summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/auth/auth_util.c135
-rw-r--r--source3/groupdb/mapping.c154
-rw-r--r--source3/include/passdb.h4
-rw-r--r--source3/nsswitch/winbindd_dual.c1
-rw-r--r--source3/nsswitch/winbindd_group.c27
-rw-r--r--source3/nsswitch/winbindd_pam.c2
-rw-r--r--source3/nsswitch/winbindd_passdb.c7
-rw-r--r--source3/nsswitch/winbindd_user.c6
-rw-r--r--source3/nsswitch/winbindd_util.c4
-rw-r--r--source3/passdb/pdb_interface.c21
-rw-r--r--source3/passdb/pdb_ldap.c2
-rw-r--r--source3/rpc_server/srv_lsa_nt.c2
-rw-r--r--source3/rpc_server/srv_samr_nt.c12
-rw-r--r--source3/utils/net_groupmap.c7
14 files changed, 253 insertions, 131 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 14aaa4c5ee..5b88945284 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -677,9 +677,68 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token)
return NT_STATUS_OK;
}
-/*
- * Create a NT token for the user, expanding local aliases
- */
+/*******************************************************************
+*******************************************************************/
+
+static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_token *token )
+{
+ return NT_STATUS_OK;
+}
+
+/*******************************************************************
+*******************************************************************/
+
+static NTSTATUS create_builtin_administrators( void )
+{
+ NTSTATUS status;
+ DOM_SID dom_admins, root_sid;
+ fstring root_name;
+ enum SID_NAME_USE type;
+ TALLOC_CTX *ctx;
+ BOOL ret;
+
+ status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS );
+ if ( !NT_STATUS_IS_OK(status) ) {
+ DEBUG(0,("create_builtin_administrators: Failed to create Administrators\n"));
+ return status;
+ }
+
+ /* add domain admins */
+ if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
+ && secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))
+ {
+ sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS);
+ status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins );
+ if ( !NT_STATUS_IS_OK(status) ) {
+ DEBUG(0,("create_builtin_administrators: Failed to add Domain Admins"
+ " Administrators\n"));
+ return status;
+ }
+ }
+
+ /* add root */
+ if ( (ctx = talloc_init(NULL)) == NULL ) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ fstr_sprintf( root_name, "%s\\root", get_global_sam_name() );
+ ret = lookup_name( ctx, root_name, 0, NULL, NULL, &root_sid, &type );
+ TALLOC_FREE( ctx );
+
+ if ( ret ) {
+ status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid );
+ if ( !NT_STATUS_IS_OK(status) ) {
+ DEBUG(0,("create_builtin_administrators: Failed to add root"
+ " Administrators\n"));
+ return status;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Create a NT token for the user, expanding local aliases
+*******************************************************************/
static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
const DOM_SID *user_sid,
@@ -692,6 +751,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
struct nt_user_token *result = NULL;
int i;
NTSTATUS status;
+ gid_t gid;
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
@@ -705,12 +765,15 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
goto done;
}
- /* First create the default SIDs */
+ /* Add the user and primary group sid */
add_sid_to_array(result, user_sid,
&result->user_sids, &result->num_sids);
add_sid_to_array(result, group_sid,
&result->user_sids, &result->num_sids);
+
+ /* Add in BUILTIN sids */
+
add_sid_to_array(result, &global_sid_World,
&result->user_sids, &result->num_sids);
add_sid_to_array(result, &global_sid_Network,
@@ -723,7 +786,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
add_sid_to_array(result, &global_sid_Authenticated_Users,
&result->user_sids, &result->num_sids);
}
-
+
/* Now the SIDs we got from authentication. These are the ones from
* the info3 struct or from the pdb_enum_group_memberships, depending
* on who authenticated the user. */
@@ -732,7 +795,35 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
add_sid_to_array_unique(result, &groupsids[i],
&result->user_sids, &result->num_sids);
}
+
+ /* Deal with the BUILTIN\Administrators group. If the SID can
+ be resolved then assume that the add_aliasmem( S-1-5-32 )
