sssd/0082-NSS-check-for-overrides-before-calling-backend.patch

102 lines
4.8 KiB
Diff

From a4a447b7bf394ded65c8ae872832e7cd135425d1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 29 Apr 2015 15:21:17 +0200
Subject: [PATCH 82/99] NSS: check for overrides before calling backend
Currently the flag that the input data in a user or group lookup request
might be an override value is only set if no cached entry was found. If
the cached entry of an object with overrides is expired and a request
with the override value as input is processed the flag is not set and
the backend might not be able to find the right entry on the server.
Typically this should not happen because of mid-point refreshes. To
reproduce this create a FreeIPA user and override the login name for a
specific view. On a client which has this view applied call
getent passwd overridename
sss_cache -E
getent passwd overridename
The second getent command will still show the right output but in the
logs a
[sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error
code: 3 errno: 0 error message: Account info lookup failed
message can be found for the second request.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 35b178d02dfd293778aefbc0b465a5a3a4b6cd8f)
---
src/responder/nss/nsssrv_cmd.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 4c0e9414d2cdebe61fd91de06f4900f00904ef22..70da3924f2b087f463a25748d0ea1a4d88b0e818 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -948,7 +948,10 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
if (cmdctx->name_is_upn) {
extra_flag = EXTRA_NAME_IS_UPN;
- } else if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) {
+ } else if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0
+ || ldb_msg_find_attr_as_string(dctx->res->msgs[0],
+ OVERRIDE_PREFIX SYSDB_NAME,
+ NULL) != NULL)) {
extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
} else {
extra_flag = NULL;
@@ -1608,7 +1611,10 @@ static int nss_cmd_getpwuid_search(struct nss_dom_ctx *dctx)
* yet) then verify that the cache is uptodate */
if (dctx->check_provider) {
- if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) {
+ if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0
+ || ldb_msg_find_attr_as_uint64(dctx->res->msgs[0],
+ OVERRIDE_PREFIX SYSDB_UIDNUM,
+ 0) != 0)) {
extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
} else {
extra_flag = NULL;
@@ -3049,7 +3055,10 @@ static int nss_cmd_getgrnam_search(struct nss_dom_ctx *dctx)
* yet) then verify that the cache is uptodate */
if (dctx->check_provider) {
- if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) {
+ if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0
+ || ldb_msg_find_attr_as_string(dctx->res->msgs[0],
+ OVERRIDE_PREFIX SYSDB_NAME,
+ NULL) != NULL)) {
extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
} else {
extra_flag = NULL;
@@ -3173,7 +3182,10 @@ static int nss_cmd_getgrgid_search(struct nss_dom_ctx *dctx)
* yet) then verify that the cache is uptodate */
if (dctx->check_provider) {
- if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) {
+ if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0
+ || ldb_msg_find_attr_as_uint64(dctx->res->msgs[0],
+ OVERRIDE_PREFIX SYSDB_GIDNUM,
+ 0) != 0)) {
extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
} else {
extra_flag = NULL;
@@ -4131,7 +4143,10 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
if (cmdctx->name_is_upn) {
extra_flag = EXTRA_NAME_IS_UPN;
- } else if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) {
+ } else if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0
+ || ldb_msg_find_attr_as_string(dctx->res->msgs[0],
+ OVERRIDE_PREFIX SYSDB_NAME,
+ NULL) != NULL)) {
extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
} else {
extra_flag = NULL;
--
2.4.0