[IPA] SID allocation using DNA plugin

Andrew Bartlett abartlet at samba.org
Mon Oct 26 21:22:35 MDT 2009


On Mon, 2009-10-26 at 23:03 -0400, Endi Sukma Dewata wrote:
> Andrew,
> 
> I have a question related to this proposal:
> http://www.freeipa.org/page/Samba_4_SID_Allocation_using_DNA_Plugin
> 
> Please take a look at dsdb/samdb/ldb_modules/password_hash.c. During an add operation
> the password_hash module tries to extract the domain SID from the object SID.
> 
> static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
> {
> 	ac->domain_sid = samdb_result_sid_prefix(ac, req->op.add.message, "objectSid");
> 	ret = build_domain_data_request(ac);
> }
> 
> The domain SID will be used to create a search filter to find the domain object in the
> following method:
> 
> static int build_domain_data_request(struct ph_context *ac)
> {
> 	attrs[] = { "pwdProperties", "pwdHistoryLength", NULL };
> 	ldb = ldb_module_get_ctx(ac->module);
> 
> 	filter = talloc_asprintf(ac,
> 				 "(objectSid=%s)",
> 				 ldap_encode_ndr_dom_sid(ac, ac->domain_sid));
> 
> 	return ldb_build_search_req(&ac->dom_req, ldb, ac,
> 				    ldb_get_default_basedn(ldb),
> 				    LDB_SCOPE_BASE,
> 				    filter, attrs,
> 				    NULL,
> 				    ac, get_domain_data_callback,
> 				    ac->req);
> }
> 
> It seems like the use of search filter here is redundant because the base DN and
> the scope point to the domain object directly. Is it correct?
> 
> If that's the case, can we use a NULL filter in this search, so we don't need the domain
> SID, meaning we don't need to check the objectSid in the previous method. This way
> the SID can be generated by the backend. Is this correct?

This is a reasonable assumption.  We had in the past written parts of
Samba in a more generic way, trying to support the creation of multiple
domains in a single Samba server.  We don't try this any more, and a
patch to remove this would be gladly accepted.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
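The domain-SID prefix step that the quoted password_hash code relies on (samdb_result_sid_prefix), written as an added stand-alone example that is not Samba's code: it parses a textual SID strictly, drops the trailing RID to obtain the domain SID, and rejects malformed input. The struct and function names are my own, and the sample SID in the comments is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Minimal SID type for this example; not Samba's struct dom_sid. */
#define SID_MAX_SUB_AUTHS 15
struct sid { uint8_t revision; uint64_t id_auth; int num_auths; uint32_t sub_auths[SID_MAX_SUB_AUTHS]; };

/* Parse e.g. the constructed "S-1-5-21-1004336348-1177238915-682003330-512".
 * Returns 0 on success, -1 on malformed input (sign, whitespace, overflow,
 * empty field, too many fields, unknown revision are all rejected). */
int sid_parse(const char *s, struct sid *out)
{
    uint64_t f[2 + SID_MAX_SUB_AUTHS]; int n = 0;
    memset(out, 0, sizeof(*out));
    if (s == NULL || toupper((unsigned char)s[0]) != 'S') return -1;
    s++;
    while (*s == '-') {                       /* every field is "-digits" */
        char *end;
        if (n == 2 + SID_MAX_SUB_AUTHS || !isdigit((unsigned char)s[1])) return -1;
        f[n++] = strtoull(s + 1, &end, 10);   /* ULLONG_MAX on overflow */
        s = end;
    }
    if (*s != '\0' || n < 2 || f[0] != 1 || f[1] > 0xffffffffffffULL) return -1;
    out->revision = 1; out->id_auth = f[1];   /* 48-bit identifier authority */
    for (int i = 2; i < n; i++) {
        if (f[i] > 0xffffffffULL) return -1;  /* sub-authorities are 32-bit */
        out->sub_auths[out->num_auths++] = (uint32_t)f[i];
    }
    return 0;
}

/* Domain prefix = the SID with its last sub-authority (the RID) dropped. */
int sid_domain_prefix(const struct sid *in, struct sid *out)
{
    if (in->num_auths < 1) return -1;         /* nothing to strip */
    *out = *in;
    out->num_auths--;
    return 0;
}

/* Render to "S-r-a-..." text; returns length, or -1 if buf is too small. */
int sid_to_string(const struct sid *in, char *buf, size_t len)
{
    int n = snprintf(buf, len, "S-%u-%llu", in->revision, (unsigned long long)in->id_auth);
    for (int i = 0; i < in->num_auths && n >= 0 && (size_t)n < len; i++)
        n += snprintf(buf + n, len - n, "-%u", in->sub_auths[i]);
    return (n >= 0 && (size_t)n < len) ? n : -1;
}
```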
