summaryrefslogtreecommitdiff
path: root/source3/modules
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2012-05-07 08:48:24 +1000
committerJeremy Allison <jra@samba.org>2012-08-11 01:17:36 +0200
commitf36e28d1316bc0bd210933bbdb77241376fe3500 (patch)
tree81f56011436d8e615e4c4929828f8d14250cd1a0 /source3/modules
parentc991ac0ebf13bf7832b33dffca388f6f14755fbb (diff)
downloadsamba-f36e28d1316bc0bd210933bbdb77241376fe3500.tar.gz
samba-f36e28d1316bc0bd210933bbdb77241376fe3500.tar.bz2
samba-f36e28d1316bc0bd210933bbdb77241376fe3500.zip
s3-nfs4acls: Remove lookup_sid and sidmap from NFSv4 ACL mapping and check gid first
By checking just the IDMAP, and by removing the sidmap and lookup_sid calls, we support IDMAP_BOTH. This is because by checking for a mapping to a GID first, we can rely on the fact that IDMAP_BOTH will resolve to a GID. If the sidmap idea is valued - it allows multiple SIDs to map to a single unix ID, this should be done in the IDMAP layer. Andrew Bartlett Signed-off-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Aug 11 01:17:36 CEST 2012 on sn-devel-104
Diffstat (limited to 'source3/modules')
-rw-r--r--source3/modules/nfs4_acls.c128
1 files changed, 13 insertions, 115 deletions
diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index bcc7937abe..ac56bfb7e1 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -461,7 +461,6 @@ typedef struct _smbacl4_vfs_params {
enum smbacl4_mode_enum mode;
bool do_chown;
enum smbacl4_acedup_enum acedup;
- struct db_context *sid_mapping_table;
} smbacl4_vfs_params;
/*
@@ -572,64 +571,6 @@ static SMB_ACE4PROP_T *smbacl4_find_equal_special(
return NULL;
}
-static bool nfs4_map_sid(smbacl4_vfs_params *params, const struct dom_sid *src,
- struct dom_sid *dst)
-{
- static struct db_context *mapping_db = NULL;
- TDB_DATA data;
- NTSTATUS status;
-
- if (mapping_db == NULL) {
- const char *dbname = lp_parm_const_string(
- -1, SMBACL4_PARAM_TYPE_NAME, "sidmap", NULL);
-
- if (dbname == NULL) {
- DEBUG(10, ("%s:sidmap not defined\n",
- SMBACL4_PARAM_TYPE_NAME));
- return False;
- }
-
- become_root();
- mapping_db = db_open(NULL, dbname, 0, TDB_DEFAULT,
- O_RDONLY, 0600,
- DBWRAP_LOCK_ORDER_1);
- unbecome_root();
-
- if (mapping_db == NULL) {
- DEBUG(1, ("could not open sidmap: %s\n",
- strerror(errno)));
- return False;
- }
- }
-
- status = dbwrap_fetch(mapping_db, NULL,
- string_term_tdb_data(sid_string_tos(src)),
- &data);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("could not find mapping for SID %s\n",
- sid_string_dbg(src)));
- return False;
- }
-
- if ((data.dptr == NULL) || (data.dsize <= 0)
- || (data.dptr[data.dsize-1] != '\0')) {
- DEBUG(5, ("invalid mapping for SID %s\n",
- sid_string_dbg(src)));
- TALLOC_FREE(data.dptr);
- return False;
- }
-
- if (!string_to_sid(dst, (char *)data.dptr)) {
- DEBUG(1, ("invalid mapping %s for SID %s\n",
- (char *)data.dptr, sid_string_dbg(src)));
- TALLOC_FREE(data.dptr);
- return False;
- }
-
- TALLOC_FREE(data.dptr);
-
- return True;
-}
static bool smbacl4_fill_ace4(
TALLOC_CTX *mem_ctx,
@@ -667,65 +608,10 @@ static bool smbacl4_fill_ace4(
ace_v4->who.special_id = SMB_ACE4_WHO_EVERYONE;
ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
} else {
- const char *dom, *name;
- enum lsa_SidType type;
uid_t uid;
gid_t gid;
- struct dom_sid sid;
-
- sid_copy(&sid, &ace_nt->trustee);
-
- if (!lookup_sid(mem_ctx, &sid, &dom, &name, &type)) {
-
- struct dom_sid mapped;
-
- if (!nfs4_map_sid(params, &sid, &mapped)) {
- DEBUG(1, ("nfs4_acls.c: file [%s]: SID %s "
- "unknown\n", filename,
- sid_string_dbg(&sid)));
- errno = EINVAL;
- return False;
- }
-
- DEBUG(2, ("nfs4_acls.c: file [%s]: mapped SID %s "
- "to %s\n", filename, sid_string_dbg(&sid),
- sid_string_dbg(&mapped)));
-
- if (!lookup_sid(mem_ctx, &mapped, &dom,
- &name, &type)) {
- DEBUG(1, ("nfs4_acls.c: file [%s]: SID %s "
- "mapped from %s is unknown\n",
- filename, sid_string_dbg(&mapped),
- sid_string_dbg(&sid)));
- errno = EINVAL;
- return False;
- }
-
- sid_copy(&sid, &mapped);
- }
-
- if (type == SID_NAME_USER) {
- if (!sid_to_uid(&sid, &uid)) {
- DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
- "convert %s to uid\n", filename,
- sid_string_dbg(&sid)));
- return False;
- }
-
- if (params->mode==e_special && uid==ownerUID) {
- ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
- ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
- } else {
- ace_v4->who.uid = uid;
- }
- } else { /* else group? - TODO check it... */
- if (!sid_to_gid(&sid, &gid)) {
- DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
- "convert %s to gid\n", filename,
- sid_string_dbg(&sid)));
- return False;
- }
+ if (sid_to_gid(&ace_nt->trustee, &gid)) {
ace_v4->aceFlags |= SMB_ACE4_IDENTIFIER_GROUP;
if (params->mode==e_special && gid==ownerGID) {
@@ -734,6 +620,18 @@ static bool smbacl4_fill_ace4(
} else {
ace_v4->who.gid = gid;
}
+ } else if (sid_to_uid(&ace_nt->trustee, &uid)) {
+ if (params->mode==e_special && uid==ownerUID) {
+ ace_v4->flags |= SMB_ACE4_ID_SPECIAL;
+ ace_v4->who.special_id = SMB_ACE4_WHO_OWNER;
+ } else {
+ ace_v4->who.uid = uid;
+ }
+ } else {
+ DEBUG(1, ("nfs4_acls.c: file [%s]: could not "
+ "convert %s to uid or gid\n", filename,
+ sid_string_dbg(&ace_nt->trustee)));
+ return False;
}
}