On Fri, Oct 05, 2012 at 06:34:25PM +0200, Sumit Bose wrote:
> On Fri, Oct 05, 2012 at 09:45:58AM -0400, Simo Sorce wrote:
> > On Fri, 2012-10-05 at 16:27 +0300, Alexander Bokovoy wrote:
> > > On Tue, 02 Oct 2012, Simo Sorce wrote:
> > > >On Tue, 2012-10-02 at 21:29 +0200, Sumit Bose wrote:
> > > >> Hi,
> > > >>
> > > >> this patch should fix https://fedorahosted.org/freeipa/ticket/2955 by
> > > >> adding a fallback group as described in comment 2 of the ticket in
> > > >> ipa-adtrust-install.
> > > >>
> > > >> If you prefer to use a different kind of group I can change the patch
> > > >> accordingly.
> > > Patch works for me, so ACK except the group name.
> > >
> > > >Yes I think we should use a more natural group name. In my recent
> > > >testing I have been using the name 'Trust Users' that pairs well with
> > > >another group we create called 'Trust Admins'. But I am open to
> > > >suggestions on a better name, 'Domain Users' may be better if we really
> > > >want to associate the wellknown SID to this group.
> > > I'm fine with 'Trust Users'.
> > >
> > > >On the SID side I wonder if using the wellknown 'Domain Users' SID is
> > > >the right thing to do. I do not see any special reasons why it shouldn't
> > > >but I also do not have any special reason why we should.
> > > >Anyone can think of any pros/cons of doing that ?
> > > Since it only has special meaning within the same domain and we are not
> > > using it for anything, it should be fine.
> >
> > Well it has a special meaning for samba servers ... we may have a few in
> > the IPA domain.
> > I think using that SID is fine but I think then the name 'Trust Users'
> > could be confusing to users looking at permissions.
> >
> > We also need to make the group a posix group btw, because samba uses the
> > Primary Group SID for users and if it can't be resolved to uid/gids it
> > will probably prevent authentication.
> >
> > What about calling it 'Default SMB Group' or similar ?
> >
> > Simo.
>
> ok new version attached. The group is now a Posix with an
> automatically assigned SID called 'default_smb_group' and in the
> protected list.
>
> bye,
> Sumit
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
I found a copy-and-paste issue in the first patch, new version attached.
bye,
Sumit
From a855b06f390791e873cf9ee6b49ec7d7f63733c4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 18 Sep 2012 11:32:10 +0200
Subject: [PATCH] ipa-adtrust-install: Add fallback group
---
ipalib/plugins/group.py | 2 +-
ipaserver/install/adtrustinstance.py | 110 +++++++++++++++++++++++++++++++----
2 Dateien geändert, 99 Zeilen hinzugefügt(+), 13 Zeilen entfernt(-)
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index
45758d320bb58f3933938ce579d211a83d56ce09..1611e422bbef3d1ee9c71a819b7f9cc13cd819ab
100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -107,7 +107,7 @@ Example:
ipa group-add-member ad_admins --groups ad_admins_external
""")
-PROTECTED_GROUPS = (u'admins', u'trust admins')
+PROTECTED_GROUPS = (u'admins', u'trust admins', u'default_smb_group')
class group(LDAPObject):
"""
diff --git a/ipaserver/install/adtrustinstance.py
b/ipaserver/install/adtrustinstance.py
index
c44037754dfd74cf6a9ceda4c9f4d2a6a224b1ea..3c7aeb578cc7b1062f2b5b78e434a8af69be1aaa
100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -22,6 +22,7 @@ import errno
import ldap
import tempfile
import uuid
+import krbV
from ipaserver import ipaldap
from ipaserver.install import installutils
from ipaserver.install import service
@@ -96,9 +97,11 @@ class ADTRUSTInstance(service.Service):
ATTR_SID = "ipaNTSecurityIdentifier"
ATTR_FLAT_NAME = "ipaNTFlatName"
ATTR_GUID = "ipaNTDomainGUID"
+ ATTR_FALLBACK_GROUP = "ipaNTFallbackPrimaryGroup"
OBJC_USER = "ipaNTUserAttrs"
OBJC_GROUP = "ipaNTGroupAttrs"
OBJC_DOMAIN = "ipaNTDomainAttrs"
+ FALLBACK_GROUP_NAME = u'Default_SMB_Group'
def __init__(self, fstore=None):
self.fqdn = None
@@ -134,6 +137,18 @@ class ADTRUSTInstance(service.Service):
return "S-1-5-21-%d-%d-%d" % (sub_ids[0], sub_ids[1], sub_ids[2])
def __add_admin_sids(self):
+ """
+ The IPA admin and the IPA admins group with get the well knows SIDs
+ used by AD for the administrator and the administrator group.
