From 6f31f43ee15bcb0933ddca8726b166a93f9371a9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 1 Oct 2019 20:24:09 +0200
Subject: [PATCH] ad: add ad_allow_remote_domain_local_groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As the option name says if set to true Domain Local groups from remote
domains won't be filtered out. This option is added to facilitate the
migration from other solution and should only be used for this purpose.
Resolves: https://github.com/SSSD/sssd/issues/5346
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked with changes from commit 4f65a8d15b8e5f3dd613e789d68f38e60e0addc5)
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
src/man/sssd-ad.5.xml | 49 ++++++++++++++++++++++++++
src/providers/ad/ad_common.c | 3 ++
src/providers/ad/ad_common.h | 1 +
src/providers/ad/ad_opts.c | 1 +
src/providers/ldap/sdap.h | 1 +
src/providers/ldap/sdap_ad_groups.c | 3 +-
9 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 1aa93f8cf..15ab632aa 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -250,6 +250,7 @@ option_strings = {
'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),
+ 'ad_allow_remote_domain_local_groups' : _('Do not filter domain local groups from other domains'),
# [provider/krb5]
'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index e8ea13081..8f8ef30c3 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -459,6 +459,7 @@ option = ad_maximum_machine_account_password_age
option = ad_server
option = ad_site
option = ad_use_ldaps
+option = ad_allow_remote_domain_local_groups
# IPA provider specific options
option = ipa_anchor_uuid
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index c53c08f37..74599a56d 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -21,6 +21,7 @@ ad_site = str, None, false
ad_maximum_machine_account_password_age = int, None, false
ad_machine_account_password_renewal_opts = str, None, false
ad_use_ldaps = bool, None, false
+ad_allow_remote_domain_local_groups = bool, None, false
ldap_uri = str, None, false
ldap_backup_uri = str, None, false
ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 6fc57ca21..839279bad 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -923,6 +923,55 @@ ad_gpo_map_deny = +my_pam_service
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>ad_allow_remote_domain_local_groups (boolean)</term>
+ <listitem>
+ <para>
+ If this option is set to <quote>true</quote> SSSD
+ will not filter out Domain Local groups from remote
+ domains in the AD forest. By default they are
+ filtered out e.g. when following a nested group
+ hierarchy in remote domains because they are not
+ valid in the local domain. To be compatible with
+ other solutions which make AD users and groups
+ available on Linux client this option was added.
+ </para>
+ <para>
+ Please note that setting this option to
+ <quote>true</quote> will be against the intention of
+ Domain Local group in Active Directory and
+ <emphasis>SHOULD ONLY BE USED TO FACILITATE
+ MIGRATION FROM OTHER SOLUTIONS</emphasis>. Although
+ the group exists and user can be member of the group
+ the intention is that the group should be only used
+ in the domain it is defined and in no others. Since
+ there is only one type of POSIX groups the only way
+ to achieve this on the Linux side is to ignore those
+ groups. This is also done by Active Directory as can
+ be seen in the PAC of the Kerberos ticket for a
+ local service or in tokenGroups requests where
+ remote Domain Local groups are missing as well.
+ </para>
+ <para>
+ Given the comments above, if this option is set to
+ <quote>true</quote> the tokenGroups request must be
+ disabled by setting
+ <quote>ldap_use_tokengroups</quote> to
+ <quote>false</quote> to get consistent
+ group-memberships of a users. Additionally the
+ Global Catalog lookup should be skipped as well by
+ setting <quote>ad_enable_gc</quote> to
+ <quote>false</quote>. Finally it might be necessary
+ to modify <quote>ldap_group_nesting_level</quote> if
+ the remote Domain Local groups can only be found
+ with a deeper nesting level.
+ </para>
+ <para>
+ Default: False
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>dyndns_update (boolean)</term>
<listitem>
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 4e46da7f2..4e51d08e6 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1072,6 +1072,9 @@ ad_set_sdap_options(struct ad_options *ad_opts,
keytab_path);
}
+ id_opts->allow_remote_domain_local_groups = dp_opt_get_bool(ad_opts->basic,
+ AD_ALLOW_REMOTE_DOMAIN_LOCAL);
+
ret = sdap_set_sasl_options(id_opts,
dp_opt_get_string(ad_opts->basic,
AD_HOSTNAME),
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 753394832..815b41419 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -69,6 +69,7 @@ enum ad_basic_opt {
AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
AD_USE_LDAPS,
+ AD_ALLOW_REMOTE_DOMAIN_LOCAL,
AD_OPTS_BASIC /* opts counter */
};
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index f2596a935..950ea51ff 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -55,6 +55,7 @@ struct dp_option ad_basic_opts[] = {
{ "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
{ "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
{ "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ad_allow_remote_domain_local_groups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 0bf4fe12b..d9eff20ec 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -511,6 +511,7 @@ struct sdap_options {
bool support_matching_rule;
enum dc_functional_level dc_functional_level;
const char *schema_basedn;
+ bool allow_remote_domain_local_groups;
/* Certificate mapping support */
struct sdap_certmap_ctx *sdap_certmap_ctx;
diff --git a/src/providers/ldap/sdap_ad_groups.c b/src/providers/ldap/sdap_ad_groups.c
index 0e36328b9..e8c6280d0 100644
--- a/src/providers/ldap/sdap_ad_groups.c
+++ b/src/providers/ldap/sdap_ad_groups.c
@@ -38,7 +38,8 @@ errno_t sdap_check_ad_group_type(struct sss_domain_info *dom,
errno_t ret = EOK;
*_need_filter = false;
- if (opts->schema_type == SDAP_SCHEMA_AD) {
+ if (opts->schema_type == SDAP_SCHEMA_AD
+ && !opts->allow_remote_domain_local_groups) {
ret = sysdb_attrs_get_int32_t(group_attrs, SYSDB_GROUP_TYPE,
&ad_group_type);
if (ret != EOK) {
--
2.21.3