diff options
author | Stephen Gallagher <sgallagh@redhat.com> | 2013-07-11 10:06:09 -0400 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-07-29 12:59:17 +0200 |
commit | 1933ff17513da1d979dd22776a03478341ef5e6b (patch) | |
tree | 0114f3aacf1755a7b2372d3c319a29daadd0e5e2 /src/responder | |
parent | 680ddbdf8478f26cbb5efc9b712ea35714e089ba (diff) | |
download | sssd-1933ff17513da1d979dd22776a03478341ef5e6b.tar.gz sssd-1933ff17513da1d979dd22776a03478341ef5e6b.tar.bz2 sssd-1933ff17513da1d979dd22776a03478341ef5e6b.zip |
Netgroups should ignore the 'use_fully_qualified_names' setting
Netgroups often have memberNisNetgroup entries included in them
that will never process correctly if we require fully-qualified
names on the nested lookup. This patch alters the behavior of
netgroup lookups to check *all* domains for an unqualified
netgroup name, instead of only the ones not requiring fully-
qualified names.
https://fedorahosted.org/sssd/ticket/2013
Diffstat (limited to 'src/responder')
-rw-r--r-- | src/responder/nss/nsssrv_netgroup.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c index 12be52bf..773e5ecb 100644 --- a/src/responder/nss/nsssrv_netgroup.c +++ b/src/responder/nss/nsssrv_netgroup.c @@ -428,14 +428,12 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx) /* Check each domain for this netgroup name */ while (dom) { - /* if it is a domainless search, skip domains that require fully - * qualified names instead */ - while (dom && step_ctx->check_next && dom->fqnames) { - dom = get_next_domain(dom, false); - } - - /* No domains left to search */ - if (!dom) break; + /* Netgroups are a special case. We have to ignore the + * fully-qualified name requirement because memberNisNetgroup + * entries do not have fully-qualified components and we need + * to be able to always check them. So unlike the other + * maps, here we avoid skipping over fully-qualified domains. + */ if (dom != step_ctx->dctx->domain) { /* make sure we reset the check_provider flag when we check |