From c759197de2cd6354e3f43658832701b84eb9a76e Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Fri, 12 Apr 2013 15:38:27 +0200
Subject: [PATCH] Option 'automatic-id-mapping' turns off id mapping

This new per-realm option 'automatic-id-mapping = no' turns off automatic ID mapping, and makes sssd and winbind obey RFC2307 when configured.

https://bugs.freedesktop.org/show_bug.cgi?id=60679
---
 doc/manual/realmd-guide-configuring.xml | 18 ++++++++++++++++
 service/realm-options.c | 6 ++++++
 service/realm-options.h | 2 ++
 service/realm-samba-winbind.c | 37 +++++++++++++++++++++++++--------
 service/realm-samba-winbind.h | 1 +
 service/realm-samba.c | 6 +++++-
 service/realm-sssd-ad.c | 1 +
 7 files changed, 61 insertions(+), 10 deletions(-)

diff --git a/doc/manual/realmd-guide-configuring.xml b/doc/manual/realmd-guide-configuring.xml
index 1c488e6..f1a6bad 100644
--- a/doc/manual/realmd-guide-configuring.xml
+++ b/doc/manual/realmd-guide-configuring.xml
@@ -237,5 +237,23 @@ computer-ou = OU=Linux Computers,DC=domain,DC=example,DC=com
+
+ automatic-id-mapping + + This option is on by default for Active Directory realms. + Turn it off to use UID and GID information stored in the + directory (as-per RFC2307) rather than automatically generating + UID and GID numbers. + + + +[domain.example.com] +automatic-id-mapping = no +# automatic-id-mapping = yes + + + +
+
diff --git a/service/realm-options.c b/service/realm-options.c
index 9b45b87..3d22fcc 100644
--- a/service/realm-options.c
+++ b/service/realm-options.c
@@ -56,3 +56,9 @@ realm_options_computer_ou (GVariant *options,
 return g_strdup (computer_ou);
 }
+
+gboolean
+realm_options_automatic_mapping (const gchar *realm_name)
+{
+ return realm_settings_boolean (realm_name, "automatic-id-mapping", TRUE);
+}
diff --git a/service/realm-options.h b/service/realm-options.h
index 1a9b319..d712067 100644
--- a/service/realm-options.h
+++ b/service/realm-options.h
@@ -28,6 +28,8 @@ const gchar * realm_options_computer_ou (GVariant *options,
 const gchar * realm_options_user_principal (GVariant *options);
+gboolean realm_options_automatic_mapping (const gchar *realm_name);
+
 G_END_DECLS
 #endif /* __REALM_OPTIONS_H__ */
diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
index d67cf8f..26824d2 100644
--- a/service/realm-samba-winbind.c
+++ b/service/realm-samba-winbind.c
@@ -71,6 +71,7 @@ on_enable_do_nss (GObject *source,
 void
 realm_samba_winbind_configure_async (RealmIniConfig *config,
+ gboolean automatic_mapping,
 GDBusMethodInvocation *invocation,
 GAsyncReadyCallback callback,
 gpointer user_data)
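Review bot: realm_options_automatic_mapping is added to realm-options.c without a comment saying what TRUE means, and the default of TRUE is only discoverable by reading the body, so the declaration in realm-options.h is opaque to callers. A one-line comment above the definition would settle it: `/* Per-realm "automatic-id-mapping" setting; TRUE (the default) means UID/GID numbers are synthesized instead of being read from the directory's RFC2307 attributes. */`. The body is a direct wrapper around realm_settings_boolean, so whether a NULL realm_name is tolerated depends on that function and is worth stating in the same comment if it is known.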
@@ -89,15 +90,33 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
 /* TODO: need to use autorid mapping */
- realm_ini_config_change (config, REALM_SAMBA_CONFIG_GLOBAL, &error,
- "idmap uid", "10000-20000",
- "idmap gid", "10000-20000",
- "winbind enum users", "no",
- "winbind enum groups", "no",
- "template shell", realm_settings_string ("users", "default-shell"),
- "winbind offline logon", "yes",
- "winbind refresh tickets", "yes",
- NULL);
+ if (realm_ini_config_begin_change(config, &error)) {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "winbind enum users", "no",
+ "winbind enum groups", "no",
+ "winbind offline logon", "yes",
+ "winbind refresh tickets", "yes",
+ "template shell", realm_settings_string ("users", "default-shell"),
+ NULL);
+
+ if (automatic_mapping) {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap uid", "10000-2000000",
+ "idmap gid", "10000-2000000",
+ "idmap backend", "tdb",
+ "idmap schema", NULL,
+ NULL);
+ } else {
+ realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
+ "idmap uid", "500-4294967296",
+ "idmap gid", "500-4294967296",
+ "idmap backend", "ad",
+ "idmap schema", "rfc2307",
+ NULL);
+ }
+
+ realm_ini_config_finish_change (config, &error);
+ }
 if (error == NULL) {
 realm_service_enable_and_restart ("winbind", invocation,
diff --git a/service/realm-samba-winbind.h b/service/realm-samba-winbind.h
index 2c42cca..f959911 100644
--- a/service/realm-samba-winbind.h
+++ b/service/realm-samba-winbind.h
@@ -22,6 +22,7 @@ G_BEGIN_DECLS
 void realm_samba_winbind_configure_async (RealmIniConfig *config,
+ gboolean automatic_mapping,
 GDBusMethodInvocation *invocation,
 GAsyncReadyCallback callback,
 gpointer user_data);
diff --git a/service/realm-samba.c b/service/realm-samba.c
index 0b65101..908a417 100644
--- a/service/realm-samba.c
+++ b/service/realm-samba.c
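Review bot: The non-automatic branch writes `"idmap uid", "500-4294967296"` and the same range for `idmap gid`, but 4294967296 is 2^32 and does not fit in a 32-bit uid_t/gid_t; the upper bound should be at most 4294967295, and preferably one less since 4294967295 is (uid_t)-1 and is commonly reserved as an invalid id, e.g. `"idmap uid", "500-4294967294",` and `"idmap gid", "500-4294967294",`. Whether Samba rejects the out-of-range value or silently truncates it when parsing smb.conf is not visible here, so it is worth checking against the targeted Samba version, because a wrapped range would make the directory-supplied ids unusable or collide with local ones. Separately, `realm_ini_config_begin_change(config, &error)` lacks the space before the parenthesis that every other call in this hunk uses, and the retained `/* TODO: need to use autorid mapping */` comment now sits above both branches, so it should say that it applies to the tdb-backed automatic branch only. The enclosing function realm_samba_winbind_configure_async starts outside the hunk.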
@@ -183,6 +183,7 @@ on_join_do_winbind (GObject *source,
 GHashTable *settings = NULL;
 GError *error = NULL;
 const gchar *workgroup = NULL;
+ const gchar *name;
 realm_samba_enroll_join_finish (result, &settings, &error);
 if (error == NULL) {
@@ -204,7 +205,10 @@ on_join_do_winbind (GObject *source,
 }
 if (error == NULL) {
- realm_samba_winbind_configure_async (self->config, enroll->invocation,
+ name = realm_kerberos_get_name (REALM_KERBEROS (self));
+ realm_samba_winbind_configure_async (self->config,
+ realm_options_automatic_mapping (name),
+ enroll->invocation,
 on_winbind_done, g_object_ref (res));
 } else {
 g_simple_async_result_take_error (res, error);
diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
index 37dd6f0..e476b3a 100644
--- a/service/realm-sssd-ad.c
+++ b/service/realm-sssd-ad.c
@@ -197,6 +197,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
 "ad_domain", domain,
 "krb5_realm", realm,
 "krb5_store_password_if_offline", "True",
+ "ldap_id_mapping", realm_options_automatic_mapping (domain) ? "True" : "False",
 "fallback_homedir", home,
 NULL);
--
1.8.1.4
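Review bot: The two backends look the new setting up under different keys: here `realm_options_automatic_mapping (name)` passes the value returned by realm_kerberos_get_name, while the realm-sssd-ad.c hunk passes `domain`; if the Kerberos realm name and the domain name differ (typically in case), the `[domain.example.com]` section shown in the documentation would be honoured by one backend and ignored by the other, unless realm_settings_boolean normalises the section name, which is not visible here. Resolving the lookup key in one place, or at least documenting on realm_options_automatic_mapping which section name the option is read from, would keep winbind and sssd consistent. The enclosing function on_join_do_winbind starts outside the hunk; `name` is declared without an initializer in the first hunk but is only assigned and read inside the `error == NULL` branch, so that is fine as written.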