2
* Unix SMB/CIFS implementation.
4
* group mapping code on top of ldb
6
* Copyright (C) Andrew Tridgell 2006
8
* based on tdb group mapping code from groupdb/mapping.c
10
* This program is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU General Public License as published by
12
* the Free Software Foundation; either version 3 of the License, or
13
* (at your option) any later version.
15
* This program is distributed in the hope that it will be useful,
16
* but WITHOUT ANY WARRANTY; without even the implied warranty of
17
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18
* GNU General Public License for more details.
20
* You should have received a copy of the GNU General Public License
21
* along with this program; if not, see <http://www.gnu.org/licenses/>.
25
#include "groupdb/mapping.h"
26
#include "lib/ldb/include/includes.h"
27
#include "lib/ldb/include/ldb_errors.h"
29
static struct ldb_context *ldb;
31
static bool mapping_upgrade(const char *tdb_path);
34
connect to the group mapping ldb
36
static bool init_group_mapping(void)
39
const char *init_ldif[] =
40
{ "dn: @ATTRIBUTES\n" \
41
"ntName: CASE_INSENSITIVE\n" \
44
"@IDXATTR: gidNumber\n" \
45
"@IDXATTR: ntName\n" \
46
"@IDXATTR: member\n" };
47
const char *db_path, *tdb_path;
55
/* this is needed as Samba3 doesn't have this globally yet */
58
db_path = state_path("group_mapping.ldb");
61
if (ldb == NULL) goto failed;
63
/* Ensure this db is created read/write for root only. */
64
ldb_set_create_perms(ldb, 0600);
66
existed = file_exist(db_path);
68
if (lp_parm_bool(-1, "groupmap", "nosync", False)) {
69
flags |= LDB_FLG_NOSYNC;
73
flags |= LDB_FLG_NOMMAP;
76
ret = ldb_connect(ldb, db_path, flags, NULL);
77
if (ret != LDB_SUCCESS) {
81
/* force the permissions on the ldb to 0600 - this will fix
82
existing databases as well as new ones */
83
if (chmod(db_path, 0600) != 0) {
88
/* initialise the ldb with an index */
89
struct ldb_ldif *ldif;
91
for (i=0;i<ARRAY_SIZE(init_ldif);i++) {
92
ldif = ldb_ldif_read_string(ldb, &init_ldif[i]);
93
if (ldif == NULL) goto failed;
94
ret = ldb_add(ldb, ldif->msg);
96
if (ret == -1) goto failed;
100
/* possibly upgrade */
101
tdb_path = state_path("group_mapping.tdb");
102
if (file_exist(tdb_path) && !mapping_upgrade(tdb_path)) {
103
unlink(state_path("group_mapping.ldb"));
110
DEBUG(0,("Failed to open group mapping ldb '%s' - '%s'\n",
111
db_path, ldb?ldb_errstring(ldb):strerror(errno)));
119
form the DN for a mapping entry from a SID
121
static struct ldb_dn *mapping_dn(TALLOC_CTX *mem_ctx, const DOM_SID *sid)
127
sid_copy(&domsid, sid);
128
if (!sid_split_rid(&domsid, &rid)) {
131
if (!sid_to_fstring(string_sid, &domsid)) {
134
/* we split by domain and rid so we can do a subtree search
135
when we only want one domain */
136
return ldb_dn_string_compose(mem_ctx, NULL, "rid=%u,domain=%s",
141
add a group mapping entry
143
static bool add_mapping_entry(GROUP_MAP *map, int flag)
145
struct ldb_message *msg;
149
msg = ldb_msg_new(ldb);
154
msg->dn = mapping_dn(msg, &map->sid);
155
if (msg->dn == NULL) {
159
if (ldb_msg_add_string(msg, "objectClass", "groupMap") != LDB_SUCCESS ||
160
ldb_msg_add_string(msg, "sid",
161
sid_to_fstring(string_sid, &map->sid)) != LDB_SUCCESS ||
162
ldb_msg_add_fmt(msg, "gidNumber", "%u", (unsigned)map->gid) != LDB_SUCCESS ||
163
ldb_msg_add_fmt(msg, "sidNameUse", "%u", (unsigned)map->sid_name_use) != LDB_SUCCESS ||
164
ldb_msg_add_string(msg, "comment", map->comment) != LDB_SUCCESS ||
165
ldb_msg_add_string(msg, "ntName", map->nt_name) != LDB_SUCCESS) {
