2 Unix SMB/CIFS implementation.
4 Map SIDs to unixids and back
6 Copyright (C) Kai Blin 2008
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "auth/auth.h"
24 #include "librpc/gen_ndr/ndr_security.h"
27 #include "param/param.h"
28 #include "winbind/idmap.h"
29 #include "libcli/security/security.h"
30 #include "libcli/ldap/ldap_ndr.h"
33 * Get uid/gid bounds from idmap database
35 * \param idmap_ctx idmap context to use
36 * \param low lower uid/gid bound is stored here
37 * \param high upper uid/gid bound is stored here
38 * \return 0 on success, nonzero on failure
40 static int idmap_get_bounds(struct idmap_context
*idmap_ctx
, uint32_t *low
,
44 struct ldb_context
*ldb
= idmap_ctx
->ldb_ctx
;
46 struct ldb_result
*res
= NULL
;
47 TALLOC_CTX
*tmp_ctx
= talloc_new(idmap_ctx
);
48 uint32_t lower_bound
= (uint32_t) -1;
49 uint32_t upper_bound
= (uint32_t) -1;
51 dn
= ldb_dn_new(tmp_ctx
, ldb
, "CN=CONFIG");
52 if (dn
== NULL
) goto failed
;
54 ret
= ldb_search(ldb
, tmp_ctx
, &res
, dn
, LDB_SCOPE_BASE
, NULL
, NULL
);
55 if (ret
!= LDB_SUCCESS
) goto failed
;
57 if (res
->count
!= 1) {
62 lower_bound
= ldb_msg_find_attr_as_uint(res
->msgs
[0], "lowerBound", -1);
63 if (lower_bound
!= (uint32_t) -1) {
70 upper_bound
= ldb_msg_find_attr_as_uint(res
->msgs
[0], "upperBound", -1);
71 if (upper_bound
!= (uint32_t) -1) {
85 * Add a dom_sid structure to a ldb_message
86 * \param idmap_ctx idmap context to use
87 * \param mem_ctx talloc context to use
88 * \param ldb_message ldb message to add dom_sid to
89 * \param attr_name name of the attribute to store the dom_sid in
90 * \param sid dom_sid to store
91 * \return 0 on success, an ldb error code on failure.
93 static int idmap_msg_add_dom_sid(struct idmap_context
*idmap_ctx
,
94 TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
,
95 const char *attr_name
, const struct dom_sid
*sid
)
98 enum ndr_err_code ndr_err
;
100 ndr_err
= ndr_push_struct_blob(&val
, mem_ctx
, sid
,
101 (ndr_push_flags_fn_t
)ndr_push_dom_sid
);
103 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
107 return ldb_msg_add_value(msg
, attr_name
, &val
, NULL
);
111 * Get a dom_sid structure from a ldb message.
113 * \param mem_ctx talloc context to allocate dom_sid memory in
114 * \param msg ldb_message to get dom_sid from
115 * \param attr_name key that has the dom_sid as data
116 * \return dom_sid structure on success, NULL on failure
118 static struct dom_sid
*idmap_msg_get_dom_sid(TALLOC_CTX
*mem_ctx
,
119 struct ldb_message
*msg
, const char *attr_name
)
122 const struct ldb_val
*val
;
123 enum ndr_err_code ndr_err
;
125 val
= ldb_msg_find_ldb_val(msg
, attr_name
);
130 sid
= talloc(mem_ctx
, struct dom_sid
);
135 ndr_err
= ndr_pull_struct_blob(val
, sid
, sid
,
136 (ndr_pull_flags_fn_t
)ndr_pull_dom_sid
);
137 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
146 * Initialize idmap context
148 * talloc_free to close.
150 * \param mem_ctx talloc context to use.
151 * \return allocated idmap_context on success, NULL on error
153 struct idmap_context
*idmap_init(TALLOC_CTX
*mem_ctx
,
154 struct tevent_context
*ev_ctx
,
155 struct loadparm_context
*lp_ctx
)
157 struct idmap_context
*idmap_ctx
;
159 idmap_ctx
= talloc(mem_ctx
, struct idmap_context
);
160 if (idmap_ctx
== NULL
) {
164 idmap_ctx
->lp_ctx
= lp_ctx
;
166 idmap_ctx
->ldb_ctx
= ldb_wrap_connect(mem_ctx
, ev_ctx
, lp_ctx
,
168 system_session(lp_ctx
),
170 if (idmap_ctx
->ldb_ctx
== NULL
) {
174 idmap_ctx
->unix_groups_sid
= dom_sid_parse_talloc(mem_ctx
, "S-1-22-2");
175 if (idmap_ctx
->unix_groups_sid
== NULL
) {
179 idmap_ctx
->unix_users_sid
= dom_sid_parse_talloc(mem_ctx
, "S-1-22-1");
180 if (idmap_ctx
->unix_users_sid
== NULL
) {
188 * Convert an unixid to the corresponding SID
190 * \param idmap_ctx idmap context to use
191 * \param mem_ctx talloc context the memory for the struct dom_sid is allocated
193 * \param unixid pointer to a unixid struct to convert
194 * \param sid pointer that will take the struct dom_sid pointer if the mapping
196 * \return NT_STATUS_OK on success, NT_STATUS_NONE_MAPPED if mapping not
197 * possible or some other NTSTATUS that is more descriptive on failure.
200 static NTSTATUS
idmap_xid_to_sid(struct idmap_context
*idmap_ctx
,
202 const struct unixid
*unixid
,
203 struct dom_sid
**sid
)
206 NTSTATUS status
= NT_STATUS_NONE_MAPPED
;
207 struct ldb_context
*ldb
= idmap_ctx
->ldb_ctx
;
208 struct ldb_result
*res
= NULL
;
209 struct dom_sid
*unix_sid
, *new_sid
;
210 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
213 switch (unixid
->type
) {
215 id_type
= "ID_TYPE_UID";
218 id_type
= "ID_TYPE_GID";
221 DEBUG(1, ("unixid->type must be type gid or uid (got %u) for lookup with id %lu\n",
222 (unsigned)unixid
->type
, (unsigned long)unixid
->id
));
223 status
= NT_STATUS_NONE_MAPPED
;
227 ret
= ldb_search(ldb
, tmp_ctx
, &res
, NULL
, LDB_SCOPE_SUBTREE
,
228 NULL
, "(&(|(type=ID_TYPE_BOTH)(type=%s))"
229 "(xidNumber=%u))", id_type
, unixid
->id
);
230 if (ret
!= LDB_SUCCESS
) {
231 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb
)));
232 status
= NT_STATUS_NONE_MAPPED
;
236 if (res
->count
== 1) {
237 *sid
= idmap_msg_get_dom_sid(mem_ctx
, res
->msgs
[0],
240 DEBUG(1, ("Failed to get sid from db: %u\n", ret
));
241 status
= NT_STATUS_NONE_MAPPED
;
244 talloc_free(tmp_ctx
);
248 DEBUG(6, ("xid not found in idmap db, create S-1-22- SID.\n"));
250 /* For local users/groups , we just create a rid = uid/gid */
251 if (unixid
->type
== ID_TYPE_UID
) {
252 unix_sid
= dom_sid_parse_talloc(tmp_ctx
, "S-1-22-1");
254 unix_sid
= dom_sid_parse_talloc(tmp_ctx
, "S-1-22-2");
256 if (unix_sid
== NULL
) {
257 status
= NT_STATUS_NO_MEMORY
;
261 new_sid
= dom_sid_add_rid(mem_ctx
, unix_sid
, unixid
->id
);
262 if (new_sid
== NULL
) {
263 status
= NT_STATUS_NO_MEMORY
;
268 talloc_free(tmp_ctx
);
272 talloc_free(tmp_ctx
);
278 * Map a SID to an unixid struct.
280 * If no mapping exists, a new mapping will be created.
