On Tue, Apr 14, 2015 at 10:31:57PM -0400, Stephen Gallagher wrote:
Patch 0001: AD: Clean up ad_access_gpo
Just a minor cleanup to ad_gpo_access_send to adhere to our tevent
conventions. This is purely for aesthetic and maintainability reasons;
it has no functional effect.
Patch 0002: AD: Always get domain-specific ID connection
This one is a little tricky. It turns out that in some circumstances,
ad_ctx->ldap_ctx may actually be pointing at a subdomain rather than
the enrolled domain. I don't know the reasons for this (and it appears
to be a race-condition, because I could only get it to happen if I was
quick to test logins right after restarting SSSD). However, the fix is
fairly straightforward: sdap_domain_get()->pvt->ldap_ctx always
provides the real ldap_ctx for the requested domain (either the
enrolled domain or any of the trusted domains). The IS_SUBDOMAIN()
check and shortcut to ad_ctx->ldap_ctx was unnecessary and (thanks to
the odd race) incorrect. This patch removes this conditional shortcut
and forces us to get the correct ldap_ctx. This proved to be the last
piece necessary to get Patch 0003 to work.
Patch 0003: AD GPO: Always look up GPOs from machine domain
When dealing with users from a child domain, SSSD was attempting to use
the subdomain for lookups. However, all GPOs applicable to this machine
are stored in the primary domain (the domain the host directly joined).
This patch has the GPO processing use the primary domain instead of the
user domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2606
From 39a0dc5dd670cb251e3c9a3b35aca9dbb2ede061 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh(a)redhat.com>
Date: Tue, 14 Apr 2015 13:07:36 -0400
Subject: [PATCH 1/3] AD: Clean up ad_access_gpo
ACK
From 5e57bf4e92fd898a1879dc773c7a380b1f96b7ad Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh(a)redhat.com>
Date: Tue, 14 Apr 2015 21:50:36 -0400
Subject: [PATCH 2/3] AD: Always get domain-specific ID connection
I tested this patch by requesting users and groups from two different AD
subdomains, both with and without GC support. I didn't see any
regressions and the patch looks good to me as well.
If other developers have more ideas what to test, I'll be glad to do more
testing, but for now:
ACK
From a3811325ff351520528ed01693ebba0481feab6a Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh(a)redhat.com>
Date: Fri, 10 Apr 2015 16:34:37 -0400
Subject: [PATCH 3/3] AD GPO: Always look up GPOs from machine domain
When dealing with users from a child domain, SSSD was attempting to use
the subdomain for lookups. However, all GPOs applicable to this machine
are stored in the primary domain (the domain the host directly joined).
This patch has the GPO processing use the primary domain instead of the
user domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2606
Makes sense and the GPO code no longer returns System Error.
ACK
Thanks again for helping us fix this bug!