diff options
author | Jeremy Allison <jra@samba.org> | 2008-05-30 23:49:36 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2008-05-30 23:49:36 -0700 |
commit | 346dbc62b826dd126d147107396154c31919da1b (patch) | |
tree | 70821f474353fb2716e0f47c56ad90245f477310 /source3/winbindd | |
parent | 70b37891f9f3f065254c61ec6c5741592d0b3735 (diff) | |
download | samba-346dbc62b826dd126d147107396154c31919da1b.tar.gz samba-346dbc62b826dd126d147107396154c31919da1b.tar.bz2 samba-346dbc62b826dd126d147107396154c31919da1b.zip |
Split the winbindd_passdb backend into a 'builtin' and a 'sam'
backend. This allows winbindd when running on a Samba PDC to
correctly answer wbinfo -u lists and other queries.
Jeremy.
(This used to be commit e61ad0c1586733ae1d3518ce56d95094d1ac5ef9)
Diffstat (limited to 'source3/winbindd')
-rw-r--r-- | source3/winbindd/winbindd_cache.c | 6 | ||||
-rw-r--r-- | source3/winbindd/winbindd_ndr.c | 9 | ||||
-rw-r--r-- | source3/winbindd/winbindd_passdb.c | 441 | ||||
-rw-r--r-- | source3/winbindd/winbindd_util.c | 8 |
4 files changed, 349 insertions, 115 deletions
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index f0ff0294f3..60403717c1 100644 --- a/source3/winbindd/winbindd_cache.c +++ b/source3/winbindd/winbindd_cache.c @@ -8,7 +8,7 @@ Copyright (C) Volker Lendecke 2005 Copyright (C) Guenther Deschner 2005 Copyright (C) Michael Adam 2007 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or @@ -37,7 +37,7 @@ extern bool opt_nocache; #ifdef HAVE_ADS extern struct winbindd_methods ads_methods; #endif -extern struct winbindd_methods passdb_methods; +extern struct winbindd_methods builtin_passdb_methods; /* * JRA. KEEP THIS LIST UP TO DATE IF YOU ADD CACHE ENTRIES. @@ -137,7 +137,7 @@ static struct winbind_cache *get_cache(struct winbindd_domain *domain) /* We have to know what type of domain we are dealing with first. */ if (domain->internal) { - domain->backend = &passdb_methods; + domain->backend = &builtin_passdb_methods; domain->initialized = True; } if ( !domain->initialized ) { diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c index 9d1502afa7..3e3ca3225c 100644 --- a/source3/winbindd/winbindd_ndr.c +++ b/source3/winbindd/winbindd_ndr.c @@ -74,7 +74,8 @@ void ndr_print_winbindd_cm_conn(struct ndr_print *ndr, extern struct winbindd_methods ads_methods; #endif extern struct winbindd_methods msrpc_methods; -extern struct winbindd_methods passdb_methods; +extern struct winbindd_methods builtin_passdb_methods; +extern struct winbindd_methods sam_passdb_methods; extern struct winbindd_methods reconnect_methods; extern struct winbindd_methods cache_methods; @@ -97,8 +98,10 @@ void ndr_print_winbindd_methods(struct ndr_print *ndr, } else if (r == &ads_methods) { ndr_print_string(ndr, name, "ads_methods"); #endif - } else if (r == &passdb_methods) { - ndr_print_string(ndr, name, "passdb_methods"); + } else if (r == &builtin_passdb_methods) { + ndr_print_string(ndr, name, "builtin_passdb_methods"); + } else if (r == &sam_passdb_methods) { + ndr_print_string(ndr, name, "sam_passdb_methods"); } else if (r == &reconnect_methods) { ndr_print_string(ndr, name, "reconnect_methods"); } else if (r == &cache_methods) { diff --git a/source3/winbindd/winbindd_passdb.c b/source3/winbindd/winbindd_passdb.c index 7c1d7bd71b..8b2016c031 100644 --- a/source3/winbindd/winbindd_passdb.c +++ b/source3/winbindd/winbindd_passdb.c @@ -6,6 +6,7 @@ Copyright (C) Tim Potter 2000-2001,2003 Copyright (C) Simo Sorce 2003 Copyright (C) Volker Lendecke 2004 + Copyright (C) Jeremy Allison 2008 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -27,20 +28,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND -/* Query display info for a domain. This returns enough information plus a - bit extra to give an overview of domain users for the User Manager - application. */ -static NTSTATUS query_user_list(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - uint32 *num_entries, - WINBIND_USERINFO **info) -{ - /* We don't have users */ - *num_entries = 0; - *info = NULL; - return NT_STATUS_OK; -} - /* list all domain groups */ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, @@ -167,16 +154,75 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain, char ***names, enum lsa_SidType **types) { - return NT_STATUS_UNSUCCESSFUL; -} + size_t i; + bool have_mapped; + bool have_unmapped; -/* Lookup user information from a rid or username. */ -static NTSTATUS query_user(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - WINBIND_USERINFO *user_info) -{ - return NT_STATUS_NO_SUCH_USER; + *domain_name = NULL; + *names = NULL; + *types = NULL; + + if (!num_rids) { + return NT_STATUS_OK; + } + + /* Paranoia check */ + if (!sid_check_is_in_builtin(sid) && + !sid_check_is_in_our_domain(sid) && + !sid_check_is_in_unix_users(sid) && + !sid_check_is_unix_users(sid) && + !sid_check_is_in_unix_groups(sid) && + !sid_check_is_unix_groups(sid) && + !sid_check_is_in_wellknown_domain(sid)) + { + DEBUG(0, ("Possible deadlock: Trying to lookup SID %s with " + "passdb backend\n", sid_string_dbg(sid))); + return NT_STATUS_NONE_MAPPED; + } + + *names = TALLOC_ARRAY(mem_ctx, char *, num_rids); + *types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids); + + if ((*names == NULL) || (*types == NULL)) { + return NT_STATUS_NO_MEMORY; + } + + have_mapped = have_unmapped = false; + + for (i=0; i<num_rids; i++) { + DOM_SID lsid; + const char *dom = NULL, *nam = NULL; + enum lsa_SidType type = SID_NAME_UNKNOWN; + + if (!sid_compose(&lsid, sid, rids[i])) { + return NT_STATUS_INTERNAL_ERROR; + } + + if (!lookup_sid(mem_ctx, &lsid, &dom, &nam, &type)) { + have_unmapped = true; + (*types)[i] = SID_NAME_UNKNOWN; + (*names)[i] = talloc_strdup(mem_ctx, ""); + } else { + have_mapped = true; + (*types)[i] = type; + (*names)[i] = CONST_DISCARD(char *, nam); + } + + if (domain_name == NULL) { + *domain_name = CONST_DISCARD(char *, dom); + } else { + char *dname = CONST_DISCARD(char *, dom); + TALLOC_FREE(dname); + } + } + + if (!have_mapped) { + return NT_STATUS_NONE_MAPPED; + } + if (!have_unmapped) { + return NT_STATUS_OK; + } + return STATUS_SOME_UNMAPPED; } /* Lookup groups a user is a member of. I wish Unix had a call like this! */ @@ -224,8 +270,247 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, return result; } +/* find the sequence number for a domain */ +static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) +{ + bool result; + time_t seq_num; + + result = pdb_get_seq_num(&seq_num); + if (!result) { + *seq = 1; + } + + *seq = (int) seq_num; + /* *seq = 1; */ + return NT_STATUS_OK; +} + +static NTSTATUS lockout_policy(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct samr_DomInfo12 *policy) +{ + /* actually we have that */ + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS password_policy(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct samr_DomInfo1 *policy) +{ + uint32 min_pass_len,pass_hist,password_properties; + time_t u_expire, u_min_age; + NTTIME nt_expire, nt_min_age; + uint32 account_policy_temp; + + if ((policy = TALLOC_ZERO_P(mem_ctx, struct samr_DomInfo1)) == NULL) { + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp)) { + return NT_STATUS_ACCESS_DENIED; + } + min_pass_len = account_policy_temp; + + if (!pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp)) { + return NT_STATUS_ACCESS_DENIED; + } + pass_hist = account_policy_temp; + + if (!pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp)) { + return NT_STATUS_ACCESS_DENIED; + } + password_properties = account_policy_temp; + + if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp)) { + return NT_STATUS_ACCESS_DENIED; + } + u_expire = account_policy_temp; + + if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp)) { + return NT_STATUS_ACCESS_DENIED; + } + u_min_age = account_policy_temp; + + unix_to_nt_time_abs(&nt_expire, u_expire); + unix_to_nt_time_abs(&nt_min_age, u_min_age); + + init_samr_DomInfo1(policy, + (uint16)min_pass_len, + (uint16)pass_hist, + password_properties, + nt_expire, + nt_min_age); + + return NT_STATUS_OK; +} + +/********************************************************************* + BUILTIN specific functions. +*********************************************************************/ + +/* Query display info for a domain. This returns enough information plus a + bit extra to give an overview of domain users for the User Manager + application. */ +static NTSTATUS