/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
*/
#include <pwd.h>
#include <idmap.h>
#include <ctype.h>
#include "ad_common.h"
/* passwd attributes and filters */
#define _PWD_DN "dn"
#define _PWD_SAN "sAMAccountName"
#define _PWD_OBJSID "objectSid"
#define _PWD_PRIMARYGROUPID "primaryGroupID"
#define _PWD_CN "cn"
#define _PWD_HOMEDIRECTORY "homedirectory"
#define _PWD_LOGINSHELL "loginshell"
#define _PWD_OBJCLASS "objectClass"
#define _F_GETPWNAM "(sAMAccountName=%.*s)"
#define _F_GETPWUID "(objectSid=%s)"
static const char *pwd_attrs[] = {
_PWD_SAN,
_PWD_OBJSID,
_PWD_PRIMARYGROUPID,
_PWD_CN,
_PWD_HOMEDIRECTORY,
_PWD_LOGINSHELL,
_PWD_OBJCLASS,
(char *)NULL
};
static int
update_buffer(ad_backend_ptr be, nss_XbyY_args_t *argp,
const char *name, const char *domain,
uid_t uid, gid_t gid, const char *gecos,
const char *homedir, const char *shell)
{
int buflen;
char *buffer;
if (be->db_type == NSS_AD_DB_PASSWD_BYNAME) {
/*
* The canonical name obtained from AD lookup may not match
* the case of the name (i.e. key) in the request. Therefore,
* use the name from the request to construct the result.
*/
buflen = snprintf(NULL, 0, "%s:%s:%u:%u:%s:%s:%s",
argp->key.name, "x", uid, gid, gecos, homedir, shell) + 1;
} else {
if (domain == NULL)
domain = WK_DOMAIN;
buflen = snprintf(NULL, 0, "%s@%s:%s:%u:%u:%s:%s:%s",
name, domain, "x", uid, gid, gecos, homedir, shell) + 1;
}
if (argp->buf.result != NULL) {
buffer = be->buffer = malloc(buflen);
if (be->buffer == NULL)
return (-1);
be->buflen = buflen;
} else {
if (buflen > argp->buf.buflen)
return (-1);
buflen = argp->buf.buflen;
buffer = argp->buf.buffer;
}
if (be->db_type == NSS_AD_DB_PASSWD_BYNAME)
(void) snprintf(buffer, buflen, "%s:%s:%u:%u:%s:%s:%s",
argp->key.name, "x", uid, gid, gecos, homedir, shell);
else
(void) snprintf(buffer, buflen, "%s@%s:%s:%u:%u:%s:%s:%s",
name, domain, "x", uid, gid, gecos, homedir, shell);
return (0);
}
#define NET_SCHEME "/net"
/*
* 1) If the homeDirectory string is in UNC format then convert it into
* a /net format. This needs to be revisited later but is fine for now
* because Solaris does not support -hosts automount map for CIFS yet.
*
* 2) If homeDirectory contains ':' then return NULL because ':' is the
* delimiter in passwd entries and may break apps that parse these entries.
*
* 3) For all other cases return the same string that was passed to
* this function.
*/
static
char *
process_homedir(char *homedir)
{
size_t len, smb_len;
char *smb_homedir;
int i, slash = 0;
len = strlen(homedir);
if (strchr(homedir, ':') != NULL)
/*
* Ignore paths that have colon ':' because ':' is a
* delimiter for the passwd entry.
*/
return (NULL);
if (!(len > 1 && homedir[0] == '\\' && homedir[1] == '\\'))
/* Keep homedir intact if not in UNC format */
return (homedir);
/*
* Convert UNC string into /net format
* Example: \\server\abc -> /net/server/abc
*/
smb_len = len + 1 + sizeof (NET_SCHEME);
if ((smb_homedir = calloc(1, smb_len)) == NULL)
return (NULL);
(void) strlcpy(smb_homedir, NET_SCHEME, smb_len);
for (i = strlen(smb_homedir); *homedir != '\0'; homedir++) {
if (*homedir == '\\') {
/* Reduce double backslashes into one */
if (slash)
slash = 0;
else {
slash = 1;
smb_homedir[i++] = '/';
}
} else {
smb_homedir[i++] = *homedir;
slash = 0;
}
}
return (smb_homedir);
}
/*
* _nss_ad_passwd2str is the data marshaling method for the passwd getXbyY
* (e.g., getbyuid(), getbyname(), getpwent()) backend processes. This method is
* called after a successful AD search has been performed. This method will
* parse the AD search values into the file format.
