2 Unix SMB/CIFS implementation.
4 Map SIDs to unixids and back
6 Copyright (C) Kai Blin 2008
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "auth/auth.h"
24 #include "librpc/gen_ndr/lsa.h"
25 #include "librpc/gen_ndr/samr.h"
26 #include "librpc/gen_ndr/ndr_security.h"
27 #include "lib/ldb/include/ldb.h"
28 #include "lib/ldb/include/ldb_errors.h"
29 #include "lib/ldb_wrap.h"
30 #include "param/param.h"
31 #include "winbind/idmap.h"
32 #include "libcli/security/proto.h"
33 #include "libcli/ldap/ldap_ndr.h"
36 * Get uid/gid bounds from idmap database
38 * \param idmap_ctx idmap context to use
39 * \param low lower uid/gid bound is stored here
40 * \param high upper uid/gid bound is stored here
41 * \return 0 on success, nonzero on failure
43 static int idmap_get_bounds(struct idmap_context *idmap_ctx, uint32_t *low,
47 struct ldb_context *ldb = idmap_ctx->ldb_ctx;
49 struct ldb_result *res = NULL;
50 TALLOC_CTX *tmp_ctx = talloc_new(idmap_ctx);
51 uint32_t lower_bound = (uint32_t) -1;
52 uint32_t upper_bound = (uint32_t) -1;
54 dn = ldb_dn_new(tmp_ctx, ldb, "CN=CONFIG");
55 if (dn == NULL) goto failed;
57 ret = ldb_search(ldb, dn, LDB_SCOPE_BASE, NULL, NULL, &res);
58 if (ret != LDB_SUCCESS) goto failed;
60 talloc_steal(tmp_ctx, res);
62 if (res->count != 1) {
67 lower_bound = ldb_msg_find_attr_as_uint(res->msgs[0], "lowerBound", -1);
68 if (lower_bound != (uint32_t) -1) {
75 upper_bound = ldb_msg_find_attr_as_uint(res->msgs[0], "upperBound", -1);
76 if (upper_bound != (uint32_t) -1) {
90 * Add a dom_sid structure to a ldb_message
91 * \param idmap_ctx idmap context to use
92 * \param mem_ctx talloc context to use
93 * \param ldb_message ldb message to add dom_sid to
94 * \param attr_name name of the attribute to store the dom_sid in
95 * \param sid dom_sid to store
96 * \return 0 on success, an ldb error code on failure.
98 static int idmap_msg_add_dom_sid(struct idmap_context *idmap_ctx,
99 TALLOC_CTX *mem_ctx, struct ldb_message *msg,
100 const char *attr_name, const struct dom_sid *sid)
103 enum ndr_err_code ndr_err;
105 ndr_err = ndr_push_struct_blob(&val, mem_ctx,
106 lp_iconv_convenience(idmap_ctx->lp_ctx),
108 (ndr_push_flags_fn_t)ndr_push_dom_sid);
110 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
114 return ldb_msg_add_value(msg, attr_name, &val, NULL);
118 * Get a dom_sid structure from a ldb message.
120 * \param mem_ctx talloc context to allocate dom_sid memory in
121 * \param msg ldb_message to get dom_sid from
122 * \param attr_name key that has the dom_sid as data
123 * \return dom_sid structure on success, NULL on failure
125 static struct dom_sid *idmap_msg_get_dom_sid(TALLOC_CTX *mem_ctx,
126 struct ldb_message *msg, const char *attr_name)
129 const struct ldb_val *val;
130 enum ndr_err_code ndr_err;
132 val = ldb_msg_find_ldb_val(msg, attr_name);
137 sid = talloc(mem_ctx, struct dom_sid);
142 ndr_err = ndr_pull_struct_blob(val, sid, NULL, sid,
143 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
144 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
153 * Initialize idmap context
155 * talloc_free to close.
157 * \param mem_ctx talloc context to use.
158 * \return allocated idmap_context on success, NULL on error
160 struct idmap_context *idmap_init(TALLOC_CTX *mem_ctx,
161 struct loadparm_context *lp_ctx)
163 struct idmap_context *idmap_ctx;
165 idmap_ctx = talloc(mem_ctx, struct idmap_context);
166 if (idmap_ctx == NULL) {
170 idmap_ctx->lp_ctx = lp_ctx;
172 idmap_ctx->ldb_ctx = ldb_wrap_connect(mem_ctx, lp_ctx,
173 lp_idmap_url(lp_ctx),
174 system_session(mem_ctx, lp_ctx),
176 if (idmap_ctx->ldb_ctx == NULL) {
180 idmap_ctx->unix_groups_sid = dom_sid_parse_talloc(mem_ctx, "S-1-22-2");
181 if (idmap_ctx->unix_groups_sid == NULL) {
185 idmap_ctx->unix_users_sid = dom_sid_parse_talloc(mem_ctx, "S-1-22-1");
186 if (idmap_ctx->unix_users_sid == NULL) {
194 * Convert an unixid to the corresponding SID
196 * \param idmap_ctx idmap context to use
197 * \param mem_ctx talloc context the memory for the struct dom_sid is allocated
199 * \param unixid pointer to a unixid struct to convert
200 * \param sid pointer that will take the struct dom_sid pointer if the mapping
202 * \return NT_STATUS_OK on success, NT_STATUS_NONE_MAPPED if mapping not
203 * possible or some other NTSTATUS that is more descriptive on failure.
206 NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx, TALLOC_CTX *mem_ctx,
207 const struct unixid *unixid, struct dom_sid **sid)
210 NTSTATUS status = NT_STATUS_NONE_MAPPED;
211 struct ldb_context *ldb = idmap_ctx->ldb_ctx;
212 struct ldb_result *res = NULL;
214 struct dom_sid *unix_sid, *new_sid;
215 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
217 ret = ldb_search_exp_fmt(ldb, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
218 NULL, "(&(objectClass=sidMap)(xidNumber=%u))",
220 if (ret != LDB_SUCCESS) {
221 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb)));
222 status = NT_STATUS_NONE_MAPPED;
226 if (res->count == 1) {
227 *sid = idmap_msg_get_dom_sid(mem_ctx, res->msgs[0],
230 DEBUG(1, ("Failed to get sid from db: %u\n", ret));
231 status = NT_STATUS_NONE_MAPPED;
234 talloc_free(tmp_ctx);
238 DEBUG(6, ("xid not found in idmap db, trying to allocate SID.\n"));
240 /* Now redo the search to make sure noone added a mapping for that SID
241 * while we weren't looking.*/
242 ret = ldb_search_exp_fmt(ldb, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
243 NULL, "(&(objectClass=sidMap)(xidNumber=%u))",
245 if (ret != LDB_SUCCESS) {
246 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb)));
247 status = NT_STATUS_NONE_MAPPED;
251 if (res->count > 0) {
252 DEBUG(1, ("sidMap modified while trying to add a mapping.\n"));
253 status = NT_STATUS_RETRY;
257 ret = idmap_get_bounds(idmap_ctx, &low, &high);
258 if (ret != LDB_SUCCESS) {
259 DEBUG(1, ("Failed to get id bounds from db: %u\n", ret));
260 status = NT_STATUS_NONE_MAPPED;
264 if (unixid->id >= low && unixid->id <= high) {
265 /* An existing xid would have been mapped before */
266 status = NT_STATUS_NONE_MAPPED;
270 /* For local users, we just create a rid = uid +1, so root doesn't end
272 if (unixid->type == ID_TYPE_UID) {
273 unix_sid = dom_sid_parse_talloc(tmp_ctx, "S-1-22-1");
275 unix_sid = dom_sid_parse_talloc(tmp_ctx, "S-1-22-2");
277 if (unix_sid == NULL) {
278 status = NT_STATUS_NO_MEMORY;
282 new_sid = dom_sid_add_rid(mem_ctx, unix_sid, unixid->id + 1);
283 if (new_sid == NULL) {
284 status = NT_STATUS_NO_MEMORY;
289 talloc_free(tmp_ctx);
293 talloc_free(tmp_ctx);
299 * Map a SID to an unixid struct.
301 * If no mapping exists, a new mapping will be created.
303 * \todo Check if SIDs can be resolved if lp_idmap_trusted_only() == true
304 * \todo Fix backwards compatibility for Samba3
306 * \param idmap_ctx idmap context to use
307 * \param mem_ctx talloc context to use
308 * \param sid SID to map to an unixid struct
309 * \param unixid pointer to a unixid struct pointer
310 * \return NT_STATUS_OK on success, NT_STATUS_INVALID_SID if the sid is not from
311 * a trusted domain and idmap trusted only = true, NT_STATUS_NONE_MAPPED if the
314 NTSTATUS idmap_sid_to_xid(struct idmap_context *idmap_ctx, TALLOC_CTX *mem_ctx,
315 const struct dom_sid *sid, struct unixid **unixid)
318 NTSTATUS status = NT_STATUS_NONE_MAPPED;
319 struct ldb_context *ldb = idmap_ctx->ldb_ctx;
321 struct ldb_message *hwm_msg, *map_msg;
322 struct ldb_result *res = NULL;
324 uint32_t low, high, hwm, new_xid;
325 char *sid_string, *unixid_string, *hwm_string;
326 bool hwm_entry_exists;
327 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
329 ret = ldb_search_exp_fmt(ldb, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
330 NULL, "(&(objectClass=sidMap)(objectSid=%s))",
331 ldap_encode_ndr_dom_sid(tmp_ctx, sid));
332 if (ret != LDB_SUCCESS) {
333 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb)));
334 status = NT_STATUS_NONE_MAPPED;
338 if (res->count == 1) {
339 new_xid = ldb_msg_find_attr_as_uint(res->msgs[0], "xidNumber",
341 if (new_xid == (uint32_t) -1) {
342 DEBUG(1, ("Invalid xid mapping.\n"));
343 status = NT_STATUS_NONE_MAPPED;
347 *unixid = talloc(mem_ctx, struct unixid);
348 if (*unixid == NULL) {
349 status = NT_STATUS_NO_MEMORY;
353 (*unixid)->id = new_xid;
354 (*unixid)->type = ID_TYPE_BOTH;
356 talloc_free(tmp_ctx);
360 DEBUG(6, ("No existing mapping found, attempting to create one.\n"));
362 if (dom_sid_in_domain(idmap_ctx->unix_users_sid, sid)) {
364 DEBUG(6, ("This is a local unix uid, just calculate that.\n"));
365 status = dom_sid_split_rid(tmp_ctx, sid, NULL, &rid);
366 if (!NT_STATUS_IS_OK(status)) goto failed;
368 *unixid = talloc(mem_ctx, struct unixid);
369 if (*unixid == NULL) {
370 status = NT_STATUS_NO_MEMORY;
373 (*unixid)->id = rid - 1;
374 (*unixid)->type = ID_TYPE_UID;
376 talloc_free(tmp_ctx);
380 if (dom_sid_in_domain(idmap_ctx->unix_groups_sid, sid)) {
382 DEBUG(6, ("This is a local unix gid, just calculate that.\n"));
383 status = dom_sid_split_rid(tmp_ctx, sid, NULL, &rid);
384 if (!NT_STATUS_IS_OK(status)) goto failed;
386 *unixid = talloc(mem_ctx, struct unixid);
387 if (*unixid == NULL) {
388 status = NT_STATUS_NO_MEMORY;
391 (*unixid)->id = rid - 1;
392 (*unixid)->type = ID_TYPE_GID;
394 talloc_free(tmp_ctx);
398 trans = ldb_transaction_start(ldb);
399 if (trans != LDB_SUCCESS) {
400 status = NT_STATUS_NONE_MAPPED;
404 /* Redo the search to make sure noone changed the mapping while we
406 ret = ldb_search_exp_fmt(ldb, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
407 NULL, "(&(objectClass=sidMap)(objectSid=%s))",
408 ldap_encode_ndr_dom_sid(tmp_ctx, sid));
409 if (ret != LDB_SUCCESS) {
410 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb)));
411 status = NT_STATUS_NONE_MAPPED;
415 if (res->count > 0) {
416 DEBUG(1, ("Database changed while trying to add a sidmap.\n"));
