import sssd-2.3.0-2.el8
This commit is contained in:
parent
fe0e7f4858
commit
02134115c0
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/sssd-2.2.3.tar.gz
|
SOURCES/sssd-2.3.0.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
c2b457f85586750f5b22bfedd4cbca5b6f8fdb88 SOURCES/sssd-2.2.3.tar.gz
|
61b8704c33ea80104fa9d94017c704e333c3c552 SOURCES/sssd-2.3.0.tar.gz
|
||||||
|
@ -1,35 +0,0 @@
|
|||||||
From b626651847e188e89a332b8ac4bfaaa5047e1b3d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Halman <thalman@redhat.com>
|
|
||||||
Date: Tue, 10 Dec 2019 16:30:32 +0100
|
|
||||||
Subject: [PATCH] INI: sssctl config-check command error messages
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
In case of parsing error sssctl config-check command does not give
|
|
||||||
proper error messages with line number. With this patch the error
|
|
||||||
message is printed again.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://pagure.io/SSSD/sssd/issue/4129
|
|
||||||
|
|
||||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
||||||
---
|
|
||||||
src/util/sss_ini.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
|
|
||||||
index e3699805d..5d91602cd 100644
|
|
||||||
--- a/src/util/sss_ini.c
|
|
||||||
+++ b/src/util/sss_ini.c
|
|
||||||
@@ -865,6 +865,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
|
|
||||||
|
|
||||||
ret = sss_ini_parse(self);
|
|
||||||
if (ret != EOK) {
|
|
||||||
+ sss_ini_config_print_errors(self->error_list);
|
|
||||||
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
|
|
||||||
return ERR_INI_PARSE_FAILED;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
114
SOURCES/0001-ad_gpo_ndr.c-more-ndr-updates.patch
Normal file
114
SOURCES/0001-ad_gpo_ndr.c-more-ndr-updates.patch
Normal file
@ -0,0 +1,114 @@
|
|||||||
|
From a7c755672cd277497da3df4714f6d9457b6ac5ae Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Thu, 28 May 2020 15:02:43 +0200
|
||||||
|
Subject: [PATCH] ad_gpo_ndr.c: more ndr updates
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
This patch add another update to the ndr code which was previously
|
||||||
|
updated by commit c031adde4f532f39845a0efd78693600f1f8b2f4 and
|
||||||
|
1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc.
|
||||||
|
|
||||||
|
As missing update in ndr_pull_security_ace() cased
|
||||||
|
a failure in ad_gpo_parse_sd(). A unit-test for ad_gpo_parse_sd() was
|
||||||
|
added to prevent similar issues in future.
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/5183
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/providers/ad/ad_gpo_ndr.c | 1 +
|
||||||
|
src/tests/cmocka/test_ad_gpo.c | 57 ++++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 58 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
|
||||||
|
index acd7b77c8..71d6d40f2 100644
|
||||||
|
--- a/src/providers/ad/ad_gpo_ndr.c
|
||||||
|
+++ b/src/providers/ad/ad_gpo_ndr.c
|
||||||
|
@@ -317,6 +317,7 @@ ndr_pull_security_ace(struct ndr_pull *ndr,
|
||||||
|
ndr->offset += pad;
|
||||||
|
}
|
||||||
|
if (ndr_flags & NDR_BUFFERS) {
|
||||||
|
+ NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type));
|
||||||
|
NDR_CHECK(ndr_pull_security_ace_object_ctr
|
||||||
|
(ndr, NDR_BUFFERS, &r->object));
|
||||||
|
}
|
||||||
|
diff --git a/src/tests/cmocka/test_ad_gpo.c b/src/tests/cmocka/test_ad_gpo.c
|
||||||
|
index 97f70408a..d1f7a6915 100644
|
||||||
|
--- a/src/tests/cmocka/test_ad_gpo.c
|
||||||
|
+++ b/src/tests/cmocka/test_ad_gpo.c
|
||||||
|
@@ -347,6 +347,60 @@ void test_ad_gpo_ace_includes_host_sid_true(void **state)
|
||||||
|
group_size, ace_dom_sid, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
