The attached patch fixes issues with logging in as users without an
explicit UPN in a trust scenario. The simplest reproducer is to log in
as Administrator or configure sssd to not look up the principal
attribute by adding this to the server's sssd.conf
    subdomain_inherit = ldap_user_principal
    ldap_user_principal = nosuchatt

Please see the commit message for more details.

From 80dd688eaf7a20fbf6d71768c29fb7d73b315238 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Tue, 9 Aug 2016 22:08:27 +0200
Subject: [PATCH] IPA: Parse qualified names when guessing AD user principal

https://fedorahosted.org/sssd/ticket/3127

Most AD users store their UPN in an attribute. If they don't, or the sssd was
configured (typically in earlier versions to work around a bug) to not look
at the principal attribute, then sssd is supposed to guess the attribute.

That currently doesn't work in 1.14, because the username is already
qualified and then we also append the realm name to it. We need to parse
the simple username from the qualified name first.

The issue can be reproduced simply by authenticating as the Administrator
account in IPA-AD trust setups.
---
 src/providers/ipa/ipa_s2n_exop.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index a8c415b4c86ccd3bd3b180c8df835c75420fbb21..07bbb2b4d252c8ca9ada4d890c36c903c9f75773 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1941,6 +1941,7 @@ static errno_t ipa_s2n_save_objects(struct 
sss_domain_info *dom,
     struct sss_nss_homedir_ctx homedir_ctx;
     char *name = NULL;
     char *realm;
+    char *short_name = NULL;
     char *upn = NULL;
     gid_t gid;
     gid_t orig_gid = 0;
@@ -2092,8 +2093,17 @@ static errno_t ipa_s2n_save_objects(struct 
sss_domain_info *dom,
                     ret = ENOMEM;
                     goto done;
                 }
-                upn = talloc_asprintf(tmp_ctx, "%s@%s",
-                                      attrs->a.user.pw_name, realm);
+
+                ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
+                                                &short_name, NULL);
+                if (ret != EOK) {
+                    DEBUG(SSSDBG_CRIT_FAILURE,
+                          "Cannot parse internal name %s\n",
+                          attrs->a.user.pw_name);
+                    goto done;
+                }
+
+                upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
                 if (!upn) {
                     DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
                     ret = ENOMEM;
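Review bot: the new failure branch after sss_parse_internal_fqname() propagates the raw ret and logs only the name; since the commit message states that the name is always qualified in 1.14, a failure here means an unqualified name reached this point, so the DEBUG message should also carry the error (for example `"Cannot parse internal name %s [%d]: %s\n"` with `ret, sss_strerror(ret)`) to make that case diagnosable, and it is worth stating in a comment whether aborting the save is intended rather than falling back to attrs->a.user.pw_name. The two added `+` lines with no content before and after the block are whitespace-only additions.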
-- 
2.4.11
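As an added illustration (not code from the patch or from sssd itself), the C below mirrors what the commit message describes: appending the realm to an already qualified internal name versus appending it to the parsed short name. parse_short_name() is a hypothetical stand-in for sss_parse_internal_fqname(), and the user name and realm are constructed sample values.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for sssd's sss_parse_internal_fqname(): the internal
 * name is "user@domain"; copy the part before the last '@' into short_name.
 * Returns EINVAL when the name is not qualified; the patch likewise treats a
 * parse failure as fatal for the save. */
static int parse_short_name(const char *fqname, char *short_name, size_t len)
{
    const char *at = strrchr(fqname, '@');
    if (at == NULL || at == fqname) {
        return EINVAL;
    }
    size_t n = (size_t)(at - fqname);
    if (n >= len) {
        return ENOMEM;
    }
    memcpy(short_name, fqname, n);
    short_name[n] = '\0';
    return 0;
}

/* Pre-patch: the realm is appended to the already qualified internal name. */
static int guess_upn_old(const char *fqname, const char *realm, char *upn, size_t len)
{
    int n = snprintf(upn, len, "%s@%s", fqname, realm);
    return (n < 0 || (size_t)n >= len) ? ENOMEM : 0;
}

/* Post-patch: parse the short name first, then append the realm. */
static int guess_upn_new(const char *fqname, const char *realm, char *upn, size_t len)
{
    char short_name[256];
    int ret = parse_short_name(fqname, short_name, sizeof(short_name));
    if (ret != 0) {
        return ret;
    }
    int n = snprintf(upn, len, "%s@%s", short_name, realm);
    return (n < 0 || (size_t)n >= len) ? ENOMEM : 0;
}

/* Returns 1 when guess() produces exactly the expected UPN, 0 otherwise. */
static int upn_is(int (*guess)(const char *, const char *, char *, size_t),
                  const char *fqname, const char *realm, const char *expected)
{
    char upn[512];
    return guess(fqname, realm, upn, sizeof(upn)) == 0 && strcmp(upn, expected) == 0;
}
```

With the constructed input "administrator@ad.example.com" and realm "AD.EXAMPLE.COM", guess_upn_old() yields "administrator@ad.example.com@AD.EXAMPLE.COM" while guess_upn_new() yields "administrator@AD.EXAMPLE.COM".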

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
