2 Unix SMB/CIFS implementation.
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 Copyright (C) Jeremy Allison 2006
9 Copyright (C) Simo Sorce 2003-2006
10 Copyright (C) Michael Adam 2009-2010
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "system/filesys.h"
32 #include "../libcli/security/security.h"
36 #define DBGC_CLASS DBGC_IDMAP
38 /* idmap version determines auto-conversion - this is the database
39 structure version specifier. */
41 #define IDMAP_VERSION 2
43 struct idmap_tdb_context {
44 struct db_context *db;
45 struct idmap_rw_ops *rw_ops;
48 /* High water mark keys */
49 #define HWM_GROUP "GROUP HWM"
50 #define HWM_USER "USER HWM"
52 struct convert_fn_state {
53 struct db_context *db;
57 /*****************************************************************************
58 For idmap conversion: convert one record to new format
59 Ancient versions (eg 2.2.3a) of winbindd_idmap.tdb mapped DOMAINNAME/rid
61 *****************************************************************************/
62 static int convert_fn(struct db_record *rec, void *private_data)
64 struct winbindd_domain *domain;
72 struct convert_fn_state *s = (struct convert_fn_state *)private_data;
74 DEBUG(10,("Converting %s\n", (const char *)rec->key.dptr));
76 p = strchr((const char *)rec->key.dptr, '/');
81 fstrcpy(dom_name, (const char *)rec->key.dptr);
84 domain = find_domain_from_name(dom_name);
86 /* We must delete the old record. */
87 DEBUG(0,("Unable to find domain %s\n", dom_name ));
88 DEBUG(0,("deleting record %s\n", (const char *)rec->key.dptr ));
90 status = rec->delete_rec(rec);
91 if (!NT_STATUS_IS_OK(status)) {
92 DEBUG(0, ("Unable to delete record %s:%s\n",
93 (const char *)rec->key.dptr,
104 sid_compose(&sid, &domain->sid, rid);
106 sid_to_fstring(keystr, &sid);
107 key2 = string_term_tdb_data(keystr);
109 status = dbwrap_store(s->db, key2, rec->value, TDB_INSERT);
110 if (!NT_STATUS_IS_OK(status)) {
111 DEBUG(0,("Unable to add record %s:%s\n",
112 (const char *)key2.dptr,
118 status = dbwrap_store(s->db, rec->value, key2, TDB_REPLACE);
119 if (!NT_STATUS_IS_OK(status)) {
120 DEBUG(0,("Unable to update record %s:%s\n",
121 (const char *)rec->value.dptr,
127 status = rec->delete_rec(rec);
128 if (!NT_STATUS_IS_OK(status)) {
129 DEBUG(0,("Unable to delete record %s:%s\n",
130 (const char *)rec->key.dptr,
139 /*****************************************************************************
140 Convert the idmap database from an older version.
141 *****************************************************************************/
143 static bool idmap_tdb_upgrade(struct idmap_domain *dom, struct db_context *db)
146 bool bigendianheader;
147 struct convert_fn_state s;
150 /* If we are bigendian, tdb is bigendian if NOT converted. */
153 unsigned char small[2];
156 if (u.small[0] == 0x01)
157 bigendianheader = !(db->get_flags(db) & TDB_CONVERT);
159 assert(u.small[0] == 0x02);
160 bigendianheader = (db->get_flags(db) & TDB_CONVERT);
163 bigendianheader = (db->get_flags(db) & TDB_BIGENDIAN) ? True : False;
165 DEBUG(0, ("Upgrading winbindd_idmap.tdb from an old version\n"));
167 vers = dbwrap_fetch_int32(db, "IDMAP_VERSION");
169 if (((vers == -1) && bigendianheader) || (IREV(vers) == IDMAP_VERSION)) {
170 /* Arrggghh ! Bytereversed or old big-endian - make order independent ! */
172 * high and low records were created on a
173 * big endian machine and will need byte-reversing.
