On Mon, Jul 29, 2013 at 11:37:20AM +0200, Pavel Březina wrote:
> On 07/22/2013 08:23 PM, Stephen Gallagher wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >On 07/15/2013 09:53 AM, Jakub Hrozek wrote:
> >>On Thu, Jul 11, 2013 at 10:08:36AM -0400, Stephen Gallagher wrote:
> >>>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >>>
> >>>Netgroups often have memberNisNetgroup entries included in them
> >>>that will never process correctly if we require fully-qualified
> >>>names on the nested lookup. This patch alters the behavior of
> >>>netgroup lookups to check *all* domains for an unqualified
> >>>netgroup name, instead of only the ones not requiring
> >>>fully-qualified names.
> >>>
> >>>Fixes https://fedorahosted.org/sssd/ticket/2013
> >> > >>>@@ -428,9 +428,12 @@ static errno_t lookup_netgr_step(struct > >>>setent_step_ctx *step_ctx) > >>> > >>>/* Check each domain for this netgroup name */ while (dom) { - > >>>/* if it is a domainless search, skip domains that require fully > >>>- * qualified names instead */ - while (dom && > >>>step_ctx->check_next && dom->fqnames) { + /* Netgroups are > >>>a special case. We have to ignore the + * fully-qualified > >>>name requirement because memberNisNetgroup + * entries do > >>>not have fully-qualified components and we need + * to be > >>>able to always check them. + */ + while (dom && > >>>step_ctx->check_next) { dom = get_next_domain(dom, false); } > >> > >>I don't think this is a correct change, the way I read the loop now > >>is: > >> > >>while(there is a domain and the search is domainless) { get next > >>domain } > >> > >>So essentially this just skips domains? I'm not able to call getent > >>netgroup for a netgroup that resides in a second domain in my > >>multidomain setup with this patch.. > > > >That's what I deserve for throwing together a simple patch just before > >going on vacation... > > > >Instead of removing the loop that skips over the fully-qualified > >domains, I only removed the part of the loop control that prevented it > >from skipping over non-fully-qualified ones. Thus, of course, it > >skipped ALL domains. > > > >The attached patch should get it right this time. > > Works well. Ack. > > However, I noticed that 'getent netgroup ng@DOMAIN' actually doesn't work at > all. It is not caused by this patch. I will send a patch shortly.
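Review bot: the inner loop `while (dom && step_ctx->check_next)` in lookup_netgr_step() no longer has any per-domain condition, so for a domainless lookup it keeps calling get_next_domain(dom, false) until dom is NULL and no domain is ever searched. The new comment says the fully-qualified name requirement is to be ignored for netgroups, which means the skip loop should be removed entirely rather than having `dom->fqnames` dropped from its condition, leaving the outer `while (dom)` loop to visit each domain in turn. A test that resolves an unqualified netgroup stored only in the second domain of a multi-domain configuration would catch this.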
Pushed to master and sssd-1-10