On Mon, Apr 25, 2016 at 09:16:22PM +0300, Nikolai Kondrashov wrote:
> On 04/11/2016 07:44 PM, Sumit Bose wrote:
>On Fri, Apr 08, 2016 at 07:31:59PM +0300, Nikolai Kondrashov wrote:
>>On 04/06/2016 02:06 PM, Sumit Bose wrote:
>>>I wonder if it would make sense to add the cached user object to preq
>>>in pam_check_user_search() to avoid the lookup in
>>>pam_reply_export_shell(). The data is already allocated on preq and as
>>>far as I can see never freed explicitly, so it wouldn't even cost more
>>>memory.
>>
>>Sure, that would be nice. However it's really hard for me to tell where that
>>would come from, where it's actually retrieved and what's the lifetime would
>>be. I really miss documentation there.
>>
>>Could you suggest the change, perhaps?
>
>sure, please have a look at attached (untested) patch. With this you start in
>pam_reply_export_shell() with
>
>+ shell = ldb_msg_find_attr_as_string(preq->user_obj, SYSDB_SHELL, NULL);
>+ if (shell == NULL) {
>+ DEBUG(SSSDBG_CRIT_FAILURE, "user has no shell\n");
>+ ret = ENOENT;
>+ goto done;
>+ }
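
Review bot: in the first added line, preq->user_obj is handed to ldb_msg_find_attr_as_string() with no check that it was actually set; since the object is meant to be stored on preq in pam_check_user_search(), guard against a NULL preq->user_obj here and fail with a distinct error before the attribute lookup. The lookup also reads plain SYSDB_SHELL, so a comment stating whether the original or the overridden shell is wanted at this point would help, given that the value is passed on to tlog-rec. The DEBUG message "user has no shell" would be more useful if it named the user.
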
>
> Thanks a lot Sumit, this is very helpful! However, the problem is the non-UPN
> case is requesting the user with sysdb_getpwnam_with_views and
> pam_reply_export_shell needs the non-overridden shell to pass it to tlog-rec,
> as local override is the mechanism used to enable tlog-rec at the moment.
> So, it seems we need the second lookup in pam_reply_export_shell after all.
> Or am I missing something?

The *_with_views() calls add the override data with the OVERRIDE_PREFIX,
so SYSDB_SHELL is still the original one while OVERRIDE_PREFIX SYSDB_SHELL
is the overridden one if there is any.

There is something special with AD users and the default view. If the
shell for an AD user is overridden in the default view it is already
applied and SYSDB_SHELL will show it. The original shell from AD can be
found in ORIGINALAD_PREFIX SYSDB_SHELL if it is needed here.

HTH

bye,
Sumit

P.S. Based on your comments I opened
https://fedorahosted.org/sssd/ticket/2997 and
https://fedorahosted.org/sssd/ticket/2999 to check if we handle the
shell correctly in the case it is overridden.

>
> Thank you.
>
> Nick