+ if ( !NT_STATUS_IS_OK(idmap_allocate_id( &id, ID_USERID)) ) {
+ DEBUG(0,("winbindd_create_user: idmap_allocate_id() failed!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* The substitution of %U and %D in the 'template homedir' is done
+ by lp_string() calling standard_sub_basic(). */
+
+ fstrcpy( current_user_info.smb_name, user );
+ sub_set_smb_name( user );
+ fstrcpy( current_user_info.domain, get_global_sam_name() );
+
+ /* fill in the passwd struct */
+
+ fstrcpy( pw.pw_name, user );
+ fstrcpy( pw.pw_passwd, "x" );
+ fstrcpy( pw.pw_gecos, user);
+ fstrcpy( pw.pw_dir, lp_template_homedir() );
+ fstrcpy( pw.pw_shell, lp_template_shell() );
+
+ pw.pw_uid = id.uid;
+ pw.pw_gid = primary_gid;
+
+ return ( wb_storepwnam(&pw) ? WINBINDD_OK : WINBINDD_ERROR );
+}
+
+/**********************************************************************
+ Create a new "UNIX" group for the system given a username
+**********************************************************************/
+
+enum winbindd_result winbindd_create_group(struct winbindd_cli_state *state)
+{
+ char *group;
+ unid_t id;
+ WINBINDD_GR grp;
+
+ if ( !state->privileged ) {
+ DEBUG(2, ("winbindd_create_group: non-privileged access denied!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* Ensure null termination */
+ state->request.data.acct_mgt.groupname[sizeof(state->request.data.acct_mgt.groupname)-1]='\0';
+ group = state->request.data.acct_mgt.groupname;
+
+ DEBUG(3, ("[%5d]: create_group (%s)\n", state->pid, group));
+
+ /* get a new uid */
+
+ if ( !NT_STATUS_IS_OK(idmap_allocate_id( &id, ID_GROUPID)) ) {
+ DEBUG(0,("winbindd_create_group: idmap_allocate_id() failed!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* fill in the group struct */
+
+ fstrcpy( grp.gr_name, group );
+ fstrcpy( grp.gr_passwd, "*" );
+
+ grp.gr_gid = id.gid;
+ grp.gr_mem = NULL; /* start with no members */
+ grp.num_gr_mem = 0;
+
+ return ( wb_storegrnam(&grp) ? WINBINDD_OK : WINBINDD_ERROR );
+}
+
+/**********************************************************************
+ Add a user to the membership for a group.
+**********************************************************************/
+
+enum winbindd_result winbindd_add_user_to_group(struct winbindd_cli_state *state)
+{
+ WINBINDD_PW *pw;
+ WINBINDD_GR *grp;
+ char *user, *group;
+ BOOL ret;
+
+ if ( !state->privileged ) {
+ DEBUG(2, ("winbindd_add_user_to_group: non-privileged access denied!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* Ensure null termination */
+ state->request.data.acct_mgt.groupname[sizeof(state->request.data.acct_mgt.groupname)-1]='\0';
+ state->request.data.acct_mgt.username[sizeof(state->request.data.acct_mgt.username)-1]='\0';
+ group = state->request.data.acct_mgt.groupname;
+ user = state->request.data.acct_mgt.username;
+
+ DEBUG(3, ("[%5d]: add_user_to_group add %s to %s\n", state->pid,
+ user, group));
+
+ /* make sure it is a valid user */
+
+ if ( !(pw = wb_getpwnam( user )) ) {
+ DEBUG(4,("winbindd_add_user_to_group: Cannot add a non-existent user\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* make sure it is a valid group */
+
+ if ( !(grp = wb_getgrnam( group )) ) {
+ DEBUG(4,("winbindd_add_user_to_group: Cannot add a user to a non-extistent group\n"));
+ return WINBINDD_ERROR;
+ }
+
+ if ( !wb_addgrpmember( grp, user ) )
+ return WINBINDD_ERROR;
+
+ ret = wb_storegrnam(grp);
+
+ free_winbindd_gr( grp );
+
+ return ( ret ? WINBINDD_OK : WINBINDD_ERROR );
+}
+
+/**********************************************************************
+ Remove a user from the membership of a group
+**********************************************************************/
+
+enum winbindd_result winbindd_remove_user_from_group(struct winbindd_cli_state *state)
+{
+ WINBINDD_GR *grp;
+ char *user, *group;
+ BOOL ret;
+
+ if ( !state->privileged ) {
+ DEBUG(2, ("winbindd_remove_user_from_group: non-privileged access denied!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* Ensure null termination */
+ state->request.data.acct_mgt.groupname[sizeof(state->request.data.acct_mgt.groupname)-1]='\0';
+ state->request.data.acct_mgt.username[sizeof(state->request.data.acct_mgt.username)-1]='\0';
+ group = state->request.data.acct_mgt.groupname;
+ user = state->request.data.acct_mgt.username;
+
+ DEBUG(3, ("[%5d]: remove_user_to_group delete %s from %s\n", state->pid,
+ user, group));
+
+ /* don't worry about checking the username since we're removing it anyways */
+
+ /* make sure it is a valid group */
+
+ if ( !(grp = wb_getgrnam( group )) ) {
+ DEBUG(4,("winbindd_remove_user_to_group: Cannot remove a user to a non-extistent group\n"));
+ return WINBINDD_ERROR;
+ }
+
+ if ( !wb_delgrpmember( grp, user ) )
+ return WINBINDD_ERROR;
+
+ ret = wb_storegrnam(grp);
+
+ free_winbindd_gr( grp );
+
+ return ( ret ? WINBINDD_OK : WINBINDD_ERROR );
+}
+
+/**********************************************************************
+ Set the primary group membership of a user
+**********************************************************************/
+
+enum winbindd_result winbindd_set_user_primary_group(struct winbindd_cli_state *state)
+{
+ WINBINDD_PW *pw;
+ WINBINDD_GR *grp;
+ char *user, *group;
+
+ if ( !state->privileged ) {
+ DEBUG(2, ("winbindd_set_user_primary_group: non-privileged access denied!\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* Ensure null termination */
+ state->request.data.acct_mgt.groupname[sizeof(state->request.data.acct_mgt.groupname)-1]='\0';
+ state->request.data.acct_mgt.username[sizeof(state->request.data.acct_mgt.username)-1]='\0';
+ group = state->request.data.acct_mgt.groupname;
+ user = state->request.data.acct_mgt.username;
+
+ DEBUG(3, ("[%5d]: set_user_primary_group group %s for user %s\n", state->pid,
+ group, user));
+
+ /* make sure it is a valid user */
+
+ if ( !(pw = wb_getpwnam( user )) ) {
+ DEBUG(4,("winbindd_add_user_to_group: Cannot add a non-existent user\n"));
+ return WINBINDD_ERROR;
+ }
+
+ /* make sure it is a valid group */
+
+ if ( !(grp = wb_getgrnam( group )) ) {
+ DEBUG(4,("winbindd_add_user_to_group: Cannot add a user to a non-extistent group\n"));
+ return WINBINDD_ERROR;
+ }
+
+ pw->pw_gid = grp->gr_gid;
+
+ free_winbindd_gr( grp );
+
+ return ( wb_storepwnam(pw) ? WINBINDD_OK : WINBINDD_ERROR );
+}
+
+/**********************************************************************
+ Set the primary group membership of a user
+**********************************************************************/
+
+enum winbindd_result winbindd_delete_user(struct winbindd_cli_state *state)
+{
+ return WINBINDD_ERROR;
+}
+
+/**********************************************************************
+ Set the primary group membership of a user
+**********************************************************************/
+
+enum winbindd_result winbindd_delete_group(struct winbindd_cli_state *state)
+{
+ return WINBINDD_ERROR;
+}
+
+
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index 9a969abeaa..d67d48d506 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -27,6 +27,34 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
+/*********************************************************************
+*********************************************************************/
+
+static int gr_mem_buffer( char **buffer, char **members, int num_members )
+{
+ int i;
+ int len = 0;
+ int idx = 0;
+
+ if ( num_members == 0 ) {
+ *buffer = NULL;
+ return 0;
+ }
+
+ for ( i=0; i<num_members; i++ )
+ len += strlen(members[i])+1;
+
+ *buffer = (char*)smb_xmalloc(len);
+ for ( i=0; i<num_members; i++ ) {
+ snprintf( &(*buffer)[idx], len-idx, "%s,", members[i]);
+ idx += strlen(members[i])+1;
+ }
+ /* terminate with NULL */
+ (*buffer)[len-1] = '\0';
+
+ return len;
+}
+
/***************************************************************
Empty static struct for negative caching.
