[Authentication] When does 'realm discover' return two sections for the one realm, with one not configured?

Sumit Bose sbose at redhat.com
Thu Oct 17 18:06:22 UTC 2019


On Wed, Oct 16, 2019 at 07:04:11PM -0700, Richard Sharpe wrote:
> On Wed, Oct 16, 2019 at 6:07 PM Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
> >
> > > We are using sssd 1.16.1 and have no changes in the realm code or the
> > > SSSDConfig utility.
> >
> > I have managed to reproduce, I believe, the problem. I did it by
> > specifying an uppercase domain name when setting up a new domain.
> >
> > This is what I now see with 'realm discover -v BAD.AD.TEST'
> > ---------------------
> >  $ realm discover -v BAD.AD.TEST
> >  * Resolving: _ldap._tcp.bad.ad.test
> >  * Performing LDAP DSE lookup on: 10.200.8.100
> >  * Successfully discovered: BAD.AD.TEST
> > BAD.AD.TEST
> >   type: kerberos
> >   realm-name: BAD.AD.TEST
> >   domain-name: BAD.AD.TEST
> >   configured: no
> >   server-software: active-directory
> >   client-software: sssd
> >   required-package: oddjob
> >   required-package: oddjob-mkhomedir
> >   required-package: sssd
> >   required-package: adcli
> >   required-package: samba-common-tools
> > bad.ad.test
> >   type: kerberos
> >   realm-name: BAD.AD.TEST
> >   domain-name: bad.ad.test
> >   configured: no
> > ------------------
> >
> > I never see the second, lower-case realm/domain when the domain is
> > created with a lowercase name to begin with.

Hi,

Thanks for the analysis. After creating a domain with upper-case letters
in the name I'm able to reproduce this as well.

> 
> Here is a fix for the problem. Domain names are canonicalized to lower
> case in realmd:

Thanks for the fix, would you mind opening a new merge request at
https://gitlab.freedesktop.org/realmd/realmd/merge_requests/new ? If you
prefer, I can open one for you as well.

bye,
Sumit

> -------------
> --- a/service/realm-sssd-config.c.orig  2019-10-17 01:22:09.518635587 +0000
> +++ a/service/realm-sssd-config.c       2019-10-17 01:25:36.705920722 +0000
> @@ -70,8 +70,12 @@
>  gchar *
>  realm_sssd_config_domain_to_section (const gchar *domain)
>  {
> +       char *inter, *fixed_dom;
>         g_return_val_if_fail (domain != NULL, NULL);
> -       return g_strdup_printf ("domain/%s", domain);
> +       fixed_dom = g_ascii_strdown(domain, strlen(domain));
> +       inter = g_strdup_printf ("domain/%s", fixed_dom);
> +       g_free(fixed_dom);
> +       return inter;
>  }
> 
>  gboolean
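
Review bot: The g_ascii_strdown call added in realm_sssd_config_domain_to_section relies on strlen(), and the hunk does not show <string.h> being included; g_ascii_strdown accepts -1 as the length of a NUL-terminated string, so `fixed_dom = g_ascii_strdown (domain, -1);` removes that dependency. The added lines write `g_ascii_strdown(` and `g_free(` without the space before the parenthesis that the surrounding code uses (`g_return_val_if_fail (`, `g_strdup_printf (`), and declare `char *` where the function signature uses `gchar *`. g_ascii_strdown folds only ASCII letters, so a one-line comment stating that section names are lower-cased here would document the new behaviour for callers.
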
> --- a/tests/test-sssd-config.c  2019-10-17 01:37:13.858344394 +0000
> +++ a/tests/test-sssd-config.c.orig     2019-10-17 01:38:26.777074923 +0000
> @@ -68,7 +68,7 @@
>         g_free (section);
> 
>         section = realm_sssd_config_domain_to_section ("Another");
> -       g_assert_cmpstr (section, ==, "domain/Another");
> +       g_assert_cmpstr (section, ==, "domain/another");
>         g_free (section);
>  }
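
Review bot: The file header for this hunk has the names swapped (`--- a/tests/test-sssd-config.c` and `+++ a/tests/test-sssd-config.c.orig`), the reverse of the first file's header, so as written the change targets the .orig file; regenerate the diff with the .orig file on the `---` side. The updated assertion only covers the mixed-case input "Another"; adding a second assertion with an all-uppercase dotted name would exercise the case the fix is meant for.
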
> ------------
> 
> I have tested this both against the bad domain, BAD.AD.TEST, which was
> created with an uppercase domain name, and the good domain,
> win.ad.test and it works in both cases.
> 
> Attached is the patch because the above likely will not apply!
> 
> -- 
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)(传说杜康是酒的发明者)

