Backport fixes for rhbz#961278, rhbz#961278 and rhbz#961251
- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during realm join
- Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by default for AD Provider
- Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file parent directory when logging in
parent
3cfed3426f
commit
2f295ac01f
@ -0,0 +1,39 @@
|
||||
From 517ba52c518eb747ccb2a76d75a7ec88fc870cf4 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 13 May 2013 14:25:15 +0200
|
||||
Subject: [PATCH] Always update cached upn if enterprise principals are used
|
||||
|
||||
Instead of continuing to use the initial upn if enterprise principals
|
||||
are used if should always be replaced. The enterprise principal
|
||||
is stored in the credential cache and without knowing it the
|
||||
ccache_for_princ() calls to determine the location of the credential
|
||||
cache will fail.
|
||||
|
||||
Fixes https://fedorahosted.org/sssd/ticket/1921
|
||||
---
|
||||
src/providers/krb5/krb5_auth.c | 7 ++++---
|
||||
1 files changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
||||
index 6d7494c..f65e599 100644
|
||||
--- a/src/providers/krb5/krb5_auth.c
|
||||
+++ b/src/providers/krb5/krb5_auth.c
|
||||
@@ -913,11 +913,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
|
||||
KRB5_USE_ENTERPRISE_PRINCIPAL);
|
||||
|
||||
/* Check if the cases of our upn are correct and update it if needed.
|
||||
- * Fail if the upn differs by more than just the case. */
|
||||
+ * Fail if the upn differs by more than just the case for non-enterprise
|
||||
+ * principals. */
|
||||
if (res->correct_upn != NULL &&
|
||||
- use_enterprise_principal == false &&
|
||||
strcmp(kr->upn, res->correct_upn) != 0) {
|
||||
- if (strcasecmp(kr->upn, res->correct_upn) == 0) {
|
||||
+ if (strcasecmp(kr->upn, res->correct_upn) == 0 ||
|
||||
+ use_enterprise_principal == true) {
|
||||
talloc_free(kr->upn);
|
||||
kr->upn = talloc_strdup(kr, res->correct_upn);
|
||||
if (kr->upn == NULL) {
|
||||
--
|
||||
1.7.7.6
|
||||
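Review bot: With `use_enterprise_principal == true` added to the inner condition, any `res->correct_upn` that differs from `kr->upn` now replaces it, so the case-only comparison no longer guards this path when enterprise principals are enabled. The hunk does not show where `res->correct_upn` comes from; if it is the client principal of the ticket obtained from the KDC, that is presumably what makes the unconditional replacement safe, and the comment should say so, e.g. `* With enterprise principals the principal returned for the ticket is authoritative and always replaces the cached upn.` Emitting a debug message with the old and new value whenever they differ by more than case would also leave a trace of each principal remapping for later review. `krb5_auth_done` starts and ends outside the hunk, so the handling after the `talloc_strdup` NULL check is not visible here.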
|
40
0008-Enable-the-AD-dynamic-DNS-updates-by-default.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From ad1be6fd04234f61f108773ff39aa7485abda47c Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Thu, 9 May 2013 16:41:47 +0200
|
||||
Subject: [PATCH] Enable the AD dynamic DNS updates by default
|
||||
|
||||
https://fedorahosted.org/sssd/ticket/1915
|
||||
---
|
||||
src/man/sssd-ad.5.xml | 2 +-
|
||||
src/providers/ad/ad_opts.h | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
|
||||
index 71e8a2075bc83bc814987f2ca738ddb138c14e5a..589dfd0b5f7514a8e17c9f04407476ccf7c33e88 100644
|
||||
--- a/src/man/sssd-ad.5.xml
|
||||
+++ b/src/man/sssd-ad.5.xml
|
||||
@@ -170,7 +170,7 @@ ldap_id_mapping = False
|
||||
realm must be set properly in /etc/krb5.conf
|
||||
</para>
|
||||
<para>
|
||||
- Default: false
|
||||
+ Default: true
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
|
||||
index 32bbe3db2f4048056c7e96619eaf53ce22bf52f8..6e9d843c1f0a619fc3da26ae82bb15fe80eb4420 100644
|
||||
--- a/src/providers/ad/ad_opts.h
|
||||
+++ b/src/providers/ad/ad_opts.h
|
||||
@@ -239,7 +239,7 @@ struct sdap_attr_map ad_autofs_entry_map[] = {
|
||||
};
|
||||
|
||||
struct dp_option ad_dyndns_opts[] = {
|
||||
- { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
||||
+ { "dyndns_update", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },
|
||||
{ "dyndns_refresh_interval", DP_OPT_NUMBER, { .number = 86400 }, NULL_NUMBER },
|
||||
{ "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
||||
{ "dyndns_ttl", DP_OPT_NUMBER, { .number = 3600 }, NULL_NUMBER },
|
||||
--
|
||||
1.8.2.1
|
||||
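Review bot: Flipping the `dyndns_update` default to `BOOL_TRUE` in `ad_dyndns_opts` changes behaviour for every existing AD-provider configuration that never set the option: after the upgrade those hosts start sending dynamic DNS updates without any edit to sssd.conf. The man page hunk only changes `Default: false` to `Default: true`; it would help to add a sentence there stating that the default changed and that `dyndns_update = false` restores the previous behaviour. The hunk does not show how the update is authenticated, so it is worth confirming that the default path only sends updates secured with the host's own credentials before this becomes the out-of-the-box setting.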
|
12
sssd.spec
@ -16,7 +16,7 @@
|
||||
|
||||
Name: sssd
|
||||
Version: 1.10.0
|
||||
Release: 5%{?dist}.beta1
|
||||
Release: 6%{?dist}.beta1
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -31,6 +31,8 @@ Patch0003: 0003-UTIL-Add-function-sss_names_init_from_args.patch
|
||||
Patch0004: 0004-SSH-Fix-parsing-of-names-from-client-requests.patch
|
||||
Patch0005: 0005-SSH-Use-separate-field-for-domain-name-in-client-req.patch
|
||||
Patch0006: 0006-SSH-Do-not-skip-domains-with-use_fully_qualified_nam.patch
|
||||
Patch0007: 0007-Always-update-cached-upn-if-enterprise-principals-ar.patch
|
||||
Patch0008: 0008-Enable-the-AD-dynamic-DNS-updates-by-default.patch
|
||||
|
||||
Patch0501: 0501-FEDORA-Switch-the-default-ccache-location.patch
|
||||
|
||||
@ -603,6 +605,14 @@ fi
|
||||
%postun -n libsss_sudo -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Tue May 14 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.10.0-6.beta1
|
||||
- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during
|
||||
realm join
|
||||
- Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by
|
||||
default for AD Provider
|
||||
- Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file
|
||||
parent directory when logging in
|
||||
|
||||
* Tue May 7 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.10.0-5.beta1
|
||||
- BuildRequire recent libini_config to ensure consistent behaviour
|
||||
|
||||
|