idmap.c revision c5c4113dfcabb1eed3d4bdf7609de5170027a794
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include <stdio.h>
#include <stdlib.h>
#include <locale.h>
#include <strings.h>
#include "idmap_engine.h"
#include "idmap_priv.h"
/* is_user values */
#define I_YES 1
#define I_NO 0
#define I_UNKNOWN -1
/* Directions */
#define DIR_W2U 1
#define DIR_U2W 2
#define DIR_BI 0
#define DIR_UNKNOWN -1
/*
* used in do_show for the type of argument, which can be winname,
* unixname, uid, gid, sid or not given at all:
*/
/* Identity type strings */
#define ID_WINNAME "winname"
#define ID_UNIXNAME "unixname"
#define ID_SID "sid"
#define ID_UID "uid"
#define ID_GID "gid"
/* Flags */
#define g_FLAG 'g'
#define u_FLAG 'u'
#define f_FLAG 'f'
#define t_FLAG 't'
#define d_FLAG 'd'
#define F_FLAG 'F'
#define a_FLAG 'a'
#define n_FLAG 'n'
#define c_FLAG 'c'
/* used in the function do_import */
#define MAX_INPUT_LINE_SZ 2047
typedef struct {
int is_user;
int direction;
char *unixname;
char *winname;
char *windomain;
char *sidprefix;
/*
* Formats of the output:
*
* name mappings in Samba username map format (smbusers), Netapp
* usermap.cfg.
*
* DEFAULT_FORMAT are in fact the idmap subcommands suitable for
* piping to idmap standart input. For example
* add -u -d winname:bob@foo.com unixname:fred
* add -u -d winname:bob2bar.com unixname:fred
*
* SMBUSERS is the format of Samba username map (smbusers). For full
* documentation, search for "username map" in smb.conf manpage.
* The format is for example
* fred = bob@foo.com bob2@bar.com
*
* USERMAP_CFG is the format of Netapp usermap.cfg file. Search
* http://www.netapp.com/ for more documentation. IP qualifiers are not
* supported.
* The format is for example
* bob@foo.com => fred
* "Bob With Spaces"@bar.com => fred #comment
*
* The previous formats were for name rules. MAPPING_NAME and
* commands. MAPPING_NAME prefers the string names of the user over
* their numerical identificators. MAPPING_ID prints just the
* identificators.
* Example of the MAPPING_NAME:
* winname:bob@foo.com -> unixname:fred
*
* Example of the MAPPING_ID:
* sid:S-1-2-3-4 -> uid:5678
*/
typedef enum {
UNDEFINED_FORMAT = -1,
DEFAULT_FORMAT = 0,
} format_t;
/* Gives the format to use. Set in print_mapping_init */
static format_t pnm_format;
/* The file for print_mapping_init output. Mostly just stdout. */
/* In smbusers format, more unixnames can be aggregated to one line. */
static char *pnm_last_unixname;
/*
* idmap_api batch related variables:
*
* idmap can operate in two modes. It the batch mode, the idmap_api
* batch is commited at the end of a batch of several
* commands. At the end of input file, typically. This mode is used
* for processing input from a file.
* In the non-batch mode, each command is commited immediately. This
* mode is used for tty input.
