s4-idmap: Add parameter 'idmap_ldb:use rfc2307' and correct implementation errors
authorAndrew Bartlett <abartlet@samba.org>
Wed, 20 Jun 2012 02:51:43 +0000 (12:51 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 20 Jun 2012 06:22:41 +0000 (16:22 +1000)
source4/scripting/python/samba/provision/__init__.py
source4/scripting/python/samba/upgrade.py
source4/winbind/idmap.c

index e0e5e4b6f707f2dc369fffaaffa4ff25efab80fe..c95db4e6393ed1879242d5f3660f8013a51e072a 100644 (file)
@@ -1604,7 +1604,8 @@ def provision(logger, session_info, credentials, smbconf=None,
         backend_type=None, sitename=None,
         ol_mmr_urls=None, ol_olc=None, slapd_path="/bin/false",
         useeadb=False, am_rodc=False,
-        lp=None, use_ntvfs=False):
+        lp=None, use_ntvfs=False,
+        use_rfc2307=False):
     """Provision samba4
 
     :note: caution, this wipes all existing data!
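Review bot: The new `use_rfc2307=False` keyword is not described in the docstring that starts right below the signature, so callers have to read the body to learn what it switches. If the docstring lists parameters further down (not visible in this hunk), add an entry such as `:param use_rfc2307: when True, write "idmap_ldb:use rfc2307 = yes" into the generated smb.conf so idmap_ldb consults uidNumber/gidNumber`. The provision() body continues well past this hunk.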
@@ -1648,6 +1649,9 @@ def provision(logger, session_info, credentials, smbconf=None,
 
     server_services = []
     global_param = {}
+    if use_rfc2307:
+        global_param["idmap_ldb:use rfc2307"] = ["yes"]
+
     if dns_backend == "SAMBA_INTERNAL":
         server_services.append("+dns")
 
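Review bot: The key is only written when `use_rfc2307` is true, so the "off" case relies on idmap.c's default (`lpcfg_parm_bool(..., "idmap_ldb", "use rfc2307", false)`) rather than on an explicit `no`; that coupling is worth a comment so the two sides are not changed independently. Suggest `# Absent means off: idmap_ldb defaults "idmap_ldb:use rfc2307" to false` above the `if`. The setting name here must stay byte-identical to the section/parameter pair read in source4/winbind/idmap.c.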
index 09a52c182ced0da3fd4ddc221ec5dd5aee6b07a2..3ef79ed6468d8790fe2399d4e381758bb807d992 100644 (file)
@@ -702,7 +702,7 @@ Please fix this account before attempting to upgrade again
                        dom_for_fun_level=dsdb.DS_DOMAIN_FUNCTION_2003,
                        hostname=netbiosname.lower(), machinepass=machinepass,
                        serverrole=serverrole, samdb_fill=FILL_FULL,
-                       useeadb=useeadb, dns_backend=dns_backend)
+                       useeadb=useeadb, dns_backend=dns_backend, use_rfc2307=True)
     result.report_logger(logger)
 
     # Import WINS database
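Review bot: `use_rfc2307=True` is hard-coded on the upgrade path with no explanation, while fresh provisions default it to False; a one-line comment stating why upgrades always enable it would save the next reader a trip through the history. Presumably the imported Samba3 accounts carry uidNumber/gidNumber values that should keep being honoured, but that is inference — if so, say it: `# Upgraded domains keep honouring their existing uidNumber/gidNumber via idmap_ldb`. The enclosing upgrade function starts and ends outside this hunk.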
index af6f66af285330fc6852034efc510a9a0575e3c4..354507ca6fe1e7afa7288bfd5d36ab4ccc38e5a4 100644 (file)
@@ -230,11 +230,20 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
        
        switch (unixid->type) {
                case ID_TYPE_UID:
-                       ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg, NULL, LDB_SCOPE_SUBTREE, 
-                                             sam_attrs, 0,
-                                             "(&(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)(uidNumber=%u)(objectSid=*)"
-                                             "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
-                                             ATYPE_ACCOUNT, unixid->id);
+                       if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) {
+                               ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg,
+                                                     ldb_get_default_basedn(idmap_ctx->samdb),
+                                                     LDB_SCOPE_SUBTREE,
+                                                     sam_attrs, 0,
+                                                     "(&(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)"
+                                                     "(uidNumber=%u)(objectSid=*)"
+                                                     "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+                                                     ATYPE_ACCOUNT, unixid->id);
+                       } else {
+                               /* If we are not to use the rfc2307 attributes, we just emulate a non-match */
+                               ret = LDB_ERR_NO_SUCH_OBJECT;
+                       }
+
                        if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
                                DEBUG(1, ("Search for uidNumber=%lu gave duplicate results, failing to map to a SID!\n",
                                          (unsigned long)unixid->id));
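Review bot: The `lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)` lookup added at the start of the ID_TYPE_UID case is repeated verbatim in the ID_TYPE_GID case and again in idmap_sid_to_xid, so the section/parameter strings can drift apart and the parametric lookup runs on every mapping call. In idmap_xid_to_sid, evaluate it once before the `switch`, `bool use_rfc2307 = lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false);`, and test `if (use_rfc2307) {` in both cases; idmap_sid_to_xid can do the same at its top. The `/* ... emulate a non-match */` comment would be more useful if it also named what the code after this hunk does with LDB_ERR_NO_SUCH_OBJECT, which I cannot see from here. idmap_xid_to_sid begins before this hunk and continues past it.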
@@ -242,7 +251,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
                                goto failed;
                        } else if (ret == LDB_SUCCESS) {
                                *sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
-                               if (*sid) {
+                               if (*sid == NULL) {
                                        DEBUG(1, ("Search for uidNumber=%lu did not return an objectSid!\n",
                                                  (unsigned long)unixid->id));
                                        status = NT_STATUS_NONE_MAPPED;
@@ -260,11 +269,19 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
                        id_type = "ID_TYPE_UID";
                        break;
                case ID_TYPE_GID:
-                       ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg, NULL, LDB_SCOPE_SUBTREE, 
-                                             sam_attrs, 0,
-                                             "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u)"
-                                             "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
-                                             ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP, unixid->id);
+                       if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) {
+                               ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &msg,
+                                                     ldb_get_default_basedn(idmap_ctx->samdb),
+                                                     LDB_SCOPE_SUBTREE,
+                                                     sam_attrs, 0,
+                                                     "(&(|(sAMaccountType=%u)(sAMaccountType=%u))(gidNumber=%u)"
+                                                     "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+                                                     ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP,
+                                                     unixid->id);
+                       } else {
+                               /* If we are not to use the rfc2307 attributes, we just emulate a non-match */
+                               ret = LDB_ERR_NO_SUCH_OBJECT;
+                       }
                        if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
                                DEBUG(1, ("Search for gidNumber=%lu gave duplicate results, failing to map to a SID!\n",
                                          (unsigned long)unixid->id));
@@ -272,7 +289,7 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
                                goto failed;
                        } else if (ret == LDB_SUCCESS) {
                                *sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
-                               if (*sid) {
+                               if (*sid == NULL) {
                                        DEBUG(1, ("Search for gidNumber=%lu did not return an objectSid!\n",
                                                  (unsigned long)unixid->id));
                                        status = NT_STATUS_NONE_MAPPED;
@@ -418,14 +435,22 @@ static NTSTATUS idmap_sid_to_xid(struct idmap_context *idmap_ctx,
         * much like a winbindd member server running idmap_ad
         */
        
-       ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &sam_msg, NULL, LDB_SCOPE_SUBTREE, sam_attrs, 0,
-                             "(&(objectSid=%s)"
-                             "(|(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)"
-                             "(sAMaccountType=%u)"
-                             "(sAMaccountType=%u))"
-                             "(|(uidNumber=*)(gidNumber=*))"
-                             "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
-                             dom_sid_string(tmp_ctx, sid), ATYPE_ACCOUNT, ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
+       if (lpcfg_parm_bool(idmap_ctx->lp_ctx, NULL, "idmap_ldb", "use rfc2307", false)) {
+               ret = dsdb_search_one(idmap_ctx->samdb, tmp_ctx, &sam_msg,
+                                     ldb_get_default_basedn(idmap_ctx->samdb),
+                                     LDB_SCOPE_SUBTREE, sam_attrs, 0,
+                                     "(&(objectSid=%s)"
+                                     "(|(sAMaccountType:" LDB_OID_COMPARATOR_AND ":=%u)"
+                                     "(sAMaccountType=%u)"
+                                     "(sAMaccountType=%u))"
+                                     "(|(uidNumber=*)(gidNumber=*))"
+                                     "(|(objectClass=posixAccount)(objectClass=posixGroup)))",
+                                     dom_sid_string(tmp_ctx, sid), ATYPE_ACCOUNT, ATYPE_SECURITY_GLOBAL_GROUP, ATYPE_SECURITY_LOCAL_GROUP);
+       } else {
+               /* If we are not to use the rfc2307 attributes, we just emulate a non-match */
+               ret = LDB_ERR_NO_SUCH_OBJECT;
+       }
+
        if (ret == LDB_ERR_CONSTRAINT_VIOLATION) {
                DEBUG(1, ("Search for objectSid=%s gave duplicate results, failing to map to a unix ID!\n",
                          dom_sid_string(tmp_ctx, sid)));