authorSumit Bose <sbose@redhat.com>2012-10-24 10:01:09 +0200
committerJakub Hrozek <jhrozek@redhat.com>2012-11-05 00:14:05 +0100
commit2740f251044837ea88409faa79b29bfd9716a234 (patch)
treec1b79fec723c646e73026f05447f36b940f07dc2 /src/providers/krb5/krb5_auth.c
parent983fab6286fa68b8586d7f20850491dc5ec22188 (diff)
krb5_auth: update with correct UPN if needed
The Active Directory KDC handles requests case-insensitively, and it might not always be possible to guess the UPN with the correct case. We check if the returned principal has a different case than the one used in the request and update the principal if needed. This will help when using calls from the Kerberos client libraries later on, which would otherwise fail because the principal is handled case-sensitively by those libraries.
Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
-rw-r--r--src/providers/krb5/krb5_auth.c30
1 files changed, 30 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index c1f9f14b1..f2e00fac1 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -782,6 +782,36 @@ static void krb5_child_done(struct tevent_req *subreq)
}
}
+ /* Check if the cases of our upn are correct and update it if needed.
+ * Fail if the upn differs by more than just the case. */
+ if (res->correct_upn != NULL &&
+ strcmp(kr->upn, res->correct_upn) != 0) {
+ if (strcasecmp(kr->upn, res->correct_upn) == 0) {
+ talloc_free(kr->upn);
+ kr->upn = talloc_strdup(kr, res->correct_upn);
+ if (kr->upn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = check_if_cached_upn_needs_update(state->sysdb, pd->user,
+ res->correct_upn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("check_if_cached_upn_needs_update failed.\n"));
+ goto done;
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("UPN used in the request [%s] and " \
+ "returned UPN [%s] differ by more " \
+ "than just the case.\n",
+ kr->upn, res->correct_upn));
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
/* If the child request failed, but did not return an offline error code,
* return with the status */
if (res->msg_status != PAM_SUCCESS &&
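Review bot: The UPN rewrite and the `check_if_cached_upn_needs_update()` sysdb call sit above the `res->msg_status != PAM_SUCCESS` check, so they run whatever the authentication result was; if the child can set `correct_upn` on a failed request, a failed login would still change `kr->upn` and the cached UPN. Unless that is intended, gate the block on the status, e.g. `if (res->msg_status == PAM_SUCCESS && res->correct_upn != NULL &&`, or add a comment explaining why updating before the status check is safe. Separately, `talloc_free(kr->upn)` runs before the copy is made, so on ENOMEM `kr->upn` is left NULL for whatever the `done:` path and later users of `kr` do with it; duplicating into a temporary first and freeing the old string only after the NULL check avoids that. `strcasecmp()` is also locale-dependent and byte-oriented, which deserves a comment because it decides whether a KDC-returned principal is accepted as "the same" one. krb5_child_done starts and ends outside the hunk, so the `done:` handling is not visible here.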