ehlo,

With attached patch, selinuxusermap should apply to ipa user and ad user. It should work with enabled and disabled use_fully_qualified_names. I was testing with IPA in server mode.

It is good to remove sssd generated entries from "semanage login" after each test.

LS
>From 40282cb008862500844614ed7e1c81b87b87dc9e Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik <lsleb...@redhat.com> Date: Mon, 1 Dec 2014 17:29:49 +0100 Subject: [PATCH] IPA: Do not append domain name to fq name Usernames from AD subdomains are already in fqdn we should not append domain name in this case. Resolves: https://fedorahosted.org/sssd/ticket/2512 --- src/providers/ipa/ipa_selinux.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c index 30ad6f0a7c4622ca5eb9a75ae4f57183543515c6..79eb9e82d10dbb4eba06bd5b19345f5978412f44 100644 --- a/src/providers/ipa/ipa_selinux.c +++ b/src/providers/ipa/ipa_selinux.c @@ -812,6 +812,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx, char *ptr; char *username; char *username_final; + char *domain_name = NULL; TALLOC_CTX *tmp_ctx; struct selinux_child_input *sci; @@ -849,8 +850,20 @@ selinux_child_setup(TALLOC_CTX *mem_ctx, } if (dom->fqnames) { - username_final = talloc_asprintf(tmp_ctx, dom->names->fq_fmt, - username, dom->name); + ret = sss_parse_name(tmp_ctx, dom->names, username, &domain_name, + NULL); + if (ret == EOK && domain_name != NULL) { + /* username is already a fully qualified name */ + username_final = username; + } else if ((ret == EOK && domain_name == NULL) + || ret == ERR_REGEX_NOMATCH) { + username_final = talloc_asprintf(tmp_ctx, dom->names->fq_fmt, + username, dom->name); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "sss_parse_name failed: [%d] %s", ret, sss_strerror(ret)); + goto done; + } if (username_final == NULL) { ret = ENOMEM; goto done; -- 2.1.0
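Review bot: The DEBUG call in the new else branch of the second hunk (@@ -849,8 +850,20 @@) uses the format string "sss_parse_name failed: [%d] %s" with no trailing newline; add "\n" at the end of the string. In the same hunk, domain_name is only tested against NULL and is never compared with a known domain, and ERR_REGEX_NOMATCH silently takes the same path as a short name and gets dom->name appended. A one-line comment above the else-if stating why a regex mismatch is treated as an unqualified name would make that intent explicit.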
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel