On ti, 18 huhti 2017, Justin Stephenson wrote:
> Hello,
>
> I was working on a fix for BZ # 1433835(IPA clients fails to retrieve
> groups with @-sign in the group name in an IPA-AD trust setup)
> where the
> patch at the end of this email seems to work well parsing a
> double-qualified object properly a group name like
> 'group@testing@domain'
>
>
> [ipa_s2n_get_user_done] (0x0400): Received [4] groups in group list
> from
> IPA Server
> [ipa_s2n_get_user_done] (0x0400): [trustuser1@ad.jstephen].
> [ipa_s2n_get_user_done] (0x0400): [customgroup@testing@ad.jstephen].
> [ipa_s2n_get_user_done] (0x0400): [trustgroup@ad.jstephen].
> [ipa_s2n_get_user_done] (0x0400): [domain users@ad.jstephen].
>
>
> However, there is a subsequent group lookup extended operation which
> fails on the IPA server when the NSS responder is unable to parse the
> double-qualified name.
>
> - Client
>
> [ipa_s2n_get_list_step] (0x0400): Sending request_type:
> [REQ_FULL_WITH_MEMBERS] for group [customgroup@testing@ad.jstephen].
> [ipa_s2n_exop_send] (0x0400): Executing extended operation
> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
> [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such
> object(32), (null).
> [ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
> [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
>
>
> - Server
>
> [nss_getby_name] (0x0400): Input name: customgroup@testing
> [cache_req_set_plugin] (0x2000): CR #16: Setting "Group by name"
> plugin
> [cache_req_send] (0x0400): CR #16: New request 'Group by name'
> [cache_req_process_input] (0x0400): CR #16: Parsing input name
> [customgroup@testing]
> [sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
> [sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
> [sss_parse_inp_send] (0x0200): Requesting info for [(null)] from
> [testing]
> [sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
> [sss_dp_get_domains_send] (0x0400): Last call was too recent,
> nothing to do!
> [sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
> [sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
> [sss_parse_inp_done] (0x0040): Unknown domain in [customgroup@testing]
> [nss_protocol_done] (0x4000): Sending reply: error [1432158243]:
> Domain
> not found
>
>
> I suspect the input to the NSS responder received here is output from
> the extdom plugin parsing the domain and object name.
>
> I was looking for some advice on the best way to fix this, or if my
> patch is doing things horribly wrong then just let me know please :)

I think we fixed the server side (FreeIPA) part with Sumit in
https://github.com/freeipa/freeipa/commit/ee455f163d756a6b71db8e999365139cad46c6ad
If you want to handle it on the client side, make sure to use strrchr()
to search for '@' from the end of the string. This way you can handle multiple
'@' characters in a string, as only the last one will be the real separator.
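The strrchr() approach from the reply, written out as an added example; this is not SSSD or FreeIPA code, and the function name split_fqname and the sample inputs are constructed for illustration. It splits a fully qualified name at the last '@' so that a group name containing '@' (like the 'customgroup@testing@ad.jstephen' entry in the logs above) keeps its full name, and it shows beside it what a first-'@' split (strchr) would produce instead. Empty name or domain parts and inputs with no separator are rejected rather than passed on as a bogus domain.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Copy a byte range into a fresh NUL-terminated string (avoids relying on
 * strndup, which needs a feature-test macro on some platforms). */
static char *copy_range(const char *start, size_t len)
{
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;
    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

/* Split "name@domain" at the LAST '@' (strrchr), so a name that itself
 * contains '@' is preserved intact.  Returns false and sets both outputs to
 * NULL when there is no separator or either side of it is empty.  Callers
 * free() both outputs on success. */
bool split_fqname(const char *input, char **name_out, char **domain_out)
{
    *name_out = NULL;
    *domain_out = NULL;
    if (input == NULL) return false;

    const char *sep = strrchr(input, '@');          /* last '@' wins */
    if (sep == NULL || sep == input || sep[1] == '\0') {
        return false;                               /* no sep, empty name, or empty domain */
    }

    *name_out = copy_range(input, (size_t)(sep - input));
    *domain_out = copy_range(sep + 1, strlen(sep + 1));
    if (*name_out == NULL || *domain_out == NULL) {
        free(*name_out);
        free(*domain_out);
        *name_out = *domain_out = NULL;
        return false;
    }
    return true;
}

/* The FIRST-'@' variant (strchr) kept only to show the failure mode: for a
 * double-qualified input it truncates the name and returns a non-existent
 * domain such as "testing@ad.jstephen". Not for production use. */
bool split_fqname_first_at(const char *input, char **name_out, char **domain_out)
{
    *name_out = NULL;
    *domain_out = NULL;
    if (input == NULL) return false;

    const char *sep = strchr(input, '@');
    if (sep == NULL || sep == input || sep[1] == '\0') return false;

    *name_out = copy_range(input, (size_t)(sep - input));
    *domain_out = copy_range(sep + 1, strlen(sep + 1));
    if (*name_out == NULL || *domain_out == NULL) {
        free(*name_out);
        free(*domain_out);
        *name_out = *domain_out = NULL;
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample inputs modelled on the group list in the thread. */
    const char *samples[] = {
        "trustuser1@ad.jstephen",
        "customgroup@testing@ad.jstephen",
        "domain users@ad.jstephen",
        "noseparator",
        "trailing@",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *name, *domain;
        if (split_fqname(samples[i], &name, &domain)) {
            printf("strrchr: [%s] -> name=[%s] domain=[%s]\n", samples[i], name, domain);
            free(name);
            free(domain);
        } else {
            printf("strrchr: [%s] -> rejected\n", samples[i]);
        }
        if (split_fqname_first_at(samples[i], &name, &domain)) {
            printf("strchr : [%s] -> name=[%s] domain=[%s]\n", samples[i], name, domain);
            free(name);
            free(domain);
        }
    }
    return 0;
}
```

Running it prints, for the double-qualified sample, name=[customgroup@testing] domain=[ad.jstephen] with the strrchr split, while the strchr variant yields name=[customgroup] domain=[testing@ad.jstephen], which is exactly the "Unknown domain in [customgroup@testing]" shape the server log shows when the wrong piece reaches the domain lookup.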