search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Maintain a back-pointer to the fsp in struct smb_Dir when opening with FDOPENDIR.
[Samba/vl.git] / source3 / winbindd / idmap_util.c
bloba068298968514fefb4c4152fe359760224445201
1 /*
2 Unix SMB/CIFS implementation.
3 ID Mapping
4 Copyright (C) Simo Sorce 2003
5 Copyright (C) Jeremy Allison 2006
6 Copyright (C) Michael Adam 2010
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.*/
20
21 #include "includes.h"
22 #include "winbindd.h"
23 #include "winbindd_proto.h"
24 #include "idmap.h"
25 #include "idmap_cache.h"
26 #include "../libcli/security/security.h"
27 #include "secrets.h"
28
29 #undef DBGC_CLASS
30 #define DBGC_CLASS DBGC_IDMAP
31
32 /*****************************************************************
33 Returns the SID mapped to the given UID.
34 If mapping is not possible returns an error.
35 *****************************************************************/
36
37 NTSTATUS idmap_uid_to_sid(const char *domname, struct dom_sid *sid, uid_t uid)
38 {
39 NTSTATUS ret;
40 struct id_map map;
41 bool expired;
42
43 DEBUG(10,("idmap_uid_to_sid: uid = [%lu], domain = '%s'\n",
44 (unsigned long)uid, domname?domname:"NULL"));
45
46 if (winbindd_use_idmap_cache()
47 && idmap_cache_find_uid2sid(uid, sid, &expired)) {
48 DEBUG(10, ("idmap_cache_find_uid2sid found %u%s\n",
49 (unsigned int)uid,
50 expired ? " (expired)": ""));
51 if (expired && idmap_is_online()) {
52 DEBUG(10, ("revalidating expired entry\n"));
53 goto backend;
54 }
55 if (is_null_sid(sid)) {
56 DEBUG(10, ("Returning negative cache entry\n"));
57 return NT_STATUS_NONE_MAPPED;
58 }
59 DEBUG(10, ("Returning positive cache entry\n"));
60 return NT_STATUS_OK;
61 }
62
63 backend:
64 ZERO_STRUCT(map);
65 map.sid = sid;
66 map.xid.type = ID_TYPE_UID;
67 map.xid.id = uid;
68
69 ret = idmap_backends_unixid_to_sid(domname, &map);
70 if ( ! NT_STATUS_IS_OK(ret)) {
71 DEBUG(10, ("error mapping uid [%lu]\n", (unsigned long)uid));
72 return ret;
73 }
74
75 if (map.status != ID_MAPPED) {
76 if (winbindd_use_idmap_cache()) {
77 struct dom_sid null_sid;
78 struct unixid id;
79 id.type = ID_TYPE_UID;
80 id.id = uid;
81 ZERO_STRUCT(null_sid);
82 idmap_cache_set_sid2unixid(&null_sid, &id);
83 }
84 DEBUG(10, ("uid [%lu] not mapped\n", (unsigned long)uid));
85 return NT_STATUS_NONE_MAPPED;
86 }
87
88 if (winbindd_use_idmap_cache()) {
89 idmap_cache_set_sid2unixid(sid, &map.xid);
90 }
91
92 return NT_STATUS_OK;
