summaryrefslogtreecommitdiff
path: root/source3/winbindd
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2008-05-30 23:49:36 -0700
committerJeremy Allison <jra@samba.org>2008-05-30 23:49:36 -0700
commit346dbc62b826dd126d147107396154c31919da1b (patch)
tree70821f474353fb2716e0f47c56ad90245f477310 /source3/winbindd
parent70b37891f9f3f065254c61ec6c5741592d0b3735 (diff)
downloadsamba-346dbc62b826dd126d147107396154c31919da1b.tar.gz
samba-346dbc62b826dd126d147107396154c31919da1b.tar.bz2
samba-346dbc62b826dd126d147107396154c31919da1b.zip
Split the winbindd_passdb backend into a 'builtin' and a 'sam'
backend. This allows winbindd when running on a Samba PDC to correctly answer wbinfo -u lists and other queries. Jeremy. (This used to be commit e61ad0c1586733ae1d3518ce56d95094d1ac5ef9)
Diffstat (limited to 'source3/winbindd')
-rw-r--r--source3/winbindd/winbindd_cache.c6
-rw-r--r--source3/winbindd/winbindd_ndr.c9
-rw-r--r--source3/winbindd/winbindd_passdb.c441
-rw-r--r--source3/winbindd/winbindd_util.c8
4 files changed, 349 insertions, 115 deletions
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index f0ff0294f3..60403717c1 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -8,7 +8,7 @@
Copyright (C) Volker Lendecke 2005
Copyright (C) Guenther Deschner 2005
Copyright (C) Michael Adam 2007
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
@@ -37,7 +37,7 @@ extern bool opt_nocache;
#ifdef HAVE_ADS
extern struct winbindd_methods ads_methods;
#endif
-extern struct winbindd_methods passdb_methods;
+extern struct winbindd_methods builtin_passdb_methods;
/*
* JRA. KEEP THIS LIST UP TO DATE IF YOU ADD CACHE ENTRIES.
@@ -137,7 +137,7 @@ static struct winbind_cache *get_cache(struct winbindd_domain *domain)
/* We have to know what type of domain we are dealing with first. */
if (domain->internal) {
- domain->backend = &passdb_methods;
+ domain->backend = &builtin_passdb_methods;
domain->initialized = True;
}
if ( !domain->initialized ) {
diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c
index 9d1502afa7..3e3ca3225c 100644
--- a/source3/winbindd/winbindd_ndr.c
+++ b/source3/winbindd/winbindd_ndr.c
@@ -74,7 +74,8 @@ void ndr_print_winbindd_cm_conn(struct ndr_print *ndr,
extern struct winbindd_methods ads_methods;
#endif
extern struct winbindd_methods msrpc_methods;
-extern struct winbindd_methods passdb_methods;
+extern struct winbindd_methods builtin_passdb_methods;
+extern struct winbindd_methods sam_passdb_methods;
extern struct winbindd_methods reconnect_methods;
extern struct winbindd_methods cache_methods;
@@ -97,8 +98,10 @@ void ndr_print_winbindd_methods(struct ndr_print *ndr,
} else if (r == &ads_methods) {
ndr_print_string(ndr, name, "ads_methods");
#endif
- } else if (r == &passdb_methods) {
- ndr_print_string(ndr, name, "passdb_methods");
+ } else if (r == &builtin_passdb_methods) {
+ ndr_print_string(ndr, name, "builtin_passdb_methods");
+ } else if (r == &sam_passdb_methods) {
+ ndr_print_string(ndr, name, "sam_passdb_methods");
} else if (r == &reconnect_methods) {
ndr_print_string(ndr, name, "reconnect_methods");
} else if (r == &cache_methods) {
diff --git a/source3/winbindd/winbindd_passdb.c b/source3/winbindd/winbindd_passdb.c
index 7c1d7bd71b..8b2016c031 100644
--- a/source3/winbindd/winbindd_passdb.c
+++ b/source3/winbindd/winbindd_passdb.c
@@ -6,6 +6,7 @@
Copyright (C) Tim Potter 2000-2001,2003
Copyright (C) Simo Sorce 2003
Copyright (C) Volker Lendecke 2004
+ Copyright (C) Jeremy Allison 2008
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -27,20 +28,6 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
-/* Query display info for a domain. This returns enough information plus a
- bit extra to give an overview of domain users for the User Manager
- application. */
-static NTSTATUS query_user_list(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- uint32 *num_entries,
- WINBIND_USERINFO **info)
-{
- /* We don't have users */
- *num_entries = 0;
