diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/nsswitch/idmap.c | 415 |
1 files changed, 255 insertions, 160 deletions
diff --git a/source3/nsswitch/idmap.c b/source3/nsswitch/idmap.c index ebbf24e3f6..009d7a610b 100644 --- a/source3/nsswitch/idmap.c +++ b/source3/nsswitch/idmap.c @@ -1,9 +1,9 @@ -/* +/* Unix SMB/CIFS implementation. ID Mapping Copyright (C) Tim Potter 2000 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003 - Copyright (C) Simo Sorce 2003 + Copyright (C) Simo Sorce 2003-2007 Copyright (C) Jeremy Allison 2006 This program is free software; you can redistribute it and/or modify @@ -60,11 +60,23 @@ static int def_dom_num = -1; static struct idmap_alloc_backend *alloc_backends = NULL; static struct idmap_alloc_context *idmap_alloc_ctx = NULL; -#define IDMAP_CHECK_RET(ret) do { if ( ! NT_STATUS_IS_OK(ret)) { DEBUG(2, ("ERROR: NTSTATUS = 0x%08x\n", NT_STATUS_V(ret))); goto done; } } while(0) -#define IDMAP_REPORT_RET(ret) do { if ( ! NT_STATUS_IS_OK(ret)) { DEBUG(2, ("ERROR: NTSTATUS = 0x%08x\n", NT_STATUS_V(ret))); } } while(0) -#define IDMAP_CHECK_ALLOC(mem) do { if (!mem) { DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; goto done; } } while(0) - -static struct idmap_methods *get_methods(struct idmap_backend *be, const char *name) +#define IDMAP_CHECK_RET(ret) do { \ + if ( ! NT_STATUS_IS_OK(ret)) { \ + DEBUG(2, ("ERROR: NTSTATUS = 0x%08x\n", NT_STATUS_V(ret))); \ + goto done; \ + } } while(0) +#define IDMAP_REPORT_RET(ret) do { \ + if ( ! NT_STATUS_IS_OK(ret)) { \ + DEBUG(2, ("ERROR: NTSTATUS = 0x%08x\n", NT_STATUS_V(ret))); \ + } } while(0) +#define IDMAP_CHECK_ALLOC(mem) do { \ + if (!mem) { \ + DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; \ + goto done; \ + } } while(0) + +static struct idmap_methods *get_methods(struct idmap_backend *be, + const char *name) { struct idmap_backend *b; @@ -77,7 +89,9 @@ static struct idmap_methods *get_methods(struct idmap_backend *be, const char *n return NULL; } -static struct idmap_alloc_methods *get_alloc_methods(struct idmap_alloc_backend *be, const char *name) +static struct idmap_alloc_methods *get_alloc_methods( + struct idmap_alloc_backend *be, + const char *name) { struct idmap_alloc_backend *b; @@ -100,7 +114,8 @@ BOOL idmap_is_offline(void) Allow a module to register itself as a method. **********************************************************************/ -NTSTATUS smb_register_idmap(int version, const char *name, struct idmap_methods *methods) +NTSTATUS smb_register_idmap(int version, const char *name, + struct idmap_methods *methods) { struct idmap_methods *test; struct idmap_backend *entry; @@ -111,9 +126,11 @@ NTSTATUS smb_register_idmap(int version, const char *name, struct idmap_methods if ((version != SMB_IDMAP_INTERFACE_VERSION)) { DEBUG(0, ("Failed to register idmap module.\n" - "The module was compiled against SMB_IDMAP_INTERFACE_VERSION %d,\n" + "The module was compiled against " + "SMB_IDMAP_INTERFACE_VERSION %d,\n" "current SMB_IDMAP_INTERFACE_VERSION is %d.\n" - "Please recompile against the current version of samba!\n", + "Please recompile against the current version " + "of samba!\n", version, SMB_IDMAP_INTERFACE_VERSION)); return NT_STATUS_OBJECT_TYPE_MISMATCH; } @@ -150,7 +167,8 @@ NTSTATUS smb_register_idmap(int version, const char *name, struct idmap_methods Allow a module to register itself as a method. **********************************************************************/ -NTSTATUS smb_register_idmap_alloc(int version, const char *name, struct idmap_alloc_methods *methods) +NTSTATUS smb_register_idmap_alloc(int version, const char *name, + struct idmap_alloc_methods *methods) { struct idmap_alloc_methods *test; struct idmap_alloc_backend *entry; @@ -161,9 +179,11 @@ NTSTATUS smb_register_idmap_alloc(int version, const char *name, struct idmap_al if ((version != SMB_IDMAP_INTERFACE_VERSION)) { DEBUG(0, ("Failed to register idmap alloc module.\n" - "The module was compiled against SMB_IDMAP_INTERFACE_VERSION %d,\n" + "The module was compiled against " + "SMB_IDMAP_INTERFACE_VERSION %d,\n" "current SMB_IDMAP_INTERFACE_VERSION is %d.\n" - "Please recompile against the current version of samba!