authorMichal Zidek <mzidek@redhat.com>2016-06-15 17:05:01 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-07-07 10:25:03 +0200
commita68e17d8fdc265d40e6f4a7d21a6d287a4bf23d5 (patch)
tree3e9889c3f0e0ed35fe643e864a1d08ba87e3bda1
parent7cc19286547260350afed9ef7176712f8fc66652 (diff)
SDAP: Store SID members during AD initgroups with a qualified name
This is to be consistent with how we name groups normally. We rename the groupnames when resolving the groups by ID anyway, but if we fail to do so, at least be consistent. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r--src/providers/ldap/sdap_async_initgroups_ad.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 92cedb05f..ad54c1fb8 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -916,7 +916,12 @@ errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
/* This is a new group. For now, we will store it under the name
* of its SID. When a direct lookup of the group or its GID occurs,
* it will replace this temporary entry. */
- name = sid;
+ name = sss_create_internal_fqname(tmp_ctx, sid, domain->name);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
ret = sysdb_add_incomplete_group(domain, name, gid,
NULL, sid, NULL, false, now);
if (ret != EOK) {
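Review bot: The comment directly above the new assignment is now stale: it still says the group is stored "under the name of its SID", but the entry is created under the value returned by `sss_create_internal_fqname(tmp_ctx, sid, domain->name)`. I would reword it to `/* This is a new group. For now, store it under its SID qualified with the domain name, so the temporary entry follows the same naming as resolved groups. A direct lookup of the group or its GID will replace it. */`. The bare SID is still passed separately as the SID argument of `sysdb_add_incomplete_group()`, so the comment should make clear that only the entry name changed. The hunk does not show whether anything else looks up these placeholder entries by the old bare-SID name, which is worth confirming since group membership drives access decisions. The body of sdap_ad_save_group_membership_with_idmapping starts and ends outside this hunk, so the `done` label and the lifetime of `tmp_ctx` are not visible here.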