2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000
5 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
6 Copyright (C) Simo Sorce 2003
7 Copyright (C) Jeremy Allison 2006
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #define DBGC_CLASS DBGC_IDMAP
32 struct idmap_backend {
34 struct idmap_methods *methods;
35 struct idmap_backend *prev, *next;
38 struct idmap_alloc_backend {
40 struct idmap_alloc_methods *methods;
41 struct idmap_alloc_backend *prev, *next;
44 struct idmap_cache_ctx;
46 static TALLOC_CTX *idmap_ctx = NULL;
47 static struct idmap_cache_ctx *idmap_cache;
49 static struct idmap_backend *backends = NULL;
50 static struct idmap_domain **idmap_domains = NULL;
51 static int num_domains = 0;
52 static int pdb_dom_num = -1;
53 static int def_dom_num = -1;
55 static struct idmap_alloc_backend *alloc_backends = NULL;
56 static struct idmap_alloc_methods *alloc_methods = NULL;
58 #define IDMAP_CHECK_RET(ret) do { if ( ! NT_STATUS_IS_OK(ret)) { DEBUG(2, ("ERROR: NTSTATUS = 0x%08x\n", NT_STATUS_V(ret))); goto done; } } while(0)
59 #define IDMAP_CHECK_ALLOC(mem) do { if (!mem) { DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; goto done; } } while(0)
61 static struct idmap_methods *get_methods(struct idmap_backend *be, const char *name)
63 struct idmap_backend *b;
65 for (b = be; b; b = b->next) {
66 if (strequal(b->name, name)) {
74 static struct idmap_alloc_methods *get_alloc_methods(struct idmap_alloc_backend *be, const char *name)
76 struct idmap_alloc_backend *b;
78 for (b = be; b; b = b->next) {
79 if (strequal(b->name, name)) {
87 /**********************************************************************
88 Allow a module to register itself as a method.
89 **********************************************************************/
91 NTSTATUS smb_register_idmap(int version, const char *name, struct idmap_methods *methods)
93 struct idmap_methods *test;
94 struct idmap_backend *entry;
97 return NT_STATUS_INTERNAL_DB_ERROR;
100 if ((version != SMB_IDMAP_INTERFACE_VERSION)) {
101 DEBUG(0, ("Failed to register idmap module.\n"
102 "The module was compiled against SMB_IDMAP_INTERFACE_VERSION %d,\n"
103 "current SMB_IDMAP_INTERFACE_VERSION is %d.\n"
104 "Please recompile against the current version of samba!\n",
105 version, SMB_IDMAP_INTERFACE_VERSION));
106 return NT_STATUS_OBJECT_TYPE_MISMATCH;
109 if (!name || !name[0] || !methods) {
110 DEBUG(0,("Called with NULL pointer or empty name!\n"));
111 return NT_STATUS_INVALID_PARAMETER;
114 test = get_methods(backends, name);
116 DEBUG(0,("Idmap module %s already registered!\n", name));
117 return NT_STATUS_OBJECT_NAME_COLLISION;
120 entry = talloc(idmap_ctx, struct idmap_backend);
122 DEBUG(0,("Out of memory!\n"));
123 return NT_STATUS_NO_MEMORY;
125 entry->name = talloc_strdup(idmap_ctx, name);
126 if ( ! entry->name) {
127 DEBUG(0,("Out of memory!\n"));
128 return NT_STATUS_NO_MEMORY;
130 entry->methods = methods;
132 DLIST_ADD(backends, entry);
133 DEBUG(5, ("Successfully added idmap backend '%s'\n", name));
137 /**********************************************************************
138 Allow a module to register itself as a method.
139 **********************************************************************/
141 NTSTATUS smb_register_idmap_alloc(int version, const char *name, struct idmap_alloc_methods *methods)
143 struct idmap_alloc_methods *test;
144 struct idmap_alloc_backend *entry;
147 return NT_STATUS_INTERNAL_DB_ERROR;
150 if ((version != SMB_IDMAP_INTERFACE_VERSION)) {
151 DEBUG(0, ("Failed to register idmap alloc module.\n"
152 "The module was compiled against SMB_IDMAP_INTERFACE_VERSION %d,\n"
153 "current SMB_IDMAP_INTERFACE_VERSION is %d.\n"
154 "Please recompile against the current version of samba!\n",
155 version, SMB_IDMAP_INTERFACE_VERSION));
156 return NT_STATUS_OBJECT_TYPE_MISMATCH;
159 if (!name || !name[0] || !methods) {
160 DEBUG(0,("Called with NULL pointer or empty name!\n"));
161 return NT_STATUS_INVALID_PARAMETER;
164 test = get_alloc_methods(alloc_backends, name);
166 DEBUG(0,("idmap_alloc module %s already registered!\n", name));
167 return NT_STATUS_OBJECT_NAME_COLLISION;
170 entry = talloc(idmap_ctx, struct idmap_alloc_backend);
172 DEBUG(0,("Out of memory!\n"));
173 return NT_STATUS_NO_MEMORY;
175 entry->name = talloc_strdup(idmap_ctx, name);
176 if ( ! entry->name) {
177 DEBUG(0,("Out of memory!\n"));
178 return NT_STATUS_NO_MEMORY;
180 entry->methods = methods;
182 DLIST_ADD(alloc_backends, entry);
183 DEBUG(5, ("Successfully added idmap alloc backend '%s'\n", name));
187 static int close_domain_destructor(struct idmap_domain *dom)
191 ret = dom->methods->close_fn(dom);
192 if (!NT_STATUS_IS_OK(ret)) {
193 DEBUG(3, ("Failed to close idmap domain [%s]!\n", dom->name));
199 /**************************************************************************
201 **************************************************************************/
203 NTSTATUS idmap_close(void)
205 /* close the alloc backend first before freeing idmap_ctx */
207 alloc_methods->close_fn();
208 alloc_methods = NULL;
210 alloc_backends = NULL;
212 /* this talloc_free call will fire the talloc destructors
213 * that will free all active backends resources */
214 TALLOC_FREE(idmap_ctx);
216 idmap_domains = NULL;
