diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/auth/auth_util.c | 135 | ||||
-rw-r--r-- | source3/groupdb/mapping.c | 154 | ||||
-rw-r--r-- | source3/include/passdb.h | 4 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_dual.c | 1 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_group.c | 27 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 2 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_passdb.c | 7 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_user.c | 6 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_util.c | 4 | ||||
-rw-r--r-- | source3/passdb/pdb_interface.c | 21 | ||||
-rw-r--r-- | source3/passdb/pdb_ldap.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 12 | ||||
-rw-r--r-- | source3/utils/net_groupmap.c | 7 |
14 files changed, 253 insertions, 131 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 14aaa4c5ee..5b88945284 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -677,9 +677,68 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) return NT_STATUS_OK; } -/* - * Create a NT token for the user, expanding local aliases - */ +/******************************************************************* +*******************************************************************/ + +static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_token *token ) +{ + return NT_STATUS_OK; +} + +/******************************************************************* +*******************************************************************/ + +static NTSTATUS create_builtin_administrators( void ) +{ + NTSTATUS status; + DOM_SID dom_admins, root_sid; + fstring root_name; + enum SID_NAME_USE type; + TALLOC_CTX *ctx; + BOOL ret; + + status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to create Administrators\n")); + return status; + } + + /* add domain admins */ + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) + && secrets_fetch_domain_sid(lp_workgroup(), &dom_admins)) + { + sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); + status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to add Domain Admins" + " Administrators\n")); + return status; + } + } + + /* add root */ + if ( (ctx = talloc_init(NULL)) == NULL ) { + return NT_STATUS_NO_MEMORY; + } + fstr_sprintf( root_name, "%s\\root", get_global_sam_name() ); + ret = lookup_name( ctx, root_name, 0, NULL, NULL, &root_sid, &type ); + TALLOC_FREE( ctx ); + + if ( ret ) { + status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to add root" + " Administrators\n")); + return status; + } + } + + return NT_STATUS_OK; +} + +/******************************************************************* + Create a NT token for the user, expanding local aliases +*******************************************************************/ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, @@ -692,6 +751,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, struct nt_user_token *result = NULL; int i; NTSTATUS status; + gid_t gid; tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { @@ -705,12 +765,15 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, goto done; } - /* First create the default SIDs */ + /* Add the user and primary group sid */ add_sid_to_array(result, user_sid, &result->user_sids, &result->num_sids); add_sid_to_array(result, group_sid, &result->user_sids, &result->num_sids); + + /* Add in BUILTIN sids */ + add_sid_to_array(result, &global_sid_World, &result->user_sids, &result->num_sids); add_sid_to_array(result, &global_sid_Network, @@ -723,7 +786,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, add_sid_to_array(result, &global_sid_Authenticated_Users, &result->user_sids, &result->num_sids); } - + /* Now the SIDs we got from authentication. These are the ones from * the info3 struct or from the pdb_enum_group_memberships, depending * on who authenticated the user. */ @@ -732,7 +795,35 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, add_sid_to_array_unique(result, &groupsids[i], &result->user_sids, &result->num_sids); } + + /* Deal with the BUILTIN\Administrators group. If the SID can + be resolved then assume that the add_aliasmem( S-1-5-32 ) + handled it. */ + + if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) { + /* We can