|
 |
ced1f5 |
From 75da39f57ba0223be9bd9906cd3ed902623aed10 Mon Sep 17 00:00:00 2001
|
|
|
ced1f5 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
ced1f5 |
Date: Mon, 18 Dec 2017 20:30:04 +0100
|
|
|
ced1f5 |
Subject: [PATCH 94/96] SDAP: skip builtin AD groups in sdap_save_grpmem()
|
|
|
ced1f5 |
MIME-Version: 1.0
|
|
|
ced1f5 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ced1f5 |
Content-Transfer-Encoding: 8bit
|
|
|
ced1f5 |
|
|
|
ced1f5 |
While processing group memberships SSSD might accidentally save builtin
|
|
|
ced1f5 |
or other well known AD groups. With this patch those groups are skipped
|
|
|
ced1f5 |
similar as e.g. in sdap_save_group().
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Resolves:
|
|
|
ced1f5 |
https://pagure.io/SSSD/sssd/issue/3610
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
|
|
|
ced1f5 |
(cherry picked from commit c36a66b7fb77cff29400c751b363a342923e122e)
|
|
|
ced1f5 |
---
|
|
|
ced1f5 |
src/providers/ldap/sdap_async_groups.c | 11 +++++++++++
|
|
|
ced1f5 |
1 file changed, 11 insertions(+)
|
|
|
ced1f5 |
|
|
|
ced1f5 |
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
|
|
|
ced1f5 |
index b1cfb7e4a4c054e5d365da5fca65da27c9ef5461..bbe6f1386eadbe4eb7b47bea9e5a6bb8ff4ee8eb 100644
|
|
|
ced1f5 |
--- a/src/providers/ldap/sdap_async_groups.c
|
|
|
ced1f5 |
+++ b/src/providers/ldap/sdap_async_groups.c
|
|
|
ced1f5 |
@@ -880,6 +880,8 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
|
|
|
ced1f5 |
int ret;
|
|
|
ced1f5 |
const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST,
|
|
|
ced1f5 |
NULL};
|
|
|
ced1f5 |
+ const char *check_dom;
|
|
|
ced1f5 |
+ const char *check_name;
|
|
|
ced1f5 |
|
|
|
ced1f5 |
if (dom->ignore_group_members) {
|
|
|
ced1f5 |
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
ced1f5 |
@@ -905,6 +907,15 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
|
|
|
ced1f5 |
group_dom = sss_get_domain_by_sid_ldap_fallback(get_domains_head(dom),
|
|
|
ced1f5 |
group_sid);
|
|
|
ced1f5 |
if (group_dom == NULL) {
|
|
|
ced1f5 |
+ ret = well_known_sid_to_name(group_sid, &check_dom, &check_name);
|
|
|
ced1f5 |
+ if (ret == EOK) {
|
|
|
ced1f5 |
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
|
ced1f5 |
+ "Skipping group with SID [%s][%s\\%s] which is "
|
|
|
ced1f5 |
+ "currently not handled by SSSD.\n",
|
|
|
ced1f5 |
+ group_sid, check_dom, check_name);
|
|
|
ced1f5 |
+ return EOK;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
DEBUG(SSSDBG_TRACE_FUNC, "SID [%s] does not belong to any known "
|
|
|
ced1f5 |
"domain, using [%s].\n", group_sid,
|
|
|
ced1f5 |
dom->name);
|
|
|
ced1f5 |
--
|
|
|
ced1f5 |
2.14.3
|
|
|
ced1f5 |
|