rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

New upstream release 1.14.2

Browse Source 
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2
This commit is contained in:
Lukas Slebodnik 2016-10-20 16:06:13 +02:00
parent 856526f769
commit 85427c072c
83 changed files with 10 additions and 8503 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -72,3 +72,4 @@ sssd-1.2.91.tar.gz
/sssd-1.14.0beta1.tar.gz
/sssd-1.14.0.tar.gz
/sssd-1.14.1.tar.gz
/sssd-1.14.2.tar.gz

79
0001-CONFIG-selinux_provider-is-a-valid-provider-type.patch
View File

@ -1,79 +0,0 @@
From 78db9b76d9be4aa307fbaaba7315b121421e8826 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 19 Aug 2016 11:36:41 +0200
Subject: [PATCH 01/39] CONFIG: selinux_provider is a valid provider type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We should not warn about it in the validator and should allow
selinux_provider from the config API.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit dec00197181ee8f7efbfbdadd73629f66f80f1ff)
---
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/SSSDConfigTest.py | 2 ++
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
4 files changed, 5 insertions(+)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 1718a9babf390b95710ec356f25f09ea679bdd73..9683ea63e042115c20010cfb0904b2f65d76468b 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -128,6 +128,7 @@ option_strings = {
'autofs_provider' : _('Autofs provider'),
'session_provider' : _('Session-loading provider'),
'hostid_provider' : _('Host identity provider'),
+ 'selinux_provider' : _('SELinux provider'),
# [domain]
'min_id' : _('Minimum user ID'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 00c688f1e57c5f481d3adba2fe0374145216bc33..09adf1faad767968dc1df2cc1668144526ffe504 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -557,6 +557,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'session_provider',
'hostid_provider',
'subdomains_provider',
+ 'selinux_provider',
'realmd_tags',
'subdomain_refresh_interval',
'subdomain_inherit',
@@ -926,6 +927,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'session_provider',
'hostid_provider',
'subdomains_provider',
+ 'selinux_provider',
'realmd_tags',
'subdomain_refresh_interval',
'subdomain_inherit',
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index ef6435b08aee416e377fe854e6768f3fa4fd9650..f0b4c4e7640aa24cf14815b2717327c742fcd89a 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -251,6 +251,7 @@ option = autofs_provider
option = session_provider
option = hostid_provider
option = subdomains_provider
+option = selinux_provider
# Options available to all domains
option = min_id
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 5ac6f79521f5f776fc17319c3afb87d44961afca..94edb45ad2b85e3f4200a917c914a8f4fcb29c28 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -106,6 +106,7 @@ autofs_provider = str, None, false
session_provider = str, None, false
hostid_provider = str, None, false
subdomains_provider = str, None, false
+selinux_provider = str, None, false
[domain]
# Options available to all domains
--
2.9.3

81
0002-CONFIG-session_provider-does-not-exist-anymore.patch
View File

@ -1,81 +0,0 @@
From b37a86a8a84255742bbcffcb47e9e1a1dded0113 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 19 Aug 2016 11:48:20 +0200
Subject: [PATCH 02/39] CONFIG: session_provider does not exist anymore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The session_provider used to exist a long time ago when we used to set
the SELinux context from it, but the provider had been removed for a
long time. We just forgot to remove the value from the config API and
the validator.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit d940593e647731c0caec1fd04cf16a1b23578f32)
---
src/config/SSSDConfig/__init__.py.in | 1 -
src/config/SSSDConfigTest.py | 2 --
src/config/cfg_rules.ini | 1 -
src/config/etc/sssd.api.conf | 1 -
4 files changed, 5 deletions(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 9683ea63e042115c20010cfb0904b2f65d76468b..b3f04ac26309bb5b518fb87cd0dae2962e853179 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -126,7 +126,6 @@ option_strings = {
'chpass_provider' : _('Password change provider'),
'sudo_provider' : _('SUDO provider'),
'autofs_provider' : _('Autofs provider'),
- 'session_provider' : _('Session-loading provider'),
'hostid_provider' : _('Host identity provider'),
'selinux_provider' : _('SELinux provider'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 09adf1faad767968dc1df2cc1668144526ffe504..8fcd1a55c36035a7026f1fb4c8116aaae24e78ef 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -554,7 +554,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'chpass_provider',
'sudo_provider',
'autofs_provider',
- 'session_provider',
'hostid_provider',
'subdomains_provider',
'selinux_provider',
@@ -924,7 +923,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'chpass_provider',
'sudo_provider',
'autofs_provider',
- 'session_provider',
'hostid_provider',
'subdomains_provider',
'selinux_provider',
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index f0b4c4e7640aa24cf14815b2717327c742fcd89a..df10538dee4a547a1b1af62a4cfe37b89e236b18 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -248,7 +248,6 @@ option = access_provider
option = chpass_provider
option = sudo_provider
option = autofs_provider
-option = session_provider
option = hostid_provider
option = subdomains_provider
option = selinux_provider
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 94edb45ad2b85e3f4200a917c914a8f4fcb29c28..5e69414f2a490977bdaf1555325814ad61202071 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -103,7 +103,6 @@ access_provider = str, None, false
chpass_provider = str, None, false
sudo_provider = str, None, false
autofs_provider = str, None, false
-session_provider = str, None, false
hostid_provider = str, None, false
subdomains_provider = str, None, false
selinux_provider = str, None, false
--
2.9.3

40
0003-PROXY-Use-the-fqname-when-converting-to-lowercase.patch
View File

@ -1,40 +0,0 @@
From 224612480eb4a64b23e096a96e7c5ea0d746d25a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 23 Aug 2016 23:46:59 +0200
Subject: [PATCH 03/39] PROXY: Use the fqname when converting to lowercase
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When saving the user there is a comparison between the "cased alias"
and the "lowercase password name". However, the first doesn't use fully
qualified name while the second does, resulting in a not expected
override of the "nameAlias" attribute of a stored user when trying to
authenticate more than once using an alias.
Resolves:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 5691b2d668541585d2a8ae3ddb834f29d828036e)
---
src/providers/proxy/proxy_id.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index 26f4d7499c02272e524ba9b713108189cd910bfd..b0c82807b42d91a4212578ca98af7f96484735b1 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -256,7 +256,7 @@ static int save_user(struct sss_domain_info *domain,
}
if (lowercase) {
- lc_pw_name = sss_tc_utf8_str_tolower(attrs, pwd->pw_name);
+ lc_pw_name = sss_tc_utf8_str_tolower(attrs, real_name);
if (lc_pw_name == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
ret = ENOMEM;
--
2.9.3

253
0004-sssd_netgroup.py-Resolve-nested-netgroups.patch
View File

@ -1,253 +0,0 @@
From 3c1c173bab2e3ee3058f5661562080d6a65e324f Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 10 Aug 2016 20:05:52 +0200
Subject: [PATCH 04/39] sssd_netgroup.py: Resolve nested netgroups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit c596fc4d75304ff224cbad0aa2aecd3cbe82d2ff)
---
src/tests/intg/sssd_netgroup.py | 204 ++++++++++++++++++++++++++++++----------
1 file changed, 154 insertions(+), 50 deletions(-)
diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py
index 3525261cb28707db9031ee1dfeb144ae4c362833..2c7f76fad4da0003d1760a359ac9a1834abbb2f9 100644
--- a/src/tests/intg/sssd_netgroup.py
+++ b/src/tests/intg/sssd_netgroup.py
@@ -71,49 +71,173 @@ class Netgrent(Structure):
("nip", c_void_p)]
-def call_sssd_setnetgrent(netgroup):
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
+class NetgroupRetriever(object):
+ def __init__(self, name):
+ self.name = name
+ self.needed_groups = []
+ self.known_groups = []
+ self.netgroups = []
- func = libnss_sss._nss_sss_setnetgrent
- func.restype = c_int
- func.argtypes = [c_char_p, POINTER(Netgrent)]
+ @staticmethod
+ def _setnetgrent(netgroup):
+ """
+ This private method is ctypes wrapper for
+ enum nss_status _nss_sss_setnetgrent(const char *netgroup,
+ struct __netgrent *result)
- result = Netgrent()
- result_p = POINTER(Netgrent)(result)
+ @param string name name of netgroup
- res = func(c_char_p(netgroup), result_p)
+ @return (int, POINTER(Netgrent)) (err, result_p)
+ err is a constant from class NssReturnCode and in case of SUCCESS
+ result_p will contain POINTER(Netgrent) which can be used in
+ _getnetgrent_r or _getnetgrent_r.
+ """
+ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
+ libnss_sss = cdll.LoadLibrary(libnss_sss_path)
- return (int(res), result_p)
+ func = libnss_sss._nss_sss_setnetgrent
+ func.restype = c_int
+ func.argtypes = [c_char_p, POINTER(Netgrent)]
+ result = Netgrent()
+ result_p = POINTER(Netgrent)(result)
-def call_sssd_getnetgrent_r(result_p, buff, buff_len):
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
+ res = func(c_char_p(netgroup), result_p)
- func = libnss_sss._nss_sss_getnetgrent_r
- func.restype = c_int
- func.argtypes = [POINTER(Netgrent), POINTER(c_char), c_size_t,
- POINTER(c_int)]
+ return (int(res), result_p)
- errno = POINTER(c_int)(c_int(0))
+ @staticmethod
+ def _getnetgrent_r(result_p, buff, buff_len):
+ """
+ This private method is ctypes wrapper for
+ enum nss_status _nss_sss_getnetgrent_r(struct __netgrent *result,
+ char *buffer, size_t buflen,
+ int *errnop)
+ @param POINTER(Netgrent) result_p pointer to initialized C structure
+ struct __netgrent
+ @param ctypes.c_char_Array buff buffer used by C functions
+ @param int buff_len size of c_char_Array passed as a paramere buff
- res = func(result_p, buff, buff_len, errno)
+ @return (int, int, List[(string, string, string])
+ (err, errno, netgroups)
+ if err is NssReturnCode.SUCCESS netgroups will contain list of
+ touples. Each touple will consist of 3 elemets either string or
+ """
+ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
+ libnss_sss = cdll.LoadLibrary(libnss_sss_path)
- return (int(res), int(errno[0]), result_p)
+ func = libnss_sss._nss_sss_getnetgrent_r
+ func.restype = c_int
+ func.argtypes = [POINTER(Netgrent), POINTER(c_char), c_size_t,
+ POINTER(c_int)]
+ errno = POINTER(c_int)(c_int(0))
-def call_sssd_endnetgrent(result_p):
- libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
- libnss_sss = cdll.LoadLibrary(libnss_sss_path)
+ res = func(result_p, buff, buff_len, errno)
- func = libnss_sss._nss_sss_endnetgrent
- func.restype = c_int
- func.argtypes = [POINTER(Netgrent)]
+ return (int(res), int(errno[0]), result_p)
- res = func(result_p)
+ @staticmethod
+ def _endnetgrent(result_p):
+ """
+ This private method is ctypes wrapper for
+ enum nss_status _nss_sss_endnetgrent(struct __netgrent *result)
- return int(res)
+ @param POINTER(Netgrent) result_p pointer to initialized C structure
+ struct __netgrent
+
+ @return int a constant from class NssReturnCode
+ """
+ libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2"
+ libnss_sss = cdll.LoadLibrary(libnss_sss_path)
+
+ func = libnss_sss._nss_sss_endnetgrent
+ func.restype = c_int
+ func.argtypes = [POINTER(Netgrent)]
+
+ res = func(result_p)
+
+ return int(res)
+
+ def get_netgroups(self):
+ """
+ Function will return netgroup triplets for given user. All nested
+ netgroups will be retieved as part of executions and will content
+ will be merged with direct triplets.
+ Missing nested netgroups will not cause failure and are considered
+ as an empty netgroup without triplets.
+
+ @param string name name of netgroup
+
+ @return (int, int, List[(string, string, string])
+ (err, errno, netgroups)
+ if err is NssReturnCode.SUCCESS netgroups will contain list of
+ touples. Each touple will consist of 3 elemets either string or
+ None (host, user, domain).
+ """
+ res, errno, result = self._flat_fetch_netgroups(self.name)
+ if res != NssReturnCode.SUCCESS:
+ return (res, errno, self.netgroups)
+
+ self.netgroups += result
+
+ while self.needed_groups:
+ name = self.needed_groups.pop(0)
+
+ nest_res, nest_errno, result = self._flat_fetch_netgroups(name)
+ # do not fail for missing nested netgroup
+ if nest_res not in (NssReturnCode.SUCCESS, NssReturnCode.NOTFOUND):
+ return (nest_res, nest_errno, self.netgroups)
+
+ self.netgroups = result + self.netgroups
+
+ return (res, errno, self.netgroups)
+
+ def _flat_fetch_netgroups(self, name):
+ """
+ Function will return netgroup triplets for given user. The nested
+ netgroups will not be returned. Missing nested netgroups will be
+ appended to the array needed_groups
+
+ @param string name name of netgroup
+
+ @return (int, int, List[(string, string, string])
+ (err, errno, netgroups)
+ if err is NssReturnCode.SUCCESS netgroups will contain list of
+ touples. Each touple will consist of 3 elemets either string or
+ None (host, user, domain).
+ """
+ buff_len = 1024 * 1024
+ buff = create_string_buffer(buff_len)
+
+ result = []
+
+ res, result_p = self._setnetgrent(name)
+ if res != NssReturnCode.SUCCESS:
+ return (res, get_errno(), result)
+
+ res, errno, result_p = self._getnetgrent_r(result_p, buff, buff_len)
+ while res == NssReturnCode.SUCCESS:
+ if result_p[0].type == NetgroupType.GROUP_VAL:
+ nested_netgroup = result_p[0].val.group
+ if nested_netgroup not in self.known_groups:
+ self.needed_groups.append(nested_netgroup)
+ self.known_groups.append(nested_netgroup)
+
+ if result_p[0].type == NetgroupType.TRIPLE_VAL:
+ result.append((result_p[0].val.triple.host,
+ result_p[0].val.triple.user,
+ result_p[0].val.triple.domain))
+
+ res, errno, result_p = self._getnetgrent_r(result_p, buff,
+ buff_len)
+
+ if res != NssReturnCode.RETURN:
+ return (res, errno, result)
+
+ res = self._endnetgrent(result_p)
+
+ return (res, errno, result)
def get_sssd_netgroups(name):
@@ -129,27 +253,7 @@ def get_sssd_netgroups(name):
Each touple will consist of 3 elemets either string or None
(host, user, domain).
"""
- buff_len = 1024 * 1024
- buff = create_string_buffer(buff_len)
- result = []
+ retriever = NetgroupRetriever(name)
- res, result_p = call_sssd_setnetgrent(name)
- if res != NssReturnCode.SUCCESS:
- return (res, get_errno(), result)
-
- res, errno, result_p = call_sssd_getnetgrent_r(result_p, buff, buff_len)
- while res == NssReturnCode.SUCCESS:
- assert result_p[0].type == NetgroupType.TRIPLE_VAL
- result.append((result_p[0].val.triple.host,
- result_p[0].val.triple.user,
- result_p[0].val.triple.domain))
- res, errno, result_p = call_sssd_getnetgrent_r(result_p, buff,
- buff_len)
-
- if res != NssReturnCode.RETURN:
- return (res, errno, result)
-
- res = call_sssd_endnetgrent(result_p)
-
- return (res, errno, result)
+ return retriever.get_netgroups()
--
2.9.3

