From b93f618189d9906802c79d3090fcc477f762e6e6 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 9 Aug 2016 22:08:27 +0200
Subject: [PATCH 122/126] IPA: Parse qualified names when guessing AD user
principal
Most AD users store their UPN in an attribute. If they don't, or the sssd
was configured (typically in earlier versions to work around a bug) to not
look at the principal attribute, then sssd is supposed to guess
the attribute.
That currently doesn't work in 1.14, because the username is already
qualified and then we also append the realm name to it. We need to parse
the simple username from the qualified name first.
The issue can be reproduced simply by authenticating as the Administrator
account in IPA-AD trust setups.
Resolves:
https://fedorahosted.org/sssd/ticket/3127
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 255dad45037a6cb8f399bf2df500215f6fb25b59..bfa6757046282d656627aa57cb9054b09facd2b8 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1941,6 +1941,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
struct sss_nss_homedir_ctx homedir_ctx;
char *name = NULL;
char *realm;
+ char *short_name = NULL;
char *upn = NULL;
gid_t gid;
gid_t orig_gid = 0;
@@ -2092,8 +2093,17 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
ret = ENOMEM;
goto done;
}
- upn = talloc_asprintf(tmp_ctx, "%s@%s",
- attrs->a.user.pw_name, realm);
+
+ ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
+ &short_name, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse internal name %s\n",
+ attrs->a.user.pw_name);
+ goto done;
+ }
+
+ upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
if (!upn) {
DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
ret = ENOMEM;
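Review bot: The new `ret = sss_parse_internal_fqname(...)` call turns a failed name split into a hard failure of the whole save via `goto done`, whereas the replaced `talloc_asprintf` always produced some UPN; if `attrs->a.user.pw_name` can still arrive unqualified on any path into this function, the user object would now not be saved at all instead of getting a guessed principal, so it is worth confirming that every caller hands in a qualified name, or falling back to `pw_name` itself when the parse fails rather than aborting. The reason for the extra parsing step is only in the commit message, not in the code; a comment above the call such as `/* pw_name is already qualified (user@domain); strip the domain so the guessed UPN is user@REALM, not user@domain@REALM */` would stop the next reader from "simplifying" it away. The enclosing ipa_s2n_save_objects and its done: label are outside the hunk.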
--
2.4.11