svn commit: samba r13680 - in trunk/source/passdb: .
idra at samba.org
idra at samba.org
Fri Feb 24 21:50:42 GMT 2006
Author: idra
Date: 2006-02-24 21:50:41 +0000 (Fri, 24 Feb 2006)
New Revision: 13680
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13680
Log:
Initial work toward a scriptless working ldap setup
This add a create users to ldapsam that is called
instead of the add user and add machine scripts if
both ldapsam:trusted=yes and ldapsam:editposix=yes
are set.
Simo
Modified:
trunk/source/passdb/pdb_ldap.c
Changeset:
Modified: trunk/source/passdb/pdb_ldap.c
===================================================================
--- trunk/source/passdb/pdb_ldap.c 2006-02-24 21:36:40 UTC (rev 13679)
+++ trunk/source/passdb/pdb_ldap.c 2006-02-24 21:50:41 UTC (rev 13680)
@@ -4524,6 +4524,220 @@
return ret;
}
+/*
+ * This function is called only if ldapsam:trusted
+ * and ldapsam:editposix are set to true
+ *
+ * It creates a new posixAccount and sambaSamAccount
+ * object in the ldap users subtree
+ *
+ * The uid is allocated by winbindd.
+ */
+
+static NTSTATUS ldapsam_create_user(struct pdb_methods *my_methods,
+ TALLOC_CTX *tmp_ctx, const char *name,
+ uint32 acb_info, uint32 *rid)
+{
+ struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
+ NTSTATUS ret;
+ LDAPMessage *entry = NULL;
+ LDAPMessage *result = NULL;
+ uint32 num_result;
+ pstring filter;
+ fstring str;
+ BOOL is_machine = False;
+ BOOL is_new_entry = False;
+ LDAPMod **mods = NULL;
+ char *groupsidstr;
+ char *usersidstr;
+ char *actflags;
+ char *username;
+ char *homedir;
+ char *gidstr;
+ char *uidstr;
+ char *shell;
+ char *dn = NULL;
+ DOM_SID group_sid;
+ DOM_SID user_sid;
+ gid_t gid = -1;
+ uid_t uid = -1;
+ int rc;
+
+ if ((acb_info & ACB_NORMAL) && name[strlen(name)-1] == '$') {
+ is_machine = True;
+ }
+
+ username = escape_ldap_string_alloc(name);
+ pstrcpy(filter, "(uid=%u)");
+ all_string_sub(filter, "%u", username, sizeof(filter));
+ SAFE_FREE(username);
+
+ rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, &result);
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("ldapsam_create_user: ldap search failed!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
+
+ if (num_result > 1) {
+ DEBUG (0, ("ldapsam_create_user: More than one user with that username exists: bailing out!\n"));
+ ldap_msgfree(result);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (num_result == 1) {
+ GROUP_MAP map;
+ char *tmp;
+
+ /* check if it is just a posix account.
+ * or if there is a sid attached to this entry
+ */
+
+ entry = ldap_first_entry(priv2ld(ldap_state), result);
+ if (!entry) {
+ ldap_msgfree(result);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (!smbldap_get_single_attribute(priv2ld(ldap_state), entry, "sambaSID", str, sizeof(str)-1)) {
+ DEBUG (1, ("ldapsam_create_user: The user [%s] already exist!\n", name));
+ ldap_msgfree(result);
+ return NT_STATUS_USER_EXISTS;
+ }
+
+ /* it is just a posix account, retrieve the user_sid and group_sid for later use */
+ if (!smbldap_get_single_attribute(priv2ld(ldap_state), entry, "gidNumber", str, sizeof(str)-1)) {
+ DEBUG (1, ("ldapsam_create_user: Couldn't retrieve the gidNumber for [%s]?!?!\n", name));
+ ldap_msgfree(result);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ gid = strtoul(str, NULL, 10);
+
+ if (!NT_STATUS_IS_OK((ret = ldapsam_getgrgid(my_methods, &map, gid)))) {
+ DEBUG(1, ("ldapsam_create_user: User's primary group is not mapped! Fail.\n"));
+ ldap_msgfree(result);
+ return ret;
+ }
+
+ sid_copy(&group_sid, &map.sid);
+
+ tmp = smbldap_get_dn(priv2ld(ldap_state), entry);
+ if (!tmp) {
+ DEBUG(1, ("ldapsam_create_user: Couldn't retrieve the DN for [%s]?!?!\n", name));
+ ldap_msgfree(result);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ dn = talloc_strdup(tmp_ctx, tmp);
+ SAFE_FREE(tmp);
+ if (!dn) {
+ DEBUG(0,("ldapsam_create_user: Out of memory!\n"));
+ ldap_msgfree(result);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ ldap_msgfree(result);
