Diffstat (limited to 'source3/sam')
-rw-r--r--source3/sam/idmap.c379
-rw-r--r--source3/sam/idmap_ad.c380
-rw-r--r--source3/sam/idmap_ldap.c542
-rw-r--r--source3/sam/idmap_rid.c561
-rw-r--r--source3/sam/idmap_smbldap.c447
-rw-r--r--source3/sam/idmap_tdb.c693
-rw-r--r--source3/sam/idmap_util.c127
-rw-r--r--source3/sam/nss_info.c111
8 files changed, 0 insertions, 3240 deletions
diff --git a/source3/sam/idmap.c b/source3/sam/idmap.c
deleted file mode 100644
index e8ebd9272c..0000000000
--- a/source3/sam/idmap.c
+++ /dev/null
@@ -1,379 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- ID Mapping
- Copyright (C) Tim Potter 2000
- Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
- Copyright (C) Simo Sorce 2003
- Copyright (C) Jeremy Allison 2006
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.*/
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_IDMAP
-
-static_decl_idmap;
-
-struct idmap_function_entry {
- const char *name;
- struct idmap_methods *methods;
- struct idmap_function_entry *prev,*next;
-};
-
-static struct idmap_function_entry *backends = NULL;
-
-static struct idmap_methods *cache_map;
-static struct idmap_methods *remote_map;
-
-static BOOL proxyonly = False;
-
-/**********************************************************************
- Get idmap methods. Don't allow tdb to be a remote method.
-**********************************************************************/
-
-static struct idmap_methods *get_methods(const char *name, BOOL cache_method)
-{
- struct idmap_function_entry *entry = backends;
-
- for(entry = backends; entry; entry = entry->next) {
- if (!cache_method && strequal(entry->name, "tdb"))
- continue; /* tdb is only cache method. */
- if (strequal(entry->name, name))
- return entry->methods;
- }
-
- return NULL;
-}
-
-/**********************************************************************
- Allow a module to register itself as a method.
-**********************************************************************/
-
-NTSTATUS smb_register_idmap(int version, const char *name, struct idmap_methods *methods)
-{
- struct idmap_function_entry *entry;
-
- if ((version != SMB_IDMAP_INTERFACE_VERSION)) {
- DEBUG(0, ("smb_register_idmap: Failed to register idmap module.\n"
- "The module was compiled against SMB_IDMAP_INTERFACE_VERSION %d,\n"
- "current SMB_IDMAP_INTERFACE_VERSION is %d.\n"
- "Please recompile against the current version of samba!\n",
- version, SMB_IDMAP_INTERFACE_VERSION));
- return NT_STATUS_OBJECT_TYPE_MISMATCH;
- }
-
- if (!name || !name[0] || !methods) {
- DEBUG(0,("smb_register_idmap: called with NULL pointer or empty name!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (get_methods(name, False)) {
- DEBUG(0,("smb_register_idmap: idmap module %s already registered!\n", name));
- return NT_STATUS_OBJECT_NAME_COLLISION;
- }
-
- entry = SMB_XMALLOC_P(struct idmap_function_entry);
- entry->name = smb_xstrdup(name);
- entry->methods = methods;
-
- DLIST_ADD(backends, entry);
- DEBUG(5, ("smb_register_idmap: Successfully added idmap backend '%s'\n", name));
- return NT_STATUS_OK;
-}
-
-/**********************************************************************
- Initialise idmap cache and a remote backend (if configured).
-**********************************************************************/
-
-BOOL idmap_init(const char **remote_backend)
-{
- if (!backends)
- static_init_idmap;
-
- if (!cache_map) {
- cache_map = get_methods("tdb", True);
-
- if (!cache_map) {
- DEBUG(0, ("idmap_init: could not find tdb cache backend!\n"));
- return False;
- }
-
- if (!NT_STATUS_IS_OK(cache_map->init( NULL ))) {
- DEBUG(0, ("idmap_init: could not initialise tdb cache backend!\n"));
- return False;
- }
- }
-
- if ((remote_map == NULL) && (remote_backend != NULL) &&
- (*remote_backend != NULL) && (**remote_backend != '\0')) {
- char *rem_backend = smb_xstrdup(*remote_backend);
- fstring params = "";
- char *pparams;
- BOOL idmap_prefix_workaround = False;
-
- /* get any mode parameters passed in */
-
- if ( (pparams = strchr( rem_backend, ':' )) != NULL ) {
- *pparams = '\0';
- pparams++;
- fstrcpy( params, pparams );
- }
-
- /* strip any leading idmap_ prefix of */
- if ( strncmp( rem_backend, "idmap_", 6) == 0 ) {
- rem_backend += 6;
- idmap_prefix_workaround = True;
- DEBUG(0, ("idmap_init: idmap backend uses deprecated 'idmap_' prefix. Please replace 'idmap_%s' by '%s' in %s\n", rem_backend, rem_backend, dyn_CONFIGFILE));
- }
-
- DEBUG(3, ("idmap_init: using '%s' as remote backend\n", rem_backend));
-
- if((remote_map = get_methods(rem_backend, False)) ||
- (NT_STATUS_IS_OK(smb_probe_module("idmap", rem_backend)) &&
- (remote_map = get_methods(rem_backend, False)))) {
- if (!NT_STATUS_IS_OK(remote_map->init(params))) {
- DEBUG(0, ("idmap_init: failed to initialize remote backend!\n"));
- return False;
- }
- } else {
- DEBUG(0, ("idmap_init: could not load remote backend '%s'\n", rem_backend));
- if (idmap_prefix_workaround)
- rem_backend -= 6;
- SAFE_FREE(rem_backend);
- return False;
- }
- if (idmap_prefix_workaround)
- rem_backend -= 6;
- SAFE_FREE(rem_backend);
- }
-
- return True;
-}
-
-/**************************************************************************
- Don't do id mapping. This is used to make winbind a netlogon proxy only.
-**************************************************************************/
-
-void idmap_set_proxyonly(void)
-{
- proxyonly = True;
-}
-
-BOOL idmap_proxyonly(void)
-{
- return proxyonly;
-}
-
-/**************************************************************************
- This is a rare operation, designed to allow an explicit mapping to be
- set up for a sid to a POSIX id.
-**************************************************************************/
-
-NTSTATUS idmap_set_mapping(const DOM_SID *sid, unid_t id, enum idmap_type id_type)
-{
- struct idmap_methods *map = remote_map;
- DOM_SID tmp_sid;
-
- if (proxyonly) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (sid_check_is_in_our_domain(sid)) {
- DEBUG(3, ("Refusing to add SID %s to idmap, it's our own "
- "domain\n", sid_string_static(sid)));
- return NT_STATUS_ACCESS_DENIED;
- }
-
- if (sid_check_is_in_builtin(sid)) {
- DEBUG(3, ("Refusing to add SID %s to idmap, it's our builtin "
- "domain\n", sid_string_static(sid)));
- return NT_STATUS_ACCESS_DENIED;
- }
-
- DEBUG(10, ("idmap_set_mapping: Set %s to %s %lu\n",
- sid_string_static(sid),
- (id_type == ID_USERID) ? "UID" : "GID",
- (id_type == ID_USERID) ? (unsigned long)id.uid :
- (unsigned long)id.gid));
-
- if ( (NT_STATUS_IS_OK(cache_map->get_sid_from_id(&tmp_sid, id, id_type, IDMAP_FLAG_QUERY_ONLY))) &&
- sid_equal(sid, &tmp_sid) ) {
- /* Nothing to do, we already have that mapping */
- DEBUG(10, ("idmap_set_mapping: Mapping already there\n"));
- return NT_STATUS_OK;
- }
-
- if (map == NULL) {
- /* Ok, we don't have a authoritative remote
- mapping. So update our local cache only. */
- map = cache_map;
- }
-
- return map->set_mapping(sid, id, id_type);
-}
-
-/**************************************************************************
- Get ID from SID. This can create a mapping for a SID to a POSIX id.
-**************************************************************************/
-
-NTSTATUS idmap_get_id_from_sid(unid_t *id, enum idmap_type *id_type, const DOM_SID *sid, int flags)
-{
- NTSTATUS ret;
- int cache_flags = flags;
-
- if (proxyonly) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (sid_check_is_in_our_domain(sid)) {
- DEBUG(9, ("sid %s is in our domain -- go look in passdb\n",
- sid_string_static(sid)));
- return NT_STATUS_NONE_MAPPED;
- }
-
- if (sid_check_is_in_builtin(sid)) {
- DEBUG(9, ("sid %s is in builtin domain -- go look in passdb\n",
- sid_string_static(sid)));
- return NT_STATUS_NONE_MAPPED;
- }
-
- if (remote_map) {
- /* We have a central remote idmap so only look in
- cache, ensure we don't allocate */
- cache_flags |= IDMAP_FLAG_QUERY_ONLY;
- }
-
- ret = cache_map->get_id_from_sid(id, id_type, sid, cache_flags);
- if (NT_STATUS_IS_OK(ret)) {
- return NT_STATUS_OK;
- }
-
- if ((remote_map == NULL) || (flags & IDMAP_FLAG_CACHE_ONLY)) {
- return ret;
- }
-
- /* Ok, the mapping was not in the cache, give the remote map a try. */
-
- ret = remote_map->get_id_from_sid(id, id_type, sid, flags);
-
- if (NT_STATUS_IS_OK(ret)) {
- /* The remote backend gave us a valid mapping, cache it. */
- ret = cache_map->set_mapping(sid, *id, *id_type);
- }
-
- return ret;
-}
-
-/**************************************************************************
- Get SID from ID. This must have been created before.
-**************************************************************************/
-
-NTSTATUS idmap_get_sid_from_id(DOM_SID *sid, unid_t id, enum idmap_type id_type, int flags)
-{
- NTSTATUS ret;
- int cache_flags = flags;
-
- if (proxyonly) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (remote_map) {
- /* We have a central remote idmap so only look in
- cache, ensure we don't allocate */
- cache_flags |= IDMAP_FLAG_QUERY_ONLY;
- }
-
- ret = cache_map->get_sid_from_id(sid, id, id_type, cache_flags);
-
- if (NT_STATUS_IS_OK(ret)) {
- return ret;
- }
-
- if ((remote_map == NULL) || (flags & IDMAP_FLAG_CACHE_ONLY)) {
- return ret;
- }
-
- /* Not in cache, ask our authoritative backend */
-
- ret = remote_map->get_sid_from_id(sid, id, id_type, flags);
-
- if (NT_STATUS_IS_OK(ret)) {
- /* The remote backend gave us a valid mapping, cache it. */
- ret = cache_map->set_mapping(sid, id, id_type);
- }
-
- return ret;
-}
-
-/**************************************************************************
- Alloocate a new UNIX uid/gid
-**************************************************************************/
-
-NTSTATUS idmap_allocate_id(unid_t *id, enum idmap_type id_type)
-{
- /* we have to allocate from the authoritative backend */
-
- if (proxyonly) {
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if ( remote_map ) {
- return remote_map->allocate_id( id, id_type );
- }
-
- return cache_map->allocate_id( id, id_type );
-}
-
-/**************************************************************************
- Shutdown maps.
-**************************************************************************/
-
-NTSTATUS idmap_close(void)
-{
- NTSTATUS ret;
-
- if (proxyonly) {
- return NT_STATUS_OK;
- }
-
- ret = cache_map->close_fn();
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(3, ("idmap_close: failed to close local tdb cache!\n"));
- }
- cache_map = NULL;
-
- if (remote_map) {
- ret = remote_map->close_fn();
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(3, ("idmap_close: failed to close remote idmap repository!\n"));
- }
- remote_map = NULL;
- }
-
- return ret;
-}
-
-/**************************************************************************
- Dump backend status.
-**************************************************************************/
-
-void idmap_status(void)
-{
- cache_map->status();
- if (remote_map) {
- remote_map->status();
- }
-}
diff --git a/source3/sam/idmap_ad.c b/source3/sam/idmap_ad.c
deleted file mode 100644
index bb48c41131..0000000000
--- a/source3/sam/idmap_ad.c
+++ /dev/null
@@ -1,380 +0,0 @@
-/*
- * idmap_ad: map between Active Directory and RFC 2307 or "Services for Unix" (SFU) Accounts
- *
- * Unix SMB/CIFS implementation.
