diff options
Diffstat (limited to 'source3/groupdb')
| -rw-r--r-- | source3/groupdb/aliasdb.c | 385 | ||||
| -rw-r--r-- | source3/groupdb/aliasfile.c | 290 | ||||
| -rw-r--r-- | source3/groupdb/groupdb.c | 381 | ||||
| -rw-r--r-- | source3/groupdb/groupfile.c | 285 | ||||
| -rw-r--r-- | source3/groupdb/mapping.c | 1225 |
5 files changed, 2566 insertions, 0 deletions
diff --git a/source3/groupdb/aliasdb.c b/source3/groupdb/aliasdb.c new file mode 100644 index 0000000000..718bf1d7ce --- /dev/null +++ b/source3/groupdb/aliasdb.c @@ -0,0 +1,385 @@ +/* + Unix SMB/CIFS implementation. + Password and authentication handling + Copyright (C) Jeremy Allison 1996-1998 + Copyright (C) Luke Kenneth Caseson Leighton 1996-1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mases Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern fstring global_sam_name; + +/* + * NOTE. All these functions are abstracted into a structure + * that points to the correct function for the selected database. JRA. + */ + +static struct aliasdb_ops *aldb_ops; + +/*************************************************************** + Initialise the alias db operations. +***************************************************************/ + +BOOL initialise_alias_db(void) +{ + if (aldb_ops) + { + return True; + } + +#ifdef WITH_NISPLUS + aldb_ops = nisplus_initialise_alias_db(); +#elif defined(WITH_LDAP) + aldb_ops = ldap_initialise_alias_db(); +#else + aldb_ops = file_initialise_alias_db(); +#endif + + return (aldb_ops != NULL); +} + +/* + * Functions that return/manipulate a LOCAL_GRP. + */ + +/************************************************************************ + Utility function to search alias database by gid: the LOCAL_GRP + structure does not have a gid member, so we have to convert here + from gid to alias rid. +*************************************************************************/ +LOCAL_GRP *iterate_getaliasgid(gid_t gid, LOCAL_GRP_MEMBER **mem, int *num_mem) +{ + return iterate_getaliasrid(pwdb_gid_to_alias_rid(gid), mem, num_mem); +} + +/************************************************************************ + Utility function to search alias database by rid. use this if your database + does not have search facilities. +*************************************************************************/ +LOCAL_GRP *iterate_getaliasrid(uint32 rid, LOCAL_GRP_MEMBER **mem, int *num_mem) +{ + LOCAL_GRP *als = NULL; + void *fp = NULL; + + DEBUG(10, ("search by rid: 0x%x\n", rid)); + + /* Open the alias database file - not for update. */ + fp = startaliasent(False); + + if (fp == NULL) + { + DEBUG(0, ("unable to open alias database.\n")); + return NULL; + } + + while ((als = getaliasent(fp, mem, num_mem)) != NULL && als->rid != rid) + { + } + + if (als != NULL) + { + DEBUG(10, ("found alias %s by rid: 0x%x\n", als->name, rid)); + } + + endaliasent(fp); + return als; +} + +/************************************************************************ + Utility function to search alias database by name. use this if your database + does not have search facilities. +*************************************************************************/ +LOCAL_GRP *iterate_getaliasnam(char *name, LOCAL_GRP_MEMBER **mem, int *num_mem) +{ + LOCAL_GRP *als = NULL; + void *fp = NULL; + + DEBUG(10, ("search by name: %s\n", name)); + + /* Open the alias database file - not for update. */ + fp = startaliasent(False); + + if (fp == NULL) + { + DEBUG(0, ("unable to open alias database.\n")); + return NULL; + } + + while ((als = getaliasent(fp, mem, num_mem)) != NULL && !strequal(als->name, name)) + { + } + + if (als != NULL) + { + DEBUG(10, ("found by name: %s\n", name)); + } + + endaliasent(fp); + return als; +} + +/************************************************************************* + Routine to return the next entry in the smbdomainalias list. + *************************************************************************/ +BOOL add_domain_alias(LOCAL_GRP **alss, int *num_alss, LOCAL_GRP *als) +{ + LOCAL_GRP *talss; + + if (alss == NULL || num_alss == NULL || als == NULL) + return False; + + talss = Realloc((*alss), ((*num_alss)+1) * sizeof(LOCAL_GRP)); + if (talss == NULL) { + SAFE_FREE(*alss); + return False; + } else + (*alss) = talss; + + DEBUG(10,("adding alias %s(%s)\n", als->name, als->comment)); + + fstrcpy((*alss)[(*num_alss)].name , als->name); + fstrcpy((*alss)[(*num_alss)].comment, als->comment); + (*alss)[(*num_alss)].rid = als->rid; + + (*num_alss)++; + + return True; +} + +/************************************************************************* + checks to see if a user is a member of a domain alias + *************************************************************************/ +static BOOL user_is_member(char *user_name, LOCAL_GRP_MEMBER *mem, int num_mem) +{ + int i; + pstring name; + slprintf(name, sizeof(name)-1, "\\%s\\%s", global_sam_name, user_name); + + for (i = 0; i < num_mem; i++) + { + DEBUG(10,("searching against user %s...\n", mem[i].name)); + if (strequal(mem[i].name, name)) + { + DEBUG(10,("searching for user %s: found\n", name)); + return True; + } + } + DEBUG(10,("searching for user %s: not found\n", name)); + return False; +} + +/************************************************************************* + gets an array of aliases that a user is in. use this if your database + does not have search facilities + *************************************************************************/ +BOOL iterate_getuseraliasnam(char *user_name, LOCAL_GRP **alss, int *num_alss) +{ + LOCAL_GRP *als; + LOCAL_GRP_MEMBER *mem = NULL; + int num_mem = 0; + void *fp = NULL; + + DEBUG(10, ("search for useralias by name: %s\n", user_name)); + + if (user_name == NULL || als == NULL || num_alss == NULL) + { + return False; + } + + (*alss) = NULL; + (*num_alss) = 0; + + /* Open the alias database file - not for update. */ + fp = startaliasent(False); + + if (fp == NULL) + { + DEBUG(0, ("unable to open alias database.\n")); + return False; + } + + /* iterate through all aliases. search members for required user */ + while ((als = getaliasent(fp, &mem, &num_mem)) != NULL) + { + DEBUG(5,("alias name %s members: %d\n", als->name, num_mem)); + if (num_mem != 0 && mem != NULL) + { + BOOL ret = True; + if (user_is_member(user_name, mem, num_mem)) + { + ret = add_domain_alias(alss, num_alss, als); + } + + SAFE_FREE(mem); + num_mem = 0; + + if (!ret) + { + (*num_alss) = 0; + break; + } + } + } + + if ((*num_alss) != 0) + { + DEBUG(10, ("found %d user aliases:\n", (*num_alss))); + } + + endaliasent(fp); + return True; +} + +/************************************************************************* + gets an array of aliases that a user is in. use this if your database + does not have search facilities + *************************************************************************/ +BOOL enumdomaliases(LOCAL_GRP **alss, int *num_alss) +{ + LOCAL_GRP *als; + void *fp = NULL; + + DEBUG(10, ("enum user aliases\n")); + + if (als == NULL || num_alss == NULL) + { + return False; + } + + (*alss) = NULL; + (*num_alss) = 0; + + /* Open the alias database file - not for update. */ + fp = startaliasent(False); + + if (fp == NULL) + { + DEBUG(0, ("unable to open alias database.\n")); + return False; + } + + /* iterate through all aliases. */ + while ((als = getaliasent(fp, NULL, NULL)) != NULL) + { + if (!add_domain_alias(alss, num_alss, als)) + { + DEBUG(0,("unable to add alias while enumerating\n")); + return False; + } + } + + if ((*num_alss) != 0) + { + DEBUG(10, ("found %d user aliases:\n", (*num_alss))); + } + + endaliasent(fp); + return True; +} + +/*************************************************************** + Start to enumerate the alias database list. Returns a void pointer + to ensure no modification outside this module. +****************************************************************/ + +void *startaliasent(BOOL update) +{ + return aldb_ops->startaliasent(update); +} + +/*************************************************************** + End enumeration of the alias database list. +****************************************************************/ + +void endaliasent(void *vp) +{ + aldb_ops->endaliasent(vp); +} + +/************************************************************************* + Routine to return the next entry in the alias database list. + *************************************************************************/ + +LOCAL_GRP *getaliasent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem) +{ + return