search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r7415: * big change -- volker's new async winbindd from trunk
[Samba/gbeck.git] / source / nsswitch / winbindd_sid.c
blobf8fb5e93c2ec1aabdcfe004694b2663646f3f92b
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - sid related functions
5
6 Copyright (C) Tim Potter 2000
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 #include "winbindd.h"
25
26 #undef DBGC_CLASS
27 #define DBGC_CLASS DBGC_WINBIND
28
29 /* Convert a string */
30
31 static void lookupsid_recv(void *private, BOOL success,
32 const char *dom_name, const char *name,
33 enum SID_NAME_USE type);
34
35 enum winbindd_result winbindd_lookupsid(struct winbindd_cli_state *state)
36 {
37 DOM_SID sid;
38
39 /* Ensure null termination */
40 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
41
42 DEBUG(3, ("[%5lu]: lookupsid %s\n", (unsigned long)state->pid,
43 state->request.data.sid));
44
45 if (!string_to_sid(&sid, state->request.data.sid)) {
46 DEBUG(5, ("%s not a SID\n", state->request.data.sid));
47 return WINBINDD_ERROR;
48 }
49
50 winbindd_lookupsid_async(state->mem_ctx, &sid, lookupsid_recv, state);
51 return WINBINDD_PENDING;
52 }
53
54 static void lookupsid_recv(void *private, BOOL success,
55 const char *dom_name, const char *name,
56 enum SID_NAME_USE type)
57 {
58 struct winbindd_cli_state *state =
59 talloc_get_type_abort(private, struct winbindd_cli_state);
60
61 if (!success) {
62 DEBUG(5, ("lookupsid returned an error\n"));
63 state->response.result = WINBINDD_ERROR;
64 request_finished(state);
65 return;
66 }
67
68 fstrcpy(state->response.data.name.dom_name, dom_name);
69 fstrcpy(state->response.data.name.name, name);
70 state->response.data.name.type = type;
71 state->response.result = WINBINDD_OK;
72 request_finished(state);
73 }
74
75 /**
76 * Look up the SID for a qualified name.
77 **/
78
79 static void lookupname_recv(void *private, BOOL success,
80 const DOM_SID *sid, enum SID_NAME_USE type);
81
82 enum winbindd_result winbindd_lookupname(struct winbindd_cli_state *state)
83 {
84 char *name_domain, *name_user;
85 char *p;
86
87 /* Ensure null termination */
88 state->request.data.sid[sizeof(state->request.data.name.dom_name)-1]='\0';
89
90 /* Ensure null termination */
91 state->request.data.sid[sizeof(state->request.data.name.name)-1]='\0';
92
93 /* cope with the name being a fully qualified name */
94 p = strstr(state->request.data.name.name, lp_winbind_separator());
95 if (p) {
96 *p = 0;
97 name_domain = state->request.data.name.name;
98 name_user = p+1;
99 } else {
100 name_domain = state->request.data.name.dom_name;
101 name_user = state->request.data.name.name;
102 }
103
104 DEBUG(3, ("[%5lu]: lookupname %s%s%s\n", (unsigned long)state->pid,
105 name_domain, lp_winbind_separator(), name_user));
106
107 winbindd_lookupname_async(state->mem_ctx, name_domain, name_user,
108 lookupname_recv, state);
109 return WINBINDD_PENDING;
110 }
111
112 static void lookupname_recv(void *private, BOOL success,
113 const DOM_SID *sid, enum SID_NAME_USE type)
114 {
115 struct winbindd_cli_state *state =
116 talloc_get_type_abort(private, struct winbindd_cli_state);
117
118 if (!success) {
119 DEBUG(5, ("lookupname returned an error\n"));
120 state->response.result = WINBINDD_ERROR;
121 request_finished(state);
122 return;
123 }
124
