And finally IDMAP in 3_0

We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
author: Simo Sorce <idra@samba.org> 2003-05-12 18:12:31 +0000
committer: Simo Sorce <idra@samba.org> 2003-05-12 18:12:31 +0000
commit: c823b191ab476fc2583d6d6aaa1e2edb09cbb88e (patch)
tree: de7a7bc704024faf8e9b5dc750eed0cec6684ebb /source3/passdb/passdb.c
parent: 9308eaf77d53b2d86c071ef07a8e32d9d83b6d12 (diff)
download: samba-c823b191ab476fc2583d6d6aaa1e2edb09cbb88e.tar.gz
samba-c823b191ab476fc2583d6d6aaa1e2edb09cbb88e.tar.bz2
samba-c823b191ab476fc2583d6d6aaa1e2edb09cbb88e.zip
1 files changed, 84 insertions, 238 deletions
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 3fef3ea745..d3554cdbde 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -5,6 +5,7 @@
    Copyright (C) Luke Kenneth Casson Leighton 	1996-1998
    Copyright (C) Gerald (Jerry) Carter		2000-2001
    Copyright (C) Andrew Bartlett		2001-2002
+   Copyright (C) Simo Sorce			2003
       
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -34,11 +35,17 @@ const char *get_global_sam_name(void)
 	return global_myname();
 }
 
+/*
+ * This is set on startup - it defines the SID for this
+ * machine, and therefore the SAM database for which it is
+ * responsible.
+ */
+
 /************************************************************
  Fill the SAM_ACCOUNT with default values.
  ***********************************************************/
 
-static void pdb_fill_default_sam(SAM_ACCOUNT *user)
+void pdb_fill_default_sam(SAM_ACCOUNT *user)
 {
 	ZERO_STRUCT(user->private); /* Don't touch the talloc context */
 
@@ -48,8 +55,6 @@ static void pdb_fill_default_sam(SAM_ACCOUNT *user)
         /* Don't change these timestamp settings without a good reason.
            They are important for NT member server compatibility. */
 
-	user->private.uid = user->private.gid	    = -1;
-
 	user->private.logon_time            = (time_t)0;
 	user->private.pass_last_set_time    = (time_t)0;
 	user->private.pass_can_change_time  = (time_t)0;
@@ -165,13 +170,7 @@ NTSTATUS pdb_init_sam(SAM_ACCOUNT **user)
 
 NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
 {
-	GROUP_MAP map;
-
-	const char *guest_account = lp_guestaccount();
-	if (!(guest_account && *guest_account)) {
-		DEBUG(1, ("NULL guest account!?!?\n"));
-		return NT_STATUS_UNSUCCESSFUL;
-	}
+	NTSTATUS ret;
 
 	if (!pwd) {
 		return NT_STATUS_UNSUCCESSFUL;
@@ -184,10 +183,7 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
 
 	pdb_set_unix_homedir(sam_account, pwd->pw_dir, PDB_SET);
 
-	pdb_set_domain (sam_account, get_global_sam_name(), PDB_DEFAULT);
-
-	pdb_set_uid(sam_account, pwd->pw_uid, PDB_SET);
-	pdb_set_gid(sam_account, pwd->pw_gid, PDB_SET);
+	pdb_set_domain (sam_account, lp_workgroup(), PDB_DEFAULT);
 	
 	/* When we get a proper uid -> SID and SID -> uid allocation
 	   mechinism, we should call it here.  
@@ -199,37 +195,8 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
 	   -- abartlet 11-May-02
 	*/
 