\n", + "Please recompile against the current version " + "of samba!\n", version, SMB_IDMAP_INTERFACE_VERSION)); return NT_STATUS_OBJECT_TYPE_MISMATCH; } @@ -241,14 +261,14 @@ static const char *idmap_default_domain[] = { "default domain", NULL }; ****************************************************************************/ NTSTATUS idmap_init_cache(void) -{ +{ /* Always initialize the cache. We'll have to delay initialization of backends if we are offline */ if ( idmap_ctx ) { return NT_STATUS_OK; - } - + } + if ( (idmap_ctx = talloc_named_const(NULL, 0, "idmap_ctx")) == NULL ) { return NT_STATUS_NO_MEMORY; } @@ -264,7 +284,7 @@ NTSTATUS idmap_init_cache(void) ****************************************************************************/ NTSTATUS idmap_init(void) -{ +{ NTSTATUS ret; static NTSTATUS idmap_init_status = NT_STATUS_UNSUCCESSFUL; struct idmap_domain *dom; @@ -278,15 +298,15 @@ NTSTATUS idmap_init(void) int i; ret = idmap_init_cache(); - if ( !NT_STATUS_IS_OK(ret) ) + if (!NT_STATUS_IS_OK(ret)) return ret; - if (NT_STATUS_IS_OK(idmap_init_status)) { + if (NT_STATUS_IS_OK(idmap_init_status)) { return NT_STATUS_OK; } - - /* We can't reliably call intialization code here unless - we are online. But return NT_STATUS_OK so the upper + + /* We can't reliably call intialization code here unless + we are online. But return NT_STATUS_OK so the upper level code doesn't abort idmap lookups. */ if ( get_global_winbindd_state_offline() ) { @@ -297,46 +317,48 @@ NTSTATUS idmap_init(void) static_init_idmap; dom_list = lp_idmap_domains(); - + if ( lp_idmap_backend() ) { const char **compat_list = lp_idmap_backend(); char *p = NULL; - const char *q = NULL; + const char *q = NULL; - if ( dom_list ) { - DEBUG(0, ("WARNING: idmap backend and idmap domains are " - "mutually exclusive!\n")); + if ( dom_list ) { + DEBUG(0, ("WARNING: idmap backend and idmap domains are" + " mutually exclusive!\n")); DEBUGADD(0,("idmap backend option will be IGNORED!\n")); } else { compat = 1; - if ( (compat_backend = talloc_strdup( idmap_ctx, *compat_list )) == NULL ) { + compat_backend = talloc_strdup(idmap_ctx, *compat_list); + if (compat_backend == NULL ) { ret = NT_STATUS_NO_MEMORY; goto done; } - + /* strip any leading idmap_ prefix of */ if (strncmp(*compat_list, "idmap_", 6) == 0 ) { q = *compat_list += 6; - DEBUG(0, ("WARNING: idmap backend uses obsolete and " - "deprecated 'idmap_' prefix.\n" - "Please replace 'idmap_%s' by '%s' in %s\n", - q, q, dyn_CONFIGFILE)); - compat_backend = talloc_strdup( idmap_ctx, q); + DEBUG(0, ("WARNING: idmap backend uses obsolete" + " and deprecated 'idmap_' prefix.\n" + "Please replace 'idmap_%s' by '%s' in" + " %s\n", q, q, dyn_CONFIGFILE)); + compat_backend = talloc_strdup(idmap_ctx, q); } else { - compat_backend = talloc_strdup( idmap_ctx, *compat_list); + compat_backend = talloc_strdup(idmap_ctx, + *compat_list); } - + /* separate the backend and module arguements */ if ((p = strchr(compat_backend, ':')) != NULL) { - *p = '\0'; + *p = '\0'; compat_params = p + 1; } - } + } } else if ( !dom_list ) { /* Back compatible: without idmap domains and explicit idmap backend. Taking default idmap backend: tdb */ - + compat = 1; compat_backend = talloc_strdup( idmap_ctx, "tdb"); compat_params = compat_backend; @@ -345,7 +367,7 @@ NTSTATUS idmap_init(void) if ( ! dom_list) { dom_list = idmap_default_domain; } - + /*************************** * initialize idmap domains */ @@ -356,10 +378,10 @@ NTSTATUS idmap_init(void) char *config_option; /* ignore BUILTIN and local MACHINE domains */ - if ( strequal(dom_list[i], "BUILTIN") - || strequal(dom_list[i], get_global_sam_name() ) ) + if (strequal(dom_list[i], "BUILTIN") + || strequal(dom_list[i], get_global_sam_name())) { - DEBUG(0,("idmap_init: Ignoring invalid domain %s\n", + DEBUG(0,("idmap_init: Ignoring invalid domain %s\n", dom_list[i])); continue; } @@ -368,44 +390,50 @@ NTSTATUS idmap_init(void) pri_dom_is_in_list = True; } /* init domain */ - + dom = TALLOC_ZERO_P(idmap_ctx, struct idmap_domain); IDMAP_CHECK_ALLOC(dom); dom->name = talloc_strdup(dom, dom_list[i]); IDMAP_CHECK_ALLOC(dom->name); - config_option = talloc_asprintf(dom, "idmap config %s", dom->name); + config_option = talloc_asprintf(dom, "idmap config %s", + dom->name); IDMAP_CHECK_ALLOC(config_option); /* default or specific ? */ - dom->default_domain = lp_parm_bool(-1, config_option, "default", False); + dom->default_domain = lp_parm_bool(-1, config_option, + "default", False); if (dom->default_domain || strequal(dom_list[i], idmap_default_domain[0])) { - /* make sure this is set even when we match idmap_default_domain[0] */ + /* make sure this is set even when we match + * idmap_default_domain[0] */ dom->default_domain = True; if (default_already_defined) { - DEBUG(1, ("ERROR: Multiple domains defined as default!\n")); + DEBUG(1, ("ERROR: Multiple domains defined as" + " default!\n")); ret = NT_STATUS_INVALID_PARAMETER; goto done; } default_already_defined = True; - } + } - dom->readonly = lp_parm_bool(-1, config_option, "readonly", False); + dom->readonly = lp_parm_bool(-1, config_option, + "readonly", False); /* find associated backend (default: tdb) */ if (compat) { parm_backend = talloc_strdup(idmap_ctx, compat_backend); } else { - parm_backend = talloc_strdup(idmap_ctx, - lp_parm_const_string(-1, config_option, "backend", "tdb")); + char *backend = lp_parm_const_string(-1, config_option, + "backend", "tdb"); + parm_backend = talloc_strdup(idmap_ctx, backend); } IDMAP_CHECK_ALLOC(parm_backend); @@ -415,22 +443,27 @@ NTSTATUS idmap_init(void) if ( ! dom->methods) { ret = smb_probe_module("idmap", parm_backend); if (NT_STATUS_IS_OK(ret)) { - dom->methods = get_methods(backends, parm_backend); + dom->methods = get_methods(backends, + parm_backend); } } if ( ! dom->methods) { - DEBUG(0, ("ERROR: Could not get methods for backend %s\n", parm_backend)); + DEBUG(0, ("ERROR: Could not get methods for " + "backend %s\n", parm_backend)); ret = NT_STATUS_UNSUCCESSFUL; goto done; } - /* check the set_mapping function exists otherwise mark the module as readonly */ + /* check the set_mapping function exists otherwise mark the + * module as readonly */ if ( ! dom->methods->set_mapping) { - DEBUG(5, ("Forcing to readonly, as this module can't store arbitrary mappings.\n")); + DEBUG(5, ("Forcing to readonly, as this module can't" + " store arbitrary mappings.\n")); dom->readonly = True; } - /* now that we have methods, set the destructor for this domain */ + /* now that we have methods, + * set the destructor for this domain */ talloc_set_destructor(dom, close_domain_destructor); if (compat_params) { @@ -443,10 +476,12 @@ NTSTATUS idmap_init(void) /* Finally instance a backend copy for this domain */ ret = dom->methods->init(dom); if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(0, ("ERROR: Initialization failed for backend %s (domain %s), deferred!\n", - parm_backend, dom->name)); + DEBUG(0, ("ERROR: Initialization failed for backend " + "%s (domain %s), deferred!\n", + parm_backend, dom->name)); } - idmap_domains = talloc_realloc(idmap_ctx, idmap_domains, struct idmap_domain *, i+1); + idmap_domains = talloc_realloc(idmap_ctx, idmap_domains, + struct idmap_domain *, i+1); if ( ! idmap_domains) { DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; @@ -454,13 +489,15 @@ NTSTATUS idmap_init(void) } idmap_domains[i] = dom; - if (dom->default_domain) { /* save default domain position for future uses */ + /* save default domain position for future uses */ + if (dom->default_domain) { def_dom_num = i; } DEBUG(10, ("Domain %s - Backend %s - %sdefault - %sreadonly\n", dom->name, parm_backend, - dom->default_domain?"":"not ", dom->readonly?"":"not ")); + dom->default_domain?"":"not ", + dom->readonly?"":"not ")); talloc_free(config_option); } @@ -487,12 +524,13 @@ NTSTATUS idmap_init(void) /* (the nss module is always statically linked) */ if ( ! dom->methods) { - DEBUG(0, ("ERROR: Could not get methods for idmap_nss ?!\n")); + DEBUG(0, ("ERROR: No methods for idmap_nss ?!\n")); ret = NT_STATUS_UNSUCCESSFUL; goto done; } - /* now that we have methods, set the destructor for this domain */ + /* now that we have methods, + * set the destructor for this domain */ talloc_set_destructor(dom, close_domain_destructor); if (compat_params) { @@ -505,12 +543,15 @@ NTSTATUS idmap_init(void) /* Finally instance a backend copy for this domain */ ret = dom->methods->init(dom); if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(0, ("ERROR: Initialization failed for idmap_nss ?!