282 * \todo Check if SIDs can be resolved if lpcfg_idmap_trusted_only() == true
283 * \todo Fix backwards compatibility for Samba3
285 * \param idmap_ctx idmap context to use
286 * \param mem_ctx talloc context to use
287 * \param sid SID to map to an unixid struct
288 * \param unixid pointer to a unixid struct
289 * \return NT_STATUS_OK on success, NT_STATUS_INVALID_SID if the sid is not from
290 * a trusted domain and idmap trusted only = true, NT_STATUS_NONE_MAPPED if the
293 static NTSTATUS
idmap_sid_to_xid(struct idmap_context
*idmap_ctx
,
295 const struct dom_sid
*sid
,
296 struct unixid
*unixid
)
299 NTSTATUS status
= NT_STATUS_NONE_MAPPED
;
300 struct ldb_context
*ldb
= idmap_ctx
->ldb_ctx
;
302 struct ldb_message
*hwm_msg
, *map_msg
;
303 struct ldb_result
*res
= NULL
;
305 uint32_t low
, high
, hwm
, new_xid
;
306 char *sid_string
, *unixid_string
, *hwm_string
;
307 bool hwm_entry_exists
;
308 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
310 if (dom_sid_in_domain(idmap_ctx
->unix_users_sid
, sid
)) {
312 DEBUG(6, ("This is a local unix uid, just calculate that.\n"));
313 status
= dom_sid_split_rid(tmp_ctx
, sid
, NULL
, &rid
);
314 if (!NT_STATUS_IS_OK(status
)) {
315 talloc_free(tmp_ctx
);
320 unixid
->type
= ID_TYPE_UID
;
322 talloc_free(tmp_ctx
);
326 if (dom_sid_in_domain(idmap_ctx
->unix_groups_sid
, sid
)) {
328 DEBUG(6, ("This is a local unix gid, just calculate that.\n"));
329 status
= dom_sid_split_rid(tmp_ctx
, sid
, NULL
, &rid
);
330 if (!NT_STATUS_IS_OK(status
)) {
331 talloc_free(tmp_ctx
);
336 unixid
->type
= ID_TYPE_GID
;
338 talloc_free(tmp_ctx
);
342 ret
= ldb_search(ldb
, tmp_ctx
, &res
, NULL
, LDB_SCOPE_SUBTREE
,
343 NULL
, "(&(objectClass=sidMap)(objectSid=%s))",
344 ldap_encode_ndr_dom_sid(tmp_ctx
, sid
));
345 if (ret
!= LDB_SUCCESS
) {
346 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb
)));
347 talloc_free(tmp_ctx
);
348 return NT_STATUS_NONE_MAPPED
;
351 if (res
->count
== 1) {
352 const char *type
= ldb_msg_find_attr_as_string(res
->msgs
[0],
354 new_xid
= ldb_msg_find_attr_as_uint(res
->msgs
[0], "xidNumber",
356 if (new_xid
== (uint32_t) -1) {
357 DEBUG(1, ("Invalid xid mapping.\n"));
358 talloc_free(tmp_ctx
);
359 return NT_STATUS_NONE_MAPPED
;
363 DEBUG(1, ("Invalid type for mapping entry.\n"));
364 talloc_free(tmp_ctx
);
365 return NT_STATUS_NONE_MAPPED
;
368 unixid
->id
= new_xid
;
370 if (strcmp(type
, "ID_TYPE_BOTH") == 0) {
371 unixid
->type
= ID_TYPE_BOTH
;
372 } else if (strcmp(type
, "ID_TYPE_UID") == 0) {
373 unixid
->type
= ID_TYPE_UID
;
375 unixid
->type
= ID_TYPE_GID
;
378 talloc_free(tmp_ctx
);
382 DEBUG(6, ("No existing mapping found, attempting to create one.\n"));
384 trans
= ldb_transaction_start(ldb
);
385 if (trans
!= LDB_SUCCESS
) {
386 status
= NT_STATUS_NONE_MAPPED
;
390 /* Redo the search to make sure noone changed the mapping while we
392 ret
= ldb_search(ldb
, tmp_ctx
, &res
, NULL
, LDB_SCOPE_SUBTREE
,
393 NULL
, "(&(objectClass=sidMap)(objectSid=%s))",
394 ldap_encode_ndr_dom_sid(tmp_ctx
, sid
));
395 if (ret
!= LDB_SUCCESS
) {
396 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb
)));
397 status
= NT_STATUS_NONE_MAPPED
;
401 if (res
->count
> 0) {
402 DEBUG(1, ("Database changed while trying to add a sidmap.\n"));
403 status
= NT_STATUS_RETRY
;
407 /*FIXME: if lpcfg_idmap_trusted_only() == true, check if SID can be
