New upstream release 1.13.1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1
This commit is contained in:
parent
996f9ec8f7
commit
05c3b14125
1
.gitignore
vendored
1
.gitignore
vendored
@ -64,3 +64,4 @@ sssd-1.2.91.tar.gz
|
||||
/sssd-1.12.5.tar.gz
|
||||
/sssd-1.13.0alpha.tar.gz
|
||||
/sssd-1.13.0.tar.gz
|
||||
/sssd-1.13.1.tar.gz
|
||||
|
@ -1,25 +0,0 @@
|
||||
From adac3439a9f7de30400420c650b3f3b9c80fe285 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 29 Jun 2015 21:54:26 +0200
|
||||
Subject: [PATCH] SSSDConfig: return list for list_active_domains
|
||||
|
||||
---
|
||||
src/config/SSSDConfig/__init__.py.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
||||
index f2d9bf0190745d4a5296c56212e5ff97681db59c..b9219bf1ed52c765e70076faa45cc6621f73b50c 100644
|
||||
--- a/src/config/SSSDConfig/__init__.py.in
|
||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
||||
@@ -1778,7 +1778,7 @@ class SSSDConfig(SSSDChangeConf):
|
||||
if dom not in configured_domains:
|
||||
del domain_dict[dom]
|
||||
|
||||
- active_domains = domain_dict.keys()
|
||||
+ active_domains = list(domain_dict.keys())
|
||||
else:
|
||||
active_domains = []
|
||||
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,32 +0,0 @@
|
||||
From 3c0ed7ebf698f69ce1643d0f41d758fc730e06a7 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 14 Jul 2015 12:48:47 +0200
|
||||
Subject: [PATCH] KRB5: Return right data provider error code
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/2719
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/providers/krb5/krb5_wait_queue.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_wait_queue.c b/src/providers/krb5/krb5_wait_queue.c
|
||||
index 126209620dcd22889cf7bcb1cbec1890b8891b41..b4d3f903a94c9fdfffc975f1dfd10a27ab653a8d 100644
|
||||
--- a/src/providers/krb5/krb5_wait_queue.c
|
||||
+++ b/src/providers/krb5/krb5_wait_queue.c
|
||||
@@ -366,7 +366,7 @@ int krb5_auth_queue_recv(struct tevent_req *req,
|
||||
}
|
||||
|
||||
if (_dp_err) {
|
||||
- *_dp_err = state->pam_status;
|
||||
+ *_dp_err = state->dp_err;
|
||||
}
|
||||
|
||||
TEVENT_REQ_RETURN_ON_ERROR(req);
|
||||
--
|
||||
2.4.3
|
||||
|
@ -1,98 +0,0 @@
|
||||
From a74f42e33fd62be175c30574242a214cdce14b06 Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Reichl <preichl@redhat.com>
|
||||
Date: Wed, 8 Jul 2015 09:01:24 -0400
|
||||
Subject: [PATCH 03/14] DYNDNS: sss_iface_addr_list_get return ENOENT
|
||||
|
||||
If none of eligible interfaces matches ifname then ENOENT is returned.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/2549
|
||||
---
|
||||
src/providers/dp_dyndns.c | 13 +++++++++++--
|
||||
src/providers/ldap/sdap_dyndns.c | 6 +++++-
|
||||
src/tests/cmocka/test_dyndns.c | 20 ++++++++++++++++++++
|
||||
3 files changed, 36 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/dp_dyndns.c b/src/providers/dp_dyndns.c
|
||||
index 1cac3d0fae2454cea823ed640a4325f27580353f..2ac43a108ff6197d9e2662198a6da976ca348e76 100644
|
||||
--- a/src/providers/dp_dyndns.c
|
||||
+++ b/src/providers/dp_dyndns.c
|
||||
@@ -222,8 +222,17 @@ sss_iface_addr_list_get(TALLOC_CTX *mem_ctx, const char *ifname,
|
||||
}
|
||||
}
|
||||
|
||||
- ret = EOK;
|
||||
- *_addrlist = addrlist;
|
||||
+ if (addrlist != NULL) {
|
||||
+ /* OK, some result was found */
|
||||
+ ret = EOK;
|
||||
+ *_addrlist = addrlist;
|
||||
+ } else {
|
||||
+ /* No result was found */
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "No IPs usable for DNS was found for interface: %s.\n", ifname);
|
||||
+ ret = ENOENT;
|
||||
+ }
|
||||
+
|
||||
done:
|
||||
freeifaddrs(ifaces);
|
||||
return ret;
|
||||
diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c
|
||||
index 0d9c9205792062378aa25aad6ac706058001433a..e99a4f6687035928f6775c38b9df6b2a06d38f38 100644
|
||||
--- a/src/providers/ldap/sdap_dyndns.c
|
||||
+++ b/src/providers/ldap/sdap_dyndns.c
|
||||
@@ -502,8 +502,12 @@ sdap_dyndns_get_addrs_send(TALLOC_CTX *mem_ctx,
|
||||
if (iface) {
|
||||
ret = sss_iface_addr_list_get(state, iface, &state->addresses);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ DEBUG(ret == ENOENT ? SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE,
|
||||
"Cannot get list of addresses from interface %s\n", iface);
|
||||
+ /* non critical failure */
|
||||
+ if (ret == ENOENT) {
|
||||
+ ret = EOK;
|
||||
+ }
|
||||
}
|
||||
/* We're done. Just fake an async request completion */
|
||||
goto done;
|
||||
diff --git a/src/tests/cmocka/test_dyndns.c b/src/tests/cmocka/test_dyndns.c
|
||||
index 689e333d4e68c4a2582894d06b8b7b20c76b9be8..3214e90c063ea9a4cf6f6bc6507bf4e37b7d23a4 100644
|
||||
--- a/src/tests/cmocka/test_dyndns.c
|
||||
+++ b/src/tests/cmocka/test_dyndns.c
|
||||
@@ -247,6 +247,23 @@ void dyndns_test_get_multi_ifaddr(void **state)
|
||||
assert_true(check_leaks_pop(dyndns_test_ctx) == true);
|
||||
}
|
||||
|
||||
+void dyndns_test_get_ifaddr_enoent(void **state)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+ struct sss_iface_addr *addrlist = NULL;
|
||||
+
|
||||
+ check_leaks_push(dyndns_test_ctx);
|
||||
+ will_return_getifaddrs("eth0", "192.168.0.1");
|
||||
+ will_return_getifaddrs("eth1", "192.168.0.2");
|
||||
+ will_return_getifaddrs(NULL, NULL); /* sentinel */
|
||||
+ ret = sss_iface_addr_list_get(dyndns_test_ctx, "non_existing_interface",
|
||||
+ &addrlist);
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ talloc_free(addrlist);
|
||||
+
|
||||
+ assert_true(check_leaks_pop(dyndns_test_ctx) == true);
|
||||
+}
|
||||
+
|
||||
void dyndns_test_ok(void **state)
|
||||
{
|
||||
struct tevent_req *req;
|
||||
@@ -460,6 +477,9 @@ int main(int argc, const char *argv[])
|
||||
cmocka_unit_test_setup_teardown(dyndns_test_get_multi_ifaddr,
|
||||
dyndns_test_simple_setup,
|
||||
dyndns_test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(dyndns_test_get_ifaddr_enoent,
|
||||
+ dyndns_test_simple_setup,
|
||||
+ dyndns_test_teardown),
|
||||
|
||||
/* Dynamic DNS update unit tests*/
|
||||
cmocka_unit_test_setup_teardown(dyndns_test_ok,
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,194 +0,0 @@
|
||||
From 7a7696e489087f3e02f7d484766dc55112fe7803 Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Reichl <preichl@redhat.com>
|
||||
Date: Wed, 8 Jul 2015 09:08:03 -0400
|
||||
Subject: [PATCH 04/14] DYNDNS: support mult. interfaces for dyndns_iface opt
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/2549
|
||||
---
|
||||
src/man/sssd-ad.5.xml | 11 +++---
|
||||
src/man/sssd-ipa.5.xml | 10 ++++--
|
||||
src/providers/dp_dyndns.c | 6 ++++
|
||||
src/providers/dp_dyndns.h | 4 +++
|
||||
src/providers/ldap/sdap_dyndns.c | 72 +++++++++++++++++++++++++++++++++++-----
|
||||
5 files changed, 87 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
|
||||
index 938a443e027b9bf83c75c240a7d6b2a0876b92c8..ff43ea37066514a87934d07b141e680416dcc05b 100644
|
||||
--- a/src/man/sssd-ad.5.xml
|
||||
+++ b/src/man/sssd-ad.5.xml
|
||||
@@ -754,15 +754,16 @@ ad_gpo_map_deny = +my_pam_service
|
||||
<listitem>
|
||||
<para>
|
||||
Optional. Applicable only when dyndns_update
|
||||
- is true. Choose the interface whose IP address
|
||||
- should be used for dynamic DNS updates.
|
||||
- </para>
|
||||
- <para>
|
||||
- NOTE: This option currently supports only one interface.
|
||||
+ is true. Choose the interface or a list of interfaces
|
||||
+ whose IP addresses should be used for dynamic DNS
|
||||
+ updates.
|
||||
</para>
|
||||
<para>
|
||||
Default: Use the IP address of the AD LDAP connection
|
||||
</para>
|
||||
+ <para>
|
||||
+ Example: dyndns_iface = em1, vnet1, vnet2
|
||||
+ </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
|
||||
index 0716b6235f93965170983856b930799bfded6258..d450c2fadbb1713096ff766bf536702195cfd137 100644
|
||||
--- a/src/man/sssd-ipa.5.xml
|
||||
+++ b/src/man/sssd-ipa.5.xml
|
||||
@@ -166,11 +166,12 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Optional. Applicable only when dyndns_update
|
||||
- is true. Choose the interface whose IP address
|
||||
- should be used for dynamic DNS updates.
|
||||
+ is true. Choose the interface or a list of interfaces
|
||||
+ whose IP addresses should be used for dynamic DNS
|
||||
+ updates.
|
||||
</para>
|
||||
<para>
|
||||
- NOTE: This option currently supports only one interface.
|
||||
+ NOTE: This option currently supports multiple interfaces.
