sssd/SOURCES/0018-ipa-do-not-add-guessed-principal-to-the-cache.patch

From 29aa434816ce6ae2aaf3b0bcf24b89f05f426d1b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 22 Nov 2022 13:39:26 +0100
Subject: [PATCH 18/19] ipa: do not add guessed principal to the cache

Currently on IPA clients a calculated principal based on the user name
and the Kerberos realm is added to the cached user object. This code is
quite old and might have been necessary at times when sub-domain support
was added to SSSD. But since quite some time SSSD is capable of
generating the principal on the fly during authentication if nothing is
stored in the cache.

Removing the code makes the cache more consistent with other use-cases,
e.g. with the IPA server where this attribute is empty, and allows to
properly detect a missing UPN, e.g. during the PAC validation.

Resolves: https://github.com/SSSD/sssd/issues/6451

(cherry picked from commit b3d7a4f6d4e1d4fa1bd33b296cd4301973f1860c)

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
 src/providers/ipa/ipa_s2n_exop.c | 44 --------------------------------
 1 file changed, 44 deletions(-)

diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index c68c1de26..81927a6b8 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -2467,8 +2467,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
     time_t now;
     struct sss_nss_homedir_ctx homedir_ctx;
     char *name = NULL;
-    char *realm;
-    char *short_name = NULL;
     char *upn = NULL;
     gid_t gid;
     gid_t orig_gid = 0;
@@ -2607,48 +2605,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
                 goto done;
             }
 
-            if (upn == NULL) {
-                /* We also have to store a fake UPN here, because otherwise the
-                 * krb5 child later won't be able to properly construct one as
-                 * the username is fully qualified but the child doesn't have
-                 * access to the regex to deconstruct it */
-                /* FIXME: The real UPN is available from the PAC, we should get
-                 * it from there. */
-                realm = get_uppercase_realm(tmp_ctx, dom->name);
-                if (!realm) {
-                    DEBUG(SSSDBG_OP_FAILURE, "failed to get realm.\n");
-                    ret = ENOMEM;
-                    goto done;
-                }
-
-                ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
-                                                &short_name, NULL);
-                if (ret != EOK) {
-                    DEBUG(SSSDBG_CRIT_FAILURE,
-                          "Cannot parse internal name %s\n",
-                          attrs->a.user.pw_name);
-                    goto done;
-                }
-
-                upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
-                if (!upn) {
-                    DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
-                    ret = ENOMEM;
-                    goto done;
-                }
-
-                /* We might already have the SID or the UPN from other sources
-                 * hence sysdb_attrs_add_string_safe is used to avoid double
-                 * entries. */
-                ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs, SYSDB_UPN,
-                                                  upn);
-                if (ret != EOK) {
-                    DEBUG(SSSDBG_OP_FAILURE,
-                          "sysdb_attrs_add_string failed.\n");
-                    goto done;
-                }
-            }
-
             if (req_input->type == REQ_INP_SECID) {
                 ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs,
                                                   SYSDB_SID_STR,
-- 
2.37.3