From 1944936fc9b2b932330da24226aaaca5b270bcab Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 11 Nov 2024 18:42:09 +0100 Subject: [PATCH 1/2] ldap: make sure realm is set In general the canonical principal will be only set in the cache after a successful authentication because in general it is not know what the canonical principal might be. For Active Directory it is known that the canonical principal is build with the sAMAccountName attribute and the Kerberos realm which is used in the patch "AD: Construct UPN from the sAMAccountName" (7a27e539). If 'id_provider = ldap' is used to access Active Directory the realm might not be set in the internal domain data and as a result a wrong principal might be created. This patch makes sure the realm is set before creating the canonical principal. --- src/providers/ldap/sdap_async_users.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c index 9dd88f9de9b..4d947530f10 100644 --- a/src/providers/ldap/sdap_async_users.c +++ b/src/providers/ldap/sdap_async_users.c @@ -204,7 +204,7 @@ int sdap_save_user(TALLOC_CTX *memctx, size_t c; char *p1; char *p2; - char *new_upn; + char *new_upn = NULL; bool is_posix = true; DEBUG(SSSDBG_TRACE_FUNC, "Save user\n"); @@ -278,8 +278,10 @@ int sdap_save_user(TALLOC_CTX *memctx, &samaccountname); if (ret == EOK) { ret = ENOENT; - new_upn = talloc_asprintf(memctx, "%s@%s", samaccountname, - dom->realm); + if (dom->realm != NULL) { + new_upn = talloc_asprintf(memctx, "%s@%s", samaccountname, + dom->realm); + } if (new_upn != NULL){ ret = sysdb_attrs_add_string(user_attrs, SYSDB_CANONICAL_UPN, new_upn); From 0a2054d5cc4fd1f722111a8adb23995aa514cece Mon Sep 17 00:00:00 2001 From: Madhuri Upadhye Date: Fri, 15 Nov 2024 19:53:10 +0530 Subject: [PATCH 2/2] Test: Add the test when we replace id_provider With AD/Samba check the authentication of user by replacing id_provider = ldap 
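Review bot: When `dom->realm` is NULL the new guard leaves `new_upn` NULL and `ret` at ENOENT without any trace, so the situation that previously produced a `user@(null)` principal now fails silently; an `else` branch with `DEBUG(SSSDBG_MINOR_FAILURE, "Kerberos realm not set, skipping canonical UPN.\n");` would make the cause visible in the logs. An empty realm string would still build `samaccountname@`, which is just as wrong a principal as the NULL case; if an empty `krb5_realm` can reach this code, the guard should be `if (dom->realm != NULL && dom->realm[0] != '\0')`. sdap_save_user's body continues outside the hunk, so how the caller treats ENOENT on this path is not visible here.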
Signed-off-by: Madhuri Upadhye --- src/tests/system/tests/test_ad.py | 70 +++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 src/tests/system/tests/test_ad.py diff --git a/src/tests/system/tests/test_ad.py b/src/tests/system/tests/test_ad.py new file mode 100644 index 00000000000..53695f90a4c --- /dev/null +++ b/src/tests/system/tests/test_ad.py 
@@ -0,0 +1,70 @@ +""" +SSSD AD Provider Test Cases + +:requirement: ad +""" + +from __future__ import annotations + +import pytest +from sssd_test_framework.roles.client import Client +from sssd_test_framework.roles.generic import GenericADProvider +from sssd_test_framework.topology import KnownTopologyGroup + + +@pytest.mark.topology(KnownTopologyGroup.AnyAD) +@pytest.mark.ticket(jira="RHEL-65848", gh=7690) +@pytest.mark.parametrize("method", ["su", "ssh"]) +@pytest.mark.importance("high") +def test_ad__user_authentication_when_provider_is_set_to_ldap_with_gss_spnego( + client: Client, provider: GenericADProvider, method: str +): + """ + :title: Login to AD when id_provider is set to ldap + :setup: + 1. Add AD user + 2. Update sssd.conf with 'id_provider = ldap', 'ldap_schema = ad', + 'ldap_id_use_start_tls = false', 'auth_provider = ad' and + 'ldap_sasl_mech = gssspengo' and Start SSSD + :steps: + 1. Check authentication of the user + 2. Check log message in krb5_child.log, UPN [user1@null] should not be logged + :expectedresults: + 1. Authentication is successful + 2. Get required UPN [user1@] from krb5_child.log + :customerscenario: False + """ + provider.user("user1").add() + + client.sssd.config.remove_option("domain/test", "id_provider") + + configurations = { + "id_provider": "ldap", + "ldap_schema": "ad", + "ldap_id_use_start_tls": "False", + "auth_provider": "ad", + "ldap_referrals": "False", + "ldap_sasl_mech": "GSS-SPNEGO", + "ldap_id_mapping": "True", + } + + for key, value in configurations.items(): + client.sssd.domain[key] = value + + # id_provider = ldap will not add them automatically if they are not + # defined on the server side. 
+ client.sssd.nss["default_shell"] = "/bin/bash" + client.sssd.nss["override_homedir"] = "/home/%u" + + # `provider.host.domain` is ignored because it is dynamically added + p_domain = f"{provider.host.domain}" # type: ignore[attr-defined] + + client.sssd.domain["krb5_realm"] = f"{p_domain.upper()}" + client.sssd.domain["dns_discovery_domain"] = f"{p_domain}" + + client.sssd.start() + + assert client.auth.parametrize(method).password("user1", "Secret123"), "User user1 failed login!" + + log_str = client.fs.read("/var/log/sssd/krb5_child.log") + assert f"UPN [user1@{p_domain}]" in log_str, f"'UPN [user1@{p_domain}]' not in logs!" # type: ignore
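Review bot: The final assert only checks that `UPN [user1@<domain>]` appears, while the docstring's step 2 says the broken `UPN [user1@null]` form must not be logged; add `assert "UPN [user1@(null)]" not in log_str` next to the positive check (with glibc a NULL `%s` is rendered as `(null)`, but the exact pre-fix rendering should be confirmed from a log). The docstring also disagrees with the configuration: it lists `ldap_sasl_mech = gssspengo` whereas the code sets `GSS-SPNEGO`, and it omits `ldap_referrals = False` and `ldap_id_mapping = True`. `ldap_id_use_start_tls` is disabled without explanation; a comment such as `# No StartTLS here: the GSS-SPNEGO SASL layer provides integrity/confidentiality` would record why a cleartext LDAP connection is acceptable in this test. The expected substring uses the lowercase `p_domain` although `krb5_realm` is set to `p_domain.upper()`, so it is worth confirming which form krb5_child actually logs before relying on this assertion.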