169
ret = ldb_add(ldb, msg);
171
/* if it exists we update it. This is a hangover from the semantics the
173
if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) {
174
for (i=0;i<msg->num_elements;i++) {
175
msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
177
ret = ldb_modify(ldb, msg);
182
return ret == LDB_SUCCESS;
190
unpack a ldb message into a GROUP_MAP structure
192
static bool msg_to_group_map(struct ldb_message *msg, GROUP_MAP *map)
196
map->gid = ldb_msg_find_attr_as_int(msg, "gidNumber", -1);
197
map->sid_name_use = ldb_msg_find_attr_as_int(msg, "sidNameUse", -1);
198
fstrcpy(map->nt_name, ldb_msg_find_attr_as_string(msg, "ntName", NULL));
199
fstrcpy(map->comment, ldb_msg_find_attr_as_string(msg, "comment", NULL));
200
sidstr = ldb_msg_find_attr_as_string(msg, "sid", NULL);
202
if (!string_to_sid(&map->sid, sidstr) ||
203
map->gid == (gid_t)-1 ||
204
map->sid_name_use == (enum lsa_SidType)-1) {
205
DEBUG(0,("Unable to unpack group mapping\n"));
213
return a group map entry for a given sid
215
static bool get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
219
struct ldb_result *res=NULL;
222
dn = mapping_dn(talloc_tos(), &sid);
227
ret = ldb_search(ldb, dn, &res, dn, LDB_SCOPE_BASE, NULL, NULL);
228
if (ret != LDB_SUCCESS || res->count != 1) {
232
if (!msg_to_group_map(res->msgs[0], map)) {
243
return a group map entry for a given gid
245
static bool get_group_map_from_gid(gid_t gid, GROUP_MAP *map)
248
struct ldb_result *res=NULL;
251
ret = ldb_search(ldb, talloc_tos(), &res, NULL, LDB_SCOPE_SUBTREE,
252
NULL, "(&(gidNumber=%u)(objectClass=groupMap))",
254
if (ret != LDB_SUCCESS || res->count != 1) {
258
if (!msg_to_group_map(res->msgs[0], map)) {
269
Return the sid and the type of the unix group.
271
static bool get_group_map_from_ntname(const char *name, GROUP_MAP *map)
274
struct ldb_result *res=NULL;
277
ret = ldb_search(ldb, talloc_tos(), &res, NULL, LDB_SCOPE_SUBTREE,
278
NULL, "(&(ntName=%s)(objectClass=groupMap))", name);
279
if (ret != LDB_SUCCESS || res->count != 1) {
283
if (!msg_to_group_map(res->msgs[0], map)) {
294
Remove a group mapping entry.
296
static bool group_map_remove(const DOM_SID *sid)
301
dn = mapping_dn(ldb, sid);
305
ret = ldb_delete(ldb, dn);
308
return ret == LDB_SUCCESS;
313
Enumerate the group mappings for a domain
315
static bool enum_group_mapping(const DOM_SID *domsid, enum lsa_SidType sid_name_use,
317
size_t *p_num_entries, bool unix_only)
321
struct ldb_result *res = NULL;
322
struct ldb_dn *basedn=NULL;
325
tmp_ctx = talloc_new(ldb);
326
if (tmp_ctx == NULL) goto failed;
328
/* we do a subtree search on the domain */
329
if (domsid != NULL) {
330
sid_to_fstring(name, domsid);
331
basedn = ldb_dn_string_compose(tmp_ctx, NULL, "domain=%s", name);
332
if (basedn == NULL) goto failed;
335
if (sid_name_use == SID_NAME_UNKNOWN) {
336
ret = ldb_search(ldb, tmp_ctx, &res, basedn, LDB_SCOPE_SUBTREE,
337
NULL, "(&(objectClass=groupMap))");
339
ret = ldb_search(ldb, tmp_ctx, &res, basedn, LDB_SCOPE_SUBTREE,
340
NULL, "(&(sidNameUse=%u)(objectClass=groupMap))",
344
if (ret != LDB_SUCCESS) goto failed;
349
for (i=0;i<res->count;i++) {
350
(*pp_rmap) = SMB_REALLOC_ARRAY((*pp_rmap), GROUP_MAP,
352
if (!(*pp_rmap)) goto failed;
354
if (!msg_to_group_map(res->msgs[i], &(*pp_rmap)[*p_num_entries])) {
361
talloc_free(tmp_ctx);
365
talloc_free(tmp_ctx);
370
This operation happens on session setup, so it should better be fast. We
371
store a list of aliases a SID is member of hanging off MEMBEROF/SID.
373
static NTSTATUS one_alias_membership(const DOM_SID *member,
374
DOM_SID **sids, size_t *num)
376
const char *attrs[] = {
382
struct ldb_result *res=NULL;
386
if (!sid_to_fstring(string_sid, member)) {
387
return NT_STATUS_INVALID_PARAMETER;
390
ret = ldb_search(ldb, talloc_tos(), &res, NULL, LDB_SCOPE_SUBTREE,
391
attrs, "(&(member=%s)(objectClass=groupMap))",
393
if (ret != LDB_SUCCESS) {
394
status = NT_STATUS_INTERNAL_DB_CORRUPTION;
398
for (i=0;i<res->count;i++) {
399
struct ldb_message_element *el;
400
el = ldb_msg_find_element(res->msgs[i], "sid");
401
if (el == NULL || el->num_values != 1) {
402
status = NT_STATUS_INTERNAL_DB_CORRUPTION;
405
string_to_sid(&alias, (char *)el->values[0].data);
406
status = add_sid_to_array_unique(NULL, &alias, sids, num);
407
if (!NT_STATUS_IS_OK(status)) {
412
status = NT_STATUS_OK;
419
add/remove a member field
421
static NTSTATUS modify_aliasmem(const DOM_SID *alias, const DOM_SID *member,
426
struct ldb_message msg;
427
struct ldb_message_element el;
432
if (!get_group_map_from_sid(*alias, &map)) {
433
sid_to_fstring(string_sid, alias);
434
return NT_STATUS_NO_SUCH_ALIAS;
437
if ((map.sid_name_use != SID_NAME_ALIAS) &&
438
(map.sid_name_use != SID_NAME_WKN_GRP)) {
439
DEBUG(0,("sid_name_use=%d\n", map.sid_name_use));
440
return NT_STATUS_NO_SUCH_ALIAS;
443
tmp_ctx = talloc_new(NULL);
444
if (tmp_ctx == NULL) {
445
return NT_STATUS_NO_MEMORY;
448
msg.dn = mapping_dn(tmp_ctx, alias);
449
if (msg.dn == NULL) {
450
return NT_STATUS_NO_MEMORY;
452
msg.num_elements = 1;
454
el.flags = operation;
455
el.name = talloc_strdup(tmp_ctx, "member");
458
sid_to_fstring(string_sid, member);
459
val.data = (uint8_t *)string_sid;
460
val.length = strlen(string_sid);
462
ret = ldb_modify(ldb, &msg);
463
talloc_free(tmp_ctx);
465
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
466
return NT_STATUS_NO_SUCH_ALIAS;
469
if (operation == LDB_FLAG_MOD_ADD &&
470
ret == LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS) {
471
return NT_STATUS_MEMBER_IN_ALIAS;
474
return (ret == LDB_SUCCESS ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED);
477
static NTSTATUS add_aliasmem(const DOM_SID *alias, const DOM_SID *member)
479
return modify_aliasmem(alias, member, LDB_FLAG_MOD_ADD);
482
static NTSTATUS del_aliasmem(const DOM_SID *alias, const DOM_SID *member)
484
return modify_aliasmem(alias, member, LDB_FLAG_MOD_DELETE);
489
enumerate sids that have the given alias set in member
491
static NTSTATUS enum_aliasmem(const DOM_SID *alias, DOM_SID **sids, size_t *num)
493
const char *attrs[] = {
498
NTSTATUS status = NT_STATUS_OK;
499
struct ldb_result *res=NULL;
501
struct ldb_message_element *el;
506
dn = mapping_dn(ldb, alias);
508
return NT_STATUS_NO_MEMORY;
511
ret = ldb_search(ldb, ldb, &res, dn, LDB_SCOPE_BASE, attrs, NULL);
512
if (ret == LDB_SUCCESS && res->count == 0) {
517
if (ret != LDB_SUCCESS) {
519
return NT_STATUS_INTERNAL_DB_CORRUPTION;
522
talloc_steal(dn, res);
523
el = ldb_msg_find_element(res->msgs[0], "member");
529
for (i=0;i<el->num_values;i++) {
531
string_to_sid(&sid, (const char *)el->values[i].data);
532
status = add_sid_to_array_unique(NULL, &sid, sids, num);
533
if (!NT_STATUS_IS_OK(status)) {
544
upgrade one group mapping record from the old tdb format
546
static int upgrade_map_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key,
547
TDB_DATA data, void *state)
552
if (strncmp((char *)key.dptr, GROUP_PREFIX,
553
MIN(key.dsize, strlen(GROUP_PREFIX))) != 0) {
557
if (!string_to_sid(&map.sid, strlen(GROUP_PREFIX) + (const char *)key.dptr)) {
558
DEBUG(0,("Bad sid key '%s' during upgrade\n", (const char *)key.dptr));
563
ret = tdb_unpack(data.dptr, data.dsize, "ddff",
564
&map.gid, &map.sid_name_use, &map.nt_name, &map.comment);
566
DEBUG(0,("Failed to unpack group map record during upgrade\n"));
571
if ((int)map.gid == -1) {
573
* Ignore old invalid mappings
578
if (!add_mapping_entry(&map, 0)) {
579
DEBUG(0,("Failed to add mapping entry during upgrade\n"));
588
upgrade one alias record from the old tdb format
590
static int upgrade_alias_record(TDB_CONTEXT *tdb_ctx, TDB_DATA key,
591
TDB_DATA data, void *state)
593
const char *p = (const char *)data.dptr;
598
if (strncmp((char *)key.dptr, MEMBEROF_PREFIX,
599
MIN(key.dsize, strlen(MEMBEROF_PREFIX))) != 0) {
603
if (!string_to_sid(&member, strlen(MEMBEROF_PREFIX) + (const char *)key.dptr)) {
604
DEBUG(0,("Bad alias key %s during upgrade\n",
605
(const char *)key.dptr));
609
frame = talloc_stackframe();
610
while (next_token_talloc(frame,&p, &string_sid, " ")) {
613
string_to_sid(&alias, string_sid);
614
status = add_aliasmem(&alias, &member);
615
if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_ALIAS)) {
616
DEBUG(0,("Ignoring orphaned alias record '%s'\n",
618
} else if (!NT_STATUS_IS_OK(status)) {
619
DEBUG(0,("Failed to add alias member during upgrade - %s\n",
631
upgrade from a old style tdb
633
static bool mapping_upgrade(const char *tdb_path)
635
static TDB_CONTEXT *tdb;
638
tdb = tdb_open_log(tdb_path, 0, TDB_DEFAULT, O_RDWR, 0600);
639
if (tdb == NULL) goto failed;
641
/* we have to do the map records first, as alias records may
643
ret = tdb_traverse(tdb, upgrade_map_record, &status);
644
if (ret == -1 || status == -1) goto failed;
646
ret = tdb_traverse(tdb, upgrade_alias_record, &status);
647
if (ret == -1 || status == -1) goto failed;
655
const char *old_path = tdb_path;
656
char *new_path = state_path("group_mapping.tdb.upgraded");
661
if (rename(old_path, new_path) != 0) {
662
DEBUG(0,("Failed to rename old group mapping database\n"));
669
DEBUG(0,("Failed to upgrade group mapping database\n"));
670
if (tdb) tdb_close(tdb);
676
static const struct mapping_backend ldb_backend = {
677
.add_mapping_entry = add_mapping_entry,
678
.get_group_map_from_sid = get_group_map_from_sid,
679
.get_group_map_from_gid = get_group_map_from_gid,
680
.get_group_map_from_ntname = get_group_map_from_ntname,
681
.group_map_remove = group_map_remove,
682
.enum_group_mapping = enum_group_mapping,
683
.one_alias_membership = one_alias_membership,
684
.add_aliasmem = add_aliasmem,
685
.del_aliasmem = del_aliasmem,
686
.enum_aliasmem = enum_aliasmem
690
initialise the ldb mapping backend
692
const struct mapping_backend *groupdb_ldb_init(void)
694
if (!init_group_mapping()) {
695
DEBUG(0,("Failed to initialise ldb mapping backend\n"));