summaryrefslogtreecommitdiff
path: root/source3/sam
diff options
context:
space:
mode:
Diffstat (limited to 'source3/sam')
-rw-r--r--source3/sam/idmap.c212
-rw-r--r--source3/sam/idmap_tdb.c443
2 files changed, 655 insertions, 0 deletions
diff --git a/source3/sam/idmap.c b/source3/sam/idmap.c
new file mode 100644
index 0000000000..9695e7b764
--- /dev/null
+++ b/source3/sam/idmap.c
@@ -0,0 +1,212 @@
+/*
+ Unix SMB/CIFS implementation.
+ ID Mapping
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Anthony Liguori <aliguor@us.ibm.com> 2003
+ Copyright (C) Simo Sorce 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+static struct {
+
+ const char *name;
+ /* Function to create a member of the idmap_methods list */
+ NTSTATUS (*reg_meth)(struct idmap_methods **methods);
+ struct idmap_methods *methods;
+
+} remote_idmap_functions[] = {
+ { NULL, NULL, NULL }
+};
+
+static struct idmap_methods *local_map;
+static struct idmap_methods *remote_map;
+
+static void lazy_initialize_idmap(void)
+{
+ static BOOL initialized = False;
+ if (initialized) return;
+ idmap_init();
+ initialized = True;
+}
+
+
+
+static struct idmap_methods *get_methods(const char *name)
+{
+ int i = 0;
+ struct idmap_methods *ret = NULL;
+
+ while (remote_idmap_functions[i].name && strcmp(remote_idmap_functions[i].name, name)) {
+ i++;
+ }
+
+ if (remote_idmap_functions[i].name) {
+
+ if (!remote_idmap_functions[i].methods) {
+ remote_idmap_functions[i].reg_meth(&remote_idmap_functions[i].methods);
+ }
+
+ ret = remote_idmap_functions[i].methods;
+ }
+
+ return ret;
+}
+
+/* Initialize backend */
+BOOL idmap_init(void)
+{
+ const char *remote_backend = lp_idmap_backend();
+
+ if (!local_map) {
+ idmap_reg_tdb(&local_map);
+ if (NT_STATUS_IS_ERR(local_map->init())) {
+ DEBUG(0, ("idmap_init: could not load or create local backend!\n"));
+ return False;
+ }
+ }
+
+ if (!remote_map && remote_backend && *remote_backend != 0) {
+ DEBUG(3, ("idmap_init: using '%s' as remote backend\n", remote_backend));
+
+ remote_map = get_methods(remote_backend);
+ if (!remote_map) {
+ DEBUG(0, ("idmap_init: could not load remote backend '%s'\n", remote_backend));
+ return False;
+ }
+ remote_map->init();
+ }
+
+ return True;
+}
+
+NTSTATUS idmap_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
+{
+ NTSTATUS ret;
+
+ lazy_initialize_idmap();
+
+ ret = local_map->set_mapping(sid, id, id_type);
+ if (NT_STATUS_IS_ERR(ret)) {
+ DEBUG (0, ("idmap_set_mapping: Error, unable to modify local cache!\n"));
+ DEBUGADD(0, ("Error: %s", nt_errstr(ret)));
+ return ret;
+ }
+
+ /* Being able to update the remote cache is seldomly right.
