URL: https://github.com/SSSD/sssd/pull/149 Author: jhrozek Title: #149: Fix subdomain discovery if sssd.conf domain name is different from joined domain name Action: opened
PR body: """ Please see the commit message for problem description and a way to reproduce the issue. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/149/head:pr149 git checkout pr149
From 908a9b10d9ec5f94d9a081eea14c6da6fee7a9cc Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Tue, 7 Feb 2017 11:05:47 +0100 Subject: [PATCH] AD: Use ad_domain to match forest root domain, not the configured domain from sssd.conf If the sssd.conf domain name was different from the joined domain name, but sssd was joined to the forest root, the AD subdomains code considered sssd joined to a non-root domain and tried to discover the forest root. This could be reproduced by joining sssd to a domain, for example win.trust.test but calling the sssd.conf domain otherwise, for example: [domain/addomain] ad_domain = win.trust.test This is/was a frequent use-case in the RHEL world, where authconfig often names the sssd.conf domain 'default'. Without the patch, the trusted domain were not reproduced. --- src/providers/ad/ad_subdomains.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 5e57d21..ad075c1 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -948,6 +948,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq); static struct tevent_req * ad_get_root_domain_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, + const char *domain, const char *forest, struct sdap_handle *sh, struct ad_subdomains_ctx *sd_ctx) @@ -968,7 +969,7 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx, return NULL; } - if (forest != NULL && strcasecmp(sd_ctx->be_ctx->domain->name, forest) == 0) { + if (forest != NULL && strcasecmp(domain, forest) == 0) { state->root_id_ctx = sd_ctx->ad_id_ctx; state->root_domain_attrs = NULL; ret = EOK; @@ -1230,6 +1231,7 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq) struct ad_subdomains_refresh_state *state; struct tevent_req *req; const char *realm; + const char *ad_domain; char *master_sid; char *flat_name; char *forest; 
@@ -1277,7 +1279,14 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq) } } - subreq = ad_get_root_domain_send(state, state->ev, forest, + ad_domain = dp_opt_get_cstring(state->ad_options->basic, AD_DOMAIN); + if (ad_domain == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Missing AD domain name, falling back to sssd domain name\n"); + ad_domain = state->sd_ctx->be_ctx->domain->name; + } + + subreq = ad_get_root_domain_send(state, state->ev, ad_domain, forest, sdap_id_op_handle(state->sdap_op), state->sd_ctx); if (subreq == NULL) {
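Review bot: In the ad_get_root_domain_send() signature hunk (@@ -948), the new parameter name `domain` does not say which name it carries, and the function can still reach the sssd.conf name through sd_ctx->be_ctx->domain. Consider naming the parameter ad_domain, or adding a comment above the function stating that it is the joined AD domain name that gets compared against forest, so that a later caller does not pass the sssd.conf name again.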
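Review bot: In the @@ -968 hunk, the condition guards forest against NULL but passes domain to strcasecmp() unchecked. The one caller visible in this patch always supplies a value through its fallback, but the function itself should not depend on that; consider `if (domain != NULL && forest != NULL && strcasecmp(domain, forest) == 0)` or documenting that domain must be non-NULL.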
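Review bot: In the @@ -1277 hunk, the fallback branch assigns state->sd_ctx->be_ctx->domain->name, which is the same comparison the commit message describes as wrong when the sssd.conf name differs from the joined domain. If that branch is taken in such a setup, forest root detection fails the way it did before the patch, and the only trace is a message at SSSDBG_CONF_SETTINGS. Consider logging it at a more visible level such as SSSDBG_MINOR_FAILURE and including the fallback name in the message, so the misdetection can be diagnosed from the logs.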