sid-mapping-idmap-passdb.sh [plain text]
#! /bin/bash
SCRIPTBASE=${SCRIPTBASE:-$(cd $(dirname $0)/.. && pwd )}
. $SCRIPTBASE/common.sh
. $SCRIPTBASE/directory-services.sh
ASROOT=sudo
failed=0
sidfilter()
{
perl -ne '/(S-[0123456789-]+)/ && print "$1\n";'
}
uid_list=$(create_temp_file $0 uid) || testerr $0 "can't create temp file"
gid_list=$(create_temp_file $0 gid) || testerr $0 "can't create temp file"
user_sid_list=$(create_temp_file $0 usersid) || \
testerr $0 "can't create temp file"
group_sid_list=$(create_temp_file $0 groupsid) || \
testerr $0 "can't create temp file"
machine_sid=$($ASROOT net getlocalsid | sidfilter )
failtest()
{
echo "*** TEST FAILED ***"
failed=`expr $failed + 1`
}
cleanup()
{
rm -f $uid_list $gid_list $user_sid_list $group_sid_list
}
trap "cleanup 2>/dev/null" 0 1 2 3 15
unix_ids_match()
{
if [ "$1" = "-2" -a "$2" = "2147483647" ]; then
true
elif [ "$2" = "-2" -a "$1" = "2147483647" ]; then
true
elif [ "$1" = "$2" ]; then
if [ "$1" = "" ]; then
false
else
true
fi
else
false
fi
}
group_sids_match()
{
if [ "$1" = "" -o "$2" = "" ]; then
false
elif [ "$1" = "$2" ]; then
true
elif [ x$(wbinfo --sid-to-gid=$1) = x$(wbinfo --sid-to-gid=$2) ] ; then
true
else
false
fi
}
user_sids_match()
{
if [ "$1" = "" -o "$2" = "" ]; then
false
elif [ "$1" = "$2" ]; then
true
elif [ x$(wbinfo --sid-to-uid=$1) = x$(wbinfo --sid-to-uid=$2) ] ; then
true
else
false
fi
}
pdb_user_sid()
{
$ASROOT pdbedit -d0 -v -u $1 | awk -F: '/User SID/{print $2}' | \
sidfilter
}
pdb_group_sid()
{
$ASROOT pdbedit -d0 -v -u $1 | awk -F: '/Group SID/{print $2}' | \
sidfilter
}
check_well_known_group_sid()
{
local sid="$1"
local expected_group="$2"
echo checking that well-known group SID $sid is group $expected_group
expected_gid=$(ds_lookup_group_gid $expected_group) || \
testerr $0 "unable to get GID for group $expected_group"
wb_gid=$(wbinfo --sid-to-gid=$sid)
if [ $? -ne 0 -o "$wb_gid" != "$expected_gid" ]; then
failtest
if [ "$wb_gid" ]; then
echo $sid mapped to GID $wb_gid, but expected $expected_gid
else
echo failed to map $sid to expected GID $expected_gid
fi
fi
}
check_well_known_group_rid()
{
local sid="$1"
local rid="$2"
local expected_group="$3"
check_well_known_group_sid "${sid}-${rid}" $expected_group
}
if [ -e /var/samba/idmap_cache.tdb ]; then
$ASROOT tdbtool /var/samba/idmap_cache.tdb erase || \
testerr $0 "failed to clear the idmap cache"
fi
echo testing existing fixed group SID mappings
$DSSEARCH -list /Groups SMBSID | while read groupname sidlist; do
case $groupname in
_clamav|_amavisd) continue;
esac
for sid in $sidlist ; do
check_well_known_group_sid $sid $groupname
done
done
check_well_known_group_rid $machine_sid 512 admin
check_well_known_group_rid $machine_sid 513 staff
check_well_known_group_rid $machine_sid 514 unknown
if [ -e /var/samba/idmap_cache.tdb ]; then
$ASROOT tdbtool /var/samba/idmap_cache.tdb erase || \
testerr $0 "failed to clear the idmap cache"
fi
$ASROOT killall -TERM winbindd
echo searching for user IDs
ds_search_user_ids > $uid_list
echo searching for group IDs
ds_search_group_ids > $gid_list
shopt -s extglob
echo mapping $(count_lines $uid_list) user IDs
while read uid ; do
if [ "$uid" = "-1" ]; then
continue
fi
case $uid in
+([0-9])) ;;
-+([0-9])) ;;
*)
echo "skipping invalid uid ($uid)"
continue
;;
esac
echo trying uid=$uid
username=$(ds_lookup_user_name $uid) || testerr $0 "no name for user $uid"
primary_gid=$(ds_user_primary_group $username) || \
testerr $0 "no primary group ID for $username"
group=$(ds_lookup_group_name $primary_gid)
context="user $username($uid), primary group $group($primary_gid)"
wb_usid=$(wbinfo -U $uid)
if [ $? -ne 0 -o "$wb_usid" = "" ]; then
failtest
echo $context
echo "unable to map SID for user $username (uid $uid)"
continue
fi
wb_uid=$(wbinfo --sid-to-uid=$wb_usid)
if ! unix_ids_match $wb_uid $uid ; then
failtest
echo $context
echo mismatched user ID for $username
echo "idmap gave: " $wb_uid
echo "expected: " $uid
fi
user_sid=$(pdb_user_sid $username) || \
testerr $0 "no user SID for $username"
group_sid=$(pdb_group_sid $username) || \
testerr $0 "no group SID for $username"
if ! user_sids_match $user_sid $wb_usid ; then
failtest
echo $context
echo mismatched user SID for $username
echo "idmap gave: " $wb_usid
echo "passdb gave: " $user_sid
fi
wb_gsid=$(wbinfo --gid-to-sid=$primary_gid $username)
if ! group_sids_match $group_sid $wb_gsid ; then
failtest
echo $context
echo mismatched group SID for $username
echo "idmap gave: " $wb_gsid
echo "passdb gave: " $group_sid
fi
echo $uid $wb_usid >> $user_sid_list
done < $uid_list
echo mapping $(count_lines $gid_list) group IDs
while read gid ; do
if [ "$gid" = "-1" ]; then
continue
fi
wb_gsid=$(wbinfo -G $gid)
if [ $? -ne 0 -o "$wb_gsid" = "" ]; then
failtest
fi
wb_gid=$(wbinfo --sid-to-gid=$wb_gsid)
if [ $? -ne 0 -o "$wb_gid" != "$gid" ]; then
echo failed to reverse map $wb_gsid, got \"$wb_gid\" instead of $gid
failtest
fi
echo $gid $wb_gsid >> $group_sid_list
done < $gid_list
echo checking that uid and user list lists match
if [ $(count_lines $user_sid_list) -ne $(count_lines $uid_list) ]; then
failtest
fi
echo checking that gid and group list lists match
if [ $(count_lines $group_sid_list) -ne $(count_lines $gid_list) ]; then
failtest
fi
testok $0 $failed