2 * Unix SMB/CIFS implementation.
4 * Copyright (C) Volker Lendecke 2015
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "../libcli/security/security.h"
23 #include "idmap_cache.h"
24 #include "librpc/gen_ndr/ndr_winbind_c.h"
25 #include "librpc/gen_ndr/ndr_netlogon.h"
26 #include "passdb/lookup_sid.h"
28 struct wb_xids2sids_dom_map {
36 * Map idmap ranges to domain names, taken from smb.conf. This is
37 * stored in the parent winbind and used to assemble xid2sid calls
38 * into per-idmap-domain chunks.
40 static struct wb_xids2sids_dom_map *dom_maps;
42 static bool wb_xids2sids_add_dom(const char *domname,
45 struct wb_xids2sids_dom_map *map = NULL;
46 size_t num_maps = talloc_array_length(dom_maps);
49 unsigned low_id, high_id;
52 range = idmap_config_const_string(domname, "range", NULL);
54 DBG_DEBUG("No range for domain %s found\n", domname);
58 ret = sscanf(range, "%u - %u", &low_id, &high_id);
60 DBG_DEBUG("Invalid range spec \"%s\" for domain %s\n",
65 if (low_id > high_id) {
66 DBG_DEBUG("Invalid range %u - %u for domain %s\n",
67 low_id, high_id, domname);
71 for (i=0; i<num_maps; i++) {
72 if (strequal(domname, dom_maps[i].name)) {
79 struct wb_xids2sids_dom_map *tmp;
82 name = talloc_strdup(talloc_tos(), domname);
84 DBG_DEBUG("talloc failed\n");
89 NULL, dom_maps, struct wb_xids2sids_dom_map,
97 map = &dom_maps[num_maps];
99 map->name = talloc_move(dom_maps, &name);
102 map->low_id = low_id;
103 map->high_id = high_id;
108 struct wb_xids2sids_init_dom_maps_state {
109 struct tevent_context *ev;
110 struct tevent_req *req;
114 static void wb_xids2sids_init_dom_maps_lookupname_next(
115 struct wb_xids2sids_init_dom_maps_state *state);
117 static void wb_xids2sids_init_dom_maps_lookupname_done(
118 struct tevent_req *subreq);
120 static struct tevent_req *wb_xids2sids_init_dom_maps_send(
121 TALLOC_CTX *mem_ctx, struct tevent_context *ev)
123 struct tevent_req *req = NULL;
124 struct wb_xids2sids_init_dom_maps_state *state = NULL;
126 req = tevent_req_create(mem_ctx, &state,
127 struct wb_xids2sids_init_dom_maps_state);
131 *state = (struct wb_xids2sids_init_dom_maps_state) {
137 if (dom_maps != NULL) {
138 tevent_req_done(req);
139 return tevent_req_post(req, ev);
142 * Put the passdb idmap domain first. We always need to try
146 dom_maps = talloc_zero_array(NULL, struct wb_xids2sids_dom_map, 1);
147 if (tevent_req_nomem(dom_maps, req)) {
148 return tevent_req_post(req, ev);
150 dom_maps[0].low_id = 0;
151 dom_maps[0].high_id = UINT_MAX;
152 dom_maps[0].name = talloc_strdup(dom_maps, get_global_sam_name());
153 if (tevent_req_nomem(dom_maps[0].name, req)) {
154 TALLOC_FREE(dom_maps);
155 return tevent_req_post(req, ev);
158 lp_scan_idmap_domains(wb_xids2sids_add_dom, NULL);
160 wb_xids2sids_init_dom_maps_lookupname_next(state);
161 if (!tevent_req_is_in_progress(req)) {
162 tevent_req_post(req, ev);
167 static void wb_xids2sids_init_dom_maps_lookupname_next(
168 struct wb_xids2sids_init_dom_maps_state *state)
170 struct tevent_req *subreq = NULL;
172 if (state->dom_idx == talloc_array_length(dom_maps)) {
173 tevent_req_done(state->req);
177 if (strequal(dom_maps[state->dom_idx].name, "*")) {
179 if (state->dom_idx == talloc_array_length(dom_maps)) {
180 tevent_req_done(state->req);
185 subreq = wb_lookupname_send(state,
187 dom_maps[state->dom_idx].name,
188 dom_maps[state->dom_idx].name,
191 if (tevent_req_nomem(subreq, state->req)) {
194 tevent_req_set_callback(subreq,
195 wb_xids2sids_init_dom_maps_lookupname_done,
199 static void wb_xids2sids_init_dom_maps_lookupname_done(
200 struct tevent_req *subreq)
202 struct tevent_req *req = tevent_req_callback_data(
203 subreq, struct tevent_req);
204 struct wb_xids2sids_init_dom_maps_state *state = tevent_req_data(
205 req, struct wb_xids2sids_init_dom_maps_state);
206 enum lsa_SidType type;
209 status = wb_lookupname_recv(subreq,
210 &dom_maps[state->dom_idx].sid,
213 if (!NT_STATUS_IS_OK(status)) {
214 DBG_WARNING("Lookup domain name '%s' failed '%s'\n",
215 dom_maps[state->dom_idx].name,
219 wb_xids2sids_init_dom_maps_lookupname_next(state);
223 if (type != SID_NAME_DOMAIN) {
224 struct dom_sid_buf buf;
226 DBG_WARNING("SID %s for idmap domain name '%s' "
227 "not a domain SID\n",
228 dom_sid_str_buf(&dom_maps[state->dom_idx].sid,
230 dom_maps[state->dom_idx].name);
232 ZERO_STRUCT(dom_maps[state->dom_idx].sid);
236 wb_xids2sids_init_dom_maps_lookupname_next(state);
241 static NTSTATUS wb_xids2sids_init_dom_maps_recv(struct tevent_req *req)
243 return tevent_req_simple_recv_ntstatus(req);
246 struct wb_xids2sids_dom_state {
247 struct tevent_context *ev;
248 struct unixid *all_xids;
251 struct dom_sid *all_sids;
252 struct wb_xids2sids_dom_map *dom_map;
256 struct unixid *dom_xids;
257 struct dom_sid *dom_sids;
260 static void wb_xids2sids_dom_done(struct tevent_req *subreq);
261 static void wb_xids2sids_dom_gotdc(struct tevent_req *subreq);
263 static struct tevent_req *wb_xids2sids_dom_send(
264 TALLOC_CTX *mem_ctx, struct tevent_context *ev,
265 struct wb_xids2sids_dom_map *dom_map,
269 struct dom_sid *sids)
271 struct tevent_req *req, *subreq;
272 struct wb_xids2sids_dom_state *state;
273 struct winbindd_child *child;
276 req = tevent_req_create(mem_ctx, &state,
277 struct wb_xids2sids_dom_state);
282 state->all_xids = xids;
283 state->cached = cached;
284 state->num_all_xids = num_xids;
285 state->all_sids = sids;
286 state->dom_map = dom_map;
288 state->dom_xids = talloc_array(state, struct unixid, num_xids);
289 if (tevent_req_nomem(state->dom_xids, req)) {
290 return tevent_req_post(req, ev);
292 state->dom_sids = talloc_array(state, struct dom_sid, num_xids);
293 if (tevent_req_nomem(state->dom_sids, req)) {
294 return tevent_req_post(req, ev);
297 for (i=0; i<num_xids; i++) {
298 struct unixid id = state->all_xids[i];
300 if ((id.id < dom_map->low_id) || (id.id > dom_map->high_id)) {
304 if (state->cached[i]) {
305 /* already found in cache */
308 if (!is_null_sid(&state->all_sids[i])) {
309 /* already mapped in a previously asked domain */
312 state->dom_xids[state->num_dom_xids++] = id;
315 if (state->num_dom_xids == 0) {
316 tevent_req_done(req);
317 return tevent_req_post(req, ev);
320 child = idmap_child();
321 subreq = dcerpc_wbint_UnixIDs2Sids_send(
322 state, ev, child->binding_handle, dom_map->name, dom_map->sid,
323 state->num_dom_xids, state->dom_xids, state->dom_sids);
324 if (tevent_req_nomem(subreq, req)) {
