From f6bc534c6b82445e5e29a1e80768657c06d0557b Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 18 Feb 2016 13:03:44 +0100 Subject: [PATCH 1/2] IPA: lookup idview name even if there is no master domain record Currently the IPA subdomain provider returns with a error if there is no master domain record found. Since this record contains data which is only needed to create a trust with AD, like e.g. the IPA domain SID, this record is only created by ipa-adtrust-install. But the idview name is read after the master domain record. To make the idview feature work with a plain FreeIPA setup without running ipa-adtrust-install the missing master domain record should be handled gracefully and the following lookup should run as well. Resolves https://fedorahosted.org/sssd/ticket/2960 --- src/providers/ipa/ipa_subdomains.c | 80 +++++++++++++++++++++----------------- 1 file changed, 44 insertions(+), 36 deletions(-) diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c index 8bbbad0ab6d12179d34402ab8ebff2a1b782760c..20b1c9cbff874e9f02f5db1cd0fcf6f9cfd746fc 100644 --- a/src/providers/ipa/ipa_subdomains.c +++ b/src/providers/ipa/ipa_subdomains.c @@ -1219,6 +1219,9 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req) size_t reply_count = 0; struct sysdb_attrs **reply = NULL; struct ipa_subdomains_req_ctx *ctx; + const char *flat = NULL; + const char *id = NULL; + const char *realm = NULL; ctx = tevent_req_callback_data(req, struct ipa_subdomains_req_ctx); @@ -1230,10 +1233,6 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req) } if (reply_count) { - const char *flat = NULL; - const char *id = NULL; - const char *realm; - ret = sysdb_attrs_get_string(reply[0], IPA_FLATNAME, &flat); if (ret != EOK) { goto done; @@ -1244,31 +1243,9 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req) goto done; } - realm = dp_opt_get_string(ctx->sd_ctx->id_ctx->ipa_options->basic, - IPA_KRB5_REALM); - if (realm == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n"); - ret = EINVAL; - goto done; - } - - ret = sysdb_master_domain_add_info(ctx->sd_ctx->be_ctx->domain, - realm, flat, id, NULL); - if (ret != EOK) { - goto done; - } - /* There is only one master record. Don't bother checking other IPA * search bases; move to checking subdomains instead */ - ret = ipa_subdomains_handler_get_start(ctx, - ctx->sd_ctx->search_bases, - IPA_SUBDOMAINS_SLAVE); - if (ret == EAGAIN) { - return; - } - - /* Either no search bases or an error. End the request in both cases */ } else { ret = ipa_subdomains_handler_get_cont(ctx, IPA_SUBDOMAINS_MASTER); if (ret == EAGAIN) { @@ -1277,17 +1254,48 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req) goto done; } - /* Right now we know there has been an error - * and we don't have the master domain record - */ - DEBUG(SSSDBG_CRIT_FAILURE, "Master domain record not found!\n"); - - if (!ctx->sd_ctx->configured_explicit) { - ctx->sd_ctx->disabled_until = time(NULL) + - IPA_SUBDOMAIN_DISABLED_PERIOD; + /* All search paths are searched and no master domain record was + * found. + * + * A default IPA installation will not have a master domain record, + * this is only created by ipa-adtrust-install. Nevertheless we should + * continue to read other data like the idview on IPA clients. */ + + DEBUG(SSSDBG_TRACE_INTERNAL, "Master domain record not found!\n"); + + } + + realm = dp_opt_get_string(ctx->sd_ctx->id_ctx->ipa_options->basic, + IPA_KRB5_REALM); + if (realm == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n"); + ret = EINVAL; + goto done; + } + + ret = sysdb_master_domain_add_info(ctx->sd_ctx->be_ctx->domain, + realm, flat, id, NULL); + if (ret != EOK) { + goto done; + } + + ret = ipa_subdomains_handler_get_start(ctx, + ctx->sd_ctx->search_bases, + IPA_SUBDOMAINS_SLAVE); + if (ret == EAGAIN) { + return; + } else if (ret == EOK) { + /* If there are no search bases defined for subdomains try to get the + * idview before ending the request */ + if (ctx->sd_ctx->id_ctx->server_mode == NULL) { + /* Only get view on clients, on servers it is always 'default' */ + ret = ipa_get_view_name(ctx); + if (ret == EAGAIN) { + return; + } else if (ret != EOK) { + goto done; + } } - - ret = EIO; } done: -- 2.1.0