/* Unix SMB/CIFS implementation. mapping routines for SID <-> unix uid/gid Copyright (C) Andrew Tridgell 2004 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ #include "includes.h" #include "system/passwd.h" #include "dsdb/common/flags.h" #include "dsdb/samdb/samdb.h" #include "auth/auth.h" #include "libcli/ldap/ldap_ndr.h" #include "lib/ldb/include/ldb.h" #include "util/util_ldb.h" #include "libcli/security/security.h" #include "param/param.h" /* these are used for the fallback local uid/gid to sid mapping code. */ #define SIDMAP_LOCAL_USER_BASE 0x80000000 #define SIDMAP_LOCAL_GROUP_BASE 0xC0000000 #define SIDMAP_MAX_LOCAL_UID 0x3fffffff #define SIDMAP_MAX_LOCAL_GID 0x3fffffff /* private context for sid mapping routines */ struct sidmap_context { struct ldb_context *samctx; }; /* open a sidmap context - use talloc_free to close */ _PUBLIC_ struct sidmap_context *sidmap_open(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx) { struct sidmap_context *sidmap; sidmap = talloc(mem_ctx, struct sidmap_context); if (sidmap == NULL) { return NULL; } sidmap->samctx = samdb_connect(sidmap, lp_ctx, system_session(sidmap, lp_ctx)); if (sidmap->samctx == NULL) { talloc_free(sidmap); return NULL; } return sidmap; } /* check the sAMAccountType field of a search result to see if the account is a user account */ static bool is_user_account(struct ldb_message *res) { uint_t atype = samdb_result_uint(res, "sAMAccountType", 0); if (atype && (!(atype & ATYPE_ACCOUNT))) { return false; } return true; } /* check the sAMAccountType field of a search result to see if the account is a group account */ static bool is_group_account(struct ldb_message *res) { uint_t atype = samdb_result_uint(res, "sAMAccountType", 0); if (atype && atype == ATYPE_NORMAL_ACCOUNT) { return false; } return true; } /* return the dom_sid of our primary domain */ static NTSTATUS sidmap_primary_domain_sid(struct sidmap_context *sidmap, TALLOC_CTX *mem_ctx, struct dom_sid **sid) { const char *attrs[] = { "objectSid", NULL }; int ret; struct ldb_message **res = NULL; ret = gendb_search_dn(sidmap->samctx, mem_ctx, NULL, &res, attrs); if (ret != 1) { talloc_free(res); return NT_STATUS_NO_SUCH_DOMAIN; } *sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid"); talloc_free(res); if (*sid == NULL) { return NT_STATUS_NO_MEMORY; } return NT_STATUS_OK; } /* map a sid to a unix uid */ _PUBLIC_ NTSTATUS sidmap_sid_to_unixuid(struct sidmap_context *sidmap, const struct dom_sid *sid, uid_t *uid) { const char *attrs[] = { "sAMAccountName", "uidNumber", "sAMAccountType", "unixName", NULL }; int ret; const char *s; TALLOC_CTX *tmp_ctx; struct ldb_message **res; struct dom_sid *domain_sid; NTSTATUS status; tmp_ctx = talloc_new(sidmap); ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs, "objectSid=%s", ldap_encode_ndr_dom_sid(tmp_ctx, sid)); if (ret != 1) { goto allocated_sid; } /* make sure its a user, not a group */ if (!is_user_account(res[0])) { DEBUG(0,("sid_to_unixuid: sid %s is not an account!