From 2c233636c093708d5cdd7ddb69af9b0ecde633bd Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 6 Sep 2024 14:37:05 +0200
Subject: [PATCH 11/11] ad: use default user_map when looking of host groups for GPO
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use the default AD user attribute map to lookup the group membership of the AD host object. This should help to avoid issues if user attributes are overwritten in the user attribute map.

Resolves: https://github.com/SSSD/sssd/issues/7590

Reviewed-by: Justin Stephenson
Reviewed-by: Tomáš Halman
(cherry picked from commit 5f5077ac1158deff6fbb51722d37b9c5f8b05cf7)
---
 src/providers/ad/ad_access.h | 1 +
 src/providers/ad/ad_gpo.c | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
index 34d5597da..c54b53eed 100644
--- a/src/providers/ad/ad_access.h
+++ b/src/providers/ad/ad_access.h
@@ -49,6 +49,7 @@ struct ad_access_ctx {
     } gpo_map_type;
     hash_table_t *gpo_map_options_table;
     enum gpo_map_type gpo_default_right;
+    struct sdap_attr_map *host_attr_map;
 };
 
 struct tevent_req *
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index fa68d814f..6b154f71d 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -45,6 +45,7 @@
 #include "providers/ad/ad_common.h"
 #include "providers/ad/ad_domain_info.h"
 #include "providers/ad/ad_gpo.h"
+#include "providers/ad/ad_opts.h"
 #include "providers/ldap/sdap_access.h"
 #include "providers/ldap/sdap_async.h"
 #include "providers/ldap/sdap.h"
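Review bot: The new `host_attr_map` member of `struct ad_access_ctx` carries no comment saying what it holds, who allocates it, or that it may be NULL until first use, and the header is the only place a reader of the access or GPO code sees the field declared. From the ad_gpo.c hunk on this page it is filled lazily by `sdap_copy_map()` from the default AD user map with the access context as talloc parent, so I would record that above the member: `/* Attribute map for host-object lookups during GPO processing; copied lazily from the default AD user map, talloc-owned by this ctx, NULL until first use. */`. The struct definition starts before this hunk.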
@@ -2238,13 +2239,25 @@ ad_gpo_connect_done(struct tevent_req *subreq)
                   "trying with user search base.");
     }
 
+    if (state->access_ctx->host_attr_map == NULL) {
+        ret = sdap_copy_map(state->access_ctx,
+                            ad_2008r2_user_map, SDAP_OPTS_USER,
+                            &state->access_ctx->host_attr_map);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n");
+            goto done;
+        }
+    }
+
     subreq = groups_by_user_send(state, state->ev,
                                  state->access_ctx->ad_id_ctx->sdap_id_ctx,
                                  sdom, state->conn,
                                  search_bases,
                                  state->host_fqdn,
                                  BE_FILTER_NAME,
-                                 NULL, NULL, 0,
+                                 NULL,
+                                 state->access_ctx->host_attr_map,
+                                 SDAP_OPTS_USER,
                                  true, true);
     tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
 
--
2.45.0
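Review bot: Doing the `sdap_copy_map()` call lazily inside `ad_gpo_connect_done()` means a failure to build the map is only discovered during the first GPO-based access check, and is retried on every later request while the field stays NULL; doing the copy once where `ad_access_ctx` is created (outside this patch) would surface the problem at provider start-up, with the `== NULL` guard here kept only as a fallback. The `goto done` path depends on `ret` and the `done:` label, both declared outside the hunk, so it is assumed `done` turns a non-EOK `ret` into `tevent_req_error()`; `ad_gpo_connect_done` starts and ends outside this hunk. The new block also deserves a one-line why-comment, since bypassing the configured map is deliberate and affects which GPOs apply to the host: `/* Look the host object up with the stock AD user map so a customised user_map cannot break host group resolution for GPO. */`.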