effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher Stephen Gallagher <sgallagh@redhat.com>
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher Copyright (C) 2012 Red Hat
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher This program is free software; you can redistribute it and/or modify
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher it under the terms of the GNU General Public License as published by
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher the Free Software Foundation; either version 3 of the License, or
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher (at your option) any later version.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher This program is distributed in the hope that it will be useful,
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher but WITHOUT ANY WARRANTY; without even the implied warranty of
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher GNU General Public License for more details.
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher You should have received a copy of the GNU General Public License
effcbdb12c7ef892f1fd92a745cb33a08ca4ba30Stephen Gallagher along with this program. If not, see <http://www.gnu.org/licenses/>.
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek if (dp_opt_get_bool(ad_options->basic, AD_ENABLE_GC) == false) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_IMPORTANT_INFO, "POSIX attributes were requested "
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek "but are not present on the server side. Global Catalog "
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "lookups will be disabled\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not turn off GC support\n");
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek /* Not fatal */
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozekstatic errno_t ad_handle_acct_info_step(struct tevent_req *req);
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozekstatic void ad_handle_acct_info_done(struct tevent_req *subreq);
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek req = tevent_req_create(mem_ctx, &state, struct ad_handle_acct_info_state);
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek if (sss_domain_get_state(sdom->dom) == DOM_INACTIVE) {
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek /* Lookup in progress */
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozekad_handle_acct_info_step(struct tevent_req *req)
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek struct ad_handle_acct_info_state *state = tevent_req_data(req,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = check_if_pac_is_available(state, state->sdom->dom,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose /* evaluate PAC */
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose subreq = ad_handle_pac_initgr_send(state, state->ctx->be,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose DEBUG(SSSDBG_OP_FAILURE, "ad_handle_pac_initgr_send failed.\n");
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose /* Fall through if there is no PAC or any other error */
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose subreq = sdap_handle_acct_req_send(state, state->ctx->be,
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek tevent_req_set_callback(subreq, ad_handle_acct_info_done, req);
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozekad_handle_acct_info_done(struct tevent_req *subreq)
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek struct ad_handle_acct_info_state *state = tevent_req_data(req,
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = ad_handle_pac_initgr_recv(subreq, &dp_error, &err, &sdap_err);
63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4Sumit Bose ret = sdap_handle_acct_req_recv(subreq, &dp_error, &err, &sdap_err);
d67a80baf0bdc888297d3587c98f8a12d4827ebcLukas Slebodnik && state->conn[state->cindex]->ignore_mark_offline) {
d67a80baf0bdc888297d3587c98f8a12d4827ebcLukas Slebodnik /* This is a special case: GC does not work.
d67a80baf0bdc888297d3587c98f8a12d4827ebcLukas Slebodnik * We need to Fall back to ldap
42bc7cb28858f8affa5bc7586f8d39b3afe4c387Lukas Slebodnik /* if GC was not used dp error should be set */
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek /* Ret is only ENOENT or ERR_NO_POSIX now. Try the next connection */
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek /* No additional search in progress. Save the last
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek * error status, we'll be returning it.
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek /* No more connections */
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek /* Another lookup in progress */
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek /* Deactivate subdomain on lookup errors instead of going
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek * offline completely.
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek * This is a stopgap, until our failover is per-domain,
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek * not per-backend. Unfortunately, we can't rewrite the error
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek * code on some reported codes only, because sdap_id_op code
64d4b1e5fd4a3c99ef8d8fef6ad0db52c5152c1cJakub Hrozek * encapsulated the failover as well..
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozekad_handle_acct_info_recv(struct tevent_req *req,
5546876b121d674077e93fe908f3a602de8ec31fJakub Hrozek struct ad_handle_acct_info_state *state = tevent_req_data(req,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinaget_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
3d29430867cf92b2d71afa95abb679711231117cPavel Březina struct sss_domain_info *dom, struct dp_id_data *ar)
008e1ee835602023891ac45408483d87f41e4d5cSumit Bose case BE_REQ_INITGROUPS: /* init groups for user */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina clist = ad_gc_conn_list(mem_ctx, ad_ctx, dom);
72ae534f5aef6d2e5d3f2f51299aede5abf9687eJakub Hrozek /* Requests for other object should only contact LDAP by default */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina clist = ad_ldap_conn_list(mem_ctx, ad_ctx, dom);
4cde267bec52ae1723a125d19439a5c75b47ebb7Pavel Březinastatic bool ad_account_can_shortcut(struct be_ctx *be_ctx,
76da70d5a5b5b05b926840d7692a31915d3ca8ebPavel Březina struct sss_domain_info *domain = be_ctx->domain;
76da70d5a5b5b05b926840d7692a31915d3ca8ebPavel Březina if (!sdap_idmap_domain_has_algorithmic_mapping(idmap_ctx, domain->name,
76da70d5a5b5b05b926840d7692a31915d3ca8ebPavel Březina /* convert value to ID */
4cde267bec52ae1723a125d19439a5c75b47ebb7Pavel Březina DEBUG(SSSDBG_MINOR_FAILURE, "Unable to convert filter value to "
76da70d5a5b5b05b926840d7692a31915d3ca8ebPavel Březina /* convert the ID to its SID equivalent */
76da70d5a5b5b05b926840d7692a31915d3ca8ebPavel Březina err = sss_idmap_unix_to_sid(idmap_ctx->map, id, &sid);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "Mapping ID [%s] to SID failed: "
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "[%s]\n", filter_value, idmap_error_string(err));