\n", dom_sid_string(tmp_ctx, sid))); talloc_free(tmp_ctx); return NT_STATUS_INVALID_SID; } /* first try to get the uid directly */ s = samdb_result_string(res[0], "uidNumber", NULL); if (s != NULL) { *uid = strtoul(s, NULL, 0); talloc_free(tmp_ctx); return NT_STATUS_OK; } /* next try via the UnixName attribute */ s = samdb_result_string(res[0], "unixName", NULL); if (s != NULL) { struct passwd *pwd = getpwnam(s); if (!pwd) { DEBUG(0,("unixName %s for sid %s does not exist as a local user\n", s, dom_sid_string(tmp_ctx, sid))); talloc_free(tmp_ctx); return NT_STATUS_NO_SUCH_USER; } *uid = pwd->pw_uid; talloc_free(tmp_ctx); return NT_STATUS_OK; } /* finally try via the sAMAccountName attribute */ s = samdb_result_string(res[0], "sAMAccountName", NULL); if (s != NULL) { struct passwd *pwd = getpwnam(s); if (!pwd) { DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local user\n", s, dom_sid_string(tmp_ctx, sid))); talloc_free(tmp_ctx); return NT_STATUS_NO_SUCH_USER; } *uid = pwd->pw_uid; talloc_free(tmp_ctx); return NT_STATUS_OK; } allocated_sid: status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid); if (!NT_STATUS_IS_OK(status)) { talloc_free(tmp_ctx); return NT_STATUS_NO_SUCH_DOMAIN; } if (dom_sid_in_domain(domain_sid, sid)) { uint32_t rid = sid->sub_auths[sid->num_auths-1]; if (rid >= SIDMAP_LOCAL_USER_BASE && rid < SIDMAP_LOCAL_GROUP_BASE) { *uid = rid - SIDMAP_LOCAL_USER_BASE; talloc_free(tmp_ctx); return NT_STATUS_OK; } } DEBUG(0,("sid_to_unixuid: no uidNumber, unixName or sAMAccountName for sid %s\n", dom_sid_string(tmp_ctx, sid))); talloc_free(tmp_ctx); return NT_STATUS_NONE_MAPPED; } /* see if a sid is a group - very inefficient! */ _PUBLIC_ bool sidmap_sid_is_group(struct sidmap_context *sidmap, struct dom_sid *sid) { const char *attrs[] = { "sAMAccountType", NULL }; int ret; TALLOC_CTX *tmp_ctx; struct ldb_message **res; NTSTATUS status; struct dom_sid *domain_sid; bool is_group; tmp_ctx = talloc_new(sidmap); ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs, "objectSid=%s", ldap_encode_ndr_dom_sid(tmp_ctx, sid)); if (ret == 1) { is_group = is_group_account(res[0]); talloc_free(tmp_ctx); return is_group; } status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid); if (!NT_STATUS_IS_OK(status)) { talloc_free(tmp_ctx); return false; } if (dom_sid_in_domain(domain_sid, sid)) { uint32_t rid = sid->sub_auths[sid->num_auths-1]; if (rid >= SIDMAP_LOCAL_GROUP_BASE) { talloc_free(tmp_ctx); return true; } } talloc_free(tmp_ctx); return false; } /* map a sid to a unix gid */ _PUBLIC_ NTSTATUS sidmap_sid_to_unixgid(struct sidmap_context *sidmap, const struct dom_sid *sid, gid_t *gid) { const char *attrs[] = { "sAMAccountName", "gidNumber", "unixName", "sAMAccountType", NULL }; int ret; const char *s; TALLOC_CTX *tmp_ctx; struct ldb_message **res; NTSTATUS status; struct dom_sid *domain_sid; tmp_ctx = talloc_new(sidmap); ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs, "objectSid=%s", ldap_encode_ndr_dom_sid(tmp_ctx, sid)); if (ret != 1) { goto allocated_sid; } /* make sure its not a user */ if (!is_group_account(res[0])) { DEBUG(0,("sid_to_unixgid: sid %s is a ATYPE_NORMAL_ACCOUNT\n", dom_sid_string(tmp_ctx, sid))); talloc_free(tmp_ctx); return NT_STATUS_INVALID_SID; } /* first try to get the gid directly */ s = samdb_result_string(res[0], "gidNumber", NULL); if (s != NULL) { *gid = strtoul(s, NULL, 0); talloc_free(tmp_ctx); return NT_STATUS_OK; } /* next try via the UnixName attribute */ s = samdb_result_string(res[0], "unixName", NULL); if (s != NULL) { struct group *grp = getgrnam(s); if (!grp) { DEBUG(0,("unixName '%s' for sid %s does not exist as a local group\n", s, dom_sid_string(tmp_ctx, sid))); talloc_free(tmp_ctx); return NT_STATUS_NO_SUCH_GROUP; } *gid = grp->gr_gid; talloc_free(tmp_ctx); return NT_STATUS_OK; } /* finally try via the sAMAccountName attribute */ s = samdb_result_string(res[0], "sAMAccountName", NULL); if (s != NULL) { struct group *grp = getgrnam(s); if (!grp) { DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local group\n", s, dom_sid_string(tmp_ctx, sid))); talloc_free(tmp_ctx); return NT_STATUS_NO_SUCH_GROUP; } *gid = grp->gr_gid; talloc_free(tmp_ctx); return NT_STATUS_OK; } allocated_sid: status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid); if (!NT_STATUS_IS_OK(status)) { talloc_free(tmp_ctx); return NT_STATUS_NO_SUCH_DOMAIN; } if (dom_sid_in_domain(domain_sid, sid)) { uint32_t rid = sid->sub_auths[sid->num_auths-1]; if (rid >= SIDMAP_LOCAL_GROUP_BASE) { *gid = rid - SIDMAP_LOCAL_GROUP_BASE; talloc_free(tmp_ctx); return NT_STATUS_OK; } } DEBUG(0,("sid_to_unixgid: no gidNumber, unixName or sAMAccountName for sid %s\n", dom_sid_string(tmp_ctx, sid))); talloc_free(tmp_ctx); return NT_STATUS_NONE_MAPPED; } /* map a unix uid to a dom_sid the returned sid is allocated in the supplied mem_ctx */ _PUBLIC_ NTSTATUS sidmap_uid_to_sid(struct sidmap_context *sidmap, TALLOC_CTX *mem_ctx, const uid_t uid, struct dom_sid **sid) { const char *attrs[] = { "sAMAccountName", "objectSid", "sAMAccountType", NULL }; int ret, i; TALLOC_CTX *tmp_ctx; struct ldb_message **res; struct passwd *pwd; struct dom_sid *domain_sid; NTSTATUS status; /* we search for the mapping in the following order: - check if the uid is in the dynamic uid range assigned for winbindd use. If it is, then look in winbindd sid mapping database (not implemented yet) - look for a user account in samdb that has uidNumber set to the given uid - look for a user account in samdb that has unixName or sAMAccountName set to the name given by getpwuid() - assign a SID by adding the uid to SIDMAP_LOCAL_USER_BASE in the local domain */ tmp_ctx = talloc_new(mem_ctx); /* step 2: look for a user account in samdb that has uidNumber set to the given uid */ ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs, "uidNumber=%u", (unsigned int)uid); for (i=0;i<ret;i++) { if (!is_user_account(res[i])) continue; *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid"); talloc_free(tmp_ctx); NT_STATUS_HAVE_NO_MEMORY(*sid); return NT_STATUS_OK; } /* step 3: look for a user account in samdb that has unixName or sAMAccountName set to the name given by getpwuid() */ pwd = getpwuid(uid); if (pwd == NULL) { goto allocate_sid; } ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs, "(|(unixName=%s)(sAMAccountName=%s))", pwd->pw_name, pwd->pw_name); for (i=0;i<ret;i++) { if (!is_user_account(res[i])) continue; *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid"); talloc_free(tmp_ctx); NT_STATUS_HAVE_NO_MEMORY(*sid); return NT_STATUS_OK; } /* step 4: assign a SID by adding the uid to SIDMAP_LOCAL_USER_BASE in the local domain */ allocate_sid: if (uid > SIDMAP_MAX_LOCAL_UID) { return NT_STATUS_NONE_MAPPED; } status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid); if (!NT_STATUS_IS_OK(status)) { talloc_free(tmp_ctx); return status; } *sid = dom_sid_add_rid(mem_ctx, domain_sid, SIDMAP_LOCAL_USER_BASE + uid); talloc_free(tmp_ctx); if (*sid == NULL) { return NT_STATUS_NO_MEMORY; } return NT_STATUS_OK; } /* map a unix gid to a dom_sid the returned sid is allocated in the supplied mem_ctx */ _PUBLIC_ NTSTATUS sidmap_gid_to_sid(struct sidmap_context *sidmap, TALLOC_CTX *mem_ctx, const gid_t gid, struct dom_sid **sid) { const char *attrs[] = { "sAMAccountName", "objectSid", "sAMAccountType", NULL }; int ret, i; TALLOC_CTX *tmp_ctx; struct ldb_message **res; struct group *grp; struct dom_sid *domain_sid; NTSTATUS status; /* we search for the mapping in the following order: - check if the gid is in the dynamic gid range assigned for winbindd use. If it is, then look in winbindd sid mapping database (not implemented yet) - look for a group account in samdb that has gidNumber set to the given gid - look for a group account in samdb that has unixName or sAMAccountName set to the name given by getgrgid() - assign a SID by adding the gid to SIDMAP_LOCAL_GROUP_BASE in the local domain */ tmp_ctx = talloc_new(sidmap); /* step 2: look for a group account in samdb that has gidNumber set to the given gid */ ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs, "gidNumber=%u", (unsigned int)gid); for (i=0;i<ret;i++) { if (!is_group_account(res[i])) continue; *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid"); talloc_free(tmp_ctx); NT_STATUS_HAVE_NO_MEMORY(*sid); return NT_STATUS_OK; } /* step 3: look for a group account in samdb that has unixName or sAMAccountName set to the name given by getgrgid() */ grp = getgrgid(gid); if (grp == NULL) { goto allocate_sid; } ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs, "(|(unixName=%s)(sAMAccountName=%s))", grp->gr_name, grp->gr_name); for (i=0;i<ret;i++) { if (!is_group_account(res[i])) continue; *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid"); talloc_free(tmp_ctx); NT_STATUS_HAVE_NO_MEMORY(*sid); return NT_STATUS_OK; } /* step 4: assign a SID by adding the gid to SIDMAP_LOCAL_GROUP_BASE in the local domain */ allocate_sid: if (gid > SIDMAP_MAX_LOCAL_GID) { return NT_STATUS_NONE_MAPPED; } status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid); if (!NT_STATUS_IS_OK(status)) { talloc_free(tmp_ctx); return status; } *sid = dom_sid_add_rid(mem_ctx, domain_sid, SIDMAP_LOCAL_GROUP_BASE + gid); talloc_free(tmp_ctx); if (*sid == NULL) { return NT_STATUS_NO_MEMORY; } return NT_STATUS_OK; } /* check if a sid is in the range of auto-allocated SIDs from our primary domain, and if it is, then return the name and atype */ _PUBLIC_ NTSTATUS sidmap_allocated_sid_lookup(struct sidmap_context *sidmap, TALLOC_CTX *mem_ctx, const struct dom_sid *sid, const char **name, enum lsa_SidType *rtype) { NTSTATUS status; struct dom_sid *domain_sid; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); uint32_t rid, atype; status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid); if (!NT_STATUS_IS_OK(status)) { return NT_STATUS_NO_SUCH_DOMAIN; } if (!dom_sid_in_domain(domain_sid, sid)) { talloc_free(tmp_ctx); return NT_STATUS_NONE_MAPPED; } talloc_free(tmp_ctx); rid = sid->sub_auths[sid->num_auths-1]; if (rid < SIDMAP_LOCAL_USER_BASE) { return NT_STATUS_NONE_MAPPED; } if (rid < SIDMAP_LOCAL_GROUP_BASE) { struct passwd *pwd; uid_t uid = rid - SIDMAP_LOCAL_USER_BASE; atype = ATYPE_NORMAL_ACCOUNT; *rtype = samdb_atype_map(atype); pwd = getpwuid(uid); if (pwd == NULL) { *name = talloc_asprintf(mem_ctx, "uid%u", uid); } else { *name = talloc_strdup(mem_ctx, pwd->pw_name); } } else { struct group *grp; gid_t gid = rid - SIDMAP_LOCAL_GROUP_BASE; atype = ATYPE_LOCAL_GROUP; *rtype = samdb_atype_map(atype); grp = getgrgid(gid); if (grp == NULL) { *name = talloc_asprintf(mem_ctx, "gid%u", gid); } else { *name = talloc_strdup(mem_ctx, grp->gr_name); } } if (*name == NULL) { return NT_STATUS_NO_MEMORY; } return NT_STATUS_OK; }