2 * idmap_ad: map between Active Directory and RFC 2307 or "Services for Unix" (SFU) Accounts
4 * Unix SMB/CIFS implementation.
6 * Winbind ADS backend functions
8 * Copyright (C) Andrew Tridgell 2001
9 * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
10 * Copyright (C) Gerald (Jerry) Carter 2004-2007
11 * Copyright (C) Luke Howard 2001-2004
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; either version 2 of the License, or
16 * (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
31 #define DBGC_CLASS DBGC_IDMAP
33 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
35 #define IDMAP_AD_MAX_IDS 30
36 #define CHECK_ALLOC_DONE(mem) do { \
38 DEBUG(0, ("Out of memory!\n")); \
39 ret = NT_STATUS_NO_MEMORY; \
44 struct idmap_ad_context {
45 uint32_t filter_low_id;
46 uint32_t filter_high_id;
49 NTSTATUS init_module(void);
51 static ADS_STRUCT *ad_idmap_ads = NULL;
52 static struct posix_schema *ad_schema = NULL;
53 static enum wb_posix_mapping ad_map_type = WB_POSIX_MAP_UNKNOWN;
55 /************************************************************************
56 ***********************************************************************/
58 static ADS_STRUCT *ad_idmap_cached_connection_internal(void)
66 if (ad_idmap_ads != NULL) {
69 /* check for a valid structure */
71 DEBUG(7, ("Current tickets expire at %d, time is now %d\n",
72 (uint32) ads->auth.expire, (uint32) time(NULL)));
73 if ( ads->config.realm && (ads->auth.expire > time(NULL))) {
76 /* we own this ADS_STRUCT so make sure it goes away */
79 ads_kdestroy(WINBIND_CCACHE_NAME);
81 TALLOC_FREE( ad_schema );
86 /* we don't want this to affect the users ccache */
87 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
90 if ( (ads = ads_init(lp_realm(), lp_workgroup(), NULL)) == NULL ) {
91 DEBUG(1,("ads_init failed\n"));
95 /* the machine acct password might have change - fetch it every time */
96 SAFE_FREE(ads->auth.password);
97 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
99 SAFE_FREE(ads->auth.realm);
100 ads->auth.realm = SMB_STRDUP(lp_realm());
102 /* setup server affinity */
104 get_dc_name( NULL, ads->auth.realm, dc_name, &dc_ip );
106 status = ads_connect(ads);
107 if (!ADS_ERR_OK(status)) {
108 DEBUG(1, ("ad_idmap_init: failed to connect to AD\n"));
113 ads->is_mine = False;
120 /************************************************************************
121 ***********************************************************************/
123 static ADS_STRUCT *ad_idmap_cached_connection(void)
125 ADS_STRUCT *ads = ad_idmap_cached_connection_internal();
130 /* if we have a valid ADS_STRUCT and the schema model is
131 defined, then we can return here. */
136 /* Otherwise, set the schema model */
138 if ( (ad_map_type == WB_POSIX_MAP_SFU) ||
139 (ad_map_type == WB_POSIX_MAP_RFC2307) )
141 ADS_STATUS schema_status;
143 schema_status = ads_check_posix_schema_mapping( NULL, ads, ad_map_type, &ad_schema);
144 if ( !ADS_ERR_OK(schema_status) ) {
145 DEBUG(2,("ad_idmap_cached_connection: Failed to obtain schema details!\n"));
153 /************************************************************************
154 ***********************************************************************/
156 static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom, const char *params)
158 struct idmap_ad_context *ctx;
163 /* verify AD is reachable (not critical, we may just be offline at start) */
164 if ( (ads = ad_idmap_cached_connection()) == NULL ) {
165 DEBUG(1, ("WARNING: Could not init an AD connection! Mapping might not work.\n"));
168 if ( (ctx = talloc_zero(dom, struct idmap_ad_context)) == NULL ) {
169 DEBUG(0, ("Out of memory!\n"));
