diff --git a/0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch b/0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch
new file mode 100644
index 0000000..a379cd0
--- /dev/null
+++ b/0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch
@@ -0,0 +1,124 @@
+From 2b965403ecc5a6685602859945a4b73d0f5cddcd Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Wed, 2 May 2018 11:37:55 +0200
+Subject: [PATCH] CACHE_REQ: Do not fail the domain locator plugin if ID
+ outside the domain range is looked up
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A fix for upstream bug #3569 and the domain-locator feature were both
+developed in the context of the same upstream version and therefore
+touched the same code, but the domain locator did not account for the
+ERR_ID_OUTSIDE_RANGE error code.
+
+Therefore lookups for IDs that are outside the range for the domain
+caused the whole lookup to fail instead of carrying on to the next
+domain.
+
+This patch just handles ERR_ID_OUTSIDE_RANGE the same way as if the ID
+was not found at all. Also some whitespace errors are fixed.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3728
+
+Reviewed-by: Fabiano FidĂȘncio
+(cherry picked from commit 2952de740f2ec1da9cbd682fb1d9219e5370e6a1)
+---
+ src/responder/common/cache_req/cache_req.c | 1 +
+ .../cache_req/plugins/cache_req_common.c | 2 +-
+ .../cache_req/plugins/cache_req_group_by_id.c | 2 +-
+ src/tests/cmocka/test_responder_cache_req.c | 32 +++++++++++++++++++
+ 4 files changed, 35 insertions(+), 2 deletions(-)
+
+diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
+index 134688b0f..28b563392 100644
+--- a/src/responder/common/cache_req/cache_req.c
++++ b/src/responder/common/cache_req/cache_req.c
+@@ -523,6 +523,7 @@ static void cache_req_locate_dom_cache_done(struct tevent_req *subreq)
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Result found in the cache\n");
+ tevent_req_done(req);
+ return;
++ case ERR_ID_OUTSIDE_RANGE:
+ case ENOENT:
+ /* Not cached and locator was requested, run the locator
+ * DP request plugin
+diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c 
b/src/responder/common/cache_req/plugins/cache_req_common.c
+index 240416803..d19ca8912 100644
+--- a/src/responder/common/cache_req/plugins/cache_req_common.c
++++ b/src/responder/common/cache_req/plugins/cache_req_common.c
+@@ -27,7 +27,7 @@
+ #include "responder/common/cache_req/cache_req_plugin.h"
+
+ errno_t cache_req_idminmax_check(struct cache_req_data *data,
+- struct sss_domain_info *domain)
++ struct sss_domain_info *domain)
+ {
+ if (((domain->id_min != 0) && (data->id < domain->id_min)) ||
+ ((domain->id_max != 0) && (data->id > domain->id_max))) {
+diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
+index 3fb81032b..e0c6b6515 100644
+--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
++++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
+@@ -85,7 +85,7 @@ cache_req_group_by_id_lookup(TALLOC_CTX *mem_ctx,
+
+ ret = cache_req_idminmax_check(data, domain);
+ if (ret != EOK) {
+- return ret;
++ return ret;
+ }
+ return sysdb_getgrgid_with_views(mem_ctx, domain, data->id, _result);
+ }
+diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
+index 252d89dad..45d71b83b 100644
+--- a/src/tests/cmocka/test_responder_cache_req.c
++++ b/src/tests/cmocka/test_responder_cache_req.c
+@@ -1827,6 +1827,37 @@ void test_group_by_id_multiple_domains_notfound(void **state)
+ assert_true(test_ctx->dp_called);
+ }
+
++void test_group_by_id_multiple_domains_outside_id_range(void **state)
++{
++ struct cache_req_test_ctx *test_ctx = NULL;
++ struct sss_domain_info *domain = NULL;
++ struct sss_domain_info *domain_a = NULL;
++
++ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
++
++ domain_a = find_domain_by_name(test_ctx->tctx->dom,
++ "responder_cache_req_test_a", true);
++ assert_non_null(domain_a);
++ domain_a->id_min = 1;
++ domain_a->id_max = 100;
++
++ /* Setup group. 
*/
++ domain = find_domain_by_name(test_ctx->tctx->dom,
++ "responder_cache_req_test_d", true);
++ assert_non_null(domain);
++ prepare_group(domain, &groups[0], 1000, time(NULL));
++
++ /* Mock values. */
++ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
++ will_return_always(sss_dp_req_recv, 0);
++ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
++
++ /* Test. */
++ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
++ assert_true(test_ctx->dp_called);
++ check_group(test_ctx, &groups[0], domain);
++}
++
+ void test_group_by_id_multiple_domains_locator_cache_valid(void **state)
+ {
+ struct cache_req_test_ctx *test_ctx = NULL;
+@@ -3970,6 +4001,7 @@ int main(int argc, const char *argv[])
+ new_single_domain_test(group_by_id_missing_notfound),
+ new_multi_domain_test(group_by_id_multiple_domains_found),
+ new_multi_domain_test(group_by_id_multiple_domains_notfound),
++ new_multi_domain_test(group_by_id_multiple_domains_outside_id_range),
+
+ new_multi_domain_test(group_by_id_multiple_domains_locator_cache_valid),
+ new_multi_domain_test(group_by_id_multiple_domains_locator_cache_expired),
+--
+2.17.0
+
diff --git a/sssd.spec b/sssd.spec
index f44e77f..548afac 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -101,6 +101,7 @@ Patch0056: 0056-DYNDNS-Retry-also-on-timeouts.patch
 Patch0057: 0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch
 Patch0058: 0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
 Patch0059: 0059-Do-not-keep-allocating-external-groups-on-a-long-liv.patch
+Patch0060: 0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
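Review bot: The new `case ERR_ID_OUTSIDE_RANGE:` in `cache_req_locate_dom_cache_done` falls through to the `ENOENT` branch, whose comment still says only "Not cached and locator was requested", so nothing at the switch records that an ID rejected by a domain's id_min/id_max limits is deliberately treated as not found. I would add a comment above the new label, e.g. `/* ID outside this domain's id_min/id_max: handle as not found so the lookup continues */`. The added test exercises only the group-by-ID path with `sss_dp_get_account_domain_recv` mocked to `ERR_GET_ACCT_DOM_NOT_SUPPORTED`; because `cache_req_idminmax_check` sits in the shared cache_req_common.c, other by-ID lookups presumably hit the same code and would merit an equivalent case, and `assert_true(test_ctx->dp_called)` does not show that the range-limited domain was skipped rather than queried. The switch body continues outside the hunk.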
@@ -1315,6 +1316,8 @@ fi - Resolves: upstream#3719 - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process +- Resolves: upstream#3728 - Request by ID outside the min_id/max_id limit of a + first domain does not reach the second domain * Sat May 05 2018 Fabiano FidĂȘncio - 1.16.1-4 - Resolves: rhbz#1574778 - sssd fails to download known_hosts from freeipa