178 wm = dbwrap_fetch_int32(db, HWM_USER);
186 if (dbwrap_store_int32(db, HWM_USER, wm) == -1) {
187 DEBUG(0, ("Unable to byteswap user hwm in idmap database\n"));
191 wm = dbwrap_fetch_int32(db, HWM_GROUP);
198 if (dbwrap_store_int32(db, HWM_GROUP, wm) == -1) {
199 DEBUG(0, ("Unable to byteswap group hwm in idmap database\n"));
207 /* the old format stored as DOMAIN/rid - now we store the SID direct */
208 db->traverse(db, convert_fn, &s);
211 DEBUG(0, ("Problem during conversion\n"));
215 if (dbwrap_store_int32(db, "IDMAP_VERSION", IDMAP_VERSION) == -1) {
216 DEBUG(0, ("Unable to store idmap version in database\n"));
223 static NTSTATUS idmap_tdb_init_hwm(struct idmap_domain *dom)
228 bool update_uid = false;
229 bool update_gid = false;
230 struct idmap_tdb_context *ctx;
232 ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context);
234 low_uid = dbwrap_fetch_int32(ctx->db, HWM_USER);
235 if (low_uid == -1 || low_uid < dom->low_id) {
239 low_gid = dbwrap_fetch_int32(ctx->db, HWM_GROUP);
240 if (low_gid == -1 || low_gid < dom->low_id) {
244 if (!update_uid && !update_gid) {
248 if (ctx->db->transaction_start(ctx->db) != 0) {
249 DEBUG(0, ("Unable to start upgrade transaction!\n"));
250 return NT_STATUS_INTERNAL_DB_ERROR;
254 ret = dbwrap_store_int32(ctx->db, HWM_USER, dom->low_id);
256 ctx->db->transaction_cancel(ctx->db);
257 DEBUG(0, ("Unable to initialise user hwm in idmap "
259 return NT_STATUS_INTERNAL_DB_ERROR;
264 ret = dbwrap_store_int32(ctx->db, HWM_GROUP, dom->low_id);
266 ctx->db->transaction_cancel(ctx->db);
267 DEBUG(0, ("Unable to initialise group hwm in idmap "
269 return NT_STATUS_INTERNAL_DB_ERROR;
273 if (ctx->db->transaction_commit(ctx->db) != 0) {
274 DEBUG(0, ("Unable to commit upgrade transaction!\n"));
275 return NT_STATUS_INTERNAL_DB_ERROR;
281 static NTSTATUS idmap_tdb_open_db(struct idmap_domain *dom)
285 char *tdbfile = NULL;
286 struct db_context *db = NULL;
288 bool config_error = false;
289 struct idmap_tdb_context *ctx;
291 ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context);
294 /* it is already open */
298 /* use our own context here */
299 mem_ctx = talloc_stackframe();
301 /* use the old database if present */
302 tdbfile = state_path("winbindd_idmap.tdb");
304 DEBUG(0, ("Out of memory!\n"));
305 ret = NT_STATUS_NO_MEMORY;
309 DEBUG(10,("Opening tdbfile %s\n", tdbfile ));
311 /* Open idmap repository */
312 db = db_open(mem_ctx, tdbfile, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0644);
314 DEBUG(0, ("Unable to open idmap database\n"));
315 ret = NT_STATUS_UNSUCCESSFUL;
319 /* check against earlier versions */
320 version = dbwrap_fetch_int32(db, "IDMAP_VERSION");
321 if (version != IDMAP_VERSION) {
323 DEBUG(0,("Upgrade of IDMAP_VERSION from %d to %d is not "
324 "possible with incomplete configuration\n",
325 version, IDMAP_VERSION));
326 ret = NT_STATUS_UNSUCCESSFUL;
329 if (db->transaction_start(db) != 0) {
330 DEBUG(0, ("Unable to start upgrade transaction!\n"));
331 ret = NT_STATUS_INTERNAL_DB_ERROR;
335 if (!idmap_tdb_upgrade(dom, db)) {
336 db->transaction_cancel(db);
337 DEBUG(0, ("Unable to open idmap database, it's in an old format, and upgrade failed!\n"));
338 ret = NT_STATUS_INTERNAL_DB_ERROR;
342 if (db->transaction_commit(db) != 0) {
343 DEBUG(0, ("Unable to commit upgrade transaction!\n"));
344 ret = NT_STATUS_INTERNAL_DB_ERROR;
349 ctx->db = talloc_move(ctx, &db);
351 ret = idmap_tdb_init_hwm(dom);
354 talloc_free(mem_ctx);
358 /**********************************************************************
359 IDMAP ALLOC TDB BACKEND
360 **********************************************************************/
362 /**********************************
364 **********************************/
366 struct idmap_tdb_allocate_id_context {
373 static NTSTATUS idmap_tdb_allocate_id_action(struct db_context *db,
377 struct idmap_tdb_allocate_id_context *state;
380 state = (struct idmap_tdb_allocate_id_context *)private_data;
382 hwm = dbwrap_fetch_int32(db, state->hwmkey);
384 ret = NT_STATUS_INTERNAL_DB_ERROR;
388 /* check it is in the range */
389 if (hwm > state->high_hwm) {
390 DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
391 state->hwmtype, (unsigned long)state->high_hwm));
392 ret = NT_STATUS_UNSUCCESSFUL;
396 /* fetch a new id and increment it */
397 ret = dbwrap_trans_change_uint32_atomic(db, state->hwmkey, &hwm, 1);
398 if (!NT_STATUS_IS_OK(ret)) {
399 DEBUG(0, ("Fatal error while fetching a new %s value: %s\n!",
400 state->hwmtype, nt_errstr(ret)));
404 /* recheck it is in the range */
405 if (hwm > state->high_hwm) {
406 DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
407 state->hwmtype, (unsigned long)state->high_hwm));
408 ret = NT_STATUS_UNSUCCESSFUL;
419 static NTSTATUS idmap_tdb_allocate_id(struct idmap_domain *dom,
427 struct idmap_tdb_allocate_id_context state;
428 struct idmap_tdb_context *ctx;
430 ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context);
432 /* Get current high water mark */
446 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
447 return NT_STATUS_INVALID_PARAMETER;
450 high_hwm = dom->high_id;
453 state.high_hwm = high_hwm;
454 state.hwmtype = hwmtype;
455 state.hwmkey = hwmkey;
457 status = dbwrap_trans_do(ctx->db, idmap_tdb_allocate_id_action,
460 if (NT_STATUS_IS_OK(status)) {
462 DEBUG(10,("New %s = %d\n", hwmtype, state.hwm));
464 DEBUG(1, ("Error allocating a new %s\n", hwmtype));
471 * Allocate a new unix-ID.
472 * For now this is for the default idmap domain only.
473 * Should be extended later on.
475 static NTSTATUS idmap_tdb_get_new_id(struct idmap_domain *dom,
480 if (!strequal(dom->name, "*")) {
481 DEBUG(3, ("idmap_tdb_get_new_id: "
482 "Refusing allocation of a new unixid for domain'%s'. "
483 "Currently only supported for the default "
486 return NT_STATUS_NOT_IMPLEMENTED;
489 ret = idmap_tdb_allocate_id(dom, id);
