From cc42fe7daece23c639ba8d147808f1c699d8b6ad Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 12 Sep 2019 14:45:08 +0200
Subject: [PATCH 95/97] ipa: ignore objects from disabled domains on the client
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It is possible that a domain is already disabled on an IPA client but
still active on the server. This might happen e.g. if the version of
SSSD running on the IPA server does not support disabled domains, or if
SSSD on the IPA client updates the domain data before the IPA server does
and therefore sees a freshly disabled domain earlier.

As a result the server is still sending objects from disabled domains in
the lists of group members or group memberships of a user. The client
should just ignore those objects.

Related to https://pagure.io/SSSD/sssd/issue/4078

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/providers/ipa/ipa_s2n_exop.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index b6efbcd34..f1d5768ae 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -637,10 +637,16 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,
             }
 
             if (domain != NULL) {
-                obj_domain = find_domain_by_name(parent_domain, domain, true);
+                obj_domain = find_domain_by_name_ex(parent_domain, domain, true, SSS_GND_ALL_DOMAINS);
                 if (obj_domain == NULL) {
                     DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
                     return ENOMEM;
+                } else if (sss_domain_get_state(obj_domain) == DOM_DISABLED) {
+                    /* skipping objects from disabled domains */
+                    DEBUG(SSSDBG_TRACE_ALL,
+                          "Skipping object [%s] from disabled domain.\n",
+                          list[c]);
+                    continue;
                 }
             } else {
                 obj_domain = parent_domain;
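Review bot: The failure message kept on the line after the new `find_domain_by_name_ex()` call still names the old function, so a log reader will grep for a call that no longer exists at this site; change it to `DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name_ex failed.\n");`. The same stale message remains in the process_members hunk below, where `find_domain_by_object_name_ex()` is now called but "find_domain_by_object_name failed." is logged. The `else if` branch also follows a `return`, so the `else` is redundant and a plain `if` would read more simply. The `continue` appears to rely on the later `gc++` not running for skipped entries, which is why the second hunk has to store `gc` into `attrs->ngroups`; a short comment at the `continue` saying that skipped objects are not counted would make that coupling visible. add_v1_user_data begins before and continues past this hunk.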
@@ -656,6 +662,7 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,
             gc++;
         }
     }
+    attrs->ngroups = gc;
 
     tag = ber_peek_tag(ber, &ber_len);
     DEBUG(SSSDBG_TRACE_ALL, "BER tag is [%d]\n", (int) tag);
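Review bot: The new `attrs->ngroups = gc;` assignment is not explained by the commit message, and its purpose is only clear after reading the skip added earlier in the same function; add a comment such as `/* gc is the number of groups actually stored; it can be smaller than the list length when objects from disabled domains were skipped */`. If every entry was skipped, gc is presumably 0 while the groups array may still have been allocated for the full list; whether consumers of attrs handle ngroups == 0 with a non-NULL array cannot be seen from this hunk and is worth confirming. add_v1_user_data begins before and continues past this hunk.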
@@ -1567,11 +1574,15 @@ static errno_t process_members(struct sss_domain_info *domain,
     parent_domain = get_domains_head(domain);
 
     for (c = 0; members[c] != NULL; c++) {
-        obj_domain = find_domain_by_object_name(parent_domain, members[c]);
+        obj_domain = find_domain_by_object_name_ex(parent_domain, members[c],
+                                                   false, SSS_GND_ALL_DOMAINS);
         if (obj_domain == NULL) {
             DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_object_name failed.\n");
             ret = ENOMEM;
             goto done;
+        } else if (sss_domain_get_state(obj_domain) == DOM_DISABLED) {
+            /* skip members from disabled domains */
+            continue;
         }
 
         ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], attrs,
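Review bot: The new `continue` for members of a disabled domain is silent, unlike the equivalent skip added in add_v1_user_data, which logs the skipped object at SSSDBG_TRACE_ALL; members dropped from a group without any trace are hard to diagnose when a membership unexpectedly vanishes on the client. Add the same trace before the `continue`: `DEBUG(SSSDBG_TRACE_ALL, "Skipping member [%s] from disabled domain.\n", members[c]);`. As in the first hunk, the `else` after `goto done` is redundant. process_members begins before and continues past this hunk.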
-- 
2.20.1