- *info = NULL;
- return NT_STATUS_OK;
-}
-
/* list all domain groups */
static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
@@ -167,16 +154,75 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
char ***names,
enum lsa_SidType **types)
{
- return NT_STATUS_UNSUCCESSFUL;
-}
+ size_t i;
+ bool have_mapped;
+ bool have_unmapped;
-/* Lookup user information from a rid or username. */
-static NTSTATUS query_user(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- const DOM_SID *user_sid,
- WINBIND_USERINFO *user_info)
-{
- return NT_STATUS_NO_SUCH_USER;
+ *domain_name = NULL;
+ *names = NULL;
+ *types = NULL;
+
+ if (!num_rids) {
+ return NT_STATUS_OK;
+ }
+
+ /* Paranoia check */
+ if (!sid_check_is_in_builtin(sid) &&
+ !sid_check_is_in_our_domain(sid) &&
+ !sid_check_is_in_unix_users(sid) &&
+ !sid_check_is_unix_users(sid) &&
+ !sid_check_is_in_unix_groups(sid) &&
+ !sid_check_is_unix_groups(sid) &&
+ !sid_check_is_in_wellknown_domain(sid))
+ {
+ DEBUG(0, ("Possible deadlock: Trying to lookup SID %s with "
+ "passdb backend\n", sid_string_dbg(sid)));
+ return NT_STATUS_NONE_MAPPED;
+ }
+
+ *names = TALLOC_ARRAY(mem_ctx, char *, num_rids);
+ *types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids);
+
+ if ((*names == NULL) || (*types == NULL)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ have_mapped = have_unmapped = false;
+
+ for (i=0; i<num_rids; i++) {
+ DOM_SID lsid;
+ const char *dom = NULL, *nam = NULL;
+ enum lsa_SidType type = SID_NAME_UNKNOWN;
+
+ if (!sid_compose(&lsid, sid, rids[i])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (!lookup_sid(mem_ctx, &lsid, &dom, &nam, &type)) {
+ have_unmapped = true;
+ (*types)[i] = SID_NAME_UNKNOWN;
+ (*names)[i] = talloc_strdup(mem_ctx, "");
+ } else {
+ have_mapped = true;
+ (*types)[i] = type;
+ (*names)[i] = CONST_DISCARD(char *, nam);
+ }
+
+ if (domain_name == NULL) {
+ *domain_name = CONST_DISCARD(char *, dom);
+ } else {
+ char *dname = CONST_DISCARD(char *, dom);
+ TALLOC_FREE(dname);
+ }
+ }
+
+ if (!have_mapped) {
+ return NT_STATUS_NONE_MAPPED;
+ }
+ if (!have_unmapped) {
+ return NT_STATUS_OK;
+ }
+ return STATUS_SOME_UNMAPPED;
}
/* Lookup groups a user is a member of. I wish Unix had a call like this! */
@@ -224,8 +270,247 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
return result;
}
+/* find the sequence number for a domain */
+static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
+{
+ bool result;
+ time_t seq_num;
+
+ result = pdb_get_seq_num(&seq_num);
+ if (!result) {
+ *seq = 1;
+ }
+
+ *seq = (int) seq_num;
+ /* *seq = 1; */
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS lockout_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo12 *policy)
+{
+ /* actually we have that */
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS password_policy(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ struct samr_DomInfo1 *policy)
+{
+ uint32 min_pass_len,pass_hist,password_properties;
+ time_t u_expire, u_min_age;
+ NTTIME nt_expire, nt_min_age;
+ uint32 account_policy_temp;
+
+ if ((policy = TALLOC_ZERO_P(mem_ctx, struct samr_DomInfo1)) == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ min_pass_len = account_policy_temp;
+
+ if (!pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ pass_hist = account_policy_temp;
+
+ if (!pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ password_properties = account_policy_temp;
+
+ if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ u_expire = account_policy_temp;
+
+ if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ u_min_age = account_policy_temp;
+
+ unix_to_nt_time_abs(&nt_expire, u_expire);
+ unix_to_nt_time_abs(&nt_min_age, u_min_age);
+
+ init_samr_DomInfo1(policy,
+ (uint16)min_pass_len,
+ (uint16)pass_hist,
+ password_properties,
+ nt_expire,
+ nt_min_age);
+
+ return NT_STATUS_OK;
+}
+
+/*********************************************************************
+ BUILTIN specific functions.
