diff --git a/0099-DP-Fix-typo.patch b/0099-DP-Fix-typo.patch
new file mode 100644
index 0000000..131aad2
--- /dev/null
+++ b/0099-DP-Fix-typo.patch
@@ -0,0 +1,38 @@
+From 6a611406e805a1707ca0b9e86b6aa96e02e43ecc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Thu, 6 Apr 2017 11:23:43 +0200
+Subject: [PATCH 099/135] DP: Fix typo
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Lukáš Slebodník
+---
+ src/providers/data_provider/dp_target_id.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/data_provider/dp_target_id.c b/src/providers/data_provider/dp_target_id.c
+index 0bca9bac27b68a8b905a668992cb8f7650023f65..2088f9529cab83794ac793c7fd5a320f479dbf11 100644
+--- a/src/providers/data_provider/dp_target_id.c
++++ b/src/providers/data_provider/dp_target_id.c
+@@ -210,7 +210,7 @@ static errno_t dp_initgroups(struct sbus_request *sbus_req,
+
+ ret = sysdb_initgroups(sbus_req, domain, data->filter_value, &res);
+ if (ret == ENOENT || (ret == EOK && res->count == 0)) {
+- /* There is no point in concacting NSS responder. Proceed as usual. */
++ /* There is no point in contacting NSS responder. Proceed as usual. */
+ return EAGAIN;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get initgroups [%d]: %s\n",
+@@ -274,7 +274,7 @@ errno_t dp_get_account_info_handler(struct sbus_request *sbus_req,
+ }
+
+ if ((data->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
+- ret = dp_initgroups(sbus_req, dp_cli, key, dp_flags, data);
++ ret = dp_initgroups(sbus_req, dp_cli, key, dp_flags, data);
+ if (ret != EAGAIN) {
+ goto done;
+ }
+--
+2.12.2
+
diff --git a/0100-CONFDB-Fix-handling-of-enable_files_domain.patch b/0100-CONFDB-Fix-handling-of-enable_files_domain.patch
new file mode 100644
index 0000000..4abe713
--- /dev/null
+++ b/0100-CONFDB-Fix-handling-of-enable_files_domain.patch
@@ -0,0 +1,77 @@
+From 3509bb03ecef49264820c9e287e8b2c7e0a8a508 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik
+Date: Wed, 5 Apr 2017 14:04:46 +0200
+Subject: [PATCH 100/135] CONFDB: Fix handling of enable_files_domain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The option enable_files_domain worked only if sssd
+was compiled with --enable-files-domain. But manual page described
+something else.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3340
+
+Reviewed-by: Michal Židek
+---
+ src/confdb/confdb.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
+index 88e114457deac3ca50c291a131122624fb6f6fe4..68693e8382c0fbf1015ee47f14fa7c6f64ae98b2 100644
+--- a/src/confdb/confdb.c
++++ b/src/confdb/confdb.c
+@@ -1695,7 +1695,6 @@ done:
+ return ret;
+ }
+
+-#ifdef ADD_FILES_DOMAIN
+ static int confdb_has_files_domain(struct confdb_ctx *cdb)
+ {
+ TALLOC_CTX *tmp_ctx = NULL;
+@@ -1830,25 +1829,27 @@ done:
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+-#endif /* ADD_FILES_DOMAIN */
+
+ int confdb_ensure_files_domain(struct confdb_ctx *cdb,
+ const char *implicit_files_dom_name)
+ {
+-#ifndef ADD_FILES_DOMAIN
+- return EOK;
++#ifdef ADD_FILES_DOMAIN
++ const bool default_enable_files = true;
+ #else
++ const bool default_enable_files = false;
++#endif
+ errno_t ret;
+ bool enable_files;
+
+ ret = confdb_get_bool(cdb,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ENABLE_FILES_DOM,
+- true, &enable_files);
++ default_enable_files, &enable_files);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+- "Cannot get the value of %s assuming true\n",
+- CONFDB_MONITOR_ENABLE_FILES_DOM);
++ "Cannot get the value of %s assuming %s\n",
++ CONFDB_MONITOR_ENABLE_FILES_DOM,
++ default_enable_files ?
"true" : "false");
+ return ret;
+ }
+
+@@ -1874,7 +1875,6 @@ int confdb_ensure_files_domain(struct confdb_ctx *cdb,
+ }
+
+ return activate_files_domain(cdb, implicit_files_dom_name);
+-#endif /* ADD_FILES_DOMAIN */
+ }
+
+ static int confdb_get_parent_domain(TALLOC_CTX *mem_ctx,
+--
+2.12.2
+
diff --git a/0101-pam_test_client-add-service-and-environment-to-PAM-t.patch b/0101-pam_test_client-add-service-and-environment-to-PAM-t.patch
new file mode 100644
index 0000000..a854e24
--- /dev/null
+++ b/0101-pam_test_client-add-service-and-environment-to-PAM-t.patch
@@ -0,0 +1,104 @@
+From 7be6624d9eda369e9a4d70c8ee4939b3622229b3 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 24 Jan 2017 14:50:20 +0100
+Subject: [PATCH 101/135] pam_test_client: add service and environment to PAM
+ test client
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Related to https://pagure.io/SSSD/sssd/issue/3292
+
+Reviewed-by: Pavel Březina
+---
+ src/sss_client/pam_test_client.c | 50 ++++++++++++++++++++++++++++++----------
+ 1 file changed, 38 insertions(+), 12 deletions(-)
+
+diff --git a/src/sss_client/pam_test_client.c b/src/sss_client/pam_test_client.c
+index 29d1fcbf01682668d51bf154736aec673bd46501..ea032a75b195a9bf8078ed7d248da154ab0c8430 100644
+--- a/src/sss_client/pam_test_client.c
++++ b/src/sss_client/pam_test_client.c
+@@ -48,34 +48,44 @@ static struct pam_conv conv = {
+ # error "Missing text based pam conversation function"
+ #endif
+
++#define DEFAULT_ACTION "acct"
++#define DEFAULT_SERVICE "system-auth"
++
+ int main(int argc, char *argv[]) {
+
+ pam_handle_t *pamh;
+ char *user;
+ char *action;
++ char *service;
+ int ret;
++ size_t c;
++ char **pam_env;
+
+ if (argc == 1) {
+- fprintf(stderr, "missing action and user name, using default\n");
+- action = strdup("auth");
+- user = strdup("dummy");
++ fprintf(stderr, "Usage: pam_test_client USERNAME "
++ "[auth|acct|setc|chau|open|clos] [pam_service]\n");
++ return 0;
+ } else if (argc == 2) {
+- fprintf(stdout, "using first argument as action and default user name\n");
+- action = strdup(argv[1]);
+- user = strdup("dummy");
+- } else {
+- action = strdup(argv[1]);
+- user = strdup(argv[2]);
++ fprintf(stderr, "using first argument as user name and default action "
++ "and service\n");
++ } else if (argc == 3) {
++ fprintf(stderr, "using first argument as user name, second as action "
++ "and default service\n");
+ }
+
+- if (action == NULL || user == NULL) {
++ user = strdup(argv[1]);
++ action = argc > 2 ?
strdup(argv[2]) : strdup(DEFAULT_ACTION);
++ service = argc > 3 ? strdup(argv[3]) : strdup(DEFAULT_SERVICE);
++
++ if (action == NULL || user == NULL || service == NULL) {
+ fprintf(stderr, "Out of memory!\n");
+ return 1;
+ }
+
+- fprintf(stdout, "action: %s\nuser: %s\n", action,user);
++ fprintf(stdout, "user: %s\naction: %s\nservice: %s\n",
++ user, action, service);
+
+- ret = pam_start("sss_test", user, &conv, &pamh);
++ ret = pam_start(service, user, &conv, &pamh);
+ if (ret != PAM_SUCCESS) {
+ fprintf(stderr, "pam_start failed: %s\n", pam_strerror(pamh, ret));
+ return 1;
+@@ -109,7 +119,23 @@ int main(int argc, char *argv[]) {
+ fprintf(stderr, "unknown action\n");
+ }
+
++ fprintf(stderr, "PAM Environment:\n");
++ pam_env = pam_getenvlist(pamh);
++ if (pam_env != NULL && pam_env[0] != NULL) {
++ for (c = 0; pam_env[c] != NULL; c++) {
++ fprintf(stderr, " - %s\n", pam_env[c]);
++ free(pam_env[c]);
++ }
++ } else {
++ fprintf(stderr, " - no env -\n");
++ }
++ free(pam_env);
++
+ pam_end(pamh, ret);
+
++ free(user);
++ free(action);
++ free(service);
++
+ return 0;
+ }
+--
+2.12.2
+
diff --git a/0102-pam_test_client-add-SSSD-getpwnam-lookup.patch b/0102-pam_test_client-add-SSSD-getpwnam-lookup.patch
new file mode 100644
index 0000000..624fcae
--- /dev/null
+++ b/0102-pam_test_client-add-SSSD-getpwnam-lookup.patch
@@ -0,0 +1,141 @@
+From 435b3678de25d22eb8a6e892109d26c32f0760a4 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 25 Jan 2017 16:50:00 +0100
+Subject: [PATCH 102/135] pam_test_client: add SSSD getpwnam lookup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Related to https://pagure.io/SSSD/sssd/issue/3292
+
+Reviewed-by: Pavel Březina
+---
+ Makefile.am | 10 ++++--
+ src/sss_client/pam_test_client.c | 76 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 84 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index d45c0ff757dfae378c71c6f8850fddce2c61cad8..7aca5b86f1275e89ae73f5594887f515773c2058 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -3461,8 +3461,14 @@ if BUILD_WITH_LIBCURL
+ noinst_PROGRAMS += tcurl-test-tool
+ endif
+
+-pam_test_client_SOURCES = src/sss_client/pam_test_client.c
+-pam_test_client_LDADD = $(PAM_LIBS) $(PAM_MISC_LIBS)
++pam_test_client_SOURCES = \
++ src/sss_client/pam_test_client.c \
++ $(NULL)
++pam_test_client_LDADD = \
++ $(PAM_LIBS) \
++ $(PAM_MISC_LIBS) \
++ $(LIBADD_DL) \
++ $(NULL)
+
+ if BUILD_AUTOFS
+ autofs_test_client_SOURCES = \
+diff --git a/src/sss_client/pam_test_client.c b/src/sss_client/pam_test_client.c
+index ea032a75b195a9bf8078ed7d248da154ab0c8430..69af612270492968b56d1c11de2bf56ebf57471f 100644
+--- a/src/sss_client/pam_test_client.c
++++ b/src/sss_client/pam_test_client.c
+@@ -25,6 +25,11 @@
+ #include
+ #include
+ #include
++#include
++#include
++#include
++#include
++#include
+
+ #include
+
+@@ -51,6 +56,70 @@ static struct pam_conv conv = {
+ #define DEFAULT_ACTION "acct"
+ #define DEFAULT_SERVICE "system-auth"
+
++#define DEFAULT_BUFSIZE 4096
++
++static int sss_getpwnam_check(const char *user)
++{
++ void *dl_handle = NULL;
++ enum nss_status (*sss_getpwnam_r)(const char *name, struct passwd *result,
++ char *buffer, size_t buflen,
++ int *errnop);
++ struct passwd pwd = { 0 };
++ enum nss_status status;
++ char *buffer = NULL;
++ size_t buflen;
++ int nss_errno;
++ int ret;
++
++ dl_handle = dlopen("libnss_sss.so.2", RTLD_NOW);
++ if (dl_handle == NULL) {
++ fprintf(stderr, "dlopen failed with [%s].\n", dlerror());
++ ret = EIO;
++ goto done;
++ }
++
++ sss_getpwnam_r = dlsym(dl_handle, "_nss_sss_getpwnam_r");
++ if (sss_getpwnam_r == NULL) {
++ fprintf(stderr, "dlsym failed with [%s].\n", dlerror());
++ ret = EIO;
++ goto done;
++ }
++
++ buflen = DEFAULT_BUFSIZE;
++ buffer = malloc(buflen);
++ if (buffer == NULL) {
++ fprintf(stderr, "malloc failed.\n");
++ ret = ENOMEM;
++ goto done;
++ }
++
++ status = sss_getpwnam_r(user, &pwd, buffer, buflen, &nss_errno);
++ if (status != NSS_STATUS_SUCCESS) {
++ fprintf(stderr, "sss_getpwnam_r failed with [%d].\n", status);
++ ret = EIO;
++ goto done;
++ }
++
++ fprintf(stdout, "SSSD nss user lookup result:\n");
++ fprintf(stdout, " - user name: %s\n", pwd.pw_name);
++ fprintf(stdout, " - user id: %d\n", pwd.pw_uid);
++ fprintf(stdout, " - group id: %d\n", pwd.pw_gid);
++ fprintf(stdout, " - gecos: %s\n", pwd.pw_gecos);
++ fprintf(stdout, " - home directory: %s\n", pwd.pw_dir);
++ fprintf(stdout, " - shell: %s\n", pwd.pw_shell);
++
++ ret = 0;
++
++done:
++ if (dl_handle != NULL) {
++ dlclose(dl_handle);
++ }
++
++ free(buffer);
++
++ return ret;
++}
++
+ int main(int argc, char *argv[]) {
+
+ pam_handle_t *pamh;
+@@ -85,6 +154,13 @@ int main(int argc, char *argv[]) {
+ fprintf(stdout, "user: %s\naction: %s\nservice: %s\n",
+ user, action, service);
+
++ if (*user != '\0') {
++ ret = sss_getpwnam_check(user);
++ if (ret != 0) {
++ fprintf(stderr, "User name lookup with [%s] failed.\n", user);
++ }
++ }
++
+ ret = pam_start(service, user, &conv, &pamh);
+ if (ret != PAM_SUCCESS) {
+ fprintf(stderr, "pam_start failed: %s\n", pam_strerror(pamh, ret));
+--
+2.12.2
+
diff --git a/0103-sss_sifp-update-method-names.patch b/0103-sss_sifp-update-method-names.patch
new file mode 100644
index 0000000..752c46c
--- /dev/null
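Review bot: In sss_getpwnam_check the new `pw_uid`/`pw_gid` lines print with `%d`, but on Linux `uid_t`/`gid_t` are unsigned 32-bit, so the format does not match the argument (-Wformat warns, and IDs above INT_MAX print negative); use `fprintf(stdout, " - user id: %lu\n", (unsigned long) pwd.pw_uid);` and the same for `pw_gid`. The two lines are re-emitted, wrapped in `_()`, by the 0105 patch further down this series, so the fix belongs there as well. A second gap in the same function: a NSS_STATUS_TRYAGAIN result with `nss_errno == ERANGE` from the fixed 4096-byte buffer is reported as a plain failure and `nss_errno` is never shown, so the operator cannot tell "user unknown" from "buffer too small"; at least print it, `fprintf(stderr, "sss_getpwnam_r failed with [%d][%d].\n", status, nss_errno);`, or retry once with a larger buffer.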
+++ b/0103-sss_sifp-update-method-names.patch
@@ -0,0 +1,53 @@
+From 40ff10d73063949ca699670ca212e96b809d5fcd Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 16 Mar 2017 11:37:41 +0100
+Subject: [PATCH 103/135] sss_sifp: update method names
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Related to https://pagure.io/SSSD/sssd/issue/3292
+
+Reviewed-by: Pavel Březina
+---
+ Makefile.am | 2 +-
+ src/lib/sifp/sss_sifp_common.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 7aca5b86f1275e89ae73f5594887f515773c2058..6f143000c2459d25f18b013b155248c9ddf93120 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1221,7 +1221,7 @@ libsss_simpleifp_la_LIBADD = \
+ $(DHASH_LIBS)
+ libsss_simpleifp_la_LDFLAGS = \
+ -Wl,--version-script,$(srcdir)/src/lib/sifp/sss_simpleifp.exports \
+- -version-info 1:0:1
++ -version-info 1:1:1
+
+ dist_noinst_DATA += src/lib/sifp/sss_simpleifp.exports
+
+diff --git a/src/lib/sifp/sss_sifp_common.c b/src/lib/sifp/sss_sifp_common.c
+index bd1dc6a3108329d2c795dc0a259637e71964be9f..8913d0be3d43bd8707829001a5b476d9ab864fd8 100644
+--- a/src/lib/sifp/sss_sifp_common.c
++++ b/src/lib/sifp/sss_sifp_common.c
+@@ -168,7 +168,7 @@ sss_sifp_fetch_user_by_uid(sss_sifp_ctx *ctx,
+ uint64_t _uid = uid;
+
+ return sss_sifp_fetch_object_by_attr(ctx, IFP_PATH_USERS, IFACE_IFP_USERS,
+- IFACE_IFP_USERS_USER, "UserByID",
++ IFACE_IFP_USERS_USER, "ByID",
+ DBUS_TYPE_UINT64, &_uid, _user);
+ }
+
+@@ -178,6 +178,6 @@ sss_sifp_fetch_user_by_name(sss_sifp_ctx *ctx,
+ sss_sifp_object **_user)
+ {
+ return sss_sifp_fetch_object_by_name(ctx, IFP_PATH_USERS, IFACE_IFP_USERS,
+- IFACE_IFP_USERS_USER, "UserByName",
++ IFACE_IFP_USERS_USER, "ByName",
+ name, _user);
+ }
+--
+2.12.2
+
diff --git a/0104-pam_test_client-add-InfoPipe-user-lookup.patch b/0104-pam_test_client-add-InfoPipe-user-lookup.patch
new file mode 100644
index 0000000..6c69b3e
--- /dev/null
+++ b/0104-pam_test_client-add-InfoPipe-user-lookup.patch 
@@ -0,0 +1,130 @@
+From 9be97c9cc69e5e6e568d7e21f61a46c3ae2dc387 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 16 Mar 2017 11:38:20 +0100
+Subject: [PATCH 104/135] pam_test_client: add InfoPipe user lookup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Related to https://pagure.io/SSSD/sssd/issue/3292
+
+Reviewed-by: Pavel Březina
+---
+ Makefile.am | 1 +
+ src/sss_client/pam_test_client.c | 71 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 72 insertions(+)
+
+diff --git a/Makefile.am b/Makefile.am
+index 6f143000c2459d25f18b013b155248c9ddf93120..05a5ae89cbe5dccf39ce9bdfd95c1b115a64c768 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -3468,6 +3468,7 @@ pam_test_client_LDADD = \
+ $(PAM_LIBS) \
+ $(PAM_MISC_LIBS) \
+ $(LIBADD_DL) \
++ libsss_simpleifp.la \
+ $(NULL)
+
+ if BUILD_AUTOFS
+diff --git a/src/sss_client/pam_test_client.c b/src/sss_client/pam_test_client.c
+index 69af612270492968b56d1c11de2bf56ebf57471f..40ef3f6d480c0108c985fce7e34e983d145f237e 100644
+--- a/src/sss_client/pam_test_client.c
++++ b/src/sss_client/pam_test_client.c
+@@ -30,9 +30,12 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
++#include "lib/sifp/sss_sifp.h"
++
+ #ifdef HAVE_SECURITY_PAM_MISC_H
+ # include
+ #elif defined(HAVE_SECURITY_OPENPAM_H)
+@@ -58,6 +61,69 @@ static struct pam_conv conv = {
+
+ #define DEFAULT_BUFSIZE 4096
+
++static int get_ifp_user(const char *user)
++{
++ sss_sifp_ctx *sifp;
++ sss_sifp_error error;
++ sss_sifp_object *user_obj;
++ const char *tmp_str;
++ uint32_t tmp_uint32;
++ size_t c;
++
++ struct ifp_user_attr {
++ const char *name;
++ bool is_string;
++ } ifp_user_attr[] = {
++ { "name", true },
++ { "uidNumber", false },
++ { "gidNumber", false },
++ { "gecos", true },
++ { "homeDirectory", true },
++ { "loginShell", true },
++ { NULL, false }
++ };
++
++ error = sss_sifp_init(&sifp);
++ if (error != SSS_SIFP_OK) {
++ fprintf(stderr, "Unable to connect to the InfoPipe");
++ return EFAULT;
++ }
++
++ error = sss_sifp_fetch_user_by_name(sifp, user, &user_obj);
++ if (error != SSS_SIFP_OK) {
++ fprintf(stderr, "Unable to get user object");
++ return EIO;
++ }
++
++ fprintf(stdout, "SSSD InfoPipe user lookup result:\n");
++ for (c = 0; ifp_user_attr[c].name != NULL; c++) {
++ if (ifp_user_attr[c].is_string) {
++ error = sss_sifp_find_attr_as_string(user_obj->attrs,
++ ifp_user_attr[c].name,
++ &tmp_str);
++ } else {
++ error = sss_sifp_find_attr_as_uint32(user_obj->attrs,
++ ifp_user_attr[c].name,
++ &tmp_uint32);
++ }
++ if (error != SSS_SIFP_OK) {
++ fprintf(stderr, "Unable to get user name attr");
++ return EIO;
++ }
++
++ if (ifp_user_attr[c].is_string) {
++ fprintf(stdout, " - %s: %s\n", ifp_user_attr[c].name, tmp_str);
++ } else {
++ fprintf(stdout, " - %s: %"PRIu32"\n", ifp_user_attr[c].name,
++ tmp_uint32);
++ }
++ }
++
++ sss_sifp_free_object(sifp, &user_obj);
++ sss_sifp_free(&sifp);
++ return 0;
++}
++
+ static int sss_getpwnam_check(const char *user)
+ {
+ void *dl_handle = NULL;
+@@ -159,6 +225,11 @@ int main(int argc, char *argv[]) {
+ if (ret != 0) {
+ fprintf(stderr, "User name lookup with [%s] failed.\n", user);
+ }
++
++ ret = get_ifp_user(user);
++ if (ret != 0) {
++ fprintf(stderr, "InforPipe User lookup with [%s] failed.\n", user);
++ }
+ }
+
+ ret = pam_start(service, user, &conv, &pamh);
+--
+2.12.2
+
diff --git a/0105-sssctl-integrate-pam_test_client-into-sssctl.patch b/0105-sssctl-integrate-pam_test_client-into-sssctl.patch
new file mode 100644
index 0000000..36063fa
--- /dev/null
+++ b/0105-sssctl-integrate-pam_test_client-into-sssctl.patch
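Review bot: get_ifp_user leaks the InfoPipe context on its error paths: the `return EIO;` after `sss_sifp_fetch_user_by_name` never calls `sss_sifp_free(&sifp)`, and the `return EIO;` inside the attribute loop drops both `sifp` and `user_obj`; only the success path frees them. The error messages on those paths also lack a trailing `\n`, and "Unable to get user name attr" is printed for whichever attribute failed, so a gidNumber failure is reported as a name failure. The 0105 patch below moves this function into sssctl_user_checks.c unchanged apart from `_()` wrapping, so the same cleanup applies there; note also the "InforPipe" typo in the new message in main. A goto-based cleanup resolves all three points:

```c
    sss_sifp_object *user_obj = NULL;
    int ret;
    /* … unchanged: remaining declarations, ifp_user_attr table, sss_sifp_init … */

    error = sss_sifp_fetch_user_by_name(sifp, user, &user_obj);
    if (error != SSS_SIFP_OK) {
        fprintf(stderr, "Unable to get user object\n");
        ret = EIO;
        goto done;
    }

    fprintf(stdout, "SSSD InfoPipe user lookup result:\n");
    for (c = 0; ifp_user_attr[c].name != NULL; c++) {
        /* … unchanged: sss_sifp_find_attr_as_string / _as_uint32 call … */
        if (error != SSS_SIFP_OK) {
            fprintf(stderr, "Unable to get attribute [%s]\n",
                    ifp_user_attr[c].name);
            ret = EIO;
            goto done;
        }
        /* … unchanged: printing of the attribute … */
    }

    ret = 0;

done:
    if (user_obj != NULL) {
        sss_sifp_free_object(sifp, &user_obj);
    }
    sss_sifp_free(&sifp);
    return ret;
```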
@@ -0,0 +1,358 @@
+From 4a9160e2b3b9c531e2b4a7884f49bfbb4a07a992 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 30 Mar 2017 16:21:15 +0200
+Subject: [PATCH 105/135] sssctl: integrate pam_test_client into sssctl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Pavel Březina
+---
+ Makefile.am | 16 +--
+ po/POTFILES.in | 1 -
+ src/tools/sssctl/sssctl.c | 1 +
+ src/tools/sssctl/sssctl.h | 4 +
+ .../sssctl/sssctl_user_checks.c} | 122 +++++++++++----------
+ 5 files changed, 72 insertions(+), 72 deletions(-)
+ rename src/{sss_client/pam_test_client.c => tools/sssctl/sssctl_user_checks.c} (62%)
+
+diff --git a/Makefile.am b/Makefile.am
+index 05a5ae89cbe5dccf39ce9bdfd95c1b115a64c768..c947e31e5530c842d0d0024a5825ddd7b593d518 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1724,11 +1724,15 @@ sssctl_SOURCES = \
+ src/tools/sssctl/sssctl_domains.c \
+ src/tools/sssctl/sssctl_sifp.c \
+ src/tools/sssctl/sssctl_config.c \
++ src/tools/sssctl/sssctl_user_checks.c \
+ $(SSSD_TOOLS_OBJ) \
+ $(NULL)
+ sssctl_LDADD = \
+ $(TOOLS_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
++ $(PAM_LIBS) \
++ $(PAM_MISC_LIBS) \
++ $(LIBADD_DL) \
+ libsss_simpleifp.la \
+ $(NULL)
+ sssctl_CFLAGS = \
+@@ -3450,7 +3454,7 @@ endif # BUILD_KCM
+
+ endif # HAVE_CMOCKA
+
+-noinst_PROGRAMS = pam_test_client
++noinst_PROGRAMS =
+ if BUILD_SUDO
+ noinst_PROGRAMS += sss_sudo_cli
+ endif
+@@ -3461,16 +3465,6 @@ if BUILD_WITH_LIBCURL
+ noinst_PROGRAMS += tcurl-test-tool
+ endif
+
+-pam_test_client_SOURCES = \
+- src/sss_client/pam_test_client.c \
+- $(NULL)
+-pam_test_client_LDADD = \
+- $(PAM_LIBS) \
+- $(PAM_MISC_LIBS) \
+- $(LIBADD_DL) \
+- libsss_simpleifp.la \
+- $(NULL)
+-
+ if BUILD_AUTOFS
+ autofs_test_client_SOURCES = \
+ src/sss_client/autofs/autofs_test_client.c \
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index ee532def223fdd5db632ad98fd11a57e38d0e125..f4e4e095f9e4025d129b6b13422bdd0bc07c8e1a 100644
+--- a/po/POTFILES.in
++++
b/po/POTFILES.in
+@@ -9,7 +9,6 @@ src/sss_client/common.c
+ src/sss_client/nss_group.c
+ src/sss_client/nss_passwd.c
+ src/sss_client/pam_sss.c
+-src/sss_client/pam_test_client.c
+ src/sss_client/ssh/sss_ssh_authorizedkeys.c
+ src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+ src/tools/sss_useradd.c
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index e1cf46382cd1dee54cd372ca500368f149411b78..509d2e1a00d3b57b541590ce7db5f94d2ff43add 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -263,6 +263,7 @@ int main(int argc, const char **argv)
+ SSS_TOOL_DELIMITER("SSSD Status:"),
+ SSS_TOOL_COMMAND("domain-list", "List available domains", 0, sssctl_domain_list),
+ SSS_TOOL_COMMAND("domain-status", "Print information about domain", 0, sssctl_domain_status),
++ SSS_TOOL_COMMAND("user-checks", "Print information about a user and check authentication", 0, sssctl_user_checks),
+ SSS_TOOL_DELIMITER("Information about cached content:"),
+ SSS_TOOL_COMMAND("user-show", "Information about cached user", 0, sssctl_user_show),
+ SSS_TOOL_COMMAND("group-show", "Information about cached group", 0, sssctl_group_show),
+diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
+index 5270a9ec62dfb288511af179a99e9a542ea26ec4..22626e2210252e5e3fadeb6c5d01d4620cd60e5b 100644
+--- a/src/tools/sssctl/sssctl.h
++++ b/src/tools/sssctl/sssctl.h
+@@ -121,4 +121,8 @@ errno_t sssctl_netgroup_show(struct sss_cmdline *cmdline,
+ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
++
++errno_t sssctl_user_checks(struct sss_cmdline *cmdline,
++ struct sss_tool_ctx *tool_ctx,
++ void *pvt);
+ #endif /* _SSSCTL_H_ */
+diff --git a/src/sss_client/pam_test_client.c b/src/tools/sssctl/sssctl_user_checks.c
+similarity index 62%
+rename from src/sss_client/pam_test_client.c
+rename to src/tools/sssctl/sssctl_user_checks.c
+index
40ef3f6d480c0108c985fce7e34e983d145f237e..7c7b564bd29100382c9bbef7a3131c379e9aa97e 100644
+--- a/src/sss_client/pam_test_client.c
++++ b/src/tools/sssctl/sssctl_user_checks.c
+@@ -35,6 +35,9 @@
+ #include
+
+ #include "lib/sifp/sss_sifp.h"
++#include "util/util.h"
++#include "tools/common/sss_tools.h"
++#include "tools/sssctl/sssctl.h"
+
+ #ifdef HAVE_SECURITY_PAM_MISC_H
+ # include
+@@ -85,17 +88,17 @@ static int get_ifp_user(const char *user)
+
+ error = sss_sifp_init(&sifp);
+ if (error != SSS_SIFP_OK) {
+- fprintf(stderr, "Unable to connect to the InfoPipe");
++ fprintf(stderr, _("Unable to connect to the InfoPipe"));
+ return EFAULT;
+ }
+
+ error = sss_sifp_fetch_user_by_name(sifp, user, &user_obj);
+ if (error != SSS_SIFP_OK) {
+- fprintf(stderr, "Unable to get user object");
++ fprintf(stderr, _("Unable to get user object"));
+ return EIO;
+ }
+
+- fprintf(stdout, "SSSD InfoPipe user lookup result:\n");
++ fprintf(stdout, _("SSSD InfoPipe user lookup result:\n"));
+ for (c = 0; ifp_user_attr[c].name != NULL; c++) {
+ if (ifp_user_attr[c].is_string) {
+ error = sss_sifp_find_attr_as_string(user_obj->attrs,
+@@ -107,7 +110,7 @@ static int get_ifp_user(const char *user)
+ &tmp_uint32);
+ }
+ if (error != SSS_SIFP_OK) {
+- fprintf(stderr, "Unable to get user name attr");
++ fprintf(stderr, _("Unable to get user name attr"));
+ return EIO;
+ }
+
+@@ -118,6 +121,7 @@ static int get_ifp_user(const char *user)
+ tmp_uint32);
+ }
+ }
++ fprintf(stdout, "\n");
+
+ sss_sifp_free_object(sifp, &user_obj);
+ sss_sifp_free(&sifp);
+@@ -139,14 +143,14 @@ static int sss_getpwnam_check(const char *user)
+
+ dl_handle = dlopen("libnss_sss.so.2", RTLD_NOW);
+ if (dl_handle == NULL) {
+- fprintf(stderr, "dlopen failed with [%s].\n", dlerror());
++ fprintf(stderr, _("dlopen failed with [%s].\n"), dlerror());
+ ret = EIO;
+ goto done;
+ }
+
+ sss_getpwnam_r = dlsym(dl_handle, "_nss_sss_getpwnam_r");
+ if (sss_getpwnam_r == NULL) {
+- fprintf(stderr, "dlsym failed with [%s].\n",
dlerror());
++ fprintf(stderr, _("dlsym failed with [%s].\n"), dlerror());
+ ret = EIO;
+ goto done;
+ }
+@@ -154,25 +158,25 @@ static int sss_getpwnam_check(const char *user)
+ buflen = DEFAULT_BUFSIZE;
+ buffer = malloc(buflen);
+ if (buffer == NULL) {
+- fprintf(stderr, "malloc failed.\n");
++ fprintf(stderr, _("malloc failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ status = sss_getpwnam_r(user, &pwd, buffer, buflen, &nss_errno);
+ if (status != NSS_STATUS_SUCCESS) {
+- fprintf(stderr, "sss_getpwnam_r failed with [%d].\n", status);
++ fprintf(stderr, _("sss_getpwnam_r failed with [%d].\n"), status);
+ ret = EIO;
+ goto done;
+ }
+
+- fprintf(stdout, "SSSD nss user lookup result:\n");
+- fprintf(stdout, " - user name: %s\n", pwd.pw_name);
+- fprintf(stdout, " - user id: %d\n", pwd.pw_uid);
+- fprintf(stdout, " - group id: %d\n", pwd.pw_gid);
+- fprintf(stdout, " - gecos: %s\n", pwd.pw_gecos);
+- fprintf(stdout, " - home directory: %s\n", pwd.pw_dir);
+- fprintf(stdout, " - shell: %s\n", pwd.pw_shell);
++ fprintf(stdout, _("SSSD nss user lookup result:\n"));
++ fprintf(stdout, _(" - user name: %s\n"), pwd.pw_name);
++ fprintf(stdout, _(" - user id: %d\n"), pwd.pw_uid);
++ fprintf(stdout, _(" - group id: %d\n"), pwd.pw_gid);
++ fprintf(stdout, _(" - gecos: %s\n"), pwd.pw_gecos);
++ fprintf(stdout, _(" - home directory: %s\n"), pwd.pw_dir);
++ fprintf(stdout, _(" - shell: %s\n\n"), pwd.pw_shell);
+
+ ret = 0;
+
+@@ -186,87 +190,89 @@ done:
+ return ret;
+ }
+
+-int main(int argc, char *argv[]) {
++errno_t sssctl_user_checks(struct sss_cmdline *cmdline,
++ struct sss_tool_ctx *tool_ctx,
++ void *pvt)
++{
+
+ pam_handle_t *pamh;
+- char *user;
+- char *action;
+- char *service;
++ const char *user = NULL;
++ const char *action = DEFAULT_ACTION;
++ const char *service = DEFAULT_SERVICE;
+ int ret;
+ size_t c;
+ char **pam_env;
+
+- if (argc == 1) {
+- fprintf(stderr, "Usage: pam_test_client USERNAME "
+- "[auth|acct|setc|chau|open|clos] [pam_service]\n");
+- return
0;
+- } else if (argc == 2) {
+- fprintf(stderr, "using first argument as user name and default action "
+- "and service\n");
+- } else if (argc == 3) {
+- fprintf(stderr, "using first argument as user name, second as action "
+- "and default service\n");
+- }
+-
+- user = strdup(argv[1]);
+- action = argc > 2 ? strdup(argv[2]) : strdup(DEFAULT_ACTION);
+- service = argc > 3 ? strdup(argv[3]) : strdup(DEFAULT_SERVICE);
++ /* Parse command line. */
++ struct poptOption options[] = {
++ { "action", 'a', POPT_ARG_STRING, &action, 0,
++ _("PAM action [auth|acct|setc|chau|open|clos], default: "
++ DEFAULT_ACTION), NULL },
++ { "service", 's', POPT_ARG_STRING, &service, 0,
++ _("PAM service, default: " DEFAULT_SERVICE), NULL },
++ POPT_TABLEEND
++ };
+
+- if (action == NULL || user == NULL || service == NULL) {
+- fprintf(stderr, "Out of memory!\n");
+- return 1;
++ ret = sss_tool_popt_ex(cmdline, options, SSS_TOOL_OPT_OPTIONAL,
++ NULL, NULL, "USERNAME", _("Specify user name."),
++ &user, NULL);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
++ return ret;
+ }
+
+- fprintf(stdout, "user: %s\naction: %s\nservice: %s\n",
++ fprintf(stdout, _("user: %s\naction: %s\nservice: %s\n\n"),
+ user, action, service);
+
+ if (*user != '\0') {
+ ret = sss_getpwnam_check(user);
+ if (ret != 0) {
+- fprintf(stderr, "User name lookup with [%s] failed.\n", user);
++ fprintf(stderr, _("User name lookup with [%s] failed.\n"), user);
+ }
+
+ ret = get_ifp_user(user);
+ if (ret != 0) {
+- fprintf(stderr, "InforPipe User lookup with [%s] failed.\n", user);
++ fprintf(stderr, _("InforPipe User lookup with [%s] failed.\n"),
++ user);
+ }
+ }
+
+ ret = pam_start(service, user, &conv, &pamh);
+ if (ret != PAM_SUCCESS) {
+- fprintf(stderr, "pam_start failed: %s\n", pam_strerror(pamh, ret));
++ fprintf(stderr, _("pam_start failed: %s\n"), pam_strerror(pamh, ret));
+ return 1;
+ }
+
+ if ( strncmp(action, "auth", 4)== 0 ) {
+- fprintf(stdout, "testing
pam_authenticate\n");
++ fprintf(stdout, _("testing pam_authenticate\n\n"));
+ ret = pam_authenticate(pamh, 0);
+- fprintf(stderr, "pam_authenticate: %s\n", pam_strerror(pamh, ret));
++ fprintf(stderr, _("pam_authenticate: %s\n\n"), pam_strerror(pamh, ret));
+ } else if ( strncmp(action, "chau", 4)== 0 ) {
+- fprintf(stdout, "testing pam_chauthtok\n");
++ fprintf(stdout, _("testing pam_chauthtok\n\n"));
+ ret = pam_chauthtok(pamh, 0);
+- fprintf(stderr, "pam_chauthtok: %s\n", pam_strerror(pamh, ret));
++ fprintf(stderr, _("pam_chauthtok: %s\n\n"), pam_strerror(pamh, ret));
+ } else if ( strncmp(action, "acct", 4)== 0 ) {
+- fprintf(stdout, "testing pam_acct_mgmt\n");
++ fprintf(stdout, _("testing pam_acct_mgmt\n\n"));
+ ret = pam_acct_mgmt(pamh, 0);
+- fprintf(stderr, "pam_acct_mgmt: %s\n", pam_strerror(pamh, ret));
++ fprintf(stderr, _("pam_acct_mgmt: %s\n\n"), pam_strerror(pamh, ret));
+ } else if ( strncmp(action, "setc", 4)== 0 ) {
+- fprintf(stdout, "testing pam_setcred\n");
++ fprintf(stdout, _("testing pam_setcred\n\n"));
+ ret = pam_setcred(pamh, 0);
+- fprintf(stderr, "pam_setcred: %d[%s]\n", ret, pam_strerror(pamh, ret));
++ fprintf(stderr, _("pam_setcred: [%s]\n\n"), pam_strerror(pamh, ret));
+ } else if ( strncmp(action, "open", 4)== 0 ) {
+- fprintf(stdout, "testing pam_open_session\n");
++ fprintf(stdout, _("testing pam_open_session\n\n"));
+ ret = pam_open_session(pamh, 0);
+- fprintf(stderr, "pam_open_session: %s\n", pam_strerror(pamh, ret));
++ fprintf(stderr, _("pam_open_session: %s\n\n"), pam_strerror(pamh, ret));
+ } else if ( strncmp(action, "clos", 4)== 0 ) {
+- fprintf(stdout, "testing pam_close_session\n");
++ fprintf(stdout, _("testing pam_close_session\n\n"));
+ ret = pam_close_session(pamh, 0);
+- fprintf(stderr, "pam_close_session: %s\n", pam_strerror(pamh, ret));
++ fprintf(stderr, _("pam_close_session: %s\n\n"),
++ pam_strerror(pamh, ret));
+ } else {
+- fprintf(stderr, "unknown action\n");
++ fprintf(stderr, _("unknown action\n"));
+
}
+
+- fprintf(stderr, "PAM Environment:\n");
++ fprintf(stderr, _("PAM Environment:\n"));
+ pam_env = pam_getenvlist(pamh);
+ if (pam_env != NULL && pam_env[0] != NULL) {
+ for (c = 0; pam_env[c] != NULL; c++) {
+@@ -274,15 +280,11 @@ int main(int argc, char *argv[]) {
+ free(pam_env[c]);
+ }
+ } else {
+- fprintf(stderr, " - no env -\n");
++ fprintf(stderr, _(" - no env -\n"));
+ }
+ free(pam_env);
+
+ pam_end(pamh, ret);
+
+- free(user);
+- free(action);
+- free(service);
+-
+ return 0;
+ }
+--
+2.12.2
+
diff --git a/0106-i18n-adding-sssctl-files.patch b/0106-i18n-adding-sssctl-files.patch
new file mode 100644
index 0000000..6a4be02
--- /dev/null
+++ b/0106-i18n-adding-sssctl-files.patch
@@ -0,0 +1,33 @@
+From dbeae483464e42238a84c6a5b8c3c4f5312ae643 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 7 Apr 2017 14:24:10 +0200
+Subject: [PATCH 106/135] i18n: adding sssctl files
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Pavel Březina
+---
+ po/POTFILES.in | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index f4e4e095f9e4025d129b6b13422bdd0bc07c8e1a..33e7ed7f9e9bc19f33fca8a1f2649b69b79a882f 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -23,4 +23,12 @@ src/tools/sss_cache.c
+ src/tools/sss_debuglevel.c
+ src/tools/tools_util.c
+ src/tools/tools_util.h
++src/tools/sssctl/sssctl.c
++src/tools/sssctl/sssctl_cache.c
++src/tools/sssctl/sssctl_config.c
++src/tools/sssctl/sssctl_data.c
++src/tools/sssctl/sssctl_domains.c
++src/tools/sssctl/sssctl_logs.c
++src/tools/sssctl/sssctl_sifp.c
++src/tools/sssctl/sssctl_user_checks.c
+ src/util/util.h
+--
+2.12.2
+
diff --git a/0107-config-check-Message-when-sssd.conf-is-missing.patch b/0107-config-check-Message-when-sssd.conf-is-missing.patch
new file mode 100644
index 0000000..9d992e9
--- /dev/null
+++ b/0107-config-check-Message-when-sssd.conf-is-missing.patch
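Review bot: In the new sssctl_user_checks the kept line `if (*user != '\0') {` dereferences `user`, which is now initialised to NULL and only filled by `sss_tool_popt_ex` with `SSS_TOOL_OPT_OPTIONAL`; if that flag means the positional USERNAME may be omitted (as its name suggests, please confirm against sss_tools.c), running `sssctl user-checks` with no argument crashes instead of reporting usage, so guard it as `if (user != NULL && *user != '\0') {` and bail out with a message when it is NULL before `pam_start`. The function also changed its return type to `errno_t` but still does `return 1;` after a failed `pam_start`, which reads as EPERM to the sssctl framework; return an errno value such as `EIO` there, and consider propagating a non-zero code when the PAM call itself fails rather than unconditionally returning 0. The `_("InforPipe User lookup with [%s] failed.\n")` string carries the "InforPipe" typo into the translation catalogue, so it is cheaper to fix it before 0106 adds the file to POTFILES.in.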
@@ -0,0 +1,38 @@
+From 955574eeb3a3b937abc3df150e9bbbb79b75c889 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?=
+Date: Tue, 14 Mar 2017 15:43:41 +0100
+Subject: [PATCH 107/135] config-check: Message when sssd.conf is missing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+sssctl config-check should print a message for user
+if no sssd.conf was found.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3330
+
+Reviewed-by: Lukáš Slebodník
+---
+ src/tools/sssctl/sssctl_config.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c
+index 630df3c8ff5368ef253bb9753380e94c8c0a307d..7e3ebf5428ce3fef232eee7334c7fd90e904b2d3 100644
+--- a/src/tools/sssctl/sssctl_config.c
++++ b/src/tools/sssctl/sssctl_config.c
+@@ -63,7 +63,10 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline,
+
+ /* Open config file */
+ ret = sss_ini_config_file_open(init_data, SSSD_CONFIG_FILE);
+- if (ret != EOK) {
++ if (ret == ENOENT) {
++ ERROR("File %1$s does not exist.\n", SSSD_CONFIG_FILE);
++ goto done;
++ } else if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sss_ini_config_file_open failed: %s [%d]\n",
+ sss_strerror(ret),
+--
+2.12.2
+
diff --git a/0108-KRB5_LOCATOR-add-env-variable-to-disable-plugin.patch b/0108-KRB5_LOCATOR-add-env-variable-to-disable-plugin.patch
new file mode 100644
index 0000000..ceddb75
--- /dev/null
+++ b/0108-KRB5_LOCATOR-add-env-variable-to-disable-plugin.patch
@@ -0,0 +1,89 @@ +From 1193f20a8267e506d863b27c74870c86c085902b Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 17 Nov 2016 10:55:43 +0100 +Subject: [PATCH 108/135] KRB5_LOCATOR: add env variable to disable plugin +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the new environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any +value SSSD's krb5 locator plugin is disabled. The variable is needed +because there is currently no other way than removing the plugin +completely to disable it. For a use-case see e.g. +https://bugzilla.redhat.com/show_bug.cgi?id=1072939. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3359 + +Reviewed-by: Lukáš Slebodník +--- + src/krb5_plugin/sssd_krb5_locator_plugin.c | 15 +++++++++++++++ + src/man/sssd_krb5_locator_plugin.8.xml | 5 +++++ + 2 files changed, 20 insertions(+) + +diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c +index aa8d387a5d0be302e5cc98ddcf10ebce6957f3a5..7c17fcb33373293fbbbe2be967dca57b31ef13de 100644 +--- a/src/krb5_plugin/sssd_krb5_locator_plugin.c ++++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c +@@ -45,6 +45,7 @@ + #define BUFSIZE 512 + #define PORT_STR_SIZE 7 + #define SSSD_KRB5_LOCATOR_DEBUG "SSSD_KRB5_LOCATOR_DEBUG" ++#define SSSD_KRB5_LOCATOR_DISABLE "SSSD_KRB5_LOCATOR_DISABLE" + #define DEBUG_KEY "[sssd_krb5_locator] " + #define PLUGIN_DEBUG(body) do { \ + if (ctx->debug) { \ +@@ -59,6 +60,7 @@ struct sssd_ctx { + char *kpasswd_addr; + uint16_t kpasswd_port; + bool debug; ++ bool disabled; + }; + + void plugin_debug_fn(const char *format, ...) 
+@@ -232,6 +234,14 @@ krb5_error_code sssd_krb5_locator_init(krb5_context context, + PLUGIN_DEBUG(("sssd_krb5_locator_init called\n")); + } + ++ dummy = getenv(SSSD_KRB5_LOCATOR_DISABLE); ++ if (dummy == NULL) { ++ ctx->disabled = false; ++ } else { ++ ctx->disabled = true; ++ PLUGIN_DEBUG(("SSSD KRB5 locator plugin is disabled.\n")); ++ } ++ + *private_data = ctx; + + return 0; +@@ -273,6 +283,11 @@ krb5_error_code sssd_krb5_locator_lookup(void *private_data, + if (private_data == NULL) return KRB5_PLUGIN_NO_HANDLE; + ctx = (struct sssd_ctx *) private_data; + ++ if (ctx->disabled) { ++ PLUGIN_DEBUG(("Plugin disabled, nothing to do.\n")); ++ return KRB5_PLUGIN_NO_HANDLE; ++ } ++ + if (ctx->sssd_realm == NULL || strcmp(ctx->sssd_realm, realm) != 0) { + free(ctx->sssd_realm); + ctx->sssd_realm = strdup(realm); +diff --git a/src/man/sssd_krb5_locator_plugin.8.xml b/src/man/sssd_krb5_locator_plugin.8.xml +index 25a20c88fcd4c2b3f644da24b34a4d5e9eb80ed3..d28546012802955c2594680e53698518f0178ab1 100644 +--- a/src/man/sssd_krb5_locator_plugin.8.xml ++++ b/src/man/sssd_krb5_locator_plugin.8.xml +@@ -69,6 +69,11 @@ + If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any + value debug messages will be sent to stderr. + ++ ++ If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any ++ value the plugin is disabled and will just return ++ KRB5_PLUGIN_NO_HANDLE to the caller. ++ + + + +-- +2.12.2 + diff --git a/0109-sbus-check-connection-for-NULL-before-unregister-it.patch b/0109-sbus-check-connection-for-NULL-before-unregister-it.patch new file mode 100644 index 0000000..2f6e728 --- /dev/null +++ b/0109-sbus-check-connection-for-NULL-before-unregister-it.patch 
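Review bot: `dummy = getenv(SSSD_KRB5_LOCATOR_DISABLE);` in sssd_krb5_locator_init trusts the process environment, and this plugin is loaded by libkrb5 into whatever process calls it, including set-user-ID programs, where an unprivileged caller's environment would switch KDC discovery away from the server SSSD selected back to plain krb5.conf/DNS resolution. Reading it as `dummy = secure_getenv(SSSD_KRB5_LOCATOR_DISABLE);` (glibc, behind a configure check; returns NULL when the process runs with AT_SECURE) keeps the documented debugging use-case while preventing the switch from being flipped in privileged processes; the same consideration applies to SSSD_KRB5_LOCATOR_DEBUG if it is read the same way, which this hunk does not show. If that route is taken, the man page addition should state that the variable is ignored in set-user-ID processes. The declaration of `dummy` and the rest of sssd_krb5_locator_init are outside the hunk.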
@@ -0,0 +1,43 @@ +From 35186217d44d0138a1aedf7a4db72249b2c40e66 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 10 Apr 2017 13:45:27 +0200 +Subject: [PATCH 109/135] sbus: check connection for NULL before unregister it +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There seem to be code paths where the data is a added to the hash before +the connection is properly initialized, to avoid core dump during shut +down we only call dbus_conection_unregister_object_path() if there is a +connection. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3367 + +Reviewed-by: Pavel Březina +--- + src/sbus/sssd_dbus_interface.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/sbus/sssd_dbus_interface.c b/src/sbus/sssd_dbus_interface.c +index 1a11c6abcf23053e3b8c77f4d469d7c202a88eb8..c9007a4814e09e26fedaf605ca7313234d5ebf2c 100644 +--- a/src/sbus/sssd_dbus_interface.c ++++ b/src/sbus/sssd_dbus_interface.c +@@ -490,7 +490,13 @@ sbus_opath_hash_delete_cb(hash_entry_t *item, + conn = talloc_get_type(pvt, struct sbus_connection); + path = sbus_opath_get_base_path(NULL, item->key.str); + +- dbus_connection_unregister_object_path(conn->dbus.conn, path); ++ /* There seem to be code paths where the data is added to the hash ++ * before the connection is properly initialized, to avoid core dump ++ * during shut down we only call dbus_connection_unregister_object_path() ++ * if there is a connection. */ ++ if (conn->dbus.conn != NULL) { ++ dbus_connection_unregister_object_path(conn->dbus.conn, path); ++ } + } + + hash_table_t * +-- +2.12.2 + diff --git a/0110-UTIL-Use-max-15-characters-for-AD-host-UPN.patch b/0110-UTIL-Use-max-15-characters-for-AD-host-UPN.patch new file mode 100644 index 0000000..29f1a1f --- /dev/null +++ b/0110-UTIL-Use-max-15-characters-for-AD-host-UPN.patch 
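Review bot: The new guard skips dbus_connection_unregister_object_path() silently, so the ordering problem the commit message describes (entries added to the hash before the connection is initialized) leaves no trace in the logs when it happens. An `else` branch with `DEBUG(SSSDBG_MINOR_FAILURE, "No D-Bus connection for %s, skipping unregister\n", path);` would keep the root cause observable without reintroducing the crash. Note also that `conn` comes from `talloc_get_type(pvt, struct sbus_connection)` on the context line above, which yields NULL on a type mismatch, so `conn->dbus.conn` remains an unguarded dereference in that presumably-impossible case. The rest of sbus_opath_hash_delete_cb lies outside the hunk.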
@@ -0,0 +1,48 @@ +From c6f1bc32774a7cf2f8678499dfbced420be3a3a1 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Tue, 14 Mar 2017 10:34:00 +0100 +Subject: [PATCH 110/135] UTIL: Use max 15 characters for AD host UPN +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We do not want to use host principal with AD +"host/name.domain.tld@DOMAIN.TLD" because it does not work. +We need to use correct user principal for AD hosts. And we cannot +rely all fallback "*$" because of other principals in keytab. + +The NetBIOS naming convention allows for 16 characters in a NetBIOS +name. Microsoft, however, limits NetBIOS names to 15 characters and +uses the 16th character as a NetBIOS suffix. +https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name + +Resolves: +https://pagure.io/SSSD/sssd/issue/3329 + +Reviewed-by: Michal Židek +--- + src/util/sss_krb5.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c +index d461cf881566af37f31524c16f6a5f1511a5dc89..a3f066e8add5b7d7575c1e0f537c5729e4a0dad0 100644 +--- a/src/util/sss_krb5.c ++++ b/src/util/sss_krb5.c +@@ -51,7 +51,13 @@ sss_krb5_get_primary(TALLOC_CTX *mem_ctx, + *c = toupper(*c); + } + +- primary = talloc_asprintf(mem_ctx, "%s$", shortname); ++ /* The samAccountName is recommended to be less than 20 characters. ++ * This is only for users and groups. For machine accounts, ++ * the real limit is caused by NetBIOS protocol. ++ * NetBIOS names are limited to 16 (15 + $) ++ * https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name ++ */ ++ primary = talloc_asprintf(mem_ctx, "%.15s$", shortname); + talloc_free(shortname); + return primary; + } +-- +2.12.2 + diff --git a/0111-minor-typo-fixes.patch b/0111-minor-typo-fixes.patch new file mode 100644 index 0000000..08958fd --- /dev/null +++ b/0111-minor-typo-fixes.patch 
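Review bot: The `%.15s$` format silently truncates any shortname longer than 15 characters, so a mismatch between the computed primary and the principal actually present in the keytab is hard to diagnose from the logs. Consider a `DEBUG(SSSDBG_TRACE_FUNC, "Truncating [%s] to 15 characters for the AD host principal\n", shortname);` when `strlen(shortname) > 15`, and naming the limit instead of embedding it in the format, e.g. `primary = talloc_asprintf(mem_ctx, "%.*s$", NETBIOS_NAME_MAX, shortname);` with a `#define NETBIOS_NAME_MAX 15` carrying the comment's reference. The start of sss_krb5_get_primary is outside the hunk.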
@@ -0,0 +1,169 @@ +From 0a86dede8773ecce91b5bd2ae75a02f9ff89a358 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ren=C3=A9=20Genz?= +Date: Wed, 19 Apr 2017 08:36:12 +0000 +Subject: [PATCH 111/135] minor typo fixes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Merges: https://pagure.io/SSSD/sssd/pull-request/3374 + +Reviewed-by: Lukáš Slebodník +Reviewed-by: Justin Stephenson +--- + src/man/idmap_sss.8.xml | 2 +- + src/man/sssd-kcm.8.xml | 2 +- + src/man/sssd-ldap.5.xml | 8 ++++---- + src/man/sssd.conf.5.xml | 18 +++++++++--------- + src/tests/intg/test_files_provider.py | 2 +- + 5 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/src/man/idmap_sss.8.xml b/src/man/idmap_sss.8.xml +index 4c26a17f958fbf7251ad64de916db9de02c48364..0b73966e5952705a0f340ac169775c30153c392d 100644 +--- a/src/man/idmap_sss.8.xml ++++ b/src/man/idmap_sss.8.xml +@@ -32,7 +32,7 @@ + + range = low - high + +- Defines the available matching uid and gid range for which the ++ Defines the available matching UID and GID range for which the + backend is authoritative. + + +diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml +index 5dc93838e48723bdb470c0a9c8575bd17c7593e8..db50ed8b49294057da99b01655a4b158f2908dcb 100644 +--- a/src/man/sssd-kcm.8.xml ++++ b/src/man/sssd-kcm.8.xml +@@ -48,7 +48,7 @@ + + + +- since the process runs in userspace, it is subject to UID namespacing, ulike the kernel keyring ++ since the process runs in userspace, it is subject to UID namespacing, unlike the kernel keyring + + + +diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml +index fae669a8d0c1119b68e087bb16def7bd9a4464d3..739ae15c359da4e8dad9bc225ea60cff9dc96b91 100644 +--- a/src/man/sssd-ldap.5.xml ++++ b/src/man/sssd-ldap.5.xml +@@ -965,7 +965,7 @@ + domains. 
+ + +- Default: groupType in the AD provider, othewise not ++ Default: groupType in the AD provider, otherwise not + set + + +@@ -1591,7 +1591,7 @@ + + + +- ldap_min_id, ldap_max_id (interger) ++ ldap_min_id, ldap_max_id (integer) + + + In contrast to the SID based ID mapping which is +@@ -1939,7 +1939,7 @@ ldap_access_filter = (employeeType=admin) + was granted access permission. If they were + granted access during their last login, they will + continue to be granted access while offline and +- vice-versa. ++ vice versa. + + + Default: Empty +@@ -2633,7 +2633,7 @@ ldap_access_filter = (employeeType=admin) + If the option ldap_use_tokengroups is + enabled. The searches against Active Directory will + not be restricted and return all groups memberships, +- even with no gid mapping. It is recommended to disable ++ even with no GID mapping. It is recommended to disable + this feature, if group names are not being displayed + correctly. + +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index c4e30396f16c40db37af2f56ac218b6e37201ef7..c71287029f132906e4f17ff6618d5234a27617f1 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -246,7 +246,7 @@ + information. SSSD can use more domains + at the same time, but at least one + must be configured or SSSD won't start. +- This parameter described the list of domains ++ This parameter describes the list of domains + in the order you want them to be queried. + A domain name should only consist of alphanumeric + ASCII characters, dashes, dots and underscores. +@@ -264,7 +264,7 @@ + + Each domain can have an individual regular + expression configured. For some ID providers +- there are also default regular expressions. See ++ there are also default regular expressions. See + DOMAIN SECTIONS for more info on these regular + expressions. + +@@ -490,7 +490,7 @@ + The nickname of the cert to trust + (expected) to sign the OCSP responses. 
+ The certificate with the given nickname +- must be availble in the systems NSS ++ must be available in the systems NSS + database. + This option must be used together + with ocsp_default_responder. +@@ -1253,7 +1253,7 @@ fallback_homedir = /home/%u + + + Note: Please be aware that message is only +- printed for the SSH service unless pam_verbostiy ++ printed for the SSH service unless pam_verbosity + is set to 3 (show all messages and debug + information). + +@@ -1456,13 +1456,13 @@ pam_account_locked_message = Account locked, please contact help desk. + authentication to the PAC responder. The sub-domain provider + collects domain SID and ID ranges of the domain the client is + joined to and of remote trusted domains from the local domain +- controller. If the PAC is decoded and evaluated some of the ++ controller. If the PAC is decoded and evaluated some of the + following operations are done: + + If the remote user does not exist in the +- cache, it is created. The uid is determined with the help +- of the SID, trusted domains will have UPGs and the gid +- will have the same value as the uid. The home directory is ++ cache, it is created. The UID is determined with the help ++ of the SID, trusted domains will have UPGs and the GID ++ will have the same value as the UID. The home directory is + set based on the subdomain_homedir parameter. The shell will + be empty by default, i.e. the system defaults are used, but + can be overwritten with the default_shell parameter. +@@ -2110,7 +2110,7 @@ pam_account_locked_message = Account locked, please contact help desk. + + + ldap to change a password stored +- in a LDAP server. See ++ in a LDAP server. 
See + + sssd-ldap + 5 +diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py +index 8748ac10b089087056b1b93950c8d890a190c8d0..eced3997cd061b155f68ec5b2d15552061ffe3e3 100644 +--- a/src/tests/intg/test_files_provider.py ++++ b/src/tests/intg/test_files_provider.py +@@ -433,7 +433,7 @@ def test_incomplete_user_fail(setup_pw_with_canary, files_domain_only): + Test resolving an incomplete user where the missing field is required + to be present in the user record and thus the user shouldn't resolve. + +- We cannot test uid and gid missing because nss_wrapper doesn't even ++ We cannot test UID and GID missing because nss_wrapper doesn't even + load the malformed passwd file, then. + """ + bad_incomplete_user_setup(setup_pw_with_canary, 'name') +-- +2.12.2 + diff --git a/0112-SPEC-Drop-conditional-build-for-krb5_local_auth_plug.patch b/0112-SPEC-Drop-conditional-build-for-krb5_local_auth_plug.patch new file mode 100644 index 0000000..338a595 --- /dev/null +++ b/0112-SPEC-Drop-conditional-build-for-krb5_local_auth_plug.patch 
@@ -0,0 +1,46 @@ +From bf8f119774dc2eabc5b9bc9f348cd95063ab2199 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Wed, 15 Mar 2017 12:07:37 +0100 +Subject: [PATCH 112/135] SPEC: Drop conditional build for + krb5_local_auth_plugin + +It was mainly aimed for time when stable CentOS and +rhel nightly had different versions of krb5. + +Anyway, rhel7.0 and rhel <= 6.6 are already out of support + +Reviewed-by: Jakub Hrozek +--- + contrib/sssd.spec.in | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in +index 39a974edebba3dbcd7625d1729b4a7330eaa8a27..84400e03e3fa6ead6d6cac57b3843ef79ef9ee6b 100644 +--- a/contrib/sssd.spec.in ++++ b/contrib/sssd.spec.in +@@ -97,10 +97,6 @@ + %global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin + %endif + +-%if (0%{?fedora} || (0%{?rhel} == 7 && 0%{?rhel7_minor} >= 1) || (0%{?rhel} == 6 && 0%{?rhel6_minor} >= 7)) +- %global with_krb5_localauth_plugin 1 +-%endif +- + %if (0%{?fedora}) + %global with_python3 1 + %else +@@ -1046,11 +1042,9 @@ done + %dir %{_sysconfdir}/cifs-utils + %ghost %{_sysconfdir}/cifs-utils/idmap-plugin + %endif +-%if (0%{?with_krb5_localauth_plugin} == 1) + %dir %{_libdir}/%{name} + %dir %{_libdir}/%{name}/modules + %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so +-%endif + %{_mandir}/man8/pam_sss.8* + %{_mandir}/man8/sssd_krb5_locator_plugin.8* + +-- +2.12.2 + diff --git a/0113-README-Update-links-to-mailing-lists.patch b/0113-README-Update-links-to-mailing-lists.patch new file mode 100644 index 0000000..6f829e7 --- /dev/null +++ b/0113-README-Update-links-to-mailing-lists.patch 
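Review bot: Dropping the `%global with_krb5_localauth_plugin 1` definition only removes the two uses shown here; any other `%{?with_krb5_localauth_plugin}` reference left elsewhere in contrib/sssd.spec.in (a configure flag, for instance) would now expand to empty and silently disable whatever it guarded. The spec is not visible beyond these two hunks, so this is worth a grep before merging. The `%files` section now lists `%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so` unconditionally, so the build must always produce it; that is fine if the configure default builds the plugin, which the hunk does not show.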
@@ -0,0 +1,39 @@ +From 363e4c407085ea5623850b1dadb1344f2edd3c34 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Wed, 12 Apr 2017 15:13:45 +0200 +Subject: [PATCH 113/135] README: Update links to mailing lists +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Old links are redirected to information about Fedorahosted-retirement + +e.g. + https://fedorahosted.org/mailman/listinfo/sssd-devel + -> https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement + +Reviewed-by: Pavel Březina +--- + README.md | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/README.md b/README.md +index 40c88c08070b986a634496ac2d6ffba8643bd8a7..600802da1b9a432ecf691137082b0ba2794e3ca7 100644 +--- a/README.md ++++ b/README.md +@@ -21,8 +21,10 @@ Please see the file called COPYING. + ## Contacts + There are several ways to contact us: + +-* the sssd-devel mailing list: [Development of the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-devel) +-* the sssd-users mailing list: [End-user discussions about the System Security Services Daemon](https://fedorahosted.org/mailman/listinfo/sssd-users) ++* the sssd-devel mailing list: [Development of the System Security Services Daemon]( ++ https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/) ++* the sssd-users mailing list: [End-user discussions about the System Security Services Daemon]( ++ https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/) + * the #sssd and #freeipa IRC channels on freenode: + * irc://irc.freenode.net/sssd + * irc://irc.freenode.net/freeipa +-- +2.12.2 + diff --git a/0114-Move-sized_output_name-and-sized_domain_name-into-re.patch b/0114-Move-sized_output_name-and-sized_domain_name-into-re.patch new file mode 100644 index 0000000..3f2a3c7 --- /dev/null +++ b/0114-Move-sized_output_name-and-sized_domain_name-into-re.patch 
@@ -0,0 +1,299 @@ +From 7c074ba2f923985ab0d4f9d6a5e01ff3f2f0a7a8 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 19 Apr 2017 17:44:40 +0200 +Subject: [PATCH 114/135] Move sized_output_name() and sized_domain_name() into + responder common code +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +These functions are used to format a name into a format that the user +configured for output, including case sensitiveness, replacing +whitespace and qualified format. They were used only in the NSS +responder, which typically returns strings to the NSS client library and +then the user. + +But it makes sense to just reuse the same code in the IFP responder as +well, since it does essentially the same job. + +The patch also renames sized_member_name to sized_domain_name. +Previously, the function was only used to format a group member, the IFP +responder would use the same function to format a group the user is a +member of. + +Related to: + https://pagure.io/SSSD/sssd/issue/3268 + +Reviewed-by: Pavel Březina +--- + src/responder/common/responder.h | 21 ++++++++ + src/responder/common/responder_common.c | 90 +++++++++++++++++++++++++++++++++ + src/responder/nss/nss_private.h | 11 ---- + src/responder/nss/nss_protocol_grent.c | 2 +- + src/responder/nss/nss_utils.c | 87 ------------------------------- + 5 files changed, 112 insertions(+), 99 deletions(-) + +diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h +index 4210307489fe25829a1674f254ecc7d185029698..dfe1ec455e355de263c3550306e53fea3ada85df 100644 +--- a/src/responder/common/responder.h ++++ b/src/responder/common/responder.h +@@ -393,4 +393,25 @@ char *sss_resp_create_fqname(TALLOC_CTX *mem_ctx, + + errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx); + ++/** ++ * Helper functions to format output names ++ */ ++ ++/* Format orig_name into a sized_string in output format as prescribed ++ * by the name_dom domain ++ */ ++int 
sized_output_name(TALLOC_CTX *mem_ctx, ++ struct resp_ctx *rctx, ++ const char *orig_name, ++ struct sss_domain_info *name_dom, ++ struct sized_string **_name); ++ ++/* Format orig_name into a sized_string in output format as prescribed ++ * by the domain read from the fully qualified name. ++ */ ++int sized_domain_name(TALLOC_CTX *mem_ctx, ++ struct resp_ctx *rctx, ++ const char *member_name, ++ struct sized_string **_name); ++ + #endif /* __SSS_RESPONDER_H__ */ +diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c +index 67e1deefdfde19c95a68029b11099579d851513f..ac6320b08de09bc6c7e8dd1af72e0a493a449f7a 100644 +--- a/src/responder/common/responder_common.c ++++ b/src/responder/common/responder_common.c +@@ -1651,3 +1651,93 @@ done: + + return ret; + } ++ ++/** ++ * Helper functions to format output names ++ */ ++int sized_output_name(TALLOC_CTX *mem_ctx, ++ struct resp_ctx *rctx, ++ const char *orig_name, ++ struct sss_domain_info *name_dom, ++ struct sized_string **_name) ++{ ++ TALLOC_CTX *tmp_ctx = NULL; ++ errno_t ret; ++ char *username; ++ struct sized_string *name; ++ ++ tmp_ctx = talloc_new(NULL); ++ if (tmp_ctx == NULL) { ++ return ENOMEM; ++ } ++ ++ username = sss_output_name(tmp_ctx, orig_name, name_dom->case_preserve, ++ rctx->override_space); ++ if (username == NULL) { ++ ret = EIO; ++ goto done; ++ } ++ ++ if (name_dom->fqnames) { ++ username = sss_tc_fqname(tmp_ctx, name_dom->names, name_dom, username); ++ if (username == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "sss_replace_space failed\n"); ++ ret = EIO; ++ goto done; ++ } ++ } ++ ++ name = talloc_zero(tmp_ctx, struct sized_string); ++ if (name == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ to_sized_string(name, username); ++ name->str = talloc_steal(name, username); ++ *_name = talloc_steal(mem_ctx, name); ++ ret = EOK; ++done: ++ talloc_zfree(tmp_ctx); ++ return ret; ++} ++ ++int sized_domain_name(TALLOC_CTX *mem_ctx, ++ struct resp_ctx *rctx, ++ const 
char *member_name, ++ struct sized_string **_name) ++{ ++ TALLOC_CTX *tmp_ctx = NULL; ++ errno_t ret; ++ char *domname; ++ struct sss_domain_info *member_dom; ++ ++ tmp_ctx = talloc_new(NULL); ++ if (tmp_ctx == NULL) { ++ return ENOMEM; ++ } ++ ++ ret = sss_parse_internal_fqname(tmp_ctx, member_name, NULL, &domname); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "sss_parse_internal_fqname failed\n"); ++ goto done; ++ } ++ ++ if (domname == NULL) { ++ ret = ERR_WRONG_NAME_FORMAT; ++ goto done; ++ } ++ ++ member_dom = find_domain_by_name(get_domains_head(rctx->domains), ++ domname, true); ++ if (member_dom == NULL) { ++ ret = ERR_DOMAIN_NOT_FOUND; ++ goto done; ++ } ++ ++ ret = sized_output_name(mem_ctx, rctx, member_name, ++ member_dom, _name); ++done: ++ talloc_free(tmp_ctx); ++ return ret; ++} +diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h +index acb3c4aa504e538ca56dca8d43ee04b0f60954a9..13de83226177bbaa8b8237e3e27b7e72da369194 100644 +--- a/src/responder/nss/nss_private.h ++++ b/src/responder/nss/nss_private.h +@@ -140,17 +140,6 @@ const char * + nss_get_name_from_msg(struct sss_domain_info *domain, + struct ldb_message *msg); + +-int sized_output_name(TALLOC_CTX *mem_ctx, +- struct resp_ctx *rctx, +- const char *orig_name, +- struct sss_domain_info *name_dom, +- struct sized_string **_name); +- +-int sized_member_name(TALLOC_CTX *mem_ctx, +- struct resp_ctx *rctx, +- const char *member_name, +- struct sized_string **_name); +- + const char * + nss_get_pwfield(struct nss_ctx *nctx, + struct sss_domain_info *dom); +diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c +index 283ab9f6731bc4c8261ca79075ab030005bf70db..fae1d47d7b217beafba75740e2e6d9cb8cdbc1d0 100644 +--- a/src/responder/nss/nss_protocol_grent.c ++++ b/src/responder/nss/nss_protocol_grent.c +@@ -163,7 +163,7 @@ nss_protocol_fill_members(struct sss_packet *packet, + } + } + +- ret = sized_member_name(tmp_ctx, rctx, 
member_name, &name); ++ ret = sized_domain_name(tmp_ctx, rctx, member_name, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to get sized name [%d]: %s\n", + ret, sss_strerror(ret)); +diff --git a/src/responder/nss/nss_utils.c b/src/responder/nss/nss_utils.c +index f839930a275db56e8d729888af870562d7b6f260..2cd9c33b42f7e018ea89d2df206637f35646489e 100644 +--- a/src/responder/nss/nss_utils.c ++++ b/src/responder/nss/nss_utils.c +@@ -53,93 +53,6 @@ nss_get_name_from_msg(struct sss_domain_info *domain, + return ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + } + +-int sized_output_name(TALLOC_CTX *mem_ctx, +- struct resp_ctx *rctx, +- const char *orig_name, +- struct sss_domain_info *name_dom, +- struct sized_string **_name) +-{ +- TALLOC_CTX *tmp_ctx = NULL; +- errno_t ret; +- char *username; +- struct sized_string *name; +- +- tmp_ctx = talloc_new(NULL); +- if (tmp_ctx == NULL) { +- return ENOMEM; +- } +- +- username = sss_output_name(tmp_ctx, orig_name, name_dom->case_preserve, +- rctx->override_space); +- if (username == NULL) { +- ret = EIO; +- goto done; +- } +- +- if (name_dom->fqnames) { +- username = sss_tc_fqname(tmp_ctx, name_dom->names, name_dom, username); +- if (username == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "sss_replace_space failed\n"); +- ret = EIO; +- goto done; +- } +- } +- +- name = talloc_zero(tmp_ctx, struct sized_string); +- if (name == NULL) { +- ret = ENOMEM; +- goto done; +- } +- +- to_sized_string(name, username); +- name->str = talloc_steal(name, username); +- *_name = talloc_steal(mem_ctx, name); +- ret = EOK; +-done: +- talloc_zfree(tmp_ctx); +- return ret; +-} +- +-int sized_member_name(TALLOC_CTX *mem_ctx, +- struct resp_ctx *rctx, +- const char *member_name, +- struct sized_string **_name) +-{ +- TALLOC_CTX *tmp_ctx = NULL; +- errno_t ret; +- char *domname; +- struct sss_domain_info *member_dom; +- +- tmp_ctx = talloc_new(NULL); +- if (tmp_ctx == NULL) { +- return ENOMEM; +- } +- +- ret = 
sss_parse_internal_fqname(tmp_ctx, member_name, NULL, &domname); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "sss_parse_internal_fqname failed\n"); +- goto done; +- } +- +- if (domname == NULL) { +- ret = ERR_WRONG_NAME_FORMAT; +- goto done; +- } +- +- member_dom = find_domain_by_name(get_domains_head(rctx->domains), +- domname, true); +- if (member_dom == NULL) { +- ret = ERR_DOMAIN_NOT_FOUND; +- goto done; +- } +- +- ret = sized_output_name(mem_ctx, rctx, member_name, +- member_dom, _name); +-done: +- talloc_free(tmp_ctx); +- return ret; +-} +- + const char * + nss_get_pwfield(struct nss_ctx *nctx, + struct sss_domain_info *dom) +-- +2.12.2 + diff --git a/0115-IFP-Use-sized_domain_name-to-format-the-groups-the-u.patch b/0115-IFP-Use-sized_domain_name-to-format-the-groups-the-u.patch new file mode 100644 index 0000000..2394f0b --- /dev/null +++ b/0115-IFP-Use-sized_domain_name-to-format-the-groups-the-u.patch 
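Review bot: In the relocated sized_output_name(), the failure branch after sss_tc_fqname() logs `"sss_replace_space failed\n"`, naming the wrong function; since the code is being moved anyway, correct it to `DEBUG(SSSDBG_CRIT_FAILURE, "sss_tc_fqname failed\n");` in responder_common.c. The new responder.h comment on sized_domain_name() says it formats `orig_name`, but the parameter is `member_name`; reword it to `/* Format member_name into a sized_string in output format as prescribed by the domain read from the fully qualified name. */`. The two functions also clean up differently (`talloc_zfree(tmp_ctx)` versus `talloc_free(tmp_ctx)`); both are correct here since tmp_ctx is not reused, but one style would read better in the shared file.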
@@ -0,0 +1,94 @@ +From c9a73bb6ffa010ef206896a0d1c2801bc056fa45 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 19 Apr 2017 17:46:03 +0200 +Subject: [PATCH 115/135] IFP: Use sized_domain_name to format the groups the + user is a member of +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Resolves: + https://pagure.io/SSSD/sssd/issue/3268 + +Uses the common function sized_domain_name() to format a group the user +is a member of to the appropriate format. + +To see the code is working correctly, run: + dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe + /org/freedesktop/sssd/infopipe + org.freedesktop.sssd.infopipe.GetUserGroups + string:trusted_user + +Where trusted_user is a user from a trusted domain that is a member of groups +from the joined domain and a trusted domain as well. The groups from the +joined domain should not be qualified, the groups from the trusted +domain should be qualified. + +Reviewed-by: Pavel Březina +--- + src/responder/ifp/ifpsrv_cmd.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c +index d10f35e41dbb1623a0b9de37a4c43363cbefc1a3..e4d6c42ef35ef372472803d3d26b17d4181021a8 100644 +--- a/src/responder/ifp/ifpsrv_cmd.c ++++ b/src/responder/ifp/ifpsrv_cmd.c +@@ -369,10 +369,11 @@ ifp_user_get_groups_reply(struct sss_domain_info *domain, + struct ifp_req *ireq, + struct ldb_result *res) + { +- int i, num; ++ int i, gri, num; + const char *name; + const char **groupnames; +- char *out_name; ++ struct sized_string *group_name; ++ errno_t ret; + + /* one less, the first one is the user entry */ + num = res->count - 1; +@@ -381,6 +382,7 @@ ifp_user_get_groups_reply(struct sss_domain_info *domain, + return sbus_request_finish(ireq->dbus_req, NULL); + } + ++ gri = 0; + for (i = 0; i < num; i++) { + name = sss_view_ldb_msg_find_attr_as_string(domain, + 
res->msgs[i + 1], +@@ -390,22 +392,21 @@ ifp_user_get_groups_reply(struct sss_domain_info *domain, + continue; + } + +- out_name = sss_output_name(ireq, name, domain->case_preserve, +- ireq->ifp_ctx->rctx->override_space); +- if (out_name == NULL) { ++ ret = sized_domain_name(ireq, ireq->ifp_ctx->rctx, name, &group_name); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Unable to get sized name for %s [%d]: %s\n", ++ name, ret, sss_strerror(ret)); + continue; + } + +- if (domain->fqnames) { +- groupnames[i] = sss_tc_fqname(groupnames, domain->names, +- domain, out_name); +- if (out_name == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "sss_tc_fqname failed\n"); +- continue; +- } +- } else { +- groupnames[i] = talloc_steal(groupnames, out_name); ++ groupnames[gri] = talloc_strndup(groupnames, ++ group_name->str, group_name->len); ++ if (groupnames[gri] == NULL) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "talloc_strndup failed\n"); ++ continue; + } ++ gri++; + + DEBUG(SSSDBG_TRACE_FUNC, "Adding group %s\n", groupnames[i]); + } +-- +2.12.2 + diff --git a/0116-SECRETS-remove-unused-variable.patch b/0116-SECRETS-remove-unused-variable.patch new file mode 100644 index 0000000..83d7d8d --- /dev/null +++ b/0116-SECRETS-remove-unused-variable.patch 
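Review bot: The trace line at the end of the loop still reads `groupnames[i]` after the array index was switched to `gri`; once any earlier entry was skipped via `continue`, `groupnames[i]` is the wrong element or, with gri already incremented past the last stored entry, a NULL (depending on how groupnames was allocated, which is outside the hunk) passed to `%s`. Log the value just stored, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "Adding group %s\n", groupnames[gri]);` placed before the `gri++`, or `groupnames[gri - 1]` where the line is now. Separately, each `group_name` is allocated on `ireq` by sized_domain_name() and then copied with talloc_strndup(), so the sized_string originals live until ireq is freed; a `talloc_free(group_name);` after the copy would bound that. The allocation of `groupnames` and the reply code follow outside the hunk, so whether the array stays NULL-terminated after compaction to `gri` entries cannot be confirmed here.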
@@ -0,0 +1,32 @@ +From 0e8f0c06cad5805b1a1161f60e3f2cdb7a5a2921 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Wed, 19 Apr 2017 17:56:20 +0200 +Subject: [PATCH 116/135] SECRETS: remove unused variable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Pavel Březina +--- + src/responder/secrets/proxy.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/src/responder/secrets/proxy.c b/src/responder/secrets/proxy.c +index fd96e985c897e2cb470a9b5d6eecbd34350fb7d2..9c2aa425d414728d10aa830f640632e98def3c1c 100644 +--- a/src/responder/secrets/proxy.c ++++ b/src/responder/secrets/proxy.c +@@ -570,11 +570,6 @@ static void proxy_secret_req_done(struct tevent_req *subreq) + } + } + +-struct provider_handle proxy_secrets_handle = { +- .fn = proxy_secret_req, +- .context = NULL, +-}; +- + int proxy_secrets_provider_handle(struct sec_ctx *sctx, + struct provider_handle **out_handle) + { +-- +2.12.2 + diff --git a/0117-IPA-Improve-DEBUG-message-if-a-group-has-no-ipaNTSec.patch b/0117-IPA-Improve-DEBUG-message-if-a-group-has-no-ipaNTSec.patch new file mode 100644 index 0000000..2d8edd5 --- /dev/null +++ b/0117-IPA-Improve-DEBUG-message-if-a-group-has-no-ipaNTSec.patch 
@@ -0,0 +1,41 @@ +From ef019268d2d112ebff3577e551cd19478d73d93b Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 21 Apr 2017 12:39:44 +0200 +Subject: [PATCH 117/135] IPA: Improve DEBUG message if a group has no + ipaNTSecurityIdentifier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There was an issue in a production deployment where the admin selected a +GID outside the IDM range for a group that contained a user from the +trusted domain. This resulted in not adding a SID for the IPA group, +which in turn meant the group couldn't be resolved on the client. + +This patch just improves the DEBUG message so that it's clearer for the +admins where the issue is. + +Reviewed-by: Lukáš Slebodník +--- + src/providers/ipa/ipa_s2n_exop.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c +index 2173db357700499a6140aa61841e443139981483..55ec904ca3188c7cf10ac41972e9ecf94ebf44bb 100644 +--- a/src/providers/ipa/ipa_s2n_exop.c ++++ b/src/providers/ipa/ipa_s2n_exop.c +@@ -1308,7 +1308,10 @@ static void ipa_s2n_get_list_next(struct tevent_req *subreq) + ret = sysdb_attrs_get_string(state->attrs->sysdb_attrs, SYSDB_SID_STR, + &sid_str); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Object [%s] has no SID, please check the " ++ "ipaNTSecurityIdentifier attribute on the server-side", ++ state->attrs->a.name); + goto fail; + } + +-- +2.12.2 + diff --git a/0118-RESPONDER-Fallback-to-global-domain-resolution-order.patch b/0118-RESPONDER-Fallback-to-global-domain-resolution-order.patch new file mode 100644 index 0000000..9b52466 --- /dev/null +++ b/0118-RESPONDER-Fallback-to-global-domain-resolution-order.patch 
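Review bot: The new DEBUG message in ipa_s2n_get_list_next has no trailing newline, unlike the line it replaces and the surrounding DEBUG calls, so it will run into the next log line; end it with `"ipaNTSecurityIdentifier attribute on the server-side\n",`. Wording-wise, `on the server-side` reads better as `on the server`. The enclosing function continues outside the hunk.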
@@ -0,0 +1,312 @@ +From a3faad0e4dc1ca4473746c3822ecfc5aed876e6d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Wed, 12 Apr 2017 10:43:25 +0200 +Subject: [PATCH 118/135] RESPONDER: Fallback to global domain resolution order + in case the view doesn't have this option set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The current code has been ignoring the domain resolution order set +globally on IPA in case there's a view but this doesn't have any domain +resolution order set. + +It happens because we haven't been checking whether the view attribute +didn't exist and then we ended up populating the list cache_req domains' +list assuming that no order has been set instead of falling back to the +next preferred method. + +Related: +https://pagure.io/SSSD/sssd/issue/3001 + +Signed-off-by: Fabiano Fidêncio + +Reviewed-by: Pavel Březina +--- + src/responder/common/cache_req/cache_req_domain.c | 14 ++- + src/responder/common/cache_req/cache_req_domain.h | 5 +- + src/responder/common/responder_common.c | 108 +++++++++++++--------- + 3 files changed, 74 insertions(+), 53 deletions(-) + +diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c +index bbabd695f1c6b6c29b7e61f571382ab9adfb0ea2..86a88efd54ca0f4a0748b44ece1b8515438d4628 100644 +--- a/src/responder/common/cache_req/cache_req_domain.c ++++ b/src/responder/common/cache_req/cache_req_domain.c +@@ -120,20 +120,21 @@ done: + return cr_domains; + } + +-struct cache_req_domain * ++errno_t + cache_req_domain_new_list_from_domain_resolution_order( + TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, +- const char *domain_resolution_order) ++ const char *domain_resolution_order, ++ struct cache_req_domain **_cr_domains) + { + TALLOC_CTX *tmp_ctx; +- struct cache_req_domain *cr_domains = NULL; ++ struct cache_req_domain *cr_domains; + char **list = NULL; + errno_t ret; + + tmp_ctx = 
talloc_new(NULL); + if (tmp_ctx == NULL) { +- return NULL; ++ return ENOMEM; + } + + if (domain_resolution_order != NULL) { +@@ -160,7 +161,10 @@ cache_req_domain_new_list_from_domain_resolution_order( + goto done; + } + ++ *_cr_domains = cr_domains; ++ ret = EOK; ++ + done: + talloc_free(tmp_ctx); +- return cr_domains; ++ return ret; + } +diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h +index 41c50e8c293d7b032cb2f05482c40e93e4f723dc..000087e5ca2074f22169a4af627810f4f287e430 100644 +--- a/src/responder/common/cache_req/cache_req_domain.h ++++ b/src/responder/common/cache_req/cache_req_domain.h +@@ -34,11 +34,12 @@ struct cache_req_domain * + cache_req_domain_get_domain_by_name(struct cache_req_domain *domains, + const char *name); + +-struct cache_req_domain * ++errno_t + cache_req_domain_new_list_from_domain_resolution_order( + TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, +- const char *domain_resolution_order); ++ const char *domain_resolution_order, ++ struct cache_req_domain **_cr_domains); + + void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains); + +diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c +index ac6320b08de09bc6c7e8dd1af72e0a493a449f7a..62b71b5104fdbb585d086d44d2ca2ab9717dd788 100644 +--- a/src/responder/common/responder_common.c ++++ b/src/responder/common/responder_common.c +@@ -1486,10 +1486,11 @@ fail: + } + + /* ====== Helper functions for the domain resolution order ======= */ +-static struct cache_req_domain * ++static errno_t + sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, +- struct sysdb_ctx *sysdb) ++ struct sysdb_ctx *sysdb, ++ struct cache_req_domain **_cr_domains) + { + TALLOC_CTX *tmp_ctx; + struct cache_req_domain *cr_domains = NULL; +@@ -1498,7 +1499,7 @@ sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx, + + tmp_ctx = 
talloc_new(NULL); + if (tmp_ctx == NULL) { +- return NULL; ++ return ENOMEM; + } + + ret = sysdb_get_view_domain_resolution_order(tmp_ctx, sysdb, +@@ -1510,12 +1511,13 @@ sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx, + goto done; + } + +- /* Using mem_ctx (which is rctx) directly here to avoid copying +- * this memory around. */ +- cr_domains = cache_req_domain_new_list_from_domain_resolution_order( +- mem_ctx, domains, domain_resolution_order); +- if (cr_domains == NULL) { +- ret = ENOMEM; ++ if (ret == ENOENT) { ++ goto done; ++ } ++ ++ ret = cache_req_domain_new_list_from_domain_resolution_order( ++ mem_ctx, domains, domain_resolution_order, &cr_domains); ++ if (ret != EOK) { + DEBUG(SSSDBG_DEFAULT, + "cache_req_domain_new_list_from_domain_resolution_order() " + "failed [%d]: [%s].\n", +@@ -1523,25 +1525,31 @@ sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx, + goto done; + } + ++ *_cr_domains = cr_domains; ++ ++ ret = EOK; ++ + done: + talloc_free(tmp_ctx); +- return cr_domains; ++ return ret; + } + +-static struct cache_req_domain * ++static errno_t + sss_resp_new_cr_domains_from_ipa_config(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, + struct sysdb_ctx *sysdb, +- const char *domain) ++ const char *domain, ++ struct cache_req_domain **_cr_domains) + { + TALLOC_CTX *tmp_ctx; +- struct cache_req_domain *cr_domains = NULL; + const char *domain_resolution_order = NULL; + errno_t ret; + ++ *_cr_domains = NULL; ++ + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { +- return NULL; ++ return ENOMEM; + } + + ret = sysdb_domain_get_domain_resolution_order(tmp_ctx, sysdb, domain, +@@ -1554,11 +1562,13 @@ sss_resp_new_cr_domains_from_ipa_config(TALLOC_CTX *mem_ctx, + goto done; + } + +- /* Using mem_ctx (which is rctx) directly here to avoid copying +- * this memory around. 
*/ +- cr_domains = cache_req_domain_new_list_from_domain_resolution_order( +- mem_ctx, domains, domain_resolution_order); +- if (cr_domains == NULL) { ++ if (ret == ENOENT) { ++ goto done; ++ } ++ ++ ret = cache_req_domain_new_list_from_domain_resolution_order( ++ mem_ctx, domains, domain_resolution_order, _cr_domains); ++ if (ret != EOK) { + DEBUG(SSSDBG_DEFAULT, + "cache_req_domain_new_list_from_domain_resolution_order() " + "failed [%d]: [%s].\n", +@@ -1566,9 +1576,11 @@ sss_resp_new_cr_domains_from_ipa_config(TALLOC_CTX *mem_ctx, + goto done; + } + ++ ret = EOK; ++ + done: + talloc_free(tmp_ctx); +- return cr_domains; ++ return ret; + } + + errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx) +@@ -1578,16 +1590,16 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx) + errno_t ret; + + if (rctx->domain_resolution_order != NULL) { +- cr_domains = cache_req_domain_new_list_from_domain_resolution_order( +- rctx, rctx->domains, rctx->domain_resolution_order); +- +- if (cr_domains == NULL) { ++ ret = cache_req_domain_new_list_from_domain_resolution_order( ++ rctx, rctx->domains, ++ rctx->domain_resolution_order, &cr_domains); ++ if (ret == EOK) { ++ goto done; ++ } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to use domain_resolution_order set in the config file.\n" + "Trying to fallback to use ipaDomainOrderResolution setup by " + "IPA.\n"); +- } else { +- goto done; + } + } + +@@ -1598,9 +1610,9 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx) + } + + if (dom == NULL) { +- cr_domains = cache_req_domain_new_list_from_domain_resolution_order( +- rctx, rctx->domains, NULL); +- if (cr_domains == NULL) { ++ ret = cache_req_domain_new_list_from_domain_resolution_order( ++ rctx, rctx->domains, NULL, &cr_domains); ++ if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to flatten the list of domains.\n"); + } +@@ -1608,44 +1620,48 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx) + } + + if (dom->has_views) { +- cr_domains 
= sss_resp_new_cr_domains_from_ipa_id_view(rctx, +- rctx->domains, +- dom->sysdb); +- if (cr_domains == NULL) { ++ ret = sss_resp_new_cr_domains_from_ipa_id_view(rctx, rctx->domains, ++ dom->sysdb, ++ &cr_domains); ++ if (ret == EOK) { ++ goto done; ++ } ++ ++ if (ret != ENOENT) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to use ipaDomainResolutionOrder set for the " + "view \"%s\".\n" + "Trying to fallback to use ipaDomainOrderResolution " + "set in ipaConfig for the domain: %s.\n", + dom->view_name, dom->name); +- } else { +- goto done; + } + } + +- cr_domains = sss_resp_new_cr_domains_from_ipa_config(rctx, rctx->domains, +- dom->sysdb, +- dom->name); +- if (cr_domains == NULL) { ++ ret = sss_resp_new_cr_domains_from_ipa_config(rctx, rctx->domains, ++ dom->sysdb, dom->name, ++ &cr_domains); ++ if (ret == EOK) { ++ goto done; ++ } ++ ++ if (ret != ENOENT) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to use ipaDomainResolutionOrder set in ipaConfig " + "for the domain: \"%s\".\n" + "No ipaDomainResolutionOrder will be followed.\n", + dom->name); +- } else { +- goto done; + } + +- cr_domains = cache_req_domain_new_list_from_domain_resolution_order( +- rctx, rctx->domains, NULL); +- if (cr_domains == NULL) { ++ ret = cache_req_domain_new_list_from_domain_resolution_order( ++ rctx, rctx->domains, NULL, &cr_domains); ++ if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to flatten the list of domains.\n"); + goto done; + } + +-done: +- ret = cr_domains != NULL ? EOK : ENOMEM; ++ ret = EOK; + ++done: + cache_req_domain_list_zfree(&rctx->cr_domains); + rctx->cr_domains = cr_domains; + +-- +2.12.2 + diff --git a/0119-NSS-TESTS-Improve-non-fqnames-tests.patch b/0119-NSS-TESTS-Improve-non-fqnames-tests.patch new file mode 100644 index 0000000..6af99d8 --- /dev/null +++ b/0119-NSS-TESTS-Improve-non-fqnames-tests.patch 
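Review bot: sss_resp_new_cr_domains_from_ipa_id_view never initialises its new out-parameter, while its sibling sss_resp_new_cr_domains_from_ipa_config starts with `*_cr_domains = NULL;` and cache_req_domain_new_list_from_domain_resolution_order writes `*_cr_domains` only on EOK. In sss_resp_populate_cr_domains the `done:` label now stores `cr_domains` into `rctx->cr_domains` unconditionally, including on the `ret != EOK` path of the final flatten, so what gets published depends on the caller's initial value of `cr_domains`, whose declaration is outside the hunk. Adding `*_cr_domains = NULL;` at the top of the ID-view helper gives the three helpers one contract, and initialising `cr_domains` at its declaration (if it is not already) keeps the error path from publishing a stale pointer. The bodies of all three functions start and end outside the shown hunks.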
@@ -0,0 +1,163 @@ +From ed518f61f1a5d4cf5d87eec492c158725a73d6a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Mon, 17 Apr 2017 09:32:39 +0200 +Subject: [PATCH 119/135] NSS/TESTS: Improve non-fqnames tests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +With the changes that are about to happen we have to have the subdomain's +fqnames flag set by the time we populate the cr_domains list (as it +actually occurs with the real code), as this list may set its own fqnames +flag based on the subdomain's fqnames flag. + +Currently the flag is set to false only when running the tests itself so +the cr_domains list doesn't get populate properly (although it still +works with the current code). + +For the changes that are comming, let's introduce a new setup function +that ensures that the subdomain's fqnames flag is set up in the right +time. + +Related: +https://pagure.io/SSSD/sssd/issue/3001 + +Signed-off-by: Fabiano Fidêncio + +Reviewed-by: Pavel Březina +--- + src/tests/cmocka/test_nss_srv.c | 45 +++++++++++++++++++++++++++-------------- + 1 file changed, 30 insertions(+), 15 deletions(-) + +diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c +index 2f526660cbbbf2443dbae4e213c1336feb6c661e..8c72f44f1869558893627e1f2f91b5f3b96c6317 100644 +--- a/src/tests/cmocka/test_nss_srv.c ++++ b/src/tests/cmocka/test_nss_srv.c +@@ -1709,8 +1709,6 @@ void test_nss_getgrnam_members_subdom_nonfqnames(void **state) + { + errno_t ret; + +- nss_test_ctx->subdom->fqnames = false; +- + mock_input_user_or_group("testsubdomgroup"); + mock_account_recv_simple(); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM); +@@ -1802,8 +1800,6 @@ void test_nss_getgrnam_mix_dom_nonfqnames(void **state) + { + errno_t ret; + +- nss_test_ctx->subdom->fqnames = false; +- + ret = store_group_member(nss_test_ctx, + testgroup_members.gr_name, + nss_test_ctx->tctx->dom, +@@ -1917,6 +1913,7 @@ void 
test_nss_getgrnam_mix_dom_fqdn(void **state) + assert_int_equal(ret, EOK); + } + ++ + void test_nss_getgrnam_mix_dom_fqdn_nonfqnames(void **state) + { + errno_t ret; +@@ -1929,10 +1926,6 @@ void test_nss_getgrnam_mix_dom_fqdn_nonfqnames(void **state) + SYSDB_MEMBER_USER); + assert_int_equal(ret, EOK); + +- nss_test_ctx->tctx->dom->fqnames = false; +- nss_test_ctx->subdom->fqnames = false; +- +- + mock_input_user_or_group("testgroup_members"); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM); + will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2044,8 +2037,6 @@ void test_nss_getgrnam_mix_subdom_nonfqnames(void **state) + { + errno_t ret; + +- nss_test_ctx->subdom->fqnames = false; +- + ret = store_group_member(nss_test_ctx, + testsubdomgroup.gr_name, + nss_test_ctx->subdom, +@@ -3417,9 +3408,11 @@ static int nss_test_setup_extra_attr(void **state) + return 0; + } + +-static int nss_subdom_test_setup(void **state) ++static int nss_subdom_test_setup_common(void **state, bool nonfqnames) + { + const char *const testdom[4] = { TEST_SUBDOM_NAME, "TEST.SUB", "test", "S-3" }; ++ struct sss_domain_info *dom; ++ + struct sss_domain_info *subdomain; + errno_t ret; + +@@ -3440,6 +3433,17 @@ static int nss_subdom_test_setup(void **state) + nss_test_ctx->tctx->confdb); + assert_int_equal(ret, EOK); + ++ if (nonfqnames) { ++ for (dom = nss_test_ctx->rctx->domains; ++ dom != NULL; ++ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) { ++ if (strcmp(dom->name, subdomain->name) == 0) { ++ dom->fqnames = false; ++ break; ++ } ++ } ++ } ++ + ret = sss_resp_populate_cr_domains(nss_test_ctx->rctx); + assert_int_equal(ret, EOK); + assert_non_null(nss_test_ctx->rctx->cr_domains); +@@ -3475,6 +3479,17 @@ static int nss_subdom_test_setup(void **state) + assert_int_equal(ret, EOK); + + return 0; ++ ++} ++ ++static int nss_subdom_test_setup(void **state) ++{ ++ return nss_subdom_test_setup_common(state, false); ++} ++ ++static int 
nss_subdom_test_setup_nonfqnames(void **state) ++{ ++ return nss_subdom_test_setup_common(state, true); + } + + static int nss_fqdn_fancy_test_setup(void **state) +@@ -4192,25 +4207,25 @@ int main(int argc, const char *argv[]) + nss_subdom_test_setup, + nss_subdom_test_teardown), + cmocka_unit_test_setup_teardown(test_nss_getgrnam_members_subdom_nonfqnames, +- nss_subdom_test_setup, ++ nss_subdom_test_setup_nonfqnames, + nss_subdom_test_teardown), + cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_dom, + nss_subdom_test_setup, + nss_subdom_test_teardown), + cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_dom_nonfqnames, +- nss_subdom_test_setup, ++ nss_subdom_test_setup_nonfqnames, + nss_subdom_test_teardown), + cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_dom_fqdn, + nss_subdom_test_setup, + nss_subdom_test_teardown), + cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_dom_fqdn_nonfqnames, +- nss_subdom_test_setup, ++ nss_subdom_test_setup_nonfqnames, + nss_subdom_test_teardown), + cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_subdom, + nss_subdom_test_setup, + nss_subdom_test_teardown), + cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_subdom_nonfqnames, +- nss_subdom_test_setup, ++ nss_subdom_test_setup_nonfqnames, + nss_subdom_test_teardown), + cmocka_unit_test_setup_teardown(test_nss_getgrnam_space, + nss_test_setup, nss_test_teardown), +-- +2.12.2 + diff --git a/0120-CACHE_REQ-Allow-configurationless-shortname-lookups.patch b/0120-CACHE_REQ-Allow-configurationless-shortname-lookups.patch new file mode 100644 index 0000000..de5d757 --- /dev/null +++ b/0120-CACHE_REQ-Allow-configurationless-shortname-lookups.patch 
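Review bot: In nss_subdom_test_setup_common the loop that clears `fqnames` silently does nothing if no entry of `rctx->domains` matches `subdomain->name`, so a broken setup would run the non-fqnames tests with fully-qualified names still enforced and they could pass for the wrong reason. An `assert_non_null(dom);` after the loop, inside the `if (nonfqnames)` block, makes that mis-setup fail loudly. The hunk also leaves a blank line before the helper's closing brace and adds a second blank line before test_nss_getgrnam_mix_dom_fqdn_nonfqnames, both whitespace noise.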
@@ -0,0 +1,138 @@ +From dae798231fc2c575f213785768bc24ed765ba243 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Tue, 11 Apr 2017 17:19:29 +0200 +Subject: [PATCH 120/135] CACHE_REQ: Allow configurationless shortname lookups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Configurationless shortnames lookups must be allowed when a domains' +resolution order is present and the (head) domain is not enforcing the +usage of fully-qualified-names. + +With this patch SSSD does not require any kind of changes from client +side for taking advantage of shortname lookups. + +Related: +https://pagure.io/SSSD/sssd/issue/3001 + +Signed-off-by: Fabiano Fidêncio + +Reviewed-by: Pavel Březina +--- + src/responder/common/cache_req/cache_req.c | 2 +- + src/responder/common/cache_req/cache_req_domain.c | 48 +++++++++++++++++++++++ + src/responder/common/cache_req/cache_req_domain.h | 1 + + 3 files changed, 50 insertions(+), 1 deletion(-) + +diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c +index 3a5fecf34427437bbf95317e05c5bd8b07b4537d..797325a30e6c1ed5f1d4b4c147c65391d5204b52 100644 +--- a/src/responder/common/cache_req/cache_req.c ++++ b/src/responder/common/cache_req/cache_req.c +@@ -480,7 +480,7 @@ static errno_t cache_req_search_domains_next(struct tevent_req *req) + * qualified names on domain less search. We do not descend into + * subdomains here since those are implicitly qualified. 
+ */ +- if (state->check_next && !allow_no_fqn && domain->fqnames) { ++ if (state->check_next && !allow_no_fqn && state->cr_domain->fqnames) { + state->cr_domain = state->cr_domain->next; + continue; + } +diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c +index 86a88efd54ca0f4a0748b44ece1b8515438d4628..bfdd2b7f640178f6d0a0d92f2fed329c856b478c 100644 +--- a/src/responder/common/cache_req/cache_req_domain.c ++++ b/src/responder/common/cache_req/cache_req_domain.c +@@ -60,6 +60,48 @@ void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains) + *cr_domains = NULL; + } + ++static bool ++cache_req_domain_use_fqnames(struct sss_domain_info *domain, ++ bool enforce_non_fqnames) ++{ ++ struct sss_domain_info *head; ++ ++ head = get_domains_head(domain); ++ ++ /* ++ * In order to decide whether fully_qualified_names must be used on the ++ * lookups we have to take into consideration: ++ * - use_fully_qualified_name value of the head of the domains; ++ * (head->fqnames) ++ * - the presence of a domains' resolution order list; ++ * (non_fqnames_enforced) ++ * ++ * The relationship between those two can be described by: ++ * - head->fqnames: ++ * - true: in this case doesn't matter whether it's enforced or not, ++ * fully-qualified-names will _always_ be used ++ * - false: in this case (which is also the default case), the usage ++ * depends on it being enforced; ++ * ++ * - enforce_non_fqnames: ++ * - true: in this case, the usage of fully-qualified-names is not ++ * needed; ++ * - false: in this case, the usage of fully-qualified-names will be ++ * done accordingly to what's set for the domain itself. 
++ */ ++ switch (head->fqnames) { ++ case true: ++ return true; ++ case false: ++ switch (enforce_non_fqnames) { ++ case true: ++ return false; ++ case false: ++ return domain->fqnames; ++ } ++ } ++} ++ + static struct cache_req_domain * + cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, +@@ -71,9 +113,11 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, + char *name; + int flag = SSS_GND_ALL_DOMAINS; + int i; ++ bool enforce_non_fqnames = false; + errno_t ret; + + if (resolution_order != NULL) { ++ enforce_non_fqnames = true; + for (i = 0; resolution_order[i] != NULL; i++) { + name = resolution_order[i]; + for (dom = domains; dom; dom = get_next_domain(dom, flag)) { +@@ -87,6 +131,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, + goto done; + } + cr_domain->domain = dom; ++ cr_domain->fqnames = ++ cache_req_domain_use_fqnames(dom, enforce_non_fqnames); + + DLIST_ADD_END(cr_domains, cr_domain, + struct cache_req_domain *); +@@ -106,6 +152,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, + goto done; + } + cr_domain->domain = dom; ++ cr_domain->fqnames = ++ cache_req_domain_use_fqnames(dom, enforce_non_fqnames); + + DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *); + } +diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h +index 000087e5ca2074f22169a4af627810f4f287e430..5bcbb9b493caf05bf71aac5cf7633ded91f22e73 100644 +--- a/src/responder/common/cache_req/cache_req_domain.h ++++ b/src/responder/common/cache_req/cache_req_domain.h +@@ -25,6 +25,7 @@ + + struct cache_req_domain { + struct sss_domain_info *domain; ++ bool fqnames; + + struct cache_req_domain *prev; + struct cache_req_domain *next; +-- +2.12.2 + 
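Review bot: cache_req_domain_use_fqnames in cache_req_domain.c can reach the end of a non-void function: both `switch` statements on a `bool` have only `case true`/`case false`, no `default:`, and there is no trailing `return`, so compilers warn under -Wreturn-type and any value read from that path would be undefined behaviour. The whole decision table collapses to one expression that is exhaustive by construction, `return head->fqnames || (!enforce_non_fqnames && domain->fqnames);`. The explanatory comment also refers to `non_fqnames_enforced` where the parameter is named `enforce_non_fqnames`; the comment should use the real name.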
diff --git a/0121-CACHE_REQ_DOMAIN-Add-some-comments-to-cache_req_doma.patch b/0121-CACHE_REQ_DOMAIN-Add-some-comments-to-cache_req_doma.patch
new file mode 100644
index 0000000..2d76440
--- /dev/null
+++ b/0121-CACHE_REQ_DOMAIN-Add-some-comments-to-cache_req_doma.patch
@@ -0,0 +1,41 @@
+From f9bac02756aa05cc9c6ac07ae581dba67240c1a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
+Date: Mon, 24 Apr 2017 21:04:58 +0200
+Subject: [PATCH 121/135] CACHE_REQ_DOMAIN: Add some comments to
+ cache_req_domain_new_list_from_string_list()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Fabiano Fidêncio
+
+Reviewed-by: Pavel Březina
+---
+ src/responder/common/cache_req/cache_req_domain.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
+index bfdd2b7f640178f6d0a0d92f2fed329c856b478c..6d37db0f109d5343eb6d7f4272bea522d4c34cf7 100644
+--- a/src/responder/common/cache_req/cache_req_domain.c
++++ b/src/responder/common/cache_req/cache_req_domain.c
+@@ -116,6 +116,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
+ bool enforce_non_fqnames = false;
+ errno_t ret;
+
++ /* Firstly, in case a domains' resolution order is passed ... iterate over
++ * the list adding its domains to the flatten cache req domains' list */
+ if (resolution_order != NULL) {
+ enforce_non_fqnames = true;
+ for (i = 0; resolution_order[i] != NULL; i++) {
+@@ -141,6 +143,8 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx,
+ }
+ }
+
++ /* Then iterate through all the other domains (and subdomains) and add them
++ * to the flatten cache req domains' list */
+ for (dom = domains; dom; dom = get_next_domain(dom, flag)) {
+ if (string_in_list(dom->name, resolution_order, false)) {
+ continue;
+--
+2.12.2
+
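Review bot: The two comments added to cache_req_domain_new_list_from_string_list read awkwardly ("Firstly, in case ... is passed ... iterate", "flatten cache req domains' list"), which matters in a comments-only patch. Suggested wording for the first: `/* First, if a domain resolution order was passed, walk it and add its domains to the flattened cache_req domain list */`, and for the second: `/* Then add every remaining domain (and subdomain) to the flattened cache_req domain list */`.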
diff --git a/0122-RESPONDER_COMMON-Improve-domaiN_resolution_order-deb.patch b/0122-RESPONDER_COMMON-Improve-domaiN_resolution_order-deb.patch
new file mode 100644
index 0000000..f8a37b3
--- /dev/null
+++ b/0122-RESPONDER_COMMON-Improve-domaiN_resolution_order-deb.patch
@@ -0,0 +1,53 @@
+From 213048fd9a5e800deb74cb5b7f0eaf465945c640 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
+Date: Mon, 24 Apr 2017 21:09:02 +0200
+Subject: [PATCH 122/135] RESPONDER_COMMON: Improve domaiN_resolution_order
+ debug messages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Indicate whether a domain_resolution_order has been used and where
+it came from.
+
+Signed-off-by: Fabiano Fidêncio
+
+Reviewed-by: Pavel Březina
+---
+ src/responder/common/responder_common.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
+index 62b71b5104fdbb585d086d44d2ca2ab9717dd788..7496d293fddb3e947d59a4f2aaeb2c83234dfcc7 100644
+--- a/src/responder/common/responder_common.c
++++ b/src/responder/common/responder_common.c
+@@ -1594,6 +1594,8 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
+ rctx, rctx->domains,
+ rctx->domain_resolution_order, &cr_domains);
+ if (ret == EOK) {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "Using domain_resolution_order from sssd.conf\n");
+ goto done;
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+@@ -1624,6 +1626,8 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
+ dom->sysdb,
+ &cr_domains);
+ if (ret == EOK) {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "Using domain_resolution_order from IPA ID View\n");
+ goto done;
+ }
+
+@@ -1641,6 +1645,8 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
+ dom->sysdb, dom->name,
+ &cr_domains);
+ if (ret == EOK) {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "Using domain_resolution_order from IPA Config\n");
+ goto done;
+ }
+
+--
+2.12.2
+
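Review bot: The three trace messages added to sss_resp_populate_cr_domains say which source won but not for which view or domain, while the neighbouring failure messages already print `dom->view_name` and `dom->name`. Including them, e.g. `"Using domain_resolution_order from IPA ID View \"%s\"\n", dom->view_name` and `"Using domain_resolution_order from IPA Config for domain \"%s\"\n", dom->name`, makes a single debug log enough to confirm which configuration actually shaped the lookup order, which is what an operator investigating an unexpected shortname resolution needs. The function begins and ends outside the hunks.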
diff --git a/0123-CACHE_REQ_DOMAIN-debug-the-set-domain-resolution-ord.patch b/0123-CACHE_REQ_DOMAIN-debug-the-set-domain-resolution-ord.patch
new file mode 100644
index 0000000..6bc04ba
--- /dev/null
+++ b/0123-CACHE_REQ_DOMAIN-debug-the-set-domain-resolution-ord.patch
@@ -0,0 +1,49 @@
+From b78febe4c579f86f8007a27599605d1eb9f97a62 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
+Date: Tue, 25 Apr 2017 14:25:12 +0200
+Subject: [PATCH 123/135] CACHE_REQ_DOMAIN: debug the set domain resolution
+ order
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Fabiano Fidêncio
+
+Reviewed-by: Pavel Březina
+---
+ src/responder/common/cache_req/cache_req_domain.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
+index 6d37db0f109d5343eb6d7f4272bea522d4c34cf7..2c238c9966d322bb542fa2047313ee9e5144edee 100644
+--- a/src/responder/common/cache_req/cache_req_domain.c
++++ b/src/responder/common/cache_req/cache_req_domain.c
+@@ -191,6 +191,10 @@ cache_req_domain_new_list_from_domain_resolution_order(
+
+ if (domain_resolution_order != NULL) {
+ if (strcmp(domain_resolution_order, ":") != 0) {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "Domain resolution order list (split by ':'): \"%s\"\n",
++ domain_resolution_order);
++
+ ret = split_on_separator(tmp_ctx, domain_resolution_order, ':',
+ true, true, &list, NULL);
+ if (ret != EOK) {
+@@ -199,7 +203,14 @@ cache_req_domain_new_list_from_domain_resolution_order(
+ ret, sss_strerror(ret));
+ goto done;
+ }
++ } else {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "Domain resolution order list: ':' "
++ "(do not use any specific order)\n");
+ }
++ } else {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "Domain resolution order list: not set\n");
+ }
+
+ cr_domains = cache_req_domain_new_list_from_string_list(mem_ctx, domains,
+--
+2.12.2
+
diff --git a/0124-LDAP-Allow-passing-a-NULL-map-to-sdap_search_bases_e.patch b/0124-LDAP-Allow-passing-a-NULL-map-to-sdap_search_bases_e.patch
new file mode 100644
index 0000000..546d1b4
--- /dev/null
+++ b/0124-LDAP-Allow-passing-a-NULL-map-to-sdap_search_bases_e.patch
@@ -0,0 +1,36 @@
+From 53e9a5aef4a688f7c81a4a1e77013e05313e5f9a Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Fri, 21 Apr 2017 15:30:37 +0200
+Subject: [PATCH 124/135] LDAP: Allow passing a NULL map to
+ sdap_search_bases_ex_send
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+NULL attribute map and a NULL list of attributes should translate into
+"fetch all entry attributes"
+
+Required for:
+ https://pagure.io/SSSD/sssd/issue/3378
+
+Reviewed-by: Pavel Březina
+---
+ src/providers/ldap/sdap_ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ldap/sdap_ops.c b/src/providers/ldap/sdap_ops.c
+index 3fc968f0bf6782f91a5f5620bfe34eeeebcdc832..a90857469a4ed6f2cecb935ea70340060952c9df 100644
+--- a/src/providers/ldap/sdap_ops.c
++++ b/src/providers/ldap/sdap_ops.c
+@@ -101,7 +101,7 @@ sdap_search_bases_ex_send(TALLOC_CTX *mem_ctx,
+ state->map_num_attrs = 0;
+ }
+
+- if (state->attrs == NULL) {
++ if (state->attrs == NULL && state->map != NULL) {
+ ret = build_attrs_from_map(state, state->map, state->map_num_attrs,
+ NULL, &state->attrs, NULL);
+ if (ret != EOK) {
+--
+2.12.2
+
diff --git a/0125-IPA-Use-search-bases-instead-of-domain_to_basedn-whe.patch b/0125-IPA-Use-search-bases-instead-of-domain_to_basedn-whe.patch
new file mode 100644
index 0000000..29435e9
--- /dev/null
+++ b/0125-IPA-Use-search-bases-instead-of-domain_to_basedn-whe.patch
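Review bot: The new condition in sdap_search_bases_ex_send relies on a NULL `state->attrs` being interpreted further down the function, outside the hunk, as "fetch all entry attributes", a contract that is only stated in the commit message. A comment on the condition, `/* NULL map and NULL attrs: leave attrs NULL, which requests every entry attribute */`, records it where the next reader will look. Whether any later code in this function still dereferences `state->map` when it is NULL is not visible from the hunk and is worth checking before callers start passing NULL.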
@@ -0,0 +1,88 @@ +From 337dd8a87cd774ac20d15c16ec3d9a6c4d2defc7 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 18 Apr 2017 11:47:30 +0200 +Subject: [PATCH 125/135] IPA: Use search bases instead of domain_to_basedn + when fetching external groups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Instead of deriving the search base from the IPA domain name, actually +use the search base from the sdap_domain structure. + +This has primarily the advantage of not matching groups in the compat +tree. + +Resolves: + https://pagure.io/SSSD/sssd/issue/3378 + +Reviewed-by: Pavel Březina +--- + src/providers/ipa/ipa_subdomains_ext_groups.c | 30 ++++++++++++--------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c +index d5727cc46eb9834abeab1d15cada692f81754b2e..505d89a51423489a5e2c0e09c9aa49d93c15231b 100644 +--- a/src/providers/ipa/ipa_subdomains_ext_groups.c ++++ b/src/providers/ipa/ipa_subdomains_ext_groups.c +@@ -27,6 +27,7 @@ + #include "db/sysdb.h" + #include "providers/ldap/ldap_common.h" + #include "providers/ldap/sdap_async.h" ++#include "providers/ldap/sdap_ops.h" + #include "providers/ipa/ipa_id.h" + #include "providers/ad/ad_id.h" + #include "providers/ipa/ipa_subdomains.h" +@@ -529,7 +530,6 @@ static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq) + struct get_ad_membership_state *state = tevent_req_data(req, + struct get_ad_membership_state); + int ret; +- char *basedn; + + ret = sdap_id_op_connect_recv(subreq, &state->dp_error); + talloc_zfree(subreq); +@@ -546,20 +546,14 @@ static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq) + goto fail; + } + +- +- ret = domain_to_basedn(state, state->domain, &basedn); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n"); +- goto fail; +- } +- +- subreq = sdap_get_generic_send(state, 
state->ev, state->sdap_id_ctx->opts, +- sdap_id_op_handle(state->sdap_op), basedn, +- LDAP_SCOPE_SUBTREE, +- IPA_EXT_GROUPS_FILTER, NULL, NULL, 0, +- dp_opt_get_int(state->sdap_id_ctx->opts->basic, +- SDAP_ENUM_SEARCH_TIMEOUT), +- false); ++ subreq = sdap_search_bases_send(state, state->ev, state->sdap_id_ctx->opts, ++ sdap_id_op_handle(state->sdap_op), ++ state->sdap_id_ctx->opts->sdom->group_search_bases, ++ NULL, false, ++ dp_opt_get_int(state->sdap_id_ctx->opts->basic, ++ SDAP_ENUM_SEARCH_TIMEOUT), ++ IPA_EXT_GROUPS_FILTER, ++ NULL); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n"); + ret = ENOMEM; +@@ -583,8 +577,10 @@ static void ipa_get_ext_groups_done(struct tevent_req *subreq) + int ret; + hash_table_t *ext_group_hash; + +- ret = sdap_get_generic_recv(subreq, state, +- &state->reply_count, &state->reply); ++ ret = sdap_search_bases_recv(subreq, ++ state, ++ &state->reply_count, ++ &state->reply); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ext_groups request failed.\n"); +-- +2.12.2 + diff --git a/0126-CONFDB-Fix-standalone-application-domains.patch b/0126-CONFDB-Fix-standalone-application-domains.patch new file mode 100644 index 0000000..f9d824e --- /dev/null +++ b/0126-CONFDB-Fix-standalone-application-domains.patch 
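Review bot: The call in ipa_get_ad_memberships_connect_done now goes to sdap_search_bases_send, but the error message on a NULL `subreq` still reads `"sdap_get_generic_send failed.\n"`; it should be `"sdap_search_bases_send failed.\n"` so a log points at the function that actually failed. The call passes a NULL attribute map and a NULL attribute list, so it depends on the NULL-map handling added to sdap_search_bases_ex_send by patch 0124 in this series, which the commit message does not mention. Both ipa_get_ad_memberships_connect_done and ipa_get_ext_groups_done extend beyond the hunks shown.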
@@ -0,0 +1,127 @@ +From 734e73257fff1c1884b72b8cf988f6d75c3a7567 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 31 Mar 2017 17:12:56 +0200 +Subject: [PATCH 126/135] CONFDB: Fix standalone application domains +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When a standalone application domain was configured, for example: + +------------------------------------------------- +[sssd] +domains = appdomain + +[application/appdomain] +id_provider=ldap +ldap_uri = ldap://dc.ipa.test +ldap_search_base = cn=accounts,dc=ipa,dc=test +ldap_schema = rfc2307bis +sudo_provider = none + +ldap_sasl_mech = gssapi +krb5_realm = IPA.TEST +krb5_server = dc.ipa.test + +ldap_user_uid_number = telephonenumber +ldap_user_gid_number = mobile +ldap_user_extra_attrs = location:l +------------------------------------------------- + +We would, when unrolling the application section into a domain section, +first add a domain stub, equivalent to: +----------------------------- +[domain/appdomain] +domain_type = application +----------------------------- + +Which in config.ldb also contains cn. Then, whem we would add the parameters +from the [application] section, but try to add the cn again. + +This didn't happen when inheriting from a POSIX domain, because there we +would set LDB_FLAG_REPLACE for any attributes that exist in the inherited +domain. + +This patch skips the cn attribute both when replacing an inherited +domain's attributes and when writing a standalone application domain. 
+ +Resolves: +https://pagure.io/SSSD/sssd/issue/3355 + +Reviewed-by: Pavel Březina +--- + src/confdb/confdb.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index 68693e8382c0fbf1015ee47f14fa7c6f64ae98b2..286dbb24377c6d0fdf2c2d070da04918c591ce05 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -1909,7 +1909,7 @@ static int confdb_add_app_domain(TALLOC_CTX *mem_ctx, + + cdb_path = talloc_asprintf(mem_ctx, CONFDB_DOMAIN_PATH_TMPL, name); + if (cdb_path == NULL) { +- return ENOMEM; ++ return ENOMEM; + } + + val[0] = CONFDB_DOMAIN_TYPE_APP; +@@ -1933,6 +1933,7 @@ static int confdb_merge_parent_domain(const char *name, + struct ldb_message *replace_msg = NULL; + struct ldb_message *app_msg = NULL; + struct ldb_dn *domain_dn; ++ struct ldb_message_element *el = NULL; + TALLOC_CTX *tmp_ctx = NULL; + + tmp_ctx = talloc_new(NULL); +@@ -1974,6 +1975,12 @@ static int confdb_merge_parent_domain(const char *name, + replace_msg->elements[i].flags = LDB_FLAG_MOD_ADD; + } + ++ el = ldb_msg_find_element(replace_msg, "cn"); ++ if (el != NULL) { ++ /* Don't add second cn */ ++ ldb_msg_remove_element(replace_msg, el); ++ } ++ + ret = ldb_modify(cdb->ldb, replace_msg); + if (ret != LDB_SUCCESS) { + ret = sysdb_error_to_errno(ret); +@@ -1993,7 +2000,14 @@ static int confdb_merge_parent_domain(const char *name, + app_msg->dn = domain_dn; + + for (unsigned i = 0; i < app_section->msgs[0]->num_elements; i++) { +- struct ldb_message_element *el = NULL; ++ struct ldb_message_element *app_el = &app_section->msgs[0]->elements[i]; ++ ++ /* These elements will be skipped when replacing attributes in ++ * a domain to avoid EEXIST errors ++ */ ++ if (strcasecmp(app_el->name, "cn") == 0) { ++ continue; ++ } + + if (replace_msg != NULL) { + el = ldb_msg_find_element(replace_msg, +@@ -2013,12 +2027,16 @@ static int confdb_merge_parent_domain(const char *name, + ret = ldb_msg_add(app_msg, + 
&app_section->msgs[0]->elements[i], + ldb_flag); +- if (ret != EOK) { ++ if (ret != LDB_SUCCESS) { + continue; + } + } + +- ret = ldb_modify(cdb->ldb, app_msg); ++ /* We use permissive modification here because adding cn or ++ * distinguishedName from the app_section to the application ++ * message would throw EEXIST ++ */ ++ ret = sss_ldb_modify_permissive(cdb->ldb, app_msg); + if (ret != LDB_SUCCESS) { + ret = sysdb_error_to_errno(ret); + DEBUG(SSSDBG_OP_FAILURE, +-- +2.12.2 + diff --git a/0127-utils-add-sss_domain_is_forest_root.patch b/0127-utils-add-sss_domain_is_forest_root.patch new file mode 100644 index 0000000..d5f4839 --- /dev/null +++ b/0127-utils-add-sss_domain_is_forest_root.patch 
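Review bot: The `if (ret != LDB_SUCCESS) { continue; }` after `ldb_msg_add()` still drops an application-domain option silently when the add fails, so a misconfigured option disappears from the merged domain without any trace in the log; a line such as `DEBUG(SSSDBG_MINOR_FAILURE, "Cannot add attribute [%s], skipping\n", app_el->name);` before the `continue` would make that visible. The comment above the `strcasecmp(app_el->name, "cn")` check speaks of "these elements" in the plural while only `cn` is skipped there, whereas the later comment on `sss_ldb_modify_permissive()` names both `cn` and `distinguishedName`; aligning the two comments (or the checks) would keep a reader from wondering whether one case is missing. Now that `app_el` exists, the `ldb_msg_add()` call could take `app_el` instead of repeating `&app_section->msgs[0]->elements[i]`. confdb_merge_parent_domain() starts and ends outside the hunk.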
@@ -0,0 +1,47 @@ +From 712e5b2e4465812c00a8667c75813322373bc657 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 4 Apr 2017 14:35:47 +0200 +Subject: [PATCH 127/135] utils: add sss_domain_is_forest_root() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Related to https://pagure.io/SSSD/sssd/issue/3361 + +Reviewed-by: Pavel Březina +--- + src/util/domain_info_utils.c | 5 +++++ + src/util/util.h | 1 + + 2 files changed, 6 insertions(+) + +diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c +index 2af7852f03f89b61f5b9fd8a244e98fb27b7e6a2..541058a16d585155b3b51511740f7db45281e2fd 100644 +--- a/src/util/domain_info_utils.c ++++ b/src/util/domain_info_utils.c +@@ -844,6 +844,11 @@ void sss_domain_set_state(struct sss_domain_info *dom, + "Domain %s is %s\n", dom->name, domain_state_str(dom)); + } + ++bool sss_domain_is_forest_root(struct sss_domain_info *dom) ++{ ++ return (dom->forest_root == dom); ++} ++ + bool is_email_from_domain(const char *email, struct sss_domain_info *dom) + { + const char *p; +diff --git a/src/util/util.h b/src/util/util.h +index 436550f5078cc173b8ed8cb58836d366f813146b..4ef13ced48addc19403402d7d880176da24ceec6 100644 +--- a/src/util/util.h ++++ b/src/util/util.h +@@ -539,6 +539,7 @@ enum sss_domain_state sss_domain_get_state(struct sss_domain_info *dom); + void sss_domain_set_state(struct sss_domain_info *dom, + enum sss_domain_state state); + bool is_email_from_domain(const char *email, struct sss_domain_info *dom); ++bool sss_domain_is_forest_root(struct sss_domain_info *dom); + const char *sss_domain_type_str(struct sss_domain_info *dom); + + struct sss_domain_info* +-- +2.12.2 + diff --git a/0128-ad-handle-forest-root-not-listed-in-ad_enabled_domai.patch b/0128-ad-handle-forest-root-not-listed-in-ad_enabled_domai.patch new file mode 100644 index 0000000..c944478 --- /dev/null +++ b/0128-ad-handle-forest-root-not-listed-in-ad_enabled_domai.patch 
@@ -0,0 +1,103 @@ +From feeabf273aa7af580552366ce58655e6a482a0cd Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Mon, 3 Apr 2017 21:27:32 +0200 +Subject: [PATCH 128/135] ad: handle forest root not listed in + ad_enabled_domains +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Although users and groups from the forest root should be ignored SSSD +will still try to get information about the forest topology from a DC +from the forest root. So even if the forest root domain is disabled we +should makes sure it is usable for those searches. + +Resolves https://pagure.io/SSSD/sssd/issue/3361 + +Reviewed-by: Pavel Březina +--- + src/providers/ad/ad_subdomains.c | 39 ++++++++++++++++++++++++++++++++++++--- + 1 file changed, 36 insertions(+), 3 deletions(-) + +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index bc659b2cb0a02723437d24d0021ec3592381e84c..ef166446e837c3f7cd824c1abf4b5cc587aec9da 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -433,6 +433,14 @@ static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx, + if (c >= num_subdomains) { + /* ok this subdomain does not exist anymore, let's clean up */ + sss_domain_set_state(dom, DOM_DISABLED); ++ ++ /* Just disable the forest root but do not remove sdap data */ ++ if (sss_domain_is_forest_root(dom)) { ++ DEBUG(SSSDBG_TRACE_ALL, ++ "Skipping removal of forest root sdap data.\n"); ++ continue; ++ } ++ + ret = sysdb_subdomain_delete(dom->sysdb, dom->name); + if (ret != EOK) { + goto done; +@@ -633,6 +641,7 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx) + const char *path; + errno_t ret; + bool canonicalize = false; ++ struct sss_domain_info *dom; + + path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic, + AD_KRB5_CONFD_PATH); +@@ -675,6 +684,17 @@ static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx) + return ret; + } + ++ /* Make sure 
disabled domains are not re-enabled accidentially */ ++ if (subdoms_ctx->ad_enabled_domains != NULL) { ++ for (dom = subdoms_ctx->be_ctx->domain->subdomains; dom; ++ dom = get_next_domain(dom, false)) { ++ if (!is_domain_enabled(dom->name, ++ subdoms_ctx->ad_enabled_domains)) { ++ sss_domain_set_state(dom, DOM_DISABLED); ++ } ++ } ++ } ++ + return EOK; + } + +@@ -898,7 +918,7 @@ static errno_t ad_get_slave_domain_recv(struct tevent_req *req) + static struct sss_domain_info * + ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs) + { +- struct sss_domain_info *root; ++ struct sss_domain_info *dom; + const char *name; + errno_t ret; + +@@ -909,9 +929,22 @@ ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs) + } + + /* With a subsequent run, the root should already be known */ +- root = find_domain_by_name(be_ctx->domain, name, false); ++ for (dom = be_ctx->domain; dom != NULL; ++ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) { + +- return root; ++ if (strcasecmp(dom->name, name) == 0) { ++ /* The forest root is special, although it might be disabled for ++ * general lookups we still want to try to get the domains in the ++ * forest from a DC of the forest root */ ++ if (sss_domain_get_state(dom) == DOM_DISABLED ++ && !sss_domain_is_forest_root(dom)) { ++ return NULL; ++ } ++ return dom; ++ } ++ } ++ ++ return NULL; + } + + static struct ad_id_ctx * +-- +2.12.2 + diff --git a/0129-overrides-add-certificates-to-mapped-attribute.patch b/0129-overrides-add-certificates-to-mapped-attribute.patch new file mode 100644 index 0000000..c428c25 --- /dev/null +++ b/0129-overrides-add-certificates-to-mapped-attribute.patch 
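Review bot: The new loop in ad_subdom_reinit() calls `get_next_domain(dom, false)` while the rewritten ads_get_root_domain() in the same patch passes `SSS_GND_ALL_DOMAINS`; the second argument is a flags word, so a boolean reads as an oversight even though it compiles to 0. If the intent is to visit only the enabled, top-level subdomains, `get_next_domain(dom, 0)` with a comment like `/* enabled top-level subdomains only */` would make that explicit — please confirm that is the intended traversal, since already-disabled domains would presumably be skipped by it. The loop also sets `DOM_DISABLED` on the forest root when it is absent from `ad_enabled_domains`, which is consistent with the first hunk keeping the root's sdap data, but a comment stating that the root stays usable for topology lookups despite being disabled would save the next reader re-deriving it; the comment's `accidentially` should read `accidentally`. ad_subdom_reinit() starts outside the hunk.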
@@ -0,0 +1,101 @@ +From 2e5fc89ef25434fab7febe2c52e97ef989b50d5b Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 27 Apr 2017 09:28:55 +0200 +Subject: [PATCH 129/135] overrides: add certificates to mapped attribute +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Certificates in overrides are explicitly used to map users to +certificates, so we add them to SYSDB_USER_MAPPED_CERT as well. + +Resolves https://pagure.io/SSSD/sssd/issue/3373 + +Reviewed-by: Pavel Březina +--- + src/db/sysdb_views.c | 41 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c +index 20db9b06183d68b33bb19f498513d7f5cf84b1cf..3773dda77e16b35fa217be0aa7974da7e34c09f4 100644 +--- a/src/db/sysdb_views.c ++++ b/src/db/sysdb_views.c +@@ -777,6 +777,7 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain, + int ret; + TALLOC_CTX *tmp_ctx; + struct sysdb_attrs *attrs; ++ struct sysdb_attrs *mapped_attrs = NULL; + size_t c; + size_t d; + size_t num_values; +@@ -791,6 +792,7 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain, + SYSDB_USER_CERT, + NULL }; + bool override_attrs_found = false; ++ bool is_cert = false; + + if (override_attrs == NULL) { + /* nothing to do */ +@@ -846,6 +848,24 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain, + num_values = 1; + } + ++ is_cert = false; ++ if (strcmp(allowed_attrs[c], SYSDB_USER_CERT) == 0) { ++ /* Certificates in overrides are explicitly used to map ++ * users to certificates, so we add them to ++ * SYSDB_USER_MAPPED_CERT as well. 
*/ ++ is_cert = true; ++ ++ if (mapped_attrs == NULL) { ++ mapped_attrs = sysdb_new_attrs(tmp_ctx); ++ if (mapped_attrs == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sysdb_new_attrs failed.\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ } ++ } ++ + for (d = 0; d < num_values; d++) { + ret = sysdb_attrs_add_val(attrs, allowed_attrs[c], + &el->values[d]); +@@ -854,6 +874,18 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain, + "sysdb_attrs_add_val failed.\n"); + goto done; + } ++ ++ if (is_cert) { ++ ret = sysdb_attrs_add_val(mapped_attrs, ++ SYSDB_USER_MAPPED_CERT, ++ &el->values[d]); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sysdb_attrs_add_val failed.\n"); ++ goto done; ++ } ++ } ++ + DEBUG(SSSDBG_TRACE_ALL, + "Override [%s] with [%.*s] for [%s].\n", + allowed_attrs[c], (int) el->values[d].length, +@@ -878,6 +910,15 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain, + DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n"); + goto done; + } ++ ++ if (mapped_attrs != NULL) { ++ ret = sysdb_set_entry_attr(domain->sysdb, obj_dn, mapped_attrs, ++ SYSDB_MOD_ADD); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sysdb_set_entry_attr failed, ignored.\n"); ++ } ++ } + } + + ret = EOK; +-- +2.12.2 + diff --git a/0130-IPA-Improve-s2n-debug-message-for-missing-ipaNTSecur.patch b/0130-IPA-Improve-s2n-debug-message-for-missing-ipaNTSecur.patch new file mode 100644 index 0000000..1f3abf6 --- /dev/null +++ b/0130-IPA-Improve-s2n-debug-message-for-missing-ipaNTSecur.patch 
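Review bot: The `sysdb_set_entry_attr(..., mapped_attrs, SYSDB_MOD_ADD)` failure near the end of the hunk is logged and then ignored, so an override certificate can end up in `SYSDB_USER_CERT` but not in `SYSDB_USER_MAPPED_CERT` without the caller learning it, and since the mapped attribute is what the patch says ties a certificate to a user, that divergence is worth distinguishing from a benign one. If the ignore exists to tolerate a value that is already present, checking for that specific error and propagating the rest would keep the intent, e.g. `if (ret != EOK && ret != EEXIST) { goto done; }` — please confirm which error sysdb_set_entry_attr() returns for a duplicate value, as that is not visible here. The message `"sysdb_set_entry_attr failed, ignored.\n"` would then only cover the tolerated case. sysdb_apply_default_override() starts and ends outside the hunk.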
@@ -0,0 +1,44 @@ +From 0c5f463e9629ac08d647c70cffb30bccdd57ae96 Mon Sep 17 00:00:00 2001 +From: Justin Stephenson +Date: Tue, 25 Apr 2017 13:02:10 -0400 +Subject: [PATCH 130/135] IPA: Improve s2n debug message for missing + ipaNTSecurityIdentifier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch improves the log message to be more information for +the SSSD user troubleshooting issues. + +If the IDM POSIX group used for AD trust HBAC/SUDO operation is missing +the ipaNTSecurityIdentifier it can cause client s2n operations failures +resolving the group which resulted in the inability to login for the AD +user. + +Reviewed-by: Pavel Březina +--- + src/providers/ipa/ipa_s2n_exop.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c +index 55ec904ca3188c7cf10ac41972e9ecf94ebf44bb..f5f4401f86615dc7f81f844e1096ad43e965c384 100644 +--- a/src/providers/ipa/ipa_s2n_exop.c ++++ b/src/providers/ipa/ipa_s2n_exop.c +@@ -2580,7 +2580,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, + ret = sysdb_attrs_get_string(attrs->sysdb_attrs, SYSDB_SID_STR, &sid_str); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Cannot find SID of object with override.\n"); ++ "Cannot find SID of object.\n"); ++ if (name != NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Object [%s] has no SID, please check the " ++ "ipaNTSecurityIdentifier attribute on the server-side.\n", ++ name); ++ } + goto done; + } + +-- +2.12.2 + diff --git a/0131-Use-correct-spelling-of-override.patch b/0131-Use-correct-spelling-of-override.patch new file mode 100644 index 0000000..251c4d4 --- /dev/null +++ b/0131-Use-correct-spelling-of-override.patch 
@@ -0,0 +1,114 @@ +From 352f4832324839d358235de1236090b1fd4ddc0f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ren=C3=A9=20Genz?= +Date: Tue, 25 Apr 2017 20:33:58 +0000 +Subject: [PATCH 131/135] Use correct spelling of override + +Reviewed-by: Jakub Hrozek +--- + src/config/SSSDConfig/__init__.py.in | 2 +- + src/config/cfg_rules.ini | 2 +- + src/config/etc/sssd.api.d/sssd-ipa.conf | 2 +- + src/db/sysdb_views.c | 6 +++--- + src/man/sssd-ipa.5.xml | 2 +- + src/providers/ipa/ipa_opts.c | 2 +- + 6 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in +index 54ad722f07ef91a13a0df278ffd2b1c166bc8d36..5ca31cfefccbb09438d261d4287cd8db736d348e 100644 +--- a/src/config/SSSDConfig/__init__.py.in ++++ b/src/config/SSSDConfig/__init__.py.in +@@ -211,7 +211,7 @@ option_strings = { + 'ipa_views_search_base': _("Search base for view containers"), + 'ipa_view_class': _("Objectclass for view containers"), + 'ipa_view_name': _("Attribute with the name of the view"), +- 'ipa_overide_object_class': _("Objectclass for override objects"), ++ 'ipa_override_object_class': _("Objectclass for override objects"), + 'ipa_anchor_uuid': _("Attribute with the reference to the original object"), + 'ipa_user_override_object_class': _("Objectclass for user override objects"), + 'ipa_group_override_object_class': _("Objectclass for group override objects"), +diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini +index e47ff33242d6a9e5979fe0eb8eea14c2af28685a..64cb1474fadba5d5372470a17cd9cd7c7cec7835 100644 +--- a/src/config/cfg_rules.ini ++++ b/src/config/cfg_rules.ini +@@ -457,7 +457,7 @@ option = ipa_netgroup_member_user + option = ipa_netgroup_name + option = ipa_netgroup_object_class + option = ipa_netgroup_uuid +-option = ipa_overide_object_class ++option = ipa_override_object_class + option = ipa_ranges_search_base + option = ipa_selinux_refresh + option = ipa_selinux_usermap_enabled +diff --git 
a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf +index 88da36ef4a0a067530dfd44b7a231f4f74c800f2..f36b568c3ea813db3f46fdd69059957f6373801e 100644 +--- a/src/config/etc/sssd.api.d/sssd-ipa.conf ++++ b/src/config/etc/sssd.api.d/sssd-ipa.conf +@@ -143,7 +143,7 @@ ldap_pwdlockout_dn = str, None, false + ipa_views_search_base = str, None, false + ipa_view_class = str, None, false + ipa_view_name = str, None, false +-ipa_overide_object_class = str, None, false ++ipa_override_object_class = str, None, false + ipa_anchor_uuid = str, None, false + ipa_user_override_object_class = str, None, false + ipa_group_override_object_class = str, None, false +diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c +index 3773dda77e16b35fa217be0aa7974da7e34c09f4..afc7852ecf402ef144beca9c1b94fbe3cc4bbb6a 100644 +--- a/src/db/sysdb_views.c ++++ b/src/db/sysdb_views.c +@@ -521,7 +521,7 @@ errno_t sysdb_store_override(struct sss_domain_info *domain, + NULL); + if (obj_override_dn != NULL) { + /* obj_override_dn can either point to the object itself, i.e there is +- * no override, or to a overide object. This means it can change from ++ * no override, or to a override object. This means it can change from + * the object DN to a override DN and back but not from one override + * DN to a different override DN. If the new and the old DN are the + * same we do not need to update the original object. 
*/ +@@ -931,7 +931,7 @@ done: + + #define SYSDB_USER_NAME_OVERRIDE_FILTER "(&(objectClass="SYSDB_OVERRIDE_USER_CLASS")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))" + #define SYSDB_USER_UID_OVERRIDE_FILTER "(&(objectClass="SYSDB_OVERRIDE_USER_CLASS")("SYSDB_UIDNUM"=%lu))" +-#define SYSDB_USER_CERT_OVERIDE_FILTER "(&(objectClass="SYSDB_OVERRIDE_USER_CLASS")%s)" ++#define SYSDB_USER_CERT_OVERRIDE_FILTER "(&(objectClass="SYSDB_OVERRIDE_USER_CLASS")%s)" + #define SYSDB_GROUP_NAME_OVERRIDE_FILTER "(&(objectClass="SYSDB_OVERRIDE_GROUP_CLASS")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))" + #define SYSDB_GROUP_GID_OVERRIDE_FILTER "(&(objectClass="SYSDB_OVERRIDE_GROUP_CLASS")("SYSDB_GIDNUM"=%lu))" + +@@ -978,7 +978,7 @@ errno_t sysdb_search_override_by_cert(TALLOC_CTX *mem_ctx, + } + + ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &override_res, base_dn, +- LDB_SCOPE_SUBTREE, attrs, SYSDB_USER_CERT_OVERIDE_FILTER, ++ LDB_SCOPE_SUBTREE, attrs, SYSDB_USER_CERT_OVERRIDE_FILTER, + cert_filter); + if (ret != LDB_SUCCESS) { + ret = sysdb_error_to_errno(ret); +diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml +index fee644186c9ed11eee18cd27450e56aea38d05bf..98db5b96d9abf157440440eab0882e49595efa5f 100644 +--- a/src/man/sssd-ipa.5.xml ++++ b/src/man/sssd-ipa.5.xml +@@ -546,7 +546,7 @@ + + + +- ipa_overide_object_class (string) ++ ipa_override_object_class (string) + + + Objectclass of the override objects. 
+diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c +index cd3fe9ae4302ff4837a500b9a0c834dadb11f87d..f9f3a2a6992be6cf5cb3c699b30c45ca9dbb42ab 100644 +--- a/src/providers/ipa/ipa_opts.c ++++ b/src/providers/ipa/ipa_opts.c +@@ -277,7 +277,7 @@ struct sdap_attr_map ipa_view_map[] = { + }; + + struct sdap_attr_map ipa_override_map[] = { +- { "ipa_overide_object_class", "ipaOverrideAnchor", SYSDB_OVERRIDE_CLASS, NULL}, ++ { "ipa_override_object_class", "ipaOverrideAnchor", SYSDB_OVERRIDE_CLASS, NULL}, + { "ipa_anchor_uuid", "ipaAnchorUUID", SYSDB_OVERRIDE_ANCHOR_UUID, NULL}, + { "ipa_user_override_object_class", "ipaUserOverride", SYSDB_OVERRIDE_USER_CLASS, NULL}, + { "ipa_group_override_object_class", "ipaGroupOverride", SYSDB_OVERRIDE_GROUP_CLASS, NULL}, +-- +2.12.2 + diff --git a/0132-cache_req-Avoid-bool-in-switch-case.patch b/0132-cache_req-Avoid-bool-in-switch-case.patch new file mode 100644 index 0000000..080042e --- /dev/null +++ b/0132-cache_req-Avoid-bool-in-switch-case.patch 
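Review bot: Renaming the configuration key `ipa_overide_object_class` to `ipa_override_object_class` in `cfg_rules.ini`, `sssd-ipa.conf`, `__init__.py.in` and `ipa_override_map[]` changes a user-visible option name with no compatibility alias, so an existing sssd.conf using the old spelling would presumably be rejected by the config-rules check or have its value ignored after upgrade. Either keeping the misspelled key as an accepted alias in `cfg_rules.ini` and `ipa_override_map[]`, or stating in the man page that the old spelling is no longer accepted, would make the behaviour change explicit; whether anyone sets this option in practice is not visible here. The `SYSDB_USER_CERT_OVERRIDE_FILTER` rename and comment fix in sysdb_views.c are internal and fine.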
@@ -0,0 +1,49 @@ +From b70ec63cca034ce9c638f2dcefbd4358b654d2e1 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Thu, 27 Apr 2017 10:45:30 +0200 +Subject: [PATCH 132/135] cache_req: Avoid bool in switch/case +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Pair-Programmed-With: Michal Židek + +Reviewed-by: Fabiano Fidêncio +Reviewed-by: Pavel Březina +Reviewed-by: Michal Židek +--- + src/responder/common/cache_req/cache_req_domain.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c +index 2c238c9966d322bb542fa2047313ee9e5144edee..8bf7fc6dc155123b5525127d6ee23ce98a50f490 100644 +--- a/src/responder/common/cache_req/cache_req_domain.c ++++ b/src/responder/common/cache_req/cache_req_domain.c +@@ -89,17 +89,13 @@ cache_req_domain_use_fqnames(struct sss_domain_info *domain, + * - false: in this case, the usage of fully-qualified-names will be + * done accordingly to what's set for the domain itself. + */ +- switch (head->fqnames) { +- case true: +- return true; +- case false: +- switch (enforce_non_fqnames) { +- case true: +- return false; +- case false: +- return domain->fqnames; +- } +- } ++ if (head->fqnames) { ++ return true; ++ } else if (enforce_non_fqnames) { ++ return false; ++ } else { ++ return domain->fqnames; ++ } + } + + static struct cache_req_domain * +-- +2.12.2 + diff --git a/0133-ssh-tools-The-ai-structure-is-not-an-array.patch b/0133-ssh-tools-The-ai-structure-is-not-an-array.patch new file mode 100644 index 0000000..2718f47 --- /dev/null +++ b/0133-ssh-tools-The-ai-structure-is-not-an-array.patch 
@@ -0,0 +1,51 @@ +From 08084b1179bb9fc38bc22b464b3d44907107bfd3 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Tue, 25 Apr 2017 12:39:32 +0000 +Subject: [PATCH 133/135] ssh tools: The ai structure is not an array, +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This structure is actually a linked list, so do not mislead readers by +treating it as an array. + +Resolves: +https://pagure.io/SSSD/sssd/issue/1498 + +Merges: https://pagure.io/SSSD/sssd/pull-request/3383 + +Signed-off-by: Simo Sorce +Reviewed-by: Lukáš Slebodník +--- + src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c +index adb82288d435cefccf7e23e6ed2b2c551798a7f8..310243c2fc8091f711559d4afb412e619af687ad 100644 +--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c ++++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c +@@ -268,10 +268,10 @@ int main(int argc, const char **argv) + DEBUG(SSSDBG_OP_FAILURE, + "getaddrinfo() failed (%d): %s\n", ret, gai_strerror(ret)); + } else { +- host = ai[0].ai_canonname; ++ host = ai->ai_canonname; + } + } else { +- ret = getnameinfo(ai[0].ai_addr, ai[0].ai_addrlen, ++ ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, + canonhost, NI_MAXHOST, NULL, 0, NI_NAMEREQD); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, +@@ -295,7 +295,7 @@ int main(int argc, const char **argv) + if (pc_args) { + ret = connect_proxy_command(discard_const(pc_args)); + } else if (ai) { +- ret = connect_socket(ai[0].ai_family, ai[0].ai_addr, ai[0].ai_addrlen); ++ ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen); + } else { + ret = EFAULT; + } +-- +2.12.2 + diff --git a/0134-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch b/0134-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch new file mode 100644 index 0000000..ff53910 --- /dev/null 
+++ b/0134-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch @@ -0,0 +1,46 @@ +From 5f6232c7e6d9635c1d6b6b09f799309b6094b143 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Tue, 25 Apr 2017 14:00:15 +0000 +Subject: [PATCH 134/135] ssh tools: Fix issues with multiple IP addresses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Cycle through all resolved address until one succeed or all fail. +This is needed for dual stack systems where either IPv4 or IPv6 are +improperly configured or selectively filtered at some point along the +route. + +Resolves: +https://pagure.io/SSSD/sssd/issue/1498 + +Merges: https://pagure.io/SSSD/sssd/pull-request/3383 + +Signed-off-by: Simo Sorce +Reviewed-by: Lukáš Slebodník +--- + src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c +index 310243c2fc8091f711559d4afb412e619af687ad..b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29 100644 +--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c ++++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c +@@ -295,7 +295,13 @@ int main(int argc, const char **argv) + if (pc_args) { + ret = connect_proxy_command(discard_const(pc_args)); + } else if (ai) { +- ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen); ++ /* Try all IP addresses before giving up */ ++ for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) { ++ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen); ++ if (ret == 0) { ++ break; ++ } ++ } + } else { + ret = EFAULT; + } +-- +2.12.2 + diff --git a/0135-ssh-tools-Split-connect-and-communication-phases.patch b/0135-ssh-tools-Split-connect-and-communication-phases.patch new file mode 100644 index 0000000..bcc71c1 --- /dev/null +++ b/0135-ssh-tools-Split-connect-and-communication-phases.patch 
@@ -0,0 +1,95 @@ +From 244adc327f7e29ba2c7ef60bc9f732d8fe3e68c9 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Tue, 25 Apr 2017 19:19:13 +0000 +Subject: [PATCH 135/135] ssh tools: Split connect and communication phases +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We can fallback after a connect error, but we cannot easily fall back +once we start sending data as we may have consumed part of the buffer so +reconnecting and sending what's left would not make sense. + +Therefore we now fallback on connect errors, but we issue a hard fail if +error happens after communication has been established. + +Resolves: +https://pagure.io/SSSD/sssd/issue/1498 + +Merges: https://pagure.io/SSSD/sssd/pull-request/3383 + +Signed-off-by: Simo Sorce +Reviewed-by: Lukáš Slebodník +--- + src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 30 ++++++++++++++++++++-------- + 1 file changed, 22 insertions(+), 8 deletions(-) + +diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c +index b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29..976ba86b321923cecad0703214e22b0a773ef585 100644 +--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c ++++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c +@@ -40,14 +40,10 @@ + + /* connect to server using socket */ + static int +-connect_socket(int family, struct sockaddr *addr, size_t addr_len) ++connect_socket(int family, struct sockaddr *addr, size_t addr_len, int *sd) + { + int flags; + int sock = -1; +- struct pollfd fds[2]; +- char buffer[BUFFER_SIZE]; +- int i; +- ssize_t res; + int ret; + + /* set O_NONBLOCK on standard input */ +@@ -85,6 +81,22 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len) + goto done; + } + ++ *sd = sock; ++ ++done: ++ if (ret != 0 && sock >= 0) close(sock); ++ return ret; ++} ++ ++static int proxy_data(int sock) ++{ ++ int flags; ++ struct pollfd fds[2]; ++ char buffer[BUFFER_SIZE]; ++ int i; ++ ssize_t res; ++ int 
ret; ++ + /* set O_NONBLOCK on the socket */ + flags = fcntl(sock, F_GETFL); + if (flags == -1) { +@@ -158,8 +170,7 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len) + } + + done: +- if (sock >= 0) close(sock); +- ++ close(sock); + return ret; + } + +@@ -297,8 +308,11 @@ int main(int argc, const char **argv) + } else if (ai) { + /* Try all IP addresses before giving up */ + for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) { +- ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen); ++ int socket_descriptor = -1; ++ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen, ++ &socket_descriptor); + if (ret == 0) { ++ ret = proxy_data(socket_descriptor); + break; + } + } +-- +2.12.2 + diff --git a/sssd.spec b/sssd.spec index 750c896..41655b8 100644 --- a/sssd.spec +++ b/sssd.spec @@ -34,7 +34,7 @@ Name: sssd Version: 1.15.3 -Release: 0.beta.2%{?dist} +Release: 0.beta.3%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ 
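Review bot: The new `connect_socket()` contract — on success `*sd` holds an open, connected socket whose ownership passes to the caller, on failure nothing is left open — and the matching contract of `proxy_data()`, which closes `sock` on every path through its `done:`, are not written down, and main() relies on both to avoid leaking descriptors across the address loop. A short comment on each definition would pin this: `/* On success stores the connected socket in *sd; the caller owns it. */` for connect_socket() and `/* Takes ownership of sock and closes it before returning. */` for proxy_data(). The single-line `if (ret != 0 && sock >= 0) close(sock);` at the new `done:` label would also read better braced like the rest of the file; the value of `ret` on the `goto done` paths that precede the hunk is not visible, so I cannot confirm every path sets it before the label. The moved body of proxy_data() between the hunks is not shown.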
@@ -141,6 +141,44 @@ Patch0095: 0095-BUILD-Fix-compilation-of-libsss_certmap-with-libcryp.patch Patch0096: 0096-responders-do-not-leak-selinux-context-on-clients-de.patch Patch0097: 0097-ipa_s2n_get_acct_info_send-provide-correct-req_input.patch Patch0098: 0098-selinux-Do-not-fail-if-SELinux-is-not-managed.patch +Patch0099: 0099-DP-Fix-typo.patch +Patch0100: 0100-CONFDB-Fix-handling-of-enable_files_domain.patch +Patch0101: 0101-pam_test_client-add-service-and-environment-to-PAM-t.patch +Patch0102: 0102-pam_test_client-add-SSSD-getpwnam-lookup.patch +Patch0103: 0103-sss_sifp-update-method-names.patch +Patch0104: 0104-pam_test_client-add-InfoPipe-user-lookup.patch +Patch0105: 0105-sssctl-integrate-pam_test_client-into-sssctl.patch +Patch0106: 0106-i18n-adding-sssctl-files.patch +Patch0107: 0107-config-check-Message-when-sssd.conf-is-missing.patch +Patch0108: 0108-KRB5_LOCATOR-add-env-variable-to-disable-plugin.patch +Patch0109: 0109-sbus-check-connection-for-NULL-before-unregister-it.patch +Patch0110: 0110-UTIL-Use-max-15-characters-for-AD-host-UPN.patch +Patch0111: 0111-minor-typo-fixes.patch +Patch0112: 0112-SPEC-Drop-conditional-build-for-krb5_local_auth_plug.patch +Patch0113: 0113-README-Update-links-to-mailing-lists.patch +Patch0114: 0114-Move-sized_output_name-and-sized_domain_name-into-re.patch +Patch0115: 0115-IFP-Use-sized_domain_name-to-format-the-groups-the-u.patch +Patch0116: 0116-SECRETS-remove-unused-variable.patch +Patch0117: 0117-IPA-Improve-DEBUG-message-if-a-group-has-no-ipaNTSec.patch +Patch0118: 0118-RESPONDER-Fallback-to-global-domain-resolution-order.patch +Patch0119: 0119-NSS-TESTS-Improve-non-fqnames-tests.patch +Patch0120: 0120-CACHE_REQ-Allow-configurationless-shortname-lookups.patch +Patch0121: 0121-CACHE_REQ_DOMAIN-Add-some-comments-to-cache_req_doma.patch +Patch0122: 0122-RESPONDER_COMMON-Improve-domaiN_resolution_order-deb.patch +Patch0123: 0123-CACHE_REQ_DOMAIN-debug-the-set-domain-resolution-ord.patch +Patch0124: 
0124-LDAP-Allow-passing-a-NULL-map-to-sdap_search_bases_e.patch +Patch0125: 0125-IPA-Use-search-bases-instead-of-domain_to_basedn-whe.patch +Patch0126: 0126-CONFDB-Fix-standalone-application-domains.patch +Patch0127: 0127-utils-add-sss_domain_is_forest_root.patch +Patch0128: 0128-ad-handle-forest-root-not-listed-in-ad_enabled_domai.patch +Patch0129: 0129-overrides-add-certificates-to-mapped-attribute.patch +Patch0130: 0130-IPA-Improve-s2n-debug-message-for-missing-ipaNTSecur.patch +Patch0131: 0131-Use-correct-spelling-of-override.patch +Patch0132: 0132-cache_req-Avoid-bool-in-switch-case.patch +Patch0133: 0133-ssh-tools-The-ai-structure-is-not-an-array.patch +Patch0134: 0134-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch +Patch0135: 0135-ssh-tools-Split-connect-and-communication-phases.patch + Patch0502: 0502-SYSTEMD-Use-capabilities.patch @@ -280,6 +318,7 @@ Group: Development/Libraries License: LGPLv3+ Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig +Conflicts: sssd-common < %{version}-%{release} %description -n libsss_sudo A utility library to allow communication between SUDO and SSSD @@ -288,6 +327,7 @@ A utility library to allow communication between SUDO and SSSD Summary: A library to allow communication between Autofs and SSSD Group: Development/Libraries License: LGPLv3+ +Conflicts: sssd-common < %{version}-%{release} %description -n libsss_autofs A utility library to allow communication between Autofs and SSSD @@ -609,6 +649,7 @@ Summary: The SSSD libwbclient implementation Group: Applications/System License: GPLv3+ and LGPLv3+ Conflicts: libwbclient < 4.2.0-0.2.rc2 +Conflicts: sssd-common < %{version}-%{release} %description libwbclient The SSSD libwbclient implementation. 
@@ -627,6 +668,7 @@ Development libraries for the SSSD libwbclient implementation.
 Summary: SSSD's idmap_sss Backend for Winbind
 Group: Applications/System
 License: GPLv3+ and LGPLv3+
+Conflicts: sssd-common < %{version}-%{release}
 
 %description winbind-idmap
 The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs
@@ -636,6 +678,7 @@ and SIDs.
 Summary: SSSD plug-in for NFSv4 rpc.idmapd
 Group: Applications/System
 License: GPLv3+
+Conflicts: sssd-common < %{version}-%{release}
 
 %description nfs-idmap
 The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map
@@ -648,6 +691,7 @@ Group: Development/Libraries
 License: LGPLv3+
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
+Conflicts: sssd-common < %{version}-%{release}
 
 %description -n libsss_certmap
 Library to map certificates to users based on rules
@@ -775,10 +819,11 @@ do
 done
 touch sssd.lang
 
-for subpackage in ldap krb5 ipa ad proxy tools client dbus nfs_idmap \
- winbind_idmap
+for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
+ sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
+ libsss_certmap sssd_kcm
 do
- touch sssd_$subpackage.lang
+ touch $subpackage.lang
 done
 
 for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
@@ -824,9 +869,15 @@ do
 sssd-ifp*)
 echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_dbus.lang
 ;;
+ sssd-kcm*)
+ echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_kcm.lang
+ ;;
 idmap_sss*)
 echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_winbind_idmap.lang
 ;;
+ sss-certmap*)
+ echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang
+ ;;
 *)
 echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
 ;;
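Review bot: The subpackage list in this `touch` loop (`for subpackage in sssd_ldap ... libsss_certmap sssd_kcm`) is repeated verbatim in the `echo`/`cat` loop of the later `@@ -843,11 +894,12 @@` hunk, so the two can silently drift, and a name missing from this first loop leaves no `.lang` file behind for a `%files ... -f` line, which then fails only at packaging time. If both loops run in the same section, declaring the list once before this loop, e.g. `lang_subpackages="sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap libsss_certmap sssd_kcm"`, and iterating with `for subpackage in $lang_subpackages` in both places removes the duplication. The `sssd-kcm*` and `sss-certmap*` case arms added in the next hunk are the part that must stay in step with that list, so a comment next to the list naming that case statement would help too.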
@@ -843,11 +894,12 @@ cat python2_sssdconfig.lang
 echo "python3_sssdconfig.lang:"
 cat python3_sssdconfig.lang
 
-for subpackage in ldap krb5 ipa ad proxy tools client dbus nfs_idmap \
- winbind_idmap
+for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
+ sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
+ libsss_certmap sssd_kcm
 do
- echo "sssd_$subpackage.lang:"
- cat sssd_$subpackage.lang
+ echo "$subpackage.lang:"
+ cat $subpackage.lang
 done
 
 %files
@@ -1183,26 +1235,27 @@ done
 %{_mandir}/man5/sss_rpcidmapd.5*
 %{_libdir}/libnfsidmap/sss.so
 
-%files -n libsss_certmap
+%files -n libsss_certmap -f libsss_certmap.lang
 %defattr(-,root,root,-)
 %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
 %{_libdir}/libsss_certmap.so.*
+%{_mandir}/man5/sss-certmap.5*
 
 %files -n libsss_certmap-devel
 %defattr(-,root,root,-)
 %doc certmap_doc/html
-%{_mandir}/man5/sss-certmap.5*
 %{_includedir}/sss_certmap.h
 %{_libdir}/libsss_certmap.so
 %{_libdir}/pkgconfig/sss_certmap.pc
 
-%files kcm
+%files kcm -f sssd_kcm.lang
 %{_libexecdir}/%{servicename}/sssd_kcm
 %dir %{_sysconfdir}/krb5.conf.d
 %config(noreplace) %{_sysconfdir}/krb5.conf.d/kcm_default_ccache
 %{_unitdir}/sssd-kcm.socket
 %{_unitdir}/sssd-kcm.service
 %{_mandir}/man8/sssd-kcm.8*
+
 %post common
 %systemd_post sssd.service
 %systemd_post sssd-autofs.socket
@@ -1226,7 +1279,6 @@ done
 %systemd_preun sssd-sudo.socket
 
 %postun common
-%systemd_postun_with_restart sssd.service
 %systemd_postun_with_restart sssd-autofs.socket
 %systemd_postun_with_restart sssd-autofs.service
 %systemd_postun_with_restart sssd-nss.socket
@@ -1301,6 +1353,9 @@ fi
 
 %postun -n libsss_certmap -p /sbin/ldconfig
 
+%posttrans common
+%systemd_postun_with_restart sssd.service
+
 %posttrans libwbclient
 %{_sbindir}/update-alternatives \
 --install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
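Review bot: `%systemd_postun_with_restart sssd.service` under the new `%posttrans common` expands to a `systemctl try-restart` that is guarded by `if [ $1 -ge 1 ]`, and `%posttrans` is not handed the instance count that `%postun` receives (as far as I recall the RPM scriptlet documentation lists `$1` as 0 for `%pretrans`/`%posttrans`), so the restart branch would be skipped on every upgrade; since the `@@ -1226,7 +1279,6 @@` hunk removes the same line from `%postun common`, no scriptlet would restart sssd.service any more and the daemon could keep running pre-upgrade binaries and libraries after an update, including a security update. Please verify on a real upgrade; if the service is not restarted, an explicit `systemctl try-restart sssd.service >/dev/null 2>&1 || :` in `%posttrans common` does what the move intends without depending on the macro's argument check. A comment above `%posttrans common` stating why the restart was moved out of `%postun` (presumably so that it runs after every subpackage in the transaction has been upgraded) would also spare the next reader the archaeology.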
@@ -1325,6 +1380,12 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Sat Apr 29 2017 Lukas Slebodnik - 1.15.3-0.beta.3
+- Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication
+- Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with
+ file from package sssd-common-1.15.1-1.fc25.x86_64
+- Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4
+
 * Thu Apr 06 2017 Lukas Slebodnik - 1.15.3-0.beta.2
 - Fix issue with IPA + SELinux in containers
 - Resolves: upstream https://fedorahosted.org/sssd/ticket/3297