2 Unix SMB/CIFS implementation.
4 Map SIDs to unixids and back
6 Copyright (C) Kai Blin 2008
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "auth/auth.h"
24 #include "librpc/gen_ndr/ndr_security.h"
25 #include "lib/ldb/include/ldb.h"
27 #include "param/param.h"
28 #include "winbind/idmap.h"
29 #include "libcli/security/security.h"
30 #include "libcli/ldap/ldap_ndr.h"
33 * Get uid/gid bounds from idmap database
35 * \param idmap_ctx idmap context to use
36 * \param low lower uid/gid bound is stored here
37 * \param high upper uid/gid bound is stored here
38 * \return 0 on success, nonzero on failure
40 static int idmap_get_bounds(struct idmap_context
*idmap_ctx
, uint32_t *low
,
44 struct ldb_context
*ldb
= idmap_ctx
->ldb_ctx
;
46 struct ldb_result
*res
= NULL
;
47 TALLOC_CTX
*tmp_ctx
= talloc_new(idmap_ctx
);
48 uint32_t lower_bound
= (uint32_t) -1;
49 uint32_t upper_bound
= (uint32_t) -1;
51 dn
= ldb_dn_new(tmp_ctx
, ldb
, "CN=CONFIG");
52 if (dn
== NULL
) goto failed
;
54 ret
= ldb_search(ldb
, tmp_ctx
, &res
, dn
, LDB_SCOPE_BASE
, NULL
, NULL
);
55 if (ret
!= LDB_SUCCESS
) goto failed
;
57 if (res
->count
!= 1) {
62 lower_bound
= ldb_msg_find_attr_as_uint(res
->msgs
[0], "lowerBound", -1);
63 if (lower_bound
!= (uint32_t) -1) {
70 upper_bound
= ldb_msg_find_attr_as_uint(res
->msgs
[0], "upperBound", -1);
71 if (upper_bound
!= (uint32_t) -1) {
85 * Add a dom_sid structure to a ldb_message
86 * \param idmap_ctx idmap context to use
87 * \param mem_ctx talloc context to use
88 * \param ldb_message ldb message to add dom_sid to
89 * \param attr_name name of the attribute to store the dom_sid in
90 * \param sid dom_sid to store
91 * \return 0 on success, an ldb error code on failure.
93 static int idmap_msg_add_dom_sid(struct idmap_context
*idmap_ctx
,
94 TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
95 const char *attr_name
, const struct dom_sid
*sid
)
98 enum ndr_err_code ndr_err
;
100 ndr_err
= ndr_push_struct_blob(&val
, mem_ctx
, sid
,
101 (ndr_push_flags_fn_t
)ndr_push_dom_sid
);
103 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
107 return ldb_msg_add_value(msg
, attr_name
, &val
, NULL
);
111 * Get a dom_sid structure from a ldb message.
113 * \param mem_ctx talloc context to allocate dom_sid memory in
114 * \param msg ldb_message to get dom_sid from
115 * \param attr_name key that has the dom_sid as data
116 * \return dom_sid structure on success, NULL on failure
118 static struct dom_sid
*idmap_msg_get_dom_sid(TALLOC_CTX
*mem_ctx
,
119 struct ldb_message
*msg
, const char *attr_name
)
122 const struct ldb_val
*val
;
123 enum ndr_err_code ndr_err
;
125 val
= ldb_msg_find_ldb_val(msg
, attr_name
);
130 sid
= talloc(mem_ctx
, struct dom_sid
);
135 ndr_err
= ndr_pull_struct_blob(val
, sid
, sid
,
136 (ndr_pull_flags_fn_t
)ndr_pull_dom_sid
);
137 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
146 * Initialize idmap context
148 * talloc_free to close.
150 * \param mem_ctx talloc context to use.
151 * \return allocated idmap_context on success, NULL on error
153 struct idmap_context
*idmap_init(TALLOC_CTX
*mem_ctx
,
154 struct tevent_context
*ev_ctx
,
155 struct loadparm_context
*lp_ctx
)
157 struct idmap_context
*idmap_ctx
;
159 idmap_ctx
= talloc(mem_ctx
, struct idmap_context
);
160 if (idmap_ctx
== NULL
) {
164 idmap_ctx
->lp_ctx
= lp_ctx
;
166 idmap_ctx
->ldb_ctx
= ldb_wrap_connect(mem_ctx
, ev_ctx
, lp_ctx
,
167 lp_idmap_url(lp_ctx
),
168 system_session(lp_ctx
),
170 if (idmap_ctx
->ldb_ctx
== NULL
) {
174 idmap_ctx
->unix_groups_sid
= dom_sid_parse_talloc(mem_ctx
, "S-1-22-2");
175 if (idmap_ctx
->unix_groups_sid
== NULL
) {
179 idmap_ctx
->unix_users_sid
= dom_sid_parse_talloc(mem_ctx
, "S-1-22-1");
180 if (idmap_ctx
->unix_users_sid
== NULL
) {
188 * Convert an unixid to the corresponding SID
190 * \param idmap_ctx idmap context to use
191 * \param mem_ctx talloc context the memory for the struct dom_sid is allocated
193 * \param unixid pointer to a unixid struct to convert
194 * \param sid pointer that will take the struct dom_sid pointer if the mapping
196 * \return NT_STATUS_OK on success, NT_STATUS_NONE_MAPPED if mapping not
197 * possible or some other NTSTATUS that is more descriptive on failure.
200 static NTSTATUS
idmap_xid_to_sid(struct idmap_context
*idmap_ctx
,
202 const struct unixid
*unixid
,
203 struct dom_sid
**sid
)
206 NTSTATUS status
= NT_STATUS_NONE_MAPPED
;
207 struct ldb_context
*ldb
= idmap_ctx
->ldb_ctx
;
208 struct ldb_result
*res
= NULL
;
209 struct dom_sid
*unix_sid
, *new_sid
;
210 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
213 switch (unixid
->type
) {
215 id_type
= "ID_TYPE_UID";
218 id_type
= "ID_TYPE_GID";
221 DEBUG(1, ("unixid->type must be type gid or uid (got %u) for lookup with id %lu\n",
222 (unsigned)unixid
->type
, (unsigned long)unixid
->id
));
223 status
= NT_STATUS_NONE_MAPPED
;
227 ret
= ldb_search(ldb
, tmp_ctx
, &res
, NULL
, LDB_SCOPE_SUBTREE
,
228 NULL
, "(&(|(type=ID_TYPE_BOTH)(type=%s))"
229 "(xidNumber=%u))", id_type
, unixid
->id
);
230 if (ret
!= LDB_SUCCESS
) {
231 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb
)));
232 status
= NT_STATUS_NONE_MAPPED
;
236 if (res
->count
== 1) {
237 *sid
= idmap_msg_get_dom_sid(mem_ctx
, res
->msgs
[0],
240 DEBUG(1, ("Failed to get sid from db: %u\n", ret
));
241 status
= NT_STATUS_NONE_MAPPED
;
244 talloc_free(tmp_ctx
);
248 DEBUG(6, ("xid not found in idmap db, create S-1-22- SID.\n"));
250 /* For local users/groups , we just create a rid = uid/gid */
251 if (unixid
->type
== ID_TYPE_UID
) {
252 unix_sid
= dom_sid_parse_talloc(tmp_ctx
, "S-1-22-1");
254 unix_sid
= dom_sid_parse_talloc(tmp_ctx
, "S-1-22-2");
256 if (unix_sid
== NULL
) {
257 status
= NT_STATUS_NO_MEMORY
;
261 new_sid
= dom_sid_add_rid(mem_ctx
, unix_sid
, unixid
->id
);
262 if (new_sid
== NULL
) {
263 status
= NT_STATUS_NO_MEMORY
;
268 talloc_free(tmp_ctx
);
272 talloc_free(tmp_ctx
);
278 * Map a SID to an unixid struct.
280 * If no mapping exists, a new mapping will be created.
282 * \todo Check if SIDs can be resolved if lp_idmap_trusted_only() == true
283 * \todo Fix backwards compatibility for Samba3
285 * \param idmap_ctx idmap context to use
286 * \param mem_ctx talloc context to use
287 * \param sid SID to map to an unixid struct
288 * \param unixid pointer to a unixid struct
289 * \return NT_STATUS_OK on success, NT_STATUS_INVALID_SID if the sid is not from
290 * a trusted domain and idmap trusted only = true, NT_STATUS_NONE_MAPPED if the
293 static NTSTATUS
idmap_sid_to_xid(struct idmap_context
*idmap_ctx
,
295 const struct dom_sid
*sid
,
296 struct unixid
*unixid
)
299 NTSTATUS status
= NT_STATUS_NONE_MAPPED
;
300 struct ldb_context
*ldb
= idmap_ctx
->ldb_ctx
;
302 struct ldb_message
*hwm_msg
, *map_msg
;
303 struct ldb_result
*res
= NULL
;
305 uint32_t low
, high
, hwm
, new_xid
;
306 char *sid_string
, *unixid_string
, *hwm_string
;
307 bool hwm_entry_exists
;
308 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
310 if (dom_sid_in_domain(idmap_ctx
->unix_users_sid
, sid
)) {
312 DEBUG(6, ("This is a local unix uid, just calculate that.\n"));
313 status
= dom_sid_split_rid(tmp_ctx
, sid
, NULL
, &rid
);
314 if (!NT_STATUS_IS_OK(status
)) goto failed
;
317 unixid
->type
= ID_TYPE_UID
;
319 talloc_free(tmp_ctx
);
323 if (dom_sid_in_domain(idmap_ctx
->unix_groups_sid
, sid
)) {
325 DEBUG(6, ("This is a local unix gid, just calculate that.\n"));
326 status
= dom_sid_split_rid(tmp_ctx
, sid
, NULL
, &rid
);
327 if (!NT_STATUS_IS_OK(status
)) goto failed
;
330 unixid
->type
= ID_TYPE_GID
;
332 talloc_free(tmp_ctx
);
336 ret
= ldb_search(ldb
, tmp_ctx
, &res
, NULL
, LDB_SCOPE_SUBTREE
,
337 NULL
, "(&(objectClass=sidMap)(objectSid=%s))",
338 ldap_encode_ndr_dom_sid(tmp_ctx
, sid
));
339 if (ret
!= LDB_SUCCESS
) {
340 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb
)));
341 status
= NT_STATUS_NONE_MAPPED
;
345 if (res
->count
== 1) {
346 const char *type
= ldb_msg_find_attr_as_string(res
->msgs
[0],
348 new_xid
= ldb_msg_find_attr_as_uint(res
->msgs
[0], "xidNumber",
350 if (new_xid
== (uint32_t) -1) {
351 DEBUG(1, ("Invalid xid mapping.\n"));
352 status
= NT_STATUS_NONE_MAPPED
;
357 DEBUG(1, ("Invalid type for mapping entry.\n"));
358 status
= NT_STATUS_NONE_MAPPED
;
362 unixid
->id
= new_xid
;
364 if (strcmp(type
, "ID_TYPE_BOTH") == 0) {
365 unixid
->type
= ID_TYPE_BOTH
;
366 } else if (strcmp(type
, "ID_TYPE_UID") == 0) {
367 unixid
->type
= ID_TYPE_UID
;
369 unixid
->type
= ID_TYPE_GID
;
372 talloc_free(tmp_ctx
);
376 DEBUG(6, ("No existing mapping found, attempting to create one.\n"));
378 trans
= ldb_transaction_start(ldb
);
379 if (trans
!= LDB_SUCCESS
) {
380 status
= NT_STATUS_NONE_MAPPED
;
384 /* Redo the search to make sure noone changed the mapping while we
386 ret
= ldb_search(ldb
, tmp_ctx
, &res
, NULL
, LDB_SCOPE_SUBTREE
,
387 NULL
, "(&(objectClass=sidMap)(objectSid=%s))",
388 ldap_encode_ndr_dom_sid(tmp_ctx
, sid
));
389 if (ret
!= LDB_SUCCESS
) {
390 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb
)));
391 status
= NT_STATUS_NONE_MAPPED
;
395 if (res
->count
> 0) {
396 DEBUG(1, ("Database changed while trying to add a sidmap.\n"));
397 status
= NT_STATUS_RETRY
;
401 /*FIXME: if lp_idmap_trusted_only() == true, check if SID can be
404 ret
= idmap_get_bounds(idmap_ctx
, &low
, &high
);
405 if (ret
!= LDB_SUCCESS
) {
406 status
= NT_STATUS_NONE_MAPPED
;
410 dn
= ldb_dn_new(tmp_ctx
, ldb
, "CN=CONFIG");
412 status
= NT_STATUS_NO_MEMORY
;
416 ret
= ldb_search(ldb
, tmp_ctx
, &res
, dn
, LDB_SCOPE_BASE
, NULL
, NULL
);
417 if (ret
!= LDB_SUCCESS
) {
418 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb
)));
419 status
= NT_STATUS_NONE_MAPPED
;
423 if (res
->count
!= 1) {
424 DEBUG(1, ("No CN=CONFIG record, idmap database is broken.\n"));
425 status
= NT_STATUS_NONE_MAPPED
;
429 hwm
= ldb_msg_find_attr_as_uint(res
->msgs
[0], "xidNumber", -1);
430 if (hwm
== (uint32_t)-1) {
432 hwm_entry_exists
= false;
434 hwm_entry_exists
= true;
438 DEBUG(1, ("Out of xids to allocate.\n"));
439 status
= NT_STATUS_NONE_MAPPED
;
443 hwm_msg
= ldb_msg_new(tmp_ctx
);
444 if (hwm_msg
== NULL
) {
445 DEBUG(1, ("Out of memory when creating ldb_message\n"));
446 status
= NT_STATUS_NO_MEMORY
;
455 hwm_string
= talloc_asprintf(tmp_ctx
, "%u", hwm
);
456 if (hwm_string
== NULL
) {
457 status
= NT_STATUS_NO_MEMORY
;
461 sid_string
= dom_sid_string(tmp_ctx
, sid
);
462 if (sid_string
== NULL
) {
463 status
= NT_STATUS_NO_MEMORY
;
467 unixid_string
= talloc_asprintf(tmp_ctx
, "%u", new_xid
);
468 if (unixid_string
== NULL
) {
469 status
= NT_STATUS_NO_MEMORY
;
473 if (hwm_entry_exists
) {
474 struct ldb_message_element
*els
;
475 struct ldb_val
*vals
;
477 /* We're modifying the entry, not just adding a new one. */
478 els
= talloc_array(tmp_ctx
, struct ldb_message_element
, 2);
480 status
= NT_STATUS_NO_MEMORY
;
484 vals
= talloc_array(tmp_ctx
, struct ldb_val
, 2);
486 status
= NT_STATUS_NO_MEMORY
;
490 hwm_msg
->num_elements
= 2;
491 hwm_msg
->elements
= els
;
493 els
[0].num_values
= 1;
494 els
[0].values
= &vals
[0];
495 els
[0].flags
= LDB_FLAG_MOD_DELETE
;
496 els
[0].name
= talloc_strdup(tmp_ctx
, "xidNumber");
497 if (els
[0].name
== NULL
) {
498 status
= NT_STATUS_NO_MEMORY
;
502 els
[1].num_values
= 1;
503 els
[1].values
= &vals
[1];
504 els
[1].flags
= LDB_FLAG_MOD_ADD
;
505 els
[1].name
= els
[0].name
;
507 vals
[0].data
= (uint8_t *)unixid_string
;
508 vals
[0].length
= strlen(unixid_string
);
509 vals
[1].data
= (uint8_t *)hwm_string
;
510 vals
[1].length
= strlen(hwm_string
);
512 ret
= ldb_msg_add_empty(hwm_msg
, "xidNumber", LDB_FLAG_MOD_ADD
,
514 if (ret
!= LDB_SUCCESS
) {
515 status
= NT_STATUS_NONE_MAPPED
;
519 ret
= ldb_msg_add_string(hwm_msg
, "xidNumber", hwm_string
);
520 if (ret
!= LDB_SUCCESS
)
522 status
= NT_STATUS_NONE_MAPPED
;
527 ret
= ldb_modify(ldb
, hwm_msg
);
528 if (ret
!= LDB_SUCCESS
) {
529 DEBUG(1, ("Updating the xid high water mark failed: %s\n",
530 ldb_errstring(ldb
)));
531 status
= NT_STATUS_NONE_MAPPED
;
535 map_msg
= ldb_msg_new(tmp_ctx
);
536 if (map_msg
== NULL
) {
537 status
= NT_STATUS_NO_MEMORY
;
541 map_msg
->dn
= ldb_dn_new_fmt(tmp_ctx
, ldb
, "CN=%s", sid_string
);
542 if (map_msg
->dn
== NULL
) {
543 status
= NT_STATUS_NO_MEMORY
;
547 ret
= ldb_msg_add_string(map_msg
, "xidNumber", unixid_string
);
548 if (ret
!= LDB_SUCCESS
) {
549 status
= NT_STATUS_NONE_MAPPED
;
553 ret
= idmap_msg_add_dom_sid(idmap_ctx
, tmp_ctx
, map_msg
, "objectSid",
555 if (ret
!= LDB_SUCCESS
) {
556 status
= NT_STATUS_NONE_MAPPED
;
560 ret
= ldb_msg_add_string(map_msg
, "objectClass", "sidMap");
561 if (ret
!= LDB_SUCCESS
) {
562 status
= NT_STATUS_NONE_MAPPED
;
566 ret
= ldb_msg_add_string(map_msg
, "type", "ID_TYPE_BOTH");
567 if (ret
!= LDB_SUCCESS
) {
568 status
= NT_STATUS_NONE_MAPPED
;
572 ret
= ldb_msg_add_string(map_msg
, "cn", sid_string
);
573 if (ret
!= LDB_SUCCESS
) {
574 status
= NT_STATUS_NONE_MAPPED
;
578 ret
= ldb_add(ldb
, map_msg
);
579 if (ret
!= LDB_SUCCESS
) {
580 DEBUG(1, ("Adding a sidmap failed: %s\n", ldb_errstring(ldb
)));
581 status
= NT_STATUS_NONE_MAPPED
;
585 trans
= ldb_transaction_commit(ldb
);
586 if (trans
!= LDB_SUCCESS
) {
587 DEBUG(1, ("Transaction failed: %s\n", ldb_errstring(ldb
)));
588 status
= NT_STATUS_NONE_MAPPED
;
592 unixid
->id
= new_xid
;
593 unixid
->type
= ID_TYPE_BOTH
;
594 talloc_free(tmp_ctx
);
598 if (trans
== LDB_SUCCESS
) ldb_transaction_cancel(ldb
);
599 talloc_free(tmp_ctx
);
604 * Convert an array of unixids to the corresponding array of SIDs
606 * \param idmap_ctx idmap context to use
607 * \param mem_ctx talloc context the memory for the dom_sids is allocated
609 * \param count length of id_mapping array.