+uint8_t test_sid_data[] = {
|
||||||
|
+0x01, 0x00, 0x04, 0x9c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||||
|
+0x14, 0x00, 0x00, 0x00, 0x04, 0x00, 0x34, 0x01, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
|
||||||
|
+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
|
||||||
|
+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00,
|
||||||
|
+0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
|
||||||
|
+0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8,
|
||||||
|
+0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00,
|
||||||
|
+0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55,
|
||||||
|
+0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00,
|
||||||
|
+0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60,
|
||||||
|
+0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
|
||||||
|
+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
|
||||||
|
+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00,
|
||||||
|
+0x00, 0x0a, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,
|
||||||
|
+0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00,
|
||||||
|
+0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00,
|
||||||
|
+0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0b, 0x00, 0x00, 0x00, 0x05, 0x02, 0x28, 0x00,
|
||||||
|
+0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x8f, 0xfd, 0xac, 0xed, 0xb3, 0xff, 0xd1, 0x11,
|
||||||
|
+0xb4, 0x1d, 0x00, 0xa0, 0xc9, 0x68, 0xf9, 0x39, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
|
||||||
|
+0x0b, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00, 0x01, 0x01, 0x00, 0x00,
|
||||||
|
+0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+void test_ad_gpo_parse_sd(void **state)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ struct security_descriptor *sd = NULL;
|
||||||
|
+
|
||||||
|
+ ret = ad_gpo_parse_sd(test_ctx, NULL, 0, &sd);
|
||||||
|
+ assert_int_equal(ret, EINVAL);
|
||||||
|
+
|
||||||
|
+ ret = ad_gpo_parse_sd(test_ctx, test_sid_data, sizeof(test_sid_data), &sd);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+ assert_non_null(sd);
|
||||||
|
+ assert_int_equal(sd->revision, 1);
|
||||||
|
+ assert_int_equal(sd->type, 39940);
|
||||||
|
+ assert_null(sd->owner_sid);
|
||||||
|
+ assert_null(sd->group_sid);
|
||||||
|
+ assert_null(sd->sacl);
|
||||||
|
+ assert_non_null(sd->dacl);
|
||||||
|
+ assert_int_equal(sd->dacl->revision, 4);
|
||||||
|
+ assert_int_equal(sd->dacl->size, 308);
|
||||||
|
+ assert_int_equal(sd->dacl->num_aces, 10);
|
||||||
|
+ assert_int_equal(sd->dacl->aces[0].type, 0);
|
||||||
|
+ assert_int_equal(sd->dacl->aces[0].flags, 0);
|
||||||
|
+ assert_int_equal(sd->dacl->aces[0].size, 36);
|
||||||
|
+ assert_int_equal(sd->dacl->aces[0].access_mask, 917693);
|
||||||
|
+ /* There are more components and ACEs in the security_descriptor struct
|
||||||
|
+ * which are not checked here. */
|
||||||
|
+
|
||||||
|
+ talloc_free(sd);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int main(int argc, const char *argv[])
|
||||||
|
{
|
||||||
|
poptContext pc;
|
||||||
|
@@ -385,6 +439,9 @@ int main(int argc, const char *argv[])
|
||||||
|
cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_host_sid_true,
|
||||||
|
ad_gpo_test_setup,
|
||||||
|
ad_gpo_test_teardown),
|
||||||
|
+ cmocka_unit_test_setup_teardown(test_ad_gpo_parse_sd,
|
||||||
|
+ ad_gpo_test_setup,
|
||||||
|
+ ad_gpo_test_teardown),
|
||||||
|
};
|
||||||
|
|
||||||
|
/* Set debug level to invalid value so we can decide if -d 0 was used. */
|
||||||
|
--
|
||||||
|
2.21.1
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
