From 4225f9a4bd5eece4d57820bbabb7b882610aa7cc Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 12 Dec 2006 14:52:13 +0000
Subject: r20116: Start merging in the work done to create the new idmap subsystem.
Simo.
(This used to be commit 50cd8bffeeed2cac755f75fc3d76fe41c451976b)
---
 source3/passdb/lookup_sid.c | 223 ++++++++++++++++++++++++-----------------
 source3/passdb/pdb_interface.c | 35 +++++--
 source3/passdb/secrets.c | 42 ++++++++
 3 files changed, 202 insertions(+), 98 deletions(-)
(limited to 'source3/passdb')
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 758fe968fc..d1d0f425ad 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -1112,29 +1112,16 @@ void store_gid_sid_cache(const DOM_SID *psid, gid_t gid)
 }
 /*****************************************************************
- *THE CANONICAL* convert uid_t to SID function.
+ *THE LEGACY* convert uid_t to SID function.
 *****************************************************************/
-void uid_to_sid(DOM_SID *psid, uid_t uid)
+void legacy_uid_to_sid(DOM_SID *psid, uid_t uid)
 {
- uid_t low, high;
 uint32 rid;
 BOOL ret;
 ZERO_STRUCTP(psid);
- if (fetch_sid_from_uid_cache(psid, uid))
- return;
-
- if ((lp_winbind_trusted_domains_only() ||
- (lp_idmap_uid(&low, &high) && (uid >= low) && (uid <= high))) &&
- winbind_uid_to_sid(psid, uid)) {
- DEBUG(10,("uid_to_sid: winbindd %u -> %s\n",
- (unsigned int)uid, sid_string_static(psid)));
- goto done;
- }
-
 become_root_uid_only();
 ret = pdb_uid_to_rid(uid, &rid);
 unbecome_root_uid_only();
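Review bot: The new `*THE LEGACY*` header on `legacy_uid_to_sid` (and likewise on `legacy_gid_to_sid`, `legacy_sid_to_uid` and `legacy_sid_to_gid` in the next three hunks) does not say when the legacy path is taken or that these functions no longer consult or update the uid/gid/sid cache, so a reader may call them directly and silently bypass the winbindd idmap path and the cache. Propose replacing the one-line header text with `Called by uid_to_sid() only when winbindd cannot be reached; maps through passdb directly and neither reads nor updates the uid<->sid cache.`, adjusted per function. The body of `legacy_uid_to_sid` continues past the end of this hunk.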
@@ -1151,36 +1138,22 @@ void uid_to_sid(DOM_SID *psid, uid_t uid)
 uid_to_unix_users_sid(uid, psid);
 done:
- DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid,
+ DEBUG(10,("LEGACY: uid %u -> sid %s\n", (unsigned int)uid,
 sid_string_static(psid)));
- store_uid_sid_cache(psid, uid);
 return;
 }
 /*****************************************************************
- *THE CANONICAL* convert gid_t to SID function.
+ *THE LEGACY* convert gid_t to SID function.
 *****************************************************************/
-void gid_to_sid(DOM_SID *psid, gid_t gid)
+void legacy_gid_to_sid(DOM_SID *psid, gid_t gid)
 {
 BOOL ret;
- gid_t low, high;
 ZERO_STRUCTP(psid);
- if (fetch_sid_from_gid_cache(psid, gid))
- return;
-
- if ((lp_winbind_trusted_domains_only() ||
- (lp_idmap_gid(&low, &high) && (gid >= low) && (gid <= high))) &&
- winbind_gid_to_sid(psid, gid)) {
- DEBUG(10,("gid_to_sid: winbindd %u -> %s\n",
- (unsigned int)gid, sid_string_static(psid)));
- goto done;
- }
-
 become_root_uid_only();
 ret = pdb_gid_to_sid(gid, psid);
 unbecome_root_uid_only();
@@ -1195,29 +1168,20 @@ void gid_to_sid(DOM_SID *psid, gid_t gid)
 gid_to_unix_groups_sid(gid, psid);
 done:
- DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid,
+ DEBUG(10,("LEGACY: gid %u -> sid %s\n", (unsigned int)gid,
 sid_string_static(psid)));
- store_gid_sid_cache(psid, gid);
 return;
 }
 /*****************************************************************
- *THE CANONICAL* convert SID to uid function.
+ *THE LEGACY* convert SID to uid function.
 *****************************************************************/
-BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid)
+BOOL legacy_sid_to_uid(const DOM_SID *psid, uid_t *puid)
 {
 enum lsa_SidType type;
 uint32 rid;
- gid_t gid;
-
- if (fetch_uid_from_cache(puid, psid))
- return True;
-
- if (fetch_gid_from_cache(&gid, psid)) {
- return False;
- }
 if (sid_peek_check_rid(&global_sid_Unix_Users, psid, &rid)) {
 uid_t uid = rid;
@@ -1249,55 +1213,26 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid)
 return False;
 }
- if (winbind_lookup_sid(NULL, psid, NULL, NULL, &type)) {
-
- if (type != SID_NAME_USER) {
- DEBUG(10, ("sid_to_uid: sid %s is a %s\n",
- sid_string_static(psid),
- sid_type_lookup(type)));
- return False;
- }
-
- if (!winbind_sid_to_uid(puid, psid)) {
- DEBUG(5, ("sid_to_uid: winbind failed to allocate a "
- "new uid for sid %s\n",
- sid_string_static(psid)));
- return False;
- }
- goto done;
- }
-
- /* TODO: Here would be the place to allocate both a gid and a uid for
- * the SID in question */
-
 return False;
 done:
- DEBUG(10,("sid_to_uid: %s -> %u\n", sid_string_static(psid),
+ DEBUG(10,("LEGACY: sid %s -> uid %u\n", sid_string_static(psid),
 (unsigned int)*puid ));
- store_uid_sid_cache(psid, *puid);
 return True;
 }
 /*****************************************************************
- *THE CANONICAL* convert SID to gid function.
+ *THE LEGACY* convert SID to gid function.
 Group mapping is used for gids that maps to Wellknown SIDs
 *****************************************************************/
-BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid)
+BOOL legacy_sid_to_gid(const DOM_SID *psid, gid_t *pgid)
 {
 uint32 rid;
 GROUP_MAP map;
 union unid_t id;
 enum lsa_SidType type;
- uid_t uid;
-
- if (fetch_gid_from_cache(pgid, psid))
- return True;
-
- if (fetch_uid_from_cache(&uid, psid))
- return False;
 if (sid_peek_check_rid(&global_sid_Unix_Groups, psid, &rid)) {
 gid_t gid = rid;
@@ -1344,33 +1279,137 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid)
 return False;
 }
- if (!winbind_lookup_sid(NULL, psid, NULL, NULL, &type)) {
- DEBUG(11,("sid_to_gid: no one knows the SID %s (tried local, "
- "then winbind)\n", sid_string_static(psid)));
-
+ done:
+ DEBUG(10,("LEGACY: sid %s -> gid %u\n", sid_string_static(psid),
+ (unsigned int)*pgid ));
+
+ return True;
+}
+
+/*****************************************************************
+ *THE CANONICAL* convert uid_t to SID function.
+*****************************************************************/
+
+void uid_to_sid(DOM_SID *psid, uid_t uid)
+{
+ ZERO_STRUCTP(psid);
+
+ if (fetch_sid_from_uid_cache(psid, uid))
+ return;
+
+ if (!winbind_uid_to_sid(psid, uid)) {
+ if (!winbind_ping()) {
+ DEBUG(2, ("WARNING: Winbindd not running, mapping ids with legacy code"));
+ return legacy_uid_to_sid(psid, uid);
+ }
+
+ DEBUG(5, ("uid_to_sid: winbind failed to find a sid for uid %u\n",
+ uid));
+ return;
+ }
+
+ DEBUG(10,("uid %u -> sid %s\n",
+ (unsigned int)uid, sid_string_static(psid)));
+
+ store_uid_sid_cache(psid, uid);
+ return;
+}
+
+/*****************************************************************
+ *THE CANONICAL* convert gid_t to SID function.
+*****************************************************************/
+
+void gid_to_sid(DOM_SID *psid, gid_t gid)
+{
+ ZERO_STRUCTP(psid);
+
+ if (fetch_sid_from_gid_cache(psid, gid))
+ return;
+
+ if (!winbind_gid_to_sid(psid, gid)) {
+ if (!winbind_ping()) {
+ DEBUG(2, ("WARNING: Winbindd not running, mapping ids with legacy code"));
+ return legacy_gid_to_sid(psid, gid);
+ }
+
+ DEBUG(5, ("gid_to_sid: winbind failed to find a sid for gid %u\n",
+ gid));
+ return;
+ }
+
+ DEBUG(10,("gid %u -> sid %s\n",
+ (unsigned int)gid, sid_string_static(psid)));
+
+ store_gid_sid_cache(psid, gid);
+ return;
+}
+
+/*****************************************************************
+ *THE CANONICAL* convert SID to uid function.
+*****************************************************************/
+
+BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid)
+{
+ gid_t gid;
+
+ if (fetch_uid_from_cache(puid, psid))
+ return True;
+
+ if (fetch_gid_from_cache(&gid, psid)) {
 return False;
 }
- /* winbindd knows it; Ensure this is a group sid */
+ if (!winbind_sid_to_uid(puid, psid)) {
+ if (!winbind_ping()) {
+ DEBUG(2, ("WARNING: Winbindd not running, mapping ids with legacy code"));
+ return legacy_sid_to_uid(psid, puid);
+ }
- if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
- (type != SID_NAME_WKN_GRP)) {
- DEBUG(10,("sid_to_gid: winbind lookup succeeded but SID is "
- "a %s\n", sid_type_lookup(type)));
+ DEBUG(5, ("winbind failed to find a uid for sid %s\n",
+ sid_string_static(psid)));
 return False;
 }
-
- /* winbindd knows it and it is a type of group; sid_to_gid must succeed
- or we are dead in the water */
+
+ /* TODO: Here would be the place to allocate both a gid and a uid for
+ * the SID in question */
+
+ DEBUG(10,("sid %s -> uid %u\n", sid_string_static(psid),
+ (unsigned int)*puid ));
+
+ store_uid_sid_cache(psid, *puid);
+ return True;
+}
+
+/*****************************************************************
+ *THE CANONICAL* convert SID to gid function.
+ Group mapping is used for gids that maps to Wellknown SIDs
+*****************************************************************/
+
+BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid)
+{
+ uid_t uid;
+
+ if (fetch_gid_from_cache(pgid, psid))
+ return True;
+
+ if (fetch_uid_from_cache(&uid, psid))
+ return False;
+
+ /* Ask winbindd if it can map this sid to a gid.
+ * (Idmap will check it is a valid SID and of the right type) */
 if ( !winbind_sid_to_gid(pgid, psid) ) {
- DEBUG(10,("sid_to_gid: winbind failed to allocate a new gid "
- "for sid %s\n", sid_string_static(psid)));
+ if (!winbind_ping()) {
+ DEBUG(2, ("WARNING: Winbindd not running, mapping ids with legacy code"));
+ return legacy_sid_to_uid(psid, pgid);
+ }
+
+ DEBUG(10,("winbind failed to find a gid for sid %s\n",
+ sid_string_static(psid)));
 return False;
 }
- done:
- DEBUG(10,("sid_to_gid: %s -> %u\n", sid_string_static(psid),
+ DEBUG(10,("sid %s -> gid %u\n", sid_string_static(psid),
 (unsigned int)*pgid ));
 store_gid_sid_cache(psid, *pgid);
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index b84b0bfaff..478d1ac036 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -995,6 +995,12 @@ BOOL pdb_uid_to_rid(uid_t uid, uint32 *rid)
 return pdb->uid_to_rid(pdb, uid, rid);
 }
+BOOL pdb_uid_to_sid(uid_t uid, DOM_SID *sid)
+{
+ struct pdb_methods *pdb = pdb_get_methods();
+ return pdb->uid_to_sid(pdb, uid, sid);
+}
+
 BOOL pdb_gid_to_sid(gid_t gid, DOM_SID *sid)
 {
 struct pdb_methods *pdb = pdb_get_methods();
@@ -1161,8 +1167,8 @@ static NTSTATUS pdb_default_get_seq_num(struct pdb_methods *methods, time_t *seq
 return NT_STATUS_OK;
 }
-static BOOL pdb_default_uid_to_rid(struct pdb_methods *methods, uid_t uid,
- uint32 *rid)
+static BOOL pdb_default_uid_to_sid(struct pdb_methods *methods, uid_t uid,
+ DOM_SID *sid)
 {
 struct samu *sampw = NULL;
 struct passwd *unix_pw;
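Review bot: In the new `sid_to_gid`, the winbindd-down fallback calls `legacy_sid_to_uid(psid, pgid)` instead of the gid variant, passing a `gid_t *` where a `uid_t *` is expected (silently accepted wherever both typedef to the same integer) and resolving a group SID through the user mapping path; what `legacy_sid_to_uid` does with a group SID is decided outside this hunk, but at best the group lookup fails and at worst a uid lands in `*pgid`, which is an identity-mapping error with authorization consequences. The line should read `return legacy_sid_to_gid(psid, pgid);`. In the new `uid_to_sid` and `gid_to_sid`, `return legacy_uid_to_sid(psid, uid);` and `return legacy_gid_to_sid(psid, gid);` return a void expression from a void function, which ISO C forbids; split each into the call followed by `return;`. The `DEBUG(5, ...)` calls in those two functions also pass `uid`/`gid` to `%u` without the `(unsigned int)` cast used everywhere else in this file, and the three `DEBUG(2, ("WARNING: ..."))` strings lack a trailing `\n`.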
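Review bot: `pdb_uid_to_sid` calls `pdb->uid_to_sid(...)` with no check that the slot is populated, and the `struct pdb_methods` member it relies on is not part of this diff (the listing is limited to source3/passdb), so a backend module built against the previous method table would presumably leave it NULL; if the header change elsewhere in the commit does not also bump PASSDB_INTERFACE_VERSION, a comment on this wrapper noting that it requires the new interface version would help the next reader.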
@@ -1193,15 +1199,31 @@ static BOOL pdb_default_uid_to_rid(struct pdb_methods *methods, uid_t uid,
 return False;
 }
- ret = sid_peek_check_rid(get_global_sam_sid(),
- pdb_get_user_sid(sampw), rid);
+ sid_copy(sid, pdb_get_user_sid(sampw));
+
+ TALLOC_FREE(sampw);
+
+ return True;
+}
+
+static BOOL pdb_default_uid_to_rid(struct pdb_methods *methods, uid_t uid,
+ uint32 *rid)
+{
+ DOM_SID sid;
+ BOOL ret;
+
+ ret = pdb_default_uid_to_sid(methods, uid, &sid);
+ if (!ret) {
+ return ret;
+ }
+
+ ret = sid_peek_check_rid(get_global_sam_sid(), &sid, rid);
 if (!ret) {
 DEBUG(1, ("Could not peek rid out of sid %s\n",
- sid_string_static(pdb_get_user_sid(sampw))));
+ sid_string_static(&sid)));
 }
- TALLOC_FREE(sampw);
 return ret;
 }
@@ -2015,6 +2037,7 @@ NTSTATUS make_pdb_method( struct pdb_methods **methods )
 (*methods)->set_account_policy = pdb_default_set_account_policy;
 (*methods)->get_seq_num = pdb_default_get_seq_num;
 (*methods)->uid_to_rid = pdb_default_uid_to_rid;
+ (*methods)->uid_to_sid = pdb_default_uid_to_sid;
 (*methods)->gid_to_sid = pdb_default_gid_to_sid;
 (*methods)->sid_to_id = pdb_default_sid_to_id;
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index a1be400c46..d169ffa329 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
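Review bot: The new `pdb_default_uid_to_rid` calls `pdb_default_uid_to_sid` directly rather than going through the method table, so a backend that overrides `uid_to_sid` but inherits the default `uid_to_rid` would answer the two questions from different sources; `ret = methods->uid_to_sid(methods, uid, &sid);` keeps them consistent. The tail of `pdb_default_uid_to_sid` no longer assigns `ret`, so if the `BOOL ret;` declared in its head (outside this hunk) survives, it is now an unused local that should be dropped.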
@@ -1252,3 +1252,45 @@ BOOL secrets_restore_schannel_session_info(TALLOC_CTX *mem_ctx,
 return True;
 }
+
+BOOL secrets_store_generic(const char *owner, const char *key, const char *secret)
+{
+ char *tdbkey = NULL;
+ BOOL ret;
+
+ if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) {
+ DEBUG(0, ("asprintf failed!\n"));
+ return False;
+ }
+
+ ret = secrets_store(tdbkey, secret, strlen(secret)+1);
+
+ SAFE_FREE(tdbkey);
+ return ret;
+}
+
+/*******************************************************************
+ Find the ldap password.
+******************************************************************/
+
+char *secrets_fetch_generic(const char *owner, const char *key)
+{
+ char *secret = NULL;
+ char *tdbkey = NULL;
+
+ if (( ! owner) || ( ! key)) {
+ DEBUG(1, ("Invalid Paramters"));
+ return NULL;
+ }
+
+ if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) {
+ DEBUG(0, ("Out of memory!\n"));
+ return NULL;
+ }
+
+ secret = (char *)secrets_fetch(tdbkey, NULL);
+ SAFE_FREE(tdbkey);
+
+ return secret;
+}
+
-- 
cgit
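Review bot: `secrets_store_generic` has no NULL guard for `owner`, `key` or `secret` although `secrets_fetch_generic` right below checks its inputs; `strlen(secret)` on a NULL secret is undefined and `%s` with a NULL argument is not portable, so add `if (!owner || !key || !secret) { DEBUG(1, ("secrets_store_generic: invalid parameters\n")); return False; }` before the asprintf. The record name is built as `SECRETS/GENERIC/<owner>/<key>` with no escaping, so an owner or key containing `/` can alias another owner's record; either reject `/` in both arguments or document that callers pass only fixed identifiers. The header `Find the ldap password.` above `secrets_fetch_generic` is copied from another function and wrong; a comment such as `Fetch the secret stored by secrets_store_generic() for (owner, key); returns NULL if absent, and the caller presumably frees the returned buffer (confirm against secrets_fetch)` would describe the contract. The `Invalid Paramters` message also has a typo and no trailing `\n`.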