+ handled it. */
+
+ if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) {
+ /* We can only create a mapping if winbind is running
+ and the nested group functionality has been enabled */
+
+ if ( lp_winbind_nested_groups() ) {
+ become_root();
+ status = create_builtin_administrators( );
+ if ( !NT_STATUS_IS_OK(status) ) {
+ DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n"));
+ /* don't fail, just log the message */
+ }
+ unbecome_root();
+ }
+ else {
+ status = add_builtin_administrators( tmp_ctx, result );
+ if ( !NT_STATUS_IS_OK(status) ) {
+ result = NULL;
+ goto done;
+ }
+ }
+ }
+ /* Deal with local groups */
+
if (lp_winbind_nested_groups()) {
/* Now add the aliases. First the one from our local SAM */
@@ -752,40 +843,8 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
result = NULL;
goto done;
}
- } else {
-
- /* Play jerry's trick to auto-add local admins if we're a
- * domain admin. */
-
- DOM_SID dom_admins;
- BOOL domain_mode = False;
-
- if (IS_DC) {
- sid_compose(&dom_admins, get_global_sam_sid(),
- DOMAIN_GROUP_RID_ADMINS);
- domain_mode = True;
- }
- if ((lp_server_role() == ROLE_DOMAIN_MEMBER) &&
- (secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))) {
- sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS);
- domain_mode = True;
- }
+ }
- if (domain_mode) {
- for (i=0; i<result->num_sids; i++) {
- if (sid_equal(&dom_admins,
- &result->user_sids[i])) {
- add_sid_to_array_unique(
- result,
- &global_sid_Builtin_Administrators,
- &result->user_sids,
- &result->num_sids);
- break;
- }
- }
-
- }
- }
get_privileges_for_sids(&result->privileges, result->user_sids,
result->num_sids);
diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c
index 93e7169204..04471f9d43 100644
--- a/source3/groupdb/mapping.c
+++ b/source3/groupdb/mapping.c
@@ -3,6 +3,8 @@
* RPC Pipe client / server routines
* Copyright (C) Andrew Tridgell 1992-2000,
* Copyright (C) Jean Fran�ois Micouleau 1998-2001.
+ * Copyright (C) Volker Lendecke 2006.
+ * Copyright (C) Gerald Carter 2006.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -35,50 +37,11 @@ static TDB_CONTEXT *tdb; /* used for driver files */
*/
#define MEMBEROF_PREFIX "MEMBEROF/"
-/****************************************************************************
-initialise first time the mapping list - called from init_group_mapping()
-****************************************************************************/
-static BOOL default_group_mapping(void)
-{
- DOM_SID sid_admins;
- DOM_SID sid_users;
- DOM_SID sid_guests;
- fstring str_admins;
- fstring str_users;
- fstring str_guests;
-
- /* Add the Wellknown groups */
-
- add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "");
- add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "");
- add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "");
- add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "");
- add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "");
- add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "");
- add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "");
- add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "");
- add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "");
-
- /* Add the defaults domain groups */
-
- sid_copy(&sid_admins, get_global_sam_sid());
- sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS);
- sid_to_string(str_admins, &sid_admins);
- add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "");
-
- sid_copy(&sid_users, get_global_sam_sid());
- sid_append_rid(&sid_users, DOMAIN_GROUP_RID_USERS);
- sid_to_string(str_users, &sid_users);
- add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "");
-
- sid_copy(&sid_guests, get_global_sam_sid());
- sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS);
- sid_to_string(str_guests, &sid_guests);
- add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "");
-
- return True;
-}
+static BOOL enum_group_mapping(const DOM_SID *sid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
+ size_t *p_num_entries, BOOL unix_only);
+static BOOL group_map_remove(const DOM_SID *sid);
+
/****************************************************************************
Open the group mapping tdb.
