author | Simo Sorce <idra@samba.org> | 2003-04-29 03:31:00 +0000 |
committer | Simo Sorce <idra@samba.org> | 2003-04-29 03:31:00 +0000 |
commit | 67a5f62e43f802149e6d2761b0d9f93a1b084a27 (patch) | |
tree | ec9015cc519923a104fc77504714e338018cdc7d /source3/passdb | |
parent | e64b34cd47e046e9804b9e7774ee8316e9729413 (diff) | |
download | samba-67a5f62e43f802149e6d2761b0d9f93a1b084a27.tar.gz samba-67a5f62e43f802149e6d2761b0d9f93a1b084a27.tar.bz2 samba-67a5f62e43f802149e6d2761b0d9f93a1b084a27.zip |
ok next_rid out as well local_*id_to*id functions
reverted user making function, did not pass the abartlet test :-)
idmap is now fully integrated, we only miss user creation and removal of uid
and gid from SAM_ACCOUNT
(This used to be commit 67af8c26586c4829166795813a373bf9be27b753)
Diffstat (limited to 'source3/passdb')
-rw-r--r-- | source3/passdb/passdb.c | 348 | ||||
-rw-r--r-- | source3/passdb/pdb_smbpasswd.c | 1 | ||||
-rw-r--r-- | source3/passdb/pdb_tdb.c | 47 |
3 files changed, 97 insertions, 299 deletions
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 99f5c228ef..15756b7e22 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -163,13 +163,7 @@ NTSTATUS pdb_init_sam(SAM_ACCOUNT **user) NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) { - GROUP_MAP map; - - const char *guest_account = lp_guestaccount(); - if (!(guest_account && *guest_account)) { - DEBUG(1, ("NULL guest account!?!?\n")); - return NT_STATUS_UNSUCCESSFUL; - } + NTSTATUS ret; if (!pwd) { return NT_STATUS_UNSUCCESSFUL; @@ -197,37 +191,8 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) -- abartlet 11-May-02 */ - - /* Ensure this *must* be set right */ - if (strcmp(pwd->pw_name, guest_account) == 0) { - if (!pdb_set_user_sid_from_rid(sam_account, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) { - return NT_STATUS_UNSUCCESSFUL; - } - if (!pdb_set_group_sid_from_rid(sam_account, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) { - return NT_STATUS_UNSUCCESSFUL; - } - } else { - - if (!pdb_set_user_sid_from_rid(sam_account, - fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) { - DEBUG(0,("Can't set User SID from RID!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - /* call the mapping code here */ - if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) { - if (!pdb_set_group_sid(sam_account,&map.sid, PDB_SET)){ - DEBUG(0,("Can't set Group SID!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - } - else { - if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) { - DEBUG(0,("Can't set Group SID\n")); - return NT_STATUS_INVALID_PARAMETER; - } - } - } + ret = pdb_set_sam_sids(sam_account, pwd); + if (NT_STATUS_IS_ERR(ret)) return ret; /* check if this is a user account or a machine account */ if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$') 
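Review bot: The new guard `if (NT_STATUS_IS_ERR(ret)) return ret;` after the `pdb_set_sam_sids` call only rejects statuses whose severity bits mark an error, so any non-OK status without error severity would fall through and the account would be treated as having valid SIDs. `if (!NT_STATUS_IS_OK(ret)) return ret;` states the intent directly and is the form used elsewhere for "anything but success". Today pdb_set_sam_sids appears to return only OK, UNSUCCESSFUL and INVALID_PARAMETER, so this is hardening rather than a live bug. pdb_fill_sam_pw continues past the end of the hunk.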
@@ -371,102 +336,77 @@ NTSTATUS pdb_free_sam(SAM_ACCOUNT **user) /************************************************************************** * This function will take care of all the steps needed to correctly * allocate and set the user SID, please do use this function to create new - * users and don't add the account to the passdb directly unless you know - * what are you doing, messing with SIDs is not good. - * - * account_data must be provided initialized. But values may be discarded if - * free RIDs are not in use. - * - * ATTENTION: Please pay attention to leave any ID field to NULL unless you - * really know what you are doing + * users, messing with SIDs is not good. * + * account_data must be provided initialized, pwd may be null. * SSS ***************************************************************************/ -NTSTATUS pdb_create_new_user_account(char *username, SAM_ACCOUNT *account_data) +NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd) { + const char *guest_account = lp_guestaccount(); NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - SAM_ACCOUNT test; - DOM_SID u_sid, g_sid; - struct passwd *pw; - if (!username || !account_data) { + if (!account_data || (!pwd && !(pdb_get_free_rid_base() && lp_idmap_only()))) { return NT_STATUS_INVALID_PARAMETER; } - if (pdb_getsampwnam(&test, username)) { - DEBUG(3, ("pdb_create_new_user_account: User already exist in SAM! 
Aborting...\n")); + /* this is a hack this thing should not be set + this way --SSS */ + if (!(guest_account && *guest_account)) { + DEBUG(1, ("NULL guest account!?!?\n")); return NT_STATUS_UNSUCCESSFUL; + } else { + /* Ensure this *must* be set right */ + if (strcmp(pwd->pw_name, guest_account) == 0) { + if (!pdb_set_user_sid_from_rid(account_data, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) { + return NT_STATUS_UNSUCCESSFUL; + } + if (!pdb_set_group_sid_from_rid(account_data, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) { + return NT_STATUS_UNSUCCESSFUL; + } + return NT_STATUS_OK; + } } - pw = getpwnam_alloc(username); - - if (pdb_get_free_rid_base()) { - unid_t idval; - int idtype; + if (pwd) { + GROUP_MAP map; - if (!pdb_set_username(account_data, username, PDB_CHANGED)) { - goto done; + if (!pdb_set_user_sid_from_rid(account_data, fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) { + DEBUG(0,("Can't set User SID from RID!\n")); + return NT_STATUS_INVALID_PARAMETER; } - - if (lp_idmap_only() || !pw) { - if (pdb_get_init_flags(account_data, PDB_USERSID) == PDB_DEFAULT) { - if (!pdb_get_next_sid(&u_sid)) { - goto done; - } - pdb_set_user_sid(account_data, &u_sid, PDB_SET); - } - /* make a mapping in idmap */ - idtype = ID_USERID; - idmap_get_id_from_sid(&idval, &idtype, &u_sid); - if (pdb_get_init_flags(account_data, PDB_GROUPSID) == PDB_DEFAULT) { - /* set Domain Users by default ! 
*/ - sid_copy(&g_sid, get_global_sam_sid()); - sid_append_rid(&u_sid, DOMAIN_GROUP_RID_USERS); - pdb_set_group_sid(account_data, &g_sid, PDB_SET); - } - /* make a mapping in idmap */ - idtype = ID_GROUPID; - idmap_get_id_from_sid(&idval, &idtype, &g_sid); - } else { - GROUP_MAP map; - - if (!pdb_set_user_sid_from_rid(account_data, fallback_pdb_uid_to_user_rid(pw->pw_uid), PDB_SET)) { - DEBUG(0,("Can't set User SID from RID!\n")); - ret = NT_STATUS_INVALID_PARAMETER; - goto done; + /* call the mapping code here */ + if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) { + if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){ + DEBUG(0,("Can't set Group SID!\n")); + return NT_STATUS_INVALID_PARAMETER; } - - /* call the mapping code here */ - if(pdb_getgrgid(&map, pw->pw_gid, MAPPING_WITHOUT_PRIV)) { - if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){ - DEBUG(0,("Can't set Group SID!\n")); - ret = NT_STATUS_INVALID_PARAMETER; - goto done; - } - } - else { - if (!pdb_set_group_sid_from_rid(account_data, pdb_gid_to_group_rid(pw->pw_gid), PDB_SET)) { - DEBUG(0,("Can't set Group SID\n")); - ret = NT_STATUS_INVALID_PARAMETER; - goto done; - } + } + else { + if (!pdb_set_group_sid_from_rid(account_data, pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) { + DEBUG(0,("Can't set Group SID\n")); + return NT_STATUS_INVALID_PARAMETER; } - } - } else { - if (!pw || NT_STATUS_IS_ERR(pdb_fill_sam_pw(account_data, pw))) { - goto done; } - } + } else { + unid_t idval; + int idtype; - if (pdb_add_sam_account(account_data)) { - ret = NT_STATUS_OK; + /* this is a hack this thing should not be set + here --SSS */ + if (pdb_get_init_flags(account_data, PDB_GROUPSID) == PDB_DEFAULT) { + DOM_SID g_sid; + + /* set Domain Users by default ! 
*/ + sid_copy(&g_sid, get_global_sam_sid()); + sid_append_rid(&g_sid, DOMAIN_GROUP_RID_USERS); + pdb_set_group_sid(account_data, &g_sid, PDB_SET); + } } -done: - passwd_free(&pw); - return ret; + return NT_STATUS_OK; } /****************************************************************** 
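Review bot: `strcmp(pwd->pw_name, guest_account)` in the guest-account branch dereferences pwd before the later `if (pwd)` check, yet the entry guard deliberately admits `pwd == NULL` when `pdb_get_free_rid_base() && lp_idmap_only()` holds and the header comment says "pwd may be null", so that path is a NULL dereference. Guard the comparison: `if (pwd && strcmp(pwd->pw_name, guest_account) == 0) {`. The `else` branch for the NULL-pwd case still declares `unid_t idval; int idtype;` although the idmap calls that used them were dropped, and `ret` is initialised but never read; both can go. On that same branch only the group SID is set here, so presumably the caller is expected to fill in the user SID, which the header comment should state explicitly.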
@@ -957,190 +897,6 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi return True; } -/**************************************************************************** - Convert a uid to SID - locally. -****************************************************************************/ - -DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid) -{ - struct passwd *pass; - SAM_ACCOUNT *sam_user = NULL; - fstring str; /* sid string buffer */ - - sid_copy(psid, get_global_sam_sid()); - - if((pass = getpwuid_alloc(uid))) { - - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) { - passwd_free(&pass); - return NULL; - } - - if (pdb_getsampwnam(sam_user, pass->pw_name)) { - sid_copy(psid, pdb_get_user_sid(sam_user)); - } else { - sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid)); - } - - DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (%s).\n", - (unsigned)uid, sid_to_string( str, psid), - pass->pw_name )); - - passwd_free(&pass); - pdb_free_sam(&sam_user); - - } else { - sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid)); - - DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (unknown user).\n", - (unsigned)uid, sid_to_string( str, psid))); - } - - return psid; -} - -/**************************************************************************** - Convert a SID to uid - locally. 
-****************************************************************************/ - -BOOL local_sid_to_uid(uid_t *puid, const DOM_SID *psid, enum SID_NAME_USE *name_type) -{ - fstring str; - SAM_ACCOUNT *sam_user = NULL; - - *name_type = SID_NAME_UNKNOWN; - - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) - return False; - - if (pdb_getsampwsid(sam_user, psid)) { - - if (!IS_SAM_SET(sam_user,PDB_UID)&&!IS_SAM_CHANGED(sam_user,PDB_UID)) { - pdb_free_sam(&sam_user); - return False; - } - - *puid = pdb_get_uid(sam_user); - - DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_to_string( str, psid), - (unsigned int)*puid, pdb_get_username(sam_user))); - pdb_free_sam(&sam_user); - } else { - - DOM_SID dom_sid; - uint32 rid; - GROUP_MAP map; - - pdb_free_sam(&sam_user); - - if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) { - DEBUG(3, ("local_sid_to_uid: SID '%s' is a group, not a user... \n", sid_to_string(str, psid))); - /* It's a group, not a user... */ - return False; - } - - sid_copy(&dom_sid, psid); - if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) { - DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid))); - return False; - } - - if (!pdb_rid_is_user(rid)) { - DEBUG(3, ("local_sid_to_uid: sid '%s' cannot be mapped to a uid algorithmicly becouse it is a group\n", sid_to_string(str, psid))); - return False; - } - - *puid = fallback_pdb_user_rid_to_uid(rid); - - DEBUG(5,("local_sid_to_uid: SID %s algorithmicly mapped to %ld mapped becouse SID was not found in passdb.\n", - sid_to_string(str, psid), (signed long int)(*puid))); - } - - *name_type = SID_NAME_USER; - - return True; -} - -/**************************************************************************** - Convert a gid to SID - locally. 
-****************************************************************************/ - -DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid) -{ - GROUP_MAP map; - - sid_copy(psid, get_global_sam_sid()); - - if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) { - sid_copy(psid, &map.sid); - } - else { - sid_append_rid(psid, pdb_gid_to_group_rid(gid)); - } - - return psid; -} - -/**************************************************************************** - Convert a SID to gid - locally. -****************************************************************************/ - -BOOL local_sid_to_gid(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE *name_type) -{ - fstring str; - GROUP_MAP map; - - *name_type = SID_NAME_UNKNOWN; - - /* - * We can only convert to a gid if this is our local - * Domain SID (ie. we are the controling authority). - * - * Or in the Builtin SID too. JFM, 11/30/2001 - */ - - if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) { - - /* the SID is in the mapping table but not mapped */ - if (map.gid==(gid_t)-1) - return False; - - *pgid = map.gid; - *name_type = map.sid_name_use; - DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", - sid_to_string( str, psid), - map.nt_name, (unsigned int)*pgid)); - - } else { - uint32 rid; - SAM_ACCOUNT *sam_user = NULL; - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) - return False; - - if (pdb_getsampwsid(sam_user, psid)) { - return False; - pdb_free_sam(&sam_user); - } - - pdb_free_sam(&sam_user); - - if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) { - DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid))); - return False; - } - - if (pdb_rid_is_user(rid)) - return False; - - *pgid = pdb_group_rid_to_gid(rid); - *name_type = SID_NAME_ALIAS; - DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u).\n", sid_to_string( str, psid), - (unsigned int)*pgid)); - } - - return True; -} - /************************************************************* Change a password entry 
in the local smbpasswd file. diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c index 38bb61957c..637f40f8c6 100644 --- a/source3/passdb/pdb_smbpasswd.c +++ b/source3/passdb/pdb_smbpasswd.c @@ -1507,7 +1507,6 @@ static void free_private_data(void **vp) /* No need to free any further, as it is talloc()ed */ } - NTSTATUS pdb_init_smbpasswd(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) { NTSTATUS nt_status; diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c index 41c6bbd429..32ddd189db 100644 --- a/source3/passdb/pdb_tdb.c +++ b/source3/passdb/pdb_tdb.c 
@@ -874,6 +874,49 @@ done: return (ret); } +#if 0 +/*************************************************************************** + Allocates a new RID and returns it to the caller as a domain sid + + NOTE: Use carefullt, do not waste RIDs they are a limited resource! + - SSS + ***************************************************************************/ + +static NTSTATUS tdbsam_get_next_sid (struct pdb_methods *my_methods, DOM_SID *sid) +{ + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data; + TDB_CONTEXT *pwd_tdb; + uint32 rid; + + if (sid == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + pwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0600); + if (!pwd_tdb) + { + DEBUG(0, ("tdbsam_get_next_sid: Unable to open TDB passwd (%s)!\n", tdb_state->tdbsam_location)); + return NT_STATUS_UNSUCCESSFUL; + } + + rid = BASE_RID; + if (tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &rid, 1)) { + + sid_copy(sid, get_global_sam_sid()); + if (!sid_append_rid(sid, rid)) { + goto done; + } + + ret = NT_STATUS_OK; + } + +done: + tdb_close (pwd_tdb); + return ret; +} +#endif + /*************************************************************************** Modifies an existing SAM_ACCOUNT ****************************************************************************/ @@ -946,8 +989,6 @@ NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, con tdb_state->tdbsam_location = talloc_strdup(pdb_context->mem_ctx, tdbfile); } - tdb_state->algorithmic_rids = True; - (*pdb_method)->private_data = tdb_state; (*pdb_method)->free_private_data = free_private_data; @@ -961,6 +1002,8 @@ NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, con tdb_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid); + } else { + tdb_state->algorithmic_rids = True; } return NT_STATUS_OK; |
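Review bot: tdbsam_get_next_sid is added inside `#if 0 … #endif`, so it is never compiled and will silently drift from the surrounding API; prefer dropping it from the tree or saying in its header comment why it is parked and what must happen before it is enabled (the `NOTE: Use carefullt` line should read `carefully`). If it is kept, the `tdb_change_uint32_atomic` failure path returns NT_STATUS_UNSUCCESSFUL without a DEBUG line, unlike the open failure just above it, so a failed RID allocation would leave no trace in the logs.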
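Review bot: In the @@ -946 hunk the unconditional `tdb_state->algorithmic_rids = True;` is removed and in @@ -961 it is re-added only in the new `else` branch, so in the branch that sets `high_nua_rid` the field is no longer written at all. Whether that leaves it False or indeterminate depends on how tdb_state is allocated, which is outside these hunks; if the allocation is not zeroed, this is a read of an uninitialised flag. Either way the intent deserves an explicit `tdb_state->algorithmic_rids = False;` in the `if` branch, or a comment saying why zero-initialisation is relied upon. pdb_init_tdbsam starts outside the hunk.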