2 Unix SMB/CIFS implementation.
4 idmap TDB2 backend, used for clustered Samba setups.
6 This uses dbwrap to access tdb files. The location can be set
7 using tdb:idmap2.tdb =" in smb.conf
9 Copyright (C) Andrew Tridgell 2007
11 This is heavily based upon idmap_tdb.c, which is:
13 Copyright (C) Tim Potter 2000
14 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
15 Copyright (C) Jeremy Allison 2006
16 Copyright (C) Simo Sorce 2003-2006
17 Copyright (C) Michael Adam 2009-2010
19 This program is free software; you can redistribute it and/or modify
20 it under the terms of the GNU General Public License as published by
21 the Free Software Foundation; either version 2 of the License, or
22 (at your option) any later version.
24 This program is distributed in the hope that it will be useful,
25 but WITHOUT ANY WARRANTY; without even the implied warranty of
26 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 GNU General Public License for more details.
29 You should have received a copy of the GNU General Public License
30 along with this program; if not, write to the Free Software
31 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
39 #define DBGC_CLASS DBGC_IDMAP
41 struct idmap_tdb2_context {
42 struct db_context *db;
43 const char *script; /* script to provide idmaps */
44 struct idmap_rw_ops *rw_ops;
47 /* High water mark keys */
48 #define HWM_GROUP "GROUP HWM"
49 #define HWM_USER "USER HWM"
53 * check and initialize high/low water marks in the db
55 static NTSTATUS idmap_tdb2_init_hwm(struct idmap_domain *dom)
58 struct idmap_tdb2_context *ctx;
60 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
62 /* Create high water marks for group and user id */
64 low_id = dbwrap_fetch_int32(ctx->db, HWM_USER);
65 if ((low_id == -1) || (low_id < dom->low_id)) {
66 if (!NT_STATUS_IS_OK(dbwrap_trans_store_int32(
69 DEBUG(0, ("Unable to initialise user hwm in idmap "
71 return NT_STATUS_INTERNAL_DB_ERROR;
75 low_id = dbwrap_fetch_int32(ctx->db, HWM_GROUP);
76 if ((low_id == -1) || (low_id < dom->low_id)) {
77 if (!NT_STATUS_IS_OK(dbwrap_trans_store_int32(
80 DEBUG(0, ("Unable to initialise group hwm in idmap "
82 return NT_STATUS_INTERNAL_DB_ERROR;
91 open the permanent tdb
93 static NTSTATUS idmap_tdb2_open_db(struct idmap_domain *dom)
96 struct idmap_tdb2_context *ctx;
98 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
101 /* its already open */
105 db_path = lp_parm_talloc_string(-1, "tdb", "idmap2.tdb", NULL);
106 if (db_path == NULL) {
107 /* fall back to the private directory, which, despite
108 its name, is usually on shared storage */
109 db_path = talloc_asprintf(NULL, "%s/idmap2.tdb", lp_private_dir());
111 NT_STATUS_HAVE_NO_MEMORY(db_path);
113 /* Open idmap repository */
114 ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644);
115 TALLOC_FREE(db_path);
117 if (ctx->db == NULL) {
118 DEBUG(0, ("Unable to open idmap_tdb2 database '%s'\n",
120 return NT_STATUS_UNSUCCESSFUL;
123 return idmap_tdb2_init_hwm(dom);
131 struct idmap_tdb2_allocate_id_context {
138 static NTSTATUS idmap_tdb2_allocate_id_action(struct db_context *db,
142 struct idmap_tdb2_allocate_id_context *state;
145 state = (struct idmap_tdb2_allocate_id_context *)private_data;
147 hwm = dbwrap_fetch_int32(db, state->hwmkey);
149 ret = NT_STATUS_INTERNAL_DB_ERROR;
153 /* check it is in the range */
154 if (hwm > state->high_hwm) {
155 DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
156 state->hwmtype, (unsigned long)state->high_hwm));
157 ret = NT_STATUS_UNSUCCESSFUL;
161 /* fetch a new id and increment it */
162 ret = dbwrap_trans_change_uint32_atomic(db, state->hwmkey, &hwm, 1);
163 if (!NT_STATUS_IS_OK(ret)) {
164 DEBUG(1, ("Fatal error while fetching a new %s value\n!",
169 /* recheck it is in the range */
170 if (hwm > state->high_hwm) {
171 DEBUG(1, ("Fatal Error: %s range full!! (max: %lu)\n",
172 state->hwmtype, (unsigned long)state->high_hwm));
173 ret = NT_STATUS_UNSUCCESSFUL;
184 static NTSTATUS idmap_tdb2_allocate_id(struct idmap_domain *dom,
192 struct idmap_tdb2_allocate_id_context state;
193 struct idmap_tdb2_context *ctx;
195 status = idmap_tdb2_open_db(dom);
196 NT_STATUS_NOT_OK_RETURN(status);
198 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
200 /* Get current high water mark */
214 DEBUG(2, ("Invalid ID type (0x%x)\n", xid->type));
215 return NT_STATUS_INVALID_PARAMETER;
218 high_hwm = dom->high_id;
221 state.high_hwm = high_hwm;
222 state.hwmtype = hwmtype;
223 state.hwmkey = hwmkey;
225 status = dbwrap_trans_do(ctx->db, idmap_tdb2_allocate_id_action,
228 if (NT_STATUS_IS_OK(status)) {
230 DEBUG(10,("New %s = %d\n", hwmtype, state.hwm));
232 DEBUG(1, ("Error allocating a new %s\n", hwmtype));
239 * Allocate a new unix-ID.
