| blob | b868242728f6966f295fdbaeb22dfef8e7fe0bcd |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
24 */
26 /*
27 * Database related utility routines
28 */
30 #include <stdio.h>
31 #include <stdlib.h>
32 #include <string.h>
33 #include <errno.h>
34 #include <sys/types.h>
35 #include <sys/stat.h>
36 #include <rpc/rpc.h>
37 #include <sys/sid.h>
38 #include <time.h>
39 #include <pwd.h>
40 #include <grp.h>
41 #include <pthread.h>
42 #include <assert.h>
43 #include <sys/u8_textprep.h>
44 #include <alloca.h>
45 #include <libuutil.h>
46 #include <note.h>
65 #define DO_NOT_ALLOC_NEW_ID_MAPPING(req)\
66 (req->flag & IDMAP_REQ_FLG_NO_NEW_ID_ALLOC)
68 #define AVOID_NAMESERVICE(req)\
69 (req->flag & IDMAP_REQ_FLG_NO_NAMESERVICE)
71 #define ALLOW_WK_OR_LOCAL_SIDS_ONLY(req)\
72 (req->flag & IDMAP_REQ_FLG_WK_OR_LOCAL_SIDS_ONLY)
79 /*
80 * Thread specific data to hold the database handles so that the
81 * databases are not opened and closed for every request. It also
82 * contains the sqlite busy handler structure.
83 */
91 };
101 /*
102 * Flags to indicate how local the directory we're consulting is.
103 * If neither is set, it means the directory belongs to a remote forest.
104 */
105 #define DOMAIN_IS_LOCAL 0x01
106 #define FOREST_IS_LOCAL 0x02
118 void
120 {
129 }
130 }
132 void
134 {
139 }
143 idmap_tsd_t *
145 {
149 /* No thread specific data so create it */
151 /* Initialize thread specific data */
153 /* save the trhread specific data */
155 /* Can't store key */
158 }
161 }
162 }
165 }
167 /*
168 * A simple wrapper around u8_textprep_str() that returns the Unicode
169 * lower-case version of some string. The result must be freed.
170 */
173 {
179 /*
180 * u8_textprep_str() does not allocate memory. The input and
181 * output buffers may differ in size (though that would be more
182 * likely when normalization is done). We have to loop over it...
183 *
184 * To improve the chances that we can avoid looping we add 10
185 * bytes of output buffer room the first go around.
186 */
198 /* adjust input/output buffer pointers */
201 /* adjust outbytesleft and outlen */
204 }
210 }
215 }
221 /*
222 * Initialize 'dbname' using 'sql'
223 */
224 static
225 int
229 {
242 rinse_repeat:
246 }
248 /* Last try, log errors */
259 }
263 /* Detect current version of schema in the db, if any */
269 #ifdef IDMAPD_DEBUG
271 detect_version_sql);
283 }
290 }
293 }
299 }
304 /* Install or upgrade schema */
305 #ifdef IDMAPD_DEBUG
318 }
323 done:
326 }
329 /*
330 * This is the SQLite database busy handler that retries the SQL
331 * operation until it is successful.
332 */
333 int
334 /* LINTED E_FUNC_ARG_UNUSED */
336 {
344 }
350 }
356 }
362 }
365 /*
366 * Get the database handle
367 */
368 idmap_retcode
370 {
374 /*
375 * Retrieve the db handle from thread-specific storage
376 * If none exists, open and store in thread-specific storage.
377 */
382 }
391 }
399 }
402 }
404 /*
405 * Get the cache handle
406 */
407 idmap_retcode
409 {
413 /*
414 * Retrieve the db handle from thread-specific storage
415 * If none exists, open and store in thread-specific storage.
416 */
419 IDMAP_DBNAME);
421 }
430 }
438 }
441 }
443 /*
444 * Initialize cache and db
445 */
446 int
448 {
452 /* name-based mappings; probably OK to blow away in a pinch(?) */
461 /* mappings, name/SID lookup cache + ephemeral IDs; OK to blow away */
474 }
476 /*
477 * Finalize databases
478 */
479 void
481 {
482 }
484 /*
485 * This table is a listing of status codes that will be returned to the
486 * client when a SQL command fails with the corresponding error message.
487 */
492 "columns winname, windomain, is_user, is_wuser, w2u_order are not"
496 };
498 /*
499 * idmapd's version of string2stat to map SQLite messages to
500 * status codes
501 */
502 idmap_retcode
504 {
509 }
511 }
513 /*
514 * Executes some SQL in a transaction.
515 *
516 * Returns 0 on success, -1 if it failed but the rollback succeeded, -2
517 * if the rollback failed.
518 */
519 static
520 int
523 {
533 }
542 }
548 }
555 rollback:
562 }
566 }
568 /*
569 * Execute the given SQL statment without using any callbacks
570 */
571 idmap_retcode
573 {
576 idmap_retcode retcode;
588 }
591 }
593 /*
594 * Generate expression that can be used in WHERE statements.
595 * Examples:
596 * <prefix> <col> <op> <value> <suffix>
597 * "" "unixuser" "=" "foo" "AND"
598 */
599 idmap_retcode
601 {
618 }
619 }
632 }
633 }
642 }
643 }
660 }
666 dir);
672 }
674 out:
683 }
687 /*
688 * Generate and execute SQL statement for LIST RPC calls
689 */
690 idmap_retcode
693 {
694 list_cb_data_t cb_data;
717 }
721 }
723 /*
724 * This routine is called by callbacks that process the results of
725 * LIST RPC calls to validate data and to allocate memory for
726 * the result array.
727 */
728 idmap_retcode
731 {
741 }
743 /* alloc in bulk to reduce number of reallocs */
750 }
755 }
757 }
759 static
760 idmap_retcode
763 {
767 /*
768 * Windows to UNIX lookup order:
769 * 1. winname@domain (or winname) to ""
770 * 2. winname@domain (or winname) to unixname
771 * 3. winname@* to ""
772 * 4. winname@* to unixname
773 * 5. *@domain (or *) to *
774 * 6. *@domain (or *) to ""
775 * 7. *@domain (or *) to unixname
776 * 8. *@* to *
777 * 9. *@* to ""
778 * 10. *@* to unixname
779 *
780 * winname is a special case of winname@domain when domain is the
781 * default domain. Similarly * is a special case of *@domain when
782 * domain is the default domain.
