mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
cc146adb26
Optimization for 'idmap backend = ldap': When asking sid2id for the wrong
type, don't ask ldap when we have the opposite mapping in the local tdb.
Volker
(This used to be commit c91cff3bd3
)
505 lines
13 KiB
C
505 lines
13 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
|
|
Winbind daemon - sid related functions
|
|
|
|
Copyright (C) Tim Potter 2000
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 2 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; if not, write to the Free Software
|
|
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "winbindd.h"
|
|
|
|
#undef DBGC_CLASS
|
|
#define DBGC_CLASS DBGC_WINBIND
|
|
|
|
/* Convert a string */
|
|
|
|
enum winbindd_result winbindd_lookupsid(struct winbindd_cli_state *state)
|
|
{
|
|
enum SID_NAME_USE type;
|
|
DOM_SID sid;
|
|
fstring name;
|
|
fstring dom_name;
|
|
|
|
/* Ensure null termination */
|
|
state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
|
|
|
|
DEBUG(3, ("[%5lu]: lookupsid %s\n", (unsigned long)state->pid,
|
|
state->request.data.sid));
|
|
|
|
/* Lookup sid from PDC using lsa_lookup_sids() */
|
|
|
|
if (!string_to_sid(&sid, state->request.data.sid)) {
|
|
DEBUG(5, ("%s not a SID\n", state->request.data.sid));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
/* Lookup the sid */
|
|
|
|
if (!winbindd_lookup_name_by_sid(&sid, dom_name, name, &type)) {
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
fstrcpy(state->response.data.name.dom_name, dom_name);
|
|
fstrcpy(state->response.data.name.name, name);
|
|
|
|
state->response.data.name.type = type;
|
|
|
|
return WINBINDD_OK;
|
|
}
|
|
|
|
|
|
/**
|
|
* Look up the SID for a qualified name.
|
|
**/
|
|
enum winbindd_result winbindd_lookupname(struct winbindd_cli_state *state)
|
|
{
|
|
enum SID_NAME_USE type;
|
|
fstring sid_str;
|
|
char *name_domain, *name_user;
|
|
DOM_SID sid;
|
|
struct winbindd_domain *domain;
|
|
char *p;
|
|
|
|
/* Ensure null termination */
|
|
state->request.data.sid[sizeof(state->request.data.name.dom_name)-1]='\0';
|
|
|
|
/* Ensure null termination */
|
|
state->request.data.sid[sizeof(state->request.data.name.name)-1]='\0';
|
|
|
|
/* cope with the name being a fully qualified name */
|
|
p = strstr(state->request.data.name.name, lp_winbind_separator());
|
|
if (p) {
|
|
*p = 0;
|
|
name_domain = state->request.data.name.name;
|
|
name_user = p+1;
|
|
} else {
|
|
name_domain = state->request.data.name.dom_name;
|
|
name_user = state->request.data.name.name;
|
|
}
|
|
|
|
DEBUG(3, ("[%5lu]: lookupname %s%s%s\n", (unsigned long)state->pid,
|
|
name_domain, lp_winbind_separator(), name_user));
|
|
|
|
if ((domain = find_lookup_domain_from_name(name_domain)) == NULL) {
|
|
DEBUG(0, ("could not find domain entry for domain %s\n",
|
|
name_domain));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
/* Lookup name from PDC using lsa_lookup_names() */
|
|
if (!winbindd_lookup_sid_by_name(domain, name_domain, name_user, &sid, &type)) {
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
sid_to_string(sid_str, &sid);
|
|
fstrcpy(state->response.data.sid.sid, sid_str);
|
|
state->response.data.sid.type = type;
|
|
|
|
return WINBINDD_OK;
|
|
}
|
|
|
|
/* Convert a sid to a uid. We assume we only have one rid attached to the
|
|
sid. */
|
|
|
|
enum winbindd_result winbindd_sid_to_uid(struct winbindd_cli_state *state)
|
|
{
|
|
DOM_SID sid;
|
|
NTSTATUS result;
|
|
|
|
/* Ensure null termination */
|
|
state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
|
|
|
|
DEBUG(3, ("[%5lu]: sid to uid %s\n", (unsigned long)state->pid,
|
|
state->request.data.sid));
|
|
|
|
if (!string_to_sid(&sid, state->request.data.sid)) {
|
|
DEBUG(1, ("Could not get convert sid %s from string\n", state->request.data.sid));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
/* This gets a little tricky. If we assume that usernames are syncd between
|
|
/etc/passwd and the windows domain (such as a member of a Samba domain),
|
|
the we need to get the uid from the OS and not alocate one ourselves */
|
|
|
|
if ( lp_winbind_trusted_domains_only() ) {
|
|
struct winbindd_domain *domain = NULL;
|
|
DOM_SID sid2;
|
|
uint32 rid;
|
|
|
|
domain = find_our_domain();
|
|
if ( !domain ) {
|
|
DEBUG(0,("winbindd_sid_to_uid: can't find my own domain!\n"));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
sid_copy( &sid2, &sid );
|
|
sid_split_rid( &sid2, &rid );
|
|
|
|
if ( sid_equal( &sid2, &domain->sid ) ) {
|
|
|
|
fstring domain_name;
|
|
fstring user;
|
|
enum SID_NAME_USE type;
|
|
struct passwd *pw = NULL;
|
|
unid_t id;
|
|
|
|
/* ok...here's we know that we are dealing with our
|
|
own domain (the one to which we are joined). And
|
|
we know that there must be a UNIX account for this user.
