Don't qualify users from files domain when default_domain_suffix is set

Resolves: https://pagure.io/SSSD/sssd/issue/4052 The files domain should always be non-qualified. The usual rules like qualification of all domains except the one set with default_domain_suffix should not apply. Reviewed-by: Michal Židek <[email protected]>
SSSD · Aug 14, 2019 · 41da9dd · 41da9dd
1 parent 5574de0
commit 41da9dd
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 3 deletions.
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
@@ -1049,7 +1049,8 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
 
     /* Determine if user/group names will be Fully Qualified
      * in NSS interfaces */
-    if (default_domain != NULL) {
+    if (default_domain != NULL
+             && is_files_provider(domain) == false) {
         DEBUG(SSSDBG_CONF_SETTINGS,
               "Default domain suffix set. Changing default for "
               "use_fully_qualified_names to True.\n");
@@ -1064,7 +1065,9 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
         goto done;
     }
 
-    if (default_domain != NULL && domain->fqnames == false) {
+    if (default_domain != NULL
+            && domain->fqnames == false
+            && is_files_provider(domain) == false) {
         DEBUG(SSSDBG_FATAL_FAILURE,
               "Invalid configuration detected (default_domain_suffix is used "
               "while use_fully_qualified_names was set to false).\n");

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
@@ -412,7 +412,13 @@
                                 to log in. Setting this option changes default
                                 of use_fully_qualified_names to True. It is not
                                 allowed to use this option together with
-                                use_fully_qualified_names set to False.
+                                use_fully_qualified_names set to False. One
+                                exception from this rule are domains with
+                                <quote>id_provider=files</quote> that always try
+                                to match the behaviour of nss_files
+                                and therefore their output is not
+                                qualified even when the default_domain_suffix
+                                option is used.
                             </para>
                             <para>
                                 Default: not set

diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
@@ -310,6 +310,22 @@ def domain_resolution_order(request):
     return None
 
 
+@pytest.fixture
+def default_domain_suffix(request):
+    conf = unindent("""\
+        [sssd]
+        domains             = files
+        services            = nss
+        default_domain_suffix = foo
+
+        [domain/files]
+        id_provider = files
+    """).format(**locals())
+    create_conf_fixture(request, conf)
+    create_sssd_fixture(request)
+    return None
+
+
 @pytest.fixture
 def override_homedir_and_shell(request):
     conf = unindent("""\
@@ -1206,6 +1222,21 @@ def test_files_with_domain_resolution_order(add_user_with_canary,
     check_user(USER1)
 
 
+def test_files_with_default_domain_suffix(add_user_with_canary,
+                                          default_domain_suffix):
+    """
+    Test that when using domain_resolution_order the user won't be using
+    its fully-qualified name.
+    """
+    ret = poll_canary(call_sssd_getpwuid, CANARY["uid"])
+    if ret is False:
+        return NssReturnCode.NOTFOUND, None
+
+    res, found_user = call_sssd_getpwuid(USER1["uid"])
+    assert res == NssReturnCode.SUCCESS
+    assert found_user == USER1
+
+
 def test_files_with_override_homedir(add_user_with_canary,
                                      override_homedir_and_shell):
     res, user = sssd_getpwnam_sync(USER1["name"])