Patch 0001: AD: Clean up ad_access_gpo

Just a minor cleanup to ad_gpo_access_send to adhere to our tevent conventions. This is purely for aesthetic and maintainability reasons; it has no functional effect.
Patch 0002: AD: Always get domain-specific ID connection

This one is a little tricky. It turns out that in some circumstances, ad_ctx->ldap_ctx may actually be pointing at a subdomain rather than the enrolled domain. I don't know the reasons for this (and it appears to be a race condition, because I could only get it to happen if I was quick to test logins right after restarting SSSD). However, the fix is fairly straightforward: sdap_domain_get()->pvt->ldap_ctx always provides the real ldap_ctx for the requested domain (either the enrolled domain or any of the trusted domains). The IS_SUBDOMAIN() check and shortcut to ad_ctx->ldap_ctx was unnecessary and (thanks to the odd race) incorrect. This patch removes this conditional shortcut and forces us to get the correct ldap_ctx. This proved to be the last piece necessary to get Patch 0003 to work.
Patch 0003: AD GPO: Always look up GPOs from machine domain
When dealing with users from a child domain, SSSD was attempting to use the subdomain for lookups. However, all GPOs applicable to this machine are stored in the primary domain (the domain the host directly joined).
This patch has the GPO processing use the primary domain instead of the user domain.