ipa: ignore objects from disabled domains on the client

It is possible that a domain is already disabled on an IPA client but still active on the server. This might happen e.g. if the version of SSSD running on the IPA server does not support disabled domains or if SSSD on the IPA client updates the domain data before the IPA server and sees a freshly disabled domain more early. As a result the server is still sending objects from disabled domains in the lists of group members or group memberships of a user. The client should just ignore those objects. Related to https://pagure.io/SSSD/sssd/issue/4078 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SSSD · Sep 20, 2019 · cc42fe7 · cc42fe7
1 parent 698e27d
commit cc42fe7
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
@@ -637,10 +637,16 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,
             }
 
             if (domain != NULL) {
-                obj_domain = find_domain_by_name(parent_domain, domain, true);
+                obj_domain = find_domain_by_name_ex(parent_domain, domain, true, SSS_GND_ALL_DOMAINS);
                 if (obj_domain == NULL) {
                     DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
                     return ENOMEM;
+                } else if (sss_domain_get_state(obj_domain) == DOM_DISABLED) {
+                    /* skipping objects from disabled domains */
+                    DEBUG(SSSDBG_TRACE_ALL,
+                          "Skipping object [%s] from disabled domain.\n",
+                          list[c]);
+                    continue;
                 }
             } else {
                 obj_domain = parent_domain;
@@ -656,6 +662,7 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,
             gc++;
         }
     }
+    attrs->ngroups = gc;
 
     tag = ber_peek_tag(ber, &ber_len);
     DEBUG(SSSDBG_TRACE_ALL, "BER tag is [%d]\n", (int) tag);
@@ -1567,11 +1574,15 @@ static errno_t process_members(struct sss_domain_info *domain,
     parent_domain = get_domains_head(domain);
 
     for (c = 0; members[c] != NULL; c++) {
-        obj_domain = find_domain_by_object_name(parent_domain, members[c]);
+        obj_domain = find_domain_by_object_name_ex(parent_domain, members[c],
+                                                   false, SSS_GND_ALL_DOMAINS);
         if (obj_domain == NULL) {
             DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_object_name failed.\n");
             ret = ENOMEM;
             goto done;
+        } else if (sss_domain_get_state(obj_domain) == DOM_DISABLED) {
+            /* skip members from disabled domains */
+            continue;
         }
 
         ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], attrs,