From 8a80363e07b5c9309d785bf3b41f506f32a750a5 Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Tue, 14 Nov 2017 12:44:02 +0200

Subject: [PATCH] ipa-extdom-extop: refactor nsswitch operations

Refactor nsswitch operations in ipa-extdom-extop plugin to allow use

of timeout-enabled nsswitch calls provided by libsss_nss_idmap.

Standard POSIX nsswitch API has no way to cancel requests which may

cause ipa-extdom-extop requests to hang far too long and potentially

exhaust LDAP server workers. In addition, glibc nsswitch API iterates

through all nsswitch modules one by one and with multiple parallel

requests a lock up may happen in an unrelated nsswitch module like

nss_files.so.2.

A solution to the latter issue is to directly load nss_sss.so.2 plugin

and utilize it. This, however, does not solve a problem with lack of

cancellable API.

With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of

nsswitch API that is directly integrated with SSSD client side machinery

used by nss_sss.so.2. As result, this API can be used instead of loading

nss_sss.so.2 directly.

To support older SSSD version, both direct loading of nss_sss.so.2 and

new timeout-enabled API are supported by this changeset. An API to

abstract both is designed to be a mix between internal glibc nsswitch

API and external nsswitch API that libsss_nss_idmap mimics. API does not

expose per-call timeout. Instead, it allows to set a timeout per

nsswitch operation context to reduce requirements on information

a caller has to maintain.

A choice which API to use is made at configure time.

In order to test the API, a cmocka test is updated to explicitly load

nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always

depend on availablility of SSSD, predictable testing would not be

possible without it otherwise. Also, cmocka test does not use

nss_wrapper anymore because nss_wrapper overrides higher level glibc

nsswitch API while we are loading an individual nsswitch module

directly.

As result, cmocka test overrides fopen() call used by nss_files.so.2 to

load /etc/passwd and /etc/group. An overridden version changes paths to

/etc/passwd and /etc/group to a local test_data/passwd and

test_data/group. This way we can continue testing a backend API for

ipa-extdom-extop with the same data as with nss_wrapper.

Fixes https://pagure.io/freeipa/issue/5464

Reviewed-By: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Simo Sorce <ssorce@redhat.com>

Reviewed-By: Robbie Harwood <rharwood@redhat.com>

---

 configure.ac                                       |  25 +-

 .../ipa-slapi-plugins/ipa-extdom-extop/Makefile.am |  17 +-

 .../ipa-extdom-extop/back_extdom.h                 |  79 ++++++

 .../ipa-extdom-extop/back_extdom_nss_sss.c         | 276 +++++++++++++++++++++

 .../ipa-extdom-extop/back_extdom_sss_idmap.c       | 260 +++++++++++++++++++

 .../ipa-extdom-extop/ipa_extdom.h                  |  13 +-

 .../ipa-extdom-extop/ipa_extdom_cmocka_tests.c     | 241 +++++++++++++++---

 .../ipa-extdom-extop/ipa_extdom_common.c           | 242 +++++++++---------

 .../ipa-extdom-extop/ipa_extdom_extop.c            |  17 ++

 .../ipa-extdom-extop/test_data/test_setup.sh       |   3 -

 freeipa.spec.in                                    |   1 -

 server.m4                                          |  10 +

 12 files changed, 994 insertions(+), 190 deletions(-)

 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom.h

 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_nss_sss.c

 create mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c

 delete mode 100644 daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/test_setup.sh

diff --git a/configure.ac b/configure.ac

index e7a8b11153209fdfb4903cd3876e21a871a92f03..8a99b028886790aca211ddf164772920221f3ec7 100644

--- a/configure.ac

+++ b/configure.ac

@@ -140,30 +140,6 @@ PKG_CHECK_EXISTS(cmocka,

 )

 AM_CONDITIONAL([HAVE_CMOCKA], [test x$have_cmocka = xyes])

-dnl A macro to check presence of a cwrap (http://cwrap.org) wrapper on the system

-dnl Usage:

-dnl     AM_CHECK_WRAPPER(name, conditional)

-dnl If the cwrap library is found, sets the HAVE_$name conditional

-AC_DEFUN([AM_CHECK_WRAPPER],

-[

-    FOUND_WRAPPER=0

-

-    AC_MSG_CHECKING([for $1])

