[SSSD] [sssd PR#614][opened] nss_protocol_fill_initgr: skip incomplete groups instead of bailing out

Tue, 10 Jul 2018 08:37:20 -0700 

   URL: https://github.com/SSSD/sssd/pull/614
Author: asheplyakov
 Title: #614: nss_protocol_fill_initgr: skip incomplete groups instead of 
bailing out
Action: opened

PR body:
"""
Suppose the user U is a member of (AD) groups D1\A, D1\B, D2\X, and no
domain controllers in the domain D2 can be reached at the moment (and
there are no cached info). As of now initgroups won't assign any groups
at all. To improve the behavior skip the incomplete groups so initgroup
assigns at least some groups (D1\A, D1\B in the above example).
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/614/head:pr614
git checkout pr614

From 4715b03dc7d5ad980cf0c3b8a7ae2823b30acbce Mon Sep 17 00:00:00 2001
From: Alexey Sheplyakov <asheplya...@altlinux.org>
Date: Tue, 10 Jul 2018 14:51:15 +0000
Subject: [PATCH] nss_protocol_fill_initgr: skip incomplete groups instead of
 bailing out

Suppose the user U is a member of (AD) groups D1\A, D1\B, D2\X, and no
domain controllers in the domain D2 can be reached at the moment (and
there are no cached info). As of now initgroups won't assign any groups
at all. To improve the behavior skip the incomplete groups so initgroup
assigns at least some groups (D1\A, D1\B in the above example).
---
 src/responder/nss/nss_protocol_grent.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index b89ce2bc5..a697e86ef 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -365,11 +365,10 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
             if (posix != NULL && strcmp(posix, "FALSE") == 0) {
                 continue;
             } else {
-                DEBUG(SSSDBG_CRIT_FAILURE,
+                DEBUG(SSSDBG_MINOR_FAILURE,
                       "Incomplete group object [%s] for initgroups! "
-                      "Aborting.\n", ldb_dn_get_linearized(msg->dn));
-                ret = EINVAL;
-                goto done;
+                      "Skipping.\n", ldb_dn_get_linearized(msg->dn));
+                continue;
             }
         }
 

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/GM5UWIZSZCZ765JAWURE2YUDZUWB2BXE/

Reply via email to