| blob | 7ff9db4d947e0b61387015109a406d6b1739fbd5 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
24 */
26 /*
27 * Database related utility routines
28 */
30 #include <stdio.h>
31 #include <stdlib.h>
32 #include <string.h>
33 #include <errno.h>
34 #include <sys/types.h>
35 #include <sys/stat.h>
36 #include <rpc/rpc.h>
37 #include <sys/sid.h>
38 #include <time.h>
39 #include <pwd.h>
40 #include <grp.h>
41 #include <pthread.h>
42 #include <assert.h>
43 #include <sys/u8_textprep.h>
44 #include <alloca.h>
45 #include <libuutil.h>
46 #include <note.h>
65 #define DO_NOT_ALLOC_NEW_ID_MAPPING(req)\
66 (req->flag & IDMAP_REQ_FLG_NO_NEW_ID_ALLOC)
68 #define AVOID_NAMESERVICE(req)\
69 (req->flag & IDMAP_REQ_FLG_NO_NAMESERVICE)
71 #define ALLOW_WK_OR_LOCAL_SIDS_ONLY(req)\
72 (req->flag & IDMAP_REQ_FLG_WK_OR_LOCAL_SIDS_ONLY)
79 /*
80 * Thread specific data to hold the database handles so that the
81 * databases are not opened and closed for every request. It also
82 * contains the sqlite busy handler structure.
83 */
91 };
101 /*
102 * Flags to indicate how local the directory we're consulting is.
103 * If neither is set, it means the directory belongs to a remote forest.
104 */
105 #define DOMAIN_IS_LOCAL 0x01
106 #define FOREST_IS_LOCAL 0x02
118 void
120 {
129 }
130 }
132 void
134 {
139 }
143 idmap_tsd_t *
145 {
149 /* No thread specific data so create it */
151 /* Initialize thread specific data */
153 /* save the trhread specific data */
155 /* Can't store key */
158 }
161 }
162 }
165 }
167 /*
168 * A simple wrapper around u8_textprep_str() that returns the Unicode
169 * lower-case version of some string. The result must be freed.
170 */
173 {
179 /*
180 * u8_textprep_str() does not allocate memory. The input and
181 * output buffers may differ in size (though that would be more
182 * likely when normalization is done). We have to loop over it...
183 *
184 * To improve the chances that we can avoid looping we add 10
185 * bytes of output buffer room the first go around.
186 */
198 /* adjust input/output buffer pointers */
201 /* adjust outbytesleft and outlen */
204 }
210 }
215 }
221 /*
222 * Initialize 'dbname' using 'sql'
223 */
224 static
225 int
229 {
242 rinse_repeat:
246 }
248 /* Last try, log errors */
259 }
263 /* Detect current version of schema in the db, if any */
269 #ifdef IDMAPD_DEBUG
271 detect_version_sql);
283 }
290 }
293 }
299 }
304 /* Install or upgrade schema */
305 #ifdef IDMAPD_DEBUG
318 }
323 done:
326 }
329 /*
330 * This is the SQLite database busy handler that retries the SQL
331 * operation until it is successful.
332 */
333 int
334 /* LINTED E_FUNC_ARG_UNUSED */
336 {
344 }
350 }
356 }
362 }
365 /*
366 * Get the database handle
367 */
368 idmap_retcode
370 {
374 /*
375 * Retrieve the db handle from thread-specific storage
376 * If none exists, open and store in thread-specific storage.
377 */
382 }
391 }
399 }
402 }
404 /*
405 * Get the cache handle
406 */
407 idmap_retcode
409 {
413 /*
414 * Retrieve the db handle from thread-specific storage
415 * If none exists, open and store in thread-specific storage.
416 */
419 IDMAP_DBNAME);
421 }
430 }
438 }
441 }
443 /*
444 * Initialize cache and db
445 */
446 int
448 {
452 /* name-based mappings; probably OK to blow away in a pinch(?) */
461 /* mappings, name/SID lookup cache + ephemeral IDs; OK to blow away */
474 }
476 /*
477 * Finalize databases
478 */
479 void
481 {
482 }
484 /*
485 * This table is a listing of status codes that will be returned to the
486 * client when a SQL command fails with the corresponding error message.
487 */
492 "columns winname, windomain, is_user, is_wuser, w2u_order are not"
496 };
498 /*
499 * idmapd's version of string2stat to map SQLite messages to
500 * status codes
501 */
502 idmap_retcode
504 {
509 }
511 }
513 /*
514 * Executes some SQL in a transaction.
515 *
516 * Returns 0 on success, -1 if it failed but the rollback succeeded, -2
517 * if the rollback failed.
518 */
519 static
520 int
523 {
533 }
542 }
548 }
555 rollback:
562 }
566 }
568 /*
569 * Execute the given SQL statment without using any callbacks
570 */
571 idmap_retcode
573 {
576 idmap_retcode retcode;
588 }
591 }
593 /*
594 * Generate expression that can be used in WHERE statements.
595 * Examples:
596 * <prefix> <col> <op> <value> <suffix>
597 * "" "unixuser" "=" "foo" "AND"
598 */
599 idmap_retcode
601 {
618 }
619 }
632 }
633 }
642 }
643 }
660 }
666 dir);
672 }
674 out:
683 }
687 /*
688 * Generate and execute SQL statement for LIST RPC calls
689 */
690 idmap_retcode
693 {
694 list_cb_data_t cb_data;
717 }
721 }
723 /*
724 * This routine is called by callbacks that process the results of
725 * LIST RPC calls to validate data and to allocate memory for
726 * the result array.
727 */
728 idmap_retcode
731 {
741 }
743 /* alloc in bulk to reduce number of reallocs */
750 }
755 }
757 }
759 static
760 idmap_retcode
763 {
767 /*
768 * Windows to UNIX lookup order:
769 * 1. winname@domain (or winname) to ""
770 * 2. winname@domain (or winname) to unixname
771 * 3. winname@* to ""
772 * 4. winname@* to unixname
773 * 5. *@domain (or *) to *
774 * 6. *@domain (or *) to ""
775 * 7. *@domain (or *) to unixname
776 * 8. *@* to *
777 * 9. *@* to ""
778 * 10. *@* to unixname
779 *
780 * winname is a special case of winname@domain when domain is the
781 * default domain. Similarly * is a special case of *@domain when
782 * domain is the default domain.
