From 41da9ddfd084024ba9ca20b6d3c0b531c0473231 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 2 Aug 2019 12:07:51 +0200
Subject: [PATCH] Don't qualify users from files domain when
default_domain_suffix is set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/4052
The files domain should always be non-qualified. The usual rules like
qualification of all domains except the one set with
default_domain_suffix should not apply.
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/confdb/confdb.c | 7 ++++--
src/man/sssd.conf.5.xml | 8 ++++++-
src/tests/intg/test_files_provider.py | 31 +++++++++++++++++++++++++++
3 files changed, 43 insertions(+), 3 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index f6fdbc3aa..be65310dc 100644
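--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1049,7 +1049,8 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
 
 /* Determine if user/group names will be Fully Qualified
 * in NSS interfaces */
- if (default_domain != NULL) {
+ if (default_domain != NULL
+ && is_files_provider(domain) == false) {
 DEBUG(SSSDBG_CONF_SETTINGS,
 "Default domain suffix set. Changing default for "
 "use_fully_qualified_names to True.\n");
@@ -1064,7 +1065,9 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
 goto done;
 }
 
- if (default_domain != NULL && domain->fqnames == false) {
+ if (default_domain != NULL
+ && domain->fqnames == false
+ && is_files_provider(domain) == false) {
 DEBUG(SSSDBG_FATAL_FAILURE,
 "Invalid configuration detected (default_domain_suffix is used "
 "while use_fully_qualified_names was set to false).\n");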
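Review bot: The comment above the first changed condition still says only that it decides whether names are fully qualified in NSS interfaces, so neither hunk records why the new `is_files_provider(domain) == false` term is there. I would add `/* id_provider=files mirrors nss_files: default_domain_suffix never makes it qualified */` before the first `if` and repeat the reason at the second check. The commit message says the files domain should always be non-qualified, but the visible lines only change the default and skip the invalid-configuration error; whether an explicit `use_fully_qualified_names = True` in a files domain is still honoured depends on code between the hunks, which is not shown. Because this setting decides how local account names are presented next to those of the default domain, the intended behaviour for that case is worth stating in the comment. confdb_get_domain_internal starts and ends outside both hunks.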
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 304a6a170..c81012357 100644
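--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -412,7 +412,13 @@
 to log in. Setting this option changes default
 of use_fully_qualified_names to True. It is not
 allowed to use this option together with
- use_fully_qualified_names set to False.
+ use_fully_qualified_names set to False. One
+ exception from this rule are domains with
+ <quote>id_provider=files</quote> that always try
+ to match the behaviour of nss_files
+ and therefore their output is not
+ qualified even when the default_domain_suffix
+ option is used.
 </para>
 <para>
 Default: not set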
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index 784bfa91f..9f3aad994 100644
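--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -310,6 +310,22 @@ def domain_resolution_order(request):
 return None
 
 
+@pytest.fixture
+def default_domain_suffix(request):
+ conf = unindent("""\
+ [sssd]
+ domains = files
+ services = nss
+ default_domain_suffix = foo
+
+ [domain/files]
+ id_provider = files
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
 @pytest.fixture
 def override_homedir_and_shell(request):
 conf = unindent("""\
@@ -1206,6 +1222,21 @@ def test_files_with_domain_resolution_order(add_user_with_canary,
 check_user(USER1)
 
 
+def test_files_with_default_domain_suffix(add_user_with_canary,
+ default_domain_suffix):
+ """
+ Test that when using domain_resolution_order the user won't be using
+ its fully-qualified name.
+ """
+ ret = poll_canary(call_sssd_getpwuid, CANARY["uid"])
+ if ret is False:
+ return NssReturnCode.NOTFOUND, None
+
+ res, found_user = call_sssd_getpwuid(USER1["uid"])
+ assert res == NssReturnCode.SUCCESS
+ assert found_user == USER1
+
+
 def test_files_with_override_homedir(add_user_with_canary,
 override_homedir_and_shell):
 res, user = sssd_getpwnam_sync(USER1["name"])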
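Review bot: In test_files_with_default_domain_suffix (second hunk) the branch `if ret is False: return NssReturnCode.NOTFOUND, None` returns from the test, so if poll_canary reports failure the way that check suggests, the test passes without ever verifying the user. Replacing the branch with `assert ret is not False` would make a files provider that never serves the canary fail the test instead. The docstring also names domain_resolution_order, apparently copied from the neighbouring test; it should read `Test that with default_domain_suffix set a files-domain user is returned without its fully-qualified name.` The new test looks the user up by uid only, so a `sssd_getpwnam_sync(USER1["name"])` assertion would also cover lookup by the short name, which is the input default_domain_suffix affects.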
--
2.20.1