summaryrefslogtreecommitdiff
path: root/source3/nsswitch
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2007-01-24 01:48:08 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:17:23 -0500
commitb9b26be1744b792a54f0a77af140237b4dc5a870 (patch)
tree96501a60f415248f226902f790420dec7758a540 /source3/nsswitch
parent78f5f4b260d877ce615dbbdc2bccbb0cd251f08a (diff)
downloadsamba-b9b26be1744b792a54f0a77af140237b4dc5a870.tar.gz
samba-b9b26be1744b792a54f0a77af140237b4dc5a870.tar.bz2
samba-b9b26be1744b792a54f0a77af140237b4dc5a870.zip
r20986: Commit the prototype of the nss_info plugin interface.
This allows a provider to supply the homedirectory, etc... attributes for a user without requiring support in core winbindd code. The idmap_ad.c module has been modified to provide the idmap 'ad' library as well as the rfc2307 and sfu "winbind nss info" support. The SID/id mapping is working in idmap_ad but the nss_info still has a few quirks that I'm in the process of resolving. (This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
Diffstat (limited to 'source3/nsswitch')
-rw-r--r--source3/nsswitch/idmap_ad.c604
-rw-r--r--source3/nsswitch/nss_info.c340
-rw-r--r--source3/nsswitch/nss_info_template.c84
-rw-r--r--source3/nsswitch/winbindd.c2
-rw-r--r--source3/nsswitch/winbindd.h2
-rw-r--r--source3/nsswitch/winbindd_ads.c74
-rw-r--r--source3/nsswitch/winbindd_async.c10
-rw-r--r--source3/nsswitch/winbindd_cache.c4
-rw-r--r--source3/nsswitch/winbindd_nss.h1
-rw-r--r--source3/nsswitch/winbindd_user.c22
10 files changed, 754 insertions, 389 deletions
diff --git a/source3/nsswitch/idmap_ad.c b/source3/nsswitch/idmap_ad.c
index 252e2159aa..208ccc2d4d 100644
--- a/source3/nsswitch/idmap_ad.c
+++ b/source3/nsswitch/idmap_ad.c
@@ -7,7 +7,7 @@
*
* Copyright (C) Andrew Tridgell 2001
* Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
- * Copyright (C) Gerald (Jerry) Carter 2004
+ * Copyright (C) Gerald (Jerry) Carter 2004-2007
* Copyright (C) Luke Howard 2001-2004
*
* This program is free software; you can redistribute it and/or modify
@@ -32,56 +32,36 @@
#define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
-NTSTATUS init_module(void);
-
-static ADS_STRUCT *ad_idmap_ads = NULL;
-
-static char *attr_uidnumber = NULL;
-static char *attr_gidnumber = NULL;
-
-static ADS_STATUS ad_idmap_check_attr_mapping(ADS_STRUCT *ads)
-{
- ADS_STATUS status;
- enum wb_posix_mapping map_type;
-
- if (attr_uidnumber != NULL && attr_gidnumber != NULL) {
- return ADS_ERROR(LDAP_SUCCESS);
- }
-
- SMB_ASSERT(ads->server.workgroup);
+#define IDMAP_AD_MAX_IDS 30
+#define CHECK_ALLOC_DONE(mem) do { \
+ if (!mem) { \
+ DEBUG(0, ("Out of memory!\n")); \
+ ret = NT_STATUS_NO_MEMORY; \
+ goto done; \
+ } \
+} while (0)
- map_type = get_nss_info(ads->server.workgroup);
+struct idmap_ad_context {
+ uint32_t filter_low_id;
+ uint32_t filter_high_id;
+};
- if ((map_type == WB_POSIX_MAP_SFU) ||
- (map_type == WB_POSIX_MAP_RFC2307)) {
+NTSTATUS init_module(void);
- status = ads_check_posix_schema_mapping(ads, map_type);
- if (ADS_ERR_OK(status)) {
- attr_uidnumber = SMB_STRDUP(ads->schema.posix_uidnumber_attr);
- attr_gidnumber = SMB_STRDUP(ads->schema.posix_gidnumber_attr);
- ADS_ERROR_HAVE_NO_MEMORY(attr_uidnumber);
- ADS_ERROR_HAVE_NO_MEMORY(attr_gidnumber);
- return ADS_ERROR(LDAP_SUCCESS);
- } else {
- DEBUG(0,("ads_check_posix_schema_mapping failed: %s\n", ads_errstr(status)));
- /* return status; */
- }
- }
-
- /* fallback to XAD defaults */
- attr_uidnumber = SMB_STRDUP("uidNumber");
- attr_gidnumber = SMB_STRDUP("gidNumber");
- ADS_ERROR_HAVE_NO_MEMORY(attr_uidnumber);
- ADS_ERROR_HAVE_NO_MEMORY(attr_gidnumber);
+static ADS_STRUCT *ad_idmap_ads = NULL;
+static struct posix_schema *ad_schema = NULL;
+static enum wb_posix_mapping ad_map_type = WB_POSIX_MAP_UNKNOWN;
- return ADS_ERROR(LDAP_SUCCESS);
-}
+/************************************************************************
+ ***********************************************************************/
-static ADS_STRUCT *ad_idmap_cached_connection(void)
+static ADS_STRUCT *ad_idmap_cached_connection_internal(void)
{
ADS_STRUCT *ads;
ADS_STATUS status;
BOOL local = False;
+ fstring dc_name;
+ struct in_addr dc_ip;
if (ad_idmap_ads != NULL) {
ads = ad_idmap_ads;
@@ -98,6 +78,7 @@ static ADS_STRUCT *ad_idmap_cached_connection(void)
ads_destroy( &ads );
ads_kdestroy(WINBIND_CCACHE_NAME);
ad_idmap_ads = NULL;
+ TALLOC_FREE( ad_schema );
}
}
@@ -106,8 +87,7 @@ static ADS_STRUCT *ad_idmap_cached_connection(void)
setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
}
- ads = ads_init(lp_realm(), lp_workgroup(), NULL);
- if (!ads) {
+ if ( (ads = ads_init(lp_realm(), lp_workgroup(), NULL)) == NULL ) {
DEBUG(1,("ads_init failed\n"));
return NULL;
}
@@ -119,6 +99,10 @@ static ADS_STRUCT *ad_idmap_cached_connection(void)
SAFE_FREE(ads->auth.realm);
ads->auth.realm = SMB_STRDUP(lp_realm());
+ /* setup server affinity */
+
+ get_dc_name( NULL, ads->auth.realm, dc_name, &dc_ip );
+
status = ads_connect(ads);
if (!ADS_ERR_OK(status)) {
DEBUG(1, ("ad_idmap_init: failed to connect to AD\n"));
@@ -128,21 +112,47 @@ static ADS_STRUCT *ad_idmap_cached_connection(void)
ads->is_mine = False;
- status = ad_idmap_check_attr_mapping(ads);
- if (!ADS_ERR_OK(status)) {
- DEBUG(1, ("ad_idmap_init: failed to check attribute mapping\n"));
+ ad_idmap_ads = ads;
+
+ return ads;
+}
+
+/************************************************************************
+ ***********************************************************************/
+
+static ADS_STRUCT *ad_idmap_cached_connection(void)
+{
+ ADS_STRUCT *ads = ad_idmap_cached_connection_internal();
+
+ if ( !ads )
return NULL;
- }
- ad_idmap_ads = ads;
+ /* if we have a valid ADS_STRUCT and the schema model is
+ defined, then we can return here. */
+
+ if ( ad_schema )
+ return ads;
+
+ /* Otherwise, set the schema model */
+
+ if ( (ad_map_type == WB_POSIX_MAP_SFU) ||
+ (ad_map_type == WB_POSIX_MAP_RFC2307) )
+ {
+ ADS_STATUS schema_status;
+
+ schema_status = ads_check_posix_schema_mapping( NULL, ads, ad_map_type, &ad_schema);
+ if ( !ADS_ERR_OK(schema_status) ) {
+ DEBUG(2,("ad_idmap_cached_connection: Failed to obtain schema details!\n"));
+ return NULL;
+ }
+ }
+
return ads;
}
-struct idmap_ad_context {
- uint32_t filter_low_id, filter_high_id; /* Filter range */
-};
+/************************************************************************
+ ***********************************************************************/