From 21cb9fb28db1f2eb4ee770eb029bfe20233e4392 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Thu, 12 Dec 2019 13:10:16 +0100
|
|
||||||
Subject: [PATCH] certmap: mention special regex characters in man page
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Since some of the matching rules use regular expressions some characters
|
|
||||||
must be escaped so that they can be used a ordinary characters in the
|
|
||||||
rules.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/4127
|
|
||||||
|
|
||||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
||||||
---
|
|
||||||
src/man/sss-certmap.5.xml | 9 +++++++++
|
|
||||||
1 file changed, 9 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
|
|
||||||
index db258d14a..10343625e 100644
|
|
||||||
--- a/src/man/sss-certmap.5.xml
|
|
||||||
+++ b/src/man/sss-certmap.5.xml
|
|
||||||
@@ -92,6 +92,15 @@
|
|
||||||
<para>
|
|
||||||
Example: <SUBJECT>.*,DC=MY,DC=DOMAIN
|
|
||||||
</para>
|
|
||||||
+ <para>
|
|
||||||
+ Please note that the characters "^.[$()|*+?{\" have a
|
|
||||||
+ special meaning in regular expressions and must be
|
|
||||||
+ escaped with the help of the '\' character so that they
|
|
||||||
+ are matched as ordinary characters.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Example: <SUBJECT>^CN=.* \(Admin\),DC=MY,DC=DOMAIN$
|
|
||||||
+ </para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
<varlistentry>
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
39
SOURCES/0002-test-avoid-endian-issues-in-network-tests.patch
Normal file
39
SOURCES/0002-test-avoid-endian-issues-in-network-tests.patch
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
From 532b75c937d767caf60bb00f1a525ae7f6c70cc6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||||
|
Date: Wed, 20 May 2020 12:07:13 +0200
|
||||||
|
Subject: [PATCH] test: avoid endian issues in network tests
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
|
||||||
|
---
|
||||||
|
src/tests/cmocka/test_nss_srv.c | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
|
||||||
|
index 2c91d0a23..3cd7809cf 100644
|
||||||
|
--- a/src/tests/cmocka/test_nss_srv.c
|
||||||
|
+++ b/src/tests/cmocka/test_nss_srv.c
|
||||||
|
@@ -35,6 +35,7 @@
|
||||||
|
#include "util/util_sss_idmap.h"
|
||||||
|
#include "util/crypto/sss_crypto.h"
|
||||||
|
#include "util/crypto/nss/nss_util.h"
|
||||||
|
+#include "util/sss_endian.h"
|
||||||
|
#include "db/sysdb_private.h" /* new_subdomain() */
|
||||||
|
#include "db/sysdb_iphosts.h"
|
||||||
|
#include "db/sysdb_ipnetworks.h"
|
||||||
|
@@ -5308,7 +5309,13 @@ struct netent test_netent = {
|
||||||
|
.n_name = discard_const("test_network"),
|
||||||
|
.n_aliases = discard_const(test_netent_aliases),
|
||||||
|
.n_addrtype = AF_INET,
|
||||||
|
+#if (__BYTE_ORDER == __LITTLE_ENDIAN)
|
||||||
|
.n_net = 0x04030201 /* 1.2.3.4 */
|
||||||
|
+#elif (__BYTE_ORDER == __BIG_ENDIAN)
|
||||||
|
+ .n_net = 0x01020304 /* 1.2.3.4 */
|
||||||
|
+#else
|
||||||
|
+ #error "unknow endianess"
|
||||||
|
+#endif
|
||||||
|
};
|
||||||
|
|
||||||
|
static void mock_input_netbyname(const char *name)
|
||||||
|
--
|
||||||
|
2.21.1
|
||||||
|
|
@ -1,98 +0,0 @@
|
|||||||
From 580d61884b6c0a81357d8f9fa69fe69d1f017185 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Fri, 6 Dec 2019 12:29:49 +0100
|
|
||||||
Subject: [PATCH] ldap_child: do not try PKINIT
|
|
||||||
|
|
||||||
if the PKINIT plugin is installed and pkinit_identities is set in
|
|
||||||
/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only
|
|
||||||
wants to authenticate with a keytab. As a result ldap_child might try to
|
|
||||||
access a Smartcard which is either not allowed at all or might cause
|
|
||||||
unexpected delays.
