rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Adopt to Samba changes in malformed SID processing

Browse Source 
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Alexander Bokovoy 2023-10-23 18:16:23 +03:00
parent f81c02d7c7
commit eb660edcd1
2 changed files with 86 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
freeipa-4.11-samba-changes.patch Normal file
View File

@ -0,0 +1,80 @@
From d50624dce932d02ea03a00d3ac2ec1be69e8d3b6 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 19 Oct 2023 12:47:03 +0200
Subject: [PATCH 1/2] group-add-member fails with an external member
The command ipa group-add-member --external aduser@addomain.test
fails with an internal error when used with samba 4.19.
The command internally calls samba.security.dom_sid(sid) which
used to raise a TypeError but now raises a ValueError
(commit 9abdd67 on https://github.com/samba-team/samba).
IPA source code needs to handle properly both exception types.
Fixes: https://pagure.io/freeipa/issue/9466
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/dcerpc.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 741f0608f..7e585c876 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -303,7 +303,7 @@ class DomainValidator:
# Parse sid string to see if it is really in a SID format
try:
test_sid = security.dom_sid(sid)
- except TypeError:
+ except (TypeError, ValueError):
raise errors.ValidationError(name='sid',
error=_('SID is not valid'))
--
2.41.0
From ed6fa6029d863aed1522b449d3360e6c4028e066 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 20 Oct 2023 10:20:57 +0200
Subject: [PATCH 2/2] Handle samba changes in samba.security.dom_sid()
samba.security.dom_sid() in 4.19 now raises ValueError instead of
TypeError. Fix the expected exception.
Related: https://pagure.io/freeipa/issue/9466
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/dcerpc.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 7e585c876..675572c03 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -97,7 +97,7 @@ logger = logging.getLogger(__name__)
def is_sid_valid(sid):
try:
security.dom_sid(sid)
- except TypeError:
+ except (TypeError, ValueError):
return False
else:
return True
@@ -457,7 +457,7 @@ class DomainValidator:
try:
test_sid = security.dom_sid(sid)
return unicode(test_sid)
- except TypeError:
+ except (TypeError, ValueError):
raise errors.ValidationError(name=_('trusted domain object'),
error=_('Trusted domain did not '
'return a valid SID for '
--
2.41.0

7
freeipa.spec
View File

@ -201,7 +201,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 5%{?rc_version:.%rc_version}%{?dist}
Release: 6%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -220,6 +220,8 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
Source2: gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc
%endif
Patch0001: freeipa-4.11-samba-changes.patch
# RHEL spec file only: START: Change branding to IPA and Identity Management
# Moved branding logos and background to redhat-logos-ipa-80.4:
# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
@ -1739,6 +1741,9 @@ fi
%endif
%changelog
* Mon Oct 23 2023 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.0-6
- Adopt trust to AD code to Samba changes in case SIDs are malformed
* Tue Oct 03 2023 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.0-5
- FreeIPA 4.11.0 release
- Simplify Fedora spec file