diff options
author | Günther Deschner <gd@samba.org> | 2004-10-23 13:23:54 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:53:02 -0500 |
commit | 94bfc6ff0fdeef9afb4de703e5da802db497f75f (patch) | |
tree | 681dcc03aa0139f0e7b81dd6957668b507672c8d /source3 | |
parent | 98ed2ecc1c585f1ebe8bef54faf07486ccc8306e (diff) | |
download | samba-94bfc6ff0fdeef9afb4de703e5da802db497f75f.tar.gz samba-94bfc6ff0fdeef9afb4de703e5da802db497f75f.tar.bz2 samba-94bfc6ff0fdeef9afb4de703e5da802db497f75f.zip |
r3145: Add experimental idmap_rid-Plugin.
Written by Sumit Bose <sbose@suse.de> and myself a while ago.
idmap_rid does a direct, static mapping between RIDs and UIDs/GIDs using
the idmap-range as offset. It does thus allow to have a unified mapping
over several winbindd-systems without having the need of a central
LDAP-Server (and all related dependencies and problems this solution can
bring).
Compile:
./configure --with-shared-modules=idmap_rid
Usage:
idmap backend = idmap_rid
idmp_rid does even allow you to have multiple mappings (for trusted
domains). This is a rather problemtic feature and will be turned off by
default rather soon. The problem is that ranges can quickly overlap when
not measured with caution.
idmap backend = idmap_rid:"MYDOMAIN=1000-9999 OTHER=10000-19999"
Will valgrind idmap_rid later today and fix a couple of things.
Guenther
(This used to be commit 49a238bd37105bf1a33d4a230ca594c4cf304dd3)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/Makefile.in | 5 | ||||
-rw-r--r-- | source3/configure.in | 1 | ||||
-rw-r--r-- | source3/sam/idmap_rid.c | 513 |
3 files changed, 519 insertions, 0 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index b6fe22b593..3a32bab1ba 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -1137,6 +1137,11 @@ bin/smbpasswd.@SHLIBEXT@: passdb/pdb_smbpasswd.@PICSUFFIX@ @$(SHLD) $(LDSHFLAGS) -o $@ passdb/pdb_smbpasswd.@PICSUFFIX@ \ @SONAMEFLAG@`basename $@` +bin/idmap_rid.@SHLIBEXT@: sam/idmap_rid.@PICSUFFIX@ + @echo "Building plugin $@" + @$(SHLD) $(LDSHFLAGS) -o $@ sam/idmap_rid.@PICSUFFIX@ \ + @SONAMEFLAG@`basename $@` + bin/weird.@SHLIBEXT@: $(DEVEL_HELP_WEIRD_OBJ:.o=.@PICSUFFIX@) @echo "Building plugin $@" @$(SHLD) $(LDSHFLAGS) -o $@ $(DEVEL_HELP_WEIRD_OBJ:.o=.@PICSUFFIX@) \ diff --git a/source3/configure.in b/source3/configure.in index 6a36fbcdea..df78765559 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -4457,6 +4457,7 @@ SMB_SUBSYSTEM(RPC,smbd/server.o) SMB_MODULE(idmap_ldap, sam/idmap_ldap.o, "bin/idmap_ldap.$SHLIBEXT", IDMAP) SMB_MODULE(idmap_tdb, sam/idmap_tdb.o, "bin/idmap_tdb.$SHLIBEXT", IDMAP) +SMB_MODULE(idmap_rid, sam/idmap_rid.o, "bin/idmap_rid.$SHLIBEXT", IDMAP) SMB_SUBSYSTEM(IDMAP,sam/idmap.o) SMB_MODULE(charset_weird, modules/weird.o, "bin/weird.$SHLIBEXT", CHARSET) diff --git a/source3/sam/idmap_rid.c b/source3/sam/idmap_rid.c new file mode 100644 index 0000000000..0a81475378 --- /dev/null +++ b/source3/sam/idmap_rid.c @@ -0,0 +1,513 @@ +/* + * idmap_rid: static map between Active Directory/NT RIDs and RFC 2307 accounts + * Copyright (C) Guenther Deschner, 2004 + * Copyright (C) Sumit Bose, 2004 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * TODO: + * - use str_list_copy to work on a either space or comma-separated list + * - assure somehow that we cannot swap uids/gids (difficult without any + * knowledge about the sid-type) + * - fix memory allocation + * - further cleanup + * - add spnego-login + */ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_IDMAP + +NTSTATUS init_module(void); + +struct dom_entry { + char *name; + char *sid; + int min_id; + int max_id; +}; + +typedef struct trust_dom_array { + int number; + struct dom_entry *dom; +} trust_dom_array; + +static trust_dom_array trust; + +static NTSTATUS rid_idmap_parse(char *init_param, + uint32 num_domains, + char **domain_names, + DOM_SID *domain_sids, + uid_t u_low, + uid_t u_high) +{ + char *p, *e; + int i; + trust.number = 0; + trust.dom = NULL; + fstring sid_str; + BOOL known_domain = False; + p = init_param; + + /* init sizes */ + trust.dom = (struct dom_entry *) malloc(sizeof(struct dom_entry)); + if (trust.dom == NULL) + return NT_STATUS_NO_MEMORY; + + trust.dom[0].sid = (char *) malloc(strlen(sid_str)); + if (trust.dom[0].sid == NULL) + return NT_STATUS_NO_MEMORY; + + trust.dom[0].name = (char *) malloc(strlen(p)); + if (trust.dom[0].name == NULL) + return NT_STATUS_NO_MEMORY; + + /* falling back to automatic mapping when there were no options given */ + if (!*init_param) { + + DEBUG(3,("rid_idmap_parse: no domain list given, falling back to automatic mapping for own domain:\n")); + + sid_to_string(sid_str, &domain_sids[num_domains-1]); + trust.dom[0].name = domain_names[num_domains-1]; + trust.dom[0].sid = strdup(sid_str); + trust.dom[0].min_id = u_low; + trust.dom[0].max_id = u_high; + trust.number = 1; + DEBUGADD(3,("rid_idmap_parse:\tdomain: [%s], sid: [%s], range=[%d-%d]\n", + trust.dom[0].name, trust.dom[0].sid, trust.dom[0].min_id, trust.dom[0].max_id)); + return NT_STATUS_OK; + } + + /* scan through the init_param-list */ + for(;;) { + + DEBUG(3,("rid_idmap_parse: parsing entry: %d\n", trust.number)); + + /* reinit sizes */ + trust.dom = (struct dom_entry *) realloc(trust.dom,sizeof(struct dom_entry)*(trust.number+1)); + if ( trust.dom == NULL ) + return NT_STATUS_NO_MEMORY; + + trust.dom[trust.number].sid = (char *) malloc(strlen(p)); + trust.dom[trust.number].name = (char *) malloc(strlen(p)); + if (trust.dom[trust.number].sid == NULL || trust.dom[trust.number].name == NULL) + return NT_STATUS_NO_MEMORY; + + + if ( (e = strchr(p,'=')) == NULL ) { + DEBUG(0, ("rid_idmap_parse: no '=' sign found in domain list [%s]\n", init_param)); + return NT_STATUS_INVALID_PARAMETER; + } + *e = '\0'; + + /* add the name */ + i=0; + do { + if ( *p != ' ' && *p != '\t' ) { + trust.dom[trust.number].name[i++] = *p; + } + p++; + } while(*p); + + trust.dom[trust.number].name[i++] = '\0'; + DEBUGADD(3,("rid_idmap_parse:\tentry %d has name: [%s]\n", trust.number, trust.dom[trust.number].name)); + + /* add the domain-sid */ + for (i=0; i<num_domains; i++) { + known_domain = False; + if (strequal(domain_names[i],trust.dom[trust.number].name)) { + sid_to_string(sid_str, &domain_sids[i]); + trust.dom[trust.number].sid = strdup(sid_str); + DEBUGADD(3,("rid_idmap_parse:\tentry %d has sid: [%s]\n", trust.number, trust.dom[trust.number].sid)); + known_domain = True; + } + } + + if (!known_domain) { + DEBUG(0,("rid_idmap_parse: your DC does not know anything about: [%s]\n", trust.dom[trust.number].name)); + return NT_STATUS_INVALID_PARAMETER; + } + + p = e + 1; + if ( (e = strchr(p,'-')) == NULL ) + return NT_STATUS_INVALID_PARAMETER; + + *e = '\0'; + + /* add min_id */ + trust.dom[trust.number].min_id = atoi(p); + DEBUGADD(3,("rid_idmap_parse:\tentry %d has min_id: [%d]\n", trust.number, trust.dom[trust.number].min_id)); + p = e + 1; + + /* add max_id */ + trust.dom[trust.number].max_id = atoi(p); + DEBUGADD(3,("rid_idmap_parse:\tentry %d has max_id: [%d]\n", trust.number, trust.dom[trust.number].max_id)); + trust.number++; + + if ( (e = strchr(p,',')) == NULL ) { + break; + } else { + *e = '\0'; + p = e + 1; + } + + } + return