2
* idmap_autorid: static map between Active Directory/NT RIDs
3
* and RFC 2307 accounts
5
* based on the idmap_rid module, but this module defines the ranges
6
* for the domains by automatically allocating a range for each domain
8
* Copyright (C) Christian Ambach, 2010-2011
10
* This program is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU General Public License as published by
12
* the Free Software Foundation; either version 3 of the License, or
13
* (at your option) any later version.
15
* This program is distributed in the hope that it will be useful,
16
* but WITHOUT ANY WARRANTY; without even the implied warranty of
17
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18
* GNU General Public License for more details.
20
* You should have received a copy of the GNU General Public License
21
* along with this program; if not, see <http://www.gnu.org/licenses/>.
26
#include "system/filesys.h"
30
#include "../libcli/security/dom_sid.h"
34
#define DBGC_CLASS DBGC_IDMAP
36
#define HWM "NEXT RANGE"
37
#define CONFIGKEY "CONFIG"
39
struct autorid_global_config {
45
struct autorid_domain_config {
48
struct autorid_global_config *globalcfg;
51
/* handle to the tdb storing domain <-> range assignments */
52
static struct db_context *autorid_db;
54
static NTSTATUS idmap_autorid_get_domainrange(struct db_context *db,
58
uint32_t domainnum, hwm;
61
struct autorid_domain_config *cfg;
63
cfg = (struct autorid_domain_config *)private_data;
64
dom_sid_string_buf(&(cfg->sid), sidstr, sizeof(sidstr));
66
if (!dbwrap_fetch_uint32(db, sidstr, &domainnum)) {
67
DEBUG(10, ("Acquiring new range for domain %s\n", sidstr));
69
/* fetch the current HWM */
70
if (!dbwrap_fetch_uint32(db, HWM, &hwm)) {
71
DEBUG(1, ("Fatal error while fetching current "
73
ret = NT_STATUS_INTERNAL_ERROR;
77
/* do we have a range left? */
78
if (hwm >= cfg->globalcfg->maxranges) {
79
DEBUG(1, ("No more domain ranges available!\n"));
80
ret = NT_STATUS_NO_MEMORY;
84
/* increase the HWM */
85
ret = dbwrap_change_uint32_atomic(db, HWM, &domainnum, 1);
86
if (!NT_STATUS_IS_OK(ret)) {
87
DEBUG(1, ("Fatal error while fetching a new "
88
"domain range value!\n"));
92
/* store away the new mapping in both directions */
93
ret = dbwrap_trans_store_uint32(db, sidstr, domainnum);
94
if (!NT_STATUS_IS_OK(ret)) {
95
DEBUG(1, ("Fatal error while storing new "
96
"domain->range assignment!\n"));
100
numstr = talloc_asprintf(db, "%u", domainnum);
102
ret = NT_STATUS_NO_MEMORY;
106
ret = dbwrap_trans_store_bystring(db, numstr,
107
string_term_tdb_data(sidstr),
110
if (!NT_STATUS_IS_OK(ret)) {
111
DEBUG(1, ("Fatal error while storing "
112
"new domain->range assignment!\n"));
115
DEBUG(5, ("Acquired new range #%d for domain %s\n",
119
DEBUG(10, ("Using range #%d for domain %s\n", domainnum, sidstr));
120
cfg->domainnum = domainnum;
129
static NTSTATUS idmap_autorid_id_to_sid(struct autorid_global_config *cfg,
137
/* can this be one of our ids? */
138
if (map->xid.id < cfg->minvalue) {
139
DEBUG(10, ("id %d is lower than minimum value, "
140
"ignoring mapping request\n", map->xid.id));
141
map->status = ID_UNKNOWN;
145
if (map->xid.id > (cfg->minvalue + cfg->rangesize * cfg->maxranges)) {
146
DEBUG(10, ("id %d is outside of maximum id value, "
147
"ignoring mapping request\n", map->xid.id));
148
map->status = ID_UNKNOWN;
152
/* determine the range of this uid */
153
range = ((map->xid.id - cfg->minvalue) / cfg->rangesize);
155
keystr = talloc_asprintf(talloc_tos(), "%u", range);
157
return NT_STATUS_NO_MEMORY;
160
data = dbwrap_fetch_bystring(autorid_db, talloc_tos(), keystr);
164
DEBUG(4, ("id %d belongs to range %d which does not have "
165
"domain mapping, ignoring mapping request\n",
166
map->xid.id, range));
167
map->status = ID_UNKNOWN;
171
string_to_sid(&sid, (const char *)data.dptr);
172
TALLOC_FREE(data.dptr);
174
sid_compose(map->sid, &sid,
175
(map->xid.id - cfg->minvalue -
176
range * cfg->rangesize));
178
/* We **really** should have some way of validating
179
the SID exists and is the correct type here. But
180
that is a deficiency in the idmap_rid design. */
182
map->status = ID_MAPPED;
186
/**********************************
187
Single sid to id lookup function.
188
**********************************/
190
static NTSTATUS idmap_autorid_sid_to_id(struct autorid_global_config *global,
191
struct autorid_domain_config *domain,
196
sid_peek_rid(map->sid, &rid);
198
/* if the rid is higher than the size of the range, we cannot map it */
199
if (rid >= global->rangesize) {
200
map->status = ID_UNKNOWN;
201
DEBUG(2, ("RID %d is larger then size of range (%d), "
202
"user cannot be mapped\n", rid, global->rangesize));
203
return NT_STATUS_UNSUCCESSFUL;
205
map->xid.id = global->minvalue +
206
(global->rangesize * domain->domainnum)+rid;
208
/* We **really** should have some way of validating
209
the SID exists and is the correct type here. But
210
that is a deficiency in the idmap_rid design. */
212
map->status = ID_MAPPED;
217
/**********************************
218
lookup a set of unix ids.
219
**********************************/
221
static NTSTATUS idmap_autorid_unixids_to_sids(struct idmap_domain *dom,
224
struct autorid_global_config *globalcfg;
228
/* initialize the status to avoid surprise */
229
for (i = 0; ids[i]; i++) {
230
ids[i]->status = ID_UNKNOWN;
233
globalcfg = talloc_get_type(dom->private_data,
234
struct autorid_global_config);
236
for (i = 0; ids[i]; i++) {
238
ret = idmap_autorid_id_to_sid(globalcfg, ids[i]);
240
if ((!NT_STATUS_IS_OK(ret)) &&
241
(!NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
242
/* some fatal error occurred, log it */
243
DEBUG(3, ("Unexpected error resolving an ID "
244
" (%d)\n", ids[i]->xid.id));
254
/**********************************
255
lookup a set of sids.
256
**********************************/
258
static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom,
261
struct autorid_global_config *global;
265
/* initialize the status to avoid surprise */
266
for (i = 0; ids[i]; i++) {
267
ids[i]->status = ID_UNKNOWN;
270
global = talloc_get_type(dom->private_data,
271
struct autorid_global_config);
273
for (i = 0; ids[i]; i++) {
274
struct winbindd_tdc_domain *domain;
275
struct autorid_domain_config domaincfg;
278
ZERO_STRUCT(domaincfg);
280
sid_copy(&domaincfg.sid, ids[i]->sid);
281
if (!sid_split_rid(&domaincfg.sid, &rid)) {
282
DEBUG(4, ("Could not determine domain SID from %s, "
283
"ignoring mapping request\n",
284
sid_string_dbg(ids[i]->sid)));
289
* Check if the domain is around
291
domain = wcache_tdc_fetch_domainbysid(talloc_tos(),
293
if (domain == NULL) {
294
DEBUG(10, ("Ignoring unknown domain sid %s\n",
295
sid_string_dbg(&domaincfg.sid)));
300
domaincfg.globalcfg = global;
302
ret = dbwrap_trans_do(autorid_db,
303
idmap_autorid_get_domainrange,
306
if (!NT_STATUS_IS_OK(ret)) {
307
DEBUG(3, ("Could not determine range for domain, "
308
"check previous messages for reason\n"));
312
ret = idmap_autorid_sid_to_id(global, &domaincfg, ids[i]);
314
if ((!NT_STATUS_IS_OK(ret)) &&
315
(!NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
316
/* some fatal error occurred, log it */
317
DEBUG(3, ("Unexpected error resolving a SID (%s)\n",
318
sid_string_dbg(ids[i]->sid)));
330
* open and initialize the database which stores the ranges for the domains
332
static NTSTATUS idmap_autorid_db_init(void)
337
/* its already open */
341
/* Open idmap repository */
342
autorid_db = db_open(NULL, state_path("autorid.tdb"), 0,
343
TDB_DEFAULT, O_RDWR | O_CREAT, 0644);
346
DEBUG(0, ("Unable to open idmap_autorid database '%s'\n",
347
state_path("autorid.tdb")));
348
return NT_STATUS_UNSUCCESSFUL;
351
/* Initialize high water mark for the currently used range to 0 */
352
hwm = dbwrap_fetch_int32(autorid_db, HWM);
355
(dbwrap_trans_store_int32(autorid_db, HWM, 0))) {
357
("Unable to initialise HWM in autorid "
359
return NT_STATUS_INTERNAL_DB_ERROR;
366
static struct autorid_global_config *idmap_autorid_loadconfig(TALLOC_CTX * ctx)
370
struct autorid_global_config *cfg;
371
unsigned long minvalue, rangesize, maxranges;
373
data = dbwrap_fetch_bystring(autorid_db, ctx, CONFIGKEY);
376
DEBUG(10, ("No saved config found\n"));
380
cfg = TALLOC_ZERO_P(ctx, struct autorid_global_config);
385
if (sscanf((char *)data.dptr,
386
"minvalue:%lu rangesize:%lu maxranges:%lu",
387
&minvalue, &rangesize, &maxranges) != 3) {
389
("Found invalid configuration data"
390
"creating new config\n"));
394
cfg->minvalue = minvalue;
395
cfg->rangesize = rangesize;
396
cfg->maxranges = maxranges;
398
DEBUG(10, ("Loaded previously stored configuration "
399
"minvalue:%d rangesize:%d\n",
400
cfg->minvalue, cfg->rangesize));
406
static NTSTATUS idmap_autorid_saveconfig(struct autorid_global_config *cfg)
414
talloc_asprintf(talloc_tos(),
415
"minvalue:%u rangesize:%u maxranges:%u",
416
cfg->minvalue, cfg->rangesize, cfg->maxranges);
419
return NT_STATUS_NO_MEMORY;
422
data = string_tdb_data(cfgstr);
424
status = dbwrap_trans_store_bystring(autorid_db, CONFIGKEY,
432
static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
434
struct autorid_global_config *config;
435
struct autorid_global_config *storedconfig = NULL;
439
if (!strequal(dom->name, "*")) {
440
DEBUG(0, ("idmap_autorid_initialize: Error: autorid configured "
441
"for domain '%s'. But autorid can only be used for "
442
"the default idmap configuration.\n", dom->name));
443
return NT_STATUS_INVALID_PARAMETER;
446
config = TALLOC_ZERO_P(dom, struct autorid_global_config);
448
DEBUG(0, ("Out of memory!\n"));
449
return NT_STATUS_NO_MEMORY;
452
status = idmap_autorid_db_init();
453
if (!NT_STATUS_IS_OK(status)) {
457
config->minvalue = dom->low_id;
458
config->rangesize = lp_parm_int(-1, "idmap config *", "rangesize", 100000);
460
if (config->rangesize < 2000) {
461
DEBUG(1, ("autorid rangesize must be at least 2000\n"));
462
status = NT_STATUS_INVALID_PARAMETER;
466
config->maxranges = (dom->high_id - dom->low_id + 1) /
469
if (config->maxranges == 0) {
470
DEBUG(1, ("allowed uid range is smaller then rangesize, "
471
"increase uid range or decrease rangesize\n"));
472
status = NT_STATUS_INVALID_PARAMETER;
476
/* check if the high-low limit is a multiple of the rangesize */
477
if ((dom->high_id - dom->low_id + 1) % config->rangesize != 0) {
478
DEBUG(5, ("High uid-low uid difference of %d "
479
"is not a multiple of the rangesize %d, "
480
"limiting ranges to lower boundary number of %d\n",
481
(dom->high_id - dom->low_id + 1), config->rangesize,
485
DEBUG(10, ("Current configuration in config is "
486
"minvalue:%d rangesize:%d maxranges:%d\n",
487
config->minvalue, config->rangesize, config->maxranges));
489
/* read previously stored config and current HWM */
490
storedconfig = idmap_autorid_loadconfig(talloc_tos());
492
if (!dbwrap_fetch_uint32(autorid_db, HWM, &hwm)) {
493
DEBUG(1, ("Fatal error while fetching current "
495
status = NT_STATUS_INTERNAL_ERROR;
499
/* did the minimum value or rangesize change? */
501
((storedconfig->minvalue != config->minvalue) ||
502
(storedconfig->rangesize != config->rangesize))) {
503
DEBUG(1, ("New configuration values for rangesize or "
504
"minimum uid value conflict with previously "
505
"used values! Aborting initialization\n"));
506
status = NT_STATUS_INVALID_PARAMETER;
511
* has the highest uid value been reduced to setting that is not
512
* sufficient any more for already existing ranges?
514
if (hwm > config->maxranges) {
515
DEBUG(1, ("New upper uid limit is too low to cover "
516
"existing mappings! Aborting initialization\n"));
517
status = NT_STATUS_INVALID_PARAMETER;
521
status = idmap_autorid_saveconfig(config);
523
if (!NT_STATUS_IS_OK(status)) {
524
DEBUG(1, ("Failed to store configuration data!\n"));
528
DEBUG(5, ("%d domain ranges with a size of %d are available\n",
529
config->maxranges, config->rangesize));
531
dom->private_data = config;
539
talloc_free(storedconfig);
545
Close the idmap tdb instance
547
static struct idmap_methods autorid_methods = {
548
.init = idmap_autorid_initialize,
549
.unixids_to_sids = idmap_autorid_unixids_to_sids,
550
.sids_to_unixids = idmap_autorid_sids_to_unixids,
553
NTSTATUS idmap_autorid_init(void)
555
return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
556
"autorid", &autorid_methods);