From 9ff2e55000d146381db5f66575e40ada5ecaf0cf Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 6 Sep 2024 14:37:05 +0200
Subject: [PATCH 11/15] ad: use default user_map when looking of host groups for GPO
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use the default AD user attribute map to lookup the group membership of the AD host object. This should help to avoid issues if user attributes are overwritten in the user attribute map.
Resolves: https://github.com/SSSD/sssd/issues/7590
Reviewed-by: Justin Stephenson
Reviewed-by: Tomáš Halman
(cherry picked from commit 5f5077ac1158deff6fbb51722d37b9c5f8b05cf7)
(cherry picked from commit 2c233636c093708d5cdd7ddb69af9b0ecde633bd)
Reviewed-by: Justin Stephenson
---
src/providers/ad/ad_access.h | 1 +
src/providers/ad/ad_gpo.c | 15 ++++++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
index 34d5597da..c54b53eed 100644
--- a/src/providers/ad/ad_access.h
+++ b/src/providers/ad/ad_access.h
@@ -49,6 +49,7 @@ struct ad_access_ctx {
 } gpo_map_type;
 hash_table_t *gpo_map_options_table;
 enum gpo_map_type gpo_default_right;
+ struct sdap_attr_map *host_attr_map;
 };
 
 struct tevent_req *
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 69dd54f5b..4e2f06b0d 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -45,6 +45,7 @@
 #include "providers/ad/ad_common.h"
 #include "providers/ad/ad_domain_info.h"
 #include "providers/ad/ad_gpo.h"
+#include "providers/ad/ad_opts.h"
 #include "providers/ldap/sdap_access.h"
 #include "providers/ldap/sdap_async.h"
 #include "providers/ldap/sdap.h"
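Review bot: The new `host_attr_map` member of struct ad_access_ctx carries no comment saying who allocates it or when it is valid; from the ad_gpo.c hunk it appears to be filled lazily by sdap_copy_map() with the access context as the talloc parent, which a reader of the header alone cannot tell. A short comment on the field, `/* Attribute map used for the AD host object lookup during GPO processing; NULL until first use, allocated on demand in ad_gpo.c. */`, would make the lazy initialisation and the NULL-until-used state visible to other users of the struct.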
@@ -2238,13 +2239,25 @@ ad_gpo_connect_done(struct tevent_req *subreq)
 "trying with user search base.");
 }
+ if (state->access_ctx->host_attr_map == NULL) {
+ ret = sdap_copy_map(state->access_ctx,
+ ad_2008r2_user_map, SDAP_OPTS_USER,
+ &state->access_ctx->host_attr_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n");
+ goto done;
+ }
+ }
+
 subreq = groups_by_user_send(state, state->ev,
 state->access_ctx->ad_id_ctx->sdap_id_ctx,
 sdom, state->conn,
 search_bases, state->host_fqdn,
 BE_FILTER_NAME,
- NULL, NULL, 0,
+ NULL,
+ state->access_ctx->host_attr_map,
+ SDAP_OPTS_USER,
 true, true);
 tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
--
2.46.1
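Review bot: The `host_attr_map == NULL` branch hard-wires `ad_2008r2_user_map` without a comment explaining why the configured user map is deliberately bypassed, so a maintainer reading the new map argument to groups_by_user_send() will not see that the choice is what makes the host group lookup, and hence the GPO access decision, immune to ldap_user_* overrides. A comment above the branch such as `/* Look the host object up with the stock AD user map rather than the configured one, so ldap_user_* attribute overrides cannot break the host group lookup GPO access control depends on. */` records the intent stated in the commit message. The failure log would be more useful with the error attached, `DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map [%d]: %s\n", ret, sss_strerror(ret));`, since a copy failure here aborts the whole GPO evaluation. ad_gpo_connect_done() begins and ends outside the hunk, so whether the `done:` label hands `ret` to tevent_req_error() cannot be confirmed from here.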