2 Unix SMB/CIFS implementation.
4 Map SIDs to unixids and back
6 Copyright (C) Kai Blin 2008
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "auth/auth.h"
24 #include "librpc/gen_ndr/ndr_security.h"
25 #include "lib/ldb/include/ldb.h"
26 #include "lib/ldb_wrap.h"
27 #include "param/param.h"
28 #include "winbind/idmap.h"
29 #include "libcli/security/security.h"
30 #include "libcli/ldap/ldap_ndr.h"
33 * Get uid/gid bounds from idmap database
35 * \param idmap_ctx idmap context to use
36 * \param low lower uid/gid bound is stored here
37 * \param high upper uid/gid bound is stored here
38 * \return 0 on success, nonzero on failure
40 static int idmap_get_bounds(struct idmap_context *idmap_ctx, uint32_t *low,
44 struct ldb_context *ldb = idmap_ctx->ldb_ctx;
46 struct ldb_result *res = NULL;
47 TALLOC_CTX *tmp_ctx = talloc_new(idmap_ctx);
48 uint32_t lower_bound = (uint32_t) -1;
49 uint32_t upper_bound = (uint32_t) -1;
51 dn = ldb_dn_new(tmp_ctx, ldb, "CN=CONFIG");
52 if (dn == NULL) goto failed;
54 ret = ldb_search(ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE, NULL, NULL);
55 if (ret != LDB_SUCCESS) goto failed;
57 if (res->count != 1) {
62 lower_bound = ldb_msg_find_attr_as_uint(res->msgs[0], "lowerBound", -1);
63 if (lower_bound != (uint32_t) -1) {
70 upper_bound = ldb_msg_find_attr_as_uint(res->msgs[0], "upperBound", -1);
71 if (upper_bound != (uint32_t) -1) {
85 * Add a dom_sid structure to a ldb_message
86 * \param idmap_ctx idmap context to use
87 * \param mem_ctx talloc context to use
88 * \param ldb_message ldb message to add dom_sid to
89 * \param attr_name name of the attribute to store the dom_sid in
90 * \param sid dom_sid to store
91 * \return 0 on success, an ldb error code on failure.
93 static int idmap_msg_add_dom_sid(struct idmap_context *idmap_ctx,
94 TALLOC_CTX *mem_ctx, struct ldb_message *msg,
95 const char *attr_name, const struct dom_sid *sid)
98 enum ndr_err_code ndr_err;
100 ndr_err = ndr_push_struct_blob(&val, mem_ctx,
101 lp_iconv_convenience(idmap_ctx->lp_ctx),
103 (ndr_push_flags_fn_t)ndr_push_dom_sid);
105 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
109 return ldb_msg_add_value(msg, attr_name, &val, NULL);
113 * Get a dom_sid structure from a ldb message.
115 * \param mem_ctx talloc context to allocate dom_sid memory in
116 * \param msg ldb_message to get dom_sid from
117 * \param attr_name key that has the dom_sid as data
118 * \return dom_sid structure on success, NULL on failure
120 static struct dom_sid *idmap_msg_get_dom_sid(TALLOC_CTX *mem_ctx,
121 struct ldb_message *msg, const char *attr_name)
124 const struct ldb_val *val;
125 enum ndr_err_code ndr_err;
127 val = ldb_msg_find_ldb_val(msg, attr_name);
132 sid = talloc(mem_ctx, struct dom_sid);
137 ndr_err = ndr_pull_struct_blob(val, sid, NULL, sid,
138 (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
139 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
148 * Initialize idmap context
150 * talloc_free to close.
152 * \param mem_ctx talloc context to use.
153 * \return allocated idmap_context on success, NULL on error
155 struct idmap_context *idmap_init(TALLOC_CTX *mem_ctx,
156 struct tevent_context *ev_ctx,
157 struct loadparm_context *lp_ctx)
159 struct idmap_context *idmap_ctx;
161 idmap_ctx = talloc(mem_ctx, struct idmap_context);
162 if (idmap_ctx == NULL) {
166 idmap_ctx->lp_ctx = lp_ctx;
168 idmap_ctx->ldb_ctx = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx,
169 lp_idmap_url(lp_ctx),
170 system_session(lp_ctx),
172 if (idmap_ctx->ldb_ctx == NULL) {
176 idmap_ctx->unix_groups_sid = dom_sid_parse_talloc(mem_ctx, "S-1-22-2");
177 if (idmap_ctx->unix_groups_sid == NULL) {
181 idmap_ctx->unix_users_sid = dom_sid_parse_talloc(mem_ctx, "S-1-22-1");
182 if (idmap_ctx->unix_users_sid == NULL) {
190 * Convert an unixid to the corresponding SID
192 * \param idmap_ctx idmap context to use
193 * \param mem_ctx talloc context the memory for the struct dom_sid is allocated
195 * \param unixid pointer to a unixid struct to convert
196 * \param sid pointer that will take the struct dom_sid pointer if the mapping
198 * \return NT_STATUS_OK on success, NT_STATUS_NONE_MAPPED if mapping not
199 * possible or some other NTSTATUS that is more descriptive on failure.
202 static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
204 const struct unixid *unixid,
205 struct dom_sid **sid)
208 NTSTATUS status = NT_STATUS_NONE_MAPPED;
209 struct ldb_context *ldb = idmap_ctx->ldb_ctx;
210 struct ldb_result *res = NULL;
211 struct dom_sid *unix_sid, *new_sid;
212 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
215 switch (unixid->type) {
217 id_type = "ID_TYPE_UID";
220 id_type = "ID_TYPE_GID";
223 DEBUG(1, ("unixid->type must be type gid or uid\n"));
224 status = NT_STATUS_NONE_MAPPED;
228 ret = ldb_search(ldb, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
229 NULL, "(&(|(type=ID_TYPE_BOTH)(type=%s))"
230 "(xidNumber=%u))", id_type, unixid->id);
231 if (ret != LDB_SUCCESS) {
232 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb)));
233 status = NT_STATUS_NONE_MAPPED;
237 if (res->count == 1) {
238 *sid = idmap_msg_get_dom_sid(mem_ctx, res->msgs[0],
241 DEBUG(1, ("Failed to get sid from db: %u\n", ret));
242 status = NT_STATUS_NONE_MAPPED;
245 talloc_free(tmp_ctx);
249 DEBUG(6, ("xid not found in idmap db, create S-1-22- SID.\n"));
251 /* For local users/groups , we just create a rid = uid/gid */
252 if (unixid->type == ID_TYPE_UID) {
253 unix_sid = dom_sid_parse_talloc(tmp_ctx, "S-1-22-1");
255 unix_sid = dom_sid_parse_talloc(tmp_ctx, "S-1-22-2");
257 if (unix_sid == NULL) {
258 status = NT_STATUS_NO_MEMORY;
262 new_sid = dom_sid_add_rid(mem_ctx, unix_sid, unixid->id);
263 if (new_sid == NULL) {
264 status = NT_STATUS_NO_MEMORY;
269 talloc_free(tmp_ctx);
273 talloc_free(tmp_ctx);
279 * Map a SID to an unixid struct.
281 * If no mapping exists, a new mapping will be created.
283 * \todo Check if SIDs can be resolved if lp_idmap_trusted_only() == true
284 * \todo Fix backwards compatibility for Samba3
286 * \param idmap_ctx idmap context to use
287 * \param mem_ctx talloc context to use
288 * \param sid SID to map to an unixid struct
289 * \param unixid pointer to a unixid struct pointer
290 * \return NT_STATUS_OK on success, NT_STATUS_INVALID_SID if the sid is not from
291 * a trusted domain and idmap trusted only = true, NT_STATUS_NONE_MAPPED if the
294 static NTSTATUS idmap_sid_to_xid(struct idmap_context *idmap_ctx,
296 const struct dom_sid *sid,
297 struct unixid **unixid)
300 NTSTATUS status = NT_STATUS_NONE_MAPPED;
301 struct ldb_context *ldb = idmap_ctx->ldb_ctx;
303 struct ldb_message *hwm_msg, *map_msg;
304 struct ldb_result *res = NULL;
306 uint32_t low, high, hwm, new_xid;
307 char *sid_string, *unixid_string, *hwm_string;
308 bool hwm_entry_exists;
309 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
311 if (dom_sid_in_domain(idmap_ctx->unix_users_sid, sid)) {
313 DEBUG(6, ("This is a local unix uid, just calculate that.\n"));
314 status = dom_sid_split_rid(tmp_ctx, sid, NULL, &rid);
315 if (!NT_STATUS_IS_OK(status)) goto failed;
317 *unixid = talloc(mem_ctx, struct unixid);
318 if (*unixid == NULL) {
319 status = NT_STATUS_NO_MEMORY;
323 (*unixid)->type = ID_TYPE_UID;
325 talloc_free(tmp_ctx);
329 if (dom_sid_in_domain(idmap_ctx->unix_groups_sid, sid)) {
331 DEBUG(6, ("This is a local unix gid, just calculate that.\n"));
332 status = dom_sid_split_rid(tmp_ctx, sid, NULL, &rid);
333 if (!NT_STATUS_IS_OK(status)) goto failed;
335 *unixid = talloc(mem_ctx, struct unixid);
336 if (*unixid == NULL) {
337 status = NT_STATUS_NO_MEMORY;
341 (*unixid)->type = ID_TYPE_GID;
343 talloc_free(tmp_ctx);
347 ret = ldb_search(ldb, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
348 NULL, "(&(objectClass=sidMap)(objectSid=%s))",
349 ldap_encode_ndr_dom_sid(tmp_ctx, sid));
350 if (ret != LDB_SUCCESS) {
351 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb)));
352 status = NT_STATUS_NONE_MAPPED;
356 if (res->count == 1) {
357 const char *type = ldb_msg_find_attr_as_string(res->msgs[0],
359 new_xid = ldb_msg_find_attr_as_uint(res->msgs[0], "xidNumber",
361 if (new_xid == (uint32_t) -1) {
362 DEBUG(1, ("Invalid xid mapping.\n"));
363 status = NT_STATUS_NONE_MAPPED;
368 DEBUG(1, ("Invalid type for mapping entry.\n"));
369 status = NT_STATUS_NONE_MAPPED;
373 *unixid = talloc(mem_ctx, struct unixid);
374 if (*unixid == NULL) {
375 status = NT_STATUS_NO_MEMORY;
379 (*unixid)->id = new_xid;
381 if (strcmp(type, "ID_TYPE_BOTH") == 0) {
382 (*unixid)->type = ID_TYPE_BOTH;
383 } else if (strcmp(type, "ID_TYPE_UID") == 0) {
384 (*unixid)->type = ID_TYPE_UID;
386 (*unixid)->type = ID_TYPE_GID;
389 talloc_free(tmp_ctx);
393 DEBUG(6, ("No existing mapping found, attempting to create one.\n"));
395 trans = ldb_transaction_start(ldb);
396 if (trans != LDB_SUCCESS) {
397 status = NT_STATUS_NONE_MAPPED;
401 /* Redo the search to make sure noone changed the mapping while we
403 ret = ldb_search(ldb, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE,
404 NULL, "(&(objectClass=sidMap)(objectSid=%s))",
405 ldap_encode_ndr_dom_sid(tmp_ctx, sid));
406 if (ret != LDB_SUCCESS) {
407 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb)));
