fix: 96588-Group membership offline

No group membership was returned when a domain is offline. This will now ignore that domain and proceed to enumerate online domains. Related work items: #96588
BeyondTrust · Mar 26, 2019 · 107669e · 107669e
1 parent 5c4eb4f
commit 107669e
Show file tree

Hide file tree

Showing 7 changed files with 79 additions and 10 deletions.
diff --git a/lsass/server/auth-providers/ad-open-provider/adldap.c b/lsass/server/auth-providers/ad-open-provider/adldap.c
@@ -1479,7 +1479,7 @@ ADLdap_GetObjectGroupMembership(
 
     if ( dwError != LW_ERROR_DOMAIN_IS_OFFLINE )
     {
-        LSA_LOG_ERROR("Failed to group memberships of SID=%s. [error code:%u]",
+        LSA_LOG_ERROR("Failed to get group memberships for SID=%s. [error code:%u]",
                       pObject->pszObjectSid, dwError);
     }
 

diff --git a/lsass/server/auth-providers/ad-open-provider/batch.c b/lsass/server/auth-providers/ad-open-provider/batch.c
@@ -123,7 +123,9 @@ LsaAdBatchCheckDomainModeCompatibility(
         // Exclude all the external trusts in default mode to inherit the feature from 4.0
         // To be specific, external trust in default mode is not supported.
         dwError = LW_ERROR_INCOMPATIBLE_MODES_BETWEEN_TRUSTEDDOMAINS;
-        BAIL_ON_LSA_ERROR(dwError);
+
+        LSA_LOG_DEBUG("External trusts not supported in default cell mode for %s", pszDomainDnToUse ? pszDomainDnToUse : LSA_SAFE_LOG_STRING(pszDnsDomainName));
+        goto error;
     }
 
     if (!pszDomainDnToUse)
@@ -154,7 +156,10 @@ LsaAdBatchCheckDomainModeCompatibility(
     if (adMode != pState->pProviderData->adConfigurationMode)
     {
         dwError = LW_ERROR_INCOMPATIBLE_MODES_BETWEEN_TRUSTEDDOMAINS;
-        BAIL_ON_LSA_ERROR(dwError);
+
+        LSA_LOG_ERROR("Incompatible schema mode for %s (0x%X:0x%X)", LSA_SAFE_LOG_STRING(pszDomainDnToUse), (int)adMode, (int)pState->pProviderData->adConfigurationMode);
+
+        goto error;
     }
 
 cleanup:
@@ -269,6 +274,11 @@ LsaAdBatchGetDomainEntryType(
             LSA_LOG_DEBUG("Mark trusted domain %s [skip] due to incompatible modes from primary domain %s",
                            pszDomainName, pState->pProviderData->szDomain);
         }
+        if (dwError == LW_ERROR_DOMAIN_IS_OFFLINE)
+        {
+            dwError = 0;
+            LSA_LOG_DEBUG("Unable to determine compatibility for offline domain %s", pszDomainName);
+        }
         BAIL_ON_LSA_ERROR(dwError);
     }
 
@@ -973,6 +983,12 @@ LsaAdBatchSplitBIListToBIListPerDomain(
                 dwError = 0;
                 continue;
             }
+            if (LW_ERROR_DOMAIN_IS_OFFLINE == dwError)
+            {
+                LSA_LOG_DEBUG("Domain is offline for query item - '%s'", pBatchItem->pszSid);
+                dwError = 0;
+                continue;
+            }
             BAIL_ON_LSA_ERROR(dwError);
 
             LsaListInsertTail(pDomainList, &pFoundEntry->DomainEntryListLinks);
@@ -1061,6 +1077,12 @@ LsaAdBatchSplitQTListToBIListPerDomain(
                 dwError = 0;
                 continue;
             }
+            if (LW_ERROR_DOMAIN_IS_OFFLINE == dwError)
+            {
+                LSA_LOG_DEBUG("Domain is offline for query item - '%s'", ppszQueryList[i]);
+                dwError = 0;
+                continue;
+            }
             BAIL_ON_LSA_ERROR(dwError);
 
