author | Sumit Bose <sbose@redhat.com> | 2014-09-04 15:42:26 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-09-16 13:25:04 +0200 |
commit | 742ccb4b821b0d320fefb5eb0f1eafe82da8548c (patch) | |
tree | 0981b8322ce02512c9a6abbf5f652a55b1a5c33f /src/responder/nss | |
parent | 7ba70236daccb48432350147d0560b3302518cee (diff) | |
name2sid: Check negative cache for users and groups
Since we cannot know if a SID belongs to a user or a group a lookup
should only fail if the given name is in both the negative cache for the
users and the groups.
Currently if the SID for a group called 'abc' should be looked up and
the negative cache for the users contains an entry for 'abc' the request
fails.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/responder/nss')
-rw-r--r-- | src/responder/nss/nsssrv_cmd.c | 34 |
1 files changed, 19 insertions, 15 deletions
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 560578428..3956e4463 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c @@ -4076,26 +4076,30 @@ static errno_t nss_cmd_getsidby_search(struct nss_dom_ctx *dctx) } - /* verify this user has not yet been negatively cached, - * or has been permanently filtered */ + /* verify this name has not yet been negatively cached, as user + * and groupm, or has been permanently filtered */ ret = sss_ncache_check_user(nctx->ncache, nctx->neg_timeout, dom, name); - /* if neg cached, return we didn't find it */ if (ret == EEXIST) { - DEBUG(SSSDBG_TRACE_FUNC, - "User [%s] does not exist in [%s]! (negative cache)\n", - name, dom->name); - /* if a multidomain search, try with next */ - if (cmdctx->check_next) { - dom = get_next_domain(dom, false); - continue; + ret = sss_ncache_check_group(nctx->ncache, nctx->neg_timeout, + dom, name); + if (ret == EEXIST) { + /* if neg cached, return we didn't find it */ + DEBUG(SSSDBG_TRACE_FUNC, + "SID [%s] does not exist in [%s]! (negative cache)\n", + name, dom->name); + /* if a multidomain search, try with next */ + if (cmdctx->check_next) { + dom = get_next_domain(dom, false); + continue; + } + /* There are no further domains or this was a + * fully-qualified user request. + */ + ret = ENOENT; + goto done; } - /* There are no further domains or this was a - * fully-qualified user request. - */ - ret = ENOENT; - goto done; } DEBUG(SSSDBG_TRACE_FUNC, "Requesting info for [%s@%s]\n", |
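Review bot: The new inner DEBUG message, "SID [%s] does not exist in [%s]! (negative cache)", is filled with `name`, which in this name-to-SID path is the name being looked up and not a SID, so the trace will mislead anyone reading the logs. Something like "Name [%s] is negatively cached as both user and group in [%s]" would match what the two checks established. In the same hunk, the rewritten comment has a typo ("groupm"), and the comment kept inside the new block still says "fully-qualified user request" although the name may now refer to a group. Note also that the result of sss_ncache_check_group() is only compared against EEXIST, so any other return value falls through to the lookup; if that is intended, a short comment saying so would help.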