search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r19787: get winbindd compiling
[Samba.git] / source / groupdb / mapping_tdb.c
blob0d1790013303bd397a96ab5f4435b260d70b15bc
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-2006,
5 * Copyright (C) Jean François Micouleau 1998-2001.
6 * Copyright (C) Volker Lendecke 2006.
7 * Copyright (C) Gerald Carter 2006.
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "groupdb/mapping.h"
26
27 static TDB_CONTEXT *tdb; /* used for driver files */
28
29 /****************************************************************************
30 Open the group mapping tdb.
31 ****************************************************************************/
32 BOOL init_group_mapping(void)
33 {
34 const char *vstring = "INFO/version";
35 int32 vers_id;
36 GROUP_MAP *map_table = NULL;
37 size_t num_entries = 0;
38
39 if (tdb)
40 return True;
41
42 tdb = tdb_open_log(lock_path("group_mapping.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
43 if (!tdb) {
44 DEBUG(0,("Failed to open group mapping database\n"));
45 return False;
46 }
47
48 /* handle a Samba upgrade */
49 tdb_lock_bystring(tdb, vstring);
50
51 /* Cope with byte-reversed older versions of the db. */
52 vers_id = tdb_fetch_int32(tdb, vstring);
53 if ((vers_id == DATABASE_VERSION_V1) || (IREV(vers_id) == DATABASE_VERSION_V1)) {
54 /* Written on a bigendian machine with old fetch_int code. Save as le. */
55 tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
56 vers_id = DATABASE_VERSION_V2;
57 }
58
59 /* if its an unknown version we remove everthing in the db */
60
61 if (vers_id != DATABASE_VERSION_V2) {
62 tdb_traverse(tdb, tdb_traverse_delete_fn, NULL);
63 tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
64 }
65
66 tdb_unlock_bystring(tdb, vstring);
67
68 /* cleanup any map entries with a gid == -1 */
69
70 if ( enum_group_mapping( NULL, SID_NAME_UNKNOWN, &map_table, &num_entries, False ) ) {
71 int i;
72
73 for ( i=0; i<num_entries; i++ ) {
74 if ( map_table[i].gid == -1 ) {
75 group_map_remove( &map_table[i].sid );
76 }
77 }
78
79 SAFE_FREE( map_table );
80 }
81
82
83 return True;
84 }
85
86 /****************************************************************************
87 ****************************************************************************/
88 BOOL add_mapping_entry(GROUP_MAP *map, int flag)
89 {
90 TDB_DATA kbuf, dbuf;
91 pstring key, buf;
92 fstring string_sid="";
93 int len;
94
95 if(!init_group_mapping()) {
96 DEBUG(0,("failed to initialize group mapping\n"));
97 return(False);
98 }
99
100 sid_to_string(string_sid, &map->sid);
101
102 len = tdb_pack(buf, sizeof(buf), "ddff",
103 map->gid, map->sid_name_use, map->nt_name, map->comment);
104
105 if (len > sizeof(buf))
106 return False;
107
108 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
109
110 kbuf.dsize = strlen(key)+1;
111 kbuf.dptr = key;
112 dbuf.dsize = len;
113 dbuf.dptr = buf;
114 if (tdb_store(tdb, kbuf, dbuf, flag) != 0) return False;
115
116 return True;
117 }
118
119
120 /****************************************************************************
121 Return the sid and the type of the unix group.
122 ****************************************************************************/
123
124 BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
125 {
126 TDB_DATA kbuf, dbuf;
127 pstring key;
128 fstring string_sid;
129 int ret = 0;
130
131 if(!init_group_mapping()) {
132 DEBUG(0,("failed to initialize group mapping\n"));
133 return(False);
134 }
135
136 /* the key is the SID, retrieving is direct */
137
138 sid_to_string(string_sid, &sid);
139 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
140
141 kbuf.dptr = key;
142 kbuf.dsize = strlen(key)+1;
143
144 dbuf = tdb_fetch(tdb, kbuf);
145 if (!dbuf.dptr)
146 return False;
147
148 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
149 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
150
151 SAFE_FREE(dbuf.dptr);
152
153 if ( ret == -1 ) {
154 DEBUG(3,("get_group_map_from_sid: tdb_unpack failure\n"));
155 return False;
156 }
157
158 sid_copy(&map->sid, &sid);
159
160 return True;
161 }
162
163 /****************************************************************************
