benny/wmic
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

wmi-1.3.16 from opsview.com

Browse Source
This commit is contained in:
Are Casilla
2019-02-16 00:16:52 +01:00
parent 163fdd3d1b
commit 17b3af2911
2146 changed files with 678824 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Samba/source/dsdb/common/flag_mapping.c
+144
View File
@@ -0,0 +1,144 @@
/*
Unix SMB/CIFS implementation.
helper mapping functions for the SAMDB server
Copyright (C) Stefan (metze) Metzmacher 2002
Copyright (C) Andrew Tridgell 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#include "librpc/gen_ndr/samr.h"
#include "dsdb/common/flags.h"
/*
translated the ACB_CTRL Flags to UserFlags (userAccountControl)
*/
/* mapping between ADS userAccountControl and SAMR acct_flags */
static const struct {
uint32_t uf;
uint32_t acb;
} acct_flags_map[] = {
{ UF_ACCOUNTDISABLE, ACB_DISABLED },
{ UF_HOMEDIR_REQUIRED, ACB_HOMDIRREQ },
{ UF_PASSWD_NOTREQD, ACB_PWNOTREQ },
{ UF_TEMP_DUPLICATE_ACCOUNT, ACB_TEMPDUP },
{ UF_NORMAL_ACCOUNT, ACB_NORMAL },
{ UF_MNS_LOGON_ACCOUNT, ACB_MNS },
{ UF_INTERDOMAIN_TRUST_ACCOUNT, ACB_DOMTRUST },
{ UF_WORKSTATION_TRUST_ACCOUNT, ACB_WSTRUST },
{ UF_SERVER_TRUST_ACCOUNT, ACB_SVRTRUST },
{ UF_DONT_EXPIRE_PASSWD, ACB_PWNOEXP },
{ UF_LOCKOUT, ACB_AUTOLOCK },
{ UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED, ACB_ENC_TXT_PWD_ALLOWED },
{ UF_SMARTCARD_REQUIRED, ACB_SMARTCARD_REQUIRED },
{ UF_TRUSTED_FOR_DELEGATION, ACB_TRUSTED_FOR_DELEGATION },
{ UF_NOT_DELEGATED, ACB_NOT_DELEGATED },
{ UF_USE_DES_KEY_ONLY, ACB_USE_DES_KEY_ONLY},
{ UF_DONT_REQUIRE_PREAUTH, ACB_DONT_REQUIRE_PREAUTH },
{ UF_PASSWORD_EXPIRED, ACB_PW_EXPIRED },
{ UF_NO_AUTH_DATA_REQUIRED, ACB_NO_AUTH_DATA_REQD }
};
uint32_t samdb_acb2uf(uint32_t acb)
{
uint32_t i, ret = 0;
for (i=0;i<ARRAY_SIZE(acct_flags_map);i++) {
if (acct_flags_map[i].acb & acb) {
ret |= acct_flags_map[i].uf;
}
}
return ret;
}
/*
translated the UserFlags (userAccountControl) to ACB_CTRL Flags
*/
uint32_t samdb_uf2acb(uint32_t uf)
{
uint32_t i;
uint32_t ret = 0;
for (i=0;i<ARRAY_SIZE(acct_flags_map);i++) {
if (acct_flags_map[i].uf & uf) {
ret |= acct_flags_map[i].acb;
}
}
return ret;
}
/*
get the accountType from the UserFlags
*/
uint32_t samdb_uf2atype(uint32_t uf)
{
uint32_t atype = 0x00000000;
if (uf & UF_NORMAL_ACCOUNT) atype = ATYPE_NORMAL_ACCOUNT;
else if (uf & UF_TEMP_DUPLICATE_ACCOUNT) atype = ATYPE_NORMAL_ACCOUNT;
else if (uf & UF_SERVER_TRUST_ACCOUNT) atype = ATYPE_WORKSTATION_TRUST;
else if (uf & UF_WORKSTATION_TRUST_ACCOUNT) atype = ATYPE_WORKSTATION_TRUST;
