|
|
1c5238 |
From 29aa434816ce6ae2aaf3b0bcf24b89f05f426d1b Mon Sep 17 00:00:00 2001
|
|
|
1c5238 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
1c5238 |
Date: Tue, 22 Nov 2022 13:39:26 +0100
|
|
|
1c5238 |
Subject: [PATCH 18/19] ipa: do not add guessed principal to the cache
|
|
|
1c5238 |
|
|
|
1c5238 |
Currently on IPA clients a calculated principal based on the user name
|
|
|
1c5238 |
and the Kerberos realm is added to the cached user object. This code is
|
|
|
1c5238 |
quite old and might have been necessary at times when sub-domain support
|
|
|
1c5238 |
was added to SSSD. But since quite some time SSSD is capable of
|
|
|
1c5238 |
generating the principal on the fly during authentication if nothing is
|
|
|
1c5238 |
stored in the cache.
|
|
|
1c5238 |
|
|
|
1c5238 |
Removing the code makes the cache more consistent with other use-cases,
|
|
|
1c5238 |
e.g. with the IPA server where this attribute is empty, and allows to
|
|
|
1c5238 |
properly detect a missing UPN, e.g. during the PAC validation.
|
|
|
1c5238 |
|
|
|
1c5238 |
Resolves: https://github.com/SSSD/sssd/issues/6451
|
|
|
1c5238 |
|
|
|
1c5238 |
(cherry picked from commit b3d7a4f6d4e1d4fa1bd33b296cd4301973f1860c)
|
|
|
1c5238 |
|
|
|
1c5238 |
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
|
1c5238 |
---
|
|
|
1c5238 |
src/providers/ipa/ipa_s2n_exop.c | 44 --------------------------------
|
|
|
1c5238 |
1 file changed, 44 deletions(-)
|
|
|
1c5238 |
|
|
|
1c5238 |
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
|
|
1c5238 |
index c68c1de26..81927a6b8 100644
|
|
|
1c5238 |
--- a/src/providers/ipa/ipa_s2n_exop.c
|
|
|
1c5238 |
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
|
|
1c5238 |
@@ -2467,8 +2467,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
|
|
1c5238 |
time_t now;
|
|
|
1c5238 |
struct sss_nss_homedir_ctx homedir_ctx;
|
|
|
1c5238 |
char *name = NULL;
|
|
|
1c5238 |
- char *realm;
|
|
|
1c5238 |
- char *short_name = NULL;
|
|
|
1c5238 |
char *upn = NULL;
|
|
|
1c5238 |
gid_t gid;
|
|
|
1c5238 |
gid_t orig_gid = 0;
|
|
|
1c5238 |
@@ -2607,48 +2605,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
|
|
1c5238 |
goto done;
|
|
|
1c5238 |
}
|
|
|
1c5238 |
|
|
|
1c5238 |
- if (upn == NULL) {
|
|
|
1c5238 |
- /* We also have to store a fake UPN here, because otherwise the
|
|
|
1c5238 |
- * krb5 child later won't be able to properly construct one as
|
|
|
1c5238 |
- * the username is fully qualified but the child doesn't have
|
|
|
1c5238 |
- * access to the regex to deconstruct it */
|
|
|
1c5238 |
- /* FIXME: The real UPN is available from the PAC, we should get
|
|
|
1c5238 |
- * it from there. */
|
|
|
1c5238 |
- realm = get_uppercase_realm(tmp_ctx, dom->name);
|
|
|
1c5238 |
- if (!realm) {
|
|
|
1c5238 |
- DEBUG(SSSDBG_OP_FAILURE, "failed to get realm.\n");
|
|
|
1c5238 |
- ret = ENOMEM;
|
|
|
1c5238 |
- goto done;
|
|
|
1c5238 |
- }
|
|
|
1c5238 |
-
|
|
|
1c5238 |
- ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
|
|
|
1c5238 |
- &short_name, NULL);
|
|
|
1c5238 |
- if (ret != EOK) {
|
|
|
1c5238 |
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
1c5238 |
- "Cannot parse internal name %s\n",
|
|
|
1c5238 |
- attrs->a.user.pw_name);
|
|
|
1c5238 |
- goto done;
|
|
|
1c5238 |
- }
|
|
|
1c5238 |
-
|
|
|
1c5238 |
- upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
|
|
|
1c5238 |
- if (!upn) {
|
|
|
1c5238 |
- DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
|
|
|
1c5238 |
- ret = ENOMEM;
|
|
|
1c5238 |
- goto done;
|
|
|
1c5238 |
- }
|
|
|
1c5238 |
-
|
|
|
1c5238 |
- /* We might already have the SID or the UPN from other sources
|
|
|
1c5238 |
- * hence sysdb_attrs_add_string_safe is used to avoid double
|
|
|
1c5238 |
- * entries. */
|
|
|
1c5238 |
- ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs, SYSDB_UPN,
|
|
|
1c5238 |
- upn);
|
|
|
1c5238 |
- if (ret != EOK) {
|
|
|
1c5238 |
- DEBUG(SSSDBG_OP_FAILURE,
|
|
|
1c5238 |
- "sysdb_attrs_add_string failed.\n");
|
|
|
1c5238 |
- goto done;
|
|
|
1c5238 |
- }
|
|
|
1c5238 |
- }
|
|
|
1c5238 |
-
|
|
|
1c5238 |
if (req_input->type == REQ_INP_SECID) {
|
|
|
1c5238 |
ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs,
|
|
|
1c5238 |
SYSDB_SID_STR,
|
|
|
1c5238 |
--
|
|
|
1c5238 |
2.37.3
|
|
|
1c5238 |
|