2 Unix SMB/CIFS implementation.
4 common functions for TDB based idmapping backends
6 Copyright (C) Christian Ambach 2012
8 These functions were initially copied over from idmap_tdb.c and idmap_tdb2.c
11 Copyright (C) Tim Potter 2000
12 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
13 Copyright (C) Jeremy Allison 2006
14 Copyright (C) Simo Sorce 2003-2006
15 Copyright (C) Michael Adam 2009-2010
16 Copyright (C) Andrew Tridgell 2007
18 This program is free software; you can redistribute it and/or modify
19 it under the terms of the GNU General Public License as published by
20 the Free Software Foundation; either version 2 of the License, or
21 (at your option) any later version.
23 This program is distributed in the hope that it will be useful,
24 but WITHOUT ANY WARRANTY; without even the implied warranty of
25 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 GNU General Public License for more details.
28 You should have received a copy of the GNU General Public License
29 along with this program; if not, write to the Free Software
30 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
34 #include "idmap_tdb_common.h"
35 #include "dbwrap/dbwrap.h"
38 #include "../libcli/security/dom_sid.h"
41 #define DBGC_CLASS DBGC_IDMAP
43 struct idmap_tdb_common_allocate_id_context {
50 static NTSTATUS idmap_tdb_common_allocate_id_action(struct db_context *db,
54 struct idmap_tdb_common_allocate_id_context *state = private_data;
57 ret = dbwrap_fetch_uint32_bystring(db, state->hwmkey, &hwm);
58 if (!NT_STATUS_IS_OK(ret)) {
59 ret = NT_STATUS_INTERNAL_DB_ERROR;
63 /* check it is in the range */
64 if (hwm > state->high_hwm) {
65 DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
66 state->hwmtype, (unsigned long)state->high_hwm));
67 ret = NT_STATUS_UNSUCCESSFUL;
71 /* fetch a new id and increment it */
72 ret = dbwrap_change_uint32_atomic_bystring(db, state->hwmkey, &hwm, 1);
73 if (!NT_STATUS_IS_OK(ret)) {
74 DEBUG(1, ("Fatal error while fetching a new %s value\n!",
79 /* recheck it is in the range */
80 if (hwm > state->high_hwm) {
81 DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
82 state->hwmtype, (unsigned long)state->high_hwm));
83 ret = NT_STATUS_UNSUCCESSFUL;
94 static NTSTATUS idmap_tdb_common_allocate_id(struct idmap_domain *dom,
101 struct idmap_tdb_common_allocate_id_context state;
102 struct idmap_tdb_common_context *ctx;
105 talloc_get_type_abort(dom->private_data,
106 struct idmap_tdb_common_context);
108 /* Get current high water mark */
112 hwmkey = ctx->hwmkey_uid;
117 hwmkey = ctx->hwmkey_gid;
123 * This is not supported here yet and
124 * already handled in idmap_rw_new_mapping()
127 case ID_TYPE_NOT_SPECIFIED:
129 * This is handled in idmap_rw_new_mapping()
133 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
134 return NT_STATUS_INVALID_PARAMETER;
138 state.high_hwm = ctx->max_id;
139 state.hwmtype = hwmtype;
140 state.hwmkey = hwmkey;
142 status = dbwrap_trans_do(ctx->db, idmap_tdb_common_allocate_id_action,
145 if (NT_STATUS_IS_OK(status)) {
147 DEBUG(10, ("New %s = %d\n", hwmtype, state.hwm));
149 DEBUG(1, ("Error allocating a new %s\n", hwmtype));
156 * Allocate a new unix-ID.
157 * For now this is for the default idmap domain only.
158 * Should be extended later on.
160 NTSTATUS idmap_tdb_common_get_new_id(struct idmap_domain * dom,
165 if (!strequal(dom->name, "*")) {
166 DEBUG(3, ("idmap_tdb_common_get_new_id: "
167 "Refusing allocation of a new unixid for domain'%s'. "
168 "Currently only supported for the default "
169 "domain \"*\".\n", dom->name));
170 return NT_STATUS_NOT_IMPLEMENTED;
173 ret = idmap_tdb_common_allocate_id(dom, id);
179 * store a mapping in the database.
