From 9b8fcf685c5ca70a5067a621385bcdc8d9fd6469 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Jul 29 2016 12:45:15 +0000
Subject: PAM: Fix domain for UPN based lookups


Since sysdb_search_user_by_upn() searches the whole cache we have to set
the domain so that it matches the result.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

---

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1c759f0..66564f5 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1474,6 +1474,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
     static const char *user_attrs[] = SYSDB_PW_ATTRS;
     struct ldb_message *msg;
     struct ldb_result *res;
+    const char *sysdb_name;
 
     while (dom) {
        /* if it is a domainless search, skip domains that require fully
@@ -1533,6 +1534,22 @@ static int pam_check_user_search(struct pam_auth_req *preq)
 
         if (preq->pd->name_is_upn) {
             ret = sysdb_search_user_by_upn(preq, dom, name, user_attrs, &msg);
+
+            /* Since sysdb_search_user_by_upn() searches the whole cache we
+             * have to set the domain so that it matches the result. */
+            sysdb_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+            if (sysdb_name == NULL) {
+                DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n");
+                return EINVAL;
+            }
+            preq->domain = find_domain_by_object_name(get_domains_head(dom),
+                                                      sysdb_name);
+            if (preq->domain == NULL) {
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      "Cannot find matching domain for [%s].\n",
+                      sysdb_name);
+                return EINVAL;
+            }
         } else {
             ret = sysdb_getpwnam_with_views(preq, dom, name, &res);
             if (res->count > 1) {