+ Generally this is a forbidden operation. */
+ if (!(id_type & ID_CACHE) && (remote_map != NULL)) {
+ remote_map->set_mapping(sid, id, id_type);
+ if (NT_STATUS_IS_ERR(ret)) {
+ DEBUG (0, ("idmap_set_mapping: Error, unable to modify remote cache!\n"));
+ DEBUGADD(0, ("Error: %s", nt_errstr(ret)));
+ }
+ }
+
+ return ret;
+}
+
+/* Get ID from SID */
+NTSTATUS idmap_get_id_from_sid(unid_t *id, int *id_type, const DOM_SID *sid)
+{
+ NTSTATUS ret;
+ int loc_type;
+
+ lazy_initialize_idmap();
+
+ loc_type = *id_type;
+ if (remote_map) { /* We have a central remote idmap */
+ loc_type |= ID_NOMAP;
+ }
+ ret = local_map->get_id_from_sid(id, &loc_type, sid);
+ if (NT_STATUS_IS_ERR(ret)) {
+ if (remote_map) {
+ ret = remote_map->get_id_from_sid(id, id_type, sid);
+ if (NT_STATUS_IS_ERR(ret)) {
+ DEBUG(3, ("idmap_get_id_from_sid: error fetching id!\n"));
+ return ret;
+ } else {
+ loc_type |= ID_CACHE;
+ idmap_set_mapping(sid, *id, loc_type);
+ }
+ }
+ } else {
+ *id_type = loc_type & ID_TYPEMASK;
+ }
+
+ return ret;
+}
+
+/* Get SID from ID */
+NTSTATUS idmap_get_sid_from_id(DOM_SID *sid, unid_t id, int id_type)
+{
+ NTSTATUS ret;
+ int loc_type;
+
+ lazy_initialize_idmap();
+
+ loc_type = id_type;
+ if (remote_map) {
+ loc_type = id_type | ID_NOMAP;
+ }
+ ret = local_map->get_sid_from_id(sid, id, loc_type);
+ if (NT_STATUS_IS_ERR(ret)) {
+ if (remote_map) {
+ ret = remote_map->get_sid_from_id(sid, id, id_type);
+ if (NT_STATUS_IS_ERR(ret)) {
+ DEBUG(3, ("idmap_get_sid_from_id: unable to fetch sid!\n"));
+ return ret;
+ } else {
+ loc_type |= ID_CACHE;
+ idmap_set_mapping(sid, id, loc_type);
+ }
+ }
+ }
+
+ return ret;
+}
+
+/* Close backend */
+NTSTATUS idmap_close(void)
+{
+ NTSTATUS ret;
+
+ ret = local_map->close();
+ if (NT_STATUS_IS_ERR(ret)) {
+ DEBUG(3, ("idmap_close: failed to close local cache!\n"));
+ }
+
+ if (remote_map) {
+ ret = remote_map->close();
+ if (NT_STATUS_IS_ERR(ret)) {
+ DEBUG(3, ("idmap_close: failed to close remote idmap repository!\n"));
+ }
+ }
+
+ return ret;
+}
+
+/* Dump backend status */
+void idmap_status(void)
+{
+ lazy_initialize_idmap();
+
+ local_map->status();
+ if (remote_map) remote_map->status();
+}
diff --git a/source3/sam/idmap_tdb.c b/source3/sam/idmap_tdb.c
new file mode 100644
index 0000000000..ab86eaf4eb
--- /dev/null
+++ b/source3/sam/idmap_tdb.c
@@ -0,0 +1,443 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ idmap TDB backend
+
+ Copyright (C) Tim Potter 2000
+ Copyright (C) Anthony Liguori 2003
+ Copyright (C) Simo Sorce 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+/* High water mark keys */
+#define HWM_GROUP "GROUP HWM"
+#define HWM_USER "USER HWM"
+
+/* idmap version determines auto-conversion */
+#define IDMAP_VERSION 2
+
+/* Globals */
+static TDB_CONTEXT *idmap_tdb;
+
+static struct idmap_state {
+
+ /* User and group id pool */
+
+ uid_t uid_low, uid_high; /* Range of uids to allocate */
+ gid_t gid_low, gid_high; /* Range of gids to allocate */
+} idmap_state;
+
+/* Allocate either a user or group id from the pool */
+static NTSTATUS db_allocate_id(unid_t *id, int id_type)
+{
+ int hwm;
+
+ if (!id) return NT_STATUS_INVALID_PARAMETER;
+
+ /* Get current high water mark */
+ switch (id_type & ID_TYPEMASK) {
+ case ID_USERID:
+ if ((hwm = tdb_fetch_int32(idmap_tdb, HWM_USER)) == -1) {
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ if (hwm > idmap_state.uid_high) {
+ DEBUG(0, ("idmap Fatal Error: UID range full!! (max: %u)\n", idmap_state.uid_high));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ (*id).uid = hwm++;
+
+ /* Store new high water mark */
+ tdb_store_int32(idmap_tdb, HWM_USER, hwm);
+ break;
+ case ID_GROUPID:
+ if ((hwm = tdb_fetch_int32(idmap_tdb, HWM_GROUP)) == -1) {