-/* Initialize and check conf is appropriate */
static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom, const char *params)
{
struct idmap_ad_context *ctx;
@@ -151,19 +161,16 @@ static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom, const char *params
ADS_STRUCT *ads;
/* verify AD is reachable (not critical, we may just be offline at start) */
- ads = ad_idmap_cached_connection();
- if (ads == NULL) {
+ if ( (ads = ad_idmap_cached_connection()) == NULL ) {
DEBUG(1, ("WARNING: Could not init an AD connection! Mapping might not work.\n"));
}
- ctx = talloc_zero(dom, struct idmap_ad_context);
- if ( ! ctx) {
+ if ( (ctx = talloc_zero(dom, struct idmap_ad_context)) == NULL ) {
DEBUG(0, ("Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
- config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
- if ( ! config_option) {
+ if ( (config_option = talloc_asprintf(ctx, "idmap config %s", dom->name)) == NULL ) {
DEBUG(0, ("Out of memory!\n"));
talloc_free(ctx);
return NT_STATUS_NO_MEMORY;
@@ -194,29 +201,28 @@ static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom, const char *params
"NOTE: make sure the ranges do not overlap\n",
dom->name, dom->name, dom->name, dom->name));
}
- if ( ! dom->readonly) {
+
+ if ( !dom->readonly ) {
DEBUG(1, ("WARNING: forcing to readonly, as idmap_ad can't write on AD.\n"));
- dom->readonly = true; /* force readonly */
+ dom->readonly = true;
}
dom->private_data = ctx;
talloc_free(config_option);
+
return NT_STATUS_OK;
}
-#define IDMAP_AD_MAX_IDS 30
-#define CHECK_ALLOC_DONE(mem) do { if (!mem) { DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; goto done; } } while (0)
+/************************************************************************
+ Search up to IDMAP_AD_MAX_IDS entries in maps for a match.
+ ***********************************************************************/
-/* this function searches up to IDMAP_AD_MAX_IDS entries in maps for a match */
static struct id_map *find_map_by_id(struct id_map **maps, enum id_type type, uint32_t id)
{
int i;
- for (i = 0; i < IDMAP_AD_MAX_IDS; i++) {
- if (maps[i] == NULL) { /* end of the run */
- return NULL;
- }
+ for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) {
if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
return maps[i];
}
@@ -225,6 +231,26 @@ static struct id_map *find_map_by_id(struct id_map **maps, enum id_type type, ui
return NULL;
}
+/************************************************************************
+ Search up to IDMAP_AD_MAX_IDS entries in maps for a match
+ ***********************************************************************/
+
+static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
+{
+ int i;
+
+ for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) {
+ if (sid_equal(maps[i]->sid, sid)) {
+ return maps[i];
+ }
+ }
+
+ return NULL;
+}
+
+/************************************************************************
+ ***********************************************************************/
+
static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
{
NTSTATUS ret;
@@ -234,132 +260,89 @@ static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom, struct id_map
ADS_STRUCT *ads;
const char *attrs[] = { "sAMAccountType",
"objectSid",
- NULL, /* attr_uidnumber */
- NULL, /* attr_gidnumber */
+ NULL, /* uidnumber */
+ NULL, /* gidnumber */
NULL };
LDAPMessage *res = NULL;
char *filter = NULL;
- BOOL multi = False;
int idx = 0;
int bidx = 0;
int count;
int i;
+ char *u_filter = NULL;
+ char *g_filter = NULL;
- ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
+ ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
- memctx = talloc_new(ctx);
- if ( ! memctx) {
+ if ( (memctx = talloc_new(ctx)) == NULL ) {
DEBUG(0, ("Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
- ads = ad_idmap_cached_connection();
- if (ads == NULL) {
+ if ( (ads = ad_idmap_cached_connection()) == NULL ) {
DEBUG(1, ("ADS uninitialized\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
- /* attr_uidnumber and attr_gidnumber are surely successfully initialized now */
- attrs[2] = attr_uidnumber;
- attrs[3] = attr_gidnumber;
-
- if ( ! ids[1]) {
- /* if we are requested just one mapping use the simple filter */
- switch (ids[0]->xid.type) {
- case ID_TYPE_UID:
+ attrs[2] = ad_schema->posix_uidnumber_attr;
+ attrs[3] = ad_schema->posix_gidnumber_attr;
- filter = talloc_asprintf(memctx,
- "(&(|(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d))(%s=%lu))",
- ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
- attr_uidnumber,
- (unsigned long)ids[0]->xid.id);
+again:
+ bidx = idx;
+ for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
+ switch (ids[idx]->xid.type) {
+ case ID_TYPE_UID:
+ if ( ! u_filter) {
+ u_filter = talloc_asprintf(memctx, "(&(|"
+ "(sAMAccountType=%d)"
+ "(sAMAccountType=%d)"
+ "(sAMAccountType=%d))(|",
+ ATYPE_NORMAL_ACCOUNT,
+ ATYPE_WORKSTATION_TRUST,
+ ATYPE_INTERDOMAIN_TRUST);
+ }
+ u_filter = talloc_asprintf_append(u_filter, "(%s=%lu)",
+ ad_schema->posix_uidnumber_attr,
+ (unsigned long)ids[idx]->xid.id);
+ CHECK_ALLOC_DONE(u_filter);
break;
+
case ID_TYPE_GID:
-
- filter = talloc_asprintf(memctx,
- "(&(|(sAMAccountType=%d)(sAMAccountType=%d))(%s=%lu))",
- ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP,
- attr_gidnumber,
- (unsigned long)ids[0]->xid.id);
+ if ( ! g_filter) {
+ g_filter = talloc_asprintf(memctx, "(&(|"
+ "(sAMAccountType=%d)"
+ "(sAMAccountType=%d))(|",
+ ATYPE_SECURITY_GLOBAL_GROUP,
+ ATYPE_SECURITY_LOCAL_GROUP);
+ }
+ g_filter = talloc_asprintf_append(g_filter, "(%s=%lu)",
+ ad_schema->posix_gidnumber_attr,
+ (unsigned long)ids[idx]->xid.id);
+ CHECK_ALLOC_DONE(g_filter);
break;
+
default:
DEBUG(3, ("Unknown ID type\n"));
- ret = NT_STATUS_INVALID_PARAMETER;
- goto done;
+ ids[idx]->status = ID_UNKNOWN;
+ continue;
}
- CHECK_ALLOC_DONE(filter);
- DEBUG(10, ("Filter: [%s]\n", filter));
- } else {
- /* multiple mappings */
- multi = True;
}
-
-again:
- if (multi) {
- char *u_filter = NULL;
- char *g_filter = NULL;
-
- bidx = idx;
- for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
- switch (ids[idx]->xid.type) {
- case ID_TYPE_UID:
-
- if ( ! u_filter) {
- u_filter = talloc_asprintf(memctx, "(&(|"
- "(sAMAccountType=%d)"
- "(sAMAccountType=%d)"
- "(sAMAccountType=%d))(|",
- ATYPE_NORMAL_ACCOUNT,
- ATYPE_WORKSTATION_TRUST,
- ATYPE_INTERDOMAIN_TRUST);
- }
- u_filter = talloc_asprintf_append(u_filter, "(%s=%lu)",
- attr_uidnumber,
- (unsigned long)ids[idx]->xid.id);
- CHECK_ALLOC_DONE(u_filter);
- break;
-
- case ID_TYPE_GID:
- if ( ! g_filter) {
- g_filter = talloc_asprintf(memctx, "(&(|"
- "(sAMAccountType=%d)"
- "(sAMAccountType=%d))(|",
- ATYPE_SECURITY_GLOBAL_GROUP,
- ATYPE_SECURITY_LOCAL_GROUP);
- }
- g_filter = talloc_asprintf_append(g_filter, "(%s=%lu)",
- attr_gidnumber,
- (unsigned long)ids[idx]->xid.id);
- CHECK_ALLOC_DONE(g_filter);
- break;
-
- default:
- DEBUG(3, ("Unknown ID type\n"));
- ids[idx]->status = ID_UNKNOWN;
- continue;
- }
- }
- filter = talloc_asprintf(memctx, "(|");
+ filter = talloc_asprintf(memctx, "(|");
+ CHECK_ALLOC_DONE(filter);
+ if ( u_filter) {
+ filter = talloc_asprintf_append(filter, "%s))", u_filter);
CHECK_ALLOC_DONE(filter);
- if ( u_filter) {
- filter = talloc_asprintf_append(filter, "%s))", u_filter);
- CHECK_ALLOC_DONE(filter);
TALLOC_FREE(u_filter);
- }
- if ( g_filter) {
- filter = talloc_asprintf_append(filter, "%s))", g_filter);
- CHECK_ALLOC_DONE(filter);
- TALLOC_FREE(g_filter);
- }
- filter = talloc_asprintf_append(filter, ")");
+ }
+ if ( g_filter) {
+ filter = talloc_asprintf_append(filter, "%s))", g_filter);
CHECK_ALLOC_DONE(filter);
- DEBUG(10, ("Filter: [%s]\n", filter));
- } else {
- bidx = 0;
- idx = 1;
+ TALLOC_FREE(g_filter);
}
-
+ filter = talloc_asprintf_append(filter, ")");
+ CHECK_ALLOC_DONE(filter);
+ DEBUG(10, ("Filter: [%s]\n", filter));
rc = ads_search_retry(ads, &res, filter, attrs);
if (!ADS_ERR_OK(rc)) {
DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc)));
@@ -367,8 +350,7 @@ again:
goto done;
}
- count = ads_count_replies(ads, res);
- if (count == 0) {
+ if ( (count = ads_count_replies(ads, res)) == 0 ) {
DEBUG(10, ("No IDs found\n"));
}
@@ -417,10 +399,15 @@ again:
continue;
}
- if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID)?attr_uidnumber:attr_gidnumber, &id)) {
+ if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ?
+ ad_schema->posix_uidnumber_attr :
+ ad_schema->posix_gidnumber_attr,
+ &id))
+ {
DEBUG(1, ("Could not get unix ID\n"));
continue;
}
+
if ((id == 0) ||
(ctx->filter_low_id && (id < ctx->filter_low_id)) ||
(ctx->filter_high_id && (id > ctx->filter_high_id))) {
@@ -450,15 +437,16 @@ again:
ads_msgfree(ads, res);
}
- if (multi && ids[idx]) { /* still some values to map */
+ if (ids[idx]) { /* still some values to map */
goto again;
}
ret = NT_STATUS_OK;
- /* mark all unknwon ones as unmapped */
+ /* mark all unknown ones as unmapped */
for (i = 0; ids[i]; i++) {
- if (ids[i]->status == ID_UNKNOWN) ids[i]->status = ID_UNMAPPED;
+ if (ids[i]->status == ID_UNKNOWN)
+ ids[i]->status = ID_UNMAPPED;
}
done:
@@ -466,22 +454,8 @@ done:
return ret;
}
-/* this function searches up to IDMAP_AD_MAX_IDS entries in maps for a match */
-static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
-{
- int i;
-
- for (i = 0; i < IDMAP_AD_MAX_IDS; i++) {
- if (maps[i] == NULL) { /* end of the run */
- return NULL;
- }
- if (sid_equal(maps[i]->sid, sid)) {
- return maps[i];
- }
- }
-
- return NULL;
-}
+/************************************************************************
+ ***********************************************************************/
static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
{
@@ -497,85 +471,50 @@ static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom, struct id_map
NULL };
LDAPMessage *res = NULL;
char *filter = NULL;
- BOOL multi = False;
int idx = 0;
int bidx = 0;
int count;
int i;
+ char *sidstr;
ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
- memctx = talloc_new(ctx);
- if ( ! memctx) {
+ if ( (memctx = talloc_new(ctx)) == NULL ) {
DEBUG(0, ("Out of memory!\n"));
return NT_STATUS_NO_MEMORY;
}
- ads = ad_idmap_cached_connection();
- if (ads == NULL) {
+ if ( (ads = ad_idmap_cached_connection()) == NULL ) {
DEBUG(1, ("ADS uninitialized\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
- /* attr_uidnumber and attr_gidnumber are surely successfully initialized now */
- attrs[2] = attr_uidnumber;
- attrs[3] = attr_gidnumber;
-
-
- if ( ! ids[1]) {
- /* if we are requested just one mapping use the simple filter */
- char *sidstr;
-
- sidstr = sid_binstring(ids[0]->sid);
- filter = talloc_asprintf(memctx, "(&(objectSid=%s)(|" /* the requested Sid */
- "(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d)" /* user account types */
- "(sAMAccountType=%d)(sAMAccountType=%d)))", /* group account types */
- sidstr,
- ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
- ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
- if (! filter) {
- free(sidstr);
- ret = NT_STATUS_NO_MEMORY;
- goto done;
- }
- CHECK_ALLOC_DONE(filter);
- DEBUG(10, ("Filter: [%s]\n", filter));
- } else {
- /* multiple mappings */
- multi = True;
- }
+ attrs[2] = ad_schema->posix_uidnumber_attr;
+ attrs[3] = ad_schema->posix_gidnumber_attr;
again:
- if (multi) {
- char *sidstr;
-
- filter = talloc_asprintf(memctx,
- "(&(|"
- "(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d)" /* user account types */
- "(sAMAccountType=%d)(sAMAccountType=%d)" /* group account types */
- ")(|",
- ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
- ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
+ filter = talloc_asprintf(memctx, "(&(|"
+ "(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d)" /* user account types */
+ "(sAMAccountType=%d)(sAMAccountType=%d)" /* group account types */
+ ")(|",
+ ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
+ ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
- CHECK_ALLOC_DONE(filter);
+ CHECK_ALLOC_DONE(filter);
- bidx = idx;
- for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
+ bidx = idx;
+ for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
- sidstr = sid_binstring(ids[idx]->sid);
- filter = talloc_asprintf_append(filter, "(objectSid=%s)", sidstr);
+ sidstr = sid_binstring(ids[idx]->sid);
+ filter = talloc_asprintf_append(filter, "(objectSid=%s)", sidstr);
- free(sidstr);
- CHECK_ALLOC_DONE(filter);
- }
- filter = talloc_asprintf_append(filter, "))");
+ free(sidstr);
CHECK_ALLOC_DONE(filter);
- DEBUG(10, ("Filter: [%s]\n", filter));
- } else {
- bidx = 0;
- idx = 1;
}
+ filter = talloc_asprintf_append(filter, "))");
+ CHECK_ALLOC_DONE(filter);
+ DEBUG(10, ("Filter: [%s]\n", filter));
rc = ads_search_retry(ads, &res, filter, attrs);
if (!ADS_ERR_OK(rc)) {
@@ -584,8 +523,7 @@ again:
goto done;
}
- count = ads_count_replies(ads, res);
- if (count == 0) {
+ if ( (count = ads_count_replies(ads, res)) == 0 ) {
DEBUG(10, ("No IDs found\n"));
}