-
-	/* Ensure this *must* be set right */
-	if (strcmp(pwd->pw_name, guest_account) == 0) {
-		if (!pdb_set_user_sid_from_rid(sam_account, DOMAIN_USER_RID_GUEST, PDB_SET)) {
-			return NT_STATUS_UNSUCCESSFUL;
-		}
-		if (!pdb_set_group_sid_from_rid(sam_account, DOMAIN_GROUP_RID_GUESTS, PDB_SET)) {
-			return NT_STATUS_UNSUCCESSFUL;
-		}
-	} else {
-
-		if (!pdb_set_user_sid_from_rid(sam_account, 
-					       fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) {
-			DEBUG(0,("Can't set User SID from RID!\n"));
-			return NT_STATUS_INVALID_PARAMETER;
-		}
-		
-		/* call the mapping code here */
-		if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) {
-			if (!pdb_set_group_sid(sam_account,&map.sid, PDB_SET)){
-				DEBUG(0,("Can't set Group SID!\n"));
-				return NT_STATUS_INVALID_PARAMETER;
-			}
-		} 
-		else {
-			if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) {
-				DEBUG(0,("Can't set Group SID\n"));
-				return NT_STATUS_INVALID_PARAMETER;
-			}
-		}
-	}
+	ret = pdb_set_sam_sids(sam_account, pwd);
+	if (NT_STATUS_IS_ERR(ret)) return ret;
 
 	/* check if this is a user account or a machine account */
 	if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$')
@@ -322,6 +289,7 @@ NTSTATUS pdb_init_sam_new(SAM_ACCOUNT **new_sam_acct, const char *username)
 			return nt_status;
 		}
 	} else {
+		DOM_SID g_sid;
 		if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(new_sam_acct))) {
 			*new_sam_acct = NULL;
 			return nt_status;
@@ -330,6 +298,13 @@ NTSTATUS pdb_init_sam_new(SAM_ACCOUNT **new_sam_acct, const char *username)
 			pdb_free_sam(new_sam_acct);
 			return nt_status;
 		}
+
+		pdb_set_domain (*new_sam_acct, lp_workgroup(), PDB_DEFAULT);
+
+		/* set Domain Users by default ! */
+		sid_copy(&g_sid, get_global_sam_sid());
+		sid_append_rid(&g_sid, DOMAIN_GROUP_RID_USERS);
+		pdb_set_group_sid(*new_sam_acct, &g_sid, PDB_SET);
 	}
 	return NT_STATUS_OK;
 }
@@ -402,6 +377,63 @@ NTSTATUS pdb_free_sam(SAM_ACCOUNT **user)
 	return NT_STATUS_OK;	
 }
 
+/**************************************************************************
+ * This function will take care of all the steps needed to correctly
+ * allocate and set the user SID, please do use this function to create new
+ * users, messing with SIDs is not good.
+ *
+ * account_data must be provided initialized, pwd may be null.
+ * 									SSS
+ ***************************************************************************/
+
+NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd)
+{
+	const char *guest_account = lp_guestaccount();
+	GROUP_MAP map;
+	
+	if (!account_data || !pwd) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	/* this is a hack this thing should not be set
+	   this way --SSS */
+	if (!(guest_account && *guest_account)) {
+		DEBUG(1, ("NULL guest account!?!?\n"));
+		return NT_STATUS_UNSUCCESSFUL;
+	} else {
+		/* Ensure this *must* be set right */
+		if (strcmp(pwd->pw_name, guest_account) == 0) {
+			if (!pdb_set_user_sid_from_rid(account_data, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) {
+				return NT_STATUS_UNSUCCESSFUL;
+			}
+			if (!pdb_set_group_sid_from_rid(account_data, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) {
+				return NT_STATUS_UNSUCCESSFUL;
+			}
+			return NT_STATUS_OK;
+		}
+	}
+
+	if (!pdb_set_user_sid_from_rid(account_data, fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) {
+		DEBUG(0,("Can't set User SID from RID!\n"));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	
+	/* call the mapping code here */
+	if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) {
+		if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){
+			DEBUG(0,("Can't set Group SID!\n"));
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+	} 
+	else {
+		if (!pdb_set_group_sid_from_rid(account_data, pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) {
+			DEBUG(0,("Can't set Group SID\n"));
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+	}
+
+	return NT_STATUS_OK;
+}
 
