summaryrefslogtreecommitdiff
path: root/source3/passdb
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-07-07 05:11:10 +0000
committerGerald Carter <jerry@samba.org>2003-07-07 05:11:10 +0000
commit0b18acb841f6a372b3aa285d4734875e5e35fe3b (patch)
treeadd4afee2b70d87bfd96b7702d9d6a2476ac7e74 /source3/passdb
parentb5cd4a8643169b276a3af8a9272d212d76a54dd3 (diff)
downloadsamba-0b18acb841f6a372b3aa285d4734875e5e35fe3b.tar.gz
samba-0b18acb841f6a372b3aa285d4734875e5e35fe3b.tar.bz2
samba-0b18acb841f6a372b3aa285d4734875e5e35fe3b.zip
and so it begins....
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
Diffstat (limited to 'source3/passdb')
-rw-r--r--source3/passdb/passdb.c202
-rw-r--r--source3/passdb/pdb_ldap.c10
2 files changed, 206 insertions, 6 deletions
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index de919ef6f9..4c50b05107 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -892,10 +892,6 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
/*************************************************************
Change a password entry in the local smbpasswd file.
-
-It is currently being called by SWAT and by smbpasswd.
-
- --jerry
*************************************************************/
BOOL local_password_change(const char *user_name, int local_flags,
@@ -1040,3 +1036,201 @@ BOOL local_password_change(const char *user_name, int local_flags,
pdb_free_sam(&sam_pass);
return True;
}
+
+/****************************************************************************
+ Convert a uid to SID - locally.
+****************************************************************************/
+
+DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
+{
+ SAM_ACCOUNT *sampw = NULL;
+ struct passwd *unix_pw;
+
+
+
+ winbind_off();
+ unix_pw = sys_getpwuid( uid );
+ winbind_on();
+
+ if ( !unix_pw ) {
+ DEBUG(4,("local_uid_to_sid: host has know idea of uid %d\n", uid));
+ return NULL;
+ }
+
+ if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw)) ) {
+ DEBUG(0,("local_uid_to_sid: failed to allocate SAM_ACCOUTN object\n"));
+ return NULL;
+ }
+
+ if ( !pdb_getsampwnam( sampw, unix_pw->pw_name ) ) {
+ DEBUG(4,("local_uid_to_sid: User %s [uid == %d] has no samba account\n",
+ unix_pw->pw_name, uid));
+ return NULL;
+ }
+
+ sid_copy( psid, pdb_get_user_sid(sampw) );
+
+ DEBUG(10,("local_uid_to_sid: uid (%d) -> SID %s (%s).\n",
+ (unsigned int)uid, sid_string_static(psid), unix_pw->pw_name));
+
+ return psid;
+}
+
+/****************************************************************************
+ Convert a SID to uid - locally.
+****************************************************************************/
+
+BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type)
+{
+ DOM_SID dom_sid;
+ uint32 rid;
+ SAM_ACCOUNT *sampw = NULL;
+ struct passwd *unix_pw;
+ const char *user_name;
+
+ *name_type = SID_NAME_UNKNOWN;
+
+ sid_copy(&dom_sid, psid);
+ sid_split_rid(&dom_sid, &rid);
+
+ /*
+ * We can only convert to a uid if this is our local
+ * Domain SID (ie. we are the controling authority).
+ */
+ if ( !sid_equal(get_global_sam_sid(), &dom_sid) )
+ return False;
+
+
+ /* lookup the user account */
+
+ if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw)) ) {
+ DEBUG(0,("local_sid_to_uid: Failed to allocate memory for SAM_ACCOUNT object\n"));
+ return False;
+ }
+
+ if ( !pdb_getsampwsid(sampw, psid) ) {
+ DEBUG(8,("local_sid_to_uid: Could not find SID %s in passdb\n",
+ sid_string_static(psid)));
+ return False;
+ }
+
+ user_name = pdb_get_username(sampw);
+
+ winbind_off();
+ unix_pw = sys_getpwnam( user_name );
+ winbind_on();
+
+ if ( !unix_pw ) {
+ DEBUG(0,("local_sid_to_uid: %s found in passdb but getpwnam() return NULL!\n",
+ user_name));
+ pdb_free_sam( &sampw );
+ return False;
+ }
+
+ *puid = unix_pw->pw_uid;
+
+ DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_string_static(psid),
+ (unsigned int)*puid, user_name ));
+
+ *name_type = SID_NAME_USER;
+
+ return True;
+}
+
+/****************************************************************************
+ Convert a gid to SID - locally.
+****************************************************************************/
+
+DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
+{
+ GROUP_MAP group;
+
+ /* we don't need to disable winbindd since the gid is stored in
+ the GROUP_MAP object */
+
+ if ( !pdb_getgrgid( &group, gid ) ) {
+
+ /* fallback to rid mapping if enabled */
+
+ if ( lp_enable_rid_algorithm() ) {
+ sid_copy(psid, get_global_sam_sid());
+ sid_append_rid(psid, pdb_gid_to_group_rid(gid));
+
+ DEBUG(10,("local_gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n",
+ (unsigned int)gid, sid_string_static(psid)));
+
+ return psid;
+ }
+ else
+ return NULL;
+ }
+
+ sid_copy( psid, &group.sid );
+
+ DEBUG(10,("local_gid_to_sid: gid (%d) -> SID %s.\n",
+ (unsigned int)gid, sid_string_static(psid)));
+
+ return psid;
+}
+
+/****************************************************************************
+ Convert a SID to gid - locally.
+****************************************************************************/
+
+BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
+{
+ DOM_SID dom_sid;
+ uint32 rid;
+ GROUP_MAP group;
+
+ *name_type = SID_NAME_UNKNOWN;
+
+ /* This call can enumerate grou mappings for foreign sids as well.
+ So don't check for a match against our domain SID */
+
+ /* we don't need to disable winbindd since the gid is stored in
+ the GROUP_MAP object */
+
+ if ( !pdb_getgrsid(&group, *psid) ) {
+
+ /* fallback to rid mapping if enabled */
+
+ if ( lp_enable_rid_algorithm() ) {
+ sid_copy(&dom_sid, psid);
+ sid_split_rid(&dom_sid, &rid);
+
+ if (!sid_equal(get_global_sam_sid(), &dom_sid) ) {
+ DEBUG(5,("local_sid_to_gid: RID algorithm only supported for our domain (not %s)\n",
+ sid_string_static(&dom_sid)));
+ return False;
+ }
+
+ if (!sid_peek_rid(psid, &rid)) {
+ DEBUG(10,("local_sid_to_uid: invalid SID!\n"));
+ return False;
+ }
+
+ DEBUG(10,("local_sid_to_gid: Fall back to algorithmic mapping\n"));
+
+ if (fallback_pdb_rid_is_user(rid)) {
+ DEBUG(3, ("local_sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(psid)));
+ return False;
+ } else {
+ *pgid = pdb_group_rid_to_gid(rid);
+ DEBUG(10,("local_sid_to_gid: mapping: %s -> %u\n", sid_string_static(psid), (unsigned int)(*pgid)));
+ return True;
+ }
+ }
+
+ return False;
+ }
+
+ *pgid = group.gid;
+
+ DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u)\n", sid_string_static(psid),
+ (unsigned int)*pgid));
+
+ return True;
+}
+
+
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 698365f42c..886fd809f3 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -2217,7 +2217,7 @@ static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
if (count < 1) {
- DEBUG(4, ("Did not find group for filter %s\n", filter));
+ DEBUG(4, ("Did not find group\n"));
return NT_STATUS_NO_SUCH_GROUP;
}
@@ -2327,6 +2327,7 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
(struct ldapsam_privates *)methods->private_data;
LDAPMessage *result = NULL;
LDAPMod **mods = NULL;
+ int count;
char *tmp;
pstring dn;
@@ -2347,7 +2348,12 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
return NT_STATUS_UNSUCCESSFUL;
}
- if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 1) {
+ count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
+
+ if ( count == 0 )
+ return NT_STATUS_UNSUCCESSFUL;
+
+ if (count > 1) {
DEBUG(2, ("Group %i must exist exactly once in LDAP\n",
map->gid));
ldap_msgfree(result);