182 struct idmap_tdb_common_set_mapping_context {
187 static NTSTATUS idmap_tdb_common_set_mapping_action(struct db_context *db,
192 struct idmap_tdb_common_set_mapping_context *state = private_data;
193 TALLOC_CTX *tmp_ctx = talloc_stackframe();
195 DEBUG(10, ("Storing %s <-> %s map\n", state->ksidstr, state->kidstr));
197 /* check whether sid mapping is already present in db */
198 ret = dbwrap_fetch_bystring(db, tmp_ctx, state->ksidstr, &data);
199 if (NT_STATUS_IS_OK(ret)) {
200 ret = NT_STATUS_OBJECT_NAME_COLLISION;
204 ret = dbwrap_store_bystring(db, state->ksidstr,
205 string_term_tdb_data(state->kidstr),
207 if (!NT_STATUS_IS_OK(ret)) {
208 DEBUG(0, ("Error storing SID -> ID: %s\n", nt_errstr(ret)));
212 ret = dbwrap_store_bystring(db, state->kidstr,
213 string_term_tdb_data(state->ksidstr),
215 if (!NT_STATUS_IS_OK(ret)) {
216 DEBUG(0, ("Error storing ID -> SID: %s\n", nt_errstr(ret)));
217 /* try to remove the previous stored SID -> ID map */
218 dbwrap_delete_bystring(db, state->ksidstr);
222 DEBUG(10, ("Stored %s <-> %s\n", state->ksidstr, state->kidstr));
225 talloc_free(tmp_ctx);
229 NTSTATUS idmap_tdb_common_set_mapping(struct idmap_domain * dom,
230 const struct id_map * map)
232 struct idmap_tdb_common_context *ctx;
233 struct idmap_tdb_common_set_mapping_context state;
235 struct dom_sid_buf ksidstr;
238 if (!map || !map->sid) {
239 return NT_STATUS_INVALID_PARAMETER;
242 /* TODO: should we filter a set_mapping using low/high filters ? */
245 talloc_get_type_abort(dom->private_data,
246 struct idmap_tdb_common_context);
248 switch (map->xid.type) {
252 talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
257 talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
261 DEBUG(2, ("INVALID unix ID type: 0x%02x\n", map->xid.type));
262 return NT_STATUS_INVALID_PARAMETER;
265 if (kidstr == NULL) {
266 DEBUG(0, ("ERROR: Out of memory!\n"));
267 ret = NT_STATUS_NO_MEMORY;
271 state.ksidstr = dom_sid_str_buf(map->sid, &ksidstr);
272 state.kidstr = kidstr;
274 ret = dbwrap_trans_do(ctx->db, idmap_tdb_common_set_mapping_action,
283 * Create a new mapping for an unmapped SID, also allocating a new ID.
284 * This should be run inside a transaction.
287 * Properly integrate this with multi domain idmap config:
288 * Currently, the allocator is default-config only.
290 NTSTATUS idmap_tdb_common_new_mapping(struct idmap_domain * dom,
294 struct idmap_tdb_common_context *ctx;
297 talloc_get_type_abort(dom->private_data,
298 struct idmap_tdb_common_context);
300 ret = idmap_rw_new_mapping(dom, ctx->rw_ops, map);
306 lookup a set of unix ids
308 NTSTATUS idmap_tdb_common_unixids_to_sids(struct idmap_domain * dom,
309 struct id_map ** ids)
312 size_t i, num_mapped = 0;
313 struct idmap_tdb_common_context *ctx;
315 NTSTATUS(*unixid_to_sid_fn) (struct idmap_domain * dom,
316 struct id_map * map);
318 talloc_get_type_abort(dom->private_data,
319 struct idmap_tdb_common_context);
321 if (ctx->unixid_to_sid_fn == NULL) {
322 unixid_to_sid_fn = idmap_tdb_common_unixid_to_sid;
324 unixid_to_sid_fn = ctx->unixid_to_sid_fn;
327 /* initialize the status to avoid surprise */
328 for (i = 0; ids[i]; i++) {
329 ids[i]->status = ID_UNKNOWN;
332 for (i = 0; ids[i]; i++) {
333 ret = unixid_to_sid_fn(dom, ids[i]);
334 if (!NT_STATUS_IS_OK(ret)) {
