search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-winbindd: Move code for verifying ADS connection to common helper function
[Samba/gebeck_regimport.git] / source3 / winbindd / idmap_ad.c
blob0e00a340bf24c365431c85607a3fd990d89231ab
1 /*
2 * idmap_ad: map between Active Directory and RFC 2307 or "Services for Unix" (SFU) Accounts
3 *
4 * Unix SMB/CIFS implementation.
5 *
6 * Winbind ADS backend functions
7 *
8 * Copyright (C) Andrew Tridgell 2001
9 * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
10 * Copyright (C) Gerald (Jerry) Carter 2004-2007
11 * Copyright (C) Luke Howard 2001-2004
12 * Copyright (C) Michael Adam 2008,2010
13 *
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 3 of the License, or
17 * (at your option) any later version.
18 *
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
23 *
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, see <http://www.gnu.org/licenses/>.
26 */
27
28 #include "includes.h"
29 #include "winbindd.h"
30 #include "../libds/common/flags.h"
31 #include "ads.h"
32 #include "libads/ldap_schema.h"
33 #include "nss_info.h"
34 #include "secrets.h"
35 #include "idmap.h"
36 #include "../libcli/ldap/ldap_ndr.h"
37 #include "../libcli/security/security.h"
38
39 #undef DBGC_CLASS
40 #define DBGC_CLASS DBGC_IDMAP
41
42 #define CHECK_ALLOC_DONE(mem) do { \
43 if (!mem) { \
44 DEBUG(0, ("Out of memory!\n")); \
45 ret = NT_STATUS_NO_MEMORY; \
46 goto done; \
47 } \
48 } while (0)
49
50 struct idmap_ad_context {
51 ADS_STRUCT *ads;
52 struct posix_schema *ad_schema;
53 enum wb_posix_mapping ad_map_type; /* WB_POSIX_MAP_UNKNOWN */
54 };
55
56 /************************************************************************
57 ***********************************************************************/
58
59 static ADS_STATUS ad_idmap_cached_connection_internal(struct idmap_domain *dom)
60 {
61 ADS_STRUCT *ads;
62 ADS_STATUS status;
63 fstring dc_name;
64 struct sockaddr_storage dc_ip;
65 struct idmap_ad_context *ctx;
66 char *ldap_server = NULL;
67 char *realm = NULL;
68 struct winbindd_domain *wb_dom;
69
70 DEBUG(10, ("ad_idmap_cached_connection: called for domain '%s'\n",
71 dom->name));
72
73 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
74
75 ads_cached_connection_reuse(&ctx->ads);
76 if (ctx->ads != NULL) {
77 return ADS_SUCCESS;
78 }
79
80 /* we don't want this to affect the users ccache */
81 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
82
83 /*
84 * At this point we only have the NetBIOS domain name.
85 * Check if we can get server nam and realm from SAF cache
86 * and the domain list.
87 */
88 ldap_server = saf_fetch(dom->name);
89 DEBUG(10, ("ldap_server from saf cache: '%s'\n", ldap_server?ldap_server:""));
90
91 wb_dom = find_domain_from_name_noinit(dom->name);
92 if (wb_dom == NULL) {
93 DEBUG(10, ("find_domain_from_name_noinit did not find domain '%s'\n",
94 dom->name));
95 realm = NULL;
96 } else {
97 DEBUG(10, ("find_domain_from_name_noinit found realm '%s' for "
98 " domain '%s'\n", wb_dom->alt_name, dom->name));
99 realm = wb_dom->alt_name;
100 }
101
102 if ( (ads = ads_init(realm, dom->name, ldap_server)) == NULL ) {
103 DEBUG(1,("ads_init failed\n"));
104 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
105 }
106
107 /* the machine acct password might have change - fetch it every time */
108 SAFE_FREE(ads->auth.password);
109 ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
110
111 SAFE_FREE(ads->auth.realm);
112 ads->auth.realm = SMB_STRDUP(lp_realm());
113
114 /* setup server affinity */
115
116 get_dc_name(dom->name, realm, dc_name, &dc_ip );
117
118 status = ads_connect(ads);
119 if (!ADS_ERR_OK(status)) {
120 DEBUG(1, ("ad_idmap_cached_connection_internal: failed to "
121 "connect to AD\n"));
122 ads_destroy(&ads);
123 return status;
124 }
125
126 ads->is_mine = False;
127
128 ctx->ads = ads;
129
130 return ADS_SUCCESS;
131 }
132
133 /************************************************************************
134 ***********************************************************************/
135
136 static ADS_STATUS ad_idmap_cached_connection(struct idmap_domain *dom)
137 {
138 ADS_STATUS status;
139 struct idmap_ad_context * ctx;
140
141 status = ad_idmap_cached_connection_internal(dom);
142 if (!ADS_ERR_OK(status)) {
143 return status;
144 }
145
146 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
147
148 /* if we have a valid ADS_STRUCT and the schema model is
149 defined, then we can return here. */
150
151 if ( ctx->ad_schema ) {
152 return ADS_SUCCESS;
153 }
154
155 /* Otherwise, set the schema model */
156
157 if ( (ctx->ad_map_type == WB_POSIX_MAP_SFU) ||
158 (ctx->ad_map_type == WB_POSIX_MAP_SFU20) ||
159 (ctx->ad_map_type == WB_POSIX_MAP_RFC2307) )
160 {
161 status = ads_check_posix_schema_mapping(
162 ctx, ctx->ads, ctx->ad_map_type, &ctx->ad_schema);
163 if ( !ADS_ERR_OK(status) ) {
164 DEBUG(2,("ad_idmap_cached_connection: Failed to obtain schema details!\n"));
165 }
166 }
167
168 return status;
169 }
170
171 static int idmap_ad_context_destructor(struct idmap_ad_context *ctx)
172 {
173 if (ctx->ads != NULL) {
174 /* we own this ADS_STRUCT so make sure it goes away */
175 ctx->ads->is_mine = True;
176 ads_destroy( &ctx->ads );
177 ctx->ads = NULL;
178 }
179 return 0;
180 }
181
182 /************************************************************************
183 ***********************************************************************/
184
185 static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom)
186 {
187 struct idmap_ad_context *ctx;
188 char *config_option;
189 const char *schema_mode = NULL;
190
191 ctx = talloc_zero(dom, struct idmap_ad_context);
192 if (ctx == NULL) {
193 DEBUG(0, ("Out of memory!\n"));
194 return NT_STATUS_NO_MEMORY;
195 }
196 talloc_set_destructor(ctx, idmap_ad_context_destructor);
197
198 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
199 if (config_option == NULL) {
200 DEBUG(0, ("Out of memory!\n"));
201 talloc_free(ctx);
202 return NT_STATUS_NO_MEMORY;
203 }
204
205 /* default map type */
206 ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
207
208 /* schema mode */
209 schema_mode = lp_parm_const_string(-1, config_option, "schema_mode", NULL);
210 if ( schema_mode && schema_mode[0] ) {
211 if ( strequal(schema_mode, "sfu") )
212 ctx->ad_map_type = WB_POSIX_MAP_SFU;
213 else if ( strequal(schema_mode, "sfu20" ) )
214 ctx->ad_map_type = WB_POSIX_MAP_SFU20;
215 else if ( strequal(schema_mode, "rfc2307" ) )
216 ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
217 else
218 DEBUG(0,("idmap_ad_initialize: Unknown schema_mode (%s)\n",
219 schema_mode));
220 }
221
222 dom->private_data = ctx;
223
224 talloc_free(config_option);
225
226 return NT_STATUS_OK;
227 }
228
229 /************************************************************************
230 ***********************************************************************/
231
232 static NTSTATUS idmap_ad_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
233 {
234 NTSTATUS ret;
235 TALLOC_CTX *memctx;
236 struct idmap_ad_context *ctx;
237 ADS_STATUS rc;
238 const char *attrs[] = { "sAMAccountType",
239 "objectSid",
240 NULL, /* uidnumber */
241 NULL, /* gidnumber */
242 NULL };
243 LDAPMessage *res = NULL;
244 LDAPMessage *entry = NULL;
245 char *filter = NULL;
246 int idx = 0;
247 int bidx = 0;
248 int count;
249 int i;
250 char *u_filter = NULL;
251 char *g_filter = NULL;
252
253 /* initialize the status to avoid suprise */
254 for (i = 0; ids[i]; i++) {
255 ids[i]->status = ID_UNKNOWN;
256 }
257
258 /* Only do query if we are online */
