2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2006,
5 * Copyright (C) Jean François Micouleau 1998-2001.
6 * Copyright (C) Volker Lendecke 2006.
7 * Copyright (C) Gerald Carter 2006.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 3 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, see <http://www.gnu.org/licenses/>.
24 #include "system/filesys.h"
26 #include "groupdb/mapping.h"
29 #include "../libcli/security/security.h"
31 static struct db_context *db; /* used for driver files */
33 static bool enum_group_mapping(const struct dom_sid *domsid,
34 enum lsa_SidType sid_name_use,
36 size_t *p_num_entries,
38 static bool group_map_remove(const struct dom_sid *sid);
40 static bool mapping_switch(const char *ldb_path);
42 /****************************************************************************
43 Open the group mapping tdb.
44 ****************************************************************************/
45 static bool init_group_mapping(void)
53 db = db_open(NULL, state_path("group_mapping.tdb"), 0,
54 TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
56 DEBUG(0, ("Failed to open group mapping database: %s\n",
61 ldb_path = state_path("group_mapping.ldb");
62 if (file_exist(ldb_path) && !mapping_switch(ldb_path)) {
63 unlink(state_path("group_mapping.tdb"));
67 /* handle upgrade from old versions of the database */
68 #if 0 /* -- Needs conversion to dbwrap -- */
69 const char *vstring = "INFO/version";
71 GROUP_MAP *map_table = NULL;
72 size_t num_entries = 0;
74 /* handle a Samba upgrade */
75 tdb_lock_bystring(tdb, vstring);
77 /* Cope with byte-reversed older versions of the db. */
78 vers_id = tdb_fetch_int32(tdb, vstring);
79 if ((vers_id == DATABASE_VERSION_V1)
80 || (IREV(vers_id) == DATABASE_VERSION_V1)) {
82 * Written on a bigendian machine with old fetch_int
85 tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
86 vers_id = DATABASE_VERSION_V2;
89 /* if its an unknown version we remove everthing in the db */
91 if (vers_id != DATABASE_VERSION_V2) {
93 tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
96 tdb_unlock_bystring(tdb, vstring);
98 /* cleanup any map entries with a gid == -1 */
100 if ( enum_group_mapping( NULL, SID_NAME_UNKNOWN, &map_table,
101 &num_entries, False ) ) {
104 for ( i=0; i<num_entries; i++ ) {
105 if ( map_table[i].gid == -1 ) {
106 group_map_remove( &map_table[i].sid );
110 SAFE_FREE( map_table );
117 static char *group_mapping_key(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
119 char *sidstr, *result;
121 sidstr = sid_string_talloc(talloc_tos(), sid);
122 if (sidstr == NULL) {
126 result = talloc_asprintf(mem_ctx, "%s%s", GROUP_PREFIX, sidstr);
132 /****************************************************************************
133 ****************************************************************************/
134 static bool add_mapping_entry(GROUP_MAP *map, int flag)
140 key = group_mapping_key(talloc_tos(), &map->sid);
145 len = tdb_pack(NULL, 0, "ddff",
146 map->gid, map->sid_name_use, map->nt_name, map->comment);
148 buf = talloc_array(key, char, len);
153 len = tdb_pack((uint8 *)buf, len, "ddff", map->gid,
154 map->sid_name_use, map->nt_name, map->comment);
156 status = dbwrap_trans_store(
157 db, string_term_tdb_data(key),
158 make_tdb_data((uint8_t *)buf, len), TDB_REPLACE);
162 return NT_STATUS_IS_OK(status);
166 /****************************************************************************
167 Return the sid and the type of the unix group.
168 ****************************************************************************/
170 static bool get_group_map_from_sid(struct dom_sid sid, GROUP_MAP *map)
176 /* the key is the SID, retrieving is direct */
178 key = group_mapping_key(talloc_tos(), &sid);
183 dbuf = dbwrap_fetch_bystring(db, key, key);
184 if (dbuf.dptr == NULL) {
189 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
190 &map->gid, &map->sid_name_use,
191 &map->nt_name, &map->comment);
196 DEBUG(3,("get_group_map_from_sid: tdb_unpack failure\n"));
200 sid_copy(&map->sid, &sid);
205 static bool dbrec2map(const struct db_record *rec, GROUP_MAP *map)
207 if ((rec->key.dsize < strlen(GROUP_PREFIX))
208 || (strncmp((char *)rec->key.dptr, GROUP_PREFIX,
209 GROUP_PREFIX_LEN) != 0)) {
213 if (!string_to_sid(&map->sid, (const char *)rec->key.dptr
214 + GROUP_PREFIX_LEN)) {
218 return tdb_unpack(rec->value.dptr, rec->value.dsize, "ddff",
219 &map->gid, &map->sid_name_use, &map->nt_name,
220 &map->comment) != -1;
223 struct find_map_state {
225 const char *name; /* If != NULL, look for name */
226 gid_t gid; /* valid iff name == NULL */
230 static int find_map(struct db_record *rec, void *private_data)
232 struct find_map_state *state = (struct find_map_state *)private_data;
234 if (!dbrec2map(rec, state->map)) {
235 DEBUG(10, ("failed to unpack map\n"));
239 if (state->name != NULL) {
240 if (strequal(state->name, state->map->nt_name)) {
246 if (state->map->gid == state->gid) {
255 /****************************************************************************
256 Return the sid and the type of the unix group.
257 ****************************************************************************/
259 static bool get_group_map_from_gid(gid_t gid, GROUP_MAP *map)
261 struct find_map_state state;
264 state.name = NULL; /* Indicate we're looking for gid */
268 db->traverse_read(db, find_map, (void *)&state);
273 /****************************************************************************
274 Return the sid and the type of the unix group.
275 ****************************************************************************/
277 static bool get_group_map_from_ntname(const char *name, GROUP_MAP *map)
279 struct find_map_state state;
285 db->traverse_read(db, find_map, (void *)&state);
290 /****************************************************************************
291 Remove a group mapping entry.
292 ****************************************************************************/
294 static bool group_map_remove(const struct dom_sid *sid)
299 key = group_mapping_key(talloc_tos(), sid);
304 status = dbwrap_trans_delete(db, string_term_tdb_data(key));
307 return NT_STATUS_IS_OK(status);
310 /****************************************************************************
311 Enumerate the group mapping.
312 ****************************************************************************/
314 struct enum_map_state {
315 const struct dom_sid *domsid;
316 enum lsa_SidType sid_name_use;
323 static int collect_map(struct db_record *rec, void *private_data)
325 struct enum_map_state *state = (struct enum_map_state *)private_data;
329 if (!dbrec2map(rec, &map)) {
332 /* list only the type or everything if UNKNOWN */
333 if (state->sid_name_use != SID_NAME_UNKNOWN
334 && state->sid_name_use != map.sid_name_use) {
335 DEBUG(11,("enum_group_mapping: group %s is not of the "
336 "requested type\n", map.nt_name));
340 if ((state->unix_only == ENUM_ONLY_MAPPED) && (map.gid == -1)) {
341 DEBUG(11,("enum_group_mapping: group %s is non mapped\n",
346 if ((state->domsid != NULL) &&
347 (dom_sid_compare_domain(state->domsid, &map.sid) != 0)) {
348 DEBUG(11,("enum_group_mapping: group %s is not in domain\n",
349 sid_string_dbg(&map.sid)));
353 if (!(tmp = SMB_REALLOC_ARRAY(state->maps, GROUP_MAP,
354 state->num_maps+1))) {
355 DEBUG(0,("enum_group_mapping: Unable to enlarge group "
361 state->maps[state->num_maps] = map;
366 static bool enum_group_mapping(const struct dom_sid *domsid,
367 enum lsa_SidType sid_name_use,
369 size_t *p_num_entries, bool unix_only)
371 struct enum_map_state state;
373 state.domsid = domsid;
374 state.sid_name_use = sid_name_use;
375 state.unix_only = unix_only;
379 if (db->traverse_read(db, collect_map, (void *)&state) < 0) {
383 *pp_rmap = state.maps;
384 *p_num_entries = state.num_maps;
389 /* This operation happens on session setup, so it should better be fast. We
390 * store a list of aliases a SID is member of hanging off MEMBEROF/SID. */
392 static NTSTATUS one_alias_membership(const struct dom_sid *member,
393 struct dom_sid **sids, size_t *num)
400 NTSTATUS status = NT_STATUS_OK;
401 TALLOC_CTX *frame = talloc_stackframe();
403 slprintf(key, sizeof(key), "%s%s", MEMBEROF_PREFIX,
404 sid_to_fstring(tmp, member));
406 dbuf = dbwrap_fetch_bystring(db, frame, key);
407 if (dbuf.dptr == NULL) {
412 p = (const char *)dbuf.dptr;
414 while (next_token_talloc(frame, &p, &string_sid, " ")) {
415 struct dom_sid alias;
418 if (!string_to_sid(&alias, string_sid))
422 status= add_sid_to_array_unique(NULL, &alias, sids, &num_sids);
423 if (!NT_STATUS_IS_OK(status)) {
434 static NTSTATUS alias_memberships(const struct dom_sid *members, size_t num_members,
435 struct dom_sid **sids, size_t *num)
442 for (i=0; i<num_members; i++) {
443 NTSTATUS status = one_alias_membership(&members[i], sids, num);
444 if (!NT_STATUS_IS_OK(status))
450 static bool is_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
452 struct dom_sid *sids;
456 /* This feels the wrong way round, but the on-disk data structure
457 * dictates it this way. */
458 if (!NT_STATUS_IS_OK(alias_memberships(member, 1, &sids, &num)))
461 for (i=0; i<num; i++) {
462 if (dom_sid_compare(alias, &sids[i]) == 0) {
472 static NTSTATUS add_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
477 char *new_memberstring;
478 struct db_record *rec;
481 if (!get_group_map_from_sid(*alias, &map))
482 return NT_STATUS_NO_SUCH_ALIAS;
484 if ( (map.sid_name_use != SID_NAME_ALIAS) &&
485 (map.sid_name_use != SID_NAME_WKN_GRP) )
486 return NT_STATUS_NO_SUCH_ALIAS;
488 if (is_aliasmem(alias, member))
489 return NT_STATUS_MEMBER_IN_ALIAS;
491 sid_to_fstring(string_sid, member);
493 key = talloc_asprintf(talloc_tos(), "%s%s", MEMBEROF_PREFIX,
496 return NT_STATUS_NO_MEMORY;
499 if (db->transaction_start(db) != 0) {
500 DEBUG(0, ("transaction_start failed\n"));
501 return NT_STATUS_INTERNAL_DB_CORRUPTION;
504 rec = db->fetch_locked(db, key, string_term_tdb_data(key));
507 DEBUG(10, ("fetch_lock failed\n"));
509 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
513 sid_to_fstring(string_sid, alias);
515 if (rec->value.dptr != NULL) {
516 new_memberstring = talloc_asprintf(
517 key, "%s %s", (char *)(rec->value.dptr), string_sid);
519 new_memberstring = talloc_strdup(key, string_sid);
522 if (new_memberstring == NULL) {
524 status = NT_STATUS_NO_MEMORY;
528 status = rec->store(rec, string_term_tdb_data(new_memberstring), 0);
532 if (!NT_STATUS_IS_OK(status)) {
533 DEBUG(10, ("Could not store record: %s\n", nt_errstr(status)));
537 if (db->transaction_commit(db) != 0) {
538 DEBUG(0, ("transaction_commit failed\n"));
539 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
546 if (db->transaction_cancel(db) != 0) {
