rpms/sssd
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication

Browse Source 
Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with
                           file from package sssd-common-1.15.1-1.fc25.x86_64
Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4
This commit is contained in:
Lukas Slebodnik 2017-04-29 23:49:49 +02:00
parent 576a19ee5a
commit 7bddea6c90
38 changed files with 3602 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
0099-DP-Fix-typo.patch Normal file
View File

@ -0,0 +1,38 @@
From 6a611406e805a1707ca0b9e86b6aa96e02e43ecc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 6 Apr 2017 11:23:43 +0200
Subject: [PATCH 099/135] DP: Fix typo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/data_provider/dp_target_id.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/providers/data_provider/dp_target_id.c b/src/providers/data_provider/dp_target_id.c
index 0bca9bac27b68a8b905a668992cb8f7650023f65..2088f9529cab83794ac793c7fd5a320f479dbf11 100644
--- a/src/providers/data_provider/dp_target_id.c
+++ b/src/providers/data_provider/dp_target_id.c
@@ -210,7 +210,7 @@ static errno_t dp_initgroups(struct sbus_request *sbus_req,
ret = sysdb_initgroups(sbus_req, domain, data->filter_value, &res);
if (ret == ENOENT || (ret == EOK && res->count == 0)) {
- /* There is no point in concacting NSS responder. Proceed as usual. */
+ /* There is no point in contacting NSS responder. Proceed as usual. */
return EAGAIN;
} else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get initgroups [%d]: %s\n",
@@ -274,7 +274,7 @@ errno_t dp_get_account_info_handler(struct sbus_request *sbus_req,
}
if ((data->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
- ret = dp_initgroups(sbus_req, dp_cli, key, dp_flags, data);
+ ret = dp_initgroups(sbus_req, dp_cli, key, dp_flags, data);
if (ret != EAGAIN) {
goto done;
}
--
2.12.2

77
0100-CONFDB-Fix-handling-of-enable_files_domain.patch Normal file
View File

@ -0,0 +1,77 @@
From 3509bb03ecef49264820c9e287e8b2c7e0a8a508 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 5 Apr 2017 14:04:46 +0200
Subject: [PATCH 100/135] CONFDB: Fix handling of enable_files_domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The option enable_files_domain worked only if sssd
was compiled with --enable-files-domain. But manual page described
something else.
Resolves:
https://pagure.io/SSSD/sssd/issue/3340
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/confdb/confdb.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 88e114457deac3ca50c291a131122624fb6f6fe4..68693e8382c0fbf1015ee47f14fa7c6f64ae98b2 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1695,7 +1695,6 @@ done:
return ret;
}
-#ifdef ADD_FILES_DOMAIN
static int confdb_has_files_domain(struct confdb_ctx *cdb)
{
TALLOC_CTX *tmp_ctx = NULL;
@@ -1830,25 +1829,27 @@ done:
talloc_free(tmp_ctx);
return ret;
}
-#endif /* ADD_FILES_DOMAIN */
int confdb_ensure_files_domain(struct confdb_ctx *cdb,
const char *implicit_files_dom_name)
{
-#ifndef ADD_FILES_DOMAIN
- return EOK;
+#ifdef ADD_FILES_DOMAIN
+ const bool default_enable_files = true;
#else
+ const bool default_enable_files = false;
+#endif
errno_t ret;
bool enable_files;
ret = confdb_get_bool(cdb,
CONFDB_MONITOR_CONF_ENTRY,
CONFDB_MONITOR_ENABLE_FILES_DOM,
- true, &enable_files);
+ default_enable_files, &enable_files);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot get the value of %s assuming true\n",
- CONFDB_MONITOR_ENABLE_FILES_DOM);
+ "Cannot get the value of %s assuming %s\n",
+ CONFDB_MONITOR_ENABLE_FILES_DOM,
+ default_enable_files ? "true" : "false");
return ret;
}
@@ -1874,7 +1875,6 @@ int confdb_ensure_files_domain(struct confdb_ctx *cdb,
}
return activate_files_domain(cdb, implicit_files_dom_name);
-#endif /* ADD_FILES_DOMAIN */
}
static int confdb_get_parent_domain(TALLOC_CTX *mem_ctx,
--
2.12.2

104
0101-pam_test_client-add-service-and-environment-to-PAM-t.patch Normal file
View File

@ -0,0 +1,104 @@
From 7be6624d9eda369e9a4d70c8ee4939b3622229b3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 24 Jan 2017 14:50:20 +0100
Subject: [PATCH 101/135] pam_test_client: add service and environment to PAM
test client
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related to https://pagure.io/SSSD/sssd/issue/3292
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sss_client/pam_test_client.c | 50 ++++++++++++++++++++++++++++++----------
1 file changed, 38 insertions(+), 12 deletions(-)
diff --git a/src/sss_client/pam_test_client.c b/src/sss_client/pam_test_client.c
index 29d1fcbf01682668d51bf154736aec673bd46501..ea032a75b195a9bf8078ed7d248da154ab0c8430 100644
--- a/src/sss_client/pam_test_client.c
+++ b/src/sss_client/pam_test_client.c
@@ -48,34 +48,44 @@ static struct pam_conv conv = {
# error "Missing text based pam conversation function"
#endif
+#define DEFAULT_ACTION "acct"
+#define DEFAULT_SERVICE "system-auth"
+
int main(int argc, char *argv[]) {
pam_handle_t *pamh;
char *user;
char *action;
+ char *service;
int ret;
+ size_t c;
+ char **pam_env;
if (argc == 1) {
- fprintf(stderr, "missing action and user name, using default\n");
- action = strdup("auth");
- user = strdup("dummy");
+ fprintf(stderr, "Usage: pam_test_client USERNAME "
+ "[auth|acct|setc|chau|open|clos] [pam_service]\n");
+ return 0;
} else if (argc == 2) {
- fprintf(stdout, "using first argument as action and default user name\n");
- action = strdup(argv[1]);
- user = strdup("dummy");
- } else {
- action = strdup(argv[1]);
- user = strdup(argv[2]);
+ fprintf(stderr, "using first argument as user name and default action "
+ "and service\n");
+ } else if (argc == 3) {
+ fprintf(stderr, "using first argument as user name, second as action "
+ "and default service\n");
}
- if (action == NULL || user == NULL) {
+ user = strdup(argv[1]);
+ action = argc > 2 ? strdup(argv[2]) : strdup(DEFAULT_ACTION);
+ service = argc > 3 ? strdup(argv[3]) : strdup(DEFAULT_SERVICE);
+
+ if (action == NULL || user == NULL || service == NULL) {
fprintf(stderr, "Out of memory!\n");
return 1;
}
- fprintf(stdout, "action: %s\nuser: %s\n", action,user);
+ fprintf(stdout, "user: %s\naction: %s\nservice: %s\n",
+ user, action, service);
- ret = pam_start("sss_test", user, &conv, &pamh);
+ ret = pam_start(service, user, &conv, &pamh);
if (ret != PAM_SUCCESS) {
fprintf(stderr, "pam_start failed: %s\n", pam_strerror(pamh, ret));
return 1;
@@ -109,7 +119,23 @@ int main(int argc, char *argv[]) {
fprintf(stderr, "unknown action\n");
}
+ fprintf(stderr, "PAM Environment:\n");
+ pam_env = pam_getenvlist(pamh);
+ if (pam_env != NULL && pam_env[0] != NULL) {
+ for (c = 0; pam_env[c] != NULL; c++) {
+ fprintf(stderr, " - %s\n", pam_env[c]);
+ free(pam_env[c]);
+ }
+ } else {
+ fprintf(stderr, " - no env -\n");
+ }
+ free(pam_env);
+
pam_end(pamh, ret);
+ free(user);
+ free(action);
+ free(service);
+
return 0;
}
--
2.12.2

141
0102-pam_test_client-add-SSSD-getpwnam-lookup.patch Normal file
View File

@ -0,0 +1,141 @@
From 435b3678de25d22eb8a6e892109d26c32f0760a4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 25 Jan 2017 16:50:00 +0100
Subject: [PATCH 102/135] pam_test_client: add SSSD getpwnam lookup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related to https://pagure.io/SSSD/sssd/issue/3292
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 10 ++++--
src/sss_client/pam_test_client.c | 76 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 84 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index d45c0ff757dfae378c71c6f8850fddce2c61cad8..7aca5b86f1275e89ae73f5594887f515773c2058 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3461,8 +3461,14 @@ if BUILD_WITH_LIBCURL
noinst_PROGRAMS += tcurl-test-tool
endif
-pam_test_client_SOURCES = src/sss_client/pam_test_client.c
-pam_test_client_LDADD = $(PAM_LIBS) $(PAM_MISC_LIBS)
+pam_test_client_SOURCES = \
+ src/sss_client/pam_test_client.c \
+ $(NULL)
+pam_test_client_LDADD = \
+ $(PAM_LIBS) \
+ $(PAM_MISC_LIBS) \
+ $(LIBADD_DL) \
+ $(NULL)
if BUILD_AUTOFS
autofs_test_client_SOURCES = \
diff --git a/src/sss_client/pam_test_client.c b/src/sss_client/pam_test_client.c
index ea032a75b195a9bf8078ed7d248da154ab0c8430..69af612270492968b56d1c11de2bf56ebf57471f 100644
--- a/src/sss_client/pam_test_client.c
+++ b/src/sss_client/pam_test_client.c
@@ -25,6 +25,11 @@
#include <stdio.h>
#include <unistd.h>
#include <string.h>
+#include <dlfcn.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <nss.h>
+#include <errno.h>
#include <security/pam_appl.h>
@@ -51,6 +56,70 @@ static struct pam_conv conv = {
#define DEFAULT_ACTION "acct"
#define DEFAULT_SERVICE "system-auth"
+#define DEFAULT_BUFSIZE 4096
+
+static int sss_getpwnam_check(const char *user)
+{
+ void *dl_handle = NULL;
+ enum nss_status (*sss_getpwnam_r)(const char *name, struct passwd *result,
+ char *buffer, size_t buflen,
+ int *errnop);
+ struct passwd pwd = { 0 };
+ enum nss_status status;
+ char *buffer = NULL;
+ size_t buflen;
+ int nss_errno;
+ int ret;
+
+ dl_handle = dlopen("libnss_sss.so.2", RTLD_NOW);
+ if (dl_handle == NULL) {
+ fprintf(stderr, "dlopen failed with [%s].\n", dlerror());
+ ret = EIO;
+ goto done;
+ }
+
+ sss_getpwnam_r = dlsym(dl_handle, "_nss_sss_getpwnam_r");
+ if (sss_getpwnam_r == NULL) {
+ fprintf(stderr, "dlsym failed with [%s].\n", dlerror());
+ ret = EIO;
+ goto done;
+ }
+
+ buflen = DEFAULT_BUFSIZE;
+ buffer = malloc(buflen);
+ if (buffer == NULL) {
+ fprintf(stderr, "malloc failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ status = sss_getpwnam_r(user, &pwd, buffer, buflen, &nss_errno);
+ if (status != NSS_STATUS_SUCCESS) {
+ fprintf(stderr, "sss_getpwnam_r failed with [%d].\n", status);
+ ret = EIO;
+ goto done;
+ }
+
+ fprintf(stdout, "SSSD nss user lookup result:\n");
+ fprintf(stdout, " - user name: %s\n", pwd.pw_name);
+ fprintf(stdout, " - user id: %d\n", pwd.pw_uid);
+ fprintf(stdout, " - group id: %d\n", pwd.pw_gid);
+ fprintf(stdout, " - gecos: %s\n", pwd.pw_gecos);
+ fprintf(stdout, " - home directory: %s\n", pwd.pw_dir);
+ fprintf(stdout, " - shell: %s\n", pwd.pw_shell);
+
+ ret = 0;
+
+done:
+ if (dl_handle != NULL) {
+ dlclose(dl_handle);
+ }
+
+ free(buffer);
+
+ return ret;
+}
+
int main(int argc, char *argv[]) {
pam_handle_t *pamh;
@@ -85,6 +154,13 @@ int main(int argc, char *argv[]) {
fprintf(stdout, "user: %s\naction: %s\nservice: %s\n",
user, action, service);
+ if (*user != '\0') {
+ ret = sss_getpwnam_check(user);
+ if (ret != 0) {
+ fprintf(stderr, "User name lookup with [%s] failed.\n", user);
+ }
+ }
+
ret = pam_start(service, user, &conv, &pamh);
if (ret != PAM_SUCCESS) {
fprintf(stderr, "pam_start failed: %s\n", pam_strerror(pamh, ret));
--
2.12.2

53
0103-sss_sifp-update-method-names.patch Normal file
View File

@ -0,0 +1,53 @@
From 40ff10d73063949ca699670ca212e96b809d5fcd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 16 Mar 2017 11:37:41 +0100
Subject: [PATCH 103/135] sss_sifp: update method names
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related to https://pagure.io/SSSD/sssd/issue/3292
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 2 +-
src/lib/sifp/sss_sifp_common.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 7aca5b86f1275e89ae73f5594887f515773c2058..6f143000c2459d25f18b013b155248c9ddf93120 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1221,7 +1221,7 @@ libsss_simpleifp_la_LIBADD = \
$(DHASH_LIBS)
libsss_simpleifp_la_LDFLAGS = \
-Wl,--version-script,$(srcdir)/src/lib/sifp/sss_simpleifp.exports \
- -version-info 1:0:1
+ -version-info 1:1:1
dist_noinst_DATA += src/lib/sifp/sss_simpleifp.exports
diff --git a/src/lib/sifp/sss_sifp_common.c b/src/lib/sifp/sss_sifp_common.c
index bd1dc6a3108329d2c795dc0a259637e71964be9f..8913d0be3d43bd8707829001a5b476d9ab864fd8 100644
--- a/src/lib/sifp/sss_sifp_common.c
+++ b/src/lib/sifp/sss_sifp_common.c
@@ -168,7 +168,7 @@ sss_sifp_fetch_user_by_uid(sss_sifp_ctx *ctx,
uint64_t _uid = uid;
return sss_sifp_fetch_object_by_attr(ctx, IFP_PATH_USERS, IFACE_IFP_USERS,
- IFACE_IFP_USERS_USER, "UserByID",
+ IFACE_IFP_USERS_USER, "ByID",
DBUS_TYPE_UINT64, &_uid, _user);
}
@@ -178,6 +178,6 @@ sss_sifp_fetch_user_by_name(sss_sifp_ctx *ctx,
sss_sifp_object **_user)
{
return sss_sifp_fetch_object_by_name(ctx, IFP_PATH_USERS, IFACE_IFP_USERS,
- IFACE_IFP_USERS_USER, "UserByName",
+ IFACE_IFP_USERS_USER, "ByName",
name, _user);
}
--
2.12.2

