search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r15837: starting sync up for 3.0.23rc1 (in sync with SAMBA_3_0 r15822)
[Samba.git] / source / sam / idmap_ad.c
blob5edfad487d7d43130e31b191fc05ad7e4d880e74
1 /*
2 * idmap_ad: map between Active Directory and RFC 2307 or "Services for Unix" (SFU) Accounts
3 *
4 * Unix SMB/CIFS implementation.
5 *
6 * Winbind ADS backend functions
7 *
8 * Copyright (C) Andrew Tridgell 2001
9 * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
10 * Copyright (C) Gerald (Jerry) Carter 2004
11 * Copyright (C) Luke Howard 2001-2004
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License as published by
15 * the Free Software Foundation; either version 2 of the License, or
16 * (at your option) any later version.
17 *
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 */
27
28 #include "includes.h"
29
30 #undef DBGC_CLASS
31 #define DBGC_CLASS DBGC_IDMAP
32
33 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
34
35 NTSTATUS init_module(void);
36
37 static ADS_STRUCT *ad_idmap_ads = NULL;
38 static char *ad_idmap_uri = NULL;
39
40 static char *attr_uidnumber = NULL;
41 static char *attr_gidnumber = NULL;
42
43 static ADS_STATUS ad_idmap_check_attr_mapping(ADS_STRUCT *ads)
44 {
45 ADS_STATUS status;
46 enum wb_posix_mapping map_type;
47
48 if (attr_uidnumber != NULL && attr_gidnumber != NULL) {
49 return ADS_ERROR(LDAP_SUCCESS);
50 }
51
52 SMB_ASSERT(ads->server.workgroup);
53
54 map_type = get_nss_info(ads->server.workgroup);
55
56 if ((map_type == WB_POSIX_MAP_SFU) ||
57 (map_type == WB_POSIX_MAP_RFC2307)) {
58
59 status = ads_check_posix_schema_mapping(ads, map_type);
60 if (ADS_ERR_OK(status)) {
61 attr_uidnumber = SMB_STRDUP(ads->schema.posix_uidnumber_attr);
62 attr_gidnumber = SMB_STRDUP(ads->schema.posix_gidnumber_attr);
63 ADS_ERROR_HAVE_NO_MEMORY(attr_uidnumber);
64 ADS_ERROR_HAVE_NO_MEMORY(attr_gidnumber);
65 return ADS_ERROR(LDAP_SUCCESS);
66 } else {
67 DEBUG(0,("ads_check_posix_schema_mapping failed: %s\n", ads_errstr(status)));
68 /* return status; */
69 }
70 }
71
72 /* fallback to XAD defaults */
73 attr_uidnumber = SMB_STRDUP("uidNumber");
74 attr_gidnumber = SMB_STRDUP("gidNumber");
75 ADS_ERROR_HAVE_NO_MEMORY(attr_uidnumber);
76 ADS_ERROR_HAVE_NO_MEMORY(attr_gidnumber);
77
78 return ADS_ERROR(LDAP_SUCCESS);
79 }
80
81 static ADS_STRUCT *ad_idmap_cached_connection(void)
82 {
83 ADS_STRUCT *ads;
84 ADS_STATUS status;
85 BOOL local = False;
86
87 if (ad_idmap_ads != NULL) {
88 ads = ad_idmap_ads;
89
90 /* check for a valid structure */
91
92 DEBUG(7, ("Current tickets expire at %d, time is now %d\n",
93 (uint32) ads->auth.expire, (uint32) time(NULL)));
94 if ( ads->config.realm && (ads->auth.expire > time(NULL))) {
95 return ads;
96 } else {
97 /* we own this ADS_STRUCT so make sure it goes away */
98 ads->is_mine = True;
99 ads_destroy( &ads );
100 ads_kdestroy(WINBIND_CCACHE_NAME);
101 ad_idmap_ads = NULL;
102 }
103 }
104
105 if (!local) {
106 /* we don't want this to affect the users ccache */
107 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
108 }
109
110 ads = ads_init(lp_realm(), lp_workgroup(), NULL);
111 if (!ads) {
112 DEBUG(1,("ads_init failed\n"));
113 return NULL;
114 }
115
116 /* the machine acct password might have change - fetch it every time */
117 SAFE_FREE(ads->auth.password);
118 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
119
120 SAFE_FREE(ads->auth.realm);
121 ads->auth.realm = SMB_STRDUP(lp_realm());
122
123 status = ads_connect(ads);
124 if (!ADS_ERR_OK(status)) {