164 Return the sid and the type of the unix group.
165 ****************************************************************************/
166
167 BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map)
168 {
169 TDB_DATA kbuf, dbuf, newkey;
170 fstring string_sid;
171 int ret;
172
173 if(!init_group_mapping()) {
174 DEBUG(0,("failed to initialize group mapping\n"));
175 return(False);
176 }
177
178 /* we need to enumerate the TDB to find the GID */
179
180 for (kbuf = tdb_firstkey(tdb);
181 kbuf.dptr;
182 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
183
184 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue;
185
186 dbuf = tdb_fetch(tdb, kbuf);
187 if (!dbuf.dptr)
188 continue;
189
190 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
191
192 string_to_sid(&map->sid, string_sid);
193
194 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
195 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
196
197 SAFE_FREE(dbuf.dptr);
198
199 if ( ret == -1 ) {
200 DEBUG(3,("get_group_map_from_gid: tdb_unpack failure\n"));
201 return False;
202 }
203
204 if (gid==map->gid) {
205 SAFE_FREE(kbuf.dptr);
206 return True;
207 }
208 }
209
210 return False;
211 }
212
213 /****************************************************************************
214 Return the sid and the type of the unix group.
215 ****************************************************************************/
216
217 BOOL get_group_map_from_ntname(const char *name, GROUP_MAP *map)
218 {
219 TDB_DATA kbuf, dbuf, newkey;
220 fstring string_sid;
221 int ret;
222
223 if(!init_group_mapping()) {
224 DEBUG(0,("get_group_map_from_ntname:failed to initialize group mapping\n"));
225 return(False);
226 }
227
228 /* we need to enumerate the TDB to find the name */
229
230 for (kbuf = tdb_firstkey(tdb);
231 kbuf.dptr;
232 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
233
234 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0) continue;
235
236 dbuf = tdb_fetch(tdb, kbuf);
237 if (!dbuf.dptr)
238 continue;
239
240 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
241
242 string_to_sid(&map->sid, string_sid);
243
244 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
245 &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
246
247 SAFE_FREE(dbuf.dptr);
248
249 if ( ret == -1 ) {
250 DEBUG(3,("get_group_map_from_ntname: tdb_unpack failure\n"));
251 return False;
252 }
253
254 if ( strequal(name, map->nt_name) ) {
255 SAFE_FREE(kbuf.dptr);
256 return True;
257 }
258 }
259
260 return False;
261 }
262
263 /****************************************************************************
264 Remove a group mapping entry.
265 ****************************************************************************/
266
267 BOOL group_map_remove(const DOM_SID *sid)
268 {
269 TDB_DATA kbuf, dbuf;
270 pstring key;
271 fstring string_sid;
272
273 if(!init_group_mapping()) {
274 DEBUG(0,("failed to initialize group mapping\n"));
275 return(False);
276 }
277
278 /* the key is the SID, retrieving is direct */
279
280 sid_to_string(string_sid, sid);
281 slprintf(key, sizeof(key), "%s%s", GROUP_PREFIX, string_sid);
282
283 kbuf.dptr = key;
284 kbuf.dsize = strlen(key)+1;
285
286 dbuf = tdb_fetch(tdb, kbuf);
287 if (!dbuf.dptr)
288 return False;
289
290 SAFE_FREE(dbuf.dptr);
291
292 if(tdb_delete(tdb, kbuf) != TDB_SUCCESS)
293 return False;
294
295 return True;
296 }
297
298 /****************************************************************************
299 Enumerate the group mapping.
300 ****************************************************************************/
301
302 BOOL enum_group_mapping(const DOM_SID *domsid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
303 size_t *p_num_entries, BOOL unix_only)
304 {
305 TDB_DATA kbuf, dbuf, newkey;
306 fstring string_sid;
307 GROUP_MAP map;
308 GROUP_MAP *mapt;
309 int ret;
310 size_t entries=0;
311 DOM_SID grpsid;
312 uint32 rid;
313
314 if(!init_group_mapping()) {
315 DEBUG(0,("failed to initialize group mapping\n"));
316 return(False);
317 }
318
319 *p_num_entries=0;
320 *pp_rmap=NULL;
321
322 for (kbuf = tdb_firstkey(tdb);
323 kbuf.dptr;
324 newkey = tdb_nextkey(tdb, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
325
326 if (strncmp(kbuf.dptr, GROUP_PREFIX, strlen(GROUP_PREFIX)) != 0)
327 continue;
328
329 dbuf = tdb_fetch(tdb, kbuf);
330 if (!dbuf.dptr)
331 continue;
332
333 fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
334
335 ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
336 &map.gid, &map.sid_name_use, &map.nt_name, &map.comment);
337
338 SAFE_FREE(dbuf.dptr);
339
340 if ( ret == -1 ) {
341 DEBUG(3,("enum_group_mapping: tdb_unpack failure\n"));
342 continue;
343 }
344
345 /* list only the type or everything if UNKNOWN */
346 if (sid_name_use!=SID_NAME_UNKNOWN && sid_name_use!=map.sid_name_use) {
347 DEBUG(11,("enum_group_mapping: group %s is not of the requested type\n", map.nt_name));
348 continue;
349 }
350
351 if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
352 DEBUG(11,("enum_group_mapping: group %s is non mapped\n", map.nt_name));
353 continue;
354 }
355
356 string_to_sid(&grpsid, string_sid);
357 sid_copy( &map.sid, &grpsid );
358
359 sid_split_rid( &grpsid, &rid );
360
361 /* Only check the domain if we were given one */
362
363 if ( domsid && !sid_equal( domsid, &grpsid ) ) {
364 DEBUG(11,("enum_group_mapping: group %s is not in domain %s\n",
365 string_sid, sid_string_static(domsid)));
366 continue;
367 }
368
369 DEBUG(11,("enum_group_mapping: returning group %s of "
370 "type %s\n", map.nt_name,
371 sid_type_lookup(map.sid_name_use)));
372
373 (*pp_rmap) = SMB_REALLOC_ARRAY((*pp_rmap), GROUP_MAP, entries+1);
374 if (!(*pp_rmap)) {
375 DEBUG(0,("enum_group_mapping: Unable to enlarge group map!\n"));
376 return False;
377 }
378
379 mapt = (*pp_rmap);
380
381 mapt[entries].gid = map.gid;
382 sid_copy( &mapt[entries].sid, &map.sid);
383 mapt[entries].sid_name_use = map.sid_name_use;
384 fstrcpy(mapt[entries].nt_name, map.nt_name);
385 fstrcpy(mapt[entries].comment, map.comment);
386
387 entries++;
388
389 }
390
391 *p_num_entries=entries;
392
393 return True;
394 }
395
396 /* This operation happens on session setup, so it should better be fast. We
397 * store a list of aliases a SID is member of hanging off MEMBEROF/SID. */
398
399 NTSTATUS one_alias_membership(const DOM_SID *member,
400 DOM_SID **sids, size_t *num)
401 {
402 fstring key, string_sid;
403 TDB_DATA kbuf, dbuf;
404 const char *p;
405
406 if (!init_group_mapping()) {
407 DEBUG(0,("failed to initialize group mapping\n"));
408 return NT_STATUS_ACCESS_DENIED;
409 }
410
411 sid_to_string(string_sid, member);
412 slprintf(key, sizeof(key), "%s%s", MEMBEROF_PREFIX, string_sid);
