2006-12-12 17:52:13 +03:00
/*
* idmap_ad : map between Active Directory and RFC 2307 or " Services for Unix " ( SFU ) Accounts
*
* Unix SMB / CIFS implementation .
*
* Winbind ADS backend functions
*
* Copyright ( C ) Andrew Tridgell 2001
* Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2003
2007-01-24 04:48:08 +03:00
* Copyright ( C ) Gerald ( Jerry ) Carter 2004 - 2007
2006-12-12 17:52:13 +03:00
* Copyright ( C ) Luke Howard 2001 - 2004
2008-11-27 01:09:49 +03:00
* Copyright ( C ) Michael Adam 2008
2006-12-12 17:52:13 +03:00
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
* the Free Software Foundation ; either version 3 of the License , or
2006-12-12 17:52:13 +03:00
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
2007-07-10 09:23:25 +04:00
* along with this program ; if not , see < http : //www.gnu.org/licenses/>.
2006-12-12 17:52:13 +03:00
*/
# include "includes.h"
2008-11-27 01:09:49 +03:00
# include "winbindd.h"
2010-07-01 01:38:57 +04:00
# include "../libds/common/flags.h"
2010-07-02 02:32:52 +04:00
# include "ads.h"
2010-07-01 01:48:34 +04:00
# include "libads/ldap_schema.h"
2010-07-01 02:44:15 +04:00
# include "nss_info.h"
2010-08-05 04:25:37 +04:00
# include "secrets.h"
2010-08-18 20:13:42 +04:00
# include "idmap.h"
2010-09-17 06:33:44 +04:00
# include "../libcli/ldap/ldap_ndr.h"
2010-10-12 08:27:50 +04:00
# include "../libcli/security/security.h"
2006-12-12 17:52:13 +03:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_IDMAP
# define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
2007-01-24 04:48:08 +03:00
# define IDMAP_AD_MAX_IDS 30
# define CHECK_ALLOC_DONE(mem) do { \
if ( ! mem ) { \
DEBUG ( 0 , ( " Out of memory! \n " ) ) ; \
ret = NT_STATUS_NO_MEMORY ; \
goto done ; \
} \
} while ( 0 )
2006-12-12 17:52:13 +03:00
2007-01-24 04:48:08 +03:00
struct idmap_ad_context {
2008-11-27 01:09:49 +03:00
ADS_STRUCT * ads ;
struct posix_schema * ad_schema ;
enum wb_posix_mapping ad_map_type ; /* WB_POSIX_MAP_UNKNOWN */
2007-01-24 04:48:08 +03:00
} ;
2006-12-12 17:52:13 +03:00
2007-01-24 04:48:08 +03:00
NTSTATUS init_module ( void ) ;
2006-12-12 17:52:13 +03:00
2007-01-24 04:48:08 +03:00
/************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-12-12 17:52:13 +03:00
2008-11-27 01:09:49 +03:00
static ADS_STATUS ad_idmap_cached_connection_internal ( struct idmap_domain * dom )
2006-12-12 17:52:13 +03:00
{
ADS_STRUCT * ads ;
ADS_STATUS status ;
2007-10-19 04:40:25 +04:00
bool local = False ;
2007-01-24 04:48:08 +03:00
fstring dc_name ;
2007-10-27 23:15:07 +04:00
struct sockaddr_storage dc_ip ;
2008-11-27 01:09:49 +03:00
struct idmap_ad_context * ctx ;
char * ldap_server = NULL ;
char * realm = NULL ;
struct winbindd_domain * wb_dom ;
DEBUG ( 10 , ( " ad_idmap_cached_connection: called for domain '%s' \n " ,
dom - > name ) ) ;
2006-12-12 17:52:13 +03:00
2008-11-27 01:09:49 +03:00
ctx = talloc_get_type ( dom - > private_data , struct idmap_ad_context ) ;
if ( ctx - > ads ! = NULL ) {
2007-02-08 20:02:39 +03:00
time_t expire ;
time_t now = time ( NULL ) ;
2008-11-27 01:09:49 +03:00
ads = ctx - > ads ;
2006-12-12 17:52:13 +03:00
2007-02-08 20:02:39 +03:00
expire = MIN ( ads - > auth . tgt_expire , ads - > auth . tgs_expire ) ;
2006-12-12 17:52:13 +03:00
/* check for a valid structure */
2007-02-08 20:02:39 +03:00
DEBUG ( 7 , ( " Current tickets expire in %d seconds (at %d, time is now %d) \n " ,
( uint32 ) expire - ( uint32 ) now , ( uint32 ) expire , ( uint32 ) now ) ) ;
2006-12-12 17:52:13 +03:00
2007-02-08 20:02:39 +03:00
if ( ads - > config . realm & & ( expire > time ( NULL ) ) ) {
2008-11-27 01:09:49 +03:00
return ADS_SUCCESS ;
2008-07-11 19:45:09 +04:00
} else {
/* we own this ADS_STRUCT so make sure it goes away */
DEBUG ( 7 , ( " Deleting expired krb5 credential cache \n " ) ) ;
ads - > is_mine = True ;
ads_destroy ( & ads ) ;
ads_kdestroy ( WINBIND_CCACHE_NAME ) ;
2008-11-27 01:09:49 +03:00
ctx - > ads = NULL ;
TALLOC_FREE ( ctx - > ad_schema ) ;
2006-12-12 17:52:13 +03:00
}
}
if ( ! local ) {
/* we don't want this to affect the users ccache */
setenv ( " KRB5CCNAME " , WINBIND_CCACHE_NAME , 1 ) ;
}
2008-11-27 01:09:49 +03:00
/*
* At this point we only have the NetBIOS domain name .
* Check if we can get server nam and realm from SAF cache
* and the domain list .
*/
ldap_server = saf_fetch ( dom - > name ) ;
DEBUG ( 10 , ( " ldap_server from saf cache: '%s' \n " , ldap_server ? ldap_server : " " ) ) ;
wb_dom = find_domain_from_name_noinit ( dom - > name ) ;
if ( wb_dom = = NULL ) {
DEBUG ( 10 , ( " find_domain_from_name_noinit did not find domain '%s' \n " ,
dom - > name ) ) ;
realm = NULL ;
} else {
DEBUG ( 10 , ( " find_domain_from_name_noinit found realm '%s' for "
" domain '%s' \n " , wb_dom - > alt_name , dom - > name ) ) ;
realm = wb_dom - > alt_name ;
}
if ( ( ads = ads_init ( realm , dom - > name , ldap_server ) ) = = NULL ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 1 , ( " ads_init failed \n " ) ) ;
2008-11-27 01:09:49 +03:00
return ADS_ERROR_NT ( NT_STATUS_NO_MEMORY ) ;
2006-12-12 17:52:13 +03:00
}
2008-07-11 19:45:03 +04:00
/* the machine acct password might have change - fetch it every time */
2006-12-12 17:52:13 +03:00
SAFE_FREE ( ads - > auth . password ) ;
ads - > auth . password = secrets_fetch_machine_password ( lp_workgroup ( ) , NULL , NULL ) ;
SAFE_FREE ( ads - > auth . realm ) ;
ads - > auth . realm = SMB_STRDUP ( lp_realm ( ) ) ;
2007-01-24 04:48:08 +03:00
/* setup server affinity */
2008-11-27 01:09:49 +03:00
get_dc_name ( dom - > name , realm , dc_name , & dc_ip ) ;
2008-07-11 19:45:16 +04:00
2006-12-12 17:52:13 +03:00
status = ads_connect ( ads ) ;
if ( ! ADS_ERR_OK ( status ) ) {
DEBUG ( 1 , ( " ad_idmap_init: failed to connect to AD \n " ) ) ;
ads_destroy ( & ads ) ;
2008-11-27 01:09:49 +03:00
return status ;
2006-12-12 17:52:13 +03:00
}
ads - > is_mine = False ;
2008-11-27 01:09:49 +03:00
ctx - > ads = ads ;
2007-01-24 04:48:08 +03:00
2008-11-27 01:09:49 +03:00
return ADS_SUCCESS ;
2007-01-24 04:48:08 +03:00
}
/************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-11-27 01:09:49 +03:00
static ADS_STATUS ad_idmap_cached_connection ( struct idmap_domain * dom )
2007-01-24 04:48:08 +03:00
{
2008-11-27 01:09:49 +03:00
ADS_STATUS status ;
struct idmap_ad_context * ctx ;
status = ad_idmap_cached_connection_internal ( dom ) ;
if ( ! ADS_ERR_OK ( status ) ) {
return status ;
}
ctx = talloc_get_type ( dom - > private_data , struct idmap_ad_context ) ;
2006-12-12 17:52:13 +03:00
2007-01-24 04:48:08 +03:00
/* if we have a valid ADS_STRUCT and the schema model is
defined , then we can return here . */
2008-11-27 01:09:49 +03:00
if ( ctx - > ad_schema ) {
return ADS_SUCCESS ;
}
2007-01-24 04:48:08 +03:00
/* Otherwise, set the schema model */
2008-11-27 01:09:49 +03:00
if ( ( ctx - > ad_map_type = = WB_POSIX_MAP_SFU ) | |
( ctx - > ad_map_type = = WB_POSIX_MAP_SFU20 ) | |
( ctx - > ad_map_type = = WB_POSIX_MAP_RFC2307 ) )
2007-01-24 04:48:08 +03:00
{
2008-11-27 01:09:49 +03:00
status = ads_check_posix_schema_mapping ( NULL , ctx - > ads , ctx - > ad_map_type , & ctx - > ad_schema ) ;
if ( ! ADS_ERR_OK ( status ) ) {
2007-01-24 04:48:08 +03:00
DEBUG ( 2 , ( " ad_idmap_cached_connection: Failed to obtain schema details! \n " ) ) ;
}
}
2008-07-11 19:45:16 +04:00
2008-11-27 01:09:49 +03:00
return status ;
2006-12-12 17:52:13 +03:00
}
2007-01-24 04:48:08 +03:00
/************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-12-12 17:52:13 +03:00
2008-07-13 14:07:40 +04:00
static NTSTATUS idmap_ad_initialize ( struct idmap_domain * dom ,
const char * params )
2006-12-12 17:52:13 +03:00
{
struct idmap_ad_context * ctx ;
char * config_option ;
2007-04-11 01:14:44 +04:00
const char * schema_mode = NULL ;
2006-12-12 17:52:13 +03:00
2010-06-22 16:13:55 +04:00
ctx = TALLOC_ZERO_P ( dom , struct idmap_ad_context ) ;
if ( ctx = = NULL ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
2010-06-22 16:13:55 +04:00
config_option = talloc_asprintf ( ctx , " idmap config %s " , dom - > name ) ;
if ( config_option = = NULL ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
talloc_free ( ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
2008-11-27 01:09:49 +03:00
/* default map type */
ctx - > ad_map_type = WB_POSIX_MAP_RFC2307 ;
2007-04-11 01:14:44 +04:00
/* schema mode */
schema_mode = lp_parm_const_string ( - 1 , config_option , " schema_mode " , NULL ) ;
if ( schema_mode & & schema_mode [ 0 ] ) {
if ( strequal ( schema_mode , " sfu " ) )
2008-11-27 01:09:49 +03:00
ctx - > ad_map_type = WB_POSIX_MAP_SFU ;
2007-06-26 13:15:37 +04:00
else if ( strequal ( schema_mode , " sfu20 " ) )
2008-11-27 01:09:49 +03:00
ctx - > ad_map_type = WB_POSIX_MAP_SFU20 ;
2007-04-11 01:14:44 +04:00
else if ( strequal ( schema_mode , " rfc2307 " ) )
2008-11-27 01:09:49 +03:00
ctx - > ad_map_type = WB_POSIX_MAP_RFC2307 ;
2007-04-11 01:14:44 +04:00
else
DEBUG ( 0 , ( " idmap_ad_initialize: Unknown schema_mode (%s) \n " ,
schema_mode ) ) ;
}
2006-12-12 17:52:13 +03:00
dom - > private_data = ctx ;
talloc_free ( config_option ) ;
2007-01-24 04:48:08 +03:00
2006-12-12 17:52:13 +03:00
return NT_STATUS_OK ;
}
2007-01-24 04:48:08 +03:00
/************************************************************************
Search up to IDMAP_AD_MAX_IDS entries in maps for a match .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-12-12 17:52:13 +03:00
static struct id_map * find_map_by_id ( struct id_map * * maps , enum id_type type , uint32_t id )
{
int i ;
2007-01-24 04:48:08 +03:00
for ( i = 0 ; maps [ i ] & & i < IDMAP_AD_MAX_IDS ; i + + ) {
2006-12-12 17:52:13 +03:00
if ( ( maps [ i ] - > xid . type = = type ) & & ( maps [ i ] - > xid . id = = id ) ) {
return maps [ i ] ;
}
}
return NULL ;
}
2007-01-24 04:48:08 +03:00
/************************************************************************
Search up to IDMAP_AD_MAX_IDS entries in maps for a match
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
static struct id_map * find_map_by_sid ( struct id_map * * maps , struct dom_sid * sid )
2007-01-24 04:48:08 +03:00
{
int i ;
for ( i = 0 ; maps [ i ] & & i < IDMAP_AD_MAX_IDS ; i + + ) {
2010-08-26 17:48:50 +04:00
if ( dom_sid_equal ( maps [ i ] - > sid , sid ) ) {
2007-01-24 04:48:08 +03:00
return maps [ i ] ;
}
}
return NULL ;
}
/************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-12-12 17:52:13 +03:00
static NTSTATUS idmap_ad_unixids_to_sids ( struct idmap_domain * dom , struct id_map * * ids )
