2 * idmap_autorid: static map between Active Directory/NT RIDs
3 * and RFC 2307 accounts
5 * based on the idmap_rid module, but this module defines the ranges
6 * for the domains by automatically allocating a range for each domain
8 * Copyright (C) Christian Ambach, 2010-2011
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 3 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, see <http://www.gnu.org/licenses/>.
26 #include "system/filesys.h"
28 #include "dbwrap/dbwrap.h"
29 #include "dbwrap/dbwrap_open.h"
31 #include "../libcli/security/dom_sid.h"
35 #define DBGC_CLASS DBGC_IDMAP
37 #define HWM "NEXT RANGE"
38 #define ALLOC_HWM_UID "NEXT ALLOC UID"
39 #define ALLOC_HWM_GID "NEXT ALLOC GID"
40 #define ALLOC_RANGE "ALLOC"
41 #define CONFIGKEY "CONFIG"
43 struct autorid_global_config {
49 struct autorid_domain_config {
52 struct autorid_global_config *globalcfg;
55 /* handle to the tdb storing domain <-> range assignments */
56 static struct db_context *autorid_db;
58 static NTSTATUS idmap_autorid_get_domainrange_action(struct db_context *db,
62 uint32_t domainnum, hwm;
64 struct autorid_domain_config *cfg;
66 cfg = (struct autorid_domain_config *)private_data;
68 ret = dbwrap_fetch_uint32(db, cfg->sid, &(cfg->domainnum));
70 if (NT_STATUS_IS_OK(ret)) {
71 /* entry is already present*/
75 DEBUG(10, ("Acquiring new range for domain %s\n", cfg->sid));
77 /* fetch the current HWM */
78 ret = dbwrap_fetch_uint32(db, HWM, &hwm);
79 if (!NT_STATUS_IS_OK(ret)) {
80 DEBUG(1, ("Fatal error while fetching current "
81 "HWM value: %s\n", nt_errstr(ret)));
82 ret = NT_STATUS_INTERNAL_ERROR;
86 /* do we have a range left? */
87 if (hwm >= cfg->globalcfg->maxranges) {
88 DEBUG(1, ("No more domain ranges available!\n"));
89 ret = NT_STATUS_NO_MEMORY;
93 /* increase the HWM */
94 ret = dbwrap_change_uint32_atomic(db, HWM, &domainnum, 1);
95 if (!NT_STATUS_IS_OK(ret)) {
96 DEBUG(1, ("Fatal error while fetching a new "
97 "domain range value!\n"));
101 /* store away the new mapping in both directions */
102 ret = dbwrap_store_uint32(db, cfg->sid, domainnum);
103 if (!NT_STATUS_IS_OK(ret)) {
104 DEBUG(1, ("Fatal error while storing new "
105 "domain->range assignment!\n"));
109 numstr = talloc_asprintf(db, "%u", domainnum);
111 ret = NT_STATUS_NO_MEMORY;
115 ret = dbwrap_store_bystring(db, numstr,
116 string_term_tdb_data(cfg->sid), TDB_INSERT);
119 if (!NT_STATUS_IS_OK(ret)) {
120 DEBUG(1, ("Fatal error while storing "
121 "new domain->range assignment!\n"));
124 DEBUG(5, ("Acquired new range #%d for domain %s\n",
125 domainnum, cfg->sid));
127 cfg->domainnum = domainnum;
136 static NTSTATUS idmap_autorid_get_domainrange(struct autorid_domain_config *dom)
141 * try to find mapping without locking the database,
142 * if it is not found create a mapping in a transaction
144 ret = dbwrap_fetch_uint32(autorid_db, dom->sid, &(dom->domainnum));
146 if (!NT_STATUS_IS_OK(ret)) {;
147 ret = dbwrap_trans_do(autorid_db,
148 idmap_autorid_get_domainrange_action, dom);
151 DEBUG(10, ("Using range #%d for domain %s\n", dom->domainnum,
157 static NTSTATUS idmap_autorid_id_to_sid(struct autorid_global_config *cfg,
166 /* can this be one of our ids? */
167 if (map->xid.id < cfg->minvalue) {
168 DEBUG(10, ("id %d is lower than minimum value, "
169 "ignoring mapping request\n", map->xid.id));
170 map->status = ID_UNKNOWN;
174 if (map->xid.id > (cfg->minvalue + cfg->rangesize * cfg->maxranges)) {
175 DEBUG(10, ("id %d is outside of maximum id value, "
176 "ignoring mapping request\n", map->xid.id));
177 map->status = ID_UNKNOWN;
181 /* determine the range of this uid */
182 range = ((map->xid.id - cfg->minvalue) / cfg->rangesize);
184 keystr = talloc_asprintf(talloc_tos(), "%u", range);
186 return NT_STATUS_NO_MEMORY;
189 status = dbwrap_fetch_bystring(autorid_db, talloc_tos(), keystr, &data);
192 if (!NT_STATUS_IS_OK(status)) {
193 DEBUG(4, ("id %d belongs to range %d which does not have "
194 "domain mapping, ignoring mapping request\n",
195 map->xid.id, range));
196 TALLOC_FREE(data.dptr);
197 map->status = ID_UNKNOWN;
201 if (strncmp((const char *)data.dptr,
203 strlen(ALLOC_RANGE)) == 0) {
204 /* this is from the alloc range, there is no mapping back */
205 DEBUG(5, ("id %d belongs to alloc range, cannot map back\n",
207 TALLOC_FREE(data.dptr);
208 map->status = ID_UNKNOWN;
212 string_to_sid(&sid, (const char *)data.dptr);
213 TALLOC_FREE(data.dptr);
215 sid_compose(map->sid, &sid,
216 (map->xid.id - cfg->minvalue -
217 range * cfg->rangesize));
219 /* We **really** should have some way of validating
220 the SID exists and is the correct type here. But
221 that is a deficiency in the idmap_rid design. */
223 map->status = ID_MAPPED;
