63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose Sumit Bose <sbose@redhat.com>
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose Copyright (C) 2016 Red Hat
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose This program is free software; you can redistribute it and/or modify
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose it under the terms of the GNU General Public License as published by
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose the Free Software Foundation; either version 3 of the License, or
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose (at your option) any later version.
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose This program is distributed in the hope that it will be useful,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose but WITHOUT ANY WARRANTY; without even the implied warranty of
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose GNU General Public License for more details.
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose You should have received a copy of the GNU General Public License
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose along with this program. If not, see <http://www.gnu.org/licenses/>.
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bosestatic errno_t find_user_entry(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
0e238c259c066cf997aaa940d33d6bda96c15925Sumit Bose const char *user_attrs[] = { SYSDB_NAME, SYSDB_OBJECTCATEGORY,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "Missing arguments.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose if (ar->extra_value && strcmp(ar->extra_value, EXTRA_NAME_IS_UPN) == 0) {
afadeb1a530ff010a2f9a7552562576b843c874bJakub Hrozek ret = sysdb_search_user_by_upn(tmp_ctx, dom, false, ar->filter_value,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = sysdb_search_user_by_sid_str(tmp_ctx, dom, ar->filter_value,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = sysdb_search_object_by_uuid(tmp_ctx, dom, ar->filter_value,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose "Search by UUID returned multiple results.\n");
d62f7e644be93477fc869698f6eb3d55f08167a9Jakub Hrozek ret = sysdb_search_user_by_name(tmp_ctx, dom, ar->filter_value,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "Unsupported filter type [%d].\n",
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_TRACE_ALL, "No user found with filter [%s].\n",
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose "Looking up user in cache with filter [%s] failed.\n",
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Boseerrno_t check_if_pac_is_available(TALLOC_CTX *mem_ctx,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "find_user_entry failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose pac_expires = ldb_msg_find_attr_as_uint64(msg, SYSDB_PAC_BLOB_EXPIRE, 0);
e0815d726420f905898aac1ae67b380f712cc2c5Thorsten Scherf DEBUG(SSSDBG_TRACE_FUNC, "PAC available but too old.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "Missing parameter.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose err = sss_idmap_smb_sid_to_sid(idmap_ctx, info3->base.domain_sid,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "sss_idmap_smb_sid_to_sid failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose sid_str = talloc_zero_size(tmp_ctx, user_dom_sid_str_len + 12);
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose memcpy(sid_str, user_dom_sid_str, user_dom_sid_str_len);
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose primary_group_sid_str = talloc_strdup(tmp_ctx, sid_str);
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed [%d][%s].\n",
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed [%d][%s].\n",
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose err = sss_idmap_smb_sid_to_sid(idmap_ctx, info3->sids[s].sid,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "sss_idmap_smb_sid_to_sid failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed [%d][%s].\n",
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose sid_list = talloc_array(tmp_ctx, char *, num_sids);
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "new_hash_iter_context failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose sid_list[c] = talloc_strdup(sid_list, entry->key.str);
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose *_user_sid_str = talloc_steal(mem_ctx, user_sid_str);
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose *_primary_group_sid_str = talloc_steal(mem_ctx, primary_group_sid_str);
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Boseerrno_t ad_get_pac_data_from_user_entry(TALLOC_CTX *mem_ctx,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "Expected only one PAC blob.");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = ad_get_data_from_pac(tmp_ctx, el->values[0].data,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "get_data_from_pac failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose dummy = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "Missing user name in cache entry.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = ad_get_sids_from_pac(mem_ctx, idmap_ctx, logon_info,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "get_sids_from_pac failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bosestatic void ad_handle_pac_initgr_lookup_sids_done(struct tevent_req *subreq);
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bosestruct tevent_req *ad_handle_pac_initgr_send(TALLOC_CTX *mem_ctx,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose /* The following variables are currently unused because no sub-request
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * returns any of them. But they are needed to allow the same signature as
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * sdap_handle_acct_req_recv() from the alternative group-membership
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * lookup path. */
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = ad_get_pac_data_from_user_entry(state, msg,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "ad_get_pac_data_from_user_entry failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose /* In contrast to the tokenGroups based group-membership lookup the
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * PAC based approach can be used for sub-domains with id-mapping as
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * well because the PAC will only contain groups which are valid in
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * the target domain, i.e. it will not contain domain-local groups for
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * domains other than the user domain. This means the groups must not
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * be looked up immediately to determine if they are domain-local or
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * Additionally, as a temporary workaround until
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * https://fedorahosted.org/sssd/ticket/2522 is fixed, we also fetch
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * the group object if group members are ignored to avoid having to
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * transfer and retain members when the fake tokengroups object
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * without name is replaced by the full group object.
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_TRACE_ALL, "Running PAC processing with id-mapping.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = sdap_ad_save_group_membership_with_idmapping(state->username,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose "sdap_ad_save_group_membership_with_idmapping failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose /* this path only includes cache operation, so we can finish the
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose * request immediately */
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_TRACE_ALL, "Running PAC processing with external IDs.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = sdap_ad_tokengroups_get_posix_members(state, sdom->dom,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose "sdap_ad_tokengroups_get_posix_members failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose /* download missing SIDs */
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose subreq = sdap_ad_resolve_sids_send(state, be_ctx->ev, id_ctx,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "sdap_ad_resolve_sids_send failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose tevent_req_set_callback(subreq, ad_handle_pac_initgr_lookup_sids_done,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bosestatic void ad_handle_pac_initgr_lookup_sids_done(struct tevent_req *subreq)
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose req = tevent_req_callback_data(subreq, struct tevent_req);
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose state = tevent_req_data(req, struct ad_handle_pac_initgr_state);
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_CRIT_FAILURE, "Unable to resolve missing SIDs "
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = sdap_ad_tokengroups_get_posix_members(state, state->user_dom,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose "sdap_ad_tokengroups_get_posix_members failed [%d]: %s\n",
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose state->cached_groups = concatenate_string_array(state,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose /* update membership of existing groups */
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = sdap_ad_tokengroups_update_members(state->username,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_MINOR_FAILURE, "Membership update failed [%d]: %s\n",
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Boseerrno_t ad_handle_pac_initgr_recv(struct tevent_req *req,