From d56d41e76741f418e88e479b91193db3ee3f1688 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Wed, 17 Jan 2018 21:59:24 +0100

Subject: [PATCH 101/101] AD: Use the right sdap_domain for the forest root

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Each ad_id_ctx structure which represents a trusted AD domain contains a

list of sdap_domain structures representing all the other domains. This

is used to e.g. be able to reach another domain's ad_id_ctx and use its

LDAP connection.

However, the sdap search call that was searching for trusted domains in

the forest that the root domain knows about, was unconditionally using

the first sdap_domain structure in the list linked from the root_domain's

ad_id_ctx structure.

It should be noted that this search only happens in case the machine is

joined to one of the non-root domains in the forest and searches the root

domain explicitly.

In case sdap_domain structures linked from the ad_id_ctx representing

the root domain were ordered so that the first sdap_domain in the list

was representing a different domain than the one linked from the

ad_id_ctx, the sdap search would have used a wrong search base derived

from the unexpected sdap_domain which would result in a referral being

returned.

This patch explicitly looks up the sdap_domain structure that

corresponds to the root domain.

Resolves:

https://pagure.io/SSSD/sssd/issue/3594

Reviewed-by: Sumit Bose <sbose@redhat.com>

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

(cherry picked from commit 9ac071272ce0152eb293d3181a5c12b395655521)

---

 src/providers/ad/ad_subdomains.c | 110 +++++++++++++++++++++++++++------------

 1 file changed, 77 insertions(+), 33 deletions(-)

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c

index 1b9483a5dce937d6acdd813486a1e8c18210d35f..bd94ba8ea93679df8d01508b3d4d85217d9c1c87 100644

--- a/src/providers/ad/ad_subdomains.c

+++ b/src/providers/ad/ad_subdomains.c

@@ -57,6 +57,71 @@

 /* do not refresh more often than every 5 seconds for now */

 #define AD_SUBDOMAIN_REFRESH_LIMIT 5

+static struct sss_domain_info *

+ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs)

+{

+    struct sss_domain_info *dom;

+    const char *name;

+    errno_t ret;

+

+    if (attrs == NULL) {

+        /* Clients joined to the forest root directly don't even discover

+         * the root domain, so the attrs are expected to be NULL in this

+         * case

+         */

+        return be_ctx->domain;

+    }

+

+    ret = sysdb_attrs_get_string(attrs, AD_AT_TRUST_PARTNER, &name);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");

+        return NULL;

+    }

+

+    /* With a subsequent run, the root should already be known */

+    for (dom = be_ctx->domain; dom != NULL;

+         dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {

+

+        if (strcasecmp(dom->name, name) == 0) {

+            /* The forest root is special, although it might be disabled for

+             * general lookups we still want to try to get the domains in the

+             * forest from a DC of the forest root */

+            if (sss_domain_get_state(dom) == DOM_DISABLED

+                    && !sss_domain_is_forest_root(dom)) {

+                return NULL;

+            }

+            return dom;

+        }

+    }

+

+    return NULL;

+}

+

+static struct sdap_domain *

+ads_get_root_sdap_domain(struct be_ctx *be_ctx,

+                         struct sdap_options *opts,

+                         struct sysdb_attrs *attrs)

+{

+    struct sdap_domain *root_sdom;

+    struct sss_domain_info *root_dom;

+

+    root_dom = ads_get_root_domain(be_ctx, attrs);

+    if (root_dom == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE,

+              "ads_get_root_domain did not find the domain\n");

+        return NULL;

+    }

+

+    root_sdom = sdap_domain_get(opts, root_dom);

+    if (root_sdom == NULL) {

+        DEBUG(SSSDBG_OP_FAILURE,

+              "Failed to find sdap_domain for the root domain\n");

+        return NULL;

+    }

+

+    return root_sdom;

+}

+

 static errno_t ad_get_enabled_domains(TALLOC_CTX *mem_ctx,

                                       struct ad_id_ctx *ad_id_ctx,

                                       const char *ad_domain,

@@ -755,6 +820,7 @@ struct ad_get_slave_domain_state {

     struct sdap_options *opts;

     struct sdap_idmap_ctx *idmap_ctx;

     struct sysdb_attrs *root_attrs;

+    struct sdap_domain *root_sdom;

     struct sdap_id_op *sdap_op;

 };

@@ -786,6 +852,13 @@ ad_get_slave_domain_send(TALLOC_CTX *mem_ctx,

     state->opts = root_id_ctx->sdap_id_ctx->opts;

     state->idmap_ctx = root_id_ctx->sdap_id_ctx->opts->idmap_ctx;

     state->root_attrs = root_attrs;

+    state->root_sdom = ads_get_root_sdap_domain(state->be_ctx,

+                                                state->opts,

+                                                state->root_attrs);

+    if (state->root_sdom == NULL) {

+        ret = ERR_DOMAIN_NOT_FOUND;

+        goto immediately;

+    }

     state->sdap_op = sdap_id_op_create(state, root_id_ctx->ldap_ctx->conn_cache);

     if (state->sdap_op == NULL) {

@@ -861,7 +934,7 @@ static void ad_get_slave_domain_connect_done(struct tevent_req *subreq)

     subreq = sdap_search_bases_send(state, state->ev, state->opts,

                                     sdap_id_op_handle(state->sdap_op),

-                                    state->opts->sdom->search_bases,

+                                    state->root_sdom->search_bases,

                                     NULL, false, 0,

                                     SLAVE_DOMAIN_FILTER, attrs);

     if (subreq == NULL) {

@@ -965,38 +1038,6 @@ static errno_t ad_get_slave_domain_recv(struct tevent_req *req)

     return EOK;

 }

-static struct sss_domain_info *

-ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs)

-{

-    struct sss_domain_info *dom;

-    const char *name;

-    errno_t ret;

-

-    ret = sysdb_attrs_get_string(attrs, AD_AT_TRUST_PARTNER, &name);

-    if (ret != EOK) {

-        DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");

-        return NULL;

-    }

-

-    /* With a subsequent run, the root should already be known */

-    for (dom = be_ctx->domain; dom != NULL;

-         dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {

-

-        if (strcasecmp(dom->name, name) == 0) {

-            /* The forest root is special, although it might be disabled for

-             * general lookups we still want to try to get the domains in the

-             * forest from a DC of the forest root */

-            if (sss_domain_get_state(dom) == DOM_DISABLED

-                    && !sss_domain_is_forest_root(dom)) {

-                return NULL;

-            }

-            return dom;

-        }

-    }

-

-    return NULL;

-}

-

 static struct ad_id_ctx *

 ads_get_root_id_ctx(struct be_ctx *be_ctx,

                     struct ad_id_ctx *ad_id_ctx,

@@ -1416,6 +1457,9 @@ static void ad_subdomains_refresh_root_done(struct tevent_req *subreq)

     req = tevent_req_callback_data(subreq, struct tevent_req);

     state = tevent_req_data(req, struct ad_subdomains_refresh_state);

+    /* Note: For clients joined to the root domain, root_attrs is NULL,

+     * see ad_get_root_domain_send()

+     */

     ret = ad_get_root_domain_recv(state, subreq, &root_attrs, &root_id_ctx);

     talloc_zfree(subreq);

     if (ret != EOK) {

-- 

2.14.3