diff options
-rw-r--r-- | source3/Makefile.in | 1 | ||||
-rw-r--r-- | source3/winbindd/winbindd.c | 3 | ||||
-rw-r--r-- | source3/winbindd/winbindd_getgroups.c | 222 | ||||
-rw-r--r-- | source3/winbindd/winbindd_group.c | 172 | ||||
-rw-r--r-- | source3/winbindd/winbindd_proto.h | 5 |
5 files changed, 230 insertions, 173 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index 92ff64fbda..650e2081c7 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -1174,6 +1174,7 @@ WINBINDD_OBJ1 = \ winbindd/winbindd_getpwuid.o \ winbindd/winbindd_getsidaliases.o \ winbindd/winbindd_getuserdomgroups.o \ + winbindd/winbindd_getgroups.o \ auth/token_util.o \ ../nsswitch/libwbclient/wb_reqtrans.o \ smbd/connection.o diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index 1a5e958d38..348816b39c 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -431,7 +431,6 @@ static struct winbindd_dispatch_table { { WINBINDD_ENDPWENT, winbindd_endpwent, "ENDPWENT" }, { WINBINDD_GETPWENT, winbindd_getpwent, "GETPWENT" }, - { WINBINDD_GETGROUPS, winbindd_getgroups, "GETGROUPS" }, { WINBINDD_GETUSERSIDS, winbindd_getusersids, "GETUSERSIDS" }, /* Group functions */ @@ -533,6 +532,8 @@ static struct winbindd_async_dispatch_table async_nonpriv_table[] = { winbindd_getsidaliases_send, winbindd_getsidaliases_recv }, { WINBINDD_GETUSERDOMGROUPS, "GETUSERDOMGROUPS", winbindd_getuserdomgroups_send, winbindd_getuserdomgroups_recv }, + { WINBINDD_GETGROUPS, "GETGROUPS", + winbindd_getgroups_send, winbindd_getgroups_recv }, { 0, NULL, NULL, NULL } }; diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c new file mode 100644 index 0000000000..9e6465696e --- /dev/null +++ b/source3/winbindd/winbindd_getgroups.c @@ -0,0 +1,222 @@ +/* + Unix SMB/CIFS implementation. + async implementation of WINBINDD_GETGROUPS + Copyright (C) Volker Lendecke 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "winbindd.h" + +struct winbindd_getgroups_state { + struct tevent_context *ev; + fstring domname; + fstring username; + struct dom_sid sid; + enum lsa_SidType type; + int num_sids; + struct dom_sid *sids; + int next_sid; + int num_gids; + gid_t *gids; +}; + +static void winbindd_getgroups_lookupname_done(struct tevent_req *subreq); +static void winbindd_getgroups_gettoken_done(struct tevent_req *subreq); +static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq); + +struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct winbindd_request *request) +{ + struct tevent_req *req, *subreq; + struct winbindd_getgroups_state *state; + char *domuser, *mapped_user; + struct winbindd_domain *domain; + NTSTATUS status; + + req = tevent_req_create(mem_ctx, &state, + struct winbindd_getgroups_state); + if (req == NULL) { + return NULL; + } + state->ev = ev; + + /* Ensure null termination */ + request->data.username[sizeof(request->data.username)-1]='\0'; + + DEBUG(3, ("getgroups %s\n", request->data.username)); + + domuser = request->data.username; + + status = normalize_name_unmap(state, domuser, &mapped_user); + + if (NT_STATUS_IS_OK(status) + || NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) { + /* normalize_name_unmapped did something */ + domuser = mapped_user; + } + + if (!parse_domain_user(domuser, state->domname, state->username)) { + DEBUG(5, ("Could not parse domain user: %s\n", domuser)); + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); + return tevent_req_post(req, ev); + } + + domain = find_domain_from_name_noinit(state->domname); + if (domain == NULL) { + /* Retry with DNS name */ + char *p = strchr(domuser, '@'); + if (p != NULL) { + domain = find_domain_from_name_noinit(p+1); + } + } + if (domain == NULL) { + DEBUG(7, ("could not find domain entry for domain %s\n", + state->domname)); + tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); + return tevent_req_post(req, ev); + } + + if (lp_winbind_trusted_domains_only() && domain->primary) { + DEBUG(7,("winbindd_getgroups: My domain -- " + "rejecting getgroups() for %s\\%s.