winbind alloc id patch
Volker Lendecke
Volker.Lendecke at SerNet.DE
Wed Mar 19 08:14:24 GMT 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi!
Here's a little ten-liner I wrote some weeks ago being annoyed by
diverging uid/gid allocation on separate member servers. I declared
one of them the ID master, and had the others ask him.
I know this is an ugly hack, but for me it worked quite well.
I'm afraid this only works for 3_0, HEAD has a layer of indirection
towards a pluggable winbind id map module architecture.
Volker
P.S: There's a little bug fix for winbindd_user.c. On error, a debug
message used the uninitialized string domain_user_name.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Key-ID D32186CF, Fingerprint available: phone +49 551 3700000
iD8DBQE+d5sVOmSXH9Mhhs8RAseEAJoC7SM7bFFP4CeTK0vb58nz6cGhOgCbB4ej
NzWGE9rgeVccI8+s8h0OB7o=
=aYMe
-----END PGP SIGNATURE-----
Index: docs/docbook/manpages/smb.conf.5.sgml
===================================================================
RCS file: /space/vl/cvstree/samba/docs/docbook/manpages/smb.conf.5.sgml,v
retrieving revision 1.24.2.16
diff -u -r1.24.2.16 smb.conf.5.sgml
--- docs/docbook/manpages/smb.conf.5.sgml 2 Jan 2003 16:12:23 -0000 1.24.2.16
+++ docs/docbook/manpages/smb.conf.5.sgml 18 Mar 2003 22:10:23 -0000
@@ -776,6 +776,7 @@
<listitem><para><link linkend="UTMP"><parameter>utmp</parameter></link></para></listitem>
<listitem><para><link linkend="UTMPDIRECTORY"><parameter>utmp directory</parameter></link></para></listitem>
<listitem><para><link linkend="WTMPDIRECTORY"><parameter>wtmp directory</parameter></link></para></listitem>
+ <listitem><para><link linkend="WINBINDALLOCIDSCRIPT"><parameter>winbind alloc id script</parameter></link></para></listitem>
<listitem><para><link linkend="WINBINDCACHETIME"><parameter>winbind cache time</parameter></link></para></listitem>
<listitem><para><link linkend="WINBINDENUMUSERS"><parameter>winbind enum users</parameter></link></para></listitem>
<listitem><para><link linkend="WINBINDENUMGROUPS"><parameter>winbind enum groups</parameter></link></para></listitem>
@@ -8158,6 +8159,29 @@
+
+ <varlistentry>
+ <term><anchor id="WINBINDALLOCIDSCRIPT">winbind alloc id script (G)</term>
+ <listitem><para>This parameter specifies a script that the
+ <ulink url="winbindd.8.html">winbindd(8)</ulink> daemon will ask
+ if it needs to look up a unix uid or gid for a given NT SID. This
+ script should answer with the ID on stdout. It can be used
+ to coordinate ID mapping across several domain member servers
+ using winbind. Winbind will expand <parameter>%S</parameter> to
+ the SID in question and <parameter>%g</parameter> to -S if the
+ SID represents a user and to -Y if the SID represents a group.
+ This is designed to be used together with
+ <ulink url="wbinfo.8.html>wbinfo(1)</ulink> on a remote machine.
+ </para>
+
+ <para>Default: <command>winbind alloc id script = </command></para>
+ <para>Example: <command>winbind alloc id script =
+ /usr/sbin/ssh -i /root/.ssh/wbinfo.id dummy at id-master wbinfo %g %S</command><para>
+ <para>This example certainly assumes that you have a passphrase-less
+ identity in /root/.ssh/wbinfo.id that has the corresponding
+ id-master:~dummy/.ssh/authorized_keys.
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><anchor id="WINBINDCACHETIME">winbind cache time (G)</term>
Index: source/nsswitch/winbindd_idmap.c
===================================================================
RCS file: /space/vl/cvstree/samba/source/nsswitch/winbindd_idmap.c,v
retrieving revision 1.18.2.1
diff -u -r1.18.2.1 winbindd_idmap.c
--- source/nsswitch/winbindd_idmap.c 15 Jul 2002 10:34:44 -0000 1.18.2.1
+++ source/nsswitch/winbindd_idmap.c 18 Mar 2003 21:47:59 -0000
@@ -37,12 +37,58 @@
static TDB_CONTEXT *idmap_tdb;
+/* Ask an external script to give us an id */
+
+static BOOL ask_alloc_script(char *sid, uid_t *id, BOOL isgroup)
+{
+ pstring alloc_script;
+ fstring output;
+ int ret;
+ int fd = 0;
+
+ pstrcpy(alloc_script, lp_winbind_alloc_id_script());
+ if (! *alloc_script) return False;
+
+ pstring_sub(alloc_script, "%g", isgroup ? "-Y" : "-S");
+ pstring_sub(alloc_script, "%S", sid);
+
+ ret = smbrun(alloc_script, &fd);
+
+ DEBUG(3, ("Running the command '%s' gave %d\n",
+ alloc_script, ret));
+
+ if (ret != 0)
+ return False;
+
+ if (fd == 0)
+ return False;
+
+ *id = 0;
+ if (read(fd, output, sizeof(output)-1) > 0) {
+ output[sizeof(output)-1] = 0;
+ DEBUG(10, ("stdout of command '%s' is: '%s'\n",
+ alloc_script, output));
+ *id = (uid_t)strtoul(output, NULL, 10);
+ }
+ close(fd);
+
+ if (*id == 0 || errno == ERANGE) {
+ /* The output was garbage */
+ return False;
+ }
+ return True;
+}
+
/* Allocate either a user or group id from the pool */
-static BOOL allocate_id(uid_t *id, BOOL isgroup)
+static BOOL allocate_id(char *sid, uid_t *id, BOOL isgroup)
{
int hwm;
+ if (*lp_winbind_alloc_id_script()) {
+ return ask_alloc_script(sid, id, isgroup);
+ }
+
/* Get current high water mark */
if ((hwm = tdb_fetch_int32(idmap_tdb,
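Review bot: `pstring_sub(alloc_script, "%S", sid)` splices the SID text into a command line that smbrun() executes without any check on its characters, so if `keystr` can ever carry a string that was not rebuilt from a parsed DOM_SID (a client-supplied SID string passed through unchanged), shell metacharacters in it run with winbindd's privileges; whitelisting `S-` plus digits and dashes before the substitution closes that regardless of what the caller does. The stdout parsing has its own problems: `output[sizeof(output)-1] = 0` terminates at the end of the buffer rather than at the byte count read() returned, so the DEBUG(10) line and strtoul() read uninitialised bytes on a short read, and `errno == ERANGE` is tested without `errno = 0` beforehand, so a stale ERANGE from an earlier call rejects a good answer while trailing non-digits after the number are silently accepted. If smbrun() hands back an open descriptor even when the child exited non-zero, the early return on the `ret != 0` path also leaks one descriptor per failed lookup. Since whatever this script prints becomes a uid/gid mapping stored for this host, the transport to the id-master (the passphrase-less root ssh key in the manpage example) is part of the trust boundary and deserves a comment here saying so.
```c
static BOOL ask_alloc_script(char *sid, uid_t *id, BOOL isgroup)
{
	/* … unchanged: alloc_script setup and the %g substitution … */
	ssize_t n;
	char *end;

	/* Only S-1-... text may reach the command line: smbrun() hands it to a shell,
	 * and the script's answer is trusted as this host's uid/gid for the SID. */
	if (sid[0] != 'S' || strspn(sid, "S-0123456789") != strlen(sid)) {
		DEBUG(1, ("ask_alloc_script: refusing SID string '%s'\n", sid));
		return False;
	}
	pstring_sub(alloc_script, "%S", sid);

	ret = smbrun(alloc_script, &fd);
	/* … unchanged: DEBUG(3) on the command and its exit code … */

	if (ret != 0 || fd == 0) {
		if (fd != 0)
			close(fd);
		return False;
	}

	n = read(fd, output, sizeof(output)-1);
	close(fd);
	if (n <= 0)
		return False;
	output[n] = '\0';		/* terminate at what was actually read */
	/* … unchanged: DEBUG(10) of the script output … */

	errno = 0;
	*id = (uid_t)strtoul(output, &end, 10);
	if (end == output || errno == ERANGE || *id == 0 ||
	    (*end != '\0' && *end != '\n')) {
		/* The output was garbage: not a plain decimal id, or id 0 */
		return False;
	}
	return True;
}
```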
@@ -108,7 +154,7 @@
/* Allocate a new id for this sid */
- if (id && allocate_id(id, isgroup)) {
+ if (id && allocate_id(keystr, id, isgroup)) {
fstring keystr2;
/* Store new id */
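Review bot: The id that `allocate_id(keystr, id, isgroup)` now brings back from the script is stored into the idmap below exactly like a locally allocated one, yet nothing between here and the script checks it against the configured `winbind uid`/`winbind gid` range or against ids this host's tdb has already handed out; the high-water-mark path presumably guarantees both, the script path guarantees neither, so a wrong or compromised id-master can map a SID onto a local system account or onto a uid another SID already owns here (the divergence this patch is meant to cure makes the second case likely on a server whose idmap was populated before the master was introduced). A range check on the returned id before the store, plus a lookup of the reverse `UID`/`GID` key that refuses an id already mapped to a different SID, would keep the script path as safe as the local one. The enclosing function starts and ends outside the hunk.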
Index: source/nsswitch/winbindd_user.c
===================================================================
RCS file: /space/vl/cvstree/samba/source/nsswitch/winbindd_user.c,v
retrieving revision 1.43.2.6
diff -u -r1.43.2.6 winbindd_user.c
--- source/nsswitch/winbindd_user.c 12 Feb 2003 01:08:40 -0000 1.43.2.6
+++ source/nsswitch/winbindd_user.c 18 Mar 2003 21:36:44 -0000
@@ -449,7 +449,6 @@
for (i = 0; i < num_users; i++) {
struct getpwent_user *name_list = NULL;
- fstring domain_user_name;
uint32 result;
/* Do we need to fetch another chunk of users? */
@@ -509,8 +508,8 @@
sizeof(struct winbindd_pw);
} else
- DEBUG(1, ("could not lookup domain user %s\n",
- domain_user_name));
+ DEBUG(1, ("could not lookup domain user [%s]\n",
+ name_list[ent->sam_entry_index].name));
}
/* Out of domains */
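Review bot: The replacement message dereferences `name_list[ent->sam_entry_index].name`, and `name_list` is initialised to NULL at the top of the loop in the previous hunk; that is only safe if every path reaching this `else` has already filled it from a fetched chunk, which is not visible here — if the "fetch another chunk" step can fail and fall through to the lookup, this DEBUG(1) turns an error path that used to print garbage into a NULL dereference. Either a one-line comment such as `/* name_list was filled by the chunk fetch above; the lookup only fails for the entry, not the list */` or a `name_list ? name_list[...].name : "<none>"` guard in the message would settle it. The enclosing loop starts and ends outside the hunk.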
Index: source/param/loadparm.c
===================================================================
RCS file: /space/vl/cvstree/samba/source/param/loadparm.c,v
retrieving revision 1.397.2.29
diff -u -r1.397.2.29 loadparm.c
--- source/param/loadparm.c 12 Mar 2003 21:02:45 -0000 1.397.2.29
+++ source/param/loadparm.c 18 Mar 2003 19:33:41 -0000
@@ -162,6 +162,7 @@
BOOL bWinbindEnumUsers;
BOOL bWinbindEnumGroups;
BOOL bWinbindUseDefaultDomain;
+ char *szWinbindAllocIdScript;
char *szAddShareCommand;
char *szChangeShareCommand;
char *szDeleteShareCommand;
@@ -1106,6 +1107,7 @@
{"winbind enum users", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumUsers, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"winbind enum groups", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumGroups, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"winbind use default domain", P_BOOL, P_GLOBAL, &Globals.bWinbindUseDefaultDomain, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
+ {"winbind alloc id script", P_STRING, P_GLOBAL, &Globals.szWinbindAllocIdScript, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{NULL, P_BOOL, P_NONE, NULL, NULL, NULL, 0}
};
@@ -1616,6 +1618,7 @@
FN_GLOBAL_BOOL(lp_winbind_enum_users, &Globals.bWinbindEnumUsers)
FN_GLOBAL_BOOL(lp_winbind_enum_groups, &Globals.bWinbindEnumGroups)
FN_GLOBAL_BOOL(lp_winbind_use_default_domain, &Globals.bWinbindUseDefaultDomain)
+FN_GLOBAL_STRING(lp_winbind_alloc_id_script, &Globals.szWinbindAllocIdScript)
#ifdef WITH_LDAP_SAMCONFIG
FN_GLOBAL_STRING(lp_ldap_server, &Globals.szLdapServer)