static NTSTATUS idmap_tdb_load_ranges(void) { uid_t low_uid = 0; uid_t high_uid = 0; gid_t low_gid = 0; gid_t high_gid = 0; if (!lp_idmap_uid(&low_uid, &high_uid)) { DEBUG(1, ("idmap uid missing\n")); return NT_STATUS_UNSUCCESSFUL; } if (!lp_idmap_gid(&low_gid, &high_gid)) { DEBUG(1, ("idmap gid missing\n")); return NT_STATUS_UNSUCCESSFUL; } idmap_tdb_state.low_uid = low_uid; idmap_tdb_state.high_uid = high_uid; idmap_tdb_state.low_gid = low_gid; idmap_tdb_state.high_gid = high_gid; if (idmap_tdb_state.high_uid <= idmap_tdb_state.low_uid) { DEBUG(1, ("idmap uid range missing or invalid\n")); return NT_STATUS_UNSUCCESSFUL; } if (idmap_tdb_state.high_gid <= idmap_tdb_state.low_gid) { DEBUG(1, ("idmap gid range missing or invalid\n")); return NT_STATUS_UNSUCCESSFUL; } return NT_STATUS_OK; }
static NTSTATUS net_idmap_fixup_hwm(void) { NTSTATUS result = NT_STATUS_UNSUCCESSFUL; TDB_CONTEXT *idmap_tdb; char *tdbfile = NULL; struct hwms hwms; struct hwms highest; if (!lp_idmap_uid(&hwms.user_hwm, &highest.user_hwm) || !lp_idmap_gid(&hwms.group_hwm, &highest.group_hwm)) { d_fprintf(stderr, "idmap range missing\n"); return NT_STATUS_UNSUCCESSFUL; } tdbfile = SMB_STRDUP(lock_path("winbindd_idmap.tdb")); if (!tdbfile) { DEBUG(0, ("idmap_init: out of memory!\n")); return NT_STATUS_NO_MEMORY; } idmap_tdb = tdb_open_log(tdbfile, 0, TDB_DEFAULT, O_RDWR, 0); if (idmap_tdb == NULL) { d_fprintf(stderr, "Could not open idmap: %s\n", tdbfile); return NT_STATUS_NO_SUCH_FILE; } hwms.ok = True; tdb_traverse(idmap_tdb, net_idmap_find_max_id, &hwms); if (!hwms.ok) { goto done; } d_printf("USER HWM: %d GROUP HWM: %d\n", hwms.user_hwm, hwms.group_hwm); if (hwms.user_hwm >= highest.user_hwm) { d_fprintf(stderr, "Highest UID out of uid range\n"); goto done; } if (hwms.group_hwm >= highest.group_hwm) { d_fprintf(stderr, "Highest GID out of gid range\n"); goto done; } if ((tdb_store_int32(idmap_tdb, "USER HWM", (int32)hwms.user_hwm) != 0) || (tdb_store_int32(idmap_tdb, "GROUP HWM", (int32)hwms.group_hwm) != 0)) { d_fprintf(stderr, "Could not store HWMs\n"); goto done; } result = NT_STATUS_OK; done: tdb_close(idmap_tdb); return result; }
static PyObject *py_config_dict(void) { PyObject *result; uid_t ulow, uhi; gid_t glow, ghi; if (!(result = PyDict_New())) return NULL; /* Various string parameters */ PyDict_SetItemString(result, "workgroup", PyString_FromString(lp_workgroup())); PyDict_SetItemString(result, "separator", PyString_FromString(lp_winbind_separator())); PyDict_SetItemString(result, "template_homedir", PyString_FromString(lp_template_homedir())); PyDict_SetItemString(result, "template_shell", PyString_FromString(lp_template_shell())); /* idmap uid/gid range */ if (lp_idmap_uid(&ulow, &uhi)) { PyDict_SetItemString(result, "uid_low", PyInt_FromLong(ulow)); PyDict_SetItemString(result, "uid_high", PyInt_FromLong(uhi)); } if (lp_idmap_gid(&glow, &ghi)) { PyDict_SetItemString(result, "gid_low", PyInt_FromLong(glow)); PyDict_SetItemString(result, "gid_high", PyInt_FromLong(ghi)); } return result; }
