/*
 * Load the "idmap uid" and "idmap gid" ranges from the configuration
 * into idmap_tdb_state.
 *
 * Returns NT_STATUS_OK when both ranges are configured and each upper
 * bound is strictly greater than its lower bound.  Otherwise the
 * problem is logged at debug level 1 and NT_STATUS_UNSUCCESSFUL is
 * returned.  Note that the state fields are written before the bounds
 * are validated, so a failed range check leaves the rejected values
 * in idmap_tdb_state.
 */
static NTSTATUS idmap_tdb_load_ranges(void)
{
	uid_t uid_lo = 0, uid_hi = 0;
	gid_t gid_lo = 0, gid_hi = 0;

	/* both ranges are mandatory for this backend */
	if (!lp_idmap_uid(&uid_lo, &uid_hi)) {
		DEBUG(1, ("idmap uid missing\n"));
		return NT_STATUS_UNSUCCESSFUL;
	}
	if (!lp_idmap_gid(&gid_lo, &gid_hi)) {
		DEBUG(1, ("idmap gid missing\n"));
		return NT_STATUS_UNSUCCESSFUL;
	}

	/* publish the raw values, then sanity-check what was stored */
	idmap_tdb_state.low_uid  = uid_lo;
	idmap_tdb_state.high_uid = uid_hi;
	idmap_tdb_state.low_gid  = gid_lo;
	idmap_tdb_state.high_gid = gid_hi;

	/* an empty or inverted range can never hand out an id */
	if (idmap_tdb_state.high_uid <= idmap_tdb_state.low_uid) {
		DEBUG(1, ("idmap uid range missing or invalid\n"));
		return NT_STATUS_UNSUCCESSFUL;
	}
	if (idmap_tdb_state.high_gid <= idmap_tdb_state.low_gid) {
		DEBUG(1, ("idmap gid range missing or invalid\n"));
		return NT_STATUS_UNSUCCESSFUL;
	}

	return NT_STATUS_OK;
}
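/*
 * Rescan winbindd_idmap.tdb for the highest allocated uid and gid and
 * write them back as the "USER HWM" / "GROUP HWM" high water marks.
 *
 * The configured range lows seed hwms.user_hwm / hwms.group_hwm and the
 * range highs are kept in `highest` as the limit the found values must
 * stay strictly below.
 *
 * Returns NT_STATUS_OK on success; NT_STATUS_UNSUCCESSFUL when a range
 * is not configured, the traverse reports a problem (hwms.ok cleared),
 * a found id is at or above its range top, or the store fails;
 * NT_STATUS_NO_MEMORY if the path cannot be duplicated; and
 * NT_STATUS_NO_SUCH_FILE if the tdb cannot be opened.
 *
 * Fix: the SMB_STRDUP'ed path was never released on any exit path, and
 * the open-failure path bypassed the common cleanup.  Every exit now
 * goes through done:, which closes the tdb (if open) and frees the path.
 */
static NTSTATUS net_idmap_fixup_hwm(void)
{
	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
	TDB_CONTEXT *idmap_tdb = NULL;
	char *tdbfile = NULL;
	struct hwms hwms;	/* highest ids seen in the tdb (seeded with range lows) */
	struct hwms highest;	/* configured upper bounds of the ranges */

	if (!lp_idmap_uid(&hwms.user_hwm, &highest.user_hwm) ||
	    !lp_idmap_gid(&hwms.group_hwm, &highest.group_hwm)) {
		d_fprintf(stderr, "idmap range missing\n");
		return NT_STATUS_UNSUCCESSFUL;
	}

	tdbfile = SMB_STRDUP(lock_path("winbindd_idmap.tdb"));
	if (!tdbfile) {
		DEBUG(0, ("idmap_init: out of memory!\n"));
		return NT_STATUS_NO_MEMORY;
	}

	idmap_tdb = tdb_open_log(tdbfile, 0, TDB_DEFAULT, O_RDWR, 0);
	if (idmap_tdb == NULL) {
		d_fprintf(stderr, "Could not open idmap: %s\n", tdbfile);
		result = NT_STATUS_NO_SUCH_FILE;
		goto done;
	}

	hwms.ok = True;

	/* net_idmap_find_max_id is expected to raise the hwm fields and to
	 * clear hwms.ok when it hits a record it cannot interpret — confirm
	 * against the callback; it is not visible here. */
	tdb_traverse(idmap_tdb, net_idmap_find_max_id, &hwms);

	if (!hwms.ok) {
		goto done;	/* result stays NT_STATUS_UNSUCCESSFUL */
	}

	/* casts keep the existing %d format valid whatever the id type is */
	d_printf("USER HWM: %d  GROUP HWM: %d\n",
		 (int)hwms.user_hwm, (int)hwms.group_hwm);

	/* a hwm at or above the range top leaves no room to allocate from */
	if (hwms.user_hwm >= highest.user_hwm) {
		d_fprintf(stderr, "Highest UID out of uid range\n");
		goto done;
	}

	if (hwms.group_hwm >= highest.group_hwm) {
		d_fprintf(stderr, "Highest GID out of gid range\n");
		goto done;
	}

	if ((tdb_store_int32(idmap_tdb, "USER HWM", (int32)hwms.user_hwm) != 0) ||
	    (tdb_store_int32(idmap_tdb, "GROUP HWM", (int32)hwms.group_hwm) != 0)) {
		d_fprintf(stderr, "Could not store HWMs\n");
		goto done;
	}

	result = NT_STATUS_OK;

done:
	if (idmap_tdb != NULL) {
		tdb_close(idmap_tdb);
	}
	free(tdbfile);	/* SMB_STRDUP returns malloc'ed memory */
	return result;
}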
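/*
 * Store a freshly created value under `key` and drop our reference to it.
 *
 * PyDict_SetItemString() does not steal the value reference, so the
 * object created by the caller must be DECREF'ed after the insert or it
 * leaks.  A NULL value (creation failed, exception already set) is
 * reported as failure without touching the dict.
 *
 * Returns 0 on success, -1 on failure with a Python exception set.
 */
static int py_dict_set_new(PyObject *dict, const char *key, PyObject *value)
{
	int rc;

	if (value == NULL) {
		return -1;
	}
	rc = PyDict_SetItemString(dict, key, value);
	Py_DECREF(value);
	return rc;
}

/*
 * Build a dict describing the winbind configuration: "workgroup",
 * "separator", "template_homedir", "template_shell", plus "uid_low" /
 * "uid_high" and "gid_low" / "gid_high" for whichever idmap ranges are
 * configured.
 *
 * Returns a new reference, or NULL with a Python exception set.
 *
 * Fix: every value object created here leaked (the dict insert does not
 * steal the reference), and allocation failures were not checked, which
 * would have passed NULL into PyDict_SetItemString().
 */
static PyObject *py_config_dict(void)
{
	PyObject *result;
	uid_t ulow, uhi;
	gid_t glow, ghi;

	result = PyDict_New();
	if (result == NULL) {
		return NULL;
	}

	/* Various string parameters */

	if (py_dict_set_new(result, "workgroup",
			    PyString_FromString(lp_workgroup())) < 0 ||
	    py_dict_set_new(result, "separator",
			    PyString_FromString(lp_winbind_separator())) < 0 ||
	    py_dict_set_new(result, "template_homedir",
			    PyString_FromString(lp_template_homedir())) < 0 ||
	    py_dict_set_new(result, "template_shell",
			    PyString_FromString(lp_template_shell())) < 0) {
		goto fail;
	}

	/* idmap uid/gid range: only reported when configured */

	if (lp_idmap_uid(&ulow, &uhi)) {
		if (py_dict_set_new(result, "uid_low", PyInt_FromLong(ulow)) < 0 ||
		    py_dict_set_new(result, "uid_high", PyInt_FromLong(uhi)) < 0) {
			goto fail;
		}
	}

	if (lp_idmap_gid(&glow, &ghi)) {
		if (py_dict_set_new(result, "gid_low", PyInt_FromLong(glow)) < 0 ||
		    py_dict_set_new(result, "gid_high", PyInt_FromLong(ghi)) < 0) {
			goto fail;
		}
	}

	return result;

fail:
	Py_DECREF(result);
	return NULL;
}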
/*******************************************************************
 gets a domain user's groups

 Collects the RIDs of the local alias groups (SID_NAME_ALIAS entries of
 the group mapping) that the user q_sid belongs to, restricted to the
 domain `sid`.  Unix groups in the winbind gid range and groups whose
 name is also a user name are skipped.  The user's primary group is
 checked separately after the membership scan.

 ctx:       talloc context — not used by this function.
 sid:       domain SID; only aliases whose SID lives in this domain are
            returned.
 numgroups: out, number of RIDs returned.
 prids:     out, array of RIDs allocated with Realloc() (NULL when no
            group qualifies); presumably the caller releases it with
            free()/SAFE_FREE — confirm with callers.
 q_sid:     SID of the user being queried.

 Returns NT_STATUS_NO_SUCH_USER when q_sid is not in the passdb,
 NT_STATUS_UNSUCCESSFUL when the primary gid or the Unix group list
 cannot be resolved, NT_STATUS_NO_MEMORY on allocation failure,
 otherwise NT_STATUS_OK.
 ********************************************************************/
NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, uint32 **prids, DOM_SID *q_sid)
{
	SAM_ACCOUNT *sam_pass=NULL;
	int i, cur_rid=0;		/* cur_rid: number of RIDs collected so far */
	gid_t gid;			/* the user's primary Unix gid */
	gid_t *groups = NULL;		/* Unix group list from getgroups_user() */
	int num_groups;
	GROUP_MAP map;
	DOM_SID tmp_sid;
	fstring user_name;
	fstring str_domsid, str_qsid;
	uint32 rid,grid;		/* grid: the user's primary group RID */
	uint32 *rids=NULL, *new_rids=NULL;
	gid_t winbind_gid_low, winbind_gid_high;
	BOOL ret;
	BOOL winbind_groups_exist;	/* an "idmap gid" range is configured */

	/*
	 * this code is far from perfect.
	 * first it enumerates the full /etc/group and that can be slow.
	 * second, it works only with users' SIDs
	 * whereas the day we support nested groups, it will have to
	 * support both users's SIDs and domain groups' SIDs
	 *
	 * having our own ldap backend would be so much faster !
	 * we're far from that, but hope one day ;-) JFM.
	 */

	*prids=NULL;
	*numgroups=0;

	/* gids inside this range belong to winbind, not to local groups */
	winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high);


	DEBUG(10,("get_alias_user_groups: looking if SID %s is a member of groups in the SID domain %s\n", 
	          sid_to_string(str_qsid, q_sid), sid_to_string(str_domsid, sid)));

	pdb_init_sam(&sam_pass);
	become_root();
	ret = pdb_getsampwsid(sam_pass, q_sid);
	unbecome_root();
	if (ret == False) {
		pdb_free_sam(&sam_pass);
		return NT_STATUS_NO_SUCH_USER;
	}

	fstrcpy(user_name, pdb_get_username(sam_pass));
	grid=pdb_get_group_rid(sam_pass);
	if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sam_pass), &gid))) {
		/* this should never happen */
		DEBUG(2,("get_alias_user_groups: sid_to_gid failed!\n"));
		pdb_free_sam(&sam_pass);
		return NT_STATUS_UNSUCCESSFUL;
	}

	become_root();
	/* on some systems this must run as root */
	num_groups = getgroups_user(user_name, &groups);	
	unbecome_root();
	if (num_groups == -1) {
		/* this should never happen */
		DEBUG(2,("get_alias_user_groups: getgroups_user failed\n"));
		pdb_free_sam(&sam_pass);
		return NT_STATUS_UNSUCCESSFUL;
	}

	/* scan the Unix group list for local aliases of the requested domain */
	for (i=0;i<num_groups;i++) {

		if (!get_group_from_gid(groups[i], &map)) {
			DEBUG(10,("get_alias_user_groups: gid %d. not found\n", (int)groups[i]));
			continue;
		}
		
		/* if it's not an alias, continue */
		if (map.sid_name_use != SID_NAME_ALIAS) {
			DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
			continue;
		}

		sid_copy(&tmp_sid, &map.sid);
		sid_split_rid(&tmp_sid, &rid);
		
		/* if the sid is not in the correct domain, continue */
		if (!sid_equal(&tmp_sid, sid)) {
			DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name));
			continue;
		}

		/* Don't return winbind groups as they are not local! */
		if (winbind_groups_exist && (groups[i] >= winbind_gid_low) && (groups[i] <= winbind_gid_high)) {
			DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name));
			continue;
		}

		/* Don't return user private groups... */
		if (Get_Pwnam(map.nt_name) != 0) {
			DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name));
			continue;			
		}
		
		/* grow the result array by one slot */
		new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1));
		if (new_rids==NULL) {
			/* NOTE(review): rids is not released here; whether Realloc()
			 * frees its argument on failure is not visible in this file —
			 * confirm before adding a free(). */
			DEBUG(10,("get_alias_user_groups: could not realloc memory\n"));
			pdb_free_sam(&sam_pass);
			free(groups);
			return NT_STATUS_NO_MEMORY;
		}
		rids=new_rids;
		
		sid_peek_rid(&map.sid, &(rids[cur_rid]));
		cur_rid++;
		/* NOTE(review): this break ends the scan after the first qualifying
		 * alias, so at most one RID comes from the group list — confirm
		 * that is intended. */
		break;
	}

	if(num_groups) 
		free(groups);

	/* now check for the user's gid (the primary group rid) */
	for (i=0; i<cur_rid && grid!=rids[i]; i++)
		;

	/* the user's gid is already there */
	if (i!=cur_rid) {
		DEBUG(10,("get_alias_user_groups: user is already in the list. good.\n"));
		goto done;
	}

	DEBUG(10,("get_alias_user_groups: looking for gid %d of user %s\n", (int)gid, user_name));

	if(!get_group_from_gid(gid, &map)) {
		DEBUG(0,("get_alias_user_groups: gid of user %s doesn't exist. Check your "
		"/etc/passwd and /etc/group files\n", user_name));
		goto done;
	}	

	/* the primary group isn't an alias */
	if (map.sid_name_use!=SID_NAME_ALIAS) {
		DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
		goto done;
	}

	sid_copy(&tmp_sid, &map.sid);
	sid_split_rid(&tmp_sid, &rid);

	/* if the sid is not in the correct domain, continue */
	if (!sid_equal(&tmp_sid, sid)) {
		DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name));
		goto done;
	}

	/* Don't return winbind groups as they are not local! */
	if (winbind_groups_exist && (gid >= winbind_gid_low) && (gid <= winbind_gid_high)) {
		DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name ));
		goto done;
	}

	/* Don't return user private groups... */
	if (Get_Pwnam(map.nt_name) != 0) {
		DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name ));
		goto done;			
	}

	/* append the primary group's RID (groups was already freed above) */
	new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1));
	if (new_rids==NULL) {
		/* NOTE(review): same as in the loop — rids is not released here
		 * and *prids stays NULL, so the collected RIDs are lost on this
		 * path; confirm Realloc()'s failure contract before changing it. */
		DEBUG(10,("get_alias_user_groups: could not realloc memory\n"));
		pdb_free_sam(&sam_pass);
		return NT_STATUS_NO_MEMORY;
	}
	rids=new_rids;

 	sid_peek_rid(&map.sid, &(rids[cur_rid]));
	cur_rid++;

done:
	/* hand the array to the caller; every goto done above reaches this */
 	*prids=rids;
	*numgroups=cur_rid;
	pdb_free_sam(&sam_pass);

	return NT_STATUS_OK;
}
/*
  load the idmap allocation ranges and high/low water marks

  Records the optional "idmap:script" parameter, copies the "idmap uid"
  and "idmap gid" ranges into idmap_tdb2_state, rejects an empty or
  inverted range, and makes sure each stored high water mark is at least
  the bottom of its range (a missing hwm reads back as -1 and is reset
  the same way).

  Returns NT_STATUS_OK, NT_STATUS_UNSUCCESSFUL for a missing or invalid
  range, or NT_STATUS_INTERNAL_DB_ERROR when a hwm cannot be written.
*/
static NTSTATUS idmap_tdb2_alloc_load(void)
{
	uid_t uid_lo = 0, uid_hi = 0;
	gid_t gid_lo = 0, gid_hi = 0;
	uint32 hwm;

	/* see if a idmap script is configured */
	idmap_tdb2_state.idmap_script = lp_parm_const_string(-1, "idmap",
							     "script", NULL);
	if (idmap_tdb2_state.idmap_script != NULL) {
		DEBUG(1, ("using idmap script '%s'\n",
			  idmap_tdb2_state.idmap_script));
	}

	/* load ranges: both are mandatory */
	if (!lp_idmap_uid(&uid_lo, &uid_hi) ||
	    !lp_idmap_gid(&gid_lo, &gid_hi)) {
		DEBUG(1, ("idmap uid or idmap gid missing\n"));
		return NT_STATUS_UNSUCCESSFUL;
	}

	idmap_tdb2_state.low_uid  = uid_lo;
	idmap_tdb2_state.high_uid = uid_hi;
	idmap_tdb2_state.low_gid  = gid_lo;
	idmap_tdb2_state.high_gid = gid_hi;

	/* user side: validate the range, then seed its high water mark */
	if (idmap_tdb2_state.high_uid <= idmap_tdb2_state.low_uid) {
		DEBUG(1, ("idmap uid range missing or invalid\n"));
		DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
		return NT_STATUS_UNSUCCESSFUL;
	}

	/* hwm is unsigned, so the -1 "not found" result compares as (uint32)-1;
	 * either way a missing or too-low hwm is reset to the range start */
	hwm = dbwrap_fetch_int32(idmap_tdb2, HWM_USER);
	if (hwm == -1 || hwm < idmap_tdb2_state.low_uid) {
		NTSTATUS st = dbwrap_trans_store_int32(idmap_tdb2, HWM_USER,
						       idmap_tdb2_state.low_uid);
		if (!NT_STATUS_IS_OK(st)) {
			DEBUG(0, ("Unable to initialise user hwm in idmap "
				  "database\n"));
			return NT_STATUS_INTERNAL_DB_ERROR;
		}
	}

	/* group side: same two steps */
	if (idmap_tdb2_state.high_gid <= idmap_tdb2_state.low_gid) {
		DEBUG(1, ("idmap gid range missing or invalid\n"));
		DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
		return NT_STATUS_UNSUCCESSFUL;
	}

	hwm = dbwrap_fetch_int32(idmap_tdb2, HWM_GROUP);
	if (hwm == -1 || hwm < idmap_tdb2_state.low_gid) {
		NTSTATUS st = dbwrap_trans_store_int32(idmap_tdb2, HWM_GROUP,
						       idmap_tdb2_state.low_gid);
		if (!NT_STATUS_IS_OK(st)) {
			DEBUG(0, ("Unable to initialise group hwm in idmap "
				  "database\n"));
			return NT_STATUS_INTERNAL_DB_ERROR;
		}
	}

	return NT_STATUS_OK;
}
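/*
 * Initialise the LDAP-backed id allocator.
 *
 * Fills in the file-scope idmap_alloc_ldap context: the allocation
 * range, the LDAP url and base dn, the smbldap connection state and the
 * bind credentials, and finally verifies the idpool entry.
 *
 * params: optional backend argument; when non-empty it is taken verbatim
 *         as the LDAP url, otherwise "idmap alloc config:ldap_url" is
 *         read.
 *
 * Range precedence: "idmap alloc config:range" ("low - high", shared by
 * uids and gids) is read first and then overridden per type by
 * "idmap uid" / "idmap gid" when those are set.  Each resulting range
 * must satisfy high > low.  A malformed range string is only logged;
 * the validity checks below decide whether init fails.
 *
 * Returns NT_STATUS_FILE_IS_OFFLINE (touching nothing) when winbind is
 * offline, NT_STATUS_OK on success, otherwise the failing step's status;
 * on any failure idmap_alloc_ldap is freed again.  CHECK_ALLOC_DONE is a
 * project macro not visible here; it is used as a NULL check that jumps
 * to done: — confirm in its definition that it also sets ret.
 *
 * Fix: the two "invalid ... range" DEBUG() messages had no trailing
 * newline, unlike every other log line in this function.
 */
static NTSTATUS idmap_ldap_alloc_init(const char *params)
{
	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
	const char *range;
	const char *tmp;
	uid_t low_uid = 0;
	uid_t high_uid = 0;
	gid_t low_gid = 0;
	gid_t high_gid = 0;

	/* Only do init if we are online */
	if (idmap_is_offline())	{
		return NT_STATUS_FILE_IS_OFFLINE;
	}

	idmap_alloc_ldap = TALLOC_ZERO_P(NULL, struct idmap_ldap_alloc_context);
	CHECK_ALLOC_DONE( idmap_alloc_ldap );

	/* load ranges: start from "unset" (already zeroed by TALLOC_ZERO_P,
	 * kept explicit for readability) */

	idmap_alloc_ldap->low_uid = 0;
	idmap_alloc_ldap->high_uid = 0;
	idmap_alloc_ldap->low_gid = 0;
	idmap_alloc_ldap->high_gid = 0;

	range = lp_parm_const_string(-1, "idmap alloc config", "range", NULL);
	if (range && range[0]) {
		unsigned low_id, high_id;

		/* one "low - high" range serves both uids and gids */
		if (sscanf(range, "%u - %u", &low_id, &high_id) == 2) {
			if (low_id < high_id) {
				idmap_alloc_ldap->low_gid = low_id;
				idmap_alloc_ldap->low_uid = low_id;
				idmap_alloc_ldap->high_gid = high_id;
				idmap_alloc_ldap->high_uid = high_id;
			} else {
				DEBUG(1, ("ERROR: invalid idmap alloc range "
					  "[%s]\n", range));
			}
		} else {
			DEBUG(1, ("ERROR: invalid syntax for idmap alloc "
				  "config:range [%s]\n", range));
		}
	}

	/* the per-type settings win over the shared range when present */
	if (lp_idmap_uid(&low_uid, &high_uid)) {
		idmap_alloc_ldap->low_uid = low_uid;
		idmap_alloc_ldap->high_uid = high_uid;
	}

	if (lp_idmap_gid(&low_gid, &high_gid)) {
		idmap_alloc_ldap->low_gid = low_gid;
		idmap_alloc_ldap->high_gid= high_gid;
	}

	/* an empty or inverted range (including the all-zero "unset" state)
	 * is fatal for the allocator */
	if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) {
		DEBUG(1, ("idmap uid range missing or invalid\n"));
		DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
		ret = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) {
		DEBUG(1, ("idmap gid range missing or invalid\n"));
		DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n"));
		ret = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	if (params && *params) {
		/* assume location is the only parameter */
		idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params);
	} else {
		tmp = lp_parm_const_string(-1, "idmap alloc config",
					   "ldap_url", NULL);

		if ( ! tmp) {
			DEBUG(1, ("ERROR: missing idmap ldap url\n"));
			ret = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}

		idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp);
	}
	CHECK_ALLOC_DONE( idmap_alloc_ldap->url );

	/* base dn: explicit "ldap_base_dn", else the global ldap idmap suffix */
	tmp = lp_parm_const_string(-1, "idmap alloc config",
				   "ldap_base_dn", NULL);
	if ( ! tmp || ! *tmp) {
		tmp = lp_ldap_idmap_suffix();
		if ( ! tmp) {
			DEBUG(1, ("ERROR: missing idmap ldap suffix\n"));
			ret = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}
	}

	idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp);
	CHECK_ALLOC_DONE( idmap_alloc_ldap->suffix );

	/* the connection state is owned by the idmap_alloc_ldap context */
	ret = smbldap_init(idmap_alloc_ldap, winbind_event_context(),
			   idmap_alloc_ldap->url,
			   &idmap_alloc_ldap->smbldap_state);
	if (!NT_STATUS_IS_OK(ret)) {
		DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n",
			  idmap_alloc_ldap->url));
		goto done;
	}

	ret = get_credentials( idmap_alloc_ldap,
			       idmap_alloc_ldap->smbldap_state,
			       "idmap alloc config", NULL,
			       &idmap_alloc_ldap->user_dn );
	if ( !NT_STATUS_IS_OK(ret) ) {
		DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection "
			 "credentials (%s)\n", nt_errstr(ret)));
		goto done;
	}

	/* see if the idmap suffix and sub entries exists */

	ret = verify_idpool();

 done:
	/* a failed init must not leave a half-built context behind */
	if ( !NT_STATUS_IS_OK( ret ) ) {
		TALLOC_FREE( idmap_alloc_ldap );
	}

	return ret;
}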