summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/docbook/projdoc/StandAloneServer.xml47
-rw-r--r--source3/nsswitch/winbindd_passdb.c360
-rw-r--r--source3/sam/idmap_util.c377
3 files changed, 784 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/StandAloneServer.xml b/docs/docbook/projdoc/StandAloneServer.xml
new file mode 100644
index 0000000000..c5b5c67250
--- /dev/null
+++ b/docs/docbook/projdoc/StandAloneServer.xml
@@ -0,0 +1,47 @@
+<chapter id="StandAloneServer">
+<chapterinfo>
+ &author.jht;
+</chapterinfo>
+<title>Stand-Alone Servers</title>
+
+<sect1>
+<title>Stand Alone Server</title>
+
+<para>
+The term <emphasis>stand alone server</emphasis> means that the server
+will provide local authentication and access control for all resources
+that are available from it. In general this means that there will be a
+local user database. In more technical terms, it means that resources
+on the machine will either be made available in either SHARE mode or in
+USER mode. SHARE mode and USER mode security are documented under
+discussions regarding "security mode". The smb.conf configuration parameters
+that control security mode are: "security = user" and "security = share".
+</para>
+
+<para>
+No special action is needed other than to create user accounts. Stand-alone
+servers do NOT provide network logon services, meaning that machines that
+use this server do NOT perform a domain logon but instead make use only of
+the MS Windows logon which is local to the MS Windows workstation/server.
+</para>
+
+<para>
+Samba tends to blur the distinction a little in respect of what is
+a stand alone server. This is because the authentication database may be
+local or on a remote server, even if from the samba protocol perspective
+the samba server is NOT a member of a domain security context.
+</para>
+
+<para>
+Through the use of PAM (Pluggable Authentication Modules) and nsswitch
+(the name service switcher) the source of authentication may reside on
+another server. We would be inclined to call this the authentication server.
+This means that the samba server may use the local Unix/Linux system
+password database (/etc/passwd or /etc/shadow), may use a local smbpasswd
+file (/etc/samba/smbpasswd or /usr/local/samba/lib/private/smbpasswd), or
+may use an LDAP back end, or even via PAM and Winbind another CIFS/SMB
+server for authentication.
+</para>
+
+</sect1>
+</chapter>
diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c
new file mode 100644
index 0000000000..503b97899c
--- /dev/null
+++ b/source3/nsswitch/winbindd_passdb.c
@@ -0,0 +1,360 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind rpc backend functions
+
+ Copyright (C) Tim Potter 2000-2001,2003
+ Copyright (C) Simo Sorce 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "winbindd.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+
+/* Query display info for a domain. This returns enough information plus a
+ bit extra to give an overview of domain users for the User Manager
+ application. */
+static NTSTATUS query_user_list(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ WINBIND_USERINFO **info)
+{
+ SAM_ACCOUNT *sam_account = NULL;
+ NTSTATUS result;
+ uint32 i;
+
+ DEBUG(3,("pdb: query_user_list\n"));
+
+ if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) {
+ return result;
+ }
+
+ i = 0;
+ *info = NULL;
+
+ if (pdb_setsampwent(False)) {
+
+ while (pdb_getsampwent(sam_account)) {
+
+ /* we return only nua accounts, or we will have duplicates */
+ if (!idmap_check_sid_is_in_free_range(pdb_get_user_sid(sam_account))) {
+ continue;
+ }
+
+ *info = talloc_realloc(mem_ctx, *info, (i + 1) * sizeof(WINBIND_USERINFO));
+ if (!(*info)) {
+ DEBUG(0,("query_user_list: out of memory!\n"));
+ result = NT_STATUS_NO_MEMORY;
+ break;
+ }
+
+ (*info)[i].user_sid = talloc(mem_ctx, sizeof(DOM_SID));
+ (*info)[i].group_sid = talloc(mem_ctx, sizeof(DOM_SID));
+ if (!((*info)[i].user_sid) || !((*info)[i].group_sid)) {
+ DEBUG(0,("query_user_list: out of memory!\n"));
+ result = NT_STATUS_NO_MEMORY;
+ break;
+ }
+ sid_copy((*info)[i].user_sid, pdb_get_user_sid(sam_account));
+ sid_copy((*info)[i].group_sid, pdb_get_group_sid(sam_account));
+
+ (*info)[i].acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
+ (*info)[i].full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account));
+ if (!((*info)[i].acct_name) || !((*info)[i].full_name)) {
+ DEBUG(0,("query_user_list: out of memory!\n"));
