URL: https://github.com/SSSD/sssd/pull/311
Author: fidencio
 Title: #311: RESPONDER: Use fqnames as output when needed
Action: opened

PR body:
"""
As some regressions have been caused by not properly handling naming
conflicts when using shortnames, let's explicitly use fully qualified
names as output in the following situations:
- domain resolution order is set;
- a trusted domain has been using `use_fully_qualified_name = false`

In both cases we want to ensure that even handling shortnames as input,
the output will always be fully qualified.

Resolves:
https://pagure.io/SSSD/sssd/issue/3403

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>
"""

From c760c60c6f2a7bd8d2fde249cb5fd45dca179552 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Mon, 19 Jun 2017 09:05:00 +0200
Subject: [PATCH] RESPONDER: Use fqnames as output when needed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As some regressions have been caused by not properly handling naming
conflicts when using shortnames, let's explicitly use fully qualified
names as output in the following situations:
- domain resolution order is set;
- a trusted domain has been using `use_fully_qualified_name = false`

In both cases we want to ensure that even handling shortnames as input,
the output will always be fully qualified.

Resolves:
https://pagure.io/SSSD/sssd/issue/3403

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>
---
 src/confdb/confdb.h                               |  1 +
 src/db/sysdb_subdomains.c                         | 14 ++++++++++++++
 src/responder/common/cache_req/cache_req_domain.c | 14 ++++++++++++++
 src/tests/cmocka/test_nss_srv.c                   |  8 +++++++-
 src/util/usertools.c                              |  2 +-
 5 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 797353141..32a422155 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -291,6 +291,7 @@ struct sss_domain_info {
     bool enumerate;
     char **sd_enumerate;
     bool fqnames;
+    bool output_fqnames;
     bool mpg;
     bool ignore_group_members;
     uint32_t id_min;
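Review bot: The added `output_fqnames` member is undocumented, and its relationship to the neighbouring `fqnames` is the whole point of the change: `fqnames` keeps governing whether input names must be qualified, while `output_fqnames` only forces qualification of the names SSSD emits. A comment on the field would prevent the next maintainer from treating the two as interchangeable, e.g. `/* Always emit fully qualified names, even when shortname input is accepted (fqnames == false), so same-named users in different domains cannot be confused. */`. The struct definition continues outside this hunk.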
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index e2a4f7bb1..e896812ed 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -129,6 +129,13 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
     dom->mpg = mpg;
     dom->state = DOM_ACTIVE;
 
+    /* use fully qualified names as output in order to avoid causing
+     * conflicts with users who have the same name and either the
+     * shortname user resolution is enabled or the trusted domain has
+     * been explicitly set to use non-fully qualified names as input.
+     */
+    dom->output_fqnames = true;
+
     /* If the parent domain filters out group members, the subdomain should
      * as well if configured */
     inherit_option = string_in_list(CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS,
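Review bot: The added assignment sets `output_fqnames` unconditionally, but the comment above it describes two conditions ("either ... or"), so a reader will look for a check that is not there. Reword the comment to match the code, e.g. `/* Subdomains always emit fully qualified names: they may accept shortname input (fqnames == false or domain resolution order), and a shortname in the output would be indistinguishable from a same-named user in another domain. */`. Since this patch only ever sets the flag to true and nothing resets it, the comment can also say that the behaviour is not user-configurable. new_subdomain begins before this hunk.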
@@ -218,6 +225,13 @@ check_subdom_config_file(struct confdb_ctx *confdb,
           sd_conf_path, CONFDB_DOMAIN_FQ,
           subdomain->fqnames ? "TRUE" : "FALSE");
 
+    /* use fully qualified names as output in order to avoid causing
+     * conflicts with users who have the same name and either the
+     * shortname user resolution is enabled or the trusted domain has
+     * been explicitly set to use non-fully qualified names as input.
+     */
+    subdomain->output_fqnames = true;
+
     ret = EOK;
 done:
     talloc_free(tmp_ctx);
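Review bot: Setting `output_fqnames = true` right after the per-subdomain `use_fully_qualified_names` value has been read means an explicit `false` for a trusted domain now only relaxes input parsing, while output stays qualified; that is the intended fix, but it should be stated where the option is consumed and in the sssd.conf documentation, or an admin who set the option to get bare names will report this as a regression. A one-liner such as `/* use_fully_qualified_names = false only relaxes input parsing; output stays qualified to avoid cross-domain name collisions. */` would do. Also, new_subdomain already sets the same flag for every subdomain and nothing in this patch clears it, so this assignment looks redundant unless the domain object can be created through another path — worth confirming. check_subdom_config_file starts before this hunk.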
diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
index 8bf7fc6dc..bad4bf9a6 100644
--- a/src/responder/common/cache_req/cache_req_domain.c
+++ b/src/responder/common/cache_req/cache_req_domain.c
@@ -132,6 +132,12 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
                 cr_domain->fqnames =
                     cache_req_domain_use_fqnames(dom, enforce_non_fqnames);
 
+                /* when using the domain resolution order, using shortnames as
+                 * input is allowed by default. However, we really want to use
+                 * the fully qualified name as output in order to avoid
+                 * conflicts whith users who have the very same name. */
+                cr_domain->domain->output_fqnames = true;
+
                 DLIST_ADD_END(cr_domains, cr_domain,
                               struct cache_req_domain *);
                 break;
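Review bot: The flag is written to `cr_domain->domain`, i.e. the shared `struct sss_domain_info`, rather than to the per-list `cr_domain` the way `fqnames` is on the line just above, so its effect outlives this cache_req domain list. If the list is rebuilt later with a different or empty resolution order (the order is a parameter of this function, so presumably it can change), the domain stays in qualified-output mode because nothing ever writes false. Either reset the flag for every domain when the list is (re)built, or keep it next to `fqnames` on `cr_domain` and plumb it to the output path, so the state follows the current configuration. The enclosing function starts before this hunk and continues past it.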
@@ -155,6 +161,14 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
         cr_domain->fqnames =
             cache_req_domain_use_fqnames(dom, enforce_non_fqnames);
 
+        /* when using the domain resolution order, using shortnames as input
+         * is allowed by default. However, we really want to use the fully
+         * qualified name as output in order to avoid conflicts whith users
+         * who have the very same name. */
+        if (resolution_order != NULL) {
+            cr_domain->domain->output_fqnames = true;
+        }
+
         DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *);
     }
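Review bot: This assignment is guarded by `resolution_order != NULL` while the one in the earlier hunk of this function is not; if that earlier path is only reached while iterating an explicit resolution order the guard is implicit there, but the asymmetry deserves a comment, e.g. `/* the match loop above only runs when a resolution order is set */`. The comment also carries a typo, `whith` for `with`, duplicated from the earlier hunk. The enclosing function continues after this hunk.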
 
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 03b5bcc30..2e3d41f11 100644
--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -1648,7 +1648,7 @@ static int test_nss_getgrnam_members_check_subdom(uint32_t status,
     tmp_ctx = talloc_new(nss_test_ctx);
     assert_non_null(tmp_ctx);
 
-    if (nss_test_ctx->subdom->fqnames) {
+    if (nss_test_ctx->subdom->fqnames || nss_test_ctx->subdom->output_fqnames) {
         exp_members[0] = sss_tc_fqname(tmp_ctx,
                                        nss_test_ctx->subdom->names,
                                        nss_test_ctx->subdom,
@@ -1800,6 +1800,8 @@ void test_nss_getgrnam_mix_dom_nonfqnames(void **state)
 {
     errno_t ret;
 
+    nss_test_ctx->subdom->output_fqnames = false;
+
     ret = store_group_member(nss_test_ctx,
                              testgroup_members.gr_name,
                              nss_test_ctx->tctx->dom,
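Review bot: Forcing `output_fqnames = false` at the top of this test (and of the two sibling mix-dom tests below) restores the pre-patch expectation, so none of the existing getgrnam tests exercise the new default where a subdomain that accepts shortname input still emits qualified member names — which is exactly the collision scenario the PR sets out to fix. Add a counterpart test that leaves the flag at its default and asserts the subdomain member is returned in fully qualified form, so the `output_fqnames` branch in test_nss_getgrnam_members_check_subdom actually runs. Also, the flag is flipped on the shared `nss_test_ctx->subdom` and never restored; if the fixture is reused across tests rather than rebuilt by the setup function, later tests silently inherit the false value. test_nss_getgrnam_mix_dom_nonfqnames continues past this hunk.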
@@ -1918,6 +1920,8 @@ void test_nss_getgrnam_mix_dom_fqdn_nonfqnames(void **state)
 {
     errno_t ret;
 
+    nss_test_ctx->subdom->output_fqnames = false;
+
     ret = store_group_member(nss_test_ctx,
                              testgroup_members.gr_name,
                              nss_test_ctx->tctx->dom,
@@ -2037,6 +2041,8 @@ void test_nss_getgrnam_mix_subdom_nonfqnames(void **state)
 {
     errno_t ret;
 
+    nss_test_ctx->subdom->output_fqnames = false;
+
     ret = store_group_member(nss_test_ctx,
                              testsubdomgroup.gr_name,
                              nss_test_ctx->subdom,
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 5dfe6d776..83131da1c 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -867,7 +867,7 @@ int sss_output_fqname(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
-    if (domain->fqnames) {
+    if (domain->output_fqnames || domain->fqnames) {
         output_name = sss_tc_fqname(tmp_ctx, domain->names,
                                     domain, output_name);
         if (output_name == NULL) {
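Review bot: The new condition makes `sss_output_fqname` qualify the name whenever `output_fqnames` is set, but any other output path that decides the format by testing `domain->fqnames` directly is left as is and would still emit a bare shortname for a trusted-domain user, reopening the ambiguity between same-named users in different domains that this patch exists to close. Please check the responders for other `->fqnames` tests on output paths and route them through this function or the same disjunction. The function's header comment (outside this hunk) should also state the new contract, e.g. `/* Qualify the name if the domain requires qualified input (fqnames) or is flagged to always emit qualified output (output_fqnames). */`. sss_output_fqname starts before this hunk and continues after it.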