*/
/* Are we in the batch mode? */
static int batch_mode = 0;
/* Handles for idmap_api batch */
/* Do we need to commit the udt batch at the end? */
static int udt_used;
/* Command handlers */
/* Command names and their hanlers to be passed to idmap_engine */
{
"show",
"c(create)",
},
{
"dump",
"n(names)g(group)u(user)",
},
{
"import",
"F(flush)f:(file)",
},
{
"export",
"f:(file)",
},
{
"list",
"g(group)u(user)",
},
{
"add",
"g(group)u(user)d(directional)",
},
{
"remove",
"a(all)u(user)g(group)t(to)f(from)d(directional)",
},
{
"exit",
"",
},
{
"help",
"",
}
};
/* Print help message */
static void
help() {
"idmap\n"
"idmap -f command-file\n"
"idmap show [-c] identity [targettype]\n"
"idmap dump [-u|-g] [-n]\n"
"idmap add -u|-g [-d] name1 name2\n"
"idmap remove -u|-g -a\n"
"idmap remove -u|-g name\n"
"idmap remove -u|-g [-d] name1 name2\n"
"idmap list [-u|-g]\n"
"idmap import [-F] [-f file] format\n"
"idmap export [-f file] format\n"
"idmap help\n");
}
/* The handler for the "help" command. */
static int
/* LINTED E_FUNC_ARG_UNUSED */
{
help();
return (0);
}
/* Initialization of the idmap api batch */
static int
init_batch() {
if (stat < 0) {
gettext("Connection not established (%s)\n"),
return (-1);
}
return (0);
}
/* Initialization common to all commands */
static int
init_command() {
if (batch_mode)
return (0);
return (init_batch());
}
/* Finalization common to all commands */
static void
fini_command() {
if (batch_mode)
return;
(void) idmap_fini(handle);
}
/* Initialization of the commands which perform write operations */
static int
init_udt_batch() {
if (init_batch())
return (-1);
if (stat < 0) {
gettext("Error initiating transaction (%s)"),
return (-1);
}
return (0);
}
/* Finalization of the write commands */
static int
init_udt_command() {
udt_used = 1;
if (batch_mode)
return (0);
return (init_udt_batch());
}
/* If everythings is OK, send the udt batch to idmapd */
static void
fini_udt_command(int ok) {
if (batch_mode)
return;
return;
if (stat < 0) {
gettext("Error commiting transaction (%s)\n"),
}
}
udt_used = 0;
fini_command();
}
/* Convert numeric expression of the direction to it's string form */
static char *
direction2string(int direction) {
switch (direction) {
case DIR_BI:
return ("==");
case DIR_W2U:
return ("=>");
case DIR_U2W:
return ("<=");
default:
return ("");
}
/* never reached */
}
/* Do we need quotation marks around winname in the USERMAP_CFG format? */
static int
needs_protection(char *what) {
return (1);
return (1);
return (1);
return (0);
}
/* Protect all shell-special characters by '\\' */
static int
int i;
char c;
return (-1);
}
for (i = 0; string[i] != '\0'; i++) {
c = string[i];
res_size *= 2;
gettext("Not enough memory.\n"));
return (-1);
}
}
}
return (0);
}
/* Assemble string form sid */
static char *
char *to;
/* 'sid:' + sidprefix + '-' + rid + '\0' */
return (NULL);
return (to);
}
/* Assemble string form uid or gid */
static char *
char *to;
/* ID_UID ":" + uid + '\0' */
return (NULL);
return (to);
}
/* Assemble winname, e.g. "winname:bob@foo.sun.com", from name_mapping_t */
static int
char *out;
int is_domain = 1;
/* Sometimes there are no text names. Return a sid, then. */
return (-1);
return (0);
}
/* Windomain is not mandatory: */
is_domain = 0;
else
gettext("Not enough memory.\n"));
return (-1);
}
if (!is_domain)
} else {
}
return (0);
}
/* Assemble a text unixname, e.g. unixname:fred */
static int
char *out;
char *it;
/* Sometimes there is no name, just pid: */
return (-1);
return (0);
}
return (-1);
gettext("Not enough memory.\n"));
return (-1);
}
return (0);
}
/* Initialize print_mapping variables. Must be called before print_mapping */
static int
pnm_format = f;
switch (pnm_format) {
case SMBUSERS:
break;
default:
;
}
return (0);
}
/* Finalize print_mapping. */
static int
switch (pnm_format) {
case SMBUSERS:
if (pnm_last_unixname != NULL) {
}
break;
default:
;
}
return (0);
}
/*
* This prints both name rules and ordinary mappings, based on the pnm_format
* set in print_mapping_init().