- *
- * Winbind ADS backend functions
- *
- * Copyright (C) Andrew Tridgell 2001
- * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
- * Copyright (C) Gerald (Jerry) Carter 2004
- * Copyright (C) Luke Howard 2001-2004
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- */
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_IDMAP
-
-#define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
-
-NTSTATUS init_module(void);
-
-static ADS_STRUCT *ad_idmap_ads = NULL;
-
-static char *attr_uidnumber = NULL;
-static char *attr_gidnumber = NULL;
-
-static ADS_STATUS ad_idmap_check_attr_mapping(ADS_STRUCT *ads)
-{
- ADS_STATUS status;
- enum wb_posix_mapping map_type;
-
- if (attr_uidnumber != NULL && attr_gidnumber != NULL) {
- return ADS_ERROR(LDAP_SUCCESS);
- }
-
- SMB_ASSERT(ads->server.workgroup);
-
- map_type = get_nss_info(ads->server.workgroup);
-
- if ((map_type == WB_POSIX_MAP_SFU) ||
- (map_type == WB_POSIX_MAP_RFC2307)) {
-
- status = ads_check_posix_schema_mapping(ads, map_type);
- if (ADS_ERR_OK(status)) {
- attr_uidnumber = SMB_STRDUP(ads->schema.posix_uidnumber_attr);
- attr_gidnumber = SMB_STRDUP(ads->schema.posix_gidnumber_attr);
- ADS_ERROR_HAVE_NO_MEMORY(attr_uidnumber);
- ADS_ERROR_HAVE_NO_MEMORY(attr_gidnumber);
- return ADS_ERROR(LDAP_SUCCESS);
- } else {
- DEBUG(0,("ads_check_posix_schema_mapping failed: %s\n", ads_errstr(status)));
- /* return status; */
- }
- }
-
- /* fallback to XAD defaults */
- attr_uidnumber = SMB_STRDUP("uidNumber");
- attr_gidnumber = SMB_STRDUP("gidNumber");
- ADS_ERROR_HAVE_NO_MEMORY(attr_uidnumber);
- ADS_ERROR_HAVE_NO_MEMORY(attr_gidnumber);
-
- return ADS_ERROR(LDAP_SUCCESS);
-}
-
-static ADS_STRUCT *ad_idmap_cached_connection(void)
-{
- ADS_STRUCT *ads;
- ADS_STATUS status;
- BOOL local = False;
-
- if (ad_idmap_ads != NULL) {
- ads = ad_idmap_ads;
-
- /* check for a valid structure */
-
- DEBUG(7, ("Current tickets expire at %d, time is now %d\n",
- (uint32) ads->auth.expire, (uint32) time(NULL)));
- if ( ads->config.realm && (ads->auth.expire > time(NULL))) {
- return ads;
- } else {
- /* we own this ADS_STRUCT so make sure it goes away */
- ads->is_mine = True;
- ads_destroy( &ads );
- ads_kdestroy(WINBIND_CCACHE_NAME);
- ad_idmap_ads = NULL;
- }
- }
-
- if (!local) {
- /* we don't want this to affect the users ccache */
- setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
- }
-
- ads = ads_init(lp_realm(), lp_workgroup(), NULL);
- if (!ads) {
- DEBUG(1,("ads_init failed\n"));
- return NULL;
- }
-
- /* the machine acct password might have change - fetch it every time */
- SAFE_FREE(ads->auth.password);
- ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
-
- SAFE_FREE(ads->auth.realm);
- ads->auth.realm = SMB_STRDUP(lp_realm());
-
- status = ads_connect(ads);
- if (!ADS_ERR_OK(status)) {
- DEBUG(1, ("ad_idmap_init: failed to connect to AD\n"));
- ads_destroy(&ads);
- return NULL;
- }
-
- ads->is_mine = False;
-
- status = ad_idmap_check_attr_mapping(ads);
- if (!ADS_ERR_OK(status)) {
- DEBUG(1, ("ad_idmap_init: failed to check attribute mapping\n"));
- return NULL;
- }
-
- ad_idmap_ads = ads;
- return ads;
-}
-
-/* no op */
-static NTSTATUS ad_idmap_init(const char *uri)
-{
- return NT_STATUS_OK;
-}
-
-static NTSTATUS ad_idmap_get_sid_from_id(DOM_SID *sid, unid_t unid, enum idmap_type id_type, int flags)
-{
- ADS_STATUS rc;
- NTSTATUS status = NT_STATUS_NONE_MAPPED;
- const char *attrs[] = { "objectSid", NULL };
- LDAPMessage *res = NULL;
- LDAPMessage *msg = NULL;
- char *expr = NULL;
- fstring sid_string;
- int count;
- ADS_STRUCT *ads;
-
- if (sid == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- ads = ad_idmap_cached_connection();
- if (ads == NULL) {
- DEBUG(1, ("ad_idmap_get_id_from_sid ADS uninitialized\n"));
- return NT_STATUS_NOT_SUPPORTED;
- }
-
- switch (id_type) {
- case ID_USERID:
- if (asprintf(&expr, "(&(|(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d))(%s=%d))",
- ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
- ads->schema.posix_uidnumber_attr, (int)unid.uid) == -1) {
- return NT_STATUS_NO_MEMORY;
- }
- break;
- case ID_GROUPID:
- if (asprintf(&expr, "(&(|(sAMAccountType=%d)(sAMAccountType=%d))(%s=%d))",
- ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP,
- ads->schema.posix_gidnumber_attr, (int)unid.gid) == -1) {
- return NT_STATUS_NO_MEMORY;
- }
- break;
- default:
- return NT_STATUS_INVALID_PARAMETER;
- break;
- }
-
- rc = ads_search_retry(ads, &res, expr, attrs);
- free(expr);
- if (!ADS_ERR_OK(rc)) {
- DEBUG(1, ("ad_idmap_get_sid_from_id: ads_search: %s\n", ads_errstr(rc)));
- goto done;
- }
-
- count = ads_count_replies(ads, res);
- if (count == 0) {
- DEBUG(1, ("ad_idmap_get_sid_from_id: ads_count_replies: no results\n"));
- goto done;
- } else if (count != 1) {
- DEBUG(1, ("ad_idmap_get_sid_from_id: ads_count_replies: incorrect cardinality\n"));
- goto done;
- }
-
- msg = ads_first_entry(ads, res);
- if (msg == NULL) {
- DEBUG(1, ("ad_idmap_get_sid_from_id: ads_first_entry: could not retrieve search result\n"));
- goto done;
- }
-
- if (!ads_pull_sid(ads, msg, "objectSid", sid)) {
- DEBUG(1, ("ad_idmap_get_sid_from_id: ads_pull_sid: could not retrieve SID from entry\n"));
- goto done;
- }
-
- status = NT_STATUS_OK;
- DEBUG(1, ("ad_idmap_get_sid_from_id mapped POSIX %s %d to SID [%s]\n",
- (id_type == ID_GROUPID) ? "GID" : "UID", (int)unid.uid,
- sid_to_string(sid_string, sid)));
-
-done:
- if (res != NULL) {
- ads_msgfree(ads, res);
- }
-
- return status;
-}
-
-static NTSTATUS ad_idmap_get_id_from_sid(unid_t *unid, enum idmap_type *id_type, const DOM_SID *sid, int flags)
-{
- ADS_STATUS rc;
- NTSTATUS status = NT_STATUS_NONE_MAPPED;
- const char *attrs[] = { "sAMAccountType", ADS_ATTR_SFU_UIDNUMBER_OID,
- ADS_ATTR_SFU_GIDNUMBER_OID,
- ADS_ATTR_RFC2307_UIDNUMBER_OID,
- ADS_ATTR_RFC2307_GIDNUMBER_OID,
- NULL };
- LDAPMessage *res = NULL;
- LDAPMessage *msg = NULL;
- char *expr = NULL;
- uint32 atype, uid;
- char *sidstr;
- fstring sid_string;
- int count;
- ADS_STRUCT *ads;
-
- if (unid == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- ads = ad_idmap_cached_connection();
- if (ads == NULL) {
- DEBUG(1, ("ad_idmap_get_id_from_sid ADS uninitialized\n"));
- return NT_STATUS_NOT_SUPPORTED;
- }
-
- sidstr = sid_binstring(sid);
- if (asprintf(&expr, "(objectSid=%s)", sidstr) == -1) {
- free(sidstr);
- return NT_STATUS_NO_MEMORY;
- }
-
- rc = ads_search_retry(ads, &res, expr, attrs);
- free(sidstr);
- free(expr);
- if (!ADS_ERR_OK(rc)) {
- DEBUG(1, ("ad_idmap_get_id_from_sid: ads_search: %s\n", ads_errstr(rc)));
- goto done;
- }
-
- count = ads_count_replies(ads, res);
- if (count == 0) {
- DEBUG(1, ("ad_idmap_get_id_from_sid: ads_count_replies: no results\n"));
- goto done;
- } else if (count != 1) {
- DEBUG(1, ("ad_idmap_get_id_from_sid: ads_count_replies: incorrect cardinality\n"));
- goto done;
- }
-
- msg = ads_first_entry(ads, res);
- if (msg == NULL) {
- DEBUG(1, ("ad_idmap_get_id_from_sid: ads_first_entry: could not retrieve search result\n"));
- goto done;
- }
-
- if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
- DEBUG(1, ("ad_idmap_get_id_from_sid: ads_pull_uint32: could not read SAM account type\n"));
- goto done;
- }
-
- switch (atype & 0xF0000000) {
- case ATYPE_SECURITY_GLOBAL_GROUP:
- case ATYPE_SECURITY_LOCAL_GROUP:
- *id_type = ID_GROUPID;
- break;
- case ATYPE_NORMAL_ACCOUNT:
- case ATYPE_WORKSTATION_TRUST:
- case ATYPE_INTERDOMAIN_TRUST:
- *id_type = ID_USERID;
- break;
- default:
- DEBUG(1, ("ad_idmap_get_id_from_sid: unrecognized SAM account type %08x\n", atype));
- goto done;
- break;
- }
-
- if (!ads_pull_uint32(ads, msg, (*id_type == ID_GROUPID) ? attr_gidnumber : attr_uidnumber, &uid)) {
- DEBUG(1, ("ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute '%s'\n",
- (*id_type == ID_GROUPID) ? attr_gidnumber : attr_uidnumber));
- goto done;
- }
-
- unid->uid = (uid_t)uid;
-
- status = NT_STATUS_OK;
- DEBUG(1, ("ad_idmap_get_id_from_sid mapped SID [%s] to POSIX %s %d\n",
- sid_to_string(sid_string, sid),
- (*id_type == ID_GROUPID) ? "GID" : "UID", uid));
-
-done:
- if (res != NULL) {
- ads_msgfree(ads, res);
- }
-
- return status;
-
-}
-
-static NTSTATUS ad_idmap_set_mapping(const DOM_SID *sid, unid_t id, enum idmap_type id_type)
-{
- /* Not supported, and probably won't be... */
- /* (It's not particularly feasible with a single-master model.) */
-
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static NTSTATUS ad_idmap_close(void)
-{
- ADS_STRUCT *ads = ad_idmap_ads;
-
- if (ads != NULL) {
- /* we own this ADS_STRUCT so make sure it goes away */
- ads->is_mine = True;
- ads_destroy( &ads );
- ad_idmap_ads = NULL;
- }
-
- SAFE_FREE(attr_uidnumber);
- SAFE_FREE(attr_gidnumber);
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS ad_idmap_allocate_id(unid_t *id, enum idmap_type id_type)
-{
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static void ad_idmap_status(void)
-{
- DEBUG(0, ("AD IDMAP Status not available\n"));
-}
-
-static struct idmap_methods ad_methods = {
- ad_idmap_init,
- ad_idmap_allocate_id,
- ad_idmap_get_sid_from_id,
- ad_idmap_get_id_from_sid,
- ad_idmap_set_mapping,
- ad_idmap_close,
- ad_idmap_status
-};
-
-
-/* support for new authentication subsystem */
-NTSTATUS idmap_ad_init(void)
-{
- return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ad", &ad_methods);
-}
-
diff --git a/source3/sam/idmap_ldap.c b/source3/sam/idmap_ldap.c
deleted file mode 100644
index 3fec3a142b..0000000000
--- a/source3/sam/idmap_ldap.c
+++ /dev/null
@@ -1,542 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- idmap LDAP backend
-
- Copyright (C) Tim Potter 2000
- Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
- Copyright (C) Simo Sorce 2003
- Copyright (C) Gerald Carter 2003
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_IDMAP
-
-
-#include <lber.h>
-#include <ldap.h>
-
-#include "smbldap.h"
-
-struct ldap_idmap_state {
- struct smbldap_state *smbldap_state;
- TALLOC_CTX *mem_ctx;
-};
-
-static struct ldap_idmap_state ldap_state;
-
-/* number tries while allocating new id */
-#define LDAP_MAX_ALLOC_ID 128
-
-
-/***********************************************************************
- This function cannot be called to modify a mapping, only set a new one
-***********************************************************************/
-
-static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, enum idmap_type id_type)
-{
- pstring dn;
- pstring id_str;
- fstring type;
- LDAPMod **mods = NULL;
- int rc = -1;
- int ldap_op;
- fstring sid_string;
- LDAPMessage *entry = NULL;
-
- sid_to_string( sid_string, sid );
-
- ldap_op = LDAP_MOD_ADD;
- pstr_sprintf(dn, "%s=%s,%s", get_attr_key2string( sidmap_attr_list, LDAP_ATTR_SID),
- sid_string, lp_ldap_idmap_suffix());
-
- if ( id_type == ID_USERID ) {
- fstrcpy( type, get_attr_key2string( sidmap_attr_list, LDAP_ATTR_UIDNUMBER ) );
- } else {
- fstrcpy( type, get_attr_key2string( sidmap_attr_list, LDAP_ATTR_GIDNUMBER ) );
- }
-
- pstr_sprintf(id_str, "%lu", ((id_type == ID_USERID) ? (unsigned long)id.uid :
- (unsigned long)id.gid));
-
- smbldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_IDMAP_ENTRY );
-
- smbldap_make_mod( ldap_state.smbldap_state->ldap_struct,
- entry, &mods, type, id_str );
-
- smbldap_make_mod( ldap_state.smbldap_state->ldap_struct,
- entry, &mods,
- get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
- sid_string );
-
- /* There may well be nothing at all to do */
-
- if (mods) {
- smbldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_SID_ENTRY );
- rc = smbldap_add(ldap_state.smbldap_state, dn, mods);
- ldap_mods_free( mods, True );
- } else {
- rc = LDAP_SUCCESS;
- }
-
- if (rc != LDAP_SUCCESS) {
- char *ld_error = NULL;
- ldap_get_option(ldap_state.smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
- &ld_error);
- DEBUG(0,("ldap_set_mapping_internals: Failed to %s mapping from %s to %lu [%s]\n",
- (ldap_op == LDAP_MOD_ADD) ? "add" : "replace",
- sid_string, (unsigned long)((id_type & ID_USERID) ? id.uid : id.gid), type));
- DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
- ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to %lu [%s]\n",
- sid_string, ((id_type & ID_USERID) ? (unsigned long)id.uid :
- (unsigned long)id.gid), type));
-
- return NT_STATUS_OK;
-}
-
-/*****************************************************************************
- Allocate a new uid or gid
-*****************************************************************************/
-
-static NTSTATUS ldap_allocate_id(unid_t *id, enum idmap_type id_type)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- int rc = LDAP_SERVER_DOWN;
- int count = 0;
- LDAPMessage *result = NULL;
- LDAPMessage *entry = NULL;
- pstring id_str, new_id_str;
- LDAPMod **mods = NULL;
- const char *type;
- char *dn = NULL;
- const char **attr_list;
- pstring filter;
- uid_t luid, huid;
- gid_t lgid, hgid;
-
- if (id_type != ID_USERID && id_type != ID_GROUPID) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- type = (id_type == ID_USERID) ?
