sssd/0077-IPA-do-initgroups-if-extdom-exop-supports-it.patch


From 24905d4ecbf210687e385449448f5a5ec97d2833 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 28 Apr 2015 17:18:48 +0200
Subject: [PATCH 77/99] IPA: do initgroups if extdom exop supports it
Newer versions of the extdom plugin return the full list of
group-memberships during a user lookup request. With these versions there
is no need to reject an initgroups request for sub/trusted-domain users
anymore. This is e.g. useful for callers which call getgrouplist()
directly without calling getpwnam() before. Additionally it helps if for
some reason the lifetime of the user entry and the lifetime of the
initgroups data are different.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e87badc0f6fb20a443cf12bde9582ecbc2aef727)
---
src/providers/ipa/ipa_s2n_exop.c | 3 ---
src/providers/ipa/ipa_subdomains.h | 4 ++++
src/providers/ipa/ipa_subdomains_id.c | 24 +++++++++++++++++-------
3 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index d07923cffb49bbfeb7d500f281b1a2aff547ed1c..3830a2b4b0a82f056b0992c260bef6fe718c10da 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -50,9 +50,6 @@ enum response_types {
};
/* ==Sid2Name Extended Operation============================================= */
-#define EXOP_SID2NAME_OID "2.16.840.1.113730.3.8.10.4"
-#define EXOP_SID2NAME_V1_OID "2.16.840.1.113730.3.8.10.4.1"
-
struct ipa_s2n_exop_state {
struct sdap_handle *sh;
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
index ceb862226b504bca6c9c596554fb88e6df1d51c3..9b179792dcab7ea935fa7159ca879d12b561a55f 100644
--- a/src/providers/ipa/ipa_subdomains.h
+++ b/src/providers/ipa/ipa_subdomains.h
@@ -28,6 +28,10 @@
#include "providers/dp_backend.h"
#include "providers/ipa/ipa_common.h"
+/* ==Sid2Name Extended Operation============================================= */
+#define EXOP_SID2NAME_OID "2.16.840.1.113730.3.8.10.4"
+#define EXOP_SID2NAME_V1_OID "2.16.840.1.113730.3.8.10.4.1"
+
struct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx);
const char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx,
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 15776d2e13af158058a874f761671a5801cf3d6a..1253510dcb8523c19d879d4351ffa07995f161f7 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -386,15 +386,9 @@ struct tevent_req *ipa_get_subdom_acct_send(TALLOC_CTX *memctx,
case BE_REQ_GROUP:
case BE_REQ_BY_SECID:
case BE_REQ_USER_AND_GROUP:
+ case BE_REQ_INITGROUPS:
ret = EOK;
break;
- case BE_REQ_INITGROUPS:
- ret = ENOTSUP;
- DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \
- "by the IPA provider but are resolved " \
- "by the responder directly from the " \
- "cache.\n");
- break;
default:
ret = EINVAL;
DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain request type.\n");
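Review bot: The `BE_REQ_INITGROUPS` label now sits in the `ret = EOK` group with nothing to say that acceptance is still conditional, and the removed DEBUG text was the only explanation at this spot. A short comment on the case would keep the switch readable, for example `/* accepted here; rejected with ENOTSUP in ipa_get_subdom_acct_connected() when the server lacks the V1 extdom exop */`. It is also worth confirming that callers which relied on an immediate ENOTSUP from the send function still behave correctly now that the rejection appears to come only after the connection step. The switch and the rest of ipa_get_subdom_acct_send lie outside the hunk.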
@@ -434,6 +428,22 @@ static void ipa_get_subdom_acct_connected(struct tevent_req *subreq)
return;
}
+ if (state->entry_type == BE_REQ_INITGROUPS) {
+ /* With V1 of the extdom plugin a user lookup will resolve the full
+ * group membership of the user. */
+ if (sdap_is_extension_supported(sdap_id_op_handle(state->op),
+ EXOP_SID2NAME_V1_OID)) {
+ state->entry_type = BE_REQ_USER;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \
+ "by the IPA provider but are resolved " \
+ "by the responder directly from the " \
+ "cache.\n");
+ tevent_req_error(req, ENOTSUP);
+ return;
+ }
+ }
+
req_input = talloc(state, struct req_input);
if (req_input == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n");
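Review bot: Overwriting `state->entry_type` with `BE_REQ_USER` in the new `BE_REQ_INITGROUPS` branch discards the fact that the caller asked for initgroups, so nothing after this point can tell whether the user lookup actually delivered the group list. Group membership resolved on this path presumably feeds access decisions, and the only evidence that it is complete is the server advertising `EXOP_SID2NAME_V1_OID`. If this callback can run again after a reconnect to a server without V1 (not visible in the hunk), the request would already be a plain user lookup and would skip the ENOTSUP fallback. Consider keeping the original type in a separate state field and deriving the lookup type locally, or at least extending the comment: `/* entry_type is rewritten on purpose: from here on this is a user lookup that relies on the V1 reply carrying all group memberships */`. The body of ipa_get_subdom_acct_connected starts and ends outside the hunk.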
--
2.4.0