783 *
784 * Note that "" has priority over specific names because "" inhibits
785 * mappings and traditionally deny rules always had higher priority.
786 */
788 /* bi-directional or from windows to unix */
810 /* winname == name */
818 /* winname == name && windomain == null or name */
825 }
827 }
829 /*
830 * 1. unixname to "", non-diagonal
831 * 2. unixname to winname@domain (or winname), non-diagonal
832 * 3. unixname to "", diagonal
833 * 4. unixname to winname@domain (or winname), diagonal
834 * 5. * to *@domain (or *), non-diagonal
835 * 5. * to *@domain (or *), diagonal
836 * 7. * to ""
837 * 8. * to winname@domain (or winname)
838 * 9. * to "", non-diagonal
839 * 10. * to winname@domain (or winname), diagonal
840 */
844 /* bi-directional or from unix to windows */
856 else
863 else
865 }
866 }
868 }
870 /*
871 * Generate and execute SQL statement to add name-based mapping rule
872 */
873 idmap_retcode
875 {
877 idmap_stat retcode;
896 /*
897 * For the triggers on namerules table to work correctly:
898 * 1) Use NULL instead of 0 for w2u_order and u2w_order
899 * 2) Use "" instead of NULL for "no domain"
900 */
914 else
916 }
918 "(is_user, is_wuser, windomain, winname_display, is_nt4, "
919 "unixname, w2u_order, u2w_order) "
930 }
937 out:
943 }
945 /*
946 * Flush name-based mapping rules
947 */
948 idmap_retcode
950 {
951 idmap_stat retcode;
956 }
958 /*
959 * Generate and execute SQL statement to remove a name-based mapping rule
960 */
961 idmap_retcode
963 {
965 idmap_stat retcode;
982 }
987 out:
993 }
995 /*
996 * Compile the given SQL query and step just once.
997 *
998 * Input:
999 * db - db handle
1000 * sql - SQL statement
1001 *
1002 * Output:
1003 * vm - virtual SQL machine
1004 * ncol - number of columns in the result
1005 * values - column values
1006 *
1007 * Return values:
1008 * IDMAP_SUCCESS
1009 * IDMAP_ERR_NOTFOUND
1010 * IDMAP_ERR_INTERNAL
1011 */
1013 static
1014 idmap_retcode
1017 {
1026 }
1036 }
1037 /* Caller will call finalize after using the results */
1043 }
1051 }
1053 /*
1054 * Load config in the state.
1055 *
1056 * nm_siduid and nm_sidgid fields:
1057 * state->nm_siduid represents mode used by sid2uid and uid2sid
1058 * requests for directory-based name mappings. Similarly,
1059 * state->nm_sidgid represents mode used by sid2gid and gid2sid
1060 * requests.
1061 *
1062 * sid2uid/uid2sid:
1063 * none -> directory_based_mapping != DIRECTORY_MAPPING_NAME
1064 * AD-mode -> !nldap_winname_attr && ad_unixuser_attr
1065 * nldap-mode -> nldap_winname_attr && !ad_unixuser_attr
1066 * mixed-mode -> nldap_winname_attr && ad_unixuser_attr
1067 *
1068 * sid2gid/gid2sid:
1069 * none -> directory_based_mapping != DIRECTORY_MAPPING_NAME
1070 * AD-mode -> !nldap_winname_attr && ad_unixgroup_attr
1071 * nldap-mode -> nldap_winname_attr && !ad_unixgroup_attr
1072 * mixed-mode -> nldap_winname_attr && ad_unixgroup_attr
1073 */
1074 idmap_retcode
1076 {
1099 }
1103 }
1106 DIRECTORY_MAPPING_NAME) {
1109 }
1125 }
1132 }
1133 }
1140 }
1141 }
1148 }
1149 }
1152 }
1154 /*
1155 * Set the rule with specified values.
1156 * All the strings are copied.
1157 */
1158 static void
1162 {
1163 /*
1164 * Only update if they differ because we have to free
1165 * and duplicate the strings
1166 */
1172 }
1175 }
1182 }
1185 }
1192 }
1195 }
1201 }
1203 /*
1204 * Lookup well-known SIDs table either by winname or by SID.
1205 *
1206 * If the given winname or SID is a well-known SID then we set is_wksid
1207 * variable and then proceed to see if the SID has a hard mapping to
1208 * a particular UID/GID (Ex: Creator Owner/Creator Group mapped to
1209 * fixed ephemeral ids). The direction flag indicates whether we have
1210 * a mapping; UNDEF indicates that we do not.
1211 *
1212 * If we find a mapping then we return success, except for the
1213 * special case of IDMAP_SENTINEL_PID which indicates an inhibited mapping.
1214 *
1215 * If we find a matching entry, but no mapping, we supply SID, name, and type
1216 * information and return "not found". Higher layers will probably
1217 * do ephemeral mapping.
1218 *
1219 * If we do not find a match, we return "not found" and leave the question
1220 * to higher layers.
1221 */
1222 static
1223 idmap_retcode
1225 {
1239 }
1243 /* Found matching entry. */
1245 /* Fill in name if it was not already there. */
1250 }
1252 /* Fill in SID if it was not already there */
1262 }
1266 }
1268 /* Fill in the canonical domain if not already there */
1275 else
1281 }
1290 }
1293 /*
1294 * We don't have a mapping
1295 * (But note that we may have supplied SID, name, or type
1296 * information.)
1297 */
1299 }
1301 /*
1302 * We have an explicit mapping.
1303 */
1305 /*
1306 * ... which is that mapping is inhibited.
1307 */
1309 }
1319 /* IDMAP_POSIXID is eliminated above */
1321 }
1327 }
1330 /*
1331 * Look for an entry mapping a PID to a SID.
