Patch 0001: AD: Clean up ad_access_gpo
Just a minor cleanup to ad_gpo_access_send to adhere to our tevent conventions. This is purely for aesthetic and maintainability reasons; it has no functional effect.

Patch 0002: AD: Always get domain-specific ID connection
This one is a little tricky. It turns out that in some circumstances, ad_ctx->ldap_ctx may actually be pointing at a subdomain rather than the enrolled domain. I don't know the reasons for this (and it appears to be a race condition, because I could only get it to happen if I was quick to test logins right after restarting SSSD). However, the fix is fairly straightforward: sdap_domain_get()->pvt->ldap_ctx always provides the real ldap_ctx for the requested domain (either the enrolled domain or any of the trusted domains). The IS_SUBDOMAIN() check and shortcut to ad_ctx->ldap_ctx was unnecessary and (thanks to the odd race) incorrect. This patch removes this conditional shortcut and forces us to get the correct ldap_ctx. This proved to be the last piece necessary to get Patch 0003 to work.
Patch 0003: AD GPO: Always look up GPOs from machine domain
When dealing with users from a child domain, SSSD was attempting to use the subdomain for lookups. However, all GPOs applicable to this machine are stored in the primary domain (the domain the host directly joined).
This patch has the GPO processing use the primary domain instead of the user domain.
On Tue, Apr 14, 2015 at 10:31:57PM -0400, Stephen Gallagher wrote:
From 39a0dc5dd670cb251e3c9a3b35aca9dbb2ede061 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 14 Apr 2015 13:07:36 -0400
Subject: [PATCH 1/3] AD: Clean up ad_access_gpo
ACK
From 5e57bf4e92fd898a1879dc773c7a380b1f96b7ad Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 14 Apr 2015 21:50:36 -0400
Subject: [PATCH 2/3] AD: Always get domain-specific ID connection
I tested this patch by requesting users and groups from two different AD subdomains, both with and without GC support. I didn't see any regressions and the patch looks good to me as well.
If other developers have more ideas about what to test, I'll be glad to do more testing, but for now:
ACK
From a3811325ff351520528ed01693ebba0481feab6a Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 10 Apr 2015 16:34:37 -0400
Subject: [PATCH 3/3] AD GPO: Always look up GPOs from machine domain
When dealing with users from a child domain, SSSD was attempting to use the subdomain for lookups. However, all GPOs applicable to this machine are stored in the primary domain (the domain the host directly joined).
This patch has the GPO processing use the primary domain instead of the user domain.
Makes sense and the GPO code no longer returns System Error.
ACK
Thanks again for helping us fix this bug!
On Wed, Apr 15, 2015 at 02:43:45PM +0200, Jakub Hrozek wrote:
master:
475d986b534c5e0dfdb8e2348ab89b13fd4874aa
e2bd4f8a41b72aea0712ad21ad02ccebb707f536
d9079aa05eb8aacb488992fdce328c1abadd08d8

sssd-1-12:
b025f8a22cab47ac1f705a872917e3da0799fdd9
89a706acf3131bbe8c0aefa9c740dd44e892754f
d7efa39ab732fb034f51501cb2b1b8d3b1716979