On (03/12/14 19:55), Michal Židek wrote:
> On 12/02/2014 12:05 PM, Lukas Slebodnik wrote:
>> ehlo,
>>
>> With attached patch, selinuxusermap should apply to ipa user and ad user.
>> It should work with enabled and disabled use_fully_qualified_names.
>> I was testing with IPA in server mode.
>>
>> It is good to remove sssd generated entries from "semanage login" after each
>> test.
>>
>> LS
>>
>>
>> 0001-IPA-Do-not-append-domain-name-to-fq-name.patch
>>
>>
>> From 40282cb008862500844614ed7e1c81b87b87dc9e Mon Sep 17 00:00:00 2001
>> From: Lukas Slebodnik<lslebodn(a)redhat.com>
>> Date: Mon, 1 Dec 2014 17:29:49 +0100
>> Subject: [PATCH] IPA: Do not append domain name to fq name
>>
>> Usernames from AD subdomains are already in fqdn we should not append
>> domain name in this case.
>>
>> Resolves:
>> https://fedorahosted.org/sssd/ticket/2512
>> ---
>> src/providers/ipa/ipa_selinux.c | 17 +++++++++++++++--
>> 1 file changed, 15 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
>> index
30ad6f0a7c4622ca5eb9a75ae4f57183543515c6..79eb9e82d10dbb4eba06bd5b19345f5978412f44 100644
>> --- a/src/providers/ipa/ipa_selinux.c
>> +++ b/src/providers/ipa/ipa_selinux.c
>> @@ -812,6 +812,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
>> char *ptr;
>> char *username;
>> char *username_final;
>> + char *domain_name = NULL;
>> TALLOC_CTX *tmp_ctx;
>> struct selinux_child_input *sci;
>>
>> @@ -849,8 +850,20 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
>> }
>>
>> if (dom->fqnames) {
>> - username_final = talloc_asprintf(tmp_ctx, dom->names->fq_fmt,
>> - username, dom->name);
>> + ret = sss_parse_name(tmp_ctx, dom->names, username,
&domain_name,
>> + NULL);
>> + if (ret == EOK && domain_name != NULL) {
>> + /* username is already a fully qualified name */
>> + username_final = username;
>> + } else if ((ret == EOK && domain_name == NULL)
>> + || ret == ERR_REGEX_NOMATCH) {
>> + username_final = talloc_asprintf(tmp_ctx, dom->names->fq_fmt,
>> + username, dom->name);
> ^^^^^^^^^^^^^^^^^^^^^
> Check here if the allocation was successful.
>
>> + } else {
>> + DEBUG(SSSDBG_OP_FAILURE,
>> + "sss_parse_name failed: [%d] %s", ret,
sss_strerror(ret));
>> + goto done;
>> + }
>> if (username_final == NULL) {
>> ret = ENOMEM;
>> goto done;
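Review bot: in the `else if ((ret == EOK && domain_name == NULL) || ret == ERR_REGEX_NOMATCH)` branch, `ret` is left holding ERR_REGEX_NOMATCH after the name is successfully qualified; nothing in the hunk resets it, so please confirm that the code after this block sets `ret = EOK` before `done:` is reached, otherwise a bare (non-fq) username that does not match the regex makes the whole setup report failure. Two smaller points in the same hunk: the DEBUG message `"sss_parse_name failed: [%d] %s"` is missing the trailing `\n` that the other DEBUG messages in this file carry, and the pass-through branch (`ret == EOK && domain_name != NULL`) trusts any name that sss_parse_name splits without comparing the parsed `domain_name` against `dom` or its subdomains, so `domain_name` is allocated but never actually used; either check it there or drop the out-parameter and pass NULL.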
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> And not here.
No problem.
Thank you for the review.
Updated version is attached.
LS