diff options
author | Gerald Carter <jerry@samba.org> | 2003-11-07 14:41:08 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2003-11-07 14:41:08 +0000 |
commit | e9bd28d0a7b0fd667e52683013404dc4b1e03673 (patch) | |
tree | 9c1599d3f70a7246bc4657e21c7827fa8840a403 /source3/passdb/lookup_sid.c | |
parent | 178a4635245c2c433b9a510282ad5c49a2ffe804 (diff) | |
download | samba-e9bd28d0a7b0fd667e52683013404dc4b1e03673.tar.gz samba-e9bd28d0a7b0fd667e52683013404dc4b1e03673.tar.bz2 samba-e9bd28d0a7b0fd667e52683013404dc4b1e03673.zip |
fix for bug 680 (heads up). This gist is to map the
UNIX entity foo to DOMAIN\foo instead of SERVER\foo
on members of a Samba domain when all UNIX accounts
are shared via NIS, et. al.
* allow winbindd to match local accounts to domain SID
when 'winbind trusted domains only = yes'
* remove code in idmap_ldap that searches the user
suffix and group suffix. It's not needed and
provides inconsistent functionality from the tdb backend.
This has been tested. I'm still waiting on some more feedback
but This needs to be in 3.0.1pre2 for widespread use.
(This used to be commit cac4723e206bd001882011c9e12327064d032268)
Diffstat (limited to 'source3/passdb/lookup_sid.c')
-rw-r--r-- | source3/passdb/lookup_sid.c | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c index f84ff28db9..425c9b87f1 100644 --- a/source3/passdb/lookup_sid.c +++ b/source3/passdb/lookup_sid.c @@ -299,15 +299,20 @@ static void store_gid_sid_cache(const DOM_SID *psid, gid_t gid) NTSTATUS uid_to_sid(DOM_SID *psid, uid_t uid) { - uid_t low, high; fstring sid; + uid_t low, high; ZERO_STRUCTP(psid); if (fetch_sid_from_uid_cache(psid, uid)) return ( psid ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL ); - if (lp_idmap_uid(&low, &high) && uid >= low && uid <= high) { + /* DC's never use winbindd to resolve users outside the + defined idmap range */ + + if ( lp_server_role()==ROLE_DOMAIN_MEMBER + || (lp_idmap_uid(&low, &high) && uid >= low && uid <= high) ) + { if (winbind_uid_to_sid(psid, uid)) { DEBUG(10,("uid_to_sid: winbindd %u -> %s\n", @@ -336,15 +341,20 @@ NTSTATUS uid_to_sid(DOM_SID *psid, uid_t uid) NTSTATUS gid_to_sid(DOM_SID *psid, gid_t gid) { - gid_t low, high; fstring sid; + gid_t low, high; ZERO_STRUCTP(psid); if (fetch_sid_from_gid_cache(psid, gid)) return ( psid ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL ); - if (lp_idmap_gid(&low, &high) && gid >= low && gid <= high) { + /* DC's never use winbindd to resolve groups outside the + defined idmap range */ + + if ( lp_server_role()==ROLE_DOMAIN_MEMBER + || (lp_idmap_gid(&low, &high) && gid >= low && gid <= high) ) + { if (winbind_gid_to_sid(psid, gid)) { DEBUG(10,("gid_to_sid: winbindd %u -> %s\n", @@ -458,7 +468,9 @@ NTSTATUS sid_to_gid(const DOM_SID *psid, gid_t *pgid) /* winbindd knows it; Ensure this is a group sid */ - if ((name_type != SID_NAME_DOM_GRP) && (name_type != SID_NAME_ALIAS) && (name_type != SID_NAME_WKN_GRP)) { + if ((name_type != SID_NAME_DOM_GRP) && (name_type != SID_NAME_ALIAS) + && (name_type != SID_NAME_WKN_GRP)) + { DEBUG(10,("sid_to_gid: winbind lookup succeeded but SID is not a known group (%u)\n", (unsigned int)name_type )); |