source3/winbindd/idmap_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    ID Mapping
   4    Copyright (C) Simo Sorce 2003
   5    Copyright (C) Jeremy Allison 2006
   6    Copyright (C) Michael Adam 2010
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.*/
  20
  21 #include "includes.h"
  22 #include "winbindd.h"
  23 #include "winbindd_proto.h"
  24 #include "idmap.h"
  25 #include "idmap_cache.h"
  26 #include "../libcli/security/security.h"
  27 #include "secrets.h"
  28
  29 #undef DBGC_CLASS
  30 #define DBGC_CLASS DBGC_IDMAP
  31
  32 /*****************************************************************
  33  Returns the SID mapped to the given UID.
  34  If mapping is not possible returns an error.
  35 *****************************************************************/
  36
  37 NTSTATUS idmap_uid_to_sid(const char *domname, struct dom_sid *sid, uid_t uid)
  38 {
  39         NTSTATUS ret;
  40         struct id_map map;
  41         bool expired;
  42
  43         DEBUG(10,("idmap_uid_to_sid: uid = [%lu], domain = '%s'\n",
  44                   (unsigned long)uid, domname?domname:"NULL"));
  45
  46         if (winbindd_use_idmap_cache()
  47             && idmap_cache_find_uid2sid(uid, sid, &expired)) {
  48                 DEBUG(10, ("idmap_cache_find_uid2sid found %u%s\n",
  49                         (unsigned int)uid,
  50                            expired ? " (expired)": ""));
  51                 if (expired && idmap_is_online()) {
  52                         DEBUG(10, ("revalidating expired entry\n"));
  53                         goto backend;
  54                 }
  55                 if (is_null_sid(sid)) {
  56                         DEBUG(10, ("Returning negative cache entry\n"));
  57                         return NT_STATUS_NONE_MAPPED;
  58                 }
  59                 DEBUG(10, ("Returning positive cache entry\n"));
  60                 return NT_STATUS_OK;
  61         }
  62
  63 backend:
  64         ZERO_STRUCT(map);
  65         map.sid = sid;
  66         map.xid.type = ID_TYPE_UID;
  67         map.xid.id = uid;
  68
  69         ret = idmap_backends_unixid_to_sid(domname, &map);
  70         if ( ! NT_STATUS_IS_OK(ret)) {
  71                 DEBUG(10, ("error mapping uid [%lu]: %s\n", (unsigned long)uid,
  72                            nt_errstr(ret)));
  73                 map.status = ID_UNMAPPED;
  74         }
  75
  76         if (map.status != ID_MAPPED) {
  77                 if (winbindd_use_idmap_cache()) {
  78                         struct dom_sid null_sid;
  79                         struct unixid id;
  80                         id.type = ID_TYPE_UID;
  81                         id.id = uid;
  82                         ZERO_STRUCT(null_sid);
  83                         idmap_cache_set_sid2unixid(&null_sid, &id);
  84                 }
  85                 DEBUG(10, ("uid [%lu] not mapped\n", (unsigned long)uid));
  86                 return NT_STATUS_NONE_MAPPED;
  87         }
  88
  89         if (winbindd_use_idmap_cache()) {
  90                 idmap_cache_set_sid2unixid(sid, &map.xid);
  91         }
  92
  93         return NT_STATUS_OK;
