samba-cvs.cvs
[Top] [All Lists]

svn commit: samba r13680 - in trunk/source/passdb: .

Subject: svn commit: samba r13680 - in trunk/source/passdb: .
From:
Date: Fri, 24 Feb 2006 21:50:42 +0000 GMT
Author: idra
Date: 2006-02-24 21:50:41 +0000 (Fri, 24 Feb 2006)
New Revision: 13680

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13680

Log:

Initial work toward a scriptless working ldap setup

This add a create users to ldapsam that is called
instead of the add user and add machine scripts if
both ldapsam:trusted=yes and ldapsam:editposix=yes
are set.

Simo


Modified:
   trunk/source/passdb/pdb_ldap.c


Changeset:
Modified: trunk/source/passdb/pdb_ldap.c
===================================================================
--- trunk/source/passdb/pdb_ldap.c      2006-02-24 21:36:40 UTC (rev 13679)
+++ trunk/source/passdb/pdb_ldap.c      2006-02-24 21:50:41 UTC (rev 13680)
@@ -4524,6 +4524,220 @@
        return ret;
 }
 
+/*
+ * This function is called only if ldapsam:trusted
+ * and ldapsam:editposix are set to true
+ *
+ * It creates a new posixAccount and sambaSamAccount
+ * object in the ldap users subtree
+ *
+ * The uid is allocated by winbindd.
+ */
+
+static NTSTATUS ldapsam_create_user(struct pdb_methods *my_methods,
+                                   TALLOC_CTX *tmp_ctx, const char *name,
+                                   uint32 acb_info, uint32 *rid)
+{
+       struct ldapsam_privates *ldap_state = (struct ldapsam_privates 
*)my_methods->private_data;
+       NTSTATUS ret;
+       LDAPMessage *entry = NULL;
+       LDAPMessage *result = NULL;
+       uint32 num_result;
+       pstring filter;
+       fstring str;
+       BOOL is_machine = False;
+       BOOL is_new_entry = False;
+       LDAPMod **mods = NULL;
+       char *groupsidstr;
+       char *usersidstr;
+       char *actflags;
+       char *username;
+       char *homedir;
+       char *gidstr;
+       char *uidstr;
+       char *shell;
+       char *dn = NULL;
+       DOM_SID group_sid;
+       DOM_SID user_sid;
+       gid_t gid = -1;
+       uid_t uid = -1;
+       int rc;
+       
+       if ((acb_info & ACB_NORMAL) && name[strlen(name)-1] == '$') {
+               is_machine = True;
+       }
+
+       username = escape_ldap_string_alloc(name);
+       pstrcpy(filter, "(uid=%u)");
+       all_string_sub(filter, "%u", username, sizeof(filter));
+       SAFE_FREE(username);
+
+       rc = smbldap_search_suffix(ldap_state->smbldap_state, filter, NULL, 
&result);
+       if (rc != LDAP_SUCCESS) {
+               DEBUG(0,("ldapsam_create_user: ldap search failed!\n"));
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, 
result);
+
+       if (num_result > 1) {
+               DEBUG (0, ("ldapsam_create_user: More than one user with that 
username exists: bailing out!\n"));
+               ldap_msgfree(result);
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+       
+       if (num_result == 1) {
+               GROUP_MAP map;
+               char *tmp;
+
+               /* check if it is just a posix account.
+                * or if there is a sid attached to this entry
+                */
+
+               entry = ldap_first_entry(priv2ld(ldap_state), result);
+               if (!entry) {
+                       ldap_msgfree(result);
+                       return NT_STATUS_UNSUCCESSFUL;
+               }
+
+               if (!smbldap_get_single_attribute(priv2ld(ldap_state), entry, 
"sambaSID", str, sizeof(str)-1)) {
+                       DEBUG (1, ("ldapsam_create_user: The user [%s] already 
exist!\n", name));
+                       ldap_msgfree(result);
