1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-05 09:18:06 +03:00
samba-mirror/source3/winbindd/idmap_rfc2307.c
Pavel Filipenský 04d4bc5494 s3: Zero memory of idmap_fetch_secret() users
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-08-26 07:59:32 +00:00

849 lines
19 KiB
C

/*
* Unix SMB/CIFS implementation.
*
* Id mapping using LDAP records as defined in RFC 2307
*
* The SID<->uid/gid mapping is performed in two steps: 1) Query the
* AD server for the name<->sid mapping. 2) Query an LDAP server
* according to RFC 2307 for the name<->uid/gid mapping.
*
* Copyright (C) Christof Schmitt 2012,2013
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "winbindd.h"
#include "winbindd_ads.h"
#include "idmap.h"
#include "smbldap.h"
#include "nsswitch/winbind_client.h"
#include "lib/winbind_util.h"
#include "libcli/security/dom_sid.h"
#include "lib/global_contexts.h"
/*
* Config and connection info per domain.
*/
struct idmap_rfc2307_context {
const char *bind_path_user;
const char *bind_path_group;
const char *ldap_domain;
bool user_cn;
const char *realm;
/*
* Pointer to ldap struct in ads or smbldap_state, has to be
* updated after connecting to server
*/
LDAP *ldap;
/* Optional function to check connection to server */
NTSTATUS (*check_connection)(struct idmap_domain *dom);
/* Issue ldap query */
NTSTATUS (*search)(struct idmap_rfc2307_context *ctx,
const char *bind_path, const char *expr,
const char **attrs, LDAPMessage **res);
/* Access to LDAP in AD server */
ADS_STRUCT *ads;
/* Access to stand-alone LDAP server */
struct smbldap_state *smbldap_state;
};
/*
* backend functions for LDAP queries through ADS
*/
static NTSTATUS idmap_rfc2307_ads_check_connection(struct idmap_domain *dom)
{
struct idmap_rfc2307_context *ctx;
const char *dom_name = dom->name;
ADS_STATUS status;
DEBUG(10, ("ad_idmap_cached_connection: called for domain '%s'\n",
dom->name));
ctx = talloc_get_type(dom->private_data, struct idmap_rfc2307_context);
dom_name = ctx->ldap_domain ? ctx->ldap_domain : dom->name;
status = ads_idmap_cached_connection(dom_name, ctx, &ctx->ads);
if (ADS_ERR_OK(status)) {
ctx->ldap = ctx->ads->ldap.ld;
} else {
DEBUG(1, ("Could not connect to domain %s: %s\n", dom->name,
ads_errstr(status)));
}
return ads_ntstatus(status);
}
static NTSTATUS idmap_rfc2307_ads_search(struct idmap_rfc2307_context *ctx,
const char *bind_path,
const char *expr,
const char **attrs,
LDAPMessage **result)
{
ADS_STATUS status;
status = ads_do_search_retry(ctx->ads, bind_path,
LDAP_SCOPE_SUBTREE, expr, attrs, result);
if (!ADS_ERR_OK(status)) {
return ads_ntstatus(status);
}
ctx->ldap = ctx->ads->ldap.ld;
return ads_ntstatus(status);
}
static NTSTATUS idmap_rfc2307_init_ads(struct idmap_rfc2307_context *ctx,
const char *domain_name)
{
const char *ldap_domain;
ctx->search = idmap_rfc2307_ads_search;
ctx->check_connection = idmap_rfc2307_ads_check_connection;
ldap_domain = idmap_config_const_string(domain_name, "ldap_domain",
NULL);
if (ldap_domain) {
ctx->ldap_domain = talloc_strdup(ctx, ldap_domain);
if (ctx->ldap_domain == NULL) {
return NT_STATUS_NO_MEMORY;
}
}
return NT_STATUS_OK;
}
/*
* backend function for LDAP queries through stand-alone LDAP server
*/
static NTSTATUS idmap_rfc2307_ldap_search(struct idmap_rfc2307_context *ctx,
const char *bind_path,
const char *expr,
const char **attrs,
LDAPMessage **result)
{
