URL: https://github.com/SSSD/sssd/pull/475 Author: jhrozek Title: #475: AD: Use the right sdap_domain for the forest root Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/475/head:pr475 git checkout pr475
From 7d636e1da65b338f3919e8d47366aa69147be0d6 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Wed, 17 Jan 2018 21:59:24 +0100 Subject: [PATCH] AD: Use the right sdap_domain for the forest root Resolves: https://pagure.io/SSSD/sssd/issue/3594 Each ad_id_ctx structure which represents a trusted AD domain contains a list of sdap_domain structures representing all the other domains. This is used to e.g. be able to reach another domain's ad_id_ctx and use its LDAP connection. However, the sdap search call that was searching for trusted domains in the forest that the root domain knows about, was unconditionally using the first sdap_domain structure in the list linked from the root_domain's ad_id_ctx structure. It should be noted that this search only happens in case the machine is joined to one of the non-root domains in the forest and searches the root domain explicitly. In case sdap_domain structures linked from the ad_id_ctx representing the root domain were ordered so that the first sdap_domain in the list was representing a different domain than the one linked from the ad_id_ctx, the sdap search would have used a wrong search base derived from the unexpected sdap_domain which would result in a referral being returned. This patch explicitly looks up the sdap_domain structure that corresponds to the root domain. --- src/providers/ad/ad_subdomains.c | 99 ++++++++++++++++++++++++++-------------- 1 file changed, 66 insertions(+), 33 deletions(-) diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index 1b9483a5d..0e9a8e50e 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -57,6 +57,63 @@ /* do not refresh more often than every 5 seconds for now */ #define AD_SUBDOMAIN_REFRESH_LIMIT 5 +static struct sss_domain_info * +ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs) +{ + struct sss_domain_info *dom; + const char *name; + errno_t ret; + + ret = sysdb_attrs_get_string(attrs, AD_AT_TRUST_PARTNER, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + return NULL; + } + + /* With a subsequent run, the root should already be known */ + for (dom = be_ctx->domain; dom != NULL; + dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) { + + if (strcasecmp(dom->name, name) == 0) { + /* The forest root is special, although it might be disabled for + * general lookups we still want to try to get the domains in the + * forest from a DC of the forest root */ + if (sss_domain_get_state(dom) == DOM_DISABLED + && !sss_domain_is_forest_root(dom)) { + return NULL; + } + return dom; + } + } + + return NULL; +} + +static struct sdap_domain * +ads_get_root_sdap_domain(struct be_ctx *be_ctx, + struct sdap_options *opts, + struct sysdb_attrs *attrs) +{ + struct sdap_domain *root_sdom; + struct sss_domain_info *root_dom; + + root_dom = ads_get_root_domain(be_ctx, attrs); + if (root_dom == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "ads_get_root_domain did not find the domain\n"); + return NULL; + } + + root_sdom = sdap_domain_get(opts, root_dom); + if (root_sdom == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to find sdap_domain for the root domain\n"); + return NULL; + } + + return root_sdom; +} + static errno_t ad_get_enabled_domains(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_id_ctx, const char *ad_domain, @@ -755,6 +812,7 @@ struct ad_get_slave_domain_state { struct sdap_options *opts; struct sdap_idmap_ctx *idmap_ctx; struct sysdb_attrs *root_attrs; + struct sdap_domain *root_sdom; struct sdap_id_op *sdap_op; }; @@ -786,6 +844,13 @@ ad_get_slave_domain_send(TALLOC_CTX *mem_ctx, state->opts = root_id_ctx->sdap_id_ctx->opts; state->idmap_ctx = root_id_ctx->sdap_id_ctx->opts->idmap_ctx; state->root_attrs = root_attrs; + state->root_sdom = ads_get_root_sdap_domain(state->be_ctx, + state->opts, + state->root_attrs); + if (state->root_sdom == NULL) { + ret = ERR_DOMAIN_NOT_FOUND; + goto immediately; + } state->sdap_op = sdap_id_op_create(state, root_id_ctx->ldap_ctx->conn_cache); if (state->sdap_op == NULL) { @@ -861,7 +926,7 @@ static void ad_get_slave_domain_connect_done(struct tevent_req *subreq) subreq = sdap_search_bases_send(state, state->ev, state->opts, sdap_id_op_handle(state->sdap_op), - state->opts->sdom->search_bases, + state->root_sdom->search_bases, NULL, false, 0, SLAVE_DOMAIN_FILTER, attrs); if (subreq == NULL) { @@ -965,38 +1030,6 @@ static errno_t ad_get_slave_domain_recv(struct tevent_req *req) return EOK; } -static struct sss_domain_info * -ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs) -{ - struct sss_domain_info *dom; - const char *name; - errno_t ret; - - ret = sysdb_attrs_get_string(attrs, AD_AT_TRUST_PARTNER, &name); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); - return NULL; - } - - /* With a subsequent run, the root should already be known */ - for (dom = be_ctx->domain; dom != NULL; - dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) { - - if (strcasecmp(dom->name, name) == 0) { - /* The forest root is special, although it might be disabled for - * general lookups we still want to try to get the domains in the - * forest from a DC of the forest root */ - if (sss_domain_get_state(dom) == DOM_DISABLED - && !sss_domain_is_forest_root(dom)) { - return NULL; - } - return dom; - } - } - - return NULL; -} - static struct ad_id_ctx * ads_get_root_id_ctx(struct be_ctx *be_ctx, struct ad_id_ctx *ad_id_ctx,
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
