>From db1ccbbf7ed7763e261b25889608cb65a7afd62f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 24 Sep 2013 17:41:42 +0200
Subject: [PATCH 3/4] AD: talk to GC first even for local domain objects

Related: https://fedorahosted.org/sssd/ticket/2070

Since we are recommending to configure the POSIX attributes so that they are replicated to the Global Catalog, we can start connecting to the GC by default even for local users. If the object is not matches in the GC, there is a possibility to fall back to LDAP.
---
 src/providers/ad/ad_id.c | 17 +++++++++++------
 src/providers/ad/ad_subdomains.c | 8 +++++++-
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 9ee639a75c386045d7e80d8a80b1237b1383417e..f09b9c6fe239b9b602f53e8afce641a4d07be6e9 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -178,7 +178,6 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
 struct sss_domain_info *dom, struct be_acct_req *ar)
 {
 struct sdap_id_conn_ctx **clist;
- int i=0;
 
 /* LDAP, GC, sentinel */
 clist = talloc_zero_array(breq, struct sdap_id_conn_ctx *, 3);
@@ -190,12 +189,18 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
 case BE_REQ_USER_AND_GROUP: /* get SID */
 case BE_REQ_GROUP: /* group */
 case BE_REQ_INITGROUPS: /* init groups for user */
- if (ad_ctx->gc_ctx && IS_SUBDOMAIN(dom)) {
- clist[i] = ad_ctx->gc_ctx;
- i++;
- } else {
- clist[i] = ad_ctx->ldap_ctx;
+ /* Always try GC first */
+ clist[0] = ad_ctx->gc_ctx;
+ if (IS_SUBDOMAIN(dom) == true) {
+ /* Subdomain users are only present in GC. */
+ break;
 }
+
+ /* With root domain users we have the option to
+ * fall back to LDAP in case ie POSIX attributes
+ * are used but not replicated to GC
+ */
+ clist[1] = ad_ctx->ldap_ctx;
 break;
 
 default:
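Review bot: The second hunk (line 189 onward) drops the `ad_ctx->gc_ctx` NULL guard that the removed branch carried and stores the pointer into `clist[0]` unconditionally; if gc_ctx can be unset, the zero-initialised list then begins with its sentinel, the LDAP fallback placed in `clist[1]` is never reached, and root-domain lookups fail outright instead of falling back. If a missing GC context is a real state (the old condition suggests it was), handle it before the assignment, e.g. `if (ad_ctx->gc_ctx == NULL) { clist[0] = ad_ctx->ldap_ctx; break; }`, or fail with an explicit error rather than an empty connection list. Two smaller points: `IS_SUBDOMAIN(dom) == true` is a redundant comparison on a boolean, and the new comment's `ie` should read `i.e.`. get_conn_list begins before the hunk and its body continues past it.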
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index f6d2eb81024a282a59c56bafce3fd9ecaaa07e9a..d8e9b26c34bc18ca7340e1fdb8c27cdd196b099c 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -25,6 +25,7 @@
 #include "providers/ldap/sdap_async.h"
 #include "providers/ad/ad_subdomains.h"
 #include "providers/ad/ad_domain_info.h"
+#include "providers/ldap/sdap_idmap.h"
 #include "util/util_sss_idmap.h"
 #include
 #include
@@ -108,6 +109,7 @@ ad_subdom_store(struct ad_subdomains_ctx *ctx,
 struct ldb_message_element *el;
 char *sid_str;
 uint32_t trust_type;
+ bool mpg;
 
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
@@ -158,9 +160,13 @@ ad_subdom_store(struct ad_subdomains_ctx *ctx,
 goto done;
 }
 
+ mpg = sdap_idmap_domain_has_algorithmic_mapping(
+ ctx->sdap_id_ctx->opts->idmap_ctx,
+ domain->domain_id);
+
 /* AD subdomains are currently all mpg and do not enumerate */
 ret = sysdb_subdomain_store(domain->sysdb, name, realm, flat, sid_str,
- true, false, NULL);
+ mpg, false, NULL);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, ("sysdb_subdomain_store failed.\n"));
 goto done;
-- 
1.8.3.1
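Review bot: The new `mpg` computation in the third hunk passes `domain->domain_id`, yet `domain` appears to be the parent domain here (its sysdb is where the subdomain is stored, and the subdomain's own SID is the local `sid_str`), so the MPG decision for every trusted domain would follow the parent's ID-mapping setting rather than the subdomain's; if sdap_idmap_domain_has_algorithmic_mapping takes a SID string, `domain->domain_id` should probably be `sid_str` — please confirm against its declaration, which is not visible in this hunk. This matters because mpg decides whether subdomain users get algorithmic private groups or POSIX-attribute GIDs, so a trusted domain configured without algorithmic mapping is the case to test. The comment `/* AD subdomains are currently all mpg and do not enumerate */` on the following line is now stale since mpg is computed; suggest `/* mpg follows whether ID mapping is algorithmic for this domain; AD subdomains still do not enumerate */`. ad_subdom_store begins before the hunk and continues past it.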