sssd/backport-ad-use-sAMAccountName-to-lookup-hosts.patch

From 67c11c2ebae843f7ddd6b857efa2e1f6449986f3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 7 Jun 2023 10:45:59 +0200
Subject: [PATCH] ad: use sAMAccountName to lookup hosts
To determine which GPOs apply to the host running SSSD the full DN of
the host object in AD is needed. To find this object we use the NetBIOS
name of the host which is stored in AD in the sAMAccountName attribute.
Using other attributes, e.g. if ldap_user_name is set to a different
attribute, will most probably cause a failure since those attributes are
not managed as expected for host objects. As a result sAMAccountName
should be hardcoded here to avoid issues.
Resolves: https://github.com/SSSD/sssd/issues/6766
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/67c11c2ebae843f7ddd6b857efa2e1f6449986f3
Conflict: NA
---
src/providers/ad/ad_gpo.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 4b7bbf182..44e9cbb27 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -59,6 +59,7 @@
#define AD_AT_DN "distinguishedName"
#define AD_AT_UAC "userAccountControl"
+#define AD_AT_SAMACCOUNTNAME "sAMAccountName"
#define AD_AT_CONFIG_NC "configurationNamingContext"
#define AD_AT_GPLINK "gPLink"
#define AD_AT_GPOPTIONS "gpOptions"
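Review bot: the new AD_AT_SAMACCOUNTNAME define has no comment saying that it deliberately bypasses the configurable attribute map, so a later cleanup could easily switch the host lookup back to user_map[SDAP_AT_USER_NAME].name. A one-line comment above the define, stating that host objects are always looked up by sAMAccountName regardless of ldap_user_name, would keep the reasoning from the commit message next to the code.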
@@ -2061,7 +2062,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
filter = talloc_asprintf(state,
"(&(objectclass=%s)(%s=%s))",
state->opts->user_map[SDAP_OC_USER].name,
- state->opts->user_map[SDAP_AT_USER_NAME].name,
+ AD_AT_SAMACCOUNTNAME,
sam_account_name);
if (filter == NULL) {
ret = ENOMEM;
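Review bot: the object class in this filter still comes from the configurable map, state->opts->user_map[SDAP_OC_USER].name, while only the name attribute is hardcoded. If a site overrides the user object class as well as ldap_user_name, the host lookup could still miss the computer object for the same reason given in the commit message, so it is worth either hardcoding the class too or stating why the mapped value is safe here. Separately, the visible lines do not show whether sam_account_name is escaped before being formatted into the filter with "(%s=%s)"; please confirm it is sanitised for LDAP filter syntax before this call.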
--
2.27.0