783 *
784 * Note that "" has priority over specific names because "" inhibits
785 * mappings and traditionally deny rules always had higher priority.
786 */
788 /* bi-directional or from windows to unix */
810 /* winname == name */
818 /* winname == name && windomain == null or name */
825 }
827 }
829 /*
830 * 1. unixname to "", non-diagonal
831 * 2. unixname to winname@domain (or winname), non-diagonal
832 * 3. unixname to "", diagonal
833 * 4. unixname to winname@domain (or winname), diagonal
834 * 5. * to *@domain (or *), non-diagonal
835 * 5. * to *@domain (or *), diagonal
836 * 7. * to ""
837 * 8. * to winname@domain (or winname)
838 * 9. * to "", non-diagonal
839 * 10. * to winname@domain (or winname), diagonal
840 */
844 /* bi-directional or from unix to windows */
856 else
863 else
865 }
866 }
868 }
870 /*
871 * Generate and execute SQL statement to add name-based mapping rule
872 */
873 idmap_retcode
875 {
877 idmap_stat retcode;
896 /*
897 * For the triggers on namerules table to work correctly:
898 * 1) Use NULL instead of 0 for w2u_order and u2w_order
899 * 2) Use "" instead of NULL for "no domain"
900 */
914 else
916 }
918 "(is_user, is_wuser, windomain, winname_display, is_nt4, "
919 "unixname, w2u_order, u2w_order) "
930 }
937 out:
943 }
945 /*
946 * Flush name-based mapping rules
947 */
948 idmap_retcode
950 {
951 idmap_stat retcode;
956 }
958 /*
959 * Generate and execute SQL statement to remove a name-based mapping rule
960 */
961 idmap_retcode
963 {
965 idmap_stat retcode;
982 }
987 out:
993 }
995 /*
996 * Compile the given SQL query and step just once.
997 *
998 * Input:
999 * db - db handle
1000 * sql - SQL statement
1001 *
1002 * Output:
1003 * vm - virtual SQL machine
1004 * ncol - number of columns in the result
1005 * values - column values
1006 *
1007 * Return values:
1008 * IDMAP_SUCCESS
1009 * IDMAP_ERR_NOTFOUND
1010 * IDMAP_ERR_INTERNAL
1011 */
1013 static
1014 idmap_retcode
1017 {
1026 }
1036 }
1037 /* Caller will call finalize after using the results */
1043 }
1051 }
1053 /*
1054 * Load config in the state.
1055 *
1056 * nm_siduid and nm_sidgid fields:
1057 * state->nm_siduid represents mode used by sid2uid and uid2sid
1058 * requests for directory-based name mappings. Similarly,
1059 * state->nm_sidgid represents mode used by sid2gid and gid2sid
1060 * requests.
1061 *
1062 * sid2uid/uid2sid:
1063 * none -> directory_based_mapping != DIRECTORY_MAPPING_NAME
1064 * AD-mode -> !nldap_winname_attr && ad_unixuser_attr
1065 * nldap-mode -> nldap_winname_attr && !ad_unixuser_attr
1066 * mixed-mode -> nldap_winname_attr && ad_unixuser_attr
1067 *
1068 * sid2gid/gid2sid:
1069 * none -> directory_based_mapping != DIRECTORY_MAPPING_NAME
1070 * AD-mode -> !nldap_winname_attr && ad_unixgroup_attr
1071 * nldap-mode -> nldap_winname_attr && !ad_unixgroup_attr
1072 * mixed-mode -> nldap_winname_attr && ad_unixgroup_attr
1073 */
1074 idmap_retcode
1076 {
1099 }
1103 }
1106 DIRECTORY_MAPPING_NAME) {
1109 }
1125 }
1132 }
1133 }
1140 }
1141 }
1148 }
1149 }
1152 }
1154 /*
1155 * Set the rule with specified values.
1156 * All the strings are copied.
1157 */
1158 static void
1162 {
1163 /*
1164 * Only update if they differ because we have to free
1165 * and duplicate the strings
1166 */
1172 }
1175 }
1182 }
1185 }
1192 }
1195 }
1201 }
1203 /*
1204 * Lookup well-known SIDs table either by winname or by SID.
1205 *
1206 * If the given winname or SID is a well-known SID then we set is_wksid
1207 * variable and then proceed to see if the SID has a hard mapping to
1208 * a particular UID/GID (Ex: Creator Owner/Creator Group mapped to
1209 * fixed ephemeral ids). The direction flag indicates whether we have
1210 * a mapping; UNDEF indicates that we do not.
1211 *
1212 * If we find a mapping then we return success, except for the
1213 * special case of IDMAP_SENTINEL_PID which indicates an inhibited mapping.
1214 *
1215 * If we find a matching entry, but no mapping, we supply SID, name, and type
1216 * information and return "not found". Higher layers will probably
1217 * do ephemeral mapping.
1218 *
1219 * If we do not find a match, we return "not found" and leave the question
1220 * to higher layers.
1221 */
1222 static
1223 idmap_retcode
1225 {
1239 }
1243 /* Found matching entry. */
1245 /* Fill in name if it was not already there. */
1250 }
1252 /* Fill in SID if it was not already there */
1262 }
1266 }
1268 /* Fill in the canonical domain if not already there */
1275 else
1281 }
1290 }
1293 /*
1294 * We don't have a mapping
1295 * (But note that we may have supplied SID, name, or type
1296 * information.)
1297 */
1299 }
1301 /*
1302 * We have an explicit mapping.
1303 */
1305 /*
1306 * ... which is that mapping is inhibited.
1307 */
1309 }
1319 /* IDMAP_POSIXID is eliminated above */
1321 }
1327 }
1330 /*
1331 * Look for an entry mapping a PID to a SID.