+ Additonally the well know domain users SID will be assinged to a
+ special fallback group.
+
+ By default new users belong only to a user private group (UPG) and no
+ other Posix group since ipausers is not a Posix group anymore. To be
+ able to add a RID to the primary RID attribute in a PAC a fallback
+ group is added.
+ """
+
admin_dn = DN(('uid', 'admin'), api.env.container_user,
self.suffix)
admin_group_dn = DN(('cn', 'admins'), api.env.container_group,
@@ -163,24 +178,94 @@ class ADTRUSTInstance(service.Service):
print "IPA admin group object not found"
return
- if admin_entry.getValue(self.ATTR_SID) or \
- admin_group_entry.getValue(self.ATTR_SID):
- print "Admin SID already set, nothing to do"
+ if admin_entry.getValue(self.ATTR_SID):
+ self.print_msg("Admin SID already set, nothing to do")
+ else:
+ try:
+ self.admin_conn.modify_s(admin_dn, \
+ [(ldap.MOD_ADD, "objectclass", self.OBJC_USER), \
+ (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
+ except:
+ self.print_msg("Failed to modify IPA admin object")
+
+ if admin_group_entry.getValue(self.ATTR_SID):
+ self.print_msg("Admin group SID already set, nothing to do")
+ else:
+ try:
+ self.admin_conn.modify_s(admin_group_dn, \
+ [(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP), \
+ (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")])
+ except:
+ self.print_msg("Failed to modify IPA admin group object")
+
+
+ def __add_fallback_group(self):
+ """
+ By default new users belong only to a user private group (UPG) and no
+ other Posix group since ipausers is not a Posix group anymore. To be
+ able to add a RID to the primary RID attribute in a PAC a fallback
+ group is added.
+
+ Since this method must be run after a restart of the directory server
+ to enable the sidgen plugin we have to reconnect to the directory
+ server.
+ """
+
+ self.ldap_connect()
+ try:
+ ctx = krbV.default_context()
+ ccache = ctx.default_ccache()
+ except krbV.Krb5Error, e:
+ self.print_msg("Must have Kerberos credentials to setup " \
+ "AD trusts on server")
return
try:
- self.admin_conn.modify_s(admin_dn, \
- [(ldap.MOD_ADD, "objectclass", self.OBJC_USER), \
- (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
- except:
- print "Failed to modify IPA admin object"
+ api.Backend.ldap2.disconnect()
+ api.Backend.ldap2.connect(ccache.name)
+ except errors.ACIError, e:
+ self.print_msg("Outdated Kerberos credentials. " \
+ "Use kdestroy and kinit to update your ticket")
+ return
+ except errors.DatabaseError, e:
+ self.print_msg("Cannot connect to the LDAP database. " \
+ "Please check if IPA is running")
+ return
+
+ try:
+ dom_entry = self.admin_conn.getEntry(self.smb_dom_dn, \
+ ldap.SCOPE_BASE)
+ except errors.NotFound:
+ self.print_msg("Samba domain object not found")
+ return
+
+ if dom_entry.getValue(self.ATTR_FALLBACK_GROUP):
+ self.print_msg("Fallback group already set, nothing to do")
+ return
+
+ fb_group_dn = DN(('cn', self.FALLBACK_GROUP_NAME),
+ api.env.container_group, self.suffix)
+ try:
+ self.admin_conn.getEntry(fb_group_dn, ldap.SCOPE_BASE)
+ except errors.NotFound:
+ try:
+ fallback = api.Command['group_add'](self.FALLBACK_GROUP_NAME,
+ description= u'Fallback group for '
\
+ 'primary group RID, '
\
+ 'do not add user to '
\
+ 'this group',
+ nonposix=False)
+ fb_group_dn = fallback['result']['dn']
+ except Exception, e:
+ self.print_msg("Failed to add fallback group.")
