57c5ea8825c7179fd93382dbcbb07e828e5aec19 |
|
29-Jan-2018 |
René Genz <liebundartig@freenet.de> |
Fix minor spelling mistakes in tests/cmocka/*
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
caae0e53e6091806634943699f4398b6a20273b4 |
|
21-Nov-2017 |
Michal Židek <mzidek@redhat.com> |
TESTS: Order list of entries in some lists
Some tests started to fail because we depended on specific
order of users in groups or messages in ldb results to be
returned and that order changed.
This patch adds simple helper functions into these tests
that order the entries before comparison with expected results.
more deterministic.
Resolves:
https://pagure.io/SSSD/sssd/issue/3563
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
85da8a5e90bffc8b0fef5e0ea364a8d3cb50de86 |
|
06-Nov-2017 |
Sumit Bose <sbose@redhat.com> |
NSS/TESTS: add unit tests for *_EX requests
The patch adds unit tests for the new *_EX requests with different input
types and flags.
Related to https://pagure.io/SSSD/sssd/issue/2478
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
86526891366c4bc3e1ee861143b736d2670a6ba8 |
|
21-Jun-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
RESPONDER: Use fqnames as output when needed
As some regressions have been caused by not handling properly naming
conflicts when using shortnames, let's explicitly use fully qualified
names as output in the following situations:
- domain resolution order is set;
- a trusted domain has been using `use_fully_qualified_name = false`
In both cases we want to ensure that even handling shortnames as input,
the output will always be fully qualified.
As part of this patch, our tests ended up being modified to reflect the
changes done. In other words, the tests related to shortnames now
expect as return a fully qualified name for trusted domains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3403
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
71731d26dc4f2c36989779f327b0e9a399486e14 |
|
10-May-2017 |
Sumit Bose <sbose@redhat.com> |
sss_nss_getlistbycert: return results from multiple domains
Currently only the results from one domain were returned although all
domains were searched and the results were available. Unit tests are
updated to cover this case as well.
Resolves https://pagure.io/SSSD/sssd/issue/3393
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
ed518f61f1a5d4cf5d87eec492c158725a73d6a1 |
|
26-Apr-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
NSS/TESTS: Improve non-fqnames tests
With the changes that are about to happen we have to have the subdomain's
fqnames flag set by the time we populate the cr_domains list (as it
actually occurs with the real code), as this list may set its own fqnames
flag based on the subdomain's fqnames flag.
Currently the flag is set to false only when running the tests itself so
the cr_domains list doesn't get populated properly (although it still
works with the current code).
For the changes that are coming, let's introduce a new setup function
that ensures that the subdomain's fqnames flag is set up in the right
time.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
66c8e92eb5a4985bb7f64c349a53b08030a000cf |
|
29-Mar-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
CACHE_REQ: Make use of domainResolutionOrder
domainResolutionOrder has been introduced in the previous commits and
allows the admin to set up a specific order in which the domains will be
resolved during a lookup and with this patch we can take advantage of
this.
In order to have it working a new structure has been added
(struct domain_resolution_order) to the responder context and will be
used by the cache_req to perform the lookups based on this list.
As the ipaDomainResolutionOrder may be set globally on IPA or per View,
SSSD does respect the following precedence order: View > Globally.
The way the list is built is quite simple, basically having the domains
present on ipaDomainResolutionOrder as the first domains (in that
specific order) and then appending the remaining domains to this list.
The final result is a completely flat list with all the domains
respecting the specified order (it's important to remember that the
domains not specified won't follow any specific order, they're just
"random" based on the domains list present in the responder context).
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
5856a621ac5909ca96520ac5a809eb83fd46d8bc |
|
29-Mar-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
NSS/TESTS: Include searches for non-fqnames members of a subdomain
Let's extend the NSS tests in order to also test looking up users, from
a subdomain, by their short names (non fully qualified names).
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
a3442e4a268ad2172c89d58e6daa759eb4b39e7c |
|
29-Mar-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
NSS/TESTS: Improve setup/teardown for subdomains tests
This patch basically makes the getgrnam_members_subdom(),
getgrnam_mix_dom(), getgrnam_mix_dom_fqdn() and getgrnam_mix_subdom()
more independent of each other.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
46c99a59c8d6501aa3ad701c567fba577924b48b |
|
29-Mar-2017 |
Pavel Březina <pbrezina@redhat.com> |
NSS/TESTS: Fix subdomains attribution
Related:
https://pagure.io/SSSD/sssd/issue/3001
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
a63d74f65db2db7389cd373cb37adcdaaa2d56ea |
|
29-Mar-2017 |
Michal Židek <mzidek@redhat.com> |
SUBDOMAINS: Allow use_fully_qualified_names for subdomains
Allow option use_fully_qualified_names in subdomain section.
