From cc42fe7daece23c639ba8d147808f1c699d8b6ad Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Thu, 12 Sep 2019 14:45:08 +0200

Subject: [PATCH 95/97] ipa: ignore objects from disabled domains on the client

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

It is possible that a domain is already disabled on an IPA client but

still  active on the server. This might happen e.g. if the version of

SSSD running on the IPA server does not support disabled domains or if

SSSD on the IPA client updates the domain data before the IPA server and

sees a freshly disabled domain more early.

As a result the server is still sending objects from disabled domains in

the lists of group members or group memberships of a user. The client

should just ignore those objects.

Related to https://pagure.io/SSSD/sssd/issue/4078

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

---

 src/providers/ipa/ipa_s2n_exop.c | 15 +++++++++++++--

 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c

index b6efbcd34..f1d5768ae 100644

--- a/src/providers/ipa/ipa_s2n_exop.c

+++ b/src/providers/ipa/ipa_s2n_exop.c

@@ -637,10 +637,16 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,

             }

             if (domain != NULL) {

-                obj_domain = find_domain_by_name(parent_domain, domain, true);

+                obj_domain = find_domain_by_name_ex(parent_domain, domain, true, SSS_GND_ALL_DOMAINS);

                 if (obj_domain == NULL) {

                     DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");

                     return ENOMEM;

+                } else if (sss_domain_get_state(obj_domain) == DOM_DISABLED) {

+                    /* skipping objects from disabled domains */

+                    DEBUG(SSSDBG_TRACE_ALL,

+                          "Skipping object [%s] from disabled domain.\n",

+                          list[c]);

+                    continue;

                 }

             } else {

                 obj_domain = parent_domain;

@@ -656,6 +662,7 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,

             gc++;

         }

     }

+    attrs->ngroups = gc;

     tag = ber_peek_tag(ber, &ber_len);

     DEBUG(SSSDBG_TRACE_ALL, "BER tag is [%d]\n", (int) tag);

@@ -1567,11 +1574,15 @@ static errno_t process_members(struct sss_domain_info *domain,

     parent_domain = get_domains_head(domain);

     for (c = 0; members[c] != NULL; c++) {

-        obj_domain = find_domain_by_object_name(parent_domain, members[c]);

+        obj_domain = find_domain_by_object_name_ex(parent_domain, members[c],

+                                                   false, SSS_GND_ALL_DOMAINS);

         if (obj_domain == NULL) {

             DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_object_name failed.\n");

             ret = ENOMEM;

             goto done;

+        } else if (sss_domain_get_state(obj_domain) == DOM_DISABLED) {

+            /* skip members from disabled domains */

+            continue;

         }

         ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], attrs,

-- 

2.20.1