Blame SOURCES/0120-LDAP-AD-Do-not-fail-in-case-rfc2307bis_nested_groups.patch

From 428909abd59f1eb8bb02b6627f37f61af3de2691 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 1 May 2017 14:49:50 +0200
Subject: [PATCH 120/120] LDAP/AD: Do not fail in case
 rfc2307bis_nested_groups_recv() returns ENOENT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 25699846 introduced a regression seen when an initgroup lookup is
done and there's no nested groups involved.
In this scenario the whole lookup fails due to an ENOENT returned by
rfc2307bis_nested_groups_recv(), which leads to the user removal from
sysdb causing some authentication issues.
Resolves:
https://pagure.io/SSSD/sssd/issue/3331
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
 src/providers/ldap/sdap_async_initgroups_ad.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
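--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -1746,7 +1746,13 @@ static void sdap_ad_get_domain_local_groups_done(struct tevent_req *subreq)
 
     ret = rfc2307bis_nested_groups_recv(subreq);
     talloc_zfree(subreq);
-    if (ret != EOK) {
+    if (ret == ENOENT) {
+        /* In case of ENOENT we can just proceed without making
+         * sdap_get_initgr_user() fail because there's no nested
+         * groups for this user/group. */
+        ret = EOK;
+        goto done;
+    } else if (ret != EOK) {
         tevent_req_error(req, ret);
         return;
     }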
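Review bot: The new `ret == ENOENT` branch turns the error into success without logging anything, so a lookup that skipped domain-local group processing cannot later be told apart from one that ran it and found nothing. The resulting membership list presumably feeds group-based access decisions, so the fallback should be recorded, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "No nested groups found, continuing\n");` just before `ret = EOK;`. It is also worth confirming that rfc2307bis_nested_groups_recv() returns ENOENT only in the "no nested groups" case, because any other cause would now yield a silently incomplete group list. The `done` label and the rest of sdap_ad_get_domain_local_groups_done() are outside the hunk, so what the jump skips cannot be checked from here.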
-- 
2.9.3