From bea6b6c6bcf711e0d96a4263f60e0e1b0a64c45f Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Mon, 13 Apr 2015 09:50:29 +0200
Subject: [PATCH 200/200] SDAP: Filter ad groups in initgroups
Function sdap_add_incomplete_groups stored domain local groups from subdomain as POSIX group, which should not be done.
Resolves: https://fedorahosted.org/sssd/ticket/2614
Reviewed-by: Jakub Hrozek
(cherry picked from commit b9fbeb75e7a4f50f98d979a70a710f9221892483)
---
 src/providers/ldap/sdap_async_initgroups.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index bc6b5e45e6a7f7dc0c482a6bbbf2aa602371a647..43b72fe2051b452c6ea755c8842117cceafa143a 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -51,6 +51,7 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
 time_t now;
 char *sid_str = NULL;
 bool use_id_mapping;
+ bool need_filter;
 char *tmp_name;
 /* There are no groups in LDAP but we should add user to groups ?? */
@@ -205,6 +206,17 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
 uuid = NULL;
 }
+ ret = sdap_check_ad_group_type(domain, opts, ldap_groups[ai], groupname, &need_filter);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (need_filter) {
+ posix = false;
+ gid = 0;
+ }
+
 DEBUG(SSSDBG_TRACE_INTERNAL, "Adding fake group %s to sysdb\n", groupname);
 ret = sysdb_add_incomplete_group(domain, groupname, gid,
-- 
2.1.0
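Review bot: `need_filter` is declared without an initializer in the first hunk (`bool need_filter;`) and is only assigned through the out-parameter of `sdap_check_ad_group_type()` in the second; if that helper can return EOK on a path that leaves the out-parameter untouched (not visible here), the `if (need_filter)` test reads an uninitialized bool, so the declaration should be `bool need_filter = false;`. Since the point of the change is that a domain-local group from a trusted subdomain must not be stored as a POSIX group, the `posix = false; gid = 0;` block deserves a comment saying so, e.g. `/* Domain-local groups from a subdomain are not POSIX groups for this domain; store them as non-POSIX with no GID. */`. The body of sdap_add_incomplete_groups, including where gid and posix are computed before this point, lies outside both hunks.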