authorJakub Hrozek <jhrozek@redhat.com>2016-08-09 22:08:27 +0200
committerLukas Slebodnik <lslebodn@redhat.com>2016-08-26 21:17:16 +0200
commit0302e3e7b3b06b809bd63c7911a42ab3e0a7ebf9 (patch)
treee4494a093d95165f4696390c13427d23ae2cb18f
parentafa6891a809db262a49f68913f82a3a6137d8e2e (diff)
downloadsssd-0302e3e7b3b06b809bd63c7911a42ab3e0a7ebf9.tar.gz
sssd-0302e3e7b3b06b809bd63c7911a42ab3e0a7ebf9.tar.xz
sssd-0302e3e7b3b06b809bd63c7911a42ab3e0a7ebf9.zip
IPA: Parse qualified names when guessing AD user principal
Most AD users store their UPN in an attribute. If they don't, or sssd was configured (typically in earlier versions, to work around a bug) to not look at the principal attribute, then sssd is supposed to guess the principal. That currently doesn't work in 1.14, because the username is already qualified, and we then also append the realm name to it. We need to parse the simple username from the qualified name first. The issue can be reproduced simply by authenticating as the Administrator account in IPA-AD trust setups. Resolves: https://fedorahosted.org/sssd/ticket/3127 Reviewed-by: Sumit Bose <sbose@redhat.com>
-rw-r--r--src/providers/ipa/ipa_s2n_exop.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index a8c415b4c..07bbb2b4d 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1941,6 +1941,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
struct sss_nss_homedir_ctx homedir_ctx;
char *name = NULL;
char *realm;
+ char *short_name = NULL;
char *upn = NULL;
gid_t gid;
gid_t orig_gid = 0;
@@ -2092,8 +2093,17 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
ret = ENOMEM;
goto done;
}
- upn = talloc_asprintf(tmp_ctx, "%s@%s",
- attrs->a.user.pw_name, realm);
+
+ ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
+ &short_name, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse internal name %s\n",
+ attrs->a.user.pw_name);
+ goto done;
+ }
+
+ upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
if (!upn) {
DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
ret = ENOMEM;
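Review bot: The parse block added just before the talloc_asprintf call does not say why the short name is needed, and the reason lives only in the commit message; a one-line comment would stop the next reader from "simplifying" it back: `/* pw_name is the internal fully-qualified name (user@domain); build the guessed UPN from the short name only, otherwise we would produce user@domain@REALM. */`. The new failure branch also turns a name that sss_parse_internal_fqname rejects into a hard failure of the whole save, propagating the parser's error code, whereas the removed code accepted any string; if an unqualified pw_name can still reach this point (not determinable from this hunk), a fallback to pw_name itself would be less disruptive than aborting. ipa_s2n_save_objects starts and ends outside the hunk, so the done: label and what happens to a partially saved object on this new error path cannot be checked here.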