Thanks. Unless someone else sees a problem with this, I'll apply it.

On Tue, May 11, 2010 at 9:07 AM, HABIB Ramzi <ramzi@xxxxxxxxx> wrote:
> Subject: libnfsidmap: Virtual domains/users handling with at sign in idmap
> Package: libnfsidmap
> Version: 0.23
> Severity: normal
> Tags: patch
>
> *** Please type your report below this line ***
>
> Idmap fails to map uid to localname or vice versa in case an 'at' ( @ ) sign
> is included in the localname.
> This is particularly the case of virtual domains username where
> a user@virtual_domain is in fact the username and its @ sign conflicts with
> username@idmap_domain format used by idmap to handle uid/localname
> conversions.
> Where username = user@virtual_domain.
> Idmap is still able to map uid/localname correctly when the username does not
> include an @ sign.
> Both NFS Server and Client are PAM/NSS clients of an OpenLDAP Server that
> handles users & groups. NFSv4 is used and without kerberos and "nsswitch"
> Translation method is used rather than umich_ldap.
> Idmap looks for the first occurrence of an @ sign in the name string
> and assumes that the @ sign is the one of user@virtual_domain rather than
> using the one of username@idmap_domain (user@virtual_domain@idmap_domain).
> The function "strip_domain" is defined in nss.c file and uses "strchr"
> function on line 138 to find the first occurrence of an @ sign from the name
> string.
> As the name string includes 2 occurrences, the domain resulting from that
> (virtual_domain@idmap_domain) fails to match with the configured idmap domain
> (idmap_domain) and this causes idmap to return a null value.
> Switching from "strchr" to "strrchr" simply fixes the problem as it would look
> for the last occurrence rather than the first one and therefore has a resulting
> domain that matched the idmap one.
> This obviously makes sense as a URI should be read from right to left and not
> from left to right when handling domains.
> The idmap domain is this way the root domain and all virtual domains included
> in the username it handles will not conflict with it.
>
> A patch is included here below :
>
> libnfsidmap_0.23_fix_at_sign_user_with_domain.diff
>
> //////////////////////////////////////////////////////////////////
>
> --- libnfsidmap-0.23.orig/nss.c 2009-07-29 22:19:06.000000000 +0200 > +++ libnfsidmap-0.23/nss.c 2010-05-11 15:02:13.000000000 +0200 > @@ -135,7 +135,7 @@ > char *l = NULL; > int len; > > - c = strchr(name, '@'); > + c = strrchr(name, '@'); > if (c == NULL && domain != NULL) > goto out; > if (c == NULL && domain == NULL) {
>
> //////////////////////////////////////////////////////////////////
>
> The patch applies to all archs.
> Versions checked :
> Debian :
> libnfsidmap2 0.18-0 (oldstable)
> libnfsidmap2 0.20-1 (stable)
> libnfsidmap2 0.23-2 (testing,unstable)
>
> -- System Information:
> Debian Release: 5.0.4
> APT prefers stable
> APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.26-2-amd64 (SMP w/1 CPU core)
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages libnfsidmap2 depends on:
> ii libc6 2.7-18lenny2 GNU C Library: Shared libraries
> ii libldap-2.4-2 2.4.11-1+lenny1 OpenLDAP libraries
>
> Ramzi HABIB
> ramzi <at> nomado.eu
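
Review bot: The changed line "c = strrchr(name, '@');" in the nss.c hunk carries no comment saying why the last '@' is the separator. A one-line comment that the local part may itself contain '@' (user@virtual_domain@idmap_domain) would stop a later cleanup from switching it back to strchr. The context lines only show the c == NULL cases, so it is also worth confirming that a name ending in '@' (empty domain) and a bare user@virtual_domain with no idmap domain appended are both rejected by the domain comparison that follows, because with the last-'@' rule the virtual domain is now the string compared against the configured domain in that second case.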
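
The first-'@' versus last-'@' split described in the report, as an added example that is not part of the original thread and is not libnfsidmap's code. split_name() is a hypothetical helper, the sample names are constructed, and the case-insensitive domain comparison is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not libnfsidmap's strip_domain(): split an NFSv4
 * "localname@idmap_domain" string and copy the local part to out.
 * use_last selects strrchr (last '@') instead of strchr (first '@').
 * Returns 0 on success, -1 if the name is malformed, the domain does
 * not match, or out is too small. */
int split_name(const char *name, const char *domain, int use_last,
               char *out, size_t outlen)
{
    const char *at = use_last ? strrchr(name, '@') : strchr(name, '@');
    size_t len;

    if (at == NULL || at == name || at[1] == '\0')
        return -1;              /* no '@', empty local part, or empty domain */
    if (strcasecmp(at + 1, domain) != 0)   /* assumption: case-insensitive */
        return -1;              /* suffix is not the configured idmap domain */
    len = (size_t)(at - name);
    if (len >= outlen)
        return -1;              /* never truncate a user name silently */
    memcpy(out, name, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed samples; "idmap_domain" stands for the configured domain. */
    const char *samples[] = {
        "alice@idmap_domain",
        "user@virtual_domain@idmap_domain",
        "user@virtual_domain",
        "user@idmap_domain@",
    };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int first = split_name(samples[i], "idmap_domain", 0, buf, sizeof(buf));
        int last = split_name(samples[i], "idmap_domain", 1, buf, sizeof(buf));
        printf("%-36s first-@: %-5s last-@: %s\n", samples[i],
               first == 0 ? "ok" : "fail", last == 0 ? "ok" : "fail");
    }
    return 0;
}
```

Only the second sample changes outcome between the two rules; the bare user@virtual_domain and the trailing-'@' name are rejected either way.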