[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-4156-g62785b8

Gerald Carter jerry at samba.org
Mon Sep 22 22:48:45 GMT 2008


The branch, v3-3-test has been updated
       via  62785b8e2aa862b7eb85e20a11f7a29e1e8b2825 (commit)
      from  110756cc7bcaed5a9d6aa58f3b3fe4481f8d1f31 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test


- Log -----------------------------------------------------------------
commit 62785b8e2aa862b7eb85e20a11f7a29e1e8b2825
Author: Gerald (Jerry) Carter <jerry at samba.org>
Date:   Fri Sep 19 12:27:15 2008 -0500

    idmap_adex: Add new idmap plugin for support RFC2307 enabled AD forests.
    
    The adex idmap/nss_info plugin is an adapation of the Likewise
    Enterprise plugin with support for OU based cells removed
    (since the Windows pieces to manage the cells are not available).
    
    This plugin supports
    
      * The RFC2307 schema for users and groups.
      * Connections to trusted domains
      * Global catalog searches
      * Cross forest trusts
      * User and group aliases
    
    Prerequisite: Add the following attributes to the Partial Attribute
    Set in global catalog:
    
      * uidNumber
      * uid
      * gidNumber
    
    A basic config using the current trunk code would look like
    
     [global]
          idmap backend = adex
          idmap uid = 10000 - 29999
          idmap gid = 10000 - 29999
          winbind nss info = adex
    
           winbind normalize names = yes
           winbind refresh tickets = yes
           template homedir = /home/%D/%U
           template shell = /bin/bash

-----------------------------------------------------------------------

Summary of changes:
 source/Makefile.in                            |   12 +
 source/configure.in                           |    1 +
 source/winbindd/idmap_adex/cell_util.c        |  292 ++++++
 source/winbindd/idmap_adex/domain_util.c      |  278 ++++++
 source/winbindd/idmap_adex/gc_util.c          |  848 ++++++++++++++++++
 source/winbindd/idmap_adex/idmap_adex.c       |  460 ++++++++++
 source/winbindd/idmap_adex/idmap_adex.h       |  257 ++++++
 source/winbindd/idmap_adex/likewise_cell.c    |  425 +++++++++
 source/winbindd/idmap_adex/provider_unified.c | 1180 +++++++++++++++++++++++++
 9 files changed, 3753 insertions(+), 0 deletions(-)
 create mode 100644 source/winbindd/idmap_adex/cell_util.c
 create mode 100644 source/winbindd/idmap_adex/domain_util.c
 create mode 100644 source/winbindd/idmap_adex/gc_util.c
 create mode 100644 source/winbindd/idmap_adex/idmap_adex.c
 create mode 100644 source/winbindd/idmap_adex/idmap_adex.h
 create mode 100644 source/winbindd/idmap_adex/likewise_cell.c
 create mode 100644 source/winbindd/idmap_adex/provider_unified.c


Changeset truncated at 500 lines:

diff --git a/source/Makefile.in b/source/Makefile.in
index 1b2339e..3546f51 100644
--- a/source/Makefile.in
+++ b/source/Makefile.in
@@ -989,6 +989,14 @@ IDMAP_HASH_OBJ = \
 		winbindd/idmap_hash/idmap_hash.o \
 		winbindd/idmap_hash/mapfile.o
 
+IDMAP_ADEX_OBJ = \
+		winbindd/idmap_adex/idmap_adex.o \
+		winbindd/idmap_adex/cell_util.o \
+		winbindd/idmap_adex/likewise_cell.o \
+		winbindd/idmap_adex/provider_unified.o \
+		winbindd/idmap_adex/gc_util.o \
+		winbindd/idmap_adex/domain_util.o
+
 WINBINDD_OBJ1 = \
 		winbindd/winbindd.o       \
 		winbindd/winbindd_user.o  \
@@ -2224,6 +2232,10 @@ bin/hash. at SHLIBEXT@: $(BINARY_PREREQS) $(IDMAP_HASH_OBJ)
 	@echo "Building plugin $@"
 	@$(SHLD_MODULE) $(IDMAP_HASH_OBJ)
 
+bin/adex. at SHLIBEXT@: $(BINARY_PREREQS) $(IDMAP_ADEX_OBJ)
+	@echo "Building plugin $@"
+	@$(SHLD_MODULE) $(IDMAP_ADEX_OBJ)
+
 bin/tdb2. at SHLIBEXT@: $(BINARY_PREREQS) winbindd/idmap_tdb2.o
 	@echo "Building plugin $@"
 	@$(SHLD_MODULE) winbindd/idmap_tdb2.o
diff --git a/source/configure.in b/source/configure.in
index 12d98e2..7913d29 100644
--- a/source/configure.in
+++ b/source/configure.in
@@ -6060,6 +6060,7 @@ SMB_MODULE(idmap_nss, winbindd/idmap_nss.o, "bin/nss.$SHLIBEXT", IDMAP)
 SMB_MODULE(idmap_rid, winbindd/idmap_rid.o, "bin/rid.$SHLIBEXT", IDMAP)
 SMB_MODULE(idmap_ad, winbindd/idmap_ad.o, "bin/ad.$SHLIBEXT", IDMAP)
 SMB_MODULE(idmap_hash, \$(IDMAP_HASH_OBJ), "bin/hash.$SHLIBEXT", IDMAP)
+SMB_MODULE(idmap_adex, \$(IDMAP_ADEX_OBJ), "bin/adex.$SHLIBEXT", IDMAP)
 SMB_SUBSYSTEM(IDMAP, winbindd/idmap.o)
 
 SMB_MODULE(nss_info_template, winbindd/nss_info_template.o, "bin/template.$SHLIBEXT", NSS_INFO)
diff --git a/source/winbindd/idmap_adex/cell_util.c b/source/winbindd/idmap_adex/cell_util.c
new file mode 100644
index 0000000..f5c08a0
--- /dev/null
+++ b/source/winbindd/idmap_adex/cell_util.c
@@ -0,0 +1,292 @@
+/*
+ * idmap_adex: Support for AD Forests
+ *
+ * Copyright (C) Gerald (Jerry) Carter 2006-2008
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+#include "idmap_adex.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+/**********************************************************************
+**********************************************************************/
+
+ char *find_attr_string(char **list, size_t num_lines, const char *substr)
+{
+	int i;
+	int cmplen = strlen(substr);
+
+	for (i = 0; i < num_lines; i++) {
+		/* make sure to avoid substring matches like uid
+		   and uidNumber */
+		if ((StrnCaseCmp(list[i], substr, cmplen) == 0) &&
+		    (list[i][cmplen] == '=')) {
+			/* Don't return an empty string */
+			if (list[i][cmplen + 1] != '\0')
+				return &(list[i][cmplen + 1]);
+
+			return NULL;
+		}
+	}
+
+	return NULL;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+ bool is_object_class(char **list, size_t num_lines, const char *substr)
+{
+	int i;
+
+	for (i = 0; i < num_lines; i++) {
+		if (strequal(list[i], substr)) {
+			return true;
+		}
+	}
+
+	return false;
+}
+
+/**********************************************************************
+ Find out about the cell (e.g. use2307Attrs, etc...)
+**********************************************************************/
+
+ NTSTATUS cell_lookup_settings(struct likewise_cell * cell)
+{
+	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+
+	/* Parameter check */
+
+	if (!cell) {
+		nt_status = NT_STATUS_INVALID_PARAMETER;
+		BAIL_ON_NTSTATUS_ERROR(nt_status);
+	}
+
+	/* Only supporting Forest-wide, schema based searches */
+
+	cell_set_flags(cell, LWCELL_FLAG_USE_RFC2307_ATTRS);
+	cell_set_flags(cell, LWCELL_FLAG_SEARCH_FOREST);
+
+	cell->provider = &ccp_unified;
+
+	nt_status = NT_STATUS_OK;
+
+done:
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DEBUG(1,("LWI: Failed to obtain cell settings (%s)\n",
+			 nt_errstr(nt_status)));
+	}
+
+	return nt_status;
+}
+
+
+static NTSTATUS cell_lookup_forest(struct likewise_cell *c)
+{
+	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+	struct gc_info *gc = NULL;
+
+	if (!c) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if ((gc = TALLOC_ZERO_P(NULL, struct gc_info)) == NULL) {
+		nt_status = NT_STATUS_NO_MEMORY;
+		BAIL_ON_NTSTATUS_ERROR(nt_status);
+	}
+
+	/* Query the rootDSE for the forest root naming conect first.
+           Check that the a GC server for the forest has not already
+	   been added */
+
+	nt_status = gc_find_forest_root(gc, cell_dns_domain(c));
+	BAIL_ON_NTSTATUS_ERROR(nt_status);
+
+	c->forest_name = talloc_strdup(c, gc->forest_name);
+	BAIL_ON_PTR_ERROR(c->forest_name, nt_status);
+
+done:
+	if (gc) {
+		talloc_free(gc);
+	}
+
+	return nt_status;
+}
+
+/**********************************************************************
+**********************************************************************/
+
+ NTSTATUS cell_locate_membership(ADS_STRUCT * ads)
+{
+	ADS_STATUS status;
+	char *domain_dn = ads_build_dn(lp_realm());
+	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+	DOM_SID sid;
+	struct likewise_cell *cell = NULL;
+
+	/* In the Likewise plugin, I had to support the concept of cells
+	   based on the machine's membership in an OU.  However, now I'll
+	   just assume our membership in the forest cell */
+
+	DEBUG(2, ("locate_cell_membership: Located membership "
+		  "in cell \"%s\"\n", domain_dn));
+
+	if ((cell = cell_new()) == NULL) {
+		nt_status = NT_STATUS_NO_MEMORY;
+		BAIL_ON_NTSTATUS_ERROR(nt_status);
+	}
+
+	status = ads_domain_sid(ads, &sid);
+	if (!ADS_ERR_OK(status)) {
+		DEBUG(3,("locate_cell_membership: Failed to find "
+			 "domain SID for %s\n", domain_dn));
+	}
+
+	/* save the SID and search base for our domain */
+
+	cell_set_dns_domain(cell, lp_realm());
+	cell_set_connection(cell, ads);
+	cell_set_dn(cell, domain_dn);
+	cell_set_domain_sid(cell, &sid);
+
+	/* Now save our forest root */
+
+	cell_lookup_forest(cell);
+
+	/* Add the cell to the list */
+
+	if (!cell_list_add(cell)) {
+		nt_status = NT_STATUS_INSUFFICIENT_RESOURCES;
+		BAIL_ON_NTSTATUS_ERROR(nt_status);
+	}
+
+	/* Done! */
+	nt_status = NT_STATUS_OK;
+
+done:
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DEBUG(0,("LWI: Failed to locate cell membership (%s)\n",
+			 nt_errstr(nt_status)));
+	}
+
+	SAFE_FREE(domain_dn);
+
+	return nt_status;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+ int min_id_value(void)
+{
+	int id_val;
+
+	id_val = lp_parm_int(-1, "lwidentity", "min_id_value", MIN_ID_VALUE);
+
+	/* Still don't let it go below 50 */
+
+	return MAX(50, id_val);
+}
+
+/********************************************************************
+ *******************************************************************/
+
+ char *cell_dn_to_dns(const char *dn)
+{
+	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+	char *domain = NULL;
+	char *dns_name = NULL;
+	const char *tmp_dn;
+	char *buffer = NULL;
+	TALLOC_CTX *frame = talloc_stackframe();
+
+	if (!dn || !*dn) {
+		goto done;
+	}
+
+	tmp_dn = talloc_strdup(frame, dn);
+	BAIL_ON_PTR_ERROR(tmp_dn, nt_status);
+
+	while (next_token_talloc(frame, &tmp_dn, &buffer, ",")) {
+
+		/* skip everything up the where DC=... begins */
+		if (StrnCaseCmp(buffer, "DC=", 3) != 0)
+			continue;
+
+		if (!domain) {
+			domain = talloc_strdup(frame, &buffer[3]);
+		} else {
+			domain = talloc_asprintf_append(domain, ".%s",
+							&buffer[3]);
+		}
+		BAIL_ON_PTR_ERROR(domain, nt_status);
+	}
+
+	dns_name = SMB_STRDUP(domain);
+	BAIL_ON_PTR_ERROR(dns_name, nt_status);
+
+	nt_status = NT_STATUS_OK;
+
+done:
+	PRINT_NTSTATUS_ERROR(nt_status, "cell_dn_to_dns", 1);
+
+	talloc_destroy(frame);
+
+	return dns_name;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+ NTSTATUS get_sid_type(ADS_STRUCT *ads,
+		       LDAPMessage *msg,
+		       enum lsa_SidType *type)
+{
+	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+	uint32_t atype;
+
+	if (!ads_pull_uint32(ads, msg, "sAMAccountType", &atype)) {
+		nt_status = NT_STATUS_INVALID_USER_BUFFER;
+		BAIL_ON_NTSTATUS_ERROR(nt_status);
+	}
+
+	switch (atype &0xF0000000) {
+	case ATYPE_SECURITY_GLOBAL_GROUP:
+		*type = SID_NAME_DOM_GRP;
+		break;
+	case ATYPE_SECURITY_LOCAL_GROUP:
+		*type = SID_NAME_ALIAS;
+		break;
+	case ATYPE_NORMAL_ACCOUNT:
+	case ATYPE_WORKSTATION_TRUST:
+	case ATYPE_INTERDOMAIN_TRUST:
+		*type = SID_NAME_USER;
+		break;
+	default:
+		*type = SID_NAME_USE_NONE;
+		nt_status = NT_STATUS_INVALID_ACCOUNT_NAME;
+		BAIL_ON_NTSTATUS_ERROR(nt_status);
+	}
+
+	nt_status = NT_STATUS_OK;
+
+done:
+	return nt_status;
+}
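Review bot: In cell_locate_membership a failed ads_domain_sid() is only logged at DEBUG(3) and the function then stores the never-initialised `sid` (declared without an initialiser as `DOM_SID sid;`) into the cell via cell_set_domain_sid, so a transient LDAP failure leaves the cell carrying a garbage domain SID that later SID-to-ID lookups will compare against. The failure branch should bail instead: after the DEBUG call add `nt_status = ads_ntstatus(status);` and `BAIL_ON_NTSTATUS_ERROR(nt_status);`. The same function also discards the return value of `cell_lookup_forest(cell)` (leaving forest_name NULL on failure) and never frees `cell` on the error paths that reach `done:` after cell_new() succeeded; a `cell_destroy(cell)` under the existing `!NT_STATUS_IS_OK` check would cover that, assuming cell_destroy accepts a cell not yet added to the list. Separately, cell_dn_to_dns passes a NULL `domain` to SMB_STRDUP when the DN contains no DC= component; an `if (!domain) goto done;` before the strdup avoids that crash.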
diff --git a/source/winbindd/idmap_adex/domain_util.c b/source/winbindd/idmap_adex/domain_util.c
new file mode 100644
index 0000000..ab31cce
--- /dev/null
+++ b/source/winbindd/idmap_adex/domain_util.c
@@ -0,0 +1,278 @@
+/*
+ * idmap_adex: Domain search interface
+ *
+ * Copyright (C) Gerald (Jerry) Carter 2007-2008
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+#include "idmap_adex.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_IDMAP
+
+struct dc_info {
+	struct dc_info *prev, *next;
+	char *dns_name;
+	struct likewise_cell *domain_cell;
+};
+
+static struct dc_info *_dc_server_list = NULL;
+
+
+/**********************************************************************
+ *********************************************************************/
+
+static struct dc_info *dc_list_head(void)
+{
+	return _dc_server_list;
+}
+
+/**********************************************************************
+ *********************************************************************/
+
+static NTSTATUS dc_add_domain(const char *domain)
+{
+	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+	struct dc_info *dc = NULL;
+
+	/* Check for duplicates */
+
+	dc = dc_list_head();
+	while (dc) {
+		if (strequal (dc->dns_name, domain))
+			break;
+		dc = dc->next;
+	}
+
+	if (dc) {
+		DEBUG(10,("dc_add_domain: %s already in list\n", domain));
+		return NT_STATUS_OK;
+	}
+
+	dc = TALLOC_ZERO_P(NULL, struct dc_info);
+	BAIL_ON_PTR_ERROR(dc, nt_status);
+
+	dc->dns_name = talloc_strdup(dc, domain);
+	BAIL_ON_PTR_ERROR(dc->dns_name, nt_status);
+
+	DLIST_ADD_END(_dc_server_list, dc, struct dc_info*);
+
+	nt_status = NT_STATUS_OK;
+
+done:
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		talloc_destroy(dc);
+		DEBUG(0,("LWI: Failed to add new DC connection for %s (%s)\n",
+			 domain, nt_errstr(nt_status)));
+	}
+
+	return nt_status;
+}
+
+/**********************************************************************
+ *********************************************************************/
+
+static void dc_server_list_destroy(void)
+{
+	struct dc_info *dc = dc_list_head();
+
+	while (dc) {
+		struct dc_info *p = dc->next;
+
+		cell_destroy(dc->domain_cell);
+		talloc_destroy(dc);
+
+		dc = p;
+	}
+
+	return;
+}
+
+
+/**********************************************************************
+ *********************************************************************/
+
+ NTSTATUS domain_init_list(void)
+{
+	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+	struct winbindd_tdc_domain *domains = NULL;
+	size_t num_domains = 0;
+	int i;
+
+	if (_dc_server_list != NULL) {
+		dc_server_list_destroy();
+	}
+
+	/* Add our domain */
+
+	nt_status = dc_add_domain(lp_realm());
+	BAIL_ON_NTSTATUS_ERROR(nt_status);
+
+	if (!wcache_tdc_fetch_list(&domains, &num_domains)) {
+		nt_status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		BAIL_ON_NTSTATUS_ERROR(nt_status);
+	}
+
+	/* Add all domains with an incoming trust path */
+
+	for (i=0; i<num_domains; i++) {
+		uint32_t flags = (NETR_TRUST_FLAG_INBOUND|NETR_TRUST_FLAG_IN_FOREST);
+
+		/* We just require one of the flags to be set here */
+
+		if (domains[i].trust_flags & flags) {
+			nt_status = dc_add_domain(domains[i].dns_name);
+			BAIL_ON_NTSTATUS_ERROR(nt_status);
+		}
+	}
+
+	nt_status = NT_STATUS_OK;
+
+done:
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DEBUG(2,("LWI: Failed to initialize DC list (%s)\n",
+			 nt_errstr(nt_status)));
+	}
+
+	TALLOC_FREE(domains);
+
+	return nt_status;
+}

