From bbcce1d9b2b5694fc5662d6d8f033dd38c3579f1 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Wed, 28 Nov 2012 14:23:33 +0100
Subject: [PATCH] Add option 'ad domain'

Add option 'ad domain' similar to 'nt domain'. Useful when authenticating against Netatalk on Solaris in case the OS is bound to Active Directory. Currently users have to type in their full AD name user@domain. Adding an option 'ad domain' would allows users to login giving just their usernames. Implements FR #66.
---
 NEWS | 1 +
 etc/afpd/uam.c | 34 ++++++++++++++++-----------------
 include/atalk/globals.h | 2 +-
 libatalk/util/netatalk_conf.c | 3 +++
 man/man5/afp.conf.5.tmpl | 36 ++++++++++++++++++++---------------
 5 files changed, 43 insertions(+), 33 deletions(-)

diff --git a/NEWS b/NEWS
index 725d1677..c9b6a6a6 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ Changes in 3.0.2
 ================
 * NEW: afpd: Put file extension type/creator mapping back in which had been removed in 3.0.
+* NEW: afpd: new option 'ad domain'. From FR #66.
 * UPD: ignore volumes with duplicated volumes paths.
 * FIX: volumes and home share with symlinks in the path
 * FIX: Copying packages to a Netatalk share could fail, bug #469
diff --git a/etc/afpd/uam.c b/etc/afpd/uam.c
index d99d381e..625cf6a5 100644
--- a/etc/afpd/uam.c
+++ b/etc/afpd/uam.c
@@ -31,6 +31,7 @@
 #include
 #include
 #include
+#include
 #include "afp_config.h"
 #include "auth.h"
@@ -209,25 +210,24 @@ struct passwd *uam_getname(void *private, char *name, const int len)
 return pwent;
 /* if we have a NT domain name try with it */
- if (obj->options.ntdomain && obj->options.ntseparator) {
+ if (obj->options.addomain || (obj->options.ntdomain && obj->options.ntseparator)) {
 /* FIXME What about charset ? */
- size_t ulen = strlen(obj->options.ntdomain) + strlen(obj->options.ntseparator) + strlen(name);
- if ((p = malloc(ulen +1))) {
- strcpy(p, obj->options.ntdomain);
- strcat(p, obj->options.ntseparator);
- strcat(p, name);
- pwent = getpwnam(p);
- free(p);
- if (pwent) {
- int len = strlen(pwent->pw_name);
- if (len < MAXUSERLEN) {
- strncpy(name,pwent->pw_name, MAXUSERLEN);
- }else{
- LOG(log_error, logtype_uams, "MAJOR:The name %s is longer than %d",pwent->pw_name,MAXUSERLEN);
- }
-
- return pwent;
+ bstring princ;
+ if (obj->options.addomain)
+ princ = bformat("%s@%s", name, obj->options.addomain);
+ else
+ princ = bformat("%s%s%s", obj->options.ntdomain, obj->options.ntseparator, name);
+ pwent = getpwnam(bdata(princ));
+ bdestroy(princ);
+
+ if (pwent) {
+ int len = strlen(pwent->pw_name);
+ if (len < MAXUSERLEN) {
+ strncpy(name,pwent->pw_name, MAXUSERLEN);
+ } else {
+ LOG(log_error, logtype_uams, "The name '%s' is longer than %d", pwent->pw_name, MAXUSERLEN);
 }
+ return pwent;
 }
 }
 #ifndef NO_REAL_USER_NAME
diff --git a/include/atalk/globals.h b/include/atalk/globals.h
index e50b0a7d..75d4041b 100644
--- a/include/atalk/globals.h
+++ b/include/atalk/globals.h
@@ -98,7 +98,7 @@ struct afp_options {
 gid_t admingid;
 int volnamelen;
 /* default value for winbind authentication */
- char *ntdomain, *ntseparator;
+ char *ntdomain, *ntseparator, *addomain;
 char *logconfig;
 char *logfile;
 char *mimicmodel;
diff --git a/libatalk/util/netatalk_conf.c b/libatalk/util/netatalk_conf.c
index 664fd3e5..12b76665 100644
--- a/libatalk/util/netatalk_conf.c
+++ b/libatalk/util/netatalk_conf.c
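Review bot: getpwnam() can be handed a NULL pointer on the new side: bformat() returns NULL when it cannot allocate, bdata() maps a NULL bstring to NULL, and the removed malloc() check that guarded this case has no replacement. Keeping the old skip-on-failure behaviour needs only `if (princ != NULL) pwent = getpwnam(bdata(princ));` in place of the unconditional call; bdestroy() tolerates NULL, so the next line can stay. Two pre-existing issues the hunk carries over into new lines: `int len = strlen(pwent->pw_name);` shadows the function's `len` parameter, and the strncpy() below bounds the copy by MAXUSERLEN rather than by that parameter, so a caller passing a shorter buffer would be overrun — whether any does I cannot tell from here. The comment `/* if we have a NT domain name try with it */` above the condition is now stale; `/* retry with the AD domain appended or the NT domain prepended */` matches the new branch. uam_getname() continues past both ends of the hunk.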
@@ -1669,6 +1669,7 @@ int afp_config_parse(AFPObj *AFPObj, char *processname)
 options->k5realm = iniparser_getstrdup(config, INISEC_GLOBAL, "k5 realm", NULL);
 options->listen = iniparser_getstrdup(config, INISEC_GLOBAL, "afp listen", NULL);
 options->ntdomain = iniparser_getstrdup(config, INISEC_GLOBAL, "nt domain", NULL);
+ options->addomain = iniparser_getstrdup(config, INISEC_GLOBAL, "ad domain", NULL);
 options->ntseparator = iniparser_getstrdup(config, INISEC_GLOBAL, "nt separator", NULL);
 options->mimicmodel = iniparser_getstrdup(config, INISEC_GLOBAL, "mimic model", NULL);
 options->adminauthuser = iniparser_getstrdup(config, INISEC_GLOBAL, "admin auth user",NULL);
@@ -1858,6 +1859,8 @@ void afp_config_free(AFPObj *obj)
 CONFIG_ARG_FREE(obj->options.listen);
 if (obj->options.ntdomain)
 CONFIG_ARG_FREE(obj->options.ntdomain);
+ if (obj->options.addomain)
+ CONFIG_ARG_FREE(obj->options.addomain);
 if (obj->options.ntseparator)
 CONFIG_ARG_FREE(obj->options.ntseparator);
 if (obj->options.mimicmodel)
diff --git a/man/man5/afp.conf.5.tmpl b/man/man5/afp.conf.5.tmpl
index f2fd8b47..e0ba2649 100644
--- a/man/man5/afp.conf.5.tmpl
+++ b/man/man5/afp.conf.5.tmpl
@@ -37,8 +37,8 @@ The file consists of sections and parameters\&. A section begins with the name o
 .RS 4
 .\}
 .nf
-\fIname\fR = \fIvalue \fR
-
+ \fIname\fR = \fIvalue \fR
+
 .fi
 .if n \{\
 .RE
@@ -53,7 +53,7 @@ Only the first equals sign in a parameter is significant\&. Whitespace before or
 Any line beginning with a semicolon (\(lq;\(rq) or a hash (\(lq#\(rq) character is ignored, as are lines containing only whitespace\&.
 .PP
 Any line ending in a
-\(lq\e\(rq
+\(lq \e \(rq
 is continued on the next line in the customary UNIX fashion\&.
 .PP
 The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 1/0 or true/false\&. Case is not significant in boolean values, but is preserved in string values\&. Some items such as create masks are numeric\&.
@@ -93,9 +93,8 @@ baz:
 .RS 4
 .\}
 .nf
-[baz]
-path = /foo/bar
-
+ [baz]
+ path = /foo/bar
 .fi
 .if n \{\
 .RE
@@ -124,9 +123,7 @@ The following example illustrates this\&. Given all user home directories are st
 .RS 4
 .\}
 .nf
-[Homes]
-path = afp\-data
-basedir regex = /home
+ [Homes] path = afp\-data basedir regex = /home
 .fi
 .if n \{\
@@ -232,6 +229,11 @@ prints dollar sign ($)
 .SH "EXPLANATION OF GLOBAL PARAMETERS"
 .SS "Authentication Options"
 .PP
+ad domain = \fIDOMAIN\fR \fB(G)\fR
+.RS 4
+Append @DOMAIN to username when authenticating\&. Useful in Active Directory environments that otherwise would require the user to enter the full user@domain string\&.
+.RE
+.PP
 admin auth user = \fIuser\fR \fB(G)\fR
 .RS 4
 Specifying eg "\fBadmin auth user = root\fR" whenever a normal user login fails, afpd will try to authenticate as the specified
@@ -567,9 +569,9 @@ Max length of UTF8\-MAC volume name for Mac OS X\&. Note that Hangul is especial
 .RS 4
 .\}
 .nf
-73: limit of Mac OS X 10\&.1
-80: limit of Mac OS X 10\&.4/10\&.5 (default)
-255: limit of recent Mac OS X
+ 73: limit of Mac OS X 10\&.1 80: limit of Mac
+ OS X 10\&.4/10\&.5 (default) 255: limit of recent Mac OS
+ X
 .fi
 .if n \{\
 .RE
@@ -697,6 +699,7 @@ sasl
 .RS 4
 SASL\&. Not yet supported !
 .RE
+.sp
 .RE
 .PP
 ldap auth dn = \fIdn\fR \fB(G)\fR
@@ -772,6 +775,7 @@ ms\-guid
 .RS 4
 Binary objectGUID from Active Directory
 .RE
+.sp
 .RE
 .PP
 ldap group attr = \fIdn\fR \fB(G)\fR
@@ -910,17 +914,19 @@ is for files only,
 is for directories only\&. Don\'t use with "\fBunix priv = no\fR"\&.
 .PP
 \fBExample.\ \&Volume for a collaborative workgroup\fR
+
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
-file perm = 0660
-directory perm = 0770
+file perm = 0660 directory perm =
+ 0770
 .fi
 .if n \{\
 .RE
 .\}
+.sp
 .RE
 .PP
@@ -1105,7 +1111,7 @@ The option will allow you to select another volume encoding\&. E\&.g\&. for western users another useful setting could be vol charset ISO\-8859\-15\&. \fBafpd\fR will accept any
-\fBiconv\fR(1)
+\fB iconv \fR(1)
 provided charset\&. If a character cannot be converted from the \fBmac charset\fR to the selected
-- 
2.39.2