diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/passdb.h | 4 | ||||
-rw-r--r-- | source3/passdb/passdb.c | 348 | ||||
-rw-r--r-- | source3/passdb/pdb_smbpasswd.c | 1 | ||||
-rw-r--r-- | source3/passdb/pdb_tdb.c | 47 | ||||
-rw-r--r-- | source3/smbd/uid.c | 271 |
5 files changed, 141 insertions, 530 deletions
diff --git a/source3/include/passdb.h b/source3/include/passdb.h index 06409aa34eb..35399758b20 100644 --- a/source3/include/passdb.h +++ b/source3/include/passdb.h @@ -51,7 +51,7 @@ typedef struct pdb_context NTSTATUS (*pdb_getsampwnam)(struct pdb_context *, SAM_ACCOUNT *sam_acct, const char *username); NTSTATUS (*pdb_getsampwsid)(struct pdb_context *, SAM_ACCOUNT *sam_acct, const DOM_SID *sid); - + NTSTATUS (*pdb_add_sam_account)(struct pdb_context *, SAM_ACCOUNT *sampass); NTSTATUS (*pdb_update_sam_account)(struct pdb_context *, SAM_ACCOUNT *sampass); @@ -104,7 +104,7 @@ typedef struct pdb_methods NTSTATUS (*getsampwnam)(struct pdb_methods *, SAM_ACCOUNT *sam_acct, const char *username); - NTSTATUS (*getsampwsid)(struct pdb_methods *, SAM_ACCOUNT *sam_acct, const DOM_SID *Sid); + NTSTATUS (*getsampwsid)(struct pdb_methods *, SAM_ACCOUNT *sam_acct, const DOM_SID *sid); NTSTATUS (*add_sam_account)(struct pdb_methods *, SAM_ACCOUNT *sampass); diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 99f5c228efe..15756b7e225 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -163,13 +163,7 @@ NTSTATUS pdb_init_sam(SAM_ACCOUNT **user) NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) { - GROUP_MAP map; - - const char *guest_account = lp_guestaccount(); - if (!(guest_account && *guest_account)) { - DEBUG(1, ("NULL guest account!?!?\n")); - return NT_STATUS_UNSUCCESSFUL; - } + NTSTATUS ret; if (!pwd) { return NT_STATUS_UNSUCCESSFUL; @@ -197,37 +191,8 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) -- abartlet 11-May-02 */ - - /* Ensure this *must* be set right */ - if (strcmp(pwd->pw_name, guest_account) == 0) { - if (!pdb_set_user_sid_from_rid(sam_account, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) { - return NT_STATUS_UNSUCCESSFUL; - } - if (!pdb_set_group_sid_from_rid(sam_account, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) { - return NT_STATUS_UNSUCCESSFUL; - } - } else { - - if (!pdb_set_user_sid_from_rid(sam_account, - fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) { - DEBUG(0,("Can't set User SID from RID!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - /* call the mapping code here */ - if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) { - if (!pdb_set_group_sid(sam_account,&map.sid, PDB_SET)){ - DEBUG(0,("Can't set Group SID!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - } - else { - if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) { - DEBUG(0,("Can't set Group SID\n")); - return NT_STATUS_INVALID_PARAMETER; - } - } - } + ret = pdb_set_sam_sids(sam_account, pwd); + if (NT_STATUS_IS_ERR(ret)) return ret; /* check if this is a user account or a machine account */ if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$') @@ -371,102 +336,77 @@ NTSTATUS pdb_free_sam(SAM_ACCOUNT **user) /************************************************************************** * This function will take care of all the steps needed to correctly * allocate and set the user SID, please do use this function to create new - * users and don't add the account to the passdb directly unless you know - * what are you doing, messing with SIDs is not good. - * - * account_data must be provided initialized. But values may be discarded if - * free RIDs are not in use. - * - * ATTENTION: Please pay attention to leave any ID field to NULL unless you - * really know what you are doing + * users, messing with SIDs is not good. * + * account_data must be provided initialized, pwd may be null. * SSS ***************************************************************************/ -NTSTATUS pdb_create_new_user_account(char *username, SAM_ACCOUNT *account_data) +NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd) { + const char *guest_account = lp_guestaccount(); NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - SAM_ACCOUNT test; - DOM_SID u_sid, g_sid; - struct passwd *pw; - if (!username || !account_data) { + if (!account_data || (!pwd && !