Blame SOURCES/0190-ad_account_can_shortcut-shortcut-if-ID-is-unknown.patch

From 55e8b436443cfae1c3b2155be7325d53760f7271 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 20 Jul 2017 20:01:14 +0200
Subject: [PATCH 190/190] ad_account_can_shortcut: shortcut if ID is unknown
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If sss_idmap_unix_to_sid() returns an error we can assume that the given
POSIX ID is not from the current domain and can be skipped. This is e.g.
the case in the IPA provider if a POSIX ID used in the IPA domain is
checked in a trusted id-mapped AD domain before the IPA domain is
checked.
Resolves https://pagure.io/SSSD/sssd/issue/3452
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/providers/ad/ad_id.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index d1f6c444f5ddbcbbac6ff7f41fb6c8bf9ca976cb..e14ada386f16851a65097952c85e57b7acda14aa 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -86,6 +86,8 @@ static bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx,
         if (err != IDMAP_SUCCESS) {
             DEBUG(SSSDBG_MINOR_FAILURE, "Mapping ID [%s] to SID failed: "
                   "[%s]\n", filter_value, idmap_error_string(err));
+            /* assume id is from a different domain */
+            shortcut = true;
             goto done;
         }
         /* fall through */
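Review bot: The added `shortcut = true;` sits inside the `err != IDMAP_SUCCESS` branch, so every failure of the ID-to-SID mapping is treated as "ID is from a different domain", not only the out-of-range case the commit message describes. An allocation or context error would then also skip the lookup in this domain, and a valid ID could be reported as not found. Consider setting the shortcut only for the error codes that mean the ID lies outside this domain's ranges (for example `IDMAP_NO_RANGE`) and leaving other errors on the existing path. The DEBUG text "Mapping ID [%s] to SID failed" could also state that the domain is being skipped, since this is now an expected outcome rather than a failure.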
-- 
2.9.4