else if (uf & UF_INTERDOMAIN_TRUST_ACCOUNT) atype = ATYPE_INTERDOMAIN_TRUST;
return atype;
}
/*
get the accountType from the groupType
*/
uint32_t samdb_gtype2atype(uint32_t gtype)
{
uint32_t atype = 0x00000000;
switch(gtype) {
case GTYPE_SECURITY_BUILTIN_LOCAL_GROUP:
atype = ATYPE_SECURITY_LOCAL_GROUP;
break;
case GTYPE_SECURITY_DOMAIN_LOCAL_GROUP:
atype = ATYPE_SECURITY_LOCAL_GROUP;
break;
case GTYPE_SECURITY_GLOBAL_GROUP:
atype = ATYPE_SECURITY_GLOBAL_GROUP;
break;
case GTYPE_DISTRIBUTION_GLOBAL_GROUP:
atype = ATYPE_DISTRIBUTION_GLOBAL_GROUP;
break;
case GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP:
atype = ATYPE_DISTRIBUTION_UNIVERSAL_GROUP;
break;
case GTYPE_DISTRIBUTION_UNIVERSAL_GROUP:
atype = ATYPE_DISTRIBUTION_LOCAL_GROUP;
break;
}
return atype;
}
/* turn a sAMAccountType into a SID_NAME_USE */
enum lsa_SidType samdb_atype_map(uint32_t atype)
{
switch (atype & 0xF0000000) {
case ATYPE_GLOBAL_GROUP:
return SID_NAME_DOM_GRP;
case ATYPE_SECURITY_LOCAL_GROUP:
return SID_NAME_ALIAS;
case ATYPE_ACCOUNT:
return SID_NAME_USER;
default:
DEBUG(1,("hmm, need to map account type 0x%x\n", atype));
}
return SID_NAME_UNKNOWN;
}
Samba/source/dsdb/common/flags.h
+119
View File
@@ -0,0 +1,119 @@
/*
Unix SMB/CIFS implementation.
User/Group specific flags
Copyright (C) Andrew Tridgell 2001-2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
/* UserFlags for userAccountControl */
#define UF_SCRIPT 0x00000001
#define UF_ACCOUNTDISABLE 0x00000002
#define UF_00000004 0x00000004
#define UF_HOMEDIR_REQUIRED 0x00000008
#define UF_LOCKOUT 0x00000010
#define UF_PASSWD_NOTREQD 0x00000020
#define UF_PASSWD_CANT_CHANGE 0x00000040
#define UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED 0x00000080
#define UF_TEMP_DUPLICATE_ACCOUNT 0x00000100
#define UF_NORMAL_ACCOUNT 0x00000200
#define UF_00000400 0x00000400
#define UF_INTERDOMAIN_TRUST_ACCOUNT 0x00000800
#define UF_WORKSTATION_TRUST_ACCOUNT 0x00001000
#define UF_SERVER_TRUST_ACCOUNT 0x00002000
#define UF_00004000 0x00004000
#define UF_00008000 0x00008000
#define UF_DONT_EXPIRE_PASSWD 0x00010000
#define UF_MNS_LOGON_ACCOUNT 0x00020000
#define UF_SMARTCARD_REQUIRED 0x00040000
#define UF_TRUSTED_FOR_DELEGATION 0x00080000
#define UF_NOT_DELEGATED 0x00100000
#define UF_USE_DES_KEY_ONLY 0x00200000
#define UF_DONT_REQUIRE_PREAUTH 0x00400000
#define UF_PASSWORD_EXPIRED 0x00800000
#define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000
#define UF_NO_AUTH_DATA_REQUIRED 0x02000000
/* sAMAccountType */
#define ATYPE_NORMAL_ACCOUNT 0x30000000 /* 805306368 */
#define ATYPE_WORKSTATION_TRUST 0x30000001 /* 805306369 */
#define ATYPE_INTERDOMAIN_TRUST 0x30000002 /* 805306370 */
#define ATYPE_SECURITY_GLOBAL_GROUP 0x10000000 /* 268435456 */
#define ATYPE_DISTRIBUTION_GLOBAL_GROUP 0x10000001 /* 268435457 */
#define ATYPE_DISTRIBUTION_UNIVERSAL_GROUP ATYPE_DISTRIBUTION_GLOBAL_GROUP
#define ATYPE_SECURITY_LOCAL_GROUP 0x20000000 /* 536870912 */
#define ATYPE_DISTRIBUTION_LOCAL_GROUP 0x20000001 /* 536870913 */
#define ATYPE_ACCOUNT ATYPE_NORMAL_ACCOUNT /* 0x30000000 805306368 */
#define ATYPE_GLOBAL_GROUP ATYPE_SECURITY_GLOBAL_GROUP /* 0x10000000 268435456 */
#define ATYPE_LOCAL_GROUP ATYPE_SECURITY_LOCAL_GROUP /* 0x20000000 536870912 */
/* groupType */
#define GROUP_TYPE_BUILTIN_LOCAL_GROUP 0x00000001
#define GROUP_TYPE_ACCOUNT_GROUP 0x00000002
#define GROUP_TYPE_RESOURCE_GROUP 0x00000004
#define GROUP_TYPE_UNIVERSAL_GROUP 0x00000008
#define GROUP_TYPE_APP_BASIC_GROUP 0x00000010
#define GROUP_TYPE_APP_QUERY_GROUP 0x00000020
#define GROUP_TYPE_SECURITY_ENABLED 0x80000000
#define GTYPE_SECURITY_BUILTIN_LOCAL_GROUP ( \
/* 0x80000005 -2147483643 */ \
GROUP_TYPE_BUILTIN_LOCAL_GROUP| \
GROUP_TYPE_RESOURCE_GROUP| \
GROUP_TYPE_SECURITY_ENABLED \
)
#define GTYPE_SECURITY_DOMAIN_LOCAL_GROUP ( \
/* 0x80000004 -2147483644 */ \
GROUP_TYPE_RESOURCE_GROUP| \
GROUP_TYPE_SECURITY_ENABLED \
)
#define GTYPE_SECURITY_GLOBAL_GROUP ( \
/* 0x80000002 -2147483646 */ \
GROUP_TYPE_ACCOUNT_GROUP| \
GROUP_TYPE_SECURITY_ENABLED \
)
#define GTYPE_DISTRIBUTION_GLOBAL_GROUP 0x00000002 /* 2 */
#define GTYPE_DISTRIBUTION_DOMAIN_LOCAL_GROUP 0x00000004 /* 4 */
#define GTYPE_DISTRIBUTION_UNIVERSAL_GROUP 0x00000008 /* 8 */
#define INSTANCE_TYPE_IS_NC_HEAD 0x00000001
#define INSTANCE_TYPE_UNINSTANT 0x00000002
#define INSTANCE_TYPE_WRITE 0x00000004
#define INSTANCE_TYPE_NC_ABOVE 0x00000008
#define INSTANCE_TYPE_NC_COMING 0x00000010
#define INSTANCE_TYPE_NC_GOING 0x00000020
#define SYSTEM_FLAG_CR_NTDS_NC 0x00000001
#define SYSTEM_FLAG_CR_NTDS_DOMAIN 0x00000002
#define SYSTEM_FLAG_CR_NTDS_NOT_GC_REPLICATED 0x00000004
#define SYSTEM_FLAG_SCHEMA_BASE_OBJECT 0x00000010
#define SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE 0x02000000
#define SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE 0x04000000
#define SYSTEM_FLAG_DOMAIN_DISALLOW_RENAME 0x08000000
#define SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE 0x10000000
#define SYSTEM_FLAG_CONFIG_ALLOW_MOVE 0x20000000
#define SYSTEM_FLAG_CONFIG_ALLOW_RENAME 0x40000000
#define SYSTEM_FLAG_DISALLOW_DELTE 0x80000000
#define DS_BEHAVIOR_WIN2000 0
#define DS_BEHAVIOR_WIN2003 2
Samba/source/dsdb/common/sidmap.c
+605
View File
@@ -0,0 +1,605 @@
/*
Unix SMB/CIFS implementation.
