authorChristian Ambach <ambi@samba.org>2012-05-07 14:19:26 +0200
committerChristian Ambach <ambi@samba.org>2012-05-08 09:26:07 +0200
commit2997f2fe807cde8d22eaf4f253f9a64a8aca833a (patch)
tree895c7b8b63382e38ac5a1fe94d95b8859dec2105 /source3/winbindd/idmap_autorid.c
parent6bda0f6f88d381c93d1a46b46ad7fce7bed2d2de (diff)
s3:winbindd/autorid add support for read-only mode
make it possible to set read-only = yes for the backend so users can replicate an autorid.tdb to another server to use the same mappings without risking that updates are done on both sides
Diffstat (limited to 'source3/winbindd/idmap_autorid.c')
-rw-r--r--source3/winbindd/idmap_autorid.c44
1 files changed, 38 insertions, 6 deletions
diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
index 554a033512..d3b38bd398 100644
--- a/source3/winbindd/idmap_autorid.c
+++ b/source3/winbindd/idmap_autorid.c
@@ -135,17 +135,22 @@ error:
}
-static NTSTATUS idmap_autorid_get_domainrange(struct autorid_domain_config *dom)
+static NTSTATUS idmap_autorid_get_domainrange(struct autorid_domain_config *dom,
+ bool read_only)
{
NTSTATUS ret;
/*
* try to find mapping without locking the database,
- * if it is not found create a mapping in a transaction
+ * if it is not found create a mapping in a transaction unless
+ * read-only mode has been set
*/
ret = dbwrap_fetch_uint32(autorid_db, dom->sid, &(dom->domainnum));
- if (!NT_STATUS_IS_OK(ret)) {;
+ if (!NT_STATUS_IS_OK(ret)) {
+ if (read_only) {
+ return NT_STATUS_NOT_FOUND;
+ }
ret = dbwrap_trans_do(autorid_db,
idmap_autorid_get_domainrange_action, dom);
}
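Review bot: In read-only mode the new `if (read_only)` branch turns every failure of `dbwrap_fetch_uint32()` into `NT_STATUS_NOT_FOUND`, not only a missing key, so a database read error on a replica becomes indistinguishable from "no range assigned yet". The `idmap_autorid_sids_to_unixids` hunk further down then treats that status as a normal skip and logs it at level 10 only. Returning the fetch status unchanged keeps real errors visible, `if (read_only) { return ret; }`, assuming the fetch already reports a missing key as `NT_STATUS_NOT_FOUND` (not visible here). The function body continues past the end of the hunk.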
@@ -171,6 +176,12 @@ static NTSTATUS idmap_autorid_allocate_id(struct idmap_domain *dom,
globalcfg = talloc_get_type(commoncfg->private_data,
struct autorid_global_config);
+ if (dom->read_only) {
+ DEBUG(3, ("Backend is read-only, refusing "
+ "new allocation request\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
/* fetch the range for the allocation pool */
ZERO_STRUCT(domaincfg);
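Review bot: The read-only refusal returns `NT_STATUS_UNSUCCESSFUL`, which a caller cannot tell apart from a real backend failure. A comment on the return saying that this is the expected answer on a read-only replica, or a more specific status, would help whoever reads the logs. After this early return `dom->read_only` is always false by the time the next hunk passes it to `idmap_autorid_get_domainrange()`, so that argument is there for uniformity only; a comment such as `/* read_only is always false here, see the check above */` would say so. The function starts and ends outside the hunk.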
@@ -178,7 +189,7 @@ static NTSTATUS idmap_autorid_allocate_id(struct idmap_domain *dom,
domaincfg.globalcfg = globalcfg;
fstrcpy(domaincfg.sid, ALLOC_RANGE);
- ret = idmap_autorid_get_domainrange(&domaincfg);
+ ret = idmap_autorid_get_domainrange(&domaincfg, dom->read_only);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(3, ("Could not determine range for allocation pool, "
@@ -413,6 +424,12 @@ static NTSTATUS idmap_autorid_map_sid_to_id(struct idmap_domain *dom,
return ret;
}
+ if (dom->read_only) {
+ DEBUG(3, ("Not allocating new mapping for %s, because backend "
+ "is read-only\n", sid_string_dbg(map->sid)));
+ return NT_STATUS_NONE_MAPPED;
+ }
+
DEBUG(10, ("Creating new mapping in pool for %s\n",
sid_string_dbg(map->sid)));
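Review bot: The read-only return does not set `map->status`, at least not within the hunk, so the entry keeps whatever status the caller handed in. The `idmap_autorid_sids_to_unixids` hunk below now counts a result only when `ids[i]->status == ID_MAPPED`, and its new `continue` for a missing domain range leaves the status untouched as well, so both paths rely on the status having been initialised elsewhere. If that is not guaranteed, set it explicitly before returning: `map->status = ID_UNMAPPED;`. The function starts and ends outside the hunk.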
@@ -501,7 +518,9 @@ static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom,
goto failure;
}
- num_mapped++;
+ if (ids[i]->status == ID_MAPPED) {
+ num_mapped++;
+ }
continue;
}
@@ -521,7 +540,16 @@ static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom,
domaincfg.globalcfg = global;
sid_to_fstring(domaincfg.sid, &domainsid);
- ret = idmap_autorid_get_domainrange(&domaincfg);
+ ret = idmap_autorid_get_domainrange(&domaincfg, dom->read_only);
+
+ /* read-only mode and a new domain range would be required? */
+ if (NT_STATUS_EQUAL(ret, NT_STATUS_NOT_FOUND) &&
+ dom->read_only) {
+ DEBUG(10, ("read-only is enabled, did not allocate "
+ "new range for domain %s\n",
+ sid_string_dbg(&domainsid)));
+ continue;
+ }
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(3, ("Could not determine range for domain, "
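Review bot: The skip for a domain without a range is logged with `DEBUG(10, ...)` while the other read-only refusals added by this commit use level 3, so an administrator chasing unmapped SIDs on a replica will not see it at the usual log level. Using the same level here, `DEBUG(3, ("read-only is enabled, did not allocate "`, would keep the refusals consistent. A short comment above the `continue` stating that the SID is intentionally left unmapped would also help. The loop this sits in starts and ends outside the hunk.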
@@ -698,6 +726,10 @@ static NTSTATUS idmap_autorid_preallocate_wellknown(struct idmap_domain *dom)
int i, num;
NTSTATUS status;
+ if (dom->read_only) {
+ return NT_STATUS_OK;
+ }
+
num = sizeof(groups)/sizeof(char*);
maps = talloc_zero_array(talloc_tos(), struct id_map*, num+1);