Bug 3345 - Patch to 3.0.20b to add RFC2307 capabilities to winbind
Patch to 3.0.20b to add RFC2307 capabilities to winbind
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.20b
All All
: P3 enhancement
: none
Assigned To: Guenther Deschner
Samba QA Contact
:
: 3745 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-12-21 02:08 UTC by Howard Wilkinson
Modified: 2006-05-18 11:13 UTC (History)
4 users (show)

See Also:


Attachments
Patch to be applied to 3.0.20b for rfc2307 functionality use patch -p1 (12.32 KB, patch)
2005-12-21 02:11 UTC, Howard Wilkinson
no flags Details
Version of the patch for 3.0.21c use patch -p1 (12.32 KB, patch)
2006-02-27 12:27 UTC, Howard Wilkinson
no flags Details
Corrected path for 3.0.21c (13.69 KB, patch)
2006-03-08 15:21 UTC, Howard Wilkinson
no flags Details
Additional patch to fix const problem with compilers other than gcc (550 bytes, patch)
2006-03-17 08:22 UTC, Howard Wilkinson
no flags Details
Additional patch to fix const problem with compilers other than gcc (775 bytes, patch)
2006-03-17 09:37 UTC, Howard Wilkinson
no flags Details
Patch to fix a compiler optimisation problem (2.05 KB, patch)
2006-03-21 10:49 UTC, Howard Wilkinson
no flags Details
Consolidated patch for 3.0.21c with a small bug fix (15.02 KB, patch)
2006-03-22 03:26 UTC, Howard Wilkinson
no flags Details
Alternative patch (to 3.0.21c) that avoids new config parameter (6.38 KB, patch)
2006-04-05 08:50 UTC, Bob Gautier (550 Unknown Recipient)
no flags Details
another alternative patch (work in progress) (11.92 KB, patch)
2006-05-05 12:41 UTC, Guenther Deschner
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Howard Wilkinson 2005-12-21 02:08:09 UTC
I have a patch that includes the RFC2307 attributes as an alternative to the SFU attributes for Winbind and idmap_ad to function with Active Directory supporting these extensions.

This patch also applies to 3.0.21 code tree. I have tested this in a Fedora 4 environment only using the RPM spec file shipped with Fedora 4 as the build platform, the test has been run using the 3.0.20b release. I will try 3.0.21 in the next few days.

The configuration parameter "winbind nss info" has been extended to recognise "rfc2307" as an alternative to "sfu".

I will submit this patch if someone will tell me how and where I should do so!
Comment 1 Howard Wilkinson 2005-12-21 02:11:05 UTC
Created attachment 1629 [details]
Patch to be applied to 3.0.20b for rfc2307 functionality use patch -p1

OK found out how to add a patch!
Comment 2 Guenther Deschner 2005-12-22 07:05:50 UTC
Howard, you are referring to an RFC2307 attributes implementation beside SFU that is already in Active Directory? Or do you use a separate extension to add these?
Comment 3 Howard Wilkinson 2005-12-24 06:54:40 UTC
 The RFC2307 standard uses different OID's to that used by SFU. The upcoming release of Windows 2003 (W2K3 R2) has these attributes as standard. This patch enables these in place of the SFU OID's. Thus it is closer to compatible with other LDAP implementations.
Comment 4 Howard Wilkinson 2006-02-27 12:27:21 UTC
Created attachment 1762 [details]
Version of the patch for 3.0.21c use patch -p1

3.0.21c made changes in the same area as the submitted patch, so I have reproduced the patch (with a couple of minor changes) to meet this version.
Comment 5 Howard Wilkinson 2006-03-08 11:39:52 UTC
(In reply to comment #4)
> Created an attachment (id=1762) [edit]
> Version of the patch for 3.0.21c use patch -p1
> 3.0.21c made changes in the same area as the submitted patch, so I have
> reproduced the patch (with a couple of minor changes) to meet this version.

I have attached the wrong patch file will fix this later tonight after I have rerun the builds to ensure I have the right version.
Comment 6 Howard Wilkinson 2006-03-08 15:21:20 UTC
Created attachment 1779 [details]
Corrected path for 3.0.21c

I found the right patch. This has been tested in a Fedora 4 Linux environment and compiles and functions when faced with an RFC2307 environment. Extensive testing has not been carried out but it has been live for 10 days now.
Comment 7 Howard Wilkinson 2006-03-17 08:22:43 UTC
Created attachment 1810 [details]
Additional patch to fix const problem with compilers other than gcc

This is an additional patch for the 3.0.21c version which fixes a problem with a const declaration on compilers other than gcc
Comment 8 Howard Wilkinson 2006-03-17 09:37:54 UTC
Created attachment 1811 [details]
Additional patch to fix const problem with compilers other than gcc