|
|
||||||
|
|
||||||
To avoid this the current patch sets pkinit_identities for LDAP child
|
|
||||||
explicitly to make the PKINIT plugin fail because if installed libkrb5
|
|
||||||
will always use it.
|
|
||||||
|
|
||||||
It turned out the setting pre-authentication options requires some
|
|
||||||
internal flags to be set and krb5_get_init_creds_opt_alloc() must be
|
|
||||||
used to initialize the options struct.
|
|
||||||
|
|
||||||
Related to https://pagure.io/SSSD/sssd/issue/4126
|
|
||||||
|
|
||||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
||||||
---
|
|
||||||
src/providers/ldap/ldap_child.c | 30 ++++++++++++++++++++++--------
|
|
||||||
1 file changed, 22 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
|
|
||||||
index 408d64db4..b081df90f 100644
|
|
||||||
--- a/src/providers/ldap/ldap_child.c
|
|
||||||
+++ b/src/providers/ldap/ldap_child.c
|
|
||||||
@@ -277,7 +277,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
|
||||||
krb5_ccache ccache = NULL;
|
|
||||||
krb5_principal kprinc;
|
|
||||||
krb5_creds my_creds;
|
|
||||||
- krb5_get_init_creds_opt options;
|
|
||||||
+ krb5_get_init_creds_opt *options = NULL;
|
|
||||||
krb5_error_code krberr;
|
|
||||||
krb5_timestamp kdc_time_offset;
|
|
||||||
int canonicalize = 0;
|
|
||||||
@@ -392,19 +392,32 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
memset(&my_creds, 0, sizeof(my_creds));
|
|
||||||
- memset(&options, 0, sizeof(options));
|
|
||||||
|
|
||||||
- krb5_get_init_creds_opt_set_address_list(&options, NULL);
|
|
||||||
- krb5_get_init_creds_opt_set_forwardable(&options, 0);
|
|
||||||
- krb5_get_init_creds_opt_set_proxiable(&options, 0);
|
|
||||||
- krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
|
|
||||||
+ krberr = krb5_get_init_creds_opt_alloc(context, &options);
|
|
||||||
+ if (krberr != 0) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_get_init_creds_opt_alloc failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ krb5_get_init_creds_opt_set_address_list(options, NULL);
|
|
||||||
+ krb5_get_init_creds_opt_set_forwardable(options, 0);
|
|
||||||
+ krb5_get_init_creds_opt_set_proxiable(options, 0);
|
|
||||||
+ krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
|
|
||||||
+ krberr = krb5_get_init_creds_opt_set_pa(context, options,
|
|
||||||
+ "X509_user_identity", "");
|
|
||||||
+ if (krberr != 0) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "krb5_get_init_creds_opt_set_pa failed [%d], ignored.\n",
|
|
||||||
+ krberr);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
|
|
||||||
tmp_str = getenv("KRB5_CANONICALIZE");
|
|
||||||
if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
|
|
||||||
DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
|
|
||||||
canonicalize = 1;
|
|
||||||
}
|
|
||||||
- sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
|
|
||||||
+ sss_krb5_get_init_creds_opt_set_canonicalize(options, canonicalize);
|
|
||||||
|
|
||||||
ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
|
|
||||||
DB_PATH, realm_name);
|
|
||||||
@@ -433,7 +446,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
|
|
||||||
- keytab, 0, NULL, &options);
|
|
||||||
+ keytab, 0, NULL, options);
|
|
||||||
if (krberr != 0) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
"krb5_get_init_creds_keytab() failed: %d\n", krberr);
|
|
||||||
@@ -513,6 +526,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
|
||||||
*expire_time_out = my_creds.times.endtime - kdc_time_offset;
|
|
||||||
|
|
||||||
done:
|
|
||||||
+ krb5_get_init_creds_opt_free(context, options);
|
|
||||||
if (krberr != 0) {
|
|
||||||
if (*_krb5_msg == NULL) {
|
|
||||||
/* no custom error message provided hence get one from libkrb5 */
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -0,0 +1,137 @@
|
|||||||
|
From 61f4aaa56ea876fb75c1366c938818b7799408ab Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Halman <thalman@redhat.com>
|
||||||
|
Date: Wed, 29 Apr 2020 16:40:36 +0200
|
||||||
|
Subject: [PATCH] sssctl: sssctl config-check alternative config file
|
||||||
|
|
||||||
|
The sssctl config-check now allows to specify alternative config
|
||||||
|
file so it can be tested before rewriting system configuration.
|
||||||
|
|
||||||
|
sssctl config-check -c ./sssd.conf
|
||||||
|
|
||||||
|
Configuration snippets are looked up in the same place under
|
||||||
|
conf.d directory. It would be in ./conf.d/ for the example above.
|
||||||
|
|
||||||
|
Resolves:
|
||||||
|
https://github.com/SSSD/sssd/issues/5142
|
||||||
|
|
||||||
|
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
|
||||||
|
---
|
||||||
|
src/confdb/confdb.h | 6 ++--
|
||||||
|
src/tools/sssctl/sssctl_config.c | 56 ++++++++++++++++++++++++++++----
|
||||||
|
2 files changed, 53 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||||
|
index 0a5593232..a2b58e12a 100644
|
||||||
|
--- a/src/confdb/confdb.h
|
||||||
|
+++ b/src/confdb/confdb.h
|
||||||
|
@@ -40,8 +40,10 @@
|
||||||
|
|
||||||
|
#define CONFDB_DEFAULT_CFG_FILE_VER 2
|
||||||
|
#define CONFDB_FILE "config.ldb"
|
||||||
|
-#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/sssd.conf"
|
||||||
|
-#define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/conf.d"
|
||||||
|
+#define SSSD_CONFIG_FILE_NAME "sssd.conf"
|
||||||
|
+#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/"SSSD_CONFIG_FILE_NAME
|
||||||
|
+#define CONFDB_DEFAULT_CONFIG_DIR_NAME "conf.d"
|
||||||
|
+#define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/"CONFDB_DEFAULT_CONFIG_DIR_NAME
|
||||||
|
#define SSSD_MIN_ID 1
|
||||||
|
#define SSSD_LOCAL_MINID 1000
|
||||||
|
#define CONFDB_DEFAULT_SHELL_FALLBACK "/bin/sh"
|
||||||
|
diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c
|
||||||
|
index 74395b61c..de9f3de6e 100644
|
||||||
|
--- a/src/tools/sssctl/sssctl_config.c
|
||||||
|
+++ b/src/tools/sssctl/sssctl_config.c
|
||||||
|
@@ -34,6 +34,29 @@
|
||||||
|
|
||||||
|
|
||||||
|
#ifdef HAVE_LIBINI_CONFIG_V1_3
|
||||||
|
+
|
||||||
|
+static char *sssctl_config_snippet_path(TALLOC_CTX *ctx, const char *path)
|
||||||
|
+{
|
||||||
|
+ char *tmp = NULL;
|
||||||
|
+ const char delimiter = '/';
|
||||||
|
+ char *dpos = NULL;
|
||||||
|
+
|
||||||
|
+ tmp = talloc_strdup(ctx, path);
|
||||||
|
+ if (!tmp) {
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ dpos = strrchr(tmp, delimiter);
|
||||||
|
+ if (dpos != NULL) {
|
||||||
|
+ ++dpos;
|
||||||
|
+ *dpos = '\0';
|
||||||
|
+ } else {
|
||||||
|
+ *tmp = '\0';
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return talloc_strdup_append(tmp, CONFDB_DEFAULT_CONFIG_DIR_NAME);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
errno_t sssctl_config_check(struct sss_cmdline *cmdline,
|
||||||
|
struct sss_tool_ctx *tool_ctx,
|
||||||
|
void *pvt)
|
||||||
|
@@ -47,8 +70,15 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
|
||||||
|
size_t num_ra_error, num_ra_success;
|
||||||
|
char **strs = NULL;
|
||||||
|
TALLOC_CTX *tmp_ctx = NULL;
|
||||||
|
-
|
||||||
|
- ret = sss_tool_popt(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL);
|
||||||
|
+ const char *config_path = NULL;
|
||||||
|
+ const char *config_snippet_path = NULL;
|
||||||
|
+ struct poptOption long_options[] = {
|
||||||
|
+ {"config", 'c', POPT_ARG_STRING, &config_path,
|
||||||
|
+ 0, _("Specify a non-default config file"), NULL},
|
||||||
|
+ POPT_TABLEEND
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+ ret = sss_tool_popt(cmdline, long_options, SSS_TOOL_OPT_OPTIONAL, NULL, NULL);