259 if (idmap_is_offline()) {
260 return NT_STATUS_FILE_IS_OFFLINE;
261 }
262
263 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
264
265 if ( (memctx = talloc_new(ctx)) == NULL ) {
266 DEBUG(0, ("Out of memory!\n"));
267 return NT_STATUS_NO_MEMORY;
268 }
269
270 rc = ad_idmap_cached_connection(dom);
271 if (!ADS_ERR_OK(rc)) {
272 DEBUG(1, ("ADS uninitialized: %s\n", ads_errstr(rc)));
273 ret = NT_STATUS_UNSUCCESSFUL;
274 /* ret = ads_ntstatus(rc); */
275 goto done;
276 }
277
278 attrs[2] = ctx->ad_schema->posix_uidnumber_attr;
279 attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
280
281 again:
282 bidx = idx;
283 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
284 switch (ids[idx]->xid.type) {
285 case ID_TYPE_UID:
286 if ( ! u_filter) {
287 u_filter = talloc_asprintf(memctx, "(&(|"
288 "(sAMAccountType=%d)"
289 "(sAMAccountType=%d)"
290 "(sAMAccountType=%d))(|",
291 ATYPE_NORMAL_ACCOUNT,
292 ATYPE_WORKSTATION_TRUST,
293 ATYPE_INTERDOMAIN_TRUST);
294 }
295 u_filter = talloc_asprintf_append_buffer(u_filter, "(%s=%lu)",
296 ctx->ad_schema->posix_uidnumber_attr,
297 (unsigned long)ids[idx]->xid.id);
298 CHECK_ALLOC_DONE(u_filter);
299 break;
300
301 case ID_TYPE_GID:
302 if ( ! g_filter) {
303 g_filter = talloc_asprintf(memctx, "(&(|"
304 "(sAMAccountType=%d)"
305 "(sAMAccountType=%d))(|",
306 ATYPE_SECURITY_GLOBAL_GROUP,
307 ATYPE_SECURITY_LOCAL_GROUP);
308 }
309 g_filter = talloc_asprintf_append_buffer(g_filter, "(%s=%lu)",
310 ctx->ad_schema->posix_gidnumber_attr,
311 (unsigned long)ids[idx]->xid.id);
312 CHECK_ALLOC_DONE(g_filter);
313 break;
314
315 default:
316 DEBUG(3, ("Error: mapping requested but Unknown ID type\n"));
317 ids[idx]->status = ID_UNKNOWN;
318 continue;
319 }
320 }
321 filter = talloc_asprintf(memctx, "(|");
322 CHECK_ALLOC_DONE(filter);
323 if ( u_filter) {
324 filter = talloc_asprintf_append_buffer(filter, "%s))", u_filter);
325 CHECK_ALLOC_DONE(filter);
326 TALLOC_FREE(u_filter);
327 }
328 if ( g_filter) {
329 filter = talloc_asprintf_append_buffer(filter, "%s))", g_filter);
330 CHECK_ALLOC_DONE(filter);
331 TALLOC_FREE(g_filter);
332 }
333 filter = talloc_asprintf_append_buffer(filter, ")");
334 CHECK_ALLOC_DONE(filter);
335
336 rc = ads_search_retry(ctx->ads, &res, filter, attrs);
337 if (!ADS_ERR_OK(rc)) {
338 DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc)));
339 ret = NT_STATUS_UNSUCCESSFUL;
340 goto done;
341 }
342
343 if ( (count = ads_count_replies(ctx->ads, res)) == 0 ) {
344 DEBUG(10, ("No IDs found\n"));
345 }
346
347 entry = res;
348 for (i = 0; (i < count) && entry; i++) {
349 struct dom_sid sid;
350 enum id_type type;
351 struct id_map *map;
352 uint32_t id;
353 uint32_t atype;
354
355 if (i == 0) { /* first entry */
356 entry = ads_first_entry(ctx->ads, entry);
357 } else { /* following ones */
358 entry = ads_next_entry(ctx->ads, entry);
359 }
360
361 if ( !entry ) {
362 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
363 break;
364 }
365
366 /* first check if the SID is present */
367 if (!ads_pull_sid(ctx->ads, entry, "objectSid", &sid)) {
368 DEBUG(2, ("Could not retrieve SID from entry\n"));
369 continue;
370 }
371
372 /* get type */
373 if (!ads_pull_uint32(ctx->ads, entry, "sAMAccountType", &atype)) {
374 DEBUG(1, ("could not get SAM account type\n"));
375 continue;
376 }
377
378 switch (atype & 0xF0000000) {
379 case ATYPE_SECURITY_GLOBAL_GROUP:
380 case ATYPE_SECURITY_LOCAL_GROUP:
381 type = ID_TYPE_GID;
382 break;
383 case ATYPE_NORMAL_ACCOUNT:
384 case ATYPE_WORKSTATION_TRUST:
385 case ATYPE_INTERDOMAIN_TRUST:
386 type = ID_TYPE_UID;
387 break;
388 default:
389 DEBUG(1, ("unrecognized SAM account type %08x\n", atype));
390 continue;
391 }
392
393 if (!ads_pull_uint32(ctx->ads, entry, (type==ID_TYPE_UID) ?
