rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Include couple of patches from upstream 1.11 branch

Browse Source
This commit is contained in:
Jakub Hrozek 2014-03-11 13:35:03 +01:00
parent 4d4fe7434d
commit 1fd6df7177
7 changed files with 391 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch Normal file
View File

@ -0,0 +1,29 @@
From 0c2004f594b219c39c684222a88226d7c2a3befb Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 19 Feb 2014 15:00:15 +0100
Subject: [PATCH 1/6] IPA: Don't call tevent_req_post outside _send
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 6d4574a8dd1a9cafbb15631e7d01bdf6e67f821b)
---
src/providers/ipa/ipa_subdomains_id.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index b61c6a5f4d7605f0cdfa182bbc933d35c4613a79..c15bdaa703835ab07a9b3b21d1304220a01eac10 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -580,7 +580,6 @@ ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq)
fail:
state->dp_error = DP_ERR_FATAL;
tevent_req_error(req, ret);
- tevent_req_post(req, state->ev);
return;
}
--
1.8.5.3

27
0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch Normal file
View File

@ -0,0 +1,27 @@
From 22926e00fdfb838e9bb9c5b32b16b499cd2ee5f3 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 19 Feb 2014 15:34:34 +0100
Subject: [PATCH 2/6] IPA: Don't fail if apply_subdomain_homedir returns ENOENT
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 26786da26706aeedbda4caea0383c143ed4e59dc)
---
src/providers/ipa/ipa_subdomains_id.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index c15bdaa703835ab07a9b3b21d1304220a01eac10..637dd61f9f272eb4ac4ecb8368d2210801bb0373 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -550,7 +550,7 @@ ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq)
ret = apply_subdomain_homedir(state, state->user_dom,
state->ar->filter_type,
state->ar->filter_value);
- if (ret != EOK) {
+ if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE,
("apply_subdomain_homedir failed: [%d]: [%s].\n",
ret, sss_strerror(ret)));
--
1.8.5.3

50
0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch Normal file
View File

@ -0,0 +1,50 @@
From 8ad066fb0ca6e543bd99b93bdd52866eddfceb12 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 3 Mar 2014 12:40:43 +0100
Subject: [PATCH 3/6] ipa-server-mode: use lower-case user name for home dir
In older IPA server versions where the AD users where looked up by
winbind the user name component of the home directory path was always
lower case. This still holds for IPA clients as well. To avoid
regression this patch makes the user name component lower case as well.
Fixes https://fedorahosted.org/sssd/ticket/2263
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 48b1db73639135dd4a15ee153f958c912836c621)
---
src/providers/ipa/ipa_subdomains_id.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 637dd61f9f272eb4ac4ecb8368d2210801bb0373..00993c496c1d100b37a780828c81492c2fac6157 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -358,6 +358,7 @@ get_subdomain_homedir_of_user(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
{
errno_t ret;
char *name;
+ char *lc_name;
const char *homedir;
TALLOC_CTX *tmp_ctx;
@@ -372,7 +373,15 @@ get_subdomain_homedir_of_user(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
goto done;
}
- homedir = expand_homedir_template(tmp_ctx, dom->subdomain_homedir, name,
+ /* To be compatible with the old winbind based user lookups and IPA
+ * clients the user name in the home directory path will be lower-case. */
+ lc_name = sss_tc_utf8_str_tolower(tmp_ctx, name);
+ if (lc_name == NULL) {
+ ret =ENOMEM;
+ goto done;
+ }
+
+ homedir = expand_homedir_template(tmp_ctx, dom->subdomain_homedir, lc_name,
uid, NULL, dom->name, dom->flat_name);
if (homedir == NULL) {
--
1.8.5.3

101
0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch Normal file
View File

