From 45e322191c7aa9390798b64ccb158ee800489945 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 13 Jun 2017 12:26:51 +0200 Subject: [PATCH 84/93] IPA: Only attempt migration for the joined domain MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After the recent changes in commit a5e134b22aa27ff6cd66a7ff47089788ebc098a1 to fix ticket #3394, the PAM_CRED_ERR error would try to start migration for any account. Further down the request, a sysdb search would try to find the user in the joined domain only because the migration code presumes the user is in the IPA domain which would error out and return System Error to the PAM client. This patch changes the migration somewhat to only attempt the migration for IPA users. Reviewed-by: Pavel Březina --- src/providers/ipa/ipa_auth.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c index 80a9987277d7a298f703a8efb584ca428b67c94f..ef89c7177f2250547beb785d8cec836f893b039a 100644 --- a/src/providers/ipa/ipa_auth.c +++ b/src/providers/ipa/ipa_auth.c @@ -172,6 +172,7 @@ struct ipa_pam_auth_handler_state { struct ipa_auth_ctx *auth_ctx; struct be_ctx *be_ctx; struct pam_data *pd; + struct sss_domain_info *dom; }; static void ipa_pam_auth_handler_krb5_done(struct tevent_req *subreq); @@ -201,6 +202,14 @@ ipa_pam_auth_handler_send(TALLOC_CTX *mem_ctx, state->ev = params->ev; state->auth_ctx = auth_ctx; state->be_ctx = params->be_ctx; + state->dom = find_domain_by_name(state->be_ctx->domain, + state->pd->domain, + true); + if (state->dom == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Uknown domain %s\n", state->pd->domain); + pd->pam_status = PAM_SYSTEM_ERR; + goto immediately; + } pd->pam_status = PAM_SYSTEM_ERR; 
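Review bot: The new `dom` member of `struct ipa_pam_auth_handler_state` has no comment saying who owns the pointer. Going by the second hunk, it is filled from find_domain_by_name() on the backend's domain list and read again in ipa_pam_auth_handler_krb5_done(), after the asynchronous krb5 subrequest has finished. It therefore has to stay valid for the whole request, and nothing visible here shows whether a domain entry can be released in the meantime. A comment such as `/* domain of the user being authenticated; points into be_ctx's domain list, not owned by this state */` would record that assumption. The struct definition starts outside the hunk.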
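Review bot: The debug message in the added NULL branch is misspelled (`Uknown`), so searching the logs for "Unknown domain" will miss this failure; it should read `DEBUG(SSSDBG_CRIT_FAILURE, "Unknown domain %s\n", state->pd->domain);`. The same branch reads `state->pd->domain` but writes `pd->pam_status`; the assignment that ties the two together is outside the hunk, so presumably they are the same object, and using `pd` throughout would make that obvious. The bare `true` passed to find_domain_by_name() decides how the domain name from the PAM request is matched, and deserves a short comment naming the parameter, e.g. `/* match_any: also accept the flat name */`; that is from memory of the prototype, which is not on this page, so confirm it first. ipa_pam_auth_handler_send() begins and ends outside the hunk.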
@@ -248,7 +257,8 @@ static void ipa_pam_auth_handler_krb5_done(struct tevent_req *subreq) } if (state->pd->cmd == SSS_PAM_AUTHENTICATE - && state->pd->pam_status == PAM_CRED_ERR) { + && state->pd->pam_status == PAM_CRED_ERR + && !IS_SUBDOMAIN(state->dom)) { realm = dp_opt_get_string(state->auth_ctx->ipa_options, IPA_KRB5_REALM); subreq = get_password_migration_flag_send(state, state->ev, state->auth_ctx->sdap_id_ctx, -- 2.14.1
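Review bot: The added `&& !IS_SUBDOMAIN(state->dom)` term carries no comment, so without the commit message a reader cannot tell why a PAM_CRED_ERR for a subdomain user must not reach get_password_migration_flag_send(). Per the description, the migration code presumes the user lives in the joined IPA domain, and this condition is what keeps other domains' accounts out of that path. I would put that above the `if`, e.g. `/* Password migration only applies to users of the joined IPA domain, not to subdomain users */`. The hunk does not show what status a subdomain user ends up with once the branch is skipped, so it is worth confirming that PAM_CRED_ERR is passed on to the PAM client unchanged. ipa_pam_auth_handler_krb5_done() begins and ends outside the hunk.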