@@ -305,6 +305,7 @@ simple_resolve_group_check(struct simple_resolve_group_state *state)
305305{
306306 errno_t ret ;
307307 struct ldb_message * group ;
308+ bool is_sid ;
308309 const char * group_attrs [] = { SYSDB_NAME , SYSDB_POSIX ,
309310 SYSDB_GIDNUM , NULL };
310311
@@ -327,6 +328,19 @@ simple_resolve_group_check(struct simple_resolve_group_state *state)
327328 return ERR_ACCOUNT_UNKNOWN ;
328329 }
329330
331+ /* if name is still a SID then we still need to resolve the group */
332+ ret = string_begins_with (state -> name , "S-1-5" , & is_sid );
333+ if (ret != EOK ) {
334+ DEBUG (SSSDBG_OP_FAILURE , "string_begins_with() failure\n" );
335+ return ret ;
336+ }
337+
338+ if (is_sid ) {
339+ DEBUG (SSSDBG_TRACE_LIBS , "POSIX group name [%s] still in SID format\n" ,
340+ state -> name );
341+ return EAGAIN ;
342+ }
343+
330344 if (is_posix (group ) == false) {
331345 DEBUG (SSSDBG_TRACE_LIBS ,
332346 "The group is still non-POSIX\n" );
@@ -587,11 +601,13 @@ static errno_t
587601simple_check_process_group (struct simple_check_groups_state * state ,
588602 struct ldb_message * group )
589603{
604+ errno_t ret ;
590605 const char * name ;
591606 const char * group_sid ;
592607 struct sss_domain_info * domain ;
593608 gid_t gid ;
594609 bool posix ;
610+ bool is_sid ;
595611
596612 posix = is_posix (group );
597613 name = ldb_msg_find_attr_as_string (group , SYSDB_NAME , NULL );
@@ -602,6 +618,9 @@ simple_check_process_group(struct simple_check_groups_state *state,
602618 return EINVAL ;
603619 }
604620
621+ DEBUG (SSSDBG_TRACE_FUNC , "Checking group [%s]: gid: [%u], posix: [%s]\n" ,
622+ name , gid , posix ? "True" : "False" );
623+
605624 if (gid == 0 ) {
606625 if (posix == true) {
607626 DEBUG (SSSDBG_CRIT_FAILURE , "POSIX group without GID\n" );
@@ -616,22 +635,34 @@ simple_check_process_group(struct simple_check_groups_state *state,
616635 if (!state -> group_names [state -> num_names ]) {
617636 return ENOMEM ;
618637 }
619- DEBUG (SSSDBG_TRACE_INTERNAL , "Adding group %s\n" , name );
638+ DEBUG (SSSDBG_TRACE_INTERNAL , "Adding non-POSIX group %s\n" , name );
620639 state -> num_names ++ ;
621640 return EOK ;
622641 }
623642
624643 /* Here are only groups with a name and gid. POSIX group can already
625- * be used, non-POSIX groups can be resolved */
644+ * be used, non-POSIX groups can be resolved. If name is still a SID
645+ * then dont add the group, it needs to be resolved */
626646 if (posix ) {
627- state -> group_names [state -> num_names ] = talloc_strdup (state -> group_names ,
628- name );
629- if (!state -> group_names [state -> num_names ]) {
630- return ENOMEM ;
647+ ret = string_begins_with (name , "S-1-5" , & is_sid );
648+ if (ret != EOK ) {
649+ DEBUG (SSSDBG_OP_FAILURE , "string_begins_with() failure\n" );
650+ return ret ;
651+ }
652+
653+ if (is_sid ) {
654+ DEBUG (SSSDBG_TRACE_FUNC , "POSIX group name [%s] still in SID format,"
655+ " need to resolve this\n" , name );
656+ } else {
657+ state -> group_names [state -> num_names ] = talloc_strdup (state -> group_names ,
658+ name );
659+ if (!state -> group_names [state -> num_names ]) {
660+ return ENOMEM ;
661+ }
662+ DEBUG (SSSDBG_TRACE_INTERNAL , "Adding POSIX group %s\n" , name );
663+ state -> num_names ++ ;
664+ return EOK ;
631665 }
632- DEBUG (SSSDBG_TRACE_INTERNAL , "Adding group %s\n" , name );
633- state -> num_names ++ ;
634- return EOK ;
635666 }
636667
637668 /* Try to get group SID and assign it a domain */
@@ -651,7 +682,7 @@ simple_check_process_group(struct simple_check_groups_state *state,
651682 /* It is a non-POSIX group with a GID. Needs resolving */
652683 state -> lookup_groups [state -> num_groups ].domain = domain ;
653684 state -> lookup_groups [state -> num_groups ].gid = gid ;
654- DEBUG (SSSDBG_TRACE_INTERNAL , "Adding GID %" SPRIgid "\n" , gid );
685+ DEBUG (SSSDBG_TRACE_INTERNAL , "Adding GID %" SPRIgid " to resolve list \n" , gid );
655686 state -> num_groups ++ ;
656687 return EOK ;
657688}
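Review bot: The SID test is a bare prefix match on the literal `"S-1-5"`, written out twice (in simple_resolve_group_check and in the `if (posix)` branch of simple_check_process_group), so a group whose real name merely begins with those characters would be treated as unresolved and, in the first function, answered with EAGAIN every time. Because this test decides which group names reach the access-list comparison, I would move it into one static helper with a comment stating exactly what is accepted as a SID, and use a stricter parse if the tree already has one. The new trace message prints gid with `%u` while the last hunk uses `SPRIgid`; `"gid: [%"SPRIgid"]"` would keep the format portable and consistent. The unchanged comment `/* It is a non-POSIX group with a GID. Needs resolving */` is now also reached by POSIX groups whose name is still a SID and should say so. How a group is handled when no SID or domain can be obtained is outside the visible hunks, so the behaviour of that fall-through path for the new case should be confirmed.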