URL: https://github.com/SSSD/sssd/pull/857 Author: jhrozek Title: #857: Don't qualify users from files domain when default_domain_suffix is set Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/857/head:pr857 git checkout pr857
From e6f976bf3654d7936e0b5e591857cede758c0c95 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Fri, 2 Aug 2019 12:07:51 +0200
Subject: [PATCH] Don't qualify users from files domain when default_domain_suffix is set
Resolves: https://pagure.io/SSSD/sssd/issue/4052
The files domain should always be non-qualified. The usual rules like qualification of all domains except the one set with default_domain_suffix should not apply.
---
 src/confdb/confdb.c | 7 ++++--
 src/man/sssd.conf.5.xml | 8 ++++++-
 src/tests/intg/test_files_provider.py | 31 +++++++++++++++++++++++++++
 3 files changed, 43 insertions(+), 3 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index f6fdbc3aa8..be65310dcc 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1049,7 +1049,8 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
 /* Determine if user/group names will be Fully Qualified
 * in NSS interfaces */
- if (default_domain != NULL) {
+ if (default_domain != NULL
+ && is_files_provider(domain) == false) {
 DEBUG(SSSDBG_CONF_SETTINGS,
 "Default domain suffix set. Changing default for "
 "use_fully_qualified_names to True.\n");
@@ -1064,7 +1065,9 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
 goto done;
 }
- if (default_domain != NULL && domain->fqnames == false) {
+ if (default_domain != NULL
+ && domain->fqnames == false
+ && is_files_provider(domain) == false) {
 DEBUG(SSSDBG_FATAL_FAILURE,
 "Invalid configuration detected (default_domain_suffix is used "
 "while use_fully_qualified_names was set to false).\n");
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 304a6a170c..c810123572 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
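Review bot: In the first confdb.c hunk (@@ -1049), `is_files_provider(domain)` is called while confdb_get_domain_internal is still filling in `domain`, and the hunk does not show where the provider field is assigned. It is worth confirming the field is populated before this point, because otherwise the check would presumably always be false and the files domain would still be switched to qualified names. The same call is repeated in the second hunk (@@ -1064); evaluating it once, e.g. `bool files_dom = is_files_provider(domain);`, would keep the two conditions in sync. A comment above the condition such as `/* The files domain mirrors nss_files and is not qualified by default_domain_suffix */` would record why the exemption exists. The function body starts and ends outside the hunk.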
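Review bot: The second confdb.c hunk (@@ -1064) only skips the invalid-configuration error for the files domain and does not force `domain->fqnames` to false. A files domain that explicitly sets `use_fully_qualified_names = true` would therefore presumably still return qualified names, which differs from the commit message ("should always be non-qualified") and from the new man-page wording. Name qualification decides which identity a short name maps to, so the intended behaviour should be unambiguous: either set `domain->fqnames = false` for the files provider after the option is read, or narrow the wording to say that only the default is left unchanged. The code that reads the option sits between the two hunks and is not visible here.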
@@ -412,7 +412,13 @@ to log in. Setting this option changes default of use_fully_qualified_names to True. It is not allowed to use this option together with
- use_fully_qualified_names set to False.
+ use_fully_qualified_names set to False. One
+ exception from this rule are domains with
+ <quote>id_provider=files</quote> that always try
+ to match the behaviour of nss_files
+ and therefore their output is not
+ qualified even when the default_domain_suffix
+ option is used.
 </para>
 <para>
 Default: not set
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index 784bfa91f7..9f3aad9949 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -310,6 +310,22 @@ def domain_resolution_order(request):
 return None
+@pytest.fixture
+def default_domain_suffix(request):
+ conf = unindent("""\
+ [sssd]
+ domains = files
+ services = nss
+ default_domain_suffix = foo
+
+ [domain/files]
+ id_provider = files
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
 @pytest.fixture
 def override_homedir_and_shell(request):
 conf = unindent("""\
@@ -1206,6 +1222,21 @@ def test_files_with_domain_resolution_order(add_user_with_canary,
 check_user(USER1)
+def test_files_with_default_domain_suffix(add_user_with_canary,
+ default_domain_suffix):
+ """
+ Test that when using domain_resolution_order the user won't be using
+ its fully-qualified name.
+ """
+ ret = poll_canary(call_sssd_getpwuid, CANARY["uid"])
+ if ret is False:
+ return NssReturnCode.NOTFOUND, None
+
+ res, found_user = call_sssd_getpwuid(USER1["uid"])
+ assert res == NssReturnCode.SUCCESS
+ assert found_user == USER1
+
+
 def test_files_with_override_homedir(add_user_with_canary,
 override_homedir_and_shell):
 res, user = sssd_getpwnam_sync(USER1["name"])
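Review bot: In test_files_with_default_domain_suffix (the @@ -1206 hunk), `if ret is False: return NssReturnCode.NOTFOUND, None` lets the test pass without asserting anything when the canary never appears, because pytest ignores a test's return value. Replace it with `assert ret is not False` so a files provider that never becomes ready is reported as a failure. The docstring also names `domain_resolution_order` where this test exercises `default_domain_suffix`. The test looks the user up by UID only; since default_domain_suffix concerns how names are qualified, an additional lookup by `USER1["name"]` (the neighbouring test uses `sssd_getpwnam_sync`) would cover the by-name path as well.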