rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Additional upstream fixes

Browse Source
This commit is contained in:
Lukas Slebodnik 2016-01-20 18:40:57 +01:00
parent 9bfc8ef4de
commit 6d11a34b89
7 changed files with 2037 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
0045-sdap_connect_send-fail-if-uri-or-sockaddr-is-NULL.patch Normal file
View File

@ -0,0 +1,37 @@
From 62ae069bc8c559f4814f64504335475edc522622 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 19 Jan 2016 13:30:58 +0100
Subject: [PATCH 45/55] sdap_connect_send: fail if uri or sockaddr is NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://fedorahosted.org/sssd/ticket/2904
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 8bd9ec3a8885b01a34863d22aa784e221fc422fb)
---
src/providers/ldap/sdap_async_connection.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index 8f5227d263f995693f6e65bd238171538aa52af7..85b7aaa5bf5acedf3511ffe6f8636be007d5a136 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -75,6 +75,12 @@ struct tevent_req *sdap_connect_send(TALLOC_CTX *memctx,
req = tevent_req_create(memctx, &state, struct sdap_connect_state);
if (!req) return NULL;
+ if (uri == NULL || sockaddr == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid uri or sockaddr\n");
+ ret = EINVAL;
+ goto fail;
+ }
+
state->reply = talloc(state, struct sdap_msg);
if (!state->reply) {
talloc_zfree(req);
--
2.5.0

136
0046-SDAP-Make-it-possible-to-silence-errors-from-derefer.patch Normal file
View File

@ -0,0 +1,136 @@
From 199a9d29c3e56c1c341fb331cfe790b35736a1f2 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 19 Jan 2016 14:54:45 +0100
Subject: [PATCH 46/55] SDAP: Make it possible to silence errors from
dereference
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
https://fedorahosted.org/sssd/ticket/2791
When a modern IPA client is connected to an old (3.x) IPA server, the
attribute dereferenced during the ID views lookup does not exist, which
triggers an error during the dereference processing and also a confusing
syslog message.
This patch suppresses the syslog message.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 95c132e1a8c6bbab4be8b3a340333fadd8076122)
---
src/providers/ipa/ipa_subdomains.c | 6 +++++-
src/providers/ldap/sdap_async.c | 25 +++++++++++++++++--------
src/providers/ldap/sdap_async.h | 7 ++++++-
3 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index cd78506ffc59c392da4e834c764c9ca82dbc89b0..f13847f12a7eae42b13a51e3fe1d09b60878633b 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -792,6 +792,9 @@ static errno_t ipa_get_view_name(struct ipa_subdomains_req_ctx *ctx)
return EOK;
}
+ /* We add SDAP_DEREF_FLG_SILENT because old IPA servers don't have
+ * the attribute we dereference, causing the deref call to fail
+ */
req = sdap_deref_search_with_filter_send(ctx, ctx->sd_ctx->be_ctx->ev,
ctx->sd_ctx->sdap_id_ctx->opts,
sdap_id_op_handle(ctx->sdap_op),
@@ -799,7 +802,8 @@ static errno_t ipa_get_view_name(struct ipa_subdomains_req_ctx *ctx)
ctx->current_filter, IPA_ASSIGNED_ID_VIEW, attrs,
1, maps,
dp_opt_get_int(ctx->sd_ctx->sdap_id_ctx->opts->basic,
- SDAP_SEARCH_TIMEOUT));
+ SDAP_SEARCH_TIMEOUT),
+ SDAP_DEREF_FLG_SILENT);
if (req == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 5260aafebf7570291876b2433dbcf44ffb5b0011..6cc32323b4a4c43023a50e10a3a003bc4b2b8994 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2763,6 +2763,7 @@ struct sdap_deref_search_state {
size_t reply_count;
struct sdap_deref_attrs **reply;
enum sdap_deref_type deref_type;
+ unsigned flags;
};
static void sdap_deref_search_done(struct tevent_req *subreq);
@@ -2779,7 +2780,8 @@ sdap_deref_search_with_filter_send(TALLOC_CTX *memctx,
const char **attrs,
int num_maps,
struct sdap_attr_map_info *maps,
- int timeout)
+ int timeout,
+ unsigned flags)
{
struct tevent_req *req = NULL;
struct tevent_req *subreq = NULL;
@@ -2791,6 +2793,7 @@ sdap_deref_search_with_filter_send(TALLOC_CTX *memctx,
state->sh = sh;
state->reply_count = 0;
state->reply = NULL;
+ state->flags = flags;
if (sdap_is_control_supported(sh, LDAP_CONTROL_X_DEREF)) {
DEBUG(SSSDBG_TRACE_INTERNAL, "Server supports OpenLDAP deref\n");
@@ -2917,14 +2920,20 @@ static void sdap_deref_search_done(struct tevent_req *subreq)
DEBUG(SSSDBG_OP_FAILURE,
"dereference processing failed [%d]: %s\n", ret, strerror(ret));
if (ret == ENOTSUP) {
- sss_log(SSS_LOG_WARNING,
- "LDAP server claims to support deref, but deref search failed. "
- "Disabling deref for further requests. You can permanently "
- "disable deref by setting ldap_deref_threshold to 0 in domain "
- "configuration.");
state->sh->disable_deref = true;
- } else {
- sss_log(SSS_LOG_WARNING, "dereference processing failed : %s", strerror(ret));
+ }
+
+ if (!(state->flags & SDAP_DEREF_FLG_SILENT)) {
+ if (ret == ENOTSUP) {
+ sss_log(SSS_LOG_WARNING,
+ "LDAP server claims to support deref, but deref search "
+ "failed. Disabling deref for further requests. You can "
+ "permanently disable deref by setting "
+ "ldap_deref_threshold to 0 in domain configuration.");
+ } else {
+ sss_log(SSS_LOG_WARNING,
+ "dereference processing failed : %s", strerror(ret));
+ }
}
tevent_req_error(req, ret);
return;
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 09bc0d65407253f93514b30877850cc38009c625..f86f1890bc2971ede4fe70f42154d7bc39c43ac6 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -227,6 +227,10 @@ int sdap_get_generic_recv(struct tevent_req *req,
bool sdap_has_deref_support(struct sdap_handle *sh, struct sdap_options *opts);
+enum sdap_deref_flags {
+ SDAP_DEREF_FLG_SILENT = 1 << 0, /* Do not warn if dereference fails */
+};
+
struct tevent_req *
sdap_deref_search_with_filter_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
@@ -238,7 +242,8 @@ sdap_deref_search_with_filter_send(TALLOC_CTX *memctx,
const char **attrs,
int num_maps,
struct sdap_attr_map_info *maps,
- int timeout);
+ int timeout,
+ unsigned flags);
int sdap_deref_search_with_filter_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
size_t *reply_count,
--
2.5.0