494 /**********************************************************************
495 IDMAP MAPPING TDB BACKEND
496 **********************************************************************/
498 /*****************************
499 Initialise idmap database.
500 *****************************/
502 static NTSTATUS idmap_tdb_set_mapping(struct idmap_domain *dom,
503 const struct id_map *map);
505 static NTSTATUS idmap_tdb_db_init(struct idmap_domain *dom)
508 struct idmap_tdb_context *ctx;
510 DEBUG(10, ("idmap_tdb_db_init called for domain '%s'\n", dom->name));
512 ctx = talloc_zero(dom, struct idmap_tdb_context);
514 DEBUG(0, ("Out of memory!\n"));
515 return NT_STATUS_NO_MEMORY;
518 /* load backend specific configuration here: */
520 if (strequal(dom->name, "*")) {
525 ctx->rw_ops = talloc_zero(ctx, struct idmap_rw_ops);
526 if (ctx->rw_ops == NULL) {
527 DEBUG(0, ("Out of memory!\n"));
528 ret = NT_STATUS_NO_MEMORY;
532 ctx->rw_ops->get_new_id = idmap_tdb_get_new_id;
533 ctx->rw_ops->set_mapping = idmap_tdb_set_mapping;
535 dom->private_data = ctx;
537 ret = idmap_tdb_open_db(dom);
538 if ( ! NT_STATUS_IS_OK(ret)) {
551 * store a mapping in the database
554 struct idmap_tdb_set_mapping_context {
559 static NTSTATUS idmap_tdb_set_mapping_action(struct db_context *db,
563 struct idmap_tdb_set_mapping_context *state;
565 state = (struct idmap_tdb_set_mapping_context *)private_data;
567 DEBUG(10, ("Storing %s <-> %s map\n", state->ksidstr, state->kidstr));
569 ret = dbwrap_store_bystring(db, state->ksidstr,
570 string_term_tdb_data(state->kidstr),
572 if (!NT_STATUS_IS_OK(ret)) {
573 DEBUG(0, ("Error storing SID -> ID (%s -> %s): %s\n",
574 state->ksidstr, state->kidstr, nt_errstr(ret)));
578 ret = dbwrap_store_bystring(db, state->kidstr,
579 string_term_tdb_data(state->ksidstr),
581 if (!NT_STATUS_IS_OK(ret)) {
582 DEBUG(0, ("Error storing ID -> SID (%s -> %s): %s\n",
583 state->kidstr, state->ksidstr, nt_errstr(ret)));
587 DEBUG(10,("Stored %s <-> %s\n", state->ksidstr, state->kidstr));
594 static NTSTATUS idmap_tdb_set_mapping(struct idmap_domain *dom,
595 const struct id_map *map)
597 struct idmap_tdb_context *ctx;
599 char *ksidstr, *kidstr;
600 struct idmap_tdb_set_mapping_context state;
602 if (!map || !map->sid) {
603 return NT_STATUS_INVALID_PARAMETER;
606 ksidstr = kidstr = NULL;
608 /* TODO: should we filter a set_mapping using low/high filters ? */
610 ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context);
612 switch (map->xid.type) {
615 kidstr = talloc_asprintf(ctx, "UID %lu",
616 (unsigned long)map->xid.id);
620 kidstr = talloc_asprintf(ctx, "GID %lu",
621 (unsigned long)map->xid.id);
625 DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type));
626 return NT_STATUS_INVALID_PARAMETER;
629 if (kidstr == NULL) {
630 DEBUG(0, ("ERROR: Out of memory!\n"));
631 ret = NT_STATUS_NO_MEMORY;
635 ksidstr = sid_string_talloc(ctx, map->sid);
636 if (ksidstr == NULL) {
637 DEBUG(0, ("Out of memory!\n"));
638 ret = NT_STATUS_NO_MEMORY;
642 state.ksidstr = ksidstr;
643 state.kidstr = kidstr;
645 ret = dbwrap_trans_do(ctx->db, idmap_tdb_set_mapping_action, &state);
648 talloc_free(ksidstr);
654 * Create a new mapping for an unmapped SID, also allocating a new ID.
655 * This should be run inside a transaction.
658 * Properly integrate this with multi domain idmap config:
659 * Currently, the allocator is default-config only.
