2007-09-10 20:56:51 +04:00
/*
2006-12-12 17:52:13 +03:00
Unix SMB / CIFS implementation .
ID Mapping
Copyright ( C ) Tim Potter 2000
Copyright ( C ) Jim McDonough < jmcd @ us . ibm . com > 2003
2007-09-10 20:56:51 +04:00
Copyright ( C ) Simo Sorce 2003 - 2007
2006-12-12 17:52:13 +03:00
Copyright ( C ) Jeremy Allison 2006
2011-01-03 00:04:53 +03:00
Copyright ( C ) Michael Adam 2010
2006-12-12 17:52:13 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
the Free Software Foundation ; either version 3 of the License , or
2006-12-12 17:52:13 +03:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 04:52:41 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2007-01-22 19:54:02 +03:00
*/
2006-12-12 17:52:13 +03:00
# include "includes.h"
# include "winbindd.h"
2010-08-18 20:13:42 +04:00
# include "idmap.h"
2012-11-30 19:27:59 +04:00
# include "lib/util_sid_passdb.h"
2014-03-28 06:37:19 +04:00
# include "passdb.h"
2006-12-12 17:52:13 +03:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_IDMAP
static_decl_idmap ;
2010-05-31 12:57:52 +04:00
static void idmap_init ( void )
{
static bool initialized ;
if ( initialized ) {
return ;
}
DEBUG ( 10 , ( " idmap_init(): calling static_init_idmap \n " ) ) ;
static_init_idmap ;
initialized = true ;
}
2008-07-17 15:32:28 +04:00
/**
* Pointer to the backend methods . Modules register themselves here via
* smb_register_idmap .
*/
2006-12-12 17:52:13 +03:00
struct idmap_backend {
const char * name ;
struct idmap_methods * methods ;
struct idmap_backend * prev , * next ;
} ;
2008-07-17 15:32:28 +04:00
static struct idmap_backend * backends = NULL ;
2006-12-12 17:52:13 +03:00
2008-07-17 15:32:28 +04:00
/**
* Default idmap domain configured via " idmap backend " .
2008-07-13 14:07:40 +04:00
*/
static struct idmap_domain * default_idmap_domain ;
2008-07-17 15:32:28 +04:00
/**
* Passdb idmap domain , not configurable . winbind must always give passdb a
* chance to map ids .
*/
2008-07-13 14:07:40 +04:00
static struct idmap_domain * passdb_idmap_domain ;
2008-07-17 15:32:28 +04:00
/**
* List of specially configured idmap domains . This list is filled on demand
* in the winbind idmap child when the parent winbind figures out via the
* special range parameter or via the domain SID that a special " idmap config
* domain " configuration is present.
*/
2006-12-12 17:52:13 +03:00
static struct idmap_domain * * idmap_domains = NULL ;
static int num_domains = 0 ;
2008-09-05 01:35:27 +04:00
static struct idmap_methods * get_methods ( const char * name )
2006-12-12 17:52:13 +03:00
{
struct idmap_backend * b ;
2008-09-05 01:35:27 +04:00
for ( b = backends ; b ; b = b - > next ) {
2006-12-12 17:52:13 +03:00
if ( strequal ( b - > name , name ) ) {
return b - > methods ;
}
}
return NULL ;
}
2007-10-19 04:40:25 +04:00
bool idmap_is_offline ( void )
2007-04-19 01:10:37 +04:00
{
return ( lp_winbind_offline_logon ( ) & &
get_global_winbindd_state_offline ( ) ) ;
}
2008-07-13 14:07:40 +04:00
bool idmap_is_online ( void )
{
return ! idmap_is_offline ( ) ;
}
2006-12-12 17:52:13 +03:00
/**********************************************************************
Allow a module to register itself as a method .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-09-10 20:56:51 +04:00
NTSTATUS smb_register_idmap ( int version , const char * name ,
struct idmap_methods * methods )
2006-12-12 17:52:13 +03:00
{
struct idmap_backend * entry ;
if ( ( version ! = SMB_IDMAP_INTERFACE_VERSION ) ) {
DEBUG ( 0 , ( " Failed to register idmap module. \n "
2007-09-10 20:56:51 +04:00
" The module was compiled against "
" SMB_IDMAP_INTERFACE_VERSION %d, \n "
2006-12-12 17:52:13 +03:00
" current SMB_IDMAP_INTERFACE_VERSION is %d. \n "
2007-09-10 20:56:51 +04:00
" Please recompile against the current version "
" of samba! \n " ,
2006-12-12 17:52:13 +03:00
version , SMB_IDMAP_INTERFACE_VERSION ) ) ;
return NT_STATUS_OBJECT_TYPE_MISMATCH ;
}
if ( ! name | | ! name [ 0 ] | | ! methods ) {
DEBUG ( 0 , ( " Called with NULL pointer or empty name! \n " ) ) ;
return NT_STATUS_INVALID_PARAMETER ;
}
2008-07-13 14:07:40 +04:00
for ( entry = backends ; entry ! = NULL ; entry = entry - > next ) {
if ( strequal ( entry - > name , name ) ) {
2012-07-23 16:34:11 +04:00
DEBUG ( 5 , ( " Idmap module %s already registered! \n " ,
2008-07-17 15:32:28 +04:00
name ) ) ;
2008-07-13 14:07:40 +04:00
return NT_STATUS_OBJECT_NAME_COLLISION ;
}
2006-12-12 17:52:13 +03:00
}
2008-07-13 14:07:40 +04:00
entry = talloc ( NULL , struct idmap_backend ) ;
2006-12-12 17:52:13 +03:00
if ( ! entry ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
2008-07-13 05:13:44 +04:00
TALLOC_FREE ( entry ) ;
2006-12-12 17:52:13 +03:00
return NT_STATUS_NO_MEMORY ;
}
2008-07-13 14:07:40 +04:00
entry - > name = talloc_strdup ( entry , name ) ;
2006-12-12 17:52:13 +03:00
if ( ! entry - > name ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
2008-07-13 05:13:44 +04:00
TALLOC_FREE ( entry ) ;
2006-12-12 17:52:13 +03:00
return NT_STATUS_NO_MEMORY ;
}
entry - > methods = methods ;
DLIST_ADD ( backends , entry ) ;
DEBUG ( 5 , ( " Successfully added idmap backend '%s' \n " , name ) ) ;
return NT_STATUS_OK ;
}
2008-07-17 15:32:28 +04:00
/**
* Initialize a domain structure
* @ param [ in ] mem_ctx memory context for the result
* @ param [ in ] domainname which domain is this for
* @ param [ in ] modulename which backend module
2010-06-22 18:29:13 +04:00
* @ param [ in ] check_range whether range checking should be done
2008-07-17 15:32:28 +04:00
* @ result The initialized structure
*/
2008-07-13 14:07:40 +04:00
static struct idmap_domain * idmap_init_domain ( TALLOC_CTX * mem_ctx ,
const char * domainname ,
const char * modulename ,
2010-06-22 18:29:13 +04:00
bool check_range )
2007-09-10 20:56:51 +04:00
{
2008-07-13 14:07:40 +04:00
struct idmap_domain * result ;
NTSTATUS status ;
2011-03-02 17:41:06 +03:00
char * config_option = NULL ;
const char * range ;
2015-01-22 15:08:52 +03:00
unsigned low_id , high_id ;
2006-12-12 17:52:13 +03:00
2008-07-13 14:07:40 +04:00
result = talloc_zero ( mem_ctx , struct idmap_domain ) ;
if ( result = = NULL ) {
DEBUG ( 0 , ( " talloc failed \n " ) ) ;
return NULL ;
2007-05-07 01:04:30 +04:00
}
2007-09-10 20:56:51 +04:00
2008-07-13 14:07:40 +04:00
result - > name = talloc_strdup ( result , domainname ) ;
if ( result - > name = = NULL ) {
DEBUG ( 0 , ( " talloc failed \n " ) ) ;
goto fail ;
2007-05-07 01:04:30 +04:00
}
2006-12-12 17:52:13 +03:00
2014-07-20 13:53:32 +04:00
/*
* Check whether the requested backend module exists and
* load the methods .
*/
result - > methods = get_methods ( modulename ) ;
if ( result - > methods = = NULL ) {
DEBUG ( 3 , ( " idmap backend %s not found \n " , modulename ) ) ;
status = smb_probe_module ( " idmap " , modulename ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " Could not probe idmap module %s \n " ,
modulename ) ) ;
goto fail ;
}
result - > methods = get_methods ( modulename ) ;
}
if ( result - > methods = = NULL ) {
DEBUG ( 1 , ( " idmap backend %s not found \n " , modulename ) ) ;
goto fail ;
}
2010-06-16 18:07:55 +04:00
/*
* load ranges and read only information from the config
*/
2011-03-02 17:41:06 +03:00
config_option = talloc_asprintf ( result , " idmap config %s " ,
result - > name ) ;
if ( config_option = = NULL ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
goto fail ;
}
2010-06-16 18:07:55 +04:00
2014-07-20 14:11:16 +04:00
result - > read_only = lp_parm_bool ( - 1 , config_option , " read only " , false ) ;
2011-03-02 17:41:06 +03:00
range = lp_parm_const_string ( - 1 , config_option , " range " , NULL ) ;
2014-07-20 14:11:16 +04:00
talloc_free ( config_option ) ;
2011-03-02 17:41:06 +03:00
if ( range = = NULL ) {
if ( check_range ) {
2014-07-20 13:49:37 +04:00
DEBUG ( 1 , ( " idmap range not specified for domain %s \n " ,
result - > name ) ) ;
2010-06-16 18:07:55 +04:00
goto fail ;
}
2015-01-22 15:08:52 +03:00
} else if ( sscanf ( range , " %u - %u " , & low_id , & high_id ) ! = 2 )
2011-03-02 17:41:06 +03:00
{
DEBUG ( 1 , ( " invalid range '%s' specified for domain "
" '%s' \n " , range , result - > name ) ) ;
if ( check_range ) {
goto fail ;
2010-06-16 18:07:55 +04:00
}
2015-01-22 15:08:52 +03:00
} else if ( low_id > high_id ) {
DEBUG ( 1 , ( " Error: invalid idmap range detected: %u - %u \n " ,
low_id , high_id ) ) ;
2010-06-22 18:29:13 +04:00
if ( check_range ) {
goto fail ;
}
2010-06-16 18:07:55 +04:00
}
2015-01-22 15:08:52 +03:00
result - > low_id = low_id ;
result - > high_id = high_id ;
2011-03-03 01:00:58 +03:00
status = result - > methods - > init ( result ) ;
2008-07-13 14:07:40 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 1 , ( " idmap initialization returned %s \n " ,
nt_errstr ( status ) ) ) ;
goto fail ;
}
2006-12-12 17:52:13 +03:00
2008-07-13 14:07:40 +04:00
return result ;
2006-12-12 17:52:13 +03:00
2008-07-13 14:07:40 +04:00
fail :
TALLOC_FREE ( result ) ;
return NULL ;
}
2006-12-12 17:52:13 +03:00
2008-07-17 15:32:28 +04:00
/**
* Initialize a named domain structure
* @ param [ in ] mem_ctx memory context for the result
* @ param [ in ] domname the domain name
* @ result The default domain structure
*
* This routine looks at the " idmap config <domname> " parameters to figure out
* the configuration .
*/
2008-07-13 14:07:40 +04:00
static struct idmap_domain * idmap_init_named_domain ( TALLOC_CTX * mem_ctx ,
const char * domname )
{
struct idmap_domain * result = NULL ;
char * config_option ;
const char * backend ;
2008-04-02 02:25:47 +04:00
2011-03-11 01:41:17 +03:00
idmap_init ( ) ;
2008-07-13 14:07:40 +04:00
config_option = talloc_asprintf ( talloc_tos ( ) , " idmap config %s " ,
domname ) ;
if ( config_option = = NULL ) {
DEBUG ( 0 , ( " talloc failed \n " ) ) ;
goto fail ;
}
2008-04-02 02:25:47 +04:00
2008-07-13 14:07:40 +04:00
backend = lp_parm_const_string ( - 1 , config_option , " backend " , NULL ) ;
if ( backend = = NULL ) {
2013-03-04 15:52:26 +04:00
DEBUG ( 10 , ( " no idmap backend configured for domain '%s' \n " ,
domname ) ) ;
2008-07-13 14:07:40 +04:00
goto fail ;
2008-04-02 02:25:47 +04:00
}
2011-03-03 19:40:36 +03:00
result = idmap_init_domain ( mem_ctx , domname , backend , true ) ;
2008-07-13 14:07:40 +04:00
if ( result = = NULL ) {
goto fail ;
}
2006-12-12 17:52:13 +03:00
2008-07-13 14:07:40 +04:00
TALLOC_FREE ( config_option ) ;
return result ;
2006-12-12 17:52:13 +03:00
2008-07-13 14:07:40 +04:00
fail :
TALLOC_FREE ( config_option ) ;
TALLOC_FREE ( result ) ;
return NULL ;
}
2006-12-12 17:52:13 +03:00
2011-03-03 19:48:43 +03:00
/**
* Initialize the default domain structure
* @ param [ in ] mem_ctx memory context for the result
* @ result The default domain structure
*
* This routine takes the module name from the " idmap backend " parameter ,
* passing a possible parameter like ldap : ldap : //ldap-url/ to the module.