****************************************************************************/
@@ -87,9 +50,12 @@ static BOOL init_group_mapping(void)
{
const char *vstring = "INFO/version";
int32 vers_id;
+ GROUP_MAP *map_table = NULL;
+ size_t num_entries = 0;
if (tdb)
return True;
+
tdb = tdb_open_log(lock_path("group_mapping.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
if (!tdb) {
DEBUG(0,("Failed to open group mapping database\n"));
@@ -107,6 +73,8 @@ static BOOL init_group_mapping(void)
vers_id = DATABASE_VERSION_V2;
}
+ /* if its an unknown version we remove everthing in the db */
+
if (vers_id != DATABASE_VERSION_V2) {
tdb_traverse(tdb, tdb_traverse_delete_fn, NULL);
tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
@@ -114,9 +82,20 @@ static BOOL init_group_mapping(void)
tdb_unlock_bystring(tdb, vstring);
- /* write a list of default groups */
- if(!default_group_mapping())
- return False;
+ /* cleanup any map entries with a gid == -1 */
+
+ if ( enum_group_mapping( NULL, SID_NAME_UNKNOWN, &map_table, &num_entries, False ) ) {
+ int i;
+
+ for ( i=0; i<num_entries; i++ ) {
+ if ( map_table[i].gid == -1 ) {
+ group_map_remove( &map_table[i].sid );
+ }
+ }
+
+ SAFE_FREE( map_table );
+ }
+
return True;
}
@@ -274,7 +253,7 @@ static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
DEBUG(3,("get_group_map_from_sid: tdb_unpack failure\n"));
return False;
}
-
+
sid_copy(&map->sid, &sid);
return True;
@@ -371,7 +350,7 @@ static BOOL get_group_map_from_ntname(const char *name, GROUP_MAP *map)
return False;
}
- if (StrCaseCmp(name, map->nt_name)==0) {
+ if ( strequal(name, map->nt_name) ) {
SAFE_FREE(kbuf.dptr);
return True;
}
@@ -419,7 +398,7 @@ static BOOL group_map_remove(const DOM_SID *sid)
Enumerate the group mapping.
****************************************************************************/
-static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
+static BOOL enum_group_mapping(const DOM_SID *domsid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
size_t *p_num_entries, BOOL unix_only)
{
TDB_DATA kbuf, dbuf, newkey;
@@ -428,6 +407,8 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rm
GROUP_MAP *mapt;
int ret;
size_t entries=0;
+ DOM_SID grpsid;
+ uint32 rid;
if(!init_group_mapping()) {
DEBUG(0,("failed to initialize group mapping\n"));
@@ -471,8 +452,19 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rm
continue;
}
- string_to_sid(&map.sid, string_sid);
+ string_to_sid(&grpsid, string_sid);
+ sid_copy( &map.sid, &grpsid );
+ sid_split_rid( &grpsid, &rid );
+
+ /* Only check the domain if we were given one */
+
+ if ( domsid && !sid_equal( domsid, &grpsid ) ) {
+ DEBUG(11,("enum_group_mapping: group %s is not in domain %s\n",
+ string_sid, sid_string_static(domsid)));
+ continue;
+ }
+
DEBUG(11,("enum_group_mapping: returning group %s of "
"type %s\n", map.nt_name,
sid_type_lookup(map.sid_name_use)));
@@ -1032,11 +1024,11 @@ NTSTATUS pdb_default_delete_group_mapping_entry(struct pdb_methods *methods,
}
NTSTATUS pdb_default_enum_group_mapping(struct pdb_methods *methods,
- enum SID_NAME_USE sid_name_use,
+ const DOM_SID *sid, enum SID_NAME_USE sid_name_use,
GROUP_MAP **pp_rmap, size_t *p_num_entries,
BOOL unix_only)
{
- return enum_group_mapping(sid_name_use, pp_rmap, p_num_entries, unix_only) ?
+ return enum_group_mapping(sid, sid_name_use, pp_rmap, p_num_entries, unix_only) ?
NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
}
@@ -1301,4 +1293,62 @@ BOOL pdb_set_dom_grp_info(const DOM_SID *sid, const struct acct_info *info)
return NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map));
}
+/********************************************************************
+ Really just intended to be called by smbd
+********************************************************************/
+
+NTSTATUS pdb_create_builtin_alias(uint32 rid)
+{
+ DOM_SID sid;
+ enum SID_NAME_USE type;
+ gid_t gid;
+ GROUP_MAP map;
+ TALLOC_CTX *mem_ctx;
+ NTSTATUS status;
+ const char *name = NULL;
+ fstring groupname;
+
+ DEBUG(10, ("Trying to create builtin alias %d\n", rid));
+
+ if ( !sid_compose( &sid, &global_sid_Builtin, rid ) ) {
+ return NT_STATUS_NO_SUCH_ALIAS;
+ }
+
+ if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if ( !lookup_sid(mem_ctx, &sid, NULL, &name, &type) ) {
+ TALLOC_FREE( mem_ctx );
+ return NT_STATUS_NO_SUCH_ALIAS;
+ }
+
+ /* validate RID so copy the name and move on */
+
+ fstrcpy( groupname, name );
+ TALLOC_FREE( mem_ctx );
+
+ if (!winbind_allocate_gid(&gid)) {
+ DEBUG(3, ("pdb_create_builtin_alias: Could not get a gid out of winbind\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ DEBUG(10,("Creating alias %s with gid %d\n", name, gid));
+
+ map.gid = gid;
+ sid_copy(&map.sid, &sid);
+ map.sid_name_use = SID_NAME_ALIAS;
+ fstrcpy(map.nt_name, name);
+ fstrcpy(map.comment, "");
+
+ status = pdb_add_group_mapping_entry(&map);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("pdb_create_builtin_alias: Could not add group mapping entry for alias %d "
+ "(%s)\n", rid, nt_errstr(status)));
+ }
+
+ return status;
+}
+
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index a9688c6f81..432976412d 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -242,7 +242,7 @@ struct pdb_search {
* the pdb module. Remove the latter, this might happen more often. VL.
