1 files changed, 100 insertions, 60 deletions

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 9f7e3e55d..33648c5da 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -451,6 +451,7 @@ static int sdap_save_group(TALLOC_CTX *memctx,
     bool posix_group;
     bool use_id_mapping;
     char *sid_str;
+    int32_t ad_group_type;
 
     tmpctx = talloc_new(NULL);
     if (!tmpctx) {
@@ -503,74 +504,113 @@ static int sdap_save_group(TALLOC_CTX *memctx,
     }
     DEBUG(SSSDBG_TRACE_FUNC, ("Processing group %s\n", group_name));
 
-    use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx,
-                                                               dom->name,
-                                                               sid_str);
-    if (use_id_mapping) {
-        posix_group = true;
-
-        if (sid_str == NULL) {
-            DEBUG(SSSDBG_MINOR_FAILURE, ("SID not available, cannot map a " \
-                                         "unix ID to group [%s].\n", group_name));
-            ret = ENOENT;
+    posix_group = true;
+    if (opts->schema_type == SDAP_SCHEMA_AD) {
+        ret = sysdb_attrs_get_int32_t(attrs, SYSDB_GROUP_TYPE, &ad_group_type);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_int32_t failed.\n"));
             goto done;
         }
 
-        DEBUG(SSSDBG_TRACE_LIBS,
-              ("Mapping group [%s] objectSID [%s] to unix ID\n",
-               group_name, sid_str));
-
-        /* Convert the SID into a UNIX group ID */
-        ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &gid);
-        if (ret == ENOTSUP) {
-            /* ENOTSUP is returned if built-in SID was provided
-             * => do not store the group, but return EOK */
-            DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n"));
-            ret = EOK;
-            goto done;
-        } else if (ret != EOK) {
-            DEBUG(SSSDBG_MINOR_FAILURE,
-                  ("Could not convert SID string: [%s]\n",
-                   strerror(ret)));
-            goto done;
+        DEBUG(SSSDBG_TRACE_ALL, ("AD group [%s] has type flags %#x.",
+                                 group_name, ad_group_type));
+        /* Only security groups from AD are considered for POSIX groups.
+         * Additionally only global and universal group are taken to account
+         * for trusted domains. */
+        if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
+                || (IS_SUBDOMAIN(dom)
+                    && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
+                        || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
+            posix_group = false;
+            gid = 0;
+            DEBUG(SSSDBG_TRACE_FUNC, ("Filtering AD group [%s].\n",
+                                      group_name));
+            ret = sysdb_attrs_add_uint32(group_attrs,
+                                         opts->group_map[SDAP_AT_GROUP_GID].sys_name, 0);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      ("Failed to add a GID to non-posix group!\n"));
+                return ret;
+            }
+            ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, false);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE,
+                      ("Error: Failed to mark group as non-posix!\n"));
+                return ret;
+            }
         }
+    }
 
-        /* Store the GID in the ldap_attrs so it doesn't get
-         * treated as a missing attribute from LDAP and removed.
-         */
-        ret = sdap_replace_id(attrs, SYSDB_GIDNUM, gid);
-        if (ret) {
-            DEBUG(SSSDBG_OP_FAILURE, ("Cannot set the id-mapped GID\n"));
-            goto done;
-        }
-    } else {
-        ret = sysdb_attrs_get_bool(attrs, SYSDB_POSIX, &posix_group);
-        if (ret == ENOENT) {
+    if (posix_group) {
+        use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx,
+                                                                   dom->name,
+                                                                   sid_str);
+        if (use_id_mapping) {
             posix_group = true;
-        } else if (ret != EOK) {
-            DEBUG(SSSDBG_MINOR_FAILURE,
-                  ("Error reading posix attribute: [%s]\n",
-                   strerror(ret)));
-            goto done;
-        }
 
-        DEBUG(8, ("This is%s a posix group\n", (posix_group)?"":" not"));
-        ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, posix_group);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_MINOR_FAILURE,
-                  ("Error setting posix attribute: [%s]\n",
-                   strerror(ret)));
-            goto done;
-        }
+            if (sid_str == NULL) {
+                DEBUG(SSSDBG_MINOR_FAILURE, ("SID not available, cannot map a " \
+                                             "unix ID to group [%s].\n", group_name));
+                ret = ENOENT;
+                goto done;
+            }
 
-        ret = sysdb_attrs_get_uint32_t(attrs,
-                                       opts->group_map[SDAP_AT_GROUP_GID].sys_name,
-                                       &gid);
-        if (ret != EOK) {
-            DEBUG(1, ("no gid provided for [%s] in domain [%s].\n",
-                      group_name, dom->name));
-            ret = EINVAL;
-            goto done;
+            DEBUG(SSSDBG_TRACE_LIBS,
+                  ("Mapping group [%s] objectSID [%s] to unix ID\n",
+                   group_name, sid_str));
+
+            /* Convert the SID into a UNIX group ID */
+            ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &gid);
+            if (ret == ENOTSUP) {
+                /* ENOTSUP is returned if built-in SID was provided
+                 * => do not store the group, but return EOK */
+                DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n"));
+                ret = EOK;
+                goto done;
+            } else if (ret != EOK) {
+                DEBUG(SSSDBG_MINOR_FAILURE,
+                      ("Could not convert SID string: [%s]\n",
+                       strerror(ret)));
+                goto done;
+            }
+
+            /* Store the GID in the ldap_attrs so it doesn't get
+             * treated as a missing attribute from LDAP and removed.
+             */
+            ret = sdap_replace_id(attrs, SYSDB_GIDNUM, gid);
+            if (ret) {
+                DEBUG(SSSDBG_OP_FAILURE, ("Cannot set the id-mapped GID\n"));
+                goto done;
+            }
+        } else {
+            ret = sysdb_attrs_get_bool(attrs, SYSDB_POSIX, &posix_group);
+            if (ret == ENOENT) {
+                posix_group = true;
+            } else if (ret != EOK) {
+                DEBUG(SSSDBG_MINOR_FAILURE,
+                      ("Error reading posix attribute: [%s]\n",
+                       strerror(ret)));
+                goto done;
+            }
+
+            DEBUG(8, ("This is%s a posix group\n", (posix_group)?"":" not"));
+            ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, posix_group);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_MINOR_FAILURE,
+                      ("Error setting posix attribute: [%s]\n",
+                       strerror(ret)));
+                goto done;
+            }
+
+            ret = sysdb_attrs_get_uint32_t(attrs,
+                                           opts->group_map[SDAP_AT_GROUP_GID].sys_name,
+                                           &gid);
+            if (ret != EOK) {
+                DEBUG(1, ("no gid provided for [%s] in domain [%s].\n",
+                          group_name, dom->name));
+                ret = EINVAL;
+                goto done;
+            }
         }
     }