[PATCHES] idmap_rfc2307: Fix handling of cn realm

Christof Schmitt cs at samba.org
Wed Dec 9 19:59:04 UTC 2015


From 8f6c242568420c686475c4d9da150be86de39f75 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Tue, 8 Dec 2015 11:52:41 -0700
Subject: [PATCH 1/2] idmap_rfc2307: Fix handling of cn realm

When cn_realm was set, the idmap_rfc2307 module tried to determine the
realm from the AD connection struct. In case of referring to a different
domain using the ldap_domain config option, the wrong realm was used.

Since the LDAP-server case already requires having the realm in the
config, extend that to the AD case to fix the issue: Having LDAP records
with @realm in the cn, now always requires having the realm in the
config.

Since cn_realm and ldap_realm would now always have to be specified
together, replace the two options with a single "realm" option.

Signed-off-by: Christof Schmitt <cs at samba.org>
---
 source3/winbindd/idmap_rfc2307.c |   39 +++++++++++++------------------------
 1 files changed, 14 insertions(+), 25 deletions(-)

diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c
index 6b3ab4a..3ef10f6 100644
--- a/source3/winbindd/idmap_rfc2307.c
+++ b/source3/winbindd/idmap_rfc2307.c
@@ -38,7 +38,6 @@ struct idmap_rfc2307_context {
 	const char *bind_path_user;
 	const char *bind_path_group;
 	const char *ldap_domain;
-	bool cn_realm;
 	bool user_cn;
 	const char *realm;
 
@@ -82,9 +81,6 @@ static NTSTATUS idmap_rfc2307_ads_check_connection(struct idmap_domain *dom)
 	status = ads_idmap_cached_connection(&ctx->ads, dom_name);
 	if (ADS_ERR_OK(status)) {
 		ctx->ldap = ctx->ads->ldap.ld;
-		if (ctx->cn_realm) {
-			ctx->realm = ctx->ads->server.realm;
-		}
 	} else {
 		DEBUG(1, ("Could not connect to domain %s: %s\n", dom->name,
 			  ads_errstr(status)));
@@ -172,7 +168,7 @@ static NTSTATUS idmap_rfc2307_init_ldap(struct idmap_rfc2307_context *ctx,
 	NTSTATUS ret;
 	char *url;
 	char *secret = NULL;
-	const char *ldap_url, *user_dn, *ldap_realm;
+	const char *ldap_url, *user_dn;
 	TALLOC_CTX *mem_ctx = ctx;
 
 	ldap_url = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
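Review bot: `TALLOC_CTX *mem_ctx = ctx;` kept on the line before this hunk's end looks like it has lost its only consumer, since the `talloc_strdup(mem_ctx, ldap_realm)` call is removed in the next hunk of this function. If nothing else in idmap_rfc2307_init_ldap references mem_ctx, the compiler will now warn about an unused variable, which breaks -Werror developer builds; either drop the declaration or keep it only if a remaining use exists. The body of idmap_rfc2307_init_ldap continues past this hunk, so this needs confirming against the full function.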
@@ -204,21 +200,6 @@ static NTSTATUS idmap_rfc2307_init_ldap(struct idmap_rfc2307_context *ctx,
 
 	ctx->search = idmap_rfc2307_ldap_search;
 
-	if (ctx->cn_realm) {
-		ldap_realm = lp_parm_const_string(-1, config_option,
-						  "ldap_realm", NULL);
-		if (!ldap_realm) {
-			DEBUG(1, ("ERROR: cn_realm set, "
-				  "but ldap_realm is missing\n"));
-			ret = NT_STATUS_UNSUCCESSFUL;
-			goto done;
-		}
-		ctx->realm = talloc_strdup(mem_ctx, ldap_realm);
-		if (!ctx->realm) {
-			ret = NT_STATUS_NO_MEMORY;
-		}
-	}
-
 done:
 	talloc_free(url);
 	return ret;
@@ -276,7 +257,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
 			continue;
 		}
 
-		if (ctx->cn_realm) {
+		if (ctx->realm != NULL) {
 			/* Strip @realm from user or group name */
 			char *delim;
 
@@ -487,7 +468,7 @@ static NTSTATUS idmap_rfc_2307_sids_to_names(TALLOC_CTX *mem_ctx,
 		switch(lsa_type) {
 		case SID_NAME_USER:
 			id->xid.type = map->type = ID_TYPE_UID;
-			if (ctx->user_cn && ctx->cn_realm) {
+			if (ctx->user_cn && ctx->realm != NULL) {
 				name = talloc_asprintf(mem_ctx, "%s@%s",
 						       name, ctx->realm);
 			}
@@ -497,7 +478,7 @@ static NTSTATUS idmap_rfc_2307_sids_to_names(TALLOC_CTX *mem_ctx,
 		case SID_NAME_DOM_GRP:
 		case SID_NAME_ALIAS:
 		case SID_NAME_WKN_GRP:
-			if (ctx->cn_realm) {
+			if (ctx->realm != NULL) {
 				name = talloc_asprintf(mem_ctx, "%s@%s",
 						       name, ctx->realm);
 			}
@@ -781,7 +762,7 @@ static NTSTATUS idmap_rfc2307_initialize(struct idmap_domain *domain)
 {
 	struct idmap_rfc2307_context *ctx;
 	char *cfg_opt;
-	const char *bind_path_user, *bind_path_group, *ldap_server;
+	const char *bind_path_user, *bind_path_group, *ldap_server, *realm;
 	NTSTATUS status;
 
 	ctx = talloc_zero(domain, struct idmap_rfc2307_context);
@@ -842,7 +823,15 @@ static NTSTATUS idmap_rfc2307_initialize(struct idmap_domain *domain)
 		goto err;
 	}
 
-	ctx->cn_realm = lp_parm_bool(-1, cfg_opt, "cn_realm", false);
+	realm = lp_parm_const_string(-1, cfg_opt, "realm", NULL);
+	if (realm) {
+		ctx->realm = talloc_strdup(ctx, realm);
+		if (ctx->realm == NULL) {
+			status = NT_STATUS_NO_MEMORY;
+			goto err;
+		}
+	}
+
 	ctx->user_cn = lp_parm_bool(-1, cfg_opt, "user_cn", false);
 
 	domain->private_data = ctx;
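Review bot: The new `realm` parsing silently ignores the old `cn_realm` and `ldap_realm` keys, so an existing AD deployment that relied on `cn_realm = yes` will, after this change, neither append nor strip `@realm`, and its lookups against LDAP records carrying the realm will quietly stop matching instead of failing visibly. Since this is a configuration break, consider probing the legacy keys here and logging at DEBUG(0) that they are obsolete and `realm` must be set, e.g. `if (lp_parm_bool(-1, cfg_opt, "cn_realm", false)) { DEBUG(0, ("cn_realm is obsolete, set 'realm' instead\n")); }` (and the same for `ldap_realm`). Separately, `if (realm)` accepts an empty `realm =` value, which makes every later `ctx->realm != NULL` test true and appends a bare "@" to names; `if (realm != NULL && realm[0] != '\0')` (or rejecting the empty value with an error) avoids that.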
-- 
1.7.1


From 5117a868ff37bb807e592831f7fb45d246e46cd1 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Tue, 8 Dec 2015 12:04:22 -0700
Subject: [PATCH 2/2] docs-xml: Update idmap_rfc2307 manpage for new realm handling

Now there is only "realm" as a config option; it replaces "cn_realm" and
"ldap_realm".

Signed-off-by: Christof Schmitt <cs at samba.org>
---
 docs-xml/manpages/idmap_rfc2307.8.xml |   13 +++----------
 1 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/docs-xml/manpages/idmap_rfc2307.8.xml b/docs-xml/manpages/idmap_rfc2307.8.xml
index 095e035..8df4d53 100644
--- a/docs-xml/manpages/idmap_rfc2307.8.xml
+++ b/docs-xml/manpages/idmap_rfc2307.8.xml
@@ -88,11 +88,11 @@
 			no.</para></listitem>
 		</varlistentry>
 		<varlistentry>
-			<term>cn_realm = <yes | no></term>
+			<term>realm</term>
 			<listitem><para>Append @realm to cn for groups
 			(and users if user_cn is set) in
-			LDAP. This option is not required, the default
-			is no.</para></listitem>
+			LDAP queries. This option is not required, the default
+			is not to append the realm.</para></listitem>
 		</varlistentry>
 		<varlistentry>
 			<term>ldap_domain</term>
@@ -124,13 +124,6 @@
 			absent, an anonymous bind will be
 			performed.</para></listitem>
 		</varlistentry>
-		<varlistentry>
-			<term>ldap_realm</term>
-			<listitem><para>Defines the realm to use in
-			the user and group names. This is only
-			required when using cn_realm together with a
-			stand-alone ldap server.</para></listitem>
-		</varlistentry>
 	</variablelist>
 </refsect1>
 
-- 
1.7.1


