author | Sumit Bose <sbose@redhat.com> | 2017-07-20 20:01:14 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2017-07-25 10:48:55 +0200 |
commit | a406b52a0d20e0ec502f52d63dee293636d1443a (patch) | |
tree | e77ef2f206c9b87c9df7f4b4ae2e27a08190d8b2 | |
parent | 865cbab7db1458422033bbd19197516110b9deca (diff) | |
ad_account_can_shortcut: shortcut if ID is unknown
If sss_idmap_unix_to_sid() returns an error we can assume that the given
POSIX ID is not from the current domain and can be skipped. This is e.g.
the case in the IPA provider if a POSIX ID used in the IPA domain is
checked in a trusted id-mapped AD domain before the IPA domain is
checked.
Resolves https://pagure.io/SSSD/sssd/issue/3452
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r-- | src/providers/ad/ad_id.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c index d1f6c444f..e14ada386 100644 --- a/src/providers/ad/ad_id.c +++ b/src/providers/ad/ad_id.c @@ -86,6 +86,8 @@ static bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx, if (err != IDMAP_SUCCESS) { DEBUG(SSSDBG_MINOR_FAILURE, "Mapping ID [%s] to SID failed: " "[%s]\n", filter_value, idmap_error_string(err)); + /* assume id is from a different domain */ + shortcut = true; goto done; } /* fall through */ |
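Review bot: The new `shortcut = true;` inside the `if (err != IDMAP_SUCCESS)` branch applies to every failure of the ID-to-SID mapping, not only to the case the comment names ("assume id is from a different domain"). A failure unrelated to domain membership would therefore also cause this domain to be skipped for the ID. Consider setting the shortcut only for the error code or codes that mean the ID lies outside this domain's ranges, and letting other failures reach `goto done` without it, as before. The DEBUG message also still reports only that the mapping failed; stating there that the lookup is being shortcut as a result would make skipped lookups easier to trace in the logs.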