s3-winbindd: Move connection to AD server from idmap_ad
[Samba/gbeck.git] / source3 / winbindd / idmap_util.c
bloba068298968514fefb4c4152fe359760224445201
1 /*
2 Unix SMB/CIFS implementation.
3 ID Mapping
4 Copyright (C) Simo Sorce 2003
5 Copyright (C) Jeremy Allison 2006
6 Copyright (C) Michael Adam 2010
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.*/
21 #include "includes.h"
22 #include "winbindd.h"
23 #include "winbindd_proto.h"
24 #include "idmap.h"
25 #include "idmap_cache.h"
26 #include "../libcli/security/security.h"
27 #include "secrets.h"
29 #undef DBGC_CLASS
30 #define DBGC_CLASS DBGC_IDMAP
32 /*****************************************************************
33 Returns the SID mapped to the given UID.
34 If mapping is not possible returns an error.
35 *****************************************************************/
37 NTSTATUS idmap_uid_to_sid(const char *domname, struct dom_sid *sid, uid_t uid)
39 NTSTATUS ret;
40 struct id_map map;
41 bool expired;
43 DEBUG(10,("idmap_uid_to_sid: uid = [%lu], domain = '%s'\n",
44 (unsigned long)uid, domname?domname:"NULL"));
46 if (winbindd_use_idmap_cache()
47 && idmap_cache_find_uid2sid(uid, sid, &expired)) {
48 DEBUG(10, ("idmap_cache_find_uid2sid found %u%s\n",
49 (unsigned int)uid,
50 expired ? " (expired)": ""));
51 if (expired && idmap_is_online()) {
52 DEBUG(10, ("revalidating expired entry\n"));
53 goto backend;
55 if (is_null_sid(sid)) {
56 DEBUG(10, ("Returning negative cache entry\n"));
57 return NT_STATUS_NONE_MAPPED;
59 DEBUG(10, ("Returning positive cache entry\n"));
60 return NT_STATUS_OK;
63 backend:
64 ZERO_STRUCT(map);
65 map.sid = sid;
66 map.xid.type = ID_TYPE_UID;
67 map.xid.id = uid;
69 ret = idmap_backends_unixid_to_sid(domname, &map);
70 if ( ! NT_STATUS_IS_OK(ret)) {
71 DEBUG(10, ("error mapping uid [%lu]\n", (unsigned long)uid));
72 return ret;
75 if (map.status != ID_MAPPED) {
76 if (winbindd_use_idmap_cache()) {
77 struct dom_sid null_sid;
78 struct unixid id;
79 id.type = ID_TYPE_UID;
80 id.id = uid;
81 ZERO_STRUCT(null_sid);
82 idmap_cache_set_sid2unixid(&null_sid, &id);
84 DEBUG(10, ("uid [%lu] not mapped\n", (unsigned long)uid));
85 return NT_STATUS_NONE_MAPPED;
88 if (winbindd_use_idmap_cache()) {
89 idmap_cache_set_sid2unixid(sid, &map.xid);
92 return NT_STATUS_OK;
95 /*****************************************************************
96 Returns SID mapped to the given GID.
97 If mapping is not possible returns an error.
98 *****************************************************************/
100 NTSTATUS idmap_gid_to_sid(const char *domname, struct dom_sid *sid, gid_t gid)
102 NTSTATUS ret;
103 struct id_map map;
104 bool expired;
106 DEBUG(10,("idmap_gid_to_sid: gid = [%lu], domain = '%s'\n",
107 (unsigned long)gid, domname?domname:"NULL"));
109 if (winbindd_use_idmap_cache()
110 && idmap_cache_find_gid2sid(gid, sid, &expired)) {
111 DEBUG(10, ("idmap_cache_find_gid2sid found %u%s\n",
112 (unsigned int)gid,
113 expired ? " (expired)": ""));
114 if (expired && idmap_is_online()) {
115 DEBUG(10, ("revalidating expired entry\n"));
116 goto backend;
118 if (is_null_sid(sid)) {
119 DEBUG(10, ("Returning negative cache entry\n"));
120 return NT_STATUS_NONE_MAPPED;
122 DEBUG(10, ("Returning positive cache entry\n"));
123 return NT_STATUS_OK;
126 backend:
127 ZERO_STRUCT(map);
128 map.sid = sid;
129 map.xid.type = ID_TYPE_GID;
130 map.xid.id = gid;
132 ret = idmap_backends_unixid_to_sid(domname, &map);
133 if ( ! NT_STATUS_IS_OK(ret)) {
134 DEBUG(10, ("error mapping gid [%lu]\n", (unsigned long)gid));
135 return ret;
138 if (map.status != ID_MAPPED) {
139 if (winbindd_use_idmap_cache()) {
140 struct dom_sid null_sid;
141 struct unixid id;
142 id.type = ID_TYPE_GID;
143 id.id = gid;
144 ZERO_STRUCT(null_sid);
145 idmap_cache_set_sid2unixid(&null_sid, &id);
147 DEBUG(10, ("gid [%lu] not mapped\n", (unsigned long)gid));
148 return NT_STATUS_NONE_MAPPED;
151 if (winbindd_use_idmap_cache()) {
152 idmap_cache_set_sid2unixid(sid, &map.xid);
155 return NT_STATUS_OK;
159 * check whether a given unix id is inside the filter range of an idmap domain
161 bool idmap_unix_id_is_in_range(uint32_t id, struct idmap_domain *dom)
163 if (id == 0) {
164 /* 0 is not an allowed unix id for id mapping */
165 return false;
168 if ((dom->low_id && (id < dom->low_id)) ||
169 (dom->high_id && (id > dom->high_id)))
171 return false;
174 return true;
178 * Helper for unixids_to_sids: find entry by id in mapping array,
179 * search up to IDMAP_AD_MAX_IDS entries
181 struct id_map *idmap_find_map_by_id(struct id_map **maps, enum id_type type,
182 uint32_t id)
184 int i;
186 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
187 if (maps[i] == NULL) { /* end of the run */
188 return NULL;
190 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
191 return maps[i];
195 return NULL;
199 * Helper for sids_to_unix_ids: find entry by SID in mapping array,
200 * search up to IDMAP_AD_MAX_IDS entries
202 struct id_map *idmap_find_map_by_sid(struct id_map **maps, struct dom_sid *sid)
204 int i;
206 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
207 if (maps[i] == NULL) { /* end of the run */
208 return NULL;
210 if (dom_sid_equal(maps[i]->sid, sid)) {
211 return maps[i];
215 return NULL;
218 char *idmap_fetch_secret(const char *backend, const char *domain,
219 const char *identity)
221 char *tmp, *ret;
222 int r;
224 r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
226 if (r < 0)
227 return NULL;
229 /* make sure the key is case insensitive */
230 if (!strupper_m(tmp)) {
231 SAFE_FREE(tmp);
232 return NULL;
235 ret = secrets_fetch_generic(tmp, identity);
237 SAFE_FREE(tmp);
239 return ret;