+*********************************************************************/
+
+/* Query display info for a domain. This returns enough information plus a
+ bit extra to give an overview of domain users for the User Manager
+ application. */
+static NTSTATUS builtin_query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ WINBIND_USERINFO **info)
+{
+ /* We don't have users */
+ *num_entries = 0;
+ *info = NULL;
+ return NT_STATUS_OK;
+}
+
+/* Lookup user information from a rid or username. */
+static NTSTATUS builtin_query_user(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const DOM_SID *user_sid,
+ WINBIND_USERINFO *user_info)
+{
+ return NT_STATUS_NO_SUCH_USER;
+}
+
+static NTSTATUS builtin_lookup_groupmem(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const DOM_SID *group_sid, uint32 *num_names,
+ DOM_SID **sid_mem, char ***names,
+ uint32 **name_types)
+{
+ *num_names = 0;
+ *sid_mem = NULL;
+ *names = NULL;
+ *name_types = 0;
+ return NT_STATUS_NO_SUCH_GROUP;
+}
+
+/* get a list of trusted domains - builtin domain */
+static NTSTATUS builtin_trusted_domains(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_domains,
+ char ***names,
+ char ***alt_names,
+ DOM_SID **dom_sids)
+{
+ *num_domains = 0;
+ *names = NULL;
+ *alt_names = NULL;
+ *dom_sids = NULL;
+ return NT_STATUS_OK;
+}
+
+/*********************************************************************
+ SAM specific functions.
+*********************************************************************/
+
+static NTSTATUS sam_query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ WINBIND_USERINFO **info)
+{
+ struct pdb_search *ps = pdb_search_users(ACB_NORMAL);
+ struct samr_displayentry *entries = NULL;
+ uint32 i;
+
+ *num_entries = 0;
+ *info = NULL;
+
+ if (!ps) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *num_entries = pdb_search_entries(ps,
+ 1, 0xffffffff,
+ &entries);
+
+ *info = TALLOC_ZERO_ARRAY(mem_ctx, WINBIND_USERINFO, *num_entries);
+ if (!(*info)) {
+ pdb_search_destroy(ps);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < *num_entries; i++) {
+ struct samr_displayentry *e = &entries[i];
+
+ (*info)[i].acct_name = talloc_strdup(mem_ctx, e->account_name );
+ (*info)[i].full_name = talloc_strdup(mem_ctx, e->fullname );
+ (*info)[i].homedir = NULL;
+ (*info)[i].shell = NULL;
+ sid_compose(&(*info)[i].user_sid, &domain->sid, e->rid);
+
+ /* For the moment we set the primary group for
+ every user to be the Domain Users group.
+ There are serious problems with determining
+ the actual primary group for large domains.
+ This should really be made into a 'winbind
+ force group' smb.conf parameter or
+ something like that. */
+
+ sid_compose(&(*info)[i].group_sid, &domain->sid,
+ DOMAIN_GROUP_RID_USERS);
+ }
+
+ pdb_search_destroy(ps);
+ return NT_STATUS_OK;
+}
+
+/* Lookup user information from a rid or username. */
+static NTSTATUS sam_query_user(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const DOM_SID *user_sid,
+ WINBIND_USERINFO *user_info)
+{
+ struct samu *sampass = NULL;
+
+ ZERO_STRUCTP(user_info);
+
+ if (!sid_check_is_in_our_domain(user_sid)) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ DEBUG(10,("sam_query_user: getting samu info for sid %s\n",
+ sid_string_dbg(user_sid) ));
+
+ if (!(sampass = samu_new(mem_ctx))) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_getsampwsid(sampass, user_sid)) {
+ TALLOC_FREE(sampass);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ if (pdb_get_group_sid(sampass) == NULL) {
+ TALLOC_FREE(sampass);
+ return NT_STATUS_NO_SUCH_GROUP;
+ }
+
+ DEBUG(10,("sam_query_user: group sid %s\n",
+ sid_string_dbg(sampass->group_sid) ));
+
+ sid_copy(&user_info->user_sid, user_sid);
+ sid_copy(&user_info->group_sid, sampass->group_sid);
+
+ user_info->acct_name = talloc_strdup(mem_ctx, sampass->username ?
+ sampass->username : "");
+ user_info->full_name = talloc_strdup(mem_ctx, sampass->full_name ?
+ sampass->full_name : "");
+ user_info->homedir = talloc_strdup(mem_ctx, sampass->home_dir ?