*/
static int
{
char *dirstring;
char type;
switch (pnm_format) {
case MAPPING_NAME:
return (-1);
return (-1);
}
/* LINTED E_CASE_FALLTHRU */
case MAPPING_ID:
if (pnm_format == MAPPING_ID) {
gettext("SID not given.\n"));
return (-1);
}
return (-1);
return (-1);
}
}
unixname);
break;
case SMBUSERS:
gettext("Group rule: "));
f = stderr;
gettext("Opposite direction of the mapping: "));
f = stderr;
}
return (-1);
if (pnm_file != f) {
} else if (pnm_last_unixname != NULL &&
} else {
if (pnm_last_unixname != NULL) {
(void) fprintf(f, "\n");
}
}
break;
case USERMAP_CFG:
gettext("Group rule: "));
f = stderr;
}
(void) fprintf(f, "%s%s%s\t%s\t%s%s%s\n",
else
"%s%s%1$s\\%3$s%4$s%3$s\t%5$s\t%6$s%7$s%6$s\n" :
"%3$s%4$s%3$s@%1$s%2$s%1$s\t%5$s\t%6$s%7$s%6$s\n",
break;
case DEFAULT_FORMAT:
/* 'u', 'g' refer to -u, -g switch of idmap add */
return (-1);
return (-1);
}
return (-1);
}
(void) fprintf(f,
"add -%c -d\t%s\t%s\n",
} else {
(void) fprintf(f,
"add -%c %s\t%s\t%s\n",
}
break;
default:
return (-1);
}
return (0);
}
/* Allocate a new name_mapping_t and initialize the values. */
static name_mapping_t *
return (NULL);
}
return (nm);
}
/* Free name_mapping_t */
static void
}
/* Is there exactly one of -g, -u flags? */
static int
{
gettext("Type (-u|-g) not determined.\n"));
return (0);
}
return (1);
}
/* Does user request a user-related operation? */
static int
is_user_wanted(flag_t *f) {
return (1);
return (0);
}
/* Does user request a group-related operation? */
static int
is_group_wanted(flag_t *f) {
return (1);
return (0);
}
/* dump command handler */
static int
/* LINTED E_FUNC_ARG_UNUSED */
{
int is_user;
int rc = 0;
if (init_command())
return (-1);
stdout);
/*
* If there is exactly one of -u, -g flags, we print
* only that type. Otherwise both of them:
*/
if (!is_user_wanted(f) && is_user ||
!is_group_wanted(f) && !is_user)
continue;
if (stat < 0) {
gettext("Iteration handle not obtained (%s)\n"),
rc = -1;
goto cleanup;
}
do {
rc = -1;
goto cleanup;
}
if (stat >= 0)
(void) print_mapping(nm);
} while (stat > 0);
/* IDMAP_ERR_NOTFOUND indicates end of the list */
gettext("Error during iteration (%s)\n"),
rc = -1;
goto cleanup;
}
}
(void) print_mapping_fini();
fini_command();
return (rc);
}
/*
* The same as strdup, but length chars is duplicated, no matter on
* '\0'. The caller must guarantee "length" chars in "from".
*/
static char *
return (NULL);
}
return (out);
}
/* Does line start with USERMAP_CFG IP qualifier? */
static int
ucp_is_IP_qualifier(char *line) {
char *it;
}
/*
* returns interior of quotation marks in USERMAP_CFG. In this format,
* there cannot be a protected quotation mark inside.
*/
static char *
char *out;
gettext("Line %d: Unclosed quotations\n"),
line_num);
return (NULL);
}
return (out);
}
/*
* Grab next token from the line in USERMAP_CFG format. terminators,
* the 3rd parameter, contains all the characters which can terminate
* the token. line_num is the line number of input used for error
* reporting.
*/
static char *
char *token;
if (**line == '"')
else {
}
return (token);
}
/*
* Convert a line in usermap.cfg format to name_mapping. line_num is
* the line number of input used for error reporting.
*
* Return values: -1 for error, 0 for empty line, 1 for a mapping
* found.