@@ -640,7 +578,11 @@ again:
continue;
}
- if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID)?attr_uidnumber:attr_gidnumber, &id)) {
+ if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ?
+ ad_schema->posix_uidnumber_attr :
+ ad_schema->posix_gidnumber_attr,
+ &id))
+ {
DEBUG(1, ("Could not get unix ID\n"));
continue;
}
@@ -667,7 +609,7 @@ again:
ads_msgfree(ads, res);
}
- if (multi && ids[idx]) { /* still some values to map */
+ if (ids[idx]) { /* still some values to map */
goto again;
}
@@ -675,7 +617,8 @@ again:
/* mark all unknwon ones as unmapped */
for (i = 0; ids[i]; i++) {
- if (ids[i]->status == ID_UNKNOWN) ids[i]->status = ID_UNMAPPED;
+ if (ids[i]->status == ID_UNKNOWN)
+ ids[i]->status = ID_UNMAPPED;
}
done:
@@ -683,6 +626,9 @@ done:
return ret;
}
+/************************************************************************
+ ***********************************************************************/
+
static NTSTATUS idmap_ad_close(struct idmap_domain *dom)
{
ADS_STRUCT *ads = ad_idmap_ads;
@@ -694,22 +640,176 @@ static NTSTATUS idmap_ad_close(struct idmap_domain *dom)
ad_idmap_ads = NULL;
}
- SAFE_FREE(attr_uidnumber);
- SAFE_FREE(attr_gidnumber);
+ TALLOC_FREE( ad_schema );
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * nss_info_{sfu,rfc2307}
+ */
+
+/************************************************************************
+ Initialize the {sfu,rfc2307} state
+ ***********************************************************************/
+
+static NTSTATUS nss_sfu_init( struct nss_domain_entry *e )
+{
+ /* Sanity check if we have previously been called with a
+ different schema model */
+
+ if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
+ (ad_map_type != WB_POSIX_MAP_SFU) )
+ {
+ DEBUG(0,("nss_sfu_init: Posix Map type has already been set. "
+ "Mixed schema models not supported!\n"));
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
+ ad_map_type = WB_POSIX_MAP_SFU;
+
+ if ( !ad_idmap_ads )
+ return idmap_ad_initialize( NULL, NULL );
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS nss_rfc2307_init( struct nss_domain_entry *e )
+{
+ /* Sanity check if we have previously been called with a
+ different schema model */
+
+ if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
+ (ad_map_type != WB_POSIX_MAP_RFC2307) )
+ {
+ DEBUG(0,("nss_rfc2307_init: Posix Map type has already been set. "
+ "Mixed schema models not supported!\n"));
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
+ ad_map_type = WB_POSIX_MAP_RFC2307;
+
+ if ( !ad_idmap_ads )
+ return idmap_ad_initialize( NULL, NULL );
+
+ return NT_STATUS_OK;
+}
+
+
+/************************************************************************
+ ***********************************************************************/
+static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
+ const DOM_SID *sid,
+ TALLOC_CTX *ctx,
+ ADS_STRUCT *ads,
+ LDAPMessage *msg,
+ char **homedir,
+ char **shell,
+ char **gecos,
+ uint32 *gid )
+{
+ char *home, *sh, *gec;
+
+ if ( !ad_schema )
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+
+ if ( !homedir || !shell || !gecos )
+ return NT_STATUS_INVALID_PARAMETER;
+
+ home = ads_pull_string( ads, ctx, msg, ad_schema->posix_homedir_attr );
+ sh = ads_pull_string( ads, ctx, msg, ad_schema->posix_shell_attr );
+ gec = ads_pull_string( ads, ctx, msg, ad_schema->posix_gecos_attr );
+
+ if ( gid ) {
+ if ( !ads_pull_uint32(ads, msg, ad_schema->posix_gidnumber_attr, gid ) )
+ *gid = 0;
+ }
+
+ if ( home )
+ *homedir = talloc_strdup( ctx, home );
+ if ( sh )
+ *shell = talloc_strdup( ctx, sh );
+ if ( gec )
+ *gecos = talloc_strdup( ctx, gec );
+ SAFE_FREE( home );
+ SAFE_FREE( sh );
+ SAFE_FREE( gec );
+
+ return NT_STATUS_OK;
+}
+
+/************************************************************************
+ ***********************************************************************/
+
+static NTSTATUS nss_ad_close( void )
+{
+ /* nothing to do. All memory is free()'d by the idmap close_fn() */
+
return NT_STATUS_OK;
}
+/************************************************************************
+ Function dispatch tables for the idmap and nss plugins
+ ***********************************************************************/
+
static struct idmap_methods ad_methods = {
- .init = idmap_ad_initialize,
+ .init = idmap_ad_initialize,
.unixids_to_sids = idmap_ad_unixids_to_sids,
.sids_to_unixids = idmap_ad_sids_to_unixids,
- .close_fn = idmap_ad_close
+ .close_fn = idmap_ad_close
+};
+
+/* The SFU and RFC2307 NSS plugins share everything but the init
+ function which sets the intended schema model to use */
+
+static struct nss_info_methods nss_rfc2307_methods = {
+ .init = nss_rfc2307_init,
+ .get_nss_info = nss_ad_get_info,
+ .close_fn = nss_ad_close
+};
+
+static struct nss_info_methods nss_sfu_methods = {
+ .init = nss_sfu_init,
+ .get_nss_info = nss_ad_get_info,
+ .close_fn = nss_ad_close
};
-/* support for new authentication subsystem */
+
+/************************************************************************
+ Initialize the plugins
+ ***********************************************************************/
+
NTSTATUS idmap_ad_init(void)
{
- return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ad", &ad_methods);
+ static NTSTATUS status_idmap_ad = NT_STATUS_UNSUCCESSFUL;
+ static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL;
+ static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL;
+
+ /* Always register the AD method first in order to get the
+ idmap_domain interface called */
+
+ if ( !NT_STATUS_IS_OK(status_idmap_ad) ) {
+ status_idmap_ad = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
+ "ad", &ad_methods);
+ if ( !NT_STATUS_IS_OK(status_idmap_ad) )
+ return status_idmap_ad;
+ }
+
+ if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) {
+ status_nss_rfc2307 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+ "rfc2307", &nss_rfc2307_methods );
+ if ( !NT_STATUS_IS_OK(status_nss_rfc2307) )
+ return status_nss_rfc2307;
+ }
+
+ if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) {
+ status_nss_sfu = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+ "sfu", &nss_sfu_methods );
+ if ( !NT_STATUS_IS_OK(status_nss_sfu) )
+ return status_nss_sfu;
+ }
+
+ return NT_STATUS_OK;
}
diff --git a/source3/nsswitch/nss_info.c b/source3/nsswitch/nss_info.c
index 6d01916754..127484f537 100644
--- a/source3/nsswitch/nss_info.c
+++ b/source3/nsswitch/nss_info.c
@@ -1,111 +1,305 @@
/*
Unix SMB/CIFS implementation.
