| commit | 5d71b64801769d4492501c3c5e226fac866083c7 | |
| author | Michael Adam <obnox@samba.org> | |
| Wed, 26 Nov 2008 22:09:49 +0000 (26 23:09 +0100) | ||
| committer | Karolin Seeger <kseeger@samba.org> | |
| Thu, 11 Dec 2008 09:27:08 +0000 (11 10:27 +0100) | ||
| tree | c37a2b0661fb52c924b0230eba1fcf62ffb7dec7 | treesnapshot (tar.gz zip) |
| parent | 5ea6a81f2a845b579568acd533750f783e65ba53 | commitdiff |
winbindd/idmap_ad: add support for trusted domains to idmap_ad (bug #3661)
This initial fix does at least work for explicitly configured domains.
The patch has a few disadvantages:
1. It does work only for explicitly configured domains, not with
the default backend (idmap backend = ad), since it relies on the
domain name being passed in via the idmap_domain. One workaround
for this would be to create clones of the default idmap_domain
for domains not explicitly configured.
2. It calls find_domain_from_name_noinit() from idmap_ad_cached_connection.
The problem here is that only the NetBIOS domain name (workgroup
name) is passed in via the idmap_domain struct, and the module
has to establish a connection to the domain based on that information.
find_domain_from_name_noinit() has the disadvantage that it uses the state
of the domain list at fork time (unless used from the main winbindd).
But this should be ok as long as the primary domain was reachable at
start time.
For nss_info, the situation is similar - This will only work for domains
explicitly configured in smb.conf as follows:
"winbind nss info = rfc2307:dom1 sfu:dom2 rfc2307:dom3 template:dom4"
Setting the default nss info to one of the ad backends (rfc2307, sfu, sfu20)
will fail since the domain name is not passed in with the nss_domain_entry.
Michael
(cherry picked from commit 9423214217558036c4c88d48efead41df48d2492)
This initial fix does at least work for explicitly configured domains.
The patch has a few disadvantages:
1. It does work only for explicitly configured domains, not with
the default backend (idmap backend = ad), since it relies on the
domain name being passed in via the idmap_domain. One workaround
for this would be to create clones of the default idmap_domain
for domains not explicitly configured.
2. It calls find_domain_from_name_noinit() from idmap_ad_cached_connection.
The problem here is that only the NetBIOS domain name (workgroup
name) is passed in via the idmap_domain struct, and the module
has to establish a connection to the domain based on that information.
find_domain_from_name_noinit() has the disadvantage that it uses the state
of the domain list at fork time (unless used from the main winbindd).
But this should be ok as long as the primary domain was reachable at
start time.
For nss_info, the situation is similar - This will only work for domains
explicitly configured in smb.conf as follows:
"winbind nss info = rfc2307:dom1 sfu:dom2 rfc2307:dom3 template:dom4"
Setting the default nss info to one of the ad backends (rfc2307, sfu, sfu20)
will fail since the domain name is not passed in with the nss_domain_entry.
Michael
(cherry picked from commit 9423214217558036c4c88d48efead41df48d2492)
| source/winbindd/idmap_ad.c | diffblobblamehistory |