 /**********************************************************
  Encode the account control bits into a string.
@@ -531,10 +563,6 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
 	return (True);
 }
 
-/*******************************************************************
- Converts NT user RID to a UNIX uid.
- ********************************************************************/
-
 static int algorithmic_rid_base(void)
 {
 	static int rid_offset = 0;
@@ -557,14 +585,16 @@ static int algorithmic_rid_base(void)
 	return rid_offset;
 }
 
+/*******************************************************************
+ Converts NT user RID to a UNIX uid.
+ ********************************************************************/
 
 uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid)
 {
 	int rid_offset = algorithmic_rid_base();
-	return (uid_t)(((user_rid & (~USER_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
+	return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER);
 }
 
-
 /*******************************************************************
  converts UNIX uid to an NT User RID.
  ********************************************************************/
@@ -615,7 +645,7 @@ static BOOL pdb_rid_is_well_known(uint32 rid)
  Decides if a RID is a user or group RID.
  ********************************************************************/
 
-BOOL pdb_rid_is_user(uint32 rid)
+BOOL fallback_pdb_rid_is_user(uint32 rid)
 {
   /* lkcl i understand that NT attaches an enumeration to a RID
    * such that it can be identified as either a user, group etc
@@ -648,7 +678,7 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use
 	GROUP_MAP map;
 
 	if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)){
-		DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n",
+		DEBUG(0,("local_lookup_sid: sid_peek_check_rid return False! SID: %s\n",
 			sid_string_static(&map.sid)));
 		return False;
 	}	
@@ -705,7 +735,7 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use
 		return True;
 	}
 
-	if (pdb_rid_is_user(rid)) {
+	if (fallback_pdb_rid_is_user(rid)) {
 		uid_t uid;
 
 		DEBUG(5, ("assuming RID %u is a user\n", (unsigned)rid));
@@ -838,190 +868,6 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
 	return True;
 }
 