336 /* if it is just a failed mapping continue */
337 if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {
339 /* make sure it is marked as unmapped */
340 ids[i]->status = ID_UNMAPPED;
344 /* some fatal error occurred, return immediately */
348 /* all ok, id is mapped */
349 ids[i]->status = ID_MAPPED;
357 if (NT_STATUS_IS_OK(ret)) {
358 if (i == 0 || num_mapped == 0) {
359 ret = NT_STATUS_NONE_MAPPED;
360 } else if (num_mapped < i) {
361 ret = STATUS_SOME_UNMAPPED;
371 default single id to sid lookup function
373 NTSTATUS idmap_tdb_common_unixid_to_sid(struct idmap_domain * dom,
379 struct idmap_tdb_common_context *ctx;
382 return NT_STATUS_INVALID_PARAMETER;
386 talloc_get_type_abort(dom->private_data,
387 struct idmap_tdb_common_context);
389 /* apply filters before checking */
390 if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
392 ("Requested id (%u) out of range (%u - %u). Filtered!\n",
393 map->xid.id, dom->low_id, dom->high_id));
394 return NT_STATUS_NONE_MAPPED;
397 switch (map->xid.type) {
401 talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
406 talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
410 DEBUG(2, ("INVALID unix ID type: 0x%02x\n", map->xid.type));
411 return NT_STATUS_INVALID_PARAMETER;
414 if (keystr == NULL) {
415 DEBUG(0, ("Out of memory!\n"));
416 ret = NT_STATUS_NO_MEMORY;
420 DEBUG(10, ("Fetching record %s\n", keystr));
422 /* Check if the mapping exists */
423 ret = dbwrap_fetch_bystring(ctx->db, keystr, keystr, &data);
425 if (!NT_STATUS_IS_OK(ret)) {
426 DEBUG(10, ("Record %s not found\n", keystr));
427 ret = NT_STATUS_NONE_MAPPED;
431 if ((data.dsize == 0) || (data.dptr[data.dsize-1] != '\0')) {
432 DBG_DEBUG("Invalid record length %zu\n", data.dsize);
433 ret = NT_STATUS_INTERNAL_DB_ERROR;
437 if (!string_to_sid(map->sid, (const char *)data.dptr)) {
438 DEBUG(10, ("INVALID SID (%s) in record %s\n",
439 (const char *)data.dptr, keystr));
440 ret = NT_STATUS_INTERNAL_DB_ERROR;
444 DEBUG(10, ("Found record %s -> %s\n", keystr, (const char *)data.dptr));
452 /**********************************
453 Single sid to id lookup function.
454 **********************************/
456 NTSTATUS idmap_tdb_common_sid_to_unixid(struct idmap_domain * dom,
461 struct dom_sid_buf keystr;
462 unsigned long rec_id = 0;
463 struct idmap_tdb_common_context *ctx;
464 TALLOC_CTX *tmp_ctx = talloc_stackframe();
467 talloc_free(tmp_ctx);
468 return NT_STATUS_INVALID_PARAMETER;
472 talloc_get_type_abort(dom->private_data,
473 struct idmap_tdb_common_context);
475 dom_sid_str_buf(map->sid, &keystr);
477 DEBUG(10, ("Fetching record %s\n", keystr.buf));
479 /* Check if sid is present in database */
480 ret = dbwrap_fetch_bystring(ctx->db, tmp_ctx, keystr.buf, &data);
481 if (!NT_STATUS_IS_OK(ret)) {
482 DEBUG(10, ("Record %s not found\n", keystr.buf));
483 ret = NT_STATUS_NONE_MAPPED;
487 /* What type of record is this ? */
488 if (sscanf((const char *)data.dptr, "UID %lu", &rec_id) == 1) {
489 /* Try a UID record. */
490 map->xid.id = rec_id;
491 map->xid.type = ID_TYPE_UID;
493 ("Found uid record %s -> %s \n", keystr.buf,
494 (const char *)data.dptr));
497 } else if (sscanf((const char *)data.dptr, "GID %lu", &rec_id) == 1) {
498 /* Try a GID record. */
499 map->xid.id = rec_id;
500 map->xid.type = ID_TYPE_GID;
502 ("Found gid record %s -> %s \n", keystr.buf,