\n", + state->domname, state->username)); + tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); + return tevent_req_post(req, ev); + } + + subreq = wb_lookupname_send(state, ev, state->domname, state->username, + LOOKUP_NAME_NO_NSS); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, winbindd_getgroups_lookupname_done, + req); + return req; +} + +static void winbindd_getgroups_lookupname_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct winbindd_getgroups_state *state = tevent_req_data( + req, struct winbindd_getgroups_state); + NTSTATUS status; + + status = wb_lookupname_recv(subreq, &state->sid, &state->type); + TALLOC_FREE(subreq); + if (!NT_STATUS_IS_OK(status)) { + tevent_req_nterror(req, status); + return; + } + + subreq = wb_gettoken_send(state, state->ev, &state->sid); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, winbindd_getgroups_gettoken_done, req); +} + +static void winbindd_getgroups_gettoken_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct winbindd_getgroups_state *state = tevent_req_data( + req, struct winbindd_getgroups_state); + NTSTATUS status; + + status = wb_gettoken_recv(subreq, state, &state->num_sids, + &state->sids); + TALLOC_FREE(subreq); + if (!NT_STATUS_IS_OK(status)) { + tevent_req_nterror(req, status); + return; + } + + /* + * Convert the group SIDs to gids. state->sids[0] contains the user + * sid, so start at index 1. + */ + + state->gids = talloc_array(state, gid_t, state->num_sids-1); + if (tevent_req_nomem(state->gids, req)) { + return; + } + state->num_gids = 0; + state->next_sid = 1; + + subreq = wb_sid2gid_send(state, state->ev, + &state->sids[state->next_sid]); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, winbindd_getgroups_sid2gid_done, req); +} + +static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct winbindd_getgroups_state *state = tevent_req_data( + req, struct winbindd_getgroups_state); + NTSTATUS status; + + status = wb_sid2gid_recv(subreq, &state->gids[state->num_gids]); + TALLOC_FREE(subreq); + + /* + * In case of failure, just continue with the next gid + */ + if (NT_STATUS_IS_OK(status)) { + state->num_gids += 1; + } + state->next_sid += 1; + + if (state->next_sid >= state->num_sids) { + tevent_req_done(req); + return; + } + + subreq = wb_sid2gid_send(state, state->ev, + &state->sids[state->next_sid]); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, winbindd_getgroups_sid2gid_done, req); +} + +NTSTATUS winbindd_getgroups_recv(struct tevent_req *req, + struct winbindd_response *response) +{ + struct winbindd_getgroups_state *state = tevent_req_data( + req, struct winbindd_getgroups_state); + NTSTATUS status; + + if (tevent_req_is_nterror(req, &status)) { + DEBUG(5, ("Could not convert sid %s: %s\n", + sid_string_dbg(&state->sid), nt_errstr(status))); + return status; + } + + response->data.num_entries = state->num_gids; + + if (state->num_gids > 0) { + response->extra_data.data = talloc_move(response, + &state->gids); + response->length += state->num_gids * sizeof(gid_t); + } + return NT_STATUS_OK; +} diff --git a/source3/winbindd/winbindd_group.c b/source3/winbindd/winbindd_group.c index 12067f553f..c1a898d73b 100644 --- a/source3/winbindd/winbindd_group.c +++ b/source3/winbindd/winbindd_group.c @@ -1559,178 +1559,6 @@ struct getgroups_state { size_t num_token_gids; }; -static void getgroups_usersid_recv(void *private_data, bool success, - const DOM_SID *sid, enum lsa_SidType type); -static void getgroups_tokensids_recv(void *private_data, bool success, - DOM_SID *token_sids, size_t num_token_sids); -static void getgroups_sid2gid_recv(void *private_data, bool success, gid_t gid); - -void winbindd_getgroups(struct winbindd_cli_state *state) -{ - struct getgroups_state *s; - char *real_name = NULL; - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; - - /* Ensure null termination */ - state->request->data.username - [sizeof(state->request->data.username)-1]='\0'; - - DEBUG(3, ("[%5lu]: getgroups %s\n", (unsigned long)state->pid, - state->request->data.username)); - - /* Parse domain and username */ - - s = TALLOC_P(state->mem_ctx, struct getgroups_state); - if (s == NULL) { - DEBUG(0, ("talloc failed\n")); - request_error(state); - return; - } - - s->state = state; - - nt_status = normalize_name_unmap(state->mem_ctx, - state->request->data.username, - &real_name); - - /* Reset the real_name pointer if we didn't do anything - productive in the above call */ - if (!NT_STATUS_IS_OK(nt_status) && - !NT_STATUS_EQUAL(nt_status, NT_STATUS_FILE_RENAMED)) - { - real_name = state->request->data.username; - } - - if (!parse_domain_user_talloc(state->mem_ctx, real_name, - &s->domname, &s->username)) { - DEBUG(5, ("Could not parse domain user: %s\n", - real_name)); - - /* error out if we do not have nested group support */ - - if ( !lp_winbind_nested_groups() ) { - request_error(state); - return; - } - - s->domname = talloc_strdup(state->mem_ctx, - get_global_sam_name()); - s->username = talloc_strdup(state->mem_ctx, - state->request->data.username); - } - - /* Get info for the domain (either by short domain name or - DNS name in the case of a UPN) */ - - s->domain = find_domain_from_name_noinit(s->domname); - if (!s->domain) { - char *p = strchr(s->username, '@'); - - if (p) { - s->domain = find_domain_from_name_noinit(p+1); - } - - } - - if (s->domain == NULL) { - DEBUG(7, ("could not find domain entry for domain %s\n", - s->domname)); - request_error(state); - return; - } - - if ( s->domain->primary && lp_winbind_trusted_domains_only()) { - DEBUG(7,("winbindd_getgroups: My domain -- rejecting " - "getgroups() for %s\\%s.\n", s->domname, - s->username)); - request_error(state); - return; - } - - /* Get rid and name type from name. The following costs 1 packet */ - - winbindd_lookupname_async(state->mem_ctx, - s->domname, s->username, - getgroups_usersid_recv, - WINBINDD_GETGROUPS, s); -} - -static void getgroups_usersid_recv(void *private_data, bool success, - const DOM_SID *sid, enum lsa_SidType type) -{ - struct getgroups_state *s = - (struct getgroups_state *)private_data; - - if ((!success) || - ((type != SID_NAME_USER) && (type != SID_NAME_COMPUTER))) { - request_error(s->state); - return; - } - - sid_copy(&s->user_sid, sid); - - winbindd_gettoken_async(s->state->mem_ctx, &s->user_sid, - getgroups_tokensids_recv, s); -} - -static void getgroups_tokensids_recv(void *private_data, bool success, - DOM_SID *token_sids, size_t num_token_sids) -{ - struct getgroups_state *s = - (struct getgroups_state *)private_data; - - /* We need at least the user sid and the primary group in the token, - * otherwise it's an error */ - - if ((!success) || (num_token_sids < 2)) { - request_error(s->state); - return; - } - - s->token_sids = token_sids; - s->num_token_sids = num_token_sids; - s->i = 0; - - s->token_gids = NULL; - s->num_token_gids = 0; - - getgroups_sid2gid_recv(s, False, 0); -} - -static void getgroups_sid2gid_recv(void *private_data, bool success, gid_t gid) -{ - struct getgroups_state *s = - (struct getgroups_state *)private_data; - - if (success) { - if (!add_gid_to_array_unique(s->state->mem_ctx, gid, - &s->token_gids, - &s->num_token_gids)) { - return; - } - } - - if (s->i < s->num_token_sids) { - const DOM_SID *sid = &s->token_sids[s->i]; - s->i += 1; - - if (sid_equal(sid, &s->user_sid)) { - getgroups_sid2gid_recv(s, False, 0); - return; - } - - winbindd_sid2gid_async(s->state->mem_ctx, sid, - getgroups_sid2gid_recv, s); - return; - } - - s->state->response->data.num_entries = s->num_token_gids; - if (s->num_token_gids) { - s->state->response->extra_data.data = s->token_gids; - s->state->response->length += s->num_token_gids * sizeof(gid_t); - } - request_ok(s->state); -} /* Get user supplementary sids. This is equivalent to the winbindd_getgroups() function but it involves a SID->SIDs mapping diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index df6df12dc3..a9a374a532 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -761,6 +761,11 @@ struct tevent_req *wb_gettoken_send(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); NTSTATUS wb_gettoken_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, int *num_sids, struct dom_sid **sids); +struct tevent_req *winbindd_getgroups_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct winbindd_request *request); +NTSTATUS winbindd_getgroups_recv(struct tevent_req *req, + struct winbindd_response *response); |