authorSimo Sorce <simo@redhat.com>2012-11-16 20:25:42 +0000
committerJakub Hrozek <jhrozek@redhat.com>2012-11-19 15:30:57 +0100
commit9342c9bfb794bde7c54928d73cb41d33e3b4917f (patch)
tree0a693041fd96efdbb84c1dfb789c54d0fd6a4b6a /src/providers
parent39d3e4a184fc64c252ea276e1319ed6377d245ff (diff)
Refactor the way subdomain accounts are saved
The original sysdb code had a strong assumption that only users from one domain are saved in the database. With the subdomain feature we have changed that reality, but have not adjusted all the code around the sysdb calls to stop relying on the original assumption. One of the side effects of this incongruence is that currently group memberships do not return fully qualified names for subdomain users as they should. In order to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By saving them fully qualified we do not risk aliasing local users and having group memberships or other name-based matching code mistake a domain user for a subdomain user or vice versa.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/data_provider_be.c11
-rw-r--r--src/providers/ipa/ipa_s2n_exop.c54
2 files changed, 61 insertions, 4 deletions
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 88f968695..ec9cc51ca 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -2186,6 +2186,17 @@ int be_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
+ /* We need this for subdomains support, as they have to store fully
+ * qualified user and group names for now */
+ ret = sss_names_init(ctx->domain, cdb,
+ ctx->domain->name, &ctx->domain->names);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("fatal error setting fully qualified name format for %s\n",
+ ctx->domain->name));
+ goto fail;
+ }
+
ret = be_srv_init(ctx);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, ("fatal error setting up server bus\n"));
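Review bot: The comment on the new sss_names_init call says it exists for subdomain support, but the call only populates `ctx->domain->names` for the back end's own domain; whether the subdomain objects that ipa_s2n_exop.c later reaches through `state->dom->names` share or copy this pointer is not visible in this commit, and if they do not, `state->dom->names->fq_fmt` would dereference NULL. It is worth confirming where subdomain structs are created and either pointing the comment at that code or copying the pointer there. A sentence such as `/* subdomains rely on this pointer being propagated to their own struct sss_domain_info */` would record the dependency. be_process_init's body starts before and continues after the hunk.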
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 1a81c8609..8fc22819b 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -591,6 +591,9 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
uint64_t timeout = 10*60*60; /* FIXME: find a better timeout ! */
const char *homedir = NULL;
struct sysdb_attrs *user_attrs = NULL;
+ char *name;
+ char *realm;
+ char *upn;
ret = ipa_s2n_exop_recv(subreq, state, &result, &retoid, &retdata);
talloc_zfree(subreq);
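Review bot: `name`, `realm` and `upn` are added without initializers while the adjacent `homedir` and `user_attrs` declarations are NULL-initialized; since the three are only assigned on the RESP_USER/RESP_GROUP paths of the switch later in the function, initializing them to NULL (`char *name = NULL;`, and likewise for `realm` and `upn`) keeps the declaration style consistent and rules out any future read of an indeterminate pointer on an error path. ipa_s2n_get_user_done's body continues past the hunk.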
@@ -640,21 +643,64 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
goto done;
}
- ret = sysdb_attrs_add_string(user_attrs, SYSDB_NAME_ALIAS,
- attrs->a.user.pw_name);
+ /* we always use the fully qualified name for subdomain users */
+ name = talloc_asprintf(state, state->dom->names->fq_fmt,
+ attrs->a.user.pw_name, state->dom->name);
+ if (!name) {
+ DEBUG(SSSDBG_OP_FAILURE, ("failed to format user name.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_NAME_ALIAS, name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
+ goto done;
+ }
+
+ /* We also have to store a fake UPN here, because otherwise the
+ * krb5 child later won't be able to properly construct one as
+ * the username is fully qualified but the child doesn't have
+ * access to the regex to deconstruct it */
+ /* FIXME: The real UPN is available from the PAC, we should get
+ * it from there. */
+ realm = get_uppercase_realm(state, state->dom->name);
+ if (!realm) {
+ DEBUG(SSSDBG_OP_FAILURE, ("failed to get realm.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+ upn = talloc_asprintf(state, "%s@%s",
+ attrs->a.user.pw_name, realm);
+ if (!upn) {
+ DEBUG(SSSDBG_OP_FAILURE, ("failed to format UPN.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_UPN, upn);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
goto done;
}
- ret = sysdb_store_domuser(state->dom, attrs->a.user.pw_name, NULL,
+ ret = sysdb_store_domuser(state->dom, name, NULL,
attrs->a.user.pw_uid,
0, NULL, /* gecos */
homedir, NULL,
user_attrs, NULL, timeout, now);
break;
case RESP_GROUP:
- ret = sysdb_store_domgroup(state->dom, attrs->a.group.gr_name,
+ /* we always use the fully qualified name for subdomain users */
+ name = talloc_asprintf(state, state->dom->names->fq_fmt,
+ attrs->a.group.gr_name, state->dom->name);
+ if (!name) {
+ DEBUG(SSSDBG_OP_FAILURE, ("failed to format user name,\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_store_domgroup(state->dom, name,
attrs->a.group.gr_gid, NULL, timeout,
now);
break;
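Review bot: The RESP_GROUP branch's error path is a copy of the user branch and still reports `failed to format user name,\n` (with a trailing comma) for a group-name failure, and its comment likewise says "subdomain users"; change the message to `DEBUG(SSSDBG_OP_FAILURE, ("failed to format group name.\n"));` and the comment to `/* we always use the fully qualified name for subdomain groups */`. Both branches pass `state->dom->names->fq_fmt` — a format read from configuration rather than a string literal — straight to talloc_asprintf with a fixed pair of arguments; this is only safe if the format is validated when loaded to contain exactly the conversions these two call sites supply, which I cannot confirm from this hunk, so a comment stating that precondition (or a small helper that formats a qualified name once for both the user and group branches) would make the reliance explicit. The function begins before and ends after this hunk.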