(pdb_get_free_rid_base() && lp_idmap_only()))) { return NT_STATUS_INVALID_PARAMETER; } - if (pdb_getsampwnam(&test, username)) { - DEBUG(3, ("pdb_create_new_user_account: User already exist in SAM! Aborting...\n")); + /* this is a hack this thing should not be set + this way --SSS */ + if (!(guest_account && *guest_account)) { + DEBUG(1, ("NULL guest account!?!?\n")); return NT_STATUS_UNSUCCESSFUL; + } else { + /* Ensure this *must* be set right */ + if (strcmp(pwd->pw_name, guest_account) == 0) { + if (!pdb_set_user_sid_from_rid(account_data, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) { + return NT_STATUS_UNSUCCESSFUL; + } + if (!pdb_set_group_sid_from_rid(account_data, DOMAIN_GROUP_RID_GUESTS, PDB_DEFAULT)) { + return NT_STATUS_UNSUCCESSFUL; + } + return NT_STATUS_OK; + } } - pw = getpwnam_alloc(username); - - if (pdb_get_free_rid_base()) { - unid_t idval; - int idtype; + if (pwd) { + GROUP_MAP map; - if (!pdb_set_username(account_data, username, PDB_CHANGED)) { - goto done; + if (!pdb_set_user_sid_from_rid(account_data, fallback_pdb_uid_to_user_rid(pwd->pw_uid), PDB_SET)) { + DEBUG(0,("Can't set User SID from RID!\n")); + return NT_STATUS_INVALID_PARAMETER; } - - if (lp_idmap_only() || !pw) { - if (pdb_get_init_flags(account_data, PDB_USERSID) == PDB_DEFAULT) { - if (!pdb_get_next_sid(&u_sid)) { - goto done; - } - pdb_set_user_sid(account_data, &u_sid, PDB_SET); - } - /* make a mapping in idmap */ - idtype = ID_USERID; - idmap_get_id_from_sid(&idval, &idtype, &u_sid); - if (pdb_get_init_flags(account_data, PDB_GROUPSID) == PDB_DEFAULT) { - /* set Domain Users by default ! */ - sid_copy(&g_sid, get_global_sam_sid()); - sid_append_rid(&u_sid, DOMAIN_GROUP_RID_USERS); - pdb_set_group_sid(account_data, &g_sid, PDB_SET); - } - /* make a mapping in idmap */ - idtype = ID_GROUPID; - idmap_get_id_from_sid(&idval, &idtype, &g_sid); - } else { - GROUP_MAP map; - - if (!pdb_set_user_sid_from_rid(account_data, fallback_pdb_uid_to_user_rid(pw->pw_uid), PDB_SET)) { - DEBUG(0,("Can't set User SID from RID!\n")); - ret = NT_STATUS_INVALID_PARAMETER; - goto done; + /* call the mapping code here */ + if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) { + if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){ + DEBUG(0,("Can't set Group SID!\n")); + return NT_STATUS_INVALID_PARAMETER; } - - /* call the mapping code here */ - if(pdb_getgrgid(&map, pw->pw_gid, MAPPING_WITHOUT_PRIV)) { - if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){ - DEBUG(0,("Can't set Group SID!\n")); - ret = NT_STATUS_INVALID_PARAMETER; - goto done; - } - } - else { - if (!pdb_set_group_sid_from_rid(account_data, pdb_gid_to_group_rid(pw->pw_gid), PDB_SET)) { - DEBUG(0,("Can't set Group SID\n")); - ret = NT_STATUS_INVALID_PARAMETER; - goto done; - } + } + else { + if (!pdb_set_group_sid_from_rid(account_data, pdb_gid_to_group_rid(pwd->pw_gid), PDB_SET)) { + DEBUG(0,("Can't set Group SID\n")); + return NT_STATUS_INVALID_PARAMETER; } - } - } else { - if (!pw || NT_STATUS_IS_ERR(pdb_fill_sam_pw(account_data, pw))) { - goto done; } - } + } else { + unid_t idval; + int idtype; - if (pdb_add_sam_account(account_data)) { - ret = NT_STATUS_OK; + /* this is a hack this thing should not be set + here --SSS */ + if (pdb_get_init_flags(account_data, PDB_GROUPSID) == PDB_DEFAULT) { + DOM_SID g_sid; + + /* set Domain Users by default ! */ + sid_copy(&g_sid, get_global_sam_sid()); + sid_append_rid(&g_sid, DOMAIN_GROUP_RID_USERS); + pdb_set_group_sid(account_data, &g_sid, PDB_SET); + } } -done: - passwd_free(&pw); - return ret; + return NT_STATUS_OK; } /****************************************************************** @@ -957,190 +897,6 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi return True; } -/**************************************************************************** - Convert a uid to SID - locally. -****************************************************************************/ - -DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid) -{ - struct passwd *pass; - SAM_ACCOUNT *sam_user = NULL; - fstring str; /* sid string buffer */ - - sid_copy(psid, get_global_sam_sid()); - - if((pass = getpwuid_alloc(uid))) { - - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) { - passwd_free(&pass); - return NULL; - } - - if (pdb_getsampwnam(sam_user, pass->pw_name)) { - sid_copy(psid, pdb_get_user_sid(sam_user)); - } else { - sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid)); - } - - DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (%s).