****************************************************************/
@@ -193,6 +221,7 @@ done:
enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
{
DOM_SID group_sid;
+ WINBINDD_GR *grp;
struct winbindd_domain *domain;
enum SID_NAME_USE name_type;
fstring name_domain, name_group;
@@ -211,18 +240,38 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
memset(name_group, 0, sizeof(fstring));
tmp = state->request.data.groupname;
- if (!parse_domain_user(tmp, name_domain, name_group))
- return WINBINDD_ERROR;
+
+ parse_domain_user(tmp, name_domain, name_group);
+
+ /* if no domain or our local domain, then do a local tdb search */
+
+ if ( !*name_domain || strequal(name_domain, get_global_sam_name()) ) {
+ char *buffer = NULL;
+
+ if ( !(grp=wb_getgrnam(name_group)) ) {
+ DEBUG(5,("winbindd_getgrnam: lookup for %s\\%s failed\n",
+ name_domain, name_group));
+ return WINBINDD_ERROR;
+ }
+ memcpy( &state->response.data.gr, grp, sizeof(WINBINDD_GR) );
- /* don't handle our own domain if we are a DC ( or a member of a Samba domain
- that shares UNIX accounts). This code handles cases where
- the account doesn't exist anywhere and gets passed on down the NSS layer */
+ gr_mem_len = gr_mem_buffer( &buffer, grp->gr_mem, grp->num_gr_mem );
+
+ state->response.data.gr.gr_mem_ofs = 0;
+ state->response.length += gr_mem_len;
+ state->response.extra_data = buffer; /* give the memory away */
+
+ return WINBINDD_OK;
+ }
- if ( (IS_DC || lp_winbind_trusted_domains_only()) && strequal(name_domain, lp_workgroup()) ) {
- DEBUG(7,("winbindd_getgrnam: rejecting getpwnam() for %s\\%s since I am on the PDC for this domain\n",
+ /* should we deal with users for our domain? */
+
+ if ( lp_winbind_trusted_domains_only() && strequal(name_domain, lp_workgroup())) {
+ DEBUG(7,("winbindd_getgrnam: My domain -- rejecting getgrnam() for %s\\%s.\n",
name_domain, name_group));
return WINBINDD_ERROR;
}
+
/* Get info for the domain */
@@ -277,6 +326,7 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
enum winbindd_result winbindd_getgrgid(struct winbindd_cli_state *state)
{
struct winbindd_domain *domain;
+ WINBINDD_GR *grp;
DOM_SID group_sid;
enum SID_NAME_USE name_type;
fstring dom_name;
@@ -293,6 +343,21 @@ enum winbindd_result winbindd_getgrgid(struct winbindd_cli_state *state)
(state->request.data.gid > server_state.gid_high))
return WINBINDD_ERROR;
+ /* alway try local tdb lookup first */
+ if ( ( grp=wb_getgrgid(state->request.data.gid)) != NULL ) {
+ char *buffer = NULL;
+
+ memcpy( &state->response.data.gr, grp, sizeof(WINBINDD_GR) );
+
+ gr_mem_len = gr_mem_buffer( &buffer, grp->gr_mem, grp->num_gr_mem );
+
+ state->response.data.gr.gr_mem_ofs = 0;
+ state->response.length += gr_mem_len;
+ state->response.extra_data = buffer; /* give away the memory */
+
+ return WINBINDD_OK;
+ }
+
/* Get rid from gid */
if (!NT_STATUS_IS_OK(idmap_gid_to_sid(&group_sid, state->request.data.gid))) {
DEBUG(1, ("could not convert gid %d to rid\n",
@@ -859,8 +924,12 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
/* Parse domain and username */
- if (!parse_domain_user(state->request.data.username, name_domain,
- name_user))
+ parse_domain_user(state->request.data.username,
+ name_domain, name_user);
+
+ /* bail if there is no domain */
+
+ if ( !*name_domain )
goto done;
/* Get info for the domain */
diff --git a/source3/nsswitch/winbindd_idmap.c b/source3/nsswitch/winbindd_idmap.c
deleted file mode 100644
index 3b23089200..0000000000
--- a/source3/nsswitch/winbindd_idmap.c
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- Winbind ID Mapping
- Copyright (C) Tim Potter 2000
- Copyright (C) Anthony Liguori <aliguor@us.ibm.com> 2003
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "winbindd.h"
-
-static struct {
- const char *name;
- /* Function to create a member of the idmap_methods list */
- BOOL (*reg_meth)(struct winbindd_idmap_methods **methods);
- struct winbindd_idmap_methods *methods;
-} builtin_winbindd_idmap_functions[] = {
- { "tdb", winbind_idmap_reg_tdb, NULL },
- { NULL, NULL, NULL }
-};
-
-/* singleton pattern: uberlazy evaluation */
-static struct winbindd_idmap_methods *impl;
-
-static struct winbindd_idmap_methods *get_impl(const char *name)
-{
- int i = 0;
- struct winbindd_idmap_methods *ret = NULL;
-
- while (builtin_winbindd_idmap_functions[i].name &&
- strcmp(builtin_winbindd_idmap_functions[i].name, name)) {
- i++;
- }
-
- if (builtin_winbindd_idmap_functions[i].name) {
- if (!builtin_winbindd_idmap_functions[i].methods) {
- builtin_winbindd_idmap_functions[i].reg_meth(&builtin_winbindd_idmap_functions[i].methods);
- }
-
- ret = builtin_winbindd_idmap_functions[i].methods;
- }
-
- return ret;
-}
-
-/* Initialize backend */
-BOOL winbindd_idmap_init(void)
-{
- BOOL ret = False;
-
- DEBUG(3, ("winbindd_idmap_init: using '%s' as backend\n",
- lp_winbind_backend()));
-
- if (!impl) {
- impl = get_impl(lp_winbind_backend());
- if (!impl) {
- DEBUG(0, ("winbindd_idmap_init: could not load backend '%s'\n",
- lp_winbind_backend()));
- }
- }
-
- if (impl) {
