2 Unix SMB/CIFS implementation.
4 mapping routines for SID <-> unix uid/gid
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "system/passwd.h"
24 #include "dsdb/common/flags.h"
25 #include "dsdb/samdb/samdb.h"
26 #include "auth/auth.h"
27 #include "libcli/ldap/ldap_ndr.h"
28 #include "lib/ldb/include/ldb.h"
29 #include "util/util_ldb.h"
30 #include "libcli/security/security.h"
31 #include "param/param.h"
34 these are used for the fallback local uid/gid to sid mapping
37 #define SIDMAP_LOCAL_USER_BASE 0x80000000
38 #define SIDMAP_LOCAL_GROUP_BASE 0xC0000000
39 #define SIDMAP_MAX_LOCAL_UID 0x3fffffff
40 #define SIDMAP_MAX_LOCAL_GID 0x3fffffff
43 private context for sid mapping routines
45 struct sidmap_context {
46 struct ldb_context *samctx;
50 open a sidmap context - use talloc_free to close
52 struct sidmap_context *sidmap_open(TALLOC_CTX *mem_ctx, struct event_context *ev_ctx,
53 struct loadparm_context *lp_ctx)
55 struct sidmap_context *sidmap;
56 sidmap = talloc(mem_ctx, struct sidmap_context);
60 sidmap->samctx = samdb_connect(sidmap, ev_ctx, lp_ctx, system_session(sidmap, lp_ctx));
61 if (sidmap->samctx == NULL) {
71 check the sAMAccountType field of a search result to see if
72 the account is a user account
74 static bool is_user_account(struct ldb_message *res)
76 uint_t atype = samdb_result_uint(res, "sAMAccountType", 0);
77 if (atype && (!(atype & ATYPE_ACCOUNT))) {
84 check the sAMAccountType field of a search result to see if
85 the account is a group account
87 static bool is_group_account(struct ldb_message *res)
89 uint_t atype = samdb_result_uint(res, "sAMAccountType", 0);
90 if (atype && atype == ATYPE_NORMAL_ACCOUNT) {
99 return the dom_sid of our primary domain
101 static NTSTATUS sidmap_primary_domain_sid(struct sidmap_context *sidmap,
102 TALLOC_CTX *mem_ctx, struct dom_sid **sid)
104 const char *attrs[] = { "objectSid", NULL };
106 struct ldb_message **res = NULL;
108 ret = gendb_search_dn(sidmap->samctx, mem_ctx, NULL, &res, attrs);
111 return NT_STATUS_NO_SUCH_DOMAIN;
114 *sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid");
117 return NT_STATUS_NO_MEMORY;
125 map a sid to a unix uid
127 NTSTATUS sidmap_sid_to_unixuid(struct sidmap_context *sidmap,
128 const struct dom_sid *sid, uid_t *uid)
130 const char *attrs[] = { "sAMAccountName", "uidNumber",
131 "sAMAccountType", "unixName", NULL };
135 struct ldb_message **res;
136 struct dom_sid *domain_sid;
139 tmp_ctx = talloc_new(sidmap);
141 ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
143 ldap_encode_ndr_dom_sid(tmp_ctx, sid));
149 /* make sure its a user, not a group */
150 if (!is_user_account(res[0])) {
151 DEBUG(0,("sid_to_unixuid: sid %s is not an account!\n",
152 dom_sid_string(tmp_ctx, sid)));
153 talloc_free(tmp_ctx);
154 return NT_STATUS_INVALID_SID;
157 /* first try to get the uid directly */
158 s = samdb_result_string(res[0], "uidNumber", NULL);
160 *uid = strtoul(s, NULL, 0);
161 talloc_free(tmp_ctx);
165 /* next try via the UnixName attribute */
166 s = samdb_result_string(res[0], "unixName", NULL);
168 struct passwd *pwd = getpwnam(s);
170 DEBUG(0,("unixName %s for sid %s does not exist as a local user\n", s,
