From e5b8922062e127d1014609df16f1909da49850bf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 22 Jul 2016 16:01:38 +0200
Subject: [PATCH 59/62] NSS: use different neg cache name for UPN searches
If Kerberos principals or email addresses have the same domain suffix as
the domain itself the first user lookup by name might have already added
the name to the negative cache and the second lookup by UPN/email will
skip the domain because of the neg cache entry. To avoid this a special
name with a '@' prefix is used here.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 62df78512145db94b51c5573d4df1737197e368a)
---
src/responder/nss/nsssrv_cmd.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index cd15b41886ad046d1d70dbd8ad54af5a4eccee5d..f3b6ac4afb5d1571f283933b48e0256b91c56391 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1002,6 +1002,7 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
struct ldb_message *msg;
const char *extra_flag = NULL;
const char *sysdb_name;
+ char *neg_cache_name;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
@@ -1031,9 +1032,15 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
return ENOMEM;
}
+ if (cmdctx->name_is_upn) {
+ neg_cache_name = talloc_asprintf(name, "@%s", name);
+ } else {
+ neg_cache_name = name;
+ }
+
/* verify this user has not yet been negatively cached,
* or has been permanently filtered */
- ret = sss_ncache_check_user(nctx->rctx->ncache, dom, name);
+ ret = sss_ncache_check_user(nctx->rctx->ncache, dom, neg_cache_name);
/* if neg cached, return we didn't find it */
if (ret == EEXIST) {
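Review bot: The `talloc_asprintf` result in the `name_is_upn` branch is never checked, so on allocation failure `neg_cache_name` is NULL and is passed straight into `sss_ncache_check_user` on the next changed line; the allocation just above this hunk returns ENOMEM when it fails, and this one should follow the same pattern: `if (neg_cache_name == NULL) { return ENOMEM; }`. If `name` is declared `const char *` (its declaration is outside the hunk), the `neg_cache_name = name;` assignment discards the qualifier, and since the new variable is only ever read, declaring it `const char *neg_cache_name` in the first hunk would avoid the warning. The enclosing function `nss_cmd_getpwnam_search` begins and ends outside this hunk.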
@@ -1130,7 +1137,8 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
if (dctx->res->count == 0 && !dctx->check_provider) {
/* set negative cache only if not result of cache check */
- ret = sss_ncache_set_user(nctx->rctx->ncache, false, dom, name);
+ ret = sss_ncache_set_user(nctx->rctx->ncache, false, dom,
+ neg_cache_name);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Cannot set negcache for %s\n",
name);
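Review bot: The failure message in the `DEBUG` call still prints `name`, while the entry that could not be stored is now keyed by `neg_cache_name`, so for a UPN lookup the log shows a different string from the one actually used as the negative-cache key; passing `neg_cache_name` to `DEBUG` keeps the message consistent with the changed `sss_ncache_set_user` argument. Whether other `sss_ncache_set_user` or `sss_ncache_check_user` calls for this lookup exist elsewhere in the function cannot be seen from the hunk, but any that remain keyed by `name` would reintroduce the mismatch the commit is fixing. The enclosing function continues past the end of this hunk.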
--
2.4.11