-rw-r--r--Makefile.am51
-rw-r--r--configure.ac1
-rw-r--r--contrib/sssd.spec.in14
-rw-r--r--src/conf_macros.m414
-rw-r--r--src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c31
-rw-r--r--src/lib/winbind_idmap_sss/winbind_idmap_sss.c201
-rw-r--r--src/lib/winbind_idmap_sss/winbind_idmap_sss.h98
-rw-r--r--src/man/Makefile.am2
-rw-r--r--src/man/idmap_sss.8.xml63
-rw-r--r--src/tests/dlopen-tests.c3
10 files changed, 476 insertions, 2 deletions
diff --git a/Makefile.am b/Makefile.am
index 12586abbf..ba4b0b47c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -49,6 +49,9 @@ endif
if BUILD_CIFS_IDMAP_PLUGIN
cifsplugindir = @cifspluginpath@
endif
+if BUILD_SAMBA
+winbindplugindir = @winbindpluginpath@
+endif
if BUILD_LIBWBCLIENT
libwbclientdir = @appmodpath@
endif
@@ -345,6 +348,12 @@ cifsplugin_LTLIBRARIES = \
cifs_idmap_sss.la
endif
+if BUILD_SAMBA
+winbindplugin_LTLIBRARIES = \
+ winbind_idmap_sss.la \
+ $(NULL)
+endif
+
noinst_LTLIBRARIES =
pkglib_LTLIBRARIES =
@@ -710,6 +719,7 @@ dist_noinst_HEADERS = \
src/sss_client/nfs/nfsidmap_internal.h \
src/lib/idmap/sss_idmap_private.h \
src/lib/sifp/sss_sifp_private.h \
+ src/lib/winbind_idmap_sss/winbind_idmap_sss.h \
src/tests/cmocka/test_utils.h \
src/tools/common/sss_tools.h \
src/tools/common/sss_colondb.h \
@@ -1553,7 +1563,10 @@ check_LTLIBRARIES += \
$(NULL)
if BUILD_SAMBA
-check_LTLIBRARIES += libsss_ad_tests.la
+check_LTLIBRARIES += \
+ libsss_ad_tests.la \
+ libdlopen_test_winbind_idmap.la \
+ $(NULL)
endif
libdlopen_test_providers_la_SOURCES = \
@@ -3670,6 +3683,40 @@ cifs_idmap_sss_la_LDFLAGS = \
-module
endif
+if BUILD_SAMBA
+winbind_idmap_sss_la_SOURCES = \
+ src/lib/winbind_idmap_sss/winbind_idmap_sss.c \
+ src/util/util_sss_idmap.c \
+ $(NULL)
+winbind_idmap_sss_la_LIBADD = \
+ libsss_idmap.la \
+ libsss_nss_idmap.la \
+ $(TALLOC_LIBS) \
+ $(NULL)
+winbind_idmap_sss_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NDR_KRB5PAC_CFLAGS) \
+ $(NULL)
+winbind_idmap_sss_la_LDFLAGS = \
+ -avoid-version \
+ -module \
+ $(NULL)
+
+libdlopen_test_winbind_idmap_la_SOURCES = \
+ src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c \
+ $(NULL)
+libdlopen_test_winbind_idmap_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NDR_KRB5PAC_CFLAGS) \
+ $(NULL)
+libdlopen_test_winbind_idmap_la_LDFLAGS = \
+ -shared \
+ -avoid-version \
+ -rpath $(abs_top_builddir) \
+ -export-dynamic
+ $(NULL)
+endif
+
################
# TRANSLATIONS #
################
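Review bot: `libdlopen_test_winbind_idmap_la_LDFLAGS` loses its `$(NULL)` terminator because the `-export-dynamic` line carries no trailing backslash, so the following ` $(NULL)` line is parsed on its own rather than as part of the assignment. GNU make appears to skip a line that expands to nothing, so the build probably still succeeds, but the terminator idiom every neighbouring variable in this hunk relies on is broken and a flag appended after that `$(NULL)` later would be silently dropped. Change the line to `-export-dynamic \`, and check that automake itself does not reject the stray line when it regenerates `Makefile.in`.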
@@ -3899,6 +3946,7 @@ install-data-hook:
if [ ! $(krb5rcachedir) = "__LIBKRB5_DEFAULTS__" ]; then \
$(MKDIR_P) $(DESTDIR)/$(krb5rcachedir) ; \
fi
+ mv $(DESTDIR)/$(winbindplugindir)/winbind_idmap_sss.so $(DESTDIR)/$(winbindplugindir)/sss.so
uninstall-hook:
if [ -f $(abs_builddir)/src/config/.files2 ]; then \
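Review bot: The `mv` added to `install-data-hook` runs regardless of the `BUILD_SAMBA` conditional under which `winbind_idmap_sss.la` is built, so in a build without Samba support `winbindplugindir` is empty and the hook fails on a non-existent `$(DESTDIR)//winbind_idmap_sss.so`, aborting `make install` as a whole. Wrap the line in the automake conditional: `if BUILD_SAMBA` / `<tab>mv $(DESTDIR)$(winbindplugindir)/winbind_idmap_sss.so $(DESTDIR)$(winbindplugindir)/sss.so` / `endif`. The `rm` added to `uninstall-hook` in the next hunk has the same problem and additionally lacks `-f`, so a second `make uninstall` fails; the same guard plus `rm -f` fixes both. `install-data-hook` starts before this hunk, so I cannot see whether an enclosing conditional already applies, but nothing visible here guards the line.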
@@ -3920,6 +3968,7 @@ if BUILD_PYTHON3_BINDINGS
cd $(DESTDIR)$(py3execdir) && \
rm -f pysss.so pyhbac.so pysss_murmur.so pysss_nss_idmap.so
endif
+ rm $(DESTDIR)/$(winbindplugindir)/sss.so
clean-local:
if BUILD_PYTHON2_BINDINGS
diff --git a/configure.ac b/configure.ac
index f91150e01..964ea8058 100644
--- a/configure.ac
+++ b/configure.ac
@@ -126,6 +126,7 @@ WITH_KRB5_CONF
WITH_PYTHON2_BINDINGS
WITH_PYTHON3_BINDINGS
WITH_CIFS_PLUGIN_PATH
+WITH_WINBIND_PLUGIN_PATH
WITH_SELINUX
WITH_NSCD
WITH_IPA_GETKEYTAB
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 0f2bcdf61..68dc0afd9 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -583,6 +583,15 @@ License: GPLv3+ and LGPLv3+
%description libwbclient-devel
Development libraries for the SSSD libwbclient implementation.
+%package winbind-idmap
+Summary: SSSSD's idmap_sss Backend for Winbind
+Group: Applications/System
+License: GPLv3+ and LGPLv3+
+
+%description winbind-idmap
+The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs
+and SIDs.
+
%prep
%setup -q -n %{name}-%{version}
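Review bot: The Summary of the new `winbind-idmap` subpackage reads `SSSSD's idmap_sss Backend for Winbind`, one `S` too many, and the `refpurpose` of the new `idmap_sss.8.xml` carries the same typo. Change both to `SSSD's idmap_sss Backend for Winbind`.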
@@ -1037,6 +1046,11 @@ done
%{_libdir}/%{name}/modules/libwbclient.so
%{_libdir}/pkgconfig/wbclient_sssd.pc
+%files winbind-idmap
+%dir %{_libdir}/samba/idmap
+%{_libdir}/samba/idmap/sss.so
+%{_mandir}/man8/idmap_sss.8*
+
%pre common
getent group sssd >/dev/null || groupadd -r sssd
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
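Review bot: `%files winbind-idmap` claims `%dir %{_libdir}/samba/idmap`, a directory that is likely already owned by the Samba package shipping winbind on the target distribution; co-owning it is only harmless if both packages agree on its mode, and since the module is useless without winbind a `Requires: <winbind package for the target distro>` on the subpackage would make that relationship explicit instead. Libtool also installs `winbind_idmap_sss.la` next to the module; unless the `%install` section (outside this hunk) already removes `.la` files, rpmbuild will stop with an unpackaged-file error, so that is worth confirming against the conventions the other `%files` sections use.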
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index c8774b5f5..eed6508b1 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -288,6 +288,20 @@ AC_DEFUN([WITH_CIFS_PLUGIN_PATH],
AC_SUBST(cifspluginpath)
])
+AC_DEFUN([WITH_WINBIND_PLUGIN_PATH],
+ [ AC_ARG_WITH([winbind-plugin-path],
+ [AC_HELP_STRING([--with-winbind-plugin-path=PATH],
+ [Path to winbind idmap plugin store [/usr/lib/samba/idmap]]
+ )
+ ]
+ )
+ winbindpluginpath="${libdir}/samba/idmap"
+ if test x"$with_winbind_plugin_path" != x; then
+ winbindpluginpath=$with_winbind_plugin_path
+ fi
+ AC_SUBST(winbindpluginpath)
+ ])
+
AC_DEFUN([WITH_KRB5_RCACHE_DIR],
[ AC_ARG_WITH([krb5-rcache-dir],
[AC_HELP_STRING([--with-krb5-rcache-dir=PATH],
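Review bot: The help text for `--with-winbind-plugin-path` advertises `/usr/lib/samba/idmap` as the default, but the macro derives it from `${libdir}`, which on a 64-bit multilib host is `/usr/lib64/samba/idmap`; state the real default, e.g. `[Path to winbind idmap plugin store [LIBDIR/samba/idmap]]`. The `test x"$with_winbind_plugin_path" != x` check also accepts `--without-winbind-plugin-path`, which sets the path to the literal `no`; whichever way the neighbouring `WITH_CIFS_PLUGIN_PATH` macro (mostly outside this hunk) handles that case, this one should match it. The `WITH_KRB5_RCACHE_DIR` definition that begins on the hunk's last lines continues outside it.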
diff --git a/src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c b/src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c
new file mode 100644
index 000000000..94e8719f8
--- /dev/null
+++ b/src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c
@@ -0,0 +1,31 @@
+/*
+ SSSD
+
+ ID-mapping plugin for winbind - helper library for dlopen test
+
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "lib/winbind_idmap_sss/winbind_idmap_sss.h"
+
+NTSTATUS smb_register_idmap(int version, const char *name,
+ struct idmap_methods *methods)
+{
+ return NT_STATUS_OK;
+}
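Review bot: `smb_register_idmap` in this helper is a stub whose purpose is stated nowhere in the file, so a reader will wonder why a registration function returns success without looking at its arguments. A comment above it such as `/* Stand-in for Samba's smb_register_idmap so dlopen-tests can resolve the symbol referenced by winbind_idmap_sss.so without linking against winbindd; it accepts any interface version and registers nothing. */` would make that clear. If `AM_CFLAGS` includes `-Wunused-parameter`, the three unused parameters will also warn; `(void)version; (void)name; (void)methods;` silences that.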
diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.c b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c
new file mode 100644
index 000000000..26f753708
--- /dev/null
+++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c
@@ -0,0 +1,201 @@
+/*
+ SSSD
+
+ ID-mapping plugin for winbind
+
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <string.h>
+#include <errno.h>
+
+#include "lib/winbind_idmap_sss/winbind_idmap_sss.h"
+#include "sss_client/idmap/sss_nss_idmap.h"
+#include "lib/idmap/sss_idmap.h"
+#include "util/util_sss_idmap.h"
+
+struct idmap_sss_ctx {
+ struct sss_idmap_ctx *idmap_ctx;
+};
+
+static NTSTATUS idmap_sss_initialize(struct idmap_domain *dom)
+{
+ struct idmap_sss_ctx *ctx;
+ enum idmap_error_code err;
+
+ if (dom == NULL) {
+ return ERROR_INVALID_PARAMETER;
+ }
+
+ ctx = talloc_zero(dom, struct idmap_sss_ctx);
+ if (ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ err = sss_idmap_init(sss_idmap_talloc, ctx, sss_idmap_talloc_free,
+ &ctx->idmap_ctx);
+ if (err != IDMAP_SUCCESS) {
+ talloc_free(ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ dom->private_data = ctx;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_sss_unixids_to_sids(struct idmap_domain *dom,
+ struct id_map **map)
+{
+ size_t c;
+ int ret;
+ char *sid_str;
+ enum sss_id_type id_type;
+ struct dom_sid *sid;
+ enum idmap_error_code err;
+ struct idmap_sss_ctx *ctx;
+
+ if (dom == NULL) {
+ return ERROR_INVALID_PARAMETER;
+ }
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_sss_ctx);
+ if (ctx == NULL) {
+ return ERROR_INVALID_PARAMETER;
+ }
+
+ for (c = 0; map[c]; c++) {
+ map[c]->status = ID_UNKNOWN;
+ }
+
+ for (c = 0; map[c]; c++) {
+ ret = sss_nss_getsidbyid(map[c]->xid.id, &sid_str, &id_type);
+ if (ret != 0) {
+ if (ret == ENOENT) {
+ map[c]->status = ID_UNMAPPED;
+ }
+ continue;
+ }
+
+ switch (id_type) {
+ case SSS_ID_TYPE_UID:
+ map[c]->xid.type = ID_TYPE_UID;
+ break;
+ case SSS_ID_TYPE_GID:
+ map[c]->xid.type = ID_TYPE_GID;
+ break;
+ case SSS_ID_TYPE_BOTH:
+ map[c]->xid.type = ID_TYPE_BOTH;
+ break;
+ default:
+ free(sid_str);
+ continue;
+ }
+
+ err = sss_idmap_sid_to_smb_sid(ctx->idmap_ctx, sid_str, &sid);
+ free(sid_str);
+ if (err != IDMAP_SUCCESS) {
+ continue;
+ }
+
+ memcpy(map[c]->sid, sid, sizeof(struct dom_sid));
+ sss_idmap_free_smb_sid(ctx->idmap_ctx, sid);
+
+ map[c]->status = ID_MAPPED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS idmap_sss_sids_to_unixids(struct idmap_domain *dom,
+ struct id_map **map)
+{
+ size_t c;
+ int ret;
+ char *sid_str;
+ enum sss_id_type id_type;
+ enum idmap_error_code err;
+ struct idmap_sss_ctx *ctx;
+ uint32_t id;
+
+ if (dom == NULL) {
+ return ERROR_INVALID_PARAMETER;
+ }
+
+ ctx = talloc_get_type(dom->private_data, struct idmap_sss_ctx);
+ if (ctx == NULL) {
+ return ERROR_INVALID_PARAMETER;
+ }
+
+ for (c = 0; map[c]; c++) {
+ map[c]->status = ID_UNKNOWN;
+ }
+
+ for (c = 0; map[c]; c++) {
+ err = sss_idmap_smb_sid_to_sid(ctx->idmap_ctx, map[c]->sid, &sid_str);
+ if (err != IDMAP_SUCCESS) {
+ continue;
+ }
+
+ ret = sss_nss_getidbysid(sid_str, &id, &id_type);
+ sss_idmap_free_sid(ctx->idmap_ctx, sid_str);
+ if (ret != 0) {
+ if (ret == ENOENT) {
+ map[c]->status = ID_UNMAPPED;
+ }
+ continue;
+ }
+
+ switch (id_type) {
+ case SSS_ID_TYPE_UID:
+ map[c]->xid.type = ID_TYPE_UID;
+ break;
+ case SSS_ID_TYPE_GID:
+ map[c]->xid.type = ID_TYPE_GID;
+ break;
+ case SSS_ID_TYPE_BOTH:
+ map[c]->xid.type = ID_TYPE_BOTH;
+ break;
+ default:
+ continue;
+ }
+
+ map[c]->xid.id = id;
+
+ map[c]->status = ID_MAPPED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static struct idmap_methods sss_methods = {
+ .init = idmap_sss_initialize,
+ .unixids_to_sids = idmap_sss_unixids_to_sids,
+ .sids_to_unixids = idmap_sss_sids_to_unixids,
+};
+
+NTSTATUS idmap_sss_init(void)
+{
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "sss", &sss_methods);
+}
+
+NTSTATUS samba_init_module(void)
+{
+ return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "sss", &sss_methods);
+}
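Review bot: The `dom == NULL` and `ctx == NULL` guards in `idmap_sss_initialize`, `idmap_sss_unixids_to_sids` and `idmap_sss_sids_to_unixids` return `ERROR_INVALID_PARAMETER` from functions whose return type is `NTSTATUS`; if that macro resolves to the Win32 error value rather than an NTSTATUS code (its definition is not visible from here), the caller receives a value that is neither `NT_STATUS_OK` nor an error-class status, so the failure would not be reported properly — `return NT_STATUS_INVALID_PARAMETER;` is the code in the right namespace. The plugin never consults `dom->low_id`/`dom->high_id`, so the `range` documented in the new man page is only enforced if winbind filters results itself; if it does not, an ID outside the configured range is still reported as `ID_MAPPED`, and a comment stating which side owns that check would help whoever reads this next. `memcpy(map[c]->sid, sid, sizeof(struct dom_sid))` also relies on the caller having allocated `map[c]->sid`; either a comment on that `id_map` contract or a NULL check that leaves the entry `ID_UNKNOWN` should record the assumption. None of the functions has a doc comment; each should at least say that every entry is first reset to `ID_UNKNOWN`, that `ENOENT` from the SSSD lookup yields `ID_UNMAPPED`, and that any other lookup or conversion failure leaves the entry at `ID_UNKNOWN`.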
diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.h b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h
new file mode 100644
index 000000000..0f27c8561
--- /dev/null
+++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h
@@ -0,0 +1,98 @@
+/*
+ SSSD
+
+ ID-mapping plugin for winbind
+
+ Authors:
+ Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _WINBIND_SSS_IDMAP_H_
+#define _WINBIND_SSS_IDMAP_H_
+
+#include <stdint.h>
+#include <stdbool.h>
+
+#include <core/ntstatus.h>
+#include <ndr.h>
+#include <gen_ndr/security.h>
+
+/* The following definitions are taken from the Samba header files
+ * - winbindd/idmap_proto.h
+ * - idmap.d
+ * - gen_ndr/idmap.h
+ * and can be removed if the related Samba header files become public headers
+ * or if this plugin is build inside the Samba source tree. */
+
+enum id_type {
+ ID_TYPE_NOT_SPECIFIED,
+ ID_TYPE_UID,
+ ID_TYPE_GID,
+ ID_TYPE_BOTH
+};
+
+struct unixid {
+ uint32_t id;
+ enum id_type type;
+};
+
+enum id_mapping {
+ ID_UNKNOWN,
+ ID_MAPPED,
+ ID_UNMAPPED,
+ ID_EXPIRED
+};
+
+struct id_map {
+ struct dom_sid *sid;
+ struct unixid xid;
+ enum id_mapping status;
+};
+
+#define SMB_IDMAP_INTERFACE_VERSION 5
+
+struct idmap_domain {
+ const char *name;
+ struct idmap_methods *methods;
+ uint32_t low_id;
+ uint32_t high_id;
+ bool read_only;
+ void *private_data;
+};
+
+/* Filled out by IDMAP backends */
+struct idmap_methods {
+
+ /* Called when backend is first loaded */
+ NTSTATUS (*init)(struct idmap_domain *dom);
+
+ /* Map an array of uids/gids to SIDs. The caller specifies
+ the uid/gid and type. Gets back the SID. */
+ NTSTATUS (*unixids_to_sids)(struct idmap_domain *dom, struct id_map **ids);
+
+ /* Map an arry of SIDs to uids/gids. The caller sets the SID
+ and type and gets back a uid or gid. */
+ NTSTATUS (*sids_to_unixids)(struct idmap_domain *dom, struct id_map **ids);
+
+ /* Allocate a Unix-ID. */
+ NTSTATUS (*allocate_id)(struct idmap_domain *dom, struct unixid *id);
+};
+
+NTSTATUS smb_register_idmap(int version, const char *name,
+ struct idmap_methods *methods);
+#endif /* _WINBIND_SSS_IDMAP_H_ */
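Review bot: The struct definitions copied from Samba (`id_map`, `idmap_domain`, `idmap_methods`) are an ABI contract with whichever winbindd loads the module, yet nothing records which Samba version or commit they were taken from; the comment introducing the block should say so, e.g. `/* Copied from Samba <version or commit — fill in>; keep in sync with ... */`, because a field added to `struct idmap_domain` or a reordered callback in `idmap_methods` on the Samba side would corrupt memory silently, with the `SMB_IDMAP_INTERFACE_VERSION 5` passed to `smb_register_idmap` being the only thing that could reject a mismatch. The same comment block has small wording errors worth fixing while there: `arry` → `array`, `is build inside` → `is built inside`, and `idmap.d` is presumably meant to be `idmap.idl`.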
diff --git a/src/man/Makefile.am b/src/man/Makefile.am
index 565fab1be..433d1cddc 100644
--- a/src/man/Makefile.am
+++ b/src/man/Makefile.am
@@ -51,7 +51,7 @@ man_MANS = \
sssd-krb5.5 sssd-simple.5 \
sssd_krb5_locator_plugin.8 sss_groupshow.8 \
pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 sss_seed.8 \
- sss_override.8
+ sss_override.8 idmap_sss.8 \
$(NULL)
if BUILD_SAMBA
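Review bot: `idmap_sss.8` is added to the unconditional `man_MANS` list, while the module it documents is only built and installed under `BUILD_SAMBA` (and the spec packages the man page with that subpackage), so a build without Samba support installs a manual page for a module that does not exist. Moving it into the `if BUILD_SAMBA` block that starts on this hunk's last line (its body is outside the hunk), e.g. `man_MANS += idmap_sss.8`, keeps the two in step; when removing it from the `sss_override.8` line, that line must keep its trailing backslash before `$(NULL)`.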
diff --git a/src/man/idmap_sss.8.xml b/src/man/idmap_sss.8.xml
new file mode 100644
index 000000000..5ba4e212e
--- /dev/null
+++ b/src/man/idmap_sss.8.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>idmap_sss</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>idmap_sss</refname>
+ <refpurpose>SSSSD's idmap_sss Backend for Winbind</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ The idmap_sss module provides a way to call SSSD to map UIDs/GIDs
+ and SIDs. No database is required in this case as the mapping is
+ done by SSSD.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>IDMAP OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>range = low - high</term>
+ <listitem><para>
+ Defines the available matching uid and gid range for which the
+ backend is authoritative.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLES</title>
+ <para>
+ This example shows how to configure idmap_sss as the default mapping
+ module.
+ </para>
+
+ <programlisting format="linespecific">
+ [global]
+ security = domain
+ workgroup = MAIN
+
+ idmap config * : backend = sss
+ idmap config * : range = 200000-2147483647
+
+ </programlisting>
+ </refsect1>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
+
+</refentry>
+</reference>
diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c
index e808f23e7..332b268e2 100644
--- a/src/tests/dlopen-tests.c
+++ b/src/tests/dlopen-tests.c
@@ -70,6 +70,9 @@ struct so {
#ifdef HAVE_CIFS_IDMAP_PLUGIN
{ "cifs_idmap_sss.so", { LIBPFX"cifs_idmap_sss.so", NULL } },
#endif
+ { "winbind_idmap_sss.so", { LIBPFX"libdlopen_test_winbind_idmap.so",
+ LIBPFX"winbind_idmap_sss.so",
+ NULL } },
{ "memberof.so", { LIBPFX"memberof.so", NULL } },
{ "libsss_child.so", { LIBPFX"libsss_util.so",
LIBPFX"libsss_child.so", NULL } },
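Review bot: The new `winbind_idmap_sss.so` entry is unconditional, but both `libdlopen_test_winbind_idmap.la` and `winbind_idmap_sss.la` are built only inside `if BUILD_SAMBA` in `Makefile.am`, so a build without Samba support fails this test on a missing library. Guard the entry the way the `cifs_idmap_sss.so` entry above it is guarded with `HAVE_CIFS_IDMAP_PLUGIN`, using whatever preprocessor macro configure defines alongside the `BUILD_SAMBA` conditional; I cannot see from the diff whether such a macro exists, and if it does not, one should be defined next to that conditional. The `struct so` array this entry belongs to starts before the hunk.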