Hi, my recent patch "sysdb_get_user_attr: use fqn for subdomain users" kinda broke authentication (thx ab).
The problem was that sysdb_get_user_attr is often called with a fully qualified name and we basically ended up with a "user@domain@domain" name.
One solution would be to translate the name to fq format in IFP. Another would be to change the other places so they use just the name without the domain part. But since sysdb_get_user_attr now calls sss_get_domain_name in the same way as other sysdb functions do, I think the best solution here is to check the name format in this function and respond as appropriate.
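The name-format check described in the message above, as a C example added here; it is not SSSD code and not part of this thread. It shows a lookup-name helper that appends the domain only to short names, so an already qualified name is never turned into "user@domain@domain". Assumptions: the helper name `qualify_once`, a fixed `name@domain` form, the constructed domain `ad.example.test`, and the choice to reject names that carry a different domain.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not SSSD code. Assumes the fixed "name@domain" form.
 * Returns 0 on success, -1 on malformed input, foreign domain or short buffer. */
int qualify_once(const char *name, const char *domain, char *out, size_t outlen)
{
    const char *at;
    int n;

    if (name == NULL || domain == NULL || out == NULL) return -1;
    if (name[0] == '\0' || domain[0] == '\0') return -1;

    at = strrchr(name, '@');
    if (at == NULL) {
        /* Short name: append the domain exactly once. */
        n = snprintf(out, outlen, "%s@%s", name, domain);
    } else {
        /* Already qualified: require a single separator, a non-empty
         * user part and a domain equal to ours (case-insensitive). */
        if (at == name || strchr(name, '@') != at) return -1;
        if (strcasecmp(at + 1, domain) != 0) return -1;
        n = snprintf(out, outlen, "%s", name);
    }
    /* Treat truncation as an error instead of looking up a cut-off name. */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "user", "user@ad.example.test",
        "user@ad.example.test@ad.example.test", "user@other.test"
    };
    char buf[64];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (qualify_once(samples[i], "ad.example.test", buf, sizeof(buf)) == 0)
            printf("%-40s -> %s\n", samples[i], buf);
        else
            printf("%-40s -> rejected\n", samples[i]);
    }
    return 0;
}
```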
On Mon, Oct 13, 2014 at 04:30:53PM +0200, Pavel Březina wrote:
> Hi, my recent patch "sysdb_get_user_attr: use fqn for subdomain users" kinda broke authentication (thx ab).
> The problem was that sysdb_get_user_attr is often called with a fully qualified name and we basically ended up with a "user@domain@domain" name.
> One solution would be to translate the name to fq format in IFP. Another would be to change the other places so they use just the name without the domain part. But since sysdb_get_user_attr now calls sss_get_domain_name in the same way as other sysdb functions do, I think the best solution here is to check the name format in this function and respond as appropriate.
This patch fixed AD subdomain authentication for me.
I'm sorry for the bad review the first time around.
ACK to both.
On Tue, Oct 14, 2014 at 02:23:16PM +0200, Jakub Hrozek wrote:
> On Mon, Oct 13, 2014 at 04:30:53PM +0200, Pavel Březina wrote:
> > Hi, my recent patch "sysdb_get_user_attr: use fqn for subdomain users" kinda broke authentication (thx ab).
> > The problem was that sysdb_get_user_attr is often called with a fully qualified name and we basically ended up with a "user@domain@domain" name.
> > One solution would be to translate the name to fq format in IFP. Another would be to change the other places so they use just the name without the domain part. But since sysdb_get_user_attr now calls sss_get_domain_name in the same way as other sysdb functions do, I think the best solution here is to check the name format in this function and respond as appropriate.
> This patch fixed AD subdomain authentication for me.
> I'm sorry for the bad review the first time around.
> ACK to both.
* master: 09a36be00ddcf1d7bd5b8a368143d5b2e2f4fb68 7a153394bdeb77325b7e4ee1502a1e89fa306f5a
sssd-devel@lists.fedorahosted.org