50
0005-LDAP-Fixing-of-removing-netgroup-from-cache.patch
View File

@ -1,50 +0,0 @@
From 5ac050f0f5160dc433aba21fd1ae2f2a8ffa9a88 Mon Sep 17 00:00:00 2001
From: Petr Cech <pcech@redhat.com>
Date: Fri, 22 Jul 2016 14:28:54 +0200
Subject: [PATCH 05/39] LDAP: Fixing of removing netgroup from cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There were problem with local key which wasn't properly removed.
This patch fixes it.
Resolves:
https://fedorahosted.org/sssd/ticket/2841
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit bf141e052a81b28ee0ad2f61ff8b4879e4faa13b)
---
src/providers/ldap/sdap_async_netgroups.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
index df233d956df70cfcb5f68bd2afc9e2a23c50c3bb..e1d69ad769f542cccffca50547932a5bfb352230 100644
--- a/src/providers/ldap/sdap_async_netgroups.c
+++ b/src/providers/ldap/sdap_async_netgroups.c
@@ -138,6 +138,22 @@ static errno_t sdap_save_netgroup(TALLOC_CTX *memctx,
goto fail;
}
+ /* We store memberNisNetgroup from LDAP as originalMemberNisNetgroup in
+ * sysdb. It may contain simple name or DN. That's the reason why we always
+ * translate/generate simple name and store it in SYSDB_NETGROUP_MEMBER
+ * (memberNisNetgroup) in sysdb which is internally used for searching
+ * netgropus.
+ * We need to ensure if originalMemberNisNetgroup is missing,
+ * memberNisNetgroup is missing too.
+ */
+ if (string_in_list(SYSDB_ORIG_NETGROUP_MEMBER, missing, false)) {
+ ret = add_string_to_list(attrs, SYSDB_NETGROUP_MEMBER, &missing);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add string into list\n");
+ goto fail;
+ }
+ }
+
ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, missing,
dom->netgroup_timeout, now);
if (ret) goto fail;
--
2.9.3

54
0006-INTG-Adding-support-for-netgroups-to-ldap_ent.patch
View File

@ -1,54 +0,0 @@
From f3f50d7a9ca36d0d56f29d25e4fceaa50c9a06e9 Mon Sep 17 00:00:00 2001
From: Petr Cech <pcech@redhat.com>
Date: Wed, 17 Aug 2016 14:01:09 +0200
Subject: [PATCH 06/39] INTG: Adding support for netgroups to ldap_ent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://fedorahosted.org/sssd/ticket/2841
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 1cba321946084231c220e9561487555671b944c3)
---
src/tests/intg/ldap_ent.py | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/tests/intg/ldap_ent.py b/src/tests/intg/ldap_ent.py
index f8f2f7fe6977aec6fd704ad1c78a476a163a16f1..c912844b063cfeb9c48744d593685d0b7fbcc706 100644
--- a/src/tests/intg/ldap_ent.py
+++ b/src/tests/intg/ldap_ent.py
@@ -87,6 +87,20 @@ def group_bis(base_dn, cn, gidNumber, member_uids=[], member_gids=[]):
return ("cn=" + cn + ",ou=Groups," + base_dn, attr_list)
+def netgroup(base_dn, cn, triples=(), members=()):
+ """
+ Generate an RFC2307bis netgroup add-modlist for passing to ldap.add*.
+ """
+ attr_list = [
+ ('objectClass', ['top', 'nisNetgroup'])
+ ]
+ if triples:
+ attr_list.append(('nisNetgroupTriple', triples))
+ if members:
+ attr_list.append(('memberNisNetgroup', members))
+ return ("cn=" + cn + ",ou=Netgroups," + base_dn, attr_list)
+
+
class List(list):
"""LDAP add-modlist list"""
@@ -124,3 +138,8 @@ class List(list):
self.append(group_bis(base_dn or self.base_dn,
cn, gidNumber,
member_uids, member_gids))
+
+ def add_netgroup(self, cn, triples=(), members=(), base_dn=None):
+ """Add an RFC2307bis netgroup add-modlist."""
+ self.append(netgroup(base_dn or self.base_dn,
+ cn, triples, members))
--
2.9.3

501
0007-INTG-Tests-for-ldap-nested-netgroups.patch
View File

@ -1,501 +0,0 @@
From 620d402a126580a13730f446dd99bf50814c9fb8 Mon Sep 17 00:00:00 2001
From: Petr Cech <pcech@redhat.com>
Date: Wed, 17 Aug 2016 13:58:30 +0200
Subject: [PATCH 07/39] INTG: Tests for ldap nested netgroups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch adds tests on reproducer of t2841.
Resolves:
https://fedorahosted.org/sssd/ticket/2841
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 05457ed0e399aaacc919b7aacee5d8210e1c1072)
---
src/tests/intg/Makefile.am | 1 +
src/tests/intg/test_netgroup.py | 459 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 460 insertions(+)
create mode 100644 src/tests/intg/test_netgroup.py
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index d73e4216310ccd1c90e6b7eb0a0e60068fc45bd5..75422a4417046116bec11a8a680fe2248e3afb69 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -15,6 +15,7 @@ dist_noinst_DATA = \
test_ldap.py \
test_memory_cache.py \
test_ts_cache.py \
+ test_netgroup.py \
$(NULL)
config.py: config.py.m4
diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
new file mode 100644
index 0000000000000000000000000000000000000000..b99476126844e35d5dbc1793077720b4020c2fb7
--- /dev/null
+++ b/src/tests/intg/test_netgroup.py
@@ -0,0 +1,459 @@
+#
+# Netgroup integration test
+#
+# Copyright (c) 2016 Red Hat, Inc.
+# Author: Petr Cech <pcech@redhat.com>
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import stat
+import signal
+import subprocess
+import time
+import ldap
+import ldap.modlist
+import pytest
+
+import config
+import ds_openldap
+import ldap_ent
+from util import unindent
+import sssd_netgroup
+
+LDAP_BASE_DN = "dc=example,dc=com"
+
+
+@pytest.fixture(scope="module")
+def ds_inst(request):
+ """LDAP server instance fixture"""
+ ds_inst = ds_openldap.DSOpenLDAP(
+ config.PREFIX, 10389, LDAP_BASE_DN,
+ "cn=admin", "Secret123"
+ )
+
+ try:
+ ds_inst.setup()
+ except:
+ ds_inst.teardown()
+ raise
+ request.addfinalizer(ds_inst.teardown)
+ return ds_inst
+
+
+@pytest.fixture(scope="module")
+def ldap_conn(request, ds_inst):
+ """LDAP server connection fixture"""
+ ldap_conn = ds_inst.bind()
+ ldap_conn.ds_inst = ds_inst
+ request.addfinalizer(ldap_conn.unbind_s)
+ return ldap_conn
+
+
+def create_ldap_entries(ldap_conn, ent_list=None):
+ """Add LDAP entries from ent_list"""
+ if ent_list is not None:
+ for entry in ent_list:
+ ldap_conn.add_s(entry[0], entry[1])
+
+
+def cleanup_ldap_entries(ldap_conn, ent_list=None):
+ """Remove LDAP entries added by create_ldap_entries"""
+ if ent_list is None:
+ for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"):
+ for entry in ldap_conn.search_s("ou=" + ou + "," +
+ ldap_conn.ds_inst.base_dn,
+ ldap.SCOPE_ONELEVEL,
+ attrlist=[]):
+ ldap_conn.delete_s(entry[0])
+ else:
+ for entry in ent_list:
+ ldap_conn.delete_s(entry[0])
+
+
+def create_ldap_cleanup(request, ldap_conn, ent_list=None):
+ """Add teardown for removing all user/group LDAP entries"""
+ request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list))
+
+
+def create_ldap_fixture(request, ldap_conn, ent_list=None):
+ """Add LDAP entries and add teardown for removing them"""
+ create_ldap_entries(ldap_conn, ent_list)
+ create_ldap_cleanup(request, ldap_conn, ent_list)
+
+
+SCHEMA_RFC2307_BIS = "rfc2307bis"
+
+
+def format_basic_conf(ldap_conn, schema):
+ """Format a basic SSSD configuration"""
+ schema_conf = "ldap_schema = " + schema + "\n"
+ schema_conf += "ldap_group_object_class = groupOfNames\n"
+ return unindent("""\
+ [sssd]
+ domains = LDAP
+ services = nss
+
+ [domain/LDAP]
+ {schema_conf}
+ id_provider = ldap
+ auth_provider = ldap
+ ldap_uri = {ldap_conn.ds_inst.ldap_url}
+ ldap_search_base = {ldap_conn.ds_inst.base_dn}
+ ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn}
+ """).format(**locals())
+
+
+def create_conf_file(contents):
+ """Create sssd.conf with specified contents"""
+ conf = open(config.CONF_PATH, "w")
+ conf.write(contents)
+ conf.close()
+ os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR)
+
+
+def cleanup_conf_file():
+ """Remove sssd.conf, if it exists"""
+ if os.path.lexists(config.CONF_PATH):
+ os.unlink(config.CONF_PATH)
+
+
+def create_conf_cleanup(request):
+ """Add teardown for removing sssd.conf"""
+ request.addfinalizer(cleanup_conf_file)
+
+
+def create_conf_fixture(request, contents):
+ """
+ Create sssd.conf with specified contents and add teardown for removing it
+ """
+ create_conf_file(contents)
+ create_conf_cleanup(request)
+
+
+def create_sssd_process():
+ """Start the SSSD process"""
+ if subprocess.call(["sssd", "-D", "-f"]) != 0:
+ raise Exception("sssd start failed")
+
+
+def cleanup_sssd_process():
+ """Stop the SSSD process and remove its state"""
+ try:
+ pid_file = open(config.PIDFILE_PATH, "r")
+ pid = int(pid_file.read())
+ os.kill(pid, signal.SIGTERM)
+ while True:
+ try:
+ os.kill(pid, signal.SIGCONT)
+ except:
+ break
+ time.sleep(1)
+ except:
+ pass
+ for path in os.listdir(config.DB_PATH):
+ os.unlink(config.DB_PATH + "/" + path)
+ for path in os.listdir(config.MCACHE_PATH):
+ os.unlink(config.MCACHE_PATH + "/" + path)
+
+
+def create_sssd_cleanup(request):
+ """Add teardown for stopping SSSD and removing its state"""
+ request.addfinalizer(cleanup_sssd_process)
+
+
+def create_sssd_fixture(request):
+ """Start SSSD and add teardown for stopping it and removing its state"""
+ create_sssd_process()
+ create_sssd_cleanup(request)
+
+
+@pytest.fixture
+def add_empty_netgroup(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ ent_list.add_netgroup("empty_netgroup")
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_add_empty_netgroup(add_empty_netgroup):
+ """
+ Adding empty netgroup.
+ """
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("empty_netgroup")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == []
+
+
+@pytest.fixture
+def add_tripled_netgroup(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ ent_list.add_netgroup("tripled_netgroup", ["(host,user,domain)"])
+
+ ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)",
+ "(host2,user2,domain2)"])
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_add_tripled_netgroup(add_tripled_netgroup):
+ """
+ Adding netgroup with triplet.
+ """
+
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("host", "user", "domain")]
+
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("adv_tripled_netgroup")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert sorted(netgrps) == sorted([("host1", "user1", "domain1"),
+ ("host2", "user2", "domain2")])
+
+
+@pytest.fixture
+def add_mixed_netgroup(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ ent_list.add_netgroup("mixed_netgroup1")
+ ent_list.add_netgroup("mixed_netgroup2", members=["mixed_netgroup1"])
+
+ ent_list.add_netgroup("mixed_netgroup3", ["(host1,user1,domain1)"])
+ ent_list.add_netgroup("mixed_netgroup4",
+ ["(host2,user2,domain2)", "(host3,user3,domain3)"])
+
+ ent_list.add_netgroup("mixed_netgroup5",
+ ["(host4,user4,domain4)"],
+ ["mixed_netgroup1"])
+ ent_list.add_netgroup("mixed_netgroup6",
+ ["(host5,user5,domain5)"],
+ ["mixed_netgroup2"])
+
+ ent_list.add_netgroup("mixed_netgroup7", members=["mixed_netgroup3"])
+ ent_list.add_netgroup("mixed_netgroup8",
+ members=["mixed_netgroup3", "mixed_netgroup4"])
+
+ ent_list.add_netgroup("mixed_netgroup9",
+ ["(host6,user6,domain6)"],
+ ["mixed_netgroup3", "mixed_netgroup4"])
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_add_mixed_netgroup(add_mixed_netgroup):
+ """
+ Adding many netgroups of different type.
+ """
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == []
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == []
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup3")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [("host1", "user1", "domain1")]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup4")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert sorted(netgroups) == sorted([("host2", "user2", "domain2"),
+ ("host3", "user3", "domain3")])
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup5")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [("host4", "user4", "domain4")]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup6")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [("host5", "user5", "domain5")]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup7")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [("host1", "user1", "domain1")]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup8")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert sorted(netgroups) == sorted([("host1", "user1", "domain1"),
+ ("host2", "user2", "domain2"),
+ ("host3", "user3", "domain3")])
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("mixed_netgroup9")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert sorted(netgroups) == sorted([("host1", "user1", "domain1"),
+ ("host2", "user2", "domain2"),
+ ("host3", "user3", "domain3"),
+ ("host6", "user6", "domain6")])
+
+
+@pytest.fixture
+def remove_step_by_step(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ ent_list.add_netgroup("rm_empty_netgroup1", ["(host1,user1,domain1)"])
+ ent_list.add_netgroup("rm_empty_netgroup2",
+ ["(host2,user2,domain2)"],
+ ["rm_empty_netgroup1"])
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return ent_list
+
+
+def test_remove_step_by_step(remove_step_by_step, ldap_conn):
+ """
+ Removing netgroups step by step.
+ """
+
+ ent_list = remove_step_by_step
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host1', 'user1', 'domain1')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert sorted(netgroups) == sorted([('host1', 'user1', 'domain1'),
+ ('host2', 'user2', 'domain2')])
+
+ # removing of rm_empty_netgroup1
+ ldap_conn.delete_s(ent_list[0][0])
+ ent_list.remove(ent_list[0])
+
+ if subprocess.call(["sss_cache", "-N"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.NOTFOUND
+ assert netgroups == []
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host2', 'user2', 'domain2')]
+
+ # removing of rm_empty_netgroup2
+ ldap_conn.delete_s(ent_list[0][0])
+ ent_list.remove(ent_list[0])
+
+ if subprocess.call(["sss_cache", "-N"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.NOTFOUND
+ assert netgroups == []
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("rm_empty_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.NOTFOUND
+ assert netgroups == []
+
+
+@pytest.fixture
+def removing_nested_netgroups(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+
+ ent_list.add_netgroup("t2841_netgroup1", ["(host1,user1,domain1)"])
+ ent_list.add_netgroup("t2841_netgroup2", ["(host2,user2,domain2)"])
+ ent_list.add_netgroup("t2841_netgroup3",
+ members=["t2841_netgroup1", "t2841_netgroup2"])
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_removing_nested_netgroups(removing_nested_netgroups, ldap_conn):
+ """
+ Regression test for ticket 2841.
+ https://fedorahosted.org/sssd/ticket/2841
+ """
+
+ netgrp_dn = 'cn=t2841_netgroup3,ou=Netgroups,' + ldap_conn.ds_inst.base_dn
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host1', 'user1', 'domain1')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host2', 'user2', 'domain2')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert sorted(netgroups) == sorted([('host1', 'user1', 'domain1'),
+ ('host2', 'user2', 'domain2')])
+
+ # removing of t2841_netgroup1 from t2841_netgroup3
+ old = {'memberNisNetgroup': ["t2841_netgroup1", "t2841_netgroup2"]}
+ new = {'memberNisNetgroup': ["t2841_netgroup2"]}
+
+ ldif = ldap.modlist.modifyModlist(old, new)
+ ldap_conn.modify_s(netgrp_dn, ldif)
+
+ if subprocess.call(["sss_cache", "-N"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host1', 'user1', 'domain1')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host2', 'user2', 'domain2')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host2', 'user2', 'domain2')]
+
+ # removing of t2841_netgroup2 from t2841_netgroup3
+ old = {'memberNisNetgroup': ["t2841_netgroup2"]}
+ new = {'memberNisNetgroup': []}
+
+ ldif = ldap.modlist.modifyModlist(old, new)
+ ldap_conn.modify_s(netgrp_dn, ldif)
+
+ if subprocess.call(["sss_cache", "-N"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup1")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host1', 'user1', 'domain1')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup2")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == [('host2', 'user2', 'domain2')]
+
+ res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgroups == []
--
2.9.3

