2 * idmap_autorid: static map between Active Directory/NT RIDs
3 * and RFC 2307 accounts
5 * based on the idmap_rid module, but this module defines the ranges
6 * for the domains by automatically allocating a range for each domain
8 * Copyright (C) Christian Ambach, 2010
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 3 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, see <http://www.gnu.org/licenses/>.
29 #include "../libcli/security/dom_sid.h"
32 #define DBGC_CLASS DBGC_IDMAP
34 #define HWM "NEXT RANGE"
35 struct autorid_global_config {
41 struct autorid_domain_config {
44 struct autorid_global_config *globalcfg;
47 /* handle to the tdb storing domain <-> range assignments */
48 static struct db_context *autorid_db;
50 static NTSTATUS idmap_autorid_get_domainrange(struct db_context *db,
54 uint32_t domainnum, hwm;
55 char *sidstr, *numstr;
56 struct autorid_domain_config *cfg;
58 cfg = (struct autorid_domain_config *)private_data;
59 sidstr = dom_sid_string(talloc_tos(), &(cfg->sid));
62 return NT_STATUS_NO_MEMORY;
65 if (!dbwrap_fetch_uint32(db, sidstr, &domainnum)) {
66 DEBUG(10, ("Acquiring new range for domain %s\n", sidstr));
68 /* fetch the current HWM */
69 if (!dbwrap_fetch_uint32(db, HWM, &hwm)) {
70 DEBUG(1, ("Fatal error while fetching current "
72 ret = NT_STATUS_INTERNAL_ERROR;
76 /* do we have a range left? */
77 if (hwm >= cfg->globalcfg->maxranges) {
78 DEBUG(1, ("No more domain ranges available!\n"));
79 ret = NT_STATUS_NO_MEMORY;
83 /* increase the HWM */
84 ret = dbwrap_change_uint32_atomic(db, HWM, &domainnum, 1);
85 if (!NT_STATUS_IS_OK(ret)) {
86 DEBUG(1, ("Fatal error while fetching a new "
87 "domain range value!\n"));
91 /* store away the new mapping in both directions */
92 ret = dbwrap_trans_store_uint32(db, sidstr, domainnum);
93 if (!NT_STATUS_IS_OK(ret)) {
94 DEBUG(1, ("Fatal error while storing new "
95 "domain->range assignment!\n"));
99 numstr = talloc_asprintf(db, "%u", domainnum);
101 ret = NT_STATUS_NO_MEMORY;
105 ret = dbwrap_trans_store_bystring(db, numstr,
106 string_term_tdb_data(sidstr),
108 if (!NT_STATUS_IS_OK(ret)) {
110 DEBUG(1, ("Fatal error while storing "
111 "new domain->range assignment!\n"));
115 DEBUG(5, ("Acquired new range #%d for domain %s\n",
119 DEBUG(10, ("Using range #%d for domain %s\n", domainnum, sidstr));
120 cfg->domainnum = domainnum;
131 static NTSTATUS idmap_autorid_id_to_sid(TALLOC_CTX * memctx,
132 struct autorid_global_config *cfg,
140 /* can this be one of our ids? */
141 if (map->xid.id < cfg->minvalue) {
142 DEBUG(10, ("id %d is lower than minimum value, "
143 "ignoring mapping request\n", map->xid.id));
144 map->status = ID_UNKNOWN;
148 if (map->xid.id > (cfg->minvalue + cfg->rangesize * cfg->maxranges)) {
149 DEBUG(10, ("id %d is outside of maximum id value, "
150 "ignoring mapping request\n", map->xid.id));
151 map->status = ID_UNKNOWN;
155 /* determine the range of this uid */
156 range = ((map->xid.id - cfg->minvalue) / cfg->rangesize);
158 keystr = talloc_asprintf(memctx, "%u", range);
160 return NT_STATUS_NO_MEMORY;
163 data = dbwrap_fetch_bystring(autorid_db, memctx, keystr);
166 DEBUG(4, ("id %d belongs to range %d which does not have "
167 "domain mapping, ignoring mapping request\n",
168 map->xid.id, range));
170 string_to_sid(&sid, (const char *)data.dptr);
172 sid_compose(map->sid, &sid,
173 (map->xid.id - cfg->minvalue -
174 range * cfg->rangesize));
176 /* We **really** should have some way of validating
177 the SID exists and is the correct type here. But
178 that is a deficiency in the idmap_rid design. */
180 map->status = ID_MAPPED;
185 /**********************************
186 Single sid to id lookup function.
187 **********************************/
189 static NTSTATUS idmap_autorid_sid_to_id(TALLOC_CTX * memctx,
190 struct autorid_global_config *global,
191 struct autorid_domain_config *domain,
196 sid_peek_rid(map->sid, &rid);
198 /* if the rid is higher than the size of the range, we cannot map it */
199 if (rid >= global->rangesize) {
200 map->status = ID_UNKNOWN;
201 DEBUG(2, ("RID %d is larger then size of range (%d), "
202 "user cannot be mapped\n", rid, global->rangesize));
203 return NT_STATUS_UNSUCCESSFUL;
205 map->xid.id = global->minvalue +
206 (global->rangesize * domain->domainnum)+rid;
208 /* We **really** should have some way of validating
209 the SID exists and is the correct type here. But
210 that is a deficiency in the idmap_rid design. */
212 map->status = ID_MAPPED;
217 /**********************************
218 lookup a set of unix ids.
219 **********************************/
221 static NTSTATUS idmap_autorid_unixids_to_sids(struct idmap_domain *dom,
224 struct autorid_global_config *globalcfg;
229 /* initialize the status to avoid surprise */
230 for (i = 0; ids[i]; i++) {
231 ids[i]->status = ID_UNKNOWN;
234 globalcfg = talloc_get_type(dom->private_data,
235 struct autorid_global_config);
237 ctx = talloc_new(dom);
239 DEBUG(0, ("Out of memory!\n"));
240 return NT_STATUS_NO_MEMORY;
243 for (i = 0; ids[i]; i++) {
245 ret = idmap_autorid_id_to_sid(ctx, globalcfg, ids[i]);
247 if ((!NT_STATUS_IS_OK(ret)) &&
248 (!NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
249 /* some fatal error occurred, log it */
250 DEBUG(3, ("Unexpected error resolving an ID "
251 " (%d)\n", ids[i]->xid.id));
265 /**********************************
266 lookup a set of sids.
267 **********************************/
269 static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom,
272 struct autorid_global_config *global;
273 struct autorid_domain_config *domaincfg;
274 struct dom_sid *domainsid;
275 struct winbindd_tdc_domain *domain;
281 ctx = talloc_new(dom);
282 domainsid = talloc(ctx, struct dom_sid);
283 if (!ctx || !domainsid) {
284 DEBUG(0, ("Out of memory!\n"));
285 ret = NT_STATUS_NO_MEMORY;
289 if ((domaincfg = TALLOC_ZERO_P(ctx,
290 struct autorid_domain_config)) == NULL) {
291 DEBUG(0, ("Out of memory!\n"));
292 ret = NT_STATUS_NO_MEMORY;
296 /* initialize the status to avoid surprise */
297 for (i = 0; ids[i]; i++) {
298 ids[i]->status = ID_UNKNOWN;
301 global = talloc_get_type(dom->private_data,
302 struct autorid_global_config);
304 for (i = 0; ids[i]; i++) {
305 ZERO_STRUCTP(domainsid);
306 sid_copy(domainsid, ids[i]->sid);
307 if (!sid_split_rid(domainsid, &rid)) {
308 DEBUG(4, ("Could not determine domain SID from %s, "
309 "ignoring mapping request\n",
310 sid_string_dbg(ids[i]->sid)));
314 domain = wcache_tdc_fetch_domainbysid(ctx, domainsid);
315 if (domain == NULL) {
316 DEBUG(10, ("Ignoring unknown domain sid %s\n",
317 sid_string_dbg(domainsid)));
321 ZERO_STRUCTP(domaincfg);
322 domaincfg->sid = domain->sid;
