ehlo,

two patches are attached.
The 1st one is almost the same as the patch:
commit 16b27fcceebcbbaeefaf5b9bdf2dec3065adba4a
    LDAP: Don't fail if subdomain cannot be found by sid

I didn't notice that a similar change was done in two separate patches.


I am not sure if the 2nd is the right solution, because some conditions are a little bit
confusing for me.

LS
>From 6fb4a41e7340f48565d5d81f079e9861b5b3c71e Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Fri, 24 Jan 2014 17:03:27 +0100
Subject: [PATCH 1/2] LDAP: store group if subdomain cannot be found by sid

Domain needn't contain sid if id_provider is ldap.
With enabled id mapping, group couldn't be stored, because domain
couldn't be found by sid.

Resolves:
https://fedorahosted.org/sssd/ticket/2172
---
 src/providers/ldap/sdap_async_groups.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/providers/ldap/sdap_async_groups.c 
b/src/providers/ldap/sdap_async_groups.c
index 
4ae772636863acf4c1fd59a20a20d1ad3a28ace0..55813c0fe4ffe864e1725959ad2a6ff51b1ffc65
 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -450,6 +450,7 @@ static int sdap_save_group(TALLOC_CTX *memctx,
     bool posix_group;
     bool use_id_mapping;
     char *sid_str;
+    struct sss_domain_info *subdomain;
     int32_t ad_group_type;
 
     tmpctx = talloc_new(NULL);
@@ -488,11 +489,12 @@ static int sdap_save_group(TALLOC_CTX *memctx,
     /* If this object has a SID available, we will determine the correct
      * domain by its SID. */
     if (sid_str != NULL) {
-        dom = find_subdomain_by_sid(get_domains_head(dom), sid_str);
-        if (dom == NULL) {
-            DEBUG(SSSDBG_OP_FAILURE, ("SID %s does not belong to any known "
+        subdomain = find_subdomain_by_sid(get_domains_head(dom), sid_str);
+        if (subdomain) {
+            dom = subdomain;
+        } else {
+            DEBUG(SSSDBG_TRACE_FUNC, ("SID %s does not belong to any known "
                                       "domain\n", sid_str));
-            return ERR_DOMAIN_NOT_FOUND;
         }
     }
 
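Review bot: The new `else` branch keeps the caller's `dom` for every SID that matches no known domain, not only for the plain-LDAP case from the commit message, where the domain has no SID at all. A group whose SID belongs to a domain that is simply unknown or not trusted would therefore be stored under `dom`, and the only trace is a `SSSDBG_TRACE_FUNC` message that is unlikely to show up at common debug levels. If that fallback is intended, I would say so next to the check, e.g. `/* No domain matches this SID (a plain LDAP domain may have no domain SID); keep the domain passed in by the caller. */`, and consider a more visible log level for the mismatch. The body of sdap_save_group continues outside the hunk, so whether a later step rejects such a SID cannot be seen here.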
-- 
1.8.5.3

>From 8ee3656c5a24abf5520ea5c636935ff9b0c5fb2d Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Fri, 24 Jan 2014 19:11:57 +0100
Subject: [PATCH 2/2] LDAP: Fix group handling with AD schema

regression introduced in commit 8280c5213094a72fcaa499dda2f8647246185d45

Resolves:
https://fedorahosted.org/sssd/ticket/2172
---
 src/providers/ldap/sdap_async_groups.c        | 59 +++++++++++++--------------
 src/providers/ldap/sdap_async_nested_groups.c | 31 +++++++-------
 2 files changed, 42 insertions(+), 48 deletions(-)

diff --git a/src/providers/ldap/sdap_async_groups.c 
b/src/providers/ldap/sdap_async_groups.c
index 
55813c0fe4ffe864e1725959ad2a6ff51b1ffc65..efb58313374de9e99e9622820d58c8042d111320
 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -508,38 +508,35 @@ static int sdap_save_group(TALLOC_CTX *memctx,
     posix_group = true;
     if (opts->schema_type == SDAP_SCHEMA_AD) {
         ret = sysdb_attrs_get_int32_t(attrs, SYSDB_GROUP_TYPE, &ad_group_type);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_int32_t failed.\n"));
-            goto done;
-        }
-
-        DEBUG(SSSDBG_TRACE_ALL, ("AD group [%s] has type flags %#x.",
-                                 group_name, ad_group_type));
-        /* Only security groups from AD are considered for POSIX groups.
-         * Additionally only global and universal group are taken to account
-         * for trusted domains. */
-        if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
-                || (IS_SUBDOMAIN(dom)
-                    && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
-                        || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
-            posix_group = false;
-            gid = 0;
-            DEBUG(SSSDBG_TRACE_FUNC, ("Filtering AD group [%s].\n",
-                                      group_name));
-            ret = sysdb_attrs_add_uint32(group_attrs,
-                                         
opts->group_map[SDAP_AT_GROUP_GID].sys_name, 0);
-            if (ret != EOK) {
-                DEBUG(SSSDBG_CRIT_FAILURE,
-                      ("Failed to add a GID to non-posix group!\n"));
-                return ret;
+        if (ret == EOK) {
+            DEBUG(SSSDBG_TRACE_ALL, ("AD group [%s] has type flags %#x.",
+                                     group_name, ad_group_type));
+            /* Only security groups from AD are considered for POSIX groups.
+             * Additionally only global and universal group are taken to 
account
+             * for trusted domains. */
+            if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
+                    || (IS_SUBDOMAIN(dom)
+                        && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
+                            || (ad_group_type & 
SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
+                posix_group = false;
+                gid = 0;
+                DEBUG(SSSDBG_TRACE_FUNC, ("Filtering AD group [%s].\n",
+                                          group_name));
+                ret = sysdb_attrs_add_uint32(group_attrs,
+                                             
opts->group_map[SDAP_AT_GROUP_GID].sys_name, 0);
+                if (ret != EOK) {
+                    DEBUG(SSSDBG_CRIT_FAILURE,
+                          ("Failed to add a GID to non-posix group!\n"));
+                    return ret;
+                }
+                ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, false);
+                if (ret != EOK) {
+                    DEBUG(SSSDBG_OP_FAILURE,
+                          ("Error: Failed to mark group as non-posix!\n"));
+                    return ret;
+                }
             }
-            ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, false);
-            if (ret != EOK) {
-                DEBUG(SSSDBG_OP_FAILURE,
-                      ("Error: Failed to mark group as non-posix!\n"));
-                return ret;
-            }
-        }
+        } /* have attribute SYSDB_GROUP_TYPE */
     }
 
     if (posix_group) {
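Review bot: With `if (ret == EOK)` and no `else`, any failure of `sysdb_attrs_get_int32_t()` now leaves `posix_group = true`, so the security/global/universal filter is skipped and the group is handled as a POSIX group. The closing comment reads "have attribute SYSDB_GROUP_TYPE", but a conversion or other internal error takes the same path as a missing attribute. I would let only the missing-attribute case fall through and keep failing on the rest, e.g. `} else if (ret != ENOENT) {` / `goto done;` / `}`, assuming the getter reports a missing attribute as ENOENT (please confirm). The same pattern is in the sdap_nested_group_hash_group hunk in sdap_async_nested_groups.c, where the old code did `return ret;`. sdap_save_group starts and ends outside this hunk.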
diff --git a/src/providers/ldap/sdap_async_nested_groups.c 
b/src/providers/ldap/sdap_async_nested_groups.c
index 
306f55397dbbd2a6787fcb90daaff67cbaac26e3..446afd7b2317dcefd78c523cf13e4c5e5b421870
 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -245,23 +245,20 @@ sdap_nested_group_hash_group(struct sdap_nested_group_ctx 
*group_ctx,
 
     if (group_ctx->opts->schema_type == SDAP_SCHEMA_AD) {
         ret = sysdb_attrs_get_int32_t(group, SYSDB_GROUP_TYPE, &ad_group_type);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_int32_t failed.\n"));
-            return ret;
-        }
-
-        DEBUG(SSSDBG_TRACE_ALL, ("AD group has type flags %#x.\n",
-                                 ad_group_type));
-        /* Only security groups from AD are considered for POSIX groups.
-         * Additionally only global and universal group are taken to account
-         * for trusted domains. */
-        if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
-                || (IS_SUBDOMAIN(group_ctx->domain)
-                    && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
-                        || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
-            posix_group = false;
-            gid = 0;
-            DEBUG(SSSDBG_TRACE_FUNC, ("Filtering AD group.\n"));
+        if (ret == EOK) {
+            DEBUG(SSSDBG_TRACE_ALL, ("AD group has type flags %#x.\n",
+                                     ad_group_type));
+            /* Only security groups from AD are considered for POSIX groups.
+             * Additionally only global and universal group are taken to 
account
+             * for trusted domains. */
+            if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
+                    || (IS_SUBDOMAIN(group_ctx->domain)
+                        && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
+                            || (ad_group_type & 
SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
+                posix_group = false;
+                gid = 0;
+                DEBUG(SSSDBG_TRACE_FUNC, ("Filtering AD group.\n"));
+            }
         }
     }
 
-- 
1.8.5.3
