URL: https://github.com/SSSD/sssd/pull/954
Author: pbrezina
 Title: #954: nss: use real primary gid if the value is overriden
Action: opened

PR body:
"""
SYSDB_PRIMARY_GROUP_GIDNUM contains original primary group id from AD
because any possible override may not be known at the time of storing
the user.

Now we try to lookup group by its originalADgidNumber and if it is found
we will replace the original id with real primary group id.

Steps to reproduce:
1. Enroll SSSD to IPA domain with AD trust
2. Add ID override to Domain Users `ipa idoverridegroup-add 'Default Trust 
View' "Domain [email protected]" --gid=40000000`
3. On IPA server: Remove cache for the overrides to apply immediately and 
restart SSSD `sssctl cache-remove --stop --start`
4. On IPA server: Resolve user `id [email protected]`

Without the patch, the `id` output lists both the old and the new gid.

Resolves:
https://pagure.io/SSSD/sssd/issue/4124
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/954/head:pr954
git checkout pr954
From 10504b9dbc111926d0594384f0214586a4f2ac8a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <[email protected]>
Date: Tue, 3 Dec 2019 13:29:00 +0100
Subject: [PATCH] nss: use real primary gid if the value is overriden

SYSDB_PRIMARY_GROUP_GIDNUM contains original primary group id from AD
because any possible override may not be known at the time of storing
the user.

Now we try to lookup group by its originalADgidNumber and if it is found
we will replace the original id with real primary group id.

Steps to reproduce:
1. Enroll SSSD to IPA domain with AD trust
2. Add ID override to Domain Users `ipa idoverridegroup-add 'Default Trust View' "Domain [email protected]" --gid=40000000`
3. On IPA server: Remove cache for the overrides to apply immediately and restart SSSD `sssctl cache-remove --stop --start`
4. On IPA server: Resolve user `id [email protected]`

Without the patch, the `id` output lists both the old and the new gid.

Resolves:
https://pagure.io/SSSD/sssd/issue/4124
---
 src/db/sysdb.h                         |  7 +++++
 src/db/sysdb_ops.c                     | 40 ++++++++++++++++++++------
 src/responder/nss/nss_protocol_grent.c | 14 +++++++++
 3 files changed, 52 insertions(+), 9 deletions(-)

diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index e03c32d41d..5660437772 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -208,6 +208,7 @@
 
 #define SYSDB_GRNAM_FILTER "(&("SYSDB_GC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
 #define SYSDB_GRGID_FILTER "(&("SYSDB_GC")("SYSDB_GIDNUM"=%lu))"
+#define SYSDB_GRORIGGID_FILTER "(&("SYSDB_GC")("ORIGINALAD_PREFIX SYSDB_GIDNUM"=%lu))"
 #define SYSDB_GRSID_FILTER "(&("SYSDB_GC")("SYSDB_SID_STR"=%s))"
 #define SYSDB_GRENT_FILTER "("SYSDB_GC")"
 #define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
@@ -977,6 +978,12 @@ int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
                               const char **attrs,
                               struct ldb_message **msg);
 
+int sysdb_search_group_by_origgid(TALLOC_CTX *mem_ctx,
+                                  struct sss_domain_info *domain,
+                                  gid_t gid,
+                                  const char **attrs,
+                                  struct ldb_message **msg);
+
 int sysdb_search_group_by_sid_str(TALLOC_CTX *mem_ctx,
                                   struct sss_domain_info *domain,
                                   const char *sid_str,
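Review bot: The new public prototype `sysdb_search_group_by_origgid()` is added without any comment, while the neighbouring `sysdb_search_group_by_gid()` carries an explicit MPG caveat in the .c file; a header reader cannot tell which attribute is searched or that the helper shares that limitation. Add a short comment above the declaration, e.g. `/* Search a group by its original (pre-override) AD gidNumber, i.e. the ORIGINALAD_PREFIX SYSDB_GIDNUM attribute. Like sysdb_search_group_by_gid() this is not MPG-aware. */`. The return semantics for "no match" are not visible in this patch, so document them only once confirmed against sysdb_search_group_by_id().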
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index a108a7e60e..1ba40b44f7 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -774,14 +774,13 @@ int sysdb_search_group_by_name(TALLOC_CTX *mem_ctx,
     return sysdb_search_by_name(mem_ctx, domain, name, SYSDB_GROUP, attrs, msg);
 }
 
-/* Please note that sysdb_search_group_by_gid() is not aware of MPGs. If MPG
- * support is needed either the caller must handle it or sysdb_getgrgid() or
- * sysdb_getgrgid_attrs() should be used. */
-int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
-                              struct sss_domain_info *domain,
-                              gid_t gid,
-                              const char **attrs,
-                              struct ldb_message **msg)
+static int
+sysdb_search_group_by_id(TALLOC_CTX *mem_ctx,
+                         struct sss_domain_info *domain,
+                         const char *filterfmt,
+                         gid_t gid,
+                         const char **attrs,
+                         struct ldb_message **msg)
 {
     TALLOC_CTX *tmp_ctx;
     const char *def_attrs[] = { SYSDB_NAME, SYSDB_GIDNUM, NULL };
@@ -802,7 +801,7 @@ int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
-    filter = talloc_asprintf(tmp_ctx, SYSDB_GRGID_FILTER, (unsigned long)gid);
+    filter = talloc_asprintf(tmp_ctx, filterfmt, (unsigned long)gid);
     if (!filter) {
         ret = ENOMEM;
         goto done;
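Review bot: `talloc_asprintf(tmp_ctx, filterfmt, (unsigned long)gid)` now takes its format string from a parameter, so the compiler can no longer check the `%lu` conversion against the argument and `-Wformat-nonliteral`/`-Wformat-security` will flag the call. The helper is `static` and both visible callers pass compile-time filter macros from sysdb.h, so this is not exploitable as written, but a safer shape keeps the format literal and parameterises only the attribute name: `filter = talloc_asprintf(tmp_ctx, "(&("SYSDB_GC")(%s=%lu))", attr, (unsigned long)gid);` with the parameter renamed to `const char *attr` in the signature from the previous hunk and the wrappers passing `SYSDB_GIDNUM` and `ORIGINALAD_PREFIX SYSDB_GIDNUM` respectively. If the filter-format design is kept, at least add `/* filterfmt is always one of the literal SYSDB_GR*_FILTER macros */` at the call site. The enclosing function starts in the previous hunk and ends in the next.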
@@ -833,6 +832,29 @@ int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
     return ret;
 }
 
+/* Please note that sysdb_search_group_by_gid() is not aware of MPGs. If MPG
+ * support is needed either the caller must handle it or sysdb_getgrgid() or
+ * sysdb_getgrgid_attrs() should be used. */
+int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
+                              struct sss_domain_info *domain,
+                              gid_t gid,
+                              const char **attrs,
+                              struct ldb_message **msg)
+{
+    return sysdb_search_group_by_id(mem_ctx, domain, SYSDB_GRGID_FILTER,
+                                    gid, attrs, msg);
+}
+
+int sysdb_search_group_by_origgid(TALLOC_CTX *mem_ctx,
+                                  struct sss_domain_info *domain,
+                                  gid_t gid,
+                                  const char **attrs,
+                                  struct ldb_message **msg)
+{
+    return sysdb_search_group_by_id(mem_ctx, domain, SYSDB_GRORIGGID_FILTER,
+                                    gid, attrs, msg);
+}
+
 int sysdb_search_group_by_sid_str(TALLOC_CTX *mem_ctx,
                                   struct sss_domain_info *domain,
                                   const char *sid_str,
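Review bot: The "not aware of MPGs" caveat is kept only on `sysdb_search_group_by_gid()`, yet both wrappers now funnel into the same `sysdb_search_group_by_id()` and the new `sysdb_search_group_by_origgid()` inherits the same limitation silently. Move the comment onto the shared static helper (its definition starts in an earlier hunk) or repeat it on the new wrapper, e.g. `/* Same MPG caveat as sysdb_search_group_by_gid(); only the searched attribute differs. */`. The name `sysdb_search_group_by_id` is also easy to confuse with the gid variant; a name such as `sysdb_search_group_by_id_filter` would make the role of the extra parameter obvious at call sites.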
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 59cdd800d1..2367d9ecd9 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -317,6 +317,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
     struct sss_domain_info *domain;
     struct ldb_message *user;
     struct ldb_message *msg;
+    struct ldb_message *primary_group_msg;
     const char *posix;
     struct sized_string rawname;
     struct sized_string unique_name;
@@ -349,6 +350,19 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
                                                     SYSDB_PRIMARY_GROUP_GIDNUM,
                                                     0);
 
+    /* Try to get the real gid in case the primary group's gid was overriden. */
+    ret = sysdb_search_group_by_origgid(NULL, domain, orig_gid, NULL,
+                                        &primary_group_msg);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE, "Unable to find primary gid [%d]: %s\n",
+              ret, sss_strerror(ret));
+        /* Just continue with what we have. */
+    } else {
+        orig_gid = ldb_msg_find_attr_as_uint64(primary_group_msg, SYSDB_GIDNUM,
+                                               orig_gid);
+        talloc_free(primary_group_msg);
+    }
+
     /* If the GID of the original primary group is available but equal to the
      * current primary GID it must not be added. */
     orig_gid = orig_gid == gid ? 0 : orig_gid;
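Review bot: The new lookup runs unconditionally, so a user whose cached object carries no `SYSDB_PRIMARY_GROUP_GIDNUM` (the default `0` from the call just above) still triggers a sysdb search for `originalADgidNumber=0` on every initgroups request, and every miss is logged at `SSSDBG_MINOR_FAILURE` even though "no override" is the normal case for non-AD or non-overridden users. Guard the search with `if (orig_gid != 0)`, treat a not-found result (presumably ENOENT, as with the sibling sysdb_search_* helpers) as a trace-level event, and reset `ret` to EOK afterwards so the stale error from this best-effort branch cannot leak into a later `return ret` in the function, whose body continues past the hunk. The `NULL` talloc context passed as mem_ctx is balanced by the `talloc_free` on success, but if a request-scoped context is reachable here it would be the safer owner of the temporary message. Note also that this adds one extra sysdb query per initgroups call on the responder's hot path.
```c
    /* Try to get the real gid in case the primary group's gid was overridden.
     * Skip the lookup when no original gid is cached and treat "not found"
     * as the normal no-override case rather than a failure. */
    if (orig_gid != 0) {
        ret = sysdb_search_group_by_origgid(NULL, domain, orig_gid, NULL,
                                            &primary_group_msg);
        if (ret == EOK) {
            orig_gid = ldb_msg_find_attr_as_uint64(primary_group_msg,
                                                   SYSDB_GIDNUM, orig_gid);
            talloc_free(primary_group_msg);
        } else if (ret == ENOENT) {
            DEBUG(SSSDBG_TRACE_FUNC, "No group with original gid %lu\n",
                  (unsigned long)orig_gid);
        } else {
            DEBUG(SSSDBG_MINOR_FAILURE, "Unable to find primary gid [%d]: %s\n",
                  ret, sss_strerror(ret));
            /* Just continue with what we have. */
        }
        ret = EOK;
    }
    /* … unchanged: orig_gid == gid check … */
```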