summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2013-08-14 16:55:34 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-08-19 12:53:49 +0200
commit8cdb9b9824d3fcc2448544d67544496f55b8d393 (patch)
tree2f6f2d938b8b104034af5aa28491e79331cab8e8 /src
parent85089c1037f00c87a29f72647ece37a3b2b6481b (diff)
downloadsssd-8cdb9b9824d3fcc2448544d67544496f55b8d393.tar.gz
sssd-8cdb9b9824d3fcc2448544d67544496f55b8d393.tar.bz2
sssd-8cdb9b9824d3fcc2448544d67544496f55b8d393.zip
sdap_save_user: save original primary GID of subdomain users
If ID mapping is enabled we use magic private groups (MPG) for subdomains, i.e. the UID and the primary GID of the user will have the same numerical value. As a consequence the information about the original primary group might get lost because neither in AD domains nor on a typical UNIX system the user is an explicit member of it's primary group. With this patch the mapped GID or the original primary group is saved in the cached user object under a new attribute. Fixes https://fedorahosted.org/sssd/ticket/2027
Diffstat (limited to 'src')
-rw-r--r--src/db/sysdb.h1
-rw-r--r--src/providers/ldap/sdap_async_users.c33
2 files changed, 23 insertions, 11 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 7045edf7..53fb8603 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -105,6 +105,7 @@
#define SYSDB_UUID "uniqueID"
#define SYSDB_SID "objectSID"
#define SYSDB_PRIMARY_GROUP "ADPrimaryGroupID"
+#define SYSDB_PRIMARY_GROUP_GIDNUM "origPrimaryGroupGidNumber"
#define SYSDB_SID_STR "objectSIDString"
#define SYSDB_UPN "userPrincipalName"
#define SYSDB_CCACHE_FILE "ccacheFile"
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 07ddb622..353dc399 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -269,19 +269,30 @@ int sdap_save_user(TALLOC_CTX *memctx,
}
if (use_id_mapping) {
- if (IS_SUBDOMAIN(dom) == false) {
- ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str,
- &gid);
- if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("Cannot get the GID for [%s] in domain [%s].\n",
- user_name, dom->name));
- goto done;
- }
- } else {
+ ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str,
+ &gid);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Cannot get the GID for [%s] in domain [%s].\n",
+ user_name, dom->name));
+ goto done;
+ }
+
+ if (IS_SUBDOMAIN(dom)) {
/* For subdomain users, only create the private group as
- * the subdomain is an MPG domain
+ * the subdomain is an MPG domain.
+ * But we have to save the GID of the original primary group
+ * becasuse otherwise this information might be lost because
+ * typically (Unix and AD) the user is not listed in his primary
+ * group as a member.
*/
+ ret = sysdb_attrs_add_uint32(user_attrs, SYSDB_PRIMARY_GROUP_GIDNUM,
+ (uint32_t) gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_uint32 failed.\n"));
+ goto done;
+ }
+
gid = 0;
}