- get_attr_key2string( idpool_attr_list, LDAP_ATTR_UIDNUMBER ) :
- get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER );
-
- pstr_sprintf(filter, "(objectClass=%s)", LDAP_OBJ_IDPOOL);
-
- attr_list = get_attr_list( NULL, idpool_attr_list );
-
- rc = smbldap_search(ldap_state.smbldap_state, lp_ldap_idmap_suffix(),
- LDAP_SCOPE_SUBTREE, filter,
- attr_list, 0, &result);
- TALLOC_FREE( attr_list );
-
- if (rc != LDAP_SUCCESS) {
- DEBUG(0,("ldap_allocate_id: %s object not found\n", LDAP_OBJ_IDPOOL));
- goto out;
- }
-
- count = ldap_count_entries(ldap_state.smbldap_state->ldap_struct, result);
- if (count != 1) {
- DEBUG(0,("ldap_allocate_id: single %s object not found\n", LDAP_OBJ_IDPOOL));
- goto out;
- }
-
- dn = smbldap_get_dn(ldap_state.smbldap_state->ldap_struct, result);
- if (!dn) {
- goto out;
- }
- entry = ldap_first_entry(ldap_state.smbldap_state->ldap_struct, result);
-
- if (!smbldap_get_single_pstring(ldap_state.smbldap_state->ldap_struct, entry, type, id_str)) {
- DEBUG(0,("ldap_allocate_id: %s attribute not found\n",
- type));
- goto out;
- }
-
- /* this must succeed or else we wouldn't have initialized */
-
- lp_idmap_uid( &luid, &huid);
- lp_idmap_gid( &lgid, &hgid);
-
- /* make sure we still have room to grow */
-
- if (id_type == ID_USERID) {
- id->uid = strtoul(id_str, NULL, 10);
- if (id->uid > huid ) {
- DEBUG(0,("ldap_allocate_id: Cannot allocate uid above %lu!\n",
- (unsigned long)huid));
- goto out;
- }
- } else {
- id->gid = strtoul(id_str, NULL, 10);
- if (id->gid > hgid ) {
- DEBUG(0,("ldap_allocate_id: Cannot allocate gid above %lu!\n",
- (unsigned long)hgid));
- goto out;
- }
- }
-
- pstr_sprintf(new_id_str, "%lu",
- ((id_type == ID_USERID) ? (unsigned long)id->uid :
- (unsigned long)id->gid) + 1);
-
- smbldap_set_mod( &mods, LDAP_MOD_DELETE, type, id_str );
- smbldap_set_mod( &mods, LDAP_MOD_ADD, type, new_id_str );
-
- if (mods == NULL) {
- DEBUG(0,("ldap_allocate_id: smbldap_set_mod() failed.\n"));
- goto out;
- }
-
- rc = smbldap_modify(ldap_state.smbldap_state, dn, mods);
-
- ldap_mods_free( mods, True );
- if (rc != LDAP_SUCCESS) {
- DEBUG(1,("ldap_allocate_id: Failed to allocate new %s. ldap_modify() failed.\n",
- type));
- goto out;
- }
-
- ret = NT_STATUS_OK;
-out:
- SAFE_FREE(dn);
- if (result != NULL)
- ldap_msgfree(result);
-
- return ret;
-}
-
-/*****************************************************************************
- get a sid from an id
-*****************************************************************************/
-
-static NTSTATUS ldap_get_sid_from_id(DOM_SID *sid, unid_t id, enum idmap_type id_type, int flags)
-{
- LDAPMessage *result = NULL;
- LDAPMessage *entry = NULL;
- pstring sid_str;
- pstring filter;
- pstring suffix;
- const char *type;
- int rc;
- int count;
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- const char **attr_list;
-
- if ( id_type == ID_USERID )
- type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_UIDNUMBER );
- else
- type = get_attr_key2string( idpool_attr_list, LDAP_ATTR_GIDNUMBER );
-
- pstrcpy( suffix, lp_ldap_idmap_suffix() );
- pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))",
- LDAP_OBJ_IDMAP_ENTRY, type,
- ((id_type & ID_USERID) ? (unsigned long)id.uid : (unsigned long)id.gid));
-
- attr_list = get_attr_list( NULL, sidmap_attr_list );
- rc = smbldap_search(ldap_state.smbldap_state, suffix, LDAP_SCOPE_SUBTREE,
- filter, attr_list, 0, &result);
-
- if (rc != LDAP_SUCCESS) {
- DEBUG(3,("ldap_get_isd_from_id: Failure looking up entry (%s)\n",
- ldap_err2string(rc) ));
- goto out;
- }
-
- count = ldap_count_entries(ldap_state.smbldap_state->ldap_struct, result);
-
- if (count != 1) {
- DEBUG(0,("ldap_get_sid_from_id: mapping not found for %s: %lu\n",
- type, ((id_type & ID_USERID) ? (unsigned long)id.uid :
- (unsigned long)id.gid)));
- goto out;
- }
-
- entry = ldap_first_entry(ldap_state.smbldap_state->ldap_struct, result);
-
- if ( !smbldap_get_single_pstring(ldap_state.smbldap_state->ldap_struct, entry, LDAP_ATTRIBUTE_SID, sid_str) )
- goto out;
-
- if (!string_to_sid(sid, sid_str))
- goto out;
-
- ret = NT_STATUS_OK;
-out:
- TALLOC_FREE( attr_list );
-
- if (result)
- ldap_msgfree(result);
-
- return ret;
-}
-
-/***********************************************************************
- Get an id from a sid - urg. This is assuming the *output* parameter id_type
- has been initialized with the correct needed type - ID_USERID or ID_GROUPID.
- This *sucks* and is bad design and needs fixing. JRA.
-***********************************************************************/
-
-static NTSTATUS ldap_get_id_from_sid(unid_t *id, enum idmap_type *id_type, const DOM_SID *sid, int flags)
-{
- LDAPMessage *result = NULL;
- LDAPMessage *entry = NULL;
- pstring sid_str;
- pstring filter;
- pstring id_str;
- const char *suffix;
- const char *type;
- int rc;
- int count;
- const char **attr_list;
- char *dn = NULL;
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
- sid_to_string(sid_str, sid);
-
- DEBUG(8,("ldap_get_id_from_sid: %s (%s)\n", sid_str,
- (*id_type & ID_GROUPID ? "group" : "user") ));
-
- suffix = lp_ldap_idmap_suffix();
- pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
- LDAP_OBJ_IDMAP_ENTRY, LDAP_ATTRIBUTE_SID, sid_str);
-
- if ( *id_type == ID_GROUPID )
- type = get_attr_key2string( sidmap_attr_list, LDAP_ATTR_GIDNUMBER );
- else
- type = get_attr_key2string( sidmap_attr_list, LDAP_ATTR_UIDNUMBER );
-
- /* do the search and check for errors */
-
- attr_list = get_attr_list( NULL, sidmap_attr_list );
- rc = smbldap_search(ldap_state.smbldap_state, suffix, LDAP_SCOPE_SUBTREE,
- filter, attr_list, 0, &result);
-
- if (rc != LDAP_SUCCESS) {
- DEBUG(3,("ldap_get_id_from_sid: Failure looking up idmap entry (%s)\n",
- ldap_err2string(rc) ));
- goto out;
- }
-
- /* check for the number of entries returned */
-
- count = ldap_count_entries(ldap_state.smbldap_state->ldap_struct, result);
-
- if ( count > 1 ) {
- DEBUG(0, ("ldap_get_id_from_sid: (2nd) search %s returned [%d] entries!\n",
- filter, count));
- goto out;
- }
-
- /* try to allocate a new id if we still haven't found one */
-
- if ( !count ) {
- int i;
-
- if (flags & IDMAP_FLAG_QUERY_ONLY) {
- DEBUG(5,("ldap_get_id_from_sid: No matching entry found and QUERY_ONLY flag set\n"));
- goto out;
- }
-
- DEBUG(8,("ldap_get_id_from_sid: Allocating new id\n"));
-
- for (i = 0; i < LDAP_MAX_ALLOC_ID; i++) {
- ret = ldap_allocate_id(id, *id_type);
- if ( NT_STATUS_IS_OK(ret) )
- break;
- }
-
- if ( !NT_STATUS_IS_OK(ret) ) {
- DEBUG(0,("ldap_allocate_id: cannot acquire id lock!\n"));
- goto out;
- }
-
- DEBUG(10,("ldap_get_id_from_sid: Allocated new %cid [%ul]\n",
- (*id_type & ID_GROUPID ? 'g' : 'u'), (uint32)id->uid ));
-
- ret = ldap_set_mapping(sid, *id, *id_type);
-
- /* all done */
-
- goto out;
- }
-
- DEBUG(10,("ldap_get_id_from_sid: success\n"));
-
- entry = ldap_first_entry(ldap_state.smbldap_state->ldap_struct, result);
-
- dn = smbldap_get_dn(ldap_state.smbldap_state->ldap_struct, result);
- if (!dn)
- goto out;
-
- DEBUG(10, ("Found mapping entry at dn=%s, looking for %s\n", dn, type));
-
- if ( smbldap_get_single_pstring(ldap_state.smbldap_state->ldap_struct, entry, type, id_str) ) {
- if ( (*id_type == ID_USERID) )
- id->uid = strtoul(id_str, NULL, 10);
- else
- id->gid = strtoul(id_str, NULL, 10);
-
- ret = NT_STATUS_OK;
- goto out;
- }
-
-out:
- TALLOC_FREE( attr_list );
- if (result)
- ldap_msgfree(result);
- SAFE_FREE(dn);
-
- return ret;
-}
-
-/**********************************************************************
- Verify the sambaUnixIdPool entry in the directiry.
-**********************************************************************/
-
-static NTSTATUS verify_idpool( void )
-{
- fstring filter;
- int rc;
- const char **attr_list;
- LDAPMessage *result = NULL;
- LDAPMod **mods = NULL;
- int count;
-
- fstr_sprintf( filter, "(objectclass=%s)", LDAP_OBJ_IDPOOL );
-
- attr_list = get_attr_list( NULL, idpool_attr_list );
- rc = smbldap_search(ldap_state.smbldap_state, lp_ldap_idmap_suffix(),
- LDAP_SCOPE_SUBTREE, filter, attr_list, 0, &result);
- TALLOC_FREE( attr_list );
-
- if (rc != LDAP_SUCCESS)
- return NT_STATUS_UNSUCCESSFUL;
-
- count = ldap_count_entries(ldap_state.smbldap_state->ldap_struct, result);
-
- ldap_msgfree(result);
-
- if ( count > 1 ) {
- DEBUG(0,("ldap_idmap_init: multiple entries returned from %s (base == %s)\n",
- filter, lp_ldap_idmap_suffix() ));
- return NT_STATUS_UNSUCCESSFUL;
- }
- else if (count == 0) {
- uid_t luid, huid;
- gid_t lgid, hgid;
- fstring uid_str, gid_str;
-
- if ( !lp_idmap_uid(&luid, &huid) || !lp_idmap_gid( &lgid, &hgid ) ) {
- DEBUG(0,("ldap_idmap_init: idmap uid/gid parameters not specified\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- fstr_sprintf( uid_str, "%lu", (unsigned long)luid );
- fstr_sprintf( gid_str, "%lu", (unsigned long)lgid );
-
- smbldap_set_mod( &mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_IDPOOL );
- smbldap_set_mod( &mods, LDAP_MOD_ADD,
- get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER), uid_str );
- smbldap_set_mod( &mods, LDAP_MOD_ADD,
- get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER), gid_str );
- if (mods) {
- rc = smbldap_modify(ldap_state.smbldap_state, lp_ldap_idmap_suffix(), mods);
- ldap_mods_free( mods, True );
- } else {
- return NT_STATUS_UNSUCCESSFUL;
- }
- }
-
- return ( rc==LDAP_SUCCESS ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL );
-}
-
-/*****************************************************************************
- Initialise idmap database.
