diff options
author | Lukas Slebodnik <lslebodn@redhat.com> | 2014-12-12 13:07:55 -0500 |
---|---|---|
committer | Sumit Bose <sbose@redhat.com> | 2014-12-17 16:52:37 +0100 |
commit | 8f9d7684a47cd4715dce22c8254ddde205db9afe (patch) | |
tree | 229127d6fabaaa7b7728bfc943363a2e07228d1a | |
parent | ad463501d3bdea4c24c17d792efc1c3e65c08c19 (diff) | |
download | sssd-8f9d7684a47cd4715dce22c8254ddde205db9afe.tar.gz sssd-8f9d7684a47cd4715dce22c8254ddde205db9afe.tar.xz sssd-8f9d7684a47cd4715dce22c8254ddde205db9afe.zip |
IPA: properly handle groups from different domains
When groups are resolved on IPA clients as part of a user lookup not all
groups have to be from the same domain as the used. This has to be
checked to store the group object properly in the cache.
Related to https://fedorahosted.org/sssd/ticket/2529
and https://fedorahosted.org/sssd/ticket/2524
Reviewed-by: Sumit Bose <sbose@redhat.com>
-rw-r--r-- | src/providers/ipa/ipa_s2n_exop.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c index 677d16258..6d5b45edf 100644 --- a/src/providers/ipa/ipa_s2n_exop.c +++ b/src/providers/ipa/ipa_s2n_exop.c @@ -1867,10 +1867,24 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, case RESP_GROUP_MEMBERS: type = SYSDB_MEMBER_GROUP; + if (0 != strcmp(dom->name, attrs->domain_name)) { + dom = find_domain_by_name(get_domains_head(dom), + attrs->domain_name, true); + if (dom == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot find domain: [%s]\n", attrs->domain_name); + ret = EINVAL; + goto done; + } + } + if (name == NULL) { + name = attrs->a.group.gr_name; + } + + if (IS_SUBDOMAIN(dom)) { /* we always use the fully qualified name for subdomain users */ - name = sss_tc_fqname(tmp_ctx, dom->names, dom, - attrs->a.group.gr_name); + name = sss_tc_fqname(tmp_ctx, dom->names, dom, name); if (!name) { DEBUG(SSSDBG_OP_FAILURE, "failed to format user name,\n"); ret = ENOMEM; |