builtin_query_user_list(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *num_entries, + WINBIND_USERINFO **info) +{ + /* We don't have users */ + *num_entries = 0; + *info = NULL; + return NT_STATUS_OK; +} + +/* Lookup user information from a rid or username. */ +static NTSTATUS builtin_query_user(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const DOM_SID *user_sid, + WINBIND_USERINFO *user_info) +{ + return NT_STATUS_NO_SUCH_USER; +} + +static NTSTATUS builtin_lookup_groupmem(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const DOM_SID *group_sid, uint32 *num_names, + DOM_SID **sid_mem, char ***names, + uint32 **name_types) +{ + *num_names = 0; + *sid_mem = NULL; + *names = NULL; + *name_types = 0; + return NT_STATUS_NO_SUCH_GROUP; +} + +/* get a list of trusted domains - builtin domain */ +static NTSTATUS builtin_trusted_domains(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *num_domains, + char ***names, + char ***alt_names, + DOM_SID **dom_sids) +{ + *num_domains = 0; + *names = NULL; + *alt_names = NULL; + *dom_sids = NULL; + return NT_STATUS_OK; +} + +/********************************************************************* + SAM specific functions. +*********************************************************************/ + +static NTSTATUS sam_query_user_list(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *num_entries, + WINBIND_USERINFO **info) +{ + struct pdb_search *ps = pdb_search_users(ACB_NORMAL); + struct samr_displayentry *entries = NULL; + uint32 i; + + *num_entries = 0; + *info = NULL; + + if (!ps) { + return NT_STATUS_NO_MEMORY; + } + + *num_entries = pdb_search_entries(ps, + 1, 0xffffffff, + &entries); + + *info = TALLOC_ZERO_ARRAY(mem_ctx, WINBIND_USERINFO, *num_entries); + if (!(*info)) { + pdb_search_destroy(ps); + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < *num_entries; i++) { + struct samr_displayentry *e = &entries[i]; + + (*info)[i].acct_name = talloc_strdup(mem_ctx, e->account_name ); + (*info)[i].full_name = talloc_strdup(mem_ctx, e->fullname ); + (*info)[i].homedir = NULL; + (*info)[i].shell = NULL; + sid_compose(&(*info)[i].user_sid, &domain->sid, e->rid); + + /* For the moment we set the primary group for + every user to be the Domain Users group. + There are serious problems with determining + the actual primary group for large domains. + This should really be made into a 'winbind + force group' smb.conf parameter or + something like that. */ + + sid_compose(&(*info)[i].group_sid, &domain->sid, + DOMAIN_GROUP_RID_USERS); + } + + pdb_search_destroy(ps); + return NT_STATUS_OK; +} + +/* Lookup user information from a rid or username. */ +static NTSTATUS sam_query_user(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const DOM_SID *user_sid, + WINBIND_USERINFO *user_info) +{ + struct samu *sampass = NULL; + + ZERO_STRUCTP(user_info); + + if (!sid_check_is_in_our_domain(user_sid)) { + return NT_STATUS_NO_SUCH_USER; + } + + DEBUG(10,("sam_query_user: getting samu info for sid %s\n", + sid_string_dbg(user_sid) )); + + if (!(sampass = samu_new(mem_ctx))) { + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_getsampwsid(sampass, user_sid)) { + TALLOC_FREE(sampass); + return NT_STATUS_NO_SUCH_USER; + } + + if (pdb_get_group_sid(sampass) == NULL) { + TALLOC_FREE(sampass); + return NT_STATUS_NO_SUCH_GROUP; + } + + DEBUG(10,("sam_query_user: group sid %s\n", + sid_string_dbg(sampass->group_sid) )); + + sid_copy(&user_info->user_sid, user_sid); + sid_copy(&user_info->group_sid, sampass->group_sid); + + user_info->acct_name = talloc_strdup(mem_ctx, sampass->username ? + sampass->username : ""); + user_info->full_name = talloc_strdup(mem_ctx, sampass->full_name ? + sampass->full_name : ""); + user_info->homedir = talloc_strdup(mem_ctx, sampass->home_dir ? + sampass->home_dir : ""); + if (sampass->unix_pw && sampass->unix_pw->pw_shell) { + user_info->shell = talloc_strdup(mem_ctx, sampass->unix_pw->pw_shell); + } else { + user_info->shell = talloc_strdup(mem_ctx, ""); + } + user_info->primary_gid = sampass->unix_pw ? sampass->unix_pw->pw_gid : (gid_t)-1; + + TALLOC_FREE(sampass); + return NT_STATUS_OK; +} + /* Lookup group membership given a rid. */ -static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, +static NTSTATUS sam_lookup_groupmem(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, const DOM_SID *group_sid, uint32 *num_names, DOM_SID **sid_mem, char ***names, @@ -320,83 +605,8 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, return NT_STATUS_OK; } -/* find the sequence number for a domain */ -static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) -{ - bool result; - time_t seq_num; - - result = pdb_get_seq_num(&seq_num); - if (!result) { - *seq = 1; - } - - *seq = (int) seq_num; - /* *seq = 1; */ - return NT_STATUS_OK; -} - -static NTSTATUS lockout_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - struct samr_DomInfo12 *policy) -{ - /* actually we have that */ - return NT_STATUS_NOT_IMPLEMENTED; -} - -static NTSTATUS password_policy(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, - struct samr_DomInfo1 *policy) -{ - uint32 min_pass_len,pass_hist,password_properties; - time_t u_expire, u_min_age; - NTTIME nt_expire, nt_min_age; - uint32 account_policy_temp; - - if ((policy = TALLOC_ZERO_P(mem_ctx, struct samr_DomInfo1)) == NULL) { - return NT_STATUS_NO_MEMORY; - } - - if (!pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp)) { - return NT_STATUS_ACCESS_DENIED; - } - min_pass_len = account_policy_temp; - - if (!pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp)) { - return NT_STATUS_ACCESS_DENIED; - } - pass_hist = account_policy_temp; - - if (!pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp)) { - return NT_STATUS_ACCESS_DENIED; - } - password_properties = account_policy_temp; - - if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp)) { - return NT_STATUS_ACCESS_DENIED; - } - u_expire = account_policy_temp; - - if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp)) { - return NT_STATUS_ACCESS_DENIED; - } - u_min_age = account_policy_temp; - - unix_to_nt_time_abs(&nt_expire, u_expire); - unix_to_nt_time_abs(&nt_min_age, u_min_age); - - init_samr_DomInfo1(policy, - (uint16)min_pass_len, - (uint16)pass_hist, - password_properties, - nt_expire, - nt_min_age); - - return NT_STATUS_OK; -} - /* get a list of trusted domains */ -static NTSTATUS trusted_domains(struct winbindd_domain *domain, +static NTSTATUS sam_trusted_domains(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, uint32 *num_domains, char ***names, @@ -453,20 +663,39 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, } /* the rpc backend methods are exposed via this structure */ -struct winbindd_methods passdb_methods = { - False, - query_user_list, +struct winbindd_methods builtin_passdb_methods = { + false, + builtin_query_user_list, + enum_dom_groups, + enum_local_groups, + name_to_sid, + sid_to_name, + rids_to_names, + builtin_query_user, + lookup_usergroups, + lookup_useraliases, + builtin_lookup_groupmem, + sequence_number, + lockout_policy, + password_policy, + builtin_trusted_domains, +}; + +/* the rpc backend methods are exposed via this structure */ +struct winbindd_methods sam_passdb_methods = { + false, + sam_query_user_list, enum_dom_groups, enum_local_groups, name_to_sid, sid_to_name, rids_to_names, - query_user, + sam_query_user, lookup_usergroups, lookup_useraliases, - lookup_groupmem, + sam_lookup_groupmem, sequence_number, lockout_policy, password_policy, - trusted_domains, + sam_trusted_domains, }; diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 9008cf8122..6a96070f42 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -27,7 +27,9 @@ #define DBGC_CLASS DBGC_WINBIND extern struct winbindd_methods cache_methods; -extern struct winbindd_methods passdb_methods; +extern struct winbindd_methods builtin_passdb_methods; +extern struct winbindd_methods sam_passdb_methods; + /** * @file winbindd_util.c @@ -695,7 +697,7 @@ bool init_domain_list(void) /* BUILTIN domain */ - domain = add_trusted_domain("BUILTIN", NULL, &passdb_methods, + domain = add_trusted_domain("BUILTIN", NULL, &builtin_passdb_methods, &global_sid_Builtin); if (domain) { setup_domain_child(domain, @@ -705,7 +707,7 @@ bool init_domain_list(void) /* Local SAM */ domain = add_trusted_domain(get_global_sam_name(), NULL, - &passdb_methods, get_global_sam_sid()); + &sam_passdb_methods, get_global_sam_sid()); if (domain) { if ( role != ROLE_DOMAIN_MEMBER ) { domain->primary = True; |