diff options
author | Gerald Carter <jerry@samba.org> | 2004-04-07 12:43:44 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2004-04-07 12:43:44 +0000 |
commit | a5f89b6f8c6af1fa8156184709a196fe41f46f8a (patch) | |
tree | e94a50dd0252b4fc1f57f04094a1c06e24c80cc4 /source/rpc_server | |
parent | 5f71b7bc783f3c92d199808e45bc2c8b20402552 (diff) | |
download | samba-a5f89b6f8c6af1fa8156184709a196fe41f46f8a.tar.gz |
r116: volker's patch for local group and group nesting
Diffstat (limited to 'source/rpc_server')
-rw-r--r-- | source/rpc_server/srv_lsa_nt.c | 5 | ||||
-rw-r--r-- | source/rpc_server/srv_samr_nt.c | 451 |
2 files changed, 185 insertions, 271 deletions
diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c index 9801ce47f8f..de4fdceba7a 100644 --- a/source/rpc_server/srv_lsa_nt.c +++ b/source/rpc_server/srv_lsa_nt.c @@ -171,6 +171,11 @@ static void init_lsa_rid2s(DOM_R_REF *ref, DOM_RID2 *rid2, status = lookup_name(dom_name, user, &sid, &name_type); } + if (name_type == SID_NAME_WKN_GRP) { + /* BUILTIN aliases are still aliases :-) */ + name_type = SID_NAME_ALIAS; + } + DEBUG(5, ("init_lsa_rid2s: %s\n", status ? "found" : "not found")); diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c index 70ae4d170e4..2e5fe295ecb 100644 --- a/source/rpc_server/srv_samr_nt.c +++ b/source/rpc_server/srv_samr_nt.c @@ -879,7 +879,7 @@ static void make_group_sam_entry_list(TALLOC_CTX *ctx, SAM_ENTRY **sam_pp, UNIST Get the group entries - similar to get_sampwd_entries(). ******************************************************************/ -static NTSTATUS get_group_entries( enum SID_NAME_USE type, TALLOC_CTX *ctx, +static NTSTATUS get_group_domain_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM_SID *sid, uint32 start_idx, uint32 *p_num_entries, uint32 max_entries ) { @@ -894,7 +894,8 @@ static NTSTATUS get_group_entries( enum SID_NAME_USE type, TALLOC_CTX *ctx, needed for some passdb backends to enumerate groups */ become_root(); - pdb_enum_group_mapping(type, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); + pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, + ENUM_ONLY_MAPPED); unbecome_root(); num_entries=group_entries-start_idx; @@ -915,51 +916,57 @@ static NTSTATUS get_group_entries( enum SID_NAME_USE type, TALLOC_CTX *ctx, fstrcpy((*d_grp)[i].name, map[i+start_idx].nt_name); fstrcpy((*d_grp)[i].comment, map[i+start_idx].comment); sid_split_rid(&map[i+start_idx].sid, &(*d_grp)[i].rid); - (*d_grp)[i].attr=type; + (*d_grp)[i].attr=SID_NAME_DOM_GRP; } SAFE_FREE(map); *p_num_entries = num_entries; - DEBUG(10,("get_group_entries: returning %d entries\n", *p_num_entries)); + DEBUG(10,("get_group_domain_entries: returning %d entries\n", + *p_num_entries)); return NT_STATUS_OK; } /******************************************************************* - Wrapper for enuemrating domain groups + Wrapper for enumerating local groups ******************************************************************/ -static NTSTATUS get_group_domain_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, - DOM_SID *sid, uint32 start_idx, - uint32 *p_num_entries, uint32 max_entries ) +static NTSTATUS get_alias_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, + const DOM_SID *sid, uint32 start_idx, + uint32 *p_num_entries, uint32 max_entries ) { - return get_group_entries( SID_NAME_DOM_GRP, ctx, d_grp, sid, start_idx, - p_num_entries, max_entries ); -} + struct acct_info *info; + int i; + BOOL