From: HABIB Ramzi <ramzi@nomado.eu>
To: Kevin Coffman <kwc@citi.umich.edu>
Cc: linux-nfs@vger.kernel.org, 581199@bugs.debian.org
Subject: Re: libnfsidmap: Virtual domains/users handling with at sign in idmap
Date: Tue, 11 May 2010 17:58:18 +0100 [thread overview]
Message-ID: <4BE98CAA.3050702@nomado.eu> (raw)
In-Reply-To: <4BE96A0B.8070000@nomado.eu>
[-- Attachment #1: Type: text/plain, Size: 7216 bytes --]
Hi again,
Here is a second patch that applies to 0.21 and up only ( up to testing
and unstable 0.23-2 for debian libnfsidmap2 packages and 0.23
libnfsidmap source ) where dealing with local realms and principal realm
was introduced first in. libnfsidmap
strstr has been switched to strrchr ( to avoid using strrstr as it's
not a standard function ) .
Patch to fix principal realm in addition to previous domain patch in
#1st post
libnfsidmap_0.21_up_fix_at_sign_user_realm_fix.diff
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--- libnfsidmap-0.23.orig/nss.c 2009-07-29 22:19:06.000000000 +0200
+++ libnfsidmap-0.23/nss.c 2010-05-11 17:34:03.000000000 +0200
@@ -135,7 +135,7 @@
char *l = NULL;
int len;
- c = strchr(name, '@');
+ c = strrchr(name, '@');
if (c == NULL && domain != NULL)
goto out;
if (c == NULL && domain == NULL) {
@@ -276,7 +276,7 @@
return -EINVAL;
/* get princ's realm */
- princ_realm = strstr(princ, "@");
+ princ_realm = strrchr(princ, '@');
if (princ_realm == NULL)
return -EINVAL;
princ_realm++;
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Patch to fix both domain & principal realm
libnfsidmap_0.21_up_fix_at_sign_user_with_domain_plus_realm_fix.diff
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--- libnfsidmap-0.23.orig/nss.c 2009-07-29 22:19:06.000000000 +0200
+++ libnfsidmap-0.23/nss.c 2010-05-11 17:34:03.000000000 +0200
@@ -135,7 +135,7 @@
char *l = NULL;
int len;
- c = strchr(name, '@');
+ c = strrchr(name, '@');
if (c == NULL && domain != NULL)
goto out;
if (c == NULL && domain == NULL) {
@@ -276,7 +276,7 @@
return -EINVAL;
/* get princ's realm */
- princ_realm = strstr(princ, "@");
+ princ_realm = strrchr(princ, '@');
if (princ_realm == NULL)
return -EINVAL;
princ_realm++;
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Le 11/05/2010 15:30, HABIB Ramzi a écrit :
> You're welcome.
> The patch fixes the problem if not using kerberos.
> I checked the latest version (0.23, in testing and unstable packages.
> Doesn't apply for oldstable and stable ones) from citi's website and
> it seems there's an additional fix to make for function
> "nss_gss_princ_to_ids" in nss.c file on line 279 :
>
> /////////////////////////////////////////////////
>
> /* get princ's realm */
> princ_realm = strstr(princ, "@");
> if (princ_realm == NULL)
> return -EINVAL;
> princ_realm++;
>
> ////////////////////////////////////////////////
>
> I'll check that soon and get back to you with the results.
>
> Ramzi
>
> Le 11/05/2010 15:07, Kevin Coffman a écrit :
>> Thanks. Unless someone else sees a problem with this, I'll apply it.
>>
>> On Tue, May 11, 2010 at 9:07 AM, HABIB Ramzi<ramzi@nomado.eu> wrote:
>>> Subject: libnfsidmap: Virtual domains/users handling with at sign in
>>> idmap
>>> Package: libnfsidmap
>>> Version: 0.23
>>> Severity: normal
>>> Tags: patch
>>>
>>> *** Please type your report below this line ***
>>>
>>> Idmap fails to map uid to localname or vice versa in case an 'at' (
>>> @ ) sign
>>> is included in the localname.
>>> This is particularly the case of virtual domains username where
>>> a user@virtual_domain is in fact the username and its @ sign
>>> conflicts with
>>> username@idmap_domain format used by idmap to handle uid/localname
>>> conversions.
>>> Where username = user@virtual_domain.
>>> Idmap is still able to map uid/localname correctly when the username
>>> does
>>> not
>>> include an @ sign.
>>> Both NFS Server and Client are PAM/NSS clients of an OpenLDAP Server
>>> that
>>> handles users& groups. NFSv4 is used and without kerberos and
>>> "nsswitch"
>>> Translation method is used rather than umich_ldap.
>>> Idmap looks for the first occurrence of and @ sign in the name string
>>> and assumes that the @ sign is the one of user@virtual_domain rather
>>> than
>>> using the one of username@idmap_domain
>>> (user@virtual_domain@idmap_domain).
>>> The function "strip_domain" is defined in nss.c file and uses "strchr"
>>> function on line 138 to find the first occurrence of an @ sign from
>>> the name
>>> string.
>>> As the name string includes 2 occurrences, the domain resulting from
>>> that
>>> (virtual_domain@idmap_domain) fails to match with the configured idmap
>>> domain
>>> (idmap_domain) and this causes idmap returning a null value.
