ehlo, two patches are attached. The 1st one is almost the same as the patch in commit 16b27fcceebcbbaeefaf5b9bdf2dec3065adba4a LDAP: Don't fail if subdomain cannot be found by sid
I didn't notice that a similar change had been done in two separate patches. I am not sure if the 2nd is the right solution, because some conditions are a little bit confusing for me. LS
>From 6fb4a41e7340f48565d5d81f079e9861b5b3c71e Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Fri, 24 Jan 2014 17:03:27 +0100
Subject: [PATCH 1/2] LDAP: store group if subdomain cannot be found by sid Domain needn't contain sid if id_provider is ldap. With enabled id mapping, group couldn't be stored, because domain couldn't be found by sid.
Resolves: https://fedorahosted.org/sssd/ticket/2172
---
 src/providers/ldap/sdap_async_groups.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 4ae772636863acf4c1fd59a20a20d1ad3a28ace0..55813c0fe4ffe864e1725959ad2a6ff51b1ffc65 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -450,6 +450,7 @@ static int sdap_save_group(TALLOC_CTX *memctx,
 bool posix_group;
 bool use_id_mapping;
 char *sid_str;
+ struct sss_domain_info *subdomain;
 int32_t ad_group_type;
 tmpctx = talloc_new(NULL);
@@ -488,11 +489,12 @@ static int sdap_save_group(TALLOC_CTX *memctx,
 /* If this object has a SID available, we will determine the correct
 * domain by its SID. */
 if (sid_str != NULL) {
- dom = find_subdomain_by_sid(get_domains_head(dom), sid_str);
- if (dom == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, ("SID %s does not belong to any known "
+ subdomain = find_subdomain_by_sid(get_domains_head(dom), sid_str);
+ if (subdomain) {
+ dom = subdomain;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, ("SID %s does not belong to any known "
 "domain\n", sid_str));
- return ERR_DOMAIN_NOT_FOUND;
 }
 }
--
1.8.5.3
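Review bot: In the second hunk of sdap_save_group, the new `else` branch keeps the caller's `dom` for every SID that matches no known domain, not only for the id_provider=ldap case the commit message describes, where the domain has no SID at all. A group object whose SID belongs to some other, unrecognised domain is therefore now stored in `dom` as well, and the only trace is an `SSSDBG_TRACE_FUNC` message that does not say so. I would restrict the fallback to the case where the configured domain carries no SID, or at least keep the event visible and explicit, e.g. `DEBUG(SSSDBG_MINOR_FAILURE, ("SID %s does not belong to any known domain, storing group in [%s]\n", sid_str, dom->name));`. For consistency with `sid_str != NULL` just above, `if (subdomain != NULL)` reads better than `if (subdomain)`. The function body starts and ends outside both hunks.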
>From 8ee3656c5a24abf5520ea5c636935ff9b0c5fb2d Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Fri, 24 Jan 2014 19:11:57 +0100
Subject: [PATCH 2/2] LDAP: Fix group handling with AD schema regression introduced in commit 8280c5213094a72fcaa499dda2f8647246185d45
Resolves: https://fedorahosted.org/sssd/ticket/2172
---
 src/providers/ldap/sdap_async_groups.c | 59 +++++++++++++--------------
 src/providers/ldap/sdap_async_nested_groups.c | 31 +++++++-------
 2 files changed, 42 insertions(+), 48 deletions(-)
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 55813c0fe4ffe864e1725959ad2a6ff51b1ffc65..efb58313374de9e99e9622820d58c8042d111320 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -508,38 +508,35 @@ static int sdap_save_group(TALLOC_CTX *memctx,
 posix_group = true;
 if (opts->schema_type == SDAP_SCHEMA_AD) {
 ret = sysdb_attrs_get_int32_t(attrs, SYSDB_GROUP_TYPE, &ad_group_type);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_int32_t failed.\n"));
- goto done;
- }
-
- DEBUG(SSSDBG_TRACE_ALL, ("AD group [%s] has type flags %#x.",
- group_name, ad_group_type));
- /* Only security groups from AD are considered for POSIX groups.
- * Additionally only global and universal group are taken to account
- * for trusted domains. */
- if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
- || (IS_SUBDOMAIN(dom)
- && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
- || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
- posix_group = false;
- gid = 0;
- DEBUG(SSSDBG_TRACE_FUNC, ("Filtering AD group [%s].\n",
- group_name));
- ret = sysdb_attrs_add_uint32(group_attrs,
- opts->group_map[SDAP_AT_GROUP_GID].sys_name, 0);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("Failed to add a GID to non-posix group!\n"));
- return ret;
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_ALL, ("AD group [%s] has type flags %#x.",
+ group_name, ad_group_type));
+ /* Only security groups from AD are considered for POSIX groups.
+ * Additionally only global and universal group are taken to account
+ * for trusted domains. */
+ if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
+ || (IS_SUBDOMAIN(dom)
+ && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
+ || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
+ posix_group = false;
+ gid = 0;
+ DEBUG(SSSDBG_TRACE_FUNC, ("Filtering AD group [%s].\n",
+ group_name));
+ ret = sysdb_attrs_add_uint32(group_attrs,
+ opts->group_map[SDAP_AT_GROUP_GID].sys_name, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Failed to add a GID to non-posix group!\n"));
+ return ret;
+ }
+ ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, false);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("Error: Failed to mark group as non-posix!\n"));
+ return ret;
+ }
 }
- ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, false);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- ("Error: Failed to mark group as non-posix!\n"));
- return ret;
- }
- }
+ } /* have attribute SYSDB_GROUP_TYPE */
 }
 if (posix_group) {
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index 306f55397dbbd2a6787fcb90daaff67cbaac26e3..446afd7b2317dcefd78c523cf13e4c5e5b421870 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
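Review bot: In sdap_save_group, `if (ret == EOK)` now treats every failure of `sysdb_attrs_get_int32_t()` as "attribute absent", so an error other than a missing SYSDB_GROUP_TYPE leaves `posix_group = true` and skips the security/global/universal filter; the check fails open and the group is presumably saved as a POSIX group further down. Only the not-found case should be tolerated: assuming the getter reports that as ENOENT (to be confirmed against sysdb), add `} else if (ret != ENOENT) {` with the old `DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_int32_t failed.\n"));` and `goto done;`. The same pattern is in the sdap_nested_group_hash_group hunk of sdap_async_nested_groups.c, where the error branch should keep `return ret;`. Separately, the inner `return ret;` paths bypass the `done` label that the removed `goto done` used, which looks like it skips cleanup of `tmpctx`; that label is outside the hunk, so this needs checking against the full function.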
@@ -245,23 +245,20 @@ sdap_nested_group_hash_group(struct sdap_nested_group_ctx *group_ctx,
 if (group_ctx->opts->schema_type == SDAP_SCHEMA_AD) {
 ret = sysdb_attrs_get_int32_t(group, SYSDB_GROUP_TYPE, &ad_group_type);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_int32_t failed.\n"));
- return ret;
- }
-
- DEBUG(SSSDBG_TRACE_ALL, ("AD group has type flags %#x.\n",
- ad_group_type));
- /* Only security groups from AD are considered for POSIX groups.
- * Additionally only global and universal group are taken to account
- * for trusted domains. */
- if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
- || (IS_SUBDOMAIN(group_ctx->domain)
- && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
- || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
- posix_group = false;
- gid = 0;
- DEBUG(SSSDBG_TRACE_FUNC, ("Filtering AD group.\n"));
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_ALL, ("AD group has type flags %#x.\n",
+ ad_group_type));
+ /* Only security groups from AD are considered for POSIX groups.
+ * Additionally only global and universal group are taken to account
+ * for trusted domains. */
+ if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
+ || (IS_SUBDOMAIN(group_ctx->domain)
+ && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
+ || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
+ posix_group = false;
+ gid = 0;
+ DEBUG(SSSDBG_TRACE_FUNC, ("Filtering AD group.\n"));
+ }
 }
 }
--
1.8.5.3