URL: https://github.com/SSSD/sssd/pull/5347
Author: sumit-bose
 Title: #5347: ad: add ad_allow_remote_domain_local_groups
Action: synchronized

From 1ae4ae532674b537d5571cdda65860f57a9d90eb Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 1 Oct 2019 20:24:09 +0200
Subject: [PATCH] ad: add ad_allow_remote_domain_local_groups

As the option name says, if set to true, Domain Local groups from remote
domains won't be filtered out. This option is added to facilitate the
migration from other solutions and should only be used for this purpose.

Resolves: https://github.com/SSSD/sssd/issues/5346
---
 src/config/SSSDConfig/sssdoptions.py   |  1 +
 src/config/cfg_rules.ini               |  1 +
 src/config/etc/sssd.api.d/sssd-ad.conf |  1 +
 src/man/sssd-ad.5.xml                  | 49 ++++++++++++++++++++++++++
 src/providers/ad/ad_common.c           |  3 ++
 src/providers/ad/ad_common.h           |  1 +
 src/providers/ad/ad_opts.c             |  1 +
 src/providers/ldap/sdap.h              |  1 +
 src/providers/ldap/sdap_ad_groups.c    |  3 +-
 9 files changed, 60 insertions(+), 1 deletion(-)

diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
index 33c9990bad..de96db6f44 100644
--- a/src/config/SSSDConfig/sssdoptions.py
+++ b/src/config/SSSDConfig/sssdoptions.py
@@ -322,6 +322,7 @@ def __init__(self):
         'ad_update_samba_machine_account_password': _('Whether to update the machine account password in the Samba '
                                                       'database'),
         'ad_use_ldaps': _('Use LDAPS port for LDAP and Global Catalog requests'),
+        'ad_allow_remote_domain_local_groups' : _('Do not filter domain local groups from other domains'),
 
         # [provider/krb5]
         'krb5_kdcip': _('Kerberos server address'),
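Review bot: The added dict entry on the fourth hunk line puts a space before the colon (`'ad_allow_remote_domain_local_groups' : _(`), which none of the neighbouring entries in this dict do. Match the surrounding style: `'ad_allow_remote_domain_local_groups': _('Do not filter domain local groups from other domains'),`. The enclosing `__init__` starts outside the hunk.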
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index cc40bfb8d9..773afd8bba 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -513,6 +513,7 @@ option = ad_server
 option = ad_site
 option = ad_update_samba_machine_account_password
 option = ad_use_ldaps
+option = ad_allow_remote_domain_local_groups
 
 # IPA provider specific options
 option = ipa_anchor_uuid
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index dd909b0978..30d785316d 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -22,6 +22,7 @@ ad_maximum_machine_account_password_age = int, None, false
 ad_machine_account_password_renewal_opts = str, None, false
 ad_update_samba_machine_account_password = bool, None, false
 ad_use_ldaps = bool, None, false
+ad_allow_remote_domain_local_groups = bool, None, false
 ldap_uri = str, None, false
 ldap_backup_uri = str, None, false
 ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 882b709db2..f6a308a76d 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -1105,6 +1105,55 @@ ad_gpo_map_deny = +my_pam_service
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>ad_allow_remote_domain_local_groups (boolean)</term>
+                    <listitem>
+                        <para>
+                            If this option is set to <quote>true</quote> SSSD
+                            will not filter out Domain Local groups from remote
+                            domains in the AD forest. By default they are
+                            filtered out e.g. when following a nested group
+                            hierarchy in remote domains because they are not
+                            valid in the local domain. To be compatible with
+                            other solutions which make AD users and groups
+                            available on Linux client this option was added.
+                        </para>
+                        <para>
+                            Please note that setting this option to
+                            <quote>true</quote> will be against the intention of
+                            Domain Local group in Active Directory and
+                            <emphasis>SHOULD ONLY BE USED TO FACILITATE
+                            MIGRATION FROM OTHER SOLUTIONS</emphasis>. Although
+                            the group exists and user can be member of the group
+                            the intention is that the group should be only used
+                            in the domain it is defined and in no others. Since
+                            there is only one type of POSIX groups the only way
+                            to achieve this on the Linux side is to ignore those
+                            groups. This is also done by Active Directory as can
+                            be seen in the PAC of the Kerberos ticket for a
+                            local service or in tokenGroups requests where
+                            remote Domain Local groups are missing as well.
+                        </para>
+                        <para>
+                            Given the comments above, if this option is set to
+                            <quote>true</quote> the tokenGroups request must be
+                            disabled by setting
+                            <quote>ldap_use_tokengroups</quote> to
+                            <quote>false</quote> to get consistent
+                            group-memberships of a users. Additionally the
+                            Global Catalog lookup should be skipped as well by
+                            setting <quote>ad_enable_gc</quote> to
+                            <quote>false</quote>. Finally it might be necessary
+                            to modify <quote>ldap_group_nesting_level</quote> if
+                            the remote Domain Local groups can only be found
+                            with a deeper nesting level.
+                        </para>
+                        <para>
+                            Default: False
+                        </para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>dyndns_update (boolean)</term>
                     <listitem>
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index e228d460e2..3f6cb8576e 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1179,6 +1179,9 @@ ad_set_sdap_options(struct ad_options *ad_opts,
                keytab_path);
     }
 
+    id_opts->allow_remote_domain_local_groups = dp_opt_get_bool(ad_opts->basic,
+                                                  AD_ALLOW_REMOTE_DOMAIN_LOCAL);
+
     ret = sdap_set_sasl_options(id_opts,
                                 dp_opt_get_string(ad_opts->basic,
                                                   AD_HOSTNAME),
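Review bot: The new assignment copies the flag into id_opts without any consistency check or log, although the man page added in this same commit states that `ldap_use_tokengroups` must be disabled for the option to give consistent group memberships. Because the option deliberately relaxes the Domain Local group filter and is documented as a migration-only aid, a configuration that enables it while tokengroups is still on should at least produce a startup warning so it is visible in the logs. Something like the following, placed right after the assignment; the identifier used for the tokengroups option is the one from the existing sdap option table and should be confirmed against sdap.h. ad_set_sdap_options starts before and ends after this hunk.
```c
    id_opts->allow_remote_domain_local_groups = dp_opt_get_bool(ad_opts->basic,
                                                  AD_ALLOW_REMOTE_DOMAIN_LOCAL);
    if (id_opts->allow_remote_domain_local_groups
            && dp_opt_get_bool(id_opts->basic, SDAP_AD_USE_TOKENGROUPS)) {
        DEBUG(SSSDBG_IMPORTANT_INFO,
              "ad_allow_remote_domain_local_groups is set but "
              "ldap_use_tokengroups is still enabled; group memberships "
              "may be inconsistent.\n");
    }

    /* … unchanged: sdap_set_sasl_options call … */
```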
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 0204227b35..6b274ff66d 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -70,6 +70,7 @@ enum ad_basic_opt {
     AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
     AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD,
     AD_USE_LDAPS,
+    AD_ALLOW_REMOTE_DOMAIN_LOCAL,
 
     AD_OPTS_BASIC /* opts counter */
 };
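Review bot: The new enumerator `AD_ALLOW_REMOTE_DOMAIN_LOCAL` drops the `_GROUPS` suffix of the option it indexes, whereas every other constant visible in this enum mirrors its option name exactly (`AD_USE_LDAPS` for `ad_use_ldaps`, `AD_UPDATE_SAMBA_MACHINE_ACCOUNT_PASSWORD` for `ad_update_samba_machine_account_password`). Naming it `AD_ALLOW_REMOTE_DOMAIN_LOCAL_GROUPS` keeps the config name, the ad_basic_opts table row and the enumerator greppable one-to-one; the single use in ad_common.c would be renamed with it. The enum presumably indexes ad_basic_opts[] (both hunks insert at the same relative position), so a one-line `/* order must match ad_basic_opts[] */` above `AD_OPTS_BASIC` would make that dependency explicit for the next addition.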
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index 83069ac7bd..47cf568798 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -58,6 +58,7 @@ struct dp_option ad_basic_opts[] = {
     { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
     { "ad_update_samba_machine_account_password", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+    { "ad_allow_remote_domain_local_groups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 9f3082dcd8..bcc65fd46c 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -526,6 +526,7 @@ struct sdap_options {
     bool support_matching_rule;
     enum dc_functional_level dc_functional_level;
     const char *schema_basedn;
+    bool allow_remote_domain_local_groups;
 
     /* Certificate mapping support */
     struct sdap_certmap_ctx *sdap_certmap_ctx;
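Review bot: The new member `allow_remote_domain_local_groups` in struct sdap_options carries no comment, while the neighbouring `/* Certificate mapping support */` shows the struct documents its non-obvious members. Since the field relaxes a filter that otherwise mirrors Active Directory's own handling of Domain Local groups, a reader of sdap_ad_groups.c benefits from a one-liner such as `/* Migration aid (ad_allow_remote_domain_local_groups): keep Domain Local groups from remote domains instead of filtering them out */`. The struct definition starts before and ends after this hunk.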
diff --git a/src/providers/ldap/sdap_ad_groups.c b/src/providers/ldap/sdap_ad_groups.c
index 0e36328b9b..e8c6280d08 100644
--- a/src/providers/ldap/sdap_ad_groups.c
+++ b/src/providers/ldap/sdap_ad_groups.c
@@ -38,7 +38,8 @@ errno_t sdap_check_ad_group_type(struct sss_domain_info *dom,
     errno_t ret = EOK;
     *_need_filter = false;
 
-    if (opts->schema_type == SDAP_SCHEMA_AD) {
+    if (opts->schema_type == SDAP_SCHEMA_AD
+                && !opts->allow_remote_domain_local_groups) {
         ret = sysdb_attrs_get_int32_t(group_attrs, SYSDB_GROUP_TYPE,
                                       &ad_group_type);
         if (ret != EOK) {
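Review bot: The extended condition on the third and fourth hunk lines makes the group-type check vanish silently when the option is set, so a host that unexpectedly resolves remote Domain Local groups leaves no trace in the logs of why the filter was skipped. A guard before the `if` that records the bypass keeps the original one-line condition untouched and reads more clearly than the two-line conjunction: `if (opts->allow_remote_domain_local_groups) { DEBUG(SSSDBG_TRACE_FUNC, "Remote Domain Local groups are allowed by configuration, skipping group type check.\n"); return EOK; }`. This preserves the function's contract because `*_need_filter` is already set to false two lines earlier. If the conjunction is kept instead, its continuation line is indented well past the project's usual alignment under the first operand. sdap_check_ad_group_type continues outside the hunk.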