* e.g.
*
* blue@whale:x:123456:10:Blue Whale:/:
*
*/
static int
_nss_ad_passwd2str(ad_backend_ptr be, nss_XbyY_args_t *argp)
{
int nss_result;
adutils_result_t *result = be->result;
const adutils_entry_t *entry;
char **sid_v, *ptr, **pgid_v, *end;
ulong_t tmp;
uint32_t urid, grid;
uid_t uid;
gid_t gid;
idmap_stat gstat;
idmap_get_handle_t *ig = NULL;
char **name_v, **dn_v, *domain = NULL;
char **gecos_v, **shell_v;
char **homedir_v = NULL, *homedir = NULL;
char *NULL_STR = "";
if (result == NULL)
return (NSS_STR_PARSE_PARSE);
entry = adutils_getfirstentry(result);
nss_result = NSS_STR_PARSE_PARSE;
/* Create handles for idmap service */
if (idmap_get_create(&ig) != 0)
goto result_pwd2str;
/* Get name */
name_v = adutils_getattr(entry, _PWD_SAN);
if (name_v == NULL || name_v[0] == NULL || *name_v[0] == '\0')
goto result_pwd2str;
/* Get domain */
dn_v = adutils_getattr(entry, _PWD_DN);
if (dn_v == NULL || dn_v[0] == NULL || *dn_v[0] == '\0')
goto result_pwd2str;
domain = adutils_dn2dns(dn_v[0]);
/* Get objectSID (in text format) */
sid_v = adutils_getattr(entry, _PWD_OBJSID);
if (sid_v == NULL || sid_v[0] == NULL || *sid_v[0] == '\0')
goto result_pwd2str;
/* Break SID into prefix and rid */
if ((ptr = strrchr(sid_v[0], '-')) == NULL)
goto result_pwd2str;
*ptr = '\0';
end = ++ptr;
tmp = strtoul(ptr, &end, 10);
if (end == ptr || tmp > UINT32_MAX)
goto result_pwd2str;
urid = (uint32_t)tmp;
/* We already have uid -- no need to call idmapd */
if (be->db_type == NSS_AD_DB_PASSWD_BYUID)
uid = argp->key.uid;
else
uid = be->uid;
/* Get primaryGroupID */
pgid_v = adutils_getattr(entry, _PWD_PRIMARYGROUPID);
if (pgid_v == NULL || pgid_v[0] == NULL || *pgid_v[0] == '\0')
/*
* If primaryGroupID is not found then we request
* a GID to be mapped to the given user's objectSID
* (diagonal mapping) and use this GID as the primary
* GID for the entry.
*/
grid = urid;
else {
end = pgid_v[0];
tmp = strtoul(pgid_v[0], &end, 10);
if (end == pgid_v[0] || tmp > UINT32_MAX)
goto result_pwd2str;
grid = (uint32_t)tmp;
}
/* Map group SID to GID using idmap service */
if (idmap_get_gidbysid(ig, sid_v[0], grid, 0, &gid, &gstat) != 0)
goto result_pwd2str;
if (idmap_get_mappings(ig) != 0 || gstat != 0) {
RESET_ERRNO();
goto result_pwd2str;
}
/* Get gecos, homedirectory and shell information if available */
gecos_v = adutils_getattr(entry, _PWD_CN);
if (gecos_v == NULL || gecos_v[0] == NULL || *gecos_v[0] == '\0')
gecos_v = &NULL_STR;
homedir_v = adutils_getattr(entry, _PWD_HOMEDIRECTORY);
if (homedir_v == NULL || homedir_v[0] == NULL || *homedir_v[0] == '\0')
homedir = NULL_STR;
else if ((homedir = process_homedir(homedir_v[0])) == NULL)
homedir = NULL_STR;
shell_v = adutils_getattr(entry, _PWD_LOGINSHELL);
if (shell_v == NULL || shell_v[0] == NULL || *shell_v[0] == '\0')
shell_v = &NULL_STR;
if (update_buffer(be, argp, name_v[0], domain, uid, gid,
gecos_v[0], homedir, shell_v[0]) < 0)
nss_result = NSS_STR_PARSE_ERANGE;
else
nss_result = NSS_STR_PARSE_SUCCESS;
result_pwd2str:
idmap_get_destroy(ig);
(void) adutils_freeresult(&be->result);
free(domain);
if (homedir != NULL_STR && homedir_v != NULL &&
homedir != homedir_v[0])
free(homedir);
return ((int)nss_result);
}
/*
* getbyname gets a passwd entry by winname. This function constructs an ldap
* search filter using the name invocation parameter and the getpwnam search
* filter defined. Once the filter is constructed, we search for a matching
* entry and marshal the data results into struct passwd for the frontend
* process. The function _nss_ad_passwd2ent performs the data marshaling.
*/
static nss_status_t
getbyname(ad_backend_ptr be, void *a)
{
nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a;
char *searchfilter;
char name[SEARCHFILTERLEN];
char *dname;
int filterlen, namelen;
int flag;
nss_status_t stat;
idmap_stat idmaprc;
uid_t uid;
gid_t gid;
int is_user, is_wuser, try_idmap;
be->db_type = NSS_AD_DB_PASSWD_BYNAME;
/* Sanitize name so that it can be used in our LDAP filter */
if (_ldap_filter_name(name, argp->key.name, sizeof (name)) != 0)
return ((nss_status_t)NSS_NOTFOUND);
if ((dname = strchr(name, '@')) == NULL)
return ((nss_status_t)NSS_NOTFOUND);
*dname = '\0';
dname++;
/*
* Map the given name to UID using idmap service. If idmap
* call fails then this will save us doing AD discovery and
* AD lookup here.
*/
flag = (strcasecmp(dname, WK_DOMAIN) == 0) ?
IDMAP_REQ_FLG_WK_OR_LOCAL_SIDS_ONLY : 0;
is_wuser = -1;
is_user = 1;
if (idmap_get_w2u_mapping(NULL, NULL, name,
dname, flag, &is_user, &is_wuser, &be->uid, NULL,
NULL, NULL) != IDMAP_SUCCESS) {
RESET_ERRNO();
return ((nss_status_t)NSS_NOTFOUND);
}
/* If this is not a Well-Known SID then try AD lookup. */
if (strcasecmp(dname, WK_DOMAIN) != 0) {
/* Assemble filter using the given name */
namelen = strlen(name);
filterlen = snprintf(NULL, 0, _F_GETPWNAM, namelen, name) + 1;
if ((searchfilter = (char *)malloc(filterlen)) == NULL)
return ((nss_status_t)NSS_NOTFOUND);
(void) snprintf(searchfilter, filterlen, _F_GETPWNAM,
namelen, name);
stat = _nss_ad_lookup(be, argp, _PASSWD, searchfilter,
dname, &try_idmap);
free(searchfilter);
if (!try_idmap)
return (stat);
}
/*
* Either this is a Well-Known SID or AD lookup failed. Map
* the given name to GID using idmap service and construct
* the passwd entry.
