IPA: allow initgroups by SID for AD users

If a user from a trusted AD domain is search with the help of an override name the SID from the override anchor is used to search the user in AD. Currently the initgroups request only allows searches by name. With this patch a SID can be used as well. Resolves https://fedorahosted.org/sssd/ticket/2632 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
author: Sumit Bose <sbose@redhat.com> 2015-04-22 16:57:37 +0200
committer: Jakub Hrozek <jhrozek@redhat.com> 2015-04-29 11:33:22 +0200
commit: f70a1adbfc30b9acc302027439fb8157e0c6ea2a (patch)
tree: b65879cc54087e6e7fcc5aea4e2b86a4de3d1683 /src/db
parent: 82a958e6592c4a4078e45b7197bbe4751b70f511 (diff)
download: sssd-f70a1adbfc30b9acc302027439fb8157e0c6ea2a.tar.gz
sssd-f70a1adbfc30b9acc302027439fb8157e0c6ea2a.tar.xz
sssd-f70a1adbfc30b9acc302027439fb8157e0c6ea2a.zip
1 files changed, 16 insertions, 8 deletions
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 7acefcedd..39b3abb55 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1581,7 +1581,7 @@ done:
 
 errno_t sysdb_get_real_name(TALLOC_CTX *mem_ctx,
                             struct sss_domain_info *domain,
-                            const char *name_or_upn,
+                            const char *name_or_upn_or_sid,
                             const char **_cname)
 {
     errno_t ret;
@@ -1595,20 +1595,28 @@ errno_t sysdb_get_real_name(TALLOC_CTX *mem_ctx,
         return ENOMEM;
     }
 
-    ret = sysdb_getpwnam(tmp_ctx, domain, name_or_upn, &res);
+    ret = sysdb_getpwnam(tmp_ctx, domain, name_or_upn_or_sid, &res);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "Cannot canonicalize username\n");
         goto done;
     }
 
     if (res->count == 0) {
-        ret = sysdb_search_user_by_upn(tmp_ctx, domain, name_or_upn, NULL,
-                                       &msg);
+        ret = sysdb_search_user_by_upn(tmp_ctx, domain, name_or_upn_or_sid,
+                                       NULL, &msg);
         if (ret != EOK) {
-            /* User cannot be found in cache */
-            DEBUG(SSSDBG_OP_FAILURE, "Cannot find user [%s] in cache\n",
-                                     name_or_upn);
-            goto done;
+            if (ret == ENOENT) {
+                ret = sysdb_search_user_by_sid_str(tmp_ctx, domain,
+                                                   name_or_upn_or_sid, NULL,
+                                                   &msg);
+            }
+
+            if (ret != EOK) {
+                /* User cannot be found in cache */
+                DEBUG(SSSDBG_OP_FAILURE, "Cannot find user [%s] in cache\n",
+                                         name_or_upn_or_sid);
+                goto done;
+            }
         }
     } else if (res->count == 1) {
         msg = res->msgs[0];
author	Sumit Bose <sbose@redhat.com>	2015-04-22 16:57:37 +0200
committer	Jakub Hrozek <jhrozek@redhat.com>	2015-04-29 11:33:22 +0200
commit	f70a1adbfc30b9acc302027439fb8157e0c6ea2a (patch)
tree	b65879cc54087e6e7fcc5aea4e2b86a4de3d1683 /src/db
parent	82a958e6592c4a4078e45b7197bbe4751b70f511 (diff)
download	sssd-f70a1adbfc30b9acc302027439fb8157e0c6ea2a.tar.gz sssd-f70a1adbfc30b9acc302027439fb8157e0c6ea2a.tar.xz sssd-f70a1adbfc30b9acc302027439fb8157e0c6ea2a.zip