Line data Source code
1 : /*
2 : * Unix SMB/CIFS implementation.
3 : * Authentication utility functions
4 : * Copyright (C) Andrew Tridgell 1992-1998
5 : * Copyright (C) Andrew Bartlett 2001
6 : * Copyright (C) Jeremy Allison 2000-2001
7 : * Copyright (C) Rafal Szczesniak 2002
8 : * Copyright (C) Volker Lendecke 2006
9 : * Copyright (C) Michael Adam 2007
10 : *
11 : * This program is free software; you can redistribute it and/or modify
12 : * it under the terms of the GNU General Public License as published by
13 : * the Free Software Foundation; either version 3 of the License, or
14 : * (at your option) any later version.
15 : *
16 : * This program is distributed in the hope that it will be useful,
17 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 : * GNU General Public License for more details.
20 : *
21 : * You should have received a copy of the GNU General Public License
22 : * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 : */
24 :
25 : #include "includes.h"
26 : #include "../libcli/security/security.h"
27 : #include "passdb.h"
28 : #include "lib/winbind_util.h"
29 : #include "../librpc/gen_ndr/idmap.h"
30 :
31 : /**
32 : * Add sid as a member of builtin_sid.
33 : *
34 : * @param[in] builtin_sid An existing builtin group.
35 : * @param[in] dom_sid sid to add as a member of builtin_sid.
36 : * @return Normal NTSTATUS return
37 : */
38 63 : static NTSTATUS add_sid_to_builtin(const struct dom_sid *builtin_sid,
39 : const struct dom_sid *dom_sid)
40 : {
41 0 : NTSTATUS status;
42 :
43 63 : if (!dom_sid || !builtin_sid) {
44 0 : return NT_STATUS_INVALID_PARAMETER;
45 : }
46 :
47 63 : status = pdb_add_aliasmem(builtin_sid, dom_sid);
48 :
49 63 : if (NT_STATUS_EQUAL(status, NT_STATUS_MEMBER_IN_ALIAS)) {
50 0 : struct dom_sid_buf buf1, buf2;
51 14 : DEBUG(5, ("add_sid_to_builtin %s is already a member of %s\n",
52 : dom_sid_str_buf(dom_sid, &buf1),
53 : dom_sid_str_buf(builtin_sid, &buf2)));
54 14 : return NT_STATUS_OK;
55 : }
56 :
57 49 : if (!NT_STATUS_IS_OK(status)) {
58 0 : struct dom_sid_buf buf1, buf2;
59 0 : DEBUG(4, ("add_sid_to_builtin %s could not be added to %s: "
60 : "%s\n",
61 : dom_sid_str_buf(dom_sid, &buf1),
62 : dom_sid_str_buf(builtin_sid, &buf2),
63 : nt_errstr(status)));
64 : }
65 49 : return status;
66 : }
67 :
68 : /**
69 : * Create the requested BUILTIN if it doesn't already exist. This requires
70 : * winbindd to be running.
71 : *
72 : * @param[in] rid BUILTIN rid to create
73 : * @return Normal NTSTATUS return.
74 : */
75 33772 : NTSTATUS pdb_create_builtin(uint32_t rid)
76 : {
77 33772 : NTSTATUS status = NT_STATUS_OK;
78 0 : struct dom_sid sid;
79 0 : gid_t gid;
80 0 : bool mapresult;
81 :
82 33772 : if (!sid_compose(&sid, &global_sid_Builtin, rid)) {
83 0 : return NT_STATUS_NO_SUCH_ALIAS;
84 : }
85 :
86 33772 : if (!pdb_is_responsible_for_builtin()) {
87 : /*
88 : * if this backend is not responsible for BUILTIN
89 : *
90 : * Use the gid from the mapping request for entry.
