From a3877f8eb322be17f7d08d74ad3cf655b96219b5 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Tue, 13 May 2014 15:18:07 +0200

Subject: [PATCH 122/124] AD: Do not remove non-root domains when looking up

 root domain

https://fedorahosted.org/sssd/ticket/2322

When the AD subdomains code looked up the root domain subsequently

(after the domain list was already populated), the non-root domains

might have been removed along with their respective tasks, because the

root domain lookup only ever matched a single root domain.

This could cause havoc especially during login when different lookups

for different domains might be going on during user group refresh.

---

 src/providers/ad/ad_subdomains.c | 25 ++++++++++++++++++++++---

 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c

index 3c841788d5d88069d79a9438b72f57c8c2e0ffda..ee04cbbe048e55666db22c48cf22c4c0241a0e3c 100644

--- a/src/providers/ad/ad_subdomains.c

+++ b/src/providers/ad/ad_subdomains.c

@@ -325,13 +325,15 @@ done:

 }

 static errno_t ad_subdomains_refresh(struct ad_subdomains_ctx *ctx,

-                                     int count, struct sysdb_attrs **reply,

+                                     int count, bool root_domain,

+                                     struct sysdb_attrs **reply,

                                      bool *changes)

 {

     struct sdap_domain *sdom;

     struct sss_domain_info *domain, *dom;

     bool handled[count];

     const char *value;

+    const char *root_name = NULL;

     int c, h;

     int ret;

     bool enumerate;

@@ -340,10 +342,27 @@ static errno_t ad_subdomains_refresh(struct ad_subdomains_ctx *ctx,

     memset(handled, 0, sizeof(bool) * count);

     h = 0;

+    if (root_domain) {

+        ret = sysdb_attrs_get_string(reply[0], AD_AT_TRUST_PARTNER,

+                                     &root_name);

+        if (ret != EOK) {

+            DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));

+            goto done;

+        }

+    }

+

     /* check existing subdomains */

     for (dom = get_next_domain(domain, true);

          dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */

          dom = get_next_domain(dom, false)) {

+

+        /* If we are handling root domain, skip all the other domains. We don't

+         * want to accidentally remove non-root domains

+         */

+        if (root_name && strcmp(root_name, dom->name) != 0) {

+            continue;

+        }

+

         for (c = 0; c < count; c++) {

             if (handled[c]) {

                 continue;

@@ -719,7 +738,7 @@ static void ad_subdomains_get_root_domain_done(struct tevent_req *req)

         goto fail;

     }

-    ret = ad_subdomains_refresh(ctx->sd_ctx, 1, reply, &has_changes);

+    ret = ad_subdomains_refresh(ctx->sd_ctx, 1, true, reply, &has_changes);

     if (ret != EOK) {

         DEBUG(SSSDBG_OP_FAILURE, ("ad_subdomains_refresh failed.\n"));

         goto fail;

@@ -1013,7 +1032,7 @@ static void ad_subdomains_get_slave_domain_done(struct tevent_req *req)

     }

     /* Got all the subdomains, let's process them */

-    ret = ad_subdomains_refresh(ctx->sd_ctx, nsubdoms, subdoms,

+    ret = ad_subdomains_refresh(ctx->sd_ctx, nsubdoms, false, subdoms,

                                 &refresh_has_changes);

     if (ret != EOK) {

         DEBUG(SSSDBG_OP_FAILURE, ("Failed to refresh subdomains.\n"));

-- 

1.9.0