📄 idmap_rid.c
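/*
 * NOTE: the lines up to the first closing brace are the tail of
 * rid_idmap_get_domains(); the start of that function is not part of
 * this listing, so its code is reproduced unchanged.
 */
	if (!sid_equal(domain_sid, get_global_sam_sid()))
		++own_domains;

	/* put the results together */
	*num_domains = trusted_num_domains + own_domains;
	/*
	 * NOTE(review): in the lines visible here neither reallocation result
	 * is checked for NULL before the arrays are written to below, and the
	 * fixed indexes [0]..[2] rely on own_domains as set earlier in the
	 * function -- confirm against the full function.
	 */
	*domain_names = SMB_REALLOC_ARRAY(*domain_names, fstring, *num_domains);
	*domain_sids = SMB_REALLOC_ARRAY(*domain_sids, DOM_SID, *num_domains);

	/* first add mydomain */
	fstrcpy((*domain_names)[0], domain_name);
	sid_copy(&(*domain_sids)[0], domain_sid);

	/* then add BUILTIN */
	fstrcpy((*domain_names)[1], "BUILTIN");
	sid_copy(&(*domain_sids)[1], &global_sid_Builtin);

	/* then add my local sid */
	if (!sid_equal(domain_sid, get_global_sam_sid())) {
		fstrcpy((*domain_names)[2], global_myname());
		sid_copy(&(*domain_sids)[2], get_global_sam_sid());
	}

	/* add trusted domains */
	for (i=0; i<trusted_num_domains; i++) {
		fstrcpy((*domain_names)[i+own_domains], trusted_domain_names[i]);
		sid_copy(&((*domain_sids)[i+own_domains]), &(trusted_domain_sids[i]));
	}

	/* show complete domain list */
	DEBUG(5,("rid_idmap_get_domains: complete domain-list has %d entries:\n", *num_domains));
	for (i=0; i<*num_domains; i++) {
		sid_to_string(sid_str, &((*domain_sids)[i]));
		DEBUGADD(5,("rid_idmap_get_domains:\t#%d\tdomain: [%s], sid: [%s]\n", i, (*domain_names)[i], sid_str ));
	}

	status = NT_STATUS_OK;

out:
	/* tear down the LSA handle, the pipe, the talloc context and the connection */
	rpccli_lsa_close(pipe_hnd, mem_ctx, &pol);
	cli_rpc_pipe_close(pipe_hnd);
	talloc_destroy(mem_ctx);
	cli_shutdown(cli);

	return status;
}

/*
 * Initialise the RID idmap backend.
 *
 * Checks that the global "idmap uid" and "idmap gid" ranges exist and are
 * identical, rejects trusted domains unless the module was built with
 * IDMAP_RID_SUPPORT_TRUSTED_DOMAINS, fetches the domain list, hands
 * init_param to rid_idmap_parse() and then validates every entry of the
 * file-level `trust` table: min_id <= max_id, inside the global range, and
 * no two ranges overlapping.  Overlapping or out-of-range mappings would let
 * two different SIDs resolve to the same POSIX id, so they are refused.
 *
 * init_param: module configuration string, passed through to
 *             rid_idmap_parse().
 *
 * Returns NT_STATUS_OK on success, NT_STATUS_NO_MEMORY if the initial
 * trust.dom allocation fails, NT_STATUS_INVALID_PARAMETER for any rejected
 * configuration, or the failing status of rid_idmap_get_domains() /
 * rid_idmap_parse().
 */
static NTSTATUS rid_idmap_init(char *init_param)
{
	int i, j;
	uid_t u_low, u_high;
	gid_t g_low, g_high;
	uint32 num_domains = 0;
	/*
	 * Start from NULL: the visible tail of rid_idmap_get_domains() feeds
	 * the current values into SMB_REALLOC_ARRAY, and the cleanup below
	 * frees them, so they must never hold stack garbage.
	 */
	fstring *domain_names = NULL;
	DOM_SID *domain_sids = NULL;
	NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;

	trust.dom = NULL;

	/* basic sanity checks */
	if (!lp_idmap_uid(&u_low, &u_high) || !lp_idmap_gid(&g_low, &g_high)) {
		DEBUG(0, ("rid_idmap_init: cannot get required global idmap-ranges.\n"));
		return nt_status;
	}

	/* one offset is used for users and groups alike, so both ranges must coincide */
	if (u_low != g_low || u_high != g_high) {
		DEBUG(0, ("rid_idmap_init: range defined in \"idmap uid\" must match range of \"idmap gid\".\n"));
		return nt_status;
	}

	if (lp_allow_trusted_domains()) {
#if IDMAP_RID_SUPPORT_TRUSTED_DOMAINS
		DEBUG(3,("rid_idmap_init: enabling trusted-domain-mapping\n"));
#else
		DEBUG(0,("rid_idmap_init: idmap_rid does not work with trusted domains\n"));
		DEBUGADD(0,("rid_idmap_init: please set \"allow trusted domains\" to \"no\" when using idmap_rid\n"));
		return nt_status;
#endif
	}

	/* init sizes */
	trust.dom = SMB_MALLOC_P(struct dom_entry);
	if (trust.dom == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	/* retrieve full domain list; the two "more entries" codes are tolerated */
	nt_status = rid_idmap_get_domains(&num_domains, &domain_names, &domain_sids);
	if (!NT_STATUS_IS_OK(nt_status) &&
	    !NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MORE_ENTRIES) &&
	    !NT_STATUS_EQUAL(nt_status, STATUS_MORE_ENTRIES)) {
		DEBUG(0, ("rid_idmap_init: cannot fetch sids for domain and/or trusted-domains from domain-controller.\n"));
		return nt_status;
	}

	/* parse the init string */
	nt_status = rid_idmap_parse(init_param, num_domains, domain_names, domain_sids, u_low, u_high);
	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0, ("rid_idmap_init: cannot parse module-configuration\n"));
		goto out;
	}

	/* every check below fails with INVALID_PARAMETER */
	nt_status = NT_STATUS_INVALID_PARAMETER;

	/* some basic sanity checks */
	for (i=0; i<trust.number; i++) {

		if (trust.dom[i].min_id > trust.dom[i].max_id) {
			DEBUG(0, ("rid_idmap_init: min_id (%d) has to be smaller than max_id (%d) for domain [%s]\n",
				trust.dom[i].min_id, trust.dom[i].max_id, trust.dom[i].name));
			goto out;
		}

		if (trust.dom[i].min_id < u_low || trust.dom[i].max_id > u_high) {
			DEBUG(0, ("rid_idmap_init: mapping of domain [%s] (%d-%d) has to fit into global idmap range (%d-%d).\n",
				trust.dom[i].name, trust.dom[i].min_id, trust.dom[i].max_id, u_low, u_high));
			goto out;
		}
	}

	/* check for overlaps */
	for (i=0; i<trust.number-1; i++) {
		for (j=i+1; j<trust.number; j++) {
			if (trust.dom[i].min_id <= trust.dom[j].max_id &&
			    trust.dom[j].min_id <= trust.dom[i].max_id) {
				/* report the pair that was actually compared (i and j) */
				DEBUG(0, ("rid_idmap_init: the ranges of domain [%s] and [%s] overlap\n",
					trust.dom[j].name, trust.dom[i].name));
				goto out;
			}
		}
	}

	DEBUG(3, ("rid_idmap_init: using %d mappings:\n", trust.number));
	for (i=0; i<trust.number; i++) {
		DEBUGADD(3, ("rid_idmap_init:\tdomain: [%s], sid: [%s], min_id: [%d], max_id: [%d]\n",
			trust.dom[i].name, trust.dom[i].sid, trust.dom[i].min_id, trust.dom[i].max_id));
	}

	nt_status = NT_STATUS_OK;

out:
	/* the domain arrays are only needed while parsing */
	SAFE_FREE(domain_names);
	SAFE_FREE(domain_sids);

	return nt_status;
}

/*
 * Map a POSIX id to a SID.
 *
 * Finds the configured domain whose [min_id, max_id] range contains the id,
 * subtracts min_id to obtain the RID and appends it to that domain's SID.
 * The id is read from unid.uid for users and groups alike; id_type is used
 * only for the log label.
 *
 * Returns NT_STATUS_OK with *sid filled in, NT_STATUS_INVALID_PARAMETER if
 * no range matches or the domain SID is missing or unparsable, or
 * NT_STATUS_NO_MEMORY if the RID cannot be appended.
 */
static NTSTATUS rid_idmap_get_sid_from_id(DOM_SID *sid, unid_t unid, int id_type)
{
	fstring sid_string;
	int i;
	DOM_SID sidstr;

	/* find range */
	for (i=0; i<trust.number; i++) {
		if (trust.dom[i].min_id <= unid.uid && trust.dom[i].max_id >= unid.uid )
			break;
	}

	if (i == trust.number) {
		DEBUG(0,("rid_idmap_get_sid_from_id: no suitable range available for id: %d\n", unid.uid));
		return NT_STATUS_INVALID_PARAMETER;
	}

	/* use lower-end of idmap-range as offset for users and groups*/
	unid.uid -= trust.dom[i].min_id;

	if (!trust.dom[i].sid)
		return NT_STATUS_INVALID_PARAMETER;

	/* a SID string that fails to parse must not yield a mapping built from an unset DOM_SID */
	if (!string_to_sid(&sidstr, trust.dom[i].sid)) {
		DEBUG(0,("rid_idmap_get_sid_from_id: could not parse domain sid\n"));
		return NT_STATUS_INVALID_PARAMETER;
	}
	sid_copy(sid, &sidstr);
	if (!sid_append_rid( sid, (unsigned long)unid.uid )) {
		DEBUG(0,("rid_idmap_get_sid_from_id: could not append rid to domain sid\n"));
		return NT_STATUS_NO_MEMORY;
	}

	DEBUG(3, ("rid_idmap_get_sid_from_id: mapped POSIX %s %d to SID [%s]\n",
		(id_type == ID_GROUPID) ? "GID" : "UID", unid.uid,
		sid_to_string(sid_string, sid)));

	return NT_STATUS_OK;
}

/*
 * Map a SID to a POSIX id.
 *
 * Finds the configured domain whose SID matches the domain part of *sid,
 * takes the RID of *sid and adds that domain's min_id.  The result is
 * stored in unid->uid for users and groups alike; *id_type is only read,
 * for the log label.
 *
 * Returns NT_STATUS_OK on success, or NT_STATUS_INVALID_PARAMETER if a
 * configured domain SID is missing or unparsable, no domain matches, the
 * RID cannot be read, or the resulting id falls outside the domain's range.
 */
static NTSTATUS rid_idmap_get_id_from_sid(unid_t *unid, int *id_type, const DOM_SID *sid)
{
	fstring sid_string;
	int i;
	uint32 rid;
	DOM_SID sidstr;

	/* check if we have a mapping for the sid */
	for (i=0; i<trust.number; i++) {
		if (!trust.dom[i].sid) {
			return NT_STATUS_INVALID_PARAMETER;
		}
		/* treat an unparsable configured SID like a missing one rather than comparing against an unset DOM_SID */
		if (!string_to_sid(&sidstr, trust.dom[i].sid)) {
			DEBUG(0,("rid_idmap_get_id_from_sid: could not parse domain sid\n"));
			return NT_STATUS_INVALID_PARAMETER;
		}
		if ( sid_compare_domain(sid, &sidstr) == 0 )
			break;
	}

	if (i == trust.number) {
		DEBUG(0,("rid_idmap_get_id_from_sid: no suitable range available for sid: %s\n", sid_string_static(sid)));
		return NT_STATUS_INVALID_PARAMETER;
	}

	if (!sid_peek_rid(sid, &rid)) {
		DEBUG(0,("rid_idmap_get_id_from_sid: could not peek rid\n"));
		return NT_STATUS_INVALID_PARAMETER;
	}

	/* use lower-end of idmap-range as offset for users and groups */
	unid->uid = rid + trust.dom[i].min_id;

	/* a RID beyond the range must never spill into ids owned by another domain */
	if (unid->uid > trust.dom[i].max_id) {
		DEBUG(0,("rid_idmap_get_id_from_sid: rid: %d (%s: %d) too high for mapping of domain: %s (%d-%d)\n",
			rid, (*id_type == ID_GROUPID) ? "GID" : "UID", unid->uid, trust.dom[i].name,
			trust.dom[i].min_id, trust.dom[i].max_id));
		return NT_STATUS_INVALID_PARAMETER;
	}
	/*
	 * NOTE(review): presumably this catches rid + min_id wrapping around;
	 * that only holds if the addition is unsigned -- the type of min_id is
	 * not visible in this listing, confirm.
	 */
	if (unid->uid < trust.dom[i].min_id) {
		DEBUG(0,("rid_idmap_get_id_from_sid: rid: %d (%s: %d) too low for mapping of domain: %s (%d-%d)\n",
			rid, (*id_type == ID_GROUPID) ? "GID" : "UID", unid->uid, trust.dom[i].name,
			trust.dom[i].min_id, trust.dom[i].max_id));
		return NT_STATUS_INVALID_PARAMETER;
	}

	DEBUG(3,("rid_idmap_get_id_from_sid: mapped SID [%s] to POSIX %s %d\n",
		sid_to_string(sid_string, sid),
		(*id_type == ID_GROUPID) ? "GID" : "UID", unid->uid));

	return NT_STATUS_OK;
}

/* Explicit mappings cannot be stored by this backend: always NT_STATUS_NOT_IMPLEMENTED. */
static NTSTATUS rid_idmap_set_mapping(const DOM_SID *sid, unid_t id, int id_type)
{
	return NT_STATUS_NOT_IMPLEMENTED;
}

/* Release the domain table held in trust.dom. */
static NTSTATUS rid_idmap_close(void)
{
	SAFE_FREE(trust.dom);
	return NT_STATUS_OK;
}

/* RID allocation is not provided by this backend: always NT_STATUS_NOT_IMPLEMENTED. */
static NTSTATUS rid_idmap_allocate_rid(uint32 *rid, int rid_type)
{
	return NT_STATUS_NOT_IMPLEMENTED;
}

/* Id allocation is not provided by this backend: always NT_STATUS_NOT_IMPLEMENTED. */
static NTSTATUS rid_idmap_allocate_id(unid_t *id, int id_type)
{
	return NT_STATUS_NOT_IMPLEMENTED;
}

/* Status hook: only logs that no status is available. */
static void rid_idmap_status(void)
{
	DEBUG(0, ("RID IDMAP Status not available\n"));
}

/* Method table handed to smb_register_idmap(); entries are positional. */
static struct idmap_methods rid_methods = {
	rid_idmap_init,
	rid_idmap_allocate_rid,
	rid_idmap_allocate_id,
	rid_idmap_get_sid_from_id,
	rid_idmap_get_id_from_sid,
	rid_idmap_set_mapping,
	rid_idmap_close,
	rid_idmap_status
};

/* Module entry point: registers this backend under the name "rid". */
NTSTATUS init_module(void)
{
	return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "rid", &rid_methods);
}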