From a4a447b7bf394ded65c8ae872832e7cd135425d1 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Wed, 29 Apr 2015 15:21:17 +0200
|
|
Subject: [PATCH 82/99] NSS: check for overrides before calling backend
|
|
|
|
Currently the flag that the input data in a user or group lookup request
|
|
might be an override value is only set if no cached entry was found. If
|
|
the cached entry of an object with overrides is expired and a request
|
|
with the override value as input is processed the flag is not set and
|
|
the backend might not be able to find the right entry on the server.
|
|
Typically this should not happen because of mid-point refreshes. To
|
|
reproduce this create a FreeIPA user and override the login name for a
|
|
specific view. On a client which has this view applied call
|
|
|
|
getent passwd overridename
|
|
sss_cache -E
|
|
getent passwd overridename
|
|
|
|
The second getent command will still show the right output but in the
|
|
logs a
|
|
|
|
[sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error
|
|
code: 3 errno: 0 error message: Account info lookup failed
|
|
|
|
message can be found for the second request.
|
|
|
|
Related to https://fedorahosted.org/sssd/ticket/2642
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
(cherry picked from commit 35b178d02dfd293778aefbc0b465a5a3a4b6cd8f)
|
|
---
|
|
src/responder/nss/nsssrv_cmd.c | 25 ++++++++++++++++++++-----
|
|
1 file changed, 20 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
|
|
index 4c0e9414d2cdebe61fd91de06f4900f00904ef22..70da3924f2b087f463a25748d0ea1a4d88b0e818 100644
|
|
--- a/src/responder/nss/nsssrv_cmd.c
|
|
+++ b/src/responder/nss/nsssrv_cmd.c
|
|
@@ -948,7 +948,10 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
|
|
|
|
if (cmdctx->name_is_upn) {
|
|
extra_flag = EXTRA_NAME_IS_UPN;
|
|
- } else if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) {
|
|
+ } else if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0
|
|
+ || ldb_msg_find_attr_as_string(dctx->res->msgs[0],
|
|
+ OVERRIDE_PREFIX SYSDB_NAME,
|
|
+ NULL) != NULL)) {
|
|
extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
|
|
} else {
|
|
extra_flag = NULL;
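Review bot: The widened condition in nss_cmd_getpwnam_search carries no comment explaining why a cache hit can still need EXTRA_INPUT_MAYBE_WITH_VIEW; the reason (an expired entry that was requested by its override name) lives only in the commit message. A comment above the `else if`, for example `/* A cached entry with an override name may have been requested by that override, so tell the backend the input can be a view value. */`, would keep it with the code. The `msgs[0]` access is safe only because `count == 0` short-circuits the `||`, which is worth stating in case the operands are ever reordered. The same applies to the identical conditions in the nss_cmd_getgrnam_search and nss_cmd_initgroups_search hunks; the function body continues outside this hunk.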
|
|
@@ -1608,7 +1611,10 @@ static int nss_cmd_getpwuid_search(struct nss_dom_ctx *dctx)
|
|
* yet) then verify that the cache is uptodate */
|
|
if (dctx->check_provider) {
|
|
|
|
- if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) {
|
|
+ if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0
|
|
+ || ldb_msg_find_attr_as_uint64(dctx->res->msgs[0],
|
|
+ OVERRIDE_PREFIX SYSDB_UIDNUM,
|
|
+ 0) != 0)) {
|
|
extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
|
|
} else {
|
|
extra_flag = NULL;
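Review bot: In nss_cmd_getpwuid_search the override test `ldb_msg_find_attr_as_uint64(..., 0) != 0` cannot tell a missing override attribute from one whose stored value is 0 or does not parse as a number, so such an entry would go to the backend without EXTRA_INPUT_MAYBE_WITH_VIEW. If presence of the attribute is what matters, `ldb_msg_find_element(dctx->res->msgs[0], OVERRIDE_PREFIX SYSDB_UIDNUM) != NULL` states that directly; whether a zero override value can reach the cache is not visible here. The nss_cmd_getgrgid_search hunk has the same test with SYSDB_GIDNUM. Both functions continue outside their hunks.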
|
|
@@ -3049,7 +3055,10 @@ static int nss_cmd_getgrnam_search(struct nss_dom_ctx *dctx)
|
|
* yet) then verify that the cache is uptodate */
|
|
if (dctx->check_provider) {
|
|
|
|
- if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) {
|
|
+ if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0
|
|
+ || ldb_msg_find_attr_as_string(dctx->res->msgs[0],
|
|
+ OVERRIDE_PREFIX SYSDB_NAME,
|
|
+ NULL) != NULL)) {
|
|
extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
|
|
} else {
|
|
extra_flag = NULL;
|
|
@@ -3173,7 +3182,10 @@ static int nss_cmd_getgrgid_search(struct nss_dom_ctx *dctx)
|
|
* yet) then verify that the cache is uptodate */
|
|
if (dctx->check_provider) {
|
|
|
|
- if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) {
|
|
+ if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0
|
|
+ || ldb_msg_find_attr_as_uint64(dctx->res->msgs[0],
|
|
+ OVERRIDE_PREFIX SYSDB_GIDNUM,
|
|
+ 0) != 0)) {
|
|
extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
|
|
} else {
|
|
extra_flag = NULL;
|
|
@@ -4131,7 +4143,10 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
|
|
|
|
if (cmdctx->name_is_upn) {
|
|
extra_flag = EXTRA_NAME_IS_UPN;
|
|
- } else if (DOM_HAS_VIEWS(dom) && dctx->res->count == 0) {
|
|
+ } else if (DOM_HAS_VIEWS(dom) && (dctx->res->count == 0
|
|
+ || ldb_msg_find_attr_as_string(dctx->res->msgs[0],
|
|
+ OVERRIDE_PREFIX SYSDB_NAME,
|
|
+ NULL) != NULL)) {
|
|
extra_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
|
|
} else {
|
|
extra_flag = NULL;
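Review bot: The initgroups condition reads the override name from `dctx->res->msgs[0]`, but nothing in the hunk says that the first message is the user entry. An initgroups result presumably also holds group entries after the user, unlike the results in the getpwnam hunk. A short comment such as `/* msgs[0] is the user object; any following messages are its groups */` would document the assumption, once confirmed against the code that fills `dctx->res`. The function body continues outside the hunk.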
|
|
--
|
|
2.4.0
|
|
|