From 7a33e7710b70defa3250e1961c5e95ac6b8cfadf Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Mon, 21 Feb 2011 15:42:00 -0500
Subject: [PATCH] - Resolves: rhbz#677768 - name service caches names, so id command shows - recently deleted users
---
 ...er-entry-if-initgroups-returns-ENOEN.patch | 36 ++++
 ...m-initgroups-lookups-for-all-domains.patch | 39 ++++
 ...ove-deleted-groups-during-initgroups.patch | 168 ++++++++++++++++++
 sssd.spec | 12 +-
 4 files changed, 254 insertions(+), 1 deletion(-)
 create mode 100644 0004-Remove-cached-user-entry-if-initgroups-returns-ENOEN.patch
 create mode 100644 0005-Perform-initgroups-lookups-for-all-domains.patch
 create mode 100644 0006-IPA-provider-remove-deleted-groups-during-initgroups.patch
diff --git a/0004-Remove-cached-user-entry-if-initgroups-returns-ENOEN.patch b/0004-Remove-cached-user-entry-if-initgroups-returns-ENOEN.patch
new file mode 100644
index 0000000..fc8137e
--- /dev/null
+++ b/0004-Remove-cached-user-entry-if-initgroups-returns-ENOEN.patch
@@ -0,0 +1,36 @@
+From e7c95d693f4694f64790c3105550c141e94c5b45 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Thu, 17 Feb 2011 14:33:50 -0500
+Subject: [PATCH 4/6] Remove cached user entry if initgroups returns ENOENT
+
+This behavior was present for getpwnam() but was lacking for
+initgroups.
+---
+ src/providers/ldap/ldap_id.c | 11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
+index 09f0026b00cda442f90e07e30e0d083a53206d85..9a234280082f7396eda4307e9e4bb4bd63b5615c 100644
+--- a/src/providers/ldap/ldap_id.c
++++ b/src/providers/ldap/ldap_id.c
+@@ -631,6 +631,17 @@ static void groups_by_user_done(struct tevent_req *subreq)
+ return;
+ }
+ 
++ if (ret == ENOENT) {
++ ret = sysdb_delete_user(state,
++ state->ctx->be->sysdb,
++ state->ctx->be->domain,
++ state->name, 0);
++ if (ret != EOK && ret != ENOENT) {
++ tevent_req_error(req, ret);
++ return;
++ }
++ }
++ 
+ state->dp_error = DP_ERR_OK;
+ tevent_req_done(req);
+ }
+--
+1.7.4
+
diff --git a/0005-Perform-initgroups-lookups-for-all-domains.patch b/0005-Perform-initgroups-lookups-for-all-domains.patch
new file mode 100644
index 0000000..1ee234c
--- /dev/null
+++ b/0005-Perform-initgroups-lookups-for-all-domains.patch
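Review bot: The added `if (ret == ENOENT)` block in groups_by_user_done() removes the cached user entry and then falls through to `state->dp_error = DP_ERR_OK` / `tevent_req_done(req)`, but nothing in the code says why a not-found result is treated as a successful completion after a delete. I would put a comment above the block, e.g. `/* The server no longer knows this user: drop the stale sysdb entry so cached lookups stop returning it, then finish the request normally; callers re-read sysdb and get ENOENT there. */` — the "callers re-read sysdb" part is inferred from the commit message rather than visible in the hunk, so confirm it against the responder. The function starts before the hunk, so I am assuming `ret` is the status of the subrequest checked in the lines just above.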
@@ -0,0 +1,39 @@
+From 4ef3fd7c5d0defbc1e2fca745853f0d292201f28 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Fri, 18 Feb 2011 09:33:42 -0500
+Subject: [PATCH 5/6] Perform initgroups lookups for all domains
+
+Previously, we were setting the client context PAM lookup timeout
+after the first domain replied. However, if the user wasn't a
+member of the first domain, their information wasn't being
+updated.
+
+This patch ensures that we only set this timeout after the user
+has been found or all domains were searched.
+---
+ src/responder/pam/pamsrv_cmd.c | 8 +++++---
+ 1 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
+index 79993d3366073c75f1873ee8176eb4a70f2a383d..8035a687846fa6f4305fe129d1ec87d3291a7fc8 100644
+--- a/src/responder/pam/pamsrv_cmd.c
++++ b/src/responder/pam/pamsrv_cmd.c
+@@ -952,10 +952,12 @@ static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min,
+ (unsigned int)err_maj, (unsigned int)err_min, err_msg));
+ }
+ 
+- /* Make sure we don't go to the ID provider too often */
+- preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;
+- 
+ ret = pam_check_user_search(preq);
++ if (ret == EOK || ret == ENOENT) {
++ /* Make sure we don't go to the ID provider too often */
++ preq->cctx->pam_timeout = time(NULL) + pctx->id_timeout;
++ }
++ 
+ if (ret == EOK) {
+ pam_dom_forwarder(preq);
+ }
+--
+1.7.4
+
diff --git a/0006-IPA-provider-remove-deleted-groups-during-initgroups.patch b/0006-IPA-provider-remove-deleted-groups-during-initgroups.patch
new file mode 100644
index 0000000..69cdb07
--- /dev/null
+++ b/0006-IPA-provider-remove-deleted-groups-during-initgroups.patch
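Review bot: The `pam_timeout` assignment is now guarded by `ret == EOK || ret == ENOENT`, but the comment that moved with it still only says `Make sure we don't go to the ID provider too often`, so a reader has to dig up the commit message to learn why exactly those two values were chosen. I would expand it to `/* Arm the lookup timeout only once the search has finished: EOK (user found) or ENOENT (every domain searched). Other return values leave the timeout untouched so the next request may consult the ID provider again. */`. One consequence worth confirming is that a genuine error from pam_check_user_search() now also leaves the timeout unset, so a persistently failing search reaches the ID provider on every request; if that is intended, say so in the same comment. pam_check_user_dp_callback() begins before the hunk.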
@@ -0,0 +1,168 @@
+From 9ffe746a46b299162c31a3864cb5db8b8518a569 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Fri, 18 Feb 2011 16:23:15 -0500
+Subject: [PATCH 6/6] IPA provider: remove deleted groups during initgroups()
+
+The IPA provider was not properly removing groups in the cache
+that the user was no longer a member of.
+
+https://fedorahosted.org/sssd/ticket/803
+---
+ src/providers/ldap/sdap_async_accounts.c | 115 +++++++++++++++++++++++++++++-
+ 1 files changed, 112 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
+index 5b6d3d74ac1496fe6a4266c327d0111e12e24b64..8e459598674d589c0cdfcece125c183f7c95bb4d 100644
+--- a/src/providers/ldap/sdap_async_accounts.c
++++ b/src/providers/ldap/sdap_async_accounts.c
+@@ -2161,6 +2161,8 @@ struct sdap_initgr_nested_state {
+ struct sss_domain_info *dom;
+ struct sdap_handle *sh;
+ 
++ const char *username;
++ 
+ const char **grp_attrs;
+ 
+ char *filter;
+@@ -2188,7 +2190,8 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
+ struct tevent_req *req, *subreq;
+ struct sdap_initgr_nested_state *state;
+ struct ldb_message_element *el;
+- int i, ret;
++ int i;
++ errno_t ret;
+ 
+ req = tevent_req_create(memctx, &state, struct sdap_initgr_nested_state);
+ if (!req) return NULL;
+@@ -2201,6 +2204,13 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
+ state->grp_attrs = grp_attrs;
+ state->op = NULL;
+ 
++ ret = sysdb_attrs_get_string(user, SYSDB_NAME, &state->username);
++ if (ret != EOK) {
++ DEBUG(1, ("User entry had no username\n"));
++ talloc_free(req);
++ return NULL;
++ }
++ 
+ state->filter = talloc_asprintf(state, "(objectclass=%s)",
+ opts->group_map[SDAP_OC_GROUP].name);
+ if (!state->filter) {
+@@ -2311,13 +2321,112 @@ static void sdap_initgr_nested_search(struct tevent_req *subreq)
+ static void sdap_initgr_nested_store(struct tevent_req *req)
+ {
+ struct sdap_initgr_nested_state 
*state;
+- int ret;
++ errno_t ret, sret;
++ const char *attrs[] = { SYSDB_MEMBEROF, NULL };
++ struct ldb_message *msg;
++ struct ldb_message_element *groups;
++ char **sysdb_grouplist = NULL;
++ char **ldap_grouplist = NULL;
++ char **del_groups;
++ size_t i, count;
+ 
+ state = tevent_req_data(req, struct sdap_initgr_nested_state);
+ 
++ ret = sysdb_transaction_start(state->sysdb);
++ if (ret != EOK) {
++ DEBUG(1, ("Could not create sysdb transaction\n"));
++ goto done;
++ }
++ 
+ ret = sdap_save_groups(state, state->sysdb, state->dom, state->opts,
+ state->groups, state->groups_cur, false, NULL);
+- if (ret) {
++ if (ret != EOK) {
++ goto done;
++ }
++ 
++ /* Get the list of groups this user belongs to */
++ ret = sysdb_search_user_by_name(state, state->sysdb, state->dom,
++ state->username, attrs,
++ &msg);
++ if (ret != EOK) {
++ goto done;
++ }
++ 
++ groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
++ if (!groups || groups->num_values == 0) {
++ /* No groups for this user in sysdb currently, so
++ * nothing to delete. 
++ */
++ ret = EOK;
++ goto done;
++ }
++ 
++ sysdb_grouplist = talloc_array(state, char *, groups->num_values+1);
++ if (!sysdb_grouplist) {
++ ret = ENOMEM;
++ goto done;
++ }
++ 
++ /* Get a list of the groups by name */
++ for (i = 0; i < groups->num_values; i++) {
++ ret = sysdb_group_dn_name(state->sysdb,
++ sysdb_grouplist,
++ (const char *)groups->values[i].data,
++ &sysdb_grouplist[i]);
++ if (ret != EOK) goto done;
++ }
++ sysdb_grouplist[groups->num_values] = NULL;
++ 
++ count = 0;
++ while (state->group_dns[count]) count++;
++ 
++ ldap_grouplist = talloc_array(state, char *, count+1);
++ if (!ldap_grouplist) {
++ ret = ENOMEM;
++ goto done;
++ }
++ 
++ for (i = 0; i < count; i++) {
++ ret = sysdb_group_dn_name(state->sysdb,
++ ldap_grouplist,
++ state->group_dns[i],
++ &ldap_grouplist[i]);
++ if (ret != EOK) goto done;
++ }
++ ldap_grouplist[count] = NULL;
++ 
++ /* Find the differences between the sysdb and LDAP lists
++ * Groups in the sysdb only must be removed.
++ */
++ ret = diff_string_lists(state, ldap_grouplist, sysdb_grouplist,
++ NULL, &del_groups, NULL);
++ if (ret != EOK) goto done;
++ 
++ if (!del_groups || !del_groups[0]) {
++ /* No groups to delete */
++ ret = EOK;
++ goto done;
++ }
++ 
++ ret = sysdb_update_members(state->sysdb, state->dom, state->username,
++ SYSDB_MEMBER_USER, NULL,
++ (const char *const *)del_groups);
++ 
++done:
++ if (ret == EOK) {
++ ret = sysdb_transaction_commit(state->sysdb);
++ if (ret != EOK) {
++ DEBUG(1, ("Could not commit transaction! [%d][%s]\n",
++ ret, strerror(ret)));
++ }
++ }
++ 
++ if (ret != EOK) {
++ sret = sysdb_transaction_cancel(state->sysdb);
++ if (sret != EOK) {
++ DEBUG(0, ("Unable to cancel transaction! [%d][%s]\n",
++ sret, strerror(sret)));
++ }
+ tevent_req_error(req, ret);
+ return;
+ }
+--
+1.7.4
+
diff --git a/sssd.spec b/sssd.spec
index 8d385df..fe2992d 100644
--- a/sssd.spec
+++ b/sssd.spec
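Review bot: In sdap_initgr_nested_store(), the `sysdb_transaction_start()` failure path jumps to `done:` with ret != EOK, where `sysdb_transaction_cancel()` is then called for a transaction that was never opened; every later `goto done` happens after a successful start and is fine, but this first one cancels nothing and will most likely log a misleading "Unable to cancel transaction" on top of the real error. Tracking whether the transaction was actually opened and cancelling only in that case fixes it, and since the same label also commits, the flag has to be set immediately after a successful start. Two smaller points: `(const char *)groups->values[i].data` relies on the memberOf values being NUL-terminated, which appears to hold for sysdb DNs but deserves a comment, and `state->group_dns` has no visible origin in this hunk, so whether it lists the same (nested) memberships that the sysdb memberOf attribute does cannot be checked from here. The function continues past the end of the hunk.
```c
static void sdap_initgr_nested_store(struct tevent_req *req)
{
    struct sdap_initgr_nested_state *state;
    errno_t ret, sret;
    bool in_transaction = false;
    /* … unchanged: remaining local declarations … */

    state = tevent_req_data(req, struct sdap_initgr_nested_state);

    ret = sysdb_transaction_start(state->sysdb);
    if (ret != EOK) {
        DEBUG(1, ("Could not create sysdb transaction\n"));
        goto done;
    }
    in_transaction = true;

    /* … unchanged: group save, memberOf diff, sysdb_update_members … */

done:
    if (ret == EOK) {
        ret = sysdb_transaction_commit(state->sysdb);
        if (ret != EOK) {
            DEBUG(1, ("Could not commit transaction! [%d][%s]\n",
                      ret, strerror(ret)));
        }
    }

    if (ret != EOK) {
        /* Only roll back a transaction that was actually opened */
        if (in_transaction) {
            sret = sysdb_transaction_cancel(state->sysdb);
            if (sret != EOK) {
                DEBUG(0, ("Unable to cancel transaction! [%d][%s]\n",
                          sret, strerror(sret)));
            }
        }
        tevent_req_error(req, ret);
        return;
    }
```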
@@ -5,7 +5,7 @@ Name: sssd
 Version: 1.5.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -17,6 +17,9 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Patch0001: 0001-Sanitize-search-filters-for-nested-group-lookups.patch
 Patch0002: 0002-Fix-module-registration-with-newer-LDB-libraries.patch
 Patch0003: 0003-Make-make-check-look-nice-again.patch
+Patch0004: 0004-Remove-cached-user-entry-if-initgroups-returns-ENOEN.patch
+Patch0005: 0005-Perform-initgroups-lookups-for-all-domains.patch
+Patch0006: 0006-IPA-provider-remove-deleted-groups-during-initgroups.patch
 ### Dependencies ###
@@ -116,6 +119,9 @@ use with ldap_default_authtok_type = obfuscated_password.
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
+%patch0004 -p1
+%patch0005 -p1
+%patch0006 -p1
 %build
 autoreconf -ivf
@@ -276,6 +282,10 @@ fi
 %postun client -p /sbin/ldconfig
 %changelog
+* Mon Feb 21 2011 Stephen Gallagher - 1.5.1-8
+- Resolves: rhbz#677768 - name service caches names, so id command shows
+- recently deleted users
+
 * Fri Feb 11 2011 Stephen Gallagher - 1.5.1-7
 - Ensure that SSSD builds against libldb-1.0.0 on F15 and later
 - Remove .la for memberOf