|
|
So we lookup the sid and the call getpwnam().*/
|
|
|
|
|
|
/* But first check and see if we don't already have a mapping */
|
|
|
|
if ( NT_STATUS_IS_OK(idmap_sid_to_uid(&sid, &(state->response.data.uid), ID_QUERY_ONLY)) )
|
|
return WINBINDD_OK;
|
|
|
|
/* now fall back to the hard way */
|
|
|
|
if ( !winbindd_lookup_name_by_sid(&sid, domain_name, user, &type) )
|
|
return WINBINDD_ERROR;
|
|
|
|
if ( !(pw = getpwnam(user)) ) {
|
|
DEBUG(0,("winbindd_sid_to_uid: 'winbind trusted domains only' is "
|
|
"set but this user [%s] doesn't exist!\n", user));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
state->response.data.uid = pw->pw_uid;
|
|
|
|
id.uid = pw->pw_uid;
|
|
idmap_set_mapping( &sid, id, ID_USERID );
|
|
|
|
return WINBINDD_OK;
|
|
}
|
|
|
|
}
|
|
|
|
/* Find uid for this sid and return it */
|
|
|
|
result = idmap_sid_to_uid(&sid, &(state->response.data.uid),
|
|
ID_QUERY_ONLY);
|
|
|
|
if (NT_STATUS_IS_OK(result))
|
|
return WINBINDD_OK;
|
|
|
|
if (state->request.flags & WBFLAG_QUERY_ONLY)
|
|
return WINBINDD_ERROR;
|
|
|
|
/* The query-only did not work, allocate a new uid *if* it's a user */
|
|
|
|
{
|
|
fstring dom_name, name;
|
|
enum SID_NAME_USE type;
|
|
|
|
if (!winbindd_lookup_name_by_sid(&sid, dom_name, name, &type))
|
|
return WINBINDD_ERROR;
|
|
|
|
if ((type != SID_NAME_USER) && (type != SID_NAME_COMPUTER))
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
result = idmap_sid_to_uid(&sid, &(state->response.data.uid), 0);
|
|
|
|
if (NT_STATUS_IS_OK(result))
|
|
return WINBINDD_OK;
|
|
|
|
DEBUG(4, ("Could not get uid for sid %s\n", state->request.data.sid));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
/* Convert a sid to a gid. We assume we only have one rid attached to the
|
|
sid.*/
|
|
|
|
enum winbindd_result winbindd_sid_to_gid(struct winbindd_cli_state *state)
|
|
{
|
|
DOM_SID sid;
|
|
NTSTATUS result;
|
|
|
|
/* Ensure null termination */
|
|
state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
|
|
|
|
DEBUG(3, ("[%5lu]: sid to gid %s\n", (unsigned long)state->pid,
|
|
state->request.data.sid));
|
|
|
|
if (!string_to_sid(&sid, state->request.data.sid)) {
|
|
DEBUG(1, ("Could not cvt string to sid %s\n", state->request.data.sid));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
/* This gets a little tricky. If we assume that usernames are syncd between
|
|
/etc/passwd and the windows domain (such as a member of a Samba domain),
|
|
the we need to get the uid from the OS and not alocate one ourselves */
|
|
|
|
if ( lp_winbind_trusted_domains_only() ) {
|
|
struct winbindd_domain *domain = NULL;
|
|
DOM_SID sid2;
|
|
uint32 rid;
|
|
unid_t id;
|
|
|
|
domain = find_our_domain();
|
|
if ( !domain ) {
|
|
DEBUG(0,("winbindd_sid_to_uid: can't find my own domain!\n"));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
sid_copy( &sid2, &sid );
|
|
sid_split_rid( &sid2, &rid );
|
|
|
|
if ( sid_equal( &sid2, &domain->sid ) ) {
|
|
|
|
fstring domain_name;
|
|
fstring group;
|
|
enum SID_NAME_USE type;
|
|
struct group *grp = NULL;
|
|
|
|
/* ok...here's we know that we are dealing with our
|
|
own domain (the one to which we are joined). And
|
|
we know that there must be a UNIX account for this group.
