-/*
+/*
Unix SMB/CIFS implementation.
idmap NSS backend
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_IDMAP
+struct idmap_nss_context {
+ struct idmap_domain *dom;
+ bool use_upn;
+};
+
+static int idmap_nss_context_destructor(struct idmap_nss_context *ctx)
+{
+ if ((ctx->dom != NULL) && (ctx->dom->private_data == ctx)) {
+ ctx->dom->private_data = NULL;
+ }
+ return 0;
+}
+
+static NTSTATUS idmap_nss_context_create(TALLOC_CTX *mem_ctx,
+ struct idmap_domain *dom,
+ struct idmap_nss_context **pctx)
+{
+ struct idmap_nss_context *ctx = NULL;
+
+ ctx = talloc_zero(mem_ctx, struct idmap_nss_context);
+ if (ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ ctx->dom = dom;
+
+ talloc_set_destructor(ctx, idmap_nss_context_destructor);
+
+ ctx->use_upn = idmap_config_bool(dom->name, "use_upn", false);
+
+ *pctx = ctx;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_nss_get_context(struct idmap_domain *dom,
+ struct idmap_nss_context **pctx)
+{
+ struct idmap_nss_context *ctx = NULL;
+ NTSTATUS status;
+
+ if (dom->private_data != NULL) {
+ *pctx = talloc_get_type_abort(dom->private_data,
+ struct idmap_nss_context);
+ return NT_STATUS_OK;
+ }
+
+ status = idmap_nss_context_create(dom, dom, &ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("idmap_nss_context_create failed: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+
+ dom->private_data = ctx;
+ *pctx = ctx;
+ return NT_STATUS_OK;
+}
+
/*****************************
Initialise idmap database.
*****************************/
static NTSTATUS idmap_nss_int_init(struct idmap_domain *dom)
{
+ struct idmap_nss_context *ctx = NULL;
+ NTSTATUS status;
+
+ status = idmap_nss_context_create(dom, dom, &ctx);
+ if (NT_STATUS_IS_ERR(status)) {
+ return status;
+ }
+
+ dom->private_data = ctx;
+
+ return status;
+}
+
+static NTSTATUS idmap_nss_lookup_name(const char *namespace,
+ const char *username,
+ struct dom_sid *sid,
+ enum lsa_SidType *type)
+{
+ bool ret;
+
+ /*
+ * By default calls to winbindd are disabled
+ * the following call will not recurse so this is safe
+ */
+ (void)winbind_on();
+ ret = winbind_lookup_name(namespace, username, sid, type);
+ (void)winbind_off();
+
+ if (!ret) {
+ DBG_NOTICE("Failed to lookup name [%s] in namespace [%s]\n",
+ username, namespace);
+ return NT_STATUS_NOT_FOUND;
+ }
+
return NT_STATUS_OK;
}
static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
{
+ struct idmap_nss_context *ctx = NULL;
+ NTSTATUS status;
int i;
+ status = idmap_nss_get_context(dom, &ctx);
+ if (NT_STATUS_IS_ERR(status)) {
+ DBG_WARNING("Failed to get idmap nss context: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+
/* initialize the status to avoid surprise */
for (i = 0; ids[i]; i++) {
ids[i]->status = ID_UNKNOWN;
const char *name;
struct dom_sid sid;
enum lsa_SidType type;
- bool ret;
switch (ids[i]->xid.type) {
case ID_TYPE_UID:
continue;
}
- /* by default calls to winbindd are disabled
- the following call will not recurse so this is safe */
- (void)winbind_on();
/* Lookup name from PDC using lsa_lookup_names() */
- ret = winbind_lookup_name(dom->name, name, &sid, &type);
- (void)winbind_off();
+ if (ctx->use_upn) {
+ char *p = NULL;
+ const char *namespace = NULL;
+ const char *domname = NULL;
+ const char *domuser = NULL;
+
+ p = strstr(name, lp_winbind_separator());
+ if (p != NULL) {
+ *p = '\0';
+ domname = name;
+ namespace = domname;
+ domuser = p + 1;
+ } else {
+ p = strchr(name, '@');
+ if (p != NULL) {
+ *p = '\0';
+ namespace = p + 1;
+ domname = "";
+ domuser = name;
+ } else {
+ namespace = dom->name;
+ domuser = name;
+ }
+ }
- if (!ret) {
- /* TODO: how do we know if the name is really not mapped,
- * or something just failed ? */
+ DBG_DEBUG("Using namespace [%s] from UPN instead "
+ "of [%s] to lookup the name [%s]\n",
+ namespace, dom->name, domuser);
+
+ status = idmap_nss_lookup_name(namespace,
+ domuser,
+ &sid,
+ &type);
+ } else {
+ status = idmap_nss_lookup_name(dom->name,
+ name,
+ &sid,
+ &type);
+ }
+
+ if (NT_STATUS_IS_ERR(status)) {
+ /*
+ * TODO: how do we know if the name is really
+ * not mapped, or something just failed ?
+ */
ids[i]->status = ID_UNMAPPED;
continue;
}
static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
{
+ struct idmap_nss_context *ctx = NULL;
+ NTSTATUS status;
int i;
+ status = idmap_nss_get_context(dom, &ctx);
+ if (NT_STATUS_IS_ERR(status)) {
+ DBG_WARNING("Failed to get idmap nss context: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+
/* initialize the status to avoid surprise */
for (i = 0; ids[i]; i++) {
ids[i]->status = ID_UNKNOWN;
const char *_name = NULL;
char *domain = NULL;
char *name = NULL;
+ char *fqdn = NULL;
+ char *sname = NULL;
bool ret;
/* by default calls to winbindd are disabled
continue;
}
+ if (ctx->use_upn) {
+ fqdn = talloc_asprintf(talloc_tos(),
+ "%s%s%s",
+ domain,
+ lp_winbind_separator(),
+ name);
+ if (fqdn == NULL) {
+ DBG_ERR("No memory\n");
+ ids[i]->status = ID_UNMAPPED;
+ continue;
+ }
+ DBG_DEBUG("Using UPN [%s] instead of plain name [%s]\n",
+ fqdn, name);
+ sname = fqdn;
+ } else {
+ sname = name;
+ }
+
switch (type) {
case SID_NAME_USER: {
struct passwd *pw;
/* this will find also all lower case name and use username level */
-
- pw = Get_Pwnam_alloc(talloc_tos(), name);
+ pw = Get_Pwnam_alloc(talloc_tos(), sname);
if (pw) {
ids[i]->xid.id = pw->pw_uid;
ids[i]->xid.type = ID_TYPE_UID;
case SID_NAME_ALIAS:
case SID_NAME_WKN_GRP:
- gr = getgrnam(name);
+ gr = getgrnam(sname);
if (gr) {
ids[i]->xid.id = gr->gr_gid;
ids[i]->xid.type = ID_TYPE_GID;
}
TALLOC_FREE(domain);
TALLOC_FREE(name);
+ TALLOC_FREE(fqdn);
}
return NT_STATUS_OK;
}