This patch changes the way subdomain users are stored in the database. The reason for changing the way we do it is that the sysdb code, before the subdomain patches were added, assumed a single domain per cache file. This assumption bled into many other interfaces, including the way users are read and returned in the nss responder, as well as potentially how hbac and sudo handle rules for checking if users are part of a rule.

In order to make sure subdomain users are univocally recognized as such, the safest way is to change how users are saved and always save subdomain users with fully qualified names. With this change we solve one of the most evident issues we currently have, where subdomain users are not listed fully qualified in group membership when they should be.

The side effect of this change is that cache files need to be removed if the admin decides to change the formatting string for representing fully qualified users. An action like this has many other important consequences on the system, so I think this limitation is perfectly reasonable.

This patch is in RFC status because I haven't dealt with database migrations to fix existing subdomain users. Would it be acceptable to simply remove all subdomain user entries on upgrade?

Also, in order to fix this important issue for 1.9, I have refrained from significantly changing sysdb interfaces or other code around domain manipulation. I think such changes are necessary in future. The consequence of not changing sysdb interfaces is that knowledge of the fact that subdomain users need to be fully qualified bleeds into various other callers. I hope I caught all the callers that need to know about this difference, but I haven't yet checked sudo related code, for example.

The patch is so far fully tested and allows password based logins with full HBAC checking. getent passwd/group commands also return the expected outputs.

Please review carefully.
Simo Sorce (1):
  Refactor the way subdomain accounts are saved

 src/db/sysdb_search.c            | 17 +++++++++++-
 src/providers/data_provider_be.c | 11 +++++++
 src/providers/ipa/ipa_s2n_exop.c | 54 +++++++++++++++++++++++++++++++++++--
 src/responder/nss/nsssrv_cmd.c   | 36 +++++++++++++++++++++++--
 src/responder/pac/pacsrv_cmd.c   | 15 +++++++++-
 src/responder/pac/pacsrv_utils.c | 52 ++++++++++++++++++++----------------
 src/responder/pam/pamsrv_cmd.c   | 18 ++++++++++++-
 src/util/domain_info_utils.c     |  2 +-
 8 files changed, 170 insertions(+), 35 deletions(-)

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel