Mercurial > illumos > illumos-gate

changeset 4695:42666b3425e5

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
6569573 idmapd could log better messages when AD LDAP bind fails 6579507 idmapd should generate and set a machine_sid when it's missing 6579919 Need Creator Authority domain string in idmap.h
author baban
date Fri, 20 Jul 2007 15:17:01 -0700
parents 73996a03bcc9
children 666103281afe
files usr/src/cmd/idmap/idmapd/Makefile usr/src/cmd/idmap/idmapd/adutils.c usr/src/cmd/idmap/idmapd/idmap_config.c usr/src/cmd/idmap/idmapd/idmapd.c usr/src/cmd/idmap/idmapd/init.c usr/src/lib/libidmap/common/idmap_api.c usr/src/uts/common/sys/idmap.h
diffstat 7 files changed, 168 insertions(+), 18 deletions(-) [+]
line wrap: on
line diff
--- a/usr/src/cmd/idmap/idmapd/Makefile	Fri Jul 20 14:09:21 2007 -0700
+++ b/usr/src/cmd/idmap/idmapd/Makefile	Fri Jul 20 15:17:01 2007 -0700
@@ -60,7 +60,7 @@
 CLOBBERFILES += $(IDMAP_PROT_H)
 
 CFLAGS += -v
-LDLIBS += -lsecdb -lnsl -lidmap -lscf -lldap
+LDLIBS += -lsecdb -lnsl -lidmap -lscf -lldap -luuid
 
 $(PROG) := MAPFILES = $(MAPFILE.INT) $(MAPFILE.NGB)
 $(PROG) := LDFLAGS += $(MAPFILES:%=-M%)
--- a/usr/src/cmd/idmap/idmapd/adutils.c	Fri Jul 20 14:09:21 2007 -0700
+++ b/usr/src/cmd/idmap/idmapd/adutils.c	Fri Jul 20 15:17:01 2007 -0700
@@ -483,9 +483,9 @@
 		    &idmap_saslcallback, NULL /* defaults */);
 
 		if (rc != LDAP_SUCCESS) {
-			idmapdlog(LOG_ERR, "Could not authenticate to the "
-			    "LDAP server.  (Check that the host keys are "
-			    "correct?)");
+			idmapdlog(LOG_ERR, "ldap_sasl_interactive_bind_s() "
+			    "to server %s:%d failed. (%s)",
+			    adh->host, adh->port, ldap_err2string(rc));
 			return (rc);
 		}
 	}
--- a/usr/src/cmd/idmap/idmapd/idmap_config.c	Fri Jul 20 14:09:21 2007 -0700
+++ b/usr/src/cmd/idmap/idmapd/idmap_config.c	Fri Jul 20 15:17:01 2007 -0700
@@ -41,17 +41,55 @@
 #include "idmapd.h"
 #include <stdio.h>
 #include <stdarg.h>
+#include <uuid/uuid.h>
 
+#define	MACHINE_SID_LEN	(9 + UUID_LEN/4 * 11)
 #define	FMRI_BASE "svc:/system/idmap"
-
 #define	CONFIG_PG "config"
 #define	GENERAL_PG "general"
-
 /* initial length of the array for policy options/attributes: */
 #define	DEF_ARRAY_LENGTH 16
 
 static const char *me = "idmapd";
 
+static int
+generate_machine_sid(char **machine_sid) {
+	char *p;
+	uuid_t uu;
+	int i, j, len, rlen;
+	uint32_t rid;
+
+	/*
+	 * Generate and split 128-bit UUID into four 32-bit RIDs
+	 * The machine_sid will be of the form S-1-5-N1-N2-N3-N4
+	 * We depart from Windows here, which instead of 128
+	 * bits worth of random numbers uses 96 bits.
+	 */
+
+	*machine_sid = calloc(1, MACHINE_SID_LEN);
+	if (*machine_sid == NULL) {
+		idmapdlog(LOG_ERR, "%s: Out of memory", me);
+		return (-1);
+	}
+	(void) strcpy(*machine_sid, "S-1-5-21");
+	p = *machine_sid + strlen("S-1-5-21");
+	len = MACHINE_SID_LEN - strlen("S-1-5-21");
+
+	uuid_clear(uu);
+	uuid_generate_random(uu);
+
+	for (i = 0; i < UUID_LEN/4; i++) {
+		j = i * 4;
+		rid = (uu[j] << 24) | (uu[j + 1] << 16) |
+			(uu[j + 2] << 8) | (uu[j + 3]);
+		rlen = snprintf(p, len, "-%u", rid);
+		p += rlen;
+		len -= rlen;
+	}
+
+	return (0);
+}
+
 /* Check if in the case of failure the original value of *val is preserved */
 static int
 get_val_int(idmap_cfg_t *cfg, char *name, void *val, scf_type_t type)
@@ -177,6 +215,96 @@
 	return (rc);
 }
 