227 /**********************************
228 Single sid to id lookup function.
229 **********************************/
231 static NTSTATUS idmap_autorid_sid_to_id(struct autorid_global_config *global,
232 struct autorid_domain_config *domain,
237 sid_peek_rid(map->sid, &rid);
239 /* if the rid is higher than the size of the range, we cannot map it */
240 if (rid >= global->rangesize) {
241 map->status = ID_UNKNOWN;
242 DEBUG(2, ("RID %d is larger then size of range (%d), "
243 "user cannot be mapped\n", rid, global->rangesize));
244 return NT_STATUS_UNSUCCESSFUL;
246 map->xid.id = global->minvalue +
247 (global->rangesize * domain->domainnum)+rid;
249 /* We **really** should have some way of validating
250 the SID exists and is the correct type here. But
251 that is a deficiency in the idmap_rid design. */
253 map->status = ID_MAPPED;
258 /**********************************
259 lookup a set of unix ids.
260 **********************************/
262 static NTSTATUS idmap_autorid_unixids_to_sids(struct idmap_domain *dom,
265 struct autorid_global_config *globalcfg;
269 /* initialize the status to avoid surprise */
270 for (i = 0; ids[i]; i++) {
271 ids[i]->status = ID_UNKNOWN;
274 globalcfg = talloc_get_type(dom->private_data,
275 struct autorid_global_config);
277 for (i = 0; ids[i]; i++) {
279 ret = idmap_autorid_id_to_sid(globalcfg, ids[i]);
281 if ((!NT_STATUS_IS_OK(ret)) &&
282 (!NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
283 /* some fatal error occurred, log it */
284 DEBUG(3, ("Unexpected error resolving an ID "
285 " (%d)\n", ids[i]->xid.id));
295 /**********************************
296 lookup a set of sids.
297 **********************************/
299 static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom,
302 struct autorid_global_config *global;
306 /* initialize the status to avoid surprise */
307 for (i = 0; ids[i]; i++) {
308 ids[i]->status = ID_UNKNOWN;
311 global = talloc_get_type(dom->private_data,
312 struct autorid_global_config);
314 for (i = 0; ids[i]; i++) {
315 struct winbindd_tdc_domain *domain;
316 struct autorid_domain_config domaincfg;
318 struct dom_sid domainsid;
320 ZERO_STRUCT(domaincfg);
322 sid_copy(&domainsid, ids[i]->sid);
323 if (!sid_split_rid(&domainsid, &rid)) {
324 DEBUG(4, ("Could not determine domain SID from %s, "
325 "ignoring mapping request\n",
326 sid_string_dbg(ids[i]->sid)));
331 * Check if the domain is around
333 domain = wcache_tdc_fetch_domainbysid(talloc_tos(),
335 if (domain == NULL) {
336 DEBUG(10, ("Ignoring unknown domain sid %s\n",
337 sid_string_dbg(&domainsid)));
342 domaincfg.globalcfg = global;
343 sid_to_fstring(domaincfg.sid, &domainsid);
345 ret = idmap_autorid_get_domainrange(&domaincfg);
347 if (!NT_STATUS_IS_OK(ret)) {
348 DEBUG(3, ("Could not determine range for domain, "
349 "check previous messages for reason\n"));
353 ret = idmap_autorid_sid_to_id(global, &domaincfg, ids[i]);
355 if ((!NT_STATUS_IS_OK(ret)) &&
356 (!NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
357 /* some fatal error occurred, log it */
358 DEBUG(3, ("Unexpected error resolving a SID (%s)\n",
359 sid_string_dbg(ids[i]->sid)));
370 /* initialize the given HWM to 0 if it does not exist yet */
371 static NTSTATUS idmap_autorid_init_hwm(const char *hwm) {
376 status = dbwrap_fetch_uint32(autorid_db, hwm, &hwmval);
377 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
378 status = dbwrap_trans_store_int32(autorid_db, hwm, 0);
379 if (!NT_STATUS_IS_OK(status)) {
381 ("Unable to initialise HWM (%s) in autorid "
382 "database: %s\n", hwm, nt_errstr(status)));
383 return NT_STATUS_INTERNAL_DB_ERROR;
385 } else if (!NT_STATUS_IS_OK(status)) {
386 DEBUG(0, ("unable to fetch HWM (%s) from autorid "
387 "database: %s\n", hwm, nt_errstr(status)));
395 * open and initialize the database which stores the ranges for the domains
397 static NTSTATUS idmap_autorid_db_init(void)
402 /* its already open */
406 /* Open idmap repository */
407 autorid_db = db_open(NULL, state_path("autorid.tdb"), 0,
408 TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