res; -/******************************************************************* - Wrapper for enumerating local groups - ******************************************************************/ + become_root(); + res = pdb_enum_aliases(sid, start_idx, max_entries, + p_num_entries, &info); + unbecome_root(); -static NTSTATUS get_group_alias_entries( TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, - DOM_SID *sid, uint32 start_idx, - uint32 *p_num_entries, uint32 max_entries) -{ - if ( sid_equal(sid, &global_sid_Builtin) ) { - return get_group_entries( SID_NAME_WKN_GRP, ctx, d_grp, - sid, start_idx, p_num_entries, max_entries ); - } - else if ( sid_equal(sid, get_global_sam_sid()) ) { - return get_group_entries( SID_NAME_ALIAS, ctx, d_grp, - sid, start_idx, p_num_entries, max_entries ); + if (!res) + return NT_STATUS_ACCESS_DENIED; + + if (*p_num_entries == 0) + return NT_STATUS_OK; + + *d_grp = talloc(ctx, sizeof(DOMAIN_GRP) * (*p_num_entries)); + + if (*d_grp == NULL) { + SAFE_FREE(info); + return NT_STATUS_NO_MEMORY; } - /* can't do anything with this SID */ - - *p_num_entries = 0; + for (i=0; i<*p_num_entries; i++) { + fstrcpy((*d_grp)[i].name, info[i].acct_name); + fstrcpy((*d_grp)[i].comment, info[i].acct_desc); + (*d_grp)[i].rid = info[i].rid; + (*d_grp)[i].attr = SID_NAME_ALIAS; + } + SAFE_FREE(info); return NT_STATUS_OK; } @@ -1025,9 +1032,9 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S sid_to_string(sid_str, &sid); DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str)); - status = get_group_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, - &num_entries, MAX_SAM_ENTRIES); - if (NT_STATUS_IS_ERR(status)) return status; + status = get_alias_entries(p->mem_ctx, &grp, &sid, q_u->start_idx, + &num_entries, MAX_SAM_ENTRIES); + if (!NT_STATUS_IS_OK(status)) return status; make_group_sam_entry_list(p->mem_ctx, &r_u->sam, &r_u->uni_grp_name, num_entries, grp); @@ -1244,7 +1251,7 @@ NTSTATUS _samr_query_dispinfo(pipes_struct *p, SAMR_Q_QUERY_DISPINFO *q_u, NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAMR_R_QUERY_ALIASINFO *r_u) { DOM_SID sid; - GROUP_MAP map; + struct acct_info info; uint32 acc_granted; BOOL ret; @@ -1259,12 +1266,8 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM return r_u->status; } - if (!sid_check_is_in_our_domain(&sid) && - !sid_check_is_in_builtin(&sid)) - return NT_STATUS_OBJECT_TYPE_MISMATCH; - become_root(); - ret = pdb_getgrsid(&map, sid); + ret = pdb_get_aliasinfo(&sid, &info); unbecome_root(); if ( !ret ) @@ -1274,12 +1277,13 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM case 1: r_u->ptr = 1; r_u->ctr.switch_value1 = 1; - init_samr_alias_info1(&r_u->ctr.alias.info1, map.nt_name, 1, map.comment); + init_samr_alias_info1(&r_u->ctr.alias.info1, + info.acct_name, 1, info.acct_desc); break; case 3: r_u->ptr = 1; r_u->ctr.switch_value1 = 3; - init_samr_alias_info3(&r_u->ctr.alias.info3, map.comment); + init_samr_alias_info3(&r_u->ctr.alias.info3, info.acct_desc); break; default: return NT_STATUS_INVALID_INFO_CLASS; @@ -3191,15 +3195,11 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ { int i; - GROUP_MAP map; int num_sids = 0; DOM_SID2 *sid; DOM_SID *sids=NULL; DOM_SID alias_sid; - DOM_SID als_sid; - uint32 alias_rid; - fstring alias_sid_str; uint32 acc_granted; @@ -3211,35 +3211,12 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) { return r_u->status; } - - sid_copy(&als_sid, &alias_sid); - sid_to_string(alias_sid_str, &alias_sid); - sid_split_rid(&alias_sid, &alias_rid); - DEBUG(10, ("sid