|
|
So we lookup the sid and the call getpwnam().*/
|
|
|
|
/* But first check and see if we don't already have a mapping */
|
|
|
|
if ( NT_STATUS_IS_OK(idmap_sid_to_gid(&sid, &(state->response.data.gid), ID_QUERY_ONLY)) )
|
|
return WINBINDD_OK;
|
|
|
|
/* now fall back to the hard way */
|
|
|
|
if ( !winbindd_lookup_name_by_sid(&sid, domain_name, group, &type) )
|
|
return WINBINDD_ERROR;
|
|
|
|
if ( !(grp = getgrnam(group)) ) {
|
|
DEBUG(0,("winbindd_sid_to_uid: 'winbind trusted domains only' is "
|
|
"set but this group [%s] doesn't exist!\n", group));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
state->response.data.gid = grp->gr_gid;
|
|
|
|
id.gid = grp->gr_gid;
|
|
idmap_set_mapping( &sid, id, ID_GROUPID );
|
|
|
|
return WINBINDD_OK;
|
|
}
|
|
|
|
}
|
|
|
|
/* Find gid for this sid and return it */
|
|
|
|
result = idmap_sid_to_gid(&sid, &(state->response.data.gid),
|
|
ID_QUERY_ONLY);
|
|
|
|
if (NT_STATUS_IS_OK(result))
|
|
return WINBINDD_OK;
|
|
|
|
if (state->request.flags & WBFLAG_QUERY_ONLY)
|
|
return WINBINDD_ERROR;
|
|
|
|
/* The query-only did not work, allocate a new gid *if* it's a group */
|
|
|
|
{
|
|
fstring dom_name, name;
|
|
enum SID_NAME_USE type;
|
|
|
|
if (sid_check_is_in_our_domain(&sid)) {
|
|
/* This is for half-created aliases... */
|
|
type = SID_NAME_ALIAS;
|
|
} else {
|
|
/* Foreign domains need to be looked up by the DC if
|
|
* it's the right type */
|
|
if (!winbindd_lookup_name_by_sid(&sid, dom_name, name,
|
|
&type))
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
|
|
(type != SID_NAME_WKN_GRP))
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
result = idmap_sid_to_gid(&sid, &(state->response.data.gid), 0);
|
|
|
|
if (NT_STATUS_IS_OK(result))
|
|
return WINBINDD_OK;
|
|
|
|
DEBUG(4, ("Could not get gid for sid %s\n", state->request.data.sid));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
/* Convert a uid to a sid */
|
|
|
|
enum winbindd_result winbindd_uid_to_sid(struct winbindd_cli_state *state)
|
|
{
|
|
DOM_SID sid;
|
|
|
|
DEBUG(3, ("[%5lu]: uid to sid %lu\n", (unsigned long)state->pid,
|
|
(unsigned long)state->request.data.uid));
|
|
|
|
if ( (state->request.data.uid < server_state.uid_low )
|
|
|| (state->request.data.uid > server_state.uid_high) )
|
|
{
|
|
struct passwd *pw = NULL;
|
|
enum SID_NAME_USE type;
|
|
unid_t id;
|
|
struct winbindd_domain *domain;
|
|
|
|
/* SPECIAL CASE FOR MEMBERS OF SAMBA DOMAINS */
|
|
|
|
/* if we don't trust /etc/password then when can't know
|
|
anything about this uid */
|
|
|
|
if ( !lp_winbind_trusted_domains_only() )
|
|
return WINBINDD_ERROR;
|
|
|
|
|
|
/* look for an idmap entry first */
|
|
|
|
if ( NT_STATUS_IS_OK(idmap_uid_to_sid(&sid, state->request.data.uid)) )
|
|
goto done;
|
|
|
|
/* if users exist in /etc/passwd, we should try to
|
|
use that uid. Get the username and the lookup the SID */
|
|
|
|
if ( !(pw = getpwuid(state->request.data.uid)) )
|
|
return WINBINDD_ERROR;
|
|
|
|
if ( !(domain = find_our_domain()) ) {
|
|
DEBUG(0,("winbindd_uid_to_sid: can't find my own domain!\n"));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
if ( !winbindd_lookup_sid_by_name(domain, domain->name, pw->pw_name, &sid, &type) )
|
|
return WINBINDD_ERROR;
|
|
|
|
if ( type != SID_NAME_USER )