+                       return NT_STATUS_USER_EXISTS;
+               }
+
+               /* it is just a posix account, retrieve the user_sid and 
group_sid for later use */
+               if (!smbldap_get_single_attribute(priv2ld(ldap_state), entry, 
"gidNumber", str, sizeof(str)-1)) {
+                       DEBUG (1, ("ldapsam_create_user: Couldn't retrieve the 
gidNumber for [%s]?!?!\n", name));
+                       ldap_msgfree(result);
+                       return NT_STATUS_INTERNAL_DB_CORRUPTION;
+               }
+               
+               gid = strtoul(str, NULL, 10);
+
+               if (!NT_STATUS_IS_OK((ret = ldapsam_getgrgid(my_methods, &map, 
gid)))) {
+                       DEBUG(1, ("ldapsam_create_user: User's primary group is 
not mapped! Fail.\n"));
+                       ldap_msgfree(result);
+                       return ret;
+               }
+
+               sid_copy(&group_sid, &map.sid);
+
+               tmp = smbldap_get_dn(priv2ld(ldap_state), entry);
+               if (!tmp) {
+                       DEBUG(1, ("ldapsam_create_user: Couldn't retrieve the 
DN for [%s]?!?!\n", name));
+                       ldap_msgfree(result);
+                       return NT_STATUS_INTERNAL_DB_CORRUPTION;
+               }
+               dn = talloc_strdup(tmp_ctx, tmp);
+               SAFE_FREE(tmp);
+               if (!dn) {
+                       DEBUG(0,("ldapsam_create_user: Out of memory!\n"));
+                       ldap_msgfree(result);
+                       return NT_STATUS_NO_MEMORY;
+               }
+       }
+
+       ldap_msgfree(result);
+
+       if (num_result == 0) {
+               DEBUG(3,("ldapsam_create_user: Creating new posix user\n"));
+
+               is_new_entry = True;
+       
+               /* retrieve the Domain Users group gid */
+               if (!sid_compose(&group_sid, get_global_sam_sid(), 
DOMAIN_GROUP_RID_USERS) ||
+                   !sid_to_gid(&group_sid, &gid)) {
+                       DEBUG (0, ("ldapsam_create_user: Unable to get the 
Domain Users gid: bailing out!\n"));
+                       return NT_STATUS_INVALID_PRIMARY_GROUP;
+               }
+
+               /* lets allocate a new userid for this user */
+               if (!winbind_allocate_uid(&uid)) {
+                       DEBUG (0, ("ldapsam_create_user: Unable to allocate a 
new user id: bailing out!\n"));
+                       return NT_STATUS_UNSUCCESSFUL;
+               }
+
+
+               if (is_machine) {
+                       /* TODO: choose a more appropriate default for machines 
*/
+                       homedir = talloc_sub_specified(tmp_ctx, 
lp_template_homedir(), "SMB_workstations_home", ldap_state->domain_name, uid, 
gid);
+                       shell = talloc_strdup(tmp_ctx, "/bin/false");
+               } else {
+                       homedir = talloc_sub_specified(tmp_ctx, 
lp_template_homedir(), name, ldap_state->domain_name, uid, gid);
+                       shell = talloc_sub_specified(tmp_ctx, 
lp_template_shell(), name, ldap_state->domain_name, uid, gid);
+               }
+               uidstr = talloc_asprintf(tmp_ctx, "%d", uid);
+               gidstr = talloc_asprintf(tmp_ctx, "%d", gid);
+               if (is_machine) {
+                       dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", name, 
lp_ldap_machine_suffix ());
+               } else {
+                       dn = talloc_asprintf(tmp_ctx, "uid=%s,%s", name, 
lp_ldap_user_suffix ());
+               }
+
+               if (!homedir || !shell || !uidstr || !gidstr || !dn) {
