This is a 3.0.1 patch to the ads system. It adds base_path, filter, scope, and recursion options for winbindd group resolution; and base_path, filter, and scope options for winbindd user resolution. The patch was written so that the impact to the process was minimal to none if the options were left at their default. The default values result in behavior identical to the non-patched version. The options are based off of RFC2307bis naming contexts, but are split into separate options for each base, scope, and filter component. Here's a brief description of what this enhancement gives Samba.

##############################################################################
# NSS naming contexts to limit winbindd lookups when "security = ads"
#
# nss group recursion = <recursion lvl>
# nss group bind path = <base>
# nss group scope = <scope>
# nss group filter = <filter>
#
# nss passwd bind path = <base>
# nss passwd scope = <scope>
# nss passwd filter = <filter>
#
# where <base> is the bind_path where the search begins. If the suffix is
#              not supplied, it will be obtained via the realm
#              configuration option.
#              Default: The realm root dc.
#              Examples:
#                  nss group bind path = ou=groups,ou=samba
#                  nss group bind path = ou=Samba,dc=sub,dc=company,dc=com
#       <scope> is one of {base, one, sub}, defining bind path search depth.
#              Default: "sub" - All sub-trees of the bind path are parsed.
#       <filter> is a filter that is &'d with winbind's query filter
#              Default: ""
#              Example: nss group filter = (|(cn=samba*)(cn=dev*))
#       <recursion lvl> is one of {full, context, none}, defining how winbindd
#              handles nested groups when determining the groups that a
#              user is a member of.
#              Default: "full"
#
#              If "none", only groups that directly have the user as a
#              member are returned.
#
#              If "context", the children of groups that exist in
#              the conditions defined by the "nss group bind path",
#              "nss group scope", and "nss group filter" are recursed
#              into.
#
#              If "full", a full recurse of all groups is performed. If
#              the AD tokenGroups parameter exists for a user, that option
#              is used, allowing AD to perform the recursion. Otherwise,
#              winbindd recurses through the groups via multiple queries
#              to AD.
#
#              In all cases, the final list of groups that are returned
#              is only those that meet the conditions defined by the
#              "nss group ..." configuration directives. The one exception
#              to this is the primary group, which may exist anywhere on
#              the AD.
#
#              All recursion options handle circular group memberships.
#
#-----------------------------------------------------------------------------
#
# For example:
#
# With Active Directory contents:
#
#   ou=Users
#     cn=myUserName (memberOf=innerGroup1, primaryGroupID=928)
#     cn=outerGroup1 (memberOf=innerGroup3)
#   ou=tstGroups
#     cn=innerGroup1 (memberOf=outerGroup1, memberOf=innerGroup2)
#     cn=innerGroup2
#     cn=innerGroup3 (memberOf=innerGroup4)
#     cn=innerGroup4 (memberOf=innerGroup1)
#   ou=mainGroups
#     cn=primaryGroup (sid = S-...-928)
#
# with: nss group bind path = ou=tstGroups
#
# when "nss group recursion = none", the following is returned for myUserName:
#   primaryGroup, innerGroup1
#
# when "nss group recursion = context", the following groups are returned:
#   primaryGroup, innerGroup1, innerGroup2
#
# when "nss group recursion = full", the following groups are returned:
#   primaryGroup, innerGroup1, innerGroup3, innerGroup4, innerGroup2
#
# with full recursion and "nss group filter = (|(cn=*4)(cn=*3))"
#   primaryGroup, innerGroup3, innerGroup4
##############################################################################
Created attachment 438 [details] The enhancement patch.
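Added worked example (not code from the attached patch or from Samba): a Python model of the group-resolution rules described in the comment above, run over the same directory content, constructed here in a dict. The realm dc=company,dc=com, the DIRECTORY layout and the function names (ldap_match, in_scope, in_context, user_groups) are assumptions made for illustration; the bind path, scope, filter and recursion semantics, including the cycle handling and the primary-group exception, are taken from the description.

```python
"""Model of the proposed "nss group ..." options for winbindd group resolution.
Added example, not code from the attached patch or from Samba. The directory, the
realm dc=company,dc=com and every function name here are assumptions for illustration."""
import fnmatch

REALM = "dc=company,dc=com"            # assumed value of the "realm" option

# Constructed AD content keyed by cn; "memberOf" lists the parent groups.
DIRECTORY = {
    "myUserName":   {"ou": "ou=Users",      "memberOf": ["innerGroup1"], "primaryGroupID": 928},
    "outerGroup1":  {"ou": "ou=Users",      "memberOf": ["innerGroup3"]},
    "innerGroup1":  {"ou": "ou=tstGroups",  "memberOf": ["outerGroup1", "innerGroup2"]},
    "innerGroup2":  {"ou": "ou=tstGroups",  "memberOf": []},
    "innerGroup3":  {"ou": "ou=tstGroups",  "memberOf": ["innerGroup4"]},
    "innerGroup4":  {"ou": "ou=tstGroups",  "memberOf": ["innerGroup1"]},   # cycle back
    "primaryGroup": {"ou": "ou=mainGroups", "memberOf": [], "rid": 928},
}

# Defaults from the description: realm root, scope sub, no filter, full recursion.
DEFAULTS = {"nss group bind path": "", "nss group scope": "sub",
            "nss group filter": "", "nss group recursion": "full"}

def _parse_filter(s, i=0):
    """Small RFC 4515 subset: (attr=value) with '*' wildcards plus the &, |, ! operators."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        if s[i:i + 1] != ")":
            raise ValueError("unterminated filter")
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, pattern = s[i:j].partition("=")
    return ("=", attr, pattern), j + 1

def _eval_filter(node, attrs):
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(_eval_filter(k, attrs) for k in node[1])
    if op == "!":
        return not _eval_filter(node[1][0], attrs)
    value = attrs.get(node[1])             # attribute values compare case-insensitively
    return value is not None and fnmatch.fnmatchcase(str(value).lower(), node[2].lower())

def ldap_match(filt, attrs):
    """True if attrs satisfy filt; the empty default filter matches everything."""
    if not filt:
        return True
    node, end = _parse_filter(filt)
    if end != len(filt):
        raise ValueError("trailing text after filter")
    return _eval_filter(node, attrs)

def in_scope(dn, base, scope):
    """LDAP search scope relative to the bind path (DN comparison is case-insensitive)."""
    dn, base = dn.lower(), base.lower()
    return {"base": dn == base,
            "one": dn.partition(",")[2] == base,
            "sub": dn == base or dn.endswith("," + base)}[scope]

def in_context(name, cfg):
    """Is group `name` inside the nss group bind path / scope / filter?"""
    dn = "cn=%s,%s,%s" % (name, DIRECTORY[name]["ou"], REALM)
    base = cfg["nss group bind path"]
    if not base.lower().endswith(REALM.lower()):   # suffix omitted: take it from the realm
        base = "%s,%s" % (base, REALM) if base else REALM
    return (in_scope(dn, base, cfg["nss group scope"])
            and ldap_match(cfg["nss group filter"], {"cn": name}))

def user_groups(user, **overrides):
    """Groups returned for `user`; pass options as e.g. nss_group_recursion="context"."""
    cfg = {**DEFAULTS, **{k.replace("_", " "): v for k, v in overrides.items()}}
    recursion, found, seen = cfg["nss group recursion"], [], set()

    def walk(group):
        if group in seen:                      # circular memberships stop here
            return
        seen.add(group)
        found.append(group)
        if recursion == "none":
            return
        if recursion == "context" and not in_context(group, cfg):
            return                             # never recurse into out-of-context groups
        for parent in DIRECTORY[group]["memberOf"]:
            walk(parent)

    for direct in DIRECTORY[user]["memberOf"]:
        walk(direct)
    # Only in-context groups are returned; the primary group (located by RID) is the
    # one exception and may live anywhere in the directory.
    rid = DIRECTORY[user]["primaryGroupID"]
    primary = next(n for n, e in DIRECTORY.items() if e.get("rid") == rid)
    return [primary] + [g for g in found if in_context(g, cfg)]
```

Calling user_groups("myUserName", nss_group_bind_path="ou=tstGroups", nss_group_recursion=mode) for each of none, context and full reproduces the lists given in the description, including their order, and adding nss_group_filter="(|(cn=*4)(cn=*3))" gives the filtered list. With no overrides every group reachable from the user is returned, which is the unpatched behaviour the description says the defaults preserve. The filter evaluator deliberately covers only equality with "*" wildcards and the &, |, ! operators; anything else raises rather than silently matching.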
3.0 isn't supported anymore. Please reopen with a patch for master which uses the nss plugin interface