240 * For now this is for the default idmap domain only.
241 * Should be extended later on.
243 static NTSTATUS idmap_tdb2_get_new_id(struct idmap_domain *dom,
248 if (!strequal(dom->name, "*")) {
249 DEBUG(3, ("idmap_tdb2_get_new_id: "
250 "Refusing creation of mapping for domain'%s'. "
251 "Currently only supported for the default "
254 return NT_STATUS_NOT_IMPLEMENTED;
257 ret = idmap_tdb2_allocate_id(dom, id);
263 IDMAP MAPPING TDB BACKEND
266 static NTSTATUS idmap_tdb2_set_mapping(struct idmap_domain *dom,
267 const struct id_map *map);
270 Initialise idmap database.
272 static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom,
276 struct idmap_tdb2_context *ctx;
278 ctx = talloc_zero(dom, struct idmap_tdb2_context);
280 DEBUG(0, ("Out of memory!\n"));
281 return NT_STATUS_NO_MEMORY;
284 if (strequal(dom->name, "*")) {
285 ctx->script = lp_parm_const_string(-1, "idmap", "script", NULL);
287 DEBUG(1, ("using idmap script '%s'\n", ctx->script));
290 char *config_option = NULL;
292 config_option = talloc_asprintf(ctx, "idmap config %s", dom->name);
293 if ( ! config_option) {
294 DEBUG(0, ("Out of memory!\n"));
295 ret = NT_STATUS_NO_MEMORY;
299 ctx->script = lp_parm_const_string(-1, config_option, "script", NULL);
301 DEBUG(1, ("using idmap script '%s'\n", ctx->script));
304 talloc_free(config_option);
307 ctx->rw_ops = talloc_zero(ctx, struct idmap_rw_ops);
308 if (ctx->rw_ops == NULL) {
309 DEBUG(0, ("Out of memory!\n"));
310 ret = NT_STATUS_NO_MEMORY;
314 ctx->rw_ops->get_new_id = idmap_tdb2_get_new_id;
315 ctx->rw_ops->set_mapping = idmap_tdb2_set_mapping;
317 dom->private_data = ctx;
319 ret = idmap_tdb2_open_db(dom);
320 if (!NT_STATUS_IS_OK(ret)) {
333 * store a mapping in the database.
336 struct idmap_tdb2_set_mapping_context {
341 static NTSTATUS idmap_tdb2_set_mapping_action(struct db_context *db,
346 struct idmap_tdb2_set_mapping_context *state;
347 TALLOC_CTX *tmp_ctx = talloc_stackframe();
349 state = (struct idmap_tdb2_set_mapping_context *)private_data;
351 DEBUG(10, ("Storing %s <-> %s map\n", state->ksidstr, state->kidstr));
353 /* check wheter sid mapping is already present in db */
354 data = dbwrap_fetch_bystring(db, tmp_ctx, state->ksidstr);
356 ret = NT_STATUS_OBJECT_NAME_COLLISION;
360 ret = dbwrap_store_bystring(db, state->ksidstr,
361 string_term_tdb_data(state->kidstr),
363 if (!NT_STATUS_IS_OK(ret)) {
364 DEBUG(0, ("Error storing SID -> ID: %s\n", nt_errstr(ret)));
368 ret = dbwrap_store_bystring(db, state->kidstr,
369 string_term_tdb_data(state->ksidstr),
371 if (!NT_STATUS_IS_OK(ret)) {
372 DEBUG(0, ("Error storing ID -> SID: %s\n", nt_errstr(ret)));
373 /* try to remove the previous stored SID -> ID map */
374 dbwrap_delete_bystring(db, state->ksidstr);
378 DEBUG(10,("Stored %s <-> %s\n", state->ksidstr, state->kidstr));
381 talloc_free(tmp_ctx);
385 static NTSTATUS idmap_tdb2_set_mapping(struct idmap_domain *dom, const struct id_map *map)
387 struct idmap_tdb2_context *ctx;
389 char *ksidstr, *kidstr;
390 struct idmap_tdb2_set_mapping_context state;
392 if (!map || !map->sid) {
393 return NT_STATUS_INVALID_PARAMETER;
396 ksidstr = kidstr = NULL;
398 /* TODO: should we filter a set_mapping using low/high filters ? */
400 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
402 switch (map->xid.type) {
405 kidstr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
409 kidstr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
413 DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type));
414 return NT_STATUS_INVALID_PARAMETER;
417 if (kidstr == NULL) {
418 DEBUG(0, ("ERROR: Out of memory!\n"));
419 ret = NT_STATUS_NO_MEMORY;
423 ksidstr = sid_string_talloc(ctx, map->sid);
424 if (ksidstr == NULL) {
425 DEBUG(0, ("Out of memory!\n"));
426 ret = NT_STATUS_NO_MEMORY;
430 state.ksidstr = ksidstr;
431 state.kidstr = kidstr;
433 ret = dbwrap_trans_do(ctx->db, idmap_tdb2_set_mapping_action,
437 talloc_free(ksidstr);
443 * Create a new mapping for an unmapped SID, also allocating a new ID.
444 * This should be run inside a transaction.
447 * Properly integrate this with multi domain idmap config:
448 * Currently, the allocator is default-config only.
450 static NTSTATUS idmap_tdb2_new_mapping(struct idmap_domain *dom, struct id_map *map)
453 struct idmap_tdb2_context *ctx;
455 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
457 ret = idmap_rw_new_mapping(dom, ctx->rw_ops, map);
464 run a script to perform a mapping
466 The script should the following command lines:
472 and should return one of the following as a single line of text
478 static NTSTATUS idmap_tdb2_script(struct idmap_tdb2_context *ctx, struct id_map *map,
479 const char *fmt, ...)
487 cmd = talloc_asprintf(ctx, "%s ", ctx->script);
488 NT_STATUS_HAVE_NO_MEMORY(cmd);
491 cmd = talloc_vasprintf_append(cmd, fmt, ap);
493 NT_STATUS_HAVE_NO_MEMORY(cmd);
498 return NT_STATUS_NONE_MAPPED;
501 if (fgets(line, sizeof(line)-1, p) == NULL) {
503 return NT_STATUS_NONE_MAPPED;
507 DEBUG(10,("idmap script gave: %s\n", line));
509 if (sscanf(line, "UID:%lu", &v) == 1) {
511 map->xid.type = ID_TYPE_UID;
512 } else if (sscanf(line, "GID:%lu", &v) == 1) {
514 map->xid.type = ID_TYPE_GID;
515 } else if (strncmp(line, "SID:S-", 6) == 0) {
516 if (!string_to_sid(map->sid, &line[4])) {
517 DEBUG(0,("Bad SID in '%s' from idmap script %s\n",
519 return NT_STATUS_NONE_MAPPED;
522 DEBUG(0,("Bad reply '%s' from idmap script %s\n",
524 return NT_STATUS_NONE_MAPPED;