1332 *
1333 * Note that direction=UNDEF entries do not specify a mapping,
1334 * and that IDMAP_SENTINEL_PID entries represent either an inhibited
1335 * mapping or an ephemeral mapping. We don't handle either here;
1336 * they are filtered out by find_wksid_by_pid.
1337 */
1338 static
1339 idmap_retcode
1341 {
1350 }
1361 }
1366 }
1368 /* Fill in name if it was not already there. */
1373 }
1375 /* Fill in the canonical domain if not already there */
1382 else
1388 }
1394 }
1396 /*
1397 * Look up a name in the wksids list, matching name and, if supplied, domain,
1398 * and extract data.
1399 *
1400 * Given:
1401 * name Windows user name
1402 * domain Windows domain name (or NULL)
1403 *
1404 * Return: Error code
1405 *
1406 * *canonname canonical name (if canonname non-NULL) [1]
1407 * *canondomain canonical domain (if canondomain non-NULL) [1]
1408 * *sidprefix SID prefix (if sidprefix non-NULL) [1]
1409 * *rid RID (if rid non-NULL) [2]
1410 * *type Type (if type non-NULL) [2]
1411 *
1412 * [1] malloc'ed, NULL on error
1413 * [2] Undefined on error
1414 */
1415 idmap_retcode
1424 {
1446 }
1449 }
1458 }
1467 }
1470 }
1478 nomem:
1484 }
1489 }
1494 }
1497 }
1499 static
1500 idmap_retcode
1502 {
1508 uid_t pid;
1510 idmap_retcode retcode;
1513 /* Current time */
1520 }
1530 /* the non-diagonal mapping */
1536 }
1538 /* SQL to lookup the cache */
1542 "unixname, u2w, is_wuser, "
1543 "map_type, map_dn, map_attr, map_value, "
1544 "map_windomain, map_winname, map_unixname, map_is_nt4 "
1545 "FROM idmap_cache WHERE is_user = %s AND "
1546 "sidprefix = %Q AND rid = %u AND w2u = 1 AND "
1547 "(pid >= 2147483648 OR "
1548 "(expiration = 0 OR expiration ISNULL OR "
1556 "unixname, u2w, is_wuser, "
1557 "map_type, map_dn, map_attr, map_value, "
1558 "map_windomain, map_winname, map_unixname, map_is_nt4 "
1559 "FROM idmap_cache WHERE is_user = %s AND "
1560 "winname = %Q AND windomain = %Q AND w2u = 1 AND "
1561 "(pid >= 2147483648 OR "
1562 "(expiration = 0 OR expiration ISNULL OR "
1565 curtime);
1571 }
1576 }
1584 /* sanity checks */
1588 }
1599 }
1601 /*
1602 * We may have an expired ephemeral mapping. Consider
1603 * the expired entry as valid if we are not going to
1604 * perform name-based mapping. But do not renew the
1605 * expiration.
1606 * If we will be doing name-based mapping then store the
1607 * ephemeral pid in the result so that we can use it
1608 * if we end up doing dynamic mapping again.
1609 */
1615 /* Store the ephemeral pid */
1618 ? _IDMAP_F_EXP_EPH_UID
1621 }
1622 }
1623 }
1625 out:
1631 else
1640 }
1641 }
1678 is_user;
1702 /* Unknown mapping type */
1704 }
1705 }
1706 }
1710 }
1712 /*
1713 * Previous versions used two enumerations for representing types.
1714 * One of those has largely been eliminated, but was used in the
1715 * name cache table and so during an upgrade might still be visible.
1716 * In addition, the test suite prepopulates the cache with these values.
1717 *
1718 * This function translates those old values into the new values.
1719 *
1720 * This code deliberately does not use symbolic values for the legacy
1721 * values. This is the *only* place where they should be used.
1722 */
1723 static
1724 idmap_id_type
1726 {
1734 }
1736 }
1738 static
1739 idmap_retcode
1742 {
1751 /* Get current time */
1758 }
1760 /* SQL to lookup the cache */
1762 "FROM name_cache WHERE "
1763 "sidprefix = %Q AND rid = %u AND "
1764 "(expiration = 0 OR expiration ISNULL OR "
1771 }
1780 }
1782 }
1789 }
1790 }
1797 }
1801 }
1802 }
1803 }
1805 out:
1809 }
1811 /*
1812 * Given SID, find winname using name_cache OR
1813 * Given winname, find SID using name_cache.
1814 * Used when mapping win to unix i.e. req->id1 is windows id and
1815 * req->id2 is unix id
1816 */
1817 static
1818 idmap_retcode
1820 {
1822 idmap_retcode retcode;
1824 idmap_rid_t rid;
1827 /* Done if we've both sid and winname */
1829 /* Don't bother TRACE()ing, too boring */
1831 }
1834 /* Lookup sid to winname */
1839 /* Lookup winame to sid */
1842 }
1849 }
1854 }
1860 /*
1861 * If we found canonical names or domain, use them instead of
1862 * the existing values.
1863 */
1867 }
1871 }
1876 }
1880 }
1884 static int
1888 {
1889 idmap_retcode retcode;
1902 /*
1903 * Since req->id2.idtype is unused, we will use it here
1904 * to retrieve the value of sid_type. But it needs to be
1905 * reset to IDMAP_NONE before we return to prevent xdr
1906 * from mis-interpreting req->id2 when it tries to free
1907 * the input argument. Other option is to allocate an
1908 * array of integers and use it instead for the batched
1909 * call. But why un-necessarily allocate memory. That may
1910 * be an option if req->id2.idtype cannot be re-used in
1911 * future.
1912 *
1913 * Similarly, we use req->id2.idmap_id_u.uid to return
1914 * uidNumber or gidNumber supplied by IDMU, and reset it
1915 * back to IDMAP_SENTINEL_PID when we're done. Note that
1916 * the query always puts the result in req->id2.idmap_id_u.uid,
1917 * not .gid.
1918 */
1919 retry:
1930 }
1936 /*
1937 * Directory based name mapping is only performed within the
1938 * joined forest. We don't trust other "trusted"
1939 * forests to provide DS-based name mapping information because
1940 * AD's definition of "cross-forest trust" does not encompass
1941 * this sort of behavior.
