From 8f9d7684a47cd4715dce22c8254ddde205db9afe Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 12 Dec 2014 13:07:55 -0500
Subject: [PATCH 7/7] IPA: properly handle groups from different domains
When groups are resolved on IPA clients as part of a user lookup not all
groups have to be from the same domain as the user. This has to be
checked to store the group object properly in the cache.
Related to https://fedorahosted.org/sssd/ticket/2529
and https://fedorahosted.org/sssd/ticket/2524
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 677d1625860186ad02d4d8c7290d45b782bc4c38..6d5b45edf20f720f5b97f0ed5c8ec591c580de0d 100644
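--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1867,10 +1867,24 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 case RESP_GROUP_MEMBERS:
 type = SYSDB_MEMBER_GROUP;
 
+ if (0 != strcmp(dom->name, attrs->domain_name)) {
+ dom = find_domain_by_name(get_domains_head(dom),
+ attrs->domain_name, true);
+ if (dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot find domain: [%s]\n", attrs->domain_name);
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
 if (name == NULL) {
+ name = attrs->a.group.gr_name;
+ }
+
+ if (IS_SUBDOMAIN(dom)) {
 /* we always use the fully qualified name for subdomain users */
- name = sss_tc_fqname(tmp_ctx, dom->names, dom,
- attrs->a.group.gr_name);
+ name = sss_tc_fqname(tmp_ctx, dom->names, dom, name);
 if (!name) {
 DEBUG(SSSDBG_OP_FAILURE, "failed to format user name,\n");
 ret = ENOMEM;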
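Review bot: `attrs->domain_name` goes straight into `strcmp()` at the top of the `RESP_GROUP_MEMBERS` case, and nothing in the hunk shows it is non-NULL; the value appears to come from the server's response, so a missing domain would be undefined behaviour instead of a clean error. A guard before the comparison, such as `if (attrs->domain_name == NULL) { ret = EINVAL; goto done; }`, would fail closed. `dom` is the function's own parameter and is now reassigned in place, so any later code in `ipa_s2n_save_objects` that uses `dom` will see the looked-up domain rather than the caller's; a separate local would make that explicit. A caller-supplied `name` is now also passed through `sss_tc_fqname()` when the domain is a subdomain, where before only `gr_name` was, so it is worth confirming that no caller passes an already qualified name. The function starts and ends outside the hunk, so these points need checking against the full body.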
--
1.9.3