2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2006,
5 * Copyright (C) Jean François Micouleau 1998-2001.
6 * Copyright (C) Volker Lendecke 2006.
7 * Copyright (C) Gerald Carter 2006.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 #include "groupdb/mapping.h"
27 static TDB_CONTEXT *tdb; /* used for driver files */
29 static BOOL enum_group_mapping(const DOM_SID *domsid, enum lsa_SidType sid_name_use, GROUP_MAP **pp_rmap,
30 size_t *p_num_entries, BOOL unix_only);
31 static BOOL group_map_remove(const DOM_SID *sid);
33 /****************************************************************************
34 Open the group mapping tdb.
35 ****************************************************************************/
36 static BOOL init_group_mapping(void)
38 const char *vstring = "INFO/version";
40 GROUP_MAP *map_table = NULL;
41 size_t num_entries = 0;
46 tdb = tdb_open_log(lock_path("group_mapping.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
48 DEBUG(0,("Failed to open group mapping database\n"));
52 /* handle a Samba upgrade */
53 tdb_lock_bystring(tdb, vstring);
55 /* Cope with byte-reversed older versions of the db. */
56 vers_id = tdb_fetch_int32(tdb, vstring);
57 if ((vers_id == DATABASE_VERSION_V1) || (IREV(vers_id) == DATABASE_VERSION_V1)) {
58 /* Written on a bigendian machine with old fetch_int code. Save as le. */
59 tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
60 vers_id = DATABASE_VERSION_V2;
63 /* if its an unknown version we remove everthing in the db */
65 if (vers_id != DATABASE_VERSION_V2) {
66 tdb_traverse(tdb, tdb_traverse_delete_fn, NULL);
67 tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
70 tdb_unlock_bystring(tdb, vstring);
72 /* cleanup any map entries with a gid == -1 */
74 if ( enum_group_mapping( NULL, SID_NAME_UNKNOWN, &map_table, &num_entries, False ) ) {
77 for ( i=0; i<num_entries; i++ ) {
78 if ( map_table[i].gid == -1 ) {
79 group_map_remove( &map_table[i].sid );
83 SAFE_FREE( map_table );
90 /****************************************************************************
91 ****************************************************************************/
92 static BOOL add_mapping_entry(GROUP_MAP *map, int flag)
96 fstring string_sid="";
99 sid_to_string(string_sid, &map->sid);
101 len = tdb_pack((uint8 *)buf, sizeof(buf), "ddff",
102 map->gid, map->sid_name_use, map->nt_name, map->comment);
104 if (len > sizeof(buf))
107 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
110 dbuf.dptr = (uint8 *)buf;
111 if (tdb_store_bystring(tdb, key, dbuf, flag) != 0) return False;
117 /****************************************************************************
118 Return the sid and the type of the unix group.
119 ****************************************************************************/
121 static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
128 /* the key is the SID, retrieving is direct */
130 sid_to_string(string_sid, &sid);
131 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
133 dbuf = tdb_fetch_bystring(tdb, key);
137 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
138 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
140 SAFE_FREE(dbuf.dptr);
143 DEBUG(3,("get_group_map_from_sid: tdb_unpack failure\n"));
147 sid_copy(&map->sid, &sid);
152 /****************************************************************************
153 Return the sid and the type of the unix group.
154 ****************************************************************************/
156 static BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map)
158 TDB_DATA kbuf, dbuf, newkey;
162 /* we need to enumerate the TDB to find the GID */
164 for (kbuf = tdb_firstkey(tdb);
166 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
168 if (strncmp((const char *)kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue;
170 dbuf = tdb_fetch(tdb, kbuf);
174 fstrcpy(string_sid, (const char *)kbuf.dptr+strlen(GROUP_PREFIX));
176 string_to_sid(&map->sid, string_sid);
178 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
179 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
181 SAFE_FREE(dbuf.dptr);
184 DEBUG(3,("get_group_map_from_gid: tdb_unpack failure\n"));
189 SAFE_FREE(kbuf.dptr);
197 /****************************************************************************
198 Return the sid and the type of the unix group.
199 ****************************************************************************/
201 static BOOL get_group_map_from_ntname(const char *name, GROUP_MAP *map)
203 TDB_DATA kbuf, dbuf, newkey;
207 /* we need to enumerate the TDB to find the name */
209 for (kbuf = tdb_firstkey(tdb);
211 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
213 if (strncmp((const char *)kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue;
215 dbuf = tdb_fetch(tdb, kbuf);
219 fstrcpy(string_sid, (const char *)kbuf.dptr+strlen(GROUP_PREFIX));
221 string_to_sid(&map->sid, string_sid);
223 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
224 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
226 SAFE_FREE(dbuf.dptr);
229 DEBUG(3,("get_group_map_from_ntname: tdb_unpack failure\n"));
233 if ( strequal(name, map->nt_name) ) {
234 SAFE_FREE(kbuf.dptr);
242 /****************************************************************************