- ret = impl->init();
- }
-
- DEBUG(3, ("winbind_idmap_init: returning %s\n", ret ? "true" : "false"));
-
- return ret;
-}
-
-/* Get UID from SID */
-BOOL winbindd_idmap_get_uid_from_sid(DOM_SID *sid, uid_t *uid)
-{
- BOOL ret = False;
-
- if (!impl) {
- impl = get_impl(lp_winbind_backend());
- if (!impl) {
- DEBUG(0, ("winbindd_idmap_init: could not load backend '%s'\n",
- lp_winbind_backend()));
- }
- }
-
- if (impl) {
- ret = impl->get_uid_from_sid(sid, uid);
- }
-
- return ret;
-}
-
-/* Get GID from SID */
-BOOL winbindd_idmap_get_gid_from_sid(DOM_SID *sid, gid_t *gid)
-{
- BOOL ret = False;
-
- if (!impl) {
- impl = get_impl(lp_winbind_backend());
- if (!impl) {
- DEBUG(0, ("winbindd_idmap_init: could not load backend '%s'\n",
- lp_winbind_backend()));
- }
- }
-
- if (impl) {
- ret = impl->get_gid_from_sid(sid, gid);
- }
-
- return ret;
-}
-
-/* Get SID from UID */
-BOOL winbindd_idmap_get_sid_from_uid(uid_t uid, DOM_SID *sid)
-{
- BOOL ret = False;
-
- if (!impl) {
- impl = get_impl(lp_winbind_backend());
- if (!impl) {
- DEBUG(0, ("winbindd_idmap_init: could not load backend '%s'\n",
- lp_winbind_backend()));
- }
- }
-
- if (impl) {
- ret = impl->get_sid_from_uid(uid, sid);
- }
-
- return ret;
-}
-
-/* Get SID from GID */
-BOOL winbindd_idmap_get_sid_from_gid(gid_t gid, DOM_SID *sid)
-{
- BOOL ret = False;
-
- if (!impl) {
- impl = get_impl(lp_winbind_backend());
- }
-
- if (impl) {
- ret = impl->get_sid_from_gid(gid, sid);
- } else {
- DEBUG(0, ("winbindd_idmap_init: could not load backend '%s'\n",
- lp_winbind_backend()));
- }
-
- return ret;
-}
-
-/* Close backend */
-BOOL winbindd_idmap_close(void)
-{
- BOOL ret = False;
-
- if (!impl) {
- impl = get_impl(lp_winbind_backend());
- }
-
- if (impl) {
- ret = impl->close();
- } else {
- DEBUG(0, ("winbindd_idmap_init: could not load backend '%s'\n",
- lp_winbind_backend()));
- }
-
- return ret;
-}
-
-/* Dump backend status */
-void winbindd_idmap_status(void)
-{
- if (!impl) {
- impl = get_impl(lp_winbind_backend());
- }
-
- if (impl) {
- impl->status();
- } else {
- DEBUG(0, ("winbindd_idmap_init: could not load backend '%s'\n",
- lp_winbind_backend()));
- }
-}
diff --git a/source3/nsswitch/winbindd_idmap_tdb.c b/source3/nsswitch/winbindd_idmap_tdb.c
deleted file mode 100644
index 12d6972bae..0000000000
--- a/source3/nsswitch/winbindd_idmap_tdb.c
+++ /dev/null
@@ -1,459 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- Winbind daemon - user related function
-
- Copyright (C) Tim Potter 2000
- Copyright (C) Anthony Liguori 2003
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "winbindd.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_WINBIND
-
-/* High water mark keys */
-#define HWM_GROUP "GROUP HWM"
-#define HWM_USER "USER HWM"
-
-/* idmap version determines auto-conversion */
-#define IDMAP_VERSION 2
-
-/* Globals */
-static TDB_CONTEXT *idmap_tdb;
-
-/* convert one record to the new format */
-static int tdb_convert_fn(TDB_CONTEXT * tdb, TDB_DATA key, TDB_DATA data,
- void *ignored)
-{
- struct winbindd_domain *domain;
- char *p;
- DOM_SID sid;
- uint32 rid;
- fstring keystr;
- fstring dom_name;
- TDB_DATA key2;
-
- p = strchr(key.dptr, '/');
- if (!p)
- return 0;
-
- *p = 0;
- fstrcpy(dom_name, key.dptr);
- *p++ = '/';
-
- domain = find_domain_from_name(dom_name);
- if (!domain) {
- /* We must delete the old record. */
- DEBUG(0,
- ("winbindd: tdb_convert_fn : Unable to find domain %s\n",
- dom_name));
- DEBUG(0,
- ("winbindd: tdb_convert_fn : deleting record %s\n",
- key.dptr));
- tdb_delete(idmap_tdb, key);
- return 0;
- }
-
- rid = atoi(p);
-
- sid_copy(&sid, &domain->sid);
- sid_append_rid(&sid, rid);
-
- sid_to_string(keystr, &sid);
- key2.dptr = keystr;
- key2.dsize = strlen(keystr) + 1;
-
- if (tdb_store(idmap_tdb, key2, data, TDB_INSERT) != 0) {
- /* not good! */
- DEBUG(0,
- ("winbindd: tdb_convert_fn : Unable to update record %s\n",
- key2.dptr));
- DEBUG(0,
- ("winbindd: tdb_convert_fn : conversion failed - idmap corrupt ?\n"));
- return -1;
- }
-
- if (tdb_store(idmap_tdb, data, key2, TDB_REPLACE) != 0) {
- /* not good! */
- DEBUG(0,
- ("winbindd: tdb_convert_fn : Unable to update record %s\n",
- data.dptr));
- DEBUG(0,
- ("winbindd: tdb_convert_fn : conversion failed - idmap corrupt ?\n"));
- return -1;
- }
-
- tdb_delete(idmap_tdb, key);
-
- return 0;
-}
-
-/*****************************************************************************
- Convert the idmap database from an older version.
-*****************************************************************************/
-static BOOL tdb_idmap_convert(void)
-{
- int32 vers = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION");
- BOOL bigendianheader =
- (idmap_tdb->flags & TDB_BIGENDIAN) ? True : False;
-
- if (vers == IDMAP_VERSION)
- return True;
-
- if (((vers == -1) && bigendianheader)
- || (IREV(vers) == IDMAP_VERSION)) {
- /* Arrggghh ! Bytereversed or old big-endian - make order independent ! */
- /*
- * high and low records were created on a
- * big endian machine and will need byte-reversing.