*/
-#define PASSDB_INTERFACE_VERSION 12
+#define PASSDB_INTERFACE_VERSION 13
struct pdb_methods
{
@@ -298,7 +298,7 @@ struct pdb_methods
DOM_SID sid);
NTSTATUS (*enum_group_mapping)(struct pdb_methods *methods,
- enum SID_NAME_USE sid_name_use,
+ const DOM_SID *sid, enum SID_NAME_USE sid_name_use,
GROUP_MAP **pp_rmap, size_t *p_num_entries,
BOOL unix_only);
diff --git a/source3/nsswitch/winbindd_dual.c b/source3/nsswitch/winbindd_dual.c
index d1ad3330d4..14e0ef4ce2 100644
--- a/source3/nsswitch/winbindd_dual.c
+++ b/source3/nsswitch/winbindd_dual.c
@@ -559,7 +559,6 @@ static void child_msg_offline(int msg_type, struct process_id src, void *buf, si
static void child_msg_online(int msg_type, struct process_id src, void *buf, size_t len)
{
struct winbindd_domain *domain;
- int ret;
DEBUG(5,("child_msg_online received.\n"));
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index 38d47ca3d7..6e7a242379 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -41,8 +41,8 @@ static BOOL fill_grent(struct winbindd_gr *gr, const char *dom_name,
const char *gr_name, gid_t unix_gid)
{
fstring full_group_name;
- /* Fill in uid/gid */
- fill_domain_username(full_group_name, dom_name, gr_name);
+
+ fill_domain_username( full_group_name, dom_name, gr_name, False);
gr->gr_gid = unix_gid;
@@ -146,7 +146,7 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain,
/* Append domain name */
- fill_domain_username(name, domain->name, the_name);
+ fill_domain_username(name, domain->name, the_name, False);
len = strlen(name);
@@ -201,7 +201,8 @@ done:
void winbindd_getgrnam(struct winbindd_cli_state *state)
{
- DOM_SID group_sid;
+ DOM_SID group_sid, tmp_sid;
+ uint32 grp_rid;
struct winbindd_domain *domain;
enum SID_NAME_USE name_type;
fstring name_domain, name_group;
@@ -270,6 +271,20 @@ void winbindd_getgrnam(struct winbindd_cli_state *state)
return;
}
+ /* Make sure that the group SID is within the domain of the
+ original domain */
+
+ sid_copy( &tmp_sid, &group_sid );
+ sid_split_rid( &tmp_sid, &grp_rid );
+ if ( !sid_equal( &tmp_sid, &domain->sid ) ) {
+ DEBUG(3,("winbindd_getgrnam: group %s resolves to a SID in the wrong domain [%s]\n",
+ state->request.data.groupname, sid_string_static(&group_sid)));
+ request_error(state);
+ return;
+ }
+
+
+
/* Try to get the GID */
status = idmap_sid_to_gid(&group_sid, &gid, 0);
@@ -731,7 +746,7 @@ void winbindd_getgrent(struct winbindd_cli_state *state)
/* Fill in group entry */
fill_domain_username(domain_group_name, ent->domain_name,
- name_list[ent->sam_entry_index].acct_name);
+ name_list[ent->sam_entry_index].acct_name, False);
result = fill_grent(&group_list[group_list_ndx],
ent->domain_name,
@@ -905,7 +920,7 @@ void winbindd_list_groups(struct winbindd_cli_state *state)
groups.sam_entries)[i].acct_name;
fstring name;
- fill_domain_username(name, domain->name, group_name);
+ fill_domain_username(name, domain->name, group_name, False);
/* Append to extra data */
memcpy(&extra_data[extra_data_len], name,
strlen(name));
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 3e30d70522..d460c14769 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -1515,7 +1515,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
nt_domain = name_domain;
}
- fill_domain_username(username_out, nt_domain, nt_username);
+ fill_domain_username(username_out, nt_domain, nt_username, True);
DEBUG(5, ("Setting unix username to [%s]\n", username_out));
diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c
index 96a85a4f3a..73020cd6bc 100644
--- a/source3/nsswitch/winbindd_passdb.c
+++ b/source3/nsswitch/winbindd_passdb.c
@@ -33,7 +33,7 @@ static void add_member(const char *domain, const char *user,
{
fstring name;
- fill_domain_username(name, domain, user);
+ fill_domain_username(name, domain, user, True);
safe_strcat(name, ",", sizeof(name)-1);
string_append(pp_members, name);