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ if (hwm > idmap_state.gid_high) {
+ DEBUG(0, ("idmap Fatal Error: GID range full!! (max: %u)\n", idmap_state.gid_high));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ (*id).gid = hwm++;
+
+ /* Store new high water mark */
+ tdb_store_int32(idmap_tdb, HWM_GROUP, hwm);
+ break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/* Get a sid from an id */
+static NTSTATUS db_get_sid_from_id(DOM_SID *sid, unid_t id, int id_type)
+{
+ TDB_DATA key, data;
+ fstring keystr;
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ if (!sid) return NT_STATUS_INVALID_PARAMETER;
+
+ switch (id_type & ID_TYPEMASK) {
+ case ID_USERID:
+ slprintf(keystr, sizeof(keystr), "UID %d", id.uid);
+ break;
+ case ID_GROUPID:
+ slprintf(keystr, sizeof(keystr), "GID %d", id.gid);
+ break;
+ default:
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ key.dptr = keystr;
+ key.dsize = strlen(keystr) + 1;
+
+ data = tdb_fetch(idmap_tdb, key);
+
+ if (data.dptr) {
+ if (string_to_sid(sid, data.dptr)) {
+ ret = NT_STATUS_OK;
+ }
+ SAFE_FREE(data.dptr);
+ }
+
+ return ret;
+}
+
+/* Get an id from a sid */
+static NTSTATUS db_get_id_from_sid(unid_t *id, int *id_type, const DOM_SID *sid)
+{
+ TDB_DATA data, key;
+ fstring keystr;
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+
+ if (!sid || !id || !id_type) return NT_STATUS_INVALID_PARAMETER;
+
+ /* Check if sid is present in database */
+ sid_to_string(keystr, sid);
+
+ key.dptr = keystr;
+ key.dsize = strlen(keystr) + 1;
+
+ data = tdb_fetch(idmap_tdb, key);
+
+ if (data.dptr) {
+ int type = *id_type & ID_TYPEMASK;
+ fstring scanstr;
+
+ if (type == ID_EMPTY || type == ID_USERID) {
+ /* Parse and return existing uid */
+ fstrcpy(scanstr, "UID %d");
+
+ if (sscanf(data.dptr, scanstr, &((*id).uid)) == 1) {
+ /* uid ok? */
+ if (type == ID_EMPTY) {
+ *id_type = ID_USERID;
+ }
+ ret = NT_STATUS_OK;
+ goto idok;
+ }
+ }
+
+ if (type == ID_EMPTY || type == ID_GROUPID) {
+ /* Parse and return existing gid */
+ fstrcpy(scanstr, "GID %d");
+
+ if (sscanf(data.dptr, scanstr, &((*id).gid)) == 1) {
+ /* gid ok? */
+ if (type == ID_EMPTY) {
+ *id_type = ID_GROUPID;
+ }
+ ret = NT_STATUS_OK;
+ }
+ }
+idok:
+ SAFE_FREE(data.dptr);
+
+ } else if (!(*id_type & ID_NOMAP) &&
+ (((*id_type & ID_TYPEMASK) == ID_USERID)
+ || (*id_type & ID_TYPEMASK) == ID_GROUPID)) {
+
+ /* Allocate a new id for this sid */
+ ret = db_allocate_id(id, *id_type);
+ if (NT_STATUS_IS_OK(ret)) {
+ fstring keystr2;
+
+ /* Store new id */
+ if (*id_type & ID_USERID) {
+ slprintf(keystr2, sizeof(keystr2), "UID %d", (*id).uid);
+ } else {
+ slprintf(keystr2, sizeof(keystr2), "GID %d", (*id).gid);
+ }
+
+ data.dptr = keystr2;
+ data.dsize = strlen(keystr2) + 1;
+
+ if (tdb_store(idmap_tdb, key, data, TDB_REPLACE) == -1) {
+ /* TODO: print tdb error !! */
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ if (tdb_store(idmap_tdb, data, key, TDB_REPLACE) == -1) {
+ /* TODO: print tdb error !! */
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ ret = NT_STATUS_OK;
+ }
+ }
+
+ return ret;
+}
+
+static NTSTATUS db_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
+{
+ TDB_DATA ksid, kid, data;
+ fstring ksidstr;
+ fstring kidstr;
+
+ if (!sid) return NT_STATUS_INVALID_PARAMETER;
+
+ sid_to_string(ksidstr, sid);
+
+ ksid.dptr = ksidstr;
+ ksid.dsize = strlen(ksidstr) + 1;
+
+ if (id_type & ID_USERID) {
+ slprintf(kidstr, sizeof(kidstr), "UID %d", id.uid);
+ } else if (id_type & ID_GROUPID) {
+ slprintf(kidstr, sizeof(kidstr), "GID %d", id.gid);
+ } else {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ kid.dptr = kidstr;
+ kid.dsize = strlen(kidstr) + 1;
+
+ /* *DELETE* prevoius mappings if any.
