From 5c28b1bdb9f180590bdfec947bd2df52351912a8 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 6 Aug 2013 11:10:10 +0200
Subject: PAC: do not create users with missing GID

If the user entry does not exist in the cache and a primary GID cannot be found it does not make sense to create a user entry.
---
 src/responder/pac/pacsrv_cmd.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c
index e51520069..bcdcdc467 100644
--- a/src/responder/pac/pacsrv_cmd.c
+++ b/src/responder/pac/pacsrv_cmd.c
@@ -575,6 +575,20 @@ static errno_t save_pac_user(struct pac_req_ctx *pr_ctx)
     ret = sysdb_search_user_by_uid(tmp_ctx, sysdb, pr_ctx->dom, pwd->pw_uid,
                                    attrs, &msg);
     if (ret == ENOENT) {
+        if (pwd->pw_gid == 0 && !pr_ctx->dom->mpg) {
+            DEBUG(SSSDBG_CRIT_FAILURE, ("Primary group RID from the PAC " \
+                                        "cannot be translated into a GID for " \
+                                        "user [%s]. Typically this happens " \
+                                        "when UIDs and GIDs are read from AD " \
+                                        "and the primary AD group does not " \
+                                        "have a GID assigned. Make sure the " \
+                                        "user is created by the ID provider " \
+                                        "before GSSAPI based authentication " \
+                                        "is used in this case.", pwd->pw_name));
+            ret = EINVAL;
+            goto done;
+        }
+
         ret = sysdb_store_user(sysdb, pr_ctx->dom, pwd->pw_name, NULL,
                                pwd->pw_uid, pwd->pw_gid, pwd->pw_gecos,
                                pwd->pw_dir,
-- 
cgit
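Review bot: The new guard treats `pwd->pw_gid == 0` as "no GID could be derived from the PAC", but nothing in the hunk says where that zero comes from, and GID 0 is also a real (root) group id, so the check reads as an in-band sentinel without a stated contract. A comment above the `if` should pin this down, e.g. `/* pw_gid == 0 is the sentinel left by the PAC-to-passwd translation when the primary group RID has no GID; never store a new user into GID 0 */`, so a later change to the translation code cannot silently turn the guard into a no-op or start storing users in the root group. It would also help to say why the `mpg` domain is exempt (presumably because the primary group is then derived from the UID and pw_gid is not taken from the PAC) — worth confirming against the code that fills in `pwd`, which is outside this hunk. The guard only covers the `ret == ENOENT` branch; whether an already-cached user is still updated with a zero GID on the EOK path cannot be seen here, since `save_pac_user` continues past the end of the hunk.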