diff options
Diffstat (limited to 'source3/passdb')
-rw-r--r-- | source3/passdb/pdb_compat.c | 104 | ||||
-rw-r--r-- | source3/passdb/pdb_unix.c | 127 | ||||
-rw-r--r-- | source3/passdb/util_sam_sid.c | 275 |
3 files changed, 506 insertions, 0 deletions
diff --git a/source3/passdb/pdb_compat.c b/source3/passdb/pdb_compat.c new file mode 100644 index 0000000000..713c92e3ac --- /dev/null +++ b/source3/passdb/pdb_compat.c @@ -0,0 +1,104 @@ +/* + Unix SMB/CIFS implementation. + SAM_ACCOUNT access routines + Copyright (C) Jeremy Allison 1996-2001 + Copyright (C) Luke Kenneth Casson Leighton 1996-1998 + Copyright (C) Gerald (Jerry) Carter 2000-2001 + Copyright (C) Andrew Bartlett 2001-2002 + Copyright (C) Stefan (metze) Metzmacher 2002 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_PASSDB + +uint32 pdb_get_user_rid (const SAM_ACCOUNT *sampass) +{ + uint32 u_rid; + + if (sampass) + if (sid_peek_check_rid(get_global_sam_sid(), pdb_get_user_sid(sampass),&u_rid)) + return u_rid; + + return (0); +} + +uint32 pdb_get_group_rid (const SAM_ACCOUNT *sampass) +{ + uint32 g_rid; + + if (sampass) + if (sid_peek_check_rid(get_global_sam_sid(), pdb_get_group_sid(sampass),&g_rid)) + return g_rid; + return (0); +} + +BOOL pdb_set_user_sid_from_rid (SAM_ACCOUNT *sampass, uint32 rid) +{ + DOM_SID u_sid; + const DOM_SID *global_sam_sid; + + if (!sampass) + return False; + + if (!(global_sam_sid = get_global_sam_sid())) { + DEBUG(1, ("pdb_set_user_sid_from_rid: Could not read global sam sid!\n")); + return False; + } + + sid_copy(&u_sid, global_sam_sid); + + if (!sid_append_rid(&u_sid, rid)) + return False; + + if (!pdb_set_user_sid(sampass, &u_sid)) + return False; + + DEBUG(10, ("pdb_set_user_sid_from_rid:\n\tsetting user sid %s from rid %d\n", + sid_string_static(&u_sid),rid)); + + return True; +} + +BOOL pdb_set_group_sid_from_rid (SAM_ACCOUNT *sampass, uint32 grid) +{ + DOM_SID g_sid; + const DOM_SID *global_sam_sid; + + if (!sampass) + return False; + + if (!(global_sam_sid = get_global_sam_sid())) { + DEBUG(1, ("pdb_set_user_sid_from_rid: Could not read global sam sid!\n")); + return False; + } + + sid_copy(&g_sid, global_sam_sid); + + if (!sid_append_rid(&g_sid, grid)) + return False; + + if (!pdb_set_group_sid(sampass, &g_sid)) + return False; + + DEBUG(10, ("pdb_set_group_sid_from_rid:\n\tsetting group sid %s from rid %d\n", + sid_string_static(&g_sid), grid)); + + return True; +} + diff --git a/source3/passdb/pdb_unix.c b/source3/passdb/pdb_unix.c new file mode 100644 index 0000000000..b4092b88f8 --- /dev/null +++ b/source3/passdb/pdb_unix.c @@ -0,0 +1,127 @@ +/* + * Unix password backend for samba + * Copyright (C) Jelmer Vernooij 2002 + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 675 + * Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +/****************************************************************** + Lookup a name in the SAM database + ******************************************************************/ + +static BOOL unixsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *user, const char *sname) +{ + struct passwd *pass; + if (!methods) { + DEBUG(0,("invalid methods\n")); + return False; + } + if (!sname) { + DEBUG(0,("invalid name specified")); + return False; + } + pass = Get_Pwnam(sname); + + return NT_STATUS_IS_OK(pdb_fill_sam_pw(user, pass)); +} + + +/*************************************************************************** + Search by rid + **************************************************************************/ + +static BOOL unixsam_getsampwrid (struct pdb_methods *methods, + SAM_ACCOUNT *user, uint32 rid) +{ + struct passwd *pass; + BOOL ret = False; + if (!methods) { + DEBUG(0,("invalid methods\n")); + return False; + } + + if (pdb_rid_is_user(rid)) { + pass = getpwuid_alloc(fallback_pdb_user_rid_to_uid (rid)); + + if (pass) { + ret = NT_STATUS_IS_OK(pdb_fill_sam_pw(user, pass)); + passwd_free(&pass); + } + } + return ret; +} + +static BOOL unixsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid) +{ + uint32 rid; + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) + return False; + return unixsam_getsampwrid(my_methods, user, rid); +} + +/*************************************************************************** + Adds an existing SAM_ACCOUNT + ****************************************************************************/ + +static BOOL unixsam_add_sam_account (struct pdb_methods *methods, SAM_ACCOUNT *newpwd) +{ + DEBUG(0,("pdb_unix should not be listed as the first passdb backend! You can't add users to it.\n")); + return False; +} + +/*************************************************************************** + Updates a SAM_ACCOUNT + + This isn't a particulary practical option for pdb_unix. We certainly don't + want to twidde the filesystem, so what should we do? + + Current plan is to transparently add the account. It should appear + as if the pdb_unix version was modified, but its actually stored somehwere. + ****************************************************************************/ + +static BOOL unixsam_update_sam_account (struct pdb_methods *methods, SAM_ACCOUNT *newpwd) +{ + return methods->parent->pdb_add_sam_account(methods->parent, newpwd); +} + +NTSTATUS pdb_init_unixsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) +{ + NTSTATUS nt_status; + + if (!pdb_context) { + DEBUG(0, ("invalid pdb_context specified\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!NT_STATUS_IS_OK(nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) { + return nt_status; + } + + (*pdb_method)->name = "unixsam"; + + (*pdb_method)->setsampwent = NULL; + (*pdb_method)->endsampwent = NULL; + (*pdb_method)->getsampwent = NULL; + (*pdb_method)->getsampwnam = unixsam_getsampwnam; + (*pdb_method)->getsampwsid = unixsam_getsampwsid; + (*pdb_method)->add_sam_account = unixsam_add_sam_account; + (*pdb_method)->update_sam_account = unixsam_update_sam_account; + (*pdb_method)->delete_sam_account = NULL; + + /* There's not very much to initialise here */ + return NT_STATUS_OK; +} diff --git a/source3/passdb/util_sam_sid.c b/source3/passdb/util_sam_sid.c new file mode 100644 index 0000000000..2c574f4a61 --- /dev/null +++ b/source3/passdb/util_sam_sid.c @@ -0,0 +1,275 @@ +/* + Unix SMB/CIFS implementation. + Samba utility functions + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 + Copyright (C) Jeremy Allison 1999 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern pstring global_myname; +extern fstring global_myworkgroup; + +#define MAX_SID_NAMES 7 + +typedef struct _known_sid_users { + uint32 rid; + enum SID_NAME_USE sid_name_use; + char *known_user_name; +} known_sid_users; + +static struct sid_name_map_info +{ + DOM_SID *sid; + char *name; + known_sid_users *known_users; +} sid_name_map[MAX_SID_NAMES]; + +extern DOM_SID global_sid_Builtin; /* Local well-known domain */ +extern DOM_SID global_sid_World_Domain; /* Everyone domain */ +extern DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */ +extern DOM_SID global_sid_NT_Authority; /* NT Authority */ + + +static BOOL sid_name_map_initialized = False; +/* static known_sid_users no_users[] = {{0, 0, NULL}}; */ + +static known_sid_users everyone_users[] = { + { 0, SID_NAME_WKN_GRP, "Everyone" }, + {0, (enum SID_NAME_USE)0, NULL}}; + +static known_sid_users creator_owner_users[] = { + { 0, SID_NAME_ALIAS, "Creator Owner" }, + {0, (enum SID_NAME_USE)0, NULL}}; + +static known_sid_users nt_authority_users[] = { + { 1, SID_NAME_ALIAS, "Dialup" }, + { 2, SID_NAME_ALIAS, "Network"}, + { 3, SID_NAME_ALIAS, "Batch"}, + { 4, SID_NAME_ALIAS, "Interactive"}, + { 6, SID_NAME_ALIAS, "Service"}, + { 7, SID_NAME_ALIAS, "AnonymousLogon"}, + { 8, SID_NAME_ALIAS, "Proxy"}, + { 9, SID_NAME_ALIAS, "ServerLogon"}, + { 11, SID_NAME_ALIAS, "Authenticated Users"}, + { 18, SID_NAME_ALIAS, "SYSTEM"}, + { 0, (enum SID_NAME_USE)0, NULL}}; + +static known_sid_users builtin_groups[] = { + { BUILTIN_ALIAS_RID_ADMINS, SID_NAME_ALIAS, "Administrators" }, + { BUILTIN_ALIAS_RID_USERS, SID_NAME_ALIAS, "Users" }, + { BUILTIN_ALIAS_RID_GUESTS, SID_NAME_ALIAS, "Guests" }, + { BUILTIN_ALIAS_RID_ACCOUNT_OPS, SID_NAME_ALIAS, "Account Operators" }, + { BUILTIN_ALIAS_RID_SYSTEM_OPS, SID_NAME_ALIAS, "Server Operators" }, + { BUILTIN_ALIAS_RID_PRINT_OPS, SID_NAME_ALIAS, "Print Operators" }, + { BUILTIN_ALIAS_RID_BACKUP_OPS, SID_NAME_ALIAS, "Backup Operators" }, + { 0, (enum SID_NAME_USE)0, NULL}}; + + + +/************************************************************************** + quick init function + *************************************************************************/ +static void init_sid_name_map (void) +{ + int i = 0; + + if (sid_name_map_initialized) return; + + generate_wellknown_sids(); + + if ((lp_security() == SEC_USER) && lp_domain_logons()) { + sid_name_map[i].sid = get_global_sam_sid(); + sid_name_map[i].name = global_myworkgroup; + sid_name_map[i].known_users = NULL; + i++; + sid_name_map[i].sid = get_global_sam_sid(); + sid_name_map[i].name = global_myname; + sid_name_map[i].known_users = NULL; + i++; + } + else { + sid_name_map[i].sid = get_global_sam_sid(); + sid_name_map[i].name = global_myname; + sid_name_map[i].known_users = NULL; + i++; + } + + sid_name_map[i].sid = &global_sid_Builtin; + sid_name_map[i].name = "BUILTIN"; + sid_name_map[i].known_users = &builtin_groups[0]; + i++; + + sid_name_map[i].sid = &global_sid_World_Domain; + sid_name_map[i].name = ""; + sid_name_map[i].known_users = &everyone_users[0]; + i++; + + sid_name_map[i].sid = &global_sid_Creator_Owner_Domain; + sid_name_map[i].name = ""; + sid_name_map[i].known_users = &creator_owner_users[0]; + i++; + + sid_name_map[i].sid = &global_sid_NT_Authority; + sid_name_map[i].name = "NT Authority"; + sid_name_map[i].known_users = &nt_authority_users[0]; + i++; + + + /* end of array */ + sid_name_map[i].sid = NULL; + sid_name_map[i].name = NULL; + sid_name_map[i].known_users = NULL; + + sid_name_map_initialized = True; + + return; + +} + +/************************************************************************** + Turns a domain SID into a name, returned in the nt_domain argument. +***************************************************************************/ + +BOOL map_domain_sid_to_name(DOM_SID *sid, fstring nt_domain) +{ + fstring sid_str; + int i = 0; + + sid_to_string(sid_str, sid); + + if (!sid_name_map_initialized) + init_sid_name_map(); + + DEBUG(5,("map_domain_sid_to_name: %s\n", sid_str)); + + if (nt_domain == NULL) + return False; + + while (sid_name_map[i].sid != NULL) { + sid_to_string(sid_str, sid_name_map[i].sid); + DEBUG(5,("map_domain_sid_to_name: compare: %s\n", sid_str)); + if (sid_equal(sid_name_map[i].sid, sid)) { + fstrcpy(nt_domain, sid_name_map[i].name); + DEBUG(5,("map_domain_sid_to_name: found '%s'\n", nt_domain)); + return True; + } + i++; + } + + DEBUG(5,("map_domain_sid_to_name: mapping for %s not found\n", sid_str)); + + return False; +} + +/************************************************************************** + Looks up a known username from one of the known domains. +***************************************************************************/ + +BOOL lookup_known_rid(DOM_SID *sid, uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) +{ + int i = 0; + struct sid_name_map_info *psnm; + + if (!sid_name_map_initialized) + init_sid_name_map(); + + for(i = 0; sid_name_map[i].sid != NULL; i++) { + psnm = &sid_name_map[i]; + if(sid_equal(psnm->sid, sid)) { + int j; + for(j = 0; psnm->known_users && psnm->known_users[j].known_user_name != NULL; j++) { + if(rid == psnm->known_users[j].rid) { + DEBUG(5,("lookup_builtin_rid: rid = %u, domain = '%s', user = '%s'\n", + (unsigned int)rid, psnm->name, psnm->known_users[j].known_user_name )); + fstrcpy( name, psnm->known_users[j].known_user_name); + *psid_name_use = psnm->known_users[j].sid_name_use; + return True; + } + } + } + } + + return False; +} + +/************************************************************************** + Turns a domain name into a SID. + *** side-effect: if the domain name is NULL, it is set to our domain *** +***************************************************************************/ + +BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain) +{ + int i = 0; + + if (nt_domain == NULL) { + DEBUG(5,("map_domain_name_to_sid: mapping NULL domain to our SID.\n")); + sid_copy(sid, get_global_sam_sid()); + return True; + } + + if (nt_domain[0] == 0) { + fstrcpy(nt_domain, global_myname); + DEBUG(5,("map_domain_name_to_sid: overriding blank name to %s\n", nt_domain)); + sid_copy(sid, get_global_sam_sid()); + return True; + } + + DEBUG(5,("map_domain_name_to_sid: %s\n", nt_domain)); + + if (!sid_name_map_initialized) + init_sid_name_map(); + + while (sid_name_map[i].name != NULL) { + DEBUG(5,("map_domain_name_to_sid: compare: %s\n", sid_name_map[i].name)); + if (strequal(sid_name_map[i].name, nt_domain)) { + fstring sid_str; + sid_copy(sid, sid_name_map[i].sid); + sid_to_string(sid_str, sid_name_map[i].sid); + DEBUG(5,("map_domain_name_to_sid: found %s\n", sid_str)); + return True; + } + i++; + } + + DEBUG(0,("map_domain_name_to_sid: mapping to %s not found.\n", nt_domain)); + return False; +} + +/***************************************************************** + Check if the SID is our domain SID (S-1-5-21-x-y-z). +*****************************************************************/ +BOOL sid_check_is_domain(const DOM_SID *sid) +{ + return sid_equal(sid, get_global_sam_sid()); +} + +/***************************************************************** + Check if the SID is our domain SID (S-1-5-21-x-y-z). +*****************************************************************/ +BOOL sid_check_is_in_our_domain(const DOM_SID *sid) +{ + DOM_SID dom_sid; + uint32 rid; + + sid_copy(&dom_sid, sid); + sid_split_rid(&dom_sid, &rid); + + return sid_equal(&dom_sid, get_global_sam_sid()); +} + |