+ raise e
try:
- self.admin_conn.modify_s(admin_group_dn, \
- [(ldap.MOD_ADD, "objectclass", self.OBJC_GROUP), \
- (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-512")])
+ mod = [(ldap.MOD_ADD, self.ATTR_FALLBACK_GROUP,
+ fallback['result']['dn'])]
+ self.admin_conn.modify_s(self.smb_dom_dn, mod)
except:
- print "Failed to modify IPA admin group object"
+ self.print_msg("Failed to add fallback group to domain object")
def __add_rid_bases(self):
"""
@@ -612,6 +697,7 @@ class ADTRUSTInstance(service.Service):
self.__add_dns_service_records)
self.step("restarting Directory Server to take MS PAC and LDAP plugins
changes into account", \
self.__restart_dirsrv)
+ self.step("adding fallback group", self.__add_fallback_group)
self.step("setting SELinux booleans", \
self.__configure_selinux_for_smbd)
self.step("starting CIFS services", self.__start)
--
1.7.11.4
From 0071498c8e5f29e1541cbc8b8674dc62d9e7c556 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 18 Sep 2012 11:35:57 +0200
Subject: [PATCH 76/78] ipa-adtrust-install: replace print with self.print_msg
---
ipaserver/install/adtrustinstance.py | 28 ++++++++++++++--------------
1 Datei geändert, 14 Zeilen hinzugefügt(+), 14 Zeilen entfernt(-)
diff --git a/ipaserver/install/adtrustinstance.py
b/ipaserver/install/adtrustinstance.py
index
fe44ef36dab1c124c062db84207995adb4649723..cdad99c8ec994a1170ed58a8b31596bca03c89a6
100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -157,25 +157,25 @@ class ADTRUSTInstance(service.Service):
dom_entry = self.admin_conn.getEntry(self.smb_dom_dn, \
ldap.SCOPE_BASE)
except errors.NotFound:
- print "Samba domain object not found"
+ self.print_msg("Samba domain object not found")
return
dom_sid = dom_entry.getValue(self.ATTR_SID)
if not dom_sid:
- print "Samba domain object does not have a SID"
+ self.print_msg("Samba domain object does not have a SID")
return
try:
admin_entry = self.admin_conn.getEntry(admin_dn, ldap.SCOPE_BASE)
except:
- print "IPA admin object not found"
+ self.print_msg("IPA admin object not found")
return
try:
admin_group_entry = self.admin_conn.getEntry(admin_group_dn, \
ldap.SCOPE_BASE)
except:
- print "IPA admin group object not found"
+ self.print_msg("IPA admin group object not found")
return
if admin_entry.getValue(self.ATTR_SID):
@@ -279,13 +279,13 @@ class ADTRUSTInstance(service.Service):
if res[0].getValue('ipaBaseRID') or \
res[0].getValue('ipaSecondaryBaseRID'):
- print "RID bases already set, nothing to do"
+ self.print_msg("RID bases already set, nothing to do")
return
size = res[0].getValue('ipaIDRangeSize')
if abs(self.rid_base - self.secondary_rid_base) > size:
- print "Primary and secondary RID base are too close. " \
- "They have to differ at least by %d." % size
+ self.print_msg("Primary and secondary RID base are too close.
