1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/source3/nsswitch/winbindd_sid.c
Volker Lendecke cc146adb26 r2691: Increase a debug level for a quite frequent operation.
Optimization for 'idmap backend = ldap': When asking sid2id for the wrong
type, don't ask ldap when we have the opposite mapping in the local tdb.

Volker
(This used to be commit c91cff3bd3)
2007-10-10 10:52:49 -05:00

505 lines
13 KiB
C

/*
Unix SMB/CIFS implementation.
Winbind daemon - sid related functions
Copyright (C) Tim Potter 2000
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#include "winbindd.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
/* Convert a string */
enum winbindd_result winbindd_lookupsid(struct winbindd_cli_state *state)
{
enum SID_NAME_USE type;
DOM_SID sid;
fstring name;
fstring dom_name;
/* Ensure null termination */
state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
DEBUG(3, ("[%5lu]: lookupsid %s\n", (unsigned long)state->pid,
state->request.data.sid));
/* Lookup sid from PDC using lsa_lookup_sids() */
if (!string_to_sid(&sid, state->request.data.sid)) {
DEBUG(5, ("%s not a SID\n", state->request.data.sid));
return WINBINDD_ERROR;
}
/* Lookup the sid */
if (!winbindd_lookup_name_by_sid(&sid, dom_name, name, &type)) {
return WINBINDD_ERROR;
}
fstrcpy(state->response.data.name.dom_name, dom_name);
fstrcpy(state->response.data.name.name, name);
state->response.data.name.type = type;
return WINBINDD_OK;
}
/**
* Look up the SID for a qualified name.
**/
enum winbindd_result winbindd_lookupname(struct winbindd_cli_state *state)
{
enum SID_NAME_USE type;
fstring sid_str;
char *name_domain, *name_user;
DOM_SID sid;
struct winbindd_domain *domain;
char *p;
/* Ensure null termination */
state->request.data.sid[sizeof(state->request.data.name.dom_name)-1]='\0';
/* Ensure null termination */
state->request.data.sid[sizeof(state->request.data.name.name)-1]='\0';
/* cope with the name being a fully qualified name */
p = strstr(state->request.data.name.name, lp_winbind_separator());
if (p) {
*p = 0;
name_domain = state->request.data.name.name;
name_user = p+1;
} else {
name_domain = state->request.data.name.dom_name;
name_user = state->request.data.name.name;
}
DEBUG(3, ("[%5lu]: lookupname %s%s%s\n", (unsigned long)state->pid,
name_domain, lp_winbind_separator(), name_user));
if ((domain = find_lookup_domain_from_name(name_domain)) == NULL) {
DEBUG(0, ("could not find domain entry for domain %s\n",
name_domain));
return WINBINDD_ERROR;
}
/* Lookup name from PDC using lsa_lookup_names() */
if (!winbindd_lookup_sid_by_name(domain, name_domain, name_user, &sid, &type)) {
return WINBINDD_ERROR;
}
sid_to_string(sid_str, &sid);
fstrcpy(state->response.data.sid.sid, sid_str);
state->response.data.sid.type = type;
return WINBINDD_OK;
}
/* Convert a sid to a uid. We assume we only have one rid attached to the
sid. */
enum winbindd_result winbindd_sid_to_uid(struct winbindd_cli_state *state)
{
DOM_SID sid;
NTSTATUS result;
/* Ensure null termination */
state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
DEBUG(3, ("[%5lu]: sid to uid %s\n", (unsigned long)state->pid,
state->request.data.sid));
if (!string_to_sid(&sid, state->request.data.sid)) {
DEBUG(1, ("Could not get convert sid %s from string\n", state->request.data.sid));
return WINBINDD_ERROR;
}
/* This gets a little tricky. If we assume that usernames are syncd between
/etc/passwd and the windows domain (such as a member of a Samba domain),
the we need to get the uid from the OS and not alocate one ourselves */
if ( lp_winbind_trusted_domains_only() ) {
struct winbindd_domain *domain = NULL;
DOM_SID sid2;
uint32 rid;
domain = find_our_domain();
if ( !domain ) {
DEBUG(0,("winbindd_sid_to_uid: can't find my own domain!\n"));
return WINBINDD_ERROR;
}
sid_copy( &sid2, &sid );
sid_split_rid( &sid2, &rid );
if ( sid_equal( &sid2, &domain->sid ) ) {
fstring domain_name;
fstring user;
enum SID_NAME_USE type;
struct passwd *pw = NULL;
unid_t id;
/* ok...here's we know that we are dealing with our
own domain (the one to which we are joined). And
we know that there must be a UNIX account for this user.
