From 03bc96247cbd567ad11a4c693c1d90580f903bb7 Mon Sep 17 00:00:00 2001 From: Pavel Březina Date: Dec 11 2019 13:37:22 +0000 Subject: nss: use real primary gid if the value is overriden SYSDB_PRIMARY_GROUP_GIDNUM contains original primary group id from AD because any possible override may not be known at the time of storing the user. Now we try to lookup group by its originalADgidNumber and if it is found we will replace the original id with real primary group id. Steps to reproduce: 1. Enroll SSSD to IPA domain with AD trust 2. Add ID override to Domain Users `ipa idoverridegroup-add 'Default Trust View' "Domain Users@ad.vm" --gid=40000000` 3. On IPA server: Remove cache for the overrides to apply immediately and restart SSSD `sssctl cache-remove --stop --start` 4. On IPA server: Resolve user `id Administrator@ad.vm` There will be visible both new and old gids without the patch. Resolves: https://pagure.io/SSSD/sssd/issue/4124 Reviewed-by: Sumit Bose
---
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index e03c32d..5660437 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -208,6 +208,7 @@
 #define SYSDB_GRNAM_FILTER "(&("SYSDB_GC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
 #define SYSDB_GRGID_FILTER "(&("SYSDB_GC")("SYSDB_GIDNUM"=%lu))"
+#define SYSDB_GRORIGGID_FILTER "(&("SYSDB_GC")("ORIGINALAD_PREFIX SYSDB_GIDNUM"=%lu))"
 #define SYSDB_GRSID_FILTER "(&("SYSDB_GC")("SYSDB_SID_STR"=%s))"
 #define SYSDB_GRENT_FILTER "("SYSDB_GC")"
 #define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
@@ -977,6 +978,12 @@ int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
 const char **attrs,
 struct ldb_message **msg);
+int sysdb_search_group_by_origgid(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ gid_t gid,
+ const char **attrs,
+ struct ldb_message **msg);
+
 int sysdb_search_group_by_sid_str(TALLOC_CTX *mem_ctx,
 struct sss_domain_info *domain,
 const char *sid_str,
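Review bot: The new `sysdb_search_group_by_origgid()` prototype in the second hunk is declared without a comment, and nothing in the header says how it differs from `sysdb_search_group_by_gid()` directly above it. Since the only difference is which attribute the filter matches, a short comment on the declaration would let callers pick the right one: `/* Like sysdb_search_group_by_gid(), but matches the group's original AD gid (ORIGINALAD_PREFIX SYSDB_GIDNUM) rather than its possibly overridden gidNumber. */`. The `SYSDB_GRORIGGID_FILTER` macro in the first hunk relies on `ORIGINALAD_PREFIX` expanding to a string literal so that `"("ORIGINALAD_PREFIX SYSDB_GIDNUM"=%lu))"` concatenates; that presumably holds for the neighbouring attribute macros, but its definition is not visible here.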
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index a108a7e..1ba40b4 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -774,14 +774,13 @@ int sysdb_search_group_by_name(TALLOC_CTX *mem_ctx,
 return sysdb_search_by_name(mem_ctx, domain, name, SYSDB_GROUP, attrs, msg);
 }
-/* Please note that sysdb_search_group_by_gid() is not aware of MPGs. If MPG
- * support is needed either the caller must handle it or sysdb_getgrgid() or
- * sysdb_getgrgid_attrs() should be used. */
-int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
- struct sss_domain_info *domain,
- gid_t gid,
- const char **attrs,
- struct ldb_message **msg)
+static int
+sysdb_search_group_by_id(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *filterfmt,
+ gid_t gid,
+ const char **attrs,
+ struct ldb_message **msg)
 {
 TALLOC_CTX *tmp_ctx;
 const char *def_attrs[] = { SYSDB_NAME, SYSDB_GIDNUM, NULL };
@@ -802,7 +801,7 @@ int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
 goto done;
 }
- filter = talloc_asprintf(tmp_ctx, SYSDB_GRGID_FILTER, (unsigned long)gid);
+ filter = talloc_asprintf(tmp_ctx, filterfmt, (unsigned long)gid);
 if (!filter) {
 ret = ENOMEM;
 goto done;
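Review bot: `sysdb_search_group_by_id()` now hands its `filterfmt` parameter straight to `talloc_asprintf()` in the `-802` hunk, so the compiler can no longer check that the format agrees with the single `(unsigned long)gid` argument, and a future caller passing a filter without exactly one `%lu` would be a silent format-string bug. Both current callers pass fixed macros, so the contract belongs on the parameter: `/* filterfmt: compile-time constant ldb filter format with exactly one %lu conversion, which receives gid; must never come from request data. */`. Inserting `filterfmt` between `domain` and `gid` also makes the signature diverge from the public wrappers, whose third argument is `gid`; placing it first or last would keep the shared `(gid, attrs, msg)` tail aligned. The body of the function continues outside both hunks.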
@@ -833,6 +832,29 @@ done:
 return ret;
 }
+/* Please note that sysdb_search_group_by_gid() is not aware of MPGs. If MPG
+ * support is needed either the caller must handle it or sysdb_getgrgid() or
+ * sysdb_getgrgid_attrs() should be used. */
+int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ gid_t gid,
+ const char **attrs,
+ struct ldb_message **msg)
+{
+ return sysdb_search_group_by_id(mem_ctx, domain, SYSDB_GRGID_FILTER,
+ gid, attrs, msg);
+}
+
+int sysdb_search_group_by_origgid(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ gid_t gid,
+ const char **attrs,
+ struct ldb_message **msg)
+{
+ return sysdb_search_group_by_id(mem_ctx, domain, SYSDB_GRORIGGID_FILTER,
+ gid, attrs, msg);
+}
+
 int sysdb_search_group_by_sid_str(TALLOC_CTX *mem_ctx,
 struct sss_domain_info *domain,
 const char *sid_str,
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 59cdd80..2367d9e 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -317,6 +317,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
 struct sss_domain_info *domain;
 struct ldb_message *user;
 struct ldb_message *msg;
+ struct ldb_message *primary_group_msg;
 const char *posix;
 struct sized_string rawname;
 struct sized_string unique_name;
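Review bot: The moved comment above `sysdb_search_group_by_gid()` states the MPG caveat for that function only, while the new `sysdb_search_group_by_origgid()` directly below it is undocumented even though both are one-line wrappers over the same `sysdb_search_group_by_id()` and therefore share the limitation. I would give the new wrapper its own header comment: `/* Search a group by its original AD gid (ORIGINALAD_PREFIX SYSDB_GIDNUM) instead of its current gidNumber, so the real primary group can be found when its gid has been overridden. The MPG caveat of sysdb_search_group_by_gid() applies here too. */`. Whether a miss is reported as ENOENT is decided inside `sysdb_search_group_by_id()`, whose body is outside this hunk, so the comment should name that value only if it is confirmed there.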
@@ -349,6 +350,19 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
 SYSDB_PRIMARY_GROUP_GIDNUM, 0);
+ /* Try to get the real gid in case the primary group's gid was overriden. */
+ ret = sysdb_search_group_by_origgid(NULL, domain, orig_gid, NULL,
+ &primary_group_msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to find primary gid [%d]: %s\n",
+ ret, sss_strerror(ret));
+ /* Just continue with what we have. */
+ } else {
+ orig_gid = ldb_msg_find_attr_as_uint64(primary_group_msg, SYSDB_GIDNUM,
+ orig_gid);
+ talloc_free(primary_group_msg);
+ }
+
 /* If the GID of the original primary group is available but equal to the
 * current primary GID it must not be added. */
 orig_gid = orig_gid == gid ? 0 : orig_gid;
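Review bot: The new lookup runs unconditionally, but the context line just above shows `orig_gid` falls back to 0 when `SYSDB_PRIMARY_GROUP_GIDNUM` is absent, so for every user without an original primary gid this issues a sysdb search for an original gid of 0 and then logs an `SSSDBG_MINOR_FAILURE` message for a condition that is not a failure. Wrapping the block in `if (orig_gid != 0) {` (closing after the existing `}`) avoids both the pointless query and the noise; a group that is simply not cached yet also looks like an expected outcome here, so the remaining log line is probably better at a trace level, though I cannot see how often this path is hit. The added comment spells `overriden`; it should read `overridden`. `nss_protocol_fill_initgr()` begins outside the hunk.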