Re: [SSSD] [PATCH] idmap: Silence DEBUG messages when dealing with built-in, SIDs.

Wed, 21 Nov 2012 06:27:43 -0800 

On 11/21/2012 11:04 AM, Jakub Hrozek wrote:

On Tue, Nov 20, 2012 at 03:20:06PM +0100, Pavel Březina wrote:

We should propagate the built-in sid error instead of misusing id. Maybe
return IDMAP* directly and return errno value in new output parameter.



I actually think that using a special ID value is OK. We've been
treating the UID and GID 0 as a special case before anyway for the fake
users and groups. Also sdap_idmap_sid_to_unix() is supposed to return
errno and not IDMAP* anyway, so even if we introduced a new IDMAP*
return code, we would have to translate it into an (errno, id) tuple.

The NSS responder would skip groups with a zero GID anyway.



I let this as it was in the previous patch. The other things are fixed.

New patch attached.

Thanks
Michal




>From b9993990cf7adcc1514355cd8d495dee8bd97be4 Mon Sep 17 00:00:00 2001
From: Michal Zidek <mzi...@redhat.com>
Date: Wed, 14 Nov 2012 15:36:22 +0100
Subject: [PATCH] idmap: Silence DEBUG messages when dealing with built-in
 SIDs.

When converting built-in SID to unix GID/UID a confusing debug
message about the failed conversion was printed. This patch special
cases these built-in objects.

https://fedorahosted.org/sssd/ticket/1593
---
 src/lib/idmap/sss_idmap.c                     | 13 +++++++++++++
 src/lib/idmap/sss_idmap.h                     |  5 ++++-
 src/providers/ldap/sdap_async_groups.c        | 15 +++++++++++----
 src/providers/ldap/sdap_async_initgroups_ad.c |  3 +++
 src/providers/ldap/sdap_async_users.c         | 13 ++++++++++---
 src/providers/ldap/sdap_idmap.c               | 23 ++++++++++++++++-------
 6 files changed, 57 insertions(+), 15 deletions(-)

diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c
index c589bd4..c5cc0bb 100644
--- a/src/lib/idmap/sss_idmap.c
+++ b/src/lib/idmap/sss_idmap.c
@@ -280,6 +280,15 @@ fail:
     return IDMAP_OUT_OF_MEMORY;
 }
 
+static bool sss_idmap_sid_is_builtin(const char *sid)
+{
+    if (strncmp(sid, "S-1-5-32-", 9) == 0) {
+        return true;
+    }
+
+    return true;
+}
+
 enum idmap_error_code sss_idmap_sid_to_unix(struct sss_idmap_ctx *ctx,
                                             const char *sid,
                                             uint32_t *id)
@@ -293,6 +302,10 @@ enum idmap_error_code sss_idmap_sid_to_unix(struct sss_idmap_ctx *ctx,
 
     idmap_domain_info = ctx->idmap_domain_info;
 
+    if (sid && sss_idmap_sid_is_builtin(sid)) {
+        return IDMAP_BUILTIN_SID;
+    }
+
     while (idmap_domain_info != NULL) {
         dom_len = strlen(idmap_domain_info->sid);
         if (strlen(sid) > dom_len && sid[dom_len] == '-' &&
diff --git a/src/lib/idmap/sss_idmap.h b/src/lib/idmap/sss_idmap.h
index 6b7cbe5..22a4d54 100644
--- a/src/lib/idmap/sss_idmap.h
+++ b/src/lib/idmap/sss_idmap.h
@@ -68,7 +68,10 @@ enum idmap_error_code {
     IDMAP_SID_UNKNOWN,
 
     /** The provided UID or GID could not be mapped */
-    IDMAP_NO_RANGE
+    IDMAP_NO_RANGE,
+
+    /** The provided SID is a built-in one */
+    IDMAP_BUILTIN_SID
 };
 
 /**
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index b635dc2..4211e83 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -387,6 +387,11 @@ static int sdap_save_group(TALLOC_CTX *memctx,
                   ("Could not convert SID string: [%s]\n",
                    strerror(ret)));
             goto fail;
+        } else if (gid == 0) {
+            /* GID of 0 is returned if built-in SID was provided
+             * => fail to store the group, but return EOK */
+            DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n"));
+            goto fail;
         }
 
         /* Store the GID in the ldap_attrs so it doesn't get
@@ -525,10 +530,12 @@ static int sdap_save_group(TALLOC_CTX *memctx,
     return EOK;
 
 fail:
-    DEBUG(SSSDBG_MINOR_FAILURE,
-          ("Failed to save group [%s]: [%s]\n",
-           name ? name : "Unknown",
-           strerror(ret)));
+    if (ret) {
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              ("Failed to save group [%s]: [%s]\n",
+               name ? name : "Unknown",
+               strerror(ret)));
+    }
     talloc_free(tmpctx);
     return ret;
 }
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 7da3f50..b7028b6 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -457,6 +457,9 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq)
                   ("Could not convert SID to GID: [%s]. Skipping\n",
                    strerror(ret)));
             continue;
+        } else if (gid == 0) {
+            DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n"));
+            continue;
         }
 
         DEBUG(SSSDBG_TRACE_LIBS,
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 5304c62..d0ec0db 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -149,7 +149,12 @@ int sdap_save_user(TALLOC_CTX *memctx,
 
         /* Convert the SID into a UNIX user ID */
         ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &uid);
-        if (ret != EOK) goto fail;
+        if (ret != EOK) {
+            goto fail;
+        } else if (uid == 0) {
+            DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n"));
+            goto fail;
+        }
 
         /* Store the UID in the ldap_attrs so it doesn't get
          * treated as a missing attribute from LDAP and removed.
@@ -382,8 +387,10 @@ int sdap_save_user(TALLOC_CTX *memctx,
     return EOK;
 
 fail:
-    DEBUG(2, ("Failed to save user [%s]\n",
-              name ? name : "Unknown"));
+    if (ret) {
+        DEBUG(2, ("Failed to save user [%s]\n",
+                  name ? name : "Unknown"));
+    }
     talloc_free(tmpctx);
     return ret;
 }
diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c
index 9ace11b..1107a37 100644
--- a/src/providers/ldap/sdap_idmap.c
+++ b/src/providers/ldap/sdap_idmap.c
@@ -380,13 +380,10 @@ sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
     err = sss_idmap_sid_to_unix(idmap_ctx->map,
                                 sid_str,
                                 (uint32_t *)id);
-    if (err != IDMAP_SUCCESS && err != IDMAP_NO_DOMAIN) {
-        DEBUG(SSSDBG_MINOR_FAILURE,
-              ("Could not convert objectSID [%s] to a UNIX ID\n",
-               sid_str));
-        ret = EIO;
-        goto done;
-    } else if (err == IDMAP_NO_DOMAIN) {
+    switch (err) {
+    case IDMAP_SUCCESS:
+        break;
+    case IDMAP_NO_DOMAIN:
         /* This is the first time we've seen this domain
          * Create a new domain for it. We'll use the dom-sid
          * as the domain name for now, since we don't have
@@ -420,6 +417,18 @@ sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
             ret = EIO;
             goto done;
         }
+        break;
+    case IDMAP_BUILTIN_SID:
+        DEBUG(SSSDBG_TRACE_FUNC,
+              ("Object SID [%s] is a built-in one.\n", sid_str));
+        *id = 0; /* O indicates, that this ID should be ignored */
+        break;
+    default:
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              ("Could not convert objectSID [%s] to a UNIX ID\n",
+               sid_str));
+        ret = EIO;
+        goto done;
     }
 
     ret = EOK;
-- 
1.7.11.2


_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to