From 75da39f57ba0223be9bd9906cd3ed902623aed10 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 18 Dec 2017 20:30:04 +0100
Subject: [PATCH 94/96] SDAP: skip builtin AD groups in sdap_save_grpmem()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
While processing group memberships SSSD might accidentally save builtin
or other well-known AD groups. With this patch those groups are skipped,
in the same way as is already done in e.g. sdap_save_group().
Resolves:
https://pagure.io/SSSD/sssd/issue/3610
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
(cherry picked from commit c36a66b7fb77cff29400c751b363a342923e122e)
---
src/providers/ldap/sdap_async_groups.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index b1cfb7e4a4c054e5d365da5fca65da27c9ef5461..bbe6f1386eadbe4eb7b47bea9e5a6bb8ff4ee8eb 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -880,6 +880,8 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
int ret;
const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST,
NULL};
+ const char *check_dom;
+ const char *check_name;
if (dom->ignore_group_members) {
DEBUG(SSSDBG_CRIT_FAILURE,
@@ -905,6 +907,15 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
group_dom = sss_get_domain_by_sid_ldap_fallback(get_domains_head(dom),
group_sid);
if (group_dom == NULL) {
+ ret = well_known_sid_to_name(group_sid, &check_dom, &check_name);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Skipping group with SID [%s][%s\\%s] which is "
+ "currently not handled by SSSD.\n",
+ group_sid, check_dom, check_name);
+ return EOK;
+ }
+
DEBUG(SSSDBG_TRACE_FUNC, "SID [%s] does not belong to any known "
"domain, using [%s].\n", group_sid,
dom->name);
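Review bot: The early `return EOK;` added after the well_known_sid_to_name() check leaves sdap_save_grpmem() through a path that skips whatever cleanup the function normally performs, and the function's body both starts before and continues past this hunk, so I cannot see from here whether a temporary talloc context or other resource has already been acquired by line 905; if it has, this return leaks it, and the skip should instead set `ret = EOK;` and jump to the function's common exit label. The same applies to `ret` itself: when well_known_sid_to_name() returns something other than EOK, `ret` now holds that error value while execution continues into the "does not belong to any known domain" fallback, which is harmless only if every later use of `ret` first reassigns it — worth confirming, or narrowing the scope with a dedicated local. A one-line comment above the new block would help a future reader, e.g. `/* Well-known SIDs (BUILTIN, NT AUTHORITY, ...) have no SSSD domain; skip them instead of attaching their membership to the fallback domain. */`.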
--
2.14.3