125 sid_to_string(state->response.data.sid.sid, sid);
126 state->response.data.sid.type = type;
127 state->response.result = WINBINDD_OK;
128 request_finished(state);
129 return;
130 }
131
132 static struct winbindd_child static_idmap_child;
133
134 void init_idmap_child(void)
135 {
136 setup_domain_child(NULL, &static_idmap_child, "idmap");
137 }
138
139 struct winbindd_child *idmap_child(void)
140 {
141 return &static_idmap_child;
142 }
143
144 /* Convert a sid to a uid. We assume we only have one rid attached to the
145 sid. */
146
147 static void sid2uid_recv(void *private, BOOL success, uid_t uid);
148
149 enum winbindd_result winbindd_sid_to_uid(struct winbindd_cli_state *state)
150 {
151 DOM_SID sid;
152 NTSTATUS result;
153
154 /* Ensure null termination */
155 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
156
157 DEBUG(3, ("[%5lu]: sid to uid %s\n", (unsigned long)state->pid,
158 state->request.data.sid));
159
160 if (idmap_proxyonly()) {
161 DEBUG(8, ("IDMAP proxy only\n"));
162 return WINBINDD_ERROR;
163 }
164
165 if (!string_to_sid(&sid, state->request.data.sid)) {
166 DEBUG(1, ("Could not get convert sid %s from string\n",
167 state->request.data.sid));
168 return WINBINDD_ERROR;
169 }
170
171 /* Query only the local tdb, everything else might possibly block */
172
173 result = idmap_sid_to_uid(&sid, &(state->response.data.uid),
174 ID_QUERY_ONLY|ID_CACHE_ONLY);
175
176 if (NT_STATUS_IS_OK(result)) {
177 return WINBINDD_OK;
178 }
179
180 winbindd_sid2uid_async(state->mem_ctx, &sid, sid2uid_recv, state);
181 return WINBINDD_PENDING;
182 }
183
184 static void sid2uid_recv(void *private, BOOL success, uid_t uid)
185 {
186 struct winbindd_cli_state *state =
187 talloc_get_type_abort(private, struct winbindd_cli_state);
188
189 if (!success) {
190 DEBUG(5, ("Could not convert sid %s\n",
191 state->request.data.sid));
192 state->response.result = WINBINDD_ERROR;
193 request_finished(state);
194 return;
195 }
196
197 state->response.result = WINBINDD_OK;
198 state->response.data.uid = uid;
199 request_finished(state);
200 }
201
202 /* Convert a sid to a gid. We assume we only have one rid attached to the
203 sid.*/
204
205 static void sid2gid_recv(void *private, BOOL success, gid_t gid);
206
207 enum winbindd_result winbindd_sid_to_gid(struct winbindd_cli_state *state)
208 {
209 DOM_SID sid;
210 NTSTATUS result;
211
212 /* Ensure null termination */
213 state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
214
215 DEBUG(3, ("[%5lu]: sid to gid %s\n", (unsigned long)state->pid,
216 state->request.data.sid));
217
218 if (idmap_proxyonly()) {
219 DEBUG(8, ("IDMAP proxy only\n"));
220 return WINBINDD_ERROR;
221 }
222
223 if (!string_to_sid(&sid, state->request.data.sid)) {
224 DEBUG(1, ("Could not get convert sid %s from string\n",
225 state->request.data.sid));
226 return WINBINDD_ERROR;
227 }
228
229 /* Query only the local tdb, everything else might possibly block */
230
231 result = idmap_sid_to_gid(&sid, &(state->response.data.gid),
232 ID_QUERY_ONLY|ID_CACHE_ONLY);
233
234 if (NT_STATUS_IS_OK(result)) {
235 return WINBINDD_OK;
236 }
237
238 winbindd_sid2gid_async(state->mem_ctx, &sid, sid2gid_recv, state);
239 return WINBINDD_PENDING;
240 }
241
242 static void sid2gid_recv(void *private, BOOL success, gid_t gid)
243 {
244 struct winbindd_cli_state *state =
245 talloc_get_type_abort(private, struct winbindd_cli_state);
