/src/samba/source3/passdb/pdb_util.c
Line | Count | Source |
1 | | /* |
2 | | * Unix SMB/CIFS implementation. |
3 | | * Authentication utility functions |
4 | | * Copyright (C) Andrew Tridgell 1992-1998 |
5 | | * Copyright (C) Andrew Bartlett 2001 |
6 | | * Copyright (C) Jeremy Allison 2000-2001 |
7 | | * Copyright (C) Rafal Szczesniak 2002 |
8 | | * Copyright (C) Volker Lendecke 2006 |
9 | | * Copyright (C) Michael Adam 2007 |
10 | | * |
11 | | * This program is free software; you can redistribute it and/or modify |
12 | | * it under the terms of the GNU General Public License as published by |
13 | | * the Free Software Foundation; either version 3 of the License, or |
14 | | * (at your option) any later version. |
15 | | * |
16 | | * This program is distributed in the hope that it will be useful, |
17 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
18 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
19 | | * GNU General Public License for more details. |
20 | | * |
21 | | * You should have received a copy of the GNU General Public License |
22 | | * along with this program; if not, see <http://www.gnu.org/licenses/>. |
23 | | */ |
24 | | |
25 | | #include "includes.h" |
26 | | #include "../libcli/security/security.h" |
27 | | #include "passdb.h" |
28 | | #include "lib/winbind_util.h" |
29 | | #include "../librpc/gen_ndr/idmap.h" |
30 | | |
31 | | /** |
32 | | * Add sid as a member of builtin_sid. |
33 | | * |
34 | | * @param[in] builtin_sid An existing builtin group. |
35 | | * @param[in] dom_sid sid to add as a member of builtin_sid. |
36 | | * @return Normal NTSTATUS return |
37 | | */ |
38 | | static NTSTATUS add_sid_to_builtin(const struct dom_sid *builtin_sid, |
39 | | const struct dom_sid *dom_sid) |
40 | 0 | { |
41 | 0 | NTSTATUS status; |
42 | |
|
43 | 0 | if (!dom_sid || !builtin_sid) { |
44 | 0 | return NT_STATUS_INVALID_PARAMETER; |
45 | 0 | } |
46 | | |
47 | 0 | status = pdb_add_aliasmem(builtin_sid, dom_sid); |
48 | |
|
49 | 0 | if (NT_STATUS_EQUAL(status, NT_STATUS_MEMBER_IN_ALIAS)) { |
50 | 0 | struct dom_sid_buf buf1, buf2; |
51 | 0 | DEBUG(5, ("add_sid_to_builtin %s is already a member of %s\n", |
52 | 0 | dom_sid_str_buf(dom_sid, &buf1), |
53 | 0 | dom_sid_str_buf(builtin_sid, &buf2))); |
54 | 0 | return NT_STATUS_OK; |
55 | 0 | } |
56 | | |
57 | 0 | if (!NT_STATUS_IS_OK(status)) { |
58 | 0 | struct dom_sid_buf buf1, buf2; |
59 | 0 | DEBUG(4, ("add_sid_to_builtin %s could not be added to %s: " |
60 | 0 | "%s\n", |
61 | 0 | dom_sid_str_buf(dom_sid, &buf1), |
62 | 0 | dom_sid_str_buf(builtin_sid, &buf2), |
63 | 0 | nt_errstr(status))); |
64 | 0 | } |
65 | 0 | return status; |
66 | 0 | } |
67 | | |
68 | | /** |
69 | | * Create the requested BUILTIN if it doesn't already exist. This requires |
70 | | * winbindd to be running. |
71 | | * |
72 | | * @param[in] rid BUILTIN rid to create |
73 | | * @return Normal NTSTATUS return. |
74 | | */ |
75 | | NTSTATUS pdb_create_builtin(uint32_t rid) |
