From 6f31f43ee15bcb0933ddca8726b166a93f9371a9 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 1 Oct 2019 20:24:09 +0200
Subject: [PATCH] ad: add ad_allow_remote_domain_local_groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As the option name says if set to true Domain Local groups from remote domains won't be filtered out. This option is added to facilitate the migration from other solution and should only be used for this purpose.

Resolves: https://github.com/SSSD/sssd/issues/5346

Reviewed-by: Pavel Březina
(cherry picked with changes from commit 4f65a8d15b8e5f3dd613e789d68f38e60e0addc5)

Reviewed-by: Pavel Březina
---
 src/config/SSSDConfig/__init__.py.in | 1 +
 src/config/cfg_rules.ini | 1 +
 src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
 src/man/sssd-ad.5.xml | 49 ++++++++++++++++++++++++++
 src/providers/ad/ad_common.c | 3 ++
 src/providers/ad/ad_common.h | 1 +
 src/providers/ad/ad_opts.c | 1 +
 src/providers/ldap/sdap.h | 1 +
 src/providers/ldap/sdap_ad_groups.c | 3 +-
 9 files changed, 60 insertions(+), 1 deletion(-)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 1aa93f8cf..15ab632aa 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -250,6 +250,7 @@ option_strings = {
 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
 'ad_use_ldaps' : _('Use LDAPS port for LDAP and Global Catalog requests'),
+ 'ad_allow_remote_domain_local_groups' : _('Do not filter domain local groups from other domains'),

 # [provider/krb5]
 'krb5_kdcip' : _('Kerberos server address'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index e8ea13081..8f8ef30c3 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -459,6 +459,7 @@ option = ad_maximum_machine_account_password_age
 option = ad_server
 option = ad_site
 option = ad_use_ldaps
+option = ad_allow_remote_domain_local_groups

 # IPA provider specific options
 option = ipa_anchor_uuid
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index c53c08f37..74599a56d 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -21,6 +21,7 @@ ad_site = str, None, false
 ad_maximum_machine_account_password_age = int, None, false
 ad_machine_account_password_renewal_opts = str, None, false
 ad_use_ldaps = bool, None, false
+ad_allow_remote_domain_local_groups = bool, None, false
 ldap_uri = str, None, false
 ldap_backup_uri = str, None, false
 ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 6fc57ca21..839279bad 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -923,6 +923,55 @@ ad_gpo_map_deny = +my_pam_service + + ad_allow_remote_domain_local_groups (boolean) + + + If this option is set to true SSSD + will not filter out Domain Local groups from remote + domains in the AD forest. By default they are + filtered out e.g. when following a nested group + hierarchy in remote domains because they are not + valid in the local domain. To be compatible with + other solutions which make AD users and groups + available on Linux client this option was added. + + + Please note that setting this option to + true will be against the intention of + Domain Local group in Active Directory and + SHOULD ONLY BE USED TO FACILITATE + MIGRATION FROM OTHER SOLUTIONS. Although + the group exists and user can be member of the group + the intention is that the group should be only used + in the domain it is defined and in no others. Since + there is only one type of POSIX groups the only way + to achieve this on the Linux side is to ignore those + groups. This is also done by Active Directory as can + be seen in the PAC of the Kerberos ticket for a + local service or in tokenGroups requests where + remote Domain Local groups are missing as well. + + + Given the comments above, if this option is set to + true the tokenGroups request must be + disabled by setting + ldap_use_tokengroups to + false to get consistent + group-memberships of a users. Additionally the + Global Catalog lookup should be skipped as well by + setting ad_enable_gc to + false. Finally it might be necessary + to modify ldap_group_nesting_level if + the remote Domain Local groups can only be found + with a deeper nesting level. + + + Default: False + + + + dyndns_update (boolean)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 4e46da7f2..4e51d08e6 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1072,6 +1072,9 @@ ad_set_sdap_options(struct ad_options *ad_opts,
 keytab_path);
 }

+ id_opts->allow_remote_domain_local_groups = dp_opt_get_bool(ad_opts->basic,
+ AD_ALLOW_REMOTE_DOMAIN_LOCAL);
+
 ret = sdap_set_sasl_options(id_opts,
 dp_opt_get_string(ad_opts->basic,
 AD_HOSTNAME),
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 753394832..815b41419 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -69,6 +69,7 @@ enum ad_basic_opt {
 AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE,
 AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS,
 AD_USE_LDAPS,
+ AD_ALLOW_REMOTE_DOMAIN_LOCAL,
 AD_OPTS_BASIC /* opts counter */
 };

diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index f2596a935..950ea51ff 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -55,6 +55,7 @@ struct dp_option ad_basic_opts[] = {
 { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
 { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
 { "ad_use_ldaps", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ad_allow_remote_domain_local_groups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 DP_OPTION_TERMINATOR
 };

diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 0bf4fe12b..d9eff20ec 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -511,6 +511,7 @@ struct sdap_options {
 bool support_matching_rule;
 enum dc_functional_level dc_functional_level;
 const char *schema_basedn;
+ bool allow_remote_domain_local_groups;

 /* Certificate mapping support */
 struct sdap_certmap_ctx *sdap_certmap_ctx;
diff --git a/src/providers/ldap/sdap_ad_groups.c b/src/providers/ldap/sdap_ad_groups.c
index 0e36328b9..e8c6280d0 100644
--- a/src/providers/ldap/sdap_ad_groups.c
+++ b/src/providers/ldap/sdap_ad_groups.c
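Review bot: The new assignment of `id_opts->allow_remote_domain_local_groups` in ad_set_sdap_options copies the flag into the LDAP options without any sanity check, although the man page added by this same patch states that the option only yields consistent group memberships when `ldap_use_tokengroups` and `ad_enable_gc` are both set to false. A deployment that enables the flag but leaves those two at their defaults will get different group sets depending on which lookup path answered, and since group membership feeds authorization decisions that deserves a startup warning rather than a sentence the admin has to find in the man page. Right after the assignment I would test the flag together with the two companion options (their dp_option identifiers are outside this hunk) and, when the combination is inconsistent, emit a DEBUG() message at the level this file uses for configuration warnings, e.g. `"ad_allow_remote_domain_local_groups is set but ldap_use_tokengroups or ad_enable_gc is still enabled; group memberships will be inconsistent.\n"`. The rest of ad_set_sdap_options, including whether it also runs for subdomains, lies outside this hunk.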
@@ -38,7 +38,8 @@ errno_t sdap_check_ad_group_type(struct sss_domain_info *dom,
 errno_t ret = EOK;

 *_need_filter = false;
- if (opts->schema_type == SDAP_SCHEMA_AD) {
+ if (opts->schema_type == SDAP_SCHEMA_AD
+ && !opts->allow_remote_domain_local_groups) {
 ret = sysdb_attrs_get_int32_t(group_attrs, SYSDB_GROUP_TYPE,
 &ad_group_type);
 if (ret != EOK) {
-- 2.21.3
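Review bot: With the added `&& !opts->allow_remote_domain_local_groups` the whole group-type check is skipped, so every AD group leaves sdap_check_ad_group_type with `*_need_filter == false` and nothing at the check site records that the filter was bypassed, which makes a later "why does this user hold a group AD itself does not grant" investigation needlessly hard. Since the man page in this patch is explicit that AD omits these groups from the PAC and from tokenGroups, I would put a comment on the new condition, e.g. `/* Skipped only for migration setups (ad_allow_remote_domain_local_groups): remote Domain Local groups are then kept although AD does not grant them in the local domain. */`, and emit a trace-level debug line from an else branch so the bypass shows up in the logs when memberships are questioned. Only the condition is visible here; the body of sdap_check_ad_group_type that evaluates ad_group_type, and the function's end, are outside the hunk.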