passdb.c

samba-3.0.22.tar.gz 编译smb服务器的源码

 length = length of string to encode into (including terminating
 null). length *MUST BE MORE THAN 2* !
 **********************************************************/

char *pdb_encode_acct_ctrl(uint16 acct_ctrl, size_t length)
{
	static fstring acct_str;

	size_t i = 0;

	SMB_ASSERT(length <= sizeof(acct_str));

	acct_str[i++] = '[';

	if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
	if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
	if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
	if (acct_ctrl & ACB_TEMPDUP  ) acct_str[i++] = 'T'; 
	if (acct_ctrl & ACB_NORMAL   ) acct_str[i++] = 'U';
	if (acct_ctrl & ACB_MNS      ) acct_str[i++] = 'M';
	if (acct_ctrl & ACB_WSTRUST  ) acct_str[i++] = 'W';
	if (acct_ctrl & ACB_SVRTRUST ) acct_str[i++] = 'S';
	if (acct_ctrl & ACB_AUTOLOCK ) acct_str[i++] = 'L';
	if (acct_ctrl & ACB_PWNOEXP  ) acct_str[i++] = 'X';
	if (acct_ctrl & ACB_DOMTRUST ) acct_str[i++] = 'I';

	for ( ; i < length - 2 ; i++ )
		acct_str[i] = ' ';

	i = length - 2;
	acct_str[i++] = ']';
	acct_str[i++] = '\0';

	return acct_str;
}     

/**********************************************************
 Decode the account control bits from a string.
 **********************************************************/

uint16 pdb_decode_acct_ctrl(const char *p)
{
	uint16 acct_ctrl = 0;
	BOOL finished = False;

	/*
	 * Check if the account type bits have been encoded after the
	 * NT password (in the form [NDHTUWSLXI]).
	 */

	if (*p != '[')
		return 0;

	for (p++; *p && !finished; p++) {
		switch (*p) {
			case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
			case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
			case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
			case 'T': { acct_ctrl |= ACB_TEMPDUP  ; break; /* 'T'emp account. */ } 
			case 'U': { acct_ctrl |= ACB_NORMAL   ; break; /* 'U'ser account (normal). */ } 
			case 'M': { acct_ctrl |= ACB_MNS      ; break; /* 'M'NS logon user account. What is this ? */ } 
			case 'W': { acct_ctrl |= ACB_WSTRUST  ; break; /* 'W'orkstation account. */ } 
			case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ } 
			case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ } 
			case 'X': { acct_ctrl |= ACB_PWNOEXP  ; break; /* No 'X'piry on password */ } 
			case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
            case ' ': { break; }
			case ':':
			case '\n':
			case '\0': 
			case ']':
			default:  { finished = True; }
		}
	}

	return acct_ctrl;
}

/*************************************************************
 Routine to set 32 hex password characters from a 16 byte array.
**************************************************************/

void pdb_sethexpwd(char *p, const unsigned char *pwd, uint16 acct_ctrl)
{
	if (pwd != NULL) {
		int i;
		for (i = 0; i < 16; i++)
			slprintf(&p[i*2], 3, "%02X", pwd[i]);
	} else {
		if (acct_ctrl & ACB_PWNOTREQ)
			safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
		else
			safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
	}
}

/*************************************************************
 Routine to get the 32 hex characters and turn them
 into a 16 byte array.
**************************************************************/

BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
{
	int i;
	unsigned char   lonybble, hinybble;
	const char      *hexchars = "0123456789ABCDEF";
	char           *p1, *p2;
	
	if (!p)
		return (False);
	
	for (i = 0; i < 32; i += 2) {
		hinybble = toupper_ascii(p[i]);
		lonybble = toupper_ascii(p[i + 1]);

		p1 = strchr(hexchars, hinybble);
		p2 = strchr(hexchars, lonybble);

		if (!p1 || !p2)
			return (False);

		hinybble = PTR_DIFF(p1, hexchars);
		lonybble = PTR_DIFF(p2, hexchars);

		pwd[i / 2] = (hinybble << 4) | lonybble;
	}
	return (True);
}

/*************************************************************
 Routine to set 42 hex hours characters from a 21 byte array.
**************************************************************/

void pdb_sethexhours(char *p, const unsigned char *hours)
{
	if (hours != NULL) {
		int i;
		for (i = 0; i < 21; i++) {
			slprintf(&p[i*2], 3, "%02X", hours[i]);
		}
	} else {
		safe_strcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 43);
	}
}