125 DEBUG(1, ("ad_idmap_init: failed to connect to AD\n"));
126 ads_destroy(&ads);
127 return NULL;
128 }
129
130 ads->is_mine = False;
131
132 status = ad_idmap_check_attr_mapping(ads);
133 if (!ADS_ERR_OK(status)) {
134 DEBUG(1, ("ad_idmap_init: failed to check attribute mapping\n"));
135 return NULL;
136 }
137
138 ad_idmap_ads = ads;
139 return ads;
140 }
141
142 static NTSTATUS ad_idmap_init(char *uri)
143 {
144 ad_idmap_uri = SMB_STRDUP(uri);
145 if (ad_idmap_uri == NULL) {
146 return NT_STATUS_NO_MEMORY;
147 }
148
149 return NT_STATUS_OK;
150 }
151
152 static NTSTATUS ad_idmap_get_sid_from_id(DOM_SID *sid, unid_t unid, int id_type)
153 {
154 ADS_STATUS rc;
155 NTSTATUS status = NT_STATUS_NONE_MAPPED;
156 const char *attrs[] = { "objectSid", NULL };
157 void *res = NULL;
158 void *msg = NULL;
159 char *expr = NULL;
160 fstring sid_string;
161 int count;
162 ADS_STRUCT *ads;
163
164 if (sid == NULL) {
165 return NT_STATUS_INVALID_PARAMETER;
166 }
167
168 ads = ad_idmap_cached_connection();
169 if (ads == NULL) {
170 DEBUG(1, ("ad_idmap_get_id_from_sid ADS uninitialized\n"));
171 return NT_STATUS_NOT_SUPPORTED;
172 }
173
174 switch (id_type & ID_TYPEMASK) {
175 case ID_USERID:
176 if (asprintf(&expr, "(&(|(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d))(%s=%d))",
177 ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
178 ads->schema.posix_uidnumber_attr, (int)unid.uid) == -1) {
179 return NT_STATUS_NO_MEMORY;
180 }
181 break;
182 case ID_GROUPID:
183 if (asprintf(&expr, "(&(|(sAMAccountType=%d)(sAMAccountType=%d))(%s=%d))",
184 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP,
185 ads->schema.posix_gidnumber_attr, (int)unid.gid) == -1) {
186 return NT_STATUS_NO_MEMORY;
187 }
188 break;
189 default:
190 return NT_STATUS_INVALID_PARAMETER;
191 break;
192 }
193
194 rc = ads_search_retry(ads, &res, expr, attrs);
195 free(expr);
196 if (!ADS_ERR_OK(rc)) {
197 DEBUG(1, ("ad_idmap_get_sid_from_id: ads_search: %s\n", ads_errstr(rc)));
198 goto done;
199 }
200
201 count = ads_count_replies(ads, res);
202 if (count == 0) {
203 DEBUG(1, ("ad_idmap_get_sid_from_id: ads_count_replies: no results\n"));
204 goto done;
205 } else if (count != 1) {
206 DEBUG(1, ("ad_idmap_get_sid_from_id: ads_count_replies: incorrect cardinality\n"));
207 goto done;
208 }
209
210 msg = ads_first_entry(ads, res);
211 if (msg == NULL) {
212 DEBUG(1, ("ad_idmap_get_sid_from_id: ads_first_entry: could not retrieve search result\n"));
213 goto done;
214 }
215
216 if (!ads_pull_sid(ads, msg, "objectSid", sid)) {
217 DEBUG(1, ("ad_idmap_get_sid_from_id: ads_pull_sid: could not retrieve SID from entry\n"));
218 goto done;
219 }
220
221 status = NT_STATUS_OK;
222 DEBUG(1, ("ad_idmap_get_sid_from_id mapped POSIX %s %d to SID [%s]\n",
223 (id_type == ID_GROUPID) ? "GID" : "UID", (int)unid.uid,
224 sid_to_string(sid_string, sid)));
225
226 done:
227 if (res != NULL) {
228 ads_msgfree(ads, res);
229 }
230
231 return status;
232 }
233
234 static NTSTATUS ad_idmap_get_id_from_sid(unid_t *unid, int *id_type, const DOM_SID *sid)
235 {
236 ADS_STATUS rc;
237 NTSTATUS status = NT_STATUS_NONE_MAPPED;
238 const char *attrs[] = { "sAMAccountType", ADS_ATTR_SFU_UIDNUMBER_OID,
239 ADS_ATTR_SFU_GIDNUMBER_OID,
240 ADS_ATTR_RFC2307_UIDNUMBER_OID,
241 ADS_ATTR_RFC2307_GIDNUMBER_OID,
242 NULL };
243 void *res = NULL;
244 void *msg = NULL;
245 char *expr = NULL;
246 uint32 atype, uid;
247 char *sidstr;
248 fstring sid_string;
249 int count;
250 ADS_STRUCT *ads;
251
252 if (unid == NULL) {
