[SCM] Samba Shared Repository - branch master updated

Volker Lendecke vlendec at samba.org
Wed Mar 30 15:59:04 UTC 2016


The branch, master has been updated
       via  3cc3406 winbind: Remove unused idmap_backends_unixid_to_sid
       via  fa8f097 winbind: Remove unused idmap_[ug]id_to_sid
       via  fdfe993 winbind: Use plural xids2sids in _wbint_UnixIDs2Sids
       via  bfc1d07 winbind: Pass down the domain name to xids2sids
       via  5d90692 winbind: Add idmap_backend_unixids_to_sids
       via  a3bd040 winbind: Do per-domain xids2sids calls
       via  50aef48 winbind: Introduce id_map_ptrs_init
       via  16dc16e idmap: Factor out lp_scan_idmap_domains()
      from  9efb5bb VLV: avoid name conflict with string.h's index()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3cc34062200907fe2dd539565039cb2c7cb76a6e
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Mar 16 15:35:51 2016 +0100

    winbind: Remove unused idmap_backends_unixid_to_sid
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Wed Mar 30 17:58:48 CEST 2016 on sn-devel-144

commit fa8f09766edb34a96b27b0b751944ccc0c43c7a2
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Mar 16 15:33:48 2016 +0100

    winbind: Remove unused idmap_[ug]id_to_sid
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit fdfe993f2eb3c1cce57e86c4a9cd6990b95bd904
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Mar 4 15:45:24 2016 +0100

    winbind: Use plural xids2sids in _wbint_UnixIDs2Sids
    
    We've had plural xid2sid idmap backends for a while. Start using
    them.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit bfc1d073b54a6e37d1cc9d42b5a840bdc22f0c43
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Mar 16 15:25:35 2016 +0100

    winbind: Pass down the domain name to xids2sids
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 5d9069242d3022eaead5de3fcdfab4a2a97c5327
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Mar 4 15:03:08 2016 +0100

    winbind: Add idmap_backend_unixids_to_sids
    
    This is the plural version of idmap_backends_unixid_to_sid that expects all ids
    to come from the same idmap domain. The singular version walks the domain list
    itself, this one expects the domain name to be passed to it.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit a3bd040a5168470580dc2e0a0528afdc6faebe81
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Mar 1 14:34:26 2016 +0100

    winbind: Do per-domain xids2sids calls
    
    This prepares the equivalent of 2b1dd01934b657a for xids2sids.
    
    Collecting sids2xids per domain is a bit easier: SIDs carry their own domain
    prefix. For the reverse, we need to scan the configuration for all the idmap
    range definitions.
    
    It has a separate effect: It enables overlapping idmap ranges. The per-domain
    calls are done whenever a range matches. If the idmap child finds a successful
    xid2sid mapping, this will be collected as one result. This means that every
    range definition can contribute mappings.
    
    If there are two rfc2307 sfu domains with overlapping ranges, the domains will
    be queried one after the other for a specific mapping. If the defined ranges
    overlap, the admin has to make sure that there are no conflicts, because in the
    current code "the first writer wins", and the code does not specify an order
    (yet).
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 50aef48e18e7e0a265c348d2486f687ddad839a0
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Mar 4 14:23:51 2016 +0100

    winbind: Introduce id_map_ptrs_init
    
    This simplifies _wbint_Sids2UnixIDs a bit and will be re-used in _wbint_UnixIDs2Sids
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 16dc16e904d75143fa8d89faa4c6fdbeab234763
Author: Volker Lendecke <vl at samba.org>
Date:   Mon Feb 22 17:03:43 2016 +0100

    idmap: Factor out lp_scan_idmap_domains()
    
    This simplifies idmap_found_domain_backend() by moving the regex magic
    somewhere else. Also, this routine will be useful soon somewhere else, thus
    make it non-static to idmap.c.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 librpc/idl/winbind.idl                  |   1 +
 source3/torture/test_idmap_tdb_common.c |   5 -
 source3/winbindd/idmap.c                | 170 +++++++++++--------
 source3/winbindd/idmap_proto.h          |   7 +-
 source3/winbindd/idmap_util.c           | 157 ++++--------------
 source3/winbindd/wb_xids2sids.c         | 280 ++++++++++++++++++++++++++++++--
 source3/winbindd/winbindd_dual_srv.c    |  71 ++++----
 source3/winbindd/winbindd_proto.h       |   3 +
 8 files changed, 436 insertions(+), 258 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/winbind.idl b/librpc/idl/winbind.idl
index b1aed30..60c875b 100644
--- a/librpc/idl/winbind.idl
+++ b/librpc/idl/winbind.idl
@@ -57,6 +57,7 @@ interface winbind
 	);
 
     NTSTATUS wbint_UnixIDs2Sids(
+	[in,string,charset(UTF8)] char *domain_name,
 	[in] uint32 num_ids,
 	[in] unixid xids[num_ids],
 	[out] dom_sid sids[num_ids]
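Review bot: The new domain_name argument of wbint_UnixIDs2Sids carries an unstated contract: nothing in the IDL says that every entry of xids[] must belong to the idmap domain named here, or whether a NULL or empty name is acceptable. A short comment above the call stating that requirement would help, since the receiving side (idmap_backend_unixids_to_sids in this changeset) resolves the backend from this string alone.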
diff --git a/source3/torture/test_idmap_tdb_common.c b/source3/torture/test_idmap_tdb_common.c
index dd736ad..897d217 100644
--- a/source3/torture/test_idmap_tdb_common.c
+++ b/source3/torture/test_idmap_tdb_common.c
@@ -62,11 +62,6 @@ bool idmap_is_online(void)
 	return true;
 }
 
-NTSTATUS idmap_backends_unixid_to_sid(struct id_map *id)
-{
-	return NT_STATUS_OK;
-}
-
 static bool open_db(struct idmap_tdb_common_context *ctx)
 {
 	NTSTATUS status;
diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
index 7eb7e58..84834f1 100644
--- a/source3/winbindd/idmap.c
+++ b/source3/winbindd/idmap.c
@@ -25,6 +25,7 @@
 #include "winbindd.h"
 #include "idmap.h"
 #include "lib/util_sid_passdb.h"
+#include "libcli/security/dom_sid.h"
 #include "passdb.h"
 
 #undef DBGC_CLASS
@@ -70,13 +71,71 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx,
 					      const char *domainname,
 					      const char *modulename,
 					      bool check_range);
-static bool idmap_found_domain_backend(
+
+struct lp_scan_idmap_domains_state {
+	bool (*fn)(const char *domname, void *private_data);
+	void *private_data;
+};
+
+static bool lp_scan_idmap_found_domain(
 	const char *string, regmatch_t matches[], void *private_data);
 
+bool lp_scan_idmap_domains(bool (*fn)(const char *domname,
+				      void *private_data),
+			   void *private_data)
+{
+	struct lp_scan_idmap_domains_state state = {
+		.fn = fn, .private_data = private_data };
+	int ret;
+
+	ret = lp_wi_scan_global_parametrics(
+		"idmapconfig\\(.*\\):backend", 2,
+		lp_scan_idmap_found_domain, &state);
+	if (ret != 0) {
+		DBG_WARNING("wi_scan_global_parametrics returned %d\n", ret);
+		return false;
+	}
+
+	return true;
+}
+
+static bool lp_scan_idmap_found_domain(
+	const char *string, regmatch_t matches[], void *private_data)
+{
+	bool ok;
+
+	if (matches[1].rm_so == -1) {
+		DBG_WARNING("Found match, but no name??\n");
+		return false;
+	}
+	if (matches[1].rm_eo <= matches[1].rm_so) {
+		DBG_WARNING("Invalid match\n");
+		return false;
+	}
+
+	{
+		struct lp_scan_idmap_domains_state *state = private_data;
+		regoff_t len = matches[1].rm_eo - matches[1].rm_so;
+		char domname[len+1];
+
+		memcpy(domname, string + matches[1].rm_so, len);
+		domname[len] = '\0';
+
+		DBG_DEBUG("Found idmap domain \"%s\"\n", domname);
+
+		ok = state->fn(domname, state->private_data);
+	}
+
+	return ok;
+}
+
+static bool idmap_found_domain_backend(const char *domname,
+				       void *private_data);
+
 static bool idmap_init(void)
 {
 	static bool initialized;
-	int ret;
+	bool ok;
 
 	if (initialized) {
 		return true;
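Review bot: lp_scan_idmap_domains() becomes non-static here but has no comment describing what the callback's bool return means. lp_scan_idmap_found_domain() hands that value straight back to lp_wi_scan_global_parametrics(), and idmap_found_domain_backend() returns false even after adding a domain, so false appears to mean "keep scanning"; please document that at the declaration. Separately, `char domname[len+1]` is a variable-length array sized by a regex match over configuration text. The new rm_eo <= rm_so check rules out a non-positive length but not a very long one, so talloc_strndup() on talloc_tos() or an upper bound on len would be more robust.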
@@ -109,11 +168,9 @@ static bool idmap_init(void)
 		return false;
 	}
 
-	ret = lp_wi_scan_global_parametrics(
-		"idmapconfig\\(.*\\):backend", 2,
-		idmap_found_domain_backend, NULL);
-	if (ret != 0) {
-		DBG_WARNING("wi_scan_global_parametrics returned %d\n", ret);
+	ok = lp_scan_idmap_domains(idmap_found_domain_backend, NULL);
+	if (!ok) {
+		DBG_WARNING("lp_scan_idmap_domains failed\n");
 		return false;
 	}
 
@@ -161,46 +218,33 @@ bool domain_has_idmap_config(const char *domname)
 	return false;
 }
 
-static bool idmap_found_domain_backend(
-	const char *string, regmatch_t matches[], void *private_data)
+static bool idmap_found_domain_backend(const char *domname,
+				       void *private_data)
 {
-	if (matches[1].rm_so == -1) {
-		DBG_WARNING("Found match, but no name??\n");
-		return false;
-	}
-
-	{
-		struct idmap_domain *dom, **tmp;
-		regoff_t len = matches[1].rm_eo - matches[1].rm_so;
-		char domname[len+1];
-
-		memcpy(domname, string + matches[1].rm_so, len);
-		domname[len] = '\0';
+	struct idmap_domain *dom, **tmp;
 
-		DBG_DEBUG("Found idmap domain \"%s\"\n", domname);
+	DBG_DEBUG("Found idmap domain \"%s\"\n", domname);
 
-		if (strcmp(domname, "*") == 0) {
-			return false;
-		}
+	if (strcmp(domname, "*") == 0) {
+		return false;
+	}
 
-		dom = idmap_init_named_domain(idmap_domains, domname);
-		if (dom == NULL) {
-			DBG_NOTICE("Could not init idmap domain %s\n",
-				   domname);
-			return false;
-		}
+	dom = idmap_init_named_domain(idmap_domains, domname);
+	if (dom == NULL) {
+		DBG_NOTICE("Could not init idmap domain %s\n", domname);
+		return false;
+	}
 
-		tmp = talloc_realloc(idmap_domains, idmap_domains,
-				     struct idmap_domain *, num_domains + 1);
-		if (tmp == NULL) {
-			DBG_WARNING("talloc_realloc failed\n");
-			TALLOC_FREE(dom);
-			return false;
-		}
-		idmap_domains = tmp;
-		idmap_domains[num_domains] = dom;
-		num_domains += 1;
+	tmp = talloc_realloc(idmap_domains, idmap_domains,
+			     struct idmap_domain *, num_domains + 1);
+	if (tmp == NULL) {
+		DBG_WARNING("talloc_realloc failed\n");
+		TALLOC_FREE(dom);
+		return false;
 	}
+	idmap_domains = tmp;
+	idmap_domains[num_domains] = dom;
+	num_domains += 1;
 
 	return false;
 }
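Review bot: The DBG_DEBUG("Found idmap domain ...") call at the top of idmap_found_domain_backend() now duplicates the identical message that lp_scan_idmap_found_domain() emits just before invoking the callback, so every domain is logged twice at debug level; drop one of them. The trailing `return false;` on the success path also deserves a one-line comment, since it reads like an error return.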
@@ -544,48 +588,32 @@ NTSTATUS idmap_allocate_gid(struct unixid *id)
 	return idmap_allocate_unixid(id);
 }
 
-NTSTATUS idmap_backends_unixid_to_sid(struct id_map *id)
+NTSTATUS idmap_backend_unixids_to_sids(struct id_map **maps,
+				       const char *domain_name)
 {
-	struct idmap_domain *dom;
-	struct id_map *maps[2];
+	struct idmap_domain *dom = NULL;
+	NTSTATUS status;
 	bool ok;
-	int i;
 
 	ok = idmap_init();
 	if (!ok) {
 		return NT_STATUS_NONE_MAPPED;
 	}
 
-	DEBUG(10, ("idmap_backend_unixid_to_sid: xid = %d (type %d)\n",
-		   id->xid.id, id->xid.type));
-
-	maps[0] = id;
-	maps[1] = NULL;
-
-	/*
-	 * Always give passdb a chance first
-	 */
-
-	dom = passdb_idmap_domain;
-	if ((dom != NULL)
-	    && NT_STATUS_IS_OK(dom->methods->unixids_to_sids(dom, maps))
-	    && id->status == ID_MAPPED) {
-		return NT_STATUS_OK;
+	if (strequal(domain_name, get_global_sam_name())) {
+		dom = passdb_idmap_domain;
 	}
-
-	dom = default_idmap_domain;
-
-	for (i=0; i<num_domains; i++) {
-		if ((id->xid.id >= idmap_domains[i]->low_id) &&
-		    (id->xid.id <= idmap_domains[i]->high_id)) {
-			dom = idmap_domains[i];
-			break;
-		}
+	if (dom == NULL) {
+		dom = idmap_find_domain(domain_name);
 	}
-
 	if (dom == NULL) {
 		return NT_STATUS_NONE_MAPPED;
 	}
 
-	return dom->methods->unixids_to_sids(dom, maps);
+	status = dom->methods->unixids_to_sids(dom, maps);
+
+	DBG_DEBUG("unixid_to_sids for domain %s returned %s\n",
+		  domain_name, nt_errstr(status));
+
+	return status;
 }
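Review bot: idmap_backend_unixids_to_sids() selects the backend purely from domain_name and no longer compares any id against low_id/high_id, which the removed loop did before dispatching. If the range check is now the responsibility of the caller or of the backend, say so in a comment above the function; as written, ids outside the named domain's range reach that domain's unixids_to_sids method unfiltered. The removed "Always give passdb a chance first" step is also gone, with passdb_idmap_domain now used only when domain_name equals get_global_sam_name(), which is worth a line in the commit message. domain_name is passed to strequal(), idmap_find_domain() and a "%s" format with no NULL check, so an early return for a NULL name would be a cheap guard. Minor: the debug text says "unixid_to_sids" where the method is unixids_to_sids.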
diff --git a/source3/winbindd/idmap_proto.h b/source3/winbindd/idmap_proto.h
index a12e5b4..ea96d72 100644
--- a/source3/winbindd/idmap_proto.h
+++ b/source3/winbindd/idmap_proto.h
@@ -34,7 +34,8 @@ NTSTATUS smb_register_idmap(int version, const char *name,
 void idmap_close(void);
 NTSTATUS idmap_allocate_uid(struct unixid *id);
 NTSTATUS idmap_allocate_gid(struct unixid *id);
-NTSTATUS idmap_backends_unixid_to_sid(struct id_map *id);
+NTSTATUS idmap_backend_unixids_to_sids(struct id_map **maps,
+				       const char *domain_name);
 
 /* The following definitions come from winbindd/idmap_nss.c  */
 
@@ -50,8 +51,6 @@ NTSTATUS idmap_tdb_init(void);
 
 /* The following definitions come from winbindd/idmap_util.c  */
 
-NTSTATUS idmap_uid_to_sid(struct dom_sid *sid, uid_t uid);
-NTSTATUS idmap_gid_to_sid(struct dom_sid *sid, gid_t gid);
 bool idmap_unix_id_is_in_range(uint32_t id, struct idmap_domain *dom);
 struct id_map *idmap_find_map_by_id(struct id_map **maps, enum id_type type,
 				    uint32_t id);
@@ -59,6 +58,8 @@ struct id_map *idmap_find_map_by_sid(struct id_map **maps, struct dom_sid *sid);
 char *idmap_fetch_secret(const char *backend, const char *domain,
 			 const char *identity);
 
+struct id_map **id_map_ptrs_init(TALLOC_CTX *mem_ctx, size_t num_ids);
+
 /* max number of ids requested per LDAP batch query */
 #define IDMAP_LDAP_MAX_IDS 30
 
diff --git a/source3/winbindd/idmap_util.c b/source3/winbindd/idmap_util.c
index f90565f..3da39e8 100644
--- a/source3/winbindd/idmap_util.c
+++ b/source3/winbindd/idmap_util.c
@@ -29,132 +29,6 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_IDMAP
 
-/*****************************************************************
- Returns the SID mapped to the given UID.
- If mapping is not possible returns an error.
-*****************************************************************/
-
-NTSTATUS idmap_uid_to_sid(struct dom_sid *sid, uid_t uid)
-{
-	NTSTATUS ret;
-	struct id_map map;
-	bool expired;
-
-	DEBUG(10, ("idmap_uid_to_sid: uid = [%lu]\n", (unsigned long)uid));
-
-	if (winbindd_use_idmap_cache()
-	    && idmap_cache_find_uid2sid(uid, sid, &expired)) {
-		DEBUG(10, ("idmap_cache_find_uid2sid found %u%s\n",
-			(unsigned int)uid,
-			   expired ? " (expired)": ""));
-		if (expired && idmap_is_online()) {
-			DEBUG(10, ("revalidating expired entry\n"));
-			goto backend;
-		}
-		if (is_null_sid(sid)) {
-			DEBUG(10, ("Returning negative cache entry\n"));
-			return NT_STATUS_NONE_MAPPED;
-		}
-		DEBUG(10, ("Returning positive cache entry\n"));
-		return NT_STATUS_OK;
-	}
-
-backend:
-	ZERO_STRUCT(map);
-	map.sid = sid;
-	map.xid.type = ID_TYPE_UID;
-	map.xid.id = uid;
-
-	ret = idmap_backends_unixid_to_sid(&map);
-	if ( ! NT_STATUS_IS_OK(ret)) {
-		DEBUG(10, ("error mapping uid [%lu]: %s\n", (unsigned long)uid,
-			   nt_errstr(ret)));
-		map.status = ID_UNMAPPED;
-	}
-
-	if (map.status != ID_MAPPED) {
-		if (winbindd_use_idmap_cache()) {
-			struct dom_sid null_sid;
-			struct unixid id;
-			id.type = ID_TYPE_UID;
-			id.id = uid;
-			ZERO_STRUCT(null_sid);
-			idmap_cache_set_sid2unixid(&null_sid, &id);
-		}
-		DEBUG(10, ("uid [%lu] not mapped\n", (unsigned long)uid));
-		return NT_STATUS_NONE_MAPPED;
-	}
-
-	if (winbindd_use_idmap_cache()) {
-		idmap_cache_set_sid2unixid(sid, &map.xid);
-	}
-
-	return NT_STATUS_OK;
-}
-
-/*****************************************************************
- Returns SID mapped to the given GID.
- If mapping is not possible returns an error.
-*****************************************************************/
-
-NTSTATUS idmap_gid_to_sid(struct dom_sid *sid, gid_t gid)
-{
-	NTSTATUS ret;
-	struct id_map map;
-	bool expired;
-
-	DEBUG(10, ("idmap_gid_to_sid: gid = [%lu]\n", (unsigned long)gid));
-
-	if (winbindd_use_idmap_cache()
-	    && idmap_cache_find_gid2sid(gid, sid, &expired)) {
-		DEBUG(10, ("idmap_cache_find_gid2sid found %u%s\n",
-			(unsigned int)gid,
-			   expired ? " (expired)": ""));
-		if (expired && idmap_is_online()) {
-			DEBUG(10, ("revalidating expired entry\n"));
-			goto backend;
-		}
-		if (is_null_sid(sid)) {
-			DEBUG(10, ("Returning negative cache entry\n"));
-			return NT_STATUS_NONE_MAPPED;
-		}
-		DEBUG(10, ("Returning positive cache entry\n"));
-		return NT_STATUS_OK;
-	}
-
-backend:
-	ZERO_STRUCT(map);
-	map.sid = sid;
-	map.xid.type = ID_TYPE_GID;
-	map.xid.id = gid;
-
-	ret = idmap_backends_unixid_to_sid(&map);
-	if ( ! NT_STATUS_IS_OK(ret)) {
-		DEBUG(10, ("error mapping gid [%lu]: %s\n", (unsigned long)gid,
-			   nt_errstr(ret)));
-		map.status = ID_UNMAPPED;
-	}
-
-	if (map.status != ID_MAPPED) {
-		if (winbindd_use_idmap_cache()) {
-			struct dom_sid null_sid;
-			struct unixid id;
-			id.type = ID_TYPE_GID;
-			id.id = gid;
-			ZERO_STRUCT(null_sid);
-			idmap_cache_set_sid2unixid(&null_sid, &id);
-		}
-		DEBUG(10, ("gid [%lu] not mapped\n", (unsigned long)gid));
-		return NT_STATUS_NONE_MAPPED;
-	}
-
-	if (winbindd_use_idmap_cache()) {
-		idmap_cache_set_sid2unixid(sid, &map.xid);
-	}
-
-	return NT_STATUS_OK;
-}
-
 /**
  * check whether a given unix id is inside the filter range of an idmap domain
  */
@@ -238,3 +112,34 @@ char *idmap_fetch_secret(const char *backend, const char *domain,
 
 	return ret;
 }
+
+struct id_map **id_map_ptrs_init(TALLOC_CTX *mem_ctx, size_t num_ids)
+{
+	struct id_map **ptrs;
+	struct id_map *maps;
+	struct dom_sid *sids;
+	size_t i;
+
+	ptrs = talloc_array(mem_ctx, struct id_map *, num_ids+1);
+	if (ptrs == NULL) {
+		return NULL;
+	}
+	maps = talloc_array(ptrs, struct id_map, num_ids);
+	if (maps == NULL) {
+		TALLOC_FREE(ptrs);
+		return NULL;
+	}
+	sids = talloc_zero_array(ptrs, struct dom_sid, num_ids);
+	if (sids == NULL) {
+		TALLOC_FREE(ptrs);
+		return NULL;
+	}
+
+	for (i=0; i<num_ids; i++) {
+		maps[i] = (struct id_map) { .sid = &sids[i] };
+		ptrs[i] = &maps[i];
+	}
+	ptrs[num_ids] = NULL;
+
+	return ptrs;
+}
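Review bot: In id_map_ptrs_init(), `num_ids+1` is passed to talloc_array() without a wrap check; where size_t is 32 bits, a num_ids of SIZE_MAX makes the pointer array zero-length. The maps allocation that follows should fail for such a count, so this is defensive, but an explicit `if (num_ids == SIZE_MAX) return NULL;` removes the dependency on that. A comment stating that maps and sids are talloc children of the returned array (one TALLOC_FREE releases everything) and that the array is NULL-terminated would also help callers.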
diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c
index 6c3f0f6..77372f7 100644
--- a/source3/winbindd/wb_xids2sids.c
+++ b/source3/winbindd/wb_xids2sids.c
@@ -23,8 +23,244 @@
 #include "idmap_cache.h"
 #include "librpc/gen_ndr/ndr_winbind_c.h"
 
+struct wb_xids2sids_dom_map {
+	unsigned low_id;
+	unsigned high_id;
+	const char *name;
+};
+
+/*
+ * Map idmap ranges to domain names, taken from smb.conf. This is
+ * stored in the parent winbind and used to assemble xid2sid calls
+ * into per-idmap-domain chunks.
+ */
+static struct wb_xids2sids_dom_map *dom_maps;
+
+static bool wb_xids2sids_add_dom(const char *domname,
+				 void *private_data)
+{
+	struct wb_xids2sids_dom_map *map = NULL;
+	size_t num_maps = talloc_array_length(dom_maps);
+	size_t i;
+	char *config_option;
+	const char *range;
+	unsigned low_id, high_id;
+	int ret;
+
+	config_option = talloc_asprintf(
+		talloc_tos(), "idmap config %s", domname);
+	if (config_option == NULL) {
+		return false;


-- 
Samba Shared Repository


