diff options
author | Andrew Bartlett <abartlet@samba.org> | 2002-04-13 09:35:52 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2002-04-13 09:35:52 +0000 |
commit | 163a855d26106ac9c6eaf945a31a6495204de990 (patch) | |
tree | 508aa6282dac19468cd16635758e82ee98b32810 /source3 | |
parent | cc60b069836cbc355e828675e6f089b6ef22b32e (diff) | |
download | samba-163a855d26106ac9c6eaf945a31a6495204de990.tar.gz samba-163a855d26106ac9c6eaf945a31a6495204de990.tar.bz2 samba-163a855d26106ac9c6eaf945a31a6495204de990.zip |
Better handling of uid/gid -> RID and RID -> uid/gid code.
All uids and gids must create valid RIDs, becouse other code expects this, and
can't handle the failure case. (ACL code in particular)
Allow admins to adjust the base of the RID algorithm, so avoid clashes with
users brought in from NT (for example).
Put all the algorithm code back in one place, so that this change is global.
Better coping with NULL sid pointers - but it still breaks a lot of stuff.
BONUS: manpage entry for new paramater :-)
counter based rids for normal users in tdbsam is disabled for the timebeing,
idra and I will work out some things here soon I hope.
Andrew Bartlett
(This used to be commit 5275c94cdf0c64f347d4282f47088d084b1a7ea5)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/lib/util_sid.c | 17 | ||||
-rw-r--r-- | source3/param/loadparm.c | 5 | ||||
-rw-r--r-- | source3/passdb/passdb.c | 44 | ||||
-rw-r--r-- | source3/passdb/pdb_interface.c | 2 | ||||
-rw-r--r-- | source3/passdb/pdb_ldap.c | 26 | ||||
-rw-r--r-- | source3/passdb/pdb_smbpasswd.c | 28 | ||||
-rw-r--r-- | source3/passdb/pdb_tdb.c | 45 | ||||
-rw-r--r-- | source3/smbd/uid.c | 5 |
8 files changed, 87 insertions, 85 deletions
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index cd7b64bb70..100324a047 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -197,7 +197,7 @@ void generate_wellknown_sids(void) Turns a domain SID into a name, returned in the nt_domain argument. ***************************************************************************/ -BOOL map_domain_sid_to_name(DOM_SID *sid, char *nt_domain) +BOOL map_domain_sid_to_name(DOM_SID *sid, fstring nt_domain) { fstring sid_str; int i = 0; @@ -344,11 +344,18 @@ char *sid_to_string(fstring sidstr_out, DOM_SID *sid) { char subauth[16]; int i; + uint32 ia; + + if (!sid) { + fstrcpy(sidstr_out, "(NULL SID)"); + return sidstr_out; + } + /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ - uint32 ia = (sid->id_auth[5]) + - (sid->id_auth[4] << 8 ) + - (sid->id_auth[3] << 16) + - (sid->id_auth[2] << 24); + ia = (sid->id_auth[5]) + + (sid->id_auth[4] << 8 ) + + (sid->id_auth[3] << 16) + + (sid->id_auth[2] << 24); slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 462464d68f..39e7ce6e4f 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -151,6 +151,7 @@ typedef struct char *szWinbindUID; char *szWinbindGID; char *szNonUnixAccountRange; + BOOL bAlgorithmicRidBase; char *szTemplateHomedir; char *szTemplateShell; char *szWinbindSeparator; @@ -725,6 +726,7 @@ static struct parm_struct parm_table[] = { {"private dir", P_STRING, P_GLOBAL, &Globals.szPrivateDir, NULL, NULL, 0}, {"passdb backend", P_STRING, P_GLOBAL, &Globals.szPassdbBackend, NULL, NULL, 0}, {"non unix account range", P_STRING, P_GLOBAL, &Globals.szNonUnixAccountRange, handle_non_unix_account_range, NULL, 0}, + {"algorithmic rid base", P_INTEGER, P_GLOBAL, &Globals.bAlgorithmicRidBase, NULL, NULL, 0}, {"root directory", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, 0}, {"root dir", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, 0}, {"root", P_STRING, P_GLOBAL, &Globals.szRootdir, NULL, NULL, 0}, @@ -1277,6 +1279,8 @@ static void init_globals(void) string_set(&Globals.szNameResolveOrder, "lmhosts wins host bcast"); string_set(&Globals.szPasswordServer, "*"); + Globals.bAlgorithmicRidBase = BASE_RID; + Globals.bLoadPrinters = True; Globals.max_packet = 65535; Globals.mangled_stack = 50; @@ -1796,6 +1800,7 @@ FN_LOCAL_INTEGER(lp_write_cache_size, iWriteCacheSize) FN_LOCAL_CHAR(lp_magicchar, magic_char) FN_GLOBAL_INTEGER(lp_winbind_cache_time, &Globals.winbind_cache_time) FN_GLOBAL_BOOL(lp_hide_local_users, &Globals.bHideLocalUsers) +FN_GLOBAL_BOOL(lp_algorithmic_rid_base, &Globals.bAlgorithmicRidBase) /* local prototypes */ diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 17aefe1159..d34866fa63 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -436,9 +436,10 @@ BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid) Converts NT user RID to a UNIX uid. ********************************************************************/ -static uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid) +uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid) { - return (uid_t)(((user_rid & (~USER_RID_TYPE))- 1000)/RID_MULTIPLIER); + int rid_offset = lp_algorithmic_rid_base(); + return (uid_t)(((user_rid & (~USER_RID_TYPE))- rid_offset)/RID_MULTIPLIER); } @@ -446,9 +447,10 @@ static uid_t fallback_pdb_user_rid_to_uid(uint32 user_rid) converts UNIX uid to an NT User RID. ********************************************************************/ -static uint32 fallback_pdb_uid_to_user_rid(uid_t uid) +uint32 fallback_pdb_uid_to_user_rid(uid_t uid) { - return (((((uint32)uid)*RID_MULTIPLIER) + 1000) | USER_RID_TYPE); + int rid_offset = lp_algorithmic_rid_base(); + return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE); } /******************************************************************* @@ -457,7 +459,8 @@ static uint32 fallback_pdb_uid_to_user_rid(uid_t uid) gid_t pdb_group_rid_to_gid(uint32 group_rid) { - return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- 1000)/RID_MULTIPLIER); + int rid_offset = lp_algorithmic_rid_base(); + return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER); } /******************************************************************* @@ -470,7 +473,8 @@ gid_t pdb_group_rid_to_gid(uint32 group_rid) uint32 pdb_gid_to_group_rid(gid_t gid) { - return (((((uint32)gid)*RID_MULTIPLIER) + 1000) | GROUP_RID_TYPE); + int rid_offset = lp_algorithmic_rid_base(); + return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE); } /******************************************************************* @@ -479,7 +483,10 @@ uint32 pdb_gid_to_group_rid(gid_t gid) static BOOL pdb_rid_is_well_known(uint32 rid) { - return (rid < 1000); + /* Not using rid_offset here, becouse this is the actual + NT fixed value (1000) */ + + return (rid < BASE_RID); } /******************************************************************* @@ -817,13 +824,14 @@ BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type) DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_to_string( str, psid), (unsigned int)*puid, pdb_get_username(sam_user))); } else { - if (pdb_rid_is_user(rid)) { + if ((pdb_rid_is_user(rid))) { *puid = fallback_pdb_user_rid_to_uid(rid); DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (non-passdb user).\n", sid_to_string( str, psid), (unsigned int)*puid)); } else { + DEBUG(5,("local_sid_to_uid: SID %s not mapped becouse RID isn't a user.\n", sid_to_string( str, psid))); pdb_free_sam(&sam_user); - return False; + return False; } } pdb_free_sam(&sam_user); @@ -846,7 +854,7 @@ DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid) if (get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) { sid_copy(psid, &map.sid); - } + } else { sid_append_rid(psid, pdb_gid_to_group_rid(gid)); } @@ -864,7 +872,6 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type) DOM_SID dom_sid; uint32 rid; fstring str; - struct group *grp; GROUP_MAP map; *name_type = SID_NAME_UNKNOWN; @@ -891,24 +898,19 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type) sid_peek_rid(&map.sid, &rid); *pgid = map.gid; *name_type = map.sid_name_use; + DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", sid_to_string( str, psid), + map.nt_name, (unsigned int)*pgid)); + } else { if (pdb_rid_is_user(rid)) return False; *pgid = pdb_group_rid_to_gid(rid); *name_type = SID_NAME_ALIAS; + DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u).\n", sid_to_string( str, psid), + (unsigned int)*pgid)); } - /* - * Ensure this gid really does exist. - */ - - if(!(grp = getgrgid(*pgid))) - return False; - - DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u) (%s).\n", sid_to_string( str, psid), - (unsigned int)*pgid, grp->gr_name )); - return True; } diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index e454bf3c25..a19bf254e7 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -240,7 +240,7 @@ static NTSTATUS make_pdb_methods_name(struct pdb_methods **methods, struct pdb_c { DEBUG(5,("Found pdb backend %s (at pos %d)\n", module_name, i)); if (NT_STATUS_IS_OK(nt_status - = builtin_pdb_init_functions[i].init(context, methods, module_location))) { + = builtin_pdb_init_functions[i].init(context, methods, module_location))) { DEBUG(5,("pdb backend %s has a valid init\n", selected)); } else { DEBUG(0,("pdb backend %s did not correctly init (error was %s)\n", selected, nt_errstr(nt_status))); diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index dc6b9f97ff..d0280269aa 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -72,24 +72,6 @@ struct ldapsam_privates { static uint32 ldapsam_get_next_available_nua_rid(struct ldapsam_privates *ldap_state); /******************************************************************* - Converts NT user RID to a UNIX uid. - ********************************************************************/ - -static uid_t pdb_user_rid_to_uid(uint32 user_rid) -{ - return (uid_t)(((user_rid & (~USER_RID_TYPE))- 1000)/RID_MULTIPLIER); -} - -/******************************************************************* - converts UNIX uid to an NT User RID. - ********************************************************************/ - -static uint32 pdb_uid_to_user_rid(uid_t uid) -{ - return (((((uint32)uid)*RID_MULTIPLIER) + 1000) | USER_RID_TYPE); -} - -/******************************************************************* find the ldap password ******************************************************************/ static BOOL fetch_ldapsam_pw(char *dn, char* pw, int len) @@ -347,7 +329,7 @@ static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state, if (rc != LDAP_SUCCESS) rc = ldapsam_search_one_user_by_uid(ldap_state, ldap_struct, - pdb_user_rid_to_uid(rid), + fallback_user_rid_to_uid(rid), result); return rc; @@ -754,7 +736,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, if ( pdb_get_user_rid(sampass) ) { rid = pdb_get_user_rid(sampass); } else if (IS_SAM_SET(sampass, FLAG_SAM_UID)) { - rid = pdb_uid_to_user_rid(pdb_get_uid(sampass)); + rid = fallback_uid_to_user_rid(pdb_get_uid(sampass)); } else if (ldap_state->permit_non_unix_accounts) { rid = ldapsam_get_next_available_nua_rid(ldap_state); if (rid == 0) { @@ -1511,9 +1493,9 @@ NTSTATUS pdb_init_ldapsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method return NT_STATUS_UNSUCCESSFUL; } - ldap_state->low_nua_rid=pdb_uid_to_user_rid(low_nua_uid); + ldap_state->low_nua_rid=fallback_uid_to_user_rid(low_nua_uid); - ldap_state->high_nua_rid=pdb_uid_to_user_rid(high_nua_uid); + ldap_state->high_nua_rid=fallback_uid_to_user_rid(high_nua_uid); return NT_STATUS_OK; } diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c index 18c949c592..9f37cadfe8 100644 --- a/source3/passdb/pdb_smbpasswd.c +++ b/source3/passdb/pdb_smbpasswd.c @@ -69,24 +69,6 @@ struct smbpasswd_privates enum pwf_access_type { PWF_READ, PWF_UPDATE, PWF_CREATE }; -/******************************************************************* - Converts NT user RID to a UNIX uid. - ********************************************************************/ - -static uid_t pdb_user_rid_to_uid(uint32 user_rid) -{ - return (uid_t)(((user_rid & (~USER_RID_TYPE))- 1000)/RID_MULTIPLIER); -} - -/******************************************************************* - converts UNIX uid to an NT User RID. - ********************************************************************/ - -static uint32 pdb_uid_to_user_rid(uid_t uid) -{ - return (((((uint32)uid)*RID_MULTIPLIER) + 1000) | USER_RID_TYPE); -} - /*************************************************************** Lock an fd. Abandon after waitsecs seconds. ****************************************************************/ @@ -1195,7 +1177,7 @@ static BOOL build_smb_pass (struct smb_passwd *smb_pw, const SAM_ACCOUNT *sampas uid = pdb_get_uid(sampass); /* If the user specified a RID, make sure its able to be both stored and retreived */ - if (rid && uid != pdb_user_rid_to_uid(rid)) { + if (rid && uid != fallback_pdb_user_rid_to_uid(rid)) { DEBUG(0,("build_sam_pass: Failing attempt to store user with non-uid based user RID. \n")); return False; } @@ -1249,7 +1231,7 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state, SAM_AC && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid) && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) { - pdb_set_user_rid(sam_pass, pdb_uid_to_user_rid (pw_buf->smb_userid)); + pdb_set_user_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid)); /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. @@ -1269,7 +1251,7 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state, SAM_AC --jerry */ pwfile = getpwnam_alloc(pw_buf->smb_name); if (pwfile == NULL) { - DEBUG(0,("build_sam_account: smbpasswd database is corrupt! username %s not in unix passwd database!