394 ctx->ad_schema->posix_uidnumber_attr :
395 ctx->ad_schema->posix_gidnumber_attr,
396 &id))
397 {
398 DEBUG(1, ("Could not get unix ID\n"));
399 continue;
400 }
401
402 if (!idmap_unix_id_is_in_range(id, dom)) {
403 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
404 id, dom->low_id, dom->high_id));
405 continue;
406 }
407
408 map = idmap_find_map_by_id(&ids[bidx], type, id);
409 if (!map) {
410 DEBUG(2, ("WARNING: couldn't match result with requested ID\n"));
411 continue;
412 }
413
414 sid_copy(map->sid, &sid);
415
416 /* mapped */
417 map->status = ID_MAPPED;
418
419 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
420 (unsigned long)map->xid.id,
421 map->xid.type));
422 }
423
424 if (res) {
425 ads_msgfree(ctx->ads, res);
426 }
427
428 if (ids[idx]) { /* still some values to map */
429 goto again;
430 }
431
432 ret = NT_STATUS_OK;
433
434 /* mark all unknown/expired ones as unmapped */
435 for (i = 0; ids[i]; i++) {
436 if (ids[i]->status != ID_MAPPED)
437 ids[i]->status = ID_UNMAPPED;
438 }
439
440 done:
441 talloc_free(memctx);
442 return ret;
443 }
444
445 /************************************************************************
446 ***********************************************************************/
447
448 static NTSTATUS idmap_ad_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
449 {
450 NTSTATUS ret;
451 TALLOC_CTX *memctx;
452 struct idmap_ad_context *ctx;
453 ADS_STATUS rc;
454 const char *attrs[] = { "sAMAccountType",
455 "objectSid",
456 NULL, /* attr_uidnumber */
457 NULL, /* attr_gidnumber */
458 NULL };
459 LDAPMessage *res = NULL;
460 LDAPMessage *entry = NULL;
461 char *filter = NULL;
462 int idx = 0;
463 int bidx = 0;
464 int count;
465 int i;
466 char *sidstr;
467
468 /* initialize the status to avoid suprise */
469 for (i = 0; ids[i]; i++) {
470 ids[i]->status = ID_UNKNOWN;
471 }
472
473 /* Only do query if we are online */
474 if (idmap_is_offline()) {
475 return NT_STATUS_FILE_IS_OFFLINE;
476 }
477
478 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
479
480 if ( (memctx = talloc_new(ctx)) == NULL ) {
481 DEBUG(0, ("Out of memory!\n"));
482 return NT_STATUS_NO_MEMORY;
483 }
484
485 rc = ad_idmap_cached_connection(dom);
486 if (!ADS_ERR_OK(rc)) {
487 DEBUG(1, ("ADS uninitialized: %s\n", ads_errstr(rc)));
488 ret = NT_STATUS_UNSUCCESSFUL;
489 /* ret = ads_ntstatus(rc); */
490 goto done;
491 }
492
493 if (ctx->ad_schema == NULL) {
494 DEBUG(0, ("haven't got ctx->ad_schema ! \n"));
495 ret = NT_STATUS_UNSUCCESSFUL;
496 goto done;
497 }
498
499 attrs[2] = ctx->ad_schema->posix_uidnumber_attr;
500 attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
501
502 again:
503 filter = talloc_asprintf(memctx, "(&(|"
504 "(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d)" /* user account types */
505 "(sAMAccountType=%d)(sAMAccountType=%d)" /* group account types */
506 ")(|",
507 ATYPE_NORMAL_ACCOUNT, ATYPE_WORKSTATION_TRUST, ATYPE_INTERDOMAIN_TRUST,
508 ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
509
510 CHECK_ALLOC_DONE(filter);
511
512 bidx = idx;
513 for (i = 0; (i < IDMAP_LDAP_MAX_IDS) && ids[idx]; i++, idx++) {
514
515 ids[idx]->status = ID_UNKNOWN;
516
517 sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), ids[idx]->sid);
518 filter = talloc_asprintf_append_buffer(filter, "(objectSid=%s)", sidstr);
519
520 TALLOC_FREE(sidstr);
521 CHECK_ALLOC_DONE(filter);
522 }
523 filter = talloc_asprintf_append_buffer(filter, "))");
524 CHECK_ALLOC_DONE(filter);
525 DEBUG(10, ("Filter: [%s]\n", filter));
526
527 rc = ads_search_retry(ctx->ads, &res, filter, attrs);
528 if (!ADS_ERR_OK(rc)) {
529 DEBUG(1, ("ERROR: ads search returned: %s\n", ads_errstr(rc)));
530 ret = NT_STATUS_UNSUCCESSFUL;
531 goto done;
532 }
533
534 if ( (count = ads_count_replies(ctx->ads, res)) == 0 ) {
535 DEBUG(10, ("No IDs found\n"));
536 }
537