aldb_ops->getaliasent(vp, mem, num_mem); +} + +/************************************************************************ + Routine to add an entry to the alias database file. +*************************************************************************/ + +BOOL add_alias_entry(LOCAL_GRP *newals) +{ + return aldb_ops->add_alias_entry(newals); +} + +/************************************************************************ + Routine to search the alias database file for an entry matching the aliasname. + and then replace the entry. +************************************************************************/ + +BOOL mod_alias_entry(LOCAL_GRP* als) +{ + return aldb_ops->mod_alias_entry(als); +} + +/************************************************************************ + Routine to search alias database by name. +*************************************************************************/ + +LOCAL_GRP *getaliasnam(char *name, LOCAL_GRP_MEMBER **mem, int *num_mem) +{ + return aldb_ops->getaliasnam(name, mem, num_mem); +} + +/************************************************************************ + Routine to search alias database by alias rid. +*************************************************************************/ + +LOCAL_GRP *getaliasrid(uint32 alias_rid, LOCAL_GRP_MEMBER **mem, int *num_mem) +{ + return aldb_ops->getaliasrid(alias_rid, mem, num_mem); +} + +/************************************************************************ + Routine to search alias database by gid. +*************************************************************************/ + +LOCAL_GRP *getaliasgid(gid_t gid, LOCAL_GRP_MEMBER **mem, int *num_mem) +{ + return aldb_ops->getaliasgid(gid, mem, num_mem); +} + +/************************************************************************* + gets an array of aliases that a user is in. + *************************************************************************/ +BOOL getuseraliasnam(char *user_name, LOCAL_GRP **als, int *num_alss) +{ + return aldb_ops->getuseraliasnam(user_name, als, num_alss); +} + +/************************************************************* + initialises a LOCAL_GRP. + **************************************************************/ + +void aldb_init_als(LOCAL_GRP *als) +{ + if (als == NULL) return; + ZERO_STRUCTP(als); +} + diff --git a/source3/groupdb/aliasfile.c b/source3/groupdb/aliasfile.c new file mode 100644 index 0000000000..77189fd822 --- /dev/null +++ b/source3/groupdb/aliasfile.c @@ -0,0 +1,290 @@ +/* + * Unix SMB/CIFS implementation. + * SMB parameters and setup + * Copyright (C) Andrew Tridgell 1992-1998 Modified by Jeremy Allison 1995. + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 675 + * Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +#ifdef USE_SMBPASS_DB + +static int al_file_lock_depth = 0; + +static char s_readbuf[1024]; + +/*************************************************************** + Start to enumerate the aliasdb list. Returns a void pointer + to ensure no modification outside this module. +****************************************************************/ + +static void *startalsfilepwent(BOOL update) +{ + return startfilepwent(lp_smb_alias_file(), + s_readbuf, sizeof(s_readbuf), + &al_file_lock_depth, update); +} + +/*************************************************************** + End enumeration of the aliasdb list. +****************************************************************/ + +static void endalsfilepwent(void *vp) +{ + endfilepwent(vp, &al_file_lock_depth); +} + +/************************************************************************* + Return the current position in the aliasdb list as an SMB_BIG_UINT. + This must be treated as an opaque token. +*************************************************************************/ +static SMB_BIG_UINT getalsfilepwpos(void *vp) +{ + return getfilepwpos(vp); +} + +/************************************************************************* + Set the current position in the aliasdb list from an SMB_BIG_UINT. + This must be treated as an opaque token. +*************************************************************************/ +static BOOL setalsfilepwpos(void *vp, SMB_BIG_UINT tok) +{ + return setfilepwpos(vp, tok); +} + +static BOOL make_alias_line(char *p, int max_len, + LOCAL_GRP *als, + LOCAL_GRP_MEMBER **mem, int *num_mem) +{ + int i; + int len; + len = slprintf(p, max_len-1, "%s:%s:%d:", als->name, als->comment, als->rid); + + if (len == -1) + { + DEBUG(0,("make_alias_line: cannot create entry\n")); + return False; + } + + p += len; + max_len -= len; + + if (mem == NULL || num_mem == NULL) + { + return True; + } + + for (i = 0; i < (*num_mem); i++) + { + len = strlen((*mem)[i].name); + p = safe_strcpy(p, (*mem)[i].name, max_len); + + if (p == NULL) + { + DEBUG(0, ("make_alias_line: out of space for aliases!\n")); + return False; + } + + max_len -= len; + + if (i != (*num_mem)-1) + { + *p = ','; + p++; + max_len--; + } + } + + return True; +} + +/************************************************************************* + Routine to return the next entry in the smbdomainalias list. + *************************************************************************/ +static char *get_alias_members(char *p, int *num_mem, LOCAL_GRP_MEMBER **members) +{ + fstring name; + + if (num_mem == NULL || members == NULL) + return NULL; + + (*num_mem) = 0; + (*members) = NULL; + + while (next_token(&p, name, ",", sizeof(fstring))) { + LOCAL_GRP_MEMBER *mbrs; + DOM_SID sid; + uint8 type; + + if (lookup_sid(name, &sid, &type)) { + mbrs = Realloc((*members), ((*num_mem)+1) * sizeof(LOCAL_GRP_MEMBER)); + (*num_mem)++; + } else { + DEBUG(0,("alias database: could not resolve alias named %s\n", name)); + continue; + } + if (mbrs == NULL) { + SAFE_FREE(*members); + return NULL; + } else + (*members) = mbrs; + + fstrcpy((*members)[(*num_mem)-1].name, name); + (*members)[(*num_mem)-1].sid_use = type; + sid_copy(&(*members)[(*num_mem)-1].sid, &sid); + } + return p; +} + +/************************************************************************* + Routine to return the next entry in the smbdomainalias list. + *************************************************************************/ +static LOCAL_GRP *getalsfilepwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem) +{ + /* Static buffers we will return. */ + static LOCAL_GRP al_buf; + + int gidval; + + pstring linebuf; + char *p; + size_t linebuf_len; + + aldb_init_als(&al_buf); + + /* + * Scan the file, a line at a time and check if the name matches. + */ + while ((linebuf_len = getfileline(vp, linebuf, sizeof(linebuf))) > 0) + { + /* get alias name */ + + p = strncpyn(al_buf.name, linebuf, sizeof(al_buf.name), ':'); + if (p == NULL) + { + DEBUG(0, ("getalsfilepwent: malformed alias entry (no :)\n")); + continue; + } + + /* Go past ':' */ + p++; + + /* get alias comment */ + + p = strncpyn(al_buf.comment, p, sizeof(al_buf.comment), ':'); + if (p == NULL) + { + DEBUG(0, ("getalsfilepwent: malformed alias entry (no :)\n")); + continue; + } + + /* Go past ':' */ + p++; + + /* Get alias gid. */ + + p = Atoic(p, &gidval, ":"); + + if (p == NULL) + { + DEBUG(0, ("getalsfilepwent: malformed alias entry (no : after uid)\n")); + continue; + } + + /* Go past ':' */ + p++; + + /* now get the user's aliases. there are a maximum of 32 */ + + if (mem != NULL && num_mem != NULL) + { + (*mem) = NULL; + (*num_mem) = 0; + + p = get_alias_members(p, num_mem, mem); + if (p == NULL) + { + DEBUG(0, ("getalsfilepwent: malformed alias entry (no : after members)\n")); + } + } + + /* ok, set up the static data structure and return it */ + + al_buf.rid = pwdb_gid_to_alias_rid((gid_t)gidval); + + make_alias_line(linebuf, sizeof(linebuf), &al_buf, mem, num_mem); + DEBUG(10,("line: '%s'\n", linebuf)); + + return &al_buf; + } + + DEBUG(5,("getalsfilepwent: end of file reached.