-*****************************************************************************/
-
-static NTSTATUS ldap_idmap_init( const char *params )
-{
- NTSTATUS nt_status;
-
- ldap_state.mem_ctx = talloc_init("idmap_ldap");
- if (!ldap_state.mem_ctx) {
- return NT_STATUS_NO_MEMORY;
- }
-
- /* assume location is the only parameter */
- if (!NT_STATUS_IS_OK(nt_status =
- smbldap_init(ldap_state.mem_ctx, params,
- &ldap_state.smbldap_state))) {
- talloc_destroy(ldap_state.mem_ctx);
- return nt_status;
- }
-
- /* see if the idmap suffix and sub entries exists */
-
- nt_status = verify_idpool();
- if ( !NT_STATUS_IS_OK(nt_status) )
- return nt_status;
-
- return NT_STATUS_OK;
-}
-
-/*****************************************************************************
- End the LDAP session
-*****************************************************************************/
-
-static NTSTATUS ldap_idmap_close(void)
-{
-
- smbldap_free_struct(&(ldap_state).smbldap_state);
- talloc_destroy(ldap_state.mem_ctx);
-
- DEBUG(5,("The connection to the LDAP server was closed\n"));
- /* maybe free the results here --metze */
-
- return NT_STATUS_OK;
-}
-
-
-/* This function doesn't make as much sense in an LDAP world since the calling
- node doesn't really control the ID ranges */
-static void ldap_idmap_status(void)
-{
- DEBUG(0, ("LDAP IDMAP Status not available\n"));
-}
-
-static struct idmap_methods ldap_methods = {
- ldap_idmap_init,
- ldap_allocate_id,
- ldap_get_sid_from_id,
- ldap_get_id_from_sid,
- ldap_set_mapping,
- ldap_idmap_close,
- ldap_idmap_status
-
-};
-
-NTSTATUS idmap_ldap_init(void)
-{
- return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap", &ldap_methods);
-}
diff --git a/source3/sam/idmap_rid.c b/source3/sam/idmap_rid.c
deleted file mode 100644
index 84b32e3d3f..0000000000
--- a/source3/sam/idmap_rid.c
+++ /dev/null
@@ -1,561 +0,0 @@
-/*
- * idmap_rid: static map between Active Directory/NT RIDs and RFC 2307 accounts
- * Copyright (C) Guenther Deschner, 2004
- * Copyright (C) Sumit Bose, 2004
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- *
- */
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_IDMAP
-
-NTSTATUS init_module(void);
-
-struct dom_entry {
- fstring name;
- fstring sid;
- uint32 min_id;
- uint32 max_id;
-};
-
-typedef struct trust_dom_array {
- int number;
- struct dom_entry *dom;
-} trust_dom_array;
-
-static trust_dom_array trust;
-
-static NTSTATUS rid_idmap_parse(const char *init_param,
- uint32 num_domains,
- fstring *domain_names,
- DOM_SID *domain_sids,
- uid_t u_low,
- uid_t u_high)
-{
- const char *p;
- int i;
- fstring sid_str;
- BOOL known_domain = False;
- fstring tok;
-
- p = init_param;
- trust.number = 0;
-
- /* falling back to automatic mapping when there were no options given */
- if (!*init_param) {
-
- DEBUG(3,("rid_idmap_parse: no domain list given or trusted domain-support deactivated, falling back to automatic mapping for own domain:\n"));
-
- sid_to_string(sid_str, &domain_sids[0]);
-
- fstrcpy(trust.dom[0].name, domain_names[0]);
- fstrcpy(trust.dom[0].sid, sid_str);
- trust.dom[0].min_id = u_low;
- trust.dom[0].max_id = u_high;
- trust.number = 1;
-
- DEBUGADD(3,("rid_idmap_parse:\tdomain: [%s], sid: [%s], range=[%d-%d]\n",
- trust.dom[0].name, trust.dom[0].sid, trust.dom[0].min_id, trust.dom[0].max_id));
- return NT_STATUS_OK;
- }
-
- /* scan through the init_param-list */
- while (next_token(&init_param, tok, LIST_SEP, sizeof(tok))) {
-
- p = tok;
- DEBUG(3,("rid_idmap_parse: parsing entry: %d\n", trust.number));
-
- /* reinit sizes */
- trust.dom = SMB_REALLOC_ARRAY(trust.dom, struct dom_entry,
- trust.number+1);
-
- if ( trust.dom == NULL ) {
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!next_token(&p, tok, "=", sizeof(tok))) {
- DEBUG(0, ("rid_idmap_parse: no '=' sign found in domain list [%s]\n", init_param));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- /* add the name */
- fstrcpy(trust.dom[trust.number].name, tok);
- DEBUGADD(3,("rid_idmap_parse:\tentry %d has name: [%s]\n", trust.number, trust.dom[trust.number].name));
-
- /* add the domain-sid */
- for (i=0; i<num_domains; i++) {
-
- known_domain = False;
-
- if (strequal(domain_names[i], trust.dom[trust.number].name)) {
-
- sid_to_string(sid_str, &domain_sids[i]);
- fstrcpy(trust.dom[trust.number].sid, sid_str);
-
- DEBUGADD(3,("rid_idmap_parse:\tentry %d has sid: [%s]\n", trust.number, trust.dom[trust.number].sid));
- known_domain = True;
- break;
- }
- }
-
- if (!known_domain) {
- DEBUG(0,("rid_idmap_parse: your DC does not know anything about domain: [%s]\n", trust.dom[trust.number].name));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (!next_token(&p, tok, "-", sizeof(tok))) {
- DEBUG(0,("rid_idmap_parse: no mapping-range defined\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* add min_id */
- trust.dom[trust.number].min_id = atoi(tok);
- DEBUGADD(3,("rid_idmap_parse:\tentry %d has min_id: [%d]\n", trust.number, trust.dom[trust.number].min_id));
-
- /* add max_id */
- trust.dom[trust.number].max_id = atoi(p);
- DEBUGADD(3,("rid_idmap_parse:\tentry %d has max_id: [%d]\n", trust.number, trust.dom[trust.number].max_id));
-
- trust.number++;
- }
-
- return NT_STATUS_OK;
-
-}
-
-static NTSTATUS rid_idmap_get_domains(uint32 *num_domains, fstring **domain_names, DOM_SID **domain_sids)
-{
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
- struct cli_state *cli;
- struct rpc_pipe_client *pipe_hnd;
- TALLOC_CTX *mem_ctx;
- POLICY_HND pol;
- uint32 des_access = SEC_RIGHTS_MAXIMUM_ALLOWED;
- fstring dc_name;
- struct in_addr dc_ip;
- const char *password = NULL;
- const char *username = NULL;
- const char *domain = NULL;
- uint32 info_class = 5;
- char *domain_name = NULL;
- DOM_SID *domain_sid, sid;
- fstring sid_str;
- int i;
- uint32 trusted_num_domains = 0;
- char **trusted_domain_names;
- DOM_SID *trusted_domain_sids;
- uint32 enum_ctx = 0;
- int own_domains = 2;
-
- /* put the results together */
- *num_domains = 2;
- *domain_names = SMB_MALLOC_ARRAY(fstring, *num_domains);
- *domain_sids = SMB_MALLOC_ARRAY(DOM_SID, *num_domains);
-
- /* avoid calling a DC when trusted domains are not allowed anyway */
- if (!lp_allow_trusted_domains()) {
-
- fstrcpy((*domain_names)[0], lp_workgroup());
- if (!secrets_fetch_domain_sid(lp_workgroup(), &sid)) {
- DEBUG(0,("rid_idmap_get_domains: failed to retrieve domain sid\n"));
- return status;
- }
- sid_copy(&(*domain_sids)[0], &sid);
-
- /* add BUILTIN */
- fstrcpy((*domain_names)[1], "BUILTIN");
- sid_copy(&(*domain_sids)[1], &global_sid_Builtin);
-
- return NT_STATUS_OK;
- }
-
- /* create mem_ctx */
- if (!(mem_ctx = talloc_init("rid_idmap_get_trusted_domains"))) {
- DEBUG(0, ("rid_idmap_get_domains: talloc_init() failed\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!get_dc_name(lp_workgroup(), 0, dc_name, &dc_ip)) {
- DEBUG(1, ("rid_idmap_get_domains: could not get dc-name\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- /* open a connection to the dc */
- username = (char *)secrets_fetch(SECRETS_AUTH_USER, NULL);
- password = (char *)secrets_fetch(SECRETS_AUTH_PASSWORD, NULL);
- domain = (char *)secrets_fetch(SECRETS_AUTH_DOMAIN, NULL);
-
- if (username) {
-
- if (!domain)
- domain = smb_xstrdup(lp_workgroup());
-
- if (!password)
- password = smb_xstrdup("");
-
- DEBUG(3, ("rid_idmap_get_domains: IPC$ connections done by user %s\\%s\n", domain, username));
-
- } else {
-
- DEBUG(3, ("rid_idmap_get_domains: IPC$ connections done anonymously\n"));
- username = "";
- domain = "";
- password = "";
- }
-
- DEBUG(10, ("rid_idmap_get_domains: opening connection to [%s]\n", dc_name));
-
- status = cli_full_connection(&cli, global_myname(), dc_name,
- NULL, 0,
- "IPC$", "IPC",
- username,
- lp_workgroup(),
- password,
- CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK, True, NULL);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("rid_idmap_get_domains: could not setup connection to dc\n"));
- return status;
- }
-
- /* query the lsa-pipe */
- pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &status);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("rid_idmap_get_domains: could not setup connection to dc\n"));
- goto out;
- }
-
- /* query policies */
- status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, False, des_access,
- &pol);
- if (!NT_STATUS_IS_OK(status)) {
- goto out;
- }
-
- status = rpccli_lsa_query_info_policy(pipe_hnd, mem_ctx, &pol,
- info_class, &domain_name,
- &domain_sid);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("rid_idmap_get_domains: cannot retrieve domain-info\n"));
- goto out;
- }
-
- sid_to_string(sid_str, domain_sid);
- DEBUG(10,("rid_idmap_get_domains: my domain: [%s], sid: [%s]\n", domain_name, sid_str));
-
- /* scan trusted domains */
- DEBUG(10, ("rid_idmap_get_domains: enumerating trusted domains\n"));
- status = rpccli_lsa_enum_trust_dom(pipe_hnd, mem_ctx, &pol, &enum_ctx,
- &trusted_num_domains,
- &trusted_domain_names,
- &trusted_domain_sids);
-
- if (!NT_STATUS_IS_OK(status) &&
- !NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES) &&
- !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
- DEBUG(1, ("rid_idmap_get_domains: could not enumerate trusted domains\n"));
- goto out;
- }
-
- /* show trusted domains */
- DEBUG(10,("rid_idmap_get_domains: scan for trusted domains gave %d results:\n", trusted_num_domains));
- for (i=0; i<trusted_num_domains; i++) {
- sid_to_string(sid_str, &trusted_domain_sids[i]);
- DEBUGADD(10,("rid_idmap_get_domains:\t#%d\tDOMAIN: [%s], SID: [%s]\n",
- i, trusted_domain_names[i], sid_str));
- }
-
- if (!sid_equal(domain_sid, get_global_sam_sid()))
- ++own_domains;
-
- /* put the results together */
- *num_domains = trusted_num_domains + own_domains;
- *domain_names = SMB_REALLOC_ARRAY(*domain_names, fstring,
- *num_domains);
- if (!*domain_names) {
- goto out;
- }
- *domain_sids = SMB_REALLOC_ARRAY(*domain_sids, DOM_SID, *num_domains);
- if (!*domain_sids) {
- goto out;
- }
-
- /* first add mydomain */
- fstrcpy((*domain_names)[0], domain_name);
- sid_copy(&(*domain_sids)[0], domain_sid);
-
- /* then add BUILTIN */
- fstrcpy((*domain_names)[1], "BUILTIN");
- sid_copy(&(*domain_sids)[1], &global_sid_Builtin);
-
- /* then add my local sid */
- if (!sid_equal(domain_sid, get_global_sam_sid())) {
- fstrcpy((*domain_names)[2], global_myname());
- sid_copy(&(*domain_sids)[2], get_global_sam_sid());
- }
-
- /* add trusted domains */
- for (i=0; i<trusted_num_domains; i++) {
- fstrcpy((*domain_names)[i+own_domains], trusted_domain_names[i]);
- sid_copy(&((*domain_sids)[i+own_domains]), &(trusted_domain_sids[i]));
- }
-
- /* show complete domain list */
- DEBUG(5,("rid_idmap_get_domains: complete domain-list has %d entries:\n", *num_domains));
- for (i=0; i<*num_domains; i++) {
- sid_to_string(sid_str, &((*domain_sids)[i]));
- DEBUGADD(5,("rid_idmap_get_domains:\t#%d\tdomain: [%s], sid: [%s]\n",
- i, (*domain_names)[i], sid_str ));
- }
-
- status = NT_STATUS_OK;
-
-out:
- rpccli_lsa_Close(pipe_hnd, mem_ctx, &pol);
- cli_rpc_pipe_close(pipe_hnd);
- talloc_destroy(mem_ctx);
- cli_shutdown(cli);
-
- return status;
-}
-
-static NTSTATUS rid_idmap_init(const char *init_param)
-{
- int i, j;
- uid_t u_low, u_high;
- gid_t g_low, g_high;
- uint32 num_domains = 0;
- fstring *domain_names;
- DOM_SID *domain_sids;
- NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
- trust.dom = NULL;
-
