On 11/22/2012 07:16 PM, Pavel Březina wrote:
On 11/22/2012 06:47 PM, Jakub Hrozek wrote:
On Thu, Nov 22, 2012 at 10:38:28AM +0100, Michal Židek wrote:
On 11/22/2012 10:27 AM, Pavel Březina wrote:
On 11/21/2012 03:00 PM, Michal Židek wrote:
On 11/21/2012 11:04 AM, Jakub Hrozek wrote:
On Tue, Nov 20, 2012 at 03:20:06PM +0100, Pavel Březina wrote:
We should propagate the built-in sid error instead of misusing id.
Maybe
return IDMAP* directly and return errno value in new output
parameter.
I actually think that using a special ID value is OK. We've been
treating the UID and GID 0 as a special case before anyway for the
fake
users and groups. Also sdap_idmap_sid_to_unix() is supposed to return
errno and not IDMAP* anyway, so even if we introduced a new IDMAP*
return code, we would have to translate it into an (errno, id) tuple.
The NSS responder would skip groups with a zero GID anyway.
I let this as it was in the previous patch. The other things are
fixed.
New patch attached.
Thanks
Michal
Nack.
+static bool sss_idmap_sid_is_builtin(const char *sid)
+{
+ if (strncmp(sid, "S-1-5-32-", 9) == 0) {
+ return true;
+ }
+
+ return true;
should say false ^
It looks good otherwise.
New patch attached.
Thanks
Michal
I was thinking about it some more and I think that Pavel is right, a
special
errno code would make the caller's code more readable. Maybe ENOTSUP
would
be usable?
+1
Sorry I steered you in the wrong direction.
This patch does the same as previous, but uses the ENOTSUP to indicate
that SID was processed.
Thanks
Michal
>From b2aba3637e25465539560476056b1311522db8dc Mon Sep 17 00:00:00 2001
From: Michal Zidek <mzi...@redhat.com>
Date: Wed, 14 Nov 2012 15:36:22 +0100
Subject: [PATCH] idmap: Silence DEBUG messages when dealing with built-in
SIDs.
When converting built-in SID to unix GID/UID a confusing debug
message about the failed conversion was printed. This patch special
cases these built-in objects.
https://fedorahosted.org/sssd/ticket/1593
---
src/lib/idmap/sss_idmap.c | 13 +++++++++++++
src/lib/idmap/sss_idmap.h | 5 ++++-
src/providers/ldap/sdap_async_groups.c | 18 +++++++++++++-----
src/providers/ldap/sdap_async_initgroups_ad.c | 6 +++++-
src/providers/ldap/sdap_async_users.c | 14 +++++++++++---
src/providers/ldap/sdap_idmap.c | 25 ++++++++++++++++++-------
6 files changed, 64 insertions(+), 17 deletions(-)
diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c
index c589bd4..d7254e3 100644
--- a/src/lib/idmap/sss_idmap.c
+++ b/src/lib/idmap/sss_idmap.c
@@ -280,6 +280,15 @@ fail:
return IDMAP_OUT_OF_MEMORY;
}
+static bool sss_idmap_sid_is_builtin(const char *sid)
+{
+ if (strncmp(sid, "S-1-5-32-", 9) == 0) {
+ return true;
+ }
+
+ return false;
+}
+
enum idmap_error_code sss_idmap_sid_to_unix(struct sss_idmap_ctx *ctx,
const char *sid,
uint32_t *id)
@@ -293,6 +302,10 @@ enum idmap_error_code sss_idmap_sid_to_unix(struct sss_idmap_ctx *ctx,
idmap_domain_info = ctx->idmap_domain_info;
+ if (sid && sss_idmap_sid_is_builtin(sid)) {
+ return IDMAP_BUILTIN_SID;
+ }
+
while (idmap_domain_info != NULL) {
dom_len = strlen(idmap_domain_info->sid);
if (strlen(sid) > dom_len && sid[dom_len] == '-' &&
diff --git a/src/lib/idmap/sss_idmap.h b/src/lib/idmap/sss_idmap.h
index 6b7cbe5..22a4d54 100644
--- a/src/lib/idmap/sss_idmap.h
+++ b/src/lib/idmap/sss_idmap.h
@@ -68,7 +68,10 @@ enum idmap_error_code {
IDMAP_SID_UNKNOWN,
/** The provided UID or GID could not be mapped */
- IDMAP_NO_RANGE
+ IDMAP_NO_RANGE,
+
+ /** The provided SID is a built-in one */
+ IDMAP_BUILTIN_SID
};
/**
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index b635dc2..39c5426 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -382,11 +382,17 @@ static int sdap_save_group(TALLOC_CTX *memctx,
