From 2d8d8d1c8badb063daad8ccb3bae01f6e6e5314e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 27 Apr 2018 21:30:42 +0200
Subject: [PATCH] Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Fabiano FidĂȘncio
(cherry picked from commit 8565df471c2fab61534fe6aa1ab81a676ee9c7fe)
(cherry picked from commit d4cc9f09a984fbbf61afab4882795ea55289e885)
---
0025-AD-Missing-header-in-ad_access.h.patch | 30 +++++++
..._options-to-ad_gpo_process_som_state.patch | 65 +++++++++++++++
0027-GPO-Use-AD-site-override-if-set.patch | 79 +++++++++++++++++++
sssd.spec | 4 +
4 files changed, 178 insertions(+)
create mode 100644 0025-AD-Missing-header-in-ad_access.h.patch
create mode 100644 0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
create mode 100644 0027-GPO-Use-AD-site-override-if-set.patch
diff --git a/0025-AD-Missing-header-in-ad_access.h.patch b/0025-AD-Missing-header-in-ad_access.h.patch
new file mode 100644
index 0000000..b00bb67
--- /dev/null
+++ b/0025-AD-Missing-header-in-ad_access.h.patch
@@ -0,0 +1,30 @@
+From d81931454a0846fe503d090595fa5b0d4ffd93a5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?=
+Date: Wed, 4 Apr 2018 12:10:13 +0200
+Subject: [PATCH] AD: Missing header in ad_access.h
+
+ad_access.h depends on data_provider.h header but
+does not include it.
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit abf377672e0011da817b5105fe581b27f2f855b7)
+---
+ src/providers/ad/ad_access.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
+index cc565a8e6..34d5597da 100644
+--- a/src/providers/ad/ad_access.h
++++ b/src/providers/ad/ad_access.h
+@@ -23,6 +23,8 @@
+ #ifndef AD_ACCESS_H_
+ #define AD_ACCESS_H_
+
++#include "providers/data_provider.h"
++
+ struct ad_access_ctx {
+ struct dp_option *ad_options;
+ struct sdap_access_ctx *sdap_access_ctx;
+--
+2.14.3
+
diff --git a/0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch b/0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
new file mode 100644
index 0000000..34ef7ce
--- /dev/null
+++ b/0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
@@ -0,0 +1,65 @@
+From 5e47ae51f5cf11decdfec483ab1adef07ec2b7ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?=
+Date: Wed, 4 Apr 2018 12:17:37 +0200
+Subject: [PATCH] GPO: Add ad_options to ad_gpo_process_som_state
+
+We will need at least ad_site option from this
+context available to get the AD site override
+value.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3646
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit 7a42831b208ed8d2fcb9d8beaa12bd2214bb7dce)
+---
+ src/providers/ad/ad_gpo.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index d9ea31141..028f6a2e7 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -146,6 +146,7 @@ struct tevent_req *ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
+ struct ldb_context *ldb_ctx,
+ struct sdap_id_op *sdap_op,
+ struct sdap_options *opts,
++ struct dp_option *ad_options,
+ int timeout,
+ const char *target_dn,
+ const char *domain_name);
+@@ -1975,6 +1976,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
+ state->ldb_ctx,
+ state->sdap_op,
+ state->opts,
++ state->access_ctx->ad_options,
+ state->timeout,
+ state->target_dn,
+ state->host_domain->name);
+@@ -2701,6 +2703,7 @@ struct ad_gpo_process_som_state {
+ struct tevent_context *ev;
+ struct sdap_id_op *sdap_op;
+ struct sdap_options *opts;
++ struct dp_option *ad_options;
+ int timeout;
+ bool allow_enforced_only;
+ char *site_name;
+@@ -2734,6 +2737,7 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
+ struct ldb_context *ldb_ctx,
+ struct sdap_id_op *sdap_op,
+ struct sdap_options *opts,
++ struct dp_option *ad_options,
+ int timeout,
+ const char *target_dn,
+ const char *domain_name)
+@@ -2752,6 +2756,7 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
+ state->ev = ev;
+ state->sdap_op = sdap_op;
+ state->opts = opts;
++ state->ad_options = ad_options;
+ state->timeout = timeout;
+ state->som_index = 0;
+ state->allow_enforced_only = 0;
+--
+2.14.3
+
diff --git a/0027-GPO-Use-AD-site-override-if-set.patch b/0027-GPO-Use-AD-site-override-if-set.patch
new file mode 100644
index 0000000..59066dd
--- /dev/null
+++ b/0027-GPO-Use-AD-site-override-if-set.patch
@@ -0,0 +1,79 @@
+From 82096e7e4a6ccaf8a2828ddfc77a04c930a14148 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?=
+Date: Wed, 4 Apr 2018 13:24:21 +0200
+Subject: [PATCH] GPO: Use AD site override if set
+
+Use AD site override if it was set in SSSD configuration.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3646
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit 744e2b4d0710c1dc850bfadbd75ae1ae7faf1148)
+---
+ src/providers/ad/ad_gpo.c | 33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index 028f6a2e7..a48f264c7 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -2806,7 +2806,8 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq)
+ struct tevent_req *req;
+ struct ad_gpo_process_som_state *state;
+ int ret;
+- char *site;
++ char *site = NULL;
++ char *site_override = NULL;
+ const char *attrs[] = {AD_AT_CONFIG_NC, NULL};
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+@@ -2817,17 +2818,43 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq)
+ talloc_zfree(subreq);
+
+ if (ret != EOK || site == NULL) {
+- DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve master domain info\n");
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "Could not autodiscover AD site. This is not fatal if "
++ "ad_site option was set.\n");
++ }
++
++ site_override = dp_opt_get_string(state->ad_options, AD_SITE);
++ if (site_override != NULL) {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "Overriding autodiscovered AD site value '%s' with '%s' from "
++ "configuration.\n", site ? site : "none", site_override);
++ }
++
++ if (site == NULL && site_override == NULL) {
++ sss_log(SSS_LOG_WARNING,
++ "Could not autodiscover AD site value using DNS and ad_site "
++ "option was not set in configuration. GPO will not work. "
++ "To work around this issue you can use ad_site option in SSSD "
++ "configuration.");
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Could not autodiscover AD site value using DNS and ad_site "
++ "option was not set in configuration. GPO will not work. "
++ "To work around this issue you can use ad_site option in SSSD "
++ "configuration.\n");
+ tevent_req_error(req, ENOENT);
+ return;
+ }
+
+- state->site_name = talloc_asprintf(state, "cn=%s", site);
++ state->site_name = talloc_asprintf(state, "cn=%s",
++ site_override ? site_override
++ : site);
+ if (state->site_name == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
++ DEBUG(SSSDBG_TRACE_FUNC, "Using AD site '%s'.\n", state->site_name);
++
+ /*
+ * note: the configNC attribute is being retrieved here from the rootDSE
+ * entry. In future, since we already make an LDAP query for the rootDSE
+--
+2.14.3
+
diff --git a/sssd.spec b/sssd.spec
index 283c17a..4816d85 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -67,6 +67,9 @@ Patch0021: 0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch
 Patch0022: 0022-CONFDB-Add-passwd_files-and-group_files-options.patch
 Patch0023: 0023-FILES-Handle-files-provider-sources.patch
 Patch0024: 0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch
+Patch0025: 0025-AD-Missing-header-in-ad_access.h.patch
+Patch0026: 0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
+Patch0027: 0027-GPO-Use-AD-site-override-if-set.patch
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@@ -1277,6 +1280,7 @@ fi
 - Resolves: upstream#3550 - refresh_expired_interval does not work with netgrous in 1.15
 - Resolves: upstream#3402 - Support alternative sources for the files provider
+- Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option
 * Fri Mar 30 2018 Fabiano FidĂȘncio - 1.16.1-2
 - Resolves: upstream#3573 - sssd won't show netgroups with blank domain