From 0bc85d32e196acb50dfece16d63410e04c58b712 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sat, 26 Apr 2003 14:43:33 +0000
Subject: add idmap only parameter make idmap not map SIDs outside the uid/gid range defined by default this is to keep backward compatibility (This used to be commit bec45093c379915082d7b7f44113f5c17110d123)
---
 source3/param/loadparm.c | 6 +++++-
 source3/sam/idmap.c | 29 +++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index c80c71d98d..60ba76a32f 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -164,6 +164,7 @@ typedef struct
 char *szSourceEnv;
 char *szIdmapUID;
 char *szIdmapGID;
+ BOOL *bIdmapOnly;
 char *szNonUnixAccountRange;
 int AlgorithmicRidBase;
 char *szTemplateHomedir;
@@ -756,7 +757,6 @@ static struct parm_struct parm_table[] = {
 {"server schannel", P_ENUM, P_GLOBAL, &Globals.serverSchannel, NULL, enum_bool_auto, FLAG_BASIC},
 {"allow trusted domains", P_BOOL, P_GLOBAL, &Globals.bAllowTrustedDomains, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 {"hosts equiv", P_STRING, P_GLOBAL, &Globals.szHostsEquiv, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
- {"idmap backend", P_STRING, P_GLOBAL, &Globals.szIdmapBackend, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 {"min passwd length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 {"min password length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 {"map to guest", P_ENUM, P_GLOBAL, &Globals.map_to_guest, NULL, enum_map_to_guest, FLAG_ADVANCED | FLAG_DEVELOPER},
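Review bot: `BOOL *bIdmapOnly;` in the first loadparm.c hunk declares the new field as a pointer, but every use in this commit treats it as a plain BOOL: the parm_table entry is `P_BOOL` on `&Globals.bIdmapOnly`, init_globals assigns `False`, and `FN_GLOBAL_BOOL(lp_idmap_only, &Globals.bIdmapOnly)` reads it back. The declaration should be `BOOL bIdmapOnly;`. As written the flag presumably works only because a BOOL fits inside a pointer and the parser and accessor touch the same bytes (the macros are outside this diff, so confirm), which is fragile for the switch that decides whether idmap_set_mapping enforces the uid/gid range. The struct starts and ends outside the hunk.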
@@ -1120,6 +1120,8 @@ static struct parm_struct parm_table[] = { {"Winbind options", P_SEP, P_SEPARATOR}, + {"idmap only", P_BOOL, P_GLOBAL, &Globals.bIdmapOnly, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, + {"idmap backend", P_STRING, P_GLOBAL, &Globals.szIdmapBackend, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"idmap uid", P_STRING, P_GLOBAL, &Globals.szIdmapUID, handle_idmap_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"winbind uid", P_STRING, P_GLOBAL, &Globals.szIdmapUID, handle_idmap_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER | FLAG_HIDE}, {"idmap gid", P_STRING, P_GLOBAL, &Globals.szIdmapGID, handle_idmap_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, @@ -1478,6 +1480,7 @@ static void init_globals(void) Globals.bWinbindEnumGroups = True; Globals.bWinbindUseDefaultDomain = False; + Globals.bIdmapOnly = False; string_set(&Globals.szWinbindBackend, "tdb"); Globals.name_cache_timeout = 660; /* In seconds */ @@ -1657,6 +1660,7 @@ FN_GLOBAL_BOOL(lp_winbind_use_default_domain, &Globals.bWinbindUseDefaultDomain) FN_GLOBAL_STRING(lp_winbind_backend, &Globals.szWinbindBackend) FN_GLOBAL_STRING(lp_idmap_backend, &Globals.szIdmapBackend) +FN_GLOBAL_BOOL(lp_idmap_only, &Globals.bIdmapOnly) #ifdef WITH_LDAP_SAMCONFIG FN_GLOBAL_STRING(lp_ldap_server, &Globals.szLdapServer) diff --git a/source3/sam/idmap.c b/source3/sam/idmap.c index 771f4169a2..c2b966cfbe 100644 --- a/source3/sam/idmap.c +++ b/source3/sam/idmap.c 
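Review bot: `idmap only` is registered in parm_table and defaulted in init_globals with no documentation, and the diffstat shows no manual page change, yet the name does not say that enabling it lifts the `idmap uid`/`idmap gid` range limit on stored mappings. I would add a comment above `Globals.bIdmapOnly = False;` such as `/* False: idmap_set_mapping() refuses ids outside the idmap uid/gid ranges */` so the restrictive default is not flipped casually. parm_table and init_globals both extend beyond these hunks.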
@@ -91,6 +91,35 @@ NTSTATUS idmap_set_mapping(const DOM_SID *sid, unid_t id, int id_type) { NTSTATUS ret; + if (!lp_idmap_only()) { + if (id_type & ID_USERID) { + uid_t low, high; + if (!lp_idmap_uid(&low, &high)) { + DEBUG(0, ("idmap uid range missing or invalid\n")); + DEBUGADD(0, ("idmap will be unable to map SIDs\n")); + return NT_STATUS_UNSUCCESSFUL; + } + if (low > id.uid || high < id.uid) { + DEBUG(0, ("uid not in range and idmap only is flase - not storing the mapping\n")); + return NT_STATUS_UNSUCCESSFUL; + } + } else if (id_type & ID_GROUPID) { + gid_t low, high; + if (!lp_idmap_gid(&low, &high)) { + DEBUG(0, ("idmap gid range missing or invalid\n")); + DEBUGADD(0, ("idmap will be unable to map SIDs\n")); + return NT_STATUS_UNSUCCESSFUL; + } + if (low > id.gid || high < id.gid) { + DEBUG(0, ("uid not in range and idmap only is flase - not storing the mapping\n")); + return NT_STATUS_UNSUCCESSFUL; + } + } else { + DEBUG(0, ("Wrong ID Type, mapping failed!")); + return NT_STATUS_UNSUCCESSFUL; + } + } + ret = local_map->set_mapping(sid, id, id_type); if (NT_STATUS_IS_ERR(ret)) { DEBUG (0, ("idmap_set_mapping: Error, unable to modify local cache!\n")); -- cgit
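Review bot: The gid branch reuses the uid message (`uid not in range and idmap only is flase`), so a refused group mapping is logged as a uid problem, and neither message names the SID or the id that was refused; for the gid case I would log `DEBUG(0, ("gid %lu outside idmap gid range and idmap only is false - not storing the mapping\n", (unsigned long)id.gid));` and correct the uid text the same way. The `Wrong ID Type` message also lacks its trailing `\n`. Separately, every check here, including the id_type rejection, sits under `if (!lp_idmap_only())`, so with `idmap only = yes` nothing in this function bounds the id before `local_map->set_mapping`; unless callers outside this hunk validate it, a SID could then be stored against uid 0 or another local account's id, and a comment at the guard should say so. idmap_set_mapping continues past the end of the hunk.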