diff options
Diffstat (limited to 'source3/nsswitch')
-rw-r--r-- | source3/nsswitch/idmap.c | 239 | ||||
-rw-r--r-- | source3/nsswitch/idmap_rid.c | 30 |
2 files changed, 128 insertions, 141 deletions
diff --git a/source3/nsswitch/idmap.c b/source3/nsswitch/idmap.c index 2bcff7b717..6e3e125ae4 100644 --- a/source3/nsswitch/idmap.c +++ b/source3/nsswitch/idmap.c @@ -18,7 +18,8 @@ You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.*/ + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ #include "includes.h" #include "winbindd.h" @@ -225,7 +226,7 @@ NTSTATUS idmap_close(void) static const char *idmap_default_domain[] = { "default domain", NULL }; NTSTATUS idmap_init(void) -{ +{ NTSTATUS ret; struct idmap_domain *dom; const char *compat_backend = NULL; @@ -241,27 +242,23 @@ NTSTATUS idmap_init(void) return NT_STATUS_OK; } - idmap_ctx = talloc_named_const(NULL, 0, "IDMAP MEMORY CONTEXT"); - if ( ! idmap_ctx) { + if ( (idmap_ctx = talloc_named_const(NULL, 0, "idmap_ctx")) == NULL ) { return NT_STATUS_NO_MEMORY; } - /* init cache */ - idmap_cache = idmap_cache_init(idmap_ctx); - if ( ! idmap_cache) { + if ( (idmap_cache = idmap_cache_init(idmap_ctx)) == NULL ) { return NT_STATUS_UNSUCCESSFUL; } - /* register static backends */ static_init_idmap; - if ((dom_list = lp_idmap_domains()) != NULL) { - if (lp_idmap_backend()) { - DEBUG(0, ("WARNING: idmap backend and idmap domains are mutually excusive!\n")); - DEBUGADD(0, (" idmap backend option will be IGNORED!\n")); - } - - } else if (lp_idmap_backend()) { + dom_list = lp_idmap_domains(); + + if ( dom_list && lp_idmap_backend() ) { + DEBUG(0, ("WARNING: idmap backend and idmap domains are " + "mutually excusive!\n")); + DEBUGADD(0,("idmap backend option will be IGNORED!\n")); + } else if ( lp_idmap_backend() ) { const char **compat_list = lp_idmap_backend(); const char *p; @@ -313,19 +310,13 @@ NTSTATUS idmap_init(void) /* default or specific ? */ dom->default_domain = lp_parm_bool(-1, config_option, "default", False); + if (dom->default_domain || strequal(dom_list[i], idmap_default_domain[0])) { - /* the default domain is a cacth all domain - * so no specific domain sid is provided */ - dom->sid = NULL; + /* make sure this is set even when we match idmap_default_domain[0] */ dom->default_domain = True; - if (lp_parm_const_string(-1, config_option, "domain sid", NULL)) { - DEBUG(1, ("WARNING: Can't force a /domain sid/ on the DEFAULT domain, Ignoring!")); - } - - /* only one default domain is permitted */ if (default_already_defined) { DEBUG(1, ("ERROR: Multiple domains defined as default!\n")); ret = NT_STATUS_INVALID_PARAMETER; @@ -334,38 +325,16 @@ NTSTATUS idmap_init(void) default_already_defined = True; - } else { - const char *sid; + } - sid = lp_parm_const_string(-1, config_option, "domain sid", NULL); - if (sid) { - dom->sid = string_sid_talloc(dom, sid); - } else { - struct winbindd_domain *wdom = find_domain_from_name(dom->name); - if (wdom) { - dom->sid = sid_dup_talloc(dom, &wdom->sid); - IDMAP_CHECK_ALLOC(dom->sid); - } - } - - if ( ! dom->sid) { - DEBUG(1, ("ERROR: Could not find DOMAIN SID for domain %s\n", dom->name)); - DEBUGADD(1, (" Consider to set explicitly the /domain sid/ option\n")); - ret = NT_STATUS_NO_SUCH_DOMAIN; - goto done; - } - } - - /* is this a readonly domain ? */ dom->readonly = lp_parm_bool(-1, config_option, "readonly", False); /* find associated backend (default: tdb) */ if (compat) { parm_backend = talloc_strdup(idmap_ctx, compat_backend); } else { - parm_backend = - talloc_strdup(idmap_ctx, - lp_parm_const_string(-1, config_option, "backend", "tdb")); + parm_backend = talloc_strdup(idmap_ctx, + lp_parm_const_string(-1, config_option, "backend", "tdb")); } IDMAP_CHECK_ALLOC(parm_backend); @@ -412,8 +381,8 @@ NTSTATUS idmap_init(void) def_dom_num = i; } - DEBUG(10, ("Domain %s - Sid %s - Backend %s - %sdefault - %sreadonly\n", - dom->name, sid_string_static(dom->sid), parm_backend, + DEBUG(10, ("Domain %s - Backend %s - %sdefault - %sreadonly\n", + dom->name, parm_backend, dom->default_domain?"":"not ", dom->readonly?"":"not ")); talloc_free(config_option); @@ -426,13 +395,6 @@ NTSTATUS idmap_init(void) if ((lp_server_role() == ROLE_DOMAIN_MEMBER) && ( ! pri_dom_is_in_list) && lp_winbind_trusted_domains_only()) { - DOM_SID our_sid; - - if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) { - DEBUG(0, ("Could not fetch our SID - did we join?