76da70d5a5b5b05b926840d7692a31915d3ca8ebPavel Březina /* fall through */
0f1ca83d9a87953e6e44f94e5948f1675b4adda2Lukas Slebodnik DEBUG(SSSDBG_OP_FAILURE, "Invalid domain for SID:%s\n", csid);
76da70d5a5b5b05b926840d7692a31915d3ca8ebPavel Březina if (strcasecmp(req_dom->name, filter_domain) != 0) {
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinastatic void ad_account_info_handler_done(struct tevent_req *subreq);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinaad_account_info_handler_send(TALLOC_CTX *mem_ctx,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
40bc389bc79bc41429b5a92d5ce75955f8eefaf5Jakub Hrozek DEBUG(SSSDBG_TRACE_LIBS, "Skipping enumeration on demand\n");
76da70d5a5b5b05b926840d7692a31915d3ca8ebPavel Březina /* Try to shortcut if this is ID or SID search and it belongs to
76da70d5a5b5b05b926840d7692a31915d3ca8ebPavel Březina * other domain range than is in ar->domain. */
4cde267bec52ae1723a125d19439a5c75b47ebb7Pavel Březina shortcut = ad_account_can_shortcut(be_ctx, sdap_id_ctx->opts->idmap_ctx,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "This ID is from different domain\n");
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina if (strcasecmp(data->domain, be_ctx->domain->name) != 0) {
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina /* Subdomain request, verify subdomain. */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina domain = find_domain_by_name(be_ctx->domain, data->domain, true);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina /* Determine whether to connect to GC, LDAP or try both. */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina clist = get_conn_list(state, id_ctx, domain, data);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina sdom = sdap_domain_get(sdap_id_ctx->opts, domain);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina subreq = ad_handle_acct_info_send(state, data, sdap_id_ctx,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina tevent_req_set_callback(subreq, ad_account_info_handler_done, req);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina /* TODO For backward compatibility we always return EOK to DP now. */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinastatic void ad_account_info_handler_done(struct tevent_req *subreq)
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina req = tevent_req_callback_data(subreq, struct tevent_req);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina state = tevent_req_data(req, struct ad_account_info_handler_state);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina ret = ad_handle_acct_info_recv(subreq, &dp_error, &err_msg);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina /* TODO For backward compatibility we always return EOK to DP now. */
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina dp_reply_std_set(&state->reply, dp_error, ret, err_msg);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březinaerrno_t ad_account_info_handler_recv(TALLOC_CTX *mem_ctx,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina struct ad_account_info_handler_state *state = NULL;
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina state = tevent_req_data(req, struct ad_account_info_handler_state);
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozekstatic void ad_enumeration_conn_done(struct tevent_req *subreq);
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozekstatic void ad_enumeration_master_done(struct tevent_req *subreq);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekstatic errno_t ad_enum_sdom(struct tevent_req *req, struct sdap_domain *sd,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozekstatic void ad_enumeration_done(struct tevent_req *subreq);
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek req = tevent_req_create(mem_ctx, &state, struct ad_enumeration_state);
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek ectx = talloc_get_type(pvt, struct ldap_enum_ctx);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Cannot retrieve ldap_enum_ctx!\n");
f8407faaeb6726bef6463d84f183f2b0ad1f99d4Jakub Hrozek state->id_ctx = talloc_get_type(ectx->pvt, struct ad_id_ctx);
9af86b9c936d07cff9d0c2054acde908749ea522Jakub Hrozek state->realm = dp_opt_get_cstring(state->id_ctx->ad_options->basic,
9af86b9c936d07cff9d0c2054acde908749ea522Jakub Hrozek DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed.\n");
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: %d(%s).\n",
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek tevent_req_set_callback(subreq, ad_enumeration_conn_done, req);
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozekad_enumeration_conn_done(struct tevent_req *subreq)
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek struct ad_enumeration_state *state = tevent_req_data(req,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek ret = sdap_id_op_connect_recv(subreq, &dp_error);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Backend is marked offline, retry later!\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Domain enumeration failed to connect to " \
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "LDAP server: (%d)[%s]\n", ret, strerror(ret));
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek subreq = ad_master_domain_send(state, state->ev,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "ad_master_domain_send failed.\n");
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek tevent_req_set_callback(subreq, ad_enumeration_master_done, req);
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozekad_enumeration_master_done(struct tevent_req *subreq)
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek struct ad_enumeration_state *state = tevent_req_data(req,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve master domain info\n");
9af86b9c936d07cff9d0c2054acde908749ea522Jakub Hrozek ret = sysdb_master_domain_add_info(state->sdom->dom, state->realm,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Cannot save master domain info\n");
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = ad_enum_sdom(req, state->sdom, state->id_ctx);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not enumerate domain %s\n", state->sdom->dom->name);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Execution will resume in ad_enumeration_done */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek struct ad_enumeration_state *state = tevent_req_data(req,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek if (dp_opt_get_bool(id_ctx->ad_options->basic, AD_ENABLE_GC)) {
dde2f0b4fcabc7093ddfcdda3dbacff00b82df46Jakub Hrozek /* Groups are searched for in LDAP, users in GC. Services (if present,
dde2f0b4fcabc7093ddfcdda3dbacff00b82df46Jakub Hrozek * which is unlikely in AD) from LDAP as well
dde2f0b4fcabc7093ddfcdda3dbacff00b82df46Jakub Hrozek subreq = sdap_dom_enum_ex_send(state, state->ev,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek /* The ptask API will reschedule the enumeration on its own on
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek * failure */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Failed to schedule enumeration, retrying later!\n");
