On (12/12/14 11:04), Sumit Bose wrote:
Hi,
This patch tries to assure on IPA clients that users from trusted
domains really belong to all groups they are members of and should
fix
https://fedorahosted.org/sssd/ticket/2529 .
bye,
Sumit
From 57f82b2f316d78b1971d6d045c6662a54fe8a6a6 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 11 Dec 2014 10:49:39 +0100
Subject: [PATCH] IPA: verify group memberships of trusted domain users
Depending on the state of the cached group object, a freshly created or
updated user entry for a trusted domain user might already be a member
of the group or not. This patch makes sure the requested user is a
member of all groups returned from the extdom request.
Resolves
https://fedorahosted.org/sssd/ticket/2529
---
Your patch fixes the problem only partially. There is still a problem with external
groups. I had a similar problem with RESP_GROUP_MEMBERS in ticket #2524.
The main problem is that the domain for storing the result in sysdb needn't be the
same. In my case, external groups were stored in ad.domain instead of
ipa.domain. I fixed it by using the right domain (attached patch).
There is still a problem if two AD users are members of the same groups
(especially an external IPA group).
For the first user, groups are resolved via RESP_GROUP_MEMBERS.
Membership for the second user is partially fixed by your patch for
RESP_USER_GROUPLIST, but the external group is not fixed.
Let me show a small example.
We have users aduser1@ipaad2012.test and aduser2@ipaad2012r2.test.
aduser1 connects with ssh to the machine; group membership is resolved via
RESP_GROUP_MEMBERS. The second user aduser2 connects to the same machine and
is a member of the same groups. It will receive a list of groups
(RESP_USER_GROUPLIST):
list = { "aduser2@ipaad2012.test", "domain users@ipaad2012.test",
"adgroup1@ipaad2012.test", "tgroup5" }
"tgroup5" is an IPA group.
There are errors in the log file:
[sysdb_update_members_ex] (0x0020): Could not add member [aduser2@ipaad2012r2.test] to group [tgroup5]. Skipping.
[sysdb_update_members_ex] (0x0020): Could not add member [aduser2@ipaad2012r2.test] to group [aduser2@ipaad2012r2.test]. Skipping.
The reason why it failed is that sssd tried to update membership
in the group tgroup5@ipaad2012.test, which does not exist.
I'm not sure what the right solution is. In my opinion IPA server mode should
enable fully qualified names. So we could extract the domain from the group name
"tgroup5@ipa.test", but it would not fix the bug in RESP_USER_GROUPLIST;
it would need to be special-cased. Another solution can be to change the default
domain to the IPA domain and search for the subdomain where it is necessary.
BTW: the function ipa_s2n_save_objects is big enough. So it would be good to
extract your patch into a static function. Another reason for a separate function
is the ldb transaction.
LS
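The failure described in the reply above, as an added example that is not SSSD code and not part of the original thread: a small Python model of how an unqualified name from the extdom group list ends up attributed to a sysdb domain. It contrasts the reported behaviour (an unqualified name like "tgroup5" inherits the requesting user's trusted domain, so the group is looked up where it does not exist and the membership update is skipped) with the second fix proposed in the reply (default to the IPA domain, and only use a subdomain when the name is qualified with one). The IPA domain name ipa.test, the two trusted AD domains and the sysdb contents are constructed for the example; the real code path is ipa_s2n_save_objects in C and differs in detail.

```python
"""Model of sysdb domain selection for names returned by an IPA extdom request.
Added illustration, not SSSD code. All domain names and sysdb contents below
are constructed for the example."""

IPA_DOMAIN = "ipa.test"                                    # assumed IPA parent domain
TRUSTED_DOMAINS = {"ipaad2012.test", "ipaad2012r2.test"}  # assumed trusted AD domains

# Constructed stand-in for the sysdb cache: domain -> group names stored there.
# The external IPA group tgroup5 exists only in the IPA domain.
SYSDB = {
    "ipa.test": {"tgroup5"},
    "ipaad2012.test": {"domain users", "adgroup1"},
    "ipaad2012r2.test": {"domain users", "adgroup1"},
}


def split_fqname(name):
    """Split 'short@domain' into (short, domain); unqualified names give domain None.
    The last '@' is used so a short name that itself contains '@' still splits."""
    short, sep, dom = name.rpartition("@")
    if not sep:
        return name, None
    return short, dom


def resolve_user_domain_default(name, user_domain):
    """Behaviour reported in the reply: an unqualified group name is attributed to
    the domain of the user being saved, e.g. tgroup5 -> tgroup5@ipaad2012.test."""
    short, dom = split_fqname(name)
    return short, dom if dom is not None else user_domain


def resolve_ipa_default(name, user_domain):
    """Proposed alternative: unqualified names default to the IPA domain; a qualified
    name must point at the IPA domain or one of the known trusted subdomains."""
    short, dom = split_fqname(name)
    if dom is None:
        return short, IPA_DOMAIN
    if dom == IPA_DOMAIN or dom in TRUSTED_DOMAINS:
        return short, dom
    raise ValueError("unknown domain %r in %r" % (dom, name))


def update_memberships(user, grouplist, resolver):
    """Mirror the outcome of sysdb_update_members_ex for one user.

    Returns (added, skipped): a membership is added only if the group exists in the
    domain the resolver chose; otherwise it is skipped, as the 'Could not add member'
    log lines in the thread report."""
    _, user_domain = split_fqname(user)
    added, skipped = [], []
    for group in grouplist:
        short, dom = resolver(group, user_domain)
        if short in SYSDB.get(dom, set()):
            added.append((short, dom))
        else:
            skipped.append((short, dom))
    return added, skipped


if __name__ == "__main__":
    # Constructed RESP_USER_GROUPLIST for the second user, without the private group.
    groups = ["domain users@ipaad2012r2.test", "adgroup1@ipaad2012r2.test", "tgroup5"]
    user = "aduser2@ipaad2012r2.test"
    print("user-domain default:", update_memberships(user, groups, resolve_user_domain_default))
    print("ipa-domain default: ", update_memberships(user, groups, resolve_ipa_default))
```

The model deliberately leaves out the user's own private group (the second "Could not add member" line in the log), which is a separate case from the external IPA group.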