661 static NTSTATUS idmap_tdb_new_mapping(struct idmap_domain *dom, struct id_map *map)
664 struct idmap_tdb_context *ctx;
666 ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context);
668 ret = idmap_rw_new_mapping(dom, ctx->rw_ops, map);
674 /**********************************
675 Single id to sid lookup function.
676 **********************************/
678 static NTSTATUS idmap_tdb_id_to_sid(struct idmap_domain *dom, struct id_map *map)
683 struct idmap_tdb_context *ctx;
686 return NT_STATUS_INVALID_PARAMETER;
689 ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context);
691 /* apply filters before checking */
692 if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
693 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
694 map->xid.id, dom->low_id, dom->high_id));
695 return NT_STATUS_NONE_MAPPED;
698 switch (map->xid.type) {
701 keystr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
705 keystr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
709 DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type));
710 return NT_STATUS_INVALID_PARAMETER;
713 /* final SAFE_FREE safe */
716 if (keystr == NULL) {
717 DEBUG(0, ("Out of memory!\n"));
718 ret = NT_STATUS_NO_MEMORY;
722 DEBUG(10,("Fetching record %s\n", keystr));
724 /* Check if the mapping exists */
725 data = dbwrap_fetch_bystring(ctx->db, NULL, keystr);
728 DEBUG(10,("Record %s not found\n", keystr));
729 ret = NT_STATUS_NONE_MAPPED;
733 if (!string_to_sid(map->sid, (const char *)data.dptr)) {
734 DEBUG(10,("INVALID SID (%s) in record %s\n",
735 (const char *)data.dptr, keystr));
736 ret = NT_STATUS_INTERNAL_DB_ERROR;
740 DEBUG(10,("Found record %s -> %s\n", keystr, (const char *)data.dptr));
744 talloc_free(data.dptr);
749 /**********************************
750 Single sid to id lookup function.
751 **********************************/
753 static NTSTATUS idmap_tdb_sid_to_id(struct idmap_domain *dom, struct id_map *map)
758 unsigned long rec_id = 0;
759 struct idmap_tdb_context *ctx;
760 TALLOC_CTX *tmp_ctx = talloc_stackframe();
762 ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context);
764 keystr = sid_string_talloc(tmp_ctx, map->sid);
765 if (keystr == NULL) {
766 DEBUG(0, ("Out of memory!\n"));
767 ret = NT_STATUS_NO_MEMORY;
771 DEBUG(10,("Fetching record %s\n", keystr));
773 /* Check if sid is present in database */
774 data = dbwrap_fetch_bystring(ctx->db, tmp_ctx, keystr);
776 DEBUG(10,("Record %s not found\n", keystr));
777 ret = NT_STATUS_NONE_MAPPED;
781 /* What type of record is this ? */
782 if (sscanf((const char *)data.dptr, "UID %lu", &rec_id) == 1) { /* Try a UID record. */
783 map->xid.id = rec_id;
784 map->xid.type = ID_TYPE_UID;
785 DEBUG(10,("Found uid record %s -> %s \n", keystr, (const char *)data.dptr ));
788 } else if (sscanf((const char *)data.dptr, "GID %lu", &rec_id) == 1) { /* Try a GID record. */
789 map->xid.id = rec_id;
790 map->xid.type = ID_TYPE_GID;
791 DEBUG(10,("Found gid record %s -> %s \n", keystr, (const char *)data.dptr ));
794 } else { /* Unknown record type ! */
795 DEBUG(2, ("Found INVALID record %s -> %s\n", keystr, (const char *)data.dptr));
796 ret = NT_STATUS_INTERNAL_DB_ERROR;
800 /* apply filters before returning result */
801 if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
802 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
803 map->xid.id, dom->low_id, dom->high_id));
804 ret = NT_STATUS_NONE_MAPPED;
808 talloc_free(tmp_ctx);
812 /**********************************
813 lookup a set of unix ids.