- */
-
- int32 wm;
-
- wm = tdb_fetch_int32(idmap_tdb, HWM_USER);
-
- if (wm != -1) {
- wm = IREV(wm);
- } else
- wm = server_state.uid_low;
-
- if (tdb_store_int32(idmap_tdb, HWM_USER, wm) == -1) {
- DEBUG(0,
- ("tdb_idmap_convert: Unable to byteswap user hwm in idmap database\n"));
- return False;
- }
-
- wm = tdb_fetch_int32(idmap_tdb, HWM_GROUP);
- if (wm != -1) {
- wm = IREV(wm);
- } else
- wm = server_state.gid_low;
-
- if (tdb_store_int32(idmap_tdb, HWM_GROUP, wm) == -1) {
- DEBUG(0,
- ("tdb_idmap_convert: Unable to byteswap group hwm in idmap database\n"));
- return False;
- }
- }
-
- /* the old format stored as DOMAIN/rid - now we store the SID direct */
- tdb_traverse(idmap_tdb, tdb_convert_fn, NULL);
-
- if (tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION) ==
- -1) {
- DEBUG(0,
- ("tdb_idmap_convert: Unable to byteswap group hwm in idmap database\n"));
- return False;
- }
-
- return True;
-}
-
-/* Allocate either a user or group id from the pool */
-static BOOL tdb_allocate_id(uid_t * id, BOOL isgroup)
-{
- int hwm;
-
- /* Get current high water mark */
- if ((hwm = tdb_fetch_int32(idmap_tdb,
- isgroup ? HWM_GROUP : HWM_USER)) ==
- -1) {
- return False;
- }
-
- /* Return next available uid in list */
- if ((isgroup && (hwm > server_state.gid_high)) ||
- (!isgroup && (hwm > server_state.uid_high))) {
- DEBUG(0,
- ("winbind %sid range full!\n", isgroup ? "g" : "u"));
- return False;
- }
-
- if (id) {
- *id = hwm;
- }
-
- hwm++;
-
- /* Store new high water mark */
- tdb_store_int32(idmap_tdb, isgroup ? HWM_GROUP : HWM_USER, hwm);
-
- return True;
-}
-
-/* Get a sid from an id */
-static BOOL tdb_get_sid_from_id(int id, DOM_SID * sid, BOOL isgroup)
-{
- TDB_DATA key, data;
- fstring keystr;
- BOOL result = False;
-
- slprintf(keystr, sizeof(keystr), "%s %d", isgroup ? "GID" : "UID",
- id);
-
- key.dptr = keystr;
- key.dsize = strlen(keystr) + 1;
-
- data = tdb_fetch(idmap_tdb, key);
-
- if (data.dptr) {
- result = string_to_sid(sid, data.dptr);
- SAFE_FREE(data.dptr);
- }
-
- return result;
-}
-
-/* Get an id from a sid */
-static BOOL tdb_get_id_from_sid(DOM_SID * sid, uid_t * id, BOOL isgroup)
-{
- TDB_DATA data, key;
- fstring keystr;
- BOOL result = False;
-
- /* Check if sid is present in database */
- sid_to_string(keystr, sid);
-
- key.dptr = keystr;
- key.dsize = strlen(keystr) + 1;
-
- data = tdb_fetch(idmap_tdb, key);
-
- if (data.dptr) {
- fstring scanstr;
- int the_id;
-
- /* Parse and return existing uid */
- fstrcpy(scanstr, isgroup ? "GID" : "UID");
- fstrcat(scanstr, " %d");
-
- if (sscanf(data.dptr, scanstr, &the_id) == 1) {
- /* Store uid */
- if (id) {
- *id = the_id;
- }
-
- result = True;
- }
-
- SAFE_FREE(data.dptr);
- } else {
-
- /* Allocate a new id for this sid */
- if (id && tdb_allocate_id(id, isgroup)) {
- fstring keystr2;
-
- /* Store new id */
- slprintf(keystr2, sizeof(keystr2), "%s %d",
- isgroup ? "GID" : "UID", *id);
-
- data.dptr = keystr2;
- data.dsize = strlen(keystr2) + 1;
-
- tdb_store(idmap_tdb, key, data, TDB_REPLACE);
- tdb_store(idmap_tdb, data, key, TDB_REPLACE);
-
- result = True;
- }
- }
-
- return result;
-}
-
-/*****************************************************************************
- Initialise idmap database.
-*****************************************************************************/
-static BOOL tdb_idmap_init(void)
-{
- SMB_STRUCT_STAT stbuf;
-
- /* move to the new database on first startup */
- if (!file_exist(lock_path("idmap.tdb"), &stbuf)) {
- if (file_exist(lock_path("winbindd_idmap.tdb"), &stbuf)) {
- char *cmd = NULL;
-
- /* lazy file copy */
- if (asprintf(&cmd, "cp -p %s/winbindd_idmap.tdb %s/idmap.tdb", lp_lockdir(), lp_lockdir()) != -1) {
- system(cmd);
- free(cmd);
- }
- if (!file_exist(lock_path("idmap.tdb"), &stbuf)) {
- DEBUG(0, ("idmap_init: Unable to make a new database copy\n"));
- return False;
- }
- }
- }
-
- /* Open tdb cache */
- if (!(idmap_tdb = tdb_open_log(lock_path("idmap.tdb"), 0,
- TDB_DEFAULT, O_RDWR | O_CREAT,
- 0600))) {
- DEBUG(0,
- ("winbindd_idmap_init: Unable to open idmap database\n"));
- return False;
- }
-
- /* possibly convert from an earlier version */
- if (!tdb_idmap_convert()) {
- DEBUG(0, ("winbindd_idmap_init: Unable to open idmap database\n"));
- return False;
- }
-
- /* Create high water marks for group and user id */
- if (tdb_fetch_int32(idmap_tdb, HWM_USER) == -1) {
- if (tdb_store_int32
- (idmap_tdb, HWM_USER, server_state.uid_low) == -1) {
- DEBUG(0,
- ("winbindd_idmap_init: Unable to initialise user hwm in idmap database\n"));
- return False;
- }
- }
-
- if (tdb_fetch_int32(idmap_tdb, HWM_GROUP) == -1) {
- if (tdb_store_int32
- (idmap_tdb, HWM_GROUP, server_state.gid_low) == -1) {
- DEBUG(0,
- ("winbindd_idmap_init: Unable to initialise group hwm in idmap database\n"));
- return False;
- }
- }
-
- return True;
-}
-
-/* Get a sid from a uid */
-static BOOL tdb_get_sid_from_uid(uid_t uid, DOM_SID * sid)
-{
- return tdb_get_sid_from_id((int) uid, sid, False);
-}
-
-/* Get a sid from a gid */
-static BOOL tdb_get_sid_from_gid(gid_t gid, DOM_SID * sid)
-{
- return tdb_get_sid_from_id((int) gid, sid, True);
-}
-
-/* Get a uid from a sid */
-static BOOL tdb_get_uid_from_sid(DOM_SID * sid, uid_t * uid)
-{
- return tdb_get_id_from_sid(sid, uid, False);
-}
-
-/* Get a gid from a group sid */
-static BOOL tdb_get_gid_from_sid(DOM_SID * sid, gid_t * gid)
-{
- return tdb_get_id_from_sid(sid, gid, True);
-}
-
-/* Close the tdb */
-static BOOL tdb_idmap_close(void)
-{
- if (idmap_tdb)
- return (tdb_close(idmap_tdb) == 0);
- return True;
-}
-
-
-/* Dump status information to log file. Display different stuff based on
- the debug level:
-
- Debug Level Information Displayed
- =================================================================
- 0 Percentage of [ug]id range allocated
- 0 High water marks (next allocated ids)
-*/
-
-#define DUMP_INFO 0
-
-static void tdb_idmap_status(void)
-{
- int user_hwm, group_hwm;
-
- DEBUG(0, ("winbindd idmap status:\n"));
-
- /* Get current high water marks */
-
- if ((user_hwm = tdb_fetch_int32(idmap_tdb, HWM_USER)) == -1) {
- DEBUG(DUMP_INFO,
- ("\tCould not get userid high water mark!\n"));
- }
-
- if ((group_hwm = tdb_fetch_int32(idmap_tdb, HWM_GROUP)) == -1) {
