diff options
author | Gerald Carter <jerry@samba.org> | 2006-03-15 16:00:34 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:15:30 -0500 |
commit | 5133ab016e8400e815b6dae9947206e57332616b (patch) | |
tree | 0a0b4089b9568126e4db601da4a3edec70249820 | |
parent | 36f622acea8ffa59233bc1b96c6a38f1c29623a8 (diff) | |
download | samba-5133ab016e8400e815b6dae9947206e57332616b.tar.gz samba-5133ab016e8400e815b6dae9947206e57332616b.tar.bz2 samba-5133ab016e8400e815b6dae9947206e57332616b.zip |
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS
groups in the ${MACHINESID} and S_1-5-32 domains correctly,
I had to add a substr search on sambaSID.
* add substr matching rule to OpenLDAP schema
(we need to update the other schema as will since this
is a pretty important change). Sites will need to
- install the new schema
- add 'indea sambaSID sub' to slapd.conf
- run slapindex
* remove uses of SID_NAME_WKN_GRP in pdb_ldap.c
(This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
-rw-r--r-- | examples/LDAP/samba.schema | 2 | ||||
-rw-r--r-- | source3/passdb/pdb_ldap.c | 58 |
2 files changed, 17 insertions, 43 deletions
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index e7ecc9e070..4e1556eba5 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -295,9 +295,9 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match + SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) - ## ## Primary group SID, compatible with ntSid ## diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index b4f7e2b55c..eb5d3c9c31 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -2740,19 +2740,10 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods, break; case SID_NAME_ALIAS: - if (!sid_check_is_in_our_domain(&map->sid)) { - DEBUG(3, ("Refusing to map sid %s as an alias, not " - "in our domain\n", - sid_string_static(&map->sid))); - result = NT_STATUS_INVALID_PARAMETER; - goto done; - } - break; - - case SID_NAME_WKN_GRP: - if (!sid_check_is_in_builtin(&map->sid)) { - DEBUG(3, ("Refusing to map sid %s as an alias, not " - "in builtin domain\n", + if (!sid_check_is_in_our_domain(&map->sid) + && !sid_check_is_in_builtin(&map->sid) ) + { + DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n", sid_string_static(&map->sid))); result = NT_STATUS_INVALID_PARAMETER; goto done; @@ -3137,7 +3128,7 @@ static NTSTATUS ldapsam_modify_aliasmem(struct pdb_methods *methods, pstring filter; if (sid_check_is_in_builtin(alias)) { - type = SID_NAME_WKN_GRP; + type = SID_NAME_ALIAS; } if (sid_check_is_in_our_domain(alias)) { @@ -3250,7 +3241,7 @@ static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods, *p_num_members = 0; if (sid_check_is_in_builtin(alias)) { - type = SID_NAME_WKN_GRP; + type = SID_NAME_ALIAS; } if (sid_check_is_in_our_domain(alias)) { @@ -3346,7 +3337,7 @@ static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods, enum SID_NAME_USE type = SID_NAME_USE_NONE; if (sid_check_is_builtin(domain_sid)) { - type = SID_NAME_WKN_GRP; + type = SID_NAME_ALIAS; } if (sid_check_is_domain(domain_sid)) { @@ -3775,7 +3766,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, type = atol(attr); /* Consistency checks */ - if ((is_builtin && (type != SID_NAME_WKN_GRP)) || + if ((is_builtin && (type != SID_NAME_ALIAS)) || (!is_builtin && ((type != SID_NAME_ALIAS) && (type != SID_NAME_DOM_GRP)))) { DEBUG(2, ("Rejecting invalid group mapping entry %s\n", dn)); @@ -4261,25 +4252,15 @@ static BOOL ldapgroup2displayentry(struct ldap_search_state *state, case SID_NAME_DOM_GRP: case SID_NAME_ALIAS: - if (!sid_peek_check_rid(get_global_sam_sid(), &sid, - &result->rid)) { + if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid) + && !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid)) + { DEBUG(0, ("%s is not in our domain\n", sid_string_static(&sid))); return False; } break; - case SID_NAME_WKN_GRP: - - if (!sid_peek_check_rid(&global_sid_Builtin, &sid, - &result->rid)) { - - DEBUG(0, ("%s is not in builtin sid\n", - sid_string_static(&sid))); - return False; - } - break; - default: DEBUG(0,("unkown group type: %d\n", group_type)); return False; @@ -4290,6 +4271,7 @@ static BOOL ldapgroup2displayentry(struct ldap_search_state *state, static BOOL ldapsam_search_grouptype(struct pdb_methods *methods, struct pdb_search *search, + const DOM_SID *sid, enum SID_NAME_USE type) { struct ldapsam_privates *ldap_state = methods->private_data; @@ -4308,7 +4290,8 @@ static BOOL ldapsam_search_grouptype(struct pdb_methods *methods, state->scope = LDAP_SCOPE_SUBTREE; state->filter = talloc_asprintf(search->mem_ctx, "(&(objectclass=sambaGroupMapping)" - "(sambaGroupType=%d))", type); + "(sambaGroupType=%d)(sambaSID=%s)", + sid_string_static(sid), type); state->attrs = talloc_attrs(search->mem_ctx, "cn", "sambaSid", "displayName", "description", "sambaGroupType", NULL); @@ -4333,23 +4316,14 @@ static BOOL ldapsam_search_grouptype(struct pdb_methods *methods, static BOOL ldapsam_search_groups(struct pdb_methods *methods, struct pdb_search *search) { - return ldapsam_search_grouptype(methods, search, SID_NAME_DOM_GRP); + return ldapsam_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP); } static BOOL ldapsam_search_aliases(struct pdb_methods *methods, struct pdb_search *search, const DOM_SID *sid) { - if (sid_check_is_domain(sid)) - return ldapsam_search_grouptype(methods, search, - SID_NAME_ALIAS); - - if (sid_check_is_builtin(sid)) - return ldapsam_search_grouptype(methods, search, - SID_NAME_WKN_GRP); - - DEBUG(5, ("Don't know SID %s\n", sid_string_static(sid))); - return False; + return ldapsam_search_grouptype(methods, search, sid, SID_NAME_ALIAS); } static BOOL ldapsam_rid_algorithm(struct pdb_methods *methods) |