summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--examples/LDAP/samba.schema12
-rw-r--r--source3/passdb/pdb_ldap.c62
2 files changed, 56 insertions, 18 deletions
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index f9475f07ea..3a620b9a59 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -119,6 +119,16 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+
+##
+## Primary group SID, compatible with ntSid
+##
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'primaryGroupSID'
+ DESC 'Primary Group Security ID'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+
##
## group mapping attributes
##
@@ -168,7 +178,7 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
- description $ userWorkstations $ primaryGroupID $ domain ))
+ description $ userWorkstations $ primaryGroupSID $ domain ))
############################################################################
##
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index e9c6093e26..53fefd6336 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -164,7 +164,7 @@ static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
"smbHome", "scriptPath",
"profilePath", "description",
"userWorkstations", "rid", "ntSid",
- "primaryGroupID", "lmPassword",
+ "primaryGroupID", "primaryGroupSid", "lmPassword",
"ntPassword", "acctFlags",
"domain", "objectClass",
"uidNumber", "gidNumber",
@@ -1667,11 +1667,31 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
if (get_single_attribute(ldap_state->ldap_struct, entry, "ntSid", temp)) {
pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
}
+ if (get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupSid", temp)) {
+ pdb_set_group_sid_from_string(sampass, temp, PDB_SET);
+ } else {
+ pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+ }
} else {
if (get_single_attribute(ldap_state->ldap_struct, entry, "rid", temp)) {
user_rid = (uint32)atol(temp);
pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
}
+ if (get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
+ uint32 group_rid;
+ group_rid = (uint32)atol(temp);
+
+ if (group_rid > 0) {
+ /* for some reason, we often have 0 as a primary group RID.
+ Make sure that we treat this just as a 'default' value
+ */
+ pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
+ } else {
+ pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+ }
+ } else {
+ pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+ }
}
if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
@@ -1679,14 +1699,6 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
return False;
}
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
- pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
- } else {
- uint32 group_rid;
- group_rid = (uint32)atol(temp);
- pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
- }
-
/*
* If so configured, try and get the values from LDAP
*/
@@ -1952,15 +1964,16 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
if (need_update(sampass, PDB_USERSID)) {
fstring sid_string;
fstring dom_sid_string;
- const DOM_SID *user_sid;
- user_sid = pdb_get_user_sid(sampass);
+ const DOM_SID *user_sid = pdb_get_user_sid(sampass);
if (ldap_state->use_ntsid) {
make_ldap_mod(ldap_state->ldap_struct, existing, mods,
"ntSid", sid_to_string(sid_string, user_sid));
} else {
if (!sid_peek_check_rid(get_global_sam_sid(), user_sid, &rid)) {
- DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", sid_to_string(sid_string, user_sid), sid_to_string(dom_sid_string, get_global_sam_sid())));
+ DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
+ sid_to_string(sid_string, user_sid),
+ sid_to_string(dom_sid_string, get_global_sam_sid())));
return False;
}
slprintf(temp, sizeof(temp) - 1, "%i", rid);
@@ -1974,10 +1987,24 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
'free' to hang off the unix primary group makes life easier */
if (need_update(sampass, PDB_GROUPSID)) {
- rid = pdb_get_group_rid(sampass);
- slprintf(temp, sizeof(temp) - 1, "%i", rid);
- make_ldap_mod(ldap_state->ldap_struct, existing, mods,
- "primaryGroupID", temp);
+ fstring sid_string;
+ fstring dom_sid_string;
+ const DOM_SID *group_sid = pdb_get_group_sid(sampass);
+
+ if (ldap_state->use_ntsid) {
+ make_ldap_mod(ldap_state->ldap_struct, existing, mods,
+ "primaryGroupSid", sid_to_string(sid_string, group_sid));
+ } else {
+ if (!sid_peek_check_rid(get_global_sam_sid(), group_sid, &rid)) {
+ DEBUG(1, ("User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
+ sid_to_string(sid_string, group_sid),
+ sid_to_string(dom_sid_string, get_global_sam_sid())));
+ return False;
+ }
+ slprintf(temp, sizeof(temp) - 1, "%i", rid);
+ make_ldap_mod(ldap_state->ldap_struct, existing, mods,
+ "primaryGroupID", temp);
+ }
}
/* displayName, cn, and gecos should all be the same
@@ -2389,7 +2416,8 @@ static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_A
{ "lmPassword", "ntPassword", "pwdLastSet", "logonTime", "logoffTime",
"kickoffTime", "pwdCanChange", "pwdMustChange", "acctFlags",
"displayName", "smbHome", "homeDrive", "scriptPath", "profilePath",
- "userWorkstations", "primaryGroupID", "domain", "rid", "ntSid", NULL };
+ "userWorkstations", "primaryGroupID", "primaryGroupSid", "domain",
+ "rid", "ntSid", NULL };
if (!sam_acct) {
DEBUG(0, ("sam_acct was NULL!\n"));