Backport fixes for rhbz#961278, rhbz#961278 and rhbz#961251
- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join - Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider - Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in
parent
3cfed3426f
commit
2f295ac01f
@ -0,0 +1,39 @@
|
|||||||
|
From 517ba52c518eb747ccb2a76d75a7ec88fc870cf4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Mon, 13 May 2013 14:25:15 +0200
|
||||||
|
Subject: [PATCH] Always update cached upn if enterprise principals are used
|
||||||
|
|
||||||
|
Instead of continuing to use the initial upn if enterprise principals
|
||||||
|
are used if should always be replaced. The enterprise principal
|
||||||
|
is stored in the credential cache and without knowing it the
|
||||||
|
ccache_for_princ() calls to determine the location of the credential
|
||||||
|
cache will fail.
|
||||||
|
|
||||||
|
Fixes https://fedorahosted.org/sssd/ticket/1921
|
||||||
|
---
|
||||||
|
src/providers/krb5/krb5_auth.c | 7 ++++---
|
||||||
|
1 files changed, 4 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
||||||
|
index 6d7494c..f65e599 100644
|
||||||
|
--- a/src/providers/krb5/krb5_auth.c
|
||||||
|
+++ b/src/providers/krb5/krb5_auth.c
|
||||||
|
@@ -913,11 +913,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
|
||||||
|
KRB5_USE_ENTERPRISE_PRINCIPAL);
|
||||||
|
|
||||||
|
/* Check if the cases of our upn are correct and update it if needed.
|
||||||
|
- * Fail if the upn differs by more than just the case. */
|
||||||
|
+ * Fail if the upn differs by more than just the case for non-enterprise
|
||||||
|
+ * principals. */
|
||||||
|
if (res->correct_upn != NULL &&
|
||||||
|
- use_enterprise_principal == false &&
|
||||||
|
strcmp(kr->upn, res->correct_upn) != 0) {
|
||||||
|
- if (strcasecmp(kr->upn, res->correct_upn) == 0) {
|
||||||
|
+ if (strcasecmp(kr->upn, res->correct_upn) == 0 ||
|
||||||
|
+ use_enterprise_principal == true) {
|
||||||
|
talloc_free(kr->upn);
|
||||||
|
kr->upn = talloc_strdup(kr, res->correct_upn);
|
||||||
|
if (kr->upn == NULL) {
|
||||||
|
--
|
||||||
|
1.7.7.6
|
||||||
|
|
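Review bot: With enterprise principals enabled, the inner condition in krb5_auth_done() now overwrites `kr->upn` with `res->correct_upn` even when the two differ by more than case, and nothing in the visible lines records that substitution. The commit message says this value decides which credential cache is looked up, so I would log both principals before `talloc_free(kr->upn);`, for example `DEBUG(SSSDBG_TRACE_FUNC, ("UPN changed from [%s] to [%s].\n", kr->upn, res->correct_upn));`. It would also help to extend the comment to say that in the enterprise case the returned principal is accepted as-is, and on what basis it is trusted; presumably that is the validated KDC reply, but the hunk does not show it. As a style point, `use_enterprise_principal == true` reads better as plain `use_enterprise_principal`. The hunk stops inside the `if (kr->upn == NULL) {` block, so the allocation-failure path and the else branch that still fails for non-enterprise principals are outside what I can see.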
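--- a/0008-Enable-the-AD-dynamic-DNS-updates-by-default.patch
+++ b/0008-Enable-the-AD-dynamic-DNS-updates-by-default.patch
@@ -0,0 +1,40 @@
+From ad1be6fd04234f61f108773ff39aa7485abda47c Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Thu, 9 May 2013 16:41:47 +0200
+Subject: [PATCH] Enable the AD dynamic DNS updates by default
+
+https://fedorahosted.org/sssd/ticket/1915
+---
+src/man/sssd-ad.5.xml | 2 +-
+src/providers/ad/ad_opts.h | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
+index 71e8a2075bc83bc814987f2ca738ddb138c14e5a..589dfd0b5f7514a8e17c9f04407476ccf7c33e88 100644
+--- a/src/man/sssd-ad.5.xml
++++ b/src/man/sssd-ad.5.xml
+@@ -170,7 +170,7 @@ ldap_id_mapping = False
+realm must be set properly in /etc/krb5.conf
+</para>
+<para>
+- Default: false
++ Default: true
+</para>
+</listitem>
+</varlistentry>
+diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
+index 32bbe3db2f4048056c7e96619eaf53ce22bf52f8..6e9d843c1f0a619fc3da26ae82bb15fe80eb4420 100644
+--- a/src/providers/ad/ad_opts.h
++++ b/src/providers/ad/ad_opts.h
+@@ -239,7 +239,7 @@ struct sdap_attr_map ad_autofs_entry_map[] = {
+};
+
+struct dp_option ad_dyndns_opts[] = {
+- { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
++ { "dyndns_update", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },
+{ "dyndns_refresh_interval", DP_OPT_NUMBER, { .number = 86400 }, NULL_NUMBER },
+{ "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+{ "dyndns_ttl", DP_OPT_NUMBER, { .number = 3600 }, NULL_NUMBER },
+--
+1.8.2.1
+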
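Review bot: Switching the `dyndns_update` default to `BOOL_TRUE` in `ad_dyndns_opts[]` changes behaviour for every AD-provider configuration that does not set the option, so after a package upgrade those hosts start sending DNS updates without anyone opting in. The man page hunk only swaps `Default: false` for `Default: true`; I would add a sentence there saying that `dyndns_update = false` restores the previous behaviour, and note the change for people upgrading. A short comment above the entry, such as `/* on by default for AD clients; set dyndns_update = false to opt out */`, would also record that the new default is deliberate. The array initializer continues past the end of the hunk.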
12
sssd.spec
12
sssd.spec
@ -16,7 +16,7 @@
|
|||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 1.10.0
|
Version: 1.10.0
|
||||||
Release: 5%{?dist}.beta1
|
Release: 6%{?dist}.beta1
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -31,6 +31,8 @@ Patch0003: 0003-UTIL-Add-function-sss_names_init_from_args.patch
|
|||||||
Patch0004: 0004-SSH-Fix-parsing-of-names-from-client-requests.patch
|
Patch0004: 0004-SSH-Fix-parsing-of-names-from-client-requests.patch
|
||||||
Patch0005: 0005-SSH-Use-separate-field-for-domain-name-in-client-req.patch
|
Patch0005: 0005-SSH-Use-separate-field-for-domain-name-in-client-req.patch
|
||||||
Patch0006: 0006-SSH-Do-not-skip-domains-with-use_fully_qualified_nam.patch
|
Patch0006: 0006-SSH-Do-not-skip-domains-with-use_fully_qualified_nam.patch
|
||||||
|
Patch0007: 0007-Always-update-cached-upn-if-enterprise-principals-ar.patch
|
||||||
|
Patch0008: 0008-Enable-the-AD-dynamic-DNS-updates-by-default.patch
|
||||||
|
|
||||||
Patch0501: 0501-FEDORA-Switch-the-default-ccache-location.patch
|
Patch0501: 0501-FEDORA-Switch-the-default-ccache-location.patch
|
||||||
|
|
||||||
@ -603,6 +605,14 @@ fi
|
|||||||
%postun -n libsss_sudo -p /sbin/ldconfig
|
%postun -n libsss_sudo -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue May 14 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.10.0-6.beta1
|
||||||
|
- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during
|
||||||
|
realm join
|
||||||
|
- Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by
|
||||||
|
default for AD Provider
|
||||||
|
- Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file
|
||||||
|
parent directory when logging in
|
||||||
|
|
||||||
* Tue May 7 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.10.0-5.beta1
|
* Tue May 7 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.10.0-5.beta1
|
||||||
- BuildRequire recent libini_config to ensure consistent behaviour
|
- BuildRequire recent libini_config to ensure consistent behaviour
|
||||||
|
|
||||||
|