410 ret
= idmap_get_bounds(idmap_ctx
, &low
, &high
);
411 if (ret
!= LDB_SUCCESS
) {
412 status
= NT_STATUS_NONE_MAPPED
;
416 dn
= ldb_dn_new(tmp_ctx
, ldb
, "CN=CONFIG");
418 status
= NT_STATUS_NO_MEMORY
;
422 ret
= ldb_search(ldb
, tmp_ctx
, &res
, dn
, LDB_SCOPE_BASE
, NULL
, NULL
);
423 if (ret
!= LDB_SUCCESS
) {
424 DEBUG(1, ("Search failed: %s\n", ldb_errstring(ldb
)));
425 status
= NT_STATUS_NONE_MAPPED
;
429 if (res
->count
!= 1) {
430 DEBUG(1, ("No CN=CONFIG record, idmap database is broken.\n"));
431 status
= NT_STATUS_NONE_MAPPED
;
435 hwm
= ldb_msg_find_attr_as_uint(res
->msgs
[0], "xidNumber", -1);
436 if (hwm
== (uint32_t)-1) {
438 hwm_entry_exists
= false;
440 hwm_entry_exists
= true;
444 DEBUG(1, ("Out of xids to allocate.\n"));
445 status
= NT_STATUS_NONE_MAPPED
;
449 hwm_msg
= ldb_msg_new(tmp_ctx
);
450 if (hwm_msg
== NULL
) {
451 DEBUG(1, ("Out of memory when creating ldb_message\n"));
452 status
= NT_STATUS_NO_MEMORY
;
461 hwm_string
= talloc_asprintf(tmp_ctx
, "%u", hwm
);
462 if (hwm_string
== NULL
) {
463 status
= NT_STATUS_NO_MEMORY
;
467 sid_string
= dom_sid_string(tmp_ctx
, sid
);
468 if (sid_string
== NULL
) {
469 status
= NT_STATUS_NO_MEMORY
;
473 unixid_string
= talloc_asprintf(tmp_ctx
, "%u", new_xid
);
474 if (unixid_string
== NULL
) {
475 status
= NT_STATUS_NO_MEMORY
;
479 if (hwm_entry_exists
) {
480 struct ldb_message_element
*els
;
481 struct ldb_val
*vals
;
483 /* We're modifying the entry, not just adding a new one. */
484 els
= talloc_array(tmp_ctx
, struct ldb_message_element
, 2);
486 status
= NT_STATUS_NO_MEMORY
;
490 vals
= talloc_array(tmp_ctx
, struct ldb_val
, 2);
492 status
= NT_STATUS_NO_MEMORY
;
496 hwm_msg
->num_elements
= 2;
497 hwm_msg
->elements
= els
;
499 els
[0].num_values
= 1;
500 els
[0].values
= &vals
[0];
501 els
[0].flags
= LDB_FLAG_MOD_DELETE
;
502 els
[0].name
= talloc_strdup(tmp_ctx
, "xidNumber");
503 if (els
[0].name
== NULL
) {
504 status
= NT_STATUS_NO_MEMORY
;
508 els
[1].num_values
= 1;
509 els
[1].values
= &vals
[1];
510 els
[1].flags
= LDB_FLAG_MOD_ADD
;
511 els
[1].name
= els
[0].name
;
513 vals
[0].data
= (uint8_t *)unixid_string
;
514 vals
[0].length
= strlen(unixid_string
);
515 vals
[1].data
= (uint8_t *)hwm_string
;
516 vals
[1].length
= strlen(hwm_string
);
518 ret
= ldb_msg_add_empty(hwm_msg
, "xidNumber", LDB_FLAG_MOD_ADD
,
520 if (ret
!= LDB_SUCCESS
) {
521 status
= NT_STATUS_NONE_MAPPED
;
525 ret
= ldb_msg_add_string(hwm_msg
, "xidNumber", hwm_string
);
526 if (ret
!= LDB_SUCCESS
)
528 status
= NT_STATUS_NONE_MAPPED
;
533 ret
= ldb_modify(ldb
, hwm_msg
);
534 if (ret
!= LDB_SUCCESS
) {
535 DEBUG(1, ("Updating the xid high water mark failed: %s\n",
536 ldb_errstring(ldb
)));
537 status
= NT_STATUS_NONE_MAPPED
;
541 map_msg
= ldb_msg_new(tmp_ctx
);
542 if (map_msg
== NULL
) {
543 status
= NT_STATUS_NO_MEMORY
;
547 map_msg
->dn
= ldb_dn_new_fmt(tmp_ctx
, ldb
, "CN=%s", sid_string
);
548 if (map_msg
->dn
== NULL
) {
549 status
= NT_STATUS_NO_MEMORY
;
553 ret
= ldb_msg_add_string(map_msg
, "xidNumber", unixid_string
);
554 if (ret
!= LDB_SUCCESS
) {
555 status
= NT_STATUS_NONE_MAPPED
;
559 ret
= idmap_msg_add_dom_sid(idmap_ctx
, tmp_ctx
, map_msg
, "objectSid",
561 if (ret
!= LDB_SUCCESS
) {
562 status
= NT_STATUS_NONE_MAPPED
;
566 ret
= ldb_msg_add_string(map_msg
, "objectClass", "sidMap");
