effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher Stephen Gallagher <sgallagh@redhat.com>
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher Copyright (C) 2012 Red Hat
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher This program is free software; you can redistribute it and/or modify
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher it under the terms of the GNU General Public License as published by
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher the Free Software Foundation; either version 3 of the License, or
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher (at your option) any later version.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher This program is distributed in the hope that it will be useful,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher but WITHOUT ANY WARRANTY; without even the implied warranty of
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher GNU General Public License for more details.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher You should have received a copy of the GNU General Public License
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher along with this program. If not, see <http://www.gnu.org/licenses/>.
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek if (dp_opt_get_bool(ad_options->basic, AD_ENABLE_GC) == false) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_IMPORTANT_INFO, "POSIX attributes were requested "
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek "but are not present on the server side. Global Catalog "
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "lookups will be disabled\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not turn off GC support\n");
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek /* Not fatal */
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozekstatic bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx,
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek if (!sdap_idmap_domain_has_algorithmic_mapping(idmap_ctx, domain->name,
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek /* convert value to ID */
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, "Unable to convert filter value to "
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek /* convert the ID to its SID equivalent */
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek err = sss_idmap_unix_to_sid(idmap_ctx->map, id, &sid);
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, "Mapping ID [%s] to SID failed: "
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek "[%s]\n", filter_value, idmap_error_string(err));
a406b52a0d20e0ec502f52d63dee293636d1443aSumit Bose /* assume id is from a different domain */
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek /* fall through */
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find domain head\n");
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Invalid domain for SID:%s\n", csid);
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek if (strcasecmp(sid_dom->name, domain->name) != 0) {
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozekstatic errno_t ad_handle_acct_info_step(struct tevent_req *req);
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozekstatic void ad_handle_acct_info_done(struct tevent_req *subreq);
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek req = tevent_req_create(mem_ctx, &state, struct ad_handle_acct_info_state);
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek /* Try to shortcut if this is ID or SID search and it belongs to
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek * other domain range than is in ar->domain. */
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek shortcut = ad_account_can_shortcut(ctx->opts->idmap_ctx,
dfe05f505dcfea16e7d66ca1a44206aa2570e861Jakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "This ID is from different domain\n");
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek if (sss_domain_get_state(sdom->dom) == DOM_INACTIVE) {
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek /* Lookup in progress */
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozekad_handle_acct_info_step(struct tevent_req *req)
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek struct ad_handle_acct_info_state *state = tevent_req_data(req,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = check_if_pac_is_available(state, state->sdom->dom,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose /* evaluate PAC */
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose subreq = ad_handle_pac_initgr_send(state, state->ctx->be,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "ad_handle_pac_initgr_send failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose /* Fall through if there is no PAC or any other error */
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose subreq = sdap_handle_acct_req_send(state, state->ctx->be,
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek tevent_req_set_callback(subreq, ad_handle_acct_info_done, req);
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozekad_handle_acct_info_done(struct tevent_req *subreq)
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek struct ad_handle_acct_info_state *state = tevent_req_data(req,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = ad_handle_pac_initgr_recv(subreq, &dp_error, &err, &sdap_err);
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = sdap_handle_acct_req_recv(subreq, &dp_error, &err, &sdap_err);
d67a80baf0bdc888297d3587c98f8a12d4827ebcLukas Slebodnik && state->conn[state->cindex]->ignore_mark_offline) {
d67a80baf0bdc888297d3587c98f8a12d4827ebcLukas Slebodnik /* This is a special case: GC does not work.
d67a80baf0bdc888297d3587c98f8a12d4827ebcLukas Slebodnik * We need to Fall back to ldap
42bc7cb28858f8affa5bc7586f8d39b3afe4c387Lukas Slebodnik /* if GC was not used dp error should be set */
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek /* Ret is only ENOENT or ERR_NO_POSIX now. Try the next connection */
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek /* No additional search in progress. Save the last
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek * error status, we'll be returning it.
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek /* No more connections */
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek /* Another lookup in progress */
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek /* Deactivate subdomain on lookup errors instead of going
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek * offline completely.
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek * This is a stopgap, until our failover is per-domain,
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek * not per-backend. Unfortunately, we can't rewrite the error
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek * code on some reported codes only, because sdap_id_op code
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek * encapsulated the failover as well..
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozekad_handle_acct_info_recv(struct tevent_req *req,
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek struct ad_handle_acct_info_state *state = tevent_req_data(req,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinaget_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
3d29430867cf92b2d71afa95abb679711231117cPavel Březina struct sss_domain_info *dom, struct dp_id_data *ar)
008e1ee835602023891ac45408483d87f41e4d5cSumit Bose case BE_REQ_INITGROUPS: /* init groups for user */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina clist = ad_gc_conn_list(mem_ctx, ad_ctx, dom);
72ae534f5aef6d2e5d3f2f51299aede5abf9687eJakub Hrozek /* Requests for other object should only contact LDAP by default */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina clist = ad_ldap_conn_list(mem_ctx, ad_ctx, dom);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinastatic void ad_account_info_handler_done(struct tevent_req *subreq);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinaad_account_info_handler_send(TALLOC_CTX *mem_ctx,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
40bc389bc79bc41429b5a92d5ce75955f8eefaf5Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS, "Skipping enumeration on demand\n");
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina if (strcasecmp(data->domain, be_ctx->domain->name) != 0) {
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina /* Subdomain request, verify subdomain. */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina domain = find_domain_by_name(be_ctx->domain, data->domain, true);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina /* Determine whether to connect to GC, LDAP or try both. */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina clist = get_conn_list(state, id_ctx, domain, data);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina sdom = sdap_domain_get(sdap_id_ctx->opts, domain);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina subreq = ad_handle_acct_info_send(state, data, sdap_id_ctx,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina tevent_req_set_callback(subreq, ad_account_info_handler_done, req);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina /* TODO For backward compatibility we always return EOK to DP now. */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinastatic void ad_account_info_handler_done(struct tevent_req *subreq)
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina req = tevent_req_callback_data(subreq, struct tevent_req);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina state = tevent_req_data(req, struct ad_account_info_handler_state);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina ret = ad_handle_acct_info_recv(subreq, &dp_error, &err_msg);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina /* TODO For backward compatibility we always return EOK to DP now. */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina dp_reply_std_set(&state->reply, dp_error, ret, err_msg);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinaerrno_t ad_account_info_handler_recv(TALLOC_CTX *mem_ctx,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina struct ad_account_info_handler_state *state = NULL;
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina state = tevent_req_data(req, struct ad_account_info_handler_state);
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozekstatic void ad_enumeration_conn_done(struct tevent_req *subreq);
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozekstatic void ad_enumeration_master_done(struct tevent_req *subreq);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekstatic errno_t ad_enum_sdom(struct tevent_req *req, struct sdap_domain *sd,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozekstatic void ad_enumeration_done(struct tevent_req *subreq);
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek req = tevent_req_create(mem_ctx, &state, struct ad_enumeration_state);
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek ectx = talloc_get_type(pvt, struct ldap_enum_ctx);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Cannot retrieve ldap_enum_ctx!\n");
f8407faaeb6726bef6463d84f183f2b0ad1f99d4Jakub Hrozek state->id_ctx = talloc_get_type(ectx->pvt, struct ad_id_ctx);
9af86b9c936d07cff9d0c2054acde908749ea522Jakub Hrozek state->realm = dp_opt_get_cstring(state->id_ctx->ad_options->basic,
9af86b9c936d07cff9d0c2054acde908749ea522Jakub Hrozek DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed.\n");
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: %d(%s).\n",
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek tevent_req_set_callback(subreq, ad_enumeration_conn_done, req);
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozekad_enumeration_conn_done(struct tevent_req *subreq)
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek struct ad_enumeration_state *state = tevent_req_data(req,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek ret = sdap_id_op_connect_recv(subreq, &dp_error);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Backend is marked offline, retry later!\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Domain enumeration failed to connect to " \
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "LDAP server: (%d)[%s]\n", ret, strerror(ret));
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek subreq = ad_master_domain_send(state, state->ev,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "ad_master_domain_send failed.\n");