+ result = NT_STATUS_NO_MEMORY;
+ break;
+ }
+
+ i++;
+
+ if (NT_STATUS_IS_ERR(pdb_reset_sam(sam_account))) {
+ result = NT_STATUS_UNSUCCESSFUL;
+ break;
+ }
+ }
+
+ *num_entries = i;
+ result = NT_STATUS_OK;
+
+ } else {
+ result = NT_STATUS_UNSUCCESSFUL;
+ }
+
+ pdb_free_sam(&sam_account);
+ return result;
+}
+
+/* list all domain groups */
+static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ struct acct_info **info)
+{
+ NTSTATUS result = NT_STATUS_OK;
+
+ DEBUG(3,("pdb: enum_dom_groups (group support not implemented)\n"));
+
+ *num_entries = 0;
+ *info = 0;
+
+ return result;
+}
+
+/* List all domain groups */
+
+static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_entries,
+ struct acct_info **info)
+{
+ NTSTATUS result = NT_STATUS_OK;
+
+ DEBUG(3,("pdb: enum_local_groups (group support not implemented)\n"));
+
+ *num_entries = 0;
+ *info = 0;
+
+ return result;
+}
+
+/* convert a single name to a sid in a domain */
+static NTSTATUS name_to_sid(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const char *name,
+ DOM_SID *sid,
+ enum SID_NAME_USE *type)
+{
+ SAM_ACCOUNT *sam_account = NULL;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+
+ DEBUG(3,("pdb: name_to_sid name=%s (group support not implemented)\n", name));
+
+ if (NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
+ if (!pdb_getsampwnam(sam_account, name)) {
+ result = NT_STATUS_UNSUCCESSFUL;
+ } else { /* it is a sam user */
+ sid_copy(sid, pdb_get_user_sid(sam_account));
+ *type = SID_NAME_USER;
+ result = NT_STATUS_OK;
+ }
+ }
+
+ pdb_free_sam(&sam_account);
+ return result;
+}
+
+/*
+ convert a domain SID to a user or group name
+*/
+static NTSTATUS sid_to_name(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ DOM_SID *sid,
+ char **name,
+ enum SID_NAME_USE *type)
+{
+ SAM_ACCOUNT *sam_account = NULL;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ uint32 id;
+
+ DEBUG(3,("pdb: sid_to_name sid=%s\n", sid_string_static(sid)));
+
+ if (NT_STATUS_IS_OK(sid_to_uid(sid, &id))) { /* this is a user */
+
+ if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) {
+ return result;
+ }
+
+ if (!pdb_getsampwsid(sam_account, sid)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
+ if (!(*name)) {
+ DEBUG(0,("query_user: out of memory!\n"));
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ pdb_free_sam(&sam_account);
+ *type = SID_NAME_USER;
+ result = NT_STATUS_OK;
+
+ } else if (NT_STATUS_IS_OK(sid_to_gid(sid, &id))) { /* this is a group */
+
+ DEBUG(3,("pdb: sid_to_name: group support not implemented\n"));
+ result = NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return result;
+}
+
+/* Lookup user information from a rid or username. */
+static NTSTATUS query_user(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ DOM_SID *user_sid,
+ WINBIND_USERINFO *user_info)
+{
+ SAM_ACCOUNT *sam_account = NULL;
+ NTSTATUS result;
+
+ DEBUG(3,("pdb: query_user sid=%s\n", sid_string_static(user_sid)));
+
+ if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) {
+ return result;
+ }
+
+ if (!pdb_getsampwsid(sam_account, user_sid)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* we return only nua accounts, or we will have duplicates */
+ if (!idmap_check_sid_is_in_free_range(user_sid)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ user_info->user_sid = talloc(mem_ctx, sizeof(DOM_SID));
+ user_info->group_sid = talloc(mem_ctx, sizeof(DOM_SID));
+ if (!(user_info->user_sid) || !(user_info->group_sid)) {
+ DEBUG(0,("query_user: out of memory!\n"));
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+ sid_copy(user_info->user_sid, pdb_get_user_sid(sam_account));
+ sid_copy(user_info->group_sid, pdb_get_group_sid(sam_account));
+
+ user_info->acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account));
+ user_info->full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account));
+ if (!(user_info->acct_name) || !(user_info->full_name)) {
+ DEBUG(0,("query_user: out of memory!\n"));
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_OK;
+}
+
+/* Lookup groups a user is a member of. I wish Unix had a call like this! */
+static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ DOM_SID *user_sid,
+ uint32 *num_groups, DOM_SID ***user_gids)
+{
+ NTSTATUS result = NT_STATUS_OK;
+
+ DEBUG(3,("pdb: lookup_usergroups (group support not implemented)\n"));
+
+ num_groups = 0;
+ user_gids = 0;
+
+ return result;
+}
+
+
+/* Lookup group membership given a rid. */