1332 *
1333 * Note that direction=UNDEF entries do not specify a mapping,
1334 * and that IDMAP_SENTINEL_PID entries represent either an inhibited
1335 * mapping or an ephemeral mapping. We don't handle either here;
1336 * they are filtered out by find_wksid_by_pid.
1337 */
1338 static
1339 idmap_retcode
1341 {
1350 }
1361 }
1366 }
1368 /* Fill in name if it was not already there. */
1373 }
1375 /* Fill in the canonical domain if not already there */
1382 else
1388 }
1394 }
1396 /*
1397 * Look up a name in the wksids list, matching name and, if supplied, domain,
1398 * and extract data.
1399 *
1400 * Given:
1401 * name Windows user name
1402 * domain Windows domain name (or NULL)
1403 *
1404 * Return: Error code
1405 *
1406 * *canonname canonical name (if canonname non-NULL) [1]
1407 * *canondomain canonical domain (if canondomain non-NULL) [1]
1408 * *sidprefix SID prefix (if sidprefix non-NULL) [1]
1409 * *rid RID (if rid non-NULL) [2]
1410 * *type Type (if type non-NULL) [2]
1411 *
1412 * [1] malloc'ed, NULL on error
1413 * [2] Undefined on error
1414 */
1415 idmap_retcode
1424 {
1446 }
1449 }
1458 }
1467 }
1470 }
1478 nomem:
1484 }
1489 }
1494 }
1497 }
1499 static
1500 idmap_retcode
1502 {
1508 uid_t pid;
1510 idmap_retcode retcode;
1513 /* Current time */
1520 }
1530 /* the non-diagonal mapping */
1536 }
1538 /* SQL to lookup the cache */
1542 "unixname, u2w, is_wuser, "
1543 "map_type, map_dn, map_attr, map_value, "
1544 "map_windomain, map_winname, map_unixname, map_is_nt4 "
1545 "FROM idmap_cache WHERE is_user = %s AND "
1546 "sidprefix = %Q AND rid = %u AND w2u = 1 AND "
1547 "(pid >= 2147483648 OR "
1548 "(expiration = 0 OR expiration ISNULL OR "
1556 "unixname, u2w, is_wuser, "
1557 "map_type, map_dn, map_attr, map_value, "
1558 "map_windomain, map_winname, map_unixname, map_is_nt4 "
1559 "FROM idmap_cache WHERE is_user = %s AND "
1560 "winname = %Q AND windomain = %Q AND w2u = 1 AND "
1561 "(pid >= 2147483648 OR "
1562 "(expiration = 0 OR expiration ISNULL OR "
1565 curtime);
1571 }
1576 }
1584 /* sanity checks */
1588 }
1599 }
1601 /*
1602 * We may have an expired ephemeral mapping. Consider
1603 * the expired entry as valid if we are not going to
1604 * perform name-based mapping. But do not renew the
1605 * expiration.
1606 * If we will be doing name-based mapping then store the
1607 * ephemeral pid in the result so that we can use it
1608 * if we end up doing dynamic mapping again.
1609 */
1615 /* Store the ephemeral pid */
1618 ? _IDMAP_F_EXP_EPH_UID
1621 }
1622 }
1623 }
1625 out:
1631 else
1641 }
1642 }
1679 is_user;
1703 /* Unknown mapping type */
1705 }
1706 }
1707 }
1711 }
1713 /*
1714 * Previous versions used two enumerations for representing types.
1715 * One of those has largely been eliminated, but was used in the
1716 * name cache table and so during an upgrade might still be visible.
1717 * In addition, the test suite prepopulates the cache with these values.
1718 *
1719 * This function translates those old values into the new values.
1720 *
1721 * This code deliberately does not use symbolic values for the legacy
1722 * values. This is the *only* place where they should be used.
1723 */
1724 static
1725 idmap_id_type
1727 {
1735 }
1737 }
1739 static
1740 idmap_retcode
1743 {
1752 /* Get current time */
1759 }
1761 /* SQL to lookup the cache */
1763 "FROM name_cache WHERE "
1764 "sidprefix = %Q AND rid = %u AND "
1765 "(expiration = 0 OR expiration ISNULL OR "
1772 }
1781 }
1783 }
1790 }
1791 }
1798 }
1802 }
1803 }
1804 }
1806 out:
1810 }
1812 /*
1813 * Given SID, find winname using name_cache OR
1814 * Given winname, find SID using name_cache.
1815 * Used when mapping win to unix i.e. req->id1 is windows id and
1816 * req->id2 is unix id
1817 */
1818 static
1819 idmap_retcode
1821 {
1823 idmap_retcode retcode;
1825 idmap_rid_t rid;
1828 /* Done if we've both sid and winname */
1830 /* Don't bother TRACE()ing, too boring */
1832 }
1835 /* Lookup sid to winname */
1840 /* Lookup winame to sid */
1843 }
1850 }
1855 }
1861 /*
1862 * If we found canonical names or domain, use them instead of
1863 * the existing values.
1864 */
1868 }
1872 }
1877 }
1881 }
1885 static int
1889 {
1890 idmap_retcode retcode;
1903 /*
1904 * Since req->id2.idtype is unused, we will use it here
1905 * to retrieve the value of sid_type. But it needs to be
1906 * reset to IDMAP_NONE before we return to prevent xdr
1907 * from mis-interpreting req->id2 when it tries to free
1908 * the input argument. Other option is to allocate an
1909 * array of integers and use it instead for the batched
1910 * call. But why un-necessarily allocate memory. That may
1911 * be an option if req->id2.idtype cannot be re-used in
1912 * future.
1913 *
1914 * Similarly, we use req->id2.idmap_id_u.uid to return
1915 * uidNumber or gidNumber supplied by IDMU, and reset it
1916 * back to IDMAP_SENTINEL_PID when we're done. Note that
1917 * the query always puts the result in req->id2.idmap_id_u.uid,
1918 * not .gid.
1919 */
1920 retry:
1931 }
1937 /*
1938 * Directory based name mapping is only performed within the
1939 * joined forest. We don't trust other "trusted"
1940 * forests to provide DS-based name mapping information because
1941 * AD's definition of "cross-forest trust" does not encompass
1942 * this sort of behavior.
