r21186: * Merge nss_info and idmap interface changes to current

  stable branch
* Also include pam_winbind changes for multiple groups in the
  require-membership-of parameter

3 files changed, 228 insertions, 101 deletions

diff --git a/source/passdb/lookup_sid.c b/source/passdb/lookup_sid.c
index 758fe968fc6..0b596fc8d7f 100644
--- a/source/passdb/lookup_sid.c
+++ b/source/passdb/lookup_sid.c
@@ -1112,29 +1112,16 @@ void store_gid_sid_cache(const DOM_SID *psid, gid_t gid)
 }
 
 /*****************************************************************
- *THE CANONICAL* convert uid_t to SID function.
+ *THE LEGACY* convert uid_t to SID function.
 *****************************************************************/  
 
-void uid_to_sid(DOM_SID *psid, uid_t uid)
+void legacy_uid_to_sid(DOM_SID *psid, uid_t uid)
 {
-	uid_t low, high;
 	uint32 rid;
 	BOOL ret;
 
 	ZERO_STRUCTP(psid);
 
-	if (fetch_sid_from_uid_cache(psid, uid))
-		return;
-
-	if ((lp_winbind_trusted_domains_only() ||
-	     (lp_idmap_uid(&low, &high) && (uid >= low) && (uid <= high))) &&
-	    winbind_uid_to_sid(psid, uid)) {
-
-		DEBUG(10,("uid_to_sid: winbindd %u -> %s\n",
-			  (unsigned int)uid, sid_string_static(psid)));
-		goto done;
-	}
-
 	become_root_uid_only();
 	ret = pdb_uid_to_rid(uid, &rid);
 	unbecome_root_uid_only();
@@ -1151,7 +1138,7 @@ void uid_to_sid(DOM_SID *psid, uid_t uid)
 	uid_to_unix_users_sid(uid, psid);
 
  done:
-	DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid,
+	DEBUG(10,("LEGACY: uid %u -> sid %s\n", (unsigned int)uid,
 		  sid_string_static(psid)));
 
 	store_uid_sid_cache(psid, uid);
@@ -1159,28 +1146,15 @@ void uid_to_sid(DOM_SID *psid, uid_t uid)
 }
 
 /*****************************************************************
- *THE CANONICAL* convert gid_t to SID function.
+ *THE LEGACY* convert gid_t to SID function.
 *****************************************************************/  
 
-void gid_to_sid(DOM_SID *psid, gid_t gid)
+void legacy_gid_to_sid(DOM_SID *psid, gid_t gid)
 {
 	BOOL ret;
-	gid_t low, high;
 
 	ZERO_STRUCTP(psid);
 
-	if (fetch_sid_from_gid_cache(psid, gid))
-		return;
-
-	if ((lp_winbind_trusted_domains_only() ||
-	     (lp_idmap_gid(&low, &high) && (gid >= low) && (gid <= high))) &&
-	    winbind_gid_to_sid(psid, gid)) {
-
-		DEBUG(10,("gid_to_sid: winbindd %u -> %s\n",
-			  (unsigned int)gid, sid_string_static(psid)));
-		goto done;
-	}
-
 	become_root_uid_only();
 	ret = pdb_gid_to_sid(gid, psid);
 	unbecome_root_uid_only();
@@ -1195,7 +1169,7 @@ void gid_to_sid(DOM_SID *psid, gid_t gid)
 	gid_to_unix_groups_sid(gid, psid);
 
  done:
-	DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid,
+	DEBUG(10,("LEGACY: gid %u -> sid %s\n", (unsigned int)gid,
 		  sid_string_static(psid)));
 
 	store_gid_sid_cache(psid, gid);
@@ -1203,21 +1177,13 @@ void gid_to_sid(DOM_SID *psid, gid_t gid)
 }
 
 /*****************************************************************
- *THE CANONICAL* convert SID to uid function.
+ *THE LEGACY* convert SID to uid function.
 *****************************************************************/  
 
-BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid)
+BOOL legacy_sid_to_uid(const DOM_SID *psid, uid_t *puid)
 {
 	enum lsa_SidType type;
 	uint32 rid;
-	gid_t gid;
-
-	if (fetch_uid_from_cache(puid, psid))
-		return True;
-
-	if (fetch_gid_from_cache(&gid, psid)) {
-		return False;
-	}
 
 	if (sid_peek_check_rid(&global_sid_Unix_Users, psid, &rid)) {
 		uid_t uid = rid;
@@ -1245,35 +1211,13 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid)
 		}
 
 		/* This was ours, but it was not mapped.  Fail */
-
-		return False;
-	}
-
-	if (winbind_lookup_sid(NULL, psid, NULL, NULL, &type)) {
-
-		if (type != SID_NAME_USER) {
-			DEBUG(10, ("sid_to_uid: sid %s is a %s\n",
-				   sid_string_static(psid),
-				   sid_type_lookup(type)));
-			return False;
 		}
 
-		if (!winbind_sid_to_uid(puid, psid)) {
-			DEBUG(5, ("sid_to_uid: winbind failed to allocate a "
-				  "new uid for sid %s\n",
-				  sid_string_static(psid)));
-			return False;
-		}
-		goto done;
-	}
-
-	/* TODO: Here would be the place to allocate both a gid and a uid for
-	 * the SID in question */
-
+	DEBUG(10,("LEGACY: mapping failed for sid %s\n", sid_string_static(psid)));
 	return False;
 
- done:
-	DEBUG(10,("sid_to_uid: %s -> %u\n", sid_string_static(psid),
+done:
+	DEBUG(10,("LEGACY: sid %s -> uid %u\n", sid_string_static(psid),
 		(unsigned int)*puid ));
 
 	store_uid_sid_cache(psid, *puid);
@@ -1281,23 +1225,16 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid)
 }
 
 /*****************************************************************
- *THE CANONICAL* convert SID to gid function.
+ *THE LEGACY* convert SID to gid function.
  Group mapping is used for gids that maps to Wellknown SIDs
 *****************************************************************/  
 
-BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid)
+BOOL legacy_sid_to_gid(const DOM_SID *psid, gid_t *pgid)
 {
 	uint32 rid;
 	GROUP_MAP map;
 	union unid_t id;
 	enum lsa_SidType type;
-	uid_t uid;
-
-	if (fetch_gid_from_cache(pgid, psid))
-		return True;
-
-	if (fetch_uid_from_cache(&uid, psid))
-		return False;
 
 	if (sid_peek_check_rid(&global_sid_Unix_Groups, psid, &rid)) {
 		gid_t gid = rid;
@@ -1317,6 +1254,7 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid)
 			*pgid = map.gid;
 			goto done;
 		}
+		DEBUG(10,("LEGACY: mapping failed for sid %s\n", sid_string_static(psid)));
 		return False;
 	}
 
@@ -1330,7 +1268,7 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid)
 		if (ret) {
 			if ((type != SID_NAME_DOM_GRP) &&
 			    (type != SID_NAME_ALIAS)) {
-				DEBUG(5, ("sid %s is a %s, expected a group\n",
+				DEBUG(5, ("LEGACY: sid %s is a %s, expected a group\n",
 					  sid_string_static(psid),
 					  sid_type_lookup(type)));
 				return False;
@@ -1340,37 +1278,146 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid)
 		}
 
 		/* This was ours, but it was not mapped.  Fail */
+	}
 
+	DEBUG(10,("LEGACY: mapping failed for sid %s\n", sid_string_static(psid)));
 		return False;
+	
+ done:
+	DEBUG(10,("LEGACY: sid %s -> gid %u\n", sid_string_static(psid),
+		  (unsigned int)*pgid ));
+
+	store_gid_sid_cache(psid, *pgid);
+
+	return True;
+}
+
+/*****************************************************************
+ *THE CANONICAL* convert uid_t to SID function.
+*****************************************************************/  
+
+void uid_to_sid(DOM_SID *psid, uid_t uid)
+{
+	ZERO_STRUCTP(psid);
+
+	if (fetch_sid_from_uid_cache(psid, uid))
+		return;
+
+	if (!winbind_uid_to_sid(psid, uid)) {
+		if (!winbind_ping()) {
+			DEBUG(2, ("WARNING: Winbindd not running, mapping ids with legacy code\n"));
+			legacy_uid_to_sid(psid, uid);
+			return;
+		}
+
+		DEBUG(5, ("uid_to_sid: winbind failed to find a sid for uid %u\n",
+			uid));
+		return;
 	}
 	
