2015-08-20 17:07:47 +02:00
/*
* Unix SMB / CIFS implementation .
* async xids2sids
* Copyright ( C ) Volker Lendecke 2015
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation ; either version 3 of the License , or
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "winbindd.h"
# include "../libcli/security/security.h"
# include "idmap_cache.h"
# include "librpc/gen_ndr/ndr_winbind_c.h"
2016-01-12 21:21:17 +01:00
# include "librpc/gen_ndr/ndr_netlogon.h"
2017-09-25 13:25:57 +02:00
# include "passdb/lookup_sid.h"
2015-08-20 17:07:47 +02:00
2016-03-01 14:34:26 +01:00
struct wb_xids2sids_dom_map {
unsigned low_id ;
unsigned high_id ;
const char * name ;
2017-09-25 13:25:57 +02:00
struct dom_sid sid ;
2016-03-01 14:34:26 +01:00
} ;
/*
* Map idmap ranges to domain names , taken from smb . conf . This is
* stored in the parent winbind and used to assemble xid2sid calls
* into per - idmap - domain chunks .
*/
static struct wb_xids2sids_dom_map * dom_maps ;
static bool wb_xids2sids_add_dom ( const char * domname ,
void * private_data )
{
struct wb_xids2sids_dom_map * map = NULL ;
size_t num_maps = talloc_array_length ( dom_maps ) ;
size_t i ;
const char * range ;
unsigned low_id , high_id ;
int ret ;
2017-01-07 14:55:41 +00:00
range = idmap_config_const_string ( domname , " range " , NULL ) ;
2016-03-01 14:34:26 +01:00
if ( range = = NULL ) {
DBG_DEBUG ( " No range for domain %s found \n " , domname ) ;
return false ;
}
ret = sscanf ( range , " %u - %u " , & low_id , & high_id ) ;
if ( ret ! = 2 ) {
DBG_DEBUG ( " Invalid range spec \" %s \" for domain %s \n " ,
range , domname ) ;
return false ;
}
if ( low_id > high_id ) {
DBG_DEBUG ( " Invalid range %u - %u for domain %s \n " ,
low_id , high_id , domname ) ;
return false ;
}
for ( i = 0 ; i < num_maps ; i + + ) {
if ( strequal ( domname , dom_maps [ i ] . name ) ) {
map = & dom_maps [ i ] ;
break ;
}
}
if ( map = = NULL ) {
struct wb_xids2sids_dom_map * tmp ;
char * name ;
name = talloc_strdup ( talloc_tos ( ) , domname ) ;
if ( name = = NULL ) {
DBG_DEBUG ( " talloc failed \n " ) ;
return false ;
}
tmp = talloc_realloc (
NULL , dom_maps , struct wb_xids2sids_dom_map ,
num_maps + 1 ) ;
if ( tmp = = NULL ) {
TALLOC_FREE ( name ) ;
return false ;
}
dom_maps = tmp ;
map = & dom_maps [ num_maps ] ;
2017-09-25 13:25:57 +02:00
ZERO_STRUCTP ( map ) ;
2016-03-01 14:34:26 +01:00
map - > name = talloc_move ( dom_maps , & name ) ;
}
map - > low_id = low_id ;
map - > high_id = high_id ;
return false ;
}
2017-09-25 13:25:57 +02:00
struct wb_xids2sids_init_dom_maps_state {
struct tevent_context * ev ;
struct tevent_req * req ;
size_t dom_idx ;
} ;
static void wb_xids2sids_init_dom_maps_lookupname_next (
struct wb_xids2sids_init_dom_maps_state * state ) ;
static void wb_xids2sids_init_dom_maps_lookupname_done (
struct tevent_req * subreq ) ;
static struct tevent_req * wb_xids2sids_init_dom_maps_send (
TALLOC_CTX * mem_ctx , struct tevent_context * ev )
2016-03-01 14:34:26 +01:00
{
2017-09-25 13:25:57 +02:00
struct tevent_req * req = NULL ;
struct wb_xids2sids_init_dom_maps_state * state = NULL ;
req = tevent_req_create ( mem_ctx , & state ,
struct wb_xids2sids_init_dom_maps_state ) ;
if ( req = = NULL ) {
return NULL ;
2016-03-01 14:34:26 +01:00
}
2017-09-25 13:25:57 +02:00
* state = ( struct wb_xids2sids_init_dom_maps_state ) {
. ev = ev ,
. req = req ,
. dom_idx = 0 ,
} ;
2016-03-01 14:34:26 +01:00
2017-09-25 13:25:57 +02:00
if ( dom_maps ! = NULL ) {
tevent_req_done ( req ) ;
return tevent_req_post ( req , ev ) ;
}
2016-03-01 14:34:26 +01:00
/*
* Put the passdb idmap domain first . We always need to try
* there first .
