8 files changed, 33 insertions, 2 deletions

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 4975a4276..fdf409f96 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -842,6 +842,13 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
         goto done;
     }
 
+    ret = get_entry_as_uint32(res->msgs[0], &domain->override_gid,
+                              CONFDB_DOMAIN_OVERRIDE_GID, 0);
+    if (ret != EOK) {
+        DEBUG(0, ("Invalid value for [%s]\n", CONFDB_DOMAIN_OVERRIDE_GID));
+        goto done;
+    }
+
     *_domain = domain;
     ret = EOK;
 
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 7173c9fc8..4e8a6dd84 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -109,6 +109,7 @@
 #define CONFDB_DOMAIN_DNS_DISCOVERY_NAME "dns_discovery_domain"
 #define CONFDB_DOMAIN_FAMILY_ORDER "lookup_family_order"
 #define CONFDB_DOMAIN_ACCOUNT_CACHE_EXPIRATION "account_cache_expiration"
+#define CONFDB_DOMAIN_OVERRIDE_GID "override_gid"
 
 /* Local Provider */
 #define CONFDB_LOCAL_DEFAULT_SHELL   "default_shell"
@@ -143,6 +144,8 @@ struct sss_domain_info {
     bool cache_credentials;
     bool legacy_passwords;
 
+    gid_t override_gid;
+
     uint32_t entry_cache_timeout;
 
     struct sss_domain_info *next;
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 6026bf4ff..d8f13a1e0 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -85,6 +85,7 @@ option_strings = {
     'account_cache_expiration' : _('How long to keep cached entries after last successful login (days)'),
     'dns_resolver_timeout' : _('How long to wait for replies from DNS when resolving servers (seconds)'),
     'dns_discovery_domain' : _('The domain part of service discovery DNS query'),
+    'override_gid' : _('Override GID value from the identity provider with this value'),
 
     # [provider/ipa]
     'ipa_domain' : _('IPA domain'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index cad183ea0..93cae9c59 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -479,6 +479,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
             'account_cache_expiration',
             'dns_resolver_timeout',
             'dns_discovery_domain',
+            'override_gid',
             'id_provider',
             'auth_provider',
             'access_provider',
@@ -808,6 +809,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
             'lookup_family_order',
             'dns_resolver_timeout',
             'dns_discovery_domain',
+            'override_gid',
             'id_provider',
             'auth_provider',
             'access_provider',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index e91597166..9176407ad 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -63,6 +63,7 @@ filter_users = list, str, false
 filter_groups = list, str, false
 dns_resolver_timeout = int, None, false
 dns_discovery_domain = str, None, false
+override_gid = int, None, false
 
 # Special providers
 [provider/permit]
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 6ac9de890..386dd035c 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -807,6 +807,15 @@
                         </para>
                     </listitem>
                 </varlistentry>
+
+                <varlistentry>
+                    <term>override_gid (integer)</term>
+                    <listitem>
+                        <para>
+                            Override the primary GID value with the one specified.
+                        </para>
+                    </listitem>
+                </varlistentry>
             </variablelist>
         </para>
 
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index dfb0312e8..fe66c0d4d 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -94,7 +94,7 @@ static int nss_get_config(struct nss_ctx *nctx,
     if (ret != EOK) goto done;
     if (nctx->cache_refresh_percent < 0 ||
         nctx->cache_refresh_percent > 99) {
-        DEBUG(0,("Configuration error: entry_cache_nowait_percentage is"
+        DEBUG(0,("Configuration error: entry_cache_nowait_percentage is "
                  "invalid. Disabling feature.\n"));
         nctx->cache_refresh_percent = 0;
     }
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index e5a63e02a..6ab32abd0 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -170,6 +170,14 @@ struct setent_ctx {
  * PASSWD db related functions
  ***************************************************************************/
 
+static gid_t get_gid_override(struct ldb_message *msg,
+                              struct sss_domain_info *dom)
+{
+    return dom->override_gid ?
+        dom->override_gid :
+        ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0);
+}
+
 static int fill_pwent(struct sss_packet *packet,
                       struct sss_domain_info *dom,
                       struct nss_ctx *nctx,
@@ -206,7 +214,7 @@ static int fill_pwent(struct sss_packet *packet,
 
         name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
         uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0);
-        gid = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0);
+        gid = get_gid_override(msg, dom);
 
         if (!name || !uid || !gid) {
             DEBUG(2, ("Incomplete or fake user object for %s[%llu]! Skipping\n",