1943 */
1946 }
1957 /* Skip if no AD lookup required */
1961 /* Skip if we've already tried and gotten a "not found" */
1965 /* Skip if we've already either succeeded or failed */
1971 /* win2unix request: */
1977 DIRECTORY_MAPPING_NAME &&
1990 }
1993 /*
1994 * Get how info for DS-based name
1995 * mapping only if AD or MIXED
1996 * mode is enabled.
1997 */
2004 }
2006 DIRECTORY_MAPPING_IDMU &&
2008 /*
2009 * Ensure that we only do IDMU processing
2010 * when querying the domain we've joined.
2011 */
2013 /*
2014 * Get how info for IDMU based mapping.
2015 */
2022 }
2025 /* Lookup AD by SID */
2035 pid,
2038 num_queued++;
2040 /* Lookup AD by winname */
2044 esidtype,
2050 pid,
2053 num_queued++;
2054 }
2058 /* unix2win request: */
2062 /* Already have SID and winname. done */
2065 }
2068 /*
2069 * SID but no winname -- lookup AD by
2070 * SID to get winname.
2071 * how info is not needed here because
2072 * we are not retrieving unixname from
2073 * AD.
2074 */
2079 IDMAP_POSIXID,
2085 num_queued++;
2087 /*
2088 * winname but no SID -- lookup AD by
2089 * winname to get SID.
2090 * how info is not needed here because
2091 * we are not retrieving unixname from
2092 * AD.
2093 */
2096 IDMAP_POSIXID,
2101 NULL,
2104 num_queued++;
2106 DIRECTORY_MAPPING_IDMU &&
2109 IDMAP_SENTINEL_PID);
2115 else
2118 /* IDMU can't do diagonal mappings */
2135 num_queued++;
2137 /*
2138 * No SID and no winname but we've unixname.
2139 * Lookup AD by unixname to get SID.
2140 */
2146 else
2162 num_queued++;
2163 }
2164 }
2171 }
2175 /* add keeps track if we added an entry to the batch */
2178 else
2184 }
2193 /* Mark any unproccessed requests for an other AD */
2195 i++) {
2199 }
2200 }
2205 out:
2206 /*
2207 * This loop does the following:
2208 * 1. Reset _IDMAP_F_LOOKUP_AD flag from the request.
2209 * 2. Reset req->id2.idtype to IDMAP_NONE
2210 * 3. If batch_start or batch_add failed then set the status
2211 * of each request marked for AD lookup to that error.
2212 * 4. Evaluate the type of the AD object (i.e. user or group)
2213 * and update the idtype in request.
2214 */
2216 idmap_id_type type;
2217 uid_t posix_id;
2226 /*
2227 * If it didn't need AD lookup, ignore it.
2228 */
2232 /*
2233 * If we deferred it this time, reset for the next
2234 * AD server.
2235 */
2239 }
2241 /* Count number processed */
2244 /* Reset AD lookup flag */
2247 /*
2248 * If batch_start or batch_add failed then set the
2249 * status of each request marked for AD lookup to
2250 * that error.
2251 */
2255 }
2258 /* Nothing found - remove the preset info */
2260 }
2266 }
2271 }
2272 /* Evaluate result type */
2277 /*
2278 * We found a user. If we got information
2279 * from IDMU and we were expecting a user,
2280 * copy the id.
2281 */
2287 IDMAP_MAP_TYPE_IDMU;
2289 }
2296 /*
2297 * We found a group. If we got information
2298 * from IDMU and we were expecting a group,
2299 * copy the id.
2300 */
2306 IDMAP_MAP_TYPE_IDMU;
2308 }
2315 }
2324 }
2330 /*
2331 * If AD lookup by unixname or pid
2332 * failed with non fatal error
2333 * then clear the error (ie set
2334 * res->retcode to success).
2335 * This allows the next pass to
2336 * process other mapping
2337 * mechanisms for this request.
2338 */
2340 IDMAP_ERR_NOTFOUND) {
2341 /* This is not an error */
2349 }
2352 }
2354 }
2355 /* Evaluate result type */
2366 }
2368 }
2369 }
2372 }
2376 /*
2377 * Batch AD lookups
2378 */
2379 idmap_retcode
2382 {
2383 idmap_retcode retcode;
2397 /* Skip if not marked for AD lookup or already in error. */
2402 /* Init status */
2404 }
2410 /* Case of no ADs */
2419 }
2421 }
2432 }
2433 }
2443 }
2445 /*
2446 * There are no more ADs to try. Return errors for any
2447 * remaining requests.
2448 */
2457 }
2458 }
2460 out:
2463 /* AD lookups done. Reset state->ad_nqueries and return */
2466 }
2468 /*
2469 * Convention when processing win2unix requests:
2470 *
2471 * Windows identity:
2472 * req->id1name =
2473 * winname if given otherwise winname found will be placed
2474 * here.
2475 * req->id1domain =
2476 * windomain if given otherwise windomain found will be
2477 * placed here.
2478 * req->id1.idtype =
2479 * Either IDMAP_SID/USID/GSID. If this is IDMAP_SID then it'll
2480 * be set to IDMAP_USID/GSID depending upon whether the
2481 * given SID is user or group respectively. The user/group-ness
2482 * is determined either when looking up well-known SIDs table OR
2483 * if the SID is found in namecache OR by ad_lookup_batch().
2484 * req->id1..sid.[prefix, rid] =
2485 * SID if given otherwise SID found will be placed here.
2486 *
2487 * Unix identity:
2488 * req->id2name =
2489 * unixname found will be placed here.
2490 * req->id2domain =
2491 * NOT USED
2492 * res->id.idtype =
2493 * Target type initialized from req->id2.idtype. If
2494 * it is IDMAP_POSIXID then actual type (IDMAP_UID/GID) found
2495 * will be placed here.
2496 * res->id..[uid or gid] =
2497 * UID/GID found will be placed here.