int ret;
ret = smbldap_search(ctx->smbldap_state, bind_path, LDAP_SCOPE_SUBTREE,
expr, attrs, 0, result);
ctx->ldap = smbldap_get_ldap(ctx->smbldap_state);
if (ret == LDAP_SUCCESS) {
return NT_STATUS_OK;
}
return NT_STATUS_LDAP(ret);
}
static bool idmap_rfc2307_get_uint32(LDAP *ldap, LDAPMessage *entry,
const char *field, uint32_t *value)
{
bool b;
char str[20];
b = smbldap_get_single_attribute(ldap, entry, field, str, sizeof(str));
if (b) {
*value = atoi(str);
}
return b;
}
static NTSTATUS idmap_rfc2307_init_ldap(struct idmap_rfc2307_context *ctx,
const char *domain_name)
{
NTSTATUS ret;
char *url;
char *secret = NULL;
const char *ldap_url, *user_dn;
TALLOC_CTX *mem_ctx = ctx;
ldap_url = idmap_config_const_string(domain_name, "ldap_url", NULL);
if (!ldap_url) {
DEBUG(1, ("ERROR: missing idmap ldap url\n"));
return NT_STATUS_UNSUCCESSFUL;
}
url = talloc_strdup(talloc_tos(), ldap_url);
user_dn = idmap_config_const_string(domain_name, "ldap_user_dn", NULL);
if (user_dn) {
secret = idmap_fetch_secret("ldap", domain_name, user_dn);
if (!secret) {
ret = NT_STATUS_ACCESS_DENIED;
goto done;
}
}
/* assume anonymous if we don't have a specified user */
ret = smbldap_init(mem_ctx, global_event_context(), url,
(user_dn == NULL), user_dn, secret,
&ctx->smbldap_state);
BURN_FREE_STR(secret);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", url));
goto done;
}
ctx->search = idmap_rfc2307_ldap_search;
done:
talloc_free(url);
return ret;
}
/*
* common code for stand-alone LDAP and ADS
*/
static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
TALLOC_CTX *mem_ctx,
struct id_map **ids,
LDAPMessage *result,
const char *dom_name,
const char **attrs, int type)
{
int count, i;
LDAPMessage *entry;
count = ldap_count_entries(ctx->ldap, result);
for (i = 0; i < count; i++) {
char *name;
struct dom_sid sid;
enum lsa_SidType lsa_type;
struct id_map *map;
uint32_t id;
bool b;
if (i == 0) {
entry = ldap_first_entry(ctx->ldap, result);
} else {
entry = ldap_next_entry(ctx->ldap, entry);
}
if (!entry) {
DEBUG(2, ("Unable to fetch entry.\n"));
break;
}
name = smbldap_talloc_single_attribute(ctx->ldap, entry,
attrs[0], mem_ctx);
if (!name) {
DEBUG(1, ("Could not get user name\n"));
continue;
}
b = idmap_rfc2307_get_uint32(ctx->ldap, entry, attrs[1], &id);
if (!b) {
DEBUG(1, ("Could not pull id for record %s\n", name));
continue;
}
map = idmap_find_map_by_id(ids, type, id);
if (!map) {
DEBUG(1, ("Could not find id %d, name %s\n", id, name));
continue;
}
if (ctx->realm != NULL) {
/* Strip @realm from user or group name */
char *delim;
delim = strchr(name, '@');
if (delim) {
*delim = '\0';
}
}
/* by default calls to winbindd are disabled
the following call will not recurse so this is safe */
(void)winbind_on();
/* Lookup name from PDC using lsa_lookup_names() */
b = winbind_lookup_name(dom_name, name, &sid, &lsa_type);
(void)winbind_off();
if (!b) {
DEBUG(1, ("SID lookup failed for id %d, %s\n",
id, name));
continue;
}
if (type == ID_TYPE_UID && lsa_type != SID_NAME_USER) {
DEBUG(1, ("Wrong type %d for user name %s\n",
type, name));
continue;
}
if (type == ID_TYPE_GID && lsa_type != SID_NAME_DOM_GRP &&
lsa_type != SID_NAME_ALIAS &&
lsa_type != SID_NAME_WKN_GRP) {
DEBUG(1, ("Wrong type %d for group name %s\n",
type, name));
continue;
}
map->status = ID_MAPPED;
sid_copy(map->sid, &sid);
}
}
/*
* Map unixids to names and then to sids.