*p_num_members += 1;
@@ -248,10 +248,7 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain,
if (!pdb_find_alias(name, sid))
return NT_STATUS_NONE_MAPPED;
- if (sid_check_is_in_builtin(sid))
- *type = SID_NAME_WKN_GRP;
- else
- *type = SID_NAME_ALIAS;
+ *type = SID_NAME_ALIAS;
return NT_STATUS_OK;
}
diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c
index b48284a031..9b0796fb67 100644
--- a/source3/nsswitch/winbindd_user.c
+++ b/source3/nsswitch/winbindd_user.c
@@ -97,7 +97,7 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name,
/* Username */
- fill_domain_username(output_username, dom_name, user_name);
+ fill_domain_username(output_username, dom_name, user_name, True);
safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1);
@@ -289,7 +289,7 @@ static void getpwsid_sid2gid_recv(void *private_data, BOOL success, gid_t gid)
pw = &s->state->response.data.pw;
pw->pw_uid = s->uid;
pw->pw_gid = s->gid;
- fill_domain_username(output_username, s->domain->name, s->username);
+ fill_domain_username(output_username, s->domain->name, s->username, True);
safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1);
safe_strcpy(pw->pw_gecos, s->fullname, sizeof(pw->pw_gecos) - 1);
@@ -781,7 +781,7 @@ void winbindd_list_users(struct winbindd_cli_state *state)
fstrcpy(acct_name, info[i].acct_name);
}
- fill_domain_username(name, domain->name, acct_name);
+ fill_domain_username(name, domain->name, acct_name, True);
/* Append to extra data */
memcpy(&extra_data[extra_data_len], name,
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 0678376e8f..64b4dd27a3 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -877,14 +877,14 @@ BOOL parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
username is then unqualified in unix
*/
-void fill_domain_username(fstring name, const char *domain, const char *user)
+void fill_domain_username(fstring name, const char *domain, const char *user, BOOL can_assume)
{
fstring tmp_user;
fstrcpy(tmp_user, user);
strlower_m(tmp_user);
- if (assume_domain(domain)) {
+ if (can_assume && assume_domain(domain)) {
strlcpy(name, user, sizeof(fstring));
} else {
slprintf(name, sizeof(fstring) - 1, "%s%c%s",
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index 8645c12bce..4061e7b5db 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -715,7 +715,7 @@ NTSTATUS pdb_delete_group_mapping_entry(DOM_SID sid)
return pdb->delete_group_mapping_entry(pdb, sid);
}
-BOOL pdb_enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
+BOOL pdb_enum_group_mapping(const DOM_SID *sid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
size_t *p_num_entries, BOOL unix_only)
{
struct pdb_methods *pdb = pdb_get_methods();
@@ -724,7 +724,7 @@ BOOL pdb_enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
return False;
}
- return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid_name_use,
+ return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
pp_rmap, p_num_entries, unix_only));
}
@@ -1631,7 +1631,7 @@ static BOOL lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid,
if ( rid == DOMAIN_GROUP_RID_USERS ) {
*name = talloc_strdup(mem_ctx, "None" );
- *psid_name_use = IS_DC ? SID_NAME_DOM_GRP : SID_NAME_ALIAS;
+ *psid_name_use = SID_NAME_DOM_GRP;
return True;
}
@@ -1919,7 +1919,7 @@ static void search_end_groups(struct pdb_search *search)
}
static BOOL pdb_search_grouptype(struct pdb_search *search,
- enum SID_NAME_USE type)
+ const DOM_SID *sid, enum SID_NAME_USE type)
{
struct group_search *state;
@@ -1929,7 +1929,7 @@ static BOOL pdb_search_grouptype(struct pdb_search *search,
return False;
}
- if (!pdb_enum_group_mapping(type, &state->groups, &state->num_groups,
+ if (!pdb_enum_group_mapping(sid, type, &state->groups, &state->num_groups,
True)) {
DEBUG(0, ("Could not enum groups\n"));
return False;
@@ -1945,7 +1945,7 @@ static BOOL pdb_search_grouptype(struct pdb_search *search,