- nss info helpers
- Copyright (C) Guenther Deschner 2006
+ Idmap NSS headers
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
+ Copyright (C) Gerald Carter 2006
- This program is distributed in the hope that it will be useful,
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.*/
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Library General Public
+ License along with this library; if not, write to the
+ Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ Boston, MA 02111-1307, USA.
+*/
#include "includes.h"
+#include "nss_info.h"
+
+static struct nss_function_entry *backends = NULL;
+static struct nss_domain_entry *nss_domain_list = NULL;
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_IDMAP
+/**********************************************************************
+ **********************************************************************/
-static enum wb_posix_mapping wb_posix_map_type(const char *map_str)
+const char *wb_posix_map_str(enum wb_posix_mapping mtype)
{
- if (strequal(map_str, "template"))
- return WB_POSIX_MAP_TEMPLATE;
- else if (strequal(map_str, "sfu"))
- return WB_POSIX_MAP_SFU;
- else if (strequal(map_str, "rfc2307"))
- return WB_POSIX_MAP_RFC2307;
- else if (strequal(map_str, "unixinfo"))
- return WB_POSIX_MAP_UNIXINFO;
-
- return WB_POSIX_MAP_UNKNOWN;
+ switch (mtype) {
+ case WB_POSIX_MAP_SFU:
+ return "sfu";
+ case WB_POSIX_MAP_RFC2307:
+ return "rfc2307";
+ default:
+ break;
+ }
+ return NULL;
}
-/* winbind nss info = rfc2307 SO36:sfu FHAIN:rfc2307 PANKOW:template
- *
- * syntax is:
- * 1st param: default setting
- * following ":" separated list elements:
- * DOMAIN:setting
- * setting can be one of "sfu", "rfc2307", "template", "unixinfo"
- */
-enum wb_posix_mapping get_nss_info(const char *domain_name)
+/**********************************************************************
+ Get idmap nss methods.
+**********************************************************************/
+
+static struct nss_function_entry *nss_get_backend(const char *name )
{
- const char **list = lp_winbind_nss_info();
- enum wb_posix_mapping map_templ = WB_POSIX_MAP_TEMPLATE;
- int i;
+ struct nss_function_entry *entry = backends;
+
+ for(entry = backends; entry; entry = entry->next) {
+ if ( strequal(entry->name, name) )
+ return entry;
+ }
+
+ return NULL;
+}
+
+/*********************************************************************
+ Allow a module to register itself as a backend.
+**********************************************************************/
+
+NTSTATUS smb_register_idmap_nss(int version, const char *name, struct nss_info_methods *methods)
+{
+ struct nss_function_entry *entry;
+
+ if ((version != SMB_NSS_INFO_INTERFACE_VERSION)) {
+ DEBUG(0, ("smb_register_idmap_nss: Failed to register idmap_nss module.\n"
+ "The module was compiled against SMB_NSS_INFO_INTERFACE_VERSION %d,\n"
+ "current SMB_NSS_INFO_INTERFACE_VERSION is %d.\n"
+ "Please recompile against the current version of samba!\n",
+ version, SMB_NSS_INFO_INTERFACE_VERSION));
+ return NT_STATUS_OBJECT_TYPE_MISMATCH;
+ }
+
+ if (!name || !name[0] || !methods) {
+ DEBUG(0,("smb_register_idmap_nss: called with NULL pointer or empty name!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- DEBUG(11,("get_nss_info for %s\n", domain_name));
+ if ( nss_get_backend(name) ) {
+ DEBUG(0,("smb_register_idmap_nss: idmap module %s "
+ "already registered!\n", name));
+ return NT_STATUS_OBJECT_NAME_COLLISION;
+ }
+
+ entry = SMB_XMALLOC_P(struct nss_function_entry);
+ entry->name = smb_xstrdup(name);
+ entry->methods = methods;
- if (!lp_winbind_nss_info() || !*lp_winbind_nss_info()) {
- return WB_POSIX_MAP_TEMPLATE;
+ DLIST_ADD(backends, entry);
+ DEBUG(5, ("smb_register_idmap_nss: Successfully added idmap "
+ "nss backend '%s'\n", name));
+
+ return NT_STATUS_OK;
+}
+
+/********************************************************************
+ *******************************************************************/
+
+static BOOL parse_nss_parm( const char *config, char **backend, char **domain )
+{
+ char *p;
+ char *q;
+ int len;
+
+ *backend = *domain = NULL;
+
+ if ( !config )
+ return False;
+
+ p = strchr( config, ':' );
+
+ /* if no : then the string must be the backend name only */
+
+ if ( !p ) {
+ *backend = SMB_STRDUP( config );
+ return (*backend != NULL);
}
- if ((map_templ = wb_posix_map_type(list[0])) == WB_POSIX_MAP_UNKNOWN) {
- DEBUG(0,("get_nss_info: invalid setting: %s\n", list[0]));
- return WB_POSIX_MAP_TEMPLATE;
+ /* split the string and return the two parts */
+
+ if ( strlen(p+1) > 0 ) {
+ *domain = SMB_STRDUP( p+1 );
}
+
+ len = PTR_DIFF(p,config)+1;
+ if ( (q = SMB_MALLOC_ARRAY( char, len )) == NULL ) {
+ SAFE_FREE( *backend );
+ return False;
+ }
+
+ StrnCpy( q, config, len-1);
+ q[len-1] = '\0';
+ *backend = q;
- DEBUG(11,("get_nss_info: using \"%s\" by default\n", list[0]));
+ return True;
+}
- for (i=0; list[i]; i++) {
+/********************************************************************
+ Each nss backend must not store global state, but rather be able
+ to initialize the state on a per domain basis.