170 return NT_STATUS_NO_MEMORY;
173 if ( (config_option = talloc_asprintf(ctx, "idmap config %s", dom->name)) == NULL ) {
174 DEBUG(0, ("Out of memory!\n"));
176 return NT_STATUS_NO_MEMORY;
180 range = lp_parm_const_string(-1, config_option, "range", NULL);
181 if (range && range[0]) {
182 if ((sscanf(range, "%u - %u", &ctx->filter_low_id, &ctx->filter_high_id) != 2) ||
183 (ctx->filter_low_id > ctx->filter_high_id)) {
184 DEBUG(1, ("ERROR: invalid filter range [%s]", range));
185 ctx->filter_low_id = 0;
186 ctx->filter_high_id = 0;
190 /* idmap AD can work well only if it is the default module (trusts)
191 * with additional BUILTIN and alloc using TDB */
192 if ( ! dom->default_domain) {
193 DEBUG(1, ("WARNING: idmap_ad is not configured as the default domain.\n"
194 "For best results we suggest you to configure this module as\n"
195 "default and configure BULTIN to use idmap_tdb\n"
196 "ex: idmap domains = BUILTIN %s\n"
197 " idmap alloc config: range = 5000 - 9999\n"
198 " idmap config %s: default = yes\n"
199 " idmap config %s: backend = ad\n"
200 " idmap config %s: range = 10000 - 10000000 #this is optional\n"
201 "NOTE: make sure the ranges do not overlap\n",
202 dom->name, dom->name, dom->name, dom->name));
205 if ( !dom->readonly ) {
206 DEBUG(1, ("WARNING: forcing to readonly, as idmap_ad can't write on AD.\n"));
207 dom->readonly = true;
210 dom->private_data = ctx;
212 talloc_free(config_option);
217 /************************************************************************
218 Search up to IDMAP_AD_MAX_IDS entries in maps for a match.
219 ***********************************************************************/
221 static struct id_map *find_map_by_id(struct id_map **maps, enum id_type type, uint32_t id)
225 for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) {
226 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
234 /************************************************************************
235 Search up to IDMAP_AD_MAX_IDS entries in maps for a match
236 ***********************************************************************/
238 static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
242 for (i = 0; maps[i] && i<IDMAP_AD_MAX_IDS; i++) {
243 if (sid_equal(maps[i]->sid, sid)) {
251 /************************************************************************
252 ***********************************************************************/
254 static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
258 struct idmap_ad_context *ctx;
261 const char *attrs[] = { "sAMAccountType",
263 NULL, /* uidnumber */
264 NULL, /* gidnumber */
266 LDAPMessage *res = NULL;
272 char *u_filter = NULL;
273 char *g_filter = NULL;
275 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
277 if ( (memctx = talloc_new(ctx)) == NULL ) {
278 DEBUG(0, ("Out of memory!\n"));
279 return NT_STATUS_NO_MEMORY;
282 if ( (ads = ad_idmap_cached_connection()) == NULL ) {
283 DEBUG(1, ("ADS uninitialized\n"));
284 ret = NT_STATUS_UNSUCCESSFUL;
288 attrs[2] = ad_schema->posix_uidnumber_attr;
289 attrs[3] = ad_schema->posix_gidnumber_attr;
293 for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
294 switch (ids[idx]->xid.type) {
297 u_filter = talloc_asprintf(memctx, "(&(|"
298 "(sAMAccountType=%d)"
299 "(sAMAccountType=%d)"
300 "(sAMAccountType=%d))(|",
301 ATYPE_NORMAL_ACCOUNT,
302 ATYPE_WORKSTATION_TRUST,
303 ATYPE_INTERDOMAIN_TRUST);
305 u_filter = talloc_asprintf_append(u_filter, "(%s=%lu)",
306 ad_schema->posix_uidnumber_attr,
307 (unsigned long)ids[idx]->xid.id);
308 CHECK_ALLOC_DONE(u_filter);
313 g_filter = talloc_asprintf(memctx, "(&(|"
314 "(sAMAccountType=%d)"