253 return NT_STATUS_INVALID_PARAMETER;
254 }
255
256 ads = ad_idmap_cached_connection();
257 if (ads == NULL) {
258 DEBUG(1, ("ad_idmap_get_id_from_sid ADS uninitialized\n"));
259 return NT_STATUS_NOT_SUPPORTED;
260 }
261
262 sidstr = sid_binstring(sid);
263 if (asprintf(&expr, "(objectSid=%s)", sidstr) == -1) {
264 free(sidstr);
265 return NT_STATUS_NO_MEMORY;
266 }
267
268 rc = ads_search_retry(ads, &res, expr, attrs);
269 free(sidstr);
270 free(expr);
271 if (!ADS_ERR_OK(rc)) {
272 DEBUG(1, ("ad_idmap_get_id_from_sid: ads_search: %s\n", ads_errstr(rc)));
273 goto done;
274 }
275
276 count = ads_count_replies(ads, res);
277 if (count == 0) {
278 DEBUG(1, ("ad_idmap_get_id_from_sid: ads_count_replies: no results\n"));
279 goto done;
280 } else if (count != 1) {
281 DEBUG(1, ("ad_idmap_get_id_from_sid: ads_count_replies: incorrect cardinality\n"));
282 goto done;
283 }
284
285 msg = ads_first_entry(ads, res);
286 if (msg == NULL) {
287 DEBUG(1, ("ad_idmap_get_id_from_sid: ads_first_entry: could not retrieve search result\n"));
288 goto done;
289 }
290
291 if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
292 DEBUG(1, ("ad_idmap_get_id_from_sid: ads_pull_uint32: could not read SAM account type\n"));
293 goto done;
294 }
295
296 switch (atype & 0xF0000000) {
297 case ATYPE_SECURITY_GLOBAL_GROUP:
298 case ATYPE_SECURITY_LOCAL_GROUP:
299 *id_type = ID_GROUPID;
300 break;
301 case ATYPE_NORMAL_ACCOUNT:
302 case ATYPE_WORKSTATION_TRUST:
303 case ATYPE_INTERDOMAIN_TRUST:
304 *id_type = ID_USERID;
305 break;
306 default:
307 DEBUG(1, ("ad_idmap_get_id_from_sid: unrecognized SAM account type %08x\n", atype));
308 goto done;
309 break;
310 }
311
312 if (!ads_pull_uint32(ads, msg, (*id_type == ID_GROUPID) ? attr_gidnumber : attr_uidnumber, &uid)) {
313 DEBUG(1, ("ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute '%s'\n",
314 (*id_type == ID_GROUPID) ? attr_gidnumber : attr_uidnumber));
315 goto done;
316 }
317
318 unid->uid = (uid_t)uid;
319
320 status = NT_STATUS_OK;
321 DEBUG(1, ("ad_idmap_get_id_from_sid mapped SID [%s] to POSIX %s %d\n",
322 sid_to_string(sid_string, sid),
323 (*id_type == ID_GROUPID) ? "GID" : "UID", uid));
324
325 done:
326 if (res != NULL) {
327 ads_msgfree(ads, res);
328 }
329
330 return status;
331
332 }
333
334 static NTSTATUS ad_idmap_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
335 {
336 /* Not supported, and probably won't be... */
337 /* (It's not particularly feasible with a single-master model.) */
338
339 return NT_STATUS_NOT_IMPLEMENTED;
340 }
341
342 static NTSTATUS ad_idmap_close(void)
343 {
344 ADS_STRUCT *ads = ad_idmap_ads;
345
346 if (ads != NULL) {
347 /* we own this ADS_STRUCT so make sure it goes away */
348 ads->is_mine = True;
349 ads_destroy( &ads );
350 ad_idmap_ads = NULL;
351 }
352
353 SAFE_FREE(attr_uidnumber);
354 SAFE_FREE(attr_gidnumber);
355
356 return NT_STATUS_OK;
357 }
358
359 static NTSTATUS ad_idmap_allocate_id(unid_t *id, int id_type)
360 {
361 return NT_STATUS_NOT_IMPLEMENTED;
362 }
363
364 static void ad_idmap_status(void)
365 {
366 DEBUG(0, ("AD IDMAP Status not available\n"));
367 }
368
369 static struct idmap_methods ad_methods = {
370 ad_idmap_init,
371 ad_idmap_allocate_id,
372 ad_idmap_get_sid_from_id,
373 ad_idmap_get_id_from_sid,
374 ad_idmap_set_mapping,
375 ad_idmap_close,
376 ad_idmap_status
377 };
378
379
380 /* support for new authentication subsystem */
381 NTSTATUS init_module(void)
382 {
383 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ad", &ad_methods);
384 }
385
Samba GIT mirror