[PATCH] Add special users to Samba4 (bugzilla #4918)
Andrew Bartlett
abartlet at samba.org
Fri Aug 24 07:47:50 GMT 2007
On Thu, 2007-08-23 at 22:31 -0500, Andrew Kroeger wrote:
> First: I have been playing with Samba 4 for a number of months and I
> love what all of you have accomplished to date. Great Job!
Thanks!
> This last patch is the one that I anticipate the most feedback on.
> Given the special handling of the foreignSecurityPrincipal objectClass
> that appears to be special-cased for CN=ForeignSecurityPrincipals, I
> needed to add another special case for CN=WellKnown Security Principals.
> There may be a more general way to handle this, but I couldn't find any
> existing code that looked like it would help. (ldb_dn_canonical_string
Could we do this a bit more generically: If no objectSid is present,
and the CN can be parsed as a SID, then use that, otherwise just apply
the template?
> I also anticipate there may be issues with the following:
> - The use of ldb_dn_canonical_string() to get the DN to differentiate
> this special case from the other handling of foreignSecurityPrincipal.
> - The use of strstr() to look for a given substring in the DN.
> - My code makes a case-sensitive comparison, but I don't know if the
> DNs are case-sensitive.
They are not case sensitive or insensitive, it depends on the parts...
The function you were looking for is:
/* Determine if dn is below base, in the ldap tree. Used for
* evaluating a subtree search.
* 0 if they match, otherwise non-zero
*/
int ldb_dn_compare_base(struct ldb_dn *base, struct ldb_dn *dn)
(regardless, I think we can avoid doing that, and make it completely
generic).
> - The samldb_fill_wellKnown_foreignSecurityPrincipal_object() function I
> created copies the input ldb_message and then calls
> samdb_copy_template(). I don't know if any of that is necessary, as I
> don't yet fully understand what they do :) I do know that my code fails
> if msg2 is not set, so evidently what I am trying to do depends on the
> additional processing code that happens later in samdb_add() after the
> check for msg2 == NULL.
Indeed, the code you copied this from is complex. It is critical to
copy the msg into msg2, and to return it with:
ret = samldb_notice_sid(module, msg2, sid);
if (ret == 0) {
talloc_steal(msg, msg2);
*ret_msg = msg2;
}
> I welcome any and all feedback regarding what I have put together.
This looks like a really useful patch. I think the wellKnown case
would be best dealt with in the core
samldb_fill_foreignSecurityPrincipal_object() code, but very well done
for chasing this so far!
Do you want to try that?
Thanks
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.