From 2b61bbee117148e160036768235522c51f647759 Mon Sep 17 00:00:00 2001 
From: Lukas Slebodnik Date: Wed, 31 Aug 2016 19:45:36 +0200 Subject: [PATCH] Backport important patches from upstream 1.14.2 prerelease - Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after boot - Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14 --- ...ux_provider-is-a-valid-provider-type.patch | 79 +++ ...sion_provider-does-not-exist-anymore.patch | 81 +++ ...-fqname-when-converting-to-lowercase.patch | 40 ++ ...netgroup.py-Resolve-nested-netgroups.patch | 253 +++++++++ ...xing-of-removing-netgroup-from-cache.patch | 50 ++ ...ng-support-for-netgroups-to-ldap_ent.patch | 54 ++ ...INTG-Tests-for-ldap-nested-netgroups.patch | 501 ++++++++++++++++++ 0008-watchdog-cope-with-time-shift.patch | 97 ++++ ...Allow-to-read-private-pipes-for-root.patch | 82 +++ 0010-SYSDB-Rework-sysdb_cache_connect.patch | 124 +++++ ...-timestamp-cache-for-a-newly-created.patch | 152 ++++++ ...NOENT-when_deleting-a-non-existent-s.patch | 48 ++ 0013-SPEC-Fix-typo-in-Summary.patch | 27 + ...ied-names-when-guessing-AD-user-prin.patch | 62 +++ ...e-lowercase-attribute-from-save_user.patch | 114 ++++ ...che_timeout-attribute-from-save_user.patch | 92 ++++ ...he_timeout-attribute-from-save_group.patch | 76 +++ ...at-save_user-s-parameters-are-alread.patch | 40 ++ ...hare-common-code-of-save_-group-user.patch | 222 ++++++++ ...DB-Fix-uninitialized-scalar-variable.patch | 36 ++ ...dd-a-few-more-targets-for-intg-tests.patch | 82 +++ 0022-BUILD-Clean-up-prerelease-targets.patch | 60 +++ ...BUILD-Fix-typo-in-intgcheck-run-rule.patch | 34 ++ ...ove-leftover-after-sysdb-refactoring.patch | 29 + ...-the-no-longer-used-diag_cmd-command.patch | 239 +++++++++ ...he-no-longer-used-kill_service-comma.patch | 289 ++++++++++ ...CHDOG-define-and-use-_MAX_TICKS-as-3.patch | 44 ++ ...-PROXY-Use-right-name-in-ldap-filter.patch | 52 ++ ...ECRETS-Make-internal-function-static.patch | 31 ++ ...ding-the-config-options-more-uniform.patch | 34 ++ 
...and-unify-ipa-with-ad-debug-message-.patch | 46 ++ 0032-netlink-Don-t-define-USE_GNU.patch | 42 ++ ...NITOR-Remove-leftovers-from-diag_cmd.patch | 140 +++++ ...R-Remove-leftovers-from-kill_service.patch | 175 ++++++ ...handling-in-sysdb_get_user_members_r.patch | 51 ++ ...ne-feed-to-messages-from-libsemanage.patch | 34 ++ ...t-the-ldap_user_primary_group-option.patch | 43 ++ ...ed_get_membership_diff-use-fully-qua.patch | 36 ++ 0039-SYSDB-Removing-of-unused-parameter.patch | 50 ++ sssd.spec | 48 +- 40 files changed, 3788 insertions(+), 1 deletion(-) create mode 100644 0001-CONFIG-selinux_provider-is-a-valid-provider-type.patch create mode 100644 0002-CONFIG-session_provider-does-not-exist-anymore.patch create mode 100644 0003-PROXY-Use-the-fqname-when-converting-to-lowercase.patch create mode 100644 0004-sssd_netgroup.py-Resolve-nested-netgroups.patch create mode 100644 0005-LDAP-Fixing-of-removing-netgroup-from-cache.patch create mode 100644 0006-INTG-Adding-support-for-netgroups-to-ldap_ent.patch create mode 100644 0007-INTG-Tests-for-ldap-nested-netgroups.patch create mode 100644 0008-watchdog-cope-with-time-shift.patch create mode 100644 0009-BUILD-Allow-to-read-private-pipes-for-root.patch create mode 100644 0010-SYSDB-Rework-sysdb_cache_connect.patch create mode 100644 0011-SYSDB-Remove-the-timestamp-cache-for-a-newly-created.patch create mode 100644 0012-SECRETS-Return-ENOENT-when_deleting-a-non-existent-s.patch create mode 100644 0013-SPEC-Fix-typo-in-Summary.patch create mode 100644 0014-IPA-Parse-qualified-names-when-guessing-AD-user-prin.patch create mode 100644 0015-PROXY-Remove-lowercase-attribute-from-save_user.patch create mode 100644 0016-PROXY-Remove-cache_timeout-attribute-from-save_user.patch create mode 100644 0017-PROXY-Remove-cache_timeout-attribute-from-save_group.patch create mode 100644 0018-PROXY-Mention-that-save_user-s-parameters-are-alread.patch create mode 100644 0019-PROXY-Share-common-code-of-save_-group-user.patch create mode 
100644 0020-SYSDB-Fix-uninitialized-scalar-variable.patch
create mode 100644 0021-BUILD-Add-a-few-more-targets-for-intg-tests.patch
create mode 100644 0022-BUILD-Clean-up-prerelease-targets.patch
create mode 100644 0023-BUILD-Fix-typo-in-intgcheck-run-rule.patch
create mode 100644 0024-BUILD-Remove-leftover-after-sysdb-refactoring.patch
create mode 100644 0025-MONITOR-Remove-the-no-longer-used-diag_cmd-command.patch
create mode 100644 0026-MONITOR-Remove-the-no-longer-used-kill_service-comma.patch
create mode 100644 0027-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch
create mode 100644 0028-PROXY-Use-right-name-in-ldap-filter.patch
create mode 100644 0029-SECRETS-Make-internal-function-static.patch
create mode 100644 0030-SECRETS-Make-reading-the-config-options-more-uniform.patch
create mode 100644 0031-dyndns-fix-typo-and-unify-ipa-with-ad-debug-message-.patch
create mode 100644 0032-netlink-Don-t-define-USE_GNU.patch
create mode 100644 0033-MONITOR-Remove-leftovers-from-diag_cmd.patch
create mode 100644 0034-MONITOR-Remove-leftovers-from-kill_service.patch
create mode 100644 0035-SYSDB-Fix-error-handling-in-sysdb_get_user_members_r.patch
create mode 100644 0036-DEBUG-Apend-line-feed-to-messages-from-libsemanage.patch
create mode 100644 0037-MAN-Document-the-ldap_user_primary_group-option.patch
create mode 100644 0038-sdap_initgr_nested_get_membership_diff-use-fully-qua.patch
create mode 100644 0039-SYSDB-Removing-of-unused-parameter.patch
diff --git a/0001-CONFIG-selinux_provider-is-a-valid-provider-type.patch b/0001-CONFIG-selinux_provider-is-a-valid-provider-type.patch
new file mode 100644
index 0000000..06f20b6
--- /dev/null
+++ b/0001-CONFIG-selinux_provider-is-a-valid-provider-type.patch
@@ -0,0 +1,79 @@
+From 78db9b76d9be4aa307fbaaba7315b121421e8826 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Fri, 19 Aug 2016 11:36:41 +0200
+Subject: [PATCH 01/39] CONFIG: selinux_provider is a valid provider type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We should not warn about it in the validator and should allow
+selinux_provider from the config API.
+
+Reviewed-by: Fabiano Fidêncio
+(cherry picked from commit dec00197181ee8f7efbfbdadd73629f66f80f1ff)
+---
+ src/config/SSSDConfig/__init__.py.in | 1 +
+ src/config/SSSDConfigTest.py | 2 ++
+ src/config/cfg_rules.ini | 1 +
+ src/config/etc/sssd.api.conf | 1 +
+ 4 files changed, 5 insertions(+)
+
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index 1718a9babf390b95710ec356f25f09ea679bdd73..9683ea63e042115c20010cfb0904b2f65d76468b 100644
+--- a/src/config/SSSDConfig/__init__.py.in
++++ b/src/config/SSSDConfig/__init__.py.in
+@@ -128,6 +128,7 @@ option_strings = {
+ 'autofs_provider' : _('Autofs provider'),
+ 'session_provider' : _('Session-loading provider'),
+ 'hostid_provider' : _('Host identity provider'),
++ 'selinux_provider' : _('SELinux provider'),
+
+ # [domain]
+ 'min_id' : _('Minimum user ID'),
+diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
+index 00c688f1e57c5f481d3adba2fe0374145216bc33..09adf1faad767968dc1df2cc1668144526ffe504 100755
+--- a/src/config/SSSDConfigTest.py
++++ b/src/config/SSSDConfigTest.py
+@@ -557,6 +557,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
+ 'session_provider',
+ 'hostid_provider',
+ 'subdomains_provider',
++ 'selinux_provider',
+ 'realmd_tags',
+ 'subdomain_refresh_interval',
+ 'subdomain_inherit',
+@@ -926,6 +927,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
+ 'session_provider',
+ 'hostid_provider',
+ 'subdomains_provider',
++ 'selinux_provider',
+ 'realmd_tags',
+ 'subdomain_refresh_interval',
+ 'subdomain_inherit',
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index ef6435b08aee416e377fe854e6768f3fa4fd9650..f0b4c4e7640aa24cf14815b2717327c742fcd89a 100644
+--- a/src/config/cfg_rules.ini
++++ b/src/config/cfg_rules.ini
+@@ -251,6 +251,7 @@ option = autofs_provider
+ option = session_provider
+ option = hostid_provider
+ option = subdomains_provider
++option = selinux_provider
+
+ # Options available to all domains
+ option = min_id
+diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
+index 5ac6f79521f5f776fc17319c3afb87d44961afca..94edb45ad2b85e3f4200a917c914a8f4fcb29c28 100644
+--- a/src/config/etc/sssd.api.conf
++++ b/src/config/etc/sssd.api.conf
+@@ -106,6 +106,7 @@ autofs_provider = str, None, false
+ session_provider = str, None, false
+ hostid_provider = str, None, false
+ subdomains_provider = str, None, false
++selinux_provider = str, None, false
+
+ [domain]
+ # Options available to all domains
+--
+2.9.3
+
diff --git a/0002-CONFIG-session_provider-does-not-exist-anymore.patch b/0002-CONFIG-session_provider-does-not-exist-anymore.patch
new file mode 100644
index 0000000..591f553
--- /dev/null
+++ b/0002-CONFIG-session_provider-does-not-exist-anymore.patch
@@ -0,0 +1,81 @@
+From b37a86a8a84255742bbcffcb47e9e1a1dded0113 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Fri, 19 Aug 2016 11:48:20 +0200
+Subject: [PATCH 02/39] CONFIG: session_provider does not exist anymore
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The session_provider used to exist a long time ago when we used to set
+the SELinux context from it, but the provider had been removed for a
+long time. We just forgot to remove the value from the config API and
+the validator.
+
+Reviewed-by: Fabiano Fidêncio
+(cherry picked from commit d940593e647731c0caec1fd04cf16a1b23578f32)
+---
+ src/config/SSSDConfig/__init__.py.in | 1 -
+ src/config/SSSDConfigTest.py | 2 --
+ src/config/cfg_rules.ini | 1 -
+ src/config/etc/sssd.api.conf | 1 -
+ 4 files changed, 5 deletions(-)
+
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index 9683ea63e042115c20010cfb0904b2f65d76468b..b3f04ac26309bb5b518fb87cd0dae2962e853179 100644
+--- a/src/config/SSSDConfig/__init__.py.in
++++ b/src/config/SSSDConfig/__init__.py.in
+@@ -126,7 +126,6 @@ option_strings = {
+ 'chpass_provider' : _('Password change provider'),
+ 'sudo_provider' : _('SUDO provider'),
+ 'autofs_provider' : _('Autofs provider'),
+- 'session_provider' : _('Session-loading provider'),
+ 'hostid_provider' : _('Host identity provider'),
+ 'selinux_provider' : _('SELinux provider'),
+
+diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
+index 09adf1faad767968dc1df2cc1668144526ffe504..8fcd1a55c36035a7026f1fb4c8116aaae24e78ef 100755
+--- a/src/config/SSSDConfigTest.py
++++ b/src/config/SSSDConfigTest.py
+@@ -554,7 +554,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
+ 'chpass_provider',
+ 'sudo_provider',
+ 'autofs_provider',
+- 'session_provider',
+ 'hostid_provider',
+ 'subdomains_provider',
+ 'selinux_provider',
+@@ -924,7 +923,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
+ 'chpass_provider',
+ 'sudo_provider',
+ 'autofs_provider',
+- 'session_provider',
+ 'hostid_provider',
+ 'subdomains_provider',
+ 'selinux_provider',
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index f0b4c4e7640aa24cf14815b2717327c742fcd89a..df10538dee4a547a1b1af62a4cfe37b89e236b18 100644
+--- a/src/config/cfg_rules.ini
++++ b/src/config/cfg_rules.ini
+@@ -248,7 +248,6 @@ option = access_provider
+ option = chpass_provider
+ option = sudo_provider
+ option = autofs_provider
+-option = session_provider
+ option = hostid_provider
+ option = subdomains_provider
+ option = selinux_provider
+diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
+index 94edb45ad2b85e3f4200a917c914a8f4fcb29c28..5e69414f2a490977bdaf1555325814ad61202071 100644
+--- a/src/config/etc/sssd.api.conf
++++ b/src/config/etc/sssd.api.conf
+@@ -103,7 +103,6 @@ access_provider = str, None, false
+ chpass_provider = str, None, false
+ sudo_provider = str, None, false
+ autofs_provider = str, None, false
+-session_provider = str, None, false
+ hostid_provider = str, None, false
+ subdomains_provider = str, None, false
+ selinux_provider = str, None, false
+--
+2.9.3
+
diff --git a/0003-PROXY-Use-the-fqname-when-converting-to-lowercase.patch b/0003-PROXY-Use-the-fqname-when-converting-to-lowercase.patch
new file mode 100644
index 0000000..3281697
--- /dev/null
+++ b/0003-PROXY-Use-the-fqname-when-converting-to-lowercase.patch
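Review bot: Dropping `session_provider` from cfg_rules.ini and sssd.api.conf presumably turns any deployed sssd.conf that still carries the option into a validator complaint and an unknown option for the config API, and nothing in the hunk records that for administrators. A short entry in the package changelog, or a comment beside the remaining provider rules such as `# session_provider was removed; old configs still setting it will be reported as unknown`, would make the change discoverable before someone hits it in `sssctl config-check`. The man pages are outside this series as far as I can see, so whether they still mention session_provider cannot be checked here.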
@@ -0,0 +1,40 @@
+From 224612480eb4a64b23e096a96e7c5ea0d746d25a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
+Date: Tue, 23 Aug 2016 23:46:59 +0200
+Subject: [PATCH 03/39] PROXY: Use the fqname when converting to lowercase
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When saving the user there is a comparison between the "cased alias"
+and the "lowercase password name". However, the first doesn't use fully
+qualified name while the second does, resulting in a not expected
+override of the "nameAlias" attribute of a stored user when trying to
+authenticate more than once using an alias.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/3134
+
+Signed-off-by: Fabiano Fidêncio
+Reviewed-by: Lukáš Slebodník
+(cherry picked from commit 5691b2d668541585d2a8ae3ddb834f29d828036e)
+---
+ src/providers/proxy/proxy_id.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
+index 26f4d7499c02272e524ba9b713108189cd910bfd..b0c82807b42d91a4212578ca98af7f96484735b1 100644
+--- a/src/providers/proxy/proxy_id.c
++++ b/src/providers/proxy/proxy_id.c
+@@ -256,7 +256,7 @@ static int save_user(struct sss_domain_info *domain,
+ }
+
+ if (lowercase) {
+- lc_pw_name = sss_tc_utf8_str_tolower(attrs, pwd->pw_name);
++ lc_pw_name = sss_tc_utf8_str_tolower(attrs, real_name);
+ if (lc_pw_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ ret = ENOMEM;
+--
+2.9.3
+
diff --git a/0004-sssd_netgroup.py-Resolve-nested-netgroups.patch b/0004-sssd_netgroup.py-Resolve-nested-netgroups.patch
new file mode 100644
index 0000000..7f003ff
--- /dev/null
+++ b/0004-sssd_netgroup.py-Resolve-nested-netgroups.patch
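Review bot: The new `sss_tc_utf8_str_tolower(attrs, real_name)` call silently depends on `real_name` being the fully-qualified form of the cased alias it is later compared against, and nothing at the call site says so, so the next reader will have to rediscover ticket 3134 to see why `pwd->pw_name` was wrong. I would put `/* Lowercase the fully-qualified name: the cased alias it is compared with below is qualified too (#3134). */` above the assignment. The hunk carries no regression test for repeated alias authentication through the proxy provider, so the fix is backed only by the description. save_user begins and ends outside the hunk, so where `real_name` is built is not visible here.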
@@ -0,0 +1,253 @@ +From 3c1c173bab2e3ee3058f5661562080d6a65e324f Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Wed, 10 Aug 2016 20:05:52 +0200 +Subject: [PATCH 04/39] sssd_netgroup.py: Resolve nested netgroups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Petr Čech +(cherry picked from commit c596fc4d75304ff224cbad0aa2aecd3cbe82d2ff) +--- + src/tests/intg/sssd_netgroup.py | 204 ++++++++++++++++++++++++++++++---------- + 1 file changed, 154 insertions(+), 50 deletions(-) + +diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py +index 3525261cb28707db9031ee1dfeb144ae4c362833..2c7f76fad4da0003d1760a359ac9a1834abbb2f9 100644 +--- a/src/tests/intg/sssd_netgroup.py ++++ b/src/tests/intg/sssd_netgroup.py +@@ -71,49 +71,173 @@ class Netgrent(Structure): + ("nip", c_void_p)] + + +-def call_sssd_setnetgrent(netgroup): +- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2" +- libnss_sss = cdll.LoadLibrary(libnss_sss_path) ++class NetgroupRetriever(object): ++ def __init__(self, name): ++ self.name = name ++ self.needed_groups = [] ++ self.known_groups = [] ++ self.netgroups = [] + +- func = libnss_sss._nss_sss_setnetgrent +- func.restype = c_int +- func.argtypes = [c_char_p, POINTER(Netgrent)] ++ @staticmethod ++ def _setnetgrent(netgroup): ++ """ ++ This private method is ctypes wrapper for ++ enum nss_status _nss_sss_setnetgrent(const char *netgroup, ++ struct __netgrent *result) + +- result = Netgrent() +- result_p = POINTER(Netgrent)(result) ++ @param string name name of netgroup + +- res = func(c_char_p(netgroup), result_p) ++ @return (int, POINTER(Netgrent)) (err, result_p) ++ err is a constant from class NssReturnCode and in case of SUCCESS ++ result_p will contain POINTER(Netgrent) which can be used in ++ _getnetgrent_r or _getnetgrent_r. 
++ """ ++ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2" ++ libnss_sss = cdll.LoadLibrary(libnss_sss_path) + +- return (int(res), result_p) ++ func = libnss_sss._nss_sss_setnetgrent ++ func.restype = c_int ++ func.argtypes = [c_char_p, POINTER(Netgrent)] + ++ result = Netgrent() ++ result_p = POINTER(Netgrent)(result) + +-def call_sssd_getnetgrent_r(result_p, buff, buff_len): +- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2" +- libnss_sss = cdll.LoadLibrary(libnss_sss_path) ++ res = func(c_char_p(netgroup), result_p) + +- func = libnss_sss._nss_sss_getnetgrent_r +- func.restype = c_int +- func.argtypes = [POINTER(Netgrent), POINTER(c_char), c_size_t, +- POINTER(c_int)] ++ return (int(res), result_p) + +- errno = POINTER(c_int)(c_int(0)) ++ @staticmethod ++ def _getnetgrent_r(result_p, buff, buff_len): ++ """ ++ This private method is ctypes wrapper for ++ enum nss_status _nss_sss_getnetgrent_r(struct __netgrent *result, ++ char *buffer, size_t buflen, ++ int *errnop) ++ @param POINTER(Netgrent) result_p pointer to initialized C structure ++ struct __netgrent ++ @param ctypes.c_char_Array buff buffer used by C functions ++ @param int buff_len size of c_char_Array passed as a paramere buff + +- res = func(result_p, buff, buff_len, errno) ++ @return (int, int, List[(string, string, string]) ++ (err, errno, netgroups) ++ if err is NssReturnCode.SUCCESS netgroups will contain list of ++ touples. 
Each touple will consist of 3 elemets either string or ++ """ ++ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2" ++ libnss_sss = cdll.LoadLibrary(libnss_sss_path) + +- return (int(res), int(errno[0]), result_p) ++ func = libnss_sss._nss_sss_getnetgrent_r ++ func.restype = c_int ++ func.argtypes = [POINTER(Netgrent), POINTER(c_char), c_size_t, ++ POINTER(c_int)] + ++ errno = POINTER(c_int)(c_int(0)) + +-def call_sssd_endnetgrent(result_p): +- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2" +- libnss_sss = cdll.LoadLibrary(libnss_sss_path) ++ res = func(result_p, buff, buff_len, errno) + +- func = libnss_sss._nss_sss_endnetgrent +- func.restype = c_int +- func.argtypes = [POINTER(Netgrent)] ++ return (int(res), int(errno[0]), result_p) + +- res = func(result_p) ++ @staticmethod ++ def _endnetgrent(result_p): ++ """ ++ This private method is ctypes wrapper for ++ enum nss_status _nss_sss_endnetgrent(struct __netgrent *result) + +- return int(res) ++ @param POINTER(Netgrent) result_p pointer to initialized C structure ++ struct __netgrent ++ ++ @return int a constant from class NssReturnCode ++ """ ++ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2" ++ libnss_sss = cdll.LoadLibrary(libnss_sss_path) ++ ++ func = libnss_sss._nss_sss_endnetgrent ++ func.restype = c_int ++ func.argtypes = [POINTER(Netgrent)] ++ ++ res = func(result_p) ++ ++ return int(res) ++ ++ def get_netgroups(self): ++ """ ++ Function will return netgroup triplets for given user. All nested ++ netgroups will be retieved as part of executions and will content ++ will be merged with direct triplets. ++ Missing nested netgroups will not cause failure and are considered ++ as an empty netgroup without triplets. ++ ++ @param string name name of netgroup ++ ++ @return (int, int, List[(string, string, string]) ++ (err, errno, netgroups) ++ if err is NssReturnCode.SUCCESS netgroups will contain list of ++ touples. 
Each touple will consist of 3 elemets either string or ++ None (host, user, domain). ++ """ ++ res, errno, result = self._flat_fetch_netgroups(self.name) ++ if res != NssReturnCode.SUCCESS: ++ return (res, errno, self.netgroups) ++ ++ self.netgroups += result ++ ++ while self.needed_groups: ++ name = self.needed_groups.pop(0) ++ ++ nest_res, nest_errno, result = self._flat_fetch_netgroups(name) ++ # do not fail for missing nested netgroup ++ if nest_res not in (NssReturnCode.SUCCESS, NssReturnCode.NOTFOUND): ++ return (nest_res, nest_errno, self.netgroups) ++ ++ self.netgroups = result + self.netgroups ++ ++ return (res, errno, self.netgroups) ++ ++ def _flat_fetch_netgroups(self, name): ++ """ ++ Function will return netgroup triplets for given user. The nested ++ netgroups will not be returned. Missing nested netgroups will be ++ appended to the array needed_groups ++ ++ @param string name name of netgroup ++ ++ @return (int, int, List[(string, string, string]) ++ (err, errno, netgroups) ++ if err is NssReturnCode.SUCCESS netgroups will contain list of ++ touples. Each touple will consist of 3 elemets either string or ++ None (host, user, domain). 
++ """ ++ buff_len = 1024 * 1024 ++ buff = create_string_buffer(buff_len) ++ ++ result = [] ++ ++ res, result_p = self._setnetgrent(name) ++ if res != NssReturnCode.SUCCESS: ++ return (res, get_errno(), result) ++ ++ res, errno, result_p = self._getnetgrent_r(result_p, buff, buff_len) ++ while res == NssReturnCode.SUCCESS: ++ if result_p[0].type == NetgroupType.GROUP_VAL: ++ nested_netgroup = result_p[0].val.group ++ if nested_netgroup not in self.known_groups: ++ self.needed_groups.append(nested_netgroup) ++ self.known_groups.append(nested_netgroup) ++ ++ if result_p[0].type == NetgroupType.TRIPLE_VAL: ++ result.append((result_p[0].val.triple.host, ++ result_p[0].val.triple.user, ++ result_p[0].val.triple.domain)) ++ ++ res, errno, result_p = self._getnetgrent_r(result_p, buff, ++ buff_len) ++ ++ if res != NssReturnCode.RETURN: ++ return (res, errno, result) ++ ++ res = self._endnetgrent(result_p) ++ ++ return (res, errno, result) + + + def get_sssd_netgroups(name): +@@ -129,27 +253,7 @@ def get_sssd_netgroups(name): + Each touple will consist of 3 elemets either string or None + (host, user, domain). + """ +- buff_len = 1024 * 1024 +- buff = create_string_buffer(buff_len) + +- result = [] ++ retriever = NetgroupRetriever(name) + +- res, result_p = call_sssd_setnetgrent(name) +- if res != NssReturnCode.SUCCESS: +- return (res, get_errno(), result) +- +- res, errno, result_p = call_sssd_getnetgrent_r(result_p, buff, buff_len) +- while res == NssReturnCode.SUCCESS: +- assert result_p[0].type == NetgroupType.TRIPLE_VAL +- result.append((result_p[0].val.triple.host, +- result_p[0].val.triple.user, +- result_p[0].val.triple.domain)) +- res, errno, result_p = call_sssd_getnetgrent_r(result_p, buff, +- buff_len) +- +- if res != NssReturnCode.RETURN: +- return (res, errno, result) +- +- res = call_sssd_endnetgrent(result_p) +- +- return (res, errno, result) ++ return retriever.get_netgroups() +-- +2.9.3 + 
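Review bot: NetgroupRetriever never records its own root name in `known_groups`, so a nested netgroup that refers back to the root (a cycle, which the class otherwise guards against) is fetched a second time and its triplets appear twice in the result; initialising with `self.known_groups = [name]` closes that gap. `_flat_fetch_netgroups` also returns early when `_getnetgrent_r` ends with anything other than `NssReturnCode.RETURN` without calling `_endnetgrent`, leaving the enumeration state open — this is carried over from the removed `get_sssd_netgroups`, but the rewrite was the place to fix it. The new docstrings repeat "touples", "elemets", "retieved" and "paramere"; since they document the helper's contract they are worth correcting in the same patch.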
diff --git a/0005-LDAP-Fixing-of-removing-netgroup-from-cache.patch b/0005-LDAP-Fixing-of-removing-netgroup-from-cache.patch
new file mode 100644
index 0000000..d20d59d
--- /dev/null
+++ b/0005-LDAP-Fixing-of-removing-netgroup-from-cache.patch
@@ -0,0 +1,50 @@
+From 5ac050f0f5160dc433aba21fd1ae2f2a8ffa9a88 Mon Sep 17 00:00:00 2001
+From: Petr Cech
+Date: Fri, 22 Jul 2016 14:28:54 +0200
+Subject: [PATCH 05/39] LDAP: Fixing of removing netgroup from cache
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There were problem with local key which wasn't properly removed.
+This patch fixes it.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2841
+
+Reviewed-by: Lukáš Slebodník
+(cherry picked from commit bf141e052a81b28ee0ad2f61ff8b4879e4faa13b)
+---
+ src/providers/ldap/sdap_async_netgroups.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
+index df233d956df70cfcb5f68bd2afc9e2a23c50c3bb..e1d69ad769f542cccffca50547932a5bfb352230 100644
+--- a/src/providers/ldap/sdap_async_netgroups.c
++++ b/src/providers/ldap/sdap_async_netgroups.c
+@@ -138,6 +138,22 @@ static errno_t sdap_save_netgroup(TALLOC_CTX *memctx,
+ goto fail;
+ }
+
++ /* We store memberNisNetgroup from LDAP as originalMemberNisNetgroup in
++ * sysdb. It may contain simple name or DN. That's the reason why we always
++ * translate/generate simple name and store it in SYSDB_NETGROUP_MEMBER
++ * (memberNisNetgroup) in sysdb which is internally used for searching
++ * netgropus.
++ * We need to ensure if originalMemberNisNetgroup is missing,
++ * memberNisNetgroup is missing too.
++ */
++ if (string_in_list(SYSDB_ORIG_NETGROUP_MEMBER, missing, false)) {
++ ret = add_string_to_list(attrs, SYSDB_NETGROUP_MEMBER, &missing);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add string into list\n");
++ goto fail;
++ }
++ }
++
+ ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, missing,
+ dom->netgroup_timeout, now);
+ if (ret) goto fail;
+--
+2.9.3
+
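Review bot: The new comment explains the storage scheme but not the consequence, which is the security-relevant part: if `memberNisNetgroup` stayed in the cache after `originalMemberNisNetgroup` vanished from LDAP, a nested netgroup removed from its parent would presumably keep matching cached lookups. I would close the comment with `* Otherwise a membership removed in LDAP would survive in the cache.` and fix the typo `netgropus`. The block also calls `string_in_list(SYSDB_ORIG_NETGROUP_MEMBER, missing, false)` unconditionally, so it relies on that helper tolerating an empty or NULL `missing` list when nothing is absent; neither helper is visible here, so that is worth a glance. sdap_save_netgroup begins and ends outside the hunk.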
diff --git a/0006-INTG-Adding-support-for-netgroups-to-ldap_ent.patch b/0006-INTG-Adding-support-for-netgroups-to-ldap_ent.patch
new file mode 100644
index 0000000..159383a
--- /dev/null
+++ b/0006-INTG-Adding-support-for-netgroups-to-ldap_ent.patch
@@ -0,0 +1,54 @@
+From f3f50d7a9ca36d0d56f29d25e4fceaa50c9a06e9 Mon Sep 17 00:00:00 2001
+From: Petr Cech
+Date: Wed, 17 Aug 2016 14:01:09 +0200
+Subject: [PATCH 06/39] INTG: Adding support for netgroups to ldap_ent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2841
+
+Reviewed-by: Lukáš Slebodník
+(cherry picked from commit 1cba321946084231c220e9561487555671b944c3)
+---
+ src/tests/intg/ldap_ent.py | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/src/tests/intg/ldap_ent.py b/src/tests/intg/ldap_ent.py
+index f8f2f7fe6977aec6fd704ad1c78a476a163a16f1..c912844b063cfeb9c48744d593685d0b7fbcc706 100644
+--- a/src/tests/intg/ldap_ent.py
++++ b/src/tests/intg/ldap_ent.py
+@@ -87,6 +87,20 @@ def group_bis(base_dn, cn, gidNumber, member_uids=[], member_gids=[]):
+ return ("cn=" + cn + ",ou=Groups," + base_dn, attr_list)
+
+
++def netgroup(base_dn, cn, triples=(), members=()):
++ """
++ Generate an RFC2307bis netgroup add-modlist for passing to ldap.add*.
++ """
++ attr_list = [
++ ('objectClass', ['top', 'nisNetgroup'])
++ ]
++ if triples:
++ attr_list.append(('nisNetgroupTriple', triples))
++ if members:
++ attr_list.append(('memberNisNetgroup', members))
++ return ("cn=" + cn + ",ou=Netgroups," + base_dn, attr_list)
++
++
+ class List(list):
+ """LDAP add-modlist list"""
+
+@@ -124,3 +138,8 @@ class List(list):
+ self.append(group_bis(base_dn or self.base_dn,
+ cn, gidNumber,
+ member_uids, member_gids))
++
++ def add_netgroup(self, cn, triples=(), members=(), base_dn=None):
++ """Add an RFC2307bis netgroup add-modlist."""
++ self.append(netgroup(base_dn or self.base_dn,
++ cn, triples, members))
+--
+2.9.3
+
diff --git a/0007-INTG-Tests-for-ldap-nested-netgroups.patch b/0007-INTG-Tests-for-ldap-nested-netgroups.patch
new file mode 100644
index 0000000..6a6bc42
--- /dev/null
+++ b/0007-INTG-Tests-for-ldap-nested-netgroups.patch
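Review bot: `netgroup()` splices `cn` straight into the DN with `"cn=" + cn + ",ou=Netgroups," + base_dn`, so a fixture name containing `,`, `+` or `=` would yield an invalid or differently parsed DN; `ldap.dn.escape_dn_chars(cn)` (with `import ldap.dn` if the module does not already have it) would make the helper safe for such cases, though I note it matches the `group_bis` style visible in the context. The docstrings call the result an "RFC2307bis netgroup", but `nisNetgroup` with `nisNetgroupTriple` and `memberNisNetgroup` is the plain RFC 2307 NIS schema, so `"""Generate a nisNetgroup (RFC 2307) add-modlist for passing to ldap.add*."""` would be accurate. The `triples` and `members` defaults are tuples where `group_bis` uses lists; one consistent type would keep callers from guessing.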
@@ -0,0 +1,501 @@ +From 620d402a126580a13730f446dd99bf50814c9fb8 Mon Sep 17 00:00:00 2001 +From: Petr Cech +Date: Wed, 17 Aug 2016 13:58:30 +0200 +Subject: [PATCH 07/39] INTG: Tests for ldap nested netgroups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch adds tests on reproducer of t2841. + +Resolves: +https://fedorahosted.org/sssd/ticket/2841 + +Reviewed-by: Lukáš Slebodník +(cherry picked from commit 05457ed0e399aaacc919b7aacee5d8210e1c1072) +--- + src/tests/intg/Makefile.am | 1 + + src/tests/intg/test_netgroup.py | 459 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 460 insertions(+) + create mode 100644 src/tests/intg/test_netgroup.py + +diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am +index d73e4216310ccd1c90e6b7eb0a0e60068fc45bd5..75422a4417046116bec11a8a680fe2248e3afb69 100644 +--- a/src/tests/intg/Makefile.am ++++ b/src/tests/intg/Makefile.am +@@ -15,6 +15,7 @@ dist_noinst_DATA = \ + test_ldap.py \ + test_memory_cache.py \ + test_ts_cache.py \ ++ test_netgroup.py \ + $(NULL) + + config.py: config.py.m4 +diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py +new file mode 100644 +index 0000000000000000000000000000000000000000..b99476126844e35d5dbc1793077720b4020c2fb7 +--- /dev/null ++++ b/src/tests/intg/test_netgroup.py +@@ -0,0 +1,459 @@ ++# ++# Netgroup integration test ++# ++# Copyright (c) 2016 Red Hat, Inc. ++# Author: Petr Cech ++# ++# This is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by ++# the Free Software Foundation; version 2 only ++# ++# This program is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. 
++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++import os ++import stat ++import signal ++import subprocess ++import time ++import ldap ++import ldap.modlist ++import pytest ++ ++import config ++import ds_openldap ++import ldap_ent ++from util import unindent ++import sssd_netgroup ++ ++LDAP_BASE_DN = "dc=example,dc=com" ++ ++ ++@pytest.fixture(scope="module") ++def ds_inst(request): ++ """LDAP server instance fixture""" ++ ds_inst = ds_openldap.DSOpenLDAP( ++ config.PREFIX, 10389, LDAP_BASE_DN, ++ "cn=admin", "Secret123" ++ ) ++ ++ try: ++ ds_inst.setup() ++ except: ++ ds_inst.teardown() ++ raise ++ request.addfinalizer(ds_inst.teardown) ++ return ds_inst ++ ++ ++@pytest.fixture(scope="module") ++def ldap_conn(request, ds_inst): ++ """LDAP server connection fixture""" ++ ldap_conn = ds_inst.bind() ++ ldap_conn.ds_inst = ds_inst ++ request.addfinalizer(ldap_conn.unbind_s) ++ return ldap_conn ++ ++ ++def create_ldap_entries(ldap_conn, ent_list=None): ++ """Add LDAP entries from ent_list""" ++ if ent_list is not None: ++ for entry in ent_list: ++ ldap_conn.add_s(entry[0], entry[1]) ++ ++ ++def cleanup_ldap_entries(ldap_conn, ent_list=None): ++ """Remove LDAP entries added by create_ldap_entries""" ++ if ent_list is None: ++ for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"): ++ for entry in ldap_conn.search_s("ou=" + ou + "," + ++ ldap_conn.ds_inst.base_dn, ++ ldap.SCOPE_ONELEVEL, ++ attrlist=[]): ++ ldap_conn.delete_s(entry[0]) ++ else: ++ for entry in ent_list: ++ ldap_conn.delete_s(entry[0]) ++ ++ ++def create_ldap_cleanup(request, ldap_conn, ent_list=None): ++ """Add teardown for removing all user/group LDAP entries""" ++ request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list)) ++ ++ ++def create_ldap_fixture(request, ldap_conn, ent_list=None): ++ """Add LDAP entries and add teardown for removing them""" ++ create_ldap_entries(ldap_conn, ent_list) ++ 
create_ldap_cleanup(request, ldap_conn, ent_list) ++ ++ ++SCHEMA_RFC2307_BIS = "rfc2307bis" ++ ++ ++def format_basic_conf(ldap_conn, schema): ++ """Format a basic SSSD configuration""" ++ schema_conf = "ldap_schema = " + schema + "\n" ++ schema_conf += "ldap_group_object_class = groupOfNames\n" ++ return unindent("""\ ++ [sssd] ++ domains = LDAP ++ services = nss ++ ++ [domain/LDAP] ++ {schema_conf} ++ id_provider = ldap ++ auth_provider = ldap ++ ldap_uri = {ldap_conn.ds_inst.ldap_url} ++ ldap_search_base = {ldap_conn.ds_inst.base_dn} ++ ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn} ++ """).format(**locals()) ++ ++ ++def create_conf_file(contents): ++ """Create sssd.conf with specified contents""" ++ conf = open(config.CONF_PATH, "w") ++ conf.write(contents) ++ conf.close() ++ os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) ++ ++ ++def cleanup_conf_file(): ++ """Remove sssd.conf, if it exists""" ++ if os.path.lexists(config.CONF_PATH): ++ os.unlink(config.CONF_PATH) ++ ++ ++def create_conf_cleanup(request): ++ """Add teardown for removing sssd.conf""" ++ request.addfinalizer(cleanup_conf_file) ++ ++ ++def create_conf_fixture(request, contents): ++ """ ++ Create sssd.conf with specified contents and add teardown for removing it ++ """ ++ create_conf_file(contents) ++ create_conf_cleanup(request) ++ ++ ++def create_sssd_process(): ++ """Start the SSSD process""" ++ if subprocess.call(["sssd", "-D", "-f"]) != 0: ++ raise Exception("sssd start failed") ++ ++ ++def cleanup_sssd_process(): ++ """Stop the SSSD process and remove its state""" ++ try: ++ pid_file = open(config.PIDFILE_PATH, "r") ++ pid = int(pid_file.read()) ++ os.kill(pid, signal.SIGTERM) ++ while True: ++ try: ++ os.kill(pid, signal.SIGCONT) ++ except: ++ break ++ time.sleep(1) ++ except: ++ pass ++ for path in os.listdir(config.DB_PATH): ++ os.unlink(config.DB_PATH + "/" + path) ++ for path in os.listdir(config.MCACHE_PATH): ++ os.unlink(config.MCACHE_PATH + "/" + path) ++ 
++ ++def create_sssd_cleanup(request): ++ """Add teardown for stopping SSSD and removing its state""" ++ request.addfinalizer(cleanup_sssd_process) ++ ++ ++def create_sssd_fixture(request): ++ """Start SSSD and add teardown for stopping it and removing its state""" ++ create_sssd_process() ++ create_sssd_cleanup(request) ++ ++ ++@pytest.fixture ++def add_empty_netgroup(request, ldap_conn): ++ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ++ ++ ent_list.add_netgroup("empty_netgroup") ++ ++ create_ldap_fixture(request, ldap_conn, ent_list) ++ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) ++ create_conf_fixture(request, conf) ++ create_sssd_fixture(request) ++ return None ++ ++ ++def test_add_empty_netgroup(add_empty_netgroup): ++ """ ++ Adding empty netgroup. ++ """ ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("empty_netgroup") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [] ++ ++ ++@pytest.fixture ++def add_tripled_netgroup(request, ldap_conn): ++ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ++ ++ ent_list.add_netgroup("tripled_netgroup", ["(host,user,domain)"]) ++ ++ ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)", ++ "(host2,user2,domain2)"]) ++ ++ create_ldap_fixture(request, ldap_conn, ent_list) ++ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) ++ create_conf_fixture(request, conf) ++ create_sssd_fixture(request) ++ return None ++ ++ ++def test_add_tripled_netgroup(add_tripled_netgroup): ++ """ ++ Adding netgroup with triplet. 
++ """ ++ ++ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgrps == [("host", "user", "domain")] ++ ++ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("adv_tripled_netgroup") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert sorted(netgrps) == sorted([("host1", "user1", "domain1"), ++ ("host2", "user2", "domain2")]) ++ ++ ++@pytest.fixture ++def add_mixed_netgroup(request, ldap_conn): ++ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ++ ++ ent_list.add_netgroup("mixed_netgroup1") ++ ent_list.add_netgroup("mixed_netgroup2", members=["mixed_netgroup1"]) ++ ++ ent_list.add_netgroup("mixed_netgroup3", ["(host1,user1,domain1)"]) ++ ent_list.add_netgroup("mixed_netgroup4", ++ ["(host2,user2,domain2)", "(host3,user3,domain3)"]) ++ ++ ent_list.add_netgroup("mixed_netgroup5", ++ ["(host4,user4,domain4)"], ++ ["mixed_netgroup1"]) ++ ent_list.add_netgroup("mixed_netgroup6", ++ ["(host5,user5,domain5)"], ++ ["mixed_netgroup2"]) ++ ++ ent_list.add_netgroup("mixed_netgroup7", members=["mixed_netgroup3"]) ++ ent_list.add_netgroup("mixed_netgroup8", ++ members=["mixed_netgroup3", "mixed_netgroup4"]) ++ ++ ent_list.add_netgroup("mixed_netgroup9", ++ ["(host6,user6,domain6)"], ++ ["mixed_netgroup3", "mixed_netgroup4"]) ++ ++ create_ldap_fixture(request, ldap_conn, ent_list) ++ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) ++ create_conf_fixture(request, conf) ++ create_sssd_fixture(request) ++ return None ++ ++ ++def test_add_mixed_netgroup(add_mixed_netgroup): ++ """ ++ Adding many netgroups of different type. 
++ """ ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup1") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup2") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup3") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [("host1", "user1", "domain1")] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup4") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert sorted(netgroups) == sorted([("host2", "user2", "domain2"), ++ ("host3", "user3", "domain3")]) ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup5") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [("host4", "user4", "domain4")] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup6") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [("host5", "user5", "domain5")] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup7") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [("host1", "user1", "domain1")] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup8") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert sorted(netgroups) == sorted([("host1", "user1", "domain1"), ++ ("host2", "user2", "domain2"), ++ ("host3", "user3", "domain3")]) ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup9") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert sorted(netgroups) == sorted([("host1", "user1", "domain1"), ++ ("host2", "user2", "domain2"), ++ ("host3", "user3", "domain3"), ++ ("host6", "user6", "domain6")]) ++ ++ ++@pytest.fixture ++def remove_step_by_step(request, ldap_conn): ++ ent_list = 
ldap_ent.List(ldap_conn.ds_inst.base_dn) ++ ++ ent_list.add_netgroup("rm_empty_netgroup1", ["(host1,user1,domain1)"]) ++ ent_list.add_netgroup("rm_empty_netgroup2", ++ ["(host2,user2,domain2)"], ++ ["rm_empty_netgroup1"]) ++ ++ create_ldap_fixture(request, ldap_conn, ent_list) ++ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) ++ create_conf_fixture(request, conf) ++ create_sssd_fixture(request) ++ return ent_list ++ ++ ++def test_remove_step_by_step(remove_step_by_step, ldap_conn): ++ """ ++ Removing netgroups step by step. ++ """ ++ ++ ent_list = remove_step_by_step ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup1") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [('host1', 'user1', 'domain1')] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup2") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert sorted(netgroups) == sorted([('host1', 'user1', 'domain1'), ++ ('host2', 'user2', 'domain2')]) ++ ++ # removing of rm_empty_netgroup1 ++ ldap_conn.delete_s(ent_list[0][0]) ++ ent_list.remove(ent_list[0]) ++ ++ if subprocess.call(["sss_cache", "-N"]) != 0: ++ raise Exception("sssd_cache failed") ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup1") ++ assert res == sssd_netgroup.NssReturnCode.NOTFOUND ++ assert netgroups == [] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup2") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [('host2', 'user2', 'domain2')] ++ ++ # removing of rm_empty_netgroup2 ++ ldap_conn.delete_s(ent_list[0][0]) ++ ent_list.remove(ent_list[0]) ++ ++ if subprocess.call(["sss_cache", "-N"]) != 0: ++ raise Exception("sssd_cache failed") ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup1") ++ assert res == sssd_netgroup.NssReturnCode.NOTFOUND ++ assert netgroups == [] ++ ++ res, _, netgroups = 
sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup2") ++ assert res == sssd_netgroup.NssReturnCode.NOTFOUND ++ assert netgroups == [] ++ ++ ++@pytest.fixture ++def removing_nested_netgroups(request, ldap_conn): ++ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) ++ ++ ent_list.add_netgroup("t2841_netgroup1", ["(host1,user1,domain1)"]) ++ ent_list.add_netgroup("t2841_netgroup2", ["(host2,user2,domain2)"]) ++ ent_list.add_netgroup("t2841_netgroup3", ++ members=["t2841_netgroup1", "t2841_netgroup2"]) ++ ++ create_ldap_fixture(request, ldap_conn, ent_list) ++ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) ++ create_conf_fixture(request, conf) ++ create_sssd_fixture(request) ++ return None ++ ++ ++def test_removing_nested_netgroups(removing_nested_netgroups, ldap_conn): ++ """ ++ Regression test for ticket 2841. ++ https://fedorahosted.org/sssd/ticket/2841 ++ """ ++ ++ netgrp_dn = 'cn=t2841_netgroup3,ou=Netgroups,' + ldap_conn.ds_inst.base_dn ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup1") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [('host1', 'user1', 'domain1')] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [('host2', 'user2', 'domain2')] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert sorted(netgroups) == sorted([('host1', 'user1', 'domain1'), ++ ('host2', 'user2', 'domain2')]) ++ ++ # removing of t2841_netgroup1 from t2841_netgroup3 ++ old = {'memberNisNetgroup': ["t2841_netgroup1", "t2841_netgroup2"]} ++ new = {'memberNisNetgroup': ["t2841_netgroup2"]} ++ ++ ldif = ldap.modlist.modifyModlist(old, new) ++ ldap_conn.modify_s(netgrp_dn, ldif) ++ ++ if subprocess.call(["sss_cache", "-N"]) != 0: ++ raise Exception("sssd_cache failed") ++ ++ res, _, netgroups = 
sssd_netgroup.get_sssd_netgroups("t2841_netgroup1") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [('host1', 'user1', 'domain1')] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [('host2', 'user2', 'domain2')] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [('host2', 'user2', 'domain2')] ++ ++ # removing of t2841_netgroup2 from t2841_netgroup3 ++ old = {'memberNisNetgroup': ["t2841_netgroup2"]} ++ new = {'memberNisNetgroup': []} ++ ++ ldif = ldap.modlist.modifyModlist(old, new) ++ ldap_conn.modify_s(netgrp_dn, ldif) ++ ++ if subprocess.call(["sss_cache", "-N"]) != 0: ++ raise Exception("sssd_cache failed") ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup1") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [('host1', 'user1', 'domain1')] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [('host2', 'user2', 'domain2')] ++ ++ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3") ++ assert res == sssd_netgroup.NssReturnCode.SUCCESS ++ assert netgroups == [] +-- +2.9.3 + diff --git a/0008-watchdog-cope-with-time-shift.patch b/0008-watchdog-cope-with-time-shift.patch new file mode 100644 index 0000000..a8f58e5 --- /dev/null +++ b/0008-watchdog-cope-with-time-shift.patch 
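Review bot: `create_conf_file()` creates `config.CONF_PATH` with `open(config.CONF_PATH, "w")`, writes the whole sssd.conf, and only afterwards runs `os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR)`, so for the duration of the write the file carries umask-derived permissions; creating it restrictively from the start with `fd = os.open(config.CONF_PATH, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and writing through `os.fdopen(fd, "w")` removes that window. In `cleanup_sssd_process()` both bare `except:` clauses also swallow `KeyboardInterrupt`/`SystemExit` and hide a failure to read or parse the pid file, and the `while True` SIGCONT probe has no upper bound, so a hung sssd hangs the teardown forever; `except OSError:` around the `os.kill` calls plus a bounded iteration count keeps the best-effort intent. The four `raise Exception("sssd_cache failed")` messages in `test_remove_step_by_step()` and `test_removing_nested_netgroups()` do not name the command actually run, which is `sss_cache -N`; `raise Exception("sss_cache -N failed")` makes the failure searchable. The five `@pytest.fixture` functions from `add_empty_netgroup` to `removing_nested_netgroups` have no docstring; one line each naming the netgroups they seed and whether they return the entry list would let the tests be read in isolation.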
@@ -0,0 +1,97 @@
+From 2263fb23bdbbf313535edf54440fe20627b57d7f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 22 Aug 2016 13:15:04 +0200
+Subject: [PATCH 08/39] watchdog: cope with time shift
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When a time is changed into the past during sssd runtime
+(e.g. on boot during time correction), it is possible that
+we never hit watchdog tevent timer since it is based on
+system time.
+
+This patch adds a past-time shift detection mechanism. If a time
+shift is detected we restart watchdog.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/3154
+
+Reviewed-by: Lukáš Slebodník
+Reviewed-by: Fabiano Fidêncio
+(cherry picked from commit b8ceaeb80cffb00c26390913ea959b77f7e848b9)
+---
+ src/util/util_watchdog.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
+index 5032fddba1b94b3fc7e560162c392dfa57d699cf..1c27d73f13b3042ecb549a2184e1368e8339d199 100644
+--- a/src/util/util_watchdog.c
++++ b/src/util/util_watchdog.c
+@@ -29,8 +29,39 @@ struct watchdog_ctx {
+ struct timeval interval;
+ struct tevent_timer *te;
+ volatile int ticks;
++
++ /* To detect time shift. */
++ struct tevent_context *ev;
++ int input_interval;
++ time_t timestamp;
+ } watchdog_ctx;
+
++static bool watchdog_detect_timeshift(void)
++{
++ time_t prev_time;
++ time_t cur_time;
++ errno_t ret;
++
++ prev_time = watchdog_ctx.timestamp;
++ cur_time = watchdog_ctx.timestamp = time(NULL);
++ if (cur_time < prev_time) {
++ /* Time shift detected. We need to restart watchdog. */
++ DEBUG(SSSDBG_IMPORTANT_INFO, "Time shift detected, "
++ "restarting watchdog!\n");
++ teardown_watchdog();
++ ret = setup_watchdog(watchdog_ctx.ev, watchdog_ctx.input_interval);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to restart watchdog "
++ "[%d]: %s\n", ret, sss_strerror(ret));
++ orderly_shutdown(1);
++ }
++
++ return true;
++ }
++
++ return false;
++}
++
+ /* the watchdog is purposefully *not* handled by the tevent
+ * signal handler as it is meant to check if the daemon is
+ * still processing the event queue itself. A stuck process
+@@ -38,6 +69,12 @@ struct watchdog_ctx {
+ * signals either */
+ static void watchdog_handler(int sig)
+ {
++ /* Do not count ticks if time shift was detected
++ * since watchdog was restarted. */
++ if (watchdog_detect_timeshift()) {
++ return;
++ }
++
+ /* if 3 ticks passed by kills itself */
+
+ if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > 3) {
+@@ -101,6 +138,10 @@ int setup_watchdog(struct tevent_context *ev, int interval)
+ watchdog_ctx.interval.tv_sec = interval;
+ watchdog_ctx.interval.tv_usec = 0;
+
++ watchdog_ctx.ev = ev;
++ watchdog_ctx.input_interval = interval;
++ watchdog_ctx.timestamp = time(NULL);
++
+ /* Start the timer */
+ /* we give 1 second head start to the watchdog event */
+ its.it_value.tv_sec = interval + 1;
+--
+2.9.3
+
diff --git a/0009-BUILD-Allow-to-read-private-pipes-for-root.patch b/0009-BUILD-Allow-to-read-private-pipes-for-root.patch
new file mode 100644
index 0000000..fb261c7
--- /dev/null
+++ b/0009-BUILD-Allow-to-read-private-pipes-for-root.patch
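Review bot: `watchdog_detect_timeshift()` is invoked from the raw signal handler `watchdog_handler()`, and on a backward shift it calls `DEBUG()`, `teardown_watchdog()`, `setup_watchdog()` and, on failure, `orderly_shutdown()` in signal context; `time()` is async-signal-safe, but `DEBUG()` (stdio/syslog) is not, and the part of `setup_watchdog()` that uses the stored `watchdog_ctx.ev` to create `watchdog_ctx.te` lies outside this hunk — if that path allocates or mutates tevent state, a signal landing while the main loop holds the allocator lock or is mid-update can deadlock or corrupt the very daemon the watchdog protects, which is the hazard the comment above `watchdog_handler()` is already wary of. A safer split keeps only the comparison and a `volatile sig_atomic_t` "shift detected, stop counting" flag in the handler, and performs the teardown/re-arm and the log message from main-loop context, woken through tevent's own async-signal-safe signal path so that it still runs when the tevent timer itself has stalled. Independently, a one-line comment at `cur_time = watchdog_ctx.timestamp = time(NULL);` such as `/* Only a jump backwards restarts the watchdog; the timestamp is refreshed on every tick. */` would make the intent explicit to the next reader.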
@@ -0,0 +1,82 @@
+From d5a5ff043c5872eb159aa096e1a1fa7863db4f86 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik
+Date: Fri, 19 Aug 2016 10:46:12 +0200
+Subject: [PATCH 09/39] BUILD: Allow to read private pipes for root
+
+Root can read anything from any directory even with permissions 000.
+
+However SELinux checks discretionary access control (DAC)
+and deny access if access is not allowed for root by DAC.
+The pam_sss use different unix socket /var/lib/sss/pipes/private/pam
+for user with uid 0. Therefore root need to be able read content
+of directory with private pipes.
+
+type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
+ { dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search
+ scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
+ tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
+
+type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
+ { dac_override } for pid=20257 comm=vsftpd capability=dac_override
+ scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
+ tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/3143
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit f49724cd6b3e0e3274302c3d475e93f7a7094f40)
+---
+ Makefile.am | 8 ++++----
+ contrib/sssd.spec.in | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 8b9240f4485c0bce976fdabff6904e648f44356e..6219682de0d1fd4b3a813ee2f95b8185531e62bf 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -3952,7 +3952,6 @@ SSSD_USER_DIRS = \
+ $(DESTDIR)$(keytabdir) \
+ $(DESTDIR)$(mcpath) \
+ $(DESTDIR)$(pipepath) \
+- $(DESTDIR)$(pipepath)/private \
+ $(DESTDIR)$(pubconfpath) \
+ $(DESTDIR)$(pubconfpath)/krb5.include.d \
+ $(DESTDIR)$(gpocachepath) \
+@@ -3979,16 +3978,17 @@ installsssddirs::
+ $(DESTDIR)$(sssddatadir) \
+ $(DESTDIR)$(sudolibdir) \
+ $(DESTDIR)$(autofslibdir) \
++ $(DESTDIR)$(pipepath)/private \
+ $(SSSD_USER_DIRS) \
+ $(NULL);
+ if SSSD_USER
+- -chown $(SSSD_USER):$(SSSD_USER) \
+- $(SSSD_USER_DIRS)
++ -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)
++ -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private
+ endif
+ $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
+- $(DESTDIR)$(pipepath)/private \
+ $(DESTDIR)$(keytabdir) \
+ $(NULL)
++ $(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private
+ $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
+ $(DESTDIR)$(pubconfpath) \
+ $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index 24af8d518bd065388b14d812de7c1c61975f0cca..1e058ca63c25513253c4b350d286208f40f6b660 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -791,7 +791,7 @@ done
+ %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
+ %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
+ %attr(755,sssd,sssd) %dir %{pipepath}
+-%attr(700,sssd,sssd) %dir %{pipepath}/private
++%attr(750,sssd,root) %dir %{pipepath}/private
+ %attr(755,sssd,sssd) %dir %{pubconfpath}
+ %attr(755,sssd,sssd) %dir %{gpocachepath}
+ %attr(750,sssd,sssd) %dir %{_var}/log/%{name}
+--
+2.9.3
+
diff --git a/0010-SYSDB-Rework-sysdb_cache_connect.patch b/0010-SYSDB-Rework-sysdb_cache_connect.patch
new file mode 100644
index 0000000..66ae3ef
--- /dev/null
+++ b/0010-SYSDB-Rework-sysdb_cache_connect.patch
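Review bot: The spec now packages `%{pipepath}/private` as `%attr(750,sssd,root)`, but the Makefile side only runs `-chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private`, so a source install leaves the directory's group as whatever group `install -d` created it with and the new group read/search bit then grants access to that group rather than to root; `-chown $(SSSD_USER):root $(DESTDIR)$(pipepath)/private` keeps the two install paths equivalent (the `installsssddirs::` rule begins above this hunk). The leading `-` also silences a failed chown, which for a directory whose access model rests on its ownership is arguably worth surfacing rather than ignoring. Since `$(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private` is now the one directory that deviates from the 0700 group, a comment above it such as `# 0750 with group root: root must be able to search the private pipes (pam_sss for uid 0) without relying on DAC override, see ticket 3143` records why it is different.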
@@ -0,0 +1,124 @@
+From 3258fa9d328f364fa41fd1a5bc5fc3250e87df8e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
+Date: Tue, 16 Aug 2016 11:20:49 +0200
+Subject: [PATCH 10/39] SYSDB: Rework sysdb_cache_connect()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As sysdb_cache_connect() has two very specific use cases (connect to the
+cache and connect to the timestamp cache) and each of those calls have a
+predetermined/fixed sets of values for a few parameters, let's try to
+make the code a bit simpler to follow by having explicit functions for
+connecting to the cache and connecting to the timestamp cache.
+
+Macros could be used as well, but I have a slightly preference for
+having two new functions instead of macros accessing internal parameters
+of the macro's parameter.
+
+Related:
+https://fedorahosted.org/sssd/ticket/3128
+
+Signed-off-by: Fabiano Fidêncio
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit b6d1cd5eaab4c7c73df8ee041944ec05630a9630)
+---
+ src/db/sysdb_init.c | 53 ++++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 34 insertions(+), 19 deletions(-)
+
+diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
+index 9e3646bfeb9a494ebff2d348ab1c53336f8a5c03..59934701c4d2b9d770385a202af058404a6d3eb9 100644
+--- a/src/db/sysdb_init.c
++++ b/src/db/sysdb_init.c
+@@ -511,14 +511,14 @@ done:
+ return ret;
+ }
+
+-static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
+- struct sss_domain_info *domain,
+- const char *ldb_file,
+- int flags,
+- const char *exp_version,
+- const char *base_ldif,
+- struct ldb_context **_ldb,
+- const char **_version)
++static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
++ struct sss_domain_info *domain,
++ const char *ldb_file,
++ int flags,
++ const char *exp_version,
++ const char *base_ldif,
++ struct ldb_context **_ldb,
++ const char **_version)
+ {
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct ldb_message_element *el;
+@@ -619,6 +619,29 @@ done:
+ return ret;
+ }
+
++static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
++ struct sysdb_ctx *sysdb,
++ struct sss_domain_info *domain,
++ struct ldb_context **ldb,
++ const char **version)
++{
++ return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_file,
++ 0, SYSDB_VERSION, SYSDB_BASE_LDIF,
++ ldb, version);
++}
++
++static errno_t sysdb_ts_cache_connect(TALLOC_CTX *mem_ctx,
++ struct sysdb_ctx *sysdb,
++ struct sss_domain_info *domain,
++ struct ldb_context **ldb,
++ const char **version)
++{
++ return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_ts_file,
++ LDB_FLG_NOSYNC, SYSDB_TS_VERSION,
++ SYSDB_TS_BASE_LDIF,
++ ldb, version);
++}
++
+ static errno_t remove_ts_cache(struct sysdb_ctx *sysdb)
+ {
+ errno_t ret;
+@@ -649,9 +672,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
+ return ENOMEM;
+ }
+
+- ret = sysdb_cache_connect(tmp_ctx, domain, sysdb->ldb_file, 0,
+- SYSDB_VERSION, SYSDB_BASE_LDIF,
+- &ldb, &version);
++ ret = sysdb_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
+ switch (ret) {
+ case ERR_SYSDB_VERSION_TOO_OLD:
+ if (upgrade_ctx == NULL) {
+@@ -731,10 +752,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
+ return ENOMEM;
+ }
+
+- ret = sysdb_cache_connect(tmp_ctx, domain,
+- sysdb->ldb_ts_file, LDB_FLG_NOSYNC,
+- SYSDB_TS_VERSION, SYSDB_TS_BASE_LDIF,
+- &ldb, &version);
++ ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
+ switch (ret) {
+ case ERR_SYSDB_VERSION_TOO_OLD:
+ if (upgrade_ctx == NULL) {
+@@ -801,10 +819,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
+ /* Now the connect must succeed because the previous cache doesn't
+ * exist anymore.
+ */
+- ret = sysdb_cache_connect(tmp_ctx, domain,
+- sysdb->ldb_ts_file, LDB_FLG_NOSYNC,
+- SYSDB_TS_VERSION, SYSDB_TS_BASE_LDIF,
+- &ldb, &version);
++ ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not delete the timestamp ldb file (%d) (%s)\n",
+--
+2.9.3
+
diff --git a/0011-SYSDB-Remove-the-timestamp-cache-for-a-newly-created.patch b/0011-SYSDB-Remove-the-timestamp-cache-for-a-newly-created.patch
new file mode 100644
index 0000000..85a40d2
--- /dev/null
+++ b/0011-SYSDB-Remove-the-timestamp-cache-for-a-newly-created.patch
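Review bot: The two new wrappers `sysdb_cache_connect()` and `sysdb_ts_cache_connect()` carry no comment, and the only thing that distinguishes them besides the file name is that the timestamp cache is opened with `LDB_FLG_NOSYNC` while the persistent cache passes `0`; that difference is exactly what a future reader will stop on. A short comment above `sysdb_ts_cache_connect()` along the lines of `/* The timestamp cache is opened with LDB_FLG_NOSYNC: it is treated as disposable (see remove_ts_cache()), so durability is traded for write speed. */` would capture the intent — the "disposable" reading is inferred from `remove_ts_cache()` being used on the reconnect path further down, so confirm the wording before committing it. The wrappers themselves are a faithful refactor of the three former call sites and need no code change.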
@@ -0,0 +1,152 @@
+From 85fed431388c7f7f70dbf5bcd0b4f8a889c60bc6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
+Date: Tue, 16 Aug 2016 11:46:41 +0200
+Subject: [PATCH 11/39] SYSDB: Remove the timestamp cache for a newly created
+ cache
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As many users are used to remove the persistent cache without removing
+the timestamp cache, let's throw away the timestamp cache in this case.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/3128
+
+Signed-off-by: Fabiano Fidêncio
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit 9023bf51de6c84337af024388f1860ac1051924c)
+---
+ src/db/sysdb_init.c | 69 ++++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 47 insertions(+), 22 deletions(-)
+
+diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
+index 59934701c4d2b9d770385a202af058404a6d3eb9..c387c1b12c116f38d5a13f1adeac5ef64d593af8 100644
+--- a/src/db/sysdb_init.c
++++ b/src/db/sysdb_init.c
+@@ -511,12 +511,30 @@ done:
+ return ret;
+ }
+
++static errno_t remove_ts_cache(struct sysdb_ctx *sysdb)
++{
++ errno_t ret;
++
++ if (sysdb->ldb_ts_file == NULL) {
++ return EOK;
++ }
++
++ ret = unlink(sysdb->ldb_ts_file);
++ if (ret != EOK && errno != ENOENT) {
++ return errno;
++ }
++
++ return EOK;
++}
++
+ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
++ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ const char *ldb_file,
+ int flags,
+ const char *exp_version,
+ const char *base_ldif,
++ bool *_newly_created,
+ struct ldb_context **_ldb,
+ const char **_version)
+ {
+@@ -527,6 +545,7 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
+ const char *version = NULL;
+ int ret;
+ struct ldb_context *ldb;
++ bool newly_created;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+@@ -592,8 +611,9 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
+- /* The cache has been newly created.
+- * We need to reopen the LDB to ensure that
++ newly_created = true;
++
++ /* We need to reopen the LDB to ensure that
+ * all of the special values take effect
+ * (such as enabling the memberOf plugin and
+ * the various indexes).
+@@ -613,6 +633,9 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
+ }
+ done:
+ if (ret == EOK) {
++ if (_newly_created != NULL) {
++ *_newly_created = newly_created;
++ }
+ *_ldb = talloc_steal(mem_ctx, ldb);
+ }
+ talloc_free(tmp_ctx);
+@@ -625,9 +648,27 @@ static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
+ struct ldb_context **ldb,
+ const char **version)
+ {
+- return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_file,
++ bool newly_created;
++ bool ldb_file_exists;
++ errno_t ret;
++
++ ldb_file_exists = !(access(sysdb->ldb_file, F_OK) == -1 && errno == ENOENT);
++
++ ret = sysdb_cache_connect_helper(mem_ctx, sysdb, domain, sysdb->ldb_file,
+ 0, SYSDB_VERSION, SYSDB_BASE_LDIF,
+- ldb, version);
++ &newly_created, ldb, version);
++
++ /* The cache has been newly created. */
++ if (ret == EOK && newly_created && !ldb_file_exists) {
++ ret = remove_ts_cache(sysdb);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_MINOR_FAILURE,
++ "Could not delete the timestamp ldb file (%d) (%s)\n",
++ ret, sss_strerror(ret));
++ }
++ }
++
++ return ret;
+ }
+
+ static errno_t sysdb_ts_cache_connect(TALLOC_CTX *mem_ctx,
+@@ -636,28 +677,12 @@ static errno_t sysdb_ts_cache_connect(TALLOC_CTX *mem_ctx,
+ struct ldb_context **ldb,
+ const char **version)
+ {
+- return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_ts_file,
++ return sysdb_cache_connect_helper(mem_ctx, sysdb, domain, sysdb->ldb_ts_file,
+ LDB_FLG_NOSYNC, SYSDB_TS_VERSION,
+- SYSDB_TS_BASE_LDIF,
++ SYSDB_TS_BASE_LDIF, NULL,
+ ldb, version);
+ }
+
+-static errno_t remove_ts_cache(struct sysdb_ctx *sysdb)
+-{
+- errno_t ret;
+-
+- if (sysdb->ldb_ts_file == NULL) {
+- return EOK;
+- }
+-
+- ret = unlink(sysdb->ldb_ts_file);
+- if (ret != EOK && errno != ENOENT) {
+- return errno;
+- }
+-
+- return EOK;
+-}
+-
+ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ struct sysdb_dom_upgrade_ctx *upgrade_ctx)
+--
+2.9.3
+
diff --git a/0012-SECRETS-Return-ENOENT-when_deleting-a-non-existent-s.patch b/0012-SECRETS-Return-ENOENT-when_deleting-a-non-existent-s.patch
new file mode 100644
index 0000000..86e1bb6
--- /dev/null
+++ b/0012-SECRETS-Return-ENOENT-when_deleting-a-non-existent-s.patch
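Review bot: `bool newly_created;` in `sysdb_cache_connect_helper()` is declared without an initializer and is only assigned (`newly_created = true;`) on the path where the base LDIF has just been loaded, yet the `done:` block copies it out whenever `ret == EOK` and `_newly_created != NULL`; on the ordinary path where the cache already exists that is a read of an uninitialized variable, which is undefined behaviour even though the `!ldb_file_exists` guard in `sysdb_cache_connect()` masks most of the practical consequences. The declaration should read `bool newly_created = false;` (unless a later patch in this series already initializes it). The `access(sysdb->ldb_file, F_OK)` probe followed by the connect is a check-then-act on the filesystem; it is benign here because `!ldb_file_exists` can only prevent a deletion, but a comment such as `/* Racy by nature: a missed race only skips the ts-cache removal, never deletes wrongly. */` would stop the next reader from flagging it. In `remove_ts_cache()` the test `if (ret != EOK && errno != ENOENT)` mixes `unlink()`'s -1/0 convention with errno values; `if (ret == -1 && errno != ENOENT)` says what is actually being checked.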
@@ -0,0 +1,48 @@
+From 2a287173752a2854df5e4bdb6b27328837be4805 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
+Date: Wed, 17 Aug 2016 13:12:21 +0200
+Subject: [PATCH 12/39] SECRETS: Return ENOENT when_deleting a non-existent
+ secret
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For this, just make use of the sysdb_error_to_errno() function.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/3125
+
+Signed-off-by: Fabiano Fidêncio
+
+Reviewed-by: Lukáš Slebodník
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit c4a3b24dc70fb50c8c0cc5490c29a3755d8b1b73)
+---
+ src/responder/secrets/local.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
+index 17469249b357cbdc5e50ddff6b563fdf2f377577..ac3049b62fa77f69d44ec5792139fe3378afb3f4 100644
+--- a/src/responder/secrets/local.c
++++ b/src/responder/secrets/local.c
+@@ -375,15 +375,10 @@ int local_db_delete(TALLOC_CTX *mem_ctx,
+ int ret;
+ 
+ ret = local_db_dn(mem_ctx, lctx->ldb, req_path, &dn);
+- if (ret != EOK) goto done;
++ if (ret != EOK) return ret;
+ 
+ ret = ldb_delete(lctx->ldb, dn);
+- if (ret != EOK) {
+- ret = EIO;
+- }
+-
+-done:
+- return ret;
++ return sysdb_error_to_errno(ret);
+ }
+ 
+ int local_db_create(TALLOC_CTX *mem_ctx,
+-- 
+2.9.3
+
diff --git a/0013-SPEC-Fix-typo-in-Summary.patch b/0013-SPEC-Fix-typo-in-Summary.patch
new file mode 100644
index 0000000..e7e9ce1
--- /dev/null
+++ b/0013-SPEC-Fix-typo-in-Summary.patch
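Review bot: In local_db_delete the variable `ret` changes error domains mid-function: after `local_db_dn()` it holds an errno, after `ldb_delete()` it holds an LDB_ERR_* code that only the final `sysdb_error_to_errno(ret)` converts, and nothing at the call site says so. A comment on the `ldb_delete` line, `/* LDB_ERR_* code from here on; mapped to errno (ENOENT for a missing secret) on return */`, would keep a later edit from returning or comparing it raw. The early `return ret` on the `local_db_dn()` failure is fine as far as the hunk shows, since nothing is allocated between it and the old `done:` label. The declarations of `dn` and the function's start lie outside the hunk.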
@@ -0,0 +1,27 @@
+From 8fbc37dac506556c53f7fcb63a219af71eeaa9be Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik
+Date: Fri, 19 Aug 2016 18:06:45 +0200
+Subject: [PATCH 13/39] SPEC: Fix typo in Summary
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit afa6891a809db262a49f68913f82a3a6137d8e2e)
+---
+ contrib/sssd.spec.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index 1e058ca63c25513253c4b350d286208f40f6b660..1f79ca7cd0a56dc1ab9c951abe11dc216ef3ad03 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -588,7 +588,7 @@ License: GPLv3+ and LGPLv3+
+ Development libraries for the SSSD libwbclient implementation.
+ 
+ %package winbind-idmap
+-Summary: SSSSD's idmap_sss Backend for Winbind
++Summary: SSSD's idmap_sss Backend for Winbind
+ Group: Applications/System
+ License: GPLv3+ and LGPLv3+
+ 
+-- 
+2.9.3
+
diff --git a/0014-IPA-Parse-qualified-names-when-guessing-AD-user-prin.patch b/0014-IPA-Parse-qualified-names-when-guessing-AD-user-prin.patch
new file mode 100644
index 0000000..fe276e1
--- /dev/null
+++ b/0014-IPA-Parse-qualified-names-when-guessing-AD-user-prin.patch
@@ -0,0 +1,62 @@ +From 82ccc38b4143b996ca9741f3682c2bb1f2694bef Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 9 Aug 2016 22:08:27 +0200 +Subject: [PATCH 14/39] IPA: Parse qualified names when guessing AD user + principal + +Most AD users store their UPN in an attribute. If they don't, or the sssd +was configured (typically in earlier versions to work around a bug) to not +look at the principal attribute, then sssd is supposed to guess +the attribute. + +That currently doesn't work in 1.14, because the username is already +qualified and then we also append the realm name to it. We need to parse +the simple username from the qualified name first. + +The issue can be reproduced simply by authenticating as the Administrator +account in IPA-AD trust setups. + +Resolves: +https://fedorahosted.org/sssd/ticket/3127 + +Reviewed-by: Sumit Bose +(cherry picked from commit 0302e3e7b3b06b809bd63c7911a42ab3e0a7ebf9) +--- + src/providers/ipa/ipa_s2n_exop.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c +index a8c415b4c86ccd3bd3b180c8df835c75420fbb21..07bbb2b4d252c8ca9ada4d890c36c903c9f75773 100644 +--- a/src/providers/ipa/ipa_s2n_exop.c ++++ b/src/providers/ipa/ipa_s2n_exop.c +@@ -1941,6 +1941,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, + struct sss_nss_homedir_ctx homedir_ctx; + char *name = NULL; + char *realm; ++ char *short_name = NULL; + char *upn = NULL; + gid_t gid; + gid_t orig_gid = 0; +@@ -2092,8 +2093,17 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, + ret = ENOMEM; + goto done; + } +- upn = talloc_asprintf(tmp_ctx, "%s@%s", +- attrs->a.user.pw_name, realm); ++ ++ ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name, ++ &short_name, NULL); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Cannot parse internal name %s\n", ++ attrs->a.user.pw_name); ++ goto done; ++ } ++ ++ upn = 
talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm); + if (!upn) { + DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n"); + ret = ENOMEM; +-- +2.9.3 + diff --git a/0015-PROXY-Remove-lowercase-attribute-from-save_user.patch b/0015-PROXY-Remove-lowercase-attribute-from-save_user.patch new file mode 100644 index 0000000..1b90810 --- /dev/null +++ b/0015-PROXY-Remove-lowercase-attribute-from-save_user.patch 
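Review bot: The new `sss_parse_internal_fqname()` call before the UPN `talloc_asprintf` relies on `attrs->a.user.pw_name` always being an internal fully-qualified name; when it is not, the parse fails and the whole `ipa_s2n_save_objects()` call now aborts at CRIT level, whereas per the commit message the old code produced a doubly-qualified UPN instead. That invariant should be written next to the call, e.g. `/* pw_name is already qualified (user@domain); strip the domain part so the realm is appended only once */`, and the failure message should say it is the UPN guess that failed rather than a generic "Cannot parse internal name". Whether a raw-name fallback is preferable to failing the save is a policy question the hunk does not settle; it deserves a sentence in the comment either way. ipa_s2n_save_objects starts and ends outside the hunk.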
@@ -0,0 +1,114 @@ +From 18c3db957a198351f8d3c13c51dff976ad736021 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Wed, 24 Aug 2016 13:16:31 +0200 +Subject: [PATCH 15/39] PROXY: Remove lowercase attribute from save_user() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As this function already receives a struct sss_domain_info * parameter +as argument, we can simply check whether we will need a lowercase name +by accessing domain->case_sensitive. + +Related: +https://fedorahosted.org/sssd/ticket/3134 + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Lukáš Slebodník +(cherry picked from commit 413aef1529fb3d5ed4d0f38e219f5456d7fe3ae0) +--- + src/providers/proxy/proxy_id.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c +index b0c82807b42d91a4212578ca98af7f96484735b1..ff2631c9b493c8c688919139114da5520b428e04 100644 +--- a/src/providers/proxy/proxy_id.c ++++ b/src/providers/proxy/proxy_id.c +@@ -31,7 +31,7 @@ + /* =Getpwnam-wrapper======================================================*/ + + static int save_user(struct sss_domain_info *domain, +- bool lowercase, struct passwd *pwd, const char *real_name, ++ struct passwd *pwd, const char *real_name, + const char *alias, uint64_t cache_timeout); + + static int +@@ -143,8 +143,7 @@ static int get_pw_name(struct proxy_id_ctx *ctx, + } + + /* Both lookups went fine, we can save the user now */ +- ret = save_user(dom, !dom->case_sensitive, pwd, +- real_name, i_name, dom->user_timeout); ++ ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout); + + done: + talloc_zfree(tmpctx); +@@ -224,7 +223,7 @@ delete_user(struct sss_domain_info *domain, + } + + static int save_user(struct sss_domain_info *domain, +- bool lowercase, struct passwd *pwd, const char *real_name, ++ struct passwd *pwd, const char *real_name, + const char *alias, uint64_t 
cache_timeout) + { + const char *shell; +@@ -246,7 +245,7 @@ static int save_user(struct sss_domain_info *domain, + gecos = NULL; + } + +- if (lowercase || alias) { ++ if (!domain->case_sensitive || alias) { + attrs = sysdb_new_attrs(NULL); + if (!attrs) { + DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n"); +@@ -255,7 +254,7 @@ static int save_user(struct sss_domain_info *domain, + } + } + +- if (lowercase) { ++ if (!domain->case_sensitive) { + lc_pw_name = sss_tc_utf8_str_tolower(attrs, real_name); + if (lc_pw_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +@@ -273,7 +272,7 @@ static int save_user(struct sss_domain_info *domain, + } + + if (alias) { +- cased_alias = sss_get_cased_name(attrs, alias, !lowercase); ++ cased_alias = sss_get_cased_name(attrs, alias, domain->case_sensitive); + if (!cased_alias) { + ret = ENOMEM; + goto done; +@@ -366,8 +365,7 @@ static int get_pw_uid(struct proxy_id_ctx *ctx, + pwd->pw_name); + goto done; + } +- ret = save_user(dom, !dom->case_sensitive, pwd, +- name, NULL, dom->user_timeout); ++ ret = save_user(dom, pwd, name, NULL, dom->user_timeout); + + done: + talloc_zfree(tmpctx); +@@ -497,8 +495,7 @@ static int enum_users(TALLOC_CTX *mem_ctx, + pwd->pw_name); + goto done; + } +- ret = save_user(dom, !dom->case_sensitive, pwd, +- name, NULL, dom->user_timeout); ++ ret = save_user(dom, pwd, name, NULL, dom->user_timeout); + if (ret) { + /* Do not fail completely on errors. + * Just report the failure to save and go on */ +@@ -1331,8 +1328,7 @@ static int get_initgr(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = save_user(dom, !dom->case_sensitive, pwd, +- real_name, i_name, dom->user_timeout); ++ ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Could not save user\n"); + goto fail; +-- +2.9.3 + 
diff --git a/0016-PROXY-Remove-cache_timeout-attribute-from-save_user.patch b/0016-PROXY-Remove-cache_timeout-attribute-from-save_user.patch new file mode 100644 index 0000000..abc5c18 --- /dev/null +++ b/0016-PROXY-Remove-cache_timeout-attribute-from-save_user.patch 
@@ -0,0 +1,92 @@ +From 87bce14e200e16b3f6ec9a79333b2a9da0274fbf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Wed, 24 Aug 2016 13:25:44 +0200 +Subject: [PATCH 16/39] PROXY: Remove cache_timeout attribute from save_user() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As this function already receives a struct sss_domain_info * parameter +as argument, we can simply get the cache_timeout attribute by accessing +domain->user_timeout. + +Related: +https://fedorahosted.org/sssd/ticket/3134 + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Lukáš Slebodník +(cherry picked from commit 2537fe318a3866780abca100cf6eb7c258f9d02b) +--- + src/providers/proxy/proxy_id.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c +index ff2631c9b493c8c688919139114da5520b428e04..bdcac66319897981c21e7fd7da7334ee97d010f6 100644 +--- a/src/providers/proxy/proxy_id.c ++++ b/src/providers/proxy/proxy_id.c +@@ -32,7 +32,7 @@ + + static int save_user(struct sss_domain_info *domain, + struct passwd *pwd, const char *real_name, +- const char *alias, uint64_t cache_timeout); ++ const char *alias); + + static int + handle_getpw_result(enum nss_status status, struct passwd *pwd, +@@ -143,7 +143,7 @@ static int get_pw_name(struct proxy_id_ctx *ctx, + } + + /* Both lookups went fine, we can save the user now */ +- ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout); ++ ret = save_user(dom, pwd, real_name, i_name); + + done: + talloc_zfree(tmpctx); +@@ -224,7 +224,7 @@ delete_user(struct sss_domain_info *domain, + + static int save_user(struct sss_domain_info *domain, + struct passwd *pwd, const char *real_name, +- const char *alias, uint64_t cache_timeout) ++ const char *alias) + { + const char *shell; + const char *gecos; +@@ -299,7 +299,7 @@ static int save_user(struct sss_domain_info *domain, + NULL, + attrs, + NULL, 
+- cache_timeout, ++ domain->user_timeout, + 0); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Could not add user to cache\n"); +@@ -365,7 +365,7 @@ static int get_pw_uid(struct proxy_id_ctx *ctx, + pwd->pw_name); + goto done; + } +- ret = save_user(dom, pwd, name, NULL, dom->user_timeout); ++ ret = save_user(dom, pwd, name, NULL); + + done: + talloc_zfree(tmpctx); +@@ -495,7 +495,7 @@ static int enum_users(TALLOC_CTX *mem_ctx, + pwd->pw_name); + goto done; + } +- ret = save_user(dom, pwd, name, NULL, dom->user_timeout); ++ ret = save_user(dom, pwd, name, NULL); + if (ret) { + /* Do not fail completely on errors. + * Just report the failure to save and go on */ +@@ -1328,7 +1328,7 @@ static int get_initgr(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout); ++ ret = save_user(dom, pwd, real_name, i_name); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Could not save user\n"); + goto fail; +-- +2.9.3 + diff --git a/0017-PROXY-Remove-cache_timeout-attribute-from-save_group.patch b/0017-PROXY-Remove-cache_timeout-attribute-from-save_group.patch new file mode 100644 index 0000000..a78130d --- /dev/null +++ b/0017-PROXY-Remove-cache_timeout-attribute-from-save_group.patch 
@@ -0,0 +1,76 @@ +From c919d358561f4b26b4017f4379fc7b9b791f5cd8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Wed, 24 Aug 2016 13:29:17 +0200 +Subject: [PATCH 17/39] PROXY: Remove cache_timeout attribute from save_group() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As this function already receives a struct sss_domain_info * parameter +as argument, we can simply get the cache_timeout attribute by accessing +domain->group_timeout. + +Related: +https://fedorahosted.org/sssd/ticket/3134 + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Lukáš Slebodník +(cherry picked from commit 221d70ae3c5b7bc7384f57ffd3f88f89a3e6ae6a) +--- + src/providers/proxy/proxy_id.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c +index bdcac66319897981c21e7fd7da7334ee97d010f6..c4d68f8e6855941dda386658758c37b4c9080712 100644 +--- a/src/providers/proxy/proxy_id.c ++++ b/src/providers/proxy/proxy_id.c +@@ -558,8 +558,7 @@ static errno_t proxy_process_missing_users(struct sysdb_ctx *sysdb, + static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom, + struct group *grp, + const char *real_name, /* already qualified */ +- const char *alias, /* already qualified */ +- uint64_t cache_timeout) ++ const char *alias) /* already qualified */ + { + errno_t ret, sret; + struct sysdb_attrs *attrs = NULL; +@@ -664,7 +663,7 @@ static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom, + real_name, + grp->gr_gid, + attrs, +- cache_timeout, ++ dom->group_timeout, + now); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Could not add group to cache\n"); +@@ -947,7 +946,7 @@ static int get_gr_name(struct proxy_id_ctx *ctx, + goto done; + } + +- ret = save_group(sysdb, dom, grp, real_name, i_name, dom->group_timeout); ++ ret = save_group(sysdb, dom, grp, real_name, i_name); + if (ret) { + 
DEBUG(SSSDBG_OP_FAILURE, + "Cannot save group [%d]: %s\n", ret, strerror(ret)); +@@ -1032,7 +1031,7 @@ static int get_gr_gid(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = save_group(sysdb, dom, grp, name, NULL, dom->group_timeout); ++ ret = save_group(sysdb, dom, grp, name, NULL); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot save user [%d]: %s\n", ret, strerror(ret)); +@@ -1165,8 +1164,7 @@ static int enum_groups(TALLOC_CTX *mem_ctx, + "Ignoring\n"); + ret = ENOMEM; + } +- ret = save_group(sysdb, dom, grp, name, +- NULL, dom->group_timeout); ++ ret = save_group(sysdb, dom, grp, name, NULL); + if (ret) { + /* Do not fail completely on errors. + * Just report the failure to save and go on */ +-- +2.9.3 + diff --git a/0018-PROXY-Mention-that-save_user-s-parameters-are-alread.patch b/0018-PROXY-Mention-that-save_user-s-parameters-are-alread.patch new file mode 100644 index 0000000..8b54b1b --- /dev/null +++ b/0018-PROXY-Mention-that-save_user-s-parameters-are-alread.patch 
@@ -0,0 +1,40 @@ +From 232b543cb667cbd0769608b4e5c790ab73f4c2b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Wed, 24 Aug 2016 13:32:10 +0200 +Subject: [PATCH 18/39] PROXY: Mention that save_user()'s parameters are + already qualified +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Those comments are similar to what we have in the save_group() function. + +Related: +https://fedorahosted.org/sssd/ticket/3134 + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Lukáš Slebodník +(cherry picked from commit 9900d2b153ebb7d994ccd05275f18b973556d5b3) +--- + src/providers/proxy/proxy_id.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c +index c4d68f8e6855941dda386658758c37b4c9080712..921b5253a5ffe90526c73b8078067d69f83c75e6 100644 +--- a/src/providers/proxy/proxy_id.c ++++ b/src/providers/proxy/proxy_id.c +@@ -223,8 +223,9 @@ delete_user(struct sss_domain_info *domain, + } + + static int save_user(struct sss_domain_info *domain, +- struct passwd *pwd, const char *real_name, +- const char *alias) ++ struct passwd *pwd, ++ const char *real_name, /* already qualified */ ++ const char *alias) /* already qualified */ + { + const char *shell; + const char *gecos; +-- +2.9.3 + diff --git a/0019-PROXY-Share-common-code-of-save_-group-user.patch b/0019-PROXY-Share-common-code-of-save_-group-user.patch new file mode 100644 index 0000000..a927a7b --- /dev/null +++ b/0019-PROXY-Share-common-code-of-save_-group-user.patch 
@@ -0,0 +1,222 @@ +From b05544a1ba3b49a880b14c8c5c9cafa378c86e24 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Wed, 24 Aug 2016 14:28:42 +0200 +Subject: [PATCH 19/39] PROXY: Share common code of save_{group,user}() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +These two functions (save_user() and save_group()) share, between +themselves, the code preparing the attributes that are going to be +stored in the sysdb. + +This patch basically splits this code out of those functions and +introduces the new prepare_attrs_for_saving_ops(). + +Related: +https://fedorahosted.org/sssd/ticket/3134 + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Lukáš Slebodník +(cherry picked from commit 69e8b7fcb9e3dc814a9ffc2a97fa656521cc4505) +--- + src/providers/proxy/proxy_id.c | 155 +++++++++++++++++++---------------------- + 1 file changed, 70 insertions(+), 85 deletions(-) + +diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c +index 921b5253a5ffe90526c73b8078067d69f83c75e6..48f552925447d1f31c4282e89a5994364dbc074d 100644 +--- a/src/providers/proxy/proxy_id.c ++++ b/src/providers/proxy/proxy_id.c +@@ -222,6 +222,68 @@ delete_user(struct sss_domain_info *domain, + return ret; + } + ++static int ++prepare_attrs_for_saving_ops(TALLOC_CTX *mem_ctx, ++ bool case_sensitive, ++ const char *real_name, /* already_qualified */ ++ const char *alias, /* already qualified */ ++ struct sysdb_attrs **attrs) ++{ ++ const char *lc_name = NULL; ++ const char *cased_alias = NULL; ++ errno_t ret; ++ ++ if (!case_sensitive || alias != NULL) { ++ if (*attrs == NULL) { ++ *attrs = sysdb_new_attrs(mem_ctx); ++ if (*attrs == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ } ++ } ++ ++ if (!case_sensitive) { ++ lc_name = sss_tc_utf8_str_tolower(*attrs, real_name); ++ if (lc_name == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to 
lowercase.\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ ret = sysdb_attrs_add_string(*attrs, SYSDB_NAME_ALIAS, lc_name); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ } ++ ++ if (alias != NULL) { ++ cased_alias = sss_get_cased_name(*attrs, alias, case_sensitive); ++ if (cased_alias == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ /* Add the alias only if it differs from lowercased pw_name */ ++ if (lc_name == NULL || strcmp(cased_alias, lc_name) != 0) { ++ ret = sysdb_attrs_add_string(*attrs, SYSDB_NAME_ALIAS, ++ cased_alias); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n"); ++ goto done; ++ } ++ } ++ } ++ ++ ret = EOK; ++done: ++ return ret; ++} ++ + static int save_user(struct sss_domain_info *domain, + struct passwd *pwd, + const char *real_name, /* already qualified */ +@@ -231,8 +293,6 @@ static int save_user(struct sss_domain_info *domain, + const char *gecos; + struct sysdb_attrs *attrs = NULL; + errno_t ret; +- const char *cased_alias; +- const char *lc_pw_name = NULL; + + if (pwd->pw_shell && pwd->pw_shell[0] != '\0') { + shell = pwd->pw_shell; +@@ -246,47 +306,10 @@ static int save_user(struct sss_domain_info *domain, + gecos = NULL; + } + +- if (!domain->case_sensitive || alias) { +- attrs = sysdb_new_attrs(NULL); +- if (!attrs) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n"); +- ret = ENOMEM; +- goto done; +- } +- } +- +- if (!domain->case_sensitive) { +- lc_pw_name = sss_tc_utf8_str_tolower(attrs, real_name); +- if (lc_pw_name == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +- ret = ENOMEM; +- goto done; +- } +- +- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, lc_pw_name); +- if (ret) { +- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n"); +- ret = ENOMEM; +- goto done; +- } +- +- } +- +- if (alias) { +- cased_alias = sss_get_cased_name(attrs, alias, domain->case_sensitive); +- if 
(!cased_alias) { +- ret = ENOMEM; +- goto done; +- } +- +- /* Add the alias only if it differs from lowercased pw_name */ +- if (lc_pw_name == NULL || strcmp(cased_alias, lc_pw_name) != 0) { +- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, cased_alias); +- if (ret) { +- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n"); +- goto done; +- } +- } ++ ret = prepare_attrs_for_saving_ops(NULL, domain->case_sensitive, ++ real_name, alias, &attrs); ++ if (ret != EOK) { ++ goto done; + } + + ret = sysdb_store_user(domain, +@@ -563,8 +586,6 @@ static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom, + { + errno_t ret, sret; + struct sysdb_attrs *attrs = NULL; +- const char *cased_alias; +- const char *lc_gr_name = NULL; + TALLOC_CTX *tmp_ctx; + time_t now = time(NULL); + bool in_transaction = false; +@@ -618,46 +639,10 @@ static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom, + } + } + +- if (dom->case_sensitive == false || alias) { +- if (!attrs) { +- attrs = sysdb_new_attrs(tmp_ctx); +- if (!attrs) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n"); +- ret = ENOMEM; +- goto done; +- } +- } +- } +- +- if (dom->case_sensitive == false) { +- lc_gr_name = sss_tc_utf8_str_tolower(attrs, real_name); +- if (lc_gr_name == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +- ret = ENOMEM; +- goto done; +- } +- +- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, lc_gr_name); +- if (ret != EOK) { +- goto done; +- } +- } +- +- if (alias) { +- cased_alias = sss_get_cased_name(attrs, alias, dom->case_sensitive); +- if (!cased_alias) { +- ret = ENOMEM; +- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n"); +- goto done; +- } +- +- if (lc_gr_name == NULL || strcmp(cased_alias, lc_gr_name)) { +- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, cased_alias); +- if (ret) { +- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n"); +- goto done; +- } +- } ++ ret = 
prepare_attrs_for_saving_ops(tmp_ctx, dom->case_sensitive, ++ real_name, alias, &attrs); ++ if (ret != EOK) { ++ goto done; + } + + ret = sysdb_store_group(dom, +-- +2.9.3 + diff --git a/0020-SYSDB-Fix-uninitialized-scalar-variable.patch b/0020-SYSDB-Fix-uninitialized-scalar-variable.patch new file mode 100644 index 0000000..bb2bdd9 --- /dev/null +++ b/0020-SYSDB-Fix-uninitialized-scalar-variable.patch @@ -0,0 +1,36 @@ +From 007341bedfcc7e356f4bcb1af8b29acab133300a Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Mon, 29 Aug 2016 09:13:49 +0200 +Subject: [PATCH 20/39] SYSDB: Fix uninitialized scalar variable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The boolean variable newly_created could be used uninitialized +in done section in case of failure. The variable was firstly initialized +to true after succesfull execution of function sysdb_cache_create_empty. + +Uninitialized variable usually means true for boolean variable. + +Reviewed-by: Fabiano Fidêncio +(cherry picked from commit 975d0b67a40847265523d195438bf4753d18ff1c) +--- + src/db/sysdb_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c +index c387c1b12c116f38d5a13f1adeac5ef64d593af8..d110aa7a2878e47650db177cfd342d0ac32248ab 100644 +--- a/src/db/sysdb_init.c ++++ b/src/db/sysdb_init.c +@@ -545,7 +545,7 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx, + const char *version = NULL; + int ret; + struct ldb_context *ldb; +- bool newly_created; ++ bool newly_created = false; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { +-- +2.9.3 + diff --git a/0021-BUILD-Add-a-few-more-targets-for-intg-tests.patch b/0021-BUILD-Add-a-few-more-targets-for-intg-tests.patch new file mode 100644 index 0000000..ed238b1 --- /dev/null +++ b/0021-BUILD-Add-a-few-more-targets-for-intg-tests.patch 
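Review bot: The new prepare_attrs_for_saving_ops() overwrites the real error with `ret = ENOMEM;` after the first `sysdb_attrs_add_string(*attrs, SYSDB_NAME_ALIAS, lc_name)` failure, so a non-allocation sysdb error reaches save_user()/save_group() as ENOMEM; the save_group() code this replaces returned `ret` unchanged, and the second `sysdb_attrs_add_string` call in the same function already does the right thing. Drop the `ret = ENOMEM;` line in that branch so the `goto done` propagates the sysdb error code. The function also needs a header comment stating that `*attrs` may be NULL on entry, stays NULL when the domain is case-sensitive and no alias is given, and is otherwise allocated on `mem_ctx` and left for the caller to free on every path (save_user() passes a NULL parent and its `done:` label is outside the hunk). save_user() and save_group() both begin and end outside the hunk.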
@@ -0,0 +1,82 @@ +From 9a3ae9e00405501c964b489ac3415482ba3b3974 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Thu, 18 Aug 2016 16:24:17 +0200 +Subject: [PATCH 21/39] BUILD: Add a few more targets for intg tests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Running "make intgcheck" has been proven to be a bit painful (mainly +when the developer is just writing down a single test case), as it +cleans up the build directory and fireis a new build before, finally, +run the tests. + +In order to make it a little less painful, let's break the whole +operation into 3 new targets: + intgcheck-{prepare,run,clean}. + +As expected, "make intgcheck" calls these 3 new operations in the same +order they were presented, not changing then the current behavior. + +Each operation will trigger the previous one in case there is no +"$$prefix" directory created and the directory is _only_ created in the +very first operation (intghcheck-prepare). + +A note must be done about how to run a simple test file or a simple test +from a test file when running "make intgcheck-run". The option always +been here but only makes sense now that we have the intgcheck split in a +few useful steps. 
See the examples below (and for more detailed +information, check the py.test documentation): + #Run a single file + make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_netgroup.py" + #Run a single test from a single file + make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_add_empty_netgroup" + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Lukáš Slebodník +(cherry picked from commit 6159c33125f8ee82e88d495ea2aa5d00018ea844) +--- + Makefile.am | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 6219682de0d1fd4b3a813ee2f95b8185531e62bf..6299ac7a7bf1c2ed41dfeeda7063c8901214941a 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -3076,7 +3076,7 @@ endif + # Integration tests # + ##################### + +-intgcheck: ++intgcheck-prepare: + echo "temporarily disabled" + set -e; \ + rm -Rf intg; \ +@@ -3096,10 +3096,23 @@ intgcheck: + $(MAKE) $(AM_MAKEFLAGS) -j1 install; \ + : Remove .la files from LDB module directory to avoid loader warnings; \ + rm "$$prefix"/lib/ldb/*.la; \ ++ cd ../.. ++ ++intgcheck-run: ++ if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-build; fi; \ ++ cd intg/bld; \ + $(MAKE) $(AM_MAKEFLAGS) -C src/tests/intg intgcheck-installed; \ +- cd ../..; \ ++ cd ../.. ++ ++intgcheck-clean: ++ prefix=`readlink -e intg/pfx`; \ + rm -Rf "$$prefix" intg + ++intgcheck: ++ $(MAKE) intgcheck-prepare ++ $(MAKE) intgcheck-run ++ $(MAKE) intgcheck-clean ++ + #################### + # Client Libraries # + #################### +-- +2.9.3 + diff --git a/0022-BUILD-Clean-up-prerelease-targets.patch b/0022-BUILD-Clean-up-prerelease-targets.patch new file mode 100644 index 0000000..251278d --- /dev/null +++ b/0022-BUILD-Clean-up-prerelease-targets.patch 
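Review bot: The new `intgcheck-run` recipe has no `set -e`, so when `$(MAKE) $(AM_MAKEFLAGS) -C src/tests/intg intgcheck-installed` fails the shell continues to the trailing `cd ../..`, which succeeds and makes the target (and therefore `make intgcheck`) report success despite failing tests; the monolithic `intgcheck` recipe it replaces was covered by its leading `set -e; \`. Start the recipe with `set -e; \` before the `if [ ! -d intg/pfx ]` line, or join the commands with `&&`. The same applies to `intgcheck-clean`, where `readlink -e intg/pfx` yields an empty `$$prefix` when the directory is missing and the error is silently ignored. The `intgcheck-build` name on the `if` line is corrected by a later patch in this series.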
@@ -0,0 +1,60 @@ +From 557e0e8c28a77b423a3746168a3be8e8a8d5462d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Wed, 17 Aug 2016 21:08:23 +0200 +Subject: [PATCH 22/39] BUILD: Clean up prerelease targets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Clean up the pre-release targets in order to avoid lines exceeding 80 +characters. + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Lukáš Slebodník +(cherry picked from commit 01d970a8afa6ffed82b3e8dda96e08118222e16e) +--- + Makefile.am | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 6299ac7a7bf1c2ed41dfeeda7063c8901214941a..4a56d8b0a3ea49c9fae35bf5717871ea515813b8 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -4202,6 +4202,14 @@ rpmroot: + $(MKDIR_P) $(RPMBUILD)/SPECS + $(MKDIR_P) $(RPMBUILD)/SRPMS + ++# pre-release related vars ++ ++PR_VERSION_DATE := $(shell date +%Y%m%d.%H%M) ++PR_VERSION_COMMIT_HASH := $(shell git log -1 --pretty=format:%h) ++PR_VERSION_NUMBER = $(PR_VERSION_DATE).git$(PR_VERSION_COMMIT_HASH) ++PR_VERSION_REGEX = m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\]) ++PR_VERSION_REPL = m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.$(PR_VERSION_NUMBER)\]) ++ + rpmbrprep: dist-gzip rpmroot + if GIT_CHECKOUT + # When we're building RPMs from a git checkout, +@@ -4219,7 +4227,8 @@ rpms: rpmbrprep + if GIT_CHECKOUT + prerelease-rpms: + cp $(srcdir)/version.m4 $(srcdir)/version.m4.orig +- sed -e "s/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\])/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.`date +%Y%m%d.%H%M`.git`git log -1 --pretty=format:%h`\])/" < $(srcdir)/version.m4.orig > $(srcdir)/version.m4 ++ sed -e "s/$(PR_VERSION_REGEX)/$(PR_VERSION_REPL)/" \ ++ < $(srcdir)/version.m4.orig > $(srcdir)/version.m4 + $(MAKE) rpms + mv $(srcdir)/version.m4.orig $(srcdir)/version.m4 + endif +@@ -4234,7 +4243,8 @@ srpm: rpmbrprep + if GIT_CHECKOUT + prerelease-srpm: + cp 
$(srcdir)/version.m4 $(srcdir)/version.m4.orig +- sed -e "s/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\])/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.`date +%Y%m%d.%H%M`.git`git log -1 --pretty=format:%h`\])/" < $(srcdir)/version.m4.orig > $(srcdir)/version.m4 ++ sed -e "s/$(PR_VERSION_REGEX)/$(PR_VERSION_REPL)/" \ ++ < $(srcdir)/version.m4.orig > $(srcdir)/version.m4 + $(MAKE) srpm + mv $(srcdir)/version.m4.orig $(srcdir)/version.m4 + endif +-- +2.9.3 + diff --git a/0023-BUILD-Fix-typo-in-intgcheck-run-rule.patch b/0023-BUILD-Fix-typo-in-intgcheck-run-rule.patch new file mode 100644 index 0000000..647a5a3 --- /dev/null +++ b/0023-BUILD-Fix-typo-in-intgcheck-run-rule.patch @@ -0,0 +1,34 @@ +From 665ef221b1c2144a78ed9f98263bb8b9acce6f6d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Mon, 29 Aug 2016 16:01:59 +0200 +Subject: [PATCH 23/39] BUILD: Fix typo in intgcheck-run rule +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +During the review process "intgcheck-build" ended up being merged to the +"intgcheck-prepare" rule. + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Lukáš Slebodník +(cherry picked from commit 9639cf410dd6ba9670748535811f061e0c475bc6) +--- + Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 4a56d8b0a3ea49c9fae35bf5717871ea515813b8..25a81b93b8881ec6dfa18397ddcc3430e6a3ebd0 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -3099,7 +3099,7 @@ intgcheck-prepare: + cd ../.. + + intgcheck-run: +- if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-build; fi; \ ++ if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-prepare; fi; \ + cd intg/bld; \ + $(MAKE) $(AM_MAKEFLAGS) -C src/tests/intg intgcheck-installed; \ + cd ../.. +-- +2.9.3 + diff --git a/0024-BUILD-Remove-leftover-after-sysdb-refactoring.patch b/0024-BUILD-Remove-leftover-after-sysdb-refactoring.patch new file mode 100644 index 0000000..8273d65 --- /dev/null 
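Review bot: `PR_VERSION_DATE` and `PR_VERSION_COMMIT_HASH` are defined with `:=` at top level, outside the `if GIT_CHECKOUT` conditional that guards the only two targets using them, so `date` and `git log -1 --pretty=format:%h` now run at parse time on every make invocation, including builds from a release tarball with no `.git`, where `git log` fails and prints to stderr on every `make`. Move the definitions inside an `if GIT_CHECKOUT` block or make the two of them deferred with `=` so they expand only when `prerelease-rpms` or `prerelease-srpm` runs. Note also that with `:=` the timestamp is captured once per make run rather than when the sed line executes, which is harmless but differs from the removed inline backticks and is worth a comment next to the variables.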
+++ b/0024-BUILD-Remove-leftover-after-sysdb-refactoring.patch @@ -0,0 +1,29 @@ +From ce87fa6dd3fb47f28f9e80b730c50f23b099e835 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Mon, 29 Aug 2016 17:50:17 +0200 +Subject: [PATCH 24/39] BUILD: Remove leftover after sysdb refactoring +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Fabiano Fidêncio +(cherry picked from commit 4229ffb929bd7029f8b94d92099032d3350f5cf4) +--- + Makefile.am | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 25a81b93b8881ec6dfa18397ddcc3430e6a3ebd0..f89af5a9d6d26c732574aa3651de8c175f538b28 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -3077,7 +3077,6 @@ endif + ##################### + + intgcheck-prepare: +- echo "temporarily disabled" + set -e; \ + rm -Rf intg; \ + $(MKDIR_P) intg/bld; \ +-- +2.9.3 + diff --git a/0025-MONITOR-Remove-the-no-longer-used-diag_cmd-command.patch b/0025-MONITOR-Remove-the-no-longer-used-diag_cmd-command.patch new file mode 100644 index 0000000..1e56dca --- /dev/null +++ b/0025-MONITOR-Remove-the-no-longer-used-diag_cmd-command.patch 
@@ -0,0 +1,239 @@ +From 854db7ed3fc4c0c58b1df0f93bb5b896eea417e8 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Sun, 8 May 2016 14:41:35 +0200 +Subject: [PATCH 25/39] MONITOR: Remove the no longer used diag_cmd command +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +After introducing the watchdog, the diag_cmd is longer used and makes no +sense trying to make it usable by watchdog as the result of "pstack %p" +seems next to useless in this context. + +Related: +https://fedorahosted.org/sssd/ticket/3051 + +Reviewed-by: Petr Čech +(cherry picked from commit 1620f435dbe7013f985128dcdf001e9158cb00e3) +--- + src/confdb/confdb.h | 1 - + src/monitor/monitor.c | 163 -------------------------------------------------- + 2 files changed, 164 deletions(-) + +diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h +index 72adbd80ea534eb0becd3e517c00b0c26d00444c..58a085ba954cf75a5c756d6f8fbd04e6fa49a687 100644 +--- a/src/confdb/confdb.h ++++ b/src/confdb/confdb.h +@@ -73,7 +73,6 @@ + #define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix" + #define CONFDB_MONITOR_OVERRIDE_SPACE "override_space" + #define CONFDB_MONITOR_USER_RUNAS "user" +-#define CONFDB_MONITOR_PRE_KILL_CMD "diag_cmd" + #define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification" + + /* Both monitor and domains */ +diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c +index 7a9ef569bbd565d6240cebed8493d0bd85aba89e..f97b2a960b1835540357714b608feac54c2d72c5 100644 +--- a/src/monitor/monitor.c ++++ b/src/monitor/monitor.c +@@ -112,7 +112,6 @@ struct mt_svc { + char *identity; + pid_t pid; + +- char *diag_cmd; + int kill_time; + + struct tevent_timer *kill_timer; +@@ -373,77 +372,6 @@ static int add_svc_conn_spy(struct mt_svc *svc) + return EOK; + } + +-static char *expand_diag_cmd(struct mt_svc *svc, +- const char *template) +-{ +- TALLOC_CTX *tmp_ctx = NULL; +- char *copy; +- char *p_copy; +- char *n; +- char *result = NULL; +- char action; +- 
char *res = NULL; +- +- if (template == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Missing template.\n"); +- return NULL; +- } +- +- tmp_ctx = talloc_new(NULL); +- if (!tmp_ctx) return NULL; +- +- copy = talloc_strdup(tmp_ctx, template); +- if (copy == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); +- goto done; +- } +- +- result = talloc_strdup(tmp_ctx, ""); +- if (result == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); +- goto done; +- } +- +- p_copy = copy; +- while ((n = strchr(p_copy, '%')) != NULL) { +- *n = '\0'; +- n++; +- if ( *n == '\0' ) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "format error, single %% at the end of the template.\n"); +- goto done; +- } +- +- action = *n; +- switch (action) { +- case 'p': +- result = talloc_asprintf_append(result, "%s%d", p_copy, svc->pid); +- break; +- default: +- DEBUG(SSSDBG_CRIT_FAILURE, +- "format error, unknown template [%%%c].\n", *n); +- goto done; +- } +- +- if (result == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n"); +- goto done; +- } +- +- p_copy = n + 1; +- } +- +- result = talloc_asprintf_append(result, "%s", p_copy); +- if (result == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n"); +- goto done; +- } +- +- res = talloc_move(svc, &result); +-done: +- talloc_zfree(tmp_ctx); +- return res; +-} + + static void svc_child_info(struct mt_svc *svc, int wait_status) + { +@@ -467,82 +395,6 @@ static void svc_child_info(struct mt_svc *svc, int wait_status) + } + } + +-static void svc_diag_cmd_exit_handler(int pid, int wait_status, void *pvt) +-{ +- struct mt_svc *svc = talloc_get_type(pvt, struct mt_svc); +- +- svc_child_info(svc, wait_status); +-} +- +-static void svc_run_diag_cmd(struct mt_svc *svc) +-{ +- pid_t pkc_pid; +- char **args; +- int ret; +- int debug_fd; +- char *diag_cmd; +- struct sss_child_ctx *diag_child_ctx; +- +- if (svc->diag_cmd == NULL) { +- return; +- } +- +- pkc_pid = fork(); +- if (pkc_pid != 0) { +- /* parent, 
schedule SIGKILL */ +- +- ret = sss_child_register(svc, +- svc->mt_ctx->sigchld_ctx, +- pkc_pid, +- svc_diag_cmd_exit_handler, +- svc, +- &diag_child_ctx); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot register child %d\n", pkc_pid); +- /* Try to go on ... */ +- } +- +- return; +- } +- +- /* child, execute diagnostics */ +- diag_cmd = expand_diag_cmd(svc, svc->diag_cmd); +- if (diag_cmd == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to expand [%s]\n", svc->diag_cmd); +- _exit(1); +- } +- +- if (debug_level >= SSSDBG_TRACE_LIBS) { +- debug_fd = get_fd_from_debug_file(); +- ret = dup2(debug_fd, STDERR_FILENO); +- if (ret == -1) { +- ret = errno; +- DEBUG(SSSDBG_MINOR_FAILURE, +- "dup2 failed for stderr [%d][%s].\n", ret, sss_strerror(ret)); +- /* failure to redirect stderr is not fatal */ +- } +- +- ret = dup2(debug_fd, STDOUT_FILENO); +- if (ret == -1) { +- ret = errno; +- DEBUG(SSSDBG_MINOR_FAILURE, +- "dup2 failed for stdout [%d][%s].\n", ret, sss_strerror(ret)); +- /* failure to redirect stdout is not fatal */ +- } +- } +- +- args = parse_args(diag_cmd); +- execvp(args[0], args); +- +- /* If we are here, exec() has failed +- * Print errno and abort quickly */ +- ret = errno; +- DEBUG(SSSDBG_FATAL_FAILURE, +- "Could not exec %s, reason: %s\n", svc->diag_cmd, strerror(ret)); +- _exit(1); +-} +- + static int mark_service_as_started(struct mt_svc *svc) + { + struct mt_ctx *ctx = svc->mt_ctx; +@@ -712,8 +564,6 @@ static int monitor_kill_service (struct mt_svc *svc) + return EOK; + } + +- svc_run_diag_cmd(svc); +- + /* Set up a timer to send SIGKILL if this process + * doesn't exit within the configured interval + */ +@@ -1147,19 +997,6 @@ static errno_t get_kill_config(struct mt_ctx *ctx, const char *path, + { + errno_t ret; + +- ret = confdb_get_string(ctx->cdb, svc, path, +- CONFDB_MONITOR_PRE_KILL_CMD, +- NULL, &svc->diag_cmd); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to get diagnostics command for %s\n", svc->name); +- return 
ret; +- } +- if (svc->diag_cmd) { +- DEBUG(SSSDBG_CONF_SETTINGS, +- "Diagnostics command: [%s]\n", svc->diag_cmd); +- } +- + ret = confdb_get_int(ctx->cdb, path, + CONFDB_SERVICE_FORCE_TIMEOUT, + MONITOR_DEF_FORCE_TIME, &svc->kill_time); +-- +2.9.3 + diff --git a/0026-MONITOR-Remove-the-no-longer-used-kill_service-comma.patch b/0026-MONITOR-Remove-the-no-longer-used-kill_service-comma.patch new file mode 100644 index 0000000..ea46440 --- /dev/null +++ b/0026-MONITOR-Remove-the-no-longer-used-kill_service-comma.patch 
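Review bot: The removal of expand_diag_cmd() in the `@@ -373,77 +372,6 @@` hunk leaves two consecutive blank lines between add_svc_conn_spy() and svc_child_info(), because the blank context line on each side of the deleted block survives; dropping one of them keeps the file's single-blank-line spacing. The config-schema leftovers for `diag_cmd` (cfg_rules.ini, sssd.api.conf, SSSDConfig) are not touched here but are handled later in this series by 0033, so nothing more is needed on that front. For the changelog it is worth stating that this patch also deletes svc_run_diag_cmd(), a fork()/execvp() of an administrator-supplied command string run from the monitor, since that is a visible behaviour change for anyone who had diag_cmd configured.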
@@ -0,0 +1,289 @@ +From 10e635167418fdf7a896b2cb3d095fd345053103 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Sun, 8 May 2016 14:46:25 +0200 +Subject: [PATCH 26/39] MONITOR: Remove the no longer used kill_service command +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +After introducing the watchdog, the force_timeout option is no longer +used. + +Resolves: +https://fedorahosted.org/sssd/ticket/3052 + +Reviewed-by: Petr Čech +(cherry picked from commit fa93cd0f0fc75a6d635079e67788f8a9fe183c3c) +--- + src/confdb/confdb.h | 1 - + src/man/sssd.conf.5.xml | 33 ------------ + src/monitor/monitor.c | 141 ------------------------------------------------ + 3 files changed, 175 deletions(-) + +diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h +index 58a085ba954cf75a5c756d6f8fbd04e6fa49a687..401e5fbf7ed6bb9e8d7158dfab378c8159aa03db 100644 +--- a/src/confdb/confdb.h ++++ b/src/confdb/confdb.h +@@ -58,7 +58,6 @@ + #define CONFDB_SERVICE_DEBUG_TIMESTAMPS "debug_timestamps" + #define CONFDB_SERVICE_DEBUG_MICROSECONDS "debug_microseconds" + #define CONFDB_SERVICE_DEBUG_TO_FILES "debug_to_files" +-#define CONFDB_SERVICE_FORCE_TIMEOUT "force_timeout" + #define CONFDB_SERVICE_RECON_RETRIES "reconnection_retries" + #define CONFDB_SERVICE_FD_LIMIT "fd_limit" + #define CONFDB_SERVICE_ALLOWED_UIDS "allowed_uids" +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index e95a7e7e213e07c15e79185730d481e5afceb69c..ae291e0fc8f2f9afabcdf32f18a5ec12252bbbbf 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -549,22 +549,6 @@ + + + +- force_timeout (integer) +- +- +- If a service is not responding to ping checks (see +- the timeout option), it is first sent +- the SIGTERM signal that instructs it to quit gracefully. +- If the service does not terminate after force_timeout +- seconds, the monitor will forcibly shut it down by +- sending a SIGKILL signal. 
+- +- +- Default: 60 +- +- +- +- + offline_timeout (integer) + + +@@ -1453,23 +1437,6 @@ pam_account_locked_message = Account locked, please contact help desk. + + + +- force_timeout (integer) +- +- +- If a service is not responding to ping checks (see +- the timeout option), it is first sent +- the SIGTERM signal that instructs it to quit gracefully. +- If the service does not terminate after force_timeout +- seconds, the monitor will forcibly shut it down by +- sending a SIGKILL signal. +- +- +- Default: 60 +- +- +- +- +- + entry_cache_timeout (integer) + + +diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c +index f97b2a960b1835540357714b608feac54c2d72c5..1f89c5a79feab8a921ce2f9132763b37ab506596 100644 +--- a/src/monitor/monitor.c ++++ b/src/monitor/monitor.c +@@ -114,8 +114,6 @@ struct mt_svc { + + int kill_time; + +- struct tevent_timer *kill_timer; +- + bool svc_started; + + int restarts; +@@ -176,8 +174,6 @@ static int monitor_service_init(struct sbus_connection *conn, void *data); + + static int service_signal_reset_offline(struct mt_svc *svc); + +-static int monitor_kill_service (struct mt_svc *svc); +- + static int get_service_config(struct mt_ctx *ctx, const char *name, + struct mt_svc **svc_cfg); + static int get_provider_config(struct mt_ctx *ctx, const char *name, +@@ -542,95 +538,6 @@ static int monitor_dbus_init(struct mt_ctx *ctx) + } + + static void monitor_restart_service(struct mt_svc *svc); +-static void mt_svc_sigkill(struct tevent_context *ev, +- struct tevent_timer *te, +- struct timeval t, void *ptr); +-static int monitor_kill_service (struct mt_svc *svc) +-{ +- int ret; +- struct timeval tv; +- +- ret = kill(svc->pid, SIGTERM); +- if (ret == -1) { +- ret = errno; +- DEBUG(SSSDBG_FATAL_FAILURE, +- "Sending signal to child (%s:%d) failed: [%d]: %s! " +- "Ignore and pretend child is dead.\n", +- svc->name, svc->pid, ret, strerror(ret)); +- /* The only thing we can try here is to launch a new process +- * and hope that it works. 
+- */ +- monitor_restart_service(svc); +- return EOK; +- } +- +- /* Set up a timer to send SIGKILL if this process +- * doesn't exit within the configured interval +- */ +- tv = tevent_timeval_current_ofs(svc->kill_time, 0); +- svc->kill_timer = tevent_add_timer(svc->mt_ctx->ev, +- svc, +- tv, +- mt_svc_sigkill, +- svc); +- if (svc->kill_timer == NULL) { +- /* Nothing much we can do */ +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to allocate timed event: mt_svc_sigkill.\n"); +- /* We'll just have to hope that the SIGTERM succeeds */ +- } +- return EOK; +-} +- +-static void mt_svc_sigkill(struct tevent_context *ev, +- struct tevent_timer *te, +- struct timeval t, void *ptr) +-{ +- int ret; +- struct mt_svc *svc = talloc_get_type(ptr, struct mt_svc); +- +- DEBUG(SSSDBG_FATAL_FAILURE, +- "[%s][%d] is not responding to SIGTERM. Sending SIGKILL.\n", +- svc->name, svc->pid); +- sss_log(SSS_LOG_ERR, +- "[%s][%d] is not responding to SIGTERM. Sending SIGKILL.\n", +- svc->name, svc->pid); +- +- /* timer was succesfully executed and it will be released by tevent */ +- svc->kill_timer = NULL; +- +- ret = kill(svc->pid, SIGKILL); +- if (ret != EOK) { +- ret = errno; +- DEBUG(SSSDBG_FATAL_FAILURE, +- "Sending signal to child (%s:%d) failed! " +- "Ignore and pretend child is dead.\n", +- svc->name, svc->pid); +- +- if (ret == ESRCH) { +- /* The process doesn't exist +- * This most likely means we hit a race where +- * the SIGTERM concluded just after the timer +- * fired but before we called kill() here. +- * We'll just do nothing, since the +- * mt_svc_exit_handler() should be doing the +- * necessary work. +- */ +- return; +- } +- +- /* Something went really wrong. +- * The only thing we can try here is to launch a new process +- * and hope that it works. 
+- */ +- monitor_restart_service(svc); +- } +- +- /* The process should terminate immediately and then be +- * restarted by the mt_svc_exit_handler() +- */ +- return; +-} + + static void reload_reply(DBusPendingCall *pending, void *data) + { +@@ -708,7 +615,6 @@ static int service_signal(struct mt_svc *svc, const char *svc_signal) + DEBUG(SSSDBG_FATAL_FAILURE, + "Out of memory trying to allocate memory to invoke: %s\n", + svc_signal); +- monitor_kill_service(svc); + return ENOMEM; + } + +@@ -992,32 +898,6 @@ static int get_monitor_config(struct mt_ctx *ctx) + return EOK; + } + +-static errno_t get_kill_config(struct mt_ctx *ctx, const char *path, +- struct mt_svc *svc) +-{ +- errno_t ret; +- +- ret = confdb_get_int(ctx->cdb, path, +- CONFDB_SERVICE_FORCE_TIMEOUT, +- MONITOR_DEF_FORCE_TIME, &svc->kill_time); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to get kill timeout for %s\n", svc->name); +- return ret; +- } +- +- /* 'force_timeout = 0' should be translated to the default */ +- if (svc->kill_time == 0) { +- svc->kill_time = MONITOR_DEF_FORCE_TIME; +- } +- +- DEBUG(SSSDBG_CONF_SETTINGS, +- "Time between SIGTERM and SIGKILL for [%s]: [%d]\n", +- svc->name, svc->kill_time); +- +- return EOK; +-} +- + /* This is a temporary function that returns false if the service + * being started was only tested when running as root. 
+ */ +@@ -1154,14 +1034,6 @@ static int get_service_config(struct mt_ctx *ctx, const char *name, + } + } + +- ret = get_kill_config(ctx, path, svc); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to get kill timeouts for %s\n", svc->name); +- talloc_free(svc); +- return ret; +- } +- + svc->last_restart = now; + + *svc_cfg = svc; +@@ -1249,14 +1121,6 @@ static int get_provider_config(struct mt_ctx *ctx, const char *name, + return ret; + } + +- ret = get_kill_config(ctx, path, svc); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to get kill timeouts for %s\n", svc->name); +- talloc_free(svc); +- return ret; +- } +- + talloc_free(path); + + /* if no provider is present do not run the domain */ +@@ -2540,11 +2404,6 @@ static void mt_svc_exit_handler(int pid, int wait_status, void *pvt) + "SIGCHLD handler of service %s called\n", svc->name); + svc_child_info(svc, wait_status); + +- /* Clear the kill_timer so we don't try to SIGKILL it after it's +- * already gone. +- */ +- talloc_zfree(svc->kill_timer); +- + /* Check the number of restart tries and relaunch the service */ + monitor_restart_service(svc); + +-- +2.9.3 + diff --git a/0027-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch b/0027-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch new file mode 100644 index 0000000..b141bc5 --- /dev/null +++ b/0027-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch 
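Review bot: `int kill_time;` in struct mt_svc survives the `@@ -114,8 +114,6 @@` hunk, yet with get_kill_config() and monitor_kill_service() removed nothing in the shown hunks assigns or reads it any more; it should go together with the kill_timer member, and MONITOR_DEF_FORCE_TIME, whose only visible user was get_kill_config(), looks like the same kind of leftover (other uses outside these hunks cannot be ruled out from here). In service_signal() the ENOMEM path now returns without any recovery action where it previously called monitor_kill_service(); if the intent is that the watchdog now covers a wedged service, a one-line comment such as `/* no recovery here: the watchdog handles an unresponsive service */` would record that decision next to the `return ENOMEM;`. Both service_signal() and mt_svc_exit_handler() continue outside their hunks.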
@@ -0,0 +1,44 @@ +From e293e3a1418e95560498f29147c4e5b1be0b729a Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Mon, 15 Aug 2016 12:54:20 +0200 +Subject: [PATCH 27/39] WATCHDOG: define and use _MAX_TICKS as 3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Instead of using the number 3 directly, let's introduce and use +WATCHDOG_MAX_TICKS. + +Reviewed-by: Petr Čech +(cherry picked from commit d7075a255a1f28e890539072e06d0140ffe0927c) +--- + src/util/util_watchdog.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c +index 1c27d73f13b3042ecb549a2184e1368e8339d199..c184fbd759bdbca4a9eae379ff0d87e2d1628470 100644 +--- a/src/util/util_watchdog.c ++++ b/src/util/util_watchdog.c +@@ -22,6 +22,7 @@ + #include "util/util.h" + + #define WATCHDOG_DEF_INTERVAL 10 ++#define WATCHDOG_MAX_TICKS 3 + + /* this is intentionally a global variable */ + struct watchdog_ctx { +@@ -75,9 +76,8 @@ static void watchdog_handler(int sig) + return; + } + +- /* if 3 ticks passed by kills itself */ +- +- if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > 3) { ++ /* if a pre-defined number of ticks passed by kills itself */ ++ if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Watchdog timer overflow, killing process!\n"); + orderly_shutdown(1); +-- +2.9.3 + diff --git a/0028-PROXY-Use-right-name-in-ldap-filter.patch b/0028-PROXY-Use-right-name-in-ldap-filter.patch new file mode 100644 index 0000000..813ff74 --- /dev/null +++ b/0028-PROXY-Use-right-name-in-ldap-filter.patch 
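Review bot: WATCHDOG_MAX_TICKS is introduced without a comment saying what is being counted or that the comparison is strict, so the handler actually calls orderly_shutdown() when the counter reaches WATCHDOG_MAX_TICKS + 1, not on the third tick as the name suggests. A comment beside the define such as `/* ticks the counter may reach before watchdog_handler() shuts the process down; the check is '>' so shutdown happens at WATCHDOG_MAX_TICKS + 1 */` would make that explicit. The rewritten comment `if a pre-defined number of ticks passed by kills itself` is also ungrammatical; `/* shut down once more than WATCHDOG_MAX_TICKS ticks have accumulated */` reads better. watchdog_handler() continues outside the hunk.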
@@ -0,0 +1,52 @@ +From f7c519962070d797822c960d297f7de7fa42426a Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Fri, 26 Aug 2016 14:57:22 +0200 +Subject: [PATCH 28/39] PROXY: Use right name in ldap filter + +We used internal fq name in ldap filter +with id_provider proxy to files and auth provider +ldap + +[sssd[be[LDAP]]] [sdap_get_generic_ext_step] + (0x0400): calling ldap_search_ext with + [(&(uid=testuser1@ldap)(objectclass=posixAccount))][dc=example,dc=com]. + +Reviewed-by: Jakub Hrozek +(cherry picked from commit b4c6060b10b14257e6f01038ae44e46c5a429f33) +--- + src/providers/ldap/ldap_auth.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c +index 35f16b0d4a6f8e566b0cf63b65ba46f31e7c1bcd..00d38284e428eea42254820fd08ee4fb125235a6 100644 +--- a/src/providers/ldap/ldap_auth.c ++++ b/src/providers/ldap/ldap_auth.c +@@ -361,7 +361,7 @@ shadow_fail: + + /* ==Get-User-DN========================================================== */ + struct get_user_dn_state { +- const char *username; ++ char *username; + + char *orig_dn; + }; +@@ -386,9 +386,14 @@ static struct tevent_req *get_user_dn_send(TALLOC_CTX *memctx, + req = tevent_req_create(memctx, &state, struct get_user_dn_state); + if (!req) return NULL; + +- state->username = username; ++ ret = sss_parse_internal_fqname(state, username, ++ &state->username, NULL); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot parse %s\n", username); ++ goto done; ++ } + +- ret = sss_filter_sanitize(state, username, &clean_name); ++ ret = sss_filter_sanitize(state, state->username, &clean_name); + if (ret != EOK) { + goto done; + } +-- +2.9.3 + diff --git a/0029-SECRETS-Make-internal-function-static.patch b/0029-SECRETS-Make-internal-function-static.patch new file mode 100644 index 0000000..fbab4f1 --- /dev/null +++ b/0029-SECRETS-Make-internal-function-static.patch 
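Review bot: The new `goto done` after sss_parse_internal_fqname() relies on the `done:` label, which lies outside the hunk, to fail the already-created req with that ret and post it; since get_user_dn_send() returns req to its caller, that path deserves a check. If sss_parse_internal_fqname() rejects names that carry no domain component, any caller of get_user_dn_send() that still hands in an unqualified name would now fail where it previously worked, so it is worth confirming every caller passes an internal fully-qualified name. The parsed short name still goes through sss_filter_sanitize() before it reaches the LDAP filter, so the change does not weaken the existing filter-injection protection. get_user_dn_send() continues outside the hunk.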
@@ -0,0 +1,31 @@ +From 2dc376b266eb5f3b3aecc980f1a854eeac7d151b Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 16 Aug 2016 20:53:19 +0200 +Subject: [PATCH 29/39] SECRETS: Make internal function static +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Pavel Březina +(cherry picked from commit cf902c2b247c1b5793ae0ba58fd2dcbb0f78b686) +--- + src/responder/secrets/providers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/responder/secrets/providers.c b/src/responder/secrets/providers.c +index 8d815b4837ce71bac648f38a6a8956771dd0520d..4c601988696dac7856cb1c1eb27264180a9347f9 100644 +--- a/src/responder/secrets/providers.c ++++ b/src/responder/secrets/providers.c +@@ -24,7 +24,8 @@ + #include "responder/secrets/secsrv_proxy.h" + #include + +-int sec_map_url_to_user_path(struct sec_req_ctx *secreq, char **mapped_path) ++static int sec_map_url_to_user_path(struct sec_req_ctx *secreq, ++ char **mapped_path) + { + uid_t c_euid; + +-- +2.9.3 + diff --git a/0030-SECRETS-Make-reading-the-config-options-more-uniform.patch b/0030-SECRETS-Make-reading-the-config-options-more-uniform.patch new file mode 100644 index 0000000..28be190 --- /dev/null +++ b/0030-SECRETS-Make-reading-the-config-options-more-uniform.patch 
@@ -0,0 +1,34 @@ +From e099a2654aa25f98a5f9e7a0e1f0820e8322c372 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 16 Aug 2016 20:59:30 +0200 +Subject: [PATCH 30/39] SECRETS: Make reading the config options more uniform +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +One of confdb_get_ calls in sec_get_config() used a variable referenced +from rctx, the other used a hardcoded string. Use one of them on both +places instead. + +Reviewed-by: Pavel Březina +(cherry picked from commit ff35d4ffe5eedcb484deb7ef1a04c02c19e634c9) +--- + src/responder/secrets/secsrv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c +index 6f8052bdf25fe903683d6b26d92b2a4c31743470..eb194a179ae5e3a48547fb00a038f31b8e0264cd 100644 +--- a/src/responder/secrets/secsrv.c ++++ b/src/responder/secrets/secsrv.c +@@ -35,7 +35,7 @@ static int sec_get_config(struct sec_ctx *sctx) + int ret; + + ret = confdb_get_int(sctx->rctx->cdb, +- CONFDB_SEC_CONF_ENTRY, ++ sctx->rctx->confdb_service_path, + CONFDB_SERVICE_FD_LIMIT, + DEFAULT_SEC_FD_LIMIT, + &sctx->fd_limit); +-- +2.9.3 + diff --git a/0031-dyndns-fix-typo-and-unify-ipa-with-ad-debug-message-.patch b/0031-dyndns-fix-typo-and-unify-ipa-with-ad-debug-message-.patch new file mode 100644 index 0000000..a58c3ce --- /dev/null +++ b/0031-dyndns-fix-typo-and-unify-ipa-with-ad-debug-message-.patch 
@@ -0,0 +1,46 @@ +From 279b4f57263abcdb84e2386f4cb4256981fb8c2d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 4 Aug 2016 14:10:09 +0200 +Subject: [PATCH 31/39] dyndns: fix typo and unify ipa with ad debug message + when off +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Petr Čech +Reviewed-by: Lukáš Slebodník +(cherry picked from commit b3851e86af91dc1aa6e265d5b2e4279b2611ff43) +--- + src/providers/ad/ad_dyndns.c | 2 +- + src/providers/ipa/ipa_init.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/providers/ad/ad_dyndns.c b/src/providers/ad/ad_dyndns.c +index e3f1812837f7cee9d18ef001233871e0fcc16b4c..00190485e8f0ca7362ed60b2df022c74c53988c9 100644 +--- a/src/providers/ad/ad_dyndns.c ++++ b/src/providers/ad/ad_dyndns.c +@@ -47,7 +47,7 @@ errno_t ad_dyndns_init(struct be_ctx *be_ctx, + + if (dp_opt_get_bool(ad_opts->dyndns_ctx->opts, + DP_OPT_DYNDNS_UPDATE) == false) { +- DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates not set\n"); ++ DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are off.\n"); + return EOK; + } + +diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c +index ca99200a1ba1d9508ac0affffecaa08149552fee..7dec4d1fb8541a48470d4e44f10838e5bea67ad5 100644 +--- a/src/providers/ipa/ipa_init.c ++++ b/src/providers/ipa/ipa_init.c +@@ -200,7 +200,7 @@ static errno_t ipa_init_dyndns(struct be_ctx *be_ctx, + enabled = dp_opt_get_bool(ipa_options->dyndns_ctx->opts, + DP_OPT_DYNDNS_UPDATE); + if (!enabled) { +- DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are of.\n"); ++ DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are off.\n"); + return EOK; + } + +-- +2.9.3 + diff --git a/0032-netlink-Don-t-define-USE_GNU.patch b/0032-netlink-Don-t-define-USE_GNU.patch new file mode 100644 index 0000000..1e69b14 --- /dev/null +++ b/0032-netlink-Don-t-define-USE_GNU.patch 
@@ -0,0 +1,42 @@ +From 2d1d157a07a2b445d6d26573a9763ec62928790f Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 30 Aug 2016 15:26:27 +0200 +Subject: [PATCH 32/39] netlink: Don't define USE_GNU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Applications should never #define USE_GNU themselves, but rather +_GNU_SOURCE. This patch removes USE_GNU and replaces it with including +config.h which has _GNU_SOURCE defined if applicable for that platform + +See for example: + https://gcc.gnu.org/ml/fortran/2005-10/msg00365.html + +Reviewed-by: Fabiano Fidêncio +(cherry picked from commit 1384d0ce6ea741aefb56b0006b6268d76e6cc2c2) +--- + src/monitor/monitor_netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/monitor/monitor_netlink.c b/src/monitor/monitor_netlink.c +index 22262949c67744493dfa722ff38257a75a5b8291..c4d56b39f29b7686b60da1d561d7db390c272a4d 100644 +--- a/src/monitor/monitor_netlink.c ++++ b/src/monitor/monitor_netlink.c +@@ -21,11 +21,12 @@ + along with this program. If not, see . + */ + ++#include "config.h" ++ + #include + #include + #include + #include +-#define __USE_GNU /* needed for struct ucred */ + #include + #include + #include +-- +2.9.3 + diff --git a/0033-MONITOR-Remove-leftovers-from-diag_cmd.patch b/0033-MONITOR-Remove-leftovers-from-diag_cmd.patch new file mode 100644 index 0000000..d3c9650 --- /dev/null +++ b/0033-MONITOR-Remove-leftovers-from-diag_cmd.patch 
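Review bot: The removed `#define __USE_GNU` line carried the only explanation of why GNU extensions are needed in this file (struct ucred), and the new `#include "config.h"` drops that hint. Keeping it as a comment on the new include, e.g. `#include "config.h" /* _GNU_SOURCE (needed for struct ucred) */`, preserves the reason for the next reader. config.h is correctly placed before the system headers, which is required for the feature-test macro to take effect.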
@@ -0,0 +1,140 @@ +From d58c29636abcd20ef8e90fae90d8754419c394fa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Tue, 30 Aug 2016 18:17:46 +0200 +Subject: [PATCH 33/39] MONITOR: Remove leftovers from diag_cmd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Seems that when I sent the v2 of 7579cf99 I attached the wrong patch +that ended up being pushed. +That patch was incomplete as there are still some leftovers. + +Related: +https://fedorahosted.org/sssd/ticket/3051 + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Petr Čech +(cherry picked from commit e04df9feca0c9877c69aa46450d04c556bcb23ad) +--- + src/config/SSSDConfig/__init__.py.in | 1 - + src/config/SSSDConfigTest.py | 1 - + src/config/cfg_rules.ini | 9 --------- + src/config/etc/sssd.api.conf | 1 - + 4 files changed, 12 deletions(-) + +diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in +index b3f04ac26309bb5b518fb87cd0dae2962e853179..fb071270208341f4e993fef95af4e8dc6b58fdbd 100644 +--- a/src/config/SSSDConfig/__init__.py.in ++++ b/src/config/SSSDConfig/__init__.py.in +@@ -51,7 +51,6 @@ option_strings = { + 'reconnection_retries' : _('Number of times to attempt connection to Data Providers'), + 'fd_limit' : _('The number of file descriptors that may be opened by this responder'), + 'client_idle_timeout' : _('Idle time before automatic disconnection of a client'), +- 'diag_cmd' : _('The command to run when a service ping times out'), + + # [sssd] + 'services' : _('SSSD Services to start'), +diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py +index 8fcd1a55c36035a7026f1fb4c8116aaae24e78ef..575a12450eec2e23e7fa30acf72030a0e7e07a50 100755 +--- a/src/config/SSSDConfigTest.py ++++ b/src/config/SSSDConfigTest.py +@@ -309,7 +309,6 @@ class SSSDConfigTestSSSDService(unittest.TestCase): + 'reconnection_retries', + 'fd_limit', + 'client_idle_timeout', +- 'diag_cmd', + 'description', + 
'certificate_verification', + 'override_space'] +diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini +index df10538dee4a547a1b1af62a4cfe37b89e236b18..a2c3fa2d5994dc051b72be17e13c512d7f124141 100644 +--- a/src/config/cfg_rules.ini ++++ b/src/config/cfg_rules.ini +@@ -25,7 +25,6 @@ option = fd_limit + option = client_idle_timeout + option = force_timeout + option = description +-option = diag_cmd + + # Monitor service + option = services +@@ -57,7 +56,6 @@ option = fd_limit + option = client_idle_timeout + option = force_timeout + option = description +-option = diag_cmd + + # Name service + option = user_attributes +@@ -96,7 +94,6 @@ option = fd_limit + option = client_idle_timeout + option = force_timeout + option = description +-option = diag_cmd + + # Authentication service + option = offline_credentials_expiration +@@ -130,7 +127,6 @@ option = fd_limit + option = client_idle_timeout + option = force_timeout + option = description +-option = diag_cmd + + # sudo service + option = sudo_timed +@@ -152,7 +148,6 @@ option = fd_limit + option = client_idle_timeout + option = force_timeout + option = description +-option = diag_cmd + + # autofs service + option = autofs_negative_timeout +@@ -173,7 +168,6 @@ option = fd_limit + option = client_idle_timeout + option = force_timeout + option = description +-option = diag_cmd + + # ssh service + option = ssh_hash_known_hosts +@@ -196,7 +190,6 @@ option = fd_limit + option = client_idle_timeout + option = force_timeout + option = description +-option = diag_cmd + + # PAC responder + option = allowed_uids +@@ -218,7 +211,6 @@ option = fd_limit + option = client_idle_timeout + option = force_timeout + option = description +-option = diag_cmd + + # InfoPipe responder + option = allowed_uids +@@ -239,7 +231,6 @@ option = fd_limit + option = client_idle_timeout + option = force_timeout + option = description +-option = diag_cmd + + #Available provider types + option = id_provider +diff --git 
a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf +index 5e69414f2a490977bdaf1555325814ad61202071..b2f20c5b71fa6bf94656d6270ccd08385a88c06e 100644 +--- a/src/config/etc/sssd.api.conf ++++ b/src/config/etc/sssd.api.conf +@@ -15,7 +15,6 @@ fd_limit = int, None, false + client_idle_timeout = int, None, false + force_timeout = int, None, false + description = str, None, false +-diag_cmd = str, None, false + + [sssd] + # Monitor service +-- +2.9.3 + diff --git a/0034-MONITOR-Remove-leftovers-from-kill_service.patch b/0034-MONITOR-Remove-leftovers-from-kill_service.patch new file mode 100644 index 0000000..0b66314 --- /dev/null +++ b/0034-MONITOR-Remove-leftovers-from-kill_service.patch 
@@ -0,0 +1,175 @@ +From a2145190df8f4faa68a9662a2b5162dd87eca0a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Tue, 30 Aug 2016 18:25:21 +0200 +Subject: [PATCH 34/39] MONITOR: Remove leftovers from kill_service +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Seems that wen I sent the v2 of ac35fe74 I attached the wrong pacth that +ended up being pushed. +The patch was incomplete as there are still some leftovers. + +The .po and sssd-docs.pot were not touched as I do believe they are +autogenerated from Zanata. + +Related: +https://fedorahosted.org/sssd/ticket/3052 + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Petr Čech +(cherry picked from commit 5b0735876aa66464b24cb7736a74fafd8ec82128) +--- + src/config/SSSDConfig/__init__.py.in | 1 - + src/config/SSSDConfigTest.py | 3 --- + src/config/cfg_rules.ini | 10 ---------- + src/config/etc/sssd.api.conf | 2 -- + 4 files changed, 16 deletions(-) + +diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in +index fb071270208341f4e993fef95af4e8dc6b58fdbd..0191920f93ab9016508e08785c25dd043c180c0b 100644 +--- a/src/config/SSSDConfig/__init__.py.in ++++ b/src/config/SSSDConfig/__init__.py.in +@@ -46,7 +46,6 @@ option_strings = { + 'debug_microseconds' : _('Include microseconds in timestamps in debug logs'), + 'debug_to_files' : _('Write debug messages to logfiles'), + 'timeout' : _('Watchdog timeout before restarting service'), +- 'force_timeout' : _('Timeout between three failed ping checks and forcibly killing the service'), + 'command' : _('Command to start service'), + 'reconnection_retries' : _('Number of times to attempt connection to Data Providers'), + 'fd_limit' : _('The number of file descriptors that may be opened by this responder'), +diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py +index 575a12450eec2e23e7fa30acf72030a0e7e07a50..6a0fdf0ea5215103b48dc8521a43ae945342c0e2 100755 +--- 
a/src/config/SSSDConfigTest.py ++++ b/src/config/SSSDConfigTest.py +@@ -293,7 +293,6 @@ class SSSDConfigTestSSSDService(unittest.TestCase): + 'services', + 'domains', + 'timeout', +- 'force_timeout', + 'sbus_timeout', + 're_expression', + 'full_name_format', +@@ -505,7 +504,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 'min_id', + 'max_id', + 'timeout', +- 'force_timeout', + 'offline_timeout', + 'try_inotify', + 'command', +@@ -874,7 +872,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 'min_id', + 'max_id', + 'timeout', +- 'force_timeout', + 'offline_timeout', + 'try_inotify', + 'command', +diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini +index a2c3fa2d5994dc051b72be17e13c512d7f124141..5e248066bd554d2a654a764f406f6b33c4d66733 100644 +--- a/src/config/cfg_rules.ini ++++ b/src/config/cfg_rules.ini +@@ -23,7 +23,6 @@ option = command + option = reconnection_retries + option = fd_limit + option = client_idle_timeout +-option = force_timeout + option = description + + # Monitor service +@@ -54,7 +53,6 @@ option = command + option = reconnection_retries + option = fd_limit + option = client_idle_timeout +-option = force_timeout + option = description + + # Name service +@@ -92,7 +90,6 @@ option = command + option = reconnection_retries + option = fd_limit + option = client_idle_timeout +-option = force_timeout + option = description + + # Authentication service +@@ -125,7 +122,6 @@ option = command + option = reconnection_retries + option = fd_limit + option = client_idle_timeout +-option = force_timeout + option = description + + # sudo service +@@ -146,7 +142,6 @@ option = command + option = reconnection_retries + option = fd_limit + option = client_idle_timeout +-option = force_timeout + option = description + + # autofs service +@@ -166,7 +161,6 @@ option = command + option = reconnection_retries + option = fd_limit + option = client_idle_timeout +-option = force_timeout + option = description + + # ssh service +@@ -188,7 +182,6 
@@ option = command + option = reconnection_retries + option = fd_limit + option = client_idle_timeout +-option = force_timeout + option = description + + # PAC responder +@@ -209,7 +202,6 @@ option = command + option = reconnection_retries + option = fd_limit + option = client_idle_timeout +-option = force_timeout + option = description + + # InfoPipe responder +@@ -229,7 +221,6 @@ option = command + option = reconnection_retries + option = fd_limit + option = client_idle_timeout +-option = force_timeout + option = description + + #Available provider types +@@ -250,7 +241,6 @@ option = timeout + option = try_inotify + option = enumerate + option = subdomain_enumerate +-option = force_timeout + option = offline_timeout + option = cache_credentials + option = cache_credentials_minimal_first_factor_length +diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf +index b2f20c5b71fa6bf94656d6270ccd08385a88c06e..525f939cd204f4d484caa7b490d85b0d50de00ef 100644 +--- a/src/config/etc/sssd.api.conf ++++ b/src/config/etc/sssd.api.conf +@@ -13,7 +13,6 @@ command = str, None, false + reconnection_retries = int, None, false + fd_limit = int, None, false + client_idle_timeout = int, None, false +-force_timeout = int, None, false + description = str, None, false + + [sssd] +@@ -119,7 +118,6 @@ timeout = int, None, false + try_inotify = bool, None, false + enumerate = bool, None, false + subdomain_enumerate = str, None, false +-force_timeout = int, None, false + offline_timeout = int, None, false + cache_credentials = bool, None, false + cache_credentials_minimal_first_factor_length = int, None, false +-- +2.9.3 + diff --git a/0035-SYSDB-Fix-error-handling-in-sysdb_get_user_members_r.patch b/0035-SYSDB-Fix-error-handling-in-sysdb_get_user_members_r.patch new file mode 100644 index 0000000..a4c2cdc --- /dev/null +++ b/0035-SYSDB-Fix-error-handling-in-sysdb_get_user_members_r.patch 
@@ -0,0 +1,51 @@ +From 223395a44a3016c3124aa5ed841c7023068607d8 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Tue, 30 Aug 2016 15:37:43 +0200 +Subject: [PATCH 35/39] SYSDB: Fix error handling in + sysdb_get_user_members_recursively +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We ignored failures from sysdb_search_entry + +Reviewed-by: Petr Čech +(cherry picked from commit b969ccc2cc58fdf761e5d314de9217f2d914bc9b) +--- + src/db/sysdb_ops.c | 3 +++ + src/db/sysdb_views.c | 5 ++++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c +index 44fb5b70e6d33fffbca5824f831a3229254ecb57..e4c8e1e285e3bc49710f71c896ba9a30c742d4fa 100644 +--- a/src/db/sysdb_ops.c ++++ b/src/db/sysdb_ops.c +@@ -4738,6 +4738,9 @@ errno_t sysdb_get_user_members_recursively(TALLOC_CTX *mem_ctx, + + ret = sysdb_search_entry(tmp_ctx, dom->sysdb, base_dn, LDB_SCOPE_SUBTREE, + filter, attrs, &count, &msgs); ++ if (ret != EOK) { ++ goto done; ++ } + + res = talloc_zero(tmp_ctx, struct ldb_result); + if (res == NULL) { +diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c +index 79f513d13ba41212a6cd84e1d9e609df6acba29c..9dc48f5b6c414bbc7c64bcd1fe73553f388588bd 100644 +--- a/src/db/sysdb_views.c ++++ b/src/db/sysdb_views.c +@@ -1374,7 +1374,10 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain, + + ret = sysdb_get_user_members_recursively(tmp_ctx, domain, obj->dn, + &res_members); +- if (ret != EOK) { ++ if (ret == ENOENT) { ++ ret = EOK; ++ goto done; ++ } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_get_user_members_recursively failed.\n"); + goto done; +-- +2.9.3 + diff --git a/0036-DEBUG-Apend-line-feed-to-messages-from-libsemanage.patch b/0036-DEBUG-Apend-line-feed-to-messages-from-libsemanage.patch new file mode 100644 index 0000000..3a70aa4 --- /dev/null +++ b/0036-DEBUG-Apend-line-feed-to-messages-from-libsemanage.patch 
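Review bot: With the new `if (ret != EOK) { goto done; }` after sysdb_search_entry in sysdb_get_user_members_recursively, an ENOENT from the search now propagates to every caller, whereas before it was ignored and the function went on to build an empty result; only sysdb_add_group_member_overrides is adapted in this patch, so any other caller of sysdb_get_user_members_recursively (none is visible here) should be checked for the same ENOENT-means-empty handling. The new `ret == ENOENT` branch in sysdb_views.c leaves silently; a trace-level message before the `goto done`, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "No user members found, nothing to override.\n");`, would make that early exit distinguishable from a completed override pass in the logs. Both enclosing functions start and end outside the hunks.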
@@ -0,0 +1,34 @@ +From 9e21f9157d7eaf62e48ee9ab43332d336c12708c Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Thu, 1 Sep 2016 08:08:00 +0200 +Subject: [PATCH 36/39] DEBUG: Apend line feed to messages from libsemanage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It wasn't simple to read log files from libsemanage +because they were on single line. + +Reviewed-by: Fabiano Fidêncio +(cherry picked from commit a6d279489c35896432e60daa70be5728f0b6c243) +--- + src/util/sss_semanage.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c +index 81068da98db611e55df8ac2de1a55f5980c3e552..fe06bee1dfec3abca3aa3cd5e85e55386ac11343 100644 +--- a/src/util/sss_semanage.c ++++ b/src/util/sss_semanage.c +@@ -55,7 +55,8 @@ static void sss_semanage_error_callback(void *varg, + + va_start(ap, fmt); + if (DEBUG_IS_SET(level)) { +- sss_vdebug_fn(__FILE__, __LINE__, "libsemanage", level, 0, fmt, ap); ++ sss_vdebug_fn(__FILE__, __LINE__, "libsemanage", level, ++ APPEND_LINE_FEED, fmt, ap); + } + va_end(ap); + } +-- +2.9.3 + diff --git a/0037-MAN-Document-the-ldap_user_primary_group-option.patch b/0037-MAN-Document-the-ldap_user_primary_group-option.patch new file mode 100644 index 0000000..a95ca4e --- /dev/null +++ b/0037-MAN-Document-the-ldap_user_primary_group-option.patch 
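Review bot: APPEND_LINE_FEED is now passed unconditionally, so a libsemanage message whose format string already ends in a newline will presumably be followed by a blank line in the log, unless sss_vdebug_fn itself checks for a trailing `\n` before appending (its implementation is not part of this patch); worth confirming against sss_vdebug_fn rather than assuming it. A short comment on the call, e.g. `/* libsemanage messages carry no trailing newline; add one so each lands on its own log line */`, would record why the flag is set here. The enclosing sss_semanage_error_callback begins outside the hunk.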
@@ -0,0 +1,43 @@ +From 4417b8170e7bb09fd8d724e36e23ddf89d95cb33 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 31 Aug 2016 10:17:17 +0200 +Subject: [PATCH 37/39] MAN: Document the ldap_user_primary_group option +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Pavel Březina +(cherry picked from commit 6f59bb822d1e54e178207be45e382f4ee173c434) +--- + src/man/sssd-ldap.5.xml | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml +index 6009dd8dfa787874c085c293b2d1f8aac6d95714..bfccfab2222e5b2d68b83ca473e9a3aa0f5308e5 100644 +--- a/src/man/sssd-ldap.5.xml ++++ b/src/man/sssd-ldap.5.xml +@@ -299,6 +299,21 @@ + + + ++ ldap_user_primary_group (string) ++ ++ ++ Active Directory primary group attribute ++ for ID-mapping. Note that this attribute should ++ only be set manually if you are running the ++ ldap provider with ID mapping. ++ ++ ++ Default: unset (LDAP), primaryGroupID (AD) ++ ++ ++ ++ ++ + ldap_user_gecos (string) + + +-- +2.9.3 + diff --git a/0038-sdap_initgr_nested_get_membership_diff-use-fully-qua.patch b/0038-sdap_initgr_nested_get_membership_diff-use-fully-qua.patch new file mode 100644 index 0000000..bfa928b --- /dev/null +++ b/0038-sdap_initgr_nested_get_membership_diff-use-fully-qua.patch 
@@ -0,0 +1,36 @@ +From 1a28f2ce26d49617eaf865e39d52136181d9663d Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 30 Aug 2016 17:30:10 +0200 +Subject: [PATCH 38/39] sdap_initgr_nested_get_membership_diff: use + fully-qualified names + +I think this is a leftover from the change to use fully-qualified names +in sysdb. To verify this you can create a nested group in IPA. Without +this patch the id command will only show the groups the user is a direct +member of. With the patch the indirect groups memberships should be +shown as well. + +https://fedorahosted.org/sssd/ticket/3163 + +Reviewed-by: Jakub Hrozek +(cherry picked from commit 5bd3bef4a655fdfacd2f5df8a2343fe7bc68a771) +--- + src/providers/ldap/sdap_async_initgroups.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c +index 82c708c226bf1a645ff5a395947dfdbad71e0f1f..f9593f0dfaa2dc6e33fd6c9d1f0c9b78cad3a1d9 100644 +--- a/src/providers/ldap/sdap_async_initgroups.c ++++ b/src/providers/ldap/sdap_async_initgroups.c +@@ -1414,7 +1414,7 @@ sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx, + group_name, parents_count); + + if (parents_count > 0) { +- ret = sysdb_attrs_primary_name_list(dom, tmp_ctx, ++ ret = sysdb_attrs_primary_fqdn_list(dom, tmp_ctx, + ldap_parentlist, + parents_count, + opts->group_map[SDAP_AT_GROUP_NAME].name, +-- +2.9.3 + diff --git a/0039-SYSDB-Removing-of-unused-parameter.patch b/0039-SYSDB-Removing-of-unused-parameter.patch new file mode 100644 index 0000000..dda1bc1 --- /dev/null +++ b/0039-SYSDB-Removing-of-unused-parameter.patch 
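Review bot: The switch from sysdb_attrs_primary_name_list to sysdb_attrs_primary_fqdn_list is verified only by the manual IPA check described in the commit message; no test accompanies it, so a regression in indirect group membership like upstream #3163 would again go unnoticed — a unit test for sdap_initgr_nested_get_membership_diff with a non-empty ldap_parentlist, or an integration case with a nested group, would pin the fully-qualified behaviour down. If other call sites in sdap_async_initgroups.c still build group names with sysdb_attrs_primary_name_list, they should be checked for the same leftover (none are visible in this hunk). The enclosing function starts and ends outside the hunk.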
@@ -0,0 +1,50 @@ +From c620bb359ff03f40ffbc36a03d74c921346ecfc3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C4=8Cech?= +Date: Wed, 31 Aug 2016 08:50:01 +0200 +Subject: [PATCH 39/39] SYSDB: Removing of unused parameter + +There were unused parameter struct ldb_message *cached_group +in sysdb_store_group_attrs(). + +This parameter was introduced by +40de79d69860ec7f04bf7795bd88b641ec42fd23 +SYSDB: Check if group attributes differ before saving a group + +Reviewed-by: Jakub Hrozek +(cherry picked from commit 0d1d9d8001232f74eca63cbba6c400d507b33823) +--- + src/db/sysdb_ops.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c +index e4c8e1e285e3bc49710f71c896ba9a30c742d4fa..5d9c9fb24a149f8215b3027dcb4b0e1a183e4b43 100644 +--- a/src/db/sysdb_ops.c ++++ b/src/db/sysdb_ops.c +@@ -2661,7 +2661,6 @@ static errno_t sysdb_store_new_group(struct sss_domain_info *domain, + static errno_t sysdb_store_group_attrs(struct sss_domain_info *domain, + const char *name, + gid_t gid, +- struct ldb_message *cached_group, + struct sysdb_attrs *attrs, + uint64_t cache_timeout, + time_t now); +@@ -2731,7 +2730,7 @@ int sysdb_store_group(struct sss_domain_info *domain, + ret = sysdb_store_new_group(domain, name, gid, attrs, + cache_timeout, now); + } else { +- ret = sysdb_store_group_attrs(domain, name, gid, msg, attrs, ++ ret = sysdb_store_group_attrs(domain, name, gid, attrs, + cache_timeout, now); + } + if (ret != EOK) { +@@ -2811,7 +2810,6 @@ static errno_t sysdb_store_new_group(struct sss_domain_info *domain, + static errno_t sysdb_store_group_attrs(struct sss_domain_info *domain, + const char *name, + gid_t gid, +- struct ldb_message *cached_group, + struct sysdb_attrs *attrs, + uint64_t cache_timeout, + time_t now) +-- +2.9.3 + diff --git a/sssd.spec b/sssd.spec index 1a3c62e..3835308 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -26,7 +26,7 @@ Name: sssd Version: 1.14.1 -Release: 1%{?dist} +Release: 2%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ 
@@ -35,6 +35,45 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) ### Patches ### +Patch0001: 0001-CONFIG-selinux_provider-is-a-valid-provider-type.patch +Patch0002: 0002-CONFIG-session_provider-does-not-exist-anymore.patch +Patch0003: 0003-PROXY-Use-the-fqname-when-converting-to-lowercase.patch +Patch0004: 0004-sssd_netgroup.py-Resolve-nested-netgroups.patch +Patch0005: 0005-LDAP-Fixing-of-removing-netgroup-from-cache.patch +Patch0006: 0006-INTG-Adding-support-for-netgroups-to-ldap_ent.patch +Patch0007: 0007-INTG-Tests-for-ldap-nested-netgroups.patch +Patch0008: 0008-watchdog-cope-with-time-shift.patch +Patch0009: 0009-BUILD-Allow-to-read-private-pipes-for-root.patch +Patch0010: 0010-SYSDB-Rework-sysdb_cache_connect.patch +Patch0011: 0011-SYSDB-Remove-the-timestamp-cache-for-a-newly-created.patch +Patch0012: 0012-SECRETS-Return-ENOENT-when_deleting-a-non-existent-s.patch +Patch0013: 0013-SPEC-Fix-typo-in-Summary.patch +Patch0014: 0014-IPA-Parse-qualified-names-when-guessing-AD-user-prin.patch +Patch0015: 0015-PROXY-Remove-lowercase-attribute-from-save_user.patch +Patch0016: 0016-PROXY-Remove-cache_timeout-attribute-from-save_user.patch +Patch0017: 0017-PROXY-Remove-cache_timeout-attribute-from-save_group.patch +Patch0018: 0018-PROXY-Mention-that-save_user-s-parameters-are-alread.patch +Patch0019: 0019-PROXY-Share-common-code-of-save_-group-user.patch +Patch0020: 0020-SYSDB-Fix-uninitialized-scalar-variable.patch +Patch0021: 0021-BUILD-Add-a-few-more-targets-for-intg-tests.patch +Patch0022: 0022-BUILD-Clean-up-prerelease-targets.patch +Patch0023: 0023-BUILD-Fix-typo-in-intgcheck-run-rule.patch +Patch0024: 0024-BUILD-Remove-leftover-after-sysdb-refactoring.patch +Patch0025: 0025-MONITOR-Remove-the-no-longer-used-diag_cmd-command.patch +Patch0026: 0026-MONITOR-Remove-the-no-longer-used-kill_service-comma.patch +Patch0027: 
0027-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch +Patch0028: 0028-PROXY-Use-right-name-in-ldap-filter.patch +Patch0029: 0029-SECRETS-Make-internal-function-static.patch +Patch0030: 0030-SECRETS-Make-reading-the-config-options-more-uniform.patch +Patch0031: 0031-dyndns-fix-typo-and-unify-ipa-with-ad-debug-message-.patch +Patch0032: 0032-netlink-Don-t-define-USE_GNU.patch +Patch0033: 0033-MONITOR-Remove-leftovers-from-diag_cmd.patch +Patch0034: 0034-MONITOR-Remove-leftovers-from-kill_service.patch +Patch0035: 0035-SYSDB-Fix-error-handling-in-sysdb_get_user_members_r.patch +Patch0036: 0036-DEBUG-Apend-line-feed-to-messages-from-libsemanage.patch +Patch0037: 0037-MAN-Document-the-ldap_user_primary_group-option.patch +Patch0038: 0038-sdap_initgr_nested_get_membership_diff-use-fully-qua.patch +Patch0039: 0039-SYSDB-Removing-of-unused-parameter.patch ### Dependencies ### @@ -1083,6 +1122,13 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Thu Sep 01 2016 Lukas Slebodnik - 1.14.1-2 +- Backport important patches from upstream 1.14.2 prerelease +- Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after + boot +- Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14 + + * Fri Aug 19 2016 Lukas Slebodnik - 1.14.1-1 - New upstream release 1.14.0 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1
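Review bot: The 39 new `Patch00NN:` declarations only take effect if %prep applies them, and the %prep section is outside this hunk; confirm it uses `%autosetup -p1` (or an equivalent loop) or that each new patch gets a matching `%patch` line, otherwise the backports announced in the changelog entry are declared but not built in. The changelog lines themselves read fine for rpm, so no change is needed there.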