2 Unix SMB/CIFS implementation.
4 Copyright (C) Simo Sorce 2003
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.*/
23 #define DBGC_CLASS DBGC_IDMAP
25 /**********************************************************************
26 **********************************************************************/
28 BOOL idmap_get_free_ugid_range(uint32 *low, uint32 *high)
33 if (!lp_idmap_uid(&u_low, &u_high) || !lp_idmap_gid(&g_low, &g_high)) {
37 *low = (u_low < g_low) ? u_low : g_low;
38 *high = (u_high < g_high) ? u_high : g_high;
43 /******************************************************************
44 Get the the non-algorithmic RID range if idmap range are defined
45 ******************************************************************/
47 BOOL idmap_get_free_rid_range(uint32 *low, uint32 *high)
49 uint32 id_low, id_high;
51 if (!lp_enable_rid_algorithm()) {
56 if (!idmap_get_free_ugid_range(&id_low, &id_high)) {
60 *low = fallback_pdb_uid_to_user_rid(id_low);
61 if (fallback_pdb_user_rid_to_uid((uint32)-1) < id_high) {
64 *high = fallback_pdb_uid_to_user_rid(id_high);
70 /**********************************************************************
71 Get the free RID base if idmap is configured, otherwise return 0
72 **********************************************************************/
74 uint32 idmap_get_free_rid_base(void)
77 if (idmap_get_free_rid_range(&low, &high)) {
83 /**********************************************************************
84 **********************************************************************/
86 BOOL idmap_check_ugid_is_in_free_range(uint32 id)
90 if (!idmap_get_free_ugid_range(&low, &high)) {
93 if (id < low || id > high) {
99 /**********************************************************************
100 **********************************************************************/
102 BOOL idmap_check_rid_is_in_free_range(uint32 rid)
106 if (!idmap_get_free_rid_range(&low, &high)) {
109 if (rid < algorithmic_rid_base()) {
113 if (rid < low || rid > high) {
120 /**********************************************************************
121 if it is a foreign SID or if the SID is in the free range, return true
122 **********************************************************************/
124 BOOL idmap_check_sid_is_in_free_range(const DOM_SID *sid)
126 if (sid_compare_domain(get_global_sam_sid(), sid) == 0) {
130 if (sid_peek_rid(sid, &rid)) {
131 return idmap_check_rid_is_in_free_range(rid);
140 /*****************************************************************
142 *****************************************************************/
144 NTSTATUS idmap_uid_to_sid(DOM_SID *sid, uid_t uid)
149 DEBUG(10,("idmap_uid_to_sid: uid = [%d]\n", uid));
154 return idmap_get_sid_from_id(sid, id, flags);
157 /*****************************************************************
158 Group mapping is used for gids that maps to Wellknown SIDs
160 *****************************************************************/
162 NTSTATUS idmap_gid_to_sid(DOM_SID *sid, gid_t gid)
167 DEBUG(10,("idmap_gid_to_sid: gid = [%d]\n", gid));
171 if (!idmap_check_ugid_is_in_free_range(gid)) {
172 flags |= ID_QUERY_ONLY;
176 return idmap_get_sid_from_id(sid, id, flags);
179 /*****************************************************************
180 if it is a foreign sid or it is in idmap rid range check idmap,
181 otherwise falls back to the legacy algorithmic mapping.
182 Returns True if this name is a user sid and the conversion
183 was done correctly, False if not.
184 *****************************************************************/
186 NTSTATUS idmap_sid_to_uid(const DOM_SID *sid, uid_t *uid, uint32 flags)
188 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
191 DEBUG(10,("idmap_sid_to_uid: sid = [%s]\n", sid_string_static(sid)));
195 ret = idmap_get_id_from_sid(&id, &flags, sid);
197 if ( NT_STATUS_IS_OK(ret) ) {
198 DEBUG(10,("idmap_sid_to_uid: uid = [%d]\n", id.uid));
206 /*****************************************************************
207 *THE CANONICAL* convert SID to gid function.
208 if it is a foreign sid or it is in idmap rid range check idmap,
209 otherwise falls back to the legacy algorithmic mapping.
210 Group mapping is used for gids that maps to Wellknown SIDs
211 Returns True if this name is a user sid and the conversion
212 was done correctly, False if not.
