summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/providers/ad/ad_id.c17
-rw-r--r--src/providers/ad/ad_subdomains.c8
2 files changed, 18 insertions, 7 deletions
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 9ee639a7..f09b9c6f 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -178,7 +178,6 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
struct sss_domain_info *dom, struct be_acct_req *ar)
{
struct sdap_id_conn_ctx **clist;
- int i=0;
/* LDAP, GC, sentinel */
clist = talloc_zero_array(breq, struct sdap_id_conn_ctx *, 3);
@@ -190,12 +189,18 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
case BE_REQ_USER_AND_GROUP: /* get SID */
case BE_REQ_GROUP: /* group */
case BE_REQ_INITGROUPS: /* init groups for user */
- if (ad_ctx->gc_ctx && IS_SUBDOMAIN(dom)) {
- clist[i] = ad_ctx->gc_ctx;
- i++;
- } else {
- clist[i] = ad_ctx->ldap_ctx;
+ /* Always try GC first */
+ clist[0] = ad_ctx->gc_ctx;
+ if (IS_SUBDOMAIN(dom) == true) {
+ /* Subdomain users are only present in GC. */
+ break;
}
+
+ /* With root domain users we have the option to
+ * fall back to LDAP in case ie POSIX attributes
+ * are used but not replicated to GC
+ */
+ clist[1] = ad_ctx->ldap_ctx;
break;
default:
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index f6d2eb81..d8e9b26c 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -25,6 +25,7 @@
#include "providers/ldap/sdap_async.h"
#include "providers/ad/ad_subdomains.h"
#include "providers/ad/ad_domain_info.h"
+#include "providers/ldap/sdap_idmap.h"
#include "util/util_sss_idmap.h"
#include <ctype.h>
#include <ndr.h>
@@ -108,6 +109,7 @@ ad_subdom_store(struct ad_subdomains_ctx *ctx,
struct ldb_message_element *el;
char *sid_str;
uint32_t trust_type;
+ bool mpg;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -158,9 +160,13 @@ ad_subdom_store(struct ad_subdomains_ctx *ctx,
goto done;
}
+ mpg = sdap_idmap_domain_has_algorithmic_mapping(
+ ctx->sdap_id_ctx->opts->idmap_ctx,
+ domain->domain_id);
+
/* AD subdomains are currently all mpg and do not enumerate */
ret = sysdb_subdomain_store(domain->sysdb, name, realm, flat, sid_str,
- true, false, NULL);
+ mpg, false, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("sysdb_subdomain_store failed.\n"));
goto done;