Set idmap config for Samba to follow IPA ranges and use SSSD

Implicit idmap configuration in Samba was changed in Samba 4.7 to always
require range definition. A default ('*') idmap configuration lacks any
range and thus is marked by testparm utility as invalid one.

Since we do not expect Samba to allocate any IDs, the idmap configuration
needs to be set in such a way that it is correct from Samba's side and
effectively disables any allocation on those domains that we don't need
to handle.

Note that 'idmap config <domain> : range' parameter accepts range in a
special format with spaces 'begin - end', so we have to keep the
formatting of the range exact.

Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Alexander Bokovoy 2019-04-24 14:30:11 +03:00 committed by Rob Crittenden
parent dd58a705e5
commit 4ba888694b
2 changed files with 19 additions and 0 deletions


@ -28,3 +28,7 @@ rpc_server:netlogon = external
rpc_server:tcpip = yes
rpc_daemon:epmd = fork
rpc_daemon:lsasd = fork
idmap config * : backend = tdb
idmap config * : range = 0 - 0
idmap config $NETBIOS_NAME : backend = sss
idmap config $NETBIOS_NAME : range = $IPA_LOCAL_RANGE
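Review bot: The default-domain range on `idmap config * : range = 0 - 0` is meant to disable allocation, but nothing in the template says so, and the value sits exactly on uid/gid 0 — it is worth confirming against testparm and winbind that a zero-width range is treated as empty rather than as a valid one-ID range that could let the tdb backend hand out id 0 for an unknown SID. I would add a comment above the two `*` lines, e.g. `# default idmap domain: tdb with an empty range so Samba never allocates IDs itself; real mappings come from SSSD below`, assuming this template is parsed with smb.conf comment syntax. Since `$IPA_LOCAL_RANGE` must keep the exact `begin - end` spacing the description mentions, the Python generator should remain the only place that formats that value.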


@ -130,6 +130,15 @@ def map_Guests_to_nobody():
logger.debug("Map BUILTIN\\Guests to a group 'nobody'")
ipautil.run(args, env=env, raiseonerr=False, capture_error=True)
def get_idmap_range(realm):
idrange = api.Command.idrange_show('{}_id_range'.format(realm))['result']
range_start = int(idrange['ipabaseid'][0])
range_size = int(idrange['ipaidrangesize'][0])
range_fmt = '{} - {}'.format(range_start, range_start + range_size)
return range_fmt
class ADTRUSTInstance(service.Service):
ATTR_SID = "ipaNTSecurityIdentifier"
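Review bot: `get_idmap_range` appears to produce a range whose upper bound is one past the IPA range: `ipabaseid + ipaidrangesize` is the first ID outside the range, while Samba's `begin - end` syntax is, as far as I know, inclusive at both ends, so the format line should probably read `range_fmt = '{} - {}'.format(range_start, range_start + range_size - 1)` — worth confirming against the idmap_sss range check before merging, since an off-by-one here either rejects the top ID or lets Samba accept one ID outside the IPA range. The function also lacks a docstring; a one-liner such as `"""Return the local IPA ID range for REALM formatted as Samba's inclusive 'begin - end' idmap range."""` would record the format constraint the commit message describes. The `idrange_show` call on `'{}_id_range'.format(realm)` assumes the default range name, so a renamed range makes the lookup failure propagate out of the install step unhandled; that may be acceptable but deserves a comment. The class body that follows, and the second hunk of this file, continue past the end of the visible page.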
@ -838,12 +847,18 @@ class ADTRUSTInstance(service.Service):
)
api.Backend.ldap2.add_entry(entry)
def __retrieve_local_range(self):
"""Retrieves local IPA ID range to make sure
"""
self.sub_dict['IPA_LOCAL_RANGE'] = get_idmap_range(self.realm)
def create_instance(self):
self.step("validate server hostname",
self.__validate_server_hostname)
self.step("stopping smbd", self.__stop)
self.step("creating samba domain object", \
self.__create_samba_domain_object)
self.step("retrieve local idmap range", self.__retrieve_local_range)
self.step("creating samba config registry", self.__write_smb_registry)
self.step("writing samba config file", self.__write_smb_conf)
self.step("adding cifs Kerberos principal",