From 9c7f714962bdfe280baed42ed6a1e35a422a0267 Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Mon, 18 Feb 2008 14:30:17 +0100 Subject: idmap: Handle gid->SID mapping (This used to be commit 6f2d95030cd7b4b22d1b75d15b76881449eda697) --- source4/winbind/idmap.c | 157 ++++++++++++++++++++++++++++++++++++++++++- source4/winbind/wb_gid2sid.c | 13 ++-- 2 files changed, 163 insertions(+), 7 deletions(-) diff --git a/source4/winbind/idmap.c b/source4/winbind/idmap.c index b14885213e..af026a4d5c 100644 --- a/source4/winbind/idmap.c +++ b/source4/winbind/idmap.c @@ -354,8 +354,6 @@ failed: /** * Map a Unix gid to the corresponding SID * - * \todo Create a SID from the S-1-22-2 range for unmapped groups - * * \param idmap_ctx idmap context to use * \param mem_ctx talloc context the memory for the struct dom_sid is allocated * from. @@ -368,7 +366,160 @@ failed: NTSTATUS idmap_gid_to_sid(struct idmap_context *idmap_ctx, TALLOC_CTX *mem_ctx, const gid_t gid, struct dom_sid **sid) { - return NT_STATUS_NONE_MAPPED; + int ret; + NTSTATUS status = NT_STATUS_NONE_MAPPED; + struct ldb_context *ldb = idmap_ctx->ldb_ctx; + struct ldb_message *msg; + struct ldb_result *res = NULL; + int trans = -1; + gid_t low, high; + char *sid_string, *gid_string; + struct dom_sid *unix_groups_sid, *new_sid; + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + + ret = ldb_search_exp_fmt(ldb, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE, + NULL, "(&(objectClass=sidMap)(gidNumber=%u))", gid); + if (ret != LDB_SUCCESS) { + DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb))); + status = NT_STATUS_NONE_MAPPED; + goto failed; + } + + if (res->count == 1) { + *sid = idmap_msg_get_dom_sid(mem_ctx, res->msgs[0], + "objectSid"); + if (*sid == NULL) { + DEBUG(1, ("Failed to get sid from db: %u\n", ret)); + status = NT_STATUS_NONE_MAPPED; + goto failed; + } + /* No change, so cancel the transaction */ + ldb_transaction_cancel(ldb); + talloc_free(tmp_ctx); + return NT_STATUS_OK; + } + + DEBUG(6, ("gid not found in idmap db, trying to allocate SID.\n")); + + trans = ldb_transaction_start(ldb); + if (trans != LDB_SUCCESS) { + status = NT_STATUS_NONE_MAPPED; + goto failed; + } + + /* Now redo the search to make sure noone added a mapping for that SID + * while we weren't looking.*/ + ret = ldb_search_exp_fmt(ldb, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE, + NULL, "(&(objectClass=sidMap)(gidNumber=%u))", + gid); + if (ret != LDB_SUCCESS) { + DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb))); + status = NT_STATUS_NONE_MAPPED; + goto failed; + } + + if (res->count > 0) { + DEBUG(1, ("sidMap modified while trying to add a mapping.\n")); + status = NT_STATUS_RETRY; + goto failed; + } + + ret = idmap_get_bounds(idmap_ctx, &low, &high); + if (ret != LDB_SUCCESS) { + DEBUG(1, ("Failed to get id bounds from db: %u\n", ret)); + status = NT_STATUS_NONE_MAPPED; + goto failed; + } + + if (gid >= low && gid <= high) { + /* An existing group would have been mapped before */ + status = NT_STATUS_NO_SUCH_USER; + goto failed; + } + + /* For local groups, we just create a rid = gid +1, so root doesn't end + * up with a 0 rid */ + unix_groups_sid = dom_sid_parse_talloc(tmp_ctx, "S-1-22-2"); + if (unix_groups_sid == NULL) { + status = NT_STATUS_NO_MEMORY; + goto failed; + } + + new_sid = dom_sid_add_rid(mem_ctx, unix_groups_sid, gid + 1); + if (new_sid == NULL) { + status = NT_STATUS_NO_MEMORY; + goto failed; + } + + sid_string = dom_sid_string(tmp_ctx, new_sid); + if (sid_string == NULL) { + status = NT_STATUS_NO_MEMORY; + goto failed; + } + + gid_string = talloc_asprintf(tmp_ctx, "%u", gid); + if (gid_string == NULL) { + status = NT_STATUS_NO_MEMORY; + goto failed; + } + + msg = ldb_msg_new(tmp_ctx); + if (msg == NULL) { + status = NT_STATUS_NO_MEMORY; + goto failed; + } + + msg->dn = ldb_dn_new_fmt(tmp_ctx, ldb, "CN=%s", sid_string); + if (msg->dn == NULL) { + status = NT_STATUS_NO_MEMORY; + goto failed; + } + + ret = ldb_msg_add_string(msg, "gidNumber", gid_string); + if (ret != LDB_SUCCESS) { + status = NT_STATUS_NONE_MAPPED; + goto failed; + } + + ret = idmap_msg_add_dom_sid(idmap_ctx, tmp_ctx, msg, "objectSid", + new_sid); + if (ret != LDB_SUCCESS) { + status = NT_STATUS_NONE_MAPPED; + goto failed; + } + + ret = ldb_msg_add_string(msg, "objectClass", "sidMap"); + if (ret != LDB_SUCCESS) { + status = NT_STATUS_NONE_MAPPED; + goto failed; + } + + ret = ldb_msg_add_string(msg, "cn", sid_string); + if (ret != LDB_SUCCESS) { + status = NT_STATUS_NONE_MAPPED; + goto failed; + } + + ret = ldb_add(ldb, msg); + if (ret != LDB_SUCCESS) { + status = NT_STATUS_NONE_MAPPED; + goto failed; + } + + trans = ldb_transaction_commit(ldb); + if (trans != LDB_SUCCESS) { + status = NT_STATUS_NONE_MAPPED; + goto failed; + } + + *sid = new_sid; + talloc_free(tmp_ctx); + return NT_STATUS_OK; + +failed: + if (trans == LDB_SUCCESS) ldb_transaction_cancel(ldb); + talloc_free(tmp_ctx); + return status; } /** diff --git a/source4/winbind/wb_gid2sid.c b/source4/winbind/wb_gid2sid.c index 5c0b87118d..f2577029aa 100644 --- a/source4/winbind/wb_gid2sid.c +++ b/source4/winbind/wb_gid2sid.c @@ -25,6 +25,7 @@ #include "smbd/service_task.h" #include "winbind/wb_helper.h" #include "libcli/security/proto.h" +#include "winbind/idmap.h" struct gid2sid_state { struct composite_context *ctx; @@ -50,10 +51,14 @@ struct composite_context *wb_gid2sid_send(TALLOC_CTX *mem_ctx, result->private_data = state; state->service = service; - /* FIXME: This is a stub so far. - * We cheat by just using the gid as RID with the domain SID.*/ - state->sid = dom_sid_add_rid(result, service->primary_sid, gid); - if (composite_nomem(state->sid, state->ctx)) return result; + state->ctx->status = idmap_gid_to_sid(service->idmap_ctx, mem_ctx, gid, + &state->sid); + if (NT_STATUS_EQUAL(state->ctx->status, NT_STATUS_RETRY)) { + state->ctx->status = idmap_gid_to_sid(service->idmap_ctx, + mem_ctx, gid, + &state->sid); + } + if (!composite_is_ok(state->ctx)) return result; composite_done(state->ctx); return result; -- cgit