From 2997f2fe807cde8d22eaf4f253f9a64a8aca833a Mon Sep 17 00:00:00 2001 From: Christian Ambach Date: Mon, 7 May 2012 14:19:26 +0200 Subject: s3:winbindd/autorid add support for read-only mode make it possible to set read-only = yes for the backend so users can replicate an autorid.tdb to another server to use the same mappings without risking that updates are done on both sides --- source3/winbindd/idmap_autorid.c | 44 ++++++++++++++++++++++++++++++++++------ 1 file changed, 38 insertions(+), 6 deletions(-) (limited to 'source3/winbindd') diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c index 554a033512..d3b38bd398 100644 --- a/source3/winbindd/idmap_autorid.c +++ b/source3/winbindd/idmap_autorid.c @@ -135,17 +135,22 @@ error: } -static NTSTATUS idmap_autorid_get_domainrange(struct autorid_domain_config *dom) +static NTSTATUS idmap_autorid_get_domainrange(struct autorid_domain_config *dom, + bool read_only) { NTSTATUS ret; /* * try to find mapping without locking the database, - * if it is not found create a mapping in a transaction + * if it is not found create a mapping in a transaction unless + * read-only mode has been set */ ret = dbwrap_fetch_uint32(autorid_db, dom->sid, &(dom->domainnum)); - if (!NT_STATUS_IS_OK(ret)) {; + if (!NT_STATUS_IS_OK(ret)) { + if (read_only) { + return NT_STATUS_NOT_FOUND; + } ret = dbwrap_trans_do(autorid_db, idmap_autorid_get_domainrange_action, dom); } @@ -171,6 +176,12 @@ static NTSTATUS idmap_autorid_allocate_id(struct idmap_domain *dom, globalcfg = talloc_get_type(commoncfg->private_data, struct autorid_global_config); + if (dom->read_only) { + DEBUG(3, ("Backend is read-only, refusing " + "new allocation request\n")); + return NT_STATUS_UNSUCCESSFUL; + } + /* fetch the range for the allocation pool */ ZERO_STRUCT(domaincfg); @@ -178,7 +189,7 @@ static NTSTATUS idmap_autorid_allocate_id(struct idmap_domain *dom, domaincfg.globalcfg = globalcfg; fstrcpy(domaincfg.sid, ALLOC_RANGE); - ret = idmap_autorid_get_domainrange(&domaincfg); + ret = idmap_autorid_get_domainrange(&domaincfg, dom->read_only); if (!NT_STATUS_IS_OK(ret)) { DEBUG(3, ("Could not determine range for allocation pool, " @@ -413,6 +424,12 @@ static NTSTATUS idmap_autorid_map_sid_to_id(struct idmap_domain *dom, return ret; } + if (dom->read_only) { + DEBUG(3, ("Not allocating new mapping for %s, because backend " + "is read-only\n", sid_string_dbg(map->sid))); + return NT_STATUS_NONE_MAPPED; + } + DEBUG(10, ("Creating new mapping in pool for %s\n", sid_string_dbg(map->sid))); @@ -501,7 +518,9 @@ static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom, goto failure; } - num_mapped++; + if (ids[i]->status == ID_MAPPED) { + num_mapped++; + } continue; } @@ -521,7 +540,16 @@ static NTSTATUS idmap_autorid_sids_to_unixids(struct idmap_domain *dom, domaincfg.globalcfg = global; sid_to_fstring(domaincfg.sid, &domainsid); - ret = idmap_autorid_get_domainrange(&domaincfg); + ret = idmap_autorid_get_domainrange(&domaincfg, dom->read_only); + + /* read-only mode and a new domain range would be required? */ + if (NT_STATUS_EQUAL(ret, NT_STATUS_NOT_FOUND) && + dom->read_only) { + DEBUG(10, ("read-only is enabled, did not allocate " + "new range for domain %s\n", + sid_string_dbg(&domainsid))); + continue; + } if (!NT_STATUS_IS_OK(ret)) { DEBUG(3, ("Could not determine range for domain, " @@ -698,6 +726,10 @@ static NTSTATUS idmap_autorid_preallocate_wellknown(struct idmap_domain *dom) int i, num; NTSTATUS status; + if (dom->read_only) { + return NT_STATUS_OK; + } + num = sizeof(groups)/sizeof(char*); maps = talloc_zero_array(talloc_tos(), struct id_map*, num+1); -- cgit