authorSumit Bose <sbose@redhat.com>2012-11-26 13:50:48 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-01-08 14:57:29 +0100
commitb99b8e47237e12c13f86ebe333a1426e8fc3d231 (patch)
tree17fa0f373657042e70e8d80f9537c3a96fa0a0ff
parent1e21d1079f372c390f4d8d14e4c94afaf5a00385 (diff)
downloadsssd-b99b8e47237e12c13f86ebe333a1426e8fc3d231.tar.gz
sssd-b99b8e47237e12c13f86ebe333a1426e8fc3d231.tar.xz
sssd-b99b8e47237e12c13f86ebe333a1426e8fc3d231.zip
Save domain and GID for groups from the configured domain
Currently users from subdomains can only be members of groups from the configured domain, and to access those groups a pointer to the domain struct of the configured domain is used. This patch sets the dom_grp member of struct pac_grp to point to the domain struct of the configured domain for groups from this domain. This is a first step towards allowing group membership for groups from subdomains as well. For those groups a pointer to the related subdomain structure will be saved.
-rw-r--r--src/responder/pac/pacsrv.h1
-rw-r--r--src/responder/pac/pacsrv_cmd.c36
-rw-r--r--src/responder/pac/pacsrv_utils.c27
3 files changed, 47 insertions, 17 deletions
diff --git a/src/responder/pac/pacsrv.h b/src/responder/pac/pacsrv.h
index 4d3a31643..71fcf8e41 100644
--- a/src/responder/pac/pacsrv.h
+++ b/src/responder/pac/pacsrv.h
@@ -100,6 +100,7 @@ errno_t get_my_domain_data(struct pac_ctx *pac_ctx,
struct local_mapping_ranges **_range_map);
errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
+ struct pac_ctx *pac_ctx,
struct local_mapping_ranges *range_map,
struct dom_sid *domain_sid,
struct PAC_LOGON_INFO *logon_info,
diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c
index d2609f577..16aad5d9a 100644
--- a/src/responder/pac/pacsrv_cmd.c
+++ b/src/responder/pac/pacsrv_cmd.c
@@ -82,9 +82,8 @@ static errno_t save_pac_user(struct pac_req_ctx *pr_ctx);
static void pac_get_group_done(struct tevent_req *subreq);
static errno_t pac_save_memberships_next(struct tevent_req *req);
static errno_t pac_store_membership(struct pac_req_ctx *pr_ctx,
- struct sysdb_ctx *group_sysdb,
- struct ldb_dn *user_dn,
- int gid_iter);
+ struct ldb_dn *user_dn,
+ int gid_iter);
struct tevent_req *pac_save_memberships_send(struct pac_req_ctx *pr_ctx);
static void pac_save_memberships_done(struct tevent_req *req);
@@ -232,9 +231,9 @@ static errno_t pac_add_user_next(struct pac_req_ctx *pr_ctx)
goto done;
}
- ret = get_gids_from_pac(pr_ctx, my_range_map, my_dom_sid,
- pr_ctx->logon_info, &pr_ctx->gid_count,
- &pr_ctx->gids);
+ ret = get_gids_from_pac(pr_ctx, pr_ctx->pac_ctx,
+ my_range_map, my_dom_sid, pr_ctx->logon_info,
+ &pr_ctx->gid_count, &pr_ctx->gids);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("get_gids_from_pac failed.\n"));
goto done;
@@ -564,6 +563,7 @@ static errno_t pac_save_memberships_next(struct tevent_req *req)
{
errno_t ret;
uint32_t gid;
+ struct sss_domain_info *grp_dom;
struct tevent_req *subreq;
struct pac_save_memberships_state *state;
struct pac_req_ctx *pr_ctx;
@@ -581,16 +581,18 @@ static errno_t pac_save_memberships_next(struct tevent_req *req)
}
while (state->gid_iter < pr_ctx->add_gid_count) {
- gid = pr_ctx->add_gids[state->gid_iter].gid;
- ret = pac_store_membership(state->pr_ctx, state->group_dom->sysdb,
- state->user_dn, state->gid_iter);
+ ret = pac_store_membership(state->pr_ctx, state->user_dn,
+ state->gid_iter);
if (ret == EOK) {
state->gid_iter++;
continue;
} else if (ret == ENOENT) {
+ gid = pr_ctx->add_gids[state->gid_iter].gid;
+ grp_dom = pr_ctx->add_gids[state->gid_iter].grp_dom;
+
subreq = sss_dp_get_account_send(state, pr_ctx->cctx->rctx,
- state->group_dom, true,
+ grp_dom, true,
SSS_DP_GROUP, NULL,
gid, NULL);
if (subreq == NULL) {
@@ -632,8 +634,7 @@ static void pac_get_group_done(struct tevent_req *subreq)
goto error;
}
- ret = pac_store_membership(state->pr_ctx, state->group_dom->sysdb,
- state->user_dn, state->gid_iter);
+ ret = pac_store_membership(state->pr_ctx, state->user_dn, state->gid_iter);
if (ret != EOK) {
goto error;
}
@@ -654,14 +655,14 @@ error:
static errno_t
pac_store_membership(struct pac_req_ctx *pr_ctx,
- struct sysdb_ctx *group_sysdb,
- struct ldb_dn *user_dn,
- int gid_iter)
+ struct ldb_dn *user_dn,
+ int gid_iter)
{
TALLOC_CTX *tmp_ctx;
struct sysdb_attrs *user_attrs;
struct ldb_message *group;
uint32_t gid;
+ struct sss_domain_info *grp_dom;
errno_t ret;
const char *orig_group_dn;
const char *group_attrs[] = { SYSDB_ORIG_DN, NULL };
@@ -672,8 +673,9 @@ pac_store_membership(struct pac_req_ctx *pr_ctx,
}
gid = pr_ctx->add_gids[gid_iter].gid;
+ grp_dom = pr_ctx->add_gids[gid_iter].grp_dom;
- ret = sysdb_search_group_by_gid(tmp_ctx, group_sysdb,
+ ret = sysdb_search_group_by_gid(tmp_ctx, grp_dom->sysdb,
gid, group_attrs, &group);
if (ret != EOK) {
DEBUG(SSSDBG_TRACE_INTERNAL, ("sysdb_search_group_by_gid for gid [%d]" \
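Review bot: `grp_dom` is taken from `pr_ctx->add_gids[gid_iter].grp_dom` and dereferenced on the next line as `grp_dom->sysdb` without a NULL check, so any add_gids entry whose grp_dom was never filled in turns into a NULL dereference inside the responder while processing a client-supplied PAC; the commit only assigns grp_dom in get_gids_from_pac for SIDs inside the configured domain, and the description says subdomain groups are to be handled in a later step. A guard before the lookup, `if (grp_dom == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, ("No domain for gid [%d].\n", gid)); ret = EINVAL; goto done; }`, keeps such a case a per-request failure rather than a crash. pac_store_membership's body continues outside the hunk, so the done: cleanup and the remaining paths are not visible here.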
@@ -682,7 +684,7 @@ pac_store_membership(struct pac_req_ctx *pr_ctx,
goto done;
}
- ret = sysdb_mod_group_member(group_sysdb, user_dn, group->dn,
+ ret = sysdb_mod_group_member(grp_dom->sysdb, user_dn, group->dn,
LDB_FLAG_MOD_ADD);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("sysdb_mod_group_member failed.\n"));
diff --git a/src/responder/pac/pacsrv_utils.c b/src/responder/pac/pacsrv_utils.c
index d79adb1f2..217e27ab5 100644
--- a/src/responder/pac/pacsrv_utils.c
+++ b/src/responder/pac/pacsrv_utils.c
@@ -425,6 +425,7 @@ bool dom_sid_in_domain(const struct dom_sid *domain_sid,
* domain and convert them to GIDs.
*/
errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
+ struct pac_ctx *pac_ctx,
struct local_mapping_ranges *range_map,
struct dom_sid *domain_sid,
struct PAC_LOGON_INFO *logon_info,
@@ -435,6 +436,15 @@ errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
size_t s;
struct netr_SamInfo3 *info3;
struct pac_grp *gids = NULL;
+ struct sss_domain_info *grp_dom;
+ char *sid_str;
+ enum idmap_error_code err;
+
+ if (pac_ctx == NULL || range_map == NULL || domain_sid == NULL ||
+ logon_info == NULL || _gid_count == NULL || _gids == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Missing parameter.\n"));
+ return EINVAL;
+ }
info3 = &logon_info->info3;
@@ -451,6 +461,22 @@ errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
goto done;
}
+
+ err = sss_idmap_smb_sid_to_sid(pac_ctx->idmap_ctx, domain_sid,
+ &sid_str);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_idmap_smb_sid_to_sid failed.\n"));
+ ret = EFAULT;
+ goto done;
+ }
+
+ grp_dom = find_domain_by_id(pac_ctx->rctx->domains, sid_str);
+ if (grp_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("find_domain_by_id failed.\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
for(s = 0; s < info3->sidcount; s++) {
if (dom_sid_in_domain(domain_sid, info3->sids[s].sid)) {
ret = local_sid_to_id(range_map, info3->sids[s].sid,
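Review bot: `sid_str`, allocated by sss_idmap_smb_sid_to_sid through the idmap context's allocator, is only needed for the find_domain_by_id call and is not released anywhere in the hunk, neither after the lookup succeeds nor on the `grp_dom == NULL` error path; unless the `done:` label (outside the hunk) frees it, every PAC processed by this responder leaks one string. Free it immediately after the lookup, `grp_dom = find_domain_by_id(pac_ctx->rctx->domains, sid_str);` followed by the release call matching the allocator the idmap context was created with (talloc_free(sid_str) if it was set up with the talloc allocator, otherwise the idmap library's free routine), so neither branch has to remember it. get_gids_from_pac starts and ends outside this hunk.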
@@ -459,6 +485,7 @@ errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_OP_FAILURE, ("get_rid failed.\n"));
goto done;
}
+ gids[g].grp_dom = grp_dom;
DEBUG(SSSDBG_TRACE_ALL, ("Found extra group "
"with gid [%d].\n", gids[g].gid));
g++;