From cc42fe7daece23c639ba8d147808f1c699d8b6ad Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Thu, 12 Sep 2019 14:45:08 +0200
Subject: [PATCH 95/97] ipa: ignore objects from disabled domains on the client
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It is possible that a domain is already disabled on an IPA client but still active on the server. This might happen e.g. if the version of SSSD running on the IPA server does not support disabled domains or if SSSD on the IPA client updates the domain data before the IPA server and sees a freshly disabled domain more early. As a result the server is still sending objects from disabled domains in the lists of group members or group memberships of a user. The client should just ignore those objects.

Related to https://pagure.io/SSSD/sssd/issue/4078

Reviewed-by: Pavel Březina
---
 src/providers/ipa/ipa_s2n_exop.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index b6efbcd34..f1d5768ae 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -637,10 +637,16 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,
 }
 
 if (domain != NULL) {
- obj_domain = find_domain_by_name(parent_domain, domain, true);
+ obj_domain = find_domain_by_name_ex(parent_domain, domain, true, SSS_GND_ALL_DOMAINS);
 if (obj_domain == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
 return ENOMEM;
+ } else if (sss_domain_get_state(obj_domain) == DOM_DISABLED) {
+ /* skipping objects from disabled domains */
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Skipping object [%s] from disabled domain.\n",
+ list[c]);
+ continue;
 }
 } else {
 obj_domain = parent_domain;
@@ -656,6 +662,7 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,
 gc++;
 }
 }
+ attrs->ngroups = gc;
 
 tag = ber_peek_tag(ber, &ber_len);
 DEBUG(SSSDBG_TRACE_ALL, "BER tag is [%d]\n", (int) tag);
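Review bot: The new `attrs->ngroups = gc;` after the loop carries no explanation, yet it is the line that keeps the first hunk's `continue` from leaving a group array with fewer filled slots than its advertised count; anyone later "cleaning up" the apparently redundant assignment would reintroduce reads of unfilled entries. I would document it: `/* Objects from disabled domains were skipped above, so the number of stored groups may be smaller than the number of names the server sent; record what was actually filled in. */`. Where ngroups was previously set is outside this hunk, so the exact consequence of dropping the line cannot be confirmed from here. Separately, the failure message `"find_domain_by_name failed.\n"` now describes `find_domain_by_name_ex`; worth aligning the string with the call when touching this path. add_v1_user_data starts before and ends after these hunks.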
@@ -1567,11 +1574,15 @@ static errno_t process_members(struct sss_domain_info *domain,
 parent_domain = get_domains_head(domain);
 
 for (c = 0; members[c] != NULL; c++) {
- obj_domain = find_domain_by_object_name(parent_domain, members[c]);
+ obj_domain = find_domain_by_object_name_ex(parent_domain, members[c],
+ false, SSS_GND_ALL_DOMAINS);
 if (obj_domain == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_object_name failed.\n");
 ret = ENOMEM;
 goto done;
+ } else if (sss_domain_get_state(obj_domain) == DOM_DISABLED) {
+ /* skip members from disabled domains */
+ continue;
 }
 
 ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], attrs,
-- 
2.20.1
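Review bot: A group member that resolves to a disabled domain is dropped here with no trace at all, unlike the user-data path in the same patch which logs the skipped name at SSSDBG_TRACE_ALL; a member silently vanishing from a group is exactly the kind of thing an admin will later try to debug from the logs. I would log it before the `continue`, e.g. `DEBUG(SSSDBG_TRACE_ALL, "Skipping member [%s] from disabled domain.\n", members[c]);`. The `continue` also bypasses the rest of the loop body, which lies outside this hunk, so it is worth confirming that nothing downstream (for instance any bookkeeping of members that could not be looked up) assumes every entry of members[] has been examined. process_members begins before and continues past this hunk.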