Backport important patches from upstream 1.14.2 prerelease

- Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after boot
- Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14
Lukas Slebodnik 2016-08-31 19:45:36 +02:00
parent 6bce0a242d
commit 2b61bbee11
40 changed files with 3788 additions and 1 deletions


@ -0,0 +1,79 @@
From 78db9b76d9be4aa307fbaaba7315b121421e8826 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 19 Aug 2016 11:36:41 +0200
Subject: [PATCH 01/39] CONFIG: selinux_provider is a valid provider type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We should not warn about it in the validator and should allow
selinux_provider from the config API.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit dec00197181ee8f7efbfbdadd73629f66f80f1ff)
---
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/SSSDConfigTest.py | 2 ++
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
4 files changed, 5 insertions(+)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 1718a9babf390b95710ec356f25f09ea679bdd73..9683ea63e042115c20010cfb0904b2f65d76468b 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -128,6 +128,7 @@ option_strings = {
'autofs_provider' : _('Autofs provider'),
'session_provider' : _('Session-loading provider'),
'hostid_provider' : _('Host identity provider'),
+ 'selinux_provider' : _('SELinux provider'),
# [domain]
'min_id' : _('Minimum user ID'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 00c688f1e57c5f481d3adba2fe0374145216bc33..09adf1faad767968dc1df2cc1668144526ffe504 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -557,6 +557,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'session_provider',
'hostid_provider',
'subdomains_provider',
+ 'selinux_provider',
'realmd_tags',
'subdomain_refresh_interval',
'subdomain_inherit',
@@ -926,6 +927,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'session_provider',
'hostid_provider',
'subdomains_provider',
+ 'selinux_provider',
'realmd_tags',
'subdomain_refresh_interval',
'subdomain_inherit',
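Review bot: the expected-option list is duplicated between the two test methods touched here (the hunks at @@ -557 and @@ -926 add the identical `'selinux_provider',` entry), so every new domain option needs a matching edit in both places or one of the tests silently drifts from the other; consider hoisting the shared list into a module-level constant that both methods reference.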
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index ef6435b08aee416e377fe854e6768f3fa4fd9650..f0b4c4e7640aa24cf14815b2717327c742fcd89a 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -251,6 +251,7 @@ option = autofs_provider
option = session_provider
option = hostid_provider
option = subdomains_provider
+option = selinux_provider
# Options available to all domains
option = min_id
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 5ac6f79521f5f776fc17319c3afb87d44961afca..94edb45ad2b85e3f4200a917c914a8f4fcb29c28 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -106,6 +106,7 @@ autofs_provider = str, None, false
session_provider = str, None, false
hostid_provider = str, None, false
subdomains_provider = str, None, false
+selinux_provider = str, None, false
[domain]
# Options available to all domains
--
2.9.3


@ -0,0 +1,81 @@
From b37a86a8a84255742bbcffcb47e9e1a1dded0113 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 19 Aug 2016 11:48:20 +0200
Subject: [PATCH 02/39] CONFIG: session_provider does not exist anymore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The session_provider used to exist a long time ago when we used to set
the SELinux context from it, but the provider had been removed for a
long time. We just forgot to remove the value from the config API and
the validator.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit d940593e647731c0caec1fd04cf16a1b23578f32)
---
src/config/SSSDConfig/__init__.py.in | 1 -
src/config/SSSDConfigTest.py | 2 --
src/config/cfg_rules.ini | 1 -
src/config/etc/sssd.api.conf | 1 -
4 files changed, 5 deletions(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 9683ea63e042115c20010cfb0904b2f65d76468b..b3f04ac26309bb5b518fb87cd0dae2962e853179 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -126,7 +126,6 @@ option_strings = {
'chpass_provider' : _('Password change provider'),
'sudo_provider' : _('SUDO provider'),
'autofs_provider' : _('Autofs provider'),
- 'session_provider' : _('Session-loading provider'),
'hostid_provider' : _('Host identity provider'),
'selinux_provider' : _('SELinux provider'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 09adf1faad767968dc1df2cc1668144526ffe504..8fcd1a55c36035a7026f1fb4c8116aaae24e78ef 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -554,7 +554,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'chpass_provider',
'sudo_provider',
'autofs_provider',
- 'session_provider',
'hostid_provider',
'subdomains_provider',
'selinux_provider',
@@ -924,7 +923,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'chpass_provider',
'sudo_provider',
'autofs_provider',
- 'session_provider',
'hostid_provider',
'subdomains_provider',
'selinux_provider',
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index f0b4c4e7640aa24cf14815b2717327c742fcd89a..df10538dee4a547a1b1af62a4cfe37b89e236b18 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -248,7 +248,6 @@ option = access_provider
option = chpass_provider
option = sudo_provider
option = autofs_provider
-option = session_provider
option = hostid_provider
option = subdomains_provider
option = selinux_provider
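Review bot: dropping `option = session_provider` from the validator rules means any deployed sssd.conf that still carries the obsolete key will now be reported as an unknown option instead of being silently accepted; that is the intent of the patch, but it is a visible behaviour change that deserves a release-note line, and since the diffstat only touches the config API and validator it is worth checking that sssd.conf(5) does not still describe the option.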
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 94edb45ad2b85e3f4200a917c914a8f4fcb29c28..5e69414f2a490977bdaf1555325814ad61202071 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -103,7 +103,6 @@ access_provider = str, None, false
chpass_provider = str, None, false
sudo_provider = str, None, false
autofs_provider = str, None, false
-session_provider = str, None, false
hostid_provider = str, None, false
subdomains_provider = str, None, false
selinux_provider = str, None, false
--
2.9.3


@ -0,0 +1,40 @@
From 224612480eb4a64b23e096a96e7c5ea0d746d25a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 23 Aug 2016 23:46:59 +0200
Subject: [PATCH 03/39] PROXY: Use the fqname when converting to lowercase
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When saving the user there is a comparison between the "cased alias"
and the "lowercase password name". However, the first doesn't use the fully
qualified name while the second does, resulting in an unexpected
override of the "nameAlias" attribute of a stored user when trying to
authenticate more than once using an alias.
Resolves:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 5691b2d668541585d2a8ae3ddb834f29d828036e)
---
src/providers/proxy/proxy_id.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index 26f4d7499c02272e524ba9b713108189cd910bfd..b0c82807b42d91a4212578ca98af7f96484735b1 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -256,7 +256,7 @@ static int save_user(struct sss_domain_info *domain,
}
if (lowercase) {
- lc_pw_name = sss_tc_utf8_str_tolower(attrs, pwd->pw_name);
+ lc_pw_name = sss_tc_utf8_str_tolower(attrs, real_name);
if (lc_pw_name == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
ret = ENOMEM;
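Review bot: the lowercase branch now passes `real_name` instead of `pwd->pw_name` to sss_tc_utf8_str_tolower(), but the hunk does not show where `real_name` is assigned or that it is guaranteed non-NULL at this point; the only error handled here is ENOMEM on the result, so please confirm `real_name` is always populated before the `if (lowercase)` block on every path into save_user() so this cannot become a NULL dereference inside the tolower helper. A regression test that authenticates twice via an alias, as described for ticket 3134, would make the fix verifiable.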
--
2.9.3


@ -0,0 +1,253 @@
From 3c1c173bab2e3ee3058f5661562080d6a65e324f Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 10 Aug 2016 20:05:52 +0200
Subject: [PATCH 04/39] sssd_netgroup.py: Resolve nested netgroups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit c596fc4d75304ff224cbad0aa2aecd3cbe82d2ff)
---
src/tests/intg/sssd_netgroup.py | 204 ++++++++++++++++++++++++++++++----------
1 file changed, 154 insertions(+), 50 deletions(-)
diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py
index 3525261cb28707db9031ee1dfeb144ae4c362833..2c7f76fad4da0003d1760a359ac9a1834abbb2f9 100644
--- a/src/tests/intg/sssd_netgroup.py
+++ b/src/tests/intg/sssd_netgroup.py
@@ -71,49 +71,173 @@ class Netgrent(Structure):
("nip", c_void_p)]
-def call_sssd_setnetgrent(netgroup):
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
+class NetgroupRetriever(object):
+ def __init__(self, name):
+ self.name = name
+ self.needed_groups = []
+ self.known_groups = []
+ self.netgroups = []
- func = libnss_sss._nss_sss_setnetgrent
- func.restype = c_int
- func.argtypes = [c_char_p, POINTER(Netgrent)]
+ @staticmethod
+ def _setnetgrent(netgroup):
+ """
+ This private method is ctypes wrapper for
+ enum nss_status _nss_sss_setnetgrent(const char *netgroup,
+ struct __netgrent *result)
- result = Netgrent()
- result_p = POINTER(Netgrent)(result)
+ @param string name name of netgroup
- res = func(c_char_p(netgroup), result_p)
+ @return (int, POINTER(Netgrent)) (err, result_p)
+ err is a constant from class NssReturnCode and in case of SUCCESS
+ result_p will contain POINTER(Netgrent) which can be used in
+ _getnetgrent_r or _getnetgrent_r.
+ """
+ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
+ libnss_sss = cdll.LoadLibrary(libnss_sss_path)
- return (int(res), result_p)
+ func = libnss_sss._nss_sss_setnetgrent
+ func.restype = c_int
+ func.argtypes = [c_char_p, POINTER(Netgrent)]
+ result = Netgrent()
+ result_p = POINTER(Netgrent)(result)
-def call_sssd_getnetgrent_r(result_p, buff, buff_len):
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
+ res = func(c_char_p(netgroup), result_p)
- func = libnss_sss._nss_sss_getnetgrent_r
- func.restype = c_int
- func.argtypes = [POINTER(Netgrent), POINTER(c_char), c_size_t,
- POINTER(c_int)]
+ return (int(res), result_p)
- errno = POINTER(c_int)(c_int(0))
+ @staticmethod
+ def _getnetgrent_r(result_p, buff, buff_len):
+ """
+ This private method is ctypes wrapper for
+ enum nss_status _nss_sss_getnetgrent_r(struct __netgrent *result,
+ char *buffer, size_t buflen,
+ int *errnop)
+ @param POINTER(Netgrent) result_p pointer to initialized C structure
+ struct __netgrent
+ @param ctypes.c_char_Array buff buffer used by C functions
+ @param int buff_len size of c_char_Array passed as a paramere buff
- res = func(result_p, buff, buff_len, errno)
+ @return (int, int, List[(string, string, string])
+ (err, errno, netgroups)
+ if err is NssReturnCode.SUCCESS netgroups will contain list of
+ touples. Each touple will consist of 3 elemets either string or
+ """
+ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
+ libnss_sss = cdll.LoadLibrary(libnss_sss_path)
- return (int(res), int(errno[0]), result_p)
+ func = libnss_sss._nss_sss_getnetgrent_r
+ func.restype = c_int
+ func.argtypes = [POINTER(Netgrent), POINTER(c_char), c_size_t,
+ POINTER(c_int)]
+ errno = POINTER(c_int)(c_int(0))
-def call_sssd_endnetgrent(result_p):
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
+ res = func(result_p, buff, buff_len, errno)
- func = libnss_sss._nss_sss_endnetgrent
- func.restype = c_int
- func.argtypes = [POINTER(Netgrent)]
+ return (int(res), int(errno[0]), result_p)
- res = func(result_p)
+ @staticmethod
+ def _endnetgrent(result_p):
+ """
+ This private method is ctypes wrapper for
+ enum nss_status _nss_sss_endnetgrent(struct __netgrent *result)
- return int(res)
+ @param POINTER(Netgrent) result_p pointer to initialized C structure
+ struct __netgrent
+
+ @return int a constant from class NssReturnCode
+ """
+ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
+ libnss_sss = cdll.LoadLibrary(libnss_sss_path)
+
+ func = libnss_sss._nss_sss_endnetgrent
+ func.restype = c_int
+ func.argtypes = [POINTER(Netgrent)]
+
+ res = func(result_p)
+
+ return int(res)
+
+ def get_netgroups(self):
+ """
+ Function will return netgroup triplets for given user. All nested
+ netgroups will be retieved as part of executions and will content
+ will be merged with direct triplets.
+ Missing nested netgroups will not cause failure and are considered
+ as an empty netgroup without triplets.
+
+ @param string name name of netgroup
+
+ @return (int, int, List[(string, string, string])
+ (err, errno, netgroups)
+ if err is NssReturnCode.SUCCESS netgroups will contain list of
+ touples. Each touple will consist of 3 elemets either string or
+ None (host, user, domain).
+ """
+ res, errno, result = self._flat_fetch_netgroups(self.name)
+ if res != NssReturnCode.SUCCESS:
+ return (res, errno, self.netgroups)
+
+ self.netgroups += result
+
+ while self.needed_groups:
+ name = self.needed_groups.pop(0)
+
+ nest_res, nest_errno, result = self._flat_fetch_netgroups(name)
+ # do not fail for missing nested netgroup
+ if nest_res not in (NssReturnCode.SUCCESS, NssReturnCode.NOTFOUND):
+ return (nest_res, nest_errno, self.netgroups)
+
+ self.netgroups = result + self.netgroups
+
+ return (res, errno, self.netgroups)
+
+ def _flat_fetch_netgroups(self, name):
+ """
+ Function will return netgroup triplets for given user. The nested
+ netgroups will not be returned. Missing nested netgroups will be
+ appended to the array needed_groups
+
+ @param string name name of netgroup
+
+ @return (int, int, List[(string, string, string])
+ (err, errno, netgroups)
+ if err is NssReturnCode.SUCCESS netgroups will contain list of
+ touples. Each touple will consist of 3 elemets either string or
+ None (host, user, domain).
+ """
+ buff_len = 1024 * 1024
+ buff = create_string_buffer(buff_len)
+
+ result = []
+
+ res, result_p = self._setnetgrent(name)
+ if res != NssReturnCode.SUCCESS:
+ return (res, get_errno(), result)
+
+ res, errno, result_p = self._getnetgrent_r(result_p, buff, buff_len)
+ while res == NssReturnCode.SUCCESS:
+ if result_p[0].type == NetgroupType.GROUP_VAL:
+ nested_netgroup = result_p[0].val.group
+ if nested_netgroup not in self.known_groups:
+ self.needed_groups.append(nested_netgroup)
+ self.known_groups.append(nested_netgroup)
+
+ if result_p[0].type == NetgroupType.TRIPLE_VAL:
+ result.append((result_p[0].val.triple.host,
+ result_p[0].val.triple.user,
+ result_p[0].val.triple.domain))
+
+ res, errno, result_p = self._getnetgrent_r(result_p, buff,
+ buff_len)
+
+ if res != NssReturnCode.RETURN:
+ return (res, errno, result)
+
+ res = self._endnetgrent(result_p)
+
+ return (res, errno, result)
def get_sssd_netgroups(name):
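Review bot: `get_netgroups()` never records the top-level name in `self.known_groups` (only nested names discovered in `_flat_fetch_netgroups` are added), so a nested netgroup that refers back to the root, e.g. A -> B -> A, queues A again and its triples are merged twice; seed `self.known_groups` with `self.name` in `__init__` or at the top of `get_netgroups()`. The fetch loop also silently skips any `result_p[0].type` other than GROUP_VAL and TRIPLE_VAL, where the code it replaces asserted on the type; an explicit `else: raise` keeps that check. Minor docstring issues: `_getnetgrent_r`'s return description is cut off after "either string or", `get_netgroups` documents a `name` parameter the method does not take, "_getnetgrent_r or _getnetgrent_r" should presumably read `_getnetgrent_r or _endnetgrent`, and "touples", "elemets", "retieved" and "paramere" want spelling fixes.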
@@ -129,27 +253,7 @@ def get_sssd_netgroups(name):
Each touple will consist of 3 elemets either string or None
(host, user, domain).
"""
- buff_len = 1024 * 1024
- buff = create_string_buffer(buff_len)
- result = []
+ retriever = NetgroupRetriever(name)
- res, result_p = call_sssd_setnetgrent(name)
- if res != NssReturnCode.SUCCESS:
- return (res, get_errno(), result)
-
- res, errno, result_p = call_sssd_getnetgrent_r(result_p, buff, buff_len)
- while res == NssReturnCode.SUCCESS:
- assert result_p[0].type == NetgroupType.TRIPLE_VAL
- result.append((result_p[0].val.triple.host,
- result_p[0].val.triple.user,
- result_p[0].val.triple.domain))
- res, errno, result_p = call_sssd_getnetgrent_r(result_p, buff,
- buff_len)
-
- if res != NssReturnCode.RETURN:
- return (res, errno, result)
-
- res = call_sssd_endnetgrent(result_p)
-
- return (res, errno, result)
+ return retriever.get_netgroups()
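Review bot: the old docstring is kept as context here ("Each touple will consist of 3 elemets"), so the same typos survive in the public wrapper; fix them while the function is being touched. Creating a fresh NetgroupRetriever per call is the right choice, since the instance accumulates `netgroups`, `known_groups` and `needed_groups` state and must not be reused across different names.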
--
2.9.3


@ -0,0 +1,50 @@
From 5ac050f0f5160dc433aba21fd1ae2f2a8ffa9a88 Mon Sep 17 00:00:00 2001
From: Petr Cech <pcech@redhat.com>
Date: Fri, 22 Jul 2016 14:28:54 +0200
Subject: [PATCH 05/39] LDAP: Fixing of removing netgroup from cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There was a problem with a local key which wasn't properly removed.
This patch fixes it.
Resolves:
https://fedorahosted.org/sssd/ticket/2841
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit bf141e052a81b28ee0ad2f61ff8b4879e4faa13b)
---
src/providers/ldap/sdap_async_netgroups.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
index df233d956df70cfcb5f68bd2afc9e2a23c50c3bb..e1d69ad769f542cccffca50547932a5bfb352230 100644
--- a/src/providers/ldap/sdap_async_netgroups.c
+++ b/src/providers/ldap/sdap_async_netgroups.c
@@ -138,6 +138,22 @@ static errno_t sdap_save_netgroup(TALLOC_CTX *memctx,
goto fail;
}
+ /* We store memberNisNetgroup from LDAP as originalMemberNisNetgroup in
+ * sysdb. It may contain simple name or DN. That's the reason why we always
+ * translate/generate simple name and store it in SYSDB_NETGROUP_MEMBER
+ * (memberNisNetgroup) in sysdb which is internally used for searching
+ * netgropus.
+ * We need to ensure if originalMemberNisNetgroup is missing,
+ * memberNisNetgroup is missing too.
+ */
+ if (string_in_list(SYSDB_ORIG_NETGROUP_MEMBER, missing, false)) {
+ ret = add_string_to_list(attrs, SYSDB_NETGROUP_MEMBER, &missing);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add string into list\n");
+ goto fail;
+ }
+ }
+
ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, missing,
dom->netgroup_timeout, now);
if (ret) goto fail;
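Review bot: the new block appends SYSDB_NETGROUP_MEMBER to `missing` without checking whether it is already there, so if anything earlier in sdap_save_netgroup() can put the derived attribute into the list it will now be listed twice; a `string_in_list()` guard before `add_string_to_list()` keeps the delete list clean. Also "netgropus" in the new comment. The logic itself matches the commit message: SYSDB_NETGROUP_MEMBER is derived from originalMemberNisNetgroup, so it has to be removed from the cache entry whenever its source attribute is, otherwise stale nested membership survives the update.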
--
2.9.3


@ -0,0 +1,54 @@
From f3f50d7a9ca36d0d56f29d25e4fceaa50c9a06e9 Mon Sep 17 00:00:00 2001
From: Petr Cech <pcech@redhat.com>
Date: Wed, 17 Aug 2016 14:01:09 +0200
Subject: [PATCH 06/39] INTG: Adding support for netgroups to ldap_ent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://fedorahosted.org/sssd/ticket/2841
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 1cba321946084231c220e9561487555671b944c3)
---
src/tests/intg/ldap_ent.py | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/tests/intg/ldap_ent.py b/src/tests/intg/ldap_ent.py
index f8f2f7fe6977aec6fd704ad1c78a476a163a16f1..c912844b063cfeb9c48744d593685d0b7fbcc706 100644
--- a/src/tests/intg/ldap_ent.py
+++ b/src/tests/intg/ldap_ent.py
@@ -87,6 +87,20 @@ def group_bis(base_dn, cn, gidNumber, member_uids=[], member_gids=[]):
return ("cn=" + cn + ",ou=Groups," + base_dn, attr_list)
+def netgroup(base_dn, cn, triples=(), members=()):
+ """
+ Generate an RFC2307bis netgroup add-modlist for passing to ldap.add*.
+ """
+ attr_list = [
+ ('objectClass', ['top', 'nisNetgroup'])
+ ]
+ if triples:
+ attr_list.append(('nisNetgroupTriple', triples))
+ if members:
+ attr_list.append(('memberNisNetgroup', members))
+ return ("cn=" + cn + ",ou=Netgroups," + base_dn, attr_list)
+
+
class List(list):
"""LDAP add-modlist list"""
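Review bot: the docstring calls this an "RFC2307bis netgroup", but `nisNetgroup`, `nisNetgroupTriple` and `memberNisNetgroup` come from the plain RFC 2307 NIS schema and are unchanged in rfc2307bis, so the helper is schema-neutral; say so rather than implying it only applies with `ldap_schema = rfc2307bis`. The `triples=()`/`members=()` defaults correctly avoid the mutable-default pattern visible in `group_bis` above (`member_uids=[]`).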
@@ -124,3 +138,8 @@ class List(list):
self.append(group_bis(base_dn or self.base_dn,
cn, gidNumber,
member_uids, member_gids))
+
+ def add_netgroup(self, cn, triples=(), members=(), base_dn=None):
+ """Add an RFC2307bis netgroup add-modlist."""
+ self.append(netgroup(base_dn or self.base_dn,
+ cn, triples, members))
--
2.9.3


@ -0,0 +1,501 @@
From 620d402a126580a13730f446dd99bf50814c9fb8 Mon Sep 17 00:00:00 2001
From: Petr Cech <pcech@redhat.com>
Date: Wed, 17 Aug 2016 13:58:30 +0200
Subject: [PATCH 07/39] INTG: Tests for ldap nested netgroups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch adds tests based on the reproducer for t2841.
Resolves:
https://fedorahosted.org/sssd/ticket/2841
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 05457ed0e399aaacc919b7aacee5d8210e1c1072)
---
src/tests/intg/Makefile.am | 1 +
src/tests/intg/test_netgroup.py | 459 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 460 insertions(+)
create mode 100644 src/tests/intg/test_netgroup.py
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index d73e4216310ccd1c90e6b7eb0a0e60068fc45bd5..75422a4417046116bec11a8a680fe2248e3afb69 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -15,6 +15,7 @@ dist_noinst_DATA = \
test_ldap.py \
test_memory_cache.py \
test_ts_cache.py \
+ test_netgroup.py \
$(NULL)
config.py: config.py.m4
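Review bot: `test_netgroup.py` is appended after `test_ts_cache.py`, breaking the alphabetical order of the `dist_noinst_DATA` list shown in the context lines; insert it between `test_memory_cache.py` and `test_ts_cache.py` instead.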
diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
new file mode 100644
index 0000000000000000000000000000000000000000..b99476126844e35d5dbc1793077720b4020c2fb7
--- /dev/null
+++ b/src/tests/intg/test_netgroup.py
@@ -0,0 +1,459 @@
+#
+# Netgroup integration test
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Petr Cech <pcech@redhat.com>
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import stat
+import signal
+import subprocess
+import time
+import ldap
+import ldap.modlist
+import pytest
+
+import config
+import ds_openldap
+import ldap_ent
+from util import unindent
+import sssd_netgroup
+
+LDAP_BASE_DN = "dc=example,dc=com"
+
+
+@pytest.fixture(scope="module")
+def ds_inst(request):
+ """LDAP server instance fixture"""
+ ds_inst = ds_openldap.DSOpenLDAP(
+ config.PREFIX, 10389, LDAP_BASE_DN,
+ "cn=admin", "Secret123"
+ )
+
+ try:
+ ds_inst.setup()
+ except:
+ ds_inst.teardown()
+ raise
+ request.addfinalizer(ds_inst.teardown)
+ return ds_inst
+
+
+@pytest.fixture(scope="module")
+def ldap_conn(request, ds_inst):
+ """LDAP server connection fixture"""
+ ldap_conn = ds_inst.bind()
+ ldap_conn.ds_inst = ds_inst
+ request.addfinalizer(ldap_conn.unbind_s)
+ return ldap_conn
+
+
+def create_ldap_entries(ldap_conn, ent_list=None):
+ """Add LDAP entries from ent_list"""
+ if ent_list is not None:
+ for entry in ent_list:
+ ldap_conn.add_s(entry[0], entry[1])
+
+
+def cleanup_ldap_entries(ldap_conn, ent_list=None):
+ """Remove LDAP entries added by create_ldap_entries"""
+ if ent_list is None:
+ for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"):
+ for entry in ldap_conn.search_s("ou=" + ou + "," +
+ ldap_conn.ds_inst.base_dn,
+ ldap.SCOPE_ONELEVEL,
+ attrlist=[]):
+ ldap_conn.delete_s(entry[0])
+ else:
+ for entry in ent_list:
+ ldap_conn.delete_s(entry[0])
+
+
+def create_ldap_cleanup(request, ldap_conn, ent_list=None):
+ """Add teardown for removing all user/group LDAP entries"""
+ request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list))
+
+
+def create_ldap_fixture(request, ldap_conn, ent_list=None):
+ """Add LDAP entries and add teardown for removing them"""
+ create_ldap_entries(ldap_conn, ent_list)
+ create_ldap_cleanup(request, ldap_conn, ent_list)
+
+
+SCHEMA_RFC2307_BIS = "rfc2307bis"
+
+
+def format_basic_conf(ldap_conn, schema):
+ """Format a basic SSSD configuration"""
+ schema_conf = "ldap_schema = " + schema + "\n"
+ schema_conf += "ldap_group_object_class = groupOfNames\n"
+ return unindent("""\
+ [sssd]
+ domains = LDAP
+ services = nss
+
+ [domain/LDAP]
+ {schema_conf}
+ id_provider = ldap
+ auth_provider = ldap
+ ldap_uri = {ldap_conn.ds_inst.ldap_url}
+ ldap_search_base = {ldap_conn.ds_inst.base_dn}
+ ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn}
+ """).format(**locals())
+
+
+def create_conf_file(contents):
+ """Create sssd.conf with specified contents"""
+ conf = open(config.CONF_PATH, "w")
+ conf.write(contents)
+ conf.close()
+ os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR)
+
+
+def cleanup_conf_file():
+ """Remove sssd.conf, if it exists"""
+ if os.path.lexists(config.CONF_PATH):
+ os.unlink(config.CONF_PATH)
+
+
+def create_conf_cleanup(request):
+ """Add teardown for removing sssd.conf"""
+ request.addfinalizer(cleanup_conf_file)
+
+
+def create_conf_fixture(request, contents):
+ """
+ Create sssd.conf with specified contents and add teardown for removing it
+ """
+ create_conf_file(contents)
+ create_conf_cleanup(request)
+
+
+def create_sssd_process():
+ """Start the SSSD process"""
+ if subprocess.call(["sssd", "-D", "-f"]) != 0:
+ raise Exception("sssd start failed")
+
+
+def cleanup_sssd_process():
+ """Stop the SSSD process and remove its state"""
+ try:
+ pid_file = open(config.PIDFILE_PATH, "r")
+ pid = int(pid_file.read())
+ os.kill(pid, signal.SIGTERM)
+ while True:
+ try:
+ os.kill(pid, signal.SIGCONT)
+ except:
+ break
+ time.sleep(1)
+ except:
+ pass
+ for path in os.listdir(config.DB_PATH):
+ os.unlink(config.DB_PATH + "/" + path)
+ for path in os.listdir(config.MCACHE_PATH):
+ os.unlink(config.MCACHE_PATH + "/" + path)
+
+
+def create_sssd_cleanup(request):
+ """Add teardown for stopping SSSD and removing its state"""
+ request.addfinalizer(cleanup_sssd_process)
+
+
+def create_sssd_fixture(request):
+ """Start SSSD and add teardown for stopping it and removing its state"""
+ create_sssd_process()
+ create_sssd_cleanup(request)
+
+
+@pytest.fixture
+def add_empty_netgroup(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ ent_list.add_netgroup("empty_netgroup")
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_add_empty_netgroup(add_empty_netgroup):
+ """
+ Adding empty netgroup.
+ """
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("empty_netgroup")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == []
+
+
+@pytest.fixture
+def add_tripled_netgroup(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ ent_list.add_netgroup("tripled_netgroup", ["(host,user,domain)"])
+
+ ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)",
+ "(host2,user2,domain2)"])
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_add_tripled_netgroup(add_tripled_netgroup):
+ """
+ Adding netgroup with triplet.
+ """
+
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("host", "user", "domain")]
+
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("adv_tripled_netgroup")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert sorted(netgrps) == sorted([("host1", "user1", "domain1"),
+ ("host2", "user2", "domain2")])
+
+
+@pytest.fixture
+def add_mixed_netgroup(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ ent_list.add_netgroup("mixed_netgroup1")
+ ent_list.add_netgroup("mixed_netgroup2", members=["mixed_netgroup1"])
+
+ ent_list.add_netgroup("mixed_netgroup3", ["(host1,user1,domain1)"])
+ ent_list.add_netgroup("mixed_netgroup4",
+ ["(host2,user2,domain2)", "(host3,user3,domain3)"])
+
+ ent_list.add_netgroup("mixed_netgroup5",
+ ["(host4,user4,domain4)"],
+ ["mixed_netgroup1"])
+ ent_list.add_netgroup("mixed_netgroup6",
+ ["(host5,user5,domain5)"],
+ ["mixed_netgroup2"])
+
+ ent_list.add_netgroup("mixed_netgroup7", members=["mixed_netgroup3"])
+ ent_list.add_netgroup("mixed_netgroup8",
+ members=["mixed_netgroup3", "mixed_netgroup4"])
+
+ ent_list.add_netgroup("mixed_netgroup9",
+ ["(host6,user6,domain6)"],
+ ["mixed_netgroup3", "mixed_netgroup4"])
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_add_mixed_netgroup(add_mixed_netgroup):
+ """
+ Adding many netgroups of different type.
+ """
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == []
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == []
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup3")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [("host1", "user1", "domain1")]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup4")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert sorted(netgroups) == sorted([("host2", "user2", "domain2"),
+ ("host3", "user3", "domain3")])
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup5")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [("host4", "user4", "domain4")]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup6")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [("host5", "user5", "domain5")]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup7")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [("host1", "user1", "domain1")]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup8")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert sorted(netgroups) == sorted([("host1", "user1", "domain1"),
+ ("host2", "user2", "domain2"),
+ ("host3", "user3", "domain3")])
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup9")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert sorted(netgroups) == sorted([("host1", "user1", "domain1"),
+ ("host2", "user2", "domain2"),
+ ("host3", "user3", "domain3"),
+ ("host6", "user6", "domain6")])
+
+
+@pytest.fixture
+def remove_step_by_step(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ ent_list.add_netgroup("rm_empty_netgroup1", ["(host1,user1,domain1)"])
+ ent_list.add_netgroup("rm_empty_netgroup2",
+ ["(host2,user2,domain2)"],
+ ["rm_empty_netgroup1"])
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return ent_list
+
+
+def test_remove_step_by_step(remove_step_by_step, ldap_conn):
+ """
+ Removing netgroups step by step.
+ """
+
+ ent_list = remove_step_by_step
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host1', 'user1', 'domain1')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert sorted(netgroups) == sorted([('host1', 'user1', 'domain1'),
+ ('host2', 'user2', 'domain2')])
+
+ # removing of rm_empty_netgroup1
+ ldap_conn.delete_s(ent_list[0][0])
+ ent_list.remove(ent_list[0])
+
+ if subprocess.call(["sss_cache", "-N"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.NOTFOUND
+ assert netgroups == []
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host2', 'user2', 'domain2')]
+
+ # removing of rm_empty_netgroup2
+ ldap_conn.delete_s(ent_list[0][0])
+ ent_list.remove(ent_list[0])
+
+ if subprocess.call(["sss_cache", "-N"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.NOTFOUND
+ assert netgroups == []
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.NOTFOUND
+ assert netgroups == []
+
+
+@pytest.fixture
+def removing_nested_netgroups(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ ent_list.add_netgroup("t2841_netgroup1", ["(host1,user1,domain1)"])
+ ent_list.add_netgroup("t2841_netgroup2", ["(host2,user2,domain2)"])
+ ent_list.add_netgroup("t2841_netgroup3",
+ members=["t2841_netgroup1", "t2841_netgroup2"])
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_removing_nested_netgroups(removing_nested_netgroups, ldap_conn):
+ """
+ Regression test for ticket 2841.
+ https://fedorahosted.org/sssd/ticket/2841
+ """
+
+ netgrp_dn = 'cn=t2841_netgroup3,ou=Netgroups,' + ldap_conn.ds_inst.base_dn
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host1', 'user1', 'domain1')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host2', 'user2', 'domain2')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert sorted(netgroups) == sorted([('host1', 'user1', 'domain1'),
+ ('host2', 'user2', 'domain2')])
+
+ # removing of t2841_netgroup1 from t2841_netgroup3
+ old = {'memberNisNetgroup': ["t2841_netgroup1", "t2841_netgroup2"]}
+ new = {'memberNisNetgroup': ["t2841_netgroup2"]}
+
+ ldif = ldap.modlist.modifyModlist(old, new)
+ ldap_conn.modify_s(netgrp_dn, ldif)
+
+ if subprocess.call(["sss_cache", "-N"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host1', 'user1', 'domain1')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host2', 'user2', 'domain2')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host2', 'user2', 'domain2')]
+
+ # removing of t2841_netgroup2 from t2841_netgroup3
+ old = {'memberNisNetgroup': ["t2841_netgroup2"]}
+ new = {'memberNisNetgroup': []}
+
+ ldif = ldap.modlist.modifyModlist(old, new)
+ ldap_conn.modify_s(netgrp_dn, ldif)
+
+ if subprocess.call(["sss_cache", "-N"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host1', 'user1', 'domain1')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host2', 'user2', 'domain2')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == []
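Review bot: the two `subprocess.call(["sss_cache", "-N"])` guards raise `Exception("sssd_cache failed")`, but the binary invoked is `sss_cache`; the message should name the command actually run. A second point: test_removing_nested_netgroups builds `netgrp_dn` by hand (`'cn=t2841_netgroup3,ou=Netgroups,' + ldap_conn.ds_inst.base_dn`) while test_remove_step_by_step takes the DN from `ent_list[0][0]`; taking the DN from the entry list in both tests keeps them from silently breaking if ldap_ent.List ever changes the container it writes to. Finally, the `removing_nested_netgroups` fixture returns None and its argument is never used in the test body, so a `pytest.mark.usefixtures` marker would express the dependency more honestly than a dummy parameter.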
--
2.9.3



@ -0,0 +1,97 @@
From 2263fb23bdbbf313535edf54440fe20627b57d7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 22 Aug 2016 13:15:04 +0200
Subject: [PATCH 08/39] watchdog: cope with time shift
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When the time is changed into the past during sssd runtime
(e.g. on boot during time correction), it is possible that
we never hit the watchdog tevent timer since it is based on
system time.
This patch adds a past-time shift detection mechanism. If a time
shift is detected we restart the watchdog.
Resolves:
https://fedorahosted.org/sssd/ticket/3154
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit b8ceaeb80cffb00c26390913ea959b77f7e848b9)
---
src/util/util_watchdog.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
index 5032fddba1b94b3fc7e560162c392dfa57d699cf..1c27d73f13b3042ecb549a2184e1368e8339d199 100644
--- a/src/util/util_watchdog.c
+++ b/src/util/util_watchdog.c
@@ -29,8 +29,39 @@ struct watchdog_ctx {
struct timeval interval;
struct tevent_timer *te;
volatile int ticks;
+
+ /* To detect time shift. */
+ struct tevent_context *ev;
+ int input_interval;
+ time_t timestamp;
} watchdog_ctx;
+static bool watchdog_detect_timeshift(void)
+{
+ time_t prev_time;
+ time_t cur_time;
+ errno_t ret;
+
+ prev_time = watchdog_ctx.timestamp;
+ cur_time = watchdog_ctx.timestamp = time(NULL);
+ if (cur_time < prev_time) {
+ /* Time shift detected. We need to restart watchdog. */
+ DEBUG(SSSDBG_IMPORTANT_INFO, "Time shift detected, "
+ "restarting watchdog!\n");
+ teardown_watchdog();
+ ret = setup_watchdog(watchdog_ctx.ev, watchdog_ctx.input_interval);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to restart watchdog "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ orderly_shutdown(1);
+ }
+
+ return true;
+ }
+
+ return false;
+}
+
/* the watchdog is purposefully *not* handled by the tevent
* signal handler as it is meant to check if the daemon is
* still processing the event queue itself. A stuck process
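Review bot: watchdog_detect_timeshift() runs in signal context (it is called from watchdog_handler() in the next hunk), yet on a detected shift it calls teardown_watchdog() and setup_watchdog(); those functions are not part of this patch, but the third hunk shows setup_watchdog() storing a tevent context and re-arming the POSIX timer, and the struct keeps a `struct tevent_timer *te`, so tearing that down and recreating it means talloc/tevent calls from a signal handler, which are not async-signal-safe and can corrupt the main loop's state if the signal lands inside an allocation. A safer shape is for the handler to only record the shift in a `volatile` flag next to `ticks` and let the tevent timer callback do the teardown/setup on its next run. Related: `timestamp` is read and written from the handler and written again by setup_watchdog(), but unlike `ticks` it is not declared `volatile`.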
@@ -38,6 +69,12 @@ struct watchdog_ctx {
* signals either */
static void watchdog_handler(int sig)
{
+ /* Do not count ticks if time shift was detected
+ * since watchdog was restarted. */
+ if (watchdog_detect_timeshift()) {
+ return;
+ }
+
/* if 3 ticks passed by kills itself */
if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > 3) {
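Review bot: the early `return` after a detected shift skips counting the tick that triggered this invocation, which is intended, but it also means that if the clock keeps being stepped backwards (each step arriving before three ticks accumulate) the watchdog is restarted every time and never fires; setup_watchdog() is not shown here, so whether it also resets `ticks` cannot be confirmed from the patch. A comment stating the assumption, or a cap on consecutive restarts, would make the behaviour explicit.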
@@ -101,6 +138,10 @@ int setup_watchdog(struct tevent_context *ev, int interval)
watchdog_ctx.interval.tv_sec = interval;
watchdog_ctx.interval.tv_usec = 0;
+ watchdog_ctx.ev = ev;
+ watchdog_ctx.input_interval = interval;
+ watchdog_ctx.timestamp = time(NULL);
+
/* Start the timer */
/* we give 1 second head start to the watchdog event */
its.it_value.tv_sec = interval + 1;
--
2.9.3


@ -0,0 +1,82 @@
From d5a5ff043c5872eb159aa096e1a1fa7863db4f86 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 19 Aug 2016 10:46:12 +0200
Subject: [PATCH 09/39] BUILD: Allow to read private pipes for root
Root can read anything from any directory even with permissions 000.
However SELinux checks discretionary access control (DAC)
and denies access if access is not allowed for root by DAC.
pam_sss uses a different unix socket /var/lib/sss/pipes/private/pam
for users with uid 0. Therefore root needs to be able to read the content
of the directory with private pipes.
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
{ dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
{ dac_override } for pid=20257 comm=vsftpd capability=dac_override
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
Resolves:
https://fedorahosted.org/sssd/ticket/3143
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit f49724cd6b3e0e3274302c3d475e93f7a7094f40)
---
Makefile.am | 8 ++++----
contrib/sssd.spec.in | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 8b9240f4485c0bce976fdabff6904e648f44356e..6219682de0d1fd4b3a813ee2f95b8185531e62bf 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3952,7 +3952,6 @@ SSSD_USER_DIRS = \
$(DESTDIR)$(keytabdir) \
$(DESTDIR)$(mcpath) \
$(DESTDIR)$(pipepath) \
- $(DESTDIR)$(pipepath)/private \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d \
$(DESTDIR)$(gpocachepath) \
@@ -3979,16 +3978,17 @@ installsssddirs::
$(DESTDIR)$(sssddatadir) \
$(DESTDIR)$(sudolibdir) \
$(DESTDIR)$(autofslibdir) \
+ $(DESTDIR)$(pipepath)/private \
$(SSSD_USER_DIRS) \
$(NULL);
if SSSD_USER
- -chown $(SSSD_USER):$(SSSD_USER) \
- $(SSSD_USER_DIRS)
+ -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)
+ -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private
endif
$(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
- $(DESTDIR)$(pipepath)/private \
$(DESTDIR)$(keytabdir) \
$(NULL)
+ $(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private
$(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
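Review bot: the new `-chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private` sets only the owner, while the spec hunk in this same patch pins the group to root (`%attr(750,sssd,root)`); a plain `make install` therefore leaves the group as whatever user created the directory, and with mode 0750 that group is exactly the set of identities granted search access to the private pipes. Use `-chown $(SSSD_USER):root $(DESTDIR)$(pipepath)/private` so both install paths agree on who may traverse the directory.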
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 24af8d518bd065388b14d812de7c1c61975f0cca..1e058ca63c25513253c4b350d286208f40f6b660 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -791,7 +791,7 @@ done
%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
%attr(755,sssd,sssd) %dir %{pipepath}
-%attr(700,sssd,sssd) %dir %{pipepath}/private
+%attr(750,sssd,root) %dir %{pipepath}/private
%attr(755,sssd,sssd) %dir %{pubconfpath}
%attr(755,sssd,sssd) %dir %{gpocachepath}
%attr(750,sssd,sssd) %dir %{_var}/log/%{name}
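Review bot: 0750 with group root grants directory search only to uid 0 and members of group root; the sockets inside keep their own modes, so this widens nothing beyond what root already had via CAP_DAC_READ_SEARCH, it only stops SELinux-confined root processes from needing that capability. A short comment next to the `%attr` line referencing ticket 3143 would keep a later cleanup from "fixing" the owner back to sssd:sssd and reintroducing the AVC denials quoted in the commit message.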
--
2.9.3


@ -0,0 +1,124 @@
From 3258fa9d328f364fa41fd1a5bc5fc3250e87df8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 16 Aug 2016 11:20:49 +0200
Subject: [PATCH 10/39] SYSDB: Rework sysdb_cache_connect()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As sysdb_cache_connect() has two very specific use cases (connect to the
cache and connect to the timestamp cache) and each of those calls has a
predetermined/fixed set of values for a few parameters, let's try to
make the code a bit simpler to follow by having explicit functions for
connecting to the cache and connecting to the timestamp cache.
Macros could be used as well, but I have a slight preference for
having two new functions instead of macros accessing internal parameters
of the macro's parameter.
Related:
https://fedorahosted.org/sssd/ticket/3128
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b6d1cd5eaab4c7c73df8ee041944ec05630a9630)
---
src/db/sysdb_init.c | 53 ++++++++++++++++++++++++++++++++++-------------------
1 file changed, 34 insertions(+), 19 deletions(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index 9e3646bfeb9a494ebff2d348ab1c53336f8a5c03..59934701c4d2b9d770385a202af058404a6d3eb9 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -511,14 +511,14 @@ done:
return ret;
}
-static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
- struct sss_domain_info *domain,
- const char *ldb_file,
- int flags,
- const char *exp_version,
- const char *base_ldif,
- struct ldb_context **_ldb,
- const char **_version)
+static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *ldb_file,
+ int flags,
+ const char *exp_version,
+ const char *base_ldif,
+ struct ldb_context **_ldb,
+ const char **_version)
{
TALLOC_CTX *tmp_ctx = NULL;
struct ldb_message_element *el;
@@ -619,6 +619,29 @@ done:
return ret;
}
+static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ struct ldb_context **ldb,
+ const char **version)
+{
+ return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_file,
+ 0, SYSDB_VERSION, SYSDB_BASE_LDIF,
+ ldb, version);
+}
+
+static errno_t sysdb_ts_cache_connect(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ struct ldb_context **ldb,
+ const char **version)
+{
+ return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_ts_file,
+ LDB_FLG_NOSYNC, SYSDB_TS_VERSION,
+ SYSDB_TS_BASE_LDIF,
+ ldb, version);
+}
+
static errno_t remove_ts_cache(struct sysdb_ctx *sysdb)
{
errno_t ret;
@@ -649,9 +672,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
return ENOMEM;
}
- ret = sysdb_cache_connect(tmp_ctx, domain, sysdb->ldb_file, 0,
- SYSDB_VERSION, SYSDB_BASE_LDIF,
- &ldb, &version);
+ ret = sysdb_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
switch (ret) {
case ERR_SYSDB_VERSION_TOO_OLD:
if (upgrade_ctx == NULL) {
@@ -731,10 +752,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
return ENOMEM;
}
- ret = sysdb_cache_connect(tmp_ctx, domain,
- sysdb->ldb_ts_file, LDB_FLG_NOSYNC,
- SYSDB_TS_VERSION, SYSDB_TS_BASE_LDIF,
- &ldb, &version);
+ ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
switch (ret) {
case ERR_SYSDB_VERSION_TOO_OLD:
if (upgrade_ctx == NULL) {
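Review bot: while these call sites are being rewritten, the last hunk of this file (the reconnect after the timestamp cache has been removed) still logs "Could not delete the timestamp ldb file" when sysdb_ts_cache_connect() fails; at that point the deletion has already succeeded and it is the connect to the freshly created cache that failed, so the message is misleading and should say so.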
@@ -801,10 +819,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
/* Now the connect must succeed because the previous cache doesn't
* exist anymore.
*/
- ret = sysdb_cache_connect(tmp_ctx, domain,
- sysdb->ldb_ts_file, LDB_FLG_NOSYNC,
- SYSDB_TS_VERSION, SYSDB_TS_BASE_LDIF,
- &ldb, &version);
+ ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
"Could not delete the timestamp ldb file (%d) (%s)\n",
--
2.9.3


@ -0,0 +1,152 @@
From 85fed431388c7f7f70dbf5bcd0b4f8a889c60bc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 16 Aug 2016 11:46:41 +0200
Subject: [PATCH 11/39] SYSDB: Remove the timestamp cache for a newly created
cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As many users are used to removing the persistent cache without removing
the timestamp cache, let's throw away the timestamp cache in this case.
Resolves:
https://fedorahosted.org/sssd/ticket/3128
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 9023bf51de6c84337af024388f1860ac1051924c)
---
src/db/sysdb_init.c | 69 ++++++++++++++++++++++++++++++++++++-----------------
1 file changed, 47 insertions(+), 22 deletions(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index 59934701c4d2b9d770385a202af058404a6d3eb9..c387c1b12c116f38d5a13f1adeac5ef64d593af8 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -511,12 +511,30 @@ done:
return ret;
}
+static errno_t remove_ts_cache(struct sysdb_ctx *sysdb)
+{
+ errno_t ret;
+
+ if (sysdb->ldb_ts_file == NULL) {
+ return EOK;
+ }
+
+ ret = unlink(sysdb->ldb_ts_file);
+ if (ret != EOK && errno != ENOENT) {
+ return errno;
+ }
+
+ return EOK;
+}
+
static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,
const char *ldb_file,
int flags,
const char *exp_version,
const char *base_ldif,
+ bool *_newly_created,
struct ldb_context **_ldb,
const char **_version)
{
@@ -527,6 +545,7 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
const char *version = NULL;
int ret;
struct ldb_context *ldb;
+ bool newly_created;
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
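Review bot: `bool newly_created;` has no initializer and the only assignment this patch adds is `newly_created = true;` on the freshly-created path; unless the existing-cache path (not shown) sets it to false before jumping to `done:`, `*_newly_created = newly_created` copies an indeterminate value and sysdb_cache_connect() may unlink a perfectly good timestamp cache. Initialise it to `false` at the declaration.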
@@ -592,8 +611,9 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
goto done;
}
- /* The cache has been newly created.
- * We need to reopen the LDB to ensure that
+ newly_created = true;
+
+ /* We need to reopen the LDB to ensure that
* all of the special values take effect
* (such as enabling the memberOf plugin and
* the various indexes).
@@ -613,6 +633,9 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
}
done:
if (ret == EOK) {
+ if (_newly_created != NULL) {
+ *_newly_created = newly_created;
+ }
*_ldb = talloc_steal(mem_ctx, ldb);
}
talloc_free(tmp_ctx);
@@ -625,9 +648,27 @@ static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
struct ldb_context **ldb,
const char **version)
{
- return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_file,
+ bool newly_created;
+ bool ldb_file_exists;
+ errno_t ret;
+
+ ldb_file_exists = !(access(sysdb->ldb_file, F_OK) == -1 && errno == ENOENT);
+
+ ret = sysdb_cache_connect_helper(mem_ctx, sysdb, domain, sysdb->ldb_file,
0, SYSDB_VERSION, SYSDB_BASE_LDIF,
- ldb, version);
+ &newly_created, ldb, version);
+
+ /* The cache has been newly created. */
+ if (ret == EOK && newly_created && !ldb_file_exists) {
+ ret = remove_ts_cache(sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not delete the timestamp ldb file (%d) (%s)\n",
+ ret, sss_strerror(ret));
+ }
+ }
+
+ return ret;
}
static errno_t sysdb_ts_cache_connect(TALLOC_CTX *mem_ctx,
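Review bot: `ldb_file_exists` treats every access() failure other than ENOENT as "the file exists", so a permissions problem on the cache path (EACCES) is silently classified as an existing cache and a stale timestamp cache is kept; that is the conservative direction, but deserves a comment. The probe is also separated from the ldb open performed inside the helper, so a cache created between the two calls would be misclassified; harmless as long as sssd_be is the only writer, and worth stating next to the check.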
@@ -636,28 +677,12 @@ static errno_t sysdb_ts_cache_connect(TALLOC_CTX *mem_ctx,
struct ldb_context **ldb,
const char **version)
{
- return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_ts_file,
+ return sysdb_cache_connect_helper(mem_ctx, sysdb, domain, sysdb->ldb_ts_file,
LDB_FLG_NOSYNC, SYSDB_TS_VERSION,
- SYSDB_TS_BASE_LDIF,
+ SYSDB_TS_BASE_LDIF, NULL,
ldb, version);
}
-static errno_t remove_ts_cache(struct sysdb_ctx *sysdb)
-{
- errno_t ret;
-
- if (sysdb->ldb_ts_file == NULL) {
- return EOK;
- }
-
- ret = unlink(sysdb->ldb_ts_file);
- if (ret != EOK && errno != ENOENT) {
- return errno;
- }
-
- return EOK;
-}
-
static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,
struct sysdb_dom_upgrade_ctx *upgrade_ctx)
--
2.9.3


@ -0,0 +1,48 @@
From 2a287173752a2854df5e4bdb6b27328837be4805 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 17 Aug 2016 13:12:21 +0200
Subject: [PATCH 12/39] SECRETS: Return ENOENT when deleting a non-existent
secret
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
For this, just make use of the sysdb_error_to_errno() function.
Resolves:
https://fedorahosted.org/sssd/ticket/3125
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit c4a3b24dc70fb50c8c0cc5490c29a3755d8b1b73)
---
src/responder/secrets/local.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
index 17469249b357cbdc5e50ddff6b563fdf2f377577..ac3049b62fa77f69d44ec5792139fe3378afb3f4 100644
--- a/src/responder/secrets/local.c
+++ b/src/responder/secrets/local.c
@@ -375,15 +375,10 @@ int local_db_delete(TALLOC_CTX *mem_ctx,
int ret;
ret = local_db_dn(mem_ctx, lctx->ldb, req_path, &dn);
- if (ret != EOK) goto done;
+ if (ret != EOK) return ret;
ret = ldb_delete(lctx->ldb, dn);
- if (ret != EOK) {
- ret = EIO;
- }
-
-done:
- return ret;
+ return sysdb_error_to_errno(ret);
}
int local_db_create(TALLOC_CTX *mem_ctx,
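Review bot: the behaviour change (ENOENT instead of EIO when the secret does not exist) ships without a test; the diffstat touches only src/responder/secrets/local.c. A test that deletes a path that was never created and asserts on the returned status would pin ticket 3125, and it is worth checking that the caller maps ENOENT to a 404 rather than a generic error, otherwise the change is not visible to clients.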
--
2.9.3


@ -0,0 +1,27 @@
From 8fbc37dac506556c53f7fcb63a219af71eeaa9be Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 19 Aug 2016 18:06:45 +0200
Subject: [PATCH 13/39] SPEC: Fix typo in Summary
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit afa6891a809db262a49f68913f82a3a6137d8e2e)
---
contrib/sssd.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 1e058ca63c25513253c4b350d286208f40f6b660..1f79ca7cd0a56dc1ab9c951abe11dc216ef3ad03 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -588,7 +588,7 @@ License: GPLv3+ and LGPLv3+
Development libraries for the SSSD libwbclient implementation.
%package winbind-idmap
-Summary: SSSSD's idmap_sss Backend for Winbind
+Summary: SSSD's idmap_sss Backend for Winbind
Group: Applications/System
License: GPLv3+ and LGPLv3+
--
2.9.3


@ -0,0 +1,62 @@
From 82ccc38b4143b996ca9741f3682c2bb1f2694bef Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 9 Aug 2016 22:08:27 +0200
Subject: [PATCH 14/39] IPA: Parse qualified names when guessing AD user
principal
Most AD users store their UPN in an attribute. If they don't, or the sssd
was configured (typically in earlier versions to work around a bug) to not
look at the principal attribute, then sssd is supposed to guess
the attribute.
That currently doesn't work in 1.14, because the username is already
qualified and then we also append the realm name to it. We need to parse
the simple username from the qualified name first.
The issue can be reproduced simply by authenticating as the Administrator
account in IPA-AD trust setups.
Resolves:
https://fedorahosted.org/sssd/ticket/3127
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 0302e3e7b3b06b809bd63c7911a42ab3e0a7ebf9)
---
src/providers/ipa/ipa_s2n_exop.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index a8c415b4c86ccd3bd3b180c8df835c75420fbb21..07bbb2b4d252c8ca9ada4d890c36c903c9f75773 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1941,6 +1941,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
struct sss_nss_homedir_ctx homedir_ctx;
char *name = NULL;
char *realm;
+ char *short_name = NULL;
char *upn = NULL;
gid_t gid;
gid_t orig_gid = 0;
@@ -2092,8 +2093,17 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
ret = ENOMEM;
goto done;
}
- upn = talloc_asprintf(tmp_ctx, "%s@%s",
- attrs->a.user.pw_name, realm);
+
+ ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
+ &short_name, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse internal name %s\n",
+ attrs->a.user.pw_name);
+ goto done;
+ }
+
+ upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
if (!upn) {
DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
ret = ENOMEM;
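Review bot: a failure of sss_parse_internal_fqname() now aborts saving the whole object with a CRIT message, although the UPN assembled here is only a guess for the case where no principal attribute was returned; failing the lookup for a user that is otherwise fully identified is harsher than leaving `upn` NULL and continuing. If hard failure is intended, the message should say why an unqualified `pw_name` is unexpected at this point (the commit message states names are already qualified when they reach this code).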
--
2.9.3


@ -0,0 +1,114 @@
From 18c3db957a198351f8d3c13c51dff976ad736021 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 24 Aug 2016 13:16:31 +0200
Subject: [PATCH 15/39] PROXY: Remove lowercase attribute from save_user()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As this function already receives a struct sss_domain_info * parameter
as argument, we can simply check whether we will need a lowercase name
by accessing domain->case_sensitive.
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 413aef1529fb3d5ed4d0f38e219f5456d7fe3ae0)
---
src/providers/proxy/proxy_id.c | 22 +++++++++-------------
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index b0c82807b42d91a4212578ca98af7f96484735b1..ff2631c9b493c8c688919139114da5520b428e04 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -31,7 +31,7 @@
/* =Getpwnam-wrapper======================================================*/
static int save_user(struct sss_domain_info *domain,
- bool lowercase, struct passwd *pwd, const char *real_name,
+ struct passwd *pwd, const char *real_name,
const char *alias, uint64_t cache_timeout);
static int
@@ -143,8 +143,7 @@ static int get_pw_name(struct proxy_id_ctx *ctx,
}
/* Both lookups went fine, we can save the user now */
- ret = save_user(dom, !dom->case_sensitive, pwd,
- real_name, i_name, dom->user_timeout);
+ ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout);
done:
talloc_zfree(tmpctx);
@@ -224,7 +223,7 @@ delete_user(struct sss_domain_info *domain,
}
static int save_user(struct sss_domain_info *domain,
- bool lowercase, struct passwd *pwd, const char *real_name,
+ struct passwd *pwd, const char *real_name,
const char *alias, uint64_t cache_timeout)
{
const char *shell;
@@ -246,7 +245,7 @@ static int save_user(struct sss_domain_info *domain,
gecos = NULL;
}
- if (lowercase || alias) {
+ if (!domain->case_sensitive || alias) {
attrs = sysdb_new_attrs(NULL);
if (!attrs) {
DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n");
@@ -255,7 +254,7 @@ static int save_user(struct sss_domain_info *domain,
}
}
- if (lowercase) {
+ if (!domain->case_sensitive) {
lc_pw_name = sss_tc_utf8_str_tolower(attrs, real_name);
if (lc_pw_name == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
@@ -273,7 +272,7 @@ static int save_user(struct sss_domain_info *domain,
}
if (alias) {
- cased_alias = sss_get_cased_name(attrs, alias, !lowercase);
+ cased_alias = sss_get_cased_name(attrs, alias, domain->case_sensitive);
if (!cased_alias) {
ret = ENOMEM;
goto done;
@@ -366,8 +365,7 @@ static int get_pw_uid(struct proxy_id_ctx *ctx,
pwd->pw_name);
goto done;
}
- ret = save_user(dom, !dom->case_sensitive, pwd,
- name, NULL, dom->user_timeout);
+ ret = save_user(dom, pwd, name, NULL, dom->user_timeout);
done:
talloc_zfree(tmpctx);
@@ -497,8 +495,7 @@ static int enum_users(TALLOC_CTX *mem_ctx,
pwd->pw_name);
goto done;
}
- ret = save_user(dom, !dom->case_sensitive, pwd,
- name, NULL, dom->user_timeout);
+ ret = save_user(dom, pwd, name, NULL, dom->user_timeout);
if (ret) {
/* Do not fail completely on errors.
* Just report the failure to save and go on */
@@ -1331,8 +1328,7 @@ static int get_initgr(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = save_user(dom, !dom->case_sensitive, pwd,
- real_name, i_name, dom->user_timeout);
+ ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE, "Could not save user\n");
goto fail;
--
2.9.3


@ -0,0 +1,92 @@
From 87bce14e200e16b3f6ec9a79333b2a9da0274fbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 24 Aug 2016 13:25:44 +0200
Subject: [PATCH 16/39] PROXY: Remove cache_timeout attribute from save_user()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As this function already receives a struct sss_domain_info * parameter
as argument, we can simply get the cache_timeout attribute by accessing
domain->user_timeout.
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 2537fe318a3866780abca100cf6eb7c258f9d02b)
---
src/providers/proxy/proxy_id.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index ff2631c9b493c8c688919139114da5520b428e04..bdcac66319897981c21e7fd7da7334ee97d010f6 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -32,7 +32,7 @@
static int save_user(struct sss_domain_info *domain,
struct passwd *pwd, const char *real_name,
- const char *alias, uint64_t cache_timeout);
+ const char *alias);
static int
handle_getpw_result(enum nss_status status, struct passwd *pwd,
@@ -143,7 +143,7 @@ static int get_pw_name(struct proxy_id_ctx *ctx,
}
/* Both lookups went fine, we can save the user now */
- ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout);
+ ret = save_user(dom, pwd, real_name, i_name);
done:
talloc_zfree(tmpctx);
@@ -224,7 +224,7 @@ delete_user(struct sss_domain_info *domain,
static int save_user(struct sss_domain_info *domain,
struct passwd *pwd, const char *real_name,
- const char *alias, uint64_t cache_timeout)
+ const char *alias)
{
const char *shell;
const char *gecos;
@@ -299,7 +299,7 @@ static int save_user(struct sss_domain_info *domain,
NULL,
attrs,
NULL,
- cache_timeout,
+ domain->user_timeout,
0);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE, "Could not add user to cache\n");
@@ -365,7 +365,7 @@ static int get_pw_uid(struct proxy_id_ctx *ctx,
pwd->pw_name);
goto done;
}
- ret = save_user(dom, pwd, name, NULL, dom->user_timeout);
+ ret = save_user(dom, pwd, name, NULL);
done:
talloc_zfree(tmpctx);
@@ -495,7 +495,7 @@ static int enum_users(TALLOC_CTX *mem_ctx,
pwd->pw_name);
goto done;
}
- ret = save_user(dom, pwd, name, NULL, dom->user_timeout);
+ ret = save_user(dom, pwd, name, NULL);
if (ret) {
/* Do not fail completely on errors.
* Just report the failure to save and go on */
@@ -1328,7 +1328,7 @@ static int get_initgr(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout);
+ ret = save_user(dom, pwd, real_name, i_name);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE, "Could not save user\n");
goto fail;
--
2.9.3


@ -0,0 +1,76 @@
From c919d358561f4b26b4017f4379fc7b9b791f5cd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 24 Aug 2016 13:29:17 +0200
Subject: [PATCH 17/39] PROXY: Remove cache_timeout attribute from save_group()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As this function already receives a struct sss_domain_info * parameter
as argument, we can simply get the cache_timeout attribute by accessing
domain->group_timeout.
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 221d70ae3c5b7bc7384f57ffd3f88f89a3e6ae6a)
---
src/providers/proxy/proxy_id.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index bdcac66319897981c21e7fd7da7334ee97d010f6..c4d68f8e6855941dda386658758c37b4c9080712 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -558,8 +558,7 @@ static errno_t proxy_process_missing_users(struct sysdb_ctx *sysdb,
static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom,
struct group *grp,
const char *real_name, /* already qualified */
- const char *alias, /* already qualified */
- uint64_t cache_timeout)
+ const char *alias) /* already qualified */
{
errno_t ret, sret;
struct sysdb_attrs *attrs = NULL;
@@ -664,7 +663,7 @@ static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom,
real_name,
grp->gr_gid,
attrs,
- cache_timeout,
+ dom->group_timeout,
now);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE, "Could not add group to cache\n");
@@ -947,7 +946,7 @@ static int get_gr_name(struct proxy_id_ctx *ctx,
goto done;
}
- ret = save_group(sysdb, dom, grp, real_name, i_name, dom->group_timeout);
+ ret = save_group(sysdb, dom, grp, real_name, i_name);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot save group [%d]: %s\n", ret, strerror(ret));
@@ -1032,7 +1031,7 @@ static int get_gr_gid(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = save_group(sysdb, dom, grp, name, NULL, dom->group_timeout);
+ ret = save_group(sysdb, dom, grp, name, NULL);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot save user [%d]: %s\n", ret, strerror(ret));
@@ -1165,8 +1164,7 @@ static int enum_groups(TALLOC_CTX *mem_ctx,
"Ignoring\n");
ret = ENOMEM;
}
- ret = save_group(sysdb, dom, grp, name,
- NULL, dom->group_timeout);
+ ret = save_group(sysdb, dom, grp, name, NULL);
if (ret) {
/* Do not fail completely on errors.
* Just report the failure to save and go on */
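Review bot: in the context just above the changed call, `ret = ENOMEM;` is assigned and then immediately overwritten by `ret = save_group(...)`, so the allocation failure is logged as "Ignoring" but never affects control flow; either drop the dead assignment or skip the save_group() call when it fires. While touching these call sites, the get_gr_gid() hunk above still logs "Cannot save user" on a group save failure; it should read "Cannot save group".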
--
2.9.3


@ -0,0 +1,40 @@
From 232b543cb667cbd0769608b4e5c790ab73f4c2b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 24 Aug 2016 13:32:10 +0200
Subject: [PATCH 18/39] PROXY: Mention that save_user()'s parameters are
already qualified
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Those comments are similar to what we have in the save_group() function.
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 9900d2b153ebb7d994ccd05275f18b973556d5b3)
---
src/providers/proxy/proxy_id.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index c4d68f8e6855941dda386658758c37b4c9080712..921b5253a5ffe90526c73b8078067d69f83c75e6 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -223,8 +223,9 @@ delete_user(struct sss_domain_info *domain,
}
static int save_user(struct sss_domain_info *domain,
- struct passwd *pwd, const char *real_name,
- const char *alias)
+ struct passwd *pwd,
+ const char *real_name, /* already qualified */
+ const char *alias) /* already qualified */
{
const char *shell;
const char *gecos;
--
2.9.3


@ -0,0 +1,222 @@
From b05544a1ba3b49a880b14c8c5c9cafa378c86e24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 24 Aug 2016 14:28:42 +0200
Subject: [PATCH 19/39] PROXY: Share common code of save_{group,user}()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
These two functions (save_user() and save_group()) share, between
themselves, the code preparing the attributes that are going to be
stored in the sysdb.
This patch basically splits this code out of those functions and
introduces the new prepare_attrs_for_saving_ops().
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 69e8b7fcb9e3dc814a9ffc2a97fa656521cc4505)
---
src/providers/proxy/proxy_id.c | 155 +++++++++++++++++++----------------------
1 file changed, 70 insertions(+), 85 deletions(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index 921b5253a5ffe90526c73b8078067d69f83c75e6..48f552925447d1f31c4282e89a5994364dbc074d 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -222,6 +222,68 @@ delete_user(struct sss_domain_info *domain,
return ret;
}
+static int
+prepare_attrs_for_saving_ops(TALLOC_CTX *mem_ctx,
+ bool case_sensitive,
+ const char *real_name, /* already_qualified */
+ const char *alias, /* already qualified */
+ struct sysdb_attrs **attrs)
+{
+ const char *lc_name = NULL;
+ const char *cased_alias = NULL;
+ errno_t ret;
+
+ if (!case_sensitive || alias != NULL) {
+ if (*attrs == NULL) {
+ *attrs = sysdb_new_attrs(mem_ctx);
+ if (*attrs == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ }
+
+ if (!case_sensitive) {
+ lc_name = sss_tc_utf8_str_tolower(*attrs, real_name);
+ if (lc_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(*attrs, SYSDB_NAME_ALIAS, lc_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ }
+
+ if (alias != NULL) {
+ cased_alias = sss_get_cased_name(*attrs, alias, case_sensitive);
+ if (cased_alias == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Add the alias only if it differs from lowercased pw_name */
+ if (lc_name == NULL || strcmp(cased_alias, lc_name) != 0) {
+ ret = sysdb_attrs_add_string(*attrs, SYSDB_NAME_ALIAS,
+ cased_alias);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
+ goto done;
+ }
+ }
+ }
+
+ ret = EOK;
+done:
+ return ret;
+}
+
static int save_user(struct sss_domain_info *domain,
struct passwd *pwd,
const char *real_name, /* already qualified */
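Review bot: in prepare_attrs_for_saving_ops() the failure branch after `sysdb_attrs_add_string(*attrs, SYSDB_NAME_ALIAS, lc_name)` overwrites the real error with `ret = ENOMEM;`, while the alias branch further down keeps whatever sysdb_attrs_add_string() returned; drop the override so both branches report the actual error. The parameter comment `/* already_qualified */` also has a stray underscore compared with the other "already qualified" comments.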
@@ -231,8 +293,6 @@ static int save_user(struct sss_domain_info *domain,
const char *gecos;
struct sysdb_attrs *attrs = NULL;
errno_t ret;
- const char *cased_alias;
- const char *lc_pw_name = NULL;
if (pwd->pw_shell && pwd->pw_shell[0] != '\0') {
shell = pwd->pw_shell;
@@ -246,47 +306,10 @@ static int save_user(struct sss_domain_info *domain,
gecos = NULL;
}
- if (!domain->case_sensitive || alias) {
- attrs = sysdb_new_attrs(NULL);
- if (!attrs) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n");
- ret = ENOMEM;
- goto done;
- }
- }
-
- if (!domain->case_sensitive) {
- lc_pw_name = sss_tc_utf8_str_tolower(attrs, real_name);
- if (lc_pw_name == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
- ret = ENOMEM;
- goto done;
- }
-
- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, lc_pw_name);
- if (ret) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
- ret = ENOMEM;
- goto done;
- }
-
- }
-
- if (alias) {
- cased_alias = sss_get_cased_name(attrs, alias, domain->case_sensitive);
- if (!cased_alias) {
- ret = ENOMEM;
- goto done;
- }
-
- /* Add the alias only if it differs from lowercased pw_name */
- if (lc_pw_name == NULL || strcmp(cased_alias, lc_pw_name) != 0) {
- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, cased_alias);
- if (ret) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
- goto done;
- }
- }
+ ret = prepare_attrs_for_saving_ops(NULL, domain->case_sensitive,
+ real_name, alias, &attrs);
+ if (ret != EOK) {
+ goto done;
}
ret = sysdb_store_user(domain,
@@ -563,8 +586,6 @@ static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom,
{
errno_t ret, sret;
struct sysdb_attrs *attrs = NULL;
- const char *cased_alias;
- const char *lc_gr_name = NULL;
TALLOC_CTX *tmp_ctx;
time_t now = time(NULL);
bool in_transaction = false;
@@ -618,46 +639,10 @@ static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom,
}
}
- if (dom->case_sensitive == false || alias) {
- if (!attrs) {
- attrs = sysdb_new_attrs(tmp_ctx);
- if (!attrs) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n");
- ret = ENOMEM;
- goto done;
- }
- }
- }
-
- if (dom->case_sensitive == false) {
- lc_gr_name = sss_tc_utf8_str_tolower(attrs, real_name);
- if (lc_gr_name == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
- ret = ENOMEM;
- goto done;
- }
-
- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, lc_gr_name);
- if (ret != EOK) {
- goto done;
- }
- }
-
- if (alias) {
- cased_alias = sss_get_cased_name(attrs, alias, dom->case_sensitive);
- if (!cased_alias) {
- ret = ENOMEM;
- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
- goto done;
- }
-
- if (lc_gr_name == NULL || strcmp(cased_alias, lc_gr_name)) {
- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, cased_alias);
- if (ret) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
- goto done;
- }
- }
+ ret = prepare_attrs_for_saving_ops(tmp_ctx, dom->case_sensitive,
+ real_name, alias, &attrs);
+ if (ret != EOK) {
+ goto done;
}
ret = sysdb_store_group(dom,
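Review bot: the shared helper slightly changes save_group()'s error reporting compared with the removed lines: the "Could not add name alias" message logged when sss_get_cased_name() returned NULL is gone, and a failure of the first sysdb_attrs_add_string() call is now reported as ENOMEM instead of the value the function returned. Neither is serious, but the commit message should say the two functions now share one error-handling behaviour rather than calling this a pure code move.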
--
2.9.3


@ -0,0 +1,36 @@
From 007341bedfcc7e356f4bcb1af8b29acab133300a Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 29 Aug 2016 09:13:49 +0200
Subject: [PATCH 20/39] SYSDB: Fix uninitialized scalar variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The boolean variable newly_created could be used uninitialized
in done section in case of failure. The variable was firstly initialized
to true after successful execution of function sysdb_cache_create_empty.
Uninitialized variable usually means true for boolean variable.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 975d0b67a40847265523d195438bf4753d18ff1c)
---
src/db/sysdb_init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index c387c1b12c116f38d5a13f1adeac5ef64d593af8..d110aa7a2878e47650db177cfd342d0ac32248ab 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -545,7 +545,7 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
const char *version = NULL;
int ret;
struct ldb_context *ldb;
- bool newly_created;
+ bool newly_created = false;
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
--
2.9.3


@ -0,0 +1,82 @@
From 9a3ae9e00405501c964b489ac3415482ba3b3974 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Thu, 18 Aug 2016 16:24:17 +0200
Subject: [PATCH 21/39] BUILD: Add a few more targets for intg tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Running "make intgcheck" has been proven to be a bit painful (mainly
when the developer is just writing down a single test case), as it
cleans up the build directory and fires a new build before, finally,
run the tests.
In order to make it a little less painful, let's break the whole
operation into 3 new targets:
intgcheck-{prepare,run,clean}.
As expected, "make intgcheck" calls these 3 new operations in the same
order they were presented, thus not changing the current behavior.
Each operation will trigger the previous one in case there is no
"$$prefix" directory created and the directory is _only_ created in the
very first operation (intgcheck-prepare).
A note must be made about how to run a single test file or a single test
from a test file when running "make intgcheck-run". The option has always
been here but only makes sense now that we have the intgcheck split in a
few useful steps. See the examples below (and for more detailed
information, check the py.test documentation):
#Run a single file
make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_netgroup.py"
#Run a single test from a single file
make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_add_empty_netgroup"
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 6159c33125f8ee82e88d495ea2aa5d00018ea844)
---
Makefile.am | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 6219682de0d1fd4b3a813ee2f95b8185531e62bf..6299ac7a7bf1c2ed41dfeeda7063c8901214941a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3076,7 +3076,7 @@ endif
# Integration tests #
#####################
-intgcheck:
+intgcheck-prepare:
echo "temporarily disabled"
set -e; \
rm -Rf intg; \
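Review bot: the renamed intgcheck-prepare rule still starts with `echo "temporarily disabled"`, which is misleading now that the target is meant to be run as the first step of the split workflow; the line should go in this patch rather than a follow-up.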
@@ -3096,10 +3096,23 @@ intgcheck:
$(MAKE) $(AM_MAKEFLAGS) -j1 install; \
: Remove .la files from LDB module directory to avoid loader warnings; \
rm "$$prefix"/lib/ldb/*.la; \
+ cd ../..
+
+intgcheck-run:
+ if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-build; fi; \
+ cd intg/bld; \
$(MAKE) $(AM_MAKEFLAGS) -C src/tests/intg intgcheck-installed; \
- cd ../..; \
+ cd ../..
+
+intgcheck-clean:
+ prefix=`readlink -e intg/pfx`; \
rm -Rf "$$prefix" intg
+intgcheck:
+ $(MAKE) intgcheck-prepare
+ $(MAKE) intgcheck-run
+ $(MAKE) intgcheck-clean
+
####################
# Client Libraries #
####################
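Review bot: the intgcheck-run recipe is a single shell line with no `set -e`, so its exit status is that of the trailing `cd ../..` and a failing `$(MAKE) $(AM_MAKEFLAGS) -C src/tests/intg intgcheck-installed` would not fail the target (the intgcheck-prepare chain above does start with `set -e; \`); prefix the chain the same way. The guard also calls a target named `intgcheck-build`, which does not exist; the commit message calls it intgcheck-prepare. Finally, intgcheck-clean does not check for the prefix directory although the commit message says every operation triggers the previous one.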
--
2.9.3


@ -0,0 +1,60 @@
From 557e0e8c28a77b423a3746168a3be8e8a8d5462d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 17 Aug 2016 21:08:23 +0200
Subject: [PATCH 22/39] BUILD: Clean up prerelease targets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Clean up the pre-release targets in order to avoid lines exceeding 80
characters.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 01d970a8afa6ffed82b3e8dda96e08118222e16e)
---
Makefile.am | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 6299ac7a7bf1c2ed41dfeeda7063c8901214941a..4a56d8b0a3ea49c9fae35bf5717871ea515813b8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4202,6 +4202,14 @@ rpmroot:
$(MKDIR_P) $(RPMBUILD)/SPECS
$(MKDIR_P) $(RPMBUILD)/SRPMS
+# pre-release related vars
+
+PR_VERSION_DATE := $(shell date +%Y%m%d.%H%M)
+PR_VERSION_COMMIT_HASH := $(shell git log -1 --pretty=format:%h)
+PR_VERSION_NUMBER = $(PR_VERSION_DATE).git$(PR_VERSION_COMMIT_HASH)
+PR_VERSION_REGEX = m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\])
+PR_VERSION_REPL = m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.$(PR_VERSION_NUMBER)\])
+
rpmbrprep: dist-gzip rpmroot
if GIT_CHECKOUT
# When we're building RPMs from a git checkout,
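Review bot: PR_VERSION_DATE and PR_VERSION_COMMIT_HASH are defined with `:=` outside the `if GIT_CHECKOUT` block, so `$(shell date ...)` and `$(shell git log ...)` run whenever the Makefile is parsed, for every target, and a tarball build without a git checkout will print a git error on each make invocation. Either move the definitions under `if GIT_CHECKOUT` or make them recursively expanded with `=` so they are only evaluated when the prerelease targets reference them.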
@@ -4219,7 +4227,8 @@ rpms: rpmbrprep
if GIT_CHECKOUT
prerelease-rpms:
cp $(srcdir)/version.m4 $(srcdir)/version.m4.orig
- sed -e "s/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\])/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.`date +%Y%m%d.%H%M`.git`git log -1 --pretty=format:%h`\])/" < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
+ sed -e "s/$(PR_VERSION_REGEX)/$(PR_VERSION_REPL)/" \
+ < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
$(MAKE) rpms
mv $(srcdir)/version.m4.orig $(srcdir)/version.m4
endif
@@ -4234,7 +4243,8 @@ srpm: rpmbrprep
if GIT_CHECKOUT
prerelease-srpm:
cp $(srcdir)/version.m4 $(srcdir)/version.m4.orig
- sed -e "s/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\])/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.`date +%Y%m%d.%H%M`.git`git log -1 --pretty=format:%h`\])/" < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
+ sed -e "s/$(PR_VERSION_REGEX)/$(PR_VERSION_REPL)/" \
+ < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
$(MAKE) srpm
mv $(srcdir)/version.m4.orig $(srcdir)/version.m4
endif
--
2.9.3


@ -0,0 +1,34 @@
From 665ef221b1c2144a78ed9f98263bb8b9acce6f6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 29 Aug 2016 16:01:59 +0200
Subject: [PATCH 23/39] BUILD: Fix typo in intgcheck-run rule
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
During the review process "intgcheck-build" ended up being merged to the
"intgcheck-prepare" rule.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 9639cf410dd6ba9670748535811f061e0c475bc6)
---
Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 4a56d8b0a3ea49c9fae35bf5717871ea515813b8..25a81b93b8881ec6dfa18397ddcc3430e6a3ebd0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3099,7 +3099,7 @@ intgcheck-prepare:
cd ../..
intgcheck-run:
- if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-build; fi; \
+ if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-prepare; fi; \
cd intg/bld; \
$(MAKE) $(AM_MAKEFLAGS) -C src/tests/intg intgcheck-installed; \
cd ../..
--
2.9.3


@ -0,0 +1,29 @@
From ce87fa6dd3fb47f28f9e80b730c50f23b099e835 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 29 Aug 2016 17:50:17 +0200
Subject: [PATCH 24/39] BUILD: Remove leftover after sysdb refactoring
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 4229ffb929bd7029f8b94d92099032d3350f5cf4)
---
Makefile.am | 1 -
1 file changed, 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 25a81b93b8881ec6dfa18397ddcc3430e6a3ebd0..f89af5a9d6d26c732574aa3651de8c175f538b28 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3077,7 +3077,6 @@ endif
#####################
intgcheck-prepare:
- echo "temporarily disabled"
set -e; \
rm -Rf intg; \
$(MKDIR_P) intg/bld; \
--
2.9.3


@ -0,0 +1,239 @@
From 854db7ed3fc4c0c58b1df0f93bb5b896eea417e8 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 8 May 2016 14:41:35 +0200
Subject: [PATCH 25/39] MONITOR: Remove the no longer used diag_cmd command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After introducing the watchdog, the diag_cmd is no longer used and it makes no
sense to try to make it usable by the watchdog, as the result of "pstack %p"
seems next to useless in this context.
Related:
https://fedorahosted.org/sssd/ticket/3051
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit 1620f435dbe7013f985128dcdf001e9158cb00e3)
---
src/confdb/confdb.h | 1 -
src/monitor/monitor.c | 163 --------------------------------------------------
2 files changed, 164 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 72adbd80ea534eb0becd3e517c00b0c26d00444c..58a085ba954cf75a5c756d6f8fbd04e6fa49a687 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -73,7 +73,6 @@
#define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix"
#define CONFDB_MONITOR_OVERRIDE_SPACE "override_space"
#define CONFDB_MONITOR_USER_RUNAS "user"
-#define CONFDB_MONITOR_PRE_KILL_CMD "diag_cmd"
#define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
/* Both monitor and domains */
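Review bot: unlike the force_timeout removal in the next patch, which also drops the man page entries, this patch only removes the CONFDB_MONITOR_PRE_KILL_CMD define; confirm that diag_cmd is not listed in the config validator rules or sssd.conf(5), otherwise the validator keeps accepting an option that no longer does anything.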
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 7a9ef569bbd565d6240cebed8493d0bd85aba89e..f97b2a960b1835540357714b608feac54c2d72c5 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -112,7 +112,6 @@ struct mt_svc {
char *identity;
pid_t pid;
- char *diag_cmd;
int kill_time;
struct tevent_timer *kill_timer;
@@ -373,77 +372,6 @@ static int add_svc_conn_spy(struct mt_svc *svc)
return EOK;
}
-static char *expand_diag_cmd(struct mt_svc *svc,
- const char *template)
-{
- TALLOC_CTX *tmp_ctx = NULL;
- char *copy;
- char *p_copy;
- char *n;
- char *result = NULL;
- char action;
- char *res = NULL;
-
- if (template == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Missing template.\n");
- return NULL;
- }
-
- tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) return NULL;
-
- copy = talloc_strdup(tmp_ctx, template);
- if (copy == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
- goto done;
- }
-
- result = talloc_strdup(tmp_ctx, "");
- if (result == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
- goto done;
- }
-
- p_copy = copy;
- while ((n = strchr(p_copy, '%')) != NULL) {
- *n = '\0';
- n++;
- if ( *n == '\0' ) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "format error, single %% at the end of the template.\n");
- goto done;
- }
-
- action = *n;
- switch (action) {
- case 'p':
- result = talloc_asprintf_append(result, "%s%d", p_copy, svc->pid);
- break;
- default:
- DEBUG(SSSDBG_CRIT_FAILURE,
- "format error, unknown template [%%%c].\n", *n);
- goto done;
- }
-
- if (result == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n");
- goto done;
- }
-
- p_copy = n + 1;
- }
-
- result = talloc_asprintf_append(result, "%s", p_copy);
- if (result == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n");
- goto done;
- }
-
- res = talloc_move(svc, &result);
-done:
- talloc_zfree(tmp_ctx);
- return res;
-}
static void svc_child_info(struct mt_svc *svc, int wait_status)
{
@@ -467,82 +395,6 @@ static void svc_child_info(struct mt_svc *svc, int wait_status)
}
}
-static void svc_diag_cmd_exit_handler(int pid, int wait_status, void *pvt)
-{
- struct mt_svc *svc = talloc_get_type(pvt, struct mt_svc);
-
- svc_child_info(svc, wait_status);
-}
-
-static void svc_run_diag_cmd(struct mt_svc *svc)
-{
- pid_t pkc_pid;
- char **args;
- int ret;
- int debug_fd;
- char *diag_cmd;
- struct sss_child_ctx *diag_child_ctx;
-
- if (svc->diag_cmd == NULL) {
- return;
- }
-
- pkc_pid = fork();
- if (pkc_pid != 0) {
- /* parent, schedule SIGKILL */
-
- ret = sss_child_register(svc,
- svc->mt_ctx->sigchld_ctx,
- pkc_pid,
- svc_diag_cmd_exit_handler,
- svc,
- &diag_child_ctx);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot register child %d\n", pkc_pid);
- /* Try to go on ... */
- }
-
- return;
- }
-
- /* child, execute diagnostics */
- diag_cmd = expand_diag_cmd(svc, svc->diag_cmd);
- if (diag_cmd == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to expand [%s]\n", svc->diag_cmd);
- _exit(1);
- }
-
- if (debug_level >= SSSDBG_TRACE_LIBS) {
- debug_fd = get_fd_from_debug_file();
- ret = dup2(debug_fd, STDERR_FILENO);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_MINOR_FAILURE,
- "dup2 failed for stderr [%d][%s].\n", ret, sss_strerror(ret));
- /* failure to redirect stderr is not fatal */
- }
-
- ret = dup2(debug_fd, STDOUT_FILENO);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_MINOR_FAILURE,
- "dup2 failed for stdout [%d][%s].\n", ret, sss_strerror(ret));
- /* failure to redirect stdout is not fatal */
- }
- }
-
- args = parse_args(diag_cmd);
- execvp(args[0], args);
-
- /* If we are here, exec() has failed
- * Print errno and abort quickly */
- ret = errno;
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Could not exec %s, reason: %s\n", svc->diag_cmd, strerror(ret));
- _exit(1);
-}
-
static int mark_service_as_started(struct mt_svc *svc)
{
struct mt_ctx *ctx = svc->mt_ctx;
@@ -712,8 +564,6 @@ static int monitor_kill_service (struct mt_svc *svc)
return EOK;
}
- svc_run_diag_cmd(svc);
-
/* Set up a timer to send SIGKILL if this process
* doesn't exit within the configured interval
*/
@@ -1147,19 +997,6 @@ static errno_t get_kill_config(struct mt_ctx *ctx, const char *path,
{
errno_t ret;
- ret = confdb_get_string(ctx->cdb, svc, path,
- CONFDB_MONITOR_PRE_KILL_CMD,
- NULL, &svc->diag_cmd);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to get diagnostics command for %s\n", svc->name);
- return ret;
- }
- if (svc->diag_cmd) {
- DEBUG(SSSDBG_CONF_SETTINGS,
- "Diagnostics command: [%s]\n", svc->diag_cmd);
- }
-
ret = confdb_get_int(ctx->cdb, path,
CONFDB_SERVICE_FORCE_TIMEOUT,
MONITOR_DEF_FORCE_TIME, &svc->kill_time);
--
2.9.3


@ -0,0 +1,289 @@
From 10e635167418fdf7a896b2cb3d095fd345053103 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 8 May 2016 14:46:25 +0200
Subject: [PATCH 26/39] MONITOR: Remove the no longer used kill_service command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After introducing the watchdog, the force_timeout option is no longer
used.
Resolves:
https://fedorahosted.org/sssd/ticket/3052
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit fa93cd0f0fc75a6d635079e67788f8a9fe183c3c)
---
src/confdb/confdb.h | 1 -
src/man/sssd.conf.5.xml | 33 ------------
src/monitor/monitor.c | 141 ------------------------------------------------
3 files changed, 175 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 58a085ba954cf75a5c756d6f8fbd04e6fa49a687..401e5fbf7ed6bb9e8d7158dfab378c8159aa03db 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -58,7 +58,6 @@
#define CONFDB_SERVICE_DEBUG_TIMESTAMPS "debug_timestamps"
#define CONFDB_SERVICE_DEBUG_MICROSECONDS "debug_microseconds"
#define CONFDB_SERVICE_DEBUG_TO_FILES "debug_to_files"
-#define CONFDB_SERVICE_FORCE_TIMEOUT "force_timeout"
#define CONFDB_SERVICE_RECON_RETRIES "reconnection_retries"
#define CONFDB_SERVICE_FD_LIMIT "fd_limit"
#define CONFDB_SERVICE_ALLOWED_UIDS "allowed_uids"
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e95a7e7e213e07c15e79185730d481e5afceb69c..ae291e0fc8f2f9afabcdf32f18a5ec12252bbbbf 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -549,22 +549,6 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>force_timeout (integer)</term>
- <listitem>
- <para>
- If a service is not responding to ping checks (see
- the <quote>timeout</quote> option), it is first sent
- the SIGTERM signal that instructs it to quit gracefully.
- If the service does not terminate after <quote>force_timeout</quote>
- seconds, the monitor will forcibly shut it down by
- sending a SIGKILL signal.
- </para>
- <para>
- Default: 60
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
<term>offline_timeout (integer)</term>
<listitem>
<para>
@@ -1453,23 +1437,6 @@ pam_account_locked_message = Account locked, please contact help desk.
</varlistentry>
<varlistentry>
- <term>force_timeout (integer)</term>
- <listitem>
- <para>
- If a service is not responding to ping checks (see
- the <quote>timeout</quote> option), it is first sent
- the SIGTERM signal that instructs it to quit gracefully.
- If the service does not terminate after <quote>force_timeout</quote>
- seconds, the monitor will forcibly shut it down by
- sending a SIGKILL signal.
- </para>
- <para>
- Default: 60
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
<term>entry_cache_timeout (integer)</term>
<listitem>
<para>
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index f97b2a960b1835540357714b608feac54c2d72c5..1f89c5a79feab8a921ce2f9132763b37ab506596 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -114,8 +114,6 @@ struct mt_svc {
int kill_time;
- struct tevent_timer *kill_timer;
-
bool svc_started;
int restarts;
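Review bot: `int kill_time;` stays in struct mt_svc although its only writer, get_kill_config(), and its only reader, monitor_kill_service(), are both removed in this patch; drop the field too, and check whether MONITOR_DEF_FORCE_TIME (used only by the removed get_kill_config()) is still defined anywhere, since it becomes dead as well.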
@@ -176,8 +174,6 @@ static int monitor_service_init(struct sbus_connection *conn, void *data);
static int service_signal_reset_offline(struct mt_svc *svc);
-static int monitor_kill_service (struct mt_svc *svc);
-
static int get_service_config(struct mt_ctx *ctx, const char *name,
struct mt_svc **svc_cfg);
static int get_provider_config(struct mt_ctx *ctx, const char *name,
@@ -542,95 +538,6 @@ static int monitor_dbus_init(struct mt_ctx *ctx)
}
static void monitor_restart_service(struct mt_svc *svc);
-static void mt_svc_sigkill(struct tevent_context *ev,
- struct tevent_timer *te,
- struct timeval t, void *ptr);
-static int monitor_kill_service (struct mt_svc *svc)
-{
- int ret;
- struct timeval tv;
-
- ret = kill(svc->pid, SIGTERM);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Sending signal to child (%s:%d) failed: [%d]: %s! "
- "Ignore and pretend child is dead.\n",
- svc->name, svc->pid, ret, strerror(ret));
- /* The only thing we can try here is to launch a new process
- * and hope that it works.
- */
- monitor_restart_service(svc);
- return EOK;
- }
-
- /* Set up a timer to send SIGKILL if this process
- * doesn't exit within the configured interval
- */
- tv = tevent_timeval_current_ofs(svc->kill_time, 0);
- svc->kill_timer = tevent_add_timer(svc->mt_ctx->ev,
- svc,
- tv,
- mt_svc_sigkill,
- svc);
- if (svc->kill_timer == NULL) {
- /* Nothing much we can do */
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to allocate timed event: mt_svc_sigkill.\n");
- /* We'll just have to hope that the SIGTERM succeeds */
- }
- return EOK;
-}
-
-static void mt_svc_sigkill(struct tevent_context *ev,
- struct tevent_timer *te,
- struct timeval t, void *ptr)
-{
- int ret;
- struct mt_svc *svc = talloc_get_type(ptr, struct mt_svc);
-
- DEBUG(SSSDBG_FATAL_FAILURE,
- "[%s][%d] is not responding to SIGTERM. Sending SIGKILL.\n",
- svc->name, svc->pid);
- sss_log(SSS_LOG_ERR,
- "[%s][%d] is not responding to SIGTERM. Sending SIGKILL.\n",
- svc->name, svc->pid);
-
- /* timer was succesfully executed and it will be released by tevent */
- svc->kill_timer = NULL;
-
- ret = kill(svc->pid, SIGKILL);
- if (ret != EOK) {
- ret = errno;
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Sending signal to child (%s:%d) failed! "
- "Ignore and pretend child is dead.\n",
- svc->name, svc->pid);
-
- if (ret == ESRCH) {
- /* The process doesn't exist
- * This most likely means we hit a race where
- * the SIGTERM concluded just after the timer
- * fired but before we called kill() here.
- * We'll just do nothing, since the
- * mt_svc_exit_handler() should be doing the
- * necessary work.
- */
- return;
- }
-
- /* Something went really wrong.
- * The only thing we can try here is to launch a new process
- * and hope that it works.
- */
- monitor_restart_service(svc);
- }
-
- /* The process should terminate immediately and then be
- * restarted by the mt_svc_exit_handler()
- */
- return;
-}
static void reload_reply(DBusPendingCall *pending, void *data)
{
@@ -708,7 +615,6 @@ static int service_signal(struct mt_svc *svc, const char *svc_signal)
DEBUG(SSSDBG_FATAL_FAILURE,
"Out of memory trying to allocate memory to invoke: %s\n",
svc_signal);
- monitor_kill_service(svc);
return ENOMEM;
}
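Review bot: removing `monitor_kill_service(svc);` from the allocation-failure path of service_signal() changes behaviour, not just dead code: the service used to be terminated and restarted when the D-Bus message could not be allocated, and now the function only returns ENOMEM. If the watchdog is expected to cover this case, say so in the commit message; otherwise the caller needs to act on the ENOMEM.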
@@ -992,32 +898,6 @@ static int get_monitor_config(struct mt_ctx *ctx)
return EOK;
}
-static errno_t get_kill_config(struct mt_ctx *ctx, const char *path,
- struct mt_svc *svc)
-{
- errno_t ret;
-
- ret = confdb_get_int(ctx->cdb, path,
- CONFDB_SERVICE_FORCE_TIMEOUT,
- MONITOR_DEF_FORCE_TIME, &svc->kill_time);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to get kill timeout for %s\n", svc->name);
- return ret;
- }
-
- /* 'force_timeout = 0' should be translated to the default */
- if (svc->kill_time == 0) {
- svc->kill_time = MONITOR_DEF_FORCE_TIME;
- }
-
- DEBUG(SSSDBG_CONF_SETTINGS,
- "Time between SIGTERM and SIGKILL for [%s]: [%d]\n",
- svc->name, svc->kill_time);
-
- return EOK;
-}
-
/* This is a temporary function that returns false if the service
* being started was only tested when running as root.
*/
@@ -1154,14 +1034,6 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,
}
}
- ret = get_kill_config(ctx, path, svc);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to get kill timeouts for %s\n", svc->name);
- talloc_free(svc);
- return ret;
- }
-
svc->last_restart = now;
*svc_cfg = svc;
@@ -1249,14 +1121,6 @@ static int get_provider_config(struct mt_ctx *ctx, const char *name,
return ret;
}
- ret = get_kill_config(ctx, path, svc);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to get kill timeouts for %s\n", svc->name);
- talloc_free(svc);
- return ret;
- }
-
talloc_free(path);
/* if no provider is present do not run the domain */
@@ -2540,11 +2404,6 @@ static void mt_svc_exit_handler(int pid, int wait_status, void *pvt)
"SIGCHLD handler of service %s called\n", svc->name);
svc_child_info(svc, wait_status);
- /* Clear the kill_timer so we don't try to SIGKILL it after it's
- * already gone.
- */
- talloc_zfree(svc->kill_timer);
-
/* Check the number of restart tries and relaunch the service */
monitor_restart_service(svc);
--
2.9.3


@ -0,0 +1,44 @@
From e293e3a1418e95560498f29147c4e5b1be0b729a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 15 Aug 2016 12:54:20 +0200
Subject: [PATCH 27/39] WATCHDOG: define and use _MAX_TICKS as 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Instead of using the number 3 directly, let's introduce and use
WATCHDOG_MAX_TICKS.
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit d7075a255a1f28e890539072e06d0140ffe0927c)
---
src/util/util_watchdog.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
index 1c27d73f13b3042ecb549a2184e1368e8339d199..c184fbd759bdbca4a9eae379ff0d87e2d1628470 100644
--- a/src/util/util_watchdog.c
+++ b/src/util/util_watchdog.c
@@ -22,6 +22,7 @@
#include "util/util.h"
#define WATCHDOG_DEF_INTERVAL 10
+#define WATCHDOG_MAX_TICKS 3
/* this is intentionally a global variable */
struct watchdog_ctx {
@@ -75,9 +76,8 @@ static void watchdog_handler(int sig)
return;
}
- /* if 3 ticks passed by kills itself */
-
- if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > 3) {
+ /* if a pre-defined number of ticks passed by kills itself */
+ if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Watchdog timer overflow, killing process!\n");
orderly_shutdown(1);
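Review bot: the rewritten comment "if a pre-defined number of ticks passed by kills itself" reads awkwardly; something like "if more than WATCHDOG_MAX_TICKS ticks passed, the process kills itself" states the condition the `>` comparison actually implements.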
--
2.9.3


@ -0,0 +1,52 @@
From f7c519962070d797822c960d297f7de7fa42426a Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 26 Aug 2016 14:57:22 +0200
Subject: [PATCH 28/39] PROXY: Use right name in ldap filter
We used internal fq name in ldap filter
with id_provider proxy to files and auth provider
ldap
[sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(uid=testuser1@ldap)(objectclass=posixAccount))][dc=example,dc=com].
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b4c6060b10b14257e6f01038ae44e46c5a429f33)
---
src/providers/ldap/ldap_auth.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 35f16b0d4a6f8e566b0cf63b65ba46f31e7c1bcd..00d38284e428eea42254820fd08ee4fb125235a6 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -361,7 +361,7 @@ shadow_fail:
/* ==Get-User-DN========================================================== */
struct get_user_dn_state {
- const char *username;
+ char *username;
char *orig_dn;
};
@@ -386,9 +386,14 @@ static struct tevent_req *get_user_dn_send(TALLOC_CTX *memctx,
req = tevent_req_create(memctx, &state, struct get_user_dn_state);
if (!req) return NULL;
- state->username = username;
+ ret = sss_parse_internal_fqname(state, username,
+ &state->username, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot parse %s\n", username);
+ goto done;
+ }
- ret = sss_filter_sanitize(state, username, &clean_name);
+ ret = sss_filter_sanitize(state, state->username, &clean_name);
if (ret != EOK) {
goto done;
}
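Review bot: the new failure branch logs only the input name; include the error code as well, e.g. `DEBUG(SSSDBG_OP_FAILURE, "Cannot parse %s [%d]\n", username, ret);`, so a parse failure can be told apart from an allocation failure in the logs. The `goto done` reuses the error path the sss_filter_sanitize() branch already took, so the cleanup is consistent. Worth noting for the record that sss_filter_sanitize() now runs on the parsed short name, so the value that ends up in the LDAP filter is still sanitized; that is the property this change must not lose.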
--
2.9.3


@ -0,0 +1,31 @@
From 2dc376b266eb5f3b3aecc980f1a854eeac7d151b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 16 Aug 2016 20:53:19 +0200
Subject: [PATCH 29/39] SECRETS: Make internal function static
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit cf902c2b247c1b5793ae0ba58fd2dcbb0f78b686)
---
src/responder/secrets/providers.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/responder/secrets/providers.c b/src/responder/secrets/providers.c
index 8d815b4837ce71bac648f38a6a8956771dd0520d..4c601988696dac7856cb1c1eb27264180a9347f9 100644
--- a/src/responder/secrets/providers.c
+++ b/src/responder/secrets/providers.c
@@ -24,7 +24,8 @@
#include "responder/secrets/secsrv_proxy.h"
#include <jansson.h>
-int sec_map_url_to_user_path(struct sec_req_ctx *secreq, char **mapped_path)
+static int sec_map_url_to_user_path(struct sec_req_ctx *secreq,
+ char **mapped_path)
{
uid_t c_euid;
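Review bot: making sec_map_url_to_user_path() static is right if it has no callers outside providers.c; the diffstat touches only that file, so confirm there is no prototype left in a header, since a non-static declaration followed by this static definition would conflict.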
--
2.9.3


@ -0,0 +1,34 @@
From e099a2654aa25f98a5f9e7a0e1f0820e8322c372 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 16 Aug 2016 20:59:30 +0200
Subject: [PATCH 30/39] SECRETS: Make reading the config options more uniform
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
One of the confdb_get_ calls in sec_get_config() used a variable referenced
from rctx, the other used a hardcoded string. Use one of them in both
places instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit ff35d4ffe5eedcb484deb7ef1a04c02c19e634c9)
---
src/responder/secrets/secsrv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index 6f8052bdf25fe903683d6b26d92b2a4c31743470..eb194a179ae5e3a48547fb00a038f31b8e0264cd 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -35,7 +35,7 @@ static int sec_get_config(struct sec_ctx *sctx)
int ret;
ret = confdb_get_int(sctx->rctx->cdb,
- CONFDB_SEC_CONF_ENTRY,
+ sctx->rctx->confdb_service_path,
CONFDB_SERVICE_FD_LIMIT,
DEFAULT_SEC_FD_LIMIT,
&sctx->fd_limit);
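Review bot: reading the path from `sctx->rctx->confdb_service_path` is fine as long as the responder context has set it before sec_get_config() runs; the hunk does not show that ordering, so confirm it. If CONFDB_SEC_CONF_ENTRY has no remaining users after this, it can be dropped as well.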
--
2.9.3


@ -0,0 +1,46 @@
From 279b4f57263abcdb84e2386f4cb4256981fb8c2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 4 Aug 2016 14:10:09 +0200
Subject: [PATCH 31/39] dyndns: fix typo and unify ipa with ad debug message
when off
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Petr Čech <pcech@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit b3851e86af91dc1aa6e265d5b2e4279b2611ff43)
---
src/providers/ad/ad_dyndns.c | 2 +-
src/providers/ipa/ipa_init.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/providers/ad/ad_dyndns.c b/src/providers/ad/ad_dyndns.c
index e3f1812837f7cee9d18ef001233871e0fcc16b4c..00190485e8f0ca7362ed60b2df022c74c53988c9 100644
--- a/src/providers/ad/ad_dyndns.c
+++ b/src/providers/ad/ad_dyndns.c
@@ -47,7 +47,7 @@ errno_t ad_dyndns_init(struct be_ctx *be_ctx,
if (dp_opt_get_bool(ad_opts->dyndns_ctx->opts,
DP_OPT_DYNDNS_UPDATE) == false) {
- DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates not set\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are off.\n");
return EOK;
}
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index ca99200a1ba1d9508ac0affffecaa08149552fee..7dec4d1fb8541a48470d4e44f10838e5bea67ad5 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -200,7 +200,7 @@ static errno_t ipa_init_dyndns(struct be_ctx *be_ctx,
enabled = dp_opt_get_bool(ipa_options->dyndns_ctx->opts,
DP_OPT_DYNDNS_UPDATE);
if (!enabled) {
- DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are of.\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are off.\n");
return EOK;
}
--
2.9.3


@ -0,0 +1,42 @@
From 2d1d157a07a2b445d6d26573a9763ec62928790f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 30 Aug 2016 15:26:27 +0200
Subject: [PATCH 32/39] netlink: Don't define USE_GNU
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Applications should never #define USE_GNU themselves, but rather
_GNU_SOURCE. This patch removes USE_GNU and replaces it with including
config.h which has _GNU_SOURCE defined if applicable for that platform.
See for example:
https://gcc.gnu.org/ml/fortran/2005-10/msg00365.html
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 1384d0ce6ea741aefb56b0006b6268d76e6cc2c2)
---
src/monitor/monitor_netlink.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/monitor/monitor_netlink.c b/src/monitor/monitor_netlink.c
index 22262949c67744493dfa722ff38257a75a5b8291..c4d56b39f29b7686b60da1d561d7db390c272a4d 100644
--- a/src/monitor/monitor_netlink.c
+++ b/src/monitor/monitor_netlink.c
@@ -21,11 +21,12 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "config.h"
+
#include <talloc.h>
#include <tevent.h>
#include <sys/types.h>
#include <sys/ioctl.h>
-#define __USE_GNU /* needed for struct ucred */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
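Review bot: the removed line defined `__USE_GNU` (double underscore, a glibc-internal feature macro), not `USE_GNU` as the commit message says; worth correcting in the message. Including config.h before any system header is the right order for _GNU_SOURCE to take effect, but the reason (struct ucred) disappears with the removed comment; keep a one-line comment at the `#include "config.h"` line so nobody later reorders the includes and silently reintroduces the problem.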
--
2.9.3


@ -0,0 +1,140 @@
From d58c29636abcd20ef8e90fae90d8754419c394fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 30 Aug 2016 18:17:46 +0200
Subject: [PATCH 33/39] MONITOR: Remove leftovers from diag_cmd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Seems that when I sent the v2 of 7579cf99 I attached the wrong patch
that ended up being pushed.
That patch was incomplete as there are still some leftovers.
Related:
https://fedorahosted.org/sssd/ticket/3051
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit e04df9feca0c9877c69aa46450d04c556bcb23ad)
---
src/config/SSSDConfig/__init__.py.in | 1 -
src/config/SSSDConfigTest.py | 1 -
src/config/cfg_rules.ini | 9 ---------
src/config/etc/sssd.api.conf | 1 -
4 files changed, 12 deletions(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index b3f04ac26309bb5b518fb87cd0dae2962e853179..fb071270208341f4e993fef95af4e8dc6b58fdbd 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -51,7 +51,6 @@ option_strings = {
'reconnection_retries' : _('Number of times to attempt connection to Data Providers'),
'fd_limit' : _('The number of file descriptors that may be opened by this responder'),
'client_idle_timeout' : _('Idle time before automatic disconnection of a client'),
- 'diag_cmd' : _('The command to run when a service ping times out'),
# [sssd]
'services' : _('SSSD Services to start'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 8fcd1a55c36035a7026f1fb4c8116aaae24e78ef..575a12450eec2e23e7fa30acf72030a0e7e07a50 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -309,7 +309,6 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
'reconnection_retries',
'fd_limit',
'client_idle_timeout',
- 'diag_cmd',
'description',
'certificate_verification',
'override_space']
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index df10538dee4a547a1b1af62a4cfe37b89e236b18..a2c3fa2d5994dc051b72be17e13c512d7f124141 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -25,7 +25,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# Monitor service
option = services
@@ -57,7 +56,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# Name service
option = user_attributes
@@ -96,7 +94,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# Authentication service
option = offline_credentials_expiration
@@ -130,7 +127,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# sudo service
option = sudo_timed
@@ -152,7 +148,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# autofs service
option = autofs_negative_timeout
@@ -173,7 +168,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# ssh service
option = ssh_hash_known_hosts
@@ -196,7 +190,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# PAC responder
option = allowed_uids
@@ -218,7 +211,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# InfoPipe responder
option = allowed_uids
@@ -239,7 +231,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
#Available provider types
option = id_provider
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 5e69414f2a490977bdaf1555325814ad61202071..b2f20c5b71fa6bf94656d6270ccd08385a88c06e 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -15,7 +15,6 @@ fd_limit = int, None, false
client_idle_timeout = int, None, false
force_timeout = int, None, false
description = str, None, false
-diag_cmd = str, None, false
[sssd]
# Monitor service
--
2.9.3


@ -0,0 +1,175 @@
From a2145190df8f4faa68a9662a2b5162dd87eca0a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 30 Aug 2016 18:25:21 +0200
Subject: [PATCH 34/39] MONITOR: Remove leftovers from kill_service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Seems that when I sent the v2 of ac35fe74 I attached the wrong patch that
ended up being pushed.
The patch was incomplete as there are still some leftovers.
The .po and sssd-docs.pot were not touched as I do believe they are
autogenerated from Zanata.
Related:
https://fedorahosted.org/sssd/ticket/3052
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit 5b0735876aa66464b24cb7736a74fafd8ec82128)
---
src/config/SSSDConfig/__init__.py.in | 1 -
src/config/SSSDConfigTest.py | 3 ---
src/config/cfg_rules.ini | 10 ----------
src/config/etc/sssd.api.conf | 2 --
4 files changed, 16 deletions(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index fb071270208341f4e993fef95af4e8dc6b58fdbd..0191920f93ab9016508e08785c25dd043c180c0b 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -46,7 +46,6 @@ option_strings = {
'debug_microseconds' : _('Include microseconds in timestamps in debug logs'),
'debug_to_files' : _('Write debug messages to logfiles'),
'timeout' : _('Watchdog timeout before restarting service'),
- 'force_timeout' : _('Timeout between three failed ping checks and forcibly killing the service'),
'command' : _('Command to start service'),
'reconnection_retries' : _('Number of times to attempt connection to Data Providers'),
'fd_limit' : _('The number of file descriptors that may be opened by this responder'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 575a12450eec2e23e7fa30acf72030a0e7e07a50..6a0fdf0ea5215103b48dc8521a43ae945342c0e2 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -293,7 +293,6 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
'services',
'domains',
'timeout',
- 'force_timeout',
'sbus_timeout',
're_expression',
'full_name_format',
@@ -505,7 +504,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'min_id',
'max_id',
'timeout',
- 'force_timeout',
'offline_timeout',
'try_inotify',
'command',
@@ -874,7 +872,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'min_id',
'max_id',
'timeout',
- 'force_timeout',
'offline_timeout',
'try_inotify',
'command',
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index a2c3fa2d5994dc051b72be17e13c512d7f124141..5e248066bd554d2a654a764f406f6b33c4d66733 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -23,7 +23,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# Monitor service
@@ -54,7 +53,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# Name service
@@ -92,7 +90,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# Authentication service
@@ -125,7 +122,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# sudo service
@@ -146,7 +142,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# autofs service
@@ -166,7 +161,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# ssh service
@@ -188,7 +182,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# PAC responder
@@ -209,7 +202,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# InfoPipe responder
@@ -229,7 +221,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
#Available provider types
@@ -250,7 +241,6 @@ option = timeout
option = try_inotify
option = enumerate
option = subdomain_enumerate
-option = force_timeout
option = offline_timeout
option = cache_credentials
option = cache_credentials_minimal_first_factor_length
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index b2f20c5b71fa6bf94656d6270ccd08385a88c06e..525f939cd204f4d484caa7b490d85b0d50de00ef 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -13,7 +13,6 @@ command = str, None, false
reconnection_retries = int, None, false
fd_limit = int, None, false
client_idle_timeout = int, None, false
-force_timeout = int, None, false
description = str, None, false
[sssd]
@@ -119,7 +118,6 @@ timeout = int, None, false
try_inotify = bool, None, false
enumerate = bool, None, false
subdomain_enumerate = str, None, false
-force_timeout = int, None, false
offline_timeout = int, None, false
cache_credentials = bool, None, false
cache_credentials_minimal_first_factor_length = int, None, false
--
2.9.3


@ -0,0 +1,51 @@
From 223395a44a3016c3124aa5ed841c7023068607d8 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 30 Aug 2016 15:37:43 +0200
Subject: [PATCH 35/39] SYSDB: Fix error handling in
sysdb_get_user_members_recursively
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We ignored failures from sysdb_search_entry.
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit b969ccc2cc58fdf761e5d314de9217f2d914bc9b)
---
src/db/sysdb_ops.c | 3 +++
src/db/sysdb_views.c | 5 ++++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 44fb5b70e6d33fffbca5824f831a3229254ecb57..e4c8e1e285e3bc49710f71c896ba9a30c742d4fa 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -4738,6 +4738,9 @@ errno_t sysdb_get_user_members_recursively(TALLOC_CTX *mem_ctx,
ret = sysdb_search_entry(tmp_ctx, dom->sysdb, base_dn, LDB_SCOPE_SUBTREE,
filter, attrs, &count, &msgs);
+ if (ret != EOK) {
+ goto done;
+ }
res = talloc_zero(tmp_ctx, struct ldb_result);
if (res == NULL) {
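Review bot: propagating the sysdb_search_entry() error is correct, but it also changes the function's contract: ENOENT (no matching entries) now reaches every caller, where previously the function continued with an empty result. The diffstat adjusts only sysdb_views.c, so confirm no other caller of sysdb_get_user_members_recursively() needs the same ENOENT handling, and consider a DEBUG line before `goto done` so the failure is visible in the logs.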
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 79f513d13ba41212a6cd84e1d9e609df6acba29c..9dc48f5b6c414bbc7c64bcd1fe73553f388588bd 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -1374,7 +1374,10 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
ret = sysdb_get_user_members_recursively(tmp_ctx, domain, obj->dn,
&res_members);
- if (ret != EOK) {
+ if (ret == ENOENT) {
+ ret = EOK;
+ goto done;
+ } else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sysdb_get_user_members_recursively failed.\n");
goto done;
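Review bot: mapping ENOENT to EOK here treats a group with no user members as success, which matches the callee's new behaviour; but the early `goto done` skips the rest of sysdb_add_group_member_overrides(), so confirm nothing after this point (outside the hunk) still needs to run for an empty group. A short comment on the `ret == ENOENT` branch saying "no members is not an error" would make the intent obvious.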
--
2.9.3


@ -0,0 +1,34 @@
From 9e21f9157d7eaf62e48ee9ab43332d336c12708c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Thu, 1 Sep 2016 08:08:00 +0200
Subject: [PATCH 36/39] DEBUG: Apend line feed to messages from libsemanage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It wasn't simple to read log files from libsemanage
because they were on a single line.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit a6d279489c35896432e60daa70be5728f0b6c243)
---
src/util/sss_semanage.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
index 81068da98db611e55df8ac2de1a55f5980c3e552..fe06bee1dfec3abca3aa3cd5e85e55386ac11343 100644
--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
@@ -55,7 +55,8 @@ static void sss_semanage_error_callback(void *varg,
va_start(ap, fmt);
if (DEBUG_IS_SET(level)) {
- sss_vdebug_fn(__FILE__, __LINE__, "libsemanage", level, 0, fmt, ap);
+ sss_vdebug_fn(__FILE__, __LINE__, "libsemanage", level,
+ APPEND_LINE_FEED, fmt, ap);
}
va_end(ap);
}
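Review bot: replacing the magic `0` with the named `APPEND_LINE_FEED` flag is an improvement on its own. One thing to check: if any message libsemanage hands to this callback already ends in a newline, appending another would produce empty lines; the commit message says the messages arrive on a single line, so this is presumably fine, but a brief comment saying so would save the next reader the question.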
--
2.9.3


@ -0,0 +1,43 @@
From 4417b8170e7bb09fd8d724e36e23ddf89d95cb33 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 31 Aug 2016 10:17:17 +0200
Subject: [PATCH 37/39] MAN: Document the ldap_user_primary_group option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 6f59bb822d1e54e178207be45e382f4ee173c434)
---
src/man/sssd-ldap.5.xml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 6009dd8dfa787874c085c293b2d1f8aac6d95714..bfccfab2222e5b2d68b83ca473e9a3aa0f5308e5 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -299,6 +299,21 @@
</varlistentry>
<varlistentry>
+ <term>ldap_user_primary_group (string)</term>
+ <listitem>
+ <para>
+ Active Directory primary group attribute
+ for ID-mapping. Note that this attribute should
+ only be set manually if you are running the
+ <quote>ldap</quote> provider with ID mapping.
+ </para>
+ <para>
+ Default: unset (LDAP), primaryGroupID (AD)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_user_gecos (string)</term>
<listitem>
<para>
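Review bot: the new entry says the attribute is used "for ID-mapping" but not how, so a reader cannot tell what value the attribute is expected to hold or why setting it without ID mapping is wrong; one sentence on that would make the option usable. The default line "unset (LDAP), primaryGroupID (AD)" also implies that the ldap-provider users this note targets must set it explicitly; worth stating that directly instead of leaving it to be inferred.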
--
2.9.3


@ -0,0 +1,36 @@
From 1a28f2ce26d49617eaf865e39d52136181d9663d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 30 Aug 2016 17:30:10 +0200
Subject: [PATCH 38/39] sdap_initgr_nested_get_membership_diff: use
fully-qualified names
I think this is a leftover from the change to use fully-qualified names
in sysdb. To verify this you can create a nested group in IPA. Without
this patch the id command will only show the groups the user is a direct
member of. With the patch the indirect groups memberships should be
shown as well.
https://fedorahosted.org/sssd/ticket/3163
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 5bd3bef4a655fdfacd2f5df8a2343fe7bc68a771)
---
src/providers/ldap/sdap_async_initgroups.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 82c708c226bf1a645ff5a395947dfdbad71e0f1f..f9593f0dfaa2dc6e33fd6c9d1f0c9b78cad3a1d9 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -1414,7 +1414,7 @@ sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx,
group_name, parents_count);
if (parents_count > 0) {
- ret = sysdb_attrs_primary_name_list(dom, tmp_ctx,
+ ret = sysdb_attrs_primary_fqdn_list(dom, tmp_ctx,
ldap_parentlist,
parents_count,
opts->group_map[SDAP_AT_GROUP_NAME].name,
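Review bot: the only change is sysdb_attrs_primary_name_list() to sysdb_attrs_primary_fqdn_list(), so the LDAP side of the membership diff now yields fully-qualified names; correctness depends on the sysdb side of the comparison (outside this hunk) already being fully qualified, as the commit message asserts. Since the visible symptom was missing indirect memberships for nested IPA groups, a regression test covering one nested group would be worth adding alongside this one-liner.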
--
2.9.3


@ -0,0 +1,50 @@
From c620bb359ff03f40ffbc36a03d74c921346ecfc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Wed, 31 Aug 2016 08:50:01 +0200
Subject: [PATCH 39/39] SYSDB: Removing of unused parameter
There was an unused parameter struct ldb_message *cached_group
in sysdb_store_group_attrs().
This parameter was introduced by
40de79d69860ec7f04bf7795bd88b641ec42fd23
SYSDB: Check if group attributes differ before saving a group
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 0d1d9d8001232f74eca63cbba6c400d507b33823)
---
src/db/sysdb_ops.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index e4c8e1e285e3bc49710f71c896ba9a30c742d4fa..5d9c9fb24a149f8215b3027dcb4b0e1a183e4b43 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2661,7 +2661,6 @@ static errno_t sysdb_store_new_group(struct sss_domain_info *domain,
static errno_t sysdb_store_group_attrs(struct sss_domain_info *domain,
const char *name,
gid_t gid,
- struct ldb_message *cached_group,
struct sysdb_attrs *attrs,
uint64_t cache_timeout,
time_t now);
@@ -2731,7 +2730,7 @@ int sysdb_store_group(struct sss_domain_info *domain,
ret = sysdb_store_new_group(domain, name, gid, attrs,
cache_timeout, now);
} else {
- ret = sysdb_store_group_attrs(domain, name, gid, msg, attrs,
+ ret = sysdb_store_group_attrs(domain, name, gid, attrs,
cache_timeout, now);
}
if (ret != EOK) {
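Review bot: with `msg` no longer passed into sysdb_store_group_attrs(), check whether it is still needed in sysdb_store_group(); if its only remaining use is the lookup whose result selects the `else` branch that is fine, but if it has become unused the compiler will warn and it should be cleaned up in the same patch.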
@@ -2811,7 +2810,6 @@ static errno_t sysdb_store_new_group(struct sss_domain_info *domain,
static errno_t sysdb_store_group_attrs(struct sss_domain_info *domain,
const char *name,
gid_t gid,
- struct ldb_message *cached_group,
struct sysdb_attrs *attrs,
uint64_t cache_timeout,
time_t now)
--
2.9.3


@ -26,7 +26,7 @@
Name: sssd
Version: 1.14.1
Release: 1%{?dist}
Release: 2%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -35,6 +35,45 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-CONFIG-selinux_provider-is-a-valid-provider-type.patch
Patch0002: 0002-CONFIG-session_provider-does-not-exist-anymore.patch
Patch0003: 0003-PROXY-Use-the-fqname-when-converting-to-lowercase.patch
Patch0004: 0004-sssd_netgroup.py-Resolve-nested-netgroups.patch
Patch0005: 0005-LDAP-Fixing-of-removing-netgroup-from-cache.patch
Patch0006: 0006-INTG-Adding-support-for-netgroups-to-ldap_ent.patch
Patch0007: 0007-INTG-Tests-for-ldap-nested-netgroups.patch
Patch0008: 0008-watchdog-cope-with-time-shift.patch
Patch0009: 0009-BUILD-Allow-to-read-private-pipes-for-root.patch
Patch0010: 0010-SYSDB-Rework-sysdb_cache_connect.patch
Patch0011: 0011-SYSDB-Remove-the-timestamp-cache-for-a-newly-created.patch
Patch0012: 0012-SECRETS-Return-ENOENT-when_deleting-a-non-existent-s.patch
Patch0013: 0013-SPEC-Fix-typo-in-Summary.patch
Patch0014: 0014-IPA-Parse-qualified-names-when-guessing-AD-user-prin.patch
Patch0015: 0015-PROXY-Remove-lowercase-attribute-from-save_user.patch
Patch0016: 0016-PROXY-Remove-cache_timeout-attribute-from-save_user.patch
Patch0017: 0017-PROXY-Remove-cache_timeout-attribute-from-save_group.patch
Patch0018: 0018-PROXY-Mention-that-save_user-s-parameters-are-alread.patch
Patch0019: 0019-PROXY-Share-common-code-of-save_-group-user.patch
Patch0020: 0020-SYSDB-Fix-uninitialized-scalar-variable.patch
Patch0021: 0021-BUILD-Add-a-few-more-targets-for-intg-tests.patch
Patch0022: 0022-BUILD-Clean-up-prerelease-targets.patch
Patch0023: 0023-BUILD-Fix-typo-in-intgcheck-run-rule.patch
Patch0024: 0024-BUILD-Remove-leftover-after-sysdb-refactoring.patch
Patch0025: 0025-MONITOR-Remove-the-no-longer-used-diag_cmd-command.patch
Patch0026: 0026-MONITOR-Remove-the-no-longer-used-kill_service-comma.patch
Patch0027: 0027-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch
Patch0028: 0028-PROXY-Use-right-name-in-ldap-filter.patch
Patch0029: 0029-SECRETS-Make-internal-function-static.patch
Patch0030: 0030-SECRETS-Make-reading-the-config-options-more-uniform.patch
Patch0031: 0031-dyndns-fix-typo-and-unify-ipa-with-ad-debug-message-.patch
Patch0032: 0032-netlink-Don-t-define-USE_GNU.patch
Patch0033: 0033-MONITOR-Remove-leftovers-from-diag_cmd.patch
Patch0034: 0034-MONITOR-Remove-leftovers-from-kill_service.patch
Patch0035: 0035-SYSDB-Fix-error-handling-in-sysdb_get_user_members_r.patch
Patch0036: 0036-DEBUG-Apend-line-feed-to-messages-from-libsemanage.patch
Patch0037: 0037-MAN-Document-the-ldap_user_primary_group-option.patch
Patch0038: 0038-sdap_initgr_nested_get_membership_diff-use-fully-qua.patch
Patch0039: 0039-SYSDB-Removing-of-unused-parameter.patch
### Dependencies ###
@ -1083,6 +1122,13 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Thu Sep 01 2016 Lukas Slebodnik <lslebodn@redhat.com> - 1.14.1-2
- Backport important patches from upstream 1.14.2 prerelease
- Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after
boot
- Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14
* Fri Aug 19 2016 Lukas Slebodnik <lslebodn@redhat.com> - 1.14.1-1
- New upstream release 1.14.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1