authorSumit Bose <sbose@redhat.com>2012-11-26 22:16:49 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-01-08 14:42:56 +0100
commit6b2c6d2818804bbfd142346d6034d160560bae14 (patch)
tree5d9d35119dbb8d6a113da2e3919c9af2a6b9a461
parentf34ea77a5b87e778ece155485c36e756d5137686 (diff)
Read remote groups from PAC
Read the user's group memberships in the remote domain the user belongs to from the PAC and add them to the cache. Fixes: https://fedorahosted.org/sssd/ticket/1666
-rw-r--r--src/responder/pac/pacsrv_utils.c55
1 files changed, 52 insertions, 3 deletions
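diff --git a/src/responder/pac/pacsrv_utils.c b/src/responder/pac/pacsrv_utils.c
index 217e27ab5..2daced2b2 100644
--- a/src/responder/pac/pacsrv_utils.c
+++ b/src/responder/pac/pacsrv_utils.c
@@ -437,8 +437,9 @@ errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
 struct netr_SamInfo3 *info3;
 struct pac_grp *gids = NULL;
 struct sss_domain_info *grp_dom;
-char *sid_str;
+char *sid_str = NULL;
 enum idmap_error_code err;
+struct dom_sid *grp_sid = NULL;
 if (pac_ctx == NULL || range_map == NULL || domain_sid == NULL ||
 logon_info == NULL || _gid_count == NULL || _gids == NULL) {
@@ -448,13 +449,14 @@ errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
 info3 = &logon_info->info3;
-if (info3->sidcount == 0) {
+if (info3->sidcount == 0 && info3->base.groups.count == 0) {
 DEBUG(SSSDBG_TRACE_ALL, ("No extra groups found.\n"));
 ret = EOK;
 goto done;
 }
-gids = talloc_zero_array(mem_ctx, struct pac_grp, info3->sidcount);
+gids = talloc_zero_array(mem_ctx, struct pac_grp,
+info3->sidcount + info3->base.groups.count);
 if (gids == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, ("talloc_array failed.\n"));
 ret = ENOMEM;
@@ -492,9 +494,56 @@ errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
 }
 }
+talloc_zfree(sid_str);
+err = sss_idmap_smb_sid_to_sid(pac_ctx->idmap_ctx, info3->base.domain_sid,
+&sid_str);
+if (err != IDMAP_SUCCESS) {
+DEBUG(SSSDBG_OP_FAILURE, ("sss_idmap_smb_sid_to_sid failed.\n"));
+ret = EFAULT;
+goto done;
+}
+
+grp_dom = find_domain_by_id(pac_ctx->rctx->domains, sid_str);
+if (grp_dom == NULL) {
+DEBUG(SSSDBG_OP_FAILURE, ("find_domain_by_id failed.\n"));
+ret = EINVAL;
+goto done;
+}
+
+err = sss_idmap_sid_to_smb_sid(pac_ctx->idmap_ctx, sid_str, &grp_sid);
+if (err != IDMAP_SUCCESS) {
+DEBUG(SSSDBG_OP_FAILURE, ("sss_idmap_sid_to_smb_sid failed.\n"));
+ret = EFAULT;
+goto done;
+}
+
+grp_sid->num_auths++;
+
+for (s = 0; s < info3->base.groups.count; s++) {
+grp_sid->sub_auths[grp_sid->num_auths - 1] =
+info3->base.groups.rids[s].rid;
+err = sss_idmap_smb_sid_to_unix(pac_ctx->idmap_ctx, grp_sid,
+&gids[g].gid);
+if (err != IDMAP_SUCCESS) {
+DEBUG(SSSDBG_FATAL_FAILURE, ("sss_idmap_smb_sid_to_unix failed for"
+"[%s] [%d].\n", sid_str,
+info3->base.groups.rids[s].rid));
+ret = ENOENT;
+goto done;
+}
+
+gids[g].grp_dom = grp_dom;
+DEBUG(SSSDBG_TRACE_ALL, ("Found extra group "
+"with gid [%d].\n", gids[g].gid));
+g++;
+}
+
 ret = EOK;
 done:
+talloc_free(sid_str);
+talloc_free(grp_sid);
+
 if (ret == EOK) {
 *_gid_count = g;
 *_gids = gids;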
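Review bot: `grp_sid->num_auths++;` followed by the write to `grp_sid->sub_auths[grp_sid->num_auths - 1]` in the new RID loop has no check that the domain SID still has room for one more sub-authority; `sub_auths` is a fixed-size array in `struct dom_sid` (15 entries in Samba's definition, to be confirmed against the header SSSD builds with) and the SID is taken from `info3->base.domain_sid` in the PAC, so the increment should be guarded first, e.g. `if (grp_sid->num_auths >= (int)(sizeof(grp_sid->sub_auths) / sizeof(grp_sid->sub_auths[0]))) { DEBUG(SSSDBG_OP_FAILURE, ("Domain SID has no room for a RID.\n")); ret = EINVAL; goto done; }`. A smaller point: the two DEBUG calls print `info3->base.groups.rids[s].rid` and `gids[g].gid` with `%d` although neither is an `int`; `"%" PRIu32` for the RID (and a matching conversion for the gid) keeps the format tied to its argument. Also, a single RID that `sss_idmap_smb_sid_to_unix` cannot map makes the whole call return ENOENT and discards every group gathered so far; if that is intended it deserves a one-line comment, otherwise skipping that RID with a debug message would be the more forgiving choice. `get_gids_from_pac` begins before the first hunk, and the earlier SID loop whose `sid_str` the new `talloc_zfree(sid_str)` releases sits between the second and third hunks, so how `g` and `sid_str` are advanced there is not visible here.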