From c9c2b60128b7faa29615123de79ed206491396a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 30 May 2019 10:48:07 +0200
Subject: [PATCH 38/44] ad: remove subdomain that has been disabled through
 ad_enabled_domains from sysdb

If a previously enabled subdomain was disabled by removing it from the ad_enabled_domains
option in sssd.conf, its cached content (including the domain object itself)
was kept in sysdb. Therefore, even though the domain was effectively disabled in the
backend, its cached data was still available in responders.

Subdomains that are disabled on the server side are correctly removed from sysdb in
`ad_subdomains_refresh()`, so this issue is related only to the configuration
option.

Resolves:
https://pagure.io/SSSD/sssd/issue/4009

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 815957cd10a82aca6742b0bd56c7e7f199596cd4)
---
 src/providers/ad/ad_subdomains.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index b4e09fb7e..a3906e994 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -825,6 +825,15 @@ static errno_t ad_subdomains_process(TALLOC_CTX *mem_ctx,
 
         if (is_domain_enabled(sd_name, enabled_domains_list) == false) {
             DEBUG(SSSDBG_TRACE_FUNC, "Disabling subdomain %s\n", sd_name);
+
+            /* The subdomain is now disabled in configuraiton file, we
+             * need to delete its cached content so it is not returned
+             * by responders. The subdomain shares sysdb with its parent
+             * domain so it is OK to use domain->sysdb. */
+            ret = sysdb_subdomain_delete(domain->sysdb, sd_name);
+            if (ret != EOK) {
+                goto fail;
+            }
             continue;
         } else {
             DEBUG(SSSDBG_TRACE_FUNC, "Enabling subdomain %s\n", sd_name);
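Review bot: the new `sysdb_subdomain_delete()` error path jumps straight to `fail` without logging anything, so a failed delete of a disabled subdomain's cached data aborts the whole subdomain processing pass silently; please add a `DEBUG(SSSDBG_OP_FAILURE, ...)` line carrying `sd_name` and `sss_strerror(ret)` before the `goto fail`, and state in the commit message (or the comment) that failing the entire refresh, rather than logging and continuing to the next subdomain, is the intended behaviour, since the visible branch only traces "Disabling subdomain". Minor: the added comment has a typo, "configuraiton" should read "configuration".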
-- 
2.20.1