- /* basic sanity checks */
- if (!lp_idmap_uid(&u_low, &u_high) || !lp_idmap_gid(&g_low, &g_high)) {
- DEBUG(0, ("rid_idmap_init: cannot get required global idmap-ranges.\n"));
- return nt_status;
- }
-
- if (u_low != g_low || u_high != g_high) {
- DEBUG(0, ("rid_idmap_init: range defined in \"idmap uid\" must match range of \"idmap gid\".\n"));
- return nt_status;
- }
-
- if (lp_allow_trusted_domains()) {
-#if IDMAP_RID_SUPPORT_TRUSTED_DOMAINS
- DEBUG(3,("rid_idmap_init: enabling trusted-domain-mapping\n"));
-#else
- DEBUG(0,("rid_idmap_init: idmap_rid does not work with trusted domains\n"));
- DEBUGADD(0,("rid_idmap_init: please set \"allow trusted domains\" to \"no\" when using idmap_rid\n"));
- return nt_status;
-#endif
- }
-
- /* init sizes */
- trust.dom = SMB_MALLOC_P(struct dom_entry);
- if (trust.dom == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- /* retrieve full domain list */
- nt_status = rid_idmap_get_domains(&num_domains, &domain_names, &domain_sids);
- if (!NT_STATUS_IS_OK(nt_status) &&
- !NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MORE_ENTRIES) &&
- !NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES)) {
- DEBUG(0, ("rid_idmap_init: cannot fetch sids for domain and/or trusted-domains from domain-controller.\n"));
- return nt_status;
- }
-
- /* parse the init string */
- nt_status = rid_idmap_parse(init_param, num_domains, domain_names, domain_sids, u_low, u_high);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("rid_idmap_init: cannot parse module-configuration\n"));
- goto out;
- }
-
- nt_status = NT_STATUS_INVALID_PARAMETER;
-
- /* some basic sanity checks */
- for (i=0; i<trust.number; i++) {
-
- if (trust.dom[i].min_id > trust.dom[i].max_id) {
- DEBUG(0, ("rid_idmap_init: min_id (%d) has to be smaller than max_id (%d) for domain [%s]\n",
- trust.dom[i].min_id, trust.dom[i].max_id, trust.dom[i].name));
- goto out;
- }
-
- if (trust.dom[i].min_id < u_low || trust.dom[i].max_id > u_high) {
- DEBUG(0, ("rid_idmap_init: mapping of domain [%s] (%d-%d) has to fit into global idmap range (%d-%d).\n",
- trust.dom[i].name, trust.dom[i].min_id, trust.dom[i].max_id, u_low, u_high));
- goto out;
- }
- }
-
- /* check for overlaps */
- for (i=0; i<trust.number-1; i++) {
- for (j=i+1; j<trust.number; j++) {
- if (trust.dom[i].min_id <= trust.dom[j].max_id && trust.dom[j].min_id <= trust.dom[i].max_id) {
- DEBUG(0, ("rid_idmap_init: the ranges of domain [%s] and [%s] overlap\n",
- trust.dom[i+1].name, trust.dom[i].name));
- goto out;
- }
- }
- }
-
- DEBUG(3, ("rid_idmap_init: using %d mappings:\n", trust.number));
- for (i=0; i<trust.number; i++) {
- DEBUGADD(3, ("rid_idmap_init:\tdomain: [%s], sid: [%s], min_id: [%d], max_id: [%d]\n",
- trust.dom[i].name, trust.dom[i].sid, trust.dom[i].min_id, trust.dom[i].max_id));
- }
-
- nt_status = NT_STATUS_OK;
-
-out:
- SAFE_FREE(domain_names);
- SAFE_FREE(domain_sids);
-
- return nt_status;
-}
-
-static NTSTATUS rid_idmap_get_sid_from_id(DOM_SID *sid, unid_t unid, enum idmap_type id_type, int flags)
-
-{
- fstring sid_string;
- int i;
- DOM_SID sidstr;
-
- /* find range */
- for (i=0; i<trust.number; i++) {
- if (trust.dom[i].min_id <= unid.uid && trust.dom[i].max_id >= unid.uid )
- break;
- }
-
- if (i == trust.number) {
- DEBUG(0,("rid_idmap_get_sid_from_id: no suitable range available for id: %d\n", unid.uid));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* use lower-end of idmap-range as offset for users and groups*/
- unid.uid -= trust.dom[i].min_id;
-
- if (!trust.dom[i].sid)
- return NT_STATUS_INVALID_PARAMETER;
-
- string_to_sid(&sidstr, trust.dom[i].sid);
- sid_copy(sid, &sidstr);
- if (!sid_append_rid( sid, (unsigned long)unid.uid )) {
- DEBUG(0,("rid_idmap_get_sid_from_id: could not append rid to domain sid\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- DEBUG(3, ("rid_idmap_get_sid_from_id: mapped POSIX %s %d to SID [%s]\n",
- (id_type == ID_GROUPID) ? "GID" : "UID", unid.uid,
- sid_to_string(sid_string, sid)));
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS rid_idmap_get_id_from_sid(unid_t *unid, enum idmap_type *id_type, const DOM_SID *sid, int flags)
-{
- fstring sid_string;
- int i;
- uint32 rid;
- DOM_SID sidstr;
-
- /* check if we have a mapping for the sid */
- for (i=0; i<trust.number; i++) {
- if (!trust.dom[i].sid) {
- return NT_STATUS_INVALID_PARAMETER;
- }
- string_to_sid(&sidstr, trust.dom[i].sid);
- if ( sid_compare_domain(sid, &sidstr) == 0 )
- break;
- }
-
- if (i == trust.number) {
- DEBUG(0,("rid_idmap_get_id_from_sid: no suitable range available for sid: %s\n",
- sid_string_static(sid)));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (!sid_peek_rid(sid, &rid)) {
- DEBUG(0,("rid_idmap_get_id_from_sid: could not peek rid\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* use lower-end of idmap-range as offset for users and groups */
- unid->uid = rid + trust.dom[i].min_id;
-
- if (unid->uid > trust.dom[i].max_id) {
- DEBUG(0,("rid_idmap_get_id_from_sid: rid: %d (%s: %d) too high for mapping of domain: %s (%d-%d)\n",
- rid, (*id_type == ID_GROUPID) ? "GID" : "UID", unid->uid, trust.dom[i].name,
- trust.dom[i].min_id, trust.dom[i].max_id));
- return NT_STATUS_INVALID_PARAMETER;
- }
- if (unid->uid < trust.dom[i].min_id) {
- DEBUG(0,("rid_idmap_get_id_from_sid: rid: %d (%s: %d) too low for mapping of domain: %s (%d-%d)\n",
- rid, (*id_type == ID_GROUPID) ? "GID" : "UID", unid->uid,
- trust.dom[i].name, trust.dom[i].min_id, trust.dom[i].max_id));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- DEBUG(3,("rid_idmap_get_id_from_sid: mapped SID [%s] to POSIX %s %d\n",
- sid_to_string(sid_string, sid),
- (*id_type == ID_GROUPID) ? "GID" : "UID", unid->uid));
-
- return NT_STATUS_OK;
-
-}
-
-static NTSTATUS rid_idmap_set_mapping(const DOM_SID *sid, unid_t id, enum idmap_type id_type)
-{
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static NTSTATUS rid_idmap_close(void)
-{
- SAFE_FREE(trust.dom);
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS rid_idmap_allocate_id(unid_t *id, enum idmap_type id_type)
-{
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static void rid_idmap_status(void)
-{
- DEBUG(0, ("RID IDMAP Status not available\n"));
-}
-
-static struct idmap_methods rid_methods = {
- rid_idmap_init,
- rid_idmap_allocate_id,
- rid_idmap_get_sid_from_id,
- rid_idmap_get_id_from_sid,
- rid_idmap_set_mapping,
- rid_idmap_close,
- rid_idmap_status
-};
-
-NTSTATUS idmap_rid_init(void)
-{
- return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "rid", &rid_methods);
-}
-
diff --git a/source3/sam/idmap_smbldap.c b/source3/sam/idmap_smbldap.c
deleted file mode 100644
index 9850921fa3..0000000000
--- a/source3/sam/idmap_smbldap.c
+++ /dev/null
@@ -1,447 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- idmap LDAP backend
-
- Copyright (C) Tim Potter 2000
- Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
- Copyright (C) Simo Sorce 2003
- Copyright (C) Gerald Carter 2003
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_IDMAP
-
-struct ldap_connection *ldap_conn = NULL;
-
-/* number tries while allocating new id */
-#define LDAP_MAX_ALLOC_ID 128
-
-
-/***********************************************************************
- This function cannot be called to modify a mapping, only set a new one
-***********************************************************************/
-
-static NTSTATUS ldap_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- pstring id_str;
- const char *type;
- fstring sid_string;
- struct ldap_message *msg;
- struct ldap_message *mod_res = NULL;
- char *mod;
-
- type = (id_type & ID_USERID) ? "uidNumber" : "gidNumber";
-
- sid_to_string( sid_string, sid );
-
- pstr_sprintf(id_str, "%lu",
- ((id_type & ID_USERID) ?
- (unsigned long)id.uid : (unsigned long)id.gid));
-
- asprintf(&mod,
- "dn: sambaSID=%s,%s\n"
- "changetype: add\n"
- "objectClass: sambaIdmapEntry\n"
- "objectClass: sambaSidEntry\n"
- "sambaSID: %s\n"
- "%s: %lu\n",
- sid_string, lp_ldap_idmap_suffix(), sid_string, type,
- ((id_type & ID_USERID) ?
- (unsigned long)id.uid : (unsigned long)id.gid));
-
- msg = ldap_ldif2msg(mod);
-
- SAFE_FREE(mod);
-
- if (msg == NULL)
- return NT_STATUS_NO_MEMORY;
-
- mod_res = ldap_transaction(ldap_conn, msg);
-
- if ((mod_res == NULL) || (mod_res->r.ModifyResponse.resultcode != 0))
- goto out;
-
- ret = NT_STATUS_OK;
- out:
- destroy_ldap_message(msg);
- destroy_ldap_message(mod_res);
- return ret;
-}
-
-/*****************************************************************************
- Allocate a new uid or gid
-*****************************************************************************/
-
-static NTSTATUS ldap_allocate_id(unid_t *id, enum idmap_type id_type)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- uid_t luid, huid;
- gid_t lgid, hgid;
- const char *attrs[] = { "uidNumber", "gidNumber" };
- struct ldap_message *idpool_s = NULL;
- struct ldap_message *idpool = NULL;
- struct ldap_message *mod_msg = NULL;
- struct ldap_message *mod_res = NULL;
- int value;
- const char *id_attrib;
- char *mod;
-
- if (id_type != ID_USERID && id_type != ID_GROUPID) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- id_attrib = (id_type == ID_USERID) ? "uidNumber" : "gidNumber";
-
- idpool_s = new_ldap_search_message(lp_ldap_suffix(),
- LDAP_SEARCH_SCOPE_SUB,
- "(objectclass=sambaUnixIdPool)",
- 2, attrs);
-
- if (idpool_s == NULL)
- return NT_STATUS_NO_MEMORY;
-
- idpool = ldap_searchone(ldap_conn, idpool_s, NULL);
-
- if (idpool == NULL)
- goto out;
-
- if (!ldap_find_single_int(idpool, id_attrib, &value))
- goto out;
-
- /* this must succeed or else we wouldn't have initialized */
-
- lp_idmap_uid( &luid, &huid);
- lp_idmap_gid( &lgid, &hgid);
-
- /* make sure we still have room to grow */
-
- if (id_type == ID_USERID) {
- id->uid = value;
- if (id->uid > huid ) {
- DEBUG(0,("ldap_allocate_id: Cannot allocate uid "
- "above %lu!\n", (unsigned long)huid));
- goto out;
- }
- }
- else {
- id->gid = value;
- if (id->gid > hgid ) {
- DEBUG(0,("ldap_allocate_id: Cannot allocate gid "
- "above %lu!\n", (unsigned long)hgid));
- goto out;
- }
- }
-
- asprintf(&mod,
- "dn: %s\n"
- "changetype: modify\n"
- "delete: %s\n"
- "%s: %d\n"
- "-\n"
- "add: %s\n"
- "%s: %d\n",
- idpool->r.SearchResultEntry.dn, id_attrib, id_attrib, value,
- id_attrib, id_attrib, value+1);
-
- mod_msg = ldap_ldif2msg(mod);
-
- SAFE_FREE(mod);
-
- if (mod_msg == NULL)
- goto out;
-
- mod_res = ldap_transaction(ldap_conn, mod_msg);
-
- if ((mod_res == NULL) || (mod_res->r.ModifyResponse.resultcode != 0))
- goto out;
-
- ret = NT_STATUS_OK;
-out:
- destroy_ldap_message(idpool_s);
- destroy_ldap_message(idpool);
- destroy_ldap_message(mod_msg);
- destroy_ldap_message(mod_res);
-
- return ret;
-}
-
-/*****************************************************************************
- get a sid from an id
-*****************************************************************************/
-
-static NTSTATUS ldap_get_sid_from_id(DOM_SID *sid, unid_t id, int id_type)
-{
- pstring filter;
- const char *type;
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- const char *attr_list[] = { "sambaSID" };
- struct ldap_message *msg;
- struct ldap_message *entry = NULL;
- char *sid_str;
-
- type = (id_type & ID_USERID) ? "uidNumber" : "gidNumber";
-
- pstr_sprintf(filter, "(&(objectClass=%s)(%s=%lu))", "sambaIdmapEntry",
- type,
- ((id_type & ID_USERID) ?
