[Pkg-freeipa-devel] freeipa: Changes to 'master'

Timo Aaltonen tjaalton at moszumanska.debian.org
Sat Dec 16 07:18:24 UTC 2017


 debian/changelog                         |   12 
 debian/patches/fix-opendnssec-setup.diff |    4 
 debian/patches/samba-4.7-fix-1.diff      |  142 +
 debian/patches/samba-4.7-fix-2.diff      |   77 
 debian/patches/samba-4.7-fix-3.diff      | 2721 +++++++++++++++++++++++++++++++
 debian/patches/samba-4.7-fix-4.diff      |   52 
 debian/patches/series                    |    4 
 debian/tests/server-install              |    2 
 8 files changed, 3011 insertions(+), 3 deletions(-)

New commits:
commit b68953de5c2a0ebe5087e621fb1f64a3450a6d9e
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Sat Dec 16 09:16:46 2017 +0200

    releasing package freeipa version 4.4.4-4

diff --git a/debian/changelog b/debian/changelog
index ef8228e..ac2f23f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-freeipa (4.4.4-4) UNRELEASED; urgency=medium
+freeipa (4.4.4-4) unstable; urgency=medium
 
   [ Timo Aaltonen ]
   * fix-opendnssec-setup.diff: Use /usr/sbin prefix for ods binaries.
@@ -8,7 +8,7 @@ freeipa (4.4.4-4) UNRELEASED; urgency=medium
   [ Steve Langasek ]
   * Fix autopkgtest to be robust in the face of changed iproute2 output.
 
- -- Timo Aaltonen <tjaalton at debian.org>  Sun, 15 Oct 2017 09:50:35 +0300
+ -- Timo Aaltonen <tjaalton at debian.org>  Sat, 16 Dec 2017 09:15:37 +0200
 
 freeipa (4.4.4-3) unstable; urgency=medium
 

commit 98c9c2dae8d4e2a8f3370d784cec5194af7fad0d
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Sat Dec 16 09:03:09 2017 +0200

    samba-4.7-fix-*: Add backported commits to allow building against samba 4.7. (Closes: #880841)

diff --git a/debian/changelog b/debian/changelog
index 6d5980a..ef8228e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ freeipa (4.4.4-4) UNRELEASED; urgency=medium
 
   [ Timo Aaltonen ]
   * fix-opendnssec-setup.diff: Use /usr/sbin prefix for ods binaries.
+  * samba-4.7-fix-*: Add backported commits to allow building against
+    samba 4.7. (Closes: #880841)
 
   [ Steve Langasek ]
   * Fix autopkgtest to be robust in the face of changed iproute2 output.
diff --git a/debian/patches/samba-4.7-fix-1.diff b/debian/patches/samba-4.7-fix-1.diff
new file mode 100644
index 0000000..b0a7de8
--- /dev/null
+++ b/debian/patches/samba-4.7-fix-1.diff
@@ -0,0 +1,142 @@
+From 0f450488b0883c3e66cc8dfebd9498e9a5c13a7c Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo at redhat.com>
+Date: Tue, 21 Mar 2017 17:33:20 +0100
+Subject: [PATCH] ipa-sam: create the gidNumber attribute in the trusted domain
+ entry
+
+When a trusted domain entry is created, the uidNumber attribute is created
+but not the gidNumber attribute. This causes samba to log
+	Failed to find a Unix account for DOM-AD$
+because the samu structure does not contain a group_sid and is not put
+in the cache.
+The fix creates the gidNumber attribute in the trusted domain entry,
+and initialises the group_sid field in the samu structure returned
+by ldapsam_getsampwnam. This ensures that the entry is put in the cache.
+
+Note that this is only a partial fix for 6660 as it does not prevent
+_netr_ServerAuthenticate3 from failing with the log
+	_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.
+
+https://pagure.io/freeipa/issue/6827
+
+Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
+---
+ daemons/ipa-sam/ipa_sam.c | 40 +++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 4c1fda5f82..6a29e8e10b 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -195,6 +195,7 @@ struct ipasam_privates {
+ 	char *trust_dn;
+ 	char *flat_name;
+ 	struct dom_sid fallback_primary_group;
++	char *fallback_primary_group_gid_str;
+ 	char *server_princ;
+ 	char *client_princ;
+ 	struct sss_idmap_ctx *idmap_ctx;
+@@ -2419,6 +2420,9 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
+ 	if (entry == NULL || sid == NULL) {
+ 		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+ 				 LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR);
++		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
++		                 LDAP_ATTRIBUTE_GIDNUMBER,
++				 ldap_state->ipasam_privates->fallback_primary_group_gid_str);
+ 	}
+ 
+ 	if (td->netbios_name != NULL) {
+@@ -2829,6 +2833,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
+ {
+ 	NTSTATUS status;
+ 	struct dom_sid *u_sid;
++	struct dom_sid *g_sid;
+ 	char *name;
+ 	char *trustpw = NULL;
+ 	char *trustpw_utf8 = NULL;
+@@ -2884,6 +2889,11 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
+ 	}
+ 	talloc_free(u_sid);
+ 
++	g_sid = &ldap_state->ipasam_privates->fallback_primary_group;
++	if (!pdb_set_group_sid(user, g_sid, PDB_SET)) {
++		return false;
++	}
++
+ 	status = get_trust_pwd(user, &td->trust_auth_incoming, &trustpw, NULL);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		return false;
+@@ -3594,14 +3604,17 @@ static void ipasam_free_private_data(void **vp)
+ static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx,
+ 					      struct smbldap_state *ldap_state,
+ 					      struct sss_idmap_ctx *idmap_ctx,
+-					      LDAPMessage *dom_entry)
++					      LDAPMessage *dom_entry,
++					      char **fallback_group_gid_str)
+ {
+ 	char *dn;
+ 	char *sid;
++	char *gidnumber;
+ 	int ret;
+ 	const char *filter = "objectClass=*";
+ 	const char *attr_list[] = {
+ 					LDAP_ATTRIBUTE_SID,
++					LDAP_ATTRIBUTE_GIDNUMBER,
+ 					NULL};
+ 	LDAPMessage *result;
+ 	LDAPMessage *entry;
+@@ -3648,9 +3661,20 @@ static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx,
+ 		talloc_free(sid);
+ 		return NULL;
+ 	}
++	talloc_free(sid);
++
++	gidnumber = get_single_attribute(mem_ctx, ldap_state->ldap_struct,
++					entry, LDAP_ATTRIBUTE_GIDNUMBER);
++	if (gidnumber == NULL) {
++		DEBUG(0, ("Missing mandatory attribute %s.\n",
++			  LDAP_ATTRIBUTE_GIDNUMBER));
++		ldap_msgfree(result);
++		return NULL;
++	}
++
++	*fallback_group_gid_str = gidnumber;
+ 
+ 	ldap_msgfree(result);
+-	talloc_free(sid);
+ 
+ 	return fallback_group_sid;
+ }
+@@ -4443,6 +4467,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
+ 	char *domain_sid_string = NULL;
+ 	struct dom_sid *ldap_domain_sid = NULL;
+ 	struct dom_sid *fallback_group_sid = NULL;
++	char *fallback_group_gid_str = NULL;
+ 
+ 	LDAPMessage *result = NULL;
+ 	LDAPMessage *entry = NULL;
+@@ -4586,7 +4611,8 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
+ 	fallback_group_sid = get_fallback_group_sid(ldap_state,
+ 					ldap_state->smbldap_state,
+ 					ldap_state->ipasam_privates->idmap_ctx,
+-					result);
++					result,
++					&fallback_group_gid_str);
+ 	if (fallback_group_sid == NULL) {
+ 		DEBUG(0, ("Cannot find SID of fallback group.\n"));
+ 		ldap_msgfree(result);
+@@ -4596,6 +4622,14 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
+ 		 fallback_group_sid);
+ 	talloc_free(fallback_group_sid);
+ 
++	if (fallback_group_gid_str == NULL) {
++		DEBUG(0, ("Cannot find gidNumber of fallback group.\n"));
++		ldap_msgfree(result);
++		return NT_STATUS_INVALID_PARAMETER;
++	}
++	ldap_state->ipasam_privates->fallback_primary_group_gid_str =
++		fallback_group_gid_str;
++
+ 	domain_sid_string = get_single_attribute(
+ 				ldap_state,
+ 				ldap_state->smbldap_state->ldap_struct,
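Review bot: get_fallback_group_sid() writes its new out-parameter only on the success path (`*fallback_group_gid_str = gidnumber;`) and leaves it untouched on every failure return, so the contract relies on the caller pre-initialising it to NULL, which pdb_init_ipasam() does at the declaration but nothing at the function says so. A short comment above the function would pin this down: `/* On success *fallback_group_gid_str receives the group's gidNumber string, allocated on mem_ctx; on failure it is left unchanged and NULL is returned. */`. Because the function already returns NULL when gidNumber is absent, the later `if (fallback_group_gid_str == NULL)` branch in pdb_init_ipasam() is reachable only through a future code change, which is acceptable as a defensive check but worth a one-line comment saying so. The behavioural consequence is that a fallback group without a gidNumber now makes ipasam initialisation fail with NT_STATUS_INVALID_PARAMETER where it presumably succeeded before, so the new requirement should be called out for administrators upgrading existing deployments. Lastly, the continuation lines of the new smbldap_make_mod() call mix spaces and tabs for indentation while the surrounding code uses tabs only.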
diff --git a/debian/patches/samba-4.7-fix-2.diff b/debian/patches/samba-4.7-fix-2.diff
new file mode 100644
index 0000000..f54cb4c
--- /dev/null
+++ b/debian/patches/samba-4.7-fix-2.diff
@@ -0,0 +1,77 @@
+From 64d23dd1382223fd2c0eb4aea0988977118b5799 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Fri, 16 Jun 2017 16:26:41 +0200
+Subject: [PATCH] ipa-sam: replace encode_nt_key() with E_md4hash()
+
+Since ipa-sam is running as part of smbd is it safe to use the
+E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
+libraries which might depend on other rules like e.g. FIPS mode.
+
+Resolves https://pagure.io/freeipa/issue/7026
+
+Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
+Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
+---
+ daemons/ipa-sam/ipa_sam.c | 27 ++-------------------------
+ 1 file changed, 2 insertions(+), 25 deletions(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 6a29e8e10b..59d92f37c9 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -110,6 +110,7 @@ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so *
+ char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
+ bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
+ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
++bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */
+ 
+ #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs"
+ #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain"
+@@ -2836,11 +2837,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
+ 	struct dom_sid *g_sid;
+ 	char *name;
+ 	char *trustpw = NULL;
+-	char *trustpw_utf8 = NULL;
+-	char *tmp_str = NULL;
+-	int ret;
+ 	uint8_t nt_key[16];
+-	size_t converted_size;
+ 	bool res;
+ 	char *sid_str;
+ 	enum idmap_error_code err;
+@@ -2899,19 +2896,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
+ 		return false;
+ 	}
+ 
+-	if (!push_utf8_talloc(user, &trustpw_utf8, trustpw, &converted_size)) {
+-		res = false;
+-		goto done;
+-	}
+-
+-	tmp_str = talloc_strdup_upper(user, trustpw);
+-	if (tmp_str == NULL) {
+-		res = false;
+-		goto done;
+-	}
+-
+-	ret = encode_nt_key(trustpw_utf8, nt_key);
+-	if (ret != 0) {
++	if (!E_md4hash(trustpw, nt_key)) {
+ 		res = false;
+ 		goto done;
+ 	}
+@@ -2927,14 +2912,6 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
+ 		memset(trustpw, 0, strlen(trustpw));
+ 		talloc_free(trustpw);
+ 	}
+-	if (trustpw_utf8 != NULL) {
+-		memset(trustpw_utf8, 0, strlen(trustpw_utf8));
+-		talloc_free(trustpw_utf8);
+-	}
+-	if (tmp_str != NULL) {
+-		memset(tmp_str, 0, strlen(tmp_str));
+-		talloc_free(tmp_str);
+-	}
+ 
+ 	return res;
+ }
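Review bot: The explicit push_utf8_talloc() step is dropped and trustpw is handed straight to E_md4hash(), which is only equivalent to the old path if the string returned by get_trust_pwd() is already in the character set E_md4hash() expects; the hunk does not show that, so a comment at the call site such as `/* trustpw is already in the charset E_md4hash() expects; no separate UTF-8 push is needed */` would record the assumption. The hand-written prototype `bool E_md4hash(const char *passwd, uint8_t p16[16]);` follows the file's existing practice of declaring Samba symbols locally, but the array parameter decays to a pointer and a later signature change in Samba would not be caught at compile time, so taking the declaration from a Samba header where one is available would be safer. With the two intermediate copies gone, the cleanup at the end of init_sam_from_td() scrubs only trustpw, and it does so with plain memset() immediately before talloc_free(), which the compiler may elide; an explicit-zeroing primitive (explicit_bzero() or Samba's equivalent) would make that scrub reliable, and nt_key, which now receives the hash directly, is not visibly cleared anywhere in the hunk. init_sam_from_td() appears here only in fragments; the rest of its body lies outside the hunks.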
diff --git a/debian/patches/samba-4.7-fix-3.diff b/debian/patches/samba-4.7-fix-3.diff
new file mode 100644
index 0000000..7e3b9e6
--- /dev/null
+++ b/debian/patches/samba-4.7-fix-3.diff
@@ -0,0 +1,2721 @@
+From 7edccc9347410e7249ab18ec56b18c2161636daa Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy at redhat.com>
+Date: Wed, 19 Apr 2017 15:16:15 +0300
+Subject: [PATCH] ipa-sam: use own private structure, not ldapsam_privates
+
+With Samba 4.7 access to ldapsam internal structures will not be
+available for external applications. FreeIPA's ipasam module was using
+those for own needs. Now it needs to migrate to proper own private
+structure.
+
+Given that we anyway need to implement many missing functions like
+pdb_update_sam_account() callback with FreeIPA-specific logic,
+piggybacking on ldapsam structures is not needed anymore.
+
+Fixes https://pagure.io/freeipa/issue/6877
+
+Reviewed-By: Martin Basti <mbasti at redhat.com>
+---
+ daemons/configure.ac      |   5 +
+ daemons/ipa-sam/ipa_sam.c | 902 ++++++++++++++++++++++++----------------------
+ 2 files changed, 475 insertions(+), 432 deletions(-)
+
+diff --git a/daemons/configure.ac b/daemons/configure.ac
+index 77a3be0397..b3fed6e79e 100644
+--- a/daemons/configure.ac
++++ b/daemons/configure.ac
+@@ -225,6 +225,11 @@ AC_CHECK_LIB([$LIBPDB_NAME],[pdb_enum_upn_suffixes],
+              [AC_MSG_WARN([libpdb does not have pdb_enum_upn_suffixes, no support for realm domains in ipasam])],
+              [$SAMBA40EXTRA_LIBPATH])
+ 
++AC_CHECK_LIB([smbldap],[smbldap_get_ldap],
++             [AC_DEFINE([HAVE_SMBLDAP_GET_LDAP], [1], [struct smbldap_state is opaque])],
++             [AC_MSG_WARN([libsmbldap is not opaque, not using smbldap_get_ldap])],
++             [$SAMBA40EXTRA_LIBPATH])
++
+ dnl ---------------------------------------------------------------------------
+ dnl Check for libunistring
+ dnl ---------------------------------------------------------------------------
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 59d92f37c9..fe9913d611 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -190,7 +190,19 @@ bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-
+ const struct dom_sid global_sid_Builtin = { 1, 1, {0,0,0,0,0,5},
+ 					   {32,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+ 
+-struct ipasam_privates {
++/* With Samba 4.7 ldapsam_privates structure is not public anymore.
++ * FreeIPA needs to use own structure */
++
++struct ipasam_private {
++	struct smbldap_state *ldap_state;
++	/* Former statics */
++	LDAPMessage *result;
++	LDAPMessage *entry;
++
++	const char *domain_name;
++	struct dom_sid domain_sid;
++
++	char *domain_dn;
+ 	char *realm;
+ 	char *base_dn;
+ 	char *trust_dn;
+@@ -204,7 +216,7 @@ struct ipasam_privates {
+ };
+ 
+ 
+-static NTSTATUS ipasam_get_domain_name(struct ldapsam_privates *ldap_state,
++static NTSTATUS ipasam_get_domain_name(struct ipasam_private *ipasam_state,
+ 				       TALLOC_CTX *mem_ctx,
+ 				       char **domain_name);
+ 
+@@ -332,9 +344,35 @@ static bool strnequal(const char *s1, const char *s2, size_t n) {
+ 	return false;
+ }
+ 
+-static LDAP *priv2ld(struct ldapsam_privates *priv)
++static LDAP *_smbldap_get_ldap(struct smbldap_state *state) {
++#ifdef HAVE_SMBLDAP_GET_LDAP
++	return smbldap_get_ldap(state);
++#else
++	return state->ldap_struct;
++#endif
++
++}
++
++static bool _smbldap_get_paged_results(struct smbldap_state *state) {
++#ifdef HAVE_SMBLDAP_GET_LDAP
++	return smbldap_get_paged_results(state);
++#else
++	return state->paged_results;
++#endif
++}
++
++static void _smbldap_set_paged_results(struct smbldap_state *state,
++			       bool paged_results) {
++#ifdef HAVE_SMBLDAP_GET_LDAP
++	smbldap_set_paged_results(state, paged_results);
++#else
++	state->paged_results = paged_results;
++#endif
++}
++
++static LDAP *priv2ld(struct ipasam_private *priv)
+ {
+-	return priv->smbldap_state->ldap_struct;
++	return _smbldap_get_ldap(priv->ldap_state);
+ }
+ 
+ /*
+@@ -508,8 +546,8 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
+ 				    const char **names,
+ 				    enum lsa_SidType *attrs)
+ {
+-	struct ldapsam_privates *ldap_state =
+-		(struct ldapsam_privates *)methods->private_data;
++	struct ipasam_private *ipasam_state =
++		talloc_get_type_abort(methods->private_data, struct ipasam_private);
+ 	LDAPMessage *msg = NULL;
+ 	LDAPMessage *entry;
+ 	char *allsids = NULL;
+@@ -526,7 +564,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
+ 	}
+ 
+ 	if (!sid_check_is_builtin(domain_sid) &&
+-	     dom_sid_compare_domain(&ldap_state->domain_sid, domain_sid) != 0) {
++	     dom_sid_compare_domain(&ipasam_state->domain_sid, domain_sid) != 0) {
+ 		result = NT_STATUS_INVALID_PARAMETER;
+ 		goto done;
+ 	}
+@@ -570,8 +608,8 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
+ 			goto done;
+ 		}
+ 
+-		rc = smbldap_search(ldap_state->smbldap_state,
+-				    ldap_state->ipasam_privates->base_dn,
++		rc = smbldap_search(ipasam_state->ldap_state,
++				    ipasam_state->base_dn,
+ 				    LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
+ 				    &msg);
+ 		smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
+@@ -580,7 +618,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
+ 	if (rc != LDAP_SUCCESS)
+ 		goto done;
+ 
+-	ld = ldap_state->smbldap_state->ldap_struct;
++	ld = priv2ld(ipasam_state);
+ 	num_mapped = 0;
+ 
+ 	for (entry = ldap_first_entry(ld, msg);
+@@ -591,7 +629,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
+ 		const char *name;
+ 
+ 		if (!ldapsam_extract_rid_from_entry(ld, entry,
+-						    ldap_state->ipasam_privates->idmap_ctx,
++						    ipasam_state->idmap_ctx,
+ 						    domain_sid,
+ 						    &rid)) {
+ 			DEBUG(2, ("Could not find sid from ldap entry\n"));
+@@ -640,8 +678,8 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
+ 			goto done;
+ 		}
+ 
+-		rc = smbldap_search(ldap_state->smbldap_state,
+-				    ldap_state->ipasam_privates->base_dn,
++		rc = smbldap_search(ipasam_state->ldap_state,
++				    ipasam_state->base_dn,
+ 				    LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0,
+ 				    &msg);
+ 		smbldap_talloc_autofree_ldapmsg(mem_ctx, msg);
+@@ -652,7 +690,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
+ 
+ 	/* ldap_struct might have changed due to a reconnect */
+ 
+-	ld = ldap_state->smbldap_state->ldap_struct;
++	ld = priv2ld(ipasam_state);
+ 
+ 	/* For consistency checks, we already checked we're only domain or builtin */
+ 
+@@ -678,7 +716,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
+ 		}
+ 
+ 		if (!ldapsam_extract_rid_from_entry(ld, entry,
+-						    ldap_state->ipasam_privates->idmap_ctx,
++						    ipasam_state->idmap_ctx,
+ 						    domain_sid, &rid)) {
+ 			DEBUG(2, ("Could not find sid from ldap entry %s\n", dn));
+ 			continue;
+@@ -727,8 +765,8 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
+ 			      const struct dom_sid *sid,
+ 			      struct unixid *id)
+ {
+-	struct ldapsam_privates *priv =
+-		(struct ldapsam_privates *)methods->private_data;
++	struct ipasam_private *priv =
++		talloc_get_type_abort(methods->private_data, struct ipasam_private);
+ 	char *filter;
+ 	const char *attrs[] = { "objectClass", "gidNumber", "uidNumber",
+ 				NULL };
+@@ -758,7 +796,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
+ 		goto done;
+ 	}
+ 
+-	rc = smbldap_search_suffix(priv->smbldap_state, filter,
++	rc = smbldap_search_suffix(priv->ldap_state, filter,
+ 				   attrs, &result);
+ 	if (rc != LDAP_SUCCESS) {
+ 		goto done;
+@@ -827,11 +865,11 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
+ 	return ret;
+ }
+ 
+-static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
++static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
+ 			       struct dom_sid *sid)
+ {
+-	struct ldapsam_privates *priv =
+-		(struct ldapsam_privates *)methods->private_data;
++	struct ipasam_private *priv =
++		talloc_get_type_abort(methods->private_data, struct ipasam_private);
+ 	char *filter;
+ 	const char *attrs[] = { LDAP_ATTRIBUTE_SID, NULL };
+ 	LDAPMessage *result = NULL;
+@@ -867,7 +905,7 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
+ 		goto done;
+ 	}
+ 
+-	rc = smbldap_search_suffix(priv->smbldap_state, filter, attrs, &result);
++	rc = smbldap_search_suffix(priv->ldap_state, filter, attrs, &result);
+ 	if (rc != LDAP_SUCCESS) {
+ 		goto done;
+ 	}
+@@ -890,7 +928,7 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
+ 		goto done;
+ 	}
+ 
+-	err = sss_idmap_sid_to_smb_sid(priv->ipasam_privates->idmap_ctx,
++	err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx,
+ 				       user_sid_string, &user_sid);
+ 	if (err != IDMAP_SUCCESS) {
+ 		DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
+@@ -912,11 +950,11 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
+ 	return ret;
+ }
+ 
+-static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
++static bool ipasam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
+ 			       struct dom_sid *sid)
+ {
+-	struct ldapsam_privates *priv =
+-		(struct ldapsam_privates *)methods->private_data;
++	struct ipasam_private *priv =
++		talloc_get_type_abort(methods->private_data, struct ipasam_private);
+ 	char *filter;
+ 	const char *attrs[] = { LDAP_ATTRIBUTE_SID, LDAP_ATTRIBUTE_OBJECTCLASS, NULL };
+ 	LDAPMessage *result = NULL;
+@@ -947,7 +985,7 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
+ 		goto done;
+ 	}
+ 
+-	rc = smbldap_search_suffix(priv->smbldap_state, filter, attrs, &result);
++	rc = smbldap_search_suffix(priv->ldap_state, filter, attrs, &result);
+ 	if (rc != LDAP_SUCCESS) {
+ 		goto done;
+ 	}
+@@ -988,7 +1026,7 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
+ 			   "returning fallback group.\n", (unsigned int)gid));
+ 
+ 		sid_copy(sid,
+-			 &priv->ipasam_privates->fallback_primary_group);
++			 &priv->fallback_primary_group);
+ 		ret = true;
+ 		goto done;
+ 
+@@ -1002,8 +1040,8 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
+ 		goto done;
+ 	}
+ 
+-	err = sss_idmap_sid_to_smb_sid(priv->ipasam_privates->idmap_ctx,
+-					   group_sid_string, &group_sid);
++	err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx,
++				       group_sid_string, &group_sid);
+ 	if (err != IDMAP_SUCCESS) {
+ 		DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
+ 			  group_sid_string));
+@@ -1031,10 +1069,10 @@ static bool ipasam_id_to_sid(struct pdb_methods *methods, struct unixid *id, str
+ 	bool result = false;
+ 
+ 	if (id->type != ID_TYPE_GID) {
+-		result = ldapsam_uid_to_sid(methods, id->id, sid);
++		result = ipasam_uid_to_sid(methods, id->id, sid);
+ 	}
+ 	if (!result && id->type != ID_TYPE_UID) {
+-		result = ldapsam_gid_to_sid(methods, id->id, sid);
++		result = ipasam_gid_to_sid(methods, id->id, sid);
+ 	}
+ 
+ 	return result;
+@@ -1112,16 +1150,16 @@ struct ldap_search_state {
+ 				  struct samr_displayentry *result);
+ };
+ 
+-static bool ldapsam_search_firstpage(struct pdb_search *search)
++static bool ipasam_search_firstpage(struct pdb_search *search)
+ {
+ 	struct ldap_search_state *state =
+-		(struct ldap_search_state *)search->private_data;
++		talloc_get_type_abort(search->private_data, struct ldap_search_state);
+ 	LDAP *ld;
+ 	int rc = LDAP_OPERATIONS_ERROR;
+ 
+ 	state->entries = NULL;
+ 
+-	if (state->connection->paged_results) {
++	if (_smbldap_get_paged_results(state->connection)) {
+ 		rc = smbldap_search_paged(state->connection, state->base,
+ 					  state->scope, state->filter,
+ 					  state->attrs, state->attrsonly,
+@@ -1146,10 +1184,10 @@ static bool ldapsam_search_firstpage(struct pdb_search *search)
+ 
+ 		/* Ok, the server was lying. It told us it could do paged
+ 		 * searches when it could not. */
+-		state->connection->paged_results = false;
++		_smbldap_set_paged_results(state->connection, false);
+ 	}
+ 
+-        ld = state->connection->ldap_struct;
++        ld = _smbldap_get_ldap(state->connection);
+         if ( ld == NULL) {
+                 DEBUG(5, ("Don't have an LDAP connection right after a "
+ 			  "search\n"));
+@@ -1160,13 +1198,14 @@ static bool ldapsam_search_firstpage(struct pdb_search *search)
+ 	return true;
+ }
+ 
+-static bool ldapsam_search_nextpage(struct pdb_search *search)
++static bool ipasam_search_nextpage(struct pdb_search *search)
+ {
+ 	struct ldap_search_state *state =
+-		(struct ldap_search_state *)search->private_data;
++		talloc_get_type_abort(search->private_data, struct ldap_search_state);
++	LDAP *ld;
+ 	int rc;
+ 
+-	if (!state->connection->paged_results) {
++	if (!_smbldap_get_paged_results(state->connection)) {
+ 		/* There is no next page when there are no paged results */
+ 		return false;
+ 	}
+@@ -1180,7 +1219,14 @@ static bool ldapsam_search_nextpage(struct pdb_search *search)
+ 	if ((rc != LDAP_SUCCESS) || (state->entries == NULL))
+ 		return false;
+ 
+-	state->current_entry = ldap_first_entry(state->connection->ldap_struct, state->entries);
++        ld = _smbldap_get_ldap(state->connection);
++        if ( ld == NULL) {
++                DEBUG(5, ("Don't have an LDAP connection right after a "
++			  "search\n"));
++                return false;
++        }
++	state->current_entry = ldap_first_entry(ld,
++						state->entries);
+ 
+ 	if (state->current_entry == NULL) {
+ 		ldap_msgfree(state->entries);
+@@ -1191,38 +1237,44 @@ static bool ldapsam_search_nextpage(struct pdb_search *search)
+ 	return true;
+ }
+ 
+-static bool ldapsam_search_next_entry(struct pdb_search *search,
++static bool ipasam_search_next_entry(struct pdb_search *search,
+ 				      struct samr_displayentry *entry)
+ {
+ 	struct ldap_search_state *state =
+-		(struct ldap_search_state *)search->private_data;
++		talloc_get_type_abort(search->private_data, struct ldap_search_state);
+ 	bool result;
++	LDAP *ld;
+ 
+  retry:
+ 	if ((state->entries == NULL) && (state->pagedresults_cookie == NULL))
+ 		return false;
+ 
+ 	if ((state->entries == NULL) &&
+-	    !ldapsam_search_nextpage(search))
++	    !ipasam_search_nextpage(search))
+ 		    return false;
+ 
+ 	if (state->current_entry == NULL) {
+ 		return false;
+ 	}
+ 
++        ld = _smbldap_get_ldap(state->connection);
++        if ( ld == NULL) {
++                DEBUG(5, ("Don't have an LDAP connection right after a "
++			  "search\n"));
++                return false;
++        }
+ 	result = state->ldap2displayentry(state, search,
+-					  state->connection->ldap_struct,
++					  ld,
+ 					  state->current_entry, entry);
+ 
+ 	if (!result) {
+ 		char *dn;
+-		dn = ldap_get_dn(state->connection->ldap_struct,
+-				 state->current_entry);
++		dn = ldap_get_dn(ld, state->current_entry);
+ 		DEBUG(5, ("Skipping entry %s\n", dn != NULL ? dn : "<NULL>"));
+ 		if (dn != NULL) ldap_memfree(dn);
+ 	}
+ 
+-	state->current_entry = ldap_next_entry(state->connection->ldap_struct,
++	state->current_entry = ldap_next_entry(ld,
+ 					       state->current_entry);
+ 
+ 	if (state->current_entry == NULL) {
+@@ -1235,10 +1287,10 @@ static bool ldapsam_search_next_entry(struct pdb_search *search,
+ 	return true;
+ }
+ 
+-static void ldapsam_search_end(struct pdb_search *search)
++static void ipasam_search_end(struct pdb_search *search)
+ {
+ 	struct ldap_search_state *state =
+-		(struct ldap_search_state *)search->private_data;
++		talloc_get_type_abort(search->private_data, struct ldap_search_state);
+ 	int rc;
+ 
+ 	if (state->pagedresults_cookie == NULL)
+@@ -1250,7 +1302,7 @@ static void ldapsam_search_end(struct pdb_search *search)
+ 	state->entries = NULL;
+ 	state->current_entry = NULL;
+ 
+-	if (!state->connection->paged_results)
++	if (!_smbldap_get_paged_results(state->connection))
+ 		return;
+ 
+ 	/* Tell the LDAP server we're not interested in the rest anymore. */
+@@ -1263,7 +1315,6 @@ static void ldapsam_search_end(struct pdb_search *search)
+ 	if (rc != LDAP_SUCCESS)
+ 		DEBUG(5, ("Could not end search properly\n"));
+ 
+-	return;
+ }
+ 
+ static bool ldapuser2displayentry(struct ldap_search_state *state,
+@@ -1355,12 +1406,12 @@ static bool ldapuser2displayentry(struct ldap_search_state *state,
+ 	return true;
+ }
+ 
+-static bool ldapsam_search_users(struct pdb_methods *methods,
++static bool ipasam_search_users(struct pdb_methods *methods,
+ 				 struct pdb_search *search,
+ 				 uint32_t acct_flags)
+ {
+-	struct ldapsam_privates *ldap_state =
+-		(struct ldapsam_privates *)methods->private_data;
++	struct ipasam_private *ipasam_state =
++		talloc_get_type_abort(methods->private_data, struct ipasam_private);
+ 	struct ldap_search_state *state;
+ 
+ 	state = talloc(search, struct ldap_search_state);
+@@ -1369,9 +1420,9 @@ static bool ldapsam_search_users(struct pdb_methods *methods,
+ 		return false;
+ 	}
+ 
+-	state->connection = ldap_state->smbldap_state;
++	state->connection = ipasam_state->ldap_state;
+ 
+-	state->base = talloc_strdup(search, ldap_state->ipasam_privates->base_dn);
++	state->base = talloc_strdup(search, ipasam_state->base_dn);
+ 
+ 	state->acct_flags = acct_flags;
+ 	state->scope = LDAP_SCOPE_SUBTREE;
+@@ -1382,8 +1433,8 @@ static bool ldapsam_search_users(struct pdb_methods *methods,
+ 	state->attrsonly = 0;
+ 	state->pagedresults_cookie = NULL;
+ 	state->entries = NULL;
+-	state->idmap_ctx = ldap_state->ipasam_privates->idmap_ctx;
+-	state->dom_sid = &ldap_state->domain_sid;
++	state->idmap_ctx = ipasam_state->idmap_ctx;
++	state->dom_sid = &ipasam_state->domain_sid;
+ 	state->ldap2displayentry = ldapuser2displayentry;
+ 
+ 	if ((state->filter == NULL) || (state->attrs == NULL)) {
+@@ -1392,10 +1443,10 @@ static bool ldapsam_search_users(struct pdb_methods *methods,
+ 	}
+ 
+ 	search->private_data = state;
+-	search->next_entry = ldapsam_search_next_entry;
+-	search->search_end = ldapsam_search_end;
++	search->next_entry = ipasam_search_next_entry;
++	search->search_end = ipasam_search_end;
+ 
+-	return ldapsam_search_firstpage(search);
++	return ipasam_search_firstpage(search);
+ }
+ 
+ static bool ldapgroup2displayentry(struct ldap_search_state *state,
+@@ -1496,8 +1547,8 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state,
+ 		case SID_NAME_DOM_GRP:
+ 		case SID_NAME_ALIAS:
+ 
+-			if (!sid_peek_check_rid(state->dom_sid, sid, &result->rid)
+-				&& !sid_peek_check_rid(&global_sid_Builtin, sid, &result->rid))
++			if (!sid_peek_check_rid(state->dom_sid, sid, &result->rid) &&
++			    !sid_peek_check_rid(&global_sid_Builtin, sid, &result->rid))
+ 			{
+ 				talloc_free(sid);
+ 				DEBUG(0, ("SID is not in our domain\n"));
+@@ -1517,13 +1568,13 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state,
+ 	return true;
+ }
+ 
+-static bool ldapsam_search_grouptype(struct pdb_methods *methods,
++static bool ipasam_search_grouptype(struct pdb_methods *methods,
+ 				     struct pdb_search *search,
+ 				     const struct dom_sid *sid,
+ 				     enum lsa_SidType type)
+ {
+-	struct ldapsam_privates *ldap_state =
+-		(struct ldapsam_privates *)methods->private_data;
++	struct ipasam_private *ipasam_state =
++		talloc_get_type_abort(methods->private_data, struct ipasam_private);
+ 	struct ldap_search_state *state;
+ 
+ 	state = talloc(search, struct ldap_search_state);
+@@ -1532,8 +1583,8 @@ static bool ldapsam_search_grouptype(struct pdb_methods *methods,
+ 		return false;
+ 	}
+ 
+-	state->base = talloc_strdup(search, ldap_state->ipasam_privates->base_dn);
+-	state->connection = ldap_state->smbldap_state;
++	state->base = talloc_strdup(search, ipasam_state->base_dn);
++	state->connection = ipasam_state->ldap_state;
+ 	state->scope = LDAP_SCOPE_SUBTREE;
+ 	state->filter =	talloc_asprintf(search, "(&(objectclass=%s)"
+ 					"(%s=%s*))",
+@@ -1547,8 +1598,8 @@ static bool ldapsam_search_grouptype(struct pdb_methods *methods,
+ 	state->pagedresults_cookie = NULL;
+ 	state->entries = NULL;
+ 	state->group_type = type;
+-	state->idmap_ctx = ldap_state->ipasam_privates->idmap_ctx;
+-	state->dom_sid = &ldap_state->domain_sid;
++	state->idmap_ctx = ipasam_state->idmap_ctx;
++	state->dom_sid = &ipasam_state->domain_sid;
+ 	state->ldap2displayentry = ldapgroup2displayentry;
+ 
+ 	if ((state->filter == NULL) || (state->attrs == NULL)) {
+@@ -1557,56 +1608,48 @@ static bool ldapsam_search_grouptype(struct pdb_methods *methods,
+ 	}
+ 
+ 	search->private_data = state;
+-	search->next_entry = ldapsam_search_next_entry;
+-	search->search_end = ldapsam_search_end;
++	search->next_entry = ipasam_search_next_entry;
++	search->search_end = ipasam_search_end;
+ 
+-	return ldapsam_search_firstpage(search);
++	return ipasam_search_firstpage(search);
+ }
+ 
+-static bool ldapsam_search_groups(struct pdb_methods *methods,
++static bool ipasam_search_groups(struct pdb_methods *methods,
+ 				  struct pdb_search *search)
+ {
+-	struct ldapsam_privates *ldap_state =
+-		(struct ldapsam_privates *)methods->private_data;
++	struct ipasam_private *ipasam_state =
++		talloc_get_type_abort(methods->private_data, struct ipasam_private);
+ 
+-	return ldapsam_search_grouptype(methods, search,
+-					&ldap_state->domain_sid,
++	return ipasam_search_grouptype(methods, search,
++					&ipasam_state->domain_sid,
+                                         SID_NAME_DOM_GRP);
+ }
+ 
+-static bool ldapsam_search_aliases(struct pdb_methods *methods,
++static bool ipasam_search_aliases(struct pdb_methods *methods,
+ 				   struct pdb_search *search,
+ 				   const struct dom_sid *sid)
+ {
+-	return ldapsam_search_groups(methods, search);
++	return ipasam_search_grouptype(methods, search,
++				       sid, SID_NAME_ALIAS);
+ }
+ 
+-
+-
+-
+-
+-
+-
+-
+-
+-
+ static char *trusted_domain_dn(TALLOC_CTX *mem_ctx,
+-			       struct ldapsam_privates *ldap_state,
++			       struct ipasam_private *ipasam_state,
+ 			       const char *domain)
+ {
+ 	return talloc_asprintf(mem_ctx, "%s=%s,%s",
+ 			       LDAP_ATTRIBUTE_CN, domain,
+-			       ldap_state->ipasam_privates->trust_dn);
++			       ipasam_state->trust_dn);
+ }
+ 
+-static NTSTATUS ipasam_get_objectclasses(struct ldapsam_privates *ldap_state,
++static NTSTATUS ipasam_get_objectclasses(struct ipasam_private *ipasam_state,
+ 					 const char *dn, LDAPMessage *entry,
+ 					 uint32_t *has_objectclass)
+ {
+ 	struct berval **bervals;
+ 	size_t c;
+ 
+-	bervals = ldap_get_values_len(priv2ld(ldap_state), entry,
++	bervals = ldap_get_values_len(priv2ld(ipasam_state), entry,
+ 					LDAP_ATTRIBUTE_OBJECTCLASS);
+ 	if (bervals == NULL) {
+ 		DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn));
+@@ -1643,7 +1686,7 @@ static NTSTATUS ipasam_get_objectclasses(struct ldapsam_privates *ldap_state,
+ 	return NT_STATUS_OK;
+ }
+ 
+-static bool search_krb_princ(struct ldapsam_privates *ldap_state,
++static bool search_krb_princ(struct ipasam_private *ipasam_state,
+ 			     TALLOC_CTX *mem_ctx,
+ 			     const char *princ, const char *base_dn,
+ 			     LDAPMessage **entry)
+@@ -1659,7 +1702,7 @@ static bool search_krb_princ(struct ldapsam_privates *ldap_state,
+ 		return false;
+ 	}
+ 
+-	rc = smbldap_search(ldap_state->smbldap_state, base_dn,
++	rc = smbldap_search(ipasam_state->ldap_state, base_dn,
+ 			    LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result);
+ 
+ 	if (result != NULL) {
+@@ -1675,7 +1718,7 @@ static bool search_krb_princ(struct ldapsam_privates *ldap_state,
+ 		return false;
+ 	}
+ 
+-	num_result = ldap_count_entries(priv2ld(ldap_state), result);
++	num_result = ldap_count_entries(priv2ld(ipasam_state), result);
+ 
+ 	if (num_result > 1) {
+ 		DEBUG(1, ("search_krb_princ: more than one object found "
+@@ -1688,7 +1731,7 @@ static bool search_krb_princ(struct ldapsam_privates *ldap_state,
+ 			  "with filter '%s'.\n", filter));
+ 		*entry = NULL;
+ 	} else {
+-		*entry = ldap_first_entry(priv2ld(ldap_state), result);
++		*entry = ldap_first_entry(priv2ld(ipasam_state), result);
+ 	}
+ 
+ 	return true;
+@@ -1701,7 +1744,7 @@ long default_enctypes[DEF_ENCTYPE_NUM] = {
+     ENCTYPE_ARCFOUR_HMAC
+ };
+ 
+-static int set_cross_realm_pw(struct ldapsam_privates *ldap_state,
++static int set_cross_realm_pw(struct ipasam_private *ipasam_state,
+ 			      const char *princ,
+ 			      const char *pwd)
+ {
+@@ -1720,7 +1763,7 @@ static int set_cross_realm_pw(struct ldapsam_privates *ldap_state,
+         reqdata.bv_len = buflen;
+         reqdata.bv_val = buffer;
+ 
+-	ret = smbldap_extended_operation(ldap_state->smbldap_state,
++	ret = smbldap_extended_operation(ipasam_state->ldap_state,
+ 					 KEYTAB_GET_OID, &reqdata, NULL, NULL,
+ 					 &retoid, &retdata);
+ 	if (ret != LDAP_SUCCESS) {
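Review bot: `reqdata.bv_val = buffer` hands the keytab-set extended operation a buffer that, given the `const char *pwd` parameter of `set_cross_realm_pw`, presumably carries the cross-realm trust password in encoded form; the hunk shows no clearing of that buffer on either the success path or the `ret != LDAP_SUCCESS` path. If that inference holds, the buffer should be wiped with a clear the compiler cannot elide (explicit_bzero or the tree's equivalent) before it is freed, on both paths, so the trust secret does not linger in heap memory or in a core dump. The function's body begins and ends outside this hunk, so the allocation and release of `buffer` could not be checked here; please confirm where it is freed and add the wipe there.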
+@@ -1744,7 +1787,7 @@ static int set_cross_realm_pw(struct ldapsam_privates *ldap_state,
+ #define KRB_PRINC_CREATE_DISABLED           0x00000001
+ #define KRB_PRINC_CREATE_AGENT_PERMISSION   0x00000002
+ 
+-static bool set_krb_princ(struct ldapsam_privates *ldap_state,
++static bool set_krb_princ(struct ipasam_private *ipasam_state,
+ 			  TALLOC_CTX *mem_ctx,
+ 			  const char *princ, const char *saltprinc,
+ 			  const char *pwd,
+@@ -1758,17 +1801,17 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state,
+ 	uint32_t has_objectclass = 0;
+ 	NTSTATUS status;
+ 
+-	if (!search_krb_princ(ldap_state, mem_ctx, princ, base_dn, &entry)) {
++	if (!search_krb_princ(ipasam_state, mem_ctx, princ, base_dn, &entry)) {
+ 		return false;
+ 	}
+ 
+ 	if (entry) {
+-		dn = get_dn(mem_ctx, priv2ld(ldap_state), entry);
++		dn = get_dn(mem_ctx, priv2ld(ipasam_state), entry);
+ 		if (!dn) {
+ 			return false;
+ 		}
+ 
+-		status = ipasam_get_objectclasses(ldap_state, dn, entry,
++		status = ipasam_get_objectclasses(ipasam_state, dn, entry,
+ 						  &has_objectclass);
+ 		if (!NT_STATUS_IS_OK(status)) {
+ 			return false;
+@@ -1810,13 +1853,13 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state,


