2 Unix SMB/CIFS implementation.
4 idmap TDB2 backend, used for clustered Samba setups.
6 This uses dbwrap to access tdb files. The location can be set
7 using tdb:idmap2.tdb =" in smb.conf
9 Copyright (C) Andrew Tridgell 2007
11 This is heavily based upon idmap_tdb.c, which is:
13 Copyright (C) Tim Potter 2000
14 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
15 Copyright (C) Jeremy Allison 2006
16 Copyright (C) Simo Sorce 2003-2006
18 This program is free software; you can redistribute it and/or modify
19 it under the terms of the GNU General Public License as published by
20 the Free Software Foundation; either version 2 of the License, or
21 (at your option) any later version.
23 This program is distributed in the hope that it will be useful,
24 but WITHOUT ANY WARRANTY; without even the implied warranty of
25 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
26 GNU General Public License for more details.
28 You should have received a copy of the GNU General Public License
29 along with this program; if not, write to the Free Software
30 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
37 #define DBGC_CLASS DBGC_IDMAP
39 /* High water mark keys */
40 #define HWM_GROUP "GROUP HWM"
41 #define HWM_USER "USER HWM"
43 static struct idmap_tdb2_state {
44 /* User and group id pool */
45 uid_t low_uid, high_uid; /* Range of uids to allocate */
46 gid_t low_gid, high_gid; /* Range of gids to allocate */
47 const char *idmap_script;
52 /* handle to the permanent tdb */
53 static struct db_context *idmap_tdb2;
55 static NTSTATUS idmap_tdb2_alloc_load(void);
57 static NTSTATUS idmap_tdb2_load_ranges(void)
64 if (!lp_idmap_uid(&low_uid, &high_uid)) {
65 DEBUG(1, ("idmap uid missing\n"));
66 return NT_STATUS_UNSUCCESSFUL;
69 if (!lp_idmap_gid(&low_gid, &high_gid)) {
70 DEBUG(1, ("idmap gid missing\n"));
71 return NT_STATUS_UNSUCCESSFUL;
74 idmap_tdb2_state.low_uid = low_uid;
75 idmap_tdb2_state.high_uid = high_uid;
76 idmap_tdb2_state.low_gid = low_gid;
77 idmap_tdb2_state.high_gid = high_gid;
79 if (idmap_tdb2_state.high_uid <= idmap_tdb2_state.low_uid) {
80 DEBUG(1, ("idmap uid range missing or invalid\n"));
81 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
82 return NT_STATUS_UNSUCCESSFUL;
85 if (idmap_tdb2_state.high_gid <= idmap_tdb2_state.low_gid) {
86 DEBUG(1, ("idmap gid range missing or invalid\n"));
87 DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
88 return NT_STATUS_UNSUCCESSFUL;
95 open the permanent tdb
97 static NTSTATUS idmap_tdb2_open_db(void)
102 /* its already open */
106 db_path = lp_parm_talloc_string(-1, "tdb", "idmap2.tdb", NULL);
107 if (db_path == NULL) {
108 /* fall back to the private directory, which, despite
109 its name, is usually on shared storage */
110 db_path = talloc_asprintf(NULL, "%s/idmap2.tdb", lp_private_dir());
112 NT_STATUS_HAVE_NO_MEMORY(db_path);
114 /* Open idmap repository */
115 idmap_tdb2 = db_open(NULL, db_path, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644);
116 TALLOC_FREE(db_path);
118 if (idmap_tdb2 == NULL) {
119 DEBUG(0, ("Unable to open idmap_tdb2 database '%s'\n",
121 return NT_STATUS_UNSUCCESSFUL;
124 /* load the ranges and high/low water marks */
125 return idmap_tdb2_alloc_load();
130 load the idmap allocation ranges and high/low water marks
132 static NTSTATUS idmap_tdb2_alloc_load(void)
137 /* see if a idmap script is configured */
138 idmap_tdb2_state.idmap_script = lp_parm_const_string(-1, "idmap",
141 if (idmap_tdb2_state.idmap_script) {
142 DEBUG(1, ("using idmap script '%s'\n",
143 idmap_tdb2_state.idmap_script));
148 status = idmap_tdb2_load_ranges();
149 if (!NT_STATUS_IS_OK(status)) {
153 /* Create high water marks for group and user id */
155 low_id = dbwrap_fetch_int32(idmap_tdb2, HWM_USER);
156 if ((low_id == -1) || (low_id < idmap_tdb2_state.low_uid)) {
157 if (!NT_STATUS_IS_OK(dbwrap_trans_store_int32(
158 idmap_tdb2, HWM_USER,
159 idmap_tdb2_state.low_uid))) {
160 DEBUG(0, ("Unable to initialise user hwm in idmap "
162 return NT_STATUS_INTERNAL_DB_ERROR;
166 low_id = dbwrap_fetch_int32(idmap_tdb2, HWM_GROUP);
167 if ((low_id == -1) || (low_id < idmap_tdb2_state.low_gid)) {
168 if (!NT_STATUS_IS_OK(dbwrap_trans_store_int32(
169 idmap_tdb2, HWM_GROUP,
170 idmap_tdb2_state.low_gid))) {
171 DEBUG(0, ("Unable to initialise group hwm in idmap "
173 return NT_STATUS_INTERNAL_DB_ERROR;
182 Initialise idmap alloc database.
184 static NTSTATUS idmap_tdb2_alloc_init(const char *params)
186 /* nothing to do - we want to avoid opening the permanent
187 database if possible. Instead we load the params when we
196 static NTSTATUS idmap_tdb2_allocate_id(struct unixid *xid)
206 status = idmap_tdb2_open_db();
207 NT_STATUS_NOT_OK_RETURN(status);
209 /* Get current high water mark */
215 high_hwm = idmap_tdb2_state.high_uid;
221 high_hwm = idmap_tdb2_state.high_gid;
225 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
226 return NT_STATUS_INVALID_PARAMETER;
229 res = idmap_tdb2->transaction_start(idmap_tdb2);
231 DEBUG(1,(__location__ " Failed to start transaction\n"));
232 return NT_STATUS_UNSUCCESSFUL;
235 if ((hwm = dbwrap_fetch_int32(idmap_tdb2, hwmkey)) == -1) {
236 idmap_tdb2->transaction_cancel(idmap_tdb2);
237 return NT_STATUS_INTERNAL_DB_ERROR;
240 /* check it is in the range */
241 if (hwm > high_hwm) {
242 DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
243 hwmtype, (unsigned long)high_hwm));
244 idmap_tdb2->transaction_cancel(idmap_tdb2);
245 return NT_STATUS_UNSUCCESSFUL;
248 /* fetch a new id and increment it */
249 ret = dbwrap_change_uint32_atomic(idmap_tdb2, hwmkey, &hwm, 1);
251 DEBUG(1, ("Fatal error while fetching a new %s value\n!", hwmtype));
252 idmap_tdb2->transaction_cancel(idmap_tdb2);
253 return NT_STATUS_UNSUCCESSFUL;
256 /* recheck it is in the range */
257 if (hwm > high_hwm) {
258 DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
259 hwmtype, (unsigned long)high_hwm));
260 idmap_tdb2->transaction_cancel(idmap_tdb2);
261 return NT_STATUS_UNSUCCESSFUL;
264 res = idmap_tdb2->transaction_commit(idmap_tdb2);
266 DEBUG(1,(__location__ " Failed to commit transaction\n"));
267 return NT_STATUS_UNSUCCESSFUL;
271 DEBUG(10,("New %s = %d\n", hwmtype, hwm));
277 Get current highest id.
279 static NTSTATUS idmap_tdb2_get_hwm(struct unixid *xid)
287 status = idmap_tdb2_open_db();
288 NT_STATUS_NOT_OK_RETURN(status);
290 /* Get current high water mark */
296 high_hwm = idmap_tdb2_state.high_uid;
302 high_hwm = idmap_tdb2_state.high_gid;
306 return NT_STATUS_INVALID_PARAMETER;
309 if ((hwm = dbwrap_fetch_int32(idmap_tdb2, hwmkey)) == -1) {
310 return NT_STATUS_INTERNAL_DB_ERROR;
315 /* Warn if it is out of range */
316 if (hwm >= high_hwm) {
317 DEBUG(0, ("Warning: %s range full!! (max: %lu)\n",
318 hwmtype, (unsigned long)high_hwm));
327 static NTSTATUS idmap_tdb2_set_hwm(struct unixid *xid)
329 /* not supported, or we would invalidate the cache tdb on
331 DEBUG(0,("idmap_tdb2_set_hwm not supported\n"));
332 return NT_STATUS_NOT_SUPPORTED;
338 static NTSTATUS idmap_tdb2_alloc_close(void)
340 /* don't actually close it */
345 IDMAP MAPPING TDB BACKEND
347 struct idmap_tdb2_context {
348 uint32_t filter_low_id;
349 uint32_t filter_high_id;
353 Initialise idmap database.
355 static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom,
359 struct idmap_tdb2_context *ctx;
360 char *config_option = NULL;
364 status = idmap_tdb2_open_db();
365 NT_STATUS_NOT_OK_RETURN(status);
367 ctx = talloc(dom, struct idmap_tdb2_context);
369 DEBUG(0, ("Out of memory!\n"));
370 return NT_STATUS_NO_MEMORY;
373 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
374 if ( ! config_option) {
375 DEBUG(0, ("Out of memory!\n"));
376 ret = NT_STATUS_NO_MEMORY;
380 range = lp_parm_const_string(-1, config_option, "range", NULL);
382 (sscanf(range, "%u - %u", &ctx->filter_low_id, &ctx->filter_high_id) != 2) ||
383 (ctx->filter_low_id > ctx->filter_high_id)) {
384 ctx->filter_low_id = 0;
385 ctx->filter_high_id = 0;
388 dom->private_data = ctx;
390 talloc_free(config_option);
400 run a script to perform a mapping
402 The script should the following command lines:
408 and should return one of the following as a single line of text
414 static NTSTATUS idmap_tdb2_script(struct idmap_tdb2_context *ctx, struct id_map *map,
415 const char *fmt, ...)
423 cmd = talloc_asprintf(ctx, "%s ", idmap_tdb2_state.idmap_script);
424 NT_STATUS_HAVE_NO_MEMORY(cmd);
427 cmd = talloc_vasprintf_append(cmd, fmt, ap);
429 NT_STATUS_HAVE_NO_MEMORY(cmd);
434 return NT_STATUS_NONE_MAPPED;
437 if (fgets(line, sizeof(line)-1, p) == NULL) {
439 return NT_STATUS_NONE_MAPPED;
443 DEBUG(10,("idmap script gave: %s\n", line));
445 if (sscanf(line, "UID:%lu", &v) == 1) {
447 map->xid.type = ID_TYPE_UID;
448 } else if (sscanf(line, "GID:%lu", &v) == 1) {
450 map->xid.type = ID_TYPE_GID;
451 } else if (strncmp(line, "SID:S-", 6) == 0) {
452 if (!string_to_sid(map->sid, &line[4])) {
453 DEBUG(0,("Bad SID in '%s' from idmap script %s\n",
454 line, idmap_tdb2_state.idmap_script));
455 return NT_STATUS_NONE_MAPPED;
458 DEBUG(0,("Bad reply '%s' from idmap script %s\n",
459 line, idmap_tdb2_state.idmap_script));
460 return NT_STATUS_NONE_MAPPED;
469 Single id to sid lookup function.
471 static NTSTATUS idmap_tdb2_id_to_sid(struct idmap_tdb2_context *ctx, struct id_map *map)
478 status = idmap_tdb2_open_db();
479 NT_STATUS_NOT_OK_RETURN(status);
482 return NT_STATUS_INVALID_PARAMETER;
485 /* apply filters before checking */
486 if ((ctx->filter_low_id && (map->xid.id < ctx->filter_low_id)) ||
487 (ctx->filter_high_id && (map->xid.id > ctx->filter_high_id))) {
488 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
489 map->xid.id, ctx->filter_low_id, ctx->filter_high_id));
490 return NT_STATUS_NONE_MAPPED;
493 switch (map->xid.type) {
496 keystr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
500 keystr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
504 DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type));
505 return NT_STATUS_INVALID_PARAMETER;
508 /* final SAFE_FREE safe */
511 if (keystr == NULL) {
512 DEBUG(0, ("Out of memory!\n"));
513 ret = NT_STATUS_NO_MEMORY;
517 DEBUG(10,("Fetching record %s\n", keystr));
519 /* Check if the mapping exists */
520 data = dbwrap_fetch_bystring(idmap_tdb2, keystr, keystr);
525 DEBUG(10,("Record %s not found\n", keystr));
526 if (idmap_tdb2_state.idmap_script == NULL) {
527 ret = NT_STATUS_NONE_MAPPED;
531 ret = idmap_tdb2_script(ctx, map, "IDTOSID %s", keystr);
533 /* store it on shared storage */
534 if (!NT_STATUS_IS_OK(ret)) {
538 if (sid_to_fstring(sidstr, map->sid)) {
539 /* both forward and reverse mappings */
540 dbwrap_store_bystring(idmap_tdb2, keystr,
541 string_term_tdb_data(sidstr),
543 dbwrap_store_bystring(idmap_tdb2, sidstr,
544 string_term_tdb_data(keystr),
550 if (!string_to_sid(map->sid, (const char *)data.dptr)) {
551 DEBUG(10,("INVALID SID (%s) in record %s\n",
552 (const char *)data.dptr, keystr));
553 ret = NT_STATUS_INTERNAL_DB_ERROR;
557 DEBUG(10,("Found record %s -> %s\n", keystr, (const char *)data.dptr));
567 Single sid to id lookup function.
569 static NTSTATUS idmap_tdb2_sid_to_id(struct idmap_tdb2_context *ctx, struct id_map *map)
574 unsigned long rec_id = 0;
575 TALLOC_CTX *tmp_ctx = talloc_stackframe();
577 ret = idmap_tdb2_open_db();
578 NT_STATUS_NOT_OK_RETURN(ret);
580 keystr = sid_string_talloc(tmp_ctx, map->sid);
581 if (keystr == NULL) {
582 DEBUG(0, ("Out of memory!\n"));
583 ret = NT_STATUS_NO_MEMORY;
587 DEBUG(10,("Fetching record %s\n", keystr));
589 /* Check if sid is present in database */
590 data = dbwrap_fetch_bystring(idmap_tdb2, tmp_ctx, keystr);
594 DEBUG(10,(__location__ " Record %s not found\n", keystr));
596 if (idmap_tdb2_state.idmap_script == NULL) {
597 ret = NT_STATUS_NONE_MAPPED;
601 ret = idmap_tdb2_script(ctx, map, "SIDTOID %s", keystr);
602 /* store it on shared storage */
603 if (!NT_STATUS_IS_OK(ret)) {
607 snprintf(idstr, sizeof(idstr), "%cID %lu",
608 map->xid.type == ID_TYPE_UID?'U':'G',
609 (unsigned long)map->xid.id);
610 /* store both forward and reverse mappings */
611 dbwrap_store_bystring(idmap_tdb2, keystr, string_term_tdb_data(idstr),
613 dbwrap_store_bystring(idmap_tdb2, idstr, string_term_tdb_data(keystr),
618 /* What type of record is this ? */
619 if (sscanf((const char *)data.dptr, "UID %lu", &rec_id) == 1) { /* Try a UID record. */
620 map->xid.id = rec_id;
621 map->xid.type = ID_TYPE_UID;
622 DEBUG(10,("Found uid record %s -> %s \n", keystr, (const char *)data.dptr ));
625 } else if (sscanf((const char *)data.dptr, "GID %lu", &rec_id) == 1) { /* Try a GID record. */
626 map->xid.id = rec_id;
627 map->xid.type = ID_TYPE_GID;
628 DEBUG(10,("Found gid record %s -> %s \n", keystr, (const char *)data.dptr ));
631 } else { /* Unknown record type ! */
632 DEBUG(2, ("Found INVALID record %s -> %s\n", keystr, (const char *)data.dptr));
633 ret = NT_STATUS_INTERNAL_DB_ERROR;
636 /* apply filters before returning result */
637 if ((ctx->filter_low_id && (map->xid.id < ctx->filter_low_id)) ||
638 (ctx->filter_high_id && (map->xid.id > ctx->filter_high_id))) {
639 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
640 map->xid.id, ctx->filter_low_id, ctx->filter_high_id));
641 ret = NT_STATUS_NONE_MAPPED;
645 talloc_free(tmp_ctx);
650 lookup a set of unix ids.
652 static NTSTATUS idmap_tdb2_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
654 struct idmap_tdb2_context *ctx;
658 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
660 for (i = 0; ids[i]; i++) {
661 ret = idmap_tdb2_id_to_sid(ctx, ids[i]);
662 if ( ! NT_STATUS_IS_OK(ret)) {
664 /* if it is just a failed mapping continue */
665 if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {
667 /* make sure it is marked as unmapped */
668 ids[i]->status = ID_UNMAPPED;
672 /* some fatal error occurred, return immediately */
676 /* all ok, id is mapped */
677 ids[i]->status = ID_MAPPED;
687 lookup a set of sids.