This option was recently added to subdomain_inherit.
Resolves:
https://pagure.io/SSSD/sssd/issue/3337
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
440797cba931aa491bf418035f55935943e22b4b |
|
23-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
nss-idmap: add sss_nss_getlistbycert()
This patch adds a getlistbycert() call to libsss_nss_idmap to make it on
par with InfoPipe.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
81c564a0692aa4b719af2219f52894e6cd4bdf9f |
|
23-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
LDAP: always store the certificate from the request
Store the certificate used to lookup a user as mapped attribute in the
cached user object.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
8718ff9ccd29f6431bfa8630bfa3576b2692c9ee |
|
02-Mar-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Store UPN suffixes when creating a new subdomain
We used to store UPN suffixes pointer into the domain structure only if
the domain changed, not when a new domain was created. As an effect, the
enterprise principals flag was not enabled unless a domain changed,
preventing logins with enterprise principals.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
54039570d26e29444c398aa4ad6ba638f1713566 |
|
02-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
cache_req: use own namespace for UPNs
If the UPN uses the same domain name as the configured domain an
unsuccessful lookup by name will already create an entry in the negative
cache. If the lookup by UPN would use the same namespace the lookup will
immediately be finished because there would already be an entry in the
negative cache.
Resolves:
https://pagure.io/SSSD/sssd/issue/3313
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
8d5292227a8d1ab9c6aa5b88d8ac8655cd1223e5 |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
nss: make nss responder tests work with new code
There were a few types of changes that were required for tests to work:
1) When calling "get by name" commands, a name is parsed with
sss_parse_inp. Returned value is now mocked.
2) When calling "get by upn" commands, a name is parsed with
sss_parse_inp and negative cache is not hit in the first run
since cache_req knows it may be upn since it is not equal
to any known domain. Returned value of sss_parse_inp is now
mocked to return ERR_DOMAIN_NOT_FOUND and negative cache hits
are checked to be 0.
3) Lookups by certificate or sid do not require name parsing so
those have separate mock functions.
4) Sometimes the tests fail since a different number of mocked functions
is called due to changes in the code. Where possible, will_return_always()
is used, otherwise the number of mocked values was fixed.
5) In SID by name lookups, we set nss_test_ctx->tctx->done to false on
the beginning of the for cycle, since the code now contains tevent calls
and without it only the first request proceeds into tevent_loop in
test_ev_loop() because the first finished request sets it to true.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
0713b92ec9f10b6dd913dc56cbc7845d1b025ccb |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
responders: unify usage of sss_cmd_send_empty and _error
Originally sss_cmd_send_empty() called also sss_cmd_done() to send
an empty reply packet to the client whereas sss_cmd_send_error()
did not invoke this call and required the caller to call it manually.
For this reason, a possible error in users_find_by_cert_done() was not
sent to the caller.
This patch unifies the usage of those two functions in a way that both
of them only create the reply packet but do not send it. Another
sss_cmd_done() call is required to send the reply.
Because sss_cmd_done() is now always called, unit tests needed to be
changed to always mock a value for __wrap_sss_cmd_done.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
a22b0af1993a489c9c0e66fdc1083f43b410d12c |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
nss: move nss_ctx->global_names to rctx
Global names context is used to parse AD well known SIDs and names
into its opposite. This patch moves definition of this parameter
from nss responder into common responder context so it can be
used also by other responders.
