1 files changed, 34 insertions, 1 deletions

diff --git a/server/tools/sss_usermod.c b/server/tools/sss_usermod.c
index 2c2b80ec2..733f9982e 100644
--- a/server/tools/sss_usermod.c
+++ b/server/tools/sss_usermod.c
@@ -60,6 +60,7 @@ int main(int argc, const char **argv)
     int ret;
     const char *pc_username = NULL;
     struct tools_ctx *tctx = NULL;
+    char *badgroup = NULL;
 
     debug_prg_name = argv[0];
 
@@ -133,6 +134,16 @@ int main(int argc, const char **argv)
         ret = EXIT_FAILURE;
         goto fini;
     }
+    /* check the username to be able to give sensible error message */
+    ret = sysdb_getpwnam_sync(tctx, tctx->ev, tctx->sysdb,
+                              tctx->octx->name, tctx->local,
+                              &tctx->octx);
+    if (ret != EOK) {
+        ERROR("Cannot find user in local domain, "
+              "modifying users is allowed only in local domain\n");
+        ret = EXIT_FAILURE;
+        goto fini;
+    }
 
     if (id_in_range(tctx->octx->uid, tctx->octx->domain) != EOK) {
         ERROR("The selected UID is outside the allowed range\n");
@@ -145,6 +156,7 @@ int main(int argc, const char **argv)
         if (ret != EOK) {
             DEBUG(1, ("Cannot parse groups to add the user to\n"));
             ERROR("Internal error while parsing parameters\n");
+            ret = EXIT_FAILURE;
             goto fini;
         }
 
@@ -152,6 +164,16 @@ int main(int argc, const char **argv)
         if (ret != EOK) {
             DEBUG(1, ("Cannot parse FQDN groups to add the user to\n"));
             ERROR("Groups must be in the same domain as user\n");
+            ret = EXIT_FAILURE;
+            goto fini;
+        }
+
+        /* Check group names in the LOCAL domain */
+        ret = check_group_names(tctx, tctx->octx->addgroups, &badgroup);
+        if (ret != EOK) {
+            ERROR("Cannot find group %s in local domain, "
+                  "only groups in local domain are allowed\n", badgroup);
+            ret = EXIT_FAILURE;
             goto fini;
         }
     }
@@ -161,6 +183,7 @@ int main(int argc, const char **argv)
         if (ret != EOK) {
             DEBUG(1, ("Cannot parse groups to remove the user from\n"));
             ERROR("Internal error while parsing parameters\n");
+            ret = EXIT_FAILURE;
             goto fini;
         }
 
@@ -168,6 +191,16 @@ int main(int argc, const char **argv)
         if (ret != EOK) {
             DEBUG(1, ("Cannot parse FQDN groups to remove the user from\n"));
             ERROR("Groups must be in the same domain as user\n");
+            ret = EXIT_FAILURE;
+            goto fini;
+        }
+
+        /* Check group names in the LOCAL domain */
+        ret = check_group_names(tctx, tctx->octx->rmgroups, &badgroup);
+        if (ret != EOK) {
+            ERROR("Cannot find group %s in local domain, "
+                  "only groups in local domain are allowed\n", badgroup);
+            ret = EXIT_FAILURE;
             goto fini;
         }
     }
@@ -205,7 +238,7 @@ done:
                 break;
 
             case EFAULT:
-                ERROR("Could not modify user - check if username is correct\n");
+                ERROR("Could not modify user - user already member of groups?\n");
                 break;
 
             default: