diff -up libnfsidmap-0.25/idmapd.conf.5.orig libnfsidmap-0.25/idmapd.conf.5

--- libnfsidmap-0.25/idmapd.conf.5.orig	2017-01-10 13:30:28.696901000 -0500

+++ libnfsidmap-0.25/idmapd.conf.5	2017-01-10 13:32:44.241316000 -0500

@@ -63,6 +63,30 @@ The local NFSv4 domain name.  An NFSv4 d

 a unique username<->UID and groupname<->GID mapping.

 (Default: Host's fully-qualified DNS domain name)

 .TP

+.B No-Strip

+In multi-domain environments, some NFS servers will append the identity

+management domain to the owner and owner_group in lieu of a true NFSv4

+domain.  This option can facilitate lookups in such environments.  If

+set to a value other than "none", the nsswitch  plugin will first pass

+the name to the password/group lookup function without stripping the

+domain off.  If that mapping fails then the plugin will try again using

+the old method (comparing the domain in the string to the Domain value,

+stripping it if it matches, and passing the resulting short name to the

+lookup function).  Valid values are "user", "group", "both", and

+"none".

+(Default: "none")

+.TP

+.B Reformat-Group

+Winbind has a quirk whereby doing a group lookup in UPN format

+(e.g. staff@americas.example.com) will cause the group to be

+displayed prefixed with the full domain in uppercase

+(e.g. AMERICAS.EXAMPLE.COM\\staff) instead of in the familiar netbios

+name format (e.g. AMERICAS\\staff).  Setting this option to true

+causes the name to be reformatted before passing it to the group

+lookup function in order to work around this.  This setting is

+ignored unless No-Strip is set to either "both" or "group".

+(Default: "false")

+.TP

 .B Local-Realms

 A comma-separated list of Kerberos realm names that may be considered equivalent to the

 local realm name.  For example, users juser@ORDER.EDU and juser@MAIL.ORDER.EDU

diff -up libnfsidmap-0.25/idmapd.conf.orig libnfsidmap-0.25/idmapd.conf

--- libnfsidmap-0.25/idmapd.conf.orig	2011-12-05 15:28:10.000000000 -0500

+++ libnfsidmap-0.25/idmapd.conf	2017-01-10 13:32:44.235315000 -0500

@@ -4,6 +4,29 @@

 # The default is the host's DNS domain name.

 #Domain = local.domain.edu

+# In multi-domain environments, some NFS servers will append the identity

+# management domain to the owner and owner_group in lieu of a true NFSv4

+# domain.  This option can facilitate lookups in such environments.  If

+# set to a value other than "none", the nsswitch  plugin will first pass

+# the name to the password/group lookup function without stripping the

+# domain off.  If that mapping fails then the plugin will try again using

+# the old method (comparing the domain in the string to the Domain value,

+# stripping it if it matches, and passing the resulting short name to the

+# lookup function).  Valid values are "user", "group", "both", and

+# "none".  The default is "none".

+#No-Strip = none

+

+# Winbind has a quirk whereby doing a group lookup in UPN format

+# (e.g. staff@americas.example.com) will cause the group to be

+# displayed prefixed with the full domain in uppercase

+# (e.g. AMERICAS.EXAMPLE.COM\staff) instead of in the familiar netbios

+# name format (e.g. AMERICAS\staff).  Setting this option to true

+# causes the name to be reformatted before passing it to the group

+# lookup function in order to work around this.  This setting is

+# ignored unless No-Strip is set to either "both" or "group".

+# The default is "false".

+#Reformat-Group = false

+

 # The following is a comma-separated list of Kerberos realm

 # names that should be considered to be equivalent to the

 # local realm, such that <user>@REALM.A can be assumed to

diff -up libnfsidmap-0.25/libnfsidmap.c.orig libnfsidmap-0.25/libnfsidmap.c

--- libnfsidmap-0.25/libnfsidmap.c.orig	2017-01-10 13:30:28.837901000 -0500

+++ libnfsidmap-0.25/libnfsidmap.c	2017-01-10 13:32:44.247315000 -0500

@@ -60,6 +60,8 @@

 static char *default_domain;

 static struct conf_list *local_realms;

 int idmap_verbosity = 0;

+int no_strip = 0;

+int reformat_group = 0;

 static struct mapping_plugin **nfs4_plugins = NULL;

 static struct mapping_plugin **gss_plugins = NULL;

 uid_t nobody_uid = (uid_t)-1;