130
0104-pam_test_client-add-InfoPipe-user-lookup.patch Normal file
View File

@ -0,0 +1,130 @@
From 9be97c9cc69e5e6e568d7e21f61a46c3ae2dc387 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 16 Mar 2017 11:38:20 +0100
Subject: [PATCH 104/135] pam_test_client: add InfoPipe user lookup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related to https://pagure.io/SSSD/sssd/issue/3292
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 1 +
src/sss_client/pam_test_client.c | 71 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 72 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 6f143000c2459d25f18b013b155248c9ddf93120..05a5ae89cbe5dccf39ce9bdfd95c1b115a64c768 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3468,6 +3468,7 @@ pam_test_client_LDADD = \
$(PAM_LIBS) \
$(PAM_MISC_LIBS) \
$(LIBADD_DL) \
+ libsss_simpleifp.la \
$(NULL)
if BUILD_AUTOFS
diff --git a/src/sss_client/pam_test_client.c b/src/sss_client/pam_test_client.c
index 69af612270492968b56d1c11de2bf56ebf57471f..40ef3f6d480c0108c985fce7e34e983d145f237e 100644
--- a/src/sss_client/pam_test_client.c
+++ b/src/sss_client/pam_test_client.c
@@ -30,9 +30,12 @@
#include <pwd.h>
#include <nss.h>
#include <errno.h>
+#include <inttypes.h>
#include <security/pam_appl.h>
+#include "lib/sifp/sss_sifp.h"
+
#ifdef HAVE_SECURITY_PAM_MISC_H
# include <security/pam_misc.h>
#elif defined(HAVE_SECURITY_OPENPAM_H)
@@ -58,6 +61,69 @@ static struct pam_conv conv = {
#define DEFAULT_BUFSIZE 4096
+static int get_ifp_user(const char *user)
+{
+ sss_sifp_ctx *sifp;
+ sss_sifp_error error;
+ sss_sifp_object *user_obj;
+ const char *tmp_str;
+ uint32_t tmp_uint32;
+ size_t c;
+
+ struct ifp_user_attr {
+ const char *name;
+ bool is_string;
+ } ifp_user_attr[] = {
+ { "name", true },
+ { "uidNumber", false },
+ { "gidNumber", false },
+ { "gecos", true },
+ { "homeDirectory", true },
+ { "loginShell", true },
+ { NULL, false }
+ };
+
+ error = sss_sifp_init(&sifp);
+ if (error != SSS_SIFP_OK) {
+ fprintf(stderr, "Unable to connect to the InfoPipe");
+ return EFAULT;
+ }
+
+ error = sss_sifp_fetch_user_by_name(sifp, user, &user_obj);
+ if (error != SSS_SIFP_OK) {
+ fprintf(stderr, "Unable to get user object");
+ return EIO;
+ }
+
+ fprintf(stdout, "SSSD InfoPipe user lookup result:\n");
+ for (c = 0; ifp_user_attr[c].name != NULL; c++) {
+ if (ifp_user_attr[c].is_string) {
+ error = sss_sifp_find_attr_as_string(user_obj->attrs,
+ ifp_user_attr[c].name,
+ &tmp_str);
+ } else {
+ error = sss_sifp_find_attr_as_uint32(user_obj->attrs,
+ ifp_user_attr[c].name,
+ &tmp_uint32);
+ }
+ if (error != SSS_SIFP_OK) {
+ fprintf(stderr, "Unable to get user name attr");
+ return EIO;
+ }
+
+ if (ifp_user_attr[c].is_string) {
+ fprintf(stdout, " - %s: %s\n", ifp_user_attr[c].name, tmp_str);
+ } else {
+ fprintf(stdout, " - %s: %"PRIu32"\n", ifp_user_attr[c].name,
+ tmp_uint32);
+ }
+ }
+
+ sss_sifp_free_object(sifp, &user_obj);
+ sss_sifp_free(&sifp);
+ return 0;
+}
+
static int sss_getpwnam_check(const char *user)
{
void *dl_handle = NULL;
@@ -159,6 +225,11 @@ int main(int argc, char *argv[]) {
if (ret != 0) {
fprintf(stderr, "User name lookup with [%s] failed.\n", user);
}
+
+ ret = get_ifp_user(user);
+ if (ret != 0) {
+ fprintf(stderr, "InforPipe User lookup with [%s] failed.\n", user);
+ }
}
ret = pam_start(service, user, &conv, &pamh);
--
2.12.2

358
0105-sssctl-integrate-pam_test_client-into-sssctl.patch Normal file
View File

@ -0,0 +1,358 @@
From 4a9160e2b3b9c531e2b4a7884f49bfbb4a07a992 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 30 Mar 2017 16:21:15 +0200
Subject: [PATCH 105/135] sssctl: integrate pam_test_client into sssctl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 16 +--
po/POTFILES.in | 1 -
src/tools/sssctl/sssctl.c | 1 +
src/tools/sssctl/sssctl.h | 4 +
.../sssctl/sssctl_user_checks.c} | 122 +++++++++++----------
5 files changed, 72 insertions(+), 72 deletions(-)
rename src/{sss_client/pam_test_client.c => tools/sssctl/sssctl_user_checks.c} (62%)
diff --git a/Makefile.am b/Makefile.am
index 05a5ae89cbe5dccf39ce9bdfd95c1b115a64c768..c947e31e5530c842d0d0024a5825ddd7b593d518 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1724,11 +1724,15 @@ sssctl_SOURCES = \
src/tools/sssctl/sssctl_domains.c \
src/tools/sssctl/sssctl_sifp.c \
src/tools/sssctl/sssctl_config.c \
+ src/tools/sssctl/sssctl_user_checks.c \
$(SSSD_TOOLS_OBJ) \
$(NULL)
sssctl_LDADD = \
$(TOOLS_LIBS) \
$(SSSD_INTERNAL_LTLIBS) \
+ $(PAM_LIBS) \
+ $(PAM_MISC_LIBS) \
+ $(LIBADD_DL) \
libsss_simpleifp.la \
$(NULL)
sssctl_CFLAGS = \
@@ -3450,7 +3454,7 @@ endif # BUILD_KCM
endif # HAVE_CMOCKA
-noinst_PROGRAMS = pam_test_client
+noinst_PROGRAMS =
if BUILD_SUDO
noinst_PROGRAMS += sss_sudo_cli
endif
@@ -3461,16 +3465,6 @@ if BUILD_WITH_LIBCURL
noinst_PROGRAMS += tcurl-test-tool
endif
-pam_test_client_SOURCES = \
- src/sss_client/pam_test_client.c \
- $(NULL)
-pam_test_client_LDADD = \
- $(PAM_LIBS) \
- $(PAM_MISC_LIBS) \
- $(LIBADD_DL) \
- libsss_simpleifp.la \
- $(NULL)
-
if BUILD_AUTOFS
autofs_test_client_SOURCES = \
src/sss_client/autofs/autofs_test_client.c \
diff --git a/po/POTFILES.in b/po/POTFILES.in
index ee532def223fdd5db632ad98fd11a57e38d0e125..f4e4e095f9e4025d129b6b13422bdd0bc07c8e1a 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -9,7 +9,6 @@ src/sss_client/common.c
src/sss_client/nss_group.c
src/sss_client/nss_passwd.c
src/sss_client/pam_sss.c
-src/sss_client/pam_test_client.c
src/sss_client/ssh/sss_ssh_authorizedkeys.c
src/sss_client/ssh/sss_ssh_knownhostsproxy.c
src/tools/sss_useradd.c
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
index e1cf46382cd1dee54cd372ca500368f149411b78..509d2e1a00d3b57b541590ce7db5f94d2ff43add 100644
--- a/src/tools/sssctl/sssctl.c
+++ b/src/tools/sssctl/sssctl.c
@@ -263,6 +263,7 @@ int main(int argc, const char **argv)
SSS_TOOL_DELIMITER("SSSD Status:"),
SSS_TOOL_COMMAND("domain-list", "List available domains", 0, sssctl_domain_list),
SSS_TOOL_COMMAND("domain-status", "Print information about domain", 0, sssctl_domain_status),
+ SSS_TOOL_COMMAND("user-checks", "Print information about a user and check authentication", 0, sssctl_user_checks),
SSS_TOOL_DELIMITER("Information about cached content:"),
SSS_TOOL_COMMAND("user-show", "Information about cached user", 0, sssctl_user_show),
SSS_TOOL_COMMAND("group-show", "Information about cached group", 0, sssctl_group_show),
diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
index 5270a9ec62dfb288511af179a99e9a542ea26ec4..22626e2210252e5e3fadeb6c5d01d4620cd60e5b 100644
--- a/src/tools/sssctl/sssctl.h
+++ b/src/tools/sssctl/sssctl.h
@@ -121,4 +121,8 @@ errno_t sssctl_netgroup_show(struct sss_cmdline *cmdline,
errno_t sssctl_config_check(struct sss_cmdline *cmdline,
struct sss_tool_ctx *tool_ctx,
void *pvt);
+
+errno_t sssctl_user_checks(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
#endif /* _SSSCTL_H_ */
diff --git a/src/sss_client/pam_test_client.c b/src/tools/sssctl/sssctl_user_checks.c
similarity index 62%
rename from src/sss_client/pam_test_client.c
rename to src/tools/sssctl/sssctl_user_checks.c
index 40ef3f6d480c0108c985fce7e34e983d145f237e..7c7b564bd29100382c9bbef7a3131c379e9aa97e 100644
--- a/src/sss_client/pam_test_client.c
+++ b/src/tools/sssctl/sssctl_user_checks.c
@@ -35,6 +35,9 @@
#include <security/pam_appl.h>
#include "lib/sifp/sss_sifp.h"
+#include "util/util.h"
+#include "tools/common/sss_tools.h"
+#include "tools/sssctl/sssctl.h"
#ifdef HAVE_SECURITY_PAM_MISC_H
# include <security/pam_misc.h>
@@ -85,17 +88,17 @@ static int get_ifp_user(const char *user)
error = sss_sifp_init(&sifp);
if (error != SSS_SIFP_OK) {
- fprintf(stderr, "Unable to connect to the InfoPipe");
+ fprintf(stderr, _("Unable to connect to the InfoPipe"));
return EFAULT;
}
error = sss_sifp_fetch_user_by_name(sifp, user, &user_obj);
if (error != SSS_SIFP_OK) {
- fprintf(stderr, "Unable to get user object");
+ fprintf(stderr, _("Unable to get user object"));
return EIO;
}
- fprintf(stdout, "SSSD InfoPipe user lookup result:\n");
+ fprintf(stdout, _("SSSD InfoPipe user lookup result:\n"));
for (c = 0; ifp_user_attr[c].name != NULL; c++) {
if (ifp_user_attr[c].is_string) {
error = sss_sifp_find_attr_as_string(user_obj->attrs,
@@ -107,7 +110,7 @@ static int get_ifp_user(const char *user)
&tmp_uint32);
}
if (error != SSS_SIFP_OK) {
- fprintf(stderr, "Unable to get user name attr");
+ fprintf(stderr, _("Unable to get user name attr"));
return EIO;
}
@@ -118,6 +121,7 @@ static int get_ifp_user(const char *user)
tmp_uint32);
}
}
+ fprintf(stdout, "\n");
sss_sifp_free_object(sifp, &user_obj);
sss_sifp_free(&sifp);
@@ -139,14 +143,14 @@ static int sss_getpwnam_check(const char *user)
dl_handle = dlopen("libnss_sss.so.2", RTLD_NOW);
if (dl_handle == NULL) {
- fprintf(stderr, "dlopen failed with [%s].\n", dlerror());
+ fprintf(stderr, _("dlopen failed with [%s].\n"), dlerror());
ret = EIO;
goto done;
}
sss_getpwnam_r = dlsym(dl_handle, "_nss_sss_getpwnam_r");
if (sss_getpwnam_r == NULL) {
- fprintf(stderr, "dlsym failed with [%s].\n", dlerror());
+ fprintf(stderr, _("dlsym failed with [%s].\n"), dlerror());
ret = EIO;
goto done;
}
@@ -154,25 +158,25 @@ static int sss_getpwnam_check(const char *user)
buflen = DEFAULT_BUFSIZE;
buffer = malloc(buflen);
if (buffer == NULL) {
- fprintf(stderr, "malloc failed.\n");
+ fprintf(stderr, _("malloc failed.\n"));
ret = ENOMEM;
goto done;
}
status = sss_getpwnam_r(user, &pwd, buffer, buflen, &nss_errno);
if (status != NSS_STATUS_SUCCESS) {
- fprintf(stderr, "sss_getpwnam_r failed with [%d].\n", status);
+ fprintf(stderr, _("sss_getpwnam_r failed with [%d].\n"), status);
ret = EIO;
goto done;
}
- fprintf(stdout, "SSSD nss user lookup result:\n");
- fprintf(stdout, " - user name: %s\n", pwd.pw_name);
- fprintf(stdout, " - user id: %d\n", pwd.pw_uid);
- fprintf(stdout, " - group id: %d\n", pwd.pw_gid);
- fprintf(stdout, " - gecos: %s\n", pwd.pw_gecos);
- fprintf(stdout, " - home directory: %s\n", pwd.pw_dir);
- fprintf(stdout, " - shell: %s\n", pwd.pw_shell);
+ fprintf(stdout, _("SSSD nss user lookup result:\n"));
+ fprintf(stdout, _(" - user name: %s\n"), pwd.pw_name);
+ fprintf(stdout, _(" - user id: %d\n"), pwd.pw_uid);
+ fprintf(stdout, _(" - group id: %d\n"), pwd.pw_gid);
+ fprintf(stdout, _(" - gecos: %s\n"), pwd.pw_gecos);
+ fprintf(stdout, _(" - home directory: %s\n"), pwd.pw_dir);
+ fprintf(stdout, _(" - shell: %s\n\n"), pwd.pw_shell);
ret = 0;
@@ -186,87 +190,89 @@ done:
return ret;
}
-int main(int argc, char *argv[]) {
+errno_t sssctl_user_checks(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
pam_handle_t *pamh;
- char *user;
- char *action;
- char *service;
+ const char *user = NULL;
+ const char *action = DEFAULT_ACTION;
+ const char *service = DEFAULT_SERVICE;
int ret;
size_t c;
char **pam_env;
- if (argc == 1) {
- fprintf(stderr, "Usage: pam_test_client USERNAME "
- "[auth|acct|setc|chau|open|clos] [pam_service]\n");
- return 0;
- } else if (argc == 2) {
- fprintf(stderr, "using first argument as user name and default action "
- "and service\n");
- } else if (argc == 3) {
- fprintf(stderr, "using first argument as user name, second as action "
- "and default service\n");
- }
-
- user = strdup(argv[1]);
- action = argc > 2 ? strdup(argv[2]) : strdup(DEFAULT_ACTION);
- service = argc > 3 ? strdup(argv[3]) : strdup(DEFAULT_SERVICE);
+ /* Parse command line. */
+ struct poptOption options[] = {
+ { "action", 'a', POPT_ARG_STRING, &action, 0,
+ _("PAM action [auth|acct|setc|chau|open|clos], default: "
+ DEFAULT_ACTION), NULL },
+ { "service", 's', POPT_ARG_STRING, &service, 0,
+ _("PAM service, default: " DEFAULT_SERVICE), NULL },
+ POPT_TABLEEND
+ };
- if (action == NULL || user == NULL || service == NULL) {
- fprintf(stderr, "Out of memory!\n");
- return 1;
+ ret = sss_tool_popt_ex(cmdline, options, SSS_TOOL_OPT_OPTIONAL,
+ NULL, NULL, "USERNAME", _("Specify user name."),
+ &user, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+ return ret;
}
- fprintf(stdout, "user: %s\naction: %s\nservice: %s\n",
+ fprintf(stdout, _("user: %s\naction: %s\nservice: %s\n\n"),
user, action, service);
if (*user != '\0') {
ret = sss_getpwnam_check(user);
if (ret != 0) {
- fprintf(stderr, "User name lookup with [%s] failed.\n", user);
+ fprintf(stderr, _("User name lookup with [%s] failed.\n"), user);
}
ret = get_ifp_user(user);
if (ret != 0) {
- fprintf(stderr, "InforPipe User lookup with [%s] failed.\n", user);
+ fprintf(stderr, _("InforPipe User lookup with [%s] failed.\n"),
+ user);
}
}
ret = pam_start(service, user, &conv, &pamh);
if (ret != PAM_SUCCESS) {
- fprintf(stderr, "pam_start failed: %s\n", pam_strerror(pamh, ret));
+ fprintf(stderr, _("pam_start failed: %s\n"), pam_strerror(pamh, ret));
return 1;
}
if ( strncmp(action, "auth", 4)== 0 ) {
- fprintf(stdout, "testing pam_authenticate\n");
+ fprintf(stdout, _("testing pam_authenticate\n\n"));
ret = pam_authenticate(pamh, 0);
- fprintf(stderr, "pam_authenticate: %s\n", pam_strerror(pamh, ret));
+ fprintf(stderr, _("pam_authenticate: %s\n\n"), pam_strerror(pamh, ret));
} else if ( strncmp(action, "chau", 4)== 0 ) {
- fprintf(stdout, "testing pam_chauthtok\n");
+ fprintf(stdout, _("testing pam_chauthtok\n\n"));
ret = pam_chauthtok(pamh, 0);
- fprintf(stderr, "pam_chauthtok: %s\n", pam_strerror(pamh, ret));
+ fprintf(stderr, _("pam_chauthtok: %s\n\n"), pam_strerror(pamh, ret));
} else if ( strncmp(action, "acct", 4)== 0 ) {
- fprintf(stdout, "testing pam_acct_mgmt\n");
+ fprintf(stdout, _("testing pam_acct_mgmt\n\n"));
ret = pam_acct_mgmt(pamh, 0);
- fprintf(stderr, "pam_acct_mgmt: %s\n", pam_strerror(pamh, ret));
+ fprintf(stderr, _("pam_acct_mgmt: %s\n\n"), pam_strerror(pamh, ret));
} else if ( strncmp(action, "setc", 4)== 0 ) {
- fprintf(stdout, "testing pam_setcred\n");
+ fprintf(stdout, _("testing pam_setcred\n\n"));
ret = pam_setcred(pamh, 0);
- fprintf(stderr, "pam_setcred: %d[%s]\n", ret, pam_strerror(pamh, ret));
+ fprintf(stderr, _("pam_setcred: [%s]\n\n"), pam_strerror(pamh, ret));
} else if ( strncmp(action, "open", 4)== 0 ) {
- fprintf(stdout, "testing pam_open_session\n");
+ fprintf(stdout, _("testing pam_open_session\n\n"));
ret = pam_open_session(pamh, 0);
- fprintf(stderr, "pam_open_session: %s\n", pam_strerror(pamh, ret));
+ fprintf(stderr, _("pam_open_session: %s\n\n"), pam_strerror(pamh, ret));
} else if ( strncmp(action, "clos", 4)== 0 ) {
- fprintf(stdout, "testing pam_close_session\n");
+ fprintf(stdout, _("testing pam_close_session\n\n"));
ret = pam_close_session(pamh, 0);
- fprintf(stderr, "pam_close_session: %s\n", pam_strerror(pamh, ret));
+ fprintf(stderr, _("pam_close_session: %s\n\n"),
+ pam_strerror(pamh, ret));
} else {
- fprintf(stderr, "unknown action\n");
+ fprintf(stderr, _("unknown action\n"));
}
- fprintf(stderr, "PAM Environment:\n");
+ fprintf(stderr, _("PAM Environment:\n"));
pam_env = pam_getenvlist(pamh);
if (pam_env != NULL && pam_env[0] != NULL) {
for (c = 0; pam_env[c] != NULL; c++) {
@@ -274,15 +280,11 @@ int main(int argc, char *argv[]) {
free(pam_env[c]);
}
} else {
- fprintf(stderr, " - no env -\n");
+ fprintf(stderr, _(" - no env -\n"));
}
free(pam_env);
pam_end(pamh, ret);
- free(user);
- free(action);
- free(service);
-
return 0;
}
--
2.12.2

