-rw-r--r-- | src/db/sysdb_search.c | 24 | ||||
-rw-r--r-- | src/providers/data_provider.h | 1 | ||||
-rw-r--r-- | src/providers/ipa/ipa_subdomains_id.c | 13 | ||||
-rw-r--r-- | src/providers/ldap/ldap_id.c | 15 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_initgroups.c | 2 | ||||
-rw-r--r-- | src/tests/sysdb-tests.c | 12 |
6 files changed, 56 insertions, 11 deletions
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 7acefcedd..39b3abb55 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1581,7 +1581,7 @@ done:
 
 errno_t sysdb_get_real_name(TALLOC_CTX *mem_ctx,
                             struct sss_domain_info *domain,
-                            const char *name_or_upn,
+                            const char *name_or_upn_or_sid,
                             const char **_cname)
 {
     errno_t ret;
@@ -1595,20 +1595,28 @@ errno_t sysdb_get_real_name(TALLOC_CTX *mem_ctx,
         return ENOMEM;
     }
 
-    ret = sysdb_getpwnam(tmp_ctx, domain, name_or_upn, &res);
+    ret = sysdb_getpwnam(tmp_ctx, domain, name_or_upn_or_sid, &res);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "Cannot canonicalize username\n");
         goto done;
     }
 
     if (res->count == 0) {
-        ret = sysdb_search_user_by_upn(tmp_ctx, domain, name_or_upn, NULL,
-                                       &msg);
+        ret = sysdb_search_user_by_upn(tmp_ctx, domain, name_or_upn_or_sid,
+                                       NULL, &msg);
         if (ret != EOK) {
-            /* User cannot be found in cache */
-            DEBUG(SSSDBG_OP_FAILURE, "Cannot find user [%s] in cache\n",
-                  name_or_upn);
-            goto done;
+            if (ret == ENOENT) {
+                ret = sysdb_search_user_by_sid_str(tmp_ctx, domain,
+                                                   name_or_upn_or_sid, NULL,
+                                                   &msg);
+            }
+
+            if (ret != EOK) {
+                /* User cannot be found in cache */
+                DEBUG(SSSDBG_OP_FAILURE, "Cannot find user [%s] in cache\n",
+                      name_or_upn_or_sid);
+                goto done;
+            }
         }
     } else if (res->count == 1) {
         msg = res->msgs[0];
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 5df493e9d..89fb06a0d 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -150,6 +150,7 @@
 #define DP_SEC_ID_LEN (sizeof(DP_SEC_ID) - 1)
 
 #define EXTRA_NAME_IS_UPN "U"
+#define EXTRA_NAME_IS_SID "S"
 #define EXTRA_INPUT_MAYBE_WITH_VIEW "V"
 
 /* AUTH related common data and functions */
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 0508e14b6..15776d2e1 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
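Review bot: In the new inner `if (ret != EOK)` block the kept comment and log line still describe a cache miss, but `ret` now reaches them carrying any non-ENOENT error from sysdb_search_user_by_upn() or sysdb_search_user_by_sid_str() as well, so a database failure is logged as "cannot find user"; including the code keeps the two cases apart, e.g. `DEBUG(SSSDBG_OP_FAILURE, "Cannot find user [%s] in cache [%d]: %s\n", name_or_upn_or_sid, ret, sss_strerror(ret));`. The rename to name_or_upn_or_sid appears only in the definition; if the prototype in the sysdb header still says name_or_upn, or a doc comment lists the accepted inputs, it should now state that a SID string is the third accepted form, since this is the only place the fallback order name, then UPN, then SID is visible. sysdb_get_real_name() continues past the hunk.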
@@ -201,6 +201,7 @@ static void ipa_subdomain_account_got_override(struct tevent_req *subreq)
     }
 
     if (state->override_attrs != NULL) {
+        DEBUG(SSSDBG_TRACE_ALL, "Processing override.\n");
         ret = sysdb_attrs_get_string(state->override_attrs,
                                      SYSDB_OVERRIDE_ANCHOR_UUID,
                                      &anchor);
@@ -219,6 +220,16 @@ static void ipa_subdomain_account_got_override(struct tevent_req *subreq)
                 DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n");
                 goto fail;
             }
+
+            if (state->ipa_server_mode
+                    && (state->ar->entry_type & BE_REQ_TYPE_MASK)
+                                                        == BE_REQ_INITGROUPS) {
+                DEBUG(SSSDBG_TRACE_ALL,
+                      "Switching back to BE_REQ_INITGROUPS.\n");
+                ar->entry_type = BE_REQ_INITGROUPS;
+                ar->filter_type = BE_FILTER_SECID;
+                ar->attr_type = BE_ATTR_CORE;
+            }
         } else {
             DEBUG(SSSDBG_CRIT_FAILURE,
                   "Unsupported override anchor type [%s].\n", anchor);
@@ -1125,6 +1136,8 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
     /* Replace ID with name in search filter */
     if ((entry_type == BE_REQ_USER
                 && state->ar->filter_type == BE_FILTER_IDNUM)
+            || (entry_type == BE_REQ_INITGROUPS
+                && state->ar->filter_type == BE_FILTER_SECID)
             || entry_type == BE_REQ_BY_SECID) {
         if (state->obj_msg == NULL) {
             ret = get_object_from_cache(state, state->obj_dom, state->ar,
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 642ae5c29..d65bd5f6a 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1392,7 +1392,8 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
         break;
 
     case BE_REQ_INITGROUPS: /* init groups for user */
-        if (ar->filter_type != BE_FILTER_NAME) {
+        if (ar->filter_type != BE_FILTER_NAME
+                && ar->filter_type != BE_FILTER_SECID) {
             ret = EINVAL;
             state->err = "Invalid filter type";
             goto done;
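Review bot: The new block in the second hunk tests `state->ar->entry_type` but assigns `ar->entry_type`, `ar->filter_type` and `ar->attr_type`, and nothing in the hunk says how the two requests relate; from the failure message just above, `ar` appears to be the request built by get_be_acct_req_for_sid(), so the block presumably turns that by-SID lookup back into an initgroups request keyed by SID, with `BE_ATTR_CORE` set because the INITGROUPS case in sdap_handle_acct_req_send() rejects other attr types (its "Invalid attr type" branch is visible in the ldap_id.c hunks, the condition itself is not). A comment stating that intent would spare the next reader the inference: `/* ar is the by-SID request derived from state->ar; in server mode the caller asked for initgroups, so re-issue it as initgroups-by-SID (BE_ATTR_CORE is what the LDAP INITGROUPS case requires). */`. The condition's continuation `== BE_REQ_INITGROUPS` hanging on a line of its own is hard to scan; `&& (state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {` on one continuation line reads better. ipa_subdomain_account_got_override() starts before and ends after the hunk.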
@@ -1402,11 +1403,21 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx, state->err = "Invalid attr type"; goto done; } + if (ar->filter_type == BE_FILTER_SECID && ar->extra_value != NULL + && strcmp(ar->extra_value, EXTRA_NAME_IS_SID) != 0) { + DEBUG(SSSDBG_OP_FAILURE, + "Unexpected extra value [%s] for BE_FILTER_SECID.\n", + ar->extra_value); + ret = EINVAL; + state->err = "Invalid extra value"; + goto done; + } subreq = groups_by_user_send(state, be_ctx->ev, id_ctx, sdom, conn, ar->filter_value, - ar->extra_value, + (ar->filter_type == BE_FILTER_SECID) + ? EXTRA_NAME_IS_SID : ar->extra_value, noexist_delete); break; diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index ae617b9c4..5c5be5eab 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -2716,6 +2716,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) { search_attr = state->opts->user_map[SDAP_AT_USER_PRINC].name; + } else if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_SID) == 0) { + search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name; } else { search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name; } diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c index a6c6b33de..e41fb0504 100644 --- a/src/tests/sysdb-tests.c +++ b/src/tests/sysdb-tests.c @@ -3580,6 +3580,10 @@ START_TEST(test_sysdb_get_real_name) ret = sysdb_attrs_add_string(user_attrs, SYSDB_UPN, "foo@bar"); fail_unless(ret == EOK, "sysdb_attrs_add_string failed."); + ret = sysdb_attrs_add_string(user_attrs, SYSDB_SID_STR, + "S-1-5-21-123-456-789-111"); + fail_unless(ret == EOK, "sysdb_attrs_add_string failed."); + ret = sysdb_store_user(test_ctx->domain, "RealName", NULL, 22345, 0, "gecos", "/home/realname", "/bin/bash", 
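Review bot: The ternary placed inside the groups_by_user_send() argument list, `(ar->filter_type == BE_FILTER_SECID) ? EXTRA_NAME_IS_SID : ar->extra_value`, obscures what the check added just above establishes: for a SECID request the extra value is either absent or already EXTRA_NAME_IS_SID, and the marker is what tells the initgroups code to search by SID. Hoisting it into a named local makes the contract visible, `/* A by-SID initgroups request is signalled to sdap_get_initgr_send() through the extra value. */` followed by `const char *extra_value = (ar->filter_type == BE_FILTER_SECID) ? EXTRA_NAME_IS_SID : ar->extra_value;` and passing `extra_value` to the call. sdap_handle_acct_req_send() starts before and ends after the hunk.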
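Review bot: With EXTRA_NAME_IS_SID the caller's value is now matched against the objectSID attribute rather than the name or UPN attribute, but the hunk does not show how that value is escaped before it becomes an LDAP filter operand; if the existing sanitisation of the name in sdap_get_initgr_send() (presumably sss_filter_sanitize(), applied before the filter is built) sits on the common path after this branch it covers the SID case too, which is worth confirming rather than assuming. The three-way choice also deserves a one-line comment so the meaning of the markers is not left to data_provider.h: `/* The extra value names the attribute the caller's value refers to: UPN, SID, or the plain user name. */`. sdap_get_initgr_send() starts before and ends after the hunk.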
@@ -3595,7 +3599,13 @@ START_TEST(test_sysdb_get_real_name)
     ret = sysdb_get_real_name(test_ctx, test_ctx->domain, "foo@bar", &str);
     fail_unless(ret == EOK, "sysdb_get_real_name failed.");
     fail_unless(strcmp(str, "RealName") == 0, "Expected [%s], got [%s].",
-                "foo@bar", str);
+                "RealName", str);
+
+    ret = sysdb_get_real_name(test_ctx, test_ctx->domain,
+                              "S-1-5-21-123-456-789-111", &str);
+    fail_unless(ret == EOK, "sysdb_get_real_name failed.");
+    fail_unless(strcmp(str, "RealName") == 0, "Expected [%s], got [%s].",
+                "RealName", str);
 }
 END_TEST
 
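Review bot: The corrected `fail_unless` message and the new SID lookup exercise only the success path of the SID fallback; the branch in sysdb_get_real_name() that reports an unknown SID (ENOENT from sysdb_search_user_by_sid_str(), which the new code treats as the not-found result) has no test, so a regression that made the fallback match the wrong entry or swallow the error would pass. A lookup of a SID absent from the fixture pins it, for instance with the stored SID's final RID changed (constructed value): `ret = sysdb_get_real_name(test_ctx, test_ctx->domain, "S-1-5-21-123-456-789-222", &str);` followed by `fail_unless(ret == ENOENT, "Expected ENOENT, got [%d].", ret);`.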