ad: use default user_map when looking of host groups for GPO

Use the default AD user attribute map to lookup the group membership of the AD host object. This should help to avoid issues if user attributes are overwritten in the user attribute map. Resolves: #7590 Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Tomáš Halman <[email protected]>
SSSD · Sep 24, 2024 · 5f5077a · 5f5077a
1 parent 69f63f1
commit 5f5077a
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
@@ -49,6 +49,7 @@ struct ad_access_ctx {
     } gpo_map_type;
     hash_table_t *gpo_map_options_table;
     enum gpo_map_type gpo_default_right;
+    struct sdap_attr_map *host_attr_map;
 };
 
 struct tevent_req *

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
@@ -45,6 +45,7 @@
 #include "providers/ad/ad_common.h"
 #include "providers/ad/ad_domain_info.h"
 #include "providers/ad/ad_gpo.h"
+#include "providers/ad/ad_opts.h"
 #include "providers/ldap/sdap_access.h"
 #include "providers/ldap/sdap_async.h"
 #include "providers/ldap/sdap.h"
@@ -2241,13 +2242,25 @@ ad_gpo_connect_done(struct tevent_req *subreq)
               "trying with user search base.");
     }
 
+    if (state->access_ctx->host_attr_map == NULL) {
+        ret = sdap_copy_map(state->access_ctx,
+                            ad_2008r2_user_map, SDAP_OPTS_USER,
+                            &state->access_ctx->host_attr_map);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n");
+            goto done;
+        }
+    }
+
     subreq = groups_by_user_send(state, state->ev,
                                  state->access_ctx->ad_id_ctx->sdap_id_ctx,
                                  sdom, state->conn,
                                  search_bases,
                                  state->host_fqdn,
                                  BE_FILTER_NAME,
-                                 NULL, NULL, 0,
+                                 NULL,
+                                 state->access_ctx->host_attr_map,
+                                 SDAP_OPTS_USER,
                                  true,
                                  true);
     tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);