{
NTSTATUS ret ;
TALLOC_CTX * memctx ;
struct idmap_ad_context * ctx ;
ADS_STATUS rc ;
const char * attrs [ ] = { " sAMAccountType " ,
" objectSid " ,
2007-01-24 04:48:08 +03:00
NULL , /* uidnumber */
NULL , /* gidnumber */
2006-12-12 17:52:13 +03:00
NULL } ;
LDAPMessage * res = NULL ;
2007-04-11 16:32:58 +04:00
LDAPMessage * entry = NULL ;
2006-12-12 17:52:13 +03:00
char * filter = NULL ;
int idx = 0 ;
int bidx = 0 ;
int count ;
int i ;
2007-01-24 04:48:08 +03:00
char * u_filter = NULL ;
char * g_filter = NULL ;
2006-12-12 17:52:13 +03:00
2009-03-02 09:19:50 +03:00
/* initialize the status to avoid suprise */
for ( i = 0 ; ids [ i ] ; i + + ) {
ids [ i ] - > status = ID_UNKNOWN ;
}
2007-04-19 01:10:37 +04:00
/* Only do query if we are online */
if ( idmap_is_offline ( ) ) {
return NT_STATUS_FILE_IS_OFFLINE ;
}
2007-01-24 04:48:08 +03:00
ctx = talloc_get_type ( dom - > private_data , struct idmap_ad_context ) ;
2006-12-12 17:52:13 +03:00
2007-01-24 04:48:08 +03:00
if ( ( memctx = talloc_new ( ctx ) ) = = NULL ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
2008-11-27 01:09:49 +03:00
rc = ad_idmap_cached_connection ( dom ) ;
if ( ! ADS_ERR_OK ( rc ) ) {
DEBUG ( 1 , ( " ADS uninitialized: %s \n " , ads_errstr ( rc ) ) ) ;
2006-12-12 17:52:13 +03:00
ret = NT_STATUS_UNSUCCESSFUL ;
2008-11-27 01:09:49 +03:00
/* ret = ads_ntstatus(rc); */
2006-12-12 17:52:13 +03:00
goto done ;
}
2008-11-27 01:09:49 +03:00
attrs [ 2 ] = ctx - > ad_schema - > posix_uidnumber_attr ;
attrs [ 3 ] = ctx - > ad_schema - > posix_gidnumber_attr ;
2006-12-12 17:52:13 +03:00
2007-01-24 04:48:08 +03:00
again :
bidx = idx ;
for ( i = 0 ; ( i < IDMAP_AD_MAX_IDS ) & & ids [ idx ] ; i + + , idx + + ) {
switch ( ids [ idx ] - > xid . type ) {
case ID_TYPE_UID :
if ( ! u_filter ) {
u_filter = talloc_asprintf ( memctx , " (&(| "
" (sAMAccountType=%d) "
" (sAMAccountType=%d) "
" (sAMAccountType=%d))(| " ,
ATYPE_NORMAL_ACCOUNT ,
ATYPE_WORKSTATION_TRUST ,
ATYPE_INTERDOMAIN_TRUST ) ;
}
2007-09-14 21:42:10 +04:00
u_filter = talloc_asprintf_append_buffer ( u_filter , " (%s=%lu) " ,
2008-11-27 01:09:49 +03:00
ctx - > ad_schema - > posix_uidnumber_attr ,
2007-01-24 04:48:08 +03:00
( unsigned long ) ids [ idx ] - > xid . id ) ;
CHECK_ALLOC_DONE ( u_filter ) ;
2006-12-12 17:52:13 +03:00
break ;
2008-07-11 19:45:16 +04:00
2006-12-12 17:52:13 +03:00
case ID_TYPE_GID :
2007-01-24 04:48:08 +03:00
if ( ! g_filter ) {
g_filter = talloc_asprintf ( memctx , " (&(| "
" (sAMAccountType=%d) "
" (sAMAccountType=%d))(| " ,
ATYPE_SECURITY_GLOBAL_GROUP ,
ATYPE_SECURITY_LOCAL_GROUP ) ;
}
2007-09-14 21:42:10 +04:00
g_filter = talloc_asprintf_append_buffer ( g_filter , " (%s=%lu) " ,
2008-11-27 01:09:49 +03:00
ctx - > ad_schema - > posix_gidnumber_attr ,
2007-01-24 04:48:08 +03:00
( unsigned long ) ids [ idx ] - > xid . id ) ;
CHECK_ALLOC_DONE ( g_filter ) ;
2006-12-12 17:52:13 +03:00
break ;
2007-01-24 04:48:08 +03:00
2006-12-12 17:52:13 +03:00
default :
2007-04-19 01:10:37 +04:00
DEBUG ( 3 , ( " Error: mapping requested but Unknown ID type \n " ) ) ;
2007-01-24 04:48:08 +03:00
ids [ idx ] - > status = ID_UNKNOWN ;
continue ;
2006-12-12 17:52:13 +03:00
}
}
2007-01-24 04:48:08 +03:00
filter = talloc_asprintf ( memctx , " (| " ) ;
CHECK_ALLOC_DONE ( filter ) ;
if ( u_filter ) {
2007-09-14 21:42:10 +04:00
filter = talloc_asprintf_append_buffer ( filter , " %s)) " , u_filter ) ;
2006-12-12 17:52:13 +03:00
CHECK_ALLOC_DONE ( filter ) ;
2008-07-11 19:44:35 +04:00
TALLOC_FREE ( u_filter ) ;
2007-01-24 04:48:08 +03:00
}
if ( g_filter ) {
2007-09-14 21:42:10 +04:00
filter = talloc_asprintf_append_buffer ( filter , " %s)) " , g_filter ) ;
2006-12-12 17:52:13 +03:00
CHECK_ALLOC_DONE ( filter ) ;
2007-01-24 04:48:08 +03:00
TALLOC_FREE ( g_filter ) ;
2006-12-12 17:52:13 +03:00
}
2007-09-14 21:42:10 +04:00
filter = talloc_asprintf_append_buffer ( filter , " ) " ) ;
2007-01-24 04:48:08 +03:00
CHECK_ALLOC_DONE ( filter ) ;
2007-04-11 16:32:58 +04:00
2008-11-27 01:09:49 +03:00
rc = ads_search_retry ( ctx - > ads , & res , filter , attrs ) ;
2006-12-12 17:52:13 +03:00
if ( ! ADS_ERR_OK ( rc ) ) {
DEBUG ( 1 , ( " ERROR: ads search returned: %s \n " , ads_errstr ( rc ) ) ) ;
ret = NT_STATUS_UNSUCCESSFUL ;
goto done ;
}
2008-11-27 01:09:49 +03:00
if ( ( count = ads_count_replies ( ctx - > ads , res ) ) = = 0 ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 10 , ( " No IDs found \n " ) ) ;
}
2007-04-11 16:32:58 +04:00
entry = res ;
for ( i = 0 ; ( i < count ) & & entry ; i + + ) {
2010-05-21 05:25:01 +04:00
struct dom_sid sid ;
2006-12-12 17:52:13 +03:00
enum id_type type ;
struct id_map * map ;
uint32_t id ;
uint32_t atype ;
if ( i = = 0 ) { /* first entry */
2008-11-27 01:09:49 +03:00
entry = ads_first_entry ( ctx - > ads , entry ) ;
2006-12-12 17:52:13 +03:00
} else { /* following ones */
2008-11-27 01:09:49 +03:00
entry = ads_next_entry ( ctx - > ads , entry ) ;
2006-12-12 17:52:13 +03:00
}
2007-04-11 16:32:58 +04:00
if ( ! entry ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 2 , ( " ERROR: Unable to fetch ldap entries from results \n " ) ) ;
2007-04-11 16:32:58 +04:00
break ;
2006-12-12 17:52:13 +03:00
}
/* first check if the SID is present */
2008-11-27 01:09:49 +03:00
if ( ! ads_pull_sid ( ctx - > ads , entry , " objectSid " , & sid ) ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 2 , ( " Could not retrieve SID from entry \n " ) ) ;
continue ;
}
/* get type */
2008-11-27 01:09:49 +03:00
if ( ! ads_pull_uint32 ( ctx - > ads , entry , " sAMAccountType " , & atype ) ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 1 , ( " could not get SAM account type \n " ) ) ;
continue ;
}
switch ( atype & 0xF0000000 ) {
case ATYPE_SECURITY_GLOBAL_GROUP :
case ATYPE_SECURITY_LOCAL_GROUP :
type = ID_TYPE_GID ;
break ;
case ATYPE_NORMAL_ACCOUNT :
case ATYPE_WORKSTATION_TRUST :
case ATYPE_INTERDOMAIN_TRUST :
type = ID_TYPE_UID ;
break ;
default :
DEBUG ( 1 , ( " unrecognized SAM account type %08x \n " , atype ) ) ;
continue ;
}
2008-11-27 01:09:49 +03:00
if ( ! ads_pull_uint32 ( ctx - > ads , entry , ( type = = ID_TYPE_UID ) ?
ctx - > ad_schema - > posix_uidnumber_attr :
ctx - > ad_schema - > posix_gidnumber_attr ,
2008-11-25 17:24:43 +03:00
& id ) )
2007-01-24 04:48:08 +03:00
{
2006-12-12 17:52:13 +03:00
DEBUG ( 1 , ( " Could not get unix ID \n " ) ) ;
continue ;
}
2007-01-24 04:48:08 +03:00
2010-06-22 15:13:57 +04:00
if ( ! idmap_unix_id_is_in_range ( id , dom ) ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 5 , ( " Requested id (%u) out of range (%u - %u). Filtered! \n " ,
2010-06-22 15:13:57 +04:00
id , dom - > low_id , dom - > high_id ) ) ;
2006-12-12 17:52:13 +03:00
continue ;
}
map = find_map_by_id ( & ids [ bidx ] , type , id ) ;
if ( ! map ) {
DEBUG ( 2 , ( " WARNING: couldn't match result with requested ID \n " ) ) ;
continue ;
}
sid_copy ( map - > sid , & sid ) ;
/* mapped */
2007-01-14 20:58:24 +03:00
map - > status = ID_MAPPED ;
2006-12-12 17:52:13 +03:00
2007-12-15 23:11:36 +03:00
DEBUG ( 10 , ( " Mapped %s -> %lu (%d) \n " , sid_string_dbg ( map - > sid ) ,
2006-12-12 17:52:13 +03:00
( unsigned long ) map - > xid . id ,
map - > xid . type ) ) ;
}
if ( res ) {
2008-11-27 01:09:49 +03:00
ads_msgfree ( ctx - > ads , res ) ;
2006-12-12 17:52:13 +03:00
}
2007-01-24 04:48:08 +03:00
if ( ids [ idx ] ) { /* still some values to map */
2006-12-12 17:52:13 +03:00
goto again ;
}
ret = NT_STATUS_OK ;
2007-01-14 20:58:24 +03:00
2007-04-19 01:10:37 +04:00
/* mark all unknown/expired ones as unmapped */
2007-01-14 20:58:24 +03:00
for ( i = 0 ; ids [ i ] ; i + + ) {
2007-04-19 01:10:37 +04:00
if ( ids [ i ] - > status ! = ID_MAPPED )
2007-01-24 04:48:08 +03:00
ids [ i ] - > status = ID_UNMAPPED ;
2007-01-14 20:58:24 +03:00
}
2006-12-12 17:52:13 +03:00
done :
talloc_free ( memctx ) ;
return ret ;
}
2007-01-24 04:48:08 +03:00
/************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-12-12 17:52:13 +03:00
static NTSTATUS idmap_ad_sids_to_unixids ( struct idmap_domain * dom , struct id_map * * ids )
{
NTSTATUS ret ;
TALLOC_CTX * memctx ;
struct idmap_ad_context * ctx ;
ADS_STATUS rc ;
const char * attrs [ ] = { " sAMAccountType " ,
" objectSid " ,
NULL , /* attr_uidnumber */
NULL , /* attr_gidnumber */
NULL } ;
LDAPMessage * res = NULL ;
2007-04-11 16:32:58 +04:00
LDAPMessage * entry = NULL ;
2006-12-12 17:52:13 +03:00
char * filter = NULL ;
int idx = 0 ;
int bidx = 0 ;
int count ;
int i ;
2007-01-24 04:48:08 +03:00
char * sidstr ;
2006-12-12 17:52:13 +03:00
2009-03-02 09:19:50 +03:00
/* initialize the status to avoid suprise */
for ( i = 0 ; ids [ i ] ; i + + ) {
ids [ i ] - > status = ID_UNKNOWN ;
}
2007-04-19 01:10:37 +04:00
/* Only do query if we are online */
if ( idmap_is_offline ( ) ) {
return NT_STATUS_FILE_IS_OFFLINE ;
}
2006-12-12 17:52:13 +03:00
ctx = talloc_get_type ( dom - > private_data , struct idmap_ad_context ) ;
2007-01-24 04:48:08 +03:00
if ( ( memctx = talloc_new ( ctx ) ) = = NULL ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
2008-11-27 01:09:49 +03:00
rc = ad_idmap_cached_connection ( dom ) ;
if ( ! ADS_ERR_OK ( rc ) ) {
DEBUG ( 1 , ( " ADS uninitialized: %s \n " , ads_errstr ( rc ) ) ) ;
ret = NT_STATUS_UNSUCCESSFUL ;
/* ret = ads_ntstatus(rc); */
goto done ;
}
if ( ctx - > ad_schema = = NULL ) {
DEBUG ( 0 , ( " haven't got ctx->ad_schema ! \n " ) ) ;
2006-12-12 17:52:13 +03:00
ret = NT_STATUS_UNSUCCESSFUL ;
goto done ;
}
2008-11-27 01:09:49 +03:00
attrs [ 2 ] = ctx - > ad_schema - > posix_uidnumber_attr ;
attrs [ 3 ] = ctx - > ad_schema - > posix_gidnumber_attr ;
2006-12-12 17:52:13 +03:00
again :
2007-01-24 04:48:08 +03:00
filter = talloc_asprintf ( memctx , " (&(| "
" (sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d) " /* user account types */
" (sAMAccountType=%d)(sAMAccountType=%d) " /* group account types */
" )(| " ,
ATYPE_NORMAL_ACCOUNT , ATYPE_WORKSTATION_TRUST , ATYPE_INTERDOMAIN_TRUST ,
ATYPE_SECURITY_GLOBAL_GROUP , ATYPE_SECURITY_LOCAL_GROUP ) ;
2008-07-11 19:45:16 +04:00
2007-01-24 04:48:08 +03:00
CHECK_ALLOC_DONE ( filter ) ;
2006-12-12 17:52:13 +03:00
2007-01-24 04:48:08 +03:00
bidx = idx ;
for ( i = 0 ; ( i < IDMAP_AD_MAX_IDS ) & & ids [ idx ] ; i + + , idx + + ) {
2006-12-12 17:52:13 +03:00
2008-10-20 20:25:13 +04:00
ids [ idx ] - > status = ID_UNKNOWN ;
2010-09-17 06:33:44 +04:00
sidstr = ldap_encode_ndr_dom_sid ( talloc_tos ( ) , ids [ idx ] - > sid ) ;
2007-09-14 21:42:10 +04:00
filter = talloc_asprintf_append_buffer ( filter , " (objectSid=%s) " , sidstr ) ;
2008-07-11 19:45:16 +04:00
2009-05-28 13:18:22 +04:00
TALLOC_FREE ( sidstr ) ;
2006-12-12 17:52:13 +03:00
CHECK_ALLOC_DONE ( filter ) ;
}
2007-09-14 21:42:10 +04:00
filter = talloc_asprintf_append_buffer ( filter , " )) " ) ;
2007-01-24 04:48:08 +03:00
CHECK_ALLOC_DONE ( filter ) ;
DEBUG ( 10 , ( " Filter: [%s] \n " , filter ) ) ;
2006-12-12 17:52:13 +03:00
2008-11-27 01:09:49 +03:00
rc = ads_search_retry ( ctx - > ads , & res , filter , attrs ) ;
2006-12-12 17:52:13 +03:00
if ( ! ADS_ERR_OK ( rc ) ) {
DEBUG ( 1 , ( " ERROR: ads search returned: %s \n " , ads_errstr ( rc ) ) ) ;
ret = NT_STATUS_UNSUCCESSFUL ;
goto done ;
}
2008-11-27 01:09:49 +03:00
if ( ( count = ads_count_replies ( ctx - > ads , res ) ) = = 0 ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 10 , ( " No IDs found \n " ) ) ;
}
2007-04-11 16:32:58 +04:00
entry = res ;