246
247 if (!success) {
248 DEBUG(5, ("Could not convert sid %s\n",
249 state->request.data.sid));
250 state->response.result = WINBINDD_ERROR;
251 request_finished(state);
252 return;
253 }
254
255 state->response.result = WINBINDD_OK;
256 state->response.data.gid = gid;
257 request_finished(state);
258 }
259
260 /* Convert a uid to a sid */
261
262 struct uid2sid_state {
263 struct winbindd_cli_state *cli_state;
264 uid_t uid;
265 fstring name;
266 DOM_SID sid;
267 enum SID_NAME_USE type;
268 };
269
270 static void uid2sid_uid2name_recv(void *private, BOOL success,
271 const char *username);
272 static void uid2sid_lookupname_recv(void *private, BOOL success,
273 const DOM_SID *sid,
274 enum SID_NAME_USE type);
275 static void uid2sid_idmap_set_mapping_recv(void *private, BOOL success);
276
277 enum winbindd_result winbindd_uid_to_sid(struct winbindd_cli_state *state)
278 {
279 DOM_SID sid;
280 NTSTATUS status;
281 struct uid2sid_state *uid2sid_state;
282
283 DEBUG(3, ("[%5lu]: uid to sid %lu\n", (unsigned long)state->pid,
284 (unsigned long)state->request.data.uid));
285
286 if (idmap_proxyonly()) {
287 DEBUG(8, ("IDMAP proxy only\n"));
288 return WINBINDD_ERROR;
289 }
290
291 status = idmap_uid_to_sid(&sid, state->request.data.uid,
292 ID_QUERY_ONLY | ID_CACHE_ONLY);
293
294 if (NT_STATUS_IS_OK(status)) {
295 sid_to_string(state->response.data.sid.sid, &sid);
296 state->response.data.sid.type = SID_NAME_USER;
297 return WINBINDD_OK;
298 }
299
300 if (is_in_uid_range(state->request.data.uid)) {
301 /* This is winbind's, so we should better have succeeded
302 * above. */
303 return WINBINDD_ERROR;
304 }
305
306 /* The only chance that this is correct is that winbind trusted
307 * domains only = yes, and the user exists in nss and the domain. */
308
309 if (!lp_winbind_trusted_domains_only()) {
310 return WINBINDD_ERROR;
311 }
312
313 /* The only chance that this is correct is that winbind trusted
314 * domains only = yes, and the user exists in nss and the domain. */
315
316 uid2sid_state = TALLOC_ZERO_P(state->mem_ctx, struct uid2sid_state);
317 if (uid2sid_state == NULL) {
318 DEBUG(0, ("talloc failed\n"));
319 return WINBINDD_ERROR;
320 }
321
322 uid2sid_state->cli_state = state;
323 uid2sid_state->uid = state->request.data.uid;
324
325 winbindd_uid2name_async(state->mem_ctx, state->request.data.uid,
326 uid2sid_uid2name_recv, uid2sid_state);
327 return WINBINDD_PENDING;
328 }
329
330 static void uid2sid_uid2name_recv(void *private, BOOL success,
331 const char *username)
332 {
333 struct uid2sid_state *state =
334 talloc_get_type_abort(private, struct uid2sid_state);
335
336 DEBUG(10, ("uid2sid: uid %lu has name %s\n",
337 (unsigned long)state->uid, username));
338
339 fstrcpy(state->name, username);
340
341 if (!success) {
342 state->cli_state->response.result = WINBINDD_ERROR;
343 request_finished(state->cli_state);
344 return;
345 }
346
347 winbindd_lookupname_async(state->cli_state->mem_ctx,
348 find_our_domain()->name, username,
349 uid2sid_lookupname_recv, state);
350 }
351
352 static void uid2sid_lookupname_recv(void *private, BOOL success,
353 const DOM_SID *sid, enum SID_NAME_USE type)
354 {
355 struct uid2sid_state *state =
356 talloc_get_type_abort(private, struct uid2sid_state);
357 unid_t id;
358
359 if ((!success) || (type != SID_NAME_USER)) {
