|
|
ced1f5 |
From d56d41e76741f418e88e479b91193db3ee3f1688 Mon Sep 17 00:00:00 2001
|
|
|
ced1f5 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
ced1f5 |
Date: Wed, 17 Jan 2018 21:59:24 +0100
|
|
|
ced1f5 |
Subject: [PATCH 101/101] AD: Use the right sdap_domain for the forest root
|
|
|
ced1f5 |
MIME-Version: 1.0
|
|
|
ced1f5 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ced1f5 |
Content-Transfer-Encoding: 8bit
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Each ad_id_ctx structure which represents a trusted AD domain contains a
|
|
|
ced1f5 |
list of sdap_domain structures representing all the other domains. This
|
|
|
ced1f5 |
is used to e.g. be able to reach another domain's ad_id_ctx and use its
|
|
|
ced1f5 |
LDAP connection.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
However, the sdap search call that was searching for trusted domains in
|
|
|
ced1f5 |
the forest that the root domain knows about, was unconditionally using
|
|
|
ced1f5 |
the first sdap_domain structure in the list linked from the root_domain's
|
|
|
ced1f5 |
ad_id_ctx structure.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
It should be noted that this search only happens in case the machine is
|
|
|
ced1f5 |
joined to one of the non-root domains in the forest and searches the root
|
|
|
ced1f5 |
domain explicitly.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
In case sdap_domain structures linked from the ad_id_ctx representing
|
|
|
ced1f5 |
the root domain were ordered so that the first sdap_domain in the list
|
|
|
ced1f5 |
was representing a different domain than the one linked from the
|
|
|
ced1f5 |
ad_id_ctx, the sdap search would have used a wrong search base derived
|
|
|
ced1f5 |
from the unexpected sdap_domain which would result in a referral being
|
|
|
ced1f5 |
returned.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
This patch explicitly looks up the sdap_domain structure that
|
|
|
ced1f5 |
corresponds to the root domain.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Resolves:
|
|
|
ced1f5 |
https://pagure.io/SSSD/sssd/issue/3594
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
ced1f5 |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
ced1f5 |
(cherry picked from commit 9ac071272ce0152eb293d3181a5c12b395655521)
|
|
|
ced1f5 |
---
|
|
|
ced1f5 |
src/providers/ad/ad_subdomains.c | 110 +++++++++++++++++++++++++++------------
|
|
|
ced1f5 |
1 file changed, 77 insertions(+), 33 deletions(-)
|
|
|
ced1f5 |
|
|
|
ced1f5 |
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
|
|
ced1f5 |
index 1b9483a5dce937d6acdd813486a1e8c18210d35f..bd94ba8ea93679df8d01508b3d4d85217d9c1c87 100644
|
|
|
ced1f5 |
--- a/src/providers/ad/ad_subdomains.c
|
|
|
ced1f5 |
+++ b/src/providers/ad/ad_subdomains.c
|
|
|
ced1f5 |
@@ -57,6 +57,71 @@
|
|
|
ced1f5 |
/* do not refresh more often than every 5 seconds for now */
|
|
|
ced1f5 |
#define AD_SUBDOMAIN_REFRESH_LIMIT 5
|
|
|
ced1f5 |
|
|
|
ced1f5 |
+static struct sss_domain_info *
|
|
|
ced1f5 |
+ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs)
|
|
|
ced1f5 |
+{
|
|
|
ced1f5 |
+ struct sss_domain_info *dom;
|
|
|
ced1f5 |
+ const char *name;
|
|
|
ced1f5 |
+ errno_t ret;
