[PATCHv2] Supplement nss info gecos from cn

Ralph Böhme rb at sernet.de
Tue Jul 28 11:00:03 UTC 2015 

On Tue, Jul 28, 2015 at 10:20:38AM +0200, Jakub Hrozek wrote:
> On Tue, Jul 28, 2015 at 07:25:49AM +0300, Alexander Bokovoy wrote:
> > On Mon, 27 Jul 2015, Rowland Penny wrote:
> > > On 27/07/15 21:11, Ralph Böhme wrote:
> > > >On Mon, Jul 27, 2015 at 06:30:51PM +0100, Rowland Penny wrote:
> > > >>On 27/07/15 18:12, Ralph Böhme wrote:
> > > >>>Attached is a small patchset that tries to address a shortcoming in
> > > >>>winbind pulling gecos information from AD.
> > > >>>
> > > >>>Either winbind nss info sfu, sfu20 and rfc2307 will end up querying
> > > >>>the gecos attribute, which will be empty in most cases, as neither
> > > >>>Samba AD nor Windows with IDMU assigns a value to it by default.
> > > >>>
> > > >>>As a result Samba servers pulling nss info via winbind will show empty
> > > >>>gecos fields. Wouldn't it make sense to pull the gecos info from
> > > >>>another attribute like displayName in case gecos is empty?
> > > >>>
> > > >>>Review&comments appreciated. Thanks!
> > > >>>
> > > >>>-Ralph
> > > >>>
> > > >>er, you do realise that if you create a user with samba-tool
> > > >>'samba-tool user create username' you do not get a displayName
> > > >>attribute either,
> > > >yes, but using MS tools will.
> > > >
> > > >>so what are your plans to fall back to ?
> > > >That's not the point.
> > > >
> > > >>Or to put it another way, you cannot presume the displayName
> > > >>attribute will be populated either, so why bother ?
> > > >Because when using MS tools gecos will always be empty while
> > > >displayName will contain something. For Samba users in an MS AD
> > > >environment that makes a difference I guess.
> > > >
> > > >Cheerio!
> > > >-Ralph
> > > 
> > > Hi Ralph, I think you are missing the point :-)
> > > 
> > > You cannot be sure that displayName will be populated, so if you want
> > > 'gecos' to seemingly contain something, you need to either patch 'samba-tool
> > > user create' to refuse to create the user unless the users first and last
> > > names are also given i.e. just like windows, or test if gecos is empty, if
> > > so, use displayName contents and if this is also empty, fall back to
> > > samaccountname.
> > Well, in case of SSSD we synthesize it from 'cn' (which couldn't be
> > missing). I'd prefer a common behavior here but otherwise I agree with
> > you.
> 
> According to the commit message in SSSD, that's compliant with
> section 5.3 of RFC 2307 which states:
> 
> An account's GECOS field is preferably determined by a value of the
> gecos attribute. If no gecos attribute exists, the value of the cn
> attribute MUST be used.

updated patchset attached.

-Ralph

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de,mailto:kontakt@sernet.de
-------------- next part --------------
From b88edb1282cd0154ba2b7ec5ec9e98b5e2da3e6e Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Mon, 27 Jul 2015 16:55:46 +0200
Subject: [PATCH 1/2] s3-libads: ldap_schema: zero initialize schema

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source3/libads/ldap_schema.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libads/ldap_schema.c b/source3/libads/ldap_schema.c
index 7368be8..f3a94c9 100644
--- a/source3/libads/ldap_schema.c
+++ b/source3/libads/ldap_schema.c
@@ -252,7 +252,7 @@ ADS_STATUS ads_check_posix_schema_mapping(TALLOC_CTX *mem_ctx,
 		return ADS_ERROR(LDAP_NO_MEMORY);
 	}
 
-	if ( (schema = talloc(mem_ctx, struct posix_schema)) == NULL ) {
+	if ( (schema = talloc_zero(mem_ctx, struct posix_schema)) == NULL ) {
 		TALLOC_FREE( ctx );
 		return ADS_ERROR(LDAP_NO_MEMORY);
 	}
-- 
2.1.0


From ba7b2fc97b0e544ef1b4bce5e4b0463b7986d944 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Tue, 28 Jul 2015 12:30:04 +0200
Subject: [PATCH 2/2] s3-libads: use cn as fallback for empty gecos

This is imo nice to have and actually specified as a MUST in RFC 2307:

  An account's GECOS field is preferably determined by a value of the
  gecos attribute. If no gecos attribute exists, the value of the cn
  attribute MUST be used.

