summaryrefslogtreecommitdiff
path: root/source3/utils
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2003-07-04 13:29:42 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-07-04 13:29:42 +0000
commit4168d61fb22e19a248a6c3d3ad43e2f73e37fc6a (patch)
tree01be3640a7c53378fb4a2edf69ecd4c3306db83f /source3/utils
parentcd6687673a2d741c32997c8d3ce1df8bc61915fa (diff)
downloadsamba-4168d61fb22e19a248a6c3d3ad43e2f73e37fc6a.tar.gz
samba-4168d61fb22e19a248a6c3d3ad43e2f73e37fc6a.tar.bz2
samba-4168d61fb22e19a248a6c3d3ad43e2f73e37fc6a.zip
This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
Diffstat (limited to 'source3/utils')
-rw-r--r--source3/utils/pdbedit.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
index 3fa2751347..5b702f7591 100644
--- a/source3/utils/pdbedit.c
+++ b/source3/utils/pdbedit.c
@@ -606,6 +606,12 @@ int main (int argc, char **argv)
exit(1);
}
+ /* Initialise the password backed before idmap and the global_sam_sid
+ to ensure that we fetch from ldap before we make a domain sid up */
+
+ if(!initialize_password_db(False))
+ exit(1);
+
if (!init_names())
exit(1);