authorSumit Bose <sbose@redhat.com>2012-11-26 22:16:49 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-01-08 14:42:56 +0100
commit6b2c6d2818804bbfd142346d6034d160560bae14 (patch)
tree5d9d35119dbb8d6a113da2e3919c9af2a6b9a461 /src/responder
parentf34ea77a5b87e778ece155485c36e756d5137686 (diff)
Read remote groups from PAC
Read the user's group memberships in the remote domain (the domain the user belongs to) from the PAC and add them to the cache. Fixes: https://fedorahosted.org/sssd/ticket/1666
Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/pac/pacsrv_utils.c55
1 files changed, 52 insertions, 3 deletions
diff --git a/src/responder/pac/pacsrv_utils.c b/src/responder/pac/pacsrv_utils.c
index 217e27ab..2daced2b 100644
--- a/src/responder/pac/pacsrv_utils.c
+++ b/src/responder/pac/pacsrv_utils.c
@@ -437,8 +437,9 @@ errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
struct netr_SamInfo3 *info3;
struct pac_grp *gids = NULL;
struct sss_domain_info *grp_dom;
- char *sid_str;
+ char *sid_str = NULL;
enum idmap_error_code err;
+ struct dom_sid *grp_sid = NULL;
if (pac_ctx == NULL || range_map == NULL || domain_sid == NULL ||
logon_info == NULL || _gid_count == NULL || _gids == NULL) {
@@ -448,13 +449,14 @@ errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
info3 = &logon_info->info3;
- if (info3->sidcount == 0) {
+ if (info3->sidcount == 0 && info3->base.groups.count == 0) {
DEBUG(SSSDBG_TRACE_ALL, ("No extra groups found.\n"));
ret = EOK;
goto done;
}
- gids = talloc_zero_array(mem_ctx, struct pac_grp, info3->sidcount);
+ gids = talloc_zero_array(mem_ctx, struct pac_grp,
+ info3->sidcount + info3->base.groups.count);
if (gids == NULL) {
DEBUG(SSSDBG_OP_FAILURE, ("talloc_array failed.\n"));
ret = ENOMEM;
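Review bot: The element count `info3->sidcount + info3->base.groups.count` passed to talloc_zero_array is computed in 32-bit unsigned arithmetic from two PAC-supplied counts, so a sum that wraps would yield an undersized array that the later loops index up to both counts; the NDR pull step presumably bounds each count by the blob length, so this looks defensive rather than exploitable as far as the hunk shows, but a one-line guard before the allocation is cheap: `if (info3->base.groups.count > UINT32_MAX - info3->sidcount) { ret = EINVAL; goto done; }`. The same pattern of extending a structure from a PAC-derived value without a capacity check recurs in the third hunk, where `grp_sid->num_auths++` appends one sub-authority to the domain SID without confirming it fits the fixed-size `sub_auths` array of `struct dom_sid` (15 entries if this is Samba's layout), so a guard such as `if (grp_sid->num_auths >= (int)(sizeof(grp_sid->sub_auths) / sizeof(grp_sid->sub_auths[0]))) { ret = EINVAL; goto done; }` before the increment would close that off as well. get_gids_from_pac starts before this hunk and continues past it.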
@@ -492,9 +494,56 @@ errno_t get_gids_from_pac(TALLOC_CTX *mem_ctx,
}
}
+ talloc_zfree(sid_str);
+ err = sss_idmap_smb_sid_to_sid(pac_ctx->idmap_ctx, info3->base.domain_sid,
+ &sid_str);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_idmap_smb_sid_to_sid failed.\n"));
+ ret = EFAULT;
+ goto done;
+ }
+
+ grp_dom = find_domain_by_id(pac_ctx->rctx->domains, sid_str);
+ if (grp_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("find_domain_by_id failed.\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
+ err = sss_idmap_sid_to_smb_sid(pac_ctx->idmap_ctx, sid_str, &grp_sid);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sss_idmap_sid_to_smb_sid failed.\n"));
+ ret = EFAULT;
+ goto done;
+ }
+
+ grp_sid->num_auths++;
+
+ for (s = 0; s < info3->base.groups.count; s++) {
+ grp_sid->sub_auths[grp_sid->num_auths - 1] =
+ info3->base.groups.rids[s].rid;
+ err = sss_idmap_smb_sid_to_unix(pac_ctx->idmap_ctx, grp_sid,
+ &gids[g].gid);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("sss_idmap_smb_sid_to_unix failed for"
+ "[%s] [%d].\n", sid_str,
+ info3->base.groups.rids[s].rid));
+ ret = ENOENT;
+ goto done;
+ }
+
+ gids[g].grp_dom = grp_dom;
+ DEBUG(SSSDBG_TRACE_ALL, ("Found extra group "
+ "with gid [%d].\n", gids[g].gid));
+ g++;
+ }
+
ret = EOK;
done:
+ talloc_free(sid_str);
+ talloc_free(grp_sid);
+
if (ret == EOK) {
*_gid_count = g;
*_gids = gids;