533 Single id to sid lookup function.
535 static NTSTATUS idmap_tdb2_id_to_sid(struct idmap_domain *dom, struct id_map *map)
541 struct idmap_tdb2_context *ctx;
545 return NT_STATUS_INVALID_PARAMETER;
548 status = idmap_tdb2_open_db(dom);
549 NT_STATUS_NOT_OK_RETURN(status);
551 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
553 /* apply filters before checking */
554 if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
555 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
556 map->xid.id, dom->low_id, dom->high_id));
557 return NT_STATUS_NONE_MAPPED;
560 switch (map->xid.type) {
563 keystr = talloc_asprintf(ctx, "UID %lu", (unsigned long)map->xid.id);
567 keystr = talloc_asprintf(ctx, "GID %lu", (unsigned long)map->xid.id);
571 DEBUG(2, ("INVALID unix ID type: 0x02%x\n", map->xid.type));
572 return NT_STATUS_INVALID_PARAMETER;
575 /* final SAFE_FREE safe */
578 if (keystr == NULL) {
579 DEBUG(0, ("Out of memory!\n"));
580 ret = NT_STATUS_NO_MEMORY;
584 DEBUG(10,("Fetching record %s\n", keystr));
586 /* Check if the mapping exists */
587 data = dbwrap_fetch_bystring(ctx->db, keystr, keystr);
591 struct idmap_tdb2_set_mapping_context store_state;
593 DEBUG(10,("Record %s not found\n", keystr));
594 if (ctx->script == NULL) {
595 ret = NT_STATUS_NONE_MAPPED;
599 ret = idmap_tdb2_script(ctx, map, "IDTOSID %s", keystr);
601 /* store it on shared storage */
602 if (!NT_STATUS_IS_OK(ret)) {
606 sidstr = sid_string_talloc(keystr, map->sid);
608 ret = NT_STATUS_NO_MEMORY;
612 store_state.ksidstr = sidstr;
613 store_state.kidstr = keystr;
615 ret = dbwrap_trans_do(ctx->db, idmap_tdb2_set_mapping_action,
620 if (!string_to_sid(map->sid, (const char *)data.dptr)) {
621 DEBUG(10,("INVALID SID (%s) in record %s\n",
622 (const char *)data.dptr, keystr));
623 ret = NT_STATUS_INTERNAL_DB_ERROR;
627 DEBUG(10,("Found record %s -> %s\n", keystr, (const char *)data.dptr));
637 Single sid to id lookup function.
639 static NTSTATUS idmap_tdb2_sid_to_id(struct idmap_domain *dom, struct id_map *map)
644 unsigned long rec_id = 0;
645 struct idmap_tdb2_context *ctx;
646 TALLOC_CTX *tmp_ctx = talloc_stackframe();
648 ret = idmap_tdb2_open_db(dom);
649 NT_STATUS_NOT_OK_RETURN(ret);
651 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
653 keystr = sid_string_talloc(tmp_ctx, map->sid);
654 if (keystr == NULL) {
655 DEBUG(0, ("Out of memory!\n"));
656 ret = NT_STATUS_NO_MEMORY;
660 DEBUG(10,("Fetching record %s\n", keystr));
662 /* Check if sid is present in database */
663 data = dbwrap_fetch_bystring(ctx->db, tmp_ctx, keystr);
666 struct idmap_tdb2_set_mapping_context store_state;
668 DEBUG(10,(__location__ " Record %s not found\n", keystr));
670 if (ctx->script == NULL) {
671 ret = NT_STATUS_NONE_MAPPED;
675 ret = idmap_tdb2_script(ctx, map, "SIDTOID %s", keystr);
676 /* store it on shared storage */
677 if (!NT_STATUS_IS_OK(ret)) {
681 /* apply filters before returning result */
682 if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
683 DEBUG(5, ("Script returned id (%u) out of range "
684 "(%u - %u). Filtered!\n",
685 map->xid.id, dom->low_id, dom->high_id));
686 ret = NT_STATUS_NONE_MAPPED;
690 idstr = talloc_asprintf(tmp_ctx, "%cID %lu",
691 map->xid.type == ID_TYPE_UID?'U':'G',
692 (unsigned long)map->xid.id);
694 ret = NT_STATUS_NO_MEMORY;
698 store_state.ksidstr = keystr;
699 store_state.kidstr = idstr;
701 ret = dbwrap_trans_do(ctx->db, idmap_tdb2_set_mapping_action,
706 /* What type of record is this ? */
707 if (sscanf((const char *)data.dptr, "UID %lu", &rec_id) == 1) { /* Try a UID record. */
708 map->xid.id = rec_id;
709 map->xid.type = ID_TYPE_UID;
710 DEBUG(10,("Found uid record %s -> %s \n", keystr, (const char *)data.dptr ));
713 } else if (sscanf((const char *)data.dptr, "GID %lu", &rec_id) == 1) { /* Try a GID record. */
714 map->xid.id = rec_id;
715 map->xid.type = ID_TYPE_GID;
716 DEBUG(10,("Found gid record %s -> %s \n", keystr, (const char *)data.dptr ));
719 } else { /* Unknown record type ! */
720 DEBUG(2, ("Found INVALID record %s -> %s\n", keystr, (const char *)data.dptr));
721 ret = NT_STATUS_INTERNAL_DB_ERROR;
725 /* apply filters before returning result */
726 if (!idmap_unix_id_is_in_range(map->xid.id, dom)) {
727 DEBUG(5, ("Requested id (%u) out of range (%u - %u). Filtered!\n",
728 map->xid.id, dom->low_id, dom->high_id));
729 ret = NT_STATUS_NONE_MAPPED;
733 talloc_free(tmp_ctx);
738 lookup a set of unix ids.