mapping routines for SID <-> unix uid/gid
Copyright (C) Andrew Tridgell 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#include "system/passwd.h"
#include "dsdb/common/flags.h"
#include "dsdb/samdb/samdb.h"
#include "auth/auth.h"
#include "libcli/ldap/ldap.h"
#include "db_wrap.h"
#include "libcli/security/security.h"
/*
these are used for the fallback local uid/gid to sid mapping
code.
*/
#define SIDMAP_LOCAL_USER_BASE 0x80000000
#define SIDMAP_LOCAL_GROUP_BASE 0xC0000000
#define SIDMAP_MAX_LOCAL_UID 0x3fffffff
#define SIDMAP_MAX_LOCAL_GID 0x3fffffff
/*
private context for sid mapping routines
*/
struct sidmap_context {
struct ldb_context *samctx;
};
/*
open a sidmap context - use talloc_free to close
*/
_PUBLIC_ struct sidmap_context *sidmap_open(TALLOC_CTX *mem_ctx)
{
struct sidmap_context *sidmap;
sidmap = talloc(mem_ctx, struct sidmap_context);
if (sidmap == NULL) {
return NULL;
}
sidmap->samctx = samdb_connect(sidmap, system_session(sidmap));
if (sidmap->samctx == NULL) {
talloc_free(sidmap);
return NULL;
}
return sidmap;
}
/*
check the sAMAccountType field of a search result to see if
the account is a user account
*/
static BOOL is_user_account(struct ldb_message *res)
{
uint_t atype = samdb_result_uint(res, "sAMAccountType", 0);
if (atype && (!(atype & ATYPE_ACCOUNT))) {
return False;
}
return True;
}
/*
check the sAMAccountType field of a search result to see if
the account is a group account
*/
static BOOL is_group_account(struct ldb_message *res)
{
uint_t atype = samdb_result_uint(res, "sAMAccountType", 0);
if (atype && atype == ATYPE_NORMAL_ACCOUNT) {
return False;
}
return True;
}
/*
return the dom_sid of our primary domain
*/
static NTSTATUS sidmap_primary_domain_sid(struct sidmap_context *sidmap,
TALLOC_CTX *mem_ctx, struct dom_sid **sid)
{
const char *attrs[] = { "objectSid", NULL };
int ret;
struct ldb_message **res = NULL;
ret = gendb_search_dn(sidmap->samctx, mem_ctx, NULL, &res, attrs);
if (ret != 1) {
talloc_free(res);
return NT_STATUS_NO_SUCH_DOMAIN;
}
*sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid");
talloc_free(res);
if (*sid == NULL) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
}
/*
map a sid to a unix uid
*/
_PUBLIC_ NTSTATUS sidmap_sid_to_unixuid(struct sidmap_context *sidmap,
struct dom_sid *sid, uid_t *uid)
{
const char *attrs[] = { "sAMAccountName", "uidNumber",
"sAMAccountType", "unixName", NULL };
int ret;
const char *s;
TALLOC_CTX *tmp_ctx;
struct ldb_message **res;
struct dom_sid *domain_sid;
NTSTATUS status;
tmp_ctx = talloc_new(sidmap);
ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
"objectSid=%s", ldap_encode_ndr_dom_sid(tmp_ctx, sid));
if (ret != 1) {
goto allocated_sid;
}
/* make sure its a user, not a group */
if (!is_user_account(res[0])) {
DEBUG(0,("sid_to_unixuid: sid %s is not an account!\n",
dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return NT_STATUS_INVALID_SID;
}
/* first try to get the uid directly */
s = samdb_result_string(res[0], "uidNumber", NULL);
if (s != NULL) {
*uid = strtoul(s, NULL, 0);
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/* next try via the UnixName attribute */
s = samdb_result_string(res[0], "unixName", NULL);
if (s != NULL) {
struct passwd *pwd = getpwnam(s);
if (!pwd) {
DEBUG(0,("unixName %s for sid %s does not exist as a local user\n", s,
dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return NT_STATUS_NO_SUCH_USER;
}
*uid = pwd->pw_uid;
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/* finally try via the sAMAccountName attribute */
s = samdb_result_string(res[0], "sAMAccountName", NULL);
if (s != NULL) {
struct passwd *pwd = getpwnam(s);
if (!pwd) {
DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local user\n",
s, dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return NT_STATUS_NO_SUCH_USER;
}
*uid = pwd->pw_uid;
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
allocated_sid:
status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_SUCH_DOMAIN;
}
if (dom_sid_in_domain(domain_sid, sid)) {
uint32_t rid = sid->sub_auths[sid->num_auths-1];
if (rid >= SIDMAP_LOCAL_USER_BASE &&
rid < SIDMAP_LOCAL_GROUP_BASE) {
*uid = rid - SIDMAP_LOCAL_USER_BASE;
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
}
DEBUG(0,("sid_to_unixuid: no uidNumber, unixName or sAMAccountName for sid %s\n",
dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return NT_STATUS_INVALID_SID;
}
/*
see if a sid is a group - very inefficient!
*/
_PUBLIC_ BOOL sidmap_sid_is_group(struct sidmap_context *sidmap, struct dom_sid *sid)
{
const char *attrs[] = { "sAMAccountType", NULL };
int ret;
TALLOC_CTX *tmp_ctx;
struct ldb_message **res;
NTSTATUS status;
struct dom_sid *domain_sid;
BOOL is_group;
tmp_ctx = talloc_new(sidmap);
ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
"objectSid=%s", ldap_encode_ndr_dom_sid(tmp_ctx, sid));
if (ret == 1) {
is_group = is_group_account(res[0]);
talloc_free(tmp_ctx);
return is_group;
}
status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(tmp_ctx);
return False;
}
if (dom_sid_in_domain(domain_sid, sid)) {
uint32_t rid = sid->sub_auths[sid->num_auths-1];
if (rid >= SIDMAP_LOCAL_GROUP_BASE) {
talloc_free(tmp_ctx);
return True;
}
}
talloc_free(tmp_ctx);
return False;
}
/*
map a sid to a unix gid
*/
_PUBLIC_ NTSTATUS sidmap_sid_to_unixgid(struct sidmap_context *sidmap,
struct dom_sid *sid, gid_t *gid)
{
const char *attrs[] = { "sAMAccountName", "gidNumber",
"unixName", "sAMAccountType", NULL };
int ret;
const char *s;
TALLOC_CTX *tmp_ctx;
struct ldb_message **res;
NTSTATUS status;
struct dom_sid *domain_sid;
tmp_ctx = talloc_new(sidmap);
ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
"objectSid=%s", ldap_encode_ndr_dom_sid(tmp_ctx, sid));
if (ret != 1) {
goto allocated_sid;
}
/* make sure its not a user */
if (!is_group_account(res[0])) {
DEBUG(0,("sid_to_unixgid: sid %s is a ATYPE_NORMAL_ACCOUNT\n",
dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return NT_STATUS_INVALID_SID;
}
/* first try to get the gid directly */
s = samdb_result_string(res[0], "gidNumber", NULL);
if (s != NULL) {
*gid = strtoul(s, NULL, 0);
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/* next try via the UnixName attribute */
s = samdb_result_string(res[0], "unixName", NULL);
if (s != NULL) {
struct group *grp = getgrnam(s);
if (!grp) {
DEBUG(0,("unixName '%s' for sid %s does not exist as a local group\n",
s, dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return NT_STATUS_NO_SUCH_GROUP;
}
*gid = grp->gr_gid;
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/* finally try via the sAMAccountName attribute */