*/
static int
char *it;
char *token;
char *token2;
char separator;
int is_direction = 0;
/* empty or comment lines are OK: */
return (0);
/* We do not support network qualifiers */
if (ucp_is_IP_qualifier(it)) {
gettext("Line %d: unable to handle network qualifier.\n"),
line_num);
return (-1);
}
/* The windows name: */
return (-1);
/* Didn't we bump to the end of line? */
gettext("Line %d: UNIX_name not found.\n"),
line_num);
return (-1);
}
/* Do we have a domainname? */
it ++;
return (-1);
gettext("Line %d: UNIX_name not found.\n"),
line_num);
}
if (separator == '\\') {
} else {
}
} else {
}
/* Direction string is optional: */
is_direction = 1;
is_direction = 1;
is_direction = 1;
} else {
is_direction = 0;
}
if (is_direction) {
it += 2;
gettext("Line %d: UNIX_name not found.\n"),
line_num);
return (-1);
}
}
/* Now unixname: */
/* nm->winname to be freed by name_mapping_fini */
return (-1);
/* Neither here we support IP qualifiers */
if (ucp_is_IP_qualifier(token)) {
gettext("Line %d: unable to handle network qualifier.\n"),
line_num);
return (-1);
}
/* Does something remain on the line */
gettext("Line %d: unrecognized parameters \"%s\".\n"),
return (-1);
}
return (1);
}
/*
* Parse SMBUSERS line to name_mapping_t. if line is NULL, then
* pasrsing of the previous line is continued. line_num is input line
* number used for error reporting.
* Return values:
* rc -1: error
* rc = 0: mapping found and the line is finished,
* rc = 1: mapping found and there remains other on the line
*/
static int
static size_t unixname_l = 0;
char *token;
return (0);
ll += unixname_l;
return (0);
}
return (0);
return (-1);
return (-1);
return (1);
}
/* Parse line to name_mapping_t. Basicaly just a format switch. */
static int
switch (f) {
case USERMAP_CFG:
return (0);
else
case SMBUSERS:
default:
}
return (-1);
}
/* Examine -f flag and return the appropriate format_t */
static format_t
return (UNDEFINED_FORMAT);
}
return (DEFAULT_FORMAT);
return (USERMAP_CFG);
return (SMBUSERS);
"\"smbusers\".\n"));
return (UNDEFINED_FORMAT);
}
/* Delete all namerules of the given type */
static int
{
if (stat < 0) {
: gettext("Unable to flush groups (%s).\n"),
return (-1);
}
return (0);
}
/* import command handler */
static int
/* LINTED E_FUNC_ARG_UNUSED */
{
char line[MAX_INPUT_LINE_SZ];
int rc = 0;
int line_num;
if (batch_mode) {
gettext("Import is not allowed in the batch mode.\n"));
return (-1);
}
if (format == UNDEFINED_FORMAT)
return (-1);
if (init_udt_command())
return (-1);
/* We don't flush groups in the usermap.cfg nor smbusers format */
rc = -1;
goto cleanup;
}
line_num = 0;
/* Where we import from? */
else {
goto cleanup;
}
}
line_num++;
/*
* In SMBUSERS format there can be more mappings on
* each line. So we need the internal cycle for each line.
*/
do {
nm = name_mapping_init();
rc = -1;
goto cleanup;
}
if (rc < 1) {
break;
}
if (stat < 0) {
gettext("Transaction error (%s)\n"),
rc = -1;
}
} while (rc >= 0);
if (rc < 0) {
gettext("Import canceled.\n"));
break;
}
}
return (rc);
}
/*
* List name mappings in the format specified. list_users /
* list_groups determine which type to list. The output goes to the
* file fi.
*/
static int
{
int is_user;
if (is_user && !list_users)
continue;
if (!is_user && !list_groups)
continue;
/* Only users can be in USERMAP_CFG format, not a group */
continue;
if (stat < 0) {
gettext("Iteration handle not obtained (%s)\n"),
return (-1);
}
do {
nm = name_mapping_init();
return (-1);
}
if (stat >= 0) {
(void) print_mapping(nm);
}
} while (stat > 0);
(void) print_mapping_fini();
gettext("Error during iteration (%s)\n"),
return (-1);
}
}
return (0);
}
/* Export command handler */
static int
/* LINTED E_FUNC_ARG_UNUSED */
int rc;
if (format == UNDEFINED_FORMAT)
return (-1);
/* Where do we output to? */
else {
return (-1);
}
}
if (init_command() < 0) {
rc = -1;
goto cleanup;
}
/* List the requested types: */
is_group_wanted(f),
fi);
fini_command();
return (rc);
}
/* List command handler */
static int
/* LINTED E_FUNC_ARG_UNUSED */
{
int rc;
if (init_command()) {
return (-1);
}
/* List the requested types: */
is_group_wanted(f),
stdout);
fini_command();
return (rc);
}
/* This is just a debug function for dumping flags */
static void
print_flags(flag_t *f)
{
int c;
for (c = 0; c < FLAG_ALPHABET_SIZE; c++) {
if (f[c] == FLAG_SET)
(void) printf("FLAG: -%c, VALUE: %p\n", c,
(void *) f[c]);
else if (f[c])
(void) printf("FLAG: -%c, VALUE: %s\n", c, f[c]);
}
}
/*
* Compare two strings just like strcmp, but stop before the end of
* the s2
*/
static int
}
/* The same as strcmp_no0, but case insensitive. */
static int
}
/*
* This function splits name to the relevant pieces: is_user, winname,
* windomain unixname. Sometimes it is not possible to determine OS
* side, because it could be determined by the opposite name in idmap
* show. So this function must be called several times.
*
* Return values: -1 ... clear syntax error
* 0 ... it wasnt possible to determine
* 1 ... determined
*/
static int
char *it;
return (0);
/* If it starts with type string, that is easy: */
return (0);
return (0);
} else {
gettext("Error: invalid identity type\n"));
return (-1);
}
}
/* If it contains '@' or '\\', then it is a winname with domain */
return (1);
return (1);
}
}
/*
* hope is that the opposite side is known already. In that
* case, it is the only remaining side.
*/
else
return (1);
else
return (1);
}
return (0);
}
/* add command handler. */
static int
{
int rc = 0;
int i;
int is_argv0_unix = -1;
/* Two arguments and exactly one of -u, -g must be specified */
if (argc < 2) {
return (-1);
} else if (argc > 2) {
return (-1);
} else if (!is_type_determined(f))
return (-1);
/*
* Direction can be determined by the opposite name, so we
* need to run name2parts twice for the first name, i.e. 3x in
* total.
*/
nm = name_mapping_init();
return (-1);
for (i = 0; i < 3; i++) {
case -1:
return (-1);
case 1:
if (is_argv0_unix < 0)
break;
}
}
return (-1);
}
else
/* Now let us write it: */
if (init_udt_command()) {
return (-1);
}
/* We echo the mapping */
(void) print_mapping(nm);
(void) print_mapping_fini();
if (stat < 0) {
gettext("Mapping not created (%s)\n"),
rc = -1;
}
fini_udt_command(1);
return (rc);
}
/* remove command handler */
static int
{
int rc = 0;
int i;
int is_argv0_unix = -1;
/* "-a" means we flush all of them */
if (argc) {
gettext("Too many arguments.\n"));
return (-1);
}
if (!is_type_determined(f))
return (-1);
if (init_udt_command())
return (-1);
return (rc);
}
/* Contrary to add_name_mapping, we can have only one argument */
if (argc < 1) {
return (-1);
} else if (argc > 2) {
return (-1);
} else if (!is_type_determined(f)) {
return (-1);
} else if (
/* both -f and -t: */
/* -d with a single argument: */
/* -f or -t with two arguments: */
gettext("Direction ambiguous.\n"));
return (-1);
}
/*
* Similar to do_add_name_mapping - see the comments
* there. Except we may have only one argument here.
*/
nm = name_mapping_init();
return (-1);
case -1:
return (-1);
case 1:
if (is_argv0_unix < 0)
break;
}
}
return (-1);
}
/*
* If the direction is not specified by a -d/-f/-t flag, then it
* is DIR_UNKNOWN, because in that case we want to remove any
* mapping. If it was DIR_BI, idmap_api would delete a
* bidirectional one only.