|
||||||
|
if (ret != EOK) {
|
||||||
|
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
|
||||||
|
return ret;
|
||||||
|
@@ -62,17 +92,29 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (config_path != NULL) {
|
||||||
|
+ config_snippet_path = sssctl_config_snippet_path(tmp_ctx, config_path);
|
||||||
|
+ if (config_snippet_path == NULL) {
|
||||||
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create snippet path\n");
|
||||||
|
+ ret = ENOMEM;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ config_path = SSSD_CONFIG_FILE;
|
||||||
|
+ config_snippet_path = CONFDB_DEFAULT_CONFIG_DIR;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
ret = sss_ini_read_sssd_conf(init_data,
|
||||||
|
- SSSD_CONFIG_FILE,
|
||||||
|
- CONFDB_DEFAULT_CONFIG_DIR);
|
||||||
|
+ config_path,
|
||||||
|
+ config_snippet_path);
|
||||||
|
|
||||||
|
if (ret == ERR_INI_OPEN_FAILED) {
|
||||||
|
- PRINT("Failed to open %s\n", SSSD_CONFIG_FILE);
|
||||||
|
+ PRINT("Failed to open %s\n", config_path);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!sss_ini_exists(init_data)) {
|
||||||
|
- PRINT("File %1$s does not exist.\n", SSSD_CONFIG_FILE);
|
||||||
|
+ PRINT("File %1$s does not exist.\n", config_path);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ret == ERR_INI_INVALID_PERMISSION) {
|
||||||
|
@@ -83,7 +125,7 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
|
||||||
|
|
||||||
|
if (ret == ERR_INI_PARSE_FAILED) {
|
||||||
|
PRINT("Failed to load configuration from %s.\n",
|
||||||
|
- SSSD_CONFIG_FILE);
|
||||||
|
+ config_path);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.21.1
|
||||||
|
|
@ -8,12 +8,14 @@
|
|||||||
|
|
||||||
%global install_pcscd_polkit_rule 1
|
%global install_pcscd_polkit_rule 1
|
||||||
|
|
||||||
|
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
|
||||||
|
|
||||||
# Determine the location of the LDB modules directory
|
# Determine the location of the LDB modules directory
|
||||||
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
|
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
|
||||||
%global ldb_version 1.2.0
|
%global ldb_version 1.2.0
|
||||||
|
|
||||||
%global enable_systemtap 1
|
%global enable_systemtap 1
|
||||||
%global enable_systemtap_opt --enable-systemtap
|
%global enable_systemtap_opt --enable-systemtap
|
||||||
|
|
||||||
%global libwbc_alternatives_version 0.14
|
%global libwbc_alternatives_version 0.14
|
||||||
%global libwbc_lib_version %{libwbc_alternatives_version}.0
|
%global libwbc_lib_version %{libwbc_alternatives_version}.0
|
||||||
@ -23,8 +25,8 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 2.2.3
|
Version: 2.3.0
|
||||||
Release: 6%{?dist}
|
Release: 2%{?dist}
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -32,9 +34,9 @@ URL: https://pagure.io/SSSD/sssd/
|
|||||||
Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
|
Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
|
||||||
|
|
||||||
### Patches ###
|
### Patches ###
|
||||||
Patch0001: 0001-INI-sssctl-config-check-command-error-messages.patch
|
Patch0001: 0001-ad_gpo_ndr.c-more-ndr-updates.patch
|
||||||
Patch0002: 0002-certmap-mention-special-regex-characters-in-man-page.patch
|