222 /**********************************************************************
223 Initialise idmap cache and a remote backend (if configured).
224 **********************************************************************/
226 static const char *idmap_default_domain[] = { "default domain", NULL };
228 /****************************************************************************
229 ****************************************************************************/
231 NTSTATUS idmap_init_cache(void)
233 /* Always initialize the cache. We'll have to delay initialization
234 of backends if we are offline */
240 if ( (idmap_ctx = talloc_named_const(NULL, 0, "idmap_ctx")) == NULL ) {
241 return NT_STATUS_NO_MEMORY;
244 if ( (idmap_cache = idmap_cache_init(idmap_ctx)) == NULL ) {
245 return NT_STATUS_UNSUCCESSFUL;
251 /****************************************************************************
252 ****************************************************************************/
254 NTSTATUS idmap_init(void)
257 static NTSTATUS backend_init_status = NT_STATUS_UNSUCCESSFUL;
258 struct idmap_domain *dom;
259 char *compat_backend = NULL;
260 char *compat_params = NULL;
261 const char **dom_list = NULL;
262 char *alloc_backend = NULL;
263 BOOL default_already_defined = False;
264 BOOL pri_dom_is_in_list = False;
268 /* Always initialize the cache. We'll have to delay initialization
269 of backends if we are offline */
271 ret = idmap_init_cache();
272 if ( !NT_STATUS_IS_OK(ret) )
275 if ( NT_STATUS_IS_OK(backend_init_status) ) {
279 /* We can't reliably call intialization code here unless
282 if ( get_global_winbindd_state_offline() ) {
283 backend_init_status = NT_STATUS_FILE_IS_OFFLINE;
284 return backend_init_status;
289 dom_list = lp_idmap_domains();
291 if ( dom_list && lp_idmap_backend() ) {
292 DEBUG(0, ("WARNING: idmap backend and idmap domains are "
293 "mutually excusive!\n"));
294 DEBUGADD(0,("idmap backend option will be IGNORED!\n"));
295 } else if ( lp_idmap_backend() ) {
296 const char **compat_list = lp_idmap_backend();
298 const char *q = NULL;
302 if ( (compat_backend = talloc_strdup( idmap_ctx, *compat_list )) == NULL ) {
303 ret = NT_STATUS_NO_MEMORY;
307 /* strip any leading idmap_ prefix of */
308 if (strncmp(*compat_list, "idmap_", 6) == 0 ) {
309 q = *compat_list += 6;
310 DEBUG(0, ("WARNING: idmap backend uses obsolete and "
311 "deprecated 'idmap_' prefix.\n"
312 "Please replace 'idmap_%s' by '%s' in %s\n",
313 q, q, dyn_CONFIGFILE));
314 compat_backend = talloc_strdup( idmap_ctx, q);
316 compat_backend = talloc_strdup( idmap_ctx, *compat_list);
319 /* separate the backend and module arguements */
320 if ((p = strchr(compat_backend, ':')) != NULL) {
322 compat_params = p + 1;
327 dom_list = idmap_default_domain;
330 /***************************
331 * initialize idmap domains
333 DEBUG(1, ("Initializing idmap domains\n"));
335 for (i = 0; dom_list[i]; i++) {
336 const char *parm_backend;
339 /* ignore BUILTIN and local MACHINE domains */
340 if ( strequal(dom_list[i], "BUILTIN")
341 || strequal(dom_list[i], get_global_sam_name() ) )
343 DEBUG(0,("idmap_init: Ignoring invalid domain %s\n",
348 if (strequal(dom_list[i], lp_workgroup())) {
349 pri_dom_is_in_list = True;
353 dom = talloc_zero(idmap_ctx, struct idmap_domain);
354 IDMAP_CHECK_ALLOC(dom);
356 dom->name = talloc_strdup(dom, dom_list[i]);
357 IDMAP_CHECK_ALLOC(dom->name);
359 config_option = talloc_asprintf(dom, "idmap config %s", dom->name);
360 IDMAP_CHECK_ALLOC(config_option);
362 /* default or specific ? */
364 dom->default_domain = lp_parm_bool(-1, config_option, "default", False);
366 if (dom->default_domain ||
367 strequal(dom_list[i], idmap_default_domain[0])) {
369 /* make sure this is set even when we match idmap_default_domain[0] */
370 dom->default_domain = True;
372 if (default_already_defined) {
373 DEBUG(1, ("ERROR: Multiple domains defined as default!\n"));
374 ret = NT_STATUS_INVALID_PARAMETER;
378 default_already_defined = True;
382 dom->readonly = lp_parm_bool(-1, config_option, "readonly", False);
