diff options
Diffstat (limited to 'src/providers/ldap/sdap_async_groups.c')
-rw-r--r-- | src/providers/ldap/sdap_async_groups.c | 160 |
1 files changed, 100 insertions, 60 deletions
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index 9f7e3e55d..33648c5da 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -451,6 +451,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, bool posix_group; bool use_id_mapping; char *sid_str; + int32_t ad_group_type; tmpctx = talloc_new(NULL); if (!tmpctx) { @@ -503,74 +504,113 @@ static int sdap_save_group(TALLOC_CTX *memctx, } DEBUG(SSSDBG_TRACE_FUNC, ("Processing group %s\n", group_name)); - use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx, - dom->name, - sid_str); - if (use_id_mapping) { - posix_group = true; - - if (sid_str == NULL) { - DEBUG(SSSDBG_MINOR_FAILURE, ("SID not available, cannot map a " \ - "unix ID to group [%s].\n", group_name)); - ret = ENOENT; + posix_group = true; + if (opts->schema_type == SDAP_SCHEMA_AD) { + ret = sysdb_attrs_get_int32_t(attrs, SYSDB_GROUP_TYPE, &ad_group_type); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_int32_t failed.\n")); goto done; } - DEBUG(SSSDBG_TRACE_LIBS, - ("Mapping group [%s] objectSID [%s] to unix ID\n", - group_name, sid_str)); - - /* Convert the SID into a UNIX group ID */ - ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &gid); - if (ret == ENOTSUP) { - /* ENOTSUP is returned if built-in SID was provided - * => do not store the group, but return EOK */ - DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n")); - ret = EOK; - goto done; - } else if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - ("Could not convert SID string: [%s]\n", - strerror(ret))); - goto done; + DEBUG(SSSDBG_TRACE_ALL, ("AD group [%s] has type flags %#x.", + group_name, ad_group_type)); + /* Only security groups from AD are considered for POSIX groups. + * Additionally only global and universal group are taken to account + * for trusted domains. */ + if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY) + || (IS_SUBDOMAIN(dom) + && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL) + || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) { + posix_group = false; + gid = 0; + DEBUG(SSSDBG_TRACE_FUNC, ("Filtering AD group [%s].\n", + group_name)); + ret = sysdb_attrs_add_uint32(group_attrs, + opts->group_map[SDAP_AT_GROUP_GID].sys_name, 0); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Failed to add a GID to non-posix group!\n")); + return ret; + } + ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, false); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + ("Error: Failed to mark group as non-posix!\n")); + return ret; + } } + } - /* Store the GID in the ldap_attrs so it doesn't get - * treated as a missing attribute from LDAP and removed. - */ - ret = sdap_replace_id(attrs, SYSDB_GIDNUM, gid); - if (ret) { - DEBUG(SSSDBG_OP_FAILURE, ("Cannot set the id-mapped GID\n")); - goto done; - } - } else { - ret = sysdb_attrs_get_bool(attrs, SYSDB_POSIX, &posix_group); - if (ret == ENOENT) { + if (posix_group) { + use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx, + dom->name, + sid_str); + if (use_id_mapping) { posix_group = true; - } else if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - ("Error reading posix attribute: [%s]\n", - strerror(ret))); - goto done; - } - DEBUG(8, ("This is%s a posix group\n", (posix_group)?"":" not")); - ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, posix_group); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - ("Error setting posix attribute: [%s]\n", - strerror(ret))); - goto done; - } + if (sid_str == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, ("SID not available, cannot map a " \ + "unix ID to group [%s].\n", group_name)); + ret = ENOENT; + goto done; + } - ret = sysdb_attrs_get_uint32_t(attrs, - opts->group_map[SDAP_AT_GROUP_GID].sys_name, - &gid); - if (ret != EOK) { - DEBUG(1, ("no gid provided for [%s] in domain [%s].\n", - group_name, dom->name)); - ret = EINVAL; - goto done; + DEBUG(SSSDBG_TRACE_LIBS, + ("Mapping group [%s] objectSID [%s] to unix ID\n", + group_name, sid_str)); + + /* Convert the SID into a UNIX group ID */ + ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &gid); + if (ret == ENOTSUP) { + /* ENOTSUP is returned if built-in SID was provided + * => do not store the group, but return EOK */ + DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n")); + ret = EOK; + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("Could not convert SID string: [%s]\n", + strerror(ret))); + goto done; + } + + /* Store the GID in the ldap_attrs so it doesn't get + * treated as a missing attribute from LDAP and removed. + */ + ret = sdap_replace_id(attrs, SYSDB_GIDNUM, gid); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, ("Cannot set the id-mapped GID\n")); + goto done; + } + } else { + ret = sysdb_attrs_get_bool(attrs, SYSDB_POSIX, &posix_group); + if (ret == ENOENT) { + posix_group = true; + } else if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("Error reading posix attribute: [%s]\n", + strerror(ret))); + goto done; + } + + DEBUG(8, ("This is%s a posix group\n", (posix_group)?"":" not")); + ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, posix_group); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("Error setting posix attribute: [%s]\n", + strerror(ret))); + goto done; + } + + ret = sysdb_attrs_get_uint32_t(attrs, + opts->group_map[SDAP_AT_GROUP_GID].sys_name, + &gid); + if (ret != EOK) { + DEBUG(1, ("no gid provided for [%s] in domain [%s].\n", + group_name, dom->name)); + ret = EINVAL; + goto done; + } } } |