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek tevent_req_set_callback(subreq, ad_enumeration_master_done, req);
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozekad_enumeration_master_done(struct tevent_req *subreq)
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek struct ad_enumeration_state *state = tevent_req_data(req,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve master domain info\n");
9af86b9c936d07cff9d0c2054acde908749ea522Jakub Hrozek ret = sysdb_master_domain_add_info(state->sdom->dom, state->realm,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Cannot save master domain info\n");
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = ad_enum_sdom(req, state->sdom, state->id_ctx);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not enumerate domain %s\n", state->sdom->dom->name);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Execution will resume in ad_enumeration_done */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek struct ad_enumeration_state *state = tevent_req_data(req,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek if (dp_opt_get_bool(id_ctx->ad_options->basic, AD_ENABLE_GC)) {
dde2f0b4fcabc7093ddfcdda3dbacff00b82df46Jakub Hrozek /* Groups are searched for in LDAP, users in GC. Services (if present,
dde2f0b4fcabc7093ddfcdda3dbacff00b82df46Jakub Hrozek * which is unlikely in AD) from LDAP as well
dde2f0b4fcabc7093ddfcdda3dbacff00b82df46Jakub Hrozek subreq = sdap_dom_enum_ex_send(state, state->ev,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek /* The ptask API will reschedule the enumeration on its own on
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek * failure */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Failed to schedule enumeration, retrying later!\n");
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek tevent_req_set_callback(subreq, ad_enumeration_done, req);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekstatic errno_t ad_enum_cross_dom_members(struct sdap_options *opts,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek struct ad_enumeration_state *state = tevent_req_data(req,
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek /* Retry enumerating the same domain again, this time w/o
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek * connecting to GC
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek ret = ad_enum_sdom(req, state->sditer, state->id_ctx);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not retry domain %s\n", state->sditer->dom->name);
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek /* Execution will resume in ad_enumeration_done */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not enumerate domain %s\n", state->sditer->dom->name);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = ad_enum_sdom(req, state->sditer, state->sditer->pvt);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Could not enumerate domain %s\n",
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Execution will resume in ad_enumeration_done */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* No more subdomains to enumerate. Check if we need to fixup
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek * cross-domain membership
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* We did enumerate at least one subdomain. Walk the subdomains
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek * and fixup members for each of them
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = ad_enum_cross_dom_members(state->id_ctx->ad_options->id,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "Could not check cross-domain "
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek "memberships for %s, group memberships might be "
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "incomplete!\n", state->sdom->dom->name);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekstatic errno_t ad_group_extra_members(TALLOC_CTX *mem_ctx,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekstatic errno_t ad_group_add_member(struct sdap_options *opts,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek const char *member);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekad_enum_cross_dom_members(struct sdap_options *opts,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek filter = talloc_asprintf(tmp_ctx, "(%s=*)", SYSDB_NAME);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = sysdb_search_groups(tmp_ctx, dom, filter, attrs, &count, &msgs);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek for (i = 0; i < count; i++) {
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = ad_group_extra_members(tmp_ctx, msgs[i], dom, &group_only);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Failed to check extra members\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "No extra members\n");
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Group has extra members */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = ad_group_add_member(opts, dom, msgs[i]->dn, group_only[mi]);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "Failed to add [%s]: %s\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n");
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekad_group_stored_orig_members(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekad_group_extra_members(TALLOC_CTX *mem_ctx, const struct ldb_message *group,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek struct sss_domain_info *dom, char ***_group_only)
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek om = ldb_msg_find_element(group, SYSDB_ORIG_MEMBER);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "A group with no name!\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "Group %s has no original members\n", name);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek if (m == NULL || (m->num_values < om->num_values)) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Group %s has %d members but %d original members\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov name, m ? m->num_values : 0, om->num_values);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Get the list of originalDN attributes that are already