29
0047-p11-add-gnome-screensaver-to-list-of-allowed-service.patch Normal file
View File

@ -0,0 +1,29 @@
From 20623658d24b860b2d13ae2da4a22ce7151394d9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 14 Jan 2016 11:42:26 +0100
Subject: [PATCH 47/55] p11: add gnome-screensaver to list of allowed services
Resolves https://fedorahosted.org/sssd/ticket/2925
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e9c42ec738c213bd5f351567c20d404a280b32d0)
---
src/responder/pam/pamsrv_p11.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index ea428a6a3dd41b1770b69ff0301ed98c1c08c01d..ad1670136dbf8efc41df6950af744ff8b06e6a11 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -45,7 +45,7 @@ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
size_t c;
const char *sc_services[] = { "login", "su", "su-l", "gdm-smartcard",
"gdm-password", "kdm", "sudo", "sudo-i",
- NULL };
+ "gnome-screensaver", NULL };
if (!pctx->cert_auth) {
return false;
}
--
2.5.0

50
0048-IDMAP-Fix-computing-max-id-for-slice-range.patch Normal file
View File

@ -0,0 +1,50 @@
From 2fe18a1614007d20ffaa74387e162b5af4dcafb0 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Wed, 13 Jan 2016 09:07:39 -0500
Subject: [PATCH 48/55] IDMAP: Fix computing max id for slice range
Max value of id mapping range was 1 unit too high.
Resolves:
https://fedorahosted.org/sssd/ticket/2922
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 7db89d44b5582a0cb0a61a7aa42a2fac7ca9408f)
---
src/lib/idmap/sss_idmap.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c
index 4c453120539a549807e9b6bb4db2dc396c1b3152..b5457f92dbb91ac5109ad17258920549e8808d26 100644
--- a/src/lib/idmap/sss_idmap.c
+++ b/src/lib/idmap/sss_idmap.c
@@ -336,7 +336,7 @@ enum idmap_error_code sss_idmap_calculate_range(struct sss_idmap_ctx *ctx,
}
min = (rangesize * new_slice) + idmap_lower;
- max = min + rangesize;
+ max = min + rangesize - 1;
/* Verify that this slice is not already in use */
do {
for (dom = ctx->idmap_domain_info; dom != NULL; dom = dom->next) {
@@ -353,7 +353,7 @@ enum idmap_error_code sss_idmap_calculate_range(struct sss_idmap_ctx *ctx,
}
min = (rangesize * new_slice) + idmap_lower;
- max = min + rangesize;
+ max = min + rangesize - 1;
break;
}
}
@@ -371,7 +371,7 @@ enum idmap_error_code sss_idmap_calculate_range(struct sss_idmap_ctx *ctx,
}
_range->min = (rangesize * new_slice) + idmap_lower;
- _range->max = _range->min + rangesize;
+ _range->max = _range->min + rangesize - 1;
if (slice_num) {
*slice_num = new_slice;
--
2.5.0