is %s\n", alias_sid_str)); + DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid))); - if (sid_equal(&alias_sid, &global_sid_Builtin)) { - DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n")); - if(!get_builtin_group_from_sid(&als_sid, &map)) - return NT_STATUS_NO_SUCH_ALIAS; - } else { - if (sid_equal(&alias_sid, get_global_sam_sid())) { - DEBUG(10, ("lookup on Server SID\n")); - if(!get_local_group_from_sid(&als_sid, &map)) { - fstring alias_sid_string; - DEBUG(10, ("Alias %s not found\n", sid_to_string(alias_sid_string, &als_sid))); - return NT_STATUS_NO_SUCH_ALIAS; - } - } - } - - if (!get_sid_list_of_group(map.gid, &sids, &num_sids)) { - fstring alias_sid_string; - DEBUG(10, ("Alias %s found, but member list unavailable\n", sid_to_string(alias_sid_string, &als_sid))); + if (!pdb_enum_aliasmem(&alias_sid, &sids, &num_sids)) return NT_STATUS_NO_SUCH_ALIAS; - } - DEBUG(10, ("sid is %s\n", alias_sid_str)); sid = (DOM_SID2 *)talloc_zero(p->mem_ctx, sizeof(DOM_SID2) * num_sids); if (num_sids!=0 && sid == NULL) { SAFE_FREE(sids); @@ -3250,7 +3227,6 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ init_dom_sid2(&sid[i], &sids[i]); } - DEBUG(10, ("sid is %s\n", alias_sid_str)); init_samr_r_query_aliasmem(r_u, num_sids, sid, NT_STATUS_OK); SAFE_FREE(sids); @@ -3258,20 +3234,89 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ return NT_STATUS_OK; } +static void add_uid_to_array_unique(uid_t uid, uid_t **uids, int *num) +{ + int i; + + if ((*num) >= groups_max()) + return; + + for (i=0; i<*num; i++) { + if ((*uids)[i] == uid) + return; + } + + *uids = Realloc(*uids, (*num+1) * sizeof(uid_t)); + + if (*uids == NULL) + return; + + (*uids)[*num] = uid; + *num += 1; +} + + +static BOOL get_memberuids(gid_t gid, uid_t **uids, int *num) +{ + struct group *grp; + char **gr; + struct sys_pwent *userlist, *user; + + *uids = NULL; + *num = 0; + + /* We only look at our own sam, so don't care about imported stuff */ + + winbind_off(); + + if ((grp = getgrgid(gid)) == NULL) { + winbind_on(); + return False; + } + + /* Primary group members */ + + userlist = getpwent_list(); + + for (user = userlist; user != NULL; user = user->next) { + if (user->pw_gid != gid) + continue; + add_uid_to_array_unique(user->pw_uid, uids, num); + } + + pwent_free(userlist); + + /* Secondary group members */ + + gr = grp->gr_mem; + while ((*gr != NULL) && ((*gr)[0] != '\0')) { + struct passwd *pw = getpwnam(*gr); + + if (pw == NULL) + continue; + + add_uid_to_array_unique(pw->pw_uid, uids, num); + + gr += 1; + } + + winbind_on(); + + return True; +} + /********************************************************************* _samr_query_groupmem *********************************************************************/ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_R_QUERY_GROUPMEM *r_u) { - int num_sids = 0; - int final_num_sids = 0; - int i; + int final_num_rids, i; DOM_SID group_sid; fstring group_sid_str; - DOM_SID *sids=NULL; - - GROUP_MAP map; + uid_t *uids; + int num; + gid_t gid; uint32 *rid=NULL; uint32 *attr=NULL; @@ -3296,35 +3341,46 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ DEBUG(10, ("lookup on Domain SID\n")); - if(!get_domain_group_from_sid(group_sid, &map)) + if (!NT_STATUS_IS_OK(sid_to_gid(&group_sid, &gid))) return NT_STATUS_NO_SUCH_GROUP; - if(!get_sid_list_of_group(map.gid, &sids, &num_sids)) + if(!get_memberuids(gid, &uids, &num)) return NT_STATUS_NO_SUCH_GROUP; - rid=talloc_zero(p->mem_ctx, sizeof(uint32)*num_sids); - attr=talloc_zero(p->mem_ctx, sizeof(uint32)*num_sids); + rid=talloc_zero(p->mem_ctx, sizeof(uint32)*num); + attr=talloc_zero(p->mem_ctx, sizeof(uint32)*num); - if (num_sids!