33
0106-i18n-adding-sssctl-files.patch Normal file
View File

@ -0,0 +1,33 @@
From dbeae483464e42238a84c6a5b8c3c4f5312ae643 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Apr 2017 14:24:10 +0200
Subject: [PATCH 106/135] i18n: adding sssctl files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
po/POTFILES.in | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/po/POTFILES.in b/po/POTFILES.in
index f4e4e095f9e4025d129b6b13422bdd0bc07c8e1a..33e7ed7f9e9bc19f33fca8a1f2649b69b79a882f 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -23,4 +23,12 @@ src/tools/sss_cache.c
src/tools/sss_debuglevel.c
src/tools/tools_util.c
src/tools/tools_util.h
+src/tools/sssctl/sssctl.c
+src/tools/sssctl/sssctl_cache.c
+src/tools/sssctl/sssctl_config.c
+src/tools/sssctl/sssctl_data.c
+src/tools/sssctl/sssctl_domains.c
+src/tools/sssctl/sssctl_logs.c
+src/tools/sssctl/sssctl_sifp.c
+src/tools/sssctl/sssctl_user_checks.c
src/util/util.h
--
2.12.2

38
0107-config-check-Message-when-sssd.conf-is-missing.patch Normal file
View File

@ -0,0 +1,38 @@
From 955574eeb3a3b937abc3df150e9bbbb79b75c889 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Tue, 14 Mar 2017 15:43:41 +0100
Subject: [PATCH 107/135] config-check: Message when sssd.conf is missing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sssctl config-check should print a message for user
if no sssd.conf was found.
Resolves:
https://pagure.io/SSSD/sssd/issue/3330
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/tools/sssctl/sssctl_config.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c
index 630df3c8ff5368ef253bb9753380e94c8c0a307d..7e3ebf5428ce3fef232eee7334c7fd90e904b2d3 100644
--- a/src/tools/sssctl/sssctl_config.c
+++ b/src/tools/sssctl/sssctl_config.c
@@ -63,7 +63,10 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
/* Open config file */
ret = sss_ini_config_file_open(init_data, SSSD_CONFIG_FILE);
- if (ret != EOK) {
+ if (ret == ENOENT) {
+ ERROR("File %1$s does not exist.\n", SSSD_CONFIG_FILE);
+ goto done;
+ } else if (ret != EOK) {
DEBUG(SSSDBG_TRACE_FUNC,
"sss_ini_config_file_open failed: %s [%d]\n",
sss_strerror(ret),
--
2.12.2

89
0108-KRB5_LOCATOR-add-env-variable-to-disable-plugin.patch Normal file
View File

@ -0,0 +1,89 @@
From 1193f20a8267e506d863b27c74870c86c085902b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 17 Nov 2016 10:55:43 +0100
Subject: [PATCH 108/135] KRB5_LOCATOR: add env variable to disable plugin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the new environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any
value SSSD's krb5 locator plugin is disabled. The variable is needed
because there is currently no other way than removing the plugin
completely to disable it. For a use-case see e.g.
https://bugzilla.redhat.com/show_bug.cgi?id=1072939.
Resolves:
https://pagure.io/SSSD/sssd/issue/3359
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/krb5_plugin/sssd_krb5_locator_plugin.c | 15 +++++++++++++++
src/man/sssd_krb5_locator_plugin.8.xml | 5 +++++
2 files changed, 20 insertions(+)
diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c
index aa8d387a5d0be302e5cc98ddcf10ebce6957f3a5..7c17fcb33373293fbbbe2be967dca57b31ef13de 100644
--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c
+++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c
@@ -45,6 +45,7 @@
#define BUFSIZE 512
#define PORT_STR_SIZE 7
#define SSSD_KRB5_LOCATOR_DEBUG "SSSD_KRB5_LOCATOR_DEBUG"
+#define SSSD_KRB5_LOCATOR_DISABLE "SSSD_KRB5_LOCATOR_DISABLE"
#define DEBUG_KEY "[sssd_krb5_locator] "
#define PLUGIN_DEBUG(body) do { \
if (ctx->debug) { \
@@ -59,6 +60,7 @@ struct sssd_ctx {
char *kpasswd_addr;
uint16_t kpasswd_port;
bool debug;
+ bool disabled;
};
void plugin_debug_fn(const char *format, ...)
@@ -232,6 +234,14 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context,
PLUGIN_DEBUG(("sssd_krb5_locator_init called\n"));
}
+ dummy = getenv(SSSD_KRB5_LOCATOR_DISABLE);
+ if (dummy == NULL) {
+ ctx->disabled = false;
+ } else {
+ ctx->disabled = true;
+ PLUGIN_DEBUG(("SSSD KRB5 locator plugin is disabled.\n"));
+ }
+
*private_data = ctx;
return 0;
@@ -273,6 +283,11 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data,
if (private_data == NULL) return KRB5_PLUGIN_NO_HANDLE;
ctx = (struct sssd_ctx *) private_data;
+ if (ctx->disabled) {
+ PLUGIN_DEBUG(("Plugin disabled, nothing to do.\n"));
+ return KRB5_PLUGIN_NO_HANDLE;
+ }
+
if (ctx->sssd_realm == NULL || strcmp(ctx->sssd_realm, realm) != 0) {
free(ctx->sssd_realm);
ctx->sssd_realm = strdup(realm);
diff --git a/src/man/sssd_krb5_locator_plugin.8.xml b/src/man/sssd_krb5_locator_plugin.8.xml
index 25a20c88fcd4c2b3f644da24b34a4d5e9eb80ed3..d28546012802955c2594680e53698518f0178ab1 100644
--- a/src/man/sssd_krb5_locator_plugin.8.xml
+++ b/src/man/sssd_krb5_locator_plugin.8.xml
@@ -69,6 +69,11 @@
If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any
value debug messages will be sent to stderr.
</para>
+ <para>
+ If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any
+ value the plugin is disabled and will just return
+ KRB5_PLUGIN_NO_HANDLE to the caller.
+ </para>
</refsect1>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
--
2.12.2

43
0109-sbus-check-connection-for-NULL-before-unregister-it.patch Normal file
View File

@ -0,0 +1,43 @@
From 35186217d44d0138a1aedf7a4db72249b2c40e66 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 10 Apr 2017 13:45:27 +0200
Subject: [PATCH 109/135] sbus: check connection for NULL before unregister it
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There seem to be code paths where the data is a added to the hash before
the connection is properly initialized, to avoid core dump during shut
down we only call dbus_conection_unregister_object_path() if there is a
connection.
Resolves:
https://pagure.io/SSSD/sssd/issue/3367
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sbus/sssd_dbus_interface.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/sbus/sssd_dbus_interface.c b/src/sbus/sssd_dbus_interface.c
index 1a11c6abcf23053e3b8c77f4d469d7c202a88eb8..c9007a4814e09e26fedaf605ca7313234d5ebf2c 100644
--- a/src/sbus/sssd_dbus_interface.c
+++ b/src/sbus/sssd_dbus_interface.c
@@ -490,7 +490,13 @@ sbus_opath_hash_delete_cb(hash_entry_t *item,
conn = talloc_get_type(pvt, struct sbus_connection);
path = sbus_opath_get_base_path(NULL, item->key.str);
- dbus_connection_unregister_object_path(conn->dbus.conn, path);
+ /* There seem to be code paths where the data is added to the hash
+ * before the connection is properly initialized, to avoid core dump
+ * during shut down we only call dbus_connection_unregister_object_path()
+ * if there is a connection. */
+ if (conn->dbus.conn != NULL) {
+ dbus_connection_unregister_object_path(conn->dbus.conn, path);
+ }
}
hash_table_t *
--
2.12.2

48
0110-UTIL-Use-max-15-characters-for-AD-host-UPN.patch Normal file
View File

@ -0,0 +1,48 @@
From c6f1bc32774a7cf2f8678499dfbced420be3a3a1 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 14 Mar 2017 10:34:00 +0100
Subject: [PATCH 110/135] UTIL: Use max 15 characters for AD host UPN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We do not want to use host principal with AD
"host/name.domain.tld@DOMAIN.TLD" because it does not work.
We need to use correct user principal for AD hosts. And we cannot
rely all fallback "*$" because of other principals in keytab.
The NetBIOS naming convention allows for 16 characters in a NetBIOS
name. Microsoft, however, limits NetBIOS names to 15 characters and
uses the 16th character as a NetBIOS suffix.
https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name
Resolves:
https://pagure.io/SSSD/sssd/issue/3329
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/util/sss_krb5.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index d461cf881566af37f31524c16f6a5f1511a5dc89..a3f066e8add5b7d7575c1e0f537c5729e4a0dad0 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -51,7 +51,13 @@ sss_krb5_get_primary(TALLOC_CTX *mem_ctx,
*c = toupper(*c);
}
- primary = talloc_asprintf(mem_ctx, "%s$", shortname);
+ /* The samAccountName is recommended to be less than 20 characters.
+ * This is only for users and groups. For machine accounts,
+ * the real limit is caused by NetBIOS protocol.
+ * NetBIOS names are limited to 16 (15 + $)
+ * https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name
+ */
+ primary = talloc_asprintf(mem_ctx, "%.15s$", shortname);
talloc_free(shortname);
return primary;
}
--
2.12.2

169
0111-minor-typo-fixes.patch Normal file
View File

@ -0,0 +1,169 @@
From 0a86dede8773ecce91b5bd2ae75a02f9ff89a358 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Genz?= <liebundartig@freenet.de>
Date: Wed, 19 Apr 2017 08:36:12 +0000
Subject: [PATCH 111/135] minor typo fixes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Merges: https://pagure.io/SSSD/sssd/pull-request/3374
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/man/idmap_sss.8.xml | 2 +-
src/man/sssd-kcm.8.xml | 2 +-
src/man/sssd-ldap.5.xml | 8 ++++----
src/man/sssd.conf.5.xml | 18 +++++++++---------
src/tests/intg/test_files_provider.py | 2 +-
5 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/src/man/idmap_sss.8.xml b/src/man/idmap_sss.8.xml
index 4c26a17f958fbf7251ad64de916db9de02c48364..0b73966e5952705a0f340ac169775c30153c392d 100644
--- a/src/man/idmap_sss.8.xml
+++ b/src/man/idmap_sss.8.xml
@@ -32,7 +32,7 @@
<varlistentry>
<term>range = low - high</term>
<listitem><para>
- Defines the available matching uid and gid range for which the
+ Defines the available matching UID and GID range for which the
backend is authoritative.
</para></listitem>
</varlistentry>
diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml
index 5dc93838e48723bdb470c0a9c8575bd17c7593e8..db50ed8b49294057da99b01655a4b158f2908dcb 100644
--- a/src/man/sssd-kcm.8.xml
+++ b/src/man/sssd-kcm.8.xml
@@ -48,7 +48,7 @@
<itemizedlist>
<listitem>
<para>
- since the process runs in userspace, it is subject to UID namespacing, ulike the kernel keyring
+ since the process runs in userspace, it is subject to UID namespacing, unlike the kernel keyring
</para>
</listitem>
<listitem>
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index fae669a8d0c1119b68e087bb16def7bd9a4464d3..739ae15c359da4e8dad9bc225ea60cff9dc96b91 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -965,7 +965,7 @@
domains.
</para>
<para>
- Default: groupType in the AD provider, othewise not
+ Default: groupType in the AD provider, otherwise not
set
</para>
</listitem>
@@ -1591,7 +1591,7 @@
</varlistentry>
<varlistentry>
- <term>ldap_min_id, ldap_max_id (interger)</term>
+ <term>ldap_min_id, ldap_max_id (integer)</term>
<listitem>
<para>
In contrast to the SID based ID mapping which is
@@ -1939,7 +1939,7 @@ ldap_access_filter = (employeeType=admin)
was granted access permission. If they were
granted access during their last login, they will
continue to be granted access while offline and
- vice-versa.
+ vice versa.
</para>
<para>
Default: Empty
@@ -2633,7 +2633,7 @@ ldap_access_filter = (employeeType=admin)
If the option <quote>ldap_use_tokengroups</quote> is
enabled. The searches against Active Directory will
not be restricted and return all groups memberships,
- even with no gid mapping. It is recommended to disable
+ even with no GID mapping. It is recommended to disable
this feature, if group names are not being displayed
correctly.
</para>
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index c4e30396f16c40db37af2f56ac218b6e37201ef7..c71287029f132906e4f17ff6618d5234a27617f1 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -246,7 +246,7 @@
information. SSSD can use more domains
at the same time, but at least one
must be configured or SSSD won't start.
- This parameter described the list of domains
+ This parameter describes the list of domains
in the order you want them to be queried.
A domain name should only consist of alphanumeric
ASCII characters, dashes, dots and underscores.
@@ -264,7 +264,7 @@
<para>
Each domain can have an individual regular
expression configured. For some ID providers
- there are also default regular expressions. See
+ there are also default regular expressions. See
DOMAIN SECTIONS for more info on these regular
expressions.
</para>
@@ -490,7 +490,7 @@
<para>The nickname of the cert to trust
(expected) to sign the OCSP responses.
The certificate with the given nickname
- must be availble in the systems NSS
+ must be available in the systems NSS
database.</para>
<para>This option must be used together
with ocsp_default_responder.</para>
@@ -1253,7 +1253,7 @@ fallback_homedir = /home/%u
</para>
<para>
Note: Please be aware that message is only
- printed for the SSH service unless pam_verbostiy
+ printed for the SSH service unless pam_verbosity
is set to 3 (show all messages and debug
information).
</para>
@@ -1456,13 +1456,13 @@ pam_account_locked_message = Account locked, please contact help desk.
authentication to the PAC responder. The sub-domain provider
collects domain SID and ID ranges of the domain the client is
joined to and of remote trusted domains from the local domain
- controller. If the PAC is decoded and evaluated some of the
+ controller. If the PAC is decoded and evaluated some of the
following operations are done:
<itemizedlist>
<listitem><para>If the remote user does not exist in the
- cache, it is created. The uid is determined with the help
- of the SID, trusted domains will have UPGs and the gid
- will have the same value as the uid. The home directory is
+ cache, it is created. The UID is determined with the help
+ of the SID, trusted domains will have UPGs and the GID
+ will have the same value as the UID. The home directory is
set based on the subdomain_homedir parameter. The shell will
be empty by default, i.e. the system defaults are used, but
can be overwritten with the default_shell parameter.</para>
@@ -2110,7 +2110,7 @@ pam_account_locked_message = Account locked, please contact help desk.
</para>
<para>
<quote>ldap</quote> to change a password stored
- in a LDAP server. See
+ in a LDAP server. See
<citerefentry>
<refentrytitle>sssd-ldap</refentrytitle>
<manvolnum>5</manvolnum>
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index 8748ac10b089087056b1b93950c8d890a190c8d0..eced3997cd061b155f68ec5b2d15552061ffe3e3 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -433,7 +433,7 @@ def test_incomplete_user_fail(setup_pw_with_canary, files_domain_only):
Test resolving an incomplete user where the missing field is required
to be present in the user record and thus the user shouldn't resolve.
- We cannot test uid and gid missing because nss_wrapper doesn't even
+ We cannot test UID and GID missing because nss_wrapper doesn't even
load the malformed passwd file, then.
"""
bad_incomplete_user_setup(setup_pw_with_canary, 'name')
--
2.12.2