238
0049-IDMAP-New-structure-for-domain-range-params.patch Normal file
View File

@ -0,0 +1,238 @@
From 3cc105df9f064a4380dc01010f470025217964e7 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Thu, 26 Nov 2015 10:46:34 -0500
Subject: [PATCH 49/55] IDMAP: New structure for domain range params
Create new internal structure idmap_range_params by merging ID mapping
range relevant fields from idmap_domain_info and remove corrsponding
fields.
Resolves:
https://fedorahosted.org/sssd/ticket/2188
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit c3cdd6a644a870531092e4378cbcd1a428ff514c)
---
src/lib/idmap/sss_idmap.c | 117 ++++++++++++++++++++++++----------------------
1 file changed, 60 insertions(+), 57 deletions(-)
diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c
index b5457f92dbb91ac5109ad17258920549e8808d26..23ed46a583547a3f2f0bca5ab62824bd045e56b9 100644
--- a/src/lib/idmap/sss_idmap.c
+++ b/src/lib/idmap/sss_idmap.c
@@ -33,13 +33,21 @@
#define SID_FMT "%s-%d"
#define SID_STR_MAX_LEN 1024
+/* Hold all parameters for unix<->sid mapping relevant for
+ * given slice. */
+struct idmap_range_params {
+ uint32_t min_id;
+ uint32_t max_id;
+ char *range_id;
+
+ uint32_t first_rid;
+};
+
struct idmap_domain_info {
char *name;
char *sid;
- struct sss_idmap_range *range;
+ struct idmap_range_params range_params;
struct idmap_domain_info *next;
- uint32_t first_rid;
- char *range_id;
bool external_mapping;
};
@@ -72,37 +80,17 @@ static char *idmap_strdup(struct sss_idmap_ctx *ctx, const char *str)
return new;
}
-static struct sss_idmap_range *idmap_range_dup(struct sss_idmap_ctx *ctx,
- struct sss_idmap_range *range)
-{
- struct sss_idmap_range *new = NULL;
-
- CHECK_IDMAP_CTX(ctx, NULL);
-
-
- new = ctx->alloc_func(sizeof(struct sss_idmap_range), ctx->alloc_pvt);
- if (new == NULL) {
- return NULL;
- }
-
- memset(new, 0, sizeof(struct sss_idmap_range));
-
- new->min = range->min;
- new->max = range->max;
-
- return new;
-}
-
-static bool id_is_in_range(uint32_t id, struct idmap_domain_info *dom,
+static bool id_is_in_range(uint32_t id,
+ struct idmap_range_params *rp,
uint32_t *rid)
{
- if (id == 0 || dom == NULL || dom->range == NULL) {
+ if (id == 0 || rp == NULL) {
return false;
}
- if (id >= dom->range->min && id <= dom->range->max) {
+ if (id >= rp->min_id && id <= rp->max_id) {
if (rid != NULL) {
- *rid = dom->first_rid + (id - dom->range->min);
+ *rid = rp->first_rid + (id - rp->min_id);
}
return true;
@@ -220,8 +208,7 @@ static void sss_idmap_free_domain(struct sss_idmap_ctx *ctx,
return;
}
- ctx->free_func(dom->range_id, ctx->alloc_pvt);
- ctx->free_func(dom->range, ctx->alloc_pvt);
+ ctx->free_func(dom->range_params.range_id, ctx->alloc_pvt);
ctx->free_func(dom->name, ctx->alloc_pvt);
ctx->free_func(dom->sid, ctx->alloc_pvt);
ctx->free_func(dom, ctx->alloc_pvt);
@@ -340,9 +327,12 @@ enum idmap_error_code sss_idmap_calculate_range(struct sss_idmap_ctx *ctx,
/* Verify that this slice is not already in use */
do {
for (dom = ctx->idmap_domain_info; dom != NULL; dom = dom->next) {
- if ((dom->range->min <= min && dom->range->max >= max) ||
- (dom->range->min >= min && dom->range->min <= max) ||
- (dom->range->max >= min && dom->range->max <= max)) {
+ uint32_t dmin = dom->range_params.min_id;
+ uint32_t dmax = dom->range_params.max_id;
+
+ if ((dmin <= min && dmax >= max) ||
+ (dmin >= min && dmin <= max) ||
+ (dmax >= min && dmax <= max)) {
/* This range overlaps one already registered
* We'll try the next available slot
*/
@@ -445,10 +435,17 @@ enum idmap_error_code sss_idmap_check_collision(struct sss_idmap_ctx *ctx,
{
struct idmap_domain_info *dom;
enum idmap_error_code err;
+ struct sss_idmap_range range;
