From 2f5aca39b5b473259cd43e6b93246ff218a2b177 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mar 14 2019 21:04:19 +0000 Subject: NEGCACHE: initialize UPN negative cache as well UPNs are handled separately in the negative cache. To properly filter user names even in the case of the fallback to a UPN lookup the negative cahe for UPNs has to be initialized with the names from the filter_user option as well. If the name from the option is a short name it will be added to the negative UPN cache for each domain with the respective domain name. If the name from the option is fully-qualified it will be added as is to the negative UPN cache for each domain. Related to https://pagure.io/SSSD/sssd/issue/3978 Reviewed-by: Jakub Hrozek --- diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index bea25c6..b225cd0 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -849,7 +849,8 @@ from the sss NSS database. This is particularly useful for system accounts. This option can also be set per-domain or include fully-qualified names - to filter only users from the particular domain. + to filter only users from the particular domain or + by a user principal name (UPN). NOTE: The filter_groups option doesn't affect diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c index c5c4317..ca3b062 100644 --- a/src/responder/common/negcache.c +++ b/src/responder/common/negcache.c 
@@ -974,10 +974,16 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, } if (domainname && strcmp(domainname, dom->name)) { - DEBUG(SSSDBG_CRIT_FAILURE, + DEBUG(SSSDBG_TRACE_FUNC, "Mismatch between domain name (%s) and name " - "set in FQN (%s), skipping user %s\n", - dom->name, domainname, name); + "set in FQN (%s), assuming %s is UPN\n", + dom->name, domainname, filter_list[i]); + ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_ncache_set_upn failed (%d [%s]), ignored\n", + ret, sss_strerror(ret)); + } continue; } @@ -986,13 +992,19 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, continue; } + ret = sss_ncache_set_upn(ncache, true, dom, fqname); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_ncache_set_upn failed (%d [%s]), ignored\n", + ret, sss_strerror(ret)); + } ret = sss_ncache_set_user(ncache, true, dom, fqname); talloc_zfree(fqname); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to store permanent user filter for [%s]" " (%d [%s])\n", filter_list[i], - ret, strerror(ret)); + ret, sss_strerror(ret)); continue; } } @@ -1023,7 +1035,18 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, dom = responder_get_domain(rctx, domainname); if (!dom) { DEBUG(SSSDBG_CRIT_FAILURE, - "Invalid domain name [%s]\n", domainname); + "Unknown domain name [%s], assuming [%s] is UPN\n", + domainname, filter_list[i]); + for (dom = domain_list; + dom != NULL; + dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) { + ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_ncache_set_upn failed (%d [%s]), ignored\n", + ret, sss_strerror(ret)); + } + } continue; } 
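Review bot: Lowering the domain-mismatch message from SSSDBG_CRIT_FAILURE to SSSDBG_TRACE_FUNC means a mistyped domain suffix in a per-domain filter_users entry (say `root@exmaple.com`) no longer produces any visible warning; the entry is quietly cached as a UPN that may never match, and the user filter the admin intended for that domain is not applied. Since filter_users is a security control (the man page change in this commit describes it as excluding users from the sss NSS database), a silent downgrade of the filter deserves at least a configuration-level message, and the same "assume UPN" fallback in the third hunk of this file still logs at CRIT_FAILURE, so the two paths should agree. I would change `DEBUG(SSSDBG_TRACE_FUNC,` to `DEBUG(SSSDBG_CONF_SETTINGS,` and keep the wording. The enclosing sss_ncache_prepopulate() starts before and ends after this hunk.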
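Review bot: In the new sss_ncache_set_upn() call before sss_ncache_set_user(), a failure is logged at SSSDBG_OP_FAILURE and marked "ignored", while a failure of the adjacent sss_ncache_set_user() for the same fqname is SSSDBG_CRIT_FAILURE. The two calls are the two halves of one filter entry: if only the UPN half fails, the name is still blocked for plain lookups but stays reachable through the UPN fallback lookup this commit sets out to cover, and the admin only sees an OP_FAILURE line. I would log it at the same level and in the same form as the user-cache failure, e.g. `DEBUG(SSSDBG_CRIT_FAILURE, "Failed to store permanent UPN filter for [%s] (%d [%s])\n", filter_list[i], ret, sss_strerror(ret));`; still continuing to sss_ncache_set_user() afterwards is right, so no control-flow change is needed. sss_ncache_prepopulate() extends beyond this hunk on both sides.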
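Review bot: The new fallback in the `if (!dom)` branch treats every fully-qualified entry whose domain responder_get_domain() does not know as a UPN and applies it to all domains, but the log line that announces this is still SSSDBG_CRIT_FAILURE, so a legitimately configured UPN filter (now documented as supported by the man page change) will emit a critical-level message on every start-up. If responder_get_domain() can also return NULL for a trusted subdomain that has not been discovered yet when prepopulate runs — I cannot confirm that from this hunk — a `user@subdomain` entry would then live only in the UPN cache and lookups by fully-qualified name in that subdomain would stay unfiltered; that gap predates this commit, but the new message now asserts a UPN where the admin may have meant a domain. I would log at `SSSDBG_CONF_SETTINGS` and add `/* Domain not known at start-up: treat the entry as a UPN for every domain. */` above the for loop. sss_ncache_prepopulate() continues outside this hunk.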
@@ -1050,6 +1073,15 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, continue; } + ret = sss_ncache_set_upn(ncache, true, dom, fqname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to store permanent upn filter for" + " [%s:%s] (%d [%s])\n", + dom->name, filter_list[i], + ret, strerror(ret)); + } + ret = sss_ncache_set_user(ncache, true, dom, fqname); talloc_zfree(fqname); if (ret != EOK) {
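Review bot: The new sss_ncache_set_upn() error path in this per-domain loop formats the error with `strerror(ret)`, whereas every other hunk in this commit uses `sss_strerror(ret)` and the second hunk even replaces an existing strerror() call with it; if the negative-cache code returns an SSSD-specific error code, plain strerror() would print an unhelpful "Unknown error N" here. Change `ret, strerror(ret));` to `ret, sss_strerror(ret));`. The level and wording ("Failed to store permanent upn filter" at CRIT_FAILURE) also differ from the "sss_ncache_set_upn failed (...), ignored" OP_FAILURE form used for the same call in the earlier hunks; one form for all four call sites would make log-grepping for a broken filter reliable. The loop body and sss_ncache_prepopulate() continue past the end of the hunk.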