On 04/18/2017 02:20 PM, Alexander Bokovoy wrote:
On ti, 18 huhti 2017, Jakub Hrozek wrote:
On Tue, Apr 18, 2017 at 08:52:50PM +0300, Alexander Bokovoy wrote:
On ti, 18 huhti 2017, Justin Stephenson wrote:
> Hello,
>
> I was working on a fix for BZ # 1433835 (IPA clients fail to retrieve
> groups with @-sign in the group name in an IPA-AD trust setup), where the
> patch at the end of this email seems to work well, properly parsing a
> double-qualified object such as a group name like
> 'group@testing@domain'
>
>
> [ipa_s2n_get_user_done] (0x0400): Received [4] groups in group list from
> IPA Server
> [ipa_s2n_get_user_done] (0x0400): [trustuser1@ad.jstephen].
> [ipa_s2n_get_user_done] (0x0400): [customgroup@testing@ad.jstephen].
> [ipa_s2n_get_user_done] (0x0400): [trustgroup@ad.jstephen].
> [ipa_s2n_get_user_done] (0x0400): [domain users@ad.jstephen].
>
>
> However, there is a subsequent group lookup extended operation which
> fails on the IPA server when the NSS responder is unable to parse the
> double-qualified name.
>
> - Client
>
> [ipa_s2n_get_list_step] (0x0400): Sending request_type:
> [REQ_FULL_WITH_MEMBERS] for group [customgroup@testing@ad.jstephen].
> [ipa_s2n_exop_send] (0x0400): Executing extended operation
> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
> [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such
> object(32), (null).
> [ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
> [ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
>
>
> - Server
>
> [nss_getby_name] (0x0400): Input name: customgroup@testing
> [cache_req_set_plugin] (0x2000): CR #16: Setting "Group by name" plugin
> [cache_req_send] (0x0400): CR #16: New request 'Group by name'
> [cache_req_process_input] (0x0400): CR #16: Parsing input name
> [customgroup@testing]
> [sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
> [sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
> [sss_parse_inp_send] (0x0200): Requesting info for [(null)] from [testing]
> [sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
> [sss_dp_get_domains_send] (0x0400): Last call was too recent, nothing to do!
> [sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
> [sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
> [sss_parse_inp_done] (0x0040): Unknown domain in [customgroup@testing]
> [nss_protocol_done] (0x4000): Sending reply: error [1432158243]: Domain
> not found
>
>
> I suspect the input to the NSS responder received here is output from
> the extdom plugin parsing the domain and object name.
>
> I was looking for some advice on the best way to fix this, or if my
> patch is doing things horribly wrong then just let me know please :)
I think we fixed the server-side (FreeIPA) part with Sumit in https://github.com/freeipa/freeipa/commit/ee455f163d756a6b71db8e999365139cad46c6ad

If you want to handle it on the client side, make sure to use strrchr()
to search '@' from end of the string. This way you can handle multiple
'@' in a string as only the last one will be a real separator.

We use regexes instead for parsing input.

I didn't know the IPA part is fixed though, thanks. Then just by
modifying the regex, the clients should work (as long as the servers are
fixed with the commit you linked).
Yes, this is not backported yet. Will be part of FreeIPA 4.5.1.

Thanks, I see now that the regular expression value modifies the behavior of sss_parse_name(). I will wait until the extdom plugin fix is included in FreeIPA then test the regex setting on the SSSD side without any code changes.

Kind regards,
Justin Stephenson
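The two approaches discussed in the thread, splitting on the last '@' with strrchr() versus splitting with a regex whose domain group cannot contain '@', side by side on the names from the client log. This is an added stand-alone example, not SSSD or FreeIPA code: the POSIX ERE used here is an illustration of the principle and is not SSSD's actual default re_expression, and the helper names (split_on_last_at, split_on_first_at, split_with_regex, split_gives) are made up for this example.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Copy [src, src+len) into dst as a NUL-terminated string; -1 if empty or too long. */
static int copy_part(char *dst, size_t dst_len, const char *src, size_t len)
{
    if (len == 0 || len >= dst_len) {
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Everything before `sep` is the name, everything after it the domain. */
static int split_at(const char *fq, const char *sep,
                    char *name, size_t name_len, char *dom, size_t dom_len)
{
    if (sep == NULL) {
        return -1;                 /* no '@' at all: not a fully qualified name */
    }
    if (copy_part(name, name_len, fq, (size_t)(sep - fq)) != 0) {
        return -1;                 /* empty name, e.g. "@ad.jstephen" */
    }
    return copy_part(dom, dom_len, sep + 1, strlen(sep + 1));
}

/* strrchr(): the LAST '@' is the separator, so "customgroup@testing@ad.jstephen"
 * yields name "customgroup@testing" and domain "ad.jstephen". */
int split_on_last_at(const char *fq, char *name, size_t name_len,
                     char *dom, size_t dom_len)
{
    return split_at(fq, strrchr(fq, '@'), name, name_len, dom, dom_len);
}

/* strchr(): the FIRST '@' is the separator. On the same input this gives name
 * "customgroup" and the non-existent domain "testing@ad.jstephen"; kept only
 * to show why a first-'@' split breaks on double-qualified names. */
int split_on_first_at(const char *fq, char *name, size_t name_len,
                      char *dom, size_t dom_len)
{
    return split_at(fq, strchr(fq, '@'), name, name_len, dom, dom_len);
}

/* Regex variant. Illustrative POSIX ERE (assumption: not SSSD's real default):
 * because the domain group "([^@]+)$" may not contain '@', the only possible
 * match puts every '@' but the last one inside the name group "(.+)". */
int split_with_regex(const char *fq, char *name, size_t name_len,
                     char *dom, size_t dom_len)
{
    regex_t re;
    regmatch_t m[3];
    int rc;

    if (regcomp(&re, "^(.+)@([^@]+)$", REG_EXTENDED) != 0) {
        return -1;
    }
    rc = regexec(&re, fq, 3, m, 0);
    regfree(&re);
    if (rc != 0) {
        return -1;                 /* short name or trailing/leading '@' */
    }
    if (copy_part(name, name_len, fq + m[1].rm_so,
                  (size_t)(m[1].rm_eo - m[1].rm_so)) != 0) {
        return -1;
    }
    return copy_part(dom, dom_len, fq + m[2].rm_so,
                     (size_t)(m[2].rm_eo - m[2].rm_so));
}

typedef int (*split_fn)(const char *, char *, size_t, char *, size_t);

/* 1 if `split` accepts fq and produces exactly (want_name, want_dom), else 0. */
int split_gives(split_fn split, const char *fq,
                const char *want_name, const char *want_dom)
{
    char name[256], dom[256];

    if (split(fq, name, sizeof name, dom, sizeof dom) != 0) {
        return 0;
    }
    return strcmp(name, want_name) == 0 && strcmp(dom, want_dom) == 0;
}

int main(void)
{
    /* The four names listed in the client log in the thread above. */
    const char *names[] = {
        "trustuser1@ad.jstephen", "customgroup@testing@ad.jstephen",
        "trustgroup@ad.jstephen", "domain users@ad.jstephen",
    };
    char name[256], dom[256];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (split_on_last_at(names[i], name, sizeof name, dom, sizeof dom) == 0) {
            printf("%-34s -> name=[%s] domain=[%s]\n", names[i], name, dom);
        }
    }
    return 0;
}
```

Both the strrchr() and the regex variants agree on every name from the log, including the one containing a space; only the first-'@' split produces a domain that matches nothing configured. Whichever side does the splitting, the client and the server must agree on the rule, which is why the thread waits for the extdom fix on the IPA server before changing the regex on the SSSD side.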
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org