From 46b194196749d4ea77d5d4e6bdd64d7c0996b105 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 31 Aug 2021 12:59:15 +0200
Subject: [PATCH] sdap: always create sdap object for a forest root
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Even if the forest root is disabled for user and group lookups a sdap object is needed to lookup trusted domains. This already works if the forest root is discovered for the first time at runtime. But if SSSD is restarted only the domain object but not the sdap object is created.

Resolves: https://github.com/SSSD/sssd/issues/5770

:fixes: Even if the forest root is disabled for lookups all required internal data is initialized to be able to refresh the list of trusted domains in the forest from a DC of the forest root.

Reviewed-by: Pavel Březina
(cherry picked from commit 2a617c0efc07d10efc0688652bfe7ab2d8d6f477)
---
 src/providers/ldap/sdap_domain.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
index d384b2e4a..fa6e9340d 100644
--- a/src/providers/ldap/sdap_domain.c
+++ b/src/providers/ldap/sdap_domain.c
@@ -132,9 +132,17 @@ sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx,
     struct sdap_domain *sdom, *sditer;
     errno_t ret;
 
-    for (dom = get_next_domain(parent, SSS_GND_DESCEND);
+    for (dom = get_next_domain(parent, SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED);
          dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
-         dom = get_next_domain(dom, 0)) {
+         dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) {
+
+        /* Always create sdap domain object for the forest root, even if it is
+         * disabled so that we can connect later to discover trusted domains
+         * in the forest. */
+        if (sss_domain_get_state(dom) == DOM_DISABLED
+            && !sss_domain_is_forest_root(dom)) {
+            continue;
+        }
 
         DLIST_FOR_EACH(sditer, sdom_list) {
             if (sditer->dom == dom) {
-- 
2.26.3
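Review bot: The new `continue` guard lets a forest root in state DOM_DISABLED into sdom_list, so any consumer of that list that previously could assume every entry is enabled for lookups must now re-check `sss_domain_get_state()` before serving user or group requests; the added comment says the object exists only for trusted-domain discovery, but nothing in this hunk enforces that, and if a lookup path picks the entry up the administrator's "disabled" setting would quietly stop meaning what it says. I would state the contract where the exception is made, e.g. `/* NOTE: a disabled forest root entry is for trust discovery only; lookup paths must still check sss_domain_get_state() before using it. */`, and audit the sdom_list consumers, which are outside this hunk. A small style point on the first changed line: `SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED` should be written `SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED` to match the spacing used elsewhere in the file. sdap_domain_subdom_add begins before and continues past this hunk.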