Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/krb5/krb5_access.c | 16 | ||||
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 27 | ||||
-rw-r--r-- | src/providers/krb5/krb5_auth.h | 2 | ||||
-rw-r--r-- | src/providers/krb5/krb5_renew_tgt.c | 38 |
4 files changed, 49 insertions, 34 deletions
diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c
index afa3a89d..25612807 100644
--- a/src/providers/krb5/krb5_access.c
+++ b/src/providers/krb5/krb5_access.c
@@ -25,6 +25,7 @@
 #include "util/util.h"
 #include "providers/krb5/krb5_auth.h"
 #include "providers/krb5/krb5_common.h"
+#include "providers/krb5/krb5_utils.h"
 struct krb5_access_state {
 struct tevent_context *ev;
@@ -101,15 +102,12 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
 goto done;
 break;
 case 1:
- state->kr->upn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_UPN,
- NULL);
- if (state->kr->upn == NULL) {
- ret = krb5_get_simple_upn(state, krb5_ctx, pd->user,
- &state->kr->upn);
- if (ret != EOK) {
- DEBUG(1, ("krb5_get_simple_upn failed.\n"));
- goto done;
- }
+ ret = find_or_guess_upn(state, res->msgs[0], krb5_ctx,
+ be_ctx->domain->name, pd->user, pd->domain,
+ &state->kr->upn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("find_or_guess_upn failed.\n"));
+ goto done;
 }
 state->kr->uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM,
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 98dc8d84..c1f9f14b 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
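Review bot: The failure log added in the `case 1:` branch of krb5_access_send no longer identifies which user the UPN lookup failed for, which matters here because this path feeds the Kerberos-based access check and an operator debugging a denied login only sees "find_or_guess_upn failed." with no subject. The old code had the same weakness, but since the message is being rewritten anyway I would include the principal being resolved: `DEBUG(SSSDBG_OP_FAILURE, ("find_or_guess_upn failed for user [%s].\n", pd->user));`. The same message is introduced in the krb5_auth.c and krb5_renew_tgt.c hunks of this commit and would benefit from the same treatment (in krb5_renew_tgt.c the name is `user_name`). Note also that the `case 1:` branch belongs to a switch whose enclosing function starts before this hunk, and that the prototype for find_or_guess_upn is presumably supplied by the `krb5_utils.h` include added in the first hunk.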
@@ -420,20 +420,19 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
 break;
 case 1:
- kr->upn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_UPN, NULL);
- if (kr->upn == NULL) {
- ret = krb5_get_simple_upn(state, krb5_ctx, pd->user, &kr->upn);
- if (ret != EOK) {
- DEBUG(1, ("krb5_get_simple_upn failed.\n"));
- goto done;
- }
- } else {
- ret = compare_principal_realm(kr->upn, realm,
- &kr->upn_from_different_realm);
- if (ret != 0) {
- DEBUG(SSSDBG_OP_FAILURE, ("compare_principal_realm failed.\n"));
- goto done;
- }
+ ret = find_or_guess_upn(state, res->msgs[0], krb5_ctx,
+ be_ctx->domain->name, pd->user, pd->domain,
+ &kr->upn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("find_or_guess_upn failed.\n"));
+ goto done;
+ }
+
+ ret = compare_principal_realm(kr->upn, realm,
+ &kr->upn_from_different_realm);
+ if (ret != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, ("compare_principal_realm failed.\n"));
+ goto done;
 }
 kr->homedir = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_HOMEDIR,
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index bf49f7cf..9133472a 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -45,7 +45,7 @@ struct krb5child_req {
 const char *ccname;
 const char *old_ccname;
 const char *homedir;
- const char *upn;
+ char *upn;
 uid_t uid;
 gid_t gid;
 bool is_offline;
diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c
index 217e03d3..ccb7e6af 100644
--- a/src/providers/krb5/krb5_renew_tgt.c
+++ b/src/providers/krb5/krb5_renew_tgt.c
@@ -381,9 +381,11 @@ static errno_t check_ccache_files(struct renew_tgt_ctx *renew_tgt_ctx)
 struct ldb_message **msgs = NULL;
 size_t c;
 const char *ccache_file;
- const char *upn;
+ char *upn;
 const char *user_name;
 struct ldb_dn *base_dn;
+ const struct ldb_val *user_dom_val;
+ char *user_dom;
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
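Review bot: The two new error checks in the `case 1:` branch of krb5_auth_send test the same errno_t-style result in two different spellings, `if (ret != EOK)` after find_or_guess_upn and `if (ret != 0)` after compare_principal_realm; the second was carried over from the removed code, but now that they sit side by side the inconsistency reads as if the two calls had different return conventions. I would write `if (ret != EOK) {` for both. Behaviourally, compare_principal_realm now also runs on a UPN that find_or_guess_upn had to guess rather than read from sysdb, where the old code only compared a stored UPN; that looks intentional (a guessed UPN should carry the local realm, so `upn_from_different_realm` stays false), but a one-line comment above the call saying so would spare the next reader the archaeology. The switch and the enclosing function start before this hunk.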
@@ -421,15 +423,31 @@ static errno_t check_ccache_files(struct renew_tgt_ctx *renew_tgt_ctx)
 continue;
 }
- upn = ldb_msg_find_attr_as_string(msgs[c], SYSDB_UPN, NULL);
- if (upn == NULL) {
- ret = krb5_get_simple_upn(tmp_ctx, renew_tgt_ctx->krb5_ctx,
- user_name, &upn);
- if (ret != EOK) {
- DEBUG(1, ("krb5_get_simple_upn failed.\n"));
- continue;
- }
- DEBUG(9, ("No upn stored in cache, using [%s].\n", upn));
+ /* The DNs of users in sysdb ends with ...,cn=domain.name,cn=sysdb, so
+ * the value of the component before the last (index 1) is the domain
+ * name. */
+
+ user_dom_val = ldb_dn_get_component_val(msgs[c]->dn, 1);
+ if (user_dom_val == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Invalid user DN [%s].\n",
+ ldb_dn_get_linearized(msgs[c]->dn)));
+ ret = EINVAL;
+ goto done;
+ }
+ user_dom = talloc_strndup(tmp_ctx, (char *) user_dom_val->data,
+ user_dom_val->length);
+ if (user_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_strndup failed,\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = find_or_guess_upn(tmp_ctx, msgs[c], renew_tgt_ctx->krb5_ctx,
+ renew_tgt_ctx->be_ctx->domain->name,
+ user_name, user_dom, &upn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("find_or_guess_upn failed.\n"));
+ goto done;
 }
 ccache_file = ldb_msg_find_attr_as_string(msgs[c], SYSDB_CCACHE_FILE, |
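Review bot: The per-entry failure handling in check_ccache_files changes from `continue` to `goto done`: the removed code skipped a cached user whose UPN could not be determined and kept scanning, whereas the new `Invalid user DN` and `find_or_guess_upn failed` branches abort the whole loop, so a single malformed or stale sysdb entry now stops TGT renewal for every other user in the cache. For those two branches I would keep the old best-effort semantics, `continue;` instead of `ret = EINVAL; goto done;` and `goto done;`, and reserve the abort for the ENOMEM case where continuing makes no sense. Separately, the comment describes the domain as "the component before the last", but `ldb_dn_get_component_val(msgs[c]->dn, 1)` is a fixed index counted from the leftmost RDN as far as I know, which only equals "before the last" for a three-component DN; if user DNs have more components (e.g. a `cn=users` container) this would pick the wrong value, so please confirm the indexing or derive it from `ldb_dn_get_comp_num()`. The log string `"talloc_strndup failed,\n"` also ends with a comma where the sibling messages end with a period. The loop and the enclosing function continue outside the hunk.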