📄 passdb.c
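grp = getgrnam(user);
		if(!grp) {
			unbecome_root();		/* ---> exit form block */
			return False;
		}

		/*
		 *check if it's mapped, if it is reply it doesn't exist
		 *
		 * that's to prevent this case:
		 *
		 * unix group ug is mapped to nt group ng
		 * someone does a lookup on ug
		 * we must not reply as it doesn't "exist" anymore
		 * for NT. For NT only ng exists.
		 * JFM, 30/11/2001
		 */

		if (pdb_getgrgid(&map, grp->gr_gid)){
			unbecome_root();		/* ---> exit form block */
			return False;
		}

		sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
		*psid_name_use = SID_NAME_ALIAS;
	}
	unbecome_root();
	/* END ROOT BLOCK */

	sid_copy( psid, &local_sid);

	return True;
}

/*************************************************************
 Change a password entry in the local smbpasswd file.

 Looks up the SAM_ACCOUNT for user_name (building a fresh one with
 pdb_init_sam_new() when the lookup fails and LOCAL_ADD_USER or
 LOCAL_DELETE_USER is set), applies the account-control and password
 changes selected by local_flags, then adds, deletes or updates the
 entry through the pdb_* calls.

 user_name    account to change
 local_flags  bitmask of LOCAL_* flags selecting the operation
 new_passwd   plaintext password, read only for LOCAL_SET_PASSWORD
 err_str      receives an error message on failure
 msg_str      receives a status message on success

 Returns True on success, False on failure.

 Both output buffers are written unconditionally and formatted with
 a limit of (len - 1), so callers must pass non-NULL buffers of at
 least one byte each.
*************************************************************/

BOOL local_password_change(const char *user_name, int local_flags,
			   const char *new_passwd,
			   char *err_str, size_t err_str_len,
			   char *msg_str, size_t msg_str_len)
{
	SAM_ACCOUNT *sam_pass=NULL;
	uint16 other_acb;

	*err_str = '\0';
	*msg_str = '\0';

	/* Get the smb passwd entry for this user */
	if (!NT_STATUS_IS_OK(pdb_init_sam(&sam_pass))) {
		/* Do not hand a NULL account object to the lookup below. */
		slprintf(err_str, err_str_len-1, "Failed to allocate SAM_ACCOUNT object for user %s.\n", user_name);
		return False;
	}

	/* Root is held only for the lookup and released on both outcomes. */
	become_root();
	if(!pdb_getsampwnam(sam_pass, user_name)) {
		unbecome_root();
		pdb_free_sam(&sam_pass);

		if ((local_flags & LOCAL_ADD_USER) || (local_flags & LOCAL_DELETE_USER)) {
			/* Might not exist in /etc/passwd.  Use rid algorithm here */
			if (!NT_STATUS_IS_OK(pdb_init_sam_new(&sam_pass, user_name, 0))) {
				slprintf(err_str, err_str_len-1, "Failed to initialise SAM_ACCOUNT for user %s. Does this user exist in the UNIX password database ?\n", user_name);
				return False;
			}
		} else {
			slprintf(err_str, err_str_len-1,"Failed to find entry for user %s.\n", user_name);
			return False;
		}
	} else {
		unbecome_root();
		/* the entry already existed */
		local_flags &= ~LOCAL_ADD_USER;
	}

	/*
	 * The 'other' acb bits not being changed here.
	 *
	 * This must be a bitwise complement (~).  A logical NOT of the
	 * non-zero mask evaluates to 0, which would zero other_acb and make
	 * each pdb_set_acct_ctrl() call below replace the whole control word
	 * with a single account-type bit, silently dropping bits such as
	 * ACB_DISABLED or ACB_PWNOTREQ on every call to this function.
	 */
	other_acb = (pdb_get_acct_ctrl(sam_pass) & (~(ACB_WSTRUST|ACB_DOMTRUST|ACB_SVRTRUST|ACB_NORMAL)));

	/* Select exactly one account-type bit, keeping the unrelated bits. */
	if (local_flags & LOCAL_TRUST_ACCOUNT) {
		if (!pdb_set_acct_ctrl(sam_pass, ACB_WSTRUST | other_acb, PDB_CHANGED) ) {
			slprintf(err_str, err_str_len - 1, "Failed to set 'trusted workstation account' flags for user %s.\n", user_name);
			pdb_free_sam(&sam_pass);
			return False;
		}
	} else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
		if (!pdb_set_acct_ctrl(sam_pass, ACB_DOMTRUST | other_acb, PDB_CHANGED)) {
			slprintf(err_str, err_str_len - 1, "Failed to set 'domain trust account' flags for user %s.\n", user_name);
			pdb_free_sam(&sam_pass);
			return False;
		}
	} else {
		if (!pdb_set_acct_ctrl(sam_pass, ACB_NORMAL | other_acb, PDB_CHANGED)) {
			slprintf(err_str, err_str_len - 1, "Failed to set 'normal account' flags for user %s.\n", user_name);
			pdb_free_sam(&sam_pass);
			return False;
		}
	}

	/*
	 * We are root - just write the new password
	 * and the valid last change time.
	 *
	 * NOTE(review): root was released after the lookup above, so this
	 * presumably relies on the caller already being root - confirm.
	 */

	if (local_flags & LOCAL_DISABLE_USER) {
		if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_DISABLED, PDB_CHANGED)) {
			slprintf(err_str, err_str_len-1, "Failed to set 'disabled' flag for user %s.\n", user_name);
			pdb_free_sam(&sam_pass);
			return False;
		}
	} else if (local_flags & LOCAL_ENABLE_USER) {
		if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
			slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
			pdb_free_sam(&sam_pass);
			return False;
		}
	}

	if (local_flags & LOCAL_SET_NO_PASSWORD) {
		if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)|ACB_PWNOTREQ, PDB_CHANGED)) {
			slprintf(err_str, err_str_len-1, "Failed to set 'no password required' flag for user %s.\n", user_name);
			pdb_free_sam(&sam_pass);
			return False;
		}
	} else if (local_flags & LOCAL_SET_PASSWORD) {
		/*
		 * If we're dealing with setting a completely empty user account
		 * ie. One with a password of 'XXXX', but not set disabled (like
		 * an account created from scratch) then if the old password was
		 * 'XX's then getsmbpwent will have set the ACB_DISABLED flag.
		 * We remove that as we're giving this user their first password
		 * and the decision hasn't really been made to disable them (ie.
		 * don't create them disabled). JRA.
		 */
		if ((pdb_get_lanman_passwd(sam_pass)==NULL) && (pdb_get_acct_ctrl(sam_pass)&ACB_DISABLED)) {
			if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_DISABLED), PDB_CHANGED)) {
				slprintf(err_str, err_str_len-1, "Failed to unset 'disabled' flag for user %s.\n", user_name);
				pdb_free_sam(&sam_pass);
				return False;
			}
		}
		if (!pdb_set_acct_ctrl (sam_pass, pdb_get_acct_ctrl(sam_pass)&(~ACB_PWNOTREQ), PDB_CHANGED)) {
			slprintf(err_str, err_str_len-1, "Failed to unset 'no password required' flag for user %s.\n", user_name);
			pdb_free_sam(&sam_pass);
			return False;
		}

		if (!pdb_set_plaintext_passwd (sam_pass, new_passwd)) {
			slprintf(err_str, err_str_len-1, "Failed to set password for user %s.\n", user_name);
			pdb_free_sam(&sam_pass);
			return False;
		}
	}

	/* Commit: add, delete, or update the entry; free sam_pass on every exit. */
	if (local_flags & LOCAL_ADD_USER) {
		if (pdb_add_sam_account(sam_pass)) {
			slprintf(msg_str, msg_str_len-1, "Added user %s.\n", user_name);
			pdb_free_sam(&sam_pass);
			return True;
		} else {
			slprintf(err_str, err_str_len-1, "Failed to add entry for user %s.\n", user_name);
			pdb_free_sam(&sam_pass);
			return False;
		}
	} else if (local_flags & LOCAL_DELETE_USER) {
		if (!pdb_delete_sam_account(sam_pass)) {
			slprintf(err_str,err_str_len-1, "Failed to delete entry for user %s.\n", user_name);
			pdb_free_sam(&sam_pass);
			return False;
		}
		slprintf(msg_str, msg_str_len-1, "Deleted user %s.\n", user_name);
	} else {
		if(!pdb_update_sam_account(sam_pass)) {
			slprintf(err_str, err_str_len-1, "Failed to modify entry for user %s.\n", user_name);
			pdb_free_sam(&sam_pass);
			return False;
		}
		if(local_flags & LOCAL_DISABLE_USER)
			slprintf(msg_str, msg_str_len-1, "Disabled user %s.\n", user_name);
		else if (local_flags & LOCAL_ENABLE_USER)
			slprintf(msg_str, msg_str_len-1, "Enabled user %s.\n", user_name);
		else if (local_flags & LOCAL_SET_NO_PASSWORD)
			slprintf(msg_str, msg_str_len-1, "User %s password set to none.\n", user_name);
	}

	pdb_free_sam(&sam_pass);
	return True;
}

/****************************************************************************
 Convert a uid to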
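SID - algorithmic.
****************************************************************************/

/*
 * Builds the SID in *psid from the global SAM SID plus the RID computed by
 * algorithmic_pdb_uid_to_user_rid(uid).
 *
 * Returns psid on success.  Returns NULL, leaving *psid untouched, when
 * lp_enable_rid_algorithm() is false - callers must check the result
 * before reading *psid.
 */
DOM_SID *algorithmic_uid_to_sid(DOM_SID *psid, uid_t uid)
{
	if ( !lp_enable_rid_algorithm() )
		return NULL;

	DEBUG(8,("algorithmic_uid_to_sid: falling back to RID algorithm\n"));
	sid_copy( psid, get_global_sam_sid() );
	sid_append_rid( psid, algorithmic_pdb_uid_to_user_rid(uid) );
	/* %u matches the (unsigned int) cast of the uid argument */
	DEBUG(10,("algorithmic_uid_to_sid:  uid (%u) -> SID %s.\n",
		(unsigned int)uid, sid_string_static(psid) ));

	return psid;
}

/****************************************************************************
 Convert a uid to SID - locally.

 Resolves uid to a unix account name, then to that account's SID in the
 passdb.  Falls back to algorithmic_uid_to_sid() when the host does not
 know the uid or the user has no samba account.

 Returns psid on success, or NULL when no SID could be produced.  On a
 NULL return *psid has not been filled in.
****************************************************************************/

DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
{
	SAM_ACCOUNT *sampw = NULL;
	struct passwd *unix_pw;
	BOOL ret;

	unix_pw = sys_getpwuid( uid );

	if ( !unix_pw ) {
		DEBUG(4,("local_uid_to_sid: host has no idea of uid %lu\n", (unsigned long)uid));
		return algorithmic_uid_to_sid( psid, uid);
	}

	if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw)) ) {
		DEBUG(0,("local_uid_to_sid: failed to allocate SAM_ACCOUNT object\n"));
		return NULL;
	}

	/* Root is held only for the passdb lookup. */
	become_root();
	ret = pdb_getsampwnam( sampw, unix_pw->pw_name );
	unbecome_root();

	if ( ret )
		sid_copy( psid, pdb_get_user_sid(sampw) );
	else {
		DEBUG(4,("local_uid_to_sid: User %s [uid == %lu] has no samba account\n",
			unix_pw->pw_name, (unsigned long)uid));

		/*
		 * The fallback returns NULL without writing *psid when the RID
		 * algorithm is disabled.  Propagate that failure instead of
		 * returning a pointer to a SID that was never filled in.
		 */
		if ( !algorithmic_uid_to_sid( psid, uid) ) {
			pdb_free_sam(&sampw);
			return NULL;
		}
	}

	pdb_free_sam(&sampw);

	DEBUG(10,("local_uid_to_sid:  uid (%u) -> SID %s (%s).\n",
		(unsigned int)uid, sid_string_static(psid), unix_pw->pw_name));

	return psid;
}

/****************************************************************************
 Convert a SID to uid - locally.

 Only SIDs from our own domain are accepted.  The SID is looked up in the
 passdb and the resulting user name is resolved with sys_getpwnam().

 On success stores the uid in *puid, sets *name_type to SID_NAME_USER and
 returns True.  On failure returns False with *name_type left as
 SID_NAME_UNKNOWN; *puid is not written.
****************************************************************************/

BOOL local_sid_to_uid(uid_t *puid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
{
	SAM_ACCOUNT *sampw = NULL;
	struct passwd *unix_pw;
	const char *user_name;

	*name_type = SID_NAME_UNKNOWN;

	/*
	 * We can only convert to a uid if this is our local
	 * Domain SID (ie. we are the controlling authority).
	 */
	if (!sid_check_is_in_our_domain(psid) ) {
		DEBUG(5,("local_sid_to_uid: this SID (%s) is not from our domain\n", sid_string_static(psid)));
		return False;
	}

	/* lookup the user account */

	if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw)) ) {
		DEBUG(0,("local_sid_to_uid: Failed to allocate memory for SAM_ACCOUNT object\n"));
		return False;
	}

	/* Root is released on both the failure and the success path. */
	become_root();
	if ( !pdb_getsampwsid(sampw, psid) ) {
		unbecome_root();
		pdb_free_sam(&sampw);
		DEBUG(8,("local_sid_to_uid: Could not find SID %s in passdb\n",
			sid_string_static(psid)));
		return False;
	}
	unbecome_root();

	user_name = pdb_get_username(sampw);

	unix_pw = sys_getpwnam( user_name );

	if ( !unix_pw ) {
		DEBUG(0,("local_sid_to_uid: %s found in passdb but getpwnam() return NULL!\n",
			user_name));
		pdb_free_sam( &sampw );
		return False;
	}

	*puid = unix_pw->pw_uid;

	/* user_name is still used here, so sampw is freed only afterwards */
	DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_string_static(psid),
		(unsigned int)*puid, user_name ));

	*name_type = SID_NAME_USER;
	pdb_free_sam( &sampw );

	return True;
}

/****************************************************************************
 Convert a gid to SID - locally.

 Uses the group mapping for gid when one exists; otherwise falls back to
 the RID algorithm if lp_enable_rid_algorithm() allows it.

 Returns psid on success, or NULL (with *psid untouched) when there is no
 mapping and the RID algorithm is disabled.
****************************************************************************/

DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
{
	GROUP_MAP group;
	BOOL ret;

	/* we don't need to disable winbindd since the gid is stored in
	   the GROUP_MAP object */

	/* done as root since ldap backend requires root to open a connection */

	become_root();
	ret = pdb_getgrgid( &group, gid );
	unbecome_root();

	if ( !ret ) {

		/* fallback to rid mapping if enabled */

		if ( lp_enable_rid_algorithm() ) {
			sid_copy(psid, get_global_sam_sid());
			sid_append_rid(psid, pdb_gid_to_group_rid(gid));

			DEBUG(10,("local_gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n",
				(unsigned int)gid, sid_string_static(psid)));

			return psid;
		}
		else
			return NULL;
	}

	sid_copy( psid, &group.sid );

	/* %u matches the (unsigned int) cast of the gid argument */
	DEBUG(10,("local_gid_to_sid:  gid (%u) -> SID %s.\n",
		(unsigned int)gid, sid_string_static(psid)));

	return psid;
}

/****************************************************************************
 Convert a SID to gid - locally.

 Uses the group mapping for the SID when one exists; otherwise falls back
 to the RID algorithm, which is restricted to SIDs from our own domain and
 to RIDs that algorithmic_pdb_rid_is_user() does not classify as users.

 On success stores the gid in *pgid and returns True.  Returns False on
 failure, with *name_type left as SID_NAME_UNKNOWN.
****************************************************************************/

BOOL local_sid_to_gid(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
{
	uint32 rid;
	GROUP_MAP group;
	BOOL ret;

	*name_type = SID_NAME_UNKNOWN;

	/* This call can enumerate group mappings for foreign sids as well.
	   So don't check for a match against our domain SID */

	/* we don't need to disable winbindd since the gid is stored in
	   the GROUP_MAP object */

	become_root();
	ret = pdb_getgrsid(&group, *psid);
	unbecome_root();

	if ( !ret ) {

		/* Fallback to algorithmic rid mapping if enabled */

		if ( lp_enable_rid_algorithm() ) {

			if (!sid_check_is_in_our_domain(psid) ) {
				DEBUG(5,("local_sid_to_gid: RID algorithm only supported for our domain (%s is not)\n", sid_string_static(psid)));
				return False;
			}

			if (!sid_peek_rid(psid, &rid)) {
				DEBUG(10,("local_sid_to_gid: invalid SID!\n"));
				return False;
			}

			DEBUG(10,("local_sid_to_gid: Fall back to algorithmic mapping\n"));

			if (algorithmic_pdb_rid_is_user(rid)) {
				DEBUG(3, ("local_sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(psid)));
				return False;
			} else {
				/*
				 * NOTE(review): this success path returns True with
				 * *name_type still SID_NAME_UNKNOWN - confirm that
				 * callers do not rely on the type here.
				 */
				*pgid = pdb_group_rid_to_gid(rid);
				DEBUG(10,("local_sid_to_gid: mapping: %s -> %u\n", sid_string_static(psid), (unsigned int)(*pgid)));
				return True;
			}
		}

		return False;
	}

	*pgid = group.gid;
	*name_type = group.sid_name_use;

	DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u)\n", sid_string_static(psid),
		(unsigned int)*pgid));

	return True;
}

/**********************************************************************
 Marshall/unmarshall SAM_ACCOUNT structs.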
*********************************************************************/

/*
 * Pack/unpack format strings, one per stored record version.  The three
 * strings differ from each other, so a buffer must be read with the
 * format of the version it was written with.
 * NOTE(review): the meaning of the individual format letters is defined
 * by the packing routines, which are not visible here.
 */
#define TDB_FORMAT_STRING_V0       "ddddddBBBBBBBBBBBBddBBwdwdBwwd"
#define TDB_FORMAT_STRING_V1       "dddddddBBBBBBBBBBBBddBBwdwdBwwd"
#define TDB_FORMAT_STRING_V2       "dddddddBBBBBBBBBBBBddBBBwwdBwwd"

/**********************************************************************
 Fill a SAM_ACCOUNT struct from a byte buffer of buflen bytes.

 Thin wrapper: hands its arguments unchanged to the v2 parser and
 returns that parser's result.
 NOTE(review): bounds checking of buf against buflen is left entirely
 to init_sam_from_buffer_v2, which is not visible here - confirm.
 *********************************************************************/

BOOL init_sam_from_buffer(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
{
	return init_sam_from_buffer_v2(sampass, buf, buflen);
}

/**********************************************************************
 Fill a byte buffer from a SAM_ACCOUNT struct.

 Thin wrapper: hands its arguments unchanged to the v2 serialiser and
 returns that serialiser's result.
 *********************************************************************/

uint32 init_buffer_from_sam (uint8 **buf, const SAM_ACCOUNT *sampass, BOOL size_only)
{
	return init_buffer_from_sam_v2(buf, sampass, size_only);
}

BOOL init_sam_from_buffer_v0(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
{

	/* times are stored as 32bit integer
	   take care on system with 64bit wide time_t
	   --SSS */
	uint32	logon_time,
		logoff_time,
		kickoff_time,
		pass_last_set_time,
		pass_can_change_time,
		pass_must_change_time;
	char *username = NULL;
	char *domain = NULL;
	char *nt_username = NULL;
	char *dir_drive = NULL;
	char *unknown_str = NULL;
	char *munged_dial = NULL;
	char *fullname = NULL;