Diffstat (limited to 'src')
-rw-r--r-- | src/providers/ldap/sdap_async_initgroups.c | 1 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_initgroups_ad.c | 67 |
2 files changed, 43 insertions, 25 deletions
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 4e9aab7c..fc48f91a 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2559,6 +2559,7 @@ struct sdap_get_initgr_state {
 struct sdap_search_base **user_search_bases;
 bool use_id_mapping;
+ bool failed_tokengroups;
 };
 static errno_t sdap_get_initgr_next_base(struct tevent_req *req);
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index e5649a2b..9b2a2908 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -377,6 +377,8 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq)
 tevent_req_callback_data(subreq, struct tevent_req);
 struct sdap_ad_tokengroups_initgr_state *state =
 tevent_req_data(req, struct sdap_ad_tokengroups_initgr_state);
+ struct sdap_get_initgr_state *istate =
+ tevent_req_data(req, struct sdap_get_initgr_state);
 tmp_ctx = talloc_new(NULL);
 if (!tmp_ctx) {
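Review bot: The added `istate = tevent_req_data(req, struct sdap_get_initgr_state)` reads the private data of the same `req` that the declaration just above already retrieves as `struct sdap_ad_tokengroups_initgr_state`. A tevent request carries a single state object and `tevent_req_data()` normally type-checks it through `talloc_get_type_abort()`, so this lookup looks like it would abort the backend on a tokenGroups reply instead of returning the parent initgroups state. `struct sdap_get_initgr_state` is also declared in sdap_async_initgroups.c by this same commit, so it is not evident from the page that the definition is visible in this file. Carrying the value in the request's own state, for example a `bool use_id_mapping;` member of `struct sdap_ad_tokengroups_initgr_state` filled in when the request is created, would avoid both problems. The function body starts and ends outside this hunk.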
@@ -464,20 +466,29 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq)
 DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n"));
 ret = EOK;
 continue;
- } else if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert SID to GID: [%s]. Skipping\n",
- strerror(ret)));
- continue;
 }
- DEBUG(SSSDBG_TRACE_LIBS,
- ("Processing membership GID [%lu]\n",
- gid));
+ if (istate->use_id_mapping) {
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not convert SID to GID: [%s]. Skipping\n",
+ strerror(ret)));
+ continue;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("Processing membership GID [%lu]\n",
+ gid));
+
+ /* Check whether this GID already exists in the sysdb */
+ ret = sysdb_search_group_by_gid(tmp_ctx, state->sysdb, state->domain,
+ gid, attrs, &msg);
+ } else {
+ ret = sysdb_search_group_by_sid_str(tmp_ctx, state->sysdb,
+ state->domain, sid_str, attrs,
+ &msg);
+ }
- /* Check whether this GID already exists in the sysdb */
- ret = sysdb_search_group_by_gid(tmp_ctx, state->sysdb, state->domain,
- gid, attrs, &msg);
 if (ret == EOK) {
 group_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
 if (!group_name) {
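Review bot: In the new `else` branch the `ret` left by the SID-to-GID conversion above the hunk is overwritten by `sysdb_search_group_by_sid_str()` without being checked or logged, and the branch has no trace line to match `Processing membership GID`. That is fine only as long as `gid` is never read on this path, which a reader cannot confirm from the hunk. A comment such as `/* ID mapping is off: the converted GID is not used, look the group up by its SID */` and a `DEBUG(SSSDBG_TRACE_LIBS, ("Processing membership SID [%s]\n", sid_str));` would make the intent explicit and keep the two paths equally traceable. The loop body continues outside the hunk.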
@@ -487,20 +498,26 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq)
 goto done;
 }
 } else if (ret == ENOENT) {
- /* This is a new group. For now, we will store it
- * under the name of its SID. When a direct lookup of
- * the group or its GID occurs, it will replace this
- * temporary entry.
- */
- group_name = sid_str;
- ret = sysdb_add_incomplete_group(state->sysdb,
- state->domain,
- group_name, gid,
- NULL, sid_str, false, now);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not create incomplete group: [%s]\n",
- strerror(ret)));
+ if (istate->use_id_mapping) {
+ /* This is a new group. For now, we will store it
+ * under the name of its SID. When a direct lookup of
+ * the group or its GID occurs, it will replace this
+ * temporary entry.
+ */
+ group_name = sid_str;
+ ret = sysdb_add_incomplete_group(state->sysdb,
+ state->domain,
+ group_name, gid,
+ NULL, sid_str, false, now);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not create incomplete group: [%s]\n",
+ strerror(ret)));
+ goto done;
+ }
+ } else {
+ istate->failed_tokengroups = true;
+ ret = EOK;
 goto done;
 }
 } else { |
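Review bot: In the new `else` branch the first tokenGroups SID that is not already in the cache sets `istate->failed_tokengroups = true`, forces `ret = EOK` and jumps to `done` with no log line, so the request reports success while the remaining SIDs are never processed. Group membership feeds access-control decisions, so the caller has to treat the flag as "this result is unusable" and resolve groups another way; that consumer is not visible on this page and should be confirmed. Log the reason before leaving, for example `DEBUG(SSSDBG_TRACE_FUNC, ("Group with SID [%s] is not cached, tokenGroups result will not be used\n", sid_str));`, and add a comment on `failed_tokengroups` in `struct sdap_get_initgr_state` saying who sets it and who must check it. The enclosing function continues outside the hunk.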