The Samba-Bugzilla – Attachment 2089 Details for
Bug 3661
idmap_ad doesn't find users in trusted domains
[patch]
Updated patch for 3.0.23b
samba-3.0.23b.multiple_connections.patch (text/plain), 8.91 KB, created by
Bob Gautier (550 Unknown Recipient)
on 2006-08-10 04:29:25 UTC
Description:
Updated patch for 3.0.23b
Filename:
MIME Type:
Creator:
Bob Gautier (550 Unknown Recipient)
Created:
2006-08-10 04:29:25 UTC
Size:
8.91 KB
patch
obsolete
>--- samba-3.0.23b/source/sam/idmap_ad.c.multiple_connections 2006-07-21 17:22:57.000000000 +0100
>+++ samba-3.0.23b/source/sam/idmap_ad.c 2006-08-09 15:57:57.000000000 +0100
>@@ -26,6 +26,7 @@
> */
> 
> #include "includes.h"
>+#include "../nsswitch/winbindd.h"
> 
> #undef DBGC_CLASS
> #define DBGC_CLASS DBGC_IDMAP
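Review bot: The relative include `#include "../nsswitch/winbindd.h"` ties this idmap backend to winbindd-private structures and, in the later hunks, to winbindd-only symbols (`domain_list`, `find_domain_from_sid`); if idmap_ad is ever loaded by a process other than winbindd those symbols are unresolved at load time. A header comment such as `/* This backend uses winbindd internals (domain list, per-domain private_data) and can only be loaded by winbindd */` would make the constraint explicit for the next maintainer.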
>@@ -34,57 +35,78 @@
> 
> NTSTATUS init_module(void);
> 
>-static ADS_STRUCT *ad_idmap_ads = NULL;
>+/*
>+ * Connection management.
>+ *
>+ * Like winbindd_ads.c, use a separate connection to each domain.
>+ * FIXME: Merge this with the code there?
>+ */
> 
>-static char *attr_uidnumber = NULL;
>-static char *attr_gidnumber = NULL;
>+/*
>+ * Create a new connection for the cache. This ought to be the same as code in
>+ * winbindd_ads but I have factored out the domain->private_data checking. So the
>+ * code here is simply an edited version of the original from idmap_ad.c
>+ */
> 
>-static ADS_STATUS ad_idmap_check_attr_mapping(ADS_STRUCT *ads)
>+static ADS_STRUCT *ad_idmap_new_cached_connection(struct winbindd_domain *domain)
> {
>+ ADS_STRUCT *ads = NULL;
> ADS_STATUS status;
>- enum wb_posix_mapping map_type;
> 
>- if (attr_uidnumber != NULL && attr_gidnumber != NULL) {
>- return ADS_ERROR(LDAP_SUCCESS);
>+ DEBUG(3,("ad_idmap_new_cached_connection to %s [%s]\n",
>+ domain->name, sid_string_static(&domain->sid)));
>+
>+ SMB_ASSERT(domain->private_data == NULL);
>+
>+ /* we don't want this to affect the users ccache */
>+ setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
>+
>+ ads = ads_init(domain->alt_name, domain->name, NULL);
>+ if (!ads) {
>+ DEBUG(1,("ads_init failed\n"));
>+ return NULL;
> }
> 
>- SMB_ASSERT(ads->server.workgroup);
>+ /* the machine acct password might have change - fetch it every time */
>+ SAFE_FREE(ads->auth.password);
>+ ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
> 
>- map_type = get_nss_info(ads->server.workgroup);
>+ /* FIXME? 
This looks like a significant different between pre1 and rc1 */
> 
>- if ((map_type == WB_POSIX_MAP_SFU) ||
>- (map_type == WB_POSIX_MAP_RFC2307)) {
>+ SAFE_FREE(ads->auth.realm);
>+ ads->auth.realm = SMB_STRDUP(lp_realm());
> 
>- status = ads_check_posix_schema_mapping(ads, map_type);
>- if (ADS_ERR_OK(status)) {
>- attr_uidnumber = SMB_STRDUP(ads->schema.posix_uidnumber_attr);
>- attr_gidnumber = SMB_STRDUP(ads->schema.posix_gidnumber_attr);
>- ADS_ERROR_HAVE_NO_MEMORY(attr_uidnumber);
>- ADS_ERROR_HAVE_NO_MEMORY(attr_gidnumber);
>- return ADS_ERROR(LDAP_SUCCESS);
>- } else {
>- DEBUG(0,("ads_check_posix_schema_mapping failed: %s\n", ads_errstr(status)));
>- /* return status; */
>- }
>+ status = ads_connect(ads);
>+ if (!ADS_ERR_OK(status)) {
>+ DEBUG(1, ("ad_idmap_new_cached_connection: failed to connect to AD %s\n",
>+ domain->name));
>+ ads_destroy(&ads);
>+ return NULL;
> }
>-
>- /* fallback to XAD defaults */
>- attr_uidnumber = SMB_STRDUP("uidNumber");
>- attr_gidnumber = SMB_STRDUP("gidNumber");
>- ADS_ERROR_HAVE_NO_MEMORY(attr_uidnumber);
>- ADS_ERROR_HAVE_NO_MEMORY(attr_gidnumber);
> 
>- return ADS_ERROR(LDAP_SUCCESS);
>+ status = ads_check_posix_schema_mapping(ads, get_nss_info(domain->name));
>+ if (!ADS_ERR_OK(status)) {
>+ DEBUG(1,("ad_idmap_new_cached_connection: ads_check_posix_schema_mapping failed for %s with %s\n",
>+ domain->name,ads_errstr(status)));
>+
>+ ads_destroy(&ads);
>+ return NULL;
>+ }
>+
>+ ads->is_mine = False;
>+
>+ domain->private_data = ads;
>+ return ads;
> }
> 
>-static ADS_STRUCT *ad_idmap_cached_connection(void)
>+static ADS_STRUCT *ad_idmap_live_connection(struct winbindd_domain *d)
> {
>- ADS_STRUCT *ads;
>- ADS_STATUS status;
>- BOOL local = False;
>+ ADS_STRUCT *ads = (ADS_STRUCT *) d->private_data;
> 
>- if (ad_idmap_ads != NULL) {
>- ads = ad_idmap_ads;
>+ if (ads) {
>+
>+ DEBUG(7,("Found cached connection to realm %s for [%s]\n",
>+ ads->server.realm, sid_string_static(&d->sid)));
> 
> /* check for a valid structure */
> 
>@@ -92,50 +114,41 @@
> (uint32) ads->auth.expire, (uint32) time(NULL)));
> if ( ads->config.realm && (ads->auth.expire > time(NULL))) {
> return ads;
>- } else {
>- /* we own this ADS_STRUCT so make sure it goes away */
>- ads->is_mine = True;
>- ads_destroy( &ads );
>- ads_kdestroy(WINBIND_CCACHE_NAME);
>- ad_idmap_ads = NULL;
> }
>- }
> 
>- if (!local) {
>- /* we don't want this to affect the users ccache */
>- setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1);
>- }
>+ /* tickets have expired so we need a new connection */
>+ /* we own this ADS_STRUCT so make sure it goes away */
> 
>- ads = ads_init(lp_realm(), lp_workgroup(), NULL);
>- if (!ads) {
>- DEBUG(1,("ads_init failed\n"));
>- return NULL;
>+ ads->is_mine = True;
>+ ads_destroy( &ads );
>+ ads_kdestroy(WINBIND_CCACHE_NAME);
>+ ads = NULL;
>+ d->private_data = NULL;
> }
> 
>- /* the machine acct password might have change - fetch it every time */
>- SAFE_FREE(ads->auth.password);
>- ads->auth.password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
>+ return ad_idmap_new_cached_connection(d);
>+}
> 
>- SAFE_FREE(ads->auth.realm);
>- ads->auth.realm = SMB_STRDUP(lp_realm());
>+static ADS_STRUCT *ad_idmap_cached_connection(const DOM_SID *sid)
>+{
>+ struct winbindd_domain *d;
>+ ADS_STRUCT *ads = NULL;
> 
>- status = ads_connect(ads);
>- if (!ADS_ERR_OK(status)) {
>- DEBUG(1, ("ad_idmap_init: failed to connect to AD\n"));
>- ads_destroy(&ads);
>+ d = find_domain_from_sid(sid);
>+
>+ if (d == NULL) {
>+ DEBUG(1,("Tried to find connection to unknown domain [%s]\n",
>+ sid_string_static(sid)));
> return NULL;
> }
> 
>- ads->is_mine = False;
>-
>- status = ad_idmap_check_attr_mapping(ads);
>- if (!ADS_ERR_OK(status)) {
>- DEBUG(1, ("ad_idmap_init: failed to check attribute mapping\n"));
>+ if (!d->active_directory) {
>+ DEBUG(1,("ad_idmap_cached_connection found non-AD domain %s\n",
>+ d->name));
> return NULL;
> }
> 
>- ad_idmap_ads = ads;
>+ return ad_idmap_live_connection(d);
> }
> 
> /* 
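Review bot: The fallback to the `uidNumber`/`gidNumber` defaults is gone: in the new `ad_idmap_new_cached_connection` a failing `ads_check_posix_schema_mapping` destroys the connection and returns NULL, whereas the removed code logged the failure and continued with the XAD defaults, so a domain whose schema check fails can no longer be used for any lookup. If that is intended, the comment block above the function should say so; otherwise a fallback path that fills in the default attribute names is needed before this is merged. Separately, `SMB_ASSERT(domain->private_data == NULL)` aborts the whole daemon rather than failing one lookup; since the comment above says winbindd_ads.c keeps its own connection in the same `private_data` field, a collision between the two owners would become a crash, and if that sharing is real a `DEBUG` plus `return NULL` is the safer failure. The `/* FIXME? This looks like a significant different between pre1 and rc1 */` comment should state what the open question is, namely that the local `lp_realm()` is forced as `auth.realm` on a connection initialised with the trusted domain's `alt_name`.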
no op */
>@@ -144,7 +157,7 @@
> return NT_STATUS_OK;
> }
> 
>-static NTSTATUS ad_idmap_get_sid_from_id(DOM_SID *sid, unid_t unid, int id_type, int flags)
>+static NTSTATUS ad_idmap_get_sid_from_id_in_domain(ADS_STRUCT *ads,DOM_SID *sid, unid_t unid, int id_type, int flags)
> {
> ADS_STATUS rc;
> NTSTATUS status = NT_STATUS_NONE_MAPPED;
>@@ -154,18 +167,11 @@
> char *expr = NULL;
> fstring sid_string;
> int count;
>- ADS_STRUCT *ads;
> 
> if (sid == NULL) {
> return NT_STATUS_INVALID_PARAMETER;
> }
> 
>- ads = ad_idmap_cached_connection();
>- if (ads == NULL) {
>- DEBUG(1, ("ad_idmap_get_id_from_sid ADS uninitialized\n"));
>- return NT_STATUS_NOT_SUPPORTED;
>- }
>-
> switch (id_type & ID_TYPEMASK) {
> case ID_USERID:
> if (asprintf(&expr, "(&(|(sAMAccountType=%d)(sAMAccountType=%d)(sAMAccountType=%d))(%s=%d))",
>@@ -226,6 +232,33 @@
> return status;
> }
> 
>+
>+/*
>+ * Scan all known domains to try to map an id into a sid
>+ */
>+
>+static NTSTATUS ad_idmap_get_sid_from_id(DOM_SID *sid, unid_t unid, int id_type, int flags)
>+{
>+ struct winbindd_domain *d;
>+ ADS_STRUCT *ads;
>+ NTSTATUS status;
>+
>+ for (d = domain_list(); d; d = d->next) {
>+ ads = ad_idmap_live_connection(d);
>+ if (!ads) {
>+ DEBUG(1,("ad_idmap_get_sid_from_id: could not check %s\n",
>+ d->name));
>+ continue;
>+ }
>+
>+ status = ad_idmap_get_sid_from_id_in_domain(ads,sid,unid,id_type,flags);
>+ if (NT_STATUS_IS_OK(status))
>+ return status;
>+ }
>+
>+ return NT_STATUS_UNSUCCESSFUL;
>+}
>+
> static NTSTATUS ad_idmap_get_id_from_sid(unid_t *unid, int *id_type, const DOM_SID *sid)
> {
> ADS_STATUS rc;
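Review bot: In `ad_idmap_live_connection` the expiry path still calls `ads_kdestroy(WINBIND_CCACHE_NAME)`, but that now runs per domain while every connection is created against the same cache name (`setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1)` in the creation path); if `ads_kdestroy` removes the whole cache, one domain's ticket expiry discards the tickets the other cached connections still rely on, and they only recover once their own `auth.expire` check fails. A comment on that line stating the intended cross-domain effect, or a per-domain cache name, would settle it. Also, `ADS_STRUCT *ads = NULL;` in `ad_idmap_cached_connection` is never used and will draw an unused-variable warning; drop it.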
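Review bot: `ad_idmap_get_sid_from_id_in_domain` now receives `ads` from its caller but only validates `sid`; with the connection check that used to sit here removed, the function relies on every caller having checked `ads` first. Making it self-contained is a one-line change, `if (sid == NULL || ads == NULL) return NT_STATUS_INVALID_PARAMETER;`, and matches the paired null check the patch adds to `ad_idmap_get_id_from_sid`. The body of the function continues outside the hunk.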
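Review bot: The new `ad_idmap_get_sid_from_id` walks every entry of `domain_list()` and calls `ad_idmap_live_connection` on each without the `active_directory` filter that `ad_idmap_cached_connection` applies, so every id lookup attempts (and logs at level 1) an AD connection to each non-AD domain in the list; add `if (!d->active_directory) continue;` at the top of the loop. The function also reports a miss as `NT_STATUS_UNSUCCESSFUL`, whereas the per-domain routine it wraps, and the function it replaces, start from `NT_STATUS_NONE_MAPPED`, so callers that distinguish "not mapped" from "failed" see a different answer for an unmapped id; returning `NT_STATUS_NONE_MAPPED` when every reachable domain answered keeps the old contract. A domain that cannot be contacted is retried on every lookup with no negative result remembered; if that is deliberate, a comment on the `continue` saying so would help.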
>@@ -244,13 +277,14 @@ > int count; > ADS_STRUCT *ads; > >- if (unid == NULL) { >+ if ((unid == NULL) || (sid == NULL)) { > return NT_STATUS_INVALID_PARAMETER; > } > >- ads = ad_idmap_cached_connection(); >+ ads = ad_idmap_cached_connection(sid); > if (ads == NULL) { >- DEBUG(1, ("ad_idmap_get_id_from_sid ADS uninitialized\n")); >+ DEBUG(1, ("ad_idmap_get_id_from_sid [%s] could not get connection\n", >+ sid_string_static(sid))); > return NT_STATUS_NOT_SUPPORTED; > } > >@@ -304,9 +338,9 @@ > break; > } > >- if (!ads_pull_uint32(ads, msg, (*id_type == ID_GROUPID) ? attr_gidnumber : attr_uidnumber, &uid)) { >+ if (!ads_pull_uint32(ads, msg, (*id_type == ID_GROUPID) ? ads->schema.posix_gidnumber_attr : ads->schema.posix_uidnumber_attr, &uid)) { > DEBUG(1, ("ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute '%s'\n", >- (*id_type == ID_GROUPID) ? attr_gidnumber : attr_uidnumber)); >+ (*id_type == ID_GROUPID) ? ads->schema.posix_gidnumber_attr : ads->schema.posix_uidnumber_attr)); > goto done; > } > >@@ -336,17 +370,7 @@ > > static NTSTATUS ad_idmap_close(void) > { >- ADS_STRUCT *ads = ad_idmap_ads; >- >- if (ads != NULL) { >- /* we own this ADS_STRUCT so make sure it goes away */ >- ads->is_mine = True; >- ads_destroy( &ads ); >- ad_idmap_ads = NULL; >- } >- >- SAFE_FREE(attr_uidnumber); >- SAFE_FREE(attr_gidnumber); >+ /* We might not own all those connections, so don't mess with them */ > > return NT_STATUS_OK; > } >@@ -375,6 +399,7 @@ > /* support for new authentication subsystem */ > NTSTATUS init_module(void) > { >+ DEBUG(1,("idmap_ad: This version has the multiple-connection patch\n")); > return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "ad", &ad_methods); > } >