2003-04-29 15:40:52 +04:00
/*
Unix SMB / CIFS implementation .
ID Mapping
Copyright ( C ) Simo Sorce 2003
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA . */
# include "includes.h"
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_IDMAP
2003-08-13 04:08:28 +04:00
#if 0 /* NOT USED */
2003-07-11 09:33:40 +04:00
/**********************************************************************
Get the free RID base if idmap is configured , otherwise return 0
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
uint32 idmap_get_free_rid_base ( void )
{
uint32 low , high ;
if ( idmap_get_free_rid_range ( & low , & high ) ) {
return low ;
}
return 0 ;
}
/**********************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL idmap_check_ugid_is_in_free_range ( uint32 id )
{
uint32 low , high ;
if ( ! idmap_get_free_ugid_range ( & low , & high ) ) {
return False ;
}
if ( id < low | | id > high ) {
return False ;
}
return True ;
}
/**********************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL idmap_check_rid_is_in_free_range ( uint32 rid )
{
uint32 low , high ;
if ( ! idmap_get_free_rid_range ( & low , & high ) ) {
return False ;
}
if ( rid < algorithmic_rid_base ( ) ) {
return True ;
}
if ( rid < low | | rid > high ) {
return False ;
}
return True ;
}
/**********************************************************************
if it is a foreign SID or if the SID is in the free range , return true
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL idmap_check_sid_is_in_free_range ( const DOM_SID * sid )
{
if ( sid_compare_domain ( get_global_sam_sid ( ) , sid ) = = 0 ) {
uint32 rid ;
if ( sid_peek_rid ( sid , & rid ) ) {
return idmap_check_rid_is_in_free_range ( rid ) ;
}
return False ;
}
return True ;
}
2003-04-30 20:35:17 +04:00
2003-08-13 04:08:28 +04:00
# endif /* NOT USED */
2003-04-29 15:40:52 +04:00
/*****************************************************************
2003-07-08 00:00:29 +04:00
Returns SID pointer .
2003-04-29 15:40:52 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-07-07 09:11:10 +04:00
NTSTATUS idmap_uid_to_sid ( DOM_SID * sid , uid_t uid )
2003-04-29 15:40:52 +04:00
{
unid_t id ;
2003-05-01 15:47:48 +04:00
int flags ;
2003-04-29 15:40:52 +04:00
2003-07-22 08:31:20 +04:00
DEBUG ( 10 , ( " idmap_uid_to_sid: uid = [%lu] \n " , ( unsigned long ) uid ) ) ;
2003-04-29 15:40:52 +04:00
2003-05-01 15:47:48 +04:00
flags = ID_USERID ;
id . uid = uid ;
2003-07-07 09:11:10 +04:00
return idmap_get_sid_from_id ( sid , id , flags ) ;
2003-04-29 15:40:52 +04:00
}
/*****************************************************************
2003-05-01 15:47:48 +04:00
Group mapping is used for gids that maps to Wellknown SIDs
2003-04-29 15:40:52 +04:00
Returns SID pointer .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-07-07 09:11:10 +04:00
NTSTATUS idmap_gid_to_sid ( DOM_SID * sid , gid_t gid )
2003-04-29 15:40:52 +04:00
{
unid_t id ;
2003-05-01 15:47:48 +04:00
int flags ;
2003-04-29 15:40:52 +04:00
2003-07-22 08:31:20 +04:00
DEBUG ( 10 , ( " idmap_gid_to_sid: gid = [%lu] \n " , ( unsigned long ) gid ) ) ;
2003-04-29 15:40:52 +04:00
2003-05-01 15:47:48 +04:00
flags = ID_GROUPID ;
2003-07-08 00:11:53 +04:00
#if 0 /* JERRY */
2003-07-07 09:11:10 +04:00
if ( ! idmap_check_ugid_is_in_free_range ( gid ) ) {
2003-06-27 03:48:46 +04:00
flags | = ID_QUERY_ONLY ;
2003-05-01 15:47:48 +04:00
}
2003-07-08 00:11:53 +04:00
# endif
2003-05-01 15:47:48 +04:00
id . gid = gid ;
2003-07-07 09:11:10 +04:00
return idmap_get_sid_from_id ( sid , id , flags ) ;
2003-04-29 15:40:52 +04:00
}
/*****************************************************************
2003-05-01 15:47:48 +04:00
if it is a foreign sid or it is in idmap rid range check idmap ,
otherwise falls back to the legacy algorithmic mapping .
2003-04-29 15:40:52 +04:00
Returns True if this name is a user sid and the conversion
2003-05-01 15:47:48 +04:00
was done correctly , False if not .
