diff options
Diffstat (limited to 'source3/sam')
-rw-r--r-- | source3/sam/idmap_tdb.c | 32 | ||||
-rw-r--r-- | source3/sam/idmap_util.c | 230 |
2 files changed, 168 insertions, 94 deletions
diff --git a/source3/sam/idmap_tdb.c b/source3/sam/idmap_tdb.c index 13e3affbd6..f85d2db086 100644 --- a/source3/sam/idmap_tdb.c +++ b/source3/sam/idmap_tdb.c @@ -301,30 +301,30 @@ static NTSTATUS db_idmap_init(void) } /* Create high water marks for group and user id */ - if (tdb_fetch_int32(idmap_tdb, HWM_USER) == -1) { - if (tdb_store_int32(idmap_tdb, HWM_USER, idmap_state.uid_low) == -1) { - DEBUG(0, ("idmap_init: Unable to initialise user hwm in idmap database\n")); - return NT_STATUS_INTERNAL_DB_ERROR; - } - } - - if (tdb_fetch_int32(idmap_tdb, HWM_GROUP) == -1) { - if (tdb_store_int32(idmap_tdb, HWM_GROUP, idmap_state.gid_low) == -1) { - DEBUG(0, ("idmap_init: Unable to initialise group hwm in idmap database\n")); - return NT_STATUS_INTERNAL_DB_ERROR; - } - } - if (!lp_idmap_uid(&idmap_state.uid_low, &idmap_state.uid_high)) { DEBUG(0, ("idmap uid range missing or invalid\n")); DEBUGADD(0, ("idmap will be unable to map foreign SIDs\n")); + } else { + if (tdb_fetch_int32(idmap_tdb, HWM_USER) == -1) { + if (tdb_store_int32(idmap_tdb, HWM_USER, idmap_state.uid_low) == -1) { + DEBUG(0, ("idmap_init: Unable to initialise user hwm in idmap database\n")); + return NT_STATUS_INTERNAL_DB_ERROR; + } + } } - + if (!lp_idmap_gid(&idmap_state.gid_low, &idmap_state.gid_high)) { DEBUG(0, ("idmap gid range missing or invalid\n")); DEBUGADD(0, ("idmap will be unable to map foreign SIDs\n")); + } else { + if (tdb_fetch_int32(idmap_tdb, HWM_GROUP) == -1) { + if (tdb_store_int32(idmap_tdb, HWM_GROUP, idmap_state.gid_low) == -1) { + DEBUG(0, ("idmap_init: Unable to initialise group hwm in idmap database\n")); + return NT_STATUS_INTERNAL_DB_ERROR; + } + } } - + return NT_STATUS_OK; } diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c index b282d2ef83..3086ee2113 100644 --- a/source3/sam/idmap_util.c +++ b/source3/sam/idmap_util.c @@ -22,35 +22,119 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_IDMAP + +/****************************************************************** + * Get the free RID base if idmap is configured, otherwise return 0 + ******************************************************************/ + +uint32 idmap_get_free_rid_base(void) +{ + uint32 low, high; + if (idmap_get_free_rid_range(&low, &high)) { + return low; + } + return 0; +} + +BOOL idmap_check_ugid_is_in_free_range(uint32 id) +{ + uint32 low, high; + + if (!idmap_get_free_ugid_range(&low, &high)) { + return False; + } + if (id < low || id > high) { + return False; + } + return True; +} + +BOOL idmap_check_rid_is_in_free_range(uint32 rid) +{ + uint32 low, high; + + if (!idmap_get_free_rid_range(&low, &high)) { + return False; + } + if (rid < low || rid > high) { + return False; + } + return True; +} + +/****************************************************************** + * Get the the non-algorithmic RID range if idmap range are defined + ******************************************************************/ + +BOOL idmap_get_free_rid_range(uint32 *low, uint32 *high) +{ + uint32 id_low, id_high; + + if (lp_idmap_only()) { + *low = BASE_RID; + *high = (uint32)-1; + } + + if (!idmap_get_free_ugid_range(&id_low, &id_high)) { + return False; + } + + *low = fallback_pdb_uid_to_user_rid(id_low); + if (fallback_pdb_user_rid_to_uid((uint32)-1) < id_high) { + *high = (uint32)-1; + } else { + *high = fallback_pdb_uid_to_user_rid(id_high); + } + + return True; +} + +BOOL idmap_get_free_ugid_range(uint32 *low, uint32 *high) +{ + uid_t u_low, u_high; + gid_t g_low, g_high; + + if (!lp_idmap_uid(&u_low, &u_high) || !lp_idmap_gid(&g_low, &g_high)) { + return False; + } + if (u_low < g_low) { + *low = u_low; + } else { + *low = g_low; + } + if (u_high < g_high) { + *high = g_high; + } else { + *high = u_high; + } + return True; +} + /***************************************************************** *THE CANONICAL* convert uid_t to SID function. Tries winbind first - then uses local lookup. Returns SID pointer. *****************************************************************/ -DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid) +DOM_SID *uid_to_sid(DOM_SID *sid, uid_t uid) { unid_t id; DEBUG(10,("uid_to_sid: uid = [%d]\n", uid)); - id.uid = uid; - if (NT_STATUS_IS_OK(idmap_get_sid_from_id(psid, id, ID_USERID))) { - DEBUG(10, ("uid_to_sid: sid = [%s]\n", sid_string_static(psid))); - return psid; + if (idmap_check_ugid_is_in_free_range(uid)) { + id.uid = uid; + if (NT_STATUS_IS_ERR(idmap_get_sid_from_id(sid, id, ID_USERID))) { + DEBUG(10, ("uid_to_sid: Failed to map sid = [%s]\n", sid_string_static(sid))); + return NULL; + } + } else { + sid_copy(sid, get_global_sam_sid()); + sid_append_rid(sid, fallback_pdb_uid_to_user_rid(uid)); + + DEBUG(10,("uid_to_sid: algorithmic %u -> %s\n", (unsigned int)uid, sid_string_static(sid))); } - - /* If mapping is not found in idmap try with traditional method, - then stores the result in idmap. - We may add a switch in future to allow smooth migrations to - idmap-only db ---Simo */ - - sid_copy(psid, get_global_sam_sid()); - sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid)); - - DEBUG(10,("uid_to_sid: algorithmic %u -> %s\n", (unsigned int)uid, sid_string_static(psid))); - - return psid; + return sid; } @@ -60,34 +144,31 @@ DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid) Returns SID pointer. *****************************************************************/ -DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid) +DOM_SID *gid_to_sid(DOM_SID *sid, gid_t gid) { GROUP_MAP map; unid_t id; DEBUG(10,("gid_to_sid: gid = [%d]\n", gid)); + if (idmap_check_ugid_is_in_free_range(gid)) { id.gid = gid; - if (NT_STATUS_IS_OK(idmap_get_sid_from_id(psid, id, ID_GROUPID))) { - DEBUG(10, ("gid_to_sid: sid = [%s]\n", sid_string_static(psid))); - return psid; - } - - /* If mapping is not found in idmap try with traditional method, - then stores the result in idmap. - We may add a switch in future to allow smooth migrations to - idmap-only db ---Simo */ - - if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) { - sid_copy(psid, &map.sid); + if (NT_STATUS_IS_ERR(idmap_get_sid_from_id(sid, id, ID_GROUPID))) { + DEBUG(10, ("gid_to_sid: Failed to map sid = [%s]\n", sid_string_static(sid))); + return NULL; + } } else { - sid_copy(psid, get_global_sam_sid()); - sid_append_rid(psid, pdb_gid_to_group_rid(gid)); - } + if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) { + sid_copy(sid, &map.sid); + } else { + sid_copy(sid, get_global_sam_sid()); + sid_append_rid(sid, pdb_gid_to_group_rid(gid)); + } - DEBUG(10,("gid_to_sid: algorithmic %u -> %s\n", (unsigned int)gid, sid_string_static(psid))); + DEBUG(10,("gid_to_sid: algorithmic %u -> %s\n", (unsigned int)gid, sid_string_static(sid))); + } - return psid; + return sid; } /***************************************************************** @@ -97,37 +178,32 @@ DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid) was done correctly, False if not. sidtype is set by this function. *****************************************************************/ -BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid) +BOOL sid_to_uid(const DOM_SID *sid, uid_t *uid) { + uint32 rid; unid_t id; int type; - DEBUG(10,("sid_to_uid: sid = [%s]\n", sid_string_static(psid))); + DEBUG(10,("sid_to_uid: sid = [%s]\n", sid_string_static(sid))); + + if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) { + if (!idmap_check_rid_is_in_free_range(rid)) { + if (!fallback_pdb_rid_is_user(rid)) { + DEBUG(3, ("sid_to_uid: RID %u is *NOT* a user\n", (unsigned)rid)); + return False; + } + *uid = fallback_pdb_user_rid_to_uid(rid); + return True; + } + } type = ID_USERID; - if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &type, psid))) { + if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &type, sid))) { DEBUG(10,("sid_to_uid: uid = [%d]\n", id.uid)); - *puid = id.uid; + *uid = id.uid; return True; } - if (sid_compare_domain(get_global_sam_sid(), psid) == 0) { - BOOL result; - uint32 rid; - - DEBUG(10,("sid_to_uid: sid is local [%s]\n", sid_string_static(get_global_sam_sid()))); - - if (!sid_peek_rid(psid, &rid)) { - DEBUG(0, ("sid_to_uid: Error extracting RID from SID\n!")); - return False; - } - if (!fallback_pdb_rid_is_user(rid)) { - DEBUG(3, ("sid_to_uid: RID %u is *NOT* a user\n", (unsigned)rid)); - return False; - } - *puid = fallback_pdb_user_rid_to_uid(rid); - return True; - } return False; } @@ -138,46 +214,44 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid) was done correctly, False if not. *****************************************************************/ -BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid) +BOOL sid_to_gid(const DOM_SID *sid, gid_t *gid) { + uint32 rid; unid_t id; int type; - DEBUG(10,("sid_to_gid: sid = [%s]\n", sid_string_static(psid))); - - type = ID_GROUPID; - if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &type, psid))) { - DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid)); - *pgid = id.gid; - return True; - } + DEBUG(10,("sid_to_gid: sid = [%s]\n", sid_string_static(sid))); - if (sid_compare_domain(get_global_sam_sid(), psid) == 0) { + if (sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) { GROUP_MAP map; BOOL result; - if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) { + if (pdb_getgrsid(&map, *sid, MAPPING_WITHOUT_PRIV)) { /* the SID is in the mapping table but not mapped */ if (map.gid==(gid_t)-1) return False; - *pgid = map.gid; + *gid = map.gid; return True; } else { - uint32 rid; - - if (!sid_peek_rid(psid, &rid)) { - DEBUG(0, ("sid_to_gid: Error extracting RID from SID\n!")); - return False; - } - if (fallback_pdb_rid_is_user(rid)) { - DEBUG(3, ("sid_to_gid: RID %u is *NOT* a group\n", (unsigned)rid)); - return False; + if (!idmap_check_rid_is_in_free_range(rid)) { + if (fallback_pdb_rid_is_user(rid)) { + DEBUG(3, ("sid_to_gid: RID %u is *NOT* a group\n", (unsigned)rid)); + return False; + } + *gid = pdb_group_rid_to_gid(rid); + return True; } - *pgid = pdb_group_rid_to_gid(rid); } } + type = ID_GROUPID; + if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&id, &type, sid))) { + DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid)); + *gid = id.gid; + return True; + } + return False; } |