\n")); + DEBUG(0, ("ERROR: Init. failed for idmap_nss ?!\n")); ret = NT_STATUS_UNSUCCESSFUL; goto done; } - idmap_domains = talloc_realloc(idmap_ctx, idmap_domains, struct idmap_domain *, num_domains+1); + idmap_domains = talloc_realloc(idmap_ctx, + idmap_domains, + struct idmap_domain *, + num_domains+1); if ( ! idmap_domains) { DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; @@ -518,7 +559,8 @@ NTSTATUS idmap_init(void) } idmap_domains[num_domains] = dom; - DEBUG(10, ("Domain %s - Backend nss - not default - readonly\n", dom->name )); + DEBUG(10, ("Domain %s - Backend nss - not default - readonly\n", + dom->name )); num_domains++; } @@ -538,7 +580,7 @@ NTSTATUS idmap_init(void) /* (the passdb module is always statically linked) */ if ( ! dom->methods) { - DEBUG(0, ("ERROR: Could not get methods for idmap_passdb ?!\n")); + DEBUG(0, ("ERROR: No methods for idmap_passdb ?!\n")); ret = NT_STATUS_UNSUCCESSFUL; goto done; } @@ -556,12 +598,15 @@ NTSTATUS idmap_init(void) /* Finally instance a backend copy for this domain */ ret = dom->methods->init(dom); if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(0, ("ERROR: Initialization failed for idmap_passdb ?!\n")); + DEBUG(0, ("ERROR: Init. failed for idmap_passdb ?!\n")); ret = NT_STATUS_UNSUCCESSFUL; goto done; } - idmap_domains = talloc_realloc(idmap_ctx, idmap_domains, struct idmap_domain *, num_domains+1); + idmap_domains = talloc_realloc(idmap_ctx, + idmap_domains, + struct idmap_domain *, + num_domains+1); if ( ! idmap_domains) { DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; @@ -572,14 +617,16 @@ NTSTATUS idmap_init(void) /* needed to handle special BUILTIN and wellknown SIDs cases */ pdb_dom_num = num_domains; - DEBUG(10, ("Domain %s - Backend passdb - not default - readonly\n", dom->name)); + DEBUG(10, ("Domain %s - Backend passdb - not default - readonly\n", + dom->name)); num_domains++; /**** finished adding idmap_passdb backend ****/ /* sort domains so that the default is the last one */ /* don't sort if no default domain defined */ - if (def_dom_num != -1 && def_dom_num != num_domains-1) { /* default is not last, move it */ + if (def_dom_num != -1 && def_dom_num != num_domains-1) { + /* default is not last, move it */ struct idmap_domain *tmp; if (pdb_dom_num > def_dom_num) { @@ -608,28 +655,35 @@ NTSTATUS idmap_init(void) alloc_backend = talloc_strdup(idmap_ctx, compat_backend); } else { char *ab = lp_idmap_alloc_backend(); - + if (ab && (ab[0] != '\0')) { - alloc_backend = talloc_strdup(idmap_ctx, lp_idmap_alloc_backend()); + alloc_backend = talloc_strdup(idmap_ctx, + lp_idmap_alloc_backend()); } } if ( alloc_backend ) { - - idmap_alloc_ctx = TALLOC_ZERO_P(idmap_ctx, struct idmap_alloc_context); + + idmap_alloc_ctx = TALLOC_ZERO_P(idmap_ctx, + struct idmap_alloc_context); IDMAP_CHECK_ALLOC(idmap_alloc_ctx); - idmap_alloc_ctx->methods = get_alloc_methods(alloc_backends, alloc_backend); + idmap_alloc_ctx->methods = get_alloc_methods(alloc_backends, + alloc_backend); if ( ! idmap_alloc_ctx->methods) { ret = smb_probe_module("idmap", alloc_backend); if (NT_STATUS_IS_OK(ret)) { - idmap_alloc_ctx->methods = get_alloc_methods(alloc_backends, alloc_backend); + idmap_alloc_ctx->methods = + get_alloc_methods(alloc_backends, + alloc_backend); } } if (idmap_alloc_ctx->methods) { if (compat_params) { - idmap_alloc_ctx->params = talloc_strdup(idmap_alloc_ctx, compat_params); + idmap_alloc_ctx->params = + talloc_strdup(idmap_alloc_ctx, + compat_params); IDMAP_CHECK_ALLOC(idmap_alloc_ctx->params); } else { idmap_alloc_ctx->params = NULL; @@ -637,13 +691,15 @@ NTSTATUS idmap_init(void) ret = idmap_alloc_ctx->methods->init(idmap_alloc_ctx->params); if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(0, ("ERROR: Initialization failed for alloc " - "backend %s, deferred!\n", alloc_backend)); + DEBUG(0, ("ERROR: Initialization failed for " + "alloc backend %s, deferred!\n", + alloc_backend)); } else { idmap_alloc_ctx->initialized = True; } } else { - DEBUG(2, ("idmap_init: Unable to get methods for alloc backend %s\n", + DEBUG(2, ("idmap_init: Unable to get methods for " + "alloc backend %s\n", alloc_backend)); /* certain compat backends are just readonly */ if ( compat ) { @@ -654,12 +710,12 @@ NTSTATUS idmap_init(void) } } } - + /* cleanpu temporary strings */ TALLOC_FREE( compat_backend ); idmap_init_status = NT_STATUS_OK; - + return ret; done: @@ -757,16 +813,16 @@ static struct idmap_domain* find_idmap_domain_from_sid( DOM_SID *account_sid ) uint32 rid; struct winbindd_domain *domain = NULL; int i; - + /* 1. Handle BUILTIN or Special SIDs and prevent them from falling into the default domain space (if we have a configured passdb backend. */ - if ( (pdb_dom_num != -1) && + if ( (pdb_dom_num != -1) && (sid_check_is_in_builtin(account_sid) || sid_check_is_in_wellknown_domain(account_sid) || sid_check_is_in_unix_groups(account_sid) || - sid_check_is_in_unix_users(account_sid)) ) + sid_check_is_in_unix_users(account_sid)) ) { return idmap_domains[pdb_dom_num]; } @@ -774,8 +830,8 @@ static struct idmap_domain* find_idmap_domain_from_sid( DOM_SID *account_sid ) /* 2. Lookup the winbindd_domain from the account_sid */ sid_copy( &domain_sid, account_sid ); - sid_split_rid( &domain_sid, &rid ); - domain = find_domain_from_sid_noinit( &domain_sid ); + sid_split_rid( &domain_sid, &rid ); + domain = find_domain_from_sid_noinit( &domain_sid ); for (i = 0; domain && i < num_domains; i++) { if ( strequal( idmap_domains[i]->name, domain->name ) ) { @@ -799,13 +855,13 @@ static struct idmap_domain* find_idmap_domain_from_sid( DOM_SID *account_sid ) static uint32 find_idmap_domain_index( struct idmap_domain *id_domain) { int i; - + for (i = 0; i < num_domains; i++) { if ( idmap_domains[i] == id_domain ) - return i; + return i; } - return -1; + return -1; } @@ -813,18 +869,21 @@ static uint32 find_idmap_domain_index( struct idmap_domain *id_domain) Check if creating a mapping is permitted for the domain *********************************************************/ -static NTSTATUS idmap_can_map(const struct id_map *map, struct idmap_domain **ret_dom) +static NTSTATUS idmap_can_map(const struct id_map *map, + struct idmap_domain **ret_dom) { struct idmap_domain *dom; - /* Check we do not create mappings for our own local domain, or BUILTIN or special SIDs */ + /* Check we do not create mappings for our own local domain, + * or BUILTIN or special SIDs */ if ((sid_compare_domain(map->sid, get_global_sam_sid()) == 0) || sid_check_is_in_builtin(map->sid) || sid_check_is_in_wellknown_domain(map->sid) || sid_check_is_in_unix_users(map->sid) || - sid_check_is_in_unix_groups(map->sid) ) + sid_check_is_in_unix_groups(map->sid) ) { - DEBUG(10, ("We are not supposed to create mappings for our own domains (local, builtin, specials)\n")); + DEBUG(10, ("We are not supposed to create mappings for our own " + "domains (local, builtin, specials)\n")); return NT_STATUS_UNSUCCESSFUL; } @@ -832,21 +891,28 @@ static NTSTATUS idmap_can_map(const struct id_map *map, struct idmap_domain **re if (lp_winbind_trusted_domains_only()) { struct winbindd_domain *wdom = find_our_domain(); if (wdom && (sid_compare_domain(map->sid, &wdom->sid) == 0)) { - DEBUG(10, ("We are not supposed to create mappings for our primary domain when <trusted domain only> is True\n")); - DEBUGADD(10, ("Leave [%s] unmapped\n", sid_string_static(map->sid))); + DEBUG(10, ("We are not supposed to create mappings for " + "our primary domain when <trusted domain " + "only> is True\n")); + DEBUGADD(10, ("Leave [%s] unmapped\n", + sid_string_static(map->sid))); return NT_STATUS_UNSUCCESSFUL; } } if ( (dom = find_idmap_domain_from_sid( map->sid )) == NULL ) { - /* huh, couldn't find a suitable domain, let's just leave it unmapped */ - DEBUG(10, ("Could not find idmap backend for SID %s", sid_string_static(map->sid))); + /* huh, couldn't find a suitable domain, + * let's just leave it unmapped */ + DEBUG(10, ("Could not find idmap backend for SID %s", + sid_string_static(map->sid))); return NT_STATUS_NO_SUCH_DOMAIN; } if (dom->readonly) { - /* ouch the domain is read only, let's just leave it unmapped */ - DEBUG(10, ("idmap backend for SID %s is READONLY!