384 /* find associated backend (default: tdb) */
386 parm_backend = talloc_strdup(idmap_ctx, compat_backend);
388 parm_backend = talloc_strdup(idmap_ctx,
389 lp_parm_const_string(-1, config_option, "backend", "tdb"));
391 IDMAP_CHECK_ALLOC(parm_backend);
393 /* get the backend methods for this domain */
394 dom->methods = get_methods(backends, parm_backend);
396 if ( ! dom->methods) {
397 ret = smb_probe_module("idmap", parm_backend);
398 if (NT_STATUS_IS_OK(ret)) {
399 dom->methods = get_methods(backends, parm_backend);
402 if ( ! dom->methods) {
403 DEBUG(0, ("ERROR: Could not get methods for backend %s\n", parm_backend));
404 ret = NT_STATUS_UNSUCCESSFUL;
408 /* check the set_mapping function exists otherwise mark the module as readonly */
409 if ( ! dom->methods->set_mapping) {
410 DEBUG(5, ("Forcing to readonly, as ithis module can't store arbitrary mappings.\n"));
411 dom->readonly = True;
414 /* now that we have methods, set the destructor for this domain */
415 talloc_set_destructor(dom, close_domain_destructor);
417 /* Finally instance a backend copy for this domain */
418 ret = dom->methods->init(dom, compat_params);
419 if ( ! NT_STATUS_IS_OK(ret)) {
420 DEBUG(0, ("ERROR: Initialization failed for backend %s (domain %s)\n",
421 parm_backend, dom->name));
422 ret = NT_STATUS_UNSUCCESSFUL;
425 idmap_domains = talloc_realloc(idmap_ctx, idmap_domains, struct idmap_domain *, i+1);
426 if ( ! idmap_domains) {
427 DEBUG(0, ("Out of memory!\n"));
428 ret = NT_STATUS_NO_MEMORY;
431 idmap_domains[i] = dom;
433 if (dom->default_domain) { /* save default domain position for future uses */
437 DEBUG(10, ("Domain %s - Backend %s - %sdefault - %sreadonly\n",
438 dom->name, parm_backend,
439 dom->default_domain?"":"not ", dom->readonly?"":"not "));
441 talloc_free(config_option);
444 /* save the number of domains we have */
447 /* automatically add idmap_nss backend if needed */
448 if ((lp_server_role() == ROLE_DOMAIN_MEMBER) &&
449 ( ! pri_dom_is_in_list) &&
450 lp_winbind_trusted_domains_only()) {
452 dom = talloc_zero(idmap_ctx, struct idmap_domain);
453 IDMAP_CHECK_ALLOC(dom);
455 dom->name = talloc_strdup(dom, lp_workgroup());
456 IDMAP_CHECK_ALLOC(dom->name);
458 dom->default_domain = False;
459 dom->readonly = True;
461 /* get the backend methods for passdb */
462 dom->methods = get_methods(backends, "nss");
464 /* (the nss module is always statically linked) */
465 if ( ! dom->methods) {
466 DEBUG(0, ("ERROR: Could not get methods for idmap_nss ?!\n"));
467 ret = NT_STATUS_UNSUCCESSFUL;
471 /* now that we have methods, set the destructor for this domain */
472 talloc_set_destructor(dom, close_domain_destructor);
474 /* Finally instance a backend copy for this domain */
475 ret = dom->methods->init(dom, compat_params);
476 if ( ! NT_STATUS_IS_OK(ret)) {
477 DEBUG(0, ("ERROR: Initialization failed for idmap_nss ?!\n"));
478 ret = NT_STATUS_UNSUCCESSFUL;
482 idmap_domains = talloc_realloc(idmap_ctx, idmap_domains, struct idmap_domain *, num_domains+1);
483 if ( ! idmap_domains) {
484 DEBUG(0, ("Out of memory!\n"));
485 ret = NT_STATUS_NO_MEMORY;
488 idmap_domains[num_domains] = dom;
490 DEBUG(10, ("Domain %s - Backend nss - not default - readonly\n", dom->name ));
495 /**** automatically add idmap_passdb backend ****/
496 dom = talloc_zero(idmap_ctx, struct idmap_domain);
497 IDMAP_CHECK_ALLOC(dom);
499 dom->name = talloc_strdup(dom, get_global_sam_name());
500 IDMAP_CHECK_ALLOC(dom->name);
502 dom->default_domain = False;
503 dom->readonly = True;
505 /* get the backend methods for passdb */
506 dom->methods = get_methods(backends, "passdb");
508 /* (the passdb module is always statically linked) */
509 if ( ! dom->methods) {
510 DEBUG(0, ("ERROR: Could not get methods for idmap_passdb ?!\n"));
511 ret = NT_STATUS_UNSUCCESSFUL;
515 /* now that we have methods, set the destructor for this domain */
516 talloc_set_destructor(dom, close_domain_destructor);
518 /* Finally instance a backend copy for this domain */
