From 5ca331e80520035d7de2680cd2803fa508d15287 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 3 Apr 2017 21:27:32 +0200
Subject: [PATCH 116/118] ad: handle forest root not listed in
ad_enabled_domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Although users and groups from the forest root should be ignored SSSD
will still try to get information about the forest topology from a DC
from the forest root. So even if the forest root domain is disabled we
should makes sure it is usable for those searches.
Resolves https://pagure.io/SSSD/sssd/issue/3361
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit feeabf273aa7af580552366ce58655e6a482a0cd)
---
src/providers/ad/ad_subdomains.c | 39 ++++++++++++++++++++++++++++++++++++---
1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index bc659b2cb0a02723437d24d0021ec3592381e84c..ef166446e837c3f7cd824c1abf4b5cc587aec9da 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -433,6 +433,14 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
if (c >= num_subdomains) {
/* ok this subdomain does not exist anymore, let's clean up */
sss_domain_set_state(dom, DOM_DISABLED);
+
+ /* Just disable the forest root but do not remove sdap data */
+ if (sss_domain_is_forest_root(dom)) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Skipping removal of forest root sdap data.\n");
+ continue;
+ }
+
ret = sysdb_subdomain_delete(dom->sysdb, dom->name);
if (ret != EOK) {
goto done;
@@ -633,6 +641,7 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
const char *path;
errno_t ret;
bool canonicalize = false;
+ struct sss_domain_info *dom;
path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic,
AD_KRB5_CONFD_PATH);
@@ -675,6 +684,17 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
return ret;
}
+ /* Make sure disabled domains are not re-enabled accidentially */
+ if (subdoms_ctx->ad_enabled_domains != NULL) {
+ for (dom = subdoms_ctx->be_ctx->domain->subdomains; dom;
+ dom = get_next_domain(dom, false)) {
+ if (!is_domain_enabled(dom->name,
+ subdoms_ctx->ad_enabled_domains)) {
+ sss_domain_set_state(dom, DOM_DISABLED);
+ }
+ }
+ }
+
return EOK;
}
@@ -898,7 +918,7 @@ static errno_t ad_get_slave_domain_recv(struct tevent_req *req)
static struct sss_domain_info *
ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs)
{
- struct sss_domain_info *root;
+ struct sss_domain_info *dom;
const char *name;
errno_t ret;
@@ -909,9 +929,22 @@ ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs)
}
/* With a subsequent run, the root should already be known */
- root = find_domain_by_name(be_ctx->domain, name, false);
+ for (dom = be_ctx->domain; dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
- return root;
+ if (strcasecmp(dom->name, name) == 0) {
+ /* The forest root is special, although it might be disabled for
+ * general lookups we still want to try to get the domains in the
+ * forest from a DC of the forest root */
+ if (sss_domain_get_state(dom) == DOM_DISABLED
+ && !sss_domain_is_forest_root(dom)) {
+ return NULL;
+ }
+ return dom;
+ }
+ }
+
+ return NULL;
}
static struct ad_id_ctx *
--
2.9.3