authorJakub Hrozek <jhrozek@redhat.com>2013-06-27 12:02:34 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-27 18:42:40 +0200
commit80a874555d8b2737827bb150133ba70a83c65bb7 (patch)
tree398263b162d67425304ed0415dc5bdba552019bf
parent895ba2c346beb7e55d43be3d0c7f54fd287faa74 (diff)
KRB5: guess UPN for subdomain users
-rw-r--r--src/providers/krb5/krb5_access.c2
-rw-r--r--src/providers/krb5/krb5_auth.c2
-rw-r--r--src/providers/krb5/krb5_common.c47
-rw-r--r--src/providers/krb5/krb5_common.h2
-rw-r--r--src/providers/krb5/krb5_renew_tgt.c2
-rw-r--r--src/providers/krb5/krb5_utils.c4
-rw-r--r--src/providers/krb5/krb5_utils.h2
7 files changed, 43 insertions, 18 deletions
diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c
index c4ee672f8..8caed7c69 100644
--- a/src/providers/krb5/krb5_access.c
+++ b/src/providers/krb5/krb5_access.c
@@ -103,7 +103,7 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
break;
case 1:
ret = find_or_guess_upn(state, res->msgs[0], krb5_ctx,
- be_ctx->domain->name, pd->user, pd->domain,
+ be_ctx->domain, pd->user, pd->domain,
&state->kr->upn);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("find_or_guess_upn failed.\n"));
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index dfd22f7a3..22495f570 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -594,7 +594,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
case 1:
ret = find_or_guess_upn(state, res->msgs[0], krb5_ctx,
- be_ctx->domain->name, pd->user, pd->domain,
+ be_ctx->domain, pd->user, pd->domain,
&kr->upn);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("find_or_guess_upn failed.\n"));
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 9db14b8a6..4bf071eef 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -884,41 +884,66 @@ errno_t krb5_install_sigterm_handler(struct tevent_context *ev,
}
errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
- const char *domain_name, const char *username,
+ struct sss_domain_info *dom, const char *username,
const char *user_dom, char **_upn)
{
const char *realm = NULL;
char *uc_dom = NULL;
char *upn;
+ char *name;
+ char *domname;
+ TALLOC_CTX *tmp_ctx = NULL;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_new failed.\n"));
+ return ENOMEM;
+ }
- if (user_dom != NULL && domain_name != NULL &&
- strcasecmp(domain_name,user_dom) != 0) {
- uc_dom = get_uppercase_realm(mem_ctx, user_dom);
+ if (user_dom != NULL && dom->name != NULL &&
+ strcasecmp(dom->name, user_dom) != 0) {
+ uc_dom = get_uppercase_realm(tmp_ctx, user_dom);
if (uc_dom == NULL) {
DEBUG(SSSDBG_OP_FAILURE, ("get_uppercase_realm failed.\n"));
- return ENOMEM;
+ ret = ENOMEM;
+ goto done;
}
} else {
realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM);
if (realm == NULL) {
DEBUG(SSSDBG_OP_FAILURE, ("Missing Kerberos realm.\n"));
- return ENOENT;
+ ret = ENOMEM;
+ goto done;
}
}
+ /* Subdomains already have a fully qualified name, which contains
+ * the domain name. We need to replace it with the realm name
+ */
+ ret = sss_parse_name(tmp_ctx, dom->names, username, &domname, &name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Could not parse %s into name and " \
+ "domain components, login might fail\n"));
+ name = username;
+ }
+
/* NOTE: this is a hack, works only in some environments */
- upn = talloc_asprintf(mem_ctx, "%s@%s", username,
+ upn = talloc_asprintf(tmp_ctx, "%s@%s", name,
realm != NULL ? realm : uc_dom);
- talloc_free(uc_dom);
if (upn == NULL) {
DEBUG(1, ("talloc_asprintf failed.\n"));
- return ENOMEM;
+ ret = ENOMEM;
+ goto done;
}
DEBUG(9, ("Using simple UPN [%s].\n", upn));
- *_upn = upn;
- return EOK;
+ *_upn = talloc_steal(mem_ctx, upn);
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
}
errno_t compare_principal_realm(const char *upn, const char *realm,
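Review bot: The added DEBUG call in the sss_parse_name failure path uses a `%s` conversion but passes no matching argument, so the variadic read on that path is undefined behaviour (and under -Wformat a warning); it should be `DEBUG(SSSDBG_OP_FAILURE, ("Could not parse %s into name and domain components, login might fail\n", username));`. The rewritten "Missing Kerberos realm" branch now sets `ret = ENOMEM;` where the old code returned ENOENT, which misreports a configuration error as an allocation failure to callers; keep `ret = ENOENT;`. The fallback `name = username;` assigns a `const char *` to the `char *` that sss_parse_name fills in, discarding the qualifier; a separate `const char *login = (ret == EOK) ? name : username;` used in the talloc_asprintf avoids that. The domain component that sss_parse_name returns in `domname` is never consulted, so a fully qualified name whose domain part disagrees with `user_dom` is silently keyed to the realm chosen earlier — presumably intended for this "hack", but worth a comment if so.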
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 501cdef10..9eb602cfb 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -182,7 +182,7 @@ errno_t write_krb5info_file(const char *realm, const char *kdc,
errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm);
errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
- const char *domain_name, const char *username,
+ struct sss_domain_info *dom, const char *username,
const char *user_dom, char **_upn);
errno_t compare_principal_realm(const char *upn, const char *realm,
diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c
index 0b1f26fd3..d6cdff8f8 100644
--- a/src/providers/krb5/krb5_renew_tgt.c
+++ b/src/providers/krb5/krb5_renew_tgt.c
@@ -442,7 +442,7 @@ static errno_t check_ccache_files(struct renew_tgt_ctx *renew_tgt_ctx)
}
ret = find_or_guess_upn(tmp_ctx, msgs[c], renew_tgt_ctx->krb5_ctx,
- renew_tgt_ctx->be_ctx->domain->name,
+ renew_tgt_ctx->be_ctx->domain,
user_name, user_dom, &upn);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("find_or_guess_upn failed.\n"));
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 3f16faa7f..1f7ed0745 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -32,7 +32,7 @@
errno_t find_or_guess_upn(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
struct krb5_ctx *krb5_ctx,
- const char *domain_name, const char *user,
+ struct sss_domain_info *dom, const char *user,
const char *user_dom, char **_upn)
{
const char *upn;
@@ -40,7 +40,7 @@ errno_t find_or_guess_upn(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
upn = ldb_msg_find_attr_as_string(msg, SYSDB_UPN, NULL);
if (upn == NULL) {
- ret = krb5_get_simple_upn(mem_ctx, krb5_ctx, domain_name, user,
+ ret = krb5_get_simple_upn(mem_ctx, krb5_ctx, dom, user,
user_dom, _upn);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("krb5_get_simple_upn failed.\n"));
diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
index aad2770d4..2e1bec717 100644
--- a/src/providers/krb5/krb5_utils.h
+++ b/src/providers/krb5/krb5_utils.h
@@ -34,7 +34,7 @@
errno_t find_or_guess_upn(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
struct krb5_ctx *krb5_ctx,
- const char *domain_name, const char *user,
+ struct sss_domain_info *dom, const char *user,
const char *user_dom, char **_upn);
errno_t check_if_cached_upn_needs_update(struct sysdb_ctx *sysdb,