[Authentication] When does 'realm discover' return two sections for the one realm, with one not configured?
Richard Sharpe
realrichardsharpe at gmail.com
Thu Oct 17 02:04:11 UTC 2019
On Wed, Oct 16, 2019 at 6:07 PM Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
>
> > We are using sssd 1.16.1 and have no changes in the realm code or the
> > SSSDConfig utility.
>
> I have managed to reproduce, I believe, the problem. I did it by
> specifying an uppercase domain name when setting up a new domain.
>
> This is what I now see with 'realm discover -v BAD.AD.TEST'
> ---------------------
> $ realm discover -v BAD.AD.TEST
> * Resolving: _ldap._tcp.bad.ad.test
> * Performing LDAP DSE lookup on: 10.200.8.100
> * Successfully discovered: BAD.AD.TEST
> BAD.AD.TEST
> type: kerberos
> realm-name: BAD.AD.TEST
> domain-name: BAD.AD.TEST
> configured: no
> server-software: active-directory
> client-software: sssd
> required-package: oddjob
> required-package: oddjob-mkhomedir
> required-package: sssd
> required-package: adcli
> required-package: samba-common-tools
> bad.ad.test
> type: kerberos
> realm-name: BAD.AD.TEST
> domain-name: bad.ad.test
> configured: no
> ------------------
>
> I never see the second, lower-case realm/domain when the domain is
> created with a lowercase name to begin with.
Here is a fix for the problem. Domain names are canonicalized to lower
case in realmd:
-------------
--- a/service/realm-sssd-config.c.orig 2019-10-17 01:22:09.518635587 +0000
+++ a/service/realm-sssd-config.c 2019-10-17 01:25:36.705920722 +0000
@@ -70,8 +70,12 @@
gchar *
realm_sssd_config_domain_to_section (const gchar *domain)
{
+ char *inter, *fixed_dom;
g_return_val_if_fail (domain != NULL, NULL);
- return g_strdup_printf ("domain/%s", domain);
+ fixed_dom = g_ascii_strdown(domain, strlen(domain));
+ inter = g_strdup_printf ("domain/%s", fixed_dom);
+ g_free(fixed_dom);
+ return inter;
}
gboolean
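Review bot: In `realm_sssd_config_domain_to_section`, the added `g_ascii_strdown(domain, strlen(domain))` call depends on `strlen`, and nothing in this hunk shows `<string.h>` being included. Passing `-1` as the length makes GLib treat `domain` as NUL-terminated and drops that dependency: `fixed_dom = g_ascii_strdown (domain, -1);`. The new lines also use `char *` and omit the space before the call parenthesis, while the surrounding code uses `gchar *` and the `g_strdup_printf (...)` style. Because the returned section name is now always lower case, a short comment saying so would help, and it is worth confirming how a configuration that already contains a section named with the upper-case form (the `BAD.AD.TEST` case from the report) is handled, since this function no longer produces that name.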
--- a/tests/test-sssd-config.c 2019-10-17 01:37:13.858344394 +0000
+++ a/tests/test-sssd-config.c.orig 2019-10-17 01:38:26.777074923 +0000
@@ -68,7 +68,7 @@
g_free (section);
section = realm_sssd_config_domain_to_section ("Another");
- g_assert_cmpstr (section, ==, "domain/Another");
+ g_assert_cmpstr (section, ==, "domain/another");
g_free (section);
}
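Review bot: The file header for this hunk has its sides swapped: `--- a/tests/test-sssd-config.c` and `+++ a/tests/test-sssd-config.c.orig` name the `.orig` file as the new side, the opposite of the header for `service/realm-sssd-config.c`, so a tool that takes its target from the `+++` line will look for the `.orig` file. Regenerating the diff with the `.orig` file as the old side fixes that. The changed assertion only covers `"Another"`; a case using a fully upper-case dotted name like the `BAD.AD.TEST` form from the report, plus one that is already lower case, would pin down the behaviour this fix is meant to guarantee.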
------------
I have tested this both against the bad domain, BAD.AD.TEST, which was
created with an uppercase domain name, and the good domain,
win.ad.test and it works in both cases.
Attached is the patch because the above likely will not apply!
--
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. --Cao Cao) (Legend has it that Du Kang was the inventor of wine)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: realm-canon-domain-1.patch
Type: application/octet-stream
Size: 883 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/authentication/attachments/20191016/79b168ac/attachment.obj>