diff options
-rw-r--r-- | src/providers/ad/ad_id.c | 17 | ||||
-rw-r--r-- | src/providers/ad/ad_subdomains.c | 8 |
2 files changed, 18 insertions, 7 deletions
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c index 9ee639a7..f09b9c6f 100644 --- a/src/providers/ad/ad_id.c +++ b/src/providers/ad/ad_id.c @@ -178,7 +178,6 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom, struct be_acct_req *ar) { struct sdap_id_conn_ctx **clist; - int i=0; /* LDAP, GC, sentinel */ clist = talloc_zero_array(breq, struct sdap_id_conn_ctx *, 3); @@ -190,12 +189,18 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx, case BE_REQ_USER_AND_GROUP: /* get SID */ case BE_REQ_GROUP: /* group */ case BE_REQ_INITGROUPS: /* init groups for user */ - if (ad_ctx->gc_ctx && IS_SUBDOMAIN(dom)) { - clist[i] = ad_ctx->gc_ctx; - i++; - } else { - clist[i] = ad_ctx->ldap_ctx; + /* Always try GC first */ + clist[0] = ad_ctx->gc_ctx; + if (IS_SUBDOMAIN(dom) == true) { + /* Subdomain users are only present in GC. */ + break; } + + /* With root domain users we have the option to + * fall back to LDAP in case ie POSIX attributes + * are used but not replicated to GC + */ + clist[1] = ad_ctx->ldap_ctx; break; default: diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c index f6d2eb81..d8e9b26c 100644 --- a/src/providers/ad/ad_subdomains.c +++ b/src/providers/ad/ad_subdomains.c @@ -25,6 +25,7 @@ #include "providers/ldap/sdap_async.h" #include "providers/ad/ad_subdomains.h" #include "providers/ad/ad_domain_info.h" +#include "providers/ldap/sdap_idmap.h" #include "util/util_sss_idmap.h" #include <ctype.h> #include <ndr.h> @@ -108,6 +109,7 @@ ad_subdom_store(struct ad_subdomains_ctx *ctx, struct ldb_message_element *el; char *sid_str; uint32_t trust_type; + bool mpg; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { @@ -158,9 +160,13 @@ ad_subdom_store(struct ad_subdomains_ctx *ctx, goto done; } + mpg = sdap_idmap_domain_has_algorithmic_mapping( + ctx->sdap_id_ctx->opts->idmap_ctx, + domain->domain_id); + /* AD subdomains are currently all mpg and do not enumerate */ ret = sysdb_subdomain_store(domain->sysdb, name, realm, flat, sid_str, - true, false, NULL); + mpg, false, NULL); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("sysdb_subdomain_store failed.\n")); goto done; |