rpms/sssd
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ca67484fda
sssd/0120-CACHE_REQ-Allow-configurationless-shortname-lookups.patch
Lukas Slebodnik 7bddea6c90 Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication 
Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with
                           file from package sssd-common-1.15.1-1.fc25.x86_64
Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4
2017-04-29 23:49:52 +02:00

139 lines
5.5 KiB
Diff
Raw Blame History

From dae798231fc2c575f213785768bc24ed765ba243 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 11 Apr 2017 17:19:29 +0200
Subject: [PATCH 120/135] CACHE_REQ: Allow configurationless shortname lookups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Configurationless shortnames lookups must be allowed when a domains'
resolution order is present and the (head) domain is not enforcing the
usage of fully-qualified-names.
With this patch SSSD does not require any kind of changes from client
side for taking advantage of shortname lookups.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/common/cache_req/cache_req.c | 2 +-
src/responder/common/cache_req/cache_req_domain.c | 48 +++++++++++++++++++++++
src/responder/common/cache_req/cache_req_domain.h | 1 +
3 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index 3a5fecf34427437bbf95317e05c5bd8b07b4537d..797325a30e6c1ed5f1d4b4c147c65391d5204b52 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -480,7 +480,7 @@ static errno_t cache_req_search_domains_next(struct tevent_req *req)
* qualified names on domain less search. We do not descend into
* subdomains here since those are implicitly qualified.
*/
- if (state->check_next && !allow_no_fqn && domain->fqnames) {
+ if (state->check_next && !allow_no_fqn && state->cr_domain->fqnames) {
state->cr_domain = state->cr_domain->next;
continue;
}
diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
index 86a88efd54ca0f4a0748b44ece1b8515438d4628..bfdd2b7f640178f6d0a0d92f2fed329c856b478c 100644
--- a/src/responder/common/cache_req/cache_req_domain.c
+++ b/src/responder/common/cache_req/cache_req_domain.c
@@ -60,6 +60,48 @@ void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains)
*cr_domains = NULL;
}
+static bool
+cache_req_domain_use_fqnames(struct sss_domain_info *domain,
+ bool enforce_non_fqnames)
+{
+ struct sss_domain_info *head;
+
+ head = get_domains_head(domain);
+
+ /*
+ * In order to decide whether fully_qualified_names must be used on the
+ * lookups we have to take into consideration:
+ * - use_fully_qualified_name value of the head of the domains;
+ * (head->fqnames)
+ * - the presence of a domains' resolution order list;
+ * (non_fqnames_enforced)
+ *
+ * The relationship between those two can be described by:
+ * - head->fqnames:
+ * - true: in this case doesn't matter whether it's enforced or not,
+ * fully-qualified-names will _always_ be used
+ * - false: in this case (which is also the default case), the usage
+ * depends on it being enforced;
+ *
+ * - enforce_non_fqnames:
+ * - true: in this case, the usage of fully-qualified-names is not
+ * needed;
+ * - false: in this case, the usage of fully-qualified-names will be
+ * done accordingly to what's set for the domain itself.
+ */
+ switch (head->fqnames) {
+ case true:
+ return true;
+ case false:
+ switch (enforce_non_fqnames) {
+ case true:
+ return false;
+ case false:
+ return domain->fqnames;
+ }
+ }
+}
+
static struct cache_req_domain *
cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domains,
@@ -71,9 +113,11 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
char *name;
int flag = SSS_GND_ALL_DOMAINS;
int i;
+ bool enforce_non_fqnames = false;
errno_t ret;
if (resolution_order != NULL) {
+ enforce_non_fqnames = true;
for (i = 0; resolution_order[i] != NULL; i++) {
name = resolution_order[i];
for (dom = domains; dom; dom = get_next_domain(dom, flag)) {
@@ -87,6 +131,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
goto done;
}
cr_domain->domain = dom;
+ cr_domain->fqnames =
+ cache_req_domain_use_fqnames(dom, enforce_non_fqnames);
DLIST_ADD_END(cr_domains, cr_domain,
struct cache_req_domain *);
@@ -106,6 +152,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
goto done;
}
cr_domain->domain = dom;
+ cr_domain->fqnames =
+ cache_req_domain_use_fqnames(dom, enforce_non_fqnames);
DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *);
}
diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h
index 000087e5ca2074f22169a4af627810f4f287e430..5bcbb9b493caf05bf71aac5cf7633ded91f22e73 100644
--- a/src/responder/common/cache_req/cache_req_domain.h
+++ b/src/responder/common/cache_req/cache_req_domain.h
@@ -25,6 +25,7 @@
struct cache_req_domain {
struct sss_domain_info *domain;
+ bool fqnames;
struct cache_req_domain *prev;
struct cache_req_domain *next;
--
2.12.2
Reference in New Issue View Git Blame Copy Permalink