2003-04-29 15:40:52 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-07-07 09:11:10 +04:00
NTSTATUS idmap_sid_to_uid ( const DOM_SID * sid , uid_t * uid , uint32 flags )
2003-04-29 15:40:52 +04:00
{
2003-05-01 15:47:48 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL ;
2003-04-29 15:40:52 +04:00
unid_t id ;
2003-07-07 09:11:10 +04:00
DEBUG ( 10 , ( " idmap_sid_to_uid: sid = [%s] \n " , sid_string_static ( sid ) ) ) ;
2003-05-03 05:29:18 +04:00
2003-07-07 09:11:10 +04:00
flags | = ID_USERID ;
2003-05-03 05:29:18 +04:00
2003-08-15 08:42:05 +04:00
ret = idmap_get_id_from_sid ( & id , ( int * ) & flags , sid ) ;
2003-07-07 09:11:10 +04:00
if ( NT_STATUS_IS_OK ( ret ) ) {
2003-07-22 08:31:20 +04:00
DEBUG ( 10 , ( " idmap_sid_to_uid: uid = [%lu] \n " , ( unsigned long ) id . uid ) ) ;
2003-04-30 20:35:17 +04:00
* uid = id . uid ;
2003-07-07 09:11:10 +04:00
}
2003-05-03 05:29:18 +04:00
2003-05-01 15:47:48 +04:00
return ret ;
2003-07-07 09:11:10 +04:00
2003-04-29 15:40:52 +04:00
}
/*****************************************************************
* THE CANONICAL * convert SID to gid function .
2003-05-01 15:47:48 +04:00
if it is a foreign sid or it is in idmap rid range check idmap ,
otherwise falls back to the legacy algorithmic mapping .
Group mapping is used for gids that maps to Wellknown SIDs
2003-04-29 15:40:52 +04:00
Returns True if this name is a user sid and the conversion
was done correctly , False if not .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-07-07 09:11:10 +04:00
NTSTATUS idmap_sid_to_gid ( const DOM_SID * sid , gid_t * gid , uint32 flags )
2003-04-29 15:40:52 +04:00
{
2003-05-01 15:47:48 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL ;
2003-04-29 15:40:52 +04:00
unid_t id ;
2003-04-30 20:35:17 +04:00
DEBUG ( 10 , ( " sid_to_gid: sid = [%s] \n " , sid_string_static ( sid ) ) ) ;
2003-04-29 15:40:52 +04:00
2003-07-07 09:11:10 +04:00
flags | = ID_GROUPID ;
2003-05-01 15:47:48 +04:00
2003-08-15 08:42:05 +04:00
ret = idmap_get_id_from_sid ( & id , ( int * ) & flags , sid ) ;
2003-07-07 09:11:10 +04:00
if ( NT_STATUS_IS_OK ( ret ) )
{
2003-07-22 08:31:20 +04:00
DEBUG ( 10 , ( " idmap_sid_to_gid: gid = [%lu] \n " , ( unsigned long ) id . gid ) ) ;
2003-05-01 15:47:48 +04:00
* gid = id . gid ;
2003-04-29 15:40:52 +04:00
}
2003-05-01 15:47:48 +04:00
return ret ;
2003-04-29 15:40:52 +04:00
}
2003-05-01 18:08:00 +04:00
2003-07-07 09:11:10 +04:00
2003-07-03 02:32:05 +04:00
/***************************************************************************
Check first , call set_mapping if it doesn ' t already exist .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static NTSTATUS wellknown_id_init ( DOM_SID * sid , unid_t id , int flags )
{
unid_t storedid ;
int qflags = flags | ID_QUERY_ONLY ;
if ( ! NT_STATUS_IS_OK ( idmap_get_id_from_sid ( & storedid , & qflags , sid ) ) ) {
return idmap_set_mapping ( sid , id , flags ) ;
} else {
if ( flags = = ID_USERID & & id . uid ! = storedid . uid ) {
DEBUG ( 0 , ( " wellknown_id_init: WARNING ! Stored uid %u for SID %s is not the same as the requested uid %u \n " ,
( unsigned int ) storedid . uid , sid_string_static ( sid ) , ( unsigned int ) id . uid ) ) ;
DEBUG ( 0 , ( " wellknown_id_init: Attempting to overwrite old mapping with new. \n " ) ) ;
return idmap_set_mapping ( sid , id , flags ) ;
} else if ( flags = = ID_GROUPID & & id . gid ! = storedid . gid ) {
