gpo: use correct base dn #4840

sssd-bot · 2020-05-02T13:53:01Z

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3847

Created at 2018-10-08 13:32:10 by pbrezina
Assigned to avisiedo

GPO code in ad_gpo_connect_done converts domain name to base dn which may not be correct. For example if the domain name in sssd.conf is AD, computed base is then dc=AD, but the correct base dn is dc=ad,dc=vm. This makes gpo code to fail.

    /* Convert the domain name into domain DN */
    ret = domain_to_basedn(state, state->host_domain->name, &domain_dn);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE,
              "Cannot convert domain name [%s] to base DN [%d]: %s\n",
               state->host_domain->name, ret, sss_strerror(ret));
        goto done;
    }

    /* SDAP_OC_USER objectclass covers both users and computers */
    filter = talloc_asprintf(state,
                             "(&(objectclass=%s)(%s=%s))",
                             state->opts->user_map[SDAP_OC_USER].name,
                             state->opts->user_map[SDAP_AT_USER_NAME].name,
                             sam_account_name);
    if (filter == NULL) {
        ret = ENOMEM;
        goto done;
    }

    subreq = sdap_get_generic_send(state, state->ev, state->opts,
                                   sdap_id_op_handle(state->sdap_op),
                                   domain_dn, LDAP_SCOPE_SUBTREE,
^^^ correct base dn should be used
                                   filter, attrs, NULL, 0,
                                   state->timeout,
                                   false);

    if (subreq == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
        ret = EIO;
        goto done;
    }

    tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);

Comments

Comment from jhrozek at 2018-10-11 15:34:11

Metadata Update from @jhrozek:

Issue assigned to mzidek

Comment from pbrezina at 2020-03-13 15:00:51

Metadata Update from @pbrezina:

Issue tagged with: Future milestone, New hire task

Comment from pbrezina at 2020-04-14 13:40:21

Metadata Update from @pbrezina:

Issue assigned to avisiedo (was: mzidek)

The text was updated successfully, but these errors were encountered:

GPO code in ad_gpo_connect_done converts domain name to base dn which may not be correct. For example if the domain name in sssd.conf is AD, computed base is then dc=AD, but the correct base dn is dc=ad,dc=vm. This makes gpo code to fail. Resolves: SSSD#4840 SSSD#4840

Append unit test for basedn_to_domain function Resolves: SSSD#4840 SSSD#4840

GPO code in ad_gpo_connect_done converts domain name to base dn which may not be correct. For example if the domain name in sssd.conf is AD, computed base is then dc=AD, but the correct base dn is dc=ad,dc=vm. This makes gpo code to fail. Resolves: SSSD#4840 SSSD#4840

Fixing some trailing characters that I forgot into the change. Resolves: SSSD#4840

Fix whitespaces that remains into the changes yet. SSSD#4840

GPO code in ad_gpo_connect_done converts domain name to base dn which may not be correct. For example if the domain name in sssd.conf is AD, computed base is then dc=AD, but the correct base dn is dc=ad,dc=vm. This makes gpo code to fail. Resolves: SSSD#4840

Domain name in SSSD configuration does not have to be the same as the AD domain. GPO did not work in this case. Resolves: SSSD#4840

Domain name in SSSD configuration does not have to be the same as the AD domain. GPO did not work in this case. Steps to reproduce: 1. Join SSSD to an AD domain (ad.vm) 2. Create GPO that is applicable to the host/user 3. Name the SSSD domain differently ([domain/AD]) 4. Try to authenticate as AD user Resolves: SSSD#4840

pbrezina · 2020-09-03T11:09:04Z

Pushed PR: #5239

master
- a0792b3 - gpo: use correct base dn
- d79f593 - gpo: remove unused variable domain_dn

sssd-bot added Future milestone New hire task labels May 2, 2020

sssd-bot assigned avisiedo May 2, 2020

avisiedo added a commit to avisiedo/sssd that referenced this issue May 20, 2020

gpo: Use correct base dn

7147fb4

Append unit test for basedn_to_domain function Resolves: SSSD#4840 SSSD#4840

avisiedo mentioned this issue May 20, 2020

gpo: use correct base dn #5169

Closed

avisiedo added a commit to avisiedo/sssd that referenced this issue May 25, 2020

gpo: Use correct base dn

df9853f

Fixing some trailing characters that I forgot into the change. Resolves: SSSD#4840

avisiedo added a commit to avisiedo/sssd that referenced this issue May 26, 2020

gpo: Use correct base dn

c6670a8

Fix whitespaces that remains into the changes yet. SSSD#4840

pbrezina assigned pbrezina and unassigned avisiedo Jul 9, 2020

pbrezina added a commit to pbrezina/sssd that referenced this issue Jul 9, 2020

gpo: use correct base dn

d8622fa

Domain name in SSSD configuration does not have to be the same as the AD domain. GPO did not work in this case. Resolves: SSSD#4840

pbrezina mentioned this issue Jul 9, 2020

gpo: use correct base dn #5239

Closed

alexey-tikhonov linked a pull request Jul 9, 2020 that will close this issue

gpo: use correct base dn #5239

Closed

pbrezina removed Future milestone New hire task labels Jul 9, 2020

pbrezina closed this as completed in a0792b3 Sep 3, 2020

pbrezina added the Closed: Fixed Issue was closed as fixed. label Sep 3, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

gpo: use correct base dn #4840

gpo: use correct base dn #4840

sssd-bot commented May 2, 2020

pbrezina commented Sep 3, 2020