*/
2017-09-25 13:25:57 +02:00
dom_maps = talloc_zero_array ( NULL , struct wb_xids2sids_dom_map , 1 ) ;
if ( tevent_req_nomem ( dom_maps , req ) ) {
return tevent_req_post ( req , ev ) ;
2016-03-01 14:34:26 +01:00
}
dom_maps [ 0 ] . low_id = 0 ;
dom_maps [ 0 ] . high_id = UINT_MAX ;
dom_maps [ 0 ] . name = talloc_strdup ( dom_maps , get_global_sam_name ( ) ) ;
2017-09-25 13:25:57 +02:00
if ( tevent_req_nomem ( dom_maps [ 0 ] . name , req ) ) {
2016-03-01 14:34:26 +01:00
TALLOC_FREE ( dom_maps ) ;
2017-09-25 13:25:57 +02:00
return tevent_req_post ( req , ev ) ;
2016-03-01 14:34:26 +01:00
}
lp_scan_idmap_domains ( wb_xids2sids_add_dom , NULL ) ;
2017-09-25 13:25:57 +02:00
wb_xids2sids_init_dom_maps_lookupname_next ( state ) ;
if ( ! tevent_req_is_in_progress ( req ) ) {
tevent_req_post ( req , ev ) ;
}
return req ;
}
static void wb_xids2sids_init_dom_maps_lookupname_next (
struct wb_xids2sids_init_dom_maps_state * state )
{
struct tevent_req * subreq = NULL ;
if ( state - > dom_idx = = talloc_array_length ( dom_maps ) ) {
tevent_req_done ( state - > req ) ;
return ;
}
if ( strequal ( dom_maps [ state - > dom_idx ] . name , " * " ) ) {
state - > dom_idx + + ;
if ( state - > dom_idx = = talloc_array_length ( dom_maps ) ) {
tevent_req_done ( state - > req ) ;
return ;
}
}
subreq = wb_lookupname_send ( state ,
state - > ev ,
dom_maps [ state - > dom_idx ] . name ,
2018-02-22 14:10:28 +01:00
dom_maps [ state - > dom_idx ] . name ,
2017-09-25 13:25:57 +02:00
" " ,
LOOKUP_NAME_NO_NSS ) ;
if ( tevent_req_nomem ( subreq , state - > req ) ) {
return ;
}
tevent_req_set_callback ( subreq ,
wb_xids2sids_init_dom_maps_lookupname_done ,
state - > req ) ;
}
static void wb_xids2sids_init_dom_maps_lookupname_done (
struct tevent_req * subreq )
{
struct tevent_req * req = tevent_req_callback_data (
subreq , struct tevent_req ) ;
struct wb_xids2sids_init_dom_maps_state * state = tevent_req_data (
req , struct wb_xids2sids_init_dom_maps_state ) ;
enum lsa_SidType type ;
NTSTATUS status ;
status = wb_lookupname_recv ( subreq ,
& dom_maps [ state - > dom_idx ] . sid ,
& type ) ;
TALLOC_FREE ( subreq ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DBG_WARNING ( " Lookup domain name '%s' failed '%s' \n " ,
dom_maps [ state - > dom_idx ] . name ,
nt_errstr ( status ) ) ;
state - > dom_idx + + ;
wb_xids2sids_init_dom_maps_lookupname_next ( state ) ;
return ;
}
if ( type ! = SID_NAME_DOMAIN ) {
DBG_WARNING ( " SID %s for idmap domain name '%s' "
" not a domain SID \n " ,
sid_string_dbg ( & dom_maps [ state - > dom_idx ] . sid ) ,
dom_maps [ state - > dom_idx ] . name ) ;
ZERO_STRUCT ( dom_maps [ state - > dom_idx ] . sid ) ;
}
state - > dom_idx + + ;
wb_xids2sids_init_dom_maps_lookupname_next ( state ) ;
return ;
}
static NTSTATUS wb_xids2sids_init_dom_maps_recv ( struct tevent_req * req )
{
return tevent_req_simple_recv_ntstatus ( req ) ;
2016-03-01 14:34:26 +01:00
}
struct wb_xids2sids_dom_state {
2016-01-12 21:21:17 +01:00
struct tevent_context * ev ;
2016-03-01 14:34:26 +01:00
struct unixid * all_xids ;
size_t num_all_xids ;
struct dom_sid * all_sids ;
struct wb_xids2sids_dom_map * dom_map ;
2016-01-12 21:21:17 +01:00
bool tried_dclookup ;
2016-03-01 14:34:26 +01:00
size_t num_dom_xids ;
struct unixid * dom_xids ;
struct dom_sid * dom_sids ;
} ;
static void wb_xids2sids_dom_done ( struct tevent_req * subreq ) ;
2016-01-12 21:21:17 +01:00
static void wb_xids2sids_dom_gotdc ( struct tevent_req * subreq ) ;
2016-03-01 14:34:26 +01:00
static struct tevent_req * wb_xids2sids_dom_send (
TALLOC_CTX * mem_ctx , struct tevent_context * ev ,