689 static NTSTATUS idmap_tdb2_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
691 struct idmap_tdb2_context *ctx;
695 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
697 for (i = 0; ids[i]; i++) {
698 ret = idmap_tdb2_sid_to_id(ctx, ids[i]);
699 if ( ! NT_STATUS_IS_OK(ret)) {
701 /* if it is just a failed mapping continue */
702 if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {
704 /* make sure it is marked as unmapped */
705 ids[i]->status = ID_UNMAPPED;
709 /* some fatal error occurred, return immediately */
713 /* all ok, id is mapped */
714 ids[i]->status = ID_MAPPED;
727 static NTSTATUS idmap_tdb2_set_mapping(struct idmap_domain *dom, const struct id_map *map)
729 struct idmap_tdb2_context *ctx;
732 char *ksidstr, *kidstr;
734 bool started_transaction = false;
736 if (!map || !map->sid) {
737 return NT_STATUS_INVALID_PARAMETER;
740 ksidstr = kidstr = NULL;
742 /* TODO: should we filter a set_mapping using low/high filters ? */
744 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
746 switch (map->xid.type) {
749 kidstr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
753 kidstr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
757 DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type));
758 return NT_STATUS_INVALID_PARAMETER;
761 if (kidstr == NULL) {
762 DEBUG(0, ("ERROR: Out of memory!\n"));
763 ret = NT_STATUS_NO_MEMORY;
767 if (!(ksidstr = sid_string_talloc(ctx, map->sid))) {
768 DEBUG(0, ("Out of memory!\n"));
769 ret = NT_STATUS_NO_MEMORY;
773 DEBUG(10, ("Storing %s <-> %s map\n", ksidstr, kidstr));
775 res = idmap_tdb2->transaction_start(idmap_tdb2);
777 DEBUG(1,(__location__ " Failed to start transaction\n"));
778 ret = NT_STATUS_UNSUCCESSFUL;
782 started_transaction = true;
784 /* check wheter sid mapping is already present in db */
785 data = dbwrap_fetch_bystring(idmap_tdb2, ksidstr, ksidstr);
787 ret = NT_STATUS_OBJECT_NAME_COLLISION;
791 ret = dbwrap_store_bystring(idmap_tdb2, ksidstr, string_term_tdb_data(kidstr),
793 if (!NT_STATUS_IS_OK(ret)) {
794 DEBUG(0, ("Error storing SID -> ID: %s\n", nt_errstr(ret)));
797 ret = dbwrap_store_bystring(idmap_tdb2, kidstr, string_term_tdb_data(ksidstr),
799 if (!NT_STATUS_IS_OK(ret)) {
800 DEBUG(0, ("Error storing ID -> SID: %s\n", nt_errstr(ret)));
801 /* try to remove the previous stored SID -> ID map */
802 dbwrap_delete_bystring(idmap_tdb2, ksidstr);
806 started_transaction = false;
808 res = idmap_tdb2->transaction_commit(idmap_tdb2);
810 DEBUG(1,(__location__ " Failed to commit transaction\n"));
811 ret = NT_STATUS_UNSUCCESSFUL;
815 DEBUG(10,("Stored %s <-> %s\n", ksidstr, kidstr));
819 if (started_transaction) {
820 idmap_tdb2->transaction_cancel(idmap_tdb2);
822 talloc_free(ksidstr);
830 static NTSTATUS idmap_tdb2_remove_mapping(struct idmap_domain *dom, const struct id_map *map)
832 /* not supported as it would invalidate the cache tdb on other
834 DEBUG(0,("idmap_tdb2_remove_mapping not supported\n"));
835 return NT_STATUS_NOT_SUPPORTED;
839 Close the idmap tdb instance
841 static NTSTATUS idmap_tdb2_close(struct idmap_domain *dom)
843 /* don't do anything */
849 Dump all mappings out
851 static NTSTATUS idmap_tdb2_dump_data(struct idmap_domain *dom, struct id_map **maps, int *num_maps)
853 DEBUG(0,("idmap_tdb2_dump_data not supported\n"));
854 return NT_STATUS_NOT_SUPPORTED;
857 static struct idmap_methods db_methods = {
858 .init = idmap_tdb2_db_init,
859 .unixids_to_sids = idmap_tdb2_unixids_to_sids,
860 .sids_to_unixids = idmap_tdb2_sids_to_unixids,
861 .set_mapping = idmap_tdb2_set_mapping,
862 .remove_mapping = idmap_tdb2_remove_mapping,
863 .dump_data = idmap_tdb2_dump_data,
864 .close_fn = idmap_tdb2_close
867 static struct idmap_alloc_methods db_alloc_methods = {
868 .init = idmap_tdb2_alloc_init,
869 .allocate_id = idmap_tdb2_allocate_id,
870 .get_id_hwm = idmap_tdb2_get_hwm,
871 .set_id_hwm = idmap_tdb2_set_hwm,
872 .close_fn = idmap_tdb2_alloc_close
875 NTSTATUS idmap_tdb2_init(void)
879 /* register both backends */
880 ret = smb_register_idmap_alloc(SMB_IDMAP_INTERFACE_VERSION, "tdb2", &db_alloc_methods);
881 if (! NT_STATUS_IS_OK(ret)) {
882 DEBUG(0, ("Unable to register idmap alloc tdb2 module: %s\n", get_friendly_nt_error_msg(ret)));
886 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "tdb2", &db_methods);