2 Unix SMB/CIFS implementation.
4 Copyright (C) Tim Potter 2000
5 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
6 Copyright (C) Simo Sorce 2003-2007
7 Copyright (C) Jeremy Allison 2006
8 Copyright (C) Michael Adam 2010
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
29 #define DBGC_CLASS DBGC_IDMAP
33 static void idmap_init(void)
35 static bool initialized;
41 DEBUG(10, ("idmap_init(): calling static_init_idmap\n"));
49 * Pointer to the backend methods. Modules register themselves here via
53 struct idmap_backend {
55 struct idmap_methods *methods;
56 struct idmap_backend *prev, *next;
58 static struct idmap_backend *backends = NULL;
61 * Default idmap domain configured via "idmap backend".
63 static struct idmap_domain *default_idmap_domain;
66 * Passdb idmap domain, not configurable. winbind must always give passdb a
69 static struct idmap_domain *passdb_idmap_domain;
72 * List of specially configured idmap domains. This list is filled on demand
73 * in the winbind idmap child when the parent winbind figures out via the
74 * special range parameter or via the domain SID that a special "idmap config
75 * domain" configuration is present.
77 static struct idmap_domain **idmap_domains = NULL;
78 static int num_domains = 0;
80 static struct idmap_methods *get_methods(const char *name)
82 struct idmap_backend *b;
84 for (b = backends; b; b = b->next) {
85 if (strequal(b->name, name)) {
93 bool idmap_is_offline(void)
95 return ( lp_winbind_offline_logon() &&
96 get_global_winbindd_state_offline() );
99 bool idmap_is_online(void)
101 return !idmap_is_offline();
104 /**********************************************************************
105 Allow a module to register itself as a method.
106 **********************************************************************/
108 NTSTATUS smb_register_idmap(int version, const char *name,
109 struct idmap_methods *methods)
111 struct idmap_backend *entry;
113 if ((version != SMB_IDMAP_INTERFACE_VERSION)) {
114 DEBUG(0, ("Failed to register idmap module.\n"
115 "The module was compiled against "
116 "SMB_IDMAP_INTERFACE_VERSION %d,\n"
117 "current SMB_IDMAP_INTERFACE_VERSION is %d.\n"
118 "Please recompile against the current version "
120 version, SMB_IDMAP_INTERFACE_VERSION));
121 return NT_STATUS_OBJECT_TYPE_MISMATCH;
124 if (!name || !name[0] || !methods) {
125 DEBUG(0,("Called with NULL pointer or empty name!\n"));
126 return NT_STATUS_INVALID_PARAMETER;
129 for (entry = backends; entry != NULL; entry = entry->next) {
130 if (strequal(entry->name, name)) {
131 DEBUG(0,("Idmap module %s already registered!\n",
133 return NT_STATUS_OBJECT_NAME_COLLISION;
137 entry = talloc(NULL, struct idmap_backend);
139 DEBUG(0,("Out of memory!\n"));
141 return NT_STATUS_NO_MEMORY;
143 entry->name = talloc_strdup(entry, name);
144 if ( ! entry->name) {
145 DEBUG(0,("Out of memory!\n"));
147 return NT_STATUS_NO_MEMORY;
149 entry->methods = methods;
151 DLIST_ADD(backends, entry);
152 DEBUG(5, ("Successfully added idmap backend '%s'\n", name));
156 static bool parse_idmap_module(TALLOC_CTX *mem_ctx, const char *param,
157 char **pmodulename, char **pargs)
162 if (strncmp(param, "idmap_", 6) == 0) {
164 DEBUG(1, ("idmap_init: idmap backend uses deprecated "
165 "'idmap_' prefix. Please replace 'idmap_%s' by "
166 "'%s'\n", param, param));
169 modulename = talloc_strdup(mem_ctx, param);
170 if (modulename == NULL) {
174 args = strchr(modulename, ':');
176 *pmodulename = modulename;
183 args = talloc_strdup(mem_ctx, args+1);
185 TALLOC_FREE(modulename);
189 *pmodulename = modulename;
195 * Initialize a domain structure
196 * @param[in] mem_ctx memory context for the result
197 * @param[in] domainname which domain is this for
198 * @param[in] modulename which backend module
199 * @param[in] params parameter to pass to the init function
200 * @param[in] check_range whether range checking should be done
201 * @result The initialized structure
203 static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx,
204 const char *domainname,
205 const char *modulename,
209 struct idmap_domain *result;
212 result = talloc_zero(mem_ctx, struct idmap_domain);
213 if (result == NULL) {
214 DEBUG(0, ("talloc failed\n"));
218 result->name = talloc_strdup(result, domainname);
219 if (result->name == NULL) {
220 DEBUG(0, ("talloc failed\n"));
225 * load ranges and read only information from the config
227 if (strequal(result->name, "*")) {
229 * The default domain "*" is configured differently
230 * from named domains.
240 if (!lp_idmap_uid(&low_uid, &high_uid)) {
241 DEBUG(1, ("'idmap uid' not set!\n"));
247 result->low_id = low_uid;
248 result->high_id = high_uid;
250 if (!lp_idmap_gid(&low_gid, &high_gid)) {
251 DEBUG(1, ("'idmap gid' not set!\n"));
257 if ((low_gid != low_uid) || (high_gid != high_uid)) {
258 DEBUG(1, ("Warning: 'idmap uid' and 'idmap gid'"
259 " ranges do not agree -- building "
261 result->low_id = MAX(result->low_id, low_gid);
262 result->high_id = MIN(result->high_id, high_gid);
265 result->read_only = lp_idmap_read_only();
267 char *config_option = NULL;
270 config_option = talloc_asprintf(result, "idmap config %s",
272 if (config_option == NULL) {
273 DEBUG(0, ("Out of memory!\n"));
277 range = lp_parm_const_string(-1, config_option, "range", NULL);
279 DEBUG(1, ("idmap range not specified for domain %s\n",
284 } else if (sscanf(range, "%u - %u", &result->low_id,
285 &result->high_id) != 2)
287 DEBUG(1, ("invalid range '%s' specified for domain "
288 "'%s'\n", range, result->name));
294 result->read_only = lp_parm_bool(-1, config_option, "read only",
297 talloc_free(config_option);
300 if (result->low_id > result->high_id) {
301 DEBUG(1, ("Error: invalid idmap range detected: %lu - %lu\n",
302 (unsigned long)result->low_id,
303 (unsigned long)result->high_id));
309 result->methods = get_methods(modulename);
310 if (result->methods == NULL) {
311 DEBUG(3, ("idmap backend %s not found\n", modulename));
313 status = smb_probe_module("idmap", modulename);
314 if (!NT_STATUS_IS_OK(status)) {
315 DEBUG(3, ("Could not probe idmap module %s\n",
320 result->methods = get_methods(modulename);
322 if (result->methods == NULL) {
323 DEBUG(1, ("idmap backend %s not found\n", modulename));
327 status = result->methods->init(result, params);
328 if (!NT_STATUS_IS_OK(status)) {
329 DEBUG(1, ("idmap initialization returned %s\n",
342 * Initialize the default domain structure
343 * @param[in] mem_ctx memory context for the result
344 * @result The default domain structure
346 * This routine takes the module name from the "idmap backend" parameter,
347 * passing a possible parameter like ldap:ldap://ldap-url/ to the module.
350 static struct idmap_domain *idmap_init_default_domain(TALLOC_CTX *mem_ctx)
352 struct idmap_domain *result;
358 if (!parse_idmap_module(talloc_tos(), lp_idmap_backend(), &modulename,
360 DEBUG(1, ("parse_idmap_module failed\n"));
364 DEBUG(3, ("idmap_init: using '%s' as remote backend\n", modulename));
366 result = idmap_init_domain(mem_ctx, "*", modulename, params, true);
367 if (result == NULL) {
371 TALLOC_FREE(modulename);
376 TALLOC_FREE(modulename);
383 * Initialize a named domain structure
384 * @param[in] mem_ctx memory context for the result
385 * @param[in] domname the domain name
386 * @result The default domain structure
388 * This routine looks at the "idmap config <domname>" parameters to figure out
392 static struct idmap_domain *idmap_init_named_domain(TALLOC_CTX *mem_ctx,
395 struct idmap_domain *result = NULL;
399 config_option = talloc_asprintf(talloc_tos(), "idmap config %s",
401 if (config_option == NULL) {
402 DEBUG(0, ("talloc failed\n"));
406 backend = lp_parm_const_string(-1, config_option, "backend", NULL);
407 if (backend == NULL) {
408 DEBUG(1, ("no backend defined for %s\n", config_option));
412 result = idmap_init_domain(mem_ctx, domname, backend, NULL, true);
413 if (result == NULL) {
417 TALLOC_FREE(config_option);
421 TALLOC_FREE(config_option);
427 * Initialize the passdb domain structure
428 * @param[in] mem_ctx memory context for the result
429 * @result The default domain structure
431 * No config, passdb has its own configuration.
434 static struct idmap_domain *idmap_init_passdb_domain(TALLOC_CTX *mem_ctx)
439 * Always init the default domain, we can't go without one
441 if (default_idmap_domain == NULL) {
442 default_idmap_domain = idmap_init_default_domain(NULL);
444 if (default_idmap_domain == NULL) {
448 if (passdb_idmap_domain != NULL) {
449 return passdb_idmap_domain;
452 passdb_idmap_domain = idmap_init_domain(NULL, get_global_sam_name(),
453 "passdb", NULL, false);
454 if (passdb_idmap_domain == NULL) {
455 DEBUG(1, ("Could not init passdb idmap domain\n"));
458 return passdb_idmap_domain;
462 * Find a domain struct according to a domain name
463 * @param[in] domname Domain name to get the config for
464 * @result The default domain structure that fits
466 * This is the central routine in the winbindd-idmap child to pick the correct
467 * domain for looking up IDs. If domname is NULL or empty, we use the default
468 * domain. If it contains something, we try to use idmap_init_named_domain()
469 * to fetch the correct backend.
471 * The choice about "domname" is being made by the winbind parent, look at the
472 * "have_idmap_config" of "struct winbindd_domain" which is set in
473 * add_trusted_domain.
476 static struct idmap_domain *idmap_find_domain(const char *domname)
478 struct idmap_domain *result;
481 DEBUG(10, ("idmap_find_domain called for domain '%s'\n",
482 domname?domname:"NULL"));
485 * Always init the default domain, we can't go without one
487 if (default_idmap_domain == NULL) {
488 default_idmap_domain = idmap_init_default_domain(NULL);
490 if (default_idmap_domain == NULL) {
494 if ((domname == NULL) || (domname[0] == '\0')) {
495 return default_idmap_domain;
498 for (i=0; i<num_domains; i++) {
499 if (strequal(idmap_domains[i]->name, domname)) {
500 return idmap_domains[i];
504 if (idmap_domains == NULL) {
506 * talloc context for all idmap domains
508 idmap_domains = TALLOC_ARRAY(NULL, struct idmap_domain *, 1);
511 if (idmap_domains == NULL) {
512 DEBUG(0, ("talloc failed\n"));
516 result = idmap_init_named_domain(idmap_domains, domname);
517 if (result == NULL) {
519 * Could not init that domain -- try the default one
521 return default_idmap_domain;
524 ADD_TO_ARRAY(idmap_domains, struct idmap_domain *, result,
525 &idmap_domains, &num_domains);
529 void idmap_close(void)
531 TALLOC_FREE(default_idmap_domain);
532 TALLOC_FREE(passdb_idmap_domain);
533 TALLOC_FREE(idmap_domains);
537 /**************************************************************************
538 idmap allocator interface functions
539 **************************************************************************/
541 static NTSTATUS idmap_allocate_unixid(struct unixid *id)
543 struct idmap_domain *dom;
546 dom = idmap_find_domain(NULL);
549 return NT_STATUS_UNSUCCESSFUL;
552 if (dom->methods->allocate_id == NULL) {
553 return NT_STATUS_NOT_IMPLEMENTED;
556 ret = dom->methods->allocate_id(dom, id);
562 NTSTATUS idmap_allocate_uid(struct unixid *id)
564 id->type = ID_TYPE_UID;
565 return idmap_allocate_unixid(id);
568 NTSTATUS idmap_allocate_gid(struct unixid *id)
570 id->type = ID_TYPE_GID;
571 return idmap_allocate_unixid(id);
574 NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id)
576 struct idmap_domain *dom;
577 struct id_map *maps[2];
579 DEBUG(10, ("idmap_backend_unixid_to_sid: domain = '%s', xid = %d "
581 domname?domname:"NULL", id->xid.id, id->xid.type));
587 * Always give passdb a chance first
590 dom = idmap_init_passdb_domain(NULL);
592 && NT_STATUS_IS_OK(dom->methods->unixids_to_sids(dom, maps))
593 && id->status == ID_MAPPED) {
597 dom = idmap_find_domain(domname);
599 return NT_STATUS_NONE_MAPPED;
602 return dom->methods->unixids_to_sids(dom, maps);
605 NTSTATUS idmap_backends_sid_to_unixid(const char *domain, struct id_map *id)
607 struct idmap_domain *dom;
608 struct id_map *maps[2];
610 DEBUG(10, ("idmap_backends_sid_to_unixid: domain = '%s', sid = [%s]\n",
611 domain?domain:"NULL", sid_string_dbg(id->sid)));
616 if (sid_check_is_in_builtin(id->sid)
617 || (sid_check_is_in_our_domain(id->sid)))
621 DEBUG(10, ("asking passdb...\n"));
623 dom = idmap_init_passdb_domain(NULL);
625 return NT_STATUS_NONE_MAPPED;
627 status = dom->methods->sids_to_unixids(dom, maps);
629 if (NT_STATUS_IS_OK(status) && id->status == ID_MAPPED) {
633 DEBUG(10, ("passdb could not map.\n"));
635 return NT_STATUS_NONE_MAPPED;
638 dom = idmap_find_domain(domain);
640 return NT_STATUS_NONE_MAPPED;
643 return dom->methods->sids_to_unixids(dom, maps);