for (dom = ctx->idmap_domain_info; dom != NULL; dom = dom->next) {
- err = sss_idmap_check_collision_ex(dom->name, dom->sid, dom->range,
- dom->first_rid, dom->range_id,
+
+ range.min = dom->range_params.min_id;
+ range.max = dom->range_params.max_id;
+
+ err = sss_idmap_check_collision_ex(dom->name, dom->sid,
+ &range,
+ dom->range_params.first_rid,
+ dom->range_params.range_id,
dom->external_mapping,
n_name, n_sid, n_range, n_first_rid,
n_range_id, n_external_mapping);
@@ -459,20 +456,29 @@ enum idmap_error_code sss_idmap_check_collision(struct sss_idmap_ctx *ctx,
return IDMAP_SUCCESS;
}
-static enum idmap_error_code dom_check_collision(
- struct idmap_domain_info *dom_list,
- struct idmap_domain_info *new_dom)
+static enum
+idmap_error_code dom_check_collision(struct idmap_domain_info *dom_list,
+ struct idmap_domain_info *new_dom)
{
struct idmap_domain_info *dom;
enum idmap_error_code err;
+ struct sss_idmap_range range;
+ struct sss_idmap_range new_dom_range = { new_dom->range_params.min_id,
+ new_dom->range_params.max_id };
for (dom = dom_list; dom != NULL; dom = dom->next) {
- err = sss_idmap_check_collision_ex(dom->name, dom->sid, dom->range,
- dom->first_rid, dom->range_id,
+ range.min = dom->range_params.min_id;
+ range.max = dom->range_params.max_id;
+
+ err = sss_idmap_check_collision_ex(dom->name, dom->sid,
+ &range,
+ dom->range_params.first_rid,
+ dom->range_params.range_id,
dom->external_mapping,
new_dom->name, new_dom->sid,
- new_dom->range, new_dom->first_rid,
- new_dom->range_id,
+ &new_dom_range,
+ new_dom->range_params.first_rid,
+ new_dom->range_params.range_id,
new_dom->external_mapping);
if (err != IDMAP_SUCCESS) {
return err;
@@ -531,21 +537,18 @@ enum idmap_error_code sss_idmap_add_domain_ex(struct sss_idmap_ctx *ctx,
}
}
- dom->range = idmap_range_dup(ctx, range);
- if (dom->range == NULL) {
- err = IDMAP_OUT_OF_MEMORY;
- goto fail;
- }
+ dom->range_params.min_id = range->min;
+ dom->range_params.max_id = range->max;
if (range_id != NULL) {
- dom->range_id = idmap_strdup(ctx, range_id);
- if (dom->range_id == NULL) {
+ dom->range_params.range_id = idmap_strdup(ctx, range_id);
+ if (dom->range_params.range_id == NULL) {
err = IDMAP_OUT_OF_MEMORY;
goto fail;
}
}
- dom->first_rid = rid;
+ dom->range_params.first_rid = rid;
dom->external_mapping = external_mapping;
err = dom_check_collision(ctx->idmap_domain_info, dom);
@@ -621,10 +624,10 @@ enum idmap_error_code sss_idmap_sid_to_unix(struct sss_idmap_ctx *ctx,
return IDMAP_SID_INVALID;
}
- if (rid >= idmap_domain_info->first_rid) {
- id = idmap_domain_info->range->min
- + (rid - idmap_domain_info->first_rid);
- if (id <= idmap_domain_info->range->max) {
+ if (rid >= idmap_domain_info->range_params.first_rid) {
+ id = idmap_domain_info->range_params.min_id
+ + (rid - idmap_domain_info->range_params.first_rid);
+ if (id <= idmap_domain_info->range_params.max_id) {
*_id = id;
return IDMAP_SUCCESS;
}
@@ -670,8 +673,8 @@ enum idmap_error_code sss_idmap_check_sid_unix(struct sss_idmap_ctx *ctx,
if (strlen(sid) > dom_len && sid[dom_len] == '-'
&& strncmp(sid, idmap_domain_info->sid, dom_len) == 0) {
- if (id >= idmap_domain_info->range->min
- && id <= idmap_domain_info->range->max) {
+ if (id >= idmap_domain_info->range_params.min_id
+ && id <= idmap_domain_info->range_params.max_id) {
return IDMAP_SUCCESS;
}
@@ -700,7 +703,7 @@ enum idmap_error_code sss_idmap_unix_to_sid(struct sss_idmap_ctx *ctx,
idmap_domain_info = ctx->idmap_domain_info;
while (idmap_domain_info != NULL) {
- if (id_is_in_range(id, idmap_domain_info, &rid)) {
+ if (id_is_in_range(id, &idmap_domain_info->range_params, &rid)) {
if (idmap_domain_info->external_mapping == true
|| idmap_domain_info->sid == NULL) {
--
2.5.0