/******************************************************************* gets a domain user's groups ********************************************************************/ NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, uint32 **prids, DOM_SID *q_sid) { SAM_ACCOUNT *sam_pass=NULL; int i, cur_rid=0; gid_t gid; gid_t *groups = NULL; int num_groups; GROUP_MAP map; DOM_SID tmp_sid; fstring user_name; fstring str_domsid, str_qsid; uint32 rid,grid; uint32 *rids=NULL, *new_rids=NULL; gid_t winbind_gid_low, winbind_gid_high; BOOL ret; BOOL winbind_groups_exist; /* * this code is far from perfect. * first it enumerates the full /etc/group and that can be slow. * second, it works only with users' SIDs * whereas the day we support nested groups, it will have to * support both users's SIDs and domain groups' SIDs * * having our own ldap backend would be so much faster ! * we're far from that, but hope one day ;-) JFM. */ *prids=NULL; *numgroups=0; winbind_groups_exist = lp_idmap_gid(&winbind_gid_low, &winbind_gid_high); DEBUG(10,("get_alias_user_groups: looking if SID %s is a member of groups in the SID domain %s\n", sid_to_string(str_qsid, q_sid), sid_to_string(str_domsid, sid))); pdb_init_sam(&sam_pass); become_root(); ret = pdb_getsampwsid(sam_pass, q_sid); unbecome_root(); if (ret == False) { pdb_free_sam(&sam_pass); return NT_STATUS_NO_SUCH_USER; } fstrcpy(user_name, pdb_get_username(sam_pass)); grid=pdb_get_group_rid(sam_pass); if (!NT_STATUS_IS_OK(sid_to_gid(pdb_get_group_sid(sam_pass), &gid))) { /* this should never happen */ DEBUG(2,("get_alias_user_groups: sid_to_gid failed!\n")); pdb_free_sam(&sam_pass); return NT_STATUS_UNSUCCESSFUL; } become_root(); /* on some systems this must run as root */ num_groups = getgroups_user(user_name, &groups); unbecome_root(); if (num_groups == -1) { /* this should never happen */ DEBUG(2,("get_alias_user_groups: getgroups_user failed\n")); pdb_free_sam(&sam_pass); return NT_STATUS_UNSUCCESSFUL; } for (i=0;i<num_groups;i++) { if (!get_group_from_gid(groups[i], &map)) { DEBUG(10,("get_alias_user_groups: gid %d. not found\n", (int)groups[i])); continue; } /* if it's not an alias, continue */ if (map.sid_name_use != SID_NAME_ALIAS) { DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name)); continue; } sid_copy(&tmp_sid, &map.sid); sid_split_rid(&tmp_sid, &rid); /* if the sid is not in the correct domain, continue */ if (!sid_equal(&tmp_sid, sid)) { DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name)); continue; } /* Don't return winbind groups as they are not local! */ if (winbind_groups_exist && (groups[i] >= winbind_gid_low) && (groups[i] <= winbind_gid_high)) { DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name)); continue; } /* Don't return user private groups... */ if (Get_Pwnam(map.nt_name) != 0) { DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name)); continue; } new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1)); if (new_rids==NULL) { DEBUG(10,("get_alias_user_groups: could not realloc memory\n")); pdb_free_sam(&sam_pass); free(groups); return NT_STATUS_NO_MEMORY; } rids=new_rids; sid_peek_rid(&map.sid, &(rids[cur_rid])); cur_rid++; break; } if(num_groups) free(groups); /* now check for the user's gid (the primary group rid) */ for (i=0; i<cur_rid && grid!=rids[i]; i++) ; /* the user's gid is already there */ if (i!=cur_rid) { DEBUG(10,("get_alias_user_groups: user is already in the list. good.