author | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-27 12:02:34 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-27 18:42:40 +0200 |
commit | 80a874555d8b2737827bb150133ba70a83c65bb7 (patch) | |
tree | 398263b162d67425304ed0415dc5bdba552019bf /src/providers | |
parent | 895ba2c346beb7e55d43be3d0c7f54fd287faa74 (diff) | |
KRB5: guess UPN for subdomain users
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/krb5/krb5_access.c | 2 | ||||
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 2 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.c | 47 | ||||
-rw-r--r-- | src/providers/krb5/krb5_common.h | 2 | ||||
-rw-r--r-- | src/providers/krb5/krb5_renew_tgt.c | 2 | ||||
-rw-r--r-- | src/providers/krb5/krb5_utils.c | 4 | ||||
-rw-r--r-- | src/providers/krb5/krb5_utils.h | 2 |
7 files changed, 43 insertions, 18 deletions
diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c index c4ee672f..8caed7c6 100644 --- a/src/providers/krb5/krb5_access.c +++ b/src/providers/krb5/krb5_access.c @@ -103,7 +103,7 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx, break; case 1: ret = find_or_guess_upn(state, res->msgs[0], krb5_ctx, - be_ctx->domain->name, pd->user, pd->domain, + be_ctx->domain, pd->user, pd->domain, &state->kr->upn); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("find_or_guess_upn failed.\n")); diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index dfd22f7a..22495f57 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -594,7 +594,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, case 1: ret = find_or_guess_upn(state, res->msgs[0], krb5_ctx, - be_ctx->domain->name, pd->user, pd->domain, + be_ctx->domain, pd->user, pd->domain, &kr->upn); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("find_or_guess_upn failed.\n")); diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c index 9db14b8a..4bf071ee 100644 --- a/src/providers/krb5/krb5_common.c +++ b/src/providers/krb5/krb5_common.c 
@@ -884,41 +884,66 @@ errno_t krb5_install_sigterm_handler(struct tevent_context *ev, } errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx, - const char *domain_name, const char *username, + struct sss_domain_info *dom, const char *username, const char *user_dom, char **_upn) { const char *realm = NULL; char *uc_dom = NULL; char *upn; + char *name; + char *domname; + TALLOC_CTX *tmp_ctx = NULL; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_new failed.\n")); + return ENOMEM; + } - if (user_dom != NULL && domain_name != NULL && - strcasecmp(domain_name,user_dom) != 0) { - uc_dom = get_uppercase_realm(mem_ctx, user_dom); + if (user_dom != NULL && dom->name != NULL && + strcasecmp(dom->name, user_dom) != 0) { + uc_dom = get_uppercase_realm(tmp_ctx, user_dom); if (uc_dom == NULL) { DEBUG(SSSDBG_OP_FAILURE, ("get_uppercase_realm failed.\n")); - return ENOMEM; + ret = ENOMEM; + goto done; } } else { realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM); if (realm == NULL) { DEBUG(SSSDBG_OP_FAILURE, ("Missing Kerberos realm.\n")); - return ENOENT; + ret = ENOMEM; + goto done; } } + /* Subdomains already have a fully qualified name, which contains + * the domain name. We need to replace it with the realm name + */ + ret = sss_parse_name(tmp_ctx, dom->names, username, &domname, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("Could not parse %s into name and " \ + "domain components, login might fail\n")); + name = username; + } + /* NOTE: this is a hack, works only in some environments */ - upn = talloc_asprintf(mem_ctx, "%s@%s", username, + upn = talloc_asprintf(tmp_ctx, "%s@%s", name, realm != NULL ? 
realm : uc_dom); - talloc_free(uc_dom); if (upn == NULL) { DEBUG(1, ("talloc_asprintf failed.\n")); - return ENOMEM; + ret = ENOMEM; + goto done; } DEBUG(9, ("Using simple UPN [%s].\n", upn)); - *_upn = upn; - return EOK; + *_upn = talloc_steal(mem_ctx, upn); + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; } errno_t compare_principal_realm(const char *upn, const char *realm, diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h index 501cdef1..9eb602cf 100644 --- a/src/providers/krb5/krb5_common.h +++ b/src/providers/krb5/krb5_common.h @@ -182,7 +182,7 @@ errno_t write_krb5info_file(const char *realm, const char *kdc, errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm); errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx, - const char *domain_name, const char *username, + struct sss_domain_info *dom, const char *username, const char *user_dom, char **_upn); errno_t compare_principal_realm(const char *upn, const char *realm, diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c index 0b1f26fd..d6cdff8f 100644 --- a/src/providers/krb5/krb5_renew_tgt.c +++ b/src/providers/krb5/krb5_renew_tgt.c @@ -442,7 +442,7 @@ static errno_t check_ccache_files(struct renew_tgt_ctx *renew_tgt_ctx) } ret = find_or_guess_upn(tmp_ctx, msgs[c], renew_tgt_ctx->krb5_ctx, - renew_tgt_ctx->be_ctx->domain->name, + renew_tgt_ctx->be_ctx->domain, user_name, user_dom, &upn); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("find_or_guess_upn failed.\n")); diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c index 3f16faa7..1f7ed074 100644 --- a/src/providers/krb5/krb5_utils.c +++ b/src/providers/krb5/krb5_utils.c 
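Review bot: The new fallback log line in krb5_get_simple_upn, `DEBUG(SSSDBG_OP_FAILURE, ("Could not parse %s into name and " "domain components, login might fail\n"));`, has a `%s` conversion but no matching argument, so whenever that debug level is enabled the formatter reads an unspecified value — a crash or a leak of stack contents into the log on exactly the path (a login name that sss_parse_name rejects) that an unauthenticated user controls; it should read `("Could not parse %s into name and domain components, login might fail\n", username)`. In the same hunk the missing-realm branch was changed from `return ENOENT;` to `ret = ENOMEM; goto done;`, which reports a configuration problem to callers and their logs as an allocation failure; it should stay `ret = ENOENT;` now that the cleanup goes through `done`. The switch to `struct sss_domain_info *dom` also dereferences `dom->name` and `dom->names` unconditionally where the old code tolerated a NULL `domain_name`; this looks safe because every call site in this commit passes `be_ctx->domain`, but a one-line comment on the prototype, `/* dom must be non-NULL; its name and names are read unconditionally */`, would make that contract explicit.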
@@ -32,7 +32,7 @@ errno_t find_or_guess_upn(TALLOC_CTX *mem_ctx, struct ldb_message *msg, struct krb5_ctx *krb5_ctx, - const char *domain_name, const char *user, + struct sss_domain_info *dom, const char *user, const char *user_dom, char **_upn) { const char *upn; @@ -40,7 +40,7 @@ errno_t find_or_guess_upn(TALLOC_CTX *mem_ctx, struct ldb_message *msg, upn = ldb_msg_find_attr_as_string(msg, SYSDB_UPN, NULL); if (upn == NULL) { - ret = krb5_get_simple_upn(mem_ctx, krb5_ctx, domain_name, user, + ret = krb5_get_simple_upn(mem_ctx, krb5_ctx, dom, user, user_dom, _upn); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("krb5_get_simple_upn failed.\n")); diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h index aad2770d..2e1bec71 100644 --- a/src/providers/krb5/krb5_utils.h +++ b/src/providers/krb5/krb5_utils.h @@ -34,7 +34,7 @@ errno_t find_or_guess_upn(TALLOC_CTX *mem_ctx, struct ldb_message *msg, struct krb5_ctx *krb5_ctx, - const char *domain_name, const char *user, + struct sss_domain_info *dom, const char *user, const char *user_dom, char **_upn); errno_t check_if_cached_upn_needs_update(struct sysdb_ctx *sysdb, |