struct wb_xids2sids_dom_map * dom_map ,
struct unixid * xids , size_t num_xids , struct dom_sid * sids )
{
struct tevent_req * req , * subreq ;
struct wb_xids2sids_dom_state * state ;
struct winbindd_child * child ;
size_t i ;
req = tevent_req_create ( mem_ctx , & state ,
struct wb_xids2sids_dom_state ) ;
if ( req = = NULL ) {
return NULL ;
}
2016-01-12 21:21:17 +01:00
state - > ev = ev ;
2016-03-01 14:34:26 +01:00
state - > all_xids = xids ;
state - > num_all_xids = num_xids ;
state - > all_sids = sids ;
state - > dom_map = dom_map ;
state - > dom_xids = talloc_array ( state , struct unixid , num_xids ) ;
if ( tevent_req_nomem ( state - > dom_xids , req ) ) {
return tevent_req_post ( req , ev ) ;
}
state - > dom_sids = talloc_array ( state , struct dom_sid , num_xids ) ;
if ( tevent_req_nomem ( state - > dom_sids , req ) ) {
return tevent_req_post ( req , ev ) ;
}
for ( i = 0 ; i < num_xids ; i + + ) {
struct unixid id = state - > all_xids [ i ] ;
if ( ( id . id < dom_map - > low_id ) | | ( id . id > dom_map - > high_id ) ) {
/* out of range */
continue ;
}
if ( ! is_null_sid ( & state - > all_sids [ i ] ) ) {
/* already mapped */
continue ;
}
state - > dom_xids [ state - > num_dom_xids + + ] = id ;
}
if ( state - > num_dom_xids = = 0 ) {
tevent_req_done ( req ) ;
return tevent_req_post ( req , ev ) ;
}
child = idmap_child ( ) ;
subreq = dcerpc_wbint_UnixIDs2Sids_send (
2017-09-25 15:39:39 +02:00
state , ev , child - > binding_handle , dom_map - > name , dom_map - > sid ,
2016-03-01 14:34:26 +01:00
state - > num_dom_xids , state - > dom_xids , state - > dom_sids ) ;
if ( tevent_req_nomem ( subreq , req ) ) {
return tevent_req_post ( req , ev ) ;
}
tevent_req_set_callback ( subreq , wb_xids2sids_dom_done , req ) ;
return req ;
}
static void wb_xids2sids_dom_done ( struct tevent_req * subreq )
{
struct tevent_req * req = tevent_req_callback_data (
subreq , struct tevent_req ) ;
struct wb_xids2sids_dom_state * state = tevent_req_data (
req , struct wb_xids2sids_dom_state ) ;
struct wb_xids2sids_dom_map * dom_map = state - > dom_map ;
NTSTATUS status , result ;
size_t i ;
size_t dom_sid_idx ;
status = dcerpc_wbint_UnixIDs2Sids_recv ( subreq , state , & result ) ;
TALLOC_FREE ( subreq ) ;
if ( tevent_req_nterror ( req , status ) ) {
return ;
}
2016-01-12 21:21:17 +01:00
if ( NT_STATUS_EQUAL ( result , NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND ) & &
! state - > tried_dclookup ) {
subreq = wb_dsgetdcname_send (
state , state - > ev , state - > dom_map - > name , NULL , NULL ,
DS_RETURN_DNS_NAME ) ;
if ( tevent_req_nomem ( subreq , req ) ) {
return ;
}
tevent_req_set_callback ( subreq , wb_xids2sids_dom_gotdc , req ) ;
return ;
}
2016-03-01 14:34:26 +01:00
if ( ! NT_STATUS_EQUAL ( result , NT_STATUS_NONE_MAPPED ) & &
tevent_req_nterror ( req , result ) ) {
return ;
}
dom_sid_idx = 0 ;
for ( i = 0 ; i < state - > num_all_xids ; i + + ) {
struct unixid id = state - > all_xids [ i ] ;
if ( ( id . id < dom_map - > low_id ) | | ( id . id > dom_map - > high_id ) ) {
/* out of range */
continue ;
}
if ( ! is_null_sid ( & state - > all_sids [ i ] ) ) {
/* already mapped */
continue ;
}
2016-12-20 16:22:48 +01:00
sid_copy ( & state - > all_sids [ i ] , & state - > dom_sids [ dom_sid_idx ] ) ;
/*
* Prime the cache after an xid2sid call . It ' s
* important that we use state - > dom_xids for the xid
* value , not state - > all_xids : state - > all_xids carries
* what we asked for , e . g . a
* ID_TYPE_UID . state - > dom_xids holds something the
* idmap child possibly changed to ID_TYPE_BOTH .