@@ -234,6 +236,8 @@ int nfs4_init_name_mapping(char *conffil

 	int dflt = 0;

 	struct conf_list *nfs4_methods, *gss_methods;

 	char *nobody_user, *nobody_group;

+	char *nostrip;

+	char *reformatgroup;

 	/* XXX: need to be able to reload configurations... */

 	if (nfs4_plugins) /* already succesfully initialized */

@@ -306,6 +310,26 @@ int nfs4_init_name_mapping(char *conffil

 			IDMAP_LOG(1, ("libnfsidmap: Realms list: <NULL> "));

 	}

+	nostrip = conf_get_str_with_def("General", "No-Strip", "none");

+	if (strcasecmp(nostrip, "both") == 0)

+		no_strip = IDTYPE_USER|IDTYPE_GROUP;

+	else if (strcasecmp(nostrip, "group") == 0)

+		no_strip = IDTYPE_GROUP;

+	else if (strcasecmp(nostrip, "user") == 0)

+		no_strip = IDTYPE_USER;

+	else

+		no_strip = 0;

+

+	if (no_strip & IDTYPE_GROUP) {

+		reformatgroup = conf_get_str_with_def("General", "Reformat-Group", "false");

+		if ((strcasecmp(reformatgroup, "true") == 0) ||

+		    (strcasecmp(reformatgroup, "on") == 0) ||

+		    (strcasecmp(reformatgroup, "yes") == 0))

+			reformat_group = 1;

+		else

+			reformat_group = 0;

+	}

+

 	nfs4_methods = conf_get_list("Translation", "Method");

 	if (nfs4_methods) {

 		IDMAP_LOG(1, ("libnfsidmap: processing 'Method' list"));

diff -up libnfsidmap-0.25/nfsidmap_internal.h.orig libnfsidmap-0.25/nfsidmap_internal.h

--- libnfsidmap-0.25/nfsidmap_internal.h.orig	2011-12-05 15:28:10.000000000 -0500

+++ libnfsidmap-0.25/nfsidmap_internal.h	2017-01-10 13:32:44.253315000 -0500

@@ -63,6 +63,8 @@ typedef enum {

 	IDTYPE_GROUP = 2

 } idtypes;

+extern int no_strip;

+extern int reformat_group;

 extern int idmap_verbosity;

 extern nfs4_idmap_log_function_t idmap_log_func;

 /* Level zero always prints, others print depending on verbosity level */

diff -up libnfsidmap-0.25/nss.c.orig libnfsidmap-0.25/nss.c

--- libnfsidmap-0.25/nss.c.orig	2017-01-10 13:30:28.892903000 -0500

+++ libnfsidmap-0.25/nss.c	2017-01-10 13:32:44.259316000 -0500

@@ -45,6 +45,7 @@

 #include <err.h>

 #include <grp.h>

 #include <limits.h>

+#include <ctype.h>

 #include "nfsidmap.h"

 #include "nfsidmap_internal.h"

 #include "cfg.h"

@@ -58,14 +59,20 @@

  * and ignore the domain entirely when looking up a name.

  */

-static int write_name(char *dest, char *localname, char *domain, size_t len)

+static int write_name(char *dest, char *localname, char *domain, size_t len,

+		      int doappend)

 {

-	if (strlen(localname) + 1 + strlen(domain) + 1 > len) {

-		return -ENOMEM; /* XXX: Is there an -ETOOLONG? */

+	if (doappend || !strchr(localname,'@')) {

+		if (strlen(localname) + 1 + strlen(domain) + 1 > len)

+			return -ENOMEM; /* XXX: Is there an -ETOOLONG? */

+		strcpy(dest, localname);

+		strcat(dest, "@");

+		strcat(dest, domain);

+	} else {

+		if (strlen(localname) + 1 > len)

+			return -ENOMEM;

+		strcpy(dest, localname);

 	}

-	strcpy(dest, localname);

-	strcat(dest, "@");

-	strcat(dest, domain);

 	return 0;

 }

@@ -87,7 +94,10 @@ static int nss_uid_to_name(uid_t uid, ch

 		err = -ENOENT;

 	if (err)

 		goto out_buf;

-	err = write_name(name, pw->pw_name, domain, len);

+	if (no_strip & IDTYPE_USER)

