Always use the spn of the user for nss requests

This is the cause of the failing whoami requests, because it provides the uid of the user for the request. As long as the cached user token hadn't expired, the resolver would respond. But when it needed refreshed, Himmelblau couldn't even find the id provider, because it was trying to match the uid against a domain name on the spn. Signed-off-by: David Mulder <[email protected]>
himmelblau-idm · May 14, 2024 · 3b8b873 · 3b8b873
1 parent 8dff47c
commit 3b8b873
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/src/common/src/idprovider/himmelblau.rs b/src/common/src/idprovider/himmelblau.rs
@@ -141,7 +141,10 @@ impl IdProvider for HimmelblauMultiProvider {
         machine_key: &tpm::MachineKey,
     ) -> Result<UserToken, IdpError> {
         /* AAD doesn't permit user listing (must use cache entries from auth) */
-        let account_id = id.to_string().clone();
+        let account_id = match old_token {
+            Some(token) => token.spn.clone(),
+            None => id.to_string().clone(),
+        };
         match split_username(&account_id) {
             Some((_sam, domain)) => {
                 let providers = self.providers.read().await;
@@ -479,7 +482,10 @@ impl IdProvider for HimmelblauProvider {
         machine_key: &tpm::MachineKey,
     ) -> Result<UserToken, IdpError> {
         /* Use the prt mem cache to refresh the user token */
-        let account_id = id.to_string().clone();
+        let account_id = match old_token {
+            Some(token) => token.spn.clone(),
+            None => id.to_string().clone(),
+        };
         let prt = match self.refresh_cache.refresh_token(&account_id).await {
             Ok(prt) => prt,
             Err(_) => {