Changeset 988 for vendor/current/source4/winbind/idmap.c
- Timestamp:
- Nov 24, 2016, 1:14:11 PM (9 years ago)
- File:
-
- 1 edited
vendor/current/source4/winbind/idmap.c
r740 r988 5 5 6 6 Copyright (C) Kai Blin 2008 7 Copyright (C) Andrew Bartlett 2012 7 8 8 9 This program is free software; you can redistribute it and/or modify … … 29 30 #include "libcli/security/security.h" 30 31 #include "libcli/ldap/ldap_ndr.h" 32 #include "dsdb/samdb/samdb.h" 33 #include "../libds/common/flags.h" 31 34 32 35 /** … … 165 168 166 169 idmap_ctx->ldb_ctx = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, 167 lpcfg_idmap_url(lp_ctx),170 "idmap.ldb", 168 171 system_session(lp_ctx), 169 172 NULL, 0); … … 179 182 idmap_ctx->unix_users_sid = dom_sid_parse_talloc(mem_ctx, "S-1-22-1"); 180 183 if (idmap_ctx->unix_users_sid == NULL) { 184 return NULL; 185 } 186 187 idmap_ctx->samdb = samdb_connect(idmap_ctx, ev_ctx, lp_ctx, system_session(lp_ctx), 0); 188 if (idmap_ctx->samdb == NULL) { 189 DEBUG(0, ("Failed to load sam.ldb in idmap_init\n")); 181 190 return NULL; 182 191 } … … 200 209 static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx, 201 210 TALLOC_CTX *mem_ctx, 202 conststruct unixid *unixid,211 struct unixid *unixid, 203 212 struct dom_sid **sid) 204 213 { … … 207 216 struct ldb_context *ldb = idmap_ctx->ldb_ctx; 208 217 struct ldb_result *res = NULL; 218 struct ldb_message *msg; 209 219 struct dom_sid *unix_sid, *new_sid; 210 220 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); 211 221 const char *id_type; 212 222 223 const char *sam_attrs[] = {"objectSid", NULL}; 224 225 /* 226 * First check against our local DB, to see if this user has a 227 * mapping there. 
This means that the Samba4 AD DC behaves 228 * much like a winbindd member server running idmap_ad 229 */ 230 213 231 switch (unixid->type) { 214 232 case ID_TYPE_UID: 233 if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) { 234 ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg, 235 ldb_get_default_basedn(idmap_ctx->samdb), 236 LDB_SCOPE_SUBTREE, 237 sam_attrs, 0, 238 "(&(|(sAMaccountType=%u)(sAMaccountType=%u)(sAMaccountType=%u))" 239 "(uidNumber=%u)(objectSid=*))", 240 ATYPE_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST, unixid->id); 241 } else { 242 /* If we are not to use the rfc2307 attributes, we just emulate a non-match */ 243 ret = LDB_ERR_NO_SUCH_OBJECT; 244 } 245 246 if (ret == LDB_ERR_CONSTRAINT_VIOLATION) { 247 DEBUG(1, ("Search for uidNumber=%lu gave duplicate results, failing to map to a SID!\n", 248 (unsigned long)unixid->id)); 249 status = NT_STATUS_NONE_MAPPED; 250 goto failed; 251 } else if (ret == LDB_SUCCESS) { 252 *sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid"); 253 if (*sid == NULL) { 254 DEBUG(1, ("Search for uidNumber=%lu did not return an objectSid!\n", 255 (unsigned long)unixid->id)); 256 status = NT_STATUS_NONE_MAPPED; 257 goto failed; 258 } 259 talloc_free(tmp_ctx); 260 return NT_STATUS_OK; 261 } else if (ret != LDB_ERR_NO_SUCH_OBJECT) { 262 DEBUG(1, ("Search for uidNumber=%lu gave '%s', failing to map to a SID!\n", 263 (unsigned long)unixid->id, ldb_errstring(idmap_ctx->samdb))); 264 status = NT_STATUS_NONE_MAPPED; 265 goto failed; 266 } 267 215 268 id_type = "ID_TYPE_UID"; 216 269 break; 217 270 case ID_TYPE_GID: 271 if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) { 272 ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg, 273 ldb_get_default_basedn(idmap_ctx->samdb), 274 LDB_SCOPE_SUBTREE, 275 sam_attrs, 0, 276 "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u))", 277 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP, 278 unixid->id); 
279 } else { 280 /* If we are not to use the rfc2307 attributes, we just emulate a non-match */ 281 ret = LDB_ERR_NO_SUCH_OBJECT; 282 } 283 if (ret == LDB_ERR_CONSTRAINT_VIOLATION) { 284 DEBUG(1, ("Search for gidNumber=%lu gave duplicate results, failing to map to a SID!\n", 285 (unsigned long)unixid->id)); 286 status = NT_STATUS_NONE_MAPPED; 287 goto failed; 288 } else if (ret == LDB_SUCCESS) { 289 *sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid"); 290 if (*sid == NULL) { 291 DEBUG(1, ("Search for gidNumber=%lu did not return an objectSid!\n", 292 (unsigned long)unixid->id)); 293 status = NT_STATUS_NONE_MAPPED; 294 goto failed; 295 } 296 talloc_free(tmp_ctx); 297 return NT_STATUS_OK; 298 } else if (ret != LDB_ERR_NO_SUCH_OBJECT) { 299 DEBUG(1, ("Search for gidNumber=%lu gave '%s', failing to map to a SID!\n", 300 (unsigned long)unixid->id, ldb_errstring(idmap_ctx->samdb))); 301 status = NT_STATUS_NONE_MAPPED; 302 goto failed; 303 } 304 218 305 id_type = "ID_TYPE_GID"; 219 306 break; … … 235 322 236 323 if (res->count == 1) { 324 const char *type = ldb_msg_find_attr_as_string(res->msgs[0], 325 "type", NULL); 326 237 327 *sid = idmap_msg_get_dom_sid(mem_ctx, res->msgs[0], 238 328 "objectSid"); … … 242 332 goto failed; 243 333 } 334 335 if (type == NULL) { 336 DEBUG(1, ("Invalid type for mapping entry.\n")); 337 talloc_free(tmp_ctx); 338 return NT_STATUS_NONE_MAPPED; 339 } 340 341 if (strcmp(type, "ID_TYPE_BOTH") == 0) { 342 unixid->type = ID_TYPE_BOTH; 343 } else if (strcmp(type, "ID_TYPE_UID") == 0) { 344 unixid->type = ID_TYPE_UID; 345 } else { 346 unixid->type = ID_TYPE_GID; 347 } 348 244 349 talloc_free(tmp_ctx); 245 350 return NT_STATUS_OK; … … 279 384 * 280 385 * If no mapping exists, a new mapping will be created. 
281 *282 * \todo Check if SIDs can be resolved if lpcfg_idmap_trusted_only() == true283 * \todo Fix backwards compatibility for Samba3284 386 * 285 387 * \param idmap_ctx idmap context to use … … 300 402 struct ldb_context *ldb = idmap_ctx->ldb_ctx; 301 403 struct ldb_dn *dn; 302 struct ldb_message *hwm_msg, *map_msg ;404 struct ldb_message *hwm_msg, *map_msg, *sam_msg; 303 405 struct ldb_result *res = NULL; 304 int trans ;406 int trans = -1; 305 407 uint32_t low, high, hwm, new_xid; 306 408 char *sid_string, *unixid_string, *hwm_string; 307 409 bool hwm_entry_exists; 308 410 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); 411 const char *sam_attrs[] = {"uidNumber", "gidNumber", "samAccountType", NULL}; 309 412 310 413 if (dom_sid_in_domain(idmap_ctx->unix_users_sid, sid)) { … … 338 441 talloc_free(tmp_ctx); 339 442 return NT_STATUS_OK; 340 } 443 } 444 445 /* 446 * First check against our local DB, to see if this user has a 447 * mapping there. This means that the Samba4 AD DC behaves 448 * much like a winbindd member server running idmap_ad 449 */ 450 451 if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) { 452 ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &sam_msg, 453 ldb_get_default_basedn(idmap_ctx->samdb), 454 LDB_SCOPE_SUBTREE, sam_attrs, 0, 455 "(&(objectSid=%s)" 456 "(|(sAMaccountType=%u)(sAMaccountType=%u)(sAMaccountType=%u)" 457 "(sAMaccountType=%u)(sAMaccountType=%u))" 458 "(|(uidNumber=*)(gidNumber=*)))", 459 dom_sid_string(tmp_ctx, sid), 460 ATYPE_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST, 461 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP); 462 } else { 463 /* If we are not to use the rfc2307 attributes, we just emulate a non-match */ 464 ret = LDB_ERR_NO_SUCH_OBJECT; 465 } 466 467 if (ret == LDB_ERR_CONSTRAINT_VIOLATION) { 468 DEBUG(1, ("Search for objectSid=%s gave duplicate results, failing to map to a unix ID!\n", 469 dom_sid_string(tmp_ctx, sid))); 470 status = NT_STATUS_NONE_MAPPED; 471 goto 
failed; 472 } else if (ret == LDB_SUCCESS) { 473 uint32_t account_type = ldb_msg_find_attr_as_uint(sam_msg, "sAMaccountType", 0); 474 if ((account_type == ATYPE_ACCOUNT) || 475 (account_type == ATYPE_WORKSTATION_TRUST ) || 476 (account_type == ATYPE_INTERDOMAIN_TRUST )) 477 { 478 const struct ldb_val *v = ldb_msg_find_ldb_val(sam_msg, "uidNumber"); 479 if (v) { 480 unixid->type = ID_TYPE_UID; 481 unixid->id = ldb_msg_find_attr_as_uint(sam_msg, "uidNumber", -1); 482 talloc_free(tmp_ctx); 483 return NT_STATUS_OK; 484 } 485 486 } else if ((account_type == ATYPE_SECURITY_GLOBAL_GROUP) || 487 (account_type == ATYPE_SECURITY_LOCAL_GROUP)) 488 { 489 const struct ldb_val *v = ldb_msg_find_ldb_val(sam_msg, "gidNumber"); 490 if (v) { 491 unixid->type = ID_TYPE_GID; 492 unixid->id = ldb_msg_find_attr_as_uint(sam_msg, "gidNumber", -1); 493 talloc_free(tmp_ctx); 494 return NT_STATUS_OK; 495 } 496 } 497 } else if (ret != LDB_ERR_NO_SUCH_OBJECT) { 498 DEBUG(1, ("Search for objectSid=%s gave '%s', failing to map to a SID!\n", 499 dom_sid_string(tmp_ctx, sid), ldb_errstring(idmap_ctx->samdb))); 500 501 status = NT_STATUS_NONE_MAPPED; 502 goto failed; 503 } 341 504 342 505 ret = ldb_search(ldb, tmp_ctx, &res, NULL, LDB_SCOPE_SUBTREE, … … 404 567 goto failed; 405 568 } 406 407 /*FIXME: if lpcfg_idmap_trusted_only() == true, check if SID can be408 * resolved here. */409 569 410 570 ret = idmap_get_bounds(idmap_ctx, &low, &high);
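Review bot: In the LDB_SUCCESS branch of the objectSid lookup, `unixid->id = ldb_msg_find_attr_as_uint(sam_msg, "uidNumber", -1);` (and the gidNumber twin a few lines below) passes -1 as the fallback for an unsigned result, so the fallback itself is UINT_MAX and, whenever the helper falls back (I cannot see ldb's parsing rules from here), that value is handed to the caller under NT_STATUS_OK as a valid uid or gid. Since the attribute value comes straight from the directory, treat the sentinel as a failed mapping in both branches, before the `talloc_free(tmp_ctx)`: `if (unixid->id == (uint32_t)-1) { status = NT_STATUS_NONE_MAPPED; goto failed; }`. The debug text in the `ret != LDB_ERR_NO_SUCH_OBJECT` branch reads `failing to map to a SID!` although this function maps a SID to a unix ID; `failing to map to a unix ID!` would match the wording used in the duplicate-results branch just above it. idmap_sid_to_xid starts before this hunk and its body continues after it, so the `failed:` label these paths jump to is not visible here.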