NEX-17849 idmap fails to lookup group SID in AD
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
@@ -19,10 +19,12 @@
* CDDL HEADER END
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
*/
/*
* Processes name2sid & sid2name batched lookups for a given user or
* computer from an AD Directory server using GSSAPI authentication
@@ -57,11 +59,11 @@
#define UIDNUMBER "uidNumber"
#define GIDNUMBER "gidNumber"
#define UIDNUMBERFILTER "(&(objectclass=user)(uidNumber=%u))"
#define GIDNUMBERFILTER "(&(objectclass=group)(gidNumber=%u))"
#define SANFILTER "(sAMAccountName=%s)"
-#define OBJSIDFILTER "(objectSid=%s)"
+#define OBJSIDFILTER "(|(objectSid=%s)(sIDHistory=%s))"
void idmap_ldap_res_search_cb(LDAP *ld, LDAPMessage **res, int rc,
int qid, void *argp);
/*
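Review bot: OBJSIDFILTER now carries two `%s` conversions that both expect the same hex-escaped binary SID, but nothing at the definition says so, and any caller still passing a single argument would be a format/argument mismatch that only `-Wformat` on the expanded literal would catch. A one-line comment above the define would pin the contract, e.g. `/* Two %s conversions: pass the hex-escaped binary SID twice (objectSid, then sIDHistory). */`. It is also worth stating in that comment that matching sIDHistory is deliberate, so the result handling must accept an entry whose objectSid differs from the SID being looked up.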
@@ -790,11 +792,11 @@
ret = adutils_txtsid2hexbinsid(sid, rid, &cbinsid[0], sizeof (cbinsid));
if (ret != 0)
return (IDMAP_ERR_SID);
/* Assemble filter */
- (void) asprintf(&filter, OBJSIDFILTER, cbinsid);
+ (void) asprintf(&filter, OBJSIDFILTER, cbinsid, cbinsid);
if (filter == NULL)
return (IDMAP_ERR_MEMORY);
retcode = idmap_batch_add1(state, filter, NULL, NULL, esidtype,
dn, attr, value, name, dname, NULL, NULL, sid_type, unixname,
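Review bot: The `(void) asprintf(&filter, OBJSIDFILTER, cbinsid, cbinsid);` line still discards asprintf's return value and relies on `filter` being set to NULL on failure, which is implementation-specific; the following `if (filter == NULL)` also depends on `filter` having been initialised before this point, which is outside the hunk. Checking the return directly is the portable form: `if (asprintf(&filter, OBJSIDFILTER, cbinsid, cbinsid) < 0)` followed by `return (IDMAP_ERR_MEMORY);`. Since `cbinsid` appears to be the hex-binary form produced by `adutils_txtsid2hexbinsid()` just above, substituting it twice should not introduce any LDAP filter-escaping concern, but that presumption is worth confirming against the helper. The enclosing function starts and ends outside this hunk.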