[Freeipa-devel] [PATCH] Don't segfault on adding user outside domains

Stephen Gallagher sgallagh at redhat.com
Tue Jul 28 14:02:52 UTC 2009



On 07/28/2009 08:58 AM, Jakub Hrozek wrote:
> On 05/26/2009 01:44 PM, Stephen Gallagher wrote:
>> On 05/25/2009 08:35 AM, Jakub Hrozek wrote:
>>> Found this when working on tools testsuite..
>>>
>>> If the user enters UID outside any domain ranges, we invoke the legacy
>>> tools. But that was broken since the code read on domain->xxx even in
>>> this case, when domain == NULL. Fix attached.
>>>
>>> Jakub
>>>
> 
> I'm sorry, I absolutely forgot about this thread. Luckily, Jenny
> reminded me with ticket #86 :-)
> 
>> Nack.
>> The only way to enter the useradd_legacy() function is for the domain to
>> be NULL. There will never be a case where the USERADD_UID_MIN/MAX will
>> be used. I think we need to rethink how to generate that portion of the
>> parameter, because we want to ensure that the legacy useradd doesn't
>> step on the toes of one of our domains.
> 
> 
> I disagree. If you consider having two domains, LEGACYLOCAL that handles
> IDs of 500-999 and LOCAL that handles 1000-1999, there are two ways to
> enter the useradd_legacy function:
> 1) specify UID in the LEGACYLOCAL range, i.e. "sss_useradd -u 999 foo"
> 2) specify UID outside any known domain
> 
> There will be a third way once I implement a fix for #513670 and that
> would be "sss_useradd foo@LEGACYLOCAL" - where you really need to pass
> USERADD_UID_MIN/MAX since you don't care about the specific UID, you
> only want it to be in the range given by LEGACYLOCAL domain.
> 
> 
>> Perhaps try creating local users where the USERADD_UID_MAX is the value
>> of the lowest supported domain, except where this is impossible (we have
>> a domain handling UID 1), in which case we set the USERADD_UID_MIN to
>> the highest max domain range. If this is also impossible (such as having
>> a domain with no maximum), then exit out and instruct the user to
>> specify the uid and gid manually because no automatic value could be
>> determined.
> 
> 

My understanding was that we were trying to avoid using domain names as
reserved words. That's why we're using provider=local instead of the
LOCAL domain name.

The problem is that LEGACYLOCAL is just a special case of the proxy. If
we wanted to do this, we would need to add a provider=legacylocal that is
an alias for proxy. (That way they can name their domain whatever they want.)

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
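The two pieces of logic argued over above, as an added illustration that is not SSSD's code and not the patch under discussion: a lookup that returns NULL when the requested UID falls outside every configured domain (the caller must check that result, which is the segfault the patch title refers to), and the fallback range selection proposed in the quoted reply (a legacy range below the lowest domain, else above the highest bounded domain, else give up and ask the user for explicit IDs). The `struct dom` record, its field names, the `sample_domains` table, `find_domain_for_uid`, `legacy_uid_range`, and the `default_min`/`default_max` stand-ins for login.defs UID_MIN/UID_MAX are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical domain record for this illustration; it is not SSSD's
 * own domain struct, and the field names are assumptions. */
struct dom {
    const char *name;
    uid_t id_min;
    uid_t id_max;          /* 0 means the domain has no upper bound */
};

/* Constructed sample configuration: the two domains named in the thread. */
const struct dom sample_domains[] = {
    { "LEGACYLOCAL",  500,  999 },
    { "LOCAL",       1000, 1999 },
};
const size_t sample_n = sizeof(sample_domains) / sizeof(sample_domains[0]);

/* Return the domain whose ID range contains uid, or NULL when none does.
 * Callers must test for NULL before reading any domain->field; reading
 * domain->xxx through a NULL result is the crash being fixed. */
const struct dom *find_domain_for_uid(const struct dom *doms, size_t n, uid_t uid)
{
    for (size_t i = 0; i < n; i++) {
        if (uid >= doms[i].id_min &&
            (doms[i].id_max == 0 || uid <= doms[i].id_max)) {
            return &doms[i];
        }
    }
    return NULL;
}

/* Fallback range for the legacy useradd, following the proposal in the
 * quoted reply. default_min/default_max stand in for UID_MIN/UID_MAX
 * from login.defs (assumed values; not read from the system here). */
bool legacy_uid_range(const struct dom *doms, size_t n,
                      uid_t default_min, uid_t default_max,
                      uid_t *out_min, uid_t *out_max)
{
    uid_t lowest_min = (uid_t)-1;     /* uid_t is unsigned */
    uid_t highest_max = 0;
    bool unbounded = false;

    for (size_t i = 0; i < n; i++) {
        if (doms[i].id_min < lowest_min)
            lowest_min = doms[i].id_min;
        if (doms[i].id_max == 0)
            unbounded = true;
        else if (doms[i].id_max > highest_max)
            highest_max = doms[i].id_max;
    }

    if (lowest_min > default_min) {               /* room below every domain */
        *out_min = default_min;
        *out_max = lowest_min - 1;
        return true;
    }
    if (!unbounded && highest_max < default_max) { /* room above every domain */
        *out_min = highest_max + 1;
        *out_max = default_max;
        return true;
    }
    return false;   /* no safe range: user must pass -u/-g explicitly */
}

int main(void)
{
    uid_t lo, hi;
    uid_t requested[] = { 999, 1500, 5000 };

    for (size_t i = 0; i < 3; i++) {
        const struct dom *d = find_domain_for_uid(sample_domains, sample_n, requested[i]);
        if (d != NULL) {                          /* the missing NULL check */
            printf("uid %u: handled by domain %s\n", (unsigned)requested[i], d->name);
        } else {
            printf("uid %u: outside every domain, invoking legacy tools\n",
                   (unsigned)requested[i]);
        }
    }

    if (legacy_uid_range(sample_domains, sample_n, 500, 60000, &lo, &hi))
        printf("legacy useradd may allocate from %u-%u\n", (unsigned)lo, (unsigned)hi);
    else
        fprintf(stderr, "no automatic UID range; specify uid and gid manually\n");
    return 0;
}
```

With the sample table, the first rule cannot apply (LEGACYLOCAL already starts at the assumed UID_MIN of 500), so the legacy range is placed above LOCAL at 2000-60000; a table whose lowest domain starts at UID 1 with no upper bound makes both rules fail and the function reports that no range could be determined.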