=0 && (rid==NULL || attr==NULL)) + if (num!=0 && (rid==NULL || attr==NULL)) return NT_STATUS_NO_MEMORY; - for (i=0; i<num_sids; i++) { - uint32 urid; + final_num_rids = 0; - if (sid_peek_check_rid(get_global_sam_sid(), &sids[i], &urid)) { - rid[final_num_sids] = urid; - attr[final_num_sids] = SID_NAME_USER; - final_num_sids++; - } else { - fstring user_sid_str, domain_sid_str; - DEBUG(1, ("_samr_query_groupmem: SID %s in group %s is not in our domain %s\n", - sid_to_string(user_sid_str, &sids[i]), - sid_to_string(group_sid_str, &group_sid), - sid_to_string(domain_sid_str, get_global_sam_sid()))); + for (i=0; i<num; i++) { + DOM_SID sid; + + if (!NT_STATUS_IS_OK(uid_to_sid(&sid, uids[i]))) { + DEBUG(1, ("Could not map member uid to SID\n")); + continue; } + + if (!sid_check_is_in_our_domain(&sid)) { + DEBUG(1, ("Inconsistent SAM -- group member uid not " + "in our domain\n")); + continue; + } + + sid_peek_rid(&sid, &rid[final_num_rids]); + + /* Hmm. In a trace I got the constant 7 here from NT. */ + attr[final_num_rids] = SID_NAME_USER; + + final_num_rids += 1; } - init_samr_r_query_groupmem(r_u, final_num_sids, rid, attr, NT_STATUS_OK); + SAFE_FREE(uids); + + init_samr_r_query_groupmem(r_u, final_num_rids, rid, attr, + NT_STATUS_OK); return NT_STATUS_OK; } @@ -3336,15 +3392,6 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_ADD_ALIASMEM *r_u) { DOM_SID alias_sid; - fstring alias_sid_str; - uid_t uid; - struct passwd *pwd; - struct group *grp; - fstring grp_name; - GROUP_MAP map; - NTSTATUS ret; - SAM_ACCOUNT *sam_user = NULL; - BOOL check; uint32 acc_granted; /* Find the policy handle. Open a policy on it. */ @@ -3355,74 +3402,11 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD return r_u->status; } - sid_to_string(alias_sid_str, &alias_sid); - DEBUG(10, ("sid is %s\n", alias_sid_str)); - - if (sid_compare(&alias_sid, get_global_sam_sid())>0) { - DEBUG(10, ("adding member on Server SID\n")); - if(!get_local_group_from_sid(&alias_sid, &map)) - return NT_STATUS_NO_SUCH_ALIAS; - - } else { - if (sid_compare(&alias_sid, &global_sid_Builtin)>0) { - DEBUG(10, ("adding member on BUILTIN SID\n")); - if( !get_builtin_group_from_sid(&alias_sid, &map)) - return NT_STATUS_NO_SUCH_ALIAS; - - } else - return NT_STATUS_NO_SUCH_ALIAS; - } + DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid))); - ret = pdb_init_sam(&sam_user); - if (!NT_STATUS_IS_OK(ret)) - return ret; - - check = pdb_getsampwsid(sam_user, &q_u->sid.sid); - - if (check != True) { - pdb_free_sam(&sam_user); - return NT_STATUS_NO_SUCH_USER; - } - - /* check a real user exist before we run the script to add a user to a group */ - if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(sam_user), &uid))) { - pdb_free_sam(&sam_user); - return NT_STATUS_NO_SUCH_USER; - } - - pdb_free_sam(&sam_user); - - if ((pwd=getpwuid_alloc(uid)) == NULL) { - return NT_STATUS_NO_SUCH_USER; - } - - if ((grp=getgrgid(map.gid)) == NULL) { - passwd_free(&pwd); - return NT_STATUS_NO_SUCH_ALIAS; - } - - /* we need to copy the name otherwise it's overloaded in user_in_group_list */ - fstrcpy(grp_name, grp->gr_name); - - /* if the user is already in the group */ - if(user_in_unix_group_list(pwd->pw_name, grp_name)) { - passwd_free(&pwd); - return