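/*
 * idmap_rid: static map between Active Directory/NT RIDs and RFC 2307 accounts
 * Copyright (C) Guenther Deschner, 2004
 * Copyright (C) Sumit Bose, 2004
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 *
 */

#include "includes.h"

#undef DBGC_CLASS
#define DBGC_CLASS DBGC_IDMAP

NTSTATUS init_module(void);

/* One configured domain and the contiguous uid/gid range reserved for it. */
struct dom_entry {
	fstring name;		/* domain name exactly as written in the config */
	fstring sid;		/* string form of the matching domain SID */
	uint32 min_id;		/* first id of the range */
	uint32 max_id;		/* last id of the range (inclusive) */
};

typedef struct trust_dom_array {
	int number;			/* number of valid entries in dom[] */
	struct dom_entry *dom;		/* heap array grown with SMB_REALLOC_ARRAY */
} trust_dom_array;

/*
 * Module-wide mapping table filled by rid_idmap_parse().  Being static it
 * starts zeroed, so 'dom' is a NULL pointer until the first allocation.
 */
static trust_dom_array trust;

/*
 * Parse one decimal id bound taken from a "min-max" range.
 *
 * Surrounding blanks are tolerated (atoi() accepted them as well), but an
 * empty string, a sign, trailing garbage or a value that does not fit in
 * a uint32 is rejected.  Previously atoi() turned any of these silently
 * into 0, i.e. a range that starts at uid/gid 0.
 *
 * Returns True and stores the value in *out on success, False otherwise.
 */
static BOOL rid_idmap_parse_id(const char *s, uint32 *out)
{
	char *end = NULL;
	unsigned long v;

	if (s == NULL) {
		return False;
	}

	while (*s == ' ' || *s == '\t') {
		s++;
	}

	/* strtoul() would accept a leading '-' and wrap; insist on a digit */
	if (*s < '0' || *s > '9') {
		return False;
	}

	errno = 0;
	v = strtoul(s, &end, 10);
	if (errno != 0 || end == s) {
		return False;
	}

	while (*end == ' ' || *end == '\t') {
		end++;
	}

	if (*end != '\0' || v > 0xffffffffUL) {
		return False;
	}

	*out = (uint32)v;
	return True;
}

/* True when the two (inclusive) id ranges share at least one id. */
static BOOL rid_idmap_ranges_overlap(const struct dom_entry *a,
				     const struct dom_entry *b)
{
	return (a->min_id <= b->max_id) && (b->min_id <= a->max_id);
}

/*
 * Fill the global 'trust' table from the backend parameter string.
 *
 * init_param	list of "DOMAIN=min-max" entries separated by LIST_SEP;
 *		NULL or empty means "map only our own domain onto the
 *		configured uid range [u_low,u_high]"
 * num_domains	number of entries in domain_names / domain_sids
 * domain_names	domain names known to the DC; entry 0 is used as the own
 *		domain in the fallback case
 * domain_sids	SIDs matching domain_names
 * u_low/u_high	configured idmap uid range, only used for the fallback entry
 *
 * Returns NT_STATUS_OK on success, NT_STATUS_NO_MEMORY when the table
 * cannot be grown, NT_STATUS_UNSUCCESSFUL when an entry has no '=' and
 * NT_STATUS_INVALID_PARAMETER for an unknown domain or a malformed,
 * inverted or overlapping id range.  On failure 'trust' may be partially
 * filled; callers are expected to treat any failure as fatal.
 */
static NTSTATUS rid_idmap_parse(const char *init_param,
				uint32 num_domains,
				fstring *domain_names,
				DOM_SID *domain_sids,
				uid_t u_low,
				uid_t u_high)
{
	const char *p;
	uint32 i;
	int j;
	fstring sid_str;
	BOOL known_domain;
	fstring tok;
	struct dom_entry *cur;

	trust.number = 0;

	/* falling back to automatic mapping when there were no options given */
	if (init_param == NULL || !*init_param) {

		DEBUG(3,("rid_idmap_parse: no domain list given or trusted domain-support deactivated, falling back to automatic mapping for own domain:\n"));

		if (num_domains < 1 || domain_names == NULL || domain_sids == NULL) {
			DEBUG(0,("rid_idmap_parse: no own domain available for automatic mapping\n"));
			return NT_STATUS_INVALID_PARAMETER;
		}

		/*
		 * 'trust.dom' is NULL until something allocates it; the
		 * fallback path used to write trust.dom[0] without doing so.
		 */
		trust.dom = SMB_REALLOC_ARRAY(trust.dom, struct dom_entry, 1);
		if (trust.dom == NULL) {
			return NT_STATUS_NO_MEMORY;
		}

		sid_to_string(sid_str, &domain_sids[0]);

		fstrcpy(trust.dom[0].name, domain_names[0]);
		fstrcpy(trust.dom[0].sid, sid_str);
		trust.dom[0].min_id = u_low;
		trust.dom[0].max_id = u_high;
		trust.number = 1;

		DEBUGADD(3,("rid_idmap_parse:\tdomain: [%s], sid: [%s], range=[%d-%d]\n",
			trust.dom[0].name, trust.dom[0].sid,
			trust.dom[0].min_id, trust.dom[0].max_id));

		return NT_STATUS_OK;
	}

	/* scan through the init_param-list */
	while (next_token(&init_param, tok, LIST_SEP, sizeof(tok))) {

		p = tok;

		DEBUG(3,("rid_idmap_parse: parsing entry: %d\n", trust.number));

		/* grow the table by one entry for this list element */
		trust.dom = SMB_REALLOC_ARRAY(trust.dom, struct dom_entry, trust.number+1);
		if (trust.dom == NULL) {
			return NT_STATUS_NO_MEMORY;
		}
		cur = &trust.dom[trust.number];

		/* "DOMAIN=min-max": first split at '=' (in place, as before) */
		if (!next_token(&p, tok, "=", sizeof(tok))) {
			DEBUG(0, ("rid_idmap_parse: no '=' sign found in domain list [%s]\n", init_param));
			return NT_STATUS_UNSUCCESSFUL;
		}

		/* add the name */
		fstrcpy(cur->name, tok);
		DEBUGADD(3,("rid_idmap_parse:\tentry %d has name: [%s]\n",
			trust.number, cur->name));

		/* add the domain-sid: the name must be one the DC reported */
		known_domain = False;
		for (i = 0; i < num_domains; i++) {
			if (strequal(domain_names[i], cur->name)) {
				sid_to_string(sid_str, &domain_sids[i]);
				fstrcpy(cur->sid, sid_str);
				DEBUGADD(3,("rid_idmap_parse:\tentry %d has sid: [%s]\n",
					trust.number, cur->sid));
				known_domain = True;
				break;
			}
		}

		if (!known_domain) {
			DEBUG(0,("rid_idmap_parse: your DC does not know anything about domain: [%s]\n",
				cur->name));
			return NT_STATUS_INVALID_PARAMETER;
		}

		/* split the range at '-'; tok gets min, p is left on max */
		if (!next_token(&p, tok, "-", sizeof(tok))) {
			DEBUG(0,("rid_idmap_parse: no mapping-range defined\n"));
			return NT_STATUS_INVALID_PARAMETER;
		}

		/* add min_id */
		if (!rid_idmap_parse_id(tok, &cur->min_id)) {
			DEBUG(0,("rid_idmap_parse: invalid min_id [%s] for domain [%s]\n",
				tok, cur->name));
			return NT_STATUS_INVALID_PARAMETER;
		}
		DEBUGADD(3,("rid_idmap_parse:\tentry %d has min_id: [%d]\n",
			trust.number, cur->min_id));

		/* add max_id (a missing "-max" part is an error, not 0) */
		if (!rid_idmap_parse_id(p, &cur->max_id)) {
			DEBUG(0,("rid_idmap_parse: invalid max_id [%s] for domain [%s]\n",
				p, cur->name));
			return NT_STATUS_INVALID_PARAMETER;
		}
		DEBUGADD(3,("rid_idmap_parse:\tentry %d has max_id: [%d]\n",
			trust.number, cur->max_id));

		if (cur->min_id > cur->max_id) {
			DEBUG(0,("rid_idmap_parse: inverted range [%u-%u] for domain [%s]\n",
				(unsigned int)cur->min_id, (unsigned int)cur->max_id,
				cur->name));
			return NT_STATUS_INVALID_PARAMETER;
		}

		/*
		 * Overlapping ranges would make an id map back to two
		 * different domain SIDs, so refuse the configuration.
		 */
		for (j = 0; j < trust.number; j++) {
			if (rid_idmap_ranges_overlap(cur, &trust.dom[j])) {
				DEBUG(0,("rid_idmap_parse: range [%u-%u] of domain [%s] overlaps range [%u-%u] of domain [%s]\n",
					(unsigned int)cur->min_id, (unsigned int)cur->max_id,
					cur->name,
					(unsigned int)trust.dom[j].min_id,
					(unsigned int)trust.dom[j].max_id,
					trust.dom[j].name));
				return NT_STATUS_INVALID_PARAMETER;
			}
		}

		trust.number++;
	}

	return NT_STATUS_OK;
}

static NTSTATUS rid_idmap_get_domains(uint32 *num_domains, fstring **domain_names, DOM_SID **domain_sids)
{
	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
	struct cli_state *cli;
	struct rpc_pipe_client *pipe_hnd;
	TALLOC_CTX *mem_ctx;
	POLICY_HND pol;
	uint32 des_access =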
SEC_RIGHTS_MAXIMUM_ALLOWED; fstring dc_name; struct in_addr dc_ip; const char *password = NULL; const char *username = NULL; const char *domain = NULL; uint32 info_class = 5; char *domain_name = NULL; DOM_SID *domain_sid, sid; fstring sid_str; int i; uint32 trusted_num_domains = 0; char **trusted_domain_names; DOM_SID *trusted_domain_sids; uint32 enum_ctx = 0; int own_domains = 2; /* put the results together */ *num_domains = 2; *domain_names = SMB_MALLOC_ARRAY(fstring, *num_domains); *domain_sids = SMB_MALLOC_ARRAY(DOM_SID, *num_domains); /* avoid calling a DC when trusted domains are not allowed anyway */ if (!lp_allow_trusted_domains()) { fstrcpy((*domain_names)[0], lp_workgroup()); if (!secrets_fetch_domain_sid(lp_workgroup(), &sid)) { DEBUG(0,("rid_idmap_get_domains: failed to retrieve domain sid\n")); return status; } sid_copy(&(*domain_sids)[0], &sid); /* add BUILTIN */ fstrcpy((*domain_names)[1], "BUILTIN"); sid_copy(&(*domain_sids)[1], &global_sid_Builtin); return NT_STATUS_OK; } /* create mem_ctx */ if (!(mem_ctx = talloc_init("rid_idmap_get_trusted_domains"))) { DEBUG(0, ("rid_idmap_get_domains: talloc_init() failed\n")); return NT_STATUS_NO_MEMORY; } if (!get_dc_name(lp_workgroup(), 0, dc_name, &dc_ip)) { DEBUG(1, ("rid_idmap_get_domains: could not get dc-name\n")); return NT_STATUS_UNSUCCESSFUL; } /* open a connection to the dc */ username = secrets_fetch(SECRETS_AUTH_USER, NULL); password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL); domain = secrets_fetch(SECRETS_AUTH_DOMAIN, NULL); if (username) { if (!domain) domain = smb_xstrdup(lp_workgroup()); if (!password) password = smb_xstrdup(""); DEBUG(3, ("rid_idmap_get_domains: IPC$ connections done by user %s\\%s\n", domain, username)); } else { DEBUG(3, ("rid_idmap_get_domains: IPC$ connections done anonymously\n")); username = ""; domain = ""; password = ""; } DEBUG(10, ("rid_idmap_get_domains: opening connection to [%s]\n", dc_name)); status = cli_full_connection(&cli, global_myname(), dc_name, NULL, 
0, "IPC$", "IPC", username, lp_workgroup(), password, CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, True, NULL); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("rid_idmap_get_domains: could not setup connection to dc\n")); return status; } /* query the lsa-pipe */ pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &status); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("rid_idmap_get_domains: could not setup connection to dc\n")); goto out; } /* query policies */ status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, False, des_access, &pol); if (!NT_STATUS_IS_OK(status)) { goto out; } status = rpccli_lsa_query_info_policy(pipe_hnd, mem_ctx, &pol, info_class, &domain_name, &domain_sid); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("rid_idmap_get_domains: cannot retrieve domain-info\n")); goto out; } sid_to_string(sid_str, domain_sid); DEBUG(10,("rid_idmap_get_domains: my domain: [%s], sid: [%s]\n", domain_name, sid_str)); /* scan trusted domains */ DEBUG(10, ("rid_idmap_get_domains: enumerating trusted domains\n")); status = rpccli_lsa_enum_trust_dom(pipe_hnd, mem_ctx, &pol, &enum_ctx, &trusted_num_domains, &trusted_domain_names, &trusted_domain_sids); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES) && !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { DEBUG(1, ("rid_idmap_get_domains: could not enumerate trusted domains\n")); goto out; } /* show trusted domains */ DEBUG(10,("rid_idmap_get_domains: scan for trusted domains gave %d results:\n", trusted_num_domains)); for (i=0; i<trusted_num_domains; i++) { sid_to_string(sid_str, &trusted_domain_sids[i]); DEBUGADD(10,("rid_idmap_get_domains:\t#%d\tDOMAIN: [%s], SID: [%s]\n", i, trusted_domain_names[i], sid_str)); }