46
0112-SPEC-Drop-conditional-build-for-krb5_local_auth_plug.patch Normal file
View File

@ -0,0 +1,46 @@
From bf8f119774dc2eabc5b9bc9f348cd95063ab2199 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 15 Mar 2017 12:07:37 +0100
Subject: [PATCH 112/135] SPEC: Drop conditional build for
krb5_local_auth_plugin
It was mainly aimed for time when stable CentOS and
rhel nightly had different versions of krb5.
Anyway, rhel7.0 and rhel <= 6.6 are already out of support
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
contrib/sssd.spec.in | 6 ------
1 file changed, 6 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 39a974edebba3dbcd7625d1729b4a7330eaa8a27..84400e03e3fa6ead6d6cac57b3843ef79ef9ee6b 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -97,10 +97,6 @@
%global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin
%endif
-%if (0%{?fedora} || (0%{?rhel} == 7 && 0%{?rhel7_minor} >= 1) || (0%{?rhel} == 6 && 0%{?rhel6_minor} >= 7))
- %global with_krb5_localauth_plugin 1
-%endif
-
%if (0%{?fedora})
%global with_python3 1
%else
@@ -1046,11 +1042,9 @@ done
%dir %{_sysconfdir}/cifs-utils
%ghost %{_sysconfdir}/cifs-utils/idmap-plugin
%endif
-%if (0%{?with_krb5_localauth_plugin} == 1)
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/modules
%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
-%endif
%{_mandir}/man8/pam_sss.8*
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
--
2.12.2

39
0113-README-Update-links-to-mailing-lists.patch Normal file
View File

@ -0,0 +1,39 @@
From 363e4c407085ea5623850b1dadb1344f2edd3c34 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 12 Apr 2017 15:13:45 +0200
Subject: [PATCH 113/135] README: Update links to mailing lists
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Old links are redirected to information about Fedorahosted-retirement
e.g.
https://fedorahosted.org/mailman/listinfo/sssd-devel
-> https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
README.md | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 40c88c08070b986a634496ac2d6ffba8643bd8a7..600802da1b9a432ecf691137082b0ba2794e3ca7 100644
--- a/README.md
+++ b/README.md
@@ -21,8 +21,10 @@ Please see the file called COPYING.
## Contacts
There are several ways to contact us:
-* the sssd-devel mailing list: [Development of the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-devel)
-* the sssd-users mailing list: [End-user discussions about the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-users)
+* the sssd-devel mailing list: [Development of the System Security Services Daemon](
+ https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/)
+* the sssd-users mailing list: [End-user discussions about the System Security Services Daemon](
+ https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/)
* the #sssd and #freeipa IRC channels on freenode:
* irc://irc.freenode.net/sssd
* irc://irc.freenode.net/freeipa
--
2.12.2

299
0114-Move-sized_output_name-and-sized_domain_name-into-re.patch Normal file
View File

@ -0,0 +1,299 @@
From 7c074ba2f923985ab0d4f9d6a5e01ff3f2f0a7a8 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 19 Apr 2017 17:44:40 +0200
Subject: [PATCH 114/135] Move sized_output_name() and sized_domain_name() into
responder common code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
These functions are used to format a name into a format that the user
configured for output, including case sensitiveness, replacing
whitespace and qualified format. They were used only in the NSS
responder, which typically returns strings to the NSS client library and
then the user.
But it makes sense to just reuse the same code in the IFP responder as
well, since it does essentially the same job.
The patch also renames sized_member_name to sized_domain_name.
Previously, the function was only used to format a group member, the IFP
responder would use the same function to format a group the user is a
member of.
Related to:
https://pagure.io/SSSD/sssd/issue/3268
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/common/responder.h | 21 ++++++++
src/responder/common/responder_common.c | 90 +++++++++++++++++++++++++++++++++
src/responder/nss/nss_private.h | 11 ----
src/responder/nss/nss_protocol_grent.c | 2 +-
src/responder/nss/nss_utils.c | 87 -------------------------------
5 files changed, 112 insertions(+), 99 deletions(-)
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 4210307489fe25829a1674f254ecc7d185029698..dfe1ec455e355de263c3550306e53fea3ada85df 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -393,4 +393,25 @@ char *sss_resp_create_fqname(TALLOC_CTX *mem_ctx,
errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx);
+/**
+ * Helper functions to format output names
+ */
+
+/* Format orig_name into a sized_string in output format as prescribed
+ * by the name_dom domain
+ */
+int sized_output_name(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ const char *orig_name,
+ struct sss_domain_info *name_dom,
+ struct sized_string **_name);
+
+/* Format orig_name into a sized_string in output format as prescribed
+ * by the domain read from the fully qualified name.
+ */
+int sized_domain_name(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ const char *member_name,
+ struct sized_string **_name);
+
#endif /* __SSS_RESPONDER_H__ */
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 67e1deefdfde19c95a68029b11099579d851513f..ac6320b08de09bc6c7e8dd1af72e0a493a449f7a 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -1651,3 +1651,93 @@ done:
return ret;
}
+
+/**
+ * Helper functions to format output names
+ */
+int sized_output_name(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ const char *orig_name,
+ struct sss_domain_info *name_dom,
+ struct sized_string **_name)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ errno_t ret;
+ char *username;
+ struct sized_string *name;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ username = sss_output_name(tmp_ctx, orig_name, name_dom->case_preserve,
+ rctx->override_space);
+ if (username == NULL) {
+ ret = EIO;
+ goto done;
+ }
+
+ if (name_dom->fqnames) {
+ username = sss_tc_fqname(tmp_ctx, name_dom->names, name_dom, username);
+ if (username == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_replace_space failed\n");
+ ret = EIO;
+ goto done;
+ }
+ }
+
+ name = talloc_zero(tmp_ctx, struct sized_string);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ to_sized_string(name, username);
+ name->str = talloc_steal(name, username);
+ *_name = talloc_steal(mem_ctx, name);
+ ret = EOK;
+done:
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
+int sized_domain_name(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ const char *member_name,
+ struct sized_string **_name)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ errno_t ret;
+ char *domname;
+ struct sss_domain_info *member_dom;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sss_parse_internal_fqname(tmp_ctx, member_name, NULL, &domname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_parse_internal_fqname failed\n");
+ goto done;
+ }
+
+ if (domname == NULL) {
+ ret = ERR_WRONG_NAME_FORMAT;
+ goto done;
+ }
+
+ member_dom = find_domain_by_name(get_domains_head(rctx->domains),
+ domname, true);
+ if (member_dom == NULL) {
+ ret = ERR_DOMAIN_NOT_FOUND;
+ goto done;
+ }
+
+ ret = sized_output_name(mem_ctx, rctx, member_name,
+ member_dom, _name);
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h
index acb3c4aa504e538ca56dca8d43ee04b0f60954a9..13de83226177bbaa8b8237e3e27b7e72da369194 100644
--- a/src/responder/nss/nss_private.h
+++ b/src/responder/nss/nss_private.h
@@ -140,17 +140,6 @@ const char *
nss_get_name_from_msg(struct sss_domain_info *domain,
struct ldb_message *msg);
-int sized_output_name(TALLOC_CTX *mem_ctx,
- struct resp_ctx *rctx,
- const char *orig_name,
- struct sss_domain_info *name_dom,
- struct sized_string **_name);
-
-int sized_member_name(TALLOC_CTX *mem_ctx,
- struct resp_ctx *rctx,
- const char *member_name,
- struct sized_string **_name);
-
const char *
nss_get_pwfield(struct nss_ctx *nctx,
struct sss_domain_info *dom);
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 283ab9f6731bc4c8261ca79075ab030005bf70db..fae1d47d7b217beafba75740e2e6d9cb8cdbc1d0 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -163,7 +163,7 @@ nss_protocol_fill_members(struct sss_packet *packet,
}
}
- ret = sized_member_name(tmp_ctx, rctx, member_name, &name);
+ ret = sized_domain_name(tmp_ctx, rctx, member_name, &name);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Unable to get sized name [%d]: %s\n",
ret, sss_strerror(ret));
diff --git a/src/responder/nss/nss_utils.c b/src/responder/nss/nss_utils.c
index f839930a275db56e8d729888af870562d7b6f260..2cd9c33b42f7e018ea89d2df206637f35646489e 100644
--- a/src/responder/nss/nss_utils.c
+++ b/src/responder/nss/nss_utils.c
@@ -53,93 +53,6 @@ nss_get_name_from_msg(struct sss_domain_info *domain,
return ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
}
-int sized_output_name(TALLOC_CTX *mem_ctx,
- struct resp_ctx *rctx,
- const char *orig_name,
- struct sss_domain_info *name_dom,
- struct sized_string **_name)
-{
- TALLOC_CTX *tmp_ctx = NULL;
- errno_t ret;
- char *username;
- struct sized_string *name;
-
- tmp_ctx = talloc_new(NULL);
- if (tmp_ctx == NULL) {
- return ENOMEM;
- }
-
- username = sss_output_name(tmp_ctx, orig_name, name_dom->case_preserve,
- rctx->override_space);
- if (username == NULL) {
- ret = EIO;
- goto done;
- }
-
- if (name_dom->fqnames) {
- username = sss_tc_fqname(tmp_ctx, name_dom->names, name_dom, username);
- if (username == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "sss_replace_space failed\n");
- ret = EIO;
- goto done;
- }
- }
-
- name = talloc_zero(tmp_ctx, struct sized_string);
- if (name == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- to_sized_string(name, username);
- name->str = talloc_steal(name, username);
- *_name = talloc_steal(mem_ctx, name);
- ret = EOK;
-done:
- talloc_zfree(tmp_ctx);
- return ret;
-}
-
-int sized_member_name(TALLOC_CTX *mem_ctx,
- struct resp_ctx *rctx,
- const char *member_name,
- struct sized_string **_name)
-{
- TALLOC_CTX *tmp_ctx = NULL;
- errno_t ret;
- char *domname;
- struct sss_domain_info *member_dom;
-
- tmp_ctx = talloc_new(NULL);
- if (tmp_ctx == NULL) {
- return ENOMEM;
- }
-
- ret = sss_parse_internal_fqname(tmp_ctx, member_name, NULL, &domname);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "sss_parse_internal_fqname failed\n");
- goto done;
- }
-
- if (domname == NULL) {
- ret = ERR_WRONG_NAME_FORMAT;
- goto done;
- }
-
- member_dom = find_domain_by_name(get_domains_head(rctx->domains),
- domname, true);
- if (member_dom == NULL) {
- ret = ERR_DOMAIN_NOT_FOUND;
- goto done;
- }
-
- ret = sized_output_name(mem_ctx, rctx, member_name,
- member_dom, _name);
-done:
- talloc_free(tmp_ctx);
- return ret;
-}
-
const char *
nss_get_pwfield(struct nss_ctx *nctx,
struct sss_domain_info *dom)
--
2.12.2

94
0115-IFP-Use-sized_domain_name-to-format-the-groups-the-u.patch Normal file
View File

@ -0,0 +1,94 @@
From c9a73bb6ffa010ef206896a0d1c2801bc056fa45 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 19 Apr 2017 17:46:03 +0200
Subject: [PATCH 115/135] IFP: Use sized_domain_name to format the groups the
user is a member of
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/3268
Uses the common function sized_domain_name() to format a group the user
is a member of to the appropriate format.
To see the code is working correctly, run:
dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe
/org/freedesktop/sssd/infopipe
org.freedesktop.sssd.infopipe.GetUserGroups
string:trusted_user
Where trusted_user is a user from a trusted domain that is a member of groups
from the joined domain and a trusted domain as well. The groups from the
joined domain should not be qualified, the groups from the trusted
domain should be qualified.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/ifp/ifpsrv_cmd.c | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index d10f35e41dbb1623a0b9de37a4c43363cbefc1a3..e4d6c42ef35ef372472803d3d26b17d4181021a8 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -369,10 +369,11 @@ ifp_user_get_groups_reply(struct sss_domain_info *domain,
struct ifp_req *ireq,
struct ldb_result *res)
{
- int i, num;
+ int i, gri, num;
const char *name;
const char **groupnames;
- char *out_name;
+ struct sized_string *group_name;
+ errno_t ret;
/* one less, the first one is the user entry */
num = res->count - 1;
@@ -381,6 +382,7 @@ ifp_user_get_groups_reply(struct sss_domain_info *domain,
return sbus_request_finish(ireq->dbus_req, NULL);
}
+ gri = 0;
for (i = 0; i < num; i++) {
name = sss_view_ldb_msg_find_attr_as_string(domain,
res->msgs[i + 1],
@@ -390,22 +392,21 @@ ifp_user_get_groups_reply(struct sss_domain_info *domain,
continue;
}
- out_name = sss_output_name(ireq, name, domain->case_preserve,
- ireq->ifp_ctx->rctx->override_space);
- if (out_name == NULL) {
+ ret = sized_domain_name(ireq, ireq->ifp_ctx->rctx, name, &group_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Unable to get sized name for %s [%d]: %s\n",
+ name, ret, sss_strerror(ret));
continue;
}
- if (domain->fqnames) {
- groupnames[i] = sss_tc_fqname(groupnames, domain->names,
- domain, out_name);
- if (out_name == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "sss_tc_fqname failed\n");
- continue;
- }
- } else {
- groupnames[i] = talloc_steal(groupnames, out_name);
+ groupnames[gri] = talloc_strndup(groupnames,
+ group_name->str, group_name->len);
+ if (groupnames[gri] == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "talloc_strndup failed\n");
+ continue;
}
+ gri++;
DEBUG(SSSDBG_TRACE_FUNC, "Adding group %s\n", groupnames[i]);
}
--
2.12.2

