author Sumit Bose <sbose@redhat.com> 2017-07-20 20:01:14 +0200
committer Jakub Hrozek <jhrozek@redhat.com> 2017-07-25 10:48:55 +0200
commit a406b52a0d20e0ec502f52d63dee293636d1443a
tree e77ef2f206c9b87c9df7f4b4ae2e27a08190d8b2
parent 865cbab7db1458422033bbd19197516110b9deca
ad_account_can_shortcut: shortcut if ID is unknown

If sss_idmap_unix_to_sid() returns an error we can assume that the given POSIX ID is not from the current domain and can be skipped. This is e.g. the case in the IPA provider if a POSIX ID used in the IPA domain is checked in a trusted id-mapped AD domain before the IPA domain is checked.

Resolves https://pagure.io/SSSD/sssd/issue/3452

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

-rw-r--r-- src/providers/ad/ad_id.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index d1f6c444f..e14ada386 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -86,6 +86,8 @@ static bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx,
if (err != IDMAP_SUCCESS) {
DEBUG(SSSDBG_MINOR_FAILURE, "Mapping ID [%s] to SID failed: "
"[%s]\n", filter_value, idmap_error_string(err));
+ /* assume id is from a different domain */
+ shortcut = true;
goto done;
}
/* fall through */
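
Review bot: In the `err != IDMAP_SUCCESS` branch, `shortcut = true` is now set for every error value that sss_idmap_unix_to_sid() can return, not only for the case the commit message describes (a POSIX ID that does not belong to this domain). If the call can fail for any other reason, that failure would also cause this domain to be skipped for the ID, and the lookup result would then depend on an error that has nothing to do with ID ownership. Consider setting the shortcut only for the error code that means the ID is outside the domain's mapped ranges and keeping the previous behaviour for other failures, or extend the comment to state why every error is safe to treat this way. The DEBUG message still reads only "Mapping ID ... to SID failed"; adding that the request is being skipped for this domain would make the decision visible when tracing a missing user or group.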