413
414 kbuf.dsize = strlen(key)+1;
415 kbuf.dptr = key;
416
417 dbuf = tdb_fetch(tdb, kbuf);
418
419 if (dbuf.dptr == NULL) {
420 return NT_STATUS_OK;
421 }
422
423 p = dbuf.dptr;
424
425 while (next_token(&p, string_sid, " ", sizeof(string_sid))) {
426
427 DOM_SID alias;
428
429 if (!string_to_sid(&alias, string_sid))
430 continue;
431
432 add_sid_to_array_unique(NULL, &alias, sids, num);
433
434 if (sids == NULL)
435 return NT_STATUS_NO_MEMORY;
436 }
437
438 SAFE_FREE(dbuf.dptr);
439 return NT_STATUS_OK;
440 }
441
442 static NTSTATUS alias_memberships(const DOM_SID *members, size_t num_members,
443 DOM_SID **sids, size_t *num)
444 {
445 size_t i;
446
447 *num = 0;
448 *sids = NULL;
449
450 for (i=0; i<num_members; i++) {
451 NTSTATUS status = one_alias_membership(&members[i], sids, num);
452 if (!NT_STATUS_IS_OK(status))
453 return status;
454 }
455 return NT_STATUS_OK;
456 }
457
458 static BOOL is_aliasmem(const DOM_SID *alias, const DOM_SID *member)
459 {
460 DOM_SID *sids;
461 size_t i, num;
462
463 /* This feels the wrong way round, but the on-disk data structure
464 * dictates it this way. */
465 if (!NT_STATUS_IS_OK(alias_memberships(member, 1, &sids, &num)))
466 return False;
467
468 for (i=0; i<num; i++) {
469 if (sid_compare(alias, &sids[i]) == 0) {
470 SAFE_FREE(sids);
471 return True;
472 }
473 }
474 SAFE_FREE(sids);
475 return False;
476 }
477
478
479 NTSTATUS add_aliasmem(const DOM_SID *alias, const DOM_SID *member)
480 {
481 GROUP_MAP map;
482 TDB_DATA kbuf, dbuf;
483 pstring key;
484 fstring string_sid;
485 char *new_memberstring;
486 int result;
487
488 if(!init_group_mapping()) {
489 DEBUG(0,("failed to initialize group mapping\n"));
490 return NT_STATUS_ACCESS_DENIED;
491 }
492
493 if (!get_group_map_from_sid(*alias, &map))
494 return NT_STATUS_NO_SUCH_ALIAS;
495
496 if ( (map.sid_name_use != SID_NAME_ALIAS) &&
497 (map.sid_name_use != SID_NAME_WKN_GRP) )
498 return NT_STATUS_NO_SUCH_ALIAS;
499
500 if (is_aliasmem(alias, member))
501 return NT_STATUS_MEMBER_IN_ALIAS;
502
503 sid_to_string(string_sid, member);
504 slprintf(key, sizeof(key), "%s%s", MEMBEROF_PREFIX, string_sid);
505
506 kbuf.dsize = strlen(key)+1;
507 kbuf.dptr = key;
508
509 dbuf = tdb_fetch(tdb, kbuf);
510
511 sid_to_string(string_sid, alias);
512
513 if (dbuf.dptr != NULL) {
514 asprintf(&new_memberstring, "%s %s", (char *)(dbuf.dptr),
515 string_sid);
516 } else {
517 new_memberstring = SMB_STRDUP(string_sid);
518 }
519
520 if (new_memberstring == NULL)
521 return NT_STATUS_NO_MEMORY;
522
523 SAFE_FREE(dbuf.dptr);
524 dbuf.dsize = strlen(new_memberstring)+1;
525 dbuf.dptr = new_memberstring;
526
527 result = tdb_store(tdb, kbuf, dbuf, 0);
528
529 SAFE_FREE(new_memberstring);
530
531 return (result == 0 ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED);
532 }
533
534 struct aliasmem_closure {
535 const DOM_SID *alias;
536 DOM_SID **sids;
537 size_t *num;
538 };
539
540 static int collect_aliasmem(TDB_CONTEXT *tdb_ctx, TDB_DATA key, TDB_DATA data,
541 void *state)
542 {
543 struct aliasmem_closure *closure = (struct aliasmem_closure *)state;
544 const char *p;
545 fstring alias_string;
546
547 if (strncmp(key.dptr, MEMBEROF_PREFIX,
