summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2012-08-27 21:26:30 +0200
committerMartin Kosek <mkosek@redhat.com>2012-09-06 09:24:59 +0200
commit621b28a4a050309a767a05ff2ef5df9ee387afe3 (patch)
tree97727a1d677f17736915c9b5d4a32c3f0b0f48a8
parentdbd4cb51d316bd7c1b00629ff622859149cdc4a7 (diff)
downloadfreeipa-621b28a4a050309a767a05ff2ef5df9ee387afe3.tar.gz
freeipa-621b28a4a050309a767a05ff2ef5df9ee387afe3.tar.xz
freeipa-621b28a4a050309a767a05ff2ef5df9ee387afe3.zip
ipasam: add libsss_idmap context and replace string_to_sid()
-rw-r--r--daemons/ipa-sam/Makefile.am2
-rw-r--r--daemons/ipa-sam/ipa_sam.c118
2 files changed, 89 insertions, 31 deletions
diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
index 11179276c..53c8f47bb 100644
--- a/daemons/ipa-sam/Makefile.am
+++ b/daemons/ipa-sam/Makefile.am
@@ -27,6 +27,7 @@ INCLUDES = \
$(TALLOC_CFLAGS) \
$(SAMBAUTIL_CFLAGS) \
$(NDR_CFLAGS) \
+ $(SSSIDMAP_CFLAGS) \
$(NULL)
plugindir = $(libdir)/samba/pdb
@@ -52,6 +53,7 @@ ipasam_la_LIBADD = \
$(SAMBAUTIL_LIBS) \
$(NDR_LIBS) \
$(SAMBA40EXTRA_LIBS) \
+ $(SSSIDMAP_LIBS) \
$(NULL)
EXTRA_DIST = \
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index b3be5a679..58a598f5a 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -29,6 +29,7 @@
#include <sasl/sasl.h>
#include <krb5/krb5.h>
+#include <sss_idmap.h>
#include "ipa_krb5.h"
#include "ipa_pwd.h"
@@ -85,7 +86,6 @@ bool fetch_ldap_pw(char **dn, char** pw); /* available in libpdb.so */
bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
/* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
-bool string_to_sid(struct dom_sid *sidout, const char *sidstr); /* available in libsecurity.so */
char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so */
@@ -160,8 +160,19 @@ struct ipasam_privates {
char *fallback_primary_group;
char *server_princ;
char *client_princ;
+ struct sss_idmap_ctx *idmap_ctx;
};
+static void *idmap_talloc(size_t size, void *pvt)
+{
+ return talloc_size(pvt, size);
+}
+
+static void idmap_talloc_free(void *ptr, void *pvt)
+{
+ talloc_free(ptr);
+}
+
static void sid_copy(struct dom_sid *dst, const struct dom_sid *src)
{
size_t c;
@@ -348,12 +359,14 @@ done:
static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
LDAPMessage *entry,
+ struct sss_idmap_ctx *idmap_ctx,
const struct dom_sid *domain_sid,
uint32_t *rid)
{
char *str = NULL;
- struct dom_sid sid;
+ struct dom_sid *sid = NULL;
bool res = false;
+ enum idmap_error_code err;
str = get_single_attribute(NULL, ldap_struct, entry,
LDAP_ATTRIBUTE_SID);
@@ -363,29 +376,31 @@ static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
goto done;
}
- if (!string_to_sid(&sid, str)) {
+ err = sss_idmap_sid_to_smb_sid(idmap_ctx, str, &sid);
+ if (err != IDMAP_SUCCESS) {
DEBUG(10, ("Could not convert string %s to sid\n", str));
res = false;
goto done;
}
- if (dom_sid_compare_domain(&sid, domain_sid) != 0) {
+ if (dom_sid_compare_domain(sid, domain_sid) != 0) {
DEBUG(10, ("SID %s is not in expected domain %s\n",
str, sid_string_dbg(domain_sid)));
res = false;
goto done;
}
- if (sid.num_auths <= 0) {
+ if (sid->num_auths <= 0) {
DEBUG(10, ("Invalid num_auths in SID %s.\n", str));
res = false;
goto done;
}
- *rid = sid.sub_auths[sid.num_auths - 1];
+ *rid = sid->sub_auths[sid->num_auths - 1];
res = true;
done:
+ talloc_free(sid);
talloc_free(str);
return res;
}
@@ -479,7 +494,9 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
int rid_index;
const char *name;
- if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
+ if (!ldapsam_extract_rid_from_entry(ld, entry,
+ ldap_state->ipasam_privates->idmap_ctx,
+ domain_sid,
&rid)) {
DEBUG(2, ("Could not find sid from ldap entry\n"));
continue;
@@ -564,8 +581,9 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