|
||||
</para>
|
||||
<para>
|
||||
NOTE: While it is still possible to use the old
|
||||
@@ -181,6 +182,9 @@
|
||||
<para>
|
||||
Default: Use the IP address of the IPA LDAP connection
|
||||
</para>
|
||||
+ <para>
|
||||
+ Example: dyndns_iface = em1, vnet1, vnet2
|
||||
+ </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
diff --git a/src/providers/dp_dyndns.c b/src/providers/dp_dyndns.c
|
||||
index 2ac43a108ff6197d9e2662198a6da976ca348e76..76562840ef1d427629e41617b871caaedab779d4 100644
|
||||
--- a/src/providers/dp_dyndns.c
|
||||
+++ b/src/providers/dp_dyndns.c
|
||||
@@ -49,6 +49,12 @@ struct sss_iface_addr {
|
||||
struct sockaddr_storage *addr;
|
||||
};
|
||||
|
||||
+void sss_iface_addr_concatenate(struct sss_iface_addr **list,
|
||||
+ struct sss_iface_addr *list2)
|
||||
+{
|
||||
+ DLIST_CONCATENATE((*list), list2, struct sss_iface_addr*);
|
||||
+}
|
||||
+
|
||||
struct sss_iface_addr *
|
||||
sss_iface_addr_add(TALLOC_CTX *mem_ctx, struct sss_iface_addr **list,
|
||||
struct sockaddr_storage *ss)
|
||||
diff --git a/src/providers/dp_dyndns.h b/src/providers/dp_dyndns.h
|
||||
index 23b833dace58a0ecbb1e2e21963a55186f1d06a8..deba112538ad22cd7f59be07934778ee9d4361e7 100644
|
||||
--- a/src/providers/dp_dyndns.h
|
||||
+++ b/src/providers/dp_dyndns.h
|
||||
@@ -128,4 +128,8 @@ nsupdate_get_addrs_recv(struct tevent_req *req,
|
||||
struct sss_iface_addr **_addrlist,
|
||||
size_t *_count);
|
||||
|
||||
+void
|
||||
+sss_iface_addr_concatenate(struct sss_iface_addr **list,
|
||||
+ struct sss_iface_addr *list2);
|
||||
+
|
||||
#endif /* DP_DYNDNS_H_ */
|
||||
diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c
|
||||
index e99a4f6687035928f6775c38b9df6b2a06d38f38..f5929cff3db6f724efcedeb963e3a12d04f6e1d3 100644
|
||||
--- a/src/providers/ldap/sdap_dyndns.c
|
||||
+++ b/src/providers/ldap/sdap_dyndns.c
|
||||
@@ -482,6 +482,65 @@ static void sdap_dyndns_get_addrs_done(struct tevent_req *subreq);
|
||||
static errno_t sdap_dyndns_add_ldap_conn(struct sdap_dyndns_get_addrs_state *state,
|
||||
struct sdap_handle *sh);
|
||||
|
||||
+static errno_t get_ifaces_addrs(TALLOC_CTX *mem_ctx,
|
||||
+ const char *iface,
|
||||
+ struct sss_iface_addr **_result)
|
||||
+{
|
||||
+ struct sss_iface_addr *result_addrs = NULL;
|
||||
+ struct sss_iface_addr *intf_addrs;
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ char **list_of_intfs;
|
||||
+ int num_of_intfs;
|
||||
+ errno_t ret;
|
||||
+ int i;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = split_on_separator(tmp_ctx, iface, ',', true, true, &list_of_intfs,
|
||||
+ &num_of_intfs);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ "Parsing names of interfaces failed - %d:[%s].\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < num_of_intfs; i++) {
|
||||
+ ret = sss_iface_addr_list_get(tmp_ctx, list_of_intfs[i], &intf_addrs);
|
||||
+ if (ret == EOK) {
|
||||
+ if (result_addrs != NULL) {
|
||||
+ /* If there is already an existing list, head of this existing
|
||||
+ * list will be considered as parent talloc context for the
|
||||
+ * new list.
|
||||
+ */
|
||||
+ talloc_steal(result_addrs, intf_addrs);
|
||||
+ }
|
||||
+ sss_iface_addr_concatenate(&result_addrs, intf_addrs);
|
||||
+ } else if (ret == ENOENT) {
|
||||
+ /* non-critical failure */
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "Cannot get interface %s or there are no addresses "
|
||||
+ "bind to it.\n", list_of_intfs[i]);
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Cannot get list of addresses from interface %s - %d:[%s]\n",
|
||||
+ list_of_intfs[i], ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = EOK;
|
||||
+ *_result = talloc_steal(mem_ctx, result_addrs);
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static struct tevent_req *
|
||||
sdap_dyndns_get_addrs_send(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *ev,
|
||||
@@ -500,14 +559,11 @@ sdap_dyndns_get_addrs_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
if (iface) {
|
||||
- ret = sss_iface_addr_list_get(state, iface, &state->addresses);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(ret == ENOENT ? SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE,
|
||||
- "Cannot get list of addresses from interface %s\n", iface);
|
||||
- /* non critical failure */
|
||||
- if (ret == ENOENT) {
|
||||
- ret = EOK;
|
||||
- }
|
||||
+ ret = get_ifaces_addrs(state, iface, &state->addresses);
|
||||
+ if (ret != EOK || state->addresses == NULL) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ "get_ifaces_addrs() failed: %d:[%s]\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
}
|
||||
/* We're done. Just fake an async request completion */
|
||||
goto done;
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,107 +0,0 @@
|
||||
From ef7a48d5acc481a207ac2821fc43651641f1b298 Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Reichl <preichl@redhat.com>
|
||||
Date: Tue, 14 Jul 2015 04:21:34 -0400
|
||||
Subject: [PATCH 05/14] DYNDNS: special value '*' for dyndns_iface option
|
||||
|
||||
Option dyndns_iface has now special value '*' which implies that IPs
|
||||
from add interfaces should be sent during DDNS update.
|
||||
---
|
||||
src/man/sssd-ad.5.xml | 6 ++++--
|
||||
src/man/sssd-ipa.5.xml | 9 ++++-----
|
||||
src/providers/dp_dyndns.c | 20 ++++++++++++++++----
|
||||
3 files changed, 24 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
|
||||
index ff43ea37066514a87934d07b141e680416dcc05b..3cbc10520098372d984d00425d03832d002d6672 100644
|
||||
--- a/src/man/sssd-ad.5.xml
|
||||
+++ b/src/man/sssd-ad.5.xml
|
||||
@@ -756,10 +756,12 @@ ad_gpo_map_deny = +my_pam_service
|
||||
Optional. Applicable only when dyndns_update
|
||||
is true. Choose the interface or a list of interfaces
|
||||
whose IP addresses should be used for dynamic DNS
|
||||
- updates.
|
||||
+ updates. Special value <quote>*</quote> implies that
|
||||
+ IPs from all interfaces should be used.
|
||||
</para>
|
||||
<para>
|
||||
- Default: Use the IP address of the AD LDAP connection
|
||||
+ Default: Use the IP addresses of the interface which
|
||||
+ is used for AD LDAP connection
|
||||
</para>
|
||||
<para>
|
||||
Example: dyndns_iface = em1, vnet1, vnet2
|
||||
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
|
||||
index d450c2fadbb1713096ff766bf536702195cfd137..2e985991fde10827aff0e7c8e67f29a009683450 100644
|
||||
--- a/src/man/sssd-ipa.5.xml
|
||||
+++ b/src/man/sssd-ipa.5.xml
|
||||
@@ -168,10 +168,8 @@
|
||||
Optional. Applicable only when dyndns_update
|
||||
is true. Choose the interface or a list of interfaces
|
||||
whose IP addresses should be used for dynamic DNS
|
||||
- updates.
|
||||
- </para>
|
||||
- <para>
|
||||
- NOTE: This option currently supports multiple interfaces.
|
||||
+ updates. Special value <quote>*</quote> implies that
|
||||
+ IPs from all interfaces should be used.
|
||||
</para>
|
||||
<para>
|
||||
NOTE: While it is still possible to use the old
|
||||
@@ -180,7 +178,8 @@
|
||||
in their config file.
