rpms/sssd
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
640e44ca24
sssd/0079-KRB5-Fixing-FQ-name-of-user-in-krb5_setup.patch
Lukas Slebodnik 640e44ca24 Fix regression with krb5_map_user 
- Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore
- Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError:
                           default if nonexistent domain is mentioned
2016-09-22 22:28:47 +02:00

203 lines
9.2 KiB
Diff
Raw Blame History

From 6f97e6da7389e541f74855c702f8dafa02bbee67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Wed, 14 Sep 2016 09:00:06 -0400
Subject: [PATCH 79/79] KRB5: Fixing FQ name of user in krb5_setup()
This patch fixes creation of FQ username if krb5_map_user option
ise used.
Resolves:
https://fedorahosted.org/sssd/ticket/3188
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b34ffbf33729c557c3d1aebf4707ad0ffe4f1904)
---
src/providers/krb5/krb5_auth.c | 8 +++++++-
src/providers/krb5/krb5_init_shared.c | 1 +
src/providers/krb5/krb5_utils.c | 26 +++++++++++++++++++++++++-
src/providers/krb5/krb5_utils.h | 4 +++-
src/tests/krb5_utils-tests.c | 33 ++++++++++++++++++++-------------
5 files changed, 56 insertions(+), 16 deletions(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f0f2280022a3ee951ccfa0040b616c48c3b25706..a5ecb24323d3d413bc08f100b90195d3619172d3 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -207,7 +207,13 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx,
if (ret == EOK) {
DEBUG(SSSDBG_TRACE_FUNC, "Setting mapped name to: %s\n", mapped_name);
kr->user = mapped_name;
- kr->kuserok_user = mapped_name;
+
+ kr->kuserok_user = sss_output_name(kr, kr->user,
+ dom->case_sensitive, 0);
+ if (kr->kuserok_user == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
} else if (ret == ENOENT) {
DEBUG(SSSDBG_TRACE_ALL, "No mapping for: %s\n", pd->user);
kr->user = pd->user;
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
index 767291c0b953ea3f227f64a7e21f191262424cf5..c8fd8593a8b6d304fe314254c940351fa5ee12f3 100644
--- a/src/providers/krb5/krb5_init_shared.c
+++ b/src/providers/krb5/krb5_init_shared.c
@@ -94,6 +94,7 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
ret = parse_krb5_map_user(krb5_auth_ctx,
dp_opt_get_cstring(krb5_auth_ctx->opts,
KRB5_MAP_USER),
+ bectx->domain->name,
&krb5_auth_ctx->name_to_primary);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "parse_krb5_map_user failed: %s:[%d]\n",
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 0ac60daee533ea1264bc55d0d65054ed38b3a092..e968dfa5fe50c43c51e624507261ae2c8263b67d 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -521,7 +521,9 @@ done:
}
errno_t
-parse_krb5_map_user(TALLOC_CTX *mem_ctx, const char *krb5_map_user,
+parse_krb5_map_user(TALLOC_CTX *mem_ctx,
+ const char *krb5_map_user,
+ const char *dom_name,
struct map_id_name_to_krb_primary **_name_to_primary)
{
int size;
@@ -570,6 +572,28 @@ parse_krb5_map_user(TALLOC_CTX *mem_ctx, const char *krb5_map_user,
}
}
+ /* conversion names to fully-qualified names */
+ for (int i = 0; i < size; i++) {
+ name_to_primary[i].id_name = sss_create_internal_fqname(
+ name_to_primary,
+ name_to_primary[i].id_name,
+ dom_name);
+ if (name_to_primary[i].id_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ name_to_primary[i].krb_primary = sss_create_internal_fqname(
+ name_to_primary,
+ name_to_primary[i].krb_primary,
+ dom_name);
+ if (name_to_primary[i].krb_primary == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
ret = EOK;
done:
diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
index 75b93c30ef5be5d16f2ce73f44abef674c6e98ff..3051a99445054638d04fbee34415e9cf3d226588 100644
--- a/src/providers/krb5/krb5_utils.h
+++ b/src/providers/krb5/krb5_utils.h
@@ -51,7 +51,9 @@ errno_t get_domain_or_subdomain(struct be_ctx *be_ctx,
struct sss_domain_info **dom);
errno_t
-parse_krb5_map_user(TALLOC_CTX *mem_ctx, const char *krb5_map_user,
+parse_krb5_map_user(TALLOC_CTX *mem_ctx,
+ const char *krb5_map_user,
+ const char *dom_name,
struct map_id_name_to_krb_primary **_name_to_primary);
#endif /* __KRB5_UTILS_H__ */
diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c
index 515a1941509c13ca4ad8d9953687f9047da29426..36bd0324475e161e627006de0ddcbc775f8a749b 100644
--- a/src/tests/krb5_utils-tests.c
+++ b/src/tests/krb5_utils-tests.c
@@ -614,25 +614,25 @@ START_TEST(test_parse_krb5_map_user)
/* empty input */
{
check_leaks_push(mem_ctx);
- ret = parse_krb5_map_user(mem_ctx, NULL, &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, NULL, DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
fail_unless(name_to_primary[0].id_name == NULL &&
name_to_primary[0].krb_primary == NULL);
talloc_free(name_to_primary);
- ret = parse_krb5_map_user(mem_ctx, "", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, "", DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
fail_unless(name_to_primary[0].id_name == NULL &&
name_to_primary[0].krb_primary == NULL);
talloc_free(name_to_primary);
- ret = parse_krb5_map_user(mem_ctx, ",", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ",", DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
fail_unless(name_to_primary[0].id_name == NULL &&
name_to_primary[0].krb_primary == NULL);
talloc_free(name_to_primary);
- ret = parse_krb5_map_user(mem_ctx, ",,", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ",,", DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
fail_unless(name_to_primary[0].id_name == NULL &&
name_to_primary[0].krb_primary == NULL);
@@ -645,14 +645,16 @@ START_TEST(test_parse_krb5_map_user)
check_leaks_push(mem_ctx);
const char *p = "pája:preichl,joe:juser,jdoe:ßlack";
const char *p2 = " pája : preichl , joe:\njuser,jdoe\t: ßlack ";
- const char *expected[] = {"pája", "preichl", "joe", "juser", "jdoe", "ßlack"};
- ret = parse_krb5_map_user(mem_ctx, p, &name_to_primary);
+ const char *expected[] = { "pája@testdomain", "preichl@" DOMAIN_NAME,
+ "joe@testdomain", "juser@testdomain",
+ "jdoe@testdomain", "ßlack@testdomain" };
+ ret = parse_krb5_map_user(mem_ctx, p, DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
compare_map_id_name_to_krb_primary(name_to_primary, expected,
sizeof(expected)/sizeof(const char*)/2);
talloc_free(name_to_primary);
- ret = parse_krb5_map_user(mem_ctx, p2, &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, p2, DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
compare_map_id_name_to_krb_primary(name_to_primary, expected,
sizeof(expected)/sizeof(const char*)/2);
@@ -663,22 +665,27 @@ START_TEST(test_parse_krb5_map_user)
{
check_leaks_push(mem_ctx);
- ret = parse_krb5_map_user(mem_ctx, ":", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ":", DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, "joe:", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, "joe:", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, ":joe", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ":joe", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, "joe:,", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, "joe:,", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, ",joe", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ",joe", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, "joe:j:user", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, "joe:j:user", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
fail_unless(check_leaks_pop(mem_ctx));
--
2.9.3
Reference in New Issue View Git Blame Copy Permalink