-	if (!winbind_lookup_sid(NULL, psid, NULL, NULL, &type)) {
-		DEBUG(11,("sid_to_gid: no one knows the SID %s (tried local, "
-			  "then winbind)\n", sid_string_static(psid)));
+	DEBUG(10,("uid %u -> sid %s\n",
+		  (unsigned int)uid, sid_string_static(psid)));
+
+	store_uid_sid_cache(psid, uid);
+	return;
+}
+
+/*****************************************************************
+ *THE CANONICAL* convert gid_t to SID function.
+*****************************************************************/  
+
+void gid_to_sid(DOM_SID *psid, gid_t gid)
+{
+	ZERO_STRUCTP(psid);
 		
+	if (fetch_sid_from_gid_cache(psid, gid))
+		return;
+
+	if (!winbind_gid_to_sid(psid, gid)) {
+		if (!winbind_ping()) {
+			DEBUG(2, ("WARNING: Winbindd not running, mapping ids with legacy code\n"));
+			legacy_gid_to_sid(psid, gid);
+			return;
+		}
+
+		DEBUG(5, ("gid_to_sid: winbind failed to find a sid for gid %u\n",
+			gid));
+		return;
+	}
+
+	DEBUG(10,("gid %u -> sid %s\n",
+		  (unsigned int)gid, sid_string_static(psid)));
+	
+	store_gid_sid_cache(psid, gid);
+	return;
+}
+
+/*****************************************************************
+ *THE CANONICAL* convert SID to uid function.
+*****************************************************************/  
+
+BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid)
+{
+	gid_t gid;
+
+	if (fetch_uid_from_cache(puid, psid))
+		return True;
+
+	if (fetch_gid_from_cache(&gid, psid)) {
 		return False;
 	}
 
-	/* winbindd knows it; Ensure this is a group sid */
+	if (!winbind_sid_to_uid(puid, psid)) {
+		if (!winbind_ping()) {
+			DEBUG(2, ("WARNING: Winbindd not running, mapping ids with legacy code\n"));
+			return legacy_sid_to_uid(psid, puid);
+		}
 
-	if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
-	    (type != SID_NAME_WKN_GRP)) {
-		DEBUG(10,("sid_to_gid: winbind lookup succeeded but SID is "
-			  "a %s\n", sid_type_lookup(type)));
+		DEBUG(5, ("winbind failed to find a uid for sid %s\n",
+			  sid_string_static(psid)));
 		return False;
 	}
 	
-	/* winbindd knows it and it is a type of group; sid_to_gid must succeed
-	   or we are dead in the water */
+	/* TODO: Here would be the place to allocate both a gid and a uid for
+	 * the SID in question */
+
+	DEBUG(10,("sid %s -> uid %u\n", sid_string_static(psid),
+		(unsigned int)*puid ));
+
+	store_uid_sid_cache(psid, *puid);
+	return True;
+}
+
+/*****************************************************************
+ *THE CANONICAL* convert SID to gid function.
+ Group mapping is used for gids that maps to Wellknown SIDs
+*****************************************************************/  
+
+BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid)
+{
+	uid_t uid;
+
+	if (fetch_gid_from_cache(pgid, psid))
+		return True;
+
+	if (fetch_uid_from_cache(&uid, psid))
+		return False;
+
+	/* Ask winbindd if it can map this sid to a gid.
+	 * (Idmap will check it is a valid SID and of the right type) */
 
 	if ( !winbind_sid_to_gid(pgid, psid) ) {
-		DEBUG(10,("sid_to_gid: winbind failed to allocate a new gid "
-			  "for sid %s\n", sid_string_static(psid)));
+		if (!winbind_ping()) {
+			DEBUG(2, ("WARNING: Winbindd not running, mapping ids with legacy code\n"));
+			return legacy_sid_to_gid(psid, pgid);
+		}
+
+		DEBUG(10,("winbind failed to find a gid for sid %s\n",
+					sid_string_static(psid)));
 		return False;
 	}
 
