From b0c4751808040afdc15ca801619c43fe192c6a35 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 6 Oct 2009 12:12:21 -0400 Subject: Remove magicPrivateGroups option In sssd only local is a native mpg domain, and it is forced. All other providers will have to unroll mpg users into a user/group pair of entries in the db. This allows the provider to automatically establish if the remote server provides mpg users w/o possibily conflicting manual configurations on the client trying to force an mpg behavior where none is provided. --- server/confdb/confdb.c | 12 ------------ server/confdb/confdb.h | 1 - server/db/sysdb.c | 6 ++++++ server/db/sysdb_ops.c | 10 +++++----- server/db/sysdb_private.h | 1 + server/db/sysdb_search.c | 10 +++++----- server/man/sssd.conf.5.xml | 41 ----------------------------------------- 7 files changed, 17 insertions(+), 64 deletions(-) diff --git a/server/confdb/confdb.c b/server/confdb/confdb.c index b2a941ecb..88bdd65e4 100644 --- a/server/confdb/confdb.c +++ b/server/confdb/confdb.c @@ -835,18 +835,6 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, DEBUG(1, ("No enumeration for [%s]!\n", domain->name)); } - /* Determine if this is domain uses MPG */ - ret = get_entry_as_bool(res->msgs[0], &domain->mpg, CONFDB_DOMAIN_MPG, 0); - if(ret != EOK) { - DEBUG(0, ("Invalid value for %s\n", CONFDB_DOMAIN_MPG)); - goto done; - } - - /* The local provider always uses MPG, so override it */ - if (strcasecmp(domain->provider, "local") == 0) { - domain->mpg = true; - } - /* Determine if user/group names will be Fully Qualified * in NSS interfaces */ ret = get_entry_as_bool(res->msgs[0], &domain->fqnames, CONFDB_DOMAIN_FQ, 0); diff --git a/server/confdb/confdb.h b/server/confdb/confdb.h index 3821ffff3..089432729 100644 --- a/server/confdb/confdb.h +++ b/server/confdb/confdb.h @@ -111,7 +111,6 @@ struct sss_domain_info { int timeout; bool enumerate; bool fqnames; - bool mpg; uint32_t id_min; uint32_t id_max; 
diff --git a/server/db/sysdb.c b/server/db/sysdb.c index 87d0de965..7a6d61660 100644 --- a/server/db/sysdb.c +++ b/server/db/sysdb.c @@ -1063,6 +1063,12 @@ static int sysdb_domain_init_internal(TALLOC_CTX *mem_ctx, ctx->ev = ev; ctx->domain = domain; + /* The local provider s the only true MPG, + * for the other domains, the provider actually unrolls MPGs */ + if (strcasecmp(domain->provider, "local") == 0) { + ctx->mpg = true; + } + ret = sysdb_get_db_file(ctx, domain, db_path, &ctx->ldb_file); if (ret != EOK) { return ret; diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c index 3a53c9e5e..5743dc85c 100644 --- a/server/db/sysdb_ops.c +++ b/server/db/sysdb_ops.c @@ -1731,7 +1731,7 @@ struct tevent_req *sysdb_add_user_send(TALLOC_CTX *mem_ctx, state->shell = shell; state->attrs = attrs; - if (domain->mpg) { + if (handle->ctx->mpg) { if (gid != 0) { DEBUG(0, ("Cannot add user with arbitrary GID in MPG domain!\n")); ERROR_OUT(ret, EINVAL, fail); @@ -1753,7 +1753,7 @@ struct tevent_req *sysdb_add_user_send(TALLOC_CTX *mem_ctx, ERROR_OUT(ret, ERANGE, fail); } - if (domain->mpg) { + if (handle->ctx->mpg) { /* In MPG domains you can't have groups with the same name as users, * search if a group with the same name exists. * Don't worry about users, if we try to add a user with the same @@ -1956,7 +1956,7 @@ static void sysdb_add_user_get_id_done(struct tevent_req *subreq) tevent_req_error(req, ret); return; } - if (state->domain->mpg) { + if (state->handle->ctx->mpg) { ret = sysdb_attrs_add_uint32(id_attrs, SYSDB_GIDNUM, id); if (ret) { DEBUG(6, ("Error: %d (%s)\n", ret, strerror(ret))); @@ -2173,7 +2173,7 @@ struct tevent_req *sysdb_add_group_send(TALLOC_CTX *mem_ctx, ERROR_OUT(ret, ERANGE, fail); } - if (domain->mpg) { + if (handle->ctx->mpg) { /* In MPG domains you can't have groups with the same name as users, * search if a group with the same name exists. * Don't worry about users, if we try to add a user with the same 
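Review bot: The comment added in sysdb_domain_init_internal has a typo ("s the only true MPG"), and the assignment below it only writes `ctx->mpg` in the true branch, so the false value for every non-local domain depends on the context having been zero-allocated, which this hunk does not show. Writing `ctx->mpg = (strcasecmp(domain->provider, "local") == 0);` under a corrected comment such as `/* The local provider is the only true MPG; for other domains the provider unrolls MPGs itself */` sets the flag explicitly in both directions and no longer relies on the allocator. It also records why the flag is no longer read from configuration: it is decided by the provider type alone. Whether `domain->provider` is guaranteed non-NULL here is not visible in the hunk; the removed confdb.c code carried the same assumption. sysdb_domain_init_internal starts and ends outside the hunk.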
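Review bot: In sysdb_add_user_send the predicate `handle->ctx->mpg` is now evaluated twice in the same function (this hunk at line 1731 and the one at line 1753); a single `bool mpg = handle->ctx->mpg;` alongside the other state assignments, reused by both checks, reads better and keeps the two branches from drifting apart if one is edited later. The remaining hunks in this file (1956, 2173, 2665) are the same mechanical switch from the domain flag to the sysdb context flag and need no further change. Whether `handle` and `handle->ctx` are guaranteed non-NULL at these points is not visible in the hunk; the original `domain->mpg` carried the same assumption about `domain`. sysdb_add_user_send starts and ends outside the hunk.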
@@ -2665,7 +2665,7 @@ static void sysdb_store_user_check(struct tevent_req *subreq) } } - if (state->uid && !state->gid && state->domain->mpg) { + if (state->uid && !state->gid && state->handle->ctx->mpg) { ret = sysdb_attrs_add_uint32(state->attrs, SYSDB_GIDNUM, state->uid); if (ret) { DEBUG(6, ("Error: %d (%s)\n", ret, strerror(ret))); diff --git a/server/db/sysdb_private.h b/server/db/sysdb_private.h index e380c8278..1f603eb4b 100644 --- a/server/db/sysdb_private.h +++ b/server/db/sysdb_private.h @@ -72,6 +72,7 @@ struct sysdb_ctx { struct tevent_context *ev; struct sss_domain_info *domain; + bool mpg; struct ldb_context *ldb; char *ldb_file; diff --git a/server/db/sysdb_search.c b/server/db/sysdb_search.c index 199f5a1ae..2b5dc369e 100644 --- a/server/db/sysdb_search.c +++ b/server/db/sysdb_search.c @@ -589,7 +589,7 @@ static int get_grp_callback(struct ldb_request *req, switch (rep->type) { case LDB_REPLY_ENTRY: - if (sctx->domain->mpg) { + if (sctx->ctx->mpg) { ret = mpg_convert(rep->message); if (ret != EOK) { request_ldberror(sctx, LDB_ERR_OPERATIONS_ERROR); @@ -682,7 +682,7 @@ static void grp_search(struct tevent_req *treq) return request_error(sctx, ret); } - if (sctx->domain->mpg) { + if (sctx->ctx->mpg) { base_dn = ldb_dn_new_fmt(sctx, sctx->ctx->ldb, SYSDB_DOM_BASE, sctx->domain->name); } else { @@ -726,7 +726,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx, return ENOMEM; } - if (domain->mpg) { + if (ctx->mpg) { sctx->expression = talloc_asprintf(sctx, SYSDB_GRNAM_MPG_FILTER, name); } else { sctx->expression = talloc_asprintf(sctx, SYSDB_GRNAM_FILTER, name); @@ -765,7 +765,7 @@ int sysdb_getgrgid(TALLOC_CTX *mem_ctx, return ENOMEM; } - if (domain->mpg) { + if (ctx->mpg) { sctx->expression = talloc_asprintf(sctx, SYSDB_GRGID_MPG_FILTER, (unsigned long int)gid); 
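Review bot: The new `mpg` field in struct sysdb_ctx is undocumented, and since this commit makes it the sole source of truth that configuration can no longer override, the header is the right place to say so: `bool mpg; /* true only when the domain provider is "local"; derived at sysdb init, never read from config */`. Keeping that invariant next to the field helps a maintainer notice if a later change reintroduces a configurable path, which is the conflicting-configuration case the commit message describes.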
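Review bot: Both branches of sysdb_getgrnam (hunk at line 726) format the caller-supplied `name` straight into an ldb filter expression with talloc_asprintf, and nothing in the hunk escapes filter syntax characters in it; if `name` can arrive from an NSS lookup without prior sanitization, which is not visible here, such characters would alter the query instead of being matched literally, and the MPG filter branch is affected the same way. This predates the commit, but since the line is touched it is worth either escaping at this boundary or recording the contract next to it: `/* name must already be escaped for ldb filter syntax; callers are responsible */`. The talloc_asprintf result is not checked within the hunk; presumably the NULL check follows below. sysdb_getgrnam starts and ends outside the hunk.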
@@ -809,7 +809,7 @@ int sysdb_enumgrent(TALLOC_CTX *mem_ctx, sctx->enumeration = true; - if (domain->mpg) { + if (ctx->mpg) { sctx->expression = SYSDB_GRENT_MPG_FILTER; } else { sctx->expression = SYSDB_GRENT_FILTER; diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml index 7946ed45c..3eab23553 100644 --- a/server/man/sssd.conf.5.xml +++ b/server/man/sssd.conf.5.xml @@ -363,47 +363,6 @@ - - magic_private_groups (bool) - - - By using the Magic Private Groups option, you - are imposing two limitations to the ID space - and name space: - - - 1. Users and groups in the domain share a common - name space. There can never be an explicit group - with the same name as a user - - - 2. Users and groups share a common ID - space, there can never be an explicit group with - a same ID as a user - - - Using Magic Private groups bring the benefit of - better Windows Interoperability (in Windows, - the ID and name spaces are unique) and also - avoids creating a group for every user, - thus cluttering the group space. Also, for - NSS calls, every user is actually returned - as user's private group without having to - explicitly create the group, thus having the - same effect as User Private Groups - - - Default: FALSE* - - - *Magic Private Groups are always enabled when - provider=local and this setting does not - affect that in any way. For other providers, - Magic Private Groups default to FALSE - - - - enumerate (bool) -- cgit