243 Remove a group mapping entry.
244 ****************************************************************************/
246 static BOOL group_map_remove(const DOM_SID *sid)
252 /* the key is the SID, retrieving is direct */
254 sid_to_string(string_sid, sid);
255 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
257 dbuf = tdb_fetch_bystring(tdb, key);
261 SAFE_FREE(dbuf.dptr);
263 if(tdb_delete_bystring(tdb, key) != TDB_SUCCESS)
269 /****************************************************************************
270 Enumerate the group mapping.
271 ****************************************************************************/
273 static BOOL enum_group_mapping(const DOM_SID *domsid, enum lsa_SidType sid_name_use, GROUP_MAP **pp_rmap,
274 size_t *p_num_entries, BOOL unix_only)
276 TDB_DATA kbuf, dbuf, newkey;
288 for (kbuf = tdb_firstkey(tdb);
290 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
292 if (strncmp((const char *)kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0)
295 dbuf = tdb_fetch(tdb, kbuf);
299 fstrcpy(string_sid, (const char *)kbuf.dptr+strlen(GROUP_PREFIX));
301 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
302 &map.gid, &map.sid_name_use, &map.nt_name, &map.comment);
304 SAFE_FREE(dbuf.dptr);
307 DEBUG(3,("enum_group_mapping: tdb_unpack failure\n"));
311 /* list only the type or everything if UNKNOWN */
312 if (sid_name_use!=SID_NAME_UNKNOWN && sid_name_use!=map.sid_name_use) {
313 DEBUG(11,("enum_group_mapping: group %s is not of the requested type\n", map.nt_name));
317 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
318 DEBUG(11,("enum_group_mapping: group %s is non mapped\n", map.nt_name));
322 string_to_sid(&grpsid, string_sid);
323 sid_copy( &map.sid, &grpsid );
325 sid_split_rid( &grpsid, &rid );
327 /* Only check the domain if we were given one */
329 if ( domsid && !sid_equal( domsid, &grpsid ) ) {
330 DEBUG(11,("enum_group_mapping: group %s is not in domain %s\n",
331 string_sid, sid_string_static(domsid)));
335 DEBUG(11,("enum_group_mapping: returning group %s of "
336 "type %s\n", map.nt_name,
337 sid_type_lookup(map.sid_name_use)));
339 (*pp_rmap) = SMB_REALLOC_ARRAY((*pp_rmap), GROUP_MAP, entries+1);
341 DEBUG(0,("enum_group_mapping: Unable to enlarge group map!\n"));
347 mapt[entries].gid = map.gid;
348 sid_copy( &mapt[entries].sid, &map.sid);
349 mapt[entries].sid_name_use = map.sid_name_use;
350 fstrcpy(mapt[entries].nt_name, map.nt_name);
351 fstrcpy(mapt[entries].comment, map.comment);
357 *p_num_entries=entries;
362 /* This operation happens on session setup, so it should better be fast. We
363 * store a list of aliases a SID is member of hanging off MEMBEROF/SID. */
365 static NTSTATUS one_alias_membership(const DOM_SID *member,
366 DOM_SID **sids, size_t *num)
368 fstring key, string_sid;
372 sid_to_string(string_sid, member);
373 slprintf(key, sizeof(key), "%s%s", MEMBEROF_PREFIX, string_sid);
375 dbuf = tdb_fetch_bystring(tdb, key);
377 if (dbuf.dptr == NULL) {
381 p = (const char *)dbuf.dptr;
383 while (next_token(&p, string_sid, " ", sizeof(string_sid))) {
387 if (!string_to_sid(&alias, string_sid))
390 if (!add_sid_to_array_unique(NULL, &alias, sids, num)) {
391 return NT_STATUS_NO_MEMORY;
395 SAFE_FREE(dbuf.dptr);
399 static NTSTATUS alias_memberships(const DOM_SID *members, size_t num_members,
400 DOM_SID **sids, size_t *num)
407 for (i=0; i<num_members; i++) {
408 NTSTATUS status = one_alias_membership(&members[i], sids, num);
409 if (!NT_STATUS_IS_OK(status))
415 static BOOL is_aliasmem(const DOM_SID *alias, const DOM_SID *member)
420 /* This feels the wrong way round, but the on-disk data structure
421 * dictates it this way. */
422 if (!NT_STATUS_IS_OK(alias_memberships(member, 1, &sids, &num)))
425 for (i=0; i<num; i++) {
426 if (sid_compare(alias, &sids[i]) == 0) {
436 static NTSTATUS add_aliasmem(const DOM_SID *alias, const DOM_SID *member)
442 char *new_memberstring;
445 if (!get_group_map_from_sid(*alias, &map))
446 return NT_STATUS_NO_SUCH_ALIAS;