-    PKG_CHECK_EXISTS([$1],

-                     [

-                        AC_MSG_RESULT([yes])

-                        FOUND_WRAPPER=1

-                     ],

-                     [

-                        AC_MSG_RESULT([no])

-                        AC_MSG_WARN([cwrap library $1 not found, some tests will not run])

-                     ])

-

-    AM_CONDITIONAL($2, [ test x$FOUND_WRAPPER = x1])

-])

-

-AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER)

-

 dnl ---------------------------------------------------------------------------

 dnl - Check for POPT

 dnl ---------------------------------------------------------------------------

@@ -235,6 +211,7 @@ dnl ---------------------------------------------------------------------------

 AM_COND_IF([ENABLE_SERVER], [

     m4_include(server.m4)

 ])

+AM_CONDITIONAL([USE_SSS_NSS_TIMEOUT], [test "x$ac_cv_have_decl_sss_nss_getpwnam_timeout" = xyes])

 dnl ---------------------------------------------------------------------------

 dnl - Check if IPA certauth plugin can be build

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am

index 1213965c96607bf14c6c92ce592585aed1a125db..cbdd570eabeb12b95fdc26213a64749f9ba9fdde 100644

--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am

@@ -25,6 +25,7 @@ libipa_extdom_extop_la_SOURCES = 	\

 	ipa_extdom.h			\

 	ipa_extdom_extop.c		\

 	ipa_extdom_common.c		\

+	back_extdom.h			\

 	$(NULL)

 libipa_extdom_extop_la_LDFLAGS = -avoid-version

@@ -34,20 +35,29 @@ libipa_extdom_extop_la_LIBADD = 	\

 	$(SSSNSSIDMAP_LIBS)		\

 	$(NULL)

+# We have two backends for nss operations:

+# (1) directly loading nss_sss.so.2

+# (2) using timeout-enabled API from libsss_nss_idmap

+# We prefer (2) if available

+if USE_SSS_NSS_TIMEOUT

+libipa_extdom_extop_la_SOURCES += back_extdom_sss_idmap.c

+else

+libipa_extdom_extop_la_SOURCES += back_extdom_nss_sss.c

+endif

+

+

 TESTS =

 check_PROGRAMS =

 if HAVE_CMOCKA

-if HAVE_NSS_WRAPPER

-TESTS_ENVIRONMENT = . ./test_data/test_setup.sh;

 TESTS += extdom_cmocka_tests

 check_PROGRAMS += extdom_cmocka_tests

 endif

-endif

 extdom_cmocka_tests_SOURCES = 		\

 	ipa_extdom_cmocka_tests.c	\

 	ipa_extdom_common.c		\

+	back_extdom_nss_sss.c		\

 	$(NULL)

 extdom_cmocka_tests_CFLAGS = $(CMOCKA_CFLAGS)

 extdom_cmocka_tests_LDFLAGS = 	\

@@ -58,6 +68,7 @@ extdom_cmocka_tests_LDADD = 	\

 	$(LDAP_LIBS)		\

 	$(DIRSRV_LIBS)		\

 	$(SSSNSSIDMAP_LIBS)	\

+	-ldl			\

 	$(NULL)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom.h

new file mode 100644

index 0000000000000000000000000000000000000000..d2937c8c8ecf8b960b5b31e9449c719bfda86de4

--- /dev/null

+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom.h

@@ -0,0 +1,79 @@

+/*

+ * Copyright 2017 Red Hat, Inc.

+ *

+ * This Program is free software; you can redistribute it and/or modify

+ * it under the terms of the GNU General Public License as published by

+ * the Free Software Foundation; version 2 of the License.

+ *

+ * This Program is distributed in the hope that it will be useful, but

+ * WITHOUT ANY WARRANTY; without even the implied warranty of

+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

+ * General Public License for more details.

+ *

+ * You should have received a copy of the GNU General Public License

+ * along with this Program; if not, write to the

+ *

+ *   Free Software Foundation, Inc.

+ *   59 Temple Place, Suite 330

+ *   Boston, MA 02111-1307 USA

+ *

+ */

+

+#ifndef BACK_EXTDOM_H

+#define BACK_EXTDOM_H

+#include <unistd.h>

+#include <pwd.h>

+#include <grp.h>

+

+/* Possible results of lookup using a nss_* function.