*/
static NTSTATUS idmap_rfc2307_unixids_to_sids(struct idmap_domain *dom,
struct id_map **ids)
{
struct idmap_rfc2307_context *ctx;
char *fltr_usr = NULL, *fltr_grp = NULL;
TALLOC_CTX *mem_ctx;
int cnt_usr = 0, cnt_grp = 0, idx = 0, bidx = 0;
LDAPMessage *result = NULL;
NTSTATUS ret;
ctx = talloc_get_type(dom->private_data, struct idmap_rfc2307_context);
mem_ctx = talloc_new(ctx);
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
if (ctx->check_connection) {
ret = ctx->check_connection(dom);
if (!NT_STATUS_IS_OK(ret)) {
goto out;
}
}
again:
bidx = idx;
if (!fltr_usr) {
/* prepare new user query, see getpwuid() in RFC2307 */
fltr_usr = talloc_asprintf(mem_ctx,
"(&(objectClass=posixAccount)(|");
}
if (!fltr_grp) {
/* prepare new group query, see getgrgid() in RFC2307 */
fltr_grp = talloc_asprintf(mem_ctx,
"(&(objectClass=posixGroup)(|");
}
if (!fltr_usr || !fltr_grp) {
ret = NT_STATUS_NO_MEMORY;
goto out;
}
while (cnt_usr < IDMAP_LDAP_MAX_IDS &&
cnt_grp < IDMAP_LDAP_MAX_IDS && ids[idx]) {
switch (ids[idx]->xid.type) {
case ID_TYPE_UID:
fltr_usr = talloc_asprintf_append_buffer(fltr_usr,
"(uidNumber=%d)", ids[idx]->xid.id);
cnt_usr++;
break;
case ID_TYPE_GID:
fltr_grp = talloc_asprintf_append_buffer(fltr_grp,
"(gidNumber=%d)", ids[idx]->xid.id);
cnt_grp++;
break;
default:
DEBUG(3, ("Error: unknown ID type %d\n",
ids[idx]->xid.type));
ret = NT_STATUS_UNSUCCESSFUL;
goto out;
}
if (!fltr_usr || !fltr_grp) {
ret = NT_STATUS_NO_MEMORY;
goto out;
}
idx++;
}
if (cnt_usr == IDMAP_LDAP_MAX_IDS || (cnt_usr != 0 && !ids[idx])) {
const char *attrs[] = { NULL, /* uid or cn */
"uidNumber",
NULL };
fltr_usr = talloc_strdup_append(fltr_usr, "))");
if (!fltr_usr) {
ret = NT_STATUS_NO_MEMORY;
goto out;
}
attrs[0] = ctx->user_cn ? "cn" : "uid";
ret = ctx->search(ctx, ctx->bind_path_user, fltr_usr, attrs,
&result);
if (!NT_STATUS_IS_OK(ret)) {
goto out;
}
idmap_rfc2307_map_sid_results(ctx, mem_ctx, &ids[bidx], result,
dom->name, attrs, ID_TYPE_UID);
cnt_usr = 0;
TALLOC_FREE(fltr_usr);
}
if (cnt_grp == IDMAP_LDAP_MAX_IDS || (cnt_grp != 0 && !ids[idx])) {
const char *attrs[] = { "cn", "gidNumber", NULL };
fltr_grp = talloc_strdup_append(fltr_grp, "))");
if (!fltr_grp) {
ret = NT_STATUS_NO_MEMORY;
goto out;
}
ret = ctx->search(ctx, ctx->bind_path_group, fltr_grp, attrs,
&result);
if (!NT_STATUS_IS_OK(ret)) {
goto out;
}
idmap_rfc2307_map_sid_results(ctx, mem_ctx, &ids[bidx], result,
dom->name, attrs, ID_TYPE_GID);
cnt_grp = 0;
TALLOC_FREE(fltr_grp);
}
if (ids[idx]) {
goto again;
}
ret = NT_STATUS_OK;
out:
talloc_free(mem_ctx);
return ret;
}
struct idmap_rfc2307_map {
struct id_map *map;
const char *name;
enum id_type type;
};
/*
* Lookup names for SIDS and store the data in the local mapping
* array.
