Changeset 988 for vendor/current/source4/winbind
- Timestamp:
- Nov 24, 2016, 1:14:11 PM (9 years ago)
- Location:
- vendor/current/source4/winbind
- Files:
-
- 1 added
- 38 deleted
- 6 edited
vendor/current/source4/winbind/idmap.c
r740 r988 5 5 6 6 Copyright (C) Kai Blin 2008 7 Copyright (C) Andrew Bartlett 2012 7 8 8 9 This program is free software; you can redistribute it and/or modify … … 29 30 #include "libcli/security/security.h" 30 31 #include "libcli/ldap/ldap_ndr.h" 32 #include "dsdb/samdb/samdb.h" 33 #include "../libds/common/flags.h" 31 34 32 35 /** … … 165 168 166 169 idmap_ctx->ldb_ctx = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, 167 lpcfg_idmap_url(lp_ctx),170 "idmap.ldb", 168 171 system_session(lp_ctx), 169 172 NULL, 0); … … 179 182 idmap_ctx->unix_users_sid = dom_sid_parse_talloc(mem_ctx, "S-1-22-1"); 180 183 if (idmap_ctx->unix_users_sid == NULL) { 184 return NULL; 185 } 186 187 idmap_ctx->samdb = samdb_connect(idmap_ctx, ev_ctx, lp_ctx, system_session(lp_ctx), 0); 188 if (idmap_ctx->samdb == NULL) { 189 DEBUG(0, ("Failed to load sam.ldb in idmap_init\n")); 181 190 return NULL; 182 191 } … … 200 209 static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx, 201 210 TALLOC_CTX *mem_ctx, 202 conststruct unixid *unixid,211 struct unixid *unixid, 203 212 struct dom_sid **sid) 204 213 { … … 207 216 struct ldb_context *ldb = idmap_ctx->ldb_ctx; 208 217 struct ldb_result *res = NULL; 218 struct ldb_message *msg; 209 219 struct dom_sid *unix_sid, *new_sid; 210 220 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); 211 221 const char *id_type; 212 222 223 const char *sam_attrs[] = {"objectSid", NULL}; 224 225 /* 226 * First check against our local DB, to see if this user has a 227 * mapping there. 
This means that the Samba4 AD DC behaves 228 * much like a winbindd member server running idmap_ad 229 */ 230 213 231 switch (unixid->type) { 214 232 case ID_TYPE_UID: 233 if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) { 234 ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg, 235 ldb_get_default_basedn(idmap_ctx->samdb), 236 LDB_SCOPE_SUBTREE, 237 sam_attrs, 0, 238 "(&(|(sAMaccountType=%u)(sAMaccountType=%u)(sAMaccountType=%u))" 239 "(uidNumber=%u)(objectSid=*))", 240 ATYPE_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST, unixid->id); 241 } else { 242 /* If we are not to use the rfc2307 attributes, we just emulate a non-match */ 243 ret = LDB_ERR_NO_SUCH_OBJECT; 244 } 245 246 if (ret == LDB_ERR_CONSTRAINT_VIOLATION) { 247 DEBUG(1, ("Search for uidNumber=%lu gave duplicate results, failing to map to a SID!\n", 248 (unsigned long)unixid->id)); 249 status = NT_STATUS_NONE_MAPPED; 250 goto failed; 251 } else if (ret == LDB_SUCCESS) { 252 *sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid"); 253 if (*sid == NULL) { 254 DEBUG(1, ("Search for uidNumber=%lu did not return an objectSid!\n", 255 (unsigned long)unixid->id)); 256 status = NT_STATUS_NONE_MAPPED; 257 goto failed; 258 } 259 talloc_free(tmp_ctx); 260 return NT_STATUS_OK; 261 } else if (ret != LDB_ERR_NO_SUCH_OBJECT) { 262 DEBUG(1, ("Search for uidNumber=%lu gave '%s', failing to map to a SID!\n", 263 (unsigned long)unixid->id, ldb_errstring(idmap_ctx->samdb))); 264 status = NT_STATUS_NONE_MAPPED; 265 goto failed; 266 } 267 215 268 id_type = "ID_TYPE_UID"; 216 269 break; 217 270 case ID_TYPE_GID: 271 if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) { 272 ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg, 273 ldb_get_default_basedn(idmap_ctx->samdb), 274 LDB_SCOPE_SUBTREE, 275 sam_attrs, 0, 276 "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u))", 277 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP, 278 unixid->id); 
279 } else { 280 /* If we are not to use the rfc2307 attributes, we just emulate a non-match */ 281 ret = LDB_ERR_NO_SUCH_OBJECT; 282 } 283 if (ret == LDB_ERR_CONSTRAINT_VIOLATION) { 284 DEBUG(1, ("Search for gidNumber=%lu gave duplicate results, failing to map to a SID!\n", 285 (unsigned long)unixid->id)); 286 status = NT_STATUS_NONE_MAPPED; 287 goto failed; 288 } else if (ret == LDB_SUCCESS) { 289 *sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid"); 290 if (*sid == NULL) { 291 DEBUG(1, ("Search for gidNumber=%lu did not return an objectSid!\n", 292 (unsigned long)unixid->id)); 293 status = NT_STATUS_NONE_MAPPED; 294 goto failed; 295 } 296 talloc_free(tmp_ctx); 297 return NT_STATUS_OK; 298 } else if (ret != LDB_ERR_NO_SUCH_OBJECT) { 299 DEBUG(1, ("Search for gidNumber=%lu gave '%s', failing to map to a SID!\n", 300 (unsigned long)unixid->id, ldb_errstring(idmap_ctx->samdb))); 301 status = NT_STATUS_NONE_MAPPED; 302 goto failed; 303 } 304 218 305 id_type = "ID_TYPE_GID"; 219 306 break; … … 235 322 236 323 if (res->count == 1) { 324 const char *type = ldb_msg_find_attr_as_string(res->msgs[0], 325 "type", NULL); 326 237 327 *sid = idmap_msg_get_dom_sid(mem_ctx, res->msgs[0], 238 328 "objectSid"); … … 242 332 goto failed; 243 333 } 334 335 if (type == NULL) { 336 DEBUG(1, ("Invalid type for mapping entry.\n")); 337 talloc_free(tmp_ctx); 338 return NT_STATUS_NONE_MAPPED; 339 } 340 341 if (strcmp(type, "ID_TYPE_BOTH") == 0) { 342 unixid->type = ID_TYPE_BOTH; 343 } else if (strcmp(type, "ID_TYPE_UID") == 0) { 344 unixid->type = ID_TYPE_UID; 345 } else { 346 unixid->type = ID_TYPE_GID; 347 } 348 244 349 talloc_free(tmp_ctx); 245 350 return NT_STATUS_OK; … … 279 384 * 280 385 * If no mapping exists, a new mapping will be created. 
281 *282 * \todo Check if SIDs can be resolved if lpcfg_idmap_trusted_only() == true283 * \todo Fix backwards compatibility for Samba3284 386 * 285 387 * \param idmap_ctx idmap context to use … … 300 402 struct ldb_context *ldb = idmap_ctx->ldb_ctx; 301 403 struct ldb_dn *dn; 302 struct ldb_message *hwm_msg, *map_msg ;404 struct ldb_message *hwm_msg, *map_msg, *sam_msg; 303 405 struct ldb_result *res = NULL; 304 int trans ;406 int trans = -1; 305 407 uint32_t low, high, hwm, new_xid; 306 408 char *sid_string, *unixid_string, *hwm_string; 307 409 bool hwm_entry_exists; 308 410 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); 411 const char *sam_attrs[] = {"uidNumber", "gidNumber", "samAccountType", NULL}; 309 412 310 413 if (dom_sid_in_domain(idmap_ctx->unix_users_sid, sid)) { … … 338 441 talloc_free(tmp_ctx); 339 442 return NT_STATUS_OK; 340 } 443 } 444 445 /* 446 * First check against our local DB, to see if this user has a 447 * mapping there. This means that the Samba4 AD DC behaves 448 * much like a winbindd member server running idmap_ad 449 */ 450 451 if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) { 452 ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &sam_msg, 453 ldb_get_default_basedn(idmap_ctx->samdb), 454 LDB_SCOPE_SUBTREE, sam_attrs, 0, 455 "(&(objectSid=%s)" 456 "(|(sAMaccountType=%u)(sAMaccountType=%u)(sAMaccountType=%u)" 457 "(sAMaccountType=%u)(sAMaccountType=%u))" 458 "(|(uidNumber=*)(gidNumber=*)))", 459 dom_sid_string(tmp_ctx, sid), 460 ATYPE_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST, 461 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP); 462 } else { 463 /* If we are not to use the rfc2307 attributes, we just emulate a non-match */ 464 ret = LDB_ERR_NO_SUCH_OBJECT; 465 } 466 467 if (ret == LDB_ERR_CONSTRAINT_VIOLATION) { 468 DEBUG(1, ("Search for objectSid=%s gave duplicate results, failing to map to a unix ID!\n", 469 dom_sid_string(tmp_ctx, sid))); 470 status = NT_STATUS_NONE_MAPPED; 471 goto 
failed; 472 } else if (ret == LDB_SUCCESS) { 473 uint32_t account_type = ldb_msg_find_attr_as_uint(sam_msg, "sAMaccountType", 0); 474 if ((account_type == ATYPE_ACCOUNT) || 475 (account_type == ATYPE_WORKSTATION_TRUST ) || 476 (account_type == ATYPE_INTERDOMAIN_TRUST )) 477 { 478 const struct ldb_val *v = ldb_msg_find_ldb_val(sam_msg, "uidNumber"); 479 if (v) { 480 unixid->type = ID_TYPE_UID; 481 unixid->id = ldb_msg_find_attr_as_uint(sam_msg, "uidNumber", -1); 482 talloc_free(tmp_ctx); 483 return NT_STATUS_OK; 484 } 485 486 } else if ((account_type == ATYPE_SECURITY_GLOBAL_GROUP) || 487 (account_type == ATYPE_SECURITY_LOCAL_GROUP)) 488 { 489 const struct ldb_val *v = ldb_msg_find_ldb_val(sam_msg, "gidNumber"); 490 if (v) { 491 unixid->type = ID_TYPE_GID; 492 unixid->id = ldb_msg_find_attr_as_uint(sam_msg, "gidNumber", -1); 493 talloc_free(tmp_ctx); 494 return NT_STATUS_OK; 495 } 496 } 497 } else if (ret != LDB_ERR_NO_SUCH_OBJECT) { 498 DEBUG(1, ("Search for objectSid=%s gave '%s', failing to map to a SID!\n", 499 dom_sid_string(tmp_ctx, sid), ldb_errstring(idmap_ctx->samdb))); 500 501 status = NT_STATUS_NONE_MAPPED; 502 goto failed; 503 } 341 504 342 505 ret = ldb_search(ldb, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE, … … 404 567 goto failed; 405 568 } 406 407 /*FIXME: if lpcfg_idmap_trusted_only() == true, check if SID can be408 * resolved here. */409 569 410 570 ret = idmap_get_bounds(idmap_ctx, &low, &high); -
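Review bot: In the new rfc2307 branch of idmap_sid_to_xid, `unixid->id = ldb_msg_find_attr_as_uint(sam_msg, "uidNumber", -1);` (and the gidNumber twin) returns NT_STATUS_OK without ever checking for the -1 default, so an attribute that is present but not parseable as a number would map the SID to id 0xFFFFFFFF instead of failing. The presence check on `v` only proves the attribute exists, not that it parsed. Add after each assignment `if (unixid->id == (uint32_t)-1) { status = NT_STATUS_NONE_MAPPED; goto failed; }`, or use a default that cannot collide and test for it. Whether ldb_msg_find_attr_as_uint falls back to the default on a non-numeric value is not visible here and is inferred from the sentinel choice; idmap_sid_to_xid continues outside the hunk.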
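--- a/vendor/current/source4/winbind/idmap.h
+++ b/vendor/current/source4/winbind/idmap.h
@@ -30,4 +30,5 @@
 struct dom_sid *unix_groups_sid;
 struct dom_sid *unix_users_sid;
+struct ldb_context *samdb;
 };
 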
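Review bot: The new `samdb` member is undocumented; in idmap.c of this changeset it is filled by samdb_connect() with idmap_ctx as the talloc parent and, as far as the hunk shows, consulted only for the "use rfc2307" lookups, so a one-line comment would help readers: `struct ldb_context *samdb; /* sam.ldb handle for rfc2307 uidNumber/gidNumber lookups; talloc child of this context */`. The surrounding struct members carry no comments either, so keep it to that one line.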
vendor/current/source4/winbind/wb_async_helpers.c
r860 r988 30 30 #include "librpc/gen_ndr/ndr_samr_c.h" 31 31 32 #include "winbind/wb_helper.h" 33 32 34 33 35 struct lsa_lookupsids_state { … … 45 47 46 48 struct composite_context *wb_lsa_lookupsids_send(TALLOC_CTX *mem_ctx, 47 struct dcerpc_pipe *lsa_pipe, 49 struct tevent_context *ev, 50 struct dcerpc_binding_handle *lsa_binding, 48 51 struct policy_handle *handle, 49 52 uint32_t num_sids, … … 55 58 struct tevent_req *subreq; 56 59 57 result = composite_create(mem_ctx, lsa_pipe->conn->event_ctx);60 result = composite_create(mem_ctx, ev); 58 61 if (result == NULL) goto failed; 59 62 … … 90 93 state->r.out.domains = &state->domains; 91 94 92 subreq = dcerpc_lsa_LookupSids_r_send(state, 93 result->event_ctx, 94 lsa_pipe->binding_handle, 95 subreq = dcerpc_lsa_LookupSids_r_send(state, ev, 96 lsa_binding, 95 97 &state->r); 96 98 if (subreq == NULL) goto failed; … … 208 210 209 211 struct composite_context *wb_lsa_lookupnames_send(TALLOC_CTX *mem_ctx, 210 struct dcerpc_pipe *lsa_pipe, 212 struct tevent_context *ev, 213 struct dcerpc_binding_handle *lsa_binding, 211 214 struct policy_handle *handle, 212 215 uint32_t num_names, … … 220 223 uint32_t i; 221 224 222 result = composite_create(mem_ctx, lsa_pipe->conn->event_ctx);225 result = composite_create(mem_ctx, ev); 223 226 if (result == NULL) goto failed; 224 227 … … 253 256 state->r.out.domains = &state->domains; 254 257 255 subreq = dcerpc_lsa_LookupNames_r_send(state, 256 result->event_ctx, 257 lsa_pipe->binding_handle, 258 subreq = dcerpc_lsa_LookupNames_r_send(state, ev, 259 lsa_binding, 258 260 &state->r); 259 261 if (subreq == NULL) goto failed; … … 344 346 struct samr_getuserdomgroups_state { 345 347 struct composite_context *ctx; 346 struct dcerpc_ pipe *samr_pipe;348 struct dcerpc_binding_handle *samr_binding; 347 349 348 350 uint32_t num_rids; … … 362 364 363 365 struct composite_context *wb_samr_userdomgroups_send(TALLOC_CTX *mem_ctx, 364 struct dcerpc_pipe *samr_pipe, 366 struct tevent_context *ev, 367 
struct dcerpc_binding_handle *samr_binding, 365 368 struct policy_handle *domain_handle, 366 369 uint32_t rid) … … 370 373 struct tevent_req *subreq; 371 374 372 result = composite_create(mem_ctx, samr_pipe->conn->event_ctx);375 result = composite_create(mem_ctx, ev); 373 376 if (result == NULL) goto failed; 374 377 … … 378 381 state->ctx = result; 379 382 380 state->samr_ pipe = samr_pipe;383 state->samr_binding = samr_binding; 381 384 382 385 state->user_handle = talloc(state, struct policy_handle); … … 389 392 390 393 subreq = dcerpc_samr_OpenUser_r_send(state, 391 result->event_ctx,392 state->samr_ pipe->binding_handle,394 state->ctx->event_ctx, 395 state->samr_binding, 393 396 &state->o); 394 397 if (subreq == NULL) goto failed; … … 419 422 subreq = dcerpc_samr_GetGroupsForUser_r_send(state, 420 423 state->ctx->event_ctx, 421 state->samr_ pipe->binding_handle,424 state->samr_binding, 422 425 &state->g); 423 426 if (composite_nomem(subreq, state->ctx)) return; … … 442 445 subreq = dcerpc_samr_Close_r_send(state, 443 446 state->ctx->event_ctx, 444 state->samr_ pipe->binding_handle,447 state->samr_binding, 445 448 &state->c); 446 449 if (composite_nomem(subreq, state->ctx)) return; -
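Review bot: In wb_samr_userdomgroups_send the changed OpenUser send passes `state->ctx->event_ctx` while the two lsa senders in this file now pass `ev` straight to dcerpc_*_r_send; both name the context handed to composite_create(mem_ctx, ev), so for consistency within the sender write `subreq = dcerpc_samr_OpenUser_r_send(state, ev, state->samr_binding, &state->o);`. The later GetGroupsForUser and Close sends run in callbacks where `ev` is not in scope, so `state->ctx->event_ctx` is the right form there. None of the three senders check `ev` or the binding handle for NULL before composite_create, which matches the pre-change behaviour with the pipe, so it is only worth a comment if callers may pass NULL; the enclosing functions extend beyond the visible hunks.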
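--- a/vendor/current/source4/winbind/wb_async_helpers.h
+++ b/vendor/current/source4/winbind/wb_async_helpers.h
@@ -23,4 +23,7 @@
 #define __WB_ASYNC_HELPERS_H__
 
+struct dcerpc_pipe;
+struct dcerpc_binding_handle;
+
 #include "librpc/gen_ndr/lsa.h"
 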
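Review bot: The added forward declarations cover `struct dcerpc_pipe` and `struct dcerpc_binding_handle`, but the wb_async_helpers.c changes in this changeset also add a `struct tevent_context *ev` parameter to wb_lsa_lookupsids_send, wb_lsa_lookupnames_send and wb_samr_userdomgroups_send; if their prototypes in this header are updated the same way (they are outside the hunk), `struct tevent_context;` should be forward-declared here too unless one of the includes already provides it. `struct dcerpc_pipe;` is declared even though those three senders no longer take a pipe, so keep it only if another prototype in this header still uses it.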
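--- a/vendor/current/source4/winbind/wb_utils.c
+++ b/vendor/current/source4/winbind/wb_utils.c
@@ -22,4 +22,7 @@
 #include "includes.h"
 #include "param/param.h"
+#include "libcli/security/dom_sid.h"
+#include "winbind/wb_async_helpers.h"
+#include "winbind/wb_helper.h"
 
 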
vendor/current/source4/winbind/wscript_build
r740 r988 2 2 3 3 4 bld.SAMBA_MODULE('service_winbind', 5 source='wb_server.c wb_irpc.c wb_samba3_protocol.c wb_samba3_cmd.c wb_init_domain.c wb_dom_info.c wb_dom_info_trusted.c wb_sid2domain.c wb_name2domain.c wb_sids2xids.c wb_xids2sids.c wb_gid2sid.c wb_sid2uid.c wb_sid2gid.c wb_uid2sid.c wb_connect_lsa.c wb_connect_sam.c wb_cmd_lookupname.c wb_cmd_lookupsid.c wb_cmd_getdcname.c wb_cmd_getgrnam.c wb_cmd_getgrgid.c wb_cmd_getpwnam.c wb_cmd_getpwuid.c wb_cmd_userdomgroups.c wb_cmd_usersids.c wb_cmd_list_groups.c wb_cmd_list_trustdom.c wb_cmd_list_users.c wb_cmd_setpwent.c wb_cmd_getpwent.c wb_cmd_getgrent.c wb_cmd_setgrent.c wb_cmd_getgroups.c wb_pam_auth.c wb_sam_logon.c wb_update_rodc_dns.c', 6 autoproto='wb_proto.h', 4 bld.SAMBA_MODULE('service_winbindd', 5 source='winbindd.c', 7 6 subsystem='service', 8 init_function='server_service_winbind _init',9 deps=' WB_HELPER IDMAP NDR_WINBIND process_model RPC_NDR_LSA dcerpc-samr PAM_ERRORS cli-ldap samba-net LIBSAMBA_TSOCKET',7 init_function='server_service_winbindd_init', 8 deps='process_model UTIL_RUNCMD', 10 9 internal_module=False, 11 10 ) … … 25 24 ) 26 25 27 bld.SAMBA_BINARY('wbinfo',28 source='../../nsswitch/wbinfo.c',29 deps='samba-util LIBCLI_AUTH popt POPT_SAMBA winbind-client wbclient tevent UTIL_TEVENT LIBASYNC_REQ security ndr NDR_SECURITY'30 )