From e5b8922062e127d1014609df16f1909da49850bf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 22 Jul 2016 16:01:38 +0200
Subject: [PATCH 59/62] NSS: use different neg cache name for UPN searches

If Kerberos principals or email addresses have the same domain suffix as
the domain itself, the first user lookup by name might have already added
the name to the negative cache, and the second lookup by UPN/email would
then skip the domain because of the neg cache entry. To avoid this, a special
name with a '@' prefix is used here.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 62df78512145db94b51c5573d4df1737197e368a)
---
 src/responder/nss/nsssrv_cmd.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index cd15b41886ad046d1d70dbd8ad54af5a4eccee5d..f3b6ac4afb5d1571f283933b48e0256b91c56391 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1002,6 +1002,7 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
     struct ldb_message *msg;
     const char *extra_flag = NULL;
     const char *sysdb_name;
+    char *neg_cache_name;
 
     nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
 
@@ -1031,9 +1032,15 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
             return ENOMEM;
         }
 
+        if (cmdctx->name_is_upn) {
+            neg_cache_name = talloc_asprintf(name, "@%s", name);
+        } else {
+            neg_cache_name = name;
+        }
+
         /* verify this user has not yet been negatively cached,
         * or has been permanently filtered */
-        ret = sss_ncache_check_user(nctx->rctx->ncache, dom, name);
+        ret = sss_ncache_check_user(nctx->rctx->ncache, dom, neg_cache_name);
 
         /* if neg cached, return we didn't find it */
         if (ret == EEXIST) {
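Review bot: The talloc_asprintf() result on the `neg_cache_name = talloc_asprintf(name, "@%s", name);` line is never checked, so on allocation failure a NULL pointer is handed to sss_ncache_check_user() a few lines below and, further down in this function, to sss_ncache_set_user(). The surrounding code already returns ENOMEM for a failed allocation just above the new block, so the same handling belongs here: `if (neg_cache_name == NULL) {` / `    return ENOMEM;` / `}` directly after the UPN branch. The enclosing function nss_cmd_getpwnam_search starts and ends outside this hunk, and the same unchecked pointer is what the third hunk consumes.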
@@ -1130,7 +1137,8 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
 
         if (dctx->res->count == 0 && !dctx->check_provider) {
             /* set negative cache only if not result of cache check */
-            ret = sss_ncache_set_user(nctx->rctx->ncache, false, dom, name);
+            ret = sss_ncache_set_user(nctx->rctx->ncache, false, dom,
+                                      neg_cache_name);
             if (ret != EOK) {
                 DEBUG(SSSDBG_MINOR_FAILURE, "Cannot set negcache for %s\n",
                       name);
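Review bot: The "Cannot set negcache for %s" message still reports `name`, while the entry that failed to be set is now keyed by `neg_cache_name`; for UPN/email lookups the logged value will differ from the actual neg cache key, which makes diagnosing neg-cache behaviour harder. Passing `neg_cache_name);` instead of `name);` keeps the log in step with the key. The enclosing function continues outside this hunk.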
-- 
2.4.11