From f9b7073e5cd057cf961b34f99ea1dff0c86b5b6a Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 17 Nov 2017 20:15:34 +0100 Subject: [PATCH 01/15] IPA: Handle empty nisDomainName MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves: https://pagure.io/SSSD/sssd/issue/3573 If nisdomain=, i.e. a blank NIS domain name, sssd was not processing the netgroup at all. This is not in agreement with man innetgr which says "Any of the elements in a triple can be empty, which means that anything matches. The functions described here allow access to the netgroup databases". This patch instead returns an empty domain as well, which eventually produces the same output as if the netgroup was requested from the compat tree. To reproduce the bug: $ ipa netgroup-add Netgroup name: emptydom ------------------------- Added netgroup "emptydom" ------------------------- Netgroup name: emptydom NIS domain name: ipa.test IPA unique ID: 164bc15a-f4b3-11e7-acdb-525400ca6df3 $ ipa netgroup-add-member Netgroup name: emptydom [member user]: admin [member group]: [member host]: [member host group]: [member netgroup]: Netgroup name: emptydom NIS domain name: ipa.test Member User: admin ------------------------- Number of members added 1 ------------------------- $ ipa netgroup-mod --nisdomain="" emptydom ---------------------------- Modified netgroup "emptydom" ---------------------------- Netgroup name: emptydom Member User: admin Then run: getent netgroup emptydom without the patch, the netgroup won't be resolvable. It will resolve to a netgroup triple that looks like this after the patch: emptydom (-,admin,) Reviewed-by: Fabiano Fidêncio --- src/providers/ipa/ipa_netgroups.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c index 5c929a485..05ebac758 100644 --- a/src/providers/ipa/ipa_netgroups.c +++ b/src/providers/ipa/ipa_netgroups.c 
@@ -953,7 +953,9 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state) ret = sysdb_attrs_get_string(state->netgroups[i], SYSDB_NETGROUP_DOMAIN, &domain); - if (ret != EOK) { + if (ret == ENOENT) { + domain = NULL; + } else if (ret != EOK) { goto done; } @@ -974,7 +976,7 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state) for (k = 0; k < hosts_count; k++) { triple = talloc_asprintf(state, "(%s,%s,%s)", hosts[k], uids[j], - domain); + domain ? domain : ""); if (triple == NULL) { ret = ENOMEM; goto done; -- 2.14.3
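Review bot: The `ret == ENOENT` branch in the first hunk changes a missing nisDomainName from an error (`goto done`) into a triple with an empty domain field, and nothing at the branch records that this widening is deliberate. The innetgr text quoted in the commit message defines an empty field as matching anything, so any consumer that matches on the domain element now sees a wildcard where it previously got no result. A comment at the branch would make the intent reviewable, e.g. `/* nisDomainName absent: emit an empty domain, which matches any domain per innetgr(3) */`. Whether an attribute that is present but empty arrives here as ENOENT or as an empty string is not visible in the hunk and is worth confirming, since only the former is handled explicitly. The body of ipa_netgr_process_all starts and ends outside the hunk.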
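Review bot: The ternary in the second hunk protects only this `talloc_asprintf` call, while `domain` stays NULL for the rest of the loop body after the first hunk; any other read of `domain` between the two hunks is outside what is shown and would need the same guard. Normalising once in the ENOENT branch with `domain = "";` would keep a single representation and let this argument remain `domain);`, assuming `domain` is declared `const char *` (the declaration is not in the hunk). If NULL is kept on purpose, a short comment here such as `/* domain is NULL when nisDomainName is absent */` would explain why only this argument is guarded.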