\n")); - ret = NT_STATUS_UNSUCCESSFUL; - goto done; - } dom = talloc_zero(idmap_ctx, struct idmap_domain); IDMAP_CHECK_ALLOC(dom); @@ -443,9 +405,6 @@ NTSTATUS idmap_init(void) dom->default_domain = False; dom->readonly = True; - dom->sid = sid_dup_talloc(dom, &our_sid); - IDMAP_CHECK_ALLOC(dom->sid); - /* get the backend methods for passdb */ dom->methods = get_methods(backends, "nss"); @@ -475,8 +434,7 @@ NTSTATUS idmap_init(void) } idmap_domains[num_domains] = dom; - DEBUG(10, ("Domain %s - Sid %s - Backend nss - not default - readonly\n", - dom->name, sid_string_static(dom->sid))); + DEBUG(10, ("Domain %s - Backend nss - not default - readonly\n", dom->name )); num_domains++; } @@ -491,9 +449,6 @@ NTSTATUS idmap_init(void) dom->default_domain = False; dom->readonly = True; - dom->sid = sid_dup_talloc(dom, get_global_sam_sid()); - IDMAP_CHECK_ALLOC(dom->sid); - /* get the backend methods for passdb */ dom->methods = get_methods(backends, "passdb"); @@ -526,9 +481,7 @@ NTSTATUS idmap_init(void) /* needed to handle special BUILTIN and wellknown SIDs cases */ pdb_dom_num = num_domains; - DEBUG(10, ("Domain %s - Sid %s - Backend passdb - not default - readonly\n", - dom->name, sid_string_static(dom->sid))); - DEBUGADD(10, (" (special: includes handling BUILTIN and Wellknown SIDs as well)\n")); + DEBUG(10, ("Domain %s - Backend passdb - not default - readonly\n", dom->name)); num_domains++; /**** finished adding idmap_passdb backend ****/ @@ -652,6 +605,66 @@ NTSTATUS idmap_set_gid_hwm(struct unixid *id) return alloc_methods->set_id_hwm(id); } +/****************************************************************************** + Lookup an idmap_domain give a full user or group SID + ******************************************************************************/ + +static struct idmap_domain* find_idmap_domain_from_sid( DOM_SID *account_sid ) +{ + DOM_SID domain_sid; + uint32 rid; + struct winbindd_domain *domain = NULL; + int i; + + /* 1. Handle BUILTIN or Special SIDs and prevent them from + falling into the default domain space (if we have a + configured passdb backend. */ + + if ( (pdb_dom_num != -1) && + (sid_check_is_in_builtin(account_sid) || + sid_check_is_in_wellknown_domain(account_sid)) ) + { + return idmap_domains[pdb_dom_num]; + } + + /* 2. Lookup the winbindd_domain from the account_sid */ + + sid_copy( &domain_sid, account_sid ); + sid_split_rid( &domain_sid, &rid ); + domain = find_domain_from_sid_noinit( &domain_sid ); + + for (i = 0; domain && i < num_domains; i++) { + if ( strequal( idmap_domains[i]->name, domain->name ) ) { + return idmap_domains[i]; + } + } + + /* 3. Fall back to the default domain */ + + if ( def_dom_num != -1 ) { + return idmap_domains[def_dom_num]; + } + + return NULL; +} + +/****************************************************************************** + Lookup an index given an idmap_domain pointer + ******************************************************************************/ + +static uint32 find_idmap_domain_index( struct idmap_domain *id_domain) +{ + int i; + + for (i = 0; i < num_domains; i++) { + if ( idmap_domains[i] == id_domain ) + return i; + } + + return -1; +} + + /********************************************************* Check if creating a mapping is permitted for the domain *********************************************************/ @@ -659,7 +672,6 @@ NTSTATUS idmap_set_gid_hwm(struct unixid *id) static NTSTATUS idmap_can_map(const struct