>From 337439ce4f30b5c4d020b1b56f955aad12d2bda2 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 5 Mar 2014 11:50:54 +0100
Subject: [PATCH 1/2] AD: Only connect to GC for subdomain users
https://fedorahosted.org/sssd/ticket/2251
By connecting to GC for users from both trusted domains and parent domain, we lose the ability to download the shell and homedir if these are used with ID mapping. This patch changes the user lookups only. Changing the logic for all lookups would break cross-domain group memberships, for example.
---
 src/providers/ad/ad_id.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 481534e6d98bc76a52e9f40db6b0779331620b34..e68c8a8ff9e6960a0bf4f67dea34ed70cc31bcbf 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -215,9 +215,26 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
               struct sss_domain_info *dom, struct be_acct_req *ar)
 {
     struct sdap_id_conn_ctx **clist;
+    int cindex = 0;
     switch (ar->entry_type & BE_REQ_TYPE_MASK) {
     case BE_REQ_USER: /* user */
+        clist = talloc_zero_array(ad_ctx, struct sdap_id_conn_ctx *, 3);
+        if (clist == NULL) return NULL;
+
+        /* Try GC first for users from trusted domains */
+        if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)
+            && IS_SUBDOMAIN(dom)) {
+            clist[cindex] = ad_ctx->gc_ctx;
+            clist[cindex]->ignore_mark_offline = true;
+            cindex++;
+        }
+
+        /* Users from primary domain can be just downloaded from LDAP.
+         * The domain's LDAP connection also works as a fallback
+         */
+        clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom);
+
         break;
     case BE_REQ_BY_SECID: /* by SID */
     case BE_REQ_USER_AND_GROUP: /* get SID */
     case BE_REQ_GROUP: /* group */
--
1.8.5.3
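Review bot: The value returned by `ad_get_dom_ldap_conn(ad_ctx, dom)` is stored into `clist[cindex]` without a check, whereas the `talloc_zero_array` failure two lines earlier is reported; if that helper can return NULL, the zero-filled array then ends early and the user lookup silently runs with a shorter (or, when the GC branch was skipped, empty) connection list instead of failing. If NULL is possible there, follow the allocator's pattern: `if (clist[cindex] == NULL) { talloc_free(clist); return NULL; }`. The array length `3` would also read better with a comment naming the slots, `/* GC, domain LDAP, NULL terminator */`, and a short note that `ignore_mark_offline` is being set on the shared `ad_ctx->gc_ctx` rather than on a per-request copy, since that flag presumably persists beyond this call — worth confirming. get_conn_list continues outside the hunk.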