93 }
94
95 /*****************************************************************
96 Returns SID mapped to the given GID.
97 If mapping is not possible returns an error.
98 *****************************************************************/
99
100 NTSTATUS idmap_gid_to_sid(const char *domname, struct dom_sid *sid, gid_t gid)
101 {
102 NTSTATUS ret;
103 struct id_map map;
104 bool expired;
105
106 DEBUG(10,("idmap_gid_to_sid: gid = [%lu], domain = '%s'\n",
107 (unsigned long)gid, domname?domname:"NULL"));
108
109 if (winbindd_use_idmap_cache()
110 && idmap_cache_find_gid2sid(gid, sid, &expired)) {
111 DEBUG(10, ("idmap_cache_find_gid2sid found %u%s\n",
112 (unsigned int)gid,
113 expired ? " (expired)": ""));
114 if (expired && idmap_is_online()) {
115 DEBUG(10, ("revalidating expired entry\n"));
116 goto backend;
117 }
118 if (is_null_sid(sid)) {
119 DEBUG(10, ("Returning negative cache entry\n"));
120 return NT_STATUS_NONE_MAPPED;
121 }
122 DEBUG(10, ("Returning positive cache entry\n"));
123 return NT_STATUS_OK;
124 }
125
126 backend:
127 ZERO_STRUCT(map);
128 map.sid = sid;
129 map.xid.type = ID_TYPE_GID;
130 map.xid.id = gid;
131
132 ret = idmap_backends_unixid_to_sid(domname, &map);
133 if ( ! NT_STATUS_IS_OK(ret)) {
134 DEBUG(10, ("error mapping gid [%lu]\n", (unsigned long)gid));
135 return ret;
136 }
137
138 if (map.status != ID_MAPPED) {
139 if (winbindd_use_idmap_cache()) {
140 struct dom_sid null_sid;
141 struct unixid id;
142 id.type = ID_TYPE_GID;
143 id.id = gid;
144 ZERO_STRUCT(null_sid);
145 idmap_cache_set_sid2unixid(&null_sid, &id);
146 }
147 DEBUG(10, ("gid [%lu] not mapped\n", (unsigned long)gid));
148 return NT_STATUS_NONE_MAPPED;
149 }
150
151 if (winbindd_use_idmap_cache()) {
152 idmap_cache_set_sid2unixid(sid, &map.xid);
153 }
154
155 return NT_STATUS_OK;
156 }
157
158 /**
159 * check whether a given unix id is inside the filter range of an idmap domain
160 */
161 bool idmap_unix_id_is_in_range(uint32_t id, struct idmap_domain *dom)
162 {
163 if (id == 0) {
164 /* 0 is not an allowed unix id for id mapping */
165 return false;
166 }
167
168 if ((dom->low_id && (id < dom->low_id)) ||
169 (dom->high_id && (id > dom->high_id)))
170 {
171 return false;
172 }
173
174 return true;
175 }
176
177 /**
178 * Helper for unixids_to_sids: find entry by id in mapping array,
179 * search up to IDMAP_AD_MAX_IDS entries
180 */
181 struct id_map *idmap_find_map_by_id(struct id_map **maps, enum id_type type,
182 uint32_t id)
183 {
184 int i;
185
186 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
187 if (maps[i] == NULL) { /* end of the run */
188 return NULL;
189 }
190 if ((maps[i]->xid.type == type) && (maps[i]->xid.id == id)) {
191 return maps[i];
192 }
193 }
194
195 return NULL;
196 }
197
198 /**
199 * Helper for sids_to_unix_ids: find entry by SID in mapping array,
200 * search up to IDMAP_AD_MAX_IDS entries
201 */
202 struct id_map *idmap_find_map_by_sid(struct id_map **maps, struct dom_sid *sid)
203 {
204 int i;
205
206 for (i = 0; i < IDMAP_LDAP_MAX_IDS; i++) {
207 if (maps[i] == NULL) { /* end of the run */
208 return NULL;
209 }
210 if (dom_sid_equal(maps[i]->sid, sid)) {
211 return maps[i];
212 }
213 }
214
215 return NULL;
216 }
217
218 char *idmap_fetch_secret(const char *backend, const char *domain,
219 const char *identity)
220 {
221 char *tmp, *ret;
222 int r;
223
224 r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
225
226 if (r < 0)
227 return NULL;
228
229 /* make sure the key is case insensitive */
230 if (!strupper_m(tmp)) {
231 SAFE_FREE(tmp);
232 return NULL;
233 }
234
235 ret = secrets_fetch_generic(tmp, identity);
236
237 SAFE_FREE(tmp);
238
239 return ret;
240 }