|
|
return WINBINDD_ERROR;
|
|
|
|
/* don't fail if we can't store it */
|
|
|
|
id.uid = pw->pw_uid;
|
|
idmap_set_mapping( &sid, id, ID_USERID );
|
|
|
|
goto done;
|
|
}
|
|
|
|
/* Lookup rid for this uid */
|
|
|
|
if (!NT_STATUS_IS_OK(idmap_uid_to_sid(&sid, state->request.data.uid))) {
|
|
DEBUG(1, ("Could not convert uid %lu to rid\n",
|
|
(unsigned long)state->request.data.uid));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
done:
|
|
sid_to_string(state->response.data.sid.sid, &sid);
|
|
state->response.data.sid.type = SID_NAME_USER;
|
|
|
|
return WINBINDD_OK;
|
|
}
|
|
|
|
/* Convert a gid to a sid */
|
|
|
|
enum winbindd_result winbindd_gid_to_sid(struct winbindd_cli_state *state)
|
|
{
|
|
DOM_SID sid;
|
|
|
|
DEBUG(3, ("[%5lu]: gid to sid %lu\n", (unsigned long)state->pid,
|
|
(unsigned long)state->request.data.gid));
|
|
|
|
if ( (state->request.data.gid < server_state.gid_low)
|
|
|| (state->request.data.gid > server_state.gid_high) )
|
|
{
|
|
struct group *grp = NULL;
|
|
enum SID_NAME_USE type;
|
|
unid_t id;
|
|
struct winbindd_domain *domain;
|
|
|
|
/* SPECIAL CASE FOR MEMBERS OF SAMBA DOMAINS */
|
|
|
|
/* if we don't trust /etc/group then when can't know
|
|
anything about this gid */
|
|
|
|
if ( !lp_winbind_trusted_domains_only() )
|
|
return WINBINDD_ERROR;
|
|
|
|
/* look for an idmap entry first */
|
|
|
|
if ( NT_STATUS_IS_OK(idmap_gid_to_sid(&sid, state->request.data.gid)) )
|
|
goto done;
|
|
|
|
/* if users exist in /etc/group, we should try to
|
|
use that gid. Get the username and the lookup the SID */
|
|
|
|
if ( !(grp = getgrgid(state->request.data.gid)) )
|
|
return WINBINDD_ERROR;
|
|
|
|
if ( !(domain = find_our_domain()) ) {
|
|
DEBUG(0,("winbindd_uid_to_sid: can't find my own domain!\n"));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
if ( !winbindd_lookup_sid_by_name(domain, domain->name, grp->gr_name, &sid, &type) )
|
|
return WINBINDD_ERROR;
|
|
|
|
if ( type!=SID_NAME_DOM_GRP && type!=SID_NAME_ALIAS )
|
|
return WINBINDD_ERROR;
|
|
|
|
/* don't fail if we can't store it */
|
|
|
|
id.gid = grp->gr_gid;
|
|
idmap_set_mapping( &sid, id, ID_GROUPID );
|
|
|
|
goto done;
|
|
}
|
|
|
|
/* Lookup sid for this uid */
|
|
|
|
if (!NT_STATUS_IS_OK(idmap_gid_to_sid(&sid, state->request.data.gid))) {
|
|
DEBUG(1, ("Could not convert gid %lu to sid\n",
|
|
(unsigned long)state->request.data.gid));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
done:
|
|
/* Construct sid and return it */
|
|
sid_to_string(state->response.data.sid.sid, &sid);
|
|
state->response.data.sid.type = SID_NAME_DOM_GRP;
|
|
|
|
return WINBINDD_OK;
|
|
}
|
|
|
|
enum winbindd_result winbindd_allocate_rid(struct winbindd_cli_state *state)
|
|
{
|
|
if ( !state->privileged ) {
|
|
DEBUG(2, ("winbindd_allocate_rid: non-privileged access "
|
|
"denied!\n"));
|
|
return WINBINDD_ERROR;
|
|
}
|
|
|
|
/* We tell idmap to always allocate a user RID. There might be a good
|
|
* reason to keep RID allocation for users to even and groups to
|
|
* odd. This needs discussion I think. For now only allocate user
|
|
* rids. */
|
|
|
|
if (!NT_STATUS_IS_OK(idmap_allocate_rid(&state->response.data.rid,
|
|
USER_RID_TYPE)))
|
|
return WINBINDD_ERROR;
|
|
|
|
return WINBINDD_OK;
|
|
}
|