>>> Switching from "strchr" to "strrchr" simply fix the problem as it
>>> would look
>>> for the last occurrence rather than the first one and therefore has a
>>> resulting
>>> domain that matched the idmap one.
>>> This obviously makes sense as a URI should be read from right to
>>> left and
>>> not
>>> from left to right when handling domains.
>>> The idmap domain is this way the root domain and all virtual domains
>>> included
>>> in the username it handles will not conflicts with it.
>>>
>>> A patch is included here below :
>>>
>>> libnfsidmap_0.23_fix_at_sign_user_with_domain.diff
>>>
>>> //////////////////////////////////////////////////////////////////
>>>
>>> --- libnfsidmap-0.23.orig/nss.c 2009-07-29 22:19:06.000000000 +0200
>>> +++ libnfsidmap-0.23/nss.c 2010-05-11 15:02:13.000000000 +0200
>>> @@ -135,7 +135,7 @@
>>> char *l = NULL;
>>> int len;
>>>
>>> - c = strchr(name, '@');
>>> + c = strrchr(name, '@');
>>> if (c == NULL&& domain != NULL)
>>> goto out;
>>> if (c == NULL&& domain == NULL) {
>>>
>>> //////////////////////////////////////////////////////////////////
>>>
>>> The patch applies to all archs.
>>> Versions checked :
>>> Debian :
>>> libnfsidmap2 0.18-0 (oldstable)
>>> libnfsidmap2 0.20-1 (stable)
>>> libnfsidmap2 0.23-2 (testing,unstable)
>>>
>>> -- System Information:
>>> Debian Release: 5.0.4
>>> APT prefers stable
>>> APT policy: (500, 'stable')
>>> Architecture: amd64 (x86_64)
>>>
>>> Kernel: Linux 2.6.26-2-amd64 (SMP w/1 CPU core)
>>> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
>>> Shell: /bin/sh linked to /bin/bash
>>>
>>> Versions of packages libnfsidmap2 depends on:
>>> ii libc6 2.7-18lenny2 GNU C Library: Shared
>>> libraries
>>> ii libldap-2.4-2 2.4.11-1+lenny1 OpenLDAP libraries
>>>
>>> Ramzi HABIB
>>> ramzi<at> nomado.eu
>>>
>> __________ Information provenant d'ESET Smart Security, version de la
>> base des signatures de virus 5105 (20100511) __________
>>
>> Le message a été vérifié par ESET Smart Security.
>>
>> http://www.eset.com
>>
>>
>>
>>
>
[-- Attachment #2: libnfsidmap_0.20-1_fix_at_sign_user_with_domain.diff --]
[-- Type: text/plain, Size: 318 bytes --]
--- libnfsidmap-0.20.orig/nss.c 2007-02-05 17:13:05.000000000 +0100
+++ libnfsidmap-0.20/nss.c 2010-05-11 14:35:55.000000000 +0200
@@ -135,7 +135,7 @@
char *l = NULL;
int len;
- c = strchr(name, '@');
+ c = strrchr(name, '@');
if (c == NULL && domain != NULL)
goto out;
if (c == NULL && domain == NULL) {
[-- Attachment #3: libnfsidmap_0.21_up_fix_at_sign_user_with_domain_plus_realm_fix.diff --]
[-- Type: text/plain, Size: 521 bytes --]
--- libnfsidmap-0.23.orig/nss.c 2009-07-29 22:19:06.000000000 +0200
+++ libnfsidmap-0.23/nss.c 2010-05-11 17:34:03.000000000 +0200
@@ -135,7 +135,7 @@
char *l = NULL;
int len;
- c = strchr(name, '@');
+ c = strrchr(name, '@');
if (c == NULL && domain != NULL)
goto out;
if (c == NULL && domain == NULL) {
@@ -276,7 +276,7 @@
return -EINVAL;
/* get princ's realm */
- princ_realm = strstr(princ, "@");
+ princ_realm = strrchr(princ, '@');
if (princ_realm == NULL)
return -EINVAL;
princ_realm++;
[-- Attachment #4: libnfsidmap_0.21_up_fix_at_sign_user_realm_fix.diff --]
[-- Type: text/plain, Size: 334 bytes --]
--- libnfsidmap-0.23.orig/nss.c 2009-07-29 22:19:06.000000000 +0200
+++ libnfsidmap-0.23/nss.c 2010-05-11 17:34:03.000000000 +0200
@@ -276,7 +276,7 @@
return -EINVAL;
/* get princ's realm */
- princ_realm = strstr(princ, "@");
+ princ_realm = strrchr(princ, '@');
if (princ_realm == NULL)
return -EINVAL;
princ_realm++;
prev parent reply other threads:[~2010-05-11 16:58 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-05-11 13:07 libnfsidmap: Virtual domains/users handling with at sign in idmap HABIB Ramzi
[not found] ` <4BE956AC.3070303-nj/97Yry1BOHXe+LvDLADg@public.gmane.org>
2010-05-11 14:07 ` Kevin Coffman
2010-05-11 14:36 ` HABIB Ramzi
[not found] ` <4BE96A0B.8070000@nomado.eu>
2010-05-11 16:58 ` HABIB Ramzi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4BE98CAA.3050702@nomado.eu \
--to=ramzi@nomado.eu \
--cc=581199@bugs.debian.org \
--cc=kwc@citi.umich.edu \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.