On (03/12/14 19:55), Michal Židek wrote:
On 12/02/2014 12:05 PM, Lukas Slebodnik wrote:
>ehlo,
>
>With attached patch, selinuxusermap should apply to ipa user and ad user.
>It should work with enabled and disabled use_fully_qualified_names.
>I was testing with IPA in server mode.
>
>It is good to remove sssd generated entries from "semanage login" after each
>test.
>
>LS
>
>
>0001-IPA-Do-not-append-domain-name-to-fq-name.patch
>
>
> From 40282cb008862500844614ed7e1c81b87b87dc9e Mon Sep 17 00:00:00 2001
>From: Lukas Slebodnik<lslebodn(a)redhat.com>
>Date: Mon, 1 Dec 2014 17:29:49 +0100
>Subject: [PATCH] IPA: Do not append domain name to fq name
>
>Usernames from AD subdomains are already in fqdn we should not append
>domain name in this case.
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/2512
>---
> src/providers/ipa/ipa_selinux.c | 17 +++++++++++++++--
> 1 file changed, 15 insertions(+), 2 deletions(-)
>
>diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
>index
30ad6f0a7c4622ca5eb9a75ae4f57183543515c6..79eb9e82d10dbb4eba06bd5b19345f5978412f44 100644
>--- a/src/providers/ipa/ipa_selinux.c
>+++ b/src/providers/ipa/ipa_selinux.c
>@@ -812,6 +812,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
> char *ptr;
> char *username;
> char *username_final;
>+ char *domain_name = NULL;
> TALLOC_CTX *tmp_ctx;
> struct selinux_child_input *sci;
>
>@@ -849,8 +850,20 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
> }
>
> if (dom->fqnames) {
>- username_final = talloc_asprintf(tmp_ctx, dom->names->fq_fmt,
>- username, dom->name);
>+ ret = sss_parse_name(tmp_ctx, dom->names, username, &domain_name,
>+ NULL);
>+ if (ret == EOK && domain_name != NULL) {
>+ /* username is already a fully qualified name */
>+ username_final = username;
>+ } else if ((ret == EOK && domain_name == NULL)
>+ || ret == ERR_REGEX_NOMATCH) {
>+ username_final = talloc_asprintf(tmp_ctx, dom->names->fq_fmt,
>+ username, dom->name);
^^^^^^^^^^^^^^^^^^^^^
Check here if the allocation was successful.
>+ } else {
>+ DEBUG(SSSDBG_OP_FAILURE,
>+ "sss_parse_name failed: [%d] %s", ret,
sss_strerror(ret));
>+ goto done;
>+ }
> if (username_final == NULL) {
> ret = ENOMEM;
> goto done;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
And not here.
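Review bot: the DEBUG format string in the new else branch, `"sss_parse_name failed: [%d] %s", ret, sss_strerror(ret)`, has no trailing "\n"; if the DEBUG macro does not append one itself, this message will run into the next log line, so end the string with "\n". On the NULL check: with the first branch assigning `username_final = username` and the error branch jumping to `done`, the existing `if (username_final == NULL)` after the block is only ever reached on the `talloc_asprintf` path, so the allocation failure is still caught either way; moving the check into that branch, as suggested above, mainly makes the intent local and readable.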
No problem.
Thank you for review.
Updated version is attached.
LS