URL: https://github.com/SSSD/sssd/pull/514
Author: jhrozek
 Title: #514: Backport several UPN related patches to sssd-1-13
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/514/head:pr514
git checkout pr514
From cec07619fca57375af50233d090e0794f0bbefed Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Thu, 25 Jan 2018 17:25:50 +0100
Subject: [PATCH 1/3] IPA: make get_object_from_cache() aware of UPN searches

Based on commit 0ad1bcec60a2ec67a602e0ad1888f859d6009d54 in master, but
somewhat adapted to apply on sssd-1-13
---
 src/providers/ipa/ipa_subdomains_id.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 64383e186..e3bb7a238 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -1019,11 +1019,19 @@ errno_t get_object_from_cache(TALLOC_CTX *mem_ctx,
         case BE_REQ_INITGROUPS:
         case BE_REQ_USER:
         case BE_REQ_USER_AND_GROUP:
-            ret = sysdb_search_user_by_name(mem_ctx, dom, name, attrs, &msg);
-            if (ret == ENOENT && (ar->entry_type & BE_REQ_TYPE_MASK)
+            if (ar->extra_value
+                    && strcmp(ar->extra_value, EXTRA_NAME_IS_UPN) == 0) {
+                ret = sysdb_search_user_by_upn(mem_ctx, dom, name,
+                                               attrs, &msg);
+            } else {
+                ret = sysdb_search_user_by_name(mem_ctx, dom, name,
+                                                attrs, &msg);
+                if (ret == ENOENT && (ar->entry_type & BE_REQ_TYPE_MASK)
                                                      == BE_REQ_USER_AND_GROUP) {
-                ret = sysdb_search_group_by_name(mem_ctx, dom, name,
-                                                 attrs, &msg);
+                    ret = sysdb_search_group_by_name(mem_ctx, dom,
+                                                     name, attrs,
+                                                     &msg);
+                }
             }
             break;
         default:
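Review bot: The new UPN branch never falls through to sysdb_search_group_by_name() for BE_REQ_USER_AND_GROUP, while the by-name branch right below it does, and nothing in the code says whether that asymmetry is deliberate; a reader diffing the two branches may read it as a dropped fallback. A one-line comment on the new `if` would settle it, e.g. `/* A UPN always names a user, so there is no group fallback for BE_REQ_USER_AND_GROUP */`. The `strcmp()` against EXTRA_NAME_IS_UPN is guarded by the `ar->extra_value` NULL check, which is correct. get_object_from_cache() starts and ends outside the hunk.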

From 1fbb6e82f2286b9e3029d827365c6c90e1fe3103 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Wed, 29 Jun 2016 14:02:02 +0200
Subject: [PATCH 2/3] NSS: Fix domain for UPN based lookups

Since sysdb_search_user_by_upn() searches the whole cache we have to set
the domain so that it matches the result.

Reviewed-by: Jakub Hrozek <jhro...@redhat.com>
(cherry picked from commit f426a8b81a871188348b41aa52803a05bc3a02de)
---
 src/responder/nss/nsssrv_cmd.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index ef6f06145..987d0fe9b 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -978,6 +978,7 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
     struct ldb_message *msg;
     const char *extra_flag = NULL;
     char *neg_cache_name;
+    const char *sysdb_name;
 
     nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
 
@@ -1080,6 +1081,23 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
                 }
 
                 dctx->res->msgs[0] = talloc_steal(dctx->res->msgs, msg);
+
+                /* Since sysdb_search_user_by_upn() searches the whole cache we
+                 * have to set the domain so that it matches the result. */
+                sysdb_name = ldb_msg_find_attr_as_string(dctx->res->msgs[0],
+                                                         SYSDB_NAME, NULL);
+                if (sysdb_name == NULL) {
+                    DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n");
+                    return EINVAL;
+                }
+                dctx->domain = find_domain_by_object_name(get_domains_head(dom),
+                                                          sysdb_name);
+                if (dctx->domain == NULL) {
+                    DEBUG(SSSDBG_CRIT_FAILURE,
+                          "Cannot find matching domain for [%s].\n",
+                          sysdb_name);
+                    return EINVAL;
+                }
             }
         } else {
             ret = sysdb_getpwnam_with_views(cmdctx, dom, name, &dctx->res);
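Review bot: The domain fix-up added here (read SYSDB_NAME from msgs[0], find_domain_by_object_name(), fail with EINVAL) is repeated almost verbatim in the nss_cmd_initgroups_search() hunk of the same patch, so both copies will need to be kept in step; a small `static errno_t nss_dom_from_upn_result(struct nss_dom_ctx *dctx, struct sss_domain_info *dom, const char *sysdb_name)` helper called from both sites would remove the duplication without changing behaviour. Returning EINVAL for a cached entry without a name is consistent with the existing `return EINVAL;` in the initgroups path. nss_cmd_getpwnam_search() starts and ends outside the hunk.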
@@ -4409,6 +4427,17 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
                     return EINVAL;
                 }
 
+                /* Since sysdb_search_user_by_upn() searches the whole cache we
+                 * have to set the domain so that it matches the result. */
+                dctx->domain = find_domain_by_object_name(get_domains_head(dom),
+                                                          sysdb_name);
+                if (dctx->domain == NULL) {
+                    DEBUG(SSSDBG_CRIT_FAILURE,
+                          "Cannot find matching domain for [%s].\n",
+                          sysdb_name);
+                    return EINVAL;
+                }
+
                 ret = sysdb_initgroups(cmdctx, dom, sysdb_name, &dctx->res);
                 if (ret == EOK && DOM_HAS_VIEWS(dom)) {
                     for (c = 0; c < dctx->res->count; c++) {
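Review bot: After `dctx->domain` is re-pointed to the domain that owns the matched entry, the next two lines still pass the loop's `dom` to `sysdb_initgroups(cmdctx, dom, sysdb_name, &dctx->res)` and `DOM_HAS_VIEWS(dom)`, so the lookup domain and the result domain can diverge when the UPN match comes from a different domain than the one being iterated. If that divergence is not intended, adding `dom = dctx->domain;` right after the new NULL check (or passing `dctx->domain` in the two calls) keeps the two in step; whether the sysdb handle and the views setting of `dom` and `dctx->domain` actually differ depends on subdomain setup that is not visible here, so please confirm against the callers. nss_cmd_initgroups_search() starts and ends outside the hunk.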

From 139f98c3c0aca487e72a45ff3e8b26a154b1c128 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Thu, 25 Jan 2018 20:14:11 +0100
Subject: [PATCH 3/3] Fix iterating to next domain for initgroup lookups

This is a sssd-1-13 only commit so that the code in the NSS responder
matches the behaviour in the master branch as of sssd-1.16.0
---
 src/responder/nss/nsssrv_cmd.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 987d0fe9b..27d02d3a3 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -4386,7 +4386,11 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
                    name, dom->name);
             /* if a multidomain search, try with next */
             if (cmdctx->check_next) {
-                dom = get_next_domain(dom, 0);
+                if (cmdctx->name_is_upn) {
+                    dom = get_next_domain(dom, SSS_GND_DESCEND);
+                } else {
+                    dom = get_next_domain(dom, 0);
+                }
                 continue;
             }
             /* There are no further domains or this was a
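Review bot: The new four-line if/else only differs in the flags argument, so it reads more easily as a single call: `dom = get_next_domain(dom, cmdctx->name_is_upn ? SSS_GND_DESCEND : 0);`. The same branch is added a second time in the hunk at line 4475 of this file and can be collapsed the same way. Note that this hunk then executes `continue` unconditionally while the second one guards it with `if (dom) continue;`; presumably the enclosing loop condition handles a NULL `dom` here, but the loop head is outside the hunk, so that is worth a glance. nss_cmd_initgroups_search() starts and ends outside the hunk.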
@@ -4471,10 +4475,15 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
 
             /* if a multidomain search, try with next */
             if (cmdctx->check_next) {
-                dom = get_next_domain(dom, 0);
+                if (cmdctx->name_is_upn) {
+                    dom = get_next_domain(dom, SSS_GND_DESCEND);
+                } else {
+                    dom = get_next_domain(dom, 0);
+                }
                 if (dom) continue;
             }
 
+
             DEBUG(SSSDBG_OP_FAILURE, "No results for initgroups call\n");
 
             return ENOENT;
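Review bot: The extra blank line added just before the `DEBUG(SSSDBG_OP_FAILURE, "No results for initgroups call\n");` is unrelated to the name_is_upn change and leaves two consecutive blank lines; dropping it keeps this backport-only commit minimal. nss_cmd_initgroups_search() starts and ends outside the hunk.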