-rw-r--r-- | src/lib/idmap/sss_idmap.c | 13 | ||||
-rw-r--r-- | src/lib/idmap/sss_idmap.h | 5 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_groups.c | 61 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_initgroups_ad.c | 6 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_users.c | 95 | ||||
-rw-r--r-- | src/providers/ldap/sdap_idmap.c | 25 |
6 files changed, 125 insertions, 80 deletions
diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c index c589bd458..d7254e3ea 100644 --- a/src/lib/idmap/sss_idmap.c +++ b/src/lib/idmap/sss_idmap.c @@ -280,6 +280,15 @@ fail: return IDMAP_OUT_OF_MEMORY; } +static bool sss_idmap_sid_is_builtin(const char *sid) +{ + if (strncmp(sid, "S-1-5-32-", 9) == 0) { + return true; + } + + return false; +} + enum idmap_error_code sss_idmap_sid_to_unix(struct sss_idmap_ctx *ctx, const char *sid, uint32_t *id) @@ -293,6 +302,10 @@ enum idmap_error_code sss_idmap_sid_to_unix(struct sss_idmap_ctx *ctx, idmap_domain_info = ctx->idmap_domain_info; + if (sid && sss_idmap_sid_is_builtin(sid)) { + return IDMAP_BUILTIN_SID; + } + while (idmap_domain_info != NULL) { dom_len = strlen(idmap_domain_info->sid); if (strlen(sid) > dom_len && sid[dom_len] == '-' && diff --git a/src/lib/idmap/sss_idmap.h b/src/lib/idmap/sss_idmap.h index 6b7cbe507..22a4d5484 100644 --- a/src/lib/idmap/sss_idmap.h +++ b/src/lib/idmap/sss_idmap.h @@ -68,7 +68,10 @@ enum idmap_error_code { IDMAP_SID_UNKNOWN, /** The provided UID or GID could not be mapped */ - IDMAP_NO_RANGE + IDMAP_NO_RANGE, + + /** The provided SID is a built-in one */ + IDMAP_BUILTIN_SID }; /** diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index d7d262d56..930d7fd82 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -334,13 +334,13 @@ static int sdap_save_group(TALLOC_CTX *memctx, tmpctx = talloc_new(NULL); if (!tmpctx) { ret = ENOMEM; - goto fail; + goto done; } group_attrs = sysdb_new_attrs(tmpctx); if (group_attrs == NULL) { ret = ENOMEM; - goto fail; + goto done; } ret = sysdb_attrs_primary_name(ctx, attrs, @@ -348,7 +348,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, &name); if (ret != EOK) { DEBUG(1, ("Failed to save the group - entry has no name attribute\n")); - goto fail; + goto done; } DEBUG(SSSDBG_TRACE_FUNC, ("Processing group %s\n", name)); 
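Review bot: The literal 9 in `strncmp(sid, "S-1-5-32-", 9)` has to be kept in step with the prefix string by hand; deriving it from the literal removes that hazard and the if/return-true/return-false can collapse into one line, `return strncmp(sid, "S-1-5-32-", sizeof("S-1-5-32-") - 1) == 0;`. A short comment naming the prefix would help readers who do not know the well-known SID layout, e.g. `/* S-1-5-32 is the well-known BUILTIN domain; its members never map to a domain range */`.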
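Review bot: The new guard `if (sid && sss_idmap_sid_is_builtin(sid))` treats a NULL sid as acceptable, but the unchanged `strlen(sid)` on the hunk's last line dereferences it unconditionally, so a NULL caller still crashes one statement later. If NULL is meant to be rejected, do it once at the top of the function with an explicit error return (the library's existing IDMAP_SID_INVALID looks like the right code, if I read the enum correctly); if it cannot be NULL, drop the `sid &&` so the guard does not suggest otherwise. The rest of sss_idmap_sid_to_unix lies outside this hunk.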
@@ -366,7 +366,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, DEBUG(SSSDBG_MINOR_FAILURE, ("Could not identify objectSID: [%s]\n", strerror(ret))); - goto fail; + goto done; } /* Add string representation to the cache for easier @@ -377,16 +377,22 @@ static int sdap_save_group(TALLOC_CTX *memctx, DEBUG(SSSDBG_MINOR_FAILURE, ("Could not add SID string: [%s]\n", strerror(ret))); - goto fail; + goto done; } /* Convert the SID into a UNIX group ID */ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &gid); - if (ret != EOK) { + if (ret == ENOTSUP) { + /* ENOTSUP is returned if built-in SID was provided + * => do not store the group, but return EOK */ + DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n")); + ret = EOK; + goto done; + } else if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, ("Could not convert SID string: [%s]\n", strerror(ret))); - goto fail; + goto done; } /* Store the GID in the ldap_attrs so it doesn't get @@ -397,7 +403,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, DEBUG(SSSDBG_MINOR_FAILURE, ("Could not store GID: [%s]\n", strerror(ret))); - goto fail; + goto done; } } else { ret = sysdb_attrs_get_bool(attrs, SYSDB_POSIX, &posix_group); @@ -407,7 +413,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, DEBUG(SSSDBG_MINOR_FAILURE, ("Error reading posix attribute: [%s]\n", strerror(ret))); - goto fail; + goto done; } DEBUG(8, ("This is%s a posix group\n", (posix_group)?"":" not")); @@ -416,7 +422,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, DEBUG(SSSDBG_MINOR_FAILURE, ("Error setting posix attribute: [%s]\n", strerror(ret))); - goto fail; + goto done; } ret = sysdb_attrs_get_uint32_t(attrs, @@ -426,7 +432,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, DEBUG(1, ("no gid provided for [%s] in domain [%s].\n", name, dom->name)); ret = EINVAL; - goto fail; + goto done; } } 
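Review bot: The skip message `("Skipping built-in object.\n")` does not say which object was skipped, so a later trace cannot tie the line to an entry; `sid_str` is already in scope, so `DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object [%s].\n", sid_str));` costs nothing, and the same applies to the identical messages added in sdap_async_initgroups_ad.c and sdap_async_users.c. Because this path returns EOK without storing anything and without setting `*_usn_value`, the caller cannot distinguish a skipped entry from a saved one; presumably that is intended, but it is worth stating in the function's header comment. sdap_save_group starts and ends outside this hunk.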
@@ -436,7 +442,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, DEBUG(2, ("Group [%s] filtered out! (id out of range)\n", name)); ret = EINVAL; - goto fail; + goto done; } /* Group ID OK */ } @@ -447,7 +453,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, DEBUG(SSSDBG_MINOR_FAILURE, ("Error setting original DN: [%s]\n", strerror(ret))); - goto fail; + goto done; } ret = sdap_attrs_add_string(attrs, @@ -458,7 +464,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, DEBUG(SSSDBG_MINOR_FAILURE, ("Error setting mod timestamp: [%s]\n", strerror(ret))); - goto fail; + goto done; } ret = sysdb_attrs_get_el(attrs, @@ -467,7 +473,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, DEBUG(SSSDBG_MINOR_FAILURE, ("Error looking up group USN: [%s]\n", strerror(ret))); - goto fail; + goto done; } if (el->num_values == 0) { DEBUG(7, ("Original USN value is not available for [%s].\n", @@ -480,12 +486,12 @@ static int sdap_save_group(TALLOC_CTX *memctx, DEBUG(SSSDBG_MINOR_FAILURE, ("Error setting group USN: [%s]\n", strerror(ret))); - goto fail; + goto done; } usn_value = talloc_strdup(tmpctx, (const char*)el->values[0].data); if (!usn_value) { ret = ENOMEM; - goto fail; + goto done; } } @@ -494,13 +500,13 @@ static int sdap_save_group(TALLOC_CTX *memctx, group_attrs); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("Failed to save ghost members\n")); - goto fail; + goto done; } ret = sdap_save_all_names(name, attrs, !dom->case_sensitive, group_attrs); if (ret != EOK) { DEBUG(1, ("Failed to save group names\n")); - goto fail; + goto done; } DEBUG(6, ("Storing info for group %s\n", name)); @@ -513,7 +519,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, DEBUG(SSSDBG_MINOR_FAILURE, ("Could not store group with GID: [%s]\n", strerror(ret))); - goto fail; + goto done; } if (_usn_value) { 
@@ -521,14 +527,15 @@ static int sdap_save_group(TALLOC_CTX *memctx, } talloc_steal(memctx, group_attrs); - talloc_free(tmpctx); - return EOK; + ret = EOK; -fail: - DEBUG(SSSDBG_MINOR_FAILURE, - ("Failed to save group [%s]: [%s]\n", - name ? name : "Unknown", - strerror(ret))); +done: + if (ret) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("Failed to save group [%s]: [%s]\n", + name ? name : "Unknown", + strerror(ret))); + } talloc_free(tmpctx); return ret; } diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c index 7da3f5088..8c0e7062b 100644 --- a/src/providers/ldap/sdap_async_initgroups_ad.c +++ b/src/providers/ldap/sdap_async_initgroups_ad.c @@ -452,7 +452,11 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq) sid_str)); ret = sdap_idmap_sid_to_unix(state->opts->idmap_ctx, sid_str, &gid); - if (ret != EOK) { + if (ret == ENOTSUP) { + DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n")); + ret = EOK; + continue; + } else if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, ("Could not convert SID to GID: [%s]. Skipping\n", strerror(ret))); diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c index d706740df..f640b970a 100644 --- a/src/providers/ldap/sdap_async_users.c +++ b/src/providers/ldap/sdap_async_users.c @@ -67,13 +67,13 @@ int sdap_save_user(TALLOC_CTX *memctx, tmpctx = talloc_new(NULL); if (!tmpctx) { ret = ENOMEM; - goto fail; + goto done; } user_attrs = sysdb_new_attrs(tmpctx); if (user_attrs == NULL) { ret = ENOMEM; - goto fail; + goto done; } ret = sysdb_attrs_primary_name(ctx, attrs, @@ -81,7 +81,7 @@ int sdap_save_user(TALLOC_CTX *memctx, &name); if (ret != EOK) { DEBUG(1, ("Failed to save the user - entry has no name attribute\n")); - goto fail; + goto done; } if (opts->schema_type == SDAP_SCHEMA_AD) { 
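Review bot: `if (ret) {` at the new `done:` label mixes a bare truthiness test with the `ret != EOK` comparisons used throughout the rest of this function; `if (ret != EOK) {` keeps the style uniform, and the same applies to the `done:` label added to sdap_save_user in sdap_async_users.c. The error message also relies on `name` being NULL before the first `goto done` (the two ENOMEM exits run before sysdb_attrs_primary_name assigns it); its declaration is outside the hunk, so I cannot confirm it is initialised there.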
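Review bot: The new built-in branch resets `ret = EOK` before `continue`, while the existing error branch directly below it, whose message says it also skips the entry, does not appear to reset `ret`; whichever the post-loop logic expects, the two skip paths should agree, so either drop the `ret = EOK;` here or reset it in both branches. The enclosing loop and whatever examines `ret` after it are outside the hunk, so I cannot tell which is correct from here.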
@@ -90,22 +90,22 @@ int sdap_save_user(TALLOC_CTX *memctx, if (ret == EOK) { ret = sysdb_attrs_add_string(user_attrs, SYSDB_FULLNAME, fullname); if (ret != EOK) { - goto fail; + goto done; } } else if (ret != ENOENT) { - goto fail; + goto done; } } ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_PWD].sys_name, &el); - if (ret) goto fail; + if (ret) goto done; if (el->num_values == 0) pwd = NULL; else pwd = (const char *)el->values[0].data; ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_GECOS].sys_name, &el); - if (ret) goto fail; + if (ret) goto done; if (el->num_values == 0) gecos = NULL; else gecos = (const char *)el->values[0].data; @@ -114,19 +114,19 @@ int sdap_save_user(TALLOC_CTX *memctx, ret = sysdb_attrs_get_el( attrs, opts->user_map[SDAP_AT_USER_FULLNAME].sys_name, &el); - if (ret) goto fail; + if (ret) goto done; if (el->num_values > 0) gecos = (const char *)el->values[0].data; } ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_HOME].sys_name, &el); - if (ret) goto fail; + if (ret) goto done; if (el->num_values == 0) homedir = NULL; else homedir = (const char *)el->values[0].data; ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_SHELL].sys_name, &el); - if (ret) goto fail; + if (ret) goto done; if (el->num_values == 0) shell = NULL; else shell = (const char *)el->values[0].data; 
@@ -139,23 +139,29 @@ int sdap_save_user(TALLOC_CTX *memctx, tmpctx, opts->idmap_ctx, attrs, opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name, &sid_str); - if (ret != EOK) goto fail; + if (ret != EOK) goto done; /* Add string representation to the cache for easier * debugging */ ret = sysdb_attrs_add_string(user_attrs, SYSDB_SID_STR, sid_str); - if (ret != EOK) goto fail; + if (ret != EOK) goto done; /* Convert the SID into a UNIX user ID */ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &uid); - if (ret != EOK) goto fail; + if (ret == ENOTSUP) { + DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n")); + ret = EOK; + goto done; + } else if (ret != EOK) { + goto done; + } /* Store the UID in the ldap_attrs so it doesn't get * treated as a missing attribute from LDAP and removed. */ ret = sysdb_attrs_add_uint32(attrs, SYSDB_UIDNUM, uid); - if (ret != EOK) goto fail; + if (ret != EOK) goto done; } else { ret = sysdb_attrs_get_uint32_t(attrs, opts->user_map[SDAP_AT_USER_UID].sys_name, @@ -164,7 +170,7 @@ int sdap_save_user(TALLOC_CTX *memctx, DEBUG(1, ("no uid provided for [%s] in domain [%s].\n", name, dom->name)); ret = EINVAL; - goto fail; + goto done; } } /* check that the uid is valid for this domain */ @@ -172,7 +178,7 @@ int sdap_save_user(TALLOC_CTX *memctx, DEBUG(2, ("User [%s] filtered out! (uid out of range)\n", name)); ret = EINVAL; - goto fail; + goto done; } if (use_id_mapping) { @@ -185,7 +191,7 @@ int sdap_save_user(TALLOC_CTX *memctx, ("no primary group ID provided for [%s] in domain [%s].\n", name, dom->name)); ret = EINVAL; - goto fail; + goto done; } /* The primary group ID is just the RID part of the objectSID @@ -200,7 +206,7 @@ int sdap_save_user(TALLOC_CTX *memctx, if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, ("Could not parse domain SID from [%s]\n", sid_str)); - goto fail; + goto done; } } 
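Review bot: The built-in case in sdap_save_user has no comment explaining why `ret = EOK; goto done;` counts as success, whereas the parallel branch in sdap_save_group carries one; add the same `/* ENOTSUP is returned if built-in SID was provided => do not store the user, but return EOK */` above the `if (ret == ENOTSUP)` so the overloading of ENOTSUP is visible at both call sites. sdap_save_user starts and ends outside this hunk.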
@@ -210,18 +216,18 @@ int sdap_save_user(TALLOC_CTX *memctx, (unsigned long)primary_gid); if (!group_sid_str) { ret = ENOMEM; - goto fail; + goto done; } /* Convert the SID into a UNIX group ID */ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, group_sid_str, &gid); - if (ret != EOK) goto fail; + if (ret != EOK) goto done; /* Store the GID in the ldap_attrs so it doesn't get * treated as a missing attribute from LDAP and removed. */ ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid); - if (ret != EOK) goto fail; + if (ret != EOK) goto done; } else { ret = sysdb_attrs_get_uint32_t(attrs, opts->user_map[SDAP_AT_USER_GID].sys_name, @@ -230,7 +236,7 @@ int sdap_save_user(TALLOC_CTX *memctx, DEBUG(1, ("no gid provided for [%s] in domain [%s].\n", name, dom->name)); ret = EINVAL; - goto fail; + goto done; } } @@ -239,12 +245,12 @@ int sdap_save_user(TALLOC_CTX *memctx, DEBUG(2, ("User [%s] filtered out! (primary gid out of range)\n", name)); ret = EINVAL; - goto fail; + goto done; } ret = sysdb_attrs_get_el(attrs, SYSDB_ORIG_DN, &el); if (ret) { - goto fail; + goto done; } if (!el || el->num_values == 0) { DEBUG(SSSDBG_MINOR_FAILURE, @@ -256,13 +262,13 @@ int sdap_save_user(TALLOC_CTX *memctx, ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_DN, orig_dn); if (ret) { - goto fail; + goto done; } } ret = sysdb_attrs_get_el(attrs, SYSDB_MEMBEROF, &el); if (ret) { - goto fail; + goto done; } if (el->num_values == 0) { DEBUG(7, ("Original memberOf is not available for [%s].\n", @@ -274,7 +280,7 @@ int sdap_save_user(TALLOC_CTX *memctx, ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF, (const char *) el->values[i].data); if (ret) { - goto fail; + goto done; } } } 
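Review bot: The second `sdap_idmap_sid_to_unix` call here, for the user's primary group, still treats ENOTSUP as a plain failure (`if (ret != EOK) goto done;`), so such a user would be logged as failed rather than skipped. Since `group_sid_str` is built from the parsed domain SID plus `primary_gid` just above this hunk, it presumably can never be a built-in SID, but a comment saying so, e.g. `/* derived from the domain SID, so this cannot be a built-in SID and ENOTSUP is not expected */`, would spare the next reader the question.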
@@ -284,13 +290,13 @@ int sdap_save_user(TALLOC_CTX *memctx, "original mod-Timestamp", name, user_attrs); if (ret != EOK) { - goto fail; + goto done; } ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_USN].sys_name, &el); if (ret) { - goto fail; + goto done; } if (el->num_values == 0) { DEBUG(7, ("Original USN value is not available for [%s].\n", @@ -300,19 +306,19 @@ int sdap_save_user(TALLOC_CTX *memctx, opts->user_map[SDAP_AT_USER_USN].sys_name, (const char*)el->values[0].data); if (ret) { - goto fail; + goto done; } usn_value = talloc_strdup(tmpctx, (const char*)el->values[0].data); if (!usn_value) { ret = ENOMEM; - goto fail; + goto done; } } ret = sysdb_attrs_get_el(attrs, opts->user_map[SDAP_AT_USER_PRINC].sys_name, &el); if (ret) { - goto fail; + goto done; } if (el->num_values == 0) { DEBUG(7, ("User principal is not available for [%s].\n", name)); @@ -320,7 +326,7 @@ int sdap_save_user(TALLOC_CTX *memctx, upn = talloc_strdup(user_attrs, (const char*) el->values[0].data); if (!upn) { ret = ENOMEM; - goto fail; + goto done; } if (dp_opt_get_bool(opts->basic, SDAP_FORCE_UPPER_CASE_REALM)) { make_realm_upper_case(upn); @@ -329,7 +335,7 @@ int sdap_save_user(TALLOC_CTX *memctx, upn, name)); ret = sysdb_attrs_add_string(user_attrs, SYSDB_UPN, upn); if (ret) { - goto fail; + goto done; } } @@ -337,7 +343,7 @@ int sdap_save_user(TALLOC_CTX *memctx, ret = sdap_attrs_add_list(attrs, opts->user_map[i].sys_name, NULL, name, user_attrs); if (ret) { - goto fail; + goto done; } } @@ -348,14 +354,14 @@ int sdap_save_user(TALLOC_CTX *memctx, (cache_timeout ? (time(NULL) + cache_timeout) : 0)); if (ret) { - goto fail; + goto done; } } ret = sdap_save_all_names(name, attrs, !dom->case_sensitive, user_attrs); if (ret != EOK) { DEBUG(1, ("Failed to save user names\n")); - goto fail; + goto done; } /* Make sure that any attributes we requested from LDAP that we 
@@ -364,26 +370,27 @@ int sdap_save_user(TALLOC_CTX *memctx, ret = list_missing_attrs(user_attrs, opts->user_map, SDAP_OPTS_USER, attrs, &missing); if (ret != EOK) { - goto fail; + goto done; } DEBUG(6, ("Storing info for user %s\n", name)); ret = sysdb_store_user(ctx, name, pwd, uid, gid, gecos, homedir, shell, orig_dn, user_attrs, missing, cache_timeout, now); - if (ret) goto fail; + if (ret) goto done; if (_usn_value) { *_usn_value = talloc_steal(memctx, usn_value); } talloc_steal(memctx, user_attrs); - talloc_free(tmpctx); - return EOK; + ret = EOK; -fail: - DEBUG(2, ("Failed to save user [%s]\n", - name ? name : "Unknown")); +done: + if (ret) { + DEBUG(2, ("Failed to save user [%s]\n", + name ? name : "Unknown")); + } talloc_free(tmpctx); return ret; } diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c index 9ace11b5c..e51fcc6b4 100644 --- a/src/providers/ldap/sdap_idmap.c +++ b/src/providers/ldap/sdap_idmap.c @@ -380,13 +380,10 @@ sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx, err = sss_idmap_sid_to_unix(idmap_ctx->map, sid_str, (uint32_t *)id); - if (err != IDMAP_SUCCESS && err != IDMAP_NO_DOMAIN) { - DEBUG(SSSDBG_MINOR_FAILURE, - ("Could not convert objectSID [%s] to a UNIX ID\n", - sid_str)); - ret = EIO; - goto done; - } else if (err == IDMAP_NO_DOMAIN) { + switch (err) { + case IDMAP_SUCCESS: + break; + case IDMAP_NO_DOMAIN: /* This is the first time we've seen this domain * Create a new domain for it. We'll use the dom-sid * as the domain name for now, since we don't have @@ -420,6 +417,20 @@ sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx, ret = EIO; goto done; } + break; + case IDMAP_BUILTIN_SID: + DEBUG(SSSDBG_TRACE_FUNC, + ("Object SID [%s] is a built-in one.\n", sid_str)); + /* ENOTSUP indicates built-in SID */ + ret = ENOTSUP; + goto done; + break; + default: + DEBUG(SSSDBG_MINOR_FAILURE, + ("Could not convert objectSID [%s] to a UNIX ID\n", + sid_str)); + ret = EIO; + goto done; } ret = EOK; |
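Review bot: The `break;` after `goto done;` in the new `case IDMAP_BUILTIN_SID:` arm is unreachable and will be flagged by -Wunreachable-code; drop it and let the goto end the arm. More importantly, ENOTSUP is now a contract of sdap_idmap_sid_to_unix that three callers rely on, yet it is recorded only in an inline comment; the function's header comment (outside this hunk) should state it, e.g. `Returns ENOTSUP when sid_str belongs to the well-known BUILTIN domain; callers must treat this as "skip", not as a mapping failure.` Any other path that let ENOTSUP escape from this function would be silently treated as a built-in object by those callers, so keeping the sentinel confined to this one case matters.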