- DEBUG(DUMP_INFO,
- ("\tCould not get groupid high water mark!\n"));
- }
-
- /* Display next ids to allocate */
-
- if (user_hwm != -1) {
- DEBUG(DUMP_INFO,
- ("\tNext userid to allocate is %d\n", user_hwm));
- }
-
- if (group_hwm != -1) {
- DEBUG(DUMP_INFO,
- ("\tNext groupid to allocate is %d\n", group_hwm));
- }
-
- /* Display percentage of id range already allocated. */
-
- if (user_hwm != -1) {
- int num_users = user_hwm - server_state.uid_low;
- int total_users =
- server_state.uid_high - server_state.uid_low;
-
- DEBUG(DUMP_INFO,
- ("\tUser id range is %d%% full (%d of %d)\n",
- num_users * 100 / total_users, num_users,
- total_users));
- }
-
- if (group_hwm != -1) {
- int num_groups = group_hwm - server_state.gid_low;
- int total_groups =
- server_state.gid_high - server_state.gid_low;
-
- DEBUG(DUMP_INFO,
- ("\tGroup id range is %d%% full (%d of %d)\n",
- num_groups * 100 / total_groups, num_groups,
- total_groups));
- }
-
- /* Display complete mapping of users and groups to rids */
-}
-
-struct winbindd_idmap_methods tdb_idmap_methods = {
- tdb_idmap_init,
-
- tdb_get_sid_from_uid,
- tdb_get_sid_from_gid,
-
- tdb_get_uid_from_sid,
- tdb_get_gid_from_sid,
-
- tdb_idmap_close,
-
- tdb_idmap_status
-};
-
-BOOL winbind_idmap_reg_tdb(struct winbindd_idmap_methods **meth)
-{
- *meth = &tdb_idmap_methods;
-
- return True;
-}
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index 1ddfb2174e..a2d9e82c7c 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -36,7 +36,7 @@
/* Update this when you change the interface. */
-#define WINBIND_INTERFACE_VERSION 7
+#define WINBIND_INTERFACE_VERSION 8
/* Socket commands */
@@ -99,6 +99,16 @@ enum winbindd_cmd {
WINBINDD_WINS_BYIP,
WINBINDD_WINS_BYNAME,
+ /* account management commands */
+
+ WINBINDD_CREATE_USER,
+ WINBINDD_CREATE_GROUP,
+ WINBINDD_ADD_USER_TO_GROUP,
+ WINBINDD_REMOVE_USER_FROM_GROUP,
+ WINBINDD_SET_USER_PRIMARY_GROUP,
+ WINBINDD_DELETE_USER,
+ WINBINDD_DELETE_GROUP,
+
/* this is like GETGRENT but gives an empty group list */
WINBINDD_GETGRLST,
@@ -111,6 +121,27 @@ enum winbindd_cmd {
WINBINDD_NUM_CMDS
};
+typedef struct winbindd_pw {
+ fstring pw_name;
+ fstring pw_passwd;
+ uid_t pw_uid;
+ gid_t pw_gid;
+ fstring pw_gecos;
+ fstring pw_dir;
+ fstring pw_shell;
+} WINBINDD_PW;
+
+
+typedef struct winbindd_gr {
+ fstring gr_name;
+ fstring gr_passwd;
+ gid_t gr_gid;
+ int num_gr_mem;
+ int gr_mem_ofs; /* offset to group membership */
+ char **gr_mem;
+} WINBINDD_GR;
+
+
#define WBFLAG_PAM_INFO3_NDR 0x0001
#define WBFLAG_PAM_INFO3_TEXT 0x0002
#define WBFLAG_PAM_NTKEY 0x0004
@@ -160,6 +191,10 @@ struct winbindd_request {
fstring name;
} name;
uint32 num_entries; /* getpwent, getgrent */
+ struct {
+ fstring username;
+ fstring groupname;
+ } acct_mgt;
} data;
char null_term;
};
@@ -189,25 +224,11 @@ struct winbindd_response {
/* getpwnam, getpwuid */
- struct winbindd_pw {
- fstring pw_name;
- fstring pw_passwd;
- uid_t pw_uid;
- gid_t pw_gid;
- fstring pw_gecos;
- fstring pw_dir;
- fstring pw_shell;
- } pw;
+ struct winbindd_pw pw;
/* getgrnam, getgrgid */
- struct winbindd_gr {
- fstring gr_name;
- fstring gr_passwd;
- gid_t gr_gid;
- int num_gr_mem;
- int gr_mem_ofs; /* offset to group membership */
- } gr;
+ struct winbindd_gr gr;
uint32 num_entries; /* getpwent, getgrent */
struct winbindd_sid {
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 6aaf3bc715..8df0f621c0 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -142,8 +142,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
/* Parse domain and username */
- if (!parse_domain_user(state->request.data.auth.user, name_domain,
- name_user)) {
+ parse_domain_user(state->request.data.auth.user, name_domain, name_user);
+ if ( !name_domain ) {
DEBUG(5,("no domain separator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user));
result = NT_STATUS_INVALID_PARAMETER;
goto done;
@@ -444,8 +444,8 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
if (state == NULL)
return WINBINDD_ERROR;
- if (!parse_domain_user(state->request.data.chauthtok.user, domain,
- user)) {
+ parse_domain_user(state->request.data.chauthtok.user, domain, user);
+ if ( !*domain ) {
result = NT_STATUS_INVALID_PARAMETER;
goto done;
}
diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c
deleted file mode 100644
index 456b1afeab..0000000000
--- a/source3/nsswitch/winbindd_passdb.c
+++ /dev/null
@@ -1,360 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- Winbind rpc backend functions
-
- Copyright (C) Tim Potter 2000-2001,2003
- Copyright (C) Simo Sorce 2003
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "winbindd.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_WINBIND
-
-
-/* Query display info for a domain. This returns enough information plus a
- bit extra to give an overview of domain users for the User Manager
- application. */
-static NTSTATUS query_user_list(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- uint32 *num_entries,
- WINBIND_USERINFO **info)
-{
- SAM_ACCOUNT *sam_account = NULL;
- NTSTATUS result;
- uint32 i;
-
- DEBUG(3,("pdb: query_user_list\n"));
-
- if (!NT_STATUS_IS_OK(result = pdb_init_sam(&sam_account))) {
- return result;
- }
-
- i = 0;
- *info = NULL;
-
- if (pdb_setsampwent(False)) {
-
- while (pdb_getsampwent(sam_account)) {
-
- /* we return only nua accounts, or we will have duplicates */
- if (!idmap_check_sid_is_in_free_range(pdb_get_user_sid(sam_account))) {
- continue;
- }
-
- *info = talloc_realloc(mem_ctx, *info, (i + 1) * sizeof(WINBIND_USERINFO));
- if (!(*info)) {
- DEBUG(0,("query_user_list: out of memory!\n"));
- result = NT_STATUS_NO_MEMORY;
- break;
- }
-
- (*info)[i].user_sid = talloc(mem_ctx, sizeof(DOM_SID));
- (*info)[i].group_sid = talloc(mem_ctx, sizeof(DOM_SID));
- if (!((*info)[i].user_sid) || !((*info)[i].group_sid)) {
- DEBUG(0,("query_user_list: out of memory!\n"));
- result = NT_STATUS_NO_MEMORY;
- break;
- }
- sid_copy((*info)[i].user_sid, pdb_get_user_sid(sam_account));
- sid_copy((*info)[i].group_sid, pdb_get_group_sid(sam_account));
-
- (*info)[i].acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
- (*info)[i].full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account));