32
0116-SECRETS-remove-unused-variable.patch Normal file
View File

@ -0,0 +1,32 @@
From 0e8f0c06cad5805b1a1161f60e3f2cdb7a5a2921 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 19 Apr 2017 17:56:20 +0200
Subject: [PATCH 116/135] SECRETS: remove unused variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/secrets/proxy.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/src/responder/secrets/proxy.c b/src/responder/secrets/proxy.c
index fd96e985c897e2cb470a9b5d6eecbd34350fb7d2..9c2aa425d414728d10aa830f640632e98def3c1c 100644
--- a/src/responder/secrets/proxy.c
+++ b/src/responder/secrets/proxy.c
@@ -570,11 +570,6 @@ static void proxy_secret_req_done(struct tevent_req *subreq)
}
}
-struct provider_handle proxy_secrets_handle = {
- .fn = proxy_secret_req,
- .context = NULL,
-};
-
int proxy_secrets_provider_handle(struct sec_ctx *sctx,
struct provider_handle **out_handle)
{
--
2.12.2

41
0117-IPA-Improve-DEBUG-message-if-a-group-has-no-ipaNTSec.patch Normal file
View File

@ -0,0 +1,41 @@
From ef019268d2d112ebff3577e551cd19478d73d93b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 21 Apr 2017 12:39:44 +0200
Subject: [PATCH 117/135] IPA: Improve DEBUG message if a group has no
ipaNTSecurityIdentifier
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There was an issue in a production deployment where the admin selected a
GID outside the IDM range for a group that contained a user from the
trusted domain. This resulted in not adding a SID for the IPA group,
which in turn meant the group couldn't be resolved on the client.
This patch just improves the DEBUG message so that it's clearer for the
admins where the issue is.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 2173db357700499a6140aa61841e443139981483..55ec904ca3188c7cf10ac41972e9ecf94ebf44bb 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1308,7 +1308,10 @@ static void ipa_s2n_get_list_next(struct tevent_req *subreq)
ret = sysdb_attrs_get_string(state->attrs->sysdb_attrs, SYSDB_SID_STR,
&sid_str);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Object [%s] has no SID, please check the "
+ "ipaNTSecurityIdentifier attribute on the server-side",
+ state->attrs->a.name);
goto fail;
}
--
2.12.2

312
0118-RESPONDER-Fallback-to-global-domain-resolution-order.patch Normal file
View File

@ -0,0 +1,312 @@
From a3faad0e4dc1ca4473746c3822ecfc5aed876e6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 12 Apr 2017 10:43:25 +0200
Subject: [PATCH 118/135] RESPONDER: Fallback to global domain resolution order
in case the view doesn't have this option set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The current code has been ignoring the domain resolution order set
globally on IPA in case there's a view but this doesn't have any domain
resolution order set.
It happens because we haven't been checking whether the view attribute
didn't exist and then we ended up populating the list cache_req domains'
list assuming that no order has been set instead of falling back to the
next preferred method.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/common/cache_req/cache_req_domain.c | 14 ++-
src/responder/common/cache_req/cache_req_domain.h | 5 +-
src/responder/common/responder_common.c | 108 +++++++++++++---------
3 files changed, 74 insertions(+), 53 deletions(-)
diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
index bbabd695f1c6b6c29b7e61f571382ab9adfb0ea2..86a88efd54ca0f4a0748b44ece1b8515438d4628 100644
--- a/src/responder/common/cache_req/cache_req_domain.c
+++ b/src/responder/common/cache_req/cache_req_domain.c
@@ -120,20 +120,21 @@ done:
return cr_domains;
}
-struct cache_req_domain *
+errno_t
cache_req_domain_new_list_from_domain_resolution_order(
TALLOC_CTX *mem_ctx,
struct sss_domain_info *domains,
- const char *domain_resolution_order)
+ const char *domain_resolution_order,
+ struct cache_req_domain **_cr_domains)
{
TALLOC_CTX *tmp_ctx;
- struct cache_req_domain *cr_domains = NULL;
+ struct cache_req_domain *cr_domains;
char **list = NULL;
errno_t ret;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
- return NULL;
+ return ENOMEM;
}
if (domain_resolution_order != NULL) {
@@ -160,7 +161,10 @@ cache_req_domain_new_list_from_domain_resolution_order(
goto done;
}
+ *_cr_domains = cr_domains;
+ ret = EOK;
+
done:
talloc_free(tmp_ctx);
- return cr_domains;
+ return ret;
}
diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h
index 41c50e8c293d7b032cb2f05482c40e93e4f723dc..000087e5ca2074f22169a4af627810f4f287e430 100644
--- a/src/responder/common/cache_req/cache_req_domain.h
+++ b/src/responder/common/cache_req/cache_req_domain.h
@@ -34,11 +34,12 @@ struct cache_req_domain *
cache_req_domain_get_domain_by_name(struct cache_req_domain *domains,
const char *name);
-struct cache_req_domain *
+errno_t
cache_req_domain_new_list_from_domain_resolution_order(
TALLOC_CTX *mem_ctx,
struct sss_domain_info *domains,
- const char *domain_resolution_order);
+ const char *domain_resolution_order,
+ struct cache_req_domain **_cr_domains);
void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains);
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index ac6320b08de09bc6c7e8dd1af72e0a493a449f7a..62b71b5104fdbb585d086d44d2ca2ab9717dd788 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -1486,10 +1486,11 @@ fail:
}
/* ====== Helper functions for the domain resolution order ======= */
-static struct cache_req_domain *
+static errno_t
sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domains,
- struct sysdb_ctx *sysdb)
+ struct sysdb_ctx *sysdb,
+ struct cache_req_domain **_cr_domains)
{
TALLOC_CTX *tmp_ctx;
struct cache_req_domain *cr_domains = NULL;
@@ -1498,7 +1499,7 @@ sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx,
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
- return NULL;
+ return ENOMEM;
}
ret = sysdb_get_view_domain_resolution_order(tmp_ctx, sysdb,
@@ -1510,12 +1511,13 @@ sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx,
goto done;
}
- /* Using mem_ctx (which is rctx) directly here to avoid copying
- * this memory around. */
- cr_domains = cache_req_domain_new_list_from_domain_resolution_order(
- mem_ctx, domains, domain_resolution_order);
- if (cr_domains == NULL) {
- ret = ENOMEM;
+ if (ret == ENOENT) {
+ goto done;
+ }
+
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
+ mem_ctx, domains, domain_resolution_order, &cr_domains);
+ if (ret != EOK) {
DEBUG(SSSDBG_DEFAULT,
"cache_req_domain_new_list_from_domain_resolution_order() "
"failed [%d]: [%s].\n",
@@ -1523,25 +1525,31 @@ sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx,
goto done;
}
+ *_cr_domains = cr_domains;
+
+ ret = EOK;
+
done:
talloc_free(tmp_ctx);
- return cr_domains;
+ return ret;
}
-static struct cache_req_domain *
+static errno_t
sss_resp_new_cr_domains_from_ipa_config(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domains,
struct sysdb_ctx *sysdb,
- const char *domain)
+ const char *domain,
+ struct cache_req_domain **_cr_domains)
{
TALLOC_CTX *tmp_ctx;
- struct cache_req_domain *cr_domains = NULL;
const char *domain_resolution_order = NULL;
errno_t ret;
+ *_cr_domains = NULL;
+
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
- return NULL;
+ return ENOMEM;
}
ret = sysdb_domain_get_domain_resolution_order(tmp_ctx, sysdb, domain,
@@ -1554,11 +1562,13 @@ sss_resp_new_cr_domains_from_ipa_config(TALLOC_CTX *mem_ctx,
goto done;
}
- /* Using mem_ctx (which is rctx) directly here to avoid copying
- * this memory around. */
- cr_domains = cache_req_domain_new_list_from_domain_resolution_order(
- mem_ctx, domains, domain_resolution_order);
- if (cr_domains == NULL) {
+ if (ret == ENOENT) {
+ goto done;
+ }
+
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
+ mem_ctx, domains, domain_resolution_order, _cr_domains);
+ if (ret != EOK) {
DEBUG(SSSDBG_DEFAULT,
"cache_req_domain_new_list_from_domain_resolution_order() "
"failed [%d]: [%s].\n",
@@ -1566,9 +1576,11 @@ sss_resp_new_cr_domains_from_ipa_config(TALLOC_CTX *mem_ctx,
goto done;
}
+ ret = EOK;
+
done:
talloc_free(tmp_ctx);
- return cr_domains;
+ return ret;
}
errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
@@ -1578,16 +1590,16 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
errno_t ret;
if (rctx->domain_resolution_order != NULL) {
- cr_domains = cache_req_domain_new_list_from_domain_resolution_order(
- rctx, rctx->domains, rctx->domain_resolution_order);
-
- if (cr_domains == NULL) {
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
+ rctx, rctx->domains,
+ rctx->domain_resolution_order, &cr_domains);
+ if (ret == EOK) {
+ goto done;
+ } else {
DEBUG(SSSDBG_MINOR_FAILURE,
"Failed to use domain_resolution_order set in the config file.\n"
"Trying to fallback to use ipaDomainOrderResolution setup by "
"IPA.\n");
- } else {
- goto done;
}
}
@@ -1598,9 +1610,9 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
}
if (dom == NULL) {
- cr_domains = cache_req_domain_new_list_from_domain_resolution_order(
- rctx, rctx->domains, NULL);
- if (cr_domains == NULL) {
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
+ rctx, rctx->domains, NULL, &cr_domains);
+ if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to flatten the list of domains.\n");
}
@@ -1608,44 +1620,48 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
}
if (dom->has_views) {
- cr_domains = sss_resp_new_cr_domains_from_ipa_id_view(rctx,
- rctx->domains,
- dom->sysdb);
- if (cr_domains == NULL) {
+ ret = sss_resp_new_cr_domains_from_ipa_id_view(rctx, rctx->domains,
+ dom->sysdb,
+ &cr_domains);
+ if (ret == EOK) {
+ goto done;
+ }
+
+ if (ret != ENOENT) {
DEBUG(SSSDBG_MINOR_FAILURE,
"Failed to use ipaDomainResolutionOrder set for the "
"view \"%s\".\n"
"Trying to fallback to use ipaDomainOrderResolution "
"set in ipaConfig for the domain: %s.\n",
dom->view_name, dom->name);
- } else {
- goto done;
}
}
- cr_domains = sss_resp_new_cr_domains_from_ipa_config(rctx, rctx->domains,
- dom->sysdb,
- dom->name);
- if (cr_domains == NULL) {
+ ret = sss_resp_new_cr_domains_from_ipa_config(rctx, rctx->domains,
+ dom->sysdb, dom->name,
+ &cr_domains);
+ if (ret == EOK) {
+ goto done;
+ }
+
+ if (ret != ENOENT) {
DEBUG(SSSDBG_MINOR_FAILURE,
"Failed to use ipaDomainResolutionOrder set in ipaConfig "
"for the domain: \"%s\".\n"
"No ipaDomainResolutionOrder will be followed.\n",
dom->name);
- } else {
- goto done;
}
- cr_domains = cache_req_domain_new_list_from_domain_resolution_order(
- rctx, rctx->domains, NULL);
- if (cr_domains == NULL) {
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
+ rctx, rctx->domains, NULL, &cr_domains);
+ if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to flatten the list of domains.\n");
goto done;
}
-done:
- ret = cr_domains != NULL ? EOK : ENOMEM;
+ ret = EOK;
+done:
cache_req_domain_list_zfree(&rctx->cr_domains);
rctx->cr_domains = cr_domains;
--
2.12.2

163
0119-NSS-TESTS-Improve-non-fqnames-tests.patch Normal file
View File

@ -0,0 +1,163 @@
From ed518f61f1a5d4cf5d87eec492c158725a73d6a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 17 Apr 2017 09:32:39 +0200
Subject: [PATCH 119/135] NSS/TESTS: Improve non-fqnames tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With the changes that are about to happen we have to have the subdomain's
fqnames flag set by the time we populate the cr_domains list (as it
actually occurs with the real code), as this list may set its own fqnames
flag based on the subdomain's fqnames flag.
Currently the flag is set to false only when running the tests itself so
the cr_domains list doesn't get populate properly (although it still
works with the current code).
For the changes that are comming, let's introduce a new setup function
that ensures that the subdomain's fqnames flag is set up in the right
time.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/tests/cmocka/test_nss_srv.c | 45 +++++++++++++++++++++++++++--------------
1 file changed, 30 insertions(+), 15 deletions(-)
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 2f526660cbbbf2443dbae4e213c1336feb6c661e..8c72f44f1869558893627e1f2f91b5f3b96c6317 100644
--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -1709,8 +1709,6 @@ void test_nss_getgrnam_members_subdom_nonfqnames(void **state)
{
errno_t ret;
- nss_test_ctx->subdom->fqnames = false;
-
mock_input_user_or_group("testsubdomgroup");
mock_account_recv_simple();
will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
@@ -1802,8 +1800,6 @@ void test_nss_getgrnam_mix_dom_nonfqnames(void **state)
{
errno_t ret;
- nss_test_ctx->subdom->fqnames = false;
-
ret = store_group_member(nss_test_ctx,
testgroup_members.gr_name,
nss_test_ctx->tctx->dom,
@@ -1917,6 +1913,7 @@ void test_nss_getgrnam_mix_dom_fqdn(void **state)
assert_int_equal(ret, EOK);
}
+
void test_nss_getgrnam_mix_dom_fqdn_nonfqnames(void **state)
{
errno_t ret;
@@ -1929,10 +1926,6 @@ void test_nss_getgrnam_mix_dom_fqdn_nonfqnames(void **state)
SYSDB_MEMBER_USER);
assert_int_equal(ret, EOK);
- nss_test_ctx->tctx->dom->fqnames = false;
- nss_test_ctx->subdom->fqnames = false;
-
-
mock_input_user_or_group("testgroup_members");
will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -2044,8 +2037,6 @@ void test_nss_getgrnam_mix_subdom_nonfqnames(void **state)
{
errno_t ret;
- nss_test_ctx->subdom->fqnames = false;
-
ret = store_group_member(nss_test_ctx,
testsubdomgroup.gr_name,
nss_test_ctx->subdom,
@@ -3417,9 +3408,11 @@ static int nss_test_setup_extra_attr(void **state)
return 0;
}
-static int nss_subdom_test_setup(void **state)
+static int nss_subdom_test_setup_common(void **state, bool nonfqnames)
{
const char *const testdom[4] = { TEST_SUBDOM_NAME, "TEST.SUB", "test", "S-3" };
+ struct sss_domain_info *dom;
+
struct sss_domain_info *subdomain;
errno_t ret;
@@ -3440,6 +3433,17 @@ static int nss_subdom_test_setup(void **state)
nss_test_ctx->tctx->confdb);
assert_int_equal(ret, EOK);
+ if (nonfqnames) {
+ for (dom = nss_test_ctx->rctx->domains;
+ dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
+ if (strcmp(dom->name, subdomain->name) == 0) {
+ dom->fqnames = false;
+ break;
+ }
+ }
+ }
+
ret = sss_resp_populate_cr_domains(nss_test_ctx->rctx);
assert_int_equal(ret, EOK);
assert_non_null(nss_test_ctx->rctx->cr_domains);
@@ -3475,6 +3479,17 @@ static int nss_subdom_test_setup(void **state)
assert_int_equal(ret, EOK);
return 0;
+
+}
+
+static int nss_subdom_test_setup(void **state)
+{
+ return nss_subdom_test_setup_common(state, false);
+}
+
+static int nss_subdom_test_setup_nonfqnames(void **state)
+{
+ return nss_subdom_test_setup_common(state, true);
}
static int nss_fqdn_fancy_test_setup(void **state)
@@ -4192,25 +4207,25 @@ int main(int argc, const char *argv[])
nss_subdom_test_setup,
nss_subdom_test_teardown),
cmocka_unit_test_setup_teardown(test_nss_getgrnam_members_subdom_nonfqnames,
- nss_subdom_test_setup,
+ nss_subdom_test_setup_nonfqnames,
nss_subdom_test_teardown),
cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_dom,
nss_subdom_test_setup,
nss_subdom_test_teardown),
cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_dom_nonfqnames,
- nss_subdom_test_setup,
+ nss_subdom_test_setup_nonfqnames,
nss_subdom_test_teardown),
cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_dom_fqdn,
nss_subdom_test_setup,
nss_subdom_test_teardown),
cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_dom_fqdn_nonfqnames,
- nss_subdom_test_setup,
+ nss_subdom_test_setup_nonfqnames,
nss_subdom_test_teardown),
cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_subdom,
nss_subdom_test_setup,
nss_subdom_test_teardown),
cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_subdom_nonfqnames,
- nss_subdom_test_setup,
+ nss_subdom_test_setup_nonfqnames,
nss_subdom_test_teardown),
cmocka_unit_test_setup_teardown(test_nss_getgrnam_space,
nss_test_setup, nss_test_teardown),
--
2.12.2

