authorStephen Gallagher <sgallagh@redhat.com>2013-07-11 10:06:09 -0400
committerJakub Hrozek <jhrozek@redhat.com>2013-07-29 12:59:17 +0200
commit1933ff17513da1d979dd22776a03478341ef5e6b (patch)
tree0114f3aacf1755a7b2372d3c319a29daadd0e5e2
parent680ddbdf8478f26cbb5efc9b712ea35714e089ba (diff)
Netgroups should ignore the 'use_fully_qualified_names' setting
Netgroups often contain memberNisNetgroup entries that can never be resolved if the nested lookup requires fully-qualified names. This patch changes netgroup lookups so that an unqualified netgroup name is checked against *all* domains, instead of only those that do not require fully-qualified names. https://fedorahosted.org/sssd/ticket/2013
-rw-r--r--src/man/sssd.conf.5.xml7
-rw-r--r--src/responder/nss/nsssrv_netgroup.c14
2 files changed, 13 insertions, 8 deletions
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 4f01794d..31150a6a 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1213,6 +1213,13 @@ override_homedir = /home/%u
passwd test@LOCAL</command> would.
</para>
<para>
+ NOTE: This option has no effect on netgroup
+ lookups due to their tendency to include nested
+ netgroups without qualified names. For netgroups,
+ all domains will be searched when an unqualified
+ name is requested.
+ </para>
+ <para>
Default: FALSE
</para>
</listitem>
diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c
index 12be52bf..773e5ecb 100644
--- a/src/responder/nss/nsssrv_netgroup.c
+++ b/src/responder/nss/nsssrv_netgroup.c
@@ -428,14 +428,12 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
/* Check each domain for this netgroup name */
while (dom) {
- /* if it is a domainless search, skip domains that require fully
- * qualified names instead */
- while (dom && step_ctx->check_next && dom->fqnames) {
- dom = get_next_domain(dom, false);
- }
-
- /* No domains left to search */
- if (!dom) break;
+ /* Netgroups are a special case. We have to ignore the
+ * fully-qualified name requirement because memberNisNetgroup
+ * entries do not have fully-qualified components and we need
+ * to be able to always check them. So unlike the other
+ * maps, here we avoid skipping over fully-qualified domains.
+ */
if (dom != step_ctx->dctx->domain) {
/* make sure we reset the check_provider flag when we check