+ * This is done both SID and [U|G]ID passed in */
+
+ data = tdb_fetch(idmap_tdb, ksid);
+ if (data.dptr) {
+ tdb_delete(idmap_tdb, data);
+ tdb_delete(idmap_tdb, ksid);
+ }
+ data = tdb_fetch(idmap_tdb, kid);
+ if (data.dptr) {
+ tdb_delete(idmap_tdb, data);
+ tdb_delete(idmap_tdb, kid);
+ }
+
+ if (tdb_store(idmap_tdb, ksid, kid, TDB_INSERT) == -1) {
+ DEBUG(0, ("idb_set_mapping: tdb_store 1 error: %s\n", tdb_errorstr(idmap_tdb)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ if (tdb_store(idmap_tdb, kid, ksid, TDB_INSERT) == -1) {
+ DEBUG(0, ("idb_set_mapping: tdb_store 2 error: %s\n", tdb_errorstr(idmap_tdb)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ return NT_STATUS_OK;
+}
+
+/*****************************************************************************
+ Initialise idmap database.
+*****************************************************************************/
+static NTSTATUS db_idmap_init(void)
+{
+ SMB_STRUCT_STAT stbuf;
+ char *tdbfile = NULL;
+ int32 version;
+ BOOL tdb_is_new = False;
+
+ /* use the old database if present */
+ if (!file_exist(lock_path("idmap.tdb"), &stbuf)) {
+ if (file_exist(lock_path("winbindd_idmap.tdb"), &stbuf)) {
+ DEBUG(0, ("idmap_init: using winbindd_idmap.tdb file!\n"));
+ tdbfile = strdup(lock_path("winbindd_idmap.tdb"));
+ if (!tdbfile) {
+ DEBUG(0, ("idmap_init: out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ tdb_is_new = True;
+ }
+ }
+ if (!tdbfile) {
+ tdbfile = strdup(lock_path("idmap.tdb"));
+ if (!tdbfile) {
+ DEBUG(0, ("idmap_init: out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ /* Open tdb cache */
+ if (!(idmap_tdb = tdb_open_log(tdbfile, 0,
+ TDB_DEFAULT, O_RDWR | O_CREAT,
+ 0600))) {
+ DEBUG(0, ("idmap_init: Unable to open idmap database\n"));
+ SAFE_FREE(tdbfile);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ SAFE_FREE(tdbfile);
+
+ /* check against earlier versions */
+ if (tdb_is_new) {
+ /* TODO: delete the file if this fail */
+ tdb_store_int32(idmap_tdb, "IDMAP_VERSION", IDMAP_VERSION);
+ } else {
+ version = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION");
+ if (version != IDMAP_VERSION) {
+ DEBUG(0, ("idmap_init: Unable to open idmap database, it's in an old format!\n"));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+ }
+
+ /* Create high water marks for group and user id */
+ if (!lp_idmap_uid(&idmap_state.uid_low, &idmap_state.uid_high)) {
+ DEBUG(0, ("idmap uid range missing or invalid\n"));
+ DEBUGADD(0, ("idmap will be unable to map foreign SIDs\n"));
+ } else {
+ if (tdb_fetch_int32(idmap_tdb, HWM_USER) == -1) {
+ if (tdb_store_int32(idmap_tdb, HWM_USER, idmap_state.uid_low) == -1) {