" \
+ "They have to differ at least by %d." % size)
raise RuntimeError("RID bases too close.\n")
try:
@@ -295,7 +295,7 @@ class ADTRUSTInstance(service.Service):
(ldap.MOD_ADD, "ipaSecondaryBaseRID",
\
str(self.secondary_rid_base))])
except:
- print "Failed to add RID bases to the local range object"
+ self.print_msg("Failed to add RID bases to the local range
object")
except errors.NotFound as e:
root_logger.critical("ID range of the local domain not found, " \
@@ -322,8 +322,8 @@ class ADTRUSTInstance(service.Service):
try:
name = new_dn[1].attr
except Exception, e:
- print 'Cannot extract RDN attribute value from "%s": %s' %
\
- (new_dn, e)
+ self.print_msg('Cannot extract RDN attribute value from
"%s": %s' % \
+ (new_dn, e))
return
entry.setValues("cn", name)
self.admin_conn.addEntry(entry)
@@ -440,12 +440,12 @@ class ADTRUSTInstance(service.Service):
"as it is not defined in IPA" % zone
if err_msg:
- print err_msg
- print "Add the following service records to your DNS server " \
- "for DNS zone %s: " % zone
+ self.print_msg(err_msg)
+ self.print_msg("Add the following service records to your DNS " \
+ "server for DNS zone %s: " % zone)
for (srv, rdata) in ipa_srv_rec:
for suff in win_srv_suffix:
- print " - %s%s" % (srv, suff)
+ self.print_msg(" - %s%s" % (srv, suff))
return
for (srv, rdata) in ipa_srv_rec:
--
1.7.11.4
From 2fb8f182b2dd465c1c5ac9a0b6ca33c15d21971f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 24 Sep 2012 17:25:07 +0200
Subject: [PATCH 77/78] ipasam: add fallback primary group
---
daemons/ipa-sam/ipa_sam.c | 237 ++++++++++++++++++++++++++++++++++++++++++++--
1 Datei geändert, 230 Zeilen hinzugefügt(+), 7 Zeilen entfernt(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index
db300022af0a29c32a2df5e5ef2bc12f39ed2886..2453eb09ce1d168c3d4389c09265cd63d65c5c9d
100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -121,6 +121,8 @@ bool secrets_store(const char *key, const void *data,
size_t size); /* available
#define LDAP_ATTRIBUTE_LOGON_SCRIPT "ipaNTLogonScript"
#define LDAP_ATTRIBUTE_PROFILE_PATH "ipaNTProfilePath"
#define LDAP_ATTRIBUTE_NTHASH "ipaNTHash"
+#define LDAP_ATTRIBUTE_UIDNUMBER "uidnumber"
+#define LDAP_ATTRIBUTE_GIDNUMBER "gidnumber"
#define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
#define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
@@ -155,7 +157,7 @@ struct ipasam_privates {
char *base_dn;
char *trust_dn;
char *flat_name;
- char *fallback_primary_group;
+ struct dom_sid fallback_primary_group;
char *server_princ;
char *client_princ;
struct sss_idmap_ctx *idmap_ctx;
@@ -2677,6 +2679,141 @@ static bool ipasam_nthash_regen(struct ldapsam_privates
*ldap_state,
return (ret == LDAP_SUCCESS);
}
+static int ipasam_get_sid_by_gid(struct ldapsam_privates *ldap_state,
+ uint32_t gid,
+ struct dom_sid *_sid)
+{
+ int ret;
+ char *filter;
+ TALLOC_CTX *tmp_ctx;
+ LDAPMessage *entry = NULL;
+ LDAPMessage *result = NULL;
+ char *sid_str = NULL;
+ struct dom_sid *sid = NULL;
+ int count;
+ enum idmap_error_code err;
+
+ tmp_ctx = talloc_new("ipasam_get_sid_by_gid");
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)(%s=%lu))",
+ LDAP_ATTRIBUTE_OBJECTCLASS,
+ LDAP_OBJ_POSIXGROUP,
+ LDAP_ATTRIBUTE_GIDNUMBER,
+ (unsigned long) gid);
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = smbldap_search(ldap_state->smbldap_state,
+ ldap_state->ipasam_privates->base_dn,
+ LDAP_SCOPE_SUBTREE,filter, NULL, 0,
+ &result);
+ if (ret != LDAP_SUCCESS) {
+ ret = ENOENT;
+ goto done;
+ }
+
+ count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