*/
is_wuser = -1;
is_user = 0; /* Map name to primary gid */
idmaprc = idmap_get_w2u_mapping(NULL, NULL, name, dname,
flag, &is_user, &is_wuser, &gid, NULL, NULL, NULL);
if (idmaprc != IDMAP_SUCCESS) {
RESET_ERRNO();
return ((nss_status_t)NSS_NOTFOUND);
}
/* Create passwd(4) style string */
if (update_buffer(be, argp, name, dname,
be->uid, gid, "", "", "") < 0)
return ((nss_status_t)NSS_NOTFOUND);
/* Marshall the data, sanitize the return status and return */
stat = _nss_ad_marshall_data(be, argp);
return (_nss_ad_sanitize_status(be, argp, stat));
}
/*
* getbyuid gets a passwd entry by uid number. This function constructs an ldap
* search filter using the uid invocation parameter and the getpwuid search
* filter defined. Once the filter is constructed, we search for a matching
* entry and marshal the data results into struct passwd for the frontend
* process. The function _nss_ad_passwd2ent performs the data marshaling.
*/
static nss_status_t
getbyuid(ad_backend_ptr be, void *a)
{
nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a;
char searchfilter[ADUTILS_MAXHEXBINSID + 14];
char *sidprefix = NULL;
idmap_rid_t rid;
char cbinsid[ADUTILS_MAXHEXBINSID + 1];
char *winname = NULL, *windomain = NULL;
int is_user, is_wuser;
gid_t gid;
idmap_stat idmaprc;
int ret, try_idmap;
nss_status_t stat;
be->db_type = NSS_AD_DB_PASSWD_BYUID;
stat = (nss_status_t)NSS_NOTFOUND;
/* nss_ad does not support non ephemeral uids */
if (argp->key.uid <= MAXUID)
goto out;
/* Map the given UID to a SID using the idmap service */
if (idmap_get_u2w_mapping(&argp->key.uid, NULL, 0,
1, NULL, &sidprefix, &rid, &winname, &windomain,
NULL, NULL) != 0) {
RESET_ERRNO();
goto out;
}
/*
* NULL winname implies a local SID or unresolvable SID both of
* which cannot be used to generated passwd(4) entry
*/
if (winname == NULL)
goto out;
/* If this is not a Well-Known SID try AD lookup */
if (windomain != NULL && strcasecmp(windomain, WK_DOMAIN) != 0) {
if (adutils_txtsid2hexbinsid(sidprefix, &rid,
&cbinsid[0], sizeof (cbinsid)) != 0)
goto out;
ret = snprintf(searchfilter, sizeof (searchfilter),
_F_GETPWUID, cbinsid);
if (ret >= sizeof (searchfilter) || ret < 0)
goto out;
stat = _nss_ad_lookup(be, argp, _PASSWD, searchfilter,
windomain, &try_idmap);
if (!try_idmap)
goto out;
}
/* Map winname to primary gid using idmap service */
is_user = 0;
is_wuser = -1;
idmaprc = idmap_get_w2u_mapping(NULL, NULL,
winname, windomain, 0, &is_user, &is_wuser, &gid,
NULL, NULL, NULL);
if (idmaprc != IDMAP_SUCCESS) {
RESET_ERRNO();
goto out;
}
/* Create passwd(4) style string */
if (update_buffer(be, argp, winname, windomain,
argp->key.uid, gid, "", "", "") < 0)
goto out;
/* Marshall the data, sanitize the return status and return */
stat = _nss_ad_marshall_data(be, argp);
stat = _nss_ad_sanitize_status(be, argp, stat);
out:
idmap_free(sidprefix);
idmap_free(winname);
idmap_free(windomain);
return (stat);
}
static ad_backend_op_t passwd_ops[] = {
_nss_ad_destr,
_nss_ad_endent,
_nss_ad_setent,
_nss_ad_getent,
getbyname,
getbyuid
};
/*
* _nss_ad_passwd_constr is where life begins. This function calls the
* generic AD constructor function to define and build the abstract
* data types required to support AD operations.
*/
/*ARGSUSED0*/
nss_backend_t *
_nss_ad_passwd_constr(const char *dummy1, const char *dummy2,
const char *dummy3)
{
return ((nss_backend_t *)_nss_ad_constr(passwd_ops,
sizeof (passwd_ops)/sizeof (passwd_ops[0]),
_PASSWD, pwd_attrs, _nss_ad_passwd2str));
}