From 55e8b436443cfae1c3b2155be7325d53760f7271 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 20 Jul 2017 20:01:14 +0200
Subject: [PATCH 190/190] ad_account_can_shortcut: shortcut if ID is unknown
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If sss_idmap_unix_to_sid() returns an error we can assume that the given
POSIX ID is not from the current domain and can be skipped. This is e.g.
the case in the IPA provider if a POSIX ID used in the IPA domain is
checked in a trusted id-mapped AD domain before the IPA domain is
checked.
Resolves https://pagure.io/SSSD/sssd/issue/3452
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ad/ad_id.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index d1f6c444f5ddbcbbac6ff7f41fb6c8bf9ca976cb..e14ada386f16851a65097952c85e57b7acda14aa 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -86,6 +86,8 @@ static bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx,
if (err != IDMAP_SUCCESS) {
DEBUG(SSSDBG_MINOR_FAILURE, "Mapping ID [%s] to SID failed: "
"[%s]\n", filter_value, idmap_error_string(err));
+ /* assume id is from a different domain */
+ shortcut = true;
goto done;
}
/* fall through */
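Review bot: The added `shortcut = true;` applies to every non-success result of the ID-to-SID mapping, not only to the "ID is outside this domain's ranges" case that the commit message describes. An allocation or context failure in the mapper would then also cause this AD domain to be skipped, so an ID that does belong here could go unresolved or be answered by a domain checked later. Consider limiting the shortcut to the specific not-found result, e.g. `shortcut = (err == IDMAP_NO_DOMAIN);` if that is the code the mapper returns for an unmapped ID (to be confirmed against sss_idmap), and spelling the assumption out in the comment: `/* no range matched: ID belongs to another domain, skip this one */`. The body of ad_account_can_shortcut begins and ends outside this hunk, so how `shortcut` is initialised and consumed after `done:` is not visible here.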
--
2.9.4