- (unsigned long)id.uid : (unsigned long)id.gid));
-
- msg = new_ldap_search_message(lp_ldap_idmap_suffix(),
- LDAP_SEARCH_SCOPE_SUB,
- filter, 1, attr_list);
-
- if (msg == NULL)
- return NT_STATUS_NO_MEMORY;
-
- entry = ldap_searchone(ldap_conn, msg, NULL);
-
- if (entry == NULL)
- goto out;
-
- if (!ldap_find_single_string(entry, "sambaSID", entry->mem_ctx,
- &sid_str))
- goto out;
-
- if (!string_to_sid(sid, sid_str))
- goto out;
-
- ret = NT_STATUS_OK;
-out:
- destroy_ldap_message(msg);
- destroy_ldap_message(entry);
-
- return ret;
-}
-
-/***********************************************************************
- Get an id from a sid
-***********************************************************************/
-
-static NTSTATUS ldap_get_id_from_sid(unid_t *id, int *id_type,
- const DOM_SID *sid)
-{
- pstring filter;
- const char *type;
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- struct ldap_message *msg;
- struct ldap_message *entry = NULL;
- int i;
-
- DEBUG(8,("ldap_get_id_from_sid: %s (%s)\n", sid_string_static(sid),
- (*id_type & ID_GROUPID ? "group" : "user") ));
-
- type = ((*id_type) & ID_USERID) ? "uidNumber" : "gidNumber";
-
- pstr_sprintf(filter, "(&(objectClass=%s)(%s=%s))",
- "sambaIdmapEntry", "sambaSID", sid_string_static(sid));
-
- msg = new_ldap_search_message(lp_ldap_idmap_suffix(),
- LDAP_SEARCH_SCOPE_SUB,
- filter, 1, &type);
-
- if (msg == NULL)
- return NT_STATUS_NO_MEMORY;
-
- entry = ldap_searchone(ldap_conn, msg, NULL);
-
- if (entry != NULL) {
- int value;
-
- if (!ldap_find_single_int(entry, type, &value))
- goto out;
-
- if ((*id_type) & ID_USERID)
- id->uid = value;
- else
- id->gid = value;
-
- ret = NT_STATUS_OK;
- goto out;
- }
-
- if ((*id_type) & ID_QUERY_ONLY)
- goto out;
-
- /* Allocate a new RID */
-
- for (i = 0; i < LDAP_MAX_ALLOC_ID; i++) {
- ret = ldap_allocate_id(id, *id_type);
- if ( NT_STATUS_IS_OK(ret) )
- break;
- }
-
- if ( !NT_STATUS_IS_OK(ret) ) {
- DEBUG(0,("Could not allocate id\n"));
- goto out;
- }
-
- DEBUG(10,("ldap_get_id_from_sid: Allocated new %cid [%ul]\n",
- (*id_type & ID_GROUPID ? 'g' : 'u'), (uint32)id->uid ));
-
- ret = ldap_set_mapping(sid, *id, *id_type);
-
-out:
- destroy_ldap_message(msg);
- destroy_ldap_message(entry);
-
- return ret;
-}
-
-/**********************************************************************
- Verify the sambaUnixIdPool entry in the directory.
-**********************************************************************/
-static NTSTATUS verify_idpool(void)
-{
- const char *attr_list[3] = { "uidnumber", "gidnumber", "objectclass" };
- BOOL result;
- char *mod;
- struct ldap_message *msg, *entry, *res;
-
- uid_t luid, huid;
- gid_t lgid, hgid;
-
- msg = new_ldap_search_message(lp_ldap_suffix(),
- LDAP_SEARCH_SCOPE_SUB,
- "(objectClass=sambaUnixIdPool)",
- 3, attr_list);
-
- if (msg == NULL)
- return NT_STATUS_NO_MEMORY;
-
- entry = ldap_searchone(ldap_conn, msg, NULL);
-
- result = (entry != NULL);
-
- destroy_ldap_message(msg);
- destroy_ldap_message(entry);
-
- if (result)
- return NT_STATUS_OK;
-
- if ( !lp_idmap_uid(&luid, &huid) || !lp_idmap_gid( &lgid, &hgid ) ) {
- DEBUG(3,("ldap_idmap_init: idmap uid/gid parameters not "
- "specified\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- asprintf(&mod,
- "dn: %s\n"
- "changetype: modify\n"
- "add: objectClass\n"
- "objectClass: sambaUnixIdPool\n"
- "-\n"
- "add: uidNumber\n"
- "uidNumber: %lu\n"
- "-\n"
- "add: gidNumber\n"
- "gidNumber: %lu\n",
- lp_ldap_idmap_suffix(),
- (unsigned long)luid, (unsigned long)lgid);
-
- msg = ldap_ldif2msg(mod);
-
- SAFE_FREE(mod);
-
- if (msg == NULL)
- return NT_STATUS_NO_MEMORY;
-
- res = ldap_transaction(ldap_conn, msg);
-
- if ((res == NULL) || (res->r.ModifyResponse.resultcode != 0)) {
- destroy_ldap_message(msg);
- destroy_ldap_message(res);
- DEBUG(5, ("Could not add sambaUnixIdPool\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- destroy_ldap_message(msg);
- destroy_ldap_message(res);
- return NT_STATUS_OK;
-}
-
-/*****************************************************************************
- Initialise idmap database.
-*****************************************************************************/
-
-static NTSTATUS ldap_idmap_init( char *params )
-{
- NTSTATUS nt_status;
- char *dn, *pw;
-
- ldap_conn = new_ldap_connection();
-
- if (!fetch_ldap_pw(&dn, &pw))
- return NT_STATUS_UNSUCCESSFUL;
-
- ldap_conn->auth_dn = talloc_strdup(ldap_conn->mem_ctx, dn);
- ldap_conn->simple_pw = talloc_strdup(ldap_conn->mem_ctx, pw);
-
- SAFE_FREE(dn);
- SAFE_FREE(pw);
-
- if (!ldap_setup_connection(ldap_conn, params, NULL, NULL))
- return NT_STATUS_UNSUCCESSFUL;
-
- /* see if the idmap suffix and sub entries exists */
-
- nt_status = verify_idpool();
- if ( !NT_STATUS_IS_OK(nt_status) )
- return nt_status;
-
- return NT_STATUS_OK;
-}
-
-/*****************************************************************************
- End the LDAP session
-*****************************************************************************/
-
-static NTSTATUS ldap_idmap_close(void)
-{
-
- DEBUG(5,("The connection to the LDAP server was closed\n"));
- /* maybe free the results here --metze */
-
- return NT_STATUS_OK;
-}
-
-
-/* This function doesn't make as much sense in an LDAP world since the calling
- node doesn't really control the ID ranges */
-static void ldap_idmap_status(void)
-{
- DEBUG(0, ("LDAP IDMAP Status not available\n"));
-}
-
-static struct idmap_methods ldap_methods = {
- ldap_idmap_init,
- ldap_allocate_id,
- ldap_get_sid_from_id,
- ldap_get_id_from_sid,
- ldap_set_mapping,
- ldap_idmap_close,
- ldap_idmap_status
-
-};
-
-NTSTATUS idmap_smbldap_init(void)
-{
- return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "smbldap", &ldap_methods);
-}
diff --git a/source3/sam/idmap_tdb.c b/source3/sam/idmap_tdb.c
deleted file mode 100644
index 02a3178d61..0000000000
--- a/source3/sam/idmap_tdb.c
+++ /dev/null
@@ -1,693 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- idmap TDB backend
-
- Copyright (C) Tim Potter 2000
- Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
- Copyright (C) Simo Sorce 2003
- Copyright (C) Jeremy Allison 2006
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_IDMAP
-
-/* High water mark keys */
-#define HWM_GROUP "GROUP HWM"
-#define HWM_USER "USER HWM"
-
-/* Globals */
-static TDB_CONTEXT *idmap_tdb;
-
-static struct idmap_state {
-
- /* User and group id pool */
-
- uid_t uid_low, uid_high; /* Range of uids to allocate */
- gid_t gid_low, gid_high; /* Range of gids to allocate */
-} idmap_state;
-
-/**********************************************************************
- Allocate either a user or group id from the pool
-**********************************************************************/
-
-static NTSTATUS db_allocate_id(unid_t *id, enum idmap_type id_type)
-{
- BOOL ret;
- int hwm;
-
- /* Get current high water mark */
- switch (id_type) {
- case ID_USERID:
-
- if ((hwm = tdb_fetch_int32(idmap_tdb, HWM_USER)) == -1) {
- return NT_STATUS_INTERNAL_DB_ERROR;
- }
-
- /* check it is in the range */
- if (hwm > idmap_state.uid_high) {
- DEBUG(0, ("idmap Fatal Error: UID range full!! (max: %lu)\n",
- (unsigned long)idmap_state.uid_high));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- /* fetch a new id and increment it */
- ret = tdb_change_uint32_atomic(idmap_tdb, HWM_USER, (unsigned int *)&hwm, 1);
- if (!ret) {
- DEBUG(0, ("idmap_tdb: Fatal error while fetching a new id\n!"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- /* recheck it is in the range */
- if (hwm > idmap_state.uid_high) {
- DEBUG(0, ("idmap Fatal Error: UID range full!! (max: %lu)\n",
- (unsigned long)idmap_state.uid_high));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- (*id).uid = hwm;
- DEBUG(10,("db_allocate_id: ID_USERID (*id).uid = %d\n", (unsigned int)hwm));
-
- break;
- case ID_GROUPID:
- if ((hwm = tdb_fetch_int32(idmap_tdb, HWM_GROUP)) == -1) {
- return NT_STATUS_INTERNAL_DB_ERROR;
- }
-
- /* check it is in the range */
- if (hwm > idmap_state.gid_high) {
- DEBUG(0, ("idmap Fatal Error: GID range full!! (max: %lu)\n",
- (unsigned long)idmap_state.gid_high));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- /* fetch a new id and increment it */
- ret = tdb_change_uint32_atomic(idmap_tdb, HWM_GROUP, (unsigned int *)&hwm, 1);
-
- if (!ret) {
- DEBUG(0, ("idmap_tdb: Fatal error while fetching a new id\n!"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- /* recheck it is in the range */
- if (hwm > idmap_state.gid_high) {
- DEBUG(0, ("idmap Fatal Error: GID range full!! (max: %lu)\n",
- (unsigned long)idmap_state.gid_high));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- (*id).gid = hwm;
- DEBUG(10,("db_allocate_id: ID_GROUPID (*id).gid = %d\n", (unsigned int)hwm));
-
- break;
- default:
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- return NT_STATUS_OK;
-}
-
-/* Get a sid from an id - internal non-reverse map checking function. */
-
-static NTSTATUS db_internal_get_sid_from_id(DOM_SID *sid, unid_t id, enum idmap_type id_type)
-{
- TDB_DATA key, data;
- TALLOC_CTX *memctx;
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
- if ((memctx = talloc_new(NULL)) == NULL) {
- DEBUG(0, ("ERROR: Out of memory!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- switch (id_type) {
- case ID_USERID:
- key.dptr = talloc_asprintf(memctx, "UID %lu", (unsigned long)id.uid);
- break;
- case ID_GROUPID:
- key.dptr = talloc_asprintf(memctx, "GID %lu", (unsigned long)id.gid);
- break;
- default:
- ret = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
-
- if (key.dptr == NULL) {
- DEBUG(0, ("ERROR: Out of memory!\n"));
- ret = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- key.dsize = strlen(key.dptr) + 1;
-
- DEBUG(10,("db_internal_get_sid_from_id: fetching record %s\n", key.dptr));
-
- data = tdb_fetch(idmap_tdb, key);
-
- if (data.dptr) {
- if (string_to_sid(sid, data.dptr)) {
- DEBUG(10,("db_internal_get_sid_from_id: fetching record %s -> %s\n", key.dptr, data.dptr ));