NT_STATUS_MEMBER_IN_ALIAS; - } - - /* - * ok, the group exist, the user exist, the user is not in the group, - * we can (finally) add it to the group ! - */ - smb_add_user_group(grp_name, pwd->pw_name); - - /* check if the user has been added then ... */ - if(!user_in_unix_group_list(pwd->pw_name, grp_name)) { - passwd_free(&pwd); - return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */ - } + if (!pdb_add_aliasmem(&alias_sid, &q_u->sid.sid)) + return NT_STATUS_ACCESS_DENIED; - passwd_free(&pwd); return NT_STATUS_OK; } @@ -3433,11 +3417,6 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DEL_ALIASMEM *r_u) { DOM_SID alias_sid; - fstring alias_sid_str; - struct group *grp; - fstring grp_name; - GROUP_MAP map; - SAM_ACCOUNT *sam_pass=NULL; uint32 acc_granted; /* Find the policy handle. Open a policy on it. */ @@ -3448,47 +3427,12 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE return r_u->status; } - sid_to_string(alias_sid_str, &alias_sid); - DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", alias_sid_str)); - - if (!sid_check_is_in_our_domain(&alias_sid) && - !sid_check_is_in_builtin(&alias_sid)) { - DEBUG(10, ("_samr_del_aliasmem:invalid alias group\n")); - return NT_STATUS_NO_SUCH_ALIAS; - } - - if( !get_local_group_from_sid(&alias_sid, &map)) - return NT_STATUS_NO_SUCH_ALIAS; - - if ((grp=getgrgid(map.gid)) == NULL) - return NT_STATUS_NO_SUCH_ALIAS; - - /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */ - fstrcpy(grp_name, grp->gr_name); - - /* check if the user exists before trying to remove it from the group */ - pdb_init_sam(&sam_pass); - if(!pdb_getsampwsid(sam_pass, &q_u->sid.sid)) { - DEBUG(5,("_samr_del_aliasmem:User %s doesn't exist.\n", pdb_get_username(sam_pass))); - pdb_free_sam(&sam_pass); - return NT_STATUS_NO_SUCH_USER; - } - - /* if the user is not in the group */ - if(!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { - pdb_free_sam(&sam_pass); - return NT_STATUS_MEMBER_NOT_IN_ALIAS; - } - - smb_delete_user_group(grp_name, pdb_get_username(sam_pass)); - - /* check if the user has been removed then ... */ - if(user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { - pdb_free_sam(&sam_pass); - return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */ - } + DEBUG(10, ("_samr_del_aliasmem:sid is %s\n", + sid_string_static(&alias_sid))); - pdb_free_sam(&sam_pass); + if (!pdb_del_aliasmem(&alias_sid, &q_u->sid.sid)) + return NT_STATUS_ACCESS_DENIED; + return NT_STATUS_OK; } @@ -3815,12 +3759,6 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, SAMR_R_DELETE_DOM_ALIAS *r_u) { DOM_SID alias_sid; - DOM_SID dom_sid; - uint32 alias_rid; - fstring alias_sid_str; - gid_t gid; - struct group *grp; - GROUP_MAP map; uint32 acc_granted; DEBUG(5, ("_samr_delete_dom_alias: %d\n", __LINE__)); @@ -3832,38 +3770,18 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) { return r_u->status; } - - sid_copy(&dom_sid, &alias_sid); - sid_to_string(alias_sid_str, &dom_sid); - sid_split_rid(&dom_sid, &alias_rid); - DEBUG(10, ("sid is %s\n", alias_sid_str)); + DEBUG(10, ("sid is %s\n", sid_string_static(&alias_sid))); - /* we check if it's our SID before deleting */ - if (!sid_equal(&dom_sid, get_global_sam_sid())) + if (!sid_check_is_in_our_domain(&alias_sid)) return NT_STATUS_NO_SUCH_ALIAS; - + DEBUG(10, ("lookup on Local SID\n")); - if(!get_local_group_from_sid(&alias_sid, &map)) - return NT_STATUS_NO_SUCH_ALIAS; - - gid=map.gid; - - /* check if group really