DEBUG ( 0 , ( " wellknown_id_init: WARNING ! Stored gid %u for SID %s is not the same as the requested gid %u \n " ,
( unsigned int ) storedid . gid , sid_string_static ( sid ) , ( unsigned int ) id . gid ) ) ;
DEBUG ( 0 , ( " wellknown_id_init: Attempting to overwrite old mapping with new. \n " ) ) ;
return idmap_set_mapping ( sid , id , flags ) ;
}
}
return NT_STATUS_OK ;
}
/***************************************************************************
Initialize idmap withWellknown SIDs like Guest , that are necessary
to make samba run properly .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-05-01 18:08:00 +04:00
BOOL idmap_init_wellknown_sids ( void )
{
const char * guest_account = lp_guestaccount ( ) ;
struct passwd * pass ;
2003-05-01 18:32:24 +04:00
GROUP_MAP * map = NULL ;
int num_entries = 0 ;
2003-05-01 18:08:00 +04:00
DOM_SID sid ;
unid_t id ;
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
fstring sid_string ;
2003-05-01 18:08:00 +04:00
if ( ! ( guest_account & & * guest_account ) ) {
DEBUG ( 1 , ( " NULL guest account!?!? \n " ) ) ;
return False ;
}
pass = getpwnam_alloc ( guest_account ) ;
if ( ! pass ) {
return False ;
}
2003-07-03 02:32:05 +04:00
/* Fill in the SID for the guest account. */
2003-05-01 18:08:00 +04:00
id . uid = pass - > pw_uid ;
sid_copy ( & sid , get_global_sam_sid ( ) ) ;
sid_append_rid ( & sid , DOMAIN_USER_RID_GUEST ) ;
2003-07-03 02:32:05 +04:00
if ( ! NT_STATUS_IS_OK ( wellknown_id_init ( & sid , id , ID_USERID ) ) ) {
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
DEBUG ( 0 , ( " Failed to setup UID mapping for GUEST (%s) to (%u) \n " ,
sid_to_string ( sid_string , & sid ) , ( unsigned int ) id . uid ) ) ;
2003-05-01 18:08:00 +04:00
passwd_free ( & pass ) ;
return False ;
}
2003-07-03 02:32:05 +04:00
/* check if DOMAIN_GROUP_RID_GUESTS SID is set, if not store the
* guest account gid as mapping */
id . gid = pass - > pw_gid ;
sid_copy ( & sid , get_global_sam_sid ( ) ) ;
sid_append_rid ( & sid , DOMAIN_GROUP_RID_GUESTS ) ;
if ( ! NT_STATUS_IS_OK ( wellknown_id_init ( & sid , id , ID_GROUPID ) ) ) {
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 17:29:42 +04:00
DEBUG ( 0 , ( " Failed to setup GID mapping for Group DOMAIN GUESTS (%s) to (%u) \n " ,
sid_to_string ( sid_string , & sid ) , ( unsigned int ) id . gid ) ) ;
2003-07-03 02:32:05 +04:00
passwd_free ( & pass ) ;
return False ;
}
passwd_free ( & pass ) ;
2003-05-01 18:32:24 +04:00
/* now fill in group mappings */
2003-06-18 19:24:10 +04:00
if ( pdb_enum_group_mapping ( SID_NAME_UNKNOWN , & map , & num_entries , ENUM_ONLY_MAPPED ) ) {
2003-05-01 18:32:24 +04:00
int i ;
for ( i = 0 ; i < num_entries ; i + + ) {
id . gid = map [ i ] . gid ;
2003-07-03 02:32:05 +04:00
wellknown_id_init ( & map [ i ] . sid , id , ID_GROUPID ) ;
2003-05-01 18:32:24 +04:00
}
2003-06-17 16:31:02 +04:00
SAFE_FREE ( map ) ;
2003-05-01 18:32:24 +04:00
}
2003-07-05 13:46:12 +04:00
/* Fill in the SID for the administrator account. */
id . uid = 0 ;
sid_copy ( & sid , get_global_sam_sid ( ) ) ;
sid_append_rid ( & sid , DOMAIN_USER_RID_ADMIN ) ;
if ( ! NT_STATUS_IS_OK ( wellknown_id_init ( & sid , id , ID_USERID ) ) ) {
DEBUG ( 0 , ( " Failed to setup UID mapping for ADMINISTRATOR (%s) to (%u) \n " ,
sid_to_string ( sid_string , & sid ) , ( unsigned int ) id . uid ) ) ;
return False ;
}
2003-05-01 18:08:00 +04:00
return True ;
}