- ret = NT_STATUS_OK;
- }
- SAFE_FREE(data.dptr);
- }
-
-done:
- talloc_free(memctx);
- return ret;
-}
-
-/* Get an id from a sid - internal non-reverse map checking function. */
-
-static NTSTATUS db_internal_get_id_from_sid(unid_t *id, enum idmap_type *id_type, const DOM_SID *sid)
-{
- NTSTATUS ret;
- TDB_DATA key, data;
- TALLOC_CTX *memctx;
- unsigned long rec_id;
-
- if ((memctx = talloc_new(NULL)) == NULL) {
- DEBUG(0, ("ERROR: Out of memory!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- /* Check if sid is present in database */
- if ((key.dptr = talloc_asprintf(memctx, "%s", sid_string_static(sid))) == NULL) {
- DEBUG(0, ("ERROR: Out of memory!\n"));
- ret = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- key.dsize = strlen(key.dptr) + 1;
-
- DEBUG(10,("db_internal_get_id_from_sid: fetching record %s\n", key.dptr));
-
- data = tdb_fetch(idmap_tdb, key);
- if (!data.dptr) {
- DEBUG(10,("db_internal_get_id_from_sid: record %s not found\n", key.dptr));
- ret = NT_STATUS_NO_SUCH_USER;
- goto done;
- } else {
- DEBUG(10,("db_internal_get_id_from_sid: record %s -> %s\n", key.dptr, data.dptr));
- }
-
- /* What type of record is this ? */
-
- /* Try and parse and return a uid */
- if (sscanf(data.dptr, "UID %lu", &rec_id) == 1) {
- id->uid = (uid_t)rec_id;
- *id_type = ID_USERID;
- DEBUG(10,("db_internal_get_id_from_sid: fetching uid record %s -> %s \n",
- key.dptr, data.dptr ));
- ret = NT_STATUS_OK;
- } else if (sscanf(data.dptr, "GID %lu", &rec_id) == 1) { /* Try a GID record. */
- id->gid = (uid_t)rec_id;
- *id_type = ID_GROUPID;
- DEBUG(10,("db_internal_get_id_from_sid: fetching gid record %s -> %s \n",
- key.dptr, data.dptr ));
- ret = NT_STATUS_OK;
- } else {
- /* Unknown record type ! */
- ret = NT_STATUS_INTERNAL_DB_ERROR;
- }
-
- SAFE_FREE(data.dptr);
-
-done:
- talloc_free(memctx);
- return ret;
-}
-
-/* Get a sid from an id - internal non-reverse map checking function. */
-
-static NTSTATUS db_get_sid_from_id(DOM_SID *sid, unid_t id, enum idmap_type id_type, int flags)
-{
- NTSTATUS ret;
- unid_t tmp_id;
- enum idmap_type tmp_id_type;
-
- ret = db_internal_get_sid_from_id(sid, id, id_type);
-
- if (!NT_STATUS_IS_OK(ret)) {
- return ret;
- }
-
- /* Ensure the reverse mapping exists. */
-
- ret = db_internal_get_id_from_sid(&tmp_id, &tmp_id_type, sid);
- if (NT_STATUS_IS_OK(ret)) {
- /* Check the reverse mapping is the same. */
- if (tmp_id.uid != id.uid || tmp_id_type != id_type) {
- DEBUG(10,("db_get_sid_from_id: reverse mapping mismatch "
- "tmp_id = %u, id = %u, tmp_id_type = %u, id_type = %u\n",
- (unsigned int)tmp_id.uid, (unsigned int)id.uid,
- (unsigned int)tmp_id_type, (unsigned int)id_type ));
- return NT_STATUS_NO_SUCH_USER;
- }
- }
-
- return ret;
-}
-
-/***********************************************************************
- Why is this function internal and not part of the interface ?????
- This *sucks* and is bad design and needs fixing. JRA.
-***********************************************************************/
-
-static NTSTATUS db_internal_allocate_new_id_for_sid(unid_t *id, enum idmap_type *id_type, const DOM_SID *sid)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- TDB_DATA sid_data;
- TDB_DATA ugid_data;
- TALLOC_CTX *memctx;
-
- if ((memctx = talloc_new(NULL)) == NULL) {
- DEBUG(0, ("ERROR: Out of memory!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- if ((sid_data.dptr = talloc_asprintf(memctx, "%s", sid_string_static(sid))) == NULL) {
- DEBUG(0, ("ERROR: Out of memory!\n"));
- talloc_free(memctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- sid_data.dsize = strlen(sid_data.dptr) + 1;
-
- /* Lock the record for this SID. */
- if (tdb_chainlock(idmap_tdb, sid_data) != 0) {
- DEBUG(10,("db_internal_allocate_new_id_for_sid: failed to lock record %s. Error %s\n",
- sid_data.dptr, tdb_errorstr(idmap_tdb) ));
- talloc_free(memctx);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- do {
- /* Allocate a new id for this sid */
- ret = db_allocate_id(id, *id_type);
- if (!NT_STATUS_IS_OK(ret)) {
- goto done;
- }
-
- /* Store the UID side */
- /* Store new id */
- if (*id_type == ID_USERID) {
- ugid_data.dptr = talloc_asprintf(memctx, "UID %lu",
- (unsigned long)((*id).uid));
- } else {
- ugid_data.dptr = talloc_asprintf(memctx, "GID %lu",
- (unsigned long)((*id).gid));
- }
-
- if (ugid_data.dptr == NULL) {
- DEBUG(0, ("ERROR: Out of memory!\n"));
- ret = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- ugid_data.dsize = strlen(ugid_data.dptr) + 1;
-
- DEBUG(10,("db_internal_allocate_new_id_for_sid: storing %s -> %s\n",
- ugid_data.dptr, sid_data.dptr ));
-
- if (tdb_store(idmap_tdb, ugid_data, sid_data, TDB_INSERT) != -1) {
- ret = NT_STATUS_OK;
- break;
- }
- if (tdb_error(idmap_tdb) != TDB_ERR_EXISTS) {
- DEBUG(10,("db_internal_allocate_new_id_for_sid: error %s\n", tdb_errorstr(idmap_tdb)));
- }
-
- ret = NT_STATUS_INTERNAL_DB_ERROR;
-
- } while (tdb_error(idmap_tdb) == TDB_ERR_EXISTS);
-
- if (NT_STATUS_IS_OK(ret)) {
- DEBUG(10,("db_internal_allocate_new_id_for_sid: storing %s -> %s\n",
- sid_data.dptr, ugid_data.dptr ));
-
- if (tdb_store(idmap_tdb, sid_data, ugid_data, TDB_REPLACE) == -1) {
- DEBUG(10,("db_internal_allocate_new_id_for_sid: error %s\n", tdb_errorstr(idmap_tdb) ));
- ret = NT_STATUS_INTERNAL_DB_ERROR;
- }
- }
-
- done:
-
- tdb_chainunlock(idmap_tdb, sid_data);
- talloc_free(memctx);
-
- return ret;
-}
-
-/***********************************************************************
- Get an id from a sid - urg. This is assuming the *output* parameter id_type
- has been initialized with the correct needed type - ID_USERID or ID_GROUPID.
- This function also allocates new mappings ! WTF ??????
- This *sucks* and is bad design and needs fixing. JRA.
-***********************************************************************/
-
-static NTSTATUS db_get_id_from_sid(unid_t *id, enum idmap_type *id_type, const DOM_SID *sid, int flags)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- enum idmap_type tmp_id_type = *id_type;
-
- DEBUG(10,("db_get_id_from_sid %s\n", sid_string_static(sid)));
-
- ret = db_internal_get_id_from_sid(id, &tmp_id_type, sid);
-
- if (NT_STATUS_IS_OK(ret)) {
- DOM_SID sid_tmp;
-
- /* Check the reverse mapping is the same. Remember *id_type was set as a parameter
- to this call... */
- if (tmp_id_type != *id_type) {
- DEBUG(10,("db_get_sid_from_id: sid %s reverse mapping mismatch "
- "tmp_id_type = %u, id_type = %u\n",
- sid_string_static(sid),
- (unsigned int)tmp_id_type, (unsigned int)(*id_type) ));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- ret = db_internal_get_sid_from_id(&sid_tmp, *id, *id_type);
- if (NT_STATUS_IS_OK(ret)) {
- if (!sid_equal(&sid_tmp, sid)) {
- DEBUG(10,("db_get_sid_from_id: sid %s reverse mapping SID mismatch"
- "id = %u, id_type = %u\n",
- sid_string_static(sid),
- (unsigned int)id->uid, (unsigned int)(*id_type) ));
- return NT_STATUS_NO_SUCH_USER;
- }
- }
- return ret;
- }
-
- if (flags & IDMAP_FLAG_QUERY_ONLY) {
- return ret;
- }
-
- /* We're in to bad design territory.... This call is now
- *allocating* and storing a new mapping for sid -> id. This SHOULD
- NOT BE DONE HERE ! There needs to be a separate upper
- level call for this... I think the reason this was badly
- designed this way was the desire to reuse cache code with
- a tdb idmap implementation. They MUST be separated ! JRA */
-
- return db_internal_allocate_new_id_for_sid(id, id_type, sid);
-}
-
-static NTSTATUS db_set_mapping(const DOM_SID *sid, unid_t id, enum idmap_type id_type)
-{
- NTSTATUS ret;
- TDB_DATA ksid, kid, data;
- TALLOC_CTX *memctx;
-
- DEBUG(10,("db_set_mapping: id_type = 0x%x\n", (unsigned int)id_type));
-
- if ((memctx = talloc_new(NULL)) == NULL) {
- DEBUG(0, ("ERROR: Out of memory!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- if ((ksid.dptr = talloc_asprintf(memctx, "%s", sid_string_static(sid))) == NULL) {
- DEBUG(0, ("ERROR: Out of memory!\n"));
- ret = NT_STATUS_NO_MEMORY;
- goto done;
- }
- ksid.dsize = strlen(ksid.dptr) + 1;
-
- if (id_type == ID_USERID) {
- kid.dptr = talloc_asprintf(memctx, "UID %lu", (unsigned long)id.uid);
- } else {
- kid.dptr = talloc_asprintf(memctx, "GID %lu", (unsigned long)id.gid);
- }
-
- if (kid.dptr == NULL) {
- DEBUG(0, ("ERROR: Out of memory!\n"));
- ret = NT_STATUS_NO_MEMORY;
- goto done;
- }
- kid.dsize = strlen(kid.dptr) + 1;
-
- /* *DELETE* prevoius mappings if any.
- * This is done both SID and [U|G]ID passed in */
-
- /* Lock the record for this SID. */
- if (tdb_chainlock(idmap_tdb, ksid) != 0) {
- DEBUG(10,("db_set_mapping: failed to lock record %s. Error %s\n",
- ksid.dptr, tdb_errorstr(idmap_tdb) ));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- DEBUG(10,("db_set_mapping: fetching %s\n", ksid.dptr));
-
- data = tdb_fetch(idmap_tdb, ksid);
- if (data.dptr) {
- DEBUG(10,("db_set_mapping: deleting %s and %s\n", data.dptr, ksid.dptr ));
- tdb_delete(idmap_tdb, data);
- tdb_delete(idmap_tdb, ksid);
- SAFE_FREE(data.dptr);
- }
- data = tdb_fetch(idmap_tdb, kid);
- if (data.dptr) {
- DEBUG(10,("db_set_mapping: deleting %s and %s\n", data.dptr, kid.dptr ));
- tdb_delete(idmap_tdb, data);
- tdb_delete(idmap_tdb, kid);
- SAFE_FREE(data.dptr);
- }
-
- if (tdb_store(idmap_tdb, ksid, kid, TDB_INSERT) == -1) {
- DEBUG(0, ("idb_set_mapping: tdb_store 1 error: %s\n", tdb_errorstr(idmap_tdb)));
- tdb_chainunlock(idmap_tdb, ksid);
- ret = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
- if (tdb_store(idmap_tdb, kid, ksid, TDB_INSERT) == -1) {
- DEBUG(0, ("idb_set_mapping: tdb_store 2 error: %s\n", tdb_errorstr(idmap_tdb)));
- tdb_chainunlock(idmap_tdb, ksid);
- ret = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
-
- tdb_chainunlock(idmap_tdb, ksid);
- DEBUG(10,("db_set_mapping: stored %s -> %s and %s -> %s\n", ksid.dptr, kid.dptr, kid.dptr, ksid.dptr ));
- ret = NT_STATUS_OK;
-done:
- talloc_free(memctx);
- return ret;
-}
-
-/*****************************************************************************
- Initialise idmap database.
