diff options
| author | Sumit Bose <sbose@redhat.com> | 2015-04-29 15:21:17 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-05-06 10:51:36 +0200 |
| commit | a4a447b7bf394ded65c8ae872832e7cd135425d1 (patch) | |
| tree | 04bbd93b285c01a6e8e203a598fd1d1b244cbcca | |
| parent | 226224c91971247f60a86d9c46dd1402f5c29e8a (diff) | |
| download | sssd-a4a447b7bf394ded65c8ae872832e7cd135425d1.tar.gz sssd-a4a447b7bf394ded65c8ae872832e7cd135425d1.tar.xz sssd-a4a447b7bf394ded65c8ae872832e7cd135425d1.zip | |
NSS: check for overrides before calling backend
Currently the flag that the input data in a user or group lookup request
might be an override value is only set if no cached entry was found. If
the cached entry of an object with overrides is expired and a request
with the override value as input is processed the flag is not set and
the backend might not be able to find the right entry on the server.
Typically this should not happen because of mid-point refreshes. To
reproduce this create a FreeIPA user and override the login name for a
specific view. On a client which has this view applied call
getent passwd overridename
sss_cache -E
getent passwd overridename
The second getent command will still show the right output but in the
logs a
[sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error
code: 3 errno: 0 error message: Account info lookup failed
message can be found for the second request.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 35b178d02dfd293778aefbc0b465a5a3a4b6cd8f)
| -rw-r--r-- | src/responder/nss/nsssrv_cmd.c | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 4c0e9414d..70da3924f 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c @@ -948,7 +948,10 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx) if (cmdctx->name_is_upn) { extra_flag = EXTRA_NAME_IS_UPN; - } else if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) { + } else if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0 + || ldb_msg_find_attr_as_string(dctx->res->msgs[0], + OVERRIDE_PREFIX SYSDB_NAME, + NULL) != NULL)) { extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW; } else { extra_flag = NULL; @@ -1608,7 +1611,10 @@ static int nss_cmd_getpwuid_search(struct nss_dom_ctx *dctx) * yet) then verify that the cache is uptodate */ if (dctx->check_provider) { - if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) { + if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0 + || ldb_msg_find_attr_as_uint64(dctx->res->msgs[0], + OVERRIDE_PREFIX SYSDB_UIDNUM, + 0) != 0)) { extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW; } else { extra_flag = NULL; @@ -3049,7 +3055,10 @@ static int nss_cmd_getgrnam_search(struct nss_dom_ctx *dctx) * yet) then verify that the cache is uptodate */ if (dctx->check_provider) { - if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) { + if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0 + || ldb_msg_find_attr_as_string(dctx->res->msgs[0], + OVERRIDE_PREFIX SYSDB_NAME, + NULL) != NULL)) { extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW; } else { extra_flag = NULL; @@ -3173,7 +3182,10 @@ static int nss_cmd_getgrgid_search(struct nss_dom_ctx *dctx) * yet) then verify that the cache is uptodate */ if (dctx->check_provider) { - if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) { + if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0 + || ldb_msg_find_attr_as_uint64(dctx->res->msgs[0], + OVERRIDE_PREFIX SYSDB_GIDNUM, + 0) != 0)) { extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW; } else { extra_flag = NULL; @@ -4131,7 +4143,10 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx) if (cmdctx->name_is_upn) { extra_flag = EXTRA_NAME_IS_UPN; - } else if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) { + } else if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0 + || ldb_msg_find_attr_as_string(dctx->res->msgs[0], + OVERRIDE_PREFIX SYSDB_NAME, + NULL) != NULL)) { extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW; } else { extra_flag = NULL; |