URL: https://github.com/SSSD/sssd/pull/484 Author: sumit-bose Title: #484: SDAP: skip builtin AD groups in sdap_save_grpmem() Action: opened
PR body: """
While processing group memberships SSSD might accidentally save builtin or other well-known AD groups. With this patch those groups are skipped, similarly to e.g. sdap_save_group().

Resolves https://pagure.io/SSSD/sssd/issue/3610

There are other ways to solve the issue reported in ticket #3610, e.g. making sure 'isPosix=False' is added to the group object in the cache. But since the builtin groups are also ignored in sdap_save_group() I think this way is currently more consistent. Long term I think we should find a way to assign POSIX IDs to the well-known SIDs so that we can treat them as POSIX objects.
"""

To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/484/head:pr484
git checkout pr484
From 9837144db903cdbf2f43557200cea7e2adeed1ea Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Mon, 18 Dec 2017 20:30:04 +0100 Subject: [PATCH] SDAP: skip builtin AD groups in sdap_save_grpmem() While processing group memberships SSSD might accidentally save builtin or other well known AD groups. With this patch those groups are skipped similar as e.g. in sdap_save_group(). Resolves https://pagure.io/SSSD/sssd/issue/3610 --- src/providers/ldap/sdap_async_groups.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index b1cfb7e4a..bbe6f1386 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -880,6 +880,8 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, int ret; const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST, NULL}; + const char *check_dom; + const char *check_name; if (dom->ignore_group_members) { DEBUG(SSSDBG_CRIT_FAILURE, @@ -905,6 +907,15 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, group_dom = sss_get_domain_by_sid_ldap_fallback(get_domains_head(dom), group_sid); if (group_dom == NULL) { + ret = well_known_sid_to_name(group_sid, &check_dom, &check_name); + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_FUNC, + "Skipping group with SID [%s][%s\\%s] which is " + "currently not handled by SSSD.\n", + group_sid, check_dom, check_name); + return EOK; + } + DEBUG(SSSDBG_TRACE_FUNC, "SID [%s] does not belong to any known " "domain, using [%s].\n", group_sid, dom->name);
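Review bot: In the second hunk the result of well_known_sid_to_name() is only tested for EOK; any other return code, whether "not a well-known SID" or a genuine failure such as an unparsable SID string, falls through silently to the existing "SID [%s] does not belong to any known domain, using [%s]" fallback. Consider logging the non-EOK code at trace level before falling through, so the two cases can be told apart when debugging the ticket #3610 scenario, and adding a one-line comment next to the early `return EOK;` that points at the matching skip in sdap_save_group() which the PR description cites as precedent, so both sites are found together when well-known SIDs later get POSIX IDs as the description plans.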
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
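The point of the PR body is that well-known SIDs such as the BUILTIN groups belong to no AD domain, so a membership entry carrying one cannot be mapped to a POSIX group and would otherwise end up as a bogus object in the cache. The following C program is added here as an illustration; it is not SSSD code and not part of the patch. It shows what that distinction looks like in practice: a small SID string parser, a check for the S-1-5-21 domain subtree, a hypothetical well_known_name() standing in for SSSD's well_known_sid_to_name() with a deliberately partial names table, and a classify_group() that takes the same three-way decision as the patched sdap_save_grpmem() (SID of a known domain, well-known SID, fallback to the user's domain). The domain SIDs, RIDs and memberOf list are constructed for the example.

```c
/* Added example, not SSSD code: parse AD SIDs and apply the patch's "skip well-known groups" rule. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBAUTH 15
struct sid { unsigned long authority, sub[MAX_SUBAUTH]; size_t nsub; };

/* Parse "S-1-<authority>-<subauth>-..." (revision 1 is the only one). Returns 0 or EINVAL. */
int parse_sid(const char *str, struct sid *out)
{
    const char *p = str;
    char *end;

    memset(out, 0, sizeof(*out));
    if (strncmp(p, "S-1-", 4) != 0 || !isdigit((unsigned char)p[4])) return EINVAL;
    out->authority = strtoul(p + 4, &end, 10);
    for (p = end; *p == '-'; p = end) {
        p++;
        if (out->nsub >= MAX_SUBAUTH || !isdigit((unsigned char)*p)) return EINVAL;
        out->sub[out->nsub++] = strtoul(p, &end, 10);
    }
    return (*p == '\0') ? 0 : EINVAL;
}

/* A domain object SID is S-1-5-21-<A>-<B>-<C>-<RID>; write the domain part (without RID) or ENOENT. */
int sid_domain_prefix(const struct sid *s, char *buf, size_t buflen)
{
    if (s->authority != 5 || s->nsub != 5 || s->sub[0] != 21) return ENOENT;
    snprintf(buf, buflen, "S-1-5-21-%lu-%lu-%lu", s->sub[1], s->sub[2], s->sub[3]);
    return 0;
}

/* Well-known SIDs belong to no domain: authorities 0-3 (Null, World, Local, Creator) or
 * authority 5 outside the S-1-5-21 subtree (NT AUTHORITY, BUILTIN). Names: illustrative subset. */
int well_known_name(const struct sid *s, const char **dom, const char **name)
{
    *dom = "";
    *name = "(well-known)";
    if (s->authority <= 3) {
        *name = (s->authority == 1) ? "Everyone" : "(null/local/creator)";
        return 0;
    }
    if (s->authority != 5 || (s->nsub > 0 && s->sub[0] == 21)) return ENOENT;
    *dom = "NT AUTHORITY";
    if (s->nsub == 1 && s->sub[0] == 11) *name = "Authenticated Users";
    if (s->nsub == 2 && s->sub[0] == 32) {
        *dom = "BUILTIN";
        *name = (s->sub[1] == 544) ? "Administrators" : (s->sub[1] == 545) ? "Users" : "(builtin)";
    }
    return 0;
}

enum grp_action { GRP_SAVE, GRP_SAVE_FALLBACK, GRP_SKIP_WELL_KNOWN, GRP_SKIP_INVALID };

/* One group SID, decided in the order the patched sdap_save_grpmem() uses: known domain -> save;
 * no domain but well-known -> skip; otherwise fall back to the user's domain (old behaviour). */
enum grp_action classify_group(const char *sid_str, const char *const *known, size_t nknown)
{
    struct sid s;
    char prefix[64];
    const char *dom, *name;
    size_t i;
    if (parse_sid(sid_str, &s) != 0) return GRP_SKIP_INVALID;
    if (sid_domain_prefix(&s, prefix, sizeof(prefix)) == 0) {
        for (i = 0; i < nknown; i++)
            if (strcmp(prefix, known[i]) == 0) return GRP_SAVE;
    }
    if (well_known_name(&s, &dom, &name) == 0) {
        printf("Skipping group with SID [%s][%s\\%s]\n", sid_str, dom, name);
        return GRP_SKIP_WELL_KNOWN;
    }
    return GRP_SAVE_FALLBACK;
}

/* Constructed sample data (assumption): one configured domain and one user's memberOf list. */
static const char *const SAMPLE_DOMAINS[] = { "S-1-5-21-111-222-333" };
static const char *const SAMPLE_MEMBEROF[] = {
    "S-1-5-21-111-222-333-1105",  /* ordinary domain group: save */
    "S-1-5-21-111-222-333-513",   /* Domain Users: save */
    "S-1-5-32-544",               /* BUILTIN\Administrators: skip */
    "S-1-5-11",                   /* Authenticated Users: skip */
    "S-1-1-0",                    /* Everyone: skip */
    "S-1-5-21-999-888-777-1200",  /* group of a domain SSSD does not know: fallback */
    "garbage",                    /* unparsable: rejected */
};
#define N_MEMBEROF (sizeof(SAMPLE_MEMBEROF) / sizeof(SAMPLE_MEMBEROF[0]))

/* How many of the sample memberships end with the given action. */
size_t count_action(enum grp_action want)
{
    size_t i, n = 0;
    for (i = 0; i < N_MEMBEROF; i++)
        if (classify_group(SAMPLE_MEMBEROF[i], SAMPLE_DOMAINS, 1) == want) n++;
    return n;
}

int main(void)
{
    printf("saved=%zu fallback=%zu skipped=%zu invalid=%zu\n", count_action(GRP_SAVE),
           count_action(GRP_SAVE_FALLBACK), count_action(GRP_SKIP_WELL_KNOWN), count_action(GRP_SKIP_INVALID));
    return 0;
}
```

The structural test in sid_domain_prefix() is the part worth remembering: only SIDs of the shape S-1-5-21-A-B-C-RID carry a domain identifier that can be matched against configured or trusted domains, which is why the BUILTIN and NT AUTHORITY entries in the sample list never find a domain and, after the patch, are skipped instead of being saved under the user's own domain.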