This change will be used to enable looking up well known SIDs and
names directly in cache_req.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
03713a6444fdecd01465b9d5fbfead9601adce6e |
|
11-Oct-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
tests: Add tests for getorig by UPN NSS op
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
eb9bc1c590b8c3b3b58574c70d9fe5357ef3e901 |
|
11-Oct-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
tests: Add tests for sidbyname NSS operation
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
1594701fbdc341069e11cff9a85e7a795e52db3d |
|
29-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
views: properly override group member names
Resolves https://fedorahosted.org/sssd/ticket/2948
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
20348a30feb4be619b3b691c24c9be8131507c46 |
|
18-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: make subdomain calls aware of upn_suffixes
sysdb_subdomain_store() and sysdb_update_subdomains() can now update
upn_suffixes as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
35567de112cd5d82acb582cbdb44c8652bbdfda1 |
|
12-Jul-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
nss-srv-tests: Fix prototype of wrapped ncache functions
The argument ttl was recently removed from negative cache functions
(sss_ncache_check_user, sss_ncache_check_uid, sss_ncache_check_sid,
sss_ncache_check_cert) but it was not removed from wrapped versions
in nss-srv-tests. It caused a crash on machine with big endian
and when configured with --coverage.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
9decb708802b6483de58ec27feb310baa7892ed9 |
|
07-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
TESTS; orig_name does not need to be expanded to sysdb format
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
2dcf7b9b65df21f2aee6cdf051a7fbdef6dfe034 |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
NSS: Fix NSS responder to cope with fully-qualified usernames
Adds a utility function sized_output_name() which wraps the output_name()
function and returns the sized_struct structure. This function is used
when formatting the output name for the client, but also when
saving/deleting the memory cache entries.
Its sister function sized_member_name() is very similar, but infers the
domain name from memberuid or ghost attribute.
Because all names internally are used in the same format, the logic to
append domain or format the username for output in the fill_XXX() family
of functions is much simpler. In general, adding a domain suffix no
longer relies on the domain being a subdomain, but only the dom->fqnames
The parse_member() function was removed because it is no longer
required.
The nss test was amended to store names in the internal fqdn format on
input and checks for either shortnames or qualified names with the right
format created using sss_tc_fqname() on output.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
e43929e2cebc3140b550fb6305ba42b8465efc59 |
|
07-Jul-2016 |
Michal Zidek <mzidek@redhat.com> |
TESTS: Start fixing the NSS test for fully qualified names in sysdb
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4f3a9d837a55b49448eca3c713c85a406207e523 |
|
29-Jun-2016 |
Simo Sorce <simo@redhat.com> |
Responders: Make the client context more generic
This is useful to allow reusing the responder code with other protocols.
Store protocol data and responder state data behind opaque pointers and
use talloc_get_type to check they are of the right type.
This also allows to store per responder state_ctx so that, for example,
the autofs responder does not have to carry useless variables used only
by the nss responder.
Resolves:
https://fedorahosted.org/sssd/ticket/2918
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
1a45124f3f300f9afdcb08eab0938e5e7d0534d9 |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
NSS: add SSS_NSS_GETNAMEBYCERT request
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c34f3f7d2a4d9f50109d13cd7c9f2cbb9a11b3d0 |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDER: Removing ncache from nss_ctx
This patch switches ncache from nss_ctx to resp_ctx.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4f87f99f95891ebc0814e4566fa2defb4359b008 |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDER: Removing neg_timeout from nss responder
Timeout of negative cache is handled by internal negative cache
context. This patch removes neg_timeout from struct nss_ctx.
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
39d36216a1692eee6cc5359f6c7ccaa7789be76d |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
NEGCACHE: Adding timeout to struct sss_nc_ctx
It adds timeout of negative cache to handling
struct sss_nc_ctx.
There is one change in API of negative cache:
 * int sss_ncache_init(TALLOC_CTX *memctx,
                       uint32_t timeout,   <----- new
                       struct sss_nc_ctx **_ctx);
There is also one new function in common/responder:
 * errno_t responder_get_neg_timeout_from_confdb(struct confdb_ctx *cdb,
                                                 uint32_t *ncache_timeout);
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
343b053bc61792023003d077ae81c05ff1676a89 |
|
04-Nov-2015 |
Sumit Bose <sbose@redhat.com> |
NSS: fix a use-after-free issue
While handling well-known SIDs a debug statement tries to access memory that is
already freed. This can be seen with the following output from valgrind.