814 **********************************/
816 static NTSTATUS idmap_tdb_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
821 /* initialize the status to avoid suprise */
822 for (i = 0; ids[i]; i++) {
823 ids[i]->status = ID_UNKNOWN;
826 for (i = 0; ids[i]; i++) {
827 ret = idmap_tdb_id_to_sid(dom, ids[i]);
828 if ( ! NT_STATUS_IS_OK(ret)) {
830 /* if it is just a failed mapping continue */
831 if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {
833 /* make sure it is marked as unmapped */
834 ids[i]->status = ID_UNMAPPED;
838 /* some fatal error occurred, return immediately */
842 /* all ok, id is mapped */
843 ids[i]->status = ID_MAPPED;
852 /**********************************
853 lookup a set of sids.
854 **********************************/
856 struct idmap_tdb_sids_to_unixids_context {
857 struct idmap_domain *dom;
859 bool allocate_unmapped;
862 static NTSTATUS idmap_tdb_sids_to_unixids_action(struct db_context *db,
865 struct idmap_tdb_sids_to_unixids_context *state;
867 NTSTATUS ret = NT_STATUS_OK;
869 state = (struct idmap_tdb_sids_to_unixids_context *)private_data;
871 DEBUG(10, ("idmap_tdb_sids_to_unixids_action: "
872 " domain: [%s], allocate: %s\n",
874 state->allocate_unmapped ? "yes" : "no"));
876 for (i = 0; state->ids[i]; i++) {
877 if ((state->ids[i]->status == ID_UNKNOWN) ||
878 /* retry if we could not map in previous run: */
879 (state->ids[i]->status == ID_UNMAPPED))
883 ret2 = idmap_tdb_sid_to_id(state->dom, state->ids[i]);
884 if (!NT_STATUS_IS_OK(ret2)) {
886 /* if it is just a failed mapping, continue */
887 if (NT_STATUS_EQUAL(ret2, NT_STATUS_NONE_MAPPED)) {
889 /* make sure it is marked as unmapped */
890 state->ids[i]->status = ID_UNMAPPED;
891 ret = STATUS_SOME_UNMAPPED;
893 /* some fatal error occurred, return immediately */
898 /* all ok, id is mapped */
899 state->ids[i]->status = ID_MAPPED;
903 if ((state->ids[i]->status == ID_UNMAPPED) &&
904 state->allocate_unmapped)
906 ret = idmap_tdb_new_mapping(state->dom, state->ids[i]);
907 if (!NT_STATUS_IS_OK(ret)) {
917 static NTSTATUS idmap_tdb_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
919 struct idmap_tdb_context *ctx;
922 struct idmap_tdb_sids_to_unixids_context state;
924 /* initialize the status to avoid suprise */
925 for (i = 0; ids[i]; i++) {
926 ids[i]->status = ID_UNKNOWN;
929 ctx = talloc_get_type(dom->private_data, struct idmap_tdb_context);
933 state.allocate_unmapped = false;
935 ret = idmap_tdb_sids_to_unixids_action(ctx->db, &state);
937 if (NT_STATUS_EQUAL(ret, STATUS_SOME_UNMAPPED) && !dom->read_only) {
938 state.allocate_unmapped = true;
939 ret = dbwrap_trans_do(ctx->db,
940 idmap_tdb_sids_to_unixids_action,
948 /**********************************
949 Close the idmap tdb instance
950 **********************************/
952 static struct idmap_methods db_methods = {
953 .init = idmap_tdb_db_init,
954 .unixids_to_sids = idmap_tdb_unixids_to_sids,
955 .sids_to_unixids = idmap_tdb_sids_to_unixids,
956 .allocate_id = idmap_tdb_get_new_id,
959 NTSTATUS idmap_tdb_init(void)
961 DEBUG(10, ("calling idmap_tdb_init\n"));
963 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "tdb", &db_methods);