authorJakub Hrozek <jhrozek@redhat.com>2017-10-19 17:18:15 +0200
committerJakub Hrozek <jhrozek@redhat.com>2017-10-26 10:11:22 +0200
commitac962e2b286988d8666b3b81bf8b55b1705b9ac0 (patch)
tree142d7fa0e07e8ee5853f9d50cc2818c4b0c6e1bd
parent057e8af379aa32f7d9ea48bfff22a3304c59444b (diff)
SYSDB: Prevent users and groups ID collision in MPG domains except for id_provider=local
This commit makes the check when adding an object in an MPG domain stricter, in the sense that not only are the same names not allowed in an MPG domain, but the same groups are not allowed either. This commit is a backwards-incompatible change, but one that is needed; otherwise requesting the duplicate group first and then requesting the user entry would yield two objects when searching by GID. In order to keep backwards compatibility, this uniqueness is NOT enforced with id_provider=local. This constraint can be removed in the future (or the local provider can be dropped altogether). Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-rw-r--r--src/db/sysdb_ops.c41
1 files changed, 38 insertions, 3 deletions
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 0e39a629a..2f8e36c6c 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1960,16 +1960,34 @@ int sysdb_add_user(struct sss_domain_info *domain,
}
if (domain->mpg) {
- /* In MPG domains you can't have groups with the same name as users,
- * search if a group with the same name exists.
+ /* In MPG domains you can't have groups with the same name or GID
+ * as users, search if a group with the same name exists.
* Don't worry about users, if we try to add a user with the same
* name the operation will fail */
ret = sysdb_search_group_by_name(tmp_ctx, domain, name, NULL, &msg);
if (ret != ENOENT) {
- if (ret == EOK) ret = EEXIST;
+ if (ret == EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group named %s already exists in an MPG domain\n",
+ name);
+ ret = EEXIST;
+ }
goto done;
}
+
+ if (strcasecmp(domain->provider, "local") != 0) {
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
+ if (ret != ENOENT) {
+ if (ret == EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group with GID [%"SPRIgid"] already exists in an "
+ "MPG domain\n", gid);
+ ret = EEXIST;
+ }
+ goto done;
+ }
+ }
}
/* check no other user with the same uid exist */
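Review bot: The DEBUG message in the new group-by-GID check prints `gid`, but the value that was actually searched for is `uid` (`sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg)`), so on a collision the log names a number other than the one that matched; unless gid is guaranteed to equal uid at this point, the message should print the searched value, i.e. `"Group with GID [%"SPRIuid"] already exists in an "` / `"MPG domain\n", uid);`. Separately, `strcasecmp(domain->provider, "local")` dereferences `domain->provider` unconditionally; if a domain can reach this path with the provider unset (test fixtures that build a bare domain come to mind, though that is not visible here) it is a NULL dereference, and a `domain->provider != NULL &&` guard would be cheap. The enclosing sysdb_add_user starts before this hunk and continues past it.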
@@ -2177,6 +2195,23 @@ int sysdb_add_group(struct sss_domain_info *domain,
}
goto done;
}
+
+ if (strcasecmp(domain->provider, "local") != 0) {
+ ret = sysdb_search_user_by_uid(tmp_ctx, domain, gid, NULL, &msg);
+ if (ret != ENOENT) {
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "User with the same UID exists in MPG domain: "
+ "[%"SPRIgid"].\n", gid);
+ ret = EEXIST;
+ } else {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "sysdb_search_user_by_uid failed for gid: "
+ "[%"SPRIgid"].\n", gid);
+ }
+ goto done;
+ }
+ }
}
/* check no other groups with the same gid exist */
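Review bot: The two new symmetric collision checks are logged inconsistently: here a UID/GID clash is reported at SSSDBG_TRACE_LIBS and a failed lookup also gets a message, while the group-by-GID check added to sysdb_add_user in the previous hunk reports the clash at SSSDBG_OP_FAILURE and says nothing when sysdb_search_group_by_gid fails with anything other than ENOENT. Since both clashes make the add fail with EEXIST, using SSSDBG_OP_FAILURE for the `"User with the same UID exists in MPG domain: "` message and adding the matching else-branch message to the user path would make the two code paths read the same and make the failure visible at the same log level. The `strcasecmp(domain->provider, "local") != 0` test is now duplicated verbatim in both functions; a small `static bool` helper carrying a one-line comment that the local provider is exempt only for backwards compatibility (as the commit message states) would keep the exemption in one place for when it is removed. The enclosing sysdb_add_group starts before this hunk and continues past it.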