@ -0,0 +1,101 @@
From e9383f540242084b9c61161642c1a62304607be5 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 4 Mar 2014 13:48:36 +0100
Subject: [PATCH 4/6] IPA: Do not save intermediate data to sysdb
https://fedorahosted.org/sssd/ticket/2264
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/ipa/ipa_selinux.c | 68 ++++++++++++++++++++---------------------
1 file changed, 34 insertions(+), 34 deletions(-)
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index c227db937a84228c0f3945dbe11ba904c7ad9744..2209ca188654d8c79ee402ba71beeadab2904093 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -251,6 +251,40 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
goto fail;
}
+ ret = sysdb_transaction_start(sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to start transaction\n"));
+ goto fail;
+ }
+ in_transaction = true;
+
+ ret = sysdb_delete_usermaps(op_ctx->domain->sysdb, op_ctx->domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Cannot delete existing maps from sysdb\n"));
+ goto fail;
+ }
+
+ ret = sysdb_store_selinux_config(sysdb, op_ctx->domain,
+ default_user, map_order);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ if (map_count > 0 && maps != NULL) {
+ ret = ipa_save_user_maps(sysdb, op_ctx->domain, map_count, maps);
+ if (ret != EOK) {
+ goto fail;
+ }
+ }
+
+ ret = sysdb_transaction_commit(sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Could not commit transaction\n"));
+ goto fail;
+ }
+ in_transaction = false;
+
/* Process the maps and return list of best matches (maps with
* highest priority). The input maps are also parent memory
* context for the output list of best matches. The best match
@@ -279,40 +313,6 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
goto fail;
}
- ret = sysdb_transaction_start(sysdb);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to start transaction\n"));
- goto fail;
- }
- in_transaction = true;
-
- ret = sysdb_delete_usermaps(op_ctx->domain->sysdb, op_ctx->domain);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("Cannot delete existing maps from sysdb\n"));
- goto fail;
- }
-
- ret = sysdb_store_selinux_config(sysdb, op_ctx->domain,
- default_user, map_order);
- if (ret != EOK) {
- goto fail;
- }
-
- if (map_count > 0 && maps != NULL) {
- ret = ipa_save_user_maps(sysdb, op_ctx->domain, map_count, maps);
- if (ret != EOK) {
- goto fail;
- }
- }
-
- ret = sysdb_transaction_commit(sysdb);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("Could not commit transaction\n"));
- goto fail;
- }
- in_transaction = false;
-
/* If we got here in online mode, set last_update to current time */
if (!be_is_offline(be_ctx)) {
op_ctx->selinux_ctx->last_update = time(NULL);
--
1.8.5.3

127
0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch Normal file
View File

@ -0,0 +1,127 @@
From 80e2cbb00c796a332cc5f13cfe17af9b040f8e57 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Fri, 7 Mar 2014 12:21:11 -0500
Subject: [PATCH 5/6] Fix krb5 changepw when FAST-only preauth methods are used
(like OTP)
Before this patch, a different set of options was used when calling
krb5_get_init_creds_password() for the changepw principal. Because
this set of options did not contain the same FAST settings as the
options for normal requests, all authentication would fail when the
password of a FAST-only account would expire.
The two sets approach was cargo-cult from kinit where multiple
requests could be issued using the same options set. However, in the
case of krb5_child, only one request (or occasionally a well-defined
second request) will be issued. Two option sets are therefore not
required.
To fix this problem we removed the second option set used for changepw
requests. All requests now use a single option set which is modified,
if needed, for well-defined subsequent requests.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/krb5/krb5_child.c | 40 ++++++----------------------------------
1 file changed, 6 insertions(+), 34 deletions(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index bd937e8081df4a5637a4267c356c1f9a08965b42..e9febe4756ca5b56f0b1c04d21d1fcf450315b8b 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -65,27 +65,14 @@ struct krb5_req {
static krb5_context krb5_error_ctx;
#define KRB5_CHILD_DEBUG(level, error) KRB5_DEBUG(level, krb5_error_ctx, error)
-static krb5_error_code get_changepw_options(krb5_context ctx,
- krb5_get_init_creds_opt **_options)
+static void set_changepw_options(krb5_context ctx,
+ krb5_get_init_creds_opt *options)
{
- krb5_get_init_creds_opt *options;
- krb5_error_code kerr;
-
- kerr = sss_krb5_get_init_creds_opt_alloc(ctx, &options);
- if (kerr != 0) {
- KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
- return kerr;
- }
-
sss_krb5_get_init_creds_opt_set_canonicalize(options, 0);
krb5_get_init_creds_opt_set_forwardable(options, 0);
krb5_get_init_creds_opt_set_proxiable(options, 0);
krb5_get_init_creds_opt_set_renew_life(options, 0);
krb5_get_init_creds_opt_set_tkt_life(options, 5*60);
-
- *_options = options;
-
- return 0;
}
static errno_t sss_send_pac(krb5_authdata **pac_authdata)
@@ -1023,7 +1010,6 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
krb5_prompter_fct prompter = NULL;
const char *realm_name;
int realm_length;
- krb5_get_init_creds_opt *chagepw_options;
size_t msg_len;
uint8_t *msg;
@@ -1041,12 +1027,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
prompter = sss_krb5_prompter;
}
- kerr = get_changepw_options(kr->ctx, &chagepw_options);
- if (kerr != 0) {
- DEBUG(SSSDBG_OP_FAILURE, ("get_changepw_options failed.\n"));
- return kerr;
- }
-
+ set_changepw_options(kr->ctx, kr->options);
sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);
DEBUG(SSSDBG_TRACE_FUNC,
@@ -1055,8 +1036,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
discard_const(password),
prompter, kr, 0,
SSSD_KRB5_CHANGEPW_PRINCIPAL,
- chagepw_options);
- sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options);
+ kr->options);
if (kerr != 0) {
ret = pack_user_info_chpass_error(kr->pd, "Old password not accepted.",
&msg_len, &msg);
@@ -1164,7 +1144,6 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
static errno_t tgt_req_child(struct krb5_req *kr)
{
- krb5_get_init_creds_opt *chagepw_options;
const char *password = NULL;
krb5_error_code kerr;
int ret;
@@ -1210,19 +1189,12 @@ static errno_t tgt_req_child(struct krb5_req *kr)
DEBUG(1, ("Failed to unset expire callback, continue ...\n"));
}
- kerr = get_changepw_options(kr->ctx, &chagepw_options);
- if (kerr != 0) {
- DEBUG(SSSDBG_OP_FAILURE, ("get_changepw_options failed.\n"));
- return kerr;
- }
-
+ set_changepw_options(kr->ctx, kr->options);
kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
discard_const(password),
sss_krb5_prompter, kr, 0,
SSSD_KRB5_CHANGEPW_PRINCIPAL,
- chagepw_options);
-
- sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options);
+ kr->options);
krb5_free_cred_contents(kr->ctx, kr->creds);
if (kerr == 0) {
--
1.8.5.3

