From 1afff677f7bca2ae267579bfeaf24b6879cc4803 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 22 Apr 2015 16:57:37 +0200
Subject: [PATCH] IPA: allow initgroups by SID for AD users

If a user from a trusted AD domain is search with the help of an override name the SID from the override anchor is used to search the user in AD. Currently the initgroups request only allows searches by name. With this patch a SID can be used as well.

Resolves https://fedorahosted.org/sssd/ticket/2632
---
 src/db/sysdb_search.c | 24 ++++++++++++++++--------
 src/providers/data_provider.h | 1 +
 src/providers/ipa/ipa_subdomains_id.c | 13 +++++++++++++
 src/providers/ldap/ldap_id.c | 15 +++++++++++++--
 src/providers/ldap/sdap_async_initgroups.c | 2 ++
 5 files changed, 45 insertions(+), 10 deletions(-)

diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 7acefcedd5c32ad0f3b12d3a9c32f20ea8c9f890..39b3abb557ef7d2ce153c4e2765e06e3253f5800 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1581,7 +1581,7 @@ done:
 errno_t sysdb_get_real_name(TALLOC_CTX *mem_ctx,
 struct sss_domain_info *domain,
- const char *name_or_upn,
+ const char *name_or_upn_or_sid,
 const char **_cname)
 {
 errno_t ret;
@@ -1595,20 +1595,28 @@ errno_t sysdb_get_real_name(TALLOC_CTX *mem_ctx,
 return ENOMEM;
 }
- ret = sysdb_getpwnam(tmp_ctx, domain, name_or_upn, &res);
+ ret = sysdb_getpwnam(tmp_ctx, domain, name_or_upn_or_sid, &res);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "Cannot canonicalize username\n");
 goto done;
 }
 if (res->count == 0) {
- ret = sysdb_search_user_by_upn(tmp_ctx, domain, name_or_upn, NULL,
- &msg);
+ ret = sysdb_search_user_by_upn(tmp_ctx, domain, name_or_upn_or_sid,
+ NULL, &msg);
 if (ret != EOK) {
- /* User cannot be found in cache */
- DEBUG(SSSDBG_OP_FAILURE, "Cannot find user [%s] in cache\n",
- name_or_upn);
- goto done;
+ if (ret == ENOENT) {
+ ret = sysdb_search_user_by_sid_str(tmp_ctx, domain,
+ name_or_upn_or_sid, NULL,
+ &msg);
+ }
+
+ if (ret != EOK) {
+ /* User cannot be found in cache */
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot find user [%s] in cache\n",
+ name_or_upn_or_sid);
+ goto done;
+ }
 }
 } else if (res->count == 1) {
 msg = res->msgs[0];
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 5df493e9d1ae21ada6f5fd6198a6d9c36680d044..89fb06a0d6f791a8ae50f9d8b4b69d6176912c6c 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -150,6 +150,7 @@
 #define DP_SEC_ID_LEN (sizeof(DP_SEC_ID) - 1)
 #define EXTRA_NAME_IS_UPN "U"
+#define EXTRA_NAME_IS_SID "S"
 #define EXTRA_INPUT_MAYBE_WITH_VIEW "V"
 /* AUTH related common data and functions */
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 0508e14b690c144f4bace9ed14a326ac724eb910..15776d2e13af158058a874f761671a5801cf3d6a 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -201,6 +201,7 @@ static void ipa_subdomain_account_got_override(struct tevent_req *subreq)
 }
 if (state->override_attrs != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Processing override.\n");
 ret = sysdb_attrs_get_string(state->override_attrs,
 SYSDB_OVERRIDE_ANCHOR_UUID,
 &anchor);
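Review bot: sysdb_get_real_name now accepts a SID string as well, but the diffstat lists no header, so the prototype and any doc comment declaring this function presumably still describe the parameter as name_or_upn and should be updated to match the new name and contract. The lookup order is fixed by the code — name first, then UPN, then SID string, first hit wins — and the SID fallback runs only when sysdb_search_user_by_upn returns ENOENT, so any other error from that call is still propagated, which is correct; a comment above the `res->count == 0` branch such as `/* Try name, then UPN, then SID string; the first match wins */` would make the order explicit for callers. The enclosing function continues outside the hunk.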
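Review bot: The new EXTRA_NAME_IS_SID marker is undocumented, like its neighbours; since these single-letter strings are matched with strcmp in the providers to decide how filter_value is interpreted, a one-line comment on the group such as `/* extra_value markers: how the provider should interpret filter_value */` would help readers coming from the LDAP side.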
@@ -219,6 +220,16 @@ static void ipa_subdomain_account_got_override(struct tevent_req *subreq)
 DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n");
 goto fail;
 }
+
+ if (state->ipa_server_mode
+ && (state->ar->entry_type & BE_REQ_TYPE_MASK)
+ == BE_REQ_INITGROUPS) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Switching back to BE_REQ_INITGROUPS.\n");
+ ar->entry_type = BE_REQ_INITGROUPS;
+ ar->filter_type = BE_FILTER_SECID;
+ ar->attr_type = BE_ATTR_CORE;
+ }
 } else {
 DEBUG(SSSDBG_CRIT_FAILURE,
 "Unsupported override anchor type [%s].\n", anchor);
@@ -1125,6 +1136,8 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
 /* Replace ID with name in search filter */
 if ((entry_type == BE_REQ_USER && state->ar->filter_type == BE_FILTER_IDNUM)
+ || (entry_type == BE_REQ_INITGROUPS
+ && state->ar->filter_type == BE_FILTER_SECID)
 || entry_type == BE_REQ_BY_SECID) {
 if (state->obj_msg == NULL) {
 ret = get_object_from_cache(state, state->obj_dom, state->ar,
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 642ae5c2930f07bca63d92f6c293e3b6aa6bda50..d65bd5f6ac929ecce2e6e5bbbba5edb2fce01f14 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1392,7 +1392,8 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
 break;
 case BE_REQ_INITGROUPS: /* init groups for user */
- if (ar->filter_type != BE_FILTER_NAME) {
+ if (ar->filter_type != BE_FILTER_NAME
+ && ar->filter_type != BE_FILTER_SECID) {
 ret = EINVAL;
 state->err = "Invalid filter type";
 goto done;
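Review bot: The switch-back block tests the original request with `(state->ar->entry_type & BE_REQ_TYPE_MASK)` but then assigns `ar->entry_type = BE_REQ_INITGROUPS;` to the request built by get_be_acct_req_for_sid, so any bits of the original entry_type outside the mask are not carried over; the mask comparison implies such bits can exist. If they matter on this path, `ar->entry_type = BE_REQ_INITGROUPS | (state->ar->entry_type & ~BE_REQ_TYPE_MASK);` preserves them, and if they are known not to matter here a short comment saying so would settle it. The block also does not say why the switch-back is limited to ipa_server_mode, leaving the client-mode request as a BE_REQ_BY_SECID lookup; a one-line comment giving that reason belongs above the `if`. The enclosing function starts and ends outside the hunk.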
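Review bot: The context comment `/* Replace ID with name in search filter */` no longer describes the condition, which now also covers an initgroups request carrying a SID filter; rewording it to `/* Replace ID or SID with name in search filter */` keeps it accurate. The new branch relies on get_object_from_cache resolving a BE_REQ_INITGROUPS request with BE_FILTER_SECID, which is outside this hunk and presumably follows the BE_REQ_BY_SECID handling, so that is worth confirming. The enclosing function starts and ends outside the hunk.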
@@ -1402,11 +1403,21 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
 state->err = "Invalid attr type";
 goto done;
 }
+ if (ar->filter_type == BE_FILTER_SECID && ar->extra_value != NULL
+ && strcmp(ar->extra_value, EXTRA_NAME_IS_SID) != 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unexpected extra value [%s] for BE_FILTER_SECID.\n",
+ ar->extra_value);
+ ret = EINVAL;
+ state->err = "Invalid extra value";
+ goto done;
+ }
 subreq = groups_by_user_send(state, be_ctx->ev, id_ctx, sdom, conn,
 ar->filter_value,
- ar->extra_value,
+ (ar->filter_type == BE_FILTER_SECID)
+ ? EXTRA_NAME_IS_SID : ar->extra_value,
 noexist_delete);
 break;
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index ae617b9c4c6899d0b85dcc4c4b6b971d0f235b88..5c5be5eabd7006b457291062519cdad9626f13fa 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2716,6 +2716,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
 if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
 search_attr = state->opts->user_map[SDAP_AT_USER_PRINC].name;
+ } else if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_SID) == 0) {
+ search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
 } else {
 search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
 }
--
2.1.0
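Review bot: The new validation block and the ternary passed to groups_by_user_send encode the same rule twice; once the check has passed, extra_value for a BE_FILTER_SECID request is either NULL or EXTRA_NAME_IS_SID, so the ternary exists only to normalise the NULL case. Resolving the marker once into a local before the call, `const char *extra = (ar->filter_type == BE_FILTER_SECID) ? EXTRA_NAME_IS_SID : ar->extra_value;`, and passing `extra` keeps the two in step and shortens the call. The widened filter-type check in the preceding hunk is what lets BE_FILTER_SECID reach this point; for BE_FILTER_NAME, extra_value is still passed through without any such validation, which is pre-existing. The function sdap_handle_acct_req_send starts and ends outside the hunk.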
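Review bot: The new branch takes search_attr from user_map[SDAP_AT_USER_OBJECTSID].name without checking the result; whether that map entry has a non-NULL default for every schema sdap_get_initgr_send can be used with is not visible here, and the UPN branch above follows the same unchecked pattern, so either confirm the map guarantees it or fail the request with an error when search_attr is NULL. The SID string now becomes the value searched under this attribute, so the sanitisation of the search value that the name path already needs, which happens outside the hunk, should be confirmed to apply to the SID branch as well. The enclosing function starts and ends outside the hunk.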