-rw-r--r-- | examples/LDAP/samba.schema | 12 | ||||
-rw-r--r-- | source3/passdb/pdb_ldap.c | 62 |
2 files changed, 56 insertions, 18 deletions
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index f9475f07ea..3a620b9a59 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -119,6 +119,16 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid'
 EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + +## +## Primary group SID, compatible with ntSid +## + +attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'primaryGroupSID' + DESC 'Primary Group Security ID' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + ## ## group mapping attributes ##
@@ -168,7 +178,7 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
 MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ - description $ userWorkstations $ primaryGroupID $ domain )) + description $ userWorkstations $ primaryGroupSID $ domain )) ############################################################################ ##
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index e9c6093e26..53fefd6336 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -164,7 +164,7 @@ static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
 "smbHome", "scriptPath", "profilePath", "description", "userWorkstations", "rid", "ntSid", - "primaryGroupID", "lmPassword", + "primaryGroupID", "primaryGroupSid", "lmPassword", "ntPassword", "acctFlags", "domain", "objectClass", "uidNumber", "gidNumber", 
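Review bot: The sambaAccount MAY list now drops `primaryGroupID` in favour of `primaryGroupSID`, yet pdb_ldap.c in this same commit still reads and writes `primaryGroupID` whenever use_ntsid is off (the `get_single_attribute(..., "primaryGroupID", temp)` read in init_sam_from_ldap and the `make_ldap_mod(..., "primaryGroupID", temp)` write in init_ldap_from_sam), so a server with schema checking enabled would refuse those writes for the RID-only configuration. Keep both attributes optional until the RID form is actually retired: `description $ userWorkstations $ primaryGroupID $ primaryGroupSID $ domain ))`. The objectclass definition starts before this hunk, so its MUST list could not be checked here.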
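Review bot: The new attribute is spelled `primaryGroupSid` in this attr[] list, in the read path of init_sam_from_ldap, in the write path of init_ldap_from_sam and in ldapsam_delete_sam_account's attribute list, while the schema added by the same commit defines it as `primaryGroupSID`. LDAP attribute type names are matched case-insensitively, so the server will accept either, but a grep for one spelling misses the other and future readers will wonder whether two attributes are meant. Use the schema's spelling everywhere, starting here with `"primaryGroupID", "primaryGroupSID", "lmPassword",`. The attr[] initializer starts before this hunk.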
@@ -1667,11 +1667,31 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
 if (get_single_attribute(ldap_state->ldap_struct, entry, "ntSid", temp)) {
 pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
 }
+ if (get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupSid", temp)) {
+ pdb_set_group_sid_from_string(sampass, temp, PDB_SET);
+ } else {
+ pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+ }
 } else {
 if (get_single_attribute(ldap_state->ldap_struct, entry, "rid", temp)) {
 user_rid = (uint32)atol(temp);
 pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
 }
+ if (get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
+ uint32 group_rid;
+ group_rid = (uint32)atol(temp);
+
+ if (group_rid > 0) {
+ /* for some reason, we often have 0 as a primary group RID.
+ Make sure that we treat this just as a 'default' value
+ */
+ pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
+ } else {
+ pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+ }
+ } else {
+ pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+ }
 }
 
 if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
@@ -1679,14 +1699,6 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
 return False;
 }
 
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
- pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
- } else {
- uint32 group_rid;
- group_rid = (uint32)atol(temp);
- pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
- }
-
 /*
 * If so configured, try and get the values from LDAP
 */
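Review bot: `group_rid = (uint32)atol(temp);` accepts any string the directory returns: a non-numeric primaryGroupID silently becomes 0 and is then treated as "default", a negative value wraps to a very large RID, and an out-of-range value is undefined behaviour for atol, so a malformed entry either hides a data problem or produces a primary group SID nobody ever wrote. Parsing with strtoul plus an end-pointer check, logging the bad value and only then falling back to the default, keeps the intended "treat 0 as default" behaviour while making corrupt values visible; the `user_rid = (uint32)atol(temp);` line above is pre-existing and has the same weakness. In the ntSid branch the result of `pdb_set_group_sid_from_string` is discarded; if that call can report an unparsable SID string, the failure should also fall back to the default rather than leave the group SID unset. The function continues outside this hunk, and `errno` needs `<errno.h>` if the file's existing includes do not already provide it.
```c
		if (get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
			uint32 group_rid;
			unsigned long parsed;
			char *end = NULL;

			errno = 0;
			parsed = strtoul(temp, &end, 10);
			/* a value that is present but not a decimal RID is logged, not silently mapped to 0 */
			if (end == temp || *end != '\0' || errno == ERANGE || parsed > 0xffffffffUL) {
				DEBUG(1, ("primaryGroupID '%s' is not a valid RID, using the default group\n", temp));
				parsed = 0;
			}
			group_rid = (uint32)parsed;

			if (group_rid > 0) {
			/* … unchanged: PDB_SET / PDB_DEFAULT selection and the else branches … */
```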
@@ -1952,15 +1964,16 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, if (need_update(sampass, PDB_USERSID)) { fstring sid_string; fstring dom_sid_string; - const DOM_SID *user_sid; - user_sid = pdb_get_user_sid(sampass); + const DOM_SID *user_sid = pdb_get_user_sid(sampass); if (ldap_state->use_ntsid) { make_ldap_mod(ldap_state->ldap_struct, existing, mods, "ntSid", sid_to_string(sid_string, user_sid)); } else { if (!sid_peek_check_rid(get_global_sam_sid(), user_sid, &rid)) { - DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", sid_to_string(sid_string, user_sid), sid_to_string(dom_sid_string, get_global_sam_sid()))); + DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", + sid_to_string(sid_string, user_sid), + sid_to_string(dom_sid_string, get_global_sam_sid()))); return False; } slprintf(temp, sizeof(temp) - 1, "%i", rid); 
@@ -1974,10 +1987,24 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, 'free' to hang off the unix primary group makes life easier */ if (need_update(sampass, PDB_GROUPSID)) { - rid = pdb_get_group_rid(sampass); - slprintf(temp, sizeof(temp) - 1, "%i", rid); - make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "primaryGroupID", temp); + fstring sid_string; + fstring dom_sid_string; + const DOM_SID *group_sid = pdb_get_group_sid(sampass); + + if (ldap_state->use_ntsid) { + make_ldap_mod(ldap_state->ldap_struct, existing, mods, + "primaryGroupSid", sid_to_string(sid_string, group_sid)); + } else { + if (!sid_peek_check_rid(get_global_sam_sid(), group_sid, &rid)) { + DEBUG(1, ("User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n", + sid_to_string(sid_string, group_sid), + sid_to_string(dom_sid_string, get_global_sam_sid()))); + return False; + } + slprintf(temp, sizeof(temp) - 1, "%i", rid); + make_ldap_mod(ldap_state->ldap_struct, existing, mods, + "primaryGroupID", temp); + } } /* displayName, cn, and gecos should all be the same @@ -2389,7 +2416,8 @@ static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_A { "lmPassword", "ntPassword", "pwdLastSet", "logonTime", "logoffTime", "kickoffTime", "pwdCanChange", "pwdMustChange", "acctFlags", "displayName", "smbHome", "homeDrive", "scriptPath", "profilePath", - "userWorkstations", "primaryGroupID", "domain", "rid", "ntSid", NULL }; + "userWorkstations", "primaryGroupID", "primaryGroupSid", "domain", + "rid", "ntSid", NULL }; if (!sam_acct) { DEBUG(0, ("sam_acct was NULL!\n")); |
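Review bot: The new RID branch formats `rid` with `"%i"` right after `sid_peek_check_rid(get_global_sam_sid(), group_sid, &rid)` fills it; `rid` is declared outside this hunk, but if it is the uint32 that the (uint32) casts in init_sam_from_ldap suggest, `%i` is the wrong conversion and RIDs at or above 2^31 are stored as negative numbers. `slprintf(temp, sizeof(temp) - 1, "%u", (unsigned int)rid);` avoids that (the PDB_USERSID block in the previous hunk carries the same pre-existing line). The block is otherwise a near copy of the PDB_USERSID block, differing only in the SID getter, the two attribute names and the log prefix; a small static helper taking those as parameters would keep the domain check and its error message in one place instead of two. The comment above the block still describes only the RID form; when use_ntsid is set the full SID is written to primaryGroupSid and no domain check applies, which is worth stating there.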