From 61964561654d86e1ba2179fc0afd7f93cafbc6ab Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 28 Apr 2015 20:59:43 +0200
Subject: [PATCH 214/214] IPA: search for overrides during initgroups in server
 mode

After the group memberships of a user from a trusted domain are read it
must be checked if there are overrides for the discovered groups to be
able to return the right gid or name to the caller.

Related to https://fedorahosted.org/sssd/ticket/2633

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2263c6dd1242c92253240f4998c86a04b6a0ca3a)
(cherry picked from commit eaf656843831d579f30f94154d88aba2201c1712)
---
 src/providers/ipa/ipa_subdomains_id.c | 69 +++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 1020c8a0b9209fc7404c32963ad5622fc6958d6b..ffe2b18e8dda2137d2ebbfdb780c908eabcd4708 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -558,6 +558,8 @@ struct ipa_get_ad_acct_state {
 static void ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq);
 static void ipa_get_ad_override_done(struct tevent_req *subreq);
 static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req);
+static errno_t ipa_get_ad_ipa_membership_step(struct tevent_req *req);
+static void ipa_id_get_groups_overrides_done(struct tevent_req *subreq);
 static void ipa_get_ad_acct_done(struct tevent_req *subreq);
 static struct ad_id_ctx *ipa_get_ad_id_ctx(struct ipa_id_ctx *ipa_ctx,
                                            struct sss_domain_info *dom);
@@ -1112,6 +1114,9 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
     struct tevent_req *subreq;
     const char *obj_name;
     int entry_type;
+    size_t groups_count = 0;
+    struct ldb_message **groups = NULL;
+    const char *attrs[] = SYSDB_INITGR_ATTRS;
 
     if (state->override_attrs != NULL) {
         /* We are in ipa-server-mode, so the view is the default view by
@@ -1166,6 +1171,70 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
         state->ar->entry_type = BE_REQ_USER;
     }
 
+    /* Lookup all groups the user is a member of which do not have ORIGINALAD
+     * attributes set, i.e. where overrides might not have been applied. */
+    ret = sysdb_asq_search(state, state->obj_dom, state->obj_msg->dn,
+                          "(&("SYSDB_GC")("SYSDB_GIDNUM"=*)" \
+                            "(!("ORIGINALAD_PREFIX SYSDB_GIDNUM"=*))" \
+                            "(!("ORIGINALAD_PREFIX SYSDB_NAME"=*)))",
+                          SYSDB_INITGR_ATTR,
+                          attrs, &groups_count, &groups);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_groups_without_orig failed.\n");
+        return ret;
+    }
+
+    if (groups != NULL) {
+        subreq = ipa_initgr_get_overrides_send(state, state->ev, state->ipa_ctx,
+                                               state->obj_dom, groups_count,
+                                               groups, SYSDB_SID_STR);
+        if (subreq == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE, "ipa_initgr_get_overrides_send failed.\n");
+            return ENOMEM;
+        }
+        tevent_req_set_callback(subreq, ipa_id_get_groups_overrides_done, req);
+        return EOK;
+    }
+
+    ret = ipa_get_ad_ipa_membership_step(req);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_ipa_membership_step failed.\n");
+        return ret;
+    }
+
+    return EOK;
+}
+
+static void ipa_id_get_groups_overrides_done(struct tevent_req *subreq)
+{
+    struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                struct tevent_req);
+    errno_t ret;
+
+    ret = ipa_initgr_get_overrides_recv(subreq, NULL);
+    talloc_zfree(subreq);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "IPA resolve user groups overrides failed [%d].\n", ret);
+        tevent_req_error(req, ret);
+        return;
+    }
+
+    ret = ipa_get_ad_ipa_membership_step(req);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_ipa_membership_step failed.\n");
+        tevent_req_error(req, ret);
+        return;
+    }
+
+    return;
+}
+
+static errno_t ipa_get_ad_ipa_membership_step(struct tevent_req *req)
+{
+    struct ipa_get_ad_acct_state *state = tevent_req_data(req,
+                                                struct ipa_get_ad_acct_state);
+    struct tevent_req *subreq;
 
     /* For initgroups request we have to check IPA group memberships of AD
      * users. This has to be done for other user-request as well to make sure
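Review bot: The error message on the sysdb_asq_search failure path names a function that is not called anywhere in this hunk, `"ipa_get_ad_groups_without_orig failed.\n"`, which points anyone reading the log at the wrong call; it should name the call that actually failed and carry the code, e.g. `DEBUG(SSSDBG_OP_FAILURE, "sysdb_asq_search failed [%d].\n", ret);`. A smaller point is that the decision to send the overrides subrequest keys on `groups != NULL` rather than on `groups_count`, so an empty result returned as a non-NULL zero-length array would still start ipa_initgr_get_overrides_send with nothing to look up, while the count and the pointer are never tied together here; `if (groups_count > 0) {` states the intent directly and is robust to either representation. The cleanup of `groups` appears to be left to the `state` talloc context, which is fine as long as it is documented, e.g. `/* groups is owned by state and freed with the request */`. ipa_get_ad_apply_override_step begins before this hunk and ipa_get_ad_ipa_membership_step continues past its end, so their remaining control flow is not visible here.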
-- 
2.4.3