URL: https://github.com/SSSD/sssd/pull/257
Author: fidencio
Title: #257: LDAP/AD: Do not fail in case rfc2307bis_nested_groups_recv() returns ENOENT
Action: opened

PR body:
"""
Commit 25699846 introduced a regression seen when an initgroup lookup is
done and there are no nested groups involved.

In this scenario the whole lookup fails due to an ENOENT returned by
rfc2307bis_nested_groups_recv(), which leads to the user removal from
sysdb causing some authentication issues.

The problem was caught by the "Allow only single user from domain1"
test, part of ad_access_filter tests (present in
"client-ad_provider-ad_forest" package) run and reported by Lukáš
Slebodnik.

Resolves:
https://pagure.io/SSSD/sssd/issue/3331

Signed-off-by: Fabiano Fidêncio <[email protected]>
"""

To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/257/head:pr257
git checkout pr257
From ed2ccfdb1b6d26ba7af3ad170ec8e3fb8c0008cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <[email protected]>
Date: Mon, 1 May 2017 14:49:50 +0200
Subject: [PATCH] LDAP/AD: Do not fail in case rfc2307bis_nested_groups_recv()
 returns ENOENT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Commit 25699846 introduced a regression seen when an initgroup lookup is
done and there are no nested groups involved.

In this scenario the whole lookup fails due to an ENOENT returned by
rfc2307bis_nested_groups_recv(), which leads to the user removal from
sysdb causing some authentication issues.

The problem was caught by the "Allow only single user from domain1"
test, part of ad_access_filter tests (present in
"client-ad_provider-ad_forest" package) run and reported by Lukáš
Slebodnik.

Resolves:
https://pagure.io/SSSD/sssd/issue/3331

Signed-off-by: Fabiano Fidêncio <[email protected]>
---
 src/providers/ldap/sdap_async_initgroups_ad.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index f75b921..2831be9 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -1746,7 +1746,13 @@ static void sdap_ad_get_domain_local_groups_done(struct tevent_req *subreq)
 
     ret = rfc2307bis_nested_groups_recv(subreq);
     talloc_zfree(subreq);
-    if (ret != EOK) {
+    if (ret == ENOENT) {
+        /* In case of ENOENT we can just proceed without making
+         * sdap_get_initgr_user() fail because there's no nested
+         * groups for this user/group. */
+        ret = EOK;
+        goto done;
+    } else if (ret != EOK) {
         tevent_req_error(req, ret);
         return;
     }
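Review bot: the new "if (ret == ENOENT)" branch jumps to "done", a label that lies outside this hunk, so the diff alone does not show that "done" completes the request successfully when ret is EOK, or that nothing between the old "if (ret != EOK)" check and that label is still needed in the no-nested-groups case. Please confirm both, and also that rfc2307bis_nested_groups_recv() returns ENOENT only when there are no nested groups, because every ENOENT from it is now reported to the caller as a successful lookup. A trace-level debug message inside the branch would keep the swallowed error visible in the logs. Style: the comment would read better as "there are no nested groups for this user/group".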