\n", - (unsigned)uid, sid_to_string( str, psid), - pass->pw_name )); - - passwd_free(&pass); - pdb_free_sam(&sam_user); - - } else { - sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid)); - - DEBUG(10,("local_uid_to_sid: uid %u -> SID (%s) (unknown user).\n", - (unsigned)uid, sid_to_string( str, psid))); - } - - return psid; -} - -/**************************************************************************** - Convert a SID to uid - locally. -****************************************************************************/ - -BOOL local_sid_to_uid(uid_t *puid, const DOM_SID *psid, enum SID_NAME_USE *name_type) -{ - fstring str; - SAM_ACCOUNT *sam_user = NULL; - - *name_type = SID_NAME_UNKNOWN; - - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) - return False; - - if (pdb_getsampwsid(sam_user, psid)) { - - if (!IS_SAM_SET(sam_user,PDB_UID)&&!IS_SAM_CHANGED(sam_user,PDB_UID)) { - pdb_free_sam(&sam_user); - return False; - } - - *puid = pdb_get_uid(sam_user); - - DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_to_string( str, psid), - (unsigned int)*puid, pdb_get_username(sam_user))); - pdb_free_sam(&sam_user); - } else { - - DOM_SID dom_sid; - uint32 rid; - GROUP_MAP map; - - pdb_free_sam(&sam_user); - - if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) { - DEBUG(3, ("local_sid_to_uid: SID '%s' is a group, not a user... \n", sid_to_string(str, psid))); - /* It's a group, not a user... */ - return False; - } - - sid_copy(&dom_sid, psid); - if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) { - DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid))); - return False; - } - - if (!pdb_rid_is_user(rid)) { - DEBUG(3, ("local_sid_to_uid: sid '%s' cannot be mapped to a uid algorithmicly becouse it is a group\n", sid_to_string(str, psid))); - return False; - } - - *puid = fallback_pdb_user_rid_to_uid(rid); - - DEBUG(5,("local_sid_to_uid: SID %s algorithmicly mapped to %ld mapped becouse SID was not found in passdb.\n", - sid_to_string(str, psid), (signed long int)(*puid))); - } - - *name_type = SID_NAME_USER; - - return True; -} - -/**************************************************************************** - Convert a gid to SID - locally. -****************************************************************************/ - -DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid) -{ - GROUP_MAP map; - - sid_copy(psid, get_global_sam_sid()); - - if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) { - sid_copy(psid, &map.sid); - } - else { - sid_append_rid(psid, pdb_gid_to_group_rid(gid)); - } - - return psid; -} - -/**************************************************************************** - Convert a SID to gid - locally. -****************************************************************************/ - -BOOL local_sid_to_gid(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE *name_type) -{ - fstring str; - GROUP_MAP map; - - *name_type = SID_NAME_UNKNOWN; - - /* - * We can only convert to a gid if this is our local - * Domain SID (ie. we are the controling authority). - * - * Or in the Builtin SID too. JFM, 11/30/2001 - */ - - if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) { - - /* the SID is in the mapping table but not mapped */ - if (map.gid==(gid_t)-1) - return False; - - *pgid = map.gid; - *name_type = map.sid_name_use; - DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", - sid_to_string( str, psid), - map.nt_name, (unsigned int)*pgid)); - - } else { - uint32 rid; - SAM_ACCOUNT *sam_user = NULL; - if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user))) - return False; - - if (pdb_getsampwsid(sam_user, psid)) { - return False; - pdb_free_sam(&sam_user); - } - - pdb_free_sam(&sam_user); - - if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) { - DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid))); - return False; - } - - if (pdb_rid_is_user(rid)) - return False; - - *pgid = pdb_group_rid_to_gid(rid); - *name_type = SID_NAME_ALIAS; - DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u).