\n")); goto done; } DEBUG(10,("get_alias_user_groups: looking for gid %d of user %s\n", (int)gid, user_name)); if(!get_group_from_gid(gid, &map)) { DEBUG(0,("get_alias_user_groups: gid of user %s doesn't exist. Check your " "/etc/passwd and /etc/group files\n", user_name)); goto done; } /* the primary group isn't an alias */ if (map.sid_name_use!=SID_NAME_ALIAS) { DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name)); goto done; } sid_copy(&tmp_sid, &map.sid); sid_split_rid(&tmp_sid, &rid); /* if the sid is not in the correct domain, continue */ if (!sid_equal(&tmp_sid, sid)) { DEBUG(10,("get_alias_user_groups: not returing %s, not in the domain SID.\n", map.nt_name)); goto done; } /* Don't return winbind groups as they are not local! */ if (winbind_groups_exist && (gid >= winbind_gid_low) && (gid <= winbind_gid_high)) { DEBUG(10,("get_alias_user_groups: not returing %s, not local.\n", map.nt_name )); goto done; } /* Don't return user private groups... */ if (Get_Pwnam(map.nt_name) != 0) { DEBUG(10,("get_alias_user_groups: not returing %s, clashes with user.\n", map.nt_name )); goto done; } new_rids=(uint32 *)Realloc(rids, sizeof(uint32)*(cur_rid+1)); if (new_rids==NULL) { DEBUG(10,("get_alias_user_groups: could not realloc memory\n")); pdb_free_sam(&sam_pass); return NT_STATUS_NO_MEMORY; } rids=new_rids; sid_peek_rid(&map.sid, &(rids[cur_rid])); cur_rid++; done: *prids=rids; *numgroups=cur_rid; pdb_free_sam(&sam_pass); return NT_STATUS_OK; }
/* load the idmap allocation ranges and high/low water marks */ static NTSTATUS idmap_tdb2_alloc_load(void) { uid_t low_uid = 0; uid_t high_uid = 0; gid_t low_gid = 0; gid_t high_gid = 0; uint32 low_id; /* see if a idmap script is configured */ idmap_tdb2_state.idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL); if (idmap_tdb2_state.idmap_script) { DEBUG(1, ("using idmap script '%s'\n", idmap_tdb2_state.idmap_script)); } /* load ranges */ /* Create high water marks for group and user id */ if (!lp_idmap_uid(&low_uid, &high_uid) || !lp_idmap_gid(&low_gid, &high_gid)) { DEBUG(1, ("idmap uid or idmap gid missing\n")); return NT_STATUS_UNSUCCESSFUL; } idmap_tdb2_state.low_uid = low_uid; idmap_tdb2_state.high_uid = high_uid; idmap_tdb2_state.low_gid = low_gid; idmap_tdb2_state.high_gid = high_gid; if (idmap_tdb2_state.high_uid <= idmap_tdb2_state.low_uid) { DEBUG(1, ("idmap uid range missing or invalid\n")); DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n")); return NT_STATUS_UNSUCCESSFUL; } if (((low_id = dbwrap_fetch_int32(idmap_tdb2, HWM_USER)) == -1) || (low_id < idmap_tdb2_state.low_uid)) { if (!NT_STATUS_IS_OK(dbwrap_trans_store_int32( idmap_tdb2, HWM_USER, idmap_tdb2_state.low_uid))) { DEBUG(0, ("Unable to initialise user hwm in idmap " "database\n")); return NT_STATUS_INTERNAL_DB_ERROR; } } if (idmap_tdb2_state.high_gid <= idmap_tdb2_state.low_gid) { DEBUG(1, ("idmap gid range missing or invalid\n")); DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n")); return NT_STATUS_UNSUCCESSFUL; } if (((low_id = dbwrap_fetch_int32(idmap_tdb2, HWM_GROUP)) == -1) || (low_id < idmap_tdb2_state.low_gid)) { if (!NT_STATUS_IS_OK(dbwrap_trans_store_int32( idmap_tdb2, HWM_GROUP, idmap_tdb2_state.low_gid))) { DEBUG(0, ("Unable to initialise group hwm in idmap " "database\n")); return NT_STATUS_INTERNAL_DB_ERROR; } } return NT_STATUS_OK; }
static NTSTATUS idmap_ldap_alloc_init(const char *params) { NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; const char *range; const char *tmp; uid_t low_uid = 0; uid_t high_uid = 0; gid_t low_gid = 0; gid_t high_gid = 0; /* Only do init if we are online */ if (idmap_is_offline()) { return NT_STATUS_FILE_IS_OFFLINE; } idmap_alloc_ldap = TALLOC_ZERO_P(NULL, struct idmap_ldap_alloc_context); CHECK_ALLOC_DONE( idmap_alloc_ldap ); /* load ranges */ idmap_alloc_ldap->low_uid = 0; idmap_alloc_ldap->high_uid = 0; idmap_alloc_ldap->low_gid = 0; idmap_alloc_ldap->high_gid = 0; range = lp_parm_const_string(-1, "idmap alloc config", "range", NULL); if (range && range[0]) { unsigned low_id, high_id; if (sscanf(range, "%u - %u", &low_id, &high_id) == 2) { if (low_id < high_id) { idmap_alloc_ldap->low_gid = low_id; idmap_alloc_ldap->low_uid = low_id; idmap_alloc_ldap->high_gid = high_id; idmap_alloc_ldap->high_uid = high_id; } else { DEBUG(1, ("ERROR: invalid idmap alloc range " "[%s]", range)); } } else { DEBUG(1, ("ERROR: invalid syntax for idmap alloc " "config:range [%s]", range)); } } if (lp_idmap_uid(&low_uid, &high_uid)) { idmap_alloc_ldap->low_uid = low_uid; idmap_alloc_ldap->high_uid = high_uid; } if (lp_idmap_gid(&low_gid, &high_gid)) { idmap_alloc_ldap->low_gid = low_gid; idmap_alloc_ldap->high_gid= high_gid; } if (idmap_alloc_ldap->high_uid <= idmap_alloc_ldap->low_uid) { DEBUG(1, ("idmap uid range missing or invalid\n")); DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n")); ret = NT_STATUS_UNSUCCESSFUL; goto done; } if (idmap_alloc_ldap->high_gid <= idmap_alloc_ldap->low_gid) { DEBUG(1, ("idmap gid range missing or invalid\n")); DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n")); ret = NT_STATUS_UNSUCCESSFUL; goto done; } if (params && *params) { /* assume location is the only parameter */ idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, params); } else { tmp = lp_parm_const_string(-1, "idmap alloc config", "ldap_url", NULL); if ( ! tmp) { DEBUG(1, ("ERROR: missing idmap ldap url\n")); ret = NT_STATUS_UNSUCCESSFUL; goto done; } idmap_alloc_ldap->url = talloc_strdup(idmap_alloc_ldap, tmp); } CHECK_ALLOC_DONE( idmap_alloc_ldap->url ); tmp = lp_parm_const_string(-1, "idmap alloc config", "ldap_base_dn", NULL); if ( ! tmp || ! *tmp) { tmp = lp_ldap_idmap_suffix(); if ( ! tmp) { DEBUG(1, ("ERROR: missing idmap ldap suffix\n")); ret = NT_STATUS_UNSUCCESSFUL; goto done; } } idmap_alloc_ldap->suffix = talloc_strdup(idmap_alloc_ldap, tmp); CHECK_ALLOC_DONE( idmap_alloc_ldap->suffix ); ret = smbldap_init(idmap_alloc_ldap, winbind_event_context(), idmap_alloc_ldap->url, &idmap_alloc_ldap->smbldap_state); if (!NT_STATUS_IS_OK(ret)) { DEBUG(1, ("ERROR: smbldap_init (%s) failed!\n", idmap_alloc_ldap->url)); goto done; } ret = get_credentials( idmap_alloc_ldap, idmap_alloc_ldap->smbldap_state, "idmap alloc config", NULL, &idmap_alloc_ldap->user_dn ); if ( !NT_STATUS_IS_OK(ret) ) { DEBUG(1,("idmap_ldap_alloc_init: Failed to get connection " "credentials (%s)\n", nt_errstr(ret))); goto done; } /* see if the idmap suffix and sub entries exists */ ret = verify_idpool(); done: if ( !NT_STATUS_IS_OK( ret ) ) TALLOC_FREE( idmap_alloc_ldap ); return ret; }