ad initgroups: continue if resolved SID is still missing

https://fedorahosted.org/sssd/ticket/2389

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 983983dd1629ab33eab340a40d9ee83965a339c6)

1 files changed, 13 insertions, 6 deletions

diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index f52952d97..394a5b0e9 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -1219,13 +1219,20 @@ sdap_ad_tokengroups_update_posix_members(TALLOC_CTX *mem_ctx,
                 goto done;
             }
             num_valid_groups++;
-        } else if (ret == ENOENT && _missing != NULL) {
-            /* we need to download this group */
-            missing_sids[num_missing_sids] = talloc_steal(missing_sids, sid);
-            num_missing_sids++;
+        } else if (ret == ENOENT) {
+            if (_missing != NULL) {
+                /* we need to download this group */
+                missing_sids[num_missing_sids] = talloc_steal(missing_sids,
+                                                              sid);
+                num_missing_sids++;
+
+                DEBUG(SSSDBG_TRACE_FUNC, "Missing SID %s will be downloaded\n",
+                                          sid);
+            }
 
-            DEBUG(SSSDBG_TRACE_FUNC, "Missing SID %s will be downloaded\n",
-                                      sid);
+            /* else: We have downloaded missing groups but some of them may
+             * remained missing because they are outside of search base. We
+             * will just ignore them and continue with the next group. */
         } else {
             DEBUG(SSSDBG_MINOR_FAILURE, "Could not look up SID %s in sysdb: "
                                          "[%s]\n", sid, strerror(ret));