So we lookup the sid and the call getpwnam().*/
/* But first check and see if we don't already have a mapping */
if ( NT_STATUS_IS_OK(idmap_sid_to_uid(&sid, &(state->response.data.uid), ID_QUERY_ONLY)) )
return WINBINDD_OK;
/* now fall back to the hard way */
if ( !winbindd_lookup_name_by_sid(&sid, domain_name, user, &type) )
return WINBINDD_ERROR;
if ( !(pw = getpwnam(user)) ) {
DEBUG(0,("winbindd_sid_to_uid: 'winbind trusted domains only' is "
"set but this user [%s] doesn't exist!\n", user));
return WINBINDD_ERROR;
}
state->response.data.uid = pw->pw_uid;
id.uid = pw->pw_uid;
idmap_set_mapping( &sid, id, ID_USERID );
return WINBINDD_OK;
}
}
/* Find uid for this sid and return it */
result = idmap_sid_to_uid(&sid, &(state->response.data.uid),
ID_QUERY_ONLY);
if (NT_STATUS_IS_OK(result))
return WINBINDD_OK;
if (state->request.flags & WBFLAG_QUERY_ONLY)
return WINBINDD_ERROR;
/* The query-only did not work, allocate a new uid *if* it's a user */
{
fstring dom_name, name;
enum SID_NAME_USE type;
if (!winbindd_lookup_name_by_sid(&sid, dom_name, name, &type))
return WINBINDD_ERROR;
if ((type != SID_NAME_USER) && (type != SID_NAME_COMPUTER))
return WINBINDD_ERROR;
}
result = idmap_sid_to_uid(&sid, &(state->response.data.uid), 0);
if (NT_STATUS_IS_OK(result))
return WINBINDD_OK;
DEBUG(4, ("Could not get uid for sid %s\n", state->request.data.sid));
return WINBINDD_ERROR;
}
/* Convert a sid to a gid. We assume we only have one rid attached to the
sid.*/
enum winbindd_result winbindd_sid_to_gid(struct winbindd_cli_state *state)
{
DOM_SID sid;
NTSTATUS result;
/* Ensure null termination */
state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
DEBUG(3, ("[%5lu]: sid to gid %s\n", (unsigned long)state->pid,
state->request.data.sid));
if (!string_to_sid(&sid, state->request.data.sid)) {
DEBUG(1, ("Could not cvt string to sid %s\n", state->request.data.sid));
return WINBINDD_ERROR;
}
/* This gets a little tricky. If we assume that usernames are syncd between
/etc/passwd and the windows domain (such as a member of a Samba domain),
the we need to get the uid from the OS and not alocate one ourselves */
if ( lp_winbind_trusted_domains_only() ) {
struct winbindd_domain *domain = NULL;
DOM_SID sid2;
uint32 rid;
unid_t id;
domain = find_our_domain();
if ( !domain ) {
DEBUG(0,("winbindd_sid_to_uid: can't find my own domain!\n"));
return WINBINDD_ERROR;
}
sid_copy( &sid2, &sid );
sid_split_rid( &sid2, &rid );
if ( sid_equal( &sid2, &domain->sid ) ) {
fstring domain_name;
fstring group;
enum SID_NAME_USE type;
struct group *grp = NULL;
/* ok...here's we know that we are dealing with our
own domain (the one to which we are joined). And
we know that there must be a UNIX account for this group.
So we lookup the sid and the call getpwnam().*/
/* But first check and see if we don't already have a mapping */
if ( NT_STATUS_IS_OK(idmap_sid_to_gid(&sid, &(state->response.data.gid), ID_QUERY_ONLY)) )
return WINBINDD_OK;
/* now fall back to the hard way */
if ( !winbindd_lookup_name_by_sid(&sid, domain_name, group, &type) )
return WINBINDD_ERROR;
if ( !(grp = getgrnam(group)) ) {
DEBUG(0,("winbindd_sid_to_uid: 'winbind trusted domains only' is "
"set but this group [%s] doesn't exist!\n", group));
return WINBINDD_ERROR;
}
state->response.data.gid = grp->gr_gid;
id.gid = grp->gr_gid;
idmap_set_mapping( &sid, id, ID_GROUPID );
return WINBINDD_OK;
}
}
/* Find gid for this sid and return it */
result = idmap_sid_to_gid(&sid, &(state->response.data.gid),
ID_QUERY_ONLY);
if (NT_STATUS_IS_OK(result))
return WINBINDD_OK;
if (state->request.flags & WBFLAG_QUERY_ONLY)
return WINBINDD_ERROR;
/* The query-only did not work, allocate a new gid *if* it's a group */
{
fstring dom_name, name;
enum SID_NAME_USE type;
if (sid_check_is_in_our_domain(&sid)) {
/* This is for half-created aliases... */
type = SID_NAME_ALIAS;
} else {
/* Foreign domains need to be looked up by the DC if
* it's the right type */
if (!winbindd_lookup_name_by_sid(&sid, dom_name, name,
&type))
return WINBINDD_ERROR;
}
if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
(type != SID_NAME_WKN_GRP))
return WINBINDD_ERROR;
}
result = idmap_sid_to_gid(&sid, &(state->response.data.gid), 0);
if (NT_STATUS_IS_OK(result))
return WINBINDD_OK;
DEBUG(4, ("Could not get gid for sid %s\n", state->request.data.sid));
return WINBINDD_ERROR;
}
/* Convert a uid to a sid */
enum winbindd_result winbindd_uid_to_sid(struct winbindd_cli_state *state)
{
DOM_SID sid;
DEBUG(3, ("[%5lu]: uid to sid %lu\n", (unsigned long)state->pid,
(unsigned long)state->request.data.uid));
if ( (state->request.data.uid < server_state.uid_low )
|| (state->request.data.uid > server_state.uid_high) )
{
struct passwd *pw = NULL;
enum SID_NAME_USE type;
unid_t id;
struct winbindd_domain *domain;
/* SPECIAL CASE FOR MEMBERS OF SAMBA DOMAINS */
/* if we don't trust /etc/password then when can't know
anything about this uid */
if ( !lp_winbind_trusted_domains_only() )
return WINBINDD_ERROR;
/* look for an idmap entry first */
if ( NT_STATUS_IS_OK(idmap_uid_to_sid(&sid, state->request.data.uid)) )
goto done;
/* if users exist in /etc/passwd, we should try to
use that uid. Get the username and the lookup the SID */
if ( !(pw = getpwuid(state->request.data.uid)) )
return WINBINDD_ERROR;
if ( !(domain = find_our_domain()) ) {
DEBUG(0,("winbindd_uid_to_sid: can't find my own domain!\n"));
return WINBINDD_ERROR;
}
if ( !winbindd_lookup_sid_by_name(domain, domain->name, pw->pw_name, &sid, &type) )
return WINBINDD_ERROR;
if ( type != SID_NAME_USER )
return WINBINDD_ERROR;
/* don't fail if we can't store it */
id.uid = pw->pw_uid;
idmap_set_mapping( &sid, id, ID_USERID );
goto done;
}
/* Lookup rid for this uid */
if (!NT_STATUS_IS_OK(idmap_uid_to_sid(&sid, state->request.data.uid))) {
DEBUG(1, ("Could not convert uid %lu to rid\n",
(unsigned long)state->request.data.uid));
return WINBINDD_ERROR;
}
done:
sid_to_string(state->response.data.sid.sid, &sid);
state->response.data.sid.type = SID_NAME_USER;
return WINBINDD_OK;
}
/* Convert a gid to a sid */
enum winbindd_result winbindd_gid_to_sid(struct winbindd_cli_state *state)
{
DOM_SID sid;
DEBUG(3, ("[%5lu]: gid to sid %lu\n", (unsigned long)state->pid,
(unsigned long)state->request.data.gid));
if ( (state->request.data.gid < server_state.gid_low)
|| (state->request.data.gid > server_state.gid_high) )
{
struct group *grp = NULL;
enum SID_NAME_USE type;
unid_t id;
struct winbindd_domain *domain;
/* SPECIAL CASE FOR MEMBERS OF SAMBA DOMAINS */
/* if we don't trust /etc/group then when can't know
anything about this gid */
if ( !lp_winbind_trusted_domains_only() )
return WINBINDD_ERROR;
/* look for an idmap entry first */
if ( NT_STATUS_IS_OK(idmap_gid_to_sid(&sid, state->request.data.gid)) )
goto done;
/* if users exist in /etc/group, we should try to
use that gid. Get the username and the lookup the SID */
if ( !(grp = getgrgid(state->request.data.gid)) )
return WINBINDD_ERROR;
if ( !(domain = find_our_domain()) ) {
DEBUG(0,("winbindd_uid_to_sid: can't find my own domain!\n"));
return WINBINDD_ERROR;
}
if ( !winbindd_lookup_sid_by_name(domain, domain->name, grp->gr_name, &sid, &type) )
return WINBINDD_ERROR;
if ( type!=SID_NAME_DOM_GRP && type!=SID_NAME_ALIAS )
return WINBINDD_ERROR;
/* don't fail if we can't store it */
id.gid = grp->gr_gid;
idmap_set_mapping( &sid, id, ID_GROUPID );
goto done;
}
/* Lookup sid for this uid */
if (!NT_STATUS_IS_OK(idmap_gid_to_sid(&sid, state->request.data.gid))) {
DEBUG(1, ("Could not convert gid %lu to sid\n",
(unsigned long)state->request.data.gid));
return WINBINDD_ERROR;
}
done:
/* Construct sid and return it */
sid_to_string(state->response.data.sid.sid, &sid);
state->response.data.sid.type = SID_NAME_DOM_GRP;
return WINBINDD_OK;
}
enum winbindd_result winbindd_allocate_rid(struct winbindd_cli_state *state)
{
if ( !state->privileged ) {
DEBUG(2, ("winbindd_allocate_rid: non-privileged access "
"denied!\n"));
return WINBINDD_ERROR;
}
/* We tell idmap to always allocate a user RID. There might be a good
* reason to keep RID allocation for users to even and groups to
* odd. This needs discussion I think. For now only allocate user
* rids. */
if (!NT_STATUS_IS_OK(idmap_allocate_rid(&state->response.data.rid,
USER_RID_TYPE)))
return WINBINDD_ERROR;
return WINBINDD_OK;
}