authorJakub Hrozek <jhrozek@redhat.com>2014-03-05 11:50:54 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-03-11 18:49:20 +0100
commitfe2bbd629a72c786d6125066e5bb75005f4cccc7 (patch)
tree83e13c89399e8bacb93dea7f7b49ce450688bce5
parent43a6235e9a11431696972128c8f2e78ee8bc5739 (diff)
AD: Only connect to GC for subdomain users
https://fedorahosted.org/sssd/ticket/2251 By connecting to the GC for users from both the trusted domains and the parent domain, we lose the ability to download the shell and home directory when these are used with ID mapping. This patch changes only the user lookups; changing the logic for all lookups would break cross-domain group memberships, for example. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit bb8a08118db0916bf8252a9481c16271ec20acd3)
-rw-r--r--src/providers/ad/ad_id.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 87af656b3..a35823b4b 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -215,9 +215,26 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
struct sss_domain_info *dom, struct be_acct_req *ar)
{
struct sdap_id_conn_ctx **clist;
+ int cindex = 0;
switch (ar->entry_type & BE_REQ_TYPE_MASK) {
case BE_REQ_USER: /* user */
+ clist = talloc_zero_array(ad_ctx, struct sdap_id_conn_ctx *, 3);
+ if (clist == NULL) return NULL;
+
+ /* Try GC first for users from trusted domains */
+ if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)
+ && IS_SUBDOMAIN(dom)) {
+ clist[cindex] = ad_ctx->gc_ctx;
+ clist[cindex]->ignore_mark_offline = true;
+ cindex++;
+ }
+
+ /* Users from primary domain can be just downloaded from LDAP.
+ * The domain's LDAP connection also works as a fallback
+ */
+ clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom);
+ break;
case BE_REQ_BY_SECID: /* by SID */
case BE_REQ_USER_AND_GROUP: /* get SID */
case BE_REQ_GROUP: /* group */