Hi,

another issue found by Steeve during testing. To reproduce this you need
a universal group with members from different domains. Then either look
up the group by SID e.g. with

python -c "import pysss_nss_idmap; print pysss_nss_idmap.getnamebysid('S-1-5-21-3456664713-2053453454-4165325232-1234')"

and then with getent group groupname.

Or use IPA views, override the group name in the 'default trust view'
on the IPA server and look up the group by the overridden name. In both
cases the group should not already be in the cache. Without the patch,
only members from the domain of the group are shown.

bye,
Sumit
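An added check script for the reproduction steps above (not part of Sumit's mail or of SSSD): it parses a getent group line and reports whether the member list spans more than one domain, which is what a correctly resolved universal group should show. The group name, SID and domains are constructed; the live helper assumes getnamebysid() returns a dict keyed by SID with a 'name' entry.

```shell
#!/bin/sh
# Symptom check for the universal-group issue: members of a cross-domain
# universal group should come from at least two domains. All sample values
# below are constructed; the python binding call mirrors the mail.

# Print the distinct domain suffixes of the members in one getent group
# line ("name:pw:gid:member1@dom,member2@dom,..."). Unqualified member
# names (no '@') carry no domain and are skipped.
member_domains() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' \
        | sed -n 's/^[^@]*@//p' | sort -u
}

# Return 0 when the group line lists members from at least two domains.
has_cross_domain_members() {
    n=$(member_domains "$1" | wc -l | tr -d ' ')
    [ "$n" -ge 2 ]
}

# Live variant of the reproduction: resolve the SID to a group name with
# pysss_nss_idmap (assumed return shape: {sid: {'name': ..., 'type': ...}}),
# then run getent on a cold cache and check the member domains.
# Returns 2 when the lookup itself fails. SID argument is a placeholder.
check_group_by_sid() {
    sid="$1"
    name=$(python -c "import pysss_nss_idmap; \
print pysss_nss_idmap.getnamebysid('$sid')['$sid']['name']") || return 2
    line=$(getent group "$name") || return 2
    has_cross_domain_members "$line"
}

# Offline demonstration on a constructed getent line.
demo() {
    sample='grp@ad.example.com:*:10001:a@ad.example.com,b@child.ad.example.com'
    if has_cross_domain_members "$sample"; then
        echo "cross-domain members present"
    else
        echo "only one domain visible: possible GC lookup problem"
    fi
}
```

Run check_group_by_sid with the real SID on a host where the group is not yet cached; a non-zero exit with a single domain in the output is the symptom the patch addresses.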
From 4dd97d17700c7e0b474137015df5c6ac6e082d25 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Wed, 28 Jan 2015 14:04:45 +0100
Subject: [PATCH] AD: use GC for SID requests as well

If a universal group is looked up by SID the cross-domain members must
be resolved with the help of the Global Catalog.

Related to https://fedorahosted.org/sssd/ticket/2514
---
 src/providers/ipa/ipa_subdomains_id.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/providers/ipa/ipa_subdomains_id.c 
b/src/providers/ipa/ipa_subdomains_id.c
index 
c8714a216daff7506f00248e25c281529d0479c4..0508e14b690c144f4bace9ed14a326ac724eb910
 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -603,6 +603,7 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
      */
     switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
     case BE_REQ_INITGROUPS:
+    case BE_REQ_BY_SECID:
     case BE_REQ_GROUP:
         clist = ad_gc_conn_list(req, ad_id_ctx, state->obj_dom);
         if (clist == NULL) {
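Review bot: BE_REQ_BY_SECID is not group-specific, so after this hunk a user looked up by SID is also routed through the GC connection list, while the commit message only motivates the change for universal groups. The comment block that closes just above the switch (the `*/` at the top of the hunk) should say why SID requests of any object type go to the GC, and the commit message should either state that user-by-SID lookups are intentionally affected or confirm that ad_gc_conn_list() still falls back to the domain LDAP connection when the GC does not carry the attributes needed for users.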
-- 
2.1.0

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