id_map *map, struct idmap_domain **ret_dom) { struct idmap_domain *dom; - int i; /* Check we do not create mappings for our own local domain, or BUILTIN or special SIDs */ if ((sid_compare_domain(map->sid, get_global_sam_sid()) == 0) || @@ -679,23 +691,15 @@ static NTSTATUS idmap_can_map(const struct id_map *map, struct idmap_domain **re } } - for (i = 0, dom = NULL; i < num_domains; i++) { - if ((idmap_domains[i]->default_domain) || /* ok set it into the default domain */ - (sid_compare_domain(idmap_domains[i]->sid, map->sid) == 0)) { /* ok found a specific domain */ - dom = idmap_domains[i]; - break; - } - } - - if (! dom) { + if ( (dom = find_idmap_domain_from_sid( map->sid )) == NULL ) { /* huh, couldn't find a suitable domain, let's just leave it unmapped */ - DEBUG(10, ("Could not find imdap backend for SID %s", sid_string_static(map->sid))); + DEBUG(10, ("Could not find idmap backend for SID %s", sid_string_static(map->sid))); return NT_STATUS_NO_SUCH_DOMAIN; } if (dom->readonly) { /* ouch the domain is read only, let's just leave it unmapped */ - DEBUG(10, ("imdap backend for SID %s is READONLY!\n", sid_string_static(map->sid))); + DEBUG(10, ("idmap backend for SID %s is READONLY!\n", sid_string_static(map->sid))); return NT_STATUS_UNSUCCESSFUL; } @@ -790,7 +794,7 @@ static NTSTATUS idmap_backends_set_mapping(const struct id_map *map) return ret; } - DEBUG(10, ("set_mapping for domain %s(%s)\n", dom->name, sid_string_static(dom->sid))); + DEBUG(10,("set_mapping for domain %s\n", dom->name )); return dom->methods->set_mapping(dom, map); } @@ -832,7 +836,7 @@ static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids) dom = idmap_domains[n]; - DEBUG(10, ("Query sids from domain %s(%s)\n", dom->name, sid_string_static(dom->sid))); + DEBUG(10, ("Query sids from domain %s\n", dom->name)); ret = dom->methods->unixids_to_sids(dom, _ids); IDMAP_CHECK_RET(ret); @@ -892,13 +896,7 @@ static NTSTATUS idmap_backends_sids_to_unixids(struct id_map **ids) NTSTATUS ret; int i, *counters; - if (!ids || !*ids) { - DEBUG(1, ("Invalid list of maps\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - ctx = talloc_named_const(NULL, 0, "idmap_backends_sids_to_unixids ctx"); - if ( ! ctx) { + if ( (ctx = talloc_named_const(NULL, 0, "be_sids_to_ids")) == NULL ) { DEBUG(1, ("failed to allocate talloc context, OOM?\n")); return NT_STATUS_NO_MEMORY; } @@ -906,66 +904,47 @@ static NTSTATUS idmap_backends_sids_to_unixids(struct id_map **ids) DEBUG(10, ("Query backends to map sids->ids\n")); /* split list per domain */ + dom_ids = talloc_zero_array(ctx, struct id_map **, num_domains); IDMAP_CHECK_ALLOC(dom_ids); counters = talloc_zero_array(ctx, int, num_domains); + /* partition the requests by domain */ + for (i = 0; ids[i]; i++) { - int dom_num; + uint32 idx; /* make sure they are unknown to start off */ ids[i]->status = ID_UNKNOWN; - for (dom_num = 0, dom = NULL; dom_num < num_domains; dom_num++) { - if (idmap_domains[dom_num]->default_domain) { - /* we got to the default domain */ - dom = idmap_domains[dom_num]; - break; - } - if (sid_compare_domain(idmap_domains[dom_num]->sid, ids[i]->sid) == 0) { - dom = idmap_domains[dom_num]; - break; - } - } - if (( ! dom) || dom->default_domain) { - /* handle BUILTIN or Special SIDs - * and prevent them from falling into the default domain space */ - if ((sid_check_is_in_builtin(ids[i]->sid) || - sid_check_is_in_wellknown_domain(ids[i]->sid))) { - - if (pdb_dom_num != -1) { - dom = idmap_domains[pdb_dom_num]; - dom_num = pdb_dom_num; - } else { - dom = NULL; - } - } - } - if ( ! dom) { - /* no dom move on */ + if ( (dom = find_idmap_domain_from_sid( ids[i]->sid )) == NULL ) { + /* no vailable idmap_domain. Move on */ continue; } - DEBUG(10, ("SID %s is being handled by %s(%d)\n", - sid_string_static(ids[i]->sid), - dom?dom->name:"none", - dom_num)); + DEBUG(10,("SID %s is being handled by %s\n", + sid_string_static(ids[i]->sid), + dom ? dom->name : "none" )); - dom_ids[dom_num] = talloc_realloc(ctx, dom_ids[dom_num], struct id_map *, counters[dom_num] + 2); - IDMAP_CHECK_ALLOC(dom_ids[dom_num]); + idx = find_idmap_domain_index( dom ); + SMB_ASSERT( idx != -1 ); + + dom_ids[idx] = talloc_realloc(ctx, dom_ids[idx], + struct id_map *, counters[idx] + 2); + IDMAP_CHECK_ALLOC(dom_ids[idx]); - dom_ids[dom_num][counters[dom_num]] = ids[i]; - counters[dom_num]++; - dom_ids[dom_num][counters[dom_num]] = NULL; + dom_ids[idx][counters[idx]] = ids[i]; + counters[idx]++; + dom_ids[idx][counters[idx]] = NULL; } - /* ok all the ids have been dispatched in the right queues - * let's cycle through the filled ones */ + /* All the ids have been dispatched in the right queues. + Let's cycle through the filled ones */ for (i = 0; i < num_domains; i++) { - if (dom_ids[i]) { /* ok, we have ids in this one */ + if (dom_ids[i]) { dom = idmap_domains[i]; - DEBUG(10, ("Query ids from domain %s(%s)\n", dom->name, sid_string_static(dom->sid))); + DEBUG(10, ("Query ids from domain %s\n", dom->name)); ret = dom->methods->sids_to_unixids(dom, dom_ids[i]); IDMAP_CHECK_RET(ret); } diff --git a/source3/nsswitch/idmap_rid.c b/source3/nsswitch/idmap_rid.c index 5949aa4ba5..298d6fed35 100644 --- a/source3/nsswitch/idmap_rid.c +++ b/source3/nsswitch/idmap_rid.c @@ -26,13 +26,17 @@ #define DBGC_CLASS DBGC_IDMAP struct idmap_rid_context { - DOM_SID dom_sid; + const char *domain_name; uint32_t low_id; uint32_t high_id; uint32_t base_rid; }; -/* compat params can't be used because of the completely different way we support multiple domains in the new idmap */ +/****************************************************************************** + compat params can't be used because of the completely different way + we support multiple domains in the new idmap + *****************************************************************************/ + static NTSTATUS idmap_rid_initialize(struct idmap_domain *dom, const char *compat_params) { NTSTATUS ret; @@ -40,8 +44,7 @@ static NTSTATUS idmap_rid_initialize(struct idmap_domain *dom, const char *compa char *config_option = NULL; const char *range; - ctx = talloc_zero(dom, struct idmap_rid_context); - if ( ! ctx) { + if ( (ctx = talloc_zero(dom, struct idmap_rid_context)) == NULL ) { DEBUG(0, ("Out of memory!\n")); return NT_STATUS_NO_MEMORY; } @@ -54,23 +57,23 @@ static NTSTATUS idmap_rid_initialize(struct idmap_domain *dom, const char *compa } range = lp_parm_const_string(-1, config_option, "range", NULL); - if (( ! range) || + if ( !range || (sscanf(range, "%u - %u", &ctx->low_id, &ctx->high_id) != 2) || - (ctx->low_id > ctx->high_id)) { + (ctx->low_id > ctx->high_id)) + { ctx->low_id = 0; ctx->high_id = 0; } - if (( ! ctx->low_id) || ( ! ctx->high_id)) { + if ( !ctx->low_id || !ctx->high_id ) { DEBUG(1, ("ERROR: Invalid configuration, ID range missing\n")); ret = NT_STATUS_UNSUCCESSFUL; goto failed; } ctx->base_rid = lp_parm_int(-1, config_option, "base_rid", 0); - - sid_copy(&ctx->dom_sid, dom->sid); - + ctx->domain_name = talloc_strdup( ctx, dom->name ); + dom->private_data = ctx; talloc_free(config_option); @@ -86,6 +89,7 @@ static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context const char *domname, *name; enum lsa_SidType sid_type; BOOL ret; + struct winbindd_domain *domain; /* apply filters before checking */ if ((map->xid.id < ctx->low_id) || (map->xid.id > ctx->high_id)) { @@ -94,7 +98,11 @@ static NTSTATUS idmap_rid_id_to_sid(TALLOC_CTX *memctx, struct idmap_rid_context return NT_STATUS_NONE_MAPPED; } - sid_compose(map->sid, &ctx->dom_sid, map->xid.id - ctx->low_id + ctx->base_rid); + if ( (domain = find_domain_from_name_noinit(ctx->domain_name)) == NULL ) { + return NT_STATUS_NO_SUCH_DOMAIN; + } + + sid_compose(map->sid, &domain->sid, map->xid.id - ctx->low_id + ctx->base_rid); /* by default calls to winbindd are disabled the following call will not recurse so this is safe */ |