+ *******************************************************************/
+
+NTSTATUS nss_init( const char **nss_list )
+{
+ NTSTATUS status;
+ int i;
+ char *backend, *domain;
+ struct nss_function_entry *nss_backend;
+ struct nss_domain_entry *nss_domain;
- const char *p = list[i];
- fstring tok;
+ /* The "template" backend should alqays be registered as it
+ is a static module */
- if (!next_token(&p, tok, ":", sizeof(tok))) {
- DEBUG(0,("get_nss_info: no \":\" delimitier found\n"));
- continue;
+ if ( (nss_backend = nss_get_backend( "template" )) == NULL ) {
+ static_init_nss_info;
+ }
+
+ /* Create the list of nss_domains (loading any shared plugins
+ as necessary) */
+
+ for ( i=0; nss_list && nss_list[i]; i++ ) {
+
+ if ( !parse_nss_parm(nss_list[i], &backend, &domain) ) {
+ DEBUG(0,("nss_init: failed to parse \"%s\"!\n",
+ nss_list[0]));
+ continue;
}
- if (strequal(tok, domain_name)) {
-
- enum wb_posix_mapping type;
+ /* validate the backend */
+
+ if ( (nss_backend = nss_get_backend( backend )) == NULL ) {
+ /* attempt to register the backend */
+ status = smb_probe_module( "nss_info", backend );
+ if ( !NT_STATUS_IS_OK(status) ) {
+ continue;
+ }
- if ((type = wb_posix_map_type(p)) == WB_POSIX_MAP_UNKNOWN) {
- DEBUG(0,("get_nss_info: invalid setting: %s\n", p));
- /* return WB_POSIX_MAP_TEMPLATE; */
+ /* try again */
+ if ( (nss_backend = nss_get_backend( backend )) == NULL ) {
+ DEBUG(0,("nss_init: unregistered backend %s!. Skipping\n",
+ backend));
continue;
}
- DEBUG(11,("get_nss_info: using \"%s\" for domain: %s\n", p, tok));
-
- return type;
}
+
+ /* fill in the nss_domain_entry and add it to the
+ list of domains */
+
+ nss_domain = TALLOC_ZERO_P( nss_domain_list, struct nss_domain_entry );
+ if ( !nss_domain ) {
+ DEBUG(0,("nss_init: talloc() failure!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ nss_domain->backend = nss_backend;
+ nss_domain->domain = talloc_strdup( nss_domain, domain );
+
+ status = nss_domain->backend->methods->init( nss_domain );
+ if ( NT_STATUS_IS_OK( status ) ) {
+ DLIST_ADD( nss_domain_list, nss_domain );
+ } else {
+ DEBUG(0,("nss_init: Failed to init backend for %s domain!\n",
+ nss_domain->domain));
+ }
+
+ /* cleanup */
+
+ SAFE_FREE( backend );
+ SAFE_FREE( domain );
}
- return map_templ;
+ if ( !nss_domain_list ) {
+ DEBUG(3,("nss_init: no nss backends configured. "
+ "Defaulting to \"template\".\n"));
+
+
+ /* we shouild default to use template here */
+ }
+
+
+ return NT_STATUS_OK;
}
-const char *wb_posix_map_str(enum wb_posix_mapping mtype)
+/********************************************************************
+ *******************************************************************/
+
+NTSTATUS nss_get_info( const char *domain, const DOM_SID *user_sid,
+ TALLOC_CTX *ctx,
+ ADS_STRUCT *ads, LDAPMessage *msg,
+ char **homedir, char **shell, char **gecos,
+ gid_t *p_gid)
{
- switch (mtype) {
- case WB_POSIX_MAP_TEMPLATE:
- return "template";
- case WB_POSIX_MAP_SFU:
- return "sfu";
- case WB_POSIX_MAP_RFC2307:
- return "rfc2307";
- case WB_POSIX_MAP_UNIXINFO:
- return "unixinfo";
- default:
+ struct nss_domain_entry *p;
+ struct nss_info_methods *m;
+
+ for ( p=nss_domain_list; p; p=p->next ) {
+ if ( strequal( p->domain, domain ) )
break;
}
- return NULL;
+
+ /* If we didn't find a match, then use the default nss info */
+
+ if ( !p ) {
+ if ( !nss_domain_list ) {
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ p = nss_domain_list;
+ }
+
+ m = p->backend->methods;
+
+ return m->get_nss_info( p, user_sid, ctx, ads, msg,
+ homedir, shell, gecos, p_gid );
}
+
+/********************************************************************
+ *******************************************************************/
+
+NTSTATUS nss_close( const char *parameters )
+{
+ struct nss_domain_entry *p = nss_domain_list;
+ struct nss_domain_entry *q;
+
+ while ( p && p->backend && p->backend->methods ) {
+ /* close the backend */
+ p->backend->methods->close_fn();
+
+ /* free the memory */
+ q = p;
+ p = p->next;
+ TALLOC_FREE( q );
+ }
+
+ return NT_STATUS_OK;
+}
+
+/********************************************************************
+ Invoke the init function for a given domain's backend
+ *******************************************************************/
+
+NTSTATUS idmap_nss_init_domain( const char *domain )
+{
+ struct nss_domain_entry *p;
+
+ DEBUG(10,("idmap_nss_init_domain: Searching for %s's init() function\n",
+ domain));
+
+ for ( p=nss_domain_list; p; p=p->next ) {
+ if ( strequal( p->domain, domain ) ) {
+ DEBUG(10,("idmap_nss_init_domain: Calling init function for %s\n",
+ domain));
+ return p->backend->methods->init( p );
+ }
+ }
+
+ return NT_STATUS_NO_SUCH_DOMAIN;
+}
+
diff --git a/source3/nsswitch/nss_info_template.c b/source3/nsswitch/nss_info_template.c
new file mode 100644
index 0000000000..e1076fbeaf
--- /dev/null
+++ b/source3/nsswitch/nss_info_template.c
@@ -0,0 +1,84 @@
+/*
+ Unix SMB/CIFS implementation.
+ idMap nss template plugin
+
+ Copyright (C) Gerald Carter 2006
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Library General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Library General Public
+ License along with this library; if not, write to the
+ Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+ Boston, MA 02111-1307, USA.
+*/
+
+#include "includes.h"
+#include "nss_info.h"
+
+/************************************************************************
+ ***********************************************************************/
+
+static NTSTATUS nss_template_init( struct nss_domain_entry *e )
+{
+ return NT_STATUS_OK;
+}
+
+/************************************************************************
+ ***********************************************************************/
+
+static NTSTATUS nss_template_get_info( struct nss_domain_entry *e,
+ const DOM_SID *sid,
+ TALLOC_CTX *ctx,
+ ADS_STRUCT *ads,
+ LDAPMessage *msg,
+ char **homedir,
+ char **shell,
+ char **gecos,
+ uint32 *gid )
+{
+ if ( !homedir || !shell || !gecos )
+ return NT_STATUS_INVALID_PARAMETER;
+
+ *homedir = talloc_strdup( ctx, lp_template_homedir() );
+ *shell = talloc_strdup( ctx, lp_template_shell() );
+ *gecos = NULL;
+
+ if ( !*homedir || !*shell ) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/************************************************************************
+ ***********************************************************************/
+
+static NTSTATUS nss_template_close( void )
+{
+ return NT_STATUS_OK;
+}
+
+
+/************************************************************************
+ ***********************************************************************/
+
+static struct nss_info_methods nss_template_methods = {
+ nss_template_init,
+ nss_template_get_info,
+ nss_template_close
+};
+
+NTSTATUS nss_info_template_init( void )
+{
+ return smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+ "template",
+ &nss_template_methods);
+}
diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c
index c8c5496ebf..ce39df350f 100644
--- a/source3/nsswitch/winbindd.c
+++ b/source3/nsswitch/winbindd.c
@@ -1009,6 +1009,8 @@ int main(int argc, char **argv, char **envp)
DEBUG(1, ("Could not init idmap! - Sid/[UG]id mapping will not be available\n"));
}
+ nss_init( lp_winbind_nss_info() );
+
/* Unblock all signals we are interested in as they may have been
blocked by the parent process. */
diff --git a/source3/nsswitch/winbindd.h b/source3/nsswitch/winbindd.h
index 59557c4942..b9e07a2321 100644
--- a/source3/nsswitch/winbindd.h
+++ b/source3/nsswitch/winbindd.h
@@ -112,6 +112,8 @@ typedef struct {
char *full_name;
char *homedir;
char *shell;
+ gid_t primary_gid; /* allow the nss_info
+ backend to set the primary group */
DOM_SID user_sid; /* NT user and primary group SIDs */
DOM_SID group_sid;
} WINBIND_USERINFO;
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index 8cb60806f8..fc6308deed 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -40,7 +40,6 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
{
ADS_STRUCT *ads;
ADS_STATUS status;
- enum wb_posix_mapping map_type;
DEBUG(10,("ads_cached_connection\n"));
@@ -126,17 +125,9 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
return NULL;
}
- map_type = get_nss_info(domain->name);
+ /* initialize the nss backend for this domain */
- if ((map_type == WB_POSIX_MAP_RFC2307)||
- (map_type == WB_POSIX_MAP_SFU)) {
-
- status = ads_check_posix_schema_mapping(ads, map_type);
- if (!ADS_ERR_OK(status)) {
- DEBUG(10,("ads_check_posix_schema_mapping failed "
- "with: %s\n", ads_errstr(status)));
- }
- }
+ idmap_nss_init_domain( domain->name );
/* set the flag that says we don't own the memory even
though we do so that ads_destroy() won't destroy the
@@ -156,17 +147,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
WINBIND_USERINFO **info)
{
ADS_STRUCT *ads = NULL;
- const char *attrs[] = {"userPrincipalName",
- "sAMAccountName",
- "name", "objectSid", "primaryGroupID",
- "sAMAccountType",
- ADS_ATTR_SFU_HOMEDIR_OID,
- ADS_ATTR_SFU_SHELL_OID,
- ADS_ATTR_SFU_GECOS_OID,
- ADS_ATTR_RFC2307_HOMEDIR_OID,
- ADS_ATTR_RFC2307_SHELL_OID,
- ADS_ATTR_RFC2307_GECOS_OID,
- NULL};
+ const char *attrs[] = { "*", NULL };
int i, count;
ADS_STATUS rc;
LDAPMessage *res = NULL;
@@ -210,6 +191,8 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
char *shell = NULL;
uint32 group;
uint32 atype;
+ DOM_SID user_sid;
+ gid_t primary_gid = (gid_t)-1;
if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype) ||
ads_atype_map(atype) != SID_NAME_USER) {
@@ -219,17 +202,10 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
name = ads_pull_username(ads, mem_ctx, msg);
- if (get_nss_info(domain->name) && ads->schema.map_type) {
-
- DEBUG(10,("pulling posix attributes (%s schema)\n",
- wb_posix_map_str(ads->schema.map_type)));
-
- homedir = ads_pull_string(ads, mem_ctx, msg,
- ads->schema.posix_homedir_attr);
- shell = ads_pull_string(ads, mem_ctx, msg,
- ads->schema.posix_shell_attr);
- gecos = ads_pull_string(ads, mem_ctx, msg,
- ads->schema.posix_gecos_attr);
+ if ( ads_pull_sid( ads, msg, "objectSid", &user_sid ) ) {
+ status = nss_get_info( domain->name, &user_sid, mem_ctx,
+ ads, msg, &homedir, &shell, &gecos,
+ &primary_gid );
}
if (gecos == NULL) {
@@ -250,6 +226,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
(*info)[i].full_name = gecos;
(*info)[i].homedir = homedir;
(*info)[i].shell = shell;
+ (*info)[i].primary_gid = primary_gid;
sid_compose(&(*info)[i].group_sid, &domain->sid, group);
i++;
}
@@ -454,17 +431,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
WINBIND_USERINFO *info)
{
ADS_STRUCT *ads = NULL;
- const char *attrs[] = {"userPrincipalName",
- "sAMAccountName",
- "name",
- "primaryGroupID",
- ADS_ATTR_SFU_HOMEDIR_OID,
- ADS_ATTR_SFU_SHELL_OID,
- ADS_ATTR_SFU_GECOS_OID,
- ADS_ATTR_RFC2307_HOMEDIR_OID,
- ADS_ATTR_RFC2307_SHELL_OID,
- ADS_ATTR_RFC2307_GECOS_OID,
- NULL};
+ const char *attrs[] = { "*", NULL };
ADS_STATUS rc;
int count;
LDAPMessage *msg = NULL;
@@ -475,9 +442,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
DEBUG(3,("ads: query_user\n"));
- ads = ads_cached_connection(domain);
-
- if (!ads) {
+ if ( (ads = ads_cached_connection(domain)) == NULL ) {
domain->last_status = NT_STATUS_SERVER_DISABLED;
goto done;
}
@@ -502,18 +467,9 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
info->acct_name = ads_pull_username(ads, mem_ctx, msg);
- if (get_nss_info(domain->name) && ads->schema.map_type) {
-
- DEBUG(10,("pulling posix attributes (%s schema)\n",
- wb_posix_map_str(ads->schema.map_type)));
-
- info->homedir = ads_pull_string(ads, mem_ctx, msg,
- ads->schema.posix_homedir_attr);
