authorOndrej Kos <okos@redhat.com>2013-08-21 15:01:34 +0200
committerOndrej Kos <okos@redhat.com>2013-08-21 17:11:36 +0200
commit387d72fd09a60ba5697276102a593d7eceecd14f (patch)
tree610b466719d3a1a9aab2d85a43782103dee12bcc
parentf519f6cb5a5904d4945d6f5bfae39a1ddca54012 (diff)
downloadsssd-387d72fd09a60ba5697276102a593d7eceecd14f.tar.gz
sssd-387d72fd09a60ba5697276102a593d7eceecd14f.tar.xz
sssd-387d72fd09a60ba5697276102a593d7eceecd14f.zip
t5sid
Explanation Resolves: https://fedorahosted.org/sssd/ticket/XXXX
-rw-r--r--src/providers/ldap/sdap_async_initgroups.c6
-rw-r--r--src/providers/ldap/sdap_async_initgroups_ad.c64
2 files changed, 55 insertions, 15 deletions
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 6bc9579d..ddf82721 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2782,8 +2782,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
return;
}
- if (state->use_id_mapping
- && state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008) {
+ if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008) {
/* Take advantage of AD's tokenGroups mechanism to look up all
* parent groups in a single request.
*/
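Review bot: The comment above the tokenGroups branch still describes only the mechanism, and now that the `use_id_mapping` condition is dropped both here and in the sdap_get_initgr_done hunk it no longer explains why ID mapping stopped being a precondition; add a line such as `/* Usable for both ID-mapped and POSIX-attribute domains: the lookup_done path resolves each membership SID either to a GID or straight to the sysdb group by SID. */`. If `state->use_id_mapping` is no longer read anywhere in this file after these two hunks, the field and its initialisation should go as well, but that is not visible from the hunk. sdap_get_initgr_user continues outside the hunk.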
@@ -2880,8 +2879,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
case SDAP_SCHEMA_RFC2307BIS:
case SDAP_SCHEMA_AD:
- if (state->use_id_mapping
- && state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008) {
+ if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008) {
ret = sdap_get_ad_tokengroups_initgroups_recv(subreq);
}
else if (state->opts->support_matching_rule
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 89789204..b5e82044 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -365,12 +365,14 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq)
gid_t gid;
time_t now;
struct sysdb_attrs **users;
+ struct sysdb_attrs *group_attrs;
struct ldb_message_element *el;
struct ldb_message *msg;
char **ldap_grouplist;
char **sysdb_grouplist;
char **add_groups;
char **del_groups;
+ bool use_id_mapping;
const char *attrs[] = { SYSDB_NAME, NULL };
const char *group_name;
struct tevent_req *req =
@@ -455,29 +457,45 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq)
idmap_error_string(err)));
continue;
}
+
DEBUG(SSSDBG_TRACE_LIBS,
("Processing membership SID [%s]\n",
sid_str));
+
+ use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(state->opts->idmap_ctx,
+ sid_str);
ret = sdap_idmap_sid_to_unix(state->opts->idmap_ctx, sid_str,
&gid);
if (ret == ENOTSUP) {
DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n"));
ret = EOK;
continue;
- } else if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert SID to GID: [%s]. Skipping\n",
- strerror(ret)));
- continue;
}
- DEBUG(SSSDBG_TRACE_LIBS,
- ("Processing membership GID [%lu]\n",
- gid));
+ if (use_id_mapping) {
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not convert SID to GID: [%s]. Skipping\n",
+ strerror(ret)));
+ continue;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("Processing membership GID [%lu]\n",
+ gid));
+ /* Check whether this GID already exists in the sysdb */
+ ret = sysdb_search_group_by_gid(tmp_ctx, state->sysdb, state->domain,
+ gid, attrs, &msg);
+ } else {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("Processing membership group SID [%s]\n",
+ sid_str));
+
+ ret = sysdb_search_group_by_sid_str(tmp_ctx, state->sysdb,
+ state->domain, sid_str, attrs,
+ &msg);
+ }
- /* Check whether this GID already exists in the sysdb */
- ret = sysdb_search_group_by_gid(tmp_ctx, state->sysdb, state->domain,
- gid, attrs, &msg);
if (ret == EOK) {
group_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
if (!group_name) {
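Review bot: `use_id_mapping` is derived by passing the group's object SID (`sid_str`, which carries the RID) to `sdap_idmap_domain_has_algorithmic_mapping`, whose parameter is a domain SID; unless that helper strips the RID itself, the comparison may never match and every group would take the non-mapped branch, so this is worth confirming against the helper. On the non-mapped branch any `sdap_idmap_sid_to_unix` result other than ENOTSUP is silently discarded (`ret` is overwritten by `sysdb_search_group_by_sid_str`) and `gid` is left unset; if the ENOENT branch between this hunk and the next still hands `gid` to the incomplete-group creation, the non-mapped path would store an uninitialised GID. At minimum, a comment before `if (use_id_mapping) {` should state the intent, e.g. `/* Non-mapped domains: only the ENOTSUP (built-in object) result of the SID conversion matters here; the group is located by SID below. */`. The enclosing function starts and ends outside the hunk.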
@@ -503,6 +521,30 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq)
strerror(ret)));
goto done;
}
+
+ group_attrs = sysdb_new_attrs(tmp_ctx);
+ if (group_attrs == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(group_attrs, SYSDB_SID_STR,
+ sid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Could not add SID string: "
+ "[%s]\n", strerror(ret)));
+ goto done;
+ }
+
+ ret = sysdb_set_group_attr(state->sysdb,
+ state->domain,
+ group_name, group_attrs,
+ SYSDB_MOD_REP);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Could not save SID string "
+ "[%s] to sysdb.\n"));
+ goto done;
+ }
} else {
/* Unexpected error */
DEBUG(SSSDBG_MINOR_FAILURE,
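Review bot: The DEBUG call after a failed `sysdb_set_group_attr` has a `%s` conversion with no matching argument, so the logging path reads an undefined vararg — in a privileged daemon that is a crash or a leak of stack contents into the log, not a cosmetic slip. Supply the values the message needs: `DEBUG(SSSDBG_MINOR_FAILURE, ("Could not save SID string [%s] to sysdb: [%s]\n", sid_str, strerror(ret)));`. This write only runs in the not-found branch of the lookup, so a group that the mapped-domain path finds by GID but that lacks SYSDB_SID_STR never receives the attribute; if that is intended, a one-line comment saying so would save the next reader the question. The enclosing function continues outside the hunk.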