diff options
Diffstat (limited to 'source3/passdb/passdb.c')
| -rw-r--r-- | source3/passdb/passdb.c | 348 |
1 files changed, 52 insertions, 296 deletions
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 99f5c228ef..15756b7e22 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -163,13 +163,7 @@ NTSTATUS pdb_init_sam(SAM_ACCOUNT **user) NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) { - GROUP_MAP map; - - const char *guest_account = lp_guestaccount(); - if (!(guest_account && *guest_account)) { - DEBUG(1, ("NULL guest account!?!?\n")); - return NT_STATUS_UNSUCCESSFUL; - } + NTSTATUS ret; if (!pwd) { return NT_STATUS_UNSUCCESSFUL; @@ -197,37 +191,8 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) -- abartlet 11-May-02 */ - - /* Ensure this *must* be set right */ - if (strcmp(pwd->pw_name, guest_account) == 0) { - if (!pdb_set_user_sid_from_rid(sam_account, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) { - return NT_STATUS_UNSUCCESSFUL; - } - if (!pdb_set_group_sid_from_rid(sam_account, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) { - return NT_STATUS_UNSUCCESSFUL; - } - } else { - - if (!pdb_set_user_sid_from_rid(sam_account, - fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) { - DEBUG(0,("Can't set User SID from RID!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - /* call the mapping code here */ - if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) { - if (!pdb_set_group_sid(sam_account,&map.sid, PDB_SET)){ - DEBUG(0,("Can't set Group SID!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - } - else { - if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) { - DEBUG(0,("Can't set Group SID\n")); - return NT_STATUS_INVALID_PARAMETER; - } - } - } + ret = pdb_set_sam_sids(sam_account, pwd); + if (NT_STATUS_IS_ERR(ret)) return ret; /* check if this is a user account or a machine account */ if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$') @@ -371,102 +336,77 @@ NTSTATUS pdb_free_sam(SAM_ACCOUNT **user) /************************************************************************** * This function will take care of all the steps needed to correctly * allocate and set the user SID, please do use this function to create new - * users and don't add the account to the passdb directly unless you know - * what are you doing, messing with SIDs is not good. - * - * account_data must be provided initialized. But values may be discarded if - * free RIDs are not in use. - * - * ATTENTION: Please pay attention to leave any ID field to NULL unless you - * really know what you are doing + * users, messing with SIDs is not good. * + * account_data must be provided initialized, pwd may be null. * SSS ***************************************************************************/ -NTSTATUS pdb_create_new_user_account(char *username, SAM_ACCOUNT *account_data) +NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd) { + const char *guest_account = lp_guestaccount(); NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - SAM_ACCOUNT test; - DOM_SID u_sid, g_sid; - struct passwd *pw; - if (!username || !account_data) { + if (!account_data || (!pwd && !(pdb_get_free_rid_base() && lp_idmap_only()))) { return NT_STATUS_INVALID_PARAMETER; } - if (pdb_getsampwnam(&test, username)) { - DEBUG(3, ("pdb_create_new_user_account: User already exist in SAM! Aborting...\n")); + /* this is a hack this thing should not be set + this way --SSS */ + if (!(guest_account && *guest_account)) { + DEBUG(1, ("NULL guest account!?!?\n")); return NT_STATUS_UNSUCCESSFUL; + } else { + /* Ensure this *must* be set right */ + if (strcmp(pwd->pw_name, guest_account) == 0) { + if (!pdb_set_user_sid_from_rid(account_data, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) { + return NT_STATUS_UNSUCCESSFUL; + } + if (!pdb_set_group_sid_from_rid(account_data, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) { + return NT_STATUS_UNSUCCESSFUL; + } + return NT_STATUS_OK; + } } - pw = getpwnam_alloc(username); - - if (pdb_get_free_rid_base()) { - unid_t idval; - int idtype; + if (pwd) { + GROUP_MAP map; - if (!pdb_set_username(account_data, username, PDB_CHANGED)) { - goto done; + if (!pdb_set_user_sid_from_rid(account_data, fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) { + DEBUG(0,("Can't set User SID from RID!