-rw-r--r-- | source4/scripting/python/samba/provision/__init__.py | 6 | ||||
-rw-r--r-- | source4/scripting/python/samba/upgrade.py | 2 | ||||
-rw-r--r-- | source4/winbind/idmap.c | 65 |
3 files changed, 51 insertions, 22 deletions
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index e0e5e4b6f7..c95db4e639 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -1604,7 +1604,8 @@ def provision(logger, session_info, credentials, smbconf=None, backend_type=None, sitename=None, ol_mmr_urls=None, ol_olc=None, slapd_path="/bin/false", useeadb=False, am_rodc=False,
- lp=None, use_ntvfs=False):
+ lp=None, use_ntvfs=False,
+ use_rfc2307=False):
 """Provision samba4 :note: caution, this wipes all existing data!
@@ -1648,6 +1649,9 @@ def provision(logger, session_info, credentials, smbconf=None, server_services = [] global_param = {}
+ if use_rfc2307:
+ global_param["idmap_ldb:use rfc2307"] = ["yes"]
+
 if dns_backend == "SAMBA_INTERNAL": server_services.append("+dns")
diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index 09a52c182c..3ef79ed646 100644
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -702,7 +702,7 @@ Please fix this account before attempting to upgrade again dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003, hostname=netbiosname.lower(), machinepass=machinepass, serverrole=serverrole, samdb_fill=FILL_FULL,
- useeadb=useeadb, dns_backend=dns_backend)
+ useeadb=useeadb, dns_backend=dns_backend, use_rfc2307=True)
 result.report_logger(logger) # Import WINS database
diff --git a/source4/winbind/idmap.c b/source4/winbind/idmap.c
index af6f66af28..354507ca6f 100644
--- a/source4/winbind/idmap.c
+++ b/source4/winbind/idmap.c
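Review bot: The new `use_rfc2307` keyword is not described in the docstring that begins right after the changed signature lines (`"""Provision samba4`), and the parameter list it extends starts above the hunk. I would add an entry such as `:param use_rfc2307: if True, set "idmap_ldb:use rfc2307 = yes" (presumably in the generated smb.conf) so the winbind idmap module consults uidNumber/gidNumber`. In the @@ -1648 hunk, a one-line comment next to `global_param["idmap_ldb:use rfc2307"] = ["yes"]` should say that this key must match the `lpcfg_parm_bool(..., "idmap_ldb", "use rfc2307", ...)` lookup in source4/winbind/idmap.c, since nothing else ties the two literals together. provision()'s body continues outside both hunks.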
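Review bot: The upgrade path passes `use_rfc2307=True` unconditionally, so every upgraded domain will have winbind treat the uidNumber/gidNumber values carried over from the old directory as the SID-to-unix-ID mapping source, with no opt-out short of editing the configuration afterwards. That is presumably intended because the source domain already relied on those attributes, but the changed line deserves a comment stating it, e.g. `# upgraded domains keep their posix attributes authoritative for idmap`, and a parameter threaded through instead of the literal if callers could ever want otherwise. The enclosing function starts and ends outside the hunk.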
@@ -230,11 +230,20 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx, switch (unixid->type) { case ID_TYPE_UID:
- ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg, NULL, LDB_SCOPE_SUBTREE,
- sam_attrs, 0,
- "(&(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)(uidNumber=%u)(objectSid=*)"
- "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
- ATYPE_ACCOUNT, unixid->id);
+ if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) {
+ ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg,
+ ldb_get_default_basedn(idmap_ctx->samdb),
+ LDB_SCOPE_SUBTREE,
+ sam_attrs, 0,
+ "(&(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)"
+ "(uidNumber=%u)(objectSid=*)"
+ "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+ ATYPE_ACCOUNT, unixid->id);
+ } else {
+ /* If we are not to use the rfc2307 attributes, we just emulate a non-match */
+ ret = LDB_ERR_NO_SUCH_OBJECT;
+ }
+
 if (ret == LDB_ERR_CONSTRAINT_VIOLATION) { DEBUG(1, ("Search for uidNumber=%lu gave duplicate results, failing to map to a SID!\n", (unsigned long)unixid->id));
@@ -242,7 +251,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx, goto failed; } else if (ret == LDB_SUCCESS) { *sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
- if (*sid) {
+ if (*sid == NULL) {
 DEBUG(1, ("Search for uidNumber=%lu did not return an objectSid!\n", (unsigned long)unixid->id)); status = NT_STATUS_NONE_MAPPED; 
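Review bot: The `lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)` call and its `else { ret = LDB_ERR_NO_SUCH_OBJECT; }` fallback are copied verbatim three times — here, in the ID_TYPE_GID arm (@@ -260) and in idmap_sid_to_xid (@@ -418) — so a typo in one copy of the option name would silently disable rfc2307 mapping in that path alone, and the explanatory comment is duplicated with it. A single static helper, e.g. `static bool idmap_use_rfc2307(struct idmap_context *ctx) { return lpcfg_parm_bool(ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false); }`, would keep the three sites in step. The search base also changes from NULL to `ldb_get_default_basedn(idmap_ctx->samdb)`; a short comment on why the default partition is the intended scope would help the next reader, since the hunk does not say. idmap_xid_to_sid starts before and ends after these hunks.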
@@ -260,11 +269,19 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx, id_type = "ID_TYPE_UID"; break; case ID_TYPE_GID:
- ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg, NULL, LDB_SCOPE_SUBTREE,
- sam_attrs, 0,
- "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u)"
- "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
- ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP, unixid->id);
+ if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) {
+ ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg,
+ ldb_get_default_basedn(idmap_ctx->samdb),
+ LDB_SCOPE_SUBTREE,
+ sam_attrs, 0,
+ "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u)"
+ "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+ ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP,
+ unixid->id);
+ } else {
+ /* If we are not to use the rfc2307 attributes, we just emulate a non-match */
+ ret = LDB_ERR_NO_SUCH_OBJECT;
+ }
 if (ret == LDB_ERR_CONSTRAINT_VIOLATION) { DEBUG(1, ("Search for gidNumber=%lu gave duplicate results, failing to map to a SID!\n", (unsigned long)unixid->id));
@@ -272,7 +289,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx, goto failed; } else if (ret == LDB_SUCCESS) { *sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
- if (*sid) {
+ if (*sid == NULL) {
 DEBUG(1, ("Search for gidNumber=%lu did not return an objectSid!\n", (unsigned long)unixid->id)); status = NT_STATUS_NONE_MAPPED; 
@@ -418,14 +435,22 @@ static NTSTATUS idmap_sid_to_xid(struct idmap_context *idmap_ctx, * much like a winbindd member server running idmap_ad */
- ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &sam_msg, NULL, LDB_SCOPE_SUBTREE, sam_attrs, 0,
- "(&(objectSid=%s)"
- "(|(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)"
- "(sAMaccountType=%u)"
- "(sAMaccountType=%u))"
- "(|(uidNumber=*)(gidNumber=*))"
- "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
- dom_sid_string(tmp_ctx, sid), ATYPE_ACCOUNT, ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
+ if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) {
+ ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &sam_msg,
+ ldb_get_default_basedn(idmap_ctx->samdb),
+ LDB_SCOPE_SUBTREE, sam_attrs, 0,
+ "(&(objectSid=%s)"
+ "(|(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)"
+ "(sAMaccountType=%u)"
+ "(sAMaccountType=%u))"
+ "(|(uidNumber=*)(gidNumber=*))"
+ "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+ dom_sid_string(tmp_ctx, sid), ATYPE_ACCOUNT, ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
+ } else {
+ /* If we are not to use the rfc2307 attributes, we just emulate a non-match */
+ ret = LDB_ERR_NO_SUCH_OBJECT;
+ }
+
 if (ret == LDB_ERR_CONSTRAINT_VIOLATION) { DEBUG(1, ("Search for objectSid=%s gave duplicate results, failing to map to a unix ID!\n", dom_sid_string(tmp_ctx, sid))); |
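Review bot: With `use rfc2307` enabled, this search accepts any object under the default base DN whose objectSid matches and that carries a uidNumber or gidNumber plus a posixAccount/posixGroup objectClass, and the mirror searches in idmap_xid_to_sid (@@ -230, @@ -260) accept any such object with a matching uidNumber/gidNumber; write access to those attributes therefore directly decides SID-to-unix-ID mapping, which nothing in the code states. I would put above the `if (lpcfg_parm_bool(...))` line a comment such as `/* With "use rfc2307", uidNumber/gidNumber in the directory are authoritative for idmap: whoever can write them controls the mapping, so treat write access to them as identity-mapping control. */`. The `ret = LDB_ERR_NO_SUCH_OBJECT` emulation also relies on the branch that handles a genuine no-match, which lies below the hunk; idmap_sid_to_xid continues past the last line shown.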