- done:
-	DEBUG(10,("sid_to_gid: %s -> %u\n", sid_string_static(psid),
+	DEBUG(10,("sid %s -> gid %u\n", sid_string_static(psid),
 		  (unsigned int)*pgid ));
 
 	store_gid_sid_cache(psid, *pgid);
diff --git a/source/passdb/pdb_interface.c b/source/passdb/pdb_interface.c
index b84b0bfaff3..2c38f2cf3f8 100644
--- a/source/passdb/pdb_interface.c
+++ b/source/passdb/pdb_interface.c
@@ -961,6 +961,18 @@ NTSTATUS pdb_lookup_rids(const DOM_SID *domain_sid,
 	return pdb->lookup_rids(pdb, domain_sid, num_rids, rids, names, attrs);
 }
 
+/* 
+ * NOTE: pdb_lookup_names is currently (2007-01-12) not used anywhere 
+ *       in the samba code.
+ *       Unlike _lsa_lookup_sids and _samr_lookup_rids, which eventually 
+ *       also ask pdb_lookup_rids, thus looking up a bunch of rids at a time, 
+ *       the pdb_ calls _lsa_lookup_names and _samr_lookup_names come
+ *       down to are pdb_getsampwnam and pdb_getgrnam instead of
+ *       pdb_lookup_names.
+ *       But in principle, it the call belongs to the API and might get
+ *       used in this context some day. 
+ */
+#if 0
 NTSTATUS pdb_lookup_names(const DOM_SID *domain_sid,
 			  int num_names,
 			  const char **names,
@@ -970,6 +982,7 @@ NTSTATUS pdb_lookup_names(const DOM_SID *domain_sid,
 	struct pdb_methods *pdb = pdb_get_methods();
 	return pdb->lookup_names(pdb, domain_sid, num_names, names, rids, attrs);
 }
+#endif
 
 BOOL pdb_get_account_policy(int policy_index, uint32 *value)
 {
@@ -995,6 +1008,12 @@ BOOL pdb_uid_to_rid(uid_t uid, uint32 *rid)
 	return pdb->uid_to_rid(pdb, uid, rid);
 }
 
+BOOL pdb_uid_to_sid(uid_t uid, DOM_SID *sid)
+{
+	struct pdb_methods *pdb = pdb_get_methods();
+	return pdb->uid_to_sid(pdb, uid, sid);
+}
+
 BOOL pdb_gid_to_sid(gid_t gid, DOM_SID *sid)
 {
 	struct pdb_methods *pdb = pdb_get_methods();
@@ -1161,8 +1180,8 @@ static NTSTATUS pdb_default_get_seq_num(struct pdb_methods *methods, time_t *seq
 	return NT_STATUS_OK;
 }
 
-static BOOL pdb_default_uid_to_rid(struct pdb_methods *methods, uid_t uid,
-				   uint32 *rid)
+static BOOL pdb_default_uid_to_sid(struct pdb_methods *methods, uid_t uid,
+				   DOM_SID *sid)
 {
 	struct samu *sampw = NULL;
 	struct passwd *unix_pw;
@@ -1193,15 +1212,31 @@ static BOOL pdb_default_uid_to_rid(struct pdb_methods *methods, uid_t uid,
 		return False;
 	}
 