548 strlen(MEMBEROF_PREFIX)) != 0)
549 return 0;
550
551 p = data.dptr;
552
553 while (next_token(&p, alias_string, " ", sizeof(alias_string))) {
554
555 DOM_SID alias, member;
556 const char *member_string;
557
558
559 if (!string_to_sid(&alias, alias_string))
560 continue;
561
562 if (sid_compare(closure->alias, &alias) != 0)
563 continue;
564
565 /* Ok, we found the alias we're looking for in the membership
566 * list currently scanned. The key represents the alias
567 * member. Add that. */
568
569 member_string = strchr(key.dptr, '/');
570
571 /* Above we tested for MEMBEROF_PREFIX which includes the
572 * slash. */
573
574 SMB_ASSERT(member_string != NULL);
575 member_string += 1;
576
577 if (!string_to_sid(&member, member_string))
578 continue;
579
580 add_sid_to_array(NULL, &member, closure->sids, closure->num);
581 }
582
583 return 0;
584 }
585
586 NTSTATUS enum_aliasmem(const DOM_SID *alias, DOM_SID **sids, size_t *num)
587 {
588 GROUP_MAP map;
589 struct aliasmem_closure closure;
590
591 if(!init_group_mapping()) {
592 DEBUG(0,("failed to initialize group mapping\n"));
593 return NT_STATUS_ACCESS_DENIED;
594 }
595
596 if (!get_group_map_from_sid(*alias, &map))
597 return NT_STATUS_NO_SUCH_ALIAS;
598
599 if ( (map.sid_name_use != SID_NAME_ALIAS) &&
600 (map.sid_name_use != SID_NAME_WKN_GRP) )
601 return NT_STATUS_NO_SUCH_ALIAS;
602
603 *sids = NULL;
604 *num = 0;
605
606 closure.alias = alias;
607 closure.sids = sids;
608 closure.num = num;
609
610 tdb_traverse(tdb, collect_aliasmem, &closure);
611 return NT_STATUS_OK;
612 }
613
614 NTSTATUS del_aliasmem(const DOM_SID *alias, const DOM_SID *member)
615 {
616 NTSTATUS result;
617 DOM_SID *sids;
618 size_t i, num;
619 BOOL found = False;
620 char *member_string;
621 TDB_DATA kbuf, dbuf;
622 pstring key;
623 fstring sid_string;
624
625 result = alias_memberships(member, 1, &sids, &num);
626
627 if (!NT_STATUS_IS_OK(result))
628 return result;
629
630 for (i=0; i<num; i++) {
631 if (sid_compare(&sids[i], alias) == 0) {
632 found = True;
633 break;
634 }
635 }
636
637 if (!found) {
638 SAFE_FREE(sids);
639 return NT_STATUS_MEMBER_NOT_IN_ALIAS;
640 }
641
642 if (i < num)
643 sids[i] = sids[num-1];
644
645 num -= 1;
646
647 sid_to_string(sid_string, member);
648 slprintf(key, sizeof(key), "%s%s", MEMBEROF_PREFIX, sid_string);
649
650 kbuf.dsize = strlen(key)+1;
651 kbuf.dptr = key;
652
653 if (num == 0)
654 return tdb_delete(tdb, kbuf) == 0 ?
655 NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
656
657 member_string = SMB_STRDUP("");
658
659 if (member_string == NULL) {
660 SAFE_FREE(sids);
661 return NT_STATUS_NO_MEMORY;
662 }
663
664 for (i=0; i<num; i++) {
665 char *s = member_string;
666
667 sid_to_string(sid_string, &sids[i]);
668 asprintf(&member_string, "%s %s", s, sid_string);
669
670 SAFE_FREE(s);
671 if (member_string == NULL) {
672 SAFE_FREE(sids);
673 return NT_STATUS_NO_MEMORY;
674 }
675 }
676
677 dbuf.dsize = strlen(member_string)+1;
678 dbuf.dptr = member_string;
679
680 result = tdb_store(tdb, kbuf, dbuf, 0) == 0 ?
681 NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
682
683 SAFE_FREE(sids);
684 SAFE_FREE(member_string);
685
686 return result;
687 }
688
Samba GIT mirror