From fa4b46e7de7297da3c0e37913eab8cba7f103629 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Oct 2020 15:26:39 +0200
Subject: [PATCH 8/8] negcache: do not use default_domain_suffix
When splitting the names from the filter_users and filter_groups options
do not use the default_domain_suffix because it will hide that the
original name is a short name and should be added everywhere.
Additionally this patch fixes a typo where sss_parse_name() was used
instead of sss_parse_name_for_domains().
Resolves: https://github.com/SSSD/sssd/issues/5238
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/responder/common/negcache.c | 29 +++++++++++++++--------------
src/tests/cmocka/test_negcache.c | 22 ++++++++++++++++++++--
2 files changed, 35 insertions(+), 16 deletions(-)
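diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 9ee39ce3e..59e8ad7e7 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -1000,13 +1000,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
- rctx->default_domain,
+ NULL,
 filter_list[i],
 &domainname, &name);
 if (ret == EAGAIN) {
 DEBUG(SSSDBG_MINOR_FAILURE,
- "cannot add [%s] to negcache because the required or "
- "default domain are not known yet\n", filter_list[i]);
+ "Can add [%s] only as UPN to negcache because the "
+ "required domain is not known yet\n", filter_list[i]);
 } else if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
 "Invalid name in filterUsers list: [%s] (%d)\n",
@@ -1066,12 +1066,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
- rctx->default_domain, filter_list[i],
+ NULL, filter_list[i],
 &domainname, &name);
 if (ret == EAGAIN) {
 DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot add [%s] to negcache because the required or "
- "default domain are not known yet\n", filter_list[i]);
+ "Can add [%s] only as UPN to negcache because the "
+ "required domain is not known yet\n", filter_list[i]);
 } else if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
 "Invalid name in filterUsers list: [%s] (%d)\n",
@@ -1158,9 +1158,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 if (ret != EOK) goto done;
 
 for (i = 0; (filter_list && filter_list[i]); i++) {
- ret = sss_parse_name(tmpctx, dom->names, filter_list[i],
- &domainname, &name);
+ ret = sss_parse_name_for_domains(tmpctx, domain_list,
+ NULL, filter_list[i],
+ &domainname, &name);
 if (ret != EOK) {
+ /* Groups do not have UPNs, so domain names, if present,
+ * must be known */
 DEBUG(SSSDBG_CRIT_FAILURE,
 "Invalid name in filterGroups list: [%s] (%d)\n",
 filter_list[i], ret);
@@ -1207,13 +1210,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
- rctx->default_domain, filter_list[i],
+ NULL, filter_list[i],
 &domainname, &name);
- if (ret == EAGAIN) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot add [%s] to negcache because the required or "
- "default domain are not known yet\n", filter_list[i]);
- } else if (ret != EOK) {
+ if (ret != EOK) {
+ /* Groups do not have UPNs, so domain names, if present,
+ * must be known */
 DEBUG(SSSDBG_CRIT_FAILURE,
 "Invalid name in filterGroups list: [%s] (%d)\n",
 filter_list[i], ret);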
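diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
index fb306b110..30218d52a 100644
--- a/src/tests/cmocka/test_negcache.c
+++ b/src/tests/cmocka/test_negcache.c
@@ -933,7 +933,9 @@ static void test_sss_ncache_reset_prepopulate(void **state)
 *
 * The result should of course be independent of the present domains. To
 * verify this the domains are added one after the other and the negative
- * cache is repopulated each time.
+ * cache is repopulated each time. The result should be also independent of
+ * the setting of default_domain_suffix option which is tested by
+ * test_sss_ncache_short_name_in_domain_with_prefix.
 *
 * With the given domains, users and group we have to following expectations:
 * - the short name entry will be added to the domain and all sub-domains as
@@ -1081,7 +1083,8 @@ static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache,
 assert_int_equal(ret, ENOENT);
 }
 
-static void test_sss_ncache_short_name_in_domain(void **state)
+static void run_sss_ncache_short_name_in_domain(void **state,
+ bool use_default_domain_prefix)
 {
 int ret;
 struct test_state *ts;
@@ -1131,6 +1134,9 @@ static void test_sss_ncache_short_name_in_domain(void **state)
 ncache = ts->ctx;
 ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
 assert_non_null(ts->rctx);
+ if (use_default_domain_prefix) {
+ ts->rctx->default_domain = discard_const(TEST_DOM_NAME);
+ }
 ts->rctx->cdb = tc->confdb;
 
 ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
@@ -1173,6 +1179,16 @@ static void test_sss_ncache_short_name_in_domain(void **state)
 expect_no_entries_in_dom(ncache, dom2);
 }
 
+static void test_sss_ncache_short_name_in_domain(void **state)
+{
+ run_sss_ncache_short_name_in_domain(state, false);
+}
+
+static void test_sss_ncache_short_name_in_domain_with_prefix(void **state)
+{
+ run_sss_ncache_short_name_in_domain(state, true);
+}
+
 static void test_sss_ncache_reset(void **state)
 {
 errno_t ret;
@@ -1337,6 +1353,8 @@ int main(void)
 setup, teardown),
 cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain,
 setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain_with_prefix,
+ setup, teardown),
 cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
 setup, teardown),
 cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid,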
--
2.21.3