|
||||
</para>
|
||||
<para>
|
||||
- Default: Use the IP address of the IPA LDAP connection
|
||||
+ Default: Use the IP addresses of the interface which
|
||||
+ is used for IPA LDAP connection
|
||||
</para>
|
||||
<para>
|
||||
Example: dyndns_iface = em1, vnet1, vnet2
|
||||
diff --git a/src/providers/dp_dyndns.c b/src/providers/dp_dyndns.c
|
||||
index 76562840ef1d427629e41617b871caaedab779d4..03389acfba13e566540ca8b0570c0d009173575f 100644
|
||||
--- a/src/providers/dp_dyndns.c
|
||||
+++ b/src/providers/dp_dyndns.c
|
||||
@@ -42,6 +42,9 @@
|
||||
#define DYNDNS_TIMEOUT 15
|
||||
#endif /* DYNDNS_TIMEOUT */
|
||||
|
||||
+/* MASK represents special value for matching all interfaces */
|
||||
+#define MASK "*"
|
||||
+
|
||||
struct sss_iface_addr {
|
||||
struct sss_iface_addr *next;
|
||||
struct sss_iface_addr *prev;
|
||||
@@ -171,6 +174,16 @@ ok_for_dns(struct sockaddr *sa)
|
||||
return true;
|
||||
}
|
||||
|
||||
+static bool supported_address_family(sa_family_t sa_family)
|
||||
+{
|
||||
+ return sa_family == AF_INET || sa_family == AF_INET6;
|
||||
+}
|
||||
+
|
||||
+static bool matching_name(const char *ifname, const char *ifname2)
|
||||
+{
|
||||
+ return (strcmp(MASK, ifname) == 0) || (strcasecmp(ifname, ifname2) == 0);
|
||||
+}
|
||||
+
|
||||
/* Collect IP addresses associated with an interface */
|
||||
errno_t
|
||||
sss_iface_addr_list_get(TALLOC_CTX *mem_ctx, const char *ifname,
|
||||
@@ -200,10 +213,9 @@ sss_iface_addr_list_get(TALLOC_CTX *mem_ctx, const char *ifname,
|
||||
if (!ifa->ifa_addr) continue;
|
||||
|
||||
/* Add IP addresses to the list */
|
||||
- if ((ifa->ifa_addr->sa_family == AF_INET ||
|
||||
- ifa->ifa_addr->sa_family == AF_INET6) &&
|
||||
- strcasecmp(ifa->ifa_name, ifname) == 0 &&
|
||||
- ok_for_dns(ifa->ifa_addr)) {
|
||||
+ if (supported_address_family(ifa->ifa_addr->sa_family)
|
||||
+ && matching_name(ifname, ifa->ifa_name)
|
||||
+ && ok_for_dns(ifa->ifa_addr)) {
|
||||
|
||||
/* Add this address to the IP address list */
|
||||
address = talloc_zero(mem_ctx, struct sss_iface_addr);
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,130 +0,0 @@
|
||||
From cef454da178e7e7f097fade886f4d06ba6aa0f4f Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Reichl <preichl@redhat.com>
|
||||
Date: Wed, 15 Jul 2015 10:58:38 -0400
|
||||
Subject: [PATCH 06/14] TESTS: dyndns tests support AAAA addresses
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/2558
|
||||
---
|
||||
src/tests/cmocka/test_dyndns.c | 51 +++++++++++++++++++++++++++++++-----------
|
||||
1 file changed, 38 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_dyndns.c b/src/tests/cmocka/test_dyndns.c
|
||||
index 3214e90c063ea9a4cf6f6bc6507bf4e37b7d23a4..e9d42cea37472b38ae2eb900368f2ce3f409fefc 100644
|
||||
--- a/src/tests/cmocka/test_dyndns.c
|
||||
+++ b/src/tests/cmocka/test_dyndns.c
|
||||
@@ -97,7 +97,9 @@ int __wrap_getifaddrs(struct ifaddrs **_ifap)
|
||||
struct ifaddrs *ifap_head = NULL;
|
||||
char *name;
|
||||
char *straddr;
|
||||
+ int ad_family;
|
||||
struct sockaddr_in *sa;
|
||||
+ void *dst;
|
||||
|
||||
while ((name = sss_mock_ptr_type(char *)) != NULL) {
|
||||
straddr = sss_mock_ptr_type(char *);
|
||||
@@ -105,6 +107,7 @@ int __wrap_getifaddrs(struct ifaddrs **_ifap)
|
||||
errno = EINVAL;
|
||||
goto fail;
|
||||
}
|
||||
+ ad_family = sss_mock_type(int);
|
||||
|
||||
ifap = talloc_zero(global_mock_context, struct ifaddrs);
|
||||
if (ifap == NULL) {
|
||||
@@ -127,15 +130,33 @@ int __wrap_getifaddrs(struct ifaddrs **_ifap)
|
||||
|
||||
/* Do not alocate directly on ifap->ifa_addr to
|
||||
* avoid alignment warnings */
|
||||
- sa = talloc(ifap, struct sockaddr_in);
|
||||
+ if (ad_family == AF_INET) {
|
||||
+ sa = talloc(ifap, struct sockaddr_in);
|
||||
+ } else if (ad_family == AF_INET6) {
|
||||
+ sa = (struct sockaddr_in *) talloc(ifap, struct sockaddr_in6);
|
||||
+ } else {
|
||||
+ errno = EINVAL;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
if (sa == NULL) {
|
||||
errno = ENOMEM;
|
||||
goto fail;
|
||||
}
|
||||
- sa->sin_family = AF_INET;
|
||||
+
|
||||
+ sa->sin_family = ad_family;
|
||||
+
|
||||
+ if (ad_family == AF_INET) {
|
||||
+ dst = &sa->sin_addr;
|
||||
+ } else if (ad_family == AF_INET6) {
|
||||
+ dst = &((struct sockaddr_in6 *)sa)->sin6_addr;
|
||||
+ } else {
|
||||
+ errno = EINVAL;
|
||||
+ goto fail;
|
||||
+ }
|
||||
|
||||
/* convert straddr into ifa_addr */
|
||||
- if (inet_pton(AF_INET, straddr, &sa->sin_addr) != 1) {
|
||||
+ if (inet_pton(ad_family, straddr, dst) != 1) {
|
||||
goto fail;
|
||||
}
|
||||
|
||||
@@ -167,12 +188,16 @@ static void dyndns_test_done(struct tevent_req *req)
|
||||
ctx->tctx->done = true;
|
||||
}
|
||||
|
||||
-void will_return_getifaddrs(const char *ifname, const char *straddr)
|
||||
+void will_return_getifaddrs(const char *ifname, const char *straddr,
|
||||
+ int af_family)
|
||||
{
|
||||
will_return(__wrap_getifaddrs, ifname);
|
||||
if (ifname) {
|
||||
will_return(__wrap_getifaddrs, straddr);
|
||||
}
|
||||
+ if (straddr) {
|
||||
+ will_return(__wrap_getifaddrs, af_family);
|
||||
+ }
|
||||
}
|
||||
|
||||
void dyndns_test_get_ifaddr(void **state)
|
||||
@@ -182,9 +207,9 @@ void dyndns_test_get_ifaddr(void **state)
|
||||
char straddr[128];
|
||||
|
||||
check_leaks_push(dyndns_test_ctx);
|
||||
- will_return_getifaddrs("eth0", "192.168.0.1");
|
||||
- will_return_getifaddrs("eth1", "192.168.0.2");
|
||||
- will_return_getifaddrs(NULL, NULL); /* sentinel */
|
||||
+ will_return_getifaddrs("eth0", "192.168.0.1", AF_INET);
|
||||
+ will_return_getifaddrs("eth1", "192.168.0.2", AF_INET);
|
||||
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
|
||||
ret = sss_iface_addr_list_get(dyndns_test_ctx, "eth0", &addrlist);
|
||||
assert_int_equal(ret, EOK);
|
||||
|
||||
@@ -212,9 +237,9 @@ void dyndns_test_get_multi_ifaddr(void **state)
|
||||
char straddr[128];
|
||||
|
||||
check_leaks_push(dyndns_test_ctx);
|
||||
- will_return_getifaddrs("eth0", "192.168.0.2");
|
||||
- will_return_getifaddrs("eth0", "192.168.0.1");
|
||||
- will_return_getifaddrs(NULL, NULL); /* sentinel */
|
||||
+ will_return_getifaddrs("eth0", "192.168.0.2", AF_INET);
|
||||
+ will_return_getifaddrs("eth0", "192.168.0.1", AF_INET);
|
||||
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
|
||||
ret = sss_iface_addr_list_get(dyndns_test_ctx, "eth0", &addrlist);
|
||||
assert_int_equal(ret, EOK);
|
||||
|
||||
@@ -253,9 +278,9 @@ void dyndns_test_get_ifaddr_enoent(void **state)
|
||||
struct sss_iface_addr *addrlist = NULL;
|
||||
|
||||
check_leaks_push(dyndns_test_ctx);
|
||||
- will_return_getifaddrs("eth0", "192.168.0.1");
|
||||
- will_return_getifaddrs("eth1", "192.168.0.2");
|
||||
- will_return_getifaddrs(NULL, NULL); /* sentinel */
|
||||
+ will_return_getifaddrs("eth0", "192.168.0.1", AF_INET);
|
||||
+ will_return_getifaddrs("eth1", "192.168.0.2", AF_INET);
|
||||
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
|
||||
ret = sss_iface_addr_list_get(dyndns_test_ctx, "non_existing_interface",
|
||||
&addrlist);
|
||||
assert_int_equal(ret, ENOENT);
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,88 +0,0 @@
|
||||
From 2322de0bd2fdc6b2ca64969df35662ab962620a4 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 21 Jul 2015 11:44:03 +0200
|
||||
Subject: [PATCH 07/14] IPA: Remove MPG groups if getgrgid was called before
|
||||
getpw()
|
||||
|
||||
https://fedorahosted.org/sssd/ticket/2724
|
||||
|
||||
This bug only affects IPA clients that are connected to IPA servers with
|
||||
AD trust and ID mapping in effect.
|
||||
|
||||
If an IPA client calls getgrgid() for an ID that matches a user, the
|
||||
user's private group would be returned and stored as a group entry.
|
||||
|
||||
Subsequent queries for that user would fail, because MPG domains impose
|
||||
uniqueness restriction for both the ID and name space across groups and
|
||||
users.
|
||||
|
||||
To work around that, we remove the UPG groups in MPG domains during a
|
||||
group lookup.
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_s2n_exop.c | 41 ++++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 39 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
||||
index 812a4bbd707faf5c184594b562c148d1e704fd58..1e6368dc7ef1a6f60b541409f7f6740d602f0d43 100644
|
||||
--- a/src/providers/ipa/ipa_s2n_exop.c
|
||||
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
||||
@@ -1764,6 +1764,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
||||
int tret;
|
||||
struct sysdb_attrs *gid_override_attrs = NULL;
|
||||
char ** exop_grouplist;
|
||||
+ struct ldb_message *msg;
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (tmp_ctx == NULL) {
|
||||
@@ -2005,8 +2006,44 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
||||
attrs->a.user.pw_dir, attrs->a.user.pw_shell,
|
||||
NULL, attrs->sysdb_attrs, NULL,
|
||||
timeout, now);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_user failed.\n");
|
||||
+ if (ret == EEXIST && dom->mpg == true) {
|
||||
+ /* This handles the case where getgrgid() was called for
|
||||
+ * this user, so a group was created in the cache
|
||||
+ */
|
||||
+ ret = sysdb_search_group_by_name(tmp_ctx, dom, name, NULL, &msg);
|
||||
+ if (ret != EOK) {
|
||||
+ /* Fail even on ENOENT, the group must be around */
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Could not delete MPG group [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_delete_group(dom, NULL, attrs->a.user.pw_uid);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sysdb_delete_group failed for MPG group [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_store_user(dom, name, NULL,
|
||||
+ attrs->a.user.pw_uid,
|
||||
+ gid, attrs->a.user.pw_gecos,
|
||||
+ attrs->a.user.pw_dir,
|
||||
+ attrs->a.user.pw_shell,
|
||||
+ NULL, attrs->sysdb_attrs, NULL,
|
||||
+ timeout, now);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sysdb_store_user failed for MPG user [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+ } else if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sysdb_store_user failed [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,27 +0,0 @@
|
||||
From f2fd03807a6a7d92b706f0964bd1bcf172766cd6 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 22 Jul 2015 15:17:57 +0200
|
||||
Subject: [PATCH 08/14] IPA: Better debugging
|
||||
|
||||
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_subdomains_server.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
|
||||
index cd8c6301c4e4fbbf194ca98ce7a7bfe6215b381c..a9e2c1f700ef47716be868bad68590b8d5d0d42a 100644
|
||||
--- a/src/providers/ipa/ipa_subdomains_server.c
|
||||
+++ b/src/providers/ipa/ipa_subdomains_server.c
|
||||
@@ -623,6 +623,9 @@ ipa_server_trust_add_send(TALLOC_CTX *mem_ctx,
|
||||
|
||||
immediate:
|
||||
if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Could not add trusted subdomain %s from forest %s\n",
|
||||
+ subdom->name, state->forest);
|
||||
tevent_req_error(req, ret);
|
||||
} else {
|
||||
tevent_req_done(req);
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,50 +0,0 @@
|
||||
From b5e5c04b5af74537c95213a72d4c916b50c05588 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 22 Jul 2015 16:29:09 +0200
|
||||
Subject: [PATCH 09/14] UTIL: Lower debug level in perform_checks()
|
||||
|
||||
Failures in perform_checks() don't have to be fatal, therefore the debug
|
||||
messages shouldn't be either.
