From bea6b6c6bcf711e0d96a4263f60e0e1b0a64c45f Mon Sep 17 00:00:00 2001

From: Lukas Slebodnik <lslebodn@redhat.com>

Date: Mon, 13 Apr 2015 09:50:29 +0200

Subject: [PATCH 200/200] SDAP: Filter ad groups in initgroups

Function sdap_add_incomplete_groups stored domain local groups

from subdomain as POSIX group, which should not be done.

Resolves:

https://fedorahosted.org/sssd/ticket/2614

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

(cherry picked from commit b9fbeb75e7a4f50f98d979a70a710f9221892483)

---

 src/providers/ldap/sdap_async_initgroups.c | 12 ++++++++++++

 1 file changed, 12 insertions(+)

diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c

index bc6b5e45e6a7f7dc0c482a6bbbf2aa602371a647..43b72fe2051b452c6ea755c8842117cceafa143a 100644

--- a/src/providers/ldap/sdap_async_initgroups.c

+++ b/src/providers/ldap/sdap_async_initgroups.c

@@ -51,6 +51,7 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,

     time_t now;

     char *sid_str = NULL;

     bool use_id_mapping;

+    bool need_filter;

     char *tmp_name;

     /* There are no groups in LDAP but we should add user to groups ?? */

@@ -205,6 +206,17 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,

                     uuid = NULL;

                 }

+                ret = sdap_check_ad_group_type(domain, opts, ldap_groups[ai],

+                                               groupname, &need_filter);

+                if (ret != EOK) {

+                    goto done;

+                }

+

+                if (need_filter) {

+                    posix = false;

+                    gid = 0;

+                }

+

                 DEBUG(SSSDBG_TRACE_INTERNAL,

                       "Adding fake group %s to sysdb\n", groupname);

                 ret = sysdb_add_incomplete_group(domain, groupname, gid,

-- 

2.1.0