simple provider: Don't treat primary GID lookup failures as fatal

1 files changed, 19 insertions, 13 deletions

diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
index a54bad000..e2fc0755c 100644
--- a/src/providers/simple/simple_access.c
+++ b/src/providers/simple/simple_access.c
@@ -158,22 +158,28 @@ errno_t simple_access_check(struct simple_ctx *ctx, const char *username,
     if (ret != EOK) {
         DEBUG(1, ("Could not look up primary group [%lu]: [%d][%s]\n",
                   gid, ret, strerror(ret)));
-        goto done;
-    }
+        /* We have to treat this as non-fatal, because the primary
+         * group may be local to the machine and not available in
+         * our ID provider.
+         */
+    } else {
+        primary_group = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+        if (!primary_group) {
+            ret = EINVAL;
+            goto done;
+        }
 
-    primary_group = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
-    if (!primary_group) {
-        ret = EINVAL;
-        goto done;
-    }
+        groups[j] = talloc_strdup(tmp_ctx, primary_group);
+        if (!groups[j]) {
+            ret = ENOMEM;
+            goto done;
+        }
+        j++;
 
-    groups[j] = talloc_strdup(tmp_ctx, primary_group);
-    if (!groups[j]) {
-        ret = ENOMEM;
-        goto done;
+        talloc_zfree(msg);
     }
-    groups[j+1] = NULL;
-    talloc_zfree(msg);
+
+    groups[j] = NULL;
 
     /* Now process allow and deny group rules
      * If access was already granted above, we'll skip