From 75da39f57ba0223be9bd9906cd3ed902623aed10 Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Mon, 18 Dec 2017 20:30:04 +0100

Subject: [PATCH 94/96] SDAP: skip builtin AD groups in sdap_save_grpmem()

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

While processing group memberships SSSD might accidentally save builtin

or other well known AD groups. With this patch those groups are skipped

similar as e.g. in sdap_save_group().

Resolves:

https://pagure.io/SSSD/sssd/issue/3610

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

(cherry picked from commit c36a66b7fb77cff29400c751b363a342923e122e)

---

 src/providers/ldap/sdap_async_groups.c | 11 +++++++++++

 1 file changed, 11 insertions(+)

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c

index b1cfb7e4a4c054e5d365da5fca65da27c9ef5461..bbe6f1386eadbe4eb7b47bea9e5a6bb8ff4ee8eb 100644

--- a/src/providers/ldap/sdap_async_groups.c

+++ b/src/providers/ldap/sdap_async_groups.c

@@ -880,6 +880,8 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,

     int ret;

     const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST,

                                   NULL};

+    const char *check_dom;

+    const char *check_name;

     if (dom->ignore_group_members) {

         DEBUG(SSSDBG_CRIT_FAILURE,

@@ -905,6 +907,15 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,

         group_dom = sss_get_domain_by_sid_ldap_fallback(get_domains_head(dom),

                                                         group_sid);

         if (group_dom == NULL) {

+            ret = well_known_sid_to_name(group_sid, &check_dom, &check_name);

+            if (ret == EOK) {

+                DEBUG(SSSDBG_TRACE_FUNC,

+                      "Skipping group with SID [%s][%s\\%s] which is "

+                      "currently not handled by SSSD.\n",

+                      group_sid, check_dom, check_name);

+                return EOK;

+            }

+

             DEBUG(SSSDBG_TRACE_FUNC, "SID [%s] does not belong to any known "

                                      "domain, using [%s].\n", group_sid,

                                                               dom->name);

-- 

2.14.3