138
0120-CACHE_REQ-Allow-configurationless-shortname-lookups.patch Normal file
View File

@ -0,0 +1,138 @@
From dae798231fc2c575f213785768bc24ed765ba243 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 11 Apr 2017 17:19:29 +0200
Subject: [PATCH 120/135] CACHE_REQ: Allow configurationless shortname lookups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Configurationless shortnames lookups must be allowed when a domains'
resolution order is present and the (head) domain is not enforcing the
usage of fully-qualified-names.
With this patch SSSD does not require any kind of changes from client
side for taking advantage of shortname lookups.
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/common/cache_req/cache_req.c | 2 +-
src/responder/common/cache_req/cache_req_domain.c | 48 +++++++++++++++++++++++
src/responder/common/cache_req/cache_req_domain.h | 1 +
3 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index 3a5fecf34427437bbf95317e05c5bd8b07b4537d..797325a30e6c1ed5f1d4b4c147c65391d5204b52 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -480,7 +480,7 @@ static errno_t cache_req_search_domains_next(struct tevent_req *req)
* qualified names on domain less search. We do not descend into
* subdomains here since those are implicitly qualified.
*/
- if (state->check_next && !allow_no_fqn && domain->fqnames) {
+ if (state->check_next && !allow_no_fqn && state->cr_domain->fqnames) {
state->cr_domain = state->cr_domain->next;
continue;
}
diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
index 86a88efd54ca0f4a0748b44ece1b8515438d4628..bfdd2b7f640178f6d0a0d92f2fed329c856b478c 100644
--- a/src/responder/common/cache_req/cache_req_domain.c
+++ b/src/responder/common/cache_req/cache_req_domain.c
@@ -60,6 +60,48 @@ void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains)
*cr_domains = NULL;
}
+static bool
+cache_req_domain_use_fqnames(struct sss_domain_info *domain,
+ bool enforce_non_fqnames)
+{
+ struct sss_domain_info *head;
+
+ head = get_domains_head(domain);
+
+ /*
+ * In order to decide whether fully_qualified_names must be used on the
+ * lookups we have to take into consideration:
+ * - use_fully_qualified_name value of the head of the domains;
+ * (head->fqnames)
+ * - the presence of a domains' resolution order list;
+ * (non_fqnames_enforced)
+ *
+ * The relationship between those two can be described by:
+ * - head->fqnames:
+ * - true: in this case doesn't matter whether it's enforced or not,
+ * fully-qualified-names will _always_ be used
+ * - false: in this case (which is also the default case), the usage
+ * depends on it being enforced;
+ *
+ * - enforce_non_fqnames:
+ * - true: in this case, the usage of fully-qualified-names is not
+ * needed;
+ * - false: in this case, the usage of fully-qualified-names will be
+ * done accordingly to what's set for the domain itself.
+ */
+ switch (head->fqnames) {
+ case true:
+ return true;
+ case false:
+ switch (enforce_non_fqnames) {
+ case true:
+ return false;
+ case false:
+ return domain->fqnames;
+ }
+ }
+}
+
static struct cache_req_domain *
cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domains,
@@ -71,9 +113,11 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
char *name;
int flag = SSS_GND_ALL_DOMAINS;
int i;
+ bool enforce_non_fqnames = false;
errno_t ret;
if (resolution_order != NULL) {
+ enforce_non_fqnames = true;
for (i = 0; resolution_order[i] != NULL; i++) {
name = resolution_order[i];
for (dom = domains; dom; dom = get_next_domain(dom, flag)) {
@@ -87,6 +131,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
goto done;
}
cr_domain->domain = dom;
+ cr_domain->fqnames =
+ cache_req_domain_use_fqnames(dom, enforce_non_fqnames);
DLIST_ADD_END(cr_domains, cr_domain,
struct cache_req_domain *);
@@ -106,6 +152,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
goto done;
}
cr_domain->domain = dom;
+ cr_domain->fqnames =
+ cache_req_domain_use_fqnames(dom, enforce_non_fqnames);
DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *);
}
diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h
index 000087e5ca2074f22169a4af627810f4f287e430..5bcbb9b493caf05bf71aac5cf7633ded91f22e73 100644
--- a/src/responder/common/cache_req/cache_req_domain.h
+++ b/src/responder/common/cache_req/cache_req_domain.h
@@ -25,6 +25,7 @@
struct cache_req_domain {
struct sss_domain_info *domain;
+ bool fqnames;
struct cache_req_domain *prev;
struct cache_req_domain *next;
--
2.12.2

41
0121-CACHE_REQ_DOMAIN-Add-some-comments-to-cache_req_doma.patch Normal file
View File

@ -0,0 +1,41 @@
From f9bac02756aa05cc9c6ac07ae581dba67240c1a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 24 Apr 2017 21:04:58 +0200
Subject: [PATCH 121/135] CACHE_REQ_DOMAIN: Add some comments to
cache_req_domain_new_list_from_string_list()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/common/cache_req/cache_req_domain.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
index bfdd2b7f640178f6d0a0d92f2fed329c856b478c..6d37db0f109d5343eb6d7f4272bea522d4c34cf7 100644
--- a/src/responder/common/cache_req/cache_req_domain.c
+++ b/src/responder/common/cache_req/cache_req_domain.c
@@ -116,6 +116,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
bool enforce_non_fqnames = false;
errno_t ret;
+ /* Firstly, in case a domains' resolution order is passed ... iterate over
+ * the list adding its domains to the flatten cache req domains' list */
if (resolution_order != NULL) {
enforce_non_fqnames = true;
for (i = 0; resolution_order[i] != NULL; i++) {
@@ -141,6 +143,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
}
}
+ /* Then iterate through all the other domains (and subdomains) and add them
+ * to the flatten cache req domains' list */
for (dom = domains; dom; dom = get_next_domain(dom, flag)) {
if (string_in_list(dom->name, resolution_order, false)) {
continue;
--
2.12.2

53
0122-RESPONDER_COMMON-Improve-domaiN_resolution_order-deb.patch Normal file
View File

@ -0,0 +1,53 @@
From 213048fd9a5e800deb74cb5b7f0eaf465945c640 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 24 Apr 2017 21:09:02 +0200
Subject: [PATCH 122/135] RESPONDER_COMMON: Improve domaiN_resolution_order
debug messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Indicate whether a domain_resolution_order has been used and where
it came from.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/common/responder_common.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 62b71b5104fdbb585d086d44d2ca2ab9717dd788..7496d293fddb3e947d59a4f2aaeb2c83234dfcc7 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -1594,6 +1594,8 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
rctx, rctx->domains,
rctx->domain_resolution_order, &cr_domains);
if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Using domain_resolution_order from sssd.conf\n");
goto done;
} else {
DEBUG(SSSDBG_MINOR_FAILURE,
@@ -1624,6 +1626,8 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
dom->sysdb,
&cr_domains);
if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Using domain_resolution_order from IPA ID View\n");
goto done;
}
@@ -1641,6 +1645,8 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
dom->sysdb, dom->name,
&cr_domains);
if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Using domain_resolution_order from IPA Config\n");
goto done;
}
--
2.12.2

49
0123-CACHE_REQ_DOMAIN-debug-the-set-domain-resolution-ord.patch Normal file
View File

@ -0,0 +1,49 @@
From b78febe4c579f86f8007a27599605d1eb9f97a62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 25 Apr 2017 14:25:12 +0200
Subject: [PATCH 123/135] CACHE_REQ_DOMAIN: debug the set domain resolution
order
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/common/cache_req/cache_req_domain.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
index 6d37db0f109d5343eb6d7f4272bea522d4c34cf7..2c238c9966d322bb542fa2047313ee9e5144edee 100644
--- a/src/responder/common/cache_req/cache_req_domain.c
+++ b/src/responder/common/cache_req/cache_req_domain.c
@@ -191,6 +191,10 @@ cache_req_domain_new_list_from_domain_resolution_order(
if (domain_resolution_order != NULL) {
if (strcmp(domain_resolution_order, ":") != 0) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Domain resolution order list (split by ':'): \"%s\"\n",
+ domain_resolution_order);
+
ret = split_on_separator(tmp_ctx, domain_resolution_order, ':',
true, true, &list, NULL);
if (ret != EOK) {
@@ -199,7 +203,14 @@ cache_req_domain_new_list_from_domain_resolution_order(
ret, sss_strerror(ret));
goto done;
}
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Domain resolution order list: ':' "
+ "(do not use any specific order)\n");
}
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Domain resolution order list: not set\n");
}
cr_domains = cache_req_domain_new_list_from_string_list(mem_ctx, domains,
--
2.12.2

36
0124-LDAP-Allow-passing-a-NULL-map-to-sdap_search_bases_e.patch Normal file
View File

@ -0,0 +1,36 @@
From 53e9a5aef4a688f7c81a4a1e77013e05313e5f9a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 21 Apr 2017 15:30:37 +0200
Subject: [PATCH 124/135] LDAP: Allow passing a NULL map to
sdap_search_bases_ex_send
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
NULL attribute map and a NULL list of attributes should translate into
"fetch all entry attributes"
Required for:
https://pagure.io/SSSD/sssd/issue/3378
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ldap/sdap_ops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ldap/sdap_ops.c b/src/providers/ldap/sdap_ops.c
index 3fc968f0bf6782f91a5f5620bfe34eeeebcdc832..a90857469a4ed6f2cecb935ea70340060952c9df 100644
--- a/src/providers/ldap/sdap_ops.c
+++ b/src/providers/ldap/sdap_ops.c
@@ -101,7 +101,7 @@ sdap_search_bases_ex_send(TALLOC_CTX *mem_ctx,
state->map_num_attrs = 0;
}
- if (state->attrs == NULL) {
+ if (state->attrs == NULL && state->map != NULL) {
ret = build_attrs_from_map(state, state->map, state->map_num_attrs,
NULL, &state->attrs, NULL);
if (ret != EOK) {
--
2.12.2

88
0125-IPA-Use-search-bases-instead-of-domain_to_basedn-whe.patch Normal file
View File

@ -0,0 +1,88 @@
From 337dd8a87cd774ac20d15c16ec3d9a6c4d2defc7 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 18 Apr 2017 11:47:30 +0200
Subject: [PATCH 125/135] IPA: Use search bases instead of domain_to_basedn
when fetching external groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Instead of deriving the search base from the IPA domain name, actually
use the search base from the sdap_domain structure.
This has primarily the advantage of not matching groups in the compat
tree.
Resolves:
https://pagure.io/SSSD/sssd/issue/3378
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ipa/ipa_subdomains_ext_groups.c | 30 ++++++++++++---------------
1 file changed, 13 insertions(+), 17 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
index d5727cc46eb9834abeab1d15cada692f81754b2e..505d89a51423489a5e2c0e09c9aa49d93c15231b 100644
--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
@@ -27,6 +27,7 @@
#include "db/sysdb.h"
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_ops.h"
#include "providers/ipa/ipa_id.h"
#include "providers/ad/ad_id.h"
#include "providers/ipa/ipa_subdomains.h"
@@ -529,7 +530,6 @@ static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq)
struct get_ad_membership_state *state = tevent_req_data(req,
struct get_ad_membership_state);
int ret;
- char *basedn;
ret = sdap_id_op_connect_recv(subreq, &state->dp_error);
talloc_zfree(subreq);
@@ -546,20 +546,14 @@ static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq)
goto fail;
}
-
- ret = domain_to_basedn(state, state->domain, &basedn);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n");
- goto fail;
- }
-
- subreq = sdap_get_generic_send(state, state->ev, state->sdap_id_ctx->opts,
- sdap_id_op_handle(state->sdap_op), basedn,
- LDAP_SCOPE_SUBTREE,
- IPA_EXT_GROUPS_FILTER, NULL, NULL, 0,
- dp_opt_get_int(state->sdap_id_ctx->opts->basic,
- SDAP_ENUM_SEARCH_TIMEOUT),
- false);
+ subreq = sdap_search_bases_send(state, state->ev, state->sdap_id_ctx->opts,
+ sdap_id_op_handle(state->sdap_op),
+ state->sdap_id_ctx->opts->sdom->group_search_bases,
+ NULL, false,
+ dp_opt_get_int(state->sdap_id_ctx->opts->basic,
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ IPA_EXT_GROUPS_FILTER,
+ NULL);
if (subreq == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
ret = ENOMEM;
@@ -583,8 +577,10 @@ static void ipa_get_ext_groups_done(struct tevent_req *subreq)
int ret;
hash_table_t *ext_group_hash;
- ret = sdap_get_generic_recv(subreq, state,
- &state->reply_count, &state->reply);
+ ret = sdap_search_bases_recv(subreq,
+ state,
+ &state->reply_count,
+ &state->reply);
talloc_zfree(subreq);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ext_groups request failed.\n");
--
2.12.2