             LsaListInsertTail(pDomainList, &pFoundEntry->DomainEntryListLinks);
@@ -1635,6 +1657,8 @@ LsaAdBatchFindObjects(
     DWORD dwObjectsCount = 0;
     PLSA_SECURITY_OBJECT* ppObjects = NULL;
 
+    LSA_LOG_DEBUG("Batch Find Objects %d", (int)dwQueryItemsCount);
+
     dwError = LsaAdBatchFindObjectsInternal(
                    pContext,
                    QueryType,

diff --git a/lsass/server/auth-providers/ad-open-provider/lsadm.c b/lsass/server/auth-providers/ad-open-provider/lsadm.c
@@ -3272,8 +3272,7 @@ LsaDmpLdapOpen(
     // domain goes offline, not when the machine goes globally offline).
     if (LsaDmpIsDomainOffline(hDmState, pszDnsDomainName, bUseGc))
     {
-        dwError = LW_ERROR_DOMAIN_IS_OFFLINE;
-        BAIL_ON_LSA_ERROR(dwError);
+        LSA_LOG_DEBUG("Domain %s is offline", LSA_SAFE_LOG_STRING(pszDnsDomainName));
     }
 
     LsaDmpAcquireMutex(hDmState->pMutex);

diff --git a/lsass/server/auth-providers/ad-open-provider/memcache.c b/lsass/server/auth-providers/ad-open-provider/memcache.c
@@ -999,6 +999,9 @@ MemCacheFindUserByName(
     if (dwError == ERROR_NOT_FOUND)
     {
         dwError = LW_ERROR_NOT_HANDLED;
+
+        LSA_LOG_DEBUG("User cache entry for %s not found", pszKey);
+        goto error;
     }
     BAIL_ON_LSA_ERROR(dwError);
 
@@ -1058,6 +1061,9 @@ MemCacheFindUserById(
     if (dwError == ERROR_NOT_FOUND)
     {
         dwError = LW_ERROR_NOT_HANDLED;
+
+        LSA_LOG_DEBUG("User cache entry for id %lu not found", (unsigned long)uid);
+        goto error;
     }
     BAIL_ON_LSA_ERROR(dwError);
 
@@ -1143,6 +1149,9 @@ MemCacheFindGroupByName(
     if (dwError == ERROR_NOT_FOUND)
     {
         dwError = LW_ERROR_NOT_HANDLED;
+
+        LSA_LOG_DEBUG("Group cache entry for %s not found", pszKey);
+        goto error;
     }
     BAIL_ON_LSA_ERROR(dwError);
 
@@ -1199,6 +1208,9 @@ MemCacheFindGroupById(
     if (dwError == ERROR_NOT_FOUND)
     {
         dwError = LW_ERROR_NOT_HANDLED;
+
+        LSA_LOG_DEBUG("Group cache entry for id %lu not found", (unsigned long)gid);
+        goto error;
     }
     BAIL_ON_LSA_ERROR(dwError);
 

diff --git a/lsass/server/auth-providers/ad-open-provider/offline.c b/lsass/server/auth-providers/ad-open-provider/offline.c
@@ -628,6 +628,8 @@ AD_OfflineQueryMemberOfForSid(
     PLSA_SECURITY_OBJECT* ppUserObject = NULL;
     DWORD dwIndex = 0;
 
+    LSA_LOG_DEBUG("Offline query member of for SID=%s", LSA_SAFE_LOG_STRING(pszSid));
+
     dwError = AD_OfflineFindObjectsBySidList(
                   pContext->pState,
                   1,

diff --git a/lsass/server/auth-providers/ad-open-provider/online.c b/lsass/server/auth-providers/ad-open-provider/online.c
@@ -4037,6 +4037,7 @@ AD_OnlineQueryMemberOfForSid(
     )
 {
     DWORD dwError = LW_ERROR_SUCCESS;
+    DWORD dwErrorOnline = LW_ERROR_SUCCESS;
     size_t sMembershipCount = 0;
     PLSA_GROUP_MEMBERSHIP* ppMemberships = NULL;
     BOOLEAN bIsCacheOnlyMode = FALSE;
@@ -4051,6 +4052,8 @@ AD_OnlineQueryMemberOfForSid(
     PLSA_SECURITY_OBJECT pUserInfo = NULL;
     DWORD dwIndex = 0;
 
