From 4517ac5121054f0f14dbcb977f0844d49817f4b8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 28 Jan 2015 14:04:45 +0100
Subject: [PATCH 187/188] AD: use GC for SID requests as well
If a universal group is looked up by SID the cross-domain members must
be resolved with the help of the Global Catalog.
Related to https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 561ed2fd03bab04cfdddbc09c4b48563c9d9b87e)
---
src/providers/ipa/ipa_subdomains_id.c | 1 +
src/providers/ldap/ldap_id.c | 38 ++++++++++++++++++++++++++---------
2 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index c8714a216daff7506f00248e25c281529d0479c4..0508e14b690c144f4bace9ed14a326ac724eb910 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -603,6 +603,7 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
*/
switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
case BE_REQ_INITGROUPS:
+ case BE_REQ_BY_SECID:
case BE_REQ_GROUP:
clist = ad_gc_conn_list(req, ad_id_ctx, state->obj_dom);
if (clist == NULL) {
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 2e58f4e49eb33a85cbb8b4144c69004c6b5b312b..5ce462d77867f115fe5c0214fcb95b72a4370472 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -33,6 +33,7 @@
#include "providers/ldap/sdap_async.h"
#include "providers/ldap/sdap_idmap.h"
#include "providers/ldap/sdap_users.h"
+#include "providers/ad/ad_common.h"
/* =Users-Related-Functions-(by-name,by-uid)============================== */
@@ -1745,6 +1746,8 @@ static void get_user_and_group_groups_done(struct tevent_req *subreq)
struct get_user_and_group_state *state = tevent_req_data(req,
struct get_user_and_group_state);
int ret;
+ struct ad_id_ctx *ad_id_ctx;
+ struct sdap_id_conn_ctx *user_conn;
ret = groups_get_recv(subreq, &state->dp_error, &state->sdap_ret);
talloc_zfree(subreq);
@@ -1764,8 +1767,22 @@ static void get_user_and_group_groups_done(struct tevent_req *subreq)
/* Now the search finished fine but did not find an entry.
* Retry with users. */
+
+ user_conn = state->conn;
+ /* Prefer LDAP over GC for users */
+ if (state->id_ctx->opts->schema_type == SDAP_SCHEMA_AD
+ && state->sdom->pvt != NULL) {
+ ad_id_ctx = talloc_get_type(state->sdom->pvt, struct ad_id_ctx);
+ if (ad_id_ctx != NULL && ad_id_ctx->ldap_ctx != NULL
+ && state->conn == ad_id_ctx->gc_ctx) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Switching to LDAP connection for user lookup.\n");
+ user_conn = ad_id_ctx->ldap_ctx;
+ }
+ }
+
subreq = users_get_send(req, state->ev, state->id_ctx,
- state->sdom, state->conn,
+ state->sdom, user_conn,
state->filter_val, state->filter_type, NULL,
state->attrs_type, state->noexist_delete);
if (subreq == NULL) {
@@ -1792,16 +1809,17 @@ static void get_user_and_group_users_done(struct tevent_req *subreq)
tevent_req_error(req, ret);
return;
}
-
if (state->sdap_ret == ENOENT) {
- /* The search ran to completion, but nothing was found.
- * Delete the existing entry, if any. */
- ret = sysdb_delete_by_sid(state->sysdb, state->domain,
- state->filter_val);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not delete entry by SID!\n");
- tevent_req_error(req, ret);
- return;
+ if (state->noexist_delete == true) {
+ /* The search ran to completion, but nothing was found.
+ * Delete the existing entry, if any. */
+ ret = sysdb_delete_by_sid(state->sysdb, state->domain,
+ state->filter_val);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not delete entry by SID!\n");
+ tevent_req_error(req, ret);
+ return;
+ }
}
} else if (state->sdap_ret != EOK) {
tevent_req_error(req, EIO);
--
2.1.0