503 (const char *)data.dptr));
506 } else { /* Unknown record type ! */
508 ("Found INVALID record %s -> %s\n", keystr.buf,
509 (const char *)data.dptr));
510 ret = NT_STATUS_INTERNAL_DB_ERROR;
514 /* apply filters before returning result */
515 if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
517 ("Requested id (%u) out of range (%u - %u). Filtered!\n",
518 map->xid.id, dom->low_id, dom->high_id));
519 ret = NT_STATUS_NONE_MAPPED;
523 talloc_free(tmp_ctx);
527 /**********************************
529 **********************************/
531 struct idmap_tdb_common_sids_to_unixids_context {
532 struct idmap_domain *dom;
534 bool allocate_unmapped;
535 NTSTATUS(*sid_to_unixid_fn) (struct idmap_domain * dom,
536 struct id_map * map);
539 static NTSTATUS idmap_tdb_common_sids_to_unixids_action(struct db_context *db,
542 struct idmap_tdb_common_sids_to_unixids_context *state = private_data;
543 size_t i, num_mapped = 0, num_required = 0;
544 NTSTATUS ret = NT_STATUS_OK;
546 DEBUG(10, ("idmap_tdb_common_sids_to_unixids: "
547 " domain: [%s], allocate: %s\n",
548 state->dom->name, state->allocate_unmapped ? "yes" : "no"));
550 for (i = 0; state->ids[i]; i++) {
551 if ((state->ids[i]->status == ID_UNKNOWN) ||
552 /* retry if we could not map in previous run: */
553 (state->ids[i]->status == ID_UNMAPPED)) {
556 ret2 = state->sid_to_unixid_fn(state->dom,
559 if (!NT_STATUS_IS_OK(ret2)) {
561 /* if it is just a failed mapping, continue */
563 (ret2, NT_STATUS_NONE_MAPPED)) {
565 /* make sure it is marked as unmapped */
566 state->ids[i]->status = ID_UNMAPPED;
567 ret = STATUS_SOME_UNMAPPED;
570 * some fatal error occurred,
577 /* all ok, id is mapped */
578 state->ids[i]->status = ID_MAPPED;
582 if (state->ids[i]->status == ID_MAPPED) {
586 if ((state->ids[i]->status == ID_UNMAPPED) &&
587 state->allocate_unmapped) {
589 idmap_tdb_common_new_mapping(state->dom,
591 DBG_DEBUG("idmap_tdb_common_new_mapping returned %s\n",
593 if (NT_STATUS_EQUAL(ret, STATUS_SOME_UNMAPPED)) {
594 if (state->ids[i]->status == ID_REQUIRE_TYPE) {
599 if (!NT_STATUS_IS_OK(ret)) {
600 ret = STATUS_SOME_UNMAPPED;
609 if (NT_STATUS_IS_OK(ret) ||
610 NT_STATUS_EQUAL(ret, STATUS_SOME_UNMAPPED)) {
611 if (i == 0 || num_mapped == 0) {
612 ret = NT_STATUS_NONE_MAPPED;
613 } else if (num_mapped < i) {
614 ret = STATUS_SOME_UNMAPPED;
618 if (num_required > 0) {
619 ret = STATUS_SOME_UNMAPPED;
626 NTSTATUS idmap_tdb_common_sids_to_unixids(struct idmap_domain * dom,
627 struct id_map ** ids)
631 struct idmap_tdb_common_sids_to_unixids_context state;
632 struct idmap_tdb_common_context *ctx;
635 talloc_get_type_abort(dom->private_data,
636 struct idmap_tdb_common_context);
638 /* initialize the status to avoid surprise */
639 for (i = 0; ids[i]; i++) {
640 ids[i]->status = ID_UNKNOWN;
645 state.allocate_unmapped = false;
646 if (ctx->sid_to_unixid_fn == NULL) {
647 state.sid_to_unixid_fn = idmap_tdb_common_sid_to_unixid;
649 state.sid_to_unixid_fn = ctx->sid_to_unixid_fn;
652 ret = idmap_tdb_common_sids_to_unixids_action(ctx->db, &state);
654 if ( (NT_STATUS_EQUAL(ret, STATUS_SOME_UNMAPPED) ||
655 NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) &&
657 state.allocate_unmapped = true;
658 ret = dbwrap_trans_do(ctx->db,
659 idmap_tdb_common_sids_to_unixids_action,