315 "(sAMAccountType=%d))(|",
316 ATYPE_SECURITY_GLOBAL_GROUP,
317 ATYPE_SECURITY_LOCAL_GROUP);
319 g_filter = talloc_asprintf_append(g_filter, "(%s=%lu)",
320 ad_schema->posix_gidnumber_attr,
321 (unsigned long)ids[idx]->xid.id);
322 CHECK_ALLOC_DONE(g_filter);
326 DEBUG(3, ("Unknown ID type\n"));
327 ids[idx]->status = ID_UNKNOWN;
331 filter = talloc_asprintf(memctx, "(|");
332 CHECK_ALLOC_DONE(filter);
334 filter = talloc_asprintf_append(filter, "%s))", u_filter);
335 CHECK_ALLOC_DONE(filter);
336 TALLOC_FREE(u_filter);
339 filter = talloc_asprintf_append(filter, "%s))", g_filter);
340 CHECK_ALLOC_DONE(filter);
341 TALLOC_FREE(g_filter);
343 filter = talloc_asprintf_append(filter, ")");
344 CHECK_ALLOC_DONE(filter);
345 DEBUG(10, ("Filter: [%s]\n", filter));
346 rc = ads_search_retry(ads, &res, filter, attrs);
347 if (!ADS_ERR_OK(rc)) {
348 DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc)));
349 ret = NT_STATUS_UNSUCCESSFUL;
353 if ( (count = ads_count_replies(ads, res)) == 0 ) {
354 DEBUG(10, ("No IDs found\n"));
357 for (i = 0; i < count; i++) {
358 LDAPMessage *entry = NULL;
365 if (i == 0) { /* first entry */
366 entry = ads_first_entry(ads, res);
367 } else { /* following ones */
368 entry = ads_next_entry(ads, entry);
371 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
375 /* first check if the SID is present */
376 if (!ads_pull_sid(ads, entry, "objectSid", &sid)) {
377 DEBUG(2, ("Could not retrieve SID from entry\n"));
382 if (!ads_pull_uint32(ads, entry, "sAMAccountType", &atype)) {
383 DEBUG(1, ("could not get SAM account type\n"));
387 switch (atype & 0xF0000000) {
388 case ATYPE_SECURITY_GLOBAL_GROUP:
389 case ATYPE_SECURITY_LOCAL_GROUP:
392 case ATYPE_NORMAL_ACCOUNT:
393 case ATYPE_WORKSTATION_TRUST:
394 case ATYPE_INTERDOMAIN_TRUST:
398 DEBUG(1, ("unrecognized SAM account type %08x\n", atype));
402 if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ?
403 ad_schema->posix_uidnumber_attr :
404 ad_schema->posix_gidnumber_attr,
407 DEBUG(1, ("Could not get unix ID\n"));
412 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
413 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
414 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
415 id, ctx->filter_low_id, ctx->filter_high_id));
419 map = find_map_by_id(&ids[bidx], type, id);
421 DEBUG(2, ("WARNING: couldn't match result with requested ID\n"));
425 sid_copy(map->sid, &sid);
428 map->status = ID_MAPPED;
430 DEBUG(10, ("Mapped %s -> %lu (%d)\n",
431 sid_string_static(map->sid),
432 (unsigned long)map->xid.id,
437 ads_msgfree(ads, res);
440 if (ids[idx]) { /* still some values to map */
446 /* mark all unknown ones as unmapped */
447 for (i = 0; ids[i]; i++) {
448 if (ids[i]->status == ID_UNKNOWN)
449 ids[i]->status = ID_UNMAPPED;
457 /************************************************************************
458 ***********************************************************************/
460 static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
464 struct idmap_ad_context *ctx;
467 const char *attrs[] = { "sAMAccountType",
469 NULL, /* attr_uidnumber */
470 NULL, /* attr_gidnumber */
472 LDAPMessage *res = NULL;
480 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
482 if ( (memctx = talloc_new(ctx)) == NULL ) {
483 DEBUG(0, ("Out of memory!\n"));
484 return NT_STATUS_NO_MEMORY;
487 if ( (ads = ad_idmap_cached_connection()) == NULL ) {
488 DEBUG(1, ("ADS uninitialized\n"));
489 ret = NT_STATUS_UNSUCCESSFUL;
493 attrs[2] = ad_schema->posix_uidnumber_attr;
494 attrs[3] = ad_schema->posix_gidnumber_attr;
497 filter = talloc_asprintf(memctx, "(&(|"