/*************************************************************
 Routine to get the 42 hex characters and turn them
 into a 21 byte array.
**************************************************************/

BOOL pdb_gethexhours(const char *p, unsigned char *hours)
{
	int i;
	unsigned char   lonybble, hinybble;
	const char      *hexchars = "0123456789ABCDEF";
	char           *p1, *p2;

	if (!p) {
		return (False);
	}

	for (i = 0; i < 42; i += 2) {
		hinybble = toupper_ascii(p[i]);
		lonybble = toupper_ascii(p[i + 1]);

		p1 = strchr(hexchars, hinybble);
		p2 = strchr(hexchars, lonybble);

		if (!p1 || !p2) {
			return (False);
		}

		hinybble = PTR_DIFF(p1, hexchars);
		lonybble = PTR_DIFF(p2, hexchars);

		hours[i / 2] = (hinybble << 4) | lonybble;
	}
	return (True);
}

int algorithmic_rid_base(void)
{
	static int rid_offset = 0;

	if (rid_offset != 0)
		return rid_offset;

	rid_offset = lp_algorithmic_rid_base();

	if (rid_offset < BASE_RID) {  
		/* Try to prevent admin foot-shooting, we can't put algorithmic
		   rids below 1000, that's the 'well known RIDs' on NT */
		DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
		rid_offset = BASE_RID;
	}
	if (rid_offset & 1) {
		DEBUG(0, ("algorithmic rid base must be even\n"));
		rid_offset += 1;
	}
	return rid_offset;
}

/*******************************************************************
 Converts NT user RID to a UNIX uid.
 ********************************************************************/

uid_t algorithmic_pdb_user_rid_to_uid(uint32 user_rid)
{
	int rid_offset = algorithmic_rid_base();
	return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER);
}

/*******************************************************************
 converts UNIX uid to an NT User RID.
 ********************************************************************/

uint32 algorithmic_pdb_uid_to_user_rid(uid_t uid)
{
	int rid_offset = algorithmic_rid_base();
	return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
}

/*******************************************************************
 Converts NT group RID to a UNIX gid.
 ********************************************************************/

gid_t pdb_group_rid_to_gid(uint32 group_rid)
{
	int rid_offset = algorithmic_rid_base();
	return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
}

/*******************************************************************
 converts NT Group RID to a UNIX uid.
 
 warning: you must not call that function only
 you must do a call to the group mapping first.
 there is not anymore a direct link between the gid and the rid.
 ********************************************************************/

uint32 pdb_gid_to_group_rid(gid_t gid)
{
	int rid_offset = algorithmic_rid_base();
	return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
}

/*******************************************************************
 Decides if a RID is a well known RID.
 ********************************************************************/

static BOOL pdb_rid_is_well_known(uint32 rid)
{
	/* Not using rid_offset here, because this is the actual
	   NT fixed value (1000) */

	return (rid < BASE_RID);
}

/*******************************************************************
 Decides if a RID is a user or group RID.
 ********************************************************************/

BOOL algorithmic_pdb_rid_is_user(uint32 rid)
{
	if(pdb_rid_is_well_known(rid)) {
		/*
		 * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
		 * and DOMAIN_USER_RID_GUEST.
		 */
		if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
			return True;
	} else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
		return True;
	}
	return False;
}

/*******************************************************************
 Look up a rid in the SAM we're responsible for (i.e. passdb)
 ********************************************************************/

BOOL lookup_global_sam_rid(uint32 rid, fstring name,
			   enum SID_NAME_USE *psid_name_use)
{
	SAM_ACCOUNT *sam_account = NULL;
	GROUP_MAP map;
	BOOL ret;
	DOM_SID sid;

	*psid_name_use = SID_NAME_UNKNOWN;
	
	DEBUG(5,("lookup_global_sam_rid: looking up RID %u.\n",
		 (unsigned int)rid));

	sid_copy(&sid, get_global_sam_sid());
	sid_append_rid(&sid, rid);
	
	/* see if the passdb can help us with the name of the user */
	if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
		return False;
	}

