
From e62c422753537d8e2b98e979553626850b7b7600 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 5 Mar 2014 11:50:54 +0100
Subject: [PATCH 108/110] AD: Only connect to GC for subdomain users
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
https://fedorahosted.org/sssd/ticket/2251
By connecting to GC for users from both trusted domains and parent
domain, we lose the ability to download the shell and homedir if these
are used with ID mapping.
This patch changes the user lookups only. Changing the logic for all
lookups would break cross-domain group memberships, for example.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit bb8a08118db0916bf8252a9481c16271ec20acd3)
---
 src/providers/ad/ad_id.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 87af656b364344a8ef27a444e5dfcf8848939110..a35823b4b77d42fc583a61653a175f0ee4d22ac4 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -215,9 +215,26 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
               struct sss_domain_info *dom, struct be_acct_req *ar)
 {
     struct sdap_id_conn_ctx **clist;
+    int cindex = 0;
 
     switch (ar->entry_type & BE_REQ_TYPE_MASK) {
     case BE_REQ_USER: /* user */
+        clist = talloc_zero_array(ad_ctx, struct sdap_id_conn_ctx *, 3);
+        if (clist == NULL) return NULL;
+
+        /* Try GC first for users from trusted domains */
+        if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)
+                && IS_SUBDOMAIN(dom)) {
+            clist[cindex] = ad_ctx->gc_ctx;
+            clist[cindex]->ignore_mark_offline = true;
+            cindex++;
+        }
+
+        /* Users from primary domain can be just downloaded from LDAP.
+         * The domain's LDAP connection also works as a fallback
+         */
+        clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom);
+        break;
     case BE_REQ_BY_SECID:   /* by SID */
     case BE_REQ_USER_AND_GROUP: /* get SID */
     case BE_REQ_GROUP: /* group */
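Review bot: The new GC branch in the BE_REQ_USER case dereferences `ad_ctx->gc_ctx` to set `ignore_mark_offline` without checking it for NULL; AD_ENABLE_GC being enabled does not, from what is visible here, guarantee that the GC connection context was initialised, so a missing GC context would crash the lookup instead of falling through to the domain LDAP connection. Extending the guard to `&& ad_ctx->gc_ctx != NULL` keeps the LDAP fallback described in the comment below reachable. Setting `ignore_mark_offline` on the shared `gc_ctx` object also outlives this request; if that is intended, a short comment saying so would help the next reader. get_conn_list's body continues outside the hunk, so whether the array allocated on `ad_ctx` rather than on `breq` is released per request cannot be confirmed here and is worth a look.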
-- 
1.8.5.3