+ * Note: don't include nss.h as its path gets overriden by NSS library */

+enum nss_status {

+    NSS_STATUS_TRYAGAIN = -2,

+    NSS_STATUS_UNAVAIL,

+    NSS_STATUS_NOTFOUND,

+    NSS_STATUS_SUCCESS,

+    NSS_STATUS_RETURN

+};

+

+/* NSS backend operations implemented using either nss_sss.so.2 or libsss_nss_idmap API */

+struct nss_ops_ctx;

+

+int back_extdom_init_context(struct nss_ops_ctx **nss_context);

+void back_extdom_free_context(struct nss_ops_ctx **nss_context);

+void back_extdom_set_timeout(struct nss_ops_ctx *nss_context,

+                             unsigned int timeout);

+void back_extdom_evict_user(struct nss_ops_ctx *nss_context,

+                            const char *name);

+void back_extdom_evict_group(struct nss_ops_ctx *nss_context,

+                             const char *name);

+

+enum nss_status back_extdom_getpwnam(struct nss_ops_ctx *nss_context,

+                                     const char *name, struct passwd *pwd,

+                                     char *buffer, size_t buflen,

+                                     struct passwd **result,

+                                     int *lerrno);

+

+enum nss_status back_extdom_getpwuid(struct nss_ops_ctx *nss_context,

+                                     uid_t uid, struct passwd *pwd,

+                                     char *buffer, size_t buflen,

+                                     struct passwd **result,

+                                     int *lerrno);

+

+enum nss_status back_extdom_getgrnam(struct nss_ops_ctx *nss_context,

+                                     const char *name, struct group *grp,

+                                     char *buffer, size_t buflen,

+                                     struct group **result,

+                                     int *lerrno);

+

+enum nss_status back_extdom_getgrgid(struct nss_ops_ctx *nss_context,

+                                     gid_t gid, struct group *grp,

+                                     char *buffer, size_t buflen,

+                                     struct group **result,

+                                     int *lerrno);

+

+enum nss_status back_extdom_getgrouplist(struct nss_ops_ctx *nss_context,

+                                         const char *name, gid_t group,

+                                         gid_t *groups, int *ngroups,

+                                         int *lerrno);

+

+#endif /* BACK_EXTDOM_H */

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_nss_sss.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_nss_sss.c

new file mode 100644

index 0000000000000000000000000000000000000000..346c7d4301a607c7bc07ca5a9c53fe84618ac8ad

--- /dev/null

+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_nss_sss.c

@@ -0,0 +1,276 @@

+/*

+ * Copyright 2013-2017 Red Hat, Inc.

+ *

+ * This Program is free software; you can redistribute it and/or modify

+ * it under the terms of the GNU General Public License as published by

+ * the Free Software Foundation; version 2 of the License.

+ *

+ * This Program is distributed in the hope that it will be useful, but

+ * WITHOUT ANY WARRANTY; without even the implied warranty of

+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

+ * General Public License for more details.

+ *

+ * You should have received a copy of the GNU General Public License

+ * along with this Program; if not, write to the

+ *

+ *   Free Software Foundation, Inc.

+ *   59 Temple Place, Suite 330

+ *   Boston, MA 02111-1307 USA

+ *

+ */

+

+#ifdef HAVE_CONFIG_H

+#include "config.h"

+#endif

+

+#include <sys/types.h>

+#include <stdlib.h>

+#include <string.h>

+#include <time.h>

+#include <unistd.h>

+#include <dlfcn.h>

+#include <errno.h>

+#include <pwd.h>

+#include <grp.h>

+#include <sys/param.h>

+#include "back_extdom.h"

+

+struct nss_ops_ctx {

+    void *dl_handle;

+    long int initgroups_start;

+

+    enum nss_status (*getpwnam_r)(const char *name, struct passwd *result,

+                                  char *buffer, size_t buflen, int *errnop);

+    enum nss_status (*getpwuid_r)(uid_t uid, struct passwd *result,

+                                  char *buffer, size_t buflen, int *errnop);

+    enum nss_status (*getgrnam_r)(const char *name, struct group *result,

+                                  char *buffer, size_t buflen, int *errnop);

+    enum nss_status (*getgrgid_r)(gid_t gid, struct group *result,

+                                  char *buffer, size_t buflen, int *errnop);

+    enum nss_status (*initgroups_dyn)(const char *user, gid_t group,

+                                      long int *start, long int *size,

+                                      gid_t **groups, long int limit,

+                                      int *errnop);

