diff --git a/0001-Sanitize-search-filters-for-nested-group-lookups.patch b/0001-Sanitize-search-filters-for-nested-group-lookups.patch
deleted file mode 100644
index 58b9544..0000000
--- a/0001-Sanitize-search-filters-for-nested-group-lookups.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From 979943195da209bdc28efd5e90a19f888f4b88ed Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Mon, 31 Jan 2011 13:00:56 -0500 -Subject: [PATCH] Sanitize search filters for nested group lookups - ---- - src/providers/ldap/sdap_async_accounts.c | 20 +++++++++++++++++--- - 1 files changed, 17 insertions(+), 3 deletions(-) - -diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c -index 648f9a734eca60401c07d2b0d0fa432751c9ab73..5b6d3d74ac1496fe6a4266c327d0111e12e24b64 100644 ---- a/src/providers/ldap/sdap_async_accounts.c -+++ b/src/providers/ldap/sdap_async_accounts.c -@@ -3409,6 +3409,7 @@ errno_t save_rfc2307bis_user_memberships( - { - errno_t ret, tret; - char *member_dn; -+ char *sanitized_dn; - char *filter; - const char **attrs; - size_t reply_count, i; -@@ -3447,12 +3448,18 @@ errno_t save_rfc2307bis_user_memberships( - ret = ENOMEM; - goto error; - } -+ ret = sss_filter_sanitize(tmp_ctx, member_dn, &sanitized_dn); -+ if (ret != EOK) { -+ goto error; -+ } -+ talloc_free(member_dn); - -- filter = talloc_asprintf(tmp_ctx, "(member=%s)", member_dn); -+ filter = talloc_asprintf(tmp_ctx, "(member=%s)", sanitized_dn); - if (!filter) { - ret = ENOMEM; - goto error; - } -+ talloc_free(sanitized_dn); - - ret = sysdb_search_groups(tmp_ctx, state->sysdb, state->dom, - filter, attrs, &reply_count, &replies); -@@ -3874,6 +3881,7 @@ static errno_t rfc2307bis_nested_groups_update_sysdb( - const char *name; - bool in_transaction = false; - char *member_dn; -+ char *sanitized_dn; - char *filter; - const char **attrs; - size_t reply_count, i; -@@ -3918,12 +3926,18 @@ static errno_t rfc2307bis_nested_groups_update_sysdb( - goto error; - } - -- filter = talloc_asprintf(tmp_ctx, "(member=%s)", member_dn); -+ ret = sss_filter_sanitize(tmp_ctx, member_dn, &sanitized_dn); -+ if (ret != EOK) { -+ goto error; -+ } -+ talloc_free(member_dn); -+ -+ filter = talloc_asprintf(tmp_ctx, "(member=%s)", sanitized_dn); - if 
(!filter) { - ret = ENOMEM; - goto error; - } -- talloc_free(member_dn); -+ talloc_free(sanitized_dn); - - ret = sysdb_search_groups(tmp_ctx, state->sysdb, state->dom, - filter, attrs, --- -1.7.3.5 - diff --git a/0004-Remove-cached-user-entry-if-initgroups-returns-ENOEN.patch b/0004-Remove-cached-user-entry-if-initgroups-returns-ENOEN.patch deleted file mode 100644 index fc8137e..0000000 --- a/0004-Remove-cached-user-entry-if-initgroups-returns-ENOEN.patch +++ /dev/null @@ -1,36 +0,0 @@ -From e7c95d693f4694f64790c3105550c141e94c5b45 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Thu, 17 Feb 2011 14:33:50 -0500 -Subject: [PATCH 4/6] Remove cached user entry if initgroups returns ENOENT - -This behavior was present for getpwnam() but was lacking for -initgroups. ---- - src/providers/ldap/ldap_id.c | 11 +++++++++++ - 1 files changed, 11 insertions(+), 0 deletions(-) - -diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c -index 09f0026b00cda442f90e07e30e0d083a53206d85..9a234280082f7396eda4307e9e4bb4bd63b5615c 100644 ---- a/src/providers/ldap/ldap_id.c -+++ b/src/providers/ldap/ldap_id.c -@@ -631,6 +631,17 @@ static void groups_by_user_done(struct tevent_req *subreq) - return; - } - -+ if (ret == ENOENT) { -+ ret = sysdb_delete_user(state, -+ state->ctx->be->sysdb, -+ state->ctx->be->domain, -+ state->name, 0); -+ if (ret != EOK && ret != ENOENT) { -+ tevent_req_error(req, ret); -+ return; -+ } -+ } -+ - state->dp_error = DP_ERR_OK; - tevent_req_done(req); - } --- -1.7.4 - diff --git a/0005-Perform-initgroups-lookups-for-all-domains.patch b/0005-Perform-initgroups-lookups-for-all-domains.patch deleted file mode 100644 index 1ee234c..0000000 --- a/0005-Perform-initgroups-lookups-for-all-domains.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 4ef3fd7c5d0defbc1e2fca745853f0d292201f28 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Fri, 18 Feb 2011 09:33:42 -0500 -Subject: [PATCH 5/6] Perform initgroups lookups for all domains - -Previously, we were setting the client context PAM lookup timeout -after the first domain replied. However, if the user wasn't a -member of the first domain, their information wasn't being -updated. - -This patch ensures that we only set this timeout after the user -has been found or all domains were searched. ---- - src/responder/pam/pamsrv_cmd.c | 8 +++++--- - 1 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index 79993d3366073c75f1873ee8176eb4a70f2a383d..8035a687846fa6f4305fe129d1ec87d3291a7fc8 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -952,10 +952,12 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min, - (unsigned int)err_maj, (unsigned int)err_min, err_msg)); - } - -- /* Make sure we don't go to the ID provider too often */ -- preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout; -- - ret = pam_check_user_search(preq); -+ if (ret == EOK || ret == ENOENT) { -+ /* Make sure we don't go to the ID provider too often */ -+ preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout; -+ } -+ - if (ret == EOK) { - pam_dom_forwarder(preq); - } --- -1.7.4 - diff --git a/0006-IPA-provider-remove-deleted-groups-during-initgroups.patch b/0006-IPA-provider-remove-deleted-groups-during-initgroups.patch deleted file mode 100644 index 69cdb07..0000000 --- a/0006-IPA-provider-remove-deleted-groups-during-initgroups.patch +++ /dev/null 
@@ -1,168 +0,0 @@ -From 9ffe746a46b299162c31a3864cb5db8b8518a569 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Fri, 18 Feb 2011 16:23:15 -0500 -Subject: [PATCH 6/6] IPA provider: remove deleted groups during initgroups() - -The IPA provider was not properly removing groups in the cache -that the user was no longer a member of. - -https://fedorahosted.org/sssd/ticket/803 ---- - src/providers/ldap/sdap_async_accounts.c | 115 +++++++++++++++++++++++++++++- - 1 files changed, 112 insertions(+), 3 deletions(-) - -diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c -index 5b6d3d74ac1496fe6a4266c327d0111e12e24b64..8e459598674d589c0cdfcece125c183f7c95bb4d 100644 ---- a/src/providers/ldap/sdap_async_accounts.c -+++ b/src/providers/ldap/sdap_async_accounts.c -@@ -2161,6 +2161,8 @@ struct sdap_initgr_nested_state { - struct sss_domain_info *dom; - struct sdap_handle *sh; - -+ const char *username; -+ - const char **grp_attrs; - - char *filter; -@@ -2188,7 +2190,8 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx, - struct tevent_req *req, *subreq; - struct sdap_initgr_nested_state *state; - struct ldb_message_element *el; -- int i, ret; -+ int i; -+ errno_t ret; - - req = tevent_req_create(memctx, &state, struct sdap_initgr_nested_state); - if (!req) return NULL; -@@ -2201,6 +2204,13 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx, - state->grp_attrs = grp_attrs; - state->op = NULL; - -+ ret = sysdb_attrs_get_string(user, SYSDB_NAME, &state->username); -+ if (ret != EOK) { -+ DEBUG(1, ("User entry had no username\n")); -+ talloc_free(req); -+ return NULL; -+ } -+ - state->filter = talloc_asprintf(state, "(objectclass=%s)", - opts->group_map[SDAP_OC_GROUP].name); - if (!state->filter) { -@@ -2311,13 +2321,112 @@ static void sdap_initgr_nested_search(struct tevent_req *subreq) - static void sdap_initgr_nested_store(struct tevent_req *req) - { - struct sdap_initgr_nested_state 
*state; -- int ret; -+ errno_t ret, sret; -+ const char *attrs[] = { SYSDB_MEMBEROF, NULL }; -+ struct ldb_message *msg; -+ struct ldb_message_element *groups; -+ char **sysdb_grouplist = NULL; -+ char **ldap_grouplist = NULL; -+ char **del_groups; -+ size_t i, count; - - state = tevent_req_data(req, struct sdap_initgr_nested_state); - -+ ret = sysdb_transaction_start(state->sysdb); -+ if (ret != EOK) { -+ DEBUG(1, ("Could not create sysdb transaction\n")); -+ goto done; -+ } -+ - ret = sdap_save_groups(state, state->sysdb, state->dom, state->opts, - state->groups, state->groups_cur, false, NULL); -- if (ret) { -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ /* Get the list of groups this user belongs to */ -+ ret = sysdb_search_user_by_name(state, state->sysdb, state->dom, -+ state->username, attrs, -+ &msg); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF); -+ if (!groups || groups->num_values == 0) { -+ /* No groups for this user in sysdb currently, so -+ * nothing to delete. 
-+ */ -+ ret = EOK; -+ goto done; -+ } -+ -+ sysdb_grouplist = talloc_array(state, char *, groups->num_values+1); -+ if (!sysdb_grouplist) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ /* Get a list of the groups by name */ -+ for (i = 0; i < groups->num_values; i++) { -+ ret = sysdb_group_dn_name(state->sysdb, -+ sysdb_grouplist, -+ (const char *)groups->values[i].data, -+ &sysdb_grouplist[i]); -+ if (ret != EOK) goto done; -+ } -+ sysdb_grouplist[groups->num_values] = NULL; -+ -+ count = 0; -+ while (state->group_dns[count]) count++; -+ -+ ldap_grouplist = talloc_array(state, char *, count+1); -+ if (!ldap_grouplist) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ for (i = 0; i < count; i++) { -+ ret = sysdb_group_dn_name(state->sysdb, -+ ldap_grouplist, -+ state->group_dns[i], -+ &ldap_grouplist[i]); -+ if (ret != EOK) goto done; -+ } -+ ldap_grouplist[count] = NULL; -+ -+ /* Find the differences between the sysdb and LDAP lists -+ * Groups in the sysdb only must be removed. -+ */ -+ ret = diff_string_lists(state, ldap_grouplist, sysdb_grouplist, -+ NULL, &del_groups, NULL); -+ if (ret != EOK) goto done; -+ -+ if (!del_groups || !del_groups[0]) { -+ /* No groups to delete */ -+ ret = EOK; -+ goto done; -+ } -+ -+ ret = sysdb_update_members(state->sysdb, state->dom, state->username, -+ SYSDB_MEMBER_USER, NULL, -+ (const char *const *)del_groups); -+ -+done: -+ if (ret == EOK) { -+ ret = sysdb_transaction_commit(state->sysdb); -+ if (ret != EOK) { -+ DEBUG(1, ("Could not commit transaction! [%d][%s]\n", -+ ret, strerror(ret))); -+ } -+ } -+ -+ if (ret != EOK) { -+ sret = sysdb_transaction_cancel(state->sysdb); -+ if (sret != EOK) { -+ DEBUG(0, ("Unable to cancel transaction! [%d][%s]\n", -+ sret, strerror(sret))); -+ } - tevent_req_error(req, ret); - return; - } --- -1.7.4 - 
diff --git a/0002-Fix-module-registration-with-newer-LDB-libraries.patch b/FED01-Fix-module-registration-with-newer-LDB-libraries.patch
similarity index 100%
rename from 0002-Fix-module-registration-with-newer-LDB-libraries.patch
rename to FED01-Fix-module-registration-with-newer-LDB-libraries.patch
diff --git a/0003-Make-make-check-look-nice-again.patch b/FED02-Make-make-check-look-nice-again.patch
similarity index 100%
rename from 0003-Make-make-check-look-nice-again.patch
rename to FED02-Make-make-check-look-nice-again.patch
diff --git a/sssd.spec b/sssd.spec
index 83e2b72..acffd16 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -4,8 +4,8 @@ %endif
 Name: sssd
-Version: 1.5.1
-Release: 9%{?dist}
+Version: 1.5.2
+Release: 1%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -14,12 +14,8 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
-Patch0001: 0001-Sanitize-search-filters-for-nested-group-lookups.patch
-Patch0002: 0002-Fix-module-registration-with-newer-LDB-libraries.patch
-Patch0003: 0003-Make-make-check-look-nice-again.patch
-Patch0004: 0004-Remove-cached-user-entry-if-initgroups-returns-ENOEN.patch
-Patch0005: 0005-Perform-initgroups-lookups-for-all-domains.patch
-Patch0006: 0006-IPA-provider-remove-deleted-groups-during-initgroups.patch
+Patch1001: FED01-Fix-module-registration-with-newer-LDB-libraries.patch
+Patch1002: FED02-Make-make-check-look-nice-again.patch
 ### Dependencies ###
@@ -116,12 +112,8 @@ use with ldap_default_authtok_type = obfuscated_password.
 %prep
 %setup -q
-%patch0001 -p1
-%patch0002 -p1
-%patch0003 -p1
-%patch0004 -p1
-%patch0005 -p1
-%patch0006 -p1
+%patch1001 -p1
+%patch1002 -p1
 %build
 autoreconf -ivf
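Review bot: Dropping Patch0001 — the `sss_filter_sanitize()` call on the member DN before it is spliced into the `(member=%s)` sysdb filter — is only safe if the 1.5.2 tarball already carries that upstream change (commit 979943195da2 per the deleted patch's header), and neither this hunk nor the new changelog entry says so: the changelog credits the initgroups ENOENT cache fix from 0004, but not the filter sanitization or the IPA group-removal fix from 0006. Before merging, confirm in the unpacked %{version} source that `save_rfc2307bis_user_memberships` and `rfc2307bis_nested_groups_update_sysdb` still sanitize the DN; re-opening an unescaped-filter path in the cache lookup would be a silent regression. I would record the reason for the removals with a changelog line such as `- Drop patches 0001/0004/0005/0006, merged upstream in 1.5.2`. The tarball checksum presumably lives in the package's `sources` file, which this diff does not show — make sure it was updated with the Source0 version bump.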
@@ -282,11 +274,24 @@ fi
 %postun client -p /sbin/ldconfig
 %changelog
+* Thu Mar 10 2011 Stephen Gallagher - 1.5.2-1
+- New upstream release 1.5.2
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.2
+- Fixes for support of FreeIPA v2
+- Fixes for failover if DNS entries change
+- Improved sss_obfuscate tool with better interactive mode
+- Fix several crash bugs
+- Don't attempt to use START_TLS over SSL. Some LDAP servers can't handle this
+- Delete users from the local cache if initgroups calls return 'no such user'
+- (previously only worked for getpwnam/getpwuid)
+- Use new Transifex.net translations
+- Better support for automatic TGT renewal (now survives restart)
+- Netgroup fixes
+
 * Sun Feb 27 2011 Simo Sorce - 1.5.1-9
 - Rebuild sssd against libldb 1.0.2 so the memberof module loads again.
 - Related: rhbz#677425
-
 * Mon Feb 21 2011 Stephen Gallagher - 1.5.1-8
 - Resolves: rhbz#677768
 - name service caches names, so id command shows
 - recently deleted users