rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

New upstream release 1.10 beta1

Browse Source 
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1
This commit is contained in:
Jakub Hrozek 2013-05-03 22:24:02 +02:00
parent 90d9c5609a
commit 6d4f357f0c
2 changed files with 74 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

181
0001-Fix-krbcc-dir-creation-issue-with-MIT-krb5-1.11.patch
View File

@ -1,181 +0,0 @@
From 9d890186ec2b511aa30a9574543f29e1ef56e0e8 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Sat, 6 Apr 2013 17:58:53 +0200
Subject: [PATCH] Fix krbcc dir creation issue with MIT krb5 1.11
In krb5-libs >= 1.11, function krb5_cc_resolve verify if credential cache dir
exists. If it doesn't exist, than it will be created with process permissions
and not user permissions.
Function cc_residual_is_used has already checked for non existing
directory, but it wasn't considered to be a failure and therefore next call
of krb5_init_context will create directory with wrong permissions.
Now if directory doesn't exist, it will be handled like there was not ccache
attribute in sysdb cache. We also check if "primary" file in ccache directory
has right permissions. But we ignore missing "primary" file.
https://fedorahosted.org/sssd/ticket/1822
---
src/providers/krb5/krb5_auth.c | 12 ++++++++-
src/providers/krb5/krb5_utils.c | 60 ++++++++++++++++++++++++++++++++++-------
2 files changed, 61 insertions(+), 11 deletions(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 00025bfc156eaf641217194c6301f4d70a773a73..5baea0bc84bb6991d32300210d4bb4db3bcee5d0 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -106,6 +106,11 @@ check_old_ccache(const char *old_ccache, struct krb5child_req *kr,
ret = old_cc_ops->check_existing(old_ccache, kr->uid, realm, kr->upn,
cc_template, active, valid);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ ("Saved ccache %s doesn't exist.\n", old_ccache));
+ return ret;
+ }
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
("Cannot check if saved ccache %s is active and valid\n",
@@ -617,7 +622,12 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
ret = check_old_ccache(ccache_file, kr, realm,
&kr->active_ccache,
&kr->valid_tgt);
- if (ret != EOK) {
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ ("Ignoring ccache attribute [%s], because it doesn't"
+ "exist.\n", ccache_file));
+ ccache_file = NULL;
+ } else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
("check_if_ccache_file_is_used failed.\n"));
goto done;
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index ad77c7cc8305a98cc263cd7c6222979f361d0155..524568939507dac497ebf373612c40dfac6bf74c 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -776,7 +776,7 @@ cc_residual_is_used(uid_t uid, const char *ccname,
DEBUG(SSSDBG_FUNC_DATA, ("Cache file [%s] does not exist, "
"it will be recreated\n", ccname));
*result = false;
- return EOK;
+ return ENOENT;
}
DEBUG(SSSDBG_OP_FAILURE,
@@ -869,10 +869,13 @@ cc_file_check_existing(const char *location, uid_t uid,
ret = cc_residual_is_used(uid, filename, SSS_KRB5_TYPE_FILE, &active);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. "
- "Will create a new one.\n"));
+ if (ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("Could not check if ccache is active.\n"));
+ }
cc_check_template(cc_template);
active = false;
+ return ret;
}
kerr = krb5_init_context(&context);
@@ -998,6 +1001,7 @@ cc_dir_check_existing(const char *location, uid_t uid,
const char *cc_template, bool *_active, bool *_valid)
{
bool active = false;
+ bool active_primary = false;
bool valid = false;
krb5_ccache ccache = NULL;
krb5_context context = NULL;
@@ -1006,7 +1010,9 @@ cc_dir_check_existing(const char *location, uid_t uid,
const char *filename;
const char *dir;
char *tmp;
+ char *primary_file;
errno_t ret;
+ TALLOC_CTX *tmp_ctx;
type = sss_krb5_get_type(location);
if (type != SSS_KRB5_TYPE_DIR) {
@@ -1027,29 +1033,62 @@ cc_dir_check_existing(const char *location, uid_t uid,
return EINVAL;
}
- tmp = talloc_strdup(NULL, filename);
- if (!tmp) return ENOMEM;
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_new failed.\n"));
+ return ENOMEM;
+ }
+
+ tmp = talloc_strdup(tmp_ctx, filename);
+ if (!tmp) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_strdup failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
dir = dirname(tmp);
if (!dir) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Cannot base get directory of %s\n", location));
- return EINVAL;
+ ret = EINVAL;
+ goto done;
}
ret = cc_residual_is_used(uid, dir, SSS_KRB5_TYPE_DIR, &active);
- talloc_free(tmp);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("Could not check if ccache is active. "
- "Will create a new one.\n"));
+ if (ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("Could not check if ccache is active.\n"));
+ }
cc_check_template(cc_template);
active = false;
+ goto done;
+ }
+
+ /* If primary file isn't in ccache dir, we will ignore it.
+ * But if primary file has wrong permissions, we will fail.
+ */
+ primary_file = talloc_asprintf(tmp_ctx, "%s/primary", dir);
+ if (!primary_file) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_asprintf failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = cc_residual_is_used(uid, primary_file, SSS_KRB5_TYPE_FILE,
+ &active_primary);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("Could not check if file 'primary' [%s] in dir ccache"
+ " is active.\n", primary_file));
+ active = false;
+ goto done;
}
krberr = krb5_init_context(&context);
if (krberr) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to init kerberos context\n"));
- return EIO;
+ ret = EIO;
+ goto done;
}
krberr = krb5_cc_resolve(context, location, &ccache);
@@ -1081,6 +1120,7 @@ cc_dir_check_existing(const char *location, uid_t uid,
ret = EOK;
done:
+ talloc_free(tmp_ctx);
if (ccache) krb5_cc_close(context, ccache);
krb5_free_context(context);
*_active = active;
--
1.8.1.4

