#include "includes.h"
#include "winbindd/winbindd.h"
+#include "idmap.h"
#include "idmap_hash.h"
+#include "ads.h"
+#include "nss_info.h"
+#include "../libcli/security/dom_sid.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_IDMAP
struct sid_hash_table {
- DOM_SID *sid;
+ struct dom_sid *sid;
};
-struct sid_hash_table *hashed_domains = NULL;
-
/*********************************************************************
Hash a domain SID (S-1-5-12-aaa-bbb-ccc) to a 12bit number
********************************************************************/
-static uint32_t hash_domain_sid(const DOM_SID *sid)
+static uint32_t hash_domain_sid(const struct dom_sid *sid)
{
uint32_t hash;
/*********************************************************************
********************************************************************/
-static NTSTATUS be_init(struct idmap_domain *dom,
- const char *params)
+static NTSTATUS idmap_hash_initialize(struct idmap_domain *dom)
{
+ struct sid_hash_table *hashed_domains;
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
struct winbindd_tdc_domain *dom_list = NULL;
size_t num_domains = 0;
- int i;
+ size_t i;
+
+ DBG_ERR("The idmap_hash module is deprecated and should not be used. "
+ "Please migrate to a different plugin. This module will be "
+ "removed in a future version of Samba\n");
+
+ if (!strequal(dom->name, "*")) {
+ DBG_ERR("Error: idmap_hash configured for domain '%s'. "
+ "But the hash module can only be used for the default "
+ "idmap configuration.\n", dom->name);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- /* If the domain SID hash talbe has been initialized, assume
+ /* If the domain SID hash table has been initialized, assume
that we completed this function previously */
- if ( hashed_domains ) {
+ if (dom->private_data != NULL) {
nt_status = NT_STATUS_OK;
goto done;
}
/* Create the hash table of domain SIDs */
- hashed_domains = TALLOC_ZERO_ARRAY(NULL, struct sid_hash_table, 4096);
+ hashed_domains = talloc_zero_array(dom, struct sid_hash_table, 4096);
BAIL_ON_PTR_NT_ERROR(hashed_domains, nt_status);
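Review bot: The deprecation DBG_ERR at the top of idmap_hash_initialize is emitted before the `dom->private_data != NULL` early return, and since unixids_to_sids and sids_to_unixids call idmap_hash_initialize on every request, the error-level message will be logged on every ID lookup rather than once. Move the DBG_ERR below the already-initialized check (after the `goto done`), or emit it once from idmap_hash_init when the module is registered, so the log is not flooded at level 0. The `dom->name` check is fine to run on every call, but it too could sit after the early return since a domain that passed it once has not changed. The rest of this function (the domain list lookup and loop header) is outside this hunk.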
/* create the hash table of domain SIDs */
if (is_null_sid(&dom_list[i].sid))
continue;
+
+ /*
+ * Check if the domain from the list is not already configured
+ * to use another idmap backend. Not checking this makes the
+ * idmap_hash module map IDs for *all* domains implicitly. This
+ * is quite dangerous in setups that use multiple idmap
+ * configurations.
+ */
+
+ if (domain_has_idmap_config(dom_list[i].domain_name)) {
+ continue;
+ }
+
if ((hash = hash_domain_sid(&dom_list[i].sid)) == 0)
continue;
- DEBUG(5,("hash:be_init() Adding %s (%s) -> %d\n",
+ DBG_INFO("Adding %s (%s) -> %d\n",
dom_list[i].domain_name,
sid_string_dbg(&dom_list[i].sid),
- hash));
+ hash);
- hashed_domains[hash].sid = talloc(hashed_domains, DOM_SID);
+ hashed_domains[hash].sid = talloc(hashed_domains, struct dom_sid);
sid_copy(hashed_domains[hash].sid, &dom_list[i].sid);
}
+ dom->private_data = hashed_domains;
+
done:
return nt_status;
}
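Review bot: The `talloc(hashed_domains, struct dom_sid)` result is written straight into the table and immediately dereferenced by sid_copy without a NULL check, so an allocation failure is a NULL-pointer write; add `BAIL_ON_PTR_NT_ERROR(hashed_domains[hash].sid, nt_status);` between the two lines, matching how the table allocation itself is checked above. Separately, the slot is assigned unconditionally, so if two trusted domains hash to the same 12-bit value the second silently overwrites the first and IDs from one domain then resolve to SIDs in the other; at minimum check `if (hashed_domains[hash].sid != NULL)` before the assignment and log the collision with both domain names, presumably failing initialization rather than mapping ambiguously. The loop header and the domain list lookup are outside this hunk.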
static NTSTATUS unixids_to_sids(struct idmap_domain *dom,
struct id_map **ids)
{
+ struct sid_hash_table *hashed_domains = talloc_get_type_abort(
+ dom->private_data, struct sid_hash_table);
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
int i;
+ if (!ids) {
+ nt_status = NT_STATUS_INVALID_PARAMETER;
+ BAIL_ON_NTSTATUS_ERROR(nt_status);
+ }
+
/* initialize the status to avoid suprise */
for (i = 0; ids[i]; i++) {
ids[i]->status = ID_UNKNOWN;
}
-
- nt_status = be_init(dom, NULL);
- BAIL_ON_NTSTATUS_ERROR(nt_status);
- if (!ids) {
- nt_status = NT_STATUS_INVALID_PARAMETER;
- BAIL_ON_NTSTATUS_ERROR(nt_status);
- }
+ nt_status = idmap_hash_initialize(dom);
+ BAIL_ON_NTSTATUS_ERROR(nt_status);
for (i=0; ids[i]; i++) {
uint32_t h_domain, h_rid;
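Review bot: `hashed_domains` is fetched from `dom->private_data` with talloc_get_type_abort at the top of unixids_to_sids, before idmap_hash_initialize(dom) is called further down; if private_data is still NULL at that point (init not yet run for this domain) the process aborts, and if the later initialize call is what populates it the local pointer is stale. Move the `talloc_get_type_abort(dom->private_data, struct sid_hash_table)` lookup to just after the `BAIL_ON_NTSTATUS_ERROR(nt_status)` that follows idmap_hash_initialize, so the table is read only once it is guaranteed to exist. If the idmap layer always calls `.init` before these methods this is only latent, but the ordering is still wrong as written. The same pattern likely appears in sids_to_unixids, whose opening lines are not in this chunk.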
if (!hashed_domains[h_domain].sid)
continue;
- sid_copy(ids[i]->sid, hashed_domains[h_domain].sid);
- sid_append_rid(ids[i]->sid, h_rid);
+ sid_compose(ids[i]->sid, hashed_domains[h_domain].sid, h_rid);
ids[i]->status = ID_MAPPED;
}
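Review bot: The sid_compose result is discarded and the entry is marked ID_MAPPED regardless, so if composing fails (it can when the stored domain SID already carries the maximum number of sub-authorities, depending on the sid_compose variant in this tree) a partially filled SID is reported as a successful mapping. If this sid_compose returns a status, check it: `if (!NT_STATUS_IS_OK(sid_compose(ids[i]->sid, hashed_domains[h_domain].sid, h_rid))) continue;` and leave the entry ID_UNKNOWN. The function's return path is outside this hunk.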
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
int i;
+ if (!ids) {
+ nt_status = NT_STATUS_INVALID_PARAMETER;
+ BAIL_ON_NTSTATUS_ERROR(nt_status);
+ }
+
/* initialize the status to avoid suprise */
for (i = 0; ids[i]; i++) {
ids[i]->status = ID_UNKNOWN;
}
-
- nt_status = be_init(dom, NULL);
- BAIL_ON_NTSTATUS_ERROR(nt_status);
- if (!ids) {
- nt_status = NT_STATUS_INVALID_PARAMETER;
- BAIL_ON_NTSTATUS_ERROR(nt_status);
- }
+ nt_status = idmap_hash_initialize(dom);
+ BAIL_ON_NTSTATUS_ERROR(nt_status);
for (i=0; ids[i]; i++) {
- DOM_SID sid;
+ struct dom_sid sid;
uint32_t rid;
uint32_t h_domain, h_rid;
return nt_status;
}
-/*********************************************************************
- ********************************************************************/
-
-static NTSTATUS be_close(struct idmap_domain *dom)
-{
- if (hashed_domains)
- talloc_free(hashed_domains);
-
- return NT_STATUS_OK;
-}
-
/*********************************************************************
********************************************************************/
static NTSTATUS nss_hash_init(struct nss_domain_entry *e )
{
- return be_init(NULL, NULL);
-}
-
-/**********************************************************************
- *********************************************************************/
-
-static NTSTATUS nss_hash_get_info(struct nss_domain_entry *e,
- const DOM_SID *sid,
- TALLOC_CTX *ctx,
- ADS_STRUCT *ads,
- LDAPMessage *msg,
- const char **homedir,
- const char **shell,
- const char **gecos,
- gid_t *p_gid )
-{
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
-
- nt_status = nss_hash_init(e);
- BAIL_ON_NTSTATUS_ERROR(nt_status);
-
- if (!homedir || !shell || !gecos) {
- nt_status = NT_STATUS_INVALID_PARAMETER;
- BAIL_ON_NTSTATUS_ERROR(nt_status);
- }
-
- *homedir = talloc_strdup(ctx, lp_template_homedir());
- BAIL_ON_PTR_NT_ERROR(*homedir, nt_status);
-
- *shell = talloc_strdup(ctx, lp_template_shell());
- BAIL_ON_PTR_NT_ERROR(*shell, nt_status);
-
- *gecos = NULL;
-
- /* Initialize the gid so that the upper layer fills
- in the proper Windows primary group */
-
- if (*p_gid) {
- *p_gid = (gid_t)-1;
- }
-
-done:
- return nt_status;
+ return NT_STATUS_OK;
}
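Review bot: nss_hash_init now returns NT_STATUS_OK without touching `e`, and nothing on the page explains why a no-op init is correct, which will read as a stub to the next maintainer. Add a comment such as `/* Nothing to initialize here: the per-domain SID table is owned by the idmap_domain (private_data) and built by idmap_hash_initialize(); the nss_info side only uses the alias mapping. */`, hedged against what map_to_alias/map_from_alias actually need since they are not visible here. Dropping be_close is consistent with the table now being talloc'd under `dom`, which frees it with the domain.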
/**********************************************************************
********************************************************************/
static struct idmap_methods hash_idmap_methods = {
- .init = be_init,
+ .init = idmap_hash_initialize,
.unixids_to_sids = unixids_to_sids,
.sids_to_unixids = sids_to_unixids,
- .close_fn = be_close
};
static struct nss_info_methods hash_nss_methods = {
.init = nss_hash_init,
- .get_nss_info = nss_hash_get_info,
.map_to_alias = nss_hash_map_to_alias,
.map_from_alias = nss_hash_map_from_alias,
.close_fn = nss_hash_close
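Review bot: Removing `.get_nss_info` leaves that slot NULL in hash_nss_methods, and this chunk does not show whether the nss_info dispatcher checks the callback before calling it; if it does not, any lookup through this backend becomes a NULL function-pointer call. Please confirm the caller tolerates a missing get_nss_info, and if not either keep a minimal implementation or have the dispatcher return NT_STATUS_NOT_IMPLEMENTED when the slot is NULL. Dropping `.close_fn` from hash_idmap_methods is fine given the table is now a talloc child of the domain. The struct's closing line is outside this hunk.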
state.
**********************************************************************/
-NTSTATUS idmap_hash_init(void)
+static_decl_idmap;
+NTSTATUS idmap_hash_init(TALLOC_CTX *ctx)
{
static NTSTATUS idmap_status = NT_STATUS_UNSUCCESSFUL;
static NTSTATUS nss_status = NT_STATUS_UNSUCCESSFUL;