On Tue, 13 May 2014, Pavel Reichl wrote:
Hello,

Alexander has prepared the attached patches, but he was not able to post
them himself as he is currently having a bad connection.
Note that you cannot currently test them on master (other than compile)
as master is broken with regards to AD integration in IPA mode due to
sdap maps code.

I've tested it by backporting to 1.11 branch (sssd-1-11) and it works
there quite well:

[root@master sssd]# id Administrator@AD.SAMBAXP
uid=894000500(administrator@ad.sambaxp) gid=894000500(administrator@ad.sambaxp)
groups=894000500(administrator@ad.sambaxp),894000512(domain admins@ad.sambaxp),
894000519(enterprise admins@ad.sambaxp),894000518(schema admins@ad.sambaxp),
894000520(group policy creator owners@ad.sambaxp),894000513(domain users@ad.sambaxp)
[root@master sssd]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: Administrator@AD.SAMBAXP

Valid starting       Expires              Service principal
13.05.2014 12:40:13  13.05.2014 22:39:49  host/master.ipa.sambaxp@IPA.SAMBAXP
        renew until 14.05.2014 12:39:47
13.05.2014 12:40:13  13.05.2014 22:39:49  krbtgt/IPA.SAMBAXP@AD.SAMBAXP
                renew until 14.05.2014 12:39:47
13.05.2014 12:39:49  13.05.2014 22:39:49  krbtgt/AD.SAMBAXP@AD.SAMBAXP
                        renew until 14.05.2014 12:39:47
[root@master sssd]# ssh -k -l Administrator@AD.SAMBAXP `hostname`
Last failed login: Tue May 13 13:27:38 EEST 2014 from master.ipa.sambaxp on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Tue May 13 12:41:21 2014 from master.ipa.sambaxp
-sh-4.2$ klist
klist: No credentials cache found while retrieving principal name
-sh-4.2$ logout
Connection to master.ipa.sambaxp closed.


Backported patch 0001 is attached. There is no well-known SIDs support
in 1.11 so the patch is not needed there.
--
/ Alexander Bokovoy
From 46b6fee28c8186d317d979defa66a3e1115d4182 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 13 May 2014 11:22:29 +0300
Subject: [PATCH] ipa subdomains provider: make sure search by SID works for
 homedir

---
 src/providers/ipa/ipa_subdomains_id.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/providers/ipa/ipa_subdomains_id.c 
b/src/providers/ipa/ipa_subdomains_id.c
index bf68554..974e115 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -484,7 +484,8 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct 
sss_domain_info *dom,
     uint32_t uid;
     const char *fqname;
     const char *homedir = NULL;
-    struct ldb_result *res;
+    struct ldb_result *res = NULL;
+    struct ldb_message *msg = NULL;
 
     if (filter_type == BE_FILTER_NAME) {
         ret = sysdb_getpwnam(mem_ctx, dom->sysdb, dom, filter_value, &res);
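Review bot: Initialising both `res` and `msg` to NULL is required here, since only one of them is filled depending on filter_type and the code later branches on `res != NULL`; the commit body is empty, though, and should state that apply_subdomain_homedir can now be reached with a BE_FILTER_SECID filter, which is the actual reason for introducing `msg` as the shared message holder.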
@@ -496,6 +497,8 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct 
sss_domain_info *dom,
             goto done;
         }
         ret = sysdb_getpwuid(mem_ctx, dom->sysdb, dom, uid, &res);
+    } else if (filter_type == BE_FILTER_SECID) {
+        ret = sysdb_search_user_by_sid_str(mem_ctx, dom->sysdb, dom, 
filter_value, NULL, &msg);
     } else {
         DEBUG(SSSDBG_OP_FAILURE,
               "Unsupported filter type: [%d].\n", filter_type);
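Review bot: The new BE_FILTER_SECID branch fills `msg` directly and leaves `res` NULL, so the `res->count == 0` miss check further down does not apply to this path; the code relies on sysdb_search_user_by_sid_str returning a non-zero ret (ENOENT) for an unknown SID, which is worth confirming, otherwise a NULL `msg` reaches ldb_msg_find_attr_as_string. An explicit `if (msg == NULL) { ret = ENOENT; goto done; }` after the lookups would cover all three filter types. Also, the call as shown runs past 80 columns; wrap the argument list under the opening parenthesis like the sysdb_getpwnam/sysdb_getpwuid calls above.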
@@ -510,17 +513,20 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct 
sss_domain_info *dom,
         goto done;
     }
 
-    if (res->count == 0) {
+    if (res && res->count == 0) {
         ret = ENOENT;
         goto done;
     }
 
+    if (res != NULL) {
+        msg = res->msgs[0];
+    }
     /*
      * Homedir is always overriden by subdomain_homedir even if it was
      * explicitly set by user.
      */
-    fqname = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
-    uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
+    fqname = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+    uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0);
     if (uid == 0) {
         DEBUG(SSSDBG_OP_FAILURE, "UID for user [%s] is not known.\n",
                                   filter_value);
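Review bot: After `msg = res->msgs[0]` there is still no NULL check on `msg` before the ldb_msg_find_attr_as_string/ldb_msg_find_attr_as_uint64 calls, so the SID path is only safe if the lookup function never returns EOK with a NULL message; a single `if (msg == NULL)` guard at this point would protect both paths and could replace the `res && res->count == 0` test. Style-wise, use `res != NULL &&` for consistency with the `if (res != NULL)` block just below, add a blank line between that block's closing brace and the comment, and since this area is being touched, "overriden" in the comment should read "overridden".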
-- 
1.9.0

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
