Fix several regressions since 1.5.x

- Ensure that the RPM creates the /var/lib/sss/mc directory
- Add support for Netscape password warning expiration control
- Rebuild against libldb 1.1.6
This commit is contained in:
Stephen Gallagher 2012-05-24 08:23:25 -04:00
parent 7fa00add1e
commit 359d341a35
20 changed files with 5562 additions and 4 deletions


@ -1,7 +1,8 @@
From 05c49dd916dcbea2ce8f6a6b14fd54a5c67fd6db Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 22 Feb 2012 07:53:56 -0500
Subject: [PATCH] FEDORA: Change Kerberos credential cache default location
Subject: [PATCH 01/19] FEDORA: Change Kerberos credential cache default
location
On Fedora, we need to default to using /run/user/%u for credential
caches for improved security and to simplify rpc.gssd locating the


@ -0,0 +1,25 @@
From 0b6df55aee996a4b1e8824d1c58c5494b0c5fb0b Mon Sep 17 00:00:00 2001
From: Ariel Barria <arielb@fedoraproject.org>
Date: Sat, 12 May 2012 11:00:51 -0500
Subject: [PATCH 02/19] Potential NULL dereference in proxy provider
---
src/providers/proxy/proxy_id.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index 8a8c7ca80d1b24e53c3d55d06564e719a069642a..e7d9206e5081153ef389dd25db7a32816cc44839 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -215,7 +215,7 @@ static int save_user(struct sysdb_ctx *sysdb, bool lowercase,
shell = NULL;
}
- if (!lowercase || alias) {
+ if (lowercase || alias) {
attrs = sysdb_new_attrs(NULL);
if (!attrs) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Allocation error ?!\n"));
--
1.7.10.1
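Review bot: The inverted condition `if (lowercase || alias)` is the entire fix, but neither the hunk nor the subject line records why `attrs` must exist when `lowercase` is set; the dereference that the subject calls a "potential NULL dereference" is outside the hunk, so the next reader has to reconstruct the reasoning. A one-line comment above the condition would close that gap, e.g. `/* attrs is dereferenced below for both the lowercased alias and an explicit alias */`, worded to match whatever the code after the hunk actually does. save_user starts and ends outside the hunk.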


@ -0,0 +1,62 @@
From 47669c95501ee6adbb0700f4d4a62ae09daa21f7 Mon Sep 17 00:00:00 2001
From: Yuri Chornoivan <yurchor@ukr.net>
Date: Fri, 11 May 2012 23:12:19 +0300
Subject: [PATCH 03/19] Fix typos in message and man pages.
---
src/config/SSSDConfig.py | 2 +-
src/man/include/ldap_id_mapping.xml | 2 +-
src/man/sssd.conf.5.xml | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index a44e138f6461681709d78bbece86f6f8720ae31c..11da7cf2ba42076f3088cbbff81b69b39a0dc449 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -85,7 +85,7 @@ option_strings = {
'autofs_negative_timeout' : _('Negative cache timeout length (seconds)'),
# [ssh]
- 'ssh_hash_known_hosts': _('Whether to hash host names and adresses in the known_hosts file'),
+ 'ssh_hash_known_hosts': _('Whether to hash host names and addresses in the known_hosts file'),
# [provider]
'id_provider' : _('Identity provider'),
diff --git a/src/man/include/ldap_id_mapping.xml b/src/man/include/ldap_id_mapping.xml
index 62e5598eb0d31fdc1185db13ae0c433b233b9ba2..75335f5032c36c01aa0bcc14d05b60ace0c22734 100644
--- a/src/man/include/ldap_id_mapping.xml
+++ b/src/man/include/ldap_id_mapping.xml
@@ -83,7 +83,7 @@ ldap_schema = ad
</para>
<para>
NOTE: This option is different from
- <quote>id_mn</quote> in that <quote>id_min</quote>
+ <quote>id_min</quote> in that <quote>id_min</quote>
acts to filter the output of requests to this domain,
whereas this option controls the range of ID
assignment. This is a subtle distinction, but the
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e283480e3a5725a1acee93c95b20d5b504393e4f..8eaeb13ce0e2af97b19b0855d8cc7f5985659214 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -521,7 +521,7 @@
<listitem>
<para>
The default shell to use if the provider does not
- return one during lookup. This option supercedes
+ return one during lookup. This option supersedes
any other shell options if it takes effect.
</para>
<para>
@@ -786,7 +786,7 @@
<term>ssh_hash_known_hosts (bool)</term>
<listitem>
<para>
- Whether or not to hash host names and adresses in
+ Whether or not to hash host names and addresses in
the managed known_hosts file.
</para>
<para>
--
1.7.10.1


@ -0,0 +1,43 @@
From ac102092fe08183f916e6115fb6fef0f0a792126 Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzeleny@redhat.com>
Date: Mon, 14 May 2012 04:11:32 -0400
Subject: [PATCH 04/19] Fixed two minor memory leaks
---
src/providers/ldap/sdap.c | 5 ++++-
src/providers/ldap/sdap_range.c | 3 ++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 1bb513ae639c37c64cd0064066f7c69552404671..01ba418a6e50808552845f6e91db448c57adbb83 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -123,7 +123,10 @@ int sdap_parse_entry(TALLOC_CTX *memctx,
}
attrs = sysdb_new_attrs(tmp_ctx);
- if (!attrs) return ENOMEM;
+ if (!attrs) {
+ ret = ENOMEM;
+ goto done;
+ }
str = ldap_get_dn(sh->ldap, sm->msg);
if (!str) {
diff --git a/src/providers/ldap/sdap_range.c b/src/providers/ldap/sdap_range.c
index 295b6605d15a83b7994bb440e3942f5f620cbeaf..a26443c8244bc58e609b2d9c6b4a2ded71193725 100644
--- a/src/providers/ldap/sdap_range.c
+++ b/src/providers/ldap/sdap_range.c
@@ -104,7 +104,8 @@ errno_t sdap_parse_range(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_LIBS,
("[%s] contained the last set of values for this attribute\n",
attr_desc));
- return EOK;
+ ret = EOK;
+ goto done;
}
*range_offset = strtouint32(end_range, &endptr, 10);
--
1.7.10.1


@ -0,0 +1,296 @@
From 4e59e4c8f344e93a64d2bb53578c977475d76546 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 14 May 2012 13:14:14 +0200
Subject: [PATCH 05/19] Rename struct dom_sid to struct sss_dom_sid
To avoid conflicts with struct dom_sid used by samba the sss_ prefix is
added to the struct used by libsss_idmap.
---
Makefile.am | 2 +-
src/lib/idmap/sss_idmap.c | 6 +++---
src/lib/idmap/sss_idmap.h | 14 +++++++-------
src/lib/idmap/sss_idmap_conv.c | 26 +++++++++++++-------------
src/tests/sss_idmap-tests.c | 16 ++++++++--------
5 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 5089b8e5c9cd6bddd0ad038423101a0d29e8b18e..2e13a9777a074e628b48bbd23626d019c2e5c617 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -500,7 +500,7 @@ libsss_idmap_la_SOURCES = \
src/lib/idmap/sss_idmap.c \
src/lib/idmap/sss_idmap_conv.c
libsss_idmap_la_LDFLAGS = \
- -version 1:0:1
+ -version-info 0:1:0
include_HEADERS = \
diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c
index c970293bccd2385886453afdc2573e2bbbc9c7ad..c589bd458a01ecd9ba298e879e21f746a2ef50e6 100644
--- a/src/lib/idmap/sss_idmap.c
+++ b/src/lib/idmap/sss_idmap.c
@@ -361,7 +361,7 @@ enum idmap_error_code sss_idmap_unix_to_sid(struct sss_idmap_ctx *ctx,
}
enum idmap_error_code sss_idmap_dom_sid_to_unix(struct sss_idmap_ctx *ctx,
- struct dom_sid *dom_sid,
+ struct sss_dom_sid *dom_sid,
uint32_t *id)
{
enum idmap_error_code err;
@@ -407,11 +407,11 @@ done:
enum idmap_error_code sss_idmap_unix_to_dom_sid(struct sss_idmap_ctx *ctx,
uint32_t id,
- struct dom_sid **_dom_sid)
+ struct sss_dom_sid **_dom_sid)
{
enum idmap_error_code err;
char *sid = NULL;
- struct dom_sid *dom_sid = NULL;
+ struct sss_dom_sid *dom_sid = NULL;
CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
diff --git a/src/lib/idmap/sss_idmap.h b/src/lib/idmap/sss_idmap.h
index 78e786afe680fa276e75148798a590115aec2c1b..a3ec919c8041bb151747cdb8b577dc25f64ad124 100644
--- a/src/lib/idmap/sss_idmap.h
+++ b/src/lib/idmap/sss_idmap.h
@@ -90,7 +90,7 @@ struct sss_idmap_range {
/**
* Opaque type for SIDs
*/
-struct dom_sid;
+struct sss_dom_sid;
/**
* Opaque type for the idmap context
@@ -167,7 +167,7 @@ enum idmap_error_code sss_idmap_sid_to_unix(struct sss_idmap_ctx *ctx,
* idmap context
*/
enum idmap_error_code sss_idmap_dom_sid_to_unix(struct sss_idmap_ctx *ctx,
- struct dom_sid *dom_sid,
+ struct sss_dom_sid *dom_sid,
uint32_t *id);
/**
@@ -220,7 +220,7 @@ enum idmap_error_code sss_idmap_unix_to_sid(struct sss_idmap_ctx *ctx,
*/
enum idmap_error_code sss_idmap_unix_to_dom_sid(struct sss_idmap_ctx *ctx,
uint32_t id,
- struct dom_sid **dom_sid);
+ struct sss_dom_sid **dom_sid);
/**
* @brief Translate unix UID or GID to a binary SID
@@ -288,7 +288,7 @@ bool is_domain_sid(const char *str);
enum idmap_error_code sss_idmap_bin_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
const uint8_t *bin_sid,
size_t length,
- struct dom_sid **dom_sid);
+ struct sss_dom_sid **dom_sid);
/**
* @brief Convert binary SID to SID string
@@ -322,7 +322,7 @@ enum idmap_error_code sss_idmap_bin_sid_to_sid(struct sss_idmap_ctx *ctx,
* - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
*/
enum idmap_error_code sss_idmap_dom_sid_to_bin_sid(struct sss_idmap_ctx *ctx,
- struct dom_sid *dom_sid,
+ struct sss_dom_sid *dom_sid,
uint8_t **bin_sid,
size_t *length);
@@ -357,7 +357,7 @@ enum idmap_error_code sss_idmap_sid_to_bin_sid(struct sss_idmap_ctx *ctx,
* - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result
*/
enum idmap_error_code sss_idmap_dom_sid_to_sid(struct sss_idmap_ctx *ctx,
- struct dom_sid *dom_sid,
+ struct sss_dom_sid *dom_sid,
char **sid);
/**
@@ -374,7 +374,7 @@ enum idmap_error_code sss_idmap_dom_sid_to_sid(struct sss_idmap_ctx *ctx,
*/
enum idmap_error_code sss_idmap_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
const char *sid,
- struct dom_sid **dom_sid);
+ struct sss_dom_sid **dom_sid);
/**
* @}
*/
diff --git a/src/lib/idmap/sss_idmap_conv.c b/src/lib/idmap/sss_idmap_conv.c
index e2064f6dabf0c599ff415b9e5655c1d2d3f60dc5..df96fcc327679bedbe19fc2c8d7cc54f692a8161 100644
--- a/src/lib/idmap/sss_idmap_conv.c
+++ b/src/lib/idmap/sss_idmap_conv.c
@@ -33,7 +33,7 @@
#define SID_ID_AUTHS 6
#define SID_SUB_AUTHS 15
-struct dom_sid {
+struct sss_dom_sid {
uint8_t sid_rev_num;
int8_t num_auths; /* [range(0,15)] */
uint8_t id_auth[SID_ID_AUTHS]; /* highest order byte has index 0 */
@@ -43,19 +43,19 @@ struct dom_sid {
enum idmap_error_code sss_idmap_bin_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
const uint8_t *bin_sid,
size_t length,
- struct dom_sid **_dom_sid)
+ struct sss_dom_sid **_dom_sid)
{
enum idmap_error_code err;
- struct dom_sid *dom_sid;
+ struct sss_dom_sid *dom_sid;
size_t i = 0;
size_t p = 0;
uint32_t val;
CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
- if (length > sizeof(struct dom_sid)) return IDMAP_SID_INVALID;
+ if (length > sizeof(struct sss_dom_sid)) return IDMAP_SID_INVALID;
- dom_sid = ctx->alloc_func(sizeof(struct dom_sid), ctx->alloc_pvt);
+ dom_sid = ctx->alloc_func(sizeof(struct sss_dom_sid), ctx->alloc_pvt);
if (dom_sid == NULL) {
return IDMAP_OUT_OF_MEMORY;
}
@@ -101,7 +101,7 @@ done:
}
enum idmap_error_code sss_idmap_dom_sid_to_bin_sid(struct sss_idmap_ctx *ctx,
- struct dom_sid *dom_sid,
+ struct sss_dom_sid *dom_sid,
uint8_t **_bin_sid,
size_t *_length)
{
@@ -157,7 +157,7 @@ done:
}
enum idmap_error_code sss_idmap_dom_sid_to_sid(struct sss_idmap_ctx *ctx,
- struct dom_sid *dom_sid,
+ struct sss_dom_sid *dom_sid,
char **_sid)
{
enum idmap_error_code err;
@@ -222,13 +222,13 @@ done:
enum idmap_error_code sss_idmap_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
const char *sid,
- struct dom_sid **_dom_sid)
+ struct sss_dom_sid **_dom_sid)
{
enum idmap_error_code err;
unsigned long ul;
char *r;
char *end;
- struct dom_sid *dom_sid;
+ struct sss_dom_sid *dom_sid;
CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
@@ -236,11 +236,11 @@ enum idmap_error_code sss_idmap_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
return IDMAP_SID_INVALID;
}
- dom_sid = ctx->alloc_func(sizeof(struct dom_sid), ctx->alloc_pvt);
+ dom_sid = ctx->alloc_func(sizeof(struct sss_dom_sid), ctx->alloc_pvt);
if (dom_sid == NULL) {
return IDMAP_OUT_OF_MEMORY;
}
- memset(dom_sid, 0, sizeof(struct dom_sid));
+ memset(dom_sid, 0, sizeof(struct sss_dom_sid));
if (!isdigit(sid[2])) {
@@ -330,7 +330,7 @@ enum idmap_error_code sss_idmap_sid_to_bin_sid(struct sss_idmap_ctx *ctx,
size_t *_length)
{
enum idmap_error_code err;
- struct dom_sid *dom_sid = NULL;
+ struct sss_dom_sid *dom_sid = NULL;
size_t length;
uint8_t *bin_sid = NULL;
@@ -363,7 +363,7 @@ enum idmap_error_code sss_idmap_bin_sid_to_sid(struct sss_idmap_ctx *ctx,
char **_sid)
{
enum idmap_error_code err;
- struct dom_sid *dom_sid = NULL;
+ struct sss_dom_sid *dom_sid = NULL;
char *sid = NULL;
err = sss_idmap_bin_sid_to_dom_sid(ctx, bin_sid, length, &dom_sid);
diff --git a/src/tests/sss_idmap-tests.c b/src/tests/sss_idmap-tests.c
index d81922f1195413674a7a2b5f8429cfe0c2c037c5..b821dfc98b806f71e4d2a11b1fb609711d3e91b7 100644
--- a/src/tests/sss_idmap-tests.c
+++ b/src/tests/sss_idmap-tests.c
@@ -182,7 +182,7 @@ START_TEST(idmap_test_dom_sid2uid)
{
enum idmap_error_code err;
uint32_t id;
- struct dom_sid *dom_sid = NULL;
+ struct sss_dom_sid *dom_sid = NULL;
err = sss_idmap_sid_to_dom_sid(idmap_ctx, "S-1-5-21-1-2-3-1000", &dom_sid);
fail_unless(err == IDMAP_SUCCESS, "Failed to convert SID to SID structure");
@@ -219,7 +219,7 @@ END_TEST
START_TEST(idmap_test_uid2dom_sid)
{
enum idmap_error_code err;
- struct dom_sid *dom_sid = NULL;
+ struct sss_dom_sid *dom_sid = NULL;
char *sid = NULL;
err = sss_idmap_unix_to_dom_sid(idmap_ctx, 10000, &dom_sid);
@@ -269,7 +269,7 @@ END_TEST
START_TEST(idmap_test_sid_bin2dom_sid)
{
- struct dom_sid *dom_sid = NULL;
+ struct sss_dom_sid *dom_sid = NULL;
enum idmap_error_code err;
uint8_t *new_bin_sid = NULL;
size_t new_bin_sid_length;
@@ -278,12 +278,12 @@ START_TEST(idmap_test_sid_bin2dom_sid)
test_bin_sid_length, &dom_sid);
fail_unless(err == IDMAP_SUCCESS,
- "Failed to convert binary SID to struct dom_sid.");
+ "Failed to convert binary SID to struct sss_dom_sid.");
err = sss_idmap_dom_sid_to_bin_sid(idmap_ctx, dom_sid, &new_bin_sid,
&new_bin_sid_length);
fail_unless(err == IDMAP_SUCCESS,
- "Failed to convert struct dom_sid to binary SID.");
+ "Failed to convert struct sss_dom_sid to binary SID.");
fail_unless(new_bin_sid_length == test_bin_sid_length,
"Length of binary SIDs do not match.");
@@ -297,18 +297,18 @@ END_TEST
START_TEST(idmap_test_sid2dom_sid)
{
- struct dom_sid *dom_sid = NULL;
+ struct sss_dom_sid *dom_sid = NULL;
enum idmap_error_code err;
char *new_sid = NULL;
err = sss_idmap_sid_to_dom_sid(idmap_ctx, "S-1-5-21-1-2-3-1000", &dom_sid);
fail_unless(err == IDMAP_SUCCESS,
- "Failed to convert SID string to struct dom_sid.");
+ "Failed to convert SID string to struct sss_dom_sid.");
err = sss_idmap_dom_sid_to_sid(idmap_ctx, dom_sid, &new_sid);
fail_unless(err == IDMAP_SUCCESS,
- "Failed to convert struct dom_sid to SID string.");
+ "Failed to convert struct sss_dom_sid to SID string.");
fail_unless(new_sid != NULL, "SID string not set");
fail_unless(strlen("S-1-5-21-1-2-3-1000") == strlen(new_sid),
--
1.7.10.1
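Review bot: `-version-info 0:1:0` in the Makefile.am hunk is a revision-only bump, which under libtool's current:revision:age scheme declares the exported interface unchanged, yet sss_idmap.h in the same patch renames the public opaque tag `struct dom_sid` to `struct sss_dom_sid`. The rename is ABI-transparent (an opaque tag emits no symbol, and no exported function names change in the hunks shown) but it is a source-level API break for any consumer that spelt the old tag, so the header deserves a note such as `/* struct dom_sid was renamed to sss_dom_sid to avoid a clash with Samba's type */` or the current/age fields should reflect the interface change, whichever the project's policy is. The previous flag `-version 1:0:1` does not appear to be a libtool option, so this is presumably the first time a version is actually applied; a comment `# current:revision:age (libtool versioning)` beside the flag would help the next editor.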


@ -0,0 +1,25 @@
From a231d0b597a79b1a9a2617f543b1fef084532c9e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 14 May 2012 15:04:38 +0200
Subject: [PATCH 06/19] Fix libsss_hbac library version
---
Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 2e13a9777a074e628b48bbd23626d019c2e5c617..e238b3538494a254c474518a1c4ea3fae7f975c8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -492,7 +492,7 @@ libipa_hbac_la_SOURCES = \
src/providers/ipa/hbac_evaluator.c \
src/util/sss_utf8.c
libipa_hbac_la_LDFLAGS = \
- -version 1:0:1 \
+ -version-info 0:1:0 \
$(UNICODE_LIBS)
dist_pkgconfig_DATA += src/lib/idmap/sss_idmap.pc
--
1.7.10.1


@ -0,0 +1,26 @@
From 33c35e25ba25100dcd77562055eea2a0cb1197a9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 14 May 2012 15:53:18 +0200
Subject: [PATCH 07/19] NSS: keep a pointer to body after body is reallocated
---
src/responder/nss/nsssrv_cmd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index f36a9a322ab92144c93b8cb9041d7a28515cc85d..43e82ae3ad1d98d440c076513ffb78ed46feb949 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1919,6 +1919,9 @@ static int fill_grent(struct sss_packet *packet,
num++;
if (gr_mmap_cache) {
+ /* body was reallocated, so fullname might be pointing to
+ * where body used to be, not where it is */
+ to_sized_string(&fullname, (const char *)&body[rzero+STRS_ROFFSET]);
ret = sss_mmap_cache_gr_store(nctx->grp_mc_ctx,
&fullname, &pwfield, gid, memnum,
(char *)&body[rzero] + STRS_ROFFSET +
--
1.7.10.1
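Review bot: The recomputed `fullname` is re-derived from `body` at `rzero+STRS_ROFFSET`, but `pwfield`, passed on the very next line to the same call, is not refreshed; if it is also a sized_string pointing into `body` it is stale in exactly the same way, and from the hunk alone its origin cannot be seen (it may well be a constant). A one-line comment stating that, e.g. `/* pwfield is not backed by body, so it survives the realloc */`, or refreshing it the same way if it is, would settle the question for the reader. It would also be more robust to refresh `fullname` immediately after the call that grows `body` rather than just before this use, so no intermediate use can read through the old pointer. fill_grent starts and ends outside the hunk.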


@ -0,0 +1,34 @@
From f12d3379b89bb16ec8e85f496f9dbd9fba95d874 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 14 May 2012 15:58:37 +0200
Subject: [PATCH 08/19] Use sized_string correctly in FQDN domains
---
src/responder/nss/nsssrv_cmd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 43e82ae3ad1d98d440c076513ffb78ed46feb949..aa3ef3cbc0b98d3fe44e14dce212ecf1279f14f3 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1863,7 +1863,7 @@ static int fill_grent(struct sss_packet *packet,
if (add_domain) {
ret = snprintf((char *)&body[rzero + rsize],
name.len + delim + dom_len,
- namefmt, name, domain);
+ namefmt, name.str, domain);
if (ret >= (name.len + delim + dom_len)) {
/* need more space,
* got creative with the print format ? */
@@ -1879,7 +1879,7 @@ static int fill_grent(struct sss_packet *packet,
/* retry */
ret = snprintf((char *)&body[rzero + rsize],
name.len + delim + dom_len,
- namefmt, name, domain);
+ namefmt, name.str, domain);
}
if (ret != name.len + delim + dom_len - 1) {
--
1.7.10.1
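Review bot: `ret` from snprintf is compared against `name.len + delim + dom_len` without first rejecting a negative return; if `name.len` is a size_t (as a sized_string length usually is), the comparison is performed unsigned, so an encoding error (`ret < 0`) reads as "need more space", grows the buffer and retries, and is only caught afterwards by the final `ret != …` check as a generic failure. A `if (ret < 0)` guard before each comparison, bailing out with an explicit error, would make that path deliberate rather than incidental. The fix itself is right: passing the struct `name` to a `%s` conversion was undefined behaviour. fill_grent starts and ends outside the hunk.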


@ -0,0 +1,63 @@
From 6bfc4b41bfa7291eeb54a94c4eac85c7b9357565 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 15 May 2012 11:38:15 -0400
Subject: [PATCH 09/19] RPM: Allow running 'make rpms' on RHEL 5 machines
Our previous detection for this was flawed, because the %{rhel}
macro did not exist on the version of RPM shipped with RHEL 5, but
it worked when building for RHEL 5 through mock. This new patch
relies on grepping /etc/redhat-release for the version
information.
https://fedorahosted.org/sssd/ticket/1206
---
contrib/sssd.spec.in | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index e5a4ed523ef71fe5efbe5e533f0ebb52f0d7f0f9..9972ebbd752d0abbcff35639819f03a97b19327c 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -3,8 +3,10 @@
%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%endif
-%if (0%{?rhel} == 5)
-%{!?is_rhel57: %global is_rhel57 %(%{__grep} -c "5\.[^0-6]" /etc/redhat-release)}
+%global is_rhel5 %(%{__grep} -c "release 5" /etc/redhat-release)
+%global rhel5_minor %(%{__grep} -o "5.[0-9]*" /etc/redhat-release |%{__sed} -s 's/5.//')
+
+%if 0%{?is_rhel5} > 0
%global with_unicode_lib --with-unicode-lib=glib2
# we don't want to provide private python extension libs
%{?filter_setup:
@@ -65,7 +67,7 @@ BuildRequires: automake
BuildRequires: libtool
BuildRequires: m4
%{?fedora:BuildRequires: popt-devel}
-%if 0%{?rhel} <= 5
+%if 0%{?is_rhel5} > 0
BuildRequires: popt
%endif
%if 0%{?rhel} >= 6
@@ -80,7 +82,7 @@ BuildRequires: libcollection-devel
BuildRequires: libini_config-devel
BuildRequires: dbus-devel
BuildRequires: dbus-libs
-%if 0%{?is_rhel57} > 0
+%if 0%{?rhel5_minor} >= 7
BuildRequires: openldap24-libs-devel
%else
BuildRequires: openldap-devel
@@ -106,7 +108,7 @@ BuildRequires: gettext-devel
BuildRequires: pkgconfig
BuildRequires: findutils
-%if 0%{?rhel} == 5
+%if 0%{?is_rhel5} > 0
BuildRequires: glib2-devel
%else
BuildRequires: libunistring-devel
--
1.7.10.1
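Review bot: In the `rhel5_minor` definition the `.` in `"5.[0-9]*"` and in `'s/5.//'` is unescaped and so matches any character, and `-s` is sed's --separate option rather than part of the substitution, so the pipeline only yields the minor number by accident; `%{__grep} -o "release 5\.[0-9]*" /etc/redhat-release | %{__sed} 's/.*5\.//'` states the intent and is anchored on `release `. When the host's release string contains no `5.` the macro expands to empty and `0%{?rhel5_minor}` reads as 0, which is fine, but any non-numeric expansion (for example two grep matches on separate lines) would make the `%if` fail to parse, so the anchored pattern also reduces that risk. Worth a comment that this reads the build host's `/etc/redhat-release`, which is only the target's when building inside a chroot such as mock.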


@ -0,0 +1,39 @@
From 43818e4ba2a9c6fb11344da0b68138f0501f6bfc Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 16 May 2012 17:03:41 +0200
Subject: [PATCH 10/19] Use the sysdb attribute name, not LDAP attribute name
---
src/providers/ldap/sdap_async_autofs.c | 2 +-
src/providers/ldap/sdap_async_groups.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/providers/ldap/sdap_async_autofs.c b/src/providers/ldap/sdap_async_autofs.c
index 3140596efb07e8433f6e044dc2e2c8bba8735886..d8a2d0eec75c3e42cd3dc39930d20a0a51e2c541 100644
--- a/src/providers/ldap/sdap_async_autofs.c
+++ b/src/providers/ldap/sdap_async_autofs.c
@@ -770,7 +770,7 @@ sdap_autofs_setautomntent_save(struct tevent_req *req)
ret = sysdb_attrs_to_list(
tmp_ctx, state->entries,
state->entries_count,
- state->opts->autofs_entry_map[SDAP_AT_AUTOFS_ENTRY_KEY].name,
+ state->opts->autofs_entry_map[SDAP_AT_AUTOFS_ENTRY_KEY].sys_name,
&ldap_entrylist);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 361525037eb270462251fe03d0c5e1df63de73f4..b48fe72eca1ab1dfe2dcb7a97a856ecef86d6f33 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -3044,7 +3044,7 @@ sdap_nested_group_process_deref_result(struct tevent_req *req)
} else if (dctx->deref_result[dctx->result_index]->map == \
state->opts->group_map) {
ret = sysdb_attrs_get_string(dctx->deref_result[dctx->result_index]->attrs,
- state->opts->group_map[SDAP_AT_GROUP_NAME].name,
+ state->opts->group_map[SDAP_AT_GROUP_NAME].sys_name,
&tmp_name);
if (ret == ENOENT) {
DEBUG(7, ("Dereferenced a group without name, skipping ...\n"));
--
1.7.10.1


@ -0,0 +1,46 @@
From 977de33c57278fe0d90a3f937c58046298ab8742 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 16 May 2012 14:32:29 -0400
Subject: [PATCH 11/19] NSS: Expire in-memory netgroup cache before the nowait
timeout
The fact that we were keeping it in memory for the full duration
of the cache timeout meant that we would never reap the benefits
of the midpoint cache refresh.
https://fedorahosted.org/sssd/ticket/1340
---
src/responder/nss/nsssrv_netgroup.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c
index 83e79a2fae7f957264d452bbc39550cacb792774..593b7e435b1e8e504975d20a2295ce65cb60e7a0 100644
--- a/src/responder/nss/nsssrv_netgroup.c
+++ b/src/responder/nss/nsssrv_netgroup.c
@@ -416,6 +416,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
struct getent_ctx *netgr;
struct sysdb_ctx *sysdb;
char *name = NULL;
+ uint32_t lifetime;
/* Check each domain for this netgroup name */
while (dom) {
@@ -531,7 +532,14 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
name, dom->name));
netgr->ready = true;
netgr->found = true;
- set_netgr_lifetime(dom->netgroup_timeout, step_ctx, netgr);
+ if (step_ctx->nctx->cache_refresh_percent) {
+ lifetime = dom->netgroup_timeout *
+ (step_ctx->nctx->cache_refresh_percent / 100);
+ } else {
+ lifetime = dom->netgroup_timeout;
+ }
+ if (lifetime < 10) lifetime = 10;
+ set_netgr_lifetime(lifetime, step_ctx, netgr);
return EOK;
}
--
1.7.10.1
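Review bot: `step_ctx->nctx->cache_refresh_percent / 100` is evaluated first, so if `cache_refresh_percent` is an integer type (it is tested as a plain truth value just above, which suggests it is) every value below 100 divides to 0, the product is 0 and the lifetime collapses to the 10-second floor, making the in-memory netgroup entry expire almost immediately instead of at the midpoint the commit message describes. Multiply before dividing, `lifetime = dom->netgroup_timeout * step_ctx->nctx->cache_refresh_percent / 100;`, using a wider intermediate if `netgroup_timeout` can be large enough to overflow. A comment such as `/* expire at the refresh midpoint so the nowait refresh has a chance to run */` would also tie the computation to ticket 1340. lookup_netgr_step starts and ends outside the hunk.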


@ -0,0 +1,264 @@
From 56f1f51468005df27198c51acc203e2fe00312f8 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Thu, 17 May 2012 13:54:29 -0400
Subject: [PATCH 12/19] Always use positional arguments in translatable
strings
https://fedorahosted.org/sssd/ticket/1336
---
src/sss_client/pam_sss.c | 4 ++--
src/tools/sss_cache.c | 10 +++++-----
src/tools/sss_groupdel.c | 2 +-
src/tools/sss_groupmod.c | 4 ++--
src/tools/sss_groupshow.c | 10 +++++-----
src/tools/sss_useradd.c | 6 +++---
src/tools/sss_userdel.c | 8 ++++----
src/tools/sss_usermod.c | 4 ++--
src/tools/tools_util.h | 2 +-
9 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index e25792fc012c587e2ffc804057a2b43ec6b90068..9dca7e3c7b2f773abf08d5127d63b0bfc52ed06e 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -637,7 +637,7 @@ static int user_info_grace_login(pam_handle_t *pamh,
memcpy(&grace, buf + sizeof(uint32_t), sizeof(uint32_t));
ret = snprintf(user_msg, sizeof(user_msg),
_("Your password has expired. "
- "You have %d grace login(s) remaining."),
+ "You have %1$d grace login(s) remaining."),
grace);
if (ret < 0 || ret >= sizeof(user_msg)) {
D(("snprintf failed."));
@@ -682,7 +682,7 @@ static int user_info_expire_warn(pam_handle_t *pamh,
}
ret = snprintf(user_msg, sizeof(user_msg),
- _("Your password will expire in %d %s."), expire, unit);
+ _("Your password will expire in %1$d %2$s."), expire, unit);
if (ret < 0 || ret >= sizeof(user_msg)) {
D(("snprintf failed."));
return PAM_SYSTEM_ERR;
diff --git a/src/tools/sss_cache.c b/src/tools/sss_cache.c
index d0f2b28714140a068ed43d22e0b0bf75feb804e3..1b2b29fe774b58bc15bf51ec0560a681382bc66d 100644
--- a/src/tools/sss_cache.c
+++ b/src/tools/sss_cache.c
@@ -169,10 +169,10 @@ bool invalidate_entries(TALLOC_CTX *ctx, struct sysdb_ctx *sysdb,
("Searching for %s with filter %s failed\n",
type_rec.type_string, filter));
if (name) {
- ERROR("No such %s named %s, skipping\n",
+ ERROR("No such %1$s named %2$s, skipping\n",
type_rec.type_string, name);
} else {
- ERROR("No objects of type %s in the cache, skipping\n",
+ ERROR("No objects of type %1$s in the cache, skipping\n",
type_rec.type_string);
}
return false;
@@ -184,14 +184,14 @@ bool invalidate_entries(TALLOC_CTX *ctx, struct sysdb_ctx *sysdb,
if (c_name == NULL) {
DEBUG(SSSDBG_MINOR_FAILURE,
("Something bad happened, can't find attribute %s", SYSDB_NAME));
- ERROR("Couldn't invalidate %s", type_rec.type_string);
+ ERROR("Couldn't invalidate %1$s", type_rec.type_string);
iret = false;
} else {
ret = invalidate_entry(ctx, sysdb, c_name, entry_type);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
("Couldn't invalidate %s %s", type_rec.type_string, c_name));
- ERROR("Couldn't invalidate %s %s", type_rec.type_string, c_name);
+ ERROR("Couldn't invalidate %1$s %2$s", type_rec.type_string, c_name);
iret = false;
}
}
@@ -452,7 +452,7 @@ errno_t init_context(int argc, const char *argv[], struct cache_tool_ctx **tctx)
ret = init_domains(ctx, domain);
if (ret != EOK) {
if (domain) {
- ERROR("Could not open domain %s\n", domain);
+ ERROR("Could not open domain %1$s\n", domain);
} else {
ERROR("Could not open available domains\n");
}
diff --git a/src/tools/sss_groupdel.c b/src/tools/sss_groupdel.c
index 09f73504df9039a38879ba16e7d8628741176ec8..70030cab4f38b89cfbb61d896a04903eeac311f0 100644
--- a/src/tools/sss_groupdel.c
+++ b/src/tools/sss_groupdel.c
@@ -98,7 +98,7 @@ int main(int argc, const char **argv)
if ((tctx->octx->gid < tctx->local->id_min) ||
(tctx->local->id_max && tctx->octx->gid > tctx->local->id_max)) {
- ERROR("Group %s is outside the defined ID range for domain\n",
+ ERROR("Group %1$s is outside the defined ID range for domain\n",
tctx->octx->name);
ret = EXIT_FAILURE;
goto fini;
diff --git a/src/tools/sss_groupmod.c b/src/tools/sss_groupmod.c
index 47134aedf78354aa1107cf30e01fc1fcbe2abc4f..abab4f57f644215e130b787a176bf4b9a72d9e44 100644
--- a/src/tools/sss_groupmod.c
+++ b/src/tools/sss_groupmod.c
@@ -152,7 +152,7 @@ int main(int argc, const char **argv)
/* Check group names in the LOCAL domain */
ret = check_group_names(tctx, tctx->octx->addgroups, &badgroup);
if (ret != EOK) {
- ERROR("Cannot find group %s in local domain, "
+ ERROR("Cannot find group %1$s in local domain, "
"only groups in local domain are allowed\n", badgroup);
ret = EXIT_FAILURE;
goto fini;
@@ -179,7 +179,7 @@ int main(int argc, const char **argv)
/* Check group names in the LOCAL domain */
ret = check_group_names(tctx, tctx->octx->rmgroups, &badgroup);
if (ret != EOK) {
- ERROR("Cannot find group %s in local domain, "
+ ERROR("Cannot find group %1$s in local domain, "
"only groups in local domain are allowed\n", badgroup);
ret = EXIT_FAILURE;
goto fini;
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
index 764e32416b046dfc6ff2a47de37627e40b0109f0..0eecd3a9671c1aae5ced8e8fa35f4ab6a3310075 100644
--- a/src/tools/sss_groupshow.c
+++ b/src/tools/sss_groupshow.c
@@ -559,26 +559,26 @@ static void print_group_info(struct group_info *g, int level)
snprintf(fmt, 8, "%%%ds", level*PADDING_SPACES);
snprintf(padding, 512, fmt, "");
- printf(_("%s%sGroup: %s\n"), padding,
+ printf(_("%1$s%2$sGroup: %3$s\n"), padding,
g->mpg ? _("Magic Private ") : "",
g->name);
- printf(_("%sGID number: %d\n"), padding, g->gid);
+ printf(_("%1$sGID number: %2$d\n"), padding, g->gid);
- printf(_("%sMember users: "), padding);
+ printf(_("%1$sMember users: "), padding);
if (g->user_members) {
for (i=0; g->user_members[i]; ++i) {
printf("%s%s", i>0 ? "," : "",
g->user_members[i]);
}
}
- printf(_("\n%sIs a member of: "), padding);
+ printf(_("\n%1$sIs a member of: "), padding);
if (g->memberofs) {
for (i=0; g->memberofs[i]; ++i) {
printf("%s%s", i>0 ? "," : "",
g->memberofs[i]);
}
}
- printf(_("\n%sMember groups: "), padding);
+ printf(_("\n%1$sMember groups: "), padding);
}
static void print_recursive(struct group_info **group_members, int level)
diff --git a/src/tools/sss_useradd.c b/src/tools/sss_useradd.c
index 5ca2612a351bb060f172434ace3bce9c7e022a1d..4df7c098e554d4b8c924961305f35492bfba3807 100644
--- a/src/tools/sss_useradd.c
+++ b/src/tools/sss_useradd.c
@@ -150,7 +150,7 @@ int main(int argc, const char **argv)
/* Check group names in the LOCAL domain */
ret = check_group_names(tctx, tctx->octx->addgroups, &badgroup);
if (ret != EOK) {
- ERROR("Cannot find group %s in local domain\n", badgroup);
+ ERROR("Cannot find group %1$s in local domain\n", badgroup);
ret = EXIT_FAILURE;
goto fini;
}
@@ -229,7 +229,7 @@ int main(int argc, const char **argv)
ERROR("User's home directory already exists, not copying "
"data from skeldir\n");
} else if (ret != EOK) {
- ERROR("Cannot create user's home directory: %s\n", strerror(ret));
+ ERROR("Cannot create user's home directory: %1$s\n", strerror(ret));
ret = EXIT_FAILURE;
goto fini;
}
@@ -240,7 +240,7 @@ int main(int argc, const char **argv)
tctx->octx->uid,
tctx->octx->gid);
if (ret != EOK) {
- ERROR("Cannot create user's mail spool: %s\n", strerror(ret));
+ ERROR("Cannot create user's mail spool: %1$s\n", strerror(ret));
DEBUG(1, ("Cannot create user's mail spool: [%d][%s].\n",
ret, strerror(ret)));
ret = EXIT_FAILURE;
diff --git a/src/tools/sss_userdel.c b/src/tools/sss_userdel.c
index 6d5e8295877afee3106e2a9d978504697f870d46..0d1c63e4ce58544775ae28041c65443ac054ee0d 100644
--- a/src/tools/sss_userdel.c
+++ b/src/tools/sss_userdel.c
@@ -227,7 +227,7 @@ int main(int argc, const char **argv)
if ((tctx->octx->uid < tctx->local->id_min) ||
(tctx->local->id_max && tctx->octx->uid > tctx->local->id_max)) {
- ERROR("User %s is outside the defined ID range for domain\n",
+ ERROR("User %1$s is outside the defined ID range for domain\n",
tctx->octx->name);
ret = EXIT_FAILURE;
goto fini;
@@ -264,7 +264,7 @@ int main(int argc, const char **argv)
break;
case EOK:
- ERROR("WARNING: The user (uid %lu) was still logged in when "
+ ERROR("WARNING: The user (uid %1$lu) was still logged in when "
"deleted.\n", (unsigned long) tctx->octx->uid);
break;
@@ -281,7 +281,7 @@ int main(int argc, const char **argv)
ret = run_userdel_cmd(tctx);
if (ret != EOK) {
- ERROR("The post-delete command failed: %s\n", strerror(ret));
+ ERROR("The post-delete command failed: %1$s\n", strerror(ret));
goto fini;
}
@@ -295,7 +295,7 @@ int main(int argc, const char **argv)
if (ret == EPERM) {
ERROR("Not removing home dir - not owned by user\n");
} else if (ret != EOK) {
- ERROR("Cannot remove homedir: %s\n", strerror(ret));
+ ERROR("Cannot remove homedir: %1$s\n", strerror(ret));
ret = EXIT_FAILURE;
goto fini;
}
diff --git a/src/tools/sss_usermod.c b/src/tools/sss_usermod.c
index dfcde9e56c632b6ddee0ec5cf375258c713ac360..b761de225de5842624d8f888bb0d7053617eb37d 100644
--- a/src/tools/sss_usermod.c
+++ b/src/tools/sss_usermod.c
@@ -173,7 +173,7 @@ int main(int argc, const char **argv)
/* Check group names in the LOCAL domain */
ret = check_group_names(tctx, tctx->octx->addgroups, &badgroup);
if (ret != EOK) {
- ERROR("Cannot find group %s in local domain, "
+ ERROR("Cannot find group %1$s in local domain, "
"only groups in local domain are allowed\n", badgroup);
ret = EXIT_FAILURE;
goto fini;
@@ -200,7 +200,7 @@ int main(int argc, const char **argv)
/* Check group names in the LOCAL domain */
ret = check_group_names(tctx, tctx->octx->rmgroups, &badgroup);
if (ret != EOK) {
- ERROR("Cannot find group %s in local domain, "
+ ERROR("Cannot find group %1$s in local domain, "
"only groups in local domain are allowed\n", badgroup);
ret = EXIT_FAILURE;
goto fini;
diff --git a/src/tools/tools_util.h b/src/tools/tools_util.h
index fccd9d96bdc293f85d4af2ebcb0756a1fcc940cc..fd26b89056cf16b974102b5163e7ee76608a2d2e 100644
--- a/src/tools/tools_util.h
+++ b/src/tools/tools_util.h
@@ -37,7 +37,7 @@
val = getuid(); \
if (val != 0) { \
DEBUG(1, ("Running under %d, must be root\n", val)); \
- ERROR("%s must be run as root\n", prg_name); \
+ ERROR("%1$s must be run as root\n", prg_name); \
val = EXIT_FAILURE; \
goto fini; \
} \
--
1.7.10.1


@ -0,0 +1,204 @@
From 0aac71d726bda4af3ba141bed7707512cda7fd9a Mon Sep 17 00:00:00 2001
From: Joshua Roys <roysjosh@gmail.com>
Date: Mon, 14 May 2012 10:23:34 -0400
Subject: [PATCH 13/19] Simple implementation of Netscape password warning
expiration control
---
src/providers/ldap/sdap_async_connection.c | 96 +++++++++++++++++++++-------
src/util/sss_ldap.h | 8 +++
2 files changed, 82 insertions(+), 22 deletions(-)
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index e933e296b7df20ff8d034c2a11745b5c68b25e65..efd9cd8cc7205e4cb838523b0311ffd50805d590 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -26,6 +26,7 @@
#include "util/util.h"
#include "util/sss_krb5.h"
#include "util/sss_ldap.h"
+#include "util/strtonum.h"
#include "providers/ldap/sdap_async_private.h"
#include "providers/ldap/ldap_common.h"
@@ -541,7 +542,9 @@ static void simple_bind_done(struct sdap_op *op,
struct simple_bind_state *state = tevent_req_data(req,
struct simple_bind_state);
char *errmsg = NULL;
- int ret;
+ char *nval;
+ errno_t ret;
+ int lret;
LDAPControl **response_controls;
int c;
ber_int_t pp_grace;
@@ -555,30 +558,33 @@ static void simple_bind_done(struct sdap_op *op,
state->reply = talloc_steal(state, reply);
- ret = ldap_parse_result(state->sh->ldap, state->reply->msg,
+ lret = ldap_parse_result(state->sh->ldap, state->reply->msg,
&state->result, NULL, &errmsg, NULL,
&response_controls, 0);
- if (ret != LDAP_SUCCESS) {
- DEBUG(2, ("ldap_parse_result failed (%d)\n", state->op->msgid));
+ if (lret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("ldap_parse_result failed (%d)\n", state->op->msgid));
ret = EIO;
goto done;
}
if (response_controls == NULL) {
- DEBUG(5, ("Server returned no controls.\n"));
+ DEBUG(SSSDBG_TRACE_LIBS, ("Server returned no controls.\n"));
state->ppolicy = NULL;
} else {
for (c = 0; response_controls[c] != NULL; c++) {
- DEBUG(9, ("Server returned control [%s].\n",
- response_controls[c]->ldctl_oid));
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ ("Server returned control [%s].\n",
+ response_controls[c]->ldctl_oid));
if (strcmp(response_controls[c]->ldctl_oid,
LDAP_CONTROL_PASSWORDPOLICYRESPONSE) == 0) {
- ret = ldap_parse_passwordpolicy_control(state->sh->ldap,
+ lret = ldap_parse_passwordpolicy_control(state->sh->ldap,
response_controls[c],
&pp_expire, &pp_grace,
&pp_error);
- if (ret != LDAP_SUCCESS) {
- DEBUG(1, ("ldap_parse_passwordpolicy_control failed.\n"));
+ if (lret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("ldap_parse_passwordpolicy_control failed.\n"));
ret = EIO;
goto done;
}
@@ -586,9 +592,10 @@ static void simple_bind_done(struct sdap_op *op,
DEBUG(7, ("Password Policy Response: expire [%d] grace [%d] "
"error [%s].\n", pp_expire, pp_grace,
ldap_passwordpolicy_err2txt(pp_error)));
- state->ppolicy = talloc(state, struct sdap_ppolicy_data);
+ if (!state->ppolicy)
+ state->ppolicy = talloc_zero(state,
+ struct sdap_ppolicy_data);
if (state->ppolicy == NULL) {
- DEBUG(1, ("talloc failed.\n"));
ret = ENOMEM;
goto done;
}
@@ -596,36 +603,81 @@ static void simple_bind_done(struct sdap_op *op,
state->ppolicy->expire = pp_expire;
if (state->result == LDAP_SUCCESS) {
if (pp_error == PP_changeAfterReset) {
- DEBUG(4, ("Password was reset. "
- "User must set a new password.\n"));
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("Password was reset. "
+ "User must set a new password.\n"));
state->result = LDAP_X_SSSD_PASSWORD_EXPIRED;
} else if (pp_grace > 0) {
- DEBUG(4, ("Password expired. "
- "[%d] grace logins remaining.\n", pp_grace));
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("Password expired. "
+ "[%d] grace logins remaining.\n",
+ pp_grace));
} else if (pp_expire > 0) {
- DEBUG(4, ("Password will expire in [%d] seconds.\n",
- pp_expire));
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("Password will expire in [%d] seconds.\n",
+ pp_expire));
}
} else if (state->result == LDAP_INVALID_CREDENTIALS &&
pp_error == PP_passwordExpired) {
- DEBUG(4,
+ DEBUG(SSSDBG_TRACE_LIBS,
("Password expired user must set a new password.\n"));
state->result = LDAP_X_SSSD_PASSWORD_EXPIRED;
}
+ } else if (strcmp(response_controls[c]->ldctl_oid,
+ LDAP_CONTROL_PWEXPIRED) == 0) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("Password expired user must set a new password.\n"));
+ state->result = LDAP_X_SSSD_PASSWORD_EXPIRED;
+ } else if (strcmp(response_controls[c]->ldctl_oid,
+ LDAP_CONTROL_PWEXPIRING) == 0) {
+ /* ignore controls with suspiciously long values */
+ if (response_controls[c]->ldctl_value.bv_len > 32) {
+ continue;
+ }
+
+ if (!state->ppolicy) {
+ state->ppolicy = talloc(state, struct sdap_ppolicy_data);
+ }
+
+ if (state->ppolicy == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ /* ensure that bv_val is a null-terminated string */
+ nval = talloc_strndup(NULL,
+ response_controls[c]->ldctl_value.bv_val,
+ response_controls[c]->ldctl_value.bv_len);
+ if (nval == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ state->ppolicy->expire = strtouint32(nval, NULL, 10);
+ ret = errno;
+ talloc_zfree(nval);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not convert control response to an integer. ",
+ "[%s]\n", strerror(ret)));
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("Password will expire in [%d] seconds.\n",
+ state->ppolicy->expire));
}
}
}
- DEBUG(3, ("Bind result: %s(%d), %s\n",
+ DEBUG(SSSDBG_TRACE_FUNC, ("Bind result: %s(%d), %s\n",
sss_ldap_err2string(state->result), state->result,
errmsg ? errmsg : "no errmsg set"));
- ret = LDAP_SUCCESS;
+ ret = EOK;
done:
ldap_controls_free(response_controls);
ldap_memfree(errmsg);
- if (ret == LDAP_SUCCESS) {
+ if (ret == EOK) {
tevent_req_done(req);
} else {
tevent_req_error(req, ret);
diff --git a/src/util/sss_ldap.h b/src/util/sss_ldap.h
index 8a69b832965bf5ad23986a9b64cb5252cc3b1999..46829259aedcf4a4f2ba3f94fc059c343c0e9ba6 100644
--- a/src/util/sss_ldap.h
+++ b/src/util/sss_ldap.h
@@ -29,6 +29,14 @@
#define LDAP_X_SSSD_PASSWORD_EXPIRED 0x555D
+#ifndef LDAP_CONTROL_PWEXPIRED
+#define LDAP_CONTROL_PWEXPIRED "2.16.840.1.113730.3.4.4"
+#endif
+
+#ifndef LDAP_CONTROL_PWEXPIRING
+#define LDAP_CONTROL_PWEXPIRING "2.16.840.1.113730.3.4.5"
+#endif
+
#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE
#define SDAP_DIAGNOSTIC_MESSAGE LDAP_OPT_DIAGNOSTIC_MESSAGE
#else
--
1.7.10.1
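Review bot: The DEBUG call on the failed-conversion path has a stray comma after the first string literal, `("Could not convert control response to an integer. ", "[%s]\n", strerror(ret))`, so the format string contains no `%s` and both the `"[%s]\n"` literal and the `strerror(ret)` result become unused extra arguments; dropping the comma, `("Could not convert control response to an integer. " "[%s]\n", strerror(ret))`, makes the message actually print the error. In the same LDAP_CONTROL_PWEXPIRING branch the policy struct is allocated with plain `talloc`, unlike the `talloc_zero` this commit introduces for the password-policy control, so a struct first created here has an indeterminate `grace` field (and any other member of `struct sdap_ppolicy_data` besides `expire`); `state->ppolicy = talloc_zero(state, struct sdap_ppolicy_data);` keeps the two paths consistent. `ret = errno` after `strtouint32()` also relies on the helper clearing errno on success, which this hunk does not show; if it does not, a stale errno from an earlier call would turn a valid control into a bind failure, and `errno = 0;` immediately before the call removes that dependency. Passing NULL as endptr means trailing non-digit bytes in the server-supplied value are silently accepted as a valid expiry; a non-NULL endptr compared against the end of `nval` would reject them. simple_bind_done() begins outside the hunk.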


@ -0,0 +1,45 @@
From 0549c49a94c24672657748303fff1d33128c1c74 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 21 May 2012 20:36:44 -0400
Subject: [PATCH 14/19] KRB5: Avoid NULL-dereference with empty keytab
https://fedorahosted.org/sssd/ticket/1330
---
src/util/sss_krb5.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 988531995aba7fd7a2a1d801fabde19fa537e26b..81a1623ef9df340d7618bdf55c1707ce4cfb1a6a 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -1104,14 +1104,20 @@ sss_krb5_read_etypes_for_keytab(TALLOC_CTX *mem_ctx,
}
if (ret == 0) {
- /* Sort the preferred enctypes first */
- qsort(etypes, count, sizeof(*etypes), compare_etypes);
- etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, count);
- if (etypes == NULL) {
- ret = ENOMEM;
+ if (etypes) {
+ /* Sort the preferred enctypes first */
+ qsort(etypes, count, sizeof(*etypes), compare_etypes);
+ etypes = talloc_realloc(tmp_ctx, etypes, krb5_enctype, count);
+ if (etypes == NULL) {
+ ret = ENOMEM;
+ } else {
+ *etype_list = talloc_steal(mem_ctx, etypes);
+ *n_etype_list = count;
+ }
} else {
- *etype_list = talloc_steal(mem_ctx, etypes);
- *n_etype_list = count;
+ /* The key table was empty. There are no enctypes to match */
+ *etype_list = NULL;
+ *n_etype_list = 0;
}
}
--
1.7.10.1
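Review bot: The new `if (etypes)` guard selects the empty-keytab case by the pointer rather than by `count`, which is only correct if `etypes` stays NULL until the first entry is stored — the code that fills it is not in the hunk, so that invariant cannot be confirmed here. A comment on the guard stating it, such as `/* etypes is only allocated once an entry is read; NULL here means the keytab had no entries */`, would tie the else branch's explanation to the condition that actually selects it. Callers of sss_krb5_read_etypes_for_keytab() can now receive a NULL list with a zero count on a successful return and each must tolerate that pair; the function begins and ends outside the hunk.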


@ -0,0 +1,27 @@
From e52a31484c88d46e381238493384f26d9c95f8ff Mon Sep 17 00:00:00 2001
From: Ariel Barria <arielb@fedoraproject.org>
Date: Tue, 22 May 2012 07:13:21 -0500
Subject: [PATCH 15/19] Warn to syslog when dereference requests fail
---
src/providers/ldap/sdap_async.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index a8a12c3d390a4ebee0dca81d6610be9fe240a4a6..14a27bcba2385fef5980a5a933cb7e7a9742a231 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2051,8 +2051,8 @@ static void sdap_deref_search_done(struct tevent_req *subreq)
talloc_zfree(subreq);
if (ret != EOK) {
- DEBUG(2, ("dereference processing failed [%d]: %s\n",
- ret, strerror(ret)));
+ DEBUG(2, ("dereference processing failed [%d]: %s\n", ret, strerror(ret)));
+ sss_log(SSS_LOG_WARNING, "dereference processing failed : %s", strerror(ret));
tevent_req_error(req, ret);
return;
}
--
1.7.10.1
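Review bot: The new syslog message drops the numeric errno that the adjacent DEBUG keeps, and the `strerror()` text alone is harder to correlate with the debug log; `sss_log(SSS_LOG_WARNING, "dereference processing failed [%d]: %s", ret, strerror(ret));` keeps both messages aligned and removes the stray space before the colon. The DEBUG call was also re-flowed onto a single line well past the width every other line in these patches wraps at, an unrelated change in a one-line fix; leaving the original wrapping limits the diff to the added line. sdap_deref_search_done() begins and ends outside the hunk.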



@ -0,0 +1,58 @@
From 04462f020ebb14c9b7a34425606f47db064f4f4a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 22 May 2012 17:41:52 +0200
Subject: [PATCH 17/19] LDAP nested groups: Do not process callback with _post
deep in the nested structure
https://fedorahosted.org/sssd/ticket/1343
---
src/providers/ldap/sdap_async_groups.c | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index b48fe72eca1ab1dfe2dcb7a97a856ecef86d6f33..c3cc2ac92b80a52632655be03f8386ab2e68d7b9 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -2493,14 +2493,13 @@ static errno_t sdap_nested_group_lookup_user(struct tevent_req *req,
ret = sdap_nested_group_process_step(req);
}
- if (ret == EOK) {
- /* EOK means it's complete */
- tevent_req_done(req);
- tevent_req_post(req, state->ev);
- } else if (ret != EAGAIN) {
+ if (ret != EOK && ret != EAGAIN) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Nested group processing failed\n"));
return ret;
+ } else if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, ("All done.\n"));
+ tevent_req_done(req);
}
-
return EOK;
}
/*
@@ -2578,14 +2577,13 @@ static errno_t sdap_nested_group_lookup_group(struct tevent_req *req)
ret = sdap_nested_group_process_step(req);
}
- if (ret == EOK) {
- /* EOK means it's complete */
- tevent_req_done(req);
- tevent_req_post(req, state->ev);
- } else if (ret != EAGAIN) {
+ if (ret != EOK && ret != EAGAIN) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Nested group processing failed\n"));
return ret;
+ } else if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, ("All done.\n"));
+ tevent_req_done(req);
}
-
return EOK;
}
--
1.7.10.1
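Review bot: Dropping `tevent_req_post()` on the EOK path follows the tevent convention that a request completed from a subrequest callback must not be posted again, but nothing in the hunk records that sdap_nested_group_lookup_user() is only ever reached that way; a comment above `tevent_req_done(req)`, such as `/* reached from a subrequest callback, never from _send, so the request must not be _post-ed here */`, would keep the next maintainer from restoring the call. The same rewrite is applied to sdap_nested_group_lookup_group() in the second hunk and the two result-handling blocks are now identical, so a small static helper taking `req` and `ret` would give that comment one home instead of two. Both enclosing functions begin outside their hunks.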


@ -0,0 +1,35 @@
From 2c3443347ea83ff5e39515bd47b632c8efa1124c Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzeleny@redhat.com>
Date: Tue, 15 May 2012 10:49:14 -0400
Subject: [PATCH 18/19] Fixed issue in SELinux user maps
There was an issue when IPA provider didn't set PAM_SUCCESS when
successfully finished loading SELinux user maps. This lead to the map
not being read in the responder.
---
src/providers/ipa/ipa_session.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c
index e23b0120e6c2ce1303f4e70190721721a99b124a..238acdde776520dbb69046b8d45ecac4569e5cbc 100644
--- a/src/providers/ipa/ipa_session.c
+++ b/src/providers/ipa/ipa_session.c
@@ -104,6 +104,7 @@ static void ipa_session_handler_done(struct tevent_req *req)
struct sysdb_attrs **maps;
bool in_transaction = false;
char *default_user;
+ struct pam_data *pd = talloc_get_type(breq->req_data, struct pam_data);
char *map_order;
ret = ipa_get_selinux_recv(req, breq, &map_count, &maps,
@@ -140,6 +141,7 @@ static void ipa_session_handler_done(struct tevent_req *req)
in_transaction = false;
+ pd->pam_status = PAM_SUCCESS;
breq->fn(breq, DP_ERR_OK, EOK, "Success");
return;
--
1.7.10.1
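Review bot: `pd` is obtained with `talloc_get_type()`, which yields NULL when `breq->req_data` does not carry the `struct pam_data` type name, and the new `pd->pam_status = PAM_SUCCESS;` dereferences it without a check. A guard right after the declaration that reports the failure through the handler's existing error path (which is outside the hunk, so I cannot name its label) belongs before the assignment; if `req_data` is guaranteed to be a `struct pam_data` for this handler, a one-line comment on the declaration saying so would at least make the assumption visible. ipa_session_handler_done() begins and ends outside the hunk.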


@ -0,0 +1,35 @@
From faa68e44b8f4237cc7a99a94dadc090ae8bd003f Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 23 May 2012 08:35:26 -0400
Subject: [PATCH 19/19] NSS: Fix segfault when mmap cache cannot be
initialized
---
src/responder/nss/nsssrv_cmd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index aa3ef3cbc0b98d3fe44e14dce212ecf1279f14f3..1b444e68a2f09749a3f230905febc5efa15c8a82 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -365,7 +365,7 @@ static int fill_pwent(struct sss_packet *packet,
num++;
- if (pw_mmap_cache) {
+ if (pw_mmap_cache && nctx->pwd_mc_ctx) {
ret = sss_mmap_cache_pw_store(nctx->pwd_mc_ctx,
&fullname, &pwfield,
uid, gid,
@@ -1918,7 +1918,7 @@ static int fill_grent(struct sss_packet *packet,
num++;
- if (gr_mmap_cache) {
+ if (gr_mmap_cache && nctx->grp_mc_ctx) {
/* body was reallocated, so fullname might be pointing to
* where body used to be, not where it is */
to_sized_string(&fullname, (const char *)&body[rzero+STRS_ROFFSET]);
--
1.7.10.1


@ -12,11 +12,11 @@
# Determine the location of the LDB modules directory
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
%global ldb_version 1.1.4
%global ldb_version 1.1.6
Name: sssd
Version: 1.9.0
Release: 1%{?dist}.beta1
Release: 2%{?dist}.beta1
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -26,7 +26,27 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch1001: FED01-Change-Kerberos-credential-cache-default-loca.patch
#Fedora-specific: set the default credential cache location
Patch0001: 0001-FEDORA-Change-Kerberos-credential-cache-default-loca.patch
Patch0002: 0002-Potential-NULL-dereference-in-proxy-provider.patch
Patch0003: 0003-Fix-typos-in-message-and-man-pages.patch
Patch0004: 0004-Fixed-two-minor-memory-leaks.patch
Patch0005: 0005-Rename-struct-dom_sid-to-struct-sss_dom_sid.patch
Patch0006: 0006-Fix-libsss_hbac-library-version.patch
Patch0007: 0007-NSS-keep-a-pointer-to-body-after-body-is-reallocated.patch
Patch0008: 0008-Use-sized_string-correctly-in-FQDN-domains.patch
Patch0009: 0009-RPM-Allow-running-make-rpms-on-RHEL-5-machines.patch
Patch0010: 0010-Use-the-sysdb-attribute-name-not-LDAP-attribute-name.patch
Patch0011: 0011-NSS-Expire-in-memory-netgroup-cache-before-the-nowai.patch
Patch0012: 0012-Always-use-positional-arguments-in-translatable-stri.patch
Patch0013: 0013-Simple-implementation-of-Netscape-password-warning-e.patch
Patch0014: 0014-KRB5-Avoid-NULL-dereference-with-empty-keytab.patch
Patch0015: 0015-Warn-to-syslog-when-dereference-requests-fail.patch
Patch0016: 0016-Update-translation-sources.patch
Patch0017: 0017-LDAP-nested-groups-Do-not-process-callback-with-_pos.patch
Patch0018: 0018-Fixed-issue-in-SELinux-user-maps.patch
Patch0019: 0019-NSS-Fix-segfault-when-mmap-cache-cannot-be-initializ.patch
### Dependencies ###
@ -48,6 +68,7 @@ Requires(postun): systemd-units initscripts chkconfig /sbin/ldconfig
%global dbpath %{sssdstatedir}/db
%global pipepath %{sssdstatedir}/pipes
%global pubconfpath %{sssdstatedir}/pubconf
%global mcachepath %{sssdstatedir}/mc
### Build Dependencies ###
@ -213,6 +234,7 @@ autoreconf -ivf
--with-db-path=%{dbpath} \
--with-pipe-path=%{pipepath} \
--with-pubconf-path=%{pubconfpath} \
--with-mcache-path=%{mcachepath} \
--with-init-dir=%{_initrddir} \
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
--enable-nsslibdir=/%{_lib} \
@ -336,6 +358,7 @@ rm -rf $RPM_BUILD_ROOT
%attr(700,root,root) %dir %{dbpath}
%attr(755,root,root) %dir %{pipepath}
%attr(755,root,root) %dir %{pubconfpath}
%attr(755,root,root) %dir %{mcachepath}
%attr(700,root,root) %dir %{pipepath}/private
%attr(750,root,root) %dir %{_var}/log/%{name}
%attr(700,root,root) %dir %{_sysconfdir}/sssd
@ -486,6 +509,12 @@ fi
%postun -n libipa_hbac -p /sbin/ldconfig
%changelog
* Thu May 24 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.9.0-2.beta1
- Fix several regressions since 1.5.x
- Ensure that the RPM creates the /var/lib/sss/mc directory
- Add support for Netscape password warning expiration control
- Rebuild against libldb 1.1.6
* Fri May 11 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.9.0-1.beta1
- New upstream release 1.9.0 beta 1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.0beta1