NT_STATUS_OK; + +} + +static NTSTATUS rid_idmap_get_domains(uint32 *num_domains, char ***domain_names, DOM_SID **domain_sids) +{ + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + struct cli_state *cli; + TALLOC_CTX *mem_ctx; + POLICY_HND pol; + uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED; + uint32 enum_ctx = 0; + fstring dc_name; + struct in_addr dc_ip; + + char *password = NULL; + char *username = NULL; + char *domain = NULL; + uint32 info_class = 5; + char *domain_name = NULL; + DOM_SID *domain_sid; + fstring sid_str; + int i; + uint32 trusted_num_domains = 0; + char **trusted_domain_names; + DOM_SID *trusted_domain_sids; + + /* create mem_ctx */ + if (!(mem_ctx = talloc_init("rid_idmap_get_trusted_domains"))) { + DEBUG(0, ("rid_idmap_get_domains: talloc_init() failed\n")); + return NT_STATUS_NO_MEMORY; + } + + if (!get_dc_name(lp_workgroup(), 0, dc_name, &dc_ip)) { + DEBUG(1, ("rid_idmap_get_domains: could not get dc-name\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + /* open a connection to the dc */ + username = secrets_fetch(SECRETS_AUTH_USER, NULL); + password = secrets_fetch(SECRETS_AUTH_PASSWORD, NULL); + domain = secrets_fetch(SECRETS_AUTH_DOMAIN, NULL); + + if (username) { + + if (!domain) + domain = smb_xstrdup(lp_workgroup()); + + if (!password) + password = smb_xstrdup(""); + + DEBUG(3, ("rid_idmap_get_domains: IPC$ connections done by user %s\\%s\n", domain, username)); + + } else { + + DEBUG(3, ("rid_idmap_get_domains: IPC$ connections done anonymously\n")); + username = smb_xstrdup(""); + domain = smb_xstrdup(""); + password = smb_xstrdup(""); + } + + DEBUG(10, ("rid_idmap_get_domains: opening connection to [%s]\n", dc_name)); + status = cli_full_connection(&cli, global_myname(), dc_name, + NULL, 0, + "IPC$", "IPC", + username, + lp_workgroup(), + password, + CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, True, NULL); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("rid_idmap_get_domains: could not setup connection to dc\n")); + return status; + } + + /* query the lsa-pipe */ + if (!cli_nt_session_open (cli, PI_LSARPC)) { + DEBUG(1, ("rid_idmap_get_domains: could not setup connection to dc\n")); + goto out; + } + + /* query policies */ + status = cli_lsa_open_policy(cli, mem_ctx, False, des_access, &pol); + if (!NT_STATUS_IS_OK(status)) { + goto out; + } + status = cli_lsa_query_info_policy(cli, mem_ctx, &pol, info_class, &domain_name, &domain_sid); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("rid_idmap_get_domains: cannot retrieve domain-info\n")); + goto out; + } + + sid_to_string(sid_str, domain_sid); + DEBUG(10,("rid_idmap_get_domains: my domain: [%s], sid: [%s]\n", domain_name, sid_str)); + + /* scan trusted domains */ + DEBUG(10, ("rid_idmap_get_domains: enumerating trusted domains\n")); + status = cli_lsa_enum_trust_dom(cli, mem_ctx, &pol, &enum_ctx, + &trusted_num_domains, + &trusted_domain_names, + &trusted_domain_sids); + + if (!NT_STATUS_IS_OK(status) && + !NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES) && + !