author | Davy Defaud <davy.defaud@free.fr> | 2014-01-30 14:48:24 +0100 |
---|---|---|
committer | Arthur de Jong <arthur@arthurdejong.org> | 2014-01-31 21:27:07 +0100 |
commit | 4211961e35501ef89b2897dd1e633f2a983447a7 (patch) | |
tree | f1ce38beb11bc2e57376630dc7f807d32c1ec8b4 | |
parent | f6a067594d2527f0ce950c3117138df09413c007 (diff) |
Support builtin Windows groups
This maps the gid (gidNumber) to an AD SID for builtin groups when
searching a group by gid (RID) between 544 and 552. In that case the SID
prefix is not the domain's prefix (S-1-5-21-dddddd-dddddd-dddddd) but
the BUILTIN SID prefix (1-5-32).
For example, if you add a user to the Administrators builtin group
(S-1-5-32-544), now you should be able to get this group through nslcd,
instead of receiving an error message.
-rw-r--r-- | nslcd/group.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/nslcd/group.c b/nslcd/group.c
index ffaeb80..390e398 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -72,6 +72,11 @@ const char *attmap_group_member = "member";
 (these are already LDAP-escaped strings) */
 static char *gidSid = NULL;
+/* BUILTIN SID definitions */
+static char *builtinSid = NULL;
+const gid_t min_builtin_rid = 544;
+const gid_t max_builtin_rid = 552;
+
 /* default values for attributes */
 static const char *default_group_userPassword = "*"; /* unmatchable */
@@ -99,8 +104,15 @@ static int mkfilter_group_byname(const char *name,
 by gid, return -1 on errors */
 static int mkfilter_group_bygid(gid_t gid, char *buffer, size_t buflen)
 {
+ /* if searching for a Windows domain SID */
 if (gidSid != NULL)
 {
+ /* the given gid is a BUILTIN gid, the SID prefix is not the domain SID */
+ if ((gid >= min_builtin_rid) && (gid <= max_builtin_rid))
+ return mysnprintf(buffer, buflen, "(&%s(%s=%s\\%02x\\%02x\\%02x\\%02x))",
+ group_filter, attmap_group_gidNumber, builtinSid,
+ (int)(gid & 0xff), (int)((gid >> 8) & 0xff),
+ (int)((gid >> 16) & 0xff), (int)((gid >> 24) & 0xff));
 return mysnprintf(buffer, buflen, "(&%s(%s=%s\\%02x\\%02x\\%02x\\%02x))",
 group_filter, attmap_group_gidNumber, gidSid,
 (int)(gid & 0xff), (int)((gid >> 8) & 0xff),
@@ -168,6 +180,7 @@ void group_init(void)
 if (strncasecmp(attmap_group_gidNumber, "objectSid:", 10) == 0)
 {
 gidSid = sid2search(attmap_group_gidNumber + 10);
+ builtinSid = sid2search("S-1-5-32");
 attmap_group_gidNumber = strndup(attmap_group_gidNumber, 9);
 }
 /* set up attribute list */ |
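Review bot: `min_builtin_rid` and `max_builtin_rid` are declared without `static` in the first hunk, so unlike `gidSid` and `builtinSid` beside them they get external linkage and can clash with symbols in other translation units; `static const gid_t min_builtin_rid = 544;` and `static const gid_t max_builtin_rid = 552;` would keep them file-local. A comment such as `/* RIDs of the BUILTIN aliases searched under S-1-5-32 (544 = Administrators); RIDs outside this range are still searched under the domain SID */` would document the limit of the mapping. That limit matters because BUILTIN also holds aliases above 552 (for example Remote Desktop Users, 555), which this range does not cover.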
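Review bot: The new BUILTIN branch in mkfilter_group_bygid formats `builtinSid` with `%s` although the enclosing test only establishes `gidSid != NULL`; if the `sid2search("S-1-5-32")` call added to group_init in the third hunk can return NULL (its failure behaviour is not visible here), a null pointer reaches the formatter. Guarding the branch with `if ((builtinSid != NULL) && (gid >= min_builtin_rid) && (gid <= max_builtin_rid))` falls back to the domain-prefix filter instead. The two `mysnprintf` calls differ only in the prefix argument, so selecting the prefix into a local `const char *` and keeping a single call would stop the two filter strings from drifting apart. Because gids 544–552 now resolve to BUILTIN groups such as Administrators, the documentation should warn that local groups, sudo rules or ACLs keyed to those numeric gids will pick up directory membership. The body of mkfilter_group_bygid continues past the end of the hunk.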