360 state->cli_state->response.result = WINBINDD_ERROR;
361 request_finished(state->cli_state);
362 return;
363 }
364
365 state->sid = *sid;
366 state->type = type;
367
368 id.uid = state->uid;
369 idmap_set_mapping_async(state->cli_state->mem_ctx, sid, id, ID_USERID,
370 uid2sid_idmap_set_mapping_recv, state );
371 }
372
373 static void uid2sid_idmap_set_mapping_recv(void *private, BOOL success)
374 {
375 struct uid2sid_state *state =
376 talloc_get_type_abort(private, struct uid2sid_state);
377
378 /* don't fail if we can't store it */
379
380 sid_to_string(state->cli_state->response.data.sid.sid, &state->sid);
381 state->cli_state->response.data.sid.type = state->type;
382 state->cli_state->response.result = WINBINDD_OK;
383 request_finished(state->cli_state);
384 }
385
386 /* Convert a gid to a sid */
387
388 struct gid2sid_state {
389 struct winbindd_cli_state *cli_state;
390 gid_t gid;
391 fstring name;
392 DOM_SID sid;
393 enum SID_NAME_USE type;
394 };
395
396 static void gid2sid_gid2name_recv(void *private, BOOL success,
397 const char *groupname);
398 static void gid2sid_lookupname_recv(void *private, BOOL success,
399 const DOM_SID *sid,
400 enum SID_NAME_USE type);
401 static void gid2sid_idmap_set_mapping_recv(void *private, BOOL success);
402
403 enum winbindd_result winbindd_gid_to_sid(struct winbindd_cli_state *state)
404 {
405 DOM_SID sid;
406 NTSTATUS status;
407 struct gid2sid_state *gid2sid_state;
408
409 DEBUG(3, ("[%5lu]: gid to sid %lu\n", (unsigned long)state->pid,
410 (unsigned long)state->request.data.gid));
411
412 if (idmap_proxyonly()) {
413 DEBUG(8, ("IDMAP proxy only\n"));
414 return WINBINDD_ERROR;
415 }
416
417 status = idmap_gid_to_sid(&sid, state->request.data.gid,
418 ID_QUERY_ONLY | ID_CACHE_ONLY);
419
420 if (NT_STATUS_IS_OK(status)) {
421 sid_to_string(state->response.data.sid.sid, &sid);
422 state->response.data.sid.type = SID_NAME_USER;
423 return WINBINDD_OK;
424 }
425
426 if (is_in_gid_range(state->request.data.gid)) {
427 /* This is winbind's, so we should better have succeeded
428 * above. */
429 return WINBINDD_ERROR;
430 }
431
432 /* The only chance that this is correct is that winbind trusted
433 * domains only = yes, and the user exists in nss and the domain. */
434
435 if (!lp_winbind_trusted_domains_only()) {
436 return WINBINDD_ERROR;
437 }
438
439 /* The only chance that this is correct is that winbind trusted
440 * domains only = yes, and the user exists in nss and the domain. */
441
442 gid2sid_state = TALLOC_ZERO_P(state->mem_ctx, struct gid2sid_state);
443 if (gid2sid_state == NULL) {
444 DEBUG(0, ("talloc failed\n"));
445 return WINBINDD_ERROR;
446 }
447
448 gid2sid_state->cli_state = state;
449 gid2sid_state->gid = state->request.data.gid;
450
451 winbindd_gid2name_async(state->mem_ctx, state->request.data.gid,
452 gid2sid_gid2name_recv, gid2sid_state);
453 return WINBINDD_PENDING;
454 }
455
456 static void gid2sid_gid2name_recv(void *private, BOOL success,
457 const char *username)
458 {
459 struct gid2sid_state *state =
460 talloc_get_type_abort(private, struct gid2sid_state);
461
462 DEBUG(10, ("gid2sid: gid %lu has name %s\n",
463 (unsigned long)state->gid, username));
464
465 fstrcpy(state->name, username);
466
467 if (!success) {
468 state->cli_state->response.result = WINBINDD_ERROR;
469 request_finished(state->cli_state);
470 return;