DEBUG(2, ("Rejecting invalid group mapping entry %s\n", dn));
}
- if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid,
- &rid)) {
+ if (!ldapsam_extract_rid_from_entry(ld, entry,
+ ldap_state->ipasam_privates->idmap_ctx,
+ domain_sid, &rid)) {
DEBUG(2, ("Could not find sid from ldap entry %s\n", dn));
continue;
}
@@ -718,8 +736,9 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
LDAPMessage *entry = NULL;
bool ret = false;
char *user_sid_string;
- struct dom_sid user_sid;
+ struct dom_sid *user_sid = NULL;
int rc;
+ enum idmap_error_code err;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
filter = talloc_asprintf(tmp_ctx,
@@ -757,17 +776,20 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
goto done;
}
- if (!string_to_sid(&user_sid, user_sid_string)) {
+ err = sss_idmap_sid_to_smb_sid(priv->ipasam_privates->idmap_ctx,
+ user_sid_string, &user_sid);
+ if (err != IDMAP_SUCCESS) {
DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
user_sid_string));
goto done;
}
- sid_copy(sid, &user_sid);
+ sid_copy(sid, user_sid);
ret = true;
- done:
+done:
+ talloc_free(user_sid);
TALLOC_FREE(tmp_ctx);
return ret;
}
@@ -783,8 +805,9 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
LDAPMessage *entry = NULL;
bool ret = false;
char *group_sid_string;
- struct dom_sid group_sid;
+ struct dom_sid *group_sid = NULL;
int rc;
+ enum idmap_error_code err;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
filter = talloc_asprintf(tmp_ctx,
@@ -820,17 +843,20 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
goto done;
}
- if (!string_to_sid(&group_sid, group_sid_string)) {
+ err = sss_idmap_sid_to_smb_sid(priv->ipasam_privates->idmap_ctx,
+ group_sid_string, &group_sid);
+ if (err != IDMAP_SUCCESS) {
DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
group_sid_string));
goto done;
}
- sid_copy(sid, &group_sid);
+ sid_copy(sid, group_sid);
ret = true;
- done:
+done:
+ talloc_free(group_sid);
TALLOC_FREE(tmp_ctx);
return ret;
}
@@ -897,6 +923,7 @@ struct ldap_search_state {
const char **attrs;
int attrsonly;
void *pagedresults_cookie;
+ struct sss_idmap_ctx *idmap_ctx;
LDAPMessage *entries, *current_entry;
bool (*ldap2displayentry)(struct ldap_search_state *state,
@@ -1066,7 +1093,9 @@ static bool ldapuser2displayentry(struct ldap_search_state *state,
{
char **vals;
size_t converted_size;
- struct dom_sid sid;
+ struct dom_sid *sid = NULL;
+ enum idmap_error_code err;
+ bool res;
/* FIXME: SB try to figure out which flags to set instead of hardcode them */
result->acct_flags = 66048;
@@ -1128,14 +1157,17 @@ static bool ldapuser2displayentry(struct ldap_search_state *state,
return false;
}
- if (!string_to_sid(&sid, vals[0])) {
+ err = sss_idmap_sid_to_smb_sid(state->idmap_ctx, vals[0], &sid);
+ if (err != IDMAP_SUCCESS) {
DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
ldap_value_free(vals);
return false;
}
ldap_value_free(vals);
- if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)) {
+ res = sid_peek_check_rid(get_global_sam_sid(), sid, &result->rid);
+ talloc_free(sid);
+ if (!res) {
DEBUG(0, ("sid does not belong to our domain\n"));
return false;
}
@@ -1170,6 +1202,7 @@ static bool ldapsam_search_users(struct pdb_methods *methods,
state->attrsonly = 0;
state->pagedresults_cookie = NULL;
state->entries = NULL;
+ state->idmap_ctx = ldap_state->ipasam_privates->idmap_ctx;
state->ldap2displayentry = ldapuser2displayentry;
if ((state->filter == NULL) || (state->attrs == NULL)) {
@@ -1191,8 +1224,9 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state,
{
char **vals = NULL;
size_t converted_size;
- struct dom_sid sid;
+ struct dom_sid *sid = NULL;
uint16_t group_type;
+ enum idmap_error_code err;
result->account_name = "";
result->fullname = "";
