authorSumit Bose <sbose@redhat.com>2016-04-19 13:52:59 +0200
committerLukas Slebodnik <lslebodn@redhat.com>2016-06-21 12:09:28 +0200
commit1d1a0a019d8d4d9ab0f51ada03604cd2cada287e (patch)
tree84b6ba89e5753a58d3853fdff6bf1ea8edccb37e /src/lib
parent72ceb1b4629a8e7f4f9e6dc9fae4c638e3117a26 (diff)
Add winbind idmap plugin
With this plugin winbind can use the same id-mapping as SSSD, which makes it possible to run both together in a consistent way. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c31
-rw-r--r--src/lib/winbind_idmap_sss/winbind_idmap_sss.c201
-rw-r--r--src/lib/winbind_idmap_sss/winbind_idmap_sss.h98
3 files changed, 330 insertions, 0 deletions
diff --git a/src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c b/src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c
new file mode 100644
index 000000000..94e8719f8
--- /dev/null
+++ b/src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c
@@ -0,0 +1,31 @@
+/*
+ SSSD
+
+ ID-mapping plugin for winbind - helper library for dlopen test
+
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "lib/winbind_idmap_sss/winbind_idmap_sss.h"
+
+NTSTATUS smb_register_idmap(int version, const char *name,
+ struct idmap_methods *methods)
+{
+ return NT_STATUS_OK;
+}
diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.c b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c
new file mode 100644
index 000000000..26f753708
--- /dev/null
+++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c
@@ -0,0 +1,201 @@
+/*
+ SSSD
+
+ ID-mapping plugin for winbind
+
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <string.h>
+#include <errno.h>
+
+#include "lib/winbind_idmap_sss/winbind_idmap_sss.h"
+#include "sss_client/idmap/sss_nss_idmap.h"
+#include "lib/idmap/sss_idmap.h"
+#include "util/util_sss_idmap.h"
+
+struct idmap_sss_ctx {
+ struct sss_idmap_ctx *idmap_ctx;
+};
+
+static NTSTATUS idmap_sss_initialize(struct idmap_domain *dom)
+{
+ struct idmap_sss_ctx *ctx;
+ enum idmap_error_code err;
+
+ if (dom == NULL) {
+ return ERROR_INVALID_PARAMETER;
+ }
+
+ ctx = talloc_zero(dom, struct idmap_sss_ctx);
+ if (ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ err = sss_idmap_init(sss_idmap_talloc, ctx, sss_idmap_talloc_free,
+ &ctx->idmap_ctx);
+ if (err != IDMAP_SUCCESS) {
+ talloc_free(ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ dom->private_data = ctx;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_sss_unixids_to_sids(struct idmap_domain *dom,
+ struct id_map **map)
+{
+ size_t c;
+ int ret;
+ char *sid_str;
+ enum sss_id_type id_type;
+ struct dom_sid *sid;
+ enum idmap_error_code err;
+ struct idmap_sss_ctx *ctx;
+
+ if (dom == NULL) {
+ return ERROR_INVALID_PARAMETER;
+ }
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_sss_ctx);
+ if (ctx == NULL) {
+ return ERROR_INVALID_PARAMETER;
+ }
+
+ for (c = 0; map[c]; c++) {
+ map[c]->status = ID_UNKNOWN;
+ }
+
+ for (c = 0; map[c]; c++) {
+ ret = sss_nss_getsidbyid(map[c]->xid.id, &sid_str, &id_type);
+ if (ret != 0) {
+ if (ret == ENOENT) {
+ map[c]->status = ID_UNMAPPED;
+ }
+ continue;
+ }
+
+ switch (id_type) {
+ case SSS_ID_TYPE_UID:
+ map[c]->xid.type = ID_TYPE_UID;
+ break;
+ case SSS_ID_TYPE_GID:
+ map[c]->xid.type = ID_TYPE_GID;
+ break;
+ case SSS_ID_TYPE_BOTH:
+ map[c]->xid.type = ID_TYPE_BOTH;
+ break;
+ default:
+ free(sid_str);
+ continue;
+ }
+
+ err = sss_idmap_sid_to_smb_sid(ctx->idmap_ctx, sid_str, &sid);
+ free(sid_str);
+ if (err != IDMAP_SUCCESS) {
+ continue;
+ }
+
+ memcpy(map[c]->sid, sid, sizeof(struct dom_sid));
+ sss_idmap_free_smb_sid(ctx->idmap_ctx, sid);
+
+ map[c]->status = ID_MAPPED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_sss_sids_to_unixids(struct idmap_domain *dom,
+ struct id_map **map)
+{
+ size_t c;
+ int ret;
+ char *sid_str;
+ enum sss_id_type id_type;
+ enum idmap_error_code err;
+ struct idmap_sss_ctx *ctx;
+ uint32_t id;
+
+ if (dom == NULL) {
+ return ERROR_INVALID_PARAMETER;
+ }
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_sss_ctx);
+ if (ctx == NULL) {
+ return ERROR_INVALID_PARAMETER;
+ }
+
+ for (c = 0; map[c]; c++) {
+ map[c]->status = ID_UNKNOWN;
+ }
+
+ for (c = 0; map[c]; c++) {
+ err = sss_idmap_smb_sid_to_sid(ctx->idmap_ctx, map[c]->sid, &sid_str);
+ if (err != IDMAP_SUCCESS) {
+ continue;
+ }
+
+ ret = sss_nss_getidbysid(sid_str, &id, &id_type);
+ sss_idmap_free_sid(ctx->idmap_ctx, sid_str);
+ if (ret != 0) {
+ if (ret == ENOENT) {
+ map[c]->status = ID_UNMAPPED;
+ }
+ continue;
+ }
+
+ switch (id_type) {
+ case SSS_ID_TYPE_UID:
+ map[c]->xid.type = ID_TYPE_UID;
+ break;
+ case SSS_ID_TYPE_GID:
+ map[c]->xid.type = ID_TYPE_GID;
+ break;
+ case SSS_ID_TYPE_BOTH:
+ map[c]->xid.type = ID_TYPE_BOTH;
+ break;
+ default:
+ continue;
+ }
+
+ map[c]->xid.id = id;
+
+ map[c]->status = ID_MAPPED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static struct idmap_methods sss_methods = {
+ .init = idmap_sss_initialize,
+ .unixids_to_sids = idmap_sss_unixids_to_sids,
+ .sids_to_unixids = idmap_sss_sids_to_unixids,
+};
+
+NTSTATUS idmap_sss_init(void)
+{
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "sss", &sss_methods);
+}
+
+NTSTATUS samba_init_module(void)
+{
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "sss", &sss_methods);
+}
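Review bot: The early-exit branches in idmap_sss_initialize, idmap_sss_unixids_to_sids and idmap_sss_sids_to_unixids return `ERROR_INVALID_PARAMETER`, which looks like a Win32/WERROR constant rather than an NTSTATUS; all three functions are declared NTSTATUS and the rest of the file uses NT_STATUS_OK / NT_STATUS_NO_MEMORY, so `return NT_STATUS_INVALID_PARAMETER;` is the consistent value and avoids winbind misreading the status. The same guards check `dom` and `dom->private_data` but never `map`, which both mapping functions then dereference in `for (c = 0; map[c]; c++)`; widening the first check to `if (dom == NULL || map == NULL) { return NT_STATUS_INVALID_PARAMETER; }` closes that, and the `memcpy(map[c]->sid, ...)` in unixids_to_sids likewise assumes the caller pre-allocated `map[c]->sid`, which deserves a comment. Neither mapping function consults `dom->low_id` / `dom->high_id`, which the idmap_domain struct this patch declares does carry, so an id returned by SSSD outside the configured winbind range is still reported as ID_MAPPED; if winbind relies on the backend to enforce the range (to be confirmed against the Samba side), sids_to_unixids should mark such ids ID_UNMAPPED rather than copying them into `map[c]->xid.id`.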
diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.h b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h
new file mode 100644
index 000000000..0f27c8561
--- /dev/null
+++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h
@@ -0,0 +1,98 @@
+/*
+ SSSD
+
+ ID-mapping plugin for winbind
+
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _WINBIND_SSS_IDMAP_H_
+#define _WINBIND_SSS_IDMAP_H_
+
+#include <stdint.h>
+#include <stdbool.h>
+
+#include <core/ntstatus.h>
+#include <ndr.h>
+#include <gen_ndr/security.h>
+
+/* The following definitions are taken from the Samba header files
+ * - winbindd/idmap_proto.h
+ * - idmap.d
+ * - gen_ndr/idmap.h
+ * and can be removed if the related Samba header files become public headers
+ * or if this plugin is build inside the Samba source tree. */
+
+enum id_type {
+ ID_TYPE_NOT_SPECIFIED,
+ ID_TYPE_UID,
+ ID_TYPE_GID,
+ ID_TYPE_BOTH
+};
+
+struct unixid {
+ uint32_t id;
+ enum id_type type;
+};
+
+enum id_mapping {
+ ID_UNKNOWN,
+ ID_MAPPED,
+ ID_UNMAPPED,
+ ID_EXPIRED
+};
+
+struct id_map {
+ struct dom_sid *sid;
+ struct unixid xid;
+ enum id_mapping status;
+};
+
+#define SMB_IDMAP_INTERFACE_VERSION 5
+
+struct idmap_domain {
+ const char *name;
+ struct idmap_methods *methods;
+ uint32_t low_id;
+ uint32_t high_id;
+ bool read_only;
+ void *private_data;
+};
+
+/* Filled out by IDMAP backends */
+struct idmap_methods {
+
+ /* Called when backend is first loaded */
+ NTSTATUS (*init)(struct idmap_domain *dom);
+
+ /* Map an array of uids/gids to SIDs. The caller specifies
+ the uid/gid and type. Gets back the SID. */
+ NTSTATUS (*unixids_to_sids)(struct idmap_domain *dom, struct id_map **ids);
+
+ /* Map an arry of SIDs to uids/gids. The caller sets the SID
+ and type and gets back a uid or gid. */
+ NTSTATUS (*sids_to_unixids)(struct idmap_domain *dom, struct id_map **ids);
+
+ /* Allocate a Unix-ID. */
+ NTSTATUS (*allocate_id)(struct idmap_domain *dom, struct unixid *id);
+};
+
+NTSTATUS smb_register_idmap(int version, const char *name,
+ struct idmap_methods *methods);
+#endif /* _WINBIND_SSS_IDMAP_H_ */
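Review bot: The layouts of idmap_domain, id_map and idmap_methods are hand-copied from Samba's private headers and tied to winbind only through `#define SMB_IDMAP_INTERFACE_VERSION 5`; smb_register_idmap presumably checks that number rather than the struct layout, so a Samba build that keeps version 5 but changes a field would load the plugin and then read `private_data` or `sid` from the wrong offset. A comment beside the define recording the exact Samba release and files these definitions were taken from, e.g. `/* Copied from Samba <release> (winbindd/idmap_proto.h, librpc/idl/idmap.idl); re-verify field by field whenever SMB_IDMAP_INTERFACE_VERSION changes upstream */`, would make the coupling visible, and the header's own note that the copies can go once Samba exports the headers is the better long-term fix. Two small wording points in the same comment block: `idmap.d` in the source list looks truncated (presumably `idmap.idl`), and `Map an arry of SIDs` should read `array`.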