2498 *
2499 * Others:
2500 * res->retcode =
2501 * Return status for this request will be placed here.
2502 * res->direction =
2503 * Direction found will be placed here. Direction
2504 * meaning whether the resultant mapping is valid
2505 * only from win2unix or bi-directional.
2506 * req->direction =
2507 * INTERNAL USE. Used by idmapd to set various
2508 * flags (_IDMAP_F_xxxx) to aid in processing
2509 * of the request.
2510 * req->id2.idtype =
2511 * INTERNAL USE. Initially this is the requested target
2512 * type and is used to initialize res->id.idtype.
2513 * ad_lookup_batch() uses this field temporarily to store
2514 * sid_type obtained by the batched AD lookups and after
2515 * use resets it to IDMAP_NONE to prevent xdr from
2516 * mis-interpreting the contents of req->id2.
2517 * req->id2.idmap_id_u.uid =
2518 * INTERNAL USE. If the AD lookup finds IDMU data
2519 * (uidNumber or gidNumber, depending on the type of
2520 * the entry), it's left here.
2521 */
2523 /*
2524 * This function does the following:
2525 * 1. Lookup well-known SIDs table.
2526 * 2. Check if the given SID is a local-SID and if so extract UID/GID from it.
2527 * 3. Lookup cache.
2528 * 4. Check if the client does not want new mapping to be allocated
2529 * in which case this pass is the final pass.
2530 * 5. Set AD lookup flag if it determines that the next stage needs
2531 * to do AD lookup.
2532 */
2533 idmap_retcode
2536 {
2537 idmap_retcode retcode;
2540 /* Initialize result */
2547 /* They have to give us *something* to work with! */
2551 }
2553 /* sanitize sidprefix */
2557 /* Allow for a fully-qualified name in the "name" parameter */
2571 }
2572 }
2573 }
2574 }
2576 /* Lookup well-known SIDs table */
2579 /* Found a well-known account with a hardwired mapping */
2586 }
2589 /* Found a well-known account, but no mapping */
2594 /* Check if this is a localsid */
2603 }
2609 }
2610 }
2612 /*
2613 * If this is a name-based request and we don't have a domain,
2614 * use the default domain. Note that the well-known identity
2615 * cases will have supplied a SID prefix already, and that we
2616 * don't (yet?) support looking up a local user through a Windows
2617 * style name.
2618 */
2624 }
2629 }
2631 }
2633 /* Lookup cache */
2641 }
2647 }
2649 /*
2650 * Failed to find non-expired entry in cache. Next step is
2651 * to determine if this request needs to be batched for AD lookup.
2652 *
2653 * At this point we have either sid or winname or both. If we don't
2654 * have both then lookup name_cache for the sid or winname
2655 * whichever is missing. If not found then this request will be
2656 * batched for AD lookup.
2657 */
2663 else
2665 }
2671 /*
2672 * If we don't have both name and SID, try looking up the
2673 * entry with LSA.
2674 */
2689 }
2713 }
2714 }
2715 }
2717 /*
2718 * Set the flag to indicate that we are not done yet so that
2719 * subsequent passes considers this request for name-based
2720 * mapping and ephemeral mapping.
2721 */
2725 /*
2726 * Even if we have both sid and winname, we still may need to batch
2727 * this request for AD lookup if we don't have unixname and
2728 * directory-based name mapping (AD or mixed) is enabled.
2729 * We avoid AD lookup for well-known SIDs because they don't have
2730 * regular AD objects.
2731 */
2743 }
2746 out:
2748 /*
2749 * If we are done and there was an error then set fallback pid
2750 * in the result.
2751 */
2755 }
2757 /*
2758 * Generate SID using the following convention
2759 * <machine-sid-prefix>-<1000 + uid>
2760 * <machine-sid-prefix>-<2^31 + gid>
2761 */
2762 static
2763 idmap_retcode
2766 {
2770 /*
2771 * Diagonal mapping for localSIDs not supported because of the
2772 * way we generate localSIDs.
2773 */
2779 /* Skip 1000 UIDs */
2785 /*
2786 * machine_sid is never NULL because if it is we won't be here.
2787 * No need to assert because strdup(NULL) will core anyways.
2788 */
2795 }
2807 }
2809 /*
2810 * Don't update name_cache because local sids don't have
2811 * valid windows names.
2812 */
2815 }
2817 static
2818 idmap_retcode
2820 {
2825 /*
2826 * If the sidprefix == localsid then UID = last RID - 1000 or
2827 * GID = last RID - 2^31.
2828 */
2830 /* This means we are looking up by winname */
2839 /*
2840 * If the given sidprefix does not match machine_sid then this is
2841 * not a local SID.
2842 */
2866 }
2870 }
2874 }
2876 /*
2877 * Name service lookup by unixname to get pid
2878 */
2879 static
2880 idmap_retcode
2882 {
2901 else
2903 }
2917 else
2919 }
2924 }
2926 }
2929 /*
2930 * Name service lookup by pid to get unixname
2931 */
2932 static
2933 idmap_retcode
2935 {
2950 else
2952 }
2962 else
2964 }
2966 }
2970 }
2972 /*
2973 * Name-based mapping
2974 *
2975 * Case 1: If no rule matches do ephemeral
2976 *
2977 * Case 2: If rule matches and unixname is "" then return no mapping.
2978 *
2979 * Case 3: If rule matches and unixname is specified then lookup name
2980 * service using the unixname. If unixname not found then return no mapping.
2981 *
2982 * Case 4: If rule matches and unixname is * then lookup name service
2983 * using winname as the unixname. If unixname not found then process
2984 * other rules using the lookup order. If no other rule matches then do
2985 * ephemeral. Otherwise, based on the matched rule do Case 2 or 3 or 4.
2986 * This allows us to specify a fallback unixname per _domain_ or no mapping
2987 * instead of the default behaviour of doing ephemeral mapping.
2988 *
2989 * Example 1:
2990 * *@sfbay == *
2991 * If looking up windows users foo@sfbay and foo does not exists in
2992 * the name service then foo@sfbay will be mapped to an ephemeral id.
2993 *
2994 * Example 2:
2995 * *@sfbay == *
2996 * *@sfbay => guest
2997 * If looking up windows users foo@sfbay and foo does not exists in
2998 * the name service then foo@sfbay will be mapped to guest.
2999 *
3000 * Example 3:
3001 * *@sfbay == *
3002 * *@sfbay => ""
3003 * If looking up windows users foo@sfbay and foo does not exists in
3004 * the name service then we will return no mapping for foo@sfbay.
3005 *
3006 */
3007 static
3008 idmap_retcode
3011 {
3014 idmap_retcode retcode;
3040 }
3053 }
3061 "SELECT unixname, u2w_order, winname_display, windomain, is_nt4 "
3062 "FROM namerules WHERE "
3063 "w2u_order > 0 AND is_user = %d AND is_wuser = %d AND "
3064 "(winname = %Q OR winname = '*') AND "
3065 "(windomain = %Q OR windomain = '*') "
3072 }
3080 }
3090 }
3100 }
3103 direction =
3106 else
3114 direction);
3117 }
3125 }
3135 unixname);
3136 /* Case 4 */
3141 /* Case 3 */
3144 is_wuser,
3146 direction);
3148 }
3152 }
3166 }
3167 }
3169 /* Found */
3175 else
3182 }
3189 out:
3194 }
3202 }
3209 }
3211 static
3212 int
3214 {
3215 uid_t uid;
3216 gid_t gid;
3227 }
3231 }
3233 static
3234 int
3236 {
3237 uid_t uid;
3238 gid_t gid;
3249 }
3253 }
3255 static
3256 int
3258 {
3267 }
3272 }
3277 }
3279 static
3280 int
3283 {
3299 }
3301 }
3303 }
3305 static
3306 void
3308 {
3314 next++;
3316 }
3322 }
3324 void
3326 {
3332 }
3334 /* ARGSUSED */
3335 static
3336 idmap_retcode
3339 {
3341 uid_t next_pid;
3349 }
3358 }
3368 }
3377 }
3379 idmap_retcode
3382 {
3383 idmap_retcode retcode;
3384 idmap_retcode retcode2;
3386 /* Check if second pass is needed */
3390 /* Get status from previous pass */
3395 /*
3396 * We are asked to map an unresolvable SID to a UID or
3397 * GID, but, which? We'll treat all unresolvable SIDs
3398 * as users unless the caller specified which of a UID
3399 * or GID they want.
3400 */
3410 }
3412 }
3416 /*
3417 * There are two ways we might get here with a Posix ID:
3418 * - It could be from an expired ephemeral cache entry.
3419 * - It could be from IDMU.
3420 * If it's from IDMU, we need to look up the name, for name-based
3421 * requests and the cache.
3422 */
3426 /*
3427 * If the lookup fails, go ahead anyway.
3428 * The general UNIX rule is that it's OK to
3429 * have a UID or GID that isn't in the
3430 * name service.
3431 */
3437 retcode2);
3440 }
3441 }
3443 }
3445 /*
3446 * If directory-based name mapping is enabled then the unixname
3447 * may already have been retrieved from the AD object (AD-mode or
3448 * mixed-mode) or from native LDAP object (nldap-mode) -- done.
3449 */
3459 /*
3460 * Special case: (1) If the ad_unixuser_attr and
3461 * ad_unixgroup_attr uses the same attribute
3462 * name and (2) if this is a diagonal mapping
3463 * request and (3) the unixname has been retrieved
3464 * from the AD object -- then we ignore it and fallback
3465 * to name-based mapping rules and ephemeral mapping
3466 *
3467 * Example:
3468 * Properties:
3469 * config/ad_unixuser_attr = "unixname"
3470 * config/ad_unixgroup_attr = "unixname"
3471 * AD user object:
3472 * dn: cn=bob ...
3473 * objectclass: user
3474 * sam: bob
3475 * unixname: bob1234
3476 * AD group object:
3477 * dn: cn=winadmins ...
3478 * objectclass: group
3479 * sam: winadmins
3480 * unixname: unixadmins
3481 *
3482 * In this example whether "unixname" refers to a unixuser
3483 * or unixgroup depends upon the AD object.
3484 *
3485 * $idmap show -c winname:bob gid
3486 * AD lookup by "samAccountName=bob" for
3487 * "ad_unixgroup_attr (i.e unixname)" for directory-based
3488 * mapping would get "bob1234" which is not what we want.
3489 * Now why not getgrnam_r("bob1234") and use it if it
3490 * is indeed a unixgroup? That's because Unix can have
3491 * users and groups with the same name and we clearly
3492 * don't know the intention of the admin here.
3493 * Therefore we ignore this and fallback to name-based
3494 * mapping rules or ephemeral mapping.
3495 */
3510 /* fallback */
3516 /*
3517 * If ns_lookup_byname() fails that
3518 * means the unixname (req->id2name),
3519 * which was obtained from the AD
3520 * object by directory-based mapping,
3521 * is not a valid Unix user/group and
3522 * therefore we return the error to the
3523 * client instead of doing rule-based
3524 * mapping or ephemeral mapping. This
3525 * way the client can detect the issue.
3526 */
3530 }
3532 }
3534 }
3535 }
3537 /* Free any mapping info from Directory based mapping */
3541 /*
3542 * If we don't have unixname then evaluate local name-based
3543 * mapping rules.
3544 */
3552 }
3554 do_eph:
3555 /* If not found, do ephemeral mapping */
3563 }
3565 out:
3570 }
3574 }
3576 idmap_retcode
3579 {
3581 idmap_retcode retcode;
3582 idmap_retcode retcode2;
3591 /* Check if we need to cache anything */
3595 /* We don't cache negative entries */
3603 /*
3604 * If we've gotten to this point and we *still* don't know the
3605 * unixname, well, we'd like to have it now for the cache.
3606 *
3607 * If we truly always need it for the cache, we should probably
3608 * look it up once at the beginning, rather than "at need" in
3609 * several places as is now done. However, it's not really clear
3610 * that we *do* need it in the cache; there's a decent argument
3611 * that the cache should contain only SIDs and PIDs, so we'll
3612 * leave our options open by doing it "at need" here too.
3613 *
3614 * If we can't find it... c'est la vie.
3615 */
3621 else
3623 }
3659 /* Don't cache other mapping types */
3661 }
3663 /*
3664 * Using NULL for u2w instead of 0 so that our trigger allows
3665 * the same pid to be the destination in multiple entries
3666 */
3668 "(sidprefix, rid, windomain, canon_winname, pid, unixname, "
3669 "is_user, is_wuser, expiration, w2u, u2w, "
3670 "map_type, map_dn, map_attr, map_value, map_windomain, "
3671 "map_winname, map_unixname, map_is_nt4) "
3672 "VALUES(%Q, %u, %Q, %Q, %u, %Q, %d, %d, "
3673 "strftime('%%s','now') + %u, %q, 1, "
3688 }
3698 /* Check if we need to update namecache */
3706 "(sidprefix, rid, canon_name, domain, type, expiration) "
3716 }
3720 out:
3724 }
3726 idmap_retcode
3729 {
3731 idmap_retcode retcode;
3741 /* Check if we need to cache anything */
3745 /* We don't cache negative entries */
3753 else
3759 "SET w2u = 0 WHERE "
3760 "sidprefix = %Q AND rid = %u AND w2u = 1 AND "
3764 is_eph_user);
3769 }
3777 }
3812 /* Don't cache other mapping types */
3814 }
3817 "(sidprefix, rid, windomain, canon_winname, pid, unixname, "
3818 "is_user, is_wuser, expiration, w2u, u2w, "
3819 "map_type, map_dn, map_attr, map_value, map_windomain, "
3820 "map_winname, map_unixname, map_is_nt4) "
3821 "VALUES(%Q, %u, %Q, %Q, %u, %Q, %d, %d, "
3822 "strftime('%%s','now') + %u, 1, %q, "
3838 }
3848 /* Check if we need to update namecache */
3856 "(sidprefix, rid, canon_name, domain, type, expiration) "
3866 }
3870 out:
3874 }
3876 static
3877 idmap_retcode
3880 {
3888 idmap_id_type idtype;
3890 /* Current time */
3897 }
3899 /* SQL to lookup the cache by pid or by unixname */
3902 "canon_winname, windomain, w2u, is_wuser, "
3903 "map_type, map_dn, map_attr, map_value, map_windomain, "
3904 "map_winname, map_unixname, map_is_nt4 "
3905 "FROM idmap_cache WHERE "
3906 "pid = %u AND u2w = 1 AND is_user = %d AND "
3907 "(pid >= 2147483648 OR "
3908 "(expiration = 0 OR expiration ISNULL OR "
3913 "canon_winname, windomain, w2u, is_wuser, "
3914 "map_type, map_dn, map_attr, map_value, map_windomain, "
3915 "map_winname, map_unixname, map_is_nt4 "
3916 "FROM idmap_cache WHERE "
3917 "unixname = %Q AND u2w = 1 AND is_user = %d AND "
3918 "(pid >= 2147483648 OR "
3919 "(expiration = 0 OR expiration ISNULL OR "
3925 }
3931 }
3939 /* sanity checks */
3943 }
3960 }
3970 }
3976 else
3986 }
3995 }
4001 }
4034 is_user;
4058 /* Unknown mapping type */
4060 }
4061 }
4062 }
4064 out:
4068 }
4070 /*
4071 * Given:
4072 * cache sqlite handle
4073 * name Windows user name
4074 * domain Windows domain name
4075 *
4076 * Return: Error code
4077 *
4078 * *canonname Canonical name (if canonname is non-NULL) [1]
4079 * *sidprefix SID prefix [1]
4080 * *rid RID
4081 * *type Type of name
4082 *
4083 * [1] malloc'ed, NULL on error
4084 */
4085 static
4086 idmap_retcode
4095 {
4102 idmap_retcode retcode;
4108 /* Get current time */
4115 }
4117 /* SQL to lookup the cache */
4121 "FROM name_cache WHERE name = %Q AND domain = %Q AND "
4122 "(expiration = 0 OR expiration ISNULL OR "
4130 }
4142 }
4144 }
4149 }
4158 }
4159 }
4166 }
4171 out:
4181 }
4182 }
4184 }
4186 static
4187 idmap_retcode
4193 {
4204 retry:
4218 }
4223 /*
4224 * Directory based name mapping is only
4225 * performed within the joined forest (i == 0).
4226 * We don't trust other "trusted" forests to
4227 * provide DS-based name mapping information
4228 * because AD's definition of "cross-forest
4229 * trust" does not encompass this sort of
4230 * behavior.
4231 */
4235 }
4243 }
4247 else
4256 }
4258 /* No AD case */
4260 }
4268 retcode);
4270 }
4272 }
4274 /*
4275 * Given:
4276 * cache sqlite handle to cache
4277 * name Windows user name
4278 * domain Windows domain name
4279 * local_only if true, don't try AD lookups
4280 *
4281 * Returns: Error code
4282 *
4283 * *canonname Canonical name (if non-NULL) [1]
4284 * *canondomain Canonical domain (if non-NULL) [1]
4285 * *sidprefix SID prefix [1]
4286 * *rid RID
4287 * *req Request (direction is updated)
4288 *
4289 * [1] malloc'ed, NULL on error
4290 */
4291 idmap_retcode
4304 {
4305 idmap_retcode retcode;
4313 /* Lookup well-known SIDs table */
4321 }
4323 /* Lookup cache */
4331 }
4333 /*
4334 * The caller may be using this function to determine if this
4335 * request needs to be marked for AD lookup or not
4336 * (i.e. _IDMAP_F_LOOKUP_AD) and therefore may not want this
4337 * function to AD lookup now.
4338 */
4348 type);
4353 }
4355 /* Lookup AD */
4361 out:
4362 /*
4363 * Entry found (cache or Windows lookup)
4364 */
4370 /*
4371 * Caller wants to know if its user or group
4372 * Verify that it's one or the other.