only create a mapping if winbind is running + and the nested group functionality has been enabled */ + + if ( lp_winbind_nested_groups() ) { + become_root(); + status = create_builtin_administrators( ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + /* don't fail, just log the message */ + } + unbecome_root(); + } + else { + status = add_builtin_administrators( tmp_ctx, result ); + if ( !NT_STATUS_IS_OK(status) ) { + result = NULL; + goto done; + } + } + } + /* Deal with local groups */ + if (lp_winbind_nested_groups()) { /* Now add the aliases. First the one from our local SAM */ @@ -752,40 +843,8 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, result = NULL; goto done; } - } else { - - /* Play jerry's trick to auto-add local admins if we're a - * domain admin. */ - - DOM_SID dom_admins; - BOOL domain_mode = False; - - if (IS_DC) { - sid_compose(&dom_admins, get_global_sam_sid(), - DOMAIN_GROUP_RID_ADMINS); - domain_mode = True; - } - if ((lp_server_role() == ROLE_DOMAIN_MEMBER) && - (secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))) { - sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); - domain_mode = True; - } + } - if (domain_mode) { - for (i=0; i<result->num_sids; i++) { - if (sid_equal(&dom_admins, - &result->user_sids[i])) { - add_sid_to_array_unique( - result, - &global_sid_Builtin_Administrators, - &result->user_sids, - &result->num_sids); - break; - } - } - - } - } get_privileges_for_sids(&result->privileges, result->user_sids, result->num_sids); diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c index 93e7169204..04471f9d43 100644 --- a/source3/groupdb/mapping.c +++ b/source3/groupdb/mapping.c @@ -3,6 +3,8 @@ * RPC Pipe client / server routines * Copyright (C) Andrew Tridgell 1992-2000, * Copyright (C) Jean Fran�ois Micouleau 1998-2001. + * Copyright (C) Volker Lendecke 2006. + * Copyright (C) Gerald Carter 2006. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -35,50 +37,11 @@ static TDB_CONTEXT *tdb; /* used for driver files */ */ #define MEMBEROF_PREFIX "MEMBEROF/" -/**************************************************************************** -initialise first time the mapping list - called from init_group_mapping() -****************************************************************************/ -static BOOL default_group_mapping(void) -{ - DOM_SID sid_admins; - DOM_SID sid_users; - DOM_SID sid_guests; - fstring str_admins; - fstring str_users; - fstring str_guests; - - /* Add the Wellknown groups */ - - add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", ""); - add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", ""); - add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", ""); - add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", ""); - add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", ""); - add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", ""); - add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", ""); - add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", ""); - add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", ""); - - /* Add the defaults domain groups */ - - sid_copy(&sid_admins, get_global_sam_sid()); - sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS); - sid_to_string(str_admins, &sid_admins); - add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", ""); - - sid_copy(&sid_users, get_global_sam_sid()); - sid_append_rid(&sid_users, DOMAIN_GROUP_RID_USERS); - sid_to_string(str_users, &sid_users); - add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", ""); - - sid_copy(&sid_guests, get_global_sam_sid()); - sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS); - sid_to_string(str_guests, &sid_guests); - add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", ""); - - return True; -} +static BOOL enum_group_mapping(const DOM_SID *sid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap, + size_t *p_num_entries, BOOL unix_only); +static BOOL group_map_remove(const DOM_SID *sid); + /**************************************************************************** Open the group mapping tdb. ****************************************************************************/ @@ -87,9 +50,12 @@ static BOOL init_group_mapping(void) { const char *vstring = "INFO/version"; int32 vers_id; + GROUP_MAP *map_table = NULL; + size_t num_entries = 0; if (tdb) return True; + tdb = tdb_open_log(lock_path("group_mapping.