Netgroups should ignore the 'use_fully_qualified_names' setting

Netgroups often have memberNisNetgroup entries included in them that will never process correctly if we require fully-qualified names on the nested lookup. This patch alters the behavior of netgroup lookups to check *all* domains for an unqualified netgroup name, instead of only the ones not requiring fully- qualified names. https://fedorahosted.org/sssd/ticket/2013
SSSD · Jul 29, 2013 · 6266b15 · 6266b15
1 parent ff7ea28
commit 6266b15
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
@@ -1208,6 +1208,13 @@ override_homedir = /home/%u
                             wouldn't find the user while <command>getent
                             passwd test@LOCAL</command> would.
                         </para>
+                        <para>
+                            NOTE: This option has no effect on netgroup
+                            lookups due to their tendency to include nested
+                            netgroups without qualified names. For netgroups,
+                            all domains will be searched when an unqualified
+                            name is requested.
+                        </para>
                         <para>
                             Default: FALSE
                         </para>

diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c
@@ -428,14 +428,12 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
 
     /* Check each domain for this netgroup name */
     while (dom) {
-        /* if it is a domainless search, skip domains that require fully
-         * qualified names instead */
-        while (dom && step_ctx->check_next && dom->fqnames) {
-            dom = get_next_domain(dom, false);
-        }
-
-        /* No domains left to search */
-        if (!dom) break;
+        /* Netgroups are a special case. We have to ignore the
+         * fully-qualified name requirement because memberNisNetgroup
+         * entries do not have fully-qualified components and we need
+         * to be able to always check them. So unlike the other
+         * maps, here we avoid skipping over fully-qualified domains.
+         */
 
         if (dom != step_ctx->dctx->domain) {
             /* make sure we reset the check_provider flag when we check