567 if (ret
!= LDB_SUCCESS
) {
568 status
= NT_STATUS_NONE_MAPPED
;
572 ret
= ldb_msg_add_string(map_msg
, "type", "ID_TYPE_BOTH");
573 if (ret
!= LDB_SUCCESS
) {
574 status
= NT_STATUS_NONE_MAPPED
;
578 ret
= ldb_msg_add_string(map_msg
, "cn", sid_string
);
579 if (ret
!= LDB_SUCCESS
) {
580 status
= NT_STATUS_NONE_MAPPED
;
584 ret
= ldb_add(ldb
, map_msg
);
585 if (ret
!= LDB_SUCCESS
) {
586 DEBUG(1, ("Adding a sidmap failed: %s\n", ldb_errstring(ldb
)));
587 status
= NT_STATUS_NONE_MAPPED
;
591 trans
= ldb_transaction_commit(ldb
);
592 if (trans
!= LDB_SUCCESS
) {
593 DEBUG(1, ("Transaction failed: %s\n", ldb_errstring(ldb
)));
594 status
= NT_STATUS_NONE_MAPPED
;
598 unixid
->id
= new_xid
;
599 unixid
->type
= ID_TYPE_BOTH
;
600 talloc_free(tmp_ctx
);
604 if (trans
== LDB_SUCCESS
) ldb_transaction_cancel(ldb
);
605 talloc_free(tmp_ctx
);
610 * Convert an array of unixids to the corresponding array of SIDs
612 * \param idmap_ctx idmap context to use
613 * \param mem_ctx talloc context the memory for the dom_sids is allocated
615 * \param count length of id_mapping array.
616 * \param id array of id_mappings.
617 * \return NT_STATUS_OK on success, NT_STATUS_NONE_MAPPED if mapping is not
618 * possible at all, NT_STATUS_SOME_UNMAPPED if some mappings worked and some
622 NTSTATUS
idmap_xids_to_sids(struct idmap_context
*idmap_ctx
,
626 unsigned int i
, error_count
= 0;
629 for (i
= 0; id
&& id
[i
]; i
++) {
630 status
= idmap_xid_to_sid(idmap_ctx
, mem_ctx
,
631 &id
[i
]->xid
, &id
[i
]->sid
);
632 if (NT_STATUS_EQUAL(status
, NT_STATUS_RETRY
)) {
633 status
= idmap_xid_to_sid(idmap_ctx
, mem_ctx
,
637 if (!NT_STATUS_IS_OK(status
)) {
638 DEBUG(1, ("idmapping xid_to_sid failed for id[%d]=%lu: %s\n",
639 i
, (unsigned long)id
[i
]->xid
.id
, nt_errstr(status
)));
641 id
[i
]->status
= ID_UNMAPPED
;
643 id
[i
]->status
= ID_MAPPED
;
647 if (error_count
== i
) {
648 /* Mapping did not work at all. */
649 return NT_STATUS_NONE_MAPPED
;
650 } else if (error_count
> 0) {
651 /* Some mappings worked, some did not. */
652 return STATUS_SOME_UNMAPPED
;
659 * Convert an array of SIDs to the corresponding array of unixids
661 * \param idmap_ctx idmap context to use
662 * \param mem_ctx talloc context the memory for the unixids is allocated
664 * \param count length of id_mapping array.
665 * \param id array of id_mappings.
666 * \return NT_STATUS_OK on success, NT_STATUS_NONE_MAPPED if mapping is not
667 * possible at all, NT_STATUS_SOME_UNMAPPED if some mappings worked and some
671 NTSTATUS
idmap_sids_to_xids(struct idmap_context
*idmap_ctx
,
675 unsigned int i
, error_count
= 0;
678 for (i
= 0; id
&& id
[i
]; i
++) {
679 status
= idmap_sid_to_xid(idmap_ctx
, mem_ctx
,
680 id
[i
]->sid
, &id
[i
]->xid
);
681 if (NT_STATUS_EQUAL(status
, NT_STATUS_RETRY
)) {
682 status
= idmap_sid_to_xid(idmap_ctx
, mem_ctx
,
686 if (!NT_STATUS_IS_OK(status
)) {
687 char *str
= dom_sid_string(mem_ctx
, id
[i
]->sid
);
688 DEBUG(1, ("idmapping sid_to_xid failed for id[%d]=%s: %s\n",
689 i
, str
, nt_errstr(status
)));
692 id
[i
]->status
= ID_UNMAPPED
;
694 id
[i
]->status
= ID_MAPPED
;
698 if (error_count
== i
) {
699 /* Mapping did not work at all. */
700 return NT_STATUS_NONE_MAPPED
;
701 } else if (error_count
> 0) {
702 /* Some mappings worked, some did not. */
703 return STATUS_SOME_UNMAPPED
;