winbind alloc id patch

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Mar 19 08:14:24 GMT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

Here's a little ten-liner I wrote some weeks ago being annoyed by
diverging uid/gid allocation on separate member servers. I declared
one of them the ID master, and had the others ask him.

I know this is an ugly hack, but for me it worked quite well.

I'm afraid this only works for 3_0, HEAD has a layer of indirection
towards a pluggable winbind id map module architecture.

Volker

P.S: There's a little bug fix for winbindd_user.c. On error, a debug
message used the uninitialized string domain_user_name.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Key-ID D32186CF, Fingerprint available: phone +49 551 3700000

iD8DBQE+d5sVOmSXH9Mhhs8RAseEAJoC7SM7bFFP4CeTK0vb58nz6cGhOgCbB4ej
NzWGE9rgeVccI8+s8h0OB7o=
=aYMe
-----END PGP SIGNATURE-----

Index: docs/docbook/manpages/smb.conf.5.sgml
===================================================================
RCS file: /space/vl/cvstree/samba/docs/docbook/manpages/smb.conf.5.sgml,v
retrieving revision 1.24.2.16
diff -u -r1.24.2.16 smb.conf.5.sgml
--- docs/docbook/manpages/smb.conf.5.sgml	2 Jan 2003 16:12:23 -0000	1.24.2.16
+++ docs/docbook/manpages/smb.conf.5.sgml	18 Mar 2003 22:10:23 -0000
@@ -776,6 +776,7 @@
 		<listitem><para><link linkend="UTMP"><parameter>utmp</parameter></link></para></listitem>
 		<listitem><para><link linkend="UTMPDIRECTORY"><parameter>utmp directory</parameter></link></para></listitem>
 		<listitem><para><link linkend="WTMPDIRECTORY"><parameter>wtmp directory</parameter></link></para></listitem>
+		<listitem><para><link linkend="WINBINDALLOCIDSCRIPT"><parameter>winbind alloc id script</parameter></link></para></listitem>
 		<listitem><para><link linkend="WINBINDCACHETIME"><parameter>winbind cache time</parameter></link></para></listitem>
 		<listitem><para><link linkend="WINBINDENUMUSERS"><parameter>winbind enum users</parameter></link></para></listitem>
 		<listitem><para><link linkend="WINBINDENUMGROUPS"><parameter>winbind enum groups</parameter></link></para></listitem>
@@ -8158,6 +8159,29 @@
 
 
 
+
+		<varlistentry>
+		<term><anchor id="WINBINDALLOCIDSCRIPT">winbind alloc id script (G)</term>
+		<listitem><para>This parameter specifies a script that the
+		<ulink url="winbindd.8.html">winbindd(8)</ulink> daemon will ask
+		if it needs to look up a unix uid or gid for a given NT SID. This 
+		script should answer with the ID on stdout. It can be used
+		to coordinate ID mapping across several domain member servers
+		using winbind. Winbind will expand <parameter>%S</parameter> to
+		the SID in question and <parameter>%g</parameter> to -S if the
+		SID represents a user and to -Y if the SID represents a group.
+		This is designed to be used together with 
+		<ulink url="wbinfo.8.html>wbinfo(1)</ulink> on a remote machine.
+		</para>
+
+		<para>Default: <command>winbind alloc id script = </command></para>
+		<para>Example: <command>winbind alloc id script =
+		/usr/sbin/ssh -i /root/.ssh/wbinfo.id dummy at id-master wbinfo %g %S</command><para>
+		<para>This example certainly assumes that you have a passphrase-less
+		identity in /root/.ssh/wbinfo.id that has the corresponding
+		id-master:~dummy/.ssh/authorized_keys.
+		</listitem>
+		</varlistentry>
 
 		<varlistentry>
 		<term><anchor id="WINBINDCACHETIME">winbind cache time (G)</term>
Index: source/nsswitch/winbindd_idmap.c
===================================================================
RCS file: /space/vl/cvstree/samba/source/nsswitch/winbindd_idmap.c,v
retrieving revision 1.18.2.1
diff -u -r1.18.2.1 winbindd_idmap.c
--- source/nsswitch/winbindd_idmap.c	15 Jul 2002 10:34:44 -0000	1.18.2.1
+++ source/nsswitch/winbindd_idmap.c	18 Mar 2003 21:47:59 -0000
@@ -37,12 +37,58 @@
 
 static TDB_CONTEXT *idmap_tdb;
 
+/* Ask an external script to give us an id */
+
+static BOOL ask_alloc_script(char *sid, uid_t *id, BOOL isgroup)
+{
+	pstring alloc_script;
+	fstring output;
+	int ret;
+	int fd = 0;
+
+	pstrcpy(alloc_script, lp_winbind_alloc_id_script());
+	if (! *alloc_script) return False;
+
+	pstring_sub(alloc_script, "%g", isgroup ? "-Y" : "-S");
+	pstring_sub(alloc_script, "%S", sid);
+
+	ret = smbrun(alloc_script, &fd);
+
+	DEBUG(3, ("Running the command '%s' gave %d\n",
+		  alloc_script, ret));
+
+	if (ret != 0)
+		return False;
+
+	if (fd == 0)
+		return False;
+
+	*id = 0;
+	if (read(fd, output, sizeof(output)-1) > 0) {
+		output[sizeof(output)-1] = 0;
+		DEBUG(10, ("stdout of command '%s' is: '%s'\n",
+			   alloc_script, output));
+		*id = (uid_t)strtoul(output, NULL, 10);
+	}
+	close(fd);
+
+	if (*id == 0 || errno == ERANGE) {
+		/* The output was garbage */
+		return False;
+	}
+	return True;
+}
+
 /* Allocate either a user or group id from the pool */
 
-static BOOL allocate_id(uid_t *id, BOOL isgroup)
+static BOOL allocate_id(char *sid, uid_t *id, BOOL isgroup)
 {
     int hwm;
 
+    if (*lp_winbind_alloc_id_script()) {
+	return ask_alloc_script(sid, id, isgroup);
+    }
+
     /* Get current high water mark */
 
     if ((hwm = tdb_fetch_int32(idmap_tdb, 
@@ -108,7 +154,7 @@
 
         /* Allocate a new id for this sid */
 
-        if (id && allocate_id(id, isgroup)) {
+        if (id && allocate_id(keystr, id, isgroup)) {
             fstring keystr2;
 
             /* Store new id */
Index: source/nsswitch/winbindd_user.c
===================================================================
RCS file: /space/vl/cvstree/samba/source/nsswitch/winbindd_user.c,v
retrieving revision 1.43.2.6
diff -u -r1.43.2.6 winbindd_user.c
--- source/nsswitch/winbindd_user.c	12 Feb 2003 01:08:40 -0000	1.43.2.6
+++ source/nsswitch/winbindd_user.c	18 Mar 2003 21:36:44 -0000
@@ -449,7 +449,6 @@
 
 	for (i = 0; i < num_users; i++) {
 		struct getpwent_user *name_list = NULL;
-		fstring domain_user_name;
 		uint32 result;
 
 		/* Do we need to fetch another chunk of users? */
@@ -509,8 +508,8 @@
 				sizeof(struct winbindd_pw);
 
 		} else
-			DEBUG(1, ("could not lookup domain user %s\n",
-				  domain_user_name));
+			DEBUG(1, ("could not lookup domain user [%s]\n",
+				  name_list[ent->sam_entry_index].name));
 	}
 
 	/* Out of domains */
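Review bot: The replacement DEBUG() in the else branch dereferences name_list, which the first hunk of this file shows initialized to NULL at the top of each loop iteration; whether it is guaranteed to be populated on the path that reaches this else depends on the chunk-fetching code between the two hunks, which is not visible here. If that path can be reached with name_list still NULL (for instance after a failed chunk fetch), the corrected message would fault where the old one merely printed an uninitialized string, so a guard such as `name_list ? name_list[ent->sam_entry_index].name : "<unknown>"` keeps the fix safe either way. The enclosing for loop starts outside this hunk.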
Index: source/param/loadparm.c
===================================================================
RCS file: /space/vl/cvstree/samba/source/param/loadparm.c,v
retrieving revision 1.397.2.29
diff -u -r1.397.2.29 loadparm.c
--- source/param/loadparm.c	12 Mar 2003 21:02:45 -0000	1.397.2.29
+++ source/param/loadparm.c	18 Mar 2003 19:33:41 -0000
@@ -162,6 +162,7 @@
 	BOOL bWinbindEnumUsers;
 	BOOL bWinbindEnumGroups;
 	BOOL bWinbindUseDefaultDomain;
+	char *szWinbindAllocIdScript;
 	char *szAddShareCommand;
 	char *szChangeShareCommand;
 	char *szDeleteShareCommand;
@@ -1106,6 +1107,7 @@
 	{"winbind enum users", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumUsers, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"winbind enum groups", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumGroups, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 	{"winbind use default domain", P_BOOL, P_GLOBAL, &Globals.bWinbindUseDefaultDomain, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+	{"winbind alloc id script", P_STRING, P_GLOBAL, &Globals.szWinbindAllocIdScript, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
 
 	{NULL, P_BOOL, P_NONE, NULL, NULL, NULL, 0}
 };
@@ -1616,6 +1618,7 @@
 FN_GLOBAL_BOOL(lp_winbind_enum_users, &Globals.bWinbindEnumUsers)
 FN_GLOBAL_BOOL(lp_winbind_enum_groups, &Globals.bWinbindEnumGroups)
 FN_GLOBAL_BOOL(lp_winbind_use_default_domain, &Globals.bWinbindUseDefaultDomain)
+FN_GLOBAL_STRING(lp_winbind_alloc_id_script, &Globals.szWinbindAllocIdScript)
 
 #ifdef WITH_LDAP_SAMCONFIG
 FN_GLOBAL_STRING(lp_ldap_server, &Globals.szLdapServer)