408 status = NT_STATUS_NONE_MAPPED;
412 if (res->count > 0) {
413 DEBUG(1, ("Database changed while trying to add a sidmap.\n"));
414 status = NT_STATUS_RETRY;
418 /*FIXME: if lp_idmap_trusted_only() == true, check if SID can be
421 ret = idmap_get_bounds(idmap_ctx, &low, &high);
422 if (ret != LDB_SUCCESS) {
423 status = NT_STATUS_NONE_MAPPED;
427 dn = ldb_dn_new(tmp_ctx, ldb, "CN=CONFIG");
429 status = NT_STATUS_NO_MEMORY;
433 ret = ldb_search(ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE, NULL, NULL);
434 if (ret != LDB_SUCCESS) {
435 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb)));
436 status = NT_STATUS_NONE_MAPPED;
440 if (res->count != 1) {
441 DEBUG(1, ("No CN=CONFIG record, idmap database is broken.\n"));
442 status = NT_STATUS_NONE_MAPPED;
446 hwm = ldb_msg_find_attr_as_uint(res->msgs[0], "xidNumber", -1);
447 if (hwm == (uint32_t)-1) {
449 hwm_entry_exists = false;
451 hwm_entry_exists = true;
455 DEBUG(1, ("Out of xids to allocate.\n"));
456 status = NT_STATUS_NONE_MAPPED;
460 hwm_msg = ldb_msg_new(tmp_ctx);
461 if (hwm_msg == NULL) {
462 DEBUG(1, ("Out of memory when creating ldb_message\n"));
463 status = NT_STATUS_NO_MEMORY;
472 hwm_string = talloc_asprintf(tmp_ctx, "%u", hwm);
473 if (hwm_string == NULL) {
474 status = NT_STATUS_NO_MEMORY;
478 sid_string = dom_sid_string(tmp_ctx, sid);
479 if (sid_string == NULL) {
480 status = NT_STATUS_NO_MEMORY;
484 unixid_string = talloc_asprintf(tmp_ctx, "%u", new_xid);
485 if (unixid_string == NULL) {
486 status = NT_STATUS_NO_MEMORY;
490 if (hwm_entry_exists) {
491 struct ldb_message_element *els;
492 struct ldb_val *vals;
494 /* We're modifying the entry, not just adding a new one. */
495 els = talloc_array(tmp_ctx, struct ldb_message_element, 2);
497 status = NT_STATUS_NO_MEMORY;
501 vals = talloc_array(tmp_ctx, struct ldb_val, 2);
503 status = NT_STATUS_NO_MEMORY;
507 hwm_msg->num_elements = 2;
508 hwm_msg->elements = els;
510 els[0].num_values = 1;
511 els[0].values = &vals[0];
512 els[0].flags = LDB_FLAG_MOD_DELETE;
513 els[0].name = talloc_strdup(tmp_ctx, "xidNumber");
514 if (els[0].name == NULL) {
515 status = NT_STATUS_NO_MEMORY;
519 els[1].num_values = 1;
520 els[1].values = &vals[1];
521 els[1].flags = LDB_FLAG_MOD_ADD;
522 els[1].name = els[0].name;
524 vals[0].data = (uint8_t *)unixid_string;
525 vals[0].length = strlen(unixid_string);
526 vals[1].data = (uint8_t *)hwm_string;
527 vals[1].length = strlen(hwm_string);
529 ret = ldb_msg_add_empty(hwm_msg, "xidNumber", LDB_FLAG_MOD_ADD,
531 if (ret != LDB_SUCCESS) {
532 status = NT_STATUS_NONE_MAPPED;
536 ret = ldb_msg_add_string(hwm_msg, "xidNumber", hwm_string);
537 if (ret != LDB_SUCCESS)
539 status = NT_STATUS_NONE_MAPPED;
544 ret = ldb_modify(ldb, hwm_msg);
545 if (ret != LDB_SUCCESS) {
546 DEBUG(1, ("Updating the xid high water mark failed: %s\n",
547 ldb_errstring(ldb)));
548 status = NT_STATUS_NONE_MAPPED;
552 map_msg = ldb_msg_new(tmp_ctx);
553 if (map_msg == NULL) {
554 status = NT_STATUS_NO_MEMORY;
558 map_msg->dn = ldb_dn_new_fmt(tmp_ctx, ldb, "CN=%s", sid_string);
559 if (map_msg->dn == NULL) {
560 status = NT_STATUS_NO_MEMORY;
564 ret = ldb_msg_add_string(map_msg, "xidNumber", unixid_string);
565 if (ret != LDB_SUCCESS) {
566 status = NT_STATUS_NONE_MAPPED;
570 ret = idmap_msg_add_dom_sid(idmap_ctx, tmp_ctx, map_msg, "objectSid",
572 if (ret != LDB_SUCCESS) {
573 status = NT_STATUS_NONE_MAPPED;
577 ret = ldb_msg_add_string(map_msg, "objectClass", "sidMap");
578 if (ret != LDB_SUCCESS) {
579 status = NT_STATUS_NONE_MAPPED;
583 ret = ldb_msg_add_string(map_msg, "type", "ID_TYPE_BOTH");
584 if (ret != LDB_SUCCESS) {
585 status = NT_STATUS_NONE_MAPPED;
589 ret = ldb_msg_add_string(map_msg, "cn", sid_string);
590 if (ret != LDB_SUCCESS) {
591 status = NT_STATUS_NONE_MAPPED;
595 ret = ldb_add(ldb, map_msg);
596 if (ret != LDB_SUCCESS) {
597 DEBUG(1, ("Adding a sidmap failed: %s\n", ldb_errstring(ldb)));
598 status = NT_STATUS_NONE_MAPPED;
602 trans = ldb_transaction_commit(ldb);
603 if (trans != LDB_SUCCESS) {
604 DEBUG(1, ("Transaction failed: %s\n", ldb_errstring(ldb)));
605 status = NT_STATUS_NONE_MAPPED;
609 *unixid = talloc(mem_ctx, struct unixid);
610 if (*unixid == NULL) {
611 status = NT_STATUS_NO_MEMORY;
615 (*unixid)->id = new_xid;
616 (*unixid)->type = ID_TYPE_BOTH;
617 talloc_free(tmp_ctx);
621 if (trans == LDB_SUCCESS) ldb_transaction_cancel(ldb);
622 talloc_free(tmp_ctx);
627 * Convert an array of unixids to the corresponding array of SIDs
629 * \param idmap_ctx idmap context to use
630 * \param mem_ctx talloc context the memory for the dom_sids is allocated
632 * \param count length of id_mapping array.
633 * \param id array of id_mappings.
634 * \return NT_STATUS_OK on success, NT_STATUS_NONE_MAPPED if mapping is not
635 * possible at all, NT_STATUS_SOME_UNMAPPED if some mappings worked and some
639 NTSTATUS idmap_xids_to_sids(struct idmap_context *idmap_ctx,
640 TALLOC_CTX *mem_ctx, int count,
647 for (i = 0; i < count; ++i) {
648 status = idmap_xid_to_sid(idmap_ctx, mem_ctx,
649 id[i].unixid, &id[i].sid);
650 if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
651 status = idmap_xid_to_sid(idmap_ctx, mem_ctx,
655 if (!NT_STATUS_IS_OK(status)) {
656 DEBUG(1, ("idmapping xid_to_sid failed for id[%d]\n", i));
658 id[i].status = ID_UNMAPPED;
660 id[i].status = ID_MAPPED;
664 if (error_count == count) {
665 /* Mapping did not work at all. */
666 return NT_STATUS_NONE_MAPPED;
667 } else if (error_count > 0) {
668 /* Some mappings worked, some did not. */
669 return STATUS_SOME_UNMAPPED;
676 * Convert an array of SIDs to the corresponding array of unixids
678 * \param idmap_ctx idmap context to use
679 * \param mem_ctx talloc context the memory for the unixids is allocated
681 * \param count length of id_mapping array.
682 * \param id array of id_mappings.
683 * \return NT_STATUS_OK on success, NT_STATUS_NONE_MAPPED if mapping is not
684 * possible at all, NT_STATUS_SOME_UNMAPPED if some mappings worked and some
688 NTSTATUS idmap_sids_to_xids(struct idmap_context *idmap_ctx,
689 TALLOC_CTX *mem_ctx, int count,
696 for (i = 0; i < count; ++i) {
697 status = idmap_sid_to_xid(idmap_ctx, mem_ctx,
698 id[i].sid, &id[i].unixid);
699 if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
700 status = idmap_sid_to_xid(idmap_ctx, mem_ctx,
704 if (!NT_STATUS_IS_OK(status)) {
705 DEBUG(1, ("idmapping sid_to_xid failed for id[%d]\n", i));
707 id[i].status = ID_UNMAPPED;
709 id[i].status = ID_MAPPED;
713 if (error_count == count) {
714 /* Mapping did not work at all. */
715 return NT_STATUS_NONE_MAPPED;
716 } else if (error_count > 0) {
717 /* Some mappings worked, some did not. */
718 return STATUS_SOME_UNMAPPED;