-*****************************************************************************/
-
-static NTSTATUS db_idmap_init( const char *params )
-{
- SMB_STRUCT_STAT stbuf;
- char *tdbfile = NULL;
- int32 version;
- BOOL tdb_is_new = False;
-
- /* use the old database if present */
- tdbfile = SMB_STRDUP(lock_path("winbindd_idmap.tdb"));
- if (!tdbfile) {
- DEBUG(0, ("idmap_init: out of memory!\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!file_exist(tdbfile, &stbuf)) {
- tdb_is_new = True;
- }
-
- DEBUG(10,("db_idmap_init: Opening tdbfile %s\n", tdbfile ));
-
- /* Open idmap repository */
- if (!(idmap_tdb = tdb_open_log(tdbfile, 0,
- TDB_DEFAULT, O_RDWR | O_CREAT,
- 0644))) {
- DEBUG(0, ("idmap_init: Unable to open idmap database\n"));
- SAFE_FREE(tdbfile);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- SAFE_FREE(tdbfile);
-
- if (tdb_is_new) {
- /* the file didn't existed before opening it, let's
- * store idmap version as nobody else yet opened and
- * stored it. I do not like this method but didn't
- * found a way to understand if an opened tdb have
- * been just created or not --- SSS */
- tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION);
- }
-
- /* check against earlier versions */
- version = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION");
- if (version != IDMAP_VERSION) {
- DEBUG(0, ("idmap_init: Unable to open idmap database, it's in an old format!\n"));
- return NT_STATUS_INTERNAL_DB_ERROR;
- }
-
- /* Create high water marks for group and user id */
- if (!lp_idmap_uid(&idmap_state.uid_low, &idmap_state.uid_high)) {
- DEBUG(1, ("idmap uid range missing or invalid\n"));
- DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
- } else {
- if (tdb_fetch_int32(idmap_tdb, HWM_USER) == -1) {
- if (tdb_store_int32(idmap_tdb, HWM_USER, idmap_state.uid_low) == -1) {
- DEBUG(0, ("idmap_init: Unable to initialise user hwm in idmap database\n"));
- return NT_STATUS_INTERNAL_DB_ERROR;
- }
- }
- }
-
- if (!lp_idmap_gid(&idmap_state.gid_low, &idmap_state.gid_high)) {
- DEBUG(1, ("idmap gid range missing or invalid\n"));
- DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
- } else {
- if (tdb_fetch_int32(idmap_tdb, HWM_GROUP) == -1) {
- if (tdb_store_int32(idmap_tdb, HWM_GROUP, idmap_state.gid_low) == -1) {
- DEBUG(0, ("idmap_init: Unable to initialise group hwm in idmap database\n"));
- return NT_STATUS_INTERNAL_DB_ERROR;
- }
- }
- }
-
- return NT_STATUS_OK;
-}
-
-/* Close the tdb */
-static NTSTATUS db_idmap_close(void)
-{
- if (idmap_tdb) {
- if (tdb_close(idmap_tdb) == 0) {
- return NT_STATUS_OK;
- } else {
- return NT_STATUS_UNSUCCESSFUL;
- }
- }
- return NT_STATUS_OK;
-}
-
-
-/* Dump status information to log file. Display different stuff based on
- the debug level:
-
- Debug Level Information Displayed
- =================================================================
- 0 Percentage of [ug]id range allocated
- 0 High water marks (next allocated ids)
-*/
-
-#define DUMP_INFO 0
-
-static void db_idmap_status(void)
-{
- int user_hwm, group_hwm;
-
- DEBUG(0, ("winbindd idmap status:\n"));
-
- /* Get current high water marks */
-
- if ((user_hwm = tdb_fetch_int32(idmap_tdb, HWM_USER)) == -1) {
- DEBUG(DUMP_INFO,
- ("\tCould not get userid high water mark!\n"));
- }
-
- if ((group_hwm = tdb_fetch_int32(idmap_tdb, HWM_GROUP)) == -1) {
- DEBUG(DUMP_INFO,
- ("\tCould not get groupid high water mark!\n"));
- }
-
- /* Display next ids to allocate */
-
- if (user_hwm != -1) {
- DEBUG(DUMP_INFO,
- ("\tNext userid to allocate is %d\n", user_hwm));
- }
-
- if (group_hwm != -1) {
- DEBUG(DUMP_INFO,
- ("\tNext groupid to allocate is %d\n", group_hwm));
- }
-
- /* Display percentage of id range already allocated. */
-
- if (user_hwm != -1) {
- int num_users = user_hwm - idmap_state.uid_low;
- int total_users =
- idmap_state.uid_high - idmap_state.uid_low;
-
- DEBUG(DUMP_INFO,
- ("\tUser id range is %d%% full (%d of %d)\n",
- num_users * 100 / total_users, num_users,
- total_users));
- }
-
- if (group_hwm != -1) {
- int num_groups = group_hwm - idmap_state.gid_low;
- int total_groups =
- idmap_state.gid_high - idmap_state.gid_low;
-
- DEBUG(DUMP_INFO,
- ("\tGroup id range is %d%% full (%d of %d)\n",
- num_groups * 100 / total_groups, num_groups,
- total_groups));
- }
-
- /* Display complete mapping of users and groups to rids */
-}
-
-/**********************************************************************
- Return the TDB_CONTEXT* for winbindd_idmap. I **really** feel
- dirty doing this, but not so dirty that I want to create another
- tdb
-***********************************************************************/
-
-TDB_CONTEXT *idmap_tdb_handle( void )
-{
- if ( idmap_tdb )
- return idmap_tdb;
-
- /* go ahead an open it; db_idmap_init() doesn't use any params
- right now */
-
- db_idmap_init( NULL );
- if ( idmap_tdb )
- return idmap_tdb;
-
- return NULL;
-}
-
-static struct idmap_methods db_methods = {
-
- db_idmap_init,
- db_allocate_id,
- db_get_sid_from_id,
- db_get_id_from_sid,
- db_set_mapping,
- db_idmap_close,
- db_idmap_status
-
-};
-
-NTSTATUS idmap_tdb_init(void)
-{
- return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "tdb", &db_methods);
-}
diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c
deleted file mode 100644
index 8320b294f8..0000000000
--- a/source3/sam/idmap_util.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- ID Mapping
- Copyright (C) Simo Sorce 2003
- Copyright (C) Jeremy Allison 2006
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.*/
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_IDMAP
-
-/*****************************************************************
- Returns SID pointer.
-*****************************************************************/
-
-NTSTATUS idmap_uid_to_sid(DOM_SID *sid, uid_t uid, int flags)
-{
- unid_t id;
-
- DEBUG(10,("idmap_uid_to_sid: uid = [%lu]\n", (unsigned long)uid));
-
- id.uid = uid;
-
- return idmap_get_sid_from_id(sid, id, ID_USERID, flags);
-}
-
-/*****************************************************************
- Group mapping is used for gids that maps to Wellknown SIDs
- Returns SID pointer.
-*****************************************************************/
-
-NTSTATUS idmap_gid_to_sid(DOM_SID *sid, gid_t gid, int flags)
-{
- unid_t id;
-
- DEBUG(10,("idmap_gid_to_sid: gid = [%lu]\n", (unsigned long)gid));
-
- id.gid = gid;
-
- return idmap_get_sid_from_id(sid, id, ID_GROUPID, flags);
-}
-
-/*****************************************************************
- if it is a foreign sid or it is in idmap rid range check idmap,
- otherwise falls back to the legacy algorithmic mapping.
- Returns True if this name is a user sid and the conversion
- was done correctly, False if not.
-*****************************************************************/
-
-NTSTATUS idmap_sid_to_uid(const DOM_SID *sid, uid_t *uid, int flags)
-{
- NTSTATUS ret;
- enum idmap_type id_type;
- unid_t id;
-
- DEBUG(10,("idmap_sid_to_uid: sid = [%s]\n", sid_string_static(sid)));
-
- /* For the LDAP and tdb backends we must *KNOW* what we're looking for.
- This interface design *SUCKS* ! JRA. */
-
- id_type = ID_USERID;
- ret = idmap_get_id_from_sid(&id, &id_type, sid, flags);
-
- if (!NT_STATUS_IS_OK(ret)) {
- return ret;
- }
-
- if (id_type != ID_USERID) {
- return NT_STATUS_NONE_MAPPED;
- }
-
- DEBUG(10,("idmap_sid_to_uid: uid = [%lu]\n", (unsigned long)id.uid));
- *uid = id.uid;
-
- return NT_STATUS_OK;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert SID to gid function.
- if it is a foreign sid or it is in idmap rid range check idmap,
- otherwise falls back to the legacy algorithmic mapping.
- Group mapping is used for gids that maps to Wellknown SIDs
- Returns True if this name is a user sid and the conversion
- was done correctly, False if not.
-*****************************************************************/
-
-NTSTATUS idmap_sid_to_gid(const DOM_SID *sid, gid_t *gid, int flags)
-{
- NTSTATUS ret;
- enum idmap_type id_type;
- unid_t id;
-
- DEBUG(10,("sid_to_gid: sid = [%s]\n", sid_string_static(sid)));
-
- /* For the LDAP and tdb backends we must *KNOW* what we're looking for.
- This interface design *SUCKS* ! JRA. */
-
- id_type = ID_GROUPID;
- ret = idmap_get_id_from_sid(&id, &id_type, sid, flags);
-
- if (!NT_STATUS_IS_OK(ret)) {
- return ret;
- }
-
- if (id_type != ID_GROUPID) {
- return NT_STATUS_NONE_MAPPED;
- }
-
- DEBUG(10,("idmap_sid_to_gid: gid = [%lu]\n", (unsigned long)id.gid));
- *gid = id.gid;
-
- return NT_STATUS_OK;
-}
diff --git a/source3/sam/nss_info.c b/source3/sam/nss_info.c
deleted file mode 100644
index 6d01916754..0000000000
--- a/source3/sam/nss_info.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- nss info helpers
- Copyright (C) Guenther Deschner 2006
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.*/
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_IDMAP
-
-static enum wb_posix_mapping wb_posix_map_type(const char *map_str)
-{
- if (strequal(map_str, "template"))
- return WB_POSIX_MAP_TEMPLATE;
- else if (strequal(map_str, "sfu"))
- return WB_POSIX_MAP_SFU;
- else if (strequal(map_str, "rfc2307"))
- return WB_POSIX_MAP_RFC2307;
- else if (strequal(map_str, "unixinfo"))
- return WB_POSIX_MAP_UNIXINFO;
-
- return WB_POSIX_MAP_UNKNOWN;
-}
-
-/* winbind nss info = rfc2307 SO36:sfu FHAIN:rfc2307 PANKOW:template
- *
- * syntax is:
- * 1st param: default setting
- * following ":" separated list elements:
- * DOMAIN:setting
- * setting can be one of "sfu", "rfc2307", "template", "unixinfo"
- */
-
-enum wb_posix_mapping get_nss_info(const char *domain_name)
-{
- const char **list = lp_winbind_nss_info();
- enum wb_posix_mapping map_templ = WB_POSIX_MAP_TEMPLATE;
- int i;
-
- DEBUG(11,("get_nss_info for %s\n", domain_name));
-
- if (!lp_winbind_nss_info() || !*lp_winbind_nss_info()) {
- return WB_POSIX_MAP_TEMPLATE;
- }
-
- if ((map_templ = wb_posix_map_type(list[0])) == WB_POSIX_MAP_UNKNOWN) {
- DEBUG(0,("get_nss_info: invalid setting: %s\n", list[0]));
- return WB_POSIX_MAP_TEMPLATE;
- }
-
- DEBUG(11,("get_nss_info: using \"%s\" by default\n", list[0]));
-
- for (i=0; list[i]; i++) {
-
- const char *p = list[i];
- fstring tok;
-
- if (!next_token(&p, tok, ":", sizeof(tok))) {
- DEBUG(0,("get_nss_info: no \":\" delimitier found\n"));
- continue;
- }
-
- if (strequal(tok, domain_name)) {
-
- enum wb_posix_mapping type;
-
- if ((type = wb_posix_map_type(p)) == WB_POSIX_MAP_UNKNOWN) {
- DEBUG(0,("get_nss_info: invalid setting: %s\n", p));
- /* return WB_POSIX_MAP_TEMPLATE; */
- continue;
- }
-
- DEBUG(11,("get_nss_info: using \"%s\" for domain: %s\n", p, tok));
-
- return type;
- }
- }
-
- return map_templ;
-}
-
-const char *wb_posix_map_str(enum wb_posix_mapping mtype)
-{
- switch (mtype) {
- case WB_POSIX_MAP_TEMPLATE:
- return "template";
- case WB_POSIX_MAP_SFU:
- return "sfu";
- case WB_POSIX_MAP_RFC2307:
- return "rfc2307";
- case WB_POSIX_MAP_UNIXINFO:
- return "unixinfo";
- default:
- break;
- }
- return NULL;
-}