authorGünther Deschner <gd@samba.org>2005-06-29 14:03:53 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:58:07 -0500
commit2e7f22e833fbb549f698460f9ed4d81af68b86e9 (patch)
tree58f04a4311fa6cb4b2acdb33222b8b340675badb /source3/nsswitch/winbindd_ads.c
parent3922667cbe6cd56c6d29c88692b7e7d3342c1f1f (diff)
r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the POSIX
homedirectory and the loginshell from Active Directory's "Services for Unix". Enable it with: winbind sfu support = yes User-Accounts without SFU-Unix-Attributes will be assigned template-based Shells and Homedirs as before. Note that it doesn't matter which version of Services for Unix you use (2.0, 2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell, msSFU30LoginShell, etc.) automatically. If you also want to share the same uid/gid-space as SFU then also use PADL's ad-idmap-Plugin: idmap backend = ad When using the idmap-plugin only those accounts will appear in Name Service Switch that have those UNIX-attributes which avoids potential uid/gid-space clashes between SFU-ids and automatically assigned idmap-ids. Guenther (This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
Diffstat (limited to 'source3/nsswitch/winbindd_ads.c')
-rw-r--r--source3/nsswitch/winbindd_ads.c24
1 files changed, 21 insertions, 3 deletions
diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c
index c807ec59a5..868a7bc2ac 100644
--- a/source3/nsswitch/winbindd_ads.c
+++ b/source3/nsswitch/winbindd_ads.c
@@ -95,6 +95,11 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
return NULL;
}
+ if (lp_winbind_sfu_support() && (!ads_check_sfu_mapping(ads))) {
+ DEBUG(0,("ads_cached_connection: failed to check sfu attributes\n"));
+ return NULL;
+ }
+
/* set the flag that says we don't own the memory even
though we do so that ads_destroy() won't destroy the
structure we pass back by reference */
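Review bot: The added early return in ads_cached_connection() exits without any visible cleanup of `ads`, while the comment right below names ads_destroy() as what would free that structure. If the struct was allocated and bound earlier in the function (that part is outside the hunk), every failed SFU check leaks it together with its LDAP connection; `ads_destroy(&ads);` before `return NULL;` would close that. It also deserves a comment that with `winbind sfu support = yes` a failed schema check takes down the whole ADS connection for the domain instead of falling back to template shells and home directories, which the commit message does not mention.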
@@ -116,7 +121,10 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
const char *attrs[] = {"userPrincipalName",
"sAMAccountName",
"name", "objectSid", "primaryGroupID",
- "sAMAccountType", NULL};
+ "sAMAccountType",
+ ADS_ATTR_SFU_HOMEDIR_OID,
+ ADS_ATTR_SFU_SHELL_OID,
+ NULL};
int i, count;
ADS_STATUS rc;
void *res = NULL;
@@ -155,7 +163,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
i = 0;
for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
- char *name, *gecos;
+ char *name, *gecos, *homedir, *shell;
uint32 group;
uint32 atype;
@@ -167,6 +175,9 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
name = ads_pull_username(ads, mem_ctx, msg);
gecos = ads_pull_string(ads, mem_ctx, msg, "name");
+ homedir = ads_pull_string(ads, mem_ctx, msg, ads->schema.sfu_homedir_attr);
+ shell = ads_pull_string(ads, mem_ctx, msg, ads->schema.sfu_shell_attr);
+
if (!ads_pull_sid(ads, msg, "objectSid",
&(*info)[i].user_sid)) {
DEBUG(1,("No sid for %s !?\n", name));
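Review bot: `ads->schema.sfu_homedir_attr` and `ads->schema.sfu_shell_attr` are read unconditionally here, but the only SFU mapping check in this diff runs under `lp_winbind_sfu_support()`. With the option off the two fields are presumably never filled in, so ads_pull_string() would be handed an unset attribute name. Guarding the pulls keeps the template path as it was, e.g. `homedir = lp_winbind_sfu_support() ? ads_pull_string(ads, mem_ctx, msg, ads->schema.sfu_homedir_attr) : NULL;` and the same for `shell`. The two added lines in the last query_user hunk need the same guard; the loop body here continues outside this hunk.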
@@ -179,6 +190,8 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
(*info)[i].acct_name = name;
(*info)[i].full_name = gecos;
+ (*info)[i].homedir = homedir;
+ (*info)[i].shell = shell;
sid_compose(&(*info)[i].group_sid, &domain->sid, group);
i++;
}
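Review bot: `homedir` and `shell` are stored in `(*info)[i]` exactly as the directory returned them, with no check at this point. Going by the commit message these strings become the login shell and home directory seen through Name Service Switch on every member host, so anyone able to write those attributes in AD decides what runs at login. Unless the consumer (not visible here) already does so, values that are not absolute paths or that contain `:`, a newline or other control characters should be rejected in favour of the template. A comment like `/* SFU values are directory-supplied; validated before use in <consumer> */` would record where that happens. The same holds for `info->homedir` and `info->shell` in the last query_user hunk.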
@@ -364,7 +377,10 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
const char *attrs[] = {"userPrincipalName",
"sAMAccountName",
"name",
- "primaryGroupID", NULL};
+ "primaryGroupID",
+ ADS_ATTR_SFU_HOMEDIR_OID,
+ ADS_ATTR_SFU_SHELL_OID,
+ NULL};
ADS_STATUS rc;
int count;
void *msg = NULL;
@@ -402,6 +418,8 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
info->acct_name = ads_pull_username(ads, mem_ctx, msg);
info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
+ info->homedir = ads_pull_string(ads, mem_ctx, msg, ads->schema.sfu_homedir_attr);
+ info->shell = ads_pull_string(ads, mem_ctx, msg, ads->schema.sfu_shell_attr);
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &group_rid)) {
DEBUG(1,("No primary group for %s !?\n",