The branch, v4-20-test has been updated via 83da49f3489 tests: Add a test for "all_groups=no" to test_idmap_ad.sh via 84f82a09ffd selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad via 83701298384 s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad via 8857cf29979 docs-xml: Add parameter all_groupmem to idmap_ad from 215bb9bd48e Do not fail checksums for RFC8009 types
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log ----------------------------------------------------------------- commit 83da49f348921a21a22ff93ffecbd638ff004541 Author: Pavel Filipenský <pfilipen...@samba.org> Date: Thu Mar 14 15:24:21 2024 +0100 tests: Add a test for "all_groups=no" to test_idmap_ad.sh BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 Signed-off-by: Pavel Filipenský <pfilipen...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Pavel Filipensky <pfilipen...@samba.org> Autobuild-Date(master): Tue Apr 2 13:25:39 UTC 2024 on atb-devel-224 (cherry picked from commit f8b72aa1f72881989990fabc9f4888968bb81967) Autobuild-User(v4-20-test): Jule Anger <jan...@samba.org> Autobuild-Date(v4-20-test): Wed Apr 17 14:38:42 UTC 2024 on atb-devel-224 commit 84f82a09ffd1336bf79cffbe4caa3045aedbd16e Author: Pavel Filipenský <pfilipen...@samba.org> Date: Mon Mar 25 22:38:18 2024 +0100 selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 Signed-off-by: Pavel Filipenský <pfilipen...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a) commit 837012983840d10488404fac2ebad07dd75a6f1c Author: Pavel Filipenský <pfilipen...@samba.org> Date: Tue Mar 12 13:20:24 2024 +0100 s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad The LDAP query of lookup_groupmem() returns all group members from AD, even those with a missing uidNumber. Such group members are useless in a UNIX environment for the idmap_ad backend since there is no uid mapping. 'test_user' is a member of group "Domain Users" with 200K members, of which only 20K members have uidNumber set. Without this fix: $ time id test_user real 1m5.946s user 0m0.019s sys 0m0.012s With this fix: $ time id test_user real 0m3.544s user 0m0.004s sys 0m0.007s BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 
Signed-off-by: Pavel Filipenský <pfilipen...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 5d475d26a3d545f04791a04e85a06b8b192e3fcf) commit 8857cf299792f50e5917319a38d450c068fa07f4 Author: Pavel Filipenský <pfilipen...@samba.org> Date: Wed Mar 13 13:55:41 2024 +0100 docs-xml: Add parameter all_groupmem to idmap_ad BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 Signed-off-by: Pavel Filipenský <pfilipen...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit a485d9de2f2d6a9815dcac6addb988a8987e111c) ----------------------------------------------------------------------- Summary of changes: docs-xml/manpages/idmap_ad.8.xml | 10 ++++++++++ nsswitch/tests/test_idmap_ad.sh | 22 ++++++++++++++++++++++ selftest/target/Samba3.pm | 1 + source3/winbindd/winbindd_ads.c | 11 +++++++---- 4 files changed, 40 insertions(+), 4 deletions(-) Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml
index 32df8d066c2..c7fcc65d763 100644
--- a/docs-xml/manpages/idmap_ad.8.xml
+++ b/docs-xml/manpages/idmap_ad.8.xml
@@ -105,6 +105,16 @@
 </listitem>
 </varlistentry>
 <varlistentry>
+ <term>all_groupmem = yes/no</term>
+ <listitem><para>
+ If set to <parameter>yes</parameter> winbind will retrieve all
+ group members for getgrnam(3), getgrgid(3) and getgrent(3) calls,
+ including those with missing uidNumber.
+ </para>
+ <para>Default: no</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
 <term>deny ous</term>
 <listitem><para>This parameter is a list of OUs from which objects will not be mapped via the ad idmap
diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
index 7ae112ada71..1d4bd395ba9 100755
--- a/nsswitch/tests/test_idmap_ad.sh
+++ b/nsswitch/tests/test_idmap_ad.sh
@@ -94,6 +94,14 @@ gidNumber: 2000001
 unixHomeDirectory: /home/forbidden
 loginShell: /bin/tcsh
 gecos: User in forbidden OU
+
+dn: CN=no_posix_id,CN=Users,$BASE_DN
+changetype: add
+objectClass: user
+samaccountName: no_posix_id
+unixHomeDirectory: /home/no_posix_id
+loginShell: /bin/sh
+gecos: User without uidNumber and gidNumber
 EOF
 #
@@ -171,6 +179,17 @@ then
 failed=$(($failed + 1))
 fi
+#
+# Test 6: Make sure that with the default "all_groups=no"
+# the group "domain users" will not show user "no_posix_id"
+# but will show "SAMBA2008R2/administrator"
+#
+
+dom_users="$DOMAIN/domain users" # Extra step to make sure that all is one word
+out="$($wbinfo --group-info "$dom_users")"
+testit_grep_count "no_posix_id1" "no_posix_id" 0 echo "$out" || failed=$(expr $failed + 1)
+testit_grep "no_posix_id2" "SAMBA2008R2/administrator" echo "$out" || failed=$(expr $failed + 1)
+
 #
 # Trusted domain test 1: Test uid of Administrator, should be 2500000
 #
@@ -241,6 +260,9 @@ gidNumber: 2000002
 dn: cn=forbidden,ou=sub,$BASE_DN
 changetype: delete
+dn: CN=no_posix_id,CN=Users,$BASE_DN
+changetype: delete
+
 dn: ou=sub,$BASE_DN
 changetype: delete
 EOF
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index bbce55ea508..cf40633d127 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1420,6 +1420,7 @@ sub setup_ad_member_idmap_ad
 idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999
 gensec_gssapi:requested_life_time = 5
 winbind scan trusted domains = yes
+ winbind expand groups = 1
 ";
 my $ret = $self->provision(
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 7e572e5d41f..7d6324033ea 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
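Review bot: The Test 6 comment in the second hunk says `"all_groups=no"`, but the option documented in the man page and read by the C code is `all_groupmem` (the commit title repeats the same spelling); the comment line should read `# Test 6: Make sure that with the default "all_groupmem=no"` so the test is found when someone searches for the parameter. The two new failure counters use `failed=$(expr $failed + 1)`, while the first context line of the same hunk shows the file's existing form `failed=$(($failed + 1))`; the arithmetic form is the consistent choice and avoids a fork per failure. The positive check hard-codes `"SAMBA2008R2/administrator"` although the group name on the line above is built from `$DOMAIN`; if both refer to the same domain, `"$DOMAIN/administrator"` keeps the test independent of the environment's domain name. Only the default path is exercised here, so the `all_groupmem=yes` branch that keeps members without a uidNumber has no coverage, which the comment could at least state.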
@@ -1039,7 +1039,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
 }
 static NTSTATUS add_primary_group_members(
- ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid,
+ ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, const char *domname,
 char ***all_members, size_t *num_all_members)
 {
 char *filter;
@@ -1051,10 +1051,13 @@ static NTSTATUS add_primary_group_members(
 char **members;
 size_t num_members;
 ads_control args;
+ bool all_groupmem = idmap_config_bool(domname, "all_groupmem", false);
 filter = talloc_asprintf(
- mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))",
- (unsigned)rid);
+ mem_ctx,
+ "(&(objectCategory=user)(primaryGroupID=%u)%s)",
+ (unsigned)rid,
+ all_groupmem ? "" : "(uidNumber=*)(!(uidNumber=0))");
 if (filter == NULL) {
 goto done;
 }
@@ -1206,7 +1209,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
 DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n",
 (int)num_members));
- status = add_primary_group_members(ads, mem_ctx, rid,
+ status = add_primary_group_members(ads, mem_ctx, rid, domain->name,
 &members, &num_members);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(10, ("%s: add_primary_group_members failed: %s\n",
-- Samba Shared Repository
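Review bot: The filter fragment `(uidNumber=*)(!(uidNumber=0))` appended in the second hunk is the whole point of the change yet carries no explanation; a comment above the `talloc_asprintf()` such as `/* idmap_ad has no mapping for members without a uidNumber (or with uidNumber 0); skip them unless all_groupmem=yes */` would save the next reader a trip to the man page. The attribute name is hard-coded as `uidNumber`; if this path can also serve idmap_ad configurations with `schema_mode = sfu` or `sfu20`, whose uid attribute is named differently, the default `all_groupmem=no` would silently exclude every primary-group member there, which is worth confirming before release. The option is read per domain through the new `domname` parameter, and add_primary_group_members() has no header comment stating that `domname` selects the `idmap config <domain>` block being consulted. add_primary_group_members() starts in the first hunk and its body continues outside the hunks.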