From: Lennart Poettering
Date: Fri, 19 Jun 2026 20:14:03 +0000 (+0200)
Subject: Accept NSS aliases for canonicalized user records (#42452)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0322fe3220af0c707518c1611ddca125cb460893;p=thirdparty%2Fsystemd.git

Accept NSS aliases for canonicalized user records (#42452)

This PR fixes userdb lookups for NSS users that are resolved through an alias but returned with a canonical user name.

Some NSS providers, such as SSSD, can successfully resolve a user by an alias-like name, for example a Kerberos/AD UPN (for example testuser@example.test) while returning a passwd record with the canonical login name. The original lookup name was not preserved.

Later, the userdb worker checked whether the returned record matched the requested name with user_record_matches_user_name(). Since the requested name was testuser@example.test, but the record only contained testuser, the lookup was rejected as:

`io.systemd.UserDatabase.ConflictingRecordFound`

This also caused pam_systemd to fail opening sessions for such users with:

`pam_systemd(...:session): Failed to get user record`

In my case, this broke graphical logins for Samba users logging in with a UPN on systems where SSSD canonicalizes the NSS result.

My solution preserves the requested name as a UserRecord alias when an NSS lookup by name succeeds but the returned pw_name differs from the requested name. This allows user_record_matches_user_name() to accept the canonicalized NSS result instead of treating it as a conflicting record.

The patch does not invent new aliases. It only records the name that NSS itself already accepted and resolved successfully.

I'm not an expert on working with systemd, so I'm asking for a review of my PR.

--- 0322fe3220af0c707518c1611ddca125cb460893
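The following is an added example, not code from this commit or from systemd: a simplified C model of the lookup flow the message describes, showing the conflict before the change and the alias-based acceptance after it. The `Rec` struct, the `nss_table` data and the functions `nss_lookup`, `record_matches` and `worker_lookup` are hypothetical stand-ins, and the table entries are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical stand-in for a user record: canonical name plus at most one alias. */
typedef struct { char user_name[64]; char alias[64]; } Rec;

/* Constructed NSS data: the provider accepts a UPN but returns the canonical name. */
static const struct { const char *accepted; const char *pw_name; } nss_table[] = {
    { "testuser", "testuser" },
    { "testuser@example.test", "testuser" },
};

/* Models an NSS lookup by name; preserve_alias selects the behaviour after the fix. */
static bool nss_lookup(const char *requested, bool preserve_alias, Rec *out) {
    for (size_t i = 0; i < sizeof nss_table / sizeof nss_table[0]; i++) {
        if (strcmp(nss_table[i].accepted, requested) != 0)
            continue;
        memset(out, 0, sizeof *out);
        snprintf(out->user_name, sizeof out->user_name, "%s", nss_table[i].pw_name);
        /* Record only the name NSS itself accepted, and only if it differs. */
        if (preserve_alias && strcmp(requested, out->user_name) != 0)
            snprintf(out->alias, sizeof out->alias, "%s", requested);
        return true;
    }
    return false; /* NSS did not resolve the name: nothing is recorded */
}

/* Models the name check: the canonical name or a recorded alias must match. */
static bool record_matches(const Rec *r, const char *name) {
    return strcmp(r->user_name, name) == 0 ||
           (r->alias[0] != '\0' && strcmp(r->alias, name) == 0);
}

/* Returns 0 = accepted, -1 = not found, -2 = conflicting record. */
static int worker_lookup(const char *requested, bool preserve_alias) {
    Rec r;
    if (!nss_lookup(requested, preserve_alias, &r))
        return -1;
    return record_matches(&r, requested) ? 0 : -2;
}

int main(void) {
    printf("before: %d\n", worker_lookup("testuser@example.test", false));
    printf("after:  %d\n", worker_lookup("testuser@example.test", true));
    return 0;
}
```

In this model, a name that NSS does not resolve never becomes an alias, and a recorded alias does not make the record match any other name.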