+static int
+set_val_astring(idmap_cfg_t *cfg, char *name, const char *val)
+{
+	int			rc = 0, i;
+	scf_property_t		*scf_prop = NULL;
+	scf_value_t		*value = NULL;
+	scf_transaction_t	*tx = NULL;
+	scf_transaction_entry_t	*ent = NULL;
+
+	if ((scf_prop = scf_property_create(cfg->handles.main)) == NULL ||
+	    (value = scf_value_create(cfg->handles.main)) == NULL ||
+	    (tx = scf_transaction_create(cfg->handles.main)) == NULL ||
+	    (ent = scf_entry_create(cfg->handles.main)) == NULL) {
+		idmapdlog(LOG_ERR, "%s: Unable to set property %s: %s",
+		    me, name, scf_strerror(scf_error()));
+		rc = -1;
+		goto destruction;
+	}
+
+	for (i = 0; i < MAX_TRIES && rc == 0; i++) {
+		if (scf_transaction_start(tx, cfg->handles.config_pg) == -1) {
+			idmapdlog(LOG_ERR,
+			    "%s: scf_transaction_start(%s) failed: %s",
+			    me, name, scf_strerror(scf_error()));
+			rc = -1;
+			goto destruction;
+		}
+
+		rc = scf_transaction_property_new(tx, ent, name,
+		    SCF_TYPE_ASTRING);
+		if (rc == -1) {
+			idmapdlog(LOG_ERR,
+			    "%s: scf_transaction_property_new() failed: %s",
+			    me, scf_strerror(scf_error()));
+			goto destruction;
+		}
+
+		if (scf_value_set_astring(value, val) == -1) {
+			idmapdlog(LOG_ERR,
+			    "%s: scf_value_set_astring() failed: %s",
+			    me, scf_strerror(scf_error()));
+			rc = -1;
+			goto destruction;
+		}
+
+		if (scf_entry_add_value(ent, value) == -1) {
+			idmapdlog(LOG_ERR,
+			    "%s: scf_entry_add_value() failed: %s",
+			    me, scf_strerror(scf_error()));
+			rc = -1;
+			goto destruction;
+		}
+
+		rc = scf_transaction_commit(tx);
+		if (rc == 0 && i < MAX_TRIES - 1) {
+			/*
+			 * Property group set in scf_transaction_start()
+			 * is not the most recent. Update pg, reset tx and
+			 * retry tx.
+			 */
+			idmapdlog(LOG_WARNING,
+			    "%s: scf_transaction_commit(%s) failed - Retry: %s",
+			    me, name, scf_strerror(scf_error()));
+			if (scf_pg_update(cfg->handles.config_pg) == -1) {
+				idmapdlog(LOG_ERR,
+				    "%s: scf_pg_update() failed: %s",
+				    me, scf_strerror(scf_error()));
+				rc = -1;
+				goto destruction;
+			}
+			scf_transaction_reset(tx);
+		}
+	}
+
+	/* Log failure message if all retries failed */
+	if (rc == 0) {
+		idmapdlog(LOG_ERR,
+		    "%s: scf_transaction_commit(%s) failed: %s",
+		    me, name, scf_strerror(scf_error()));
+		rc = -1;
+	}
+
+destruction:
+	scf_value_destroy(value);
+	scf_entry_destroy(ent);
+	scf_transaction_destroy(tx);
+	scf_property_destroy(scf_prop);
+	return (rc);
+}
+
 int
 idmap_cfg_load(idmap_cfg_t *cfg)
 {
@@ -237,6 +365,18 @@
 	rc = get_val_astring(cfg, "machine_sid", &cfg->pgcfg.machine_sid);
 	if (rc != 0)
 		return (-1);
+	if (cfg->pgcfg.machine_sid == NULL) {
+		/* If machine_sid not configured, generate one */
+		if (generate_machine_sid(&cfg->pgcfg.machine_sid) < 0)
+			return (-1);
+		rc = set_val_astring(cfg, "machine_sid",
+		    cfg->pgcfg.machine_sid);
+		if (rc < 0) {
+			free(cfg->pgcfg.machine_sid);
+			cfg->pgcfg.machine_sid = NULL;
+			return (-1);
+		}
+	}
 
 	rc = get_val_astring(cfg, "global_catalog", &cfg->pgcfg.global_catalog);
 	if (rc != 0)
--- a/usr/src/cmd/idmap/idmapd/idmapd.c	Fri Jul 20 14:09:21 2007 -0700
+++ b/usr/src/cmd/idmap/idmapd/idmapd.c	Fri Jul 20 15:17:01 2007 -0700
@@ -288,15 +288,11 @@
 		exit(1);
 	}
 
-	setegid(DAEMON_GID);
-	seteuid(DAEMON_UID);
 	if (init_mapping_system() < 0) {
 		idmapdlog(LOG_ERR,
 		"idmapd: unable to initialize mapping system");
 		exit(1);
 	}
-	seteuid(0);
-	setegid(0);
 
 	xprt = svc_door_create(idmap_prog_1, IDMAP_PROG, IDMAP_V1, 0);
 	if (xprt == NULL) {
--- a/usr/src/cmd/idmap/idmapd/init.c	Fri Jul 20 14:09:21 2007 -0700
+++ b/usr/src/cmd/idmap/idmapd/init.c	Fri Jul 20 15:17:01 2007 -0700
@@ -38,20 +38,29 @@
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <rpcsvc/daemon_utils.h>
 
 static const char *me = "idmapd";
 
 int
 init_mapping_system() {
+	int rc = 0;
+
 	if (rwlock_init(&_idmapdstate.rwlk_cfg, USYNC_THREAD, NULL) != 0)
 		return (-1);
 	if (load_config() < 0)
 		return (-1);
+
+	(void) setegid(DAEMON_GID);
+	(void) seteuid(DAEMON_UID);
 	if (init_dbs() < 0) {
+		rc = -1;
 		fini_mapping_system();
-		return (-1);
 	}
-	return (0);
+	(void) seteuid(0);
+	(void) setegid(0);
+
+	return (rc);
 }
 
 void
--- a/usr/src/lib/libidmap/common/idmap_api.c	Fri Jul 20 14:09:21 2007 -0700
+++ b/usr/src/lib/libidmap/common/idmap_api.c	Fri Jul 20 15:17:01 2007 -0700
@@ -658,7 +658,7 @@
 	if (sidprefix) {
 		str = mappings->mappings.mappings_val[iter->next].id1.
 			idmap_id_u.sid.prefix;
-		if (str) {
+		if (str && *str != '\0') {
 			*sidprefix = strdup(str);
 			if (*sidprefix == NULL) {
 				retcode = IDMAP_ERR_MEMORY;
@@ -1124,7 +1124,8 @@
 			if (gh->retlist[i].rid)
 				*gh->retlist[i].rid = id->idmap_id_u.sid.rid;
 			if (gh->retlist[i].sidprefix) {
-				if (id->idmap_id_u.sid.prefix == NULL) {
+				if (id->idmap_id_u.sid.prefix == NULL ||
+				    *id->idmap_id_u.sid.prefix == '\0') {
 					*gh->retlist[i].sidprefix = NULL;
 					break;
 				}
@@ -1340,7 +1341,8 @@
 
 	if (direction)
 		*direction = mapping->direction;
-	if (sidprefix && mapping->id2.idmap_id_u.sid.prefix) {
+	if (sidprefix && mapping->id2.idmap_id_u.sid.prefix &&
+	    *mapping->id2.idmap_id_u.sid.prefix != '\0') {
 		*sidprefix = strdup(mapping->id2.idmap_id_u.sid.prefix);
 		if (*sidprefix == NULL) {
 			retcode = IDMAP_ERR_MEMORY;
@@ -1404,7 +1406,7 @@
 			return (IDMAP_SUCCESS);
 		if (in->idmap_utf8str_val == NULL)
 			return (IDMAP_ERR_ARG);
-		if (in->idmap_utf8str_val[len - 1] != 0)
+		if (in->idmap_utf8str_val[len - 1] != '\0')
 			len++;
 		*out = calloc(1, len);
 		if (*out == NULL)
@@ -1417,7 +1419,7 @@
 			return (IDMAP_SUCCESS);
 		if (in->idmap_utf8str_val == NULL)
 			return (IDMAP_ERR_ARG);
-		if (in->idmap_utf8str_val[len - 1] != 0)
+		if (in->idmap_utf8str_val[len - 1] != '\0')
 			len++;
 		if (outsize < len)
 			return (IDMAP_ERR_ARG);
@@ -1501,7 +1503,7 @@
 	{IDMAP_ERR_RPC, gettext("RPC error"), EINVAL},
 	{IDMAP_ERR_CLIENT_HANDLE, gettext("Bad client handle"), EINVAL},
 	{IDMAP_ERR_BUSY, gettext("Server is busy"), EBUSY},
-	{IDMAP_ERR_PERMISSION_DENIED, gettext("Permisssion denied"), EACCES},
+	{IDMAP_ERR_PERMISSION_DENIED, gettext("Permission denied"), EACCES},
 	{IDMAP_ERR_NOMAPPING,
 		gettext("Mapping not found or inhibited"), EINVAL},
 	{IDMAP_ERR_NEW_ID_ALLOC_REQD,
--- a/usr/src/uts/common/sys/idmap.h	Fri Jul 20 14:09:21 2007 -0700
+++ b/usr/src/uts/common/sys/idmap.h	Fri Jul 20 15:17:01 2007 -0700
@@ -71,4 +71,7 @@
 #define	IDMAP_WK_CREATOR_OWNER_UID	2147483648U
 #define	IDMAP_WK__MAX_UID		2147483648U
 
+/* Reserved SIDs */
+#define	IDMAP_WK_CREATOR_SID_AUTHORITY	"S-1-3"
+
 #endif /* _SYS_IDMAP_H */