e0d298f0ae
Resolves: RHEL-68507 - sssd backend process segfaults when krb5.conf is invalid [rhel-8.10.z] Resolves: RHEL-66267 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-8.10.z] Resolves: RHEL-67128 - Excessive "Domain not found' messages logged to sssd_nss & sssd_be in multidomain AD forest [rhel-8.10.z] Resolves: RHEL-66272 - sssd is skipping GPO evaluation with auto_private_groups [rhel-8.10.z] Resolves: RHEL-66277 - possible regression of rhbz#2196521 [rhel-8.10.z]
From 9ff2e55000d146381db5f66575e40ada5ecaf0cf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 6 Sep 2024 14:37:05 +0200
Subject: [PATCH 11/15] ad: use default user_map when looking of host groups
for GPO
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use the default AD user attribute map to lookup the group membership of
the AD host object. This should help to avoid issues if user attributes
are overwritten in the user attribute map.
Resolves: https://github.com/SSSD/sssd/issues/7590
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 5f5077ac1158deff6fbb51722d37b9c5f8b05cf7)
(cherry picked from commit 2c233636c093708d5cdd7ddb69af9b0ecde633bd)
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/providers/ad/ad_access.h | 1 +
src/providers/ad/ad_gpo.c | 15 ++++++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
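diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
index 34d5597da..c54b53eed 100644
--- a/src/providers/ad/ad_access.h
+++ b/src/providers/ad/ad_access.h
@@ -49,6 +49,7 @@ struct ad_access_ctx {
 } gpo_map_type;
 hash_table_t *gpo_map_options_table;
 enum gpo_map_type gpo_default_right;
+ struct sdap_attr_map *host_attr_map;
 };
 
 struct tevent_req *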
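Review bot: The new `host_attr_map` member of `struct ad_access_ctx` carries no comment, so the reason it exists (the GPO host lookup must not be affected by overrides of the user attribute map) lives only in the commit message and is lost once this is merged. Suggest placing `/* Copy of the default AD user attribute map, used to look up the group membership of the host object during GPO evaluation; filled lazily by ad_gpo.c so that admin overrides of the user map do not affect it. */` directly above the field. The struct definition begins outside the hunk.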
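diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 69dd54f5b..4e2f06b0d 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -45,6 +45,7 @@
 #include "providers/ad/ad_common.h"
 #include "providers/ad/ad_domain_info.h"
 #include "providers/ad/ad_gpo.h"
+#include "providers/ad/ad_opts.h"
 #include "providers/ldap/sdap_access.h"
 #include "providers/ldap/sdap_async.h"
 #include "providers/ldap/sdap.h"
@@ -2238,13 +2239,25 @@ ad_gpo_connect_done(struct tevent_req *subreq)
 "trying with user search base.");
 }
 
+ if (state->access_ctx->host_attr_map == NULL) {
+ ret = sdap_copy_map(state->access_ctx,
+ ad_2008r2_user_map, SDAP_OPTS_USER,
+ &state->access_ctx->host_attr_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n");
+ goto done;
+ }
+ }
+
 subreq = groups_by_user_send(state, state->ev,
 state->access_ctx->ad_id_ctx->sdap_id_ctx,
 sdom, state->conn,
 search_bases,
 state->host_fqdn,
 BE_FILTER_NAME,
- NULL, NULL, 0,
+ NULL,
+ state->access_ctx->host_attr_map,
+ SDAP_OPTS_USER,
 true,
 true);
 tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);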
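Review bot: The lazy copy added in ad_gpo_connect_done hard-codes `ad_2008r2_user_map` and parks the result on `state->access_ctx`, but nothing at the site says why the unmodified default map rather than a configured or schema-dependent one is wanted, nor that the copy is meant to outlive this request. A later maintainer could read the fixed map as an oversight and switch it to the configured user map, reintroducing the breakage this commit avoids; suggest a comment before the `if`: `/* Use the unmodified default user map for the host object so ldap_user_* overrides cannot break the host group lookup; cached on access_ctx for later GPO evaluations. */`. On the failure path the code jumps to `done` with `ret` set, and since that label is outside the hunk it cannot be confirmed here that the error is reported to the request rather than silently ending it. ad_gpo_connect_done begins and ends outside the hunk.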
--
2.46.1