for ( i = 0 ; ( i < count ) & & entry ; i + + ) {
2010-05-21 05:25:01 +04:00
struct dom_sid sid ;
2006-12-12 17:52:13 +03:00
enum id_type type ;
struct id_map * map ;
uint32_t id ;
uint32_t atype ;
if ( i = = 0 ) { /* first entry */
2008-11-27 01:09:49 +03:00
entry = ads_first_entry ( ctx - > ads , entry ) ;
2006-12-12 17:52:13 +03:00
} else { /* following ones */
2008-11-27 01:09:49 +03:00
entry = ads_next_entry ( ctx - > ads , entry ) ;
2006-12-12 17:52:13 +03:00
}
2007-04-11 16:32:58 +04:00
if ( ! entry ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 2 , ( " ERROR: Unable to fetch ldap entries from results \n " ) ) ;
2007-04-11 16:32:58 +04:00
break ;
2006-12-12 17:52:13 +03:00
}
/* first check if the SID is present */
2008-11-27 01:09:49 +03:00
if ( ! ads_pull_sid ( ctx - > ads , entry , " objectSid " , & sid ) ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 2 , ( " Could not retrieve SID from entry \n " ) ) ;
continue ;
}
map = find_map_by_sid ( & ids [ bidx ] , & sid ) ;
if ( ! map ) {
DEBUG ( 2 , ( " WARNING: couldn't match result with requested SID \n " ) ) ;
continue ;
}
/* get type */
2008-11-27 01:09:49 +03:00
if ( ! ads_pull_uint32 ( ctx - > ads , entry , " sAMAccountType " , & atype ) ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 1 , ( " could not get SAM account type \n " ) ) ;
continue ;
}
switch ( atype & 0xF0000000 ) {
case ATYPE_SECURITY_GLOBAL_GROUP :
case ATYPE_SECURITY_LOCAL_GROUP :
type = ID_TYPE_GID ;
break ;
case ATYPE_NORMAL_ACCOUNT :
case ATYPE_WORKSTATION_TRUST :
case ATYPE_INTERDOMAIN_TRUST :
type = ID_TYPE_UID ;
break ;
default :
DEBUG ( 1 , ( " unrecognized SAM account type %08x \n " , atype ) ) ;
continue ;
}
2008-11-27 01:09:49 +03:00
if ( ! ads_pull_uint32 ( ctx - > ads , entry , ( type = = ID_TYPE_UID ) ?
ctx - > ad_schema - > posix_uidnumber_attr :
ctx - > ad_schema - > posix_gidnumber_attr ,
2008-11-25 17:24:43 +03:00
& id ) )
2007-01-24 04:48:08 +03:00
{
2006-12-12 17:52:13 +03:00
DEBUG ( 1 , ( " Could not get unix ID \n " ) ) ;
continue ;
}
2010-06-22 16:09:57 +04:00
if ( ! idmap_unix_id_is_in_range ( id , dom ) ) {
2006-12-12 17:52:13 +03:00
DEBUG ( 5 , ( " Requested id (%u) out of range (%u - %u). Filtered! \n " ,
2010-06-22 16:09:57 +04:00
id , dom - > low_id , dom - > high_id ) ) ;
2006-12-12 17:52:13 +03:00
continue ;
}
/* mapped */
map - > xid . type = type ;
map - > xid . id = id ;
2007-01-14 20:58:24 +03:00
map - > status = ID_MAPPED ;
2006-12-12 17:52:13 +03:00
2007-12-15 23:11:36 +03:00
DEBUG ( 10 , ( " Mapped %s -> %lu (%d) \n " , sid_string_dbg ( map - > sid ) ,
2006-12-12 17:52:13 +03:00
( unsigned long ) map - > xid . id ,
map - > xid . type ) ) ;
}
if ( res ) {
2008-11-27 01:09:49 +03:00
ads_msgfree ( ctx - > ads , res ) ;
2006-12-12 17:52:13 +03:00
}
2007-01-24 04:48:08 +03:00
if ( ids [ idx ] ) { /* still some values to map */
2006-12-12 17:52:13 +03:00
goto again ;
}
ret = NT_STATUS_OK ;
2007-01-14 20:58:24 +03:00
2007-04-19 01:10:37 +04:00
/* mark all unknwoni/expired ones as unmapped */
2007-01-14 20:58:24 +03:00
for ( i = 0 ; ids [ i ] ; i + + ) {
2007-04-19 01:10:37 +04:00
if ( ids [ i ] - > status ! = ID_MAPPED )
2007-01-24 04:48:08 +03:00
ids [ i ] - > status = ID_UNMAPPED ;
2007-01-14 20:58:24 +03:00
}
2006-12-12 17:52:13 +03:00
done :
talloc_free ( memctx ) ;
return ret ;
}
2007-01-24 04:48:08 +03:00
/************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-12-12 17:52:13 +03:00
static NTSTATUS idmap_ad_close ( struct idmap_domain * dom )
{
2008-11-27 01:09:49 +03:00
struct idmap_ad_context * ctx ;
ctx = talloc_get_type ( dom - > private_data , struct idmap_ad_context ) ;
2006-12-12 17:52:13 +03:00
2008-11-27 01:09:49 +03:00
if ( ctx - > ads ! = NULL ) {
2006-12-12 17:52:13 +03:00
/* we own this ADS_STRUCT so make sure it goes away */
2008-11-27 01:09:49 +03:00
ctx - > ads - > is_mine = True ;
ads_destroy ( & ctx - > ads ) ;
ctx - > ads = NULL ;
2006-12-12 17:52:13 +03:00
}
2008-11-27 01:09:49 +03:00
TALLOC_FREE ( ctx - > ad_schema ) ;
2008-07-11 19:45:16 +04:00
2007-01-24 04:48:08 +03:00
return NT_STATUS_OK ;
}
/*
2007-06-26 13:15:37 +04:00
* nss_info_ { sfu , sfu20 , rfc2307 }
2007-01-24 04:48:08 +03:00
*/
/************************************************************************
2007-06-26 13:41:14 +04:00
Initialize the { sfu , sfu20 , rfc2307 } state
2007-01-24 04:48:08 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-11-27 00:23:34 +03:00
static const char * wb_posix_map_unknown_string = " WB_POSIX_MAP_UNKNOWN " ;
static const char * wb_posix_map_template_string = " WB_POSIX_MAP_TEMPLATE " ;
static const char * wb_posix_map_sfu_string = " WB_POSIX_MAP_SFU " ;
static const char * wb_posix_map_sfu20_string = " WB_POSIX_MAP_SFU20 " ;
static const char * wb_posix_map_rfc2307_string = " WB_POSIX_MAP_RFC2307 " ;
static const char * wb_posix_map_unixinfo_string = " WB_POSIX_MAP_UNIXINFO " ;
static const char * ad_map_type_string ( enum wb_posix_mapping map_type )
2007-01-24 04:48:08 +03:00
{
2008-11-27 00:23:34 +03:00
switch ( map_type ) {
case WB_POSIX_MAP_TEMPLATE :
return wb_posix_map_template_string ;
case WB_POSIX_MAP_SFU :
return wb_posix_map_sfu_string ;
case WB_POSIX_MAP_SFU20 :
return wb_posix_map_sfu20_string ;
case WB_POSIX_MAP_RFC2307 :
return wb_posix_map_rfc2307_string ;
case WB_POSIX_MAP_UNIXINFO :
return wb_posix_map_unixinfo_string ;
default :
2008-11-27 01:09:49 +03:00
return wb_posix_map_unknown_string ;
2007-01-24 04:48:08 +03:00
}
}
2008-11-27 00:23:34 +03:00
static NTSTATUS nss_ad_generic_init ( struct nss_domain_entry * e ,
enum wb_posix_mapping new_ad_map_type )
2007-06-26 13:15:37 +04:00
{
2008-11-27 01:09:49 +03:00
struct idmap_domain * dom ;
struct idmap_ad_context * ctx ;
if ( e - > state ! = NULL ) {
dom = talloc_get_type ( e - > state , struct idmap_domain ) ;
} else {
dom = TALLOC_ZERO_P ( e , struct idmap_domain ) ;
if ( dom = = NULL ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
e - > state = dom ;
}
if ( e - > domain ! = NULL ) {
dom - > name = talloc_strdup ( dom , e - > domain ) ;
if ( dom - > name = = NULL ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
}
2007-06-26 13:15:37 +04:00
2008-11-27 01:09:49 +03:00
if ( dom - > private_data ! = NULL ) {
ctx = talloc_get_type ( dom - > private_data ,
struct idmap_ad_context ) ;
} else {
ctx = TALLOC_ZERO_P ( dom , struct idmap_ad_context ) ;
if ( ctx = = NULL ) {
DEBUG ( 0 , ( " Out of memory! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
ctx - > ad_map_type = WB_POSIX_MAP_RFC2307 ;
dom - > private_data = ctx ;
}
if ( ( ctx - > ad_map_type ! = WB_POSIX_MAP_UNKNOWN ) & &
( ctx - > ad_map_type ! = new_ad_map_type ) )
2007-06-26 13:15:37 +04:00
{
2008-11-27 01:09:49 +03:00
DEBUG ( 2 , ( " nss_ad_generic_init: "
" Warning: overriding previously set posix map type "
" %s for domain %s with map type %s. \n " ,
ad_map_type_string ( ctx - > ad_map_type ) ,
dom - > name ,
ad_map_type_string ( new_ad_map_type ) ) ) ;
2007-06-26 13:15:37 +04:00
}
2008-11-27 00:23:34 +03:00
2008-11-27 01:09:49 +03:00
ctx - > ad_map_type = new_ad_map_type ;
2007-06-26 13:15:37 +04:00
return NT_STATUS_OK ;
}
2007-06-26 13:41:14 +04:00
2008-11-27 00:23:34 +03:00
static NTSTATUS nss_sfu_init ( struct nss_domain_entry * e )
2007-01-24 04:48:08 +03:00
{
2008-11-27 00:23:34 +03:00
return nss_ad_generic_init ( e , WB_POSIX_MAP_SFU ) ;
}
2007-01-24 04:48:08 +03:00
2008-11-27 00:23:34 +03:00
static NTSTATUS nss_sfu20_init ( struct nss_domain_entry * e )
{
return nss_ad_generic_init ( e , WB_POSIX_MAP_SFU20 ) ;
}
static NTSTATUS nss_rfc2307_init ( struct nss_domain_entry * e )
{
return nss_ad_generic_init ( e , WB_POSIX_MAP_RFC2307 ) ;
2007-01-24 04:48:08 +03:00
}
/************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-11-27 01:09:49 +03:00
2007-01-24 04:48:08 +03:00
static NTSTATUS nss_ad_get_info ( struct nss_domain_entry * e ,
2010-05-21 05:25:01 +04:00
const struct dom_sid * sid ,
2008-11-26 17:16:22 +03:00
TALLOC_CTX * mem_ctx ,
2007-01-24 04:48:08 +03:00
ADS_STRUCT * ads ,
LDAPMessage * msg ,
2009-08-01 18:38:13 +04:00
const char * * homedir ,
const char * * shell ,
const char * * gecos ,
2007-01-24 04:48:08 +03:00
uint32 * gid )
{
2008-09-15 21:38:36 +04:00
const char * attrs [ ] = { NULL , /* attr_homedir */
NULL , /* attr_shell */
NULL , /* attr_gecos */
NULL , /* attr_gidnumber */
NULL } ;
char * filter = NULL ;
LDAPMessage * msg_internal = NULL ;
ADS_STATUS ads_status = ADS_ERROR_NT ( NT_STATUS_UNSUCCESSFUL ) ;
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL ;
char * sidstr = NULL ;
2008-11-27 01:09:49 +03:00
struct idmap_domain * dom ;
struct idmap_ad_context * ctx ;
2007-01-24 04:48:08 +03:00
2008-12-01 00:50:26 +03:00
DEBUG ( 10 , ( " nss_ad_get_info called for sid [%s] in domain '%s' \n " ,
sid_string_dbg ( sid ) , e - > domain ? e - > domain : " NULL " ) ) ;
2007-04-20 03:15:33 +04:00
/* Only do query if we are online */
if ( idmap_is_offline ( ) ) {
return NT_STATUS_FILE_IS_OFFLINE ;
}
2008-11-27 01:09:49 +03:00
dom = talloc_get_type ( e - > state , struct idmap_domain ) ;
ctx = talloc_get_type ( dom - > private_data , struct idmap_ad_context ) ;
2007-01-27 06:27:34 +03:00
2008-11-27 01:09:49 +03:00
ads_status = ad_idmap_cached_connection ( dom ) ;
if ( ! ADS_ERR_OK ( ads_status ) ) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
2007-01-27 06:27:34 +03:00
2008-11-27 01:09:49 +03:00
if ( ! ctx - > ad_schema ) {
DEBUG ( 10 , ( " nss_ad_get_info: no ad_schema configured! \n " ) ) ;
2007-01-24 04:48:08 +03:00
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
2008-09-15 21:38:36 +04:00
}
if ( ! sid | | ! homedir | | ! shell | | ! gecos ) {
2007-01-24 04:48:08 +03:00
return NT_STATUS_INVALID_PARAMETER ;
2008-09-15 21:38:36 +04:00
}
/* See if we can use the ADS connection struct swe were given */
2007-01-24 04:48:08 +03:00
2008-09-15 21:38:36 +04:00
if ( ads ) {
2008-11-27 01:09:49 +03:00
DEBUG ( 10 , ( " nss_ad_get_info: using given ads connection and "
" LDAP message (%p) \n " , msg ) ) ;
* homedir = ads_pull_string ( ads , mem_ctx , msg , ctx - > ad_schema - > posix_homedir_attr ) ;
* shell = ads_pull_string ( ads , mem_ctx , msg , ctx - > ad_schema - > posix_shell_attr ) ;
* gecos = ads_pull_string ( ads , mem_ctx , msg , ctx - > ad_schema - > posix_gecos_attr ) ;
2008-09-15 21:38:36 +04:00
if ( gid ) {
2008-11-27 01:09:49 +03:00
if ( ! ads_pull_uint32 ( ads , msg , ctx - > ad_schema - > posix_gidnumber_attr , gid ) )
2008-09-15 21:38:36 +04:00
* gid = ( uint32 ) - 1 ;
}
nt_status = NT_STATUS_OK ;
