From e9457990c14446fc46b72f7f927e6d5fc776d490 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 5 Mar 2015 15:10:43 +0100
Subject: [PATCH 27/99] PAM: use the logon_name as the key for the PAM initgr
 cache

Currently the name member of the pam_data struct is used as a key but it
can change during a request. Especially for sub-domain users the name is
changed from the short to the fully-qualified version before the cache
entry is created. As a result the cache searches are always done with
the short name while the entry was written with the fully-qualified name.

The logon_name member of the pam_data struct contains the name which was
sent by the PAM client and is never changed during the request.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7bbf9d1d054f0571fa90ff5dd400a6f4a5a7f6c8)
---
 src/responder/pam/pamsrv_cmd.c | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 86e763f825096edc0c07adbe2e02820e5f2bdac9..0b54402729e77f22391c6bd17fd8c937ddea3592 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1140,7 +1140,8 @@ static int pam_check_user_search(struct pam_auth_req *preq)
          * the number of updates within a reasonable timeout
          */
         if (preq->check_provider) {
-            ret = pam_initgr_check_timeout(pctx->id_table, name);
+            ret = pam_initgr_check_timeout(pctx->id_table,
+                                           preq->pd->logon_name);
             if (ret != EOK
                     && ret != ENOENT) {
                 DEBUG(SSSDBG_OP_FAILURE,
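Review bot: The new key drops the case normalization the removed code applied: pam_initgr_check_timeout now receives preq->pd->logon_name exactly as the PAM client sent it, whereas the entry was previously written with the name passed through sss_tc_utf8_str_tolower when preq->domain->case_sensitive was false (visible in the removed lines of the pam_check_user_dp_callback hunk, which switches pam_initgr_cache_set to the same raw key). Because both sites now use the identical unmodified string, lookups and inserts agree with each other, which is what the commit sets out to fix; the likely cost is that differently-cased logons such as "User" and "user" become separate cache entries and separate provider round-trips in a case-insensitive domain, so either both call sites should normalize the key the same way or the choice should be stated next to the call, e.g. `/* key is the unmodified logon_name as received from the PAM client; it is never rewritten during the request, so lookups and inserts agree */`. pam_check_user_search continues outside the hunk, so I cannot tell whether logon_name is guaranteed non-NULL at this point.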
@@ -1334,7 +1335,6 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
     int ret;
     struct pam_ctx *pctx =
             talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
-    char *name;
 
     if (err_maj) {
         DEBUG(SSSDBG_OP_FAILURE,
@@ -1346,17 +1346,8 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
     ret = pam_check_user_search(preq);
     if (ret == EOK) {
         /* Make sure we don't go to the ID provider too often */
-        name = preq->domain->case_sensitive ?
-                talloc_strdup(preq, preq->pd->user) :
-                sss_tc_utf8_str_tolower(preq, preq->pd->user);
-        if (!name) {
-            ret = ENOMEM;
-            goto done;
-        }
-
         ret = pam_initgr_cache_set(pctx->rctx->ev, pctx->id_table,
-                                   name, pctx->id_timeout);
-        talloc_free(name);
+                                   preq->pd->logon_name, pctx->id_timeout);
         if (ret != EOK) {
             DEBUG(SSSDBG_OP_FAILURE,
                   "Could not save initgr timestamp. "
@@ -1371,7 +1362,6 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
 
     ret = pam_check_user_done(preq, ret);
 
-done:
     if (ret) {
         preq->pd->pam_status = PAM_SYSTEM_ERR;
         pam_reply(preq);
-- 
2.4.0