On Tue, Apr 14, 2015 at 12:26:15PM +0200, Jakub Hrozek wrote:
On Mon, Apr 13, 2015 at 04:47:35PM +0200, Lukas Slebodnik wrote:
> ehlo,
>
> the problem is that with current master and 1.12 the domain local groups
> from subdomain are not filtered.
>
> The 1st patch partially fixes the problem. The name of group is not visible
> after "id user", but there is a GID which does not have a name.
> BTW without this patch "Distributions groups" needn't be filtered with
> disabled tokengroups. It might explain some cases where groups were missing
> with disabled tokengroups. Users might use this bug as a workaround.
>
> The last patch filters domain local groups from subdomains
> while doing initgroups. So there will not be GIDs without name.
>
> Please try to review patches very soon. So we can fix regression with
> domain local groups caused by recent optimization of initgroups.
>
> LS
Seems to work fine:
(Tue Apr 14 06:11:08 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_add_incomplete_groups] (0x2000): Group [Denied RODC Password Replication Group@CHILD.AD.EXAMPLE.COM] has mapped gid [577600572]
(Tue Apr 14 06:11:08 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_check_ad_group_type] (0x4000): AD group [Denied RODC Password Replication Group@CHILD.AD.EXAMPLE.COM] has type flags 0x80000004.
(Tue Apr 14 06:11:08 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_check_ad_group_type] (0x0400): Filtering AD group [Denied RODC Password Replication Group@CHILD.AD.EXAMPLE.COM].
(Tue Apr 14 06:11:08 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_add_incomplete_groups] (0x2000): Adding fake group Denied RODC Password Replication Group@CHILD.AD.EXAMPLE.COM to sysdb
The patches look good as well.
btw I think we should rename the request sdap_ad_tokengroups_initgr_posix()
because for subdomains it's called even if TGs are enabled.
ACK
CI is pending, I'll push after the CI run finishes.
master:
* b9fbeb75e7a4f50f98d979a70a710f9221892483
* bad2fc8133d941e5a6c8d8016c9689e039265c61
* 5d864e7a9d0e1e6fb7dd8158c5b8bfb71040b908
sssd-1-12:
* 49895bb18508a4f4b83b99d9875e99e17c81285b
* bdd031d274659263db5f28408d8b75c63d3485a0
* cf7047634308c431f4cfbff1d88564668d2a33c7
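
The filtering decision discussed in this thread, as an added example that is not SSSD code and not part of the original messages: it decodes the "type flags" value from a debug line and applies the two rules the thread mentions (distribution groups, and domain local groups from subdomains). The function names and the sample line are constructed for illustration; the bit values are the documented Active Directory groupType flags.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Active Directory groupType bits (documented by Microsoft). */
#define GT_GLOBAL       0x00000002u
#define GT_DOMAIN_LOCAL 0x00000004u
#define GT_UNIVERSAL    0x00000008u
#define GT_SECURITY     0x80000000u

/* Hypothetical helper: should this group be dropped from initgroups results? */
bool group_is_filtered(uint32_t group_type, bool from_subdomain)
{
    /* Distribution groups (security bit clear) carry no access meaning. */
    if (!(group_type & GT_SECURITY)) return true;
    /* Rule from the thread: domain local groups from subdomains are dropped. */
    if ((group_type & GT_DOMAIN_LOCAL) && from_subdomain) return true;
    return false;
}

/* Hypothetical helper: return the hex value after "type flags ",
 * or -1 if the line has no such field or the value is malformed. */
long long parse_type_flags(const char *line)
{
    static const char key[] = "type flags ";
    const char *p = strstr(line, key);
    char *end;
    unsigned long v;

    if (p == NULL) return -1;
    p += sizeof(key) - 1;
    v = strtoul(p, &end, 16);          /* base 16 accepts the "0x" prefix */
    if (end == p || v > 0xFFFFFFFFul) return -1;
    return (long long)v;
}

int main(void)
{
    /* Constructed sample, modelled on the debug output quoted above. */
    const char *line = "[sdap_check_ad_group_type] (0x4000): AD group "
                       "[Example Group@CHILD.AD.EXAMPLE.COM] has type flags 0x80000004.";
    long long flags = parse_type_flags(line);

    if (flags < 0) return 1;
    printf("flags=0x%08llx subdomain=%s parent-domain=%s\n", flags,
           group_is_filtered((uint32_t)flags, true) ? "filtered" : "kept",
           group_is_filtered((uint32_t)flags, false) ? "filtered" : "kept");
    return 0;
}
```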