diff options
author | Sumit Bose <sbose@redhat.com> | 2016-02-18 13:03:44 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-02-26 11:59:58 +0100 |
commit | b25d33b0a775e2337014a334699156ac56b08f9b (patch) | |
tree | 68975ca7cc9ac1ee0615d51f0b60350c1ae1b1e3 | |
parent | b5797517abb117cff7330acc894b71deda74be3d (diff) | |
download | sssd-b25d33b0a775e2337014a334699156ac56b08f9b.tar.gz sssd-b25d33b0a775e2337014a334699156ac56b08f9b.tar.xz sssd-b25d33b0a775e2337014a334699156ac56b08f9b.zip |
IPA: lookup idview name even if there is no master domain record
Currently the IPA subdomain provider returns with a error if there is no
master domain record found. Since this record contains data which is
only needed to create a trust with AD, like e.g. the IPA domain SID,
this record is only created by ipa-adtrust-install. But the idview name
is read after the master domain record. To make the idview feature work
with a plain FreeIPA setup without running ipa-adtrust-install the
missing master domain record should be handled gracefully and the
following lookup should run as well.
Resolves https://fedorahosted.org/sssd/ticket/2960
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r-- | src/providers/ipa/ipa_subdomains.c | 78 |
1 files changed, 43 insertions, 35 deletions
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c index 8bbbad0ab..20b1c9cbf 100644 --- a/src/providers/ipa/ipa_subdomains.c +++ b/src/providers/ipa/ipa_subdomains.c @@ -1219,6 +1219,9 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req) size_t reply_count = 0; struct sysdb_attrs **reply = NULL; struct ipa_subdomains_req_ctx *ctx; + const char *flat = NULL; + const char *id = NULL; + const char *realm = NULL; ctx = tevent_req_callback_data(req, struct ipa_subdomains_req_ctx); @@ -1230,10 +1233,6 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req) } if (reply_count) { - const char *flat = NULL; - const char *id = NULL; - const char *realm; - ret = sysdb_attrs_get_string(reply[0], IPA_FLATNAME, &flat); if (ret != EOK) { goto done; @@ -1244,31 +1243,9 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req) goto done; } - realm = dp_opt_get_string(ctx->sd_ctx->id_ctx->ipa_options->basic, - IPA_KRB5_REALM); - if (realm == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n"); - ret = EINVAL; - goto done; - } - - ret = sysdb_master_domain_add_info(ctx->sd_ctx->be_ctx->domain, - realm, flat, id, NULL); - if (ret != EOK) { - goto done; - } - /* There is only one master record. Don't bother checking other IPA * search bases; move to checking subdomains instead */ - ret = ipa_subdomains_handler_get_start(ctx, - ctx->sd_ctx->search_bases, - IPA_SUBDOMAINS_SLAVE); - if (ret == EAGAIN) { - return; - } - - /* Either no search bases or an error. End the request in both cases */ } else { ret = ipa_subdomains_handler_get_cont(ctx, IPA_SUBDOMAINS_MASTER); if (ret == EAGAIN) { @@ -1277,17 +1254,48 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req) goto done; } - /* Right now we know there has been an error - * and we don't have the master domain record - */ - DEBUG(SSSDBG_CRIT_FAILURE, "Master domain record not found!\n"); + /* All search paths are searched and no master domain record was + * found. + * + * A default IPA installation will not have a master domain record, + * this is only created by ipa-adtrust-install. Nevertheless we should + * continue to read other data like the idview on IPA clients. */ - if (!ctx->sd_ctx->configured_explicit) { - ctx->sd_ctx->disabled_until = time(NULL) + - IPA_SUBDOMAIN_DISABLED_PERIOD; - } + DEBUG(SSSDBG_TRACE_INTERNAL, "Master domain record not found!\n"); - ret = EIO; + } + + realm = dp_opt_get_string(ctx->sd_ctx->id_ctx->ipa_options->basic, + IPA_KRB5_REALM); + if (realm == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n"); + ret = EINVAL; + goto done; + } + + ret = sysdb_master_domain_add_info(ctx->sd_ctx->be_ctx->domain, + realm, flat, id, NULL); + if (ret != EOK) { + goto done; + } + + ret = ipa_subdomains_handler_get_start(ctx, + ctx->sd_ctx->search_bases, + IPA_SUBDOMAINS_SLAVE); + if (ret == EAGAIN) { + return; + } else if (ret == EOK) { + /* If there are no search bases defined for subdomains try to get the + * idview before ending the request */ + if (ctx->sd_ctx->id_ctx->server_mode == NULL) { + /* Only get view on clients, on servers it is always 'default' */ + ret = ipa_get_view_name(ctx); + if (ret == EAGAIN) { + return; + } else if (ret != EOK) { + goto done; + } + } } done: |