\n", sid_to_string( str, psid), - (unsigned int)*pgid)); - } - - return True; -} - /************************************************************* Change a password entry in the local smbpasswd file. diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c index 38bb61957c5..637f40f8c68 100644 --- a/source3/passdb/pdb_smbpasswd.c +++ b/source3/passdb/pdb_smbpasswd.c @@ -1507,7 +1507,6 @@ static void free_private_data(void **vp) /* No need to free any further, as it is talloc()ed */ } - NTSTATUS pdb_init_smbpasswd(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) { NTSTATUS nt_status; diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c index 41c6bbd4297..32ddd189db6 100644 --- a/source3/passdb/pdb_tdb.c +++ b/source3/passdb/pdb_tdb.c @@ -874,6 +874,49 @@ done: return (ret); } +#if 0 +/*************************************************************************** + Allocates a new RID and returns it to the caller as a domain sid + + NOTE: Use carefullt, do not waste RIDs they are a limited resource! + - SSS + ***************************************************************************/ + +static NTSTATUS tdbsam_get_next_sid (struct pdb_methods *my_methods, DOM_SID *sid) +{ + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + struct tdbsam_privates *tdb_state = (struct tdbsam_privates *)my_methods->private_data; + TDB_CONTEXT *pwd_tdb; + uint32 rid; + + if (sid == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + pwd_tdb = tdb_open_log(tdb_state->tdbsam_location, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0600); + if (!pwd_tdb) + { + DEBUG(0, ("tdbsam_get_next_sid: Unable to open TDB passwd (%s)!\n", tdb_state->tdbsam_location)); + return NT_STATUS_UNSUCCESSFUL; + } + + rid = BASE_RID; + if (tdb_change_uint32_atomic(pwd_tdb, "RID_COUNTER", &rid, 1)) { + + sid_copy(sid, get_global_sam_sid()); + if (!sid_append_rid(sid, rid)) { + goto done; + } + + ret = NT_STATUS_OK; + } + +done: + tdb_close (pwd_tdb); + return ret; +} +#endif + /*************************************************************************** Modifies an existing SAM_ACCOUNT ****************************************************************************/ @@ -946,8 +989,6 @@ NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, con tdb_state->tdbsam_location = talloc_strdup(pdb_context->mem_ctx, tdbfile); } - tdb_state->algorithmic_rids = True; - (*pdb_method)->private_data = tdb_state; (*pdb_method)->free_private_data = free_private_data; @@ -961,6 +1002,8 @@ NTSTATUS pdb_init_tdbsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, con tdb_state->high_nua_rid=fallback_pdb_uid_to_user_rid(high_nua_uid); + } else { + tdb_state->algorithmic_rids = True; } return NT_STATUS_OK; diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index 0b67b53c719..353ae8f50d9 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -722,7 +722,6 @@ static void store_gid_sid_cache(const DOM_SID *psid, const enum SID_NAME_USE sid DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid) { -#ifdef WITH_IDMAP unid_t id; DEBUG(10,("uid_to_sid: uid = [%d]\n", uid)); @@ -738,47 +737,13 @@ DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid) We may add a switch in future to allow smooth migrations to idmap-only db ---Simo */ - become_root(); - psid = local_uid_to_sid(psid, uid); - unbecome_root(); + sid_copy(psid, get_global_sam_sid()); + sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid)); DEBUG(10,("uid_to_sid: algorithmic %u -> %s\n", (unsigned int)uid, sid_string_static(psid))); - if (psid) - idmap_set_mapping(psid, id, ID_USERID); return