nss_check_name_of_well_known_sid() improve name splitting

Currently in the default configuration
nss_check_name_of_well_known_sid() can only split fully-qualified names
in the user@domain.name style. DOM\user style names will cause an error
and terminate the whole request.

With this patch both styles can be handled by default, additionally if
the name could not be split nss_check_name_of_well_known_sid() returns
ENOENT which can be handled more gracefully by the caller.

Resolves https://fedorahosted.org/sssd/ticket/2717

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 012946730..b3998015f 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1255,6 +1255,14 @@ static int nss_check_name_of_well_known_sid(struct nss_cmd_ctx *cmdctx,
         return ret;
     }
 
+    if (wk_dom_name == NULL || wk_name == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Unable to split [%s] in name and domain part. " \
+              "Skipping check for well-known name.\n", full_name);
+
+        return ENOENT;
+    }
+
     ret = name_to_well_known_sid(wk_dom_name, wk_name, &wk_sid);
     talloc_free(wk_dom_name);
     talloc_free(wk_name);