authorSumit Bose <sbose@redhat.com>2012-11-26 22:16:49 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-01-08 15:05:48 +0100
commitb8caebd6618f1c726c3bc7bd3d837651026a0a84 (patch)
treeafd529269855f122c3e04bc1bff628e850a8cb3b /src
parent51846266a5d87f5560f9b34e62ab94ed96f533b3 (diff)
downloadsssd-b8caebd6618f1c726c3bc7bd3d837651026a0a84.tar.gz
sssd-b8caebd6618f1c726c3bc7bd3d837651026a0a84.tar.xz
sssd-b8caebd6618f1c726c3bc7bd3d837651026a0a84.zip
Read remote groups from PAC
Read the user's group memberships in the remote domain the user belongs to from the PAC and add them to the cache. Fixes: https://fedorahosted.org/sssd/ticket/1666
Diffstat (limited to 'src')
-rw-r--r--src/responder/pac/pacsrv_utils.c55
1 files changed, 52 insertions, 3 deletions
diff --git a/src/responder/pac/pacsrv_utils.c b/src/responder/pac/pacsrv_utils.c
index 217e27ab5..2daced2b2 100644
--- a/src/responder/pac/pacsrv_utils.c
+++ b/src/responder/pac/pacsrv_utils.c
@@ -437,8 +437,9 @@ errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
struct netr_SamInfo3 *info3;
struct pac_grp *gids = NULL;
struct sss_domain_info *grp_dom;
- char *sid_str;
+ char *sid_str = NULL;
enum idmap_error_code err;
+ struct dom_sid *grp_sid = NULL;
if (pac_ctx == NULL || range_map == NULL || domain_sid == NULL ||
logon_info == NULL || _gid_count == NULL || _gids == NULL) {
@@ -448,13 +449,14 @@ errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
info3 = &logon_info->info3;
- if (info3->sidcount == 0) {
+ if (info3->sidcount == 0 && info3->base.groups.count == 0) {
DEBUG(SSSDBG_TRACE_ALL, ("No extra groups found.\n"));
ret = EOK;
goto done;
}
- gids = talloc_zero_array(mem_ctx, struct pac_grp, info3->sidcount);
+ gids = talloc_zero_array(mem_ctx, struct pac_grp,
+ info3->sidcount + info3->base.groups.count);
if (gids == NULL) {
DEBUG(SSSDBG_OP_FAILURE, ("talloc_array failed.\n"));
ret = ENOMEM;
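Review bot: The new array size `info3->sidcount + info3->base.groups.count` adds two counts taken from the PAC, and if both fields are 32-bit (as in Samba's netr_SamInfo3) the sum can wrap before talloc_zero_array sees it, so the per-RID loop added later in this commit would write `gids[g]` past the allocation; talloc's own check, as far as I recall, covers only the element-size multiplication, not this addition. A guard before the allocation closes the gap: `if (info3->base.groups.count > UINT32_MAX - info3->sidcount) { ret = EINVAL; goto done; }`, which matches the `ret = EINVAL; goto done;` style the argument check at the top of the function already uses. get_gids_from_pac begins before this hunk and its body continues past it.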
@@ -492,9 +494,56 @@ errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
}
}
+ talloc_zfree(sid_str);
+ err = sss_idmap_smb_sid_to_sid(pac_ctx->idmap_ctx, info3->base.domain_sid,
+ &sid_str);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_idmap_smb_sid_to_sid failed.\n"));
+ ret = EFAULT;
+ goto done;
+ }
+
+ grp_dom = find_domain_by_id(pac_ctx->rctx->domains, sid_str);
+ if (grp_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("find_domain_by_id failed.\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
+ err = sss_idmap_sid_to_smb_sid(pac_ctx->idmap_ctx, sid_str, &grp_sid);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_idmap_sid_to_smb_sid failed.\n"));
+ ret = EFAULT;
+ goto done;
+ }
+
+ grp_sid->num_auths++;
+
+ for (s = 0; s < info3->base.groups.count; s++) {
+ grp_sid->sub_auths[grp_sid->num_auths - 1] =
+ info3->base.groups.rids[s].rid;
+ err = sss_idmap_smb_sid_to_unix(pac_ctx->idmap_ctx, grp_sid,
+ &gids[g].gid);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("sss_idmap_smb_sid_to_unix failed for"
+ "[%s] [%d].\n", sid_str,
+ info3->base.groups.rids[s].rid));
+ ret = ENOENT;
+ goto done;
+ }
+
+ gids[g].grp_dom = grp_dom;
+ DEBUG(SSSDBG_TRACE_ALL, ("Found extra group "
+ "with gid [%d].\n", gids[g].gid));
+ g++;
+ }
+
ret = EOK;
done:
+ talloc_free(sid_str);
+ talloc_free(grp_sid);
+
if (ret == EOK) {
*_gid_count = g;
*_gids = gids;
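Review bot: `grp_sid->num_auths++` at the head of the new block, followed by the store into `sub_auths[grp_sid->num_auths - 1]`, assumes the SID built from the PAC's domain SID has room for one more sub-authority; if `sub_auths` is a fixed-size array (Samba's struct dom_sid holds 15 entries), a domain SID that already fills it would turn this into an out-of-bounds write. A check before the increment keeps it in bounds: `if (grp_sid->num_auths >= sizeof(grp_sid->sub_auths) / sizeof(grp_sid->sub_auths[0])) { ret = EINVAL; goto done; }`. Separately, the DEBUG call inside the loop concatenates `"failed for"` and `"[%s] [%d].\n"` without a space and passes a 32-bit RID to `%d`; `"failed for [%s] [%" PRIu32 "].\n"` (with `<inttypes.h>`) would read correctly and match the type, and the gid printed with `%d` in the trace message deserves the same attention. The function's return statement and closing brace lie past the end of this hunk.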