1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

137 Commits

Author SHA1 Message Date
Stefan Metzmacher
493f5d6b07 winbindd: allow idmap backends to mark entries with ID_[TYPE_WB_]REQUIRE_TYPE
This must only be used between winbindd parent and child!
It must not leak into outside world.

Some backends require ID_TYPE_UID or ID_TYPE_GID as type_hint,
while others may only need ID_TYPE_BOTH in order to validate that
the domain exists.

This will allow us to skip the wb_lookupsids_send/recv in the winbindd parent
in future and only do that on demand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-10-23 03:25:37 +00:00
Stefan Metzmacher
95b0dac0af winbindd/idmap: apply const to struct idmap_methods pointers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-10-23 03:25:35 +00:00
Matthew DeVore
c2ac923c6a s3: safe_string: do not include string_wrappers.h
Rather than have safe_string.h #include string_wrappers.h, make users of
string_wrappers.h include it explicitly.

includes.h now no longer includes string_wrappers.h transitively. Still
allow includes.h to #include safe_string.h for now so that as many
modules as possible get the safety checks in it.

Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-28 00:56:34 +00:00
Volker Lendecke
a74946e300 winbind: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-01-08 03:40:27 +01:00
Volker Lendecke
58f76ab137 winbindd: Use dom_sid_str_buf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-12-20 23:40:25 +01:00
Volker Lendecke
c2ea100777 lib: Pass mem_ctx to state_path()
Fix a confusing API: Many places TALLOC_FREE the path where it's not
clear you have to do it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-08-17 11:30:11 +02:00
Andreas Schneider
7619442a79 s3:winbindd: Add FALL_THROUGH statements in idmap_autorid.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Christian Ambach
9f5dbdec75 s3:winbindd:idmap_autorid remove a stray comment
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed May  3 03:35:34 CEST 2017 on sn-devel-144
2017-05-03 03:35:34 +02:00
Jeremy Allison
306783d6f5 lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
Not currently used - no logic changes inside.

This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.

Updated all known module interface numbers, and added a
WHATSNEW.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-22 01:17:00 +02:00
Volker Lendecke
55546fe458 idmap_autorid: Use idmap_config_int
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Mar 20 23:28:38 CET 2017 on sn-devel-144
2017-03-20 23:28:37 +01:00
Volker Lendecke
0b05785de6 idmap_autorid: Use idmap_config_bool
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2017-03-20 19:36:22 +01:00
Stefan Metzmacher
e015748657 idmap_autorid: allocate new domain range if the callers knows the sid is valid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12613

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar  8 04:06:59 CET 2017 on sn-devel-144
2017-03-08 04:06:59 +01:00
Volker Lendecke
3d875e7e9e idmap_autorid: Add the error string in a debug
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2016-12-27 14:21:28 +01:00
Volker Lendecke
a04cec5c62 idmap_autorid: Use acquire_range directly
idmap_autorid_get_domainrange is reading again for an existing mapping. We
know we need to allocate here, so avoid passing down that r/o boolean :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
ba231d250a idmap_autorid: Fix checks for valid domains to allocate ranges for
The tdc cache is not reliable. The main dynamic check is
netsamlogon_cache_have: The only reliable way to see a domain as valid
for allocating a range for is a successful login. With a recent addition
to netsamlogon_cache_store, we can now reliably tell from there whether
a domain is trusted.

This also adds a few heuristic checks, such as allocation for the local
domains and additional ranges where we already have a mapping for range
index 0 for.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
55daaf10dd idmap_autorid: Add ntstatus to a debug message
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
9fe42eb58e idmap_autorid: Only look at the tdc cache when allocating ranges
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
4cfd824fd3 idmap_autorid: Do a readonly attempt before looking at the tdc cache
If autorid.tdb already has a mapping for a domain range, we can just
return that. Even if the volatile tdc cache at this point does not have
the domain, we should return a correct mapping.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
941d235f70 idmap_autorid: idmap_autorid_sid_to_id_rid only uses rangesize from "global"
Simplification -- from the callers perspective looks like a complex
routine which it is not

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:20 +01:00
Volker Lendecke
3ae832de47 idmap_autorid: idmap_autorid_sid_to_id_rid only uses low_id from "range"
Simplification -- from the callers perspective looks like a complex
routine which it is not

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:19 +01:00
Volker Lendecke
f5c9f27e62 idmap_autorid: Tighten idmap_autorid_id_to_sid a bit
We should only allow '#' as a sid/range-number separator in autorid.tdb.

The logic might be a bit clumsy. But the switch statement with failure
fall thru was the clearest I could come up with.