1942 */
1945 }
1956 /* Skip if no AD lookup required */
1960 /* Skip if we've already tried and gotten a "not found" */
1964 /* Skip if we've already either succeeded or failed */
1970 /* win2unix request: */
1976 DIRECTORY_MAPPING_NAME &&
1989 }
1992 /*
1993 * Get how info for DS-based name
1994 * mapping only if AD or MIXED
1995 * mode is enabled.
1996 */
2003 }
2005 DIRECTORY_MAPPING_IDMU &&
2007 /*
2008 * Ensure that we only do IDMU processing
2009 * when querying the domain we've joined.
2010 */
2012 /*
2013 * Get how info for IDMU based mapping.
2014 */
2021 }
2024 /* Lookup AD by SID */
2034 pid,
2037 num_queued++;
2039 /* Lookup AD by winname */
2043 esidtype,
2049 pid,
2052 num_queued++;
2053 }
2057 /* unix2win request: */
2061 /* Already have SID and winname. done */
2064 }
2067 /*
2068 * SID but no winname -- lookup AD by
2069 * SID to get winname.
2070 * how info is not needed here because
2071 * we are not retrieving unixname from
2072 * AD.
2073 */
2078 IDMAP_POSIXID,
2084 num_queued++;
2086 /*
2087 * winname but no SID -- lookup AD by
2088 * winname to get SID.
2089 * how info is not needed here because
2090 * we are not retrieving unixname from
2091 * AD.
2092 */
2095 IDMAP_POSIXID,
2100 NULL,
2103 num_queued++;
2105 DIRECTORY_MAPPING_IDMU &&
2108 IDMAP_SENTINEL_PID);
2114 else
2117 /* IDMU can't do diagonal mappings */
2134 num_queued++;
2136 /*
2137 * No SID and no winname but we've unixname.
2138 * Lookup AD by unixname to get SID.
2139 */
2145 else
2161 num_queued++;
2162 }
2163 }
2170 }
2174 /* add keeps track if we added an entry to the batch */
2177 else
2183 }
2192 /* Mark any unproccessed requests for an other AD */
2194 i++) {
2198 }
2199 }
2204 out:
2205 /*
2206 * This loop does the following:
2207 * 1. Reset _IDMAP_F_LOOKUP_AD flag from the request.
2208 * 2. Reset req->id2.idtype to IDMAP_NONE
2209 * 3. If batch_start or batch_add failed then set the status
2210 * of each request marked for AD lookup to that error.
2211 * 4. Evaluate the type of the AD object (i.e. user or group)
2212 * and update the idtype in request.
2213 */
2215 idmap_id_type type;
2216 uid_t posix_id;
2225 /*
2226 * If it didn't need AD lookup, ignore it.
2227 */
2231 /*
2232 * If we deferred it this time, reset for the next
2233 * AD server.
2234 */
2238 }
2240 /* Count number processed */
2243 /* Reset AD lookup flag */
2246 /*
2247 * If batch_start or batch_add failed then set the
2248 * status of each request marked for AD lookup to
2249 * that error.
2250 */
2254 }
2257 /* Nothing found - remove the preset info */
2259 }
2265 }
2270 }
2271 /* Evaluate result type */
2276 /*
2277 * We found a user. If we got information
2278 * from IDMU and we were expecting a user,
2279 * copy the id.
2280 */
2286 IDMAP_MAP_TYPE_IDMU;
2288 }
2295 /*
2296 * We found a group. If we got information
2297 * from IDMU and we were expecting a group,
2298 * copy the id.
2299 */
2305 IDMAP_MAP_TYPE_IDMU;
2307 }
2314 }
2323 }
2329 /*
2330 * If AD lookup by unixname or pid
2331 * failed with non fatal error
2332 * then clear the error (ie set
2333 * res->retcode to success).
2334 * This allows the next pass to
2335 * process other mapping
2336 * mechanisms for this request.
2337 */
2339 IDMAP_ERR_NOTFOUND) {
2340 /* This is not an error */
2348 }
2351 }
2353 }
2354 /* Evaluate result type */
2365 }
2367 }
2368 }
2371 }
2375 /*
2376 * Batch AD lookups
2377 */
2378 idmap_retcode
2381 {
2382 idmap_retcode retcode;
2396 /* Skip if not marked for AD lookup or already in error. */
2401 /* Init status */
2403 }
2409 /* Case of no ADs */
2418 }
2420 }
2431 }
2432 }
2442 }
2444 /*
2445 * There are no more ADs to try. Return errors for any
2446 * remaining requests.
2447 */
2456 }
2457 }
2459 out:
2462 /* AD lookups done. Reset state->ad_nqueries and return */
2465 }
2467 /*
2468 * Convention when processing win2unix requests:
2469 *
2470 * Windows identity:
2471 * req->id1name =
2472 * winname if given otherwise winname found will be placed
2473 * here.
2474 * req->id1domain =
2475 * windomain if given otherwise windomain found will be
2476 * placed here.
2477 * req->id1.idtype =
2478 * Either IDMAP_SID/USID/GSID. If this is IDMAP_SID then it'll
2479 * be set to IDMAP_USID/GSID depending upon whether the
2480 * given SID is user or group respectively. The user/group-ness
2481 * is determined either when looking up well-known SIDs table OR
2482 * if the SID is found in namecache OR by ad_lookup_batch().
2483 * req->id1..sid.[prefix, rid] =
2484 * SID if given otherwise SID found will be placed here.
2485 *
2486 * Unix identity:
2487 * req->id2name =
2488 * unixname found will be placed here.
2489 * req->id2domain =
2490 * NOT USED
2491 * res->id.idtype =
2492 * Target type initialized from req->id2.idtype. If
2493 * it is IDMAP_POSIXID then actual type (IDMAP_UID/GID) found
2494 * will be placed here.
2495 * res->id..[uid or gid] =
2496 * UID/GID found will be placed here.
2497 *
2498 * Others:
2499 * res->retcode =
2500 * Return status for this request will be placed here.
2501 * res->direction =
2502 * Direction found will be placed here. Direction
2503 * meaning whether the resultant mapping is valid
2504 * only from win2unix or bi-directional.
2505 * req->direction =
2506 * INTERNAL USE. Used by idmapd to set various
2507 * flags (_IDMAP_F_xxxx) to aid in processing
2508 * of the request.
2509 * req->id2.idtype =
2510 * INTERNAL USE. Initially this is the requested target
2511 * type and is used to initialize res->id.idtype.
2512 * ad_lookup_batch() uses this field temporarily to store
2513 * sid_type obtained by the batched AD lookups and after
2514 * use resets it to IDMAP_NONE to prevent xdr from
2515 * mis-interpreting the contents of req->id2.
2516 * req->id2.idmap_id_u.uid =
2517 * INTERNAL USE. If the AD lookup finds IDMU data
2518 * (uidNumber or gidNumber, depending on the type of
2519 * the entry), it's left here.
2520 */
2522 /*
2523 * This function does the following:
2524 * 1. Lookup well-known SIDs table.
2525 * 2. Check if the given SID is a local-SID and if so extract UID/GID from it.
2526 * 3. Lookup cache.
2527 * 4. Check if the client does not want new mapping to be allocated
2528 * in which case this pass is the final pass.
2529 * 5. Set AD lookup flag if it determines that the next stage needs
2530 * to do AD lookup.
2531 */
2532 idmap_retcode
2535 {
2536 idmap_retcode retcode;
2539 /* Initialize result */
2546 /* They have to give us *something* to work with! */
2550 }
2552 /* sanitize sidprefix */
2556 /* Allow for a fully-qualified name in the "name" parameter */
2570 }
2571 }
2572 }
2573 }
2575 /* Lookup well-known SIDs table */
2578 /* Found a well-known account with a hardwired mapping */
2585 }
2588 /* Found a well-known account, but no mapping */
2593 /* Check if this is a localsid */
2602 }
2608 }
2609 }
2611 /*
2612 * If this is a name-based request and we don't have a domain,
2613 * use the default domain. Note that the well-known identity
2614 * cases will have supplied a SID prefix already, and that we
2615 * don't (yet?) support looking up a local user through a Windows
2616 * style name.
2617 */
2623 }
2628 }
2630 }
2632 /* Lookup cache */
2640 }
2646 }
2648 /*
2649 * Failed to find non-expired entry in cache. Next step is
2650 * to determine if this request needs to be batched for AD lookup.
2651 *
2652 * At this point we have either sid or winname or both. If we don't
2653 * have both then lookup name_cache for the sid or winname
2654 * whichever is missing. If not found then this request will be
2655 * batched for AD lookup.
2656 */
2662 else
2664 }
2670 /*
2671 * If we don't have both name and SID, try looking up the
2672 * entry with LSA.
2673 */
2688 }
2712 }
2713 }
2714 }
2716 /*
2717 * Set the flag to indicate that we are not done yet so that
2718 * subsequent passes considers this request for name-based
2719 * mapping and ephemeral mapping.
2720 */
2724 /*
2725 * Even if we have both sid and winname, we still may need to batch
2726 * this request for AD lookup if we don't have unixname and
2727 * directory-based name mapping (AD or mixed) is enabled.
2728 * We avoid AD lookup for well-known SIDs because they don't have
2729 * regular AD objects.
2730 */
2742 }
2745 out:
2747 /*
2748 * If we are done and there was an error then set fallback pid
2749 * in the result.
2750 */
2754 }
2756 /*
2757 * Generate SID using the following convention
2758 * <machine-sid-prefix>-<1000 + uid>
2759 * <machine-sid-prefix>-<2^31 + gid>
2760 */
2761 static
2762 idmap_retcode
2765 {
2769 /*
2770 * Diagonal mapping for localSIDs not supported because of the
2771 * way we generate localSIDs.
2772 */
2778 /* Skip 1000 UIDs */
2784 /*
2785 * machine_sid is never NULL because if it is we won't be here.
2786 * No need to assert because strdup(NULL) will core anyways.
2787 */
2794 }
2806 }
2808 /*
2809 * Don't update name_cache because local sids don't have
2810 * valid windows names.
2811 */
2814 }
2816 static
2817 idmap_retcode
2819 {
2824 /*
2825 * If the sidprefix == localsid then UID = last RID - 1000 or
2826 * GID = last RID - 2^31.
2827 */
2829 /* This means we are looking up by winname */
2838 /*
2839 * If the given sidprefix does not match machine_sid then this is
2840 * not a local SID.
2841 */
2865 }
2869 }
2873 }
2875 /*
2876 * Name service lookup by unixname to get pid
2877 */
2878 static
2879 idmap_retcode
2881 {
2902 else
2904 }
2918 else
2920 }
2925 }
2927 }
2930 /*
2931 * Name service lookup by pid to get unixname
2932 */
2933 static
2934 idmap_retcode
2936 {
2953 else
2955 }
2965 else
2967 }
2969 }
2973 }
2975 /*
2976 * Name-based mapping
2977 *
2978 * Case 1: If no rule matches do ephemeral
2979 *
2980 * Case 2: If rule matches and unixname is "" then return no mapping.
2981 *
2982 * Case 3: If rule matches and unixname is specified then lookup name
2983 * service using the unixname. If unixname not found then return no mapping.
2984 *
2985 * Case 4: If rule matches and unixname is * then lookup name service
2986 * using winname as the unixname. If unixname not found then process
2987 * other rules using the lookup order. If no other rule matches then do
2988 * ephemeral. Otherwise, based on the matched rule do Case 2 or 3 or 4.
2989 * This allows us to specify a fallback unixname per _domain_ or no mapping
2990 * instead of the default behaviour of doing ephemeral mapping.
2991 *
2992 * Example 1:
2993 * *@sfbay == *
2994 * If looking up windows users foo@sfbay and foo does not exists in
2995 * the name service then foo@sfbay will be mapped to an ephemeral id.
