fedfb7c KRB5: Send the output username, not internal fqname to krb5_child

4 files Authored by jhrozek 4 years ago, Committed by lslebodn 4 years ago,
    KRB5: Send the output username, not internal fqname to krb5_child
    
    krb5_child calls krb5_kuserok() during the access phase which checks if
    a particular user is allowed to authenticate as a particular principal.
    We used to pass the internal fqname to krb5_kuserok() which broke the
    functionality and all users were denied access.
    
    This patch changes that to send the 'output' username to krb5_child,
    because that's the username the system receives through getpwnam() or
    getpwuid() anyway. The patch also adds a new structure member fo the
    krb5child_req structure to avoid reusing the pd->user variable but have
    an explicit one that serves as the input for the child process.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3172
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>