nss: use real primary gid if the value is overriden

SYSDB_PRIMARY_GROUP_GIDNUM contains original primary group id from AD
because any possible override may not be known at the time of storing
the user.

Now we try to lookup group by its originalADgidNumber and if it is found
we will replace the original id with real primary group id.

Steps to reproduce:
1. Enroll SSSD to IPA domain with AD trust
2. Add ID override to Domain Users `ipa idoverridegroup-add 'Default Trust View' "Domain Users@ad.vm" --gid=40000000`
3. On IPA server: Remove cache for the overrides to apply immediately and restart SSSD `sssctl cache-remove --stop --start`
4. On IPA server: Resolve user `id Administrator@ad.vm`

There will be visible both new and old gids without the patch.

Resolves:
https://pagure.io/SSSD/sssd/issue/4124

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 03bc962)

src/db/sysdb.h

@@ -208,6 +208,7 @@
 
 #define SYSDB_GRNAM_FILTER "(&("SYSDB_GC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
 #define SYSDB_GRGID_FILTER "(&("SYSDB_GC")("SYSDB_GIDNUM"=%lu))"
+#define SYSDB_GRORIGGID_FILTER "(&("SYSDB_GC")("ORIGINALAD_PREFIX SYSDB_GIDNUM"=%lu))"
 #define SYSDB_GRSID_FILTER "(&("SYSDB_GC")("SYSDB_SID_STR"=%s))"
 #define SYSDB_GRENT_FILTER "("SYSDB_GC")"
 #define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
@@ -974,6 +975,12 @@ int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
                               const char **attrs,
                               struct ldb_message **msg);
 
+int sysdb_search_group_by_origgid(TALLOC_CTX *mem_ctx,
+                                  struct sss_domain_info *domain,
+                                  gid_t gid,
+                                  const char **attrs,
+                                  struct ldb_message **msg);
+
 int sysdb_search_group_by_sid_str(TALLOC_CTX *mem_ctx,
                                   struct sss_domain_info *domain,
                                   const char *sid_str,

src/db/sysdb_ops.c

@@ -763,14 +763,13 @@ int sysdb_search_group_by_name(TALLOC_CTX *mem_ctx,
     return sysdb_search_by_name(mem_ctx, domain, name, SYSDB_GROUP, attrs, msg);
 }
 
-/* Please note that sysdb_search_group_by_gid() is not aware of MPGs. If MPG
- * support is needed either the caller must handle it or sysdb_getgrgid() or
- * sysdb_getgrgid_attrs() should be used. */
-int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
-                              struct sss_domain_info *domain,
-                              gid_t gid,
-                              const char **attrs,
-                              struct ldb_message **msg)
+static int
+sysdb_search_group_by_id(TALLOC_CTX *mem_ctx,
+                         struct sss_domain_info *domain,
+                         const char *filterfmt,
+                         gid_t gid,
+                         const char **attrs,
+                         struct ldb_message **msg)
 {
     TALLOC_CTX *tmp_ctx;
     const char *def_attrs[] = { SYSDB_NAME, SYSDB_GIDNUM, NULL };
@@ -791,7 +790,7 @@ int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
-    filter = talloc_asprintf(tmp_ctx, SYSDB_GRGID_FILTER, (unsigned long)gid);
+    filter = talloc_asprintf(tmp_ctx, filterfmt, (unsigned long)gid);
     if (!filter) {
         ret = ENOMEM;
         goto done;
@@ -822,6 +821,29 @@ int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
     return ret;
 }
 
+/* Please note that sysdb_search_group_by_gid() is not aware of MPGs. If MPG
+ * support is needed either the caller must handle it or sysdb_getgrgid() or
+ * sysdb_getgrgid_attrs() should be used. */
+int sysdb_search_group_by_gid(TALLOC_CTX *mem_ctx,
+                              struct sss_domain_info *domain,
+                              gid_t gid,
+                              const char **attrs,
+                              struct ldb_message **msg)
+{
+    return sysdb_search_group_by_id(mem_ctx, domain, SYSDB_GRGID_FILTER,
+                                    gid, attrs, msg);
+}
+
+int sysdb_search_group_by_origgid(TALLOC_CTX *mem_ctx,
+                                  struct sss_domain_info *domain,
+                                  gid_t gid,
+                                  const char **attrs,
+                                  struct ldb_message **msg)
+{
+    return sysdb_search_group_by_id(mem_ctx, domain, SYSDB_GRORIGGID_FILTER,
+                                    gid, attrs, msg);
+}
+
 int sysdb_search_group_by_sid_str(TALLOC_CTX *mem_ctx,
                                   struct sss_domain_info *domain,
                                   const char *sid_str,

src/responder/nss/nss_protocol_grent.c

@@ -317,6 +317,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
     struct sss_domain_info *domain;
     struct ldb_message *user;
     struct ldb_message *msg;
+    struct ldb_message *primary_group_msg;
     const char *posix;
     struct sized_string rawname;
     struct sized_string unique_name;
@@ -349,6 +350,19 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
                                                     SYSDB_PRIMARY_GROUP_GIDNUM,
                                                     0);
 
+    /* Try to get the real gid in case the primary group's gid was overriden. */
+    ret = sysdb_search_group_by_origgid(NULL, domain, orig_gid, NULL,
+                                        &primary_group_msg);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE, "Unable to find primary gid [%d]: %s\n",
+              ret, sss_strerror(ret));
+        /* Just continue with what we have. */
+    } else {
+        orig_gid = ldb_msg_find_attr_as_uint64(primary_group_msg, SYSDB_GIDNUM,
+                                               orig_gid);
+        talloc_free(primary_group_msg);
+    }
+
     /* If the GID of the original primary group is available but equal to the
      * current primary GID it must not be added. */
     orig_gid = orig_gid == gid ? 0 : orig_gid;