417 status = NT_STATUS_RETRY;
421 /*FIXME: if lp_idmap_trusted_only() == true, check if SID can be
424 ret = idmap_get_bounds(idmap_ctx, &low, &high);
425 if (ret != LDB_SUCCESS) {
426 status = NT_STATUS_NONE_MAPPED;
430 dn = ldb_dn_new(tmp_ctx, ldb, "CN=CONFIG");
432 status = NT_STATUS_NO_MEMORY;
436 ret = ldb_search(ldb, dn, LDB_SCOPE_BASE, NULL, NULL, &res);
437 if (ret != LDB_SUCCESS) {
438 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb)));
439 status = NT_STATUS_NONE_MAPPED;
443 talloc_steal(tmp_ctx, res);
445 if (res->count != 1) {
446 DEBUG(1, ("No CN=CONFIG record, idmap database is broken.\n"));
447 status = NT_STATUS_NONE_MAPPED;
451 hwm = ldb_msg_find_attr_as_uint(res->msgs[0], "xidNumber", -1);
452 if (hwm == (uint32_t)-1) {
454 hwm_entry_exists = false;
456 hwm_entry_exists = true;
460 DEBUG(1, ("Out of xids to allocate.\n"));
461 status = NT_STATUS_NONE_MAPPED;
465 hwm_msg = ldb_msg_new(tmp_ctx);
466 if (hwm_msg == NULL) {
467 DEBUG(1, ("Out of memory when creating ldb_message\n"));
468 status = NT_STATUS_NO_MEMORY;
477 hwm_string = talloc_asprintf(tmp_ctx, "%u", hwm);
478 if (hwm_string == NULL) {
479 status = NT_STATUS_NO_MEMORY;
483 sid_string = dom_sid_string(tmp_ctx, sid);
484 if (sid_string == NULL) {
485 status = NT_STATUS_NO_MEMORY;
489 unixid_string = talloc_asprintf(tmp_ctx, "%u", new_xid);
490 if (unixid_string == NULL) {
491 status = NT_STATUS_NO_MEMORY;
495 if (hwm_entry_exists) {
496 struct ldb_message_element *els;
497 struct ldb_val *vals;
499 /* We're modifying the entry, not just adding a new one. */
500 els = talloc_array(tmp_ctx, struct ldb_message_element, 2);
502 status = NT_STATUS_NO_MEMORY;
506 vals = talloc_array(tmp_ctx, struct ldb_val, 2);
508 status = NT_STATUS_NO_MEMORY;
512 hwm_msg->num_elements = 2;
513 hwm_msg->elements = els;
515 els[0].num_values = 1;
516 els[0].values = &vals[0];
517 els[0].flags = LDB_FLAG_MOD_DELETE;
518 els[0].name = talloc_strdup(tmp_ctx, "xidNumber");
519 if (els[0].name == NULL) {
520 status = NT_STATUS_NO_MEMORY;
524 els[1].num_values = 1;
525 els[1].values = &vals[1];
526 els[1].flags = LDB_FLAG_MOD_ADD;
527 els[1].name = els[0].name;
529 vals[0].data = (uint8_t *)unixid_string;
530 vals[0].length = strlen(unixid_string);
531 vals[1].data = (uint8_t *)hwm_string;
532 vals[1].length = strlen(hwm_string);
534 ret = ldb_msg_add_empty(hwm_msg, "xidNumber", LDB_FLAG_MOD_ADD,
536 if (ret != LDB_SUCCESS) {
537 status = NT_STATUS_NONE_MAPPED;
541 ret = ldb_msg_add_string(hwm_msg, "xidNumber", hwm_string);
542 if (ret != LDB_SUCCESS)
544 status = NT_STATUS_NONE_MAPPED;
549 ret = ldb_modify(ldb, hwm_msg);
550 if (ret != LDB_SUCCESS) {
551 DEBUG(1, ("Updating the xid high water mark failed: %s\n",
552 ldb_errstring(ldb)));
553 status = NT_STATUS_NONE_MAPPED;
557 map_msg = ldb_msg_new(tmp_ctx);
558 if (map_msg == NULL) {
559 status = NT_STATUS_NO_MEMORY;
563 map_msg->dn = ldb_dn_new_fmt(tmp_ctx, ldb, "CN=%s", sid_string);
564 if (map_msg->dn == NULL) {
565 status = NT_STATUS_NO_MEMORY;
569 ret = ldb_msg_add_string(map_msg, "xidNumber", unixid_string);
570 if (ret != LDB_SUCCESS) {
571 status = NT_STATUS_NONE_MAPPED;
575 ret = idmap_msg_add_dom_sid(idmap_ctx, tmp_ctx, map_msg, "objectSid",