+static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ DOM_SID *group_sid, uint32 *num_names,
+ DOM_SID ***sid_mem, char ***names,
+ uint32 **name_types)
+{
+ NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED;
+
+ DEBUG(3,("pdb: lookup_groupmem (group support not implemented)\n"));
+
+ num_names = 0;
+ sid_mem = 0;
+ names = 0;
+ name_types = 0;
+
+ return result;
+}
+
+/* find the sequence number for a domain */
+static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
+{
+ /* FIXME: we fake up the seq_num untill our passdb support it */
+ static uint32 seq_num;
+
+ DEBUG(3,("pdb: sequence_number\n"));
+
+ *seq = seq_num++;
+
+ return NT_STATUS_OK;
+}
+
+/* get a list of trusted domains */
+static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 *num_domains,
+ char ***names,
+ char ***alt_names,
+ DOM_SID **dom_sids)
+{
+ NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED;
+
+ DEBUG(3,("pdb: trusted_domains (todo!)\n"));
+
+ return result;
+}
+
+/* find the domain sid for a domain */
+static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid)
+{
+ DEBUG(3,("pdb: domain_sid\n"));
+
+ if (strcmp(domain->name, lp_workgroup())) {
+ return NT_STATUS_INVALID_PARAMETER;
+ } else {
+ sid_copy(sid, get_global_sam_sid());
+ return NT_STATUS_OK;
+ }
+}
+
+/* find alternate names list for the domain
+ * should we look for netbios aliases??
+ SSS */
+static NTSTATUS alternate_name(struct winbindd_domain *domain)
+{
+ DEBUG(3,("pdb: alternate_name\n"));
+
+ return NT_STATUS_OK;
+}
+
+
+/* the rpc backend methods are exposed via this structure */
+struct winbindd_methods passdb_methods = {
+ False,
+ query_user_list,
+ enum_dom_groups,
+ enum_local_groups,
+ name_to_sid,
+ sid_to_name,
+ query_user,
+ lookup_usergroups,
+ lookup_groupmem,
+ sequence_number,
+ trusted_domains,
+ domain_sid,
+ alternate_name
+};
diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c
new file mode 100644
index 0000000000..e0c492542b
--- /dev/null
+++ b/source3/sam/idmap_util.c
@@ -0,0 +1,377 @@
+/*
+ Unix SMB/CIFS implementation.
+ ID Mapping
+ Copyright (C) Simo Sorce 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+
+/******************************************************************
+ * Get the free RID base if idmap is configured, otherwise return 0
+ ******************************************************************/
+
+uint32 idmap_get_free_rid_base(void)
+{
+ uint32 low, high;
+ if (idmap_get_free_rid_range(&low, &high)) {
+ return low;
+ }
+ return 0;
+}
+
+BOOL idmap_check_ugid_is_in_free_range(uint32 id)
+{
+ uint32 low, high;
+
+ if (!idmap_get_free_ugid_range(&low, &high)) {
+ return False;
+ }
+ if (id < low || id > high) {
+ return False;
+ }
+ return True;
+}
+
+BOOL idmap_check_rid_is_in_free_range(uint32 rid)
+{
+ uint32 low, high;
+
+ if (!idmap_get_free_rid_range(&low, &high)) {
+ return False;
+ }
+ if (rid < low || rid > high) {
+ return False;
+ }
+ return True;
+}
+
+/* if it is a foreign SID or if the SID is in the free range, return true */
+
+BOOL idmap_check_sid_is_in_free_range(const DOM_SID *sid)
+{
+ if (sid_compare_domain(get_global_sam_sid(), sid) == 0) {
+
+ uint32 rid;
+
+ if (sid_peek_rid(sid, &rid)) {
+ return idmap_check_rid_is_in_free_range(rid);
+ }
+
+ return False;
+ }
+
+ return True;
+}
+
+/******************************************************************
+ * Get the the non-algorithmic RID range if idmap range are defined
+ ******************************************************************/
+
+BOOL idmap_get_free_rid_range(uint32 *low, uint32 *high)
+{
+ uint32 id_low, id_high;
+
+ if (lp_idmap_only()) {
+ *low = BASE_RID;
+ *high = (uint32)-1;
+ }
+
+ if (!idmap_get_free_ugid_range(&id_low, &id_high)) {
+ return False;
+ }
+
+ *low = fallback_pdb_uid_to_user_rid(id_low);
+ if (fallback_pdb_user_rid_to_uid((uint32)-1) < id_high) {
+ *high = (uint32)-1;
+ } else {
+ *high = fallback_pdb_uid_to_user_rid(id_high);
+ }
+
+ return True;
+}
+
+BOOL idmap_get_free_ugid_range(uint32 *low, uint32 *high)
+{
+ uid_t u_low, u_high;
+ gid_t g_low, g_high;
+
+ if (!lp_idmap_uid(&u_low, &u_high) || !lp_idmap_gid(&g_low, &g_high)) {
+ return False;
+ }
+ if (u_low < g_low) {
+ *low = u_low;
+ } else {
+ *low = g_low;
+ }
+ if (u_high < g_high) {
+ *high = g_high;
+ } else {
+ *high = u_high;
+ }
+ return True;
+}
+
+/*****************************************************************
+ *THE CANONICAL* convert uid_t to SID function.
