summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/Makefile.in3
-rw-r--r--source3/nsswitch/winbindd_cache.c7
-rw-r--r--source3/nsswitch/winbindd_passdb.c360
-rw-r--r--source3/sam/idmap_util.c61
4 files changed, 416 insertions, 15 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index f9e4ee8038..5e28f6eb4f 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -600,7 +600,8 @@ WINBINDD_OBJ1 = \
nsswitch/winbindd_wins.o \
nsswitch/winbindd_rpc.o \
nsswitch/winbindd_ads.o \
- nsswitch/winbindd_dual.o
+ nsswitch/winbindd_dual.o \
+ nsswitch/winbindd_passdb.o
WINBINDD_OBJ = \
$(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c
index 5eabcfca20..27e168b6f9 100644
--- a/source3/nsswitch/winbindd_cache.c
+++ b/source3/nsswitch/winbindd_cache.c
@@ -100,7 +100,12 @@ static struct winbind_cache *get_cache(struct winbindd_domain *domain)
ret = smb_xmalloc(sizeof(*ret));
ZERO_STRUCTP(ret);
- switch (lp_security()) {
+
+ if (!strcmp(domain->name, lp_workgroup()) && (lp_security() == SEC_USER)) {
+ extern struct winbindd_methods passdb_methods;
+ ret->backend = &passdb_methods;
+
+ } else switch (lp_security()) {
#ifdef HAVE_ADS
case SEC_ADS: {
extern struct winbindd_methods ads_methods;
diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c
new file mode 100644
index 0000000000..503b97899c
--- /dev/null
+++ b/source3/nsswitch/winbindd_passdb.c
@@ -0,0 +1,360 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind rpc backend functions
+
+ Copyright (C) Tim Potter 2000-2001,2003
+ Copyright (C) Simo Sorce 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "winbindd.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+
+/* Query display info for a domain. This returns enough information plus a
+ bit extra to give an overview of domain users for the User Manager
+ application. */
+static NTSTATUS query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ WINBIND_USERINFO **info)
+{
+ SAM_ACCOUNT *sam_account = NULL;
+ NTSTATUS result;
+ uint32 i;
+
+ DEBUG(3,("pdb: query_user_list\n"));
+
+ if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) {
+ return result;
+ }
+
+ i = 0;
+ *info = NULL;
+
+ if (pdb_setsampwent(False)) {
+
+ while (pdb_getsampwent(sam_account)) {
+
+ /* we return only nua accounts, or we will have duplicates */
+ if (!idmap_check_sid_is_in_free_range(pdb_get_user_sid(sam_account))) {
+ continue;
+ }
+
+ *info = talloc_realloc(mem_ctx, *info, (i + 1) * sizeof(WINBIND_USERINFO));
+ if (!(*info)) {
+ DEBUG(0,("query_user_list: out of memory!\n"));
+ result = NT_STATUS_NO_MEMORY;
+ break;
+ }
+
+ (*info)[i].user_sid = talloc(mem_ctx, sizeof(DOM_SID));
+ (*info)[i].group_sid = talloc(mem_ctx, sizeof(DOM_SID));
+ if (!((*info)[i].user_sid) || !((*info)[i].group_sid)) {
+ DEBUG(0,("query_user_list: out of memory!\n"));
+ result = NT_STATUS_NO_MEMORY;
+ break;
+ }
+ sid_copy((*info)[i].user_sid, pdb_get_user_sid(sam_account));
+ sid_copy((*info)[i].group_sid, pdb_get_group_sid(sam_account));
+
+ (*info)[i].acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
+ (*info)[i].full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account));
+ if (!((*info)[i].acct_name) || !((*info)[i].full_name)) {
+ DEBUG(0,("query_user_list: out of memory!\n"));
+ result = NT_STATUS_NO_MEMORY;
+ break;
+ }
+
+ i++;
+
+ if (NT_STATUS_IS_ERR(pdb_reset_sam(sam_account))) {
+ result = NT_STATUS_UNSUCCESSFUL;
+ break;
+ }
+ }
+
+ *num_entries = i;
+ result = NT_STATUS_OK;
+
+ } else {
+ result = NT_STATUS_UNSUCCESSFUL;
+ }
+
+ pdb_free_sam(&sam_account);
+ return result;
+}
+
+/* list all domain groups */
+static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ struct acct_info **info)
+{
+ NTSTATUS result = NT_STATUS_OK;
+
+ DEBUG(3,("pdb: enum_dom_groups (group support not implemented)\n"));
+
+ *num_entries = 0;
+ *info = 0;
+
+ return result;
+}
+
+/* List all domain groups */
+
+static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ struct acct_info **info)
+{
+ NTSTATUS result = NT_STATUS_OK;
+
+ DEBUG(3,("pdb: enum_local_groups (group support not implemented)\n"));
+
+ *num_entries = 0;
+ *info = 0;
+
+ return result;
+}
+
+/* convert a single name to a sid in a domain */
+static NTSTATUS name_to_sid(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const char *name,
+ DOM_SID *sid,
+ enum SID_NAME_USE *type)
+{
+ SAM_ACCOUNT *sam_account = NULL;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+
+ DEBUG(3,("pdb: name_to_sid name=%s (group support not implemented)\n", name));
+
+ if (NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