+    LSA_LOG_DEBUG("Online query member of for SID=%s", LSA_SAFE_LOG_STRING(pszSid));
+
     if (FindFlags & LSA_FIND_FLAGS_NSS)
     {
         bIsCacheOnlyMode = AD_GetNssUserMembershipCacheOnlyEnabled(pContext->pState);
@@ -4185,7 +4188,12 @@ AD_OnlineQueryMemberOfForSid(
                     pszGroupSid,
                     pGroupHash);
                 pszGroupSid = NULL;
-                BAIL_ON_LSA_ERROR(dwError);
+
+                // Record the AD_OnlineQueryMemberOfForSid error but continue as other domains may be online
+                if (dwError) 
+                {
+                   dwErrorOnline = dwError;
+                }
             }
         }
     }
@@ -4215,6 +4223,11 @@ AD_OnlineQueryMemberOfForSid(
         }
     }
 
+    if (dwErrorOnline) 
+    {
+       dwError = dwErrorOnline;
+    }
+
 cleanup:
 
     LW_SAFE_FREE_MEMORY(pszGroupSid);
@@ -4320,18 +4333,25 @@ AD_OnlineQueryMemberOf(
 
     for (dwIndex = 0; dwIndex < dwSidCount; dwIndex++)
     {
+        DWORD dwErrorOnline = 0;
         if (AdIsSpecialDomainSidPrefix(ppszSids[dwIndex]))
         {
             continue;
         }
 
-        dwError = AD_OnlineQueryMemberOfForSid(
+        dwErrorOnline = AD_OnlineQueryMemberOfForSid(
             pContext,
             FindFlags,
             ppszSids[dwIndex],
             pGroupHash);
-        BAIL_ON_LSA_ERROR(dwError);
+
+        // Record the AD_OnlineQueryMemberOfForSid error but continue as other domains may be online
+        if (dwErrorOnline) 
+        {
+           dwError = dwErrorOnline;
+        }
     }
+    BAIL_ON_LSA_ERROR(dwError);
 
     dwError = AD_MoveHashValuesToArray(
                     pGroupHash,

diff --git a/lsass/server/auth-providers/ad-open-provider/provider-main.c b/lsass/server/auth-providers/ad-open-provider/provider-main.c
@@ -5309,6 +5309,8 @@ AD_QueryMemberOf(
 {
     DWORD dwError = 0;
     PAD_PROVIDER_CONTEXT pContext = NULL;
+    DWORD dwGroupSidCount = 0;
+    PSTR* ppszGroupSids = NULL;
 
     dwError = AD_ResolveProviderState(hProvider, &pContext);
     BAIL_ON_LSA_ERROR(dwError);
@@ -5331,12 +5333,19 @@ AD_QueryMemberOf(
             FindFlags,
             dwSidCount,
             ppszSids,
-            pdwGroupSidCount,
-            pppszGroupSids);
+            &dwGroupSidCount,
+            &ppszGroupSids);
     }
 
     if (LW_ERROR_DOMAIN_IS_OFFLINE == dwError)
     {
+        if (ppszGroupSids)
+        {
+            LwFreeStringArray(ppszGroupSids, dwGroupSidCount);
+            dwGroupSidCount = 0;
+            ppszGroupSids = NULL;
+        }
+
         dwError = AD_OfflineQueryMemberOf(
             pContext,
             FindFlags,
@@ -5346,6 +5355,9 @@ AD_QueryMemberOf(
             pppszGroupSids);
     }
 
+    *pdwGroupSidCount = dwGroupSidCount;
+    *pppszGroupSids = ppszGroupSids;
+
 cleanup:
 
     AD_ClearProviderState(pContext);