\n")); + return NULL; +} + +/************************************************************************ + Routine to add an entry to the aliasdb file. +*************************************************************************/ + +static BOOL add_alsfileals_entry(LOCAL_GRP *newals) +{ + DEBUG(0, ("add_alsfileals_entry: NOT IMPLEMENTED\n")); + return False; +} + +/************************************************************************ + Routine to search the aliasdb file for an entry matching the aliasname. + and then modify its alias entry. We can't use the startalspwent()/ + getalspwent()/endalspwent() interfaces here as we depend on looking + in the actual file to decide how much room we have to write data. + override = False, normal + override = True, override XXXXXXXX'd out alias or NO PASS +************************************************************************/ + +static BOOL mod_alsfileals_entry(LOCAL_GRP* als) +{ + DEBUG(0, ("mod_alsfileals_entry: NOT IMPLEMENTED\n")); + return False; +} + + +static struct aliasdb_ops file_ops = +{ + startalsfilepwent, + endalsfilepwent, + getalsfilepwpos, + setalsfilepwpos, + + iterate_getaliasnam, /* In aliasdb.c */ + iterate_getaliasgid, /* In aliasdb.c */ + iterate_getaliasrid, /* In aliasdb.c */ + getalsfilepwent, + + add_alsfileals_entry, + mod_alsfileals_entry, + + iterate_getuseraliasnam /* in aliasdb.c */ +}; + +struct aliasdb_ops *file_initialise_alias_db(void) +{ + return &file_ops; +} + +#else + /* Do *NOT* make this function static. It breaks the compile on gcc. JRA */ + void als_dummy_function(void) { } /* stop some compilers complaining */ +#endif /* USE_SMBPASS_DB */ diff --git a/source3/groupdb/groupdb.c b/source3/groupdb/groupdb.c new file mode 100644 index 0000000000..c18463741d --- /dev/null +++ b/source3/groupdb/groupdb.c @@ -0,0 +1,381 @@ +/* + Unix SMB/CIFS implementation. + Password and authentication handling + Copyright (C) Jeremy Allison 1996-1998 + Copyright (C) Luke Kenneth Casson Leighton 1996-1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/* + * NOTE. All these functions are abstracted into a structure + * that points to the correct function for the selected database. JRA. + */ + +static struct groupdb_ops *gpdb_ops; + +/*************************************************************** + Initialise the group db operations. +***************************************************************/ + +BOOL initialise_group_db(void) +{ + if (gpdb_ops) + { + return True; + } + +#ifdef WITH_NISPLUS + gpdb_ops = nisplus_initialise_group_db(); +#elif defined(WITH_LDAP) + gpdb_ops = ldap_initialise_group_db(); +#else + gpdb_ops = file_initialise_group_db(); +#endif + + return (gpdb_ops != NULL); +} + +/* + * Functions that return/manipulate a DOMAIN_GRP. + */ + +/************************************************************************ + Utility function to search group database by gid: the DOMAIN_GRP + structure does not have a gid member, so we have to convert here + from gid to group rid. +*************************************************************************/ +DOMAIN_GRP *iterate_getgroupgid(gid_t gid, DOMAIN_GRP_MEMBER **mem, int *num_mem) +{ + return iterate_getgrouprid(pwdb_gid_to_group_rid(gid), mem, num_mem); +} + +/************************************************************************ + Utility function to search group database by rid. use this if your database + does not have search facilities. +*************************************************************************/ +DOMAIN_GRP *iterate_getgrouprid(uint32 rid, DOMAIN_GRP_MEMBER **mem, int *num_mem) +{ + DOMAIN_GRP *grp = NULL; + void *fp = NULL; + + DEBUG(10, ("search by rid: 0x%x\n", rid)); + + /* Open the group database file - not for update. */ + fp = startgroupent(False); + + if (fp == NULL) + { + DEBUG(0, ("unable to open group database.\n")); + return NULL; + } + + while ((grp = getgroupent(fp, mem, num_mem)) != NULL && grp->rid != rid) + { + } + + if (grp != NULL) + { + DEBUG(10, ("found group %s by rid: 0x%x\n", grp->name, rid)); + } + + endgroupent(fp); + return grp; +} + +/************************************************************************ + Utility function to search group database by name. use this if your database + does not have search facilities. +*************************************************************************/ +DOMAIN_GRP *iterate_getgroupnam(char *name, DOMAIN_GRP_MEMBER **mem, int *num_mem) +{ + DOMAIN_GRP *grp = NULL; + void *fp = NULL; + + DEBUG(10, ("search by name: %s\n", name)); + + /* Open the group database file - not for update. */ + fp = startgroupent(False); + + if (fp == NULL) + { + DEBUG(0, ("unable to open group database.\n")); + return NULL; + } + + while ((grp = getgroupent(fp, mem, num_mem)) != NULL && !strequal(grp->name, name)) + { + } + + if (grp != NULL) + { + DEBUG(10, ("found by name: %s\n", name)); + } + + endgroupent(fp); + return grp; +} + +/************************************************************************* + Routine to return the next entry in the smbdomaingroup list. + *************************************************************************/ +BOOL add_domain_group(DOMAIN_GRP **grps, int *num_grps, DOMAIN_GRP *grp) +{ + DOMAIN_GRP *tgrps; + + if (grps == NULL || num_grps == NULL || grp == NULL) + return False; + + tgrps = Realloc((*grps), ((*num_grps)+1) * sizeof(DOMAIN_GRP)); + if (tgrps == NULL) { + SAFE_FREE(*grps); + return False; + } else + (*grps) = tgrps; + + DEBUG(10,("adding group %s(%s)\n", grp->name, grp->comment)); + + fstrcpy((*grps)[(*num_grps)].name , grp->name); + fstrcpy((*grps)[(*num_grps)].comment, grp->comment); + (*grps)[(*num_grps)].attr = grp->attr; + (*grps)[(*num_grps)].rid = grp->rid ; + + (*num_grps)++; + + return True; +} + +/************************************************************************* + checks to see if a user is a member of a domain group + *************************************************************************/ +static BOOL user_is_member(char *user_name, DOMAIN_GRP_MEMBER *mem, int num_mem) +{ + int i; + for (i = 0; i < num_mem; i++) + { + DEBUG(10,("searching against user %s...\n", mem[i].name)); + if (strequal(mem[i].name, user_name)) + { + DEBUG(10,("searching for user %s: found\n", user_name)); + return True; + } + } + DEBUG(10,("searching for user %s: not found\n", user_name)); + return False; +} + +/************************************************************************* + gets an array of groups that a user is in. use this if your database + does not have search facilities + *************************************************************************/ +BOOL iterate_getusergroupsnam(char *user_name, DOMAIN_GRP **grps, int *num_grps) +{ + DOMAIN_GRP *grp; + DOMAIN_GRP_MEMBER *mem = NULL; + int num_mem = 0; + void *fp = NULL; + + DEBUG(10, ("search for usergroups by name: %s\n", user_name)); + + if (user_name == NULL || grp == NULL || num_grps == NULL) + { + return False; + } + + (*grps) = NULL; + (*num_grps) = 0; + + /* Open the group database file - not for update. */ + fp = startgroupent(False); + + if (fp == NULL) + { + DEBUG(0, ("unable to open group database.\n")); + return False; + } + + /* iterate through all groups. search members for required user */ + while ((grp = getgroupent(fp, &mem, &num_mem)) != NULL) + { + DEBUG(5,("group name %s members: %d\n", grp->name, num_mem)); + if (num_mem != 0 && mem != NULL) + { + BOOL ret = True; + if (user_is_member(user_name, mem, num_mem)) + { + ret = add_domain_group(grps, num_grps, grp); + } + + SAFE_FREE(mem); + num_mem = 0; + + if (!ret) + { + (*num_grps) = 0; + break; + } + } + } + + if ((*num_grps) != 0) + { + DEBUG(10, ("found %d user groups:\n", (*num_grps))); + } + + endgroupent(fp); + return True; +} + +/************************************************************************* + gets an array of groups that a user is in. use this if your database + does not have search facilities + *************************************************************************/ +BOOL enumdomgroups(DOMAIN_GRP **grps, int *num_grps) +{ + DOMAIN_GRP *grp; + void *fp = NULL; + + DEBUG(10, ("enum user groups\n")); + + if (grp == NULL || num_grps == NULL) + { + return False; + } + + (*grps) = NULL; + (*num_grps) = 0; + + /* Open the group database file - not for update. */ + fp = startgroupent(False); + + if (fp == NULL) + { + DEBUG(0, ("unable to open group database.\n")); + return False; + } + + /* iterate through all groups. */ + while ((grp = getgroupent(fp, NULL, NULL)) != NULL) + { + if (!add_domain_group(grps, num_grps, grp)) + { + DEBUG(0,("unable to add group while enumerating\n")); + return False; + } + } + + if ((*num_grps) != 0) + { + DEBUG(10, ("found %d user groups:\n", (*num_grps))); + } + + endgroupent(fp); + return True; +} + +/*************************************************************** + Start to enumerate the group database list. Returns a void pointer + to ensure no modification outside this module. +****************************************************************/ + +void *startgroupent(BOOL update) +{ + return gpdb_ops->startgroupent(update); +} + +/*************************************************************** + End enumeration of the group database list. +****************************************************************/ + +void endgroupent(void *vp) +{ + gpdb_ops->endgroupent(vp); +} + +/************************************************************************* + Routine to return the next entry in the group database list. + *************************************************************************/ + +DOMAIN_GRP *getgroupent(void *vp, DOMAIN_GRP_MEMBER **mem, int *num_mem) +{ + return gpdb_ops->getgroupent(vp, mem, num_mem); +} + +/************************************************************************ + Routine to add an entry to the group database file. +*************************************************************************/ + +BOOL add_group_entry(DOMAIN_GRP *newgrp) +{ + return gpdb_ops->add_group_entry(newgrp); +} + +/************************************************************************ + Routine to search the group database file for an entry matching the groupname. + and then replace the entry. +************************************************************************/ + +BOOL mod_group_entry(DOMAIN_GRP* grp) +{ + return gpdb_ops->mod_group_entry(grp); +} + +/************************************************************************ + Routine to search group database by name. +*************************************************************************/ + +DOMAIN_GRP *getgroupnam(char *name, DOMAIN_GRP_MEMBER **mem, int *num_mem) +{ + return gpdb_ops->getgroupnam(name, mem, num_mem); +} + +/************************************************************************ + Routine to search group database by group rid. +*************************************************************************/ + +DOMAIN_GRP *getgrouprid(uint32 group_rid, DOMAIN_GRP_MEMBER **mem, int *num_mem) +{ + return gpdb_ops->getgrouprid(group_rid, mem, num_mem); +} + +/************************************************************************ + Routine to search group database by gid. +*************************************************************************/ + +DOMAIN_GRP *getgroupgid(gid_t gid, DOMAIN_GRP_MEMBER **mem, int *num_mem) +{ + return gpdb_ops->getgroupgid(gid, mem, num_mem); +} + +/************************************************************************* + gets an array of groups that a user is in. + *************************************************************************/ +BOOL getusergroupsnam(char *user_name, DOMAIN_GRP **grp, int *num_grps) +{ + return gpdb_ops->getusergroupsnam(user_name, grp, num_grps); +} + +/************************************************************* + initialises a DOMAIN_GRP. + **************************************************************/ + +void gpdb_init_grp(DOMAIN_GRP *grp) +{ + if (grp == NULL) return; + ZERO_STRUCTP(grp); +} + diff --git a/source3/groupdb/groupfile.c b/source3/groupdb/groupfile.c new file mode 100644 index 0000000000..4502b190aa --- /dev/null +++ b/source3/groupdb/groupfile.c @@ -0,0 +1,285 @@ +/* + * Unix SMB/CIFS implementation. + * SMB parameters and setup + * Copyright (C) Andrew Tridgell 1992-1998 Modified by Jeremy Allison 1995. + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 675 + * Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +#ifdef USE_SMBPASS_DB + +static int gp_file_lock_depth = 0; + +static char s_readbuf[1024]; + +/*************************************************************** + Start to enumerate the grppasswd list. Returns a void pointer + to ensure no modification outside this module. +****************************************************************/ + +static void *startgrpfilepwent(BOOL update) +{ + return startfilepwent(lp_smb_group_file(), + s_readbuf, sizeof(s_readbuf), + &gp_file_lock_depth, update); +} + +/*************************************************************** + End enumeration of the grppasswd list. +****************************************************************/ + +static void endgrpfilepwent(void *vp) +{ + endfilepwent(vp, &gp_file_lock_depth); +} + +/************************************************************************* + Return the current position in the grppasswd list as an SMB_BIG_UINT. + This must be treated as an opaque token. +*************************************************************************/ +static SMB_BIG_UINT getgrpfilepwpos(void *vp) +{ + return getfilepwpos(vp); +} + +/************************************************************************* + Set the current position in the grppasswd list from an SMB_BIG_UINT. + This must be treated as an opaque token. +*************************************************************************/ +static BOOL setgrpfilepwpos(void *vp, SMB_BIG_UINT tok) +{ + return setfilepwpos(vp, tok); +} + +static BOOL make_group_line(char *p, int max_len, + DOMAIN_GRP *grp, + DOMAIN_GRP_MEMBER **mem, int *num_mem) +{ + int i; + int len; + len = slprintf(p, max_len-1, "%s:%s:%d:", grp->name, grp->comment, grp->rid); + + if (len == -1) + { + DEBUG(0,("make_group_line: cannot create entry\n")); + return False; + } + + p += len; + max_len -= len; + + if (mem == NULL || num_mem == NULL) + { + return True; + } + + for (i = 0; i < (*num_mem); i++) + { + len = strlen((*mem)[i].name); + p = safe_strcpy(p, (*mem)[i].name, max_len); + + if (p == NULL) + { + DEBUG(0, ("make_group_line: out of space for groups!\n")); + return False; + } + + max_len -= len; + + if (i != (*num_mem)-1) + { + *p = ','; + p++; + max_len--; + } + } + + return True; +} + +/************************************************************************* + Routine to return the next entry in the smbdomaingroup list. + *************************************************************************/ +static char *get_group_members(char *p, int *num_mem, DOMAIN_GRP_MEMBER **members) +{ + fstring name; + + if (num_mem == NULL || members == NULL) + { + return NULL; + } + + (*num_mem) = 0; + (*members) = NULL; + + while (next_token(&p, name, ",", sizeof(fstring))) + { + DOMAIN_GRP_MEMBER *mbrs; + + mbrs = Realloc((*members), ((*num_mem)+1) * sizeof(DOMAIN_GRP_MEMBER)); + if (mbrs == NULL) { + SAFE_FREE(*members); + return NULL; + } + else (*members) = mbrs; + fstrcpy((*members)[(*num_mem)].name, name); + (*members)[(*num_mem)].attr = 0x07; + (*num_mem)++; + } + return p; +} + +/************************************************************************* + Routine to return the next entry in the smbdomaingroup list. + *************************************************************************/ +static DOMAIN_GRP *getgrpfilepwent(void *vp, DOMAIN_GRP_MEMBER **mem, int *num_mem) +{ + /* Static buffers we will return. */ + static DOMAIN_GRP gp_buf; + + int gidval; + + pstring linebuf; + char *p; + size_t linebuf_len; + + gpdb_init_grp(&gp_buf); + + /* + * Scan the file, a line at a time and check if the name matches. + */ + while ((linebuf_len = getfileline(vp, linebuf, sizeof(linebuf))) > 0) + { + /* get group name */ + + p = strncpyn(gp_buf.name, linebuf, sizeof(gp_buf.name), ':'); + if (p == NULL) + { + DEBUG(0, ("getgrpfilepwent: malformed group entry (no :)\n")); + continue; + } + + /* Go past ':' */ + p++; + + /* get group comment */ + + p = strncpyn(gp_buf.comment, p, sizeof(gp_buf.comment), ':'); + if (p == NULL) + { + DEBUG(0, ("getgrpfilepwent: malformed group entry (no :)\n")); + continue; + } + + /* Go past ':' */ + p++; + + /* Get group gid. */ + + p = Atoic(p, &gidval, ":"); + + if (p == NULL) + { + DEBUG(0, ("getgrpfilepwent: malformed group entry (no : after uid)\n")); + continue; + } + + /* Go past ':' */ + p++; + + /* now get the user's groups. there are a maximum of 32 */ + + if (mem != NULL && num_mem != NULL) + { + (*mem) = NULL; + (*num_mem) = 0; + + p = get_group_members(p, num_mem, mem); + if (p == NULL) + { + DEBUG(0, ("getgrpfilepwent: malformed group entry (no : after members)\n")); + } + } + + /* ok, set up the static data structure and return it */ + + gp_buf.rid = pwdb_gid_to_group_rid((gid_t)gidval); + gp_buf.attr = 0x07; + + make_group_line(linebuf, sizeof(linebuf), &gp_buf, mem, num_mem); + DEBUG(10,("line: '%s'\n", linebuf)); + + return &gp_buf; + } + + DEBUG(5,("getgrpfilepwent: end of file reached.