\n")); + return NT_STATUS_INVALID_PARAMETER; } - - if (lp_idmap_only() || !pw) { - if (pdb_get_init_flags(account_data, PDB_USERSID) == PDB_DEFAULT) { - if (!pdb_get_next_sid(&u_sid)) { - goto done; - } - pdb_set_user_sid(account_data, &u_sid, PDB_SET); - } - /* make a mapping in idmap */ - idtype = ID_USERID; - idmap_get_id_from_sid(&idval, &idtype, &u_sid); - if (pdb_get_init_flags(account_data, PDB_GROUPSID) == PDB_DEFAULT) { - /* set Domain Users by default ! */ - sid_copy(&g_sid, get_global_sam_sid()); - sid_append_rid(&u_sid, DOMAIN_GROUP_RID_USERS); - pdb_set_group_sid(account_data, &g_sid, PDB_SET); - } - /* make a mapping in idmap */ - idtype = ID_GROUPID; - idmap_get_id_from_sid(&idval, &idtype, &g_sid); - } else { - GROUP_MAP map; - - if (!pdb_set_user_sid_from_rid(account_data, fallback_pdb_uid_to_user_rid(pw->pw_uid), PDB_SET)) { - DEBUG(0,("Can't set User SID from RID!\n")); - ret = NT_STATUS_INVALID_PARAMETER; - goto done; + /* call the mapping code here */ + if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) { + if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){ + DEBUG(0,("Can't set Group SID!\n")); + return NT_STATUS_INVALID_PARAMETER; } - - /* call the mapping code here */ - if(pdb_getgrgid(&map, pw->pw_gid, MAPPING_WITHOUT_PRIV)) { - if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){ - DEBUG(0,("Can't set Group SID!\n")); - ret = NT_STATUS_INVALID_PARAMETER; - goto done; - } - } - else { - if (!pdb_set_group_sid_from_rid(account_data, pdb_gid_to_group_rid(pw->pw_gid), PDB_SET)) { - DEBUG(0,("Can't set Group SID\n")); - ret = NT_STATUS_INVALID_PARAMETER; - goto done; - } + } + else { + if (!pdb_set_group_sid_from_rid(account_data, pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) { + DEBUG(0,("Can't set Group SID\n")); + return NT_STATUS_INVALID_PARAMETER; } - } - } else { - if (!pw || NT_STATUS_IS_ERR(pdb_fill_sam_pw(account_data, pw))) { - goto done; } - } + } else { + unid_t idval; + int idtype; - if (pdb_add_sam_account(account_data)) { - ret = NT_STATUS_OK; + /* this is a hack this thing should not be set + here --SSS */ + if (pdb_get_init_flags(account_data, PDB_GROUPSID) == PDB_DEFAULT) { + DOM_SID g_sid; + + /* set Domain Users by default ! */ + sid_copy(&g_sid, get_global_sam_sid()); + sid_append_rid(&g_sid, DOMAIN_GROUP_RID_USERS); + pdb_set_group_sid(account_data, &g_sid, PDB_SET); + } } -done: - passwd_free(&pw); - return ret; + return NT_STATUS_OK; } /****************************************************************** @@ -957,190 +897,6 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi return True; } -/**************************************************************************** - Convert a uid to SID - locally. -****************************************************************************/ - -DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid) -{ - struct passwd *pass; - SAM_ACCOUNT *sam_user = NULL; - fstring str; /* sid string buffer */ - - sid_copy(psid, get_global_sam_sid()); - - if((pass = getpwuid_alloc(uid))) { - - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) { - passwd_free(&pass); - return NULL; - } - - if (pdb_getsampwnam(sam_user, pass->pw_name)) { - sid_copy(psid, pdb_get_user_sid(sam_user)); - } else { - sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid)); - } - - DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (%s).\n", - (unsigned)uid, sid_to_string( str, psid), - pass->pw_name )); - - passwd_free(&pass); - pdb_free_sam(&sam_user); - - } else { - sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid)); - - DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (unknown user).