1537
0050-IDMAP-Add-support-for-automatic-adding-of-ranges.patch Normal file
View File

File diff suppressed because it is too large Load Diff

11
sssd.spec
View File

@ -24,7 +24,7 @@
Name: sssd
Version: 1.13.3
Release: 2%{?dist}
Release: 3%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -77,6 +77,12 @@ Patch0041: 0041-AD-add-task-to-renew-the-machine-account-password-if.patch
Patch0042: 0042-FO-add-fo_get_active_server.patch
Patch0043: 0043-FO-add-be_fo_get_active_server_name.patch
Patch0044: 0044-AD-try-to-use-current-server-in-the-renewal-task.patch
Patch0045: 0045-sdap_connect_send-fail-if-uri-or-sockaddr-is-NULL.patch
Patch0046: 0046-SDAP-Make-it-possible-to-silence-errors-from-derefer.patch
Patch0047: 0047-p11-add-gnome-screensaver-to-list-of-allowed-service.patch
Patch0048: 0048-IDMAP-Fix-computing-max-id-for-slice-range.patch
Patch0049: 0049-IDMAP-New-structure-for-domain-range-params.patch
Patch0050: 0050-IDMAP-Add-support-for-automatic-adding-of-ranges.patch
Patch0100: 0100-FO-Don-t-free-rc-allocated-structure.patch
Patch0101: 0101-tests-Reduce-failover-code-duplication.patch
Patch0102: 0102-FO-Use-refcount-to-keep-track-of-servers-returned-to.patch
@ -1063,6 +1069,9 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Wed Jan 20 2016 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.3-3
- Additional upstream fixes
* Tue Jan 19 2016 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.3-2
- Resolves: rhbz#1256849 - SUDO: Support the IPA schema