2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2006,
5 * Copyright (C) Jean François Micouleau 1998-2001.
6 * Copyright (C) Volker Lendecke 2006.
7 * Copyright (C) Gerald Carter 2006.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, see <http://www.gnu.org/licenses/>.
24 #include "system/filesys.h"
26 #include "groupdb/mapping.h"
27 #include "dbwrap/dbwrap.h"
28 #include "dbwrap/dbwrap_open.h"
30 #include "../libcli/security/security.h"
31 #include "groupdb/mapping_tdb.h"
33 static struct db_context *db; /* used for driver files */
35 static bool enum_group_mapping(const struct dom_sid *domsid,
36 enum lsa_SidType sid_name_use,
38 size_t *p_num_entries,
40 static bool group_map_remove(const struct dom_sid *sid);
42 static bool mapping_switch(const char *ldb_path);
44 /****************************************************************************
45 Open the group mapping tdb.
46 ****************************************************************************/
47 static bool init_group_mapping(void)
56 tdb_path = state_path("group_mapping.tdb");
57 if (tdb_path == NULL) {
60 db = db_open(NULL, tdb_path, 0,
61 TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
62 DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
64 DEBUG(0, ("Failed to open group mapping database: %s\n",
66 talloc_free(tdb_path);
70 ldb_path = state_path("group_mapping.ldb");
71 if (ldb_path == NULL) {
72 talloc_free(tdb_path);
75 if (file_exist(ldb_path) && !mapping_switch(ldb_path)) {
77 talloc_free(tdb_path);
78 talloc_free(ldb_path);
82 /* handle upgrade from old versions of the database */
83 #if 0 /* -- Needs conversion to dbwrap -- */
84 const char *vstring = "INFO/version";
86 GROUP_MAP *map_table = NULL;
87 size_t num_entries = 0;
89 /* handle a Samba upgrade */
90 tdb_lock_bystring(tdb, vstring);
92 /* Cope with byte-reversed older versions of the db. */
93 vers_id = tdb_fetch_int32(tdb, vstring);
94 if ((vers_id == DATABASE_VERSION_V1)
95 || (IREV(vers_id) == DATABASE_VERSION_V1)) {
97 * Written on a bigendian machine with old fetch_int
100 tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
101 vers_id = DATABASE_VERSION_V2;
104 /* if its an unknown version we remove everything in the db */
106 if (vers_id != DATABASE_VERSION_V2) {
108 tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
111 tdb_unlock_bystring(tdb, vstring);
113 /* cleanup any map entries with a gid == -1 */
115 if ( enum_group_mapping( NULL, SID_NAME_UNKNOWN, &map_table,
116 &num_entries, False ) ) {
119 for ( i=0; i<num_entries; i++ ) {
120 if ( map_table[i].gid == -1 ) {
121 group_map_remove( &map_table[i].sid );
125 SAFE_FREE( map_table );
129 talloc_free(tdb_path);
130 talloc_free(ldb_path);
134 static char *group_mapping_key(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
136 char sidstr[DOM_SID_STR_BUFLEN];
139 len = dom_sid_string_buf(sid, sidstr, sizeof(sidstr));
140 if (len >= sizeof(sidstr)) {
144 return talloc_asprintf(mem_ctx, "%s%s", GROUP_PREFIX, sidstr);
147 /****************************************************************************
148 ****************************************************************************/
149 static bool add_mapping_entry(GROUP_MAP *map, int flag)
155 key = group_mapping_key(talloc_tos(), &map->sid);
160 len = tdb_pack(NULL, 0, "ddff",
161 map->gid, map->sid_name_use, map->nt_name, map->comment);
163 buf = talloc_array(key, char, len);
168 len = tdb_pack((uint8_t *)buf, len, "ddff", map->gid,
169 map->sid_name_use, map->nt_name, map->comment);
171 status = dbwrap_trans_store(
172 db, string_term_tdb_data(key),
173 make_tdb_data((uint8_t *)buf, len), TDB_REPLACE);
177 return NT_STATUS_IS_OK(status);
181 /****************************************************************************