213 *****************************************************************/
215 NTSTATUS idmap_sid_to_gid(const DOM_SID *sid, gid_t *gid, uint32 flags)
217 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
220 DEBUG(10,("sid_to_gid: sid = [%s]\n", sid_string_static(sid)));
224 ret = idmap_get_id_from_sid(&id, &flags, sid);
226 if ( NT_STATUS_IS_OK(ret) )
228 DEBUG(10,("idmap_sid_to_gid: gid = [%d]\n", id.gid));
236 /***************************************************************************
237 Check first, call set_mapping if it doesn't already exist.
238 ***************************************************************************/
240 static NTSTATUS wellknown_id_init(DOM_SID *sid, unid_t id, int flags)
243 int qflags = flags | ID_QUERY_ONLY;
245 if (!NT_STATUS_IS_OK(idmap_get_id_from_sid(&storedid, &qflags, sid))) {
246 return idmap_set_mapping(sid, id, flags);
248 if (flags == ID_USERID && id.uid != storedid.uid) {
249 DEBUG(0,("wellknown_id_init: WARNING ! Stored uid %u for SID %s is not the same as the requested uid %u\n",
250 (unsigned int)storedid.uid, sid_string_static(sid), (unsigned int)id.uid ));
251 DEBUG(0,("wellknown_id_init: Attempting to overwrite old mapping with new.\n"));
252 return idmap_set_mapping(sid, id, flags);
253 } else if (flags == ID_GROUPID && id.gid != storedid.gid) {
254 DEBUG(0,("wellknown_id_init: WARNING ! Stored gid %u for SID %s is not the same as the requested gid %u\n",
255 (unsigned int)storedid.gid, sid_string_static(sid), (unsigned int)id.gid ));
256 DEBUG(0,("wellknown_id_init: Attempting to overwrite old mapping with new.\n"));
257 return idmap_set_mapping(sid, id, flags);
263 /***************************************************************************
264 Initialize idmap withWellknown SIDs like Guest, that are necessary
265 to make samba run properly.
266 ***************************************************************************/
268 BOOL idmap_init_wellknown_sids(void)
270 const char *guest_account = lp_guestaccount();
278 if (!(guest_account && *guest_account)) {
279 DEBUG(1, ("NULL guest account!?!?\n"));
283 pass = getpwnam_alloc(guest_account);
288 /* Fill in the SID for the guest account. */
289 id.uid = pass->pw_uid;
290 sid_copy(&sid, get_global_sam_sid());
291 sid_append_rid(&sid, DOMAIN_USER_RID_GUEST);
293 if (!NT_STATUS_IS_OK(wellknown_id_init(&sid, id, ID_USERID))) {
294 DEBUG(0, ("Failed to setup UID mapping for GUEST (%s) to (%u)\n",
295 sid_to_string(sid_string, &sid), (unsigned int)id.uid));
300 /* check if DOMAIN_GROUP_RID_GUESTS SID is set, if not store the
301 * guest account gid as mapping */
302 id.gid = pass->pw_gid;
303 sid_copy(&sid, get_global_sam_sid());
304 sid_append_rid(&sid, DOMAIN_GROUP_RID_GUESTS);
305 if (!NT_STATUS_IS_OK(wellknown_id_init(&sid, id, ID_GROUPID))) {
306 DEBUG(0, ("Failed to setup GID mapping for Group DOMAIN GUESTS (%s) to (%u)\n",
307 sid_to_string(sid_string, &sid), (unsigned int)id.gid));
313 /* now fill in group mappings */
314 if(pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED)) {
317 for (i = 0; i < num_entries; i++) {
319 wellknown_id_init(&map[i].sid, id, ID_GROUPID);
324 /* Fill in the SID for the administrator account. */
326 sid_copy(&sid, get_global_sam_sid());
327 sid_append_rid(&sid, DOMAIN_USER_RID_ADMIN);
329 if (!NT_STATUS_IS_OK(wellknown_id_init(&sid, id, ID_USERID))) {
330 DEBUG(0, ("Failed to setup UID mapping for ADMINISTRATOR (%s) to (%u)\n",
331 sid_to_string(sid_string, &sid), (unsigned int)id.uid));