*/
static struct idmap_domain * idmap_init_default_domain ( TALLOC_CTX * mem_ctx )
{
return idmap_init_named_domain ( mem_ctx , " * " ) ;
}
2008-07-17 15:32:28 +04:00
/**
* Initialize the passdb domain structure
* @ param [ in ] mem_ctx memory context for the result
* @ result The default domain structure
*
* No config , passdb has its own configuration .
*/
2012-11-22 19:21:53 +04:00
static struct idmap_domain * idmap_passdb_domain ( TALLOC_CTX * mem_ctx )
2008-07-13 14:07:40 +04:00
{
2010-05-31 12:57:52 +04:00
idmap_init ( ) ;
2010-05-24 08:55:17 +04:00
2014-03-28 06:37:19 +04:00
if ( ! pdb_is_responsible_for_everything_else ( ) ) {
/*
* Always init the default domain , we can ' t go without one
*/
if ( default_idmap_domain = = NULL ) {
default_idmap_domain = idmap_init_default_domain ( NULL ) ;
}
if ( default_idmap_domain = = NULL ) {
return NULL ;
}
2010-11-09 00:38:13 +03:00
}
2008-07-13 14:07:40 +04:00
if ( passdb_idmap_domain ! = NULL ) {
return passdb_idmap_domain ;
}
2006-12-12 17:52:13 +03:00
2014-07-23 13:42:57 +04:00
passdb_idmap_domain = idmap_init_domain ( mem_ctx , get_global_sam_name ( ) ,
2011-03-03 19:40:36 +03:00
" passdb " , false ) ;
2008-07-13 14:07:40 +04:00
if ( passdb_idmap_domain = = NULL ) {
DEBUG ( 1 , ( " Could not init passdb idmap domain \n " ) ) ;
}
2006-12-12 17:52:13 +03:00
2008-07-13 14:07:40 +04:00
return passdb_idmap_domain ;
}
2006-12-12 17:52:13 +03:00
2008-07-17 15:32:28 +04:00
/**
* Find a domain struct according to a domain name
* @ param [ in ] domname Domain name to get the config for
* @ result The default domain structure that fits
*
* This is the central routine in the winbindd - idmap child to pick the correct
* domain for looking up IDs . If domname is NULL or empty , we use the default
* domain . If it contains something , we try to use idmap_init_named_domain ( )
* to fetch the correct backend .
*
* The choice about " domname " is being made by the winbind parent , look at the
* " have_idmap_config " of " struct winbindd_domain " which is set in
* add_trusted_domain .
*/
2012-11-27 04:11:16 +04:00
static struct idmap_domain * idmap_find_domain ( const char * domname )
2008-07-13 14:07:40 +04:00
{
struct idmap_domain * result ;
int i ;
2006-12-12 17:52:13 +03:00
2008-11-28 12:08:46 +03:00
DEBUG ( 10 , ( " idmap_find_domain called for domain '%s' \n " ,
domname ? domname : " NULL " ) ) ;
2011-03-11 01:41:17 +03:00
idmap_init ( ) ;
2008-07-13 14:07:40 +04:00
/*
* Always init the default domain , we can ' t go without one
*/
if ( default_idmap_domain = = NULL ) {
default_idmap_domain = idmap_init_default_domain ( NULL ) ;
}
if ( default_idmap_domain = = NULL ) {
return NULL ;
}
2007-04-19 01:10:37 +04:00
2008-07-13 14:07:40 +04:00
if ( ( domname = = NULL ) | | ( domname [ 0 ] = = ' \0 ' ) ) {
return default_idmap_domain ;
}
2006-12-12 17:52:13 +03:00
2008-07-13 14:07:40 +04:00
for ( i = 0 ; i < num_domains ; i + + ) {
if ( strequal ( idmap_domains [ i ] - > name , domname ) ) {
return idmap_domains [ i ] ;
2006-12-12 17:52:13 +03:00
}
2008-07-13 14:07:40 +04:00
}
2006-12-12 17:52:13 +03:00
2008-07-13 14:07:40 +04:00
if ( idmap_domains = = NULL ) {
/*
* talloc context for all idmap domains
*/
2011-06-07 05:30:12 +04:00
idmap_domains = talloc_array ( NULL , struct idmap_domain * , 1 ) ;
2008-07-13 14:07:40 +04:00
}
2006-12-12 17:52:13 +03:00
2008-07-13 14:07:40 +04:00
if ( idmap_domains = = NULL ) {
DEBUG ( 0 , ( " talloc failed \n " ) ) ;
return NULL ;
2006-12-12 17:52:13 +03:00
}
2008-07-13 14:07:40 +04:00
result = idmap_init_named_domain ( idmap_domains , domname ) ;
if ( result = = NULL ) {
/*
* Could not init that domain - - try the default one
*/
return default_idmap_domain ;
}
2006-12-12 17:52:13 +03:00
2008-07-13 14:07:40 +04:00
ADD_TO_ARRAY ( idmap_domains , struct idmap_domain * , result ,
& idmap_domains , & num_domains ) ;
return result ;
}
2006-12-12 17:52:13 +03:00
2012-11-22 21:16:31 +04:00
struct idmap_domain * idmap_find_domain_with_sid ( const char * domname ,
const struct dom_sid * sid )
{
idmap_init ( ) ;
2012-11-30 19:27:59 +04:00
if ( sid_check_is_for_passdb ( sid ) ) {
2012-11-22 21:16:31 +04:00
return idmap_passdb_domain ( NULL ) ;
}
return idmap_find_domain ( domname ) ;
}
2008-07-13 14:07:40 +04:00
void idmap_close ( void )
{
TALLOC_FREE ( default_idmap_domain ) ;
TALLOC_FREE ( passdb_idmap_domain ) ;
TALLOC_FREE ( idmap_domains ) ;
num_domains = 0 ;
}
2006-12-12 17:52:13 +03:00
/**************************************************************************
idmap allocator interface functions
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-30 23:40:44 +04:00
static NTSTATUS idmap_allocate_unixid ( struct unixid * id )
2006-12-12 17:52:13 +03:00
{
2010-07-30 01:20:21 +04:00
struct idmap_domain * dom ;
2006-12-12 17:52:13 +03:00
NTSTATUS ret ;
2010-07-30 01:20:21 +04:00
dom = idmap_find_domain ( NULL ) ;
if ( dom = = NULL ) {
return NT_STATUS_UNSUCCESSFUL ;
}
if ( dom - > methods - > allocate_id = = NULL ) {
return NT_STATUS_NOT_IMPLEMENTED ;
2006-12-12 17:52:13 +03:00
}
2010-07-30 01:20:21 +04:00
ret = dom - > methods - > allocate_id ( dom , id ) ;
return ret ;
2006-12-12 17:52:13 +03:00
}
2010-05-30 23:40:44 +04:00
NTSTATUS idmap_allocate_uid ( struct unixid * id )
{
id - > type = ID_TYPE_UID ;
return idmap_allocate_unixid ( id ) ;
}
2006-12-12 17:52:13 +03:00
2010-05-30 23:40:44 +04:00
NTSTATUS idmap_allocate_gid ( struct unixid * id )
{
2006-12-12 17:52:13 +03:00
id - > type = ID_TYPE_GID ;
2010-05-30 23:40:44 +04:00
return idmap_allocate_unixid ( id ) ;
2006-12-12 17:52:13 +03:00
}
2008-07-13 14:07:40 +04:00
NTSTATUS idmap_backends_unixid_to_sid ( const char * domname , struct id_map * id )
2008-07-14 14:32:18 +04:00
{
2008-07-13 14:07:40 +04:00
struct idmap_domain * dom ;
2008-07-14 14:32:18 +04:00
struct id_map * maps [ 2 ] ;
2008-11-28 12:40:01 +03:00
DEBUG ( 10 , ( " idmap_backend_unixid_to_sid: domain = '%s', xid = %d "
" (type %d) \n " ,
domname ? domname : " NULL " , id - > xid . id , id - > xid . type ) ) ;
2008-07-14 14:32:18 +04:00
maps [ 0 ] = id ;
maps [ 1 ] = NULL ;
2009-01-02 16:51:23 +03:00
/*
* Always give passdb a chance first
*/
2012-11-22 19:21:53 +04:00
dom = idmap_passdb_domain ( NULL ) ;
2009-01-02 16:51:23 +03:00
if ( ( dom ! = NULL )
2009-01-02 16:53:26 +03:00
& & NT_STATUS_IS_OK ( dom - > methods - > unixids_to_sids ( dom , maps ) )
& & id - > status = = ID_MAPPED ) {
2009-01-02 16:51:23 +03:00
return NT_STATUS_OK ;
2009-01-02 16:51:06 +03:00
}
2008-07-13 14:07:40 +04:00
dom = idmap_find_domain ( domname ) ;
if ( dom = = NULL ) {
return NT_STATUS_NONE_MAPPED ;
2008-07-14 14:32:18 +04:00
}
2008-07-13 14:07:40 +04:00
return dom - > methods - > unixids_to_sids ( dom , maps ) ;
2008-07-14 14:32:18 +04:00
}