static NTSTATUS lwi_get_id_from_sid(struct idmap_domain *dom,
struct id_map **ids)
{
NTSTATUS nt_status = NT_STATUS_NONE_MAPPED;
int i;
for (i = 0; ids[i]; i++) {
struct wbcDomainSid wbc_sid;
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
/* Setup */
memcpy(&wbc_sid, ids[i]->sid, sizeof(wbc_sid));
ids[i]->status = ID_UNMAPPED;
switch (ids[i]->xid.type) {
case ID_TYPE_UID:
wbc_status = wbcSidToUid(&wbc_sid, (uid_t*)&ids[i]->xid.id);
break;
case ID_TYPE_GID:
wbc_status = wbcSidToGid(&wbc_sid, (gid_t*)&ids[i]->xid.id);
break;
default:
return NT_STATUS_INVALID_PARAMETER;
}
if (WBC_ERROR_IS_OK(wbc_status)) {
ids[i]->status = ID_MAPPED;
nt_status = NT_STATUS_OK;
}
}
return nt_status;
}
bool winbind_sid_to_gid(gid_t *pgid, const struct dom_sid *sid)
{
struct wbcDomainSid dom_sid;
wbcErr result;
memcpy(&dom_sid, sid, sizeof(dom_sid));
result = wbcSidToGid(&dom_sid, pgid);
return (result == WBC_ERR_SUCCESS);
}
static bool wbinfo_sid_to_gid(const char *sid_str)
{
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
struct wbcDomainSid sid;
gid_t gid;
/* Send request */
wbc_status = wbcStringToSid(sid_str, &sid);
if (!WBC_ERROR_IS_OK(wbc_status)) {
return false;
}
wbc_status = wbcSidToGid(&sid, &gid);
if (!WBC_ERROR_IS_OK(wbc_status)) {
return false;
}
/* Display response */
d_printf("%d\n", (int)gid);
return true;
}
/**
* @brief Convert a principal (as returned by @c gss_display_name) to a UID
*
* @param[in] name The principal of the user
* @param[out] uid The resulting UID
*
* @return true if successful, false otherwise
*/
bool principal2uid(char *principal, uid_t *uid, gid_t *gid)
#endif
{
#ifdef USE_NFSIDMAP
uid_t gss_uid = ANON_UID;
gid_t gss_gid = ANON_GID;
const gid_t *gss_gidres = NULL;
int rc;
bool success;
struct gsh_buffdesc princbuff = {
.addr = principal,
.len = strlen(principal)
};
#endif
if (nfs_param.nfsv4_param.use_getpwnam)
return false;
#ifdef USE_NFSIDMAP
PTHREAD_RWLOCK_rdlock(&idmapper_user_lock);
success =
idmapper_lookup_by_uname(&princbuff, &gss_uid, &gss_gidres, true);
if (success && gss_gidres)
gss_gid = *gss_gidres;
PTHREAD_RWLOCK_unlock(&idmapper_user_lock);
if (unlikely(!success)) {
if ((princbuff.len >= 4)
&& (!memcmp(princbuff.addr, "nfs/", 4)
|| !memcmp(princbuff.addr, "root/", 5)
|| !memcmp(princbuff.addr, "host/", 5))) {
/* NFSv4 specific features: RPCSEC_GSS will
* provide user like
*
* nfs/<host>
* root/<host>
* host/<host>
* choice is made to map them to root */
/* This is a "root" request made from the
hostbased nfs principal, use root */
*uid = 0;
return true;
}
/* nfs4_gss_princ_to_ids required to extract uid/gid
from gss creds */
rc = nfs4_gss_princ_to_ids("krb5", principal, &gss_uid,
&gss_gid);
if (rc) {
#ifdef _MSPAC_SUPPORT
bool found_uid = false;
bool found_gid = false;
if (gd->flags & SVC_RPC_GSS_FLAG_MSPAC) {
struct wbcAuthUserParams params;
wbcErr wbc_err;
struct wbcAuthUserInfo *info;
struct wbcAuthErrorInfo *error = NULL;
memset(¶ms, 0, sizeof(params));
params.level = WBC_AUTH_USER_LEVEL_PAC;
params.password.pac.data =
(uint8_t *) gd->pac.ms_pac.value;
params.password.pac.length =
gd->pac.ms_pac.length;
wbc_err =
wbcAuthenticateUserEx(¶ms, &info,
&error);
if (!WBC_ERROR_IS_OK(wbc_err)) {
LogCrit(COMPONENT_IDMAPPER,
"wbcAuthenticateUserEx returned %s",
wbcErrorString(wbc_err));
return false;
}
if (error) {
LogCrit(COMPONENT_IDMAPPER,
"nt_status: %s, display_string %s",
error->nt_string,
error->display_string);
wbcFreeMemory(error);
return false;
}
/* 1st SID is account sid, see wbclient.h */
wbc_err =
wbcSidToUid(&info->sids[0].sid, &gss_uid);
if (!WBC_ERROR_IS_OK(wbc_err)) {
LogCrit(COMPONENT_IDMAPPER,
"wbcSidToUid for uid returned %s",
wbcErrorString(wbc_err));
wbcFreeMemory(info);
return false;
}
/* 2nd SID is primary_group sid, see
wbclient.h */
wbc_err =
wbcSidToGid(&info->sids[1].sid, &gss_gid);
if (!WBC_ERROR_IS_OK(wbc_err)) {
LogCrit(COMPONENT_IDMAPPER,
"wbcSidToUid for gid returned %s\n",
wbcErrorString(wbc_err));
wbcFreeMemory(info);
return false;
}
wbcFreeMemory(info);
found_uid = true;
found_gid = true;
}
#endif /* _MSPAC_SUPPORT */
#ifdef _MSPAC_SUPPORT
if ((found_uid == true) && (found_gid == true))
goto principal_found;
#endif
return false;
}
#ifdef _MSPAC_SUPPORT
principal_found:
#endif
PTHREAD_RWLOCK_wrlock(&idmapper_user_lock);
success =
idmapper_add_user(&princbuff, gss_uid, &gss_gid, true);
PTHREAD_RWLOCK_unlock(&idmapper_user_lock);
if (!success) {
LogMajor(COMPONENT_IDMAPPER,
"idmapper_add_user(%s, %d, %d) failed",
principal, gss_uid, gss_gid);
}
}
*uid = gss_uid;
*gid = gss_gid;
return true;
#else /* !USE_NFSIDMAP */
assert(!"prohibited by configuration");
return false;
#endif
}