+		err = write_name(name, pw->pw_name, domain, len, 0);

+	else

+		err = write_name(name, pw->pw_name, domain, len, 1);

 out_buf:

 	free(buf);

 out:

@@ -121,7 +131,10 @@ static int nss_gid_to_name(gid_t gid, ch

 	if (err)

 		goto out_buf;

-	err = write_name(name, gr->gr_name, domain, len);

+	if (no_strip & IDTYPE_GROUP)

+		err = write_name(name, gr->gr_name, domain, len, 0);

+	else

+		err = write_name(name, gr->gr_name, domain, len, 1);

 out_buf:

 	free(buf);

 out:

@@ -164,7 +177,8 @@ struct pwbuf {

 	char buf[1];

 };

-static struct passwd *nss_getpwnam(const char *name, const char *domain, int *err_p)

+static struct passwd *nss_getpwnam(const char *name, const char *domain,

+				   int *err_p, int dostrip)

 {

 	struct passwd *pw;

 	struct pwbuf *buf;

@@ -180,22 +194,29 @@ static struct passwd *nss_getpwnam(const

 		goto err;

 	err = EINVAL;

-	localname = strip_domain(name, domain);

-	IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "

-		  "resulting localname '%s'", name, domain, localname));

-	if (localname == NULL) {

-		IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "

-			"into domain '%s'", name,

-			domain ? domain : "<not-provided>"));

-		goto err_free_buf;

-	}

+	if (dostrip) {

+		localname = strip_domain(name, domain);

+		IDMAP_LOG(4, ("nss_getpwnam: name '%s' domain '%s': "

+			  "resulting localname '%s'", name, domain, localname));

+		if (localname == NULL) {

+			IDMAP_LOG(0, ("nss_getpwnam: name '%s' does not map "

+				"into domain '%s'", name,

+				domain ? domain : "<not-provided>"));

+			goto err_free_buf;

+		}

-	err = getpwnam_r(localname, &buf->pwbuf, buf->buf, buflen, &pw;;

-	if (pw == NULL && domain != NULL)

-		IDMAP_LOG(0,

-			("nss_getpwnam: name '%s' not found in domain '%s'",

-			localname, domain));

-	free(localname);

+		err = getpwnam_r(localname, &buf->pwbuf, buf->buf, buflen, &pw;;

+		if (pw == NULL && domain != NULL)

+			IDMAP_LOG(1,

+				("nss_getpwnam: name '%s' not found in domain '%s'",

+				localname, domain));

+		free(localname);

+	} else {

+		err = getpwnam_r(name, &buf->pwbuf, buf->buf, buflen, &pw;;

+		if (pw == NULL)

+			IDMAP_LOG(1,

+				("nss_getpwnam: name '%s' not found (domain not stripped)", name));

+	}

 	if (err == 0 && pw != NULL) {

 		*err_p = 0;

 		return pw;

@@ -217,28 +238,83 @@ static int nss_name_to_uid(char *name, u

 	int err = -ENOENT;

 	domain = get_default_domain();

-	pw = nss_getpwnam(name, domain, &err;;

+	if (no_strip & IDTYPE_USER) {

+		pw = nss_getpwnam(name, domain, &err, 0);

+		if (pw != NULL)

+			goto out_uid;

+	}

+	pw = nss_getpwnam(name, domain, &err, 1);

 	if (pw == NULL)

 		goto out;

+out_uid:

 	*uid = pw->pw_uid;

+	IDMAP_LOG(4, ("nss_name_to_uid: name '%s' uid %u", name, *uid));

 	free(pw);

 	err = 0;

 out:

 	return err;

 }

-static int nss_name_to_gid(char *name, gid_t *gid)

+static char *reformat_name(const char *name)

+{

+	const char *domain;

+	const char *c;

+	const char *d;

+	char *l = NULL;

+	int len;

+	int dlen = 0;

+	int i;

+

+	c = strchr(name, '@');

+	if (c == NULL)

+		goto out;

+	len = c - name;

+	domain = ++c;

+	d = strchr(domain, '.');

+	if (d == NULL)

+		goto out;

+	dlen = d - domain;

+	l = malloc(dlen + 1 + len + 1);

+	if (l == NULL)

+		goto out;

+	for (i = 0; i < dlen; i++)

+		l[i] = toupper(domain[i]);

+	l[dlen] = '\\';

+	memcpy(l + dlen + 1, name, len);