471 }
472
473 winbindd_lookupname_async(state->cli_state->mem_ctx,
474 find_our_domain()->name, username,
475 gid2sid_lookupname_recv, state);
476 }
477
478 static void gid2sid_lookupname_recv(void *private, BOOL success,
479 const DOM_SID *sid, enum SID_NAME_USE type)
480 {
481 struct gid2sid_state *state =
482 talloc_get_type_abort(private, struct gid2sid_state);
483 unid_t id;
484
485 if ((!success) ||
486 ((type != SID_NAME_DOM_GRP) && (type!=SID_NAME_ALIAS))) {
487 state->cli_state->response.result = WINBINDD_ERROR;
488 request_finished(state->cli_state);
489 return;
490 }
491
492 state->sid = *sid;
493 state->type = type;
494
495 id.gid = state->gid;
496 idmap_set_mapping_async(state->cli_state->mem_ctx, sid, id, ID_GROUPID,
497 gid2sid_idmap_set_mapping_recv, state );
498 }
499
500 static void gid2sid_idmap_set_mapping_recv(void *private, BOOL success)
501 {
502 struct gid2sid_state *state = private;
503
504 /* don't fail if we can't store it */
505
506 sid_to_string(state->cli_state->response.data.sid.sid, &state->sid);
507 state->cli_state->response.data.sid.type = state->type;
508 state->cli_state->response.result = WINBINDD_OK;
509 request_finished(state->cli_state);
510 }
511
512 enum winbindd_result winbindd_allocate_rid(struct winbindd_cli_state *state)
513 {
514 if ( !state->privileged ) {
515 DEBUG(2, ("winbindd_allocate_rid: non-privileged access "
516 "denied!\n"));
517 return WINBINDD_ERROR;
518 }
519
520 async_request(state->mem_ctx, idmap_child(),
521 &state->request, &state->response,
522 request_finished_cont, state);
523 return WINBINDD_PENDING;
524 }
525
526 enum winbindd_result winbindd_dual_allocate_rid(struct winbindd_domain *domain,
527 struct winbindd_cli_state *state)
528 {
529 /* We tell idmap to always allocate a user RID. There might be a good
530 * reason to keep RID allocation for users to even and groups to
531 * odd. This needs discussion I think. For now only allocate user
532 * rids. */
533
534 if (!NT_STATUS_IS_OK(idmap_allocate_rid(&state->response.data.rid,
535 USER_RID_TYPE)))
536 return WINBINDD_ERROR;
537
538 return WINBINDD_OK;
539 }
540
541 enum winbindd_result winbindd_allocate_rid_and_gid(struct winbindd_cli_state *state)
542 {
543 if ( !state->privileged ) {
544 DEBUG(2, ("winbindd_allocate_rid: non-privileged access "
545 "denied!\n"));
546 return WINBINDD_ERROR;
547 }
548
549 async_request(state->mem_ctx, idmap_child(),
550 &state->request, &state->response,
551 request_finished_cont, state);
552 return WINBINDD_PENDING;
553 }
554
555 enum winbindd_result winbindd_dual_allocate_rid_and_gid(struct winbindd_domain *domain,
556 struct winbindd_cli_state *state)
557 {
558 NTSTATUS result;
559 DOM_SID sid;
560
561 /* We tell idmap to always allocate a user RID. This is really
562 * historic and needs to be fixed. I *think* this has to do with the
563 * way winbind determines its free RID space. */
564
565 result = idmap_allocate_rid(&state->response.data.rid_and_gid.rid,
566 USER_RID_TYPE);
567
568 if (!NT_STATUS_IS_OK(result))
569 return WINBINDD_ERROR;
570
571 sid_copy(&sid, get_global_sam_sid());
572 sid_append_rid(&sid, state->response.data.rid_and_gid.rid);
573
574 result = idmap_sid_to_gid(&sid, &state->response.data.rid_and_gid.gid,
575 0);
576
577 if (!NT_STATUS_IS_OK(result))
578 return WINBINDD_ERROR;
579
580 return WINBINDD_OK;
581 }
WIP