On Tue, Apr 14, 2015 at 12:26:15PM +0200, Jakub Hrozek wrote:
> On Mon, Apr 13, 2015 at 04:47:35PM +0200, Lukas Slebodnik wrote:
> > ehlo,
> > 
> > the problem is that with current master and 1.12 the domain local groups
> > from subdomain are not filtered.
> > 
> > The 1st patch partially fixes the problem. The name of the group is not visible
> > after "id user", but there is a GID which does not have a name.
> > BTW without this patch "Distributions groups" needn't be filtered with
> > disabled tokengroups. It might explain some cases where groups were missing
> > with disabled tokengroups. Users might use this bug as a workaround.
> > 
> > The last patch filters domain local groups from subdomains
> > while doing initgroups. So there will not be GIDs without a name.
> > 
> > Please try to review the patches very soon, so we can fix the regression with
> > domain local groups caused by the recent optimisation of initgroups.
> > 
> > LS
> 
> Seems to work fine:
> (Tue Apr 14 06:11:08 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_add_incomplete_groups] (0x2000): Group [Denied RODC Password Replication gr...@child.ad.example.com] has mapped gid [577600572]
> (Tue Apr 14 06:11:08 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_check_ad_group_type] (0x4000): AD group [Denied RODC Password Replication gr...@child.ad.example.com] has type flags 0x80000004.
> (Tue Apr 14 06:11:08 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_check_ad_group_type] (0x0400): Filtering AD group [Denied RODC Password Replication gr...@child.ad.example.com].
> (Tue Apr 14 06:11:08 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_add_incomplete_groups] (0x2000): Adding fake group Denied RODC Password Replication gr...@child.ad.example.com to sysdb
> 
> The patches look good as well.
> 
> btw I think we should rename the request sdap_ad_tokengroups_initgr_posix()
> because for subdomains it's called even if TGs are enabled.
> 
> ACK
> 
> CI is pending, I'll push after the CI run finishes.


master:
    * b9fbeb75e7a4f50f98d979a70a710f9221892483
    * bad2fc8133d941e5a6c8d8016c9689e039265c61
    * 5d864e7a9d0e1e6fb7dd8158c5b8bfb71040b908 
sssd-1-12:
    * 49895bb18508a4f4b83b99d9875e99e17c81285b
    * bdd031d274659263db5f28408d8b75c63d3485a0
    * cf7047634308c431f4cfbff1d88564668d2a33c7 
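
Added example, not part of the original thread and not SSSD's own code: how the `type flags 0x80000004` value in the quoted log decodes, and the filtering decision the thread describes (distribution groups dropped, domain local groups dropped when they come from a subdomain). The function names and the simplified policy are assumptions; the bit values are the documented Active Directory `groupType` flags, which LDAP returns as a signed decimal string.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Active Directory groupType bits (documented AD values). */
#define GT_GLOBAL        0x00000002u
#define GT_DOMAIN_LOCAL  0x00000004u
#define GT_UNIVERSAL     0x00000008u
#define GT_SECURITY      0x80000000u

/* LDAP returns groupType as a signed 32-bit decimal string, e.g.
 * "-2147483644" for 0x80000004. Returns false on malformed input. */
bool parse_group_type(const char *s, uint32_t *flags)
{
    char *end;
    long long v;

    if (s == NULL || *s == '\0') return false;
    errno = 0;
    v = strtoll(s, &end, 10);
    if (errno != 0 || *end != '\0') return false;
    if (v < INT32_MIN || v > INT32_MAX) return false;
    *flags = (uint32_t)(int32_t)v;   /* reinterpret as a bit mask */
    return true;
}

/* Hypothetical policy helper modelled on the thread's description:
 * drop distribution groups (no security bit) everywhere, and drop
 * domain local groups when the group comes from a subdomain. */
bool should_filter_group(uint32_t flags, bool from_subdomain)
{
    if (!(flags & GT_SECURITY)) return true;
    if (from_subdomain && (flags & GT_DOMAIN_LOCAL)) return true;
    return false;
}

int main(void)
{
    /* Constructed sample attribute values, not taken from a real directory. */
    const char *samples[] = { "-2147483644", "-2147483646", "8" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t f;
        if (!parse_group_type(samples[i], &f)) continue;
        printf("%s -> 0x%08x subdomain:%s\n", samples[i], (unsigned)f,
               should_filter_group(f, true) ? "filter" : "keep");
    }
    return 0;
}
```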
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
