From 621b28a4a050309a767a05ff2ef5df9ee387afe3 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 27 Aug 2012 21:26:30 +0200 Subject: ipasam: add libsss_idmap context and replace string_to_sid() --- daemons/ipa-sam/Makefile.am | 2 + daemons/ipa-sam/ipa_sam.c | 118 ++++++++++++++++++++++++++++++++------------ 2 files changed, 89 insertions(+), 31 deletions(-) (limited to 'daemons') diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am index 11179276c..53c8f47bb 100644 --- a/daemons/ipa-sam/Makefile.am +++ b/daemons/ipa-sam/Makefile.am @@ -27,6 +27,7 @@ INCLUDES = \ $(TALLOC_CFLAGS) \ $(SAMBAUTIL_CFLAGS) \ $(NDR_CFLAGS) \ + $(SSSIDMAP_CFLAGS) \ $(NULL) plugindir = $(libdir)/samba/pdb @@ -52,6 +53,7 @@ ipasam_la_LIBADD = \ $(SAMBAUTIL_LIBS) \ $(NDR_LIBS) \ $(SAMBA40EXTRA_LIBS) \ + $(SSSIDMAP_LIBS) \ $(NULL) EXTRA_DIST = \ diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index b3be5a679..58a598f5a 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -29,6 +29,7 @@ #include #include +#include #include "ipa_krb5.h" #include "ipa_pwd.h" @@ -85,7 +86,6 @@ bool fetch_ldap_pw(char **dn, char** pw); /* available in libpdb.so */ bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */ /* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */ bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */ -bool string_to_sid(struct dom_sid *sidout, const char *sidstr); /* available in libsecurity.so */ char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */ bool trim_char(char *s,char cfront,char cback); /* available in libutil_str.so */ @@ -160,8 +160,19 @@ struct ipasam_privates { char *fallback_primary_group; char *server_princ; char *client_princ; + struct sss_idmap_ctx *idmap_ctx; }; +static void *idmap_talloc(size_t size, void *pvt) +{ + return talloc_size(pvt, size); +} + +static void idmap_talloc_free(void *ptr, void *pvt) +{ + talloc_free(ptr); +} + static void sid_copy(struct dom_sid *dst, const struct dom_sid *src) { size_t c; @@ -348,12 +359,14 @@ done: static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct, LDAPMessage *entry, + struct sss_idmap_ctx *idmap_ctx, const struct dom_sid *domain_sid, uint32_t *rid) { char *str = NULL; - struct dom_sid sid; + struct dom_sid *sid = NULL; bool res = false; + enum idmap_error_code err; str = get_single_attribute(NULL, ldap_struct, entry, LDAP_ATTRIBUTE_SID); @@ -363,29 +376,31 @@ static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct, goto done; } - if (!string_to_sid(&sid, str)) { + err = sss_idmap_sid_to_smb_sid(idmap_ctx, str, &sid); + if (err != IDMAP_SUCCESS) { DEBUG(10, ("Could not convert string %s to sid\n", str)); res = false; goto done; } - if (dom_sid_compare_domain(&sid, domain_sid) != 0) { + if (dom_sid_compare_domain(sid, domain_sid) != 0) { DEBUG(10, ("SID %s is not in expected domain %s\n", str, sid_string_dbg(domain_sid))); res = false; goto done; } - if (sid.num_auths <= 0) { + if (sid->num_auths <= 0) { DEBUG(10, ("Invalid num_auths in SID %s.\n", str)); res = false; goto done; } - *rid = sid.sub_auths[sid.num_auths - 1]; + *rid = sid->sub_auths[sid->num_auths - 1]; res = true; done: + talloc_free(sid); talloc_free(str); return res; } @@ -479,7 +494,9 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, int rid_index; const char *name; - if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid, + if (!ldapsam_extract_rid_from_entry(ld, entry, + ldap_state->ipasam_privates->idmap_ctx, + domain_sid, &rid)) { DEBUG(2, ("Could not find sid from ldap entry\n")); continue; @@ -564,8 +581,9 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, DEBUG(2, ("Rejecting invalid group mapping entry %s\n", dn)); } - if (!ldapsam_extract_rid_from_entry(ld, entry, domain_sid, - &rid)) { + if (!ldapsam_extract_rid_from_entry(ld, entry, + ldap_state->ipasam_privates->idmap_ctx, + domain_sid, &rid)) { DEBUG(2, ("Could not find sid from ldap entry %s\n", dn)); continue; } @@ -718,8 +736,9 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid, LDAPMessage *entry = NULL; bool ret = false; char *user_sid_string; - struct dom_sid user_sid; + struct dom_sid *user_sid = NULL; int rc; + enum idmap_error_code err; TALLOC_CTX *tmp_ctx = talloc_stackframe(); filter = talloc_asprintf(tmp_ctx, @@ -757,17 +776,20 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid, goto done; } - if (!string_to_sid(&user_sid, user_sid_string)) { + err = sss_idmap_sid_to_smb_sid(priv->ipasam_privates->idmap_ctx, + user_sid_string, &user_sid); + if (err != IDMAP_SUCCESS) { DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n", user_sid_string)); goto done; } - sid_copy(sid, &user_sid); + sid_copy(sid, user_sid); ret = true; - done: +done: + talloc_free(user_sid); TALLOC_FREE(tmp_ctx); return ret; } @@ -783,8 +805,9 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid, LDAPMessage *entry = NULL; bool ret = false; char *group_sid_string; - struct dom_sid group_sid; + struct dom_sid *group_sid = NULL; int rc; + enum idmap_error_code err; TALLOC_CTX *tmp_ctx = talloc_stackframe(); filter = talloc_asprintf(tmp_ctx, @@ -820,17 +843,20 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid, goto done; } - if (!string_to_sid(&group_sid, group_sid_string)) { + err = sss_idmap_sid_to_smb_sid(priv->ipasam_privates->idmap_ctx, + group_sid_string, &group_sid); + if (err != IDMAP_SUCCESS) { DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n", group_sid_string)); goto done; } - sid_copy(sid, &group_sid); + sid_copy(sid, group_sid); ret = true; - done: +done: + talloc_free(group_sid); TALLOC_FREE(tmp_ctx); return ret; } @@ -897,6 +923,7 @@ struct ldap_search_state { const char **attrs; int attrsonly; void *pagedresults_cookie; + struct sss_idmap_ctx *idmap_ctx; LDAPMessage *entries, *current_entry; bool (*ldap2displayentry)(struct ldap_search_state *state, @@ -1066,7 +1093,9 @@ static bool ldapuser2displayentry(struct ldap_search_state *state, { char **vals; size_t converted_size; - struct dom_sid sid; + struct dom_sid *sid = NULL; + enum idmap_error_code err; + bool res; /* FIXME: SB try to figure out which flags to set instead of hardcode them */ result->acct_flags = 66048; @@ -1128,14 +1157,17 @@ static bool ldapuser2displayentry(struct ldap_search_state *state, return false; } - if (!string_to_sid(&sid, vals[0])) { + err = sss_idmap_sid_to_smb_sid(state->idmap_ctx, vals[0], &sid); + if (err != IDMAP_SUCCESS) { DEBUG(0, ("Could not convert %s to SID\n", vals[0])); ldap_value_free(vals); return false; } ldap_value_free(vals); - if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)) { + res = sid_peek_check_rid(get_global_sam_sid(), sid, &result->rid); + talloc_free(sid); + if (!res) { DEBUG(0, ("sid does not belong to our domain\n")); return false; } @@ -1170,6 +1202,7 @@ static bool ldapsam_search_users(struct pdb_methods *methods, state->attrsonly = 0; state->pagedresults_cookie = NULL; state->entries = NULL; + state->idmap_ctx = ldap_state->ipasam_privates->idmap_ctx; state->ldap2displayentry = ldapuser2displayentry; if ((state->filter == NULL) || (state->attrs == NULL)) { @@ -1191,8 +1224,9 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state, { char **vals = NULL; size_t converted_size; - struct dom_sid sid; + struct dom_sid *sid = NULL; uint16_t group_type; + enum idmap_error_code err; result->account_name = ""; result->fullname = ""; @@ -1268,8 +1302,10 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state, return false; } - if (!string_to_sid(&sid, vals[0])) { + err = sss_idmap_sid_to_smb_sid(state->idmap_ctx, vals[0], &sid); + if (err != IDMAP_SUCCESS) { DEBUG(0, ("Could not convert %s to SID\n", vals[0])); + ldap_value_free(vals); return false; } @@ -1279,9 +1315,10 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state, case SID_NAME_DOM_GRP: case SID_NAME_ALIAS: - if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid) - && !