171 dom_sid_string(tmp_ctx, sid)));
172 talloc_free(tmp_ctx);
173 return NT_STATUS_NO_SUCH_USER;
176 talloc_free(tmp_ctx);
180 /* finally try via the sAMAccountName attribute */
181 s = samdb_result_string(res[0], "sAMAccountName", NULL);
183 struct passwd *pwd = getpwnam(s);
185 DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local user\n",
186 s, dom_sid_string(tmp_ctx, sid)));
187 talloc_free(tmp_ctx);
188 return NT_STATUS_NO_SUCH_USER;
191 talloc_free(tmp_ctx);
197 status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid);
198 if (!NT_STATUS_IS_OK(status)) {
199 talloc_free(tmp_ctx);
200 return NT_STATUS_NO_SUCH_DOMAIN;
203 if (dom_sid_in_domain(domain_sid, sid)) {
204 uint32_t rid = sid->sub_auths[sid->num_auths-1];
205 if (rid >= SIDMAP_LOCAL_USER_BASE &&
206 rid < SIDMAP_LOCAL_GROUP_BASE) {
207 *uid = rid - SIDMAP_LOCAL_USER_BASE;
208 talloc_free(tmp_ctx);
214 DEBUG(0,("sid_to_unixuid: no uidNumber, unixName or sAMAccountName for sid %s\n",
215 dom_sid_string(tmp_ctx, sid)));
217 talloc_free(tmp_ctx);
218 return NT_STATUS_NONE_MAPPED;
223 see if a sid is a group - very inefficient!
225 bool sidmap_sid_is_group(struct sidmap_context *sidmap, struct dom_sid *sid)
227 const char *attrs[] = { "sAMAccountType", NULL };
230 struct ldb_message **res;
232 struct dom_sid *domain_sid;
235 tmp_ctx = talloc_new(sidmap);
237 ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
238 "objectSid=%s", ldap_encode_ndr_dom_sid(tmp_ctx, sid));
240 is_group = is_group_account(res[0]);
241 talloc_free(tmp_ctx);
245 status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid);
246 if (!NT_STATUS_IS_OK(status)) {
247 talloc_free(tmp_ctx);
251 if (dom_sid_in_domain(domain_sid, sid)) {
252 uint32_t rid = sid->sub_auths[sid->num_auths-1];
253 if (rid >= SIDMAP_LOCAL_GROUP_BASE) {
254 talloc_free(tmp_ctx);
259 talloc_free(tmp_ctx);
264 map a sid to a unix gid
266 NTSTATUS sidmap_sid_to_unixgid(struct sidmap_context *sidmap,
267 const struct dom_sid *sid, gid_t *gid)
269 const char *attrs[] = { "sAMAccountName", "gidNumber",
270 "unixName", "sAMAccountType", NULL };
274 struct ldb_message **res;
276 struct dom_sid *domain_sid;
278 tmp_ctx = talloc_new(sidmap);
280 ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
281 "objectSid=%s", ldap_encode_ndr_dom_sid(tmp_ctx, sid));
286 /* make sure its not a user */
287 if (!is_group_account(res[0])) {
288 DEBUG(0,("sid_to_unixgid: sid %s is a ATYPE_NORMAL_ACCOUNT\n",
289 dom_sid_string(tmp_ctx, sid)));
290 talloc_free(tmp_ctx);
291 return NT_STATUS_INVALID_SID;
294 /* first try to get the gid directly */
295 s = samdb_result_string(res[0], "gidNumber", NULL);
297 *gid = strtoul(s, NULL, 0);
298 talloc_free(tmp_ctx);
302 /* next try via the UnixName attribute */
303 s = samdb_result_string(res[0], "unixName", NULL);
305 struct group *grp = getgrnam(s);
307 DEBUG(0,("unixName '%s' for sid %s does not exist as a local group\n",
308 s, dom_sid_string(tmp_ctx, sid)));
309 talloc_free(tmp_ctx);
310 return NT_STATUS_NO_SUCH_GROUP;
313 talloc_free(tmp_ctx);
317 /* finally try via the sAMAccountName attribute */