*/
static NTSTATUS idmap_rfc_2307_sids_to_names(TALLOC_CTX *mem_ctx,
struct id_map **ids,
struct idmap_rfc2307_map *maps,
struct idmap_rfc2307_context *ctx)
{
int i;
for (i = 0; ids[i]; i++) {
const char *domain, *name;
enum lsa_SidType lsa_type;
struct id_map *id = ids[i];
struct idmap_rfc2307_map *map = &maps[i];
struct dom_sid_buf buf;
bool b;
/* by default calls to winbindd are disabled
the following call will not recurse so this is safe */
(void)winbind_on();
b = winbind_lookup_sid(mem_ctx, ids[i]->sid, &domain, &name,
&lsa_type);
(void)winbind_off();
if (!b) {
DEBUG(1, ("Lookup sid %s failed.\n",
dom_sid_str_buf(ids[i]->sid, &buf)));
continue;
}
switch(lsa_type) {
case SID_NAME_USER:
id->xid.type = map->type = ID_TYPE_UID;
if (ctx->user_cn && ctx->realm != NULL) {
name = talloc_asprintf(mem_ctx, "%s@%s",
name, ctx->realm);
}
id->xid.type = map->type = ID_TYPE_UID;
break;
case SID_NAME_DOM_GRP:
case SID_NAME_ALIAS:
case SID_NAME_WKN_GRP:
if (ctx->realm != NULL) {
name = talloc_asprintf(mem_ctx, "%s@%s",
name, ctx->realm);
}
id->xid.type = map->type = ID_TYPE_GID;
break;
default:
DEBUG(1, ("Unknown lsa type %d for sid %s\n",
lsa_type,
dom_sid_str_buf(id->sid, &buf)));
id->status = ID_UNMAPPED;
continue;
}
map->map = id;
id->status = ID_UNKNOWN;
map->name = strupper_talloc(mem_ctx, name);
if (!map->name) {
return NT_STATUS_NO_MEMORY;
}
}
return NT_STATUS_OK;
}
/*
* Find id_map entry by looking up the name in the internal
* mapping array.
*/
static struct id_map* idmap_rfc2307_find_map(struct idmap_rfc2307_map *maps,
enum id_type type,
const char *name)
{
int i;
DEBUG(10, ("Looking for name %s, type %d\n", name, type));
for (i = 0; maps[i].map != NULL; i++) {
DEBUG(10, ("Entry %d: name %s, type %d\n",
i, maps[i].name, maps[i].type));
if (type == maps[i].type && strcmp(name, maps[i].name) == 0) {
return maps[i].map;
}
}
return NULL;
}
static void idmap_rfc2307_map_xid_results(struct idmap_rfc2307_context *ctx,
TALLOC_CTX *mem_ctx,
struct idmap_rfc2307_map *maps,
LDAPMessage *result,
struct idmap_domain *dom,
const char **attrs, enum id_type type)
{
int count, i;
LDAPMessage *entry;
count = ldap_count_entries(ctx->ldap, result);
for (i = 0; i < count; i++) {
uint32_t id;
char *name;
bool b;
struct id_map *id_map;
if (i == 0) {
entry = ldap_first_entry(ctx->ldap, result);
} else {
entry = ldap_next_entry(ctx->ldap, entry);
}
if (!entry) {
DEBUG(2, ("Unable to fetch entry.\n"));
break;
}
name = smbldap_talloc_single_attribute(ctx->ldap, entry,
attrs[0], mem_ctx);
if (!name) {
DEBUG(1, ("Could not get user name\n"));
continue;
}
b = idmap_rfc2307_get_uint32(ctx->ldap, entry, attrs[1], &id);
if (!b) {
DEBUG(5, ("Could not pull id for record %s\n", name));
continue;
}
if (!idmap_unix_id_is_in_range(id, dom)) {
DEBUG(5, ("Requested id (%u) out of range (%u - %u).\n",
id, dom->low_id, dom->high_id));
continue;
}
if (!strupper_m(name)) {
DEBUG(5, ("Could not convert %s to uppercase\n", name));
continue;
}
id_map = idmap_rfc2307_find_map(maps, type, name);
if (!id_map) {
DEBUG(0, ("Could not find mapping entry for name %s\n",
name));
continue;
}
id_map->xid.id = id;
id_map->status = ID_MAPPED;
}
}
/*
* Map sids to names and then to unixids.