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600); if (!tdb) { DEBUG(0,("Failed to open group mapping database\n")); @@ -107,6 +73,8 @@ static BOOL init_group_mapping(void) vers_id = DATABASE_VERSION_V2; } + /* if its an unknown version we remove everthing in the db */ + if (vers_id != DATABASE_VERSION_V2) { tdb_traverse(tdb, tdb_traverse_delete_fn, NULL); tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2); @@ -114,9 +82,20 @@ static BOOL init_group_mapping(void) tdb_unlock_bystring(tdb, vstring); - /* write a list of default groups */ - if(!default_group_mapping()) - return False; + /* cleanup any map entries with a gid == -1 */ + + if ( enum_group_mapping( NULL, SID_NAME_UNKNOWN, &map_table, &num_entries, False ) ) { + int i; + + for ( i=0; i<num_entries; i++ ) { + if ( map_table[i].gid == -1 ) { + group_map_remove( &map_table[i].sid ); + } + } + + SAFE_FREE( map_table ); + } + return True; } @@ -274,7 +253,7 @@ static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map) DEBUG(3,("get_group_map_from_sid: tdb_unpack failure\n")); return False; } - + sid_copy(&map->sid, &sid); return True; @@ -371,7 +350,7 @@ static BOOL get_group_map_from_ntname(const char *name, GROUP_MAP *map) return False; } - if (StrCaseCmp(name, map->nt_name)==0) { + if ( strequal(name, map->nt_name) ) { SAFE_FREE(kbuf.dptr); return True; } @@ -419,7 +398,7 @@ static BOOL group_map_remove(const DOM_SID *sid) Enumerate the group mapping. ****************************************************************************/ -static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap, +static BOOL enum_group_mapping(const DOM_SID *domsid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap, size_t *p_num_entries, BOOL unix_only) { TDB_DATA kbuf, dbuf, newkey; @@ -428,6 +407,8 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rm GROUP_MAP *mapt; int ret; size_t entries=0; + DOM_SID grpsid; + uint32 rid; if(!init_group_mapping()) { DEBUG(0,("failed to initialize group mapping\n")); @@ -471,8 +452,19 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rm continue; } - string_to_sid(&map.sid, string_sid); + string_to_sid(&grpsid, string_sid); + sid_copy( &map.sid, &grpsid ); + sid_split_rid( &grpsid, &rid ); + + /* Only check the domain if we were given one */ + + if ( domsid && !sid_equal( domsid, &grpsid ) ) { + DEBUG(11,("enum_group_mapping: group %s is not in domain %s\n", + string_sid, sid_string_static(domsid))); + continue; + } + DEBUG(11,("enum_group_mapping: returning group %s of " "type %s\n", map.nt_name, sid_type_lookup(map.sid_name_use))); @@ -1032,11 +1024,11 @@ NTSTATUS pdb_default_delete_group_mapping_entry(struct pdb_methods *methods, } NTSTATUS pdb_default_enum_group_mapping(struct pdb_methods *methods, - enum SID_NAME_USE sid_name_use, + const DOM_SID *sid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap, size_t *p_num_entries, BOOL unix_only) { - return enum_group_mapping(sid_name_use, pp_rmap, p_num_entries, unix_only) ? + return enum_group_mapping(sid, sid_name_use, pp_rmap, p_num_entries, unix_only) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL; } @@ -1301,4 +1293,62 @@ BOOL pdb_set_dom_grp_info(const DOM_SID *sid, const struct acct_info *info) return NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map)); } +/******************************************************************** + Really just intended to be called by smbd +********************************************************************/ + +NTSTATUS pdb_create_builtin_alias(uint32 rid) +{ + DOM_SID sid; + enum SID_NAME_USE type; + gid_t gid; + GROUP_MAP map; + TALLOC_CTX *mem_ctx; + NTSTATUS status; + const char *name = NULL; + fstring groupname; + + DEBUG(10, ("Trying to create builtin alias %d\n", rid)); + + if ( !sid_compose( &sid, &global_sid_Builtin, rid ) ) { + return NT_STATUS_NO_SUCH_ALIAS; + } + + if ( (mem_ctx = talloc_new(NULL)) == NULL ) { + return NT_STATUS_NO_MEMORY; + } + + if ( !lookup_sid(mem_ctx, &sid, NULL, &name, &type) ) { + TALLOC_FREE( mem_ctx ); + return