Patch0002: 0002-test-avoid-endian-issues-in-network-tests.patch
|
||||||
Patch0003: 0003-ldap_child-do-not-try-PKINIT.patch
|
Patch0003: 0003-sssctl-sssctl-config-check-alternative-config-file.patch
|
||||||
|
|
||||||
### Downstream Patches ###
|
### Downstream Patches ###
|
||||||
|
|
||||||
@ -119,7 +121,7 @@ BuildRequires: systemd-devel
|
|||||||
BuildRequires: systemd
|
BuildRequires: systemd
|
||||||
BuildRequires: cifs-utils-devel
|
BuildRequires: cifs-utils-devel
|
||||||
BuildRequires: libnfsidmap-devel
|
BuildRequires: libnfsidmap-devel
|
||||||
BuildRequires: samba4-devel
|
BuildRequires: samba-devel
|
||||||
BuildRequires: libsmbclient-devel
|
BuildRequires: libsmbclient-devel
|
||||||
BuildRequires: samba-winbind
|
BuildRequires: samba-winbind
|
||||||
BuildRequires: systemtap-sdt-devel
|
BuildRequires: systemtap-sdt-devel
|
||||||
@ -212,6 +214,7 @@ Requires: sssd-common = %{version}-%{release}
|
|||||||
# required by sss_obfuscate
|
# required by sss_obfuscate
|
||||||
Requires: python3-sss = %{version}-%{release}
|
Requires: python3-sss = %{version}-%{release}
|
||||||
Requires: python3-sssdconfig = %{version}-%{release}
|
Requires: python3-sssdconfig = %{version}-%{release}
|
||||||
|
Recommends: sssd-dbus
|
||||||
|
|
||||||
%description tools
|
%description tools
|
||||||
Provides userspace tools for manipulating users, groups, and nested groups in
|
Provides userspace tools for manipulating users, groups, and nested groups in
|
||||||
@ -309,6 +312,7 @@ Summary: The IPA back end of the SSSD
|
|||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
Conflicts: sssd < 1.10.0-8.beta2
|
Conflicts: sssd < 1.10.0-8.beta2
|
||||||
|
Requires: samba-client-libs >= %{samba_package_version}
|
||||||
Requires: sssd-common = %{version}-%{release}
|
Requires: sssd-common = %{version}-%{release}
|
||||||
Requires: sssd-krb5-common = %{version}-%{release}
|
Requires: sssd-krb5-common = %{version}-%{release}
|
||||||
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
|
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
|
||||||
@ -325,6 +329,7 @@ Summary: The AD back end of the SSSD
|
|||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
Conflicts: sssd < 1.10.0-8.beta2
|
Conflicts: sssd < 1.10.0-8.beta2
|
||||||
|
Requires: samba-client-libs >= %{samba_package_version}
|
||||||
Requires: sssd-common = %{version}-%{release}
|
Requires: sssd-common = %{version}-%{release}
|
||||||
Requires: sssd-krb5-common = %{version}-%{release}
|
Requires: sssd-krb5-common = %{version}-%{release}
|
||||||
Requires: sssd-common-pac = %{version}-%{release}
|
Requires: sssd-common-pac = %{version}-%{release}
|
||||||
@ -597,6 +602,8 @@ autoreconf -ivf
|
|||||||
|
|
||||||
|
|
||||||
make %{?_smp_mflags} all docs
|
make %{?_smp_mflags} all docs
|
||||||
|
make -C po ja.gmo
|
||||||
|
make -C po fr.gmo
|
||||||
|
|
||||||
%check
|
%check
|
||||||
export CK_TIMEOUT_MULTIPLIER=10
|
export CK_TIMEOUT_MULTIPLIER=10
|
||||||
@ -1190,6 +1197,69 @@ fi
|
|||||||
%{_libdir}/%{name}/modules/libwbclient.so
|
%{_libdir}/%{name}/modules/libwbclient.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jun 11 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.3.0-2
|
||||||
|
- Resolves: rhbz#Bug 1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command.