*/
idmap_cache_set_sid2unixid (
& state - > all_sids [ i ] , & state - > dom_xids [ dom_sid_idx ] ) ;
dom_sid_idx + = 1 ;
2016-03-01 14:34:26 +01:00
}
tevent_req_done ( req ) ;
}
2016-01-12 21:21:17 +01:00
static void wb_xids2sids_dom_gotdc ( struct tevent_req * subreq )
{
struct tevent_req * req = tevent_req_callback_data (
subreq , struct tevent_req ) ;
struct wb_xids2sids_dom_state * state = tevent_req_data (
req , struct wb_xids2sids_dom_state ) ;
struct winbindd_child * child = idmap_child ( ) ;
struct netr_DsRGetDCNameInfo * dcinfo ;
NTSTATUS status ;
status = wb_dsgetdcname_recv ( subreq , state , & dcinfo ) ;
TALLOC_FREE ( subreq ) ;
if ( tevent_req_nterror ( req , status ) ) {
return ;
}
state - > tried_dclookup = true ;
status = wb_dsgetdcname_gencache_set ( state - > dom_map - > name , dcinfo ) ;
if ( tevent_req_nterror ( req , status ) ) {
return ;
}
child = idmap_child ( ) ;
subreq = dcerpc_wbint_UnixIDs2Sids_send (
state , state - > ev , child - > binding_handle , state - > dom_map - > name ,
2017-09-25 15:39:39 +02:00
state - > dom_map - > sid , state - > num_dom_xids ,
state - > dom_xids , state - > dom_sids ) ;
2016-01-12 21:21:17 +01:00
if ( tevent_req_nomem ( subreq , req ) ) {
return ;
}
tevent_req_set_callback ( subreq , wb_xids2sids_dom_done , req ) ;
}
2016-03-01 14:34:26 +01:00
static NTSTATUS wb_xids2sids_dom_recv ( struct tevent_req * req )
{
return tevent_req_simple_recv_ntstatus ( req ) ;
}
2015-08-20 17:07:47 +02:00
struct wb_xids2sids_state {
2016-03-01 14:34:26 +01:00
struct tevent_context * ev ;
struct unixid * xids ;
size_t num_xids ;
2015-08-20 17:07:47 +02:00
struct dom_sid * sids ;
2016-03-01 14:34:26 +01:00
size_t dom_idx ;
2015-08-20 17:07:47 +02:00
} ;
static void wb_xids2sids_done ( struct tevent_req * subreq ) ;
2017-09-25 13:25:57 +02:00
static void wb_xids2sids_init_dom_maps_done ( struct tevent_req * subreq ) ;
2015-08-20 17:07:47 +02:00
struct tevent_req * wb_xids2sids_send ( TALLOC_CTX * mem_ctx ,
struct tevent_context * ev ,
struct unixid * xids ,
uint32_t num_xids )
{
struct tevent_req * req , * subreq ;
struct wb_xids2sids_state * state ;
req = tevent_req_create ( mem_ctx , & state ,
struct wb_xids2sids_state ) ;
if ( req = = NULL ) {
return NULL ;
}
2016-03-01 14:34:26 +01:00
state - > ev = ev ;
state - > xids = xids ;
state - > num_xids = num_xids ;
2015-08-20 17:07:47 +02:00
2016-03-01 14:34:26 +01:00
state - > sids = talloc_zero_array ( state , struct dom_sid , num_xids ) ;
2015-08-20 17:07:47 +02:00
if ( tevent_req_nomem ( state - > sids , req ) ) {
return tevent_req_post ( req , ev ) ;
}
2016-12-27 10:19:17 +00:00
if ( winbindd_use_idmap_cache ( ) ) {
uint32_t i ;
for ( i = 0 ; i < num_xids ; i + + ) {
struct dom_sid sid ;
bool ok , expired ;
switch ( xids [ i ] . type ) {
case ID_TYPE_UID :
ok = idmap_cache_find_uid2sid (
xids [ i ] . id , & sid , & expired ) ;
break ;
case ID_TYPE_GID :
ok = idmap_cache_find_gid2sid (