==17600== Invalid read of size 4
==17600== at 0x805ACC6: nss_cmd_getbysid (nsssrv_cmd.c:5458)
==17600== by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509)
==17600== by 0x80662F4: sss_cmd_execute (responder_cmd.c:161)
==17600== by 0x8067015: client_cmd_execute (responder_common.c:249)
==17600== by 0x80671F5: client_recv (responder_common.c:283)
==17600== by 0x806741C: client_fd_handler (responder_common.c:335)
==17600== by 0x45F5112: epoll_event_loop (tevent_epoll.c:728)
==17600== by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926)
==17600== by 0x45F32EE: std_event_loop_once (tevent_standard.c:114)
==17600== by 0x45EF3BF: _tevent_loop_once (tevent.c:530)
==17600== by 0x45EF5AB: tevent_common_loop_wait (tevent.c:634)
==17600== by 0x45F326E: std_event_loop_wait (tevent_standard.c:140)
==17600== by 0x45EF647: _tevent_loop_wait (tevent.c:653)
==17600== Address 0x4b248a0 is 72 bytes inside a block of size 88 free'd
==17600== at 0x402C26D: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17600== by 0x45FEC9E: _talloc_free_internal (talloc.c:1057)
==17600== by 0x45FEC9E: _talloc_free (talloc.c:1581)
==17600== by 0x8066085: sss_cmd_done (responder_cmd.c:93)
==17600== by 0x805A9B0: nss_check_well_known_sid (nsssrv_cmd.c:5382)
==17600== by 0x805AC86: nss_cmd_getbysid (nsssrv_cmd.c:5455)
==17600== by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509)
==17600== by 0x80662F4: sss_cmd_execute (responder_cmd.c:161)
==17600== by 0x8067015: client_cmd_execute (responder_common.c:249)
==17600== by 0x80671F5: client_recv (responder_common.c:283)
==17600== by 0x806741C: client_fd_handler (responder_common.c:335)
==17600== by 0x45F5112: epoll_event_loop (tevent_epoll.c:728)
==17600== by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926)
==17600== by 0x45F32EE: std_event_loop_once (tevent_standard.c:114)
==17600==
The patch contains a change to the unit tests which frees the memory in
the wrapper for sss_cmd_done() too. This allows to detect this kind of
issue in the unit tests as well.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
50c9d542e8bf641412debaa82a4dcf67ddb72258 |
|
18-Sep-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
tests: Use unique name for TEST_PATH
We had cases in patch where two tests were using the same TEST_PATH
and therefore they were stepping each other to the same files
which caused failures. These failures are not easy to reproduce.
This patch uses macro BASE_FILE_STEM for unique name. It should prevent
copy&paste problem resulting to intermittent failures.
@see also
https://www.gnu.org/software/make/manual/html_node/Automatic-Variables.html
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
90b8e2e47ecc0dd555cae401a0c9b082d12ab989 |
|
01-Sep-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
NSS: Don't ignore backslash in usernames with ldap provider
The regression was caused by changing default domain regex
for ldap provider in ticket #2717
Resolves:
https://fedorahosted.org/sssd/ticket/2772
Reviewed-by: Sumit Bose <sbose@redhat.com> |
e1aed98d7c195f844ac8e85050d04f3ca5f899b3 |
|
27-Jul-2015 |
Sumit Bose <sbose@redhat.com> |
negcache: allow domain name for UID and GID
Related to https://fedorahosted.org/sssd/ticket/2731
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4f1897ad419790834573643e88ac03e6c5c1c4be |
|
16-Jul-2015 |
Sumit Bose <sbose@redhat.com> |
nss_check_name_of_well_known_sid() improve name splitting
Currently in the default configuration
nss_check_name_of_well_known_sid() can only split fully-qualified names
in the user@domain.name style. DOM\user style names will cause an error
and terminate the whole request.
With this patch both styles can be handled by default, additionally if
the name could not be split nss_check_name_of_well_known_sid() returns
ENOENT which can be handled more gracefully by the caller.
Resolves https://fedorahosted.org/sssd/ticket/2717
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
429f8454a40b939604e9a96d780661a94a38da2e |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
tests: Move N_ELEMENTS definition to tests/common.h
Avoids code duplication
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
50936fc7230a9b3f01e285e72c4182013542f53e |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private
In order to make updating the subdomain list a two-step process.
Therefore we need to make sure that update_subdomains() is the only
interface towards the SSSD that changes the subdomain list.
Move the new_subdomain() function to sysdb_subdomains.c and only make it
available through a private header so it's usable by unit tests.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
ea224c3813a537639778f91ac762732b3c289603 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Store trust direction for subdomains
We need to store the subdomain trust direction in order to recover the
structure after SSSD restart.
The trust direction is a plain uint32_t to avoid leaking the knowledge
about AD trust directions to sysdb while at the same time making it easy
to compare values between sysdb and LDAP and avoid translating the
values.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
fd60528321fd52720222ec35b895ade54cccb48d |
|
22-May-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
nss: Do not ignore default value of SYSDB_INITGR_EXPIRE
When SYSDB_INITGR_EXPIRE had default value (0) then value of
SYSDB_CACHE_EXPIRE was used as initgroups expire attribute.
