2 * idmap_adex: Support for D Forests
4 * Copyright (C) Gerald (Jerry) Carter 2006-2008
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "idmap_adex.h"
29 #define DBGC_CLASS DBGC_IDMAP
31 #define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
37 /********************************************************************
38 Basic init function responsible for determining our current mode
39 (standalone or using Centeris Cells). This must return success or
40 it will be dropped from the idmap backend list.
41 *******************************************************************/
43 static NTSTATUS
_idmap_adex_init(struct idmap_domain
*dom
)
45 ADS_STRUCT
*ads
= NULL
;
47 static NTSTATUS init_status
= NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
;
48 struct dom_sid domain_sid
;
50 struct sockaddr_storage ip
;
51 struct likewise_cell
*lwcell
;
53 if (NT_STATUS_IS_OK(init_status
))
56 /* Silently fail if we are not a member server in security = ads */
58 if ((lp_server_role() != ROLE_DOMAIN_MEMBER
) ||
59 (lp_security() != SEC_ADS
)) {
60 init_status
= NT_STATUS_INVALID_SERVER_STATE
;
61 BAIL_ON_NTSTATUS_ERROR(init_status
);
64 /* fetch our domain SID first */
66 if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid
)) {
67 init_status
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
68 BAIL_ON_NTSTATUS_ERROR(init_status
);
71 /* reuse the same ticket cache as winbindd */
73 setenv("KRB5CCNAME", WINBIND_CCACHE_NAME
, 1);
75 /* Establish a connection to a DC */
77 if ((ads
= ads_init(lp_realm(), lp_workgroup(), NULL
)) == NULL
) {
78 init_status
= NT_STATUS_NO_MEMORY
;
79 BAIL_ON_NTSTATUS_ERROR(init_status
);
83 secrets_fetch_machine_password(lp_workgroup(), NULL
, NULL
);
84 ads
->auth
.realm
= SMB_STRDUP(lp_realm());
86 /* get the DC name here to setup the server affinity cache and
89 get_dc_name(lp_workgroup(), lp_realm(), dcname
, &ip
);
91 status
= ads_connect(ads
);
92 if (!ADS_ERR_OK(status
)) {
93 DEBUG(0, ("_idmap_adex_init: ads_connect() failed! (%s)\n",
96 init_status
= ads_ntstatus(status
);
97 BAIL_ON_NTSTATUS_ERROR(init_status
);
100 /* Find out cell membership */
102 init_status
= cell_locate_membership(ads
);
103 if (!NT_STATUS_IS_OK(init_status
)) {
104 DEBUG(0,("LWI: Fail to locate cell membership (%s).",
105 nt_errstr(init_status
)));
109 /* Fill in the cell information */
111 lwcell
= cell_list_head();
113 init_status
= cell_lookup_settings(lwcell
);
114 BAIL_ON_NTSTATUS_ERROR(init_status
);
116 /* Miscellaneous setup. E.g. set up the list of GC
117 servers and domain list for our forest (does not actually
120 init_status
= gc_init_list();
121 BAIL_ON_NTSTATUS_ERROR(init_status
);
123 init_status
= domain_init_list();
124 BAIL_ON_NTSTATUS_ERROR(init_status
);
127 if (!NT_STATUS_IS_OK(init_status
)) {
128 DEBUG(1,("Likewise initialization failed (%s)\n",
129 nt_errstr(init_status
)));
134 if (!NT_STATUS_IS_OK(init_status
)) {
137 /* init_status stores the failure reason but we need to
138 return success or else idmap_init() will drop us from the
143 init_status
= NT_STATUS_OK
;
148 /**********************************************************************
149 *********************************************************************/
151 static NTSTATUS
_idmap_adex_get_sid_from_id(struct
159 struct likewise_cell
*cell
;
161 /* initialize the status to avoid suprise */
162 for (i
= 0; ids
[i
]; i
++) {
163 ids
[i
]->status
= ID_UNKNOWN
;
166 nt_status
= _idmap_adex_init(dom
);
167 if (!NT_STATUS_IS_OK(nt_status
))
170 if ((cell
= cell_list_head()) == NULL
) {
171 return NT_STATUS_INVALID_SERVER_STATE
;
174 /* have to work through these one by one */
175 for (i
= 0; ids
[i
]; i
++) {
177 status
= cell
->provider
->get_sid_from_id(ids
[i
]->sid
,
180 /* Fail if we cannot find any DC */
182 (status
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
)) {
186 if (!NT_STATUS_IS_OK(status
)) {
187 ids
[i
]->status
= ID_UNMAPPED
;
191 ids
[i
]->status
= ID_MAPPED
;
197 /**********************************************************************
198 *********************************************************************/
200 static NTSTATUS
_idmap_adex_get_id_from_sid(struct
208 struct likewise_cell
*cell
;
210 /* initialize the status to avoid suprise */
211 for (i
= 0; ids
[i
]; i
++) {
212 ids
[i
]->status
= ID_UNKNOWN
;
215 nt_status
= _idmap_adex_init(dom
);
216 if (!NT_STATUS_IS_OK(nt_status
))
219 if ((cell
= cell_list_head()) == NULL
) {
220 return NT_STATUS_INVALID_SERVER_STATE
;
223 /* have to work through these one by one */