76 | 0 | { |
77 | 0 | NTSTATUS status = NT_STATUS_OK; |
78 | 0 | struct dom_sid sid; |
79 | 0 | gid_t gid; |
80 | 0 | bool mapresult; |
81 | |
|
82 | 0 | if (!sid_compose(&sid, &global_sid_Builtin, rid)) { |
83 | 0 | return NT_STATUS_NO_SUCH_ALIAS; |
84 | 0 | } |
85 | | |
86 | 0 | if (!pdb_is_responsible_for_builtin()) { |
87 | | /* |
88 | | * if this backend is not responsible for BUILTIN |
89 | | * |
90 | | * Use the gid from the mapping request for entry. |
91 | | * If the mapping fails, bail out |
92 | | */ |
93 | 0 | mapresult = sid_to_gid(&sid, &gid); |
94 | 0 | if (!mapresult) { |
95 | 0 | status = NT_STATUS_NO_SUCH_GROUP; |
96 | 0 | } else { |
97 | 0 | status = pdb_create_builtin_alias(rid, gid); |
98 | 0 | } |
99 | 0 | } else { |
100 | | /* |
101 | | * this backend is responsible for BUILTIN |
102 | | * |
103 | | * a failed mapping result means that the entry |
104 | | * does not exist yet, so create it |
105 | | * |
106 | | * we use pdb_sid_to_id intentionally here to |
107 | | * directly query the passdb backend (sid_to_gid |
108 | | * would finally do the same) |
109 | | */ |
110 | 0 | struct unixid id; |
111 | 0 | mapresult = pdb_sid_to_id(&sid, &id); |
112 | 0 | if (!mapresult) { |
113 | 0 | if (!lp_winbind_nested_groups() || !winbind_ping()) { |
114 | 0 | return NT_STATUS_PROTOCOL_UNREACHABLE; |
115 | 0 | } |
116 | 0 | status = pdb_create_builtin_alias(rid, 0); |
117 | 0 | } |
118 | 0 | } |
119 | 0 | return status; |
120 | 0 | } |
121 | | |
122 | | /******************************************************************* |
123 | | *******************************************************************/ |
124 | | |
125 | | NTSTATUS create_builtin_users(const struct dom_sid *dom_sid) |
126 | 0 | { |
127 | 0 | NTSTATUS status; |
128 | 0 | struct dom_sid dom_users; |
129 | |
|
130 | 0 | status = pdb_create_builtin(BUILTIN_RID_USERS); |
131 | 0 | if ( !NT_STATUS_IS_OK(status) ) { |
132 | 0 | DEBUG(5,("create_builtin_users: Failed to create Users\n")); |
133 | 0 | return status; |
134 | 0 | } |
135 | | |
136 | | /* add domain users */ |
137 | 0 | if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) && |
138 | 0 | (dom_sid != NULL) && |
139 | 0 | sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS)) |
140 | 0 | { |
141 | 0 | status = add_sid_to_builtin(&global_sid_Builtin_Users, |
142 | 0 | &dom_users); |
143 | 0 | } |
144 | |
|
145 | 0 | return status; |
146 | 0 | } |
147 | | |
148 | | /******************************************************************* |
149 | | *******************************************************************/ |
150 | | |
151 | | NTSTATUS create_builtin_administrators(const struct dom_sid *dom_sid) |
152 | 0 | { |
153 | 0 | NTSTATUS status; |
154 | 0 | struct dom_sid dom_admins, root_sid; |
155 | 0 | fstring root_name; |
156 | 0 | enum lsa_SidType type; |
157 | 0 | TALLOC_CTX *ctx; |
158 | 0 | bool ret; |
159 | |
|
160 | 0 | status = pdb_create_builtin(BUILTIN_RID_ADMINISTRATORS); |