182 Return the sid and the type of the unix group.
183 ****************************************************************************/
185 static bool get_group_map_from_sid(struct dom_sid sid, GROUP_MAP *map)
194 /* the key is the SID, retrieving is direct */
196 key = group_mapping_key(talloc_tos(), &sid);
201 status = dbwrap_fetch_bystring(db, key, key, &dbuf);
202 if (!NT_STATUS_IS_OK(status)) {
207 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
208 &map->gid, &map->sid_name_use,
214 DEBUG(3,("get_group_map_from_sid: tdb_unpack failure\n"));
218 sid_copy(&map->sid, &sid);
220 map->nt_name = talloc_strdup(map, nt_name);
224 map->comment = talloc_strdup(map, comment);
232 static bool dbrec2map(const struct db_record *rec, GROUP_MAP *map)
234 TDB_DATA key = dbwrap_record_get_key(rec);
235 TDB_DATA value = dbwrap_record_get_value(rec);
240 if ((key.dsize < strlen(GROUP_PREFIX))
241 || (strncmp((char *)key.dptr, GROUP_PREFIX,
242 GROUP_PREFIX_LEN) != 0)) {
246 if (!string_to_sid(&map->sid, (const char *)key.dptr
247 + GROUP_PREFIX_LEN)) {
251 ret = tdb_unpack(value.dptr, value.dsize, "ddff",
252 &map->gid, &map->sid_name_use,
256 DEBUG(3, ("dbrec2map: tdb_unpack failure\n"));
260 map->nt_name = talloc_strdup(map, nt_name);
264 map->comment = talloc_strdup(map, comment);
272 struct find_map_state {
274 const char *name; /* If != NULL, look for name */
275 gid_t gid; /* valid iff name == NULL */
279 static int find_map(struct db_record *rec, void *private_data)
281 struct find_map_state *state = (struct find_map_state *)private_data;
283 if (!dbrec2map(rec, state->map)) {
284 DEBUG(10, ("failed to unpack map\n"));
288 if (state->name != NULL) {
289 if (strequal(state->name, state->map->nt_name)) {
295 if (state->map->gid == state->gid) {
304 /****************************************************************************
305 Return the sid and the type of the unix group.
306 ****************************************************************************/
308 static bool get_group_map_from_gid(gid_t gid, GROUP_MAP *map)
310 struct find_map_state state;
313 state.name = NULL; /* Indicate we're looking for gid */
317 dbwrap_traverse_read(db, find_map, (void *)&state, NULL);
322 /****************************************************************************
323 Return the sid and the type of the unix group.
324 ****************************************************************************/
326 static bool get_group_map_from_ntname(const char *name, GROUP_MAP *map)
328 struct find_map_state state;
334 dbwrap_traverse_read(db, find_map, (void *)&state, NULL);
339 /****************************************************************************
340 Remove a group mapping entry.
341 ****************************************************************************/
343 static bool group_map_remove(const struct dom_sid *sid)
348 key = group_mapping_key(talloc_tos(), sid);
353 status = dbwrap_trans_delete(db, string_term_tdb_data(key));
356 return NT_STATUS_IS_OK(status);
359 /****************************************************************************
360 Enumerate the group mapping.
361 ****************************************************************************/
363 struct enum_map_state {
364 const struct dom_sid *domsid;
365 enum lsa_SidType sid_name_use;
372 static int collect_map(struct db_record *rec, void *private_data)
374 struct enum_map_state *state = (struct enum_map_state *)private_data;
378 map = talloc_zero(NULL, GROUP_MAP);
380 DEBUG(0, ("Unable to allocate group map!\n"));
384 if (!dbrec2map(rec, map)) {
388 /* list only the type or everything if UNKNOWN */
389 if (state->sid_name_use != SID_NAME_UNKNOWN
390 && state->sid_name_use != map->sid_name_use) {
391 DEBUG(11,("enum_group_mapping: group %s is not of the "
392 "requested type\n", map->nt_name));
397 if ((state->unix_only == ENUM_ONLY_MAPPED) && (map->gid == -1)) {
398 DEBUG(11,("enum_group_mapping: group %s is non mapped\n",
404 if ((state->domsid != NULL) &&
405 (dom_sid_compare_domain(state->domsid, &map->sid) != 0)) {
406 DEBUG(11,("enum_group_mapping: group %s is not in domain\n",
407 sid_string_dbg(&map->sid)));
412 tmp = talloc_realloc(NULL, state->maps, GROUP_MAP *,
413 state->num_maps + 1);
415 DEBUG(0,("enum_group_mapping: Unable to enlarge group "
422 state->maps[state->num_maps] = talloc_move(state->maps, &map);
427 static bool enum_group_mapping(const struct dom_sid *domsid,
428 enum lsa_SidType sid_name_use,
429 GROUP_MAP ***pp_rmap,
430 size_t *p_num_entries, bool unix_only)
432 struct enum_map_state state;
435 state.domsid = domsid;
436 state.sid_name_use = sid_name_use;
437 state.unix_only = unix_only;
441 status = dbwrap_traverse_read(db, collect_map, (void *)&state, NULL);
442 if (!NT_STATUS_IS_OK(status)) {
443 TALLOC_FREE(state.maps);
447 *pp_rmap = state.maps;
448 *p_num_entries = state.num_maps;
453 /* This operation happens on session setup, so it should better be fast. We
454 * store a list of aliases a SID is member of hanging off MEMBEROF/SID. */
456 static NTSTATUS one_alias_membership(const struct dom_sid *member,
457 struct dom_sid **sids, size_t *num)
464 NTSTATUS status = NT_STATUS_OK;
465 TALLOC_CTX *frame = talloc_stackframe();
467 slprintf(key, sizeof(key), "%s%s", MEMBEROF_PREFIX,
468 sid_to_fstring(tmp, member));
470 status = dbwrap_fetch_bystring(db, frame, key, &dbuf);
471 if (!NT_STATUS_IS_OK(status)) {
476 p = (const char *)dbuf.dptr;
478 while (next_token_talloc(frame, &p, &string_sid, " ")) {
479 struct dom_sid alias;
482 if (!string_to_sid(&alias, string_sid))
486 status= add_sid_to_array_unique(NULL, &alias, sids, &num_sids);
487 if (!NT_STATUS_IS_OK(status)) {
498 static NTSTATUS alias_memberships(const struct dom_sid *members, size_t num_members,
499 struct dom_sid **sids, size_t *num)
506 for (i=0; i<num_members; i++) {
507 NTSTATUS status = one_alias_membership(&members[i], sids, num);
508 if (!NT_STATUS_IS_OK(status))
514 static bool is_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
516 struct dom_sid *sids;
520 /* This feels the wrong way round, but the on-disk data structure
521 * dictates it this way. */
522 if (!NT_STATUS_IS_OK(alias_memberships(member, 1, &sids, &num)))
525 for (i=0; i<num; i++) {
526 if (dom_sid_compare(alias, &sids[i]) == 0) {
536 static NTSTATUS add_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
541 char *new_memberstring;
542 struct db_record *rec;
546 map = talloc_zero(talloc_tos(), GROUP_MAP);
548 return NT_STATUS_NO_MEMORY;
551 if (!get_group_map_from_sid(*alias, map)) {
553 return NT_STATUS_NO_SUCH_ALIAS;
556 if ((map->sid_name_use != SID_NAME_ALIAS) &&
557 (map->sid_name_use != SID_NAME_WKN_GRP)) {
559 return NT_STATUS_NO_SUCH_ALIAS;
564 if (is_aliasmem(alias, member))
565 return NT_STATUS_MEMBER_IN_ALIAS;
567 sid_to_fstring(string_sid, member);
569 key = talloc_asprintf(talloc_tos(), "%s%s", MEMBEROF_PREFIX,
572 return NT_STATUS_NO_MEMORY;
575 if (dbwrap_transaction_start(db) != 0) {
576 DEBUG(0, ("transaction_start failed\n"));
577 return NT_STATUS_INTERNAL_DB_CORRUPTION;
580 rec = dbwrap_fetch_locked(db, key, string_term_tdb_data(key));
583 DEBUG(10, ("fetch_lock failed\n"));
585 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
589 value = dbwrap_record_get_value(rec);
591 sid_to_fstring(string_sid, alias);
593 if (value.dptr != NULL) {
594 new_memberstring = talloc_asprintf(
595 key, "%s %s", (char *)(value.dptr), string_sid);
597 new_memberstring = talloc_strdup(key, string_sid);
600 if (new_memberstring == NULL) {
602 status = NT_STATUS_NO_MEMORY;
606 status = dbwrap_record_store(rec, string_term_tdb_data(new_memberstring), 0);
610 if (!NT_STATUS_IS_OK(status)) {
611 DEBUG(10, ("Could not store record: %s\n", nt_errstr(status)));
615 if (dbwrap_transaction_commit(db) != 0) {
616 DEBUG(0, ("transaction_commit failed\n"));