325 return tevent_req_post(req, ev);
327 tevent_req_set_callback(subreq, wb_xids2sids_dom_done, req);
331 static void wb_xids2sids_dom_done(struct tevent_req *subreq)
333 struct tevent_req *req = tevent_req_callback_data(
334 subreq, struct tevent_req);
335 struct wb_xids2sids_dom_state *state = tevent_req_data(
336 req, struct wb_xids2sids_dom_state);
337 struct wb_xids2sids_dom_map *dom_map = state->dom_map;
338 NTSTATUS status, result;
342 status = dcerpc_wbint_UnixIDs2Sids_recv(subreq, state, &result);
344 if (tevent_req_nterror(req, status)) {
348 if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) &&
349 !state->tried_dclookup) {
351 subreq = wb_dsgetdcname_send(
352 state, state->ev, state->dom_map->name, NULL, NULL,
354 if (tevent_req_nomem(subreq, req)) {
357 tevent_req_set_callback(subreq, wb_xids2sids_dom_gotdc, req);
361 if (!NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED) &&
362 tevent_req_nterror(req, result)) {
368 for (i=0; i<state->num_all_xids; i++) {
369 struct unixid *id = &state->all_xids[i];
371 if ((id->id < dom_map->low_id) || (id->id > dom_map->high_id)) {
375 if (state->cached[i]) {
376 /* already found in cache */
379 if (!is_null_sid(&state->all_sids[i])) {
380 /* already mapped in a previously asked domain */
384 sid_copy(&state->all_sids[i], &state->dom_sids[dom_sid_idx]);
385 *id = state->dom_xids[dom_sid_idx];
390 tevent_req_done(req);
393 static void wb_xids2sids_dom_gotdc(struct tevent_req *subreq)
395 struct tevent_req *req = tevent_req_callback_data(
396 subreq, struct tevent_req);
397 struct wb_xids2sids_dom_state *state = tevent_req_data(
398 req, struct wb_xids2sids_dom_state);
399 struct winbindd_child *child = idmap_child();
400 struct netr_DsRGetDCNameInfo *dcinfo;
403 status = wb_dsgetdcname_recv(subreq, state, &dcinfo);
405 if (tevent_req_nterror(req, status)) {
409 state->tried_dclookup = true;
411 status = wb_dsgetdcname_gencache_set(state->dom_map->name, dcinfo);
412 if (tevent_req_nterror(req, status)) {
416 child = idmap_child();
417 subreq = dcerpc_wbint_UnixIDs2Sids_send(
418 state, state->ev, child->binding_handle, state->dom_map->name,
419 state->dom_map->sid, state->num_dom_xids,
420 state->dom_xids, state->dom_sids);
421 if (tevent_req_nomem(subreq, req)) {
424 tevent_req_set_callback(subreq, wb_xids2sids_dom_done, req);
427 static NTSTATUS wb_xids2sids_dom_recv(struct tevent_req *req)
429 return tevent_req_simple_recv_ntstatus(req);
432 struct wb_xids2sids_state {
433 struct tevent_context *ev;
436 struct dom_sid *sids;
442 static void wb_xids2sids_done(struct tevent_req *subreq);
443 static void wb_xids2sids_init_dom_maps_done(struct tevent_req *subreq);
445 struct tevent_req *wb_xids2sids_send(TALLOC_CTX *mem_ctx,
446 struct tevent_context *ev,
447 const struct unixid *xids,
450 struct tevent_req *req, *subreq;
451 struct wb_xids2sids_state *state;
453 req = tevent_req_create(mem_ctx, &state,
454 struct wb_xids2sids_state);
459 state->num_xids = num_xids;
461 state->xids = talloc_array(state, struct unixid, num_xids);
462 if (tevent_req_nomem(state->xids, req)) {
463 return tevent_req_post(req, ev);
465 memcpy(state->xids, xids, num_xids * sizeof(struct unixid));
467 state->sids = talloc_zero_array(state, struct dom_sid, num_xids);
468 if (tevent_req_nomem(state->sids, req)) {
469 return tevent_req_post(req, ev);
472 state->cached = talloc_zero_array(state, bool, num_xids);
473 if (tevent_req_nomem(state->cached, req)) {
474 return tevent_req_post(req, ev);
477 if (winbindd_use_idmap_cache()) {
480 for (i=0; i<num_xids; i++) {
481 struct dom_sid sid = {0};
482 bool ok, expired = true;
484 ok = idmap_cache_find_xid2sid(
485 &xids[i], &sid, &expired);
486 if (ok && !expired) {
487 struct dom_sid_buf buf;
488 DBG_DEBUG("Found %cID in cache: %s\n",
489 xids[i].type == ID_TYPE_UID?'U':'G',
490 dom_sid_str_buf(&sid, &buf));
492 sid_copy(&state->sids[i], &sid);
493 state->cached[i] = true;
498 subreq = wb_xids2sids_init_dom_maps_send(
500 if (tevent_req_nomem(subreq, req)) {
501 return tevent_req_post(req, ev);
503 tevent_req_set_callback(subreq, wb_xids2sids_init_dom_maps_done, req);
507 static void wb_xids2sids_init_dom_maps_done(struct tevent_req *subreq)
509 struct tevent_req *req = tevent_req_callback_data(
510 subreq, struct tevent_req);
511 struct wb_xids2sids_state *state = tevent_req_data(
512 req, struct wb_xids2sids_state);
516 status = wb_xids2sids_init_dom_maps_recv(subreq);
518 if (tevent_req_nterror(req, status)) {
522 num_domains = talloc_array_length(dom_maps);
523 if (num_domains == 0) {
524 tevent_req_done(req);
528 subreq = wb_xids2sids_dom_send(
529 state, state->ev, &dom_maps[state->dom_idx],
530 state->xids, state->cached, state->num_xids, state->sids);
531 if (tevent_req_nomem(subreq, req)) {
534 tevent_req_set_callback(subreq, wb_xids2sids_done, req);
538 static void wb_xids2sids_done(struct tevent_req *subreq)
540 struct tevent_req *req = tevent_req_callback_data(
541 subreq, struct tevent_req);
542 struct wb_xids2sids_state *state = tevent_req_data(
543 req, struct wb_xids2sids_state);
544 size_t num_domains = talloc_array_length(dom_maps);
548 status = wb_xids2sids_dom_recv(subreq);
550 if (tevent_req_nterror(req, status)) {
556 if (state->dom_idx < num_domains) {
557 subreq = wb_xids2sids_dom_send(state,
559 &dom_maps[state->dom_idx],
564 if (tevent_req_nomem(subreq, req)) {
567 tevent_req_set_callback(subreq, wb_xids2sids_done, req);
572 for (i = 0; i < state->num_xids; i++) {
574 * Prime the cache after an xid2sid call. It's important that we
575 * use the xid value returned from the backend for the xid value
576 * passed to idmap_cache_set_sid2unixid(), not the input to
577 * wb_xids2sids_send: the input carries what was asked for,
578 * e.g. a ID_TYPE_UID. The result from the backend something the
579 * idmap child possibly changed to ID_TYPE_BOTH.
581 * And of course If the value was from the cache don't update
585 if (state->cached[i]) {
589 idmap_cache_set_sid2unixid(&state->sids[i], &state->xids[i]);
592 tevent_req_done(req);
596 NTSTATUS wb_xids2sids_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
597 struct dom_sid **sids)
599 struct wb_xids2sids_state *state = tevent_req_data(
600 req, struct wb_xids2sids_state);
603 if (tevent_req_is_nterror(req, &status)) {
604 DEBUG(5, ("wb_sids_to_xids failed: %s\n", nt_errstr(status)));
608 *sids = talloc_move(mem_ctx, &state->sids);
git.samba.org / metze / samba / wip.git / blob