2996 *
2997 * Example 2:
2998 * *@sfbay == *
2999 * *@sfbay => guest
3000 * If looking up windows users foo@sfbay and foo does not exists in
3001 * the name service then foo@sfbay will be mapped to guest.
3002 *
3003 * Example 3:
3004 * *@sfbay == *
3005 * *@sfbay => ""
3006 * If looking up windows users foo@sfbay and foo does not exists in
3007 * the name service then we will return no mapping for foo@sfbay.
3008 *
3009 */
3010 static
3011 idmap_retcode
3014 {
3017 idmap_retcode retcode;
3043 }
3056 }
3064 "SELECT unixname, u2w_order, winname_display, windomain, is_nt4 "
3065 "FROM namerules WHERE "
3066 "w2u_order > 0 AND is_user = %d AND is_wuser = %d AND "
3067 "(winname = %Q OR winname = '*') AND "
3068 "(windomain = %Q OR windomain = '*') "
3075 }
3083 }
3093 }
3103 }
3106 direction =
3109 else
3117 direction);
3120 }
3128 }
3138 unixname);
3139 /* Case 4 */
3144 /* Case 3 */
3147 is_wuser,
3149 direction);
3151 }
3155 }
3169 }
3170 }
3172 /* Found */
3178 else
3185 }
3192 out:
3197 }
3205 }
3212 }
3214 static
3215 int
3217 {
3218 uid_t uid;
3219 gid_t gid;
3230 }
3234 }
3236 static
3237 int
3239 {
3240 uid_t uid;
3241 gid_t gid;
3252 }
3256 }
3258 static
3259 int
3261 {
3270 }
3275 }
3280 }
3282 static
3283 int
3286 {
3302 }
3304 }
3306 }
3308 static
3309 void
3311 {
3317 next++;
3319 }
3325 }
3327 void
3329 {
3335 }
3337 /* ARGSUSED */
3338 static
3339 idmap_retcode
3342 {
3344 uid_t next_pid;
3352 }
3361 }
3371 }
3380 }
3382 idmap_retcode
3385 {
3386 idmap_retcode retcode;
3387 idmap_retcode retcode2;
3389 /* Check if second pass is needed */
3393 /* Get status from previous pass */
3398 /*
3399 * We are asked to map an unresolvable SID to a UID or
3400 * GID, but, which? We'll treat all unresolvable SIDs
3401 * as users unless the caller specified which of a UID
3402 * or GID they want.
3403 */
3413 }
3415 }
3419 /*
3420 * There are two ways we might get here with a Posix ID:
3421 * - It could be from an expired ephemeral cache entry.
3422 * - It could be from IDMU.
3423 * If it's from IDMU, we need to look up the name, for name-based
3424 * requests and the cache.
3425 */
3429 /*
3430 * If the lookup fails, go ahead anyway.
3431 * The general UNIX rule is that it's OK to
3432 * have a UID or GID that isn't in the
3433 * name service.
3434 */
3440 retcode2);
3443 }
3444 }
3446 }
3448 /*
3449 * If directory-based name mapping is enabled then the unixname
3450 * may already have been retrieved from the AD object (AD-mode or
3451 * mixed-mode) or from native LDAP object (nldap-mode) -- done.
3452 */
3462 /*
3463 * Special case: (1) If the ad_unixuser_attr and
3464 * ad_unixgroup_attr uses the same attribute
3465 * name and (2) if this is a diagonal mapping
3466 * request and (3) the unixname has been retrieved
3467 * from the AD object -- then we ignore it and fallback
3468 * to name-based mapping rules and ephemeral mapping
3469 *
3470 * Example:
3471 * Properties:
3472 * config/ad_unixuser_attr = "unixname"
3473 * config/ad_unixgroup_attr = "unixname"
3474 * AD user object:
3475 * dn: cn=bob ...
3476 * objectclass: user
3477 * sam: bob
3478 * unixname: bob1234
3479 * AD group object:
3480 * dn: cn=winadmins ...
3481 * objectclass: group
3482 * sam: winadmins
3483 * unixname: unixadmins
3484 *
3485 * In this example whether "unixname" refers to a unixuser
3486 * or unixgroup depends upon the AD object.
3487 *
3488 * $idmap show -c winname:bob gid
3489 * AD lookup by "samAccountName=bob" for
3490 * "ad_unixgroup_attr (i.e unixname)" for directory-based
3491 * mapping would get "bob1234" which is not what we want.
3492 * Now why not getgrnam_r("bob1234") and use it if it
3493 * is indeed a unixgroup? That's because Unix can have
3494 * users and groups with the same name and we clearly
3495 * don't know the intention of the admin here.
3496 * Therefore we ignore this and fallback to name-based
3497 * mapping rules or ephemeral mapping.
3498 */
3513 /* fallback */
3519 /*
3520 * If ns_lookup_byname() fails that
3521 * means the unixname (req->id2name),
3522 * which was obtained from the AD
3523 * object by directory-based mapping,
3524 * is not a valid Unix user/group and
3525 * therefore we return the error to the
3526 * client instead of doing rule-based
3527 * mapping or ephemeral mapping. This
3528 * way the client can detect the issue.
3529 */
3533 }
3535 }
3537 }
3538 }
3540 /* Free any mapping info from Directory based mapping */
3544 /*
3545 * If we don't have unixname then evaluate local name-based
3546 * mapping rules.
3547 */
3555 }
3557 do_eph:
3558 /* If not found, do ephemeral mapping */
3566 }
3568 out:
3573 }
3577 }
3579 idmap_retcode
3582 {
3584 idmap_retcode retcode;
3585 idmap_retcode retcode2;
3594 /* Check if we need to cache anything */
3598 /* We don't cache negative entries */
3606 /*
3607 * If we've gotten to this point and we *still* don't know the
3608 * unixname, well, we'd like to have it now for the cache.
3609 *
3610 * If we truly always need it for the cache, we should probably
3611 * look it up once at the beginning, rather than "at need" in
3612 * several places as is now done. However, it's not really clear
3613 * that we *do* need it in the cache; there's a decent argument
3614 * that the cache should contain only SIDs and PIDs, so we'll
3615 * leave our options open by doing it "at need" here too.