498 "(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d)" /* user account types */
499 "(sAMAccountType=%d)(sAMAccountType=%d)" /* group account types */
501 ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
502 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
504 CHECK_ALLOC_DONE(filter);
507 for (i = 0; (i < IDMAP_AD_MAX_IDS) && ids[idx]; i++, idx++) {
509 sidstr = sid_binstring(ids[idx]->sid);
510 filter = talloc_asprintf_append(filter, "(objectSid=%s)", sidstr);
513 CHECK_ALLOC_DONE(filter);
515 filter = talloc_asprintf_append(filter, "))");
516 CHECK_ALLOC_DONE(filter);
517 DEBUG(10, ("Filter: [%s]\n", filter));
519 rc = ads_search_retry(ads, &res, filter, attrs);
520 if (!ADS_ERR_OK(rc)) {
521 DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc)));
522 ret = NT_STATUS_UNSUCCESSFUL;
526 if ( (count = ads_count_replies(ads, res)) == 0 ) {
527 DEBUG(10, ("No IDs found\n"));
530 for (i = 0; i < count; i++) {
531 LDAPMessage *entry = NULL;
538 if (i == 0) { /* first entry */
539 entry = ads_first_entry(ads, res);
540 } else { /* following ones */
541 entry = ads_next_entry(ads, entry);
544 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
548 /* first check if the SID is present */
549 if (!ads_pull_sid(ads, entry, "objectSid", &sid)) {
550 DEBUG(2, ("Could not retrieve SID from entry\n"));
554 map = find_map_by_sid(&ids[bidx], &sid);
556 DEBUG(2, ("WARNING: couldn't match result with requested SID\n"));
561 if (!ads_pull_uint32(ads, entry, "sAMAccountType", &atype)) {
562 DEBUG(1, ("could not get SAM account type\n"));
566 switch (atype & 0xF0000000) {
567 case ATYPE_SECURITY_GLOBAL_GROUP:
568 case ATYPE_SECURITY_LOCAL_GROUP:
571 case ATYPE_NORMAL_ACCOUNT:
572 case ATYPE_WORKSTATION_TRUST:
573 case ATYPE_INTERDOMAIN_TRUST:
577 DEBUG(1, ("unrecognized SAM account type %08x\n", atype));
581 if (!ads_pull_uint32(ads, entry, (type==ID_TYPE_UID) ?
582 ad_schema->posix_uidnumber_attr :
583 ad_schema->posix_gidnumber_attr,
586 DEBUG(1, ("Could not get unix ID\n"));
590 (ctx->filter_low_id && (id < ctx->filter_low_id)) ||
591 (ctx->filter_high_id && (id > ctx->filter_high_id))) {
592 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
593 id, ctx->filter_low_id, ctx->filter_high_id));
598 map->xid.type = type;
600 map->status = ID_MAPPED;
602 DEBUG(10, ("Mapped %s -> %lu (%d)\n",
603 sid_string_static(map->sid),
604 (unsigned long)map->xid.id,
609 ads_msgfree(ads, res);
612 if (ids[idx]) { /* still some values to map */
618 /* mark all unknwon ones as unmapped */
619 for (i = 0; ids[i]; i++) {
620 if (ids[i]->status == ID_UNKNOWN)
621 ids[i]->status = ID_UNMAPPED;
629 /************************************************************************
630 ***********************************************************************/
632 static NTSTATUS idmap_ad_close(struct idmap_domain *dom)
634 ADS_STRUCT *ads = ad_idmap_ads;
637 /* we own this ADS_STRUCT so make sure it goes away */
643 TALLOC_FREE( ad_schema );
649 * nss_info_{sfu,rfc2307}
652 /************************************************************************
653 Initialize the {sfu,rfc2307} state
654 ***********************************************************************/
656 static NTSTATUS nss_sfu_init( struct nss_domain_entry *e )
658 /* Sanity check if we have previously been called with a
659 different schema model */
661 if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
662 (ad_map_type != WB_POSIX_MAP_SFU) )
664 DEBUG(0,("nss_sfu_init: Posix Map type has already been set. "
665 "Mixed schema models not supported!\n"));
666 return NT_STATUS_NOT_SUPPORTED;
669 ad_map_type = WB_POSIX_MAP_SFU;
672 return idmap_ad_initialize( NULL, NULL );
