From 538321890c4d5f08c8702cfc2c00e57cbd13d334 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Mar 03 2017 16:36:09 +0000
Subject: CACHE_REQ: Only search the given domain when looking up entries by UPN
We were searching UPNs in the whole sysdb, which made cache_req think the result came in from the domain it was searching. The bug manifested when a user from a trusted domain was looked by UPN, then cache_req searched the main domain, the result from subdomain was considered as coming from the main domain and as a result, the getpwnam() output was not qualified. That is a problem, because PAM applications often sanitize the user with getpwnam, so effectively a login with UPN was shortened to just a shortname and failed.
Reviewed-by: Sumit Bose
---
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
index 2453430..40a097b 100644
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
@@ -85,10 +85,10 @@ cache_req_user_by_upn_lookup(TALLOC_CTX *mem_ctx,
 struct ldb_result **_result)
 {
 if (data->attrs == NULL) {
- return sysdb_getpwupn(mem_ctx, domain, false, data->name.lookup, _result);
+ return sysdb_getpwupn(mem_ctx, domain, true, data->name.lookup, _result);
 }
- return sysdb_search_user_by_upn_res(mem_ctx, domain, false,
+ return sysdb_search_user_by_upn_res(mem_ctx, domain, true,
 data->name.lookup, data->attrs, _result);
 }
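Review bot: The fix rests on a bare boolean literal at the two call sites, `sysdb_getpwupn(mem_ctx, domain, true, ...)` and `sysdb_search_user_by_upn_res(mem_ctx, domain, true, ...)`, so the reason the lookup must stay inside `domain` is recoverable only from the commit message and not from the code; a comment above the `if`, such as `/* Search only this domain: a hit from a subdomain would otherwise be attributed to the domain being searched and returned unqualified. */`, would keep the next reader from widening the search again. The third argument is presumably the domain-scope flag of the sysdb UPN helpers; if so, naming that parameter in the comment would make the positional `true` self-explanatory. Since the symptom was an unqualified name for a trusted-domain user reaching PAM, a regression test that looks up a subdomain user by UPN through the parent domain and checks that the returned name is fully qualified would pin the behaviour this commit restores. The signature of cache_req_user_by_upn_lookup begins outside the hunk.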