Hi, the attached patches should fix https://fedorahosted.org/sssd/ticket/2027, i.e. always show that an AD user is a member of its primary AD group, even for subdomains.
The first patch in this series just fixes a typo I came across while working on #2027. bye, Sumit
From 9a7272c4f0d875d036bef0e04f0c7ea9a1f6d296 Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Wed, 14 Aug 2013 12:48:40 +0200
Subject: [PATCH 1/3] sdap_get_initgr_done: use the right SID to get a GID

---
 src/providers/ldap/sdap_async_initgroups.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 5242c1a..02158a6 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2937,7 +2937,8 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
         }
 
         /* Convert the SID into a UNIX group ID */
-        ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &primary_gid);
+        ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, group_sid_str,
+                                     &primary_gid);
         if (ret != EOK) goto fail;
     } else {
         ret = sysdb_attrs_get_uint32_t(state->orig_user, SYSDB_GIDNUM,
-- 
1.7.7.6
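Review bot: With the corrected SID, a failing `sdap_idmap_sid_to_unix()` still takes the bare `if (ret != EOK) goto fail;` on the line after the change, so a group SID that the ID-mapping range rejects aborts the whole initgroups request without any record of which SID could not be mapped. I would log it before jumping, in the DEBUG style used elsewhere in this series: `DEBUG(SSSDBG_MINOR_FAILURE, ("Cannot convert SID [%s] to a GID.\n", group_sid_str));`, and brace the conditional while touching it. sdap_get_initgr_done's body starts and ends outside the hunk.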
From 954dd661523e715d8efc02f35b813e1f4523f758 Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Wed, 14 Aug 2013 16:55:34 +0200
Subject: [PATCH 2/3] sdap_save_user: save original primary GID of subdomain users

If ID mapping is enabled we use magic private groups (MPG) for subdomains, i.e. the UID and the primary GID of the user will have the same numerical value. As a consequence the information about the original primary group might get lost because neither in AD domains nor on a typical UNIX system the user is an explicit member of it's primary group. With this patch the mapped GID or the original primary group is saved in the cached user object under a new attribute. Fixes https://fedorahosted.org/sssd/ticket/2027
---
 src/db/sysdb.h | 1 +
 src/providers/ldap/sdap_async_users.c | 33 ++++++++++++++++++++++-----------
 2 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 7045edf..53fb860 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -105,6 +105,7 @@
 #define SYSDB_UUID "uniqueID"
 #define SYSDB_SID "objectSID"
 #define SYSDB_PRIMARY_GROUP "ADPrimaryGroupID"
+#define SYSDB_PRIMARY_GROUP_GIDNUM "origPrimaryGroupGidNumber"
 #define SYSDB_SID_STR "objectSIDString"
 #define SYSDB_UPN "userPrincipalName"
 #define SYSDB_CCACHE_FILE "ccacheFile"
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 07ddb62..353dc39 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -269,19 +269,30 @@ int sdap_save_user(TALLOC_CTX *memctx,
     }
 
     if (use_id_mapping) {
-        if (IS_SUBDOMAIN(dom) == false) {
-            ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str,
-                                             &gid);
-            if (ret) {
-                DEBUG(SSSDBG_CRIT_FAILURE,
-                      ("Cannot get the GID for [%s] in domain [%s].\n",
-                       user_name, dom->name));
-                goto done;
-            }
-        } else {
+        ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str,
+                                         &gid);
+        if (ret) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  ("Cannot get the GID for [%s] in domain [%s].\n",
+                   user_name, dom->name));
+            goto done;
+        }
+
+        if (IS_SUBDOMAIN(dom)) {
             /* For subdomain users, only create the private group as
-             * the subdomain is an MPG domain
+             * the subdomain is an MPG domain.
+             * But we have to save the GID of the original primary group
+             * becasuse otherwise this information might be lost because
+             * typically (Unix and AD) the user is not listed in his primary
+             * group as a member.
              */
+            ret = sysdb_attrs_add_uint32(user_attrs, SYSDB_PRIMARY_GROUP_GIDNUM,
+                                         (uint32_t) gid);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_uint32 failed.\n"));
+                goto done;
+            }
+            gid = 0;
         }
-- 
1.7.7.6
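Review bot: `sdap_get_idmap_primary_gid()` is now called for subdomain users too, and its failure path keeps the `goto done`, so a subdomain user whose primaryGroupID is missing or whose group SID falls outside the configured ID range is no longer cached at all, whereas before this change such a user was saved with just the private group. For the MPG case the original primary GID is only supplementary information, so I would make that lookup failure non-fatal for subdomains (log it, skip writing `SYSDB_PRIMARY_GROUP_GIDNUM`, keep `gid = 0`) and reserve the hard failure for the non-MPG path where the value is the user's actual gidNumber; if the stricter behaviour is intended, the commit message should say so. The new comment also has typos (`becasuse`, and a doubled `because`); `...save the GID of the original primary group because otherwise this information is lost: typically (UNIX and AD) the user is not an explicit member of its primary group.` reads cleaner. sdap_save_user continues outside the hunk, so I have not checked whether later code tests `ret` before reassigning it.
```c
        ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str,
                                         &gid);
        if (ret) {
            if (!IS_SUBDOMAIN(dom)) {
                DEBUG(SSSDBG_CRIT_FAILURE,
                      ("Cannot get the GID for [%s] in domain [%s].\n",
                       user_name, dom->name));
                goto done;
            }
            /* MPG subdomain: the original primary GID is supplementary,
             * do not refuse to cache the user because it cannot be mapped */
            DEBUG(SSSDBG_MINOR_FAILURE,
                  ("Cannot get the original primary GID for [%s] in domain [%s].\n",
                   user_name, dom->name));
            gid = 0;
        }

        if (IS_SUBDOMAIN(dom)) {
            if (gid != 0) {
                /* … unchanged: comment and sysdb_attrs_add_uint32() of gid … */
            }
            gid = 0;
        }
```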
From 0f4e594207d8902ffb8026267aa54ec84b979697 Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Wed, 14 Aug 2013 17:13:13 +0200
Subject: [PATCH 3/3] fill_initgr: add original primary GID if available

In some cases when MPG domains are used the information about the original primary group of a user cannot be determined by looking at the explicit group memberships. In those cases the GID related to the original primary group is stored in a special attribute of the user object. This patch adds the GID of the original primary group when available and needed. Fixes https://fedorahosted.org/sssd/ticket/2027
---
 src/db/sysdb.h | 1 +
 src/responder/nss/nsssrv_cmd.c | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 0 deletions(-)

diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 53fb860..7b02b34 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -170,6 +170,7 @@
                         SYSDB_GIDNUM, SYSDB_GECOS, \
                         SYSDB_HOMEDIR, SYSDB_SHELL, \
                         SYSDB_DEFAULT_ATTRS, \
+                        SYSDB_PRIMARY_GROUP_GIDNUM, \
                         NULL}
 #define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \
                         SYSDB_MEMBERUID, \
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 888d165..7325333 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -3399,6 +3399,7 @@ static int fill_initgr(struct sss_packet *packet, struct ldb_result *res)
     int ret, i, num, bindex;
     int skipped = 0;
     const char *posix;
+    gid_t orig_primary_gid;
 
     if (res->count == 0) {
         return ENOENT;
@@ -3413,6 +3414,20 @@ static int fill_initgr(struct sss_packet *packet, struct ldb_result *res)
     }
 
     sss_packet_get_body(packet, &body, &blen);
+    orig_primary_gid = ldb_msg_find_attr_as_uint64(res->msgs[0],
+                                                   SYSDB_PRIMARY_GROUP_GIDNUM,
+                                                   0);
+
+    /* If the GID of the original primary group is available but equal to the
+     * current primary GID it must not be added. */
+    if (orig_primary_gid != 0) {
+        gid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_GIDNUM, 0);
+
+        if (orig_primary_gid == gid) {
+            orig_primary_gid = 0;
+        }
+    }
+
     /* skip first entry, it's the user entry */
     bindex = 0;
     for (i = 0; i < num; i++) {
@@ -3429,6 +3444,18 @@ static int fill_initgr(struct sss_packet *packet, struct ldb_result *res)
         }
         ((uint32_t *)body)[2 + bindex] = gid;
         bindex++;
+
+        /* do not add the GID of the original primary group is the user is
+         * already and explicit member of the group. */
+        if (orig_primary_gid == gid) {
+            orig_primary_gid = 0;
+        }
+    }
+
+    if (orig_primary_gid != 0) {
+        ((uint32_t *)body)[2 + bindex] = orig_primary_gid;
+        bindex++;
+        num++;
     }
 
     ((uint32_t *)body)[0] = num-skipped; /* num results */
-- 
1.7.7.6
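Review bot: `orig_primary_gid` is a `gid_t`, but `ldb_msg_find_attr_as_uint64()` hands back a 64-bit value, so a cache entry above UINT32_MAX is silently narrowed on the first added line and could collide with an unrelated GID instead of being ignored. The same narrowing already exists for `gid`, but this attribute is new and is trusted as a group membership, so I would read it into a `uint64_t` and only accept it when it is `<= UINT32_MAX`, treating anything else like the 0 sentinel. The comment `it must not be added` should also give the reason, e.g. `/* ... it must not be added, otherwise the primary GID would appear twice in the result. */`. Using 0 as the "not set" marker is a safe choice here, since it guarantees GID 0 can never be injected through this path. fill_initgr's body continues on both sides of the hunk.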
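Review bot: The block added after the loop stores `((uint32_t *)body)[2 + bindex] = orig_primary_gid;` as one more element than the `num` GIDs the loop produced, but nothing in the hunk enlarges the packet: if the body was sized for exactly `2 + num` entries before the loop (the sizing call is outside the hunk, so I cannot confirm it), this store lands one `uint32_t` past the end of the heap buffer whenever no entry was skipped, and `body[0]` then advertises a result count the packet does not hold. The size decision has to include the extra slot, either by computing `orig_primary_gid` before the packet is sized and adding one element when it is non-zero, or by growing the packet by `sizeof(uint32_t)` right before this store and re-reading `body` through `sss_packet_get_body()` because the buffer may move. The comment above the in-loop check also reads `is the user is already and explicit member`; it should be `if the user is already an explicit member`. fill_initgr starts before and ends after the hunk.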
