diff --git a/0001-IPA-Handle-empty-nisDomainName.patch b/0001-IPA-Handle-empty-nisDomainName.patch
new file mode 100644
index 0000000..5bdca99
--- /dev/null
+++ b/0001-IPA-Handle-empty-nisDomainName.patch
@@ -0,0 +1,87 @@
+From f9b7073e5cd057cf961b34f99ea1dff0c86b5b6a Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Fri, 17 Nov 2017 20:15:34 +0100
+Subject: [PATCH 01/15] IPA: Handle empty nisDomainName
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3573
+
+If nisdomain=, i.e. a blank NIS domain name, sssd was not processing the
+netgroup at all. This is not in agreement with man innetgr which says "Any of
+the elements in a triple can be empty, which means that anything matches. The
+functions described here allow access to the netgroup databases".
+
+This patch instead returns an empty domain as well, which eventually
+produces the same output as if the netgroup was requested from the
+compat tree.
+
+To reproduce the bug:
+$ ipa netgroup-add
+Netgroup name: emptydom
+-------------------------
+Added netgroup "emptydom"
+-------------------------
+ Netgroup name: emptydom
+ NIS domain name: ipa.test
+ IPA unique ID: 164bc15a-f4b3-11e7-acdb-525400ca6df3
+$ ipa netgroup-add-member
+Netgroup name: emptydom
+[member user]: admin
+[member group]:
+[member host]:
+[member host group]:
+[member netgroup]:
+ Netgroup name: emptydom
+ NIS domain name: ipa.test
+ Member User: admin
+-------------------------
+Number of members added 1
+-------------------------
+$ ipa netgroup-mod --nisdomain="" emptydom
+----------------------------
+Modified netgroup "emptydom"
+----------------------------
+ Netgroup name: emptydom
+ Member User: admin
+
+Then run:
+ getent negroup emptydom
+without the patch, the netgroup won't be resolvable.
It will resolve to
+a netgroup triple that looks like this after the patch:
+ emptydom (-,admin,)
+
+Reviewed-by: Fabiano FidĂȘncio
+---
+ src/providers/ipa/ipa_netgroups.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
+index 5c929a485..05ebac758 100644
+--- a/src/providers/ipa/ipa_netgroups.c
++++ b/src/providers/ipa/ipa_netgroups.c
+@@ -953,7 +953,9 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
+
+ ret = sysdb_attrs_get_string(state->netgroups[i], SYSDB_NETGROUP_DOMAIN,
+ &domain);
+- if (ret != EOK) {
++ if (ret == ENOENT) {
++ domain = NULL;
++ } else if (ret != EOK) {
+ goto done;
+ }
+
+@@ -974,7 +976,7 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
+ for (k = 0; k < hosts_count; k++) {
+ triple = talloc_asprintf(state, "(%s,%s,%s)",
+ hosts[k], uids[j],
+- domain);
++ domain ? domain : "");
+ if (triple == NULL) {
+ ret = ENOMEM;
+ goto done;
+--
+2.14.3
+
diff --git a/0002-intg-enhance-netgroups-test.patch b/0002-intg-enhance-netgroups-test.patch
new file mode 100644
index 0000000..1a3bfb1
--- /dev/null
+++ b/0002-intg-enhance-netgroups-test.patch
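Review bot: In the ENOENT branch of `ipa_netgr_process_all`, `domain = NULL` leaves a NULL pointer live for the rest of the function, and only the one `talloc_asprintf` call visible in the second hunk guards against it. Assuming `domain` is a `const char *`, assigning `domain = "";` in that branch would make the `domain ? domain : ""` ternary unnecessary and keep any other `%s` use of `domain` from receiving NULL; the function body continues outside both hunks, so whether such uses exist cannot be checked here. The branch also deserves a comment such as `/* Missing nisDomainName is valid: an empty triple field matches anything (innetgr(3)) */`. A netgroup that previously did not resolve now yields a triple whose domain field is a wildcard, which matters to anyone who relies on netgroups in access rules.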
@@ -0,0 +1,85 @@
+From 3adc0a2fac5f7f1f30f6b1f75f098d4b50e7cf35 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 5 Mar 2018 12:29:58 +0100
+Subject: [PATCH 02/15] intg: enhance netgroups test
+
+Reviewed-by: Jakub Hrozek
+---
+ src/tests/intg/sssd_netgroup.py | 9 ++++++---
+ src/tests/intg/test_netgroup.py | 26 ++++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py
+index 3668d2e29..4c34ea61f 100644
+--- a/src/tests/intg/sssd_netgroup.py
++++ b/src/tests/intg/sssd_netgroup.py
+@@ -209,9 +209,12 @@ class NetgroupRetriever(object):
+
+ if result_p[0].type == NetgroupType.TRIPLE_VAL:
+ triple = result_p[0].val.triple
+- result.append((triple.host.decode('utf-8'),
+- triple.user.decode('utf-8'),
+- triple.domain.decode('utf-8')))
++ result.append((triple.host and triple.host.decode('utf-8')
++ or "",
++ triple.user and triple.user.decode('utf-8')
++ or "",
++ triple.domain and triple.domain.decode('utf-8')
++ or ""))
+
+ res, errno, result_p = self._getnetgrent_r(result_p, buff,
+ buff_len)
+diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
+index 3cf5dac2e..06a1cfafd 100644
+--- a/src/tests/intg/test_netgroup.py
++++ b/src/tests/intg/test_netgroup.py
+@@ -106,6 +106,8 @@ def format_basic_conf(ldap_conn, schema):
+ services = nss
+ disable_netlink = true
+
++ [nss]
++
+ [domain/LDAP]
+ {schema_conf}
+ id_provider = ldap
+@@ -222,6 +224,14 @@ def add_tripled_netgroup(request, ldap_conn):
+ ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)",
+ "(host2,user2,domain2)"])
+
++ ent_list.add_netgroup("tripled_netgroup_no_domain", ["(host,user,)"])
++
++ ent_list.add_netgroup("tripled_netgroup_no_user", ["(host,,domain)"])
++
++ ent_list.add_netgroup("tripled_netgroup_no_host", ["(,user,domain)"])
++
++ ent_list.add_netgroup("tripled_netgroup_none", ["(,,)"])
++
+ create_ldap_fixture(request, ldap_conn, ent_list)
+
conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+ create_conf_fixture(request, conf)
+@@ -243,6 +253,22 @@ def test_add_tripled_netgroup(add_tripled_netgroup):
+ assert sorted(netgrps) == sorted([("host1", "user1", "domain1"),
+ ("host2", "user2", "domain2")])
+
++ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_domain")
++ assert res == sssd_netgroup.NssReturnCode.SUCCESS
++ assert netgrps == [("host", "user", "")]
++
++ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_user")
++ assert res == sssd_netgroup.NssReturnCode.SUCCESS
++ assert netgrps == [("host", "", "domain")]
++
++ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_host")
++ assert res == sssd_netgroup.NssReturnCode.SUCCESS
++ assert netgrps == [("", "user", "domain")]
++
++ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_none")
++ assert res == sssd_netgroup.NssReturnCode.SUCCESS
++ assert netgrps == [("", "", "")]
++
+
+ @pytest.fixture
+ def add_mixed_netgroup(request, ldap_conn):
+--
+2.14.3
+
diff --git a/sssd.spec b/sssd.spec
index 01f5e8b..48e7fd1 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -34,7 +34,7 @@
 Name: sssd
 Version: 1.16.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -42,6 +42,8 @@ URL: https://pagure.io/SSSD/sssd/
 Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
 ### Patches ###
+Patch0001: 0001-IPA-Handle-empty-nisDomainName.patch
+Patch0002: 0002-intg-enhance-netgroups-test.patch
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
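Review bot: The four new netgroups and their assertions in `test_add_tripled_netgroup` run against the `[domain/LDAP]` configuration with `id_provider = ldap`, so as far as these hunks show they do not exercise the IPA provider's missing-`nisDomainName` path that patch 01 changes. A comment stating that this covers only the LDAP provider and NSS client side, or an IPA-side test, would keep the coverage claim accurate. In `NetgroupRetriever`, the `x and x.decode('utf-8') or ""` form is the dated and/or idiom; `triple.host.decode('utf-8') if triple.host else ""` states the NULL-field handling directly, and likewise for `user` and `domain`. The empty `[nss]` section added to `format_basic_conf` is unexplained and could carry a one-line comment; the enclosing functions start and end outside the hunks.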
@@ -1243,6 +1245,9 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 %changelog
+* Fri Mar 30 2018 Fabiano FidĂȘncio - 1.16.1-2
+- Resolves: upstream#3573 - sssd won't show netgroups with blank domain
+
 * Fri Mar 9 2018 Fabiano FidĂȘncio - 1.16.1-1
 - New upstream release 1.16.1
 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html