From b02eda90e9c6d6666af55041b1b12f5ac2f47b73 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Dec 08 2014 09:43:01 +0000
Subject: IPA: Do not append domain name to fq name


Usernames from AD subdomains are already in fqdn we should not append
domain name in this case.

Resolves:
https://fedorahosted.org/sssd/ticket/2512

Reviewed-by: Michal Židek <mzidek@redhat.com>

---

diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 531258d..c4e70cf 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -812,6 +812,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
     char *ptr;
     char *username;
     char *username_final;
+    char *domain_name = NULL;
     TALLOC_CTX *tmp_ctx;
     struct selinux_child_input *sci;
 
@@ -849,10 +850,22 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
     }
 
     if (dom->fqnames) {
-        username_final = talloc_asprintf(tmp_ctx, dom->names->fq_fmt,
-                                         username, dom->name);
-        if (username_final == NULL) {
-            ret = ENOMEM;
+        ret = sss_parse_name(tmp_ctx, dom->names, username, &domain_name,
+                             NULL);
+        if (ret == EOK && domain_name != NULL) {
+            /* username is already a fully qualified name */
+            username_final = username;
+        } else if ((ret == EOK && domain_name == NULL)
+                   || ret == ERR_REGEX_NOMATCH) {
+            username_final = talloc_asprintf(tmp_ctx, dom->names->fq_fmt,
+                                             username, dom->name);
+            if (username_final == NULL) {
+                ret = ENOMEM;
+                goto done;
+            }
+        } else {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "sss_parse_name failed: [%d] %s", ret, sss_strerror(ret));
             goto done;
         }
     } else {