617 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
624 if (dbwrap_transaction_cancel(db) != 0) {
625 smb_panic("transaction_cancel failed");
631 struct aliasmem_state {
633 const struct dom_sid *alias;
634 struct dom_sid **sids;
638 static int collect_aliasmem(struct db_record *rec, void *priv)
640 struct aliasmem_state *state = (struct aliasmem_state *)priv;
644 TDB_DATA key = dbwrap_record_get_key(rec);
645 TDB_DATA value = dbwrap_record_get_value(rec);
647 if (strncmp((const char *)key.dptr, MEMBEROF_PREFIX,
648 MEMBEROF_PREFIX_LEN) != 0)
651 p = (const char *)value.dptr;
653 frame = talloc_stackframe();
655 while (next_token_talloc(frame, &p, &alias_string, " ")) {
656 struct dom_sid alias, member;
657 const char *member_string;
660 if (!string_to_sid(&alias, alias_string))
663 if (dom_sid_compare(state->alias, &alias) != 0)
666 /* Ok, we found the alias we're looking for in the membership
667 * list currently scanned. The key represents the alias
668 * member. Add that. */
670 member_string = strchr((const char *)key.dptr, '/');
672 /* Above we tested for MEMBEROF_PREFIX which includes the
675 SMB_ASSERT(member_string != NULL);
678 if (!string_to_sid(&member, member_string))
681 num_sids = *state->num;
682 if (!NT_STATUS_IS_OK(add_sid_to_array(state->mem_ctx, &member,
689 *state->num = num_sids;
696 static NTSTATUS enum_aliasmem(const struct dom_sid *alias, TALLOC_CTX *mem_ctx,
697 struct dom_sid **sids, size_t *num)
700 struct aliasmem_state state;
702 map = talloc_zero(talloc_tos(), GROUP_MAP);
704 return NT_STATUS_NO_MEMORY;
707 if (!get_group_map_from_sid(*alias, map)) {
709 return NT_STATUS_NO_SUCH_ALIAS;
712 if ((map->sid_name_use != SID_NAME_ALIAS) &&
713 (map->sid_name_use != SID_NAME_WKN_GRP)) {
715 return NT_STATUS_NO_SUCH_ALIAS;
726 state.mem_ctx = mem_ctx;
728 dbwrap_traverse_read(db, collect_aliasmem, &state, NULL);
732 static NTSTATUS del_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
735 struct dom_sid *sids;
742 if (dbwrap_transaction_start(db) != 0) {
743 DEBUG(0, ("transaction_start failed\n"));
744 return NT_STATUS_INTERNAL_DB_CORRUPTION;
747 status = alias_memberships(member, 1, &sids, &num);
749 if (!NT_STATUS_IS_OK(status)) {
753 for (i=0; i<num; i++) {
754 if (dom_sid_compare(&sids[i], alias) == 0) {
762 status = NT_STATUS_MEMBER_NOT_IN_ALIAS;
767 sids[i] = sids[num-1];
771 sid_to_fstring(sid_string, member);
773 key = talloc_asprintf(sids, "%s%s", MEMBEROF_PREFIX, sid_string);
776 status = NT_STATUS_NO_MEMORY;
781 status = dbwrap_delete_bystring(db, key);
785 member_string = talloc_strdup(sids, "");
786 if (member_string == NULL) {
788 status = NT_STATUS_NO_MEMORY;
792 for (i=0; i<num; i++) {
794 sid_to_fstring(sid_string, &sids[i]);
796 member_string = talloc_asprintf_append_buffer(
797 member_string, " %s", sid_string);
799 if (member_string == NULL) {
801 status = NT_STATUS_NO_MEMORY;
806 status = dbwrap_store_bystring(
807 db, key, string_term_tdb_data(member_string), 0);
811 if (!NT_STATUS_IS_OK(status)) {
812 DEBUG(10, ("dbwrap_store_bystring failed: %s\n",
817 if (dbwrap_transaction_commit(db) != 0) {
818 DEBUG(0, ("transaction_commit failed\n"));
819 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
826 if (dbwrap_transaction_cancel(db) != 0) {
827 smb_panic("transaction_cancel failed");
833 /* -- ldb->tdb switching code -------------------------------------------- */
835 /* change this if the data format ever changes */
836 #define LTDB_PACKING_FORMAT 0x26011967
838 /* old packing formats (not supported for now,
839 * it was never used for group mapping AFAIK) */
840 #define LTDB_PACKING_FORMAT_NODN 0x26011966
842 static unsigned int pull_uint32(uint8_t *p, int ofs)
845 return p[0] | (p[1]<<8) | (p[2]<<16) | (p[3]<<24);
849 unpack a ldb message from a linear buffer in TDB_DATA
851 static int convert_ldb_record(TDB_CONTEXT *ltdb, TDB_DATA key,
852 TDB_DATA data, void *ptr)
