From 8cdb9b9824d3fcc2448544d67544496f55b8d393 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 14 Aug 2013 16:55:34 +0200
Subject: sdap_save_user: save original primary GID of subdomain users
If ID mapping is enabled we use magic private groups (MPG) for subdomains, i.e. the UID and the primary GID of the user will have the same numerical value. As a consequence the information about the original primary group might get lost because neither in AD domains nor on a typical UNIX system the user is an explicit member of it's primary group. With this patch the mapped GID or the original primary group is saved in the cached user object under a new attribute. Fixes https://fedorahosted.org/sssd/ticket/2027
---
 src/providers/ldap/sdap_async_users.c | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)
(limited to 'src/providers')
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 07ddb6227..353dc3992 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -269,19 +269,30 @@ int sdap_save_user(TALLOC_CTX *memctx,
 }
 if (use_id_mapping) {
- if (IS_SUBDOMAIN(dom) == false) {
- ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str,
- &gid);
- if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("Cannot get the GID for [%s] in domain [%s].\n",
- user_name, dom->name));
- goto done;
- }
- } else {
+ ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str,
+ &gid);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Cannot get the GID for [%s] in domain [%s].\n",
+ user_name, dom->name));
+ goto done;
+ }
+
+ if (IS_SUBDOMAIN(dom)) {
 /* For subdomain users, only create the private group as
- * the subdomain is an MPG domain
+ * the subdomain is an MPG domain.
+ * But we have to save the GID of the original primary group
+ * becasuse otherwise this information might be lost because
+ * typically (Unix and AD) the user is not listed in his primary
+ * group as a member.
 */
+ ret = sysdb_attrs_add_uint32(user_attrs, SYSDB_PRIMARY_GROUP_GIDNUM,
+ (uint32_t) gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_uint32 failed.\n"));
+ goto done;
+ }
 gid = 0;
 }
-- cgit
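Review bot: The `goto done` after `sdap_get_idmap_primary_gid()` now also runs for subdomain users, where the old code skipped the call entirely, so a subdomain user whose primary group cannot be mapped is no longer saved at all, although the value is only recorded under `SYSDB_PRIMARY_GROUP_GIDNUM` and then dropped with `gid = 0`. If that stricter behaviour is intended, say so above the call, e.g. `/* A failed primary GID mapping is fatal for subdomain users as well. */`; if it is not, the failure should presumably be fatal only when `IS_SUBDOMAIN(dom)` is false, with the attribute skipped otherwise. The new comment also has a typo, `becasuse`. The body of sdap_save_user starts and ends outside this hunk, so what the `done` label cleans up is not visible here.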