From 3381d9736b698d6111d10e219a0b5b898a4c757c Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Jul 29 2016 12:45:08 +0000
Subject: PAM: continue with UPN/email search if name was not found
Currently we only search for UPNs if the domain part of the name was not know, with Kerberos aliases and email addresses we have to do this even if the domain name is a know domain.
Reviewed-by: Jakub Hrozek
---
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 3a35c3f..1c759f0 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -924,6 +924,39 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
 static int pam_check_user_search(struct pam_auth_req *preq);
 static int pam_check_user_done(struct pam_auth_req *preq, int ret);
 
+static errno_t pam_cmd_assume_upn(struct pam_auth_req *preq)
+{
+ int ret;
+
+ if (!preq->pd->name_is_upn
+ && preq->pd->logon_name != NULL
+ && strchr(preq->pd->logon_name, '@') != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "No entry found so far, trying UPN/email lookup with [%s].\n",
+ preq->pd->logon_name);
+ /* Assuming Kerberos principal */
+ preq->domain = preq->cctx->rctx->domains;
+ preq->check_provider =
+ NEED_CHECK_PROVIDER(preq->domain->provider);
+ preq->pd->user = talloc_strdup(preq->pd, preq->pd->logon_name);
+ if (preq->pd->user == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ return ENOMEM;
+ }
+ preq->pd->name_is_upn = true;
+ preq->pd->domain = NULL;
+
+ ret = pam_check_user_search(preq);
+ if (ret == EOK) {
+ pam_dom_forwarder(preq);
+ }
+ return EOK;
+ }
+
+ return ENOENT;
+}
+
+
 /* TODO: we should probably return some sort of cookie that is set in the
 * PAM_ENVIRONMENT, so that we can save performing some calls and cache
 * data. */
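Review bot: pam_cmd_assume_upn discards the result of pam_check_user_search: `ret` is compared only with EOK and the function then returns EOK unconditionally, so all three callers hand EOK to pam_check_user_done even when the UPN/email lookup itself failed. If pam_check_user_search can return ENOENT or another error at this point (its body is outside this hunk), that error is no longer propagated and the request may end up without a reply; `return ret;` in place of `return EOK;` would keep the callers' existing error path intact. `preq->domain = preq->cctx->rctx->domains;` is then dereferenced for `->provider` with no NULL check, so if the responder can run with an empty domain list this needs a guard before it. Since the retry now runs for any not-found name containing '@', including one whose domain part was known, a short header comment such as `/* Retry the lookup treating logon_name as a UPN/email address, restarting from the first configured domain; returns ENOENT when the name is not a candidate, ENOMEM on allocation failure. */` would document the contract the callers rely on.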
@@ -1220,6 +1253,8 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
 ret = pam_check_user_search(preq);
 if (ret == EOK) {
 pam_dom_forwarder(preq);
+ } else if (ret == ENOENT) {
+ ret = pam_cmd_assume_upn(preq);
 }
 
 done:
@@ -1417,6 +1452,8 @@ static void pam_forwarder_cb(struct tevent_req *req)
 ret = pam_check_user_search(preq);
 if (ret == EOK) {
 pam_dom_forwarder(preq);
+ } else if (ret == ENOENT) {
+ ret = pam_cmd_assume_upn(preq);
 }
 
 done:
@@ -1694,6 +1731,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
 }
 
 pam_dom_forwarder(preq);
+ } else if (ret == ENOENT) {
+ ret = pam_cmd_assume_upn(preq);
 }
 
 ret = pam_check_user_done(preq, ret);