+ result);
+ if (count != 1) {
+ ret = ENOENT;
+ goto done;
+ }
+
+ entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct,
result);
+ if (entry == NULL) {
+ ret = ENOENT;
+ goto done;
+ }
+
+ sid_str = get_single_attribute(tmp_ctx,
+ ldap_state->smbldap_state->ldap_struct,
+ entry, LDAP_ATTRIBUTE_SID);
+ if (sid_str == NULL) {
+ ret = ENOENT;
+ goto done;
+ }
+
+ err = sss_idmap_sid_to_smb_sid(ldap_state->ipasam_privates->idmap_ctx,
+ sid_str, &sid);
+ if (err != IDMAP_SUCCESS) {
+ ret = EFAULT;
+ goto done;
+ }
+ sid_copy(_sid, sid);
+
+ ret = 0;
+
+done:
+ talloc_free(sid);
+ ldap_msgfree(result);
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx,
+ struct ldapsam_privates *ldap_state,
+ LDAPMessage *entry,
+ struct dom_sid **_group_sid)
+{
+ int ret;
+ uint32_t uid;
+ uint32_t gid;
+ struct dom_sid *group_sid;
+
+ TALLOC_CTX *tmp_ctx = talloc_init("ipasam_get_primary_group_sid");
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ if (!get_uint32_t_from_ldap_msg(ldap_state, entry,
+ LDAP_ATTRIBUTE_UIDNUMBER, &uid)) {
+ ret = ENOENT;
+ DEBUG(1, ("No uidnumber attribute found for this user!\n"));
+ goto done;
+ }
+
+ if (!get_uint32_t_from_ldap_msg(ldap_state, entry,
+ LDAP_ATTRIBUTE_GIDNUMBER, &gid)) {
+ ret = ENOENT;
+ DEBUG(1, ("No gidnumber attribute found for this user!\n"));
+ goto done;
+ }
+
+ group_sid = talloc(tmp_ctx, struct dom_sid);
+ if (group_sid == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (uid == gid) { /* User private group, use default fallback group */
+ sid_copy(group_sid,
+ &ldap_state->ipasam_privates->fallback_primary_group);
+ ret = 0;
+ goto done;
+ } else {
+ ret = ipasam_get_sid_by_gid(ldap_state, gid, group_sid);
+ if (ret != 0) {
+ goto done;
+ }
+ }
+
+ ret = 0;
+done:
+ if (ret == 0) {
+ *_group_sid = talloc_steal(mem_ctx, group_sid);
+ }
+
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state,
struct samu * sampass,
LDAPMessage * entry)
@@ -2692,7 +2829,9 @@ static bool init_sam_from_ldap(struct ldapsam_privates
*ldap_state,
char *temp = NULL;
bool ret = false;
bool retval = false;
+ int status;
DATA_BLOB nthash;
+ struct dom_sid *group_sid;
TALLOC_CTX *tmp_ctx = talloc_init("init_sam_from_ldap");
if (!tmp_ctx) {
@@ -2738,6 +2877,12 @@ static bool init_sam_from_ldap(struct ldapsam_privates
*ldap_state,
entry, LDAP_ATTRIBUTE_SECURITY_IDENTIFIER,
tmp_ctx)) != NULL) {
pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
+
+ status = ipasam_get_primary_group_sid(tmp_ctx, ldap_state,
+ entry, &group_sid);
+ if (status != 0) {
+ goto fn_exit;
+ }
} else {
goto fn_exit;
}
@@ -2872,6 +3017,7 @@ done:
talloc_free(tmp_ctx);
return status;
}
+
static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *methods,
struct samu *user,
const char *sname)
@@ -3105,6 +3251,70 @@ static void ipasam_free_private_data(void **vp)
/* No need to free any further, as it is talloc()ed */
}
+static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx,
+ struct smbldap_state *ldap_state,
+ struct sss_idmap_ctx *idmap_ctx,
+ LDAPMessage *dom_entry)
+{
+ char *dn;
+ char *sid;
+ int ret;
+ const char *filter = "objectClass=*";
+ const char *attr_list[] = {
+ LDAP_ATTRIBUTE_SID,
+ NULL};
+ LDAPMessage *result;
+ LDAPMessage *entry;
+ enum idmap_error_code err;
+ struct dom_sid *fallback_group_sid;
+
+ dn = get_single_attribute(mem_ctx, ldap_state->ldap_struct,
+ dom_entry,
+ LDAP_ATTRIBUTE_FALLBACK_PRIMARY_GROUP);
+ if (dn == NULL) {
+ DEBUG(0, ("Missing mandatory attribute %s.\n",
+ LDAP_ATTRIBUTE_FALLBACK_PRIMARY_GROUP));
+ return NULL;
+ }
+