+ check idmap if uid is in idmap range, otherwise falls back to
+ the legacy algorithmic mapping.
+ A special cache is used for uids that maps to Wellknown SIDs
+ Returns SID pointer.
+*****************************************************************/
+
+NTSTATUS uid_to_sid(DOM_SID *sid, uid_t uid)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ unid_t id;
+ int flags;
+
+ DEBUG(10,("uid_to_sid: uid = [%d]\n", uid));
+
+ flags = ID_USERID;
+ if (!lp_idmap_only() && !idmap_check_ugid_is_in_free_range(uid)) {
+ flags |= ID_NOMAP;
+ }
+
+ id.uid = uid;
+ if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) {
+ DEBUG(10, ("uid_to_sid: Failed to map uid = [%u]\n", (unsigned int)uid));
+ if (flags & ID_NOMAP) {
+ sid_copy(sid, get_global_sam_sid());
+ sid_append_rid(sid, fallback_pdb_uid_to_user_rid(uid));
+
+ DEBUG(10,("uid_to_sid: Fall back to algorithmic mapping: %u -> %s\n", (unsigned int)uid, sid_string_static(sid)));
+ ret = NT_STATUS_OK;
+ }
+ }
+
+ return ret;
+}
+
+/*****************************************************************
+ *THE CANONICAL* convert gid_t to SID function.
+ check idmap if gid is in idmap range, otherwise falls back to
+ the legacy algorithmic mapping.
+ Group mapping is used for gids that maps to Wellknown SIDs
+ Returns SID pointer.
+*****************************************************************/
+
+NTSTATUS gid_to_sid(DOM_SID *sid, gid_t gid)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ GROUP_MAP map;
+ unid_t id;
+ int flags;
+
+ DEBUG(10,("gid_to_sid: gid = [%d]\n", gid));
+
+ flags = ID_GROUPID;
+ if (!lp_idmap_only() && !idmap_check_ugid_is_in_free_range(gid)) {
+ flags |= ID_NOMAP;
+ }
+
+ id.gid = gid;
+ if (NT_STATUS_IS_ERR(ret = idmap_get_sid_from_id(sid, id, flags))) {
+ DEBUG(10, ("gid_to_sid: Failed to map gid = [%u]\n", (unsigned int)gid));
+ if (flags & ID_NOMAP) {
+ sid_copy(sid, get_global_sam_sid());
+ sid_append_rid(sid, pdb_gid_to_group_rid(gid));
+
+ DEBUG(10,("gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n", (unsigned int)gid, sid_string_static(sid)));
+ ret = NT_STATUS_OK;
+ }
+ }
+
+ return ret;
+}
+
+/*****************************************************************
+ *THE CANONICAL* convert SID to uid function.
+ if it is a foreign sid or it is in idmap rid range check idmap,
+ otherwise falls back to the legacy algorithmic mapping.
+ A special cache is used for uids that maps to Wellknown SIDs
+ Returns True if this name is a user sid and the conversion
+ was done correctly, False if not.