46
0006-IPA-Use-GC-for-AD-initgroup-requests.patch Normal file
View File

@ -0,0 +1,46 @@
From f87c0437c9c94a7f447688c0152220ad51dc3a0e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 6 Mar 2014 15:37:57 +0100
Subject: [PATCH 6/6] IPA: Use GC for AD initgroup requests
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ipa/ipa_subdomains_id.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 00993c496c1d100b37a780828c81492c2fac6157..978ccc261d7525662e835b867044b6a5238a29df 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -307,13 +307,22 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
/* Currently only LDAP port for AD is used because POSIX
* attributes are not replicated to GC by default
*/
- clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
- if (clist == NULL) {
- ret = ENOMEM;
- goto fail;
+
+ if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
+ clist = ad_gc_conn_list(req, ad_id_ctx, state->user_dom);
+ if (clist == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+ } else {
+ clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
+ if (clist == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+ clist[0] = ad_id_ctx->ldap_ctx;
+ clist[1] = NULL;
}
- clist[0] = ad_id_ctx->ldap_ctx;
- clist[1] = NULL;
/* Now we already need ad_id_ctx in particular sdap_id_conn_ctx */
sdom = sdap_domain_get(sdap_id_ctx->opts, state->user_dom);
--
1.8.5.3

12
sssd.spec
View File

@ -14,7 +14,7 @@
Name: sssd Name: sssd
Version: 1.11.4 Version: 1.11.4
Release: 1%{?dist} Release: 2%{?dist}
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
@ -23,6 +23,13 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ### ### Patches ###
Patch0001: 0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch
Patch0002: 0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch
Patch0003: 0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch
Patch0004: 0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch
Patch0005: 0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch
Patch0006: 0006-IPA-Use-GC-for-AD-initgroup-requests.patch
Patch0602: 0602-FEDORA-Add-CIFS-idmap-plugin.patch Patch0602: 0602-FEDORA-Add-CIFS-idmap-plugin.patch
### Dependencies ### ### Dependencies ###
@ -730,6 +737,9 @@ fi
%postun -n libsss_idmap -p /sbin/ldconfig %postun -n libsss_idmap -p /sbin/ldconfig
%changelog %changelog
* Mon Mar 11 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.11.4-2
- Include couple of patches from upstream 1.11 branch
* Mon Feb 17 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.11.4-1 * Mon Feb 17 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.11.4-1
- New upstream release 1.11.4 - New upstream release 1.11.4
- Remove upstreamed patch - Remove upstreamed patch