On Thu, 2013-06-27 at 13:27 +0200, Jakub Hrozek wrote:
> Hi,
> 
> during testing I found out that we mishandle UPNs for subdomain users
> when using Kerberos authentication.
> 
> If there is no userPrincipal attribute we guess based on username@REALM.
> But for subdomain users the username is already qualified, so you end
> up with username@DOMAIN@REALM. Currently first login works fine because
> krb5 auth code treats the result as an enterprise principal. But if you
> are checking existing ccache then the krb5 code errors out because one of
> the krb5_cc_* functions treats username@DOMAIN@REALM as an invalid principal.
> 
> The attached patch checks if the username is already qualified and
> replaces the domain name with realm name when guessing the UPN. I really
> don't like the result because parsing out is inherently fragile. I think
> we should store the plain username in an additional sysdb attribute,
> too.

Or we could simply parse out the ticket received during authentication
and save the 'canonicalized principal name' in the cache.

This way you do not need to do any guesswork at all.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
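As an added illustration of the bug described in the thread (this is not the attached patch nor SSSD's own code), the naive username@REALM guess is shown beside the qualified-aware variant that swaps the domain part for the realm; principal_looks_valid() is a rough stand-in for the "more than one @" rejection the post observed, not the real krb5 check, and the sample names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Naive guess described in the post: always append "@REALM".
 * Returns 0 on success, -1 if the buffer is too small. */
static int guess_upn_naive(const char *username, const char *realm,
                           char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s@%s", username, realm);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Qualified-aware guess: if the username already carries "@DOMAIN",
 * drop that part and use the realm instead, so "user@sub.example.com"
 * becomes "user@EXAMPLE.COM" instead of "user@sub.example.com@EXAMPLE.COM".
 * As the post notes, this string parsing is fragile: it silently treats
 * any '@' in the name as a domain separator. */
static int guess_upn_qualified(const char *username, const char *realm,
                               char *out, size_t outlen)
{
    const char *at = strchr(username, '@');
    size_t userlen = at ? (size_t)(at - username) : strlen(username);
    int n = snprintf(out, outlen, "%.*s@%s", (int)userlen, username, realm);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Stand-in (assumption, not the krb5 library's logic) for the check that
 * rejects a principal string with more than one '@'. Returns 1 if the
 * string looks well formed, 0 otherwise. */
static int principal_looks_valid(const char *princ)
{
    const char *at = strchr(princ, '@');
    if (at == NULL || at == princ || at[1] == '\0') return 0;
    return strchr(at + 1, '@') == NULL;
}

int main(void)
{
    char naive[256], fixed[256];
    guess_upn_naive("user@sub.example.com", "EXAMPLE.COM", naive, sizeof(naive));
    guess_upn_qualified("user@sub.example.com", "EXAMPLE.COM", fixed, sizeof(fixed));
    printf("naive: %s (%s)\n", naive, principal_looks_valid(naive) ? "valid" : "invalid");
    printf("fixed: %s (%s)\n", fixed, principal_looks_valid(fixed) ? "valid" : "invalid");
    return 0;
}
```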

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
