From 8761f5dcc4db5c825a600fe25792ec47cb6cbdc7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 24 Sep 2006 02:52:25 +0000 Subject: r18867: change the group mapping code to use ldb instead of tdb See the discussion of this on the samba-technical list (This used to be commit 4ad1436ceae0128e187222fce0fc79adb3049d3f) --- source3/groupdb/mapping_ldb.c | 670 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 670 insertions(+) create mode 100644 source3/groupdb/mapping_ldb.c (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c new file mode 100644 index 0000000000..c8824674e1 --- /dev/null +++ b/source3/groupdb/mapping_ldb.c 
@@ -0,0 +1,670 @@ +/* + * Unix SMB/CIFS implementation. + * + * group mapping code on top of ldb + * + * Copyright (C) Andrew Tridgell 2006 + * + * based on tdb group mapping code from groupdb/mapping.c + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" +#include "groupdb/mapping.h" +#include "lib/ldb/include/includes.h" +#include "lib/ldb/include/ldb_errors.h" + +static struct ldb_context *ldb; + +static BOOL mapping_upgrade(const char *tdb_path); + +/* + connect to the group mapping ldb +*/ + BOOL init_group_mapping(void) +{ + BOOL existed; + const char *init_ldif[] = + { "dn: @ATTRIBUTES\n" \ + "ntName: CASE_INSENSITIVE\n" \ + "\n", + "dn: @INDEXLIST\n" \ + "@IDXATTR: gidNumber\n" \ + "@IDXATTR: ntName\n" \ + "@IDXATTR: memberOf\n" }; + const char *db_path, *tdb_path; + int ret; + int flags = 0; + + if (ldb != NULL) { + return True; + } + + /* this is needed as Samba3 doesn't have the auto init code yet */ + ldb_tdb_init(); + + db_path = lock_path("group_mapping.ldb"); + + ldb = ldb_init(NULL); + if (ldb == NULL) goto failed; + + existed = file_exist(db_path, NULL); + + if (lp_parm_bool(-1, "groupmap", "nosync", False)) { + flags |= LDB_FLG_NOSYNC; + } + + ret = ldb_connect(ldb, db_path, flags, NULL); + if (ret != LDB_SUCCESS) { + goto failed; + } + + if (!existed) { + /* initialise 
the ldb with an index */ + struct ldb_ldif *ldif; + int i; + for (i=0;imsg); + talloc_free(ldif); + if (ret == -1) goto failed; + } + } + + /* possibly upgrade */ + tdb_path = lock_path("group_mapping.tdb"); + if (file_exist(tdb_path, NULL) && !mapping_upgrade(tdb_path)) { + unlink(lock_path("group_mapping.ldb")); + goto failed; + } + + return True; + +failed: + DEBUG(0,("Failed to open group mapping ldb '%s' - '%s'\n", + db_path, ldb?ldb_errstring(ldb):strerror(errno))); + talloc_free(ldb); + ldb = NULL; + return False; +} + + +/* + form the DN for a mapping entry from a SID + */ +static struct ldb_dn *mapping_dn(TALLOC_CTX *mem_ctx, const DOM_SID *sid) +{ + fstring string_sid; + uint32_t rid; + DOM_SID domsid; + + sid_copy(&domsid, sid); + if (!sid_split_rid(&domsid, &rid)) { + return NULL; + } + if (!sid_to_string(string_sid, &domsid)) { + return NULL; + } + /* we split by domain and rid so we can do a subtree search + when we only want one domain */ + return ldb_dn_string_compose(mem_ctx, NULL, "domain=%s,rid=%u", + string_sid, rid); +} + +/* + add a group mapping entry + */ + BOOL add_mapping_entry(GROUP_MAP *map, int flag) +{ + struct ldb_message *msg; + int ret, i; + fstring string_sid; + + if (!init_group_mapping()) { + return False; + } + + msg = ldb_msg_new(ldb); + if (msg == NULL) return False; + + msg->dn = mapping_dn(msg, &map->sid); + if (msg->dn == NULL) goto failed; + + if (ldb_msg_add_string(msg, "objectClass", "groupMap") != LDB_SUCCESS || + ldb_msg_add_string(msg, "sid", + sid_to_string(string_sid, &map->sid)) != LDB_SUCCESS || + ldb_msg_add_fmt(msg, "gidNumber", "%u", (unsigned)map->gid) != LDB_SUCCESS || + ldb_msg_add_fmt(msg, "sidNameUse", "%u", (unsigned)map->sid_name_use) != LDB_SUCCESS || + ldb_msg_add_string(msg, "ntName", map->nt_name) != LDB_SUCCESS || + ldb_msg_add_string(msg, "comment", map->comment) != LDB_SUCCESS) { + goto failed; + } + + ret = ldb_add(ldb, msg); + + /* if it exists we update it. 
This is a hangover from the semantics the + tdb backend had */ + if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) { + for (i=0;inum_elements;i++) { + msg->elements[i].flags = LDB_FLAG_MOD_REPLACE; + } + ret = ldb_modify(ldb, msg); + } + + talloc_free(msg); + + return ret == LDB_SUCCESS; + +failed: + talloc_free(msg); + return False; +} + +/* + unpack a ldb message into a GROUP_MAP structure +*/ +static BOOL msg_to_group_map(struct ldb_message *msg, GROUP_MAP *map) +{ + const char *sidstr; + + map->gid = ldb_msg_find_attr_as_int(msg, "gidNumber", -1); + map->sid_name_use = ldb_msg_find_attr_as_int(msg, "sidNameUse", -1); + fstrcpy(map->nt_name, ldb_msg_find_attr_as_string(msg, "ntName", NULL)); + fstrcpy(map->comment, ldb_msg_find_attr_as_string(msg, "comment", NULL)); + sidstr = ldb_msg_find_attr_as_string(msg, "sid", NULL); + + if (!string_to_sid(&map->sid, sidstr) || + map->gid == (gid_t)-1 || + map->sid_name_use == (enum lsa_SidType)-1) { + DEBUG(0,("Unable to unpack group mapping\n")); + return False; + } + + return True; +} + +/* + return a group map entry for a given sid +*/ + BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map) +{ + int ret; + struct ldb_dn *dn; + struct ldb_result *res=NULL; + + if (!init_group_mapping()) { + return False; + } + + dn = mapping_dn(ldb, &sid); + if (dn == NULL) goto failed; + + ret = ldb_search(ldb, dn, LDB_SCOPE_BASE, NULL, NULL, &res); + talloc_steal(dn, res); + if (ret != LDB_SUCCESS || res->count != 1) { + goto failed; + } + + if (!msg_to_group_map(res->msgs[0], map)) goto failed; + + talloc_free(dn); + return True; + +failed: + talloc_free(dn); + return False; +} + +/* + return a group map entry for a given gid +*/ + BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map) +{ + int ret; + char *expr; + struct ldb_result *res=NULL; + + if (!init_group_mapping()) { + return False; + } + + expr = talloc_asprintf(ldb, "(&(gidNumber=%u)(objectClass=groupMap))", + (unsigned)gid); + if (expr == NULL) goto failed; + + ret = 
ldb_search(ldb, NULL, LDB_SCOPE_SUBTREE, expr, NULL, &res); + talloc_steal(expr, res); + if (ret != LDB_SUCCESS || res->count != 1) goto failed; + + if (!msg_to_group_map(res->msgs[0], map)) goto failed; + + talloc_free(expr); + return True; + +failed: + talloc_free(expr); + return False; +} + +/* + Return the sid and the type of the unix group. +*/ + BOOL get_group_map_from_ntname(const char *name, GROUP_MAP *map) +{ + int ret; + char *expr; + struct ldb_result *res=NULL; + + if (!init_group_mapping()) { + return False; + } + + expr = talloc_asprintf(ldb, "(&(ntName=%s)(objectClass=groupMap))", name); + if (expr == NULL) goto failed; + + ret = ldb_search(ldb, NULL, LDB_SCOPE_SUBTREE, expr, NULL, &res); + talloc_steal(expr, res); + if (ret != LDB_SUCCESS || res->count != 1) goto failed; + + if (!msg_to_group_map(res->msgs[0], map)) goto failed; + + talloc_free(expr); + return True; + +failed: + talloc_free(expr); + return False; +} + +/* + Remove a group mapping entry. +*/ + BOOL group_map_remove(const DOM_SID *sid) +{ + struct ldb_dn *dn; + int ret; + + if (!init_group_mapping()) { + return False; + } + + dn = mapping_dn(ldb, sid); + ret = ldb_delete(ldb, dn); + talloc_free(dn); + + return ret == LDB_SUCCESS; +} + + +/* + Enumerate the group mappings for a domain +*/ + BOOL enum_group_mapping(const DOM_SID *domsid, enum lsa_SidType sid_name_use, + GROUP_MAP **pp_rmap, + size_t *p_num_entries, BOOL unix_only) +{ + int i, ret; + char *expr; + fstring name; + struct ldb_result *res; + struct ldb_dn *basedn=NULL; + TALLOC_CTX *tmp_ctx; + + if (!init_group_mapping()) { + return False; + } + + tmp_ctx = talloc_new(ldb); + if (tmp_ctx == NULL) goto failed; + + if (sid_name_use == SID_NAME_UNKNOWN) { + expr = talloc_asprintf(tmp_ctx, "(&(objectClass=groupMap))"); + } else { + expr = talloc_asprintf(tmp_ctx, "(&(sidNameUse=%u)(objectClass=groupMap))", + sid_name_use); + } + if (expr == NULL) goto failed; + + /* we do a subtree search on the domain */ + if (domsid != NULL) 
{ + sid_to_string(name, domsid); + basedn = ldb_dn_string_compose(tmp_ctx, NULL, "domain=%s", name); + if (basedn == NULL) goto failed; + } + + ret = ldb_search(ldb, basedn, LDB_SCOPE_SUBTREE, expr, NULL, &res); + if (ret != LDB_SUCCESS) goto failed; + + (*pp_rmap) = NULL; + *p_num_entries = 0; + + for (i=0;icount;i++) { + (*pp_rmap) = SMB_REALLOC_ARRAY((*pp_rmap), GROUP_MAP, + (*p_num_entries)+1); + if (!(*pp_rmap)) goto failed; + + if (!msg_to_group_map(res->msgs[i], &(*pp_rmap)[*p_num_entries])) { + goto failed; + } + + (*p_num_entries)++; + } + + talloc_free(tmp_ctx); + return True; + +failed: + talloc_free(tmp_ctx); + return False; +} + +/* + This operation happens on session setup, so it should better be fast. We + store a list of aliases a SID is member of hanging off MEMBEROF/SID. +*/ + NTSTATUS one_alias_membership(const DOM_SID *member, + DOM_SID **sids, size_t *num) +{ + const char *attrs[] = { + "sid", + NULL + }; + DOM_SID alias; + char *expr; + int ret, i; + struct ldb_result *res=NULL; + fstring string_sid; + NTSTATUS status = NT_STATUS_INTERNAL_DB_CORRUPTION; + + if (!init_group_mapping()) { + return NT_STATUS_ACCESS_DENIED; + } + + *sids = NULL; + *num = 0; + + if (!sid_to_string(string_sid, member)) { + return NT_STATUS_INVALID_PARAMETER; + } + + expr = talloc_asprintf(ldb, "(&(memberOf=%s)(objectClass=groupMap))", + string_sid); + if (expr == NULL) goto failed; + + ret = ldb_search(ldb, NULL, LDB_SCOPE_SUBTREE, expr, attrs, &res); + talloc_steal(expr, res); + if (ret != LDB_SUCCESS) { + goto failed; + } + + for (i=0;icount;i++) { + struct ldb_message_element *el; + el = ldb_msg_find_element(res->msgs[i], "sid"); + if (el == NULL || el->num_values != 1) { + status = NT_STATUS_INTERNAL_DB_CORRUPTION; + goto failed; + } + string_to_sid(&alias, (char *)el->values[0].data); + add_sid_to_array_unique(NULL, &alias, sids, num); + if (sids == NULL) { + status = NT_STATUS_NO_MEMORY; + goto failed; + } + } + + talloc_free(expr); + return NT_STATUS_OK; + 
+failed: + talloc_free(expr); + return status; +} + +/* + add/remove a memberOf field +*/ +static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, + int operation) +{ + fstring string_sid; + int ret; + struct ldb_message msg; + struct ldb_message_element el; + struct ldb_val val; + TALLOC_CTX *tmp_ctx; + GROUP_MAP map; + + if (!init_group_mapping()) { + return NT_STATUS_ACCESS_DENIED; + } + + if (!get_group_map_from_sid(*alias, &map)) { + sid_to_string(string_sid, alias); + return NT_STATUS_NO_SUCH_ALIAS; + } + + if ((map.sid_name_use != SID_NAME_ALIAS) && + (map.sid_name_use != SID_NAME_WKN_GRP)) { + DEBUG(0,("sid_name_use=%d\n", map.sid_name_use)); + return NT_STATUS_NO_SUCH_ALIAS; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return NT_STATUS_NO_MEMORY; + } + + msg.dn = mapping_dn(tmp_ctx, alias); + msg.num_elements = 1; + msg.elements = ⪙ + el.flags = operation; + el.name = talloc_strdup(tmp_ctx, "memberOf"); + el.num_values = 1; + el.values = &val; + sid_to_string(string_sid, member); + val.data = (uint8_t *)string_sid; + val.length = strlen(string_sid); + + ret = ldb_modify(ldb, &msg); + talloc_free(tmp_ctx); + + if (ret == LDB_ERR_NO_SUCH_OBJECT) { + return NT_STATUS_NO_SUCH_ALIAS; + } + + if (operation == LDB_FLAG_MOD_ADD && + ret == LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS) { + return NT_STATUS_MEMBER_IN_ALIAS; + } + + return (ret == LDB_SUCCESS ? 
NT_STATUS_OK : NT_STATUS_ACCESS_DENIED); +} + + NTSTATUS add_aliasmem(const DOM_SID *alias, const DOM_SID *member) +{ + return modify_aliasmem(alias, member, LDB_FLAG_MOD_ADD); +} + + NTSTATUS del_aliasmem(const DOM_SID *alias, const DOM_SID *member) +{ + return modify_aliasmem(alias, member, LDB_FLAG_MOD_DELETE); +} + + +/* + enumerate sids that have the given alias set in memberOf +*/ + NTSTATUS enum_aliasmem(const DOM_SID *alias, DOM_SID **sids, size_t *num) +{ + const char *attrs[] = { + "memberOf", + NULL + }; + int ret, i; + struct ldb_result *res=NULL; + struct ldb_dn *dn; + struct ldb_message_element *el; + + if (!init_group_mapping()) { + return NT_STATUS_ACCESS_DENIED; + } + + *sids = NULL; + *num = 0; + + dn = mapping_dn(ldb, alias); + + ret = ldb_search(ldb, dn, LDB_SCOPE_BASE, NULL, attrs, &res); + talloc_steal(dn, res); + if (ret == LDB_SUCCESS && res->count == 0) { + talloc_free(dn); + return NT_STATUS_OK; + } + if (ret != LDB_SUCCESS) { + talloc_free(dn); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + el = ldb_msg_find_element(res->msgs[0], "memberOf"); + if (el == NULL) { + talloc_free(dn); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + for (i=0;inum_values;i++) { + DOM_SID sid; + string_to_sid(&sid, (const char *)el->values[i].data); + add_sid_to_array_unique(NULL, &sid, sids, num); + if (sids == NULL) { + talloc_free(dn); + return NT_STATUS_NO_MEMORY; + } + } + talloc_free(dn); + + return NT_STATUS_OK; +} + +/* + upgrade one group mapping record from the old tdb format +*/ +static int upgrade_map_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key, + TDB_DATA data, void *state) +{ + int ret; + GROUP_MAP map; + + if (strncmp(key.dptr, GROUP_PREFIX, + MIN(key.dsize, strlen(GROUP_PREFIX))) != 0) { + return 0; + } + + if (!string_to_sid(&map.sid, strlen(GROUP_PREFIX) + (const char *)key.dptr)) { + DEBUG(0,("Bad sid key '%s' during upgrade\n", (const char *)key.dptr)); + *(int *)state = -1; + return -1; + } + + ret = tdb_unpack(data.dptr, data.dsize, 
"ddff", + &map.gid, &map.sid_name_use, &map.nt_name, &map.comment); + if (ret == -1) { + DEBUG(0,("Failed to unpack group map record during upgrade\n")); + *(int *)state = -1; + return -1; + } + + if (!add_mapping_entry(&map, 0)) { + DEBUG(0,("Failed to add mapping entry during upgrade\n")); + *(int *)state = -1; + return -1; + } + + return 0; +} + +/* + upgrade one alias record from the old tdb format +*/ +static int upgrade_alias_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key, + TDB_DATA data, void *state) +{ + const char *p = data.dptr; + fstring string_sid; + DOM_SID member; + + if (strncmp(key.dptr, MEMBEROF_PREFIX, + MIN(key.dsize, strlen(MEMBEROF_PREFIX))) != 0) { + return 0; + } + + if (!string_to_sid(&member, strlen(MEMBEROF_PREFIX) + (const char *)key.dptr)) { + DEBUG(0,("Bad alias key %s during upgrade\n", + (const char *)key.dptr)); + *(int *)state = -1; + } + + while (next_token(&p, string_sid, " ", sizeof(string_sid))) { + DOM_SID alias; + NTSTATUS status; + string_to_sid(&alias, string_sid); + status = add_aliasmem(&alias, &member); + if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_ALIAS)) { + DEBUG(0,("Ignoring orphaned alias record '%s'\n", + string_sid)); + } else if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("Failed to add alias member during upgrade - %s\n", + nt_errstr(status))); + *(int *)state = -1; + return -1; + } + } + + return 0; +} + +/* + upgrade from a old style tdb +*/ +static BOOL mapping_upgrade(const char *tdb_path) +{ + static TDB_CONTEXT *tdb; + int ret, status=0; + + tdb = tdb_open_log(tdb_path, 0, TDB_DEFAULT, O_RDWR, 0600); + if (tdb == NULL) goto failed; + + /* we have to do the map records first, as alias records may + reference them */ + ret = tdb_traverse(tdb, upgrade_map_record, &status); + if (ret == -1 || status == -1) goto failed; + + ret = tdb_traverse(tdb, upgrade_alias_record, &status); + if (ret == -1 || status == -1) goto failed; + + if (tdb) tdb_close(tdb); + + if (unlink(tdb_path) != 0) { + DEBUG(0,("Failed to delete old 
group mapping database\n")); + goto failed; + } + return True; + +failed: + DEBUG(0,("Failed to upgrade group mapping database\n")); + if (tdb) tdb_close(tdb); + return False; +} -- cgit From 3cf367f0e76f44c7b14a54e0fcf510cc79a15c6a Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 24 Sep 2006 02:58:58 +0000 Subject: r18868: just in case there is a disaster (with our code? never ...) use a rename to group_mapping.tdb.upgraded rather than an unlink when upgrading. So if we absolutely have to go back to the tdb, we can change mapping_ldb.o to mapping_tdb.o in Makefile.in and recover peoples group mappings. We could go one step futher and make the backend configurable. Any opinions on that? (This used to be commit 203fc0b03c7397f7339a917456cb1701ed592f32) --- source3/groupdb/mapping_ldb.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index c8824674e1..6368e41a06 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -643,6 +643,8 @@ static BOOL mapping_upgrade(const char *tdb_path) { static TDB_CONTEXT *tdb; int ret, status=0; + pstring old_path; + pstring new_path; tdb = tdb_open_log(tdb_path, 0, TDB_DEFAULT, O_RDWR, 0600); if (tdb == NULL) goto failed; @@ -657,8 +659,11 @@ static BOOL mapping_upgrade(const char *tdb_path) if (tdb) tdb_close(tdb); - if (unlink(tdb_path) != 0) { - DEBUG(0,("Failed to delete old group mapping database\n")); + pstrcpy(old_path, tdb_path); + pstrcpy(new_path, lock_path("group_mapping.tdb.upgraded")); + + if (rename(old_path, new_path) != 0) { + DEBUG(0,("Failed to rename old group mapping database\n")); goto failed; } return True; -- cgit From 7c5f1f28db117e97014f760086464acb0b49c2ee Mon Sep 17 00:00:00 2001 
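Review bot: `get_group_map_from_ntname` interpolates the caller-supplied `name` straight into the filter `(&(ntName=%s)(objectClass=groupMap))` without escaping, so a name containing `*`, `(` or `)` rewrites the query — `*)(gidNumber=0` becomes `(&(ntName=*)(gidNumber=0)(objectClass=groupMap))` and resolves to whichever mapping has gid 0, so depending on what callers pass in, a name lookup can return a mapping it does not own. Escape the value first, e.g. `expr = talloc_asprintf(ldb, "(&(ntName=%s)(objectClass=groupMap))", ldb_binary_encode_string(ldb, name));` (if the bundled ldb lacks that helper, escape `(`, `)`, `*`, `\` and NUL as `\XX` by hand); the gidNumber, sidNameUse and SID-string filters elsewhere in the file are safe because their values are generated, not supplied. Separately, the failed-upgrade branch in `init_group_mapping` does `unlink(lock_path("group_mapping.ldb"))` regardless of `existed`, so a stray old `group_mapping.tdb` whose import fails deletes a live ldb database; guard it with `if (!existed)`. `db_path` apparently cannot be reused there because `lock_path()` seems to hand back a shared static buffer that the later `lock_path("group_mapping.tdb")` call overwrites — which would also mean the `failed:` DEBUG prints the tdb path rather than the ldb path.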
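Review bot: `rename(old_path, new_path)` silently replaces any existing `group_mapping.tdb.upgraded`, so on a second upgrade (an admin dropping an old tdb back into the lock directory, for instance) the earlier backup this change is meant to preserve is destroyed. Check the target first with `if (file_exist(new_path, NULL))` and either refuse the upgrade with a DEBUG(0) message or choose a unique suffix. Copying `tdb_path` into `old_path` before the second `lock_path()` call is the right move if `lock_path()` returns a static buffer, and is worth a one-line comment saying so. `mapping_upgrade` begins above the hunk.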
From: Andrew Tridgell Date: Sun, 24 Sep 2006 07:11:34 +0000 Subject: r18870: - enable the ldb ldap backend properly based on configure tests for ldap - use ldb_global_init() instead of the backend specific ldb_tdb_init(). (This used to be commit a6c53e58616d7731a1df9af33f78ccf0c774296e) --- source3/groupdb/mapping_ldb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index 6368e41a06..bfff98e87f 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -53,8 +53,8 @@ static BOOL mapping_upgrade(const char *tdb_path); return True; } - /* this is needed as Samba3 doesn't have the auto init code yet */ - ldb_tdb_init(); + /* this is needed as Samba3 doesn't have this globally yet */ + ldb_global_init(); db_path = lock_path("group_mapping.ldb"); -- cgit From 6f3c6a46f95eba3cd53ea4ca03a8dc3d64dccf55 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 24 Sep 2006 22:10:48 +0000 Subject: r18875: The comment field can be empty (This used to be commit 6d5d7bf4bbcfee77853776af59e00d006fd86dc9) --- source3/groupdb/mapping_ldb.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index bfff98e87f..c6ff6ca2af 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c 
@@ -149,8 +149,12 @@ static struct ldb_dn *mapping_dn(TALLOC_CTX *mem_ctx, const DOM_SID *sid) sid_to_string(string_sid, &map->sid)) != LDB_SUCCESS || ldb_msg_add_fmt(msg, "gidNumber", "%u", (unsigned)map->gid) != LDB_SUCCESS || ldb_msg_add_fmt(msg, "sidNameUse", "%u", (unsigned)map->sid_name_use) != LDB_SUCCESS || - ldb_msg_add_string(msg, "ntName", map->nt_name) != LDB_SUCCESS || - ldb_msg_add_string(msg, "comment", map->comment) != LDB_SUCCESS) { + ldb_msg_add_string(msg, "ntName", map->nt_name) != LDB_SUCCESS) { + goto failed; + } + + if ((map->comment[0] != '\0') && + (ldb_msg_add_string(msg, "ntName", map->nt_name) != LDB_SUCCESS)) { goto failed; } -- cgit From cda3a18f2343d4c2f5ff8b08be6015eec37647c3 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 26 Sep 2006 02:49:16 +0000 Subject: r18912: we don't need the special case for comments now in the This also fixes comments in group mappings, as the code accidentially put in "ntName" in the comment field :-) (This used to be commit 7f1f5d6056da8ac55a41db54b68bf25967f81aaf) --- source3/groupdb/mapping_ldb.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index c6ff6ca2af..fd59e0f438 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c 
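Review bot: The new conditional tests `map->comment[0]` but then calls `ldb_msg_add_string(msg, "ntName", map->nt_name)` — both the attribute name and the value were copied from the line above — so the comment is never written and `ntName` is added a second time with the same value (whether ldb stores the duplicate or rejects the add with ATTRIBUTE_OR_VALUE_EXISTS, the record is wrong). The attribute name matters beyond the lost comment: `get_group_map_from_ntname` searches on `(ntName=%s)`, and an equality filter matches any value of a multi-valued attribute, so whatever ends up under `ntName` becomes a lookup key for the group. Change the line to `(ldb_msg_add_string(msg, "comment", map->comment) != LDB_SUCCESS)) {`. `add_mapping_entry` begins above the hunk.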
@@ -149,15 +149,11 @@ static struct ldb_dn *mapping_dn(TALLOC_CTX *mem_ctx, const DOM_SID *sid) sid_to_string(string_sid, &map->sid)) != LDB_SUCCESS || ldb_msg_add_fmt(msg, "gidNumber", "%u", (unsigned)map->gid) != LDB_SUCCESS || ldb_msg_add_fmt(msg, "sidNameUse", "%u", (unsigned)map->sid_name_use) != LDB_SUCCESS || + ldb_msg_add_string(msg, "comment", map->comment) != LDB_SUCCESS || ldb_msg_add_string(msg, "ntName", map->nt_name) != LDB_SUCCESS) { goto failed; } - if ((map->comment[0] != '\0') && - (ldb_msg_add_string(msg, "ntName", map->nt_name) != LDB_SUCCESS)) { - goto failed; - } - ret = ldb_add(ldb, msg); /* if it exists we update it. This is a hangover from the semantics the -- cgit From afbc8a1faa63eadbd99fb4b5ff262b1df80d13dc Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 27 Sep 2006 03:29:38 +0000 Subject: r18938: fixed a group map bug reported by Jerry. The caller in mapping.c relies on appending to this list. Unfortunately this can't be tested using 'net groupmap' (This used to be commit a8d398edf0ce08b2a53342e80c2017f1805908d5) --- source3/groupdb/mapping_ldb.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index fd59e0f438..1b0053da47 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -389,14 +389,11 @@ failed: struct ldb_result *res=NULL; fstring string_sid; NTSTATUS status = NT_STATUS_INTERNAL_DB_CORRUPTION; - + if (!init_group_mapping()) { return NT_STATUS_ACCESS_DENIED; } - *sids = NULL; - *num = 0; - if (!sid_to_string(string_sid, member)) { return NT_STATUS_INVALID_PARAMETER; } -- cgit From 638a16900cddacc4399c77c8e26ba43e93341499 Mon Sep 17 00:00:00 2001 
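Review bot: Dropping `*sids = NULL; *num = 0;` makes `one_alias_membership` append to whatever the caller passes in, but nothing in the function records that, and `enum_aliasmem` in the same file still resets its output parameters, so the two entry points now have opposite conventions and a caller that passes uninitialised `sids`/`num` here hands garbage to `add_sid_to_array_unique`'s realloc. Put the contract in the function comment, something like `/* Appends to *sids / *num rather than resetting them: the caller in mapping.c accumulates memberships across calls and must initialise both before the first call. */`. `one_alias_membership` begins above the hunk.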
From: Volker Lendecke Date: Wed, 4 Oct 2006 19:40:25 +0000 Subject: r19073: mapping_dn can fail (This used to be commit d234f39c79e0e50f784826d0920ebd21cc9a283d) --- source3/groupdb/mapping_ldb.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index 1b0053da47..23b800a378 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -139,10 +139,14 @@ static struct ldb_dn *mapping_dn(TALLOC_CTX *mem_ctx, const DOM_SID *sid) } msg = ldb_msg_new(ldb); - if (msg == NULL) return False; + if (msg == NULL) { + return False; + } msg->dn = mapping_dn(msg, &map->sid); - if (msg->dn == NULL) goto failed; + if (msg->dn == NULL) { + goto failed; + } if (ldb_msg_add_string(msg, "objectClass", "groupMap") != LDB_SUCCESS || ldb_msg_add_string(msg, "sid", @@ -303,6 +307,9 @@ failed: } dn = mapping_dn(ldb, sid); + if (dn == NULL) { + return False; + } ret = ldb_delete(ldb, dn); talloc_free(dn); @@ -466,6 +473,9 @@ static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, } msg.dn = mapping_dn(tmp_ctx, alias); + if (msg.dn == NULL) { + return NT_STATUS_NO_MEMORY; + } msg.num_elements = 1; msg.elements = ⪙ el.flags = operation; @@ -524,6 +534,9 @@ static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, *num = 0; dn = mapping_dn(ldb, alias); + if (dn == NULL) { + return NT_STATUS_NO_MEMORY; + } ret = ldb_search(ldb, dn, LDB_SCOPE_BASE, NULL, attrs, &res); talloc_steal(dn, res); -- cgit From 2c14cf3b2b74c5696145efdfecb134e6091eee89 Mon Sep 17 00:00:00 2001 
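Review bot: In `modify_aliasmem` the new `if (msg.dn == NULL) { return NT_STATUS_NO_MEMORY; }` returns without freeing `tmp_ctx`, which was allocated with `talloc_new(NULL)` just above the hunk, so every failed DN build leaks a top-level talloc context. It should read `talloc_free(tmp_ctx); return NT_STATUS_INVALID_SID;` — and note that `mapping_dn` returns NULL not only on allocation failure but also when `sid_split_rid` rejects a SID with no RID, so this hunk and the `enum_aliasmem` one report an input-validation failure as out-of-memory. `modify_aliasmem` starts above the hunk.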
From: Simo Sorce Date: Tue, 31 Oct 2006 12:57:56 +0000 Subject: r19516: Fix the DN, to make searches using the domain as base the DN must be rid,domain and not domain,rid Also use member and not memberOf for group members following conventions. (This used to be commit 7c0ea791d21d914e882b56a849766d966ce8ed1a) --- source3/groupdb/mapping_ldb.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index 23b800a378..5d350e477c 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -44,7 +44,7 @@ static BOOL mapping_upgrade(const char *tdb_path); "dn: @INDEXLIST\n" \ "@IDXATTR: gidNumber\n" \ "@IDXATTR: ntName\n" \ - "@IDXATTR: memberOf\n" }; + "@IDXATTR: member\n" }; const char *db_path, *tdb_path; int ret; int flags = 0; @@ -121,8 +121,8 @@ static struct ldb_dn *mapping_dn(TALLOC_CTX *mem_ctx, const DOM_SID *sid) } /* we split by domain and rid so we can do a subtree search when we only want one domain */ - return ldb_dn_string_compose(mem_ctx, NULL, "domain=%s,rid=%u", - string_sid, rid); + return ldb_dn_string_compose(mem_ctx, NULL, "rid=%u,domain=%s", + rid, string_sid); } /* @@ -405,7 +405,7 @@ failed: return NT_STATUS_INVALID_PARAMETER; } - expr = talloc_asprintf(ldb, "(&(memberOf=%s)(objectClass=groupMap))", + expr = talloc_asprintf(ldb, "(&(member=%s)(objectClass=groupMap))", string_sid); if (expr == NULL) goto failed; @@ -439,7 +439,7 @@ failed: } /* - add/remove a memberOf field + add/remove a member field */ static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, int operation) 
@@ -479,7 +479,7 @@ static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, msg.num_elements = 1; msg.elements = ⪙ el.flags = operation; - el.name = talloc_strdup(tmp_ctx, "memberOf"); + el.name = talloc_strdup(tmp_ctx, "member"); el.num_values = 1; el.values = &val; sid_to_string(string_sid, member); @@ -513,12 +513,12 @@ static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, /* - enumerate sids that have the given alias set in memberOf + enumerate sids that have the given alias set in member */ NTSTATUS enum_aliasmem(const DOM_SID *alias, DOM_SID **sids, size_t *num) { const char *attrs[] = { - "memberOf", + "member", NULL }; int ret, i; @@ -549,7 +549,7 @@ static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, return NT_STATUS_INTERNAL_DB_CORRUPTION; } - el = ldb_msg_find_element(res->msgs[0], "memberOf"); + el = ldb_msg_find_element(res->msgs[0], "member"); if (el == NULL) { talloc_free(dn); return NT_STATUS_INTERNAL_DB_CORRUPTION; -- cgit From 78a0932145780d835d2ae7b7057328fc2c799a2a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 28 Nov 2006 08:11:04 +0000 Subject: r19927: Fix klokwork ID 4702 (This used to be commit 820a64af25799c19f1731a08b8e4651aea8a516b) --- source3/groupdb/mapping_ldb.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index 5d350e477c..29d5b49edf 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -667,7 +667,10 @@ static BOOL mapping_upgrade(const char *tdb_path) ret = tdb_traverse(tdb, upgrade_alias_record, &status); if (ret == -1 || status == -1) goto failed; - if (tdb) tdb_close(tdb); + if (tdb) { + tdb_close(tdb); + tdb = NULL; + } pstrcpy(old_path, tdb_path); pstrcpy(new_path, lock_path("group_mapping.tdb.upgraded")); -- cgit From 63609fbb04d2ce620338b4b79e7c1abf39f08ef8 Mon Sep 17 00:00:00 2001 
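Review bot: Changing the DN layout from `domain=%s,rid=%u` to `rid=%u,domain=%s` and the attribute from `memberOf` to `member` has no on-disk migration: a `group_mapping.ldb` written by the previous revision keeps its old DNs and `memberOf` values, so after this change every `mapping_dn` lookup misses, `one_alias_membership` returns no aliases, and the `@INDEXLIST` (only written when the file did not exist) never gains the `member` index. Unless the ldb-backed format has never shipped, `init_group_mapping` should detect the old layout (a search for `(memberOf=*)` or a base lookup of an old-style DN) and re-import or refuse to start rather than silently losing mappings; at minimum the new layout deserves a version marker record so the next schema change can be detected. `enum_aliasmem`'s body continues outside the last hunk.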
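Review bot: With `tdb = NULL` now assigned after the close, the `static` on `TDB_CONTEXT *tdb` in `mapping_upgrade` (declared above the hunk) has no remaining purpose: a pointer with static storage outlives the call that closed it, which is exactly the kind of stale handle this fix is guarding against. Make it an ordinary local, `TDB_CONTEXT *tdb = NULL;`, so each upgrade attempt starts from a known state and the `if (tdb)` guards on both paths mean what they say. Since `tdb_open_log` succeeding is required to reach this point, the `if (tdb)` around the close here is also redundant, though harmless.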
From: Jeremy Allison Date: Sat, 9 Dec 2006 02:58:18 +0000 Subject: r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24) --- source3/groupdb/mapping_ldb.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index 29d5b49edf..a743c2456e 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -423,8 +423,7 @@ failed: goto failed; } string_to_sid(&alias, (char *)el->values[0].data); - add_sid_to_array_unique(NULL, &alias, sids, num); - if (sids == NULL) { + if (!add_sid_to_array_unique(NULL, &alias, sids, num)) { status = NT_STATUS_NO_MEMORY; goto failed; } @@ -558,8 +557,7 @@ static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, for (i=0;inum_values;i++) { DOM_SID sid; string_to_sid(&sid, (const char *)el->values[i].data); - add_sid_to_array_unique(NULL, &sid, sids, num); - if (sids == NULL) { + if (!add_sid_to_array_unique(NULL, &sid, sids, num)) { talloc_free(dn); return NT_STATUS_NO_MEMORY; } -- cgit From 248a82c0f28a5e1df957726558b795cf98d29097 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 4 Jun 2007 01:51:18 +0000 Subject: r23323: merged ldb changes from 3.0.26 (This used to be commit 7c9a5c2a3f012a06e9550dc0de7df460c2fd943b) --- source3/groupdb/mapping_ldb.c | 98 ++++++++++++++++++++----------------------- 1 file changed, 45 insertions(+), 53 deletions(-) (limited to 'source3/groupdb/mapping_ldb.c') 
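Review bot: Both call sites now check `add_sid_to_array_unique`, but the `string_to_sid(&alias, (char *)el->values[0].data)` and `string_to_sid(&sid, ...)` calls directly above them still ignore their return value, so a malformed `sid` or `member` value in the database pushes an uninitialised `DOM_SID` into the array that `one_alias_membership` hands to session setup. Treat a failed parse as corruption, e.g. in the first hunk `if (!string_to_sid(&alias, (char *)el->values[0].data)) { status = NT_STATUS_INTERNAL_DB_CORRUPTION; goto failed; }` and in the second `if (!string_to_sid(&sid, (const char *)el->values[i].data)) { talloc_free(dn); return NT_STATUS_INTERNAL_DB_CORRUPTION; }`. Both enclosing functions begin above their hunks.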
diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index a743c2456e..8eafc2532b 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -34,7 +34,7 @@ static BOOL mapping_upgrade(const char *tdb_path); /* connect to the group mapping ldb */ - BOOL init_group_mapping(void) +static BOOL init_group_mapping(void) { BOOL existed; const char *init_ldif[] = @@ -128,16 +128,12 @@ static struct ldb_dn *mapping_dn(TALLOC_CTX *mem_ctx, const DOM_SID *sid) /* add a group mapping entry */ - BOOL add_mapping_entry(GROUP_MAP *map, int flag) +static BOOL add_mapping_entry(GROUP_MAP *map, int flag) { struct ldb_message *msg; int ret, i; fstring string_sid; - if (!init_group_mapping()) { - return False; - } - msg = ldb_msg_new(ldb); if (msg == NULL) { return False; @@ -204,16 +200,12 @@ static BOOL msg_to_group_map(struct ldb_message *msg, GROUP_MAP *map) /* return a group map entry for a given sid */ - BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map) +static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map) { int ret; struct ldb_dn *dn; struct ldb_result *res=NULL; - if (!init_group_mapping()) { - return False; - } - dn = mapping_dn(ldb, &sid); if (dn == NULL) goto failed; @@ -236,16 +228,12 @@ failed: /* return a group map entry for a given gid */ - BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map) +static BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map) { int ret; char *expr; struct ldb_result *res=NULL; - if (!init_group_mapping()) { - return False; - } - expr = talloc_asprintf(ldb, "(&(gidNumber=%u)(objectClass=groupMap))", (unsigned)gid); if (expr == NULL) goto failed; 
@@ -267,16 +255,12 @@ failed: /* Return the sid and the type of the unix group. */ - BOOL get_group_map_from_ntname(const char *name, GROUP_MAP *map) +static BOOL get_group_map_from_ntname(const char *name, GROUP_MAP *map) { int ret; char *expr; struct ldb_result *res=NULL; - if (!init_group_mapping()) { - return False; - } - expr = talloc_asprintf(ldb, "(&(ntName=%s)(objectClass=groupMap))", name); if (expr == NULL) goto failed; @@ -297,15 +281,11 @@ failed: /* Remove a group mapping entry. */ - BOOL group_map_remove(const DOM_SID *sid) +static BOOL group_map_remove(const DOM_SID *sid) { struct ldb_dn *dn; int ret; - if (!init_group_mapping()) { - return False; - } - dn = mapping_dn(ldb, sid); if (dn == NULL) { return False; @@ -320,9 +300,9 @@ failed: /* Enumerate the group mappings for a domain */ - BOOL enum_group_mapping(const DOM_SID *domsid, enum lsa_SidType sid_name_use, - GROUP_MAP **pp_rmap, - size_t *p_num_entries, BOOL unix_only) +static BOOL enum_group_mapping(const DOM_SID *domsid, enum lsa_SidType sid_name_use, + GROUP_MAP **pp_rmap, + size_t *p_num_entries, BOOL unix_only) { int i, ret; char *expr; @@ -331,10 +311,6 @@ failed: struct ldb_dn *basedn=NULL; TALLOC_CTX *tmp_ctx; - if (!init_group_mapping()) { - return False; - } - tmp_ctx = talloc_new(ldb); if (tmp_ctx == NULL) goto failed; @@ -383,8 +359,8 @@ failed: This operation happens on session setup, so it should better be fast. We store a list of aliases a SID is member of hanging off MEMBEROF/SID. */ - NTSTATUS one_alias_membership(const DOM_SID *member, - DOM_SID **sids, size_t *num) +static NTSTATUS one_alias_membership(const DOM_SID *member, + DOM_SID **sids, size_t *num) { const char *attrs[] = { "sid", @@ -397,10 +373,6 @@ failed: fstring string_sid; NTSTATUS status = NT_STATUS_INTERNAL_DB_CORRUPTION; - if (!init_group_mapping()) { - return NT_STATUS_ACCESS_DENIED; - } - if (!sid_to_string(string_sid, member)) { return NT_STATUS_INVALID_PARAMETER; } 
@@ -451,10 +423,6 @@ static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, TALLOC_CTX *tmp_ctx; GROUP_MAP map; - if (!init_group_mapping()) { - return NT_STATUS_ACCESS_DENIED; - } - if (!get_group_map_from_sid(*alias, &map)) { sid_to_string(string_sid, alias); return NT_STATUS_NO_SUCH_ALIAS; @@ -500,12 +468,12 @@ static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, return (ret == LDB_SUCCESS ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED); } - NTSTATUS add_aliasmem(const DOM_SID *alias, const DOM_SID *member) +static NTSTATUS add_aliasmem(const DOM_SID *alias, const DOM_SID *member) { return modify_aliasmem(alias, member, LDB_FLAG_MOD_ADD); } - NTSTATUS del_aliasmem(const DOM_SID *alias, const DOM_SID *member) +static NTSTATUS del_aliasmem(const DOM_SID *alias, const DOM_SID *member) { return modify_aliasmem(alias, member, LDB_FLAG_MOD_DELETE); } @@ -514,7 +482,7 @@ static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, /* enumerate sids that have the given alias set in member */ - NTSTATUS enum_aliasmem(const DOM_SID *alias, DOM_SID **sids, size_t *num) +static NTSTATUS enum_aliasmem(const DOM_SID *alias, DOM_SID **sids, size_t *num) { const char *attrs[] = { "member", @@ -525,10 +493,6 @@ static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, struct ldb_dn *dn; struct ldb_message_element *el; - if (!init_group_mapping()) { - return NT_STATUS_ACCESS_DENIED; - } - *sids = NULL; *num = 0; @@ -576,7 +540,7 @@ static int upgrade_map_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key, int ret; GROUP_MAP map; - if (strncmp(key.dptr, GROUP_PREFIX, + if (strncmp((char *)key.dptr, GROUP_PREFIX, MIN(key.dsize, strlen(GROUP_PREFIX))) != 0) { return 0; } 
@@ -610,11 +574,11 @@ static int upgrade_map_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key, static int upgrade_alias_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key, TDB_DATA data, void *state) { - const char *p = data.dptr; + const char *p = (const char *)data.dptr; fstring string_sid; DOM_SID member; - if (strncmp(key.dptr, MEMBEROF_PREFIX, + if (strncmp((char *)key.dptr, MEMBEROF_PREFIX, MIN(key.dsize, strlen(MEMBEROF_PREFIX))) != 0) { return 0; } @@ -684,3 +648,31 @@ failed: if (tdb) tdb_close(tdb); return False; } + + + +static const struct mapping_backend ldb_backend = { + .add_mapping_entry = add_mapping_entry, + .get_group_map_from_sid = get_group_map_from_sid, + .get_group_map_from_gid = get_group_map_from_gid, + .get_group_map_from_ntname = get_group_map_from_ntname, + .group_map_remove = group_map_remove, + .enum_group_mapping = enum_group_mapping, + .one_alias_membership = one_alias_membership, + .add_aliasmem = add_aliasmem, + .del_aliasmem = del_aliasmem, + .enum_aliasmem = enum_aliasmem +}; + +/* + initialise the ldb mapping backend + */ +const struct mapping_backend *groupdb_ldb_init(void) +{ + if (!init_group_mapping()) { + DEBUG(0,("Failed to initialise ldb mapping backend\n")); + return NULL; + } + + return &ldb_backend; +} -- cgit From 422722aad2e50465627a2f7b249c251652297a7b Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 6 Jun 2007 13:02:14 +0000 Subject: r23367: check the "use mmap" option for ldb too (This used to be commit 15345bbc73b28d07c069fde33d3d4c1f21f107d3) --- source3/groupdb/mapping_ldb.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index 8eafc2532b..4f3aa18534 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c 
@@ -67,6 +67,10 @@ static BOOL init_group_mapping(void)
 flags |= LDB_FLG_NOSYNC;
 }
 
+ if (!lp_use_mmap()) {
+ flags |= LDB_FLG_NOMMAP;
+ }
+
 ret = ldb_connect(ldb, db_path, flags, NULL);
 if (ret != LDB_SUCCESS) {
 goto failed;
-- cgit
From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 9 Jul 2007 19:25:36 +0000
Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
---
 source3/groupdb/mapping_ldb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source3/groupdb/mapping_ldb.c')
diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c
index 4f3aa18534..21da363a53 100644
--- a/source3/groupdb/mapping_ldb.c
+++ b/source3/groupdb/mapping_ldb.c
@@ -9,7 +9,7 @@
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
+ * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
-- cgit
From 153cfb9c83534b09f15cc16205d7adb19b394928 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Tue, 10 Jul 2007 05:23:25 +0000
Subject: r23801: The FSF has moved around a lot. This fixes their Mass Ave address. (This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227)
---
 source3/groupdb/mapping_ldb.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'source3/groupdb/mapping_ldb.c')
diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c
index 21da363a53..cfa717057c 100644
--- a/source3/groupdb/mapping_ldb.c
+++ b/source3/groupdb/mapping_ldb.c
@@ -18,8 +18,7 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * along with this program; if not, see . */ #include "includes.h" -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/groupdb/mapping_ldb.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index cfa717057c..c0b2e82a29 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -28,14 +28,14 @@ static struct ldb_context *ldb; -static BOOL mapping_upgrade(const char *tdb_path); +static bool mapping_upgrade(const char *tdb_path); /* connect to the group mapping ldb */ -static BOOL init_group_mapping(void) +static bool init_group_mapping(void) { - BOOL existed; + bool existed; const char *init_ldif[] = { "dn: @ATTRIBUTES\n" \ "ntName: CASE_INSENSITIVE\n" \ @@ -131,7 +131,7 @@ static struct ldb_dn *mapping_dn(TALLOC_CTX *mem_ctx, const DOM_SID *sid) /* add a group mapping entry */ -static BOOL add_mapping_entry(GROUP_MAP *map, int flag) +static bool add_mapping_entry(GROUP_MAP *map, int flag) { struct ldb_message *msg; int ret, i; @@ -180,7 +180,7 @@ failed: /* unpack a ldb message into a GROUP_MAP structure */ -static BOOL msg_to_group_map(struct ldb_message *msg, GROUP_MAP *map) +static bool msg_to_group_map(struct ldb_message *msg, GROUP_MAP *map) { const char *sidstr; 
@@ -203,7 +203,7 @@ static BOOL msg_to_group_map(struct ldb_message *msg, GROUP_MAP *map) /* return a group map entry for a given sid */ -static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map) +static bool get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map) { int ret; struct ldb_dn *dn; @@ -231,7 +231,7 @@ failed: /* return a group map entry for a given gid */ -static BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map) +static bool get_group_map_from_gid(gid_t gid, GROUP_MAP *map) { int ret; char *expr; @@ -258,7 +258,7 @@ failed: /* Return the sid and the type of the unix group. */ -static BOOL get_group_map_from_ntname(const char *name, GROUP_MAP *map) +static bool get_group_map_from_ntname(const char *name, GROUP_MAP *map) { int ret; char *expr; @@ -284,7 +284,7 @@ failed: /* Remove a group mapping entry. */ -static BOOL group_map_remove(const DOM_SID *sid) +static bool group_map_remove(const DOM_SID *sid) { struct ldb_dn *dn; int ret; @@ -303,9 +303,9 @@ static BOOL group_map_remove(const DOM_SID *sid) /* Enumerate the group mappings for a domain */ -static BOOL enum_group_mapping(const DOM_SID *domsid, enum lsa_SidType sid_name_use, +static bool enum_group_mapping(const DOM_SID *domsid, enum lsa_SidType sid_name_use, GROUP_MAP **pp_rmap, - size_t *p_num_entries, BOOL unix_only) + size_t *p_num_entries, bool unix_only) { int i, ret; char *expr; @@ -614,7 +614,7 @@ static int upgrade_alias_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key, /* upgrade from a old style tdb */ -static BOOL mapping_upgrade(const char *tdb_path) +static bool mapping_upgrade(const char *tdb_path) { static TDB_CONTEXT *tdb; int ret, status=0; -- cgit From 88ee61625a5de5e443d14c54eab91a90d87cda85 Mon Sep 17 00:00:00 2001 
From: "Gerald (Jerry) Carter" Date: Thu, 1 Nov 2007 15:53:44 -0400 Subject: Patch 2 of 3 from Debian Samba packagers: The point is doing the following associations: - non discardable state data (all TDB files that may need to be backed up) go to statedir - shared data (codepage stuff) go to codepagedir The patch *does not change* the default location for these directories. So, there is no behaviour change when applying it. The main change is for samba developers who have to think when dealing with files that previously pertained to libdir whether they: - go in statedir - go in codepagedir - stay in libdir (This used to be commit d6cdbfd875bb2653e831d314726c3240beb0a96b) --- source3/groupdb/mapping_ldb.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index c0b2e82a29..be1f1593fb 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -55,7 +55,7 @@ static bool init_group_mapping(void) /* this is needed as Samba3 doesn't have this globally yet */ ldb_global_init(); - db_path = lock_path("group_mapping.ldb"); + db_path = state_path("group_mapping.ldb"); ldb = ldb_init(NULL); if (ldb == NULL) goto failed; @@ -89,9 +89,9 @@ static bool init_group_mapping(void) } /* possibly upgrade */ - tdb_path = lock_path("group_mapping.tdb"); + tdb_path = state_path("group_mapping.tdb"); if (file_exist(tdb_path, NULL) && !mapping_upgrade(tdb_path)) { - unlink(lock_path("group_mapping.ldb")); + unlink(state_path("group_mapping.ldb")); goto failed; } @@ -638,7 +638,7 @@ static bool mapping_upgrade(const char *tdb_path) } pstrcpy(old_path, tdb_path); - pstrcpy(new_path, lock_path("group_mapping.tdb.upgraded")); + pstrcpy(new_path, state_path("group_mapping.tdb.upgraded")); if (rename(old_path, new_path) != 0) { DEBUG(0,("Failed to rename old group mapping database\n")); -- cgit 
From e2eaf24f7b04984fd3ea0514c32b743e9ca479c9 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 13 Nov 2007 15:00:48 -0800
Subject: Remove all pstring from groupdb/ Jeremy. (This used to be commit 6959c5c7e3e95604c66788b86d5789757e18cc36)
---
 source3/groupdb/mapping_ldb.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
(limited to 'source3/groupdb/mapping_ldb.c')
diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c
index be1f1593fb..ab7ac0b913 100644
--- a/source3/groupdb/mapping_ldb.c
+++ b/source3/groupdb/mapping_ldb.c
@@ -618,8 +618,6 @@ static bool mapping_upgrade(const char *tdb_path)
 {
 static TDB_CONTEXT *tdb;
 int ret, status=0;
- pstring old_path;
- pstring new_path;
 
 tdb = tdb_open_log(tdb_path, 0, TDB_DEFAULT, O_RDWR, 0600);
 if (tdb == NULL) goto failed;
@@ -637,12 +635,17 @@ static bool mapping_upgrade(const char *tdb_path)
 tdb = NULL;
 }
 
- pstrcpy(old_path, tdb_path);
- pstrcpy(new_path, state_path("group_mapping.tdb.upgraded"));
+ {
+ const char *old_path = tdb_path;
+ char *new_path = state_path("group_mapping.tdb.upgraded");
 
- if (rename(old_path, new_path) != 0) {
- DEBUG(0,("Failed to rename old group mapping database\n"));
- goto failed;
+ if (!new_path) {
+ goto failed;
+ }
+ if (rename(old_path, new_path) != 0) {
+ DEBUG(0,("Failed to rename old group mapping database\n"));
+ goto failed;
+ }
 }
 
 return True;
-- cgit
From 42cfffae80480eae4381902fff3f7c61f858a933 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 7 Dec 2007 17:32:32 -0800
Subject: Remove next_token - all uses must now be next_token_talloc. No more temptations to use static length strings. Jeremy. (This used to be commit ec003f39369910dee852b7cafb883ddaa321c2de)
---
 source3/groupdb/mapping_ldb.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'source3/groupdb/mapping_ldb.c')
diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c
index ab7ac0b913..205111e5ac 100644
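Review bot: The rename failure in mapping_upgrade's new block still logs neither the reason nor the paths involved, which makes a failed upgrade in the state directory hard to diagnose from the log alone; `DEBUG(0,("Failed to rename old group mapping database %s to %s: %s\n", old_path, new_path, strerror(errno)));` keeps the message useful. I also cannot tell from the hunk who owns the string `state_path()` returns; if it is talloc'ed onto a temporary context, a `TALLOC_FREE(new_path);` after the rename, or a comment naming the owning context, would make the lifetime explicit. mapping_upgrade begins and ends outside this hunk.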
--- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -578,8 +578,9 @@ static int upgrade_alias_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key, TDB_DATA data, void *state) { const char *p = (const char *)data.dptr; - fstring string_sid; + char *string_sid; DOM_SID member; + TALLOC_CTX *frame; if (strncmp((char *)key.dptr, MEMBEROF_PREFIX, MIN(key.dsize, strlen(MEMBEROF_PREFIX))) != 0) { @@ -592,7 +593,8 @@ static int upgrade_alias_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key, *(int *)state = -1; } - while (next_token(&p, string_sid, " ", sizeof(string_sid))) { + frame = talloc_stackframe(); + while (next_token_talloc(frame,&p, &string_sid, " ")) { DOM_SID alias; NTSTATUS status; string_to_sid(&alias, string_sid); @@ -604,10 +606,11 @@ static int upgrade_alias_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key, DEBUG(0,("Failed to add alias member during upgrade - %s\n", nt_errstr(status))); *(int *)state = -1; + TALLOC_FREE(frame); return -1; } } - + TALLOC_FREE(frame); return 0; } -- cgit From 2e07c2ade89f4ff281c61f74cb88e09990cf5f46 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 15 Dec 2007 22:47:30 +0100 Subject: s/sid_to_string/sid_to_fstring/ least surprise for callers (This used to be commit eb523ba77697346a365589101aac379febecd546) --- source3/groupdb/mapping_ldb.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index 205111e5ac..ea46777598 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -119,7 +119,7 @@ static struct ldb_dn *mapping_dn(TALLOC_CTX *mem_ctx, const DOM_SID *sid) if (!sid_split_rid(&domsid, &rid)) { return NULL; } - if (!sid_to_string(string_sid, &domsid)) { + if (!sid_to_fstring(string_sid, &domsid)) { return NULL; } /* we split by domain and rid so we can do a subtree search 
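Review bot: Every `next_token_talloc()` call in the upgrade loop allocates a fresh `string_sid` on `frame`, and nothing releases it until the loop ends, so a memberOf record with many SIDs keeps every token alive at once; adding `TALLOC_FREE(string_sid);` as the last statement of the loop body keeps the frame bounded while the early `return -1` and the final `TALLOC_FREE(frame)` stay as they are. The `string_to_sid(&alias, string_sid)` result is still unchecked, which predates this change, but now that tokens are heap strings a comment such as `/* tokens come from our own old tdb; a string_to_sid failure here indicates a corrupt record */` or an explicit check would record the assumption. upgrade_alias_record's signature is only partly visible in the first hunk and its body runs past the last one.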
@@ -149,7 +149,7 @@ static bool add_mapping_entry(GROUP_MAP *map, int flag) if (ldb_msg_add_string(msg, "objectClass", "groupMap") != LDB_SUCCESS || ldb_msg_add_string(msg, "sid", - sid_to_string(string_sid, &map->sid)) != LDB_SUCCESS || + sid_to_fstring(string_sid, &map->sid)) != LDB_SUCCESS || ldb_msg_add_fmt(msg, "gidNumber", "%u", (unsigned)map->gid) != LDB_SUCCESS || ldb_msg_add_fmt(msg, "sidNameUse", "%u", (unsigned)map->sid_name_use) != LDB_SUCCESS || ldb_msg_add_string(msg, "comment", map->comment) != LDB_SUCCESS || @@ -327,7 +327,7 @@ static bool enum_group_mapping(const DOM_SID *domsid, enum lsa_SidType sid_name_ /* we do a subtree search on the domain */ if (domsid != NULL) { - sid_to_string(name, domsid); + sid_to_fstring(name, domsid); basedn = ldb_dn_string_compose(tmp_ctx, NULL, "domain=%s", name); if (basedn == NULL) goto failed; } @@ -376,7 +376,7 @@ static NTSTATUS one_alias_membership(const DOM_SID *member, fstring string_sid; NTSTATUS status = NT_STATUS_INTERNAL_DB_CORRUPTION; - if (!sid_to_string(string_sid, member)) { + if (!sid_to_fstring(string_sid, member)) { return NT_STATUS_INVALID_PARAMETER; } @@ -427,7 +427,7 @@ static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, GROUP_MAP map; if (!get_group_map_from_sid(*alias, &map)) { - sid_to_string(string_sid, alias); + sid_to_fstring(string_sid, alias); return NT_STATUS_NO_SUCH_ALIAS; } @@ -452,7 +452,7 @@ static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member, el.name = talloc_strdup(tmp_ctx, "member"); el.num_values = 1; el.values = &val; - sid_to_string(string_sid, member); + sid_to_fstring(string_sid, member); val.data = (uint8_t *)string_sid; val.length = strlen(string_sid); -- cgit From f3603d5a5ab878d45b67bf0f33e2beca50d0af2d Mon Sep 17 00:00:00 2001 
From: Michael Adam
Date: Wed, 9 Jan 2008 00:11:31 +0100
Subject: Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS. Michael (This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a)
---
 source3/groupdb/mapping_ldb.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
(limited to 'source3/groupdb/mapping_ldb.c')
diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c
index ea46777598..05056eabd2 100644
--- a/source3/groupdb/mapping_ldb.c
+++ b/source3/groupdb/mapping_ldb.c
@@ -398,8 +398,8 @@ static NTSTATUS one_alias_membership(const DOM_SID *member,
 goto failed;
 }
 string_to_sid(&alias, (char *)el->values[0].data);
- if (!add_sid_to_array_unique(NULL, &alias, sids, num)) {
- status = NT_STATUS_NO_MEMORY;
+ status = add_sid_to_array_unique(NULL, &alias, sids, num);
+ if (!NT_STATUS_IS_OK(status)) {
 goto failed;
 }
 }
@@ -492,6 +492,7 @@ static NTSTATUS enum_aliasmem(const DOM_SID *alias, DOM_SID **sids, size_t *num)
 NULL
 };
 int ret, i;
+ NTSTATUS status;
 struct ldb_result *res=NULL;
 struct ldb_dn *dn;
 struct ldb_message_element *el;
@@ -524,14 +525,15 @@ static NTSTATUS enum_aliasmem(const DOM_SID *alias, DOM_SID **sids, size_t *num)
 for (i=0;inum_values;i++) {
 DOM_SID sid;
 string_to_sid(&sid, (const char *)el->values[i].data);
- if (!add_sid_to_array_unique(NULL, &sid, sids, num)) {
- talloc_free(dn);
- return NT_STATUS_NO_MEMORY;
+ status = add_sid_to_array_unique(NULL, &sid, sids, num);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
 }
 }
 
- talloc_free(dn);
- return NT_STATUS_OK;
+done:
+ talloc_free(dn);
+ return status;
 }
 
 /*
-- cgit
From ddabc2b00c8b01dfd1c019e2d3a946a766fe4e51 Mon Sep 17 00:00:00 2001
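Review bot: In the enum_aliasmem hunk the new `goto done` path returns the failure status but leaves `*sids` pointing at the partially filled array that `add_sid_to_array_unique()` has already grown; whether callers free it after a failed return I can't tell from here, so either clear it under the label, `if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(*sids); *num = 0; }`, or state in a comment that the caller owns `*sids` even on failure. `status` is also assigned only inside the loop in this hunk, so the `return status` for an element with no values depends on an initialiser that is not visible here. The same partial-array question applies to the one_alias_membership hunk above. Both function bodies start outside the hunks.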
From: Jeremy Allison
Date: Tue, 15 Jan 2008 15:09:13 -0800
Subject: Fix "status used uninitialized" warnings. Jeremy. (This used to be commit e57856fff2ef86481ac6770c7d010a26666d8bdd)
---
 source3/groupdb/mapping_ldb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source3/groupdb/mapping_ldb.c')
diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c
index 05056eabd2..454fe467a9 100644
--- a/source3/groupdb/mapping_ldb.c
+++ b/source3/groupdb/mapping_ldb.c
@@ -492,7 +492,7 @@ static NTSTATUS enum_aliasmem(const DOM_SID *alias, DOM_SID **sids, size_t *num)
 NULL
 };
 int ret, i;
- NTSTATUS status;
+ NTSTATUS status = NT_STATUS_OK;
 struct ldb_result *res=NULL;
 struct ldb_dn *dn;
 struct ldb_message_element *el;
-- cgit
From e191b0edd534d13e9bdbe62a56d41a240f33f001 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 28 Mar 2008 15:06:56 +0100
Subject: mapping_ldb: fix memory leak in group enumeration metze (This used to be commit 235c056a0ecbb70b21a2572d42c32067dd699988)
---
 source3/groupdb/mapping_ldb.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'source3/groupdb/mapping_ldb.c')
diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c
index 454fe467a9..6775f612e7 100644
--- a/source3/groupdb/mapping_ldb.c
+++ b/source3/groupdb/mapping_ldb.c
@@ -310,7 +310,7 @@ static bool enum_group_mapping(const DOM_SID *domsid, enum lsa_SidType sid_name_
 int i, ret;
 char *expr;
 fstring name;
- struct ldb_result *res;
+ struct ldb_result *res = NULL;
 struct ldb_dn *basedn=NULL;
 TALLOC_CTX *tmp_ctx;
 
@@ -333,6 +333,7 @@ static bool enum_group_mapping(const DOM_SID *domsid, enum lsa_SidType sid_name_
 }
 
 ret = ldb_search(ldb, basedn, LDB_SCOPE_SUBTREE, expr, NULL, &res);
+ talloc_steal(tmp_ctx, res);
 if (ret != LDB_SUCCESS) goto failed;
 
 (*pp_rmap) = NULL;
-- cgit
From 9a89e30229442ae6336328c9e37b3121c188df01 Mon Sep 17 00:00:00 2001
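Review bot: `talloc_steal(tmp_ctx, res)` in the enum_group_mapping hunk runs before `ret` is checked, which is only fine because `res` now starts as NULL (the other hunk of this commit) and, as far as I recall, talloc_steal() ignores a NULL pointer; that reasoning deserves a line, `/* res may be NULL on failure; stealing NULL is a no-op, so steal before the ret check */`, so the next reader does not move the call below the goto and reintroduce the leak on the error path. enum_group_mapping's body continues outside the hunk.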
From: Andrew Tridgell Date: Wed, 27 Aug 2008 10:45:43 +0200 Subject: ldb: Fix permissions of group_mapping.ldb. This one fixes bug #5715 and CVE-2008-3789. (cherry picked from commit a94f44c49f668fcf12f4566777a668043326bf97) (This used to be commit 2eaf4ed62220246bcc1a9702166b0b4f381fdae3) --- source3/groupdb/mapping_ldb.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index 6775f612e7..ce65d7c46d 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -74,7 +74,13 @@ static bool init_group_mapping(void) if (ret != LDB_SUCCESS) { goto failed; } - + + /* force the permissions on the ldb to 0600 - this will fix + existing databases as well as new ones */ + if (chmod(db_path, 0600) != 0) { + goto failed; + } + if (!existed) { /* initialise the ldb with an index */ struct ldb_ldif *ldif; -- cgit From e588f0bc36b1f199afc41389b052d991453af3f8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 27 Aug 2008 11:28:18 -0700 Subject: Be explicit about setting perms for the ldb. Helps others who may use this api. Jeremy. (This used to be commit f0ea0f3502037db878238942ee0729f6940e0b01) --- source3/groupdb/mapping_ldb.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/groupdb/mapping_ldb.c') diff --git a/source3/groupdb/mapping_ldb.c b/source3/groupdb/mapping_ldb.c index ce65d7c46d..7ce879fb6e 100644 --- a/source3/groupdb/mapping_ldb.c +++ b/source3/groupdb/mapping_ldb.c @@ -60,6 +60,9 @@ static bool init_group_mapping(void) ldb = ldb_init(NULL); if (ldb == NULL) goto failed; + /* Ensure this db is created read/write for root only. */ + ldb_set_create_perms(ldb, 0600); + existed = file_exist(db_path, NULL); if (lp_parm_bool(-1, "groupmap", "nosync", False)) { -- cgit
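Review bot: The `chmod(db_path, 0600)` in init_group_mapping runs after `ldb_connect()` has already created the file, so a database created for the first time carries its umask-derived mode until the chmod runs; setting the creation mode on the ldb context before connect (as the next commit on this page does) is the place to fix creation, and the chmod then covers databases older versions left readable. The call also operates on the path rather than the open file, so it follows whatever `db_path` resolves to; whether ldb exposes the descriptor so fchmod() could be used instead I can't tell from here. A comment above it, `/* also repairs databases created by earlier versions with a looser mode */`, would record why the call stays. init_group_mapping's body extends beyond the hunk.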
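Review bot: `ldb_set_create_perms(ldb, 0600)` and the later `chmod(db_path, 0600)` now each fix one half of the permission problem, but nothing in the code ties them together, so either could later be removed as redundant; the comment on the new call should say `/* applies to the file ldb_connect() creates below; databases created by older versions are fixed by the chmod after connect */`. The hunk gives no hint whether the setter can fail, so the unchecked call is fine only if it is void; that is worth confirming against the ldb header. init_group_mapping continues beyond the hunk.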