\n", sid_string_static(map->sid))); + /* ouch the domain is read only, + * let's just leave it unmapped */ + DEBUG(10, ("idmap backend for SID %s is READONLY!\n", + sid_string_static(map->sid))); return NT_STATUS_UNSUCCESSFUL; } @@ -875,7 +941,8 @@ static NTSTATUS idmap_new_mapping(TALLOC_CTX *ctx, struct id_map *map) ret = idmap_allocate_uid(&map->xid); if ( ! NT_STATUS_IS_OK(ret)) { /* can't allocate id, let's just leave it unmapped */ - DEBUG(2, ("uid allocation failed! Can't create mapping\n")); + DEBUG(2, ("uid allocation failed! " + "Can't create mapping\n")); return NT_STATUS_NONE_MAPPED; } break; @@ -883,14 +950,15 @@ static NTSTATUS idmap_new_mapping(TALLOC_CTX *ctx, struct id_map *map) ret = idmap_allocate_gid(&map->xid); if ( ! NT_STATUS_IS_OK(ret)) { /* can't allocate id, let's just leave it unmapped */ - DEBUG(2, ("gid allocation failed! Can't create mapping\n")); + DEBUG(2, ("gid allocation failed! " + "Can't create mapping\n")); return NT_STATUS_NONE_MAPPED; } break; default: /* invalid sid, let's just leave it unmapped */ DEBUG(3,("idmap_new_mapping: Refusing to create a " - "mapping for an unspecified ID type.\n")); + "mapping for an unspecified ID type.\n")); return NT_STATUS_NONE_MAPPED; } @@ -907,7 +975,7 @@ static NTSTATUS idmap_new_mapping(TALLOC_CTX *ctx, struct id_map *map) /* something wrong here :-( */ DEBUG(2, ("Failed to commit mapping\n!")); - /* TODO: would it make sense to have an "unalloc_id function?" */ + /* TODO: would it make sense to have an "unalloc_id function?" */ return NT_STATUS_NONE_MAPPED; } @@ -930,7 +998,7 @@ static NTSTATUS idmap_backends_set_mapping(const struct id_map *map) return ret; } - DEBUG(10,("set_mapping for domain %s\n", dom->name )); + DEBUG(10,("set_mapping for domain %s\n", dom->name )); return dom->methods->set_mapping(dom, map); } @@ -968,7 +1036,7 @@ static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids) dom = idmap_domains[n]; DEBUG(10, ("Query sids from domain %s\n", dom->name)); - + ret = dom->methods->unixids_to_sids(dom, _ids); IDMAP_REPORT_RET(ret); @@ -976,7 +1044,8 @@ static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids) for (i = 0, u = 0; _ids[i]; i++) { if (_ids[i]->status != ID_MAPPED) { - unmapped = talloc_realloc(ctx, unmapped, struct id_map *, u + 2); + unmapped = talloc_realloc(ctx, unmapped, + struct id_map *, u + 2); IDMAP_CHECK_ALLOC(unmapped); unmapped[u] = _ids[i]; u++; @@ -990,21 +1059,27 @@ static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids) } _ids = unmapped; - + } if (unmapped) { - /* there are still unmapped ids, map them to the unix users/groups domains */ - /* except for expired entries, these will be returned as valid (offline mode) */ + /* there are still unmapped ids, + * map them to the unix users/groups domains */ + /* except for expired entries, + * these will be returned as valid (offline mode) */ for (i = 0; unmapped[i]; i++) { if (unmapped[i]->status == ID_EXPIRED) continue; switch (unmapped[i]->xid.type) { case ID_TYPE_UID: - uid_to_unix_users_sid((uid_t)unmapped[i]->xid.id, unmapped[i]->sid); + uid_to_unix_users_sid( + (uid_t)unmapped[i]->xid.id, + unmapped[i]->sid); unmapped[i]->status = ID_MAPPED; break; case ID_TYPE_GID: - gid_to_unix_groups_sid((gid_t)unmapped[i]->xid.id, unmapped[i]->sid); + gid_to_unix_groups_sid( + (gid_t)unmapped[i]->xid.id, + unmapped[i]->sid); unmapped[i]->status = ID_MAPPED; break; default: /* what?! */ @@ -1019,7 +1094,7 @@ static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids) done: talloc_free(ctx); return ret; -} +} static NTSTATUS idmap_backends_sids_to_unixids(struct id_map **ids) { @@ -1050,22 +1125,23 @@ static NTSTATUS idmap_backends_sids_to_unixids(struct id_map **ids) /* partition the requests by domain */ for (i = 0; ids[i]; i++) { - uint32 idx; + uint32 idx; - if ( (dom = find_idmap_domain_from_sid( ids[i]->sid )) == NULL ) { + if ((dom = find_idmap_domain_from_sid(ids[i]->sid)) == NULL) { /* no available idmap_domain. Move on */ continue; } - DEBUG(10,("SID %s is being handled by %s\n", - sid_string_static(ids[i]->sid), + DEBUG(10,("SID %s is being handled by %s\n", + sid_string_static(ids[i]->sid), dom ? dom->name : "none" )); idx = find_idmap_domain_index( dom ); SMB_ASSERT( idx != -1 ); - - dom_ids[idx] = talloc_realloc(ctx, dom_ids[idx], - struct id_map *, counters[idx] + 2); + + dom_ids[idx] = talloc_realloc(ctx, dom_ids[idx], + struct id_map *, + counters[idx] + 2); IDMAP_CHECK_ALLOC(dom_ids[idx]); dom_ids[idx][counters[idx]] = ids[i]; @@ -1091,13 +1167,15 @@ static NTSTATUS idmap_backends_sids_to_unixids(struct id_map **ids) for (i = 0; ids[i]; i++) { /* NOTE: this will NOT touch ID_EXPIRED entries that the backend * was not able to confirm/deny (offline mode) */ - if (ids[i]->status == ID_UNKNOWN || ids[i]->status == ID_UNMAPPED) { + if (ids[i]->status == ID_UNKNOWN || + ids[i]->status == ID_UNMAPPED) { /* ok this is an unmapped one, see if we can map it */ ret = idmap_new_mapping(ctx, ids[i]); if (NT_STATUS_IS_OK(ret)) { /* successfully mapped */ ids[i]->status = ID_MAPPED; - } else if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) { + } else + if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) { /* could not map it */ ids[i]->status = ID_UNMAPPED; } else { @@ -1113,7 +1191,7 @@ static NTSTATUS idmap_backends_sids_to_unixids(struct id_map **ids) done: talloc_free(ctx); return ret; -} +} /************************************************************************** idmap interface functions @@ -1126,7 +1204,7 @@ NTSTATUS idmap_unixids_to_sids(struct id_map **ids) struct id_map **bids; int i, bi; int bn = 0; - struct winbindd_domain *our_domain = find_our_domain(); + struct winbindd_domain *our_domain = find_our_domain(); if (! NT_STATUS_IS_OK(ret = idmap_init())) { return ret; @@ -1146,7 +1224,7 @@ NTSTATUS idmap_unixids_to_sids(struct id_map **ids) /* no ids to be asked to the backends by default */ bids = NULL; bi = 0; - + for (i = 0; ids[i]; i++) { if ( ! ids[i]->sid) { @@ -1160,7 +1238,8 @@ NTSTATUS idmap_unixids_to_sids(struct id_map **ids) if ( ! NT_STATUS_IS_OK(ret)) { if ( ! bids) { - /* alloc space for ids to be resolved by backends (realloc ten by ten) */ + /* alloc space for ids to be resolved by + * backends (realloc ten by ten) */ bids = TALLOC_ARRAY(ctx, struct id_map *, 10); if ( ! bids) { DEBUG(1, ("Out of memory!\n")); @@ -1170,14 +1249,17 @@ NTSTATUS idmap_unixids_to_sids(struct id_map **ids) bn = 10; } - /* add this id to the ones to be retrieved from the backends */ + /* add this id to the ones to be retrieved + * from the backends */ bids[bi] = ids[i]; bi++; - - /* check if we need to allocate new space on the rids array */ + + /* check if we need to allocate new space + * on the rids array */ if (bi == bn) { bn += 10; - bids = talloc_realloc(ctx, bids, struct id_map *, bn); + bids = talloc_realloc(ctx, bids, + struct id_map *, bn); if ( ! bids) { DEBUG(1, ("Out of memory!\n")); talloc_free(ctx); @@ -1190,7 +1272,8 @@ NTSTATUS idmap_unixids_to_sids(struct id_map **ids) } } - /* let's see if there is any id mapping to be retieved from the backends */ + /* let's see if there is any id mapping to be retieved + * from the backends */ if (bi) { /* Only do query if we are online */ if ( IS_DOMAIN_OFFLINE(our_domain) ) { @@ -1206,18 +1289,21 @@ NTSTATUS idmap_unixids_to_sids(struct id_map **ids) if (bids[i]->status == ID_MAPPED) { ret = idmap_cache_set(idmap_cache, bids[i]); } else if (bids[i]->status == ID_EXPIRED) { - /* the cache returned an expired entry and the backend was - * was not able to clear the situation (offline). - * This handles a previous NT_STATUS_SYNCHRONIZATION_REQUIRED + /* the cache returned an expired entry and the + * backend was not able to clear the situation + * (offline). This handles a previous + * NT_STATUS_SYNCHRONIZATION_REQUIRED * for disconnected mode, */ bids[i]->status = ID_MAPPED; } else if (bids[i]->status == ID_UNKNOWN) { - /* something bad here. We were not able to handle this for some - * reason, mark it as unmapped and hope next time things will + /* something bad here. We were not able to + * handle this for some reason, mark it as + * unmapped and hope next time things will * settle down. */ bids[i]->status = ID_UNMAPPED; } else { /* unmapped */ - ret = idmap_cache_set_negative_id(idmap_cache, bids[i]); + ret = idmap_cache_set_negative_id(idmap_cache, + bids[i]); } IDMAP_CHECK_RET(ret); } @@ -1236,7 +1322,7 @@ NTSTATUS idmap_sids_to_unixids(struct id_map **ids) struct id_map **bids; int i, bi; int bn = 0; - struct winbindd_domain *our_domain = find_our_domain(); + struct winbindd_domain *our_domain = find_our_domain(); if (! NT_STATUS_IS_OK(ret = idmap_init())) { return ret; @@ -1256,7 +1342,7 @@ NTSTATUS idmap_sids_to_unixids(struct id_map **ids) /* no ids to be asked to the backends by default */ bids = NULL; bi = 0; - + for (i = 0; ids[i]; i++) { if ( ! ids[i]->sid) { @@ -1281,14 +1367,17 @@ NTSTATUS idmap_sids_to_unixids(struct id_map **ids) bn = 10; } - /* add this id to the ones to be retrieved from the backends */ + /* add this id to the ones to be retrieved + * from the backends */ bids[bi] = ids[i]; bi++; - /* check if we need to allocate new space on the ids array */ + /* check if we need to allocate new space + * on the ids array */ if (bi == bn) { bn += 10; - bids = talloc_realloc(ctx, bids, struct id_map *, bn); + bids = talloc_realloc(ctx, bids, + struct id_map *, bn); if ( ! bids) { DEBUG(1, ("Out of memory!\n")); talloc_free(ctx); @@ -1301,14 +1390,15 @@ NTSTATUS idmap_sids_to_unixids(struct id_map **ids) } } - /* let's see if there is any id mapping to be retieved from the backends */ + /* let's see if there is any id mapping to be retieved + * from the backends */ if (bids) { /* Only do query if we are online */ if ( IS_DOMAIN_OFFLINE(our_domain) ) { ret = NT_STATUS_FILE_IS_OFFLINE; goto done; } - + ret = idmap_backends_sids_to_unixids(bids); IDMAP_CHECK_RET(ret); @@ -1317,18 +1407,21 @@ NTSTATUS idmap_sids_to_unixids(struct id_map **ids) if (bids[i]->status == ID_MAPPED) { ret = idmap_cache_set(idmap_cache, bids[i]); } else if (bids[i]->status == ID_EXPIRED) { - /* the cache returned an expired entry and the backend was - * was not able to clear the situation (offline). - * This handles a previous NT_STATUS_SYNCHRONIZATION_REQUIRED + /* the cache returned an expired entry and the + * backend was not able to clear the situation + * (offline). This handles a previous + * NT_STATUS_SYNCHRONIZATION_REQUIRED * for disconnected mode, */ bids[i]->status = ID_MAPPED; } else if (bids[i]->status == ID_UNKNOWN) { - /* something bad here. We were not able to handle this for some - * reason, mark it as unmapped and hope next time things will + /* something bad here. We were not able to + * handle this for some reason, mark it as + * unmapped and hope next time things will * settle down. */ bids[i]->status = ID_UNMAPPED; } else { /* unmapped */ - ret = idmap_cache_set_negative_sid(idmap_cache, bids[i]); + ret = idmap_cache_set_negative_sid(idmap_cache, + bids[i]); } IDMAP_CHECK_RET(ret); } @@ -1395,28 +1488,30 @@ void idmap_dump_maps(char *logfile) dump = fopen(logfile, "w"); if ( ! dump) { - DEBUG(0, ("Unable to open open stream for file [%s], errno: %d\n", logfile, errno)); + DEBUG(0, ("Unable to open open stream for file [%s], " + "errno: %d\n", logfile, errno)); return; } - if (NT_STATUS_IS_OK(ret = idmap_alloc_init())) { + if (NT_STATUS_IS_OK(ret = idmap_alloc_init())) { allid.type = ID_TYPE_UID; allid.id = 0; idmap_alloc_ctx->methods->get_id_hwm(&allid); fprintf(dump, "USER HWM %lu\n", (unsigned long)allid.id); - + allid.type = ID_TYPE_GID; allid.id = 0; idmap_alloc_ctx->methods->get_id_hwm(&allid); fprintf(dump, "GROUP HWM %lu\n", (unsigned long)allid.id); } - + maps = talloc(idmap_ctx, struct id_map); num_maps = 0; for (i = 0; i < num_domains; i++) { if (idmap_domains[i]->methods->dump_data) { - idmap_domains[i]->methods->dump_data(idmap_domains[i], &maps, &num_maps); + idmap_domains[i]->methods->dump_data(idmap_domains[i], + &maps, &num_maps); } } @@ -1453,13 +1548,13 @@ char *idmap_fetch_secret(const char *backend, bool alloc, r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain); } - if (r < 0) + if (r < 0) return NULL; strupper_m(tmp); /* make sure the key is case insensitive */ ret = secrets_fetch_generic(tmp, identity); - SAFE_FREE( tmp ); + SAFE_FREE(tmp); return ret; } |