Diffstat (limited to 'source/nsswitch')
-rw-r--r--source/nsswitch/idmap.c401
-rw-r--r--source/nsswitch/idmap_cache.c6
-rw-r--r--source/nsswitch/idmap_ldap.c436
-rw-r--r--source/nsswitch/wb_common.c6
-rw-r--r--source/nsswitch/winbindd_cache.c13
-rw-r--r--source/nsswitch/winbindd_cm.c44
-rw-r--r--source/nsswitch/winbindd_rpc.c3
7 files changed, 547 insertions, 362 deletions
diff --git a/source/nsswitch/idmap.c b/source/nsswitch/idmap.c
index fd6de933f24..84fcb835419 100644
--- a/source/nsswitch/idmap.c
+++ b/source/nsswitch/idmap.c
@@ -1,9 +1,9 @@
-/*
+/*
Unix SMB/CIFS implementation.
ID Mapping
Copyright (C) Tim Potter 2000
Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
- Copyright (C) Simo Sorce 2003
+ Copyright (C) Simo Sorce 2003-2007
Copyright (C) Jeremy Allison 2006
This program is free software; you can redistribute it and/or modify
@@ -61,11 +61,23 @@ static int def_dom_num = -1;
static struct idmap_alloc_backend *alloc_backends = NULL;
static struct idmap_alloc_context *idmap_alloc_ctx = NULL;
-#define IDMAP_CHECK_RET(ret) do { if ( ! NT_STATUS_IS_OK(ret)) { DEBUG(2, ("ERROR: NTSTATUS = 0x%08x\n", NT_STATUS_V(ret))); goto done; } } while(0)
-#define IDMAP_REPORT_RET(ret) do { if ( ! NT_STATUS_IS_OK(ret)) { DEBUG(2, ("ERROR: NTSTATUS = 0x%08x\n", NT_STATUS_V(ret))); } } while(0)
-#define IDMAP_CHECK_ALLOC(mem) do { if (!mem) { DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; goto done; } } while(0)
-
-static struct idmap_methods *get_methods(struct idmap_backend *be, const char *name)
+#define IDMAP_CHECK_RET(ret) do { \
+ if ( ! NT_STATUS_IS_OK(ret)) { \
+ DEBUG(2, ("ERROR: NTSTATUS = 0x%08x\n", NT_STATUS_V(ret))); \
+ goto done; \
+ } } while(0)
+#define IDMAP_REPORT_RET(ret) do { \
+ if ( ! NT_STATUS_IS_OK(ret)) { \
+ DEBUG(2, ("ERROR: NTSTATUS = 0x%08x\n", NT_STATUS_V(ret))); \
+ } } while(0)
+#define IDMAP_CHECK_ALLOC(mem) do { \
+ if (!mem) { \
+ DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; \
+ goto done; \
+ } } while(0)
+
+static struct idmap_methods *get_methods(struct idmap_backend *be,
+ const char *name)
{
struct idmap_backend *b;
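Review bot: The reflowed IDMAP_CHECK_ALLOC still tests its argument unparenthesised, `if (!mem) {`, so an expression argument such as `a || b` would be negated incorrectly; while the macro is being rewritten anyway it should read `if (!(mem)) { \`. All three macros also depend silently on a `ret` variable and a `done:` label in the calling function, which deserves a one-line comment above them, e.g. `/* these macros require a local NTSTATUS ret and a done: label */`. The CHECK_ALLOC_DONE macro reformatted in idmap_ldap.c has the same unparenthesised `!mem`.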
@@ -78,7 +90,9 @@ static struct idmap_methods *get_methods(struct idmap_backend *be, const char *n
return NULL;
}
-static struct idmap_alloc_methods *get_alloc_methods(struct idmap_alloc_backend *be, const char *name)
+static struct idmap_alloc_methods *get_alloc_methods(
+ struct idmap_alloc_backend *be,
+ const char *name)
{
struct idmap_alloc_backend *b;
@@ -101,7 +115,8 @@ BOOL idmap_is_offline(void)
Allow a module to register itself as a method.
**********************************************************************/
-NTSTATUS smb_register_idmap(int version, const char *name, struct idmap_methods *methods)
+NTSTATUS smb_register_idmap(int version, const char *name,
+ struct idmap_methods *methods)
{
struct idmap_methods *test;
struct idmap_backend *entry;
@@ -112,9 +127,11 @@ NTSTATUS smb_register_idmap(int version, const char *name, struct idmap_methods
if ((version != SMB_IDMAP_INTERFACE_VERSION)) {
DEBUG(0, ("Failed to register idmap module.\n"
- "The module was compiled against SMB_IDMAP_INTERFACE_VERSION %d,\n"
+ "The module was compiled against "
+ "SMB_IDMAP_INTERFACE_VERSION %d,\n"
"current SMB_IDMAP_INTERFACE_VERSION is %d.\n"
- "Please recompile against the current version of samba!\n",
+ "Please recompile against the current version "
+ "of samba!\n",
version, SMB_IDMAP_INTERFACE_VERSION));
return NT_STATUS_OBJECT_TYPE_MISMATCH;
}
@@ -151,7 +168,8 @@ NTSTATUS smb_register_idmap(int version, const char *name, struct idmap_methods
Allow a module to register itself as a method.
**********************************************************************/
-NTSTATUS smb_register_idmap_alloc(int version, const char *name, struct idmap_alloc_methods *methods)
+NTSTATUS smb_register_idmap_alloc(int version, const char *name,
+ struct idmap_alloc_methods *methods)
{
struct idmap_alloc_methods *test;
struct idmap_alloc_backend *entry;
@@ -162,9 +180,11 @@ NTSTATUS smb_register_idmap_alloc(int version, const char *name, struct idmap_al
if ((version != SMB_IDMAP_INTERFACE_VERSION)) {
DEBUG(0, ("Failed to register idmap alloc module.\n"
- "The module was compiled against SMB_IDMAP_INTERFACE_VERSION %d,\n"
+ "The module was compiled against "
+ "SMB_IDMAP_INTERFACE_VERSION %d,\n"
"current SMB_IDMAP_INTERFACE_VERSION is %d.\n"
- "Please recompile against the current version of samba!\n",
+ "Please recompile against the current version "
+ "of samba!\n",
version, SMB_IDMAP_INTERFACE_VERSION));
return NT_STATUS_OBJECT_TYPE_MISMATCH;
}
@@ -242,14 +262,14 @@ static const char *idmap_default_domain[] = { "default domain", NULL };
****************************************************************************/
NTSTATUS idmap_init_cache(void)
-{
+{
/* Always initialize the cache. We'll have to delay initialization
of backends if we are offline */
if ( idmap_ctx ) {
return NT_STATUS_OK;
- }
-
+ }
+
if ( (idmap_ctx = talloc_named_const(NULL, 0, "idmap_ctx")) == NULL ) {
return NT_STATUS_NO_MEMORY;
}
@@ -265,7 +285,7 @@ NTSTATUS idmap_init_cache(void)
****************************************************************************/
NTSTATUS idmap_init(void)
-{
+{
NTSTATUS ret;
static NTSTATUS idmap_init_status = NT_STATUS_UNSUCCESSFUL;
struct idmap_domain *dom;
@@ -279,7 +299,7 @@ NTSTATUS idmap_init(void)
int i;
ret = idmap_init_cache();
- if ( !NT_STATUS_IS_OK(ret) )
+ if (!NT_STATUS_IS_OK(ret))
return ret;
if (NT_STATUS_IS_OK(idmap_init_status))
@@ -288,46 +308,48 @@ NTSTATUS idmap_init(void)
static_init_idmap;
dom_list = lp_idmap_domains();
-
+
if ( lp_idmap_backend() ) {
const char **compat_list = lp_idmap_backend();
char *p = NULL;
- const char *q = NULL;
+ const char *q = NULL;
- if ( dom_list ) {
- DEBUG(0, ("WARNING: idmap backend and idmap domains are "
- "mutually excusive!\n"));
+ if (dom_list) {
+ DEBUG(0, ("WARNING: idmap backend and idmap domains "
+ "are mutually excusive!\n"));
DEBUGADD(0,("idmap backend option will be IGNORED!\n"));
} else {
compat = 1;
- if ( (compat_backend = talloc_strdup( idmap_ctx, *compat_list )) == NULL ) {
+ compat_backend = talloc_strdup(idmap_ctx, *compat_list);
+ if (compat_backend == NULL) {
ret = NT_STATUS_NO_MEMORY;
goto done;
}
-
+
/* strip any leading idmap_ prefix of */
if (strncmp(*compat_list, "idmap_", 6) == 0 ) {
q = *compat_list += 6;
- DEBUG(0, ("WARNING: idmap backend uses obsolete and "
- "deprecated 'idmap_' prefix.\n"
- "Please replace 'idmap_%s' by '%s' in %s\n",
- q, q, dyn_CONFIGFILE));
- compat_backend = talloc_strdup( idmap_ctx, q);
+ DEBUG(0, ("WARNING: idmap backend uses obsolete"
+ " and deprecated 'idmap_' prefix.\n"
+ "Please replace 'idmap_%s' by '%s' in"
+ " %s\n", q, q, dyn_CONFIGFILE));
+ compat_backend = talloc_strdup(idmap_ctx, q);
} else {
- compat_backend = talloc_strdup( idmap_ctx, *compat_list);
+ compat_backend = talloc_strdup(idmap_ctx,
+ *compat_list);
}
-
+
/* separate the backend and module arguements */
if ((p = strchr(compat_backend, ':')) != NULL) {
- *p = '\0';
+ *p = '\0';
compat_params = p + 1;
}
- }
+ }
} else if ( !dom_list ) {
/* Back compatible: without idmap domains and explicit
idmap backend. Taking default idmap backend: tdb */
-
+
compat = 1;
compat_backend = talloc_strdup( idmap_ctx, "tdb");
compat_params = compat_backend;
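Review bot: The new NULL check covers only the first `talloc_strdup(idmap_ctx, *compat_list)`; both branches of the prefix test then assign `compat_backend` again from a second `talloc_strdup()` with no check, and that result goes straight into `strchr(compat_backend, ':')`, so an allocation failure there dereferences NULL. The first copy is also overwritten without being freed, so it stays attached to `idmap_ctx`. Dropping the first strdup and placing a single check after the if/else, `if (compat_backend == NULL) { ret = NT_STATUS_NO_MEMORY; goto done; }`, closes both. The `talloc_strdup( idmap_ctx, "tdb")` in the final branch is unchecked in the same way. Separately, `q = *compat_list += 6;` advances the pointer inside the list returned by `lp_idmap_backend()`; if that list is the shared parameter storage (not visible here), later readers see the stripped value, so `q = *compat_list + 6;` would be safer.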
@@ -336,7 +358,7 @@ NTSTATUS idmap_init(void)
if ( ! dom_list) {
dom_list = idmap_default_domain;
}
-
+
/***************************
* initialize idmap domains
*/
@@ -347,10 +369,10 @@ NTSTATUS idmap_init(void)
char *config_option;
/* ignore BUILTIN and local MACHINE domains */
- if ( strequal(dom_list[i], "BUILTIN")
- || strequal(dom_list[i], get_global_sam_name() ) )
+ if (strequal(dom_list[i], "BUILTIN")
+ || strequal(dom_list[i], get_global_sam_name()))
{
- DEBUG(0,("idmap_init: Ignoring invalid domain %s\n",
+ DEBUG(0,("idmap_init: Ignoring invalid domain %s\n",
dom_list[i]));
continue;
}
@@ -359,44 +381,50 @@ NTSTATUS idmap_init(void)
pri_dom_is_in_list = True;
}
/* init domain */
-
+
dom = TALLOC_ZERO_P(idmap_ctx, struct idmap_domain);
IDMAP_CHECK_ALLOC(dom);
dom->name = talloc_strdup(dom, dom_list[i]);
IDMAP_CHECK_ALLOC(dom->name);
- config_option = talloc_asprintf(dom, "idmap config %s", dom->name);
+ config_option = talloc_asprintf(dom, "idmap config %s",
+ dom->name);
IDMAP_CHECK_ALLOC(config_option);
/* default or specific ? */
- dom->default_domain = lp_parm_bool(-1, config_option, "default", False);
+ dom->default_domain = lp_parm_bool(-1, config_option,
+ "default", False);
if (dom->default_domain ||
strequal(dom_list[i], idmap_default_domain[0])) {
- /* make sure this is set even when we match idmap_default_domain[0] */
+ /* make sure this is set even when we match
+ * idmap_default_domain[0] */
dom->default_domain = True;
if (default_already_defined) {
- DEBUG(1, ("ERROR: Multiple domains defined as default!\n"));
+ DEBUG(1, ("ERROR: Multiple domains defined as"
+ " default!\n"));
ret = NT_STATUS_INVALID_PARAMETER;
goto done;
}
default_already_defined = True;
- }
+ }
- dom->readonly = lp_parm_bool(-1, config_option, "readonly", False);
+ dom->readonly = lp_parm_bool(-1, config_option,
+ "readonly", False);
/* find associated backend (default: tdb) */
if (compat) {
parm_backend = talloc_strdup(idmap_ctx, compat_backend);
} else {
- parm_backend = talloc_strdup(idmap_ctx,
- lp_parm_const_string(-1, config_option, "backend", "tdb"));
+ char *backend = lp_parm_const_string(-1, config_option,
+ "backend", "tdb");
+ parm_backend = talloc_strdup(idmap_ctx, backend);
}
IDMAP_CHECK_ALLOC(parm_backend);
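Review bot: The new temporary in the non-compat branch is declared `char *backend`, but it receives the result of `lp_parm_const_string()`, which by its name presumably returns a `const char *` (its prototype is not shown here). That assignment would silently drop the qualifier and allow a later write through a pointer into configuration storage. Declaring it as `const char *backend = lp_parm_const_string(-1, config_option,` keeps the intent and avoids a discarded-qualifier warning. `talloc_strdup()` takes a const source, so nothing else needs to change.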
@@ -406,22 +434,27 @@ NTSTATUS idmap_init(void)
if ( ! dom->methods) {
ret = smb_probe_module("idmap", parm_backend);
if (NT_STATUS_IS_OK(ret)) {
- dom->methods = get_methods(backends, parm_backend);
+ dom->methods = get_methods(backends,
+ parm_backend);
}
}
if ( ! dom->methods) {
- DEBUG(0, ("ERROR: Could not get methods for backend %s\n", parm_backend));
+ DEBUG(0, ("ERROR: Could not get methods for "
+ "backend %s\n", parm_backend));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
- /* check the set_mapping function exists otherwise mark the module as readonly */
+ /* check the set_mapping function exists otherwise mark the
+ * module as readonly */
if ( ! dom->methods->set_mapping) {
- DEBUG(5, ("Forcing to readonly, as this module can't store arbitrary mappings.\n"));
+ DEBUG(5, ("Forcing to readonly, as this module can't"
+ " store arbitrary mappings.\n"));
dom->readonly = True;
}
- /* now that we have methods, set the destructor for this domain */
+ /* now that we have methods,
+ * set the destructor for this domain */
talloc_set_destructor(dom, close_domain_destructor);
if (compat_params) {
@@ -434,10 +467,12 @@ NTSTATUS idmap_init(void)
/* Finally instance a backend copy for this domain */
ret = dom->methods->init(dom);
if ( ! NT_STATUS_IS_OK(ret)) {
- DEBUG(0, ("ERROR: Initialization failed for backend %s (domain %s), deferred!\n",
- parm_backend, dom->name));
+ DEBUG(0, ("ERROR: Initialization failed for backend "
+ "%s (domain %s), deferred!\n",
+ parm_backend, dom->name));
}
- idmap_domains = talloc_realloc(idmap_ctx, idmap_domains, struct idmap_domain *, i+1);
+ idmap_domains = talloc_realloc(idmap_ctx, idmap_domains,
+ struct idmap_domain *, i+1);
if ( ! idmap_domains) {
DEBUG(0, ("Out of memory!\n"));
ret = NT_STATUS_NO_MEMORY;
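Review bot: The array is grown to `i+1` and filled at `idmap_domains[i]`, where `i` is the index into `dom_list`, yet the same loop skips BUILTIN and the local SAM domain with `continue`. If a skipped name is not last in the list, the slot at its index is never written, and later loops such as `for (i = 0; domain && i < num_domains; i++)` would dereference an uninitialised pointer via `idmap_domains[i]->name`. How `num_domains` is derived is outside this hunk, so this should be confirmed against the full function. Indexing by a separate counter of accepted domains, `idmap_domains[num_domains++] = dom;`, with the realloc sized to `num_domains+1` as the nss and passdb blocks already do, would remove the gap.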
@@ -445,13 +480,15 @@ NTSTATUS idmap_init(void)
}
idmap_domains[i] = dom;
- if (dom->default_domain) { /* save default domain position for future uses */
+ /* save default domain position for future uses */
+ if (dom->default_domain) {
def_dom_num = i;
}
DEBUG(10, ("Domain %s - Backend %s - %sdefault - %sreadonly\n",
dom->name, parm_backend,
- dom->default_domain?"":"not ", dom->readonly?"":"not "));
+ dom->default_domain?"":"not ",
+ dom->readonly?"":"not "));
talloc_free(config_option);
}
@@ -478,12 +515,13 @@ NTSTATUS idmap_init(void)
/* (the nss module is always statically linked) */
if ( ! dom->methods) {
- DEBUG(0, ("ERROR: Could not get methods for idmap_nss ?!\n"));
+ DEBUG(0, ("ERROR: No methods for idmap_nss ?!\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
- /* now that we have methods, set the destructor for this domain */
+ /* now that we have methods,
+ * set the destructor for this domain */
talloc_set_destructor(dom, close_domain_destructor);
if (compat_params) {
@@ -496,12 +534,15 @@ NTSTATUS idmap_init(void)
/* Finally instance a backend copy for this domain */
ret = dom->methods->init(dom);
if ( ! NT_STATUS_IS_OK(ret)) {
- DEBUG(0, ("ERROR: Initialization failed for idmap_nss ?!\n"));
+ DEBUG(0, ("ERROR: Init. failed for idmap_nss ?!\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
- idmap_domains = talloc_realloc(idmap_ctx, idmap_domains, struct idmap_domain *, num_domains+1);
+ idmap_domains = talloc_realloc(idmap_ctx,
+ idmap_domains,
+ struct idmap_domain *,
+ num_domains+1);
if ( ! idmap_domains) {
DEBUG(0, ("Out of memory!\n"));
ret = NT_STATUS_NO_MEMORY;
@@ -509,7 +550,8 @@ NTSTATUS idmap_init(void)
}
idmap_domains[num_domains] = dom;
- DEBUG(10, ("Domain %s - Backend nss - not default - readonly\n", dom->name ));
+ DEBUG(10, ("Domain %s - Backend nss - not default - readonly\n",
+ dom->name ));
num_domains++;
}
@@ -529,7 +571,7 @@ NTSTATUS idmap_init(void)
/* (the passdb module is always statically linked) */
if ( ! dom->methods) {
- DEBUG(0, ("ERROR: Could not get methods for idmap_passdb ?!\n"));
+ DEBUG(0, ("ERROR: No methods for idmap_passdb ?!\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
@@ -547,12 +589,15 @@ NTSTATUS idmap_init(void)
/* Finally instance a backend copy for this domain */
ret = dom->methods->init(dom);
if ( ! NT_STATUS_IS_OK(ret)) {
- DEBUG(0, ("ERROR: Initialization failed for idmap_passdb ?!\n"));
+ DEBUG(0, ("ERROR: Init. failed for idmap_passdb ?!\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
- idmap_domains = talloc_realloc(idmap_ctx, idmap_domains, struct idmap_domain *, num_domains+1);
+ idmap_domains = talloc_realloc(idmap_ctx,
+ idmap_domains,
+ struct idmap_domain *,
+ num_domains+1);
if ( ! idmap_domains) {
DEBUG(0, ("Out of memory!\n"));
ret = NT_STATUS_NO_MEMORY;
@@ -563,14 +608,16 @@ NTSTATUS idmap_init(void)
/* needed to handle special BUILTIN and wellknown SIDs cases */
pdb_dom_num = num_domains;
- DEBUG(10, ("Domain %s - Backend passdb - not default - readonly\n", dom->name));
+ DEBUG(10, ("Domain %s - Backend passdb - not default - readonly\n",
+ dom->name));
num_domains++;
/**** finished adding idmap_passdb backend ****/
/* sort domains so that the default is the last one */
/* don't sort if no default domain defined */
- if (def_dom_num != -1 && def_dom_num != num_domains-1) { /* default is not last, move it */
+ if (def_dom_num != -1 && def_dom_num != num_domains-1) {
+ /* default is not last, move it */
struct idmap_domain *tmp;
if (pdb_dom_num > def_dom_num) {
@@ -599,28 +646,35 @@ NTSTATUS idmap_init(void)
alloc_backend = talloc_strdup(idmap_ctx, compat_backend);
} else {
char *ab = lp_idmap_alloc_backend();
-
+
if (ab && (ab[0] != '\0')) {
- alloc_backend = talloc_strdup(idmap_ctx, lp_idmap_alloc_backend());
+ alloc_backend = talloc_strdup(idmap_ctx,
+ lp_idmap_alloc_backend());
}
}
if ( alloc_backend ) {
-
- idmap_alloc_ctx = TALLOC_ZERO_P(idmap_ctx, struct idmap_alloc_context);
+
+ idmap_alloc_ctx = TALLOC_ZERO_P(idmap_ctx,
+ struct idmap_alloc_context);
IDMAP_CHECK_ALLOC(idmap_alloc_ctx);
- idmap_alloc_ctx->methods = get_alloc_methods(alloc_backends, alloc_backend);
+ idmap_alloc_ctx->methods = get_alloc_methods(alloc_backends,
+ alloc_backend);
if ( ! idmap_alloc_ctx->methods) {
ret = smb_probe_module("idmap", alloc_backend);
if (NT_STATUS_IS_OK(ret)) {
- idmap_alloc_ctx->methods = get_alloc_methods(alloc_backends, alloc_backend);
+ idmap_alloc_ctx->methods =
+ get_alloc_methods(alloc_backends,
+ alloc_backend);
}
}
if (idmap_alloc_ctx->methods) {
if (compat_params) {
- idmap_alloc_ctx->params = talloc_strdup(idmap_alloc_ctx, compat_params);
+ idmap_alloc_ctx->params =
+ talloc_strdup(idmap_alloc_ctx,
+ compat_params);
IDMAP_CHECK_ALLOC(idmap_alloc_ctx->params);
} else {
idmap_alloc_ctx->params = NULL;
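Review bot: The wrapped `talloc_strdup(idmap_ctx, lp_idmap_alloc_backend())` calls the parameter accessor a second time although `ab` already holds the value that was just validated; `alloc_backend = talloc_strdup(idmap_ctx, ab);` copies the string that was actually checked and fits on one line. Neither this copy nor the compat copy above it is checked for NULL. Because the next test is `if ( alloc_backend )`, an allocation failure is indistinguishable from "no alloc backend configured", and initialisation continues silently without an allocator. An `IDMAP_CHECK_ALLOC(alloc_backend);` inside each branch that performs the strdup would surface that.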
@@ -628,13 +682,15 @@ NTSTATUS idmap_init(void)
ret = idmap_alloc_ctx->methods->init(idmap_alloc_ctx->params);
if ( ! NT_STATUS_IS_OK(ret)) {
- DEBUG(0, ("ERROR: Initialization failed for alloc "
- "backend %s, deferred!\n", alloc_backend));
+ DEBUG(0, ("ERROR: Initialization failed for "
+ "alloc backend %s, deferred!\n",
+ alloc_backend));
} else {
idmap_alloc_ctx->initialized = True;
}
} else {
- DEBUG(2, ("idmap_init: Unable to get methods for alloc backend %s\n",
+ DEBUG(2, ("idmap_init: Unable to get methods for "
+ "alloc backend %s\n",
alloc_backend));
/* certain compat backends are just readonly */
if ( compat ) {
@@ -645,12 +701,12 @@ NTSTATUS idmap_init(void)
}
}
}
-
+
/* cleanpu temporary strings */
TALLOC_FREE( compat_backend );
idmap_init_status = NT_STATUS_OK;
-
+
return ret;
done:
@@ -748,16 +804,16 @@ static struct idmap_domain* find_idmap_domain_from_sid( DOM_SID *account_sid )
uint32 rid;
struct winbindd_domain *domain = NULL;
int i;
-
+
/* 1. Handle BUILTIN or Special SIDs and prevent them from
falling into the default domain space (if we have a
configured passdb backend. */
- if ( (pdb_dom_num != -1) &&
+ if ( (pdb_dom_num != -1) &&
(sid_check_is_in_builtin(account_sid) ||
sid_check_is_in_wellknown_domain(account_sid) ||
sid_check_is_in_unix_groups(account_sid) ||
- sid_check_is_in_unix_users(account_sid)) )
+ sid_check_is_in_unix_users(account_sid)) )
{
return idmap_domains[pdb_dom_num];
}
@@ -765,8 +821,8 @@ static struct idmap_domain* find_idmap_domain_from_sid( DOM_SID *account_sid )
/* 2. Lookup the winbindd_domain from the account_sid */
sid_copy( &domain_sid, account_sid );
- sid_split_rid( &domain_sid, &rid );
- domain = find_domain_from_sid_noinit( &domain_sid );
+ sid_split_rid( &domain_sid, &rid );
+ domain = find_domain_from_sid_noinit( &domain_sid );
for (i = 0; domain && i < num_domains; i++) {
if ( strequal( idmap_domains[i]->name, domain->name ) ) {
@@ -790,13 +846,13 @@ static struct idmap_domain* find_idmap_domain_from_sid( DOM_SID *account_sid )
static uint32 find_idmap_domain_index( struct idmap_domain *id_domain)
{
int i;
-
+
for (i = 0; i < num_domains; i++) {
if ( idmap_domains[i] == id_domain )
- return i;
+ return i;
}
- return -1;
+ return -1;
}
@@ -804,15 +860,18 @@ static uint32 find_idmap_domain_index( struct idmap_domain *id_domain)
Check if creating a mapping is permitted for the domain
*********************************************************/
-static NTSTATUS idmap_can_map(const struct id_map *map, struct idmap_domain **ret_dom)
+static NTSTATUS idmap_can_map(const struct id_map *map,
+ struct idmap_domain **ret_dom)
{
struct idmap_domain *dom;
- /* Check we do not create mappings for our own local domain, or BUILTIN or special SIDs */
+ /* Check we do not create mappings for our own local domain,
+ * or BUILTIN or special SIDs */
if ((sid_compare_domain(map->sid, get_global_sam_sid()) == 0) ||
sid_check_is_in_builtin(map->sid) ||
sid_check_is_in_wellknown_domain(map->sid)) {
- DEBUG(10, ("We are not supposed to create mappings for our own domains (local, builtin, specials)\n"));
+ DEBUG(10, ("We are not supposed to create mappings for "
+ "our own domains (local, builtin, specials)\n"));
return NT_STATUS_UNSUCCESSFUL;
}
@@ -820,21 +879,28 @@ static NTSTATUS idmap_can_map(const struct id_map *map, struct idmap_domain **re
if (lp_winbind_trusted_domains_only()) {
struct winbindd_domain *wdom = find_our_domain();
if (wdom && (sid_compare_domain(map->sid, &wdom->sid) == 0)) {
- DEBUG(10, ("We are not supposed to create mappings for our primary domain when <trusted domain only> is True\n"));
- DEBUGADD(10, ("Leave [%s] unmapped\n", sid_string_static(map->sid)));
+ DEBUG(10, ("We are not supposed to create mappings for "
+ "our primary domain when <trusted domain "
+ "only> is True\n"));
+ DEBUGADD(10, ("Leave [%s] unmapped\n",
+ sid_string_static(map->sid)));
return NT_STATUS_UNSUCCESSFUL;
}
}
if ( (dom = find_idmap_domain_from_sid( map->sid )) == NULL ) {
- /* huh, couldn't find a suitable domain, let's just leave it unmapped */
- DEBUG(10, ("Could not find idmap backend for SID %s", sid_string_static(map->sid)));
+ /* huh, couldn't find a suitable domain,
+ * let's just leave it unmapped */
+ DEBUG(10, ("Could not find idmap backend for SID %s",
+ sid_string_static(map->sid)));
return NT_STATUS_NO_SUCH_DOMAIN;
}
if (dom->readonly) {
- /* ouch the domain is read only, let's just leave it unmapped */
- DEBUG(10, ("idmap backend for SID %s is READONLY!\n", sid_string_static(map->sid)));
+ /* ouch the domain is read only,
+ * let's just leave it unmapped */
+ DEBUG(10, ("idmap backend for SID %s is READONLY!\n",
+ sid_string_static(map->sid)));
return NT_STATUS_UNSUCCESSFUL;
}
@@ -863,7 +929,8 @@ static NTSTATUS idmap_new_mapping(TALLOC_CTX *ctx, struct id_map *map)
ret = idmap_allocate_uid(&map->xid);
if ( ! NT_STATUS_IS_OK(ret)) {
/* can't allocate id, let's just leave it unmapped */
- DEBUG(2, ("uid allocation failed! Can't create mapping\n"));
+ DEBUG(2, ("uid allocation failed! "
+ "Can't create mapping\n"));
return NT_STATUS_NONE_MAPPED;
}
break;
@@ -871,14 +938,15 @@ static NTSTATUS idmap_new_mapping(TALLOC_CTX *ctx, struct id_map *map)
ret = idmap_allocate_gid(&map->xid);
if ( ! NT_STATUS_IS_OK(ret)) {
/* can't allocate id, let's just leave it unmapped */
- DEBUG(2, ("gid allocation failed! Can't create mapping\n"));
+ DEBUG(2, ("gid allocation failed! "
+ "Can't create mapping\n"));
return NT_STATUS_NONE_MAPPED;
}
break;
default:
/* invalid sid, let's just leave it unmapped */
DEBUG(3,("idmap_new_mapping: Refusing to create a "
- "mapping for an unspecified ID type.\n"));
+ "mapping for an unspecified ID type.\n"));
return NT_STATUS_NONE_MAPPED;
}
@@ -895,7 +963,7 @@ static NTSTATUS idmap_new_mapping(TALLOC_CTX *ctx, struct id_map *map)
/* something wrong here :-( */
DEBUG(2, ("Failed to commit mapping\n!"));
- /* TODO: would it make sense to have an "unalloc_id function?" */
+ /* TODO: would it make sense to have an "unalloc_id function?" */
return NT_STATUS_NONE_MAPPED;
}
@@ -918,7 +986,7 @@ static NTSTATUS idmap_backends_set_mapping(const struct id_map *map)
return ret;
}
- DEBUG(10,("set_mapping for domain %s\n", dom->name ));
+ DEBUG(10,("set_mapping for domain %s\n", dom->name ));
return dom->methods->set_mapping(dom, map);
}
@@ -956,7 +1024,7 @@ static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids)
dom = idmap_domains[n];
DEBUG(10, ("Query sids from domain %s\n", dom->name));
-
+
ret = dom->methods->unixids_to_sids(dom, _ids);
IDMAP_REPORT_RET(ret);
@@ -964,7 +1032,8 @@ static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids)
for (i = 0, u = 0; _ids[i]; i++) {
if (_ids[i]->status != ID_MAPPED) {
- unmapped = talloc_realloc(ctx, unmapped, struct id_map *, u + 2);
+ unmapped = talloc_realloc(ctx, unmapped,
+ struct id_map *, u + 2);
IDMAP_CHECK_ALLOC(unmapped);
unmapped[u] = _ids[i];
u++;
@@ -978,21 +1047,27 @@ static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids)
}
_ids = unmapped;
-
+
}
if (unmapped) {
- /* there are still unmapped ids, map them to the unix users/groups domains */
- /* except for expired entries, these will be returned as valid (offline mode) */
+ /* there are still unmapped ids,
+ * map them to the unix users/groups domains */
+ /* except for expired entries,
+ * these will be returned as valid (offline mode) */
for (i = 0; unmapped[i]; i++) {
if (unmapped[i]->status == ID_EXPIRED) continue;
switch (unmapped[i]->xid.type) {
case ID_TYPE_UID:
- uid_to_unix_users_sid((uid_t)unmapped[i]->xid.id, unmapped[i]->sid);
+ uid_to_unix_users_sid(
+ (uid_t)unmapped[i]->xid.id,
+ unmapped[i]->sid);
unmapped[i]->status = ID_MAPPED;
break;
case ID_TYPE_GID:
- gid_to_unix_groups_sid((gid_t)unmapped[i]->xid.id, unmapped[i]->sid);
+ gid_to_unix_groups_sid(
+ (gid_t)unmapped[i]->xid.id,
+ unmapped[i]->sid);
unmapped[i]->status = ID_MAPPED;
break;
default: /* what?! */
@@ -1007,7 +1082,7 @@ static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids)
done:
talloc_free(ctx);
return ret;
-}
+}
static NTSTATUS idmap_backends_sids_to_unixids(struct id_map **ids)
{
@@ -1038,22 +1113,23 @@ static NTSTATUS idmap_backends_sids_to_unixids(struct id_map **ids)
/* partition the requests by domain */
for (i = 0; ids[i]; i++) {
- uint32 idx;
+ uint32 idx;
- if ( (dom = find_idmap_domain_from_sid( ids[i]->sid )) == NULL ) {
+ if ((dom = find_idmap_domain_from_sid(ids[i]->sid)) == NULL) {
/* no available idmap_domain. Move on */
continue;
}
- DEBUG(10,("SID %s is being handled by %s\n",
- sid_string_static(ids[i]->sid),
+ DEBUG(10,("SID %s is being handled by %s\n",
+ sid_string_static(ids[i]->sid),
dom ? dom->name : "none" ));
idx = find_idmap_domain_index( dom );
SMB_ASSERT( idx != -1 );
-
- dom_ids[idx] = talloc_realloc(ctx, dom_ids[idx],
- struct id_map *, counters[idx] + 2);
+
+ dom_ids[idx] = talloc_realloc(ctx, dom_ids[idx],
+ struct id_map *,
+ counters[idx] + 2);
IDMAP_CHECK_ALLOC(dom_ids[idx]);
dom_ids[idx][counters[idx]] = ids[i];
@@ -1079,13 +1155,15 @@ static NTSTATUS idmap_backends_sids_to_unixids(struct id_map **ids)
for (i = 0; ids[i]; i++) {
/* NOTE: this will NOT touch ID_EXPIRED entries that the backend
* was not able to confirm/deny (offline mode) */
- if (ids[i]->status == ID_UNKNOWN || ids[i]->status == ID_UNMAPPED) {
+ if (ids[i]->status == ID_UNKNOWN ||
+ ids[i]->status == ID_UNMAPPED) {
/* ok this is an unmapped one, see if we can map it */
ret = idmap_new_mapping(ctx, ids[i]);
if (NT_STATUS_IS_OK(ret)) {
/* successfully mapped */
ids[i]->status = ID_MAPPED;
- } else if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {
+ } else
+ if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {
/* could not map it */
ids[i]->status = ID_UNMAPPED;
} else {
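Review bot: Splitting `} else` and `if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {` onto two lines at the same indent makes the second branch look like a fresh `if` statement rather than part of the chain. That is easy to misread when someone later inserts a line between them. Keeping the keyword pair together and wrapping the condition instead, `} else if (NT_STATUS_EQUAL(ret,` followed by an indented `NT_STATUS_NONE_MAPPED)) {`, stays within the line limit without changing the visual structure.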
@@ -1101,7 +1179,7 @@ static NTSTATUS idmap_backends_sids_to_unixids(struct id_map **ids)
done:
talloc_free(ctx);
return ret;
-}
+}
/**************************************************************************
idmap interface functions
@@ -1133,7 +1211,7 @@ NTSTATUS idmap_unixids_to_sids(struct id_map **ids)
/* no ids to be asked to the backends by default */
bids = NULL;
bi = 0;
-
+
for (i = 0; ids[i]; i++) {
if ( ! ids[i]->sid) {
@@ -1147,7 +1225,8 @@ NTSTATUS idmap_unixids_to_sids(struct id_map **ids)
if ( ! NT_STATUS_IS_OK(ret)) {
if ( ! bids) {
- /* alloc space for ids to be resolved by backends (realloc ten by ten) */
+ /* alloc space for ids to be resolved by
+ * backends (realloc ten by ten) */
bids = TALLOC_ARRAY(ctx, struct id_map *, 10);
if ( ! bids) {
DEBUG(1, ("Out of memory!\n"));
@@ -1157,14 +1236,17 @@ NTSTATUS idmap_unixids_to_sids(struct id_map **ids)
bn = 10;
}
- /* add this id to the ones to be retrieved from the backends */
+ /* add this id to the ones to be retrieved
+ * from the backends */
bids[bi] = ids[i];
bi++;
-
- /* check if we need to allocate new space on the rids array */
+
+ /* check if we need to allocate new space
+ * on the rids array */
if (bi == bn) {
bn += 10;
- bids = talloc_realloc(ctx, bids, struct id_map *, bn);
+ bids = talloc_realloc(ctx, bids,
+ struct id_map *, bn);
if ( ! bids) {
DEBUG(1, ("Out of memory!\n"));
talloc_free(ctx);
@@ -1177,7 +1259,8 @@ NTSTATUS idmap_unixids_to_sids(struct id_map **ids)
}
}
- /* let's see if there is any id mapping to be retieved from the backends */
+ /* let's see if there is any id mapping to be retieved
+ * from the backends */
if (bi) {
ret = idmap_backends_unixids_to_sids(bids);
@@ -1188,18 +1271,21 @@ NTSTATUS idmap_unixids_to_sids(struct id_map **ids)
if (bids[i]->status == ID_MAPPED) {
ret = idmap_cache_set(idmap_cache, bids[i]);
} else if (bids[i]->status == ID_EXPIRED) {
- /* the cache returned an expired entry and the backend was
- * was not able to clear the situation (offline).
- * This handles a previous NT_STATUS_SYNCHRONIZATION_REQUIRED
+ /* the cache returned an expired entry and the
+ * backend was not able to clear the situation
+ * (offline). This handles a previous
+ * NT_STATUS_SYNCHRONIZATION_REQUIRED
* for disconnected mode, */
bids[i]->status = ID_MAPPED;
} else if (bids[i]->status == ID_UNKNOWN) {
- /* something bad here. We were not able to handle this for some
- * reason, mark it as unmapped and hope next time things will
+ /* something bad here. We were not able to
+ * handle this for some reason, mark it as
+ * unmapped and hope next time things will
* settle down. */
bids[i]->status = ID_UNMAPPED;
} else { /* unmapped */
- ret = idmap_cache_set_negative_id(idmap_cache, bids[i]);
+ ret = idmap_cache_set_negative_id(idmap_cache,
+ bids[i]);
}
IDMAP_CHECK_RET(ret);
}
@@ -1237,7 +1323,7 @@ NTSTATUS idmap_sids_to_unixids(struct id_map **ids)
/* no ids to be asked to the backends by default */
bids = NULL;
bi = 0;
-
+
for (i = 0; ids[i]; i++) {
if ( ! ids[i]->sid) {
@@ -1262,14 +1348,17 @@ NTSTATUS idmap_sids_to_unixids(struct id_map **ids)
bn = 10;
}
- /* add this id to the ones to be retrieved from the backends */
+ /* add this id to the ones to be retrieved
+ * from the backends */
bids[bi] = ids[i];
bi++;
- /* check if we need to allocate new space on the ids array */
+ /* check if we need to allocate new space
+ * on the ids array */
if (bi == bn) {
bn += 10;
- bids = talloc_realloc(ctx, bids, struct id_map *, bn);
+ bids = talloc_realloc(ctx, bids,
+ struct id_map *, bn);
if ( ! bids) {
DEBUG(1, ("Out of memory!\n"));
talloc_free(ctx);
@@ -1282,9 +1371,10 @@ NTSTATUS idmap_sids_to_unixids(struct id_map **ids)
}
}
- /* let's see if there is any id mapping to be retieved from the backends */
+ /* let's see if there is any id mapping to be retieved
+ * from the backends */
if (bids) {
-
+
ret = idmap_backends_sids_to_unixids(bids);
IDMAP_CHECK_RET(ret);
@@ -1293,18 +1383,21 @@ NTSTATUS idmap_sids_to_unixids(struct id_map **ids)
if (bids[i]->status == ID_MAPPED) {
ret = idmap_cache_set(idmap_cache, bids[i]);
} else if (bids[i]->status == ID_EXPIRED) {
- /* the cache returned an expired entry and the backend was
- * was not able to clear the situation (offline).
- * This handles a previous NT_STATUS_SYNCHRONIZATION_REQUIRED
+ /* the cache returned an expired entry and the
+ * backend was not able to clear the situation
+ * (offline). This handles a previous
+ * NT_STATUS_SYNCHRONIZATION_REQUIRED
* for disconnected mode, */
bids[i]->status = ID_MAPPED;
} else if (bids[i]->status == ID_UNKNOWN) {
- /* something bad here. We were not able to handle this for some
- * reason, mark it as unmapped and hope next time things will
+ /* something bad here. We were not able to
+ * handle this for some reason, mark it as
+ * unmapped and hope next time things will
* settle down. */
bids[i]->status = ID_UNMAPPED;
} else { /* unmapped */
- ret = idmap_cache_set_negative_sid(idmap_cache, bids[i]);
+ ret = idmap_cache_set_negative_sid(idmap_cache,
+ bids[i]);
}
IDMAP_CHECK_RET(ret);
}
@@ -1371,28 +1464,30 @@ void idmap_dump_maps(char *logfile)
dump = fopen(logfile, "w");
if ( ! dump) {
- DEBUG(0, ("Unable to open open stream for file [%s], errno: %d\n", logfile, errno));
+ DEBUG(0, ("Unable to open open stream for file [%s], "
+ "errno: %d\n", logfile, errno));
return;
}
- if (NT_STATUS_IS_OK(ret = idmap_alloc_init())) {
+ if (NT_STATUS_IS_OK(ret = idmap_alloc_init())) {
allid.type = ID_TYPE_UID;
allid.id = 0;
idmap_alloc_ctx->methods->get_id_hwm(&allid);
fprintf(dump, "USER HWM %lu\n", (unsigned long)allid.id);
-
+
allid.type = ID_TYPE_GID;
allid.id = 0;
idmap_alloc_ctx->methods->get_id_hwm(&allid);
fprintf(dump, "GROUP HWM %lu\n", (unsigned long)allid.id);
}
-
+
maps = talloc(idmap_ctx, struct id_map);
num_maps = 0;
for (i = 0; i < num_domains; i++) {
if (idmap_domains[i]->methods->dump_data) {
- idmap_domains[i]->methods->dump_data(idmap_domains[i], &maps, &num_maps);
+ idmap_domains[i]->methods->dump_data(idmap_domains[i],
+ &maps, &num_maps);
}
}
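Review bot: Both `get_id_hwm(&allid)` calls discard their return value after `allid.id` has been preset to 0, so a backend failure is written to the dump as `USER HWM 0` or `GROUP HWM 0`, which is indistinguishable from a real reading. Checking the status and skipping the `fprintf` on error would keep the dump trustworthy. `maps = talloc(idmap_ctx, struct id_map);` is also unchecked before `&maps` is handed to each backend's `dump_data`. Finally, `fopen(logfile, "w")` truncates whatever the path resolves to and creates the file with the process umask; if `logfile` can be influenced by anyone other than the administrator (its origin is outside this hunk), opening it with `open()` using `O_NOFOLLOW` and an explicit 0600 mode and then `fdopen()` would be the safer pattern for a file that lists every SID-to-ID mapping.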
@@ -1429,13 +1524,13 @@ char *idmap_fetch_secret(const char *backend, bool alloc,
r = asprintf(&tmp, "IDMAP_%s_%s", backend, domain);
}
- if (r < 0)
+ if (r < 0)
return NULL;
strupper_m(tmp); /* make sure the key is case insensitive */
ret = secrets_fetch_generic(tmp, identity);
- SAFE_FREE( tmp );
+ SAFE_FREE(tmp);
return ret;
}
diff --git a/source/nsswitch/idmap_cache.c b/source/nsswitch/idmap_cache.c
index 037b1cb1e81..b56b155f83c 100644
--- a/source/nsswitch/idmap_cache.c
+++ b/source/nsswitch/idmap_cache.c
@@ -399,7 +399,8 @@ NTSTATUS idmap_cache_map_sid(struct idmap_cache_ctx *cache, struct id_map *id)
if (databuf.dptr == NULL) {
DEBUG(10, ("Cache entry with key = %s couldn't be found\n", sidkey));
- return NT_STATUS_NONE_MAPPED;
+ ret = NT_STATUS_NONE_MAPPED;
+ goto done;
}
t = strtol(databuf.dptr, &endptr, 10);
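Review bot: `strtol(databuf.dptr, &endptr, 10)` treats the cache record as a NUL-terminated string, and nothing visible between the NULL check and this call confirms that it is. A truncated or corrupted record would be parsed past the end of the buffer. A guard such as `if (databuf.dsize == 0 || databuf.dptr[databuf.dsize - 1] != '\0') { ret = NT_STATUS_NONE_MAPPED; goto done; }` before the parse would reject it. The same applies to the matching hunk in idmap_cache_map_id(). Both functions begin and end outside their hunks, so an earlier length check may already exist and should be confirmed.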
@@ -496,7 +497,8 @@ NTSTATUS idmap_cache_map_id(struct idmap_cache_ctx *cache, struct id_map *id)
if (databuf.dptr == NULL) {
DEBUG(10, ("Cache entry with key = %s couldn't be found\n", idkey));
- return NT_STATUS_NONE_MAPPED;
+ ret = NT_STATUS_NONE_MAPPED;
+ goto done;
}
t = strtol(databuf.dptr, &endptr, 10);
diff --git a/source/nsswitch/idmap_ldap.c b/source/nsswitch/idmap_ldap.c
index ca7d32b3924..d1639c07721 100644
--- a/source/nsswitch/idmap_ldap.c
+++ b/source/nsswitch/idmap_ldap.c
@@ -6,7 +6,7 @@
Copyright (C) Tim Potter 2000
Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
Copyright (C) Gerald Carter 2003
- Copyright (C) Simo Sorce 2003-2006
+ Copyright (C) Simo Sorce 2003-2007
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -52,39 +52,47 @@ struct idmap_ldap_alloc_context {
};
-#define CHECK_ALLOC_DONE(mem) do { if (!mem) { DEBUG(0, ("Out of memory!\n")); ret = NT_STATUS_NO_MEMORY; goto done; } } while (0)
+#define CHECK_ALLOC_DONE(mem) do { \
+ if (!mem) { \
+ DEBUG(0, ("Out of memory!\n")); \
+ ret = NT_STATUS_NO_MEMORY; \
+ goto done; \
+ } } while (0)
/**********************************************************************
IDMAP ALLOC TDB BACKEND
**********************************************************************/
-
+
static struct idmap_ldap_alloc_context *idmap_alloc_ldap;
/*********************************************************************
********************************************************************/
-static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
+static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
struct smbldap_state *ldap_state,
const char *config_option,
struct idmap_domain *dom,
char **dn )
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- char *user_dn = NULL;
char *secret = NULL;
const char *tmp = NULL;
-
+ char *user_dn = NULL;
+ BOOL anon = False;
+
/* assume anonymous if we don't have a specified user */
tmp = lp_parm_const_string(-1, config_option, "ldap_user_dn", NULL);
if ( tmp ) {
if (!dom) {
- /* only the alloc backend is allowed to pass in a NULL dom */
- secret = idmap_fetch_secret("ldap", true, NULL, tmp);
+ /* only the alloc backend can pass in a NULL dom */
+ secret = idmap_fetch_secret("ldap", True,
+ NULL, tmp);
} else {
- secret = idmap_fetch_secret("ldap", false, dom->name, tmp);
- }
+ secret = idmap_fetch_secret("ldap", False,
+ dom->name, tmp);
+ }
if (!secret) {
DEBUG(0, ("get_credentials: Unable to fetch "
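Review bot: The banner above get_credentials() is empty, and after this change the function has three outcomes that a caller cannot read from the signature. I would fill the banner with a short comment giving the lookup order: `ldap_user_dn` from `config_option` with its secret from idmap_fetch_secret(), otherwise fetch_ldap_pw(), otherwise an anonymous bind. It should also say that `*dn` is allocated on `mem_ctx` and that the secret is freed before returning. The function continues in the next hunk.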
@@ -92,33 +100,33 @@ static NTSTATUS get_credentials( TALLOC_CTX *mem_ctx,
tmp, (dom==NULL)?"ALLOC":dom->name));
ret = NT_STATUS_ACCESS_DENIED;
goto done;
- }
+ }
*dn = talloc_strdup(mem_ctx, tmp);
- CHECK_ALLOC_DONE(*dn);
+ CHECK_ALLOC_DONE(*dn);
} else {
- if ( !fetch_ldap_pw( &user_dn, &secret ) ) {
+ if (!fetch_ldap_pw(&user_dn, &secret)) {
DEBUG(2, ("get_credentials: Failed to lookup ldap "
- "bind creds. Using anonymous connection.\n"));
- *dn = talloc_strdup( mem_ctx, "" );
+ "bind creds. Using anonymous connection.\n"));
+ anon = True;
} else {
*dn = talloc_strdup(mem_ctx, user_dn);
- SAFE_FREE( user_dn );
+ SAFE_FREE( user_dn );
CHECK_ALLOC_DONE(*dn);
- }
+ }
}
- smbldap_set_creds(ldap_state, false, *dn, secret);
+ smbldap_set_creds(ldap_state, anon, *dn, secret);
ret = NT_STATUS_OK;
-
- done:
- SAFE_FREE( secret );
- return ret;
+done:
+ SAFE_FREE(secret);
+
+ return ret;
}
/**********************************************************************
- Verify the sambaUnixIdPool entry in the directory.
+ Verify the sambaUnixIdPool entry in the directory.
**********************************************************************/
static NTSTATUS verify_idpool(void)
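Review bot: In the anonymous fallback (`anon = True`) `*dn` is no longer assigned, so `smbldap_set_creds(ldap_state, anon, *dn, secret)` passes whatever the caller left in `*dn`; the removed line set it to an empty string. Initialising the out-parameter at the top of get_credentials() with `*dn = NULL;` makes the call independent of how the caller allocated its context, though how smbldap_set_creds() treats a NULL dn is outside this diff and should be confirmed. The fallback is logged only at level 2, so a failed secret lookup that downgrades the bind to anonymous is easy to miss. `SAFE_FREE(secret)` also releases the bind secret without overwriting it first.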
@@ -131,7 +139,7 @@ static NTSTATUS verify_idpool(void)
char *filter;
int count;
int rc;
-
+
if ( ! idmap_alloc_ldap) {
return NT_STATUS_UNSUCCESSFUL;
}
@@ -144,12 +152,12 @@ static NTSTATUS verify_idpool(void)
filter = talloc_asprintf(ctx, "(objectclass=%s)", LDAP_OBJ_IDPOOL);
CHECK_ALLOC_DONE(filter);
-
+
attr_list = get_attr_list(ctx, idpool_attr_list);
CHECK_ALLOC_DONE(attr_list);
rc = smbldap_search(idmap_alloc_ldap->smbldap_state,
- idmap_alloc_ldap->suffix,
+ idmap_alloc_ldap->suffix,
LDAP_SCOPE_SUBTREE,
filter,
attr_list,
@@ -157,11 +165,13 @@ static NTSTATUS verify_idpool(void)
&result);
if (rc != LDAP_SUCCESS) {
- DEBUG(1, ("Unable to verify the idpool, cannot continue initialization!\n"));
+ DEBUG(1, ("Unable to verify the idpool, "
+ "cannot continue initialization!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
- count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
+ count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
+ result);
ldap_msgfree(result);
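Review bot: The `rc != LDAP_SUCCESS` branch returns directly, while the allocation failures just above it leave through `CHECK_ALLOC_DONE` and the `done:` label. If `done:` is where `ctx` is released (the label is outside this hunk), this path leaks `filter` and `attr_list` on every failed search. Replacing the return with `ret = NT_STATUS_UNSUCCESSFUL; goto done;` keeps a single exit.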
@@ -173,17 +183,21 @@ static NTSTATUS verify_idpool(void)
}
else if (count == 0) {
char *uid_str, *gid_str;
-
- uid_str = talloc_asprintf(ctx, "%lu", (unsigned long)idmap_alloc_ldap->low_uid);
- gid_str = talloc_asprintf(ctx, "%lu", (unsigned long)idmap_alloc_ldap->low_gid);
+
+ uid_str = talloc_asprintf(ctx, "%lu",
+ (unsigned long)idmap_alloc_ldap->low_uid);
+ gid_str = talloc_asprintf(ctx, "%lu",
+ (unsigned long)idmap_alloc_ldap->low_gid);
smbldap_set_mod(&mods, LDAP_MOD_ADD,
"objectClass", LDAP_OBJ_IDPOOL);
- smbldap_set_mod(&mods, LDAP_MOD_ADD,
- get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER),
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ get_attr_key2string(idpool_attr_list,
+ LDAP_ATTR_UIDNUMBER),
uid_str);
smbldap_set_mod(&mods, LDAP_MOD_ADD,
- get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER),
+ get_attr_key2string(idpool_attr_list,
+ LDAP_ATTR_GIDNUMBER),
gid_str);
if (mods) {
rc = smbldap_modify(idmap_alloc_ldap->smbldap_state,
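Review bot: `uid_str` and `gid_str` come from `talloc_asprintf()` and are handed to `smbldap_set_mod()` without a NULL check, unlike `filter` and `attr_list` earlier in verify_idpool(). Adding `CHECK_ALLOC_DONE(uid_str);` and `CHECK_ALLOC_DONE(gid_str);` right after the two allocations keeps an out-of-memory condition from reaching the modify with a missing starting id. The start of the function and its `done:` label are outside this hunk.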
@@ -203,12 +217,12 @@ done:
}
/*****************************************************************************
- Initialise idmap database.
+ Initialise idmap database.
*****************************************************************************/
static NTSTATUS idmap_ldap_alloc_init(const char *params)
{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
+ NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
const char *range;
const char *tmp;
uid_t low_uid = 0;
@@ -223,7 +237,7 @@ static NTSTATUS idmap_ldap_alloc_init(const char *params)
idmap_alloc_ldap = TALLOC_ZERO_P(NULL, struct idmap_ldap_alloc_context);
CHECK_ALLOC_DONE( idmap_alloc_ldap );
-
+
/* load ranges */
idmap_alloc_ldap->low_uid = 0;
@@ -237,13 +251,17 @@ static NTSTATUS idmap_ldap_alloc_init(const char *params)
if (sscanf(range, "%u - %u", &low_id, &high_id) == 2) {
if (low_id < high_id) {
- idmap_alloc_ldap->low_gid = idmap_alloc_ldap->low_uid = low_id;
- idmap_alloc_ldap->high_gid = idmap_alloc_ldap->high_uid = high_id;
+ idmap_alloc_ldap->low_gid = low_id;
+ idmap_alloc_ldap->low_uid = low_id;
+ idmap_alloc_ldap->high_gid = high_id;
+ idmap_alloc_ldap->high_uid = high_id;
} else {
- DEBUG(1, ("ERROR: invalid idmap alloc range [%s]", range));
+ DEBUG(1, ("ERROR: invalid idmap alloc range "
+ "[%s]", range));
}
} else {
- DEBUG(1, ("ERROR: invalid syntax for idmap alloc config:range [%s]", range));
+ DEBUG(1, ("ERROR: invalid syntax for idmap alloc "
+ "config:range [%s]", range));
}
}
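Review bot: Both rewrapped DEBUG messages still end without a newline (`"[%s]", range`), so the next log entry is appended to the same line. Ending the format strings with `[%s]\n` fixes that. The `invalid filter range [%s]` message in idmap_ldap_db_init() and the `couldn't find entry sid (%s) in ids` warning in idmap_ldap_sids_to_unixids() have the same problem. An invalid range is only logged here and initialisation continues; whether the resulting zero range is rejected later is outside this hunk.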
@@ -275,28 +293,23 @@ static NTSTATUS idmap_ldap_alloc_init(const char *params)
/* assume location is the only parameter */
idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params);
} else {
- tmp = lp_parm_const_string(-1, "idmap alloc config", "ldap_url", NULL);
+ tmp = lp_parm_const_string(-1, "idmap alloc config",
+ "ldap_url", NULL);
if ( ! tmp) {
DEBUG(1, ("ERROR: missing idmap ldap url\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
-
+
idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp);
}
CHECK_ALLOC_DONE( idmap_alloc_ldap->url );
- tmp = lp_ldap_idmap_suffix();
+ tmp = lp_parm_const_string(-1, "idmap alloc config",
+ "ldap_base_dn", NULL);
if ( ! tmp || ! *tmp) {
- tmp = lp_parm_const_string(-1, "idmap alloc config", "ldap_base_dn", NULL);
- }
- if ( ! tmp) {
- tmp = lp_ldap_suffix();
- if (tmp) {
- DEBUG(1, ("WARNING: Trying to use the global ldap suffix(%s)\n", tmp));
- DEBUGADD(1, ("as suffix. This may not be what you want!\n"));
- }
+ tmp = lp_ldap_idmap_suffix();
if ( ! tmp) {
DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
ret = NT_STATUS_UNSUCCESSFUL;
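Review bot: After the reorder, an empty string returned by `lp_ldap_idmap_suffix()` is accepted as the suffix, because the inner test is only `if ( ! tmp)`; the removed code applied `! tmp || ! *tmp` to that same call. With an empty base DN the `LDAP_SCOPE_SUBTREE` searches in this file would no longer be confined to the idmap subtree, so the inner test should read `if ( ! tmp || ! *tmp) {`. The same pattern is added in idmap_ldap_db_init() further down. The commit also drops the fallback to `lp_ldap_suffix()` without a log message, which deserves a comment here because existing configurations that relied on it will now fail to initialise.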
@@ -306,33 +319,33 @@ static NTSTATUS idmap_ldap_alloc_init(const char *params)
idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp);
CHECK_ALLOC_DONE( idmap_alloc_ldap->suffix );
-
+
ret = smbldap_init(idmap_alloc_ldap, idmap_alloc_ldap->url,
- &idmap_alloc_ldap->smbldap_state);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
+ &idmap_alloc_ldap->smbldap_state);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
idmap_alloc_ldap->url));
- goto done;
+ goto done;
}
- ret = get_credentials( idmap_alloc_ldap,
- idmap_alloc_ldap->smbldap_state,
+ ret = get_credentials( idmap_alloc_ldap,
+ idmap_alloc_ldap->smbldap_state,
"idmap alloc config", NULL,
&idmap_alloc_ldap->user_dn );
if ( !NT_STATUS_IS_OK(ret) ) {
DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection "
"credentials (%s)\n", nt_errstr(ret)));
goto done;
- }
+ }
/* see if the idmap suffix and sub entries exists */
- ret = verify_idpool();
+ ret = verify_idpool();
done:
if ( !NT_STATUS_IS_OK( ret ) )
TALLOC_FREE( idmap_alloc_ldap );
-
+
return ret;
}
@@ -375,11 +388,13 @@ static NTSTATUS idmap_ldap_allocate_id(struct unixid *xid)
switch (xid->type) {
case ID_TYPE_UID:
- type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
+ type = get_attr_key2string(idpool_attr_list,
+ LDAP_ATTR_UIDNUMBER);
break;
case ID_TYPE_GID:
- type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
+ type = get_attr_key2string(idpool_attr_list,
+ LDAP_ATTR_GIDNUMBER);
break;
default:
@@ -399,23 +414,27 @@ static NTSTATUS idmap_ldap_allocate_id(struct unixid *xid)
idmap_alloc_ldap->suffix,
LDAP_SCOPE_SUBTREE, filter,
attr_list, 0, &result);
-
+
if (rc != LDAP_SUCCESS) {
DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
goto done;
}
talloc_autofree_ldapmsg(ctx, result);
-
- count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
+
+ count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
+ result);
if (count != 1) {
DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
goto done;
}
- entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
+ entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
+ result);
- dn = smbldap_talloc_dn(ctx, idmap_alloc_ldap->smbldap_state->ldap_struct, entry);
+ dn = smbldap_talloc_dn(ctx,
+ idmap_alloc_ldap->smbldap_state->ldap_struct,
+ entry);
if ( ! dn) {
goto done;
}
@@ -438,15 +457,15 @@ static NTSTATUS idmap_ldap_allocate_id(struct unixid *xid)
switch (xid->type) {
case ID_TYPE_UID:
if (xid->id > idmap_alloc_ldap->high_uid) {
- DEBUG(0,("Cannot allocate uid above %lu!\n",
+ DEBUG(0,("Cannot allocate uid above %lu!\n",
(unsigned long)idmap_alloc_ldap->high_uid));
goto done;
}
break;
-
- case ID_TYPE_GID:
+
+ case ID_TYPE_GID:
if (xid->id > idmap_alloc_ldap->high_gid) {
- DEBUG(0,("Cannot allocate gid above %lu!\n",
+ DEBUG(0,("Cannot allocate gid above %lu!\n",
(unsigned long)idmap_alloc_ldap->high_uid));
goto done;
}
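Review bot: The `ID_TYPE_GID` branch compares against `high_gid` but prints `idmap_alloc_ldap->high_uid` in the "Cannot allocate gid above %lu!" message. With separate uid and gid ranges the log would report the wrong limit; the argument should be `(unsigned long)idmap_alloc_ldap->high_gid));`. The commit only touches whitespace on these lines, so the copy-paste slip is carried over.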
@@ -456,33 +475,35 @@ static NTSTATUS idmap_ldap_allocate_id(struct unixid *xid)
/* impossible */
goto done;
}
-
+
new_id_str = talloc_asprintf(ctx, "%lu", (unsigned long)xid->id + 1);
if ( ! new_id_str) {
DEBUG(0,("Out of memory\n"));
ret = NT_STATUS_NO_MEMORY;
goto done;
}
-
+
smbldap_set_mod(&mods, LDAP_MOD_DELETE, type, id_str);
smbldap_set_mod(&mods, LDAP_MOD_ADD, type, new_id_str);
if (mods == NULL) {
DEBUG(0,("smbldap_set_mod() failed.\n"));
- goto done;
+ goto done;
}
- DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n", id_str, new_id_str));
+ DEBUG(10, ("Try to atomically increment the id (%s -> %s)\n",
+ id_str, new_id_str));
rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
ldap_mods_free(mods, True);
if (rc != LDAP_SUCCESS) {
- DEBUG(1,("Failed to allocate new %s. smbldap_modify() failed.\n", type));
+ DEBUG(1,("Failed to allocate new %s. "
+ "smbldap_modify() failed.\n", type));
goto done;
}
-
+
ret = NT_STATUS_OK;
done:
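Review bot: The `LDAP_MOD_DELETE` of `id_str` paired with the `LDAP_MOD_ADD` of `new_id_str` is what makes the increment safe against a concurrent allocator, but only the debug string hints at it. I would add a comment above the two `smbldap_set_mod()` calls, for example `/* delete the value we read and add its successor in one modify, so the request fails if another allocator already changed it */`. When `smbldap_modify()` fails for that reason the function reports "Failed to allocate" and gives up; whether a caller retries is outside this hunk. The function body begins before the hunk.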
@@ -491,7 +512,7 @@ done:
}
/**********************************
- Get current highest id.
+ Get current highest id.
**********************************/
static NTSTATUS idmap_ldap_get_hwm(struct unixid *xid)
@@ -526,11 +547,13 @@ static NTSTATUS idmap_ldap_get_hwm(struct unixid *xid)
switch (xid->type) {
case ID_TYPE_UID:
- type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
+ type = get_attr_key2string(idpool_attr_list,
+ LDAP_ATTR_UIDNUMBER);
break;
case ID_TYPE_GID:
- type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
+ type = get_attr_key2string(idpool_attr_list,
+ LDAP_ATTR_GIDNUMBER);
break;
default:
@@ -548,21 +571,23 @@ static NTSTATUS idmap_ldap_get_hwm(struct unixid *xid)
idmap_alloc_ldap->suffix,
LDAP_SCOPE_SUBTREE, filter,
attr_list, 0, &result);
-
+
if (rc != LDAP_SUCCESS) {
DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
goto done;
}
talloc_autofree_ldapmsg(memctx, result);
-
- count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
+
+ count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
+ result);
if (count != 1) {
DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
goto done;
}
- entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
+ entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
+ result);
id_str = smbldap_talloc_single_attribute(idmap_alloc_ldap->smbldap_state->ldap_struct,
entry, type, memctx);
@@ -577,14 +602,14 @@ static NTSTATUS idmap_ldap_get_hwm(struct unixid *xid)
}
xid->id = strtoul(id_str, NULL, 10);
-
+
ret = NT_STATUS_OK;
done:
talloc_free(memctx);
return ret;
}
/**********************************
- Set highest id.
+ Set highest id.
**********************************/
static NTSTATUS idmap_ldap_set_hwm(struct unixid *xid)
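Review bot: `xid->id = strtoul(id_str, NULL, 10);` accepts whatever the directory returned: a non-numeric value becomes 0 and an out-of-range one is silently clamped, and the function still returns `NT_STATUS_OK`. Since the high-water mark decides which ids get handed out next, the parse should be checked. For example `errno = 0; xid->id = strtoul(id_str, &endp, 10);` followed by `if (errno != 0 || endp == id_str || *endp != '\0') goto done;`, with a local `char *endp`. The start of idmap_ldap_get_hwm() is outside this hunk.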
@@ -621,11 +646,13 @@ static NTSTATUS idmap_ldap_set_hwm(struct unixid *xid)
switch (xid->type) {
case ID_TYPE_UID:
- type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
+ type = get_attr_key2string(idpool_attr_list,
+ LDAP_ATTR_UIDNUMBER);
break;
case ID_TYPE_GID:
- type = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
+ type = get_attr_key2string(idpool_attr_list,
+ LDAP_ATTR_GIDNUMBER);
break;
default:
@@ -643,23 +670,27 @@ static NTSTATUS idmap_ldap_set_hwm(struct unixid *xid)
idmap_alloc_ldap->suffix,
LDAP_SCOPE_SUBTREE, filter,
attr_list, 0, &result);
-
+
if (rc != LDAP_SUCCESS) {
DEBUG(0,("%s object not found\n", LDAP_OBJ_IDPOOL));
goto done;
}
talloc_autofree_ldapmsg(ctx, result);
-
- count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
+
+ count = ldap_count_entries(idmap_alloc_ldap->smbldap_state->ldap_struct,
+ result);
if (count != 1) {
DEBUG(0,("Single %s object not found\n", LDAP_OBJ_IDPOOL));
goto done;
}
- entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct, result);
+ entry = ldap_first_entry(idmap_alloc_ldap->smbldap_state->ldap_struct,
+ result);
- dn = smbldap_talloc_dn(ctx, idmap_alloc_ldap->smbldap_state->ldap_struct, entry);
+ dn = smbldap_talloc_dn(ctx,
+ idmap_alloc_ldap->smbldap_state->ldap_struct,
+ entry);
if ( ! dn) {
goto done;
}
@@ -670,12 +701,12 @@ static NTSTATUS idmap_ldap_set_hwm(struct unixid *xid)
ret = NT_STATUS_NO_MEMORY;
goto done;
}
-
+
smbldap_set_mod(&mods, LDAP_MOD_REPLACE, type, new_id_str);
if (mods == NULL) {
DEBUG(0,("smbldap_set_mod() failed.\n"));
- goto done;
+ goto done;
}
rc = smbldap_modify(idmap_alloc_ldap->smbldap_state, dn, mods);
@@ -683,10 +714,11 @@ static NTSTATUS idmap_ldap_set_hwm(struct unixid *xid)
ldap_mods_free(mods, True);
if (rc != LDAP_SUCCESS) {
- DEBUG(1,("Failed to allocate new %s. smbldap_modify() failed.\n", type));
+ DEBUG(1,("Failed to allocate new %s. "
+ "smbldap_modify() failed.\n", type));
goto done;
}
-
+
ret = NT_STATUS_OK;
done:
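Review bot: The failure message in idmap_ldap_set_hwm() still says "Failed to allocate new %s", copied from idmap_ldap_allocate_id(), so a failed high-water-mark update looks like a failed allocation in the log. Since the string is being rewrapped anyway, I would change it to `"Failed to set new %s hwm. "` `"smbldap_modify() failed.\n"`. The function body starts outside this hunk.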
@@ -713,7 +745,7 @@ static NTSTATUS idmap_ldap_alloc_close(void)
/**********************************************************************
IDMAP MAPPING LDAP BACKEND
**********************************************************************/
-
+
static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
{
smbldap_free_struct(&ctx->smbldap_state);
@@ -724,7 +756,7 @@ static int idmap_ldap_close_destructor(struct idmap_ldap_context *ctx)
}
/********************************
- Initialise idmap database.
+ Initialise idmap database.
********************************/
static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
@@ -756,7 +788,8 @@ static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
/* load ranges */
range = lp_parm_const_string(-1, config_option, "range", NULL);
if (range && range[0]) {
- if ((sscanf(range, "%u - %u", &ctx->filter_low_id, &ctx->filter_high_id) != 2) ||
+ if ((sscanf(range, "%u - %u", &ctx->filter_low_id,
+ &ctx->filter_high_id) != 2) ||
(ctx->filter_low_id > ctx->filter_high_id)) {
DEBUG(1, ("ERROR: invalid filter range [%s]", range));
ctx->filter_low_id = 0;
@@ -775,26 +808,21 @@ static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
-
+
ctx->url = talloc_strdup(ctx, tmp);
}
CHECK_ALLOC_DONE(ctx->url);
- tmp = lp_ldap_idmap_suffix();
- if ( ! tmp || ! *tmp) {
- tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
- }
- if ( ! tmp) {
- tmp = lp_ldap_suffix();
- if (tmp) {
- DEBUG(1, ("WARNING: Trying to use the global ldap suffix(%s)\n", tmp));
- DEBUGADD(1, ("as suffix. This may not be what you want!\n"));
- } else {
- DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
- ret = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
- }
+ tmp = lp_parm_const_string(-1, config_option, "ldap_base_dn", NULL);
+ if ( ! tmp || ! *tmp) {
+ tmp = lp_ldap_idmap_suffix();
+ if ( ! tmp) {
+ DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
+ ret = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+ }
+
ctx->suffix = talloc_strdup(ctx, tmp);
CHECK_ALLOC_DONE(ctx->suffix);
@@ -804,14 +832,14 @@ static NTSTATUS idmap_ldap_db_init(struct idmap_domain *dom)
goto done;
}
- ret = get_credentials( ctx, ctx->smbldap_state, config_option,
+ ret = get_credentials( ctx, ctx->smbldap_state, config_option,
dom, &ctx->user_dn );
if ( !NT_STATUS_IS_OK(ret) ) {
DEBUG(1,("idmap_ldap_db_init: Failed to get connection "
"credentials (%s)\n", nt_errstr(ret)));
goto done;
- }
-
+ }
+
/* set the destructor on the context, so that resource are properly
freed if the contexts is released */
@@ -830,14 +858,17 @@ done:
}
/* max number of ids requested per batch query */
-#define IDMAP_LDAP_MAX_IDS 30
+#define IDMAP_LDAP_MAX_IDS 30
/**********************************
- lookup a set of unix ids.
+ lookup a set of unix ids.
**********************************/
-/* this function searches up to IDMAP_LDAP_MAX_IDS entries in maps for a match */
-static struct id_map *find_map_by_id(struct id_map **maps, enum id_type type, uint32_t id)
+/* this function searches up to IDMAP_LDAP_MAX_IDS entries
+ * in maps for a match */
+static struct id_map *find_map_by_id(struct id_map **maps,
+ enum id_type type,
+ uint32_t id)
{
int i;
@@ -850,10 +881,11 @@ static struct id_map *find_map_by_id(struct id_map **maps, enum id_type type, ui
}
}
- return NULL;
+ return NULL;
}
-static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
+static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom,
+ struct id_map **ids)
{
NTSTATUS ret;
TALLOC_CTX *memctx;
@@ -883,7 +915,7 @@ static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom, struct id_m
}
}
- ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
+ ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
memctx = talloc_new(ctx);
if ( ! memctx) {
@@ -894,7 +926,7 @@ static NTSTATUS idmap_ldap_unixids_to_sids(struct idmap_domain *dom, struct id_m
uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
- attr_list = get_attr_list(ctx, sidmap_attr_list);
+ attr_list = get_attr_list(memctx, sidmap_attr_list);
if ( ! ids[1]) {
/* if we are requested just one mapping use the simple filter */
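Review bot: `attr_list = get_attr_list(memctx, sidmap_attr_list);` is used without a NULL check, whereas verify_idpool() follows the same call with `CHECK_ALLOC_DONE(attr_list);`. Adding that line here keeps an allocation failure from reaching `smbldap_search()` with a NULL attribute list; how the search treats one is outside this diff. The identical change in idmap_ldap_sids_to_unixids() needs the same check. Both functions start and end outside their hunks.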
@@ -914,7 +946,9 @@ again:
if (multi) {
talloc_free(filter);
- filter = talloc_asprintf(memctx, "(&(objectClass=%s)(|", LDAP_OBJ_IDMAP_ENTRY);
+ filter = talloc_asprintf(memctx,
+ "(&(objectClass=%s)(|",
+ LDAP_OBJ_IDMAP_ENTRY);
CHECK_ALLOC_DONE(filter);
bidx = idx;
@@ -932,7 +966,7 @@ again:
idx = 1;
}
- rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
+ rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
filter, attr_list, 0, &result);
if (rc != LDAP_SUCCESS) {
@@ -956,12 +990,15 @@ again:
uint32_t id;
if (i == 0) { /* first entry */
- entry = ldap_first_entry(ctx->smbldap_state->ldap_struct, result);
+ entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
+ result);
} else { /* following ones */
- entry = ldap_next_entry(ctx->smbldap_state->ldap_struct, entry);
+ entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
+ entry);
}
if ( ! entry) {
- DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
+ DEBUG(2, ("ERROR: Unable to fetch ldap entries "
+ "from results\n"));
break;
}
@@ -976,7 +1013,8 @@ again:
/* now try to see if it is a uid, if not try with a gid
* (gid is more common, but in case both uidNumber and
- * gidNumber are returned the SID is mapped to the uid not the gid) */
+ * gidNumber are returned the SID is mapped to the uid
+ *not the gid) */
type = ID_TYPE_UID;
tmp = smbldap_talloc_single_attribute(
ctx->smbldap_state->ldap_struct,
@@ -988,7 +1026,8 @@ again:
entry, gidNumber, memctx);
}
if ( ! tmp) { /* wow very strange entry, how did it match ? */
- DEBUG(5, ("Unprobable match on (%s), no uidNumber, nor gidNumber returned\n", sidstr));
+ DEBUG(5, ("Unprobable match on (%s), no uidNumber, "
+ "nor gidNumber returned\n", sidstr));
TALLOC_FREE(sidstr);
continue;
}
@@ -997,8 +1036,9 @@ again:
if ((id == 0) ||
(ctx->filter_low_id && (id < ctx->filter_low_id)) ||
(ctx->filter_high_id && (id > ctx->filter_high_id))) {
- DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
- id, ctx->filter_low_id, ctx->filter_high_id));
+ DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
+ "Filtered!\n", id,
+ ctx->filter_low_id, ctx->filter_high_id));
TALLOC_FREE(sidstr);
TALLOC_FREE(tmp);
continue;
@@ -1007,7 +1047,8 @@ again:
map = find_map_by_id(&ids[bidx], type, id);
if (!map) {
- DEBUG(2, ("WARNING: couldn't match sid (%s) with requested ids\n", sidstr));
+ DEBUG(2, ("WARNING: couldn't match sid (%s) "
+ "with requested ids\n", sidstr));
TALLOC_FREE(sidstr);
continue;
}
@@ -1022,7 +1063,9 @@ again:
/* mapped */
map->status = ID_MAPPED;
- DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_static(map->sid), (unsigned long)map->xid.id, map->xid.type));
+ DEBUG(10, ("Mapped %s -> %lu (%d)\n",
+ sid_string_static(map->sid),
+ (unsigned long)map->xid.id, map->xid.type));
}
/* free the ldap results */
@@ -1049,10 +1092,11 @@ done:
}
/**********************************
- lookup a set of sids.
+ lookup a set of sids.
**********************************/
-/* this function searches up to IDMAP_LDAP_MAX_IDS entries in maps for a match */
+/* this function searches up to IDMAP_LDAP_MAX_IDS entries
+ * in maps for a match */
static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
{
int i;
@@ -1066,10 +1110,11 @@ static struct id_map *find_map_by_sid(struct id_map **maps, DOM_SID *sid)
}
}
- return NULL;
+ return NULL;
}
-static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
+static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom,
+ struct id_map **ids)
{
LDAPMessage *entry = NULL;
NTSTATUS ret;
@@ -1100,7 +1145,7 @@ static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom, struct id_m
}
}
- ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
+ ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
memctx = talloc_new(ctx);
if ( ! memctx) {
@@ -1111,7 +1156,7 @@ static NTSTATUS idmap_ldap_sids_to_unixids(struct idmap_domain *dom, struct id_m
uidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_UIDNUMBER);
gidNumber = get_attr_key2string(idpool_attr_list, LDAP_ATTR_GIDNUMBER);
- attr_list = get_attr_list(ctx, sidmap_attr_list);
+ attr_list = get_attr_list(memctx, sidmap_attr_list);
if ( ! ids[1]) {
/* if we are requested just one mapping use the simple filter */
@@ -1131,7 +1176,9 @@ again:
if (multi) {
TALLOC_FREE(filter);
- filter = talloc_asprintf(memctx, "(&(objectClass=%s)(|", LDAP_OBJ_IDMAP_ENTRY);
+ filter = talloc_asprintf(memctx,
+ "(&(objectClass=%s)(|",
+ LDAP_OBJ_IDMAP_ENTRY);
CHECK_ALLOC_DONE(filter);
bidx = idx;
@@ -1149,11 +1196,12 @@ again:
idx = 1;
}
- rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
+ rc = smbldap_search(ctx->smbldap_state, ctx->suffix, LDAP_SCOPE_SUBTREE,
filter, attr_list, 0, &result);
if (rc != LDAP_SUCCESS) {
- DEBUG(3,("Failure looking up sids (%s)\n", ldap_err2string(rc)));
+ DEBUG(3,("Failure looking up sids (%s)\n",
+ ldap_err2string(rc)));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
@@ -1173,12 +1221,15 @@ again:
uint32_t id;
if (i == 0) { /* first entry */
- entry = ldap_first_entry(ctx->smbldap_state->ldap_struct, result);
+ entry = ldap_first_entry(ctx->smbldap_state->ldap_struct,
+ result);
} else { /* following ones */
- entry = ldap_next_entry(ctx->smbldap_state->ldap_struct, entry);
+ entry = ldap_next_entry(ctx->smbldap_state->ldap_struct,
+ entry);
}
if ( ! entry) {
- DEBUG(2, ("ERROR: Unable to fetch ldap entries from results\n"));
+ DEBUG(2, ("ERROR: Unable to fetch ldap entries "
+ "from results\n"));
break;
}
@@ -1199,7 +1250,8 @@ again:
map = find_map_by_sid(&ids[bidx], &sid);
if (!map) {
- DEBUG(2, ("WARNING: couldn't find entry sid (%s) in ids", sidstr));
+ DEBUG(2, ("WARNING: couldn't find entry sid (%s) "
+ "in ids", sidstr));
TALLOC_FREE(sidstr);
continue;
}
@@ -1208,7 +1260,8 @@ again:
/* now try to see if it is a uid, if not try with a gid
* (gid is more common, but in case both uidNumber and
- * gidNumber are returned the SID is mapped to the uid not the gid) */
+ * gidNumber are returned the SID is mapped to the uid
+ * not the gid) */
type = ID_TYPE_UID;
tmp = smbldap_talloc_single_attribute(
ctx->smbldap_state->ldap_struct,
@@ -1220,7 +1273,8 @@ again:
entry, gidNumber, memctx);
}
if ( ! tmp) { /* no ids ?? */
- DEBUG(5, ("no uidNumber, nor gidNumber attributes found\n"));
+ DEBUG(5, ("no uidNumber, "
+ "nor gidNumber attributes found\n"));
continue;
}
@@ -1228,8 +1282,9 @@ again:
if ((id == 0) ||
(ctx->filter_low_id && (id < ctx->filter_low_id)) ||
(ctx->filter_high_id && (id > ctx->filter_high_id))) {
- DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
- id, ctx->filter_low_id, ctx->filter_high_id));
+ DEBUG(5, ("Requested id (%u) out of range (%u - %u). "
+ "Filtered!\n", id,
+ ctx->filter_low_id, ctx->filter_high_id));
TALLOC_FREE(tmp);
continue;
}
@@ -1239,8 +1294,10 @@ again:
map->xid.type = type;
map->xid.id = id;
map->status = ID_MAPPED;
-
- DEBUG(10, ("Mapped %s -> %lu (%d)\n", sid_string_static(map->sid), (unsigned long)map->xid.id, map->xid.type));
+
+ DEBUG(10, ("Mapped %s -> %lu (%d)\n",
+ sid_string_static(map->sid),
+ (unsigned long)map->xid.id, map->xid.type));
}
/* free the ldap results */
@@ -1267,12 +1324,14 @@ done:
}
/**********************************
- set a mapping.
+ set a mapping.
**********************************/
-/* TODO: change this: This function cannot be called to modify a mapping, only set a new one */
+/* TODO: change this: This function cannot be called to modify a mapping,
+ * only set a new one */
-static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom, const struct id_map *map)
+static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom,
+ const struct id_map *map)
{
NTSTATUS ret;
TALLOC_CTX *memctx;
@@ -1298,15 +1357,17 @@ static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom, const struct id
}
}
- ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
+ ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
switch(map->xid.type) {
case ID_TYPE_UID:
- type = get_attr_key2string(sidmap_attr_list, LDAP_ATTR_UIDNUMBER);
+ type = get_attr_key2string(sidmap_attr_list,
+ LDAP_ATTR_UIDNUMBER);
break;
case ID_TYPE_GID:
- type = get_attr_key2string(sidmap_attr_list, LDAP_ATTR_GIDNUMBER);
+ type = get_attr_key2string(sidmap_attr_list,
+ LDAP_ATTR_GIDNUMBER);
break;
default:
@@ -1331,12 +1392,15 @@ static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom, const struct id
ctx->suffix);
CHECK_ALLOC_DONE(dn);
- smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_IDMAP_ENTRY);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD,
+ "objectClass", LDAP_OBJ_IDMAP_ENTRY);
- smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods, type, id_str);
+ smbldap_make_mod(ctx->smbldap_state->ldap_struct,
+ entry, &mods, type, id_str);
- smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
- get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID), sid);
+ smbldap_make_mod(ctx->smbldap_state->ldap_struct, entry, &mods,
+ get_attr_key2string(sidmap_attr_list, LDAP_ATTR_SID),
+ sid);
if ( ! mods) {
DEBUG(2, ("ERROR: No mods?\n"));
@@ -1351,14 +1415,16 @@ static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom, const struct id
DEBUG(10, ("Set DN %s (%s -> %s)\n", dn, sid, id_str));
rc = smbldap_add(ctx->smbldap_state, dn, mods);
- ldap_mods_free(mods, True);
+ ldap_mods_free(mods, True);
if (rc != LDAP_SUCCESS) {
char *ld_error = NULL;
- ldap_get_option(ctx->smbldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
- DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu mapping [%s]\n",
- sid, (unsigned long)map->xid.id, type));
- DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
+ ldap_get_option(ctx->smbldap_state->ldap_struct,
+ LDAP_OPT_ERROR_STRING, &ld_error);
+ DEBUG(0,("ldap_set_mapping_internals: Failed to add %s to %lu "
+ "mapping [%s]\n", sid,
+ (unsigned long)map->xid.id, type));
+ DEBUG(0, ("ldap_set_mapping_internals: Error was: %s (%s)\n",
ld_error ? ld_error : "(NULL)", ldap_err2string (rc)));
if (ld_error) {
ldap_memfree(ld_error);
@@ -1366,9 +1432,9 @@ static NTSTATUS idmap_ldap_set_mapping(struct idmap_domain *dom, const struct id
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
-
- DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to %lu [%s]\n",
- sid, (unsigned long)map->xid.id, type));
+
+ DEBUG(10,("ldap_set_mapping: Successfully created mapping from %s to "
+ "%lu [%s]\n", sid, (unsigned long)map->xid.id, type));
ret = NT_STATUS_OK;
@@ -1378,7 +1444,7 @@ done:
}
/**********************************
- Close the idmap ldap instance
+ Close the idmap ldap instance
**********************************/
static NTSTATUS idmap_ldap_close(struct idmap_domain *dom)
@@ -1386,12 +1452,13 @@ static NTSTATUS idmap_ldap_close(struct idmap_domain *dom)
struct idmap_ldap_context *ctx;
if (dom->private_data) {
- ctx = talloc_get_type(dom->private_data, struct idmap_ldap_context);
+ ctx = talloc_get_type(dom->private_data,
+ struct idmap_ldap_context);
talloc_free(ctx);
dom->private_data = NULL;
}
-
+
return NT_STATUS_OK;
}
@@ -1416,18 +1483,21 @@ static struct idmap_alloc_methods idmap_ldap_alloc_methods = {
NTSTATUS idmap_alloc_ldap_init(void)
{
- return smb_register_idmap_alloc(SMB_IDMAP_INTERFACE_VERSION, "ldap", &idmap_ldap_alloc_methods);
+ return smb_register_idmap_alloc(SMB_IDMAP_INTERFACE_VERSION, "ldap",
+ &idmap_ldap_alloc_methods);
}
NTSTATUS idmap_ldap_init(void)
{
NTSTATUS ret;
- /* FIXME: bad hack to actually register also the alloc_ldap module without changining configure.in */
+ /* FIXME: bad hack to actually register also the alloc_ldap module
+ * without changining configure.in */
ret = idmap_alloc_ldap_init();
if (! NT_STATUS_IS_OK(ret)) {
return ret;
}
- return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap", &idmap_ldap_methods);
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ldap",
+ &idmap_ldap_methods);
}
diff --git a/source/nsswitch/wb_common.c b/source/nsswitch/wb_common.c
index fb84373aa63..563c38648af 100644
--- a/source/nsswitch/wb_common.c
+++ b/source/nsswitch/wb_common.c
@@ -422,7 +422,7 @@ int write_sock(void *buffer, int count, int recursing, int need_priv)
static int read_sock(void *buffer, int count)
{
- int result = 0, nread = 0;
+ int nread = 0;
int total_time = 0, selret;
if (winbindd_fd == -1) {
@@ -463,7 +463,7 @@ static int read_sock(void *buffer, int count)
/* Do the Read */
- result = read(winbindd_fd, (char *)buffer + nread,
+ int result = read(winbindd_fd, (char *)buffer + nread,
count - nread);
if ((result == -1) || (result == 0)) {
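Review bot: The check `(result == -1) || (result == 0)` puts every read() failure in the same branch as end-of-stream, so an interrupted call (errno EINTR) is presumably handled like a dead transport; the branch body is outside the hunk, so confirm that before changing it. If it is, a guard such as `if (result == -1 && errno == EINTR) continue;` ahead of this test, assuming it sits inside the read loop, would keep a stray signal from failing the winbindd request. Since read() returns ssize_t, declaring `ssize_t result` would also match the call without narrowing.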
@@ -481,7 +481,7 @@ static int read_sock(void *buffer, int count)
}
}
- return result;
+ return nread;
}
/* Read reply */
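Review bot: Returning `nread` changes what read_sock() hands back from the size of the last read() to the total number of bytes read, and nothing on the function documents that contract. A header comment above `static int read_sock(void *buffer, int count)` along the lines of `/* Returns the total number of bytes read, which equals count on success. */` would tell callers what to compare against. The failure paths are outside this hunk, so the wording for the error return should be checked against them, and callers that tested the old value deserve a look as well.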
diff --git a/source/nsswitch/winbindd_cache.c b/source/nsswitch/winbindd_cache.c
index a2b8cb4193e..a88a061686c 100644
--- a/source/nsswitch/winbindd_cache.c
+++ b/source/nsswitch/winbindd_cache.c
@@ -1133,14 +1133,15 @@ do_query:
domain->name ));
status = domain->backend->query_user_list(domain, mem_ctx, num_entries, info);
- if (!NT_STATUS_IS_OK(status))
+ if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("query_user_list: returned 0x%08x, "
"retrying\n", NT_STATUS_V(status)));
- if (NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL)) {
- DEBUG(3, ("query_user_list: flushing "
- "connection cache\n"));
- invalidate_cm_connection(&domain->conn);
- }
+ }
+ if (NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL)) {
+ DEBUG(3, ("query_user_list: flushing "
+ "connection cache\n"));
+ invalidate_cm_connection(&domain->conn);
+ }
} while (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_UNSUCCESSFUL) &&
(retry++ < 5));
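Review bot: The first DEBUG(3) message says "retrying" for every non-OK status, but the `while` condition retries only on NT_STATUS_UNSUCCESSFUL and at most five times, so the log for any other failure claims a retry that never happens. Drop `, retrying` from that message and move the word into the flush branch, e.g. `DEBUG(3, ("query_user_list: flushing connection cache, retrying\n"));`. The loop also tests the same condition two ways, `NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL)` in the body and a raw `NT_STATUS_V(status) == NT_STATUS_V(...)` in the `while`; using `NT_STATUS_EQUAL` in both places would be consistent. The `do` and the rest of the function start outside the hunk.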
diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c
index f96478fe516..9fa1ef16269 100644
--- a/source/nsswitch/winbindd_cm.c
+++ b/source/nsswitch/winbindd_cm.c
@@ -1032,19 +1032,27 @@ static BOOL dcip_to_name(const struct winbindd_domain *domain, struct in_addr ip
DEBUG(10,("dcip_to_name: flags = 0x%x\n", (unsigned int)ads->config.flags));
- if (domain->primary && (ads->config.flags & ADS_KDC) && ads_closest_dc(ads)) {
- char *sitename = sitename_fetch(ads->config.realm);
-
- /* We're going to use this KDC for this realm/domain.
- If we are using sites, then force the krb5 libs
- to use this KDC. */
-
- create_local_private_krb5_conf_for_domain(domain->alt_name,
- domain->name,
- sitename,
- ip);
-
- SAFE_FREE(sitename);
+ if (domain->primary && (ads->config.flags & ADS_KDC)) {
+ if (ads_closest_dc(ads)) {
+ char *sitename = sitename_fetch(ads->config.realm);
+
+ /* We're going to use this KDC for this realm/domain.
+ If we are using sites, then force the krb5 libs
+ to use this KDC. */
+
+ create_local_private_krb5_conf_for_domain(domain->alt_name,
+ domain->name,
+ sitename,
+ ip);
+
+ SAFE_FREE(sitename);
+ } else {
+ /* use an off site KDC */
+ create_local_private_krb5_conf_for_domain(domain->alt_name,
+ domain->name,
+ NULL,
+ ip);
+ }
/* Ensure we contact this DC also. */
saf_store( domain->name, name);
saf_store( domain->alt_name, name);
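Review bot: The two branches under `if (ads_closest_dc(ads))` repeat the same `create_local_private_krb5_conf_for_domain()` call and differ only in the site name, so the call can be written once with `sitename` left NULL for the off-site case. After the restructuring the `saf_store()` calls and the private krb5.conf also pin a DC that failed the closest-DC test, and the one-line comment `/* use an off site KDC */` does not say why that is wanted; a sentence on the reasoning would help whoever later debugs site selection or Kerberos failures. The enclosing function starts and ends outside the hunk.

```c
if (domain->primary && (ads->config.flags & ADS_KDC)) {
	char *sitename = NULL;

	/* When ads_closest_dc() accepts this DC, pass the stored site
	   name; otherwise write the private krb5.conf without one. */
	if (ads_closest_dc(ads)) {
		sitename = sitename_fetch(ads->config.realm);
	}

	create_local_private_krb5_conf_for_domain(domain->alt_name,
						  domain->name,
						  sitename,
						  ip);
	SAFE_FREE(sitename);
	/* … unchanged: saf_store() calls … */
```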
@@ -1550,6 +1558,16 @@ static void set_dc_type_and_flags( struct winbindd_domain *domain )
DEBUG(5, ("set_dc_type_and_flags: rpccli_ds_getprimarydominfo "
"on domain %s failed: (%s)\n",
domain->name, nt_errstr(result)));
+
+ /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for
+ * every opcode on the LSARPC_DS pipe, continue with
+ * no_lsarpc_ds mode here as well to get domain->initialized
+ * set - gd */
+
+ if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
+ goto no_lsarpc_ds;
+ }
+
return;
}
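Review bot: The new test compares `NT_STATUS_V(result)` with `DCERPC_FAULT_OP_RNG_ERROR`, which is only correct if the RPC client stores the raw DCERPC fault code in the NTSTATUS it returns; that conversion is not visible here and deserves a one-line comment or a named helper. The fallback is also silent apart from the generic failure message above it. A line such as `DEBUG(5, ("set_dc_type_and_flags: op range fault from domain %s, using no_lsarpc_ds path\n", domain->name));` before the `goto` would show in the log when a DC's reply steers winbindd onto the legacy detection path. The `no_lsarpc_ds` label and whatever is released between here and it are outside the hunk.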
diff --git a/source/nsswitch/winbindd_rpc.c b/source/nsswitch/winbindd_rpc.c
index f408e1e15ee..3c79670d635 100644
--- a/source/nsswitch/winbindd_rpc.c
+++ b/source/nsswitch/winbindd_rpc.c
@@ -168,8 +168,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
(*num_entries) + count);
if (! *info) {
talloc_destroy(mem_ctx2);
- status = NT_STATUS_NO_MEMORY;
- break;
+ return NT_STATUS_NO_MEMORY;
}
memcpy(&(*info)[*num_entries], info2, count*sizeof(*info2));
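Review bot: The early `return NT_STATUS_NO_MEMORY;` leaves `*info` NULL while `*num_entries` may still hold the count accumulated by earlier iterations, so a caller that reads the count without checking the status first would index a NULL array. Setting `*num_entries = 0;` before the return keeps the two outputs consistent. The return also skips whatever cleanup follows the loop, which lies outside the hunk, so check that nothing acquired earlier (other than `mem_ctx2`, which is destroyed here) is left behind.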