|
||||
|
||||
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
src/util/check_and_open.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/util/check_and_open.c b/src/util/check_and_open.c
|
||||
index 59b90bf4b96731e385fcf92ed8bc251cb94abfda..b40ae2003e3de22ce9e4ca07cecc68e18a7abab4 100644
|
||||
--- a/src/util/check_and_open.c
|
||||
+++ b/src/util/check_and_open.c
|
||||
@@ -99,12 +99,12 @@ static errno_t perform_checks(struct stat *stat_buf,
|
||||
}
|
||||
|
||||
if ((mode & S_IFMT) != (st_mode & S_IFMT)) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "File is not the right type.\n");
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "File is not the right type.\n");
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
if ((st_mode & ALLPERMS) != (mode & ALLPERMS)) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS,
|
||||
"File has the wrong (bit masked) mode [%.7o], "
|
||||
"expected [%.7o].\n",
|
||||
(st_mode & ALLPERMS), (mode & ALLPERMS));
|
||||
@@ -112,12 +112,12 @@ static errno_t perform_checks(struct stat *stat_buf,
|
||||
}
|
||||
|
||||
if (uid != (uid_t)(-1) && stat_buf->st_uid != uid) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "File must be owned by uid [%d].\n", uid);
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "File must be owned by uid [%d].\n", uid);
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
if (gid != (gid_t)(-1) && stat_buf->st_gid != gid) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "File must be owned by gid [%d].\n", gid);
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "File must be owned by gid [%d].\n", gid);
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,116 +0,0 @@
|
||||
From 629fba06bc02e6ff4b25680532d298552fa55b22 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 22 Jul 2015 17:20:11 +0200
|
||||
Subject: [PATCH 10/14] IPA: Handle sssd-owned keytabs when running as root
|
||||
|
||||
https://fedorahosted.org/sssd/ticket/2718
|
||||
|
||||
This patch handles the case where the keytab is created with sssd:sssd
|
||||
ownership (perhaps by the IPA oddjob script) but SSSD runs as root,
|
||||
which is the default in many distributions.
|
||||
|
||||
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_subdomains.h | 3 ++
|
||||
src/providers/ipa/ipa_subdomains_server.c | 46 +++++++++++++++++++++++++------
|
||||
2 files changed, 41 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
|
||||
index 5bc63a173a1a8967eb5de30a2da84a81377d3900..2302c5f03e80de2ea1efad424769e777cd6dd8d5 100644
|
||||
--- a/src/providers/ipa/ipa_subdomains.h
|
||||
+++ b/src/providers/ipa/ipa_subdomains.h
|
||||
@@ -94,6 +94,9 @@ struct ipa_server_mode_ctx {
|
||||
|
||||
struct ipa_ad_server_ctx *trusts;
|
||||
struct ipa_ext_groups *ext_groups;
|
||||
+
|
||||
+ uid_t kt_owner_uid;
|
||||
+ uid_t kt_owner_gid;
|
||||
};
|
||||
|
||||
int ipa_ad_subdom_init(struct be_ctx *be_ctx,
|
||||
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
|
||||
index a9e2c1f700ef47716be868bad68590b8d5d0d42a..4bfea61e6dd0a02f6b723a39f7ba236c914009b0 100644
|
||||
--- a/src/providers/ipa/ipa_subdomains_server.c
|
||||
+++ b/src/providers/ipa/ipa_subdomains_server.c
|
||||
@@ -520,16 +520,28 @@ static errno_t ipa_getkeytab_recv(struct tevent_req *req, int *child_status)
|
||||
return EOK;
|
||||
}
|
||||
|
||||
-static errno_t ipa_check_keytab(const char *keytab)
|
||||
+static errno_t ipa_check_keytab(const char *keytab,
|
||||
+ uid_t kt_owner_uid,
|
||||
+ gid_t kt_owner_gid)
|
||||
{
|
||||
errno_t ret;
|
||||
|
||||
ret = check_file(keytab, getuid(), getgid(), S_IFREG|0600, 0, NULL, false);
|
||||
- if (ret != EOK) {
|
||||
- if (ret != ENOENT) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab);
|
||||
- } else {
|
||||
- DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
|
||||
+ if (ret == ENOENT) {
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
|
||||
+ goto done;
|
||||
+ } else if (ret != EOK) {
|
||||
+ if (kt_owner_uid) {
|
||||
+ ret = check_file(keytab, kt_owner_uid, kt_owner_gid,
|
||||
+ S_IFREG|0600, 0, NULL, false);
|
||||
+ }
|
||||
+
|
||||
+ if (ret != EOK) {
|
||||
+ if (ret != ENOENT) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab);
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
|
||||
+ }
|
||||
}
|
||||
goto done;
|
||||
}
|
||||
@@ -648,7 +660,9 @@ static errno_t ipa_server_trust_add_1way(struct tevent_req *req)
|
||||
return EIO;
|
||||
}
|
||||
|
||||
- ret = ipa_check_keytab(state->keytab);
|
||||
+ ret = ipa_check_keytab(state->keytab,
|
||||
+ state->id_ctx->server_mode->kt_owner_uid,
|
||||
+ state->id_ctx->server_mode->kt_owner_gid);
|
||||
if (ret == EOK) {
|
||||
DEBUG(SSSDBG_TRACE_FUNC,
|
||||
"Keytab already present, can add the trust\n");
|
||||
@@ -704,7 +718,9 @@ static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq)
|
||||
DEBUG(SSSDBG_TRACE_FUNC,
|
||||
"Keytab successfully retrieved to %s\n", state->keytab);
|
||||
|
||||
- ret = ipa_check_keytab(state->keytab);
|
||||
+ ret = ipa_check_keytab(state->keytab,
|
||||
+ state->id_ctx->server_mode->kt_owner_uid,
|
||||
+ state->id_ctx->server_mode->kt_owner_gid);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "ipa_check_keytab failed: %d\n", ret);
|
||||
tevent_req_error(req, ret);
|
||||
@@ -1029,6 +1045,20 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
|
||||
id_ctx->server_mode->hostname = hostname;
|
||||
id_ctx->server_mode->trusts = NULL;
|
||||
id_ctx->server_mode->ext_groups = NULL;
|
||||
+ id_ctx->server_mode->kt_owner_uid = 0;
|
||||
+ id_ctx->server_mode->kt_owner_gid = 0;
|
||||
+
|
||||
+ if (getuid() == 0) {
|
||||
+ /* We need to handle keytabs created by IPA oddjob script gracefully
|
||||
+ * even if we're running as root and IPA creates them as the SSSD user
|
||||
+ */
|
||||
+ ret = sss_user_by_name_or_uid(SSSD_USER,
|
||||
+ &id_ctx->server_mode->kt_owner_uid,
|
||||
+ &id_ctx->server_mode->kt_owner_gid);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get ID of %s\n", SSSD_USER);
|
||||
+ }
|
||||
+ }
|
||||
|
||||
ret = ipa_ad_subdom_reinit(be_ctx, be_ctx->ev,
|
||||
be_ctx, id_ctx, be_ctx->domain);
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,47 +0,0 @@
|
||||
From 4c4bc726cfc0207681c00fc386e3707d47bfe3a4 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 10 Aug 2015 12:40:30 +0200
|
||||
Subject: [PATCH 11/14] LDAP: use ldb_binary_encode when printing attribute
|
||||
values
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ldap/sdap_utils.c | 11 ++++++++++-
|
||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ldap/sdap_utils.c b/src/providers/ldap/sdap_utils.c
|
||||
index f5ce8ee54f60a6c4c4cdbd5e50b20d973c175e83..9da46ea70bf80e7f4d12fdfc7d1c97e99de8d000 100644
|
||||
--- a/src/providers/ldap/sdap_utils.c
|
||||
+++ b/src/providers/ldap/sdap_utils.c
|
||||
@@ -35,6 +35,7 @@ sdap_attrs_add_ldap_attr(struct sysdb_attrs *ldap_attrs,
|
||||
const char *objname = name ?: "object";
|
||||
const char *desc = attr_desc ?: attr_name;
|
||||
unsigned int num_values, i;
|
||||
+ char *printable;
|
||||
|
||||
ret = sysdb_attrs_get_el(ldap_attrs, attr_name, &el);
|
||||
if (ret) {
|
||||
@@ -50,8 +51,16 @@ sdap_attrs_add_ldap_attr(struct sysdb_attrs *ldap_attrs,
|
||||
} else {
|
||||
num_values = multivalued ? el->num_values : 1;
|
||||
for (i = 0; i < num_values; i++) {
|
||||
+ printable = ldb_binary_encode(ldap_attrs, el->values[i]);
|
||||
+ if (printable == NULL) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldb_binary_encode failed..\n");
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
DEBUG(SSSDBG_TRACE_INTERNAL, "Adding %s [%s] to attributes "
|
||||
- "of [%s].\n", desc, el->values[i].data, objname);
|
||||
+ "of [%s].\n", desc, printable, objname);
|
||||
+
|
||||
+ talloc_zfree(printable);
|
||||
|
||||
ret = sysdb_attrs_add_mem(attrs, attr_name, el->values[i].data,
|
||||
el->values[i].length);
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,50 +0,0 @@
|
||||
From 4c8af4a9bd8b0cdfa6820b3a39ae958869957dcb Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 10 Aug 2015 12:40:39 +0200
|
||||
Subject: [PATCH 12/14] IPA: Change the default of ldap_user_certificate to
|
||||
userCertificate;binary
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is safe from ldb point of view, because ldb gurantees the data is
|
||||
NULL-terminated. We must be careful before we save the data, though.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/2742
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/man/sssd-ldap.5.xml | 2 +-
|
||||
src/providers/ipa/ipa_opts.h | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
|
||||
index f14090843fd32141ad4f491b69868aa7b2412301..0239f656e4fab7d8d85a922fdd0978acd80a236b 100644
|
||||
--- a/src/man/sssd-ldap.5.xml
|
||||
+++ b/src/man/sssd-ldap.5.xml
|
||||
@@ -821,7 +821,7 @@
|
||||
certificate of the user.
|
||||
</para>
|
||||
<para>
|
||||
- Default: no set in the general case, userCertificate
|
||||
+ Default: no set in the general case, userCertificate;binary
|
||||
for IPA
|
||||
</para>
|
||||
</listitem>
|
||||
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
|
||||
index 253c0715355536cc181c57beed5326a77e87e464..2f92ad765a1ca53611ed82e5e749c39d6f20a150 100644
|
||||
--- a/src/providers/ipa/ipa_opts.h
|
||||
+++ b/src/providers/ipa/ipa_opts.h
|
||||
@@ -203,7 +203,7 @@ struct sdap_attr_map ipa_user_map[] = {
|
||||
{ "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
|
||||
{ "ldap_user_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL },
|
||||
{ "ldap_user_auth_type", "ipaUserAuthType", SYSDB_AUTH_TYPE, NULL },
|
||||
- { "ldap_user_certificate", "userCertificate", SYSDB_USER_CERT, NULL },
|
||||
+ { "ldap_user_certificate", "userCertificate;binary", SYSDB_USER_CERT, NULL },
|
||||
SDAP_ATTR_MAP_TERMINATOR
|
||||
};
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,377 +0,0 @@
|
||||
From e3f5577a446e1f6f37c1dfd2c7d6c95f5c4551ab Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 12 Aug 2015 12:41:44 +0200
|
||||
Subject: [PATCH 13/14] UTIL: Provide a common interface to safely create
|
||||
temporary files
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_utils.c | 175 ++++++++++++++++++++++++++++++++++++++++++
|
||||
src/util/util.c | 127 ++++++++++++++++++++++++++++++
|
||||
src/util/util.h | 21 +++++
|
||||
3 files changed, 323 insertions(+)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
|
||||
index d3d00feda0bdd4048519f90ba48ae9d1042a95a1..c7ebe0997ec00197e8852bedbcf26ef1f6394fc3 100644
|
||||
--- a/src/tests/cmocka/test_utils.c
|
||||
+++ b/src/tests/cmocka/test_utils.c
|
||||
@@ -1212,6 +1212,168 @@ void test_fix_domain_in_name_list(void **state)
|
||||
talloc_free(dom);
|
||||
}
|
||||
|
||||
+struct unique_file_test_ctx {
|
||||
+ char *filename;
|
||||
+};
|
||||
+
|
||||
+static int unique_file_test_setup(void **state)
|
||||
+{
|
||||
+ struct unique_file_test_ctx *test_ctx;
|
||||
+
|
||||
+ assert_true(leak_check_setup());
|
||||
+ check_leaks_push(global_talloc_context);
|
||||
+
|
||||
+ test_ctx = talloc_zero(global_talloc_context, struct unique_file_test_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ test_ctx->filename = talloc_strdup(test_ctx, "test_unique_file_XXXXXX");
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ *state = test_ctx;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int unique_file_test_teardown(void **state)
|
||||
+{
|
||||
+ struct unique_file_test_ctx *test_ctx;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ test_ctx = talloc_get_type(*state, struct unique_file_test_ctx);
|
||||
+
|
||||
+ errno = 0;
|
||||
+ ret = unlink(test_ctx->filename);
|
||||
+ if (ret != 0 && errno != ENOENT) {
|
||||
+ fail();
|
||||
+ }
|
||||
+
|
||||
+ talloc_free(test_ctx);
|
||||
+ assert_true(check_leaks_pop(global_talloc_context) == true);
|
||||
+ assert_true(leak_check_teardown());
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static void assert_destructor(TALLOC_CTX *owner,
|
||||
+ struct unique_file_test_ctx *test_ctx)
|
||||
+{
|
||||
+ int fd;
|
||||
+ errno_t ret;
|
||||
+ char *check_filename;
|
||||
+
|
||||
+ /* Test that the destructor works */
|
||||
+ if (owner == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ check_filename = talloc_strdup(test_ctx, test_ctx->filename);
|
||||
+ assert_non_null(check_filename);
|
||||
+
|
||||
+ talloc_free(owner);
|
||||
+
|
||||
+ ret = check_and_open_readonly(test_ctx->filename, &fd,
|
||||
+ geteuid(), getegid(),
|
||||
+ (S_IRUSR | S_IWUSR | S_IFREG), 0);
|
||||
+ close(fd);
|
||||
+ assert_int_not_equal(ret, EOK);
|
||||
+}
|
||||
+
|
||||
+static void sss_unique_file_test(struct unique_file_test_ctx *test_ctx,
|
||||
+ bool test_destructor)
|
||||
+{
|
||||
+ int fd;
|
||||
+ errno_t ret;
|
||||
+ struct stat sb;
|
||||
+ TALLOC_CTX *owner = NULL;
|
||||
+
|
||||
+ if (test_destructor) {
|
||||
+ owner = talloc_new(test_ctx);
|
||||
+ assert_non_null(owner);
|
||||
+ }
|
||||
+
|
||||
+ fd = sss_unique_file(owner, test_ctx->filename, &ret);
|
||||
+ assert_int_not_equal(fd, -1);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ ret = check_fd(fd, geteuid(), getegid(),
|
||||
+ (S_IRUSR | S_IWUSR | S_IFREG), 0, &sb);
|
||||
+ close(fd);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ assert_destructor(owner, test_ctx);
|
||||
+}
|
||||
+
|
||||
+static void test_sss_unique_file(void **state)
|
||||
+{
|
||||
+ struct unique_file_test_ctx *test_ctx;
|
||||
+ test_ctx = talloc_get_type(*state, struct unique_file_test_ctx);
|
||||
+ sss_unique_file_test(test_ctx, false);
|
||||
+}
|
||||
+
|
||||
+static void test_sss_unique_file_destruct(void **state)
|
||||
+{
|
||||
+ struct unique_file_test_ctx *test_ctx;
|
||||
+ test_ctx = talloc_get_type(*state, struct unique_file_test_ctx);
|
||||
+ sss_unique_file_test(test_ctx, true);
|
||||
+}
|
||||
+
|
||||
+static void test_sss_unique_file_neg(void **state)
|
||||
+{
|
||||
+ int fd;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ fd = sss_unique_file(NULL, discard_const("badpattern"), &ret);
|
||||
+ assert_int_equal(fd, -1);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+}
|
||||
+
|
||||
+static void sss_unique_filename_test(struct unique_file_test_ctx *test_ctx,
|
||||
+ bool test_destructor)
|
||||
+{
|
||||
+ int fd;
|
||||
+ errno_t ret;
|
||||
+ char *tmp_filename;
|
||||
+ TALLOC_CTX *owner = NULL;
|
||||
+
|
||||
+ tmp_filename = talloc_strdup(test_ctx, test_ctx->filename);
|
||||
+ assert_non_null(tmp_filename);
|
||||
+
|
||||
+ if (test_destructor) {
|
||||
+ owner = talloc_new(test_ctx);
|
||||
+ assert_non_null(owner);
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_unique_filename(owner, test_ctx->filename);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ assert_int_equal(strncmp(test_ctx->filename,
|
||||
+ tmp_filename,
|
||||
+ strlen(tmp_filename) - sizeof("XXXXXX")),
|
||||
+ 0);
|
||||
+
|
||||
+ ret = check_and_open_readonly(test_ctx->filename, &fd,
|
||||
+ geteuid(), getegid(),
|
||||
+ (S_IRUSR | S_IWUSR | S_IFREG), 0);
|
||||
+ close(fd);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ assert_destructor(owner, test_ctx);
|
||||
+}
|
||||
+
|
||||
+static void test_sss_unique_filename(void **state)
|
||||
+{
|
||||
+ struct unique_file_test_ctx *test_ctx;
|
||||
+
|
||||
+ test_ctx = talloc_get_type(*state, struct unique_file_test_ctx);
|
||||
+ sss_unique_filename_test(test_ctx, false);
|
||||
+}
|
||||
+
|
||||
+static void test_sss_unique_filename_destruct(void **state)
|
||||
+{
|
||||
+ struct unique_file_test_ctx *test_ctx;
|
||||
+
|
||||
+ test_ctx = talloc_get_type(*state, struct unique_file_test_ctx);
|
||||
+ sss_unique_filename_test(test_ctx, true);
|
||||
+}
|
||||
+
|
||||
int main(int argc, const char *argv[])
|
||||
{
|
||||
poptContext pc;
|
||||
@@ -1275,6 +1437,19 @@ int main(int argc, const char *argv[])
|
||||
cmocka_unit_test_setup_teardown(test_fix_domain_in_name_list,
|
||||
confdb_test_setup,
|
||||
confdb_test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_unique_file,
|
||||
+ unique_file_test_setup,
|
||||
+ unique_file_test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_unique_file_destruct,
|
||||
+ unique_file_test_setup,
|
||||
+ unique_file_test_teardown),
|
||||
+ cmocka_unit_test(test_sss_unique_file_neg),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_unique_filename,
|
||||
+ unique_file_test_setup,
|
||||
+ unique_file_test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_unique_filename_destruct,
|
||||
+ unique_file_test_setup,
|
||||
+ unique_file_test_teardown),
|
||||
};
|
||||
|
||||
/* Set debug level to invalid value so we can deside if -d 0 was used. */
|
||||
diff --git a/src/util/util.c b/src/util/util.c
|
||||
index cfd26a58b31048996e9669163b821282b219b2de..61e5efedce45ba4a70d57ce19406eafe8373692c 100644
|
||||
--- a/src/util/util.c
|
||||
+++ b/src/util/util.c
|
||||
@@ -957,3 +957,130 @@ errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *_unix_tim
|
||||
*_unix_time = ut;
|
||||
return EOK;
|
||||
}
|
||||
+
|
||||
+struct tmpfile_watch {
|
||||
+ const char *filename;
|
||||
+};
|
||||
+
|
||||
+static int unlink_dbg(const char *filename)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ ret = unlink(filename);
|
||||
+ if (ret != 0) {
|
||||
+ if (errno == 2) {
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