goto done ;
2007-01-24 04:48:08 +03:00
}
2008-09-15 21:38:36 +04:00
/* Have to do our own query */
2008-11-27 01:09:49 +03:00
DEBUG ( 10 , ( " nss_ad_get_info: no ads connection given, doing our "
" own query \n " ) ) ;
attrs [ 0 ] = ctx - > ad_schema - > posix_homedir_attr ;
attrs [ 1 ] = ctx - > ad_schema - > posix_shell_attr ;
attrs [ 2 ] = ctx - > ad_schema - > posix_gecos_attr ;
attrs [ 3 ] = ctx - > ad_schema - > posix_gidnumber_attr ;
2008-09-15 21:38:36 +04:00
2010-09-17 06:33:44 +04:00
sidstr = ldap_encode_ndr_dom_sid ( mem_ctx , sid ) ;
2008-11-26 17:16:22 +03:00
filter = talloc_asprintf ( mem_ctx , " (objectSid=%s) " , sidstr ) ;
2009-05-28 13:18:22 +04:00
TALLOC_FREE ( sidstr ) ;
2008-09-15 21:38:36 +04:00
if ( ! filter ) {
nt_status = NT_STATUS_NO_MEMORY ;
goto done ;
}
2008-11-27 01:09:49 +03:00
ads_status = ads_search_retry ( ctx - > ads , & msg_internal , filter , attrs ) ;
2008-09-15 21:38:36 +04:00
if ( ! ADS_ERR_OK ( ads_status ) ) {
nt_status = ads_ntstatus ( ads_status ) ;
goto done ;
}
2008-11-27 01:09:49 +03:00
* homedir = ads_pull_string ( ctx - > ads , mem_ctx , msg_internal , ctx - > ad_schema - > posix_homedir_attr ) ;
* shell = ads_pull_string ( ctx - > ads , mem_ctx , msg_internal , ctx - > ad_schema - > posix_shell_attr ) ;
* gecos = ads_pull_string ( ctx - > ads , mem_ctx , msg_internal , ctx - > ad_schema - > posix_gecos_attr ) ;
2008-09-15 21:38:36 +04:00
if ( gid ) {
2008-11-27 01:09:49 +03:00
if ( ! ads_pull_uint32 ( ctx - > ads , msg_internal , ctx - > ad_schema - > posix_gidnumber_attr , gid ) )
2008-09-15 21:38:36 +04:00
* gid = ( uint32 ) - 1 ;
}
nt_status = NT_STATUS_OK ;
done :
if ( msg_internal ) {
2008-11-27 01:09:49 +03:00
ads_msgfree ( ctx - > ads , msg_internal ) ;
2008-09-15 21:38:36 +04:00
}
return nt_status ;
2007-01-24 04:48:08 +03:00
}
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
/**********************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS nss_ad_map_to_alias ( TALLOC_CTX * mem_ctx ,
2008-12-01 06:17:55 +03:00
struct nss_domain_entry * e ,
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
const char * name ,
char * * alias )
{
const char * attrs [ ] = { NULL , /* attr_uid */
NULL } ;
char * filter = NULL ;
LDAPMessage * msg = NULL ;
ADS_STATUS ads_status = ADS_ERROR_NT ( NT_STATUS_UNSUCCESSFUL ) ;
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL ;
2008-11-27 01:09:49 +03:00
struct idmap_domain * dom ;
2008-12-02 08:56:59 +03:00
struct idmap_ad_context * ctx = NULL ;
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
/* Check incoming parameters */
2008-12-01 06:17:55 +03:00
if ( ! e | | ! e - > domain | | ! name | | ! * alias ) {
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
nt_status = NT_STATUS_INVALID_PARAMETER ;
goto done ;
}
/* Only do query if we are online */
if ( idmap_is_offline ( ) ) {
nt_status = NT_STATUS_FILE_IS_OFFLINE ;
goto done ;
}
2008-11-27 01:09:49 +03:00
dom = talloc_get_type ( e - > state , struct idmap_domain ) ;
ctx = talloc_get_type ( dom - > private_data , struct idmap_ad_context ) ;
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
2008-11-27 01:09:49 +03:00
ads_status = ad_idmap_cached_connection ( dom ) ;
if ( ! ADS_ERR_OK ( ads_status ) ) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
if ( ! ctx - > ad_schema ) {
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND ;
goto done ;
}
2008-11-27 01:09:49 +03:00
attrs [ 0 ] = ctx - > ad_schema - > posix_uid_attr ;
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
filter = talloc_asprintf ( mem_ctx ,
" (sAMAccountName=%s) " ,
name ) ;
if ( ! filter ) {
nt_status = NT_STATUS_NO_MEMORY ;
goto done ;
}
2008-11-27 01:09:49 +03:00
ads_status = ads_search_retry ( ctx - > ads , & msg , filter , attrs ) ;
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
if ( ! ADS_ERR_OK ( ads_status ) ) {
nt_status = ads_ntstatus ( ads_status ) ;
goto done ;
}
2008-11-27 01:09:49 +03:00
* alias = ads_pull_string ( ctx - > ads , mem_ctx , msg , ctx - > ad_schema - > posix_uid_attr ) ;
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
if ( ! * alias ) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
nt_status = NT_STATUS_OK ;
done :
if ( filter ) {
talloc_destroy ( filter ) ;
}
if ( msg ) {
2008-11-27 01:09:49 +03:00
ads_msgfree ( ctx - > ads , msg ) ;
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
}
return nt_status ;
}
/**********************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS nss_ad_map_from_alias ( TALLOC_CTX * mem_ctx ,
2008-12-01 06:17:55 +03:00
struct nss_domain_entry * e ,
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
const char * alias ,
char * * name )
{
const char * attrs [ ] = { " sAMAccountName " ,
NULL } ;
char * filter = NULL ;
LDAPMessage * msg = NULL ;
ADS_STATUS ads_status = ADS_ERROR_NT ( NT_STATUS_UNSUCCESSFUL ) ;
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL ;
char * username ;
2008-11-27 01:09:49 +03:00
struct idmap_domain * dom ;
2008-12-02 08:56:59 +03:00
struct idmap_ad_context * ctx = NULL ;
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
/* Check incoming parameters */
if ( ! alias | | ! name ) {
nt_status = NT_STATUS_INVALID_PARAMETER ;
goto done ;
}
/* Only do query if we are online */
