Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/data_provider_be.c11
-rw-r--r--src/providers/ipa/ipa_s2n_exop.c54
2 files changed, 61 insertions, 4 deletions
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 685c666a..f4ad8536 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -2188,6 +2188,17 @@ int be_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
+ /* We need this for subdomains support, as they have to store fully
+ * qualified user and group names for now */
+ ret = sss_names_init(ctx->domain, cdb,
+ ctx->domain->name, &ctx->domain->names);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("fatal error setting fully qualified name format for %s\n",
+ ctx->domain->name));
+ goto fail;
+ }
+
ret = be_srv_init(ctx);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, ("fatal error setting up server bus\n"));
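Review bot: The comment introducing the new sss_names_init() call should say what the result is consumed for, because ipa_s2n_exop.c in this same commit passes `ctx->domain->names->fq_fmt` straight to talloc_asprintf() as a printf-style format with exactly two string arguments, so a format that is acceptable for name parsing is not automatically safe for formatting. Suggested comment in place of the two added lines: `/* Initialise the name parsing/formatting tables for this domain. Providers use names->fq_fmt as a printf-style format with (name, domain) arguments, so it must contain exactly two %s conversions. */`. Whether sss_names_init() validates the conversion count is not visible here; if it does not, this is the place to reject a bad full-name format at startup rather than at lookup time. be_process_init() begins and ends outside the hunk.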
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 1a81c860..8fc22819 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -591,6 +591,9 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
uint64_t timeout = 10*60*60; /* FIXME: find a better timeout ! */
const char *homedir = NULL;
struct sysdb_attrs *user_attrs = NULL;
+ char *name;
+ char *realm;
+ char *upn;
ret = ipa_s2n_exop_recv(subreq, state, &result, &retoid, &retdata);
talloc_zfree(subreq);
@@ -640,21 +643,64 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
goto done;
}
- ret = sysdb_attrs_add_string(user_attrs, SYSDB_NAME_ALIAS,
- attrs->a.user.pw_name);
+ /* we always use the fully qualified name for subdomain users */
+ name = talloc_asprintf(state, state->dom->names->fq_fmt,
+ attrs->a.user.pw_name, state->dom->name);
+ if (!name) {
+ DEBUG(SSSDBG_OP_FAILURE, ("failed to format user name.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_NAME_ALIAS, name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
+ goto done;
+ }
+
+ /* We also have to store a fake UPN here, because otherwise the
+ * krb5 child later won't be able to properly construct one as
+ * the username is fully qualified but the child doesn't have
+ * access to the regex to deconstruct it */
+ /* FIXME: The real UPN is available from the PAC, we should get
+ * it from there. */
+ realm = get_uppercase_realm(state, state->dom->name);
+ if (!realm) {
+ DEBUG(SSSDBG_OP_FAILURE, ("failed to get realm.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+ upn = talloc_asprintf(state, "%s@%s",
+ attrs->a.user.pw_name, realm);
+ if (!upn) {
+ DEBUG(SSSDBG_OP_FAILURE, ("failed to format UPN.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_UPN, upn);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
goto done;
}
- ret = sysdb_store_domuser(state->dom, attrs->a.user.pw_name, NULL,
+ ret = sysdb_store_domuser(state->dom, name, NULL,
attrs->a.user.pw_uid,
0, NULL, /* gecos */
homedir, NULL,
user_attrs, NULL, timeout, now);
break;
case RESP_GROUP:
- ret = sysdb_store_domgroup(state->dom, attrs->a.group.gr_name,
+ /* we always use the fully qualified name for subdomain users */
+ name = talloc_asprintf(state, state->dom->names->fq_fmt,
+ attrs->a.group.gr_name, state->dom->name);
+ if (!name) {
+ DEBUG(SSSDBG_OP_FAILURE, ("failed to format user name,\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_store_domgroup(state->dom, name,
attrs->a.group.gr_gid, NULL, timeout,
now);
break;
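Review bot: `state->dom->names->fq_fmt` is used as the format argument to talloc_asprintf() with a fixed argument list of (name, domain), in the user case and again in the RESP_GROUP case; the format originates in domain configuration, so a value with a different number of conversions or a non-%s conversion would read past the supplied arguments, which is undefined behaviour — unless sss_names_init() already rejects such formats, that validation should be added there or the two conversions checked before the call here. The RESP_GROUP error text is a copy of the user one, `DEBUG(SSSDBG_OP_FAILURE, ("failed to format user name,\n"));` should read `DEBUG(SSSDBG_OP_FAILURE, ("failed to format group name.\n"));`, and the comment above it should say "subdomain groups" rather than "subdomain users". The fabricated UPN built from the upper-cased domain name is stored under SYSDB_UPN like a real one; the FIXME already records that the PAC is the authoritative source, but the comment would be more useful if it also said that consumers must not treat this value as a verified principal. ipa_s2n_get_user_done() continues outside the hunk on both sides.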