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ if (attrs == NULL) {
|
|
|
ced1f5 |
+ /* Clients joined to the forest root directly don't even discover
|
|
|
ced1f5 |
+ * the root domain, so the attrs are expected to be NULL in this
|
|
|
ced1f5 |
+ * case
|
|
|
ced1f5 |
+ */
|
|
|
ced1f5 |
+ return be_ctx->domain;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ ret = sysdb_attrs_get_string(attrs, AD_AT_TRUST_PARTNER, &name);
|
|
|
ced1f5 |
+ if (ret != EOK) {
|
|
|
ced1f5 |
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
|
|
|
ced1f5 |
+ return NULL;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ /* With a subsequent run, the root should already be known */
|
|
|
ced1f5 |
+ for (dom = be_ctx->domain; dom != NULL;
|
|
|
ced1f5 |
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ if (strcasecmp(dom->name, name) == 0) {
|
|
|
ced1f5 |
+ /* The forest root is special, although it might be disabled for
|
|
|
ced1f5 |
+ * general lookups we still want to try to get the domains in the
|
|
|
ced1f5 |
+ * forest from a DC of the forest root */
|
|
|
ced1f5 |
+ if (sss_domain_get_state(dom) == DOM_DISABLED
|
|
|
ced1f5 |
+ && !sss_domain_is_forest_root(dom)) {
|
|
|
ced1f5 |
+ return NULL;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
+ return dom;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ return NULL;
|
|
|
ced1f5 |
+}
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+static struct sdap_domain *
|
|
|
ced1f5 |
+ads_get_root_sdap_domain(struct be_ctx *be_ctx,
|
|
|
ced1f5 |
+ struct sdap_options *opts,
|
|
|
ced1f5 |
+ struct sysdb_attrs *attrs)
|
|
|
ced1f5 |
+{
|
|
|
ced1f5 |
+ struct sdap_domain *root_sdom;
|
|
|
ced1f5 |
+ struct sss_domain_info *root_dom;
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ root_dom = ads_get_root_domain(be_ctx, attrs);
|
|
|
ced1f5 |
+ if (root_dom == NULL) {
|
|
|
ced1f5 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
ced1f5 |
+ "ads_get_root_domain did not find the domain\n");
|
|
|
ced1f5 |
+ return NULL;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ root_sdom = sdap_domain_get(opts, root_dom);
|
|
|
ced1f5 |
+ if (root_sdom == NULL) {
|
|
|
ced1f5 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
ced1f5 |
+ "Failed to find sdap_domain for the root domain\n");
|
|
|
ced1f5 |
+ return NULL;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ return root_sdom;
|
|
|
ced1f5 |
+}
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
static errno_t ad_get_enabled_domains(TALLOC_CTX *mem_ctx,
|
|
|
ced1f5 |
struct ad_id_ctx *ad_id_ctx,
|
|
|
ced1f5 |
const char *ad_domain,
|
|
|
ced1f5 |
@@ -755,6 +820,7 @@ struct ad_get_slave_domain_state {
|
|
|
ced1f5 |
struct sdap_options *opts;
|
|
|
ced1f5 |
struct sdap_idmap_ctx *idmap_ctx;
|
|
|
ced1f5 |
struct sysdb_attrs *root_attrs;
|
|
|
ced1f5 |
+ struct sdap_domain *root_sdom;
|
|
|
ced1f5 |
struct sdap_id_op *sdap_op;
|
|
|
ced1f5 |
};
|
|
|
ced1f5 |
|
|
|
ced1f5 |
@@ -786,6 +852,13 @@ ad_get_slave_domain_send(TALLOC_CTX *mem_ctx,
|
|
|
ced1f5 |
state->opts = root_id_ctx->sdap_id_ctx->opts;
|
|
|
ced1f5 |
state->idmap_ctx = root_id_ctx->sdap_id_ctx->opts->idmap_ctx;
|
|
|
ced1f5 |
state->root_attrs = root_attrs;
|
|
|
ced1f5 |