\n", - (unsigned)uid, sid_to_string( str, psid))); - } - - return psid; -} - -/**************************************************************************** - Convert a SID to uid - locally. -****************************************************************************/ - -BOOL local_sid_to_uid(uid_t *puid, const DOM_SID *psid, enum SID_NAME_USE *name_type) -{ - fstring str; - SAM_ACCOUNT *sam_user = NULL; - - *name_type = SID_NAME_UNKNOWN; - - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) - return False; - - if (pdb_getsampwsid(sam_user, psid)) { - - if (!IS_SAM_SET(sam_user,PDB_UID)&&!IS_SAM_CHANGED(sam_user,PDB_UID)) { - pdb_free_sam(&sam_user); - return False; - } - - *puid = pdb_get_uid(sam_user); - - DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_to_string( str, psid), - (unsigned int)*puid, pdb_get_username(sam_user))); - pdb_free_sam(&sam_user); - } else { - - DOM_SID dom_sid; - uint32 rid; - GROUP_MAP map; - - pdb_free_sam(&sam_user); - - if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) { - DEBUG(3, ("local_sid_to_uid: SID '%s' is a group, not a user... \n", sid_to_string(str, psid))); - /* It's a group, not a user... */ - return False; - } - - sid_copy(&dom_sid, psid); - if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) { - DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid))); - return False; - } - - if (!pdb_rid_is_user(rid)) { - DEBUG(3, ("local_sid_to_uid: sid '%s' cannot be mapped to a uid algorithmicly becouse it is a group\n", sid_to_string(str, psid))); - return False; - } - - *puid = fallback_pdb_user_rid_to_uid(rid); - - DEBUG(5,("local_sid_to_uid: SID %s algorithmicly mapped to %ld mapped becouse SID was not found in passdb.\n", - sid_to_string(str, psid), (signed long int)(*puid))); - } - - *name_type = SID_NAME_USER; - - return True; -} - -/**************************************************************************** - Convert a gid to SID - locally. -****************************************************************************/ - -DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid) -{ - GROUP_MAP map; - - sid_copy(psid, get_global_sam_sid()); - - if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) { - sid_copy(psid, &map.sid); - } - else { - sid_append_rid(psid, pdb_gid_to_group_rid(gid)); - } - - return psid; -} - -/**************************************************************************** - Convert a SID to gid - locally. -****************************************************************************/ - -BOOL local_sid_to_gid(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE *name_type) -{ - fstring str; - GROUP_MAP map; - - *name_type = SID_NAME_UNKNOWN; - - /* - * We can only convert to a gid if this is our local - * Domain SID (ie. we are the controling authority). - * - * Or in the Builtin SID too. JFM, 11/30/2001 - */ - - if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) { - - /* the SID is in the mapping table but not mapped */ - if (map.gid==(gid_t)-1) - return False; - - *pgid = map.gid; - *name_type = map.sid_name_use; - DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", - sid_to_string( str, psid), - map.nt_name, (unsigned int)*pgid)); - - } else { - uint32 rid; - SAM_ACCOUNT *sam_user = NULL; - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) - return False; - - if (pdb_getsampwsid(sam_user, psid)) { - return False; - pdb_free_sam(&sam_user); - } - - pdb_free_sam(&sam_user); - - if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) { - DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid))); - return False; - } - - if (pdb_rid_is_user(rid)) - return False; - - *pgid = pdb_group_rid_to_gid(rid); - *name_type = SID_NAME_ALIAS; - DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u).\n", sid_to_string( str, psid), - (unsigned int)*pgid)); - } - - return True; -} - /************************************************************* Change a password entry in the local smbpasswd file. |