
From 29aa434816ce6ae2aaf3b0bcf24b89f05f426d1b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 22 Nov 2022 13:39:26 +0100
Subject: [PATCH 18/19] ipa: do not add guessed principal to the cache
Currently on IPA clients a calculated principal based on the user name
and the Kerberos realm is added to the cached user object. This code is
quite old and might have been necessary at times when sub-domain support
was added to SSSD. But for quite some time SSSD has been capable of
generating the principal on the fly during authentication if nothing is
stored in the cache.
Removing the code makes the cache more consistent with other use-cases,
e.g. with the IPA server where this attribute is empty, and allows to
properly detect a missing UPN, e.g. during the PAC validation.
Resolves: https://github.com/SSSD/sssd/issues/6451
(cherry picked from commit b3d7a4f6d4e1d4fa1bd33b296cd4301973f1860c)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
 src/providers/ipa/ipa_s2n_exop.c | 44 --------------------------------
 1 file changed, 44 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index c68c1de26..81927a6b8 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -2467,8 +2467,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
     time_t now;
     struct sss_nss_homedir_ctx homedir_ctx;
     char *name = NULL;
-    char *realm;
-    char *short_name = NULL;
     char *upn = NULL;
     gid_t gid;
     gid_t orig_gid = 0;
@@ -2607,48 +2605,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
                 goto done;
             }
 
-            if (upn == NULL) {
-                /* We also have to store a fake UPN here, because otherwise the
-                 * krb5 child later won't be able to properly construct one as
-                 * the username is fully qualified but the child doesn't have
-                 * access to the regex to deconstruct it */
-                /* FIXME: The real UPN is available from the PAC, we should get
-                 * it from there. */
-                realm = get_uppercase_realm(tmp_ctx, dom->name);
-                if (!realm) {
-                    DEBUG(SSSDBG_OP_FAILURE, "failed to get realm.\n");
-                    ret = ENOMEM;
-                    goto done;
-                }
-
-                ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
-                                                &short_name, NULL);
-                if (ret != EOK) {
-                    DEBUG(SSSDBG_CRIT_FAILURE,
-                          "Cannot parse internal name %s\n",
-                          attrs->a.user.pw_name);
-                    goto done;
-                }
-
-                upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
-                if (!upn) {
-                    DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
-                    ret = ENOMEM;
-                    goto done;
-                }
-
-                /* We might already have the SID or the UPN from other sources
-                 * hence sysdb_attrs_add_string_safe is used to avoid double
-                 * entries. */
-                ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs, SYSDB_UPN,
-                                                  upn);
-                if (ret != EOK) {
-                    DEBUG(SSSDBG_OP_FAILURE,
-                          "sysdb_attrs_add_string failed.\n");
-                    goto done;
-                }
-            }
-
             if (req_input->type == REQ_INP_SECID) {
                 ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs,
                                                   SYSDB_SID_STR,
-- 
2.37.3