On Tue, Apr 18, 2017 at 12:09:51PM -0400, Justin Stephenson wrote:
> Hello,
>
> I was working on a fix for BZ # 1433835 (IPA clients fails to retrieve groups
> with @-sign in the group name in an IPA-AD trust setup) where the patch at
> the end of this email seems to work well parsing a double-qualified object
> properly, a group name like 'group@testing@domain'
>
> [ipa_s2n_get_user_done] (0x0400): Received [4] groups in group list from IPA Server
> [ipa_s2n_get_user_done] (0x0400): [trustuser1@ad.jstephen].
> [ipa_s2n_get_user_done] (0x0400): [customgroup@testing@ad.jstephen].
> [ipa_s2n_get_user_done] (0x0400): [trustgroup@ad.jstephen].
> [ipa_s2n_get_user_done] (0x0400): [domain users@ad.jstephen].
>
> However, there is a subsequent group lookup extended operation which fails
> on the IPA server when the NSS responder is unable to parse the
> double-qualified name.
>
> - Client
>
> [ipa_s2n_get_list_step] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for group [customgroup@testing@ad.jstephen].
> [ipa_s2n_exop_send] (0x0400): Executing extended operation
> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
> [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
> [ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
> [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
>
> - Server
>
> [nss_getby_name] (0x0400): Input name: customgroup@testing
> [cache_req_set_plugin] (0x2000): CR #16: Setting "Group by name" plugin
> [cache_req_send] (0x0400): CR #16: New request 'Group by name'
> [cache_req_process_input] (0x0400): CR #16: Parsing input name [customgroup@testing]
> [sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
> [sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
> [sss_parse_inp_send] (0x0200): Requesting info for [(null)] from [testing]
> [sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
> [sss_dp_get_domains_send] (0x0400): Last call was too recent, nothing to do!
> [sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
> [sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
> [sss_parse_inp_done] (0x0040): Unknown domain in [customgroup@testing]
> [nss_protocol_done] (0x4000): Sending reply: error [1432158243]: Domain not found
>
> I suspect the input to the NSS responder received here is output from the
> extdom plugin parsing the domain and object name.
>
> I was looking for some advice on the best way to fix this, or if my patch is
> doing things horribly wrong then just let me know please :)
(I'm travelling, pardon the brevity)

Check out https://bugzilla.redhat.com/show_bug.cgi?id=1383520, there is a regex that should be set on both the servers and the clients so that all sssd instances can parse the name. However, it's not clear if the IPA DS extdom plugin needs fixing as well to use strrchr('@') rather than strchr('@') to parse the names.

I think the best would be to change the default regex and fix the DS plugin and test this all well.

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
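Added example, not code from this thread or from SSSD/IPA: a C split of the group name from the client log above at the first '@' (strchr) versus the last '@' (strrchr), showing why only the latter recovers the domain of a double-qualified name such as customgroup@testing@ad.jstephen. The function names and buffer sizes are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Split "name@domain" into name and domain. With use_last set the split is
 * at the LAST '@' (strrchr); otherwise at the FIRST '@' (strchr), the
 * behaviour the reply suspects in the extdom plugin. Returns 0 on success,
 * -1 on no usable '@' or too-small buffers. Names are assumptions. */
int split_fqname(const char *input, int use_last,
                 char *name, size_t name_len,
                 char *domain, size_t domain_len)
{
    const char *sep = use_last ? strrchr(input, '@') : strchr(input, '@');
    if (sep == NULL || sep == input || sep[1] == '\0') {
        return -1;                      /* no '@', empty name or empty domain */
    }
    size_t nlen = (size_t)(sep - input);
    size_t dlen = strlen(sep + 1);
    if (nlen >= name_len || dlen >= domain_len) {
        return -1;                      /* would overflow the caller's buffers */
    }
    memcpy(name, input, nlen);
    name[nlen] = '\0';
    memcpy(domain, sep + 1, dlen + 1);  /* includes the terminating NUL */
    return 0;
}

/* Returns 1 if splitting input yields exactly exp_name/exp_domain, else 0. */
int split_matches(const char *input, int use_last,
                  const char *exp_name, const char *exp_domain)
{
    char name[256], domain[256];
    if (split_fqname(input, use_last, name, sizeof name, domain, sizeof domain) != 0) {
        return 0;
    }
    return strcmp(name, exp_name) == 0 && strcmp(domain, exp_domain) == 0;
}

int main(void)
{
    /* Constructed input: the group name from the client log in the thread. */
    const char *fq = "customgroup@testing@ad.jstephen";
    char name[256], domain[256];
    for (int use_last = 0; use_last <= 1; use_last++) {
        split_fqname(fq, use_last, name, sizeof name, domain, sizeof domain);
        printf("%-7s name=[%s] domain=[%s]\n",
               use_last ? "strrchr" : "strchr", name, domain);
    }
    return 0;
}
```

With strchr the domain comes out as "testing@ad.jstephen", which no configured domain matches; with strrchr the name "customgroup@testing" is looked up in "ad.jstephen".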