224 for (i
= 0; ids
[i
]; i
++) {
226 status
= cell
->provider
->get_id_from_sid(&ids
[i
]->xid
.id
,
229 /* Fail if we cannot find any DC */
231 (status
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
)) {
235 if (!NT_STATUS_IS_OK(status
)) {
236 ids
[i
]->status
= ID_UNMAPPED
;
240 ids
[i
]->status
= ID_MAPPED
;
250 /**********************************************************************
251 *********************************************************************/
253 static NTSTATUS
_nss_adex_init(struct nss_domain_entry
256 return _idmap_adex_init(NULL
);
259 /**********************************************************************
260 *********************************************************************/
262 static NTSTATUS
_nss_adex_get_info(struct
264 const struct dom_sid
* sid
,
266 const char **homedir
,
268 const char **gecos
, gid_t
* p_gid
)
271 struct likewise_cell
*cell
;
273 nt_status
= _idmap_adex_init(NULL
);
274 if (!NT_STATUS_IS_OK(nt_status
))
277 if ((cell
= cell_list_head()) == NULL
) {
278 return NT_STATUS_INVALID_SERVER_STATE
;
281 return cell
->provider
->get_nss_info(sid
, ctx
, homedir
,
282 shell
, gecos
, p_gid
);
285 /**********************************************************************
286 *********************************************************************/
288 static NTSTATUS
_nss_adex_map_to_alias(TALLOC_CTX
* mem_ctx
,
289 struct nss_domain_entry
*e
,
290 const char *name
, char **alias
)
292 NTSTATUS nt_status
= NT_STATUS_UNSUCCESSFUL
;
293 struct likewise_cell
*cell
= NULL
;
295 nt_status
= _idmap_adex_init(NULL
);
296 BAIL_ON_NTSTATUS_ERROR(nt_status
);
298 if ((cell
= cell_list_head()) == NULL
) {
299 nt_status
= NT_STATUS_INVALID_SERVER_STATE
;
300 BAIL_ON_NTSTATUS_ERROR(nt_status
);
303 nt_status
= cell
->provider
->map_to_alias(mem_ctx
, e
->domain
,
306 /* go ahead and allow the cache mgr to mark this in
309 if (!NT_STATUS_IS_OK(nt_status
))
310 nt_status
= NT_STATUS_NONE_MAPPED
;
316 /**********************************************************************
317 *********************************************************************/
319 static NTSTATUS
_nss_adex_map_from_alias(TALLOC_CTX
* mem_ctx
,
320 struct nss_domain_entry
*e
,
321 const char *alias
, char **name
)
323 NTSTATUS nt_status
= NT_STATUS_UNSUCCESSFUL
;
324 struct likewise_cell
*cell
= NULL
;
326 nt_status
= _idmap_adex_init(NULL
);
327 BAIL_ON_NTSTATUS_ERROR(nt_status
);
329 if ((cell
= cell_list_head()) == NULL
) {
330 nt_status
= NT_STATUS_INVALID_SERVER_STATE
;
331 BAIL_ON_NTSTATUS_ERROR(nt_status
);
335 nt_status
= cell
->provider
->map_from_alias(mem_ctx
, e
->domain
,
338 /* go ahead and allow the cache mgr to mark this in
341 if (!NT_STATUS_IS_OK(nt_status
))
342 nt_status
= NT_STATUS_NONE_MAPPED
;
348 /**********************************************************************
349 *********************************************************************/
351 static NTSTATUS
_nss_adex_close(void)
353 return NT_STATUS_NOT_IMPLEMENTED
;
356 /**********************************************************************
357 *********************************************************************/
359 static struct idmap_methods adex_idmap_methods
= {
361 .init
= _idmap_adex_init
,
362 .unixids_to_sids
= _idmap_adex_get_sid_from_id
,
363 .sids_to_unixids
= _idmap_adex_get_id_from_sid
,
365 static struct nss_info_methods adex_nss_methods
= {
366 .init
= _nss_adex_init
,
367 .get_nss_info
= _nss_adex_get_info
,
368 .map_to_alias
= _nss_adex_map_to_alias
,
369 .map_from_alias
= _nss_adex_map_from_alias
,
370 .close_fn
= _nss_adex_close
373 /**********************************************************************
374 Register with the idmap and idmap_nss subsystems. We have to protect
375 against the idmap and nss_info interfaces being in a half-registered
377 **********************************************************************/
378 NTSTATUS
samba_init_module(void)
380 static NTSTATUS idmap_status
= NT_STATUS_UNSUCCESSFUL
;
381 static NTSTATUS nss_status
= NT_STATUS_UNSUCCESSFUL
;
382 if (!NT_STATUS_IS_OK(idmap_status
)) {
384 smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION
,
385 "adex", &adex_idmap_methods
);
386 if (!NT_STATUS_IS_OK(idmap_status
)) {
388 ("idmap_centeris_init: Failed to register the adex"
394 if (!NT_STATUS_IS_OK(nss_status
)) {
396 smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION
,
397 "adex", &adex_nss_methods
);
398 if (!NT_STATUS_IS_OK(nss_status
)) {
400 ("idmap_adex_init: Failed to register the adex"