From 59ada2f614ecb6001e11655e7a44bca402136580 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 21 Aug 2013 10:11:30 -0400 Subject: proxy: Allow initgroup to return NOTFOUND When the user is only member of its own primary group, initgroups_dyn may return NOTFOUND as, at least for the 'files' nss provider the code skips the passed in group. Resolves: https://fedorahosted.org/sssd/ticket/2051 --- src/providers/proxy/proxy_id.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'src') diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c index a0d6770c5..120946b7d 100644 --- a/src/providers/proxy/proxy_id.c +++ b/src/providers/proxy/proxy_id.c @@ -933,6 +933,12 @@ static int get_gr_gid(TALLOC_CTX *mem_ctx, ret = handle_getgr_result(status, grp, dom, &delete_group); } while (ret == EAGAIN); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + ("getgrgid failed [%d]: %s\n", ret, strerror(ret))); + goto done; + } + if (delete_group) { DEBUG(SSSDBG_TRACE_FUNC, ("Group %d does not exist (or is invalid) on remote server," @@ -1279,6 +1285,11 @@ static int get_initgr_groups_process(TALLOC_CTX *memctx, return ENOMEM; } + /* nss modules may skip the primary group when we pass it in so always add + * it in advance */ + gids[0] = pwd->pw_gid; + num_gids++; + /* FIXME: should we move this call outside the transaction to keep the * transaction as short as possible ? */ do { @@ -1304,6 +1315,11 @@ static int get_initgr_groups_process(TALLOC_CTX *memctx, } while(status == NSS_STATUS_TRYAGAIN); switch (status) { + case NSS_STATUS_NOTFOUND: + DEBUG(SSSDBG_FUNC_DATA, ("The initgroups call returned 'NOTFOUND'. " + "Assume the user is only member of its " + "primary group (%d)\n", pwd->pw_gid)); + /* fall through */ case NSS_STATUS_SUCCESS: DEBUG(SSSDBG_CONF_SETTINGS, ("User [%s] appears to be member of %lu" "groups\n", pwd->pw_name, num_gids)); -- cgit
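Review bot: The new failure message in get_gr_gid, `("getgrgid failed [%d]: %s\n", ret, strerror(ret))`, does not say which GID was being resolved, so a failure during an initgroups run over many groups cannot be tied to a specific group from the log. I would add the GID that was passed to the lookup to the format string, printed as unsigned (`%lu` with an `(unsigned long)` cast). `ret` is what handle_getgr_result() returned rather than the raw getgrgid status, so wording such as "getgrgid result handling failed" would be more accurate. The function body and the `done` label are outside the hunk, so whether `goto done` releases everything acquired up to this point cannot be checked from here.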
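Review bot: Seeding the list with `gids[0] = pwd->pw_gid; num_gids++;` in get_initgr_groups_process is only correct if `num_gids` is zero at that point, and that initialisation is outside the hunk. Writing `num_gids = 1;` states the invariant directly. The added comment says modules "may" skip the primary group, which suggests some modules do return it, in which case the primary GID would appear twice in `gids`. The code that consumes the list is not visible here, so either note that duplicates are harmless there or drop a repeated `pw_gid` before the groups are processed. It is also worth confirming that the TRYAGAIN retry path, which is only partly visible, keeps `gids[0]` and the start index of 1 when the buffer is grown.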
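Review bot: The new `case NSS_STATUS_NOTFOUND:` treats every NOTFOUND from the initgroups call as "primary group only" and falls into the success path, so any previously stored supplementary memberships would presumably be replaced by that single entry. If a proxied module can also return NOTFOUND when it simply cannot answer, access decisions based on group membership would change silently; that deserves confirmation. The fall-through also depends on the list having been seeded earlier in the function, so the comment should say so, for example `/* NOTFOUND: no supplementary groups; gids[0] already holds pw_gid */`. Separately, `pwd->pw_gid` is a `gid_t` printed with `%d`; `%lu` with an `(unsigned long)` cast avoids a negative number for large GIDs. The switch continues outside the hunk.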