- if (!((*info)[i].acct_name) || !((*info)[i].full_name)) {
- DEBUG(0,("query_user_list: out of memory!\n"));
- result = NT_STATUS_NO_MEMORY;
- break;
- }
-
- i++;
-
- if (!NT_STATUS_IS_OK(pdb_reset_sam(sam_account))) {
- result = NT_STATUS_UNSUCCESSFUL;
- break;
- }
- }
-
- *num_entries = i;
- result = NT_STATUS_OK;
-
- } else {
- result = NT_STATUS_UNSUCCESSFUL;
- }
-
- pdb_free_sam(&sam_account);
- return result;
-}
-
-/* list all domain groups */
-static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- uint32 *num_entries,
- struct acct_info **info)
-{
- NTSTATUS result = NT_STATUS_OK;
-
- DEBUG(3,("pdb: enum_dom_groups (group support not implemented)\n"));
-
- *num_entries = 0;
- *info = 0;
-
- return result;
-}
-
-/* List all domain groups */
-
-static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- uint32 *num_entries,
- struct acct_info **info)
-{
- NTSTATUS result = NT_STATUS_OK;
-
- DEBUG(3,("pdb: enum_local_groups (group support not implemented)\n"));
-
- *num_entries = 0;
- *info = 0;
-
- return result;
-}
-
-/* convert a single name to a sid in a domain */
-static NTSTATUS name_to_sid(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- const char *name,
- DOM_SID *sid,
- enum SID_NAME_USE *type)
-{
- SAM_ACCOUNT *sam_account = NULL;
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-
- DEBUG(3,("pdb: name_to_sid name=%s (group support not implemented)\n", name));
-
- if (NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
- if (!pdb_getsampwnam(sam_account, name)) {
- result = NT_STATUS_UNSUCCESSFUL;
- } else { /* it is a sam user */
- sid_copy(sid, pdb_get_user_sid(sam_account));
- *type = SID_NAME_USER;
- result = NT_STATUS_OK;
- }
- }
-
- pdb_free_sam(&sam_account);
- return result;
-}
-
-/*
- convert a domain SID to a user or group name
-*/
-static NTSTATUS sid_to_name(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- DOM_SID *sid,
- char **name,
- enum SID_NAME_USE *type)
-{
- SAM_ACCOUNT *sam_account = NULL;
- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- uint32 id;
-
- DEBUG(3,("pdb: sid_to_name sid=%s\n", sid_string_static(sid)));
-
- if (NT_STATUS_IS_OK(idmap_sid_to_uid(sid, &id, 0))) { /* this is a user */
-
- if (!NT_STATUS_IS_OK(result = pdb_init_sam(&sam_account))) {
- return result;
- }
-
- if (!pdb_getsampwsid(sam_account, sid)) {
- pdb_free_sam(&sam_account);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
- if (!(*name)) {
- DEBUG(0,("query_user: out of memory!\n"));
- pdb_free_sam(&sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
- pdb_free_sam(&sam_account);
- *type = SID_NAME_USER;
- result = NT_STATUS_OK;
-
- } else if (NT_STATUS_IS_OK(idmap_sid_to_gid(sid, &id, 0))) { /* this is a group */
-
- DEBUG(3,("pdb: sid_to_name: group support not implemented\n"));
- result = NT_STATUS_UNSUCCESSFUL;
- }
-
- return result;
-}
-
-/* Lookup user information from a rid or username. */
-static NTSTATUS query_user(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- DOM_SID *user_sid,
- WINBIND_USERINFO *user_info)
-{
- SAM_ACCOUNT *sam_account = NULL;
- NTSTATUS result;
-
- DEBUG(3,("pdb: query_user sid=%s\n", sid_string_static(user_sid)));
-
- if (!NT_STATUS_IS_OK(result = pdb_init_sam(&sam_account))) {
- return result;
- }
-
- if (!pdb_getsampwsid(sam_account, user_sid)) {
- pdb_free_sam(&sam_account);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- /* we return only nua accounts, or we will have duplicates */
- if (!idmap_check_sid_is_in_free_range(user_sid)) {
- pdb_free_sam(&sam_account);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- user_info->user_sid = talloc(mem_ctx, sizeof(DOM_SID));
- user_info->group_sid = talloc(mem_ctx, sizeof(DOM_SID));
- if (!(user_info->user_sid) || !(user_info->group_sid)) {
- DEBUG(0,("query_user: out of memory!\n"));
- pdb_free_sam(&sam_account);
- return NT_STATUS_NO_MEMORY;
- }
- sid_copy(user_info->user_sid, pdb_get_user_sid(sam_account));
- sid_copy(user_info->group_sid, pdb_get_group_sid(sam_account));
-
- user_info->acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
- user_info->full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account));
- if (!(user_info->acct_name) || !(user_info->full_name)) {
- DEBUG(0,("query_user: out of memory!\n"));
- pdb_free_sam(&sam_account);
- return NT_STATUS_NO_MEMORY;
- }
-
- pdb_free_sam(&sam_account);
- return NT_STATUS_OK;
-}
-
-/* Lookup groups a user is a member of. I wish Unix had a call like this! */
-static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- DOM_SID *user_sid,
- uint32 *num_groups, DOM_SID ***user_gids)
-{
- NTSTATUS result = NT_STATUS_OK;
-
- DEBUG(3,("pdb: lookup_usergroups (group support not implemented)\n"));
-
- num_groups = 0;
- user_gids = 0;
-
- return result;
-}
-
-
-/* Lookup group membership given a rid. */
-static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- DOM_SID *group_sid, uint32 *num_names,
- DOM_SID ***sid_mem, char ***names,
- uint32 **name_types)
-{
- NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED;
-
- DEBUG(3,("pdb: lookup_groupmem (group support not implemented)\n"));
-
- num_names = 0;
- sid_mem = 0;
- names = 0;
- name_types = 0;
-
- return result;
-}
-
-/* find the sequence number for a domain */
-static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
-{
- /* FIXME: we fake up the seq_num untill our passdb support it */
- static uint32 seq_num;
-
- DEBUG(3,("pdb: sequence_number\n"));
-
- *seq = seq_num++;
-
- return NT_STATUS_OK;
-}
-
-/* get a list of trusted domains */
-static NTSTATUS trusted_domains(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- uint32 *num_domains,
- char ***names,
- char ***alt_names,
- DOM_SID **dom_sids)
-{
- NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED;
-
- DEBUG(3,("pdb: trusted_domains (todo!)\n"));
-
- return result;
-}
-
-/* find the domain sid for a domain */
-static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid)
-{
- DEBUG(3,("pdb: domain_sid\n"));
-
- if (strcmp(domain->name, lp_workgroup())) {
- return NT_STATUS_INVALID_PARAMETER;
- } else {
- sid_copy(sid, get_global_sam_sid());
- return NT_STATUS_OK;
- }
-}
-
-/* find alternate names list for the domain
- * should we look for netbios aliases??