psid; -#else - uid_t low, high; - enum SID_NAME_USE sidtype; - fstring sid; - - if (fetch_sid_from_uid_cache(psid, &sidtype, uid)) - return psid; - - if (lp_idmap_uid(&low, &high) && uid >= low && uid <= high) { - if (winbind_uid_to_sid(psid, uid)) { - - DEBUG(10,("uid_to_sid: winbindd %u -> %s\n", - (unsigned int)uid, sid_to_string(sid, psid))); - - if (psid) - store_uid_sid_cache(psid, SID_NAME_USER, uid); - return psid; - } - } - - /* Make sure we report failure, (when psid == NULL) */ - become_root(); - psid = local_uid_to_sid(psid, uid); - unbecome_root(); - - DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid, sid_to_string(sid, psid))); - if (psid) - store_uid_sid_cache(psid, SID_NAME_USER, uid); - - return psid; -#endif } /***************************************************************** @@ -789,7 +754,7 @@ DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid) DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid) { -#ifdef WITH_IDMAP + GROUP_MAP map; unid_t id; DEBUG(10,("gid_to_sid: gid = [%d]\n", gid)); @@ -805,46 +770,16 @@ DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid) We may add a switch in future to allow smooth migrations to idmap-only db ---Simo */ - become_root(); - psid = local_gid_to_sid(psid, gid); - unbecome_root(); - - DEBUG(10,("gid_to_sid: algorithmic %u -> %s\n", (unsigned int)gid, sid_string_static(psid))); - if (psid) - idmap_set_mapping(psid, id, ID_GROUPID); - - return psid; - -#else - gid_t low, high; - enum SID_NAME_USE sidtype; - fstring sid; - - if (fetch_sid_from_gid_cache(psid, &sidtype, gid)) - return psid; - - if (lp_idmap_gid(&low, &high) && gid >= low && gid <= high) { - if (winbind_gid_to_sid(psid, gid)) { - - DEBUG(10,("gid_to_sid: winbindd %u -> %s\n", - (unsigned int)gid, sid_to_string(sid, psid))); - - if (psid) - store_gid_sid_cache(psid, SID_NAME_DOM_GRP, gid); - return psid; - } + if (pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) { + sid_copy(psid, &map.sid); + } else { + sid_copy(psid, get_global_sam_sid()); + sid_append_rid(psid, pdb_gid_to_group_rid(gid)); } - /* Make sure we report failure, (when psid == NULL) */ - become_root(); - psid = local_gid_to_sid(psid, gid); - unbecome_root(); - DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid, sid_to_string(sid, psid))); - if (psid) - store_gid_sid_cache(psid, SID_NAME_DOM_GRP, gid); + DEBUG(10,("gid_to_sid: algorithmic %u -> %s\n", (unsigned int)gid, sid_string_static(psid))); return psid; -#endif } /***************************************************************** @@ -856,7 +791,6 @@ DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid) BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype) { -#ifdef WITH_IDMAP unid_t id; int type; @@ -873,94 +807,22 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype) if (sid_compare_domain(get_global_sam_sid(), psid) == 0) { BOOL result; + uint32 rid; DEBUG(10,("sid_to_uid: sid is local [%s]\n", sid_string_static(get_global_sam_sid()))); - become_root(); - result = local_sid_to_uid(puid, psid, sidtype); - unbecome_root(); - if (result) { - id.uid = *puid; - DEBUG(10,("sid_to_uid: uid = [%d]\n", id.uid)); - idmap_set_mapping(psid, id, ID_USERID); - return True; - } - } - return False; -#else - fstring sid_str; - if (fetch_uid_from_cache(puid, psid, *sidtype)) + if (!sid_peek_rid(psid, &rid)) { + DEBUG(0, ("sid_to_uid: Error extracting RID from SID\n!")); + return False; + } + if (!pdb_rid_is_user(rid)) { + DEBUG(3, ("sid_to_uid: RID %u is *NOT* a user\n", (unsigned)rid)); + return False; + } + *puid = fallback_pdb_user_rid_to_uid(rid); return True; - - /* if we know its local then don't try winbindd */ - if (sid_compare_domain(get_global_sam_sid(), psid) == 0) { - BOOL result; - become_root(); - result = local_sid_to_uid(puid, psid, sidtype); - unbecome_root(); - if (result) - store_uid_sid_cache(psid, *sidtype, *puid); - return result; - } - -/* (tridge) I commented out the slab of code below in order to support foreign SIDs - Do we really need to validate the type of SID we have in this case? -*/ -#if 0 - fstring dom_name, name; - enum SID_NAME_USE name_type; - - *sidtype = SID_NAME_UNKNOWN; - /* - * First we must look up the name and decide if this is a user sid. - */ - - if ( (!winbind_lookup_sid(psid, dom_name, name, &name_type)) || (name_type != SID_NAME_USER) ) { - BOOL result; - DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed - trying local.