
From 5ca331e80520035d7de2680cd2803fa508d15287 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 3 Apr 2017 21:27:32 +0200
Subject: [PATCH 116/118] ad: handle forest root not listed in
 ad_enabled_domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Although users and groups from the forest root should be ignored SSSD
will still try to get information about the forest topology from a DC
from the forest root. So even if the forest root domain is disabled we
should make sure it is usable for those searches.
Resolves https://pagure.io/SSSD/sssd/issue/3361
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit feeabf273aa7af580552366ce58655e6a482a0cd)
---
 src/providers/ad/ad_subdomains.c | 39 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index bc659b2cb0a02723437d24d0021ec3592381e84c..ef166446e837c3f7cd824c1abf4b5cc587aec9da 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -433,6 +433,14 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
         if (c >= num_subdomains) {
             /* ok this subdomain does not exist anymore, let's clean up */
             sss_domain_set_state(dom, DOM_DISABLED);
+
+            /* Just disable the forest root but do not remove sdap data */
+            if (sss_domain_is_forest_root(dom)) {
+                DEBUG(SSSDBG_TRACE_ALL,
+                      "Skipping removal of forest root sdap data.\n");
+                continue;
+            }
+
             ret = sysdb_subdomain_delete(dom->sysdb, dom->name);
             if (ret != EOK) {
                 goto done;
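Review bot: The `continue` added after the forest-root check leaves the loop iteration before `sysdb_subdomain_delete()` and before anything that follows it in the body, of which only the delete and its error check are visible here; confirm that nothing later in the iteration still has to run for a forest root that is disabled but kept, since the enclosing loop header and the rest of its body are outside the hunk. If that loop advances `dom` in its body rather than in a for-increment, the `continue` would also revisit the same domain indefinitely. A short comment on why the state is set before the early exit would make the intent clear, e.g. `/* Mark the root disabled first so it is ignored for user/group lookups, then keep its sdap data for forest-topology searches */`.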
@@ -633,6 +641,7 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
     const char *path;
     errno_t ret;
     bool canonicalize = false;
+    struct sss_domain_info *dom;
 
     path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic,
                              AD_KRB5_CONFD_PATH);
@@ -675,6 +684,17 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
         return ret;
     }
 
+    /* Make sure disabled domains are not re-enabled accidentially */
+    if (subdoms_ctx->ad_enabled_domains != NULL) {
+        for (dom = subdoms_ctx->be_ctx->domain->subdomains; dom;
+                                            dom = get_next_domain(dom, false)) {
+            if (!is_domain_enabled(dom->name,
+                                   subdoms_ctx->ad_enabled_domains)) {
+                sss_domain_set_state(dom, DOM_DISABLED);
+            }
+        }
+    }
+
     return EOK;
 }
 
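Review bot: The iterator call `dom = get_next_domain(dom, false)` passes a bool where the other loop added by this patch in ads_get_root_domain passes the `SSS_GND_ALL_DOMAINS` flag, so the second argument appears to be a flags word and `false` reads as an accidental zero; writing it as `0` (or the flag value that expresses the intended "do not descend, skip already-disabled domains" behaviour, if that is what zero means — confirm) and using the same spelling in both loops would make the allow-list enforcement easier to audit. The new block's comment has a typo and describes the effect loosely; suggest `/* Domains not listed in ad_enabled_domains must stay disabled after re-init */`. ad_subdom_reinit starts outside this hunk, so the earlier error paths that `return ret` are not visible here.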
@@ -898,7 +918,7 @@ static errno_t ad_get_slave_domain_recv(struct tevent_req *req)
 static struct sss_domain_info *
 ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs)
 {
-    struct sss_domain_info *root;
+    struct sss_domain_info *dom;
     const char *name;
     errno_t ret;
 
@@ -909,9 +929,22 @@ ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs)
     }
 
     /* With a subsequent run, the root should already be known */
-    root = find_domain_by_name(be_ctx->domain, name, false);
+    for (dom = be_ctx->domain; dom != NULL;
+         dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
 
-    return root;
+        if (strcasecmp(dom->name, name) == 0) {
+            /* The forest root is special, although it might be disabled for
+             * general lookups we still want to try to get the domains in the
+             * forest from a DC of the forest root */
+            if (sss_domain_get_state(dom) == DOM_DISABLED
+                    && !sss_domain_is_forest_root(dom)) {
+                return NULL;
+            }
+            return dom;
+        }
+    }
+
+    return NULL;
 }
 
 static struct ad_id_ctx *
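Review bot: The rewritten lookup can now hand back a forest root whose state is `DOM_DISABLED`, a result the previous `find_domain_by_name()` call presumably never produced, yet nothing at the function tells callers that the returned domain is only fit for forest-topology searches and not for user or group resolution. The inline comment at the `sss_domain_is_forest_root(dom)` check explains the exception locally, but the contract belongs on the function itself; its signature sits in the preceding hunk, so the comment would go there: `/* Look up the forest root by name. The root is returned even when it is DOM_DISABLED, so the result may only be used to query the forest topology, never for identity lookups. */`. It would also help to state in that comment that `NULL` now covers both "no such domain" and "matching non-root domain is disabled", since the two cases are indistinguishable to the caller.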
-- 
2.9.3