[PATCHv2] Supplement nss info gecos from cn
Ralph Böhme
rb at sernet.de
Tue Jul 28 11:00:03 UTC 2015
On Tue, Jul 28, 2015 at 10:20:38AM +0200, Jakub Hrozek wrote:
> On Tue, Jul 28, 2015 at 07:25:49AM +0300, Alexander Bokovoy wrote:
> > On Mon, 27 Jul 2015, Rowland Penny wrote:
> > > On 27/07/15 21:11, Ralph Böhme wrote:
> > > >On Mon, Jul 27, 2015 at 06:30:51PM +0100, Rowland Penny wrote:
> > > >>On 27/07/15 18:12, Ralph Böhme wrote:
> > > >>>Attached is a small patchset that tries to address a shortcoming in
> > > >>>winbind pulling gecos information from AD.
> > > >>>
> > > >>>Either winbind nss info sfu, sfu20 and rfc2307 will end up querying
> > > >>>the gecos attribute, which will be empty in most cases, as neither
> > > >>>Samba AD nor Windows with IDMU assigns a value to it by default.
> > > >>>
> > > >>>As a result Samba servers pulling nss info via winbind will show empty
> > > >>>gecos fields. Wouldn't it make sense to pull the gecos info from
> > > >>>another attribute like displayName in case gecos is empty?
> > > >>>
> > > >>>Review&comments appreciated. Thanks!
> > > >>>
> > > >>>-Ralph
> > > >>>
> > > >>er, you do realise that if you create a user with samba-tool
> > > >>'samba-tool user create username' you do not get a displayName
> > > >>attribute either,
> > > >yes, but using MS tools will.
> > > >
> > > >>so what are your plans to fall back to ?
> > > >That's not the point.
> > > >
> > > >>Or to put it another way, you cannot presume the displayName
> > > >>attribute will be populated either, so why bother ?
> > > >Because when using MS tools gecos will always be empty while
> > > >displayName will contain something. For Samba users in an MS AD
> > > >environment that makes a difference I guess.
> > > >
> > > >Cheerio!
> > > >-Ralph
> > >
> > > Hi Ralph, I think you are missing the point :-)
> > >
> > > You cannot be sure that displayName will be populated, so if you want
> > > 'gecos' to seemingly contain something, you need to either patch 'samba-tool
> > > user create' to refuse to create the user unless the users first and last
> > > names are also given i.e. just like windows, or test if gecos is empty, if
> > > so, use displayName contents and if this is also empty, fall back to
> > > samaccountname.
> > Well, in case of SSSD we synthesize it from 'cn' (which couldn't be
> > missing). I'd prefer a common behavior here but otherwise I agree with
> > you.
>
> According to the commit message in SSSD, that's compliant with
> section 5.3 of RFC 2307 which states:
>
> An account's GECOS field is preferably determined by a value of the
> gecos attribute. If no gecos attribute exists, the value of the cn
> attribute MUST be used.
updated patchset attached.
-Ralph
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de,mailto:kontakt@sernet.de
-------------- next part --------------
From b88edb1282cd0154ba2b7ec5ec9e98b5e2da3e6e Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Mon, 27 Jul 2015 16:55:46 +0200
Subject: [PATCH 1/2] s3-libads: ldap_schema: zero initialize schema
Signed-off-by: Ralph Boehme <slow at samba.org>
---
source3/libads/ldap_schema.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libads/ldap_schema.c b/source3/libads/ldap_schema.c
index 7368be8..f3a94c9 100644
--- a/source3/libads/ldap_schema.c
+++ b/source3/libads/ldap_schema.c
@@ -252,7 +252,7 @@ ADS_STATUS ads_check_posix_schema_mapping(TALLOC_CTX *mem_ctx,
return ADS_ERROR(LDAP_NO_MEMORY);
}
- if ( (schema = talloc(mem_ctx, struct posix_schema)) == NULL ) {
+ if ( (schema = talloc_zero(mem_ctx, struct posix_schema)) == NULL ) {
TALLOC_FREE( ctx );
return ADS_ERROR(LDAP_NO_MEMORY);
}
--
2.1.0
From ba7b2fc97b0e544ef1b4bce5e4b0463b7986d944 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Tue, 28 Jul 2015 12:30:04 +0200
Subject: [PATCH 2/2] s3-libads: use cn as fallback for empty gecos
This is imo nice to have and actually specified as a MUST in RFC 2307:
An account's GECOS field is preferably determined by a value of the
gecos attribute. If no gecos attribute exists, the value of the cn
attribute MUST be used.
Signed-off-by: Ralph Boehme <slow at samba.org>
---
source3/libads/ldap_schema.c | 14 +++++++++++---
source3/libads/ldap_schema.h | 3 +++
source3/winbindd/idmap_ad.c | 13 +++++++++++++
3 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/source3/libads/ldap_schema.c b/source3/libads/ldap_schema.c
index f3a94c9..6ca32c9 100644
--- a/source3/libads/ldap_schema.c
+++ b/source3/libads/ldap_schema.c
@@ -212,21 +212,24 @@ ADS_STATUS ads_check_posix_schema_mapping(TALLOC_CTX *mem_ctx,
ADS_ATTR_SFU_HOMEDIR_OID,
ADS_ATTR_SFU_SHELL_OID,
ADS_ATTR_SFU_GECOS_OID,
- ADS_ATTR_SFU_UID_OID };
+ ADS_ATTR_SFU_UID_OID,
+ ADS_ATTR_CN_OID };
const char *oids_sfu20[] = { ADS_ATTR_SFU20_UIDNUMBER_OID,
ADS_ATTR_SFU20_GIDNUMBER_OID,
ADS_ATTR_SFU20_HOMEDIR_OID,
ADS_ATTR_SFU20_SHELL_OID,
ADS_ATTR_SFU20_GECOS_OID,
- ADS_ATTR_SFU20_UID_OID };
+ ADS_ATTR_SFU20_UID_OID,
+ ADS_ATTR_CN_OID };
const char *oids_rfc2307[] = { ADS_ATTR_RFC2307_UIDNUMBER_OID,
ADS_ATTR_RFC2307_GIDNUMBER_OID,
ADS_ATTR_RFC2307_HOMEDIR_OID,
ADS_ATTR_RFC2307_SHELL_OID,
ADS_ATTR_RFC2307_GECOS_OID,
- ADS_ATTR_RFC2307_UID_OID };
+ ADS_ATTR_RFC2307_UID_OID,
+ ADS_ATTR_CN_OID };
DEBUG(10,("ads_check_posix_schema_mapping for schema mode: %d\n", map_type));
@@ -333,6 +336,11 @@ ADS_STATUS ads_check_posix_schema_mapping(TALLOC_CTX *mem_ctx,
strequal(ADS_ATTR_SFU20_UID_OID, oids_out[i])) {
schema->posix_uid_attr = talloc_strdup(schema, names_out[i]);
}
+
+ if (strequal(ADS_ATTR_CN_OID, oids_out[i])) {
+ schema->posix_cn_attr = talloc_strdup(schema, names_out[i]);
+ continue;
+ }
}
if (!schema->posix_uidnumber_attr ||
diff --git a/source3/libads/ldap_schema.h b/source3/libads/ldap_schema.h
index fc4ed07..deaf2fb 100644
--- a/source3/libads/ldap_schema.h
+++ b/source3/libads/ldap_schema.h
@@ -31,6 +31,7 @@ struct posix_schema {
char *posix_gidnumber_attr;
char *posix_gecos_attr;
char *posix_uid_attr;
+ char *posix_cn_attr;
};
/* ldap attribute oids (Services for Unix 3.0, 3.5) */
@@ -58,6 +59,8 @@ struct posix_schema {
#define ADS_ATTR_RFC2307_GECOS_OID "1.3.6.1.1.1.1.2"
#define ADS_ATTR_RFC2307_UID_OID "0.9.2342.19200300.100.1.1"
+#define ADS_ATTR_CN_OID "2.5.4.3"
+
enum wb_posix_mapping {
WB_POSIX_MAP_UNKNOWN = -1,
WB_POSIX_MAP_TEMPLATE = 0,
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index 5f7ab63..8b4a1e3 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -678,6 +678,7 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
NULL, /* attr_shell */
NULL, /* attr_gecos */
NULL, /* attr_gidnumber */
+ NULL, /* gecos fallback */
NULL };
char *filter = NULL;
LDAPMessage *msg_internal = NULL;
@@ -721,6 +722,7 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
attrs[1] = ctx->ad_schema->posix_shell_attr;
attrs[2] = ctx->ad_schema->posix_gecos_attr;
attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
+ attrs[4] = ctx->ad_schema->posix_cn_attr;
sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
filter = talloc_asprintf(mem_ctx, "(objectSid=%s)", sidstr);
@@ -746,6 +748,17 @@ static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
*gid = (uint32_t)-1;
}
+ if (*gecos == NULL) {
+ /*
+ * gecos attribute most often doesn't have a value,
+ * use the MS displayName attribute as a fallback.
+ * Will still result in no value for gecos in case the
+ * LDAP server doesn't use the MS schema.
+ */
+ *gecos = ads_pull_string(ctx->ads, mem_ctx, msg_internal,
+ ctx->ad_schema->posix_cn_attr);
+ }
+
nt_status = NT_STATUS_OK;
done:
--
2.1.0
More information about the samba-technical
mailing list