The right approach is already used in responder_cache_req.c
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
390de028b3130ae564059101c662fe74e0e85a45 |
|
22-May-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
test_nss_srv: Use right function for storing time_t
The size of time_t can be 8 bytes on some platforms.
It is because of year 2038 problem.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
bbd6f73bbad478a450ecfa2933a63de6dc269778 |
|
24-Apr-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
tests: Add NSS responder tests for bysid requests
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
aa648535f445e7a95bf6dedc7c43bb5f94ab7354 |
|
12-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
Add unit tests for initgroups
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
84a4c4fcc93b3dcc70604817a05f7943606ff596 |
|
12-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
tests: Add a getpwnam-by-UPN test
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
9cc2223e0bc0478c1b47a47fd71bba7e7129492d |
|
12-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
tests: ncache_hit must be an int to test UPNs
In order to detect faulty cases where negcache would be checked twice,
we need to convert the ncache_hit to integer and check exact amounts of
hits.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
4e5e846de22407f825fe3b4040d79606818a2419 |
|
11-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
tests: convert all unit tests to cmocka 1.0 or later
All tests now use the cmocka-1.0-compatible API.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
7543052f562f157f7b17fdc46a6777d80c0cb3bd |
|
20-Jan-2015 |
Sumit Bose <sbose@redhat.com> |
nss: Add original DN and memberOf to origbyname request
IPA HBAC evaluation relies on the original values for DN and memberOf
attributes.
Resolves https://fedorahosted.org/sssd/ticket/2560
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
5f4d896ec8e06476f4282b562b1044de14c48ecf |
|
20-Jan-2015 |
Sumit Bose <sbose@redhat.com> |
nss: make fill_orig() multi-value aware
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
cb4742876508a08ba90c82466c9dba708e4bf999 |
|
09-Jan-2015 |
Pavel Březina <pbrezina@redhat.com> |
tests: remove code duplication in single domain cleanup
Reviewed-by: Michal Židek <mzidek@redhat.com> |
e4549c5364461644723361d688badde7fe137a25 |
|
05-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
nss: return user_attributes in origbyname request
To allow IPA clients to offer special attributes of AD users from
trusted domain the extdom plugin on the IPA server must send them to the
clients. The extdom plugin already uses sss_nss_getorigbyname() to get
attributes like the SID and the user principal name. This patch adds the
attributes given by the NSS/IFP user_attributes option to the list of
attributes returned by sss_nss_getorigbyname().
Fixes https://fedorahosted.org/sssd/ticket/2464
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
229c292143dcd4120acb022682b5b7d0aca622dd |
|
14-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
nss: add SSS_NSS_GETORIGBYNAME request
This patch adds a new request to the nss responder which follows the
same flow as a SSS_NSSGETSIDBYNAME request but returns more data than
just the SID. The data is returned as pairs of \0-terminated strings
where the first string is the sysdb attribute name and the second the
corresponding value.
The main use case is on the FreeIPA server to make additional user and
group data available to the extdom plugin which then sends this data to
SSSD running on FreeIPA clients.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
61b58801f1e37c054affc99f6fe900f7b3ef7972 |
|
05-Sep-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
NSS: Use right domain for group members with fq names
If we query group from subdomain it can contain users from different domains.
All members from subdomain have fully qualified name, but members from main
domain aren't. In function fill_members, we extracted name and domain with
function fill_members. Later, we called function sss_fqname the first time
with queried group domain and the second time with parsed domain.
It caused following error in nss responder:
[fill_members] (0x0040): Failed to generate a fully qualified name for member
[user2_dom1@sssdad_tree.com] of group [group2_dom2@sssdad_tree.com]! Skipping
The test test_nss_getgrnam_mix_dom_fqdn passed, because name of main domain
and name of subdomain had the same length. Therefore there was no problem
in function fill_members with calling sss_fqname with different domains.