s = samdb_result_string(res[0], "sAMAccountName", NULL);
if (s != NULL) {
struct group *grp = getgrnam(s);
if (!grp) {
DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local group\n", s, dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return NT_STATUS_NO_SUCH_GROUP;
}
*gid = grp->gr_gid;
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
allocated_sid:
status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_SUCH_DOMAIN;
}
if (dom_sid_in_domain(domain_sid, sid)) {
uint32_t rid = sid->sub_auths[sid->num_auths-1];
if (rid >= SIDMAP_LOCAL_GROUP_BASE) {
*gid = rid - SIDMAP_LOCAL_GROUP_BASE;
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
}
DEBUG(0,("sid_to_unixgid: no gidNumber, unixName or sAMAccountName for sid %s\n",
dom_sid_string(tmp_ctx, sid)));
talloc_free(tmp_ctx);
return NT_STATUS_INVALID_SID;
}
/*
map a unix uid to a dom_sid
the returned sid is allocated in the supplied mem_ctx
*/
_PUBLIC_ NTSTATUS sidmap_uid_to_sid(struct sidmap_context *sidmap,
TALLOC_CTX *mem_ctx,
uid_t uid, struct dom_sid **sid)
{
const char *attrs[] = { "sAMAccountName", "objectSid", "sAMAccountType", NULL };
int ret, i;
TALLOC_CTX *tmp_ctx;
struct ldb_message **res;
struct passwd *pwd;
struct dom_sid *domain_sid;
NTSTATUS status;
/*
we search for the mapping in the following order:
- check if the uid is in the dynamic uid range assigned for winbindd
use. If it is, then look in winbindd sid mapping
database (not implemented yet)
- look for a user account in samdb that has uidNumber set to the
given uid
- look for a user account in samdb that has unixName or
sAMAccountName set to the name given by getpwuid()
- assign a SID by adding the uid to SIDMAP_LOCAL_USER_BASE in the local
domain
*/
tmp_ctx = talloc_new(mem_ctx);
/*
step 2: look for a user account in samdb that has uidNumber set to the
given uid
*/
ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
"uidNumber=%u", (unsigned int)uid);
for (i=0;i<ret;i++) {
if (!is_user_account(res[i])) continue;
*sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
talloc_free(tmp_ctx);
NT_STATUS_HAVE_NO_MEMORY(*sid);
return NT_STATUS_OK;
}
/*
step 3: look for a user account in samdb that has unixName
or sAMAccountName set to the name given by getpwuid()
*/
pwd = getpwuid(uid);
if (pwd == NULL) {
goto allocate_sid;
}
ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
"(|(unixName=%s)(sAMAccountName=%s))",
pwd->pw_name, pwd->pw_name);
for (i=0;i<ret;i++) {
if (!is_user_account(res[i])) continue;
*sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
talloc_free(tmp_ctx);
NT_STATUS_HAVE_NO_MEMORY(*sid);
return NT_STATUS_OK;
}
/*
step 4: assign a SID by adding the uid to
SIDMAP_LOCAL_USER_BASE in the local domain
*/
allocate_sid:
if (uid > SIDMAP_MAX_LOCAL_UID) {
return NT_STATUS_INVALID_SID;
}
status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(tmp_ctx);
return status;
}
*sid = dom_sid_add_rid(mem_ctx, domain_sid, SIDMAP_LOCAL_USER_BASE + uid);
talloc_free(tmp_ctx);
if (*sid == NULL) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
}
/*
map a unix gid to a dom_sid
the returned sid is allocated in the supplied mem_ctx
*/
_PUBLIC_ NTSTATUS sidmap_gid_to_sid(struct sidmap_context *sidmap,
TALLOC_CTX *mem_ctx,
gid_t gid, struct dom_sid **sid)
{
const char *attrs[] = { "sAMAccountName", "objectSid", "sAMAccountType", NULL };