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek tevent_req_set_callback(subreq, ad_enumeration_done, req);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekstatic errno_t ad_enum_cross_dom_members(struct sdap_options *opts,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
74802794554e0f87d1354b6788f1719cd7d80a6cJakub Hrozek struct ad_enumeration_state *state = tevent_req_data(req,
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek /* Retry enumerating the same domain again, this time w/o
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek * connecting to GC
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek ret = ad_enum_sdom(req, state->sditer, state->id_ctx);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not retry domain %s\n", state->sditer->dom->name);
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek /* Execution will resume in ad_enumeration_done */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not enumerate domain %s\n", state->sditer->dom->name);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = ad_enum_sdom(req, state->sditer, state->sditer->pvt);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Could not enumerate domain %s\n",
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Execution will resume in ad_enumeration_done */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* No more subdomains to enumerate. Check if we need to fixup
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek * cross-domain membership
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* We did enumerate at least one subdomain. Walk the subdomains
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek * and fixup members for each of them
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = ad_enum_cross_dom_members(state->id_ctx->ad_options->id,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "Could not check cross-domain "
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek "memberships for %s, group memberships might be "
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "incomplete!\n", state->sdom->dom->name);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekstatic errno_t ad_group_extra_members(TALLOC_CTX *mem_ctx,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekstatic errno_t ad_group_add_member(struct sdap_options *opts,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek const char *member);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekad_enum_cross_dom_members(struct sdap_options *opts,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek filter = talloc_asprintf(tmp_ctx, "(%s=*)", SYSDB_NAME);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = sysdb_search_groups(tmp_ctx, dom, filter, attrs, &count, &msgs);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek for (i = 0; i < count; i++) {
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = ad_group_extra_members(tmp_ctx, msgs[i], dom, &group_only);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Failed to check extra members\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "No extra members\n");
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Group has extra members */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = ad_group_add_member(opts, dom, msgs[i]->dn, group_only[mi]);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "Failed to add [%s]: %s\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n");
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekad_group_stored_orig_members(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekad_group_extra_members(TALLOC_CTX *mem_ctx, const struct ldb_message *group,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek struct sss_domain_info *dom, char ***_group_only)
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek om = ldb_msg_find_element(group, SYSDB_ORIG_MEMBER);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "A group with no name!\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "Group %s has no original members\n", name);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek if (m == NULL || (m->num_values < om->num_values)) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Group %s has %d members but %d original members\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov name, m ? m->num_values : 0, om->num_values);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Get the list of originalDN attributes that are already
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek * linked to the group
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = ad_group_stored_orig_members(tmp_ctx, dom, group->dn,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not retrieve list of original members for %s\n",
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Get the list of original DN attributes the group had in AD */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek group_odn_list = sss_ldb_el_to_string_list(tmp_ctx, om);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Compare the two lists */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = diff_string_lists(tmp_ctx, discard_const(group_odn_list),
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Could not compare lists of members for %s\n", name);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek *_group_only = talloc_steal(mem_ctx, group_only);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozekad_group_stored_orig_members(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Get all entries member element points to */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = sysdb_asq_search(tmp_ctx, dom, dn, NULL, SYSDB_MEMBER,
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek odn_list = talloc_zero_array(tmp_ctx, char *, m_count + 1);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* Get a list of their original DNs */
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek for (i = 0; i < m_count; i++) {
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek odn = ldb_msg_find_attr_as_string(members[i], SYSDB_ORIG_DN, NULL);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "Member %s already in sysdb\n", odn);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek /* This member would be from a different domain */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "No matching domain for %s\n", member);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek mem_filter = talloc_asprintf(tmp_ctx, "(%s=%s)",
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = sysdb_search_entry(tmp_ctx, sd->dom->sysdb, base_dn,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "No member [%s] in sysdb\n", member);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "[%s] found in sysdb\n", member);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Search by orig DN returned %zd results!\n", msgs_count);
b4ffa4d19e912740af6df3c1a4fabcea69729885Jakub Hrozek ret = sysdb_mod_group_member(group_domain, msgs[0]->dn, group_dn, SYSDB_MOD_ADD);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Could not add [%s] as a member of [%s]\n",