610 * \param id array of id_mappings.
611 * \return NT_STATUS_OK on success, NT_STATUS_NONE_MAPPED if mapping is not
612 * possible at all, NT_STATUS_SOME_UNMAPPED if some mappings worked and some
616 NTSTATUS
idmap_xids_to_sids(struct idmap_context
*idmap_ctx
,
620 unsigned int i
, error_count
= 0;
623 for (i
= 0; id
&& id
[i
]; i
++) {
624 status
= idmap_xid_to_sid(idmap_ctx
, mem_ctx
,
625 &id
[i
]->xid
, &id
[i
]->sid
);
626 if (NT_STATUS_EQUAL(status
, NT_STATUS_RETRY
)) {
627 status
= idmap_xid_to_sid(idmap_ctx
, mem_ctx
,
631 if (!NT_STATUS_IS_OK(status
)) {
632 DEBUG(1, ("idmapping xid_to_sid failed for id[%d]=%lu: %s\n",
633 i
, (unsigned long)id
[i
]->xid
.id
, nt_errstr(status
)));
635 id
[i
]->status
= ID_UNMAPPED
;
637 id
[i
]->status
= ID_MAPPED
;
641 if (error_count
== i
) {
642 /* Mapping did not work at all. */
643 return NT_STATUS_NONE_MAPPED
;
644 } else if (error_count
> 0) {
645 /* Some mappings worked, some did not. */
646 return STATUS_SOME_UNMAPPED
;
653 * Convert an array of SIDs to the corresponding array of unixids
655 * \param idmap_ctx idmap context to use
656 * \param mem_ctx talloc context the memory for the unixids is allocated
658 * \param count length of id_mapping array.
659 * \param id array of id_mappings.
660 * \return NT_STATUS_OK on success, NT_STATUS_NONE_MAPPED if mapping is not
661 * possible at all, NT_STATUS_SOME_UNMAPPED if some mappings worked and some
665 NTSTATUS
idmap_sids_to_xids(struct idmap_context
*idmap_ctx
,
669 unsigned int i
, error_count
= 0;
672 for (i
= 0; id
&& id
[i
]; i
++) {
673 status
= idmap_sid_to_xid(idmap_ctx
, mem_ctx
,
674 id
[i
]->sid
, &id
[i
]->xid
);
675 if (NT_STATUS_EQUAL(status
, NT_STATUS_RETRY
)) {
676 status
= idmap_sid_to_xid(idmap_ctx
, mem_ctx
,
680 if (!NT_STATUS_IS_OK(status
)) {
681 char *str
= dom_sid_string(mem_ctx
, id
[i
]->sid
);
682 DEBUG(1, ("idmapping sid_to_xid failed for id[%d]=%s: %s\n",
683 i
, str
, nt_errstr(status
)));
686 id
[i
]->status
= ID_UNMAPPED
;
688 id
[i
]->status
= ID_MAPPED
;
692 if (error_count
== i
) {
693 /* Mapping did not work at all. */
694 return NT_STATUS_NONE_MAPPED
;
695 } else if (error_count
> 0) {
696 /* Some mappings worked, some did not. */
697 return STATUS_SOME_UNMAPPED
;