summaryrefslogtreecommitdiff
path: root/src/responder/nss
diff options
context:
space:
mode:
authorSimo Sorce <simo@redhat.com>2012-11-16 20:25:42 +0000
committerJakub Hrozek <jhrozek@redhat.com>2012-11-19 15:11:03 +0100
commit8d9e0547a864cee05ab36bc988300c0cfa986025 (patch)
treeced04540ea89289d1066df719cdd0fa5d80fca83 /src/responder/nss
parent868ae511c9b0d610f83acf8f01975e1f5e3c1aa3 (diff)
downloadsssd-8d9e0547a864cee05ab36bc988300c0cfa986025.tar.gz
sssd-8d9e0547a864cee05ab36bc988300c0cfa986025.tar.bz2
sssd-8d9e0547a864cee05ab36bc988300c0cfa986025.zip
Refactor the way subdomain accounts are saved
The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.
Diffstat (limited to 'src/responder/nss')
-rw-r--r--src/responder/nss/nsssrv_cmd.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index a453e593..db1efdd2 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -635,7 +635,7 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
dctx->domain = dom;
talloc_free(name);
- name = sss_get_cased_name(dctx, cmdctx->name, dom->case_sensitive);
+ name = sss_get_cased_name(cmdctx, cmdctx->name, dom->case_sensitive);
if (!name) return ENOMEM;
/* verify this user has not yet been negatively cached,
@@ -666,7 +666,9 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
return EIO;
}
- ret = sysdb_getpwnam(cmdctx, sysdb, name, &dctx->res);
+ /* if this is a subdomain we need to search for the fully qualified
+ * name in the database */
+ ret = sysdb_subdom_getpwnam(cmdctx, sysdb, name, &dctx->res);
if (ret != EOK) {
DEBUG(1, ("Failed to make request to our cache!\n"));
return EIO;
@@ -2204,7 +2206,9 @@ static int nss_cmd_getgrnam_search(struct nss_dom_ctx *dctx)
return EIO;
}
- ret = sysdb_getgrnam(cmdctx, sysdb, name, &dctx->res);
+ /* if this is a subdomain we need to search for the fully qualified
+ * name in the database */
+ ret = sysdb_subdom_getgrnam(cmdctx, sysdb, name, &dctx->res);
if (ret != EOK) {
DEBUG(1, ("Failed to make request to our cache!\n"));
return EIO;