91 : * If the mapping fails, bail out
92 : */
93 0 : mapresult = sid_to_gid(&sid, &gid);
94 0 : if (!mapresult) {
95 0 : status = NT_STATUS_NO_SUCH_GROUP;
96 : } else {
97 0 : status = pdb_create_builtin_alias(rid, gid);
98 : }
99 : } else {
100 : /*
101 : * this backend is responsible for BUILTIN
102 : *
103 : * a failed mapping result means that the entry
104 : * does not exist yet, so create it
105 : *
106 : * we use pdb_sid_to_id intentionally here to
107 : * directly query the passdb backend (sid_to_gid
108 : * would finally do the same)
109 : */
110 0 : struct unixid id;
111 33772 : mapresult = pdb_sid_to_id(&sid, &id);
112 33772 : if (!mapresult) {
113 33760 : if (!lp_winbind_nested_groups() || !winbind_ping()) {
114 33586 : return NT_STATUS_PROTOCOL_UNREACHABLE;
115 : }
116 174 : status = pdb_create_builtin_alias(rid, 0);
117 : }
118 : }
119 186 : return status;
120 : }
121 :
122 : /*******************************************************************
123 : *******************************************************************/
124 :
125 11251 : NTSTATUS create_builtin_users(const struct dom_sid *dom_sid)
126 : {
127 0 : NTSTATUS status;
128 0 : struct dom_sid dom_users;
129 :
130 11251 : status = pdb_create_builtin(BUILTIN_RID_USERS);
131 11251 : if ( !NT_STATUS_IS_OK(status) ) {
132 11242 : DEBUG(5,("create_builtin_users: Failed to create Users\n"));
133 11242 : return status;
134 : }
135 :
136 : /* add domain users */
137 9 : if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) &&
138 9 : (dom_sid != NULL) &&
139 9 : sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS))
140 : {
141 9 : status = add_sid_to_builtin(&global_sid_Builtin_Users,
142 : &dom_users);
143 : }
144 :
145 9 : return status;
146 : }
147 :
148 : /*******************************************************************
149 : *******************************************************************/
150 :
151 11250 : NTSTATUS create_builtin_administrators(const struct dom_sid *dom_sid)
152 : {
153 0 : NTSTATUS status;
154 0 : struct dom_sid dom_admins, root_sid;
155 0 : fstring root_name;
156 0 : enum lsa_SidType type;
157 0 : TALLOC_CTX *ctx;
158 0 : bool ret;
159 :
160 11250 : status = pdb_create_builtin(BUILTIN_RID_ADMINISTRATORS);
161 11250 : if ( !NT_STATUS_IS_OK(status) ) {
162 11234 : DEBUG(5,("create_builtin_administrators: Failed to create Administrators\n"));
163 11234 : return status;
164 : }
165 :
166 : /* add domain admins */
167 16 : if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) &&
168 16 : (dom_sid != NULL) &&
169 16 : sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS))
170 : {
171 16 : status = add_sid_to_builtin(&global_sid_Builtin_Administrators,
172 : &dom_admins);
173 16 : if (!NT_STATUS_IS_OK(status)) {
174 0 : return status;
175 : }
176 : }
177 :
178 : /* add root */
179 16 : if ( (ctx = talloc_init("create_builtin_administrators")) == NULL ) {
180 0 : return NT_STATUS_NO_MEMORY;
181 : }
182 16 : fstr_sprintf( root_name, "%s\\root", get_global_sam_name() );
183 16 : ret = lookup_name(ctx, root_name, LOOKUP_NAME_DOMAIN, NULL, NULL,
184 : &root_sid, &type);
185 16 : TALLOC_FREE( ctx );
186 :
187 16 : if ( ret ) {
188 0 : status = add_sid_to_builtin(&global_sid_Builtin_Administrators,
189 : &root_sid);
190 : }
191 :
192 16 : return status;
193 : }
194 :
195 : /*******************************************************************
196 : *******************************************************************/
197 :
198 11258 : NTSTATUS create_builtin_guests(const struct dom_sid *dom_sid)
199 : {
200 0 : NTSTATUS status;
201 11258 : struct dom_sid tmp_sid = { 0, };
202 :
203 11258 : status = pdb_create_builtin(BUILTIN_RID_GUESTS);
204 11258 : if (!NT_STATUS_IS_OK(status)) {
205 11242 : DEBUG(5,("create_builtin_guests: Failed to create Guests\n"));
206 11242 : return status;
207 : }
208 :
209 : /* add local guest */
210 16 : if (sid_compose(&tmp_sid, get_global_sam_sid(), DOMAIN_RID_GUEST)) {
211 16 : status = add_sid_to_builtin(&global_sid_Builtin_Guests,
212 : &tmp_sid);
213 16 : if (!NT_STATUS_IS_OK(status)) {
214 0 : return status;
215 : }
216 : }
217 :
218 : /* add local guests */
219 16 : if (sid_compose(&tmp_sid, get_global_sam_sid(), DOMAIN_RID_GUESTS)) {
220 16 : status = add_sid_to_builtin(&global_sid_Builtin_Guests,
221 : &tmp_sid);
222 16 : if (!NT_STATUS_IS_OK(status)) {
223 0 : return status;
224 : }
225 : }
226 :
227 16 : if (lp_server_role() != ROLE_DOMAIN_MEMBER) {
228 10 : return NT_STATUS_OK;
229 : }
230 :
231 6 : if (dom_sid == NULL) {
232 0 : return NT_STATUS_INTERNAL_ERROR;
233 : }
234 :
235 : /* add domain guests */
236 6 : if (sid_compose(&tmp_sid, dom_sid, DOMAIN_RID_GUESTS)) {
237 6 : status = add_sid_to_builtin(&global_sid_Builtin_Guests,
238 : &tmp_sid);
239 6 : if (!NT_STATUS_IS_OK(status)) {
240 0 : return status;
241 : }
242 : }
243 :
244 6 : return NT_STATUS_OK;
245 : }
|