2 Unix SMB/CIFS implementation.
4 idmap TDB2 backend, used for clustered Samba setups.
6 This uses dbwrap to access tdb files. The location can be set
7 using tdb:idmap2.tdb =" in smb.conf
9 Copyright (C) Andrew Tridgell 2007
11 This is heavily based upon idmap_tdb.c, which is:
13 Copyright (C) Tim Potter 2000
14 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
15 Copyright (C) Jeremy Allison 2006
16 Copyright (C) Simo Sorce 2003-2006
17 Copyright (C) Michael Adam 2009-2010
19 This program is free software; you can redistribute it and/or modify
20 it under the terms of the GNU General Public License as published by
21 the Free Software Foundation; either version 2 of the License, or
22 (at your option) any later version.
24 This program is distributed in the hope that it will be useful,
25 but WITHOUT ANY WARRANTY; without even the implied warranty of
26 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 GNU General Public License for more details.
29 You should have received a copy of the GNU General Public License
30 along with this program; if not, write to the Free Software
31 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
35 #include "system/filesys.h"
40 #include "../libcli/security/dom_sid.h"
44 #define DBGC_CLASS DBGC_IDMAP
46 struct idmap_tdb2_context {
47 struct db_context *db;
48 const char *script; /* script to provide idmaps */
49 struct idmap_rw_ops *rw_ops;
52 /* High water mark keys */
53 #define HWM_GROUP "GROUP HWM"
54 #define HWM_USER "USER HWM"
58 * check and initialize high/low water marks in the db
60 static NTSTATUS idmap_tdb2_init_hwm(struct idmap_domain *dom)
64 struct idmap_tdb2_context *ctx;
66 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
68 /* Create high water marks for group and user id */
70 low_id = dbwrap_fetch_int32(ctx->db, HWM_USER);
71 if ((low_id == -1) || (low_id < dom->low_id)) {
72 status = dbwrap_trans_store_int32(ctx->db, HWM_USER,
74 if (!NT_STATUS_IS_OK(status)) {
75 DEBUG(0, ("Unable to initialise user hwm in idmap "
76 "database: %s\n", nt_errstr(status)));
77 return NT_STATUS_INTERNAL_DB_ERROR;
81 low_id = dbwrap_fetch_int32(ctx->db, HWM_GROUP);
82 if ((low_id == -1) || (low_id < dom->low_id)) {
83 status = dbwrap_trans_store_int32(ctx->db, HWM_GROUP,
85 if (!NT_STATUS_IS_OK(status)) {
86 DEBUG(0, ("Unable to initialise group hwm in idmap "
87 "database: %s\n", nt_errstr(status)));
88 return NT_STATUS_INTERNAL_DB_ERROR;
97 open the permanent tdb
99 static NTSTATUS idmap_tdb2_open_db(struct idmap_domain *dom)
102 struct idmap_tdb2_context *ctx;
104 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
107 /* its already open */
111 db_path = talloc_asprintf(NULL, "%s/idmap2.tdb", lp_private_dir());
112 NT_STATUS_HAVE_NO_MEMORY(db_path);
114 /* Open idmap repository */
115 ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644);
116 TALLOC_FREE(db_path);
118 if (ctx->db == NULL) {
119 DEBUG(0, ("Unable to open idmap_tdb2 database '%s'\n",
121 return NT_STATUS_UNSUCCESSFUL;
124 return idmap_tdb2_init_hwm(dom);
132 struct idmap_tdb2_allocate_id_context {
139 static NTSTATUS idmap_tdb2_allocate_id_action(struct db_context *db,
143 struct idmap_tdb2_allocate_id_context *state;
146 state = (struct idmap_tdb2_allocate_id_context *)private_data;
148 hwm = dbwrap_fetch_int32(db, state->hwmkey);
150 ret = NT_STATUS_INTERNAL_DB_ERROR;
154 /* check it is in the range */
155 if (hwm > state->high_hwm) {
156 DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
157 state->hwmtype, (unsigned long)state->high_hwm));
158 ret = NT_STATUS_UNSUCCESSFUL;
162 /* fetch a new id and increment it */
163 ret = dbwrap_trans_change_uint32_atomic(db, state->hwmkey, &hwm, 1);
164 if (!NT_STATUS_IS_OK(ret)) {
165 DEBUG(1, ("Fatal error while fetching a new %s value\n!",
170 /* recheck it is in the range */
171 if (hwm > state->high_hwm) {
172 DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
173 state->hwmtype, (unsigned long)state->high_hwm));
174 ret = NT_STATUS_UNSUCCESSFUL;
185 static NTSTATUS idmap_tdb2_allocate_id(struct idmap_domain *dom,
193 struct idmap_tdb2_allocate_id_context state;
194 struct idmap_tdb2_context *ctx;
196 status = idmap_tdb2_open_db(dom);
197 NT_STATUS_NOT_OK_RETURN(status);
199 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
201 /* Get current high water mark */
215 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
216 return NT_STATUS_INVALID_PARAMETER;
219 high_hwm = dom->high_id;
222 state.high_hwm = high_hwm;
223 state.hwmtype = hwmtype;
224 state.hwmkey = hwmkey;
226 status = dbwrap_trans_do(ctx->db, idmap_tdb2_allocate_id_action,
229 if (NT_STATUS_IS_OK(status)) {
231 DEBUG(10,("New %s = %d\n", hwmtype, state.hwm));
233 DEBUG(1, ("Error allocating a new %s\n", hwmtype));
240 * Allocate a new unix-ID.
241 * For now this is for the default idmap domain only.
242 * Should be extended later on.
244 static NTSTATUS idmap_tdb2_get_new_id(struct idmap_domain *dom,
249 if (!strequal(dom->name, "*")) {
250 DEBUG(3, ("idmap_tdb2_get_new_id: "
251 "Refusing creation of mapping for domain'%s'. "
252 "Currently only supported for the default "
255 return NT_STATUS_NOT_IMPLEMENTED;
258 ret = idmap_tdb2_allocate_id(dom, id);
264 IDMAP MAPPING TDB BACKEND
267 static NTSTATUS idmap_tdb2_set_mapping(struct idmap_domain *dom,
268 const struct id_map *map);
271 Initialise idmap database.
273 static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
276 struct idmap_tdb2_context *ctx;
277 char *config_option = NULL;
278 const char * idmap_script = NULL;
280 ctx = talloc_zero(dom, struct idmap_tdb2_context);
282 DEBUG(0, ("Out of memory!\n"));
283 return NT_STATUS_NO_MEMORY;
286 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
287 if (config_option == NULL) {
288 DEBUG(0, ("Out of memory!\n"));
289 ret = NT_STATUS_NO_MEMORY;
292 ctx->script = lp_parm_const_string(-1, config_option, "script", "NULL");
293 talloc_free(config_option);
295 idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
296 if (idmap_script != NULL) {
297 DEBUG(0, ("Warning: 'idmap:script' is deprecated. "
298 " Please use 'idmap config * : script' instead!\n"));
301 if (strequal(dom->name, "*") && ctx->script == NULL) {
302 /* fall back to idmap:script for backwards compatibility */
303 ctx->script = idmap_script;
307 DEBUG(1, ("using idmap script '%s'\n", ctx->script));
310 ctx->rw_ops = talloc_zero(ctx, struct idmap_rw_ops);
311 if (ctx->rw_ops == NULL) {
312 DEBUG(0, ("Out of memory!\n"));
313 ret = NT_STATUS_NO_MEMORY;
317 ctx->rw_ops->get_new_id = idmap_tdb2_get_new_id;
318 ctx->rw_ops->set_mapping = idmap_tdb2_set_mapping;
320 dom->private_data = ctx;
322 ret = idmap_tdb2_open_db(dom);
323 if (!NT_STATUS_IS_OK(ret)) {
336 * store a mapping in the database.
339 struct idmap_tdb2_set_mapping_context {
344 static NTSTATUS idmap_tdb2_set_mapping_action(struct db_context *db,
349 struct idmap_tdb2_set_mapping_context *state;
350 TALLOC_CTX *tmp_ctx = talloc_stackframe();
352 state = (struct idmap_tdb2_set_mapping_context *)private_data;
354 DEBUG(10, ("Storing %s <-> %s map\n", state->ksidstr, state->kidstr));
356 /* check wheter sid mapping is already present in db */
357 data = dbwrap_fetch_bystring(db, tmp_ctx, state->ksidstr);
359 ret = NT_STATUS_OBJECT_NAME_COLLISION;
363 ret = dbwrap_store_bystring(db, state->ksidstr,
364 string_term_tdb_data(state->kidstr),
366 if (!NT_STATUS_IS_OK(ret)) {
367 DEBUG(0, ("Error storing SID -> ID: %s\n", nt_errstr(ret)));
371 ret = dbwrap_store_bystring(db, state->kidstr,
372 string_term_tdb_data(state->ksidstr),
374 if (!NT_STATUS_IS_OK(ret)) {
375 DEBUG(0, ("Error storing ID -> SID: %s\n", nt_errstr(ret)));
376 /* try to remove the previous stored SID -> ID map */
377 dbwrap_delete_bystring(db, state->ksidstr);
381 DEBUG(10,("Stored %s <-> %s\n", state->ksidstr, state->kidstr));
384 talloc_free(tmp_ctx);
388 static NTSTATUS idmap_tdb2_set_mapping(struct idmap_domain *dom, const struct id_map *map)
390 struct idmap_tdb2_context *ctx;
392 char *ksidstr, *kidstr;
393 struct idmap_tdb2_set_mapping_context state;
395 if (!map || !map->sid) {
396 return NT_STATUS_INVALID_PARAMETER;
399 ksidstr = kidstr = NULL;
401 /* TODO: should we filter a set_mapping using low/high filters ? */
403 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
405 switch (map->xid.type) {
408 kidstr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
412 kidstr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
416 DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type));
417 return NT_STATUS_INVALID_PARAMETER;
420 if (kidstr == NULL) {
421 DEBUG(0, ("ERROR: Out of memory!\n"));
422 ret = NT_STATUS_NO_MEMORY;
426 ksidstr = sid_string_talloc(ctx, map->sid);
427 if (ksidstr == NULL) {
428 DEBUG(0, ("Out of memory!\n"));
429 ret = NT_STATUS_NO_MEMORY;
433 state.ksidstr = ksidstr;
434 state.kidstr = kidstr;
436 ret = dbwrap_trans_do(ctx->db, idmap_tdb2_set_mapping_action,
440 talloc_free(ksidstr);
446 * Create a new mapping for an unmapped SID, also allocating a new ID.
447 * This should be run inside a transaction.
450 * Properly integrate this with multi domain idmap config:
451 * Currently, the allocator is default-config only.
453 static NTSTATUS idmap_tdb2_new_mapping(struct idmap_domain *dom, struct id_map *map)
456 struct idmap_tdb2_context *ctx;
458 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
460 ret = idmap_rw_new_mapping(dom, ctx->rw_ops, map);
467 run a script to perform a mapping
469 The script should the following command lines:
475 and should return one of the following as a single line of text
481 static NTSTATUS idmap_tdb2_script(struct idmap_tdb2_context *ctx, struct id_map *map,
482 const char *fmt, ...)
490 cmd = talloc_asprintf(ctx, "%s ", ctx->script);
491 NT_STATUS_HAVE_NO_MEMORY(cmd);
494 cmd = talloc_vasprintf_append(cmd, fmt, ap);
496 NT_STATUS_HAVE_NO_MEMORY(cmd);
501 return NT_STATUS_NONE_MAPPED;
504 if (fgets(line, sizeof(line)-1, p) == NULL) {
506 return NT_STATUS_NONE_MAPPED;
510 DEBUG(10,("idmap script gave: %s\n", line));
512 if (sscanf(line, "UID:%lu", &v) == 1) {
514 map->xid.type = ID_TYPE_UID;
515 } else if (sscanf(line, "GID:%lu", &v) == 1) {
517 map->xid.type = ID_TYPE_GID;
518 } else if (strncmp(line, "SID:S-", 6) == 0) {
519 if (!string_to_sid(map->sid, &line[4])) {
520 DEBUG(0,("Bad SID in '%s' from idmap script %s\n",
522 return NT_STATUS_NONE_MAPPED;
525 DEBUG(0,("Bad reply '%s' from idmap script %s\n",
527 return NT_STATUS_NONE_MAPPED;
536 Single id to sid lookup function.
538 static NTSTATUS idmap_tdb2_id_to_sid(struct idmap_domain *dom, struct id_map *map)
544 struct idmap_tdb2_context *ctx;
548 return NT_STATUS_INVALID_PARAMETER;
551 status = idmap_tdb2_open_db(dom);
552 NT_STATUS_NOT_OK_RETURN(status);
554 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
556 /* apply filters before checking */
557 if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
558 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
559 map->xid.id, dom->low_id, dom->high_id));
560 return NT_STATUS_NONE_MAPPED;
563 switch (map->xid.type) {
566 keystr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
570 keystr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
574 DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type));
575 return NT_STATUS_INVALID_PARAMETER;
578 if (keystr == NULL) {
579 DEBUG(0, ("Out of memory!\n"));
580 ret = NT_STATUS_NO_MEMORY;
584 DEBUG(10,("Fetching record %s\n", keystr));
586 /* Check if the mapping exists */
587 data = dbwrap_fetch_bystring(ctx->db, keystr, keystr);
591 struct idmap_tdb2_set_mapping_context store_state;
593 DEBUG(10,("Record %s not found\n", keystr));
594 if (ctx->script == NULL) {
595 ret = NT_STATUS_NONE_MAPPED;
599 ret = idmap_tdb2_script(ctx, map, "IDTOSID %s", keystr);
600 if (!NT_STATUS_IS_OK(ret)) {
604 sidstr = sid_string_talloc(keystr, map->sid);
606 ret = NT_STATUS_NO_MEMORY;
610 store_state.ksidstr = sidstr;
611 store_state.kidstr = keystr;
613 ret = dbwrap_trans_do(ctx->db, idmap_tdb2_set_mapping_action,
618 if (!string_to_sid(map->sid, (const char *)data.dptr)) {
619 DEBUG(10,("INVALID SID (%s) in record %s\n",
620 (const char *)data.dptr, keystr));
621 ret = NT_STATUS_INTERNAL_DB_ERROR;
625 DEBUG(10,("Found record %s -> %s\n", keystr, (const char *)data.dptr));
635 Single sid to id lookup function.
637 static NTSTATUS idmap_tdb2_sid_to_id(struct idmap_domain *dom, struct id_map *map)
642 unsigned long rec_id = 0;
643 struct idmap_tdb2_context *ctx;
644 TALLOC_CTX *tmp_ctx = talloc_stackframe();
646 ret = idmap_tdb2_open_db(dom);
647 NT_STATUS_NOT_OK_RETURN(ret);
649 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
651 keystr = sid_string_talloc(tmp_ctx, map->sid);
652 if (keystr == NULL) {
653 DEBUG(0, ("Out of memory!\n"));
654 ret = NT_STATUS_NO_MEMORY;
658 DEBUG(10,("Fetching record %s\n", keystr));
660 /* Check if sid is present in database */
661 data = dbwrap_fetch_bystring(ctx->db, tmp_ctx, keystr);
664 struct idmap_tdb2_set_mapping_context store_state;
666 DEBUG(10,(__location__ " Record %s not found\n", keystr));
668 if (ctx->script == NULL) {
669 ret = NT_STATUS_NONE_MAPPED;
673 ret = idmap_tdb2_script(ctx, map, "SIDTOID %s", keystr);
674 if (!NT_STATUS_IS_OK(ret)) {
678 /* apply filters before returning result */
679 if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
680 DEBUG(5, ("Script returned id (%u) out of range "
681 "(%u - %u). Filtered!\n",
682 map->xid.id, dom->low_id, dom->high_id));
683 ret = NT_STATUS_NONE_MAPPED;
687 idstr = talloc_asprintf(tmp_ctx, "%cID %lu",
688 map->xid.type == ID_TYPE_UID?'U':'G',
689 (unsigned long)map->xid.id);
691 ret = NT_STATUS_NO_MEMORY;
695 store_state.ksidstr = keystr;
696 store_state.kidstr = idstr;
698 ret = dbwrap_trans_do(ctx->db, idmap_tdb2_set_mapping_action,
703 /* What type of record is this ? */
704 if (sscanf((const char *)data.dptr, "UID %lu", &rec_id) == 1) { /* Try a UID record. */
705 map->xid.id = rec_id;
706 map->xid.type = ID_TYPE_UID;
707 DEBUG(10,("Found uid record %s -> %s \n", keystr, (const char *)data.dptr ));
710 } else if (sscanf((const char *)data.dptr, "GID %lu", &rec_id) == 1) { /* Try a GID record. */
711 map->xid.id = rec_id;
712 map->xid.type = ID_TYPE_GID;
713 DEBUG(10,("Found gid record %s -> %s \n", keystr, (const char *)data.dptr ));
716 } else { /* Unknown record type ! */
717 DEBUG(2, ("Found INVALID record %s -> %s\n", keystr, (const char *)data.dptr));
718 ret = NT_STATUS_INTERNAL_DB_ERROR;
722 /* apply filters before returning result */
723 if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
724 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
725 map->xid.id, dom->low_id, dom->high_id));
726 ret = NT_STATUS_NONE_MAPPED;
730 talloc_free(tmp_ctx);
735 lookup a set of unix ids.
737 static NTSTATUS idmap_tdb2_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
742 /* initialize the status to avoid suprise */
743 for (i = 0; ids[i]; i++) {
744 ids[i]->status = ID_UNKNOWN;
747 for (i = 0; ids[i]; i++) {
748 ret = idmap_tdb2_id_to_sid(dom, ids[i]);
749 if ( ! NT_STATUS_IS_OK(ret)) {
751 /* if it is just a failed mapping continue */
752 if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {
754 /* make sure it is marked as unmapped */
755 ids[i]->status = ID_UNMAPPED;
759 /* some fatal error occurred, return immediately */
763 /* all ok, id is mapped */
764 ids[i]->status = ID_MAPPED;
774 lookup a set of sids.
777 struct idmap_tdb2_sids_to_unixids_context {
778 struct idmap_domain *dom;
780 bool allocate_unmapped;
783 static NTSTATUS idmap_tdb2_sids_to_unixids_action(struct db_context *db,
786 struct idmap_tdb2_sids_to_unixids_context *state;
788 NTSTATUS ret = NT_STATUS_OK;
790 state = (struct idmap_tdb2_sids_to_unixids_context *)private_data;
792 DEBUG(10, ("idmap_tdb2_sids_to_unixids_action: "
793 " domain: [%s], allocate: %s\n",
795 state->allocate_unmapped ? "yes" : "no"));
797 for (i = 0; state->ids[i]; i++) {
798 if ((state->ids[i]->status == ID_UNKNOWN) ||
799 /* retry if we could not map in previous run: */
800 (state->ids[i]->status == ID_UNMAPPED))
804 ret2 = idmap_tdb2_sid_to_id(state->dom, state->ids[i]);
805 if (!NT_STATUS_IS_OK(ret2)) {
807 /* if it is just a failed mapping, continue */
808 if (NT_STATUS_EQUAL(ret2, NT_STATUS_NONE_MAPPED)) {
810 /* make sure it is marked as unmapped */
811 state->ids[i]->status = ID_UNMAPPED;
812 ret = STATUS_SOME_UNMAPPED;
814 /* some fatal error occurred, return immediately */
819 /* all ok, id is mapped */
820 state->ids[i]->status = ID_MAPPED;
824 if ((state->ids[i]->status == ID_UNMAPPED) &&
825 state->allocate_unmapped)
827 ret = idmap_tdb2_new_mapping(state->dom, state->ids[i]);
828 if (!NT_STATUS_IS_OK(ret)) {
838 static NTSTATUS idmap_tdb2_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
842 struct idmap_tdb2_sids_to_unixids_context state;
843 struct idmap_tdb2_context *ctx;
845 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
847 /* initialize the status to avoid suprise */
848 for (i = 0; ids[i]; i++) {
849 ids[i]->status = ID_UNKNOWN;
854 state.allocate_unmapped = false;
856 ret = idmap_tdb2_sids_to_unixids_action(ctx->db, &state);
858 if (NT_STATUS_EQUAL(ret, STATUS_SOME_UNMAPPED) && !dom->read_only) {
859 state.allocate_unmapped = true;
860 ret = dbwrap_trans_do(ctx->db,
861 idmap_tdb2_sids_to_unixids_action,
869 static struct idmap_methods db_methods = {
870 .init = idmap_tdb2_db_init,
871 .unixids_to_sids = idmap_tdb2_unixids_to_sids,
872 .sids_to_unixids = idmap_tdb2_sids_to_unixids,
873 .allocate_id = idmap_tdb2_get_new_id
876 NTSTATUS idmap_tdb2_init(void)
878 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "tdb2", &db_methods);
git.samba.org / ira / wip.git / blob