On Tue, 18 Apr 2017, Justin Stephenson wrote:
Hello,
I was working on a fix for BZ #1433835 (IPA clients fails to retrieve
groups with @-sign in the group name in an IPA-AD trust setup), where
the patch at the end of this email seems to work well, properly parsing
a double-qualified object, a group name like
'group@testing@domain':
[ipa_s2n_get_user_done] (0x0400): Received [4] groups in group list
from IPA Server
[ipa_s2n_get_user_done] (0x0400): [trustuser1@ad.jstephen].
[ipa_s2n_get_user_done] (0x0400): [customgroup@testing@ad.jstephen].
[ipa_s2n_get_user_done] (0x0400): [trustgroup@ad.jstephen].
[ipa_s2n_get_user_done] (0x0400): [domain users@ad.jstephen].
However, there is a subsequent group lookup extended operation which
fails on the IPA server when the NSS responder is unable to parse the
double-qualified name.
- Client
[ipa_s2n_get_list_step] (0x0400): Sending request_type:
[REQ_FULL_WITH_MEMBERS] for group [customgroup@testing@ad.jstephen].
[ipa_s2n_exop_send] (0x0400): Executing extended operation
[ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such
object(32), (null).
[ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
[ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
- Server
[nss_getby_name] (0x0400): Input name: customgroup@testing
[cache_req_set_plugin] (0x2000): CR #16: Setting "Group by name" plugin
[cache_req_send] (0x0400): CR #16: New request 'Group by name'
[cache_req_process_input] (0x0400): CR #16: Parsing input name
[customgroup@testing]
[sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
[sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
[sss_parse_inp_send] (0x0200): Requesting info for [(null)] from [testing]
[sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
[sss_dp_get_domains_send] (0x0400): Last call was too recent, nothing to do!
[sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
[sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
[sss_parse_inp_done] (0x0040): Unknown domain in [customgroup@testing]
[nss_protocol_done] (0x4000): Sending reply: error [1432158243]:
Domain not found
I suspect the input to the NSS responder received here is output from
the extdom plugin parsing the domain and object name.
I was looking for some advice on the best way to fix this, or if my
patch is doing things horribly wrong then just let me know please :)
I think we fixed the server-side (FreeIPA) part with Sumit in
https://github.com/freeipa/freeipa/commit/ee455f163d756a6b71db8e999365139cad46c6ad
If you want to handle it on the client side, make sure to use strrchr()
to search '@' from end of the string. This way you can handle multiple
'@' in a string as only the last one will be a real separator.
--
/ Alexander Bokovoy
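
Added example (not part of the original message, and not SSSD or FreeIPA code): a minimal C sketch of the strrchr() advice above, splitting a qualified name at the last '@' and, for contrast, at the first one. The helper name `split_fqname` and the buffer sizes are assumptions; the sample group name is the one from the client log quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an SSSD function. Splits "name@domain" into
 * caller-supplied buffers. With last_at != 0 the separator is the LAST '@'
 * (strrchr); with last_at == 0 it is the FIRST '@' (strchr), kept only for
 * contrast. Returns 0 on success, -1 when there is no separator, when either
 * part is empty, or when a part does not fit its buffer. */
static int split_fqname(const char *fq, int last_at,
                        char *name, size_t name_sz,
                        char *dom, size_t dom_sz)
{
    const char *sep = last_at ? strrchr(fq, '@') : strchr(fq, '@');
    size_t name_len, dom_len;

    if (sep == NULL)
        return -1;                          /* unqualified name */
    name_len = (size_t)(sep - fq);
    dom_len = strlen(sep + 1);
    if (name_len == 0 || dom_len == 0)
        return -1;                          /* "@dom" or "name@" */
    if (name_len >= name_sz || dom_len >= dom_sz)
        return -1;                          /* refuse to truncate */

    memcpy(name, fq, name_len);
    name[name_len] = '\0';
    memcpy(dom, sep + 1, dom_len + 1);      /* copies the terminating NUL */
    return 0;
}

int main(void)
{
    /* Group name taken from the client log quoted in the thread. */
    const char *fq = "customgroup@testing@ad.jstephen";
    char name[256], dom[256];

    /* First '@': the group name is cut short and the "domain" contains '@'. */
    if (split_fqname(fq, 0, name, sizeof(name), dom, sizeof(dom)) == 0)
        printf("first '@': name=[%s] domain=[%s]\n", name, dom);

    /* Last '@': the '@' inside the group name stays part of the name. */
    if (split_fqname(fq, 1, name, sizeof(name), dom, sizeof(dom)) == 0)
        printf("last  '@': name=[%s] domain=[%s]\n", name, dom);
    return 0;
}
```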