318 s = samdb_result_string(res[0], "sAMAccountName", NULL);
320 struct group *grp = getgrnam(s);
322 DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local group\n", s, dom_sid_string(tmp_ctx, sid)));
323 talloc_free(tmp_ctx);
324 return NT_STATUS_NO_SUCH_GROUP;
327 talloc_free(tmp_ctx);
332 status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid);
333 if (!NT_STATUS_IS_OK(status)) {
334 talloc_free(tmp_ctx);
335 return NT_STATUS_NO_SUCH_DOMAIN;
338 if (dom_sid_in_domain(domain_sid, sid)) {
339 uint32_t rid = sid->sub_auths[sid->num_auths-1];
340 if (rid >= SIDMAP_LOCAL_GROUP_BASE) {
341 *gid = rid - SIDMAP_LOCAL_GROUP_BASE;
342 talloc_free(tmp_ctx);
347 DEBUG(0,("sid_to_unixgid: no gidNumber, unixName or sAMAccountName for sid %s\n",
348 dom_sid_string(tmp_ctx, sid)));
350 talloc_free(tmp_ctx);
351 return NT_STATUS_NONE_MAPPED;
356 map a unix uid to a dom_sid
357 the returned sid is allocated in the supplied mem_ctx
359 NTSTATUS sidmap_uid_to_sid(struct sidmap_context *sidmap,
361 const uid_t uid, struct dom_sid **sid)
363 const char *attrs[] = { "sAMAccountName", "objectSid", "sAMAccountType", NULL };
366 struct ldb_message **res;
368 struct dom_sid *domain_sid;
372 we search for the mapping in the following order:
374 - check if the uid is in the dynamic uid range assigned for winbindd
375 use. If it is, then look in winbindd sid mapping
376 database (not implemented yet)
377 - look for a user account in samdb that has uidNumber set to the
379 - look for a user account in samdb that has unixName or
380 sAMAccountName set to the name given by getpwuid()
381 - assign a SID by adding the uid to SIDMAP_LOCAL_USER_BASE in the local
386 tmp_ctx = talloc_new(mem_ctx);
390 step 2: look for a user account in samdb that has uidNumber set to the
394 ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
395 "uidNumber=%u", (unsigned int)uid);
396 for (i=0;i<ret;i++) {
397 if (!is_user_account(res[i])) continue;
399 *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
400 talloc_free(tmp_ctx);
401 NT_STATUS_HAVE_NO_MEMORY(*sid);
406 step 3: look for a user account in samdb that has unixName
407 or sAMAccountName set to the name given by getpwuid()
414 ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
415 "(|(unixName=%s)(sAMAccountName=%s))",
416 pwd->pw_name, pwd->pw_name);
417 for (i=0;i<ret;i++) {
418 if (!is_user_account(res[i])) continue;
420 *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
421 talloc_free(tmp_ctx);
422 NT_STATUS_HAVE_NO_MEMORY(*sid);
428 step 4: assign a SID by adding the uid to
429 SIDMAP_LOCAL_USER_BASE in the local domain
432 if (uid > SIDMAP_MAX_LOCAL_UID) {
433 return NT_STATUS_NONE_MAPPED;
436 status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid);
437 if (!NT_STATUS_IS_OK(status)) {
438 talloc_free(tmp_ctx);
442 *sid = dom_sid_add_rid(mem_ctx, domain_sid, SIDMAP_LOCAL_USER_BASE + uid);
443 talloc_free(tmp_ctx);
446 return NT_STATUS_NO_MEMORY;
454 map a unix gid to a dom_sid
455 the returned sid is allocated in the supplied mem_ctx
457 NTSTATUS sidmap_gid_to_sid(struct sidmap_context *sidmap,
459 const gid_t gid, struct dom_sid **sid)
461 const char *attrs[] = { "sAMAccountName", "objectSid", "sAMAccountType", NULL };
464 struct ldb_message **res;
466 struct dom_sid *domain_sid;
470 we search for the mapping in the following order:
472 - check if the gid is in the dynamic gid range assigned for winbindd
473 use. If it is, then look in winbindd sid mapping
474 database (not implemented yet)
475 - look for a group account in samdb that has gidNumber set to the
477 - look for a group account in samdb that has unixName or
478 sAMAccountName set to the name given by getgrgid()
479 - assign a SID by adding the gid to SIDMAP_LOCAL_GROUP_BASE in the local
484 tmp_ctx = talloc_new(sidmap);
488 step 2: look for a group account in samdb that has gidNumber set to the
492 ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
493 "gidNumber=%u", (unsigned int)gid);
494 for (i=0;i<ret;i++) {
495 if (!is_group_account(res[i])) continue;
497 *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
498 talloc_free(tmp_ctx);
499 NT_STATUS_HAVE_NO_MEMORY(*sid);
504 step 3: look for a group account in samdb that has unixName
505 or sAMAccountName set to the name given by getgrgid()
512 ret = gendb_search(sidmap->samctx, tmp_ctx, NULL, &res, attrs,
513 "(|(unixName=%s)(sAMAccountName=%s))",
514 grp->gr_name, grp->gr_name);
515 for (i=0;i<ret;i++) {
516 if (!is_group_account(res[i])) continue;
518 *sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
519 talloc_free(tmp_ctx);
520 NT_STATUS_HAVE_NO_MEMORY(*sid);
526 step 4: assign a SID by adding the gid to
527 SIDMAP_LOCAL_GROUP_BASE in the local domain
530 if (gid > SIDMAP_MAX_LOCAL_GID) {
531 return NT_STATUS_NONE_MAPPED;
534 status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid);
535 if (!NT_STATUS_IS_OK(status)) {
536 talloc_free(tmp_ctx);
540 *sid = dom_sid_add_rid(mem_ctx, domain_sid, SIDMAP_LOCAL_GROUP_BASE + gid);
541 talloc_free(tmp_ctx);
544 return NT_STATUS_NO_MEMORY;
551 check if a sid is in the range of auto-allocated SIDs from our primary domain,
552 and if it is, then return the name and atype
554 NTSTATUS sidmap_allocated_sid_lookup(struct sidmap_context *sidmap,
556 const struct dom_sid *sid,
558 enum lsa_SidType *rtype)
561 struct dom_sid *domain_sid;
562 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
565 status = sidmap_primary_domain_sid(sidmap, tmp_ctx, &domain_sid);
566 if (!NT_STATUS_IS_OK(status)) {
567 return NT_STATUS_NO_SUCH_DOMAIN;
570 if (!dom_sid_in_domain(domain_sid, sid)) {
571 talloc_free(tmp_ctx);
572 return NT_STATUS_NONE_MAPPED;
575 talloc_free(tmp_ctx);
577 rid = sid->sub_auths[sid->num_auths-1];
578 if (rid < SIDMAP_LOCAL_USER_BASE) {
579 return NT_STATUS_NONE_MAPPED;
582 if (rid < SIDMAP_LOCAL_GROUP_BASE) {
584 uid_t uid = rid - SIDMAP_LOCAL_USER_BASE;
585 atype = ATYPE_NORMAL_ACCOUNT;
586 *rtype = samdb_atype_map(atype);
590 *name = talloc_asprintf(mem_ctx, "uid%u", uid);
592 *name = talloc_strdup(mem_ctx, pwd->pw_name);
596 gid_t gid = rid - SIDMAP_LOCAL_GROUP_BASE;
597 atype = ATYPE_LOCAL_GROUP;
598 *rtype = samdb_atype_map(atype);
601 *name = talloc_asprintf(mem_ctx, "gid%u", gid);
603 *name = talloc_strdup(mem_ctx, grp->gr_name);
608 return NT_STATUS_NO_MEMORY;