448 if ( (map.sid_name_use != SID_NAME_ALIAS) &&
449 (map.sid_name_use != SID_NAME_WKN_GRP) )
450 return NT_STATUS_NO_SUCH_ALIAS;
452 if (is_aliasmem(alias, member))
453 return NT_STATUS_MEMBER_IN_ALIAS;
455 sid_to_string(string_sid, member);
456 slprintf(key, sizeof(key), "%s%s", MEMBEROF_PREFIX, string_sid);
458 dbuf = tdb_fetch_bystring(tdb, key);
460 sid_to_string(string_sid, alias);
462 if (dbuf.dptr != NULL) {
463 asprintf(&new_memberstring, "%s %s", (char *)(dbuf.dptr),
466 new_memberstring = SMB_STRDUP(string_sid);
469 if (new_memberstring == NULL)
470 return NT_STATUS_NO_MEMORY;
472 SAFE_FREE(dbuf.dptr);
473 dbuf = string_term_tdb_data(new_memberstring);
475 result = tdb_store_bystring(tdb, key, dbuf, 0);
477 SAFE_FREE(new_memberstring);
479 return (result == 0 ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED);
482 struct aliasmem_closure {
483 const DOM_SID *alias;
488 static int collect_aliasmem(TDB_CONTEXT *tdb_ctx, TDB_DATA key, TDB_DATA data,
491 struct aliasmem_closure *closure = (struct aliasmem_closure *)state;
493 fstring alias_string;
495 if (strncmp((const char *)key.dptr, MEMBEROF_PREFIX,
496 strlen(MEMBEROF_PREFIX)) != 0)
499 p = (const char *)data.dptr;
501 while (next_token(&p, alias_string, " ", sizeof(alias_string))) {
503 DOM_SID alias, member;
504 const char *member_string;
507 if (!string_to_sid(&alias, alias_string))
510 if (sid_compare(closure->alias, &alias) != 0)
513 /* Ok, we found the alias we're looking for in the membership
514 * list currently scanned. The key represents the alias
515 * member. Add that. */
517 member_string = strchr((const char *)key.dptr, '/');
519 /* Above we tested for MEMBEROF_PREFIX which includes the
522 SMB_ASSERT(member_string != NULL);
525 if (!string_to_sid(&member, member_string))
528 if (!add_sid_to_array(NULL, &member, closure->sids, closure->num)) {
537 static NTSTATUS enum_aliasmem(const DOM_SID *alias, DOM_SID **sids, size_t *num)
540 struct aliasmem_closure closure;
542 if (!get_group_map_from_sid(*alias, &map))
543 return NT_STATUS_NO_SUCH_ALIAS;
545 if ( (map.sid_name_use != SID_NAME_ALIAS) &&
546 (map.sid_name_use != SID_NAME_WKN_GRP) )
547 return NT_STATUS_NO_SUCH_ALIAS;
552 closure.alias = alias;
556 tdb_traverse(tdb, collect_aliasmem, &closure);
560 static NTSTATUS del_aliasmem(const DOM_SID *alias, const DOM_SID *member)
571 result = alias_memberships(member, 1, &sids, &num);
573 if (!NT_STATUS_IS_OK(result))
576 for (i=0; i<num; i++) {
577 if (sid_compare(&sids[i], alias) == 0) {
585 return NT_STATUS_MEMBER_NOT_IN_ALIAS;
589 sids[i] = sids[num-1];
593 sid_to_string(sid_string, member);
594 slprintf(key, sizeof(key), "%s%s", MEMBEROF_PREFIX, sid_string);
597 return tdb_delete_bystring(tdb, key) == 0 ?
598 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
600 member_string = SMB_STRDUP("");
602 if (member_string == NULL) {
604 return NT_STATUS_NO_MEMORY;
607 for (i=0; i<num; i++) {
608 char *s = member_string;
610 sid_to_string(sid_string, &sids[i]);
611 asprintf(&member_string, "%s %s", s, sid_string);
614 if (member_string == NULL) {
616 return NT_STATUS_NO_MEMORY;
620 dbuf = string_term_tdb_data(member_string);
622 result = tdb_store_bystring(tdb, key, dbuf, 0) == 0 ?
623 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
626 SAFE_FREE(member_string);
632 static const struct mapping_backend tdb_backend = {
633 .add_mapping_entry = add_mapping_entry,
634 .get_group_map_from_sid = get_group_map_from_sid,
635 .get_group_map_from_gid = get_group_map_from_gid,
636 .get_group_map_from_ntname = get_group_map_from_ntname,
637 .group_map_remove = group_map_remove,
638 .enum_group_mapping = enum_group_mapping,
639 .one_alias_membership = one_alias_membership,
640 .add_aliasmem = add_aliasmem,
641 .del_aliasmem = del_aliasmem,
642 .enum_aliasmem = enum_aliasmem
646 initialise the tdb mapping backend
648 const struct mapping_backend *groupdb_tdb_init(void)
650 if (!init_group_mapping()) {
651 DEBUG(0,("Failed to initialise tdb mapping backend\n"));
git.samba.org / samba.git / blob