From 8b232cbb3e44179bb48fe000c9236678f65b8c25 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 3 May 2003 01:29:18 +0000 Subject: fixes to *_util.c files add winbindd_passdb backend this makes it possible to have nua accounts on security = user servers to show up in unic through nss_winbind.so the problem is that we do not have group support, so nss group support is not very good at this time (read: totally absent) we NEED group support in passdb (This used to be commit 921215cf4bfbd4d7457f81e181bb1a74a4531ca1) --- source3/Makefile.in | 3 +- source3/nsswitch/winbindd_cache.c | 7 +- source3/nsswitch/winbindd_passdb.c | 360 +++++++++++++++++++++++++++++++++++++ source3/sam/idmap_util.c | 61 +++++-- 4 files changed, 416 insertions(+), 15 deletions(-) create mode 100644 source3/nsswitch/winbindd_passdb.c (limited to 'source3') diff --git a/source3/Makefile.in b/source3/Makefile.in index f9e4ee8038..5e28f6eb4f 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -600,7 +600,8 @@ WINBINDD_OBJ1 = \ nsswitch/winbindd_wins.o \ nsswitch/winbindd_rpc.o \ nsswitch/winbindd_ads.o \ - nsswitch/winbindd_dual.o + nsswitch/winbindd_dual.o \ + nsswitch/winbindd_passdb.o WINBINDD_OBJ = \ $(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \ diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c index 5eabcfca20..27e168b6f9 100644 --- a/source3/nsswitch/winbindd_cache.c +++ b/source3/nsswitch/winbindd_cache.c @@ -100,7 +100,12 @@ static struct winbind_cache *get_cache(struct winbindd_domain *domain) ret = smb_xmalloc(sizeof(*ret)); ZERO_STRUCTP(ret); - switch (lp_security()) { + + if (!strcmp(domain->name, lp_workgroup()) && (lp_security() == SEC_USER)) { + extern struct winbindd_methods passdb_methods; + ret->backend = &passdb_methods; + + } else switch (lp_security()) { #ifdef HAVE_ADS case SEC_ADS: { extern struct winbindd_methods ads_methods; diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c new file mode 100644 index 0000000000..503b97899c --- /dev/null +++ b/source3/nsswitch/winbindd_passdb.c @@ -0,0 +1,360 @@ +/* + Unix SMB/CIFS implementation. + + Winbind rpc backend functions + + Copyright (C) Tim Potter 2000-2001,2003 + Copyright (C) Simo Sorce 2003 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "winbindd.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_WINBIND + + +/* Query display info for a domain. This returns enough information plus a + bit extra to give an overview of domain users for the User Manager + application. */ +static NTSTATUS query_user_list(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *num_entries, + WINBIND_USERINFO **info) +{ + SAM_ACCOUNT *sam_account = NULL; + NTSTATUS result; + uint32 i; + + DEBUG(3,("pdb: query_user_list\n")); + + if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) { + return result; + } + + i = 0; + *info = NULL; + + if (pdb_setsampwent(False)) { + + while (pdb_getsampwent(sam_account)) { + + /* we return only nua accounts, or we will have duplicates */ + if (!idmap_check_sid_is_in_free_range(pdb_get_user_sid(sam_account))) { + continue; + } + + *info = talloc_realloc(mem_ctx, *info, (i + 1) * sizeof(WINBIND_USERINFO)); + if (!(*info)) { + DEBUG(0,("query_user_list: out of memory!\n")); + result = NT_STATUS_NO_MEMORY; + break; + } + + (*info)[i].user_sid = talloc(mem_ctx, sizeof(DOM_SID)); + (*info)[i].group_sid = talloc(mem_ctx, sizeof(DOM_SID)); + if (!((*info)[i].user_sid) || !((*info)[i].group_sid)) { + DEBUG(0,("query_user_list: out of memory!\n")); + result = NT_STATUS_NO_MEMORY; + break; + } + sid_copy((*info)[i].user_sid, pdb_get_user_sid(sam_account)); + sid_copy((*info)[i].group_sid, pdb_get_group_sid(sam_account)); + + (*info)[i].acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account)); + (*info)[i].full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account)); + if (!((*info)[i].acct_name) || !((*info)[i].full_name)) { + DEBUG(0,("query_user_list: out of memory!