740 static NTSTATUS idmap_tdb2_unixids_to_sids(struct idmap_domain *dom, struct id_map **ids)
745 /* initialize the status to avoid suprise */
746 for (i = 0; ids[i]; i++) {
747 ids[i]->status = ID_UNKNOWN;
750 for (i = 0; ids[i]; i++) {
751 ret = idmap_tdb2_id_to_sid(dom, ids[i]);
752 if ( ! NT_STATUS_IS_OK(ret)) {
754 /* if it is just a failed mapping continue */
755 if (NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED)) {
757 /* make sure it is marked as unmapped */
758 ids[i]->status = ID_UNMAPPED;
762 /* some fatal error occurred, return immediately */
766 /* all ok, id is mapped */
767 ids[i]->status = ID_MAPPED;
777 lookup a set of sids.
780 struct idmap_tdb2_sids_to_unixids_context {
781 struct idmap_domain *dom;
783 bool allocate_unmapped;
786 static NTSTATUS idmap_tdb2_sids_to_unixids_action(struct db_context *db,
789 struct idmap_tdb2_sids_to_unixids_context *state;
791 NTSTATUS ret = NT_STATUS_OK;
793 state = (struct idmap_tdb2_sids_to_unixids_context *)private_data;
795 DEBUG(10, ("idmap_tdb2_sids_to_unixids_action: "
796 " domain: [%s], allocate: %s\n",
798 state->allocate_unmapped ? "yes" : "no"));
800 for (i = 0; state->ids[i]; i++) {
801 if ((state->ids[i]->status == ID_UNKNOWN) ||
802 /* retry if we could not map in previous run: */
803 (state->ids[i]->status == ID_UNMAPPED))
807 ret2 = idmap_tdb2_sid_to_id(state->dom, state->ids[i]);
808 if (!NT_STATUS_IS_OK(ret2)) {
810 /* if it is just a failed mapping, continue */
811 if (NT_STATUS_EQUAL(ret2, NT_STATUS_NONE_MAPPED)) {
813 /* make sure it is marked as unmapped */
814 state->ids[i]->status = ID_UNMAPPED;
815 ret = STATUS_SOME_UNMAPPED;
817 /* some fatal error occurred, return immediately */
822 /* all ok, id is mapped */
823 state->ids[i]->status = ID_MAPPED;
827 if ((state->ids[i]->status == ID_UNMAPPED) &&
828 state->allocate_unmapped)
830 ret = idmap_tdb2_new_mapping(state->dom, state->ids[i]);
831 if (!NT_STATUS_IS_OK(ret)) {
841 static NTSTATUS idmap_tdb2_sids_to_unixids(struct idmap_domain *dom, struct id_map **ids)
845 struct idmap_tdb2_sids_to_unixids_context state;
846 struct idmap_tdb2_context *ctx;
848 ctx = talloc_get_type(dom->private_data, struct idmap_tdb2_context);
850 /* initialize the status to avoid suprise */
851 for (i = 0; ids[i]; i++) {
852 ids[i]->status = ID_UNKNOWN;
857 state.allocate_unmapped = false;
859 ret = idmap_tdb2_sids_to_unixids_action(ctx->db, &state);
861 if (NT_STATUS_EQUAL(ret, STATUS_SOME_UNMAPPED) && !dom->read_only) {
862 state.allocate_unmapped = true;
863 ret = dbwrap_trans_do(ctx->db,
864 idmap_tdb2_sids_to_unixids_action,
873 Close the idmap tdb instance
875 static NTSTATUS idmap_tdb2_close(struct idmap_domain *dom)
877 /* don't do anything */
881 static struct idmap_methods db_methods = {
882 .init = idmap_tdb2_db_init,
883 .unixids_to_sids = idmap_tdb2_unixids_to_sids,
884 .sids_to_unixids = idmap_tdb2_sids_to_unixids,
885 .allocate_id = idmap_tdb2_get_new_id,
886 .close_fn = idmap_tdb2_close
889 NTSTATUS idmap_tdb2_init(void)
891 return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "tdb2", &db_methods);