127
0126-CONFDB-Fix-standalone-application-domains.patch Normal file
View File

@ -0,0 +1,127 @@
From 734e73257fff1c1884b72b8cf988f6d75c3a7567 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 31 Mar 2017 17:12:56 +0200
Subject: [PATCH 126/135] CONFDB: Fix standalone application domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When a standalone application domain was configured, for example:
-------------------------------------------------
[sssd]
domains = appdomain
[application/appdomain]
id_provider=ldap
ldap_uri = ldap://dc.ipa.test
ldap_search_base = cn=accounts,dc=ipa,dc=test
ldap_schema = rfc2307bis
sudo_provider = none
ldap_sasl_mech = gssapi
krb5_realm = IPA.TEST
krb5_server = dc.ipa.test
ldap_user_uid_number = telephonenumber
ldap_user_gid_number = mobile
ldap_user_extra_attrs = location:l
-------------------------------------------------
We would, when unrolling the application section into a domain section,
first add a domain stub, equivalent to:
-----------------------------
[domain/appdomain]
domain_type = application
-----------------------------
Which in config.ldb also contains cn. Then, whem we would add the parameters
from the [application] section, but try to add the cn again.
This didn't happen when inheriting from a POSIX domain, because there we
would set LDB_FLAG_REPLACE for any attributes that exist in the inherited
domain.
This patch skips the cn attribute both when replacing an inherited
domain's attributes and when writing a standalone application domain.
Resolves:
https://pagure.io/SSSD/sssd/issue/3355
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/confdb/confdb.c | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 68693e8382c0fbf1015ee47f14fa7c6f64ae98b2..286dbb24377c6d0fdf2c2d070da04918c591ce05 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1909,7 +1909,7 @@ static int confdb_add_app_domain(TALLOC_CTX *mem_ctx,
cdb_path = talloc_asprintf(mem_ctx, CONFDB_DOMAIN_PATH_TMPL, name);
if (cdb_path == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
val[0] = CONFDB_DOMAIN_TYPE_APP;
@@ -1933,6 +1933,7 @@ static int confdb_merge_parent_domain(const char *name,
struct ldb_message *replace_msg = NULL;
struct ldb_message *app_msg = NULL;
struct ldb_dn *domain_dn;
+ struct ldb_message_element *el = NULL;
TALLOC_CTX *tmp_ctx = NULL;
tmp_ctx = talloc_new(NULL);
@@ -1974,6 +1975,12 @@ static int confdb_merge_parent_domain(const char *name,
replace_msg->elements[i].flags = LDB_FLAG_MOD_ADD;
}
+ el = ldb_msg_find_element(replace_msg, "cn");
+ if (el != NULL) {
+ /* Don't add second cn */
+ ldb_msg_remove_element(replace_msg, el);
+ }
+
ret = ldb_modify(cdb->ldb, replace_msg);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
@@ -1993,7 +2000,14 @@ static int confdb_merge_parent_domain(const char *name,
app_msg->dn = domain_dn;
for (unsigned i = 0; i < app_section->msgs[0]->num_elements; i++) {
- struct ldb_message_element *el = NULL;
+ struct ldb_message_element *app_el = &app_section->msgs[0]->elements[i];
+
+ /* These elements will be skipped when replacing attributes in
+ * a domain to avoid EEXIST errors
+ */
+ if (strcasecmp(app_el->name, "cn") == 0) {
+ continue;
+ }
if (replace_msg != NULL) {
el = ldb_msg_find_element(replace_msg,
@@ -2013,12 +2027,16 @@ static int confdb_merge_parent_domain(const char *name,
ret = ldb_msg_add(app_msg,
&app_section->msgs[0]->elements[i],
ldb_flag);
- if (ret != EOK) {
+ if (ret != LDB_SUCCESS) {
continue;
}
}
- ret = ldb_modify(cdb->ldb, app_msg);
+ /* We use permissive modification here because adding cn or
+ * distinguishedName from the app_section to the application
+ * message would throw EEXIST
+ */
+ ret = sss_ldb_modify_permissive(cdb->ldb, app_msg);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
DEBUG(SSSDBG_OP_FAILURE,
--
2.12.2

47
0127-utils-add-sss_domain_is_forest_root.patch Normal file
View File

@ -0,0 +1,47 @@
From 712e5b2e4465812c00a8667c75813322373bc657 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 4 Apr 2017 14:35:47 +0200
Subject: [PATCH 127/135] utils: add sss_domain_is_forest_root()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related to https://pagure.io/SSSD/sssd/issue/3361
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/util/domain_info_utils.c | 5 +++++
src/util/util.h | 1 +
2 files changed, 6 insertions(+)
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 2af7852f03f89b61f5b9fd8a244e98fb27b7e6a2..541058a16d585155b3b51511740f7db45281e2fd 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -844,6 +844,11 @@ void sss_domain_set_state(struct sss_domain_info *dom,
"Domain %s is %s\n", dom->name, domain_state_str(dom));
}
+bool sss_domain_is_forest_root(struct sss_domain_info *dom)
+{
+ return (dom->forest_root == dom);
+}
+
bool is_email_from_domain(const char *email, struct sss_domain_info *dom)
{
const char *p;
diff --git a/src/util/util.h b/src/util/util.h
index 436550f5078cc173b8ed8cb58836d366f813146b..4ef13ced48addc19403402d7d880176da24ceec6 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -539,6 +539,7 @@ enum sss_domain_state sss_domain_get_state(struct sss_domain_info *dom);
void sss_domain_set_state(struct sss_domain_info *dom,
enum sss_domain_state state);
bool is_email_from_domain(const char *email, struct sss_domain_info *dom);
+bool sss_domain_is_forest_root(struct sss_domain_info *dom);
const char *sss_domain_type_str(struct sss_domain_info *dom);
struct sss_domain_info*
--
2.12.2

103
0128-ad-handle-forest-root-not-listed-in-ad_enabled_domai.patch Normal file
View File

@ -0,0 +1,103 @@
From feeabf273aa7af580552366ce58655e6a482a0cd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 3 Apr 2017 21:27:32 +0200
Subject: [PATCH 128/135] ad: handle forest root not listed in
ad_enabled_domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Although users and groups from the forest root should be ignored SSSD
will still try to get information about the forest topology from a DC
from the forest root. So even if the forest root domain is disabled we
should makes sure it is usable for those searches.
Resolves https://pagure.io/SSSD/sssd/issue/3361
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_subdomains.c | 39 ++++++++++++++++++++++++++++++++++++---
1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index bc659b2cb0a02723437d24d0021ec3592381e84c..ef166446e837c3f7cd824c1abf4b5cc587aec9da 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -433,6 +433,14 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx,
if (c >= num_subdomains) {
/* ok this subdomain does not exist anymore, let's clean up */
sss_domain_set_state(dom, DOM_DISABLED);
+
+ /* Just disable the forest root but do not remove sdap data */
+ if (sss_domain_is_forest_root(dom)) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Skipping removal of forest root sdap data.\n");
+ continue;
+ }
+
ret = sysdb_subdomain_delete(dom->sysdb, dom->name);
if (ret != EOK) {
goto done;
@@ -633,6 +641,7 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
const char *path;
errno_t ret;
bool canonicalize = false;
+ struct sss_domain_info *dom;
path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic,
AD_KRB5_CONFD_PATH);
@@ -675,6 +684,17 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx)
return ret;
}
+ /* Make sure disabled domains are not re-enabled accidentially */
+ if (subdoms_ctx->ad_enabled_domains != NULL) {
+ for (dom = subdoms_ctx->be_ctx->domain->subdomains; dom;
+ dom = get_next_domain(dom, false)) {
+ if (!is_domain_enabled(dom->name,
+ subdoms_ctx->ad_enabled_domains)) {
+ sss_domain_set_state(dom, DOM_DISABLED);
+ }
+ }
+ }
+
return EOK;
}
@@ -898,7 +918,7 @@ static errno_t ad_get_slave_domain_recv(struct tevent_req *req)
static struct sss_domain_info *
ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs)
{
- struct sss_domain_info *root;
+ struct sss_domain_info *dom;
const char *name;
errno_t ret;
@@ -909,9 +929,22 @@ ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs)
}
/* With a subsequent run, the root should already be known */
- root = find_domain_by_name(be_ctx->domain, name, false);
+ for (dom = be_ctx->domain; dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
- return root;
+ if (strcasecmp(dom->name, name) == 0) {
+ /* The forest root is special, although it might be disabled for
+ * general lookups we still want to try to get the domains in the
+ * forest from a DC of the forest root */
+ if (sss_domain_get_state(dom) == DOM_DISABLED
+ && !sss_domain_is_forest_root(dom)) {
+ return NULL;
+ }
+ return dom;
+ }
+ }
+
+ return NULL;
}
static struct ad_id_ctx *
--
2.12.2

101
0129-overrides-add-certificates-to-mapped-attribute.patch Normal file
View File

@ -0,0 +1,101 @@
From 2e5fc89ef25434fab7febe2c52e97ef989b50d5b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 27 Apr 2017 09:28:55 +0200
Subject: [PATCH 129/135] overrides: add certificates to mapped attribute
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Certificates in overrides are explicitly used to map users to
certificates, so we add them to SYSDB_USER_MAPPED_CERT as well.
Resolves https://pagure.io/SSSD/sssd/issue/3373
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/db/sysdb_views.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 20db9b06183d68b33bb19f498513d7f5cf84b1cf..3773dda77e16b35fa217be0aa7974da7e34c09f4 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -777,6 +777,7 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
int ret;
TALLOC_CTX *tmp_ctx;
struct sysdb_attrs *attrs;
+ struct sysdb_attrs *mapped_attrs = NULL;
size_t c;
size_t d;
size_t num_values;
@@ -791,6 +792,7 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
SYSDB_USER_CERT,
NULL };
bool override_attrs_found = false;
+ bool is_cert = false;
if (override_attrs == NULL) {
/* nothing to do */
@@ -846,6 +848,24 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
num_values = 1;
}
+ is_cert = false;
+ if (strcmp(allowed_attrs[c], SYSDB_USER_CERT) == 0) {
+ /* Certificates in overrides are explicitly used to map
+ * users to certificates, so we add them to
+ * SYSDB_USER_MAPPED_CERT as well. */
+ is_cert = true;
+
+ if (mapped_attrs == NULL) {
+ mapped_attrs = sysdb_new_attrs(tmp_ctx);
+ if (mapped_attrs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_new_attrs failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ }
+
for (d = 0; d < num_values; d++) {
ret = sysdb_attrs_add_val(attrs, allowed_attrs[c],
&el->values[d]);
@@ -854,6 +874,18 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
"sysdb_attrs_add_val failed.\n");
goto done;
}
+
+ if (is_cert) {
+ ret = sysdb_attrs_add_val(mapped_attrs,
+ SYSDB_USER_MAPPED_CERT,
+ &el->values[d]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_val failed.\n");
+ goto done;
+ }
+ }
+
DEBUG(SSSDBG_TRACE_ALL,
"Override [%s] with [%.*s] for [%s].\n",
allowed_attrs[c], (int) el->values[d].length,
@@ -878,6 +910,15 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
goto done;
}
+
+ if (mapped_attrs != NULL) {
+ ret = sysdb_set_entry_attr(domain->sysdb, obj_dn, mapped_attrs,
+ SYSDB_MOD_ADD);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_set_entry_attr failed, ignored.\n");
+ }
+ }
}
ret = EOK;
--
2.12.2

44
0130-IPA-Improve-s2n-debug-message-for-missing-ipaNTSecur.patch Normal file
View File

@ -0,0 +1,44 @@
From 0c5f463e9629ac08d647c70cffb30bccdd57ae96 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Tue, 25 Apr 2017 13:02:10 -0400
Subject: [PATCH 130/135] IPA: Improve s2n debug message for missing
ipaNTSecurityIdentifier
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch improves the log message to be more information for
the SSSD user troubleshooting issues.
If the IDM POSIX group used for AD trust HBAC/SUDO operation is missing
the ipaNTSecurityIdentifier it can cause client s2n operations failures
resolving the group which resulted in the inability to login for the AD
user.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 55ec904ca3188c7cf10ac41972e9ecf94ebf44bb..f5f4401f86615dc7f81f844e1096ad43e965c384 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -2580,7 +2580,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
ret = sysdb_attrs_get_string(attrs->sysdb_attrs, SYSDB_SID_STR, &sid_str);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot find SID of object with override.\n");
+ "Cannot find SID of object.\n");
+ if (name != NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Object [%s] has no SID, please check the "
+ "ipaNTSecurityIdentifier attribute on the server-side.\n",
+ name);
+ }
goto done;
}
--
2.12.2

114
0131-Use-correct-spelling-of-override.patch Normal file
View File

@ -0,0 +1,114 @@
From 352f4832324839d358235de1236090b1fd4ddc0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Genz?= <liebundartig@freenet.de>
Date: Tue, 25 Apr 2017 20:33:58 +0000
Subject: [PATCH 131/135] Use correct spelling of override
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/config/SSSDConfig/__init__.py.in | 2 +-
src/config/cfg_rules.ini | 2 +-
src/config/etc/sssd.api.d/sssd-ipa.conf | 2 +-
src/db/sysdb_views.c | 6 +++---
src/man/sssd-ipa.5.xml | 2 +-
src/providers/ipa/ipa_opts.c | 2 +-
6 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 54ad722f07ef91a13a0df278ffd2b1c166bc8d36..5ca31cfefccbb09438d261d4287cd8db736d348e 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -211,7 +211,7 @@ option_strings = {
'ipa_views_search_base': _("Search base for view containers"),
'ipa_view_class': _("Objectclass for view containers"),
'ipa_view_name': _("Attribute with the name of the view"),
- 'ipa_overide_object_class': _("Objectclass for override objects"),
+ 'ipa_override_object_class': _("Objectclass for override objects"),
'ipa_anchor_uuid': _("Attribute with the reference to the original object"),
'ipa_user_override_object_class': _("Objectclass for user override objects"),
'ipa_group_override_object_class': _("Objectclass for group override objects"),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index e47ff33242d6a9e5979fe0eb8eea14c2af28685a..64cb1474fadba5d5372470a17cd9cd7c7cec7835 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -457,7 +457,7 @@ option = ipa_netgroup_member_user
option = ipa_netgroup_name
option = ipa_netgroup_object_class
option = ipa_netgroup_uuid
-option = ipa_overide_object_class
+option = ipa_override_object_class
option = ipa_ranges_search_base
option = ipa_selinux_refresh
option = ipa_selinux_usermap_enabled
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 88da36ef4a0a067530dfd44b7a231f4f74c800f2..f36b568c3ea813db3f46fdd69059957f6373801e 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -143,7 +143,7 @@ ldap_pwdlockout_dn = str, None, false
ipa_views_search_base = str, None, false
ipa_view_class = str, None, false
ipa_view_name = str, None, false
-ipa_overide_object_class = str, None, false
+ipa_override_object_class = str, None, false
ipa_anchor_uuid = str, None, false
ipa_user_override_object_class = str, None, false
ipa_group_override_object_class = str, None, false
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 3773dda77e16b35fa217be0aa7974da7e34c09f4..afc7852ecf402ef144beca9c1b94fbe3cc4bbb6a 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -521,7 +521,7 @@ errno_t sysdb_store_override(struct sss_domain_info *domain,
NULL);
if (obj_override_dn != NULL) {
/* obj_override_dn can either point to the object itself, i.e there is
- * no override, or to a overide object. This means it can change from
+ * no override, or to a override object. This means it can change from
* the object DN to a override DN and back but not from one override
* DN to a different override DN. If the new and the old DN are the
* same we do not need to update the original object. */
@@ -931,7 +931,7 @@ done:
#define SYSDB_USER_NAME_OVERRIDE_FILTER "(&(objectClass="SYSDB_OVERRIDE_USER_CLASS")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
#define SYSDB_USER_UID_OVERRIDE_FILTER "(&(objectClass="SYSDB_OVERRIDE_USER_CLASS")("SYSDB_UIDNUM"=%lu))"
-#define SYSDB_USER_CERT_OVERIDE_FILTER "(&(objectClass="SYSDB_OVERRIDE_USER_CLASS")%s)"
+#define SYSDB_USER_CERT_OVERRIDE_FILTER "(&(objectClass="SYSDB_OVERRIDE_USER_CLASS")%s)"
#define SYSDB_GROUP_NAME_OVERRIDE_FILTER "(&(objectClass="SYSDB_OVERRIDE_GROUP_CLASS")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
#define SYSDB_GROUP_GID_OVERRIDE_FILTER "(&(objectClass="SYSDB_OVERRIDE_GROUP_CLASS")("SYSDB_GIDNUM"=%lu))"
@@ -978,7 +978,7 @@ errno_t sysdb_search_override_by_cert(TALLOC_CTX *mem_ctx,
}
ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &override_res, base_dn,
- LDB_SCOPE_SUBTREE, attrs, SYSDB_USER_CERT_OVERIDE_FILTER,
+ LDB_SCOPE_SUBTREE, attrs, SYSDB_USER_CERT_OVERRIDE_FILTER,
cert_filter);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index fee644186c9ed11eee18cd27450e56aea38d05bf..98db5b96d9abf157440440eab0882e49595efa5f 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -546,7 +546,7 @@
</varlistentry>
<varlistentry>
- <term>ipa_overide_object_class (string)</term>
+ <term>ipa_override_object_class (string)</term>
<listitem>
<para>
Objectclass of the override objects.
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
index cd3fe9ae4302ff4837a500b9a0c834dadb11f87d..f9f3a2a6992be6cf5cb3c699b30c45ca9dbb42ab 100644
--- a/src/providers/ipa/ipa_opts.c
+++ b/src/providers/ipa/ipa_opts.c
@@ -277,7 +277,7 @@ struct sdap_attr_map ipa_view_map[] = {
};
struct sdap_attr_map ipa_override_map[] = {
- { "ipa_overide_object_class", "ipaOverrideAnchor", SYSDB_OVERRIDE_CLASS, NULL},
+ { "ipa_override_object_class", "ipaOverrideAnchor", SYSDB_OVERRIDE_CLASS, NULL},
{ "ipa_anchor_uuid", "ipaAnchorUUID", SYSDB_OVERRIDE_ANCHOR_UUID, NULL},
{ "ipa_user_override_object_class", "ipaUserOverride", SYSDB_OVERRIDE_USER_CLASS, NULL},
{ "ipa_group_override_object_class", "ipaGroupOverride", SYSDB_OVERRIDE_GROUP_CLASS, NULL},
--
2.12.2

