git.samba.org / metze / samba / wip.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
idmap_hash: remember new domain sids in idmap_hash_sid_to_id()
[metze/samba/wip.git] / source3 / winbindd / idmap_hash / idmap_hash.c
1 /*
2  *  idmap_hash.c
3  *
4  * Copyright (C) Gerald Carter  <jerry@samba.org>      2007 - 2008
5  *
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20
21 #include "includes.h"
22 #include "winbindd/winbindd.h"
23 #include "idmap.h"
24 #include "idmap_hash.h"
25 #include "ads.h"
26 #include "nss_info.h"
27 #include "../libcli/security/dom_sid.h"
28 #include "libsmb/samlogon_cache.h"
29
30 #undef DBGC_CLASS
31 #define DBGC_CLASS DBGC_IDMAP
32
33 struct sid_hash_table {
34         struct dom_sid *sid;
35 };
36
37 /*********************************************************************
38  Hash a domain SID (S-1-5-12-aaa-bbb-ccc) to a 12bit number
39  ********************************************************************/
40
41 static uint32_t hash_domain_sid(const struct dom_sid *sid)
42 {
43         uint32_t hash;
44
45         if (sid->num_auths != 4)
46                 return 0;
47
48         /* XOR the last three subauths */
49
50         hash = ((sid->sub_auths[1] ^ sid->sub_auths[2]) ^ sid->sub_auths[3]);
51
52         /* Take all 32-bits into account when generating the 12-bit
53            hash value */
54         hash = (((hash & 0xFFF00000) >> 20)
55                 + ((hash & 0x000FFF00) >> 8)
56                 + (hash & 0x000000FF)) & 0x0000FFF;
57
58         /* return a 12-bit hash value */
59
60         return hash;
61 }
62
63 /*********************************************************************
64  Hash a Relative ID to a 19 bit number
65  ********************************************************************/
66
67 static uint32_t hash_rid(uint32_t rid)
68 {
69         /*
70          * 19 bits for the rid which allows us to support
71          * the first 50K users/groups in a domain
72          *
73          */
74
75         return (rid & 0x0007FFFF);
76 }
77
78 /*********************************************************************
79  ********************************************************************/
80
81 static uint32_t combine_hashes(uint32_t h_domain,
82                                uint32_t h_rid)
83 {
84         uint32_t return_id = 0;
85
86         /*
87          * shift the hash_domain 19 bits to the left and OR with the
88          * hash_rid
89          *
90          * This will generate a 31 bit number out of
91          * 12 bit domain and 19 bit rid.
92          */
93
94         return_id = ((h_domain<<19) | h_rid);
95
96         return return_id;
97 }
98
99 /*********************************************************************
100  ********************************************************************/
101
102 static void separate_hashes(uint32_t id,
103                             uint32_t *h_domain,
104                             uint32_t *h_rid)
105 {
106         *h_rid = id & 0x0007FFFF;
107         *h_domain = (id & 0x7FF80000) >> 19;
108
109         return;
110 }
111
112
113 /*********************************************************************
114  ********************************************************************/
115
116 static NTSTATUS idmap_hash_initialize(struct idmap_domain *dom)
117 {
118         struct sid_hash_table *hashed_domains;
119         NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
120         struct winbindd_tdc_domain *dom_list = NULL;
121         size_t num_domains = 0;
122         size_t i;
123
124         DBG_ERR("The idmap_hash module is deprecated and should not be used. "
125                 "Please migrate to a different plugin. This module will be "
126                 "removed in a future version of Samba\n");
127
128         if (!strequal(dom->name, "*")) {
129                 DBG_ERR("Error: idmap_hash configured for domain '%s'. "
130                         "But the hash module can only be used for the default "
131                         "idmap configuration.\n", dom->name);
132                 return NT_STATUS_INVALID_PARAMETER;
133         }
134
135         if (!wcache_tdc_fetch_list(&dom_list, &num_domains)) {
136                 nt_status = NT_STATUS_TRUSTED_DOMAIN_FAILURE;
137                 BAIL_ON_NTSTATUS_ERROR(nt_status);
138         }
139
140         /* Create the hash table of domain SIDs */
141
142         hashed_domains = talloc_zero_array(dom, struct sid_hash_table, 4096);
143         BAIL_ON_PTR_NT_ERROR(hashed_domains, nt_status);
144
145         /* create the hash table of domain SIDs */
146
147         for (i=0; i<num_domains; i++) {
148                 struct dom_sid_buf buf;
149                 uint32_t hash;
150
151                 if (is_null_sid(&dom_list[i].sid))
152                         continue;
153
154                 /*
155                  * Check if the domain from the list is not already configured
156                  * to use another idmap backend. Not checking this makes the
157                  * idmap_hash module map IDs for *all* domains implicitly.  This
158                  * is quite dangerous in setups that use multiple idmap
159                  * configurations.
160                  */
161
162                 if (domain_has_idmap_config(dom_list[i].domain_name)) {
163                         continue;
164                 }
165
166                 if ((hash = hash_domain_sid(&dom_list[i].sid)) == 0)
167                         continue;
168
169                 DBG_INFO("Adding %s (%s) -> %d\n",
170                          dom_list[i].domain_name,
171                          dom_sid_str_buf(&dom_list[i].sid, &buf),
172                          hash);
173
174                 hashed_domains[hash].sid = talloc(hashed_domains, struct dom_sid);
175                 sid_copy(hashed_domains[hash].sid, &dom_list[i].sid);
176         }
177
178         dom->private_data = hashed_domains;
179
180 done:
181         return nt_status;
182 }
183
184 /*********************************************************************
185  ********************************************************************/
186
187 static NTSTATUS idmap_hash_id_to_sid(struct sid_hash_table *hashed_domains,
188                                      struct idmap_domain *dom,
189                                      struct id_map *id)
190 {
191         uint32_t h_domain, h_rid;
192
193         id->status = ID_UNMAPPED;
194
195         separate_hashes(id->xid.id, &h_domain, &h_rid);
196
197         /*
198          * If the domain hash doesn't find a SID in the table,
199          * skip it
200          */
201         if (hashed_domains[h_domain].sid == NULL) {
202                 return NT_STATUS_NONE_MAPPED;
203         }
204
205         sid_compose(id->sid, hashed_domains[h_domain].sid, h_rid);
206         id->status = ID_MAPPED;
207
208         return NT_STATUS_OK;
209 }
210
211 static NTSTATUS unixids_to_sids(struct idmap_domain *dom,
212                                 struct id_map **ids)
213 {
214         struct sid_hash_table *hashed_domains = talloc_get_type_abort(
215                 dom->private_data, struct sid_hash_table);
216         int i;
217         int num_tomap = 0;
218         int num_mapped = 0;
219
220         /* initialize the status to avoid surprise */
221         for (i = 0; ids[i]; i++) {
222                 ids[i]->status = ID_UNKNOWN;
223                 num_tomap++;
224         }
225
226         for (i=0; ids[i]; i++) {
227                 NTSTATUS ret;
228
229                 ret = idmap_hash_id_to_sid(hashed_domains, dom, ids[i]);
230
231                 if ((!NT_STATUS_IS_OK(ret)) &&
232                     (!NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
233                         /* some fatal error occurred, log it */
234                         DBG_NOTICE("Unexpected error resolving an ID "
235                                    "(%d): %s\n", ids[i]->xid.id,
236                                    nt_errstr(ret));
237                         return ret;
238                 }
239
240                 if (NT_STATUS_IS_OK(ret) && ids[i]->status == ID_MAPPED) {
241                         num_mapped++;
242                 }
243         }
244
245         if (num_tomap == num_mapped) {
246                 return NT_STATUS_OK;
247         } else if (num_mapped == 0) {
248                 return NT_STATUS_NONE_MAPPED;
249         }
250
251         return STATUS_SOME_UNMAPPED;
252 }
253
254 /*********************************************************************
255  ********************************************************************/
256
257 static NTSTATUS idmap_hash_sid_to_id(struct sid_hash_table *hashed_domains,
258                                      struct idmap_domain *dom,
259                                      struct id_map *id)
260 {
261         struct dom_sid sid;
262         uint32_t rid;
263         uint32_t h_domain, h_rid;
264
265         id->status = ID_UNMAPPED;
266
267         sid_copy(&sid, id->sid);
268         sid_split_rid(&sid, &rid);
269
270         h_domain = hash_domain_sid(&sid);
271         h_rid = hash_rid(rid);
272
273         /* Check that both hashes are non-zero*/
274         if (h_domain == 0) {
275                 return NT_STATUS_NONE_MAPPED;
276         }
277         if (h_rid == 0) {
278                 return NT_STATUS_NONE_MAPPED;
279         }
280
281         /*
282          * If the domain hash already exists find a SID in the table,
283          * just return the mapping.
284          */
285         if (hashed_domains[h_domain].sid != NULL) {
286                 goto return_mapping;
287         }
288
289         /*
290          * If the caller already did a lookup sid and made sure the
291          * domain sid is valid, we can allocate a new range.
292          *
293          * Currently the winbindd parent already does a lookup sids
294          * first, but hopefully changes in future. If the
295          * caller knows the domain sid, ID_TYPE_BOTH should be
296          * passed instead of ID_TYPE_NOT_SPECIFIED.
297          */
298         if (id->xid.type == ID_TYPE_NOT_SPECIFIED) {
299                 /*
300                  * We keep the legacy behavior and
301                  * just return the mapping, but
302                  * the reverse mapping would not
303                  * still not work.
304                  *
305                  * Maybe we should return NT_STATUS_NONE_MAPPED,
306                  * but for now we keep what we already have.
307                  */
308                 goto return_mapping;
309         }
310
311         /*
312          * Check of last resort: A domain is valid if a user from that
313          * domain has recently logged in. The samlogon_cache these
314          * days also stores the domain sid.
315          *
316          * We used to check the list of trusted domains we received
317          * from "our" dc, but this is not reliable enough.
318          */
319         if (!netsamlogon_cache_have(&sid)) {
320                 /*
321                  * We keep the legacy behavior and
322                  * just return the mapping, but
323                  * the reverse mapping would not
324                  * still not work.
325                  *
326                  * Maybe we should return NT_STATUS_NONE_MAPPED,
327                  * but for now we keep what we already have.
328                  */
329                 goto return_mapping;
330         }
331
332         /*
333          * Now we're sure the domain exist, remember
334          * the domain in order to return reverse mappings
335          * in future.
336          */
337         hashed_domains[h_domain].sid = dom_sid_dup(hashed_domains, &sid);
338         if (hashed_domains[h_domain].sid == NULL) {
339                 return NT_STATUS_NO_MEMORY;
340         }
341
342 return_mapping:
343         id->xid.id = combine_hashes(h_domain, h_rid);
344         id->status = ID_MAPPED;
345
346         return NT_STATUS_OK;
347 }
348
349 static NTSTATUS sids_to_unixids(struct idmap_domain *dom,
350                                 struct id_map **ids)
351 {
352         struct sid_hash_table *hashed_domains = talloc_get_type_abort(
353                 dom->private_data, struct sid_hash_table);
354         int i;
355         int num_tomap = 0;
356         int num_mapped = 0;
357
358         /* initialize the status to avoid surprise */
359         for (i = 0; ids[i]; i++) {
360                 ids[i]->status = ID_UNKNOWN;
361                 num_tomap++;
362         }
363
364         for (i=0; ids[i]; i++) {
365                 NTSTATUS ret;
366
367                 ret = idmap_hash_sid_to_id(hashed_domains, dom, ids[i]);
368
369                 if ((!NT_STATUS_IS_OK(ret)) &&
370                     (!NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
371                         struct dom_sid_buf buf;
372                         /* some fatal error occurred, log it */
373                         DBG_NOTICE("Unexpected error resolving a SID "
374                                    "(%s): %s\n",
375                                    dom_sid_str_buf(ids[i]->sid, &buf),
376                                    nt_errstr(ret));
377                         return ret;
378                 }
379
380                 if (NT_STATUS_IS_OK(ret) && ids[i]->status == ID_MAPPED) {
381                         num_mapped++;
382                 }
383         }
384
385         if (num_tomap == num_mapped) {
386                 return NT_STATUS_OK;
387         } else if (num_mapped == 0) {
388                 return NT_STATUS_NONE_MAPPED;
389         }
390
391         return STATUS_SOME_UNMAPPED;
392 }
393
394 /*********************************************************************
395  ********************************************************************/
396
397 static NTSTATUS nss_hash_init(struct nss_domain_entry *e )
398 {
399         return NT_STATUS_OK;
400 }
401
402 /**********************************************************************
403  *********************************************************************/
404
405 static NTSTATUS nss_hash_map_to_alias(TALLOC_CTX *mem_ctx,
406                                         struct nss_domain_entry *e,
407                                         const char *name,
408                                         char **alias)
409 {
410         NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
411         const char *value;
412
413         value = talloc_asprintf(mem_ctx, "%s\\%s", e->domain, name);
414         BAIL_ON_PTR_NT_ERROR(value, nt_status);
415
416         nt_status = mapfile_lookup_key(mem_ctx, value, alias);
417         BAIL_ON_NTSTATUS_ERROR(nt_status);
418
419 done:
420         return nt_status;
421 }
422
423 /**********************************************************************
424  *********************************************************************/
425
426 static NTSTATUS nss_hash_map_from_alias(TALLOC_CTX *mem_ctx,
427                                           struct nss_domain_entry *e,
428                                           const char *alias,
429                                           char **name)
430 {
431         return mapfile_lookup_value(mem_ctx, alias, name);
432 }
433
434 /**********************************************************************
435  *********************************************************************/
436
437 static NTSTATUS nss_hash_close(void)
438 {
439         return NT_STATUS_OK;
440 }
441
442 /*********************************************************************
443  Dispatch Tables for IDMap and NssInfo Methods
444 ********************************************************************/
445
446 static const struct idmap_methods hash_idmap_methods = {
447         .init            = idmap_hash_initialize,
448         .unixids_to_sids = unixids_to_sids,
449         .sids_to_unixids = sids_to_unixids,
450 };
451
452 static const struct nss_info_methods hash_nss_methods = {
453         .init           = nss_hash_init,
454         .map_to_alias   = nss_hash_map_to_alias,
455         .map_from_alias = nss_hash_map_from_alias,
456         .close_fn       = nss_hash_close
457 };
458
459 /**********************************************************************
460  Register with the idmap and idmap_nss subsystems. We have to protect
461  against the idmap and nss_info interfaces being in a half-registered
462  state.
463  **********************************************************************/
464
465 static_decl_idmap;
466 NTSTATUS idmap_hash_init(TALLOC_CTX *ctx)
467 {
468         static NTSTATUS idmap_status = NT_STATUS_UNSUCCESSFUL;
469         static NTSTATUS nss_status = NT_STATUS_UNSUCCESSFUL;
470
471         if ( !NT_STATUS_IS_OK(idmap_status) ) {
472                 idmap_status =  smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
473                                                    "hash", &hash_idmap_methods);
474
475                 if ( !NT_STATUS_IS_OK(idmap_status) ) {
476                         DEBUG(0,("Failed to register hash idmap plugin.\n"));
477                         return idmap_status;
478                 }
479         }
480
481         if ( !NT_STATUS_IS_OK(nss_status) ) {
482                 nss_status = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
483                                                     "hash", &hash_nss_methods);
484                 if ( !NT_STATUS_IS_OK(nss_status) ) {
485                         DEBUG(0,("Failed to register hash idmap nss plugin.\n"));
486                         return nss_status;
487                 }
488         }
489
490         return NT_STATUS_OK;
491 }
Work in progress branches