3616 *
3617 * If we can't find it... c'est la vie.
3618 */
3624 else
3626 }
3662 /* Don't cache other mapping types */
3664 }
3666 /*
3667 * Using NULL for u2w instead of 0 so that our trigger allows
3668 * the same pid to be the destination in multiple entries
3669 */
3671 "(sidprefix, rid, windomain, canon_winname, pid, unixname, "
3672 "is_user, is_wuser, expiration, w2u, u2w, "
3673 "map_type, map_dn, map_attr, map_value, map_windomain, "
3674 "map_winname, map_unixname, map_is_nt4) "
3675 "VALUES(%Q, %u, %Q, %Q, %u, %Q, %d, %d, "
3676 "strftime('%%s','now') + %u, %q, 1, "
3691 }
3701 /* Check if we need to update namecache */
3709 "(sidprefix, rid, canon_name, domain, type, expiration) "
3719 }
3723 out:
3727 }
3729 idmap_retcode
3732 {
3734 idmap_retcode retcode;
3744 /* Check if we need to cache anything */
3748 /* We don't cache negative entries */
3756 else
3762 "SET w2u = 0 WHERE "
3763 "sidprefix = %Q AND rid = %u AND w2u = 1 AND "
3767 is_eph_user);
3772 }
3780 }
3815 /* Don't cache other mapping types */
3817 }
3820 "(sidprefix, rid, windomain, canon_winname, pid, unixname, "
3821 "is_user, is_wuser, expiration, w2u, u2w, "
3822 "map_type, map_dn, map_attr, map_value, map_windomain, "
3823 "map_winname, map_unixname, map_is_nt4) "
3824 "VALUES(%Q, %u, %Q, %Q, %u, %Q, %d, %d, "
3825 "strftime('%%s','now') + %u, 1, %q, "
3841 }
3851 /* Check if we need to update namecache */
3859 "(sidprefix, rid, canon_name, domain, type, expiration) "
3869 }
3873 out:
3877 }
3879 static
3880 idmap_retcode
3883 {
3891 idmap_id_type idtype;
3893 /* Current time */
3900 }
3902 /* SQL to lookup the cache by pid or by unixname */
3905 "canon_winname, windomain, w2u, is_wuser, "
3906 "map_type, map_dn, map_attr, map_value, map_windomain, "
3907 "map_winname, map_unixname, map_is_nt4 "
3908 "FROM idmap_cache WHERE "
3909 "pid = %u AND u2w = 1 AND is_user = %d AND "
3910 "(pid >= 2147483648 OR "
3911 "(expiration = 0 OR expiration ISNULL OR "
3916 "canon_winname, windomain, w2u, is_wuser, "
3917 "map_type, map_dn, map_attr, map_value, map_windomain, "
3918 "map_winname, map_unixname, map_is_nt4 "
3919 "FROM idmap_cache WHERE "
3920 "unixname = %Q AND u2w = 1 AND is_user = %d AND "
3921 "(pid >= 2147483648 OR "
3922 "(expiration = 0 OR expiration ISNULL OR "
3928 }
3934 }
3942 /* sanity checks */
3946 }
3963 }
3973 }
3979 else
3989 }
3998 }
4004 }
4037 is_user;
4061 /* Unknown mapping type */
4063 }
4064 }
4065 }
4067 out:
4071 }
4073 /*
4074 * Given:
4075 * cache sqlite handle
4076 * name Windows user name
4077 * domain Windows domain name
4078 *
4079 * Return: Error code
4080 *
4081 * *canonname Canonical name (if canonname is non-NULL) [1]
4082 * *sidprefix SID prefix [1]
4083 * *rid RID
4084 * *type Type of name
4085 *
4086 * [1] malloc'ed, NULL on error
4087 */
4088 static
4089 idmap_retcode
4098 {
4105 idmap_retcode retcode;
4111 /* Get current time */
4118 }
4120 /* SQL to lookup the cache */
4124 "FROM name_cache WHERE name = %Q AND domain = %Q AND "
4125 "(expiration = 0 OR expiration ISNULL OR "
4133 }
4145 }
4147 }
4152 }
4161 }
4162 }
4169 }
4174 out:
4184 }
4185 }
4187 }
4189 static
4190 idmap_retcode
4196 {
4207 retry:
4221 }
4226 /*
4227 * Directory based name mapping is only
4228 * performed within the joined forest (i == 0).
4229 * We don't trust other "trusted" forests to
4230 * provide DS-based name mapping information
4231 * because AD's definition of "cross-forest
4232 * trust" does not encompass this sort of
4233 * behavior.
4234 */
4238 }
4246 }
4250 else
4259 }
4261 /* No AD case */
4263 }
4271 retcode);
4273 }
4275 }
4277 /*
4278 * Given:
4279 * cache sqlite handle to cache
4280 * name Windows user name
4281 * domain Windows domain name
4282 * local_only if true, don't try AD lookups
4283 *
4284 * Returns: Error code
4285 *
4286 * *canonname Canonical name (if non-NULL) [1]
4287 * *canondomain Canonical domain (if non-NULL) [1]
4288 * *sidprefix SID prefix [1]
4289 * *rid RID
4290 * *req Request (direction is updated)
4291 *
4292 * [1] malloc'ed, NULL on error
4293 */
4294 idmap_retcode
4307 {
4308 idmap_retcode retcode;
4316 /* Lookup well-known SIDs table */
4324 }
4326 /* Lookup cache */
4334 }
4336 /*
4337 * The caller may be using this function to determine if this
4338 * request needs to be marked for AD lookup or not
4339 * (i.e. _IDMAP_F_LOOKUP_AD) and therefore may not want this
4340 * function to AD lookup now.
4341 */
4351 type);
4356 }
4358 /* Lookup AD */
4364 out:
4365 /*
4366 * Entry found (cache or Windows lookup)
4367 */
4373 /*
4374 * Caller wants to know if its user or group
4375 * Verify that it's one or the other.