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek * linked to the group
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = ad_group_stored_orig_members(tmp_ctx, dom, group->dn,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not retrieve list of original members for %s\n",
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Get the list of original DN attributes the group had in AD */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek group_odn_list = sss_ldb_el_to_string_list(tmp_ctx, om);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Compare the two lists */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = diff_string_lists(tmp_ctx, discard_const(group_odn_list),
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not compare lists of members for %s\n", name);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek *_group_only = talloc_steal(mem_ctx, group_only);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekad_group_stored_orig_members(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Get all entries member element points to */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = sysdb_asq_search(tmp_ctx, dom, dn, NULL, SYSDB_MEMBER,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek odn_list = talloc_zero_array(tmp_ctx, char *, m_count + 1);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Get a list of their original DNs */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek for (i = 0; i < m_count; i++) {
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek odn = ldb_msg_find_attr_as_string(members[i], SYSDB_ORIG_DN, NULL);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "Member %s already in sysdb\n", odn);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* This member would be from a different domain */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "No matching domain for %s\n", member);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek mem_filter = talloc_asprintf(tmp_ctx, "(%s=%s)",
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = sysdb_search_entry(tmp_ctx, sd->dom->sysdb, base_dn,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "No member [%s] in sysdb\n", member);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "[%s] found in sysdb\n", member);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Search by orig DN returned %zd results!\n", msgs_count);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = sysdb_mod_group_member(group_domain, msgs[0]->dn, group_dn, SYSDB_MOD_ADD);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Could not add [%s] as a member of [%s]\n",
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic errno_t ad_get_account_domain_prepare_search(struct tevent_req *req);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic errno_t ad_get_account_domain_connect_retry(struct tevent_req *req);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic void ad_get_account_domain_connect_done(struct tevent_req *subreq);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic void ad_get_account_domain_posix_check_done(struct tevent_req *subreq);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic void ad_get_account_domain_search(struct tevent_req *req);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic void ad_get_account_domain_search_done(struct tevent_req *subreq);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic void ad_get_account_domain_evaluate(struct tevent_req *req);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek state->entry_type = data->entry_type & BE_REQ_TYPE_MASK;
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek state->attrs = talloc_array(state, const char *, 2);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek || state->entry_type == BE_REQ_USER_AND_GROUP) {
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek if (state->entry_type == BE_REQ_USER_AND_GROUP) {
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek /* The get-account-domain request only works with GC */
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek if (dp_opt_get_bool(id_ctx->ad_options->basic, AD_ENABLE_GC) == false) {
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek "Global catalog support is not enabled, "
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek "cannot locate the account domain\n");
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek state->sdom = sdap_domain_get(id_ctx->sdap_id_ctx->opts,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find sdap_domain\n");
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek /* Currently we only support locating the account domain
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek * if ID mapping is disabled. With ID mapping enabled, we can
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek * already shortcut the 'real' ID request
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek "No point in locating domain with GC if ID-mapping "
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek "is enabled\n");
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek ret = sss_filter_sanitize(state, data->filter_value, &state->clean_filter);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek "Cannot sanitize filter [%d]: %s\n", ret, sss_strerror(ret));
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek ret = ad_get_account_domain_prepare_search(req);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek /* FIXME - should gc_ctx always default to ignore_offline on creation
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek * time rather than setting the flag on first use?
