From d8c0b5421934cae887a44be42250d5df5631d3de Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Wed, 22 Jun 2016 18:21:11 +0200

Subject: [PATCH 58/62] PAM: continue with UPN/email search if name was not

 found

Currently we only search for UPNs if the domain part of the name was not

know, with Kerberos aliases and email addresses we have to do this even

if the domain name is a know domain.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

(cherry picked from commit 3381d9736b698d6111d10e219a0b5b898a4c757c)

---

 src/responder/pam/pamsrv_cmd.c | 39 +++++++++++++++++++++++++++++++++++++++

 1 file changed, 39 insertions(+)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c

index 3a35c3f08821aa23051989599d45b8b7b0677da4..1c759f009321cbb322fce624b506ed07f93f997b 100644

--- a/src/responder/pam/pamsrv_cmd.c

+++ b/src/responder/pam/pamsrv_cmd.c

@@ -924,6 +924,39 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,

 static int pam_check_user_search(struct pam_auth_req *preq);

 static int pam_check_user_done(struct pam_auth_req *preq, int ret);

+static errno_t pam_cmd_assume_upn(struct pam_auth_req *preq)

+{

+    int ret;

+

+    if (!preq->pd->name_is_upn

+            && preq->pd->logon_name != NULL

+            && strchr(preq->pd->logon_name, '@') != NULL) {

+        DEBUG(SSSDBG_TRACE_ALL,

+              "No entry found so far, trying UPN/email lookup with [%s].\n",

+              preq->pd->logon_name);

+        /* Assuming Kerberos principal */

+        preq->domain = preq->cctx->rctx->domains;

+        preq->check_provider =

+                            NEED_CHECK_PROVIDER(preq->domain->provider);

+        preq->pd->user = talloc_strdup(preq->pd, preq->pd->logon_name);

+        if (preq->pd->user == NULL) {

+            DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");

+            return ENOMEM;

+        }

+        preq->pd->name_is_upn = true;

+        preq->pd->domain = NULL;

+

+        ret = pam_check_user_search(preq);

+        if (ret == EOK) {

+            pam_dom_forwarder(preq);

+        }

+        return EOK;

+    }

+

+    return ENOENT;

+}

+

+

 /* TODO: we should probably return some sort of cookie that is set in the

  * PAM_ENVIRONMENT, so that we can save performing some calls and cache

  * data. */

@@ -1220,6 +1253,8 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)

     ret = pam_check_user_search(preq);

     if (ret == EOK) {

         pam_dom_forwarder(preq);

+    } else if (ret == ENOENT) {

+        ret = pam_cmd_assume_upn(preq);

     }

 done:

@@ -1417,6 +1452,8 @@ static void pam_forwarder_cb(struct tevent_req *req)

     ret = pam_check_user_search(preq);

     if (ret == EOK) {

         pam_dom_forwarder(preq);

+    } else if  (ret == ENOENT) {

+        ret = pam_cmd_assume_upn(preq);

     }

 done:

@@ -1694,6 +1731,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,

         }

         pam_dom_forwarder(preq);

+    } else if (ret == ENOENT) {

+        ret = pam_cmd_assume_upn(preq);

     }

     ret = pam_check_user_done(preq, ret);

-- 

2.4.11