Bug 1184 - [patch] RFC2307bis Naming Contexts and Group Recursion
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.1
Hardware: All Solaris
Importance: P3 enhancement
Target Milestone: none
Assignee: Samba Bugzilla Account
Reported: 2004-03-12 12:11 UTC by John Klinger
Modified: 2010-04-26 03:29 UTC

Attachments
The enhancement patch. (32.55 KB, patch)
2004-03-12 12:11 UTC, John Klinger

Description John Klinger 2004-03-12 12:11:11 UTC
This is a 3.0.1 patch to the ads system. It adds base_path, filter, scope, and
recursion options for winbindd group resolution; and base_path, filter, and
scope options for winbindd user resolution. The patch was written so that the
impact to the process was minimal to none if the options were left at their
default. The default values result in behavior identical to the non-patched
version.

The options are based off of RFC2307bis naming contexts, but are split into
separate options for each base, scope, and filter component. 

Here's a brief description of what this enhancement gives Samba.

##############################################################################
# NSS naming contexts to limit winbindd lookups when "security = ads"
#
# nss group recursion = <recursion lvl>
# nss group bind path = <base>
# nss group scope     = <scope>
# nss group filter    = <filter>
#
# nss passwd bind path = <base>
# nss passwd scope     = <scope>
# nss passwd filter    = <filter>
#
# where  <base>   is the bind_path where the search begins. If the suffix is
#                 not supplied, it will be obtained via the realm
#                 configuration option.
#                 Default: The realm root dc.
#                 Examples:
#                    nss group bind path = ou=groups,ou=samba
#                    nss group bind path = ou=Samba,dc=sub,dc=company,dc=com
#        <scope>  is one of {base, one, sub}, defining bind path search depth.
#                 Default: "sub" - All sub-trees of the bind path are parsed.
#        <filter> is a filter that is &'d with winbind's query filter
#                 Default: ""
#                 Example: nss group filter = (|(cn=samba*)(cn=dev*))
# <recursion lvl> is one of {full, context, none}, defining how winbindd
#                 handles nested groups when determining the groups that a
#                 user is a member of.
#                 Default: "full"
#
#                 If "none", only groups that directly have the user as a
#                 member are returned.
#
#                 If "context", the children of groups that exist in
#                 the conditions defined by the "nss group bind path",
#                 "nss group scope", and "nss group filter" are recursed
#                 into.
#
#                 If "full", a full recurse of all groups is performed. If
#                 the AD tokenGroups parameter exists for a user, that option
#                 is used, allowing AD to perform the recursion. Otherwise,
#                 winbindd recurses through the groups via multiple queries
#                 to AD.
#
#                 In all cases, the final list of groups that are returned
#                 are only those that meet the conditions defined by the
#                 "nss group ..." configuration directives. The one exception
#                 to this is the primary group, which may exist anywhere on
#                 the AD.
#
#                 All recursion options handle circular group memberships.
#
#-----------------------------------------------------------------------------
#
# For example:
#
# With Active Directory contents:
#
#    ou=Users
#      cn=myUserName  (memberOf=innerGroup1, primaryGroupID=928)
#      cn=outerGroup1 (memberOf=innerGroup3)
#    ou=tstGroups
#      cn=innerGroup1 (memberOf=outerGroup1, memberOf=innerGroup2)
#      cn=innerGroup2
#      cn=innerGroup3 (memberOf=innerGroup4)
#      cn=innerGroup4 (memberOf=innerGroup1)
#    ou=mainGroups
#      cn=primaryGroup (sid = S-...-928)
#
# with: nss group bind path = ou=tstGroups
#
# when "nss group recursion = none", the following is returned for myUserName:
#          primaryGroup, innerGroup1
#
# when "nss group recursion = context", the following groups are returned:
#          primaryGroup, innerGroup1, innerGroup2
#
# when "nss group recursion = full", the following groups are returned:
#          primaryGroup, innerGroup1, innerGroup3, innerGroup4, innerGroup2
#
# with full recursion and "nss group filter = (|(cn=*4)(cn=*3))"
#          primaryGroup, innerGroup3, innerGroup4
##############################################################################
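
The three recursion modes described above, modeled on the example directory. This is an added illustration, not code from the attached patch: `resolve_groups` and `in_context` are hypothetical names, the bind path is reduced to a single OU name, and the LDAP filter is approximated as OR'd `cn` glob patterns.

```python
from fnmatch import fnmatchcase

# Constructed from the example directory in the description:
# name -> (containing OU, memberOf list)
DIRECTORY = {
    "myUserName":   ("Users",      ["innerGroup1"]),
    "outerGroup1":  ("Users",      ["innerGroup3"]),
    "innerGroup1":  ("tstGroups",  ["outerGroup1", "innerGroup2"]),
    "innerGroup2":  ("tstGroups",  []),
    "innerGroup3":  ("tstGroups",  ["innerGroup4"]),
    "innerGroup4":  ("tstGroups",  ["innerGroup1"]),
    "primaryGroup": ("mainGroups", []),
}
PRIMARY = {"myUserName": "primaryGroup"}  # stands in for primaryGroupID=928


def in_context(group, bind_ou, cn_globs):
    """True if the group is under the bind path and passes the filter."""
    ou, _ = DIRECTORY[group]
    passes = not cn_globs or any(fnmatchcase(group, g) for g in cn_globs)
    return ou == bind_ou and passes


def resolve_groups(user, recursion="full", bind_ou="tstGroups", cn_globs=()):
    """Return the user's groups under the given recursion mode."""
    seen, order = set(), []

    def walk(group):
        if group in seen:      # circular membership: visit each group once
            return
        seen.add(group)
        order.append(group)
        if recursion == "none":
            return             # direct memberships only
        if recursion == "context" and not in_context(group, bind_ou, cn_globs):
            return             # groups outside the context are not recursed into
        for parent in DIRECTORY[group][1]:
            walk(parent)

    for direct in DIRECTORY[user][1]:
        walk(direct)
    primary = PRIMARY[user]    # exempt from the bind path / filter conditions
    visible = [g for g in order if in_context(g, bind_ou, cn_globs)]
    return [primary] + [g for g in visible if g != primary]
```

In every mode the context conditions are applied to the final list, so outerGroup1 (under ou=Users) is traversed in "full" mode but never returned.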
Comment 1 John Klinger 2004-03-12 12:11:43 UTC
Created attachment 438
The enhancement patch.
Comment 2 Stefan Metzmacher 2010-04-26 03:29:14 UTC
3.0 isn't supported anymore. Please reopen with a patch for master
which uses the nss plugin interface.