+                       DEBUG (0, ("ldapsam_create_user: Out of memory!\n"));
+                       return NT_STATUS_NO_MEMORY;
+               }
+
+               smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", 
LDAP_OBJ_ACCOUNT);
+               smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", 
LDAP_OBJ_POSIXACCOUNT);
+               smbldap_set_mod(&mods, LDAP_MOD_ADD, "uid", name);
+               smbldap_set_mod(&mods, LDAP_MOD_ADD, "cn", name);
+               smbldap_set_mod(&mods, LDAP_MOD_ADD, "uidNumber", uidstr);
+               smbldap_set_mod(&mods, LDAP_MOD_ADD, "gidNumber", gidstr);
+               smbldap_set_mod(&mods, LDAP_MOD_ADD, "homeDirectory", homedir);
+               smbldap_set_mod(&mods, LDAP_MOD_ADD, "loginShell", shell);
+       }
+
+       if (!NT_STATUS_IS_OK((ret = ldapsam_get_new_rid(ldap_state, rid)))) {
+               DEBUG(1, ("ldapsam_create_user: Could not allocate a new 
RID\n"));
+               return ret;
+       }
+
+       sid_copy(&user_sid, get_global_sam_sid());
+       sid_append_rid(&user_sid, *rid);
+
+       sid_to_string(str, &group_sid);
+       groupsidstr = talloc_strdup(tmp_ctx, str);
+       sid_to_string(str, &user_sid);
+       usersidstr = talloc_strdup(tmp_ctx, str);
+
+       if (is_machine) {
+               actflags = talloc_strdup(tmp_ctx, 
pdb_encode_acct_ctrl(ACB_WSTRUST & ACB_DISABLED, 
NEW_PW_FORMAT_SPACE_PADDED_LEN));
+       } else {
+               actflags = talloc_strdup(tmp_ctx, pdb_encode_acct_ctrl(acb_info 
& ACB_DISABLED, NEW_PW_FORMAT_SPACE_PADDED_LEN));
+       }
+
+       if (!groupsidstr || !usersidstr || !actflags) {
+               DEBUG(0,("ldapsam_create_user: Out of memory!\n"));
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", 
LDAP_OBJ_SAMBASAMACCOUNT);
+       smbldap_set_mod(&mods, LDAP_MOD_ADD, 
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), 
usersidstr);
+       smbldap_set_mod(&mods, LDAP_MOD_ADD, 
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), 
usersidstr);
+       smbldap_set_mod(&mods, LDAP_MOD_ADD, 
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), name);
+       smbldap_set_mod(&mods, LDAP_MOD_ADD, 
get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), actflags);
+
+       if (is_new_entry) {     
+               rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
+       } else {
+               rc = smbldap_modify(ldap_state->smbldap_state, dn, mods);
+       }       
+
+       if (rc != LDAP_SUCCESS) {
+               DEBUG(0,("ldapsam_create_user: failed to create a new user [%s] 
(dn = %s)\n", name ,dn));
+               ldap_mods_free(mods, True);
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       DEBUG(2,("ldapsam_create_user: added account [%s] in the LDAP 
database\n", username));
+       ldap_mods_free(mods, True);
+
+       return NT_STATUS_OK;
+}
+
 /**********************************************************************
  Housekeeping
  *********************************************************************/
@@ -4589,6 +4803,10 @@
        (*pdb_method)->rid_algorithm = ldapsam_rid_algorithm;
        (*pdb_method)->new_rid = ldapsam_new_rid;
 
+       if (lp_parm_bool(-1, "ldapsam", "trusted", False) &&
+           lp_parm_bool(-1, "ldapsam", "editposix", False)) {
+               (*pdb_method)->create_user = ldapsam_create_user;
+       }
        /* TODO: Setup private data and free */
 
        if ( !(ldap_state = TALLOC_ZERO_P(*pdb_method, struct 
ldapsam_privates)) ) {

<Prev in Thread] Current Thread [Next in Thread>
  • svn commit: samba r13680 - in trunk/source/passdb: ., idra <=