author | Stephen Gallagher <sgallagh@redhat.com> | 2013-07-11 10:06:09 -0400
---|---|---
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-07-29 12:59:17 +0200
commit | 1933ff17513da1d979dd22776a03478341ef5e6b |
tree | 0114f3aacf1755a7b2372d3c319a29daadd0e5e2 /src |
parent | 680ddbdf8478f26cbb5efc9b712ea35714e089ba |

Netgroups should ignore the 'use_fully_qualified_names' setting

Netgroups often have memberNisNetgroup entries included in them
that will never process correctly if we require fully-qualified
names on the nested lookup. This patch alters the behavior of
netgroup lookups to check *all* domains for an unqualified
netgroup name, instead of only the ones not requiring fully-
qualified names.

https://fedorahosted.org/sssd/ticket/2013

Diffstat (limited to 'src')
-rw-r--r-- | src/man/sssd.conf.5.xml | 7
-rw-r--r-- | src/responder/nss/nsssrv_netgroup.c | 14
2 files changed, 13 insertions, 8 deletions
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 4f01794d..31150a6a 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -1213,6 +1213,13 @@ override_homedir = /home/%u passwd test@LOCAL</command> would. </para> <para> + NOTE: This option has no effect on netgroup + lookups due to their tendency to include nested + netgroups without qualified names. For netgroups, + all domains will be searched when an unqualified + name is requested. + </para> + <para> Default: FALSE </para> </listitem> diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c index 12be52bf..773e5ecb 100644 --- a/src/responder/nss/nsssrv_netgroup.c +++ b/src/responder/nss/nsssrv_netgroup.c @@ -428,14 +428,12 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx) /* Check each domain for this netgroup name */ while (dom) { - /* if it is a domainless search, skip domains that require fully - * qualified names instead */ - while (dom && step_ctx->check_next && dom->fqnames) { - dom = get_next_domain(dom, false); - } - - /* No domains left to search */ - if (!dom) break; + /* Netgroups are a special case. We have to ignore the + * fully-qualified name requirement because memberNisNetgroup + * entries do not have fully-qualified components and we need + * to be able to always check them. So unlike the other + * maps, here we avoid skipping over fully-qualified domains. + */ if (dom != step_ctx->dctx->domain) { /* make sure we reset the check_provider flag when we check |
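
Review bot: The NOTE added to src/man/sssd.conf.5.xml says that all domains are searched for an unqualified netgroup name, but it does not say which result is used when the same netgroup name exists in more than one domain. Netgroups commonly feed access decisions, so an administrator who set use_fully_qualified_names to keep domains apart needs to know how a collision resolves. Suggest adding one sentence on the search order and on whether the first match is returned.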
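
Review bot: In the lookup_netgr_step hunk of src/responder/nss/nsssrv_netgroup.c, the removed skip was conditioned on `step_ctx->check_next && dom->fqnames`, so dropping it changes every domainless netgroup request, not only the nested memberNisNetgroup lookups that the new comment gives as the reason. The comment should state that top-level unqualified requests are now also checked against domains that require fully-qualified names, and "fully-qualified domains" would read more clearly as "domains that require fully-qualified names". The diffstat lists only the man page and this file, so no test accompanies the change; a case that resolves an unqualified netgroup from a domain with fqnames set would pin the new behaviour.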