URL: https://github.com/SSSD/sssd/pull/514
Author: jhrozek
 Title: #514: Backport several UPN related patches to sssd-1-13
Action: opened

PR body:
"""
There are several patches that were applied to master, but never to sssd-1-13. 
The patches are needed to enable UPN logins in both direct join and trust-based 
setup.

The patches were already tested by one affected RHEL customer, so I'm quite 
certain they work. It would be nice to run CI and Coverity to make sure we 
don't introduce any regressions.

I did some basic sanity testing when backporting the fixes, but if you want to 
test the patches, first create a user with an 'enterprise principal', see e.g. 
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772007(v=ws.11)
 then create a UPN that is different from the realm name. Restart SSSD to make
sure the subdomains are refreshed. With a trust setup, you might also need to
run 'ipa trustdomain-fetch' to make sure the suffix shows up.

Then, login using the UPN as the username.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/514/head:pr514
git checkout pr514
From 30949ccf1d41b31c4a91445c5b78a494eb84e501 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Thu, 25 Jan 2018 17:25:50 +0100
Subject: [PATCH 1/3] Make get_object_from_cache() aware of UPN searches

---
 src/providers/ipa/ipa_subdomains_id.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 0956046d7..223dbec15 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -1000,11 +1000,19 @@ errno_t get_object_from_cache(TALLOC_CTX *mem_ctx,
         case BE_REQ_INITGROUPS:
         case BE_REQ_USER:
         case BE_REQ_USER_AND_GROUP:
-            ret = sysdb_search_user_by_name(mem_ctx, dom, name, attrs, &msg);
-            if (ret == ENOENT && (ar->entry_type & BE_REQ_TYPE_MASK)
+            if (ar->extra_value
+                    && strcmp(ar->extra_value, EXTRA_NAME_IS_UPN) == 0) {
+                ret = sysdb_search_user_by_upn(mem_ctx, dom, name,
+                                               attrs, &msg);
+            } else {
+                ret = sysdb_search_user_by_name(mem_ctx, dom, name,
+                                                attrs, &msg);
+                if (ret == ENOENT && (ar->entry_type & BE_REQ_TYPE_MASK)
                                                      == BE_REQ_USER_AND_GROUP) {
-                ret = sysdb_search_group_by_name(mem_ctx, dom, name,
-                                                 attrs, &msg);
+                    ret = sysdb_search_group_by_name(mem_ctx, dom,
+                                                     name, attrs,
+                                                     &msg);
+                }
             }
             break;
         default:
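Review bot: The new UPN branch hands back an entry without recording which domain it came from, while get_object_from_cache() is still called with a specific `dom`; the message of the second patch in this series says sysdb_search_user_by_upn() searches the whole cache, so a match can presumably live in a domain other than `dom` and a caller that attributes the result to `dom` would act on the wrong domain. A comment above the `if`, such as `/* UPN searches span the whole cache; the entry may belong to a domain other than dom */`, would at least warn callers, and it may be worth re-deriving the owning domain from SYSDB_NAME here the way the responder does. Note also that a BE_REQ_USER_AND_GROUP request carrying EXTRA_NAME_IS_UPN now skips the group fallback, which looks intentional since a UPN names a user, but deserves a word in that comment. The enclosing switch and function start and end outside the hunk.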

From 855fa6187314b5f56f69658f1f4faa81820a3011 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Wed, 29 Jun 2016 14:02:02 +0200
Subject: [PATCH 2/3] NSS: Fix domain for UPN based lookups

Since sysdb_search_user_by_upn() searches the whole cache we have to set
the domain so that it matches the result.

Reviewed-by: Jakub Hrozek <jhro...@redhat.com>
(cherry picked from commit f426a8b81a871188348b41aa52803a05bc3a02de)
---
 src/responder/nss/nsssrv_cmd.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 61e961efc..3ea43169f 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -975,6 +975,7 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
     struct ldb_message *msg;
     const char *extra_flag = NULL;
     char *neg_cache_name;
+    const char *sysdb_name;
 
     nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
 
@@ -1077,6 +1078,23 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
                 }
 
                 dctx->res->msgs[0] = talloc_steal(dctx->res->msgs, msg);
+
+                /* Since sysdb_search_user_by_upn() searches the whole cache we
+                 * have to set the domain so that it matches the result. */
+                sysdb_name = ldb_msg_find_attr_as_string(dctx->res->msgs[0],
+                                                         SYSDB_NAME, NULL);
+                if (sysdb_name == NULL) {
+                    DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n");
+                    return EINVAL;
+                }
+                dctx->domain = find_domain_by_object_name(get_domains_head(dom),
+                                                          sysdb_name);
+                if (dctx->domain == NULL) {
+                    DEBUG(SSSDBG_CRIT_FAILURE,
+                          "Cannot find matching domain for [%s].\n",
+                          sysdb_name);
+                    return EINVAL;
+                }
             }
         } else {
             ret = sysdb_getpwnam_with_views(cmdctx, dom, name, &dctx->res);
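Review bot: The domain-resolution block added here (read SYSDB_NAME, find_domain_by_object_name(), return EINVAL with the same DEBUG text on a miss) is repeated almost verbatim in the initgroups hunk of this same patch, so the two copies are likely to drift; a small static helper along the lines of `nss_set_domain_from_upn_result(struct nss_dom_ctx *dctx, struct sss_domain_info *dom, const char *sysdb_name)` called from both sites would keep the rule in one place. Separately, `dctx->domain` is reassigned but the local `dom` keeps pointing at the domain that was searched; the rest of the function is outside the hunk, so it is worth confirming that nothing after this branch (views handling, negative-cache naming) still keys on `dom`. nss_cmd_getpwnam_search() starts and ends outside the hunk.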
@@ -4406,6 +4424,17 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
                     return EINVAL;
                 }
 
+                /* Since sysdb_search_user_by_upn() searches the whole cache we
+                 * have to set the domain so that it matches the result. */
+                dctx->domain = find_domain_by_object_name(get_domains_head(dom),
+                                                          sysdb_name);
+                if (dctx->domain == NULL) {
+                    DEBUG(SSSDBG_CRIT_FAILURE,
+                          "Cannot find matching domain for [%s].\n",
+                          sysdb_name);
+                    return EINVAL;
+                }
+
                 ret = sysdb_initgroups(cmdctx, dom, sysdb_name, &dctx->res);
                 if (ret == EOK && DOM_HAS_VIEWS(dom)) {
                     for (c = 0; c < dctx->res->count; c++) {
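Review bot: After `dctx->domain` is set to the domain that actually owns the UPN match, the unchanged call `ret = sysdb_initgroups(cmdctx, dom, sysdb_name, &dctx->res);` and the following `DOM_HAS_VIEWS(dom)` still use the domain that was searched rather than the one that matched; when the two differ, the initgroups lookup is presumably performed against the wrong domain. If that is not intended, the two lines should read `ret = sysdb_initgroups(cmdctx, dctx->domain, sysdb_name, &dctx->res);` and `if (ret == EOK && DOM_HAS_VIEWS(dctx->domain)) {`. The enclosing loop and nss_cmd_initgroups_search() continue outside the hunk.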

From 7b138d35ba62a42e2556f01b9cb715304d6bcfd9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Thu, 25 Jan 2018 20:14:11 +0100
Subject: [PATCH 3/3] Fix iterating to next domain for initgroup lookups

---
 src/responder/nss/nsssrv_cmd.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 3ea43169f..d9e08aedb 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -4383,7 +4383,11 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
                    name, dom->name);
             /* if a multidomain search, try with next */
             if (cmdctx->check_next) {
-                dom = get_next_domain(dom, 0);
+                if (cmdctx->name_is_upn) {
+                    dom = get_next_domain(dom, SSS_GND_DESCEND);
+                } else {
+                    dom = get_next_domain(dom, 0);
+                }
                 continue;
             }
             /* There are no further domains or this was a
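Review bot: The `if (cmdctx->name_is_upn) ... else ...` selection of the get_next_domain() flags is written out twice in this function (here and in the second hunk of this patch), so a reader must check that both copies agree; computing the flag once near the top of nss_cmd_initgroups_search(), e.g. `uint32_t gnd_flags = cmdctx->name_is_upn ? SSS_GND_DESCEND : 0;`, and calling `dom = get_next_domain(dom, gnd_flags);` at both sites would make the single rule explicit. A short comment explaining why a UPN lookup must descend into subdomains, e.g. `/* A UPN suffix may belong to a trusted subdomain, so descend into them */`, would also help, since the commit message gives no rationale. The enclosing loop and function start and end outside the hunk.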
@@ -4468,10 +4472,15 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
 
             /* if a multidomain search, try with next */
             if (cmdctx->check_next) {
-                dom = get_next_domain(dom, 0);
+                if (cmdctx->name_is_upn) {
+                    dom = get_next_domain(dom, SSS_GND_DESCEND);
+                } else {
+                    dom = get_next_domain(dom, 0);
+                }
                 if (dom) continue;
             }
 
+
             DEBUG(SSSDBG_OP_FAILURE, "No results for initgroups call\n");
 
             return ENOENT;
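Review bot: The blank line added just before `DEBUG(SSSDBG_OP_FAILURE, "No results for initgroups call\n");` leaves two consecutive empty lines and is unrelated to the flag change; dropping it keeps the hunk limited to the get_next_domain() fix. The enclosing loop and function continue outside the hunk.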