Claude: suggestion: Both this guard (streq(name, result->pw_name)) and the later matching in user_record_matches_user_name() (streq/strv_contains) are case-sensitive. NSS/AD/SSSD names are commonly case-insensitive, so the originally requested name frequently differs from the canonical pw_name only in case (e.g. requested [email protected] vs returned testuser). Storing the verbatim requested string does help that exact spelling, but any subsequent lookup that differs only in case from the recorded alias will still be rejected as ConflictingRecordFound. If case-insensitive providers are the motivating use case, consider whether the storage/matching should account for case rather than relying on byte-exact comparison.

Case-insensitive matching is a deeper fix, which I think is out the scope of this PR.

This change is intentionally narrow: it preserves the exact lookup name that NSS already resolved, so canonicalized NSS results continue to match the original request.

Claude: nit: test-group-record-nss.c is inserted between test-fstab-util.c and test-glob-util.c, breaking the otherwise-alphabetical ordering of this list (glob < gpt < group < gunicode). It should be placed after test-gpt.c and before test-gunicode.c. The sibling test-user-record-nss.c was added in the correct position.

Claude: suggestion: The NSS by-name path records the originally-requested lookup name as an alias on the returned record (and the same at the group path). Downstream, the userdb worker validates the record with user_record_matches_user_name(hr, p.name) and otherwise rejects it with ConflictingRecordFound. Because the requested name is added as an alias during the same lookup (whenever it passes valid_user_group_name(VALID_USER_RELAX) and differs from the canonical name), that self-check now always passes for any NSS-backed by-name lookup, relaxing the defense-in-depth check that previously caught NSS modules returning a record whose pw_name does not correspond to the requested name.

This is not a privilege escalation in itself — the uid/gid come solely from the NSS record, and a hostile NSS module could already return the requested name as pw_name directly. Flagging for awareness: if you want the conflict check to retain meaning for genuinely mismatched NSS results, consider scoping alias recording more narrowly than "any syntactically-valid requested name" (e.g. only the canonicalization case the PR targets).

I agree with this concern, but I am not yet sure what the right constraint should be here. Would checking that the requested name has the form <pw_name>@... be an acceptable way to scope this more tightly?

so the user_record_matches_user_name() check in userwork.c exists mostly to ensure that if people do a lookup where they specify both UID and name, that we fail if the record we found doesn't match both. because that would be weird.

now, if both UID and name are specified we currently do the lookup via UID, and then check the name afterwards. I guess this should be switched so that we do the lookup by name instead, so that for records like yours we definitely have the right alias in the record, and the test will then succeed.

Claude: suggestion: Two coverage gaps in the new user-side test (the production logic is correct; these are just missing cases):

1. The user-side alias@realm matching branch is untested. user_record_matches_user_name() gained the same realm-stripping logic as the group side, and the group test exercises it via nss_group_alias_realm, but there is no user equivalent, so a regression in the user realm branch would go undetected. Mirror nss_group_alias_realm: build a record with an alias, set u->realm, then assert user_record_matches_user_name(u, "<alias>@<realm>").
2. The nss_add_valid_alias() no-op branches are untested: alias_name equal to the canonical name (must not add a redundant alias nor emit an aliases JSON key) and the NULL/empty alias_name path used by the by-uid/by-gid and iterator callers.

JSON_BUILD_PAIR_STRV_NON_EMPTY()

we generally want in new code that "opaque" params in func calls (i.e. those which give you no hint what you are passing there) are prefixed with a param comment. i.e. for the 3rd argument here write /* name= */ NULL instead of just NULL.

as above

as above

as above

as above

Claude: suggestion: The new aliases field is added only to the top-level group_dispatch_table, but not to the group per_machine_dispatch_table. On the user side aliases is dispatched in both the main user_dispatch_table and the perMachine table, so a GroupRecord that carries aliases inside a perMachine block round-trips asymmetrically: the user loader honors per-machine aliases while the group loader silently drops them. The NSS path this PR targets is unaffected (it writes the top-level aliases key), but for group-vs-user symmetry of the struct/JSON mapping consider also adding the aliases entry to the group perMachine table.

Claude: suggestion: The new tests cover group_record_matches_group_name()/user_record_matches_user_name() and the JSON round-trip, but neither test file exercises the other new branch added by this PR: the alias-aware fuzzy match in group_record_match() and user_record_match(), which now additionally calls user_name_fuzzy_match() over ->aliases. A record carrying only an alias (no matching name or realm) looked up via a UserDBMatch with fuzzy_names is currently untested, so a regression in that branch would go undetected. This is distinct from the already-noted user-side alias@realm and nss_add_valid_alias() no-op coverage gaps.

Claude: nit: For symmetry with UserRecord — where aliases is placed after user_name, realm, and user_name_and_realm_auto — consider moving this aliases field to after group_name_and_realm_auto instead of between group_name and realm (and reorder the matching strv_free() in group_record_free() accordingly). Purely cosmetic, no behavioral impact.

Claude: nit: Claude: Per systemd's include conventions, sd-* public-library headers form their own group separated from the preceding system headers by a blank line (compare test-user-record.c). Here #include "sd-json.h" is glued directly onto the <pwd.h>/<string.h> block (note the file already leaves a blank line after it, before the internal headers). Add a blank line before it so the grouping reads system headers / sd-* headers / internal headers.

Claude: nit: Claude: Per systemd's include conventions, sd-* public-library headers form their own group separated from the preceding system headers by a blank line (compare test-user-record.c). Here #include "sd-json.h" is glued directly onto the <grp.h>/<string.h> block (note the file already leaves a blank line after it, before the internal headers). Add a blank line before it so the grouping reads system headers / sd-* headers / internal headers.

Claude: suggestion: The new alias@realm matching block here is byte-for-byte identical to the one in user_record_matches_user_name() in src/shared/user-record.c (only g->/group_name vs u->/user_name differ): same strrchr(name, '@'), realm-suffix compare, and STRV_FOREACH with startswith(name, *a) == realm. Consider factoring it into a shared helper taking (name, aliases, realm) so the user and group matchers can't drift apart as one side is later tweaked.

Claude: nit: The user test exercises both no-op branches of nss_add_valid_alias() — nss_user_alias_same_as_canonical_noop (alias equals canonical name) and nss_user_null_alias_noop (NULL alias) — but the group test has no equivalents. Since the PR's goal is symmetric alias handling, consider adding nss_group_alias_same_as_canonical_noop and nss_group_null_alias_noop so the skip-if-empty / skip-if-equal policy is covered on the group side too.