From ead272e1e4e9e3e605cfb91fa333310edf27b2ed Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Wed, 7 Jun 2023 10:45:59 +0200

Subject: [PATCH] ad: use sAMAccountName to lookup hosts

To determine which GPOs apply to the host running SSSD the full DN of

the host object in AD is needed. To fine this object we use the NetBIOS

name of the host which is stored in AD in the sAMAccountName attribute.

Using other attributes, e.g. if ldap_user_name is set to a different

attribute, will most probably cause a failure since those attributes are

not managed as expected for host object. As a result sAMAccountName

should be hardcoded here to avoid issues.

Resolves: https://github.com/SSSD/sssd/issues/6766

Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>

Reviewed-by: Justin Stephenson <jstephen@redhat.com>

(cherry picked from commit 67c11c2ebae843f7ddd6b857efa2e1f6449986f3)

---

 src/providers/ad/ad_gpo.c | 3 ++-

 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c

index 27885ef8a..c6ea859fd 100644

--- a/src/providers/ad/ad_gpo.c

+++ b/src/providers/ad/ad_gpo.c

@@ -56,6 +56,7 @@

 #define AD_AT_DN "distinguishedName"

 #define AD_AT_UAC "userAccountControl"

+#define AD_AT_SAMACCOUNTNAME "sAMAccountName"

 #define AD_AT_CONFIG_NC "configurationNamingContext"

 #define AD_AT_GPLINK "gPLink"

 #define AD_AT_GPOPTIONS "gpOptions"

@@ -1882,7 +1883,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)

     filter = talloc_asprintf(state,

                              "(&(objectclass=%s)(%s=%s))",

                              state->opts->user_map[SDAP_OC_USER].name,

-                             state->opts->user_map[SDAP_AT_USER_NAME].name,

+                             AD_AT_SAMACCOUNTNAME,

                              sam_account_name);

     if (filter == NULL) {

         ret = ENOMEM;

-- 

2.41.0