161 | 0 | if ( !NT_STATUS_IS_OK(status) ) { |
162 | 0 | DEBUG(5,("create_builtin_administrators: Failed to create Administrators\n")); |
163 | 0 | return status; |
164 | 0 | } |
165 | | |
166 | | /* add domain admins */ |
167 | 0 | if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) && |
168 | 0 | (dom_sid != NULL) && |
169 | 0 | sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS)) |
170 | 0 | { |
171 | 0 | status = add_sid_to_builtin(&global_sid_Builtin_Administrators, |
172 | 0 | &dom_admins); |
173 | 0 | if (!NT_STATUS_IS_OK(status)) { |
174 | 0 | return status; |
175 | 0 | } |
176 | 0 | } |
177 | | |
178 | | /* add root */ |
179 | 0 | if ( (ctx = talloc_init("create_builtin_administrators")) == NULL ) { |
180 | 0 | return NT_STATUS_NO_MEMORY; |
181 | 0 | } |
182 | 0 | fstr_sprintf( root_name, "%s\\root", get_global_sam_name() ); |
183 | 0 | ret = lookup_name(ctx, root_name, LOOKUP_NAME_DOMAIN, NULL, NULL, |
184 | 0 | &root_sid, &type); |
185 | 0 | TALLOC_FREE( ctx ); |
186 | |
|
187 | 0 | if ( ret ) { |
188 | 0 | status = add_sid_to_builtin(&global_sid_Builtin_Administrators, |
189 | 0 | &root_sid); |
190 | 0 | } |
191 | |
|
192 | 0 | return status; |
193 | 0 | } |
194 | | |
195 | | /******************************************************************* |
196 | | *******************************************************************/ |
197 | | |
198 | | NTSTATUS create_builtin_guests(const struct dom_sid *dom_sid) |
199 | 0 | { |
200 | 0 | NTSTATUS status; |
201 | 0 | struct dom_sid tmp_sid = { 0, }; |
202 | |
|
203 | 0 | status = pdb_create_builtin(BUILTIN_RID_GUESTS); |
204 | 0 | if (!NT_STATUS_IS_OK(status)) { |
205 | 0 | DEBUG(5,("create_builtin_guests: Failed to create Guests\n")); |
206 | 0 | return status; |
207 | 0 | } |
208 | | |
209 | | /* add local guest */ |
210 | 0 | if (sid_compose(&tmp_sid, get_global_sam_sid(), DOMAIN_RID_GUEST)) { |
211 | 0 | status = add_sid_to_builtin(&global_sid_Builtin_Guests, |
212 | 0 | &tmp_sid); |
213 | 0 | if (!NT_STATUS_IS_OK(status)) { |
214 | 0 | return status; |
215 | 0 | } |
216 | 0 | } |
217 | | |
218 | | /* add local guests */ |
219 | 0 | if (sid_compose(&tmp_sid, get_global_sam_sid(), DOMAIN_RID_GUESTS)) { |
220 | 0 | status = add_sid_to_builtin(&global_sid_Builtin_Guests, |
221 | 0 | &tmp_sid); |
222 | 0 | if (!NT_STATUS_IS_OK(status)) { |
223 | 0 | return status; |
224 | 0 | } |
225 | 0 | } |
226 | | |
227 | 0 | if (lp_server_role() != ROLE_DOMAIN_MEMBER) { |
228 | 0 | return NT_STATUS_OK; |
229 | 0 | } |
230 | | |
231 | 0 | if (dom_sid == NULL) { |
232 | 0 | return NT_STATUS_INTERNAL_ERROR; |
233 | 0 | } |
234 | | |
235 | | /* add domain guests */ |
236 | 0 | if (sid_compose(&tmp_sid, dom_sid, DOMAIN_RID_GUESTS)) { |
237 | 0 | status = add_sid_to_builtin(&global_sid_Builtin_Guests, |
238 | 0 | &tmp_sid); |
239 | 0 | if (!NT_STATUS_IS_OK(status)) { |
240 | 0 | return status; |
241 | 0 | } |
242 | 0 | } |
243 | | |
244 | 0 | return NT_STATUS_OK; |
245 | 0 | } |