+ if (!pdb_getsampwnam(sam_account, name)) {
+ result = NT_STATUS_UNSUCCESSFUL;
+ } else { /* it is a sam user */
+ sid_copy(sid, pdb_get_user_sid(sam_account));
+ *type = SID_NAME_USER;
+ result = NT_STATUS_OK;
+ }
+ }
+
+ pdb_free_sam(&sam_account);
+ return result;
+}
+
+/*
+ convert a domain SID to a user or group name
+*/
+static NTSTATUS sid_to_name(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ DOM_SID *sid,
+ char **name,
+ enum SID_NAME_USE *type)
+{
+ SAM_ACCOUNT *sam_account = NULL;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ uint32 id;
+
+ DEBUG(3,("pdb: sid_to_name sid=%s\n", sid_string_static(sid)));
+
+ if (NT_STATUS_IS_OK(sid_to_uid(sid, &id))) { /* this is a user */
+
+ if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) {
+ return result;
+ }
+
+ if (!pdb_getsampwsid(sam_account, sid)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
+ if (!(*name)) {
+ DEBUG(0,("query_user: out of memory!\n"));
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ pdb_free_sam(&sam_account);
+ *type = SID_NAME_USER;
+ result = NT_STATUS_OK;
+
+ } else if (NT_STATUS_IS_OK(sid_to_gid(sid, &id))) { /* this is a group */
+
+ DEBUG(3,("pdb: sid_to_name: group support not implemented\n"));
+ result = NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return result;
+}
+
+/* Lookup user information from a rid or username. */
+static NTSTATUS query_user(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ DOM_SID *user_sid,
+ WINBIND_USERINFO *user_info)
+{
+ SAM_ACCOUNT *sam_account = NULL;
+ NTSTATUS result;
+
+ DEBUG(3,("pdb: query_user sid=%s\n", sid_string_static(user_sid)));
+
+ if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) {
+ return result;
+ }
+
+ if (!pdb_getsampwsid(sam_account, user_sid)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* we return only nua accounts, or we will have duplicates */
+ if (!idmap_check_sid_is_in_free_range(user_sid)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ user_info->user_sid = talloc(mem_ctx, sizeof(DOM_SID));
+ user_info->group_sid = talloc(mem_ctx, sizeof(DOM_SID));
+ if (!(user_info->user_sid) || !(user_info->group_sid)) {
+ DEBUG(0,("query_user: out of memory!\n"));
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+ sid_copy(user_info->user_sid, pdb_get_user_sid(sam_account));
+ sid_copy(user_info->group_sid, pdb_get_group_sid(sam_account));
+
+ user_info->acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
+ user_info->full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account));
+ if (!(user_info->acct_name) || !(user_info->full_name)) {
+ DEBUG(0,("query_user: out of memory!\n"));
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_OK;
+}
+
+/* Lookup groups a user is a member of. I wish Unix had a call like this! */
+static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ DOM_SID *user_sid,
+ uint32 *num_groups, DOM_SID ***user_gids)
+{
+ NTSTATUS result = NT_STATUS_OK;
+
+ DEBUG(3,("pdb: lookup_usergroups (group support not implemented)\n"));
+
+ num_groups = 0;
+ user_gids = 0;
+
+ return result;
+}
+
+
+/* Lookup group membership given a rid. */
+static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ DOM_SID *group_sid, uint32 *num_names,
+ DOM_SID ***sid_mem, char ***names,
+ uint32 **name_types)
+{
+ NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED;
+
+ DEBUG(3,("pdb: lookup_groupmem (group support not implemented)\n"));
+
+ num_names = 0;
+ sid_mem = 0;
+ names = 0;
+ name_types = 0;
+
+ return result;
+}
+
+/* find the sequence number for a domain */
+static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
+{
+ /* FIXME: we fake up the seq_num untill our passdb support it */
+ static uint32 seq_num;
+
+ DEBUG(3,("pdb: sequence_number\n"));
+
+ *seq = seq_num++;
+
+ return NT_STATUS_OK;
+}
+
+/* get a list of trusted domains */
+static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_domains,
+ char ***names,
+ char ***alt_names,
+ DOM_SID **dom_sids)
+{
+ NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED;
+
+ DEBUG(3,("pdb: trusted_domains (todo!)\n"));
+
+ return result;
+}
+
+/* find the domain sid for a domain */
+static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid)
+{
+ DEBUG(3,("pdb: domain_sid\n"));
+
+ if (strcmp(domain->name, lp_workgroup())) {
+ return NT_STATUS_INVALID_PARAMETER;
+ } else {
+ sid_copy(sid, get_global_sam_sid());
+ return NT_STATUS_OK;
+ }
+}
+
+/* find alternate names list for the domain
+ * should we look for netbios aliases??
