diff --git a/0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch b/0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch
new file mode 100644
index 0000000..e17af0b
--- /dev/null
+++ b/0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch
@@ -0,0 +1,97 @@
+From c61100799c7d8e46c82a862eca3f543a4320490c Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 22 Oct 2014 10:03:09 +0200
+Subject: [PATCH 1/4] ipa: fix issues with older servers not supporting views
+
+Older FreeIPA servers which do not know about the ipaAssignedIDView
+attribute will return an error during the LDAP dereference request
+because SSSD marks LDAP extensions as critical. In this case we keep the
+view name empty and skip override lookups.
+
+Reviewed-by: Jakub Hrozek
+---
+ src/providers/ipa/ipa_subdomains.c | 14 +++++++++++++-
+ src/providers/ipa/ipa_subdomains_id.c | 4 +++-
+ src/providers/ipa/ipa_views.c | 17 ++++++++++++-----
+ 3 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
+index bedc0f1a50e8a35ea65de45247b1814c9abc0bcd..eb172fdfc05ac4e482174f01d89ad28db1498fc1 100644
+--- a/src/providers/ipa/ipa_subdomains.c
++++ b/src/providers/ipa/ipa_subdomains.c
+@@ -1002,7 +1002,19 @@ static void ipa_get_view_name_done(struct tevent_req *req)
+ ret = sdap_deref_search_with_filter_recv(req, ctx, &reply_count, &reply);
+ talloc_zfree(req);
+ if (ret != EOK) {
+- DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
++ if (ret == EOPNOTSUPP) {
++ DEBUG(SSSDBG_TRACE_FUNC, "get_view_name request failed, looks " \
++ "like server does not support views.\n");
++ ret = ipa_check_master(ctx);
++ if (ret == EAGAIN) {
++ return;
++ } else if (ret != EOK) {
++ goto done;
++ }
++
++ } else {
++ DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
++ }
+ goto done;
+ }
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index 36f8b239249e5f0146610cfab148be20c39c66c2..b67006ce6e0b4bf9c794016c1dfc923ac6da3624 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -106,11 +106,13 @@ struct tevent_req *ipa_subdomain_account_send(TALLOC_CTX *memctx,
+ * have to check first if the request matches an override in the given
+ * view. But there are cases where this can be skipped and the AD object
+ * can be searched directly:
++ * - if no view is defined, i.e. the server does not supprt views yet
+ * - searches by SID: because we do not override the SID
+ * - if the responder does not send the EXTRA_INPUT_MAYBE_WITH_VIEW flags,
+ * because in this case the entry was found in the cache and the
+ * original value is used for the search (e.g. during cache updates) */
+- if (state->ar->filter_type == BE_FILTER_SECID
++ if (state->ipa_ctx->view_name == NULL
++ || state->ar->filter_type == BE_FILTER_SECID
+ || (!state->ipa_server_mode
+ && state->ar->extra_value != NULL
+ && strcmp(state->ar->extra_value,
+diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c
+index 33dbf7b1c17f188924ee7b50a77ab699f03392be..2eb77216ab9759d8b1d66fbdf0b2e90cd07a4604 100644
+--- a/src/providers/ipa/ipa_views.c
++++ b/src/providers/ipa/ipa_views.c
+@@ -208,16 +208,23 @@ struct tevent_req *ipa_get_ad_override_send(TALLOC_CTX *mem_ctx,
+ state->sdap_id_ctx = sdap_id_ctx;
+ state->ipa_options = ipa_options;
+ state->ipa_realm = ipa_realm;
+- if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
+- state->ipa_view_name = IPA_DEFAULT_VIEW_NAME;
+- } else {
+- state->ipa_view_name = view_name;
+- }
+ state->ar = ar;
+ state->dp_error = -1;
+ state->override_attrs = NULL;
+ state->filter = NULL;
+ 
++ if (view_name == NULL) {
++ DEBUG(SSSDBG_TRACE_ALL, "View not defined, nothing to do.\n");
++ ret = EOK;
++ goto done;
++ }
++
++ if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
++ state->ipa_view_name = IPA_DEFAULT_VIEW_NAME;
++ } else {
++ state->ipa_view_name = view_name;
++ }
++
+ state->sdap_op = sdap_id_op_create(state,
+ state->sdap_id_ctx->conn->conn_cache);
+ if (state->sdap_op == NULL) {
+-- 
+1.9.3
+
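Review bot: In ipa_get_view_name_done() the EOPNOTSUPP branch reassigns `ret` from ipa_check_master() and then falls out of the `if (ret != EOK)` block to the shared `goto done;` with ret == EOK, so what reads as the error exit is now also the no-views success path; a comment on that `goto done;` would spare the next reader a double take, e.g. `/* ret == EOK here: server has no views, finish without override lookup */`. The patch never clears the view name on this path — the commit message says it is "kept empty", which presumably relies on its initial NULL, and since ipa_subdomain_account_send() now skips override lookups only when `state->ipa_ctx->view_name == NULL`, a stale non-NULL name in a reused context would re-enable lookups against a server that cannot serve them; worth confirming. The fallback is logged at SSSDBG_TRACE_FUNC only, so an operator will not normally see that override processing has been disabled for this server. Minor: the new comment line in ipa_subdomains_id.c reads "supprt" for "support". All three enclosing functions continue outside their hunks.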
diff --git a/0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch b/0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch
new file mode 100644
index 0000000..9c80ef5
--- /dev/null
+++ b/0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch
@@ -0,0 +1,48 @@
+From 2e39a7b8c58ed6cc6077bef490482dbbd1ed81ac Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 20 Oct 2014 17:09:34 +0200
+Subject: [PATCH 2/4] ipa: improve error reporting for extdom LDAP exop
+
+This patch fixes a typo when calling ldap_parse_result() which prevented
+the server-side error message to be used and adds a hint that more
+information might be available on the server side.
+
+Fixes: https://fedorahosted.org/sssd/ticket/2456
+
+Reviewed-by: Jakub Hrozek
+---
+ src/providers/ipa/ipa_s2n_exop.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index 96528816a520b633f1f1caa975dee9b9515621c3..bd5c00b6a48018f8f904aaa03e8162425651b37a 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -133,7 +133,7 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
+ }
+ 
+ ret = ldap_parse_result(state->sh->ldap, reply->msg,
+- &result, &errmsg, NULL, NULL,
++ &result, NULL, &errmsg, NULL,
+ NULL, 0);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldap_parse_result failed (%d)\n",
+@@ -142,10 +142,13 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
+ goto done;
+ }
+ 
+- DEBUG(SSSDBG_TRACE_FUNC, "ldap_extended_operation result: %s(%d), %s\n",
+- sss_ldap_err2string(result), result, errmsg);
++ DEBUG(result == LDAP_SUCCESS ? SSSDBG_TRACE_FUNC : SSSDBG_OP_FAILURE,
++ "ldap_extended_operation result: %s(%d), %s.\n",
++ sss_ldap_err2string(result), result, errmsg);
+ 
+ if (result != LDAP_SUCCESS) {
++ DEBUG(SSSDBG_OP_FAILURE, "ldap_extended_operation failed, " \
++ "server logs might contain more details.\n");
+ ret = ERR_NETWORK_IO;
+ goto done;
+ }
+-- 
+1.9.3
+
diff --git a/0003-ipa_subdomains_handler_master_done-initialize-reply_.patch b/0003-ipa_subdomains_handler_master_done-initialize-reply_.patch
new file mode 100644
index 0000000..c3fc6e0
--- /dev/null
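Review bot: The rewritten DEBUG call in ipa_s2n_exop_done() still passes `errmsg` straight to `%s`, and now that the argument order fix actually delivers the server's diagnostic message, that pointer is NULL whenever the server sends none — `%s` with a NULL argument is undefined behavior even where glibc happens to print "(null)". Guard it at the call, `sss_ldap_err2string(result), result, errmsg != NULL ? errmsg : "");`. Because ldap_parse_result() now allocates errmsg, it also has to be released with ldap_memfree() on every exit; the `done:` label is outside the hunk, so I could not confirm it does. The text is server-supplied and written verbatim to the log at error level, which is acceptable for a diagnostic but is worth keeping in mind if it is ever surfaced beyond the log. ipa_s2n_exop_done() continues outside the hunk.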
+++ b/0003-ipa_subdomains_handler_master_done-initialize-reply_.patch
@@ -0,0 +1,31 @@
+From 13262a18f804638b40213a865e0a72e33123ccf1 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 14 Oct 2014 16:52:04 +0200
+Subject: [PATCH 3/4] ipa_subdomains_handler_master_done: initialize
+ reply_count
+
+This patch should mainly silence a false-positive Coverity warning but
+since further processing depends on this variable I think it is a good
+idea anyways.
+
+Reviewed-by: Pavel Reichl
+---
+ src/providers/ipa/ipa_subdomains.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
+index eb172fdfc05ac4e482174f01d89ad28db1498fc1..c61c1c666908ec23f8a92e5568222e55ec47be0a 100644
+--- a/src/providers/ipa/ipa_subdomains.c
++++ b/src/providers/ipa/ipa_subdomains.c
+@@ -1276,7 +1276,7 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
+ {
+ errno_t ret;
+ int dp_error = DP_ERR_FATAL;
+- size_t reply_count;
++ size_t reply_count = 0;
+ struct sysdb_attrs **reply = NULL;
+ struct ipa_subdomains_req_ctx *ctx;
+ 
+-- 
+1.9.3
+
diff --git a/0004-IPA-Handle-NULL-members-in-process_members.patch b/0004-IPA-Handle-NULL-members-in-process_members.patch
new file mode 100644
index 0000000..1ab81b9
--- /dev/null
+++ b/0004-IPA-Handle-NULL-members-in-process_members.patch
@@ -0,0 +1,40 @@
+From 7bdd47bfbb558d948dd2afce0ae53d22046067ef Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Tue, 14 Oct 2014 14:15:25 +0200
+Subject: [PATCH 4/4] IPA: Handle NULL members in process_members()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Lukáš Slebodník
+---
+ src/providers/ipa/ipa_s2n_exop.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index bd5c00b6a48018f8f904aaa03e8162425651b37a..2c31120b196353df52c87ef5b924a80bda134a17 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -1196,6 +1196,11 @@ static errno_t process_members(struct sss_domain_info *domain,
+ struct sss_domain_info *obj_domain;
+ struct sss_domain_info *parent_domain;
+ 
++ if (members == NULL) {
++ DEBUG(SSSDBG_TRACE_INTERNAL, "No members\n");
++ return EOK;
++ }
++
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+@@ -1731,6 +1736,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+ goto done;
+ }
+ }
++ DEBUG(SSSDBG_TRACE_FUNC, "Processing group %s\n", name);
+ 
+ ret = sysdb_attrs_add_lc_name_alias(attrs->sysdb_attrs, name);
+ if (ret != EOK) {
+-- 
+1.9.3
+
diff --git a/sssd.spec b/sssd.spec
index fa8af76..6b3c964 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -20,7 +20,7 @@
 Name: sssd
 Version: 1.12.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
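Review bot: The early return added to process_members() treats a NULL `members` list as success without saying when that happens, and the commit body is empty — only the spec changelog hints that this is the "potential crash against old (pre-4.0) IPA servers". A one-line comment on the check would carry that context into the code, e.g. `/* No member list in the extdom reply (presumably an object without members); nothing to resolve. */`, with the exact trigger confirmed by the author. The crash this avoids was presumably an unconditional dereference of `members` further down, but that code is outside the hunk, so I could not verify it. The new trace in ipa_s2n_save_objects() prints `name` with `%s`; the sysdb_attrs_add_lc_name_alias() call right after it uses the same pointer, so the trace is no less safe than the existing code. Both enclosing functions continue outside their hunks.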
@@ -29,6 +29,10 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
+Patch0001: 0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch
+Patch0002: 0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch
+Patch0003: 0003-ipa_subdomains_handler_master_done-initialize-reply_.patch
+Patch0004: 0004-IPA-Handle-NULL-members-in-process_members.patch
 ### Dependencies ###
 Requires: sssd-common = %{version}-%{release}
@@ -845,6 +849,10 @@ fi
 %postun -n libsss_idmap -p /sbin/ldconfig
 %changelog
+* Wed Oct 22 2014 Jakub Hrozek - 1.12.2-2
+- Backport several patches from upstream.
+- Fix a potential crash against old (pre-4.0) IPA servers
+
 * Mon Oct 20 2014 Jakub Hrozek - 1.12.2-1
 - New upstream release 1.12.2
 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2