Issues with AD/IPA Trust works & how SSSD deals with AD users.
Lets say we have a IPA domain linux.example.com & AD domain
win.example.com, We setup IPA/AD trust so that Windows domain users can
login into Linux, When we setup AD Trust with IPA, AD users login as
username@AD_REALM, With our example above, username will be
"user@xxxxxxxxxxxxxxx" Without @win.example.com that user will be
searched only in IPA domain not in AD domain. That is the reason @DOMAIN
part is important in SSSD when dealing with IPA-AD trust.
With current behaviour the client-side code is stripping the domain off
based on the location of the first "@" character in the value returned
by the server. This results in UID/GID mappings failing and resulting in
ownership on the clients as "nobody".
With the provided patch, we can accept fully qualified usernames.
commit 7ff76ddf2e37d595732d9c8e534de8aa530eb57a
Author: Shijoe Panjikkaran <spanjikk@xxxxxxxxxx>
Date: Tue Apr 1 20:53:54 2014 +0530
nss: strrchr() instead of strchr() to get the last occurrence of "@"
Signed-off-by: Shijoe Panjikkaran <spanjikk@xxxxxxxxxx>
diff --git a/nss.c b/nss.c
index b2b1227..f8129fe 100644
--- a/nss.c
+++ b/nss.c
@@ -135,7 +135,7 @@ static char *strip_domain(const char *name, const char *domain)
char *l = NULL;
int len;
- c = strchr(name, '@');
+ c = strrchr(name, '@');
if (c == NULL && domain != NULL)
goto out;
if (c == NULL && domain == NULL) {
