From 1944936fc9b2b932330da24226aaaca5b270bcab Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 11 Nov 2024 18:42:09 +0100
Subject: [PATCH] ldap: make sure realm is set

In general the canonical principal will be only set in the cache after a successful authentication because in general it is not know what the canonical principal might be. For Active Directory it is known that the canonical principal is build with the sAMAccountName attribute and the Kerberos realm which is used in the patch "AD: Construct UPN from the sAMAccountName" (7a27e539). If 'id_provider = ldap' is used to access Active Directory the realm might not be set in the internal domain data and as a result a wrong principal might be created. This patch makes sure the realm is set before creating the canonical principal.
---
 src/providers/ldap/sdap_async_users.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 9dd88f9de9b..4d947530f10 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -204,7 +204,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
     size_t c;
     char *p1;
     char *p2;
-    char *new_upn;
+    char *new_upn = NULL;
     bool is_posix = true;
 
     DEBUG(SSSDBG_TRACE_FUNC, "Save user\n");
@@ -278,8 +278,10 @@ int sdap_save_user(TALLOC_CTX *memctx,
                                  &samaccountname);
     if (ret == EOK) {
         ret = ENOENT;
-        new_upn = talloc_asprintf(memctx, "%s@%s", samaccountname,
-                                  dom->realm);
+        if (dom->realm != NULL) {
+            new_upn = talloc_asprintf(memctx, "%s@%s", samaccountname,
+                                      dom->realm);
+        }
         if (new_upn != NULL){
             ret = sysdb_attrs_add_string(user_attrs, SYSDB_CANONICAL_UPN,
                                          new_upn);
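Review bot: The new `if (dom->realm != NULL)` guard leaves no trace when it skips: a missing realm and a failed talloc_asprintf both end with `new_upn == NULL` and `ret == ENOENT`, so an operator whose canonical UPN is silently absent cannot tell a configuration gap from an allocation failure. An else branch naming the cause would make this diagnosable, e.g. `} else { DEBUG(SSSDBG_CONF_SETTINGS, "Kerberos realm not set, canonical UPN not stored.\n"); }`. It would also help to say in a one-line comment above the guard why the realm may be unset here (the commit message explains it for `id_provider = ldap` against Active Directory, but the code does not). The rest of sdap_save_user, including whatever handles the ENOENT left behind, lies outside this hunk, so I cannot confirm it is reported there.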