1058
1057
Store uid to SID mapping in cache.
1059
1058
*****************************************************************/
1061
void store_uid_sid_cache(const DOM_SID *psid, uid_t uid)
1060
void store_uid_sid_cache(const struct dom_sid *psid, uid_t uid)
1063
1062
memcache_add(NULL, SID_UID_CACHE,
1064
data_blob_const(psid, ndr_size_dom_sid(psid, NULL, 0)),
1063
data_blob_const(psid, ndr_size_dom_sid(psid, 0)),
1065
1064
data_blob_const(&uid, sizeof(uid)));
1066
1065
memcache_add(NULL, UID_SID_CACHE,
1067
1066
data_blob_const(&uid, sizeof(uid)),
1068
data_blob_const(psid, ndr_size_dom_sid(psid, NULL, 0)));
1067
data_blob_const(psid, ndr_size_dom_sid(psid, 0)));
1071
1070
/*****************************************************************
1072
1071
Find a SID given a gid.
1073
1072
*****************************************************************/
1075
static bool fetch_sid_from_gid_cache(DOM_SID *psid, gid_t gid)
1074
static bool fetch_sid_from_gid_cache(struct dom_sid *psid, gid_t gid)
1077
1076
DATA_BLOB cache_value;
1113
1112
Store gid to SID mapping in cache.
1114
1113
*****************************************************************/
1116
void store_gid_sid_cache(const DOM_SID *psid, gid_t gid)
1115
void store_gid_sid_cache(const struct dom_sid *psid, gid_t gid)
1118
1117
memcache_add(NULL, SID_GID_CACHE,
1119
data_blob_const(psid, ndr_size_dom_sid(psid, NULL, 0)),
1118
data_blob_const(psid, ndr_size_dom_sid(psid, 0)),
1120
1119
data_blob_const(&gid, sizeof(gid)));
1121
1120
memcache_add(NULL, GID_SID_CACHE,
1122
1121
data_blob_const(&gid, sizeof(gid)),
1123
data_blob_const(psid, ndr_size_dom_sid(psid, NULL, 0)));
1122
data_blob_const(psid, ndr_size_dom_sid(psid, 0)));
1126
1125
/*****************************************************************
1127
1126
*THE LEGACY* convert uid_t to SID function.
1128
1127
*****************************************************************/
1130
static void legacy_uid_to_sid(DOM_SID *psid, uid_t uid)
1129
static void legacy_uid_to_sid(struct dom_sid *psid, uid_t uid)
1398
bool sids_to_unix_ids(const struct dom_sid *sids, uint32_t num_sids,
1399
struct wbcUnixId *ids)
1401
struct wbcDomainSid *wbc_sids = NULL;
1402
struct wbcUnixId *wbc_ids = NULL;
1403
uint32_t i, num_not_cached;
1407
wbc_sids = TALLOC_ARRAY(talloc_tos(), struct wbcDomainSid, num_sids);
1408
if (wbc_sids == NULL) {
1414
for (i=0; i<num_sids; i++) {
1418
if (fetch_uid_from_cache(&ids[i].id.uid, &sids[i])) {
1419
ids[i].type = WBC_ID_TYPE_UID;
1422
if (fetch_gid_from_cache(&ids[i].id.gid, &sids[i])) {
1423
ids[i].type = WBC_ID_TYPE_GID;
1426
if (sid_peek_check_rid(&global_sid_Unix_Users,
1428
ids[i].type = WBC_ID_TYPE_UID;
1429
ids[i].id.uid = rid;
1432
if (sid_peek_check_rid(&global_sid_Unix_Groups,
1434
ids[i].type = WBC_ID_TYPE_GID;
1435
ids[i].id.gid = rid;
1438
if (idmap_cache_find_sid2uid(&sids[i], &ids[i].id.uid,
1441
ids[i].type = WBC_ID_TYPE_UID;
1444
if (idmap_cache_find_sid2gid(&sids[i], &ids[i].id.gid,
1447
ids[i].type = WBC_ID_TYPE_GID;
1450
ids[i].type = WBC_ID_TYPE_NOT_SPECIFIED;
1451
memcpy(&wbc_sids[num_not_cached], &sids[i],
1452
ndr_size_dom_sid(&sids[i], 0));
1453
num_not_cached += 1;
1455
if (num_not_cached == 0) {
1458
wbc_ids = TALLOC_ARRAY(talloc_tos(), struct wbcUnixId, num_not_cached);
1459
if (wbc_ids == NULL) {
1462
for (i=0; i<num_not_cached; i++) {
1463
wbc_ids[i].type = WBC_ID_TYPE_NOT_SPECIFIED;
1465
err = wbcSidsToUnixIds(wbc_sids, num_not_cached, wbc_ids);
1466
if (!WBC_ERROR_IS_OK(err)) {
1467
DEBUG(10, ("wbcSidsToUnixIds returned %s\n",
1468
wbcErrorString(err)));
1473
for (i=0; i<num_sids; i++) {
1474
if (ids[i].type == WBC_ID_TYPE_NOT_SPECIFIED) {
1475
ids[i] = wbc_ids[num_not_cached];
1476
num_not_cached += 1;
1480
for (i=0; i<num_sids; i++) {
1481
if (ids[i].type != WBC_ID_TYPE_NOT_SPECIFIED) {
1484
if (legacy_sid_to_gid(&sids[i], &ids[i].id.gid)) {
1485
ids[i].type = WBC_ID_TYPE_GID;
1488
if (legacy_sid_to_uid(&sids[i], &ids[i].id.uid)) {
1489
ids[i].type = WBC_ID_TYPE_UID;
1496
TALLOC_FREE(wbc_ids);
1497
TALLOC_FREE(wbc_sids);
1401
1501
/*****************************************************************
1402
1502
*THE CANONICAL* convert SID to uid function.
1403
1503
*****************************************************************/
1405
bool sid_to_uid(const DOM_SID *psid, uid_t *puid)
1505
bool sid_to_uid(const struct dom_sid *psid, uid_t *puid)
1407
1507
bool expired = true;
1520
1620
store_gid_sid_cache(psid, *pgid);
1625
* @brief This function gets the primary group SID mapping the primary
1626
* GID of the user as obtained by an actual getpwnam() call.
1627
* This is necessary to avoid issues with arbitrary group SIDs
1628
* stored in passdb. We try as hard as we can to get the SID
1629
* corresponding to the GID, including trying group mapping.
1630
* If nothing else works, we will force "Domain Users" as the
1632
* This is needed because we must always be able to lookup the
1633
* primary group SID, so we cannot settle for an arbitrary SID.
1635
* This call can be expensive. Use with moderation.
1636
* If you have a "samu" struct around use pdb_get_group_sid()
1637
* instead as it does properly cache results.
1639
* @param mem_ctx[in] The memory context iused to allocate the result.
1640
* @param username[in] The user's name
1641
* @param _pwd[in|out] If available, pass in user's passwd struct.
1642
* It will contain a tallocated passwd if NULL was
1644
* @param _group_sid[out] The user's Primary Group SID
1646
* @return NTSTATUS error code.
1648
NTSTATUS get_primary_group_sid(TALLOC_CTX *mem_ctx,
1649
const char *username,
1650
struct passwd **_pwd,
1651
struct dom_sid **_group_sid)
1653
TALLOC_CTX *tmp_ctx;
1654
bool need_lookup_sid = false;
1655
struct dom_sid *group_sid;
1656
struct passwd *pwd = *_pwd;
1658
tmp_ctx = talloc_new(mem_ctx);
1660
return NT_STATUS_NO_MEMORY;
1664
pwd = Get_Pwnam_alloc(mem_ctx, username);
1666
DEBUG(0, ("Failed to find a Unix account for %s",
1668
TALLOC_FREE(tmp_ctx);
1669
return NT_STATUS_NO_SUCH_USER;
1673
group_sid = talloc_zero(mem_ctx, struct dom_sid);
1675
TALLOC_FREE(tmp_ctx);
1676
return NT_STATUS_NO_MEMORY;
1679
gid_to_sid(group_sid, pwd->pw_gid);
1680
if (!is_null_sid(group_sid)) {
1681
struct dom_sid domain_sid;
1684
/* We need a sid within our domain */
1685
sid_copy(&domain_sid, group_sid);
1686
sid_split_rid(&domain_sid, &rid);
1687
if (dom_sid_equal(&domain_sid, get_global_sam_sid())) {
1689
* As shortcut for the expensive lookup_sid call
1690
* compare the domain sid part
1693
case DOMAIN_RID_ADMINS:
1694
case DOMAIN_RID_USERS:
1697
need_lookup_sid = true;
1701
/* Try group mapping */
1702
ZERO_STRUCTP(group_sid);
1703
if (pdb_gid_to_sid(pwd->pw_gid, group_sid)) {
1704
need_lookup_sid = true;
1709
/* We must verify that this is a valid SID that resolves to a
1710
* group of the correct type */
1711
if (need_lookup_sid) {
1712
enum lsa_SidType type = SID_NAME_UNKNOWN;
1715
DEBUG(10, ("do lookup_sid(%s) for group of user %s\n",
1716
sid_string_dbg(group_sid), username));
1718
/* Now check that it's actually a domain group and
1719
* not something else */
1720
lookup_ret = lookup_sid(tmp_ctx, group_sid,
1723
if (lookup_ret && (type == SID_NAME_DOM_GRP)) {
1727
DEBUG(3, ("Primary group %s for user %s is"
1728
" a %s and not a domain group\n",
1729
sid_string_dbg(group_sid), username,
1730
sid_type_lookup(type)));
1733
/* Everything else, failed.
1734
* Just set it to the 'Domain Users' RID of 513 which will
1735
always resolve to a name */
1736
DEBUG(3, ("Forcing Primary Group to 'Domain Users' for %s\n",
1739
sid_compose(group_sid, get_global_sam_sid(), DOMAIN_RID_USERS);
1742
*_pwd = talloc_move(mem_ctx, &pwd);
1743
*_group_sid = talloc_move(mem_ctx, &group_sid);
1744
TALLOC_FREE(tmp_ctx);
1745
return NT_STATUS_OK;
1748
bool delete_uid_cache(uid_t puid)
1750
DATA_BLOB uid = data_blob_const(&puid, sizeof(puid));
1753
if (!memcache_lookup(NULL, UID_SID_CACHE, uid, &sid)) {
1754
DEBUG(3, ("UID %d is not memcached!\n", (int)puid));
1757
DEBUG(3, ("Delete mapping UID %d <-> %s from memcache\n", (int)puid,
1758
sid_string_dbg((struct dom_sid*)sid.data)));
1759
memcache_delete(NULL, SID_UID_CACHE, sid);
1760
memcache_delete(NULL, UID_SID_CACHE, uid);
1764
bool delete_gid_cache(gid_t pgid)
1766
DATA_BLOB gid = data_blob_const(&pgid, sizeof(pgid));
1768
if (!memcache_lookup(NULL, GID_SID_CACHE, gid, &sid)) {
1769
DEBUG(3, ("GID %d is not memcached!\n", (int)pgid));
1772
DEBUG(3, ("Delete mapping GID %d <-> %s from memcache\n", (int)pgid,
1773
sid_string_dbg((struct dom_sid*)sid.data)));
1774
memcache_delete(NULL, SID_GID_CACHE, sid);
1775
memcache_delete(NULL, GID_SID_CACHE, gid);
1779
bool delete_sid_cache(const struct dom_sid* psid)
1781
DATA_BLOB sid = data_blob_const(psid, ndr_size_dom_sid(psid, 0));
1783
if (memcache_lookup(NULL, SID_GID_CACHE, sid, &id)) {
1784
DEBUG(3, ("Delete mapping %s <-> GID %d from memcache\n",
1785
sid_string_dbg(psid), *(int*)id.data));
1786
memcache_delete(NULL, SID_GID_CACHE, sid);
1787
memcache_delete(NULL, GID_SID_CACHE, id);
1788
} else if (memcache_lookup(NULL, SID_UID_CACHE, sid, &id)) {
1789
DEBUG(3, ("Delete mapping %s <-> UID %d from memcache\n",
1790
sid_string_dbg(psid), *(int*)id.data));
1791
memcache_delete(NULL, SID_UID_CACHE, sid);
1792
memcache_delete(NULL, UID_SID_CACHE, id);
1794
DEBUG(3, ("SID %s is not memcached!\n", sid_string_dbg(psid)));
1800
void flush_gid_cache(void)
1802
DEBUG(3, ("Flush GID <-> SID memcache\n"));
1803
memcache_flush(NULL, SID_GID_CACHE);
1804
memcache_flush(NULL, GID_SID_CACHE);
1807
void flush_uid_cache(void)
1809
DEBUG(3, ("Flush UID <-> SID memcache\n"));
1810
memcache_flush(NULL, SID_UID_CACHE);
1811
memcache_flush(NULL, UID_SID_CACHE);