The following reply was made to PR bin/43900; it has been noted by GNATS.
From: David Holland <dholland-bugs%netbsd.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc:
Subject: Re: bin/43900: ypbind(8) fails to handle multiple domains correctly
Date: Mon, 23 May 2011 05:24:46 +0000
On Thu, Sep 23, 2010 at 01:45:00PM +0000,
Wolfgang.Stukenbrock%nagler-company.com@localhost wrote:
> The current implementation of ypbind will only handle multiple
> domains correctly if it runs in broadcast mode. Direct binding and
> ypset-mode may not handle different sets of ypservers for different
> domains correctly. The cause of the problem is that in ypbind.c
> some state information is stored in global variables and not in
> domain-specific data. These global variables are correct for the
> default domain, but not for any additional domain.
>
> The current implementation will use
> /var/yp/bind/<defaultdomain>.ypservers for any domain ypbind is asked
> for. And in the current implementation ypset will set the server
> for the specified domain but switches to "ypset-mode" for all
> domains. So all other domains not explicitly bound by a separate
> ypset call will fail.
Right, so this is definitely quite broken.
However, I'm concerned about the semantics for ypbindmode. It seems to
me (particularly from the man page, but also from going over the code)
that the intent of the -ypset and -ypsetme options is to allow ypset
to be used for domains that we broadcast for. This is basically a
global permission setting and I don't think it makes sense to try to
track or configure it on a per-domain basis.
Thus I think YPBIND_SETALL and YPBIND_SETLOCAL should be removed from
the modes enumeration and replaced with a pair of global flags. Then I
think the broadcast vs. direct mode can be handled separately for each
domain without getting into trouble.
(I'm also wondering whether it makes sense, for domains in direct
mode, and if ypset is enabled, to allow ypset to pick one of the
servers that's in the configured servers list for that domain. I
suppose since it's not 1990 that it's a fairly pointless idea.)
--
David A. Holland
dholland%netbsd.org@localhost
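The following is an added example written for this page, not ypbind's own source, sketching the layout the reply above argues for: broadcast vs. direct mode kept per domain, the ypset permission kept as two global flags, and the <domain>.ypservers list looked up per domain (path form as quoted in the PR). It also implements the option floated in the last paragraph, letting ypset pick only a server from a direct-mode domain's configured list. All names (ypset_request, ypservers_path, the fixed-size tables) and the return codes are assumptions of this toy model, and the domains and server names used in main() are constructed sample input.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the proposed ypbind state layout (not ypbind's code). */
enum bind_mode { MODE_BROADCAST, MODE_DIRECT };

#define MAXDOM 8
#define MAXSRV 4
#define NAMELEN 64

struct domain_binding {
	char name[NAMELEN];
	enum bind_mode mode;            /* per domain, not a global */
	char servers[MAXSRV][NAMELEN];  /* configured list for direct mode */
	int nservers;
	char bound[NAMELEN];            /* currently bound server, "" if none */
};

/* Global permission flags standing in for -ypset / -ypsetme. */
static bool ypset_any = false;
static bool ypset_local = false;

static struct domain_binding doms[MAXDOM];
static int ndoms = 0;

void reset_bindings(void)
{
	memset(doms, 0, sizeof doms);
	ndoms = 0;
	ypset_any = ypset_local = false;
}

void set_ypset_flags(bool any, bool local)
{
	ypset_any = any;
	ypset_local = local;
}

/* Per-domain server list path, in the form the PR quotes. 0 on success. */
int ypservers_path(const char *domain, char *buf, size_t len)
{
	int n = snprintf(buf, len, "/var/yp/bind/%s.ypservers", domain);
	return (n > 0 && (size_t)n < len) ? 0 : -1;
}

struct domain_binding *find_domain(const char *name)
{
	for (int i = 0; i < ndoms; i++)
		if (strcmp(doms[i].name, name) == 0)
			return &doms[i];
	return NULL;
}

/* Register a domain with its own mode; direct mode carries a server list. */
int add_domain(const char *name, enum bind_mode mode,
    const char *const *servers, int nservers)
{
	if (ndoms >= MAXDOM || nservers > MAXSRV || find_domain(name) != NULL)
		return -1;
	struct domain_binding *d = &doms[ndoms++];
	snprintf(d->name, sizeof d->name, "%s", name);
	d->mode = mode;
	d->nservers = nservers;
	for (int i = 0; i < nservers; i++)
		snprintf(d->servers[i], NAMELEN, "%s", servers[i]);
	return 0;
}

static bool server_listed(const struct domain_binding *d, const char *srv)
{
	for (int i = 0; i < d->nservers; i++)
		if (strcmp(d->servers[i], srv) == 0)
			return true;
	return false;
}

/* ypset for one domain: the permission check is global, the binding it
 * changes is only this domain's, and no other domain's mode is touched.
 * Returns 0 ok, -1 permission denied, -2 unknown domain, -3 server not in
 * a direct-mode domain's configured list. */
int ypset_request(const char *domain, const char *server, bool from_local)
{
	if (!ypset_any && !(ypset_local && from_local))
		return -1;
	struct domain_binding *d = find_domain(domain);
	if (d == NULL)
		return -2;
	if (d->mode == MODE_DIRECT && !server_listed(d, server))
		return -3;
	snprintf(d->bound, sizeof d->bound, "%s", server);
	return 0;
}

const char *bound_server(const char *domain)
{
	struct domain_binding *d = find_domain(domain);
	return d == NULL ? NULL : d->bound;
}

int main(void)
{
	/* constructed sample domains and servers */
	static const char *const eng[] = { "ypsrv1.example", "ypsrv2.example" };
	char path[128];

	reset_bindings();
	add_domain("sales", MODE_BROADCAST, NULL, 0);
	add_domain("eng", MODE_DIRECT, eng, 2);
	ypservers_path("eng", path, sizeof path);
	printf("eng list: %s\n", path);
	set_ypset_flags(false, true);
	printf("sales remote: %d\n", ypset_request("sales", "ypsrv9.example", false));
	printf("sales local:  %d\n", ypset_request("sales", "ypsrv9.example", true));
	printf("eng unlisted: %d\n", ypset_request("eng", "bogus.example", true));
	printf("eng listed:   %d\n", ypset_request("eng", "ypsrv2.example", true));
	return 0;
}
```

The point of the split is visible in ypset_request: it consults the global flags for permission but writes only into the one domain's binding, so a ypset for "sales" cannot flip "eng" out of direct mode the way a global ypbindmode would.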