+ ret = smbldap_search(ldap_state, dn, LDAP_SCOPE_BASE, filter, attr_list,
+ 0, &result);
+ talloc_free(dn);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(2,("Failed to read faillback group [%s].", dn));
+ return NULL;
+ }
+
+ entry = ldap_first_entry(ldap_state->ldap_struct, result);
+ if (entry == NULL) {
+ DEBUG(0, ("Could not get fallback group entry\n"));
+ ldap_msgfree(result);
+ return NULL;
+ }
+
+ sid = get_single_attribute(mem_ctx, ldap_state->ldap_struct,
+ entry, LDAP_ATTRIBUTE_SID);
+ if (sid == NULL) {
+ DEBUG(0, ("Missing mandatory attribute %s.\n",
+ LDAP_ATTRIBUTE_SID));
+ ldap_msgfree(result);
+ return NULL;
+ }
+
+ err = sss_idmap_sid_to_smb_sid(idmap_ctx, sid, &fallback_group_sid);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(1, ("SID [%s] could not be converted\n", sid));
+ ldap_msgfree(result);
+ talloc_free(sid);
+ return NULL;
+ }
+
+ ldap_msgfree(result);
+ talloc_free(sid);
+
+ return fallback_group_sid;
+}
+
static NTSTATUS ipasam_search_domain_info(struct smbldap_state *ldap_state,
LDAPMessage ** result)
{
@@ -3686,6 +3896,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods
**pdb_method,
char *dn = NULL;
char *domain_sid_string = NULL;
struct dom_sid *ldap_domain_sid = NULL;
+ struct dom_sid *fallback_group_sid = NULL;
LDAPMessage *result = NULL;
LDAPMessage *entry = NULL;
@@ -3815,12 +4026,6 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods
**pdb_method,
return NT_STATUS_INVALID_PARAMETER;
}
- domain_sid_string = get_single_attribute(
- ldap_state,
- ldap_state->smbldap_state->ldap_struct,
- entry,
- LDAP_ATTRIBUTE_SID);
-
err = sss_idmap_init(idmap_talloc, ldap_state->ipasam_privates,
idmap_talloc_free,
&ldap_state->ipasam_privates->idmap_ctx);
@@ -3829,6 +4034,24 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods
**pdb_method,
return NT_STATUS_UNSUCCESSFUL;
}
+ fallback_group_sid = get_fallback_group_sid(ldap_state,
+ ldap_state->smbldap_state,
+ ldap_state->ipasam_privates->idmap_ctx,
+ result);
+ if (fallback_group_sid == NULL) {
+ DEBUG(0, ("Cannot find SID of fallback group.\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ sid_copy(&ldap_state->ipasam_privates->fallback_primary_group,
+ fallback_group_sid);
+ talloc_free(fallback_group_sid);
+
+ domain_sid_string = get_single_attribute(
+ ldap_state,
+ ldap_state->smbldap_state->ldap_struct,
+ entry,
+ LDAP_ATTRIBUTE_SID);
+
if (domain_sid_string) {
err =
sss_idmap_sid_to_smb_sid(ldap_state->ipasam_privates->idmap_ctx,
domain_sid_string,
--
1.7.11.4
From 706872e48515d54c70f14ffee35c81ab2b8000c4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 25 Sep 2012 11:11:40 +0200
Subject: [PATCH 78/78] ipadb: use ipaNTGroupAttrs to search for the fallback
group
Since we are primarily interested in the SID of the fallback group we
should use the objectclass containing it in the search filter.
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
1 Datei geändert, 1 Zeile hinzugefügt(+), 1 Zeile entfernt(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index
b3cef97db1bfe120d00b3bbfd30ed392dbb7b385..1a03323d137a2b89a08f5b12ca00752e4e190de7
100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1590,7 +1590,7 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context
*ipactx)
if (ret != ENOENT) {
kerr = ipadb_simple_search(ipactx, ipactx->mspac->fallback_group,
LDAP_SCOPE_BASE,
- "(objectclass=posixGroup)",
+ "(objectclass=ipaNTGroupAttrs)",
grp_attrs, &result);
if (kerr && kerr != KRB5_KDB_NOENTRY) {
kerr = ret;
--
1.7.11.4
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
