libnfsidmap2: Virtual domains/users handling with at sign in idmap
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| libnfsidmap (Debian) |
New
|
Unknown
|
|||
| libnfsidmap (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
Binary package hint: libnfsidmap2
Package: libnfsidmap2
Version: 0.23-2
Severity: normal
Tags: patch
Idmap fails to map uid to localname or vice versa in case an 'at' ( @ ) sign
is included in the localname.
This is particularly the case of virtual domains username where
a user@virtual_domain is in fact the username and its @ sign conflicts with
username@
Where username = user@virtual_
Idmap is still able to map uid/localname correctly when the username does not
include an @ sign.
Both NFS Server and Client are PAM/NSS clients of an OpenLDAP Server that
handles users & groups. NFSv4 is used and without kerberos and "nsswitch"
Translation method is used rather than umich_ldap.
Idmap looks for the first occurrence of and @ sign in the name string
and assumes that the @ sign is the one of user@virtual_domain rather than
using the one of username@
The function "strip_domain" is defined in nss.c file and uses "strchr"
function on line 138 to find the first occurrence of an @ sign from the name
string.
As the name string includes 2 occurrences, the domain resulting from that
(virtual_
(idmap_domain) and this causes idmap returning a null value.
Switching from "strchr" to "strrchr" simply fix the problem as it would look
for the last occurrence rather than the first one and therefore has a resulting
domain that matched the idmap one.
This obviously makes sense as a URI should be read from right to left and not
from left to right when handling domains.
The idmap domain is this way the root domain and all virtual domains included
in the username it handles will not conflicts with it.
EDIT : An additional fix is needed to fix realm handling in NSSWITCH method in idmapd. This was introduced in version 0.21 and up.
a switch between strstr and strrchr is needed when it comes to search for '@' ( at sign ) in the Realm variable. Similarly to the domain handling.
A patch is included here below :
Patch to fix both domain & principal realm. Applies to :
libnfsidmap2-0.23-2 in lucid
libnfsidmap2-0.21-2 in jaunty
libnfsidmap2-0.21-2 in karmic
libnfsidmap_
///////
--- libnfsidmap-
+++ libnfsidmap-
@@ -135,7 +135,7 @@
char *l = NULL;
int len;
- c = strchr(name, '@');
+ c = strrchr(name, '@');
if (c == NULL && domain != NULL)
if (c == NULL && domain == NULL) {
@@ -276,7 +276,7 @@
/* get princ's realm */
- princ_realm = strstr(princ, "@");
+ princ_realm = strrchr(princ, '@');
if (princ_realm == NULL)
///////
This is the same bug reported at debian but I wasn't able to reply to it with this final patch.
Each time I send a reply to the bug email address, it just doesn't update it.
http://
Here is a patch that applies to versions below 0.21 libnfsidmap where only the domain @ sign fix is needed ( no realm @ sign handling ) :
Patch to fix domain only. Applies to :
libnfsidmap2-
libnfsidmap2-0.20-1 in hardy
libnfsidmap_
///////
--- libnfsidmap-
+++ libnfsidmap-
@@ -135,7 +135,7 @@
char *l = NULL;
int len;
- c = strchr(name, '@');
+ c = strrchr(name, '@');
if (c == NULL && domain != NULL)
goto out;
if (c == NULL && domain == NULL) {
///////
| Ramzi HABIB (ramzi-nomado) wrote | #1 |
| Ramzi HABIB (ramzi-nomado) wrote | #2 |
| tags: | added: udd-find |
| Changed in libnfsidmap (Debian): | |
| status: | Unknown → New |
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in libnfsidmap (Ubuntu): | |
| status: | New → Confirmed |
| Andreas Hasenack (ahasenack) wrote | #4 |
| Andreas Hasenack (ahasenack) wrote | #5 |
| Andreas Hasenack (ahasenack) wrote | #6 |
For versions below 0.21 where no realm at sign ( "@" ) handling was introduced yet