97
0008-watchdog-cope-with-time-shift.patch
View File

@ -1,97 +0,0 @@
From 2263fb23bdbbf313535edf54440fe20627b57d7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 22 Aug 2016 13:15:04 +0200
Subject: [PATCH 08/39] watchdog: cope with time shift
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When a time is changed into the past during sssd runtime
(e.g. on boot during time correction), it is possible that
we never hit watchdog tevent timer since it is based on
system time.
This patch adds a past-time shift detection mechanism. If a time
shift is detected we restart watchdog.
Resolves:
https://fedorahosted.org/sssd/ticket/3154
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit b8ceaeb80cffb00c26390913ea959b77f7e848b9)
---
src/util/util_watchdog.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
index 5032fddba1b94b3fc7e560162c392dfa57d699cf..1c27d73f13b3042ecb549a2184e1368e8339d199 100644
--- a/src/util/util_watchdog.c
+++ b/src/util/util_watchdog.c
@@ -29,8 +29,39 @@ struct watchdog_ctx {
struct timeval interval;
struct tevent_timer *te;
volatile int ticks;
+
+ /* To detect time shift. */
+ struct tevent_context *ev;
+ int input_interval;
+ time_t timestamp;
} watchdog_ctx;
+static bool watchdog_detect_timeshift(void)
+{
+ time_t prev_time;
+ time_t cur_time;
+ errno_t ret;
+
+ prev_time = watchdog_ctx.timestamp;
+ cur_time = watchdog_ctx.timestamp = time(NULL);
+ if (cur_time < prev_time) {
+ /* Time shift detected. We need to restart watchdog. */
+ DEBUG(SSSDBG_IMPORTANT_INFO, "Time shift detected, "
+ "restarting watchdog!\n");
+ teardown_watchdog();
+ ret = setup_watchdog(watchdog_ctx.ev, watchdog_ctx.input_interval);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to restart watchdog "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ orderly_shutdown(1);
+ }
+
+ return true;
+ }
+
+ return false;
+}
+
/* the watchdog is purposefully *not* handled by the tevent
* signal handler as it is meant to check if the daemon is
* still processing the event queue itself. A stuck process
@@ -38,6 +69,12 @@ struct watchdog_ctx {
* signals either */
static void watchdog_handler(int sig)
{
+ /* Do not count ticks if time shift was detected
+ * since watchdog was restarted. */
+ if (watchdog_detect_timeshift()) {
+ return;
+ }
+
/* if 3 ticks passed by kills itself */
if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > 3) {
@@ -101,6 +138,10 @@ int setup_watchdog(struct tevent_context *ev, int interval)
watchdog_ctx.interval.tv_sec = interval;
watchdog_ctx.interval.tv_usec = 0;
+ watchdog_ctx.ev = ev;
+ watchdog_ctx.input_interval = interval;
+ watchdog_ctx.timestamp = time(NULL);
+
/* Start the timer */
/* we give 1 second head start to the watchdog event */
its.it_value.tv_sec = interval + 1;
--
2.9.3

82
0009-BUILD-Allow-to-read-private-pipes-for-root.patch
View File

@ -1,82 +0,0 @@
From d5a5ff043c5872eb159aa096e1a1fa7863db4f86 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 19 Aug 2016 10:46:12 +0200
Subject: [PATCH 09/39] BUILD: Allow to read private pipes for root
Root can read anything from any directory even with permissions 000.
However SELinux checks discretionary access control (DAC)
and deny access if access is not allowed for root by DAC.
The pam_sss use different unix socket /var/lib/sss/pipes/private/pam
for user with uid 0. Therefore root need to be able read content
of directory with private pipes.
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
{ dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
{ dac_override } for pid=20257 comm=vsftpd capability=dac_override
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
Resolves:
https://fedorahosted.org/sssd/ticket/3143
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit f49724cd6b3e0e3274302c3d475e93f7a7094f40)
---
Makefile.am | 8 ++++----
contrib/sssd.spec.in | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 8b9240f4485c0bce976fdabff6904e648f44356e..6219682de0d1fd4b3a813ee2f95b8185531e62bf 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3952,7 +3952,6 @@ SSSD_USER_DIRS = \
$(DESTDIR)$(keytabdir) \
$(DESTDIR)$(mcpath) \
$(DESTDIR)$(pipepath) \
- $(DESTDIR)$(pipepath)/private \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d \
$(DESTDIR)$(gpocachepath) \
@@ -3979,16 +3978,17 @@ installsssddirs::
$(DESTDIR)$(sssddatadir) \
$(DESTDIR)$(sudolibdir) \
$(DESTDIR)$(autofslibdir) \
+ $(DESTDIR)$(pipepath)/private \
$(SSSD_USER_DIRS) \
$(NULL);
if SSSD_USER
- -chown $(SSSD_USER):$(SSSD_USER) \
- $(SSSD_USER_DIRS)
+ -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS)
+ -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private
endif
$(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \
- $(DESTDIR)$(pipepath)/private \
$(DESTDIR)$(keytabdir) \
$(NULL)
+ $(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private
$(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \
$(DESTDIR)$(pubconfpath) \
$(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 24af8d518bd065388b14d812de7c1c61975f0cca..1e058ca63c25513253c4b350d286208f40f6b660 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -791,7 +791,7 @@ done
%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
%attr(755,sssd,sssd) %dir %{pipepath}
-%attr(700,sssd,sssd) %dir %{pipepath}/private
+%attr(750,sssd,root) %dir %{pipepath}/private
%attr(755,sssd,sssd) %dir %{pubconfpath}
%attr(755,sssd,sssd) %dir %{gpocachepath}
%attr(750,sssd,sssd) %dir %{_var}/log/%{name}
--
2.9.3

124
0010-SYSDB-Rework-sysdb_cache_connect.patch
View File

@ -1,124 +0,0 @@
From 3258fa9d328f364fa41fd1a5bc5fc3250e87df8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 16 Aug 2016 11:20:49 +0200
Subject: [PATCH 10/39] SYSDB: Rework sysdb_cache_connect()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As sysdb_cache_connect() has two very specific use cases (connect to the
cache and connect to the timestamp cache) and each of those calls have a
predetermined/fixed sets of values for a few parameters, let's try to
make the code a bit simpler to follow by having explicit functions for
connecting to the cache and connecting to the timestamp cache.
Macros could be used as well, but I have a slightly preference for
having two new functions instead of macros accessing internal parameters
of the macro's parameter.
Related:
https://fedorahosted.org/sssd/ticket/3128
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b6d1cd5eaab4c7c73df8ee041944ec05630a9630)
---
src/db/sysdb_init.c | 53 ++++++++++++++++++++++++++++++++++-------------------
1 file changed, 34 insertions(+), 19 deletions(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index 9e3646bfeb9a494ebff2d348ab1c53336f8a5c03..59934701c4d2b9d770385a202af058404a6d3eb9 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -511,14 +511,14 @@ done:
return ret;
}
-static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
- struct sss_domain_info *domain,
- const char *ldb_file,
- int flags,
- const char *exp_version,
- const char *base_ldif,
- struct ldb_context **_ldb,
- const char **_version)
+static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *ldb_file,
+ int flags,
+ const char *exp_version,
+ const char *base_ldif,
+ struct ldb_context **_ldb,
+ const char **_version)
{
TALLOC_CTX *tmp_ctx = NULL;
struct ldb_message_element *el;
@@ -619,6 +619,29 @@ done:
return ret;
}
+static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ struct ldb_context **ldb,
+ const char **version)
+{
+ return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_file,
+ 0, SYSDB_VERSION, SYSDB_BASE_LDIF,
+ ldb, version);
+}
+
+static errno_t sysdb_ts_cache_connect(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ struct ldb_context **ldb,
+ const char **version)
+{
+ return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_ts_file,
+ LDB_FLG_NOSYNC, SYSDB_TS_VERSION,
+ SYSDB_TS_BASE_LDIF,
+ ldb, version);
+}
+
static errno_t remove_ts_cache(struct sysdb_ctx *sysdb)
{
errno_t ret;
@@ -649,9 +672,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
return ENOMEM;
}
- ret = sysdb_cache_connect(tmp_ctx, domain, sysdb->ldb_file, 0,
- SYSDB_VERSION, SYSDB_BASE_LDIF,
- &ldb, &version);
+ ret = sysdb_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
switch (ret) {
case ERR_SYSDB_VERSION_TOO_OLD:
if (upgrade_ctx == NULL) {
@@ -731,10 +752,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
return ENOMEM;
}
- ret = sysdb_cache_connect(tmp_ctx, domain,
- sysdb->ldb_ts_file, LDB_FLG_NOSYNC,
- SYSDB_TS_VERSION, SYSDB_TS_BASE_LDIF,
- &ldb, &version);
+ ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
switch (ret) {
case ERR_SYSDB_VERSION_TOO_OLD:
if (upgrade_ctx == NULL) {
@@ -801,10 +819,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb,
/* Now the connect must succeed because the previous cache doesn't
* exist anymore.
*/
- ret = sysdb_cache_connect(tmp_ctx, domain,
- sysdb->ldb_ts_file, LDB_FLG_NOSYNC,
- SYSDB_TS_VERSION, SYSDB_TS_BASE_LDIF,
- &ldb, &version);
+ ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
"Could not delete the timestamp ldb file (%d) (%s)\n",
--
2.9.3

152
0011-SYSDB-Remove-the-timestamp-cache-for-a-newly-created.patch
View File

@ -1,152 +0,0 @@
From 85fed431388c7f7f70dbf5bcd0b4f8a889c60bc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 16 Aug 2016 11:46:41 +0200
Subject: [PATCH 11/39] SYSDB: Remove the timestamp cache for a newly created
cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As many users are used to remove the persistent cache without removing
the timestamp cache, let's throw away the timestamp cache in this case.
Resolves:
https://fedorahosted.org/sssd/ticket/3128
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 9023bf51de6c84337af024388f1860ac1051924c)
---
src/db/sysdb_init.c | 69 ++++++++++++++++++++++++++++++++++++-----------------
1 file changed, 47 insertions(+), 22 deletions(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index 59934701c4d2b9d770385a202af058404a6d3eb9..c387c1b12c116f38d5a13f1adeac5ef64d593af8 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -511,12 +511,30 @@ done:
return ret;
}
+static errno_t remove_ts_cache(struct sysdb_ctx *sysdb)
+{
+ errno_t ret;
+
+ if (sysdb->ldb_ts_file == NULL) {
+ return EOK;
+ }
+
+ ret = unlink(sysdb->ldb_ts_file);
+ if (ret != EOK && errno != ENOENT) {
+ return errno;
+ }
+
+ return EOK;
+}
+
static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,
const char *ldb_file,
int flags,
const char *exp_version,
const char *base_ldif,
+ bool *_newly_created,
struct ldb_context **_ldb,
const char **_version)
{
@@ -527,6 +545,7 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
const char *version = NULL;
int ret;
struct ldb_context *ldb;
+ bool newly_created;
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
@@ -592,8 +611,9 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
goto done;
}
- /* The cache has been newly created.
- * We need to reopen the LDB to ensure that
+ newly_created = true;
+
+ /* We need to reopen the LDB to ensure that
* all of the special values take effect
* (such as enabling the memberOf plugin and
* the various indexes).
@@ -613,6 +633,9 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
}
done:
if (ret == EOK) {
+ if (_newly_created != NULL) {
+ *_newly_created = newly_created;
+ }
*_ldb = talloc_steal(mem_ctx, ldb);
}
talloc_free(tmp_ctx);
@@ -625,9 +648,27 @@ static errno_t sysdb_cache_connect(TALLOC_CTX *mem_ctx,
struct ldb_context **ldb,
const char **version)
{
- return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_file,
+ bool newly_created;
+ bool ldb_file_exists;
+ errno_t ret;
+
+ ldb_file_exists = !(access(sysdb->ldb_file, F_OK) == -1 && errno == ENOENT);
+
+ ret = sysdb_cache_connect_helper(mem_ctx, sysdb, domain, sysdb->ldb_file,
0, SYSDB_VERSION, SYSDB_BASE_LDIF,
- ldb, version);
+ &newly_created, ldb, version);
+
+ /* The cache has been newly created. */
+ if (ret == EOK && newly_created && !ldb_file_exists) {
+ ret = remove_ts_cache(sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not delete the timestamp ldb file (%d) (%s)\n",
+ ret, sss_strerror(ret));
+ }
+ }
+
+ return ret;
}
static errno_t sysdb_ts_cache_connect(TALLOC_CTX *mem_ctx,
@@ -636,28 +677,12 @@ static errno_t sysdb_ts_cache_connect(TALLOC_CTX *mem_ctx,
struct ldb_context **ldb,
const char **version)
{
- return sysdb_cache_connect_helper(mem_ctx, domain, sysdb->ldb_ts_file,
+ return sysdb_cache_connect_helper(mem_ctx, sysdb, domain, sysdb->ldb_ts_file,
LDB_FLG_NOSYNC, SYSDB_TS_VERSION,
- SYSDB_TS_BASE_LDIF,
+ SYSDB_TS_BASE_LDIF, NULL,
ldb, version);
}
-static errno_t remove_ts_cache(struct sysdb_ctx *sysdb)
-{
- errno_t ret;
-
- if (sysdb->ldb_ts_file == NULL) {
- return EOK;
- }
-
- ret = unlink(sysdb->ldb_ts_file);
- if (ret != EOK && errno != ENOENT) {
- return errno;
- }
-
- return EOK;
-}
-
static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,
struct sysdb_dom_upgrade_ctx *upgrade_ctx)
--
2.9.3

48
0012-SECRETS-Return-ENOENT-when_deleting-a-non-existent-s.patch
View File

@ -1,48 +0,0 @@
From 2a287173752a2854df5e4bdb6b27328837be4805 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 17 Aug 2016 13:12:21 +0200
Subject: [PATCH 12/39] SECRETS: Return ENOENT when_deleting a non-existent
secret
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
For this, just make use of the sysdb_error_to_errno() function.
Resolves:
https://fedorahosted.org/sssd/ticket/3125
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit c4a3b24dc70fb50c8c0cc5490c29a3755d8b1b73)
---
src/responder/secrets/local.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
index 17469249b357cbdc5e50ddff6b563fdf2f377577..ac3049b62fa77f69d44ec5792139fe3378afb3f4 100644
--- a/src/responder/secrets/local.c
+++ b/src/responder/secrets/local.c
@@ -375,15 +375,10 @@ int local_db_delete(TALLOC_CTX *mem_ctx,
int ret;
ret = local_db_dn(mem_ctx, lctx->ldb, req_path, &dn);
- if (ret != EOK) goto done;
+ if (ret != EOK) return ret;
ret = ldb_delete(lctx->ldb, dn);
- if (ret != EOK) {
- ret = EIO;
- }
-
-done:
- return ret;
+ return sysdb_error_to_errno(ret);
}
int local_db_create(TALLOC_CTX *mem_ctx,
--
2.9.3

27
0013-SPEC-Fix-typo-in-Summary.patch
View File

@ -1,27 +0,0 @@
From 8fbc37dac506556c53f7fcb63a219af71eeaa9be Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 19 Aug 2016 18:06:45 +0200
Subject: [PATCH 13/39] SPEC: Fix typo in Summary
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit afa6891a809db262a49f68913f82a3a6137d8e2e)
---
contrib/sssd.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 1e058ca63c25513253c4b350d286208f40f6b660..1f79ca7cd0a56dc1ab9c951abe11dc216ef3ad03 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -588,7 +588,7 @@ License: GPLv3+ and LGPLv3+
Development libraries for the SSSD libwbclient implementation.
%package winbind-idmap
-Summary: SSSSD's idmap_sss Backend for Winbind
+Summary: SSSD's idmap_sss Backend for Winbind
Group: Applications/System
License: GPLv3+ and LGPLv3+
--
2.9.3

62
0014-IPA-Parse-qualified-names-when-guessing-AD-user-prin.patch
View File

@ -1,62 +0,0 @@
From 82ccc38b4143b996ca9741f3682c2bb1f2694bef Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 9 Aug 2016 22:08:27 +0200
Subject: [PATCH 14/39] IPA: Parse qualified names when guessing AD user
principal
Most AD users store their UPN in an attribute. If they don't, or the sssd
was configured (typically in earlier versions to work around a bug) to not
look at the principal attribute, then sssd is supposed to guess
the attribute.
That currently doesn't work in 1.14, because the username is already
qualified and then we also append the realm name to it. We need to parse
the simple username from the qualified name first.
The issue can be reproduced simply by authenticating as the Administrator
account in IPA-AD trust setups.
Resolves:
https://fedorahosted.org/sssd/ticket/3127
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 0302e3e7b3b06b809bd63c7911a42ab3e0a7ebf9)
---
src/providers/ipa/ipa_s2n_exop.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index a8c415b4c86ccd3bd3b180c8df835c75420fbb21..07bbb2b4d252c8ca9ada4d890c36c903c9f75773 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1941,6 +1941,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
struct sss_nss_homedir_ctx homedir_ctx;
char *name = NULL;
char *realm;
+ char *short_name = NULL;
char *upn = NULL;
gid_t gid;
gid_t orig_gid = 0;
@@ -2092,8 +2093,17 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
ret = ENOMEM;
goto done;
}
- upn = talloc_asprintf(tmp_ctx, "%s@%s",
- attrs->a.user.pw_name, realm);
+
+ ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
+ &short_name, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse internal name %s\n",
+ attrs->a.user.pw_name);
+ goto done;
+ }
+
+ upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
if (!upn) {
DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
ret = ENOMEM;
--
2.9.3

114
0015-PROXY-Remove-lowercase-attribute-from-save_user.patch
View File

@ -1,114 +0,0 @@
From 18c3db957a198351f8d3c13c51dff976ad736021 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 24 Aug 2016 13:16:31 +0200
Subject: [PATCH 15/39] PROXY: Remove lowercase attribute from save_user()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As this function already receives a struct sss_domain_info * parameter
as argument, we can simply check whether we will need a lowercase name
by accessing domain->case_sensitive.
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 413aef1529fb3d5ed4d0f38e219f5456d7fe3ae0)
---
src/providers/proxy/proxy_id.c | 22 +++++++++-------------
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index b0c82807b42d91a4212578ca98af7f96484735b1..ff2631c9b493c8c688919139114da5520b428e04 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -31,7 +31,7 @@
/* =Getpwnam-wrapper======================================================*/
static int save_user(struct sss_domain_info *domain,
- bool lowercase, struct passwd *pwd, const char *real_name,
+ struct passwd *pwd, const char *real_name,
const char *alias, uint64_t cache_timeout);
static int
@@ -143,8 +143,7 @@ static int get_pw_name(struct proxy_id_ctx *ctx,
}
/* Both lookups went fine, we can save the user now */
- ret = save_user(dom, !dom->case_sensitive, pwd,
- real_name, i_name, dom->user_timeout);
+ ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout);
done:
talloc_zfree(tmpctx);
@@ -224,7 +223,7 @@ delete_user(struct sss_domain_info *domain,
}
static int save_user(struct sss_domain_info *domain,
- bool lowercase, struct passwd *pwd, const char *real_name,
+ struct passwd *pwd, const char *real_name,
const char *alias, uint64_t cache_timeout)
{
const char *shell;
@@ -246,7 +245,7 @@ static int save_user(struct sss_domain_info *domain,
gecos = NULL;
}
- if (lowercase || alias) {
+ if (!domain->case_sensitive || alias) {
attrs = sysdb_new_attrs(NULL);
if (!attrs) {
DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n");
@@ -255,7 +254,7 @@ static int save_user(struct sss_domain_info *domain,
}
}
- if (lowercase) {
+ if (!domain->case_sensitive) {
lc_pw_name = sss_tc_utf8_str_tolower(attrs, real_name);
if (lc_pw_name == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
@@ -273,7 +272,7 @@ static int save_user(struct sss_domain_info *domain,
}
if (alias) {
- cased_alias = sss_get_cased_name(attrs, alias, !lowercase);
+ cased_alias = sss_get_cased_name(attrs, alias, domain->case_sensitive);
if (!cased_alias) {
ret = ENOMEM;
goto done;
@@ -366,8 +365,7 @@ static int get_pw_uid(struct proxy_id_ctx *ctx,
pwd->pw_name);
goto done;
}
- ret = save_user(dom, !dom->case_sensitive, pwd,
- name, NULL, dom->user_timeout);
+ ret = save_user(dom, pwd, name, NULL, dom->user_timeout);
done:
talloc_zfree(tmpctx);
@@ -497,8 +495,7 @@ static int enum_users(TALLOC_CTX *mem_ctx,
pwd->pw_name);
goto done;
}
- ret = save_user(dom, !dom->case_sensitive, pwd,
- name, NULL, dom->user_timeout);
+ ret = save_user(dom, pwd, name, NULL, dom->user_timeout);
if (ret) {
/* Do not fail completely on errors.
* Just report the failure to save and go on */
@@ -1331,8 +1328,7 @@ static int get_initgr(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = save_user(dom, !dom->case_sensitive, pwd,
- real_name, i_name, dom->user_timeout);
+ ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE, "Could not save user\n");
goto fail;
--
2.9.3

92
0016-PROXY-Remove-cache_timeout-attribute-from-save_user.patch
View File

@ -1,92 +0,0 @@
From 87bce14e200e16b3f6ec9a79333b2a9da0274fbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 24 Aug 2016 13:25:44 +0200
Subject: [PATCH 16/39] PROXY: Remove cache_timeout attribute from save_user()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As this function already receives a struct sss_domain_info * parameter
as argument, we can simply get the cache_timeout attribute by accessing
domain->user_timeout.
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 2537fe318a3866780abca100cf6eb7c258f9d02b)
---
src/providers/proxy/proxy_id.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index ff2631c9b493c8c688919139114da5520b428e04..bdcac66319897981c21e7fd7da7334ee97d010f6 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -32,7 +32,7 @@
static int save_user(struct sss_domain_info *domain,
struct passwd *pwd, const char *real_name,
- const char *alias, uint64_t cache_timeout);
+ const char *alias);
static int
handle_getpw_result(enum nss_status status, struct passwd *pwd,
@@ -143,7 +143,7 @@ static int get_pw_name(struct proxy_id_ctx *ctx,
}
/* Both lookups went fine, we can save the user now */
- ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout);
+ ret = save_user(dom, pwd, real_name, i_name);
done:
talloc_zfree(tmpctx);
@@ -224,7 +224,7 @@ delete_user(struct sss_domain_info *domain,
static int save_user(struct sss_domain_info *domain,
struct passwd *pwd, const char *real_name,
- const char *alias, uint64_t cache_timeout)
+ const char *alias)
{
const char *shell;
const char *gecos;
@@ -299,7 +299,7 @@ static int save_user(struct sss_domain_info *domain,
NULL,
attrs,
NULL,
- cache_timeout,
+ domain->user_timeout,
0);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE, "Could not add user to cache\n");
@@ -365,7 +365,7 @@ static int get_pw_uid(struct proxy_id_ctx *ctx,
pwd->pw_name);
goto done;
}
- ret = save_user(dom, pwd, name, NULL, dom->user_timeout);
+ ret = save_user(dom, pwd, name, NULL);
done:
talloc_zfree(tmpctx);
@@ -495,7 +495,7 @@ static int enum_users(TALLOC_CTX *mem_ctx,
pwd->pw_name);
goto done;
}
- ret = save_user(dom, pwd, name, NULL, dom->user_timeout);
+ ret = save_user(dom, pwd, name, NULL);
if (ret) {
/* Do not fail completely on errors.
* Just report the failure to save and go on */
@@ -1328,7 +1328,7 @@ static int get_initgr(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = save_user(dom, pwd, real_name, i_name, dom->user_timeout);
+ ret = save_user(dom, pwd, real_name, i_name);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE, "Could not save user\n");
goto fail;
--
2.9.3

76
0017-PROXY-Remove-cache_timeout-attribute-from-save_group.patch
View File

@ -1,76 +0,0 @@
From c919d358561f4b26b4017f4379fc7b9b791f5cd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 24 Aug 2016 13:29:17 +0200
Subject: [PATCH 17/39] PROXY: Remove cache_timeout attribute from save_group()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As this function already receives a struct sss_domain_info * parameter
as argument, we can simply get the cache_timeout attribute by accessing
domain->group_timeout.
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 221d70ae3c5b7bc7384f57ffd3f88f89a3e6ae6a)
---
src/providers/proxy/proxy_id.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index bdcac66319897981c21e7fd7da7334ee97d010f6..c4d68f8e6855941dda386658758c37b4c9080712 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -558,8 +558,7 @@ static errno_t proxy_process_missing_users(struct sysdb_ctx *sysdb,
static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom,
struct group *grp,
const char *real_name, /* already qualified */
- const char *alias, /* already qualified */
- uint64_t cache_timeout)
+ const char *alias) /* already qualified */
{
errno_t ret, sret;
struct sysdb_attrs *attrs = NULL;
@@ -664,7 +663,7 @@ static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom,
real_name,
grp->gr_gid,
attrs,
- cache_timeout,
+ dom->group_timeout,
now);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE, "Could not add group to cache\n");
@@ -947,7 +946,7 @@ static int get_gr_name(struct proxy_id_ctx *ctx,
goto done;
}
- ret = save_group(sysdb, dom, grp, real_name, i_name, dom->group_timeout);
+ ret = save_group(sysdb, dom, grp, real_name, i_name);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot save group [%d]: %s\n", ret, strerror(ret));
@@ -1032,7 +1031,7 @@ static int get_gr_gid(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = save_group(sysdb, dom, grp, name, NULL, dom->group_timeout);
+ ret = save_group(sysdb, dom, grp, name, NULL);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot save user [%d]: %s\n", ret, strerror(ret));
@@ -1165,8 +1164,7 @@ static int enum_groups(TALLOC_CTX *mem_ctx,
"Ignoring\n");
ret = ENOMEM;
}
- ret = save_group(sysdb, dom, grp, name,
- NULL, dom->group_timeout);
+ ret = save_group(sysdb, dom, grp, name, NULL);
if (ret) {
/* Do not fail completely on errors.
* Just report the failure to save and go on */
--
2.9.3

40
0018-PROXY-Mention-that-save_user-s-parameters-are-alread.patch
View File

@ -1,40 +0,0 @@
From 232b543cb667cbd0769608b4e5c790ab73f4c2b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 24 Aug 2016 13:32:10 +0200
Subject: [PATCH 18/39] PROXY: Mention that save_user()'s parameters are
already qualified
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Those comments are similar to what we have in the save_group() function.
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 9900d2b153ebb7d994ccd05275f18b973556d5b3)
---
src/providers/proxy/proxy_id.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index c4d68f8e6855941dda386658758c37b4c9080712..921b5253a5ffe90526c73b8078067d69f83c75e6 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -223,8 +223,9 @@ delete_user(struct sss_domain_info *domain,
}
static int save_user(struct sss_domain_info *domain,
- struct passwd *pwd, const char *real_name,
- const char *alias)
+ struct passwd *pwd,
+ const char *real_name, /* already qualified */
+ const char *alias) /* already qualified */
{
const char *shell;
const char *gecos;
--
2.9.3

222
0019-PROXY-Share-common-code-of-save_-group-user.patch
View File

@ -1,222 +0,0 @@
From b05544a1ba3b49a880b14c8c5c9cafa378c86e24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 24 Aug 2016 14:28:42 +0200
Subject: [PATCH 19/39] PROXY: Share common code of save_{group,user}()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
These two functions (save_user() and save_group()) share, between
themselves, the code preparing the attributes that are going to be
stored in the sysdb.
This patch basically splits this code out of those functions and
introduces the new prepare_attrs_for_saving_ops().
Related:
https://fedorahosted.org/sssd/ticket/3134
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 69e8b7fcb9e3dc814a9ffc2a97fa656521cc4505)
---
src/providers/proxy/proxy_id.c | 155 +++++++++++++++++++----------------------
1 file changed, 70 insertions(+), 85 deletions(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index 921b5253a5ffe90526c73b8078067d69f83c75e6..48f552925447d1f31c4282e89a5994364dbc074d 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -222,6 +222,68 @@ delete_user(struct sss_domain_info *domain,
return ret;
}
+static int
+prepare_attrs_for_saving_ops(TALLOC_CTX *mem_ctx,
+ bool case_sensitive,
+ const char *real_name, /* already_qualified */
+ const char *alias, /* already qualified */
+ struct sysdb_attrs **attrs)
+{
+ const char *lc_name = NULL;
+ const char *cased_alias = NULL;
+ errno_t ret;
+
+ if (!case_sensitive || alias != NULL) {
+ if (*attrs == NULL) {
+ *attrs = sysdb_new_attrs(mem_ctx);
+ if (*attrs == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ }
+
+ if (!case_sensitive) {
+ lc_name = sss_tc_utf8_str_tolower(*attrs, real_name);
+ if (lc_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(*attrs, SYSDB_NAME_ALIAS, lc_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ }
+
+ if (alias != NULL) {
+ cased_alias = sss_get_cased_name(*attrs, alias, case_sensitive);
+ if (cased_alias == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Add the alias only if it differs from lowercased pw_name */
+ if (lc_name == NULL || strcmp(cased_alias, lc_name) != 0) {
+ ret = sysdb_attrs_add_string(*attrs, SYSDB_NAME_ALIAS,
+ cased_alias);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
+ goto done;
+ }
+ }
+ }
+
+ ret = EOK;
+done:
+ return ret;
+}
+
static int save_user(struct sss_domain_info *domain,
struct passwd *pwd,
const char *real_name, /* already qualified */
@@ -231,8 +293,6 @@ static int save_user(struct sss_domain_info *domain,
const char *gecos;
struct sysdb_attrs *attrs = NULL;
errno_t ret;
- const char *cased_alias;
- const char *lc_pw_name = NULL;
if (pwd->pw_shell && pwd->pw_shell[0] != '\0') {
shell = pwd->pw_shell;
@@ -246,47 +306,10 @@ static int save_user(struct sss_domain_info *domain,
gecos = NULL;
}
- if (!domain->case_sensitive || alias) {
- attrs = sysdb_new_attrs(NULL);
- if (!attrs) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n");
- ret = ENOMEM;
- goto done;
- }
- }
-
- if (!domain->case_sensitive) {
- lc_pw_name = sss_tc_utf8_str_tolower(attrs, real_name);
- if (lc_pw_name == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
- ret = ENOMEM;
- goto done;
- }
-
- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, lc_pw_name);
- if (ret) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
- ret = ENOMEM;
- goto done;
- }
-
- }
-
- if (alias) {
- cased_alias = sss_get_cased_name(attrs, alias, domain->case_sensitive);
- if (!cased_alias) {
- ret = ENOMEM;
- goto done;
- }
-
- /* Add the alias only if it differs from lowercased pw_name */
- if (lc_pw_name == NULL || strcmp(cased_alias, lc_pw_name) != 0) {
- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, cased_alias);
- if (ret) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
- goto done;
- }
- }
+ ret = prepare_attrs_for_saving_ops(NULL, domain->case_sensitive,
+ real_name, alias, &attrs);
+ if (ret != EOK) {
+ goto done;
}
ret = sysdb_store_user(domain,
@@ -563,8 +586,6 @@ static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom,
{
errno_t ret, sret;
struct sysdb_attrs *attrs = NULL;
- const char *cased_alias;
- const char *lc_gr_name = NULL;
TALLOC_CTX *tmp_ctx;
time_t now = time(NULL);
bool in_transaction = false;
@@ -618,46 +639,10 @@ static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom,
}
}
- if (dom->case_sensitive == false || alias) {
- if (!attrs) {
- attrs = sysdb_new_attrs(tmp_ctx);
- if (!attrs) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error ?!\n");
- ret = ENOMEM;
- goto done;
- }
- }
- }
-
- if (dom->case_sensitive == false) {
- lc_gr_name = sss_tc_utf8_str_tolower(attrs, real_name);
- if (lc_gr_name == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
- ret = ENOMEM;
- goto done;
- }
-
- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, lc_gr_name);
- if (ret != EOK) {
- goto done;
- }
- }
-
- if (alias) {
- cased_alias = sss_get_cased_name(attrs, alias, dom->case_sensitive);
- if (!cased_alias) {
- ret = ENOMEM;
- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
- goto done;
- }
-
- if (lc_gr_name == NULL || strcmp(cased_alias, lc_gr_name)) {
- ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, cased_alias);
- if (ret) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
- goto done;
- }
- }
+ ret = prepare_attrs_for_saving_ops(tmp_ctx, dom->case_sensitive,
+ real_name, alias, &attrs);
+ if (ret != EOK) {
+ goto done;
}
ret = sysdb_store_group(dom,
--
2.9.3

36
0020-SYSDB-Fix-uninitialized-scalar-variable.patch
View File

@ -1,36 +0,0 @@
From 007341bedfcc7e356f4bcb1af8b29acab133300a Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 29 Aug 2016 09:13:49 +0200
Subject: [PATCH 20/39] SYSDB: Fix uninitialized scalar variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The boolean variable newly_created could be used uninitialized
in done section in case of failure. The variable was firstly initialized
to true after succesfull execution of function sysdb_cache_create_empty.
Uninitialized variable usually means true for boolean variable.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 975d0b67a40847265523d195438bf4753d18ff1c)
---
src/db/sysdb_init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index c387c1b12c116f38d5a13f1adeac5ef64d593af8..d110aa7a2878e47650db177cfd342d0ac32248ab 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -545,7 +545,7 @@ static errno_t sysdb_cache_connect_helper(TALLOC_CTX *mem_ctx,
const char *version = NULL;
int ret;
struct ldb_context *ldb;
- bool newly_created;
+ bool newly_created = false;
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
--
2.9.3

82
0021-BUILD-Add-a-few-more-targets-for-intg-tests.patch
View File

@ -1,82 +0,0 @@
From 9a3ae9e00405501c964b489ac3415482ba3b3974 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Thu, 18 Aug 2016 16:24:17 +0200
Subject: [PATCH 21/39] BUILD: Add a few more targets for intg tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Running "make intgcheck" has been proven to be a bit painful (mainly
when the developer is just writing down a single test case), as it
cleans up the build directory and fireis a new build before, finally,
run the tests.
In order to make it a little less painful, let's break the whole
operation into 3 new targets:
intgcheck-{prepare,run,clean}.
As expected, "make intgcheck" calls these 3 new operations in the same
order they were presented, not changing then the current behavior.
Each operation will trigger the previous one in case there is no
"$$prefix" directory created and the directory is _only_ created in the
very first operation (intghcheck-prepare).
A note must be done about how to run a simple test file or a simple test
from a test file when running "make intgcheck-run". The option always
been here but only makes sense now that we have the intgcheck split in a
few useful steps. See the examples below (and for more detailed
information, check the py.test documentation):
#Run a single file
make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_netgroup.py"
#Run a single test from a single file
make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_add_empty_netgroup"
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 6159c33125f8ee82e88d495ea2aa5d00018ea844)
---
Makefile.am | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 6219682de0d1fd4b3a813ee2f95b8185531e62bf..6299ac7a7bf1c2ed41dfeeda7063c8901214941a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3076,7 +3076,7 @@ endif
# Integration tests #
#####################
-intgcheck:
+intgcheck-prepare:
echo "temporarily disabled"
set -e; \
rm -Rf intg; \
@@ -3096,10 +3096,23 @@ intgcheck:
$(MAKE) $(AM_MAKEFLAGS) -j1 install; \
: Remove .la files from LDB module directory to avoid loader warnings; \
rm "$$prefix"/lib/ldb/*.la; \
+ cd ../..
+
+intgcheck-run:
+ if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-build; fi; \
+ cd intg/bld; \
$(MAKE) $(AM_MAKEFLAGS) -C src/tests/intg intgcheck-installed; \
- cd ../..; \
+ cd ../..
+
+intgcheck-clean:
+ prefix=`readlink -e intg/pfx`; \
rm -Rf "$$prefix" intg
+intgcheck:
+ $(MAKE) intgcheck-prepare
+ $(MAKE) intgcheck-run
+ $(MAKE) intgcheck-clean
+
####################
# Client Libraries #
####################
--
2.9.3

60
0022-BUILD-Clean-up-prerelease-targets.patch
View File

@ -1,60 +0,0 @@
From 557e0e8c28a77b423a3746168a3be8e8a8d5462d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 17 Aug 2016 21:08:23 +0200
Subject: [PATCH 22/39] BUILD: Clean up prerelease targets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Clean up the pre-release targets in order to avoid lines exceeding 80
characters.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 01d970a8afa6ffed82b3e8dda96e08118222e16e)
---
Makefile.am | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 6299ac7a7bf1c2ed41dfeeda7063c8901214941a..4a56d8b0a3ea49c9fae35bf5717871ea515813b8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4202,6 +4202,14 @@ rpmroot:
$(MKDIR_P) $(RPMBUILD)/SPECS
$(MKDIR_P) $(RPMBUILD)/SRPMS
+# pre-release related vars
+
+PR_VERSION_DATE := $(shell date +%Y%m%d.%H%M)
+PR_VERSION_COMMIT_HASH := $(shell git log -1 --pretty=format:%h)
+PR_VERSION_NUMBER = $(PR_VERSION_DATE).git$(PR_VERSION_COMMIT_HASH)
+PR_VERSION_REGEX = m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\])
+PR_VERSION_REPL = m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.$(PR_VERSION_NUMBER)\])
+
rpmbrprep: dist-gzip rpmroot
if GIT_CHECKOUT
# When we're building RPMs from a git checkout,
@@ -4219,7 +4227,8 @@ rpms: rpmbrprep
if GIT_CHECKOUT
prerelease-rpms:
cp $(srcdir)/version.m4 $(srcdir)/version.m4.orig
- sed -e "s/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\])/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.`date +%Y%m%d.%H%M`.git`git log -1 --pretty=format:%h`\])/" < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
+ sed -e "s/$(PR_VERSION_REGEX)/$(PR_VERSION_REPL)/" \
+ < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
$(MAKE) rpms
mv $(srcdir)/version.m4.orig $(srcdir)/version.m4
endif
@@ -4234,7 +4243,8 @@ srpm: rpmbrprep
if GIT_CHECKOUT
prerelease-srpm:
cp $(srcdir)/version.m4 $(srcdir)/version.m4.orig
- sed -e "s/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\])/m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.`date +%Y%m%d.%H%M`.git`git log -1 --pretty=format:%h`\])/" < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
+ sed -e "s/$(PR_VERSION_REGEX)/$(PR_VERSION_REPL)/" \
+ < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
$(MAKE) srpm
mv $(srcdir)/version.m4.orig $(srcdir)/version.m4
endif
--
2.9.3

34
0023-BUILD-Fix-typo-in-intgcheck-run-rule.patch
View File

@ -1,34 +0,0 @@
From 665ef221b1c2144a78ed9f98263bb8b9acce6f6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 29 Aug 2016 16:01:59 +0200
Subject: [PATCH 23/39] BUILD: Fix typo in intgcheck-run rule
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
During the review process "intgcheck-build" ended up being merged to the
"intgcheck-prepare" rule.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 9639cf410dd6ba9670748535811f061e0c475bc6)
---
Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 4a56d8b0a3ea49c9fae35bf5717871ea515813b8..25a81b93b8881ec6dfa18397ddcc3430e6a3ebd0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3099,7 +3099,7 @@ intgcheck-prepare:
cd ../..
intgcheck-run:
- if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-build; fi; \
+ if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-prepare; fi; \
cd intg/bld; \
$(MAKE) $(AM_MAKEFLAGS) -C src/tests/intg intgcheck-installed; \
cd ../..
--
2.9.3

29
0024-BUILD-Remove-leftover-after-sysdb-refactoring.patch
View File

@ -1,29 +0,0 @@
From ce87fa6dd3fb47f28f9e80b730c50f23b099e835 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 29 Aug 2016 17:50:17 +0200
Subject: [PATCH 24/39] BUILD: Remove leftover after sysdb refactoring
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 4229ffb929bd7029f8b94d92099032d3350f5cf4)
---
Makefile.am | 1 -
1 file changed, 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 25a81b93b8881ec6dfa18397ddcc3430e6a3ebd0..f89af5a9d6d26c732574aa3651de8c175f538b28 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3077,7 +3077,6 @@ endif
#####################
intgcheck-prepare:
- echo "temporarily disabled"
set -e; \
rm -Rf intg; \
$(MKDIR_P) intg/bld; \
--
2.9.3

239
0025-MONITOR-Remove-the-no-longer-used-diag_cmd-command.patch
View File

@ -1,239 +0,0 @@
From 854db7ed3fc4c0c58b1df0f93bb5b896eea417e8 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 8 May 2016 14:41:35 +0200
Subject: [PATCH 25/39] MONITOR: Remove the no longer used diag_cmd command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After introducing the watchdog, the diag_cmd is longer used and makes no
sense trying to make it usable by watchdog as the result of "pstack %p"
seems next to useless in this context.
Related:
https://fedorahosted.org/sssd/ticket/3051
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit 1620f435dbe7013f985128dcdf001e9158cb00e3)
---
src/confdb/confdb.h | 1 -
src/monitor/monitor.c | 163 --------------------------------------------------
2 files changed, 164 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 72adbd80ea534eb0becd3e517c00b0c26d00444c..58a085ba954cf75a5c756d6f8fbd04e6fa49a687 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -73,7 +73,6 @@
#define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix"
#define CONFDB_MONITOR_OVERRIDE_SPACE "override_space"
#define CONFDB_MONITOR_USER_RUNAS "user"
-#define CONFDB_MONITOR_PRE_KILL_CMD "diag_cmd"
#define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
/* Both monitor and domains */
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 7a9ef569bbd565d6240cebed8493d0bd85aba89e..f97b2a960b1835540357714b608feac54c2d72c5 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -112,7 +112,6 @@ struct mt_svc {
char *identity;
pid_t pid;
- char *diag_cmd;
int kill_time;
struct tevent_timer *kill_timer;
@@ -373,77 +372,6 @@ static int add_svc_conn_spy(struct mt_svc *svc)
return EOK;
}
-static char *expand_diag_cmd(struct mt_svc *svc,
- const char *template)
-{
- TALLOC_CTX *tmp_ctx = NULL;
- char *copy;
- char *p_copy;
- char *n;
- char *result = NULL;
- char action;
- char *res = NULL;
-
- if (template == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Missing template.\n");
- return NULL;
- }
-
- tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) return NULL;
-
- copy = talloc_strdup(tmp_ctx, template);
- if (copy == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
- goto done;
- }
-
- result = talloc_strdup(tmp_ctx, "");
- if (result == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
- goto done;
- }
-
- p_copy = copy;
- while ((n = strchr(p_copy, '%')) != NULL) {
- *n = '\0';
- n++;
- if ( *n == '\0' ) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "format error, single %% at the end of the template.\n");
- goto done;
- }
-
- action = *n;
- switch (action) {
- case 'p':
- result = talloc_asprintf_append(result, "%s%d", p_copy, svc->pid);
- break;
- default:
- DEBUG(SSSDBG_CRIT_FAILURE,
- "format error, unknown template [%%%c].\n", *n);
- goto done;
- }
-
- if (result == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n");
- goto done;
- }
-
- p_copy = n + 1;
- }
-
- result = talloc_asprintf_append(result, "%s", p_copy);
- if (result == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n");
- goto done;
- }
-
- res = talloc_move(svc, &result);
-done:
- talloc_zfree(tmp_ctx);
- return res;
-}
static void svc_child_info(struct mt_svc *svc, int wait_status)
{
@@ -467,82 +395,6 @@ static void svc_child_info(struct mt_svc *svc, int wait_status)
}
}
-static void svc_diag_cmd_exit_handler(int pid, int wait_status, void *pvt)
-{
- struct mt_svc *svc = talloc_get_type(pvt, struct mt_svc);
-
- svc_child_info(svc, wait_status);
-}
-
-static void svc_run_diag_cmd(struct mt_svc *svc)
-{
- pid_t pkc_pid;
- char **args;
- int ret;
- int debug_fd;
- char *diag_cmd;
- struct sss_child_ctx *diag_child_ctx;
-
- if (svc->diag_cmd == NULL) {
- return;
- }
-
- pkc_pid = fork();
- if (pkc_pid != 0) {
- /* parent, schedule SIGKILL */
-
- ret = sss_child_register(svc,
- svc->mt_ctx->sigchld_ctx,
- pkc_pid,
- svc_diag_cmd_exit_handler,
- svc,
- &diag_child_ctx);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot register child %d\n", pkc_pid);
- /* Try to go on ... */
- }
-
- return;
- }
-
- /* child, execute diagnostics */
- diag_cmd = expand_diag_cmd(svc, svc->diag_cmd);
- if (diag_cmd == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to expand [%s]\n", svc->diag_cmd);
- _exit(1);
- }
-
- if (debug_level >= SSSDBG_TRACE_LIBS) {
- debug_fd = get_fd_from_debug_file();
- ret = dup2(debug_fd, STDERR_FILENO);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_MINOR_FAILURE,
- "dup2 failed for stderr [%d][%s].\n", ret, sss_strerror(ret));
- /* failure to redirect stderr is not fatal */
- }
-
- ret = dup2(debug_fd, STDOUT_FILENO);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_MINOR_FAILURE,
- "dup2 failed for stdout [%d][%s].\n", ret, sss_strerror(ret));
- /* failure to redirect stdout is not fatal */
- }
- }
-
- args = parse_args(diag_cmd);
- execvp(args[0], args);
-
- /* If we are here, exec() has failed
- * Print errno and abort quickly */
- ret = errno;
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Could not exec %s, reason: %s\n", svc->diag_cmd, strerror(ret));
- _exit(1);
-}
-
static int mark_service_as_started(struct mt_svc *svc)
{
struct mt_ctx *ctx = svc->mt_ctx;
@@ -712,8 +564,6 @@ static int monitor_kill_service (struct mt_svc *svc)
return EOK;
}
- svc_run_diag_cmd(svc);
-
/* Set up a timer to send SIGKILL if this process
* doesn't exit within the configured interval
*/
@@ -1147,19 +997,6 @@ static errno_t get_kill_config(struct mt_ctx *ctx, const char *path,
{
errno_t ret;
- ret = confdb_get_string(ctx->cdb, svc, path,
- CONFDB_MONITOR_PRE_KILL_CMD,
- NULL, &svc->diag_cmd);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to get diagnostics command for %s\n", svc->name);
- return ret;
- }
- if (svc->diag_cmd) {
- DEBUG(SSSDBG_CONF_SETTINGS,
- "Diagnostics command: [%s]\n", svc->diag_cmd);
- }
-
ret = confdb_get_int(ctx->cdb, path,
CONFDB_SERVICE_FORCE_TIMEOUT,
MONITOR_DEF_FORCE_TIME, &svc->kill_time);
--
2.9.3

289
0026-MONITOR-Remove-the-no-longer-used-kill_service-comma.patch
View File

@ -1,289 +0,0 @@
From 10e635167418fdf7a896b2cb3d095fd345053103 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 8 May 2016 14:46:25 +0200
Subject: [PATCH 26/39] MONITOR: Remove the no longer used kill_service command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After introducing the watchdog, the force_timeout option is no longer
used.
Resolves:
https://fedorahosted.org/sssd/ticket/3052
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit fa93cd0f0fc75a6d635079e67788f8a9fe183c3c)
---
src/confdb/confdb.h | 1 -
src/man/sssd.conf.5.xml | 33 ------------
src/monitor/monitor.c | 141 ------------------------------------------------
3 files changed, 175 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 58a085ba954cf75a5c756d6f8fbd04e6fa49a687..401e5fbf7ed6bb9e8d7158dfab378c8159aa03db 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -58,7 +58,6 @@
#define CONFDB_SERVICE_DEBUG_TIMESTAMPS "debug_timestamps"
#define CONFDB_SERVICE_DEBUG_MICROSECONDS "debug_microseconds"
#define CONFDB_SERVICE_DEBUG_TO_FILES "debug_to_files"
-#define CONFDB_SERVICE_FORCE_TIMEOUT "force_timeout"
#define CONFDB_SERVICE_RECON_RETRIES "reconnection_retries"
#define CONFDB_SERVICE_FD_LIMIT "fd_limit"
#define CONFDB_SERVICE_ALLOWED_UIDS "allowed_uids"
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e95a7e7e213e07c15e79185730d481e5afceb69c..ae291e0fc8f2f9afabcdf32f18a5ec12252bbbbf 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -549,22 +549,6 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>force_timeout (integer)</term>
- <listitem>
- <para>
- If a service is not responding to ping checks (see
- the <quote>timeout</quote> option), it is first sent
- the SIGTERM signal that instructs it to quit gracefully.
- If the service does not terminate after <quote>force_timeout</quote>
- seconds, the monitor will forcibly shut it down by
- sending a SIGKILL signal.
- </para>
- <para>
- Default: 60
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
<term>offline_timeout (integer)</term>
<listitem>
<para>
@@ -1453,23 +1437,6 @@ pam_account_locked_message = Account locked, please contact help desk.
</varlistentry>
<varlistentry>
- <term>force_timeout (integer)</term>
- <listitem>
- <para>
- If a service is not responding to ping checks (see
- the <quote>timeout</quote> option), it is first sent
- the SIGTERM signal that instructs it to quit gracefully.
- If the service does not terminate after <quote>force_timeout</quote>
- seconds, the monitor will forcibly shut it down by
- sending a SIGKILL signal.
- </para>
- <para>
- Default: 60
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
<term>entry_cache_timeout (integer)</term>
<listitem>
<para>
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index f97b2a960b1835540357714b608feac54c2d72c5..1f89c5a79feab8a921ce2f9132763b37ab506596 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -114,8 +114,6 @@ struct mt_svc {
int kill_time;
- struct tevent_timer *kill_timer;
-
bool svc_started;
int restarts;
@@ -176,8 +174,6 @@ static int monitor_service_init(struct sbus_connection *conn, void *data);
static int service_signal_reset_offline(struct mt_svc *svc);
-static int monitor_kill_service (struct mt_svc *svc);
-
static int get_service_config(struct mt_ctx *ctx, const char *name,
struct mt_svc **svc_cfg);
static int get_provider_config(struct mt_ctx *ctx, const char *name,
@@ -542,95 +538,6 @@ static int monitor_dbus_init(struct mt_ctx *ctx)
}
static void monitor_restart_service(struct mt_svc *svc);
-static void mt_svc_sigkill(struct tevent_context *ev,
- struct tevent_timer *te,
- struct timeval t, void *ptr);
-static int monitor_kill_service (struct mt_svc *svc)
-{
- int ret;
- struct timeval tv;
-
- ret = kill(svc->pid, SIGTERM);
- if (ret == -1) {
- ret = errno;
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Sending signal to child (%s:%d) failed: [%d]: %s! "
- "Ignore and pretend child is dead.\n",
- svc->name, svc->pid, ret, strerror(ret));
- /* The only thing we can try here is to launch a new process
- * and hope that it works.
- */
- monitor_restart_service(svc);
- return EOK;
- }
-
- /* Set up a timer to send SIGKILL if this process
- * doesn't exit within the configured interval
- */
- tv = tevent_timeval_current_ofs(svc->kill_time, 0);
- svc->kill_timer = tevent_add_timer(svc->mt_ctx->ev,
- svc,
- tv,
- mt_svc_sigkill,
- svc);
- if (svc->kill_timer == NULL) {
- /* Nothing much we can do */
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to allocate timed event: mt_svc_sigkill.\n");
- /* We'll just have to hope that the SIGTERM succeeds */
- }
- return EOK;
-}
-
-static void mt_svc_sigkill(struct tevent_context *ev,
- struct tevent_timer *te,
- struct timeval t, void *ptr)
-{
- int ret;
- struct mt_svc *svc = talloc_get_type(ptr, struct mt_svc);
-
- DEBUG(SSSDBG_FATAL_FAILURE,
- "[%s][%d] is not responding to SIGTERM. Sending SIGKILL.\n",
- svc->name, svc->pid);
- sss_log(SSS_LOG_ERR,
- "[%s][%d] is not responding to SIGTERM. Sending SIGKILL.\n",
- svc->name, svc->pid);
-
- /* timer was succesfully executed and it will be released by tevent */
- svc->kill_timer = NULL;
-
- ret = kill(svc->pid, SIGKILL);
- if (ret != EOK) {
- ret = errno;
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Sending signal to child (%s:%d) failed! "
- "Ignore and pretend child is dead.\n",
- svc->name, svc->pid);
-
- if (ret == ESRCH) {
- /* The process doesn't exist
- * This most likely means we hit a race where
- * the SIGTERM concluded just after the timer
- * fired but before we called kill() here.
- * We'll just do nothing, since the
- * mt_svc_exit_handler() should be doing the
- * necessary work.
- */
- return;
- }
-
- /* Something went really wrong.
- * The only thing we can try here is to launch a new process
- * and hope that it works.
- */
- monitor_restart_service(svc);
- }
-
- /* The process should terminate immediately and then be
- * restarted by the mt_svc_exit_handler()
- */
- return;
-}
static void reload_reply(DBusPendingCall *pending, void *data)
{
@@ -708,7 +615,6 @@ static int service_signal(struct mt_svc *svc, const char *svc_signal)
DEBUG(SSSDBG_FATAL_FAILURE,
"Out of memory trying to allocate memory to invoke: %s\n",
svc_signal);
- monitor_kill_service(svc);
return ENOMEM;
}
@@ -992,32 +898,6 @@ static int get_monitor_config(struct mt_ctx *ctx)
return EOK;
}
-static errno_t get_kill_config(struct mt_ctx *ctx, const char *path,
- struct mt_svc *svc)
-{
- errno_t ret;
-
- ret = confdb_get_int(ctx->cdb, path,
- CONFDB_SERVICE_FORCE_TIMEOUT,
- MONITOR_DEF_FORCE_TIME, &svc->kill_time);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to get kill timeout for %s\n", svc->name);
- return ret;
- }
-
- /* 'force_timeout = 0' should be translated to the default */
- if (svc->kill_time == 0) {
- svc->kill_time = MONITOR_DEF_FORCE_TIME;
- }
-
- DEBUG(SSSDBG_CONF_SETTINGS,
- "Time between SIGTERM and SIGKILL for [%s]: [%d]\n",
- svc->name, svc->kill_time);
-
- return EOK;
-}
-
/* This is a temporary function that returns false if the service
* being started was only tested when running as root.
*/
@@ -1154,14 +1034,6 @@ static int get_service_config(struct mt_ctx *ctx, const char *name,
}
}
- ret = get_kill_config(ctx, path, svc);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to get kill timeouts for %s\n", svc->name);
- talloc_free(svc);
- return ret;
- }
-
svc->last_restart = now;
*svc_cfg = svc;
@@ -1249,14 +1121,6 @@ static int get_provider_config(struct mt_ctx *ctx, const char *name,
return ret;
}
- ret = get_kill_config(ctx, path, svc);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to get kill timeouts for %s\n", svc->name);
- talloc_free(svc);
- return ret;
- }
-
talloc_free(path);
/* if no provider is present do not run the domain */
@@ -2540,11 +2404,6 @@ static void mt_svc_exit_handler(int pid, int wait_status, void *pvt)
"SIGCHLD handler of service %s called\n", svc->name);
svc_child_info(svc, wait_status);
- /* Clear the kill_timer so we don't try to SIGKILL it after it's
- * already gone.
- */
- talloc_zfree(svc->kill_timer);
-
/* Check the number of restart tries and relaunch the service */
monitor_restart_service(svc);
--
2.9.3

44
0027-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch
View File

@ -1,44 +0,0 @@
From e293e3a1418e95560498f29147c4e5b1be0b729a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 15 Aug 2016 12:54:20 +0200
Subject: [PATCH 27/39] WATCHDOG: define and use _MAX_TICKS as 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Instead of using the number 3 directly, let's introduce and use
WATCHDOG_MAX_TICKS.
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit d7075a255a1f28e890539072e06d0140ffe0927c)
---
src/util/util_watchdog.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
index 1c27d73f13b3042ecb549a2184e1368e8339d199..c184fbd759bdbca4a9eae379ff0d87e2d1628470 100644
--- a/src/util/util_watchdog.c
+++ b/src/util/util_watchdog.c
@@ -22,6 +22,7 @@
#include "util/util.h"
#define WATCHDOG_DEF_INTERVAL 10
+#define WATCHDOG_MAX_TICKS 3
/* this is intentionally a global variable */
struct watchdog_ctx {
@@ -75,9 +76,8 @@ static void watchdog_handler(int sig)
return;
}
- /* if 3 ticks passed by kills itself */
-
- if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > 3) {
+ /* if a pre-defined number of ticks passed by kills itself */
+ if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Watchdog timer overflow, killing process!\n");
orderly_shutdown(1);
--
2.9.3

52
0028-PROXY-Use-right-name-in-ldap-filter.patch
View File

@ -1,52 +0,0 @@
From f7c519962070d797822c960d297f7de7fa42426a Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 26 Aug 2016 14:57:22 +0200
Subject: [PATCH 28/39] PROXY: Use right name in ldap filter
We used internal fq name in ldap filter
with id_provider proxy to files and auth provider
ldap
[sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(uid=testuser1@ldap)(objectclass=posixAccount))][dc=example,dc=com].
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b4c6060b10b14257e6f01038ae44e46c5a429f33)
---
src/providers/ldap/ldap_auth.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 35f16b0d4a6f8e566b0cf63b65ba46f31e7c1bcd..00d38284e428eea42254820fd08ee4fb125235a6 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -361,7 +361,7 @@ shadow_fail:
/* ==Get-User-DN========================================================== */
struct get_user_dn_state {
- const char *username;
+ char *username;
char *orig_dn;
};
@@ -386,9 +386,14 @@ static struct tevent_req *get_user_dn_send(TALLOC_CTX *memctx,
req = tevent_req_create(memctx, &state, struct get_user_dn_state);
if (!req) return NULL;
- state->username = username;
+ ret = sss_parse_internal_fqname(state, username,
+ &state->username, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot parse %s\n", username);
+ goto done;
+ }
- ret = sss_filter_sanitize(state, username, &clean_name);
+ ret = sss_filter_sanitize(state, state->username, &clean_name);
if (ret != EOK) {
goto done;
}
--
2.9.3

31
0029-SECRETS-Make-internal-function-static.patch
View File

@ -1,31 +0,0 @@
From 2dc376b266eb5f3b3aecc980f1a854eeac7d151b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 16 Aug 2016 20:53:19 +0200
Subject: [PATCH 29/39] SECRETS: Make internal function static
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit cf902c2b247c1b5793ae0ba58fd2dcbb0f78b686)
---
src/responder/secrets/providers.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/responder/secrets/providers.c b/src/responder/secrets/providers.c
index 8d815b4837ce71bac648f38a6a8956771dd0520d..4c601988696dac7856cb1c1eb27264180a9347f9 100644
--- a/src/responder/secrets/providers.c
+++ b/src/responder/secrets/providers.c
@@ -24,7 +24,8 @@
#include "responder/secrets/secsrv_proxy.h"
#include <jansson.h>
-int sec_map_url_to_user_path(struct sec_req_ctx *secreq, char **mapped_path)
+static int sec_map_url_to_user_path(struct sec_req_ctx *secreq,
+ char **mapped_path)
{
uid_t c_euid;
--
2.9.3

34
0030-SECRETS-Make-reading-the-config-options-more-uniform.patch
View File

@ -1,34 +0,0 @@
From e099a2654aa25f98a5f9e7a0e1f0820e8322c372 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 16 Aug 2016 20:59:30 +0200
Subject: [PATCH 30/39] SECRETS: Make reading the config options more uniform
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
One of confdb_get_ calls in sec_get_config() used a variable referenced
from rctx, the other used a hardcoded string. Use one of them on both
places instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit ff35d4ffe5eedcb484deb7ef1a04c02c19e634c9)
---
src/responder/secrets/secsrv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index 6f8052bdf25fe903683d6b26d92b2a4c31743470..eb194a179ae5e3a48547fb00a038f31b8e0264cd 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -35,7 +35,7 @@ static int sec_get_config(struct sec_ctx *sctx)
int ret;
ret = confdb_get_int(sctx->rctx->cdb,
- CONFDB_SEC_CONF_ENTRY,
+ sctx->rctx->confdb_service_path,
CONFDB_SERVICE_FD_LIMIT,
DEFAULT_SEC_FD_LIMIT,
&sctx->fd_limit);
--
2.9.3

46
0031-dyndns-fix-typo-and-unify-ipa-with-ad-debug-message-.patch
View File

@ -1,46 +0,0 @@
From 279b4f57263abcdb84e2386f4cb4256981fb8c2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 4 Aug 2016 14:10:09 +0200
Subject: [PATCH 31/39] dyndns: fix typo and unify ipa with ad debug message
when off
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Petr Čech <pcech@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit b3851e86af91dc1aa6e265d5b2e4279b2611ff43)
---
src/providers/ad/ad_dyndns.c | 2 +-
src/providers/ipa/ipa_init.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/providers/ad/ad_dyndns.c b/src/providers/ad/ad_dyndns.c
index e3f1812837f7cee9d18ef001233871e0fcc16b4c..00190485e8f0ca7362ed60b2df022c74c53988c9 100644
--- a/src/providers/ad/ad_dyndns.c
+++ b/src/providers/ad/ad_dyndns.c
@@ -47,7 +47,7 @@ errno_t ad_dyndns_init(struct be_ctx *be_ctx,
if (dp_opt_get_bool(ad_opts->dyndns_ctx->opts,
DP_OPT_DYNDNS_UPDATE) == false) {
- DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates not set\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are off.\n");
return EOK;
}
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index ca99200a1ba1d9508ac0affffecaa08149552fee..7dec4d1fb8541a48470d4e44f10838e5bea67ad5 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -200,7 +200,7 @@ static errno_t ipa_init_dyndns(struct be_ctx *be_ctx,
enabled = dp_opt_get_bool(ipa_options->dyndns_ctx->opts,
DP_OPT_DYNDNS_UPDATE);
if (!enabled) {
- DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are of.\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are off.\n");
return EOK;
}
--
2.9.3

42
0032-netlink-Don-t-define-USE_GNU.patch
View File

@ -1,42 +0,0 @@
From 2d1d157a07a2b445d6d26573a9763ec62928790f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 30 Aug 2016 15:26:27 +0200
Subject: [PATCH 32/39] netlink: Don't define USE_GNU
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Applications should never #define USE_GNU themselves, but rather
_GNU_SOURCE. This patch removes USE_GNU and replaces it with including
config.h which has _GNU_SOURCE defined if applicable for that platform
See for example:
https://gcc.gnu.org/ml/fortran/2005-10/msg00365.html
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 1384d0ce6ea741aefb56b0006b6268d76e6cc2c2)
---
src/monitor/monitor_netlink.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/monitor/monitor_netlink.c b/src/monitor/monitor_netlink.c
index 22262949c67744493dfa722ff38257a75a5b8291..c4d56b39f29b7686b60da1d561d7db390c272a4d 100644
--- a/src/monitor/monitor_netlink.c
+++ b/src/monitor/monitor_netlink.c
@@ -21,11 +21,12 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "config.h"
+
#include <talloc.h>
#include <tevent.h>
#include <sys/types.h>
#include <sys/ioctl.h>
-#define __USE_GNU /* needed for struct ucred */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
--
2.9.3

140
0033-MONITOR-Remove-leftovers-from-diag_cmd.patch
View File

@ -1,140 +0,0 @@
From d58c29636abcd20ef8e90fae90d8754419c394fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 30 Aug 2016 18:17:46 +0200
Subject: [PATCH 33/39] MONITOR: Remove leftovers from diag_cmd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Seems that when I sent the v2 of 7579cf99 I attached the wrong patch
that ended up being pushed.
That patch was incomplete as there are still some leftovers.
Related:
https://fedorahosted.org/sssd/ticket/3051
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit e04df9feca0c9877c69aa46450d04c556bcb23ad)
---
src/config/SSSDConfig/__init__.py.in | 1 -
src/config/SSSDConfigTest.py | 1 -
src/config/cfg_rules.ini | 9 ---------
src/config/etc/sssd.api.conf | 1 -
4 files changed, 12 deletions(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index b3f04ac26309bb5b518fb87cd0dae2962e853179..fb071270208341f4e993fef95af4e8dc6b58fdbd 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -51,7 +51,6 @@ option_strings = {
'reconnection_retries' : _('Number of times to attempt connection to Data Providers'),
'fd_limit' : _('The number of file descriptors that may be opened by this responder'),
'client_idle_timeout' : _('Idle time before automatic disconnection of a client'),
- 'diag_cmd' : _('The command to run when a service ping times out'),
# [sssd]
'services' : _('SSSD Services to start'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 8fcd1a55c36035a7026f1fb4c8116aaae24e78ef..575a12450eec2e23e7fa30acf72030a0e7e07a50 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -309,7 +309,6 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
'reconnection_retries',
'fd_limit',
'client_idle_timeout',
- 'diag_cmd',
'description',
'certificate_verification',
'override_space']
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index df10538dee4a547a1b1af62a4cfe37b89e236b18..a2c3fa2d5994dc051b72be17e13c512d7f124141 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -25,7 +25,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# Monitor service
option = services
@@ -57,7 +56,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# Name service
option = user_attributes
@@ -96,7 +94,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# Authentication service
option = offline_credentials_expiration
@@ -130,7 +127,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# sudo service
option = sudo_timed
@@ -152,7 +148,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# autofs service
option = autofs_negative_timeout
@@ -173,7 +168,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# ssh service
option = ssh_hash_known_hosts
@@ -196,7 +190,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# PAC responder
option = allowed_uids
@@ -218,7 +211,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
# InfoPipe responder
option = allowed_uids
@@ -239,7 +231,6 @@ option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
-option = diag_cmd
#Available provider types
option = id_provider
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 5e69414f2a490977bdaf1555325814ad61202071..b2f20c5b71fa6bf94656d6270ccd08385a88c06e 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -15,7 +15,6 @@ fd_limit = int, None, false
client_idle_timeout = int, None, false
force_timeout = int, None, false
description = str, None, false
-diag_cmd = str, None, false
[sssd]
# Monitor service
--
2.9.3

175
0034-MONITOR-Remove-leftovers-from-kill_service.patch
View File

@ -1,175 +0,0 @@
From a2145190df8f4faa68a9662a2b5162dd87eca0a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 30 Aug 2016 18:25:21 +0200
Subject: [PATCH 34/39] MONITOR: Remove leftovers from kill_service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Seems that wen I sent the v2 of ac35fe74 I attached the wrong pacth that
ended up being pushed.
The patch was incomplete as there are still some leftovers.
The .po and sssd-docs.pot were not touched as I do believe they are
autogenerated from Zanata.
Related:
https://fedorahosted.org/sssd/ticket/3052
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit 5b0735876aa66464b24cb7736a74fafd8ec82128)
---
src/config/SSSDConfig/__init__.py.in | 1 -
src/config/SSSDConfigTest.py | 3 ---
src/config/cfg_rules.ini | 10 ----------
src/config/etc/sssd.api.conf | 2 --
4 files changed, 16 deletions(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index fb071270208341f4e993fef95af4e8dc6b58fdbd..0191920f93ab9016508e08785c25dd043c180c0b 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -46,7 +46,6 @@ option_strings = {
'debug_microseconds' : _('Include microseconds in timestamps in debug logs'),
'debug_to_files' : _('Write debug messages to logfiles'),
'timeout' : _('Watchdog timeout before restarting service'),
- 'force_timeout' : _('Timeout between three failed ping checks and forcibly killing the service'),
'command' : _('Command to start service'),
'reconnection_retries' : _('Number of times to attempt connection to Data Providers'),
'fd_limit' : _('The number of file descriptors that may be opened by this responder'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 575a12450eec2e23e7fa30acf72030a0e7e07a50..6a0fdf0ea5215103b48dc8521a43ae945342c0e2 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -293,7 +293,6 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
'services',
'domains',
'timeout',
- 'force_timeout',
'sbus_timeout',
're_expression',
'full_name_format',
@@ -505,7 +504,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'min_id',
'max_id',
'timeout',
- 'force_timeout',
'offline_timeout',
'try_inotify',
'command',
@@ -874,7 +872,6 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
'min_id',
'max_id',
'timeout',
- 'force_timeout',
'offline_timeout',
'try_inotify',
'command',
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index a2c3fa2d5994dc051b72be17e13c512d7f124141..5e248066bd554d2a654a764f406f6b33c4d66733 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -23,7 +23,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# Monitor service
@@ -54,7 +53,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# Name service
@@ -92,7 +90,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# Authentication service
@@ -125,7 +122,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# sudo service
@@ -146,7 +142,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# autofs service
@@ -166,7 +161,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# ssh service
@@ -188,7 +182,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# PAC responder
@@ -209,7 +202,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
# InfoPipe responder
@@ -229,7 +221,6 @@ option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
-option = force_timeout
option = description
#Available provider types
@@ -250,7 +241,6 @@ option = timeout
option = try_inotify
option = enumerate
option = subdomain_enumerate
-option = force_timeout
option = offline_timeout
option = cache_credentials
option = cache_credentials_minimal_first_factor_length
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index b2f20c5b71fa6bf94656d6270ccd08385a88c06e..525f939cd204f4d484caa7b490d85b0d50de00ef 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -13,7 +13,6 @@ command = str, None, false
reconnection_retries = int, None, false
fd_limit = int, None, false
client_idle_timeout = int, None, false
-force_timeout = int, None, false
description = str, None, false
[sssd]
@@ -119,7 +118,6 @@ timeout = int, None, false
try_inotify = bool, None, false
enumerate = bool, None, false
subdomain_enumerate = str, None, false
-force_timeout = int, None, false
offline_timeout = int, None, false
cache_credentials = bool, None, false
cache_credentials_minimal_first_factor_length = int, None, false
--
2.9.3

51
0035-SYSDB-Fix-error-handling-in-sysdb_get_user_members_r.patch
View File

@ -1,51 +0,0 @@
From 223395a44a3016c3124aa5ed841c7023068607d8 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 30 Aug 2016 15:37:43 +0200
Subject: [PATCH 35/39] SYSDB: Fix error handling in
sysdb_get_user_members_recursively
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We ignored failures from sysdb_search_entry
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit b969ccc2cc58fdf761e5d314de9217f2d914bc9b)
---
src/db/sysdb_ops.c | 3 +++
src/db/sysdb_views.c | 5 ++++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 44fb5b70e6d33fffbca5824f831a3229254ecb57..e4c8e1e285e3bc49710f71c896ba9a30c742d4fa 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -4738,6 +4738,9 @@ errno_t sysdb_get_user_members_recursively(TALLOC_CTX *mem_ctx,
ret = sysdb_search_entry(tmp_ctx, dom->sysdb, base_dn, LDB_SCOPE_SUBTREE,
filter, attrs, &count, &msgs);
+ if (ret != EOK) {
+ goto done;
+ }
res = talloc_zero(tmp_ctx, struct ldb_result);
if (res == NULL) {
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 79f513d13ba41212a6cd84e1d9e609df6acba29c..9dc48f5b6c414bbc7c64bcd1fe73553f388588bd 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -1374,7 +1374,10 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
ret = sysdb_get_user_members_recursively(tmp_ctx, domain, obj->dn,
&res_members);
- if (ret != EOK) {
+ if (ret == ENOENT) {
+ ret = EOK;
+ goto done;
+ } else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"sysdb_get_user_members_recursively failed.\n");
goto done;
--
2.9.3

34
0036-DEBUG-Apend-line-feed-to-messages-from-libsemanage.patch
View File

@ -1,34 +0,0 @@
From 9e21f9157d7eaf62e48ee9ab43332d336c12708c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Thu, 1 Sep 2016 08:08:00 +0200
Subject: [PATCH 36/39] DEBUG: Apend line feed to messages from libsemanage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It wasn't simple to read log files from libsemanage
because they were on single line.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit a6d279489c35896432e60daa70be5728f0b6c243)
---
src/util/sss_semanage.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
index 81068da98db611e55df8ac2de1a55f5980c3e552..fe06bee1dfec3abca3aa3cd5e85e55386ac11343 100644
--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
@@ -55,7 +55,8 @@ static void sss_semanage_error_callback(void *varg,
va_start(ap, fmt);
if (DEBUG_IS_SET(level)) {
- sss_vdebug_fn(__FILE__, __LINE__, "libsemanage", level, 0, fmt, ap);
+ sss_vdebug_fn(__FILE__, __LINE__, "libsemanage", level,
+ APPEND_LINE_FEED, fmt, ap);
}
va_end(ap);
}
--
2.9.3

43
0037-MAN-Document-the-ldap_user_primary_group-option.patch
View File

@ -1,43 +0,0 @@
From 4417b8170e7bb09fd8d724e36e23ddf89d95cb33 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 31 Aug 2016 10:17:17 +0200
Subject: [PATCH 37/39] MAN: Document the ldap_user_primary_group option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 6f59bb822d1e54e178207be45e382f4ee173c434)
---
src/man/sssd-ldap.5.xml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 6009dd8dfa787874c085c293b2d1f8aac6d95714..bfccfab2222e5b2d68b83ca473e9a3aa0f5308e5 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -299,6 +299,21 @@
</varlistentry>
<varlistentry>
+ <term>ldap_user_primary_group (string)</term>
+ <listitem>
+ <para>
+ Active Directory primary group attribute
+ for ID-mapping. Note that this attribute should
+ only be set manually if you are running the
+ <quote>ldap</quote> provider with ID mapping.
+ </para>
+ <para>
+ Default: unset (LDAP), primaryGroupID (AD)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_user_gecos (string)</term>
<listitem>
<para>
--
2.9.3