|
||||||
|
|
||||||
|
* Mon Jun 08 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.3.0-1
|
||||||
|
- Resolves: rhbz#1839037 - Rebase SSSD for RHEL 8.3
|
||||||
|
- Resolves: rhbz#1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure
|
||||||
|
- Resolves: rhbz#1834156 - sssd or sssd-ad not updating their dependencies on "yum update" which breaks working
|
||||||
|
|
||||||
|
* Mon Mar 16 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.2.3-19
|
||||||
|
- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard
|
||||||
|
certificate EKU and perform an action based
|
||||||
|
on value when generating SSH key from a certificate
|
||||||
|
(additional patch)
|
||||||
|
|
||||||
|
* Fri Mar 13 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.2.3-19
|
||||||
|
- Resolves: rhbz#1810634 - id command taking 1+ minute for returning user
|
||||||
|
information
|
||||||
|
|
||||||
|
* Fri Feb 28 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-18
|
||||||
|
- Resolves: rhbz#1580506 - [RFE]: sssd to be able to read smartcard
|
||||||
|
certificate EKU and perform an action based
|
||||||
|
on value when generating SSH key from a certificate
|
||||||
|
|
||||||
|
* Mon Feb 24 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.2.3-17
|
||||||
|
- Resolves: rhbz#1718193 - p11_child should have an option to skip
|
||||||
|
C_WaitForSlotEvent if the PKCS#11 module
|
||||||
|
does not implement it properly
|
||||||
|
|
||||||
|
* Mon Feb 17 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.2.3-16
|
||||||
|
- Resolves: rhbz#1792331 - sssd_be crashes when krb5_realm and krb5_server is
|
||||||
|
omitted and auth_provider is krb5
|
||||||
|
|
||||||
|
* Wed Feb 12 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-15
|
||||||
|
- Resolves: rhbz#1754996 - [sssd] Tier 0 Localization
|
||||||
|
|
||||||
|
* Tue Jan 28 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-14
|
||||||
|
- Resolves: rhbz#1767514 - sssd requires timed sudoers ldap entries to be
|
||||||
|
specified up to the seconds
|
||||||
|
|
||||||
|
* Tue Jan 28 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-13
|
||||||
|
- Resolves: rhbz#1713368 - Add sssd-dbus package as a dependency of sssd-tools
|
||||||
|
|
||||||
|
* Tue Jan 28 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-12
|
||||||
|
* Resolves: rhbz#1794016 - sssd_be frequent crash
|
||||||
|
|
||||||
|
* Tue Jan 14 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-11
|
||||||
|
* Resolves: rhbz#1762415 - Force LDAPS over 636 with AD Access Provider
|
||||||
|
|
||||||
|
* Tue Jan 14 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-10
|
||||||
|
* Resolves: rhbz#1583592 - [RFE] Add configurable randomness to SSSD ldap
|
||||||
|
connection timeout
|
||||||
|
|
||||||
|
* Tue Jan 14 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-9
|
||||||
|
* Resolves: rhbz#1783190 - [abrt] [faf] sssd:
|
||||||
|
raise(): /usr/libexec/sssd/sssd_autofs killed by 6
|
||||||
|
|
||||||
|
|
||||||
|
* Thu Dec 19 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-8
|
||||||
|
* Resolves: rhbz#1785214 - server/be: SIGTERM handling is incorrect
|
||||||
|
|
||||||
|
* Thu Dec 19 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-7
|
||||||
|
* Resolves: rhbz#1785193 - Watchdog implementation or usage is incorrect
|
||||||
|
|
||||||
* Sun Dec 15 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-6
|
* Sun Dec 15 2019 Michal Židek <mzidek@redhat.com> - 2.2.3-6
|
||||||
* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized
|
* Resolves: rhbz#1704199 - pcscd rejecting sssd ldap_child as unauthorized
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user