854 TALLOC_CTX *tmp_ctx = talloc_tos();
855 GROUP_MAP *map = NULL;
859 unsigned int remaining;
865 uint32_t num_mem = 0;
866 struct dom_sid *members = NULL;
868 p = (uint8_t *)data.dptr;
869 if (data.dsize < 8) {
874 format = pull_uint32(p, 0);
875 num_el = pull_uint32(p, 4);
878 remaining = data.dsize - 8;
881 case LTDB_PACKING_FORMAT:
882 len = strnlen((char *)p, remaining);
883 if (len == remaining) {
889 /* ignore special LDB attributes */
893 if (strncmp((char *)p, "rid=", 4)) {
894 /* unknown entry, ignore */
895 DEBUG(3, ("Found unknown entry in group mapping "
896 "database named [%s]\n", (char *)p));
900 remaining -= len + 1;
904 case LTDB_PACKING_FORMAT_NODN:
911 /* bad entry, ignore */
915 if (num_el > remaining / 6) {
920 map = talloc_zero(NULL, GROUP_MAP);
926 for (i = 0; i < num_el; i++) {
929 if (remaining < 10) {
933 len = strnlen((char *)p, remaining - 6);
934 if (len == remaining - 6) {
938 name = talloc_strndup(tmp_ctx, (char *)p, len);
943 remaining -= len + 1;
946 num_vals = pull_uint32(p, 0);
947 if (strcasecmp_m(name, "member") == 0) {
949 members = talloc_array(tmp_ctx, struct dom_sid, num_mem);
950 if (members == NULL) {
954 } else if (num_vals != 1) {
962 for (j = 0; j < num_vals; j++) {
963 len = pull_uint32(p, 0);
964 if (len > remaining-5) {
969 val = talloc_strndup(tmp_ctx, (char *)(p + 4), len);
975 remaining -= len+4+1;
978 /* we ignore unknown or uninteresting attributes
979 * (objectclass, etc.) */
980 if (strcasecmp_m(name, "gidNumber") == 0) {
981 map->gid = strtoul(val, &q, 10);
986 } else if (strcasecmp_m(name, "sid") == 0) {
987 if (!string_to_sid(&map->sid, val)) {
991 } else if (strcasecmp_m(name, "sidNameUse") == 0) {
992 map->sid_name_use = strtoul(val, &q, 10);
997 } else if (strcasecmp_m(name, "ntname") == 0) {
998 map->nt_name = talloc_strdup(map, val);
1003 } else if (strcasecmp_m(name, "comment") == 0) {
1004 map->comment = talloc_strdup(map, val);
1005 if (!map->comment) {
1009 } else if (strcasecmp_m(name, "member") == 0) {
1010 if (!string_to_sid(&members[j], val)) {
1022 if (map->nt_name == NULL) {
1027 if (map->comment == NULL) {
1028 map->comment = talloc_strdup(map, "");
1030 if (map->comment == NULL) {
1035 if (!add_mapping_entry(map, 0)) {
1041 for (j = 0; j < num_mem; j++) {
1043 status = add_aliasmem(&map->sid, &members[j]);
1044 if (!NT_STATUS_IS_OK(status)) {
1051 if (remaining != 0) {
1052 DEBUG(0, ("Errror: %d bytes unread in ltdb_unpack_data\n",
1064 static bool mapping_switch(const char *ldb_path)
1071 frame = talloc_stackframe();
1073 ltdb = tdb_open_log(ldb_path, 0, TDB_DEFAULT, O_RDONLY, 0600);
1074 if (ltdb == NULL) goto failed;
1076 /* ldb is just a very fancy tdb, read out raw data and perform
1078 ret = tdb_traverse(ltdb, convert_ldb_record, NULL);
1079 if (ret < 0) goto failed;
1086 /* now rename the old db out of the way */
1087 new_path = state_path("group_mapping.ldb.replaced");
1091 if (rename(ldb_path, new_path) != 0) {
1092 DEBUG(0,("Failed to rename old group mapping database\n"));
1099 DEBUG(0, ("Failed to switch to tdb group mapping database\n"));
1100 if (ltdb) tdb_close(ltdb);
1105 static const struct mapping_backend tdb_backend = {
1106 .add_mapping_entry = add_mapping_entry,
1107 .get_group_map_from_sid = get_group_map_from_sid,
1108 .get_group_map_from_gid = get_group_map_from_gid,
1109 .get_group_map_from_ntname = get_group_map_from_ntname,
1110 .group_map_remove = group_map_remove,
1111 .enum_group_mapping = enum_group_mapping,
1112 .one_alias_membership = one_alias_membership,
1113 .add_aliasmem = add_aliasmem,
1114 .del_aliasmem = del_aliasmem,
1115 .enum_aliasmem = enum_aliasmem
1119 initialise the tdb mapping backend
1121 const struct mapping_backend *groupdb_tdb_init(void)
1123 if (!init_group_mapping()) {
1124 DEBUG(0,("Failed to initialise tdb mapping backend\n"));
1128 return &tdb_backend;
git.samba.org / samba.git / blob