From e9bd28d0a7b0fd667e52683013404dc4b1e03673 Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Fri, 7 Nov 2003 14:41:08 +0000
Subject: fix for bug 680 (heads up).

This gist is to map the UNIX entity foo to DOMAIN\foo instead of SERVER\foo on members of a Samba domain when all UNIX accounts are shared via NIS, et. al.
* allow winbindd to match local accounts to domain SID when 'winbind trusted domains only = yes'
* remove code in idmap_ldap that searches the user suffix and group suffix. It's not needed and provides inconsistent functionality from the tdb backend.
This has been tested. I'm still waiting on some more feedback but This needs to be in 3.0.1pre2 for widespread use.
(This used to be commit cac4723e206bd001882011c9e12327064d032268)
---
 source3/passdb/lookup_sid.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
(limited to 'source3/passdb')

diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index f84ff28db9..425c9b87f1 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -299,15 +299,20 @@ static void store_gid_sid_cache(const DOM_SID *psid, gid_t gid)
 NTSTATUS uid_to_sid(DOM_SID *psid, uid_t uid)
 {
- uid_t low, high;
 fstring sid;
+ uid_t low, high;
 ZERO_STRUCTP(psid);
 if (fetch_sid_from_uid_cache(psid, uid))
 return ( psid ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL );
- if (lp_idmap_uid(&low, &high) && uid >= low && uid <= high) {
+ /* DC's never use winbindd to resolve users outside the
+ defined idmap range */
+
+ if ( lp_server_role()==ROLE_DOMAIN_MEMBER
+ || (lp_idmap_uid(&low, &high) && uid >= low && uid <= high) )
+ {
 if (winbind_uid_to_sid(psid, uid)) {
 DEBUG(10,("uid_to_sid: winbindd %u -> %s\n",
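Review bot: The new comment in uid_to_sid talks about DCs, but the condition it documents keys on ROLE_DOMAIN_MEMBER: on a domain member every uid is now handed to winbindd regardless of the idmap range, while every other role keeps the range check, and the range check was the only thing that kept local-only ids such as uid 0 and system accounts away from winbindd. The comment should state that behaviour directly, e.g. `/* Domain members always ask winbindd (so local UNIX accounts can map to DOMAIN\foo); every other role only consults winbindd for ids inside the idmap range. */`. The same comment and condition appear in the gid_to_sid hunk and the same wording applies there. low and high are now assigned only on the non-member path, which is fine because they are only read inside that same clause. uid_to_sid's body continues past the end of the hunk.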
@@ -336,15 +341,20 @@ NTSTATUS uid_to_sid(DOM_SID *psid, uid_t uid)
 NTSTATUS gid_to_sid(DOM_SID *psid, gid_t gid)
 {
- gid_t low, high;
 fstring sid;
+ gid_t low, high;
 ZERO_STRUCTP(psid);
 if (fetch_sid_from_gid_cache(psid, gid))
 return ( psid ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL );
- if (lp_idmap_gid(&low, &high) && gid >= low && gid <= high) {
+ /* DC's never use winbindd to resolve groups outside the
+ defined idmap range */
+
+ if ( lp_server_role()==ROLE_DOMAIN_MEMBER
+ || (lp_idmap_gid(&low, &high) && gid >= low && gid <= high) )
+ {
 if (winbind_gid_to_sid(psid, gid)) {
 DEBUG(10,("gid_to_sid: winbindd %u -> %s\n",
@@ -458,7 +468,9 @@ NTSTATUS sid_to_gid(const DOM_SID *psid, gid_t *pgid)
 /* winbindd knows it; Ensure this is a group sid */
- if ((name_type != SID_NAME_DOM_GRP) && (name_type != SID_NAME_ALIAS) && (name_type != SID_NAME_WKN_GRP)) {
+ if ((name_type != SID_NAME_DOM_GRP) && (name_type != SID_NAME_ALIAS)
+ && (name_type != SID_NAME_WKN_GRP))
+ {
 DEBUG(10,("sid_to_gid: winbind lookup succeeded but SID is not a known group (%u)\n",
 (unsigned int)name_type ));
-- 
cgit