323 domaincfg->globalcfg = global;
325 ret = dbwrap_trans_do(autorid_db, idmap_autorid_get_domainrange,
328 if (!NT_STATUS_IS_OK(ret)) {
329 DEBUG(3, ("Could not determine range for domain, "
330 "check previous messages for reason\n"));
334 ret = idmap_autorid_sid_to_id(ctx, global, domaincfg, ids[i]);
336 if ((!NT_STATUS_IS_OK(ret)) &&
337 (!NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
338 /* some fatal error occurred, log it */
339 DEBUG(3, ("Unexpected error resolving a SID (%s)\n",
340 sid_string_dbg(ids[i]->sid)));
355 * open and initialize the database which stores the ranges for the domains
357 static NTSTATUS idmap_autorid_db_init(void)
362 /* its already open */
366 /* Open idmap repository */
367 autorid_db = db_open(NULL, state_path("autorid.tdb"), 0,
368 TDB_DEFAULT, O_RDWR | O_CREAT, 0644);
371 DEBUG(0, ("Unable to open idmap_autorid database '%s'\n",
372 state_path("autorid.tdb")));
373 return NT_STATUS_UNSUCCESSFUL;
376 /* Initialize high water mark for the currently used range to 0 */
377 hwm = dbwrap_fetch_int32(autorid_db, HWM);
380 (dbwrap_trans_store_int32(autorid_db, HWM, 0))) {
382 ("Unable to initialise HWM in autorid "
384 return NT_STATUS_INTERNAL_DB_ERROR;
391 static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom,
394 struct autorid_global_config *config;
397 config = TALLOC_ZERO_P(dom, struct autorid_global_config);
399 DEBUG(0, ("Out of memory!\n"));
400 return NT_STATUS_NO_MEMORY;
403 status = idmap_autorid_db_init();
404 if (!NT_STATUS_IS_OK(status)) {
408 config->minvalue = dom->low_id;
409 config->rangesize = lp_parm_int(-1, "autorid", "rangesize", 100000);
411 if (config->rangesize < 2000) {
412 DEBUG(1, ("autorid rangesize must be at least 2000\n"));
413 status = NT_STATUS_INVALID_PARAMETER;
417 config->maxranges = (dom->high_id - dom->low_id + 1) /
420 if (config->maxranges == 0) {
421 DEBUG(1, ("allowed uid range is smaller then rangesize, "
422 "increase uid range or decrease rangesize\n"));
423 status = NT_STATUS_INVALID_PARAMETER;
427 /* check if the high-low limit is a multiple of the rangesize */
428 if ((dom->high_id - dom->low_id + 1) % config->rangesize != 0) {
429 DEBUG(5, ("High uid-low uid difference of %d "
430 "is not a multiple of the rangesize %d, "
431 "limiting ranges to lower boundary number of %d\n",
432 (dom->high_id - dom->low_id + 1), config->rangesize,
436 DEBUG(5, ("%d domain ranges with a size of %d are available\n",
437 config->maxranges, config->rangesize));
439 dom->private_data = config;
441 if (!NT_STATUS_IS_OK(status)) {
453 Close the idmap tdb instance
455 static NTSTATUS idmap_autorid_close(struct idmap_domain *dom)
457 /* don't do anything */
461 static struct idmap_methods autorid_methods = {
462 .init = idmap_autorid_initialize,
463 .unixids_to_sids = idmap_autorid_unixids_to_sids,
464 .sids_to_unixids = idmap_autorid_sids_to_unixids,
465 .close_fn = idmap_autorid_close
468 NTSTATUS idmap_autorid_init(void)
470 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
471 "autorid", &autorid_methods);
git.samba.org / kai / samba.git / blob