Netgroups should ignore the 'use_fully_qualified_names' setting

Netgroups often have memberNisNetgroup entries included in them
that will never process correctly if we require fully-qualified
names on the nested lookup. This patch alters the behavior of
netgroup lookups to check *all* domains for an unqualified
netgroup name, instead of only the ones not requiring fully-
qualified names.

https://fedorahosted.org/sssd/ticket/2013

1 files changed, 6 insertions, 8 deletions

diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c
index 12be52bf..773e5ecb 100644
--- a/src/responder/nss/nsssrv_netgroup.c
+++ b/src/responder/nss/nsssrv_netgroup.c
@@ -428,14 +428,12 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
 
     /* Check each domain for this netgroup name */
     while (dom) {
-        /* if it is a domainless search, skip domains that require fully
-         * qualified names instead */
-        while (dom && step_ctx->check_next && dom->fqnames) {
-            dom = get_next_domain(dom, false);
-        }
-
-        /* No domains left to search */
-        if (!dom) break;
+        /* Netgroups are a special case. We have to ignore the
+         * fully-qualified name requirement because memberNisNetgroup
+         * entries do not have fully-qualified components and we need
+         * to be able to always check them. So unlike the other
+         * maps, here we avoid skipping over fully-qualified domains.
+         */
 
         if (dom != step_ctx->dctx->domain) {
             /* make sure we reset the check_provider flag when we check