+ SSS */
+static NTSTATUS alternate_name(struct winbindd_domain *domain)
+{
+ DEBUG(3,("pdb: alternate_name\n"));
+
+ return NT_STATUS_OK;
+}
+
+
+/* the rpc backend methods are exposed via this structure */
+struct winbindd_methods passdb_methods = {
+ False,
+ query_user_list,
+ enum_dom_groups,
+ enum_local_groups,
+ name_to_sid,
+ sid_to_name,
+ query_user,
+ lookup_usergroups,
+ lookup_groupmem,
+ sequence_number,
+ trusted_domains,
+ domain_sid,
+ alternate_name
+};
diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c
index 5d7adcdc04..e0c492542b 100644
--- a/source3/sam/idmap_util.c
+++ b/source3/sam/idmap_util.c
@@ -62,6 +62,24 @@ BOOL idmap_check_rid_is_in_free_range(uint32 rid)
return True;
}
+/* if it is a foreign SID or if the SID is in the free range, return true */
+
+BOOL idmap_check_sid_is_in_free_range(const DOM_SID *sid)
+{
+ if (sid_compare_domain(get_global_sam_sid(), sid) == 0) {
+
+ uint32 rid;
+
+ if (sid_peek_rid(sid, &rid)) {
+ return idmap_check_rid_is_in_free_range(rid);
+ }
+
+ return False;
+ }
+
+ return True;
+}
+
/******************************************************************
* Get the the non-algorithmic RID range if idmap range are defined
******************************************************************/
@@ -196,7 +214,6 @@ NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
BOOL fallback = False;
- uint32 rid;
unid_t id;
int flags;
@@ -204,20 +221,30 @@ NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid)
flags = ID_USERID;
if (!lp_idmap_only()) {
- if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
- if (!idmap_check_rid_is_in_free_range(rid)) {
- flags |= ID_NOMAP;
- fallback = True;
- }
+ if (!idmap_check_sid_is_in_free_range(sid)) {
+ flags |= ID_NOMAP;
+ fallback = True;
}
}
if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) {
+
DEBUG(10,("sid_to_uid: uid = [%d]\n", id.uid));
+
*uid = id.uid;
ret = NT_STATUS_OK;
+
} else if (fallback) {
+ uint32 rid;
+
+ if (!sid_peek_rid(sid, &rid)) {
+ DEBUG(10,("sid_to_uid: invalid SID!\n"));
+ ret = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
DEBUG(10,("sid_to_uid: Fall back to algorithmic mapping\n"));
+
if (!fallback_pdb_rid_is_user(rid)) {
DEBUG(3, ("sid_to_uid: SID %s is *NOT* a user\n", sid_string_static(sid)));
ret = NT_STATUS_UNSUCCESSFUL;
@@ -228,6 +255,7 @@ NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid)
}
}
+done:
return ret;
}
@@ -252,21 +280,26 @@ NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid)
flags = ID_GROUPID;
if (!lp_idmap_only()) {
- if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) {
- if (!idmap_check_rid_is_in_free_range(rid)) {
- flags |= ID_NOMAP;
- fallback = True;
- }
+ if (!idmap_check_sid_is_in_free_range(sid)) {
+ flags |= ID_NOMAP;
+ fallback = True;
}
}
if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) {
+
DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid));
*gid = id.gid;
ret = NT_STATUS_OK;
+
} else if (fallback) {
- GROUP_MAP map;
- BOOL result;
+ uint32 rid;
+
+ if (!sid_peek_rid(sid, &rid)) {
+ DEBUG(10,("sid_to_uid: invalid SID!\n"));
+ ret = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
DEBUG(10,("sid_to_gid: Fall back to algorithmic mapping\n"));
@@ -280,6 +313,7 @@ NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid)
}
}
+done:
return ret;
}
@@ -338,5 +372,6 @@ BOOL idmap_init_wellknown_sids(void)
}
}
+ passwd_free(&pass);
return True;
}