From de891b231464f10ce029593d7ee2ebb401e8a0b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 19 Feb 2018 12:51:57 +0100
Subject: [PATCH] SDAP: Properly handle group id-collision when renaming incomplete groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves: https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano FidĂȘncio
Reviewed-by: Jakub Hrozek
(cherry picked from commit a2e743cd23e8e2033340612c77a8dbb8ef48c1e1)
---
 src/providers/ad/ad_pac.c | 3 +++
 src/providers/ldap/sdap_async_ad.h | 1 +
 src/providers/ldap/sdap_async_initgroups.c | 13 +++++++++++++
 src/providers/ldap/sdap_async_initgroups_ad.c | 15 +++++++++++++++
 4 files changed, 32 insertions(+)

diff --git a/src/providers/ad/ad_pac.c b/src/providers/ad/ad_pac.c
index 6b47462cf..1a344725f 100644
--- a/src/providers/ad/ad_pac.c
+++ b/src/providers/ad/ad_pac.c
@@ -434,6 +434,7 @@ struct ad_handle_pac_initgr_state {
 const char *err;
 int dp_error;
 int sdap_ret;
+ struct sdap_options *opts;
 size_t num_missing_sids;
 char **missing_sids;
@@ -471,6 +472,7 @@ struct tevent_req *ad_handle_pac_initgr_send(TALLOC_CTX *mem_ctx,
 return NULL;
 }
 state->user_dom = sdom->dom;
+ state->opts = id_ctx->opts;
 /* The following variables are currently unused because no sub-request
 * returns any of them. But they are needed to allow the same signature as
@@ -514,6 +516,7 @@ struct tevent_req *ad_handle_pac_initgr_send(TALLOC_CTX *mem_ctx,
 DEBUG(SSSDBG_TRACE_ALL, "Running PAC processing with id-mapping.\n");
 ret = sdap_ad_save_group_membership_with_idmapping(state->username,
+ state->opts,
 sdom->dom,
 id_ctx->opts->idmap_ctx,
 num_sids, group_sids);
diff --git a/src/providers/ldap/sdap_async_ad.h b/src/providers/ldap/sdap_async_ad.h
index 950f5a030..a5f47a1a9 100644
--- a/src/providers/ldap/sdap_async_ad.h
+++ b/src/providers/ldap/sdap_async_ad.h
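Review bot: In the @@ -514 hunk the call now takes `state->opts` for the new parameter while still fetching the id-map context from `id_ctx->opts->idmap_ctx` two arguments later, so one call reads the same options object through two different paths. Either pass `state->opts->idmap_ctx,` there, or skip the new state field altogether and pass `id_ctx->opts,` directly, since `id_ctx` is visibly in scope at the call site. A one-line comment on the new field in the @@ -434 hunk, such as `/* LDAP provider options, handed to the group-saving helpers */`, would also say why the state keeps its own copy of `id_ctx->opts`. ad_handle_pac_initgr_send begins and ends outside these hunks.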
@@ -25,6 +25,7 @@
 #define SDAP_ASYNC_AD_H_
 errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
+ struct sdap_options *opts,
 struct sss_domain_info *user_dom,
 struct sdap_idmap_ctx *idmap_ctx,
 size_t num_sids,
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 34747be59..03f6de01a 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -225,6 +225,19 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
 ret = sysdb_add_incomplete_group(domain, groupname, gid, original_dn,
 sid_str, uuid, posix, now);
+ if (ret == ERR_GID_DUPLICATED) {
+ /* In case o group id-collision, do:
+ * - Delete the group from sysdb
+ * - Add the new incomplete group
+ * - Notify the NSS responder that the entry has also to be
+ * removed from the memory cache
+ */
+ ret = sdap_handle_id_collision_for_incomplete_groups(
+ opts->dp, domain, groupname, gid,
+ original_dn, sid_str, uuid, posix,
+ now);
+ }
+
 if (ret != EOK) {
 goto done;
 }
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 30f1d3db2..eab103652 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -836,6 +836,7 @@ sdap_ad_tokengroups_initgr_mapping_connect_done(struct tevent_req *subreq)
 }
 errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
+ struct sdap_options *opts,
 struct sss_domain_info *user_dom,
 struct sdap_idmap_ctx *idmap_ctx,
 size_t num_sids,
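Review bot: The new collision branch in the @@ -225 hunk replaces whichever group currently owns `gid`, and nothing in the hunk confirms that the evicted entry is itself an incomplete group; if `sdap_handle_id_collision_for_incomplete_groups` deletes by GID as the comment's first bullet reads, a duplicate gidNumber in the directory would evict a fully cached group and its memberships in favour of a fake one, so a DEBUG line naming `groupname` and `gid` before the helper call, and ideally a check in the helper that the existing entry is incomplete, would make such collisions diagnosable instead of silent. The comment also has a typo; it should read `/* In case of a group id-collision, do:`. The helper is handed `opts->dp` here but `idmap_ctx->id_ctx->be->provider` in the AD variant of the same patch; settling on one accessor keeps the two call sites in step. sdap_add_incomplete_groups starts and ends outside this hunk.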
@@ -921,6 +922,19 @@ errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
 ret = sysdb_add_incomplete_group(domain, name, gid, NULL, sid, NULL,
 false, now);
+ if (ret == ERR_GID_DUPLICATED) {
+ /* In case o group id-collision, do:
+ * - Delete the group from sysdb
+ * - Add the new incomplete group
+ * - Notify the NSS responder that the entry has also to be
+ * removed from the memory cache
+ */
+ ret = sdap_handle_id_collision_for_incomplete_groups(
+ idmap_ctx->id_ctx->be->provider,
+ domain, name, gid, NULL, sid, NULL,
+ false, now);
+ }
+
 if (ret != EOK) {
 DEBUG(SSSDBG_MINOR_FAILURE, "Could not create incomplete "
 "group: [%s]\n", strerror(ret));
@@ -992,6 +1006,7 @@ static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq)
 }
 ret = sdap_ad_save_group_membership_with_idmapping(state->username,
+ state->opts,
 state->domain,
 state->idmap_ctx,
 num_sids,
--
2.14.3
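Review bot: The `struct sdap_options *opts` parameter that this patch threads through the header, ad_pac.c and the @@ -1006 caller is not read anywhere in the visible hunks of sdap_ad_save_group_membership_with_idmapping; the collision helper instead takes its provider from `idmap_ctx->id_ctx->be->provider`, whereas the LDAP counterpart in sdap_async_initgroups.c passes `opts->dp`. Unless `opts` is used in a part of the function outside the hunk, either pass `opts->dp,` here so both call sites agree, or drop the new parameter and the plumbing added to feed it. The duplicated comment carries the same typo as the LDAP side and should read `/* In case of a group id-collision, do:`. The function's body continues past both ends of the hunk.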