git.samba.org - sfrench/samba-autobuild/.git/commit

author	Michael Adam <obnox@samba.org>
	Wed, 26 Nov 2008 22:09:49 +0000 (23:09 +0100)
committer	Michael Adam <obnox@samba.org>
	Mon, 1 Dec 2008 03:37:22 +0000 (04:37 +0100)
commit	484fa90aefe131d5dd67c458b365045dbf6c7e78
tree	2e5c5f12fe49ba27e792e1373a8d125a1f8ed5c5	tree
parent	be233ae32a573ba5048dff9d9fa30869493cf4ff	commit \| diff

s3:winbindd/idmap_ad: add support for trusted domains to idmap_ad (bug #3661)

This initial fix does at least work for explicitly configured domains.

The patch has a few disadvantages:

1. It does work only for explicitly configured domains, not with
   the default backend (idmap backend = ad), since it relies on the
   domain name being passed in via the idmap_domain. One workaround
   for this would be to create clones of the default idmap_domain
   for domains not explicitly configured.

2. It calls find_domain_from_name_noinit() from idmap_ad_cached_connection.
   The problem here is that only the NetBIOS domain name (workgroup
   name) is passed in via the idmap_domain struct, and the module
   has to establish a connection to the domain based on that information.
   find_domain_from_name_noinit() has the disadvantage that it uses the state
   of the domain list at fork time (unless used from the main winbindd).
   But this should be ok as long as the primary domain was reachable at
   start time.

For nss_info, the situation is similar - This will only work for domains
explicitly configured in smb.conf as follows:
"winbind nss info = rfc2307:dom1 sfu:dom2 rfc2307:dom3 template:dom4"
Setting the default nss info to one of the ad backends (rfc2307, sfu, sfu20)
will fail since the domain name is not passed in with the nss_domain_entry.

Michael