538 entry = res;
539 for (i = 0; (i < count) && entry; i++) {
540 struct dom_sid sid;
541 enum id_type type;
542 struct id_map *map;
543 uint32_t id;
544 uint32_t atype;
545
546 if (i == 0) { /* first entry */
547 entry = ads_first_entry(ctx->ads, entry);
548 } else { /* following ones */
549 entry = ads_next_entry(ctx->ads, entry);
550 }
551
552 if ( !entry ) {
553 DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
554 break;
555 }
556
557 /* first check if the SID is present */
558 if (!ads_pull_sid(ctx->ads, entry, "objectSid", &sid)) {
559 DEBUG(2, ("Could not retrieve SID from entry\n"));
560 continue;
561 }
562
563 map = idmap_find_map_by_sid(&ids[bidx], &sid);
564 if (!map) {
565 DEBUG(2, ("WARNING: couldn't match result with requested SID\n"));
566 continue;
567 }
568
569 /* get type */
570 if (!ads_pull_uint32(ctx->ads, entry, "sAMAccountType", &atype)) {
571 DEBUG(1, ("could not get SAM account type\n"));
572 continue;
573 }
574
575 switch (atype & 0xF0000000) {
576 case ATYPE_SECURITY_GLOBAL_GROUP:
577 case ATYPE_SECURITY_LOCAL_GROUP:
578 type = ID_TYPE_GID;
579 break;
580 case ATYPE_NORMAL_ACCOUNT:
581 case ATYPE_WORKSTATION_TRUST:
582 case ATYPE_INTERDOMAIN_TRUST:
583 type = ID_TYPE_UID;
584 break;
585 default:
586 DEBUG(1, ("unrecognized SAM account type %08x\n", atype));
587 continue;
588 }
589
590 if (!ads_pull_uint32(ctx->ads, entry, (type==ID_TYPE_UID) ?
591 ctx->ad_schema->posix_uidnumber_attr :
592 ctx->ad_schema->posix_gidnumber_attr,
593 &id))
594 {
595 DEBUG(1, ("Could not get unix ID\n"));
596 continue;
597 }
598 if (!idmap_unix_id_is_in_range(id, dom)) {
599 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
600 id, dom->low_id, dom->high_id));
601 continue;
602 }
603
604 /* mapped */
605 map->xid.type = type;
606 map->xid.id = id;
607 map->status = ID_MAPPED;
608
609 DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_dbg(map->sid),
610 (unsigned long)map->xid.id,
611 map->xid.type));
612 }
613
614 if (res) {
615 ads_msgfree(ctx->ads, res);
616 }
617
618 if (ids[idx]) { /* still some values to map */
619 goto again;
620 }
621
622 ret = NT_STATUS_OK;
623
624 /* mark all unknown/expired ones as unmapped */
625 for (i = 0; ids[i]; i++) {
626 if (ids[i]->status != ID_MAPPED)
627 ids[i]->status = ID_UNMAPPED;
628 }
629
630 done:
631 talloc_free(memctx);
632 return ret;
633 }
634
635 /*
636 * nss_info_{sfu,sfu20,rfc2307}
637 */
638
639 /************************************************************************
640 Initialize the {sfu,sfu20,rfc2307} state
641 ***********************************************************************/
642
643 static const char *wb_posix_map_unknown_string = "WB_POSIX_MAP_UNKNOWN";
644 static const char *wb_posix_map_template_string = "WB_POSIX_MAP_TEMPLATE";
645 static const char *wb_posix_map_sfu_string = "WB_POSIX_MAP_SFU";
646 static const char *wb_posix_map_sfu20_string = "WB_POSIX_MAP_SFU20";
647 static const char *wb_posix_map_rfc2307_string = "WB_POSIX_MAP_RFC2307";
648 static const char *wb_posix_map_unixinfo_string = "WB_POSIX_MAP_UNIXINFO";
649
650 static const char *ad_map_type_string(enum wb_posix_mapping map_type)
651 {
652 switch (map_type) {
653 case WB_POSIX_MAP_TEMPLATE:
654 return wb_posix_map_template_string;
655 case WB_POSIX_MAP_SFU:
656 return wb_posix_map_sfu_string;
657 case WB_POSIX_MAP_SFU20:
658 return wb_posix_map_sfu20_string;
659 case WB_POSIX_MAP_RFC2307:
660 return wb_posix_map_rfc2307_string;
661 case WB_POSIX_MAP_UNIXINFO:
662 return wb_posix_map_unixinfo_string;
663 default:
664 return wb_posix_map_unknown_string;
665 }
666 }
667
668 static NTSTATUS nss_ad_generic_init(struct nss_domain_entry *e,
669 enum wb_posix_mapping new_ad_map_type)
670 {
671 struct idmap_domain *dom;
672 struct idmap_ad_context *ctx;
673
674 if (e->state != NULL) {
675 dom = talloc_get_type(e->state, struct idmap_domain);