\n")); + return NULL; +} + +/************************************************************************ + Routine to add an entry to the grppasswd file. +*************************************************************************/ + +static BOOL add_grpfilegrp_entry(DOMAIN_GRP *newgrp) +{ + DEBUG(0, ("add_grpfilegrp_entry: NOT IMPLEMENTED\n")); + return False; +} + +/************************************************************************ + Routine to search the grppasswd file for an entry matching the groupname. + and then modify its group entry. We can't use the startgrppwent()/ + getgrppwent()/endgrppwent() interfaces here as we depend on looking + in the actual file to decide how much room we have to write data. + override = False, normal + override = True, override XXXXXXXX'd out group or NO PASS +************************************************************************/ + +static BOOL mod_grpfilegrp_entry(DOMAIN_GRP* grp) +{ + DEBUG(0, ("mod_grpfilegrp_entry: NOT IMPLEMENTED\n")); + return False; +} + + +static struct groupdb_ops file_ops = +{ + startgrpfilepwent, + endgrpfilepwent, + getgrpfilepwpos, + setgrpfilepwpos, + + iterate_getgroupnam, /* In groupdb.c */ + iterate_getgroupgid, /* In groupdb.c */ + iterate_getgrouprid, /* In groupdb.c */ + getgrpfilepwent, + + add_grpfilegrp_entry, + mod_grpfilegrp_entry, + + iterate_getusergroupsnam /* in groupdb.c */ +}; + +struct groupdb_ops *file_initialise_group_db(void) +{ + return &file_ops; +} + +#else + /* Do *NOT* make this function static. It breaks the compile on gcc. JRA */ + void grppass_dummy_function(void) { } /* stop some compilers complaining */ +#endif /* USE_SMBPASS_DB */ diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c new file mode 100644 index 0000000000..99ccffb464 --- /dev/null +++ b/source3/groupdb/mapping.c @@ -0,0 +1,1225 @@ +/* + * Unix SMB/CIFS implementation. + * RPC Pipe client / server routines + * Copyright (C) Andrew Tridgell 1992-2000, + * Copyright (C) Jean François Micouleau 1998-2001. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +extern DOM_SID global_sam_sid; + +static TDB_CONTEXT *tdb; /* used for driver files */ + +#define DATABASE_VERSION_V1 1 /* native byte format. */ +#define DATABASE_VERSION_V2 2 /* le format. */ + +#define GROUP_PREFIX "UNIXGROUP/" + +PRIVS privs[] = { + {SE_PRIV_NONE, "no_privs", "No privilege" }, /* this one MUST be first */ + {SE_PRIV_ADD_MACHINES, "SeMachineAccountPrivilege", "Add workstations to the domain" }, + {SE_PRIV_SEC_PRIV, "SeSecurityPrivilege", "Manage the audit logs" }, + {SE_PRIV_TAKE_OWNER, "SeTakeOwnershipPrivilege", "Take ownership of file" }, + {SE_PRIV_ADD_USERS, "SaAddUsers", "Add users to the domain - Samba" }, + {SE_PRIV_PRINT_OPERATOR, "SaPrintOp", "Add or remove printers - Samba" }, + {SE_PRIV_ALL, "SaAllPrivs", "all privileges" } +}; +/* +PRIVS privs[] = { + { 2, "SeCreateTokenPrivilege" }, + { 3, "SeAssignPrimaryTokenPrivilege" }, + { 4, "SeLockMemoryPrivilege" }, + { 5, "SeIncreaseQuotaPrivilege" }, + { 6, "SeMachineAccountPrivilege" }, + { 7, "SeTcbPrivilege" }, + { 8, "SeSecurityPrivilege" }, + { 9, "SeTakeOwnershipPrivilege" }, + { 10, "SeLoadDriverPrivilege" }, + { 11, "SeSystemProfilePrivilege" }, + { 12, "SeSystemtimePrivilege" }, + { 13, "SeProfileSingleProcessPrivilege" }, + { 14, "SeIncreaseBasePriorityPrivilege" }, + { 15, "SeCreatePagefilePrivilege" }, + { 16, "SeCreatePermanentPrivilege" }, + { 17, "SeBackupPrivilege" }, + { 18, "SeRestorePrivilege" }, + { 19, "SeShutdownPrivilege" }, + { 20, "SeDebugPrivilege" }, + { 21, "SeAuditPrivilege" }, + { 22, "SeSystemEnvironmentPrivilege" }, + { 23, "SeChangeNotifyPrivilege" }, + { 24, "SeRemoteShutdownPrivilege" }, + { 25, "SeUndockPrivilege" }, + { 26, "SeSyncAgentPrivilege" }, + { 27, "SeEnableDelegationPrivilege" }, +}; +*/ + + /* + * Those are not really privileges like the other ones. + * They are handled in a special case and called + * system privileges. + * + * SeNetworkLogonRight + * SeUnsolicitedInputPrivilege + * SeBatchLogonRight + * SeServiceLogonRight + * SeInteractiveLogonRight + * SeDenyInteractiveLogonRight + * SeDenyNetworkLogonRight + * SeDenyBatchLogonRight + * SeDenyBatchLogonRight + */ + +#if 0 +/**************************************************************************** +check if the user has the required privilege. +****************************************************************************/ +static BOOL se_priv_access_check(NT_USER_TOKEN *token, uint32 privilege) +{ + /* no token, no privilege */ + if (token==NULL) + return False; + + if ((token->privilege & privilege)==privilege) + return True; + + return False; +} +#endif + +/**************************************************************************** +dump the mapping group mapping to a text file +****************************************************************************/ +char *decode_sid_name_use(fstring group, enum SID_NAME_USE name_use) +{ + static fstring group_type; + + switch(name_use) { + case SID_NAME_USER: + fstrcpy(group_type,"User"); + break; + case SID_NAME_DOM_GRP: + fstrcpy(group_type,"Domain group"); + break; + case SID_NAME_DOMAIN: + fstrcpy(group_type,"Domain"); + break; + case SID_NAME_ALIAS: + fstrcpy(group_type,"Local group"); + break; + case SID_NAME_WKN_GRP: + fstrcpy(group_type,"Builtin group"); + break; + case SID_NAME_DELETED: + fstrcpy(group_type,"Deleted"); + break; + case SID_NAME_INVALID: + fstrcpy(group_type,"Invalid"); + break; + case SID_NAME_UNKNOWN: + default: + fstrcpy(group_type,"Unknown type"); + break; + } + + fstrcpy(group, group_type); + return group_type; +} + +/**************************************************************************** +initialise first time the mapping list - called from init_group_mapping() +****************************************************************************/ +static BOOL default_group_mapping(void) +{ + DOM_SID sid_admins; + DOM_SID sid_users; + DOM_SID sid_guests; + fstring str_admins; + fstring str_users; + fstring str_guests; + LUID_ATTR set; + + PRIVILEGE_SET privilege_none; + PRIVILEGE_SET privilege_all; + PRIVILEGE_SET privilege_print_op; + + init_privilege(&privilege_none); + init_privilege(&privilege_all); + init_privilege(&privilege_print_op); + + set.attr=0; + set.luid.high=0; + set.luid.low=SE_PRIV_PRINT_OPERATOR; + add_privilege(&privilege_print_op, set); + + add_all_privilege(&privilege_all); + + /* Add the Wellknown groups */ + + add_initial_entry(-1, "S-1-5-32-544", SID_NAME_ALIAS, "Administrators", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-545", SID_NAME_ALIAS, "Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-546", SID_NAME_ALIAS, "Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK); + add_initial_entry(-1, "S-1-5-32-547", SID_NAME_ALIAS, "Power Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + + add_initial_entry(-1, "S-1-5-32-548", SID_NAME_ALIAS, "Account Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-549", SID_NAME_ALIAS, "System Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-550", SID_NAME_ALIAS, "Print Operators", "", privilege_print_op, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, "S-1-5-32-551", SID_NAME_ALIAS, "Backup Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + + add_initial_entry(-1, "S-1-5-32-552", SID_NAME_ALIAS, "Replicators", "", privilege_none, PR_ACCESS_FROM_NETWORK); + + /* Add the defaults domain groups */ + + sid_copy(&sid_admins, &global_sam_sid); + sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS); + sid_to_string(str_admins, &sid_admins); + add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + + sid_copy(&sid_users, &global_sam_sid); + sid_append_rid(&sid_users, DOMAIN_GROUP_RID_USERS); + sid_to_string(str_users, &sid_users); + add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + + sid_copy(&sid_guests, &global_sam_sid); + sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS); + sid_to_string(str_guests, &sid_guests); + add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK); + + return True; +} + +/**************************************************************************** + Open the group mapping tdb. +****************************************************************************/ + +static BOOL init_group_mapping(void) +{ + static pid_t local_pid; + char *vstring = "INFO/version"; + int32 vers_id; + + if (tdb && local_pid == sys_getpid()) + return True; + tdb = tdb_open_log(lock_path("group_mapping.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); + if (!tdb) { + DEBUG(0,("Failed to open group mapping database\n")); + return False; + } + + local_pid = sys_getpid(); + + /* handle a Samba upgrade */ + tdb_lock_bystring(tdb, vstring); + + /* Cope with byte-reversed older versions of the db. */ + vers_id = tdb_fetch_int32(tdb, vstring); + if ((vers_id == DATABASE_VERSION_V1) || (IREV(vers_id) == DATABASE_VERSION_V1)) { + /* Written on a bigendian machine with old fetch_int code. Save as le. */ + tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2); + vers_id = DATABASE_VERSION_V2; + } + + if (vers_id != DATABASE_VERSION_V2) { + tdb_traverse(tdb, tdb_traverse_delete_fn, NULL); + tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2); + } + + tdb_unlock_bystring(tdb, vstring); + + /* write a list of default groups */ + if(!default_group_mapping()) + return False; + + return True; +} + +/**************************************************************************** +****************************************************************************/ +BOOL add_mapping_entry(GROUP_MAP *map, int flag) +{ + TDB_DATA kbuf, dbuf; + pstring key, buf; + fstring string_sid=""; + int len; + int i; + PRIVILEGE_SET *set; + + if(!init_group_mapping()) { + DEBUG(0,("failed to initialize group mapping")); + return(False); + } + + sid_to_string(string_sid, &map->sid); + + len = tdb_pack(buf, sizeof(buf), "ddffd", + map->gid, map->sid_name_use, map->nt_name, map->comment, map->systemaccount); + + /* write the privilege list in the TDB database */ + + set=&map->priv_set; + len += tdb_pack(buf+len, sizeof(buf)-len, "d", set->count); + for (i=0; i<set->count; i++) + len += tdb_pack(buf+len, sizeof(buf)-len, "ddd", + set->set[i].luid.low, set->set[i].luid.high, set->set[i].attr); + + if (len > sizeof(buf)) + return False; + + slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid); + + kbuf.dsize = strlen(key)+1; + kbuf.dptr = key; + dbuf.dsize = len; + dbuf.dptr = buf; + if (tdb_store(tdb, kbuf, dbuf, flag) != 0) return False; + + return True; +} + +/**************************************************************************** +initialise first time the mapping list +****************************************************************************/ +BOOL add_initial_entry(gid_t gid, fstring sid, enum SID_NAME_USE sid_name_use, + fstring nt_name, fstring comment, PRIVILEGE_SET priv_set, uint32 systemaccount) +{ + GROUP_MAP map; + + if(!init_group_mapping()) { + DEBUG(0,("failed to initialize group mapping")); + return(False); + } + + map.gid=gid; + string_to_sid(&map.sid, sid); + map.sid_name_use=sid_name_use; + fstrcpy(map.nt_name, nt_name); + fstrcpy(map.comment, comment); + map.systemaccount=systemaccount; + + map.priv_set.count=priv_set.count; + map.priv_set.set=priv_set.set; + + add_mapping_entry(&map, TDB_INSERT); + + return True; +} + +/**************************************************************************** +initialise a privilege list +****************************************************************************/ +void init_privilege(PRIVILEGE_SET *priv_set) +{ + priv_set->count=0; + priv_set->control=0; + priv_set->set=NULL; +} + +/**************************************************************************** +free a privilege list +****************************************************************************/ +BOOL free_privilege(PRIVILEGE_SET *priv_set) +{ + if (priv_set->count==0) { + DEBUG(100,("free_privilege: count=0, nothing to clear ?\n")); + return False; + } + + if (priv_set->set==NULL) { + DEBUG(0,("free_privilege: list ptr is NULL, very strange !\n")); + return False; + } + + safe_free(priv_set->set); + priv_set->count=0; + priv_set->control=0; + priv_set->set=NULL; + + return True; +} + +/**************************************************************************** +add a privilege to a privilege array +****************************************************************************/ +BOOL add_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set) +{ + LUID_ATTR *new_set; + + /* check if the privilege is not already in the list */ + if (check_priv_in_privilege(priv_set, set)) + return False; + + /* we can allocate memory to add the new privilege */ + + new_set=(LUID_ATTR *)Realloc(priv_set->set, (priv_set->count+1)*(sizeof(LUID_ATTR))); + if (new_set==NULL) { + DEBUG(0,("add_privilege: could not Realloc memory to add a new privilege\n")); + return False; + } + + new_set[priv_set->count].luid.high=set.luid.high; + new_set[priv_set->count].luid.low=set.luid.low; + new_set[priv_set->count].attr=set.attr; + + priv_set->count++; + priv_set->set=new_set; + + return True; +} + +/**************************************************************************** +add all the privileges to a privilege array +****************************************************************************/ +BOOL add_all_privilege(PRIVILEGE_SET *priv_set) +{ + LUID_ATTR set; + + set.attr=0; + set.luid.high=0; + + set.luid.low=SE_PRIV_ADD_USERS; + add_privilege(priv_set, set); + + set.luid.low=SE_PRIV_ADD_MACHINES; + add_privilege(priv_set, set); + + set.luid.low=SE_PRIV_PRINT_OPERATOR; + add_privilege(priv_set, set); + + return True; +} + +/**************************************************************************** +check if the privilege list is empty +****************************************************************************/ +BOOL check_empty_privilege(PRIVILEGE_SET *priv_set) +{ + return (priv_set->count == 0); +} + +/**************************************************************************** +check if the privilege is in the privilege list +****************************************************************************/ +BOOL check_priv_in_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set) +{ + int i; + + /* if the list is empty, obviously we can't have it */ + if (check_empty_privilege(priv_set)) + return False; + + for (i=0; i<priv_set->count; i++) { + LUID_ATTR *cur_set; + + cur_set=&priv_set->set[i]; + /* check only the low and high part. Checking the attr field has no meaning */ + if( (cur_set->luid.low==set.luid.low) && (cur_set->luid.high==set.luid.high) ) + return True; + } + + return False; +} + +/**************************************************************************** +remove a privilege to a privilege array +****************************************************************************/ +BOOL remove_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set) +{ + LUID_ATTR *new_set; + LUID_ATTR *old_set; + int i,j; + + /* check if the privilege is in the list */ + if (!check_priv_in_privilege(priv_set, set)) + return False; + + /* special case if it's the only privilege in the list */ + if (priv_set->count==1) { + free_privilege(priv_set); + init_privilege(priv_set); + + return True; + } + + /* + * the privilege is there, create a new list, + * and copy the other privileges + */ + + old_set=priv_set->set; + + new_set=(LUID_ATTR *)malloc((priv_set->count-1)*(sizeof(LUID_ATTR))); + if (new_set==NULL) { + DEBUG(0,("remove_privilege: could not malloc memory for new privilege list\n")); + return False; + } + + for (i=0, j=0; i<priv_set->count; i++) { + if ((old_set[i].luid.low==set.luid.low) && + (old_set[i].luid.high==set.luid.high)) { + continue; + } + + new_set[j].luid.low=old_set[i].luid.low; + new_set[j].luid.high=old_set[i].luid.high; + new_set[j].attr=old_set[i].attr; + + j++; + } + + if (j!=priv_set->count-1) { + DEBUG(0,("remove_privilege: mismatch ! difference is not -1\n")); + DEBUGADD(0,("old count:%d, new count:%d\n", priv_set->count, j)); + safe_free(new_set); + return False; + } + + /* ok everything is fine */ + + priv_set->count--; + priv_set->set=new_set; + + safe_free(old_set); + + return True; +} + +/**************************************************************************** +return the sid and the type of the unix group +****************************************************************************/ +BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) +{ + TDB_DATA kbuf, dbuf; + pstring key; + fstring string_sid; + int ret; + int i; + PRIVILEGE_SET *set; + + if(!init_group_mapping()) { + DEBUG(0,("failed to initialize group mapping")); + return(False); + } + + /* the key is the SID, retrieving is direct */ + + sid_to_string(string_sid, &sid); + slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid); + + kbuf.dptr = key; + kbuf.dsize = strlen(key)+1; + + dbuf = tdb_fetch(tdb, kbuf); + if (!dbuf.dptr) return False; + + ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd", + &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount); + + set=&map->priv_set; + init_privilege(set); + ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count); + + DEBUG(10,("get_group_map_from_sid: %d privileges\n", map->priv_set.count)); + + set->set = NULL; + if (set->count) { + set->set=(LUID_ATTR *)smb_xmalloc(set->count*sizeof(LUID_ATTR)); + } + + for (i=0; i<set->count; i++) + ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd", + &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr)); + + SAFE_FREE(dbuf.dptr); + if (ret != dbuf.dsize) { + DEBUG(0,("get_group_map_from_sid: group mapping TDB corrupted ?