Signed-off-by: Ralph Boehme <slow at samba.org>
---
 source3/libads/ldap_schema.c | 14 +++++++++++---
 source3/libads/ldap_schema.h |  3 +++
 source3/winbindd/idmap_ad.c  | 13 +++++++++++++
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/source3/libads/ldap_schema.c b/source3/libads/ldap_schema.c
index f3a94c9..6ca32c9 100644
--- a/source3/libads/ldap_schema.c
+++ b/source3/libads/ldap_schema.c
@@ -212,21 +212,24 @@ ADS_STATUS ads_check_posix_schema_mapping(TALLOC_CTX *mem_ctx,
 					ADS_ATTR_SFU_HOMEDIR_OID,
 					ADS_ATTR_SFU_SHELL_OID,
 					ADS_ATTR_SFU_GECOS_OID,
-					ADS_ATTR_SFU_UID_OID };
+					ADS_ATTR_SFU_UID_OID,
+					ADS_ATTR_CN_OID };
 
 	const char *oids_sfu20[] = { 	ADS_ATTR_SFU20_UIDNUMBER_OID,
 					ADS_ATTR_SFU20_GIDNUMBER_OID,
 					ADS_ATTR_SFU20_HOMEDIR_OID,
 					ADS_ATTR_SFU20_SHELL_OID,
 					ADS_ATTR_SFU20_GECOS_OID,
-					ADS_ATTR_SFU20_UID_OID };
+					ADS_ATTR_SFU20_UID_OID,
+					ADS_ATTR_CN_OID };
 
 	const char *oids_rfc2307[] = {	ADS_ATTR_RFC2307_UIDNUMBER_OID,
 					ADS_ATTR_RFC2307_GIDNUMBER_OID,
 					ADS_ATTR_RFC2307_HOMEDIR_OID,
 					ADS_ATTR_RFC2307_SHELL_OID,
 					ADS_ATTR_RFC2307_GECOS_OID,
-					ADS_ATTR_RFC2307_UID_OID };
+					ADS_ATTR_RFC2307_UID_OID,
+					ADS_ATTR_CN_OID };
 
 	DEBUG(10,("ads_check_posix_schema_mapping for schema mode: %d\n", map_type));
 
@@ -333,6 +336,11 @@ ADS_STATUS ads_check_posix_schema_mapping(TALLOC_CTX *mem_ctx,
 		    strequal(ADS_ATTR_SFU20_UID_OID, oids_out[i])) {
 			schema->posix_uid_attr = talloc_strdup(schema, names_out[i]);
 		}
+
+		if (strequal(ADS_ATTR_CN_OID, oids_out[i])) {
+			schema->posix_cn_attr = talloc_strdup(schema, names_out[i]);
+			continue;
+		}
 	}
 
 	if (!schema->posix_uidnumber_attr ||
diff --git a/source3/libads/ldap_schema.h b/source3/libads/ldap_schema.h
index fc4ed07..deaf2fb 100644
--- a/source3/libads/ldap_schema.h
+++ b/source3/libads/ldap_schema.h
@@ -31,6 +31,7 @@ struct posix_schema {
 	char *posix_gidnumber_attr;
 	char *posix_gecos_attr;
 	char *posix_uid_attr;
+	char *posix_cn_attr;
 };
 
 /* ldap attribute oids (Services for Unix 3.0, 3.5) */
@@ -58,6 +59,8 @@ struct posix_schema {
 #define ADS_ATTR_RFC2307_GECOS_OID	"1.3.6.1.1.1.1.2"
 #define ADS_ATTR_RFC2307_UID_OID        "0.9.2342.19200300.100.1.1"
 
+#define ADS_ATTR_CN_OID                 "2.5.4.3"
+
 enum wb_posix_mapping {
 	WB_POSIX_MAP_UNKNOWN    = -1,
 	WB_POSIX_MAP_TEMPLATE 	= 0,
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index 5f7ab63..8b4a1e3 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -678,6 +678,7 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
 			       NULL, /* attr_shell */
 			       NULL, /* attr_gecos */
 			       NULL, /* attr_gidnumber */
+			       NULL, /* gecos fallback */
 			       NULL };
 	char *filter = NULL;
 	LDAPMessage *msg_internal = NULL;
@@ -721,6 +722,7 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
 	attrs[1] = ctx->ad_schema->posix_shell_attr;
 	attrs[2] = ctx->ad_schema->posix_gecos_attr;
 	attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
+	attrs[4] = ctx->ad_schema->posix_cn_attr;
 
 	sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
 	filter = talloc_asprintf(mem_ctx, "(objectSid=%s)", sidstr);
@@ -746,6 +748,17 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
 			*gid = (uint32_t)-1;
 	}
 
+	if (*gecos == NULL) {
+		/*
+		 * gecos attribute most often doesn't have a value,
+		 * use the MS displayName attribute as a fallback.
+		 * Will still result in no value for gecos in case the
+		 * LDAP server doesn't use the MS schema.
+		 */
+		*gecos = ads_pull_string(ctx->ads, mem_ctx, msg_internal,
+					 ctx->ad_schema->posix_cn_attr);
+	}
+
 	nt_status = NT_STATUS_OK;
 
 done:
-- 
2.1.0

More information about the samba-technical mailing list