+ "File already removed: [%s]\n", filename);
|
||||
+ return 0;
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Cannot remove temporary file [%s]\n", filename);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int unique_filename_destructor(void *memptr)
|
||||
+{
|
||||
+ struct tmpfile_watch *tw = talloc_get_type(memptr, struct tmpfile_watch);
|
||||
+
|
||||
+ if (tw == NULL || tw->filename == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Wrong private pointer\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Unlinking [%s]\n", tw->filename);
|
||||
+
|
||||
+ return unlink_dbg(tw->filename);
|
||||
+}
|
||||
+
|
||||
+static struct tmpfile_watch *tmpfile_watch_set(TALLOC_CTX *owner,
|
||||
+ const char *filename)
|
||||
+{
|
||||
+ struct tmpfile_watch *tw = NULL;
|
||||
+
|
||||
+ tw = talloc_zero(owner, struct tmpfile_watch);
|
||||
+ if (tw == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ tw->filename = talloc_strdup(tw, filename);
|
||||
+ if (tw->filename == NULL) {
|
||||
+ talloc_free(tw);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ talloc_set_destructor((TALLOC_CTX *) tw,
|
||||
+ unique_filename_destructor);
|
||||
+ return tw;
|
||||
+}
|
||||
+
|
||||
+int sss_unique_file_ex(TALLOC_CTX *owner,
|
||||
+ char *path_tmpl,
|
||||
+ mode_t file_umask,
|
||||
+ errno_t *_err)
|
||||
+{
|
||||
+ size_t tmpl_len;
|
||||
+ errno_t ret;
|
||||
+ int fd = -1;
|
||||
+ mode_t old_umask;
|
||||
+ struct tmpfile_watch *tw = NULL;
|
||||
+
|
||||
+ tmpl_len = strlen(path_tmpl);
|
||||
+ if (tmpl_len < 6 || strcmp(path_tmpl + (tmpl_len - 6), "XXXXXX") != 0) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Template too short or doesn't end with XXXXXX!\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ old_umask = umask(file_umask);
|
||||
+ fd = mkstemp(path_tmpl);
|
||||
+ umask(old_umask);
|
||||
+ if (fd == -1) {
|
||||
+ ret = errno;
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "mkstemp(\"%s\") failed [%d]: %s!\n",
|
||||
+ path_tmpl, ret, strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (owner != NULL) {
|
||||
+ tw = tmpfile_watch_set(owner, path_tmpl);
|
||||
+ if (tw == NULL) {
|
||||
+ unlink_dbg(path_tmpl);
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = EOK;
|
||||
+done:
|
||||
+ if (_err) {
|
||||
+ *_err = ret;
|
||||
+ }
|
||||
+ return fd;
|
||||
+}
|
||||
+
|
||||
+int sss_unique_file(TALLOC_CTX *owner,
|
||||
+ char *path_tmpl,
|
||||
+ errno_t *_err)
|
||||
+{
|
||||
+ return sss_unique_file_ex(owner, path_tmpl, 077, _err);
|
||||
+}
|
||||
+
|
||||
+errno_t sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl)
|
||||
+{
|
||||
+ int fd;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ fd = sss_unique_file(owner, path_tmpl, &ret);
|
||||
+ /* We only care about a unique file name */
|
||||
+ if (fd >= 0) {
|
||||
+ close(fd);
|
||||
+ }
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
diff --git a/src/util/util.h b/src/util/util.h
|
||||
index 3d90cf0d1024b93016987a4d3e8a515359fd974d..ecbed1c9843b16ba6cf31927c6fd3db8c72aefde 100644
|
||||
--- a/src/util/util.h
|
||||
+++ b/src/util/util.h
|
||||
@@ -653,4 +653,25 @@ int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
|
||||
/* convert time from generalized form to unix time */
|
||||
errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);
|
||||
|
||||
+/* Creates a unique file using mkstemp with provided umask. The template
|
||||
+ * must end with XXXXXX. Returns the fd, sets _err to an errno value on error.
|
||||
+ *
|
||||
+ * Prefer using sss_unique_file() as it uses a secure umask internally.
|
||||
+ */
|
||||
+int sss_unique_file_ex(TALLOC_CTX *mem_ctx,
|
||||
+ char *path_tmpl,
|
||||
+ mode_t file_umask,
|
||||
+ errno_t *_err);
|
||||
+int sss_unique_file(TALLOC_CTX *owner,
|
||||
+ char *path_tmpl,
|
||||
+ errno_t *_err);
|
||||
+
|
||||
+/* Creates a unique filename using mkstemp with secure umask. The template
|
||||
+ * must end with XXXXXX
|
||||
+ *
|
||||
+ * path_tmpl must be a talloc context. Destructor would be set on the filename
|
||||
+ * so that it's guaranteed the file is removed.
|
||||
+ */
|
||||
+int sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl);
|
||||
+
|
||||
#endif /* __SSSD_UTIL_H__ */
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,447 +0,0 @@
|
||||
From b2d318b91bb9d6ea1bef827031b980b8d6ec7b44 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 24 Jul 2015 13:13:08 +0200
|
||||
Subject: [PATCH 14/14] IPA: Always re-fetch the keytab from the IPA server
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Even if a keytab for one-way trust exists, re-fetch the keytab again and
|
||||
try to use it. Fall back to the previous one if it exists.
|
||||
|
||||
This is in order to allow the admin to re-establish the trust keytabs
|
||||
with a simple sssd restart.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
Makefile.am | 2 +
|
||||
src/providers/ipa/ipa_subdomains.c | 4 +-
|
||||
src/providers/ipa/ipa_subdomains_server.c | 83 +++++++++----
|
||||
src/tests/cmocka/test_ipa_subdomains_server.c | 166 ++++++++++++++++++++++++--
|
||||
4 files changed, 221 insertions(+), 34 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index b8cbc6df23ded1edb945a709b6dbe1c44eb54017..4e58b4f419607272f35363875054320af0899dcf 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -2501,6 +2501,8 @@ test_ipa_subdom_server_LDFLAGS = \
|
||||
-Wl,-wrap,krb5_kt_default \
|
||||
-Wl,-wrap,execle \
|
||||
-Wl,-wrap,execve \
|
||||
+ -Wl,-wrap,rename \
|
||||
+ -Wl,-wrap,sss_unique_filename \
|
||||
$(NULL)
|
||||
test_ipa_subdom_server_LDADD = \
|
||||
$(PAM_LIBS) \
|
||||
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
|
||||
index cf72784473747c67d44a5d887faf867cfe62ce2b..c688ddb9bb9b643e0695c1901a4ca467f71853da 100644
|
||||
--- a/src/providers/ipa/ipa_subdomains.c
|
||||
+++ b/src/providers/ipa/ipa_subdomains.c
|
||||
@@ -264,7 +264,7 @@ static errno_t ipa_ranges_parse_results(TALLOC_CTX *mem_ctx,
|
||||
ret = get_idmap_data_from_range(r, domain_name, &name1, &sid1, &rid1,
|
||||
&range1, &mapping1);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, ("get_idmap_data_from_range failed.\n"));
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "get_idmap_data_from_range failed.\n");
|
||||
goto done;
|
||||
}
|
||||
for (d = 0; d < c; d++) {
|
||||
@@ -272,7 +272,7 @@ static errno_t ipa_ranges_parse_results(TALLOC_CTX *mem_ctx,
|
||||
&sid2, &rid2, &range2, &mapping2);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
- ("get_idmap_data_from_range failed.\n"));
|
||||
+ "get_idmap_data_from_range failed.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
|
||||
index 4bfea61e6dd0a02f6b723a39f7ba236c914009b0..dfecab1bc362b5772379bae6d51f9cef8443f225 100644
|
||||
--- a/src/providers/ipa/ipa_subdomains_server.c
|
||||
+++ b/src/providers/ipa/ipa_subdomains_server.c
|
||||
@@ -445,6 +445,17 @@ static void ipa_getkeytab_exec(const char *ccache,
|
||||
exit(1);
|
||||
}
|
||||
|
||||
+ /* ipa-getkeytab cannot add keys to an empty file, let's unlink it and only
|
||||
+ * use the filename */
|
||||
+ ret = unlink(keytab_path);
|
||||
+ if (ret == -1) {
|
||||
+ ret = errno;
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to unlink the temporary ccname [%d][%s]\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
errno = 0;
|
||||
ret = execle(IPA_GETKEYTAB_PATH, IPA_GETKEYTAB_PATH,
|
||||
"-r", "-s", server, "-p", principal, "-k", keytab_path, NULL,
|
||||
@@ -561,6 +572,7 @@ struct ipa_server_trust_add_state {
|
||||
uint32_t direction;
|
||||
const char *forest;
|
||||
const char *keytab;
|
||||
+ char *new_keytab;
|
||||
const char *principal;
|
||||
const char *forest_realm;
|
||||
const char *ccache;
|
||||
@@ -660,21 +672,20 @@ static errno_t ipa_server_trust_add_1way(struct tevent_req *req)
|
||||
return EIO;
|
||||
}
|
||||
|
||||
- ret = ipa_check_keytab(state->keytab,
|
||||
- state->id_ctx->server_mode->kt_owner_uid,
|
||||
- state->id_ctx->server_mode->kt_owner_gid);
|
||||
- if (ret == EOK) {
|
||||
- DEBUG(SSSDBG_TRACE_FUNC,
|
||||
- "Keytab already present, can add the trust\n");
|
||||
- return EOK;
|
||||
- } else if (ret != ENOENT) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Failed to check for keytab: %d\n", ret);
|
||||
+ state->new_keytab = talloc_asprintf(state, "%sXXXXXX", state->keytab);
|
||||
+ if (state->new_keytab == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_unique_filename(state, state->new_keytab);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create temporary keytab name\n");