-/****************************************************************************
- Convert a uid to SID - locally.
-****************************************************************************/
-
-DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
-{
-	struct passwd *pass;
-	SAM_ACCOUNT *sam_user = NULL;
-	fstring str; /* sid string buffer */
-
-	sid_copy(psid, get_global_sam_sid());
-
-	if((pass = getpwuid_alloc(uid))) {
-
-		if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) {
-			passwd_free(&pass);
-			return NULL;
-		}
-		
-		if (pdb_getsampwnam(sam_user, pass->pw_name)) {
-			sid_copy(psid, pdb_get_user_sid(sam_user));
-		} else {
-			sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid));
-		}
-
-		DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (%s).\n", 
-			  (unsigned)uid, sid_to_string( str, psid),
-			  pass->pw_name ));
-
-		passwd_free(&pass);
-		pdb_free_sam(&sam_user);
-	
-	} else {
-		sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid));
-
-		DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (unknown user).\n", 
-			  (unsigned)uid, sid_to_string( str, psid)));
-	}
-
-	return psid;
-}
-
-/****************************************************************************
- Convert a SID to uid - locally.
-****************************************************************************/
-
-BOOL local_sid_to_uid(uid_t *puid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
-{
-	fstring str;
-	SAM_ACCOUNT *sam_user = NULL;
-
-	*name_type = SID_NAME_UNKNOWN;
-
-	if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user)))
-		return False;
-	
-	if (pdb_getsampwsid(sam_user, psid)) {
-		
-		if (!IS_SAM_SET(sam_user,PDB_UID)&&!IS_SAM_CHANGED(sam_user,PDB_UID)) {
-			pdb_free_sam(&sam_user);
-			return False;
-		}
-
-		*puid = pdb_get_uid(sam_user);
-			
-		DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_to_string( str, psid),
-			  (unsigned int)*puid, pdb_get_username(sam_user)));
-		pdb_free_sam(&sam_user);
-	} else {
-
-		DOM_SID dom_sid;
-		uint32 rid;
-		GROUP_MAP map;
-
-		pdb_free_sam(&sam_user);  
-
-		if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) {
-			DEBUG(3, ("local_sid_to_uid: SID '%s' is a group, not a user... \n", sid_to_string(str, psid)));
-			/* It's a group, not a user... */
-			return False;
-		}
-
-		sid_copy(&dom_sid, psid);
-		if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
-			DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid)));
-			return False;
-		}
-
-		if (!pdb_rid_is_user(rid)) {
-			DEBUG(3, ("local_sid_to_uid: sid '%s' cannot be mapped to a uid algorithmicly becouse it is a group\n", sid_to_string(str, psid)));
-			return False;
-		}
-		
-		*puid = fallback_pdb_user_rid_to_uid(rid);
-		
-		DEBUG(5,("local_sid_to_uid: SID %s algorithmicly mapped to %ld mapped becouse SID was not found in passdb.\n", 
-			 sid_to_string(str, psid), (signed long int)(*puid)));
-	}
-
-	*name_type = SID_NAME_USER;
-
-	return True;
-}
-
-/****************************************************************************
- Convert a gid to SID - locally.
-****************************************************************************/
-
-DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
-{
-	GROUP_MAP map;
-
-	sid_copy(psid, get_global_sam_sid());
-	
-	if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
-		sid_copy(psid, &map.sid);
-	} 
-	else {
-		sid_append_rid(psid, pdb_gid_to_group_rid(gid));
-	}
-
-	return psid;
-}
-
-/****************************************************************************
- Convert a SID to gid - locally.
-****************************************************************************/
-
-BOOL local_sid_to_gid(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
-{
-	fstring str;
-	GROUP_MAP map;
-
-	*name_type = SID_NAME_UNKNOWN;
-
-	/*
-	 * We can only convert to a gid if this is our local
-	 * Domain SID (ie. we are the controling authority).
-	 *
-	 * Or in the Builtin SID too. JFM, 11/30/2001
-	 */
-
-	if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) {
-		
-		/* the SID is in the mapping table but not mapped */
-		if (map.gid==(gid_t)-1)
-			return False;
-
-		*pgid = map.gid;
-		*name_type = map.sid_name_use;
-		DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", 
-			  sid_to_string( str, psid),
-			  map.nt_name, (unsigned int)*pgid));
-
-	} else {
-		uint32 rid;
-		SAM_ACCOUNT *sam_user = NULL;
-		if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user)))
-			return False;
-		
-		if (pdb_getsampwsid(sam_user, psid)) {
-			return False;
-			pdb_free_sam(&sam_user);
-		}
-
-		pdb_free_sam(&sam_user);
-
-		if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
-			DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid)));
-			return False;
-		}
-
-		if (pdb_rid_is_user(rid))
-			return False;
-		
-		*pgid = pdb_group_rid_to_gid(rid);
-		*name_type = SID_NAME_ALIAS;
-		DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u).\n", sid_to_string( str, psid),
-			  (unsigned int)*pgid));
-	}
-	
-	return True;
-}
-
 /*************************************************************
  Change a password entry in the local smbpasswd file.
author	Simo Sorce <idra@samba.org>	2003-05-12 18:12:31 +0000
committer	Simo Sorce <idra@samba.org>	2003-05-12 18:12:31 +0000
commit	c823b191ab476fc2583d6d6aaa1e2edb09cbb88e (patch)
tree	de7a7bc704024faf8e9b5dc750eed0cec6684ebb /source3/passdb/passdb.c
parent	9308eaf77d53b2d86c071ef07a8e32d9d83b6d12 (diff)
download	samba-c823b191ab476fc2583d6d6aaa1e2edb09cbb88e.tar.gz samba-c823b191ab476fc2583d6d6aaa1e2edb09cbb88e.tar.bz2 samba-c823b191ab476fc2583d6d6aaa1e2edb09cbb88e.zip