On Thu, Jun 27, 2013 at 08:58:19AM -0400, Simo Sorce wrote:
> On Thu, 2013-06-27 at 13:27 +0200, Jakub Hrozek wrote:
> > Hi,
> >
> > during testing I found out that we mishandle UPNs for subdomain users
> > when using Kerberos authentication.
> >
> > If there is no userPrincipal attribute we guess based on username@REALM.
> > But for subdomain users the username is already qualified, so you end
> > up with username@DOMAIN@REALM. Currently the first login works fine because
> > the krb5 auth code treats the result as an enterprise principal. But if you
> > are checking an existing ccache then the krb5 code errors out because one of
> > the krb5_cc_* functions treats username@DOMAIN@REALM as an invalid principal.
> >
> > The attached patch checks if the username is already qualified and
> > replaces the domain name with the realm name when guessing the UPN. I really
> > don't like the result because parsing it out is inherently fragile. I think
> > we should store the plain username in an additional sysdb attribute,
> > too.
>
> Or we could simply parse out the ticket received during authentication
> and save the 'canonicalized principal name' in the cache.

This is already done, this patch is about finding a principal for the
initial authentication.

bye,
Sumit

> This way you do not need to do any guesswork at all.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
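The following is an added illustration of the UPN-guessing problem the thread discusses; it is not SSSD code and not the attached patch. The function names (`guess_upn_naive`, `guess_upn_fixed`, `upn_is_wellformed`), the realm `EXAMPLE.COM` and the sample usernames are all constructed for the example. It shows the naive `username@REALM` guess producing `user@DOMAIN@REALM` for an already-qualified subdomain user, the "replace the domain with the realm" variant described above, and a well-formedness check of the kind that rejects the doubled `@` (the thread's `krb5_cc_*` failure). Note that the fixed variant is exactly the fragile string parse the original post distrusts: it silently discards whatever follows the first `@`, which is why the thread proposes storing the plain username or the canonicalized principal instead.

```c
/* Added example, not SSSD's code: sketch of the UPN-guessing logic the
 * thread describes. All function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count '@' characters; a usable principal string has exactly one. */
static int count_at(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s == '@') n++;
    }
    return n;
}

/* Naive guess: always append @REALM. For a subdomain user whose name is
 * already qualified this yields user@DOMAIN@REALM. Caller frees. */
char *guess_upn_naive(const char *username, const char *realm)
{
    size_t len = strlen(username) + 1 + strlen(realm) + 1;
    char *upn = malloc(len);
    if (upn == NULL) return NULL;
    snprintf(upn, len, "%s@%s", username, realm);
    return upn;
}

/* Guess as the thread describes the patch: if the username already
 * contains '@', drop the domain part and substitute the realm; otherwise
 * append @REALM. Returns NULL for an empty user part. Caller frees. */
char *guess_upn_fixed(const char *username, const char *realm)
{
    const char *at = strchr(username, '@');
    size_t userlen = at ? (size_t)(at - username) : strlen(username);
    if (userlen == 0) return NULL;          /* "@domain" is not a usable name */
    size_t len = userlen + 1 + strlen(realm) + 1;
    char *upn = malloc(len);
    if (upn == NULL) return NULL;
    memcpy(upn, username, userlen);
    upn[userlen] = '@';
    strcpy(upn + userlen + 1, realm);
    return upn;
}

/* 1 if the string is a plain "user@REALM" form (exactly one '@', non-empty
 * on both sides), 0 otherwise. A doubled '@' fails this check. */
int upn_is_wellformed(const char *upn)
{
    if (upn == NULL) return 0;
    const char *at = strchr(upn, '@');
    return count_at(upn) == 1 && at != upn && at[1] != '\0';
}

int main(void)
{
    const char *realm = "EXAMPLE.COM";                        /* constructed */
    const char *users[] = { "alice", "bob@sub.example.com" };  /* constructed */
    for (size_t i = 0; i < sizeof(users) / sizeof(users[0]); i++) {
        char *naive = guess_upn_naive(users[i], realm);
        char *fixed = guess_upn_fixed(users[i], realm);
        printf("%-20s naive=%s (%s)  fixed=%s (%s)\n", users[i],
               naive, upn_is_wellformed(naive) ? "ok" : "invalid",
               fixed, upn_is_wellformed(fixed) ? "ok" : "invalid");
        free(naive);
        free(fixed);
    }
    return 0;
}
```

Running it prints one line per sample user; the subdomain user's naive guess is flagged invalid while the fixed guess passes, and the plain user is unaffected by the change.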
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel