New upstream release 1.14.2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2
parent
856526f769
commit
85427c072c
1
.gitignore
vendored
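--- a/.gitignore
+++ b/.gitignore
@@ -72,3 +72,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.14.0beta1.tar.gz
 /sssd-1.14.0.tar.gz
 /sssd-1.14.1.tar.gz
+/sssd-1.14.2.tar.gz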
@ -1,79 +0,0 @@
|
|||||||
From 78db9b76d9be4aa307fbaaba7315b121421e8826 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Fri, 19 Aug 2016 11:36:41 +0200
|
|
||||||
Subject: [PATCH 01/39] CONFIG: selinux_provider is a valid provider type
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
We should not warn about it in the validator and should allow
|
|
||||||
selinux_provider from the config API.
|
|
||||||
|
|
||||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
(cherry picked from commit dec00197181ee8f7efbfbdadd73629f66f80f1ff)
|
|
||||||
---
|
|
||||||
src/config/SSSDConfig/__init__.py.in | 1 +
|
|
||||||
src/config/SSSDConfigTest.py | 2 ++
|
|
||||||
src/config/cfg_rules.ini | 1 +
|
|
||||||
src/config/etc/sssd.api.conf | 1 +
|
|
||||||
4 files changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
index 1718a9babf390b95710ec356f25f09ea679bdd73..9683ea63e042115c20010cfb0904b2f65d76468b 100644
|
|
||||||
--- a/src/config/SSSDConfig/__init__.py.in
|
|
||||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
@@ -128,6 +128,7 @@ option_strings = {
|
|
||||||
'autofs_provider' : _('Autofs provider'),
|
|
||||||
'session_provider' : _('Session-loading provider'),
|
|
||||||
'hostid_provider' : _('Host identity provider'),
|
|
||||||
+ 'selinux_provider' : _('SELinux provider'),
|
|
||||||
|
|
||||||
# [domain]
|
|
||||||
'min_id' : _('Minimum user ID'),
|
|
||||||
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
|
||||||
index 00c688f1e57c5f481d3adba2fe0374145216bc33..09adf1faad767968dc1df2cc1668144526ffe504 100755
|
|
||||||
--- a/src/config/SSSDConfigTest.py
|
|
||||||
+++ b/src/config/SSSDConfigTest.py
|
|
||||||
@@ -557,6 +557,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
||||||
'session_provider',
|
|
||||||
'hostid_provider',
|
|
||||||
'subdomains_provider',
|
|
||||||
+ 'selinux_provider',
|
|
||||||
'realmd_tags',
|
|
||||||
'subdomain_refresh_interval',
|
|
||||||
'subdomain_inherit',
|
|
||||||
@@ -926,6 +927,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
||||||
'session_provider',
|
|
||||||
'hostid_provider',
|
|
||||||
'subdomains_provider',
|
|
||||||
+ 'selinux_provider',
|
|
||||||
'realmd_tags',
|
|
||||||
'subdomain_refresh_interval',
|
|
||||||
'subdomain_inherit',
|
|
||||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
||||||
index ef6435b08aee416e377fe854e6768f3fa4fd9650..f0b4c4e7640aa24cf14815b2717327c742fcd89a 100644
|
|
||||||
--- a/src/config/cfg_rules.ini
|
|
||||||
+++ b/src/config/cfg_rules.ini
|
|
||||||
@@ -251,6 +251,7 @@ option = autofs_provider
|
|
||||||
option = session_provider
|
|
||||||
option = hostid_provider
|
|
||||||
option = subdomains_provider
|
|
||||||
+option = selinux_provider
|
|
||||||
|
|
||||||
# Options available to all domains
|
|
||||||
option = min_id
|
|
||||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
||||||
index 5ac6f79521f5f776fc17319c3afb87d44961afca..94edb45ad2b85e3f4200a917c914a8f4fcb29c28 100644
|
|
||||||
--- a/src/config/etc/sssd.api.conf
|
|
||||||
+++ b/src/config/etc/sssd.api.conf
|
|
||||||
@@ -106,6 +106,7 @@ autofs_provider = str, None, false
|
|
||||||
session_provider = str, None, false
|
|
||||||
hostid_provider = str, None, false
|
|
||||||
subdomains_provider = str, None, false
|
|
||||||
+selinux_provider = str, None, false
|
|
||||||
|
|
||||||
[domain]
|
|
||||||
# Options available to all domains
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,81 +0,0 @@
|
|||||||
From b37a86a8a84255742bbcffcb47e9e1a1dded0113 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Fri, 19 Aug 2016 11:48:20 +0200
|
|
||||||
Subject: [PATCH 02/39] CONFIG: session_provider does not exist anymore
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The session_provider used to exist a long time ago when we used to set
|
|
||||||
the SELinux context from it, but the provider had been removed for a
|
|
||||||
long time. We just forgot to remove the value from the config API and
|
|
||||||
the validator.
|
|
||||||
|
|
||||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
(cherry picked from commit d940593e647731c0caec1fd04cf16a1b23578f32)
|
|
||||||
---
|
|
||||||
src/config/SSSDConfig/__init__.py.in | 1 -
|
|
||||||
src/config/SSSDConfigTest.py | 2 --
|
|
||||||
src/config/cfg_rules.ini | 1 -
|
|
||||||
src/config/etc/sssd.api.conf | 1 -
|
|
||||||
4 files changed, 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
index 9683ea63e042115c20010cfb0904b2f65d76468b..b3f04ac26309bb5b518fb87cd0dae2962e853179 100644
|
|
||||||
--- a/src/config/SSSDConfig/__init__.py.in
|
|
||||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
@@ -126,7 +126,6 @@ option_strings = {
|
|
||||||
'chpass_provider' : _('Password change provider'),
|
|
||||||
'sudo_provider' : _('SUDO provider'),
|
|
||||||
'autofs_provider' : _('Autofs provider'),
|
|
||||||
- 'session_provider' : _('Session-loading provider'),
|
|
||||||
'hostid_provider' : _('Host identity provider'),
|
|
||||||
'selinux_provider' : _('SELinux provider'),
|
|
||||||
|
|
||||||
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
|
||||||
index 09adf1faad767968dc1df2cc1668144526ffe504..8fcd1a55c36035a7026f1fb4c8116aaae24e78ef 100755
|
|
||||||
--- a/src/config/SSSDConfigTest.py
|
|
||||||
+++ b/src/config/SSSDConfigTest.py
|
|
||||||
@@ -554,7 +554,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
||||||
'chpass_provider',
|
|
||||||
'sudo_provider',
|
|
||||||
'autofs_provider',
|
|
||||||
- 'session_provider',
|
|
||||||
'hostid_provider',
|
|
||||||
'subdomains_provider',
|
|
||||||
'selinux_provider',
|
|
||||||
@@ -924,7 +923,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
||||||
'chpass_provider',
|
|
||||||
'sudo_provider',
|
|
||||||
'autofs_provider',
|
|
||||||
- 'session_provider',
|
|
||||||
'hostid_provider',
|
|
||||||
'subdomains_provider',
|
|
||||||
'selinux_provider',
|
|
||||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
||||||
index f0b4c4e7640aa24cf14815b2717327c742fcd89a..df10538dee4a547a1b1af62a4cfe37b89e236b18 100644
|
|
||||||
--- a/src/config/cfg_rules.ini
|
|
||||||
+++ b/src/config/cfg_rules.ini
|
|
||||||
@@ -248,7 +248,6 @@ option = access_provider
|
|
||||||
option = chpass_provider
|
|
||||||
option = sudo_provider
|
|
||||||
option = autofs_provider
|
|
||||||
-option = session_provider
|
|
||||||
option = hostid_provider
|
|
||||||
option = subdomains_provider
|
|
||||||
option = selinux_provider
|
|
||||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
||||||
index 94edb45ad2b85e3f4200a917c914a8f4fcb29c28..5e69414f2a490977bdaf1555325814ad61202071 100644
|
|
||||||
--- a/src/config/etc/sssd.api.conf
|
|
||||||
+++ b/src/config/etc/sssd.api.conf
|
|
||||||
@@ -103,7 +103,6 @@ access_provider = str, None, false
|
|
||||||
chpass_provider = str, None, false
|
|
||||||
sudo_provider = str, None, false
|
|
||||||
autofs_provider = str, None, false
|
|
||||||
-session_provider = str, None, false
|
|
||||||
hostid_provider = str, None, false
|
|
||||||
subdomains_provider = str, None, false
|
|
||||||
selinux_provider = str, None, false
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,40 +0,0 @@
|
|||||||
From 224612480eb4a64b23e096a96e7c5ea0d746d25a Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Tue, 23 Aug 2016 23:46:59 +0200
|
|
||||||
Subject: [PATCH 03/39] PROXY: Use the fqname when converting to lowercase
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
When saving the user there is a comparison between the "cased alias"
|
|
||||||
and the "lowercase password name". However, the first doesn't use fully
|
|
||||||
qualified name while the second does, resulting in a not expected
|
|
||||||
override of the "nameAlias" attribute of a stored user when trying to
|
|
||||||
authenticate more than once using an alias.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3134
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 5691b2d668541585d2a8ae3ddb834f29d828036e)
|
|
||||||
---
|
|
||||||
src/providers/proxy/proxy_id.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
|
|
||||||
index 26f4d7499c02272e524ba9b713108189cd910bfd..b0c82807b42d91a4212578ca98af7f96484735b1 100644
|
|
||||||
--- a/src/providers/proxy/proxy_id.c
|
|
||||||
+++ b/src/providers/proxy/proxy_id.c
|
|
||||||
@@ -256,7 +256,7 @@ static int save_user(struct sss_domain_info *domain,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (lowercase) {
|
|
||||||
- lc_pw_name = sss_tc_utf8_str_tolower(attrs, pwd->pw_name);
|
|
||||||
+ lc_pw_name = sss_tc_utf8_str_tolower(attrs, real_name);
|
|
||||||
if (lc_pw_name == NULL) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
|
|
||||||
ret = ENOMEM;
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,253 +0,0 @@
|
|||||||
From 3c1c173bab2e3ee3058f5661562080d6a65e324f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Wed, 10 Aug 2016 20:05:52 +0200
|
|
||||||
Subject: [PATCH 04/39] sssd_netgroup.py: Resolve nested netgroups
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Reviewed-by: Petr Čech <pcech@redhat.com>
|
|
||||||
(cherry picked from commit c596fc4d75304ff224cbad0aa2aecd3cbe82d2ff)
|
|
||||||
---
|
|
||||||
src/tests/intg/sssd_netgroup.py | 204 ++++++++++++++++++++++++++++++----------
|
|
||||||
1 file changed, 154 insertions(+), 50 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py
|
|
||||||
index 3525261cb28707db9031ee1dfeb144ae4c362833..2c7f76fad4da0003d1760a359ac9a1834abbb2f9 100644
|
|
||||||
--- a/src/tests/intg/sssd_netgroup.py
|
|
||||||
+++ b/src/tests/intg/sssd_netgroup.py
|
|
||||||
@@ -71,49 +71,173 @@ class Netgrent(Structure):
|
|
||||||
("nip", c_void_p)]
|
|
||||||
|
|
||||||
|
|
||||||
-def call_sssd_setnetgrent(netgroup):
|
|
||||||
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
|
|
||||||
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
|
|
||||||
+class NetgroupRetriever(object):
|
|
||||||
+ def __init__(self, name):
|
|
||||||
+ self.name = name
|
|
||||||
+ self.needed_groups = []
|
|
||||||
+ self.known_groups = []
|
|
||||||
+ self.netgroups = []
|
|
||||||
|
|
||||||
- func = libnss_sss._nss_sss_setnetgrent
|
|
||||||
- func.restype = c_int
|
|
||||||
- func.argtypes = [c_char_p, POINTER(Netgrent)]
|
|
||||||
+ @staticmethod
|
|
||||||
+ def _setnetgrent(netgroup):
|
|
||||||
+ """
|
|
||||||
+ This private method is ctypes wrapper for
|
|
||||||
+ enum nss_status _nss_sss_setnetgrent(const char *netgroup,
|
|
||||||
+ struct __netgrent *result)
|
|
||||||
|
|
||||||
- result = Netgrent()
|
|
||||||
- result_p = POINTER(Netgrent)(result)
|
|
||||||
+ @param string name name of netgroup
|
|
||||||
|
|
||||||
- res = func(c_char_p(netgroup), result_p)
|
|
||||||
+ @return (int, POINTER(Netgrent)) (err, result_p)
|
|
||||||
+ err is a constant from class NssReturnCode and in case of SUCCESS
|
|
||||||
+ result_p will contain POINTER(Netgrent) which can be used in
|
|
||||||
+ _getnetgrent_r or _getnetgrent_r.
|
|
||||||
+ """
|
|
||||||
+ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
|
|
||||||
+ libnss_sss = cdll.LoadLibrary(libnss_sss_path)
|
|
||||||
|
|
||||||
- return (int(res), result_p)
|
|
||||||
+ func = libnss_sss._nss_sss_setnetgrent
|
|
||||||
+ func.restype = c_int
|
|
||||||
+ func.argtypes = [c_char_p, POINTER(Netgrent)]
|
|
||||||
|
|
||||||
+ result = Netgrent()
|
|
||||||
+ result_p = POINTER(Netgrent)(result)
|
|
||||||
|
|
||||||
-def call_sssd_getnetgrent_r(result_p, buff, buff_len):
|
|
||||||
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
|
|
||||||
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
|
|
||||||
+ res = func(c_char_p(netgroup), result_p)
|
|
||||||
|
|
||||||
- func = libnss_sss._nss_sss_getnetgrent_r
|
|
||||||
- func.restype = c_int
|
|
||||||
- func.argtypes = [POINTER(Netgrent), POINTER(c_char), c_size_t,
|
|
||||||
- POINTER(c_int)]
|
|
||||||
+ return (int(res), result_p)
|
|
||||||
|
|
||||||
- errno = POINTER(c_int)(c_int(0))
|
|
||||||
+ @staticmethod
|
|
||||||
+ def _getnetgrent_r(result_p, buff, buff_len):
|
|
||||||
+ """
|
|
||||||
+ This private method is ctypes wrapper for
|
|
||||||
+ enum nss_status _nss_sss_getnetgrent_r(struct __netgrent *result,
|
|
||||||
+ char *buffer, size_t buflen,
|
|
||||||
+ int *errnop)
|
|
||||||
+ @param POINTER(Netgrent) result_p pointer to initialized C structure
|
|
||||||
+ struct __netgrent
|
|
||||||
+ @param ctypes.c_char_Array buff buffer used by C functions
|
|
||||||
+ @param int buff_len size of c_char_Array passed as a paramere buff
|
|
||||||
|
|
||||||
- res = func(result_p, buff, buff_len, errno)
|
|
||||||
+ @return (int, int, List[(string, string, string])
|
|
||||||
+ (err, errno, netgroups)
|
|
||||||
+ if err is NssReturnCode.SUCCESS netgroups will contain list of
|
|
||||||
+ touples. Each touple will consist of 3 elemets either string or
|
|
||||||
+ """
|
|
||||||
+ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
|
|
||||||
+ libnss_sss = cdll.LoadLibrary(libnss_sss_path)
|
|
||||||
|
|
||||||
- return (int(res), int(errno[0]), result_p)
|
|
||||||
+ func = libnss_sss._nss_sss_getnetgrent_r
|
|
||||||
+ func.restype = c_int
|
|
||||||
+ func.argtypes = [POINTER(Netgrent), POINTER(c_char), c_size_t,
|
|
||||||
+ POINTER(c_int)]
|
|
||||||
|
|
||||||
+ errno = POINTER(c_int)(c_int(0))
|
|
||||||
|
|
||||||
-def call_sssd_endnetgrent(result_p):
|
|
||||||
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
|
|
||||||
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
|
|
||||||
+ res = func(result_p, buff, buff_len, errno)
|
|
||||||
|
|
||||||
- func = libnss_sss._nss_sss_endnetgrent
|
|
||||||
- func.restype = c_int
|
|
||||||
- func.argtypes = [POINTER(Netgrent)]
|
|
||||||
+ return (int(res), int(errno[0]), result_p)
|
|
||||||
|
|
||||||
- res = func(result_p)
|
|
||||||
+ @staticmethod
|
|
||||||
+ def _endnetgrent(result_p):
|
|
||||||
+ """
|
|
||||||
+ This private method is ctypes wrapper for
|
|
||||||
+ enum nss_status _nss_sss_endnetgrent(struct __netgrent *result)
|
|
||||||
|
|
||||||
- return int(res)
|
|
||||||
+ @param POINTER(Netgrent) result_p pointer to initialized C structure
|
|
||||||
+ struct __netgrent
|
|
||||||
+
|
|
||||||
+ @return int a constant from class NssReturnCode
|
|
||||||
+ """
|
|
||||||
+ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
|
|
||||||
+ libnss_sss = cdll.LoadLibrary(libnss_sss_path)
|
|
||||||
+
|
|
||||||
+ func = libnss_sss._nss_sss_endnetgrent
|
|
||||||
+ func.restype = c_int
|
|
||||||
+ func.argtypes = [POINTER(Netgrent)]
|
|
||||||
+
|
|
||||||
+ res = func(result_p)
|
|
||||||
+
|
|
||||||
+ return int(res)
|
|
||||||
+
|
|
||||||
+ def get_netgroups(self):
|
|
||||||
+ """
|
|
||||||
+ Function will return netgroup triplets for given user. All nested
|
|
||||||
+ netgroups will be retieved as part of executions and will content
|
|
||||||
+ will be merged with direct triplets.
|
|
||||||
+ Missing nested netgroups will not cause failure and are considered
|
|
||||||
+ as an empty netgroup without triplets.
|
|
||||||
+
|
|
||||||
+ @param string name name of netgroup
|
|
||||||
+
|
|
||||||
+ @return (int, int, List[(string, string, string])
|
|
||||||
+ (err, errno, netgroups)
|
|
||||||
+ if err is NssReturnCode.SUCCESS netgroups will contain list of
|
|
||||||
+ touples. Each touple will consist of 3 elemets either string or
|
|
||||||
+ None (host, user, domain).
|
|
||||||
+ """
|
|
||||||
+ res, errno, result = self._flat_fetch_netgroups(self.name)
|
|
||||||
+ if res != NssReturnCode.SUCCESS:
|
|
||||||
+ return (res, errno, self.netgroups)
|
|
||||||
+
|
|
||||||
+ self.netgroups += result
|
|
||||||
+
|
|
||||||
+ while self.needed_groups:
|
|
||||||
+ name = self.needed_groups.pop(0)
|
|
||||||
+
|
|
||||||
+ nest_res, nest_errno, result = self._flat_fetch_netgroups(name)
|
|
||||||
+ # do not fail for missing nested netgroup
|
|
||||||
+ if nest_res not in (NssReturnCode.SUCCESS, NssReturnCode.NOTFOUND):
|
|
||||||
+ return (nest_res, nest_errno, self.netgroups)
|
|
||||||
+
|
|
||||||
+ self.netgroups = result + self.netgroups
|
|
||||||
+
|
|
||||||
+ return (res, errno, self.netgroups)
|
|
||||||
+
|
|
||||||
+ def _flat_fetch_netgroups(self, name):
|
|
||||||
+ """
|
|
||||||
+ Function will return netgroup triplets for given user. The nested
|
|
||||||
+ netgroups will not be returned. Missing nested netgroups will be
|
|
||||||
+ appended to the array needed_groups
|
|
||||||
+
|
|
||||||
+ @param string name name of netgroup
|
|
||||||
+
|
|
||||||
+ @return (int, int, List[(string, string, string])
|
|
||||||
+ (err, errno, netgroups)
|
|
||||||
+ if err is NssReturnCode.SUCCESS netgroups will contain list of
|
|
||||||
+ touples. Each touple will consist of 3 elemets either string or
|
|
||||||
+ None (host, user, domain).
|
|
||||||
+ """
|
|
||||||
+ buff_len = 1024 * 1024
|
|
||||||
+ buff = create_string_buffer(buff_len)
|
|
||||||
+
|
|
||||||
+ result = []
|
|
||||||
+
|
|
||||||
+ res, result_p = self._setnetgrent(name)
|
|
||||||
+ if res != NssReturnCode.SUCCESS:
|
|
||||||
+ return (res, get_errno(), result)
|
|
||||||
+
|
|
||||||
+ res, errno, result_p = self._getnetgrent_r(result_p, buff, buff_len)
|
|
||||||
+ while res == NssReturnCode.SUCCESS:
|
|
||||||
+ if result_p[0].type == NetgroupType.GROUP_VAL:
|
|
||||||
+ nested_netgroup = result_p[0].val.group
|
|
||||||
+ if nested_netgroup not in self.known_groups:
|
|
||||||
+ self.needed_groups.append(nested_netgroup)
|
|
||||||
+ self.known_groups.append(nested_netgroup)
|
|
||||||
+
|
|
||||||
+ if result_p[0].type == NetgroupType.TRIPLE_VAL:
|
|
||||||
+ result.append((result_p[0].val.triple.host,
|
|
||||||
+ result_p[0].val.triple.user,
|
|
||||||
+ result_p[0].val.triple.domain))
|
|
||||||
+
|
|
||||||
+ res, errno, result_p = self._getnetgrent_r(result_p, buff,
|
|
||||||
+ buff_len)
|
|
||||||
+
|
|
||||||
+ if res != NssReturnCode.RETURN:
|
|
||||||
+ return (res, errno, result)
|
|
||||||
+
|
|
||||||
+ res = self._endnetgrent(result_p)
|
|
||||||
+
|
|
||||||
+ return (res, errno, result)
|
|
||||||
|
|
||||||
|
|
||||||
def get_sssd_netgroups(name):
|
|
||||||
@@ -129,27 +253,7 @@ def get_sssd_netgroups(name):
|
|
||||||
Each touple will consist of 3 elemets either string or None
|
|
||||||
(host, user, domain).
|
|
||||||
"""
|
|
||||||
- buff_len = 1024 * 1024
|
|
||||||
- buff = create_string_buffer(buff_len)
|
|
||||||
|
|
||||||
- result = []
|
|
||||||
+ retriever = NetgroupRetriever(name)
|
|
||||||
|
|
||||||
- res, result_p = call_sssd_setnetgrent(name)
|
|
||||||
- if res != NssReturnCode.SUCCESS:
|
|
||||||
- return (res, get_errno(), result)
|
|
||||||
-
|
|
||||||
- res, errno, result_p = call_sssd_getnetgrent_r(result_p, buff, buff_len)
|
|
||||||
- while res == NssReturnCode.SUCCESS:
|
|
||||||
- assert result_p[0].type == NetgroupType.TRIPLE_VAL
|
|
||||||
- result.append((result_p[0].val.triple.host,
|
|
||||||
- result_p[0].val.triple.user,
|
|
||||||
- result_p[0].val.triple.domain))
|
|
||||||
- res, errno, result_p = call_sssd_getnetgrent_r(result_p, buff,
|
|
||||||
- buff_len)
|
|
||||||
-
|
|
||||||
- if res != NssReturnCode.RETURN:
|
|
||||||
- return (res, errno, result)
|
|
||||||
-
|
|
||||||
- res = call_sssd_endnetgrent(result_p)
|
|
||||||
-
|
|
||||||
- return (res, errno, result)
|
|
||||||
+ return retriever.get_netgroups()
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,50 +0,0 @@
|
|||||||
From 5ac050f0f5160dc433aba21fd1ae2f2a8ffa9a88 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Cech <pcech@redhat.com>
|
|
||||||
Date: Fri, 22 Jul 2016 14:28:54 +0200
|
|
||||||
Subject: [PATCH 05/39] LDAP: Fixing of removing netgroup from cache
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
There were problem with local key which wasn't properly removed.
|
|
||||||
This patch fixes it.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/2841
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit bf141e052a81b28ee0ad2f61ff8b4879e4faa13b)
|
|
||||||
---
|
|
||||||
src/providers/ldap/sdap_async_netgroups.c | 16 ++++++++++++++++
|
|
||||||
1 file changed, 16 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
|
|
||||||
index df233d956df70cfcb5f68bd2afc9e2a23c50c3bb..e1d69ad769f542cccffca50547932a5bfb352230 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async_netgroups.c
|
|
||||||
+++ b/src/providers/ldap/sdap_async_netgroups.c
|
|
||||||
@@ -138,6 +138,22 @@ static errno_t sdap_save_netgroup(TALLOC_CTX *memctx,
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* We store memberNisNetgroup from LDAP as originalMemberNisNetgroup in
|
|
||||||
+ * sysdb. It may contain simple name or DN. That's the reason why we always
|
|
||||||
+ * translate/generate simple name and store it in SYSDB_NETGROUP_MEMBER
|
|
||||||
+ * (memberNisNetgroup) in sysdb which is internally used for searching
|
|
||||||
+ * netgropus.
|
|
||||||
+ * We need to ensure if originalMemberNisNetgroup is missing,
|
|
||||||
+ * memberNisNetgroup is missing too.
|
|
||||||
+ */
|
|
||||||
+ if (string_in_list(SYSDB_ORIG_NETGROUP_MEMBER, missing, false)) {
|
|
||||||
+ ret = add_string_to_list(attrs, SYSDB_NETGROUP_MEMBER, &missing);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add string into list\n");
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, missing,
|
|
||||||
dom->netgroup_timeout, now);
|
|
||||||
if (ret) goto fail;
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,54 +0,0 @@
|
|||||||
From f3f50d7a9ca36d0d56f29d25e4fceaa50c9a06e9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Cech <pcech@redhat.com>
|
|
||||||
Date: Wed, 17 Aug 2016 14:01:09 +0200
|
|
||||||
Subject: [PATCH 06/39] INTG: Adding support for netgroups to ldap_ent
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/2841
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 1cba321946084231c220e9561487555671b944c3)
|
|
||||||
---
|
|
||||||
src/tests/intg/ldap_ent.py | 19 +++++++++++++++++++
|
|
||||||
1 file changed, 19 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/tests/intg/ldap_ent.py b/src/tests/intg/ldap_ent.py
|
|
||||||
index f8f2f7fe6977aec6fd704ad1c78a476a163a16f1..c912844b063cfeb9c48744d593685d0b7fbcc706 100644
|
|
||||||
--- a/src/tests/intg/ldap_ent.py
|
|
||||||
+++ b/src/tests/intg/ldap_ent.py
|
|
||||||
@@ -87,6 +87,20 @@ def group_bis(base_dn, cn, gidNumber, member_uids=[], member_gids=[]):
|
|
||||||
return ("cn=" + cn + ",ou=Groups," + base_dn, attr_list)
|
|
||||||
|
|
||||||
|
|
||||||
+def netgroup(base_dn, cn, triples=(), members=()):
|
|
||||||
+ """
|
|
||||||
+ Generate an RFC2307bis netgroup add-modlist for passing to ldap.add*.
|
|
||||||
+ """
|
|
||||||
+ attr_list = [
|
|
||||||
+ ('objectClass', ['top', 'nisNetgroup'])
|
|
||||||
+ ]
|
|
||||||
+ if triples:
|
|
||||||
+ attr_list.append(('nisNetgroupTriple', triples))
|
|
||||||
+ if members:
|
|
||||||
+ attr_list.append(('memberNisNetgroup', members))
|
|
||||||
+ return ("cn=" + cn + ",ou=Netgroups," + base_dn, attr_list)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
class List(list):
|
|
||||||
"""LDAP add-modlist list"""
|
|
||||||
|
|
||||||
@@ -124,3 +138,8 @@ class List(list):
|
|
||||||
self.append(group_bis(base_dn or self.base_dn,
|
|
||||||
cn, gidNumber,
|
|
||||||
member_uids, member_gids))
|
|
||||||
+
|
|
||||||
+ def add_netgroup(self, cn, triples=(), members=(), base_dn=None):
|
|
||||||
+ """Add an RFC2307bis netgroup add-modlist."""
|
|
||||||
+ self.append(netgroup(base_dn or self.base_dn,
|
|
||||||
+ cn, triples, members))
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,501 +0,0 @@
|
|||||||
From 620d402a126580a13730f446dd99bf50814c9fb8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Cech <pcech@redhat.com>
|
|
||||||
Date: Wed, 17 Aug 2016 13:58:30 +0200
|
|
||||||
Subject: [PATCH 07/39] INTG: Tests for ldap nested netgroups
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
This patch adds tests on reproducer of t2841.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/2841
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 05457ed0e399aaacc919b7aacee5d8210e1c1072)
|
|
||||||
---
|
|
||||||
src/tests/intg/Makefile.am | 1 +
|
|
||||||
src/tests/intg/test_netgroup.py | 459 ++++++++++++++++++++++++++++++++++++++++
|
|
||||||
2 files changed, 460 insertions(+)
|
|
||||||
create mode 100644 src/tests/intg/test_netgroup.py
|
|
||||||
|
|
||||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
|
||||||
index d73e4216310ccd1c90e6b7eb0a0e60068fc45bd5..75422a4417046116bec11a8a680fe2248e3afb69 100644
|
|
||||||
--- a/src/tests/intg/Makefile.am
|
|
||||||
+++ b/src/tests/intg/Makefile.am
|
|
||||||
@@ -15,6 +15,7 @@ dist_noinst_DATA = \
|
|
||||||
test_ldap.py \
|
|
||||||
test_memory_cache.py \
|
|
||||||
test_ts_cache.py \
|
|
||||||
+ test_netgroup.py \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
config.py: config.py.m4
|
|
||||||
diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000000000000000000000000000000000..b99476126844e35d5dbc1793077720b4020c2fb7
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/tests/intg/test_netgroup.py
|
|
||||||
@@ -0,0 +1,459 @@
|
|
||||||
+#
|
|
||||||
+# Netgroup integration test
|
|
||||||
+#
|
|
||||||
+# Copyright (c) 2016 Red Hat, Inc.
|
|
||||||
+# Author: Petr Cech <pcech@redhat.com>
|
|
||||||
+#
|
|
||||||
+# This is free software; you can redistribute it and/or modify it
|
|
||||||
+# under the terms of the GNU General Public License as published by
|
|
||||||
+# the Free Software Foundation; version 2 only
|
|
||||||
+#
|
|
||||||
+# This program is distributed in the hope that it will be useful, but
|
|
||||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
||||||
+# General Public License for more details.
|
|
||||||
+#
|
|
||||||
+# You should have received a copy of the GNU General Public License
|
|
||||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
+#
|
|
||||||
+
|
|
||||||
+import os
|
|
||||||
+import stat
|
|
||||||
+import signal
|
|
||||||
+import subprocess
|
|
||||||
+import time
|
|
||||||
+import ldap
|
|
||||||
+import ldap.modlist
|
|
||||||
+import pytest
|
|
||||||
+
|
|
||||||
+import config
|
|
||||||
+import ds_openldap
|
|
||||||
+import ldap_ent
|
|
||||||
+from util import unindent
|
|
||||||
+import sssd_netgroup
|
|
||||||
+
|
|
||||||
+LDAP_BASE_DN = "dc=example,dc=com"
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.fixture(scope="module")
|
|
||||||
+def ds_inst(request):
|
|
||||||
+ """LDAP server instance fixture"""
|
|
||||||
+ ds_inst = ds_openldap.DSOpenLDAP(
|
|
||||||
+ config.PREFIX, 10389, LDAP_BASE_DN,
|
|
||||||
+ "cn=admin", "Secret123"
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ try:
|
|
||||||
+ ds_inst.setup()
|
|
||||||
+ except:
|
|
||||||
+ ds_inst.teardown()
|
|
||||||
+ raise
|
|
||||||
+ request.addfinalizer(ds_inst.teardown)
|
|
||||||
+ return ds_inst
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.fixture(scope="module")
|
|
||||||
+def ldap_conn(request, ds_inst):
|
|
||||||
+ """LDAP server connection fixture"""
|
|
||||||
+ ldap_conn = ds_inst.bind()
|
|
||||||
+ ldap_conn.ds_inst = ds_inst
|
|
||||||
+ request.addfinalizer(ldap_conn.unbind_s)
|
|
||||||
+ return ldap_conn
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def create_ldap_entries(ldap_conn, ent_list=None):
|
|
||||||
+ """Add LDAP entries from ent_list"""
|
|
||||||
+ if ent_list is not None:
|
|
||||||
+ for entry in ent_list:
|
|
||||||
+ ldap_conn.add_s(entry[0], entry[1])
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def cleanup_ldap_entries(ldap_conn, ent_list=None):
|
|
||||||
+ """Remove LDAP entries added by create_ldap_entries"""
|
|
||||||
+ if ent_list is None:
|
|
||||||
+ for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"):
|
|
||||||
+ for entry in ldap_conn.search_s("ou=" + ou + "," +
|
|
||||||
+ ldap_conn.ds_inst.base_dn,
|
|
||||||
+ ldap.SCOPE_ONELEVEL,
|
|
||||||
+ attrlist=[]):
|
|
||||||
+ ldap_conn.delete_s(entry[0])
|
|
||||||
+ else:
|
|
||||||
+ for entry in ent_list:
|
|
||||||
+ ldap_conn.delete_s(entry[0])
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def create_ldap_cleanup(request, ldap_conn, ent_list=None):
|
|
||||||
+ """Add teardown for removing all user/group LDAP entries"""
|
|
||||||
+ request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list))
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def create_ldap_fixture(request, ldap_conn, ent_list=None):
|
|
||||||
+ """Add LDAP entries and add teardown for removing them"""
|
|
||||||
+ create_ldap_entries(ldap_conn, ent_list)
|
|
||||||
+ create_ldap_cleanup(request, ldap_conn, ent_list)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+SCHEMA_RFC2307_BIS = "rfc2307bis"
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def format_basic_conf(ldap_conn, schema):
|
|
||||||
+ """Format a basic SSSD configuration"""
|
|
||||||
+ schema_conf = "ldap_schema = " + schema + "\n"
|
|
||||||
+ schema_conf += "ldap_group_object_class = groupOfNames\n"
|
|
||||||
+ return unindent("""\
|
|
||||||
+ [sssd]
|
|
||||||
+ domains = LDAP
|
|
||||||
+ services = nss
|
|
||||||
+
|
|
||||||
+ [domain/LDAP]
|
|
||||||
+ {schema_conf}
|
|
||||||
+ id_provider = ldap
|
|
||||||
+ auth_provider = ldap
|
|
||||||
+ ldap_uri = {ldap_conn.ds_inst.ldap_url}
|
|
||||||
+ ldap_search_base = {ldap_conn.ds_inst.base_dn}
|
|
||||||
+ ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn}
|
|
||||||
+ """).format(**locals())
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def create_conf_file(contents):
|
|
||||||
+ """Create sssd.conf with specified contents"""
|
|
||||||
+ conf = open(config.CONF_PATH, "w")
|
|
||||||
+ conf.write(contents)
|
|
||||||
+ conf.close()
|
|
||||||
+ os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def cleanup_conf_file():
|
|
||||||
+ """Remove sssd.conf, if it exists"""
|
|
||||||
+ if os.path.lexists(config.CONF_PATH):
|
|
||||||
+ os.unlink(config.CONF_PATH)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def create_conf_cleanup(request):
|
|
||||||
+ """Add teardown for removing sssd.conf"""
|
|
||||||
+ request.addfinalizer(cleanup_conf_file)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def create_conf_fixture(request, contents):
|
|
||||||
+ """
|
|
||||||
+ Create sssd.conf with specified contents and add teardown for removing it
|
|
||||||
+ """
|
|
||||||
+ create_conf_file(contents)
|
|
||||||
+ create_conf_cleanup(request)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def create_sssd_process():
|
|
||||||
+ """Start the SSSD process"""
|
|
||||||
+ if subprocess.call(["sssd", "-D", "-f"]) != 0:
|
|
||||||
+ raise Exception("sssd start failed")
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def cleanup_sssd_process():
|
|
||||||
+ """Stop the SSSD process and remove its state"""
|
|
||||||
+ try:
|
|
||||||
+ pid_file = open(config.PIDFILE_PATH, "r")
|
|
||||||
+ pid = int(pid_file.read())
|
|
||||||
+ os.kill(pid, signal.SIGTERM)
|
|
||||||
+ while True:
|
|
||||||
+ try:
|
|
||||||
+ os.kill(pid, signal.SIGCONT)
|
|
||||||
+ except:
|
|
||||||
+ break
|
|
||||||
+ time.sleep(1)
|
|
||||||
+ except:
|
|
||||||
+ pass
|
|
||||||
+ for path in os.listdir(config.DB_PATH):
|
|
||||||
+ os.unlink(config.DB_PATH + "/" + path)
|
|
||||||
+ for path in os.listdir(config.MCACHE_PATH):
|
|
||||||
+ os.unlink(config.MCACHE_PATH + "/" + path)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def create_sssd_cleanup(request):
|
|
||||||
+ """Add teardown for stopping SSSD and removing its state"""
|
|
||||||
+ request.addfinalizer(cleanup_sssd_process)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def create_sssd_fixture(request):
|
|
||||||
+ """Start SSSD and add teardown for stopping it and removing its state"""
|
|
||||||
+ create_sssd_process()
|
|
||||||
+ create_sssd_cleanup(request)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.fixture
|
|
||||||
+def add_empty_netgroup(request, ldap_conn):
|
|
||||||
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
|
|
||||||
+
|
|
||||||
+ ent_list.add_netgroup("empty_netgroup")
|
|
||||||
+
|
|
||||||
+ create_ldap_fixture(request, ldap_conn, ent_list)
|
|
||||||
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
|
|
||||||
+ create_conf_fixture(request, conf)
|
|
||||||
+ create_sssd_fixture(request)
|
|
||||||
+ return None
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_add_empty_netgroup(add_empty_netgroup):
|
|
||||||
+ """
|
|
||||||
+ Adding empty netgroup.
|
|
||||||
+ """
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("empty_netgroup")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == []
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.fixture
|
|
||||||
+def add_tripled_netgroup(request, ldap_conn):
|
|
||||||
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
|
|
||||||
+
|
|
||||||
+ ent_list.add_netgroup("tripled_netgroup", ["(host,user,domain)"])
|
|
||||||
+
|
|
||||||
+ ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)",
|
|
||||||
+ "(host2,user2,domain2)"])
|
|
||||||
+
|
|
||||||
+ create_ldap_fixture(request, ldap_conn, ent_list)
|
|
||||||
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
|
|
||||||
+ create_conf_fixture(request, conf)
|
|
||||||
+ create_sssd_fixture(request)
|
|
||||||
+ return None
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_add_tripled_netgroup(add_tripled_netgroup):
|
|
||||||
+ """
|
|
||||||
+ Adding netgroup with triplet.
|
|
||||||
+ """
|
|
||||||
+
|
|
||||||
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgrps == [("host", "user", "domain")]
|
|
||||||
+
|
|
||||||
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("adv_tripled_netgroup")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert sorted(netgrps) == sorted([("host1", "user1", "domain1"),
|
|
||||||
+ ("host2", "user2", "domain2")])
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.fixture
|
|
||||||
+def add_mixed_netgroup(request, ldap_conn):
|
|
||||||
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
|
|
||||||
+
|
|
||||||
+ ent_list.add_netgroup("mixed_netgroup1")
|
|
||||||
+ ent_list.add_netgroup("mixed_netgroup2", members=["mixed_netgroup1"])
|
|
||||||
+
|
|
||||||
+ ent_list.add_netgroup("mixed_netgroup3", ["(host1,user1,domain1)"])
|
|
||||||
+ ent_list.add_netgroup("mixed_netgroup4",
|
|
||||||
+ ["(host2,user2,domain2)", "(host3,user3,domain3)"])
|
|
||||||
+
|
|
||||||
+ ent_list.add_netgroup("mixed_netgroup5",
|
|
||||||
+ ["(host4,user4,domain4)"],
|
|
||||||
+ ["mixed_netgroup1"])
|
|
||||||
+ ent_list.add_netgroup("mixed_netgroup6",
|
|
||||||
+ ["(host5,user5,domain5)"],
|
|
||||||
+ ["mixed_netgroup2"])
|
|
||||||
+
|
|
||||||
+ ent_list.add_netgroup("mixed_netgroup7", members=["mixed_netgroup3"])
|
|
||||||
+ ent_list.add_netgroup("mixed_netgroup8",
|
|
||||||
+ members=["mixed_netgroup3", "mixed_netgroup4"])
|
|
||||||
+
|
|
||||||
+ ent_list.add_netgroup("mixed_netgroup9",
|
|
||||||
+ ["(host6,user6,domain6)"],
|
|
||||||
+ ["mixed_netgroup3", "mixed_netgroup4"])
|
|
||||||
+
|
|
||||||
+ create_ldap_fixture(request, ldap_conn, ent_list)
|
|
||||||
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
|
|
||||||
+ create_conf_fixture(request, conf)
|
|
||||||
+ create_sssd_fixture(request)
|
|
||||||
+ return None
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_add_mixed_netgroup(add_mixed_netgroup):
|
|
||||||
+ """
|
|
||||||
+ Adding many netgroups of different type.
|
|
||||||
+ """
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup1")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == []
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup2")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == []
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup3")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == [("host1", "user1", "domain1")]
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup4")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert sorted(netgroups) == sorted([("host2", "user2", "domain2"),
|
|
||||||
+ ("host3", "user3", "domain3")])
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup5")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == [("host4", "user4", "domain4")]
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup6")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == [("host5", "user5", "domain5")]
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup7")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == [("host1", "user1", "domain1")]
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup8")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert sorted(netgroups) == sorted([("host1", "user1", "domain1"),
|
|
||||||
+ ("host2", "user2", "domain2"),
|
|
||||||
+ ("host3", "user3", "domain3")])
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup9")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert sorted(netgroups) == sorted([("host1", "user1", "domain1"),
|
|
||||||
+ ("host2", "user2", "domain2"),
|
|
||||||
+ ("host3", "user3", "domain3"),
|
|
||||||
+ ("host6", "user6", "domain6")])
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.fixture
|
|
||||||
+def remove_step_by_step(request, ldap_conn):
|
|
||||||
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
|
|
||||||
+
|
|
||||||
+ ent_list.add_netgroup("rm_empty_netgroup1", ["(host1,user1,domain1)"])
|
|
||||||
+ ent_list.add_netgroup("rm_empty_netgroup2",
|
|
||||||
+ ["(host2,user2,domain2)"],
|
|
||||||
+ ["rm_empty_netgroup1"])
|
|
||||||
+
|
|
||||||
+ create_ldap_fixture(request, ldap_conn, ent_list)
|
|
||||||
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
|
|
||||||
+ create_conf_fixture(request, conf)
|
|
||||||
+ create_sssd_fixture(request)
|
|
||||||
+ return ent_list
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_remove_step_by_step(remove_step_by_step, ldap_conn):
|
|
||||||
+ """
|
|
||||||
+ Removing netgroups step by step.
|
|
||||||
+ """
|
|
||||||
+
|
|
||||||
+ ent_list = remove_step_by_step
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup1")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == [('host1', 'user1', 'domain1')]
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup2")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert sorted(netgroups) == sorted([('host1', 'user1', 'domain1'),
|
|
||||||
+ ('host2', 'user2', 'domain2')])
|
|
||||||
+
|
|
||||||
+ # removing of rm_empty_netgroup1
|
|
||||||
+ ldap_conn.delete_s(ent_list[0][0])
|
|
||||||
+ ent_list.remove(ent_list[0])
|
|
||||||
+
|
|
||||||
+ if subprocess.call(["sss_cache", "-N"]) != 0:
|
|
||||||
+ raise Exception("sssd_cache failed")
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup1")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.NOTFOUND
|
|
||||||
+ assert netgroups == []
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup2")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == [('host2', 'user2', 'domain2')]
|
|
||||||
+
|
|
||||||
+ # removing of rm_empty_netgroup2
|
|
||||||
+ ldap_conn.delete_s(ent_list[0][0])
|
|
||||||
+ ent_list.remove(ent_list[0])
|
|
||||||
+
|
|
||||||
+ if subprocess.call(["sss_cache", "-N"]) != 0:
|
|
||||||
+ raise Exception("sssd_cache failed")
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup1")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.NOTFOUND
|
|
||||||
+ assert netgroups == []
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup2")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.NOTFOUND
|
|
||||||
+ assert netgroups == []
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.fixture
|
|
||||||
+def removing_nested_netgroups(request, ldap_conn):
|
|
||||||
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
|
|
||||||
+
|
|
||||||
+ ent_list.add_netgroup("t2841_netgroup1", ["(host1,user1,domain1)"])
|
|
||||||
+ ent_list.add_netgroup("t2841_netgroup2", ["(host2,user2,domain2)"])
|
|
||||||
+ ent_list.add_netgroup("t2841_netgroup3",
|
|
||||||
+ members=["t2841_netgroup1", "t2841_netgroup2"])
|
|
||||||
+
|
|
||||||
+ create_ldap_fixture(request, ldap_conn, ent_list)
|
|
||||||
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
|
|
||||||
+ create_conf_fixture(request, conf)
|
|
||||||
+ create_sssd_fixture(request)
|
|
||||||
+ return None
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_removing_nested_netgroups(removing_nested_netgroups, ldap_conn):
|
|
||||||
+ """
|
|
||||||
+ Regression test for ticket 2841.
|
|
||||||
+ https://fedorahosted.org/sssd/ticket/2841
|
|
||||||
+ """
|
|
||||||
+
|
|
||||||
+ netgrp_dn = 'cn=t2841_netgroup3,ou=Netgroups,' + ldap_conn.ds_inst.base_dn
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == [('host1', 'user1', 'domain1')]
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == [('host2', 'user2', 'domain2')]
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert sorted(netgroups) == sorted([('host1', 'user1', 'domain1'),
|
|
||||||
+ ('host2', 'user2', 'domain2')])
|
|
||||||
+
|
|
||||||
+ # removing of t2841_netgroup1 from t2841_netgroup3
|
|
||||||
+ old = {'memberNisNetgroup': ["t2841_netgroup1", "t2841_netgroup2"]}
|
|
||||||
+ new = {'memberNisNetgroup': ["t2841_netgroup2"]}
|
|
||||||
+
|
|
||||||
+ ldif = ldap.modlist.modifyModlist(old, new)
|
|
||||||
+ ldap_conn.modify_s(netgrp_dn, ldif)
|
|
||||||
+
|
|
||||||
+ if subprocess.call(["sss_cache", "-N"]) != 0:
|
|
||||||
+ raise Exception("sssd_cache failed")
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == [('host1', 'user1', 'domain1')]
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == [('host2', 'user2', 'domain2')]
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == [('host2', 'user2', 'domain2')]
|
|
||||||
+
|
|
||||||
+ # removing of t2841_netgroup2 from t2841_netgroup3
|
|
||||||
+ old = {'memberNisNetgroup': ["t2841_netgroup2"]}
|
|
||||||
+ new = {'memberNisNetgroup': []}
|
|
||||||
+
|
|
||||||
+ ldif = ldap.modlist.modifyModlist(old, new)
|
|
||||||
+ ldap_conn.modify_s(netgrp_dn, ldif)
|
|
||||||
+
|
|
||||||
+ if subprocess.call(["sss_cache", "-N"]) != 0:
|
|
||||||
+ raise Exception("sssd_cache failed")
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == [('host1', 'user1', 'domain1')]
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == [('host2', 'user2', 'domain2')]
|
|
||||||
+
|
|
||||||
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgroups == []
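Review bot: `cleanup_sssd_process` can stall the whole test run and hide the reason: its `while True` loop polls with `os.kill(pid, signal.SIGCONT)` until the signal fails, with no upper bound, and both `except:` clauses are bare, so a daemon that never exits after SIGTERM, a missing PID file and a `KeyboardInterrupt` are all handled alike. Bounding the wait and catching only the errors the code expects turns a stuck sssd into a visible teardown failure. The PID file handle is also never closed, which a `with` block covers. The retry count in the sketch is an example value. Separately, the `raise Exception("sssd_cache failed")` lines in the two removal tests name a command other than the `sss_cache` they run.

```python
def cleanup_sssd_process():
    """Stop the SSSD process and remove its state"""
    try:
        with open(config.PIDFILE_PATH, "r") as pid_file:
            pid = int(pid_file.read())
        os.kill(pid, signal.SIGTERM)
        # Bounded wait, so a daemon that ignores SIGTERM fails the teardown
        # instead of hanging it.
        for _ in range(60):
            try:
                os.kill(pid, signal.SIGCONT)
            except OSError:
                break
            time.sleep(1)
        else:
            raise Exception("sssd did not exit after SIGTERM")
    except (IOError, OSError, ValueError):
        # No PID file, no PID in it, or no such process: nothing to stop.
        pass
    # ... unchanged: removal of the DB_PATH and MCACHE_PATH contents ...
```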
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,97 +0,0 @@
|
|||||||
From 2263fb23bdbbf313535edf54440fe20627b57d7f Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Mon, 22 Aug 2016 13:15:04 +0200
|
|
||||||
Subject: [PATCH 08/39] watchdog: cope with time shift
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
When a time is changed into the past during sssd runtime
|
|
||||||
(e.g. on boot during time correction), it is possible that
|
|
||||||
we never hit watchdog tevent timer since it is based on
|
|
||||||
system time.
|
|
||||||
|
|
||||||
This patch adds a past-time shift detection mechanism. If a time
|
|
||||||
shift is detected we restart watchdog.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3154
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
(cherry picked from commit b8ceaeb80cffb00c26390913ea959b77f7e848b9)
|
|
||||||
---
|
|
||||||
src/util/util_watchdog.c | 41 +++++++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 41 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
|
|
||||||
index 5032fddba1b94b3fc7e560162c392dfa57d699cf..1c27d73f13b3042ecb549a2184e1368e8339d199 100644
|
|
||||||
--- a/src/util/util_watchdog.c
|
|
||||||
+++ b/src/util/util_watchdog.c
|
|
||||||
@@ -29,8 +29,39 @@ struct watchdog_ctx {
|
|
||||||
struct timeval interval;
|
|
||||||
struct tevent_timer *te;
|
|
||||||
volatile int ticks;
|
|
||||||
+
|
|
||||||
+ /* To detect time shift. */
|
|
||||||
+ struct tevent_context *ev;
|
|
||||||
+ int input_interval;
|
|
||||||
+ time_t timestamp;
|
|
||||||
} watchdog_ctx;
|
|
||||||
|
|
||||||
+static bool watchdog_detect_timeshift(void)
|
|
||||||
+{
|
|
||||||
+ time_t prev_time;
|
|
||||||
+ time_t cur_time;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ prev_time = watchdog_ctx.timestamp;
|
|
||||||
+ cur_time = watchdog_ctx.timestamp = time(NULL);
|
|
||||||
+ if (cur_time < prev_time) {
|
|
||||||
+ /* Time shift detected. We need to restart watchdog. */
|
|
||||||
+ DEBUG(SSSDBG_IMPORTANT_INFO, "Time shift detected, "
|
|
||||||
+ "restarting watchdog!\n");
|
|
||||||
+ teardown_watchdog();
|
|
||||||
+ ret = setup_watchdog(watchdog_ctx.ev, watchdog_ctx.input_interval);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to restart watchdog "
|
|
||||||
+ "[%d]: %s\n", ret, sss_strerror(ret));
|
|
||||||
+ orderly_shutdown(1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return true;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return false;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* the watchdog is purposefully *not* handled by the tevent
|
|
||||||
* signal handler as it is meant to check if the daemon is
|
|
||||||
* still processing the event queue itself. A stuck process
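Review bot: `watchdog_detect_timeshift()` runs in signal context, because the second hunk calls it first thing in `watchdog_handler(int sig)`, yet on a detected shift it calls `DEBUG()`, `teardown_watchdog()`, `setup_watchdog()` and possibly `orderly_shutdown()`. Their bodies are outside the hunks, but logging and timer setup are unlikely to be async-signal-safe, so a shift that interrupts the daemon inside the logger or an allocator could deadlock or corrupt state, in the very code meant to catch a stuck process. A safer shape limits the handler to `time()` and `write()` and lets the event loop do the restart, for example through a self-pipe whose read end is registered with `tevent_add_fd()` in `setup_watchdog()`; fd events do not depend on the system clock. The sketch assumes a new `int pipefd[2]` member in `struct watchdog_ctx`, and the restart plus its `DEBUG()` messages would move into the fd handler.

```c
/* Called from watchdog_handler(): async-signal-safe calls only. */
static bool watchdog_detect_timeshift(void)
{
    time_t prev_time;
    time_t cur_time;
    char wake = 1;

    prev_time = watchdog_ctx.timestamp;
    cur_time = watchdog_ctx.timestamp = time(NULL);
    if (cur_time < prev_time) {
        /* Defer the restart to the event loop: the read end of the pipe
         * is watched by an fd handler that tears down and sets up the
         * watchdog outside signal context. */
        (void) write(watchdog_ctx.pipefd[1], &wake, sizeof(wake));
        return true;
    }

    return false;
}
/* ... unchanged: watchdog_handler() returns early when this is true ... */
```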
|
|
||||||
@@ -38,6 +69,12 @@ struct watchdog_ctx {
|
|
||||||
* signals either */
|
|
||||||
static void watchdog_handler(int sig)
|
|
||||||
{
|
|
||||||
+ /* Do not count ticks if time shift was detected
|
|
||||||
+ * since watchdog was restarted. */
|
|
||||||
+ if (watchdog_detect_timeshift()) {
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* if 3 ticks passed by kills itself */
|
|
||||||
|
|
||||||
if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > 3) {
|
|
||||||
@@ -101,6 +138,10 @@ int setup_watchdog(struct tevent_context *ev, int interval)
|
|
||||||
watchdog_ctx.interval.tv_sec = interval;
|
|
||||||
watchdog_ctx.interval.tv_usec = 0;
|
|
||||||
|
|
||||||
+ watchdog_ctx.ev = ev;
|
|
||||||
+ watchdog_ctx.input_interval = interval;
|
|
||||||
+ watchdog_ctx.timestamp = time(NULL);
|
|
||||||
+
|
|
||||||
/* Start the timer */
|
|
||||||
/* we give 1 second head start to the watchdog event */
|
|
||||||
its.it_value.tv_sec = interval + 1;
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,82 +0,0 @@
|
|||||||
From d5a5ff043c5872eb159aa096e1a1fa7863db4f86 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Fri, 19 Aug 2016 10:46:12 +0200
|
|
||||||
Subject: [PATCH 09/39] BUILD: Allow to read private pipes for root
|
|
||||||
|
|
||||||
Root can read anything from any directory even with permissions 000.
|
|
||||||
|
|
||||||
However SELinux checks discretionary access control (DAC)
|
|
||||||
and deny access if access is not allowed for root by DAC.
|
|
||||||
The pam_sss use different unix socket /var/lib/sss/pipes/private/pam
|
|
||||||
for user with uid 0. Therefore root need to be able read content
|
|
||||||
of directory with private pipes.
|
|
||||||
|
|
||||||
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
|
|
||||||
{ dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search
|
|
||||||
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
|
|
||||||
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
|
|
||||||
|
|
||||||
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
|
|
||||||
{ dac_override } for pid=20257 comm=vsftpd capability=dac_override
|
|
||||||
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
|
|
||||||
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3143
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit f49724cd6b3e0e3274302c3d475e93f7a7094f40)
|
|
||||||
---
|
|
||||||
Makefile.am | 8 ++++----
|
|
||||||
contrib/sssd.spec.in | 2 +-
|
|
||||||
2 files changed, 5 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index 8b9240f4485c0bce976fdabff6904e648f44356e..6219682de0d1fd4b3a813ee2f95b8185531e62bf 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -3952,7 +3952,6 @@ SSSD_USER_DIRS = \
|
|
||||||
$(DESTDIR)$(keytabdir) \
|
|
||||||
$(DESTDIR)$(mcpath) \
|
|
||||||
$(DESTDIR)$(pipepath) \
|
|
||||||
- $(DESTDIR)$(pipepath)/private \
|
|
||||||
$(DESTDIR)$(pubconfpath) \
|
|
||||||
$(DESTDIR)$(pubconfpath)/krb5.include.d \
|
|
||||||
$(DESTDIR)$(gpocachepath) \
|
|
||||||
@@ -3979,16 +3978,17 @@ installsssddirs::
|
|
||||||
$(DESTDIR)$(sssddatadir) \
|
|
||||||
$(DESTDIR)$(sudolibdir) \
|
|
||||||
$(DESTDIR)$(autofslibdir) \
|
|
||||||
+ $(DESTDIR)$(pipepath)/private \
|
|
||||||
$(SSSD_USER_DIRS) \
|
|
||||||
$(NULL);
|
|
||||||
if SSSD_USER
|
|
||||||
- -chown $(SSSD_USER):$(SSSD_USER) \
|
|
||||||
- $(SSSD_USER_DIRS)
|
|
||||||
+ -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)
|
|
||||||
+ -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private
|
|
||||||
endif
|
|
||||||
$(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
|
|
||||||
- $(DESTDIR)$(pipepath)/private \
|
|
||||||
$(DESTDIR)$(keytabdir) \
|
|
||||||
$(NULL)
|
|
||||||
+ $(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private
|
|
||||||
$(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
|
|
||||||
$(DESTDIR)$(pubconfpath) \
|
|
||||||
$(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
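Review bot: The added `-chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private` sets only the owner, so the group that the new 0750 mode grants read and search access to is whatever group the installing user happens to have, while the spec file in this same patch pins it with `%attr(750,sssd,root)`. Naming the group explicitly, `-chown $(SSSD_USER):root $(DESTDIR)$(pipepath)/private`, would keep `make install` and the RPM in agreement about who can enter the private pipe directory. A comment above the `$(INSTALL) -d -m 0750` line, such as `# group access lets uid 0 reach the private pipes under SELinux without dac_override`, would record why this directory is no longer 0700. The `installsssddirs` rule starts before this hunk, so the directory creation that precedes the chown is not visible here.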
|
|
||||||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
|
||||||
index 24af8d518bd065388b14d812de7c1c61975f0cca..1e058ca63c25513253c4b350d286208f40f6b660 100644
|
|
||||||
--- a/contrib/sssd.spec.in
|
|
||||||
+++ b/contrib/sssd.spec.in
|
|
||||||
@@ -791,7 +791,7 @@ done
|
|
||||||
%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
|
|
||||||
%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
|
|
||||||
%attr(755,sssd,sssd) %dir %{pipepath}
|
|
||||||
-%attr(700,sssd,sssd) %dir %{pipepath}/private
|
|
||||||
+%attr(750,sssd,root) %dir %{pipepath}/private
|
|
||||||
%attr(755,sssd,sssd) %dir %{pubconfpath}
|
|
||||||
%attr(755,sssd,sssd) %dir %{gpocachepath}
|
|
||||||
%attr(750,sssd,sssd) %dir %{_var}/log/%{name}
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,124 +0,0 @@
|
|||||||
From 3258fa9d328f364fa41fd1a5bc5fc3250e87df8e Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Tue, 16 Aug 2016 11:20:49 +0200
|
|
||||||
Subject: [PATCH 10/39] SYSDB: Rework sysdb_cache_connect()
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
As sysdb_cache_connect() has two very specific use cases (connect to the
|
|
||||||
cache and connect to the timestamp cache) and each of those calls have a
|
|
||||||
predetermined/fixed sets of values for a few parameters, let's try to
|
|
||||||
make the code a bit simpler to follow by having explicit functions for
|
|
||||||
connecting to the cache and connecting to the timestamp cache.
|
|
||||||
|
|
||||||
Macros could be used as well, but I have a slightly preference for
|
|
||||||
having two new functions instead of macros accessing internal parameters
|
|
||||||
of the macro's parameter.
|
|
||||||
|
|
||||||
Related:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3128
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit b6d1cd5eaab4c7c73df8ee041944ec05630a9630)
|
|
||||||
---
|
|
||||||
src/db/sysdb_init.c | 53 ++++++++++++++++++++++++++++++++++-------------------
|
|
||||||
1 file changed, 34 insertions(+), 19 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
|
|
||||||
index 9e3646bfeb9a494ebff2d348ab1c53336f8a5c03..59934701c4d2b9d770385a202af058404a6d3eb9 100644
|
|
||||||
--- a/src/db/sysdb_init.c
|
|
||||||
+++ b/src/db/sysdb_init.c
|
|
||||||
@@ -511,14 +511,14 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
|
|
||||||
- struct sss_domain_info *domain,
|
|
||||||
- const char *ldb_file,
|
|
||||||
- int flags,
|
|
||||||
- const char *exp_version,
|
|
||||||
- const char *base_ldif,
|
|
||||||
- struct ldb_context **_ldb,
|
|
||||||
- const char **_version)
|
|
||||||
+static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct sss_domain_info *domain,
|
|
||||||
+ const char *ldb_file,
|
|
||||||
+ int flags,
|
|
||||||
+ const char *exp_version,
|
|
||||||
+ const char *base_ldif,
|
|
||||||
+ struct ldb_context **_ldb,
|
|
||||||
+ const char **_version)
|
|
||||||
{
|
|
||||||
TALLOC_CTX *tmp_ctx = NULL;
|
|
||||||
struct ldb_message_element *el;
|
|
||||||
@@ -619,6 +619,29 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct sysdb_ctx *sysdb,
|
|
||||||
+ struct sss_domain_info *domain,
|
|
||||||
+ struct ldb_context **ldb,
|
|
||||||
+ const char **version)
|
|
||||||
+{
|
|
||||||
+ return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_file,
|
|
||||||
+ 0, SYSDB_VERSION, SYSDB_BASE_LDIF,
|
|
||||||
+ ldb, version);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static errno_t sysdb_ts_cache_connect(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct sysdb_ctx *sysdb,
|
|
||||||
+ struct sss_domain_info *domain,
|
|
||||||
+ struct ldb_context **ldb,
|
|
||||||
+ const char **version)
|
|
||||||
+{
|
|
||||||
+ return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_ts_file,
|
|
||||||
+ LDB_FLG_NOSYNC, SYSDB_TS_VERSION,
|
|
||||||
+ SYSDB_TS_BASE_LDIF,
|
|
||||||
+ ldb, version);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static errno_t remove_ts_cache(struct sysdb_ctx *sysdb)
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
@@ -649,9 +672,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
|
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = sysdb_cache_connect(tmp_ctx, domain, sysdb->ldb_file, 0,
|
|
||||||
- SYSDB_VERSION, SYSDB_BASE_LDIF,
|
|
||||||
- &ldb, &version);
|
|
||||||
+ ret = sysdb_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
|
|
||||||
switch (ret) {
|
|
||||||
case ERR_SYSDB_VERSION_TOO_OLD:
|
|
||||||
if (upgrade_ctx == NULL) {
|
|
||||||
@@ -731,10 +752,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
|
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = sysdb_cache_connect(tmp_ctx, domain,
|
|
||||||
- sysdb->ldb_ts_file, LDB_FLG_NOSYNC,
|
|
||||||
- SYSDB_TS_VERSION, SYSDB_TS_BASE_LDIF,
|
|
||||||
- &ldb, &version);
|
|
||||||
+ ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
|
|
||||||
switch (ret) {
|
|
||||||
case ERR_SYSDB_VERSION_TOO_OLD:
|
|
||||||
if (upgrade_ctx == NULL) {
|
|
||||||
@@ -801,10 +819,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
|
|
||||||
/* Now the connect must succeed because the previous cache doesn't
|
|
||||||
* exist anymore.
|
|
||||||
*/
|
|
||||||
- ret = sysdb_cache_connect(tmp_ctx, domain,
|
|
||||||
- sysdb->ldb_ts_file, LDB_FLG_NOSYNC,
|
|
||||||
- SYSDB_TS_VERSION, SYSDB_TS_BASE_LDIF,
|
|
||||||
- &ldb, &version);
|
|
||||||
+ ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
"Could not delete the timestamp ldb file (%d) (%s)\n",
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,152 +0,0 @@
|
|||||||
From 85fed431388c7f7f70dbf5bcd0b4f8a889c60bc6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Tue, 16 Aug 2016 11:46:41 +0200
|
|
||||||
Subject: [PATCH 11/39] SYSDB: Remove the timestamp cache for a newly created
|
|
||||||
cache
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
As many users are used to remove the persistent cache without removing
|
|
||||||
the timestamp cache, let's throw away the timestamp cache in this case.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3128
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit 9023bf51de6c84337af024388f1860ac1051924c)
|
|
||||||
---
|
|
||||||
src/db/sysdb_init.c | 69 ++++++++++++++++++++++++++++++++++++-----------------
|
|
||||||
1 file changed, 47 insertions(+), 22 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
|
|
||||||
index 59934701c4d2b9d770385a202af058404a6d3eb9..c387c1b12c116f38d5a13f1adeac5ef64d593af8 100644
|
|
||||||
--- a/src/db/sysdb_init.c
|
|
||||||
+++ b/src/db/sysdb_init.c
|
|
||||||
@@ -511,12 +511,30 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static errno_t remove_ts_cache(struct sysdb_ctx *sysdb)
|
|
||||||
+{
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ if (sysdb->ldb_ts_file == NULL) {
|
|
||||||
+ return EOK;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = unlink(sysdb->ldb_ts_file);
|
|
||||||
+ if (ret != EOK && errno != ENOENT) {
|
|
||||||
+ return errno;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return EOK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct sysdb_ctx *sysdb,
|
|
||||||
struct sss_domain_info *domain,
|
|
||||||
const char *ldb_file,
|
|
||||||
int flags,
|
|
||||||
const char *exp_version,
|
|
||||||
const char *base_ldif,
|
|
||||||
+ bool *_newly_created,
|
|
||||||
struct ldb_context **_ldb,
|
|
||||||
const char **_version)
|
|
||||||
{
|
|
||||||
@@ -527,6 +545,7 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
|
|
||||||
const char *version = NULL;
|
|
||||||
int ret;
|
|
||||||
struct ldb_context *ldb;
|
|
||||||
+ bool newly_created;
|
|
||||||
|
|
||||||
tmp_ctx = talloc_new(NULL);
|
|
||||||
if (!tmp_ctx) {
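Review bot: `bool newly_created;` is declared without an initializer, and the only assignment visible in this patch is `newly_created = true;` in the cache-creation branch (hunk at -592), yet the `done:` block (hunk at -613) copies it into `*_newly_created` whenever `ret == EOK`. If the helper can reach `done:` with EOK for a cache that already existed, the caller reads an indeterminate value and sysdb_cache_connect() uses it when deciding whether to unlink the timestamp cache. That path lies outside the hunks, so this is inferred rather than shown. Initialise it at the declaration: `bool newly_created = false;`. The function body starts and ends outside this hunk.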
|
|
||||||
@@ -592,8 +611,9 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* The cache has been newly created.
|
|
||||||
- * We need to reopen the LDB to ensure that
|
|
||||||
+ newly_created = true;
|
|
||||||
+
|
|
||||||
+ /* We need to reopen the LDB to ensure that
|
|
||||||
* all of the special values take effect
|
|
||||||
* (such as enabling the memberOf plugin and
|
|
||||||
* the various indexes).
|
|
||||||
@@ -613,6 +633,9 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
done:
|
|
||||||
if (ret == EOK) {
|
|
||||||
+ if (_newly_created != NULL) {
|
|
||||||
+ *_newly_created = newly_created;
|
|
||||||
+ }
|
|
||||||
*_ldb = talloc_steal(mem_ctx, ldb);
|
|
||||||
}
|
|
||||||
talloc_free(tmp_ctx);
|
|
||||||
@@ -625,9 +648,27 @@ static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
|
|
||||||
struct ldb_context **ldb,
|
|
||||||
const char **version)
|
|
||||||
{
|
|
||||||
- return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_file,
|
|
||||||
+ bool newly_created;
|
|
||||||
+ bool ldb_file_exists;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ ldb_file_exists = !(access(sysdb->ldb_file, F_OK) == -1 && errno == ENOENT);
|
|
||||||
+
|
|
||||||
+ ret = sysdb_cache_connect_helper(mem_ctx, sysdb, domain, sysdb->ldb_file,
|
|
||||||
0, SYSDB_VERSION, SYSDB_BASE_LDIF,
|
|
||||||
- ldb, version);
|
|
||||||
+ &newly_created, ldb, version);
|
|
||||||
+
|
|
||||||
+ /* The cache has been newly created. */
|
|
||||||
+ if (ret == EOK && newly_created && !ldb_file_exists) {
|
|
||||||
+ ret = remove_ts_cache(sysdb);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
+ "Could not delete the timestamp ldb file (%d) (%s)\n",
|
|
||||||
+ ret, sss_strerror(ret));
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
static errno_t sysdb_ts_cache_connect(TALLOC_CTX *mem_ctx,
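Review bot: When remove_ts_cache() fails, `ret` is overwritten and returned, so sysdb_cache_connect() reports an error even though the helper has already succeeded and handed the connection back through `*ldb`. The failure is logged only at SSSDBG_MINOR_FAILURE, which does not match an error that aborts the connect. Either keep the unlink result in its own variable (`errno_t ts_ret = remove_ts_cache(sysdb);`) and return the helper's result, or, if a stale timestamp cache beside a fresh persistent cache must be fatal, state that in a comment and raise the debug level. A one-line comment on why both `newly_created` and the earlier `access()` probe are needed would also help, since the probe runs before the open and the two can disagree.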
|
|
||||||
@@ -636,28 +677,12 @@ static errno_t sysdb_ts_cache_connect(TALLOC_CTX *mem_ctx,
|
|
||||||
struct ldb_context **ldb,
|
|
||||||
const char **version)
|
|
||||||
{
|
|
||||||
- return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_ts_file,
|
|
||||||
+ return sysdb_cache_connect_helper(mem_ctx, sysdb, domain, sysdb->ldb_ts_file,
|
|
||||||
LDB_FLG_NOSYNC, SYSDB_TS_VERSION,
|
|
||||||
- SYSDB_TS_BASE_LDIF,
|
|
||||||
+ SYSDB_TS_BASE_LDIF, NULL,
|
|
||||||
ldb, version);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static errno_t remove_ts_cache(struct sysdb_ctx *sysdb)
|
|
||||||
-{
|
|
||||||
- errno_t ret;
|
|
||||||
-
|
|
||||||
- if (sysdb->ldb_ts_file == NULL) {
|
|
||||||
- return EOK;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ret = unlink(sysdb->ldb_ts_file);
|
|
||||||
- if (ret != EOK && errno != ENOENT) {
|
|
||||||
- return errno;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- return EOK;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
|
|
||||||
struct sss_domain_info *domain,
|
|
||||||
struct sysdb_dom_upgrade_ctx *upgrade_ctx)
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,48 +0,0 @@
|
|||||||
From 2a287173752a2854df5e4bdb6b27328837be4805 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Wed, 17 Aug 2016 13:12:21 +0200
|
|
||||||
Subject: [PATCH 12/39] SECRETS: Return ENOENT when_deleting a non-existent
|
|
||||||
secret
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
For this, just make use of the sysdb_error_to_errno() function.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3125
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit c4a3b24dc70fb50c8c0cc5490c29a3755d8b1b73)
|
|
||||||
---
|
|
||||||
src/responder/secrets/local.c | 9 ++-------
|
|
||||||
1 file changed, 2 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
|
|
||||||
index 17469249b357cbdc5e50ddff6b563fdf2f377577..ac3049b62fa77f69d44ec5792139fe3378afb3f4 100644
|
|
||||||
--- a/src/responder/secrets/local.c
|
|
||||||
+++ b/src/responder/secrets/local.c
|
|
||||||
@@ -375,15 +375,10 @@ int local_db_delete(TALLOC_CTX *mem_ctx,
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
ret = local_db_dn(mem_ctx, lctx->ldb, req_path, &dn);
|
|
||||||
- if (ret != EOK) goto done;
|
|
||||||
+ if (ret != EOK) return ret;
|
|
||||||
|
|
||||||
ret = ldb_delete(lctx->ldb, dn);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- ret = EIO;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
-done:
|
|
||||||
- return ret;
|
|
||||||
+ return sysdb_error_to_errno(ret);
|
|
||||||
}
|
|
||||||
|
|
||||||
int local_db_create(TALLOC_CTX *mem_ctx,
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,27 +0,0 @@
|
|||||||
From 8fbc37dac506556c53f7fcb63a219af71eeaa9be Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Fri, 19 Aug 2016 18:06:45 +0200
|
|
||||||
Subject: [PATCH 13/39] SPEC: Fix typo in Summary
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit afa6891a809db262a49f68913f82a3a6137d8e2e)
|
|
||||||
---
|
|
||||||
contrib/sssd.spec.in | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
|
||||||
index 1e058ca63c25513253c4b350d286208f40f6b660..1f79ca7cd0a56dc1ab9c951abe11dc216ef3ad03 100644
|
|
||||||
--- a/contrib/sssd.spec.in
|
|
||||||
+++ b/contrib/sssd.spec.in
|
|
||||||
@@ -588,7 +588,7 @@ License: GPLv3+ and LGPLv3+
|
|
||||||
Development libraries for the SSSD libwbclient implementation.
|
|
||||||
|
|
||||||
%package winbind-idmap
|
|
||||||
-Summary: SSSSD's idmap_sss Backend for Winbind
|
|
||||||
+Summary: SSSD's idmap_sss Backend for Winbind
|
|
||||||
Group: Applications/System
|
|
||||||
License: GPLv3+ and LGPLv3+
|
|
||||||
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,62 +0,0 @@
|
|||||||
From 82ccc38b4143b996ca9741f3682c2bb1f2694bef Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Tue, 9 Aug 2016 22:08:27 +0200
|
|
||||||
Subject: [PATCH 14/39] IPA: Parse qualified names when guessing AD user
|
|
||||||
principal
|
|
||||||
|
|
||||||
Most AD users store their UPN in an attribute. If they don't, or the sssd
|
|
||||||
was configured (typically in earlier versions to work around a bug) to not
|
|
||||||
look at the principal attribute, then sssd is supposed to guess
|
|
||||||
the attribute.
|
|
||||||
|
|
||||||
That currently doesn't work in 1.14, because the username is already
|
|
||||||
qualified and then we also append the realm name to it. We need to parse
|
|
||||||
the simple username from the qualified name first.
|
|
||||||
|
|
||||||
The issue can be reproduced simply by authenticating as the Administrator
|
|
||||||
account in IPA-AD trust setups.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3127
|
|
||||||
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
(cherry picked from commit 0302e3e7b3b06b809bd63c7911a42ab3e0a7ebf9)
|
|
||||||
---
|
|
||||||
src/providers/ipa/ipa_s2n_exop.c | 14 ++++++++++++--
|
|
||||||
1 file changed, 12 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
|
||||||
index a8c415b4c86ccd3bd3b180c8df835c75420fbb21..07bbb2b4d252c8ca9ada4d890c36c903c9f75773 100644
|
|
||||||
--- a/src/providers/ipa/ipa_s2n_exop.c
|
|
||||||
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
|
||||||
@@ -1941,6 +1941,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
|
||||||
struct sss_nss_homedir_ctx homedir_ctx;
|
|
||||||
char *name = NULL;
|
|
||||||
char *realm;
|
|
||||||
+ char *short_name = NULL;
|
|
||||||
char *upn = NULL;
|
|
||||||
gid_t gid;
|
|
||||||
gid_t orig_gid = 0;
|
|
||||||
@@ -2092,8 +2093,17 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
|
||||||
ret = ENOMEM;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
- upn = talloc_asprintf(tmp_ctx, "%s@%s",
|
|
||||||
- attrs->a.user.pw_name, realm);
|
|
||||||
+
|
|
||||||
+ ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
|
|
||||||
+ &short_name, NULL);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Cannot parse internal name %s\n",
|
|
||||||
+ attrs->a.user.pw_name);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
|
|
||||||
if (!upn) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
|
|
||||||
ret = ENOMEM;
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,114 +0,0 @@
|
|||||||
From 18c3db957a198351f8d3c13c51dff976ad736021 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Wed, 24 Aug 2016 13:16:31 +0200
|
|
||||||
Subject: [PATCH 15/39] PROXY: Remove lowercase attribute from save_user()
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
As this function already receives a struct sss_domain_info * parameter
|
|
||||||
as argument, we can simply check whether we will need a lowercase name
|
|
||||||
by accessing domain->case_sensitive.
|
|
||||||
|
|
||||||
Related:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3134
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 413aef1529fb3d5ed4d0f38e219f5456d7fe3ae0)
|
|
||||||
---
|
|
||||||
src/providers/proxy/proxy_id.c | 22 +++++++++-------------
|
|
||||||
1 file changed, 9 insertions(+), 13 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
|
|
||||||
index b0c82807b42d91a4212578ca98af7f96484735b1..ff2631c9b493c8c688919139114da5520b428e04 100644
|
|
||||||
--- a/src/providers/proxy/proxy_id.c
|
|
||||||
+++ b/src/providers/proxy/proxy_id.c
|
|
||||||
@@ -31,7 +31,7 @@
|
|
||||||
/* =Getpwnam-wrapper======================================================*/
|
|
||||||
|
|
||||||
static int save_user(struct sss_domain_info *domain,
|
|
||||||
- bool lowercase, struct passwd *pwd, const char *real_name,
|
|
||||||
+ struct passwd *pwd, const char *real_name,
|
|
||||||
const char *alias, uint64_t cache_timeout);
|
|
||||||
|
|
||||||
static int
|
|
||||||
@@ -143,8 +143,7 @@ static int get_pw_name(struct proxy_id_ctx *ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Both lookups went fine, we can save the user now */
|
|
||||||
- ret = save_user(dom, !dom->case_sensitive, pwd,
|
|
||||||
- real_name, i_name, dom->user_timeout);
|
|
||||||
+ ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout);
|
|
||||||
|
|
||||||
done:
|
|
||||||
talloc_zfree(tmpctx);
|
|
||||||
@@ -224,7 +223,7 @@ delete_user(struct sss_domain_info *domain,
|
|
||||||
}
|
|
||||||
|
|
||||||
static int save_user(struct sss_domain_info *domain,
|
|
||||||
- bool lowercase, struct passwd *pwd, const char *real_name,
|
|
||||||
+ struct passwd *pwd, const char *real_name,
|
|
||||||
const char *alias, uint64_t cache_timeout)
|
|
||||||
{
|
|
||||||
const char *shell;
|
|
||||||
@@ -246,7 +245,7 @@ static int save_user(struct sss_domain_info *domain,
|
|
||||||
gecos = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (lowercase || alias) {
|
|
||||||
+ if (!domain->case_sensitive || alias) {
|
|
||||||
attrs = sysdb_new_attrs(NULL);
|
|
||||||
if (!attrs) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n");
|
|
||||||
@@ -255,7 +254,7 @@ static int save_user(struct sss_domain_info *domain,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (lowercase) {
|
|
||||||
+ if (!domain->case_sensitive) {
|
|
||||||
lc_pw_name = sss_tc_utf8_str_tolower(attrs, real_name);
|
|
||||||
if (lc_pw_name == NULL) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
|
|
||||||
@@ -273,7 +272,7 @@ static int save_user(struct sss_domain_info *domain,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (alias) {
|
|
||||||
- cased_alias = sss_get_cased_name(attrs, alias, !lowercase);
|
|
||||||
+ cased_alias = sss_get_cased_name(attrs, alias, domain->case_sensitive);
|
|
||||||
if (!cased_alias) {
|
|
||||||
ret = ENOMEM;
|
|
||||||
goto done;
|
|
||||||
@@ -366,8 +365,7 @@ static int get_pw_uid(struct proxy_id_ctx *ctx,
|
|
||||||
pwd->pw_name);
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
- ret = save_user(dom, !dom->case_sensitive, pwd,
|
|
||||||
- name, NULL, dom->user_timeout);
|
|
||||||
+ ret = save_user(dom, pwd, name, NULL, dom->user_timeout);
|
|
||||||
|
|
||||||
done:
|
|
||||||
talloc_zfree(tmpctx);
|
|
||||||
@@ -497,8 +495,7 @@ static int enum_users(TALLOC_CTX *mem_ctx,
|
|
||||||
pwd->pw_name);
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
- ret = save_user(dom, !dom->case_sensitive, pwd,
|
|
||||||
- name, NULL, dom->user_timeout);
|
|
||||||
+ ret = save_user(dom, pwd, name, NULL, dom->user_timeout);
|
|
||||||
if (ret) {
|
|
||||||
/* Do not fail completely on errors.
|
|
||||||
* Just report the failure to save and go on */
|
|
||||||
@@ -1331,8 +1328,7 @@ static int get_initgr(TALLOC_CTX *mem_ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = save_user(dom, !dom->case_sensitive, pwd,
|
|
||||||
- real_name, i_name, dom->user_timeout);
|
|
||||||
+ ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout);
|
|
||||||
if (ret) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "Could not save user\n");
|
|
||||||
goto fail;
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,92 +0,0 @@
|
|||||||
From 87bce14e200e16b3f6ec9a79333b2a9da0274fbf Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Wed, 24 Aug 2016 13:25:44 +0200
|
|
||||||
Subject: [PATCH 16/39] PROXY: Remove cache_timeout attribute from save_user()
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
As this function already receives a struct sss_domain_info * parameter
|
|
||||||
as argument, we can simply get the cache_timeout attribute by accessing
|
|
||||||
domain->user_timeout.
|
|
||||||
|
|
||||||
Related:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3134
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 2537fe318a3866780abca100cf6eb7c258f9d02b)
|
|
||||||
---
|
|
||||||
src/providers/proxy/proxy_id.c | 14 +++++++-------
|
|
||||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
|
|
||||||
index ff2631c9b493c8c688919139114da5520b428e04..bdcac66319897981c21e7fd7da7334ee97d010f6 100644
|
|
||||||
--- a/src/providers/proxy/proxy_id.c
|
|
||||||
+++ b/src/providers/proxy/proxy_id.c
|
|
||||||
@@ -32,7 +32,7 @@
|
|
||||||
|
|
||||||
static int save_user(struct sss_domain_info *domain,
|
|
||||||
struct passwd *pwd, const char *real_name,
|
|
||||||
- const char *alias, uint64_t cache_timeout);
|
|
||||||
+ const char *alias);
|
|
||||||
|
|
||||||
static int
|
|
||||||
handle_getpw_result(enum nss_status status, struct passwd *pwd,
|
|
||||||
@@ -143,7 +143,7 @@ static int get_pw_name(struct proxy_id_ctx *ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Both lookups went fine, we can save the user now */
|
|
||||||
- ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout);
|
|
||||||
+ ret = save_user(dom, pwd, real_name, i_name);
|
|
||||||
|
|
||||||
done:
|
|
||||||
talloc_zfree(tmpctx);
|
|
||||||
@@ -224,7 +224,7 @@ delete_user(struct sss_domain_info *domain,
|
|
||||||
|
|
||||||
static int save_user(struct sss_domain_info *domain,
|
|
||||||
struct passwd *pwd, const char *real_name,
|
|
||||||
- const char *alias, uint64_t cache_timeout)
|
|
||||||
+ const char *alias)
|
|
||||||
{
|
|
||||||
const char *shell;
|
|
||||||
const char *gecos;
|
|
||||||
@@ -299,7 +299,7 @@ static int save_user(struct sss_domain_info *domain,
|
|
||||||
NULL,
|
|
||||||
attrs,
|
|
||||||
NULL,
|
|
||||||
- cache_timeout,
|
|
||||||
+ domain->user_timeout,
|
|
||||||
0);
|
|
||||||
if (ret) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "Could not add user to cache\n");
|
|
||||||
@@ -365,7 +365,7 @@ static int get_pw_uid(struct proxy_id_ctx *ctx,
|
|
||||||
pwd->pw_name);
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
- ret = save_user(dom, pwd, name, NULL, dom->user_timeout);
|
|
||||||
+ ret = save_user(dom, pwd, name, NULL);
|
|
||||||
|
|
||||||
done:
|
|
||||||
talloc_zfree(tmpctx);
|
|
||||||
@@ -495,7 +495,7 @@ static int enum_users(TALLOC_CTX *mem_ctx,
|
|
||||||
pwd->pw_name);
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
- ret = save_user(dom, pwd, name, NULL, dom->user_timeout);
|
|
||||||
+ ret = save_user(dom, pwd, name, NULL);
|
|
||||||
if (ret) {
|
|
||||||
/* Do not fail completely on errors.
|
|
||||||
* Just report the failure to save and go on */
|
|
||||||
@@ -1328,7 +1328,7 @@ static int get_initgr(TALLOC_CTX *mem_ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout);
|
|
||||||
+ ret = save_user(dom, pwd, real_name, i_name);
|
|
||||||
if (ret) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "Could not save user\n");
|
|
||||||
goto fail;
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,76 +0,0 @@
|
|||||||
From c919d358561f4b26b4017f4379fc7b9b791f5cd8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Wed, 24 Aug 2016 13:29:17 +0200
|
|
||||||
Subject: [PATCH 17/39] PROXY: Remove cache_timeout attribute from save_group()
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
As this function already receives a struct sss_domain_info * parameter
|
|
||||||
as argument, we can simply get the cache_timeout attribute by accessing
|
|
||||||
domain->group_timeout.
|
|
||||||
|
|
||||||
Related:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3134
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 221d70ae3c5b7bc7384f57ffd3f88f89a3e6ae6a)
|
|
||||||
---
|
|
||||||
src/providers/proxy/proxy_id.c | 12 +++++-------
|
|
||||||
1 file changed, 5 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
|
|
||||||
index bdcac66319897981c21e7fd7da7334ee97d010f6..c4d68f8e6855941dda386658758c37b4c9080712 100644
|
|
||||||
--- a/src/providers/proxy/proxy_id.c
|
|
||||||
+++ b/src/providers/proxy/proxy_id.c
|
|
||||||
@@ -558,8 +558,7 @@ static errno_t proxy_process_missing_users(struct sysdb_ctx *sysdb,
|
|
||||||
static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom,
|
|
||||||
struct group *grp,
|
|
||||||
const char *real_name, /* already qualified */
|
|
||||||
- const char *alias, /* already qualified */
|
|
||||||
- uint64_t cache_timeout)
|
|
||||||
+ const char *alias) /* already qualified */
|
|
||||||
{
|
|
||||||
errno_t ret, sret;
|
|
||||||
struct sysdb_attrs *attrs = NULL;
|
|
||||||
@@ -664,7 +663,7 @@ static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom,
|
|
||||||
real_name,
|
|
||||||
grp->gr_gid,
|
|
||||||
attrs,
|
|
||||||
- cache_timeout,
|
|
||||||
+ dom->group_timeout,
|
|
||||||
now);
|
|
||||||
if (ret) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "Could not add group to cache\n");
|
|
||||||
@@ -947,7 +946,7 @@ static int get_gr_name(struct proxy_id_ctx *ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = save_group(sysdb, dom, grp, real_name, i_name, dom->group_timeout);
|
|
||||||
+ ret = save_group(sysdb, dom, grp, real_name, i_name);
|
|
||||||
if (ret) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
"Cannot save group [%d]: %s\n", ret, strerror(ret));
|
|
||||||
@@ -1032,7 +1031,7 @@ static int get_gr_gid(TALLOC_CTX *mem_ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = save_group(sysdb, dom, grp, name, NULL, dom->group_timeout);
|
|
||||||
+ ret = save_group(sysdb, dom, grp, name, NULL);
|
|
||||||
if (ret) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
"Cannot save user [%d]: %s\n", ret, strerror(ret));
|
|
||||||
@@ -1165,8 +1164,7 @@ static int enum_groups(TALLOC_CTX *mem_ctx,
|
|
||||||
"Ignoring\n");
|
|
||||||
ret = ENOMEM;
|
|
||||||
}
|
|
||||||
- ret = save_group(sysdb, dom, grp, name,
|
|
||||||
- NULL, dom->group_timeout);
|
|
||||||
+ ret = save_group(sysdb, dom, grp, name, NULL);
|
|
||||||
if (ret) {
|
|
||||||
/* Do not fail completely on errors.
|
|
||||||
* Just report the failure to save and go on */
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,40 +0,0 @@
|
|||||||
From 232b543cb667cbd0769608b4e5c790ab73f4c2b4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Wed, 24 Aug 2016 13:32:10 +0200
|
|
||||||
Subject: [PATCH 18/39] PROXY: Mention that save_user()'s parameters are
|
|
||||||
already qualified
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Those comments are similar to what we have in the save_group() function.
|
|
||||||
|
|
||||||
Related:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3134
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 9900d2b153ebb7d994ccd05275f18b973556d5b3)
|
|
||||||
---
|
|
||||||
src/providers/proxy/proxy_id.c | 5 +++--
|
|
||||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
|
|
||||||
index c4d68f8e6855941dda386658758c37b4c9080712..921b5253a5ffe90526c73b8078067d69f83c75e6 100644
|
|
||||||
--- a/src/providers/proxy/proxy_id.c
|
|
||||||
+++ b/src/providers/proxy/proxy_id.c
|
|
||||||
@@ -223,8 +223,9 @@ delete_user(struct sss_domain_info *domain,
|
|
||||||
}
|
|
||||||
|
|
||||||
static int save_user(struct sss_domain_info *domain,
|
|
||||||
- struct passwd *pwd, const char *real_name,
|
|
||||||
- const char *alias)
|
|
||||||
+ struct passwd *pwd,
|
|
||||||
+ const char *real_name, /* already qualified */
|
|
||||||
+ const char *alias) /* already qualified */
|
|
||||||
{
|
|
||||||
const char *shell;
|
|
||||||
const char *gecos;
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,222 +0,0 @@
|
|||||||
From b05544a1ba3b49a880b14c8c5c9cafa378c86e24 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Wed, 24 Aug 2016 14:28:42 +0200
|
|
||||||
Subject: [PATCH 19/39] PROXY: Share common code of save_{group,user}()
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
These two functions (save_user() and save_group()) share, between
|
|
||||||
themselves, the code preparing the attributes that are going to be
|
|
||||||
stored in the sysdb.
|
|
||||||
|
|
||||||
This patch basically splits this code out of those functions and
|
|
||||||
introduces the new prepare_attrs_for_saving_ops().
|
|
||||||
|
|
||||||
Related:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3134
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 69e8b7fcb9e3dc814a9ffc2a97fa656521cc4505)
|
|
||||||
---
|
|
||||||
src/providers/proxy/proxy_id.c | 155 +++++++++++++++++++----------------------
|
|
||||||
1 file changed, 70 insertions(+), 85 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
|
|
||||||
index 921b5253a5ffe90526c73b8078067d69f83c75e6..48f552925447d1f31c4282e89a5994364dbc074d 100644
|
|
||||||
--- a/src/providers/proxy/proxy_id.c
|
|
||||||
+++ b/src/providers/proxy/proxy_id.c
|
|
||||||
@@ -222,6 +222,68 @@ delete_user(struct sss_domain_info *domain,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int
|
|
||||||
+prepare_attrs_for_saving_ops(TALLOC_CTX *mem_ctx,
|
|
||||||
+ bool case_sensitive,
|
|
||||||
+ const char *real_name, /* already_qualified */
|
|
||||||
+ const char *alias, /* already qualified */
|
|
||||||
+ struct sysdb_attrs **attrs)
|
|
||||||
+{
|
|
||||||
+ const char *lc_name = NULL;
|
|
||||||
+ const char *cased_alias = NULL;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ if (!case_sensitive || alias != NULL) {
|
|
||||||
+ if (*attrs == NULL) {
|
|
||||||
+ *attrs = sysdb_new_attrs(mem_ctx);
|
|
||||||
+ if (*attrs == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!case_sensitive) {
|
|
||||||
+ lc_name = sss_tc_utf8_str_tolower(*attrs, real_name);
|
|
||||||
+ if (lc_name == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sysdb_attrs_add_string(*attrs, SYSDB_NAME_ALIAS, lc_name);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (alias != NULL) {
|
|
||||||
+ cased_alias = sss_get_cased_name(*attrs, alias, case_sensitive);
|
|
||||||
+ if (cased_alias == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Add the alias only if it differs from lowercased pw_name */
|
|
||||||
+ if (lc_name == NULL || strcmp(cased_alias, lc_name) != 0) {
|
|
||||||
+ ret = sysdb_attrs_add_string(*attrs, SYSDB_NAME_ALIAS,
|
|
||||||
+ cased_alias);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = EOK;
|
|
||||||
+done:
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int save_user(struct sss_domain_info *domain,
|
|
||||||
struct passwd *pwd,
|
|
||||||
const char *real_name, /* already qualified */
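Review bot: In the lowercase branch of prepare_attrs_for_saving_ops() a failure of sysdb_attrs_add_string() is replaced with `ret = ENOMEM;`, while the alias branch a few lines below returns the real error code. Drop the overwrite so both branches report what actually failed. The helper also allocates `*attrs` when it is NULL and leaves it set on the error paths, and save_user() calls it with a NULL `mem_ctx` (hunk at -246), so the caller has to free it on failure; whether save_user's `done:` does that is outside the visible hunks. A short header comment stating that `attrs` is an in/out parameter and who owns the allocation would make this explicit. The comment `/* Add the alias only if it differs from lowercased pw_name */` should say `name`, now that groups share the code.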
|
|
||||||
@@ -231,8 +293,6 @@ static int save_user(struct sss_domain_info *domain,
|
|
||||||
const char *gecos;
|
|
||||||
struct sysdb_attrs *attrs = NULL;
|
|
||||||
errno_t ret;
|
|
||||||
- const char *cased_alias;
|
|
||||||
- const char *lc_pw_name = NULL;
|
|
||||||
|
|
||||||
if (pwd->pw_shell && pwd->pw_shell[0] != '\0') {
|
|
||||||
shell = pwd->pw_shell;
|
|
||||||
@@ -246,47 +306,10 @@ static int save_user(struct sss_domain_info *domain,
|
|
||||||
gecos = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!domain->case_sensitive || alias) {
|
|
||||||
- attrs = sysdb_new_attrs(NULL);
|
|
||||||
- if (!attrs) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n");
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (!domain->case_sensitive) {
|
|
||||||
- lc_pw_name = sss_tc_utf8_str_tolower(attrs, real_name);
|
|
||||||
- if (lc_pw_name == NULL) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, lc_pw_name);
|
|
||||||
- if (ret) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (alias) {
|
|
||||||
- cased_alias = sss_get_cased_name(attrs, alias, domain->case_sensitive);
|
|
||||||
- if (!cased_alias) {
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* Add the alias only if it differs from lowercased pw_name */
|
|
||||||
- if (lc_pw_name == NULL || strcmp(cased_alias, lc_pw_name) != 0) {
|
|
||||||
- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, cased_alias);
|
|
||||||
- if (ret) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
+ ret = prepare_attrs_for_saving_ops(NULL, domain->case_sensitive,
|
|
||||||
+ real_name, alias, &attrs);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = sysdb_store_user(domain,
|
|
||||||
@@ -563,8 +586,6 @@ static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom,
|
|
||||||
{
|
|
||||||
errno_t ret, sret;
|
|
||||||
struct sysdb_attrs *attrs = NULL;
|
|
||||||
- const char *cased_alias;
|
|
||||||
- const char *lc_gr_name = NULL;
|
|
||||||
TALLOC_CTX *tmp_ctx;
|
|
||||||
time_t now = time(NULL);
|
|
||||||
bool in_transaction = false;
|
|
||||||
@@ -618,46 +639,10 @@ static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (dom->case_sensitive == false || alias) {
|
|
||||||
- if (!attrs) {
|
|
||||||
- attrs = sysdb_new_attrs(tmp_ctx);
|
|
||||||
- if (!attrs) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n");
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (dom->case_sensitive == false) {
|
|
||||||
- lc_gr_name = sss_tc_utf8_str_tolower(attrs, real_name);
|
|
||||||
- if (lc_gr_name == NULL) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, lc_gr_name);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (alias) {
|
|
||||||
- cased_alias = sss_get_cased_name(attrs, alias, dom->case_sensitive);
|
|
||||||
- if (!cased_alias) {
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (lc_gr_name == NULL || strcmp(cased_alias, lc_gr_name)) {
|
|
||||||
- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, cased_alias);
|
|
||||||
- if (ret) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
+ ret = prepare_attrs_for_saving_ops(tmp_ctx, dom->case_sensitive,
|
|
||||||
+ real_name, alias, &attrs);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = sysdb_store_group(dom,
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From 007341bedfcc7e356f4bcb1af8b29acab133300a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Mon, 29 Aug 2016 09:13:49 +0200
|
|
||||||
Subject: [PATCH 20/39] SYSDB: Fix uninitialized scalar variable
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The boolean variable newly_created could be used uninitialized
|
|
||||||
in done section in case of failure. The variable was firstly initialized
|
|
||||||
to true after succesfull execution of function sysdb_cache_create_empty.
|
|
||||||
|
|
||||||
Uninitialized variable usually means true for boolean variable.
|
|
||||||
|
|
||||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
(cherry picked from commit 975d0b67a40847265523d195438bf4753d18ff1c)
|
|
||||||
---
|
|
||||||
src/db/sysdb_init.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
|
|
||||||
index c387c1b12c116f38d5a13f1adeac5ef64d593af8..d110aa7a2878e47650db177cfd342d0ac32248ab 100644
|
|
||||||
--- a/src/db/sysdb_init.c
|
|
||||||
+++ b/src/db/sysdb_init.c
|
|
||||||
@@ -545,7 +545,7 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
|
|
||||||
const char *version = NULL;
|
|
||||||
int ret;
|
|
||||||
struct ldb_context *ldb;
|
|
||||||
- bool newly_created;
|
|
||||||
+ bool newly_created = false;
|
|
||||||
|
|
||||||
tmp_ctx = talloc_new(NULL);
|
|
||||||
if (!tmp_ctx) {
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,82 +0,0 @@
|
|||||||
From 9a3ae9e00405501c964b489ac3415482ba3b3974 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Thu, 18 Aug 2016 16:24:17 +0200
|
|
||||||
Subject: [PATCH 21/39] BUILD: Add a few more targets for intg tests
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Running "make intgcheck" has been proven to be a bit painful (mainly
|
|
||||||
when the developer is just writing down a single test case), as it
|
|
||||||
cleans up the build directory and fireis a new build before, finally,
|
|
||||||
run the tests.
|
|
||||||
|
|
||||||
In order to make it a little less painful, let's break the whole
|
|
||||||
operation into 3 new targets:
|
|
||||||
intgcheck-{prepare,run,clean}.
|
|
||||||
|
|
||||||
As expected, "make intgcheck" calls these 3 new operations in the same
|
|
||||||
order they were presented, not changing then the current behavior.
|
|
||||||
|
|
||||||
Each operation will trigger the previous one in case there is no
|
|
||||||
"$$prefix" directory created and the directory is _only_ created in the
|
|
||||||
very first operation (intghcheck-prepare).
|
|
||||||
|
|
||||||
A note must be done about how to run a simple test file or a simple test
|
|
||||||
from a test file when running "make intgcheck-run". The option always
|
|
||||||
been here but only makes sense now that we have the intgcheck split in a
|
|
||||||
few useful steps. See the examples below (and for more detailed
|
|
||||||
information, check the py.test documentation):
|
|
||||||
#Run a single file
|
|
||||||
make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_netgroup.py"
|
|
||||||
#Run a single test from a single file
|
|
||||||
make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_add_empty_netgroup"
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 6159c33125f8ee82e88d495ea2aa5d00018ea844)
|
|
||||||
---
|
|
||||||
Makefile.am | 17 +++++++++++++++--
|
|
||||||
1 file changed, 15 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index 6219682de0d1fd4b3a813ee2f95b8185531e62bf..6299ac7a7bf1c2ed41dfeeda7063c8901214941a 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -3076,7 +3076,7 @@ endif
|
|
||||||
# Integration tests #
|
|
||||||
#####################
|
|
||||||
|
|
||||||
-intgcheck:
|
|
||||||
+intgcheck-prepare:
|
|
||||||
echo "temporarily disabled"
|
|
||||||
set -e; \
|
|
||||||
rm -Rf intg; \
|
|
||||||
@@ -3096,10 +3096,23 @@ intgcheck:
|
|
||||||
$(MAKE) $(AM_MAKEFLAGS) -j1 install; \
|
|
||||||
: Remove .la files from LDB module directory to avoid loader warnings; \
|
|
||||||
rm "$$prefix"/lib/ldb/*.la; \
|
|
||||||
+ cd ../..
|
|
||||||
+
|
|
||||||
+intgcheck-run:
|
|
||||||
+ if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-build; fi; \
|
|
||||||
+ cd intg/bld; \
|
|
||||||
$(MAKE) $(AM_MAKEFLAGS) -C src/tests/intg intgcheck-installed; \
|
|
||||||
- cd ../..; \
|
|
||||||
+ cd ../..
|
|
||||||
+
|
|
||||||
+intgcheck-clean:
|
|
||||||
+ prefix=`readlink -e intg/pfx`; \
|
|
||||||
rm -Rf "$$prefix" intg
|
|
||||||
|
|
||||||
+intgcheck:
|
|
||||||
+ $(MAKE) intgcheck-prepare
|
|
||||||
+ $(MAKE) intgcheck-run
|
|
||||||
+ $(MAKE) intgcheck-clean
|
|
||||||
+
|
|
||||||
####################
|
|
||||||
# Client Libraries #
|
|
||||||
####################
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,60 +0,0 @@
|
|||||||
From 557e0e8c28a77b423a3746168a3be8e8a8d5462d Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Wed, 17 Aug 2016 21:08:23 +0200
|
|
||||||
Subject: [PATCH 22/39] BUILD: Clean up prerelease targets
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Clean up the pre-release targets in order to avoid lines exceeding 80
|
|
||||||
characters.
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 01d970a8afa6ffed82b3e8dda96e08118222e16e)
|
|
||||||
---
|
|
||||||
Makefile.am | 14 ++++++++++++--
|
|
||||||
1 file changed, 12 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index 6299ac7a7bf1c2ed41dfeeda7063c8901214941a..4a56d8b0a3ea49c9fae35bf5717871ea515813b8 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -4202,6 +4202,14 @@ rpmroot:
|
|
||||||
$(MKDIR_P) $(RPMBUILD)/SPECS
|
|
||||||
$(MKDIR_P) $(RPMBUILD)/SRPMS
|
|
||||||
|
|
||||||
+# pre-release related vars
|
|
||||||
+
|
|
||||||
+PR_VERSION_DATE := $(shell date +%Y%m%d.%H%M)
|
|
||||||
+PR_VERSION_COMMIT_HASH := $(shell git log -1 --pretty=format:%h)
|
|
||||||
+PR_VERSION_NUMBER = $(PR_VERSION_DATE).git$(PR_VERSION_COMMIT_HASH)
|
|
||||||
+PR_VERSION_REGEX = m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\])
|
|
||||||
+PR_VERSION_REPL = m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.$(PR_VERSION_NUMBER)\])
|
|
||||||
+
|
|
||||||
rpmbrprep: dist-gzip rpmroot
|
|
||||||
if GIT_CHECKOUT
|
|
||||||
# When we're building RPMs from a git checkout,
|
|
||||||
@@ -4219,7 +4227,8 @@ rpms: rpmbrprep
|
|
||||||
if GIT_CHECKOUT
|
|
||||||
prerelease-rpms:
|
|
||||||
cp $(srcdir)/version.m4 $(srcdir)/version.m4.orig
|
|
||||||
- sed -e "s/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\])/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.`date +%Y%m%d.%H%M`.git`git log -1 --pretty=format:%h`\])/" < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
|
|
||||||
+ sed -e "s/$(PR_VERSION_REGEX)/$(PR_VERSION_REPL)/" \
|
|
||||||
+ < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
|
|
||||||
$(MAKE) rpms
|
|
||||||
mv $(srcdir)/version.m4.orig $(srcdir)/version.m4
|
|
||||||
endif
|
|
||||||
@@ -4234,7 +4243,8 @@ srpm: rpmbrprep
|
|
||||||
if GIT_CHECKOUT
|
|
||||||
prerelease-srpm:
|
|
||||||
cp $(srcdir)/version.m4 $(srcdir)/version.m4.orig
|
|
||||||
- sed -e "s/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\])/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.`date +%Y%m%d.%H%M`.git`git log -1 --pretty=format:%h`\])/" < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
|
|
||||||
+ sed -e "s/$(PR_VERSION_REGEX)/$(PR_VERSION_REPL)/" \
|
|
||||||
+ < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
|
|
||||||
$(MAKE) srpm
|
|
||||||
mv $(srcdir)/version.m4.orig $(srcdir)/version.m4
|
|
||||||
endif
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From 665ef221b1c2144a78ed9f98263bb8b9acce6f6d Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Mon, 29 Aug 2016 16:01:59 +0200
|
|
||||||
Subject: [PATCH 23/39] BUILD: Fix typo in intgcheck-run rule
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
During the review process "intgcheck-build" ended up being merged to the
|
|
||||||
"intgcheck-prepare" rule.
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 9639cf410dd6ba9670748535811f061e0c475bc6)
|
|
||||||
---
|
|
||||||
Makefile.am | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index 4a56d8b0a3ea49c9fae35bf5717871ea515813b8..25a81b93b8881ec6dfa18397ddcc3430e6a3ebd0 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -3099,7 +3099,7 @@ intgcheck-prepare:
|
|
||||||
cd ../..
|
|
||||||
|
|
||||||
intgcheck-run:
|
|
||||||
- if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-build; fi; \
|
|
||||||
+ if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-prepare; fi; \
|
|
||||||
cd intg/bld; \
|
|
||||||
$(MAKE) $(AM_MAKEFLAGS) -C src/tests/intg intgcheck-installed; \
|
|
||||||
cd ../..
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,29 +0,0 @@
|
|||||||
From ce87fa6dd3fb47f28f9e80b730c50f23b099e835 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Mon, 29 Aug 2016 17:50:17 +0200
|
|
||||||
Subject: [PATCH 24/39] BUILD: Remove leftover after sysdb refactoring
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
(cherry picked from commit 4229ffb929bd7029f8b94d92099032d3350f5cf4)
|
|
||||||
---
|
|
||||||
Makefile.am | 1 -
|
|
||||||
1 file changed, 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index 25a81b93b8881ec6dfa18397ddcc3430e6a3ebd0..f89af5a9d6d26c732574aa3651de8c175f538b28 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -3077,7 +3077,6 @@ endif
|
|
||||||
#####################
|
|
||||||
|
|
||||||
intgcheck-prepare:
|
|
||||||
- echo "temporarily disabled"
|
|
||||||
set -e; \
|
|
||||||
rm -Rf intg; \
|
|
||||||
$(MKDIR_P) intg/bld; \
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,239 +0,0 @@
|
|||||||
From 854db7ed3fc4c0c58b1df0f93bb5b896eea417e8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Sun, 8 May 2016 14:41:35 +0200
|
|
||||||
Subject: [PATCH 25/39] MONITOR: Remove the no longer used diag_cmd command
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
After introducing the watchdog, the diag_cmd is longer used and makes no
|
|
||||||
sense trying to make it usable by watchdog as the result of "pstack %p"
|
|
||||||
seems next to useless in this context.
|
|
||||||
|
|
||||||
Related:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3051
|
|
||||||
|
|
||||||
Reviewed-by: Petr Čech <pcech@redhat.com>
|
|
||||||
(cherry picked from commit 1620f435dbe7013f985128dcdf001e9158cb00e3)
|
|
||||||
---
|
|
||||||
src/confdb/confdb.h | 1 -
|
|
||||||
src/monitor/monitor.c | 163 --------------------------------------------------
|
|
||||||
2 files changed, 164 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
||||||
index 72adbd80ea534eb0becd3e517c00b0c26d00444c..58a085ba954cf75a5c756d6f8fbd04e6fa49a687 100644
|
|
||||||
--- a/src/confdb/confdb.h
|
|
||||||
+++ b/src/confdb/confdb.h
|
|
||||||
@@ -73,7 +73,6 @@
|
|
||||||
#define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix"
|
|
||||||
#define CONFDB_MONITOR_OVERRIDE_SPACE "override_space"
|
|
||||||
#define CONFDB_MONITOR_USER_RUNAS "user"
|
|
||||||
-#define CONFDB_MONITOR_PRE_KILL_CMD "diag_cmd"
|
|
||||||
#define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
|
|
||||||
|
|
||||||
/* Both monitor and domains */
|
|
||||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
|
||||||
index 7a9ef569bbd565d6240cebed8493d0bd85aba89e..f97b2a960b1835540357714b608feac54c2d72c5 100644
|
|
||||||
--- a/src/monitor/monitor.c
|
|
||||||
+++ b/src/monitor/monitor.c
|
|
||||||
@@ -112,7 +112,6 @@ struct mt_svc {
|
|
||||||
char *identity;
|
|
||||||
pid_t pid;
|
|
||||||
|
|
||||||
- char *diag_cmd;
|
|
||||||
int kill_time;
|
|
||||||
|
|
||||||
struct tevent_timer *kill_timer;
|
|
||||||
@@ -373,77 +372,6 @@ static int add_svc_conn_spy(struct mt_svc *svc)
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static char *expand_diag_cmd(struct mt_svc *svc,
|
|
||||||
- const char *template)
|
|
||||||
-{
|
|
||||||
- TALLOC_CTX *tmp_ctx = NULL;
|
|
||||||
- char *copy;
|
|
||||||
- char *p_copy;
|
|
||||||
- char *n;
|
|
||||||
- char *result = NULL;
|
|
||||||
- char action;
|
|
||||||
- char *res = NULL;
|
|
||||||
-
|
|
||||||
- if (template == NULL) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Missing template.\n");
|
|
||||||
- return NULL;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- tmp_ctx = talloc_new(NULL);
|
|
||||||
- if (!tmp_ctx) return NULL;
|
|
||||||
-
|
|
||||||
- copy = talloc_strdup(tmp_ctx, template);
|
|
||||||
- if (copy == NULL) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- result = talloc_strdup(tmp_ctx, "");
|
|
||||||
- if (result == NULL) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- p_copy = copy;
|
|
||||||
- while ((n = strchr(p_copy, '%')) != NULL) {
|
|
||||||
- *n = '\0';
|
|
||||||
- n++;
|
|
||||||
- if ( *n == '\0' ) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "format error, single %% at the end of the template.\n");
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- action = *n;
|
|
||||||
- switch (action) {
|
|
||||||
- case 'p':
|
|
||||||
- result = talloc_asprintf_append(result, "%s%d", p_copy, svc->pid);
|
|
||||||
- break;
|
|
||||||
- default:
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "format error, unknown template [%%%c].\n", *n);
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (result == NULL) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n");
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- p_copy = n + 1;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- result = talloc_asprintf_append(result, "%s", p_copy);
|
|
||||||
- if (result == NULL) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n");
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- res = talloc_move(svc, &result);
|
|
||||||
-done:
|
|
||||||
- talloc_zfree(tmp_ctx);
|
|
||||||
- return res;
|
|
||||||
-}
|
|
||||||
|
|
||||||
static void svc_child_info(struct mt_svc *svc, int wait_status)
|
|
||||||
{
|
|
||||||
@@ -467,82 +395,6 @@ static void svc_child_info(struct mt_svc *svc, int wait_status)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void svc_diag_cmd_exit_handler(int pid, int wait_status, void *pvt)
|
|
||||||
-{
|
|
||||||
- struct mt_svc *svc = talloc_get_type(pvt, struct mt_svc);
|
|
||||||
-
|
|
||||||
- svc_child_info(svc, wait_status);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-static void svc_run_diag_cmd(struct mt_svc *svc)
|
|
||||||
-{
|
|
||||||
- pid_t pkc_pid;
|
|
||||||
- char **args;
|
|
||||||
- int ret;
|
|
||||||
- int debug_fd;
|
|
||||||
- char *diag_cmd;
|
|
||||||
- struct sss_child_ctx *diag_child_ctx;
|
|
||||||
-
|
|
||||||
- if (svc->diag_cmd == NULL) {
|
|
||||||
- return;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- pkc_pid = fork();
|
|
||||||
- if (pkc_pid != 0) {
|
|
||||||
- /* parent, schedule SIGKILL */
|
|
||||||
-
|
|
||||||
- ret = sss_child_register(svc,
|
|
||||||
- svc->mt_ctx->sigchld_ctx,
|
|
||||||
- pkc_pid,
|
|
||||||
- svc_diag_cmd_exit_handler,
|
|
||||||
- svc,
|
|
||||||
- &diag_child_ctx);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot register child %d\n", pkc_pid);
|
|
||||||
- /* Try to go on ... */
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- return;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* child, execute diagnostics */
|
|
||||||
- diag_cmd = expand_diag_cmd(svc, svc->diag_cmd);
|
|
||||||
- if (diag_cmd == NULL) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "Failed to expand [%s]\n", svc->diag_cmd);
|
|
||||||
- _exit(1);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (debug_level >= SSSDBG_TRACE_LIBS) {
|
|
||||||
- debug_fd = get_fd_from_debug_file();
|
|
||||||
- ret = dup2(debug_fd, STDERR_FILENO);
|
|
||||||
- if (ret == -1) {
|
|
||||||
- ret = errno;
|
|
||||||
- DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
- "dup2 failed for stderr [%d][%s].\n", ret, sss_strerror(ret));
|
|
||||||
- /* failure to redirect stderr is not fatal */
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ret = dup2(debug_fd, STDOUT_FILENO);
|
|
||||||
- if (ret == -1) {
|
|
||||||
- ret = errno;
|
|
||||||
- DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
- "dup2 failed for stdout [%d][%s].\n", ret, sss_strerror(ret));
|
|
||||||
- /* failure to redirect stdout is not fatal */
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- args = parse_args(diag_cmd);
|
|
||||||
- execvp(args[0], args);
|
|
||||||
-
|
|
||||||
- /* If we are here, exec() has failed
|
|
||||||
- * Print errno and abort quickly */
|
|
||||||
- ret = errno;
|
|
||||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
- "Could not exec %s, reason: %s\n", svc->diag_cmd, strerror(ret));
|
|
||||||
- _exit(1);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
static int mark_service_as_started(struct mt_svc *svc)
|
|
||||||
{
|
|
||||||
struct mt_ctx *ctx = svc->mt_ctx;
|
|
||||||
@@ -712,8 +564,6 @@ static int monitor_kill_service (struct mt_svc *svc)
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
- svc_run_diag_cmd(svc);
|
|
||||||
-
|
|
||||||
/* Set up a timer to send SIGKILL if this process
|
|
||||||
* doesn't exit within the configured interval
|
|
||||||
*/
|
|
||||||
@@ -1147,19 +997,6 @@ static errno_t get_kill_config(struct mt_ctx *ctx, const char *path,
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
|
|
||||||
- ret = confdb_get_string(ctx->cdb, svc, path,
|
|
||||||
- CONFDB_MONITOR_PRE_KILL_CMD,
|
|
||||||
- NULL, &svc->diag_cmd);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "Failed to get diagnostics command for %s\n", svc->name);
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
- if (svc->diag_cmd) {
|
|
||||||
- DEBUG(SSSDBG_CONF_SETTINGS,
|
|
||||||
- "Diagnostics command: [%s]\n", svc->diag_cmd);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
ret = confdb_get_int(ctx->cdb, path,
|
|
||||||
CONFDB_SERVICE_FORCE_TIMEOUT,
|
|
||||||
MONITOR_DEF_FORCE_TIME, &svc->kill_time);
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,289 +0,0 @@
|
|||||||
From 10e635167418fdf7a896b2cb3d095fd345053103 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Sun, 8 May 2016 14:46:25 +0200
|
|
||||||
Subject: [PATCH 26/39] MONITOR: Remove the no longer used kill_service command
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
After introducing the watchdog, the force_timeout option is no longer
|
|
||||||
used.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3052
|
|
||||||
|
|
||||||
Reviewed-by: Petr Čech <pcech@redhat.com>
|
|
||||||
(cherry picked from commit fa93cd0f0fc75a6d635079e67788f8a9fe183c3c)
|
|
||||||
---
|
|
||||||
src/confdb/confdb.h | 1 -
|
|
||||||
src/man/sssd.conf.5.xml | 33 ------------
|
|
||||||
src/monitor/monitor.c | 141 ------------------------------------------------
|
|
||||||
3 files changed, 175 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
||||||
index 58a085ba954cf75a5c756d6f8fbd04e6fa49a687..401e5fbf7ed6bb9e8d7158dfab378c8159aa03db 100644
|
|
||||||
--- a/src/confdb/confdb.h
|
|
||||||
+++ b/src/confdb/confdb.h
|
|
||||||
@@ -58,7 +58,6 @@
|
|
||||||
#define CONFDB_SERVICE_DEBUG_TIMESTAMPS "debug_timestamps"
|
|
||||||
#define CONFDB_SERVICE_DEBUG_MICROSECONDS "debug_microseconds"
|
|
||||||
#define CONFDB_SERVICE_DEBUG_TO_FILES "debug_to_files"
|
|
||||||
-#define CONFDB_SERVICE_FORCE_TIMEOUT "force_timeout"
|
|
||||||
#define CONFDB_SERVICE_RECON_RETRIES "reconnection_retries"
|
|
||||||
#define CONFDB_SERVICE_FD_LIMIT "fd_limit"
|
|
||||||
#define CONFDB_SERVICE_ALLOWED_UIDS "allowed_uids"
|
|
||||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
||||||
index e95a7e7e213e07c15e79185730d481e5afceb69c..ae291e0fc8f2f9afabcdf32f18a5ec12252bbbbf 100644
|
|
||||||
--- a/src/man/sssd.conf.5.xml
|
|
||||||
+++ b/src/man/sssd.conf.5.xml
|
|
||||||
@@ -549,22 +549,6 @@
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
<varlistentry>
|
|
||||||
- <term>force_timeout (integer)</term>
|
|
||||||
- <listitem>
|
|
||||||
- <para>
|
|
||||||
- If a service is not responding to ping checks (see
|
|
||||||
- the <quote>timeout</quote> option), it is first sent
|
|
||||||
- the SIGTERM signal that instructs it to quit gracefully.
|
|
||||||
- If the service does not terminate after <quote>force_timeout</quote>
|
|
||||||
- seconds, the monitor will forcibly shut it down by
|
|
||||||
- sending a SIGKILL signal.
|
|
||||||
- </para>
|
|
||||||
- <para>
|
|
||||||
- Default: 60
|
|
||||||
- </para>
|
|
||||||
- </listitem>
|
|
||||||
- </varlistentry>
|
|
||||||
- <varlistentry>
|
|
||||||
<term>offline_timeout (integer)</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
@@ -1453,23 +1437,6 @@ pam_account_locked_message = Account locked, please contact help desk.
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
- <term>force_timeout (integer)</term>
|
|
||||||
- <listitem>
|
|
||||||
- <para>
|
|
||||||
- If a service is not responding to ping checks (see
|
|
||||||
- the <quote>timeout</quote> option), it is first sent
|
|
||||||
- the SIGTERM signal that instructs it to quit gracefully.
|
|
||||||
- If the service does not terminate after <quote>force_timeout</quote>
|
|
||||||
- seconds, the monitor will forcibly shut it down by
|
|
||||||
- sending a SIGKILL signal.
|
|
||||||
- </para>
|
|
||||||
- <para>
|
|
||||||
- Default: 60
|
|
||||||
- </para>
|
|
||||||
- </listitem>
|
|
||||||
- </varlistentry>
|
|
||||||
-
|
|
||||||
- <varlistentry>
|
|
||||||
<term>entry_cache_timeout (integer)</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
|
||||||
index f97b2a960b1835540357714b608feac54c2d72c5..1f89c5a79feab8a921ce2f9132763b37ab506596 100644
|
|
||||||
--- a/src/monitor/monitor.c
|
|
||||||
+++ b/src/monitor/monitor.c
|
|
||||||
@@ -114,8 +114,6 @@ struct mt_svc {
|
|
||||||
|
|
||||||
int kill_time;
|
|
||||||
|
|
||||||
- struct tevent_timer *kill_timer;
|
|
||||||
-
|
|
||||||
bool svc_started;
|
|
||||||
|
|
||||||
int restarts;
|
|
||||||
@@ -176,8 +174,6 @@ static int monitor_service_init(struct sbus_connection *conn, void *data);
|
|
||||||
|
|
||||||
static int service_signal_reset_offline(struct mt_svc *svc);
|
|
||||||
|
|
||||||
-static int monitor_kill_service (struct mt_svc *svc);
|
|
||||||
-
|
|
||||||
static int get_service_config(struct mt_ctx *ctx, const char *name,
|
|
||||||
struct mt_svc **svc_cfg);
|
|
||||||
static int get_provider_config(struct mt_ctx *ctx, const char *name,
|
|
||||||
@@ -542,95 +538,6 @@ static int monitor_dbus_init(struct mt_ctx *ctx)
|
|
||||||
}
|
|
||||||
|
|
||||||
static void monitor_restart_service(struct mt_svc *svc);
|
|
||||||
-static void mt_svc_sigkill(struct tevent_context *ev,
|
|
||||||
- struct tevent_timer *te,
|
|
||||||
- struct timeval t, void *ptr);
|
|
||||||
-static int monitor_kill_service (struct mt_svc *svc)
|
|
||||||
-{
|
|
||||||
- int ret;
|
|
||||||
- struct timeval tv;
|
|
||||||
-
|
|
||||||
- ret = kill(svc->pid, SIGTERM);
|
|
||||||
- if (ret == -1) {
|
|
||||||
- ret = errno;
|
|
||||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
- "Sending signal to child (%s:%d) failed: [%d]: %s! "
|
|
||||||
- "Ignore and pretend child is dead.\n",
|
|
||||||
- svc->name, svc->pid, ret, strerror(ret));
|
|
||||||
- /* The only thing we can try here is to launch a new process
|
|
||||||
- * and hope that it works.
|
|
||||||
- */
|
|
||||||
- monitor_restart_service(svc);
|
|
||||||
- return EOK;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* Set up a timer to send SIGKILL if this process
|
|
||||||
- * doesn't exit within the configured interval
|
|
||||||
- */
|
|
||||||
- tv = tevent_timeval_current_ofs(svc->kill_time, 0);
|
|
||||||
- svc->kill_timer = tevent_add_timer(svc->mt_ctx->ev,
|
|
||||||
- svc,
|
|
||||||
- tv,
|
|
||||||
- mt_svc_sigkill,
|
|
||||||
- svc);
|
|
||||||
- if (svc->kill_timer == NULL) {
|
|
||||||
- /* Nothing much we can do */
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "Failed to allocate timed event: mt_svc_sigkill.\n");
|
|
||||||
- /* We'll just have to hope that the SIGTERM succeeds */
|
|
||||||
- }
|
|
||||||
- return EOK;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-static void mt_svc_sigkill(struct tevent_context *ev,
|
|
||||||
- struct tevent_timer *te,
|
|
||||||
- struct timeval t, void *ptr)
|
|
||||||
-{
|
|
||||||
- int ret;
|
|
||||||
- struct mt_svc *svc = talloc_get_type(ptr, struct mt_svc);
|
|
||||||
-
|
|
||||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
- "[%s][%d] is not responding to SIGTERM. Sending SIGKILL.\n",
|
|
||||||
- svc->name, svc->pid);
|
|
||||||
- sss_log(SSS_LOG_ERR,
|
|
||||||
- "[%s][%d] is not responding to SIGTERM. Sending SIGKILL.\n",
|
|
||||||
- svc->name, svc->pid);
|
|
||||||
-
|
|
||||||
- /* timer was succesfully executed and it will be released by tevent */
|
|
||||||
- svc->kill_timer = NULL;
|
|
||||||
-
|
|
||||||
- ret = kill(svc->pid, SIGKILL);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- ret = errno;
|
|
||||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
- "Sending signal to child (%s:%d) failed! "
|
|
||||||
- "Ignore and pretend child is dead.\n",
|
|
||||||
- svc->name, svc->pid);
|
|
||||||
-
|
|
||||||
- if (ret == ESRCH) {
|
|
||||||
- /* The process doesn't exist
|
|
||||||
- * This most likely means we hit a race where
|
|
||||||
- * the SIGTERM concluded just after the timer
|
|
||||||
- * fired but before we called kill() here.
|
|
||||||
- * We'll just do nothing, since the
|
|
||||||
- * mt_svc_exit_handler() should be doing the
|
|
||||||
- * necessary work.
|
|
||||||
- */
|
|
||||||
- return;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* Something went really wrong.
|
|
||||||
- * The only thing we can try here is to launch a new process
|
|
||||||
- * and hope that it works.
|
|
||||||
- */
|
|
||||||
- monitor_restart_service(svc);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* The process should terminate immediately and then be
|
|
||||||
- * restarted by the mt_svc_exit_handler()
|
|
||||||
- */
|
|
||||||
- return;
|
|
||||||
-}
|
|
||||||
|
|
||||||
static void reload_reply(DBusPendingCall *pending, void *data)
|
|
||||||
{
|
|
||||||
@@ -708,7 +615,6 @@ static int service_signal(struct mt_svc *svc, const char *svc_signal)
|
|
||||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
"Out of memory trying to allocate memory to invoke: %s\n",
|
|
||||||
svc_signal);
|
|
||||||
- monitor_kill_service(svc);
|
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -992,32 +898,6 @@ static int get_monitor_config(struct mt_ctx *ctx)
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static errno_t get_kill_config(struct mt_ctx *ctx, const char *path,
|
|
||||||
- struct mt_svc *svc)
|
|
||||||
-{
|
|
||||||
- errno_t ret;
|
|
||||||
-
|
|
||||||
- ret = confdb_get_int(ctx->cdb, path,
|
|
||||||
- CONFDB_SERVICE_FORCE_TIMEOUT,
|
|
||||||
- MONITOR_DEF_FORCE_TIME, &svc->kill_time);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "Failed to get kill timeout for %s\n", svc->name);
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* 'force_timeout = 0' should be translated to the default */
|
|
||||||
- if (svc->kill_time == 0) {
|
|
||||||
- svc->kill_time = MONITOR_DEF_FORCE_TIME;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- DEBUG(SSSDBG_CONF_SETTINGS,
|
|
||||||
- "Time between SIGTERM and SIGKILL for [%s]: [%d]\n",
|
|
||||||
- svc->name, svc->kill_time);
|
|
||||||
-
|
|
||||||
- return EOK;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/* This is a temporary function that returns false if the service
|
|
||||||
* being started was only tested when running as root.
|
|
||||||
*/
|
|
||||||
@@ -1154,14 +1034,6 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = get_kill_config(ctx, path, svc);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "Failed to get kill timeouts for %s\n", svc->name);
|
|
||||||
- talloc_free(svc);
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
svc->last_restart = now;
|
|
||||||
|
|
||||||
*svc_cfg = svc;
|
|
||||||
@@ -1249,14 +1121,6 @@ static int get_provider_config(struct mt_ctx *ctx, const char *name,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = get_kill_config(ctx, path, svc);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
- "Failed to get kill timeouts for %s\n", svc->name);
|
|
||||||
- talloc_free(svc);
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
talloc_free(path);
|
|
||||||
|
|
||||||
/* if no provider is present do not run the domain */
|
|
||||||
@@ -2540,11 +2404,6 @@ static void mt_svc_exit_handler(int pid, int wait_status, void *pvt)
|
|
||||||
"SIGCHLD handler of service %s called\n", svc->name);
|
|
||||||
svc_child_info(svc, wait_status);
|
|
||||||
|
|
||||||
- /* Clear the kill_timer so we don't try to SIGKILL it after it's
|
|
||||||
- * already gone.
|
|
||||||
- */
|
|
||||||
- talloc_zfree(svc->kill_timer);
|
|
||||||
-
|
|
||||||
/* Check the number of restart tries and relaunch the service */
|
|
||||||
monitor_restart_service(svc);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From e293e3a1418e95560498f29147c4e5b1be0b729a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Mon, 15 Aug 2016 12:54:20 +0200
|
|
||||||
Subject: [PATCH 27/39] WATCHDOG: define and use _MAX_TICKS as 3
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Instead of using the number 3 directly, let's introduce and use
|
|
||||||
WATCHDOG_MAX_TICKS.
|
|
||||||
|
|
||||||
Reviewed-by: Petr Čech <pcech@redhat.com>
|
|
||||||
(cherry picked from commit d7075a255a1f28e890539072e06d0140ffe0927c)
|
|
||||||
---
|
|
||||||
src/util/util_watchdog.c | 6 +++---
|
|
||||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
|
|
||||||
index 1c27d73f13b3042ecb549a2184e1368e8339d199..c184fbd759bdbca4a9eae379ff0d87e2d1628470 100644
|
|
||||||
--- a/src/util/util_watchdog.c
|
|
||||||
+++ b/src/util/util_watchdog.c
|
|
||||||
@@ -22,6 +22,7 @@
|
|
||||||
#include "util/util.h"
|
|
||||||
|
|
||||||
#define WATCHDOG_DEF_INTERVAL 10
|
|
||||||
+#define WATCHDOG_MAX_TICKS 3
|
|
||||||
|
|
||||||
/* this is intentionally a global variable */
|
|
||||||
struct watchdog_ctx {
|
|
||||||
@@ -75,9 +76,8 @@ static void watchdog_handler(int sig)
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* if 3 ticks passed by kills itself */
|
|
||||||
-
|
|
||||||
- if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > 3) {
|
|
||||||
+ /* if a pre-defined number of ticks passed by kills itself */
|
|
||||||
+ if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) {
|
|
||||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
"Watchdog timer overflow, killing process!\n");
|
|
||||||
orderly_shutdown(1);
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,52 +0,0 @@
|
|||||||
From f7c519962070d797822c960d297f7de7fa42426a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Fri, 26 Aug 2016 14:57:22 +0200
|
|
||||||
Subject: [PATCH 28/39] PROXY: Use right name in ldap filter
|
|
||||||
|
|
||||||
We used internal fq name in ldap filter
|
|
||||||
with id_provider proxy to files and auth provider
|
|
||||||
ldap
|
|
||||||
|
|
||||||
[sssd[be[LDAP]]] [sdap_get_generic_ext_step]
|
|
||||||
(0x0400): calling ldap_search_ext with
|
|
||||||
[(&(uid=testuser1@ldap)(objectclass=posixAccount))][dc=example,dc=com].
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit b4c6060b10b14257e6f01038ae44e46c5a429f33)
|
|
||||||
---
|
|
||||||
src/providers/ldap/ldap_auth.c | 11 ++++++++---
|
|
||||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
|
||||||
index 35f16b0d4a6f8e566b0cf63b65ba46f31e7c1bcd..00d38284e428eea42254820fd08ee4fb125235a6 100644
|
|
||||||
--- a/src/providers/ldap/ldap_auth.c
|
|
||||||
+++ b/src/providers/ldap/ldap_auth.c
|
|
||||||
@@ -361,7 +361,7 @@ shadow_fail:
|
|
||||||
|
|
||||||
/* ==Get-User-DN========================================================== */
|
|
||||||
struct get_user_dn_state {
|
|
||||||
- const char *username;
|
|
||||||
+ char *username;
|
|
||||||
|
|
||||||
char *orig_dn;
|
|
||||||
};
|
|
||||||
@@ -386,9 +386,14 @@ static struct tevent_req *get_user_dn_send(TALLOC_CTX *memctx,
|
|
||||||
req = tevent_req_create(memctx, &state, struct get_user_dn_state);
|
|
||||||
if (!req) return NULL;
|
|
||||||
|
|
||||||
- state->username = username;
|
|
||||||
+ ret = sss_parse_internal_fqname(state, username,
|
|
||||||
+ &state->username, NULL);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot parse %s\n", username);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- ret = sss_filter_sanitize(state, username, &clean_name);
|
|
||||||
+ ret = sss_filter_sanitize(state, state->username, &clean_name);
|
|
||||||
if (ret != EOK) {
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,31 +0,0 @@
|
|||||||
From 2dc376b266eb5f3b3aecc980f1a854eeac7d151b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Tue, 16 Aug 2016 20:53:19 +0200
|
|
||||||
Subject: [PATCH 29/39] SECRETS: Make internal function static
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
(cherry picked from commit cf902c2b247c1b5793ae0ba58fd2dcbb0f78b686)
|
|
||||||
---
|
|
||||||
src/responder/secrets/providers.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/secrets/providers.c b/src/responder/secrets/providers.c
|
|
||||||
index 8d815b4837ce71bac648f38a6a8956771dd0520d..4c601988696dac7856cb1c1eb27264180a9347f9 100644
|
|
||||||
--- a/src/responder/secrets/providers.c
|
|
||||||
+++ b/src/responder/secrets/providers.c
|
|
||||||
@@ -24,7 +24,8 @@
|
|
||||||
#include "responder/secrets/secsrv_proxy.h"
|
|
||||||
#include <jansson.h>
|
|
||||||
|
|
||||||
-int sec_map_url_to_user_path(struct sec_req_ctx *secreq, char **mapped_path)
|
|
||||||
+static int sec_map_url_to_user_path(struct sec_req_ctx *secreq,
|
|
||||||
+ char **mapped_path)
|
|
||||||
{
|
|
||||||
uid_t c_euid;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From e099a2654aa25f98a5f9e7a0e1f0820e8322c372 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Tue, 16 Aug 2016 20:59:30 +0200
|
|
||||||
Subject: [PATCH 30/39] SECRETS: Make reading the config options more uniform
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
One of confdb_get_ calls in sec_get_config() used a variable referenced
|
|
||||||
from rctx, the other used a hardcoded string. Use one of them on both
|
|
||||||
places instead.
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
(cherry picked from commit ff35d4ffe5eedcb484deb7ef1a04c02c19e634c9)
|
|
||||||
---
|
|
||||||
src/responder/secrets/secsrv.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
|
|
||||||
index 6f8052bdf25fe903683d6b26d92b2a4c31743470..eb194a179ae5e3a48547fb00a038f31b8e0264cd 100644
|
|
||||||
--- a/src/responder/secrets/secsrv.c
|
|
||||||
+++ b/src/responder/secrets/secsrv.c
|
|
||||||
@@ -35,7 +35,7 @@ static int sec_get_config(struct sec_ctx *sctx)
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
ret = confdb_get_int(sctx->rctx->cdb,
|
|
||||||
- CONFDB_SEC_CONF_ENTRY,
|
|
||||||
+ sctx->rctx->confdb_service_path,
|
|
||||||
CONFDB_SERVICE_FD_LIMIT,
|
|
||||||
DEFAULT_SEC_FD_LIMIT,
|
|
||||||
&sctx->fd_limit);
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,46 +0,0 @@
|
|||||||
From 279b4f57263abcdb84e2386f4cb4256981fb8c2d Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Thu, 4 Aug 2016 14:10:09 +0200
|
|
||||||
Subject: [PATCH 31/39] dyndns: fix typo and unify ipa with ad debug message
|
|
||||||
when off
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Reviewed-by: Petr Čech <pcech@redhat.com>
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit b3851e86af91dc1aa6e265d5b2e4279b2611ff43)
|
|
||||||
---
|
|
||||||
src/providers/ad/ad_dyndns.c | 2 +-
|
|
||||||
src/providers/ipa/ipa_init.c | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ad/ad_dyndns.c b/src/providers/ad/ad_dyndns.c
|
|
||||||
index e3f1812837f7cee9d18ef001233871e0fcc16b4c..00190485e8f0ca7362ed60b2df022c74c53988c9 100644
|
|
||||||
--- a/src/providers/ad/ad_dyndns.c
|
|
||||||
+++ b/src/providers/ad/ad_dyndns.c
|
|
||||||
@@ -47,7 +47,7 @@ errno_t ad_dyndns_init(struct be_ctx *be_ctx,
|
|
||||||
|
|
||||||
if (dp_opt_get_bool(ad_opts->dyndns_ctx->opts,
|
|
||||||
DP_OPT_DYNDNS_UPDATE) == false) {
|
|
||||||
- DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates not set\n");
|
|
||||||
+ DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are off.\n");
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
|
|
||||||
index ca99200a1ba1d9508ac0affffecaa08149552fee..7dec4d1fb8541a48470d4e44f10838e5bea67ad5 100644
|
|
||||||
--- a/src/providers/ipa/ipa_init.c
|
|
||||||
+++ b/src/providers/ipa/ipa_init.c
|
|
||||||
@@ -200,7 +200,7 @@ static errno_t ipa_init_dyndns(struct be_ctx *be_ctx,
|
|
||||||
enabled = dp_opt_get_bool(ipa_options->dyndns_ctx->opts,
|
|
||||||
DP_OPT_DYNDNS_UPDATE);
|
|
||||||
if (!enabled) {
|
|
||||||
- DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are of.\n");
|
|
||||||
+ DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are off.\n");
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
From 2d1d157a07a2b445d6d26573a9763ec62928790f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Tue, 30 Aug 2016 15:26:27 +0200
|
|
||||||
Subject: [PATCH 32/39] netlink: Don't define USE_GNU
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Applications should never #define USE_GNU themselves, but rather
|
|
||||||
_GNU_SOURCE. This patch removes USE_GNU and replaces it with including
|
|
||||||
config.h which has _GNU_SOURCE defined if applicable for that platform
|
|
||||||
|
|
||||||
See for example:
|
|
||||||
https://gcc.gnu.org/ml/fortran/2005-10/msg00365.html
|
|
||||||
|
|
||||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
(cherry picked from commit 1384d0ce6ea741aefb56b0006b6268d76e6cc2c2)
|
|
||||||
---
|
|
||||||
src/monitor/monitor_netlink.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/monitor/monitor_netlink.c b/src/monitor/monitor_netlink.c
|
|
||||||
index 22262949c67744493dfa722ff38257a75a5b8291..c4d56b39f29b7686b60da1d561d7db390c272a4d 100644
|
|
||||||
--- a/src/monitor/monitor_netlink.c
|
|
||||||
+++ b/src/monitor/monitor_netlink.c
|
|
||||||
@@ -21,11 +21,12 @@
|
|
||||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
*/
|
|
||||||
|
|
||||||
+#include "config.h"
|
|
||||||
+
|
|
||||||
#include <talloc.h>
|
|
||||||
#include <tevent.h>
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/ioctl.h>
|
|
||||||
-#define __USE_GNU /* needed for struct ucred */
|
|
||||||
#include <sys/socket.h>
|
|
||||||
#include <netinet/in.h>
|
|
||||||
#include <arpa/inet.h>
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,140 +0,0 @@
|
|||||||
From d58c29636abcd20ef8e90fae90d8754419c394fa Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Tue, 30 Aug 2016 18:17:46 +0200
|
|
||||||
Subject: [PATCH 33/39] MONITOR: Remove leftovers from diag_cmd
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Seems that when I sent the v2 of 7579cf99 I attached the wrong patch
|
|
||||||
that ended up being pushed.
|
|
||||||
That patch was incomplete as there are still some leftovers.
|
|
||||||
|
|
||||||
Related:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3051
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
Reviewed-by: Petr Čech <pcech@redhat.com>
|
|
||||||
(cherry picked from commit e04df9feca0c9877c69aa46450d04c556bcb23ad)
|
|
||||||
---
|
|
||||||
src/config/SSSDConfig/__init__.py.in | 1 -
|
|
||||||
src/config/SSSDConfigTest.py | 1 -
|
|
||||||
src/config/cfg_rules.ini | 9 ---------
|
|
||||||
src/config/etc/sssd.api.conf | 1 -
|
|
||||||
4 files changed, 12 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
index b3f04ac26309bb5b518fb87cd0dae2962e853179..fb071270208341f4e993fef95af4e8dc6b58fdbd 100644
|
|
||||||
--- a/src/config/SSSDConfig/__init__.py.in
|
|
||||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
@@ -51,7 +51,6 @@ option_strings = {
|
|
||||||
'reconnection_retries' : _('Number of times to attempt connection to Data Providers'),
|
|
||||||
'fd_limit' : _('The number of file descriptors that may be opened by this responder'),
|
|
||||||
'client_idle_timeout' : _('Idle time before automatic disconnection of a client'),
|
|
||||||
- 'diag_cmd' : _('The command to run when a service ping times out'),
|
|
||||||
|
|
||||||
# [sssd]
|
|
||||||
'services' : _('SSSD Services to start'),
|
|
||||||
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
|
||||||
index 8fcd1a55c36035a7026f1fb4c8116aaae24e78ef..575a12450eec2e23e7fa30acf72030a0e7e07a50 100755
|
|
||||||
--- a/src/config/SSSDConfigTest.py
|
|
||||||
+++ b/src/config/SSSDConfigTest.py
|
|
||||||
@@ -309,7 +309,6 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
|
|
||||||
'reconnection_retries',
|
|
||||||
'fd_limit',
|
|
||||||
'client_idle_timeout',
|
|
||||||
- 'diag_cmd',
|
|
||||||
'description',
|
|
||||||
'certificate_verification',
|
|
||||||
'override_space']
|
|
||||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
||||||
index df10538dee4a547a1b1af62a4cfe37b89e236b18..a2c3fa2d5994dc051b72be17e13c512d7f124141 100644
|
|
||||||
--- a/src/config/cfg_rules.ini
|
|
||||||
+++ b/src/config/cfg_rules.ini
|
|
||||||
@@ -25,7 +25,6 @@ option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
option = force_timeout
|
|
||||||
option = description
|
|
||||||
-option = diag_cmd
|
|
||||||
|
|
||||||
# Monitor service
|
|
||||||
option = services
|
|
||||||
@@ -57,7 +56,6 @@ option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
option = force_timeout
|
|
||||||
option = description
|
|
||||||
-option = diag_cmd
|
|
||||||
|
|
||||||
# Name service
|
|
||||||
option = user_attributes
|
|
||||||
@@ -96,7 +94,6 @@ option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
option = force_timeout
|
|
||||||
option = description
|
|
||||||
-option = diag_cmd
|
|
||||||
|
|
||||||
# Authentication service
|
|
||||||
option = offline_credentials_expiration
|
|
||||||
@@ -130,7 +127,6 @@ option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
option = force_timeout
|
|
||||||
option = description
|
|
||||||
-option = diag_cmd
|
|
||||||
|
|
||||||
# sudo service
|
|
||||||
option = sudo_timed
|
|
||||||
@@ -152,7 +148,6 @@ option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
option = force_timeout
|
|
||||||
option = description
|
|
||||||
-option = diag_cmd
|
|
||||||
|
|
||||||
# autofs service
|
|
||||||
option = autofs_negative_timeout
|
|
||||||
@@ -173,7 +168,6 @@ option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
option = force_timeout
|
|
||||||
option = description
|
|
||||||
-option = diag_cmd
|
|
||||||
|
|
||||||
# ssh service
|
|
||||||
option = ssh_hash_known_hosts
|
|
||||||
@@ -196,7 +190,6 @@ option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
option = force_timeout
|
|
||||||
option = description
|
|
||||||
-option = diag_cmd
|
|
||||||
|
|
||||||
# PAC responder
|
|
||||||
option = allowed_uids
|
|
||||||
@@ -218,7 +211,6 @@ option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
option = force_timeout
|
|
||||||
option = description
|
|
||||||
-option = diag_cmd
|
|
||||||
|
|
||||||
# InfoPipe responder
|
|
||||||
option = allowed_uids
|
|
||||||
@@ -239,7 +231,6 @@ option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
option = force_timeout
|
|
||||||
option = description
|
|
||||||
-option = diag_cmd
|
|
||||||
|
|
||||||
#Available provider types
|
|
||||||
option = id_provider
|
|
||||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
||||||
index 5e69414f2a490977bdaf1555325814ad61202071..b2f20c5b71fa6bf94656d6270ccd08385a88c06e 100644
|
|
||||||
--- a/src/config/etc/sssd.api.conf
|
|
||||||
+++ b/src/config/etc/sssd.api.conf
|
|
||||||
@@ -15,7 +15,6 @@ fd_limit = int, None, false
|
|
||||||
client_idle_timeout = int, None, false
|
|
||||||
force_timeout = int, None, false
|
|
||||||
description = str, None, false
|
|
||||||
-diag_cmd = str, None, false
|
|
||||||
|
|
||||||
[sssd]
|
|
||||||
# Monitor service
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,175 +0,0 @@
|
|||||||
From a2145190df8f4faa68a9662a2b5162dd87eca0a6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Tue, 30 Aug 2016 18:25:21 +0200
|
|
||||||
Subject: [PATCH 34/39] MONITOR: Remove leftovers from kill_service
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Seems that wen I sent the v2 of ac35fe74 I attached the wrong pacth that
|
|
||||||
ended up being pushed.
|
|
||||||
The patch was incomplete as there are still some leftovers.
|
|
||||||
|
|
||||||
The .po and sssd-docs.pot were not touched as I do believe they are
|
|
||||||
autogenerated from Zanata.
|
|
||||||
|
|
||||||
Related:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3052
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
Reviewed-by: Petr Čech <pcech@redhat.com>
|
|
||||||
(cherry picked from commit 5b0735876aa66464b24cb7736a74fafd8ec82128)
|
|
||||||
---
|
|
||||||
src/config/SSSDConfig/__init__.py.in | 1 -
|
|
||||||
src/config/SSSDConfigTest.py | 3 ---
|
|
||||||
src/config/cfg_rules.ini | 10 ----------
|
|
||||||
src/config/etc/sssd.api.conf | 2 --
|
|
||||||
4 files changed, 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
index fb071270208341f4e993fef95af4e8dc6b58fdbd..0191920f93ab9016508e08785c25dd043c180c0b 100644
|
|
||||||
--- a/src/config/SSSDConfig/__init__.py.in
|
|
||||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
@@ -46,7 +46,6 @@ option_strings = {
|
|
||||||
'debug_microseconds' : _('Include microseconds in timestamps in debug logs'),
|
|
||||||
'debug_to_files' : _('Write debug messages to logfiles'),
|
|
||||||
'timeout' : _('Watchdog timeout before restarting service'),
|
|
||||||
- 'force_timeout' : _('Timeout between three failed ping checks and forcibly killing the service'),
|
|
||||||
'command' : _('Command to start service'),
|
|
||||||
'reconnection_retries' : _('Number of times to attempt connection to Data Providers'),
|
|
||||||
'fd_limit' : _('The number of file descriptors that may be opened by this responder'),
|
|
||||||
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
|
||||||
index 575a12450eec2e23e7fa30acf72030a0e7e07a50..6a0fdf0ea5215103b48dc8521a43ae945342c0e2 100755
|
|
||||||
--- a/src/config/SSSDConfigTest.py
|
|
||||||
+++ b/src/config/SSSDConfigTest.py
|
|
||||||
@@ -293,7 +293,6 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
|
|
||||||
'services',
|
|
||||||
'domains',
|
|
||||||
'timeout',
|
|
||||||
- 'force_timeout',
|
|
||||||
'sbus_timeout',
|
|
||||||
're_expression',
|
|
||||||
'full_name_format',
|
|
||||||
@@ -505,7 +504,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
||||||
'min_id',
|
|
||||||
'max_id',
|
|
||||||
'timeout',
|
|
||||||
- 'force_timeout',
|
|
||||||
'offline_timeout',
|
|
||||||
'try_inotify',
|
|
||||||
'command',
|
|
||||||
@@ -874,7 +872,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
||||||
'min_id',
|
|
||||||
'max_id',
|
|
||||||
'timeout',
|
|
||||||
- 'force_timeout',
|
|
||||||
'offline_timeout',
|
|
||||||
'try_inotify',
|
|
||||||
'command',
|
|
||||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
||||||
index a2c3fa2d5994dc051b72be17e13c512d7f124141..5e248066bd554d2a654a764f406f6b33c4d66733 100644
|
|
||||||
--- a/src/config/cfg_rules.ini
|
|
||||||
+++ b/src/config/cfg_rules.ini
|
|
||||||
@@ -23,7 +23,6 @@ option = command
|
|
||||||
option = reconnection_retries
|
|
||||||
option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
-option = force_timeout
|
|
||||||
option = description
|
|
||||||
|
|
||||||
# Monitor service
|
|
||||||
@@ -54,7 +53,6 @@ option = command
|
|
||||||
option = reconnection_retries
|
|
||||||
option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
-option = force_timeout
|
|
||||||
option = description
|
|
||||||
|
|
||||||
# Name service
|
|
||||||
@@ -92,7 +90,6 @@ option = command
|
|
||||||
option = reconnection_retries
|
|
||||||
option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
-option = force_timeout
|
|
||||||
option = description
|
|
||||||
|
|
||||||
# Authentication service
|
|
||||||
@@ -125,7 +122,6 @@ option = command
|
|
||||||
option = reconnection_retries
|
|
||||||
option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
-option = force_timeout
|
|
||||||
option = description
|
|
||||||
|
|
||||||
# sudo service
|
|
||||||
@@ -146,7 +142,6 @@ option = command
|
|
||||||
option = reconnection_retries
|
|
||||||
option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
-option = force_timeout
|
|
||||||
option = description
|
|
||||||
|
|
||||||
# autofs service
|
|
||||||
@@ -166,7 +161,6 @@ option = command
|
|
||||||
option = reconnection_retries
|
|
||||||
option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
-option = force_timeout
|
|
||||||
option = description
|
|
||||||
|
|
||||||
# ssh service
|
|
||||||
@@ -188,7 +182,6 @@ option = command
|
|
||||||
option = reconnection_retries
|
|
||||||
option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
-option = force_timeout
|
|
||||||
option = description
|
|
||||||
|
|
||||||
# PAC responder
|
|
||||||
@@ -209,7 +202,6 @@ option = command
|
|
||||||
option = reconnection_retries
|
|
||||||
option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
-option = force_timeout
|
|
||||||
option = description
|
|
||||||
|
|
||||||
# InfoPipe responder
|
|
||||||
@@ -229,7 +221,6 @@ option = command
|
|
||||||
option = reconnection_retries
|
|
||||||
option = fd_limit
|
|
||||||
option = client_idle_timeout
|
|
||||||
-option = force_timeout
|
|
||||||
option = description
|
|
||||||
|
|
||||||
#Available provider types
|
|
||||||
@@ -250,7 +241,6 @@ option = timeout
|
|
||||||
option = try_inotify
|
|
||||||
option = enumerate
|
|
||||||
option = subdomain_enumerate
|
|
||||||
-option = force_timeout
|
|
||||||
option = offline_timeout
|
|
||||||
option = cache_credentials
|
|
||||||
option = cache_credentials_minimal_first_factor_length
|
|
||||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
||||||
index b2f20c5b71fa6bf94656d6270ccd08385a88c06e..525f939cd204f4d484caa7b490d85b0d50de00ef 100644
|
|
||||||
--- a/src/config/etc/sssd.api.conf
|
|
||||||
+++ b/src/config/etc/sssd.api.conf
|
|
||||||
@@ -13,7 +13,6 @@ command = str, None, false
|
|
||||||
reconnection_retries = int, None, false
|
|
||||||
fd_limit = int, None, false
|
|
||||||
client_idle_timeout = int, None, false
|
|
||||||
-force_timeout = int, None, false
|
|
||||||
description = str, None, false
|
|
||||||
|
|
||||||
[sssd]
|
|
||||||
@@ -119,7 +118,6 @@ timeout = int, None, false
|
|
||||||
try_inotify = bool, None, false
|
|
||||||
enumerate = bool, None, false
|
|
||||||
subdomain_enumerate = str, None, false
|
|
||||||
-force_timeout = int, None, false
|
|
||||||
offline_timeout = int, None, false
|
|
||||||
cache_credentials = bool, None, false
|
|
||||||
cache_credentials_minimal_first_factor_length = int, None, false
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,51 +0,0 @@
|
|||||||
From 223395a44a3016c3124aa5ed841c7023068607d8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Tue, 30 Aug 2016 15:37:43 +0200
|
|
||||||
Subject: [PATCH 35/39] SYSDB: Fix error handling in
|
|
||||||
sysdb_get_user_members_recursively
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
We ignored failures from sysdb_search_entry
|
|
||||||
|
|
||||||
Reviewed-by: Petr Čech <pcech@redhat.com>
|
|
||||||
(cherry picked from commit b969ccc2cc58fdf761e5d314de9217f2d914bc9b)
|
|
||||||
---
|
|
||||||
src/db/sysdb_ops.c | 3 +++
|
|
||||||
src/db/sysdb_views.c | 5 ++++-
|
|
||||||
2 files changed, 7 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
|
||||||
index 44fb5b70e6d33fffbca5824f831a3229254ecb57..e4c8e1e285e3bc49710f71c896ba9a30c742d4fa 100644
|
|
||||||
--- a/src/db/sysdb_ops.c
|
|
||||||
+++ b/src/db/sysdb_ops.c
|
|
||||||
@@ -4738,6 +4738,9 @@ errno_t sysdb_get_user_members_recursively(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
ret = sysdb_search_entry(tmp_ctx, dom->sysdb, base_dn, LDB_SCOPE_SUBTREE,
|
|
||||||
filter, attrs, &count, &msgs);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
res = talloc_zero(tmp_ctx, struct ldb_result);
|
|
||||||
if (res == NULL) {
|
|
||||||
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
|
|
||||||
index 79f513d13ba41212a6cd84e1d9e609df6acba29c..9dc48f5b6c414bbc7c64bcd1fe73553f388588bd 100644
|
|
||||||
--- a/src/db/sysdb_views.c
|
|
||||||
+++ b/src/db/sysdb_views.c
|
|
||||||
@@ -1374,7 +1374,10 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
|
|
||||||
|
|
||||||
ret = sysdb_get_user_members_recursively(tmp_ctx, domain, obj->dn,
|
|
||||||
&res_members);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
+ if (ret == ENOENT) {
|
|
||||||
+ ret = EOK;
|
|
||||||
+ goto done;
|
|
||||||
+ } else if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
"sysdb_get_user_members_recursively failed.\n");
|
|
||||||
goto done;
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From 9e21f9157d7eaf62e48ee9ab43332d336c12708c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Thu, 1 Sep 2016 08:08:00 +0200
|
|
||||||
Subject: [PATCH 36/39] DEBUG: Apend line feed to messages from libsemanage
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
It wasn't simple to read log files from libsemanage
|
|
||||||
because they were on single line.
|
|
||||||
|
|
||||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
(cherry picked from commit a6d279489c35896432e60daa70be5728f0b6c243)
|
|
||||||
---
|
|
||||||
src/util/sss_semanage.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
|
|
||||||
index 81068da98db611e55df8ac2de1a55f5980c3e552..fe06bee1dfec3abca3aa3cd5e85e55386ac11343 100644
|
|
||||||
--- a/src/util/sss_semanage.c
|
|
||||||
+++ b/src/util/sss_semanage.c
|
|
||||||
@@ -55,7 +55,8 @@ static void sss_semanage_error_callback(void *varg,
|
|
||||||
|
|
||||||
va_start(ap, fmt);
|
|
||||||
if (DEBUG_IS_SET(level)) {
|
|
||||||
- sss_vdebug_fn(__FILE__, __LINE__, "libsemanage", level, 0, fmt, ap);
|
|
||||||
+ sss_vdebug_fn(__FILE__, __LINE__, "libsemanage", level,
|
|
||||||
+ APPEND_LINE_FEED, fmt, ap);
|
|
||||||
}
|
|
||||||
va_end(ap);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,43 +0,0 @@
|
|||||||
From 4417b8170e7bb09fd8d724e36e23ddf89d95cb33 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Wed, 31 Aug 2016 10:17:17 +0200
|
|
||||||
Subject: [PATCH 37/39] MAN: Document the ldap_user_primary_group option
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
(cherry picked from commit 6f59bb822d1e54e178207be45e382f4ee173c434)
|
|
||||||
---
|
|
||||||
src/man/sssd-ldap.5.xml | 15 +++++++++++++++
|
|
||||||
1 file changed, 15 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
|
|
||||||
index 6009dd8dfa787874c085c293b2d1f8aac6d95714..bfccfab2222e5b2d68b83ca473e9a3aa0f5308e5 100644
|
|
||||||
--- a/src/man/sssd-ldap.5.xml
|
|
||||||
+++ b/src/man/sssd-ldap.5.xml
|
|
||||||
@@ -299,6 +299,21 @@
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
+ <term>ldap_user_primary_group (string)</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ Active Directory primary group attribute
|
|
||||||
+ for ID-mapping. Note that this attribute should
|
|
||||||
+ only be set manually if you are running the
|
|
||||||
+ <quote>ldap</quote> provider with ID mapping.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Default: unset (LDAP), primaryGroupID (AD)
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+
|
|
||||||
+ <varlistentry>
|
|
||||||
<term>ldap_user_gecos (string)</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From 1a28f2ce26d49617eaf865e39d52136181d9663d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Tue, 30 Aug 2016 17:30:10 +0200
|
|
||||||
Subject: [PATCH 38/39] sdap_initgr_nested_get_membership_diff: use
|
|
||||||
fully-qualified names
|
|
||||||
|
|
||||||
I think this is a leftover from the change to use fully-qualified names
|
|
||||||
in sysdb. To verify this you can create a nested group in IPA. Without
|
|
||||||
this patch the id command will only show the groups the user is a direct
|
|
||||||
member of. With the patch the indirect groups memberships should be
|
|
||||||
shown as well.
|
|
||||||
|
|
||||||
https://fedorahosted.org/sssd/ticket/3163
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit 5bd3bef4a655fdfacd2f5df8a2343fe7bc68a771)
|
|
||||||
---
|
|
||||||
src/providers/ldap/sdap_async_initgroups.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
|
|
||||||
index 82c708c226bf1a645ff5a395947dfdbad71e0f1f..f9593f0dfaa2dc6e33fd6c9d1f0c9b78cad3a1d9 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async_initgroups.c
|
|
||||||
+++ b/src/providers/ldap/sdap_async_initgroups.c
|
|
||||||
@@ -1414,7 +1414,7 @@ sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx,
|
|
||||||
group_name, parents_count);
|
|
||||||
|
|
||||||
if (parents_count > 0) {
|
|
||||||
- ret = sysdb_attrs_primary_name_list(dom, tmp_ctx,
|
|
||||||
+ ret = sysdb_attrs_primary_fqdn_list(dom, tmp_ctx,
|
|
||||||
ldap_parentlist,
|
|
||||||
parents_count,
|
|
||||||
opts->group_map[SDAP_AT_GROUP_NAME].name,
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,50 +0,0 @@
|
|||||||
From c620bb359ff03f40ffbc36a03d74c921346ecfc3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
|
||||||
Date: Wed, 31 Aug 2016 08:50:01 +0200
|
|
||||||
Subject: [PATCH 39/39] SYSDB: Removing of unused parameter
|
|
||||||
|
|
||||||
There were unused parameter struct ldb_message *cached_group
|
|
||||||
in sysdb_store_group_attrs().
|
|
||||||
|
|
||||||
This parameter was introduced by
|
|
||||||
40de79d69860ec7f04bf7795bd88b641ec42fd23
|
|
||||||
SYSDB: Check if group attributes differ before saving a group
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit 0d1d9d8001232f74eca63cbba6c400d507b33823)
|
|
||||||
---
|
|
||||||
src/db/sysdb_ops.c | 4 +---
|
|
||||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
|
||||||
index e4c8e1e285e3bc49710f71c896ba9a30c742d4fa..5d9c9fb24a149f8215b3027dcb4b0e1a183e4b43 100644
|
|
||||||
--- a/src/db/sysdb_ops.c
|
|
||||||
+++ b/src/db/sysdb_ops.c
|
|
||||||
@@ -2661,7 +2661,6 @@ static errno_t sysdb_store_new_group(struct sss_domain_info *domain,
|
|
||||||
static errno_t sysdb_store_group_attrs(struct sss_domain_info *domain,
|
|
||||||
const char *name,
|
|
||||||
gid_t gid,
|
|
||||||
- struct ldb_message *cached_group,
|
|
||||||
struct sysdb_attrs *attrs,
|
|
||||||
uint64_t cache_timeout,
|
|
||||||
time_t now);
|
|
||||||
@@ -2731,7 +2730,7 @@ int sysdb_store_group(struct sss_domain_info *domain,
|
|
||||||
ret = sysdb_store_new_group(domain, name, gid, attrs,
|
|
||||||
cache_timeout, now);
|
|
||||||
} else {
|
|
||||||
- ret = sysdb_store_group_attrs(domain, name, gid, msg, attrs,
|
|
||||||
+ ret = sysdb_store_group_attrs(domain, name, gid, attrs,
|
|
||||||
cache_timeout, now);
|
|
||||||
}
|
|
||||||
if (ret != EOK) {
|
|
||||||
@@ -2811,7 +2810,6 @@ static errno_t sysdb_store_new_group(struct sss_domain_info *domain,
|
|
||||||
static errno_t sysdb_store_group_attrs(struct sss_domain_info *domain,
|
|
||||||
const char *name,
|
|
||||||
gid_t gid,
|
|
||||||
- struct ldb_message *cached_group,
|
|
||||||
struct sysdb_attrs *attrs,
|
|
||||||
uint64_t cache_timeout,
|
|
||||||
time_t now)
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,38 +0,0 @@
|
|||||||
From 344773c4c6949757d9719850191229481c9733a9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Thu, 1 Sep 2016 17:25:23 +0200
|
|
||||||
Subject: [PATCH 40/79] SYSDB: Suppress warning from clang static analyser
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
scan-build wrongly assumes that output variable
|
|
||||||
"version" is not initialized if function sysdb_cache_connect
|
|
||||||
returns ERR_SYSDB_VERSION_TOO_OLD or ERR_SYSDB_VERSION_TOO_NEW
|
|
||||||
|
|
||||||
The reality is that output variable "version" is initialized
|
|
||||||
especially for these two case. Initialisation to NULL suppresses
|
|
||||||
these false positive reports.
|
|
||||||
|
|
||||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
(cherry picked from commit 3f6aecfe5061e165c10829142854ec7189029407)
|
|
||||||
---
|
|
||||||
src/db/sysdb_init.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
|
|
||||||
index d110aa7a2878e47650db177cfd342d0ac32248ab..538ba027cd94e274ba328d398cc565b11ea56f39 100644
|
|
||||||
--- a/src/db/sysdb_init.c
|
|
||||||
+++ b/src/db/sysdb_init.c
|
|
||||||
@@ -688,7 +688,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
|
|
||||||
struct sysdb_dom_upgrade_ctx *upgrade_ctx)
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
- const char *version;
|
|
||||||
+ const char *version = NULL;
|
|
||||||
TALLOC_CTX *tmp_ctx;
|
|
||||||
struct ldb_context *ldb;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,33 +0,0 @@
|
|||||||
From 96e8cf44298c257d509219dd9c45b8cdae792ab5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Tue, 6 Sep 2016 12:13:08 +0200
|
|
||||||
Subject: [PATCH 41/79] TOOLS: Fix a typo in groupadd()
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3173
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 6be723a089a1e07a1cd19b4fa53fd142c13f0c69)
|
|
||||||
---
|
|
||||||
src/tools/sss_sync_ops.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/tools/sss_sync_ops.c b/src/tools/sss_sync_ops.c
|
|
||||||
index a23a0b8c30366d2fb68554bfed184b8fce675e2b..39ef5bec96bd3942da8a8adfd21c99b03a77e551 100644
|
|
||||||
--- a/src/tools/sss_sync_ops.c
|
|
||||||
+++ b/src/tools/sss_sync_ops.c
|
|
||||||
@@ -657,7 +657,7 @@ int groupadd(struct ops_ctx *data)
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
data->sysdb_fqname = sss_create_internal_fqname(data,
|
|
||||||
- data->sysdb_fqname,
|
|
||||||
+ data->name,
|
|
||||||
data->domain->name);
|
|
||||||
if (data->sysdb_fqname == NULL) {
|
|
||||||
return ENOMEM;
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,60 +0,0 @@
|
|||||||
From e69c1ed1452b43fafb31e252589d7a5aa37f9cf7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
||||||
Date: Tue, 6 Sep 2016 13:46:53 +0200
|
|
||||||
Subject: [PATCH 42/79] TOOLS: sss_groupshow did not work
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
sss_groupshow used shortname to search
|
|
||||||
in sysdb database. We have to u e sysdb_fqname
|
|
||||||
(aka internal_fqname) format for all sysdb
|
|
||||||
oprations.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3175
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 5210c5d3a5a83b5d08396ee23d88f6ba0994097d)
|
|
||||||
---
|
|
||||||
src/tools/sss_groupshow.c | 13 +++++++++++--
|
|
||||||
1 file changed, 11 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
|
|
||||||
index 41d7475cef1093a4cb214ec4b017db59e6c26fe2..5870cc802c70366c47a0d30cb0d9795cf6035bc5 100644
|
|
||||||
--- a/src/tools/sss_groupshow.c
|
|
||||||
+++ b/src/tools/sss_groupshow.c
|
|
||||||
@@ -318,7 +318,7 @@ int group_show(TALLOC_CTX *mem_ctx,
|
|
||||||
struct sysdb_ctx *sysdb,
|
|
||||||
struct sss_domain_info *domain,
|
|
||||||
bool recursive,
|
|
||||||
- const char *name,
|
|
||||||
+ const char *shortname,
|
|
||||||
struct group_info **res)
|
|
||||||
{
|
|
||||||
struct group_info *root;
|
|
||||||
@@ -326,11 +326,20 @@ int group_show(TALLOC_CTX *mem_ctx,
|
|
||||||
struct ldb_message *msg = NULL;
|
|
||||||
const char **group_members = NULL;
|
|
||||||
int nmembers = 0;
|
|
||||||
+ char *sysdb_fqname = NULL;
|
|
||||||
int ret;
|
|
||||||
int i;
|
|
||||||
|
|
||||||
+ sysdb_fqname = sss_create_internal_fqname(mem_ctx,
|
|
||||||
+ shortname,
|
|
||||||
+ domain->name);
|
|
||||||
+ if (sysdb_fqname == NULL) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* First, search for the root group */
|
|
||||||
- ret = sysdb_search_group_by_name(mem_ctx, domain, name, attrs, &msg);
|
|
||||||
+ ret = sysdb_search_group_by_name(mem_ctx, domain, sysdb_fqname, attrs,
|
|
||||||
+ &msg);
|
|
||||||
if (ret) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
"Search failed: %s (%d)\n", strerror(ret), ret);
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,76 +0,0 @@
|
|||||||
From b5ce7cefc1af161f25e5857aacec88ebd9e47130 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
||||||
Date: Tue, 6 Sep 2016 17:37:14 +0200
|
|
||||||
Subject: [PATCH 43/79] TESTS: sss_groupadd/groupshow regressions
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Adds regression CI test for ticket #3173 and #3175.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3173
|
|
||||||
https://fedorahosted.org/sssd/ticket/3175
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 20c2d76d9430a1fc069531ff537df046a74c8f61)
|
|
||||||
---
|
|
||||||
src/tests/intg/test_local_domain.py | 26 ++++++++++++++++++++++++++
|
|
||||||
1 file changed, 26 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/tests/intg/test_local_domain.py b/src/tests/intg/test_local_domain.py
|
|
||||||
index b83e56d1b44619083506093ca8cfb9413437c821..56e3812b113b36301d1ec6049e5a1210d3070442 100644
|
|
||||||
--- a/src/tests/intg/test_local_domain.py
|
|
||||||
+++ b/src/tests/intg/test_local_domain.py
|
|
||||||
@@ -19,11 +19,13 @@
|
|
||||||
import os
|
|
||||||
import stat
|
|
||||||
import pwd
|
|
||||||
+import grp
|
|
||||||
import time
|
|
||||||
import config
|
|
||||||
import signal
|
|
||||||
import subprocess
|
|
||||||
import pytest
|
|
||||||
+import ent
|
|
||||||
from util import unindent
|
|
||||||
|
|
||||||
|
|
||||||
@@ -90,6 +92,11 @@ def assert_nonexistent_user(name):
|
|
||||||
pwd.getpwnam(name)
|
|
||||||
|
|
||||||
|
|
||||||
+def assert_nonexistent_group(name):
|
|
||||||
+ with pytest.raises(KeyError):
|
|
||||||
+ grp.getgrnam(name)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
def test_wrong_LC_ALL(local_domain_only):
|
|
||||||
"""
|
|
||||||
Regression test for ticket
|
|
||||||
@@ -107,3 +114,22 @@ def test_wrong_LC_ALL(local_domain_only):
|
|
||||||
subprocess.check_call(["sss_userdel", "foo", "-R"])
|
|
||||||
assert_nonexistent_user("foo")
|
|
||||||
os.environ["LC_ALL"] = oldvalue
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_sss_group_add_show_del(local_domain_only):
|
|
||||||
+ """
|
|
||||||
+ Regression test for tickets
|
|
||||||
+ https://fedorahosted.org/sssd/ticket/3173
|
|
||||||
+ https://fedorahosted.org/sssd/ticket/3175
|
|
||||||
+ """
|
|
||||||
+
|
|
||||||
+ subprocess.check_call(["sss_groupadd", "foo", "-g", "10001"])
|
|
||||||
+
|
|
||||||
+ "This should not raise KeyError"
|
|
||||||
+ ent.assert_group_by_name("foo", dict(name="foo", gid=10001))
|
|
||||||
+
|
|
||||||
+ "sss_grupshow should return 0 with existing group name"
|
|
||||||
+ subprocess.check_call(["sss_groupshow", "foo"])
|
|
||||||
+
|
|
||||||
+ subprocess.check_call(["sss_groupdel", "foo"])
|
|
||||||
+ assert_nonexistent_group("foo")
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,57 +0,0 @@
|
|||||||
From aa17cda3887309ccd67c256a24b980fbd8c2f89a Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
||||||
Date: Wed, 7 Sep 2016 10:58:25 +0200
|
|
||||||
Subject: [PATCH 44/79] TOOLS: use internal fqdn for DN
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Use internal fqdn when creating sysdb group dn.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3178
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 5e2142b66589e5e50cb404fc972ed5418bbaa772)
|
|
||||||
---
|
|
||||||
src/tools/sss_sync_ops.c | 11 ++++++++++-
|
|
||||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/tools/sss_sync_ops.c b/src/tools/sss_sync_ops.c
|
|
||||||
index 39ef5bec96bd3942da8a8adfd21c99b03a77e551..a0291baeada49b9f21e040a54e303214d5a46332 100644
|
|
||||||
--- a/src/tools/sss_sync_ops.c
|
|
||||||
+++ b/src/tools/sss_sync_ops.c
|
|
||||||
@@ -137,6 +137,7 @@ static int mod_groups_member(struct sss_domain_info *dom,
|
|
||||||
struct ldb_dn *parent_dn;
|
|
||||||
int ret;
|
|
||||||
int i;
|
|
||||||
+ char *grp_sysdb_fqname = NULL;
|
|
||||||
|
|
||||||
tmpctx = talloc_new(NULL);
|
|
||||||
if (!tmpctx) {
|
|
||||||
@@ -145,13 +146,21 @@ static int mod_groups_member(struct sss_domain_info *dom,
|
|
||||||
|
|
||||||
/* FIXME: add transaction around loop */
|
|
||||||
for (i = 0; grouplist[i]; i++) {
|
|
||||||
+ grp_sysdb_fqname = sss_create_internal_fqname(tmpctx, grouplist[i],
|
|
||||||
+ dom->name);
|
|
||||||
+ if (grp_sysdb_fqname == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- parent_dn = sysdb_group_dn(tmpctx, dom, grouplist[i]);
|
|
||||||
+ parent_dn = sysdb_group_dn(tmpctx, dom, grp_sysdb_fqname);
|
|
||||||
if (!parent_dn) {
|
|
||||||
ret = ENOMEM;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ talloc_free(grp_sysdb_fqname);
|
|
||||||
+
|
|
||||||
ret = sysdb_mod_group_member(dom, member_dn, parent_dn, optype);
|
|
||||||
if (ret) {
|
|
||||||
goto done;
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,66 +0,0 @@
|
|||||||
From 1b692a1142ec59e27ebb99666634a6e0464317d1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
||||||
Date: Wed, 7 Sep 2016 13:08:59 +0200
|
|
||||||
Subject: [PATCH 45/79] TESTS: Test for sss_user/groupmod -a
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Regression tests for ticket #3178.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3178
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 7fa4964d84f41bd80a6d971ffaeef87a7c2f19be)
|
|
||||||
---
|
|
||||||
src/tests/intg/test_local_domain.py | 36 ++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 36 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/tests/intg/test_local_domain.py b/src/tests/intg/test_local_domain.py
|
|
||||||
index 56e3812b113b36301d1ec6049e5a1210d3070442..5e3e3d4d1cdc6db5d68a6e5b9d96d94c2c694b14 100644
|
|
||||||
--- a/src/tests/intg/test_local_domain.py
|
|
||||||
+++ b/src/tests/intg/test_local_domain.py
|
|
||||||
@@ -133,3 +133,39 @@ def test_sss_group_add_show_del(local_domain_only):
|
|
||||||
|
|
||||||
subprocess.check_call(["sss_groupdel", "foo"])
|
|
||||||
assert_nonexistent_group("foo")
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_add_local_user_to_local_group(local_domain_only):
|
|
||||||
+ """
|
|
||||||
+ Regression test for ticket
|
|
||||||
+ https://fedorahosted.org/sssd/ticket/3178
|
|
||||||
+ """
|
|
||||||
+ subprocess.check_call(["sss_groupadd", "-g", "10009", "group10009"])
|
|
||||||
+ subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user10009"])
|
|
||||||
+ subprocess.check_call(["sss_usermod", "-a", "group10009", "user10009"])
|
|
||||||
+
|
|
||||||
+ ent.assert_group_by_name(
|
|
||||||
+ "group10009",
|
|
||||||
+ dict(name="group10009", passwd="*", gid=10009,
|
|
||||||
+ mem=ent.contains_only("user10009")))
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_add_local_group_to_local_group(local_domain_only):
|
|
||||||
+ """
|
|
||||||
+ Regression test for tickets
|
|
||||||
+ https://fedorahosted.org/sssd/ticket/3178
|
|
||||||
+ """
|
|
||||||
+ subprocess.check_call(["sss_groupadd", "-g", "10009", "group_child"])
|
|
||||||
+ subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user_child"])
|
|
||||||
+ subprocess.check_call(["sss_usermod", "-a", "group_child", "user_child"])
|
|
||||||
+
|
|
||||||
+ subprocess.check_call(["sss_groupadd", "-g", "10008", "group_parent"])
|
|
||||||
+ subprocess.check_call(
|
|
||||||
+ ["sss_groupmod", "-a", "group_parent", "group_child"])
|
|
||||||
+
|
|
||||||
+ # User from child_group is member of parent_group, so child_group's
|
|
||||||
+ # member must be also parent_group's member
|
|
||||||
+ ent.assert_group_by_name(
|
|
||||||
+ "group_parent",
|
|
||||||
+ dict(name="group_parent", passwd="*", gid=10008,
|
|
||||||
+ mem=ent.contains_only("user_child")))
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,138 +0,0 @@
|
|||||||
From ce402d01616b2a8ea5c3354085a07910e4903820 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
||||||
Date: Wed, 7 Sep 2016 14:43:13 +0200
|
|
||||||
Subject: [PATCH 46/79] TOOLS: sss_mc_refresh_nested_group short/fqname usage
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
We use shortname to refresh memory cache, but in case of nested groups,
|
|
||||||
we used internal_fqname to refresh parent groups.
|
|
||||||
|
|
||||||
We also wrongly used the shortname for sysdb_search operation.
|
|
||||||
Which caused error message to be printed when sss_usermod -a or
|
|
||||||
sss_groupmod -a where called.
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit cb54dbad6be907d277ce6aa39524338643e2f5a4)
|
|
||||||
---
|
|
||||||
src/tools/tools_mc_util.c | 66 +++++++++++++++++++++++++++++++++--------------
|
|
||||||
1 file changed, 47 insertions(+), 19 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/tools/tools_mc_util.c b/src/tools/tools_mc_util.c
|
|
||||||
index 2516a1981ddd965d4cae8c469ed79aaef8fa7193..716e3760f67d958f2139adbb49998d9e352d23f4 100644
|
|
||||||
--- a/src/tools/tools_mc_util.c
|
|
||||||
+++ b/src/tools/tools_mc_util.c
|
|
||||||
@@ -293,62 +293,90 @@ errno_t sss_mc_refresh_group(const char *groupname)
|
|
||||||
return sss_mc_refresh_ent(groupname, SSS_TOOLS_GROUP);
|
|
||||||
}
|
|
||||||
|
|
||||||
-errno_t sss_mc_refresh_nested_group(struct tools_ctx *tctx,
|
|
||||||
- const char *name)
|
|
||||||
+static errno_t sss_mc_refresh_nested_group(struct tools_ctx *tctx,
|
|
||||||
+ const char *shortname)
|
|
||||||
{
|
|
||||||
errno_t ret;
|
|
||||||
- struct ldb_message *msg;
|
|
||||||
+ struct ldb_message *msg = NULL;
|
|
||||||
struct ldb_message_element *el;
|
|
||||||
const char *attrs[] = { SYSDB_MEMBEROF,
|
|
||||||
SYSDB_NAME,
|
|
||||||
NULL };
|
|
||||||
size_t i;
|
|
||||||
- char *parent_name;
|
|
||||||
+ char *parent_internal_name;
|
|
||||||
+ char *parent_outname;
|
|
||||||
+ char *internal_name;
|
|
||||||
+ TALLOC_CTX *tmpctx;
|
|
||||||
|
|
||||||
- ret = sss_mc_refresh_group(name);
|
|
||||||
+ tmpctx = talloc_new(tctx);
|
|
||||||
+ if (tmpctx == NULL) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ internal_name = sss_create_internal_fqname(tmpctx, shortname,
|
|
||||||
+ tctx->local->name);
|
|
||||||
+ if (internal_name == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sss_mc_refresh_group(shortname);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
- "Cannot refresh group %s from memory cache\n", name);
|
|
||||||
+ "Cannot refresh group %s from memory cache\n", shortname);
|
|
||||||
/* try to carry on */
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = sysdb_search_group_by_name(tctx, tctx->local, name, attrs, &msg);
|
|
||||||
+ ret = sysdb_search_group_by_name(tmpctx, tctx->local, internal_name, attrs,
|
|
||||||
+ &msg);
|
|
||||||
if (ret) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
"Search failed: %s (%d)\n", strerror(ret), ret);
|
|
||||||
- return ret;
|
|
||||||
+ goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
el = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
|
|
||||||
if (!el || el->num_values == 0) {
|
|
||||||
- DEBUG(SSSDBG_TRACE_INTERNAL, "Group %s has no parents\n", name);
|
|
||||||
- talloc_free(msg);
|
|
||||||
- return EOK;
|
|
||||||
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Group %s has no parents\n",
|
|
||||||
+ internal_name);
|
|
||||||
+ ret = EOK;
|
|
||||||
+ goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* This group is nested. We need to invalidate all its parents, too */
|
|
||||||
for (i=0; i < el->num_values; i++) {
|
|
||||||
- ret = sysdb_group_dn_name(tctx->sysdb, tctx,
|
|
||||||
+ ret = sysdb_group_dn_name(tctx->sysdb, tmpctx,
|
|
||||||
(const char *) el->values[i].data,
|
|
||||||
- &parent_name);
|
|
||||||
+ &parent_internal_name);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_MINOR_FAILURE, "Malformed DN [%s]? Skipping\n",
|
|
||||||
(const char *) el->values[i].data);
|
|
||||||
- talloc_free(parent_name);
|
|
||||||
+ talloc_free(parent_internal_name);
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = sss_mc_refresh_group(parent_name);
|
|
||||||
- talloc_free(parent_name);
|
|
||||||
+ parent_outname = sss_output_name(tmpctx, parent_internal_name,
|
|
||||||
+ tctx->local->case_preserve, 0);
|
|
||||||
+ if (parent_outname == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sss_mc_refresh_group(parent_outname);
|
|
||||||
+ talloc_free(parent_internal_name);
|
|
||||||
+ talloc_free(parent_outname);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
- "Cannot refresh group %s from memory cache\n", name);
|
|
||||||
+ "Cannot refresh group %s from memory cache\n", parent_outname);
|
|
||||||
/* try to carry on */
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- talloc_free(msg);
|
|
||||||
- return EOK;
|
|
||||||
+ ret = EOK;
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ talloc_free(tmpctx);
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
errno_t sss_mc_refresh_grouplist(struct tools_ctx *tctx,
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,117 +0,0 @@
|
|||||||
From 8f08ebcc6897b8b18f18554adfa5c55ab1313f2a Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
||||||
Date: Wed, 7 Sep 2016 15:00:12 +0200
|
|
||||||
Subject: [PATCH 47/79] TESTS: Add FQDN variants for some tests
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Adds FQDN variants of some already existing tests.
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit f2d1d90a14267c01155eab7bb95b8eb34128acc9)
|
|
||||||
---
|
|
||||||
src/tests/intg/test_local_domain.py | 83 +++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 83 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/tests/intg/test_local_domain.py b/src/tests/intg/test_local_domain.py
|
|
||||||
index 5e3e3d4d1cdc6db5d68a6e5b9d96d94c2c694b14..b34e4a3d31cdbc1dc257d8fffcf0f5a07803b20c 100644
|
|
||||||
--- a/src/tests/intg/test_local_domain.py
|
|
||||||
+++ b/src/tests/intg/test_local_domain.py
|
|
||||||
@@ -87,6 +87,27 @@ def local_domain_only(request):
|
|
||||||
return None
|
|
||||||
|
|
||||||
|
|
||||||
+@pytest.fixture
|
|
||||||
+def local_domain_only_fqdn(request):
|
|
||||||
+ conf = unindent("""\
|
|
||||||
+ [sssd]
|
|
||||||
+ domains = LOCAL
|
|
||||||
+ services = nss
|
|
||||||
+
|
|
||||||
+ [nss]
|
|
||||||
+ memcache_timeout = 0
|
|
||||||
+
|
|
||||||
+ [domain/LOCAL]
|
|
||||||
+ id_provider = local
|
|
||||||
+ min_id = 10000
|
|
||||||
+ max_id = 20000
|
|
||||||
+ use_fully_qualified_names = True
|
|
||||||
+ """).format(**locals())
|
|
||||||
+ create_conf_fixture(request, conf)
|
|
||||||
+ create_sssd_fixture(request)
|
|
||||||
+ return None
|
|
||||||
+
|
|
||||||
+
|
|
||||||
def assert_nonexistent_user(name):
|
|
||||||
with pytest.raises(KeyError):
|
|
||||||
pwd.getpwnam(name)
|
|
||||||
@@ -169,3 +190,65 @@ def test_add_local_group_to_local_group(local_domain_only):
|
|
||||||
"group_parent",
|
|
||||||
dict(name="group_parent", passwd="*", gid=10008,
|
|
||||||
mem=ent.contains_only("user_child")))
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_sss_group_add_show_del_fqdn(local_domain_only_fqdn):
|
|
||||||
+ """
|
|
||||||
+ Regression test for tickets
|
|
||||||
+ https://fedorahosted.org/sssd/ticket/3173
|
|
||||||
+ https://fedorahosted.org/sssd/ticket/3175
|
|
||||||
+ """
|
|
||||||
+
|
|
||||||
+ subprocess.check_call(["sss_groupadd", "foo@LOCAL", "-g", "10001"])
|
|
||||||
+
|
|
||||||
+ "This should not raise KeyError"
|
|
||||||
+ ent.assert_group_by_name("foo@LOCAL", dict(name="foo@LOCAL", gid=10001))
|
|
||||||
+
|
|
||||||
+ "sss_grupshow should return 0 with existing group name"
|
|
||||||
+ subprocess.check_call(["sss_groupshow", "foo@LOCAL"])
|
|
||||||
+
|
|
||||||
+ subprocess.check_call(["sss_groupdel", "foo@LOCAL"])
|
|
||||||
+ assert_nonexistent_group("foo@LOCAL")
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_add_local_user_to_local_group_fqdn(local_domain_only_fqdn):
|
|
||||||
+ """
|
|
||||||
+ Regression test for ticket
|
|
||||||
+ https://fedorahosted.org/sssd/ticket/3178
|
|
||||||
+ """
|
|
||||||
+ subprocess.check_call(
|
|
||||||
+ ["sss_groupadd", "-g", "10009", "group10009@LOCAL"])
|
|
||||||
+ subprocess.check_call(
|
|
||||||
+ ["sss_useradd", "-u", "10009", "-M", "user10009@LOCAL"])
|
|
||||||
+ subprocess.check_call(
|
|
||||||
+ ["sss_usermod", "-a", "group10009@LOCAL", "user10009@LOCAL"])
|
|
||||||
+
|
|
||||||
+ ent.assert_group_by_name(
|
|
||||||
+ "group10009@LOCAL",
|
|
||||||
+ dict(name="group10009@LOCAL", passwd="*", gid=10009,
|
|
||||||
+ mem=ent.contains_only("user10009@LOCAL")))
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_add_local_group_to_local_group_fqdn(local_domain_only_fqdn):
|
|
||||||
+ """
|
|
||||||
+ Regression test for tickets
|
|
||||||
+ https://fedorahosted.org/sssd/ticket/3178
|
|
||||||
+ """
|
|
||||||
+ subprocess.check_call(
|
|
||||||
+ ["sss_groupadd", "-g", "10009", "group_child@LOCAL"])
|
|
||||||
+ subprocess.check_call(
|
|
||||||
+ ["sss_useradd", "-u", "10009", "-M", "user_child@LOCAL"])
|
|
||||||
+ subprocess.check_call(
|
|
||||||
+ ["sss_usermod", "-a", "group_child@LOCAL", "user_child@LOCAL"])
|
|
||||||
+
|
|
||||||
+ subprocess.check_call(
|
|
||||||
+ ["sss_groupadd", "-g", "10008", "group_parent@LOCAL"])
|
|
||||||
+ subprocess.check_call(
|
|
||||||
+ ["sss_groupmod", "-a", "group_parent@LOCAL", "group_child@LOCAL"])
|
|
||||||
+
|
|
||||||
+ # User from child_group is member of parent_group, so child_group's
|
|
||||||
+ # member must be also parent_group's member
|
|
||||||
+ ent.assert_group_by_name(
|
|
||||||
+ "group_parent@LOCAL",
|
|
||||||
+ dict(name="group_parent@LOCAL", passwd="*", gid=10008,
|
|
||||||
+ mem=ent.contains_only("user_child@LOCAL")))
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,156 +0,0 @@
|
|||||||
From 99e3e869ae031ce70f6f7a0d7435bf9969cf3108 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Wed, 7 Sep 2016 12:07:36 +0200
|
|
||||||
Subject: [PATCH 48/79] KRB5: Send the output username, not internal fqname to
|
|
||||||
krb5_child
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
krb5_child calls krb5_kuserok() during the access phase which checks if
|
|
||||||
a particular user is allowed to authenticate as a particular principal.
|
|
||||||
We used to pass the internal fqname to krb5_kuserok() which broke the
|
|
||||||
functionality and all users were denied access.
|
|
||||||
|
|
||||||
This patch changes that to send the 'output' username to krb5_child,
|
|
||||||
because that's the username the system receives through getpwnam() or
|
|
||||||
getpwuid() anyway. The patch also adds a new structure member fo the
|
|
||||||
krb5child_req structure to avoid reusing the pd->user variable but have
|
|
||||||
an explicit one that serves as the input for the child process.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3172
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit fedfb7c62b4efa89d18d0d3a7895a2a34ec4ce42)
|
|
||||||
---
|
|
||||||
src/providers/krb5/krb5_access.c | 10 ++++++++--
|
|
||||||
src/providers/krb5/krb5_auth.c | 18 ++++++++++++++----
|
|
||||||
src/providers/krb5/krb5_auth.h | 9 ++++++---
|
|
||||||
src/providers/krb5/krb5_child_handler.c | 4 ++--
|
|
||||||
4 files changed, 30 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c
|
|
||||||
index 3afb90150d77ef4ab2c1b5b79abb95d68eb131f6..be9068c0f9180f8de0de259aae368534effaf7fb 100644
|
|
||||||
--- a/src/providers/krb5/krb5_access.c
|
|
||||||
+++ b/src/providers/krb5/krb5_access.c
|
|
||||||
@@ -51,6 +51,7 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
|
|
||||||
int ret;
|
|
||||||
const char **attrs;
|
|
||||||
struct ldb_result *res;
|
|
||||||
+ struct sss_domain_info *dom;
|
|
||||||
|
|
||||||
req = tevent_req_create(mem_ctx, &state, struct krb5_access_state);
|
|
||||||
if (req == NULL) {
|
|
||||||
@@ -64,8 +65,13 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
|
|
||||||
state->krb5_ctx = krb5_ctx;
|
|
||||||
state->access_allowed = false;
|
|
||||||
|
|
||||||
- ret = krb5_setup(state, pd, krb5_ctx, be_ctx->domain->case_sensitive,
|
|
||||||
- &state->kr);
|
|
||||||
+ ret = get_domain_or_subdomain(be_ctx, pd->domain, &dom);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "get_domain_or_subdomain failed.\n");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = krb5_setup(state, pd, dom, krb5_ctx, &state->kr);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n");
|
|
||||||
goto done;
|
|
||||||
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
|
||||||
index dabf55cf24a8afda16fee6697120c7c6f088b796..f0f2280022a3ee951ccfa0040b616c48c3b25706 100644
|
|
||||||
--- a/src/providers/krb5/krb5_auth.c
|
|
||||||
+++ b/src/providers/krb5/krb5_auth.c
|
|
||||||
@@ -174,8 +174,10 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
-errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
|
|
||||||
- struct krb5_ctx *krb5_ctx, bool cs,
|
|
||||||
+errno_t krb5_setup(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct pam_data *pd,
|
|
||||||
+ struct sss_domain_info *dom,
|
|
||||||
+ struct krb5_ctx *krb5_ctx,
|
|
||||||
struct krb5child_req **_krb5_req)
|
|
||||||
{
|
|
||||||
struct krb5child_req *kr;
|
|
||||||
@@ -201,13 +203,21 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
|
|
||||||
kr->krb5_ctx = krb5_ctx;
|
|
||||||
|
|
||||||
ret = get_krb_primary(krb5_ctx->name_to_primary,
|
|
||||||
- pd->user, cs, &mapped_name);
|
|
||||||
+ pd->user, dom->case_sensitive, &mapped_name);
|
|
||||||
if (ret == EOK) {
|
|
||||||
DEBUG(SSSDBG_TRACE_FUNC, "Setting mapped name to: %s\n", mapped_name);
|
|
||||||
kr->user = mapped_name;
|
|
||||||
+ kr->kuserok_user = mapped_name;
|
|
||||||
} else if (ret == ENOENT) {
|
|
||||||
DEBUG(SSSDBG_TRACE_ALL, "No mapping for: %s\n", pd->user);
|
|
||||||
kr->user = pd->user;
|
|
||||||
+
|
|
||||||
+ kr->kuserok_user = sss_output_name(kr, kr->user,
|
|
||||||
+ dom->case_sensitive, 0);
|
|
||||||
+ if (kr->kuserok_user == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
} else {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "get_krb_primary failed - %s:[%d]\n",
|
|
||||||
sss_strerror(ret), ret);
|
|
||||||
@@ -534,7 +544,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
|
|
||||||
attrs[6] = SYSDB_AUTH_TYPE;
|
|
||||||
attrs[7] = NULL;
|
|
||||||
|
|
||||||
- ret = krb5_setup(state, pd, krb5_ctx, state->domain->case_sensitive,
|
|
||||||
+ ret = krb5_setup(state, pd, state->domain, krb5_ctx,
|
|
||||||
&state->kr);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n");
|
|
||||||
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
|
|
||||||
index dbad061f0203b6383daeeab506bf9950d892ea4b..11bb595833269177b7e2c5fc6372d6a6fb6d93d2 100644
|
|
||||||
--- a/src/providers/krb5/krb5_auth.h
|
|
||||||
+++ b/src/providers/krb5/krb5_auth.h
|
|
||||||
@@ -57,11 +57,14 @@ struct krb5child_req {
|
|
||||||
bool send_pac;
|
|
||||||
|
|
||||||
const char *user;
|
|
||||||
+ const char *kuserok_user;
|
|
||||||
};
|
|
||||||
|
|
||||||
-errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
|
|
||||||
- struct krb5_ctx *krb5_ctx, bool case_sensitive,
|
|
||||||
- struct krb5child_req **krb5_req);
|
|
||||||
+errno_t krb5_setup(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct pam_data *pd,
|
|
||||||
+ struct sss_domain_info *dom,
|
|
||||||
+ struct krb5_ctx *krb5_ctx,
|
|
||||||
+ struct krb5child_req **_krb5_req);
|
|
||||||
|
|
||||||
struct tevent_req *
|
|
||||||
krb5_pam_handler_send(TALLOC_CTX *mem_ctx,
|
|
||||||
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
|
|
||||||
index 09a1e5f59494a5c07d5c9eefb94919ca9389cb27..1eec7261f00976b3725fee9323755edecd5409a5 100644
|
|
||||||
--- a/src/providers/krb5/krb5_child_handler.c
|
|
||||||
+++ b/src/providers/krb5/krb5_child_handler.c
|
|
||||||
@@ -161,7 +161,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
|
|
||||||
- username_len = strlen(kr->pd->user);
|
|
||||||
+ username_len = strlen(kr->kuserok_user);
|
|
||||||
buf->size += sizeof(uint32_t) + username_len;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -217,7 +217,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
|
|
||||||
|
|
||||||
if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
|
|
||||||
SAFEALIGN_SET_UINT32(&buf->data[rp], username_len, &rp);
|
|
||||||
- safealign_memcpy(&buf->data[rp], kr->pd->user, username_len, &rp);
|
|
||||||
+ safealign_memcpy(&buf->data[rp], kr->kuserok_user, username_len, &rp);
|
|
||||||
}
|
|
||||||
|
|
||||||
*io_buf = buf;
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,113 +0,0 @@
|
|||||||
From 29a4731b129d759870a4706525396948814c8e27 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Justin Stephenson <jstephen@redhat.com>
|
|
||||||
Date: Fri, 26 Aug 2016 15:15:32 -0400
|
|
||||||
Subject: [PATCH 49/79] MONITOR: Remove --disable-netlink command-line option
|
|
||||||
|
|
||||||
Removing monitor command-line option, to be superceded by
|
|
||||||
sssd.conf option
|
|
||||||
|
|
||||||
Reviewed-by: Petr Cech <pcech@redhat.com>
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit 632fc5d8991d167eea20769c823163551c3f1d8c)
|
|
||||||
---
|
|
||||||
src/man/sssd.8.xml | 11 -----------
|
|
||||||
src/monitor/monitor.c | 33 ++++++++++++++++++++-------------
|
|
||||||
2 files changed, 20 insertions(+), 24 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
|
|
||||||
index ca8444d31ebca3d65a3baf83e20d458226ed5cd4..923da6824907f0d2d140d9ca83f87338e7664f83 100644
|
|
||||||
--- a/src/man/sssd.8.xml
|
|
||||||
+++ b/src/man/sssd.8.xml
|
|
||||||
@@ -114,17 +114,6 @@
|
|
||||||
</varlistentry>
|
|
||||||
<varlistentry>
|
|
||||||
<term>
|
|
||||||
- <option>--disable-netlink</option>
|
|
||||||
- </term>
|
|
||||||
- <listitem>
|
|
||||||
- <para>
|
|
||||||
- sssd will ignore Netlink changes when making decisions
|
|
||||||
- about resetting online and offline operational status.
|
|
||||||
- </para>
|
|
||||||
- </listitem>
|
|
||||||
- </varlistentry>
|
|
||||||
- <varlistentry>
|
|
||||||
- <term>
|
|
||||||
<option>-c</option>,<option>--config</option>
|
|
||||||
</term>
|
|
||||||
<listitem>
|
|
||||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
|
||||||
index 1f89c5a79feab8a921ce2f9132763b37ab506596..442bdbc423aaa1224d17b9f357193ec73b045d29 100644
|
|
||||||
--- a/src/monitor/monitor.c
|
|
||||||
+++ b/src/monitor/monitor.c
|
|
||||||
@@ -2041,8 +2041,7 @@ static void missing_resolv_conf(struct tevent_context *ev,
|
|
||||||
}
|
|
||||||
|
|
||||||
static int monitor_process_init(struct mt_ctx *ctx,
|
|
||||||
- const char *config_file,
|
|
||||||
- bool opt_netlinkoff)
|
|
||||||
+ const char *config_file)
|
|
||||||
{
|
|
||||||
TALLOC_CTX *tmp_ctx;
|
|
||||||
struct tevent_signal *tes;
|
|
||||||
@@ -2173,14 +2172,12 @@ static int monitor_process_init(struct mt_ctx *ctx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (opt_netlinkoff == false) {
|
|
||||||
- ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
|
|
||||||
- ctx, &ctx->nlctx);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
- "Cannot set up listening for network notifications\n");
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
+ ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
|
|
||||||
+ ctx, &ctx->nlctx);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "Cannot set up listening for network notifications\n");
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* start providers */
|
|
||||||
@@ -2488,7 +2485,8 @@ int main(int argc, const char *argv[])
|
|
||||||
_("Become a daemon (default)"), NULL }, \
|
|
||||||
{"interactive", 'i', POPT_ARG_NONE, &opt_interactive, 0, \
|
|
||||||
_("Run interactive (not a daemon)"), NULL}, \
|
|
||||||
- {"disable-netlink", '\0', POPT_ARG_NONE, &opt_netlinkoff, 0, \
|
|
||||||
+ {"disable-netlink", '\0', POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
|
|
||||||
+ &opt_netlinkoff, 0, \
|
|
||||||
_("Disable netlink interface"), NULL}, \
|
|
||||||
{"config", 'c', POPT_ARG_STRING, &opt_config_file, 0, \
|
|
||||||
_("Specify a non-default config file"), NULL}, \
|
|
||||||
@@ -2575,6 +2573,15 @@ int main(int argc, const char *argv[])
|
|
||||||
config_file = talloc_strdup(tmp_ctx, SSSD_CONFIG_FILE);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (opt_netlinkoff) {
|
|
||||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
|
||||||
+ "Option --disable-netlink has been removed and "
|
|
||||||
+ "replaced as a monitor option in sssd.conf\n");
|
|
||||||
+ sss_log(SSS_LOG_ALERT,
|
|
||||||
+ "--disable-netlink has been deprecated, tunable option "
|
|
||||||
+ "disable_netlink available as replacement(man sssd.conf)");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (!config_file) {
|
|
||||||
return 6;
|
|
||||||
}
|
|
||||||
@@ -2692,8 +2699,8 @@ int main(int argc, const char *argv[])
|
|
||||||
monitor->ev = main_ctx->event_ctx;
|
|
||||||
talloc_steal(main_ctx, monitor);
|
|
||||||
|
|
||||||
- ret = monitor_process_init(monitor, config_file,
|
|
||||||
- opt_netlinkoff);
|
|
||||||
+ ret = monitor_process_init(monitor, config_file);
|
|
||||||
+
|
|
||||||
if (ret != EOK) return 3;
|
|
||||||
talloc_free(tmp_ctx);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,163 +0,0 @@
|
|||||||
From ed7875afc4ab7e8441eb70f346c774dd49ddfd9b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Justin Stephenson <jstephen@redhat.com>
|
|
||||||
Date: Fri, 26 Aug 2016 17:43:25 -0400
|
|
||||||
Subject: [PATCH 50/79] MONITOR: Add disable_netlink option
|
|
||||||
|
|
||||||
Adding a new monitor boolean option to disable netlink support.
|
|
||||||
This will give users more control over sssd state changes without
|
|
||||||
having to modify systemd unit files.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3142
|
|
||||||
|
|
||||||
Reviewed-by: Petr Cech <pcech@redhat.com>
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit 081c6d8c7c8e75487d1c4e42862964be1e85b575)
|
|
||||||
---
|
|
||||||
src/confdb/confdb.h | 1 +
|
|
||||||
src/config/SSSDConfig/__init__.py.in | 1 +
|
|
||||||
src/config/SSSDConfigTest.py | 3 ++-
|
|
||||||
src/config/cfg_rules.ini | 1 +
|
|
||||||
src/config/etc/sssd.api.conf | 1 +
|
|
||||||
src/man/sssd.conf.5.xml | 18 ++++++++++++++++++
|
|
||||||
src/monitor/monitor.c | 21 ++++++++++++++++++---
|
|
||||||
7 files changed, 42 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
||||||
index 401e5fbf7ed6bb9e8d7158dfab378c8159aa03db..2d650900170d5f2214aa56f00fc749980e53f516 100644
|
|
||||||
--- a/src/confdb/confdb.h
|
|
||||||
+++ b/src/confdb/confdb.h
|
|
||||||
@@ -73,6 +73,7 @@
|
|
||||||
#define CONFDB_MONITOR_OVERRIDE_SPACE "override_space"
|
|
||||||
#define CONFDB_MONITOR_USER_RUNAS "user"
|
|
||||||
#define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
|
|
||||||
+#define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink"
|
|
||||||
|
|
||||||
/* Both monitor and domains */
|
|
||||||
#define CONFDB_NAME_REGEX "re_expression"
|
|
||||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
index 0191920f93ab9016508e08785c25dd043c180c0b..2027028f7b4e972c7bc0dd5156fd85157ae192f4 100644
|
|
||||||
--- a/src/config/SSSDConfig/__init__.py.in
|
|
||||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
@@ -62,6 +62,7 @@ option_strings = {
|
|
||||||
'user' : _('The user to drop privileges to'),
|
|
||||||
'certificate_verification' : _('Tune certificate verification'),
|
|
||||||
'override_space': _('All spaces in group or user names will be replaced with this character'),
|
|
||||||
+ 'disable_netlink' : _('Tune sssd to honor or ignore netlink state changes'),
|
|
||||||
|
|
||||||
# [nss]
|
|
||||||
'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
|
|
||||||
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
|
||||||
index 6a0fdf0ea5215103b48dc8521a43ae945342c0e2..8a64a257ab978b81ae4b26918c683b25a30fe7c1 100755
|
|
||||||
--- a/src/config/SSSDConfigTest.py
|
|
||||||
+++ b/src/config/SSSDConfigTest.py
|
|
||||||
@@ -310,7 +310,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
|
|
||||||
'client_idle_timeout',
|
|
||||||
'description',
|
|
||||||
'certificate_verification',
|
|
||||||
- 'override_space']
|
|
||||||
+ 'override_space',
|
|
||||||
+ 'disable_netlink']
|
|
||||||
|
|
||||||
self.assertTrue(type(options) == dict,
|
|
||||||
"Options should be a dictionary")
|
|
||||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
||||||
index 5e248066bd554d2a654a764f406f6b33c4d66733..93c10e2b7892027f0ee7a7af096814fb7cac333a 100644
|
|
||||||
--- a/src/config/cfg_rules.ini
|
|
||||||
+++ b/src/config/cfg_rules.ini
|
|
||||||
@@ -38,6 +38,7 @@ option = default_domain_suffix
|
|
||||||
option = certificate_verification
|
|
||||||
option = override_space
|
|
||||||
option = config_file_version
|
|
||||||
+option = disable_netlink
|
|
||||||
|
|
||||||
[rule/allowed_nss_options]
|
|
||||||
validator = ini_allowed_options
|
|
||||||
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
||||||
index 525f939cd204f4d484caa7b490d85b0d50de00ef..9e4bf2f6e5d536099af75a82126bc577e10386b4 100644
|
|
||||||
--- a/src/config/etc/sssd.api.conf
|
|
||||||
+++ b/src/config/etc/sssd.api.conf
|
|
||||||
@@ -28,6 +28,7 @@ user = str, None, false
|
|
||||||
default_domain_suffix = str, None, false
|
|
||||||
certificate_verification = str, None, false
|
|
||||||
override_space = str, None, false
|
|
||||||
+disable_netlink = bool, None, false
|
|
||||||
|
|
||||||
[nss]
|
|
||||||
# Name service
|
|
||||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
||||||
index ae291e0fc8f2f9afabcdf32f18a5ec12252bbbbf..6f231b8ab8fc078d83331bb7ef5b980528a30bd6 100644
|
|
||||||
--- a/src/man/sssd.conf.5.xml
|
|
||||||
+++ b/src/man/sssd.conf.5.xml
|
|
||||||
@@ -482,6 +482,24 @@
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>disable_netlink (boolean)</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ SSSD hooks into the netlink interface to
|
|
||||||
+ monitor changes to routes, addresses, links
|
|
||||||
+ and trigger certain actions.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ The SSSD state changes caused by netlink
|
|
||||||
+ events may be undesirable and can be disabled
|
|
||||||
+ by setting this option to 'true'
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Default: false (netlink changes are detected)
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</para>
|
|
||||||
</refsect2>
|
|
||||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
|
||||||
index 442bdbc423aaa1224d17b9f357193ec73b045d29..84a144e56294c7af5d818b71fbe3664cd2fc1a94 100644
|
|
||||||
--- a/src/monitor/monitor.c
|
|
||||||
+++ b/src/monitor/monitor.c
|
|
||||||
@@ -2052,6 +2052,7 @@ static int monitor_process_init(struct mt_ctx *ctx,
|
|
||||||
int num_providers;
|
|
||||||
int ret;
|
|
||||||
int error;
|
|
||||||
+ bool disable_netlink;
|
|
||||||
struct sysdb_upgrade_ctx db_up_ctx;
|
|
||||||
|
|
||||||
/* Set up the environment variable for the Kerberos Replay Cache */
|
|
||||||
@@ -2172,14 +2173,28 @@ static int monitor_process_init(struct mt_ctx *ctx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
|
|
||||||
- ctx, &ctx->nlctx);
|
|
||||||
+ ret = confdb_get_bool(ctx->cdb,
|
|
||||||
+ CONFDB_MONITOR_CONF_ENTRY,
|
|
||||||
+ CONFDB_MONITOR_DISABLE_NETLINK,
|
|
||||||
+ false, &disable_netlink);
|
|
||||||
+
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
- "Cannot set up listening for network notifications\n");
|
|
||||||
+ "Failed to read disable_netlink from confdb: [%d] %s\n",
|
|
||||||
+ ret, sss_strerror(ret));
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (disable_netlink == false) {
|
|
||||||
+ ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
|
|
||||||
+ ctx, &ctx->nlctx);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "Cannot set up listening for network notifications\n");
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* start providers */
|
|
||||||
num_providers = 0;
|
|
||||||
for (dom = ctx->domains; dom; dom = get_next_domain(dom, 0)) {
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,67 +0,0 @@
|
|||||||
From 467253ff3b281f34668a482c5ece7ece11a4b213 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
||||||
Date: Wed, 7 Sep 2016 17:09:53 +0200
|
|
||||||
Subject: [PATCH 51/79] TOOLS: sss_override without name override
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
sss_override failed to export user/group overrides
|
|
||||||
if user had no overrides for name.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3179
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
(cherry picked from commit 07e7683f5a86991feaa764e2055116554ada1b93)
|
|
||||||
---
|
|
||||||
src/tools/sss_override.c | 24 ++++++++++++++----------
|
|
||||||
1 file changed, 14 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
|
|
||||||
index d41da52e69acdb67b5a6d624254e3b89a8aa27b8..212bf9ab84b20d4777fc2601359fad58596bb7c4 100644
|
|
||||||
--- a/src/tools/sss_override.c
|
|
||||||
+++ b/src/tools/sss_override.c
|
|
||||||
@@ -1159,12 +1159,14 @@ list_user_overrides(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
fqname = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
|
|
||||||
- ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- ret = ERR_WRONG_NAME_FORMAT;
|
|
||||||
- goto done;
|
|
||||||
+ if (fqname != NULL) {
|
|
||||||
+ ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ ret = ERR_WRONG_NAME_FORMAT;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ objs[i].name = talloc_steal(objs, name);
|
|
||||||
}
|
|
||||||
- objs[i].name = talloc_steal(objs, name);
|
|
||||||
|
|
||||||
objs[i].uid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_UIDNUM, 0);
|
|
||||||
objs[i].gid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
|
|
||||||
@@ -1248,12 +1250,14 @@ list_group_overrides(TALLOC_CTX *mem_ctx,
|
|
||||||
talloc_steal(objs, objs[i].orig_name);
|
|
||||||
|
|
||||||
fqname = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
|
|
||||||
- ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- ret = ERR_WRONG_NAME_FORMAT;
|
|
||||||
- goto done;
|
|
||||||
+ if (fqname != NULL) {
|
|
||||||
+ ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ ret = ERR_WRONG_NAME_FORMAT;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ objs[i].name = talloc_steal(objs, name);
|
|
||||||
}
|
|
||||||
- objs[i].name = talloc_steal(objs, name);
|
|
||||||
|
|
||||||
objs[i].gid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,203 +0,0 @@
|
|||||||
From b7886a50d6467d9130fade4d0e94a818c2cc6300 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
||||||
Date: Wed, 7 Sep 2016 18:23:16 +0200
|
|
||||||
Subject: [PATCH 52/79] TEST: Add regression test for ticket #3179
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3179
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
(cherry picked from commit 1c72723cde8bea0d390b928c7cd29e48e7a7deab)
|
|
||||||
---
|
|
||||||
src/tests/intg/ldap_local_override_test.py | 126 ++++++++++++++++++++++++++---
|
|
||||||
1 file changed, 114 insertions(+), 12 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/tests/intg/ldap_local_override_test.py b/src/tests/intg/ldap_local_override_test.py
|
|
||||||
index 63de836d4d645b2e2be968bb23ce84f0cb90189a..714268f024d0f7b01309c55a84f56d0d1aec58f9 100644
|
|
||||||
--- a/src/tests/intg/ldap_local_override_test.py
|
|
||||||
+++ b/src/tests/intg/ldap_local_override_test.py
|
|
||||||
@@ -205,27 +205,38 @@ def assert_user_default():
|
|
||||||
ent.assert_passwd_by_name('user2@LDAP', user2)
|
|
||||||
|
|
||||||
|
|
||||||
-def assert_user_overriden():
|
|
||||||
+def assert_user_overriden(override_name=True):
|
|
||||||
|
|
||||||
- user1 = dict(name='ov_user1', passwd='*', uid=10010, gid=20010,
|
|
||||||
+ if override_name:
|
|
||||||
+ name1 = "ov_user1"
|
|
||||||
+ name2 = "ov_user2"
|
|
||||||
+ else:
|
|
||||||
+ name1 = "user1"
|
|
||||||
+ name2 = "user2"
|
|
||||||
+
|
|
||||||
+ user1 = dict(name=name1, passwd='*', uid=10010, gid=20010,
|
|
||||||
gecos='Overriden User 1',
|
|
||||||
dir='/home/ov/user1',
|
|
||||||
shell='/bin/ov_user1_shell')
|
|
||||||
|
|
||||||
- user2 = dict(name='ov_user2', passwd='*', uid=10020, gid=20020,
|
|
||||||
+ user2 = dict(name=name2, passwd='*', uid=10020, gid=20020,
|
|
||||||
gecos='Overriden User 2',
|
|
||||||
dir='/home/ov/user2',
|
|
||||||
shell='/bin/ov_user2_shell')
|
|
||||||
|
|
||||||
ent.assert_passwd_by_name('user1', user1)
|
|
||||||
ent.assert_passwd_by_name('user1@LDAP', user1)
|
|
||||||
- ent.assert_passwd_by_name('ov_user1', user1)
|
|
||||||
- ent.assert_passwd_by_name('ov_user1@LDAP', user1)
|
|
||||||
+
|
|
||||||
+ if override_name:
|
|
||||||
+ ent.assert_passwd_by_name('ov_user1', user1)
|
|
||||||
+ ent.assert_passwd_by_name('ov_user1@LDAP', user1)
|
|
||||||
|
|
||||||
ent.assert_passwd_by_name('user2', user2)
|
|
||||||
ent.assert_passwd_by_name('user2@LDAP', user2)
|
|
||||||
- ent.assert_passwd_by_name('ov_user2', user2)
|
|
||||||
- ent.assert_passwd_by_name('ov_user2@LDAP', user2)
|
|
||||||
+
|
|
||||||
+ if override_name:
|
|
||||||
+ ent.assert_passwd_by_name('ov_user2', user2)
|
|
||||||
+ ent.assert_passwd_by_name('ov_user2@LDAP', user2)
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
@@ -514,6 +525,54 @@ def test_imp_exp_user_override(ldap_conn, env_imp_exp_user_override):
|
|
||||||
assert_user_overriden()
|
|
||||||
|
|
||||||
|
|
||||||
+# Regression test for bug 3179
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_imp_exp_user_overrride_noname(ldap_conn,
|
|
||||||
+ env_two_users_and_group):
|
|
||||||
+
|
|
||||||
+ # Override
|
|
||||||
+ subprocess.check_call(["sss_override", "user-add", "user1",
|
|
||||||
+ "-u", "10010",
|
|
||||||
+ "-g", "20010",
|
|
||||||
+ "-c", "Overriden User 1",
|
|
||||||
+ "-h", "/home/ov/user1",
|
|
||||||
+ "-s", "/bin/ov_user1_shell"])
|
|
||||||
+
|
|
||||||
+ subprocess.check_call(["sss_override", "user-add", "user2@LDAP",
|
|
||||||
+ "-u", "10020",
|
|
||||||
+ "-g", "20020",
|
|
||||||
+ "-c", "Overriden User 2",
|
|
||||||
+ "-h", "/home/ov/user2",
|
|
||||||
+ "-s", "/bin/ov_user2_shell"])
|
|
||||||
+
|
|
||||||
+ # Restart SSSD so the override might take effect
|
|
||||||
+ restart_sssd()
|
|
||||||
+
|
|
||||||
+ # Assert entries are overriden
|
|
||||||
+ assert_user_overriden(override_name=False)
|
|
||||||
+
|
|
||||||
+ # Export overrides
|
|
||||||
+ subprocess.check_call(["sss_override", "user-export", OVERRIDE_FILENAME])
|
|
||||||
+
|
|
||||||
+ # Drop all overrides
|
|
||||||
+ subprocess.check_call(["sss_override", "user-del", "user1"])
|
|
||||||
+ subprocess.check_call(["sss_override", "user-del", "user2@LDAP"])
|
|
||||||
+
|
|
||||||
+ # Avoid hitting memory cache
|
|
||||||
+ time.sleep(2)
|
|
||||||
+
|
|
||||||
+ # Assert entries are not overridden
|
|
||||||
+ assert_user_default()
|
|
||||||
+
|
|
||||||
+ # Import overrides
|
|
||||||
+ subprocess.check_call(["sss_override", "user-import",
|
|
||||||
+ OVERRIDE_FILENAME])
|
|
||||||
+ restart_sssd()
|
|
||||||
+
|
|
||||||
+ assert_user_overriden(override_name=False)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
#
|
|
||||||
# Override user-show
|
|
||||||
#
|
|
||||||
@@ -581,7 +640,7 @@ def test_find_user_override(ldap_conn, env_find_user_override):
|
|
||||||
# Common group asserts
|
|
||||||
#
|
|
||||||
|
|
||||||
-def assert_group_overriden():
|
|
||||||
+def assert_group_overriden(override_name=True):
|
|
||||||
|
|
||||||
# Assert entries are overridden
|
|
||||||
empty_group = dict(gid=3002, mem=ent.contains_only())
|
|
||||||
@@ -589,13 +648,17 @@ def assert_group_overriden():
|
|
||||||
|
|
||||||
ent.assert_group_by_name("group", group)
|
|
||||||
ent.assert_group_by_name("group@LDAP", group)
|
|
||||||
- ent.assert_group_by_name("ov_group", group)
|
|
||||||
- ent.assert_group_by_name("ov_group@LDAP", group)
|
|
||||||
+
|
|
||||||
+ if override_name:
|
|
||||||
+ ent.assert_group_by_name("ov_group", group)
|
|
||||||
+ ent.assert_group_by_name("ov_group@LDAP", group)
|
|
||||||
|
|
||||||
ent.assert_group_by_name("empty_group", empty_group)
|
|
||||||
ent.assert_group_by_name("empty_group@LDAP", empty_group)
|
|
||||||
- ent.assert_group_by_name("ov_empty_group", empty_group)
|
|
||||||
- ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
|
|
||||||
+
|
|
||||||
+ if override_name:
|
|
||||||
+ ent.assert_group_by_name("ov_empty_group", empty_group)
|
|
||||||
+ ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
|
|
||||||
|
|
||||||
|
|
||||||
def assert_group_default():
|
|
||||||
@@ -841,6 +904,45 @@ def test_imp_exp_group_override(ldap_conn, env_imp_exp_group_override):
|
|
||||||
assert_group_overriden()
|
|
||||||
|
|
||||||
|
|
||||||
+# Regression test for bug 3179
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_imp_exp_group_override_noname(ldap_conn, env_group_basic):
|
|
||||||
+
|
|
||||||
+ # Override - do not use -n here)
|
|
||||||
+ subprocess.check_call(["sss_override", "group-add", "group",
|
|
||||||
+ "-g", "3001"])
|
|
||||||
+
|
|
||||||
+ subprocess.check_call(["sss_override", "group-add", "empty_group@LDAP",
|
|
||||||
+ "--gid", "3002"])
|
|
||||||
+
|
|
||||||
+ # Restart SSSD so the override might take effect
|
|
||||||
+ restart_sssd()
|
|
||||||
+
|
|
||||||
+ # Assert entries are overridden
|
|
||||||
+ assert_group_overriden(override_name=False)
|
|
||||||
+
|
|
||||||
+ # Export overrides
|
|
||||||
+ subprocess.check_call(["sss_override", "group-export",
|
|
||||||
+ OVERRIDE_FILENAME])
|
|
||||||
+
|
|
||||||
+ # Drop all overrides
|
|
||||||
+ subprocess.check_call(["sss_override", "group-del", "group"])
|
|
||||||
+ subprocess.check_call(["sss_override", "group-del", "empty_group@LDAP"])
|
|
||||||
+
|
|
||||||
+ # Avoid hitting memory cache
|
|
||||||
+ time.sleep(2)
|
|
||||||
+
|
|
||||||
+ assert_group_default()
|
|
||||||
+
|
|
||||||
+ # Import overrides
|
|
||||||
+ subprocess.check_call(["sss_override", "group-import",
|
|
||||||
+ OVERRIDE_FILENAME])
|
|
||||||
+ restart_sssd()
|
|
||||||
+
|
|
||||||
+ assert_group_overriden(override_name=False)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
# Regression test for bug #2802
|
|
||||||
# sss_override segfaults when accidentally adding --help flag to some commands
|
|
||||||
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,60 +0,0 @@
|
|||||||
From 5e42bd82ea08e3a45cf8369d51f68587f5bd796e Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
||||||
Date: Mon, 12 Sep 2016 19:22:56 +0200
|
|
||||||
Subject: [PATCH 53/79] TOOLS: sss_groupshow fails to show MPG
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The MPG search uses it's own search function
|
|
||||||
that used sysdb operation with shortname,
|
|
||||||
but it expects internal fqname.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3184
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 812bed08943df8bf3fd1ff9eabcaf5bedc635c92)
|
|
||||||
---
|
|
||||||
src/tools/sss_groupshow.c | 12 ++++++++++--
|
|
||||||
1 file changed, 10 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
|
|
||||||
index 5870cc802c70366c47a0d30cb0d9795cf6035bc5..00f6f12939b6bef2dd10085f8cf99304e87f1211 100644
|
|
||||||
--- a/src/tools/sss_groupshow.c
|
|
||||||
+++ b/src/tools/sss_groupshow.c
|
|
||||||
@@ -553,13 +553,14 @@ int group_show_recurse(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
static int group_show_mpg(TALLOC_CTX *mem_ctx,
|
|
||||||
struct sss_domain_info *domain,
|
|
||||||
- const char *name,
|
|
||||||
+ const char *shortname,
|
|
||||||
struct group_info **res)
|
|
||||||
{
|
|
||||||
const char *attrs[] = GROUP_SHOW_MPG_ATTRS;
|
|
||||||
struct ldb_message *msg;
|
|
||||||
struct group_info *info;
|
|
||||||
int ret;
|
|
||||||
+ char *sysdb_fqname;
|
|
||||||
|
|
||||||
info = talloc_zero(mem_ctx, struct group_info);
|
|
||||||
if (!info) {
|
|
||||||
@@ -567,7 +568,14 @@ static int group_show_mpg(TALLOC_CTX *mem_ctx,
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = sysdb_search_user_by_name(info, domain, name, attrs, &msg);
|
|
||||||
+ sysdb_fqname = sss_create_internal_fqname(mem_ctx,
|
|
||||||
+ shortname,
|
|
||||||
+ domain->name);
|
|
||||||
+ if (sysdb_fqname == NULL) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sysdb_search_user_by_name(info, domain, sysdb_fqname, attrs, &msg);
|
|
||||||
if (ret) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
"Search failed: %s (%d)\n", strerror(ret), ret);
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,55 +0,0 @@
|
|||||||
From 702f4c8aed1bc997e99ab28349269c4cc151beda Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
||||||
Date: Mon, 12 Sep 2016 19:25:13 +0200
|
|
||||||
Subject: [PATCH 54/79] TESTS: sss_groupshow with MPG
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Regression test for ticket #3184
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3184
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit bb14556c1df503314644fc424fbbf95759791db9)
|
|
||||||
---
|
|
||||||
src/tests/intg/test_local_domain.py | 22 ++++++++++++++++++++++
|
|
||||||
1 file changed, 22 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/tests/intg/test_local_domain.py b/src/tests/intg/test_local_domain.py
|
|
||||||
index b34e4a3d31cdbc1dc257d8fffcf0f5a07803b20c..8e1d6fb2b69f5e6e033ae06d4bd52cc88e54872b 100644
|
|
||||||
--- a/src/tests/intg/test_local_domain.py
|
|
||||||
+++ b/src/tests/intg/test_local_domain.py
|
|
||||||
@@ -118,6 +118,28 @@ def assert_nonexistent_group(name):
|
|
||||||
grp.getgrnam(name)
|
|
||||||
|
|
||||||
|
|
||||||
+def test_groupshow_mpg(local_domain_only):
|
|
||||||
+ """
|
|
||||||
+ Regression test for ticket
|
|
||||||
+ https://fedorahosted.org/sssd/ticket/3184
|
|
||||||
+ """
|
|
||||||
+ subprocess.check_call(["sss_useradd", "foo", "-M"])
|
|
||||||
+
|
|
||||||
+ # The user's mpg has to be found (should return 0)
|
|
||||||
+ subprocess.check_call(["sss_groupshow", "foo"])
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_groupshow_mpg_fqdn(local_domain_only_fqdn):
|
|
||||||
+ """
|
|
||||||
+ Regression test for ticket (fq variant)
|
|
||||||
+ https://fedorahosted.org/sssd/ticket/3184
|
|
||||||
+ """
|
|
||||||
+ subprocess.check_call(["sss_useradd", "foo@LOCAL", "-M"])
|
|
||||||
+
|
|
||||||
+ # The user's mpg has to be found (should return 0)
|
|
||||||
+ subprocess.check_call(["sss_groupshow", "foo@LOCAL"])
|
|
||||||
+
|
|
||||||
+
|
|
||||||
def test_wrong_LC_ALL(local_domain_only):
|
|
||||||
"""
|
|
||||||
Regression test for ticket
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,37 +0,0 @@
|
|||||||
From 4add586753c50b3222c0899ced0d95a2263828c6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Tue, 6 Sep 2016 12:27:51 +0200
|
|
||||||
Subject: [PATCH 55/79] KRB5: Return ERR_NETWORK_IO on clock skew
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Adds two more return codes to the list of codes we translate to
|
|
||||||
ERR_NETWORK_IO.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3174
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
(cherry picked from commit d3348f49260998880bb7cd3b2fb72d562b1b7a64)
|
|
||||||
---
|
|
||||||
src/providers/krb5/krb5_child.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
|
||||||
index a0a0f74d7e39866828c1c9ee4b18e57c36a30bb9..82522995e310f20c58922f814e14e81a84b9bcb9 100644
|
|
||||||
--- a/src/providers/krb5/krb5_child.c
|
|
||||||
+++ b/src/providers/krb5/krb5_child.c
|
|
||||||
@@ -1374,6 +1374,8 @@ static errno_t map_krb5_error(krb5_error_code kerr)
|
|
||||||
|
|
||||||
case KRB5_KDCREP_SKEW:
|
|
||||||
case KRB5KRB_AP_ERR_SKEW:
|
|
||||||
+ case KRB5KRB_AP_ERR_TKT_EXPIRED:
|
|
||||||
+ case KRB5KRB_AP_ERR_TKT_NYV:
|
|
||||||
case KRB5_KDC_UNREACH:
|
|
||||||
case KRB5_REALM_CANT_RESOLVE:
|
|
||||||
case KRB5_REALM_UNKNOWN:
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,54 +0,0 @@
|
|||||||
From b42d29d5fed3df1662dc7b9b46a57ab27298b138 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Tue, 30 Aug 2016 16:39:49 +0200
|
|
||||||
Subject: [PATCH 56/79] SDAP: Fix settig paging attribute in
|
|
||||||
sdap_get_generic_ext_send
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
We should set pagging flag in state and not in local
|
|
||||||
variable which is not read anywhere in the function.
|
|
||||||
|
|
||||||
Found by clang static analyzer.
|
|
||||||
|
|
||||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
(cherry picked from commit 6c335dee38da943796710b5e336472a10cf641f2)
|
|
||||||
---
|
|
||||||
src/providers/ldap/sdap_async.c | 6 +++---
|
|
||||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
|
|
||||||
index 4195ba95d911f3956f8cca665310b4b92091e6cd..e9ce2d5fd7c835919fff615e7b553d95f72d65a7 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async.c
|
|
||||||
+++ b/src/providers/ldap/sdap_async.c
|
|
||||||
@@ -1254,7 +1254,7 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx,
|
|
||||||
*/
|
|
||||||
if (scope == LDAP_SCOPE_BASE && (flags & SDAP_SRCH_FLG_PAGING)) {
|
|
||||||
/* Disable paging */
|
|
||||||
- flags &= ~SDAP_SRCH_FLG_PAGING;
|
|
||||||
+ state->flags &= ~SDAP_SRCH_FLG_PAGING;
|
|
||||||
DEBUG(SSSDBG_TRACE_FUNC,
|
|
||||||
"WARNING: Disabling paging because scope is set to base.\n");
|
|
||||||
}
|
|
||||||
@@ -1267,7 +1267,7 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx,
|
|
||||||
serverctrls,
|
|
||||||
NULL);
|
|
||||||
if (control) {
|
|
||||||
- flags |= SDAP_SRCH_FLG_PAGING;
|
|
||||||
+ state->flags |= SDAP_SRCH_FLG_PAGING;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* ASQ */
|
|
||||||
@@ -1275,7 +1275,7 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx,
|
|
||||||
serverctrls,
|
|
||||||
NULL);
|
|
||||||
if (control) {
|
|
||||||
- flags |= SDAP_SRCH_FLG_PAGING;
|
|
||||||
+ state->flags |= SDAP_SRCH_FLG_PAGING;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (state->nserverctrls=0;
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,151 +0,0 @@
|
|||||||
From a700cdddcc989d1820cbd71bc9a378772c3f87ed Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Cech <pcech@redhat.com>
|
|
||||||
Date: Wed, 24 Aug 2016 14:41:09 +0200
|
|
||||||
Subject: [PATCH 57/79] PROXY: Adding proxy_max_children option
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The new option 'proxy_max_children' is applicable
|
|
||||||
in domain section. Default value is 10.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3153
|
|
||||||
|
|
||||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
(cherry picked from commit aef0171e0bdc9a683958d69c7ee984fb10cd5de7)
|
|
||||||
---
|
|
||||||
src/confdb/confdb.h | 1 +
|
|
||||||
src/config/SSSDConfig/__init__.py.in | 3 +++
|
|
||||||
src/config/cfg_rules.ini | 1 +
|
|
||||||
src/config/etc/sssd.api.d/sssd-proxy.conf | 1 +
|
|
||||||
src/man/sssd.conf.5.xml | 16 ++++++++++++++++
|
|
||||||
src/providers/proxy/proxy_init.c | 22 ++++++++++++++++++++--
|
|
||||||
6 files changed, 42 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
||||||
index 2d650900170d5f2214aa56f00fc749980e53f516..36a2f21a0ff07ac4ae94ffdbb47087de05907505 100644
|
|
||||||
--- a/src/confdb/confdb.h
|
|
||||||
+++ b/src/confdb/confdb.h
|
|
||||||
@@ -219,6 +219,7 @@
|
|
||||||
#define CONFDB_PROXY_LIBNAME "proxy_lib_name"
|
|
||||||
#define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
|
|
||||||
#define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
|
|
||||||
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
|
|
||||||
|
|
||||||
/* Secrets Service */
|
|
||||||
#define CONFDB_SEC_CONF_ENTRY "config/secrets"
|
|
||||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
index 2027028f7b4e972c7bc0dd5156fd85157ae192f4..0acb751e234ee0c3e6fee332a2ba22f9ac353221 100644
|
|
||||||
--- a/src/config/SSSDConfig/__init__.py.in
|
|
||||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
@@ -429,6 +429,9 @@ option_strings = {
|
|
||||||
'default_shell' : _('Default shell, /bin/bash'),
|
|
||||||
'base_directory' : _('Base for home directories'),
|
|
||||||
|
|
||||||
+ # [provider/proxy]
|
|
||||||
+ 'proxy_max_children' : _('The number of preforked proxy children.'),
|
|
||||||
+
|
|
||||||
# [provider/proxy/id]
|
|
||||||
'proxy_lib_name' : _('The name of the NSS library to use'),
|
|
||||||
'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
|
|
||||||
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
||||||
index 93c10e2b7892027f0ee7a7af096814fb7cac333a..01be0c6e610161b64897e3974cefe1ccdc317fd3 100644
|
|
||||||
--- a/src/config/cfg_rules.ini
|
|
||||||
+++ b/src/config/cfg_rules.ini
|
|
||||||
@@ -305,6 +305,7 @@ option = base_directory
|
|
||||||
option = proxy_lib_name
|
|
||||||
option = proxy_fast_alias
|
|
||||||
option = proxy_pam_target
|
|
||||||
+option = proxy_max_children
|
|
||||||
|
|
||||||
# simple access provider specific options
|
|
||||||
option = simple_allow_users
|
|
||||||
diff --git a/src/config/etc/sssd.api.d/sssd-proxy.conf b/src/config/etc/sssd.api.d/sssd-proxy.conf
|
|
||||||
index 89a6503f9b84b7eab5fb3b0dd591dea905b43adb..09bf82affcb4263de3abbb67d1d484f6b01a1824 100644
|
|
||||||
--- a/src/config/etc/sssd.api.d/sssd-proxy.conf
|
|
||||||
+++ b/src/config/etc/sssd.api.d/sssd-proxy.conf
|
|
||||||
@@ -1,4 +1,5 @@
|
|
||||||
[provider/proxy]
|
|
||||||
+proxy_max_children = int, None, false
|
|
||||||
|
|
||||||
[provider/proxy/id]
|
|
||||||
proxy_lib_name = str, None, true
|
|
||||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
||||||
index 6f231b8ab8fc078d83331bb7ef5b980528a30bd6..8b862eb0cef7cb35215c4aba7a77a553f31e47c8 100644
|
|
||||||
--- a/src/man/sssd.conf.5.xml
|
|
||||||
+++ b/src/man/sssd.conf.5.xml
|
|
||||||
@@ -2482,6 +2482,22 @@ subdomain_inherit = ldap_purge_cache_timeout
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>proxy_max_children (integer)</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ This option specifies the number of pre-forked
|
|
||||||
+ proxy children. It is useful for high-load SSSD
|
|
||||||
+ environments where sssd may run out of available
|
|
||||||
+ child slots, which would cause some issues due to
|
|
||||||
+ the requests being queued.
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Default: 10
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+
|
|
||||||
</variablelist>
|
|
||||||
</para>
|
|
||||||
|
|
||||||
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
|
|
||||||
index 1edf4fd64e54f4f0df7a78a9e56eb232a1d3e948..2241dafb8e21bbc0b904df3fa548c906877a5194 100644
|
|
||||||
--- a/src/providers/proxy/proxy_init.c
|
|
||||||
+++ b/src/providers/proxy/proxy_init.c
|
|
||||||
@@ -29,6 +29,8 @@
|
|
||||||
|
|
||||||
#define NSS_FN_NAME "_nss_%s_%s"
|
|
||||||
|
|
||||||
+#define OPT_MAX_CHILDREN_DEFAULT 10
|
|
||||||
+
|
|
||||||
#define ERROR_INITGR "The '%s' library does not provides the " \
|
|
||||||
"_nss_XXX_initgroups_dyn function!\n" \
|
|
||||||
"initgroups will be slow as it will require " \
|
|
||||||
@@ -220,6 +222,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
|
|
||||||
struct proxy_auth_ctx *auth_ctx;
|
|
||||||
errno_t ret;
|
|
||||||
int hret;
|
|
||||||
+ int max_children;
|
|
||||||
|
|
||||||
auth_ctx = talloc_zero(mem_ctx, struct proxy_auth_ctx);
|
|
||||||
if (auth_ctx == NULL) {
|
|
||||||
@@ -241,8 +244,23 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Set up request hash table */
|
|
||||||
- /* FIXME: get max_children from configuration file */
|
|
||||||
- auth_ctx->max_children = 10;
|
|
||||||
+ ret = confdb_get_int(be_ctx->cdb, be_ctx->conf_path,
|
|
||||||
+ CONFDB_PROXY_MAX_CHILDREN,
|
|
||||||
+ OPT_MAX_CHILDREN_DEFAULT,
|
|
||||||
+ &max_children);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Unable to read confdb [%d]: %s\n", ret, sss_strerror(ret));
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (max_children < 1) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Option " CONFDB_PROXY_MAX_CHILDREN " must be higher then 0\n");
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ auth_ctx->max_children = max_children;
|
|
||||||
|
|
||||||
hret = hash_create(auth_ctx->max_children * 2, &auth_ctx->request_table,
|
|
||||||
NULL, NULL);
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,50 +0,0 @@
|
|||||||
From 4a5e9bea88983643a6fd7b95a6cfcf16f29044ec Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Tue, 30 Aug 2016 10:42:58 +0200
|
|
||||||
Subject: [PATCH 58/79] SECRETS: Search by the right type when checking
|
|
||||||
containers
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
We've been searching for the wrong type ("simple") in
|
|
||||||
local_db_check_containers(), which always gives us a NULL result.
|
|
||||||
|
|
||||||
Let's introduce the new LOCAL_CONTAINER_FILTER and do the search for the
|
|
||||||
right type ("container") from now on.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3137
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit a8361f37af31a8a9767056bd27c418c947293f56)
|
|
||||||
---
|
|
||||||
src/responder/secrets/local.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
|
|
||||||
index ac3049b62fa77f69d44ec5792139fe3378afb3f4..5b5745d6732987c6057788b2099f45ad0799f151 100644
|
|
||||||
--- a/src/responder/secrets/local.c
|
|
||||||
+++ b/src/responder/secrets/local.c
|
|
||||||
@@ -168,6 +168,7 @@ char *local_dn_to_path(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
#define LOCAL_SIMPLE_FILTER "(type=simple)"
|
|
||||||
+#define LOCAL_CONTAINER_FILTER "(type=container)"
|
|
||||||
|
|
||||||
int local_db_get_simple(TALLOC_CTX *mem_ctx,
|
|
||||||
struct local_context *lctx,
|
|
||||||
@@ -306,7 +307,7 @@ int local_db_check_containers(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
/* and check the parent container exists */
|
|
||||||
ret = ldb_search(lctx->ldb, mem_ctx, &res, dn, LDB_SCOPE_BASE,
|
|
||||||
- attrs, LOCAL_SIMPLE_FILTER);
|
|
||||||
+ attrs, LOCAL_CONTAINER_FILTER);
|
|
||||||
if (ret != LDB_SUCCESS) return ENOENT;
|
|
||||||
if (res->count != 1) return ENOENT;
|
|
||||||
talloc_free(res);
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
From 2ee5783d8c8bb51f169988a0a45ec711cfd47e41 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Mon, 12 Sep 2016 17:36:09 +0200
|
|
||||||
Subject: [PATCH 59/79] LDAP: Return partial results from adminlimit exceeded
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3185
|
|
||||||
|
|
||||||
Since commit c420ce830ac0b0b288a2a887ec2cfce5c748018c we try to move to
|
|
||||||
the next server on any error on the connection, which in case there is
|
|
||||||
only one server sends SSSD offline.
|
|
||||||
|
|
||||||
It's more graceful to try to process the results, same as we already do
|
|
||||||
with sizelimit exceeded.
|
|
||||||
|
|
||||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 3319d964721396c07daba383ded6aaaf33ed6e3b)
|
|
||||||
---
|
|
||||||
src/providers/ldap/sdap_async.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
|
|
||||||
index e9ce2d5fd7c835919fff615e7b553d95f72d65a7..f374112935a7befa1d059df97f3119c14d8f5da5 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async.c
|
|
||||||
+++ b/src/providers/ldap/sdap_async.c
|
|
||||||
@@ -1526,7 +1526,8 @@ static void sdap_get_generic_op_finished(struct sdap_op *op,
|
|
||||||
sss_ldap_err2string(result), result,
|
|
||||||
errmsg ? errmsg : "no errmsg set");
|
|
||||||
|
|
||||||
- if (result == LDAP_SIZELIMIT_EXCEEDED) {
|
|
||||||
+ if (result == LDAP_SIZELIMIT_EXCEEDED
|
|
||||||
+ || result == LDAP_ADMINLIMIT_EXCEEDED) {
|
|
||||||
/* Try to return what we've got */
|
|
||||||
|
|
||||||
if ( ! (state->flags & SDAP_SRCH_FLG_SIZELIMIT_SILENT)) {
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From d7a48ee6cde1e80dc2e63500d94017afe498a52a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Justin Stephenson <jstephen@redhat.com>
|
|
||||||
Date: Mon, 29 Aug 2016 11:20:00 -0400
|
|
||||||
Subject: [PATCH 60/79] MAN: sssd-sudo manual update IPA native LDAP tree
|
|
||||||
support
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Update sssd-sudo man page to reflect native IPA sudo support
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3145
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 72bab5640b3ec57950b53dad0fb3042ea563592c)
|
|
||||||
---
|
|
||||||
src/man/sssd-sudo.5.xml | 9 ++++++---
|
|
||||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/man/sssd-sudo.5.xml b/src/man/sssd-sudo.5.xml
|
|
||||||
index de276ad2d7647da9b7d510bf00fdf8fb58aed1c7..9be77725d679946bd09b86771cc7379b6ac64627 100644
|
|
||||||
--- a/src/man/sssd-sudo.5.xml
|
|
||||||
+++ b/src/man/sssd-sudo.5.xml
|
|
||||||
@@ -109,9 +109,12 @@ ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
|
|
||||||
</programlisting>
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
- When the SSSD is configured to use IPA as the ID provider,
|
|
||||||
- the sudo provider is automatically enabled. The sudo search base
|
|
||||||
- is configured to use the compat tree (ou=sudoers,$DC).
|
|
||||||
+ When SSSD is configured to use IPA as the ID provider, the
|
|
||||||
+ sudo provider is automatically enabled. The sudo search base is
|
|
||||||
+ configured to use the IPA native LDAP tree (cn=sudo,$SUFFIX).
|
|
||||||
+ If any other search base is defined in sssd.conf, this value will be
|
|
||||||
+ used instead. The compat tree (ou=sudoers,$SUFFIX) is no longer
|
|
||||||
+ required for IPA sudo functionality.
|
|
||||||
</para>
|
|
||||||
</refsect1>
|
|
||||||
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,267 +0,0 @@
|
|||||||
From 8173003ed876f1cc0831a838e20332b274b39c4f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Wed, 31 Aug 2016 14:32:31 +0200
|
|
||||||
Subject: [PATCH 61/79] p11: only set PKCS11_LOGIN_TOKEN_NAME if gdm-smartcard
|
|
||||||
is used
|
|
||||||
|
|
||||||
Resolves https://fedorahosted.org/sssd/ticket/3165
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit 71cd9f98150577224559bdc12c53c01ce6f2c3d9)
|
|
||||||
---
|
|
||||||
src/responder/pam/pamsrv_p11.c | 33 +++++++++------
|
|
||||||
src/tests/cmocka/test_pam_srv.c | 89 +++++++++++++++++++++++++++++++++++------
|
|
||||||
2 files changed, 97 insertions(+), 25 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
|
||||||
index a2514f6a1d699de3a245063f49db1b7e51a2b10b..22da33067d5c479153376927855dcd6b43322d8b 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_p11.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_p11.c
|
|
||||||
@@ -505,7 +505,11 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* The PKCS11_LOGIN_TOKEN_NAME environment variable is e.g. used by the Gnome
|
|
||||||
- * Settings Daemon to determine the name of the token used for login */
|
|
||||||
+ * Settings Daemon to determine the name of the token used for login but it
|
|
||||||
+ * should be only set if SSSD is called by gdm-smartcard. Otherwise desktop
|
|
||||||
+ * components might assume that gdm-smartcard PAM stack is configured
|
|
||||||
+ * correctly which might not be the case e.g. if Smartcard authentication was
|
|
||||||
+ * used when running gdm-password. */
|
|
||||||
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
|
|
||||||
|
|
||||||
errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
|
||||||
@@ -553,19 +557,22 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- env = talloc_asprintf(pd, "%s=%s", PKCS11_LOGIN_TOKEN_ENV_NAME, token_name);
|
|
||||||
- if (env == NULL) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
|
|
||||||
- return ENOMEM;
|
|
||||||
- }
|
|
||||||
+ if (strcmp(pd->service, "gdm-smartcard") == 0) {
|
|
||||||
+ env = talloc_asprintf(pd, "%s=%s", PKCS11_LOGIN_TOKEN_ENV_NAME,
|
|
||||||
+ token_name);
|
|
||||||
+ if (env == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(env) + 1,
|
|
||||||
- (uint8_t *)env);
|
|
||||||
- talloc_free(env);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
- "pam_add_response failed to add environment variable.\n");
|
|
||||||
- return ret;
|
|
||||||
+ ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(env) + 1,
|
|
||||||
+ (uint8_t *)env);
|
|
||||||
+ talloc_free(env);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "pam_add_response failed to add environment variable.\n");
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
|
||||||
index 5de092d0f19318d1d6c773355dbb38e345600133..02199e6f121cab0784389256cdaac38baf9d73e3 100644
|
|
||||||
--- a/src/tests/cmocka/test_pam_srv.c
|
|
||||||
+++ b/src/tests/cmocka/test_pam_srv.c
|
|
||||||
@@ -554,7 +554,7 @@ static void mock_input_pam(TALLOC_CTX *mem_ctx, const char *name,
|
|
||||||
}
|
|
||||||
|
|
||||||
static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
|
|
||||||
- const char *pin)
|
|
||||||
+ const char *pin, const char *service)
|
|
||||||
{
|
|
||||||
size_t buf_size;
|
|
||||||
uint8_t *m_buf;
|
|
||||||
@@ -576,7 +576,7 @@ static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
|
|
||||||
pi.pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN;
|
|
||||||
}
|
|
||||||
|
|
||||||
- pi.pam_service = "login";
|
|
||||||
+ pi.pam_service = service == NULL ? "login" : service;
|
|
||||||
pi.pam_service_size = strlen(pi.pam_service) + 1;
|
|
||||||
pi.pam_tty = "/dev/tty";
|
|
||||||
pi.pam_tty_size = strlen(pi.pam_tty) + 1;
|
|
||||||
@@ -626,7 +626,8 @@ static int test_pam_simple_check(uint32_t status, uint8_t *body, size_t blen)
|
|
||||||
|
|
||||||
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
|
|
||||||
|
|
||||||
-static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
|
||||||
+static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
|
|
||||||
+ size_t blen)
|
|
||||||
{
|
|
||||||
size_t rp = 0;
|
|
||||||
uint32_t val;
|
|
||||||
@@ -675,6 +676,44 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
|
||||||
+{
|
|
||||||
+ size_t rp = 0;
|
|
||||||
+ uint32_t val;
|
|
||||||
+
|
|
||||||
+ assert_int_equal(status, 0);
|
|
||||||
+
|
|
||||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
+ assert_int_equal(val, pam_test_ctx->exp_pam_status);
|
|
||||||
+
|
|
||||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
+ assert_int_equal(val, 2);
|
|
||||||
+
|
|
||||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
|
|
||||||
+
|
|
||||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
+ assert_int_equal(val, 9);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(*(body + rp + val - 1), 0);
|
|
||||||
+ assert_string_equal(body + rp, TEST_DOM_NAME);
|
|
||||||
+ rp += val;
|
|
||||||
+
|
|
||||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
+ assert_int_equal(val, SSS_PAM_CERT_INFO);
|
|
||||||
+
|
|
||||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
+ assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
|
|
||||||
+
|
|
||||||
+ assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
|
|
||||||
+ assert_string_equal(body + rp, "pamuser");
|
|
||||||
+ rp += sizeof("pamuser");
|
|
||||||
+
|
|
||||||
+ assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
|
|
||||||
+ assert_string_equal(body + rp, TEST_TOKEN_NAME);
|
|
||||||
+
|
|
||||||
+ return EOK;
|
|
||||||
+}
|
|
||||||
|
|
||||||
static int test_pam_offline_chauthtok_check(uint32_t status,
|
|
||||||
uint8_t *body, size_t blen)
|
|
||||||
@@ -1438,7 +1477,7 @@ void test_pam_preauth_no_logon_name(void **state)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
|
|
||||||
|
|
||||||
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
||||||
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
@@ -1465,7 +1504,7 @@ void test_pam_preauth_cert_nocert(void **state)
|
|
||||||
|
|
||||||
set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
|
|
||||||
|
|
||||||
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
|
|
||||||
|
|
||||||
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
||||||
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
@@ -1544,7 +1583,7 @@ void test_pam_preauth_cert_nomatch(void **state)
|
|
||||||
|
|
||||||
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
||||||
|
|
||||||
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
|
|
||||||
|
|
||||||
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
||||||
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
@@ -1566,7 +1605,7 @@ void test_pam_preauth_cert_match(void **state)
|
|
||||||
|
|
||||||
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
||||||
|
|
||||||
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
|
|
||||||
|
|
||||||
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
||||||
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
@@ -1583,13 +1622,37 @@ void test_pam_preauth_cert_match(void **state)
|
|
||||||
assert_int_equal(ret, EOK);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* Test if PKCS11_LOGIN_TOKEN_NAME is added for the gdm-smartcard service */
|
|
||||||
+void test_pam_preauth_cert_match_gdm_smartcard(void **state)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
||||||
+
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, "gdm-smartcard");
|
|
||||||
+
|
|
||||||
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
||||||
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
+ mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb,
|
|
||||||
+ discard_const(TEST_TOKEN_CERT));
|
|
||||||
+
|
|
||||||
+ set_cmd_cb(test_pam_cert_check_gdm_smartcard);
|
|
||||||
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
|
|
||||||
+ pam_test_ctx->pam_cmds);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ /* Wait until the test finishes with EOK */
|
|
||||||
+ ret = test_ev_loop(pam_test_ctx->tctx);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
void test_pam_preauth_cert_match_wrong_user(void **state)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
||||||
|
|
||||||
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
|
|
||||||
|
|
||||||
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
||||||
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
@@ -1613,7 +1676,7 @@ void test_pam_preauth_cert_no_logon_name(void **state)
|
|
||||||
|
|
||||||
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
||||||
|
|
||||||
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
|
|
||||||
|
|
||||||
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
||||||
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
@@ -1636,7 +1699,7 @@ void test_pam_preauth_no_cert_no_logon_name(void **state)
|
|
||||||
|
|
||||||
set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
|
|
||||||
|
|
||||||
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
|
|
||||||
|
|
||||||
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
||||||
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
@@ -1657,7 +1720,7 @@ void test_pam_preauth_cert_no_logon_name_no_match(void **state)
|
|
||||||
|
|
||||||
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
||||||
|
|
||||||
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
|
|
||||||
|
|
||||||
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
|
||||||
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
@@ -1679,7 +1742,7 @@ void test_pam_cert_auth(void **state)
|
|
||||||
|
|
||||||
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
|
|
||||||
|
|
||||||
- mock_input_pam_cert(pam_test_ctx, "pamuser", "123456");
|
|
||||||
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", NULL);
|
|
||||||
|
|
||||||
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
|
|
||||||
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
|
||||||
@@ -1790,6 +1853,8 @@ int main(int argc, const char *argv[])
|
|
||||||
pam_test_setup, pam_test_teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match,
|
|
||||||
pam_test_setup, pam_test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match_gdm_smartcard,
|
|
||||||
+ pam_test_setup, pam_test_teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match_wrong_user,
|
|
||||||
pam_test_setup, pam_test_teardown),
|
|
||||||
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_no_logon_name,
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,100 +0,0 @@
|
|||||||
From aeb1038017723e473eeb2f405d3b5ff4f5d4af02 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Fri, 16 Sep 2016 11:47:40 +0200
|
|
||||||
Subject: [PATCH 62/79] p11: return a fully-qualified name
|
|
||||||
|
|
||||||
Related to https://fedorahosted.org/sssd/ticket/3165
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit 3649b959709f1ab187092f054d4aace0798c98fa)
|
|
||||||
---
|
|
||||||
src/responder/pam/pamsrv_p11.c | 20 +++++++++-----------
|
|
||||||
src/tests/cmocka/test_pam_srv.c | 16 ++++++++--------
|
|
||||||
2 files changed, 17 insertions(+), 19 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
|
||||||
index 22da33067d5c479153376927855dcd6b43322d8b..570bfe09d4385a038e7e03fcb64c72dd794774a6 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_p11.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_p11.c
|
|
||||||
@@ -521,33 +521,31 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
|
||||||
size_t msg_len;
|
|
||||||
size_t slot_len;
|
|
||||||
int ret;
|
|
||||||
- char *username;
|
|
||||||
|
|
||||||
if (sysdb_username == NULL || token_name == NULL) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "Missing mandatory user or slot name.\n");
|
|
||||||
return EINVAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = sss_parse_internal_fqname(pd, sysdb_username, &username, NULL);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot parse [%s]\n", sysdb_username);
|
|
||||||
- return ret;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- user_len = strlen(username) + 1;
|
|
||||||
+ user_len = strlen(sysdb_username) + 1;
|
|
||||||
slot_len = strlen(token_name) + 1;
|
|
||||||
msg_len = user_len + slot_len;
|
|
||||||
|
|
||||||
msg = talloc_zero_size(pd, msg_len);
|
|
||||||
if (msg == NULL) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n");
|
|
||||||
- talloc_free(username);
|
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
|
|
||||||
- memcpy(msg, username, user_len);
|
|
||||||
+ /* sysdb_username is a fully-qualified name which is used by pam_sss when
|
|
||||||
+ * prompting the user for the PIN and as login name if it wasn't set by
|
|
||||||
+ * the PAM caller but has to be determined based on the inserted
|
|
||||||
+ * Smartcard. If this type of name is irritating at the PIN prompt or the
|
|
||||||
+ * re_expression config option was set in a way that user@domain cannot be
|
|
||||||
+ * handled anymore some more logic has to be added here. But for the time
|
|
||||||
+ * being I think using sysdb_username is fine. */
|
|
||||||
+ memcpy(msg, sysdb_username, user_len);
|
|
||||||
memcpy(msg + user_len, token_name, slot_len);
|
|
||||||
- talloc_free(username);
|
|
||||||
|
|
||||||
ret = pam_add_response(pd, SSS_PAM_CERT_INFO, msg_len, msg);
|
|
||||||
talloc_free(msg);
|
|
||||||
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
|
||||||
index 02199e6f121cab0784389256cdaac38baf9d73e3..4b2dea4be6a819b23afd243ba99cd9bd57c16c20 100644
|
|
||||||
--- a/src/tests/cmocka/test_pam_srv.c
|
|
||||||
+++ b/src/tests/cmocka/test_pam_srv.c
|
|
||||||
@@ -664,11 +664,11 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
|
|
||||||
assert_int_equal(val, SSS_PAM_CERT_INFO);
|
|
||||||
|
|
||||||
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
- assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
|
|
||||||
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
|
|
||||||
|
|
||||||
- assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
|
|
||||||
- assert_string_equal(body + rp, "pamuser");
|
|
||||||
- rp += sizeof("pamuser");
|
|
||||||
+ assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
|
|
||||||
+ assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
|
|
||||||
+ rp += sizeof("pamuser@"TEST_DOM_NAME);
|
|
||||||
|
|
||||||
assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
|
|
||||||
assert_string_equal(body + rp, TEST_TOKEN_NAME);
|
|
||||||
@@ -703,11 +703,11 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
|
|
||||||
assert_int_equal(val, SSS_PAM_CERT_INFO);
|
|
||||||
|
|
||||||
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
|
||||||
- assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
|
|
||||||
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
|
|
||||||
|
|
||||||
- assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
|
|
||||||
- assert_string_equal(body + rp, "pamuser");
|
|
||||||
- rp += sizeof("pamuser");
|
|
||||||
+ assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
|
|
||||||
+ assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
|
|
||||||
+ rp += sizeof("pamuser@"TEST_DOM_NAME);
|
|
||||||
|
|
||||||
assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
|
|
||||||
assert_string_equal(body + rp, TEST_TOKEN_NAME);
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,109 +0,0 @@
|
|||||||
From 540f0f9e2b35315703b56989d398c11da49992e2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Fri, 16 Sep 2016 11:48:18 +0200
|
|
||||||
Subject: [PATCH 63/79] pam_sss: check PKCS11_LOGIN_TOKEN_NAME
|
|
||||||
|
|
||||||
Check if PKCS11_LOGIN_TOKEN_NAME is set and prompt the user if the
|
|
||||||
matching Smartcard is not inserted.
|
|
||||||
|
|
||||||
Related to https://fedorahosted.org/sssd/ticket/3165
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit 35ba922bc51416f02877b53a6f25c04104ae5f03)
|
|
||||||
---
|
|
||||||
src/sss_client/pam_sss.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 65 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
||||||
index fdb9c907644f1317b6f8e58619f01ad2753deafc..2049d5fb0c6092aaaa914385c79d02d8f44b447e 100644
|
|
||||||
--- a/src/sss_client/pam_sss.c
|
|
||||||
+++ b/src/sss_client/pam_sss.c
|
|
||||||
@@ -1410,6 +1410,7 @@ done:
|
|
||||||
}
|
|
||||||
|
|
||||||
#define SC_PROMPT_FMT "PIN for %s for user %s"
|
|
||||||
+
|
|
||||||
static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
@@ -1691,6 +1692,62 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
|
||||||
return PAM_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#define SC_ENTER_FMT "Please enter smart card labeled\n %s\nand press enter"
|
|
||||||
+
|
|
||||||
+static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
|
|
||||||
+ bool quiet_mode)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+ int pam_status;
|
|
||||||
+ char *login_token_name;
|
|
||||||
+ char *prompt = NULL;
|
|
||||||
+ size_t size;
|
|
||||||
+ char *answer = NULL;
|
|
||||||
+
|
|
||||||
+ login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
|
|
||||||
+ if (login_token_name == NULL) {
|
|
||||||
+ return PAM_SUCCESS;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ while (pi->token_name == NULL
|
|
||||||
+ || strcmp(login_token_name, pi->token_name) != 0) {
|
|
||||||
+ size = sizeof(SC_ENTER_FMT) + strlen(login_token_name);
|
|
||||||
+ prompt = malloc(size);
|
|
||||||
+ if (prompt == NULL) {
|
|
||||||
+ D(("malloc failed."));
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = snprintf(prompt, size, SC_ENTER_FMT,
|
|
||||||
+ login_token_name);
|
|
||||||
+ if (ret < 0 || ret >= size) {
|
|
||||||
+ D(("snprintf failed."));
|
|
||||||
+ free(prompt);
|
|
||||||
+ return EFAULT;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt,
|
|
||||||
+ NULL, &answer);
|
|
||||||
+ free(prompt);
|
|
||||||
+ free(answer);
|
|
||||||
+ if (ret != PAM_SUCCESS) {
|
|
||||||
+ D(("do_pam_conversation failed."));
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode);
|
|
||||||
+ if (pam_status != PAM_SUCCESS) {
|
|
||||||
+ D(("send_and_receive returned [%d] during pre-auth", pam_status));
|
|
||||||
+ /*
|
|
||||||
+ * Since we are waiting for the right Smartcard to be inserted errors
|
|
||||||
+ * can be ignored here.
|
|
||||||
+ */
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return PAM_SUCCESS;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
||||||
int pam_flags, int argc, const char **argv)
|
|
||||||
{
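Review bot: check_login_token_name returns errno values on its two local failure paths (`return ENOMEM;` after malloc, `return EFAULT;` after snprintf), while every other return is a PAM code and the caller added in the later `pam_sss` hunk hands `ret` straight back as the module result, so the PAM stack would read those numbers as unrelated PAM statuses. I would use `return PAM_BUF_ERR;` and `return PAM_SYSTEM_ERR;` there. The `while` loop also has no exit other than a matching token or a failed conversation: every `send_and_receive` error is ignored, so if the responder cannot be reached the user is prompted indefinitely, and a retry cap or an early exit on errors that inserting a card cannot cure would make that failure visible. Minor: `ret >= size` compares an `int` with a `size_t`; `(size_t)ret >= size` after the `ret < 0` test states the intent.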
|
|
||||||
@@ -1758,6 +1815,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
|
|
||||||
+ ret = check_login_token_name(pamh, &pi, quiet_mode);
|
|
||||||
+ if (ret != PAM_SUCCESS) {
|
|
||||||
+ D(("check_login_token_name failed.\n"));
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = get_authtok_for_authentication(pamh, &pi, flags);
|
|
||||||
if (ret != PAM_SUCCESS) {
|
|
||||||
D(("failed to get authentication token: %s",
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,81 +0,0 @@
|
|||||||
From b1fe893002a506ace1b2930a0cb5d5bd5d4fa9f7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Thu, 1 Sep 2016 12:04:30 +0200
|
|
||||||
Subject: [PATCH 64/79] SECRETS: Don't remove a container when it has children
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Let's return and log an error in case the container to be removed has
|
|
||||||
children.
|
|
||||||
|
|
||||||
The approach taken introduced at least one new search in every delete
|
|
||||||
operation. As far as I understand searching in the BASE scope is quite
|
|
||||||
cheap and that's the reason I decided to just do the search in the
|
|
||||||
ONELEVEL scope when the requested to be deleted dn is for sure a
|
|
||||||
container.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3167
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit ab7b33fd7d820688545d5994a402cedf4bcdb6e1)
|
|
||||||
---
|
|
||||||
src/responder/secrets/local.c | 33 +++++++++++++++++++++++++++++++--
|
|
||||||
1 file changed, 31 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
|
|
||||||
index 5b5745d6732987c6057788b2099f45ad0799f151..b13e77f0453f3201d1f9f352bb0b331792de1106 100644
|
|
||||||
--- a/src/responder/secrets/local.c
|
|
||||||
+++ b/src/responder/secrets/local.c
|
|
||||||
@@ -372,14 +372,43 @@ int local_db_delete(TALLOC_CTX *mem_ctx,
|
|
||||||
struct local_context *lctx,
|
|
||||||
const char *req_path)
|
|
||||||
{
|
|
||||||
+ TALLOC_CTX *tmp_ctx;
|
|
||||||
struct ldb_dn *dn;
|
|
||||||
+ static const char *attrs[] = { NULL };
|
|
||||||
+ struct ldb_result *res;
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
+ tmp_ctx = talloc_new(mem_ctx);
|
|
||||||
+ if (!tmp_ctx) return ENOMEM;
|
|
||||||
+
|
|
||||||
ret = local_db_dn(mem_ctx, lctx->ldb, req_path, &dn);
|
|
||||||
- if (ret != EOK) return ret;
|
|
||||||
+ if (ret != EOK) goto done;
|
|
||||||
+
|
|
||||||
+ ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
|
|
||||||
+ attrs, LOCAL_CONTAINER_FILTER);
|
|
||||||
+ if (ret != EOK) goto done;
|
|
||||||
+
|
|
||||||
+ if (res->count == 1) {
|
|
||||||
+ ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
|
|
||||||
+ attrs, NULL);
|
|
||||||
+ if (ret != EOK) goto done;
|
|
||||||
+
|
|
||||||
+ if (res->count > 0) {
|
|
||||||
+ ret = EEXIST;
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "Failed to remove '%s': Container is not empty\n",
|
|
||||||
+ ldb_dn_get_linearized(dn));
|
|
||||||
+
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
ret = ldb_delete(lctx->ldb, dn);
|
|
||||||
- return sysdb_error_to_errno(ret);
|
|
||||||
+ ret = sysdb_error_to_errno(ret);
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
int local_db_create(TALLOC_CTX *mem_ctx,
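Review bot: Both new `ldb_search` calls in local_db_delete jump to `done` with the raw ldb return code, while the `ldb_delete` result is passed through `sysdb_error_to_errno`, so callers receive a mix of ldb codes and errno values from one function. Mapping at each search keeps the contract consistent: `if (ret != LDB_SUCCESS) { ret = sysdb_error_to_errno(ret); goto done; }`. `dn` is still allocated on `mem_ctx` although a `tmp_ctx` now exists, so it outlives the call; passing `tmp_ctx` to `local_db_dn` would release it at `done`. The emptiness check and the delete are separate operations, so unless the caller opens a transaction (not visible in this hunk) a child created between the ONELEVEL search and `ldb_delete` would not be caught.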
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,37 +0,0 @@
|
|||||||
From 958e633f0cc364f758f9d417002e9eba60f15642 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Mon, 19 Sep 2016 10:53:51 +0200
|
|
||||||
Subject: [PATCH 65/79] PAM: call free only when memory is expected to be
|
|
||||||
allocated
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Reported by Coverity
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit a8631161c47cbaefe7fd14b88202238bbdcc3dc8)
|
|
||||||
---
|
|
||||||
src/sss_client/pam_sss.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
||||||
index 2049d5fb0c6092aaaa914385c79d02d8f44b447e..be697c7fcfb47a57b5b498c61f60fcf4bfbbd57f 100644
|
|
||||||
--- a/src/sss_client/pam_sss.c
|
|
||||||
+++ b/src/sss_client/pam_sss.c
|
|
||||||
@@ -1729,10 +1729,11 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
|
|
||||||
ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt,
|
|
||||||
NULL, &answer);
|
|
||||||
free(prompt);
|
|
||||||
- free(answer);
|
|
||||||
if (ret != PAM_SUCCESS) {
|
|
||||||
D(("do_pam_conversation failed."));
|
|
||||||
return ret;
|
|
||||||
+ } else {
|
|
||||||
+ free(answer);
|
|
||||||
}
|
|
||||||
|
|
||||||
pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode);
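Review bot: The reply freed here was collected with `PAM_PROMPT_ECHO_OFF`, so anything the user typed before pressing enter (a PIN entered at the wrong prompt, for instance) is handed to `free` without being cleared. Wiping it first and resetting the pointer would also keep the next loop iteration from starting with a stale value, e.g. `_pam_overwrite(answer); free(answer); answer = NULL;`, assuming the Linux-PAM `_pam_overwrite` macro is in scope in this file. With the early `return ret;` in place the `else` branch is not needed. The loop and the rest of check_login_token_name lie outside this hunk.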
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,82 +0,0 @@
|
|||||||
From b44ec31e6fe2b41e52c3f055d4322c253303471d Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
|
||||||
Date: Mon, 19 Sep 2016 06:28:57 -0400
|
|
||||||
Subject: [PATCH 66/79] TESTS: Fixing of 'const' warnings in sbus tests
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 626d8217a2e578ba641ae3c968752aa15284a210)
|
|
||||||
---
|
|
||||||
src/tests/sbus_codegen_tests.c | 13 +++++++------
|
|
||||||
src/tests/sbus_tests.c | 4 ++--
|
|
||||||
2 files changed, 9 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/tests/sbus_codegen_tests.c b/src/tests/sbus_codegen_tests.c
|
|
||||||
index 55d4657385cfc697985b570e4310164558e2d647..262bfd49e34be72196e1cf1fe451d96b43b067ae 100644
|
|
||||||
--- a/src/tests/sbus_codegen_tests.c
|
|
||||||
+++ b/src/tests/sbus_codegen_tests.c
|
|
||||||
@@ -634,7 +634,7 @@ static int pilot_test_server_init(struct sbus_connection *server, void *unused)
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
ret = sbus_conn_register_iface(server, &pilot_iface.vtable, "/test/leela",
|
|
||||||
- "Crash into the billboard");
|
|
||||||
+ discard_const("Crash into the billboard"));
|
|
||||||
ck_assert_int_eq(ret, EOK);
|
|
||||||
|
|
||||||
return EOK;
|
|
||||||
@@ -645,7 +645,8 @@ static int special_test_server_init(struct sbus_connection *server, void *unused
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
ret = sbus_conn_register_iface(server, &special_iface.vtable,
|
|
||||||
- "/test/special", "Crash into the billboard");
|
|
||||||
+ "/test/special",
|
|
||||||
+ discard_const("Crash into the billboard"));
|
|
||||||
ck_assert_int_eq(ret, EOK);
|
|
||||||
|
|
||||||
return EOK;
|
|
||||||
@@ -673,8 +674,8 @@ START_TEST(test_marshal_basic_types)
|
|
||||||
dbus_int64_t v_int64[] = { INT64_C(-6666666666666666), INT64_C(7777777777777777) };
|
|
||||||
dbus_uint64_t v_uint64[] = { UINT64_C(7777777777777777), INT64_C(888888888888888888) };
|
|
||||||
double v_double[] = { 1.1, 2.2, 3.3 };
|
|
||||||
- char *v_string[] = { "bears", "bears", "bears" };
|
|
||||||
- char *v_object_path[] = { "/original", "/original" };
|
|
||||||
+ const char *v_string[] = { "bears", "bears", "bears" };
|
|
||||||
+ const char *v_object_path[] = { "/original", "/original" };
|
|
||||||
|
|
||||||
unsigned char *arr_byte = v_byte;
|
|
||||||
dbus_int16_t *arr_int16 = v_int16;
|
|
||||||
@@ -684,8 +685,8 @@ START_TEST(test_marshal_basic_types)
|
|
||||||
dbus_int64_t *arr_int64 = v_int64;
|
|
||||||
dbus_uint64_t *arr_uint64 = v_uint64;
|
|
||||||
double *arr_double = v_double;
|
|
||||||
- char **arr_string = v_string;
|
|
||||||
- char **arr_object_path = v_object_path;
|
|
||||||
+ char **arr_string = discard_const(v_string);
|
|
||||||
+ char **arr_object_path = discard_const(v_object_path);
|
|
||||||
|
|
||||||
int len_byte = N_ELEMENTS(v_byte);
|
|
||||||
int len_int16 = N_ELEMENTS(v_int16);
|
|
||||||
diff --git a/src/tests/sbus_tests.c b/src/tests/sbus_tests.c
|
|
||||||
index b472659639e3dce0733dde4ed54a55dcb40c191e..6bf71dc1bbe73b52455c18353531865da1ba6eac 100644
|
|
||||||
--- a/src/tests/sbus_tests.c
|
|
||||||
+++ b/src/tests/sbus_tests.c
|
|
||||||
@@ -201,12 +201,12 @@ static int pilot_test_server_init(struct sbus_connection *server, void *unused)
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
ret = sbus_conn_register_iface(server, &pilot_impl.vtable, "/test/leela",
|
|
||||||
- "Crash into the billboard");
|
|
||||||
+ discard_const("Crash into the billboard"));
|
|
||||||
ck_assert_int_eq(ret, EOK);
|
|
||||||
|
|
||||||
|
|
||||||
ret = sbus_conn_register_iface(server, &pilot_impl.vtable, "/test/fry",
|
|
||||||
- "Don't crash");
|
|
||||||
+ discard_const("Don't crash"));
|
|
||||||
ck_assert_int_eq(ret, EOK);
|
|
||||||
|
|
||||||
return EOK;
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,61 +0,0 @@
|
|||||||
From 4fe173d0e1333659479da47306b3b7957bc2e6d7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
|
||||||
Date: Thu, 15 Sep 2016 09:54:18 -0400
|
|
||||||
Subject: [PATCH 67/79] MAKEFILE: Fixing CFLAGS in some tests
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit 4f2509f8d23d9e921f07b2ead63392ae82ad3a38)
|
|
||||||
---
|
|
||||||
Makefile.am | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index f89af5a9d6d26c732574aa3651de8c175f538b28..f792ed6a6b531d9e6e2c886c2fbe64e1e2345b73 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -1828,6 +1828,7 @@ refcount_tests_SOURCES = \
|
|
||||||
src/tests/refcount-tests.c \
|
|
||||||
$(NULL)
|
|
||||||
refcount_tests_CFLAGS = \
|
|
||||||
+ $(AM_CFLAGS) \
|
|
||||||
$(CHECK_CFLAGS)
|
|
||||||
refcount_tests_LDADD = \
|
|
||||||
$(SSSD_LIBS) \
|
|
||||||
@@ -1840,6 +1841,7 @@ fail_over_tests_SOURCES = \
|
|
||||||
$(SSSD_FAILOVER_OBJ) \
|
|
||||||
$(NULL)
|
|
||||||
fail_over_tests_CFLAGS = \
|
|
||||||
+ $(AM_CFLAGS) \
|
|
||||||
$(CHECK_CFLAGS)
|
|
||||||
fail_over_tests_LDADD = \
|
|
||||||
$(SSSD_LIBS) \
|
|
||||||
@@ -2044,6 +2046,7 @@ sbus_tests_SOURCES = \
|
|
||||||
src/tests/common_dbus.c \
|
|
||||||
src/tests/sbus_tests.c
|
|
||||||
sbus_tests_CFLAGS = \
|
|
||||||
+ $(AM_CFLAGS) \
|
|
||||||
$(CHECK_CFLAGS)
|
|
||||||
sbus_tests_LDADD = \
|
|
||||||
$(SSSD_INTERNAL_LTLIBS) \
|
|
||||||
@@ -2056,6 +2059,7 @@ sbus_codegen_tests_SOURCES = \
|
|
||||||
src/tests/sbus_codegen_tests_generated.c \
|
|
||||||
$(NULL)
|
|
||||||
sbus_codegen_tests_CFLAGS = \
|
|
||||||
+ $(AM_CFLAGS) \
|
|
||||||
$(CHECK_CFLAGS)
|
|
||||||
sbus_codegen_tests_LDADD = \
|
|
||||||
$(SSSD_INTERNAL_LTLIBS) \
|
|
||||||
@@ -2468,6 +2472,7 @@ ad_common_tests_SOURCES = \
|
|
||||||
src/providers/ldap/sdap_async_initgroups_ad.c \
|
|
||||||
$(NULL)
|
|
||||||
ad_common_tests_CFLAGS = \
|
|
||||||
+ $(AM_CFLAGS) \
|
|
||||||
$(NDR_NBT_CFLAGS) \
|
|
||||||
$(NDR_KRB5PAC_CFLAGS) \
|
|
||||||
$(NULL)
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,395 +0,0 @@
|
|||||||
From 0718b1bf4af69712d18f6ea3a427c1cab2e377da Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Mon, 8 Aug 2016 17:49:05 +0200
|
|
||||||
Subject: [PATCH 68/79] TESTS: Add integration tests for the sssd-secrets
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Implements a simple HTTP client and uses it to talk to the sssd-secrets
|
|
||||||
responder. Only the local provider is tested at the moment.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3054
|
|
||||||
|
|
||||||
Reviewed-by: Petr Čech <pcech@redhat.com>
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit db0982c52294ee5ea08ed242d27660783fde29cd)
|
|
||||||
---
|
|
||||||
contrib/ci/deps.sh | 2 +
|
|
||||||
src/tests/intg/Makefile.am | 5 ++
|
|
||||||
src/tests/intg/config.py.m4 | 3 +
|
|
||||||
src/tests/intg/secrets.py | 137 ++++++++++++++++++++++++++++++++++
|
|
||||||
src/tests/intg/test_secrets.py | 162 +++++++++++++++++++++++++++++++++++++++++
|
|
||||||
5 files changed, 309 insertions(+)
|
|
||||||
create mode 100644 src/tests/intg/secrets.py
|
|
||||||
create mode 100644 src/tests/intg/test_secrets.py
|
|
||||||
|
|
||||||
diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
|
|
||||||
index 1a94e3df2ee1d43dd34ef8cda1542aab1166bccd..9a7098c399df319753858a4a7fee23d4204c1f1c 100644
|
|
||||||
--- a/contrib/ci/deps.sh
|
|
||||||
+++ b/contrib/ci/deps.sh
|
|
||||||
@@ -45,6 +45,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
|
|
||||||
pyldb
|
|
||||||
rpm-build
|
|
||||||
uid_wrapper
|
|
||||||
+ python-requests
|
|
||||||
)
|
|
||||||
_DEPS_LIST_SPEC=`
|
|
||||||
sed -e 's/@PACKAGE_VERSION@/0/g' \
|
|
||||||
@@ -114,6 +115,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
|
|
||||||
python-pytest
|
|
||||||
python-ldap
|
|
||||||
python-ldb
|
|
||||||
+ python-requests
|
|
||||||
ldap-utils
|
|
||||||
slapd
|
|
||||||
systemtap-sdt-dev
|
|
||||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
|
||||||
index 75422a4417046116bec11a8a680fe2248e3afb69..1e08eadcbbdebcca6f0f3550cc084c1a1762c0c4 100644
|
|
||||||
--- a/src/tests/intg/Makefile.am
|
|
||||||
+++ b/src/tests/intg/Makefile.am
|
|
||||||
@@ -16,6 +16,8 @@ dist_noinst_DATA = \
|
|
||||||
test_memory_cache.py \
|
|
||||||
test_ts_cache.py \
|
|
||||||
test_netgroup.py \
|
|
||||||
+ secrets.py \
|
|
||||||
+ test_secrets.py \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
config.py: config.py.m4
|
|
||||||
@@ -25,6 +27,9 @@ config.py: config.py.m4
|
|
||||||
-D "pidpath=\`$(pidpath)'" \
|
|
||||||
-D "logpath=\`$(logpath)'" \
|
|
||||||
-D "mcpath=\`$(mcpath)'" \
|
|
||||||
+ -D "secdbpath=\`$(secdbpath)'" \
|
|
||||||
+ -D "libexecpath=\`$(libexecdir)'" \
|
|
||||||
+ -D "runstatedir=\`$(runstatedir)'" \
|
|
||||||
$< > $@
|
|
||||||
|
|
||||||
root:
|
|
||||||
diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
|
|
||||||
index 77aa47b7958783217132b724159d9d3d247e1079..65e17e55a25372754ff7e49ac75607bcc985912c 100644
|
|
||||||
--- a/src/tests/intg/config.py.m4
|
|
||||||
+++ b/src/tests/intg/config.py.m4
|
|
||||||
@@ -12,3 +12,6 @@ PID_PATH = "pidpath"
|
|
||||||
PIDFILE_PATH = PID_PATH + "/sssd.pid"
|
|
||||||
LOG_PATH = "logpath"
|
|
||||||
MCACHE_PATH = "mcpath"
|
|
||||||
+SECDB_PATH = "secdbpath"
|
|
||||||
+LIBEXEC_PATH = "libexecpath"
|
|
||||||
+RUNSTATEDIR = "runstatedir"
|
|
||||||
diff --git a/src/tests/intg/secrets.py b/src/tests/intg/secrets.py
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000000000000000000000000000000000..5d4c0e2f28db9601fa0e3a21dd90a7444c7c8978
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/tests/intg/secrets.py
|
|
||||||
@@ -0,0 +1,137 @@
|
|
||||||
+#
|
|
||||||
+# Secrets responder test client
|
|
||||||
+#
|
|
||||||
+# Copyright (c) 2016 Red Hat, Inc.
|
|
||||||
+#
|
|
||||||
+# This is free software; you can redistribute it and/or modify it
|
|
||||||
+# under the terms of the GNU General Public License as published by
|
|
||||||
+# the Free Software Foundation; version 2 only
|
|
||||||
+#
|
|
||||||
+# This program is distributed in the hope that it will be useful, but
|
|
||||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
||||||
+# General Public License for more details.
|
|
||||||
+#
|
|
||||||
+# You should have received a copy of the GNU General Public License
|
|
||||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
+#
|
|
||||||
+
|
|
||||||
+import socket
|
|
||||||
+import requests
|
|
||||||
+
|
|
||||||
+from requests.adapters import HTTPAdapter
|
|
||||||
+from requests.packages.urllib3.connection import HTTPConnection
|
|
||||||
+from requests.packages.urllib3.connectionpool import HTTPConnectionPool
|
|
||||||
+from requests.compat import quote, unquote, urlparse
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+class HTTPUnixConnection(HTTPConnection):
|
|
||||||
+ def __init__(self, host, timeout=60, **kwargs):
|
|
||||||
+ super(HTTPUnixConnection, self).__init__('localhost')
|
|
||||||
+ self.unix_socket = host
|
|
||||||
+ self.timeout = timeout
|
|
||||||
+
|
|
||||||
+ def connect(self):
|
|
||||||
+ sock = socket.socket(family=socket.AF_UNIX)
|
|
||||||
+ sock.settimeout(self.timeout)
|
|
||||||
+ sock.connect(self.unix_socket)
|
|
||||||
+ self.sock = sock
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+class HTTPUnixConnectionPool(HTTPConnectionPool):
|
|
||||||
+ scheme = 'http+unix'
|
|
||||||
+ ConnectionCls = HTTPUnixConnection
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+class HTTPUnixAdapter(HTTPAdapter):
|
|
||||||
+ def get_connection(self, url, proxies=None):
|
|
||||||
+ # proxies, silently ignored
|
|
||||||
+ path = unquote(urlparse(url).netloc)
|
|
||||||
+ return HTTPUnixConnectionPool(path)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+class SecretsHttpClient(object):
|
|
||||||
+ secrets_sock_path = '/var/run/secrets.socket'
|
|
||||||
+ secrets_container = 'secrets'
|
|
||||||
+
|
|
||||||
+ def __init__(self, content_type='application/json', sock_path=None):
|
|
||||||
+ if sock_path is None:
|
|
||||||
+ sock_path = self.secrets_sock_path
|
|
||||||
+
|
|
||||||
+ self.content_type = content_type
|
|
||||||
+ self.session = requests.Session()
|
|
||||||
+ self.session.mount('http+unix://', HTTPUnixAdapter())
|
|
||||||
+ self.headers = dict({'Content-Type': content_type})
|
|
||||||
+ self.url = 'http+unix://' + \
|
|
||||||
+ quote(sock_path, safe='') + \
|
|
||||||
+ '/' + \
|
|
||||||
+ self.secrets_container
|
|
||||||
+ self._last_response = None
|
|
||||||
+
|
|
||||||
+ def _join_url(self, resource):
|
|
||||||
+ path = self.url.rstrip('/') + '/'
|
|
||||||
+ if resource is not None:
|
|
||||||
+ path = path + resource.lstrip('/')
|
|
||||||
+ return path
|
|
||||||
+
|
|
||||||
+ def _add_headers(self, **kwargs):
|
|
||||||
+ headers = kwargs.get('headers', None)
|
|
||||||
+ if headers is None:
|
|
||||||
+ headers = dict()
|
|
||||||
+ headers.update(self.headers)
|
|
||||||
+ return headers
|
|
||||||
+
|
|
||||||
+ def _request(self, cmd, path, **kwargs):
|
|
||||||
+ self._last_response = None
|
|
||||||
+ url = self._join_url(path)
|
|
||||||
+ kwargs['headers'] = self._add_headers(**kwargs)
|
|
||||||
+ self._last_response = cmd(url, **kwargs)
|
|
||||||
+ return self._last_response
|
|
||||||
+
|
|
||||||
+ @property
|
|
||||||
+ def last_response(self):
|
|
||||||
+ return self._last_response
|
|
||||||
+
|
|
||||||
+ def get(self, path, **kwargs):
|
|
||||||
+ return self._request(self.session.get, path, **kwargs)
|
|
||||||
+
|
|
||||||
+ def list(self, **kwargs):
|
|
||||||
+ return self._request(self.session.get, None, **kwargs)
|
|
||||||
+
|
|
||||||
+ def put(self, name, **kwargs):
|
|
||||||
+ return self._request(self.session.put, name, **kwargs)
|
|
||||||
+
|
|
||||||
+ def delete(self, name, **kwargs):
|
|
||||||
+ return self._request(self.session.delete, name, **kwargs)
|
|
||||||
+
|
|
||||||
+ def post(self, name, **kwargs):
|
|
||||||
+ return self._request(self.session.post, name, **kwargs)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+class SecretsLocalClient(SecretsHttpClient):
|
|
||||||
+ def list_secrets(self):
|
|
||||||
+ res = self.list()
|
|
||||||
+ res.raise_for_status()
|
|
||||||
+ simple = res.json()
|
|
||||||
+ return simple
|
|
||||||
+
|
|
||||||
+ def get_secret(self, name):
|
|
||||||
+ res = self.get(name)
|
|
||||||
+ res.raise_for_status()
|
|
||||||
+ simple = res.json()
|
|
||||||
+ ktype = simple.get("type", None)
|
|
||||||
+ if ktype != "simple":
|
|
||||||
+ raise TypeError("Invalid key type: %s" % ktype)
|
|
||||||
+ return simple["value"]
|
|
||||||
+
|
|
||||||
+ def set_secret(self, name, value):
|
|
||||||
+ res = self.put(name, json={"type": "simple", "value": value})
|
|
||||||
+ res.raise_for_status()
|
|
||||||
+
|
|
||||||
+ def del_secret(self, name):
|
|
||||||
+ res = self.delete(name)
|
|
||||||
+ res.raise_for_status()
|
|
||||||
+
|
|
||||||
+ def create_container(self, name):
|
|
||||||
+ res = self.post(name)
|
|
||||||
+ res.raise_for_status()
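Review bot: `_join_url` appends `resource.lstrip('/')` to the URL without percent-encoding, so a secret or container name containing `?`, `#` or `%` reaches the responder as a different path than the one the test asked for; `quote` is already imported, so `path = path + quote(resource.lstrip('/'))` would cover it. `_add_headers` calls `headers.update(self.headers)` on the dict the caller passed in, which mutates the caller's object and lets the client default override a caller-supplied `Content-Type`; building it the other way round, `headers = dict(self.headers)` followed by `headers.update(kwargs.get('headers') or {})`, avoids both. The module name `secrets` also collides with the standard-library `secrets` module on newer Python versions, so a more specific file name would keep `from secrets import SecretsLocalClient` unambiguous.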
|
|
||||||
diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000000000000000000000000000000000..e394d1275e35e686a14a604943796e793fe29119
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/tests/intg/test_secrets.py
|
|
||||||
@@ -0,0 +1,162 @@
|
|
||||||
+#
|
|
||||||
+# Secrets responder integration tests
|
|
||||||
+#
|
|
||||||
+# Copyright (c) 2016 Red Hat, Inc.
|
|
||||||
+#
|
|
||||||
+# This is free software; you can redistribute it and/or modify it
|
|
||||||
+# under the terms of the GNU General Public License as published by
|
|
||||||
+# the Free Software Foundation; version 2 only
|
|
||||||
+#
|
|
||||||
+# This program is distributed in the hope that it will be useful, but
|
|
||||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
||||||
+# General Public License for more details.
|
|
||||||
+#
|
|
||||||
+# You should have received a copy of the GNU General Public License
|
|
||||||
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
+#
|
|
||||||
+
|
|
||||||
+import os
|
|
||||||
+import stat
|
|
||||||
+import config
|
|
||||||
+import signal
|
|
||||||
+import subprocess
|
|
||||||
+import time
|
|
||||||
+import socket
|
|
||||||
+import pytest
|
|
||||||
+from requests import HTTPError
|
|
||||||
+
|
|
||||||
+from util import unindent
|
|
||||||
+from secrets import SecretsLocalClient
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def create_conf_fixture(request, contents):
|
|
||||||
+ """Generate sssd.conf and add teardown for removing it"""
|
|
||||||
+ conf = open(config.CONF_PATH, "w")
|
|
||||||
+ conf.write(contents)
|
|
||||||
+ conf.close()
|
|
||||||
+ os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR)
|
|
||||||
+ request.addfinalizer(lambda: os.unlink(config.CONF_PATH))
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def create_sssd_secrets_fixture(request):
|
|
||||||
+ if subprocess.call(['sssd', "--genconf"]) != 0:
|
|
||||||
+ raise Exception("failed to regenerate confdb")
|
|
||||||
+
|
|
||||||
+ resp_path = os.path.join(config.LIBEXEC_PATH, "sssd", "sssd_secrets")
|
|
||||||
+
|
|
||||||
+ secpid = os.fork()
|
|
||||||
+ if secpid == 0:
|
|
||||||
+ if subprocess.call([resp_path, "--uid=0", "--gid=0"]) != 0:
|
|
||||||
+ raise Exception("sssd_secrets failed to start")
|
|
||||||
+
|
|
||||||
+ sock_path = os.path.join(config.RUNSTATEDIR, "secrets.socket")
|
|
||||||
+ sck = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
|
||||||
+ for _ in range(1, 10):
|
|
||||||
+ try:
|
|
||||||
+ sck.connect(sock_path)
|
|
||||||
+ except:
|
|
||||||
+ time.sleep(0.1)
|
|
||||||
+ else:
|
|
||||||
+ break
|
|
||||||
+ sck.close()
|
|
||||||
+
|
|
||||||
+ def sec_teardown():
|
|
||||||
+ if secpid == 0:
|
|
||||||
+ return
|
|
||||||
+
|
|
||||||
+ os.kill(secpid, signal.SIGTERM)
|
|
||||||
+ for secdb_file in os.listdir(config.SECDB_PATH):
|
|
||||||
+ os.unlink(config.SECDB_PATH + "/" + secdb_file)
|
|
||||||
+ request.addfinalizer(sec_teardown)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.fixture
|
|
||||||
+def setup_for_secrets(request):
|
|
||||||
+ """
|
|
||||||
+ Just set up the local provider for tests and enable the secrets
|
|
||||||
+ responder
|
|
||||||
+ """
|
|
||||||
+ conf = unindent("""\
|
|
||||||
+ [sssd]
|
|
||||||
+ domains = local
|
|
||||||
+ services = nss
|
|
||||||
+
|
|
||||||
+ [domain/local]
|
|
||||||
+ id_provider = local
|
|
||||||
+ """).format(**locals())
|
|
||||||
+
|
|
||||||
+ create_conf_fixture(request, conf)
|
|
||||||
+ create_sssd_secrets_fixture(request)
|
|
||||||
+ return None
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+@pytest.fixture
|
|
||||||
+def secrets_cli(request):
|
|
||||||
+ sock_path = os.path.join(config.RUNSTATEDIR, "secrets.socket")
|
|
||||||
+ cli = SecretsLocalClient(sock_path=sock_path)
|
|
||||||
+ return cli
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_crd_ops(setup_for_secrets, secrets_cli):
|
|
||||||
+ """
|
|
||||||
+ Test that the basic Create, Retrieve, Delete operations work
|
|
||||||
+ """
|
|
||||||
+ cli = secrets_cli
|
|
||||||
+
|
|
||||||
+ # Listing a totally empty database yields a 404 error, no secrets are there
|
|
||||||
+ with pytest.raises(HTTPError) as err404:
|
|
||||||
+ secrets = cli.list_secrets()
|
|
||||||
+ assert str(err404.value).startswith("404")
|
|
||||||
+
|
|
||||||
+ # Set some value, should succeed
|
|
||||||
+ cli.set_secret("foo", "bar")
|
|
||||||
+
|
|
||||||
+ fooval = cli.get_secret("foo")
|
|
||||||
+ assert fooval == "bar"
|
|
||||||
+
|
|
||||||
+ # Listing secrets should work now as well
|
|
||||||
+ secrets = cli.list_secrets()
|
|
||||||
+ assert len(secrets) == 1
|
|
||||||
+ assert "foo" in secrets
|
|
||||||
+
|
|
||||||
+ # Overwriting a secret is an error
|
|
||||||
+ with pytest.raises(HTTPError) as err409:
|
|
||||||
+ cli.set_secret("foo", "baz")
|
|
||||||
+ assert str(err409.value).startswith("409")
|
|
||||||
+
|
|
||||||
+ # Delete a secret
|
|
||||||
+ cli.del_secret("foo")
|
|
||||||
+ with pytest.raises(HTTPError) as err404:
|
|
||||||
+ fooval = cli.get_secret("foo")
|
|
||||||
+ assert str(err404.value).startswith("404")
|
|
||||||
+
|
|
||||||
+ # Delete a non-existent secret must yield a 404
|
|
||||||
+ with pytest.raises(HTTPError) as err404:
|
|
||||||
+ cli.del_secret("foo")
|
|
||||||
+ assert str(err404.value).startswith("404")
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_containers(setup_for_secrets, secrets_cli):
|
|
||||||
+ """
|
|
||||||
+ Test that storing secrets inside containers works
|
|
||||||
+ """
|
|
||||||
+ cli = secrets_cli
|
|
||||||
+
|
|
||||||
+ # No trailing slash, no game..
|
|
||||||
+ with pytest.raises(HTTPError) as err400:
|
|
||||||
+ cli.create_container("mycontainer")
|
|
||||||
+ assert str(err400.value).startswith("400")
|
|
||||||
+
|
|
||||||
+ cli.create_container("mycontainer/")
|
|
||||||
+ cli.set_secret("mycontainer/foo", "containedfooval")
|
|
||||||
+ assert cli.get_secret("mycontainer/foo") == "containedfooval"
|
|
||||||
+
|
|
||||||
+ # Removing a non-empty container should not succeed
|
|
||||||
+ with pytest.raises(HTTPError) as err409:
|
|
||||||
+ cli.del_secret("mycontainer/")
|
|
||||||
+ assert str(err409.value).startswith("409")
|
|
||||||
+
|
|
||||||
+ # Try removing the secret first, then the container
|
|
||||||
+ cli.del_secret("mycontainer/foo")
|
|
||||||
+ cli.del_secret("mycontainer/")
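Review bot: In `create_sssd_secrets_fixture` the forked child runs the responder through `subprocess.call`, so `secpid` is the PID of a Python wrapper rather than of `sssd_secrets`; the `os.kill(secpid, signal.SIGTERM)` in `sec_teardown` then stops the wrapper and, as far as this hunk shows, nothing signals or reaps the responder, which was started with `--uid=0 --gid=0`. If the responder ever exits with status 0, the child also falls through into the socket wait and returns into pytest as a second test process. Replacing the child branch with `os.execv(resp_path, [resp_path, "--uid=0", "--gid=0"])` and adding `os.waitpid(secpid, 0)` after the kill keeps the PID and the process in step. The connect loop is a separate weakness: the bare `except:` hides every error and the loop ends silently after nine attempts, so a responder that never came up surfaces later as an unrelated HTTP failure; catching `socket.error` and raising when no attempt succeeded would make that visible.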
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,58 +0,0 @@
|
|||||||
From c0f663b1a497182cfd2eaf92dda0459342ba6685 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Thu, 4 Aug 2016 17:58:32 +0200
|
|
||||||
Subject: [PATCH 69/79] AUTOFS: Fix offline resolution of autofs maps
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
If talking to the Data Provider failed, we never re-tried looking into
|
|
||||||
the cache. We should consult the cache on DP failures and return cached
|
|
||||||
results, if possible.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3080
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
(cherry picked from commit b9e155da725e711ab306ca8a96e3ba6fbda41a3a)
|
|
||||||
---
|
|
||||||
src/responder/autofs/autofssrv_cmd.c | 16 ++++++++++++----
|
|
||||||
1 file changed, 12 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
|
|
||||||
index 9666ab2d195a581f18eaa7ff9bbc4c8167a71b15..f5aa25a483c3b3352f40e8cc66dfd3a24a60af0d 100644
|
|
||||||
--- a/src/responder/autofs/autofssrv_cmd.c
|
|
||||||
+++ b/src/responder/autofs/autofssrv_cmd.c
|
|
||||||
@@ -871,17 +871,25 @@ static void lookup_automntmap_cache_updated(uint16_t err_maj, uint32_t err_min,
|
|
||||||
if (err_maj) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
"Unable to get information from Data Provider\n"
|
|
||||||
- "Error: %u, %u, %s\n"
|
|
||||||
- "Will try to return what we have in cache\n",
|
|
||||||
+ "Error: %u, %u, %s\n"
|
|
||||||
+ "Will try to return what we have in cache\n",
|
|
||||||
(unsigned int)err_maj, (unsigned int)err_min, err_msg);
|
|
||||||
- /* Loop to the next domain if possible */
|
|
||||||
+
|
|
||||||
+ /* Try to fall back to cache */
|
|
||||||
+ ret = lookup_automntmap_step(lookup_ctx);
|
|
||||||
+ if (ret == EOK) {
|
|
||||||
+ /* We have cached results to return */
|
|
||||||
+ autofs_setent_notify(lookup_ctx->map, ret);
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Otherwise try the next domain */
|
|
||||||
if (dctx->cmd_ctx->check_next
|
|
||||||
&& (dctx->domain = get_next_domain(dctx->domain, 0))) {
|
|
||||||
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* ok the backend returned, search to see if we have updated results */
|
|
||||||
ret = lookup_automntmap_step(lookup_ctx);
|
|
||||||
if (ret != EOK) {
|
|
||||||
if (ret == EAGAIN) {
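Review bot: The cache fallback added under `if (err_maj)` acts only on `ret == EOK`; every other return from `lookup_automntmap_step()` is dropped without a log line, and the unchanged call to the same function just below the block then runs again. When `check_next` is unset or there is no further domain, that second call repeats the lookup that has just failed, and if the first call returned `EAGAIN` (handled only after the second call, in code that continues past this hunk) it is not visible here whether a repeat is harmless. I would log the discarded value, e.g. `DEBUG(SSSDBG_MINOR_FAILURE, "Cache fallback failed [%d]: %s\n", ret, sss_strerror(ret));`, and extend the comment to `/* Try to fall back to cache; anything but EOK falls through to the next-domain logic below */`. The netgroup hunk in PATCH 70/79 (`lookup_netgr_dp_callback`) has the same shape with `lookup_netgr_step()`.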
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From 068aadc5169380c37459c7cb50d397e93d5f121d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Thu, 4 Aug 2016 17:58:47 +0200
|
|
||||||
Subject: [PATCH 70/79] NSS: Fix offline resolution of netgroups
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
If talking to the Data Provider failed, we never re-tried looking into
|
|
||||||
the cache. We should consult the cache on DP failures and return cached
|
|
||||||
results, if possible.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3123
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
(cherry picked from commit a3108c5cd1ebb05c133c8e8990278ac4f4b8e25c)
|
|
||||||
---
|
|
||||||
src/responder/nss/nsssrv_netgroup.c | 9 +++++++++
|
|
||||||
1 file changed, 9 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c
|
|
||||||
index e42976b245952291cd1eb36480138514e3d4ec09..49ef0f5c9b264a6252880a2944e8a1bd38ae0527 100644
|
|
||||||
--- a/src/responder/nss/nsssrv_netgroup.c
|
|
||||||
+++ b/src/responder/nss/nsssrv_netgroup.c
|
|
||||||
@@ -674,6 +674,15 @@ static void lookup_netgr_dp_callback(uint16_t err_maj, uint32_t err_min,
|
|
||||||
"Error: %u, %u, %s\n"
|
|
||||||
"Will try to return what we have in cache\n",
|
|
||||||
(unsigned int)err_maj, (unsigned int)err_min, err_msg);
|
|
||||||
+
|
|
||||||
+ /* Try to fall back to cache */
|
|
||||||
+ ret = lookup_netgr_step(step_ctx);
|
|
||||||
+ if (ret == EOK) {
|
|
||||||
+ /* We have cached results to return */
|
|
||||||
+ nss_setent_notify_done(dctx->netgr);
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Loop to the next domain if possible */
|
|
||||||
if (cmdctx->check_next
|
|
||||||
&& (dctx->domain = get_next_domain(dctx->domain, 0))) {
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,78 +0,0 @@
|
|||||||
From 39ab6bfc8f822c77144d0056bb87b82ca3e8af3e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Fri, 9 Sep 2016 12:23:04 +0200
|
|
||||||
Subject: [PATCH 71/79] TESTS: Test offline netgroups resolution
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
||||||
(cherry picked from commit c0ee12832555b42c17e48cdf731731454a97972e)
|
|
||||||
---
|
|
||||||
src/tests/intg/test_netgroup.py | 29 +++++++++++++++++++++++++++--
|
|
||||||
1 file changed, 27 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
|
|
||||||
index b99476126844e35d5dbc1793077720b4020c2fb7..f1d801f48a954baf4d244ec533348a1de2f2d2c8 100644
|
|
||||||
--- a/src/tests/intg/test_netgroup.py
|
|
||||||
+++ b/src/tests/intg/test_netgroup.py
|
|
||||||
@@ -104,6 +104,7 @@ def format_basic_conf(ldap_conn, schema):
|
|
||||||
[sssd]
|
|
||||||
domains = LDAP
|
|
||||||
services = nss
|
|
||||||
+ disable_netlink = true
|
|
||||||
|
|
||||||
[domain/LDAP]
|
|
||||||
{schema_conf}
|
|
||||||
@@ -148,11 +149,16 @@ def create_sssd_process():
|
|
||||||
raise Exception("sssd start failed")
|
|
||||||
|
|
||||||
|
|
||||||
+def get_sssd_pid():
|
|
||||||
+ pid_file = open(config.PIDFILE_PATH, "r")
|
|
||||||
+ pid = int(pid_file.read())
|
|
||||||
+ return pid
|
|
||||||
+
|
|
||||||
+
|
|
||||||
def cleanup_sssd_process():
|
|
||||||
"""Stop the SSSD process and remove its state"""
|
|
||||||
try:
|
|
||||||
- pid_file = open(config.PIDFILE_PATH, "r")
|
|
||||||
- pid = int(pid_file.read())
|
|
||||||
+ pid = get_sssd_pid()
|
|
||||||
os.kill(pid, signal.SIGTERM)
|
|
||||||
while True:
|
|
||||||
try:
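Review bot: `get_sssd_pid()` never closes the PID file it opens, and it has no docstring although `cleanup_sssd_process()` and the new `simulate_offline()` both depend on it. A `with` block closes the handle on the `int()` failure path too: `with open(config.PIDFILE_PATH, "r") as pid_file:` followed by `return int(pid_file.read())`. A one-line docstring such as `"""Return the PID recorded in config.PIDFILE_PATH."""` would state the contract. A missing or empty file raises here, which `cleanup_sssd_process()` appears to absorb in a `try` whose handler lies outside this hunk, while `simulate_offline()` lets it propagate.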
|
|
||||||
@@ -173,6 +179,11 @@ def create_sssd_cleanup(request):
|
|
||||||
request.addfinalizer(cleanup_sssd_process)
|
|
||||||
|
|
||||||
|
|
||||||
+def simulate_offline():
|
|
||||||
+ pid = get_sssd_pid()
|
|
||||||
+ os.kill(pid, signal.SIGUSR1)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
def create_sssd_fixture(request):
|
|
||||||
"""Start SSSD and add teardown for stopping it and removing its state"""
|
|
||||||
create_sssd_process()
|
|
||||||
@@ -457,3 +468,17 @@ def test_removing_nested_netgroups(removing_nested_netgroups, ldap_conn):
|
|
||||||
res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
|
|
||||||
assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
assert netgroups == []
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_offline_netgroups(add_tripled_netgroup):
|
|
||||||
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgrps == [("host", "user", "domain")]
|
|
||||||
+
|
|
||||||
+ subprocess.check_call(["sss_cache", "-N"])
|
|
||||||
+
|
|
||||||
+ simulate_offline()
|
|
||||||
+
|
|
||||||
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup")
|
|
||||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
|
||||||
+ assert netgrps == [("host", "user", "domain")]
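Review bot: `test_offline_netgroups` queries immediately after `simulate_offline()`, but `os.kill(pid, signal.SIGUSR1)` only queues the signal for the PID read from the pidfile; nothing in the test waits until the back end has actually switched to offline mode. If the second `get_sssd_netgroups("tripled_netgroup")` call wins that race, it is answered online and the test passes without exercising the cache fallback it was written for. I'd either wait for an observable offline state before the second lookup or, failing that, document the assumption with a comment like `# SIGUSR1 is handled asynchronously; this lookup assumes the provider is already offline`. `simulate_offline()` in the previous hunk also lacks a docstring saying that SIGUSR1 is what puts SSSD into simulated offline operation.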
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,289 +0,0 @@
|
|||||||
From e166ad6facb9812249376683ae936c5f3f5682af Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Sat, 17 Sep 2016 21:05:36 +0200
|
|
||||||
Subject: [PATCH 72/79] Remove double semicolon at the end of line
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
(cherry picked from commit b9941359b3181c42f415530d5ccad0f4664d85fa)
|
|
||||||
---
|
|
||||||
src/db/sysdb_ops.c | 2 +-
|
|
||||||
src/lib/idmap/sss_idmap.c | 2 +-
|
|
||||||
src/lib/sifp/sss_sifp_parser.c | 2 +-
|
|
||||||
src/providers/ad/ad_gpo.c | 2 +-
|
|
||||||
src/providers/ipa/ipa_subdomains_id.c | 2 +-
|
|
||||||
src/providers/ipa/ipa_sudo_conversion.c | 2 +-
|
|
||||||
src/providers/krb5/krb5_child.c | 2 +-
|
|
||||||
src/providers/ldap/sdap_async.c | 6 +++---
|
|
||||||
src/providers/ldap/sdap_async_initgroups.c | 2 +-
|
|
||||||
src/providers/ldap/sdap_async_netgroups.c | 2 +-
|
|
||||||
src/responder/pam/pamsrv_cmd.c | 2 +-
|
|
||||||
src/sss_client/sudo/sss_sudo.c | 2 +-
|
|
||||||
src/tests/krb5_child-test.c | 10 +++++-----
|
|
||||||
src/tests/sbus_codegen_tests.c | 4 ++--
|
|
||||||
src/tools/sss_groupshow.c | 2 +-
|
|
||||||
src/util/string_utils.c | 2 +-
|
|
||||||
src/util/usertools.c | 2 +-
|
|
||||||
17 files changed, 24 insertions(+), 24 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
|
||||||
index 5d9c9fb24a149f8215b3027dcb4b0e1a183e4b43..29f4b1d1597bd98541a152dd6462caa864fbf2fd 100644
|
|
||||||
--- a/src/db/sysdb_ops.c
|
|
||||||
+++ b/src/db/sysdb_ops.c
|
|
||||||
@@ -4815,7 +4815,7 @@ errno_t sysdb_handle_original_uuid(const char *orig_name,
|
|
||||||
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
|
|
||||||
- return ret;;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
return EOK;
|
|
||||||
diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c
|
|
||||||
index 58b0ec62118c9e01b61d987bf77179e774313b11..ffb218c844bff18e8a000398e9d646556ca295cf 100644
|
|
||||||
--- a/src/lib/idmap/sss_idmap.c
|
|
||||||
+++ b/src/lib/idmap/sss_idmap.c
|
|
||||||
@@ -916,7 +916,7 @@ get_range(struct sss_idmap_ctx *ctx,
|
|
||||||
long long rid,
|
|
||||||
struct idmap_range_params **_range)
|
|
||||||
{
|
|
||||||
- char *secondary_name = NULL;;
|
|
||||||
+ char *secondary_name = NULL;
|
|
||||||
enum idmap_error_code err;
|
|
||||||
int first_rid;
|
|
||||||
struct idmap_range_params *range;
|
|
||||||
diff --git a/src/lib/sifp/sss_sifp_parser.c b/src/lib/sifp/sss_sifp_parser.c
|
|
||||||
index eaa57d8d5e67ec07d0fe89e003ee011dcd40a75f..65babb5bc5430a541ade4cec0350e0846962fd67 100644
|
|
||||||
--- a/src/lib/sifp/sss_sifp_parser.c
|
|
||||||
+++ b/src/lib/sifp/sss_sifp_parser.c
|
|
||||||
@@ -469,7 +469,7 @@ sss_sifp_parse_variant(sss_sifp_ctx *ctx,
|
|
||||||
/* case DBUS_TYPE_DICT_ENTRY may only be contained within an array
|
|
||||||
* in variant */
|
|
||||||
case DBUS_TYPE_ARRAY:
|
|
||||||
- ret = sss_sifp_parse_array(ctx, &variant_iter, attr);;
|
|
||||||
+ ret = sss_sifp_parse_array(ctx, &variant_iter, attr);
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
ret = SSS_SIFP_NOT_SUPPORTED;
|
|
||||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
|
||||||
index 63c68ce35922ca0407ae6ea32c0a78100e14504b..2b06a0ec8c24a0da44b0da00718c84c228242d24 100644
|
|
||||||
--- a/src/providers/ad/ad_gpo.c
|
|
||||||
+++ b/src/providers/ad/ad_gpo.c
|
|
||||||
@@ -2491,7 +2491,7 @@ ad_gpo_populate_som_list(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* first, populate the OU and Domain SOMs */
|
|
||||||
- tmp_dn = target_dn;;
|
|
||||||
+ tmp_dn = target_dn;
|
|
||||||
while ((ad_gpo_parent_dn(tmp_ctx, ldb_ctx, tmp_dn, &parent_dn)) == EOK) {
|
|
||||||
|
|
||||||
if ((strncasecmp(parent_dn, "OU=", strlen("OU=")) == 0) ||
|
|
||||||
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
|
|
||||||
index 5369ec4c624544f7f3aec88ddaa30eac91c51735..97c96e3818f37d0cf3e282f68d3a013122a2a55b 100644
|
|
||||||
--- a/src/providers/ipa/ipa_subdomains_id.c
|
|
||||||
+++ b/src/providers/ipa/ipa_subdomains_id.c
|
|
||||||
@@ -669,7 +669,7 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
|
|
||||||
struct ipa_get_ad_acct_state *state;
|
|
||||||
struct sdap_domain *sdom;
|
|
||||||
struct sdap_id_conn_ctx **clist;
|
|
||||||
- struct sdap_id_ctx *sdap_id_ctx;;
|
|
||||||
+ struct sdap_id_ctx *sdap_id_ctx;
|
|
||||||
struct ad_id_ctx *ad_id_ctx;
|
|
||||||
|
|
||||||
req = tevent_req_create(mem_ctx, &state, struct ipa_get_ad_acct_state);
|
|
||||||
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
|
|
||||||
index 21186d2455fb28c2743131ef98920eb00753f0d6..9dbc8604df544ce0865a2e99facf92cfd697123b 100644
|
|
||||||
--- a/src/providers/ipa/ipa_sudo_conversion.c
|
|
||||||
+++ b/src/providers/ipa/ipa_sudo_conversion.c
|
|
||||||
@@ -634,7 +634,7 @@ static errno_t get_sudo_cmd_rdn(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
*_rdn_val = rdn_val;
|
|
||||||
- *_rdn_attr = map[IPA_AT_SUDOCMD_CMD].name;;
|
|
||||||
+ *_rdn_attr = map[IPA_AT_SUDOCMD_CMD].name;
|
|
||||||
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
|
||||||
index 82522995e310f20c58922f814e14e81a84b9bcb9..df94bc4c481b090d50f9b0119ccde5a373d9e20b 100644
|
|
||||||
--- a/src/providers/krb5/krb5_child.c
|
|
||||||
+++ b/src/providers/krb5/krb5_child.c
|
|
||||||
@@ -2612,7 +2612,7 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
|
|
||||||
ret = check_use_fast(&kr->fast_val);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "check_use_fast failed.\n");
|
|
||||||
- return ret;;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* For ccache types FILE: and DIR: we might need to create some directory
|
|
||||||
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
|
|
||||||
index f374112935a7befa1d059df97f3119c14d8f5da5..246e12a1f386da1841963d5c1d1c4d2870cc1b6b 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async.c
|
|
||||||
+++ b/src/providers/ldap/sdap_async.c
|
|
||||||
@@ -2097,7 +2097,7 @@ static void sdap_x_deref_search_done(struct tevent_req *subreq)
|
|
||||||
|
|
||||||
static int sdap_x_deref_search_ctrls_destructor(void *ptr)
|
|
||||||
{
|
|
||||||
- LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);;
|
|
||||||
+ LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);
|
|
||||||
|
|
||||||
if (ctrls && ctrls[0]) {
|
|
||||||
ldap_control_free(ctrls[0]);
|
|
||||||
@@ -2289,7 +2289,7 @@ static void sdap_sd_search_done(struct tevent_req *subreq)
|
|
||||||
|
|
||||||
static int sdap_sd_search_ctrls_destructor(void *ptr)
|
|
||||||
{
|
|
||||||
- LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);;
|
|
||||||
+ LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);
|
|
||||||
if (ctrls && ctrls[0]) {
|
|
||||||
ldap_control_free(ctrls[0]);
|
|
||||||
}
|
|
||||||
@@ -2548,7 +2548,7 @@ static void sdap_asq_search_done(struct tevent_req *subreq)
|
|
||||||
|
|
||||||
static int sdap_asq_search_ctrls_destructor(void *ptr)
|
|
||||||
{
|
|
||||||
- LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);;
|
|
||||||
+ LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);
|
|
||||||
|
|
||||||
if (ctrls && ctrls[0]) {
|
|
||||||
ldap_control_free(ctrls[0]);
|
|
||||||
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
|
|
||||||
index f9593f0dfaa2dc6e33fd6c9d1f0c9b78cad3a1d9..df39de3cc5daf9ce23e1d9abe8b72f06ae45e9cd 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async_initgroups.c
|
|
||||||
+++ b/src/providers/ldap/sdap_async_initgroups.c
|
|
||||||
@@ -816,7 +816,7 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
state->groups = talloc_zero_array(state, struct sysdb_attrs *,
|
|
||||||
- state->memberof->num_values + 1);;
|
|
||||||
+ state->memberof->num_values + 1);
|
|
||||||
if (!state->groups) {
|
|
||||||
ret = ENOMEM;
|
|
||||||
goto immediate;
|
|
||||||
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
|
|
||||||
index e1d69ad769f542cccffca50547932a5bfb352230..f4a1d165f77a15f150e99844d69716c6c8785bee 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async_netgroups.c
|
|
||||||
+++ b/src/providers/ldap/sdap_async_netgroups.c
|
|
||||||
@@ -313,7 +313,7 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
|
|
||||||
dn_filter = talloc_strdup(state, "(|");
|
|
||||||
if (dn_filter == NULL) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
|
|
||||||
- ret = ENOMEM;;
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
index be54fbf9b627d0ec1c3b0416401885245794cf9f..e52fc764245a2dd604bd149b956f8204fa865342 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_cmd.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
@@ -1286,7 +1286,7 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
|
|
||||||
if (pd->logon_name == NULL) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
"No certificate found and no logon name given, " \
|
|
||||||
- "authentication not possible.\n");;
|
|
||||||
+ "authentication not possible.\n");
|
|
||||||
ret = ENOENT;
|
|
||||||
} else {
|
|
||||||
if (pd->cmd == SSS_PAM_AUTHENTICATE) {
|
|
||||||
diff --git a/src/sss_client/sudo/sss_sudo.c b/src/sss_client/sudo/sss_sudo.c
|
|
||||||
index 202029934ccb7c979b9b740fc7e466888825e042..3651740019349c590877a18f9e42c23b9ad41d0d 100644
|
|
||||||
--- a/src/sss_client/sudo/sss_sudo.c
|
|
||||||
+++ b/src/sss_client/sudo/sss_sudo.c
|
|
||||||
@@ -226,7 +226,7 @@ void sss_sudo_free_rules(unsigned int num_rules, struct sss_sudo_rule *rules)
|
|
||||||
|
|
||||||
void sss_sudo_free_attrs(unsigned int num_attrs, struct sss_sudo_attr *attrs)
|
|
||||||
{
|
|
||||||
- struct sss_sudo_attr *attr = NULL;;
|
|
||||||
+ struct sss_sudo_attr *attr = NULL;
|
|
||||||
int i, j;
|
|
||||||
|
|
||||||
if (attrs == NULL) {
|
|
||||||
diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c
|
|
||||||
index 50acc88ed0c312b2662f01fe41247781f235a54d..d570d52229a23a557d1f32b90cbb815239b57e74 100644
|
|
||||||
--- a/src/tests/krb5_child-test.c
|
|
||||||
+++ b/src/tests/krb5_child-test.c
|
|
||||||
@@ -390,11 +390,11 @@ main(int argc, const char *argv[])
|
|
||||||
|
|
||||||
int pc_debug = 0;
|
|
||||||
int pc_timeout = 0;
|
|
||||||
- const char *pc_user = NULL;;
|
|
||||||
- const char *pc_passwd = NULL;;
|
|
||||||
- const char *pc_realm = NULL;;
|
|
||||||
- const char *pc_ccname = NULL;;
|
|
||||||
- const char *pc_ccname_tp = NULL;;
|
|
||||||
+ const char *pc_user = NULL;
|
|
||||||
+ const char *pc_passwd = NULL;
|
|
||||||
+ const char *pc_realm = NULL;
|
|
||||||
+ const char *pc_ccname = NULL;
|
|
||||||
+ const char *pc_ccname_tp = NULL;
|
|
||||||
char *password = NULL;
|
|
||||||
bool rm_ccache = true;
|
|
||||||
|
|
||||||
diff --git a/src/tests/sbus_codegen_tests.c b/src/tests/sbus_codegen_tests.c
|
|
||||||
index 262bfd49e34be72196e1cf1fe451d96b43b067ae..05eb78d7d8f0917a62a47bf684d7f7135fe7b005 100644
|
|
||||||
--- a/src/tests/sbus_codegen_tests.c
|
|
||||||
+++ b/src/tests/sbus_codegen_tests.c
|
|
||||||
@@ -967,7 +967,7 @@ static void parse_get_array_reply(DBusMessage *reply, const int type,
|
|
||||||
ck_assert_int_eq(dbus_message_iter_get_element_type(&variter), type);
|
|
||||||
dbus_message_iter_recurse(&variter, &arriter);
|
|
||||||
if (type == DBUS_TYPE_STRING || type == DBUS_TYPE_OBJECT_PATH) {
|
|
||||||
- int n = 0, i = 0;;
|
|
||||||
+ int n = 0, i = 0;
|
|
||||||
const char **strings;
|
|
||||||
const char *s;
|
|
||||||
|
|
||||||
@@ -1326,7 +1326,7 @@ void check_arr_prop(DBusMessageIter *variter, struct prop_test *p)
|
|
||||||
|
|
||||||
dbus_message_iter_recurse(variter, &arriter);
|
|
||||||
if (type == DBUS_TYPE_STRING || type == DBUS_TYPE_OBJECT_PATH) {
|
|
||||||
- int n = 0, i = 0;;
|
|
||||||
+ int n = 0, i = 0;
|
|
||||||
const char *s;
|
|
||||||
|
|
||||||
do {
|
|
||||||
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
|
|
||||||
index 00f6f12939b6bef2dd10085f8cf99304e87f1211..258d458b0d1a4cb56c8fb61060cb43a1c88c1ed0 100644
|
|
||||||
--- a/src/tools/sss_groupshow.c
|
|
||||||
+++ b/src/tools/sss_groupshow.c
|
|
||||||
@@ -58,7 +58,7 @@ const char *rdn_as_string(TALLOC_CTX *mem_ctx,
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- return ldb_dn_escape_value(mem_ctx, *val);;
|
|
||||||
+ return ldb_dn_escape_value(mem_ctx, *val);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int parse_memberofs(struct ldb_context *ldb,
|
|
||||||
diff --git a/src/util/string_utils.c b/src/util/string_utils.c
|
|
||||||
index 5e43bbef34e8b514e29ffc5e576f8b57dbab4890..872b7e29e55e8628085affd07f3363019aae5ee9 100644
|
|
||||||
--- a/src/util/string_utils.c
|
|
||||||
+++ b/src/util/string_utils.c
|
|
||||||
@@ -100,7 +100,7 @@ errno_t guid_blob_to_string_buf(const uint8_t *blob, char *str_buf,
|
|
||||||
blob[5], blob[4],
|
|
||||||
blob[7], blob[6],
|
|
||||||
blob[8], blob[9],
|
|
||||||
- blob[10], blob[11],blob[12], blob[13],blob[14], blob[15]);;
|
|
||||||
+ blob[10], blob[11],blob[12], blob[13],blob[14], blob[15]);
|
|
||||||
if (ret != (GUID_STR_BUF_SIZE -1)) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE, "snprintf failed.\n");
|
|
||||||
return EIO;
|
|
||||||
diff --git a/src/util/usertools.c b/src/util/usertools.c
|
|
||||||
index e0d520ad1057b4ddcfd7830674afa9dfa3b37ebd..12fc85b8f20858975b01c49468834be158b43f1c 100644
|
|
||||||
--- a/src/util/usertools.c
|
|
||||||
+++ b/src/util/usertools.c
|
|
||||||
@@ -210,7 +210,7 @@ int sss_names_init(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,
|
|
||||||
{
|
|
||||||
TALLOC_CTX *tmpctx = NULL;
|
|
||||||
char *conf_path = NULL;
|
|
||||||
- char *re_pattern = NULL;;
|
|
||||||
+ char *re_pattern = NULL;
|
|
||||||
char *fq_fmt = NULL;
|
|
||||||
int ret;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,98 +0,0 @@
|
|||||||
From 7017c022affd3ad1d0c29cb89aa825231c93fa29 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Sat, 17 Sep 2016 21:12:36 +0200
|
|
||||||
Subject: [PATCH 73/79] TESTS: Add simple test for double semicolon
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
(cherry picked from commit 6ad1f2da4055e2cfe9bf8c79b79e408dba171691)
|
|
||||||
---
|
|
||||||
Makefile.am | 2 ++
|
|
||||||
contrib/ci/run | 3 ++-
|
|
||||||
src/tests/double_semicolon_test | 38 ++++++++++++++++++++++++++++++++++++++
|
|
||||||
3 files changed, 42 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100755 src/tests/double_semicolon_test
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index f792ed6a6b531d9e6e2c886c2fbe64e1e2345b73..17c5f26ce9db1e183b30178f1a8714deca1dab03 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -321,6 +321,7 @@ TESTS = \
|
|
||||||
$(non_interactive_cmocka_based_tests) \
|
|
||||||
$(non_interactive_check_based_tests) \
|
|
||||||
src/tests/whitespace_test \
|
|
||||||
+ src/tests/double_semicolon_test \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
sssdlib_LTLIBRARIES = \
|
|
||||||
@@ -410,6 +411,7 @@ dist_noinst_SCRIPTS = \
|
|
||||||
src/tests/pysss_murmur-test.py3.sh \
|
|
||||||
src/tests/python-test.py \
|
|
||||||
src/tests/whitespace_test \
|
|
||||||
+ src/tests/double_semicolon_test \
|
|
||||||
src/tests/krb5_proxy_check_test_data.conf \
|
|
||||||
$(NULL)
|
|
||||||
|
|
||||||
diff --git a/contrib/ci/run b/contrib/ci/run
|
|
||||||
index 1b230f584b7c42d66bfc8c99c118420478d4128b..f96476ff8d4e118375777abf7f1e3475c1ed07bb 100755
|
|
||||||
--- a/contrib/ci/run
|
|
||||||
+++ b/contrib/ci/run
|
|
||||||
@@ -187,7 +187,8 @@ function build_debug()
|
|
||||||
{
|
|
||||||
# Extended glob pattern matching tests to run under Valgrind.
|
|
||||||
# NOTE: The particular pattern below is inverted
|
|
||||||
- declare -r valgrind_test_pattern="!(*.py|*/dlopen-tests|*/whitespace_test)"
|
|
||||||
+ declare -r valgrind_test_pattern="\
|
|
||||||
+ !(*.py|*/dlopen-tests|*/whitespace_test|*/double_semicolon_test)"
|
|
||||||
export CFLAGS="$DEBUG_CFLAGS"
|
|
||||||
declare test_dir
|
|
||||||
declare test_dir_distcheck
|
|
||||||
diff --git a/src/tests/double_semicolon_test b/src/tests/double_semicolon_test
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000000000000000000000000000000000000..bbc05fa22ab557919daacbf5a222bb6f1d9678b4
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/tests/double_semicolon_test
|
|
||||||
@@ -0,0 +1,38 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+set -e -u -o pipefail
|
|
||||||
+
|
|
||||||
+# An AWK regex matching tracked file paths to be included for the search.
|
|
||||||
+# Example: '.*\.po|README'
|
|
||||||
+PATH_INCLUDE_REGEX='.*\.c|.*\.h'
|
|
||||||
+
|
|
||||||
+export GIT_DIR="$ABS_TOP_SRCDIR/.git"
|
|
||||||
+export GIT_WORK_TREE="$ABS_TOP_SRCDIR"
|
|
||||||
+
|
|
||||||
+if [ ! -d "$GIT_DIR" ]; then
|
|
||||||
+ echo "Git repository is required for this test!" 1>&2
|
|
||||||
+ exit 77
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+{
|
|
||||||
+ # Look for lines with double semicolon at the end of line
|
|
||||||
+ # in all files tracked by Git
|
|
||||||
+ git grep -n -I ';\s*;$' -- "$(git rev-parse --show-toplevel)" ||
|
|
||||||
+ # Don't fail if no such lines were found anywhere
|
|
||||||
+ [[ $? == 1 ]]
|
|
||||||
+} |
|
|
||||||
+ awk -- "
|
|
||||||
+ BEGIN {
|
|
||||||
+ found = 0
|
|
||||||
+ }
|
|
||||||
+ /^($PATH_INCLUDE_REGEX):/ {
|
|
||||||
+ if (!found) {
|
|
||||||
+ print \"Double semicolon found:\"
|
|
||||||
+ found = 1
|
|
||||||
+ }
|
|
||||||
+ print
|
|
||||||
+ }
|
|
||||||
+ END {
|
|
||||||
+ exit found
|
|
||||||
+ }
|
|
||||||
+ "
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,81 +0,0 @@
|
|||||||
From 3b5dc99956715bb0251c48f18c05b3e0317b661f Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
||||||
Date: Wed, 24 Aug 2016 14:21:12 +0200
|
|
||||||
Subject: [PATCH 74/79] failover: proceed normally when no new server is found
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Multiple failover requests come in same time, the first one will
|
|
||||||
result in collapsing the meta server but multiple resolution of
|
|
||||||
SRV records are triggered. The first one finishes normally but the
|
|
||||||
others won't find any new server thus ends with an error.
|
|
||||||
|
|
||||||
This patch makes failover to proceed normally even in such case.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3131
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
(cherry picked from commit 03cb5ac6aa4c60d2c64c6fdc2daae656bf5493f4)
|
|
||||||
---
|
|
||||||
src/providers/fail_over.c | 25 +++++++++++++++++++++----
|
|
||||||
1 file changed, 21 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
|
|
||||||
index 8ab39f27f77e19e601855632196006a8dbbdf136..77084098831a312bc8629513ccfc2a91165241ba 100644
|
|
||||||
--- a/src/providers/fail_over.c
|
|
||||||
+++ b/src/providers/fail_over.c
|
|
||||||
@@ -1112,7 +1112,9 @@ fo_resolve_service_cont(struct tevent_req *subreq)
|
|
||||||
ret = resolve_srv_recv(subreq, &state->server);
|
|
||||||
talloc_zfree(subreq);
|
|
||||||
|
|
||||||
- if (ret) {
|
|
||||||
+ /* We will proceed normally on ERR_SRV_DUPLICATES and if the server
|
|
||||||
+ * is already being resolved, we hook to that request. */
|
|
||||||
+ if (ret != EOK && ret != ERR_SRV_DUPLICATES) {
|
|
||||||
tevent_req_error(req, ret);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
@@ -1398,11 +1400,23 @@ resolve_srv_done(struct tevent_req *subreq)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (last_server == state->meta) {
|
|
||||||
- /* SRV lookup returned only those servers
|
|
||||||
- * that are already present. */
|
|
||||||
+ /* SRV lookup returned only those servers that are already present.
|
|
||||||
+ * This may happen only when an ongoing SRV resolution already
|
|
||||||
+ * exist. We will return server, but won't set any state. */
|
|
||||||
DEBUG(SSSDBG_TRACE_FUNC, "SRV lookup did not return "
|
|
||||||
"any new server.\n");
|
|
||||||
ret = ERR_SRV_DUPLICATES;
|
|
||||||
+
|
|
||||||
+ /* Since no new server is returned, state->meta->next is NULL.
|
|
||||||
+ * We return last tried server if possible which is server
|
|
||||||
+ * from previous resolution of SRV record, and first server
|
|
||||||
+ * otherwise. */
|
|
||||||
+ if (state->service->last_tried_server != NULL) {
|
|
||||||
+ state->out = state->service->last_tried_server;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ state->out = state->service->server_list;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1438,7 +1452,10 @@ resolve_srv_done(struct tevent_req *subreq)
|
|
||||||
}
|
|
||||||
|
|
||||||
done:
|
|
||||||
- if (ret != EOK) {
|
|
||||||
+ if (ret == ERR_SRV_DUPLICATES) {
|
|
||||||
+ tevent_req_error(req, ret);
|
|
||||||
+ return;
|
|
||||||
+ } else if (ret != EOK) {
|
|
||||||
state->out = state->meta;
|
|
||||||
set_srv_data_status(state->meta->srv_data, SRV_RESOLVE_ERROR);
|
|
||||||
tevent_req_error(req, ret);
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,111 +0,0 @@
|
|||||||
From 0db69ed514decc0ccdc0084c44b31102b1314bef Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Wed, 21 Sep 2016 10:44:36 +0200
|
|
||||||
Subject: [PATCH 75/79] tests: Add a regression test for upstream ticket #3131
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Tests that running two duplicate SRV resolution queries succeeds
|
|
||||||
and returns a valid host name.
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
(cherry picked from commit a299f900981343904d7c9c5d148e30b8e0b2c460)
|
|
||||||
---
|
|
||||||
src/tests/cmocka/test_fo_srv.c | 66 ++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 66 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/tests/cmocka/test_fo_srv.c b/src/tests/cmocka/test_fo_srv.c
|
|
||||||
index a84ce4348d2e59aaab4fc9ac1bd4cfd853ff491d..197f8de5c2f0b5dffa7949a874ea0ca1330554b9 100644
|
|
||||||
--- a/src/tests/cmocka/test_fo_srv.c
|
|
||||||
+++ b/src/tests/cmocka/test_fo_srv.c
|
|
||||||
@@ -203,6 +203,8 @@ struct test_fo_ctx {
|
|
||||||
int ttl;
|
|
||||||
|
|
||||||
struct fo_server *srv;
|
|
||||||
+
|
|
||||||
+ int num_done;
|
|
||||||
};
|
|
||||||
|
|
||||||
int test_fo_srv_data_cmp(void *ud1, void *ud2)
|
|
||||||
@@ -691,6 +693,67 @@ static void test_fo_hostlist(void **state)
|
|
||||||
assert_int_equal(ret, ERR_OK);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void test_fo_srv_dup_done(struct tevent_req *req);
|
|
||||||
+
|
|
||||||
+/* Test that running two parallel SRV queries doesn't return an error.
|
|
||||||
+ * This is a regression test for https://fedorahosted.org/sssd/ticket/3131
|
|
||||||
+ */
|
|
||||||
+void test_fo_srv_duplicates(void **state)
|
|
||||||
+{
|
|
||||||
+ errno_t ret;
|
|
||||||
+ struct tevent_req *req;
|
|
||||||
+ struct test_fo_ctx *test_ctx =
|
|
||||||
+ talloc_get_type(*state, struct test_fo_ctx);
|
|
||||||
+
|
|
||||||
+ test_fo_srv_mock_dns(test_ctx, test_ctx->ttl);
|
|
||||||
+ test_fo_srv_mock_dns(test_ctx, test_ctx->ttl);
|
|
||||||
+
|
|
||||||
+ ret = fo_add_srv_server(test_ctx->fo_svc, "_ldap", "sssd.com",
|
|
||||||
+ "sssd.local", "tcp", test_ctx);
|
|
||||||
+ assert_int_equal(ret, ERR_OK);
|
|
||||||
+
|
|
||||||
+ ret = fo_add_server(test_ctx->fo_svc, "ldap1.sssd.com",
|
|
||||||
+ 389, (void *) discard_const("ldap://ldap1.sssd.com"),
|
|
||||||
+ true);
|
|
||||||
+ assert_int_equal(ret, ERR_OK);
|
|
||||||
+
|
|
||||||
+ req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev,
|
|
||||||
+ test_ctx->resolv, test_ctx->fo_ctx,
|
|
||||||
+ test_ctx->fo_svc);
|
|
||||||
+ assert_non_null(req);
|
|
||||||
+ tevent_req_set_callback(req, test_fo_srv_dup_done, test_ctx);
|
|
||||||
+
|
|
||||||
+ req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev,
|
|
||||||
+ test_ctx->resolv, test_ctx->fo_ctx,
|
|
||||||
+ test_ctx->fo_svc);
|
|
||||||
+ assert_non_null(req);
|
|
||||||
+ tevent_req_set_callback(req, test_fo_srv_dup_done, test_ctx);
|
|
||||||
+
|
|
||||||
+ ret = test_ev_loop(test_ctx->ctx);
|
|
||||||
+ assert_int_equal(ret, ERR_OK);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void test_fo_srv_dup_done(struct tevent_req *req)
|
|
||||||
+{
|
|
||||||
+ struct test_fo_ctx *test_ctx = \
|
|
||||||
+ tevent_req_callback_data(req, struct test_fo_ctx);
|
|
||||||
+ errno_t ret;
|
|
||||||
+ const char *name;
|
|
||||||
+
|
|
||||||
+ ret = fo_resolve_service_recv(req, test_ctx, &test_ctx->srv);
|
|
||||||
+ talloc_zfree(req);
|
|
||||||
+ assert_int_equal(ret, EOK);
|
|
||||||
+
|
|
||||||
+ name = fo_get_server_name(test_ctx->srv);
|
|
||||||
+ assert_string_equal(name, "ldap1.sssd.com");
|
|
||||||
+
|
|
||||||
+ test_ctx->num_done++;
|
|
||||||
+ if (test_ctx->num_done == 2) {
|
|
||||||
+ test_ctx->ctx->error = ERR_OK;
|
|
||||||
+ test_ctx->ctx->done = true;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int main(int argc, const char *argv[])
|
|
||||||
{
|
|
||||||
int rv;
|
|
||||||
@@ -715,6 +778,9 @@ int main(int argc, const char *argv[])
|
|
||||||
cmocka_unit_test_setup_teardown(test_fo_srv_ttl_zero,
|
|
||||||
test_fo_srv_setup,
|
|
||||||
test_fo_srv_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_fo_srv_duplicates,
|
|
||||||
+ test_fo_srv_setup,
|
|
||||||
+ test_fo_srv_teardown),
|
|
||||||
};
|
|
||||||
|
|
||||||
/* Set debug level to invalid value so we can deside if -d 0 was used. */
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,239 +0,0 @@
|
|||||||
From 407eca9a7167145158272e3d41316b6079b4eb74 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Thomas Equeter <firstname@lastname.com>
|
|
||||||
Date: Fri, 26 Aug 2016 10:35:30 +0200
|
|
||||||
Subject: [PATCH 76/79] IFP: expose user and group unique IDs through DBus
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
This adds a uniqueID property on User and Group InfoPipe objects. It has a
|
|
||||||
useful value on AD- and IPA-backed domains. For Active Directory, this is the
|
|
||||||
GUID.
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
(cherry picked from commit e9a2e7afbd09c23dd8748246e09831ed7b17d7c5)
|
|
||||||
---
|
|
||||||
src/db/sysdb.h | 2 ++
|
|
||||||
src/responder/ifp/ifp_groups.c | 19 +++++++++++++++++++
|
|
||||||
src/responder/ifp/ifp_groups.h | 4 ++++
|
|
||||||
src/responder/ifp/ifp_iface.c | 2 ++
|
|
||||||
src/responder/ifp/ifp_iface.xml | 2 ++
|
|
||||||
src/responder/ifp/ifp_iface_generated.c | 18 ++++++++++++++++++
|
|
||||||
src/responder/ifp/ifp_iface_generated.h | 4 ++++
|
|
||||||
src/responder/ifp/ifp_users.c | 7 +++++++
|
|
||||||
src/responder/ifp/ifp_users.h | 4 ++++
|
|
||||||
9 files changed, 62 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
|
||||||
index 8713efa6e8fcc6fb620340fe152989a5dae58434..7de3acdf343e0c013ab39a249268c93cbb2d0dbc 100644
|
|
||||||
--- a/src/db/sysdb.h
|
|
||||||
+++ b/src/db/sysdb.h
|
|
||||||
@@ -224,6 +224,7 @@
|
|
||||||
SYSDB_OVERRIDE_DN, \
|
|
||||||
SYSDB_OVERRIDE_OBJECT_DN, \
|
|
||||||
SYSDB_DEFAULT_OVERRIDE_NAME, \
|
|
||||||
+ SYSDB_UUID, \
|
|
||||||
NULL}
|
|
||||||
|
|
||||||
#define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \
|
|
||||||
@@ -235,6 +236,7 @@
|
|
||||||
SYSDB_OVERRIDE_DN, \
|
|
||||||
SYSDB_OVERRIDE_OBJECT_DN, \
|
|
||||||
SYSDB_DEFAULT_OVERRIDE_NAME, \
|
|
||||||
+ SYSDB_UUID, \
|
|
||||||
NULL}
|
|
||||||
|
|
||||||
#define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \
|
|
||||||
diff --git a/src/responder/ifp/ifp_groups.c b/src/responder/ifp/ifp_groups.c
|
|
||||||
index babd8ec3f57b0469c8ca35f9f2464a0a32076967..29aebe45e710e53538c317a688077689ece4c979 100644
|
|
||||||
--- a/src/responder/ifp/ifp_groups.c
|
|
||||||
+++ b/src/responder/ifp/ifp_groups.c
|
|
||||||
@@ -751,6 +751,25 @@ void ifp_groups_group_get_gid_number(struct sbus_request *sbus_req,
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
+void ifp_groups_group_get_unique_id(struct sbus_request *sbus_req,
|
|
||||||
+ void *data,
|
|
||||||
+ const char **_out)
|
|
||||||
+{
|
|
||||||
+ struct ldb_message *msg;
|
|
||||||
+ struct sss_domain_info *domain;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ ret = ifp_groups_group_get(sbus_req, data, NULL, &domain, &msg);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ *_out = 0;
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *_out = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_UUID, 0);
|
|
||||||
+
|
|
||||||
+ return;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static errno_t
|
|
||||||
ifp_groups_group_get_members(TALLOC_CTX *mem_ctx,
|
|
||||||
struct sbus_request *sbus_req,
|
|
||||||
diff --git a/src/responder/ifp/ifp_groups.h b/src/responder/ifp/ifp_groups.h
|
|
||||||
index 4cfabb9d70df92cda02de02cd1dcf7cc5b071ba8..1e0377fae6101473f5fcc6f9f69f12c3adf33f79 100644
|
|
||||||
--- a/src/responder/ifp/ifp_groups.h
|
|
||||||
+++ b/src/responder/ifp/ifp_groups.h
|
|
||||||
@@ -64,6 +64,10 @@ void ifp_groups_group_get_gid_number(struct sbus_request *sbus_req,
|
|
||||||
void *data,
|
|
||||||
uint32_t *_out);
|
|
||||||
|
|
||||||
+void ifp_groups_group_get_unique_id(struct sbus_request *sbus_req,
|
|
||||||
+ void *data,
|
|
||||||
+ const char **_out);
|
|
||||||
+
|
|
||||||
void ifp_groups_group_get_users(struct sbus_request *sbus_req,
|
|
||||||
void *data,
|
|
||||||
const char ***_out,
|
|
||||||
diff --git a/src/responder/ifp/ifp_iface.c b/src/responder/ifp/ifp_iface.c
|
|
||||||
index e6ddc687ba9db878ee39fee5868d1f924d58482d..ff306adf3243994ee7f71850226dc1c5e0831f16 100644
|
|
||||||
--- a/src/responder/ifp/ifp_iface.c
|
|
||||||
+++ b/src/responder/ifp/ifp_iface.c
|
|
||||||
@@ -104,6 +104,7 @@ struct iface_ifp_users_user iface_ifp_users_user = {
|
|
||||||
.get_gecos = ifp_users_user_get_gecos,
|
|
||||||
.get_homeDirectory = ifp_users_user_get_home_directory,
|
|
||||||
.get_loginShell = ifp_users_user_get_login_shell,
|
|
||||||
+ .get_uniqueID = ifp_users_user_get_unique_id,
|
|
||||||
.get_groups = ifp_users_user_get_groups,
|
|
||||||
.get_extraAttributes = ifp_users_user_get_extra_attributes
|
|
||||||
};
|
|
||||||
@@ -121,6 +122,7 @@ struct iface_ifp_groups_group iface_ifp_groups_group = {
|
|
||||||
.UpdateMemberList = ifp_groups_group_update_member_list,
|
|
||||||
.get_name = ifp_groups_group_get_name,
|
|
||||||
.get_gidNumber = ifp_groups_group_get_gid_number,
|
|
||||||
+ .get_uniqueID = ifp_groups_group_get_unique_id,
|
|
||||||
.get_users = ifp_groups_group_get_users,
|
|
||||||
.get_groups = ifp_groups_group_get_groups
|
|
||||||
};
|
|
||||||
diff --git a/src/responder/ifp/ifp_iface.xml b/src/responder/ifp/ifp_iface.xml
|
|
||||||
index 25b104ad70c0fd84b6c0fe9dbb0dc6e6439c1376..41e9f1d026fa434705ea50999ab3d9ad116f7f29 100644
|
|
||||||
--- a/src/responder/ifp/ifp_iface.xml
|
|
||||||
+++ b/src/responder/ifp/ifp_iface.xml
|
|
||||||
@@ -186,6 +186,7 @@
|
|
||||||
<property name="gecos" type="s" access="read" />
|
|
||||||
<property name="homeDirectory" type="s" access="read" />
|
|
||||||
<property name="loginShell" type="s" access="read" />
|
|
||||||
+ <property name="uniqueID" type="s" access="read" />
|
|
||||||
<property name="groups" type="ao" access="read" />
|
|
||||||
<property name="extraAttributes" type="a{sas}" access="read" />
|
|
||||||
</interface>
|
|
||||||
@@ -221,6 +222,7 @@
|
|
||||||
|
|
||||||
<property name="name" type="s" access="read" />
|
|
||||||
<property name="gidNumber" type="u" access="read" />
|
|
||||||
+ <property name="uniqueID" type="s" access="read" />
|
|
||||||
<property name="users" type="ao" access="read" />
|
|
||||||
<property name="groups" type="ao" access="read" />
|
|
||||||
</interface>
|
|
||||||
diff --git a/src/responder/ifp/ifp_iface_generated.c b/src/responder/ifp/ifp_iface_generated.c
|
|
||||||
index 6156ca2947434f301d206232f83cfc0647007707..ed018a044bd01c69554116946450aca7aacd5fd8 100644
|
|
||||||
--- a/src/responder/ifp/ifp_iface_generated.c
|
|
||||||
+++ b/src/responder/ifp/ifp_iface_generated.c
|
|
||||||
@@ -976,6 +976,15 @@ const struct sbus_property_meta iface_ifp_users_user__properties[] = {
|
|
||||||
NULL, /* no invoker */
|
|
||||||
},
|
|
||||||
{
|
|
||||||
+ "uniqueID", /* name */
|
|
||||||
+ "s", /* type */
|
|
||||||
+ SBUS_PROPERTY_READABLE,
|
|
||||||
+ offsetof(struct iface_ifp_users_user, get_uniqueID),
|
|
||||||
+ sbus_invoke_get_s,
|
|
||||||
+ 0, /* not writable */
|
|
||||||
+ NULL, /* no invoker */
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
"groups", /* name */
|
|
||||||
"ao", /* type */
|
|
||||||
SBUS_PROPERTY_READABLE,
|
|
||||||
@@ -1165,6 +1174,15 @@ const struct sbus_property_meta iface_ifp_groups_group__properties[] = {
|
|
||||||
NULL, /* no invoker */
|
|
||||||
},
|
|
||||||
{
|
|
||||||
+ "uniqueID", /* name */
|
|
||||||
+ "s", /* type */
|
|
||||||
+ SBUS_PROPERTY_READABLE,
|
|
||||||
+ offsetof(struct iface_ifp_groups_group, get_uniqueID),
|
|
||||||
+ sbus_invoke_get_s,
|
|
||||||
+ 0, /* not writable */
|
|
||||||
+ NULL, /* no invoker */
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
"users", /* name */
|
|
||||||
"ao", /* type */
|
|
||||||
SBUS_PROPERTY_READABLE,
|
|
||||||
diff --git a/src/responder/ifp/ifp_iface_generated.h b/src/responder/ifp/ifp_iface_generated.h
|
|
||||||
index 141348249d2da5447fa04495564a8c6a55d67a1b..0c6fd151cd674cdbd4582cb95ef43c9fcc133d6f 100644
|
|
||||||
--- a/src/responder/ifp/ifp_iface_generated.h
|
|
||||||
+++ b/src/responder/ifp/ifp_iface_generated.h
|
|
||||||
@@ -88,6 +88,7 @@
|
|
||||||
#define IFACE_IFP_USERS_USER_GECOS "gecos"
|
|
||||||
#define IFACE_IFP_USERS_USER_HOMEDIRECTORY "homeDirectory"
|
|
||||||
#define IFACE_IFP_USERS_USER_LOGINSHELL "loginShell"
|
|
||||||
+#define IFACE_IFP_USERS_USER_UNIQUEID "uniqueID"
|
|
||||||
#define IFACE_IFP_USERS_USER_GROUPS "groups"
|
|
||||||
#define IFACE_IFP_USERS_USER_EXTRAATTRIBUTES "extraAttributes"
|
|
||||||
|
|
||||||
@@ -103,6 +104,7 @@
|
|
||||||
#define IFACE_IFP_GROUPS_GROUP_UPDATEMEMBERLIST "UpdateMemberList"
|
|
||||||
#define IFACE_IFP_GROUPS_GROUP_NAME "name"
|
|
||||||
#define IFACE_IFP_GROUPS_GROUP_GIDNUMBER "gidNumber"
|
|
||||||
+#define IFACE_IFP_GROUPS_GROUP_UNIQUEID "uniqueID"
|
|
||||||
#define IFACE_IFP_GROUPS_GROUP_USERS "users"
|
|
||||||
#define IFACE_IFP_GROUPS_GROUP_GROUPS "groups"
|
|
||||||
|
|
||||||
@@ -294,6 +296,7 @@ struct iface_ifp_users_user {
|
|
||||||
void (*get_gecos)(struct sbus_request *, void *data, const char **);
|
|
||||||
void (*get_homeDirectory)(struct sbus_request *, void *data, const char **);
|
|
||||||
void (*get_loginShell)(struct sbus_request *, void *data, const char **);
|
|
||||||
+ void (*get_uniqueID)(struct sbus_request *, void *data, const char **);
|
|
||||||
void (*get_groups)(struct sbus_request *, void *data, const char ***, int *);
|
|
||||||
void (*get_extraAttributes)(struct sbus_request *, void *data, hash_table_t **);
|
|
||||||
};
|
|
||||||
@@ -328,6 +331,7 @@ struct iface_ifp_groups_group {
|
|
||||||
int (*UpdateMemberList)(struct sbus_request *req, void *data);
|
|
||||||
void (*get_name)(struct sbus_request *, void *data, const char **);
|
|
||||||
void (*get_gidNumber)(struct sbus_request *, void *data, uint32_t*);
|
|
||||||
+ void (*get_uniqueID)(struct sbus_request *, void *data, const char **);
|
|
||||||
void (*get_users)(struct sbus_request *, void *data, const char ***, int *);
|
|
||||||
void (*get_groups)(struct sbus_request *, void *data, const char ***, int *);
|
|
||||||
};
|
|
||||||
diff --git a/src/responder/ifp/ifp_users.c b/src/responder/ifp/ifp_users.c
|
|
||||||
index 5481413ef908785ecf276aad7154e4a7b511fd45..a2bafff5853683443f25f857124214a048132c4a 100644
|
|
||||||
--- a/src/responder/ifp/ifp_users.c
|
|
||||||
+++ b/src/responder/ifp/ifp_users.c
|
|
||||||
@@ -774,6 +774,13 @@ void ifp_users_user_get_login_shell(struct sbus_request *sbus_req,
|
|
||||||
ifp_users_get_as_string(sbus_req, data, SYSDB_SHELL, _out);
|
|
||||||
}
|
|
||||||
|
|
||||||
+void ifp_users_user_get_unique_id(struct sbus_request *sbus_req,
|
|
||||||
+ void *data,
|
|
||||||
+ const char **_out)
|
|
||||||
+{
|
|
||||||
+ ifp_users_get_as_string(sbus_req, data, SYSDB_UUID, _out);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
void ifp_users_user_get_groups(struct sbus_request *sbus_req,
|
|
||||||
void *data,
|
|
||||||
const char ***_out,
|
|
||||||
diff --git a/src/responder/ifp/ifp_users.h b/src/responder/ifp/ifp_users.h
|
|
||||||
index 99114fe9562f237204b3121ae3fe1f29dbc256a8..6a3a66951ff2c68cdc220364d28651d53b9d6a68 100644
|
|
||||||
--- a/src/responder/ifp/ifp_users.h
|
|
||||||
+++ b/src/responder/ifp/ifp_users.h
|
|
||||||
@@ -84,6 +84,10 @@ void ifp_users_user_get_login_shell(struct sbus_request *sbus_req,
|
|
||||||
void *data,
|
|
||||||
const char **_out);
|
|
||||||
|
|
||||||
+void ifp_users_user_get_unique_id(struct sbus_request *sbus_req,
|
|
||||||
+ void *data,
|
|
||||||
+ const char **_out);
|
|
||||||
+
|
|
||||||
void ifp_users_user_get_groups(struct sbus_request *sbus_req,
|
|
||||||
void *data,
|
|
||||||
const char ***_out,
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,125 +0,0 @@
|
|||||||
From 3e8165ff6c5251809beb8f8e11ffd45f8bfd69ca Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Wed, 21 Sep 2016 13:56:43 +0200
|
|
||||||
Subject: [PATCH 77/79] SSSDConfig: Do not fail with nonexisting
|
|
||||||
domains/services
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
dict.keys() returns iterator in python3 and not list
|
|
||||||
Chaging data in dictionary while using iterator
|
|
||||||
fails with "RuntimeError: dictionary changed size during iteration"
|
|
||||||
|
|
||||||
https://fedorahosted.org/sssd/ticket/3107
|
|
||||||
|
|
||||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
||||||
(cherry picked from commit 1773fdad2730f3f910782781fa286f402ce36cca)
|
|
||||||
---
|
|
||||||
Makefile.am | 1 +
|
|
||||||
src/config/SSSDConfig/__init__.py.in | 4 +--
|
|
||||||
src/config/SSSDConfigTest.py | 33 ++++++++++++++++++++++
|
|
||||||
.../sssd-nonexisting-services-domains.conf | 13 +++++++++
|
|
||||||
4 files changed, 49 insertions(+), 2 deletions(-)
|
|
||||||
create mode 100644 src/config/testconfigs/sssd-nonexisting-services-domains.conf
|
|
||||||
|
|
||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index 17c5f26ce9db1e183b30178f1a8714deca1dab03..4385268b21b2de2054d3958f98f28f5ea7cfa191 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -422,6 +422,7 @@ dist_noinst_DATA = \
|
|
||||||
src/config/testconfigs/sssd-badversion.conf \
|
|
||||||
src/config/testconfigs/sssd-invalid.conf \
|
|
||||||
src/config/testconfigs/sssd-invalid-badbool.conf \
|
|
||||||
+ src/config/testconfigs/sssd-nonexisting-services-domains.conf \
|
|
||||||
src/config/etc/sssd.api.d/crash_test_dummy \
|
|
||||||
contrib/ci/README.md \
|
|
||||||
contrib/ci/configure.sh \
|
|
||||||
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
index 0acb751e234ee0c3e6fee332a2ba22f9ac353221..e616ce3dcc7357280418e9abd0bcdeb370b861e6 100644
|
|
||||||
--- a/src/config/SSSDConfig/__init__.py.in
|
|
||||||
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
||||||
@@ -1511,7 +1511,7 @@ class SSSDConfig(SSSDChangeConf):
|
|
||||||
# Remove any entries in this list that don't
|
|
||||||
# correspond to an active service, for integrity
|
|
||||||
configured_services = self.list_services()
|
|
||||||
- for srv in service_dict.keys():
|
|
||||||
+ for srv in list(service_dict):
|
|
||||||
if srv not in configured_services:
|
|
||||||
del service_dict[srv]
|
|
||||||
|
|
||||||
@@ -1794,7 +1794,7 @@ class SSSDConfig(SSSDChangeConf):
|
|
||||||
# Remove any entries in this list that don't
|
|
||||||
# correspond to an active domain, for integrity
|
|
||||||
configured_domains = self.list_domains()
|
|
||||||
- for dom in domain_dict.keys():
|
|
||||||
+ for dom in list(domain_dict):
|
|
||||||
if dom not in configured_domains:
|
|
||||||
del domain_dict[dom]
|
|
||||||
|
|
||||||
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
|
||||||
index 8a64a257ab978b81ae4b26918c683b25a30fe7c1..006a034477dd64e3c5a0b2dbd1554bdc1b2635b4 100755
|
|
||||||
--- a/src/config/SSSDConfigTest.py
|
|
||||||
+++ b/src/config/SSSDConfigTest.py
|
|
||||||
@@ -1683,6 +1683,39 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
|
|
||||||
"Domain [%s] unexpectedly found" %
|
|
||||||
domain)
|
|
||||||
|
|
||||||
+ def testListWithInvalidDomain(self):
|
|
||||||
+ sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
|
|
||||||
+ srcdir + "/etc/sssd.api.d")
|
|
||||||
+
|
|
||||||
+ # Negative Test - Not Initialized
|
|
||||||
+ self.assertRaises(SSSDConfig.NotInitializedError,
|
|
||||||
+ sssdconfig.list_domains)
|
|
||||||
+
|
|
||||||
+ # Positive Test
|
|
||||||
+ sssdconfig.import_config(
|
|
||||||
+ srcdir + '/testconfigs/sssd-nonexisting-services-domains.conf'
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ domains = sssdconfig.list_active_domains()
|
|
||||||
+ self.assertTrue("active" in domains and len(domains) == 1,
|
|
||||||
+ "domain 'active' not found among active domains")
|
|
||||||
+
|
|
||||||
+ domains = sssdconfig.list_inactive_domains()
|
|
||||||
+ self.assertTrue("inactive" in domains and len(domains) == 1,
|
|
||||||
+ "domain 'inactive' not found among inactive domains")
|
|
||||||
+
|
|
||||||
+ services = sssdconfig.list_active_services()
|
|
||||||
+ self.assertTrue("nss" in services and len(services) == 1,
|
|
||||||
+ "service 'nss' not found among active services")
|
|
||||||
+
|
|
||||||
+ services = sssdconfig.list_inactive_services()
|
|
||||||
+ self.assertTrue(len(services) == 2,
|
|
||||||
+ "unexpected count of inactive services")
|
|
||||||
+ for service in ("sssd", "pam"):
|
|
||||||
+ self.assertTrue(service in services,
|
|
||||||
+ "service '%s' not found among inactive services"
|
|
||||||
+ % service)
|
|
||||||
+
|
|
||||||
def testGetDomain(self):
|
|
||||||
sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
|
|
||||||
srcdir + "/etc/sssd.api.d")
|
|
||||||
diff --git a/src/config/testconfigs/sssd-nonexisting-services-domains.conf b/src/config/testconfigs/sssd-nonexisting-services-domains.conf
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000000000000000000000000000000000000..d1e248001e76c65fa667d55f469e15aa5696faed
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/config/testconfigs/sssd-nonexisting-services-domains.conf
|
|
||||||
@@ -0,0 +1,13 @@
|
|
||||||
+[domain/active]
|
|
||||||
+
|
|
||||||
+[domain/inactive]
|
|
||||||
+
|
|
||||||
+[sssd]
|
|
||||||
+domains = nonexistent, active
|
|
||||||
+services = nonexistent, nss
|
|
||||||
+
|
|
||||||
+[nss]
|
|
||||||
+debug_level = 1
|
|
||||||
+
|
|
||||||
+[pam]
|
|
||||||
+debug_level = 2
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,268 +0,0 @@
|
|||||||
From f87452ae46dd917d47b63673da42d371912aee8d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
||||||
Date: Wed, 14 Sep 2016 14:31:29 +0200
|
|
||||||
Subject: [PATCH 78/79] SPEC: Rename python packages using macro
|
|
||||||
%python_provide
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Fedora and epel contains macro %python_provide
|
|
||||||
for simpler renaming of python packages. It will generate correct
|
|
||||||
provides and obsoletes.
|
|
||||||
|
|
||||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
||||||
(cherry picked from commit 705bc4480a68f69d287b1c89fe9463a0191987c8)
|
|
||||||
---
|
|
||||||
contrib/sssd.spec.in | 90 ++++++++++++++++++++++++++++++++++++++++------------
|
|
||||||
1 file changed, 70 insertions(+), 20 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
|
||||||
index 1f79ca7cd0a56dc1ab9c951abe11dc216ef3ad03..a0937d54903002521f07fb012742eb11f2584c54 100644
|
|
||||||
--- a/contrib/sssd.spec.in
|
|
||||||
+++ b/contrib/sssd.spec.in
|
|
||||||
@@ -11,6 +11,46 @@
|
|
||||||
%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
|
|
||||||
%endif
|
|
||||||
|
|
||||||
+%{!?python_provide: %global need_python_provide 1}
|
|
||||||
+%if 0%{?need_python_provide}
|
|
||||||
+%define python_provide() %{lua:
|
|
||||||
+ function string.starts(String, Start)
|
|
||||||
+ return string.sub(String, 1, string.len(Start)) == Start
|
|
||||||
+ end
|
|
||||||
+ package = rpm.expand("%{?1:%{1}}");
|
|
||||||
+ vr = rpm.expand("%{?epoch:%{epoch}:}%{version}-%{release}")
|
|
||||||
+ if (string.starts(package, "python2-")) then
|
|
||||||
+ if (rpm.expand("%{?buildarch}") ~= "noarch") then
|
|
||||||
+ str = "Provides: python-" ..
|
|
||||||
+ string.sub(package, 9, string.len(package)) ..
|
|
||||||
+ "%{?_isa} = " .. vr;
|
|
||||||
+ print(rpm.expand(str));
|
|
||||||
+ end
|
|
||||||
+ print("\\nProvides: python-");
|
|
||||||
+ print(string.sub(package, 9, string.len(package)));
|
|
||||||
+ print(" = ");
|
|
||||||
+ print(vr);
|
|
||||||
+ --Obsoleting the previous default python package
|
|
||||||
+ if (rpm.expand("%{?buildarch}") ~= "noarch") then
|
|
||||||
+ str = "\\nObsoletes: python-" ..
|
|
||||||
+ string.sub(package, 9, string.len(package)) ..
|
|
||||||
+ "%{?_isa} < " .. vr;
|
|
||||||
+ print(rpm.expand(str));
|
|
||||||
+ end
|
|
||||||
+ print("\\nObsoletes: python-");
|
|
||||||
+ print(string.sub(package, 9, string.len(package)));
|
|
||||||
+ print(" < ");
|
|
||||||
+ print(vr);
|
|
||||||
+ elseif (string.starts(package, "python3-")) then
|
|
||||||
+ --No unversioned provides as python3 is not default
|
|
||||||
+ else
|
|
||||||
+ print("%python_provide: ERROR: ");
|
|
||||||
+ print(package);
|
|
||||||
+ print(" not recognized.");
|
|
||||||
+ end
|
|
||||||
+}
|
|
||||||
+%endif
|
|
||||||
+
|
|
||||||
# Fedora and RHEL 6+
|
|
||||||
# we don't want to provide private python extension libs
|
|
||||||
%define __provides_exclude_from %{python2_sitearch}/.*\.so$
|
|
||||||
@@ -95,7 +135,7 @@ Requires: sssd-proxy = %{version}-%{release}
|
|
||||||
%if (0%{?with_python3} == 1)
|
|
||||||
Requires: python3-sssdconfig = %{version}-%{release}
|
|
||||||
%else
|
|
||||||
-Requires: python-sssdconfig = %{version}-%{release}
|
|
||||||
+Requires: python2-sssdconfig = %{version}-%{release}
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%global servicename sssd
|
|
||||||
@@ -253,8 +293,8 @@ Requires: sssd-common = %{version}-%{release}
|
|
||||||
Requires: python3-sss = %{version}-%{release}
|
|
||||||
Requires: python3-sssdconfig = %{version}-%{release}
|
|
||||||
%else
|
|
||||||
-Requires: python-sss = %{version}-%{release}
|
|
||||||
-Requires: python-sssdconfig = %{version}-%{release}
|
|
||||||
+Requires: python2-sss = %{version}-%{release}
|
|
||||||
+Requires: python2-sssdconfig = %{version}-%{release}
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%description tools
|
|
||||||
@@ -267,13 +307,14 @@ Also provides several other administrative tools:
|
|
||||||
* sss_obfuscate for generating an obfuscated LDAP password
|
|
||||||
* sssctl -- an sssd status and control utility
|
|
||||||
|
|
||||||
-%package -n python-sssdconfig
|
|
||||||
+%package -n python2-sssdconfig
|
|
||||||
Summary: SSSD and IPA configuration file manipulation classes and functions
|
|
||||||
Group: Applications/System
|
|
||||||
License: GPLv3+
|
|
||||||
BuildArch: noarch
|
|
||||||
+%{python_provide python2-sssdconfig}
|
|
||||||
|
|
||||||
-%description -n python-sssdconfig
|
|
||||||
+%description -n python2-sssdconfig
|
|
||||||
Provides python2 files for manipulation SSSD and IPA configuration files.
|
|
||||||
|
|
||||||
%if (0%{?with_python3} == 1)
|
|
||||||
@@ -282,18 +323,20 @@ Summary: SSSD and IPA configuration file manipulation classes and functions
|
|
||||||
Group: Applications/System
|
|
||||||
License: GPLv3+
|
|
||||||
BuildArch: noarch
|
|
||||||
+%{python_provide python3-sssdconfig}
|
|
||||||
|
|
||||||
%description -n python3-sssdconfig
|
|
||||||
Provides python3 files for manipulation SSSD and IPA configuration files.
|
|
||||||
%endif
|
|
||||||
|
|
||||||
-%package -n python-sss
|
|
||||||
+%package -n python2-sss
|
|
||||||
Summary: Python2 bindings for sssd
|
|
||||||
Group: Development/Libraries
|
|
||||||
License: LGPLv3+
|
|
||||||
Requires: sssd-common = %{version}-%{release}
|
|
||||||
+%{python_provide python2-sss}
|
|
||||||
|
|
||||||
-%description -n python-sss
|
|
||||||
+%description -n python2-sss
|
|
||||||
Provides python2 module for manipulating users, groups, and nested groups in
|
|
||||||
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
|
|
||||||
|
|
||||||
@@ -307,6 +350,7 @@ Summary: Python3 bindings for sssd
|
|
||||||
Group: Development/Libraries
|
|
||||||
License: LGPLv3+
|
|
||||||
Requires: sssd-common = %{version}-%{release}
|
|
||||||
+%{python_provide python3-sss}
|
|
||||||
|
|
||||||
%description -n python3-sss
|
|
||||||
Provides python3 module for manipulating users, groups, and nested groups in
|
|
||||||
@@ -317,12 +361,13 @@ Also provides several other useful python3 bindings:
|
|
||||||
* class for obfuscation of passwords
|
|
||||||
%endif
|
|
||||||
|
|
||||||
-%package -n python-sss-murmur
|
|
||||||
+%package -n python2-sss-murmur
|
|
||||||
Summary: Python2 bindings for murmur hash function
|
|
||||||
Group: Development/Libraries
|
|
||||||
License: LGPLv3+
|
|
||||||
+%{python_provide python2-sss-murmur}
|
|
||||||
|
|
||||||
-%description -n python-sss-murmur
|
|
||||||
+%description -n python2-sss-murmur
|
|
||||||
Provides python2 module for calculating the murmur hash version 3
|
|
||||||
|
|
||||||
%if (0%{?with_python3} == 1)
|
|
||||||
@@ -330,6 +375,7 @@ Provides python2 module for calculating the murmur hash version 3
|
|
||||||
Summary: Python3 bindings for murmur hash function
|
|
||||||
Group: Development/Libraries
|
|
||||||
License: LGPLv3+
|
|
||||||
+%{python_provide python3-sss-murmur}
|
|
||||||
|
|
||||||
%description -n python3-sss-murmur
|
|
||||||
Provides python3 module for calculating the murmur hash version 3
|
|
||||||
@@ -459,16 +505,17 @@ Requires: libipa_hbac = %{version}-%{release}
|
|
||||||
%description -n libipa_hbac-devel
|
|
||||||
Utility library to validate FreeIPA HBAC rules for authorization requests
|
|
||||||
|
|
||||||
-%package -n python-libipa_hbac
|
|
||||||
+%package -n python2-libipa_hbac
|
|
||||||
Summary: Python2 bindings for the FreeIPA HBAC Evaluator library
|
|
||||||
Group: Development/Libraries
|
|
||||||
License: LGPLv3+
|
|
||||||
Requires: libipa_hbac = %{version}-%{release}
|
|
||||||
Provides: libipa_hbac-python = %{version}-%{release}
|
|
||||||
Obsoletes: libipa_hbac-python < 1.12.90
|
|
||||||
+%{python_provide python2-libipa_hbac}
|
|
||||||
|
|
||||||
-%description -n python-libipa_hbac
|
|
||||||
-The python-libipa_hbac contains the bindings so that libipa_hbac can be
|
|
||||||
+%description -n python2-libipa_hbac
|
|
||||||
+The python2-libipa_hbac contains the bindings so that libipa_hbac can be
|
|
||||||
used by Python applications.
|
|
||||||
|
|
||||||
%if (0%{?with_python3} == 1)
|
|
||||||
@@ -477,6 +524,7 @@ Summary: Python3 bindings for the FreeIPA HBAC Evaluator library
|
|
||||||
Group: Development/Libraries
|
|
||||||
License: LGPLv3+
|
|
||||||
Requires: libipa_hbac = %{version}-%{release}
|
|
||||||
+%{python_provide python3-libipa_hbac}
|
|
||||||
|
|
||||||
%description -n python3-libipa_hbac
|
|
||||||
The python3-libipa_hbac contains the bindings so that libipa_hbac can be
|
|
||||||
@@ -502,16 +550,17 @@ Requires: libsss_nss_idmap = %{version}-%{release}
|
|
||||||
%description -n libsss_nss_idmap-devel
|
|
||||||
Utility library for SID and certificate based lookups
|
|
||||||
|
|
||||||
-%package -n python-libsss_nss_idmap
|
|
||||||
+%package -n python2-libsss_nss_idmap
|
|
||||||
Summary: Python2 bindings for libsss_nss_idmap
|
|
||||||
Group: Development/Libraries
|
|
||||||
License: LGPLv3+
|
|
||||||
Requires: libsss_nss_idmap = %{version}-%{release}
|
|
||||||
Provides: libsss_nss_idmap-python = %{version}-%{release}
|
|
||||||
Obsoletes: libsss_nss_idmap-python < 1.12.90
|
|
||||||
+%{python_provide python2-libsss_nss_idmap}
|
|
||||||
|
|
||||||
-%description -n python-libsss_nss_idmap
|
|
||||||
-The python-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
|
|
||||||
+%description -n python2-libsss_nss_idmap
|
|
||||||
+The python2-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
|
|
||||||
be used by Python applications.
|
|
||||||
|
|
||||||
%if (0%{?with_python3} == 1)
|
|
||||||
@@ -520,6 +569,7 @@ Summary: Python3 bindings for libsss_nss_idmap
|
|
||||||
Group: Development/Libraries
|
|
||||||
License: LGPLv3+
|
|
||||||
Requires: libsss_nss_idmap = %{version}-%{release}
|
|
||||||
+%{python_provide python3-libsss_nss_idmap}
|
|
||||||
|
|
||||||
%description -n python3-libsss_nss_idmap
|
|
||||||
The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
|
|
||||||
@@ -963,7 +1013,7 @@ done
|
|
||||||
%{_mandir}/man8/sss_seed.8*
|
|
||||||
%{_mandir}/man8/sssctl.8*
|
|
||||||
|
|
||||||
-%files -n python-sssdconfig -f python2_sssdconfig.lang
|
|
||||||
+%files -n python2-sssdconfig -f python2_sssdconfig.lang
|
|
||||||
%defattr(-,root,root,-)
|
|
||||||
%dir %{python2_sitelib}/SSSDConfig
|
|
||||||
%{python2_sitelib}/SSSDConfig/*.py*
|
|
||||||
@@ -977,7 +1027,7 @@ done
|
|
||||||
%{python3_sitelib}/SSSDConfig/__pycache__/*.py*
|
|
||||||
%endif
|
|
||||||
|
|
||||||
-%files -n python-sss
|
|
||||||
+%files -n python2-sss
|
|
||||||
%defattr(-,root,root,-)
|
|
||||||
%{python2_sitearch}/pysss.so
|
|
||||||
|
|
||||||
@@ -987,7 +1037,7 @@ done
|
|
||||||
%{python3_sitearch}/pysss.so
|
|
||||||
%endif
|
|
||||||
|
|
||||||
-%files -n python-sss-murmur
|
|
||||||
+%files -n python2-sss-murmur
|
|
||||||
%defattr(-,root,root,-)
|
|
||||||
%{python2_sitearch}/pysss_murmur.so
|
|
||||||
|
|
||||||
@@ -1033,7 +1083,7 @@ done
|
|
||||||
%{_libdir}/libsss_nss_idmap.so
|
|
||||||
%{_libdir}/pkgconfig/sss_nss_idmap.pc
|
|
||||||
|
|
||||||
-%files -n python-libsss_nss_idmap
|
|
||||||
+%files -n python2-libsss_nss_idmap
|
|
||||||
%defattr(-,root,root,-)
|
|
||||||
%{python2_sitearch}/pysss_nss_idmap.so
|
|
||||||
|
|
||||||
@@ -1043,7 +1093,7 @@ done
|
|
||||||
%{python3_sitearch}/pysss_nss_idmap.so
|
|
||||||
%endif
|
|
||||||
|
|
||||||
-%files -n python-libipa_hbac
|
|
||||||
+%files -n python2-libipa_hbac
|
|
||||||
%defattr(-,root,root,-)
|
|
||||||
%{python2_sitearch}/pyhbac.so
|
|
||||||
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,202 +0,0 @@
|
|||||||
From 6f97e6da7389e541f74855c702f8dafa02bbee67 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
|
||||||
Date: Wed, 14 Sep 2016 09:00:06 -0400
|
|
||||||
Subject: [PATCH 79/79] KRB5: Fixing FQ name of user in krb5_setup()
|
|
||||||
|
|
||||||
This patch fixes creation of FQ username if krb5_map_user option
|
|
||||||
ise used.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3188
|
|
||||||
|
|
||||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
(cherry picked from commit b34ffbf33729c557c3d1aebf4707ad0ffe4f1904)
|
|
||||||
---
|
|
||||||
src/providers/krb5/krb5_auth.c | 8 +++++++-
|
|
||||||
src/providers/krb5/krb5_init_shared.c | 1 +
|
|
||||||
src/providers/krb5/krb5_utils.c | 26 +++++++++++++++++++++++++-
|
|
||||||
src/providers/krb5/krb5_utils.h | 4 +++-
|
|
||||||
src/tests/krb5_utils-tests.c | 33 ++++++++++++++++++++-------------
|
|
||||||
5 files changed, 56 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
|
||||||
index f0f2280022a3ee951ccfa0040b616c48c3b25706..a5ecb24323d3d413bc08f100b90195d3619172d3 100644
|
|
||||||
--- a/src/providers/krb5/krb5_auth.c
|
|
||||||
+++ b/src/providers/krb5/krb5_auth.c
|
|
||||||
@@ -207,7 +207,13 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx,
|
|
||||||
if (ret == EOK) {
|
|
||||||
DEBUG(SSSDBG_TRACE_FUNC, "Setting mapped name to: %s\n", mapped_name);
|
|
||||||
kr->user = mapped_name;
|
|
||||||
- kr->kuserok_user = mapped_name;
|
|
||||||
+
|
|
||||||
+ kr->kuserok_user = sss_output_name(kr, kr->user,
|
|
||||||
+ dom->case_sensitive, 0);
|
|
||||||
+ if (kr->kuserok_user == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
} else if (ret == ENOENT) {
|
|
||||||
DEBUG(SSSDBG_TRACE_ALL, "No mapping for: %s\n", pd->user);
|
|
||||||
kr->user = pd->user;
|
|
||||||
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
|
|
||||||
index 767291c0b953ea3f227f64a7e21f191262424cf5..c8fd8593a8b6d304fe314254c940351fa5ee12f3 100644
|
|
||||||
--- a/src/providers/krb5/krb5_init_shared.c
|
|
||||||
+++ b/src/providers/krb5/krb5_init_shared.c
|
|
||||||
@@ -94,6 +94,7 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
|
|
||||||
ret = parse_krb5_map_user(krb5_auth_ctx,
|
|
||||||
dp_opt_get_cstring(krb5_auth_ctx->opts,
|
|
||||||
KRB5_MAP_USER),
|
|
||||||
+ bectx->domain->name,
|
|
||||||
&krb5_auth_ctx->name_to_primary);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_OP_FAILURE, "parse_krb5_map_user failed: %s:[%d]\n",
|
|
||||||
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
|
|
||||||
index 0ac60daee533ea1264bc55d0d65054ed38b3a092..e968dfa5fe50c43c51e624507261ae2c8263b67d 100644
|
|
||||||
--- a/src/providers/krb5/krb5_utils.c
|
|
||||||
+++ b/src/providers/krb5/krb5_utils.c
|
|
||||||
@@ -521,7 +521,9 @@ done:
|
|
||||||
}
|
|
||||||
|
|
||||||
errno_t
|
|
||||||
-parse_krb5_map_user(TALLOC_CTX *mem_ctx, const char *krb5_map_user,
|
|
||||||
+parse_krb5_map_user(TALLOC_CTX *mem_ctx,
|
|
||||||
+ const char *krb5_map_user,
|
|
||||||
+ const char *dom_name,
|
|
||||||
struct map_id_name_to_krb_primary **_name_to_primary)
|
|
||||||
{
|
|
||||||
int size;
|
|
||||||
@@ -570,6 +572,28 @@ parse_krb5_map_user(TALLOC_CTX *mem_ctx, const char *krb5_map_user,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* conversion names to fully-qualified names */
|
|
||||||
+ for (int i = 0; i < size; i++) {
|
|
||||||
+ name_to_primary[i].id_name = sss_create_internal_fqname(
|
|
||||||
+ name_to_primary,
|
|
||||||
+ name_to_primary[i].id_name,
|
|
||||||
+ dom_name);
|
|
||||||
+ if (name_to_primary[i].id_name == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ name_to_primary[i].krb_primary = sss_create_internal_fqname(
|
|
||||||
+ name_to_primary,
|
|
||||||
+ name_to_primary[i].krb_primary,
|
|
||||||
+ dom_name);
|
|
||||||
+ if (name_to_primary[i].krb_primary == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
ret = EOK;
|
|
||||||
|
|
||||||
done:
|
|
||||||
diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
|
|
||||||
index 75b93c30ef5be5d16f2ce73f44abef674c6e98ff..3051a99445054638d04fbee34415e9cf3d226588 100644
|
|
||||||
--- a/src/providers/krb5/krb5_utils.h
|
|
||||||
+++ b/src/providers/krb5/krb5_utils.h
|
|
||||||
@@ -51,7 +51,9 @@ errno_t get_domain_or_subdomain(struct be_ctx *be_ctx,
|
|
||||||
struct sss_domain_info **dom);
|
|
||||||
|
|
||||||
errno_t
|
|
||||||
-parse_krb5_map_user(TALLOC_CTX *mem_ctx, const char *krb5_map_user,
|
|
||||||
+parse_krb5_map_user(TALLOC_CTX *mem_ctx,
|
|
||||||
+ const char *krb5_map_user,
|
|
||||||
+ const char *dom_name,
|
|
||||||
struct map_id_name_to_krb_primary **_name_to_primary);
|
|
||||||
|
|
||||||
#endif /* __KRB5_UTILS_H__ */
|
|
||||||
diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c
|
|
||||||
index 515a1941509c13ca4ad8d9953687f9047da29426..36bd0324475e161e627006de0ddcbc775f8a749b 100644
|
|
||||||
--- a/src/tests/krb5_utils-tests.c
|
|
||||||
+++ b/src/tests/krb5_utils-tests.c
|
|
||||||
@@ -614,25 +614,25 @@ START_TEST(test_parse_krb5_map_user)
|
|
||||||
/* empty input */
|
|
||||||
{
|
|
||||||
check_leaks_push(mem_ctx);
|
|
||||||
- ret = parse_krb5_map_user(mem_ctx, NULL, &name_to_primary);
|
|
||||||
+ ret = parse_krb5_map_user(mem_ctx, NULL, DOMAIN_NAME, &name_to_primary);
|
|
||||||
fail_unless(ret == EOK);
|
|
||||||
fail_unless(name_to_primary[0].id_name == NULL &&
|
|
||||||
name_to_primary[0].krb_primary == NULL);
|
|
||||||
talloc_free(name_to_primary);
|
|
||||||
|
|
||||||
- ret = parse_krb5_map_user(mem_ctx, "", &name_to_primary);
|
|
||||||
+ ret = parse_krb5_map_user(mem_ctx, "", DOMAIN_NAME, &name_to_primary);
|
|
||||||
fail_unless(ret == EOK);
|
|
||||||
fail_unless(name_to_primary[0].id_name == NULL &&
|
|
||||||
name_to_primary[0].krb_primary == NULL);
|
|
||||||
talloc_free(name_to_primary);
|
|
||||||
|
|
||||||
- ret = parse_krb5_map_user(mem_ctx, ",", &name_to_primary);
|
|
||||||
+ ret = parse_krb5_map_user(mem_ctx, ",", DOMAIN_NAME, &name_to_primary);
|
|
||||||
fail_unless(ret == EOK);
|
|
||||||
fail_unless(name_to_primary[0].id_name == NULL &&
|
|
||||||
name_to_primary[0].krb_primary == NULL);
|
|
||||||
talloc_free(name_to_primary);
|
|
||||||
|
|
||||||
- ret = parse_krb5_map_user(mem_ctx, ",,", &name_to_primary);
|
|
||||||
+ ret = parse_krb5_map_user(mem_ctx, ",,", DOMAIN_NAME, &name_to_primary);
|
|
||||||
fail_unless(ret == EOK);
|
|
||||||
fail_unless(name_to_primary[0].id_name == NULL &&
|
|
||||||
name_to_primary[0].krb_primary == NULL);
|
|
||||||
@@ -645,14 +645,16 @@ START_TEST(test_parse_krb5_map_user)
|
|
||||||
check_leaks_push(mem_ctx);
|
|
||||||
const char *p = "pája:preichl,joe:juser,jdoe:ßlack";
|
|
||||||
const char *p2 = " pája : preichl , joe:\njuser,jdoe\t: ßlack ";
|
|
||||||
- const char *expected[] = {"pája", "preichl", "joe", "juser", "jdoe", "ßlack"};
|
|
||||||
- ret = parse_krb5_map_user(mem_ctx, p, &name_to_primary);
|
|
||||||
+ const char *expected[] = { "pája@testdomain", "preichl@" DOMAIN_NAME,
|
|
||||||
+ "joe@testdomain", "juser@testdomain",
|
|
||||||
+ "jdoe@testdomain", "ßlack@testdomain" };
|
|
||||||
+ ret = parse_krb5_map_user(mem_ctx, p, DOMAIN_NAME, &name_to_primary);
|
|
||||||
fail_unless(ret == EOK);
|
|
||||||
compare_map_id_name_to_krb_primary(name_to_primary, expected,
|
|
||||||
sizeof(expected)/sizeof(const char*)/2);
|
|
||||||
talloc_free(name_to_primary);
|
|
||||||
|
|
||||||
- ret = parse_krb5_map_user(mem_ctx, p2, &name_to_primary);
|
|
||||||
+ ret = parse_krb5_map_user(mem_ctx, p2, DOMAIN_NAME, &name_to_primary);
|
|
||||||
fail_unless(ret == EOK);
|
|
||||||
compare_map_id_name_to_krb_primary(name_to_primary, expected,
|
|
||||||
sizeof(expected)/sizeof(const char*)/2);
|
|
||||||
@@ -663,22 +665,27 @@ START_TEST(test_parse_krb5_map_user)
|
|
||||||
{
|
|
||||||
check_leaks_push(mem_ctx);
|
|
||||||
|
|
||||||
- ret = parse_krb5_map_user(mem_ctx, ":", &name_to_primary);
|
|
||||||
+ ret = parse_krb5_map_user(mem_ctx, ":", DOMAIN_NAME, &name_to_primary);
|
|
||||||
fail_unless(ret == EINVAL);
|
|
||||||
|
|
||||||
- ret = parse_krb5_map_user(mem_ctx, "joe:", &name_to_primary);
|
|
||||||
+ ret = parse_krb5_map_user(mem_ctx, "joe:", DOMAIN_NAME,
|
|
||||||
+ &name_to_primary);
|
|
||||||
fail_unless(ret == EINVAL);
|
|
||||||
|
|
||||||
- ret = parse_krb5_map_user(mem_ctx, ":joe", &name_to_primary);
|
|
||||||
+ ret = parse_krb5_map_user(mem_ctx, ":joe", DOMAIN_NAME,
|
|
||||||
+ &name_to_primary);
|
|
||||||
fail_unless(ret == EINVAL);
|
|
||||||
|
|
||||||
- ret = parse_krb5_map_user(mem_ctx, "joe:,", &name_to_primary);
|
|
||||||
+ ret = parse_krb5_map_user(mem_ctx, "joe:,", DOMAIN_NAME,
|
|
||||||
+ &name_to_primary);
|
|
||||||
fail_unless(ret == EINVAL);
|
|
||||||
|
|
||||||
- ret = parse_krb5_map_user(mem_ctx, ",joe", &name_to_primary);
|
|
||||||
+ ret = parse_krb5_map_user(mem_ctx, ",joe", DOMAIN_NAME,
|
|
||||||
+ &name_to_primary);
|
|
||||||
fail_unless(ret == EINVAL);
|
|
||||||
|
|
||||||
- ret = parse_krb5_map_user(mem_ctx, "joe:j:user", &name_to_primary);
|
|
||||||
+ ret = parse_krb5_map_user(mem_ctx, "joe:j:user", DOMAIN_NAME,
|
|
||||||
+ &name_to_primary);
|
|
||||||
fail_unless(ret == EINVAL);
|
|
||||||
|
|
||||||
fail_unless(check_leaks_pop(mem_ctx));
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
@ -1,161 +0,0 @@
|
|||||||
From 08421a1e4416e0992e95c797536864e86ea6cccc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sumit Bose <sbose@redhat.com>
|
|
||||||
Date: Fri, 7 Oct 2016 17:47:59 +0200
|
|
||||||
Subject: [PATCH 80/80] libwbclient-sssd: update interface to version 0.13
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
This patch adds wbcCtxUnixIdsToSids() and wbcUnixIdsToSids() to SSSD's
|
|
||||||
libwbclient and implements the latter.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://fedorahosted.org/sssd/ticket/3181
|
|
||||||
|
|
||||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
(cherry picked from commit f3347a0c72afc75b4d829e9981d1bac6b05a8306)
|
|
||||||
---
|
|
||||||
src/conf_macros.m4 | 4 ++--
|
|
||||||
src/sss_client/libwbclient/wbc_ctx_sssd.c | 7 +++++++
|
|
||||||
src/sss_client/libwbclient/wbc_idmap_sssd.c | 26 ++++++++++++++++++++++++
|
|
||||||
src/sss_client/libwbclient/wbclient.exports | 6 ++++++
|
|
||||||
src/sss_client/libwbclient/wbclient_sssd.h | 31 ++++++++++++++++++++++++++++-
|
|
||||||
5 files changed, 71 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
|
|
||||||
index bc295c5e79d3c699b25cebf38e8c0f0112de010d..427b0e08d400d6e5628537b28bb93bc2fc6239a4 100644
|
|
||||||
--- a/src/conf_macros.m4
|
|
||||||
+++ b/src/conf_macros.m4
|
|
||||||
@@ -727,10 +727,10 @@ AC_DEFUN([WITH_LIBWBCLIENT],
|
|
||||||
if test x"$with_libwbclient" = xyes; then
|
|
||||||
AC_DEFINE(BUILD_LIBWBCLIENT, 1, [whether to build SSSD implementation of libwbclient])
|
|
||||||
|
|
||||||
- libwbclient_version="0.12"
|
|
||||||
+ libwbclient_version="0.13"
|
|
||||||
AC_SUBST(libwbclient_version)
|
|
||||||
|
|
||||||
- libwbclient_version_info="12:0:12"
|
|
||||||
+ libwbclient_version_info="13:0:13"
|
|
||||||
AC_SUBST(libwbclient_version_info)
|
|
||||||
fi
|
|
||||||
AM_CONDITIONAL([BUILD_LIBWBCLIENT], [test x"$with_libwbclient" = xyes])
|
|
||||||
diff --git a/src/sss_client/libwbclient/wbc_ctx_sssd.c b/src/sss_client/libwbclient/wbc_ctx_sssd.c
|
|
||||||
index 1f259ee00e48d68d8da3f6b0abc12175a70c1f20..0f5aff473e984fbc630fc0ca8aa1647de51cbde4 100644
|
|
||||||
--- a/src/sss_client/libwbclient/wbc_ctx_sssd.c
|
|
||||||
+++ b/src/sss_client/libwbclient/wbc_ctx_sssd.c
|
|
||||||
@@ -167,6 +167,13 @@ wbcErr wbcCtxSidsToUnixIds(struct wbcContext *ctx,
|
|
||||||
WBC_SSSD_NOT_IMPLEMENTED;
|
|
||||||
}
|
|
||||||
|
|
||||||
+wbcErr wbcCtxUnixIdsToSids(struct wbcContext *ctx,
|
|
||||||
+ const struct wbcUnixId *ids, uint32_t num_ids,
|
|
||||||
+ struct wbcDomainSid *sids)
|
|
||||||
+{
|
|
||||||
+ WBC_SSSD_NOT_IMPLEMENTED;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
wbcErr wbcCtxAllocateUid(struct wbcContext *ctx, uid_t *puid)
|
|
||||||
{
|
|
||||||
WBC_SSSD_NOT_IMPLEMENTED;
|
|
||||||
diff --git a/src/sss_client/libwbclient/wbc_idmap_sssd.c b/src/sss_client/libwbclient/wbc_idmap_sssd.c
|
|
||||||
index 6b5f525f0433c948e4d570d177dc6cffd82eff40..c8da9754265a1ad3ef098c545a2b2d8d3c548d4d 100644
|
|
||||||
--- a/src/sss_client/libwbclient/wbc_idmap_sssd.c
|
|
||||||
+++ b/src/sss_client/libwbclient/wbc_idmap_sssd.c
|
|
||||||
@@ -202,3 +202,29 @@ wbcErr wbcSidsToUnixIds(const struct wbcDomainSid *sids, uint32_t num_sids,
|
|
||||||
|
|
||||||
return WBC_ERR_SUCCESS;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+wbcErr wbcUnixIdsToSids(const struct wbcUnixId *ids, uint32_t num_ids,
|
|
||||||
+ struct wbcDomainSid *sids)
|
|
||||||
+{
|
|
||||||
+ size_t c;
|
|
||||||
+ wbcErr wbc_status;
|
|
||||||
+
|
|
||||||
+ for (c = 0; c < num_ids; c++) {
|
|
||||||
+ switch (ids[c].type) {
|
|
||||||
+ case WBC_ID_TYPE_UID:
|
|
||||||
+ wbc_status = wbcUidToSid(ids[c].id.uid, &sids[c]);
|
|
||||||
+ break;
|
|
||||||
+ case WBC_ID_TYPE_GID:
|
|
||||||
+ wbc_status = wbcGidToSid(ids[c].id.gid, &sids[c]);
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ wbc_status = WBC_ERR_INVALID_PARAM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
|
|
||||||
+ sids[c] = (struct wbcDomainSid){ 0 };
|
|
||||||
+ };
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return WBC_ERR_SUCCESS;
|
|
||||||
+}
|
|
||||||
diff --git a/src/sss_client/libwbclient/wbclient.exports b/src/sss_client/libwbclient/wbclient.exports
|
|
||||||
index 574c1d1fe232fad0a4c104de086977515a05ab84..9d3c2040e7d393c0057d44864826cefc2e3f7a31 100644
|
|
||||||
--- a/src/sss_client/libwbclient/wbclient.exports
|
|
||||||
+++ b/src/sss_client/libwbclient/wbclient.exports
|
|
||||||
@@ -144,3 +144,9 @@ WBCLIENT_0.12 {
|
|
||||||
wbcCtxPingDc;
|
|
||||||
wbcCtxPingDc2;
|
|
||||||
} WBCLIENT_0.11;
|
|
||||||
+
|
|
||||||
+WBCLIENT_0.13 {
|
|
||||||
+ global:
|
|
||||||
+ wbcUnixIdsToSids;
|
|
||||||
+ wbcCtxUnixIdsToSids;
|
|
||||||
+} WBCLIENT_0.12;
|
|
||||||
diff --git a/src/sss_client/libwbclient/wbclient_sssd.h b/src/sss_client/libwbclient/wbclient_sssd.h
|
|
||||||
index ec6d032814445bff0819b4de0df07ccf4008aefc..50ba7f84304df5f24a31cbbad857f22d1c70964d 100644
|
|
||||||
--- a/src/sss_client/libwbclient/wbclient_sssd.h
|
|
||||||
+++ b/src/sss_client/libwbclient/wbclient_sssd.h
|
|
||||||
@@ -73,9 +73,10 @@ const char *wbcErrorString(wbcErr error);
|
|
||||||
* 0.10: Added wbcPingDc2()
|
|
||||||
* 0.11: Extended wbcAuthenticateUserEx to provide PAC parsing
|
|
||||||
* 0.12: Added wbcCtxCreate and friends
|
|
||||||
+ * 0.13: Added wbcCtxUnixIdsToSids and wbcUnixIdsToSids
|
|
||||||
**/
|
|
||||||
#define WBCLIENT_MAJOR_VERSION 0
|
|
||||||
-#define WBCLIENT_MINOR_VERSION 12
|
|
||||||
+#define WBCLIENT_MINOR_VERSION 13
|
|
||||||
#define WBCLIENT_VENDOR_VERSION "Samba libwbclient"
|
|
||||||
struct wbcLibraryDetails {
|
|
||||||
uint16_t major_version;
|
|
||||||
@@ -1031,6 +1032,34 @@ wbcErr wbcSidsToUnixIds(const struct wbcDomainSid *sids, uint32_t num_sids,
|
|
||||||
struct wbcUnixId *ids);
|
|
||||||
|
|
||||||
/**
|
|
||||||
+ * @brief Convert a list of unix ids to sids
|
|
||||||
+ *
|
|
||||||
+ * @param ctx wbclient Context
|
|
||||||
+ * @param ids Pointer to an array of UNIX IDs to convert
|
|
||||||
+ * @param num_ids Number of UNIX IDs
|
|
||||||
+ * @param sids Preallocated output array for translated SIDs
|
|
||||||
+ *
|
|
||||||
+ * @return #wbcErr
|
|
||||||
+ *
|
|
||||||
+ **/
|
|
||||||
+wbcErr wbcCtxUnixIdsToSids(struct wbcContext *ctx,
|
|
||||||
+ const struct wbcUnixId *ids, uint32_t num_ids,
|
|
||||||
+ struct wbcDomainSid *sids);
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+ * @brief Convert a list of unix ids to sids
|
|
||||||
+ *
|
|
||||||
+ * @param ids Pointer to an array of UNIX IDs to convert
|
|
||||||
+ * @param num_ids Number of UNIX IDs
|
|
||||||
+ * @param sids Preallocated output array for translated SIDs
|
|
||||||
+ *
|
|
||||||
+ * @return #wbcErr
|
|
||||||
+ *
|
|
||||||
+ **/
|
|
||||||
+wbcErr wbcUnixIdsToSids(const struct wbcUnixId *ids, uint32_t num_ids,
|
|
||||||
+ struct wbcDomainSid *sids);
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
* @brief Obtain a new uid from Winbind
|
|
||||||
*
|
|
||||||
* @param *ctx wbclient Context
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
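--- a/sources
+++ b/sources
@@ -1 +1 @@
-cb79e3a391a537fd2be487d822bbf7c1 sssd-1.14.1.tar.gz
+8ddcc386b539c1adb6de85e6b290f572 sssd-1.14.2.tar.gz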
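Review bot: MD5 appears to be the only integrity check on the new tarball: the added `sources` line carries a 32-hex-digit digest for sssd-1.14.2.tar.gz, which is MD5 width, and MD5 is not collision-resistant. If the packaging tooling in use accepts a stronger digest, record one instead, for example `SHA512 (sssd-1.14.2.tar.gz) = <sha512-of-verified-tarball>`, where the value is a placeholder to be computed from a tarball checked against upstream's published checksum or signature. Nothing visible in this section shows that the download was verified before the digest was recorded, so it would help to say in the commit message how that was done.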
103
sssd.spec
103
sssd.spec
@ -25,8 +25,8 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 1.14.1
|
Version: 1.14.2
|
||||||
Release: 4%{?dist}
|
Release: 1%{?dist}
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -35,86 +35,6 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
|
|||||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||||
|
|
||||||
### Patches ###
|
### Patches ###
|
||||||
Patch0001: 0001-CONFIG-selinux_provider-is-a-valid-provider-type.patch
|
|
||||||
Patch0002: 0002-CONFIG-session_provider-does-not-exist-anymore.patch
|
|
||||||
Patch0003: 0003-PROXY-Use-the-fqname-when-converting-to-lowercase.patch
|
|
||||||
Patch0004: 0004-sssd_netgroup.py-Resolve-nested-netgroups.patch
|
|
||||||
Patch0005: 0005-LDAP-Fixing-of-removing-netgroup-from-cache.patch
|
|
||||||
Patch0006: 0006-INTG-Adding-support-for-netgroups-to-ldap_ent.patch
|
|
||||||
Patch0007: 0007-INTG-Tests-for-ldap-nested-netgroups.patch
|
|
||||||
Patch0008: 0008-watchdog-cope-with-time-shift.patch
|
|
||||||
Patch0009: 0009-BUILD-Allow-to-read-private-pipes-for-root.patch
|
|
||||||
Patch0010: 0010-SYSDB-Rework-sysdb_cache_connect.patch
|
|
||||||
Patch0011: 0011-SYSDB-Remove-the-timestamp-cache-for-a-newly-created.patch
|
|
||||||
Patch0012: 0012-SECRETS-Return-ENOENT-when_deleting-a-non-existent-s.patch
|
|
||||||
Patch0013: 0013-SPEC-Fix-typo-in-Summary.patch
|
|
||||||
Patch0014: 0014-IPA-Parse-qualified-names-when-guessing-AD-user-prin.patch
|
|
||||||
Patch0015: 0015-PROXY-Remove-lowercase-attribute-from-save_user.patch
|
|
||||||
Patch0016: 0016-PROXY-Remove-cache_timeout-attribute-from-save_user.patch
|
|
||||||
Patch0017: 0017-PROXY-Remove-cache_timeout-attribute-from-save_group.patch
|
|
||||||
Patch0018: 0018-PROXY-Mention-that-save_user-s-parameters-are-alread.patch
|
|
||||||
Patch0019: 0019-PROXY-Share-common-code-of-save_-group-user.patch
|
|
||||||
Patch0020: 0020-SYSDB-Fix-uninitialized-scalar-variable.patch
|
|
||||||
Patch0021: 0021-BUILD-Add-a-few-more-targets-for-intg-tests.patch
|
|
||||||
Patch0022: 0022-BUILD-Clean-up-prerelease-targets.patch
|
|
||||||
Patch0023: 0023-BUILD-Fix-typo-in-intgcheck-run-rule.patch
|
|
||||||
Patch0024: 0024-BUILD-Remove-leftover-after-sysdb-refactoring.patch
|
|
||||||
Patch0025: 0025-MONITOR-Remove-the-no-longer-used-diag_cmd-command.patch
|
|
||||||
Patch0026: 0026-MONITOR-Remove-the-no-longer-used-kill_service-comma.patch
|
|
||||||
Patch0027: 0027-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch
|
|
||||||
Patch0028: 0028-PROXY-Use-right-name-in-ldap-filter.patch
|
|
||||||
Patch0029: 0029-SECRETS-Make-internal-function-static.patch
|
|
||||||
Patch0030: 0030-SECRETS-Make-reading-the-config-options-more-uniform.patch
|
|
||||||
Patch0031: 0031-dyndns-fix-typo-and-unify-ipa-with-ad-debug-message-.patch
|
|
||||||
Patch0032: 0032-netlink-Don-t-define-USE_GNU.patch
|
|
||||||
Patch0033: 0033-MONITOR-Remove-leftovers-from-diag_cmd.patch
|
|
||||||
Patch0034: 0034-MONITOR-Remove-leftovers-from-kill_service.patch
|
|
||||||
Patch0035: 0035-SYSDB-Fix-error-handling-in-sysdb_get_user_members_r.patch
|
|
||||||
Patch0036: 0036-DEBUG-Apend-line-feed-to-messages-from-libsemanage.patch
|
|
||||||
Patch0037: 0037-MAN-Document-the-ldap_user_primary_group-option.patch
|
|
||||||
Patch0038: 0038-sdap_initgr_nested_get_membership_diff-use-fully-qua.patch
|
|
||||||
Patch0039: 0039-SYSDB-Removing-of-unused-parameter.patch
|
|
||||||
Patch0040: 0040-SYSDB-Suppress-warning-from-clang-static-analyser.patch
|
|
||||||
Patch0041: 0041-TOOLS-Fix-a-typo-in-groupadd.patch
|
|
||||||
Patch0042: 0042-TOOLS-sss_groupshow-did-not-work.patch
|
|
||||||
Patch0043: 0043-TESTS-sss_groupadd-groupshow-regressions.patch
|
|
||||||
Patch0044: 0044-TOOLS-use-internal-fqdn-for-DN.patch
|
|
||||||
Patch0045: 0045-TESTS-Test-for-sss_user-groupmod-a.patch
|
|
||||||
Patch0046: 0046-TOOLS-sss_mc_refresh_nested_group-short-fqname-usage.patch
|
|
||||||
Patch0047: 0047-TESTS-Add-FQDN-variants-for-some-tests.patch
|
|
||||||
Patch0048: 0048-KRB5-Send-the-output-username-not-internal-fqname-to.patch
|
|
||||||
Patch0049: 0049-MONITOR-Remove-disable-netlink-command-line-option.patch
|
|
||||||
Patch0050: 0050-MONITOR-Add-disable_netlink-option.patch
|
|
||||||
Patch0051: 0051-TOOLS-sss_override-without-name-override.patch
|
|
||||||
Patch0052: 0052-TEST-Add-regression-test-for-ticket-3179.patch
|
|
||||||
Patch0053: 0053-TOOLS-sss_groupshow-fails-to-show-MPG.patch
|
|
||||||
Patch0054: 0054-TESTS-sss_groupshow-with-MPG.patch
|
|
||||||
Patch0055: 0055-KRB5-Return-ERR_NETWORK_IO-on-clock-skew.patch
|
|
||||||
Patch0056: 0056-SDAP-Fix-settig-paging-attribute-in-sdap_get_generic.patch
|
|
||||||
Patch0057: 0057-PROXY-Adding-proxy_max_children-option.patch
|
|
||||||
Patch0058: 0058-SECRETS-Search-by-the-right-type-when-checking-conta.patch
|
|
||||||
Patch0059: 0059-LDAP-Return-partial-results-from-adminlimit-exceeded.patch
|
|
||||||
Patch0060: 0060-MAN-sssd-sudo-manual-update-IPA-native-LDAP-tree-sup.patch
|
|
||||||
Patch0061: 0061-p11-only-set-PKCS11_LOGIN_TOKEN_NAME-if-gdm-smartcar.patch
|
|
||||||
Patch0062: 0062-p11-return-a-fully-qualified-name.patch
|
|
||||||
Patch0063: 0063-pam_sss-check-PKCS11_LOGIN_TOKEN_NAME.patch
|
|
||||||
Patch0064: 0064-SECRETS-Don-t-remove-a-container-when-it-has-childre.patch
|
|
||||||
Patch0065: 0065-PAM-call-free-only-when-memory-is-expected-to-be-all.patch
|
|
||||||
Patch0066: 0066-TESTS-Fixing-of-const-warnings-in-sbus-tests.patch
|
|
||||||
Patch0067: 0067-MAKEFILE-Fixing-CFLAGS-in-some-tests.patch
|
|
||||||
Patch0068: 0068-TESTS-Add-integration-tests-for-the-sssd-secrets.patch
|
|
||||||
Patch0069: 0069-AUTOFS-Fix-offline-resolution-of-autofs-maps.patch
|
|
||||||
Patch0070: 0070-NSS-Fix-offline-resolution-of-netgroups.patch
|
|
||||||
Patch0071: 0071-TESTS-Test-offline-netgroups-resolution.patch
|
|
||||||
Patch0072: 0072-Remove-double-semicolon-at-the-end-of-line.patch
|
|
||||||
Patch0073: 0073-TESTS-Add-simple-test-for-double-semicolon.patch
|
|
||||||
Patch0074: 0074-failover-proceed-normally-when-no-new-server-is-foun.patch
|
|
||||||
Patch0075: 0075-tests-Add-a-regression-test-for-upstream-ticket-3131.patch
|
|
||||||
Patch0076: 0076-IFP-expose-user-and-group-unique-IDs-through-DBus.patch
|
|
||||||
Patch0077: 0077-SSSDConfig-Do-not-fail-with-nonexisting-domains-serv.patch
|
|
||||||
Patch0078: 0078-SPEC-Rename-python-packages-using-macro-python_provi.patch
|
|
||||||
Patch0079: 0079-KRB5-Fixing-FQ-name-of-user-in-krb5_setup.patch
|
|
||||||
Patch0080: 0080-libwbclient-sssd-update-interface-to-version-0.13.patch
|
|
||||||
|
|
||||||
### Dependencies ###
|
### Dependencies ###
|
||||||
|
|
||||||
@ -484,7 +404,7 @@ Obsoletes: libipa_hbac-python < 1.13.0
|
|||||||
%{?python_provide:%python_provide python2-libipa_hbac}
|
%{?python_provide:%python_provide python2-libipa_hbac}
|
||||||
|
|
||||||
%description -n python2-libipa_hbac
|
%description -n python2-libipa_hbac
|
||||||
The python-libipa_hbac contains the bindings so that libipa_hbac can be
|
The python2-libipa_hbac contains the bindings so that libipa_hbac can be
|
||||||
used by Python applications.
|
used by Python applications.
|
||||||
|
|
||||||
%package -n python3-libipa_hbac
|
%package -n python3-libipa_hbac
|
||||||
@ -661,10 +581,6 @@ autoreconf -ivf
|
|||||||
make %{?_smp_mflags} all docs
|
make %{?_smp_mflags} all docs
|
||||||
|
|
||||||
%check
|
%check
|
||||||
# workaround for wrong permissing in test introduced in patch
|
|
||||||
# remove after rebase to 1.14.2
|
|
||||||
chmod a+x ./src/tests/double_semicolon_test
|
|
||||||
|
|
||||||
export CK_TIMEOUT_MULTIPLIER=10
|
export CK_TIMEOUT_MULTIPLIER=10
|
||||||
make %{?_smp_mflags} check VERBOSE=yes
|
make %{?_smp_mflags} check VERBOSE=yes
|
||||||
unset CK_TIMEOUT_MULTIPLIER
|
unset CK_TIMEOUT_MULTIPLIER
|
||||||
@ -853,6 +769,7 @@ done
|
|||||||
%{_mandir}/man5/sssd.conf.5*
|
%{_mandir}/man5/sssd.conf.5*
|
||||||
%{_mandir}/man5/sssd-simple.5*
|
%{_mandir}/man5/sssd-simple.5*
|
||||||
%{_mandir}/man5/sssd-sudo.5*
|
%{_mandir}/man5/sssd-sudo.5*
|
||||||
|
%{_mandir}/man5/sssd-secrets.5*
|
||||||
%{_mandir}/man5/sss_rpcidmapd.5*
|
%{_mandir}/man5/sss_rpcidmapd.5*
|
||||||
%{_mandir}/man8/sssd.8*
|
%{_mandir}/man8/sssd.8*
|
||||||
%{_mandir}/man8/sss_cache.8*
|
%{_mandir}/man8/sss_cache.8*
|
||||||
@ -1141,14 +1058,6 @@ fi
|
|||||||
%postun -n libsss_simpleifp -p /sbin/ldconfig
|
%postun -n libsss_simpleifp -p /sbin/ldconfig
|
||||||
|
|
||||||
%posttrans libwbclient
|
%posttrans libwbclient
|
||||||
# Alternatives was removed only if package was uninstalled
|
|
||||||
# However in cease of package upgrade and soname bump the
|
|
||||||
# the old alternative was not removed.
|
|
||||||
# This is a workaround/fix for unused alternative
|
|
||||||
%{_sbindir}/update-alternatives \
|
|
||||||
--remove libwbclient.so.0.11%{libwbc_alternatives_suffix} \
|
|
||||||
%{_libdir}/%{name}/modules/libwbclient.so.0.11.0
|
|
||||||
|
|
||||||
%{_sbindir}/update-alternatives \
|
%{_sbindir}/update-alternatives \
|
||||||
--install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
|
--install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
|
||||||
libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
|
libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
|
||||||
@ -1172,6 +1081,10 @@ fi
|
|||||||
%{_libdir}/%{name}/modules/libwbclient.so
|
%{_libdir}/%{name}/modules/libwbclient.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Oct 20 2016 Lukas Slebodnik <lslebodn@redhat.com> - 1.14.2-1
|
||||||
|
- New upstream release 1.14.2
|
||||||
|
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2
|
||||||
|
|
||||||
* Fri Oct 14 2016 Lukas Slebodnik <lslebodn@redhat.com> - 1.14.1-4
|
* Fri Oct 14 2016 Lukas Slebodnik <lslebodn@redhat.com> - 1.14.1-4
|
||||||
- libwbclient-sssd: update interface to version 0.13
|
- libwbclient-sssd: update interface to version 0.13
|
||||||
|
|
||||||
|