|
||||
return ret;
|
||||
}
|
||||
|
||||
DEBUG(SSSDBG_TRACE_FUNC,
|
||||
- "No keytab for %s\n", state->subdom->name);
|
||||
+ "Will re-fetch keytab for %s\n", state->subdom->name);
|
||||
|
||||
hostname = dp_opt_get_string(state->id_ctx->ipa_options->basic,
|
||||
IPA_HOSTNAME);
|
||||
@@ -691,7 +702,7 @@ static errno_t ipa_server_trust_add_1way(struct tevent_req *req)
|
||||
state->ccache,
|
||||
hostname,
|
||||
state->principal,
|
||||
- state->keytab);
|
||||
+ state->new_keytab);
|
||||
if (subreq == NULL) {
|
||||
return ENOMEM;
|
||||
}
|
||||
@@ -710,23 +721,49 @@ static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq)
|
||||
ret = ipa_getkeytab_recv(subreq, NULL);
|
||||
talloc_zfree(subreq);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "ipa_getkeytab_recv failed: %d\n", ret);
|
||||
- tevent_req_error(req, ret);
|
||||
- return;
|
||||
+ /* Do not fail here, but try to check and use the previous keytab,
|
||||
+ * if any */
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "ipa_getkeytab_recv failed: %d\n", ret);
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "Keytab successfully retrieved to %s\n", state->new_keytab);
|
||||
}
|
||||
|
||||
- DEBUG(SSSDBG_TRACE_FUNC,
|
||||
- "Keytab successfully retrieved to %s\n", state->keytab);
|
||||
-
|
||||
- ret = ipa_check_keytab(state->keytab,
|
||||
+ ret = ipa_check_keytab(state->new_keytab,
|
||||
state->id_ctx->server_mode->kt_owner_uid,
|
||||
state->id_ctx->server_mode->kt_owner_gid);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "ipa_check_keytab failed: %d\n", ret);
|
||||
- tevent_req_error(req, ret);
|
||||
- return;
|
||||
+ if (ret == EOK) {
|
||||
+ ret = rename(state->new_keytab, state->keytab);
|
||||
+ if (ret == -1) {
|
||||
+ ret = errno;
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "rename failed [%d][%s].\n", ret, strerror(ret));
|
||||
+ tevent_req_error(req, ret);
|
||||
+ return;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Keytab renamed to %s\n", state->keytab);
|
||||
+ } else if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ "Trying to recover and use the previous keytab, if available\n");
|
||||
+ ret = ipa_check_keytab(state->keytab,
|
||||
+ state->id_ctx->server_mode->kt_owner_uid,
|
||||
+ state->id_ctx->server_mode->kt_owner_gid);
|
||||
+ if (ret == EOK) {
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "The previous keytab %s contains the expected principal\n",
|
||||
+ state->keytab);
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Cannot use the old keytab: %d\n", ret);
|
||||
+ /* Nothing we can do now */
|
||||
+ tevent_req_error(req, ret);
|
||||
+ return;
|
||||
+ }
|
||||
}
|
||||
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "Keytab %s contains the expected principals\n", state->new_keytab);
|
||||
+
|
||||
ret = ipa_server_trust_add_step(req);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
diff --git a/src/tests/cmocka/test_ipa_subdomains_server.c b/src/tests/cmocka/test_ipa_subdomains_server.c
|
||||
index a4cb8c2b7538dc84b74e0227205b73780844b652..fb9bd80e299c05fa230599d442fa361ae757dcd3 100644
|
||||
--- a/src/tests/cmocka/test_ipa_subdomains_server.c
|
||||
+++ b/src/tests/cmocka/test_ipa_subdomains_server.c
|
||||
@@ -66,33 +66,79 @@
|
||||
#define ONEWAY_PRINC DOM_FLAT"$"
|
||||
#define ONEWAY_AUTHID ONEWAY_PRINC"@"SUBDOM_REALM
|
||||
|
||||
+static bool global_rename_called;
|
||||
+
|
||||
krb5_error_code __wrap_krb5_kt_default(krb5_context context, krb5_keytab *id)
|
||||
{
|
||||
return krb5_kt_resolve(context, KEYTAB_PATH, id);
|
||||
}
|
||||
|
||||
-static void create_dummy_keytab(void)
|
||||
+static void create_dummy_keytab(const char *dummy_kt)
|
||||
{
|
||||
errno_t ret;
|
||||
|
||||
- assert_non_null(ONEWAY_KEYTAB);
|
||||
+ assert_non_null(dummy_kt);
|
||||
mock_keytab_with_contents(global_talloc_context,
|
||||
- ONEWAY_KEYTAB, ONEWAY_AUTHID);
|
||||
+ dummy_kt, ONEWAY_AUTHID);
|
||||
|
||||
- ret = access(ONEWAY_KEYTAB, R_OK);
|
||||
+ ret = access(dummy_kt, R_OK);
|
||||
assert_int_equal(ret, 0);
|
||||
}
|
||||
|
||||
+static int wrap_exec(void)
|
||||
+{
|
||||
+ const char *test_kt;
|
||||
+ const char *fail_creating_kt;
|
||||
+
|
||||
+ test_kt = getenv("TEST_KT_ENV");
|
||||
+ if (test_kt == NULL) {
|
||||
+ _exit(1);
|
||||
+ }
|
||||
+ unsetenv("TEST_KT_ENV");
|
||||
+
|
||||
+ fail_creating_kt = getenv("KT_CREATE_FAIL");
|
||||
+ if (fail_creating_kt != NULL) {
|
||||
+ _exit(1);
|
||||
+ }
|
||||
+
|
||||
+ create_dummy_keytab(test_kt);
|
||||
+ _exit(0);
|
||||
+
|
||||
+ return 1; /* Should not happen */
|
||||
+}
|
||||
+
|
||||
int __wrap_execle(const char *path, const char *arg, ...)
|
||||
{
|
||||
- create_dummy_keytab();
|
||||
- _exit(0);
|
||||
+ return wrap_exec();
|
||||
}
|
||||
|
||||
int __wrap_execve(const char *path, const char *arg, ...)
|
||||
{
|
||||
- create_dummy_keytab();
|
||||
- _exit(0);
|
||||
+ return wrap_exec();
|
||||
+}
|
||||
+
|
||||
+errno_t __real_sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl);
|
||||
+
|
||||
+errno_t __wrap_sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl)
|
||||
+{
|
||||
+ int ret;
|
||||
+ int sret;
|
||||
+
|
||||
+ ret = __real_sss_unique_filename(owner, path_tmpl);
|
||||
+ if (ret == EOK) {
|
||||
+
|
||||
+ sret = setenv("TEST_KT_ENV", path_tmpl, 1);
|
||||
+ assert_int_equal(sret, 0);
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int __real_rename(const char *old, const char *new);
|
||||
+
|
||||
+int __wrap_rename(const char *old, const char *new)
|
||||
+{
|
||||
+ global_rename_called = true;
|
||||
+ return __real_rename(old, new);
|
||||
}
|
||||
|
||||
struct trust_test_ctx {
|
||||
@@ -100,6 +146,7 @@ struct trust_test_ctx {
|
||||
struct be_ctx *be_ctx;
|
||||
|
||||
struct ipa_id_ctx *ipa_ctx;
|
||||
+ bool expect_rename;
|
||||
};
|
||||
|
||||
static struct ipa_id_ctx *mock_ipa_ctx(TALLOC_CTX *mem_ctx,
|
||||
@@ -244,6 +291,8 @@ static int test_ipa_server_create_trusts_setup(void **state)
|
||||
|
||||
mock_keytab_with_contents(test_ctx, KEYTAB_PATH, KEYTAB_TEST_PRINC);
|
||||
|
||||
+ global_rename_called = false;
|
||||
+
|
||||
*state = test_ctx;
|
||||
return 0;
|
||||
}
|
||||
@@ -260,6 +309,11 @@ static int test_ipa_server_create_trusts_teardown(void **state)
|
||||
unlink(ONEWAY_KEYTAB);
|
||||
/* Ignore failures */
|
||||
|
||||
+ /* If a test needs this variable, it should be set again in
|
||||
+ * each test
|
||||
+ */
|
||||
+ unsetenv("KT_CREATE_FAIL");
|
||||
+
|
||||
talloc_free(test_ctx);
|
||||
return 0;
|
||||
}
|
||||
@@ -612,6 +666,8 @@ static void test_ipa_server_create_oneway(void **state)
|
||||
|
||||
assert_null(test_ctx->ipa_ctx->server_mode->trusts);
|
||||
|
||||
+ test_ctx->expect_rename = true;
|
||||
+
|
||||
req = ipa_server_create_trusts_send(test_ctx,
|
||||
test_ctx->tctx->ev,
|
||||
test_ctx->be_ctx,
|
||||
@@ -635,6 +691,8 @@ static void test_ipa_server_create_trusts_oneway(struct tevent_req *req)
|
||||
talloc_zfree(req);
|
||||
assert_int_equal(ret, EOK);
|
||||
|
||||
+ assert_true(test_ctx->expect_rename == global_rename_called);
|
||||
+
|
||||
ret = access(ONEWAY_KEYTAB, R_OK);
|
||||
assert_int_equal(ret, 0);
|
||||
|
||||
@@ -674,10 +732,46 @@ static void test_ipa_server_create_oneway_kt_exists(void **state)
|
||||
|
||||
add_test_1way_subdomains(test_ctx);
|
||||
|
||||
- create_dummy_keytab();
|
||||
+ create_dummy_keytab(ONEWAY_KEYTAB);
|
||||
ret = access(ONEWAY_KEYTAB, R_OK);
|
||||
assert_int_equal(ret, 0);
|
||||
|
||||
+ test_ctx->expect_rename = true;
|
||||
+
|
||||
+ assert_null(test_ctx->ipa_ctx->server_mode->trusts);
|
||||
+
|
||||
+ req = ipa_server_create_trusts_send(test_ctx,
|
||||
+ test_ctx->tctx->ev,
|
||||
+ test_ctx->be_ctx,
|
||||
+ test_ctx->ipa_ctx,
|
||||
+ test_ctx->be_ctx->domain);
|
||||
+ assert_non_null(req);
|
||||
+
|
||||
+ tevent_req_set_callback(req, test_ipa_server_create_trusts_oneway, test_ctx);
|
||||
+
|
||||
+ ret = test_ev_loop(test_ctx->tctx);
|
||||
+ assert_int_equal(ret, ERR_OK);
|
||||
+}
|
||||
+
|
||||
+/* Test scenario where a keytab already exists, but refresh fails. In this case,
|
||||
+ * sssd should attempt to reuse the previous keytab
|
||||
+ */
|
||||
+static void test_ipa_server_create_oneway_kt_refresh_fallback(void **state)
|
||||
+{
|
||||
+ struct trust_test_ctx *test_ctx =
|
||||
+ talloc_get_type(*state, struct trust_test_ctx);
|
||||
