mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 08:00:02 -06:00
e6f8d8bc9b
ipasam already implemented retrieval of groups for MS-SAMR calls. However, it did not have implementation of a group retrieval for the path of lookup_name() function in Samba. The lookup_name() is used in many places in smbd and winbindd. With this change it will be possible to resolve IPA groups in Windows UI (Security tab) and console (net localgroup ...). When Global Catalog service is enabled, it will be possible to search for those groups as well. In Active Directory, security groups can be domain, domain local, local and so on. In IPA, only domain groups exposed through ipasam because SID generation plugin only supports adding SIDs to POSIX groups and users. Thus, non-POSIX groups are not going to have SIDs associated and will not be visible in both UNIX and Windows environments. Group retrieval in Samba is implemented as a mapping between NT and POSIX groups. IPA doesn't have explicit mapping tables. Instead, any POSIX group in IPA that has a SID associated with it is considered a domain group for Samba. Finally, additional ACI is required to ensure attributes looked up by ipasam are always readable by the trust agents. Fixes: https://pagure.io/freeipa/issue/8660 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> |
||
---|---|---|
.. | ||
05-pre_upgrade_plugins.update | ||
10-config.update | ||
10-db-locks.update | ||
10-enable-betxn.update | ||
10-ipapwd.update | ||
10-rootdse.update | ||
10-selinuxusermap.update | ||
10-uniqueness.update | ||
19-managed-entries.update | ||
20-aci.update | ||
20-autobind.update | ||
20-default_password_policy.update | ||
20-dna.update | ||
20-enable_dirsrv_plugins.update | ||
20-host_nis_groups.update | ||
20-indices.update | ||
20-ipaservers_hostgroup.update | ||
20-nss_ldap.update | ||
20-replication.update | ||
20-sslciphers.update | ||
20-syncrepl.update | ||
20-user_private_groups.update | ||
20-uuid.update | ||
20-whoami.update | ||
21-ca_renewal_container.update | ||
21-certstore_container.update | ||
21-replicas_container.update | ||
25-referint.update | ||
30-ipservices.update | ||
30-provisioning.update | ||
30-s4u2proxy.update | ||
37-locations.update | ||
40-automember.update | ||
40-certprofile.update | ||
40-delegation.update | ||
40-dns.update | ||
40-otp.update | ||
40-realm_domains.update | ||
40-replication.update | ||
40-vault.update | ||
41-caacl.update | ||
41-lightweight-cas.update | ||
45-roles.update | ||
50-7_bit_check.update | ||
50-dogtag10-migration.update | ||
50-groupuuid.update | ||
50-hbacservice.update | ||
50-ipaconfig.update | ||
50-krbenctypes.update | ||
50-nis.update | ||
55-pbacmemberof.update | ||
59-trusts-sysacount.update | ||
60-trusts.update | ||
61-trusts-s4u2proxy.update | ||
62-ranges.update | ||
71-idviews-sasl-mapping.update | ||
71-idviews.update | ||
72-domainlevels.update | ||
73-certmap.update | ||
73-custodia.update | ||
73-winsync.update | ||
75-user-trust-attributes.update | ||
80-schema_compat.update | ||
81-externalmembers.update | ||
90-post_upgrade_plugins.update | ||
Makefile.am | ||
README |
The update files are sorted before being processed because there are cases where order matters (such as getting schema added first, creating parent entries, etc). Updates are applied in blocks of ten so that any entries that are dependant on another can be added successfully without having to rely on the length of the DN to get the sorting correct. The file names should use the format #-<description>.update where # conforms to this: 10 - 19: Configuration 20 - 29: 389-ds configuration, new indices 30 - 39: Structual elements of the DIT 40 - 49: Pre-loaded data 50 - 59: Cleanup existing data 60 - 69: AD Trust 70 - 79: Reserved 80 - 89: Reserved These numbers aren't absolute, there may be reasons to put an update into one place or another, but by adhereing to the scheme it will be easier to find existing updates and know where to put new ones.