static BOOL pdb_default_search_groups(struct pdb_methods *methods,
struct pdb_search *search)
{
- return pdb_search_grouptype(search, SID_NAME_DOM_GRP);
+ return pdb_search_grouptype(search, get_global_sam_sid(), SID_NAME_DOM_GRP);
}
static BOOL pdb_default_search_aliases(struct pdb_methods *methods,
@@ -1953,14 +1953,7 @@ static BOOL pdb_default_search_aliases(struct pdb_methods *methods,
const DOM_SID *sid)
{
- if (sid_equal(sid, get_global_sam_sid()))
- return pdb_search_grouptype(search, SID_NAME_ALIAS);
-
- if (sid_equal(sid, &global_sid_Builtin))
- return pdb_search_grouptype(search, SID_NAME_WKN_GRP);
-
- DEBUG(3, ("unknown domain sid: %s\n", sid_string_static(sid)));
- return False;
+ return pdb_search_grouptype(search, sid, SID_NAME_ALIAS);
}
static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search,
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 72ec883aca..b4f7e2b55c 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -3070,7 +3070,7 @@ static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
*********************************************************************/
static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
- enum SID_NAME_USE sid_name_use,
+ const DOM_SID *domsid, enum SID_NAME_USE sid_name_use,
GROUP_MAP **pp_rmap,
size_t *p_num_entries,
BOOL unix_only)
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 80c86a3079..7fe42efefb 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -1071,7 +1071,7 @@ NTSTATUS _lsa_lookup_names(pipes_struct *p,LSA_Q_LOOKUP_NAMES *q_u, LSA_R_LOOKUP
done:
- if (NT_STATUS_IS_OK(r_u->status)) {
+ if (NT_STATUS_IS_OK(r_u->status) && (num_entries != 0) ) {
if (mapped_count == 0)
r_u->status = NT_STATUS_NONE_MAPPED;
else if (mapped_count != num_entries)
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index e4dc92c08d..6a4c9f7133 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -1650,6 +1650,10 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK
names, attrs);
unbecome_root();
+ if ( NT_STATUS_EQUAL(r_u->status, NT_STATUS_NONE_MAPPED) && (num_rids == 0) ) {
+ r_u->status = NT_STATUS_OK;
+ }
+
if(!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
&hdr_name, &uni_name))
return NT_STATUS_NO_MEMORY;
@@ -2914,6 +2918,7 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A
/* Check we actually have the requested alias */
enum SID_NAME_USE type;
BOOL result;
+ gid_t gid;
become_root();
result = lookup_sid(NULL, &sid, NULL, NULL, &type);
@@ -2922,6 +2927,13 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A
if (!result || (type != SID_NAME_ALIAS)) {
return NT_STATUS_NO_SUCH_ALIAS;
}
+
+ /* make sure there is a mapping */
+
+ if ( !sid_to_gid( &sid, &gid ) ) {
+ return NT_STATUS_NO_SUCH_ALIAS;
+ }
+
}
/* associate the alias SID with the new handle. */
diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c
index fa60fcbd08..a96ac526bf 100644
--- a/source3/utils/net_groupmap.c
+++ b/source3/utils/net_groupmap.c
@@ -163,7 +163,7 @@ static int net_groupmap_list(int argc, const char **argv)
else {
GROUP_MAP *map=NULL;
/* enumerate all group mappings */
- if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED))
+ if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED))
return -1;
for (i=0; i<entries; i++) {
@@ -612,7 +612,7 @@ static int net_groupmap_cleanup(int argc, const char **argv)
GROUP_MAP *map = NULL;
size_t i, entries;
- if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries,
+ if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries,
ENUM_ALL_MAPPED)) {
d_fprintf(stderr, "Could not list group mappings\n");
return -1;
@@ -620,9 +620,6 @@ static int net_groupmap_cleanup(int argc, const char **argv)
for (i=0; i<entries; i++) {
- if (map[i].sid_name_use == SID_NAME_WKN_GRP)
- continue;
-
if (map[i].gid == -1)
printf("Group %s is not mapped\n", map[i].nt_name);