author | Sumit Bose <sbose@redhat.com> | 2013-08-14 16:55:34 +0200 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-08-19 12:53:49 +0200 |
commit | 8cdb9b9824d3fcc2448544d67544496f55b8d393 (patch) | |
tree | 2f6f2d938b8b104034af5aa28491e79331cab8e8 /src | |
parent | 85089c1037f00c87a29f72647ece37a3b2b6481b (diff) | |
sdap_save_user: save original primary GID of subdomain users
If ID mapping is enabled we use magic private groups (MPG) for
subdomains, i.e. the UID and the primary GID of the user will have the
same numerical value. As a consequence the information about the
original primary group might get lost because neither in AD domains nor
on a typical UNIX system the user is an explicit member of its primary
group.
With this patch the mapped GID of the original primary group is saved in
the cached user object under a new attribute.
Fixes https://fedorahosted.org/sssd/ticket/2027
Diffstat (limited to 'src')
-rw-r--r-- | src/db/sysdb.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_users.c | 33 |
2 files changed, 23 insertions, 11 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 7045edf7..53fb8603 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -105,6 +105,7 @@
 #define SYSDB_UUID "uniqueID"
 #define SYSDB_SID "objectSID"
 #define SYSDB_PRIMARY_GROUP "ADPrimaryGroupID"
+#define SYSDB_PRIMARY_GROUP_GIDNUM "origPrimaryGroupGidNumber"
 #define SYSDB_SID_STR "objectSIDString"
 #define SYSDB_UPN "userPrincipalName"
 #define SYSDB_CCACHE_FILE "ccacheFile"
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 07ddb622..353dc399 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -269,19 +269,30 @@ int sdap_save_user(TALLOC_CTX *memctx,
     }
     if (use_id_mapping) {
-        if (IS_SUBDOMAIN(dom) == false) {
-            ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str,
-                                             &gid);
-            if (ret) {
-                DEBUG(SSSDBG_CRIT_FAILURE,
-                      ("Cannot get the GID for [%s] in domain [%s].\n",
-                       user_name, dom->name));
-                goto done;
-            }
-        } else {
+        ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str,
+                                         &gid);
+        if (ret) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  ("Cannot get the GID for [%s] in domain [%s].\n",
+                   user_name, dom->name));
+            goto done;
+        }
+
+        if (IS_SUBDOMAIN(dom)) {
             /* For subdomain users, only create the private group as
-             * the subdomain is an MPG domain
+             * the subdomain is an MPG domain.
+             * But we have to save the GID of the original primary group
+             * becasuse otherwise this information might be lost because
+             * typically (Unix and AD) the user is not listed in his primary
+             * group as a member.
              */
+            ret = sysdb_attrs_add_uint32(user_attrs, SYSDB_PRIMARY_GROUP_GIDNUM,
+                                         (uint32_t) gid);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_uint32 failed.\n"));
+                goto done;
+            }
+            gid = 0;
         }
|
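Review bot: The new SYSDB_PRIMARY_GROUP_GIDNUM define in sysdb.h carries no comment, so a reader cannot tell how "origPrimaryGroupGidNumber" differs from SYSDB_PRIMARY_GROUP ("ADPrimaryGroupID") directly above it. From the commit message it holds the ID-mapped numeric GID of the user's original primary group and is only written for users of MPG subdomains when ID mapping is enabled, which is worth stating where the attribute name is declared. A one-line comment above the define such as `/* ID-mapped GID of the user's original primary group; set only for subdomain (MPG) users when ID mapping is enabled */` would document that.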
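Review bot: A failing sdap_get_idmap_primary_gid() is now fatal for subdomain users as well, because the call and its `goto done` were hoisted above the IS_SUBDOMAIN(dom) check that previously skipped it for subdomains; a subdomain user whose primary-group attribute cannot be read or mapped is therefore no longer cached at all, even though in an MPG domain the value only ends up in the auxiliary SYSDB_PRIMARY_GROUP_GIDNUM attribute and the effective GID is still the private group. If that stricter behaviour is not intended, consider logging at a lower severity in the subdomain case and continuing with `gid = 0;` without adding the attribute, so the user entry is still saved. The added comment also has a typo and a doubled "because": `becasuse` → `because`, e.g. `* But we have to save the GID of the original primary group, because otherwise this information is lost: typically (Unix and AD) the user is not listed as a member of its primary group.` sdap_save_user() starts and ends outside the hunk.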