Re: [SSSD] [PATCH] IPA: Do not append domain name to fq name

On (03/12/14 19:55), Michal Židek wrote: > On 12/02/2014 12:05 PM, Lukas Slebodnik wrote: >> ehlo, >> >> With attached patch, selinuxusermap should apply to ipa user and ad user. >> It should work with enabled and disabled use_fully_qualified_names. >> I was testing with IPA in server mode. >> >> It is good to remove sssd generated entries from "semanage login" after each >> test. >> >> LS >> >> >> 0001-IPA-Do-not-append-domain-name-to-fq-name.patch >> >> >> From 40282cb008862500844614ed7e1c81b87b87dc9e Mon Sep 17 00:00:00 2001 >> From: Lukas Slebodnik<lslebodn(a)redhat.com> >> Date: Mon, 1 Dec 2014 17:29:49 +0100 >> Subject: [PATCH] IPA: Do not append domain name to fq name >> >> Usernames from AD subdomains are already in fqdn we should not append >> domain name in this case. >> >> Resolves: >> https://fedorahosted.org/sssd/ticket/2512 >> --- >> src/providers/ipa/ipa_selinux.c | 17 +++++++++++++++-- >> 1 file changed, 15 insertions(+), 2 deletions(-) >> >> diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c >> index 30ad6f0a7c4622ca5eb9a75ae4f57183543515c6..79eb9e82d10dbb4eba06bd5b19345f5978412f44 100644 >> --- a/src/providers/ipa/ipa_selinux.c >> +++ b/src/providers/ipa/ipa_selinux.c >> @@ -812,6 +812,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx, >> char *ptr; >> char *username; >> char *username_final; >> + char *domain_name = NULL; >> TALLOC_CTX *tmp_ctx; >> struct selinux_child_input *sci; >> >> @@ -849,8 +850,20 @@ selinux_child_setup(TALLOC_CTX *mem_ctx, >> } >> >> if (dom->fqnames) { >> - username_final = talloc_asprintf(tmp_ctx, dom->names->fq_fmt, >> - username, dom->name); >> + ret = sss_parse_name(tmp_ctx, dom->names, username, &domain_name, >> + NULL); >> + if (ret == EOK && domain_name != NULL) { >> + /* username is already a fully qualified name */ >> + username_final = username; >> + } else if ((ret == EOK && domain_name == NULL) >> + || ret == ERR_REGEX_NOMATCH) { >> + username_final = talloc_asprintf(tmp_ctx, dom->names->fq_fmt, >> + username, dom->name); > ^^^^^^^^^^^^^^^^^^^^^ > Check here if the allocation was successful. > >> + } else { >> + DEBUG(SSSDBG_OP_FAILURE, >> + "sss_parse_name failed: [%d] %s", ret, sss_strerror(ret)); >> + goto done; >> + } >> if (username_final == NULL) { >> ret = ENOMEM; >> goto done; > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > And not here. No problem. Thank you for review. Updated version is attached. LS