519 ret = dom->methods->init(dom, compat_params);
520 if ( ! NT_STATUS_IS_OK(ret)) {
521 DEBUG(0, ("ERROR: Initialization failed for idmap_passdb ?!\n"));
522 ret = NT_STATUS_UNSUCCESSFUL;
526 idmap_domains = talloc_realloc(idmap_ctx, idmap_domains, struct idmap_domain *, num_domains+1);
527 if ( ! idmap_domains) {
528 DEBUG(0, ("Out of memory!\n"));
529 ret = NT_STATUS_NO_MEMORY;
532 idmap_domains[num_domains] = dom;
534 /* needed to handle special BUILTIN and wellknown SIDs cases */
535 pdb_dom_num = num_domains;
537 DEBUG(10, ("Domain %s - Backend passdb - not default - readonly\n", dom->name));
540 /**** finished adding idmap_passdb backend ****/
542 /* sort domains so that the default is the last one */
543 /* don't sort if no default domain defined */
544 if (def_dom_num != -1 && def_dom_num != num_domains-1) { /* default is not last, move it */
545 struct idmap_domain *tmp;
547 if (pdb_dom_num > def_dom_num) {
550 } else if (pdb_dom_num == def_dom_num) { /* ?? */
551 pdb_dom_num = num_domains - 1;
554 tmp = idmap_domains[def_dom_num];
556 for (i = def_dom_num; i < num_domains-1; i++) {
557 idmap_domains[i] = idmap_domains[i+1];
559 idmap_domains[i] = tmp;
564 /* Initialize alloc module */
566 DEBUG(3, ("Initializing idmap alloc module\n"));
568 alloc_backend = NULL;
570 alloc_backend = talloc_strdup(idmap_ctx, compat_backend);
572 char *ab = lp_idmap_alloc_backend();
574 if (ab && (ab[0] != '\0')) {
575 alloc_backend = talloc_strdup(idmap_ctx, lp_idmap_alloc_backend());
579 if ( alloc_backend ) {
581 alloc_methods = get_alloc_methods(alloc_backends, alloc_backend);
582 if ( ! alloc_methods) {
583 ret = smb_probe_module("idmap", alloc_backend);
584 if (NT_STATUS_IS_OK(ret)) {
585 alloc_methods = get_alloc_methods(alloc_backends, alloc_backend);
588 if ( alloc_methods) {
589 ret = alloc_methods->init(compat_params);
590 if ( ! NT_STATUS_IS_OK(ret)) {
591 DEBUG(0, ("idmap_init: Initialization failed for alloc "
592 "backend %s\n", alloc_backend));
593 ret = NT_STATUS_UNSUCCESSFUL;
597 DEBUG(2, ("idmap_init: Unable to get methods for alloc backend %s\n",
599 /* certain compat backends are just readonly */
603 ret = NT_STATUS_UNSUCCESSFUL;
607 /* cleanpu temporary strings */
608 TALLOC_FREE( compat_backend );
610 backend_init_status = NT_STATUS_OK;
615 DEBUG(0, ("Aborting IDMAP Initialization ...\n"));
618 /* save the init status for later checks */
619 backend_init_status = ret;
624 /**************************************************************************
625 idmap allocator interface functions
626 **************************************************************************/
628 NTSTATUS idmap_allocate_uid(struct unixid *id)
632 if (! NT_STATUS_IS_OK(ret = idmap_init())) {
636 if ( !alloc_methods )
637 return NT_STATUS_NOT_SUPPORTED;
639 id->type = ID_TYPE_UID;
640 return alloc_methods->allocate_id(id);
643 NTSTATUS idmap_allocate_gid(struct unixid *id)
647 if (! NT_STATUS_IS_OK(ret = idmap_init())) {
651 if ( !alloc_methods )
652 return NT_STATUS_NOT_SUPPORTED;
654 id->type = ID_TYPE_GID;
655 return alloc_methods->allocate_id(id);
658 NTSTATUS idmap_set_uid_hwm(struct unixid *id)
662 if (! NT_STATUS_IS_OK(ret = idmap_init())) {
666 if ( !alloc_methods )
667 return NT_STATUS_NOT_SUPPORTED;
669 id->type = ID_TYPE_UID;
670 return alloc_methods->set_id_hwm(id);
673 NTSTATUS idmap_set_gid_hwm(struct unixid *id)
677 if (! NT_STATUS_IS_OK(ret = idmap_init())) {
681 if ( !alloc_methods )
682 return NT_STATUS_NOT_SUPPORTED;
684 id->type = ID_TYPE_GID;
685 return alloc_methods->set_id_hwm(id);
688 /******************************************************************************
689 Lookup an idmap_domain give a full user or group SID
690 ******************************************************************************/
692 static struct idmap_domain* find_idmap_domain_from_sid( DOM_SID *account_sid )
696 struct winbindd_domain *domain = NULL;
699 /* 1. Handle BUILTIN or Special SIDs and prevent them from
700 falling into the default domain space (if we have a
701 configured passdb backend. */
703 if ( (pdb_dom_num != -1) &&
704 (sid_check_is_in_builtin(account_sid) ||
705 sid_check_is_in_wellknown_domain(account_sid) ||
706 sid_check_is_in_unix_groups(account_sid) ||
707 sid_check_is_in_unix_users(account_sid)) )
709 return idmap_domains[pdb_dom_num];
712 /* 2. Lookup the winbindd_domain from the account_sid */
714 sid_copy( &domain_sid, account_sid );
715 sid_split_rid( &domain_sid, &rid );
716 domain = find_domain_from_sid_noinit( &domain_sid );
718 for (i = 0; domain && i < num_domains; i++) {
719 if ( strequal( idmap_domains[i]->name, domain->name ) ) {
720 return idmap_domains[i];
724 /* 3. Fall back to the default domain */
726 if ( def_dom_num != -1 ) {
727 return idmap_domains[def_dom_num];
733 /******************************************************************************
734 Lookup an index given an idmap_domain pointer
735 ******************************************************************************/
737 static uint32 find_idmap_domain_index( struct idmap_domain *id_domain)
741 for (i = 0; i < num_domains; i++) {
742 if ( idmap_domains[i] == id_domain )
750 /*********************************************************
751 Check if creating a mapping is permitted for the domain
752 *********************************************************/
754 static NTSTATUS idmap_can_map(const struct id_map *map, struct idmap_domain **ret_dom)
756 struct idmap_domain *dom;
758 /* Check we do not create mappings for our own local domain, or BUILTIN or special SIDs */
759 if ((sid_compare_domain(map->sid, get_global_sam_sid()) == 0) ||
760 sid_check_is_in_builtin(map->sid) ||
761 sid_check_is_in_wellknown_domain(map->sid)) {
762 DEBUG(10, ("We are not supposed to create mappings for our own domains (local, builtin, specials)\n"));
763 return NT_STATUS_UNSUCCESSFUL;
766 /* Special check for trusted domain only = Yes */
767 if (lp_winbind_trusted_domains_only()) {
768 struct winbindd_domain *wdom = find_our_domain();
769 if (wdom && (sid_compare_domain(map->sid, &wdom->sid) == 0)) {
770 DEBUG(10, ("We are not supposed to create mappings for our primary domain when <trusted domain only> is True\n"));
771 DEBUGADD(10, ("Leave [%s] unmapped\n", sid_string_static(map->sid)));
772 return NT_STATUS_UNSUCCESSFUL;
776 if ( (dom = find_idmap_domain_from_sid( map->sid )) == NULL ) {
777 /* huh, couldn't find a suitable domain, let's just leave it unmapped */
778 DEBUG(10, ("Could not find idmap backend for SID %s", sid_string_static(map->sid)));
779 return NT_STATUS_NO_SUCH_DOMAIN;
783 /* ouch the domain is read only, let's just leave it unmapped */
784 DEBUG(10, ("idmap backend for SID %s is READONLY!\n", sid_string_static(map->sid)));
785 return NT_STATUS_UNSUCCESSFUL;
792 static NTSTATUS idmap_new_mapping(TALLOC_CTX *ctx, struct id_map *map)
795 struct idmap_domain *dom;
796 const char *domname, *name;
797 enum lsa_SidType sid_type;
800 ret = idmap_can_map(map, &dom);
801 if ( ! NT_STATUS_IS_OK(ret)) {
802 return NT_STATUS_NONE_MAPPED;
805 /* by default calls to winbindd are disabled
806 the following call will not recurse so this is safe */
808 wbret = winbind_lookup_sid(ctx, map->sid, &domname, &name, &sid_type);
811 /* check if this is a valid SID and then map it */
815 ret = idmap_allocate_uid(&map->xid);
816 if ( ! NT_STATUS_IS_OK(ret)) {
817 /* can't allocate id, let's just leave it unmapped */
818 DEBUG(2, ("uid allocation failed! Can't create mapping\n"));
819 return NT_STATUS_NONE_MAPPED;
822 case SID_NAME_DOM_GRP:
824 case SID_NAME_WKN_GRP:
825 ret = idmap_allocate_gid(&map->xid);
826 if ( ! NT_STATUS_IS_OK(ret)) {
827 /* can't allocate id, let's just leave it unmapped */
828 DEBUG(2, ("gid allocation failed! Can't create mapping\n"));
829 return NT_STATUS_NONE_MAPPED;
833 /* invalid sid, let's just leave it unmapped */
834 DEBUG(10, ("SID %s is UNKNOWN, skip mapping\n", sid_string_static(map->sid)));
835 return NT_STATUS_NONE_MAPPED;
838 /* ok, got a new id, let's set a mapping */
