[PATCH] RFC2307bis Naming Contexts and Group Recursion

Klinger, John (N-CSC) john.klinger at lmco.com
Tue Feb 3 17:11:51 GMT 2004


Samba 3.0.1, security=ads, idmap backend=ldap:ldap:...

This is a patch to the ads system. It adds base_path, filter, scope,
and recursion options for winbindd group resolution; and base_path, 
filter, and scope options for winbindd user resolution. The patch was 
written so that the impact to the process was minimal to none if the
options were left at their default. The default values result in
behavior identical to the non-patched version.

The options are based on RFC2307bis naming contexts, but are 
split into separate options for each base, scope, and filter
component. If desired, this can be implemented the other way,
"nss base group base?scope?filter", with minor changes to the 
param/loadparm.c file.

Here's a brief description of what this patch gives Samba.

##############################################################################
# NSS naming contexts to limit winbindd lookups when "security = ads"
#
# nss group recursion = <recursion lvl>
# nss group bind path = <base>
# nss group scope     = <scope>
# nss group filter    = <filter>
#
# nss passwd bind path = <base>
# nss passwd scope     = <scope>
# nss passwd filter    = <filter>
#
# where  <base>   is the bind_path where the search begins. If the suffix is
#                 not supplied, it will be obtained via the realm
#                 configuration option.
#                 Default: The realm root dc.
#                 Examples:
#                    nss group bind path = ou=groups,ou=samba
#                    nss group bind path = ou=Samba,dc=sub,dc=company,dc=com
#        <scope>  is one of {base, one, sub}, defining bind path search depth.
#                 Default: "sub" - All sub-trees of the bind path are parsed.
#        <filter> is a filter that is &'d with winbind's query filter
#                 Default: ""
#                 Example: nss group filter = (|(cn=samba*)(cn=dev*))
# <recursion lvl> is one of {full, context, none}, defining how winbindd
#                 handles nested groups when determining the groups that a
#                 user is a member of.
#                 Default: "full"
#
#                 If "none", only groups that directly have the user as a
#                 member are returned.
#
#                 If "context", the children of groups that exist in
#                 the conditions defined by the "nss group bind path",
#                 "nss group scope", and "nss group filter" are recursed
#                 into.
#
#                 If "full", a full recurse of all groups is performed. If
#                 the AD tokenGroups parameter exists for a user, that option
#                 is used, allowing AD to perform the recursion. Otherwise,
#                 winbindd recurses through the groups via multiple queries
#                 to AD.
#
#                 In all cases, the final list of groups that is returned
#                 contains only those that meet the conditions defined by the
#                 "nss group ..." configuration directives. The one exception
#                 to this is the primary group, which may exist anywhere in
#                 the AD.
#
#                 All recursion options handle circular group memberships.
#
#-----------------------------------------------------------------------------
#
# For example:
#
# With Active Directory contents:
#
#    ou=Users
#      cn=myUserName  (memberOf=innerGroup1, primaryGroupID=928)
#      cn=outerGroup1 (memberOf=innerGroup3)
#    ou=tstGroups
#      cn=innerGroup1 (memberOf=outerGroup1, memberOf=innerGroup2)
#      cn=innerGroup2
#      cn=innerGroup3 (memberOf=innerGroup4)
#      cn=innerGroup4 (memberOf=innerGroup1)
#    ou=mainGroups
#      cn=primaryGroup (sid = S-...-928)
#
# with: nss group bind path = ou=tstGroups
#
# when "nss group recursion = none", the following is returned for myUserName:
#          primaryGroup, innerGroup1
#
# when "nss group recursion = context", the following groups are returned:
#          primaryGroup, innerGroup1, innerGroup2
#
# when "nss group recursion = full", the following groups are returned:
#          primaryGroup, innerGroup1, innerGroup3, innerGroup4, innerGroup2
#
# with full recursion and "nss group filter = (|(cn=*4)(cn=*3))"
#          primaryGroup, innerGroup3, innerGroup4
##############################################################################
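As an added illustration (not part of the patch or of Samba's own code), the following Python model walks the example directory above under each "nss group recursion" setting, breaking circular memberships with a visited set and resolving the primary group by RID anywhere in the tree. It assumes a realm suffix of dc=example,dc=com, the default scope of "sub", and models the LDAP cn filter as a list of OR'd glob patterns rather than a real filter parser.

```python
from fnmatch import fnmatch

# Constructed directory mirroring the example AD contents in the patch
# description. The realm suffix dc=example,dc=com is an assumption.
SUFFIX = "dc=example,dc=com"

def dn(cn, ou):
    return f"cn={cn},ou={ou},{SUFFIX}"

AD = {
    dn("myUserName", "Users"): {"memberOf": [dn("innerGroup1", "tstGroups")], "primaryGroupID": 928},
    dn("outerGroup1", "Users"): {"memberOf": [dn("innerGroup3", "tstGroups")]},
    dn("innerGroup1", "tstGroups"): {"memberOf": [dn("outerGroup1", "Users"), dn("innerGroup2", "tstGroups")]},
    dn("innerGroup2", "tstGroups"): {"memberOf": []},
    dn("innerGroup3", "tstGroups"): {"memberOf": [dn("innerGroup4", "tstGroups")]},
    dn("innerGroup4", "tstGroups"): {"memberOf": [dn("innerGroup1", "tstGroups")]},   # closes the cycle
    dn("primaryGroup", "mainGroups"): {"memberOf": [], "rid": 928},
}

def cn_of(d):
    return d.split(",", 1)[0][3:]

def in_context(d, bind_path, filt):
    """True if d lies under 'nss group bind path' (scope=sub) and matches the cn filter."""
    base = bind_path if bind_path.endswith(SUFFIX) else f"{bind_path},{SUFFIX}"
    if not d.endswith("," + base):
        return False
    return filt is None or any(fnmatch(cn_of(d), p) for p in filt)

def user_groups(user_dn, bind_path, recursion="full", filt=None):
    """Model the 'none', 'context' and 'full' recursion levels for one user."""
    visited, queue = set(), list(AD[user_dn]["memberOf"])
    while queue:
        g = queue.pop()
        if g in visited:          # circular membership: already expanded
            continue
        visited.add(g)
        if recursion == "none":   # direct memberships only, no expansion
            continue
        # 'full' follows every parent; 'context' only expands in-context groups
        if recursion == "full" or in_context(g, bind_path, filt):
            queue.extend(AD[g]["memberOf"])
    result = {cn_of(g) for g in visited if in_context(g, bind_path, filt)}
    # The primary group is matched by RID and may live anywhere in the AD.
    pgid = AD[user_dn]["primaryGroupID"]
    result |= {cn_of(d) for d, a in AD.items() if a.get("rid") == pgid}
    return result
```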

The diff is based on the 3.0.1 release.

<patch included as email attachment due to size>

===================================
Development notes:
===================================

There was minor discussion on whether the "nss group..." and
"nss passwd..." options should be "ads" instead of "nss". We
left it "nss" due to the RFC2307bis naming context bases. I'll
leave this up to group consensus.

libads/ads_ldap.c was modified to allow pam authentication
to use these filters. If the original is left in, pam will 
authenticate all AD users regardless of the "nss passwd ..." 
options.

The function use_netsamlogon_cache was added to the 
winbindd_methods. This was to prevent the netsamlogon_cache 
from being used to determine group membership when 
"nss group ..." options are set. Adding this method allowed 
me to keep winbindd_group.c backend-independent, while 
adding this capability. Another option I could have 
implemented was to modify the pam authentication so that 
groups within info3 that are returned by the authentication 
request are checked, and only those groups within the defined 
"nss group ..." context are added to the netsamlogon_cache. 
I did not want to be intrusive in the pam process, so I 
decided to handle this on the other side when winbindd 
accesses the netsamlogon_cache in nsswitch/winbindd_group.c.

The recursion will still use the AD "tokenGroups" when full
recursion is specified.

Recursion is supported both with and without "tokenGroups". 

===================================
To Do
===================================
If the "nss group ..." or "nss passwd ..." options are modified
after winbindd has been running, the tdbs will be out of date
[unless the no-cache winbindd option was in effect]. So, if
these options change, the tdbs must be removed or otherwise
refreshed to ensure up-to-date information is retrieved. I
would like to have this performed automatically.

Man page updates. The patch is only for source code.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ads_filters_and_recursion.zip
Type: application/x-zip-compressed
Size: 7689 bytes
Desc: ads_filters_and_recursion.zip
Url : http://lists.samba.org/archive/samba-technical/attachments/20040203/9f0d2a36/ads_filters_and_recursion.bin