if ( idmap_is_offline ( ) ) {
nt_status = NT_STATUS_FILE_IS_OFFLINE ;
goto done ;
}
2008-11-27 01:09:49 +03:00
dom = talloc_get_type ( e - > state , struct idmap_domain ) ;
ctx = talloc_get_type ( dom - > private_data , struct idmap_ad_context ) ;
ads_status = ad_idmap_cached_connection ( dom ) ;
if ( ! ADS_ERR_OK ( ads_status ) ) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
2008-11-27 01:09:49 +03:00
if ( ! ctx - > ad_schema ) {
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND ;
goto done ;
}
filter = talloc_asprintf ( mem_ctx ,
" (%s=%s) " ,
2008-11-27 01:09:49 +03:00
ctx - > ad_schema - > posix_uid_attr ,
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
alias ) ;
if ( ! filter ) {
nt_status = NT_STATUS_NO_MEMORY ;
goto done ;
}
2008-11-27 01:09:49 +03:00
ads_status = ads_search_retry ( ctx - > ads , & msg , filter , attrs ) ;
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
if ( ! ADS_ERR_OK ( ads_status ) ) {
nt_status = ads_ntstatus ( ads_status ) ;
goto done ;
}
2008-11-27 01:09:49 +03:00
username = ads_pull_string ( ctx - > ads , mem_ctx , msg ,
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
" sAMAccountName " ) ;
if ( ! username ) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND ;
}
* name = talloc_asprintf ( mem_ctx , " %s \\ %s " ,
lp_workgroup ( ) ,
username ) ;
if ( ! * name ) {
nt_status = NT_STATUS_NO_MEMORY ;
goto done ;
}
nt_status = NT_STATUS_OK ;
done :
if ( filter ) {
talloc_destroy ( filter ) ;
}
if ( msg ) {
2008-11-27 01:09:49 +03:00
ads_msgfree ( ctx - > ads , msg ) ;
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
}
return nt_status ;
}
2007-01-24 04:48:08 +03:00
/************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS nss_ad_close ( void )
{
/* nothing to do. All memory is free()'d by the idmap close_fn() */
2006-12-12 17:52:13 +03:00
return NT_STATUS_OK ;
}
2007-01-24 04:48:08 +03:00
/************************************************************************
Function dispatch tables for the idmap and nss plugins
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-12-12 17:52:13 +03:00
static struct idmap_methods ad_methods = {
2007-01-24 04:48:08 +03:00
. init = idmap_ad_initialize ,
2006-12-12 17:52:13 +03:00
. unixids_to_sids = idmap_ad_unixids_to_sids ,
. sids_to_unixids = idmap_ad_sids_to_unixids ,
2007-01-24 04:48:08 +03:00
. close_fn = idmap_ad_close
} ;
/* The SFU and RFC2307 NSS plugins share everything but the init
function which sets the intended schema model to use */
2008-07-11 19:45:16 +04:00
2007-01-24 04:48:08 +03:00
static struct nss_info_methods nss_rfc2307_methods = {
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
. init = nss_rfc2307_init ,
. get_nss_info = nss_ad_get_info ,
. map_to_alias = nss_ad_map_to_alias ,
. map_from_alias = nss_ad_map_from_alias ,
. close_fn = nss_ad_close
2007-01-24 04:48:08 +03:00
} ;
static struct nss_info_methods nss_sfu_methods = {
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
. init = nss_sfu_init ,
. get_nss_info = nss_ad_get_info ,
. map_to_alias = nss_ad_map_to_alias ,
. map_from_alias = nss_ad_map_from_alias ,
. close_fn = nss_ad_close
2006-12-12 17:52:13 +03:00
} ;
2007-06-26 13:15:37 +04:00
static struct nss_info_methods nss_sfu20_methods = {
* Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 21:35:21 +04:00
. init = nss_sfu20_init ,
. get_nss_info = nss_ad_get_info ,
. map_to_alias = nss_ad_map_to_alias ,
. map_from_alias = nss_ad_map_from_alias ,
. close_fn = nss_ad_close
2007-06-26 13:15:37 +04:00
} ;
2007-01-24 04:48:08 +03:00
/************************************************************************
Initialize the plugins
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-12-12 17:52:13 +03:00
NTSTATUS idmap_ad_init ( void )
{
2007-01-24 04:48:08 +03:00
static NTSTATUS status_idmap_ad = NT_STATUS_UNSUCCESSFUL ;
static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL ;
static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL ;
2007-06-26 13:15:37 +04:00
static NTSTATUS status_nss_sfu20 = NT_STATUS_UNSUCCESSFUL ;
2007-01-24 04:48:08 +03:00
/* Always register the AD method first in order to get the
idmap_domain interface called */
if ( ! NT_STATUS_IS_OK ( status_idmap_ad ) ) {
status_idmap_ad = smb_register_idmap ( SMB_IDMAP_INTERFACE_VERSION ,
" ad " , & ad_methods ) ;
if ( ! NT_STATUS_IS_OK ( status_idmap_ad ) )
return status_idmap_ad ;
}
2008-07-11 19:45:16 +04:00
2007-01-24 04:48:08 +03:00
if ( ! NT_STATUS_IS_OK ( status_nss_rfc2307 ) ) {
status_nss_rfc2307 = smb_register_idmap_nss ( SMB_NSS_INFO_INTERFACE_VERSION ,
" rfc2307 " , & nss_rfc2307_methods ) ;
if ( ! NT_STATUS_IS_OK ( status_nss_rfc2307 ) )
return status_nss_rfc2307 ;
}
if ( ! NT_STATUS_IS_OK ( status_nss_sfu ) ) {
status_nss_sfu = smb_register_idmap_nss ( SMB_NSS_INFO_INTERFACE_VERSION ,
" sfu " , & nss_sfu_methods ) ;
if ( ! NT_STATUS_IS_OK ( status_nss_sfu ) )
return status_nss_sfu ;
}
2007-06-26 13:15:37 +04:00
if ( ! NT_STATUS_IS_OK ( status_nss_sfu20 ) ) {
status_nss_sfu20 = smb_register_idmap_nss ( SMB_NSS_INFO_INTERFACE_VERSION ,
" sfu20 " , & nss_sfu20_methods ) ;
if ( ! NT_STATUS_IS_OK ( status_nss_sfu20 ) )
return status_nss_sfu20 ;
}
2007-01-24 04:48:08 +03:00
return NT_STATUS_OK ;
2006-12-12 17:52:13 +03:00
}