*/
static NTSTATUS idmap_rfc2307_sids_to_unixids(struct idmap_domain *dom,
struct id_map **ids)
{
struct idmap_rfc2307_context *ctx;
TALLOC_CTX *mem_ctx;
struct idmap_rfc2307_map *int_maps;
int cnt_usr = 0, cnt_grp = 0, idx = 0;
char *fltr_usr = NULL, *fltr_grp = NULL;
NTSTATUS ret;
int i;
ctx = talloc_get_type(dom->private_data, struct idmap_rfc2307_context);
mem_ctx = talloc_new(talloc_tos());
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
if (ctx->check_connection) {
ret = ctx->check_connection(dom);
if (!NT_STATUS_IS_OK(ret)) {
goto out;
}
}
for (i = 0; ids[i]; i++);
int_maps = talloc_zero_array(mem_ctx, struct idmap_rfc2307_map, i);
if (!int_maps) {
ret = NT_STATUS_NO_MEMORY;
goto out;
}
ret = idmap_rfc_2307_sids_to_names(mem_ctx, ids, int_maps, ctx);
if (!NT_STATUS_IS_OK(ret)) {
goto out;
}
again:
if (!fltr_usr) {
/* prepare new user query, see getpwuid() in RFC2307 */
fltr_usr = talloc_asprintf(mem_ctx,
"(&(objectClass=posixAccount)(|");
}
if (!fltr_grp) {
/* prepare new group query, see getgrgid() in RFC2307 */
fltr_grp = talloc_asprintf(mem_ctx,
"(&(objectClass=posixGroup)(|");
}
if (!fltr_usr || !fltr_grp) {
ret = NT_STATUS_NO_MEMORY;
goto out;
}
while (cnt_usr < IDMAP_LDAP_MAX_IDS &&
cnt_grp < IDMAP_LDAP_MAX_IDS && ids[idx]) {
struct id_map *id = ids[idx];
struct idmap_rfc2307_map *map = &int_maps[idx];
switch(id->xid.type) {
case ID_TYPE_UID:
fltr_usr = talloc_asprintf_append_buffer(fltr_usr,
"(%s=%s)", (ctx->user_cn ? "cn" : "uid"),
map->name);
cnt_usr++;
break;
case ID_TYPE_GID:
fltr_grp = talloc_asprintf_append_buffer(fltr_grp,
"(cn=%s)", map->name);
cnt_grp++;
break;
default:
break;
}
if (!fltr_usr || !fltr_grp) {
ret = NT_STATUS_NO_MEMORY;
goto out;
}
idx++;
}
if (cnt_usr == IDMAP_LDAP_MAX_IDS || (cnt_usr != 0 && !ids[idx])) {
const char *attrs[] = { NULL, /* uid or cn */
"uidNumber",
NULL };
LDAPMessage *result;
fltr_usr = talloc_strdup_append(fltr_usr, "))");
if (!fltr_usr) {
ret = NT_STATUS_NO_MEMORY;
goto out;
}
attrs[0] = ctx->user_cn ? "cn" : "uid";
ret = ctx->search(ctx, ctx->bind_path_user, fltr_usr, attrs,
&result);
if (!NT_STATUS_IS_OK(ret)) {
goto out;
}
idmap_rfc2307_map_xid_results(ctx, mem_ctx, int_maps,
result, dom, attrs, ID_TYPE_UID);
cnt_usr = 0;
TALLOC_FREE(fltr_usr);
}
if (cnt_grp == IDMAP_LDAP_MAX_IDS || (cnt_grp != 0 && !ids[idx])) {
const char *attrs[] = {"cn", "gidNumber", NULL };
LDAPMessage *result;
fltr_grp = talloc_strdup_append(fltr_grp, "))");
if (!fltr_grp) {
ret = NT_STATUS_NO_MEMORY;
goto out;
}
ret = ctx->search(ctx, ctx->bind_path_group, fltr_grp, attrs,
