authorGünther Deschner <gd@samba.org>2005-06-29 14:03:53 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:58:07 -0500
commit2e7f22e833fbb549f698460f9ed4d81af68b86e9 (patch)
tree58f04a4311fa6cb4b2acdb33222b8b340675badb /source3/sam
parent3922667cbe6cd56c6d29c88692b7e7d3342c1f1f (diff)
r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the POSIX
homedirectory and the loginshell from Active Directory's "Services for Unix". Enable it with: winbind sfu support = yes User-Accounts without SFU-Unix-Attributes will be assigned template-based Shells and Homedirs as before. Note that it doesn't matter which version of Services for Unix you use (2.0, 2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell, msSFU30LoginShell, etc.) automatically. If you also want to share the same uid/gid-space as SFU then also use PADL's ad-idmap-Plugin: idmap backend = ad When using the idmap-plugin only those accounts will appear in Name Service Switch that have those UNIX-attributes which avoids potential uid/gid-space clashes between SFU-ids and automatically assigned idmap-ids. Guenther (This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
Diffstat (limited to 'source3/sam')
-rw-r--r--source3/sam/idmap_ad.c47
1 files changed, 40 insertions, 7 deletions
diff --git a/source3/sam/idmap_ad.c b/source3/sam/idmap_ad.c
index b3b9b7ad47..840dff025e 100644
--- a/source3/sam/idmap_ad.c
+++ b/source3/sam/idmap_ad.c
@@ -1,5 +1,5 @@
/*
- * idmap_ad: map between Active Directory and RFC 2307 accounts
+ * idmap_ad: map between Active Directory and RFC 2307 or "Services for Unix" (SFU) Accounts
* Copyright (C) 2001-2004 PADL Software Pty Ltd. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
@@ -37,13 +37,11 @@
#define DBGC_CLASS DBGC_IDMAP
#ifndef ATTR_UIDNUMBER
-/* #define ATTR_UIDNUMBER "msSFU30UidNumber" */
-#define ATTR_UIDNUMBER "uidNumber"
+#define ATTR_UIDNUMBER ADS_ATTR_SFU_UIDNUMBER_OID
#endif
#ifndef ATTR_GIDNUMBER
-/* #define ATTR_GIDNUMBER "msSFU30GidNumber" */
-#define ATTR_GIDNUMBER "gidNumber"
+#define ATTR_GIDNUMBER ADS_ATTR_SFU_GIDNUMBER_OID
#endif
#define WINBIND_CCACHE_NAME "MEMORY:winbind_ccache"
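Review bot: The fallback definitions of `ATTR_UIDNUMBER` and `ATTR_GIDNUMBER` now expand to the SFU OID constants instead of the RFC 2307 names, while the read in ad_idmap_get_id_from_sid switches to the runtime `attr_uidnumber`/`attr_gidnumber` strings. If any use of the macros remains outside the visible hunks (a search filter, for instance), it would match on the SFU OID even when `winbind sfu support` is off and the read uses `uidNumber`, so the two directions of the mapping could disagree about which directory attribute carries the id. Either drop the macros or document them, e.g. `/* OID form, used only in <remaining call sites>; attribute names for reads come from attr_uidnumber/attr_gidnumber */`.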
@@ -53,6 +51,33 @@ NTSTATUS init_module(void);
static ADS_STRUCT *ad_idmap_ads = NULL;
static char *ad_idmap_uri = NULL;
+static char *attr_uidnumber = NULL;
+static char *attr_gidnumber = NULL;
+
+static BOOL ad_idmap_check_attr_mapping(ADS_STRUCT *ads)
+{
+ if (attr_uidnumber != NULL && attr_gidnumber != NULL) {
+ return True;
+ }
+
+ if (lp_winbind_sfu_support()) {
+
+ if (!ads_check_sfu_mapping(ads)) {
+ DEBUG(0,("ad_idmap_check_attr_mapping: failed to check for SFU schema\n"));
+ return False;
+ }
+
+ attr_uidnumber = SMB_STRDUP(ads->schema.sfu_uidnumber_attr);
+ attr_gidnumber = SMB_STRDUP(ads->schema.sfu_gidnumber_attr);
+
+ } else {
+ attr_uidnumber = SMB_STRDUP("uidNumber");
+ attr_gidnumber = SMB_STRDUP("gidNumber");
+ }
+
+ return True;
+}
+
static ADS_STRUCT *ad_idmap_cached_connection(void)
{
ADS_STRUCT *ads;
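Review bot: ad_idmap_check_attr_mapping() returns True without checking either `SMB_STRDUP` result, so an allocation failure leaves `attr_uidnumber` or `attr_gidnumber` NULL and still reports success. The later hunk in ad_idmap_get_id_from_sid then passes that NULL to ads_pull_uint32() and to a `%s` in DEBUG, and because the guard at the top needs both pointers set, the next call duplicates both strings again and leaks the one that did succeed. Whether ads_check_sfu_mapping() guarantees non-NULL `ads->schema.sfu_*_attr` on success is not visible here; if it does not, the source strings need the same check before they are duplicated. Since these names decide which directory attribute supplies a uid or gid, the function should fail closed, as sketched below. The hunk ends inside ad_idmap_cached_connection, whose body continues outside it.

```c
	/* … unchanged: early return, SFU schema check and the SMB_STRDUP assignments … */

	if (attr_uidnumber == NULL || attr_gidnumber == NULL) {
		DEBUG(0,("ad_idmap_check_attr_mapping: out of memory\n"));
		/* drop a half-initialised pair so the next call starts clean */
		SAFE_FREE(attr_uidnumber);
		SAFE_FREE(attr_gidnumber);
		return False;
	}

	return True;
```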
@@ -130,6 +155,11 @@ static ADS_STRUCT *ad_idmap_cached_connection(void)
ads->is_mine = False;
+ if (!ad_idmap_check_attr_mapping(ads)) {
+ DEBUG(1, ("ad_idmap_init: failed to check attribute mapping\n"));
+ return NULL;
+ }
+
ad_idmap_ads = ads;
return ads;
}
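Review bot: The new failure path returns NULL without releasing `ads`, which at this point is a local that has not yet been stored in `ad_idmap_ads`. How the handle was obtained is above the hunk, but if it holds a live connection, every failed attribute check drops it and each retry would open another one. Tear it down before returning, e.g. `ads_destroy(&ads);` ahead of `return NULL;`, and confirm how the `ads->is_mine = False` set just above affects that teardown. The DEBUG text also says `ad_idmap_init` although the enclosing function is ad_idmap_cached_connection, which makes the log line harder to trace.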
@@ -300,9 +330,9 @@ static NTSTATUS ad_idmap_get_id_from_sid(unid_t *unid, int *id_type, const DOM_S
break;
}
- if (!ads_pull_uint32(ads, msg, (*id_type == ID_GROUPID) ? ATTR_GIDNUMBER : ATTR_UIDNUMBER, &uid)) {
+ if (!ads_pull_uint32(ads, msg, (*id_type == ID_GROUPID) ? attr_gidnumber : attr_uidnumber, &uid)) {
DEBUG(1, ("ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute '%s'\n",
- (*id_type == ID_GROUPID) ? ATTR_GIDNUMBER : ATTR_UIDNUMBER));
+ (*id_type == ID_GROUPID) ? attr_gidnumber : attr_uidnumber));
goto done;
}
@@ -341,6 +371,9 @@ static NTSTATUS ad_idmap_close(void)
ad_idmap_ads = NULL;
}
+ SAFE_FREE(attr_uidnumber);
+ SAFE_FREE(attr_gidnumber);
+
return NT_STATUS_OK;
}