authorJakub Hrozek <jhrozek@redhat.com>2016-06-13 12:06:39 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-07-07 10:28:25 +0200
commitfec23cc7cf28fbdac37e3413c5c9b5115d1e01b6 (patch)
treef51aa2aeb3cf0a11752b1c35cb88f55eea82e7c4
parent26c722d568b0061e0f1edb8d07093bf051d76083 (diff)
KRB5: Rely on internal fqname when constructing UPNs
Because internally, we use the same name for all users and groups regardless of the domain they belong to, we can parse the username from the qualified name in a simpler manner. Reviewed-by: Sumit Bose <sbose@redhat.com>
-rw-r--r--src/providers/krb5/krb5_common.c19
1 files changed, 9 insertions, 10 deletions
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 5f6173179..208a003e0 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -1040,28 +1040,27 @@ errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx,
}
}
- /* Subdomains already have a fully qualified name, which contains
- * the domain name. We need to replace it with the realm name
+ /* The internal username is qualified, but we are only interested in
+ * the name part
*/
- ret = sss_parse_name(tmp_ctx, dom->names, username, NULL, &name);
+ ret = sss_parse_internal_fqname(tmp_ctx, username, &name, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Could not parse [%s] into name and "
- "domain components, login might fail\n", username);
- name = discard_const(username);
+ "domain components, login might fail\n", username);
+ upn = talloc_strdup(tmp_ctx, username);
+ } else {
+ /* NOTE: this is a hack, works only in some environments */
+ upn = talloc_asprintf(tmp_ctx, "%s@%s",
+ name, realm != NULL ? realm : uc_dom);
}
- /* NOTE: this is a hack, works only in some environments */
- upn = talloc_asprintf(tmp_ctx, "%s@%s", name,
- realm != NULL ? realm : uc_dom);
if (upn == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
ret = ENOMEM;
goto done;
}
DEBUG(SSSDBG_TRACE_ALL, "Using simple UPN [%s].\n", upn);
-
*_upn = talloc_steal(mem_ctx, upn);
ret = EOK;
done:
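Review bot: On the parse-failure branch the UPN is now `talloc_strdup(tmp_ctx, username)`, so the configured `realm`/`uc_dom` is no longer applied and whatever follows an `@` in the unparsed name would presumably be treated as the realm by the Kerberos library. The removed code still appended the configured realm in that case, so this is a behaviour change that neither the new comment nor the "login might fail" message mentions. If a name that is not a valid internal fqname should not be able to pick its own realm, fail closed there: keep the DEBUG and `goto done;` with the `ret` returned by `sss_parse_internal_fqname`, or at least add a comment such as `/* fall back to the raw name; the configured realm is intentionally not appended */`. The `upn == NULL` branch also lost its `DEBUG(SSSDBG_CRIT_FAILURE, ...)` line, so an allocation failure from either call now returns ENOMEM without a log entry. The function starts before this hunk and the `done:` cleanup continues after it, so the cleanup path is not visible here.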