From 7afd36a4c4b35d72742eec2d23bd6908e635c097 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 19 Jun 2020 13:36:49 +0200
Subject: [PATCH 70/71] AD: do not override LDAP data during GC lookups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The Global Catalog contains user and group information of the whole
forest and hence any Global Catalog server can be used. Currently when a
Global Catalog server is looked up the data of the LDAP server is
overwritten as well. I guess the original intention was to use a single
server for both services.
However since the Global Catalog server can come from any domain in the
forest this might overwrite the LDAP data of a DC from the local domain
with the data from a AD of a remote domain and as a result lookups for
users and groups from the local domain might fail since the remote DC
does not have this information available at the LDAP port. In most cases
this overwrite is hidden by a following lookup to find a KDC for
authentication which is searched only in the local domain again where
the LDAP data is overwritten again to make sure the same DC is used for
LDAP and Kerberos communication. But depending on the connection
timeouts and lifetime of Kerberos tickets the KDC lookup might be
skipped because new credentials are not needed and as a result the wrong
LDAP data is used.
To avoid this the LDAP data is now only set if the current lookup is not
a Global Catalog lookup.
Resolves: https://github.com/SSSD/sssd/issues/5351
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 5f3b9e1d45df77bca1b2665e67bbd73b26fafbc2)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/ad/ad_common.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 4e51d08e6..c99c4d110 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -942,10 +942,14 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
}
/* free old one and replace with new one */
- talloc_zfree(service->sdap->uri);
- service->sdap->uri = new_uri;
- talloc_zfree(service->sdap->sockaddr);
- service->sdap->sockaddr = talloc_steal(service->sdap, sockaddr);
+ if (sdata == NULL || !sdata->gc) {
+ /* do not update LDAP data during GC lookups because the selected server
+ * might be from a different domain. */
+ talloc_zfree(service->sdap->uri);
+ service->sdap->uri = new_uri;
+ talloc_zfree(service->sdap->sockaddr);
+ service->sdap->sockaddr = talloc_steal(service->sdap, sockaddr);
+ }
talloc_zfree(service->gc->uri);
talloc_zfree(service->gc->sockaddr);
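Review bot: When the new guard `if (sdata == NULL || !sdata->gc)` skips the assignments, `new_uri` and `sockaddr` are no longer stolen into `service->sdap`, so their lifetime now depends on the talloc context they were allocated on earlier in ad_resolve_callback, outside this hunk; if that is a long-lived context rather than a temporary one, each GC resolution would leave them attached to it until that parent is freed. The hunk only shows the `service->gc->uri`/`service->gc->sockaddr` frees that follow, not what is done with `new_uri` and `sockaddr` afterwards, so this is worth confirming against the remainder of the function. The existing `/* free old one and replace with new one */` comment now sits above a conditional replacement, so a note on why `service->sdap` is deliberately left holding the previously resolved server would help the next reader, e.g. `/* Keep the previously resolved LDAP server: a GC server may belong to another domain of the forest. */`. ad_resolve_callback starts and ends outside this hunk.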
--
2.26.3