author | Sumit Bose <sbose@redhat.com> | 2016-07-22 16:01:38 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-07-29 14:45:11 +0200 |
commit | 62df78512145db94b51c5573d4df1737197e368a (patch) | |
tree | 88e8eb8e3ed032bc26718ddcf1eeae65a0cbe849 /src/responder/nss | |
parent | 3381d9736b698d6111d10e219a0b5b898a4c757c (diff) | |
NSS: use different neg cache name for UPN searches
If Kerberos principals or email addresses have the same domain suffix as
the domain itself, the first user lookup by name might already have added
the name to the negative cache, and the second lookup by UPN/email will
then skip the domain because of the neg cache entry. To avoid this, a
special name with a '@' prefix is used here.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/responder/nss')
-rw-r--r-- | src/responder/nss/nsssrv_cmd.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index cd15b4188..f3b6ac4af 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1002,6 +1002,7 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
 struct ldb_message *msg;
 const char *extra_flag = NULL;
 const char *sysdb_name;
+ char *neg_cache_name;
 nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
@@ -1031,9 +1032,15 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
 return ENOMEM;
 }
+ if (cmdctx->name_is_upn) {
+ neg_cache_name = talloc_asprintf(name, "@%s", name);
+ } else {
+ neg_cache_name = name;
+ }
+
 /* verify this user has not yet been negatively cached,
 * or has been permanently filtered */
- ret = sss_ncache_check_user(nctx->rctx->ncache, dom, name);
+ ret = sss_ncache_check_user(nctx->rctx->ncache, dom, neg_cache_name);
 /* if neg cached, return we didn't find it */
 if (ret == EEXIST) {
@@ -1130,7 +1137,8 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
 if (dctx->res->count == 0 && !dctx->check_provider) {
 /* set negative cache only if not result of cache check */
- ret = sss_ncache_set_user(nctx->rctx->ncache, false, dom, name);
+ ret = sss_ncache_set_user(nctx->rctx->ncache, false, dom,
+ neg_cache_name);
 if (ret != EOK) {
 DEBUG(SSSDBG_MINOR_FAILURE, "Cannot set negcache for %s\n", name); |
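Review bot: The result of `talloc_asprintf(name, "@%s", name)` in the second hunk is used without a NULL check, so on allocation failure `neg_cache_name` is NULL when it reaches `sss_ncache_check_user()` here and `sss_ncache_set_user()` in the last hunk. Adding `if (neg_cache_name == NULL) { return ENOMEM; }` inside the `name_is_upn` branch would match the `return ENOMEM;` visible just above it. The comment above the check says it also covers permanently filtered users; whether filter entries can match the `@`-prefixed key is not visible in this hunk and is worth confirming, so that a filtered name is not resolved through the UPN path. The function body starts and ends outside the hunk.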
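Review bot: The failure message under the changed `sss_ncache_set_user()` call in the last hunk still prints `name`, while the entry is now stored under `neg_cache_name`, so a failed negative-cache write for a UPN lookup is logged under the plain name. Passing `neg_cache_name` to that `DEBUG` call would make the log show the key that was actually attempted. The enclosing block continues past the end of the hunk.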