+ DEBUG(0, ("idmap_init: Unable to initialise user hwm in idmap database\n"));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+ }
+ }
+
+ if (!lp_idmap_gid(&idmap_state.gid_low, &idmap_state.gid_high)) {
+ DEBUG(0, ("idmap gid range missing or invalid\n"));
+ DEBUGADD(0, ("idmap will be unable to map foreign SIDs\n"));
+ } else {
+ if (tdb_fetch_int32(idmap_tdb, HWM_GROUP) == -1) {
+ if (tdb_store_int32(idmap_tdb, HWM_GROUP, idmap_state.gid_low) == -1) {
+ DEBUG(0, ("idmap_init: Unable to initialise group hwm in idmap database\n"));
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/* Close the tdb */
+static NTSTATUS db_idmap_close(void)
+{
+ if (idmap_tdb) {
+ if (tdb_close(idmap_tdb) == 0) {
+ return NT_STATUS_OK;
+ } else {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ }
+ return NT_STATUS_OK;
+}
+
+
+/* Dump status information to log file. Display different stuff based on
+ the debug level:
+
+ Debug Level Information Displayed
+ =================================================================
+ 0 Percentage of [ug]id range allocated
+ 0 High water marks (next allocated ids)
+*/
+
+#define DUMP_INFO 0
+
+static void db_idmap_status(void)
+{
+ int user_hwm, group_hwm;
+
+ DEBUG(0, ("winbindd idmap status:\n"));
+
+ /* Get current high water marks */
+
+ if ((user_hwm = tdb_fetch_int32(idmap_tdb, HWM_USER)) == -1) {
+ DEBUG(DUMP_INFO,
+ ("\tCould not get userid high water mark!\n"));
+ }
+
+ if ((group_hwm = tdb_fetch_int32(idmap_tdb, HWM_GROUP)) == -1) {
+ DEBUG(DUMP_INFO,
+ ("\tCould not get groupid high water mark!\n"));
+ }
+
+ /* Display next ids to allocate */
+
+ if (user_hwm != -1) {
+ DEBUG(DUMP_INFO,
+ ("\tNext userid to allocate is %d\n", user_hwm));
+ }
+
+ if (group_hwm != -1) {
+ DEBUG(DUMP_INFO,
+ ("\tNext groupid to allocate is %d\n", group_hwm));
+ }
+
+ /* Display percentage of id range already allocated. */
+
+ if (user_hwm != -1) {
+ int num_users = user_hwm - idmap_state.uid_low;
+ int total_users =
+ idmap_state.uid_high - idmap_state.uid_low;
+
+ DEBUG(DUMP_INFO,
+ ("\tUser id range is %d%% full (%d of %d)\n",
+ num_users * 100 / total_users, num_users,
+ total_users));
+ }
+
+ if (group_hwm != -1) {
+ int num_groups = group_hwm - idmap_state.gid_low;
+ int total_groups =
+ idmap_state.gid_high - idmap_state.gid_low;
+
+ DEBUG(DUMP_INFO,
+ ("\tGroup id range is %d%% full (%d of %d)\n",
+ num_groups * 100 / total_groups, num_groups,
+ total_groups));
+ }
+
+ /* Display complete mapping of users and groups to rids */
+}
+
+struct idmap_methods db_methods = {
+
+ db_idmap_init,
+ db_get_sid_from_id,
+ db_get_id_from_sid,
+ db_set_mapping,
+ db_idmap_close,
+ db_idmap_status
+
+};
+
+NTSTATUS idmap_reg_tdb(struct idmap_methods **meth)
+{
+ *meth = &db_methods;
+
+ return NT_STATUS_OK;
+}