sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-08 04:58:40 +03:00
Code

idmap_rfc2307: Fix handling of cn realm

Browse Source 
When cn_realm was set, the idmap_rfc2307 module tried to determine the
realm from the AD connection struct. In case of referring to a different
domain using the ldap_domain config option, the wrong realm was used.

Since the LDAP-server case already requires having the realm in the
config, extend that to the AD case to fix the issue: Having LDAP records
with @realm in the cn, now always requires having the realm in the
config.

Now cn_realm and ldap_realm always would have to be specified together,
so replace the two options with a single "realm" option.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
This commit is contained in:
Christof Schmitt 2015-12-08 11:52:41 -07:00 committed by Volker Lendecke
parent b36c6214f0
commit 7cd99b4207
1 changed files with 14 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
source3/winbindd/idmap_rfc2307.c
View File

@ -38,7 +38,6 @@ struct idmap_rfc2307_context {
const char *bind_path_user;
const char *bind_path_group;
const char *ldap_domain;
bool cn_realm;
bool user_cn;
const char *realm;
@ -82,9 +81,6 @@ static NTSTATUS idmap_rfc2307_ads_check_connection(struct idmap_domain *dom)
status = ads_idmap_cached_connection(&ctx->ads, dom_name);
if (ADS_ERR_OK(status)) {
ctx->ldap = ctx->ads->ldap.ld;
if (ctx->cn_realm) {
ctx->realm = ctx->ads->server.realm;
}
} else {
DEBUG(1, ("Could not connect to domain %s: %s\n", dom->name,
ads_errstr(status)));
@ -172,7 +168,7 @@ static NTSTATUS idmap_rfc2307_init_ldap(struct idmap_rfc2307_context *ctx,
NTSTATUS ret;
char *url;
char *secret = NULL;
const char *ldap_url, *user_dn, *ldap_realm;
const char *ldap_url, *user_dn;
TALLOC_CTX *mem_ctx = ctx;
ldap_url = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
@ -204,21 +200,6 @@ static NTSTATUS idmap_rfc2307_init_ldap(struct idmap_rfc2307_context *ctx,
ctx->search = idmap_rfc2307_ldap_search;
if (ctx->cn_realm) {
ldap_realm = lp_parm_const_string(-1, config_option,
"ldap_realm", NULL);
if (!ldap_realm) {
DEBUG(1, ("ERROR: cn_realm set, "
"but ldap_realm is missing\n"));
ret = NT_STATUS_UNSUCCESSFUL;
goto done;
}
ctx->realm = talloc_strdup(mem_ctx, ldap_realm);
if (!ctx->realm) {
ret = NT_STATUS_NO_MEMORY;
}
}
done:
talloc_free(url);
return ret;
@ -276,7 +257,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
continue;
}
if (ctx->cn_realm) {
if (ctx->realm != NULL) {
/* Strip @realm from user or group name */
char *delim;
@ -487,7 +468,7 @@ static NTSTATUS idmap_rfc_2307_sids_to_names(TALLOC_CTX *mem_ctx,
switch(lsa_type) {
case SID_NAME_USER:
id->xid.type = map->type = ID_TYPE_UID;
if (ctx->user_cn && ctx->cn_realm) {
if (ctx->user_cn && ctx->realm != NULL) {
name = talloc_asprintf(mem_ctx, "%s@%s",
name, ctx->realm);
}
@ -497,7 +478,7 @@ static NTSTATUS idmap_rfc_2307_sids_to_names(TALLOC_CTX *mem_ctx,
case SID_NAME_DOM_GRP:
case SID_NAME_ALIAS:
case SID_NAME_WKN_GRP:
if (ctx->cn_realm) {
if (ctx->realm != NULL) {
name = talloc_asprintf(mem_ctx, "%s@%s",
name, ctx->realm);
}
@ -781,7 +762,7 @@ static NTSTATUS idmap_rfc2307_initialize(struct idmap_domain *domain)
{
struct idmap_rfc2307_context *ctx;
char *cfg_opt;
const char *bind_path_user, *bind_path_group, *ldap_server;
const char *bind_path_user, *bind_path_group, *ldap_server, *realm;
NTSTATUS status;
ctx = talloc_zero(domain, struct idmap_rfc2307_context);
@ -842,7 +823,15 @@ static NTSTATUS idmap_rfc2307_initialize(struct idmap_domain *domain)
goto err;
}
ctx->cn_realm = lp_parm_bool(-1, cfg_opt, "cn_realm", false);
realm = lp_parm_const_string(-1, cfg_opt, "realm", NULL);
if (realm) {
ctx->realm = talloc_strdup(ctx, realm);
if (ctx->realm == NULL) {
status = NT_STATUS_NO_MEMORY;
goto err;
}
}
ctx->user_cn = lp_parm_bool(-1, cfg_opt, "user_cn", false);
domain->private_data = ctx;