+};

+

+void back_extdom_free_context(struct nss_ops_ctx **nss_context)

+{

+    if ((nss_context == NULL) || (*nss_context == NULL)) {

+        return;

+    }

+

+    if ((*nss_context)->dl_handle != NULL) {

+        dlclose((*nss_context)->dl_handle);

+    }

+

+    free((*nss_context));

+    *nss_context = NULL;

+}

+

+int back_extdom_init_context(struct nss_ops_ctx **nss_context)

+{

+    struct nss_ops_ctx *ctx = NULL;

+

+    if (nss_context == NULL) {

+        return EINVAL;

+    }

+

+    ctx = calloc(1, sizeof(struct nss_ops_ctx));

+    if (ctx == NULL) {

+        return ENOMEM;

+    }

+    *nss_context = ctx;

+

+    ctx->dl_handle = dlopen("libnss_sss.so.2", RTLD_NOW);

+    if (ctx->dl_handle == NULL) {

+        goto fail;

+    }

+

+    ctx->getpwnam_r = dlsym(ctx->dl_handle, "_nss_sss_getpwnam_r");

+    if (ctx->getpwnam_r == NULL) {

+        goto fail;

+    }

+

+    ctx->getpwuid_r = dlsym(ctx->dl_handle, "_nss_sss_getpwuid_r");

+    if (ctx->getpwuid_r == NULL) {

+        goto fail;

+    }

+

+    ctx->getgrnam_r = dlsym(ctx->dl_handle, "_nss_sss_getgrnam_r");

+    if (ctx->getgrnam_r == NULL) {

+        goto fail;

+    }

+

+    ctx->getgrgid_r = dlsym(ctx->dl_handle, "_nss_sss_getgrgid_r");

+    if (ctx->getgrgid_r == NULL) {

+        goto fail;

+    }

+

+    ctx->initgroups_dyn = dlsym(ctx->dl_handle, "_nss_sss_initgroups_dyn");

+    if (ctx->initgroups_dyn == NULL) {

+        goto fail;

+    }

+

+    return 0;

+

+fail:

+    back_extdom_free_context(nss_context);

+

+    return EINVAL;

+}

+

+

+/* Following three functions cannot be implemented with nss_sss.so.2

+ * As result, we simply do nothing here */

+

+void back_extdom_set_timeout(struct nss_ops_ctx *nss_context,

+                             unsigned int timeout) {

+        /* no operation */

+}

+

+void back_extdom_evict_user(struct nss_ops_ctx *nss_context,

+                            const char *name) {

+        /* no operation */

+}

+

+void back_extdom_evict_group(struct nss_ops_ctx *nss_context,

+                             const char *name) {

+        /* no operation */

+}

+

+enum nss_status back_extdom_getpwnam(struct nss_ops_ctx *nss_context,

+                                     const char *name, struct passwd *pwd,

+                                     char *buffer, size_t buflen,

+                                     struct passwd **result,

+                                     int *lerrno) {

+    enum nss_status ret;

+

+    if (nss_context == NULL) {

+        return NSS_STATUS_UNAVAIL;

+    }

+

+    ret = nss_context->getpwnam_r(name, pwd,

+                                  buffer, buflen,

+                                  lerrno);

+

+    if ((ret == NSS_STATUS_SUCCESS) && (result != NULL)) {

+        *result = pwd;

+        *lerrno = 0;

+    }

+

+    return ret;

+}

+

+enum nss_status back_extdom_getpwuid(struct nss_ops_ctx *nss_context,

+                                     uid_t uid, struct passwd *pwd,

+                                     char *buffer, size_t buflen,

+                                     struct passwd **result,

+                                     int *lerrno) {

+    enum nss_status ret;

+

+    if (nss_context == NULL) {

+        return NSS_STATUS_UNAVAIL;

+    }

+

+    ret = nss_context->getpwuid_r(uid, pwd,

+                                  buffer, buflen,

+                                  lerrno);

+

+    if ((ret == NSS_STATUS_SUCCESS) && (result != NULL)) {

+        *result = pwd;

+        *lerrno = 0;

+    }

+

+    return ret;

+}

+

+enum nss_status back_extdom_getgrnam(struct nss_ops_ctx *nss_context,

+                                     const char *name, struct group *grp,

+                                     char *buffer, size_t buflen,

+                                     struct group **result,

+                                     int *lerrno) {

+    enum nss_status ret;