This is a further tidy up obsoletes the last patch.
Comment 9 Howard Wilkinson 2006-03-21 10:49:42 UTC
Created attachment 1814 [details]
Patch to fix a compiler optimisation problem

You need this patch to fix the compiler optimisation problem that stops winbind from finding the uidnumber and gidnumber in some lookups.
Comment 10 Howard Wilkinson 2006-03-22 03:26:27 UTC
Created attachment 1817 [details]
Consolidated patch for 3.0.21c with a small  bug fix

OK this one contains all of the previous changes consolidated with a memory leak fixed. To use this you need to use an AD with RFC2307 oids. Windows 2003 R2 has these natively. The user need uidnumber, gidnumber, shell, homedir set (gecos can also be set) and must have a group that also has gidnumber set to match. This group must be set to be the primary group for the user.
Comment 11 Bob Gautier (550 Unknown Recipient) 2006-04-05 08:50:04 UTC
Created attachment 1845 [details]
Alternative patch (to 3.0.21c) that avoids new config parameter

I notice someone has beaten me to it but my patch deals with both old and new schemas automatically so I thought I would offer it here as an alternative.  Of course, I don't mind which ends up in the product!
Comment 12 Howard Wilkinson 2006-04-06 05:55:04 UTC
The alternative patch has the advantage that it does not need a config option to switch on the facility. It does have the disadvantage that it does not allow an environment where both the RFC2307 and the SFU schema objects exist to select which set of data to utilise.

A clean W2K3 R2 release would never suffer from this problem but upgraded W2K0 and W2k3 systems that have used SFU would.

I had considered adding a facility to allow the RFC2307 attributes to override the SFU ones by searching for them first and if not found search for the SFU candidates. This has the disadvantage of needing 2 lookups or one lookup that brings back both sets of data. You win or lose depending on your environment.

I would still prefer to be able to specify which attributes to use, and possibly enhance the code to allow both to be switched on at once for those environments that are migrating from SFu to RFC2307.
Comment 13 Bob Gautier (550 Unknown Recipient) 2006-04-10 04:02:12 UTC
(In reply to comment #12)

> A clean W2K3 R2 release would never suffer from this problem but upgraded W2K0
> and W2k3 systems that have used SFU would.

Yes, I'd been wondering what to do about locations that had both schemas installed -- especially those which had tried to use RFC2307 in the past but had eventually installed SFU instead.  They might have an AD that does not allow schema deletions so they may be unable to discard the now redundant bits of schema.

On the whole I think that from the user's point of view a new config parameter isn't much to have to deal with, and now the code for that new parameter is written we may as well use it.  So the original patch gets my vote.

One concern though: does this patch require all domains to use the same schema?  Is it possible that the set of domains that are accessible to a Samba server includes some rfc2307 domains and some sfu domains?
Comment 14 Howard Wilkinson 2006-04-10 05:12:47 UTC
Bob,

The schema for an Active Directory Forest must be the same in all domains - a strength/weakness of the AD model. So Schema extensions are propagated to all domain controllers. This is a real pain in a large global forest. Across forest boundaries then all bets are off. However, you would have to use trusts or work out how to make Samba a member of multiple forests (domains in different forests to be precise) which as far as I know does not exist as a capability in Samba today.

I still think it might be worth looking to update the code to support environments where both sets of attributes exist in the schema and the data has been filled in using the RFC and SFU attributes. We should probably only accept data for one or the other for a User - RFC userid and SFU groupid would not make much sense. The advantage of this would be in supporting any environment that is doing a migration and did not want to globally update their users.

As an alternative I could knock together a very simple LDAP update script (PERL of course) that would copy all SFU attributes into their RFC equivalents across a domain.

I know of a couple of sites that are using this patch but I would be grateful for some more feedback. Not having written code for Samba before I would like to know whether my code follows the quality standards set for Samba and if not what I need to change.

Comment 15 Guenther Deschner 2006-05-02 02:49:31 UTC
*** Bug 3745 has been marked as a duplicate of this bug. ***
Comment 16 Guenther Deschner 2006-05-05 12:38:18 UTC
Ok, finally got around to look at the patches, looks quite good but there are some more issues we have to solve: one is the abilitiy to choose between sfu/rfc2307/template per trusted domain. 

I attach my own patch (work in progress).
Comment 17 Guenther Deschner 2006-05-05 12:41:42 UTC
Created attachment 1892 [details]
another alternative patch (work in progress)
Comment 18 Guenther Deschner 2006-05-18 11:13:55 UTC
This has been adressed in subversion (http://websvn.samba.org/cgi-bin/viewcvs.cgi?rev=15697&view=rev)

Thanks everybody involved!

Please reopen if you see any issues with it.