3 files changed, 21 insertions, 10 deletions

diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index d07923cff..3830a2b4b 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -50,9 +50,6 @@ enum response_types {
 };
 
 /* ==Sid2Name Extended Operation============================================= */
-#define EXOP_SID2NAME_OID "2.16.840.1.113730.3.8.10.4"
-#define EXOP_SID2NAME_V1_OID "2.16.840.1.113730.3.8.10.4.1"
-
 struct ipa_s2n_exop_state {
     struct sdap_handle *sh;
 
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
index ceb862226..9b179792d 100644
--- a/src/providers/ipa/ipa_subdomains.h
+++ b/src/providers/ipa/ipa_subdomains.h
@@ -28,6 +28,10 @@
 #include "providers/dp_backend.h"
 #include "providers/ipa/ipa_common.h"
 
+/* ==Sid2Name Extended Operation============================================= */
+#define EXOP_SID2NAME_OID "2.16.840.1.113730.3.8.10.4"
+#define EXOP_SID2NAME_V1_OID "2.16.840.1.113730.3.8.10.4.1"
+
 struct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx);
 
 const char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx,
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 15776d2e1..1253510dc 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -386,14 +386,8 @@ struct tevent_req *ipa_get_subdom_acct_send(TALLOC_CTX *memctx,
         case BE_REQ_GROUP:
         case BE_REQ_BY_SECID:
         case BE_REQ_USER_AND_GROUP:
-            ret = EOK;
-            break;
         case BE_REQ_INITGROUPS:
-            ret = ENOTSUP;
-            DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \
-                                      "by the IPA provider but are resolved " \
-                                      "by the responder directly from the " \
-                                      "cache.\n");
+            ret = EOK;
             break;
         default:
             ret = EINVAL;
@@ -434,6 +428,22 @@ static void ipa_get_subdom_acct_connected(struct tevent_req *subreq)
         return;
     }
 
+    if (state->entry_type == BE_REQ_INITGROUPS) {
+        /* With V1 of the extdom plugin a user lookup will resolve the full
+         * group membership of the user. */
+        if (sdap_is_extension_supported(sdap_id_op_handle(state->op),
+                                        EXOP_SID2NAME_V1_OID)) {
+            state->entry_type = BE_REQ_USER;
+        } else {
+            DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \
+                                      "by the IPA provider but are resolved " \
+                                      "by the responder directly from the " \
+                                      "cache.\n");
+            tevent_req_error(req, ENOTSUP);
+            return;
+        }
+    }
+
     req_input = talloc(state, struct req_input);
     if (req_input == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n");