From e10bcf99c6105b733b043a50ea96223a46784581 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 21 Jul 2015 11:44:03 +0200
Subject: [PATCH 37/37] IPA: Remove MPG groups if getgrgid was called before
 getpw()
https://fedorahosted.org/sssd/ticket/2724
This bug only affects IPA clients that are connected to IPA servers with
AD trust and ID mapping in effect.
If an IPA client calls getgrgid() for an ID that matches a user, the
user's private group would be returned and stored as a group entry.
Subsequent queries for that user would fail, because MPG domains impose
a uniqueness restriction on both the ID and name spaces across groups and
users.
To work around that, we remove the UPG groups in MPG domains during a
group lookup.
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
 src/providers/ipa/ipa_s2n_exop.c | 41 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
6cf099
index 812a4bbd707faf5c184594b562c148d1e704fd58..1e6368dc7ef1a6f60b541409f7f6740d602f0d43 100644
6cf099
--- a/src/providers/ipa/ipa_s2n_exop.c
6cf099
+++ b/src/providers/ipa/ipa_s2n_exop.c
6cf099
@@ -1764,6 +1764,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
6cf099
     int tret;
6cf099
     struct sysdb_attrs *gid_override_attrs = NULL;
6cf099
     char ** exop_grouplist;
6cf099
+    struct ldb_message *msg;
6cf099
 
6cf099
     tmp_ctx = talloc_new(NULL);
6cf099
     if (tmp_ctx == NULL) {
6cf099
@@ -2005,8 +2006,44 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
6cf099
                                    attrs->a.user.pw_dir, attrs->a.user.pw_shell,
6cf099
                                    NULL, attrs->sysdb_attrs, NULL,
6cf099
                                    timeout, now);
6cf099
-            if (ret != EOK) {
6cf099
-                DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_user failed.\n");
6cf099
+            if (ret == EEXIST && dom->mpg == true) {
6cf099
+                /* This handles the case where getgrgid() was called for
6cf099
+                 * this user, so a group was created in the cache
6cf099
+                 */
6cf099
+                ret = sysdb_search_group_by_name(tmp_ctx, dom, name, NULL, &msg;;
6cf099
+                if (ret != EOK) {
6cf099
+                    /* Fail even on ENOENT, the group must be around */
6cf099
+                    DEBUG(SSSDBG_OP_FAILURE,
6cf099
+                          "Could not delete MPG group [%d]: %s\n",
6cf099
+                          ret, sss_strerror(ret));
6cf099
+                    goto done;
6cf099
+                }
6cf099
+
6cf099
+                ret = sysdb_delete_group(dom, NULL, attrs->a.user.pw_uid);
6cf099
+                if (ret != EOK) {
6cf099
+                    DEBUG(SSSDBG_OP_FAILURE,
6cf099
+                          "sysdb_delete_group failed for MPG group [%d]: %s\n",
6cf099
+                          ret, sss_strerror(ret));
6cf099
+                    goto done;
6cf099
+                }
6cf099
+
6cf099
+                ret = sysdb_store_user(dom, name, NULL,
6cf099
+                                       attrs->a.user.pw_uid,
6cf099
+                                       gid, attrs->a.user.pw_gecos,
6cf099
+                                       attrs->a.user.pw_dir,
6cf099
+                                       attrs->a.user.pw_shell,
6cf099
+                                       NULL, attrs->sysdb_attrs, NULL,
6cf099
+                                       timeout, now);
6cf099
+                if (ret != EOK) {
6cf099
+                    DEBUG(SSSDBG_OP_FAILURE,
6cf099
+                          "sysdb_store_user failed for MPG user [%d]: %s\n",
6cf099
+                          ret, sss_strerror(ret));
6cf099
+                    goto done;
6cf099
+                }
6cf099
+            } else if (ret != EOK) {
6cf099
+                DEBUG(SSSDBG_OP_FAILURE,
6cf099
+                      "sysdb_store_user failed [%d]: %s\n",
6cf099
+                      ret, sss_strerror(ret));
6cf099
                 goto done;
6cf099
             }
6cf099
 
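Review bot: The existence check and the deletion in the new EEXIST branch key on different attributes: `sysdb_search_group_by_name` confirms that a group named `name` exists, but `sysdb_delete_group` then removes whichever group carries gid `attrs->a.user.pw_uid`, and the `msg` it fetched is never read. In an MPG domain those should be the same entry, but if they are not the branch deletes an unrelated group from the cache; before the delete, compare the found entry's gid with the user's uid, e.g. `if (ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0) != attrs->a.user.pw_uid) { ret = EINVAL; goto done; }`. The message logged when the search fails, `"Could not delete MPG group ..."`, is also misleading because nothing has been deleted at that point; `"Could not find MPG group to delete [%d]: %s\n"` describes the actual failure. The search call as shown ends in `&msg;;` instead of `&msg);`, which looks like a rendering artifact of this page rather than the patch itself, but is worth confirming against the stored file. ipa_s2n_save_objects starts before and continues after this hunk.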
6cf099
-- 
6cf099
2.4.3
6cf099