NEGCACHE: initialize UPN negative cache as well
UPNs are handled separately in the negative cache. To properly filter
user names even in the case of the fallback to a UPN lookup the negative
cache for UPNs has to be initialized with the names from the filter_user
option as well.

If the name from the option is a short name it will be added to the
negative UPN cache for each domain with the respective domain name. If
the name from the option is fully-qualified it will be added as is to
the negative UPN cache for each domain.

Related to https://pagure.io/SSSD/sssd/issue/3978

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
sumit-bose authored and jhrozek committed Mar 14, 2019
1 parent c295d07 commit 2f5aca3
Showing 2 changed files with 39 additions and 6 deletions.
3 changes: 2 additions & 1 deletion src/man/sssd.conf.5.xml
@@ -849,7 +849,8 @@
from the sss NSS database. This is particularly
useful for system accounts. This option can also
be set per-domain or include fully-qualified names
to filter only users from the particular domain.
to filter only users from the particular domain or
by a user principal name (UPN).
</para>
<para>
NOTE: The filter_groups option doesn't affect
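Review bot: the new wording on the `to filter only users from the particular domain or by a user principal name (UPN)` line does not tell the administrator how an entry is recognised as a UPN. Per the commit message, a fully-qualified name whose domain part is not a configured domain is treated as a UPN and added to every domain's negative UPN cache, and a short name is expanded with each domain name. Suggest stating that here, e.g. `A fully-qualified name whose domain part does not match a configured domain is treated as a UPN`, so that it is understood that a mistyped domain in filter_users becomes a UPN filter rather than an error.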
42 changes: 37 additions & 5 deletions src/responder/common/negcache.c
@@ -974,10 +974,16 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
}

if (domainname && strcmp(domainname, dom->name)) {
DEBUG(SSSDBG_CRIT_FAILURE,
DEBUG(SSSDBG_TRACE_FUNC,
"Mismatch between domain name (%s) and name "
"set in FQN (%s), skipping user %s\n",
dom->name, domainname, name);
"set in FQN (%s), assuming %s is UPN\n",
dom->name, domainname, filter_list[i]);
ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sss_ncache_set_upn failed (%d [%s]), ignored\n",
ret, sss_strerror(ret));
}
continue;
}
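Review bot: lowering the mismatch message from SSSDBG_CRIT_FAILURE to SSSDBG_TRACE_FUNC means a filter_users entry whose domain part is merely misspelled is now silently reinterpreted as a UPN, so the user it was meant to filter is no longer filtered and nothing visible at a default debug level says so. Suggest keeping the message at a level an administrator normally sees (SSSDBG_MINOR_FAILURE or SSSDBG_CONF_SETTINGS). Also, the sss_ncache_set_upn failure is logged at SSSDBG_OP_FAILURE and marked `ignored` here, but the same call in the -1050 hunk is logged at SSSDBG_CRIT_FAILURE with different wording; the new call sites should agree on level and text.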

@@ -986,13 +992,19 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}

ret = sss_ncache_set_upn(ncache, true, dom, fqname);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sss_ncache_set_upn failed (%d [%s]), ignored\n",
ret, sss_strerror(ret));
}
ret = sss_ncache_set_user(ncache, true, dom, fqname);
talloc_zfree(fqname);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to store permanent user filter for [%s]"
" (%d [%s])\n", filter_list[i],
ret, strerror(ret));
ret, sss_strerror(ret));
continue;
}
}
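Review bot: the sss_ncache_set_upn failure just before `ret = sss_ncache_set_user(ncache, true, dom, fqname);` is logged and ignored, while a sss_ncache_set_user failure immediately after it is treated as critical and skips the entry; since filter_users is a deny-list, an entry that ends up with a user filter but no UPN filter can still be resolved through the UPN lookup path the commit message describes. If the UPN insertion is meant to be best-effort, a short comment saying why that is acceptable would help the next reader; otherwise it should take the same `continue` path. The `ret, strerror(ret)` to `ret, sss_strerror(ret)` change in the existing error message is an unrelated fix that would be cleaner as its own commit.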
@@ -1023,7 +1035,18 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
dom = responder_get_domain(rctx, domainname);
if (!dom) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Invalid domain name [%s]\n", domainname);
"Unknown domain name [%s], assuming [%s] is UPN\n",
domainname, filter_list[i]);
for (dom = domain_list;
dom != NULL;
dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sss_ncache_set_upn failed (%d [%s]), ignored\n",
ret, sss_strerror(ret));
}
}
continue;
}
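Review bot: this branch keeps SSSDBG_CRIT_FAILURE for the `Unknown domain name [%s], assuming [%s] is UPN` message while the equivalent branch in the -974 hunk was lowered to SSSDBG_TRACE_FUNC; pick one level for both. More importantly, an unknown domain part is now always treated as a UPN and added to every domain, so a typo in the domain part of a filter_users entry no longer produces an error and the intended user stays resolvable; consider keeping an explicit warning that the domain was not found. Minor: after the `for (dom = domain_list; ...)` loop `dom` is NULL, which is only safe because of the `continue` that follows; a comment there would stop a future reordering from dereferencing it.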

@@ -1050,6 +1073,15 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}

ret = sss_ncache_set_upn(ncache, true, dom, fqname);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to store permanent upn filter for"
" [%s:%s] (%d [%s])\n",
dom->name, filter_list[i],
ret, strerror(ret));
}

ret = sss_ncache_set_user(ncache, true, dom, fqname);
talloc_zfree(fqname);
if (ret != EOK) {
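Review bot: the new error message uses `ret, strerror(ret)` while the -986 hunk in this same commit replaces exactly that pattern with sss_strerror(ret), and the call is logged at SSSDBG_CRIT_FAILURE as `Failed to store permanent upn filter` here but at SSSDBG_OP_FAILURE as `sss_ncache_set_upn failed (...), ignored` at the other two new sites; use sss_strerror and one level and wording everywhere. As in the -986 hunk, the failure does not skip the entry, so a name can end up in the negative user cache but not in the negative UPN cache; either add a `continue` or a comment stating that this partial state is intended.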