839 map->status = ID_MAPPED;
841 DEBUG(10, ("Setting mapping: %s <-> %s %lu\n",
842 sid_string_static(map->sid),
843 (map->xid.type == ID_TYPE_UID) ? "UID" : "GID",
844 (unsigned long)map->xid.id));
845 ret = dom->methods->set_mapping(dom, map);
847 if ( ! NT_STATUS_IS_OK(ret)) {
848 /* something wrong here :-( */
849 DEBUG(2, ("Failed to commit mapping\n!"));
851 /* TODO: would it make sense to have an "unalloc_id function?" */
853 return NT_STATUS_NONE_MAPPED;
856 DEBUG(2,("Invalid SID, not mapping %s (type %d)\n",
857 sid_string_static(map->sid), sid_type));
858 return NT_STATUS_NONE_MAPPED;
864 static NTSTATUS idmap_backends_set_mapping(const struct id_map *map)
866 struct idmap_domain *dom;
869 DEBUG(10, ("Setting mapping %s <-> %s %lu\n",
870 sid_string_static(map->sid),
871 (map->xid.type == ID_TYPE_UID) ? "UID" : "GID",
872 (unsigned long)map->xid.id));
874 ret = idmap_can_map(map, &dom);
875 if ( ! NT_STATUS_IS_OK(ret)) {
879 DEBUG(10,("set_mapping for domain %s\n", dom->name ));
881 return dom->methods->set_mapping(dom, map);
884 static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids)
886 struct idmap_domain *dom;
887 struct id_map **unmapped;
888 struct id_map **_ids;
894 DEBUG(1, ("Invalid list of maps\n"));
895 return NT_STATUS_INVALID_PARAMETER;
898 ctx = talloc_named_const(NULL, 0, "idmap_backends_unixids_to_sids ctx");
900 DEBUG(0, ("Out of memory!\n"));
901 return NT_STATUS_NO_MEMORY;
904 DEBUG(10, ("Query backends to map ids->sids\n"));
906 /* start from the default (the last one) and then if there are still
907 * unmapped entries cycle through the others */
911 /* make sure all maps are marked as in UNKNOWN status */
912 for (i = 0; _ids[i]; i++) {
913 _ids[i]->status = ID_UNKNOWN;
917 for (n = num_domains-1; n >= 0; n--) { /* cycle backwards */
919 dom = idmap_domains[n];
921 DEBUG(10, ("Query sids from domain %s\n", dom->name));
923 ret = dom->methods->unixids_to_sids(dom, _ids);
924 IDMAP_CHECK_RET(ret);
928 for (i = 0, u = 0; _ids[i]; i++) {
929 if (_ids[i]->status == ID_UNKNOWN || _ids[i]->status == ID_UNMAPPED) {
930 unmapped = talloc_realloc(ctx, unmapped, struct id_map *, u + 2);
931 IDMAP_CHECK_ALLOC(unmapped);
932 unmapped[u] = _ids[i];
937 /* terminate the unmapped list */
939 } else { /* no more entries, get out */
948 /* there are still unmapped ids, map them to the unix users/groups domains */
949 for (i = 0; unmapped[i]; i++) {
950 switch (unmapped[i]->xid.type) {
952 uid_to_unix_users_sid((uid_t)unmapped[i]->xid.id, unmapped[i]->sid);
953 unmapped[i]->status = ID_MAPPED;
956 gid_to_unix_groups_sid((gid_t)unmapped[i]->xid.id, unmapped[i]->sid);
957 unmapped[i]->status = ID_MAPPED;
959 default: /* what?! */
960 unmapped[i]->status = ID_UNKNOWN;
973 static NTSTATUS idmap_backends_sids_to_unixids(struct id_map **ids)
975 struct id_map ***dom_ids;
976 struct idmap_domain *dom;
981 if ( (ctx = talloc_named_const(NULL, 0, "be_sids_to_ids")) == NULL ) {
982 DEBUG(1, ("failed to allocate talloc context, OOM?\n"));
983 return NT_STATUS_NO_MEMORY;
986 DEBUG(10, ("Query backends to map sids->ids\n"));
988 /* split list per domain */
990 dom_ids = talloc_zero_array(ctx, struct id_map **, num_domains);
991 IDMAP_CHECK_ALLOC(dom_ids);
992 counters = talloc_zero_array(ctx, int, num_domains);
994 /* partition the requests by domain */
996 for (i = 0; ids[i]; i++) {
999 /* make sure they are unknown to start off */
1000 ids[i]->status = ID_UNKNOWN;
1002 if ( (dom = find_idmap_domain_from_sid( ids[i]->sid )) == NULL ) {
1003 /* no vailable idmap_domain. Move on */
1007 DEBUG(10,("SID %s is being handled by %s\n",
1008 sid_string_static(ids[i]->sid),
1009 dom ? dom->name : "none" ));
1011 idx = find_idmap_domain_index( dom );
1012 SMB_ASSERT( idx != -1 );
1014 dom_ids[idx] = talloc_realloc(ctx, dom_ids[idx],
1015 struct id_map *, counters[idx] + 2);
1016 IDMAP_CHECK_ALLOC(dom_ids[idx]);
1018 dom_ids[idx][counters[idx]] = ids[i];
1020 dom_ids[idx][counters[idx]] = NULL;
1023 /* All the ids have been dispatched in the right queues.