+ state->root_sdom = ads_get_root_sdap_domain(state->be_ctx,
|
|
|
ced1f5 |
+ state->opts,
|
|
|
ced1f5 |
+ state->root_attrs);
|
|
|
ced1f5 |
+ if (state->root_sdom == NULL) {
|
|
|
ced1f5 |
+ ret = ERR_DOMAIN_NOT_FOUND;
|
|
|
ced1f5 |
+ goto immediately;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
|
|
|
ced1f5 |
state->sdap_op = sdap_id_op_create(state, root_id_ctx->ldap_ctx->conn_cache);
|
|
|
ced1f5 |
if (state->sdap_op == NULL) {
|
|
|
ced1f5 |
@@ -861,7 +934,7 @@ static void ad_get_slave_domain_connect_done(struct tevent_req *subreq)
|
|
|
ced1f5 |
|
|
|
ced1f5 |
subreq = sdap_search_bases_send(state, state->ev, state->opts,
|
|
|
ced1f5 |
sdap_id_op_handle(state->sdap_op),
|
|
|
ced1f5 |
- state->opts->sdom->search_bases,
|
|
|
ced1f5 |
+ state->root_sdom->search_bases,
|
|
|
ced1f5 |
NULL, false, 0,
|
|
|
ced1f5 |
SLAVE_DOMAIN_FILTER, attrs);
|
|
|
ced1f5 |
if (subreq == NULL) {
|
|
|
ced1f5 |
@@ -965,38 +1038,6 @@ static errno_t ad_get_slave_domain_recv(struct tevent_req *req)
|
|
|
ced1f5 |
return EOK;
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
|
|
|
ced1f5 |
-static struct sss_domain_info *
|
|
|
ced1f5 |
-ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs)
|
|
|
ced1f5 |
-{
|
|
|
ced1f5 |
- struct sss_domain_info *dom;
|
|
|
ced1f5 |
- const char *name;
|
|
|
ced1f5 |
- errno_t ret;
|
|
|
ced1f5 |
-
|
|
|
ced1f5 |
- ret = sysdb_attrs_get_string(attrs, AD_AT_TRUST_PARTNER, &name);
|
|
|
ced1f5 |
- if (ret != EOK) {
|
|
|
ced1f5 |
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
|
|
|
ced1f5 |
- return NULL;
|
|
|
ced1f5 |
- }
|
|
|
ced1f5 |
-
|
|
|
ced1f5 |
- /* With a subsequent run, the root should already be known */
|
|
|
ced1f5 |
- for (dom = be_ctx->domain; dom != NULL;
|
|
|
ced1f5 |
- dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
|
|
|
ced1f5 |
-
|
|
|
ced1f5 |
- if (strcasecmp(dom->name, name) == 0) {
|
|
|
ced1f5 |
- /* The forest root is special, although it might be disabled for
|
|
|
ced1f5 |
- * general lookups we still want to try to get the domains in the
|
|
|
ced1f5 |
- * forest from a DC of the forest root */
|
|
|
ced1f5 |
- if (sss_domain_get_state(dom) == DOM_DISABLED
|
|
|
ced1f5 |
- && !sss_domain_is_forest_root(dom)) {
|
|
|
ced1f5 |
- return NULL;
|
|
|
ced1f5 |
- }
|
|
|
ced1f5 |
- return dom;
|
|
|
ced1f5 |
- }
|
|
|
ced1f5 |
- }
|
|
|
ced1f5 |
-
|
|
|
ced1f5 |
- return NULL;
|
|
|
ced1f5 |
-}
|
|
|
ced1f5 |
-
|
|
|
ced1f5 |
static struct ad_id_ctx *
|
|
|
ced1f5 |
ads_get_root_id_ctx(struct be_ctx *be_ctx,
|
|
|
ced1f5 |
struct ad_id_ctx *ad_id_ctx,
|
|
|
ced1f5 |
@@ -1416,6 +1457,9 @@ static void ad_subdomains_refresh_root_done(struct tevent_req *subreq)
|
|
|
ced1f5 |
req = tevent_req_callback_data(subreq, struct tevent_req);
|
|
|
ced1f5 |
state = tevent_req_data(req, struct ad_subdomains_refresh_state);
|
|
|
ced1f5 |
|
|
|
ced1f5 |
+ /* Note: For clients joined to the root domain, root_attrs is NULL,
|
|
|
ced1f5 |
+ * see ad_get_root_domain_send()
|
|
|
ced1f5 |
+ */
|
|
|
ced1f5 |
ret = ad_get_root_domain_recv(state, subreq, &root_attrs, &root_id_ctx);
|
|
|
ced1f5 |
talloc_zfree(subreq);
|
|
|
ced1f5 |
if (ret != EOK) {
|
|
|
ced1f5 |
--
|
|
|
ced1f5 |
2.14.3
|
|
|
ced1f5 |
|