49
0132-cache_req-Avoid-bool-in-switch-case.patch Normal file
View File

@ -0,0 +1,49 @@
From b70ec63cca034ce9c638f2dcefbd4358b654d2e1 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Thu, 27 Apr 2017 10:45:30 +0200
Subject: [PATCH 132/135] cache_req: Avoid bool in switch/case
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Pair-Programmed-With: Michal Židek <mzidek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/responder/common/cache_req/cache_req_domain.c | 18 +++++++-----------
1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
index 2c238c9966d322bb542fa2047313ee9e5144edee..8bf7fc6dc155123b5525127d6ee23ce98a50f490 100644
--- a/src/responder/common/cache_req/cache_req_domain.c
+++ b/src/responder/common/cache_req/cache_req_domain.c
@@ -89,17 +89,13 @@ cache_req_domain_use_fqnames(struct sss_domain_info *domain,
* - false: in this case, the usage of fully-qualified-names will be
* done accordingly to what's set for the domain itself.
*/
- switch (head->fqnames) {
- case true:
- return true;
- case false:
- switch (enforce_non_fqnames) {
- case true:
- return false;
- case false:
- return domain->fqnames;
- }
- }
+ if (head->fqnames) {
+ return true;
+ } else if (enforce_non_fqnames) {
+ return false;
+ } else {
+ return domain->fqnames;
+ }
}
static struct cache_req_domain *
--
2.12.2

51
0133-ssh-tools-The-ai-structure-is-not-an-array.patch Normal file
View File

@ -0,0 +1,51 @@
From 08084b1179bb9fc38bc22b464b3d44907107bfd3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 25 Apr 2017 12:39:32 +0000
Subject: [PATCH 133/135] ssh tools: The ai structure is not an array,
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This structure is actually a linked list, so do not mislead readers by
treating it as an array.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
index adb82288d435cefccf7e23e6ed2b2c551798a7f8..310243c2fc8091f711559d4afb412e619af687ad 100644
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
@@ -268,10 +268,10 @@ int main(int argc, const char **argv)
DEBUG(SSSDBG_OP_FAILURE,
"getaddrinfo() failed (%d): %s\n", ret, gai_strerror(ret));
} else {
- host = ai[0].ai_canonname;
+ host = ai->ai_canonname;
}
} else {
- ret = getnameinfo(ai[0].ai_addr, ai[0].ai_addrlen,
+ ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
canonhost, NI_MAXHOST, NULL, 0, NI_NAMEREQD);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -295,7 +295,7 @@ int main(int argc, const char **argv)
if (pc_args) {
ret = connect_proxy_command(discard_const(pc_args));
} else if (ai) {
- ret = connect_socket(ai[0].ai_family, ai[0].ai_addr, ai[0].ai_addrlen);
+ ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen);
} else {
ret = EFAULT;
}
--
2.12.2

46
0134-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch Normal file
View File

@ -0,0 +1,46 @@
From 5f6232c7e6d9635c1d6b6b09f799309b6094b143 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 25 Apr 2017 14:00:15 +0000
Subject: [PATCH 134/135] ssh tools: Fix issues with multiple IP addresses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cycle through all resolved address until one succeed or all fail.
This is needed for dual stack systems where either IPv4 or IPv6 are
improperly configured or selectively filtered at some point along the
route.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
index 310243c2fc8091f711559d4afb412e619af687ad..b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29 100644
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
@@ -295,7 +295,13 @@ int main(int argc, const char **argv)
if (pc_args) {
ret = connect_proxy_command(discard_const(pc_args));
} else if (ai) {
- ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen);
+ /* Try all IP addresses before giving up */
+ for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) {
+ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen);
+ if (ret == 0) {
+ break;
+ }
+ }
} else {
ret = EFAULT;
}
--
2.12.2

95
0135-ssh-tools-Split-connect-and-communication-phases.patch Normal file
View File

@ -0,0 +1,95 @@
From 244adc327f7e29ba2c7ef60bc9f732d8fe3e68c9 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 25 Apr 2017 19:19:13 +0000
Subject: [PATCH 135/135] ssh tools: Split connect and communication phases
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We can fallback after a connect error, but we cannot easily fall back
once we start sending data as we may have consumed part of the buffer so
reconnecting and sending what's left would not make sense.
Therefore we now fallback on connect errors, but we issue a hard fail if
error happens after communication has been established.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 30 ++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
index b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29..976ba86b321923cecad0703214e22b0a773ef585 100644
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
@@ -40,14 +40,10 @@
/* connect to server using socket */
static int
-connect_socket(int family, struct sockaddr *addr, size_t addr_len)
+connect_socket(int family, struct sockaddr *addr, size_t addr_len, int *sd)
{
int flags;
int sock = -1;
- struct pollfd fds[2];
- char buffer[BUFFER_SIZE];
- int i;
- ssize_t res;
int ret;
/* set O_NONBLOCK on standard input */
@@ -85,6 +81,22 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len)
goto done;
}
+ *sd = sock;
+
+done:
+ if (ret != 0 && sock >= 0) close(sock);
+ return ret;
+}
+
+static int proxy_data(int sock)
+{
+ int flags;
+ struct pollfd fds[2];
+ char buffer[BUFFER_SIZE];
+ int i;
+ ssize_t res;
+ int ret;
+
/* set O_NONBLOCK on the socket */
flags = fcntl(sock, F_GETFL);
if (flags == -1) {
@@ -158,8 +170,7 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len)
}
done:
- if (sock >= 0) close(sock);
-
+ close(sock);
return ret;
}
@@ -297,8 +308,11 @@ int main(int argc, const char **argv)
} else if (ai) {
/* Try all IP addresses before giving up */
for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) {
- ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen);
+ int socket_descriptor = -1;
+ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen,
+ &socket_descriptor);
if (ret == 0) {
+ ret = proxy_data(socket_descriptor);
break;
}
}
--
2.12.2

85
sssd.spec
View File

@ -34,7 +34,7 @@
Name: sssd
Version: 1.15.3
Release: 0.beta.2%{?dist}
Release: 0.beta.3%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -141,6 +141,44 @@ Patch0095: 0095-BUILD-Fix-compilation-of-libsss_certmap-with-libcryp.patch
Patch0096: 0096-responders-do-not-leak-selinux-context-on-clients-de.patch
Patch0097: 0097-ipa_s2n_get_acct_info_send-provide-correct-req_input.patch
Patch0098: 0098-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
Patch0099: 0099-DP-Fix-typo.patch
Patch0100: 0100-CONFDB-Fix-handling-of-enable_files_domain.patch
Patch0101: 0101-pam_test_client-add-service-and-environment-to-PAM-t.patch
Patch0102: 0102-pam_test_client-add-SSSD-getpwnam-lookup.patch
Patch0103: 0103-sss_sifp-update-method-names.patch
Patch0104: 0104-pam_test_client-add-InfoPipe-user-lookup.patch
Patch0105: 0105-sssctl-integrate-pam_test_client-into-sssctl.patch
Patch0106: 0106-i18n-adding-sssctl-files.patch
Patch0107: 0107-config-check-Message-when-sssd.conf-is-missing.patch
Patch0108: 0108-KRB5_LOCATOR-add-env-variable-to-disable-plugin.patch
Patch0109: 0109-sbus-check-connection-for-NULL-before-unregister-it.patch
Patch0110: 0110-UTIL-Use-max-15-characters-for-AD-host-UPN.patch
Patch0111: 0111-minor-typo-fixes.patch
Patch0112: 0112-SPEC-Drop-conditional-build-for-krb5_local_auth_plug.patch
Patch0113: 0113-README-Update-links-to-mailing-lists.patch
Patch0114: 0114-Move-sized_output_name-and-sized_domain_name-into-re.patch
Patch0115: 0115-IFP-Use-sized_domain_name-to-format-the-groups-the-u.patch
Patch0116: 0116-SECRETS-remove-unused-variable.patch
Patch0117: 0117-IPA-Improve-DEBUG-message-if-a-group-has-no-ipaNTSec.patch
Patch0118: 0118-RESPONDER-Fallback-to-global-domain-resolution-order.patch
Patch0119: 0119-NSS-TESTS-Improve-non-fqnames-tests.patch
Patch0120: 0120-CACHE_REQ-Allow-configurationless-shortname-lookups.patch
Patch0121: 0121-CACHE_REQ_DOMAIN-Add-some-comments-to-cache_req_doma.patch
Patch0122: 0122-RESPONDER_COMMON-Improve-domaiN_resolution_order-deb.patch
Patch0123: 0123-CACHE_REQ_DOMAIN-debug-the-set-domain-resolution-ord.patch
Patch0124: 0124-LDAP-Allow-passing-a-NULL-map-to-sdap_search_bases_e.patch
Patch0125: 0125-IPA-Use-search-bases-instead-of-domain_to_basedn-whe.patch
Patch0126: 0126-CONFDB-Fix-standalone-application-domains.patch
Patch0127: 0127-utils-add-sss_domain_is_forest_root.patch
Patch0128: 0128-ad-handle-forest-root-not-listed-in-ad_enabled_domai.patch
Patch0129: 0129-overrides-add-certificates-to-mapped-attribute.patch
Patch0130: 0130-IPA-Improve-s2n-debug-message-for-missing-ipaNTSecur.patch
Patch0131: 0131-Use-correct-spelling-of-override.patch
Patch0132: 0132-cache_req-Avoid-bool-in-switch-case.patch
Patch0133: 0133-ssh-tools-The-ai-structure-is-not-an-array.patch
Patch0134: 0134-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch
Patch0135: 0135-ssh-tools-Split-connect-and-communication-phases.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
@ -280,6 +318,7 @@ Group: Development/Libraries
License: LGPLv3+
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
Conflicts: sssd-common < %{version}-%{release}
%description -n libsss_sudo
A utility library to allow communication between SUDO and SSSD
@ -288,6 +327,7 @@ A utility library to allow communication between SUDO and SSSD
Summary: A library to allow communication between Autofs and SSSD
Group: Development/Libraries
License: LGPLv3+
Conflicts: sssd-common < %{version}-%{release}
%description -n libsss_autofs
A utility library to allow communication between Autofs and SSSD
@ -609,6 +649,7 @@ Summary: The SSSD libwbclient implementation
Group: Applications/System
License: GPLv3+ and LGPLv3+
Conflicts: libwbclient < 4.2.0-0.2.rc2
Conflicts: sssd-common < %{version}-%{release}
%description libwbclient
The SSSD libwbclient implementation.
@ -627,6 +668,7 @@ Development libraries for the SSSD libwbclient implementation.
Summary: SSSD's idmap_sss Backend for Winbind
Group: Applications/System
License: GPLv3+ and LGPLv3+
Conflicts: sssd-common < %{version}-%{release}
%description winbind-idmap
The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs
@ -636,6 +678,7 @@ and SIDs.
Summary: SSSD plug-in for NFSv4 rpc.idmapd
Group: Applications/System
License: GPLv3+
Conflicts: sssd-common < %{version}-%{release}
%description nfs-idmap
The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map
@ -648,6 +691,7 @@ Group: Development/Libraries
License: LGPLv3+
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
Conflicts: sssd-common < %{version}-%{release}
%description -n libsss_certmap
Library to map certificates to users based on rules
@ -775,10 +819,11 @@ do
done
touch sssd.lang
for subpackage in ldap krb5 ipa ad proxy tools client dbus nfs_idmap \
winbind_idmap
for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
libsss_certmap sssd_kcm
do
touch sssd_$subpackage.lang
touch $subpackage.lang
done
for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
@ -824,9 +869,15 @@ do
sssd-ifp*)
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_dbus.lang
;;
sssd-kcm*)
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_kcm.lang
;;
idmap_sss*)
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_winbind_idmap.lang
;;
sss-certmap*)
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang
;;
*)
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
;;
@ -843,11 +894,12 @@ cat python2_sssdconfig.lang
echo "python3_sssdconfig.lang:"
cat python3_sssdconfig.lang
for subpackage in ldap krb5 ipa ad proxy tools client dbus nfs_idmap \
winbind_idmap
for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
libsss_certmap sssd_kcm
do
echo "sssd_$subpackage.lang:"
cat sssd_$subpackage.lang
echo "$subpackage.lang:"
cat $subpackage.lang
done
%files
@ -1183,26 +1235,27 @@ done
%{_mandir}/man5/sss_rpcidmapd.5*
%{_libdir}/libnfsidmap/sss.so
%files -n libsss_certmap
%files -n libsss_certmap -f libsss_certmap.lang
%defattr(-,root,root,-)
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_certmap.so.*
%{_mandir}/man5/sss-certmap.5*
%files -n libsss_certmap-devel
%defattr(-,root,root,-)
%doc certmap_doc/html
%{_mandir}/man5/sss-certmap.5*
%{_includedir}/sss_certmap.h
%{_libdir}/libsss_certmap.so
%{_libdir}/pkgconfig/sss_certmap.pc
%files kcm
%files kcm -f sssd_kcm.lang
%{_libexecdir}/%{servicename}/sssd_kcm
%dir %{_sysconfdir}/krb5.conf.d
%config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache
%{_unitdir}/sssd-kcm.socket
%{_unitdir}/sssd-kcm.service
%{_mandir}/man8/sssd-kcm.8*
%post common
%systemd_post sssd.service
%systemd_post sssd-autofs.socket
@ -1226,7 +1279,6 @@ done
%systemd_preun sssd-sudo.socket
%postun common
%systemd_postun_with_restart sssd.service
%systemd_postun_with_restart sssd-autofs.socket
%systemd_postun_with_restart sssd-autofs.service
%systemd_postun_with_restart sssd-nss.socket
@ -1301,6 +1353,9 @@ fi
%postun -n libsss_certmap -p /sbin/ldconfig
%posttrans common
%systemd_postun_with_restart sssd.service
%posttrans libwbclient
%{_sbindir}/update-alternatives \
--install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
@ -1325,6 +1380,12 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Sat Apr 29 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.3-0.beta.3
- Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication
- Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with
file from package sssd-common-1.15.1-1.fc25.x86_64
- Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4
* Thu Apr 06 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.3-0.beta.2
- Fix issue with IPA + SELinux in containers
- Resolves: upstream https://fedorahosted.org/sssd/ticket/3297