+

+    if (nss_context == NULL) {

+        return NSS_STATUS_UNAVAIL;

+    }

+

+    ret = nss_context->getgrnam_r(name, grp,

+                                  buffer, buflen,

+                                  lerrno);

+

+    if ((ret == NSS_STATUS_SUCCESS) && (result != NULL)) {

+        *result = grp;

+        *lerrno = 0;

+    }

+

+    return ret;

+}

+

+enum nss_status back_extdom_getgrgid(struct nss_ops_ctx *nss_context,

+                                     gid_t gid, struct group *grp,

+                                     char *buffer, size_t buflen,

+                                     struct group **result,

+                                     int *lerrno) {

+

+    enum nss_status ret;

+

+    if (nss_context == NULL) {

+        return NSS_STATUS_UNAVAIL;

+    }

+

+    ret = nss_context->getgrgid_r(gid, grp,

+                                  buffer, buflen,

+                                  lerrno);

+

+    if ((ret == NSS_STATUS_SUCCESS) && (result != NULL)) {

+        *result = grp;

+        *lerrno = 0;

+    }

+

+    return ret;

+}

+

+enum nss_status back_extdom_getgrouplist(struct nss_ops_ctx *nss_context,

+                                         const char *name, gid_t group,

+                                         gid_t *groups, int *ngroups,

+                                         int *lerrno) {

+

+    enum nss_status ret = NSS_STATUS_UNAVAIL;

+    long int tsize = MAX (1, *ngroups);

+    gid_t *newgroups = NULL;

+

+    if (nss_context == NULL) {

+        return NSS_STATUS_UNAVAIL;

+    }

+

+    newgroups = (gid_t *) calloc (tsize, sizeof (gid_t));

+    if (newgroups == NULL) {

+        *lerrno = ENOMEM;

+        return NSS_STATUS_TRYAGAIN;

+    }

+

+    newgroups[0] = group;

+    nss_context->initgroups_start = 1;

+

+    ret = nss_context->initgroups_dyn(name, group,

+                                      &nss_context->initgroups_start,

+                                      &tsize, &newgroups,

+                                      -1, lerrno);

+

+    (void) memcpy(groups, newgroups,

+                  MIN(*ngroups, nss_context->initgroups_start) * sizeof(gid_t));

+    free(newgroups);

+

+    if (*ngroups < nss_context->initgroups_start) {

+        ret = NSS_STATUS_TRYAGAIN;

+        *lerrno = ERANGE;

+    }

+

+    *ngroups = (int) nss_context->initgroups_start;

+

+    nss_context->initgroups_start = 0;

+

+    return ret;

+}

+

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c

new file mode 100644

index 0000000000000000000000000000000000000000..89c58ca2de333b26954d916836b57aed5d7e18fb

--- /dev/null

+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c

@@ -0,0 +1,260 @@

+/*

+ * Copyright 2013-2017 Red Hat, Inc.

+ *

+ * This Program is free software; you can redistribute it and/or modify

+ * it under the terms of the GNU General Public License as published by

+ * the Free Software Foundation; version 2 of the License.

+ *

+ * This Program is distributed in the hope that it will be useful, but

+ * WITHOUT ANY WARRANTY; without even the implied warranty of

+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

+ * General Public License for more details.

+ *

+ * You should have received a copy of the GNU General Public License

+ * along with this Program; if not, write to the

+ *

+ *   Free Software Foundation, Inc.

+ *   59 Temple Place, Suite 330

+ *   Boston, MA 02111-1307 USA

+ *

+ */

+

+#ifdef HAVE_CONFIG_H

+#include "config.h"

+#endif

+

+#include <sys/types.h>

+#include <stdlib.h>

+#include <string.h>

+#include <time.h>

+#include <unistd.h>

+#include <errno.h>

+#include <pwd.h>

+#include <grp.h>

+#include "back_extdom.h"

+

+/* SSSD only exposes *_timeout() variants if the following symbol is defined */

+#define IPA_389DS_PLUGIN_HELPER_CALLS

+#include <sss_nss_idmap.h>

+

+struct nss_ops_ctx {

+    unsigned int timeout;

+};

+

+static enum nss_status __convert_sss_nss2nss_status(int errcode) {

+    switch(errcode) {

+    case 0:

+        return NSS_STATUS_SUCCESS;

+    case ENOENT:

+        return NSS_STATUS_NOTFOUND;

+    case ETIME:

+        /* fall-through */

+    case ERANGE:

+        return NSS_STATUS_TRYAGAIN;

+    case ETIMEDOUT:

+        /* fall-through */

+    default:

+        return NSS_STATUS_UNAVAIL;

+    }

+    return NSS_STATUS_UNAVAIL;

+}

+

+int back_extdom_init_context(struct nss_ops_ctx **nss_context)

+{

+    struct nss_ops_ctx *ctx = NULL;

+

+    if (nss_context == NULL) {

+        return EINVAL;

+    }

+

+    ctx = calloc(1, sizeof(struct nss_ops_ctx));

+

+    if (ctx == NULL) {

+        return ENOMEM;

+    }

+    *nss_context = ctx;

+    return 0;

+}

+

+void back_extdom_free_context(struct nss_ops_ctx **nss_context)

+{

+    if ((nss_context == NULL) || (*nss_context == NULL)) {

+        return;

+    }

+

+    free((*nss_context));

+    *nss_context = NULL;

+}

+

+

+void back_extdom_set_timeout(struct nss_ops_ctx *nss_context,

+                             unsigned int timeout) {

+    if (nss_context == NULL) {

+        return;

+    }

+

+    nss_context->timeout = timeout;

+}

+

+void back_extdom_evict_user(struct nss_ops_ctx *nss_context,

+                            const char *name) {

+    if (nss_context == NULL) {

+        return;

+    }

+

+    (void) sss_nss_getpwnam_timeout(name, NULL,

+                                    NULL, 0,

+                                    NULL,

+                                    SSS_NSS_EX_FLAG_INVALIDATE_CACHE,

+                                    nss_context->timeout);

+}

+

+void back_extdom_evict_group(struct nss_ops_ctx *nss_context,

+                             const char *name) {

+    if (nss_context == NULL) {

+            return;

+    }

+

+    (void) sss_nss_getgrnam_timeout(name, NULL,

+                                    NULL, 0,

+                                    NULL,

+                                    SSS_NSS_EX_FLAG_INVALIDATE_CACHE,

+                                    nss_context->timeout);

+}

+

+enum nss_status back_extdom_getpwnam(struct nss_ops_ctx *nss_context,

+                                     const char *name, struct passwd *pwd,

+                                     char *buffer, size_t buflen,

+                                     struct passwd **result,

+                                     int *lerrno) {

+    int ret = 0;

+

+    if (nss_context == NULL) {

+        return NSS_STATUS_UNAVAIL;

+    }

+

+    ret = sss_nss_getpwnam_timeout(name, pwd,

+                                   buffer, buflen,

+                                   result,

+                                   SSS_NSS_EX_FLAG_NO_FLAGS,

+                                   nss_context->timeout);

+

+    /* SSSD uses the same infrastructure to handle sss_nss_get* calls

+     * as nss_sss.so.2 module where 'int *errno' is passed to the helper

+     * but writes down errno into return code so we propagate it in case

+     * of error and translate the return code */

+    if (lerrno != NULL) {

+        *lerrno = ret;

+    }

+    return __convert_sss_nss2nss_status(ret);

+}

+

+enum nss_status back_extdom_getpwuid(struct nss_ops_ctx *nss_context,

+                                     uid_t uid, struct passwd *pwd,

+                                     char *buffer, size_t buflen,

+                                     struct passwd **result,

+                                     int *lerrno) {

+

+    int ret = 0;

+

+    if (nss_context == NULL) {

+        return NSS_STATUS_UNAVAIL;

+    }

+

+    ret = sss_nss_getpwuid_timeout(uid, pwd,

+                                   buffer, buflen,

+                                   result,

+                                   SSS_NSS_EX_FLAG_NO_FLAGS,

+                                   nss_context->timeout);

+

+    /* SSSD uses the same infrastructure to handle sss_nss_get* calls

+     * as nss_sss.so.2 module where 'int *errno' is passed to the helper

+     * but writes down errno into return code so we propagate it in case

+     * of error and translate the return code */

+    if (lerrno != NULL) {

+        *lerrno = ret;

+    }

+    return __convert_sss_nss2nss_status(ret);

+}