/* Convert the SID into a UNIX group ID */
ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &gid);
- if (ret != EOK) {
+ if (ret != EOK && ret != ENOTSUP) {
DEBUG(SSSDBG_MINOR_FAILURE,
("Could not convert SID string: [%s]\n",
strerror(ret)));
goto fail;
+ } else if (ret == ENOTSUP) {
+ /* ENOTSUP is returned if built-in SID was provided
+ * => fail to store the group, but return EOK */
+ DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n"));
+ ret = EOK;
+ goto fail;
}
/* Store the GID in the ldap_attrs so it doesn't get
@@ -525,10 +531,12 @@ static int sdap_save_group(TALLOC_CTX *memctx,
return EOK;
fail:
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Failed to save group [%s]: [%s]\n",
- name ? name : "Unknown",
- strerror(ret)));
+ if (ret) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Failed to save group [%s]: [%s]\n",
+ name ? name : "Unknown",
+ strerror(ret)));
+ }
talloc_free(tmpctx);
return ret;
}
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 7da3f50..ea0a105 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -452,11 +452,15 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq)
sid_str));
ret = sdap_idmap_sid_to_unix(state->opts->idmap_ctx, sid_str,
&gid);
- if (ret != EOK) {
+ if (ret != EOK && ret != ENOTSUP) {
DEBUG(SSSDBG_MINOR_FAILURE,
("Could not convert SID to GID: [%s]. Skipping\n",
strerror(ret)));
continue;
+ } else if (ret == ENOTSUP) {
+ DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n"));
+ ret = EOK;
+ continue;
}
DEBUG(SSSDBG_TRACE_LIBS,
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index d706740..f86a5ca 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -149,7 +149,13 @@ int sdap_save_user(TALLOC_CTX *memctx,
/* Convert the SID into a UNIX user ID */
ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &uid);
- if (ret != EOK) goto fail;
+ if (ret != EOK && ret != ENOTSUP) {
+ goto fail;
+ } else if (ret == ENOTSUP) {
+ DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n"));
+ ret = EOK;
+ goto fail;
+ }
/* Store the UID in the ldap_attrs so it doesn't get
* treated as a missing attribute from LDAP and removed.
@@ -382,8 +388,10 @@ int sdap_save_user(TALLOC_CTX *memctx,
return EOK;
fail:
- DEBUG(2, ("Failed to save user [%s]\n",
- name ? name : "Unknown"));
+ if (ret) {
+ DEBUG(2, ("Failed to save user [%s]\n",
+ name ? name : "Unknown"));
+ }
talloc_free(tmpctx);
return ret;
}
diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c
index 9ace11b..e51fcc6 100644
--- a/src/providers/ldap/sdap_idmap.c
+++ b/src/providers/ldap/sdap_idmap.c
@@ -380,13 +380,10 @@ sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
err = sss_idmap_sid_to_unix(idmap_ctx->map,
sid_str,
(uint32_t *)id);
- if (err != IDMAP_SUCCESS && err != IDMAP_NO_DOMAIN) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("Could not convert objectSID [%s] to a UNIX ID\n",
- sid_str));
- ret = EIO;
- goto done;
- } else if (err == IDMAP_NO_DOMAIN) {
+ switch (err) {
+ case IDMAP_SUCCESS:
+ break;
+ case IDMAP_NO_DOMAIN:
/* This is the first time we've seen this domain
* Create a new domain for it. We'll use the dom-sid
* as the domain name for now, since we don't have
@@ -420,6 +417,20 @@ sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
ret = EIO;
goto done;
}
+ break;
+ case IDMAP_BUILTIN_SID:
+ DEBUG(SSSDBG_TRACE_FUNC,
+ ("Object SID [%s] is a built-in one.\n", sid_str));
+ /* ENOTSUP indicates built-in SID */
+ ret = ENOTSUP;
+ goto done;
+ break;
+ default:
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not convert objectSID [%s] to a UNIX ID\n",
+ sid_str));
+ ret = EIO;
+ goto done;
}
ret = EOK;
--
1.7.11.2
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