@@ -1268,8 +1302,10 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state,
return false;
}
- if (!string_to_sid(&sid, vals[0])) {
+ err = sss_idmap_sid_to_smb_sid(state->idmap_ctx, vals[0], &sid);
+ if (err != IDMAP_SUCCESS) {
DEBUG(0, ("Could not convert %s to SID\n", vals[0]));
+ ldap_value_free(vals);
return false;
}
@@ -1279,9 +1315,10 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state,
case SID_NAME_DOM_GRP:
case SID_NAME_ALIAS:
- if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)
- && !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid))
+ if (!sid_peek_check_rid(get_global_sam_sid(), sid, &result->rid)
+ && !sid_peek_check_rid(&global_sid_Builtin, sid, &result->rid))
{
+ talloc_free(sid);
DEBUG(0, ("SID is not in our domain\n"));
return false;
}
@@ -1289,8 +1326,10 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state,
default:
DEBUG(0,("unknown group type: %d\n", group_type));
+ talloc_free(sid);
return false;
}
+ talloc_free(sid);
result->acct_flags = 0;
@@ -1327,6 +1366,7 @@ static bool ldapsam_search_grouptype(struct pdb_methods *methods,
state->pagedresults_cookie = NULL;
state->entries = NULL;
state->group_type = type;
+ state->idmap_ctx = ldap_state->ipasam_privates->idmap_ctx;
state->ldap2displayentry = ldapgroup2displayentry;
if ((state->filter == NULL) || (state->attrs == NULL)) {
@@ -1848,6 +1888,8 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
char *dummy;
bool res;
struct pdb_trusted_domain *td;
+ struct dom_sid *sid = NULL;
+ enum idmap_error_code err;
if (entry == NULL) {
return false;
@@ -1867,11 +1909,14 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
LDAP_ATTRIBUTE_TRUST_SID));
ZERO_STRUCT(td->security_identifier);
} else {
- res = string_to_sid(&td->security_identifier, dummy);
+ err = sss_idmap_sid_to_smb_sid(ldap_state->ipasam_privates->idmap_ctx,
+ dummy, &sid);
TALLOC_FREE(dummy);
- if (!res) {
+ if (err != IDMAP_SUCCESS) {
return false;
}
+ sid_copy(&td->security_identifier, sid);
+ talloc_free(sid);
}
if (!smbldap_talloc_single_blob(td, priv2ld(ldap_state), entry,
@@ -3634,12 +3679,13 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
NTSTATUS status;
char *dn = NULL;
char *domain_sid_string = NULL;
- struct dom_sid ldap_domain_sid;
+ struct dom_sid *ldap_domain_sid = NULL;
char *bind_dn = NULL;
char *bind_secret = NULL;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
+ enum idmap_error_code err;
status = make_pdb_method(pdb_method);
if (!NT_STATUS_IS_OK(status)) {
@@ -3776,15 +3822,27 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
entry,
LDAP_ATTRIBUTE_SID);
+ err = sss_idmap_init(idmap_talloc, ldap_state->ipasam_privates,
+ idmap_talloc_free,
+ &ldap_state->ipasam_privates->idmap_ctx);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(1, ("Failed to setup idmap context.\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
if (domain_sid_string) {
- if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) {
+ err = sss_idmap_sid_to_smb_sid(ldap_state->ipasam_privates->idmap_ctx,
+ domain_sid_string,
+ &ldap_domain_sid);
+ if (err != IDMAP_SUCCESS) {
DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be "
"read as a valid SID\n", domain_sid_string));
ldap_msgfree(result);
TALLOC_FREE(domain_sid_string);
return NT_STATUS_INVALID_PARAMETER;
}
- sid_copy(&ldap_state->domain_sid, &ldap_domain_sid);
+ sid_copy(&ldap_state->domain_sid, ldap_domain_sid);
+ talloc_free(ldap_domain_sid);
talloc_free(domain_sid_string);
status = save_sid_to_secret(ldap_state);
@@ -3793,8 +3851,6 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
}
}
-
-
(*pdb_method)->getsampwnam = ldapsam_getsampwnam;
(*pdb_method)->search_users = ldapsam_search_users;
(*pdb_method)->search_groups = ldapsam_search_groups;