2025-07-23 20:59:10 +03:00 · 2012-06-20 12:51:43 +10:00
parent 2b50e8c534
commit 352dbddb6d
3 changed files with 51 additions and 22 deletions
--- a/source4/scripting/python/samba/provision/init.py
+++ b/source4/scripting/python/samba/provision/init.py
@ -1604,7 +1604,8 @@ def provision(logger, session_info, credentials, smbconf=None,
        backend_type=None, sitename=None,
        ol_mmr_urls=None, ol_olc=None, slapd_path="/bin/false",
        useeadb=False, am_rodc=False,
-        lp=None, use_ntvfs=False):
+        lp=None, use_ntvfs=False,
+        use_rfc2307=False):
    """Provision samba4

    :note: caution, this wipes all existing data!
@ -1648,6 +1649,9 @@ def provision(logger, session_info, credentials, smbconf=None,

    server_services = []
    global_param = {}
+    if use_rfc2307:
+        global_param["idmap_ldb:use rfc2307"] = ["yes"]
+
    if dns_backend == "SAMBA_INTERNAL":
        server_services.append("+dns")

--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@ -702,7 +702,7 @@ Please fix this account before attempting to upgrade again
                       dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
                       hostname=netbiosname.lower(), machinepass=machinepass,
                       serverrole=serverrole, samdb_fill=FILL_FULL,
-                       useeadb=useeadb, dns_backend=dns_backend)
+                       useeadb=useeadb, dns_backend=dns_backend, use_rfc2307=True)
    result.report_logger(logger)

    # Import WINS database
--- a/source4/winbind/idmap.c
+++ b/source4/winbind/idmap.c
@ -230,11 +230,20 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
 	
 	switch (unixid->type) {
 		case ID_TYPE_UID:
-			ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg, NULL, LDB_SCOPE_SUBTREE, 
+			if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) {
+				ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg,
+						      ldb_get_default_basedn(idmap_ctx->samdb),
+						      LDB_SCOPE_SUBTREE,
 						      sam_attrs, 0,
-					      "(&(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)(uidNumber=%u)(objectSid=*)"
+						      "(&(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)"
+						      "(uidNumber=%u)(objectSid=*)"
 						      "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
 						      ATYPE_ACCOUNT, unixid->id);
+			} else {
+				/* If we are not to use the rfc2307 attributes, we just emulate a non-match */
+				ret = LDB_ERR_NO_SUCH_OBJECT;
+			}
+
 			if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
 				DEBUG(1, ("Search for uidNumber=%lu gave duplicate results, failing to map to a SID!\n",
 					  (unsigned long)unixid->id));
@ -242,7 +251,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
 				goto failed;
 			} else if (ret == LDB_SUCCESS) {
 				*sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
-				if (*sid) {
+				if (*sid == NULL) {
 					DEBUG(1, ("Search for uidNumber=%lu did not return an objectSid!\n",
 						  (unsigned long)unixid->id));
 					status = NT_STATUS_NONE_MAPPED;
@ -260,11 +269,19 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
 			id_type = "ID_TYPE_UID";
 			break;
 		case ID_TYPE_GID:
-			ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg, NULL, LDB_SCOPE_SUBTREE, 
+			if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) {
+				ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg,
+						      ldb_get_default_basedn(idmap_ctx->samdb),
+						      LDB_SCOPE_SUBTREE,
 						      sam_attrs, 0,
 						      "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u)"
 						      "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
-					      ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP, unixid->id);
+						      ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP,
+						      unixid->id);
+			} else {
+				/* If we are not to use the rfc2307 attributes, we just emulate a non-match */
+				ret = LDB_ERR_NO_SUCH_OBJECT;
+			}
 			if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
 				DEBUG(1, ("Search for gidNumber=%lu gave duplicate results, failing to map to a SID!\n",
 					  (unsigned long)unixid->id));
@ -272,7 +289,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
 				goto failed;
 			} else if (ret == LDB_SUCCESS) {
 				*sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
-				if (*sid) {
+				if (*sid == NULL) {
 					DEBUG(1, ("Search for gidNumber=%lu did not return an objectSid!\n",
 						  (unsigned long)unixid->id));
 					status = NT_STATUS_NONE_MAPPED;
@ -418,7 +435,10 @@ static NTSTATUS idmap_sid_to_xid(struct idmap_context *idmap_ctx,
 	 * much like a winbindd member server running idmap_ad
 	 */
 	
-	ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &sam_msg, NULL, LDB_SCOPE_SUBTREE, sam_attrs, 0,
+	if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) {
+		ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &sam_msg,
+				      ldb_get_default_basedn(idmap_ctx->samdb),
+				      LDB_SCOPE_SUBTREE, sam_attrs, 0,
 				      "(&(objectSid=%s)"
 				      "(|(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)"
 				      "(sAMaccountType=%u)"
@ -426,6 +446,11 @@ static NTSTATUS idmap_sid_to_xid(struct idmap_context *idmap_ctx,
 				      "(|(uidNumber=*)(gidNumber=*))"
 				      "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
 				      dom_sid_string(tmp_ctx, sid), ATYPE_ACCOUNT, ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
+	} else {
+		/* If we are not to use the rfc2307 attributes, we just emulate a non-match */
+		ret = LDB_ERR_NO_SUCH_OBJECT;
+	}
+
 	if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
 		DEBUG(1, ("Search for objectSid=%s gave duplicate results, failing to map to a unix ID!\n",
 			  dom_sid_string(tmp_ctx, sid)));