From: HABIB Ramzi <ramzi@nomado.eu>
To: Kevin Coffman <kwc@citi.umich.edu>
Cc: linux-nfs@vger.kernel.org, 581199@bugs.debian.org
Subject: Re: libnfsidmap: Virtual domains/users handling with at sign in idmap
Date: Tue, 11 May 2010 17:58:18 +0100
Message-ID: <4BE98CAA.3050702@nomado.eu>
In-Reply-To: <4BE96A0B.8070000@nomado.eu>
[-- Attachment #1: Type: text/plain, Size: 7216 bytes --]
Hi again,
Here is a second patch that applies to 0.21 and up only (up to testing
and unstable 0.23-2 for the Debian libnfsidmap2 packages and the 0.23
libnfsidmap source), where dealing with local realms and principal realm
was first introduced in libnfsidmap.
strstr has been switched to strrchr (to avoid using strrstr, as it's
not a standard function).
Patch to fix principal realm in addition to the previous domain patch in
the first post:
libnfsidmap_0.21_up_fix_at_sign_user_realm_fix.diff
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--- libnfsidmap-0.23.orig/nss.c 2009-07-29 22:19:06.000000000 +0200
+++ libnfsidmap-0.23/nss.c 2010-05-11 17:34:03.000000000 +0200
@@ -135,7 +135,7 @@
char *l = NULL;
int len;
- c = strchr(name, '@');
+ c = strrchr(name, '@');
if (c == NULL && domain != NULL)
goto out;
if (c == NULL && domain == NULL) {
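Review bot: this strip_domain hunk sits under the file name libnfsidmap_0.21_up_fix_at_sign_user_realm_fix.diff, but attachment #4 of that name carries only the @@ -276 hunk, and the inline text here is identical to the combined domain-plus-realm patch that follows. Please say which file is meant to be applied. If it is the realm-only one, its description should state that it depends on the earlier strip_domain change: applied alone it leaves strip_domain on strchr while the realm lookup uses strrchr, and the two would then split the same string at different '@' signs.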
@@ -276,7 +276,7 @@
return -EINVAL;
/* get princ's realm */
- princ_realm = strstr(princ, "@");
+ princ_realm = strrchr(princ, '@');
if (princ_realm == NULL)
return -EINVAL;
princ_realm++;
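Review bot: after `princ_realm++` the visible context only rejects a missing '@'. With strrchr, a principal that ends in '@' now yields an empty realm string, where strstr would have returned everything after the first '@'. Unless the code below this hunk already handles it, add a check such as `if (*princ_realm == '\0') return -EINVAL;` before the realm is compared.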
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Patch to fix both domain & principal realm
libnfsidmap_0.21_up_fix_at_sign_user_with_domain_plus_realm_fix.diff
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--- libnfsidmap-0.23.orig/nss.c 2009-07-29 22:19:06.000000000 +0200
+++ libnfsidmap-0.23/nss.c 2010-05-11 17:34:03.000000000 +0200
@@ -135,7 +135,7 @@
char *l = NULL;
int len;
- c = strchr(name, '@');
+ c = strrchr(name, '@');
if (c == NULL && domain != NULL)
goto out;
if (c == NULL && domain == NULL) {
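Review bot: the call `c = strrchr(name, '@');` now encodes a rule that nothing in the hunk documents: the last '@' always separates the idmap domain, and everything before it, earlier '@' signs included, is the local name. A short comment above the call would help, and it should mention the case that stays ambiguous: a name with a single '@' that belongs to the virtual domain (user@virtual_domain with no idmap domain appended) is still split at that '@', and its virtual domain is what gets compared against the idmap domain.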
@@ -276,7 +276,7 @@
return -EINVAL;
/* get princ's realm */
- princ_realm = strstr(princ, "@");
+ princ_realm = strrchr(princ, '@');
if (princ_realm == NULL)
return -EINVAL;
princ_realm++;
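Review bot: no test result is given for this realm lookup under Kerberos. The quoted follow-up says the first patch "fixes the problem if not using kerberos" and promises a check of nss_gss_princ_to_ids, but this message does not report the outcome. Before the hunk is applied it would be good to see a result from a Kerberos setup with a principal whose user part contains '@'. Since the same last-'@' split is now open-coded here and in the @@ -135 hunk, consider one shared helper so the two cannot drift apart.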
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
On 11/05/2010 15:30, HABIB Ramzi wrote:
> You're welcome.
> The patch fixes the problem if not using kerberos.
> I checked the latest version (0.23, in testing and unstable packages.
> Doesn't apply for oldstable and stable ones) from citi's website and
> it seems there's an additional fix to make for function
> "nss_gss_princ_to_ids" in nss.c file on line 279 :
>
> /////////////////////////////////////////////////
>
> /* get princ's realm */
> princ_realm = strstr(princ, "@");
> if (princ_realm == NULL)
> return -EINVAL;
> princ_realm++;
>
> ////////////////////////////////////////////////
>
> I'll check that soon and get back to you with the results.
>
> Ramzi
>
> On 11/05/2010 15:07, Kevin Coffman wrote:
>> Thanks. Unless someone else sees a problem with this, I'll apply it.
>>
>> On Tue, May 11, 2010 at 9:07 AM, HABIB Ramzi<ramzi@nomado.eu> wrote:
>>> Subject: libnfsidmap: Virtual domains/users handling with at sign in
>>> idmap
>>> Package: libnfsidmap
>>> Version: 0.23
>>> Severity: normal
>>> Tags: patch
>>>
>>> *** Please type your report below this line ***
>>>
>>> Idmap fails to map uid to localname or vice versa in case an 'at' ( @ )
>>> sign is included in the localname.
>>> This is particularly the case of virtual domain usernames, where
>>> a user@virtual_domain is in fact the username and its @ sign conflicts
>>> with the username@idmap_domain format used by idmap to handle
>>> uid/localname conversions.
>>> Where username = user@virtual_domain.
>>> Idmap is still able to map uid/localname correctly when the username
>>> does not include an @ sign.
>>> Both NFS Server and Client are PAM/NSS clients of an OpenLDAP Server
>>> that handles users & groups. NFSv4 is used without kerberos, and the
>>> "nsswitch" translation method is used rather than umich_ldap.
>>> Idmap looks for the first occurrence of an @ sign in the name string
>>> and assumes that the @ sign is the one of user@virtual_domain rather
>>> than using the one of username@idmap_domain
>>> (user@virtual_domain@idmap_domain).
>>> The function "strip_domain" is defined in the nss.c file and uses the
>>> "strchr" function on line 138 to find the first occurrence of an @ sign
>>> in the name string.
>>> As the name string includes 2 occurrences, the domain resulting from
>>> that (virtual_domain@idmap_domain) fails to match the configured idmap
>>> domain (idmap_domain), and this causes idmap to return a null value.
>>> Switching from "strchr" to "strrchr" simply fixes the problem, as it
>>> would look for the last occurrence rather than the first one and
>>> therefore has a resulting domain that matches the idmap one.
>>> This obviously makes sense, as a URI should be read from right to left
>>> and not from left to right when handling domains.
>>> The idmap domain is this way the root domain, and all virtual domains
>>> included in the usernames it handles will not conflict with it.
>>>
>>> A patch is included here below :
>>>
>>> libnfsidmap_0.23_fix_at_sign_user_with_domain.diff
>>>
>>> //////////////////////////////////////////////////////////////////
>>>
>>> --- libnfsidmap-0.23.orig/nss.c 2009-07-29 22:19:06.000000000 +0200
>>> +++ libnfsidmap-0.23/nss.c 2010-05-11 15:02:13.000000000 +0200
>>> @@ -135,7 +135,7 @@
>>> char *l = NULL;
>>> int len;
>>>
>>> - c = strchr(name, '@');
>>> + c = strrchr(name, '@');
>>> if (c == NULL&& domain != NULL)
>>> goto out;
>>> if (c == NULL&& domain == NULL) {
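Review bot: the context lines of this quoted copy read `if (c == NULL&& domain != NULL)`, with the space before `&&` lost in transit, so the hunk's context no longer matches the other copies of the same patch and it may not apply cleanly from the message body. Apply from the attached .diff instead, or resend the patch inline with a mailer that does not alter whitespace.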
>>>
>>> //////////////////////////////////////////////////////////////////
>>>
>>> The patch applies to all archs.
>>> Versions checked :
>>> Debian :
>>> libnfsidmap2 0.18-0 (oldstable)
>>> libnfsidmap2 0.20-1 (stable)
>>> libnfsidmap2 0.23-2 (testing,unstable)
>>>
>>> -- System Information:
>>> Debian Release: 5.0.4
>>> APT prefers stable
>>> APT policy: (500, 'stable')
>>> Architecture: amd64 (x86_64)
>>>
>>> Kernel: Linux 2.6.26-2-amd64 (SMP w/1 CPU core)
>>> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
>>> Shell: /bin/sh linked to /bin/bash
>>>
>>> Versions of packages libnfsidmap2 depends on:
>>> ii libc6 2.7-18lenny2 GNU C Library: Shared libraries
>>> ii libldap-2.4-2 2.4.11-1+lenny1 OpenLDAP libraries
>>>
>>> Ramzi HABIB
>>> ramzi<at> nomado.eu
>>>
>
[-- Attachment #2: libnfsidmap_0.20-1_fix_at_sign_user_with_domain.diff --]
[-- Type: text/plain, Size: 318 bytes --]
--- libnfsidmap-0.20.orig/nss.c 2007-02-05 17:13:05.000000000 +0100
+++ libnfsidmap-0.20/nss.c 2010-05-11 14:35:55.000000000 +0200
@@ -135,7 +135,7 @@
char *l = NULL;
int len;
- c = strchr(name, '@');
+ c = strrchr(name, '@');
if (c == NULL && domain != NULL)
goto out;
if (c == NULL && domain == NULL) {
[-- Attachment #3: libnfsidmap_0.21_up_fix_at_sign_user_with_domain_plus_realm_fix.diff --]
[-- Type: text/plain, Size: 521 bytes --]
--- libnfsidmap-0.23.orig/nss.c 2009-07-29 22:19:06.000000000 +0200
+++ libnfsidmap-0.23/nss.c 2010-05-11 17:34:03.000000000 +0200
@@ -135,7 +135,7 @@
char *l = NULL;
int len;
- c = strchr(name, '@');
+ c = strrchr(name, '@');
if (c == NULL && domain != NULL)
goto out;
if (c == NULL && domain == NULL) {
@@ -276,7 +276,7 @@
return -EINVAL;
/* get princ's realm */
- princ_realm = strstr(princ, "@");
+ princ_realm = strrchr(princ, '@');
if (princ_realm == NULL)
return -EINVAL;
princ_realm++;
[-- Attachment #4: libnfsidmap_0.21_up_fix_at_sign_user_realm_fix.diff --]
[-- Type: text/plain, Size: 334 bytes --]
--- libnfsidmap-0.23.orig/nss.c 2009-07-29 22:19:06.000000000 +0200
+++ libnfsidmap-0.23/nss.c 2010-05-11 17:34:03.000000000 +0200
@@ -276,7 +276,7 @@
return -EINVAL;
/* get princ's realm */
- princ_realm = strstr(princ, "@");
+ princ_realm = strrchr(princ, '@');
if (princ_realm == NULL)
return -EINVAL;
princ_realm++;
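The first-'@' versus last-'@' split described in the bug report, as an added example that is not part of the original message or of libnfsidmap. `local_part` and `split_gives` are hypothetical helpers, the names passed in are constructed samples, and the case-insensitive domain comparison is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not libnfsidmap's strip_domain(): split `name` at the
 * first '@' (use_last == 0) or the last '@' (use_last != 0) and return a
 * malloc'd copy of the local part only when the domain part equals `domain`.
 * Returns NULL on no '@', an empty local or domain part, or a mismatch. */
char *local_part(const char *name, const char *domain, int use_last)
{
    const char *at = use_last ? strrchr(name, '@') : strchr(name, '@');
    size_t len;
    char *out;

    if (at == NULL || at == name || at[1] == '\0')
        return NULL;                    /* nothing to split, or an empty part */
    if (strcasecmp(at + 1, domain) != 0)
        return NULL;                    /* domain part is not the idmap domain */
    len = (size_t)(at - name);
    out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, name, len);
    out[len] = '\0';
    return out;
}

/* 1 if the split yields exactly `want`; a NULL `want` means "no mapping". */
int split_gives(const char *name, const char *domain, int use_last, const char *want)
{
    char *got = local_part(name, domain, use_last);
    int ok = (got == NULL) ? (want == NULL) : (want != NULL && strcmp(got, want) == 0);
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed name in the user@virtual_domain@idmap_domain form. */
    const char *n = "alice@shop.example@nfs.example";
    char *first = local_part(n, "nfs.example", 0);
    char *last = local_part(n, "nfs.example", 1);

    printf("first '@': %s\n", first ? first : "(no mapping)");
    printf("last  '@': %s\n", last ? last : "(no mapping)");
    free(first);
    free(last);
    return 0;
}
```

A name whose only '@' belongs to the virtual domain still fails to map under either rule, because that virtual domain is what gets compared with the idmap domain.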