4376 */
4379 }
4382 /*
4383 * If we were asked for a canonical domain and none
4384 * of the searches have provided one, assume it's the
4385 * supplied domain.
4386 */
4391 }
4392 }
4399 }
4403 }
4404 }
4406 }
4408 static
4409 idmap_retcode
4412 {
4417 idmap_retcode retcode;
4432 "SELECT winname_display, windomain, w2u_order, "
4433 "is_wuser, unixname, is_nt4 "
4434 "FROM namerules WHERE "
4435 "u2w_order > 0 AND is_user = %d AND "
4436 "(unixname = %Q OR unixname = '*') "
4442 }
4450 }
4459 }
4467 /* values [1] and [2] can be null */
4470 }
4473 direction =
4476 else
4484 direction);
4488 }
4494 }
4505 windomain);
4512 }
4534 }
4539 }
4545 direction);
4561 }
4562 }
4568 else
4580 out:
4587 }
4592 }
4594 /*
4595 * Convention when processing unix2win requests:
4596 *
4597 * Unix identity:
4598 * req->id1name =
4599 * unixname if given otherwise unixname found will be placed
4600 * here.
4601 * req->id1domain =
4602 * NOT USED
4603 * req->id1.idtype =
4604 * Given type (IDMAP_UID or IDMAP_GID)
4605 * req->id1..[uid or gid] =
4606 * UID/GID if given otherwise UID/GID found will be placed here.
4607 *
4608 * Windows identity:
4609 * req->id2name =
4610 * winname found will be placed here.
4611 * req->id2domain =
4612 * windomain found will be placed here.
4613 * res->id.idtype =
4614 * Target type initialized from req->id2.idtype. If
4615 * it is IDMAP_SID then actual type (IDMAP_USID/GSID) found
4616 * will be placed here.
4617 * req->id..sid.[prefix, rid] =
4618 * SID found will be placed here.
4619 *
4620 * Others:
4621 * res->retcode =
4622 * Return status for this request will be placed here.
4623 * res->direction =
4624 * Direction found will be placed here. Direction
4625 * meaning whether the resultant mapping is valid
4626 * only from unix2win or bi-directional.
4627 * req->direction =
4628 * INTERNAL USE. Used by idmapd to set various
4629 * flags (_IDMAP_F_xxxx) to aid in processing
4630 * of the request.
4631 * req->id2.idtype =
4632 * INTERNAL USE. Initially this is the requested target
4633 * type and is used to initialize res->id.idtype.
4634 * ad_lookup_batch() uses this field temporarily to store
4635 * sid_type obtained by the batched AD lookups and after
4636 * use resets it to IDMAP_NONE to prevent xdr from
4637 * mis-interpreting the contents of req->id2.
4638 * req->id2..[uid or gid or sid] =
4639 * NOT USED
4640 */
4642 /*
4643 * This function does the following:
4644 * 1. Lookup well-known SIDs table.
4645 * 2. Lookup cache.
4646 * 3. Check if the client does not want new mapping to be allocated
4647 * in which case this pass is the final pass.
4648 * 4. Set AD/NLDAP lookup flags if it determines that the next stage needs
4649 * to do AD/NLDAP lookup.
4650 */
4651 idmap_retcode
4654 {
4655 idmap_retcode retcode;
4656 idmap_retcode retcode2;
4659 /* Initialize result */
4664 /* sanitize sidprefix */
4667 }
4669 /* Find pid */
4674 }
4681 }
4683 }
4685 /* Lookup in well-known SIDs table */
4694 }
4696 /* Lookup in cache */
4705 }
4708 /* Ephemeral ids cannot be allocated during pid2sid */
4713 }
4718 }
4724 }
4726 /* Set flags for the next stage */
4731 /*
4732 * If AD-based name mapping is enabled then the next stage
4733 * will need to lookup AD using unixname to get the
4734 * corresponding winname.
4735 */
4737 /* Get unixname if only pid is given. */
4745 }
4747 }
4751 /*
4752 * If native LDAP or mixed mode is enabled for name mapping
4753 * then the next stage will need to lookup native LDAP using
4754 * unixname/pid to get the corresponding winname.
4755 */
4758 }
4760 /*
4761 * Failed to find non-expired entry in cache. Set the flag to
4762 * indicate that we are not done yet.
4763 */
4768 out:
4775 else
4778 }
4779 }
4781 }
4783 idmap_retcode
4786 {
4789 idmap_retcode retcode2;
4791 /* Check if second pass is needed */
4795 /* Get status from previous pass */
4800 /*
4801 * If directory-based name mapping is enabled then the winname
4802 * may already have been retrieved from the AD object (AD-mode)
4803 * or from native LDAP object (nldap-mode or mixed-mode).
4804 * Note that if we have winname but no SID then it's an error
4805 * because this implies that the Native LDAP entry contains
4806 * winname which does not exist and it's better that we return
4807 * an error instead of doing rule-based mapping so that the user
4808 * can detect the issue and take appropriate action.
4809 */
4811 /* Return notfound if we've winname but no SID. */
4816 }
4827 /*
4828 * We've SID but no winname. This is fine because
4829 * the caller may have only requested SID.
4830 */
4832 }
4834 /* Free any mapping info from Directory based mapping */
4839 /* Get unixname from name service */
4846 }
4849 /* Get pid from name service */
4856 }
4858 }
4860 /* Use unixname to evaluate local name-based mapping rules */
4870 }
4872 }
4874 out:
4886 else
4891 }
4892 }
4896 }
4898 idmap_retcode
4900 {
4901 idmap_retcode rc;
4908 sql1 =
4910 sql2 =
4921 }
4927 /*
4928 * Note that we flush the idmapd cache first, before the kernel
4929 * cache. If we did it the other way 'round, a request could come
4930 * in after the kernel cache flush and pull a soon-to-be-flushed
4931 * idmapd cache entry back into the kernel cache. This way the
4932 * worst that will happen is that a new entry will be added to
4933 * the kernel cache and then immediately flushed.
4934 */
4944 }