6 files changed, 56 insertions, 11 deletions

diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 677257405..da0c6d90c 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1589,7 +1589,7 @@ done:
 
 errno_t sysdb_get_real_name(TALLOC_CTX *mem_ctx,
                             struct sss_domain_info *domain,
-                            const char *name_or_upn,
+                            const char *name_or_upn_or_sid,
                             const char **_cname)
 {
     errno_t ret;
@@ -1603,20 +1603,28 @@ errno_t sysdb_get_real_name(TALLOC_CTX *mem_ctx,
         return ENOMEM;
     }
 
-    ret = sysdb_getpwnam(tmp_ctx, domain, name_or_upn, &res);
+    ret = sysdb_getpwnam(tmp_ctx, domain, name_or_upn_or_sid, &res);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "Cannot canonicalize username\n");
         goto done;
     }
 
     if (res->count == 0) {
-        ret = sysdb_search_user_by_upn(tmp_ctx, domain, name_or_upn, NULL,
-                                       &msg);
+        ret = sysdb_search_user_by_upn(tmp_ctx, domain, name_or_upn_or_sid,
+                                       NULL, &msg);
         if (ret != EOK) {
-            /* User cannot be found in cache */
-            DEBUG(SSSDBG_OP_FAILURE, "Cannot find user [%s] in cache\n",
-                                     name_or_upn);
-            goto done;
+            if (ret == ENOENT) {
+                ret = sysdb_search_user_by_sid_str(tmp_ctx, domain,
+                                                   name_or_upn_or_sid, NULL,
+                                                   &msg);
+            }
+
+            if (ret != EOK) {
+                /* User cannot be found in cache */
+                DEBUG(SSSDBG_OP_FAILURE, "Cannot find user [%s] in cache\n",
+                                         name_or_upn_or_sid);
+                goto done;
+            }
         }
     } else if (res->count == 1) {
         msg = res->msgs[0];
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 5df493e9d..89fb06a0d 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -150,6 +150,7 @@
 #define DP_SEC_ID_LEN (sizeof(DP_SEC_ID) - 1)
 
 #define EXTRA_NAME_IS_UPN "U"
+#define EXTRA_NAME_IS_SID "S"
 #define EXTRA_INPUT_MAYBE_WITH_VIEW "V"
 
 /* AUTH related common data and functions */
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 0508e14b6..15776d2e1 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -201,6 +201,7 @@ static void ipa_subdomain_account_got_override(struct tevent_req *subreq)
     }
 
     if (state->override_attrs != NULL) {
+        DEBUG(SSSDBG_TRACE_ALL, "Processing override.\n");
         ret = sysdb_attrs_get_string(state->override_attrs,
                                      SYSDB_OVERRIDE_ANCHOR_UUID,
                                      &anchor);
@@ -219,6 +220,16 @@ static void ipa_subdomain_account_got_override(struct tevent_req *subreq)
                 DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n");
                 goto fail;
             }
+
+            if (state->ipa_server_mode
+                    && (state->ar->entry_type & BE_REQ_TYPE_MASK)
+                                                         == BE_REQ_INITGROUPS) {
+                DEBUG(SSSDBG_TRACE_ALL,
+                      "Switching back to BE_REQ_INITGROUPS.\n");
+                ar->entry_type = BE_REQ_INITGROUPS;
+                ar->filter_type = BE_FILTER_SECID;
+                ar->attr_type = BE_ATTR_CORE;
+            }
         } else {
             DEBUG(SSSDBG_CRIT_FAILURE,
                   "Unsupported override anchor type [%s].\n", anchor);
@@ -1125,6 +1136,8 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
 
     /* Replace ID with name in search filter */
     if ((entry_type == BE_REQ_USER && state->ar->filter_type == BE_FILTER_IDNUM)
+            || (entry_type == BE_REQ_INITGROUPS
+                    && state->ar->filter_type == BE_FILTER_SECID)
             || entry_type == BE_REQ_BY_SECID) {
         if (state->obj_msg == NULL) {
             ret = get_object_from_cache(state, state->obj_dom, state->ar,
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 55bb3c9fb..c2686d249 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1391,7 +1391,8 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
         break;
 
     case BE_REQ_INITGROUPS: /* init groups for user */
-        if (ar->filter_type != BE_FILTER_NAME) {
+        if (ar->filter_type != BE_FILTER_NAME
+                && ar->filter_type != BE_FILTER_SECID) {
             ret = EINVAL;
             state->err = "Invalid filter type";
             goto done;
@@ -1401,11 +1402,21 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
             state->err = "Invalid attr type";
             goto done;
         }
+        if (ar->filter_type == BE_FILTER_SECID && ar->extra_value != NULL
+                && strcmp(ar->extra_value, EXTRA_NAME_IS_SID) != 0) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "Unexpected extra value [%s] for BE_FILTER_SECID.\n",
+                  ar->extra_value);
+            ret = EINVAL;
+            state->err = "Invalid extra value";
+            goto done;
+        }
 
         subreq = groups_by_user_send(state, be_ctx->ev, id_ctx,
                                      sdom, conn,
                                      ar->filter_value,
-                                     ar->extra_value,
+                                     (ar->filter_type == BE_FILTER_SECID)
+                                        ? EXTRA_NAME_IS_SID : ar->extra_value,
                                      noexist_delete);
         break;
 
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index ae617b9c4..5c5be5eab 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2716,6 +2716,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
 
     if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
         search_attr =  state->opts->user_map[SDAP_AT_USER_PRINC].name;
+    } else if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_SID) == 0) {
+        search_attr =  state->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
     } else {
         search_attr =  state->opts->user_map[SDAP_AT_USER_NAME].name;
     }
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index 7c2c6d208..0185beeaf 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -3577,6 +3577,10 @@ START_TEST(test_sysdb_get_real_name)
     ret = sysdb_attrs_add_string(user_attrs, SYSDB_UPN, "foo@bar");
     fail_unless(ret == EOK, "sysdb_attrs_add_string failed.");
 
+    ret = sysdb_attrs_add_string(user_attrs, SYSDB_SID_STR,
+                                 "S-1-5-21-123-456-789-111");
+    fail_unless(ret == EOK, "sysdb_attrs_add_string failed.");
+
     ret = sysdb_store_user(test_ctx->domain, "RealName",
                            NULL, 22345, 0, "gecos",
                            "/home/realname", "/bin/bash",
@@ -3592,7 +3596,13 @@ START_TEST(test_sysdb_get_real_name)
     ret = sysdb_get_real_name(test_ctx, test_ctx->domain, "foo@bar", &str);
     fail_unless(ret == EOK, "sysdb_get_real_name failed.");
     fail_unless(strcmp(str, "RealName") == 0, "Expected [%s], got [%s].",
-                                              "foo@bar", str);
+                                              "RealName", str);
+
+    ret = sysdb_get_real_name(test_ctx, test_ctx->domain,
+                              "S-1-5-21-123-456-789-111", &str);
+    fail_unless(ret == EOK, "sysdb_get_real_name failed.");
+    fail_unless(strcmp(str, "RealName") == 0, "Expected [%s], got [%s].",
+                                              "RealName", str);
 
 }
 END_TEST