Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GPO evaluation of primary group #7071

Closed
wants to merge 1 commit into from
Closed

GPO evaluation of primary group #7071

wants to merge 1 commit into from

Conversation

thalman
Copy link
Contributor

@thalman thalman commented Dec 6, 2023

When we are evaluating GPO the SID of user's primary group is not returned in the list. This patch converts the value of origPrimaryGroupGidNumber attribute back to SID and that SID is added to the list of SIDs before evaluating the GPO rules.

sumit-bose
sumit-bose reviewed Dec 8, 2023
View reviewed changes
src/providers/ad/ad_gpo.c Outdated
SYSDB_PRIMARY_GROUP_GIDNUM,
0);
if (orig_gid != 0) {
sss_idmap_unix_to_sid(idmap_ctx, orig_gid, &orig_gid_sid);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,

please check return code of sss_idmap_unix_to_sid() because it might return IDMAP_EXTERNAL. In this case there is no id-mapping for the domain the orig_gid is coming from but the values are stored in the group object. In this case you have to search the cache for the group with orig_gid and take the SID from the cached group.

bye,
Sumit

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for explanation/hint, will do

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@thalman thalman marked this pull request as draft December 11, 2023 07:53
@thalman thalman marked this pull request as ready for review December 12, 2023 09:35
sumit-bose
sumit-bose reviewed Dec 20, 2023
View reviewed changes
src/providers/ad/ad_gpo.c Outdated
return NULL;
}

sid = discard_const(ldb_msg_find_attr_as_string(msg, SYSDB_SID_STR, NULL));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,

I would prefer to avoid discard_const() even if this would mean to declare another variable like e.g. const char *tmp;.

bye,
Sumit

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

sumit-bose
sumit-bose approved these changes Dec 21, 2023
View reviewed changes
Copy link
Contributor

@sumit-bose sumit-bose left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,

thanks for the update, works for me, ACK.

bye,
Sumit

@alexey-tikhonov
Copy link
Member

To be rebased on the top of #7107

danlavu
danlavu approved these changes Jan 8, 2024
View reviewed changes
Copy link

@danlavu danlavu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested, working.

(2024-01-08 11:20:02): [be[domain-8l9d.com]] [ad_gpo_access_check] (0x0400): [RID#34] user_sid = S-1-5-21-1477186385-3752140279-2633954784-1122
(2024-01-08 11:20:02): [be[domain-8l9d.com]] [ad_gpo_access_check] (0x0400): [RID#34] group_sids[0] = S-1-5-21-1477186385-3752140279-2633954784-513
(2024-01-08 11:20:02): [be[domain-8l9d.com]] [ad_gpo_access_check] (0x0400): [RID#34] group_sids[1] = S-1-5-21-1477186385-3752140279-2633954784-1113
(2024-01-08 11:20:02): [be[domain-8l9d.com]] [ad_gpo_access_check] (0x0400): [RID#34] group_sids[2] = S-1-5-11

@alexey-tikhonov
Copy link
Member

@sumit-bose, @danlavu, please re-review after rebase.

@thalman
Copy link
Contributor Author

thalman commented Jan 9, 2024
edited
Loading

JFI, The rebase went smoothly, I had to add one more change when calling ad_gpo_get_sids.

@thalman
GPO evaluation of primary group
8fa54e6 
When we are evaluating GPO the SID of user's primary
group is not returned in the list. This patch converts
the value of origPrimaryGroupGidNumber attribute back to
SID and that SID is added to the list of SIDs before
evaluating the GPO rules.
thalman
thalman commented Jan 9, 2024
View reviewed changes
src/providers/ad/ad_gpo.c
Comment on lines +1159 to 1160
ret = ad_gpo_get_sids(tmp_ctx, host_fqdn, host_domain, idmap_ctx, &host_sid,
&host_group_sids, &host_group_size);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sumit-bose, @danlavu, This has been added since last review

@danlavu
Copy link

danlavu commented Jan 9, 2024
edited
Loading

Tested.
unpatched

(2024-01-09 14:36:28): [be[domain-2875.com]] [ad_gpo_access_check] (0x0400): [RID#6] CURRENT USER: (2024-01-09 14:36:28): [be[domain-2875.com]] [ad_gpo_access_check] (0x0400): [RID#6] user_sid = S-1-5-21-453157533-3668325555-2162132090-1121 (2024-01-09 14:36:28): [be[domain-2875.com]] [ad_gpo_access_check] (0x0400): [RID#6] group_sids[0] = S-1-5-21-453157533-3668325555-2162132090-513 (2024-01-09 14:36:28): [be[domain-2875.com]] [ad_gpo_access_check] (0x0400): [RID#6] group_sids[1] = S-1-5-11

patched

(2024-01-09 14:38:05): [be[domain-2875.com]] [ad_gpo_access_check] (0x0400): [RID#7] CURRENT USER: (2024-01-09 14:38:05): [be[domain-2875.com]] [ad_gpo_access_check] (0x0400): [RID#7] user_sid = S-1-5-21-453157533-3668325555-2162132090-1121 (2024-01-09 14:38:05): [be[domain-2875.com]] [ad_gpo_access_check] (0x0400): [RID#7] group_sids[0] = S-1-5-21-453157533-3668325555-2162132090-513 (2024-01-09 14:38:05): [be[domain-2875.com]] [ad_gpo_access_check] (0x0400): [RID#7] group_sids[1] = S-1-5-11 (2024-01-09 14:38:05): [be[domain-2875.com]] [ad_gpo_access_check] (0x0400): [RID#7] group_sids[2] = S-1-5-21-453157533-3668325555-2162132090-513

Working as expected, approved.

sumit-bose
sumit-bose approved these changes Jan 10, 2024
View reviewed changes
Copy link
Contributor

@sumit-bose sumit-bose left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,

rebased and updated version still works for me, ACK.

bye,
Sumit

@alexey-tikhonov alexey-tikhonov added the Ready to push Ready to push label Jan 10, 2024
@alexey-tikhonov
Copy link
Member

Pushed PR: #7071

  • master
    • ecb0c63 - GPO evaluation of primary group
  • sssd-2-9
    • 05de56d - GPO evaluation of primary group

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sumit-bose sumit-bose sumit-bose approved these changes

@danlavu danlavu danlavu approved these changes

Assignees

@danlavu danlavu

@sumit-bose sumit-bose

Labels
Pushed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@thalman @alexey-tikhonov @danlavu @sumit-bose