Diffstat (limited to 'src/providers/ldap/sdap_async_nested_groups.c')
-rw-r--r-- | src/providers/ldap/sdap_async_nested_groups.c | 28 |
1 files changed, 26 insertions, 2 deletions
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index c107b700b..f58564aec 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -239,15 +239,39 @@ sdap_nested_group_hash_group(struct sdap_nested_group_ctx *group_ctx,
 struct sdap_attr_map *map = group_ctx->opts->group_map;
 gid_t gid;
 errno_t ret;
+ int32_t ad_group_type;
+ bool posix_group = true;
+
+ if (group_ctx->opts->schema_type == SDAP_SCHEMA_AD) {
+ ret = sysdb_attrs_get_int32_t(group, SYSDB_GROUP_TYPE, &ad_group_type);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_int32_t failed.\n"));
+ return ret;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, ("AD group has type flags %#x.\n",
+ ad_group_type));
+ /* Only security groups from AD are considered for POSIX groups.
+ * Additionally only global and universal group are taken to account
+ * for trusted domains. */
+ if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
+ || (IS_SUBDOMAIN(group_ctx->domain)
+ && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
+ || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
+ posix_group = false;
+ gid = 0;
+ DEBUG(SSSDBG_TRACE_FUNC, ("Filtering AD group.\n"));
+ }
+ }
 ret = sysdb_attrs_get_uint32_t(group, map[SDAP_AT_GROUP_GID].sys_name, &gid);
- if (ret == ENOENT || (ret == EOK && gid == 0)) {
+ if (ret == ENOENT || (ret == EOK && gid == 0) || !posix_group) {
 DEBUG(SSSDBG_TRACE_ALL, ("The group's gid was %s\n", ret == ENOENT ? "missing" : "zero"));
 DEBUG(SSSDBG_TRACE_INTERNAL, ("Marking group as non-posix and setting GID=0!\n"));
- if (ret == ENOENT) {
+ if (ret == ENOENT || !posix_group) {
 ret = sysdb_attrs_add_uint32(group, map[SDAP_AT_GROUP_GID].sys_name, 0);
 if (ret != EOK) { |
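Review bot: In the new `if (ret == ENOENT || !posix_group)` branch, a filtered AD group that already carries a non-zero gidNumber reaches `sysdb_attrs_add_uint32(group, ..., 0)` while the attribute is still present; if that helper appends rather than replaces (as its name suggests), the attribute ends up with two values (the real gid and 0) and the filter's intent of storing GID 0 for a non-POSIX group is not guaranteed, which matters because this decision is what gives an AD group a POSIX identity. The `gid = 0;` written inside the filter branch is dead, since `sysdb_attrs_get_uint32_t` overwrites `gid` immediately afterwards, and the trace message still reports the gid as "zero" in that case. I would keep the add for `ret == ENOENT` only and handle the filtered case explicitly, e.g. `} else if (!posix_group && gid != 0) { /* drop the existing value before storing 0; a plain add would append */ }`, failing with an error if sysdb offers no remove/replace helper. Separately, `sysdb_attrs_get_int32_t` returning ENOENT for a group without the type attribute now aborts the whole hash step rather than treating the group as non-POSIX; confirm the attribute is always requested for AD schema or handle ENOENT explicitly. sdap_nested_group_hash_group begins before this hunk and its body continues past it.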