From 09bf564bfe4f6f8407056e3261bfc7948d45bdbf Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Tue, 21 Jul 2015 11:44:03 +0200

Subject: [PATCH 210/210] IPA: Remove MPG groups if getgrgid was called before

 getpw()

https://fedorahosted.org/sssd/ticket/2724

This bug only affects IPA clients that are connected to IPA servers with

AD trust and ID mapping in effect.

If an IPA client calls getgrgid() for an ID that matches a user, the

user's private group would be returned and stored as a group entry.

Subsequent queries for that user would fail, because MPG domains impose

uniqueness restriction for both the ID and name space across groups and

users.

To work around that, we remove the UPG groups in MPG domains during a

group lookup.

Reviewed-by: Sumit Bose <sbose@redhat.com>

---

 src/providers/ipa/ipa_s2n_exop.c | 41 ++++++++++++++++++++++++++++++++++++++--

 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c

index 292f174257fbf6f6ebc8db6d1eb38cb4b5349b81..8de46136d0bc9d1c26b44c532d7bd405880aca50 100644

--- a/src/providers/ipa/ipa_s2n_exop.c

+++ b/src/providers/ipa/ipa_s2n_exop.c

@@ -1757,6 +1757,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,

     int tret;

     struct sysdb_attrs *gid_override_attrs = NULL;

     char ** exop_grouplist;

+    struct ldb_message *msg;

     tmp_ctx = talloc_new(NULL);

     if (tmp_ctx == NULL) {

@@ -1997,8 +1998,44 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,

                                    attrs->a.user.pw_dir, attrs->a.user.pw_shell,

                                    NULL, attrs->sysdb_attrs, NULL,

                                    timeout, now);

-            if (ret != EOK) {

-                DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_user failed.\n");

+            if (ret == EEXIST && dom->mpg == true) {

+                /* This handles the case where getgrgid() was called for

+                 * this user, so a group was created in the cache

+                 */

+                ret = sysdb_search_group_by_name(tmp_ctx, dom, name, NULL, &msg;;

+                if (ret != EOK) {

+                    /* Fail even on ENOENT, the group must be around */

+                    DEBUG(SSSDBG_OP_FAILURE,

+                          "Could not delete MPG group [%d]: %s\n",

+                          ret, sss_strerror(ret));

+                    goto done;

+                }

+

+                ret = sysdb_delete_group(dom, NULL, attrs->a.user.pw_uid);

+                if (ret != EOK) {

+                    DEBUG(SSSDBG_OP_FAILURE,

+                          "sysdb_delete_group failed for MPG group [%d]: %s\n",

+                          ret, sss_strerror(ret));

+                    goto done;

+                }

+

+                ret = sysdb_store_user(dom, name, NULL,

+                                       attrs->a.user.pw_uid,

+                                       gid, attrs->a.user.pw_gecos,

+                                       attrs->a.user.pw_dir,

+                                       attrs->a.user.pw_shell,

+                                       NULL, attrs->sysdb_attrs, NULL,

+                                       timeout, now);

+                if (ret != EOK) {

+                    DEBUG(SSSDBG_OP_FAILURE,

+                          "sysdb_store_user failed for MPG user [%d]: %s\n",

+                          ret, sss_strerror(ret));

+                    goto done;

+                }

+            } else if (ret != EOK) {

+                DEBUG(SSSDBG_OP_FAILURE,

+                      "sysdb_store_user failed [%d]: %s\n",

+                      ret, sss_strerror(ret));

                 goto done;

             }

-- 

2.4.3