&result);
if (!NT_STATUS_IS_OK(ret)) {
goto out;
}
idmap_rfc2307_map_xid_results(ctx, mem_ctx, int_maps, result,
dom, attrs, ID_TYPE_GID);
cnt_grp = 0;
TALLOC_FREE(fltr_grp);
}
if (ids[idx]) {
goto again;
}
ret = NT_STATUS_OK;
out:
talloc_free(mem_ctx);
return ret;
}
static int idmap_rfc2307_context_destructor(struct idmap_rfc2307_context *ctx)
{
TALLOC_FREE(ctx->ads);
if (ctx->smbldap_state != NULL) {
smbldap_free_struct(&ctx->smbldap_state);
}
return 0;
}
static NTSTATUS idmap_rfc2307_initialize(struct idmap_domain *domain)
{
struct idmap_rfc2307_context *ctx;
const char *bind_path_user, *bind_path_group, *ldap_server, *realm;
NTSTATUS status;
ctx = talloc_zero(domain, struct idmap_rfc2307_context);
if (ctx == NULL) {
return NT_STATUS_NO_MEMORY;
}
talloc_set_destructor(ctx, idmap_rfc2307_context_destructor);
bind_path_user = idmap_config_const_string(
domain->name, "bind_path_user", NULL);
if (bind_path_user == NULL) {
status = NT_STATUS_INVALID_PARAMETER;
goto err;
}
ctx->bind_path_user = talloc_strdup(ctx, bind_path_user);
if (ctx->bind_path_user == NULL) {
status = NT_STATUS_NO_MEMORY;
goto err;
}
bind_path_group = idmap_config_const_string(
domain->name, "bind_path_group", NULL);
if (bind_path_group == NULL) {
status = NT_STATUS_INVALID_PARAMETER;
goto err;
}
ctx->bind_path_group = talloc_strdup(ctx, bind_path_group);
if (ctx->bind_path_group == NULL) {
status = NT_STATUS_NO_MEMORY;
goto err;
}
ldap_server = idmap_config_const_string(
domain->name, "ldap_server", NULL);
if (!ldap_server) {
status = NT_STATUS_INVALID_PARAMETER;
goto err;
}
if (strcmp(ldap_server, "stand-alone") == 0) {
status = idmap_rfc2307_init_ldap(ctx, domain->name);
} else if (strcmp(ldap_server, "ad") == 0) {
status = idmap_rfc2307_init_ads(ctx, domain->name);
} else {
status = NT_STATUS_INVALID_PARAMETER;
}
if (!NT_STATUS_IS_OK(status)) {
goto err;
}
realm = idmap_config_const_string(domain->name, "realm", NULL);
if (realm) {
ctx->realm = talloc_strdup(ctx, realm);
if (ctx->realm == NULL) {
status = NT_STATUS_NO_MEMORY;
goto err;
}
}
ctx->user_cn = idmap_config_bool(domain->name, "user_cn", false);
domain->private_data = ctx;
return NT_STATUS_OK;
err:
talloc_free(ctx);
return status;
}
static const struct idmap_methods rfc2307_methods = {
.init = idmap_rfc2307_initialize,
.unixids_to_sids = idmap_rfc2307_unixids_to_sids,
.sids_to_unixids = idmap_rfc2307_sids_to_unixids,
};
static_decl_idmap;
NTSTATUS idmap_rfc2307_init(TALLOC_CTX *ctx)
{
return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "rfc2307",
&rfc2307_methods);
}