82
sssd.spec
View File

@ -16,16 +16,15 @@
Name: sssd
Version: 1.10.0
Release: 2%{?dist}.alpha1
Release: 3%{?dist}.beta1
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
URL: http://fedorahosted.org/sssd/
Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}alpha1.tar.gz
Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}beta1.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-Fix-krbcc-dir-creation-issue-with-MIT-krb5-1.11.patch
Patch0501: 0501-FEDORA-Switch-the-default-ccache-location.patch
### Dependencies ###
@ -37,6 +36,7 @@ Requires: sssd-client%{?_isa} = %{version}-%{release}
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
Requires: libsss_idmap%{?_isa} = %{version}-%{release}
Requires: python-sssdconfig = %{version}-%{release}
Requires: krb5-libs%{?_isa} >= 1.10
Requires(post): systemd-units initscripts chkconfig
Requires(preun): systemd-units initscripts chkconfig
@ -130,6 +130,15 @@ Also provides several other administrative tools:
* sss_seed which pre-creates a user entry for use in kickstarts
* sss_obfuscate for generating an obfuscated LDAP password
%package -n python-sssdconfig
Summary: SSSD and IPA configuration file manipulation classes and functions
Group: Applications/System
License: GPLv3+
BuildArch: noarch
%description -n python-sssdconfig
Provides python files for manipulation SSSD and IPA configuration files.
%package -n libsss_idmap
Summary: FreeIPA Idmap library
Group: Development/Libraries
@ -178,6 +187,35 @@ Requires: libipa_hbac = %{version}-%{release}
The libipa_hbac-python contains the bindings so that libipa_hbac can be
used by Python applications.
%package -n libsss_nss_idmap
Summary: Library for SID based lookups
Group: Development/Libraries
License: LGPLv3+
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
%description -n libsss_nss_idmap
Utility library for SID based lookups
%package -n libsss_nss_idmap-devel
Summary: Library for SID based lookups
Group: Development/Libraries
License: LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}
%description -n libsss_nss_idmap-devel
Utility library for SID based lookups
%package -n libsss_nss_idmap-python
Summary: Python bindings for libsss_nss_idmap
Group: Development/Libraries
License: LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}
%description -n libsss_nss_idmap-python
The libsss_nss_idmap-python contains the bindings so that libsss_nss_idmap can
be used by Python applications.
%package -n libsss_sudo
Summary: A library to allow communication between SUDO and SSSD
Group: Development/Libraries
@ -214,7 +252,7 @@ UpdateTimestamps() {
done
}
%setup -q -n %{name}-1.9.91
%setup -q -n %{name}-1.9.92
for p in %patches ; do
@ -278,10 +316,10 @@ find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name}
# Older versions of rpmbuild can only handle one -f option
# So we need to append to the sssd.lang file
# So we need to append to the sssd*.lang file
for file in `ls $RPM_BUILD_ROOT/%{python_sitelib}/*.egg-info 2> /dev/null`
do
echo %{python_sitelib}/`basename $file` >> sssd.lang
echo %{python_sitelib}/`basename $file` >> python_sssdconfig.lang
done
touch sssd_tools.lang
@ -397,8 +435,6 @@ rm -rf $RPM_BUILD_ROOT
%{python_sitearch}/pysss.so
%{python_sitearch}/pysss_murmur.so
%dir %{python_sitelib}/SSSDConfig
%{python_sitelib}/SSSDConfig/*.py*
%files client -f sssd_client.lang
%defattr(-,root,root,-)
@ -434,6 +470,11 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sss_debuglevel.8*
%{_mandir}/man8/sss_seed.8*
%files -n python-sssdconfig -f python_sssdconfig.lang
%defattr(-,root,root,-)
%dir %{python_sitelib}/SSSDConfig
%{python_sitelib}/SSSDConfig/*.py*
%files -n libsss_idmap
%defattr(-,root,root,-)
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
@ -484,6 +525,27 @@ A utility library to allow communication between Autofs and SSSD
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/sssd/modules/libsss_autofs.so*
%files -n libsss_nss_idmap
%defattr(-,root,root,-)
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_nss_idmap.so.*
%files -n libsss_nss_idmap-devel
%defattr(-,root,root,-)
%if 0%{?fedora}
%doc nss_idmap_doc/html
%endif
%if 0%{?rhel} >= 6
%doc nss_idmap_doc/html
%endif
%{_includedir}/sss_nss_idmap.h
%{_libdir}/libsss_nss_idmap.so
%{_libdir}/pkgconfig/sss_nss_idmap.pc
%files -n libsss_nss_idmap-python
%defattr(-,root,root,-)
%{python_sitearch}/pysss_nss_idmap.so
%post
if [ $1 -ge 1 ] ; then
# Initial installation
@ -533,6 +595,10 @@ fi
%postun -n libsss_sudo -p /sbin/ldconfig
%changelog
* Fri May 3 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.10.0-3.beta1
- New upstream release 1.10 beta1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.10.0beta1
* Wed Apr 17 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.10.0-2.alpha1
- Add a patch to fix krb5 ccache creation issue with krb5 1.11