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { + DEBUG(1, ("rid_idmap_get_domains: could not enumerate trusted domains\n")); + goto out; + } + + /* show trusted domains */ + DEBUG(10,("rid_idmap_get_domains: scan for domains gave %d results:\n", trusted_num_domains)); + for (i=0;i<trusted_num_domains;i++) { + sid_to_string(sid_str, &trusted_domain_sids[i]); + DEBUGADD(10,("rid_idmap_get_domains:\t#%d\tDOMAIN: [%s], SID: [%s]\n", + i, trusted_domain_names[i], sid_str)); + } + + /* put the results together */ + *num_domains = trusted_num_domains + 1; + *domain_names = (char **) malloc(sizeof(char *) * *num_domains); + *domain_sids = (DOM_SID *) malloc(sizeof(DOM_SID) * *num_domains); + + /* first add myself at the end*/ + (*domain_names)[*num_domains-1] = strdup(domain_name); + sid_copy(&(*domain_sids)[*num_domains-1], domain_sid); + + /* add trusted domains */ + for (i=0;i<trusted_num_domains;i++) { + (*domain_names)[i] = strdup(trusted_domain_names[i]); + sid_copy(&((*domain_sids)[i]), &(trusted_domain_sids[i])); + } + + /* show complete domain list */ + DEBUG(5,("rid_idmap_get_domains: complete domain-list has %d entries:\n", *num_domains)); + for (i=0;i<*num_domains;i++) { + sid_to_string(sid_str, &((*domain_sids)[i])); + DEBUGADD(5,("rid_idmap_get_domains:\t#%d\tdomain: [%s], sid: [%s]\n", + i, (*domain_names)[i], sid_str )); + } + + status = NT_STATUS_OK; + +out: + cli_lsa_close(cli, mem_ctx, &pol); + cli_nt_session_close(cli); + talloc_destroy(mem_ctx); + cli_shutdown(cli); + return status; +} + +static NTSTATUS rid_idmap_init(char *init_param) +{ + int i, j; + uid_t u_low, u_high; + gid_t g_low, g_high; + uint32 num_domains = 0; + char **domain_names; + DOM_SID *domain_sids; + NTSTATUS nt_status; + + /* basic sanity checks */ + if (!lp_idmap_uid(&u_low, &u_high) || !lp_idmap_gid(&g_low, &g_high)) { + DEBUG(0, ("rid_idmap_init: cannot get global idmap-ranges.\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + if (u_low != g_low || u_high != g_high) { + DEBUG(0, ("rid_idmap_init: range defined in \"idmap uid\" must match range of \"idmap gid\".\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + /* retrieve full domain list */ + nt_status = rid_idmap_get_domains(&num_domains, &domain_names, &domain_sids); + if (!NT_STATUS_IS_OK(nt_status) && + !NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MORE_ENTRIES) && + !NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES)) { + DEBUG(0, ("rid_idmap_init: cannot fetch sids for domain and/or trusted-domains from domain-controller.\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + /* parse the init string */ + nt_status = rid_idmap_parse(init_param, num_domains, domain_names, domain_sids, u_low, u_high); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("rid_idmap_init: cannot parse module-configuration\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + /* some basic sanity checks */ + for(i=0;i<trust.number;i++) { + DEBUG(10,("rid_idmap_init: sanity checks on mapping of domain: [%s]\n", trust.dom[i].name)); + if (trust.dom[i].min_id > trust.dom[i].max_id) { + DEBUG(0, ("rid_idmap_init: min_id has to be smaller than max_id for %s\n",trust.dom[i].name)); + return NT_STATUS_INVALID_PARAMETER; + } + if (trust.dom[i].min_id < u_low || trust.dom[i].max_id > u_high) { + DEBUG(0, ("rid_idmap_init: mapping of domain %s (%d-%d) has to fit into global idmap range (%d-%d).\n", + trust.dom[i].name, trust.dom[i].min_id, trust.dom[i].max_id, u_low, u_high)); + return NT_STATUS_INVALID_PARAMETER; + } + } + + /* check for overlaps */ + for(i=0;i<trust.number-1;i++) { + for(j=i+1;j<trust.number;j++) { + if (trust.dom[i].min_id <= trust.dom[j].max_id && trust.dom[j].min_id <= trust.dom[i].max_id) { + DEBUG(0, ("rid_idmap_init: the ranges of %s and %s overlap\n", + trust.dom[i+1].name, trust.dom[i].name)); + return NT_STATUS_INVALID_PARAMETER; + } + } + } + + DEBUG(3, ("rid_idmap_init: using the %d following mappings:\n", trust.number)); + for(i=0;i<trust.number;i++) { + DEBUGADD(3, ("rid_idmap_init:\tdomain: [%s], sid: [%s], min_id: [%d], max_id: [%d]\n", + trust.dom[i].name, trust.dom[i].sid, trust.dom[i].min_id, trust.dom[i].max_id)); + } + + return NT_STATUS_OK; +} + +static NTSTATUS rid_idmap_get_sid_from_id(DOM_SID *sid, unid_t unid, int id_type) +{ + fstring sid_string; + int i; + DOM_SID sidstr; + + if (sid == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + /* find range */ + for(i=0;i<trust.number;i++) { + if (trust.dom[i].min_id <= unid.uid && trust.dom[i].max_id >= unid.uid ) + break; + } + + if (i == trust.number) { + DEBUG(0,("no range found for uid: %d\n",unid.uid)); + return NT_STATUS_NOT_IMPLEMENTED; + } + + /* use lower-end of idmap-range as offset for users and groups*/ + (unsigned long)unid.uid -= trust.dom[i].min_id; + + string_to_sid(&sidstr,trust.dom[i].sid); + sid_copy(sid, &sidstr); + if (!sid_append_rid( sid, (unsigned long)unid.uid )) { + DEBUG(0,("rid_idmap_get_sid_from_id: could not append rid to domain sid\n")); + return NT_STATUS_NO_MEMORY; + } + + DEBUG(3, ("rid_idmap_get_sid_from_id: mapped POSIX %s %d to SID [%s]\n", + (id_type == ID_GROUPID) ? "GID" : "UID", unid.uid, + sid_to_string(sid_string, sid))); + + return NT_STATUS_OK; +} + +static NTSTATUS rid_idmap_get_id_from_sid(unid_t *unid, int *id_type, const DOM_SID *sid) +{ + fstring sid_string; + int i; + uint32 rid; + DOM_SID sidstr; + + if (unid == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + /* check if we have a mapping for the sid*/ + for(i=0;i<trust.number;i++) { + string_to_sid(&sidstr,trust.dom[i].sid); + if ( sid_compare_domain(sid, &sidstr) == 0 ) + break; + } + + if (i == trust.number) { + DEBUG(0,("rid_idmap_get_id_from_sid: we have no mapping for sid: [%s] in domain: [%s]\n", + sid_to_string(sid_string, sid), trust.dom[i].name)); + return NT_STATUS_NOT_IMPLEMENTED; + } + + if (!sid_peek_rid(sid, &rid)) { + DEBUG(0,("rid_idmap_get_id_from_sid: could not peek rid\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + + /* use lower-end of idmap-range as offset for users and groups */ + (unsigned long)unid->uid = rid + trust.dom[i].min_id; + + if (unid->uid > trust.dom[i].max_id) { + DEBUG(0,("rid_idmap_get_id_from_sid: rid: %d too high for mapping of domain: %s\n", rid, trust.dom[i].name)); + return NT_STATUS_INVALID_PARAMETER; + } + if (unid->uid < trust.dom[i].min_id) { + DEBUG(0,("rid_idmap_get_id_from_sid: rid: %d too low for mapping of domain: %s\n", rid, trust.dom[i].name)); + return NT_STATUS_INVALID_PARAMETER; + } + + DEBUG(3,("rid_idmap_get_id_from_sid: mapped SID [%s] to POSIX %s %d\n", + sid_to_string(sid_string, sid), + (*id_type == ID_GROUPID) ? "GID" : "UID", unid->uid)); + + return NT_STATUS_OK; + +} + +static NTSTATUS rid_idmap_set_mapping(const DOM_SID *sid, unid_t id, int id_type) +{ + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS rid_idmap_close(void) +{ + int i; + for(i=0;i<trust.number;i++) { + free(trust.dom[i].sid); + free(trust.dom[i].name); + } + free(trust.dom); + + return NT_STATUS_OK; +} + +static NTSTATUS rid_idmap_allocate_rid(uint32 *rid, int rid_type) +{ + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS rid_idmap_allocate_id(unid_t *id, int id_type) +{ + return NT_STATUS_NOT_IMPLEMENTED; +} + +static void rid_idmap_status(void) +{ + DEBUG(0, ("RID IDMAP Status not available\n")); +} + +static struct idmap_methods rid_methods = { + rid_idmap_init, + rid_idmap_allocate_rid, + rid_idmap_allocate_id, + rid_idmap_get_sid_from_id, + rid_idmap_get_id_from_sid, + rid_idmap_set_mapping, + rid_idmap_close, + rid_idmap_status +}; + +NTSTATUS init_module(void) +{ + return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "idmap_rid", &rid_methods); +} + |