- SSS */
-static NTSTATUS alternate_name(struct winbindd_domain *domain)
-{
- DEBUG(3,("pdb: alternate_name\n"));
-
- return NT_STATUS_OK;
-}
-
-
-/* the rpc backend methods are exposed via this structure */
-struct winbindd_methods passdb_methods = {
- False,
- query_user_list,
- enum_dom_groups,
- enum_local_groups,
- name_to_sid,
- sid_to_name,
- query_user,
- lookup_usergroups,
- lookup_groupmem,
- sequence_number,
- trusted_domains,
- domain_sid,
- alternate_name
-};
diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c
index 37d9245075..7c95ba8470 100644
--- a/source3/nsswitch/winbindd_user.c
+++ b/source3/nsswitch/winbindd_user.c
@@ -97,6 +97,7 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name,
enum winbindd_result winbindd_getpwnam(struct winbindd_cli_state *state)
{
WINBIND_USERINFO user_info;
+ WINBINDD_PW *pw;
DOM_SID user_sid;
NTSTATUS status;
fstring name_domain, name_user;
@@ -112,16 +113,25 @@ enum winbindd_result winbindd_getpwnam(struct winbindd_cli_state *state)
/* Parse domain and username */
- if (!parse_domain_user(state->request.data.username, name_domain,
- name_user))
- return WINBINDD_ERROR;
+ parse_domain_user(state->request.data.username,
+ name_domain, name_user);
+
+ /* if this is our local domain (or no domain), the do a local tdb search */
- /* don't handle our own domain if we are a DC ( or a member of a Samba domain
- that shares UNIX accounts). This code handles cases where
- the account doesn't exist anywhere and gets passed on down the NSS layer */
+ if ( !*name_domain || strequal(name_domain, get_global_sam_name()) ) {
+ if ( !(pw = wb_getpwnam(name_user)) ) {
+ DEBUG(5,("winbindd_getpwnam: lookup for %s\\%s failed\n",
+ name_domain, name_user));
+ return WINBINDD_ERROR;
+ }
+ memcpy( &state->response.data.pw, pw, sizeof(WINBINDD_PW) );
+ return WINBINDD_OK;
+ }
- if ( (IS_DC || lp_winbind_trusted_domains_only()) && strequal(name_domain, lp_workgroup()) ) {
- DEBUG(7,("winbindd_getpwnam: rejecting getpwnam() for %s\\%s since I am on the PDC for this domain\n",
+ /* should we deal with users for our domain? */
+
+ if ( lp_winbind_trusted_domains_only() && strequal(name_domain, lp_workgroup())) {
+ DEBUG(7,("winbindd_getpenam: My domain -- rejecting getpwnam() for %s\\%s.\n",
name_domain, name_user));
return WINBINDD_ERROR;
}
@@ -184,6 +194,7 @@ enum winbindd_result winbindd_getpwuid(struct winbindd_cli_state *state)
{
DOM_SID user_sid;
struct winbindd_domain *domain;
+ WINBINDD_PW *pw;
fstring dom_name;
fstring user_name;
enum SID_NAME_USE name_type;
@@ -200,6 +211,13 @@ enum winbindd_result winbindd_getpwuid(struct winbindd_cli_state *state)
DEBUG(3, ("[%5d]: getpwuid %d\n", state->pid,
state->request.data.uid));
+
+ /* always try local tdb first */
+
+ if ( (pw = wb_getpwuid(state->request.data.uid)) != NULL ) {
+ memcpy( &state->response.data.pw, pw, sizeof(WINBINDD_PW) );
+ return WINBINDD_OK;
+ }
/* Get rid from uid */
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 28da415b9c..1f123e896f 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -415,18 +415,22 @@ BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
{
char *p = strchr(domuser,*lp_winbind_separator());
- if (!(p || lp_winbind_use_default_domain()))
- return False;
-
- if(!p && lp_winbind_use_default_domain()) {
+ if ( !p ) {
fstrcpy(user, domuser);
- fstrcpy(domain, lp_workgroup());
- } else {
+
+ if ( lp_winbind_use_default_domain() )
+ fstrcpy(domain, lp_workgroup());
+ else
+ fstrcpy( domain, "" );
+ }
+ else {
fstrcpy(user, p+1);
fstrcpy(domain, domuser);
domain[PTR_DIFF(p, domuser)] = 0;
}
+
strupper_m(domain);
+
return True;
}
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index e7adce7193..9194274a61 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -165,9 +165,11 @@ typedef struct
char *szIdmapGID;
BOOL bEnableRidAlgorithm;
int AlgorithmicRidBase;
+ char *szTemplatePrimaryGroup;
char *szTemplateHomedir;
char *szTemplateShell;
char *szWinbindSeparator;
+ BOOL bWinbindEnableLocalAccounts;
BOOL bWinbindEnumUsers;
BOOL bWinbindEnumGroups;
BOOL bWinbindUseDefaultDomain;
@@ -1123,10 +1125,12 @@ static struct parm_struct parm_table[] = {
{"winbind uid", P_STRING, P_GLOBAL, &Globals.szIdmapUID, handle_idmap_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER },
{"idmap gid", P_STRING, P_GLOBAL, &Globals.szIdmapGID, handle_idmap_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"winbind gid", P_STRING, P_GLOBAL, &Globals.szIdmapGID, handle_idmap_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER },
+ {"template primary group", P_STRING, P_GLOBAL, &Globals.szTemplatePrimaryGroup, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"template homedir", P_STRING, P_GLOBAL, &Globals.szTemplateHomedir, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"template shell", P_STRING, P_GLOBAL, &Globals.szTemplateShell, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"winbind separator", P_STRING, P_GLOBAL, &Globals.szWinbindSeparator, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"winbind cache time", P_INTEGER, P_GLOBAL, &Globals.winbind_cache_time, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"winbind enable local accounts", P_BOOL, P_GLOBAL, &Globals.bWinbindEnableLocalAccounts, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"winbind enum users", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumUsers, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"winbind enum groups", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumGroups, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"winbind use default domain", P_BOOL, P_GLOBAL, &Globals.bWinbindUseDefaultDomain, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
@@ -1465,10 +1469,12 @@ static void init_globals(void)
string_set(&Globals.szTemplateShell, "/bin/false");
string_set(&Globals.szTemplateHomedir, "/home/%D/%U");
+ string_set(&Globals.szTemplatePrimaryGroup, "nobody");
string_set(&Globals.szWinbindSeparator, "\\");
string_set(&Globals.szAclCompat, "");
Globals.winbind_cache_time = 300; /* 5 minutes */
+ Globals.bWinbindEnableLocalAccounts = True;
Globals.bWinbindEnumUsers = True;
Globals.bWinbindEnumGroups = True;
Globals.bWinbindUseDefaultDomain = False;
@@ -1632,10 +1638,12 @@ FN_GLOBAL_STRING(lp_abort_shutdown_script, &Globals.szAbortShutdownScript)
FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook)
FN_GLOBAL_STRING(lp_wins_partners, &Globals.szWINSPartners)
+FN_GLOBAL_STRING(lp_template_primary_group, &Globals.szTemplatePrimaryGroup)
FN_GLOBAL_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
FN_GLOBAL_STRING(lp_template_shell, &Globals.szTemplateShell)
FN_GLOBAL_CONST_STRING(lp_winbind_separator, &Globals.szWinbindSeparator)
FN_GLOBAL_STRING(lp_acl_compatibility, &Globals.szAclCompat)
+FN_GLOBAL_BOOL(lp_winbind_enable_local_accounts, &Globals.bWinbindEnableLocalAccounts)
FN_GLOBAL_BOOL(lp_winbind_enum_users, &Globals.bWinbindEnumUsers)
FN_GLOBAL_BOOL(lp_winbind_enum_groups, &Globals.bWinbindEnumGroups)
FN_GLOBAL_BOOL(lp_winbind_use_default_domain, &Globals.bWinbindUseDefaultDomain)
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index e43cf4f759..dfa3a8b62e 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -2259,17 +2259,13 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_
*/
DEBUG(10,("checking account %s at pos %d for $ termination\n",account, strlen(account)-1));
-#if 0
- if ((acb_info & ACB_WSTRUST) && (account[strlen(account)-1] == '$')) {
- pstrcpy(add_script, lp_addmachine_script());
- } else if ((!(acb_info & ACB_WSTRUST)) && (account[strlen(account)-1] != '$')) {
- pstrcpy(add_script, lp_adduser_script());
- } else {
- DEBUG(0, ("_api_samr_create_user: mismatch between trust flags and $ termination\n"));
- pdb_free_sam(&sam_pass);
- return NT_STATUS_UNSUCCESSFUL;
- }
-#endif
+
+ /*
+ * we used to have code here that made sure the acb_info flags
+ * matched with the users named (e.g. an account flags as a machine
+ * trust account ended in '$'). It has been ifdef'd out for a long
+ * time, so I replaced it with this comment. --jerry
+ */
/* the passdb lookup has failed; check to see if we need to run the
add user/machine script */
@@ -2295,11 +2291,17 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_
add_ret = smbrun(add_script,NULL);
DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret));
}
+ else /* no add user script -- ask winbindd to do it */
+ {
+ if ( !winbind_create_user( account ) )
+ DEBUG(3,("_api_samr_create_user: winbind_create_user(%s) failed\n", account));
+ }
}
- nt_status = pdb_init_sam_new(&sam_pass, account);
- if (!NT_STATUS_IS_OK(nt_status))
+ /* implicit call to getpwnam() next */
+
+ if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account)) )
return nt_status;
pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
diff --git a/source3/sam/idmap.c b/source3/sam/idmap.c
index a8c47ab9ae..1db89eba24 100644
--- a/source3/sam/idmap.c
+++ b/source3/sam/idmap.c
@@ -252,6 +252,21 @@ NTSTATUS idmap_get_sid_from_id(DOM_SID *sid, unid_t id, int id_type)
}
/**************************************************************************
+ Get ID from SID. This can create a mapping for a SID to a POSIX id.