+*****************************************************************/
+
+NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ BOOL fallback = False;
+ unid_t id;
+ int flags;
+
+ DEBUG(10,("sid_to_uid: sid = [%s]\n", sid_string_static(sid)));
+
+ flags = ID_USERID;
+ if (!lp_idmap_only()) {
+ if (!idmap_check_sid_is_in_free_range(sid)) {
+ flags |= ID_NOMAP;
+ fallback = True;
+ }
+ }
+
+ if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) {
+
+ DEBUG(10,("sid_to_uid: uid = [%d]\n", id.uid));
+
+ *uid = id.uid;
+ ret = NT_STATUS_OK;
+
+ } else if (fallback) {
+ uint32 rid;
+
+ if (!sid_peek_rid(sid, &rid)) {
+ DEBUG(10,("sid_to_uid: invalid SID!\n"));
+ ret = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ DEBUG(10,("sid_to_uid: Fall back to algorithmic mapping\n"));
+
+ if (!fallback_pdb_rid_is_user(rid)) {
+ DEBUG(3, ("sid_to_uid: SID %s is *NOT* a user\n", sid_string_static(sid)));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ } else {
+ *uid = fallback_pdb_user_rid_to_uid(rid);
+ DEBUG(10,("sid_to_uid: mapping: %s -> %u\n", sid_string_static(sid), (unsigned int)(*uid)));
+ ret = NT_STATUS_OK;
+ }
+ }
+
+done:
+ return ret;
+}
+
+/*****************************************************************
+ *THE CANONICAL* convert SID to gid function.
+ if it is a foreign sid or it is in idmap rid range check idmap,
+ otherwise falls back to the legacy algorithmic mapping.
+ Group mapping is used for gids that maps to Wellknown SIDs
+ Returns True if this name is a user sid and the conversion
+ was done correctly, False if not.
+*****************************************************************/
+
+NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid)
+{
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ BOOL fallback = False;
+ uint32 rid;
+ unid_t id;
+ int flags;
+
+ DEBUG(10,("sid_to_gid: sid = [%s]\n", sid_string_static(sid)));
+
+ flags = ID_GROUPID;
+ if (!lp_idmap_only()) {
+ if (!idmap_check_sid_is_in_free_range(sid)) {
+ flags |= ID_NOMAP;
+ fallback = True;
+ }
+ }
+
+ if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) {
+
+ DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid));
+ *gid = id.gid;
+ ret = NT_STATUS_OK;
+
+ } else if (fallback) {
+ uint32 rid;
+
+ if (!sid_peek_rid(sid, &rid)) {
+ DEBUG(10,("sid_to_uid: invalid SID!\n"));
+ ret = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ DEBUG(10,("sid_to_gid: Fall back to algorithmic mapping\n"));
+
+ if (fallback_pdb_rid_is_user(rid)) {
+ DEBUG(3, ("sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(sid)));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ } else {
+ *gid = pdb_group_rid_to_gid(rid);
+ DEBUG(10,("sid_to_gid: mapping: %s -> %u\n", sid_string_static(sid), (unsigned int)(*gid)));
+ ret = NT_STATUS_OK;
+ }
+ }
+
+done:
+ return ret;
+}
+
+/* Initialize idmap withWellknown SIDs like Guest, that are necessary
+ * to make samba run properly */
+BOOL idmap_init_wellknown_sids(void)
+{
+ const char *guest_account = lp_guestaccount();
+ struct passwd *pass;
+ GROUP_MAP *map=NULL;
+ int num_entries=0;
+ DOM_SID sid;
+ unid_t id;
+ int flags;
+
+ if (!(guest_account && *guest_account)) {
+ DEBUG(1, ("NULL guest account!?!?\n"));
+ return False;
+ }
+
+ pass = getpwnam_alloc(guest_account);
+ if (!pass) {
+ return False;
+ }
+
+ flags = ID_USERID;
+ id.uid = pass->pw_uid;
+ sid_copy(&sid, get_global_sam_sid());
+ sid_append_rid(&sid, DOMAIN_USER_RID_GUEST);
+ if (NT_STATUS_IS_ERR(idmap_set_mapping(&sid, id, flags))) {
+ passwd_free(&pass);
+ return False;
+ }
+
+ /* now fill in group mappings */
+ if(pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) {
+ int i;
+
+ for (i = 0; i < num_entries; i++) {
+ id.gid = map[i].gid;
+ idmap_set_mapping(&(map[i].sid), id, ID_GROUPID);
+ }
+ }
+
+ /* check if DOMAIN_GROUP_RID_GUESTS SID is set, if not store the
+ * guest account gid as mapping */
+ flags = ID_GROUPID | ID_NOMAP;
+ sid_copy(&sid, get_global_sam_sid());
+ sid_append_rid(&sid, DOMAIN_GROUP_RID_GUESTS);
+ if (NT_STATUS_IS_ERR(idmap_get_id_from_sid(&id, &flags, &sid))) {
+ flags = ID_GROUPID;
+ id.gid = pass->pw_gid;
+ if (NT_STATUS_IS_ERR(idmap_set_mapping(&sid, id, flags))) {
+ passwd_free(&pass);
+ return False;
+ }
+ }
+
+ passwd_free(&pass);
+ return True;
+}