This patch also changes name of subdomain to prevent such problems in future.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
ef49e1d709c3cbb3eccbc22710964e1ffe2612c9 |
|
13-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
TESTS: Add unit tests for the replace-space functionality
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
f3a5ac1a50c1fccd0801023658e42d2093e1a33a |
|
13-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Make the space override responder-agnostic
https://fedorahosted.org/sssd/ticket/2397
In order to make the override_space option usable by other responders,
we need to move the override_space option to the generic responder
structure.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
1f3127e88a87953f059c9a70d3582ae1719594b1 |
|
13-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
Only replace space with the specified substitution
https://fedorahosted.org/sssd/ticket/2397
- make sss_replace_whitespaces only replace space (' ') not any
whitespace
- make sss_replace_whitespaces only replace a single char, not the whole
string
- rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to
CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
- rename the override_default_whitespace option to override_space
- rename sss_replace_whitespaces() to sss_replace_space()
- rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
- rename nctx->override_default_wsp_str to nctx->override_space
- make the return value of sss_replace_space non-const to avoid freeing
the result without compilation warnings
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
6b57784f0f175275fd900eca21c77415e3a5ea52 |
|
09-Jul-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
TOOLS: Always debug to stderr
https://fedorahosted.org/sssd/ticket/2348
Programs that are supposed to only be executed on the foreground should
log to stderr automatically.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
7caf7ed4f2eae1ec1c0717b4ee6ce78bdacd5926 |
|
22-Apr-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
RESPONDERS: Add a new request sss_parse_inp_send
The responders were copying code to parse input and on encountering an
unknown domain, send the discover subdomain request. This patch adds a
reusable request that can always be called in responders and in case the
name can be parsed, just shortcut.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
a044c9a1012d11a2a75e9976ebf186d2d781d291 |
|
03-Apr-2014 |
Pallavi Jha <pallavikumarijha@gmail.com> |
cmocka-unit-test-for-functions-getpwuid*-added
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a95c006f748fa9df0dd81509b51974133d2786af |
|
12-Mar-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
TEST: Remove unused argument sysdb_path
Name of sysdb file is automatically generated from domain name and db_path
in function sysdb_domain_init.
talloc_asprintf is called with arguments "%s/cache_%s.ldb", db_path, dom->name
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e \
            'use strict;
             use File::Slurp;
             my $text=read_file(\*STDIN);
             $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
             print $text;' < "$f.orig" > "$f"
        rm "$f.orig"
    done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
c86904baad32fbf9e66bf1cdc667aa5e683b48ba |
|
12-Jan-2014 |
Stef Walter <stefw@redhat.com> |
NSS: Don't use printf(3) on user provided strings.
This also fixes several corner cases and crashers.
It's not prudent to pass user (even admin) input as a
format string to printf, and various distros now check for this.
This can cause accessing memory incorrectly, and also
various libc abort()'s.
In addition various assumptions were made about full_name_format
that aren't necessarily the case if the user uses a more complex
format.
Use safe-printf.c implementation for formatting full_name_format.
Adapt the NSS resolver so it doesn't barf on formatted strings that
are shorter than expected given a full_name_format.
Tests added and updated appropriately. |
36c266d467e9105041b33e9b1cdcd9ff073d893e |
|
15-Nov-2013 |
Sumit Bose <sbose@redhat.com> |
nss: check for Well-Known SIDs in SID based requests |
32b976eb666044d106dd85e27f8d0bb1d7b6cd6c |
|
15-Nov-2013 |
Sumit Bose <sbose@redhat.com> |
nss-srv-tests: check packet status
Besides checking the content of output packets it might also be useful
to check the status. This is e.g. important if no results are expected
and the status should be set to ENOENT and not to any other error code. |
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2) |
b3292840ebaa747a9fd596ff47cc5d18198361d0 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module |
000e61bb652400215a9a851d3630cdc7307af398 |
|
29-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
NSS: Print FQDN for groups with mixed domain membership
This patch is a workaround until
https://fedorahosted.org/sssd/ticket/2129 is fixed properly.
Consider a group entry such as:
cn: subgroup@subdom
ghost: someuser
ghost: anotheruser@subdom
Currently in order to print all group members as FQDN (which is the default
for AD provider), the code needs to iterate over the ghost attributes and
parse them into (name,domain) and optionally re-add the domain.
The proper fix would be to store always just the FQDN in the hardcoded
form of user@domain |
34926c3809b19f9e70f18931e44bf993321647a8 |
|
29-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
TEST: Test getgrnam with emphasis on members |
777374243e15c53e7b0a7345e190c1018920be18 |
|
30-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Allow flat name in the FQname format
https://fedorahosted.org/sssd/ticket/1648
Adds another expansion in the printf format that allows the user to use
the domain flat name in the format. |
150b76e13b7c4f3ccf1d709bf517ca2af6b2c9a2 |
|
08-Mar-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
CMocka based test for the NSS responder |