int ret, i;
TALLOC_CTX *tmp_ctx;
struct ldb_message **res;
struct group *grp;
struct dom_sid *domain_sid;
NTSTATUS status;
/*
we search for the mapping in the following order:
- check if the gid is in the dynamic gid range assigned for winbindd
use. If it is, then look in winbindd sid mapping
database (not implemented yet)
- look for a group account in samdb that has gidNumber set to the
given gid
- look for a group account in samdb that has unixName or
sAMAccountName set to the name given by getgrgid()
- assign a SID by adding the gid to SIDMAP_LOCAL_GROUP_BASE in the local
domain
*/
tmp_ctx = talloc_new(sidmap);
/*
step 2: look for a group account in samdb that has gidNumber set to the
given gid
*/
ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
"gidNumber=%u", (unsigned int)gid);
for (i=0;i<ret;i++) {
if (!is_group_account(res[i])) continue;
*sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
talloc_free(tmp_ctx);
NT_STATUS_HAVE_NO_MEMORY(*sid);
return NT_STATUS_OK;
}
/*
step 3: look for a group account in samdb that has unixName
or sAMAccountName set to the name given by getgrgid()
*/
grp = getgrgid(gid);
if (grp == NULL) {
goto allocate_sid;
}
ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
"(|(unixName=%s)(sAMAccountName=%s))",
grp->gr_name, grp->gr_name);
for (i=0;i<ret;i++) {
if (!is_group_account(res[i])) continue;
*sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
talloc_free(tmp_ctx);
NT_STATUS_HAVE_NO_MEMORY(*sid);
return NT_STATUS_OK;
}
/*
step 4: assign a SID by adding the gid to
SIDMAP_LOCAL_GROUP_BASE in the local domain
*/
allocate_sid:
if (gid > SIDMAP_MAX_LOCAL_GID) {
return NT_STATUS_INVALID_SID;
}
status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(tmp_ctx);
return status;
}
*sid = dom_sid_add_rid(mem_ctx, domain_sid, SIDMAP_LOCAL_GROUP_BASE + gid);
talloc_free(tmp_ctx);
if (*sid == NULL) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
}
/*
check if a sid is in the range of auto-allocated SIDs from our primary domain,
and if it is, then return the name and atype
*/
_PUBLIC_ NTSTATUS sidmap_allocated_sid_lookup(struct sidmap_context *sidmap,
TALLOC_CTX *mem_ctx,
const struct dom_sid *sid,
const char **name,
uint32_t *atype)
{
NTSTATUS status;
struct dom_sid *domain_sid;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
uint32_t rid;
status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid);
if (!NT_STATUS_IS_OK(status)) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
if (!dom_sid_in_domain(domain_sid, sid)) {
talloc_free(tmp_ctx);
return NT_STATUS_INVALID_SID;
}
talloc_free(tmp_ctx);
rid = sid->sub_auths[sid->num_auths-1];
if (rid < SIDMAP_LOCAL_USER_BASE) {
return NT_STATUS_INVALID_SID;
}
if (rid < SIDMAP_LOCAL_GROUP_BASE) {
struct passwd *pwd;
uid_t uid = rid - SIDMAP_LOCAL_USER_BASE;
*atype = ATYPE_NORMAL_ACCOUNT;
pwd = getpwuid(uid);
if (pwd == NULL) {
*name = talloc_asprintf(mem_ctx, "uid%u", uid);
} else {
*name = talloc_strdup(mem_ctx, pwd->pw_name);
}
} else {
struct group *grp;
gid_t gid = rid - SIDMAP_LOCAL_GROUP_BASE;
*atype = ATYPE_LOCAL_GROUP;
grp = getgrgid(gid);
if (grp == NULL) {
*name = talloc_asprintf(mem_ctx, "gid%u", gid);
} else {
*name = talloc_strdup(mem_ctx, grp->gr_name);
}
}
if (*name == NULL) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
}