1024 Let's cycle through the filled ones */
1026 for (i = 0; i < num_domains; i++) {
1028 dom = idmap_domains[i];
1029 DEBUG(10, ("Query ids from domain %s\n", dom->name));
1030 ret = dom->methods->sids_to_unixids(dom, dom_ids[i]);
1031 IDMAP_CHECK_RET(ret);
1035 /* ok all the backends have been contacted at this point */
1036 /* let's see if we have any unmapped SID left and act accordingly */
1038 for (i = 0; ids[i]; i++) {
1039 if (ids[i]->status == ID_UNKNOWN || ids[i]->status == ID_UNMAPPED) {
1040 /* ok this is an unmapped one, see if we can map it */
1041 ret = idmap_new_mapping(ctx, ids[i]);
1042 if (NT_STATUS_IS_OK(ret)) {
1043 /* successfully mapped */
1044 ids[i]->status = ID_MAPPED;
1045 } else if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {
1046 /* could not map it */
1047 ids[i]->status = ID_UNMAPPED;
1049 /* Something very bad happened down there */
1050 ids[i]->status = ID_UNKNOWN;
1062 /**************************************************************************
1063 idmap interface functions
1064 **************************************************************************/
1066 NTSTATUS idmap_unixids_to_sids(struct id_map **ids)
1070 struct id_map **bids;
1074 if (! NT_STATUS_IS_OK(ret = idmap_init())) {
1078 if (!ids || !*ids) {
1079 DEBUG(1, ("Invalid list of maps\n"));
1080 return NT_STATUS_INVALID_PARAMETER;
1083 ctx = talloc_named_const(NULL, 0, "idmap_unixids_to_sids ctx");
1085 DEBUG(1, ("failed to allocate talloc context, OOM?\n"));
1086 return NT_STATUS_NO_MEMORY;
1089 /* no ids to be asked to the backends by default */
1093 for (i = 0; ids[i]; i++) {
1095 if ( ! ids[i]->sid) {
1096 DEBUG(1, ("invalid null SID in id_map array"));
1098 return NT_STATUS_INVALID_PARAMETER;
1101 ret = idmap_cache_map_id(idmap_cache, ids[i]);
1103 if ( ! NT_STATUS_IS_OK(ret)) {
1106 /* alloc space for ids to be resolved by backends (realloc ten by ten) */
1107 bids = talloc_array(ctx, struct id_map *, 10);
1109 DEBUG(1, ("Out of memory!\n"));
1111 return NT_STATUS_NO_MEMORY;
1116 /* add this id to the ones to be retrieved from the backends */
1120 /* check if we need to allocate new space on the rids array */
1123 bids = talloc_realloc(ctx, bids, struct id_map *, bn);
1125 DEBUG(1, ("Out of memory!\n"));
1127 return NT_STATUS_NO_MEMORY;
1131 /* make sure the last element is NULL */
1136 /* let's see if there is any id mapping to be retieved from the backends */
1138 /* Only do query if we are online */
1139 if ( lp_winbind_offline_logon() &&
1140 get_global_winbindd_state_offline() )
1142 ret = NT_STATUS_FILE_IS_OFFLINE;
1146 ret = idmap_backends_unixids_to_sids(bids);
1147 IDMAP_CHECK_RET(ret);
1149 /* update the cache */
1150 for (i = 0; i < bi; i++) {
1151 if (bids[i]->status == ID_MAPPED) {
1152 ret = idmap_cache_set(idmap_cache, bids[i]);
1153 } else if (bids[i]->status == ID_UNKNOWN) {
1154 /* return an expired entry in the cache or an unknown */
1155 /* this handles a previous NT_STATUS_SYNCHRONIZATION_REQUIRED
1156 * for disconnected mode */
1157 idmap_cache_map_id(idmap_cache, ids[i]);
1158 } else { /* unmapped */
1159 ret = idmap_cache_set_negative_id(idmap_cache, bids[i]);
1161 IDMAP_CHECK_RET(ret);
1171 NTSTATUS idmap_sids_to_unixids(struct id_map **ids)
1175 struct id_map **bids;
1179 if (! NT_STATUS_IS_OK(ret = idmap_init())) {
1183 if (!ids || !*ids) {
1184 DEBUG(1, ("Invalid list of maps\n"));
1185 return NT_STATUS_INVALID_PARAMETER;
1188 ctx = talloc_named_const(NULL, 0, "idmap_sids_to_unixids ctx");
1190 DEBUG(1, ("failed to allocate talloc context, OOM?\n"));
1191 return NT_STATUS_NO_MEMORY;
1194 /* no ids to be asked to the backends by default */
1198 for (i = 0; ids[i]; i++) {
1200 if ( ! ids[i]->sid) {
1201 DEBUG(1, ("invalid null SID in id_map array\n"));
1203 return NT_STATUS_INVALID_PARAMETER;
1206 ret = idmap_cache_map_sid(idmap_cache, ids[i]);
1208 if ( ! NT_STATUS_IS_OK(ret)) {
1211 /* alloc space for ids to be resolved
1212 by backends (realloc ten by ten) */
1213 bids = talloc_array(ctx, struct id_map *, 10);
1215 DEBUG(1, ("Out of memory!\n"));
1217 return NT_STATUS_NO_MEMORY;
1222 /* add this id to the ones to be retrieved from the backends */
1226 /* check if we need to allocate new space on the ids array */
1229 bids = talloc_realloc(ctx, bids, struct id_map *, bn);
1231 DEBUG(1, ("Out of memory!\n"));
1233 return NT_STATUS_NO_MEMORY;
1237 /* make sure the last element is NULL */
1242 /* let's see if there is any id mapping to be retieved from the backends */
1244 /* Only do query if we are online */
1245 if ( lp_winbind_offline_logon() &&
1246 get_global_winbindd_state_offline() )
1248 ret = NT_STATUS_FILE_IS_OFFLINE;
1252 ret = idmap_backends_sids_to_unixids(bids);
1253 IDMAP_CHECK_RET(ret);
1255 /* update the cache */
1256 for (i = 0; bids[i]; i++) {
1257 if (bids[i]->status == ID_MAPPED) {
1258 ret = idmap_cache_set(idmap_cache, bids[i]);
1259 } else if (bids[i]->status == ID_UNKNOWN) {
1260 /* return an expired entry in the cache or an unknown */
1261 /* this handles a previous NT_STATUS_SYNCHRONIZATION_REQUIRED
1262 * for disconnected mode */
1263 idmap_cache_map_id(idmap_cache, ids[i]);
1265 ret = idmap_cache_set_negative_sid(idmap_cache, bids[i]);
1267 IDMAP_CHECK_RET(ret);
1277 NTSTATUS idmap_set_mapping(const struct id_map *id)
1282 if (! NT_STATUS_IS_OK(ret = idmap_init())) {
1287 if ((id->sid == NULL) || (id->status != ID_MAPPED)) {
1288 DEBUG(1, ("NULL SID or unmapped entry\n"));
1289 return NT_STATUS_INVALID_PARAMETER;
1292 /* TODO: check uid/gid range ? */
1294 ctx = talloc_named_const(NULL, 0, "idmap_set_mapping ctx");
1296 DEBUG(1, ("failed to allocate talloc context, OOM?\n"));
1297 return NT_STATUS_NO_MEMORY;
1300 /* set the new mapping */
1301 ret = idmap_backends_set_mapping(id);
1302 IDMAP_CHECK_RET(ret);
1304 /* set the mapping in the cache */
1305 ret = idmap_cache_set(idmap_cache, id);
1306 IDMAP_CHECK_RET(ret);
1313 /**************************************************************************
1314 Dump backend status.
1315 **************************************************************************/
1317 void idmap_dump_maps(char *logfile)
1320 struct unixid allid;
1321 struct id_map *maps;
1326 if (! NT_STATUS_IS_OK(ret = idmap_init())) {
1330 dump = fopen(logfile, "w");
1332 DEBUG(0, ("Unable to open open stream for file [%s], errno: %d\n", logfile, errno));
1336 if ( alloc_methods ) {
1337 allid.type = ID_TYPE_UID;
1339 alloc_methods->get_id_hwm(&allid);
1340 fprintf(dump, "USER HWM %lu\n", (unsigned long)allid.id);
1342 allid.type = ID_TYPE_GID;
1344 alloc_methods->get_id_hwm(&allid);
1345 fprintf(dump, "GROUP HWM %lu\n", (unsigned long)allid.id);
1348 maps = talloc(idmap_ctx, struct id_map);
1351 for (i = 0; i < num_domains; i++) {
1352 if (idmap_domains[i]->methods->dump_data) {
1353 idmap_domains[i]->methods->dump_data(idmap_domains[i], &maps, &num_maps);
1357 for (i = 0; i < num_maps; i++) {
1358 switch (maps[i].xid.type) {
1360 fprintf(dump, "UID %lu %s\n",
1361 (unsigned long)maps[i].xid.id,
1362 sid_string_static(maps[i].sid));
1365 fprintf(dump, "GID %lu %s\n",
1366 (unsigned long)maps[i].xid.id,
1367 sid_string_static(maps[i].sid));
1376 char *idmap_fetch_secret(const char *backend, bool alloc,
1377 const char *domain, const char *identity)
1383 r = asprintf(&tmp, "IDMAP_ALLOC_%s", backend);
1385 r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
1391 strupper_m(tmp); /* make sure the key is case insensitive */
1392 ret = secrets_fetch_generic(tmp, identity);