SDAP: Continue resolving SID even if some fail

Resolving groups obtained via Token-Groups in case of disabled ID mapping may
lead to failure as non-posix groups are not resolved. This patch amends
sdap_ad_resolve_sids_done() not to abruptly finish request if ENOENT is
returned.

Resolves:
https://fedorahosted.org/sssd/ticket/2345

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1 files changed, 6 insertions, 1 deletions

diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 114552eba..5bcc1ec02 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -646,7 +646,12 @@ static void sdap_ad_resolve_sids_done(struct tevent_req *subreq)
 
     ret = groups_get_recv(subreq, &dp_error, &sdap_error);
     talloc_zfree(subreq);
-    if (ret != EOK || sdap_error != EOK || dp_error != DP_ERR_OK) {
+
+    if (ret == EOK && sdap_error == ENOENT && dp_error == DP_ERR_OK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Unable to resolve SID %s - will try next sid.\n",
+              state->current_sid);
+    } else if (ret != EOK || sdap_error != EOK || dp_error != DP_ERR_OK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to resolve SID %s [dp_error: %d, "
               "sdap_error: %d, ret: %d]: %s\n", state->current_sid, dp_error,
               sdap_error, ret, strerror(ret));