-	ret = sid_peek_check_rid(get_global_sam_sid(),
-				 pdb_get_user_sid(sampw), rid);
+	sid_copy(sid, pdb_get_user_sid(sampw));
+
+	TALLOC_FREE(sampw);
+
+	return True;
+}
+
+static BOOL pdb_default_uid_to_rid(struct pdb_methods *methods, uid_t uid,
+				   uint32 *rid)
+{
+	DOM_SID sid;
+	BOOL ret;
+
+	ret = pdb_default_uid_to_sid(methods, uid, &sid);
+	if (!ret) {
+		return ret;
+	}
+	
+	ret = sid_peek_check_rid(get_global_sam_sid(), &sid, rid);
 
 	if (!ret) {
 		DEBUG(1, ("Could not peek rid out of sid %s\n",
-			  sid_string_static(pdb_get_user_sid(sampw))));
+			  sid_string_static(&sid)));
 	}
 
-	TALLOC_FREE(sampw);
 	return ret;
 }
 
@@ -1346,7 +1381,7 @@ static BOOL get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, size
 	return ret;
 }
 
-NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
+static NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
 					TALLOC_CTX *mem_ctx,
 					const DOM_SID *group,
 					uint32 **pp_member_rids,
@@ -1388,7 +1423,7 @@ NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods,
 	return NT_STATUS_OK;
 }
 
-NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
+static NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods,
 					    TALLOC_CTX *mem_ctx,
 					    struct samu *user,
 					    DOM_SID **pp_sids,
@@ -1527,7 +1562,7 @@ static BOOL lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid,
 	return False;
 }
 
-NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
+static NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
 				 const DOM_SID *domain_sid,
 				 int num_rids,
 				 uint32 *rids,
@@ -1590,7 +1625,8 @@ NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods,
 	return result;
 }
 
-NTSTATUS pdb_default_lookup_names(struct pdb_methods *methods,
+#if 0
+static NTSTATUS pdb_default_lookup_names(struct pdb_methods *methods,
 				  const DOM_SID *domain_sid,
 				  int num_names,
 				  const char **names,
@@ -1646,6 +1682,7 @@ NTSTATUS pdb_default_lookup_names(struct pdb_methods *methods,
 
 	return result;
 }
+#endif
 
 static struct pdb_search *pdb_search_init(enum pdb_search_type type)
 {
@@ -2015,6 +2052,7 @@ NTSTATUS make_pdb_method( struct pdb_methods **methods )
 	(*methods)->set_account_policy = pdb_default_set_account_policy;
 	(*methods)->get_seq_num = pdb_default_get_seq_num;
 	(*methods)->uid_to_rid = pdb_default_uid_to_rid;
+	(*methods)->uid_to_sid = pdb_default_uid_to_sid;
 	(*methods)->gid_to_sid = pdb_default_gid_to_sid;
 	(*methods)->sid_to_id = pdb_default_sid_to_id;
 
diff --git a/source/passdb/secrets.c b/source/passdb/secrets.c
index 06033116b67..3ac3a932338 100644
--- a/source/passdb/secrets.c
+++ b/source/passdb/secrets.c
@@ -1252,3 +1252,45 @@ BOOL secrets_restore_schannel_session_info(TALLOC_CTX *mem_ctx,
 
 	return True;
 }
+
+BOOL secrets_store_generic(const char *owner, const char *key, const char *secret)
+{
+	char *tdbkey = NULL;
+	BOOL ret;
+	
+	if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) {
+		DEBUG(0, ("asprintf failed!\n"));
+		return False;
+	}
+		
+	ret = secrets_store(tdbkey, secret, strlen(secret)+1);
+	
+	SAFE_FREE(tdbkey);
+	return ret;
+}
+
+/*******************************************************************
+ Find the ldap password.
+******************************************************************/
+
+char *secrets_fetch_generic(const char *owner, const char *key)
+{
+	char *secret = NULL;
+	char *tdbkey = NULL;
+
+	if (( ! owner) || ( ! key)) {
+		DEBUG(1, ("Invalid Paramters"));
+		return NULL;
+	}
+
+	if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) {
+		DEBUG(0, ("Out of memory!\n"));
+		return NULL;
+	}
+	
+	secret = (char *)secrets_fetch(tdbkey, NULL);
+	SAFE_FREE(tdbkey);
+
+	return secret;
+}
+