577 if (ret != LDB_SUCCESS) {
578 status = NT_STATUS_NONE_MAPPED;
582 ret = ldb_msg_add_string(map_msg, "objectClass", "sidMap");
583 if (ret != LDB_SUCCESS) {
584 status = NT_STATUS_NONE_MAPPED;
588 ret = ldb_msg_add_string(map_msg, "cn", sid_string);
589 if (ret != LDB_SUCCESS) {
590 status = NT_STATUS_NONE_MAPPED;
594 ret = ldb_add(ldb, map_msg);
595 if (ret != LDB_SUCCESS) {
596 DEBUG(1, ("Adding a sidmap failed: %s\n", ldb_errstring(ldb)));
597 status = NT_STATUS_NONE_MAPPED;
601 trans = ldb_transaction_commit(ldb);
602 if (trans != LDB_SUCCESS) {
603 DEBUG(1, ("Transaction failed: %s\n", ldb_errstring(ldb)));
604 status = NT_STATUS_NONE_MAPPED;
608 *unixid = talloc(mem_ctx, struct unixid);
609 if (*unixid == NULL) {
610 status = NT_STATUS_NO_MEMORY;
614 (*unixid)->id = new_xid;
615 (*unixid)->type = ID_TYPE_BOTH;
616 talloc_free(tmp_ctx);
620 if (trans == LDB_SUCCESS) ldb_transaction_cancel(ldb);
621 talloc_free(tmp_ctx);
626 * Convert an array of unixids to the corresponding array of SIDs
628 * \param idmap_ctx idmap context to use
629 * \param mem_ctx talloc context the memory for the dom_sids is allocated
631 * \param count length of id_mapping array.
632 * \param id array of id_mappings.
633 * \return NT_STATUS_OK on success, NT_STATUS_NONE_MAPPED if mapping is not
634 * possible at all, NT_STATUS_SOME_UNMAPPED if some mappings worked and some
638 NTSTATUS idmap_xids_to_sids(struct idmap_context *idmap_ctx,
639 TALLOC_CTX *mem_ctx, int count,
640 struct id_mapping *id)
645 for (i = 0; i < count; ++i) {
646 id[i].status = idmap_xid_to_sid(idmap_ctx, mem_ctx,
647 id[i].unixid, &id[i].sid);
648 if (NT_STATUS_EQUAL(id[i].status, NT_STATUS_RETRY)) {
649 id[i].status = idmap_xid_to_sid(idmap_ctx, mem_ctx,
653 if (!NT_STATUS_IS_OK(id[i].status)) {
654 DEBUG(1, ("idmapping failed for id[%d]\n", i));
659 if (error_count == count) {
660 /* Mapping did not work at all. */
661 return NT_STATUS_NONE_MAPPED;
662 } else if (error_count > 0) {
663 /* Some mappings worked, some did not. */
664 return STATUS_SOME_UNMAPPED;
671 * Convert an array of SIDs to the corresponding array of unixids
673 * \param idmap_ctx idmap context to use
674 * \param mem_ctx talloc context the memory for the unixids is allocated
676 * \param count length of id_mapping array.
677 * \param id array of id_mappings.
678 * \return NT_STATUS_OK on success, NT_STATUS_NONE_MAPPED if mapping is not
679 * possible at all, NT_STATUS_SOME_UNMAPPED if some mappings worked and some
683 NTSTATUS idmap_sids_to_xids(struct idmap_context *idmap_ctx,
684 TALLOC_CTX *mem_ctx, int count,
685 struct id_mapping *id)
690 for (i = 0; i < count; ++i) {
691 id[i].status = idmap_sid_to_xid(idmap_ctx, mem_ctx,
692 id[i].sid, &id[i].unixid);
693 if (NT_STATUS_EQUAL(id[i].status, NT_STATUS_RETRY)) {
694 id[i].status = idmap_sid_to_xid(idmap_ctx, mem_ctx,
698 if (!NT_STATUS_IS_OK(id[i].status)) {
699 DEBUG(1, ("idmapping failed for id[%d]\n", i));
704 if (error_count == count) {
705 /* Mapping did not work at all. */
706 return NT_STATUS_NONE_MAPPED;
707 } else if (error_count > 0) {
708 /* Some mappings worked, some did not. */
709 return STATUS_SOME_UNMAPPED;