On 12/02/2014 12:05 PM, Lukas Slebodnik wrote:
ehlo,

With attached patch, selinuxusermap should apply to ipa user and ad user.
It should work with enabled and disabled use_fully_qualified_names.
I was testing with IPA in server mode.

It is good to remove sssd generated entries from "semanage login" after each
test.

LS


0001-IPA-Do-not-append-domain-name-to-fq-name.patch


From 40282cb008862500844614ed7e1c81b87b87dc9e Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Mon, 1 Dec 2014 17:29:49 +0100
Subject: [PATCH] IPA: Do not append domain name to fq name

Usernames from AD subdomains are already in fqdn we should not append
domain name in this case.

Resolves:
https://fedorahosted.org/sssd/ticket/2512
---
  src/providers/ipa/ipa_selinux.c | 17 +++++++++++++++--
  1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 30ad6f0a7c4622ca5eb9a75ae4f57183543515c6..79eb9e82d10dbb4eba06bd5b19345f5978412f44 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -812,6 +812,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
      char *ptr;
      char *username;
      char *username_final;
+    char *domain_name = NULL;
      TALLOC_CTX *tmp_ctx;
      struct selinux_child_input *sci;

@@ -849,8 +850,20 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
      }

      if (dom->fqnames) {
-        username_final = talloc_asprintf(tmp_ctx, dom->names->fq_fmt,
-                                         username, dom->name);
+        ret = sss_parse_name(tmp_ctx, dom->names, username, &domain_name,
+                             NULL);
+        if (ret == EOK && domain_name != NULL) {
+            /* username is already a fully qualified name */
+            username_final = username;
+        } else if ((ret == EOK && domain_name == NULL)
+                   || ret == ERR_REGEX_NOMATCH) {
+            username_final = talloc_asprintf(tmp_ctx, dom->names->fq_fmt,
+                                             username, dom->name);
               ^^^^^^^^^^^^^^^^^^^^^
Check here if the allocation was successful.

+        } else {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "sss_parse_name failed: [%d] %s", ret, sss_strerror(ret));
+            goto done;
+        }
          if (username_final == NULL) {
              ret = ENOMEM;
              goto done;
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
And not here.
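
Review bot: the DEBUG format string `"sss_parse_name failed: [%d] %s"` in the new else branch has no trailing `\n`, so the message will run into the next log line; append the newline. Separately, the `ret == EOK && domain_name != NULL` branch treats any name that parses with a domain component as already fully qualified without checking that `domain_name` refers to `dom` or one of its subdomains, so a name qualified with an unrelated suffix is handed through unchanged as `username_final`; consider validating the parsed domain before taking that branch.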

Michal

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
