Hello,

I was working on a fix for BZ # 1433835 (IPA clients fail to retrieve groups with an @-sign in the group name in an IPA-AD trust setup). The patch at the end of this email seems to parse a double-qualified object name such as 'group@testing@domain' properly:


[ipa_s2n_get_user_done] (0x0400): Received [4] groups in group list from IPA Server
[ipa_s2n_get_user_done] (0x0400): [trustuser1@ad.jstephen].
[ipa_s2n_get_user_done] (0x0400): [customgroup@testing@ad.jstephen].
[ipa_s2n_get_user_done] (0x0400): [trustgroup@ad.jstephen].
[ipa_s2n_get_user_done] (0x0400): [domain users@ad.jstephen].


However, a subsequent group lookup extended operation then fails on the IPA server, because the NSS responder there is unable to parse the double-qualified name.

  - Client

[ipa_s2n_get_list_step] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for group [customgroup@testing@ad.jstephen].
[ipa_s2n_exop_send] (0x0400): Executing extended operation
[ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
[ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
[ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.


   - Server

[nss_getby_name] (0x0400): Input name: customgroup@testing
[cache_req_set_plugin] (0x2000): CR #16: Setting "Group by name" plugin
[cache_req_send] (0x0400): CR #16: New request 'Group by name'
[cache_req_process_input] (0x0400): CR #16: Parsing input name [customgroup@testing]
[sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
[sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
[sss_parse_inp_send] (0x0200): Requesting info for [(null)] from [testing]
[sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
[sss_dp_get_domains_send] (0x0400): Last call was too recent, nothing to do!
[sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
[sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
[sss_parse_inp_done] (0x0040): Unknown domain in [customgroup@testing]
[nss_protocol_done] (0x4000): Sending reply: error [1432158243]: Domain not found


I suspect the input the NSS responder receives here is the output of the extdom plugin's parsing of the domain and object name.

I was looking for some advice on the best way to fix this, or if my patch is doing things horribly wrong then just let me know please :)


----------------------------


diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 2173db3..8bdc3f4 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -550,6 +550,68 @@ static errno_t get_extra_attrs(BerElement *ber, struct resp_attrs *resp_attrs)
     return EOK;
 }

+static errno_t ipa_s2n_parse_name(TALLOC_CTX *mem_ctx,
+                                  struct sss_domain_info *dom,
+                                  char *fq_name,
+                                  char **_domain,
+                                  char **_name)
+{
+    char *parsed_domain = NULL;
+    char *parsed_name = NULL;
+    char *mid_name = NULL;
+    char *real_domain = NULL;
+    char *real_name = NULL;
+    int ret;
+    TALLOC_CTX *tmp_ctx;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+        return ENOMEM;
+    }
+
+    ret = sss_parse_name(mem_ctx, dom->names, fq_name,
+                         &parsed_domain, &parsed_name);
+
+    /* Handle parsing double-qualified object name@something@domain */
+    if ((strchr(parsed_domain, '@')) != NULL) {
+        ret = sss_parse_internal_fqname(mem_ctx, parsed_domain,
+                                        &mid_name,
+                                        &real_domain);
+
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                    "Cannot parse internal name [%s]\n", fq_name);
+            ret = ENOMEM;
+            goto done;
+        }
+
+ real_name = talloc_asprintf(tmp_ctx, "%s@%s", parsed_name, mid_name);
+
+        if (!real_name) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                    "failed to format double-qualified name.\n");
+            ret = ENOMEM;
+            goto done;
+        }
+
+        if (fq_name != NULL && real_domain != NULL) {
+            parsed_domain = real_domain;
+            parsed_name = real_name;
+        }
+    }
+
+    *_domain = talloc_steal(mem_ctx, parsed_domain);
+    *_name = talloc_steal(mem_ctx, parsed_name);
+
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+
+    return ret;
+}
+
 static errno_t add_v1_user_data(struct sss_domain_info *dom,
                                 BerElement *ber,
                                 struct resp_attrs *attrs)
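Review bot: The return value of `sss_parse_name` at the top of `ipa_s2n_parse_name` is never checked before `strchr(parsed_domain, '@')` is evaluated, so a parse failure, or an unqualified name for which `parsed_domain` is left NULL (that contract is outside this hunk, but the later `fq_name != NULL && real_domain != NULL` test suggests NULL is expected), dereferences NULL inside the backend on data that arrived from the server's group list instead of being reported to the callers in the following hunks. Guard it with `if (ret != EOK) goto done;` and `if (parsed_domain != NULL && strchr(parsed_domain, '@') != NULL) {`. The failure branch after `sss_parse_internal_fqname` then overwrites the real error with `ret = ENOMEM;`, which hides the cause in the caller's "Cannot parse member" log line; dropping that assignment keeps the original code. The `real_name = talloc_asprintf(...)` line is indented to column 1 and should match the surrounding 8-space indent, and the `fq_name != NULL` condition on the assignment block looks like it was meant to be `real_name != NULL`, which is already guaranteed at that point. The two callers in the following hunks rely on this function returning a non-EOK `ret` rather than crashing, so the missing check applies to them as well.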
@@ -628,8 +690,9 @@ static errno_t add_v1_user_data(struct sss_domain_info *dom,
         parent_domain = get_domains_head(dom);

         for (c = 0, gc = 0; c < attrs->ngroups; c++) {
-            ret = sss_parse_name(attrs, dom->names, list[c],
-                                 &domain, &name);
+            ret = ipa_s2n_parse_name(attrs, dom, list[c],
+                                     &domain, &name);
+
             if (ret != EOK) {
                 DEBUG(SSSDBG_OP_FAILURE,
                         "Cannot parse member %s\n", list[c]);
@@ -675,7 +738,6 @@ done:
     ber_memfree(homedir);
     ber_memfree(shell);
     ber_memvfree((void **) list);
-
     return ret;
 }

@@ -712,8 +774,9 @@ static errno_t add_v1_group_data(BerElement *ber,
             }

             for (c = 0, mc=0; c < attrs->ngroups; c++) {
-                ret = sss_parse_name(attrs, dom->names, list[c],
-                                     &domain, &name);
+                ret = ipa_s2n_parse_name(attrs, dom, list[c],
+                                         &domain, &name);
+
                 if (ret != EOK) {
                     DEBUG(SSSDBG_OP_FAILURE,
                           "Cannot parse member %s\n", list[c]);
@@ -1180,8 +1243,10 @@ static errno_t ipa_s2n_get_list_step(struct tevent_req *req)
     switch (state->req_input.type) {
     case REQ_INP_NAME:

- ret = sss_parse_name(state, state->dom->names, state->list[state->list_idx],
-                             &domain_name, &short_name);
+        ret = ipa_s2n_parse_name(state, state->dom,
+                                state->list[state->list_idx],
+                                &domain_name, &short_name);
+
         if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s\n",
                                         state->list[state->list_idx],



Kind regards,
Justin Stephenson
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