+	l[dlen + 1 + len] = '\0';

+out:

+	return l;

+}

+

+static int _nss_name_to_gid(char *name, gid_t *gid, int dostrip)

 {

 	struct group *gr = NULL;

 	struct group grbuf;

-	char *buf, *localname, *domain;

+	char *buf, *domain;

 	size_t buflen = sysconf(_SC_GETGR_R_SIZE_MAX);

 	int err = -EINVAL;

+	char *localname = NULL;

+	char *ref_name = NULL;

 	domain = get_default_domain();

-	localname = strip_domain(name, domain);

-	if (!localname)

-		goto out;

+	if (dostrip) {

+		localname = strip_domain(name, domain);

+		IDMAP_LOG(4, ("nss_name_to_gid: name '%s' domain '%s': "

+			  "resulting localname '%s'", name, domain, localname));

+		if (!localname) {

+			IDMAP_LOG(0, ("nss_name_to_gid: name '%s' does not map "

+				  "into domain '%s'", name, domain));

+			goto out;

+		}

+	} else if (reformat_group) {

+		ref_name = reformat_name(name);

+		if (ref_name == NULL) {

+			IDMAP_LOG(1, ("nss_name_to_gid: failed to reformat name '%s'",

+				  name));

+			err = -ENOENT;

+			goto out;

+		}

+	}

 	err = -ENOMEM;

 	if (buflen > UINT_MAX)

@@ -248,9 +324,24 @@ static int nss_name_to_gid(char *name, g

 		buf = malloc(buflen);

 		if (!buf)

 			goto out_name;

-		err = -getgrnam_r(localname, &grbuf, buf, buflen, &gr);

-		if (gr == NULL && !err)

+		if (dostrip)

+			err = -getgrnam_r(localname, &grbuf, buf, buflen, &gr);

+		else if (reformat_group)

+			err = -getgrnam_r(ref_name, &grbuf, buf, buflen, &gr);

+		else

+			err = -getgrnam_r(name, &grbuf, buf, buflen, &gr);

+		if (gr == NULL && !err) {

+			if (dostrip)

+				IDMAP_LOG(1, ("nss_name_to_gid: name '%s' not found "

+					  "in domain '%s'", localname, domain));

+			else if (reformat_group)

+				IDMAP_LOG(1, ("nss_name_to_gid: name '%s' not found "

+					  "(reformatted)", ref_name));

+			else

+				IDMAP_LOG(1, ("nss_name_to_gid: name '%s' not found "

+					  "(domain not stripped)", name));

 			err = -ENOENT;

+		}

 		if (err == -ERANGE) {

 			buflen *= 2;

 			free(buf);

@@ -260,10 +351,28 @@ static int nss_name_to_gid(char *name, g

 	if (err)

 		goto out_buf;

 	*gid = gr->gr_gid;

+	IDMAP_LOG(4, ("nss_name_to_gid: name '%s' gid %u", name, *gid));

 out_buf:

 	free(buf);

 out_name:

-	free(localname);

+	if (dostrip)

+		free(localname);

+	if (reformat_group)

+		free(ref_name);

+out:

+	return err;

+}

+

+static int nss_name_to_gid(char *name, gid_t *gid)

+{

+	int err = 0;

+

+	if (no_strip & IDTYPE_GROUP) {

+		err = _nss_name_to_gid(name, gid, 0);

+		if (!err)

+			goto out;

+	}

+	err = _nss_name_to_gid(name, gid, 1);

 out:

 	return err;

 }

@@ -306,7 +415,7 @@ static int nss_gss_princ_to_ids(char *se

 		return -ENOENT;

 	}

 	/* XXX: this should call something like getgssauthnam instead? */

-	pw = nss_getpwnam(princ, NULL, &err;;

+	pw = nss_getpwnam(princ, NULL, &err, 0);

 	if (pw == NULL) {

 		err = -ENOENT;

 		goto out;

@@ -329,7 +438,7 @@ int nss_gss_princ_to_grouplist(char *sec

 		goto out;

 	/* XXX: not quite right?  Need to know default realm? */

 	/* XXX: this should call something like getgssauthnam instead? */

-	pw = nss_getpwnam(princ, NULL, &ret;;

+	pw = nss_getpwnam(princ, NULL, &ret, 0);

 	if (pw == NULL) {

 		ret = -ENOENT;

 		goto out;