nss: fix getsidbyname for IPA user-private-groups #5608
Generally LGTM, just a few minor questions. Also I think a commit message needs to be simplified to better reflect what this is about. I have to go via full BZ description to get it.
I think use-case description together with this if - else if - else possible variants and when they may happen could be useful (user_sid == NULL + group_sid == NULL etc.).
Use case from source bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1837090):
Result of this PR build deployed:
Currently the getsidbyname request does not work properly for IPA users due to the way IPA user-private-groups are handled by SSSD. With this patch two different cases are handled.

The first is about the default automatic user-private-groups where the group is a managed object. In this case there will be a user and a group object with the same name in the cache which will both be found by the lookup by name. Since only the user object will have a SID we can return this SID for the request.

The second case is the manual creation of a user and a group with UID and GIDs so that the group is a user-private group. Here the user and the group object will both get a different SID assigned since they are independent objects. In this case, both objects have a SID and the UID and GID of the user and the GID of the group all have the same numerical value, the SID of the user is returned.

Resolves: SSSD#5607

:fixes: Fix getsidbyname issues with IPA users with a user-private-group
0adfd78 to f968767
Hi, thank you for your comments, I updated the commit message to make it (hopefully) more clear. bye,
Thank you for the commit message update and answers for my questions, LGTM.
Currently the getsidbyname request does not work properly for IPA users
due to the way IPA user-private-groups are handled by SSSD. With this
patch two different cases, the default automatic user-private-groups
where the group is a managed object and manual creation of a user and a
group with UID and GIDs so that the group is a user-private group, are
covered.
Resolves: #5607
:fixes: Fix getsidbyname issues with IPA users with a user-private-group
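
The two cases from the commit message, written out as a decision function in C. This is an added example, not code from the SSSD patch; `struct entry`, `pick_sid` and returning NULL for every other combination are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified view of one cache object found by a lookup by name. */
struct entry {
    const char *sid;  /* NULL when the object has no SID */
    uint32_t uid;     /* users only; unused (0) for a group object */
    uint32_t gid;     /* primary GID of a user, or the GID of a group */
};

/* Pick the SID to return when a name matches both a user and a group object.
 * Returning NULL when neither case applies (no unambiguous answer) is an
 * assumption of this example, not behaviour stated on the page. */
const char *pick_sid(const struct entry *user, const struct entry *group)
{
    if (user == NULL || group == NULL) {
        return NULL;
    }
    /* Case 1: managed user-private group, only the user object has a SID. */
    if (user->sid != NULL && group->sid == NULL) {
        return user->sid;
    }
    /* Case 2: independent objects, both with a SID; the group is treated as
     * user-private only if UID, user GID and group GID are all equal. */
    if (user->sid != NULL && group->sid != NULL
            && user->uid == user->gid && user->gid == group->gid) {
        return user->sid;
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample data, not taken from a real IPA domain. */
    struct entry user    = {"S-1-5-21-1-2-3-1001", 1001, 1001};
    struct entry managed = {NULL, 0, 1001};
    struct entry manual  = {"S-1-5-21-1-2-3-2001", 0, 1001};
    struct entry other   = {"S-1-5-21-1-2-3-2002", 0, 5000};
    const struct entry *groups[] = {&managed, &manual, &other};
    const char *labels[] = {"managed UPG", "manual UPG", "unrelated group"};

    for (size_t i = 0; i < 3; i++) {
        const char *sid = pick_sid(&user, groups[i]);
        printf("%s: %s\n", labels[i], sid != NULL ? sid : "(no SID returned)");
    }
    return 0;
}
```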