\n")); + free_privilege(set); + return False; + } + + /* we don't want the privileges */ + if (with_priv==MAPPING_WITHOUT_PRIV) + free_privilege(set); + + sid_copy(&map->sid, &sid); + + return True; +} + + +/**************************************************************************** +return the sid and the type of the unix group +****************************************************************************/ +BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv) +{ + TDB_DATA kbuf, dbuf, newkey; + fstring string_sid; + int ret; + int i; + PRIVILEGE_SET *set; + + if(!init_group_mapping()) { + DEBUG(0,("failed to initialize group mapping")); + return(False); + } + + /* we need to enumerate the TDB to find the GID */ + + for (kbuf = tdb_firstkey(tdb); + kbuf.dptr; + newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) { + + if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue; + + dbuf = tdb_fetch(tdb, kbuf); + if (!dbuf.dptr) continue; + + fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX)); + + string_to_sid(&map->sid, string_sid); + + ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd", + &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount); + + set=&map->priv_set; + ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count); + set->set = NULL; + if (set->count) { + set->set=(LUID_ATTR *)smb_xmalloc(set->count*sizeof(LUID_ATTR)); + } + + for (i=0; i<set->count; i++) + ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd", + &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr)); + + SAFE_FREE(dbuf.dptr); + if (ret != dbuf.dsize){ + free_privilege(set); + continue; + } + + if (gid==map->gid) { + if (!with_priv) + free_privilege(&map->priv_set); + return True; + } + + free_privilege(set); + } + + return False; +} + +/**************************************************************************** +return the sid and the type of the unix group +****************************************************************************/ +BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map, BOOL with_priv) +{ + TDB_DATA kbuf, dbuf, newkey; + fstring string_sid; + int ret; + int i; + PRIVILEGE_SET *set; + + if(!init_group_mapping()) { + DEBUG(0,("failed to initialize group mapping")); + return(False); + } + + /* we need to enumerate the TDB to find the name */ + + for (kbuf = tdb_firstkey(tdb); + kbuf.dptr; + newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) { + + if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue; + + dbuf = tdb_fetch(tdb, kbuf); + if (!dbuf.dptr) continue; + + fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX)); + + string_to_sid(&map->sid, string_sid); + + ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd", + &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount); + + set=&map->priv_set; + ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count); + + set->set=(LUID_ATTR *)malloc(set->count*sizeof(LUID_ATTR)); + if (set->set==NULL) { + DEBUG(0,("get_group_map_from_ntname: could not allocate memory for privileges\n")); + return False; + } + + for (i=0; i<set->count; i++) + ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd", + &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr)); + + SAFE_FREE(dbuf.dptr); + if (ret != dbuf.dsize) { + free_privilege(set); + continue; + } + + if (StrCaseCmp(name, map->nt_name)==0) { + if (!with_priv) + free_privilege(&map->priv_set); + return True; + } + + free_privilege(set); + } + + return False; +} + +/**************************************************************************** + remove a group mapping entry +****************************************************************************/ +BOOL group_map_remove(DOM_SID sid) +{ + TDB_DATA kbuf, dbuf; + pstring key; + fstring string_sid; + + if(!init_group_mapping()) { + DEBUG(0,("failed to initialize group mapping")); + return(False); + } + + /* the key is the SID, retrieving is direct */ + + sid_to_string(string_sid, &sid); + slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid); + + kbuf.dptr = key; + kbuf.dsize = strlen(key)+1; + + dbuf = tdb_fetch(tdb, kbuf); + if (!dbuf.dptr) return False; + + SAFE_FREE(dbuf.dptr); + + if(tdb_delete(tdb, kbuf) != TDB_SUCCESS) + return False; + + return True; +} + + +/**************************************************************************** +enumerate the group mapping +****************************************************************************/ +BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, + int *num_entries, BOOL unix_only, BOOL with_priv) +{ + TDB_DATA kbuf, dbuf, newkey; + fstring string_sid; + fstring group_type; + GROUP_MAP map; + GROUP_MAP *mapt; + int ret; + int entries=0; + int i; + PRIVILEGE_SET *set; + + if(!init_group_mapping()) { + DEBUG(0,("failed to initialize group mapping")); + return(False); + } + + *num_entries=0; + *rmap=NULL; + + for (kbuf = tdb_firstkey(tdb); + kbuf.dptr; + newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) { + + if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) + continue; + + dbuf = tdb_fetch(tdb, kbuf); + if (!dbuf.dptr) + continue; + + fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX)); + + ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd", + &map.gid, &map.sid_name_use, &map.nt_name, &map.comment, &map.systemaccount); + + set=&map.priv_set; + init_privilege(set); + + ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count); + + if (set->count!=0) { + set->set=(LUID_ATTR *)malloc(set->count*sizeof(LUID_ATTR)); + if (set->set==NULL) { + DEBUG(0,("enum_group_mapping: could not allocate memory for privileges\n")); + return False; + } + } + + for (i=0; i<set->count; i++) + ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd", + &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr)); + + SAFE_FREE(dbuf.dptr); + if (ret != dbuf.dsize) { + DEBUG(11,("enum_group_mapping: error in memory size\n")); + free_privilege(set); + continue; + } + + /* list only the type or everything if UNKNOWN */ + if (sid_name_use!=SID_NAME_UNKNOWN && sid_name_use!=map.sid_name_use) { + DEBUG(11,("enum_group_mapping: group %s is not of the requested type\n", map.nt_name)); + free_privilege(set); + continue; + } + + if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) { + DEBUG(11,("enum_group_mapping: group %s is non mapped\n", map.nt_name)); + free_privilege(set); + continue; + } + + string_to_sid(&map.sid, string_sid); + + decode_sid_name_use(group_type, map.sid_name_use); + DEBUG(11,("enum_group_mapping: returning group %s of type %s\n", map.nt_name ,group_type)); + + mapt=(GROUP_MAP *)Realloc((*rmap), (entries+1)*sizeof(GROUP_MAP)); + if (!mapt) { + DEBUG(0,("enum_group_mapping: Unable to enlarge group map!\n")); + SAFE_FREE(*rmap); + free_privilege(set); + return False; + } + else + (*rmap) = mapt; + + mapt[entries].gid = map.gid; + sid_copy( &mapt[entries].sid, &map.sid); + mapt[entries].sid_name_use = map.sid_name_use; + fstrcpy(mapt[entries].nt_name, map.nt_name); + fstrcpy(mapt[entries].comment, map.comment); + mapt[entries].systemaccount=map.systemaccount; + mapt[entries].priv_set.count=set->count; + mapt[entries].priv_set.control=set->control; + mapt[entries].priv_set.set=set->set; + if (!with_priv) + free_privilege(&(mapt[entries].priv_set)); + + entries++; + } + + *num_entries=entries; + return True; +} + + +/**************************************************************************** +convert a privilege string to a privilege array +****************************************************************************/ +void convert_priv_from_text(PRIVILEGE_SET *se_priv, char *privilege) +{ + pstring tok; + char *p = privilege; + int i; + LUID_ATTR set; + + /* By default no privilege */ + init_privilege(se_priv); + + if (privilege==NULL) + return; + + while(next_token(&p, tok, " ", sizeof(tok)) ) { + for (i=0; i<=PRIV_ALL_INDEX; i++) { + if (StrCaseCmp(privs[i].priv, tok)==0) { + set.attr=0; + set.luid.high=0; + set.luid.low=privs[i].se_priv; + add_privilege(se_priv, set); + } + } + } +} + +/**************************************************************************** +convert a privilege array to a privilege string +****************************************************************************/ +void convert_priv_to_text(PRIVILEGE_SET *se_priv, char *privilege) +{ + int i,j; + + if (privilege==NULL) + return; + + ZERO_STRUCTP(privilege); + + if (check_empty_privilege(se_priv)) { + fstrcat(privilege, "No privilege"); + return; + } + + for(i=0; i<se_priv->count; i++) { + j=1; + while (privs[j].se_priv!