676 } else {
677 dom = talloc_zero(e, struct idmap_domain);
678 if (dom == NULL) {
679 DEBUG(0, ("Out of memory!\n"));
680 return NT_STATUS_NO_MEMORY;
681 }
682 e->state = dom;
683 }
684
685 if (e->domain != NULL) {
686 dom->name = talloc_strdup(dom, e->domain);
687 if (dom->name == NULL) {
688 DEBUG(0, ("Out of memory!\n"));
689 return NT_STATUS_NO_MEMORY;
690 }
691 }
692
693 if (dom->private_data != NULL) {
694 ctx = talloc_get_type(dom->private_data,
695 struct idmap_ad_context);
696 } else {
697 ctx = talloc_zero(dom, struct idmap_ad_context);
698 if (ctx == NULL) {
699 DEBUG(0, ("Out of memory!\n"));
700 return NT_STATUS_NO_MEMORY;
701 }
702 ctx->ad_map_type = WB_POSIX_MAP_RFC2307;
703 dom->private_data = ctx;
704 }
705
706 if ((ctx->ad_map_type != WB_POSIX_MAP_UNKNOWN) &&
707 (ctx->ad_map_type != new_ad_map_type))
708 {
709 DEBUG(2, ("nss_ad_generic_init: "
710 "Warning: overriding previously set posix map type "
711 "%s for domain %s with map type %s.\n",
712 ad_map_type_string(ctx->ad_map_type),
713 dom->name,
714 ad_map_type_string(new_ad_map_type)));
715 }
716
717 ctx->ad_map_type = new_ad_map_type;
718
719 return NT_STATUS_OK;
720 }
721
722 static NTSTATUS nss_sfu_init( struct nss_domain_entry *e )
723 {
724 return nss_ad_generic_init(e, WB_POSIX_MAP_SFU);
725 }
726
727 static NTSTATUS nss_sfu20_init( struct nss_domain_entry *e )
728 {
729 return nss_ad_generic_init(e, WB_POSIX_MAP_SFU20);
730 }
731
732 static NTSTATUS nss_rfc2307_init( struct nss_domain_entry *e )
733 {
734 return nss_ad_generic_init(e, WB_POSIX_MAP_RFC2307);
735 }
736
737
738 /************************************************************************
739 ***********************************************************************/
740
741 static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
742 const struct dom_sid *sid,
743 TALLOC_CTX *mem_ctx,
744 const char **homedir,
745 const char **shell,
746 const char **gecos,
747 uint32 *gid )
748 {
749 const char *attrs[] = {NULL, /* attr_homedir */
750 NULL, /* attr_shell */
751 NULL, /* attr_gecos */
752 NULL, /* attr_gidnumber */
753 NULL };
754 char *filter = NULL;
755 LDAPMessage *msg_internal = NULL;
756 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
757 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
758 char *sidstr = NULL;
759 struct idmap_domain *dom;
760 struct idmap_ad_context *ctx;
761
762 DEBUG(10, ("nss_ad_get_info called for sid [%s] in domain '%s'\n",
763 sid_string_dbg(sid), e->domain?e->domain:"NULL"));
764
765 /* Only do query if we are online */
766 if (idmap_is_offline()) {
767 return NT_STATUS_FILE_IS_OFFLINE;
768 }
769
770 dom = talloc_get_type(e->state, struct idmap_domain);
771 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
772
773 ads_status = ad_idmap_cached_connection(dom);
774 if (!ADS_ERR_OK(ads_status)) {
775 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
776 }
777
778 if (!ctx->ad_schema) {
779 DEBUG(10, ("nss_ad_get_info: no ad_schema configured!\n"));
780 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
781 }
782
783 if (!sid || !homedir || !shell || !gecos) {
784 return NT_STATUS_INVALID_PARAMETER;
785 }
786
787 /* Have to do our own query */
788
789 DEBUG(10, ("nss_ad_get_info: no ads connection given, doing our "
790 "own query\n"));
791
792 attrs[0] = ctx->ad_schema->posix_homedir_attr;
793 attrs[1] = ctx->ad_schema->posix_shell_attr;
794 attrs[2] = ctx->ad_schema->posix_gecos_attr;
795 attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
796
797 sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
798 filter = talloc_asprintf(mem_ctx, "(objectSid=%s)", sidstr);
799 TALLOC_FREE(sidstr);
800
801 if (!filter) {
802 nt_status = NT_STATUS_NO_MEMORY;
803 goto done;
804 }
805
806 ads_status = ads_search_retry(ctx->ads, &msg_internal, filter, attrs);
807 if (!ADS_ERR_OK(ads_status)) {