exists */ - if ( (grp=getgrgid(gid)) == NULL) - return NT_STATUS_NO_SUCH_ALIAS; - - /* we can delete the UNIX group */ - smb_delete_group(grp->gr_name); - - /* check if the group has been successfully deleted */ - if ( (grp=getgrgid(gid)) != NULL) + /* Have passdb delete the alias */ + if (!pdb_delete_alias(&alias_sid)) return NT_STATUS_ACCESS_DENIED; - /* don't check if we removed it as it could be an un-mapped group */ - pdb_delete_group_mapping_entry(alias_sid); - if (!close_policy_hnd(p, &q_u->alias_pol)) return NT_STATUS_OBJECT_NAME_INVALID; @@ -3941,7 +3859,6 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S DOM_SID dom_sid; DOM_SID info_sid; fstring name; - fstring sid_string; struct group *grp; struct samr_info *info; uint32 acc_granted; @@ -3962,26 +3879,18 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S unistr2_to_ascii(name, &q_u->uni_acct_desc, sizeof(name)-1); - /* check if group already exists */ - if ( (grp=getgrnam(name)) != NULL) - return NT_STATUS_ALIAS_EXISTS; - - /* we can create the UNIX group */ - if (smb_create_group(name, &gid) != 0) - return NT_STATUS_ACCESS_DENIED; - - /* check if the group has been successfully created */ - if ((grp=getgrgid(gid)) == NULL) + /* Have passdb create the alias */ + if (!pdb_create_alias(name, &r_u->rid)) return NT_STATUS_ACCESS_DENIED; - r_u->rid=pdb_gid_to_group_rid(grp->gr_gid); - sid_copy(&info_sid, get_global_sam_sid()); sid_append_rid(&info_sid, r_u->rid); - sid_to_string(sid_string, &info_sid); - /* add the group to the mapping table */ - if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL)) + if (!NT_STATUS_IS_OK(sid_to_gid(&info_sid, &gid))) + return NT_STATUS_ACCESS_DENIED; + + /* check if the group has been successfully created */ + if ((grp=getgrgid(gid)) == NULL) return NT_STATUS_ACCESS_DENIED; if ((info = get_samr_info_by_sid(&info_sid)) == NULL) @@ -4006,7 +3915,8 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM DOM_SID group_sid; GROUP_MAP map; DOM_SID *sids=NULL; - int num_sids=0; + uid_t *uids; + int num=0; GROUP_INFO_CTR *ctr; uint32 acc_granted; BOOL ret; @@ -4031,9 +3941,10 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM switch (q_u->switch_level) { case 1: ctr->switch_value1 = 1; - if(!get_sid_list_of_group(map.gid, &sids, &num_sids)) + if(!get_memberuids(map.gid, &uids, &num)) return NT_STATUS_NO_SUCH_GROUP; - init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num_sids); + SAFE_FREE(uids); + init_samr_group_info1(&ctr->group.info1, map.nt_name, map.comment, num); SAFE_FREE(sids); break; case 3: @@ -4105,7 +4016,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_SET_ALIASINFO *r_u) { DOM_SID group_sid; - GROUP_MAP map; + struct acct_info info; ALIAS_INFO_CTR *ctr; uint32 acc_granted; @@ -4116,22 +4027,20 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return r_u->status; } - if (!get_local_group_from_sid(&group_sid, &map) && - !get_builtin_group_from_sid(&group_sid, &map)) - return NT_STATUS_NO_SUCH_GROUP; - ctr=&q_u->ctr; switch (ctr->switch_value1) { case 3: - unistr2_to_ascii(map.comment, &(ctr->alias.info3.uni_acct_desc), sizeof(map.comment)-1); + unistr2_to_ascii(info.acct_desc, + &(ctr->alias.info3.uni_acct_desc), + sizeof(info.acct_desc)-1); break; default: return NT_STATUS_INVALID_INFO_CLASS; } - if(!pdb_update_group_mapping_entry(&map)) { - return NT_STATUS_NO_SUCH_GROUP; + if(!pdb_set_aliasinfo(&group_sid, &info)) { + return NT_STATUS_ACCESS_DENIED; } return NT_STATUS_OK; |