NT_STATUS_NO_SUCH_ALIAS; + } + + /* validate RID so copy the name and move on */ + + fstrcpy( groupname, name ); + TALLOC_FREE( mem_ctx ); + + if (!winbind_allocate_gid(&gid)) { + DEBUG(3, ("pdb_create_builtin_alias: Could not get a gid out of winbind\n")); + return NT_STATUS_ACCESS_DENIED; + } + + DEBUG(10,("Creating alias %s with gid %d\n", name, gid)); + + map.gid = gid; + sid_copy(&map.sid, &sid); + map.sid_name_use = SID_NAME_ALIAS; + fstrcpy(map.nt_name, name); + fstrcpy(map.comment, ""); + + status = pdb_add_group_mapping_entry(&map); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("pdb_create_builtin_alias: Could not add group mapping entry for alias %d " + "(%s)\n", rid, nt_errstr(status))); + } + + return status; +} + diff --git a/source3/include/passdb.h b/source3/include/passdb.h index a9688c6f81..432976412d 100644 --- a/source3/include/passdb.h +++ b/source3/include/passdb.h @@ -242,7 +242,7 @@ struct pdb_search { * the pdb module. Remove the latter, this might happen more often. VL. */ -#define PASSDB_INTERFACE_VERSION 12 +#define PASSDB_INTERFACE_VERSION 13 struct pdb_methods { @@ -298,7 +298,7 @@ struct pdb_methods DOM_SID sid); NTSTATUS (*enum_group_mapping)(struct pdb_methods *methods, - enum SID_NAME_USE sid_name_use, + const DOM_SID *sid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap, size_t *p_num_entries, BOOL unix_only); diff --git a/source3/nsswitch/winbindd_dual.c b/source3/nsswitch/winbindd_dual.c index d1ad3330d4..14e0ef4ce2 100644 --- a/source3/nsswitch/winbindd_dual.c +++ b/source3/nsswitch/winbindd_dual.c @@ -559,7 +559,6 @@ static void child_msg_offline(int msg_type, struct process_id src, void *buf, si static void child_msg_online(int msg_type, struct process_id src, void *buf, size_t len) { struct winbindd_domain *domain; - int ret; DEBUG(5,("child_msg_online received.\n")); diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c index 38d47ca3d7..6e7a242379 100644 --- a/source3/nsswitch/winbindd_group.c +++ b/source3/nsswitch/winbindd_group.c @@ -41,8 +41,8 @@ static BOOL fill_grent(struct winbindd_gr *gr, const char *dom_name, const char *gr_name, gid_t unix_gid) { fstring full_group_name; - /* Fill in uid/gid */ - fill_domain_username(full_group_name, dom_name, gr_name); + + fill_domain_username( full_group_name, dom_name, gr_name, False); gr->gr_gid = unix_gid; @@ -146,7 +146,7 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain, /* Append domain name */ - fill_domain_username(name, domain->name, the_name); + fill_domain_username(name, domain->name, the_name, False); len = strlen(name); @@ -201,7 +201,8 @@ done: void winbindd_getgrnam(struct winbindd_cli_state *state) { - DOM_SID group_sid; + DOM_SID group_sid, tmp_sid; + uint32 grp_rid; struct winbindd_domain *domain; enum SID_NAME_USE name_type; fstring name_domain, name_group; @@ -270,6 +271,20 @@ void winbindd_getgrnam(struct winbindd_cli_state *state) return; } + /* Make sure that the group SID is within the domain of the + original domain */ + + sid_copy( &tmp_sid, &group_sid ); + sid_split_rid( &tmp_sid, &grp_rid ); + if ( !sid_equal( &tmp_sid, &domain->sid ) ) { + DEBUG(3,("winbindd_getgrnam: group %s resolves to a SID in the wrong domain [%s]\n", + state->request.data.groupname, sid_string_static(&group_sid))); + request_error(state); + return; + } + + + /* Try to get the GID */ status = idmap_sid_to_gid(&group_sid, &gid, 0); @@ -731,7 +746,7 @@ void winbindd_getgrent(struct winbindd_cli_state *state) /* Fill in group entry */ fill_domain_username(domain_group_name, ent->domain_name, - name_list[ent->sam_entry_index].acct_name); + name_list[ent->sam_entry_index].acct_name, False); result = fill_grent(&group_list[group_list_ndx], ent->domain_name, @@ -905,7 +920,7 @@ void winbindd_list_groups(struct winbindd_cli_state *state) groups.sam_entries)[i].acct_name; fstring name; - fill_domain_username(name, domain->name, group_name); + fill_domain_username(name, domain->name, group_name, False); /* Append to extra data */ memcpy(&extra_data[extra_data_len], name, strlen(name)); diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 3e30d70522..d460c14769 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -1515,7 +1515,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, nt_domain = name_domain; } - fill_domain_username(username_out, nt_domain, nt_username); + fill_domain_username(username_out, nt_domain, nt_username, True); DEBUG(5, ("Setting unix username to [%s]\n", username_out)); diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c index 96a85a4f3a..73020cd6bc 100644 --- a/source3/nsswitch/winbindd_passdb.c +++ b/source3/nsswitch/winbindd_passdb.c @@ -33,7 +33,7 @@ static void add_member(const char *domain, const char *user, { fstring name; - fill_domain_username(name, domain, user); + fill_domain_username(name, domain, user, True); safe_strcat(name, ",", sizeof(name)-1); string_append(pp_members, name); *p_num_members += 1; @@ -248,10 +248,7 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain, if (!pdb_find_alias(name, sid)) return NT_STATUS_NONE_MAPPED; - if (sid_check_is_in_builtin(sid)) - *type = SID_NAME_WKN_GRP; - else - *type = SID_NAME_ALIAS; + *type = SID_NAME_ALIAS; return NT_STATUS_OK; } diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c index b48284a031..9b0796fb67 100644 --- a/source3/nsswitch/winbindd_user.c +++ b/source3/nsswitch/winbindd_user.c @@ -97,7 +97,7 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name, /* Username */ - fill_domain_username(output_username, dom_name, user_name); + fill_domain_username(output_username, dom_name, user_name, True); safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1); @@ -289,7 +289,7 @@ static void getpwsid_sid2gid_recv(void *private_data, BOOL success, gid_t gid) pw = &s->state->response.data.pw; pw->pw_uid = s->uid; pw->pw_gid = s->gid; - fill_domain_username(output_username, s->domain->name, s->username); + fill_domain_username(output_username, s->domain->name, s->username, True); safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1); safe_strcpy(pw->pw_gecos, s->fullname, sizeof(pw->pw_gecos) - 1); @@ -781,7 +781,7 @@ void winbindd_list_users(struct winbindd_cli_state *state) fstrcpy(acct_name, info[i].acct_name); } - fill_domain_username(name, domain->name, acct_name); + fill_domain_username(name, domain->name, acct_name, True); /* Append to extra data */ memcpy(&extra_data[extra_data_len], name, diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c index 0678376e8f..64b4dd27a3 100644 --- a/source3/nsswitch/winbindd_util.c +++ b/source3/nsswitch/winbindd_util.c @@ -877,14 +877,14 @@ BOOL parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser, username is then unqualified in unix */ -void fill_domain_username(fstring name, const char *domain, const char *user) +void fill_domain_username(fstring name, const char *domain, const char *user, BOOL can_assume) { fstring tmp_user; fstrcpy(tmp_user, user); strlower_m(tmp_user); - if (assume_domain(domain)) { + if (can_assume && assume_domain(domain)) { strlcpy(name, user, sizeof(fstring)); } else { slprintf(name, sizeof(fstring) - 1, "%s%c%s", diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index 8645c12bce..4061e7b5db 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -715,7 +715,7 @@ NTSTATUS pdb_delete_group_mapping_entry(DOM_SID sid) return pdb->delete_group_mapping_entry(pdb, sid); } -BOOL pdb_enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap, +BOOL pdb_enum_group_mapping(const DOM_SID *sid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap, size_t *p_num_entries, BOOL unix_only) { struct pdb_methods *pdb = pdb_get_methods(); @@ -724,7 +724,7 @@ BOOL pdb_enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap, return False; } - return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid_name_use, + return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use, pp_rmap, p_num_entries, unix_only)); } @@ -1631,7 +1631,7 @@ static BOOL lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid, if ( rid == DOMAIN_GROUP_RID_USERS ) { *name = talloc_strdup(mem_ctx, "None" ); - *psid_name_use = IS_DC ? SID_NAME_DOM_GRP : SID_NAME_ALIAS; + *psid_name_use = SID_NAME_DOM_GRP; return True; } @@ -1919,7 +1919,7 @@ static void search_end_groups(struct pdb_search *search) } static BOOL pdb_search_grouptype(struct pdb_search *search, - enum SID_NAME_USE type) + const DOM_SID *sid, enum SID_NAME_USE type) { struct group_search *state; @@ -1929,7 +1929,7 @@ static BOOL pdb_search_grouptype(struct pdb_search *search, return False; } - if (!pdb_enum_group_mapping(type, &state->groups, &state->num_groups, + if (!pdb_enum_group_mapping(sid, type, &state->groups, &state->num_groups, True)) { DEBUG(0, ("Could not enum groups\n")); return False; @@ -1945,7 +1945,7 @@ static BOOL pdb_search_grouptype(struct pdb_search *search, static BOOL pdb_default_search_groups(struct pdb_methods *methods, struct pdb_search *search) { - return pdb_search_grouptype(search, SID_NAME_DOM_GRP); + return pdb_search_grouptype(search, get_global_sam_sid(), SID_NAME_DOM_GRP); } static BOOL pdb_default_search_aliases(struct pdb_methods *methods, @@ -1953,14 +1953,7 @@ static BOOL pdb_default_search_aliases(struct pdb_methods *methods, const DOM_SID *sid) { - if (sid_equal(sid, get_global_sam_sid())) - return pdb_search_grouptype(search, SID_NAME_ALIAS); - - if (sid_equal(sid, &global_sid_Builtin)) - return pdb_search_grouptype(search, SID_NAME_WKN_GRP); - - DEBUG(3, ("unknown domain sid: %s\n", sid_string_static(sid))); - return False; + return pdb_search_grouptype(search, sid, SID_NAME_ALIAS); } static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search, diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index 72ec883aca..b4f7e2b55c 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -3070,7 +3070,7 @@ static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods, *********************************************************************/ static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods, - enum SID_NAME_USE sid_name_use, + const DOM_SID *domsid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap, size_t *p_num_entries, BOOL unix_only) diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index 80c86a3079..7fe42efefb 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -1071,7 +1071,7 @@ NTSTATUS _lsa_lookup_names(pipes_struct *p,LSA_Q_LOOKUP_NAMES *q_u, LSA_R_LOOKUP done: - if (NT_STATUS_IS_OK(r_u->status)) { + if (NT_STATUS_IS_OK(r_u->status) && (num_entries != 0) ) { if (mapped_count == 0) r_u->status = NT_STATUS_NONE_MAPPED; else if (mapped_count != num_entries) diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e4dc92c08d..6a4c9f7133 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -1650,6 +1650,10 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK names, attrs); unbecome_root(); + if ( NT_STATUS_EQUAL(r_u->status, NT_STATUS_NONE_MAPPED) && (num_rids == 0) ) { + r_u->status = NT_STATUS_OK; + } + if(!make_samr_lookup_rids(p->mem_ctx, num_rids, names, &hdr_name, &uni_name)) return NT_STATUS_NO_MEMORY; @@ -2914,6 +2918,7 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A /* Check we actually have the requested alias */ enum SID_NAME_USE type; BOOL result; + gid_t gid; become_root(); result = lookup_sid(NULL, &sid, NULL, NULL, &type); @@ -2922,6 +2927,13 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A if (!result || (type != SID_NAME_ALIAS)) { return NT_STATUS_NO_SUCH_ALIAS; } + + /* make sure there is a mapping */ + + if ( !sid_to_gid( &sid, &gid ) ) { + return NT_STATUS_NO_SUCH_ALIAS; + } + } /* associate the alias SID with the new handle. */ diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c index fa60fcbd08..a96ac526bf 100644 --- a/source3/utils/net_groupmap.c +++ b/source3/utils/net_groupmap.c @@ -163,7 +163,7 @@ static int net_groupmap_list(int argc, const char **argv) else { GROUP_MAP *map=NULL; /* enumerate all group mappings */ - if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED)) + if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED)) return -1; for (i=0; i<entries; i++) { @@ -612,7 +612,7 @@ static int net_groupmap_cleanup(int argc, const char **argv) GROUP_MAP *map = NULL; size_t i, entries; - if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries, + if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED)) { d_fprintf(stderr, "Could not list group mappings\n"); return -1; @@ -620,9 +620,6 @@ static int net_groupmap_cleanup(int argc, const char **argv) for (i=0; i<entries; i++) { - if (map[i].sid_name_use == SID_NAME_WKN_GRP) - continue; - if (map[i].gid == -1) printf("Group %s is not mapped\n", map[i].nt_name); |