=se_priv->set[i].luid.low && j<=PRIV_ALL_INDEX) { + j++; + } + + fstrcat(privilege, privs[j].priv); + fstrcat(privilege, " "); + } +} + + +/* + * + * High level functions + * better to use them than the lower ones. + * + * we are checking if the group is in the mapping file + * and if the group is an existing unix group + * + */ + +/* get a domain group from it's SID */ + +BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) +{ + struct group *grp; + + if(!init_group_mapping()) { + DEBUG(0,("failed to initialize group mapping")); + return(False); + } + + DEBUG(10, ("get_domain_group_from_sid\n")); + + /* if the group is NOT in the database, it CAN NOT be a domain group */ + if(!get_group_map_from_sid(sid, map, with_priv)) + return False; + + DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n")); + + /* if it's not a domain group, continue */ + if (map->sid_name_use!=SID_NAME_DOM_GRP) { + if (with_priv) + free_privilege(&map->priv_set); + return False; + } + + DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n")); + + if (map->gid==-1) { + if (with_priv) + free_privilege(&map->priv_set); + return False; + } + + DEBUG(10, ("get_domain_group_from_sid: SID is mapped to gid:%d\n",map->gid)); + + if ( (grp=getgrgid(map->gid)) == NULL) { + DEBUG(10, ("get_domain_group_from_sid: gid DOESN'T exist in UNIX security\n")); + if (with_priv) + free_privilege(&map->priv_set); + return False; + } + + DEBUG(10, ("get_domain_group_from_sid: gid exists in UNIX security\n")); + + return True; +} + + +/* get a local (alias) group from it's SID */ + +BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) +{ + struct group *grp; + + if(!init_group_mapping()) { + DEBUG(0,("failed to initialize group mapping")); + return(False); + } + + /* The group is in the mapping table */ + if(get_group_map_from_sid(sid, map, with_priv)) { + if (map->sid_name_use!=SID_NAME_ALIAS) { + if (with_priv) + free_privilege(&map->priv_set); + return False; + } + + if (map->gid==-1) { + if (with_priv) + free_privilege(&map->priv_set); + return False; + } + + if ( (grp=getgrgid(map->gid)) == NULL) { + if (with_priv) + free_privilege(&map->priv_set); + return False; + } + } else { + /* the group isn't in the mapping table. + * make one based on the unix information */ + uint32 alias_rid; + + sid_peek_rid(&sid, &alias_rid); + map->gid=pdb_group_rid_to_gid(alias_rid); + + if ((grp=getgrgid(map->gid)) == NULL) + return False; + + map->sid_name_use=SID_NAME_ALIAS; + map->systemaccount=PR_ACCESS_FROM_NETWORK; + + fstrcpy(map->nt_name, grp->gr_name); + fstrcpy(map->comment, "Local Unix Group"); + + init_privilege(&map->priv_set); + + sid_copy(&map->sid, &sid); + } + + return True; +} + +/* get a builtin group from it's SID */ + +BOOL get_builtin_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) +{ + struct group *grp; + + if(!init_group_mapping()) { + DEBUG(0,("failed to initialize group mapping")); + return(False); + } + + if(!get_group_map_from_sid(sid, map, with_priv)) + return False; + + if (map->sid_name_use!=SID_NAME_WKN_GRP) { + if (with_priv) + free_privilege(&map->priv_set); + return False; + } + + if (map->gid==-1) { + if (with_priv) + free_privilege(&map->priv_set); + return False; + } + + if ( (grp=getgrgid(map->gid)) == NULL) { + if (with_priv) + free_privilege(&map->priv_set); + return False; + } + + return True; +} + + + +/**************************************************************************** +Returns a GROUP_MAP struct based on the gid. +****************************************************************************/ +BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv) +{ + struct group *grp; + + if(!init_group_mapping()) { + DEBUG(0,("failed to initialize group mapping")); + return(False); + } + + if ( (grp=getgrgid(gid)) == NULL) + return False; + + /* + * make a group map from scratch if doesn't exist. + */ + if (!get_group_map_from_gid(gid, map, with_priv)) { + map->gid=gid; + map->sid_name_use=SID_NAME_ALIAS; + map->systemaccount=PR_ACCESS_FROM_NETWORK; + init_privilege(&map->priv_set); + + /* interim solution until we have a last RID allocated */ + + sid_copy(&map->sid, &global_sam_sid); + sid_append_rid(&map->sid, pdb_gid_to_group_rid(gid)); + + fstrcpy(map->nt_name, grp->gr_name); + fstrcpy(map->comment, "Local Unix Group"); + } + + return True; +} + + + + +/**************************************************************************** + Get the member users of a group and + all the users who have that group as primary. + + give back an array of uid + return the grand number of users + + + TODO: sort the list and remove duplicate. JFM. + +****************************************************************************/ + +BOOL get_uid_list_of_group(gid_t gid, uid_t **uid, int *num_uids) +{ + struct group *grp; + struct passwd *pwd; + int i=0; + char *gr; + uid_t *u; + + if(!init_group_mapping()) { + DEBUG(0,("failed to initialize group mapping")); + return(False); + } + + *num_uids = 0; + *uid=NULL; + + if ( (grp=getgrgid(gid)) == NULL) + return False; + + gr = grp->gr_mem[0]; + DEBUG(10, ("getting members\n")); + + while (gr && (*gr != (char)'\0')) { + u = Realloc((*uid), sizeof(uid_t)*(*num_uids+1)); + if (!u) { + DEBUG(0,("get_uid_list_of_group: unable to enlarge uid list!\n")); + return False; + } + else (*uid) = u; + + if( (pwd=getpwnam_alloc(gr)) !=NULL) { + (*uid)[*num_uids]=pwd->pw_uid; + (*num_uids)++; + } + passwd_free(&pwd); + gr = grp->gr_mem[++i]; + } + DEBUG(10, ("got [%d] members\n", *num_uids)); + + setpwent(); + while ((pwd=getpwent()) != NULL) { + if (pwd->pw_gid==gid) { + u = Realloc((*uid), sizeof(uid_t)*(*num_uids+1)); + if (!u) { + DEBUG(0,("get_uid_list_of_group: unable to enlarge uid list!\n")); + return False; + } + else (*uid) = u; + (*uid)[*num_uids]=pwd->pw_uid; + + (*num_uids)++; + } + } + endpwent(); + DEBUG(10, ("got primary groups, members: [%d]\n", *num_uids)); + + return True; +} + +/**************************************************************************** + Create a UNIX group on demand. +****************************************************************************/ + +int smb_create_group(char *unix_group) +{ + pstring add_script; + int ret; + + pstrcpy(add_script, lp_addgroup_script()); + if (! *add_script) return -1; + pstring_sub(add_script, "%g", unix_group); + ret = smbrun(add_script,NULL); + DEBUG(3,("smb_create_group: Running the command `%s' gave %d\n",add_script,ret)); + return ret; +} + +/**************************************************************************** + Delete a UNIX group on demand. +****************************************************************************/ + +int smb_delete_group(char *unix_group) +{ + pstring del_script; + int ret; + + pstrcpy(del_script, lp_delgroup_script()); + if (! *del_script) return -1; + pstring_sub(del_script, "%g", unix_group); + ret = smbrun(del_script,NULL); + DEBUG(3,("smb_delete_group: Running the command `%s' gave %d\n",del_script,ret)); + return ret; +} + +/**************************************************************************** + Create a UNIX group on demand. +****************************************************************************/ + +int smb_add_user_group(char *unix_group, char *unix_user) +{ + pstring add_script; + int ret; + + pstrcpy(add_script, lp_addusertogroup_script()); + if (! *add_script) return -1; + pstring_sub(add_script, "%g", unix_group); + pstring_sub(add_script, "%u", unix_user); + ret = smbrun(add_script,NULL); + DEBUG(3,("smb_add_user_group: Running the command `%s' gave %d\n",add_script,ret)); + return ret; +} + +/**************************************************************************** + Delete a UNIX group on demand. +****************************************************************************/ + +int smb_delete_user_group(const char *unix_group, const char *unix_user) +{ + pstring del_script; + int ret; + + pstrcpy(del_script, lp_deluserfromgroup_script()); + if (! *del_script) return -1; + pstring_sub(del_script, "%g", unix_group); + pstring_sub(del_script, "%u", unix_user); + ret = smbrun(del_script,NULL); + DEBUG(3,("smb_delete_user_group: Running the command `%s' gave %d\n",del_script,ret)); + return ret; +} |