+ struct tevent_req *req;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ add_test_1way_subdomains(test_ctx);
|
||||
+
|
||||
+ create_dummy_keytab(ONEWAY_KEYTAB);
|
||||
+ ret = access(ONEWAY_KEYTAB, R_OK);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+
|
||||
+ setenv("KT_CREATE_FAIL", "1", 1);
|
||||
+ test_ctx->expect_rename = false;
|
||||
+
|
||||
assert_null(test_ctx->ipa_ctx->server_mode->trusts);
|
||||
|
||||
req = ipa_server_create_trusts_send(test_ctx,
|
||||
@@ -693,6 +787,54 @@ static void test_ipa_server_create_oneway_kt_exists(void **state)
|
||||
assert_int_equal(ret, ERR_OK);
|
||||
}
|
||||
|
||||
+/* Tests case where there's no keytab and retrieving fails. Just fail the
|
||||
+ * request in that case
|
||||
+ */
|
||||
+static void test_ipa_server_create_trusts_oneway_fail(struct tevent_req *req);
|
||||
+
|
||||
+static void test_ipa_server_create_oneway_kt_refresh_fail(void **state)
|
||||
+{
|
||||
+ struct trust_test_ctx *test_ctx =
|
||||
+ talloc_get_type(*state, struct trust_test_ctx);
|
||||
+ struct tevent_req *req;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ add_test_1way_subdomains(test_ctx);
|
||||
+
|
||||
+ setenv("KT_CREATE_FAIL", "1", 1);
|
||||
+ test_ctx->expect_rename = false;
|
||||
+
|
||||
+ assert_null(test_ctx->ipa_ctx->server_mode->trusts);
|
||||
+
|
||||
+ req = ipa_server_create_trusts_send(test_ctx,
|
||||
+ test_ctx->tctx->ev,
|
||||
+ test_ctx->be_ctx,
|
||||
+ test_ctx->ipa_ctx,
|
||||
+ test_ctx->be_ctx->domain);
|
||||
+ assert_non_null(req);
|
||||
+
|
||||
+ tevent_req_set_callback(req,
|
||||
+ test_ipa_server_create_trusts_oneway_fail,
|
||||
+ test_ctx);
|
||||
+
|
||||
+ ret = test_ev_loop(test_ctx->tctx);
|
||||
+ assert_int_equal(ret, ERR_OK);
|
||||
+}
|
||||
+
|
||||
+static void test_ipa_server_create_trusts_oneway_fail(struct tevent_req *req)
|
||||
+{
|
||||
+ struct trust_test_ctx *test_ctx = \
|
||||
+ tevent_req_callback_data(req, struct trust_test_ctx);
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ ret = ipa_server_create_trusts_recv(req);
|
||||
+ assert_int_not_equal(ret, EOK);
|
||||
+
|
||||
+ assert_true(test_ctx->expect_rename == global_rename_called);
|
||||
+
|
||||
+ test_ev_done(test_ctx->tctx, EOK);
|
||||
+}
|
||||
+
|
||||
static void test_ipa_server_trust_oneway_init(void **state)
|
||||
{
|
||||
struct trust_test_ctx *test_ctx =
|
||||
@@ -749,6 +891,12 @@ int main(int argc, const char *argv[])
|
||||
cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway_kt_exists,
|
||||
test_ipa_server_create_trusts_setup,
|
||||
test_ipa_server_create_trusts_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway_kt_refresh_fallback,
|
||||
+ test_ipa_server_create_trusts_setup,
|
||||
+ test_ipa_server_create_trusts_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway_kt_refresh_fail,
|
||||
+ test_ipa_server_create_trusts_setup,
|
||||
+ test_ipa_server_create_trusts_teardown),
|
||||
cmocka_unit_test_setup_teardown(test_ipa_server_trust_oneway_init,
|
||||
test_ipa_server_create_trusts_setup,
|
||||
test_ipa_server_create_trusts_teardown),
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,33 +0,0 @@
|
||||
From 560c4cdf6568c049102ccf47cb302f2e10de023a Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 23 Jul 2015 15:56:44 +0200
|
||||
Subject: [PATCH 15/15] krb5: do not send SSS_OTP if two factors were used
|
||||
|
||||
Resolves https://fedorahosted.org/sssd/ticket/2729
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/krb5/krb5_auth.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
||||
index 8886456c00c86914da364fd08efc25a488b0e686..d1bf4025b052d82413d1f370a36b0b99720d6f05 100644
|
||||
--- a/src/providers/krb5/krb5_auth.c
|
||||
+++ b/src/providers/krb5/krb5_auth.c
|
||||
@@ -1091,7 +1091,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
|
||||
krb5_auth_store_creds(state->domain, pd);
|
||||
}
|
||||
|
||||
- if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {
|
||||
+ /* The SSS_OTP message will prevent pam_sss from putting the entered
|
||||
+ * password on the PAM stack for other modules to use. This is not needed
|
||||
+ * when both factors were entered separately because here the first factor
|
||||
+ * (long term password) can be passed to the other modules. */
|
||||
+ if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
+ && sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
|
||||
uint32_t otp_flag = 1;
|
||||
ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),
|
||||
(const uint8_t *) &otp_flag);
|
||||
--
|
||||
2.5.0
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
2c3f3e6b2cd875879e6a55f49f13d8db sssd-1.13.0.tar.gz
|
||||
56623de935ab1c8e7a2535528f4b95b2 sssd-1.13.1.tar.gz
|
||||
|
29
sssd.spec
29
sssd.spec
@ -28,8 +28,8 @@
|
||||
%endif
|
||||
|
||||
Name: sssd
|
||||
Version: 1.13.0
|
||||
Release: 6%{?dist}
|
||||
Version: 1.13.1
|
||||
Release: 1%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -38,21 +38,6 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
|
||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-SSSDConfig-return-list-for-list_active_domains.patch
|
||||
Patch0002: 0002-KRB5-Return-right-data-provider-error-code.patch
|
||||
Patch0003: 0003-DYNDNS-sss_iface_addr_list_get-return-ENOENT.patch
|
||||
Patch0004: 0004-DYNDNS-support-mult.-interfaces-for-dyndns_iface-opt.patch
|
||||
Patch0005: 0005-DYNDNS-special-value-for-dyndns_iface-option.patch
|
||||
Patch0006: 0006-TESTS-dyndns-tests-support-AAAA-addresses.patch
|
||||
Patch0007: 0007-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch
|
||||
Patch0008: 0008-IPA-Better-debugging.patch
|
||||
Patch0009: 0009-UTIL-Lower-debug-level-in-perform_checks.patch
|
||||
Patch0010: 0010-IPA-Handle-sssd-owned-keytabs-when-running-as-root.patch
|
||||
Patch0011: 0011-LDAP-use-ldb_binary_encode-when-printing-attribute-v.patch
|
||||
Patch0012: 0012-IPA-Change-the-default-of-ldap_user_certificate-to-u.patch
|
||||
Patch0013: 0013-UTIL-Provide-a-common-interface-to-safely-create-tem.patch
|
||||
Patch0014: 0014-IPA-Always-re-fetch-the-keytab-from-the-IPA-server.patch
|
||||
Patch0015: 0015-krb5-do-not-send-SSS_OTP-if-two-factors-were-used.patch
|
||||
|
||||
### Dependencies ###
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
@ -83,7 +68,6 @@ BuildRequires: popt-devel
|
||||
BuildRequires: libtalloc-devel
|
||||
BuildRequires: libtevent-devel
|
||||
BuildRequires: libtdb-devel
|
||||
|
||||
BuildRequires: libldb-devel >= %{ldb_version}
|
||||
BuildRequires: libdhash-devel >= 0.4.2
|
||||
BuildRequires: libcollection-devel
|
||||
@ -93,7 +77,6 @@ BuildRequires: dbus-libs
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: nss-devel
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: nspr-devel
|
||||
BuildRequires: pcre-devel
|
||||
BuildRequires: libxslt
|
||||
@ -686,6 +669,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_libexecdir}/%{servicename}/sssd_autofs
|
||||
%{_libexecdir}/%{servicename}/sssd_ssh
|
||||
%{_libexecdir}/%{servicename}/sssd_sudo
|
||||
%{_libexecdir}/%{servicename}/p11_child
|
||||
|
||||
%dir %{_libdir}/%{name}
|
||||
%{_libdir}/%{name}/libsss_simple.so
|
||||
@ -776,7 +760,6 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%defattr(-,root,root,-)
|
||||
%doc COPYING
|
||||
%{_libdir}/%{name}/libsss_ad.so
|
||||
%{_libdir}/%{name}/libsss_ad_common.so
|
||||
%{_libexecdir}/%{servicename}/gpo_child
|
||||
%{_mandir}/man5/sssd-ad.5*
|
||||
|
||||
@ -836,6 +819,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_sbindir}/sss_groupmod
|
||||
%{_sbindir}/sss_groupshow
|
||||
%{_sbindir}/sss_obfuscate
|
||||
%{_sbindir}/sss_override
|
||||
%{_sbindir}/sss_debuglevel
|
||||
%{_sbindir}/sss_seed
|
||||
%{_mandir}/man8/sss_groupadd.8*
|
||||
@ -846,6 +830,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_mandir}/man8/sss_userdel.8*
|
||||
%{_mandir}/man8/sss_usermod.8*
|
||||
%{_mandir}/man8/sss_obfuscate.8*
|
||||
%{_mandir}/man8/sss_override.8*
|
||||
%{_mandir}/man8/sss_debuglevel.8*
|
||||
%{_mandir}/man8/sss_seed.8*
|
||||
|
||||
@ -1025,6 +1010,10 @@ fi
|
||||
%{_libdir}/%{name}/modules/libwbclient.so
|
||||
|
||||
%changelog
|
||||
* Thu Oct 01 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.1-0
|
||||
- New upstream release 1.13.1
|
||||
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1
|
||||
|
||||
* Thu Sep 10 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.0-6
|
||||
- Fix OTP bug
|
||||
- Resolves: upstream #2729 - Do not send SSS_OTP if both factors were
|
||||
|
Loading…
Reference in New Issue
Block a user