From 0b18acb841f6a372b3aa285d4734875e5e35fe3b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 7 Jul 2003 05:11:10 +0000 Subject: and so it begins.... * remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8) --- source3/passdb/passdb.c | 202 +++++++++++++++++++++++++++++++++++++++++++++- source3/passdb/pdb_ldap.c | 10 ++- 2 files changed, 206 insertions(+), 6 deletions(-) (limited to 'source3/passdb') diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index de919ef6f9..4c50b05107 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -892,10 +892,6 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi /************************************************************* Change a password entry in the local smbpasswd file. - -It is currently being called by SWAT and by smbpasswd. - - --jerry *************************************************************/ BOOL local_password_change(const char *user_name, int local_flags, @@ -1040,3 +1036,201 @@ BOOL local_password_change(const char *user_name, int local_flags, pdb_free_sam(&sam_pass); return True; } + +/**************************************************************************** + Convert a uid to SID - locally. +****************************************************************************/ + +DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid) +{ + SAM_ACCOUNT *sampw = NULL; + struct passwd *unix_pw; + + + + winbind_off(); + unix_pw = sys_getpwuid( uid ); + winbind_on(); + + if ( !unix_pw ) { + DEBUG(4,("local_uid_to_sid: host has know idea of uid %d\n", uid)); + return NULL; + } + + if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw)) ) { + DEBUG(0,("local_uid_to_sid: failed to allocate SAM_ACCOUTN object\n")); + return NULL; + } + + if ( !pdb_getsampwnam( sampw, unix_pw->pw_name ) ) { + DEBUG(4,("local_uid_to_sid: User %s [uid == %d] has no samba account\n", + unix_pw->pw_name, uid)); + return NULL; + } + + sid_copy( psid, pdb_get_user_sid(sampw) ); + + DEBUG(10,("local_uid_to_sid: uid (%d) -> SID %s (%s).\n", + (unsigned int)uid, sid_string_static(psid), unix_pw->pw_name)); + + return psid; +} + +/**************************************************************************** + Convert a SID to uid - locally. +****************************************************************************/ + +BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type) +{ + DOM_SID dom_sid; + uint32 rid; + SAM_ACCOUNT *sampw = NULL; + struct passwd *unix_pw; + const char *user_name; + + *name_type = SID_NAME_UNKNOWN; + + sid_copy(&dom_sid, psid); + sid_split_rid(&dom_sid, &rid); + + /* + * We can only convert to a uid if this is our local + * Domain SID (ie. we are the controling authority). + */ + if ( !sid_equal(get_global_sam_sid(), &dom_sid) ) + return False; + + + /* lookup the user account */ + + if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw)) ) { + DEBUG(0,("local_sid_to_uid: Failed to allocate memory for SAM_ACCOUNT object\n")); + return False; + } + + if ( !pdb_getsampwsid(sampw, psid) ) { + DEBUG(8,("local_sid_to_uid: Could not find SID %s in passdb\n", + sid_string_static(psid))); + return False; + } + + user_name = pdb_get_username(sampw); + + winbind_off(); + unix_pw = sys_getpwnam( user_name ); + winbind_on(); + + if ( !unix_pw ) { + DEBUG(0,("local_sid_to_uid: %s found in passdb but getpwnam() return NULL!\n", + user_name)); + pdb_free_sam( &sampw ); + return False; + } + + *puid = unix_pw->pw_uid; + + DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_string_static(psid), + (unsigned int)*puid, user_name )); + + *name_type = SID_NAME_USER; + + return True; +} + +/**************************************************************************** + Convert a gid to SID - locally. +****************************************************************************/ + +DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid) +{ + GROUP_MAP group; + + /* we don't need to disable winbindd since the gid is stored in + the GROUP_MAP object */ + + if ( !pdb_getgrgid( &group, gid ) ) { + + /* fallback to rid mapping if enabled */ + + if ( lp_enable_rid_algorithm() ) { + sid_copy(psid, get_global_sam_sid()); + sid_append_rid(psid, pdb_gid_to_group_rid(gid)); + + DEBUG(10,("local_gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n", + (unsigned int)gid, sid_string_static(psid))); + + return psid; + } + else + return NULL; + } + + sid_copy( psid, &group.sid ); + + DEBUG(10,("local_gid_to_sid: gid (%d) -> SID %s.\n", + (unsigned int)gid, sid_string_static(psid))); + + return psid; +} + +/**************************************************************************** + Convert a SID to gid - locally. +****************************************************************************/ + +BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type) +{ + DOM_SID dom_sid; + uint32 rid; + GROUP_MAP group; + + *name_type = SID_NAME_UNKNOWN; + + /* This call can enumerate grou mappings for foreign sids as well. + So don't check for a match against our domain SID */ + + /* we don't need to disable winbindd since the gid is stored in + the GROUP_MAP object */ + + if ( !pdb_getgrsid(&group, *psid) ) { + + /* fallback to rid mapping if enabled */ + + if ( lp_enable_rid_algorithm() ) { + sid_copy(&dom_sid, psid); + sid_split_rid(&dom_sid, &rid); + + if (!sid_equal(get_global_sam_sid(), &dom_sid) ) { + DEBUG(5,("local_sid_to_gid: RID algorithm only supported for our domain (not %s)\n", + sid_string_static(&dom_sid))); + return False; + } + + if (!sid_peek_rid(psid, &rid)) { + DEBUG(10,("local_sid_to_uid: invalid SID!\n")); + return False; + } + + DEBUG(10,("local_sid_to_gid: Fall back to algorithmic mapping\n")); + + if (fallback_pdb_rid_is_user(rid)) { + DEBUG(3, ("local_sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(psid))); + return False; + } else { + *pgid = pdb_group_rid_to_gid(rid); + DEBUG(10,("local_sid_to_gid: mapping: %s -> %u\n", sid_string_static(psid), (unsigned int)(*pgid))); + return True; + } + } + + return False; + } + + *pgid = group.gid; + + DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u)\n", sid_string_static(psid), + (unsigned int)*pgid)); + + return True; +} + + diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index 698365f42c..886fd809f3 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -2217,7 +2217,7 @@ static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods, count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result); if (count < 1) { - DEBUG(4, ("Did not find group for filter %s\n", filter)); + DEBUG(4, ("Did not find group\n")); return NT_STATUS_NO_SUCH_GROUP; } @@ -2327,6 +2327,7 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods, (struct ldapsam_privates *)methods->private_data; LDAPMessage *result = NULL; LDAPMod **mods = NULL; + int count; char *tmp; pstring dn; @@ -2347,7 +2348,12 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods, return NT_STATUS_UNSUCCESSFUL; } - if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 1) { + count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result); + + if ( count == 0 ) + return NT_STATUS_UNSUCCESSFUL; + + if (count > 1) { DEBUG(2, ("Group %i must exist exactly once in LDAP\n", map->gid)); ldap_msgfree(result); -- cgit