author | Gerald Carter <jerry@samba.org> | 2007-02-06 20:57:41 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2007-02-06 20:57:41 +0000 |
commit | 244d86abdfe1fb9ed59e52ed057bc8a1fea779f9 (patch) | |
tree | 61d0933acd58c72244b779ae8761d4aa01249e89 /source/passdb | |
parent | 97c74057933f17a180751a679060e3da1251f307 (diff) | |
download | samba-244d86abdfe1fb9ed59e52ed057bc8a1fea779f9.tar.gz samba-244d86abdfe1fb9ed59e52ed057bc8a1fea779f9.tar.xz samba-244d86abdfe1fb9ed59e52ed057bc8a1fea779f9.zip |
r21186: * Merge nss_info and idmap interface changes to current
stable branch
* Also include pam_winbind changes for multiple groups in the
require-membership-of parameter
Diffstat (limited to 'source/passdb')
-rw-r--r-- | source/passdb/lookup_sid.c | 229 | ||||
-rw-r--r-- | source/passdb/pdb_interface.c | 58 | ||||
-rw-r--r-- | source/passdb/secrets.c | 42 |
3 files changed, 228 insertions, 101 deletions
diff --git a/source/passdb/lookup_sid.c b/source/passdb/lookup_sid.c index 758fe968fc6..0b596fc8d7f 100644 --- a/source/passdb/lookup_sid.c +++ b/source/passdb/lookup_sid.c @@ -1112,29 +1112,16 @@ void store_gid_sid_cache(const DOM_SID *psid, gid_t gid) } /***************************************************************** - *THE CANONICAL* convert uid_t to SID function. + *THE LEGACY* convert uid_t to SID function. *****************************************************************/ -void uid_to_sid(DOM_SID *psid, uid_t uid) +void legacy_uid_to_sid(DOM_SID *psid, uid_t uid) { - uid_t low, high; uint32 rid; BOOL ret; ZERO_STRUCTP(psid); - if (fetch_sid_from_uid_cache(psid, uid)) - return; - - if ((lp_winbind_trusted_domains_only() || - (lp_idmap_uid(&low, &high) && (uid >= low) && (uid <= high))) && - winbind_uid_to_sid(psid, uid)) { - - DEBUG(10,("uid_to_sid: winbindd %u -> %s\n", - (unsigned int)uid, sid_string_static(psid))); - goto done; - } - become_root_uid_only(); ret = pdb_uid_to_rid(uid, &rid); unbecome_root_uid_only(); @@ -1151,7 +1138,7 @@ void uid_to_sid(DOM_SID *psid, uid_t uid) uid_to_unix_users_sid(uid, psid); done: - DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid, + DEBUG(10,("LEGACY: uid %u -> sid %s\n", (unsigned int)uid, sid_string_static(psid))); store_uid_sid_cache(psid, uid); 
@@ -1159,28 +1146,15 @@ void uid_to_sid(DOM_SID *psid, uid_t uid) } /***************************************************************** - *THE CANONICAL* convert gid_t to SID function. + *THE LEGACY* convert gid_t to SID function. *****************************************************************/ -void gid_to_sid(DOM_SID *psid, gid_t gid) +void legacy_gid_to_sid(DOM_SID *psid, gid_t gid) { BOOL ret; - gid_t low, high; ZERO_STRUCTP(psid); - if (fetch_sid_from_gid_cache(psid, gid)) - return; - - if ((lp_winbind_trusted_domains_only() || - (lp_idmap_gid(&low, &high) && (gid >= low) && (gid <= high))) && - winbind_gid_to_sid(psid, gid)) { - - DEBUG(10,("gid_to_sid: winbindd %u -> %s\n", - (unsigned int)gid, sid_string_static(psid))); - goto done; - } - become_root_uid_only(); ret = pdb_gid_to_sid(gid, psid); unbecome_root_uid_only(); @@ -1195,7 +1169,7 @@ void gid_to_sid(DOM_SID *psid, gid_t gid) gid_to_unix_groups_sid(gid, psid); done: - DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid, + DEBUG(10,("LEGACY: gid %u -> sid %s\n", (unsigned int)gid, sid_string_static(psid))); store_gid_sid_cache(psid, gid); @@ -1203,21 +1177,13 @@ void gid_to_sid(DOM_SID *psid, gid_t gid) } /***************************************************************** - *THE CANONICAL* convert SID to uid function. + *THE LEGACY* convert SID to uid function. *****************************************************************/ -BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid) +BOOL legacy_sid_to_uid(const DOM_SID *psid, uid_t *puid) { enum lsa_SidType type; uint32 rid; - gid_t gid; - - if (fetch_uid_from_cache(puid, psid)) - return True; - - if (fetch_gid_from_cache(&gid, psid)) { - return False; - } if (sid_peek_check_rid(&global_sid_Unix_Users, psid, &rid)) { uid_t uid = rid; 
@@ -1245,35 +1211,13 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid) } /* This was ours, but it was not mapped. Fail */ - - return False; - } - - if (winbind_lookup_sid(NULL, psid, NULL, NULL, &type)) { - - if (type != SID_NAME_USER) { - DEBUG(10, ("sid_to_uid: sid %s is a %s\n", - sid_string_static(psid), - sid_type_lookup(type))); - return False; } - if (!winbind_sid_to_uid(puid, psid)) { - DEBUG(5, ("sid_to_uid: winbind failed to allocate a " - "new uid for sid %s\n", - sid_string_static(psid))); - return False; - } - goto done; - } - - /* TODO: Here would be the place to allocate both a gid and a uid for - * the SID in question */ - + DEBUG(10,("LEGACY: mapping failed for sid %s\n", sid_string_static(psid))); return False; - done: - DEBUG(10,("sid_to_uid: %s -> %u\n", sid_string_static(psid), +done: + DEBUG(10,("LEGACY: sid %s -> uid %u\n", sid_string_static(psid), (unsigned int)*puid )); store_uid_sid_cache(psid, *puid); @@ -1281,23 +1225,16 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid) } /***************************************************************** - *THE CANONICAL* convert SID to gid function. + *THE LEGACY* convert SID to gid function. Group mapping is used for gids that maps to Wellknown SIDs *****************************************************************/ -BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid) +BOOL legacy_sid_to_gid(const DOM_SID *psid, gid_t *pgid) { uint32 rid; GROUP_MAP map; union unid_t id; enum lsa_SidType type; - uid_t uid; - - if (fetch_gid_from_cache(pgid, psid)) - return True; - - if (fetch_uid_from_cache(&uid, psid)) - return False; if (sid_peek_check_rid(&global_sid_Unix_Groups, psid, &rid)) { gid_t gid = rid; @@ -1317,6 +1254,7 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid) *pgid = map.gid; goto done; } + DEBUG(10,("LEGACY: mapping failed for sid %s\n", sid_string_static(psid))); return False; } 
@@ -1330,7 +1268,7 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid) if (ret) { if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS)) { - DEBUG(5, ("sid %s is a %s, expected a group\n", + DEBUG(5, ("LEGACY: sid %s is a %s, expected a group\n", sid_string_static(psid), sid_type_lookup(type))); return False; 
@@ -1340,37 +1278,146 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid) } /* This was ours, but it was not mapped. Fail */ + } + DEBUG(10,("LEGACY: mapping failed for sid %s\n", sid_string_static(psid))); return False; + + done: + DEBUG(10,("LEGACY: sid %s -> gid %u\n", sid_string_static(psid), + (unsigned int)*pgid )); + + store_gid_sid_cache(psid, *pgid); + + return True; +} + +/***************************************************************** + *THE CANONICAL* convert uid_t to SID function. +*****************************************************************/ + +void uid_to_sid(DOM_SID *psid, uid_t uid) +{ + ZERO_STRUCTP(psid); + + if (fetch_sid_from_uid_cache(psid, uid)) + return; + + if (!winbind_uid_to_sid(psid, uid)) { + if (!winbind_ping()) { + DEBUG(2, ("WARNING: Winbindd not running, mapping ids with legacy code\n")); + legacy_uid_to_sid(psid, uid); + return; + } + + DEBUG(5, ("uid_to_sid: winbind failed to find a sid for uid %u\n", + uid)); + return; } - if (!winbind_lookup_sid(NULL, psid, NULL, NULL, &type)) { - DEBUG(11,("sid_to_gid: no one knows the SID %s (tried local, " - "then winbind)\n", sid_string_static(psid))); + DEBUG(10,("uid %u -> sid %s\n", + (unsigned int)uid, sid_string_static(psid))); + + store_uid_sid_cache(psid, uid); + return; +} + +/***************************************************************** + *THE CANONICAL* convert gid_t to SID function. 
+*****************************************************************/ + +void gid_to_sid(DOM_SID *psid, gid_t gid) +{ + ZERO_STRUCTP(psid); + if (fetch_sid_from_gid_cache(psid, gid)) + return; + + if (!winbind_gid_to_sid(psid, gid)) { + if (!winbind_ping()) { + DEBUG(2, ("WARNING: Winbindd not running, mapping ids with legacy code\n")); + legacy_gid_to_sid(psid, gid); + return; + } + + DEBUG(5, ("gid_to_sid: winbind failed to find a sid for gid %u\n", + gid)); + return; + } + + DEBUG(10,("gid %u -> sid %s\n", + (unsigned int)gid, sid_string_static(psid))); + + store_gid_sid_cache(psid, gid); + return; +} + +/***************************************************************** + *THE CANONICAL* convert SID to uid function. +*****************************************************************/ + +BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid) +{ + gid_t gid; + + if (fetch_uid_from_cache(puid, psid)) + return True; + + if (fetch_gid_from_cache(&gid, psid)) { return False; } - /* winbindd knows it; Ensure this is a group sid */ + if (!winbind_sid_to_uid(puid, psid)) { + if (!winbind_ping()) { + DEBUG(2, ("WARNING: Winbindd not running, mapping ids with legacy code\n")); + return legacy_sid_to_uid(psid, puid); + } - if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) && - (type != SID_NAME_WKN_GRP)) { - DEBUG(10,("sid_to_gid: winbind lookup succeeded but SID is " - "a %s\n", sid_type_lookup(type))); + DEBUG(5, ("winbind failed to find a uid for sid %s\n", + sid_string_static(psid))); return False; } - /* winbindd knows it and it is a type of group; sid_to_gid must succeed - or we are dead in the water */ + /* TODO: Here would be the place to allocate both a gid and a uid for + * the SID in question */ + + DEBUG(10,("sid %s -> uid %u\n", sid_string_static(psid), + (unsigned int)*puid )); + + store_uid_sid_cache(psid, *puid); + return True; +} + +/***************************************************************** + *THE CANONICAL* convert SID to gid function. 
+ Group mapping is used for gids that maps to Wellknown SIDs +*****************************************************************/ + +BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid) +{ + uid_t uid; + + if (fetch_gid_from_cache(pgid, psid)) + return True; + + if (fetch_uid_from_cache(&uid, psid)) + return False; + + /* Ask winbindd if it can map this sid to a gid. + * (Idmap will check it is a valid SID and of the right type) */ if ( !winbind_sid_to_gid(pgid, psid) ) { - DEBUG(10,("sid_to_gid: winbind failed to allocate a new gid " - "for sid %s\n", sid_string_static(psid))); + if (!winbind_ping()) { + DEBUG(2, ("WARNING: Winbindd not running, mapping ids with legacy code\n")); + return legacy_sid_to_gid(psid, pgid); + } + + DEBUG(10,("winbind failed to find a gid for sid %s\n", + sid_string_static(psid))); return False; } - done: - DEBUG(10,("sid_to_gid: %s -> %u\n", sid_string_static(psid), + DEBUG(10,("sid %s -> gid %u\n", sid_string_static(psid), (unsigned int)*pgid )); store_gid_sid_cache(psid, *pgid); diff --git a/source/passdb/pdb_interface.c b/source/passdb/pdb_interface.c index b84b0bfaff3..2c38f2cf3f8 100644 --- a/source/passdb/pdb_interface.c +++ b/source/passdb/pdb_interface.c @@ -961,6 +961,18 @@ NTSTATUS pdb_lookup_rids(const DOM_SID *domain_sid, return pdb->lookup_rids(pdb, domain_sid, num_rids, rids, names, attrs); } +/* + * NOTE: pdb_lookup_names is currently (2007-01-12) not used anywhere + * in the samba code. + * Unlike _lsa_lookup_sids and _samr_lookup_rids, which eventually + * also ask pdb_lookup_rids, thus looking up a bunch of rids at a time, + * the pdb_ calls _lsa_lookup_names and _samr_lookup_names come + * down to are pdb_getsampwnam and pdb_getgrnam instead of + * pdb_lookup_names. + * But in principle, it the call belongs to the API and might get + * used in this context some day. + */ +#if 0 NTSTATUS pdb_lookup_names(const DOM_SID *domain_sid, int num_names, const char **names, 
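Review bot: The winbindd-down fallback in the new uid_to_sid (and likewise in gid_to_sid, sid_to_uid and sid_to_gid in this hunk) delegates to the legacy_* routines, which still end with store_uid_sid_cache/store_gid_sid_cache at their `done:` labels (visible in the earlier hunks), while the canonical entry points consult those same caches before asking winbindd; a mapping computed during a transient winbindd outage therefore stays authoritative after winbindd is back and may disagree with the idmap answer. If that is not intended, the legacy path should skip the store calls, or the DEBUG(2) warning should at least say the legacy result is cached. Separately, `DEBUG(5, ("uid_to_sid: winbind failed to find a sid for uid %u\n", uid));` and its gid_to_sid counterpart pass uid_t/gid_t to `%u` uncast, unlike every other DEBUG in these functions, so they should read `(unsigned int)uid` and `(unsigned int)gid`. The closing lines of sid_to_gid lie outside this hunk.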
@@ -970,6 +982,7 @@ NTSTATUS pdb_lookup_names(const DOM_SID *domain_sid, struct pdb_methods *pdb = pdb_get_methods(); return pdb->lookup_names(pdb, domain_sid, num_names, names, rids, attrs); } +#endif BOOL pdb_get_account_policy(int policy_index, uint32 *value) { @@ -995,6 +1008,12 @@ BOOL pdb_uid_to_rid(uid_t uid, uint32 *rid) return pdb->uid_to_rid(pdb, uid, rid); } +BOOL pdb_uid_to_sid(uid_t uid, DOM_SID *sid) +{ + struct pdb_methods *pdb = pdb_get_methods(); + return pdb->uid_to_sid(pdb, uid, sid); +} + BOOL pdb_gid_to_sid(gid_t gid, DOM_SID *sid) { struct pdb_methods *pdb = pdb_get_methods(); @@ -1161,8 +1180,8 @@ static NTSTATUS pdb_default_get_seq_num(struct pdb_methods *methods, time_t *seq return NT_STATUS_OK; } -static BOOL pdb_default_uid_to_rid(struct pdb_methods *methods, uid_t uid, - uint32 *rid) +static BOOL pdb_default_uid_to_sid(struct pdb_methods *methods, uid_t uid, + DOM_SID *sid) { struct samu *sampw = NULL; struct passwd *unix_pw; @@ -1193,15 +1212,31 @@ static BOOL pdb_default_uid_to_rid(struct pdb_methods *methods, uid_t uid, return False; } - ret = sid_peek_check_rid(get_global_sam_sid(), - pdb_get_user_sid(sampw), rid); + sid_copy(sid, pdb_get_user_sid(sampw)); + + TALLOC_FREE(sampw); + + return True; +} + +static BOOL pdb_default_uid_to_rid(struct pdb_methods *methods, uid_t uid, + uint32 *rid) +{ + DOM_SID sid; + BOOL ret; + + ret = pdb_default_uid_to_sid(methods, uid, &sid); + if (!ret) { + return ret; + } + + ret = sid_peek_check_rid(get_global_sam_sid(), &sid, rid); if (!ret) { DEBUG(1, ("Could not peek rid out of sid %s\n", - sid_string_static(pdb_get_user_sid(sampw)))); + sid_string_static(&sid))); } - TALLOC_FREE(sampw); return ret; } 
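Review bot: In the rebuilt pdb_default_uid_to_rid, `if (!ret) { return ret; }` hides that the value is always False there; `return False;` reads more directly and matches the wrapper style used elsewhere in the file. pdb_default_uid_to_sid, which this hunk turns into the primitive uid_to_rid now builds on, has no header comment; a line such as `/* Resolve a uid to the user's SID via the passdb; returns False on failure, in which case *sid is not written (the visible failure return precedes sid_copy) */` would document the contract callers of the new uid_to_sid method rely on. The function's opening and its earlier failure returns are outside this hunk, so the "not written" claim should be checked against them before it is committed to a comment.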
@@ -1346,7 +1381,7 @@ static BOOL get_memberuids(TALLOC_CTX *mem_ctx, gid_t gid, uid_t **pp_uids, size return ret; } -NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods, +static NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods, TALLOC_CTX *mem_ctx, const DOM_SID *group, uint32 **pp_member_rids, @@ -1388,7 +1423,7 @@ NTSTATUS pdb_default_enum_group_members(struct pdb_methods *methods, return NT_STATUS_OK; } -NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods, +static NTSTATUS pdb_default_enum_group_memberships(struct pdb_methods *methods, TALLOC_CTX *mem_ctx, struct samu *user, DOM_SID **pp_sids, @@ -1527,7 +1562,7 @@ static BOOL lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid, return False; } -NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods, +static NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods, const DOM_SID *domain_sid, int num_rids, uint32 *rids, @@ -1590,7 +1625,8 @@ NTSTATUS pdb_default_lookup_rids(struct pdb_methods *methods, return result; } -NTSTATUS pdb_default_lookup_names(struct pdb_methods *methods, +#if 0 +static NTSTATUS pdb_default_lookup_names(struct pdb_methods *methods, const DOM_SID *domain_sid, int num_names, const char **names, @@ -1646,6 +1682,7 @@ NTSTATUS pdb_default_lookup_names(struct pdb_methods *methods, return result; } +#endif static struct pdb_search *pdb_search_init(enum pdb_search_type type) { @@ -2015,6 +2052,7 @@ NTSTATUS make_pdb_method( struct pdb_methods **methods ) (*methods)->set_account_policy = pdb_default_set_account_policy; (*methods)->get_seq_num = pdb_default_get_seq_num; (*methods)->uid_to_rid = pdb_default_uid_to_rid; + (*methods)->uid_to_sid = pdb_default_uid_to_sid; (*methods)->gid_to_sid = pdb_default_gid_to_sid; (*methods)->sid_to_id = pdb_default_sid_to_id; diff --git a/source/passdb/secrets.c b/source/passdb/secrets.c index 06033116b67..3ac3a932338 100644 --- a/source/passdb/secrets.c +++ b/source/passdb/secrets.c 
@@ -1252,3 +1252,45 @@ BOOL secrets_restore_schannel_session_info(TALLOC_CTX *mem_ctx, return True; } + +BOOL secrets_store_generic(const char *owner, const char *key, const char *secret) +{ + char *tdbkey = NULL; + BOOL ret; + + if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) { + DEBUG(0, ("asprintf failed!\n")); + return False; + } + + ret = secrets_store(tdbkey, secret, strlen(secret)+1); + + SAFE_FREE(tdbkey); + return ret; +} + +/******************************************************************* + Find the ldap password. +******************************************************************/ + +char *secrets_fetch_generic(const char *owner, const char *key) +{ + char *secret = NULL; + char *tdbkey = NULL; + + if (( ! owner) || ( ! key)) { + DEBUG(1, ("Invalid Paramters")); + return NULL; + } + + if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) { + DEBUG(0, ("Out of memory!\n")); + return NULL; + } + + secret = (char *)secrets_fetch(tdbkey, NULL); + SAFE_FREE(tdbkey); + + return secret; +} + |
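Review bot: secrets_store_generic has no argument validation while its sibling secrets_fetch_generic rejects a NULL owner or key, so a NULL owner, key or secret reaches `asprintf("%s")` and `strlen(secret)` undefined; mirror the check as `if (!owner || !key || !secret) { DEBUG(1, ("Invalid Parameters\n")); return False; }`. The tdb key is built by plain concatenation, `SECRETS/GENERIC/%s/%s`, so owner `a/b` with key `c` and owner `a` with key `b/c` address the same record; if either string can ever originate outside the daemon this lets one owner read or overwrite another owner's secret, so rejecting `/` in both (or documenting the constraint on callers) is worth doing here. The header comment above secrets_fetch_generic, `Find the ldap password.`, is copied from elsewhere; it should say that it fetches a generic secret stored by secrets_store_generic and that the caller owns the returned buffer and must SAFE_FREE it. The message `"Invalid Paramters"` also misspells Parameters and lacks the trailing newline every other DEBUG in this hunk has.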