From 75da39f57ba0223be9bd9906cd3ed902623aed10 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 18 Dec 2017 20:30:04 +0100
Subject: [PATCH 94/96] SDAP: skip builtin AD groups in sdap_save_grpmem()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

While processing group memberships SSSD might accidentally save builtin or other well known AD groups. With this patch those groups are skipped similar as e.g. in sdap_save_group().

Resolves: https://pagure.io/SSSD/sssd/issue/3610

Reviewed-by: Fabiano FidĂȘncio
(cherry picked from commit c36a66b7fb77cff29400c751b363a342923e122e)
---
 src/providers/ldap/sdap_async_groups.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index b1cfb7e4a4c054e5d365da5fca65da27c9ef5461..bbe6f1386eadbe4eb7b47bea9e5a6bb8ff4ee8eb 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -880,6 +880,8 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
 int ret;
 const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST, NULL};
+ const char *check_dom;
+ const char *check_name;
 if (dom->ignore_group_members) {
 DEBUG(SSSDBG_CRIT_FAILURE,
@@ -905,6 +907,15 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
 group_dom = sss_get_domain_by_sid_ldap_fallback(get_domains_head(dom), group_sid);
 if (group_dom == NULL) {
+ ret = well_known_sid_to_name(group_sid, &check_dom, &check_name);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Skipping group with SID [%s][%s\\%s] which is "
+ "currently not handled by SSSD.\n",
+ group_sid, check_dom, check_name);
+ return EOK;
+ }
+
 DEBUG(SSSDBG_TRACE_FUNC, "SID [%s] does not belong to any known "
 "domain, using [%s].\n", group_sid, dom->name);
-- 
2.14.3
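Review bot: The new early return in the second hunk does not record why a well-known SID that matches no SSSD domain is dropped rather than falling back to `dom` as the following DEBUG line does for other unknown SIDs; a comment above the `well_known_sid_to_name()` call such as `/* Well-known SIDs (e.g. BUILTIN) have no SSSD domain; skip them as sdap_save_group() does instead of storing them under the fallback domain. */` would save the next reader a trip to the issue tracker. The skipped group is reported with `EOK`, so the caller cannot distinguish a skipped membership from a saved one; if that distinction matters to a caller, it deserves a sentence in the function's header comment. The check runs only inside `if (group_dom == NULL)`, so a well-known SID that does resolve to a known domain is still processed, which looks intended but is worth stating in the same comment. sdap_save_grpmem's body begins before the first hunk and continues past the second.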