\n")); + result = NT_STATUS_NO_MEMORY; + break; + } + + i++; + + if (NT_STATUS_IS_ERR(pdb_reset_sam(sam_account))) { + result = NT_STATUS_UNSUCCESSFUL; + break; + } + } + + *num_entries = i; + result = NT_STATUS_OK; + + } else { + result = NT_STATUS_UNSUCCESSFUL; + } + + pdb_free_sam(&sam_account); + return result; +} + +/* list all domain groups */ +static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *num_entries, + struct acct_info **info) +{ + NTSTATUS result = NT_STATUS_OK; + + DEBUG(3,("pdb: enum_dom_groups (group support not implemented)\n")); + + *num_entries = 0; + *info = 0; + + return result; +} + +/* List all domain groups */ + +static NTSTATUS enum_local_groups(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *num_entries, + struct acct_info **info) +{ + NTSTATUS result = NT_STATUS_OK; + + DEBUG(3,("pdb: enum_local_groups (group support not implemented)\n")); + + *num_entries = 0; + *info = 0; + + return result; +} + +/* convert a single name to a sid in a domain */ +static NTSTATUS name_to_sid(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const char *name, + DOM_SID *sid, + enum SID_NAME_USE *type) +{ + SAM_ACCOUNT *sam_account = NULL; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + + DEBUG(3,("pdb: name_to_sid name=%s (group support not implemented)\n", name)); + + if (NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) { + if (!pdb_getsampwnam(sam_account, name)) { + result = NT_STATUS_UNSUCCESSFUL; + } else { /* it is a sam user */ + sid_copy(sid, pdb_get_user_sid(sam_account)); + *type = SID_NAME_USER; + result = NT_STATUS_OK; + } + } + + pdb_free_sam(&sam_account); + return result; +} + +/* + convert a domain SID to a user or group name +*/ +static NTSTATUS sid_to_name(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + DOM_SID *sid, + char **name, + enum SID_NAME_USE *type) +{ + SAM_ACCOUNT *sam_account = NULL; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + uint32 id; + + DEBUG(3,("pdb: sid_to_name sid=%s\n", sid_string_static(sid))); + + if (NT_STATUS_IS_OK(sid_to_uid(sid, &id))) { /* this is a user */ + + if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) { + return result; + } + + if (!pdb_getsampwsid(sam_account, sid)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + *name = talloc_strdup(mem_ctx, pdb_get_username(sam_account)); + if (!(*name)) { + DEBUG(0,("query_user: out of memory!\n")); + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + pdb_free_sam(&sam_account); + *type = SID_NAME_USER; + result = NT_STATUS_OK; + + } else if (NT_STATUS_IS_OK(sid_to_gid(sid, &id))) { /* this is a group */ + + DEBUG(3,("pdb: sid_to_name: group support not implemented\n")); + result = NT_STATUS_UNSUCCESSFUL; + } + + return result; +} + +/* Lookup user information from a rid or username. */ +static NTSTATUS query_user(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + DOM_SID *user_sid, + WINBIND_USERINFO *user_info) +{ + SAM_ACCOUNT *sam_account = NULL; + NTSTATUS result; + + DEBUG(3,("pdb: query_user sid=%s\n", sid_string_static(user_sid))); + + if (NT_STATUS_IS_ERR(result = pdb_init_sam(&sam_account))) { + return result; + } + + if (!pdb_getsampwsid(sam_account, user_sid)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + /* we return only nua accounts, or we will have duplicates */ + if (!idmap_check_sid_is_in_free_range(user_sid)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + user_info->user_sid = talloc(mem_ctx, sizeof(DOM_SID)); + user_info->group_sid = talloc(mem_ctx, sizeof(DOM_SID)); + if (!(user_info->user_sid) || !(user_info->group_sid)) { + DEBUG(0,("query_user: out of memory!\n")); + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + sid_copy(user_info->user_sid, pdb_get_user_sid(sam_account)); + sid_copy(user_info->group_sid, pdb_get_group_sid(sam_account)); + + user_info->acct_name = talloc_strdup(mem_ctx, pdb_get_username(sam_account)); + user_info->full_name = talloc_strdup(mem_ctx, pdb_get_fullname(sam_account)); + if (!(user_info->acct_name) || !(user_info->full_name)) { + DEBUG(0,("query_user: out of memory!\n")); + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + pdb_free_sam(&sam_account); + return NT_STATUS_OK; +} + +/* Lookup groups a user is a member of. I wish Unix had a call like this! */ +static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + DOM_SID *user_sid, + uint32 *num_groups, DOM_SID ***user_gids) +{ + NTSTATUS result = NT_STATUS_OK; + + DEBUG(3,("pdb: lookup_usergroups (group support not implemented)\n")); + + num_groups = 0; + user_gids = 0; + + return result; +} + + +/* Lookup group membership given a rid. */ +static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + DOM_SID *group_sid, uint32 *num_names, + DOM_SID ***sid_mem, char ***names, + uint32 **name_types) +{ + NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED; + + DEBUG(3,("pdb: lookup_groupmem (group support not implemented)\n")); + + num_names = 0; + sid_mem = 0; + names = 0; + name_types = 0; + + return result; +} + +/* find the sequence number for a domain */ +static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) +{ + /* FIXME: we fake up the seq_num untill our passdb support it */ + static uint32 seq_num; + + DEBUG(3,("pdb: sequence_number\n")); + + *seq = seq_num++; + + return NT_STATUS_OK; +} + +/* get a list of trusted domains */ +static NTSTATUS trusted_domains(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 *num_domains, + char ***names, + char ***alt_names, + DOM_SID **dom_sids) +{ + NTSTATUS result = NT_STATUS_NOT_IMPLEMENTED; + + DEBUG(3,("pdb: trusted_domains (todo!)\n")); + + return result; +} + +/* find the domain sid for a domain */ +static NTSTATUS domain_sid(struct winbindd_domain *domain, DOM_SID *sid) +{ + DEBUG(3,("pdb: domain_sid\n")); + + if (strcmp(domain->name, lp_workgroup())) { + return NT_STATUS_INVALID_PARAMETER; + } else { + sid_copy(sid, get_global_sam_sid()); + return NT_STATUS_OK; + } +} + +/* find alternate names list for the domain + * should we look for netbios aliases?? + SSS */ +static NTSTATUS alternate_name(struct winbindd_domain *domain) +{ + DEBUG(3,("pdb: alternate_name\n")); + + return NT_STATUS_OK; +} + + +/* the rpc backend methods are exposed via this structure */ +struct winbindd_methods passdb_methods = { + False, + query_user_list, + enum_dom_groups, + enum_local_groups, + name_to_sid, + sid_to_name, + query_user, + lookup_usergroups, + lookup_groupmem, + sequence_number, + trusted_domains, + domain_sid, + alternate_name +}; diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c index 5d7adcdc04..e0c492542b 100644 --- a/source3/sam/idmap_util.c +++ b/source3/sam/idmap_util.c @@ -62,6 +62,24 @@ BOOL idmap_check_rid_is_in_free_range(uint32 rid) return True; } +/* if it is a foreign SID or if the SID is in the free range, return true */ + +BOOL idmap_check_sid_is_in_free_range(const DOM_SID *sid) +{ + if (sid_compare_domain(get_global_sam_sid(), sid) == 0) { + + uint32 rid; + + if (sid_peek_rid(sid, &rid)) { + return idmap_check_rid_is_in_free_range(rid); + } + + return False; + } + + return True; +} + /****************************************************************** * Get the the non-algorithmic RID range if idmap range are defined ******************************************************************/ @@ -196,7 +214,6 @@ NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid) { NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; BOOL fallback = False; - uint32 rid; unid_t id; int flags; @@ -204,20 +221,30 @@ NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid) flags = ID_USERID; if (!lp_idmap_only()) { - if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) { - if (!idmap_check_rid_is_in_free_range(rid)) { - flags |= ID_NOMAP; - fallback = True; - } + if (!idmap_check_sid_is_in_free_range(sid)) { + flags |= ID_NOMAP; + fallback = True; } } if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) { + DEBUG(10,("sid_to_uid: uid = [%d]\n", id.uid)); + *uid = id.uid; ret = NT_STATUS_OK; + } else if (fallback) { + uint32 rid; + + if (!sid_peek_rid(sid, &rid)) { + DEBUG(10,("sid_to_uid: invalid SID!\n")); + ret = NT_STATUS_INVALID_PARAMETER; + goto done; + } + DEBUG(10,("sid_to_uid: Fall back to algorithmic mapping\n")); + if (!fallback_pdb_rid_is_user(rid)) { DEBUG(3, ("sid_to_uid: SID %s is *NOT* a user\n", sid_string_static(sid))); ret = NT_STATUS_UNSUCCESSFUL; @@ -228,6 +255,7 @@ NTSTATUS sid_to_uid(const DOM_SID *sid, uid_t *uid) } } +done: return ret; } @@ -252,21 +280,26 @@ NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid) flags = ID_GROUPID; if (!lp_idmap_only()) { - if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) { - if (!idmap_check_rid_is_in_free_range(rid)) { - flags |= ID_NOMAP; - fallback = True; - } + if (!idmap_check_sid_is_in_free_range(sid)) { + flags |= ID_NOMAP; + fallback = True; } } if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &flags, sid))) { + DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid)); *gid = id.gid; ret = NT_STATUS_OK; + } else if (fallback) { - GROUP_MAP map; - BOOL result; + uint32 rid; + + if (!sid_peek_rid(sid, &rid)) { + DEBUG(10,("sid_to_uid: invalid SID!\n")); + ret = NT_STATUS_INVALID_PARAMETER; + goto done; + } DEBUG(10,("sid_to_gid: Fall back to algorithmic mapping\n")); @@ -280,6 +313,7 @@ NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid) } } +done: return ret; } @@ -338,5 +372,6 @@ BOOL idmap_init_wellknown_sids(void) } } + passwd_free(&pass); return True; } -- cgit