The branch, v4-20-test has been updated
via 83da49f3489 tests: Add a test for "all_groups=no" to
test_idmap_ad.sh
via 84f82a09ffd selftest: Add "winbind expand groups = 1" to
setup_ad_member_idmap_ad
via 83701298384 s3:winbindd: Improve performance of lookup_groupmem()
in idmap_ad
via 8857cf29979 docs-xml: Add parameter all_groupmem to idmap_ad
from 215bb9bd48e Do not fail checksums for RFC8009 types
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test
- Log -----------------------------------------------------------------
commit 83da49f348921a21a22ff93ffecbd638ff004541
Author: Pavel Filipenský <pfilipen...@samba.org>
Date: Thu Mar 14 15:24:21 2024 +0100
tests: Add a test for "all_groups=no" to test_idmap_ad.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipen...@samba.org>
Autobuild-Date(master): Tue Apr 2 13:25:39 UTC 2024 on atb-devel-224
(cherry picked from commit f8b72aa1f72881989990fabc9f4888968bb81967)
Autobuild-User(v4-20-test): Jule Anger <jan...@samba.org>
Autobuild-Date(v4-20-test): Wed Apr 17 14:38:42 UTC 2024 on atb-devel-224
commit 84f82a09ffd1336bf79cffbe4caa3045aedbd16e
Author: Pavel Filipenský <pfilipen...@samba.org>
Date: Mon Mar 25 22:38:18 2024 +0100
selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a)
commit 837012983840d10488404fac2ebad07dd75a6f1c
Author: Pavel Filipenský <pfilipen...@samba.org>
Date: Tue Mar 12 13:20:24 2024 +0100
s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad
The LDAP query of lookup_groupmem() returns all group members from AD
even those with missing uidNumber. Such group members are useless in
UNIX environment for idmap_ad backend since there is no uid mapping.
'test_user' is member of group "Domanin Users" with 200K members,
only 20K members have set uidNumber.
Without this fix:
$ time id test_user
real 1m5.946s
user 0m0.019s
sys 0m0.012s
With this fix:
$ time id test_user
real 0m3.544s
user 0m0.004s
sys 0m0.007s
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit 5d475d26a3d545f04791a04e85a06b8b192e3fcf)
commit 8857cf299792f50e5917319a38d450c068fa07f4
Author: Pavel Filipenský <pfilipen...@samba.org>
Date: Wed Mar 13 13:55:41 2024 +0100
docs-xml: Add parameter all_groupmem to idmap_ad
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
(cherry picked from commit a485d9de2f2d6a9815dcac6addb988a8987e111c)
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/idmap_ad.8.xml | 10 ++++++++++
nsswitch/tests/test_idmap_ad.sh | 22 ++++++++++++++++++++++
selftest/target/Samba3.pm | 1 +
source3/winbindd/winbindd_ads.c | 11 +++++++----
4 files changed, 40 insertions(+), 4 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml
index 32df8d066c2..c7fcc65d763 100644
--- a/docs-xml/manpages/idmap_ad.8.xml
+++ b/docs-xml/manpages/idmap_ad.8.xml
@@ -105,6 +105,16 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term>all_groupmem = yes/no</term>
+ <listitem><para>
+ If set to <parameter>yes</parameter> winbind will retrieve all
+ group members for getgrnam(3), getgrgid(3) and getgrent(3)
calls,
+ including those with missing uidNumber.
+ </para>
+ <para>Default: no</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>deny ous</term>
<listitem><para>This parameter is a list of OUs from
which objects will not be mapped via the ad idmap
diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
index 7ae112ada71..1d4bd395ba9 100755
--- a/nsswitch/tests/test_idmap_ad.sh
+++ b/nsswitch/tests/test_idmap_ad.sh
@@ -94,6 +94,14 @@ gidNumber: 2000001
unixHomeDirectory: /home/forbidden
loginShell: /bin/tcsh
gecos: User in forbidden OU
+
+dn: CN=no_posix_id,CN=Users,$BASE_DN
+changetype: add
+objectClass: user
+samaccountName: no_posix_id
+unixHomeDirectory: /home/no_posix_id
+loginShell: /bin/sh
+gecos: User without uidNumber and gidNumber
EOF
#
@@ -171,6 +179,17 @@ then
failed=$(($failed + 1))
fi
+#
+# Test 6: Make sure that with the default "all_groups=no"
+# the group "domain users" will not show user "no_posix_id"
+# but will show "SAMBA2008R2/administrator"
+#
+
+dom_users="$DOMAIN/domain users" # Extra step to make sure that all is one
word
+out="$($wbinfo --group-info "$dom_users")"
+testit_grep_count "no_posix_id1" "no_posix_id" 0 echo "$out" || failed=$(expr
$failed + 1)
+testit_grep "no_posix_id2" "SAMBA2008R2/administrator" echo "$out" ||
failed=$(expr $failed + 1)
+
#
# Trusted domain test 1: Test uid of Administrator, should be 2500000
#
@@ -241,6 +260,9 @@ gidNumber: 2000002
dn: cn=forbidden,ou=sub,$BASE_DN
changetype: delete
+dn: CN=no_posix_id,CN=Users,$BASE_DN
+changetype: delete
+
dn: ou=sub,$BASE_DN
changetype: delete
EOF
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index bbce55ea508..cf40633d127 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1420,6 +1420,7 @@ sub setup_ad_member_idmap_ad
idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999
gensec_gssapi:requested_life_time = 5
winbind scan trusted domains = yes
+ winbind expand groups = 1
";
my $ret = $self->provision(
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 7e572e5d41f..7d6324033ea 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -1039,7 +1039,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain
*domain,
}
static NTSTATUS add_primary_group_members(
- ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid,
+ ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, const char *domname,
char ***all_members, size_t *num_all_members)
{
char *filter;
@@ -1051,10 +1051,13 @@ static NTSTATUS add_primary_group_members(
char **members;
size_t num_members;
ads_control args;
+ bool all_groupmem = idmap_config_bool(domname, "all_groupmem", false);
filter = talloc_asprintf(
- mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))",
- (unsigned)rid);
+ mem_ctx,
+ "(&(objectCategory=user)(primaryGroupID=%u)%s)",
+ (unsigned)rid,
+ all_groupmem ? "" : "(uidNumber=*)(!(uidNumber=0))");
if (filter == NULL) {
goto done;
}
@@ -1206,7 +1209,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain
*domain,
DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n",
(int)num_members));
- status = add_primary_group_members(ads, mem_ctx, rid,
+ status = add_primary_group_members(ads, mem_ctx, rid, domain->name,
&members, &num_members);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("%s: add_primary_group_members failed: %s\n",
--
Samba Shared Repository