*/
else
if (init_udt_command()) {
return (-1);
}
if (stat < 0) {
gettext("Mapping not deleted (%s)\n"),
rc = -1;
}
fini_udt_command(1);
return (rc);
}
/* exit command handler */
static int
/* LINTED E_FUNC_ARG_UNUSED */
return (0);
}
/* debug command handler: just print the parameters */
static int
/* LINTED E_STATIC_UNUSED */
{
int i;
#if 0
#endif
print_flags(f);
for (i = 0; i < argc; i++) {
}
return (0);
}
/*
* Return a pointer after a given prefix. If there is no such prefix,
* return NULL
*/
static char *
return (NULL);
}
/*
* From name_mapping_t, asseble a string containing identity of the
* given type.
*/
static int
switch (type) {
case TYPE_SID:
return (-1);
return (0);
case TYPE_WN:
case TYPE_UID:
case TYPE_GID:
case TYPE_PID:
return (-1);
else
return (0);
case TYPE_UN:
default:
return (-1);
}
/* never reached */
}
/* show command handler */
static int
{
idmap_stat stat = 0;
int flag;
idmap_stat map_stat = 0;
int type_from;
int type_to;
char *root;
char *fromname;
char *toname;
if (argc == 0) {
gettext("No identity given\n"));
return (-1);
} else if (argc > 2) {
gettext("Too many arguments.\n"));
return (-1);
}
if (init_command())
return (-1);
nm = name_mapping_init();
goto cleanup;
/* First, determine type_from: */
else
} else {
gettext("Invalid type.\n"));
goto cleanup;
}
/* Second, determine type_to: */
if (argc < 2) {
else {
gettext("Ivnalid target type.\n"));
goto cleanup;
}
/* Are both arguments the same OS side? */
gettext("Direction ambiguous.\n"));
goto cleanup;
}
goto cleanup;
}
/* Replace '-' by string terminator so that sid = sidprefix */
*p = 0;
/* Restore '-' */
*p = '-';
}
/*
* We have two interfaces for retrieving the mappings:
* idmap_get_sidbyuid & comp (the batch interface) and
* idmap_get_w2u_mapping & comp. We want to use both of them, because
* the former mimicks kernel interface better and the later offers the
* string names. In the batch case, our batch has always size 1.
*/
flag,
} else {
flag,
}
} else {
/* batch handle */
/* To be passed to idmap_get_uidbysid */
/* To be passed to idmap_get_gidbysid */
/* Create an in-memory structure for all the batch: */
if (stat < 0) {
gettext("Unable to create handle for communicating"
" with idmapd(1M) (%s)\n"),
goto cleanup;
}
/* Schedule the request: */
flag,
&uid,
&map_stat);
flag,
&gid,
&map_stat);
flag,
&map_stat);
flag,
&map_stat);
flag,
&map_stat);
} else {
exit(1);
}
if (stat < 0) {
gettext("Request for %.3s not sent (%s)\n"),
goto cleanup;
}
/* Send the batch to idmapd and obtain results: */
if (stat < 0) {
gettext("Mappings not obtained because of"
" RPC problem (%s)\n"),
goto cleanup;
}
/* Destroy the batch handle: */
}
/*
* If there was -c flag, we do output whatever we can even in
* the case of error:
*/
if (map_stat < 0) {
gettext("%s\n"),
if (flag == IDMAP_REQ_FLG_NO_NEW_ID_ALLOC)
goto cleanup;
}
goto cleanup;
if (flag == 0)
(void) printf("%s -> %s:%u\n",
goto cleanup;
}
fini_command();
}
/* main function. Returns 1 for error, 0 otherwise */
int
int rc;
/* set locale and domain for internationalization */
(void) textdomain(TEXT_DOMAIN);
/* idmap_engine determines the batch_mode: */
argc - 1,
argv + 1,
&batch_mode);
if (rc < 0) {
(void) engine_fini();
if (rc == IDMAP_ENG_ERROR_SILENT)
help();
return (1);
}
udt_used = 0;
if (batch_mode) {
if (init_udt_batch() < 0)
return (1);
}
if (batch_mode) {
batch_mode = 0;
}
(void) engine_fini();
return (rc == 0 ? 0 : 1);
}