\n", - sid_to_string(sid_str, psid) )); - - become_root(); - result = local_sid_to_uid(puid, psid, sidtype); - unbecome_root(); - return result; - } - - /* - * Ensure this is a user sid. - */ - - if (name_type != SID_NAME_USER) { - DEBUG(10,("sid_to_uid: winbind lookup succeeded but SID is not a uid (%u)\n", - (unsigned int)name_type )); - return False; - } -#endif - *sidtype = SID_NAME_USER; - - /* - * Get the uid for this SID. - */ - - if (!winbind_sid_to_uid(puid, psid)) { - BOOL result; - DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed.\n", - sid_to_string(sid_str, psid) )); - become_root(); - result = local_sid_to_uid(puid, psid, sidtype); - unbecome_root(); - if (result) - store_uid_sid_cache(psid, *sidtype, *puid); - return result; } - - DEBUG(10,("sid_to_uid: winbindd %s -> %u\n", - sid_to_string(sid_str, psid), - (unsigned int)*puid )); - - store_uid_sid_cache(psid, *sidtype, *puid); - return True; -#endif + return False; } /***************************************************************** @@ -972,7 +834,6 @@ BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype) BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid, enum SID_NAME_USE *sidtype) { -#ifdef WITH_IDMAP unid_t id; int type; @@ -988,81 +849,33 @@ BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid, enum SID_NAME_USE *sidtype) } if (sid_compare_domain(get_global_sam_sid(), psid) == 0) { + GROUP_MAP map; BOOL result; - become_root(); - result = local_sid_to_gid(pgid, psid, sidtype); - unbecome_root(); - if (result) { - id.gid = *pgid; - DEBUG(10,("sid_to_gid: gid = [%d]\n", id.gid)); - idmap_set_mapping(psid, id, ID_GROUPID); + + if (pdb_getgrsid(&map, *psid, MAPPING_WITHOUT_PRIV)) { + /* the SID is in the mapping table but not mapped */ + if (map.gid==(gid_t)-1) + return False; + + *pgid = map.gid; + *sidtype = map.sid_name_use; return True; + } else { + uint32 rid; + + if (!sid_peek_rid(psid, &rid)) { + DEBUG(0, ("sid_to_gid: Error extracting RID from SID\n!")); + return False; + } + if (pdb_rid_is_user(rid)) { + DEBUG(3, ("sid_to_gid: RID %u is *NOT* a group\n", (unsigned)rid)); + return False; + } + *pgid = pdb_group_rid_to_gid(rid); + *sidtype = SID_NAME_ALIAS; } } return False; - -#else - fstring dom_name, name, sid_str; - enum SID_NAME_USE name_type; - - *sidtype = SID_NAME_UNKNOWN; - - if (fetch_gid_from_cache(pgid, psid, *sidtype)) - return True; - - /* - * First we must look up the name and decide if this is a group sid. - */ - - /* if we know its local then don't try winbindd */ - if (sid_compare_domain(get_global_sam_sid(), psid) == 0) { - BOOL result; - become_root(); - result = local_sid_to_gid(pgid, psid, sidtype); - unbecome_root(); - if (result) - store_gid_sid_cache(psid, *sidtype, *pgid); - return result; - } - - if (!winbind_lookup_sid(psid, dom_name, name, &name_type)) { - DEBUG(10,("sid_to_gid: winbind lookup for sid %s failed.\n", - sid_to_string(sid_str, psid) )); - /* this was probably a foreign sid - assume its a group rid - and continue */ - name_type = SID_NAME_DOM_GRP; - } - - /* - * Ensure this is a group sid. - */ - - if ((name_type != SID_NAME_DOM_GRP) && (name_type != SID_NAME_ALIAS) && (name_type != SID_NAME_WKN_GRP)) { - DEBUG(10,("sid_to_gid: winbind lookup succeeded but SID is not a known group (%u)\n", - (unsigned int)name_type )); - - return False; - } - - *sidtype = name_type; - - /* - * Get the gid for this SID. - */ - - if (!winbind_sid_to_gid(pgid, psid)) { - DEBUG(10,("sid_to_gid: winbind lookup for sid %s failed.\n", - sid_to_string(sid_str, psid) )); - return False; - } - - DEBUG(10,("sid_to_gid: winbindd %s -> %u\n", - sid_to_string(sid_str, psid), - (unsigned int)*pgid )); - - store_gid_sid_cache(psid, *sidtype, *pgid); - return True; -#endif } |