Signed-off-by: Volker Lendecke <vl@samba.org>
2016-12-16 17:38:19 +01:00
Volker Lendecke
751f598043 idmap_autorid: Fix a comment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:19 +01:00
Volker Lendecke
f1c126c2f6 idmap_autorid: Protect against dsize==0
Not sure it can happen, but you never know...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:19 +01:00
Volker Lendecke
5ee846fabf idmap_autorid: Slightly simplify idmap_autorid_unixids_to_sids
Avoid an else branch where it's not necessary

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-12-16 17:38:19 +01:00
Volker Lendecke
5bded5b483 idmap_autorid: dom_sid_parse_endp always initializes "endp" when ok
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-06 20:24:22 +01:00
Volker Lendecke
61d5009888 idmap_autorid: Add a {} pair in an if-statement
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-06 20:24:22 +01:00
Volker Lendecke
980f8cfe30 idmap_autorid: Protect against corrupt databases
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-07 22:16:20 +01:00
Volker Lendecke
5652810295 idmap_autorid: Fix a use-after-free
Parsing the domain_range_index references data.dptr

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-07 22:16:20 +01:00
Stefan Metzmacher
bbd82b0fee s3:winbindd/idmap_*: make function prototypes available via static_decl_idmap;
This allows the static build of the modules.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-08-20 16:06:21 +02:00
David Disseldorp
364d55ccab idmap_autorid: don't leak state_path onto talloc tos
Also check for allocation failures.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-03 23:46:05 +01:00
Michael Adam
2372bd7d0c autorid: Add allocation from above in alloc range for well known sids
This way, we achieve a better determinism for the id mappings
of the well knowns without wasting a separate range.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Apr 25 17:52:10 CEST 2014 on sn-devel-104
2014-04-25 17:52:10 +02:00
Michael Adam
90d9445da4 autorid: use dbwrap_trans_do() in idmap_autorid_sid_to_id_alloc()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
a1adc881cf autorid: reserve 500 IDs at the top of the ALLOC range.
The wellknowns are now allocated into this sub-range.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
57e49d90f2 autorid: reverse order of arguments of idmap_autorid_sid_to_id_alloc()
for consistency

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
3f1297f363 autorid: introduce idmap_autorid_domsid_is_for_alloc()
Currently, this checks if the sid is a wellknown domain sid.
But the code reads more nicely and more domains might be added
in the future.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
eaf770a611 autorid: factor idmap_autorid_sid_to_id() out of idmap_autorid_sids_to_unixids()
- reduces indentation
- unifies error code paths and bumping counters
- makes the code more easy to read

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
64e267c2fe autorid: make the checks for bumping num_mapped identical for alloc and rid case
in idmap_autorid_sids_to_unixids()

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
5d7b1363f0 autorid: explicitly return NTSTATUS_OK in idmap_autorid_sid_to_id_alloc().
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
79a245808c autorid: more explicitly and reasonably set map->state in idmap_autorid_sid_to_id_alloc
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
e32f6a278d autorid: rename idmap_autorid_sid_to_id() -> idmap_autorid_sid_to_id_rid()
For consistency. This is the function that does the calculation
if the sid is treated by a rid range.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
31241beec6 autorid: rename idmap_autorid_map_sid_to_id() -> idmap_autorid_sid_to_id_alloc()
for consistency. this is the sid->id function for the alloc range.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
22f712628b autorid: rename idmap_autorid_map_id_to_sid() -> idmap_autorid_id_to_sid_alloc()
for consistency. This is the function that maps id to sid
for the alloc range.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
5d9d4c73d7 autorid: factor idmap_autorid_get_alloc_range() out of idmap_autorid_allocate_id()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
04a4dc961e autorid: improve a debug message in idmap_autorid_map_sid_to_id()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:09 +02:00
Michael Adam
840813793a autorid: remove a legacy comment from sid_to_id
With the introduction of the ID_TYPE_BOTH mapping
to idmap_autorid, it is not a deficiency but a
virtue of the autorid backend that it does not
care about the existence or type of the
sid to be mapped.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-25 15:35:08 +02:00
Michael Adam
375d46791c autorid: use the db argument in the initialize traverse action.
By a copy and paste error, the global autorid_db was used.
This was not currently a problem in behaviour, because this
autorid_db is passed as the argument.

This change fixes the callback function for consistency.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr  3 08:36:55 CEST 2014 on sn-devel-104
2014-04-03 08:36:55 +02:00
Michael Adam
5cf6e9c852 autorid: make the whole initialization atomic with one transaction.
Originally, there were several writing operations:

- store the range HWM
- store the alloc uid HWM
- store the alloc gid HWM
- store the config
- create mappings for a whole list of wellknown sids

Each of these consisted of its own transaction,
the wellknown preallocation even of one transaction per sid.

This change wrapps all of these in one big transaction.
Thereby making the whole initialization atomic, and
with respect to the creation of the wellknown mappings
also more deterministic.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr  3 02:41:25 CEST 2014 on sn-devel-104
2014-04-03 02:41:25 +02:00
Michael Adam
fc987cf289 autorid: initialize: fix typo in and further improve a debug message.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-04-03 00:26:28 +02:00
Michael Adam
e9796edaa8 autorid: initialize: use the split db_open and init_hwms function instead of db_init
This way, we can later put all of the storing functions inside one transaction.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-04-03 00:26:28 +02:00
Michael Adam
90d8e0f8bc autorid: initialize: open the autorid db as late as possible.
But make sure to link the db context to commonconfig afterwards.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-04-03 00:26:28 +02:00