	/* BEING ROOT BLLOCK */
	become_root();
	if (pdb_getsampwsid(sam_account, &sid)) {
		unbecome_root();		/* -----> EXIT BECOME_ROOT() */
		fstrcpy(name, pdb_get_username(sam_account));
		*psid_name_use = SID_NAME_USER;

		pdb_free_sam(&sam_account);
			
		return True;
	}
	pdb_free_sam(&sam_account);
	
	ret = pdb_getgrsid(&map, sid);
	unbecome_root();
	/* END BECOME_ROOT BLOCK */
	
	if ( ret ) {
		if (map.gid!=(gid_t)-1) {
			DEBUG(5,("lookup_global_sam_rid: mapped group %s to "
				 "gid %u\n", map.nt_name,
				 (unsigned int)map.gid));
		} else {
			DEBUG(5,("lookup_global_sam_rid: mapped group %s to "
				 "no unix gid.  Returning name.\n",
				 map.nt_name));
		}

		fstrcpy(name, map.nt_name);
		*psid_name_use = map.sid_name_use;
		return True;
	}

	if (rid == DOMAIN_USER_RID_ADMIN) {
		*psid_name_use = SID_NAME_USER;
		fstrcpy(name, "Administrator");
		return True;
	}

	if (algorithmic_pdb_rid_is_user(rid)) {
		uid_t uid;
		struct passwd *pw = NULL;

		DEBUG(5, ("assuming RID %u is a user\n", (unsigned)rid));

       		uid = algorithmic_pdb_user_rid_to_uid(rid);
		pw = sys_getpwuid( uid );
		
		DEBUG(5,("lookup_global_sam_rid: looking up uid %u %s\n",
			 (unsigned int)uid, pw ? "succeeded" : "failed" ));
			 
		if ( !pw )
			fstr_sprintf(name, "unix_user.%u", (unsigned int)uid);
		else 
			fstrcpy( name, pw->pw_name );
			
		DEBUG(5,("lookup_global_sam_rid: found user %s for rid %u\n",
			 name, (unsigned int)rid ));
			 
		*psid_name_use = SID_NAME_USER;
		
		return ( pw != NULL );
	} else {
		gid_t gid;
		struct group *gr; 
			
		DEBUG(5, ("assuming RID %u is a group\n", (unsigned)rid));

		gid = pdb_group_rid_to_gid(rid);
		gr = getgrgid(gid);
			
		DEBUG(5,("lookup_global_sam_rid: looking up gid %u %s\n",
			 (unsigned int)gid, gr ? "succeeded" : "failed" ));
			
		if( !gr )
			fstr_sprintf(name, "unix_group.%u", (unsigned int)gid);
		else
			fstrcpy( name, gr->gr_name);
			
		DEBUG(5,("lookup_global_sam_rid: found group %s for rid %u\n",
			 name, (unsigned int)rid ));
		
		/* assume algorithmic groups are domain global groups */
		
		*psid_name_use = SID_NAME_DOM_GRP;
		
		return ( gr != NULL );
	}
}

/*******************************************************************
 Convert a name into a SID. Used in the lookup name rpc.
 ********************************************************************/

BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psid_name_use)
{
	DOM_SID local_sid;
	DOM_SID sid;
	fstring user;
	SAM_ACCOUNT *sam_account = NULL;
	struct group *grp;
	GROUP_MAP map;

	*psid_name_use = SID_NAME_UNKNOWN;

	/*
	 * user may be quoted a const string, and map_username and
	 * friends can modify it. Make a modifiable copy. JRA.
	 */

	fstrcpy(user, c_user);

	sid_copy(&local_sid, get_global_sam_sid());

	if (map_name_to_wellknown_sid(&sid, psid_name_use, user)){
		fstring sid_str;
		sid_copy( psid, &sid);
		sid_to_string(sid_str, &sid);
		DEBUG(10,("lookup_name: name %s = SID %s, type = %u\n", user, sid_str,
			(unsigned int)*psid_name_use ));
		return True;
	}

	(void)map_username(user);

	if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_account))) {
		return False;
	}
	
	/* BEGIN ROOT BLOCK */
	
	become_root();
	if (pdb_getsampwnam(sam_account, user)) {
		unbecome_root();
		sid_copy(psid, pdb_get_user_sid(sam_account));
		*psid_name_use = SID_NAME_USER;
		
		pdb_free_sam(&sam_account);
		return True;
	}

	pdb_free_sam(&sam_account);

	/*
	 * Maybe it was a group ?
	 */

	/* check if it's a mapped group */
	if (pdb_getgrnam(&map, user)) {
		/* yes it's a mapped group */
		sid_copy(&local_sid, &map.sid);
		*psid_name_use = map.sid_name_use;
	} else {
		/* it's not a mapped group */