#3847 gpo: use correct base dn
Closed: cloned-to-github 2 years ago by pbrezina. Opened 3 years ago by pbrezina.

GPO code in ad_gpo_connect_done converts domain name to base dn which may not be correct. For example if the domain name in sssd.conf is AD, computed base is then dc=AD, but the correct base dn is dc=ad,dc=vm. This makes gpo code to fail.

    /* Convert the domain name into domain DN */
    ret = domain_to_basedn(state, state->host_domain->name, &domain_dn);
    if (ret != EOK) {
              "Cannot convert domain name [%s] to base DN [%d]: %s\n",
               state->host_domain->name, ret, sss_strerror(ret));
        goto done;

    /* SDAP_OC_USER objectclass covers both users and computers */
    filter = talloc_asprintf(state,
    if (filter == NULL) {
        ret = ENOMEM;
        goto done;

    subreq = sdap_get_generic_send(state, state->ev, state->opts,
                                   domain_dn, LDAP_SCOPE_SUBTREE,
^^^ correct base dn should be used
                                   filter, attrs, NULL, 0,

    if (subreq == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
        ret = EIO;
        goto done;

    tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);

Metadata Update from @jhrozek:
- Issue assigned to mzidek

3 years ago

Metadata Update from @pbrezina:
- Issue tagged with: Future milestone, New hire task

2 years ago

Metadata Update from @pbrezina:
- Issue assigned to avisiedo (was: mzidek)

2 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4840

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.