4373 */
4376 }
4379 /*
4380 * If we were asked for a canonical domain and none
4381 * of the searches have provided one, assume it's the
4382 * supplied domain.
4383 */
4388 }
4389 }
4396 }
4400 }
4401 }
4403 }
4405 static
4406 idmap_retcode
4409 {
4414 idmap_retcode retcode;
4429 "SELECT winname_display, windomain, w2u_order, "
4430 "is_wuser, unixname, is_nt4 "
4431 "FROM namerules WHERE "
4432 "u2w_order > 0 AND is_user = %d AND "
4433 "(unixname = %Q OR unixname = '*') "
4439 }
4447 }
4456 }
4464 /* values [1] and [2] can be null */
4467 }
4470 direction =
4473 else
4481 direction);
4485 }
4491 }
4502 windomain);
4509 }
4531 }
4536 }
4542 direction);
4558 }
4559 }
4565 else
4577 out:
4584 }
4589 }
4591 /*
4592 * Convention when processing unix2win requests:
4593 *
4594 * Unix identity:
4595 * req->id1name =
4596 * unixname if given otherwise unixname found will be placed
4597 * here.
4598 * req->id1domain =
4599 * NOT USED
4600 * req->id1.idtype =
4601 * Given type (IDMAP_UID or IDMAP_GID)
4602 * req->id1..[uid or gid] =
4603 * UID/GID if given otherwise UID/GID found will be placed here.
4604 *
4605 * Windows identity:
4606 * req->id2name =
4607 * winname found will be placed here.
4608 * req->id2domain =
4609 * windomain found will be placed here.
4610 * res->id.idtype =
4611 * Target type initialized from req->id2.idtype. If
4612 * it is IDMAP_SID then actual type (IDMAP_USID/GSID) found
4613 * will be placed here.
4614 * req->id..sid.[prefix, rid] =
4615 * SID found will be placed here.
4616 *
4617 * Others:
4618 * res->retcode =
4619 * Return status for this request will be placed here.
4620 * res->direction =
4621 * Direction found will be placed here. Direction
4622 * meaning whether the resultant mapping is valid
4623 * only from unix2win or bi-directional.
4624 * req->direction =
4625 * INTERNAL USE. Used by idmapd to set various
4626 * flags (_IDMAP_F_xxxx) to aid in processing
4627 * of the request.
4628 * req->id2.idtype =
4629 * INTERNAL USE. Initially this is the requested target
4630 * type and is used to initialize res->id.idtype.
4631 * ad_lookup_batch() uses this field temporarily to store
4632 * sid_type obtained by the batched AD lookups and after
4633 * use resets it to IDMAP_NONE to prevent xdr from
4634 * mis-interpreting the contents of req->id2.
4635 * req->id2..[uid or gid or sid] =
4636 * NOT USED
4637 */
4639 /*
4640 * This function does the following:
4641 * 1. Lookup well-known SIDs table.
4642 * 2. Lookup cache.
4643 * 3. Check if the client does not want new mapping to be allocated
4644 * in which case this pass is the final pass.
4645 * 4. Set AD/NLDAP lookup flags if it determines that the next stage needs
4646 * to do AD/NLDAP lookup.
4647 */
4648 idmap_retcode
4651 {
4652 idmap_retcode retcode;
4653 idmap_retcode retcode2;
4656 /* Initialize result */
4661 /* sanitize sidprefix */
4664 }
4666 /* Find pid */
4671 }
4678 }
4680 }
4682 /* Lookup in well-known SIDs table */
4691 }
4693 /* Lookup in cache */
4702 }
4705 /* Ephemeral ids cannot be allocated during pid2sid */
4710 }
4715 }
4721 }
4723 /* Set flags for the next stage */
4728 /*
4729 * If AD-based name mapping is enabled then the next stage
4730 * will need to lookup AD using unixname to get the
4731 * corresponding winname.
4732 */
4734 /* Get unixname if only pid is given. */
4742 }
4744 }
4748 /*
4749 * If native LDAP or mixed mode is enabled for name mapping
4750 * then the next stage will need to lookup native LDAP using
4751 * unixname/pid to get the corresponding winname.
4752 */
4755 }
4757 /*
4758 * Failed to find non-expired entry in cache. Set the flag to
4759 * indicate that we are not done yet.
4760 */
4765 out:
4772 else
4775 }
4776 }
4778 }
4780 idmap_retcode
4783 {
4786 idmap_retcode retcode2;
4788 /* Check if second pass is needed */
4792 /* Get status from previous pass */
4797 /*
4798 * If directory-based name mapping is enabled then the winname
4799 * may already have been retrieved from the AD object (AD-mode)
4800 * or from native LDAP object (nldap-mode or mixed-mode).
4801 * Note that if we have winname but no SID then it's an error
4802 * because this implies that the Native LDAP entry contains
4803 * winname which does not exist and it's better that we return
4804 * an error instead of doing rule-based mapping so that the user
4805 * can detect the issue and take appropriate action.
4806 */
4808 /* Return notfound if we've winname but no SID. */
4813 }
4824 /*
4825 * We've SID but no winname. This is fine because
4826 * the caller may have only requested SID.
4827 */
4829 }
4831 /* Free any mapping info from Directory based mapping */
4836 /* Get unixname from name service */
4843 }
4846 /* Get pid from name service */
4853 }
4855 }
4857 /* Use unixname to evaluate local name-based mapping rules */
4867 }
4869 }
4871 out:
4883 else
4888 }
4889 }
4893 }
4895 idmap_retcode
4897 {
4898 idmap_retcode rc;
4905 sql1 =
4907 sql2 =
4918 }
4924 /*
4925 * Note that we flush the idmapd cache first, before the kernel
4926 * cache. If we did it the other way 'round, a request could come
4927 * in after the kernel cache flush and pull a soon-to-be-flushed
4928 * idmapd cache entry back into the kernel cache. This way the
4929 * worst that will happen is that a new entry will be added to
4930 * the kernel cache and then immediately flushed.
4931 */
4941 }