URL: https://github.com/SSSD/sssd/pull/475 Title: #475: LDAP: Only add a sdap_domain instance for the current domain when instantiating a new ad_id_ctx
jhrozek commented: """ I spent some today trying to understand this issue better so that I can explain it better in the PR. I think the patch is correct as it was submitted the first time but I'm also afraid that the relation between the different structures in SSSD code has reached a critical point where it's really hard to understand how the structures were designed.. So first, about the bug. It only happens where the cache is already primed with subdomain objects. Then, the AD subdomains code will call `ad_subdom_reinit` which reads the subdomains from sysdb. Then `ads_store_sdap_subdom()` calls `sdap_domain_subdom_add()` which creates a `sdap_domain` struct for each subdomain. Here I think both the linked list of `sdap_domain` objects and the `sdap_domain_subdom_add` call are correct. Then, for each of the `sdap_domain`, we call `ad_subdom_ad_ctx_new()` which creates `ad_id_ctx` for every subdomain. This internally used to call `sdap_domain_subdom_add()` which I think was wrong, because inside, `sdap_domain_subdom_add()` iterates over all domains and appends a `sdap_domain` structure per domain to the `sdap_opts` structure. I added some DEBUG messages into the code, which show what happens: ``` (Tue Jan 16 16:25:19 2018) [sssd[be[child1.sssdad.com]]] [ad_subdom_ad_ctx_new] (0x0040): INFO: Creating ad_ctx for sssdad.com (Tue Jan 16 16:25:19 2018) [sssd[be[child1.sssdad.com]]] [sdap_domain_subdom_add] (0x0040): INFO: Parent: child1.sssdad.com (Tue Jan 16 16:25:19 2018) [sssd[be[child1.sssdad.com]]] [sss_domain_get_state] (0x1000): Domain sssdad_tree.com is Active (Tue Jan 16 16:25:19 2018) [sssd[be[child1.sssdad.com]]] [sdap_domain_subdom_add] (0x0040): INFO: Iterating over domain sssdad_tree.com (Tue Jan 16 16:25:19 2018) [sssd[be[child1.sssdad.com]]] [sdap_domain_subdom_add] (0x0400): subdomain sssdad_tree.com is a new one, will create a new sdap domain object (Tue Jan 16 16:25:19 2018) [sssd[be[child1.sssdad.com]]] [sss_domain_get_state] (0x1000): Domain sssdad.com is Active (Tue Jan 16 16:25:19 2018) [sssd[be[child1.sssdad.com]]] [sdap_domain_subdom_add] (0x0040): INFO: Iterating over domain sssdad.com (Tue Jan 16 16:25:19 2018) [sssd[be[child1.sssdad.com]]] [sdap_domain_subdom_add] (0x0400): subdomain sssdad.com is a new one, will create a new sdap domain object ``` So here, for domain `sssdad.com`, the linked list of `sdap_domain` structures is `sssdad_tree.com->sssdad.com`. And later, the code that tries to look up the trusted domains just uses the first one, which in this case is `sssdad_tree.com` for the `sssdad.com` domain: ``` 853 subreq = sdap_search_bases_send(state, state->ev, state->opts, 854 sdap_id_op_handle(state->sdap_op), 855 state->opts->sdom->search_bases, ``` """ See the full comment at https://github.com/SSSD/sssd/pull/475#issuecomment-358115852
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org