[SSSD] [sssd PR#228][comment] test_ldap.py: Add test for filter_{users,group}

2017-04-24 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/228
Title: #228: test_ldap.py: Add test for filter_{users,group}

fidencio commented:
"""
Okay, I've removed the label rejected but I do believe my comment was quite 
clear about having this patch as part of another PR.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/228#issuecomment-296919598
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#228][-Rejected] test_ldap.py: Add test for filter_{users,group}

2017-04-24 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/228
Title: #228: test_ldap.py: Add test for filter_{users,group}

Label: -Rejected


[SSSD] [sssd PR#228][comment] test_ldap.py: Add test for filter_{users,group}

2017-04-24 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/228
Title: #228: test_ldap.py: Add test for filter_{users,group}

lslebodn commented:
"""
This patch was not rejected, so the label should be removed. Other users might be 
really confused.
We should either not include patches in a different PR or use better labels when 
closing a PR.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/228#issuecomment-296823556


[SSSD] [sssd PR#234][comment] HBAC: Use memberof ASQ search instead of originalMemberOf

2017-04-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/234
Title: #234: HBAC: Use memberof ASQ search instead of originalMemberOf

jhrozek commented:
"""
Done. I'm sorry it took so long.

The downstream tests all passed for me. Unfortunately, I can't provide a job ID 
for those tests, because I had to run them more or less manually, otherwise 
they wouldn't pass (I think this can be caused by the tests being faster than 
`ipa_hbac_refresh` and I asked the developer of those tests to take a look)
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/234#issuecomment-296798223


[SSSD] [sssd PR#234][synchronized] HBAC: Use memberof ASQ search instead of originalMemberOf

2017-04-24 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/234
Author: jhrozek
 Title: #234: HBAC: Use memberof ASQ search instead of originalMemberOf
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/234/head:pr234
git checkout pr234
From d4aa2dfa38515f084f16e20ad8d2b007dae1ff8d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Sun, 9 Apr 2017 20:50:47 +0200
Subject: [PATCH] HBAC: Do not rely on originalMemberOf, use the sysdb memberof
 links instead

The IPA HBAC code used to read the group members from the
originalMemberOf attribute value for performance reasons. However,
especially on IPA clients trusting an AD domain, the originalMemberOf
attribute value is often not synchronized correctly.

Instead of going through the work of maintaining both member/memberOf
and originalMemberOf, let's just do an ASQ search for the group names of
the groups the user is a member of in the cache and read their
SYSDB_NAME attribute.

To avoid clashing between similarly-named groups in IPA and in AD, we
look at the container of the group.

Resolves:
https://pagure.io/SSSD/sssd/issue/3382
---
 src/providers/ipa/ipa_hbac_common.c | 111 +++-
 1 file changed, 83 insertions(+), 28 deletions(-)

diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index b99b75d..6efff3e 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -507,15 +507,18 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx,
struct hbac_request_element **user_element)
 {
 errno_t ret;
-unsigned int i;
 unsigned int num_groups = 0;
 TALLOC_CTX *tmp_ctx;
-const char *member_dn;
 struct hbac_request_element *users;
 struct ldb_message *msg;
-struct ldb_message_element *el;
-const char *attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
+const char *attrs[] = { SYSDB_NAME, NULL };
 char *shortname;
+struct ldb_message **members;
+size_t m_count;
+const char *fqgroupname;
+struct sss_domain_info *ipa_domain;
+struct ldb_dn *ipa_groups_basedn;
+struct ldb_dn *member_group_container;
 
 tmp_ctx = talloc_new(mem_ctx);
 if (tmp_ctx == NULL) return ENOMEM;
@@ -533,12 +536,21 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx,
 }
 users->name = talloc_steal(users, shortname);
 
-/* Read the originalMemberOf attribute
- * This will give us the list of both POSIX and
- * non-POSIX groups that this user belongs to.
- */
+ipa_domain = get_domains_head(domain);
+if (ipa_domain == NULL) {
+ret = EINVAL;
+goto done;
+}
+
+ipa_groups_basedn = ldb_dn_new_fmt(tmp_ctx, sysdb_ctx_get_ldb(domain->sysdb),
+SYSDB_TMPL_GROUP_BASE, ipa_domain->name);
+if (ipa_groups_basedn == NULL) {
+ret = ENOMEM;
+goto done;
+}
+
 ret = sysdb_search_user_by_name(tmp_ctx, domain, username,
-attrs, );
+NULL, );
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
   "Could not determine user memberships for [%s]\n",
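Review bot: the error text "Could not determine user memberships for [%s]\n" is stale after this change: `sysdb_search_user_by_name()` now only fetches the user entry (the memberships come from the ASQ search below), so a failure here means the user itself could not be looked up; reword to something like "Could not look up user [%s]\n". Also, only `msg->dn` is needed from this call, so requesting the default attribute set with `NULL` fetches more than necessary; a list such as `{ SYSDB_NAME, NULL }` keeps the lookup minimal.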
@@ -546,43 +558,86 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
-el = ldb_msg_find_element(msg, SYSDB_ORIG_MEMBEROF);
-if (el == NULL || el->num_values == 0) {
+/*
+ * Get the name attribute of all groups pointed to by the memberof
+ * attribute. This includes both POSIX and non-POSIX groups.
+ */
+ret = sysdb_asq_search(tmp_ctx, domain, msg->dn,
+   "("SYSDB_OBJECTCLASS"="SYSDB_GROUP_CLASS")",
+   SYSDB_MEMBEROF,
+   attrs,
+   _count, );
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+  "sysdb_asq_search failed [%d]: %s\n", ret, sss_strerror(ret));
+goto done;
+}
+
+if (m_count == 0) {
 DEBUG(SSSDBG_TRACE_LIBS, "No groups for [%s]\n", users->name);
 ret = create_empty_grouplist(users);
 goto done;
 }
-DEBUG(SSSDBG_TRACE_LIBS,
-  "[%d] groups for [%s]\n", el->num_values, users->name);
+DEBUG(SSSDBG_TRACE_LIBS, "[%zu] groups for [%s]\n", m_count, username);
 
-users->groups = talloc_array(users, const char *, el->num_values + 1);
+users->groups = talloc_array(users, const char *, m_count + 1);
 if (users->groups == NULL) {
 ret = ENOMEM;
 goto done;
 }
 
-for (i = 0; i < el->num_values; i++) {
-member_dn = (const char *)el->values[i].data;
+for (size_t i = 0; i < m_count; i++) {
+fqgroupname = ldb_msg_find_attr_as_string(members[i], SYSDB_NAME, NULL);
+if (fqgroupname == NULL) {
+DEBUG(SSSDBG_MINOR_FAILURE,
+  "Skipping malformed entry [%s]\n",
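Review bot: `users->groups` is allocated with `m_count + 1` slots, but entries can be skipped ("Skipping malformed entry"), so the array must be filled through a separate counter (`num_groups`, still declared at the top of the function) and NULL-terminated at that counter, not at `m_count`; the rest of the loop is cut off in this mail, so that cannot be verified here. Minor: the "[%zu] groups for [%s]" message prints `username` while the "No groups for [%s]" message just above prints `users->name`; use the same name in both.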
+  

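A model of the group lookup the commit message above describes, written in Python like SSSD's own test_ldap.py; this is an added example, not SSSD code. It emulates the sysdb cache as a dict of DN to attributes and `sysdb_asq_search()` as "follow the user's memberOf links, keep the entries with objectClass=group, return their name". The container test from the commit message is done on the parent of each group DN against the IPA domain's group base. The DN layout, the `cn=groups,cn=<domain>,cn=sysdb` template, the name@domain form of SYSDB_NAME values, the user and group names and the stale originalMemberOf value are all constructed for the example; the legacy function shows the failure mode the patch removes, an originalMemberOf on a user from a trusted AD domain that was never kept in sync.

```python
"""Emulation of the HBAC user-group lookup: memberOf links vs originalMemberOf.

Everything here is constructed for the example; it is not SSSD code.
"""

def group_base_dn(domain_name):
    # Assumed to mirror SYSDB_TMPL_GROUP_BASE; the real template is not on this page.
    return f"cn=groups,cn={domain_name},cn=sysdb"

def dn_parent(dn):
    # Constructed sysdb DNs: comma-separated RDNs with no escaped commas.
    return dn.split(",", 1)[1]

def short_name(internal_fqname):
    # SYSDB_NAME values are taken to be internal fully-qualified names "name@domain".
    return internal_fqname.split("@", 1)[0]

def asq_search(cache, base_dn, link_attr, objectclass, attrs):
    """Emulate sysdb_asq_search(): follow base_dn's link_attr values and return
    (dn, requested attrs) for each linked entry whose objectClass matches.
    Dangling links (DNs missing from the cache) are dropped."""
    results = []
    for target_dn in cache[base_dn].get(link_attr, []):
        target = cache.get(target_dn)
        if target is None or objectclass not in target.get("objectClass", []):
            continue
        results.append((target_dn, {a: target.get(a) for a in attrs}))
    return results

def hbac_user_groups(cache, user_dn, ipa_domain):
    """Post-patch logic: groups come from the cache's memberOf links.

    Returns (ipa_group_short_names, other_group_fqnames). Only groups stored
    under the IPA domain's group container count for HBAC; a same-named group
    from a trusted AD domain lives under another container and is kept apart.
    """
    ipa_base = group_base_dn(ipa_domain)
    ipa_groups, other_groups = [], []
    for dn, attrs in asq_search(cache, user_dn, "memberOf", "group", ["name"]):
        fqname = attrs["name"]
        if fqname is None:
            continue  # malformed entry without a name attribute: skipped
        if dn_parent(dn) == ipa_base:
            ipa_groups.append(short_name(fqname))
        else:
            other_groups.append(fqname)
    return sorted(ipa_groups), sorted(other_groups)

def hbac_user_groups_legacy(cache, user_dn):
    """Pre-patch logic: take the RDN value of each originalMemberOf DN.
    Correct only as long as originalMemberOf was kept in sync."""
    names = []
    for orig_dn in cache[user_dn].get("originalMemberOf", []):
        rdn = orig_dn.split(",", 1)[0]          # e.g. "cn=admins"
        names.append(rdn.split("=", 1)[1])
    return sorted(names)

# --- constructed cache -------------------------------------------------------
IPA_DOMAIN = "ipa.test"
AD_SUB = "ad.test"  # trusted AD domain, stored as a subdomain of the IPA domain
IPA_GROUPS = group_base_dn(IPA_DOMAIN)
AD_GROUPS = f"cn=groups,cn={AD_SUB},cn={IPA_DOMAIN},cn=sysdb"
BOB_DN = f"name=bob@{AD_SUB},cn=users,cn={AD_SUB},cn={IPA_DOMAIN},cn=sysdb"

CACHE = {
    BOB_DN: {
        "objectClass": ["user"],
        "name": f"bob@{AD_SUB}",
        "memberOf": [
            f"name=admins@{AD_SUB},{AD_GROUPS}",             # AD group named "admins"
            f"name=admins@{IPA_DOMAIN},{IPA_GROUPS}",        # IPA group named "admins"
            f"name=ad_users_ext@{IPA_DOMAIN},{IPA_GROUPS}",  # IPA external group
            f"name=broken@{IPA_DOMAIN},{IPA_GROUPS}",        # group entry without name
            f"name=gone@{IPA_DOMAIN},{IPA_GROUPS}",          # dangling link
        ],
        # Stale on purpose: the ad_users_ext membership was never written here.
        "originalMemberOf": ["cn=admins,cn=groups,cn=accounts,dc=ipa,dc=test"],
    },
    f"name=admins@{AD_SUB},{AD_GROUPS}": {"objectClass": ["group"], "name": f"admins@{AD_SUB}"},
    f"name=admins@{IPA_DOMAIN},{IPA_GROUPS}": {"objectClass": ["group"], "name": f"admins@{IPA_DOMAIN}"},
    f"name=ad_users_ext@{IPA_DOMAIN},{IPA_GROUPS}": {"objectClass": ["group"],
                                                     "name": f"ad_users_ext@{IPA_DOMAIN}"},
    f"name=broken@{IPA_DOMAIN},{IPA_GROUPS}": {"objectClass": ["group"]},
}

if __name__ == "__main__":
    print("memberOf links:   ", hbac_user_groups(CACHE, BOB_DN, IPA_DOMAIN))
    print("originalMemberOf: ", hbac_user_groups_legacy(CACHE, BOB_DN))
```

Running it shows the legacy path returning only `admins` (and with no way to tell the IPA `admins` from the AD `admins`), while the memberOf walk returns both IPA groups, keeps the AD group apart by its container, and tolerates the dangling and nameless entries.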
[SSSD] [sssd PR#234][-Changes requested] HBAC: Use memberof ASQ search instead of originalMemberOf

2017-04-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/234
Title: #234: HBAC: Use memberof ASQ search instead of originalMemberOf

Label: -Changes requested


[SSSD] [sssd PR#235][-Changes requested] Allow using the "shortnames" feature without requiring any configuration from the client side

2017-04-24 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/235
Title: #235: Allow using the "shortnames" feature without requiring any 
configuration from the client side

Label: -Changes requested


[SSSD] [sssd PR#235][comment] Allow using the "shortnames" feature without requiring any configuration from the client side

2017-04-24 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/235
Title: #235: Allow using the "shortnames" feature without requiring any 
configuration from the client side

fidencio commented:
"""
Patch set updated according to @pbrezina's comments.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/235#issuecomment-296793840


[SSSD] [sssd PR#235][synchronized] Allow using the "shortnames" feature without requiring any configuration from the client side

2017-04-24 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/235
Author: fidencio
 Title: #235: Allow using the "shortnames" feature without requiring any 
configuration from the client side
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/235/head:pr235
git checkout pr235
From 694e1ab706e82141487aeb3f08ab53bef399227b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Wed, 12 Apr 2017 10:43:25 +0200
Subject: [PATCH 1/5] RESPONDER: Fallback to global domain resolution order in
 case the view doesn't have this option set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The current code has been ignoring the domain resolution order set
globally on IPA in case there's a view but it doesn't have any domain
resolution order set.

It happens because we haven't been checking whether the view attribute
exists, so we ended up populating the cache_req domains' list assuming
that no order had been set instead of falling back to the next preferred
method.

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio
---
 src/responder/common/cache_req/cache_req_domain.c |  14 ++-
 src/responder/common/cache_req/cache_req_domain.h |   5 +-
 src/responder/common/responder_common.c   | 108 +-
 3 files changed, 74 insertions(+), 53 deletions(-)

diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
index bbabd69..86a88ef 100644
--- a/src/responder/common/cache_req/cache_req_domain.c
+++ b/src/responder/common/cache_req/cache_req_domain.c
@@ -120,20 +120,21 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
 return cr_domains;
 }
 
-struct cache_req_domain *
+errno_t
 cache_req_domain_new_list_from_domain_resolution_order(
 TALLOC_CTX *mem_ctx,
 struct sss_domain_info *domains,
-const char *domain_resolution_order)
+const char *domain_resolution_order,
+struct cache_req_domain **_cr_domains)
 {
 TALLOC_CTX *tmp_ctx;
-struct cache_req_domain *cr_domains = NULL;
+struct cache_req_domain *cr_domains;
 char **list = NULL;
 errno_t ret;
 
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
-return NULL;
+return ENOMEM;
 }
 
 if (domain_resolution_order != NULL) {
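Review bot: with the old signature a NULL return meant both "allocation failed" and "nothing to build", which is exactly the ambiguity the commit message blames for ignoring the global order. Now that the function returns an errno_t, make the contract explicit in its comment: what `*_cr_domains` contains when `domain_resolution_order` is NULL (a list built without an order, or untouched), so the callers can implement the fallback without guessing.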
@@ -160,7 +161,10 @@ cache_req_domain_new_list_from_domain_resolution_order(
 goto done;
 }
 
+*_cr_domains = cr_domains;
+ret = EOK;
+
 done:
 talloc_free(tmp_ctx);
-return cr_domains;
+return ret;
 }
diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h
index 41c50e8..87e 100644
--- a/src/responder/common/cache_req/cache_req_domain.h
+++ b/src/responder/common/cache_req/cache_req_domain.h
@@ -34,11 +34,12 @@ struct cache_req_domain *
 cache_req_domain_get_domain_by_name(struct cache_req_domain *domains,
 const char *name);
 
-struct cache_req_domain *
+errno_t
 cache_req_domain_new_list_from_domain_resolution_order(
 TALLOC_CTX *mem_ctx,
 struct sss_domain_info *domains,
-const char *domain_resolution_order);
+const char *domain_resolution_order,
+struct cache_req_domain **_cr_domains);
 
 void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains);
 
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index ac6320b..62b71b5 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -1486,10 +1486,11 @@ errno_t responder_setup_idle_timeout_config(struct resp_ctx *rctx)
 }
 
 /* == Helper functions for the domain resolution order === */
-static struct cache_req_domain *
+static errno_t
 sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx,
  struct sss_domain_info *domains,
- struct sysdb_ctx *sysdb)
+ struct sysdb_ctx *sysdb,
+ struct cache_req_domain **_cr_domains)
 {
 TALLOC_CTX *tmp_ctx;
 struct cache_req_domain *cr_domains = NULL;
@@ -1498,7 +1499,7 @@ sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx,
 
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
-return NULL;
+return ENOMEM;
 }
 
 ret = sysdb_get_view_domain_resolution_order(tmp_ctx, sysdb,
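Review bot: the hunk stops right after `sysdb_get_view_domain_resolution_order()`; the case this series fixes (a view exists but carries no domain resolution order attribute) has to be reported to the caller distinctly from both an error and "order found", otherwise `responder_common.c` cannot fall through to the global order. With the former NULL-return API that case was indistinguishable from ENOMEM, so the errno_t conversion is the right tool; make sure the "attribute absent" outcome gets its own return value.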
@@ -1510,12 

[SSSD] [sssd PR#228][+Rejected] test_ldap.py: Add test for filter_{users,group}

2017-04-24 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/228
Title: #228: test_ldap.py: Add test for filter_{users,group}

Label: +Rejected


[SSSD] [sssd PR#228][closed] test_ldap.py: Add test for filter_{users,group}

2017-04-24 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/228
Author: lslebodn
 Title: #228: test_ldap.py: Add test for filter_{users,group}
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/228/head:pr228
git checkout pr228


[SSSD] [sssd PR#228][comment] test_ldap.py: Add test for filter_{users,group}

2017-04-24 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/228
Title: #228: test_ldap.py: Add test for filter_{users,group}

fidencio commented:
"""
Closing this PR as the very same patch is part of PR #246
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/228#issuecomment-296789919


[SSSD] [sssd PR#246][opened] filter_users and filter_groups stop working properly in v 1.15

2017-04-24 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/246
Author: fidencio
 Title: #246: filter_users and filter_groups stop working properly in v 1.15
Action: opened

PR body:
"""
This patchset fixes the issue reported on https://pagure.io/SSSD/sssd/issue/3362.

@pbrezina suggested to do the changes in a new cache_req module, but I'm really 
not sure whether we want to have NSS specific code (like nss_get_pwent() and 
nss_get_grent() calls) there.

For now I'm leaving this as it was before the nss/cache_req refactoring.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/246/head:pr246
git checkout pr246
From 5870f184220fcf2f46ca0b96caacab83bc3612fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Mon, 24 Apr 2017 12:11:46 +0200
Subject: [PATCH 1/4] NSS: Use fqnames when performing a ncache check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The names stored in the negative cache are fully qualified, so we have
to use fully qualified names when checking whether a user/group is part
of negative cache or not.

This regression was introduced by commit 4049b63.

Related:
https://pagure.io/SSSD/sssd/issue/3362

Signed-off-by: Fabiano Fidêncio
---
 src/responder/nss/nss_protocol_grent.c | 12 +++-
 src/responder/nss/nss_protocol_pwent.c | 12 +++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index fae1d47..6f6ad9e 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -205,6 +205,7 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx,
 uint32_t num_results;
 uint32_t num_members;
 char *members;
+char *fqname;
 size_t members_size;
 size_t rp;
 size_t rp_members;
@@ -243,8 +244,17 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx,
 
 /* Check negative cache during enumeration. */
 if (cmd_ctx->enumeration) {
+fqname = sss_create_internal_fqname(tmp_ctx, name->str,
+result->domain->name);
+if (fqname == NULL) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "sss_create_internal_fqname() failed\n");
+ret = ENOMEM;
+goto done;
+}
+
 ret = sss_ncache_check_group(nss_ctx->rctx->ncache,
- result->domain, name->str);
+ result->domain, fqname);
 if (ret == EEXIST) {
 DEBUG(SSSDBG_TRACE_FUNC,
   "User [%s] filtered out! (negative cache)\n",
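Review bot: the message "User [%s] filtered out! (negative cache)\n" sits in `nss_protocol_fill_grent()` and is reached after `sss_ncache_check_group()`, so it should say Group, not User. The fix itself is right: the negative cache is keyed by internal fully-qualified names, so checking `name->str` (the short name) could never match and `filter_groups` was silently bypassed during enumeration; that fail-open behaviour is why this change deserves a regression test next to it.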
diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
index edda9d3..e781352 100644
--- a/src/responder/nss/nss_protocol_pwent.c
+++ b/src/responder/nss/nss_protocol_pwent.c
@@ -273,6 +273,7 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx,
 struct sized_string gecos;
 struct sized_string homedir;
 struct sized_string shell;
+char *fqname;
 uint32_t gid;
 uint32_t uid;
 uint32_t num_results;
@@ -311,8 +312,17 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx,
 
 /* Check negative cache during enumeration. */
 if (cmd_ctx->enumeration) {
+fqname = sss_create_internal_fqname(tmp_ctx, name->str,
+result->domain->name);
+if (fqname == NULL) {
+DEBUG(SSSDBG_OP_FAILURE,
+  "sss_create_internal_fqname() failed\n");
+ret = ENOMEM;
+goto done;
+}
+
 ret = sss_ncache_check_user(nss_ctx->rctx->ncache,
-result->domain, name->str);
+result->domain, fqname);
 if (ret == EEXIST) {
 DEBUG(SSSDBG_TRACE_FUNC,
   "User [%s] filtered out! (negative cache)\n", name->str);
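Review bot: this hunk is a copy of the grent one; move the `sss_create_internal_fqname()` call plus the ncache check into a small helper in nss_protocol.h (patch 2/4 already touches that header) so the user and group enumeration paths cannot drift apart again. Also confirm that `tmp_ctx` here is per entry rather than per request; otherwise one `fqname` is allocated for every enumerated user and only freed when the whole enumeration finishes.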

From 38036e7cbdc0661a45dd028247be35eb2315b31c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Mon, 24 Apr 2017 14:43:01 +0200
Subject: [PATCH 2/4] NSS: Check the ncache when filling pwent from id lookup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It's needed when looking up a user by its id and the id is not part
of the negative cache, but the user is.

Unfortunately it can't be done on the cache_req level because there we do
not know which user is the owner of the searched UID.

This regression was introduced by commit 4049b63.

Related:
https://pagure.io/SSSD/sssd/issue/3362

Signed-off-by: Fabiano Fidêncio
---
 src/responder/nss/nss_cmd.c|  6 +++---
 src/responder/nss/nss_protocol.h   | 14 ++
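A constructed model of the two negative-cache checks this PR restores, in Python as SSSD's own test suite is; added example, not SSSD code. The cache is keyed by fully-qualified internal names (the commit messages say this is how the responder stores them), so the pre-fix enumeration path, which checked the short name, never found a filtered user and let it through to `getpwent()`; the second patch's case is the id lookup, where the uid is not in the negative cache but its owner is. SSSD's default `filter_users` is `root`, which makes the constructed directory content below (a remote `root` with uid 0) the realistic case: `filter_users` exists so the directory cannot override local accounts. The `name@domain` form of the fqname, the TTL value, the method names and the sample users are assumptions of the example.

```python
"""Negative-cache lookups in the NSS responder: key normalisation and id lookups.

Constructed model, not SSSD code. Names, domain and uids are made up.
"""
import time

_MISSING = object()

def internal_fqname(name, domain):
    """What sss_create_internal_fqname() is taken to produce: name@domain."""
    return f"{name}@{domain}"

class NegativeCache:
    """Keyed by fully-qualified user names and by numeric ids.

    filter_users entries are permanent; ordinary misses expire after ttl seconds.
    """
    def __init__(self, ttl=15, now=time.monotonic):
        self.ttl = ttl
        self.now = now
        self._users = {}
        self._uids = {}

    def _set(self, table, key, permanent):
        table[key] = None if permanent else self.now() + self.ttl

    def _check(self, table, key):
        expiry = table.get(key, _MISSING)
        if expiry is _MISSING:
            return False
        if expiry is not None and expiry <= self.now():
            del table[key]          # expired entry, drop it
            return False
        return True

    def set_user(self, fqname, permanent=False):
        self._set(self._users, fqname, permanent)

    def set_uid(self, uid, permanent=False):
        self._set(self._uids, uid, permanent)

    def check_user(self, fqname):
        return self._check(self._users, fqname)

    def check_uid(self, uid):
        return self._check(self._uids, uid)

def ncache_from_filter_users(filter_users, domain, **kw):
    """filter_users is stored as permanent ncache entries, keyed by fqname."""
    nc = NegativeCache(**kw)
    for name in filter_users:
        nc.set_user(internal_fqname(name, domain), permanent=True)
    return nc

def enumerate_users(results, ncache, use_fqname):
    """Model of nss_protocol_fill_pwent() during enumeration.

    use_fqname=False reproduces the regression: the ncache holds fqnames, the
    short name never matches, and filtered users leak into getpwent() output.
    """
    out = []
    for name, uid, domain in results:
        key = internal_fqname(name, domain) if use_fqname else name
        if ncache.check_user(key):
            continue                # "filtered out! (negative cache)"
        out.append((name, uid))
    return out

def lookup_by_uid(uid, results, ncache, check_owner_name):
    """Model of the id lookup from patch 2/4.

    The uid itself may be absent from the ncache while its owner is present
    (filter_users=root but uid 0 was never looked up); check_owner_name=True
    applies the fix and checks the owner's fqname once the uid is resolved.
    """
    if ncache.check_uid(uid):
        return None
    for name, this_uid, domain in results:
        if this_uid == uid:
            if check_owner_name and ncache.check_user(internal_fqname(name, domain)):
                return None         # owner is filtered: behave as if the uid is unknown
            return (name, uid)
    ncache.set_uid(uid)             # remember the miss for ttl seconds
    return None

# Constructed directory content: a remote "root" with uid 0 that filter_users must hide.
DOMAIN = "ipa.test"
DIRECTORY_USERS = [("root", 0, DOMAIN), ("alice", 10001, DOMAIN), ("svc-backup", 10002, DOMAIN)]

if __name__ == "__main__":
    nc = ncache_from_filter_users(["root"], DOMAIN)
    print("enumeration, short-name check:", enumerate_users(DIRECTORY_USERS, nc, False))
    print("enumeration, fqname check:    ", enumerate_users(DIRECTORY_USERS, nc, True))
    print("getpwuid(0) without owner check:", lookup_by_uid(0, DIRECTORY_USERS, nc, False))
    print("getpwuid(0) with owner check:   ", lookup_by_uid(0, DIRECTORY_USERS, nc, True))
```

The first two lines of output show the deny-list being bypassed by a key mismatch between writer and reader, and the last two show why the uid path needs its own check even when the name path is fixed: the uid lookup succeeds, so the responder has to ask the ncache about the name it just resolved.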
 

[SSSD] [sssd PR#245][opened] ad: handle forest root not listed in ad_enabled_domains

2017-04-24 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/245
Author: sumit-bose
 Title: #245: ad: handle forest root not listed in ad_enabled_domains
Action: opened

PR body:
"""
Although users and groups from the forest root should be ignored, SSSD will
still try to get information about the forest topology from a DC from the
forest root. So even if the forest root domain is disabled we should make
sure it is usable for those searches.

Resolves https://pagure.io/SSSD/sssd/issue/3361
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/245/head:pr245
git checkout pr245
From 9d8d34e2f7e611771777a4ef1cd732a8ac3ba92a Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 4 Apr 2017 14:35:47 +0200
Subject: [PATCH 1/2] utils: add sss_domain_is_forest_root()

Related to https://pagure.io/SSSD/sssd/issue/3361
---
 src/util/domain_info_utils.c | 5 +
 src/util/util.h  | 1 +
 2 files changed, 6 insertions(+)

diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 2af7852..541058a 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -844,6 +844,11 @@ void sss_domain_set_state(struct sss_domain_info *dom,
   "Domain %s is %s\n", dom->name, domain_state_str(dom));
 }
 
+bool sss_domain_is_forest_root(struct sss_domain_info *dom)
+{
+return (dom->forest_root == dom);
+}
+
 bool is_email_from_domain(const char *email, struct sss_domain_info *dom)
 {
 const char *p;
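Review bot: `sss_domain_is_forest_root()` dereferences `dom` unconditionally and relies on `forest_root` being set; for a domain that is not part of an AD forest the comparison yields false, which is the right answer, but say so in a comment and consider a `dom == NULL` guard since the function is exported through util.h.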
diff --git a/src/util/util.h b/src/util/util.h
index 436550f..4ef13ce 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -539,6 +539,7 @@ enum sss_domain_state sss_domain_get_state(struct sss_domain_info *dom);
 void sss_domain_set_state(struct sss_domain_info *dom,
   enum sss_domain_state state);
 bool is_email_from_domain(const char *email, struct sss_domain_info *dom);
+bool sss_domain_is_forest_root(struct sss_domain_info *dom);
 const char *sss_domain_type_str(struct sss_domain_info *dom);
 
 struct sss_domain_info*

From af99072d9202ec894c15d6d3c4912fa4f7bff6f2 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 3 Apr 2017 21:27:32 +0200
Subject: [PATCH 2/2] ad: handle forest root not listed in ad_enabled_domains

Although users and groups from the forest root should be ignored, SSSD
will still try to get information about the forest topology from a DC
from the forest root. So even if the forest root domain is disabled we
should make sure it is usable for those searches.

Resolves https://pagure.io/SSSD/sssd/issue/3361
---
 src/providers/ad/ad_subdomains.c | 39 ---
 1 file changed, 36 insertions(+), 3 deletions(-)

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index bc659b2..ef16644 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -433,6 +433,14 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
 if (c >= num_subdomains) {
 /* ok this subdomain does not exist anymore, let's clean up */
 sss_domain_set_state(dom, DOM_DISABLED);
+
+/* Just disable the forest root but do not remove sdap data */
+if (sss_domain_is_forest_root(dom)) {
+DEBUG(SSSDBG_TRACE_ALL,
+  "Skipping removal of forest root sdap data.\n");
+continue;
+}
+
 ret = sysdb_subdomain_delete(dom->sysdb, dom->name);
 if (ret != EOK) {
 goto done;
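Review bot: after the `continue`, the forest root stays in DOM_DISABLED while its sdap data are retained, so any iteration that skips disabled domains will still skip it; the code that queries the forest topology therefore has to reach the root explicitly (for instance through `forest_root`) rather than by walking enabled subdomains, and the comment should say so. Also check that nothing after `sysdb_subdomain_delete()` in this loop (not shown here) is still needed for the root, since the `continue` skips it as well.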
@@ -633,6 +641,7 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
 const char *path;
 errno_t ret;
 bool canonicalize = false;
+struct sss_domain_info *dom;
 
 path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic,
  AD_KRB5_CONFD_PATH);
@@ -675,6 +684,17 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
 return ret;
 }
 
+/* Make sure disabled domains are not re-enabled accidentially */
+if (subdoms_ctx->ad_enabled_domains != NULL) {
+for (dom = subdoms_ctx->be_ctx->domain->subdomains; dom;
+dom = get_next_domain(dom, false)) {
+if (!is_domain_enabled(dom->name,
+   subdoms_ctx->ad_enabled_domains)) {
+sss_domain_set_state(dom, DOM_DISABLED);
+}
+}
+}
+
 return EOK;
 }
 
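Review bot: typo in the new comment, "accidentially" should be "accidentally". The loop re-disables every subdomain absent from `ad_enabled_domains`, the forest root included, which matches the commit message (disabled, but its sdap data kept by the earlier hunk); note that it walks only the direct `subdomains` list without descending, which is fine as long as forest domains are kept flat under the main domain.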
@@ -898,7 +918,7 @@ static errno_t ad_get_slave_domain_recv(struct tevent_req *req)
 static struct sss_domain_info *
 ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs)
 {
-struct sss_domain_info *root;
+struct sss_domain_info *dom;
 const char *name;
 errno_t ret;
 
@@ -909,9 +929,22 @@ ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs)
 }
 
 /* With a subsequent run, the root should already be 

[SSSD] [sssd PR#235][+Changes requested] Allow using the "shortnames" feature without requiring any configuration from the client side

2017-04-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/235
Title: #235: Allow using the "shortnames" feature without requiring any 
configuration from the client side

Label: +Changes requested


[SSSD] [sssd PR#243][+Accepted] IPA: Use search bases from sdap_domain instead of inferring search base from IPA domain structure

2017-04-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/243
Title: #243: IPA: Use search bases from sdap_domain instead of inferring search 
base from IPA domain structure

Label: +Accepted


[SSSD] [sssd PR#136][comment] Tlog integration

2017-04-24 Thread spbnick
  URL: https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration

spbnick commented:
"""
Pavel, I tried to address all your comments, and also added the fix you made to 
data provider initialization regarding overrides. I also improved the tests. 
This is ready for another review.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/136#issuecomment-296623885


[SSSD] [sssd PR#243][comment] IPA: Use search bases from sdap_domain instead of inferring search base from IPA domain structure

2017-04-24 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/243
Title: #243: IPA: Use search bases from sdap_domain instead of inferring search 
base from IPA domain structure

pbrezina commented:
"""
Ack.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/243#issuecomment-296622691


[SSSD] [sssd PR#235][comment] Allow using the "shortnames" feature without requiring any configuration from the client side

2017-04-24 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/235
Title: #235: Allow using the "shortnames" feature without requiring any 
configuration from the client side

pbrezina commented:
"""
Functional ack, but please, do the same change also for 
`sss_resp_new_cr_domains_from_ipa_id_view`.

I would also welcome some debug messages so we can know that shortname lookup 
was used etc. and some comments in `cache_req_domain_new_list_from_string_list` 
describing what the for loops do.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/235#issuecomment-296618933


[SSSD] [sssd PR#242][comment] IPA: Improve DEBUG message if an external group has no SID

2017-04-24 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/242
Title: #242: IPA: Improve DEBUG message if an external group has no SID

jhrozek commented:
"""
* master: ef019268d2d112ebff3577e551cd19478d73d93b
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/242#issuecomment-296572962


[SSSD] [sssd PR#242][closed] IPA: Improve DEBUG message if an external group has no SID

2017-04-24 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/242
Author: jhrozek
 Title: #242: IPA: Improve DEBUG message if an external group has no SID
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/242/head:pr242
git checkout pr242