409 DBWRAP_LOCK_ORDER_1);
412 DEBUG(0, ("Unable to open idmap_autorid database '%s'\n",
413 state_path("autorid.tdb")));
414 return NT_STATUS_UNSUCCESSFUL;
417 /* Initialize high water mark for the currently used range to 0 */
419 status = idmap_autorid_init_hwm(HWM);
420 NT_STATUS_NOT_OK_RETURN(status);
422 status = idmap_autorid_init_hwm(ALLOC_HWM_UID);
423 NT_STATUS_NOT_OK_RETURN(status);
425 status = idmap_autorid_init_hwm(ALLOC_HWM_GID);
430 static struct autorid_global_config *idmap_autorid_loadconfig(TALLOC_CTX * ctx)
434 struct autorid_global_config *cfg;
435 unsigned long minvalue, rangesize, maxranges;
438 status = dbwrap_fetch_bystring(autorid_db, ctx, CONFIGKEY, &data);
440 if (!NT_STATUS_IS_OK(status)) {
441 DEBUG(10, ("No saved config found\n"));
445 cfg = talloc_zero(ctx, struct autorid_global_config);
450 if (sscanf((char *)data.dptr,
451 "minvalue:%lu rangesize:%lu maxranges:%lu",
452 &minvalue, &rangesize, &maxranges) != 3) {
454 ("Found invalid configuration data"
455 "creating new config\n"));
459 cfg->minvalue = minvalue;
460 cfg->rangesize = rangesize;
461 cfg->maxranges = maxranges;
463 DEBUG(10, ("Loaded previously stored configuration "
464 "minvalue:%d rangesize:%d\n",
465 cfg->minvalue, cfg->rangesize));
471 static NTSTATUS idmap_autorid_saveconfig(struct autorid_global_config *cfg)
479 talloc_asprintf(talloc_tos(),
480 "minvalue:%u rangesize:%u maxranges:%u",
481 cfg->minvalue, cfg->rangesize, cfg->maxranges);
484 return NT_STATUS_NO_MEMORY;
487 data = string_tdb_data(cfgstr);
489 status = dbwrap_trans_store_bystring(autorid_db, CONFIGKEY,
497 static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
499 struct autorid_global_config *config;
500 struct autorid_global_config *storedconfig = NULL;
504 if (!strequal(dom->name, "*")) {
505 DEBUG(0, ("idmap_autorid_initialize: Error: autorid configured "
506 "for domain '%s'. But autorid can only be used for "
507 "the default idmap configuration.\n", dom->name));
508 return NT_STATUS_INVALID_PARAMETER;
511 config = talloc_zero(dom, struct autorid_global_config);
513 DEBUG(0, ("Out of memory!\n"));
514 return NT_STATUS_NO_MEMORY;
517 status = idmap_autorid_db_init();
518 if (!NT_STATUS_IS_OK(status)) {
522 config->minvalue = dom->low_id;
523 config->rangesize = lp_parm_int(-1, "idmap config *", "rangesize", 100000);
525 if (config->rangesize < 2000) {
526 DEBUG(1, ("autorid rangesize must be at least 2000\n"));
527 status = NT_STATUS_INVALID_PARAMETER;
531 config->maxranges = (dom->high_id - dom->low_id + 1) /
534 if (config->maxranges == 0) {
535 DEBUG(1, ("allowed uid range is smaller then rangesize, "
536 "increase uid range or decrease rangesize\n"));
537 status = NT_STATUS_INVALID_PARAMETER;
541 /* check if the high-low limit is a multiple of the rangesize */
542 if ((dom->high_id - dom->low_id + 1) % config->rangesize != 0) {
543 DEBUG(5, ("High uid-low uid difference of %d "
544 "is not a multiple of the rangesize %d, "
545 "limiting ranges to lower boundary number of %d\n",
546 (dom->high_id - dom->low_id + 1), config->rangesize,
550 DEBUG(10, ("Current configuration in config is "
551 "minvalue:%d rangesize:%d maxranges:%d\n",
552 config->minvalue, config->rangesize, config->maxranges));
554 /* read previously stored config and current HWM */
555 storedconfig = idmap_autorid_loadconfig(talloc_tos());
557 status = dbwrap_fetch_uint32(autorid_db, HWM, &hwm);
558 if (!NT_STATUS_IS_OK(status)) {
559 DEBUG(1, ("Fatal error while fetching current "
560 "HWM value: %s\n", nt_errstr(status)));
561 status = NT_STATUS_INTERNAL_ERROR;
565 /* did the minimum value or rangesize change? */
567 ((storedconfig->minvalue != config->minvalue) ||
568 (storedconfig->rangesize != config->rangesize))) {
569 DEBUG(1, ("New configuration values for rangesize or "
570 "minimum uid value conflict with previously "
571 "used values! Aborting initialization\n"));
572 status = NT_STATUS_INVALID_PARAMETER;
577 * has the highest uid value been reduced to setting that is not
578 * sufficient any more for already existing ranges?