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek state->op = sdap_id_op_create(state, id_ctx->gc_ctx->conn_cache);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek ret = ad_get_account_domain_connect_retry(req);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek /* TODO For backward compatibility we always return EOK to DP now. */
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic errno_t ad_get_account_domain_prepare_search(struct tevent_req *req)
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek struct ad_get_account_domain_state *state = tevent_req_data(req,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek state->search_bases = state->sdom->user_search_bases;
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek attr_name = state->sdap_id_ctx->opts->user_map[SDAP_AT_USER_UID].name;
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek objectclass = state->sdap_id_ctx->opts->user_map[SDAP_OC_USER].name;
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek state->search_bases = state->sdom->group_search_bases;
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek attr_name = state->sdap_id_ctx->opts->group_map[SDAP_AT_GROUP_GID].name;
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek objectclass = state->sdap_id_ctx->opts->group_map[SDAP_OC_GROUP].name;
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek "Unsupported request type %X\n",
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek "Unsupported filter type %X\n", state->filter_type);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek "(&(%s=%s)(objectclass=%s))",
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic errno_t ad_get_account_domain_connect_retry(struct tevent_req *req)
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek struct ad_get_account_domain_state *state = tevent_req_data(req,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek subreq = sdap_id_op_connect_send(state->op, state, &ret);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek tevent_req_set_callback(subreq, ad_get_account_domain_connect_done, req);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic void ad_get_account_domain_connect_done(struct tevent_req *subreq)
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek struct ad_get_account_domain_state *state = tevent_req_data(req,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek ret = sdap_id_op_connect_recv(subreq, &dp_error);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek /* If POSIX attributes have been requested with an AD server and we
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek * have no idea about POSIX attributes support, run a one-time check
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek state->sdap_id_ctx->srv_opts->posix_checked == false) {
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek tevent_req_set_callback(subreq, ad_get_account_domain_posix_check_done, req);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic void ad_get_account_domain_posix_check_done(struct tevent_req *subreq)
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek struct ad_get_account_domain_state *state = tevent_req_data(req,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek ret = sdap_gc_posix_check_recv(subreq, &has_posix);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek /* We can only finish the id_op on error as the connection
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek * is re-used by the real search
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek ret2 = sdap_id_op_done(state->op, ret, &dp_error);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek ret = ad_get_account_domain_connect_retry(req);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek state->sdap_id_ctx->srv_opts->posix_checked = true;
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek * If the GC has no POSIX attributes, there is nothing we can do.
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek * Return an error and let the responders disable the functionality
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek * from now on.
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek if (has_posix == false) {
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek "The Global Catalog has no POSIX attributes\n");
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic void ad_get_account_domain_search(struct tevent_req *req)
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek struct ad_get_account_domain_state *state = tevent_req_data(req,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek state->filter = sdap_combine_filters(state, state->base_filter,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek state->search_bases[state->base_iter]->filter);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek subreq = sdap_get_generic_send(state, state->ev, state->sdap_id_ctx->opts,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek dp_opt_get_int(state->sdap_id_ctx->opts->basic,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek tevent_req_set_callback(subreq, ad_get_account_domain_search_done, req);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic void ad_get_account_domain_search_done(struct tevent_req *subreq)
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek struct ad_get_account_domain_state *state = tevent_req_data(req,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek copied = sdap_steal_objects_in_dom(state->sdap_id_ctx->opts,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek /* Even though we search with an empty search base (=across all domains)
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek * the reason we iterate over search bases is that the search bases can
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek * also contain a filter which might restrict the IDs we find
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek /* There are more search bases to try */
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek /* No more searches, evaluate results */
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekstatic void ad_get_account_domain_evaluate(struct tevent_req *req)
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek struct ad_get_account_domain_state *state = tevent_req_data(req,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek ret = ad_get_account_domain_prepare_search(req);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Cannot retry search\n");
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ERR_NOT_FOUND, NULL);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek /* FIXME: If more than one entry was found, return error for now
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek * as the account requsts have no way of returning multiple
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek * messages back until we switch to the rdp_* requests
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek * from the responder side
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Multiple entries found, error!\n");
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ERANGE, NULL);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek /* Exactly one entry was found */
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek obj_dom = sdap_get_object_domain(state->sdap_id_ctx->opts,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek "Could not match entry with domain!\n");
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ERR_NOT_FOUND, NULL);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek dp_reply_std_set(&state->reply, DP_ERR_DECIDE, EOK, obj_dom->name);
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozekerrno_t ad_get_account_domain_recv(TALLOC_CTX *mem_ctx,
095844d6b48aef483c33e5a369a405ae686e044dJakub Hrozek struct ad_get_account_domain_state *state = NULL;