\n", pw_buf->smb_name)); + DEBUG(0,("build_sam_account: smbpasswd database is corrupt! username %s with uid %u is not in unix passwd database!\n", pw_buf->smb_name, pw_buf->smb_userid)); return False; } @@ -1278,7 +1260,7 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state, SAM_AC pdb_set_fullname(sam_pass, pwfile->pw_gecos); - pdb_set_user_rid(sam_pass, pdb_uid_to_user_rid (pwfile->pw_uid)); + pdb_set_user_rid(sam_pass, fallback_pdb_uid_to_user_rid (pwfile->pw_uid)); if (get_group_map_from_gid(pwfile->pw_gid, &map, MAPPING_WITHOUT_PRIV)) { sid_peek_rid(&map.sid, &grid); @@ -1505,7 +1487,7 @@ static BOOL smbpasswd_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT *s return False; } - while ( ((smb_pw=getsmbfilepwent(smbpasswd_state, fp)) != NULL) && (pdb_uid_to_user_rid(smb_pw->smb_userid) != rid) ) + while ( ((smb_pw=getsmbfilepwent(smbpasswd_state, fp)) != NULL) && (fallback_pdb_uid_to_user_rid(smb_pw->smb_userid) != rid) ) /* do nothing */ ; endsmbfilepwent(fp, &(smbpasswd_state->pw_file_lock_depth)); diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c index 7092caa15e..3a9bc894bb 100644 --- a/source3/passdb/pdb_tdb.c +++ b/source3/passdb/pdb_tdb.c @@ -41,8 +41,10 @@ struct tdbsam_privates { BOOL permit_non_unix_accounts; -/* uint32 low_nua_rid; - uint32 high_nua_rid; */ + BOOL algorithmic_rids; + + uint32 low_nua_rid; + uint32 high_nua_rid; }; /********************************************************************** @@ -717,7 +719,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, const SAM_ACCOUNT* ne fstring name; BOOL ret = True; uint32 user_rid; - int32 tdb_ret; + BOOL tdb_ret; /* invalidate the existing TDB iterator if it is open */ if (tdb_state->passwd_tdb) { @@ -736,13 +738,32 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, const SAM_ACCOUNT* ne /* if flag == TDB_INSERT then make up a new RID else throw an error. */ if (!(user_rid = pdb_get_user_rid(newpwd))) { if (flag & TDB_INSERT) { - user_rid = BASE_RID; - tdb_ret = tdb_change_int32_atomic(pwd_tdb, "RID_COUNTER", &user_rid, RID_MULTIPLIER); - if (tdb_ret == -1) { - ret = False; - goto done; + if (IS_SAM_UNIX_USER(newpwd)) { + if (tdb_state->algorithmic_rids) { + user_rid = fallback_pdb_uid_to_user_rid(pdb_get_uid(newpwd)); + } else { + user_rid = BASE_RID; + tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &user_rid, RID_MULTIPLIER); + if (!tdb_ret) { + ret = False; + goto done; + } + } + pdb_set_user_rid(newpwd, user_rid); + } else { + user_rid = tdb_state->low_nua_rid; + tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "NUA_RID_COUNTER", &user_rid, RID_MULTIPLIER); + if (!tdb_ret) { + ret = False; + goto done; + } + if (user_rid > tdb_state->high_nua_rid) { + DEBUG(0, ("tdbsam: no NUA rids available, cannot add user %s!\n", pdb_get_username(newpwd))); + ret = False; + goto done; + } + pdb_set_user_rid(newpwd, user_rid); } - pdb_set_user_rid(newpwd, user_rid); } else { DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd))); ret = False; @@ -884,6 +905,8 @@ NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, con tdb_state->tdbsam_location = talloc_strdup(pdb_context->mem_ctx, tdbfile); } + tdb_state->algorithmic_rids = True; + (*pdb_method)->private_data = tdb_state; (*pdb_method)->free_private_data = free_private_data; @@ -912,10 +935,10 @@ NTSTATUS pdb_init_tdbsam_nua(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, return NT_STATUS_UNSUCCESSFUL; } -/* tdb_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid); + tdb_state->low_nua_rid=fallback_pdb_uid_to_user_rid(low_nua_uid); tdb_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid); -*/ + return NT_STATUS_OK; } diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index ac0b535c13..8b0ffbd73f 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -521,7 +521,7 @@ BOOL lookup_sid(DOM_SID *sid, fstring dom_name, fstring name, enum SID_NAME_USE sid_copy(&tmp_sid, sid); sid_split_rid(&tmp_sid, &rid); return map_domain_sid_to_name(&tmp_sid, dom_name) && - lookup_known_rid(&tmp_sid, rid, name, name_type); + lookup_known_rid(&tmp_sid, rid, name, name_type); } return True; } @@ -578,7 +578,8 @@ DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid) } } - local_gid_to_sid(psid, gid); + /* Make sure we report failure, (when psid == NULL) */ + psid = local_gid_to_sid(psid, gid); DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid, sid_to_string(sid, psid))); |