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid)) + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &result->rid) + && !sid_peek_check_rid(&global_sid_Builtin, sid, &result->rid)) { + talloc_free(sid); DEBUG(0, ("SID is not in our domain\n")); return false; } @@ -1289,8 +1326,10 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state, default: DEBUG(0,("unknown group type: %d\n", group_type)); + talloc_free(sid); return false; } + talloc_free(sid); result->acct_flags = 0; @@ -1327,6 +1366,7 @@ static bool ldapsam_search_grouptype(struct pdb_methods *methods, state->pagedresults_cookie = NULL; state->entries = NULL; state->group_type = type; + state->idmap_ctx = ldap_state->ipasam_privates->idmap_ctx; state->ldap2displayentry = ldapgroup2displayentry; if ((state->filter == NULL) || (state->attrs == NULL)) { @@ -1848,6 +1888,8 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx, char *dummy; bool res; struct pdb_trusted_domain *td; + struct dom_sid *sid = NULL; + enum idmap_error_code err; if (entry == NULL) { return false; @@ -1867,11 +1909,14 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx, LDAP_ATTRIBUTE_TRUST_SID)); ZERO_STRUCT(td->security_identifier); } else { - res = string_to_sid(&td->security_identifier, dummy); + err = sss_idmap_sid_to_smb_sid(ldap_state->ipasam_privates->idmap_ctx, + dummy, &sid); TALLOC_FREE(dummy); - if (!res) { + if (err != IDMAP_SUCCESS) { return false; } + sid_copy(&td->security_identifier, sid); + talloc_free(sid); } if (!smbldap_talloc_single_blob(td, priv2ld(ldap_state), entry, @@ -3634,12 +3679,13 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, NTSTATUS status; char *dn = NULL; char *domain_sid_string = NULL; - struct dom_sid ldap_domain_sid; + struct dom_sid *ldap_domain_sid = NULL; char *bind_dn = NULL; char *bind_secret = NULL; LDAPMessage *result = NULL; LDAPMessage *entry = NULL; + enum idmap_error_code err; status = make_pdb_method(pdb_method); if (!NT_STATUS_IS_OK(status)) { @@ -3776,15 +3822,27 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, entry, LDAP_ATTRIBUTE_SID); + err = sss_idmap_init(idmap_talloc, ldap_state->ipasam_privates, + idmap_talloc_free, + &ldap_state->ipasam_privates->idmap_ctx); + if (err != IDMAP_SUCCESS) { + DEBUG(1, ("Failed to setup idmap context.\n")); + return NT_STATUS_UNSUCCESSFUL; + } + if (domain_sid_string) { - if (!string_to_sid(&ldap_domain_sid, domain_sid_string)) { + err = sss_idmap_sid_to_smb_sid(ldap_state->ipasam_privates->idmap_ctx, + domain_sid_string, + &ldap_domain_sid); + if (err != IDMAP_SUCCESS) { DEBUG(1, ("pdb_init_ldapsam: SID [%s] could not be " "read as a valid SID\n", domain_sid_string)); ldap_msgfree(result); TALLOC_FREE(domain_sid_string); return NT_STATUS_INVALID_PARAMETER; } - sid_copy(&ldap_state->domain_sid, &ldap_domain_sid); + sid_copy(&ldap_state->domain_sid, ldap_domain_sid); + talloc_free(ldap_domain_sid); talloc_free(domain_sid_string); status = save_sid_to_secret(ldap_state); @@ -3793,8 +3851,6 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, } } - - (*pdb_method)->getsampwnam = ldapsam_getsampwnam; (*pdb_method)->search_users = ldapsam_search_users; (*pdb_method)->search_groups = ldapsam_search_groups; -- cgit