- info->shell = ads_pull_string(ads, mem_ctx, msg,
- ads->schema.posix_shell_attr);
- info->full_name = ads_pull_string(ads, mem_ctx, msg,
- ads->schema.posix_gecos_attr);
- }
+ info->primary_gid = (gid_t)-1;
+ nss_get_info( domain->name, sid, mem_ctx, ads, msg,
+ &info->homedir, &info->shell, &info->full_name, &info->primary_gid );
if (info->full_name == NULL) {
info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
diff --git a/source3/nsswitch/winbindd_async.c b/source3/nsswitch/winbindd_async.c
index d70d6a0806..ee81b14f2f 100644
--- a/source3/nsswitch/winbindd_async.c
+++ b/source3/nsswitch/winbindd_async.c
@@ -764,7 +764,9 @@ enum winbindd_result winbindd_dual_lookupsid(struct winbindd_domain *domain,
}
fstrcpy(state->response.data.name.dom_name, dom_name);
+ TALLOC_FREE(dom_name);
fstrcpy(state->response.data.name.name, name);
+ TALLOC_FREE(name);
state->response.data.name.type = type;
TALLOC_FREE(dom_name);
@@ -1397,13 +1399,13 @@ static void query_user_recv(TALLOC_CTX *mem_ctx, BOOL success,
{
void (*cont)(void *priv, BOOL succ, const char *acct_name,
const char *full_name, const char *homedir,
- const char *shell, uint32 group_rid) =
+ const char *shell, uint32 gid, uint32 group_rid) =
(void (*)(void *, BOOL, const char *, const char *,
- const char *, const char *, uint32))c;
+ const char *, const char *, uint32, uint32))c;
if (!success) {
DEBUG(5, ("Could not trigger query_user\n"));
- cont(private_data, False, NULL, NULL, NULL, NULL, -1);
+ cont(private_data, False, NULL, NULL, NULL, NULL, -1, -1);
return;
}
@@ -1411,6 +1413,7 @@ static void query_user_recv(TALLOC_CTX *mem_ctx, BOOL success,
response->data.user_info.full_name,
response->data.user_info.homedir,
response->data.user_info.shell,
+ response->data.user_info.primary_gid,
response->data.user_info.group_rid);
}
@@ -1421,6 +1424,7 @@ void query_user_async(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
const char *full_name,
const char *homedir,
const char *shell,
+ gid_t gid,
uint32 group_rid),
void *private_data)
{
diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c
index 0587d8b2b3..423e625ced 100644
--- a/source3/nsswitch/winbindd_cache.c
+++ b/source3/nsswitch/winbindd_cache.c
@@ -827,6 +827,7 @@ static void wcache_save_user(struct winbindd_domain *domain, NTSTATUS status, WI
centry_put_string(centry, info->full_name);
centry_put_string(centry, info->homedir);
centry_put_string(centry, info->shell);
+ centry_put_uint32(centry, info->primary_gid);
centry_put_sid(centry, &info->user_sid);
centry_put_sid(centry, &info->group_sid);
centry_end(centry, "U/%s", sid_to_string(sid_string, &info->user_sid));
@@ -854,7 +855,7 @@ static void wcache_save_lockout_policy(struct winbindd_domain *domain, NTSTATUS
}
static void wcache_save_password_policy(struct winbindd_domain *domain, NTSTATUS status, SAM_UNK_INFO_1 *policy)
-{
+ {
struct cache_entry *centry;
centry = centry_start(domain, status);
@@ -1589,6 +1590,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
info->full_name = centry_string(centry, mem_ctx);
info->homedir = centry_string(centry, mem_ctx);
info->shell = centry_string(centry, mem_ctx);
+ info->primary_gid = centry_uint32(centry);
centry_sid(centry, mem_ctx, &info->user_sid);
centry_sid(centry, mem_ctx, &info->group_sid);
status = centry->status;
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index 9584e18e06..95992181f5 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -447,6 +447,7 @@ struct winbindd_response {
fstring full_name;
fstring homedir;
fstring shell;
+ uint32 primary_gid;
uint32 group_rid;
} user_info;
struct {
diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c
index f82b03df07..76cf9d44bd 100644
--- a/source3/nsswitch/winbindd_user.c
+++ b/source3/nsswitch/winbindd_user.c
@@ -41,7 +41,7 @@ static BOOL fillup_pw_field(const char *lp_template,
if (out == NULL)
return False;
- if (in && !strequal(in,"") && lp_security() == SEC_ADS && (get_nss_info(domname))) {
+ if ( in && !strequal(in,"") && lp_security() == SEC_ADS ) {
safe_strcpy(out, in, sizeof(fstring) - 1);
return True;
}
@@ -156,6 +156,7 @@ enum winbindd_result winbindd_dual_userinfo(struct winbindd_domain *domain,
fstrcpy(state->response.data.user_info.full_name, user_info.full_name);
fstrcpy(state->response.data.user_info.homedir, user_info.homedir);
fstrcpy(state->response.data.user_info.shell, user_info.shell);
+ state->response.data.user_info.primary_gid = user_info.primary_gid;
if (!sid_peek_check_rid(&domain->sid, &user_info.group_sid,
&state->response.data.user_info.group_rid)) {
DEBUG(1, ("Could not extract group rid out of %s\n",
@@ -184,6 +185,7 @@ static void getpwsid_queryuser_recv(void *private_data, BOOL success,
const char *full_name,
const char *homedir,
const char *shell,
+ uint32 gid,
uint32 group_rid);
static void getpwsid_sid2uid_recv(void *private_data, BOOL success, uid_t uid);
static void getpwsid_sid2gid_recv(void *private_data, BOOL success, gid_t gid);
@@ -222,6 +224,7 @@ static void getpwsid_queryuser_recv(void *private_data, BOOL success,
const char *full_name,
const char *homedir,
const char *shell,
+ uint32 gid,
uint32 group_rid)
{
fstring username;
@@ -241,6 +244,7 @@ static void getpwsid_queryuser_recv(void *private_data, BOOL success,
s->fullname = talloc_strdup(s->state->mem_ctx, full_name);
s->homedir = talloc_strdup(s->state->mem_ctx, homedir);
s->shell = talloc_strdup(s->state->mem_ctx, shell);
+ s->gid = gid;
sid_copy(&s->group_sid, &s->domain->sid);
sid_append_rid(&s->group_sid, group_rid);
@@ -272,13 +276,29 @@ static void getpwsid_sid2gid_recv(void *private_data, BOOL success, gid_t gid)
struct winbindd_pw *pw;
fstring output_username;
+ /* allow the nss backend to override the primary group ID.
+ If the gid has already been set, then keep it.
+ This makes me feel dirty. If the nss backend already
+ gave us a gid, we don't really care whether the sid2gid()
+ call worked or not. --jerry */
+
+ if ( s->gid == (gid_t)-1 ) {
if (!success) {
DEBUG(5, ("Could not query user's %s\\%s\n gid",
s->domain->name, s->username));
goto failed;
}
+ /* take what the sid2gid() call gave us */
s->gid = gid;
+ }
+
+ /* allow the nss backend to override the primary group ID.
+ If the gid has already been set, then keep it */
+
+ if ( s->gid == (gid_t)-1 ) {
+ s->gid = gid;
+ }
pw = &s->state->response.data.pw;
pw->pw_uid = s->uid;