xids [ i ] . id , & sid , & expired ) ;
break ;
default :
ok = false ;
}
if ( ok & & ! expired ) {
sid_copy ( & state - > sids [ i ] , & sid ) ;
}
}
}
2017-09-25 13:25:57 +02:00
subreq = wb_xids2sids_init_dom_maps_send (
state , state - > ev ) ;
if ( tevent_req_nomem ( subreq , req ) ) {
return tevent_req_post ( req , ev ) ;
}
tevent_req_set_callback ( subreq , wb_xids2sids_init_dom_maps_done , req ) ;
return req ;
}
static void wb_xids2sids_init_dom_maps_done ( struct tevent_req * subreq )
{
struct tevent_req * req = tevent_req_callback_data (
subreq , struct tevent_req ) ;
struct wb_xids2sids_state * state = tevent_req_data (
req , struct wb_xids2sids_state ) ;
size_t num_domains ;
NTSTATUS status ;
status = wb_xids2sids_init_dom_maps_recv ( subreq ) ;
TALLOC_FREE ( subreq ) ;
if ( tevent_req_nterror ( req , status ) ) {
return ;
}
2015-08-20 17:07:47 +02:00
2017-09-25 13:25:57 +02:00
num_domains = talloc_array_length ( dom_maps ) ;
2016-03-01 14:34:26 +01:00
if ( num_domains = = 0 ) {
tevent_req_done ( req ) ;
2017-09-25 13:25:57 +02:00
return ;
2016-03-01 14:34:26 +01:00
}
subreq = wb_xids2sids_dom_send (
state , state - > ev , & dom_maps [ state - > dom_idx ] ,
state - > xids , state - > num_xids , state - > sids ) ;
2015-08-20 17:07:47 +02:00
if ( tevent_req_nomem ( subreq , req ) ) {
2017-09-25 13:25:57 +02:00
return ;
2015-08-20 17:07:47 +02:00
}
tevent_req_set_callback ( subreq , wb_xids2sids_done , req ) ;
2017-09-25 13:25:57 +02:00
return ;
2015-08-20 17:07:47 +02:00
}
static void wb_xids2sids_done ( struct tevent_req * subreq )
{
struct tevent_req * req = tevent_req_callback_data (
subreq , struct tevent_req ) ;
struct wb_xids2sids_state * state = tevent_req_data (
req , struct wb_xids2sids_state ) ;
2016-03-01 14:34:26 +01:00
size_t num_domains = talloc_array_length ( dom_maps ) ;
NTSTATUS status ;
2015-08-20 17:07:47 +02:00
2016-03-01 14:34:26 +01:00
status = wb_xids2sids_dom_recv ( subreq ) ;
2015-08-20 17:07:47 +02:00
TALLOC_FREE ( subreq ) ;
2016-03-01 14:34:26 +01:00
if ( tevent_req_nterror ( req , status ) ) {
2015-08-20 17:07:47 +02:00
return ;
}
2016-03-01 14:34:26 +01:00
state - > dom_idx + = 1 ;
if ( state - > dom_idx > = num_domains ) {
tevent_req_done ( req ) ;
return ;
}
subreq = wb_xids2sids_dom_send (
state , state - > ev , & dom_maps [ state - > dom_idx ] ,
state - > xids , state - > num_xids , state - > sids ) ;
if ( tevent_req_nomem ( subreq , req ) ) {
return ;
}
tevent_req_set_callback ( subreq , wb_xids2sids_done , req ) ;
2015-08-20 17:07:47 +02:00
}
NTSTATUS wb_xids2sids_recv ( struct tevent_req * req , TALLOC_CTX * mem_ctx ,
struct dom_sid * * sids )
{
struct wb_xids2sids_state * state = tevent_req_data (
req , struct wb_xids2sids_state ) ;
NTSTATUS status ;
if ( tevent_req_is_nterror ( req , & status ) ) {
DEBUG ( 5 , ( " wb_sids_to_xids failed: %s \n " , nt_errstr ( status ) ) ) ;
return status ;
}
* sids = talloc_move ( mem_ctx , & state - > sids ) ;
return NT_STATUS_OK ;
}