+
+ if (num_result == 0) {
+ DEBUG(3,("ldapsam_create_user: Creating new posix user\n"));
+
+ is_new_entry = True;
+
+ /* retrieve the Domain Users group gid */
+ if (!sid_compose(&group_sid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS) ||
+ !sid_to_gid(&group_sid, &gid)) {
+ DEBUG (0, ("ldapsam_create_user: Unable to get the Domain Users gid: bailing out!\n"));
+ return NT_STATUS_INVALID_PRIMARY_GROUP;
+ }
+
+ /* lets allocate a new userid for this user */
+ if (!winbind_allocate_uid(&uid)) {
+ DEBUG (0, ("ldapsam_create_user: Unable to allocate a new user id: bailing out!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+
+ if (is_machine) {
+ /* TODO: choose a more appropriate default for machines */
+ homedir = talloc_sub_specified(tmp_ctx, lp_template_homedir(), "SMB_workstations_home", ldap_state->domain_name, uid, gid);
+ shell = talloc_strdup(tmp_ctx, "/bin/false");
+ } else {
+ homedir = talloc_sub_specified(tmp_ctx, lp_template_homedir(), name, ldap_state->domain_name, uid, gid);
+ shell = talloc_sub_specified(tmp_ctx, lp_template_shell(), name, ldap_state->domain_name, uid, gid);
+ }
+ uidstr = talloc_asprintf(tmp_ctx, "%d", uid);
+ gidstr = talloc_asprintf(tmp_ctx, "%d", gid);
+ if (is_machine) {
+ dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", name, lp_ldap_machine_suffix ());
+ } else {
+ dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", name, lp_ldap_user_suffix ());
+ }
+
+ if (!homedir || !shell || !uidstr || !gidstr || !dn) {
+ DEBUG (0, ("ldapsam_create_user: Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_ACCOUNT);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_POSIXACCOUNT);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", homedir);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
+ }
+
+ if (!NT_STATUS_IS_OK((ret = ldapsam_get_new_rid(ldap_state, rid)))) {
+ DEBUG(1, ("ldapsam_create_user: Could not allocate a new RID\n"));
+ return ret;
+ }
+
+ sid_copy(&user_sid, get_global_sam_sid());
+ sid_append_rid(&user_sid, *rid);
+
+ sid_to_string(str, &group_sid);
+ groupsidstr = talloc_strdup(tmp_ctx, str);
+ sid_to_string(str, &user_sid);
+ usersidstr = talloc_strdup(tmp_ctx, str);
+
+ if (is_machine) {
+ actflags = talloc_strdup(tmp_ctx, pdb_encode_acct_ctrl(ACB_WSTRUST & ACB_DISABLED, NEW_PW_FORMAT_SPACE_PADDED_LEN));
+ } else {
+ actflags = talloc_strdup(tmp_ctx, pdb_encode_acct_ctrl(acb_info & ACB_DISABLED, NEW_PW_FORMAT_SPACE_PADDED_LEN));
+ }
+
+ if (!groupsidstr || !usersidstr || !actflags) {
+ DEBUG(0,("ldapsam_create_user: Out of memory!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), usersidstr);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), usersidstr);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), name);
+ smbldap_set_mod(&mods, LDAP_MOD_ADD, get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), actflags);
+
+ if (is_new_entry) {
+ rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
+ } else {
+ rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
+ }
+
+ if (rc != LDAP_SUCCESS) {
+ DEBUG(0,("ldapsam_create_user: failed to create a new user [%s] (dn = %s)\n", name ,dn));
+ ldap_mods_free(mods, True);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ DEBUG(2,("ldapsam_create_user: added account [%s] in the LDAP database\n", username));
+ ldap_mods_free(mods, True);
+
+ return NT_STATUS_OK;
+}
+
/**********************************************************************
Housekeeping
*********************************************************************/
@@ -4589,6 +4803,10 @@
(*pdb_method)->rid_algorithm = ldapsam_rid_algorithm;
(*pdb_method)->new_rid = ldapsam_new_rid;
+ if (lp_parm_bool(-1, "ldapsam", "trusted", False) &&
+ lp_parm_bool(-1, "ldapsam", "editposix", False)) {
+ (*pdb_method)->create_user = ldapsam_create_user;
+ }
/* TODO: Setup private data and free */
if ( !(ldap_state = TALLOC_ZERO_P(*pdb_method, struct ldapsam_privates)) ) {
More information about the samba-cvs
mailing list