677 static NTSTATUS nss_rfc2307_init( struct nss_domain_entry *e )
679 /* Sanity check if we have previously been called with a
680 different schema model */
682 if ( (ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
683 (ad_map_type != WB_POSIX_MAP_RFC2307) )
685 DEBUG(0,("nss_rfc2307_init: Posix Map type has already been set. "
686 "Mixed schema models not supported!\n"));
687 return NT_STATUS_NOT_SUPPORTED;
690 ad_map_type = WB_POSIX_MAP_RFC2307;
693 return idmap_ad_initialize( NULL, NULL );
699 /************************************************************************
700 ***********************************************************************/
701 static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
711 char *home, *sh, *gec;
714 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
716 if ( !homedir || !shell || !gecos )
717 return NT_STATUS_INVALID_PARAMETER;
719 home = ads_pull_string( ads, ctx, msg, ad_schema->posix_homedir_attr );
720 sh = ads_pull_string( ads, ctx, msg, ad_schema->posix_shell_attr );
721 gec = ads_pull_string( ads, ctx, msg, ad_schema->posix_gecos_attr );
724 if ( !ads_pull_uint32(ads, msg, ad_schema->posix_gidnumber_attr, gid ) )
729 *homedir = talloc_strdup( ctx, home );
731 *shell = talloc_strdup( ctx, sh );
733 *gecos = talloc_strdup( ctx, gec );
742 /************************************************************************
743 ***********************************************************************/
745 static NTSTATUS nss_ad_close( void )
747 /* nothing to do. All memory is free()'d by the idmap close_fn() */
752 /************************************************************************
753 Function dispatch tables for the idmap and nss plugins
754 ***********************************************************************/
756 static struct idmap_methods ad_methods = {
757 .init = idmap_ad_initialize,
758 .unixids_to_sids = idmap_ad_unixids_to_sids,
759 .sids_to_unixids = idmap_ad_sids_to_unixids,
760 .close_fn = idmap_ad_close
763 /* The SFU and RFC2307 NSS plugins share everything but the init
764 function which sets the intended schema model to use */
766 static struct nss_info_methods nss_rfc2307_methods = {
767 .init = nss_rfc2307_init,
768 .get_nss_info = nss_ad_get_info,
769 .close_fn = nss_ad_close
772 static struct nss_info_methods nss_sfu_methods = {
773 .init = nss_sfu_init,
774 .get_nss_info = nss_ad_get_info,
775 .close_fn = nss_ad_close
779 /************************************************************************
780 Initialize the plugins
781 ***********************************************************************/
783 NTSTATUS idmap_ad_init(void)
785 static NTSTATUS status_idmap_ad = NT_STATUS_UNSUCCESSFUL;
786 static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL;
787 static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL;
789 /* Always register the AD method first in order to get the
790 idmap_domain interface called */
792 if ( !NT_STATUS_IS_OK(status_idmap_ad) ) {
793 status_idmap_ad = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
795 if ( !NT_STATUS_IS_OK(status_idmap_ad) )
796 return status_idmap_ad;
799 if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) {
800 status_nss_rfc2307 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
801 "rfc2307", &nss_rfc2307_methods );
802 if ( !NT_STATUS_IS_OK(status_nss_rfc2307) )
803 return status_nss_rfc2307;
806 if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) {
807 status_nss_sfu = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
808 "sfu", &nss_sfu_methods );
809 if ( !NT_STATUS_IS_OK(status_nss_sfu) )
810 return status_nss_sfu;