  94 }
  95
  96 /*****************************************************************
  97  Returns SID mapped to the given GID.
  98  If mapping is not possible returns an error.
  99 *****************************************************************/
 100
 101 NTSTATUS idmap_gid_to_sid(const char *domname, struct dom_sid *sid, gid_t gid)
 102 {
 103         NTSTATUS ret;
 104         struct id_map map;
 105         bool expired;
 106
 107         DEBUG(10,("idmap_gid_to_sid: gid = [%lu], domain = '%s'\n",
 108                   (unsigned long)gid, domname?domname:"NULL"));
 109
 110         if (winbindd_use_idmap_cache()
 111             && idmap_cache_find_gid2sid(gid, sid, &expired)) {
 112                 DEBUG(10, ("idmap_cache_find_gid2sid found %u%s\n",
 113                         (unsigned int)gid,
 114                            expired ? " (expired)": ""));
 115                 if (expired && idmap_is_online()) {
 116                         DEBUG(10, ("revalidating expired entry\n"));
 117                         goto backend;
 118                 }
 119                 if (is_null_sid(sid)) {
 120                         DEBUG(10, ("Returning negative cache entry\n"));
 121                         return NT_STATUS_NONE_MAPPED;
 122                 }
 123                 DEBUG(10, ("Returning positive cache entry\n"));
 124                 return NT_STATUS_OK;
 125         }
 126
 127 backend:
 128         ZERO_STRUCT(map);
 129         map.sid = sid;
 130         map.xid.type = ID_TYPE_GID;
 131         map.xid.id = gid;
 132
 133         ret = idmap_backends_unixid_to_sid(domname, &map);
 134         if ( ! NT_STATUS_IS_OK(ret)) {
 135                 DEBUG(10, ("error mapping gid [%lu]: %s\n", (unsigned long)gid,
 136                            nt_errstr(ret)));
 137                 map.status = ID_UNMAPPED;
 138         }
 139
 140         if (map.status != ID_MAPPED) {
 141                 if (winbindd_use_idmap_cache()) {
 142                         struct dom_sid null_sid;
 143                         struct unixid id;
 144                         id.type = ID_TYPE_GID;
 145                         id.id = gid;
 146                         ZERO_STRUCT(null_sid);
 147                         idmap_cache_set_sid2unixid(&null_sid, &id);
 148                 }
 149                 DEBUG(10, ("gid [%lu] not mapped\n", (unsigned long)gid));
 150                 return NT_STATUS_NONE_MAPPED;
 151         }
 152
 153         if (winbindd_use_idmap_cache()) {
 154                 idmap_cache_set_sid2unixid(sid, &map.xid);
 155         }
 156
 157         return NT_STATUS_OK;
 158 }
 159
 160 /**
 161  * check whether a given unix id is inside the filter range of an idmap domain
 162  */
 163 bool idmap_unix_id_is_in_range(uint32_t id, struct idmap_domain *dom)
 164 {
 165         if (id == 0) {
 166                 /* 0 is not an allowed unix id for id mapping */
 167                 return false;
 168         }
 169
 170         if ((dom->low_id && (id < dom->low_id)) ||
 171             (dom->high_id && (id > dom->high_id)))
 172         {
 173                 return false;
 174         }
 175
 176         return true;
 177 }
 178
 179 /**
 180  * Helper for unixids_to_sids: find entry by id in mapping array,
 181  * search up to IDMAP_AD_MAX_IDS entries
 182  */
 183 struct id_map *idmap_find_map_by_id(struct id_map **maps, enum id_type type,
 184                                     uint32_t id)
 185 {
 186         int i;
 187
 188         for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
 189                 if (maps[i] == NULL) { /* end of the run */
 190                         return NULL;
 191                 }
 192                 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
 193                         return maps[i];
 194                 }
 195         }
 196
 197         return NULL;
 198 }
 199
 200 /**
 201  * Helper for sids_to_unix_ids: find entry by SID in mapping array,
 202  * search up to IDMAP_AD_MAX_IDS entries
 203  */
 204 struct id_map *idmap_find_map_by_sid(struct id_map **maps, struct dom_sid *sid)
 205 {
 206         int i;
 207
 208         for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
 209                 if (maps[i] == NULL) { /* end of the run */
 210                         return NULL;
 211                 }
 212                 if (dom_sid_equal(maps[i]->sid, sid)) {
 213                         return maps[i];
 214                 }
 215         }
 216
 217         return NULL;
 218 }
 219
 220 char *idmap_fetch_secret(const char *backend, const char *domain,
 221                          const char *identity)
 222 {
 223         char *tmp, *ret;
 224         int r;
 225
 226         r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
 227
 228         if (r < 0)
 229                 return NULL;
 230
 231         /* make sure the key is case insensitive */
 232         if (!strupper_m(tmp)) {
 233                 SAFE_FREE(tmp);
 234                 return NULL;
 235         }
 236
 237         ret = secrets_fetch_generic(tmp, identity);
 238
 239         SAFE_FREE(tmp);
 240
 241         return ret;
 242 }