808 nt_status = ads_ntstatus(ads_status);
809 goto done;
810 }
811
812 *homedir = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_homedir_attr);
813 *shell = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_shell_attr);
814 *gecos = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_gecos_attr);
815
816 if (gid) {
817 if (!ads_pull_uint32(ctx->ads, msg_internal, ctx->ad_schema->posix_gidnumber_attr, gid))
818 *gid = (uint32)-1;
819 }
820
821 nt_status = NT_STATUS_OK;
822
823 done:
824 if (msg_internal) {
825 ads_msgfree(ctx->ads, msg_internal);
826 }
827
828 return nt_status;
829 }
830
831 /**********************************************************************
832 *********************************************************************/
833
834 static NTSTATUS nss_ad_map_to_alias(TALLOC_CTX *mem_ctx,
835 struct nss_domain_entry *e,
836 const char *name,
837 char **alias)
838 {
839 const char *attrs[] = {NULL, /* attr_uid */
840 NULL };
841 char *filter = NULL;
842 LDAPMessage *msg = NULL;
843 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
844 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
845 struct idmap_domain *dom;
846 struct idmap_ad_context *ctx = NULL;
847
848 /* Check incoming parameters */
849
850 if ( !e || !e->domain || !name || !*alias) {
851 nt_status = NT_STATUS_INVALID_PARAMETER;
852 goto done;
853 }
854
855 /* Only do query if we are online */
856
857 if (idmap_is_offline()) {
858 nt_status = NT_STATUS_FILE_IS_OFFLINE;
859 goto done;
860 }
861
862 dom = talloc_get_type(e->state, struct idmap_domain);
863 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
864
865 ads_status = ad_idmap_cached_connection(dom);
866 if (!ADS_ERR_OK(ads_status)) {
867 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
868 }
869
870 if (!ctx->ad_schema) {
871 nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
872 goto done;
873 }
874
875 attrs[0] = ctx->ad_schema->posix_uid_attr;
876
877 filter = talloc_asprintf(mem_ctx,
878 "(sAMAccountName=%s)",
879 name);
880 if (!filter) {
881 nt_status = NT_STATUS_NO_MEMORY;
882 goto done;
883 }
884
885 ads_status = ads_search_retry(ctx->ads, &msg, filter, attrs);
886 if (!ADS_ERR_OK(ads_status)) {
887 nt_status = ads_ntstatus(ads_status);
888 goto done;
889 }
890
891 *alias = ads_pull_string(ctx->ads, mem_ctx, msg, ctx->ad_schema->posix_uid_attr);
892
893 if (!*alias) {
894 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
895 }
896
897 nt_status = NT_STATUS_OK;
898
899 done:
900 if (filter) {
901 talloc_destroy(filter);
902 }
903 if (msg) {
904 ads_msgfree(ctx->ads, msg);
905 }
906
907 return nt_status;
908 }
909
910 /**********************************************************************
911 *********************************************************************/
912
913 static NTSTATUS nss_ad_map_from_alias( TALLOC_CTX *mem_ctx,
914 struct nss_domain_entry *e,
915 const char *alias,
916 char **name )
917 {
918 const char *attrs[] = {"sAMAccountName",
919 NULL };
920 char *filter = NULL;
921 LDAPMessage *msg = NULL;
922 ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
923 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
924 char *username;
925 struct idmap_domain *dom;
926 struct idmap_ad_context *ctx = NULL;
927
928 /* Check incoming parameters */
929
930 if ( !alias || !name) {
931 nt_status = NT_STATUS_INVALID_PARAMETER;
932 goto done;
933 }
934
935 /* Only do query if we are online */
936
937 if (idmap_is_offline()) {
938 nt_status = NT_STATUS_FILE_IS_OFFLINE;
939 goto done;
940 }
941
942 dom = talloc_get_type(e->state, struct idmap_domain);
943 ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
944
945 ads_status = ad_idmap_cached_connection(dom);
946 if (!ADS_ERR_OK(ads_status)) {
947 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
948 }
949
950 if (!ctx->ad_schema) {