547 smb_panic("transaction_cancel failed");
553 struct aliasmem_state {
555 const struct dom_sid *alias;
556 struct dom_sid **sids;
560 static int collect_aliasmem(struct db_record *rec, void *priv)
562 struct aliasmem_state *state = (struct aliasmem_state *)priv;
567 if (strncmp((const char *)rec->key.dptr, MEMBEROF_PREFIX,
568 MEMBEROF_PREFIX_LEN) != 0)
571 p = (const char *)rec->value.dptr;
573 frame = talloc_stackframe();
575 while (next_token_talloc(frame, &p, &alias_string, " ")) {
576 struct dom_sid alias, member;
577 const char *member_string;
580 if (!string_to_sid(&alias, alias_string))
583 if (dom_sid_compare(state->alias, &alias) != 0)
586 /* Ok, we found the alias we're looking for in the membership
587 * list currently scanned. The key represents the alias
588 * member. Add that. */
590 member_string = strchr((const char *)rec->key.dptr, '/');
592 /* Above we tested for MEMBEROF_PREFIX which includes the
595 SMB_ASSERT(member_string != NULL);
598 if (!string_to_sid(&member, member_string))
601 num_sids = *state->num;
602 if (!NT_STATUS_IS_OK(add_sid_to_array(state->mem_ctx, &member,
609 *state->num = num_sids;
616 static NTSTATUS enum_aliasmem(const struct dom_sid *alias, TALLOC_CTX *mem_ctx,
617 struct dom_sid **sids, size_t *num)
620 struct aliasmem_state state;
622 if (!get_group_map_from_sid(*alias, &map))
623 return NT_STATUS_NO_SUCH_ALIAS;
625 if ( (map.sid_name_use != SID_NAME_ALIAS) &&
626 (map.sid_name_use != SID_NAME_WKN_GRP) )
627 return NT_STATUS_NO_SUCH_ALIAS;
635 state.mem_ctx = mem_ctx;
637 db->traverse_read(db, collect_aliasmem, &state);
641 static NTSTATUS del_aliasmem(const struct dom_sid *alias, const struct dom_sid *member)
644 struct dom_sid *sids;
651 if (db->transaction_start(db) != 0) {
652 DEBUG(0, ("transaction_start failed\n"));
653 return NT_STATUS_INTERNAL_DB_CORRUPTION;
656 status = alias_memberships(member, 1, &sids, &num);
658 if (!NT_STATUS_IS_OK(status)) {
662 for (i=0; i<num; i++) {
663 if (dom_sid_compare(&sids[i], alias) == 0) {
671 status = NT_STATUS_MEMBER_NOT_IN_ALIAS;
676 sids[i] = sids[num-1];
680 sid_to_fstring(sid_string, member);
682 key = talloc_asprintf(sids, "%s%s", MEMBEROF_PREFIX, sid_string);
685 status = NT_STATUS_NO_MEMORY;
690 status = dbwrap_delete_bystring(db, key);
694 member_string = talloc_strdup(sids, "");
695 if (member_string == NULL) {
697 status = NT_STATUS_NO_MEMORY;
701 for (i=0; i<num; i++) {
703 sid_to_fstring(sid_string, &sids[i]);
705 member_string = talloc_asprintf_append_buffer(
706 member_string, " %s", sid_string);
708 if (member_string == NULL) {
710 status = NT_STATUS_NO_MEMORY;
715 status = dbwrap_store_bystring(
716 db, key, string_term_tdb_data(member_string), 0);
720 if (!NT_STATUS_IS_OK(status)) {
721 DEBUG(10, ("dbwrap_store_bystring failed: %s\n",
726 if (db->transaction_commit(db) != 0) {
727 DEBUG(0, ("transaction_commit failed\n"));
728 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
735 if (db->transaction_cancel(db) != 0) {
736 smb_panic("transaction_cancel failed");
742 /* -- ldb->tdb switching code -------------------------------------------- */
744 /* change this if the data format ever changes */
745 #define LTDB_PACKING_FORMAT 0x26011967
747 /* old packing formats (not supported for now,
748 * it was never used for group mapping AFAIK) */
749 #define LTDB_PACKING_FORMAT_NODN 0x26011966
751 static unsigned int pull_uint32(uint8_t *p, int ofs)
754 return p[0] | (p[1]<<8) | (p[2]<<16) | (p[3]<<24);
758 unpack a ldb message from a linear buffer in TDB_DATA
760 static int convert_ldb_record(TDB_CONTEXT *ltdb, TDB_DATA key,
761 TDB_DATA data, void *ptr)
763 TALLOC_CTX *tmp_ctx = talloc_tos();
768 unsigned int remaining;
774 uint32_t num_mem = 0;
775 struct dom_sid *members = NULL;
777 p = (uint8_t *)data.dptr;
778 if (data.dsize < 8) {
783 format = pull_uint32(p, 0);
784 num_el = pull_uint32(p, 4);
787 remaining = data.dsize - 8;
790 case LTDB_PACKING_FORMAT:
791 len = strnlen((char *)p, remaining);
792 if (len == remaining) {
798 /* ignore special LDB attributes */
802 if (strncmp((char *)p, "rid=", 4)) {
803 /* unknown entry, ignore */
804 DEBUG(3, ("Found unknown entry in group mapping "
805 "database named [%s]\n", (char *)p));
809 remaining -= len + 1;
813 case LTDB_PACKING_FORMAT_NODN:
820 /* bad entry, ignore */
824 if (num_el > remaining / 6) {
831 for (i = 0; i < num_el; i++) {
834 if (remaining < 10) {
838 len = strnlen((char *)p, remaining - 6);
839 if (len == remaining - 6) {
843 name = talloc_strndup(tmp_ctx, (char *)p, len);
848 remaining -= len + 1;
851 num_vals = pull_uint32(p, 0);
852 if (strcasecmp_m(name, "member") == 0) {
854 members = talloc_array(tmp_ctx, struct dom_sid, num_mem);
855 if (members == NULL) {
859 } else if (num_vals != 1) {
867 for (j = 0; j < num_vals; j++) {
868 len = pull_uint32(p, 0);
869 if (len > remaining-5) {
874 val = talloc_strndup(tmp_ctx, (char *)(p + 4), len);
880 remaining -= len+4+1;
883 /* we ignore unknown or uninteresting attributes
884 * (objectclass, etc.) */
885 if (strcasecmp_m(name, "gidNumber") == 0) {
886 map.gid = strtoul(val, &q, 10);
891 } else if (strcasecmp_m(name, "sid") == 0) {
892 if (!string_to_sid(&map.sid, val)) {
896 } else if (strcasecmp_m(name, "sidNameUse") == 0) {
897 map.sid_name_use = strtoul(val, &q, 10);
902 } else if (strcasecmp_m(name, "ntname") == 0) {
903 strlcpy(map.nt_name, val,
904 sizeof(map.nt_name));
905 } else if (strcasecmp_m(name, "comment") == 0) {
906 strlcpy(map.comment, val,
907 sizeof(map.comment));
908 } else if (strcasecmp_m(name, "member") == 0) {
909 if (!string_to_sid(&members[j], val)) {
921 if (!add_mapping_entry(&map, 0)) {
927 for (j = 0; j < num_mem; j++) {
929 status = add_aliasmem(&map.sid, &members[j]);
930 if (!NT_STATUS_IS_OK(status)) {
937 if (remaining != 0) {
938 DEBUG(0, ("Errror: %d bytes unread in ltdb_unpack_data\n",
948 static bool mapping_switch(const char *ldb_path)
955 frame = talloc_stackframe();
957 ltdb = tdb_open_log(ldb_path, 0, TDB_DEFAULT, O_RDONLY, 0600);
958 if (ltdb == NULL) goto failed;
960 /* ldb is just a very fancy tdb, read out raw data and perform
962 ret = tdb_traverse(ltdb, convert_ldb_record, NULL);
963 if (ret == -1) goto failed;
970 /* now rename the old db out of the way */
971 new_path = state_path("group_mapping.ldb.replaced");
975 if (rename(ldb_path, new_path) != 0) {
976 DEBUG(0,("Failed to rename old group mapping database\n"));
983 DEBUG(0, ("Failed to switch to tdb group mapping database\n"));
984 if (ltdb) tdb_close(ltdb);
989 static const struct mapping_backend tdb_backend = {
990 .add_mapping_entry = add_mapping_entry,
991 .get_group_map_from_sid = get_group_map_from_sid,
992 .get_group_map_from_gid = get_group_map_from_gid,
993 .get_group_map_from_ntname = get_group_map_from_ntname,
994 .group_map_remove = group_map_remove,
995 .enum_group_mapping = enum_group_mapping,
996 .one_alias_membership = one_alias_membership,
997 .add_aliasmem = add_aliasmem,
998 .del_aliasmem = del_aliasmem,
999 .enum_aliasmem = enum_aliasmem
1003 initialise the tdb mapping backend
1005 const struct mapping_backend *groupdb_tdb_init(void)
1007 if (!init_group_mapping()) {
1008 DEBUG(0,("Failed to initialise tdb mapping backend\n"));
1012 return &tdb_backend;
git.samba.org / samba.git / blob