580 if (hwm > config->maxranges) {
581 DEBUG(1, ("New upper uid limit is too low to cover "
582 "existing mappings! Aborting initialization\n"));
583 status = NT_STATUS_INVALID_PARAMETER;
587 status = idmap_autorid_saveconfig(config);
589 if (!NT_STATUS_IS_OK(status)) {
590 DEBUG(1, ("Failed to store configuration data!\n"));
594 DEBUG(5, ("%d domain ranges with a size of %d are available\n",
595 config->maxranges, config->rangesize));
597 dom->private_data = config;
605 talloc_free(storedconfig);
610 static NTSTATUS idmap_autorid_allocate_id(struct idmap_domain *dom,
611 struct unixid *xid) {
614 struct autorid_global_config *globalcfg;
615 struct autorid_domain_config domaincfg;
619 if (!strequal(dom->name, "*")) {
620 DEBUG(3, ("idmap_autorid_allocate_id: "
621 "Refusing creation of mapping for domain'%s'. "
622 "Currently only supported for the default "
625 return NT_STATUS_NOT_IMPLEMENTED;
628 if ((xid->type != ID_TYPE_UID) && (xid->type != ID_TYPE_GID)) {
629 return NT_STATUS_INVALID_PARAMETER;
633 globalcfg = talloc_get_type(dom->private_data,
634 struct autorid_global_config);
636 /* fetch the range for the allocation pool */
638 ZERO_STRUCT(domaincfg);
640 domaincfg.globalcfg = globalcfg;
641 fstrcpy(domaincfg.sid, ALLOC_RANGE);
643 ret = idmap_autorid_get_domainrange(&domaincfg);
645 if (!NT_STATUS_IS_OK(ret)) {
646 DEBUG(3, ("Could not determine range for allocation pool, "
647 "check previous messages for reason\n"));
651 /* fetch the current HWM */
652 hwmkey = (xid->type==ID_TYPE_UID)?ALLOC_HWM_UID:ALLOC_HWM_GID;
654 ret = dbwrap_fetch_uint32(autorid_db, hwmkey, &hwm);
656 if (!NT_STATUS_IS_OK(ret)) {
657 DEBUG(1, ("Failed to fetch current allocation HWM value: %s\n",
659 return NT_STATUS_INTERNAL_ERROR;
662 if (hwm >= globalcfg->rangesize) {
663 DEBUG(1, ("allocation range is depleted!\n"));
664 return NT_STATUS_NO_MEMORY;
667 ret = dbwrap_change_uint32_atomic(autorid_db, hwmkey, &(xid->id), 1);
668 if (!NT_STATUS_IS_OK(ret)) {
669 DEBUG(1, ("Fatal error while allocating new ID!\n"));
673 xid->id = globalcfg->minvalue +
674 globalcfg->rangesize * domaincfg.domainnum +
677 DEBUG(10, ("Returned new %s %d from allocation range\n",
678 (xid->type==ID_TYPE_UID)?"uid":"gid", xid->id));
684 Close the idmap tdb instance
686 static struct idmap_methods autorid_methods = {
687 .init = idmap_autorid_initialize,
688 .unixids_to_sids = idmap_autorid_unixids_to_sids,
689 .sids_to_unixids = idmap_autorid_sids_to_unixids,
690 .allocate_id = idmap_autorid_allocate_id
693 NTSTATUS samba_init_module(void)
695 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
696 "autorid", &autorid_methods);
git.samba.org / kai / samba.git / blob