+ sampass->home_dir : "");
+ if (sampass->unix_pw && sampass->unix_pw->pw_shell) {
+ user_info->shell = talloc_strdup(mem_ctx, sampass->unix_pw->pw_shell);
+ } else {
+ user_info->shell = talloc_strdup(mem_ctx, "");
+ }
+ user_info->primary_gid = sampass->unix_pw ? sampass->unix_pw->pw_gid : (gid_t)-1;
+
+ TALLOC_FREE(sampass);
+ return NT_STATUS_OK;
+}
+
/* Lookup group membership given a rid. */
-static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+static NTSTATUS sam_lookup_groupmem(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
const DOM_SID *group_sid, uint32 *num_names,
DOM_SID **sid_mem, char ***names,
@@ -320,83 +605,8 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
return NT_STATUS_OK;
}
-/* find the sequence number for a domain */
-static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
-{
- bool result;
- time_t seq_num;
-
- result = pdb_get_seq_num(&seq_num);
- if (!result) {
- *seq = 1;
- }
-
- *seq = (int) seq_num;
- /* *seq = 1; */
- return NT_STATUS_OK;
-}
-
-static NTSTATUS lockout_policy(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- struct samr_DomInfo12 *policy)
-{
- /* actually we have that */
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static NTSTATUS password_policy(struct winbindd_domain *domain,
- TALLOC_CTX *mem_ctx,
- struct samr_DomInfo1 *policy)
-{
- uint32 min_pass_len,pass_hist,password_properties;
- time_t u_expire, u_min_age;
- NTTIME nt_expire, nt_min_age;
- uint32 account_policy_temp;
-
- if ((policy = TALLOC_ZERO_P(mem_ctx, struct samr_DomInfo1)) == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- min_pass_len = account_policy_temp;
-
- if (!pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- pass_hist = account_policy_temp;
-
- if (!pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- password_properties = account_policy_temp;
-
- if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- u_expire = account_policy_temp;
-
- if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- u_min_age = account_policy_temp;
-
- unix_to_nt_time_abs(&nt_expire, u_expire);
- unix_to_nt_time_abs(&nt_min_age, u_min_age);
-
- init_samr_DomInfo1(policy,
- (uint16)min_pass_len,
- (uint16)pass_hist,
- password_properties,
- nt_expire,
- nt_min_age);
-
- return NT_STATUS_OK;
-}
-
/* get a list of trusted domains */
-static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+static NTSTATUS sam_trusted_domains(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
uint32 *num_domains,
char ***names,
@@ -453,20 +663,39 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
}
/* the rpc backend methods are exposed via this structure */
-struct winbindd_methods passdb_methods = {
- False,
- query_user_list,
+struct winbindd_methods builtin_passdb_methods = {
+ false,
+ builtin_query_user_list,
+ enum_dom_groups,
+ enum_local_groups,
+ name_to_sid,
+ sid_to_name,
+ rids_to_names,
+ builtin_query_user,
+ lookup_usergroups,
+ lookup_useraliases,
+ builtin_lookup_groupmem,
+ sequence_number,
+ lockout_policy,
+ password_policy,
+ builtin_trusted_domains,
+};
+
+/* the rpc backend methods are exposed via this structure */
+struct winbindd_methods sam_passdb_methods = {
+ false,
+ sam_query_user_list,
enum_dom_groups,
enum_local_groups,
name_to_sid,
sid_to_name,
rids_to_names,
- query_user,
+ sam_query_user,
lookup_usergroups,
lookup_useraliases,
- lookup_groupmem,
+ sam_lookup_groupmem,
sequence_number,
lockout_policy,
password_policy,
- trusted_domains,
+ sam_trusted_domains,
};
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 9008cf8122..6a96070f42 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -27,7 +27,9 @@
#define DBGC_CLASS DBGC_WINBIND
extern struct winbindd_methods cache_methods;
-extern struct winbindd_methods passdb_methods;
+extern struct winbindd_methods builtin_passdb_methods;
+extern struct winbindd_methods sam_passdb_methods;
+
/**
* @file winbindd_util.c
@@ -695,7 +697,7 @@ bool init_domain_list(void)
/* BUILTIN domain */
- domain = add_trusted_domain("BUILTIN", NULL, &passdb_methods,
+ domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods,
&global_sid_Builtin);
if (domain) {
setup_domain_child(domain,
@@ -705,7 +707,7 @@ bool init_domain_list(void)
/* Local SAM */
domain = add_trusted_domain(get_global_sam_name(), NULL,
- &passdb_methods, get_global_sam_sid());
+ &sam_passdb_methods, get_global_sam_sid());
if (domain) {
if ( role != ROLE_DOMAIN_MEMBER ) {
domain->primary = True;