951 nt_status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
952 goto done;
953 }
954
955 filter = talloc_asprintf(mem_ctx,
956 "(%s=%s)",
957 ctx->ad_schema->posix_uid_attr,
958 alias);
959 if (!filter) {
960 nt_status = NT_STATUS_NO_MEMORY;
961 goto done;
962 }
963
964 ads_status = ads_search_retry(ctx->ads, &msg, filter, attrs);
965 if (!ADS_ERR_OK(ads_status)) {
966 nt_status = ads_ntstatus(ads_status);
967 goto done;
968 }
969
970 username = ads_pull_string(ctx->ads, mem_ctx, msg,
971 "sAMAccountName");
972 if (!username) {
973 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
974 }
975
976 *name = talloc_asprintf(mem_ctx, "%s\\%s",
977 lp_workgroup(),
978 username);
979 if (!*name) {
980 nt_status = NT_STATUS_NO_MEMORY;
981 goto done;
982 }
983
984 nt_status = NT_STATUS_OK;
985
986 done:
987 if (filter) {
988 talloc_destroy(filter);
989 }
990 if (msg) {
991 ads_msgfree(ctx->ads, msg);
992 }
993
994 return nt_status;
995 }
996
997 /************************************************************************
998 Function dispatch tables for the idmap and nss plugins
999 ***********************************************************************/
1000
1001 static struct idmap_methods ad_methods = {
1002 .init = idmap_ad_initialize,
1003 .unixids_to_sids = idmap_ad_unixids_to_sids,
1004 .sids_to_unixids = idmap_ad_sids_to_unixids,
1005 };
1006
1007 /* The SFU and RFC2307 NSS plugins share everything but the init
1008 function which sets the intended schema model to use */
1009
1010 static struct nss_info_methods nss_rfc2307_methods = {
1011 .init = nss_rfc2307_init,
1012 .get_nss_info = nss_ad_get_info,
1013 .map_to_alias = nss_ad_map_to_alias,
1014 .map_from_alias = nss_ad_map_from_alias,
1015 };
1016
1017 static struct nss_info_methods nss_sfu_methods = {
1018 .init = nss_sfu_init,
1019 .get_nss_info = nss_ad_get_info,
1020 .map_to_alias = nss_ad_map_to_alias,
1021 .map_from_alias = nss_ad_map_from_alias,
1022 };
1023
1024 static struct nss_info_methods nss_sfu20_methods = {
1025 .init = nss_sfu20_init,
1026 .get_nss_info = nss_ad_get_info,
1027 .map_to_alias = nss_ad_map_to_alias,
1028 .map_from_alias = nss_ad_map_from_alias,
1029 };
1030
1031
1032
1033 /************************************************************************
1034 Initialize the plugins
1035 ***********************************************************************/
1036
1037 NTSTATUS samba_init_module(void)
1038 {
1039 static NTSTATUS status_idmap_ad = NT_STATUS_UNSUCCESSFUL;
1040 static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL;
1041 static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL;
1042 static NTSTATUS status_nss_sfu20 = NT_STATUS_UNSUCCESSFUL;
1043
1044 /* Always register the AD method first in order to get the
1045 idmap_domain interface called */
1046
1047 if ( !NT_STATUS_IS_OK(status_idmap_ad) ) {
1048 status_idmap_ad = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
1049 "ad", &ad_methods);
1050 if ( !NT_STATUS_IS_OK(status_idmap_ad) )
1051 return status_idmap_ad;
1052 }
1053
1054 if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) {
1055 status_nss_rfc2307 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1056 "rfc2307", &nss_rfc2307_methods );
1057 if ( !NT_STATUS_IS_OK(status_nss_rfc2307) )
1058 return status_nss_rfc2307;
1059 }
1060
1061 if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) {
1062 status_nss_sfu = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1063 "sfu", &nss_sfu_methods );
1064 if ( !NT_STATUS_IS_OK(status_nss_sfu) )
1065 return status_nss_sfu;
1066 }
1067
1068 if ( !NT_STATUS_IS_OK( status_nss_sfu20 ) ) {
1069 status_nss_sfu20 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
1070 "sfu20", &nss_sfu20_methods );
1071 if ( !NT_STATUS_IS_OK(status_nss_sfu20) )
1072 return status_nss_sfu20;
1073 }
1074
1075 return NT_STATUS_OK;
1076 }
1077
reg import