Hi, I came across this very old code. Before there was a domain GUID attribute for the IPA domain in the directory tree, ipa-sam used a generated one (derived from the domain SID). Since we now have that attribute and deliver it, e.g. via CLDAP, ipa-sam should use the same one.
bye, Sumit
From 45af7302b80bff25892bb6629689dbf4dfa3b37d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@ipa-devel.ipa.devel>
Date: Fri, 16 Jan 2015 12:35:57 +0100
Subject: [PATCH] ipa-sam: use proper domain GUID
---
 daemons/ipa-sam/ipa_sam.c | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 07249fd27b362ed6499e372d651192dfc31b5173..f514546fd3152bda65062a8c236dedd787f7a5d8 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -126,6 +126,7 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i
 #define LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE "ipaNTSupportedEncryptionTypes"
 #define LDAP_ATTRIBUTE_TRUST_PARTNER "ipaNTTrustPartner"
 #define LDAP_ATTRIBUTE_FLAT_NAME "ipaNTFlatName"
+#define LDAP_ATTRIBUTE_DOMAIN_GUID "ipaNTDomainGUID"
 #define LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING "ipaNTTrustAuthOutgoing"
 #define LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING "ipaNTTrustAuthIncoming"
 #define LDAP_ATTRIBUTE_SECURITY_IDENTIFIER "ipaNTSecurityIdentifier"
@@ -179,6 +180,7 @@ struct ipasam_privates {
 char *base_dn;
 char *trust_dn;
 char *flat_name;
+ char *guid;
 struct dom_sid fallback_primary_group;
 char *server_princ;
 char *client_princ;
@@ -3473,8 +3475,6 @@ static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pd
 struct pdb_domain_info *info;
 struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)pdb_methods->private_data;
- char sid_buf[24];
- DATA_BLOB sid_blob;
 NTSTATUS status;
 info = talloc(mem_ctx, struct pdb_domain_info);
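Review bot: The new `char *guid;` member of struct ipasam_privates carries no comment, although it is read as a raw string by GUID_from_string() in pdb_ipasam_get_domain_info() and its absence is treated as a fatal configuration error in pdb_init_ipasam(), which a reader of the struct cannot tell from the declaration. I would write it as `char *guid; /* ipaNTDomainGUID of the IPA domain, string form; mandatory, parsed with GUID_from_string() */`. Who owns and frees the string is not visible in this patch (it comes from get_single_attribute(), whose allocation context is outside the hunks), so add the ownership to that comment once confirmed. struct ipasam_privates starts and ends outside the hunk.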
@@ -3502,16 +3502,7 @@ static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pd
 sid_copy(&info->sid, &ldap_state->domain_sid);
- if (!sid_linearize(sid_buf, sizeof(sid_buf), &info->sid)) {
- goto fail;
- }
-
- /* the first 8 bytes of the linearized SID are not random,
- * so we skip them */
- sid_blob.data = (uint8_t *) sid_buf + 8 ;
- sid_blob.length = 16;
-
- status = GUID_from_ndr_blob(&sid_blob, &info->guid);
+ status = GUID_from_string(ldap_state->ipasam_privates->guid, &info->guid);
 if (!NT_STATUS_IS_OK(status)) {
 goto fail;
 }
@@ -3612,6 +3603,7 @@ static NTSTATUS ipasam_search_domain_info(struct smbldap_state *ldap_state,
 const char *filter = "objectClass=ipaNTDomainAttrs";
 const char *attr_list[] = { LDAP_ATTRIBUTE_FLAT_NAME,
+ LDAP_ATTRIBUTE_DOMAIN_GUID,
 LDAP_ATTRIBUTE_SID,
 LDAP_ATTRIBUTE_FALLBACK_PRIMARY_GROUP,
 LDAP_ATTRIBUTE_OBJECTCLASS,
@@ -4525,6 +4517,18 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
 return NT_STATUS_INVALID_PARAMETER;
 }
+ ldap_state->ipasam_privates->guid = get_single_attribute(
+ ldap_state,
+ ldap_state->smbldap_state->ldap_struct,
+ entry,
+ LDAP_ATTRIBUTE_DOMAIN_GUID);
+ if (ldap_state->ipasam_privates->guid == NULL) {
+ DEBUG(0, ("Missing mandatory attribute %s.\n",
+ LDAP_ATTRIBUTE_DOMAIN_GUID));
+ ldap_msgfree(result);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
 err = sss_idmap_init(idmap_talloc, ldap_state->ipasam_privates, idmap_talloc_free, &ldap_state->ipasam_privates->idmap_ctx);
--
2.1.0
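Review bot: The new `status = GUID_from_string(ldap_state->ipasam_privates->guid, &info->guid);` re-parses a directory-supplied string on every pdb_ipasam_get_domain_info() call and, when ipaNTDomainGUID is malformed, takes the existing `goto fail` without any log line, so a bad attribute value surfaces only as a generic failure in whatever called get_domain_info; the removed SID-derived path had no external input that could misparse. At minimum log before jumping, e.g. `DEBUG(1, ("Cannot parse %s value '%s'.\n", LDAP_ATTRIBUTE_DOMAIN_GUID, ldap_state->ipasam_privates->guid));` ahead of the `goto fail;`. Better still, parse the value once at module init and keep a `struct GUID` in ipasam_privates, so this function only copies it and cannot fail on the attribute at all. The enclosing function starts and ends outside the hunk.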
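Review bot: The new block in pdb_init_ipasam() rejects a missing ipaNTDomainGUID but accepts any string value, so a syntactically invalid GUID passes module initialisation and only fails later, on each pdb_ipasam_get_domain_info() call, which is much harder to diagnose than a refusal at load time; since the value is fetched right here, validate it here with the same parser and fail the same way as the missing-attribute case. The error path correctly mirrors the preceding check's `ldap_msgfree(result); return NT_STATUS_INVALID_PARAMETER;`, but whether the string returned by get_single_attribute() needs releasing on this path depends on its talloc parent, which is not visible in the patch. The enclosing function starts and ends outside the hunk.
```c
	struct GUID domain_guid; /* declare with the function's other locals */
	/* … unchanged: get_single_attribute() lookup and NULL check … */
	if (!NT_STATUS_IS_OK(GUID_from_string(ldap_state->ipasam_privates->guid,
					      &domain_guid))) {
		DEBUG(0, ("Attribute %s does not hold a valid GUID.\n",
			  LDAP_ATTRIBUTE_DOMAIN_GUID));
		ldap_msgfree(result);
		return NT_STATUS_INVALID_PARAMETER;
	}
```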