+**************************************************************************/
+
+NTSTATUS idmap_allocate_id(unid_t *id, int id_type)
+{
+ /* we have to allocate from the authoritative backend */
+
+ if ( remote_map )
+ return remote_map->allocate_id( id, id_type );
+
+ return cache_map->allocate_id( id, id_type );
+}
+
+
+/**************************************************************************
Shutdown maps.
**************************************************************************/
diff --git a/source3/sam/idmap_ldap.c b/source3/sam/idmap_ldap.c
index d0010d8cd9..2901b1fc49 100644
--- a/source3/sam/idmap_ldap.c
+++ b/source3/sam/idmap_ldap.c
@@ -675,6 +675,7 @@ static void ldap_idmap_status(void)
static struct idmap_methods ldap_methods = {
ldap_idmap_init,
+ ldap_allocate_id,
ldap_get_sid_from_id,
ldap_get_id_from_sid,
ldap_set_mapping,
diff --git a/source3/sam/idmap_tdb.c b/source3/sam/idmap_tdb.c
index 18a082cb84..4643b7db59 100644
--- a/source3/sam/idmap_tdb.c
+++ b/source3/sam/idmap_tdb.c
@@ -45,6 +45,20 @@ static struct idmap_state {
gid_t gid_low, gid_high; /* Range of gids to allocate */
} idmap_state;
+/**********************************************************************
+ Return the TDB_CONTEXT* for winbindd_idmap. I **really** feel
+ dirty doing this, but not so dirty that I want to create another
+ tdb
+***********************************************************************/
+
+TDB_CONTEXT *idmap_tdb_handle( void )
+{
+ if ( idmap_tdb )
+ return idmap_tdb;
+
+ return NULL;
+}
+
/* Allocate either a user or group id from the pool */
static NTSTATUS db_allocate_id(unid_t *id, int id_type)
{
@@ -111,7 +125,7 @@ static NTSTATUS db_allocate_id(unid_t *id, int id_type)
}
(*id).gid = hwm;
- DEBUG(10,("db_allocate_id: ID_GROUPID (*id).uid = %d\n", (unsigned int)hwm));
+ DEBUG(10,("db_allocate_id: ID_GROUPID (*id).gid = %d\n", (unsigned int)hwm));
break;
default:
@@ -595,6 +609,7 @@ static void db_idmap_status(void)
static struct idmap_methods db_methods = {
db_idmap_init,
+ db_allocate_id,
db_get_sid_from_id,
db_get_id_from_sid,
db_set_mapping,
diff --git a/source3/script/mkproto.awk b/source3/script/mkproto.awk
index 194a373caa..e91b42a73a 100644
--- a/source3/script/mkproto.awk
+++ b/source3/script/mkproto.awk
@@ -146,6 +146,10 @@ END {
gotstart = 1;
}
+ if( $0 ~ /^WINBINDD_PW|^WINBINDD_GR/ ) {
+ gotstart = 1;
+ }
+
if(!gotstart) {
next;
}
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index 6ca2aa336d..8d8ce136a9 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -809,17 +809,28 @@ NTSTATUS sid_to_uid(const DOM_SID *psid, uid_t *puid)
if (fetch_uid_from_cache(puid, psid))
return NT_STATUS_OK;
- /*
- * First we must look up the name and decide if this is a user sid.
- */
+ /* if this is our DIS then go straight to a local lookup */
+
+ if ( sid_compare_domain(get_global_sam_sid(), psid) == 0 ) {
+ DEBUG(10,("sid_to_uid: my domain (%s) - trying local.\n",
+ sid_string_static(psid) ));
+
+ if ( (ret = local_sid_to_uid(puid, psid, &name_type)) == True )
+ store_uid_sid_cache(psid, *puid);
+
+ return (ret ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL);
+ }
+
+
+ /* look up the name and decide if this is a user sid */
if ( (!winbind_lookup_sid(psid, dom_name, name, &name_type)) || (name_type != SID_NAME_USER) ) {
DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed - trying local.\n",
- sid_to_string(sid_str, psid) ));
+ sid_string_static(psid) ));
- ret = local_sid_to_uid(puid, psid, &name_type);
- if (ret)
+ if ( (ret = local_sid_to_uid(puid, psid, &name_type)) == True )
store_uid_sid_cache(psid, *puid);
+
return (ret ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL);
}
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index 2831645550..4b31c061f3 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -441,10 +441,17 @@ fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta)
add_ret = smbrun(add_script,NULL);
DEBUG(1,("fetch_account: Running the command `%s' "
"gave %d\n", add_script, add_ret));
-
- /* try and find the possible unix account again */
- passwd = Get_Pwnam(account);
}
+ else {
+ DEBUG(8,("fetch_account_info: no add user/machine script. Asking winbindd\n"));
+ if ( !winbind_create_user( account ) )
+ DEBUG(4,("fetch_account_info: winbind_create_user() failed\n"));
+ }
+
+ /* try and find the possible unix account again */
+ if ( !(passwd = Get_Pwnam(account)) )
+ return NT_STATUS_NO_SUCH_USER;
+
}
sid_copy(&user_sid, get_global_sam_sid());
@@ -912,7 +919,7 @@ fetch_sam_entry(SAM_DELTA_HDR *hdr_delta, SAM_DELTA_CTR *delta,
&delta->als_mem_info, dom_sid);
break;
case SAM_DELTA_DOMAIN_INFO:
- d_printf("SAMBA_DELTA_DOMAIN_INFO not handled\n");
+ d_printf("SAM_DELTA_DOMAIN_INFO not handled\n");
break;
default:
d_printf("Unknown delta record type %d\n", hdr_delta->type);