36
0038-sdap_initgr_nested_get_membership_diff-use-fully-qua.patch
View File

@ -1,36 +0,0 @@
From 1a28f2ce26d49617eaf865e39d52136181d9663d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 30 Aug 2016 17:30:10 +0200
Subject: [PATCH 38/39] sdap_initgr_nested_get_membership_diff: use
fully-qualified names
I think this is a leftover from the change to use fully-qualified names
in sysdb. To verify this you can create a nested group in IPA. Without
this patch the id command will only show the groups the user is a direct
member of. With the patch the indirect groups memberships should be
shown as well.
https://fedorahosted.org/sssd/ticket/3163
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 5bd3bef4a655fdfacd2f5df8a2343fe7bc68a771)
---
src/providers/ldap/sdap_async_initgroups.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 82c708c226bf1a645ff5a395947dfdbad71e0f1f..f9593f0dfaa2dc6e33fd6c9d1f0c9b78cad3a1d9 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -1414,7 +1414,7 @@ sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx,
group_name, parents_count);
if (parents_count > 0) {
- ret = sysdb_attrs_primary_name_list(dom, tmp_ctx,
+ ret = sysdb_attrs_primary_fqdn_list(dom, tmp_ctx,
ldap_parentlist,
parents_count,
opts->group_map[SDAP_AT_GROUP_NAME].name,
--
2.9.3

50
0039-SYSDB-Removing-of-unused-parameter.patch
View File

@ -1,50 +0,0 @@
From c620bb359ff03f40ffbc36a03d74c921346ecfc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Wed, 31 Aug 2016 08:50:01 +0200
Subject: [PATCH 39/39] SYSDB: Removing of unused parameter
There were unused parameter struct ldb_message *cached_group
in sysdb_store_group_attrs().
This parameter was introduced by
40de79d69860ec7f04bf7795bd88b641ec42fd23
SYSDB: Check if group attributes differ before saving a group
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 0d1d9d8001232f74eca63cbba6c400d507b33823)
---
src/db/sysdb_ops.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index e4c8e1e285e3bc49710f71c896ba9a30c742d4fa..5d9c9fb24a149f8215b3027dcb4b0e1a183e4b43 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2661,7 +2661,6 @@ static errno_t sysdb_store_new_group(struct sss_domain_info *domain,
static errno_t sysdb_store_group_attrs(struct sss_domain_info *domain,
const char *name,
gid_t gid,
- struct ldb_message *cached_group,
struct sysdb_attrs *attrs,
uint64_t cache_timeout,
time_t now);
@@ -2731,7 +2730,7 @@ int sysdb_store_group(struct sss_domain_info *domain,
ret = sysdb_store_new_group(domain, name, gid, attrs,
cache_timeout, now);
} else {
- ret = sysdb_store_group_attrs(domain, name, gid, msg, attrs,
+ ret = sysdb_store_group_attrs(domain, name, gid, attrs,
cache_timeout, now);
}
if (ret != EOK) {
@@ -2811,7 +2810,6 @@ static errno_t sysdb_store_new_group(struct sss_domain_info *domain,
static errno_t sysdb_store_group_attrs(struct sss_domain_info *domain,
const char *name,
gid_t gid,
- struct ldb_message *cached_group,
struct sysdb_attrs *attrs,
uint64_t cache_timeout,
time_t now)
--
2.9.3

38
0040-SYSDB-Suppress-warning-from-clang-static-analyser.patch
View File

@ -1,38 +0,0 @@
From 344773c4c6949757d9719850191229481c9733a9 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Thu, 1 Sep 2016 17:25:23 +0200
Subject: [PATCH 40/79] SYSDB: Suppress warning from clang static analyser
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
scan-build wrongly assumes that output variable
"version" is not initialized if function sysdb_cache_connect
returns ERR_SYSDB_VERSION_TOO_OLD or ERR_SYSDB_VERSION_TOO_NEW
The reality is that output variable "version" is initialized
especially for these two case. Initialisation to NULL suppresses
these false positive reports.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 3f6aecfe5061e165c10829142854ec7189029407)
---
src/db/sysdb_init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index d110aa7a2878e47650db177cfd342d0ac32248ab..538ba027cd94e274ba328d398cc565b11ea56f39 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -688,7 +688,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
struct sysdb_dom_upgrade_ctx *upgrade_ctx)
{
errno_t ret;
- const char *version;
+ const char *version = NULL;
TALLOC_CTX *tmp_ctx;
struct ldb_context *ldb;
--
2.9.3

33
0041-TOOLS-Fix-a-typo-in-groupadd.patch
View File

@ -1,33 +0,0 @@
From 96e8cf44298c257d509219dd9c45b8cdae792ab5 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 6 Sep 2016 12:13:08 +0200
Subject: [PATCH 41/79] TOOLS: Fix a typo in groupadd()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://fedorahosted.org/sssd/ticket/3173
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 6be723a089a1e07a1cd19b4fa53fd142c13f0c69)
---
src/tools/sss_sync_ops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tools/sss_sync_ops.c b/src/tools/sss_sync_ops.c
index a23a0b8c30366d2fb68554bfed184b8fce675e2b..39ef5bec96bd3942da8a8adfd21c99b03a77e551 100644
--- a/src/tools/sss_sync_ops.c
+++ b/src/tools/sss_sync_ops.c
@@ -657,7 +657,7 @@ int groupadd(struct ops_ctx *data)
int ret;
data->sysdb_fqname = sss_create_internal_fqname(data,
- data->sysdb_fqname,
+ data->name,
data->domain->name);
if (data->sysdb_fqname == NULL) {
return ENOMEM;
--
2.9.3

60
0042-TOOLS-sss_groupshow-did-not-work.patch
View File

@ -1,60 +0,0 @@
From e69c1ed1452b43fafb31e252589d7a5aa37f9cf7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Tue, 6 Sep 2016 13:46:53 +0200
Subject: [PATCH 42/79] TOOLS: sss_groupshow did not work
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sss_groupshow used shortname to search
in sysdb database. We have to u e sysdb_fqname
(aka internal_fqname) format for all sysdb
oprations.
Resolves:
https://fedorahosted.org/sssd/ticket/3175
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 5210c5d3a5a83b5d08396ee23d88f6ba0994097d)
---
src/tools/sss_groupshow.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
index 41d7475cef1093a4cb214ec4b017db59e6c26fe2..5870cc802c70366c47a0d30cb0d9795cf6035bc5 100644
--- a/src/tools/sss_groupshow.c
+++ b/src/tools/sss_groupshow.c
@@ -318,7 +318,7 @@ int group_show(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,
bool recursive,
- const char *name,
+ const char *shortname,
struct group_info **res)
{
struct group_info *root;
@@ -326,11 +326,20 @@ int group_show(TALLOC_CTX *mem_ctx,
struct ldb_message *msg = NULL;
const char **group_members = NULL;
int nmembers = 0;
+ char *sysdb_fqname = NULL;
int ret;
int i;
+ sysdb_fqname = sss_create_internal_fqname(mem_ctx,
+ shortname,
+ domain->name);
+ if (sysdb_fqname == NULL) {
+ return ENOMEM;
+ }
+
/* First, search for the root group */
- ret = sysdb_search_group_by_name(mem_ctx, domain, name, attrs, &msg);
+ ret = sysdb_search_group_by_name(mem_ctx, domain, sysdb_fqname, attrs,
+ &msg);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Search failed: %s (%d)\n", strerror(ret), ret);
--
2.9.3

76
0043-TESTS-sss_groupadd-groupshow-regressions.patch
View File

@ -1,76 +0,0 @@
From b5ce7cefc1af161f25e5857aacec88ebd9e47130 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Tue, 6 Sep 2016 17:37:14 +0200
Subject: [PATCH 43/79] TESTS: sss_groupadd/groupshow regressions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds regression CI test for ticket #3173 and #3175.
Resolves:
https://fedorahosted.org/sssd/ticket/3173
https://fedorahosted.org/sssd/ticket/3175
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 20c2d76d9430a1fc069531ff537df046a74c8f61)
---
src/tests/intg/test_local_domain.py | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/src/tests/intg/test_local_domain.py b/src/tests/intg/test_local_domain.py
index b83e56d1b44619083506093ca8cfb9413437c821..56e3812b113b36301d1ec6049e5a1210d3070442 100644
--- a/src/tests/intg/test_local_domain.py
+++ b/src/tests/intg/test_local_domain.py
@@ -19,11 +19,13 @@
import os
import stat
import pwd
+import grp
import time
import config
import signal
import subprocess
import pytest
+import ent
from util import unindent
@@ -90,6 +92,11 @@ def assert_nonexistent_user(name):
pwd.getpwnam(name)
+def assert_nonexistent_group(name):
+ with pytest.raises(KeyError):
+ grp.getgrnam(name)
+
+
def test_wrong_LC_ALL(local_domain_only):
"""
Regression test for ticket
@@ -107,3 +114,22 @@ def test_wrong_LC_ALL(local_domain_only):
subprocess.check_call(["sss_userdel", "foo", "-R"])
assert_nonexistent_user("foo")
os.environ["LC_ALL"] = oldvalue
+
+
+def test_sss_group_add_show_del(local_domain_only):
+ """
+ Regression test for tickets
+ https://fedorahosted.org/sssd/ticket/3173
+ https://fedorahosted.org/sssd/ticket/3175
+ """
+
+ subprocess.check_call(["sss_groupadd", "foo", "-g", "10001"])
+
+ "This should not raise KeyError"
+ ent.assert_group_by_name("foo", dict(name="foo", gid=10001))
+
+ "sss_grupshow should return 0 with existing group name"
+ subprocess.check_call(["sss_groupshow", "foo"])
+
+ subprocess.check_call(["sss_groupdel", "foo"])
+ assert_nonexistent_group("foo")
--
2.9.3

57
0044-TOOLS-use-internal-fqdn-for-DN.patch
View File

@ -1,57 +0,0 @@
From aa17cda3887309ccd67c256a24b980fbd8c2f89a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 7 Sep 2016 10:58:25 +0200
Subject: [PATCH 44/79] TOOLS: use internal fqdn for DN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use internal fqdn when creating sysdb group dn.
Resolves:
https://fedorahosted.org/sssd/ticket/3178
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 5e2142b66589e5e50cb404fc972ed5418bbaa772)
---
src/tools/sss_sync_ops.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/tools/sss_sync_ops.c b/src/tools/sss_sync_ops.c
index 39ef5bec96bd3942da8a8adfd21c99b03a77e551..a0291baeada49b9f21e040a54e303214d5a46332 100644
--- a/src/tools/sss_sync_ops.c
+++ b/src/tools/sss_sync_ops.c
@@ -137,6 +137,7 @@ static int mod_groups_member(struct sss_domain_info *dom,
struct ldb_dn *parent_dn;
int ret;
int i;
+ char *grp_sysdb_fqname = NULL;
tmpctx = talloc_new(NULL);
if (!tmpctx) {
@@ -145,13 +146,21 @@ static int mod_groups_member(struct sss_domain_info *dom,
/* FIXME: add transaction around loop */
for (i = 0; grouplist[i]; i++) {
+ grp_sysdb_fqname = sss_create_internal_fqname(tmpctx, grouplist[i],
+ dom->name);
+ if (grp_sysdb_fqname == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
- parent_dn = sysdb_group_dn(tmpctx, dom, grouplist[i]);
+ parent_dn = sysdb_group_dn(tmpctx, dom, grp_sysdb_fqname);
if (!parent_dn) {
ret = ENOMEM;
goto done;
}
+ talloc_free(grp_sysdb_fqname);
+
ret = sysdb_mod_group_member(dom, member_dn, parent_dn, optype);
if (ret) {
goto done;
--
2.9.3

66
0045-TESTS-Test-for-sss_user-groupmod-a.patch
View File

@ -1,66 +0,0 @@
From 1b692a1142ec59e27ebb99666634a6e0464317d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 7 Sep 2016 13:08:59 +0200
Subject: [PATCH 45/79] TESTS: Test for sss_user/groupmod -a
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Regression tests for ticket #3178.
Resolves:
https://fedorahosted.org/sssd/ticket/3178
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 7fa4964d84f41bd80a6d971ffaeef87a7c2f19be)
---
src/tests/intg/test_local_domain.py | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/src/tests/intg/test_local_domain.py b/src/tests/intg/test_local_domain.py
index 56e3812b113b36301d1ec6049e5a1210d3070442..5e3e3d4d1cdc6db5d68a6e5b9d96d94c2c694b14 100644
--- a/src/tests/intg/test_local_domain.py
+++ b/src/tests/intg/test_local_domain.py
@@ -133,3 +133,39 @@ def test_sss_group_add_show_del(local_domain_only):
subprocess.check_call(["sss_groupdel", "foo"])
assert_nonexistent_group("foo")
+
+
+def test_add_local_user_to_local_group(local_domain_only):
+ """
+ Regression test for ticket
+ https://fedorahosted.org/sssd/ticket/3178
+ """
+ subprocess.check_call(["sss_groupadd", "-g", "10009", "group10009"])
+ subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user10009"])
+ subprocess.check_call(["sss_usermod", "-a", "group10009", "user10009"])
+
+ ent.assert_group_by_name(
+ "group10009",
+ dict(name="group10009", passwd="*", gid=10009,
+ mem=ent.contains_only("user10009")))
+
+
+def test_add_local_group_to_local_group(local_domain_only):
+ """
+ Regression test for tickets
+ https://fedorahosted.org/sssd/ticket/3178
+ """
+ subprocess.check_call(["sss_groupadd", "-g", "10009", "group_child"])
+ subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user_child"])
+ subprocess.check_call(["sss_usermod", "-a", "group_child", "user_child"])
+
+ subprocess.check_call(["sss_groupadd", "-g", "10008", "group_parent"])
+ subprocess.check_call(
+ ["sss_groupmod", "-a", "group_parent", "group_child"])
+
+ # User from child_group is member of parent_group, so child_group's
+ # member must be also parent_group's member
+ ent.assert_group_by_name(
+ "group_parent",
+ dict(name="group_parent", passwd="*", gid=10008,
+ mem=ent.contains_only("user_child")))
--
2.9.3

138
0046-TOOLS-sss_mc_refresh_nested_group-short-fqname-usage.patch
View File

@ -1,138 +0,0 @@
From ce402d01616b2a8ea5c3354085a07910e4903820 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 7 Sep 2016 14:43:13 +0200
Subject: [PATCH 46/79] TOOLS: sss_mc_refresh_nested_group short/fqname usage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We use shortname to refresh memory cache, but in case of nested groups,
we used internal_fqname to refresh parent groups.
We also wrongly used the shortname for sysdb_search operation.
Which caused error message to be printed when sss_usermod -a or
sss_groupmod -a where called.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit cb54dbad6be907d277ce6aa39524338643e2f5a4)
---
src/tools/tools_mc_util.c | 66 +++++++++++++++++++++++++++++++++--------------
1 file changed, 47 insertions(+), 19 deletions(-)
diff --git a/src/tools/tools_mc_util.c b/src/tools/tools_mc_util.c
index 2516a1981ddd965d4cae8c469ed79aaef8fa7193..716e3760f67d958f2139adbb49998d9e352d23f4 100644
--- a/src/tools/tools_mc_util.c
+++ b/src/tools/tools_mc_util.c
@@ -293,62 +293,90 @@ errno_t sss_mc_refresh_group(const char *groupname)
return sss_mc_refresh_ent(groupname, SSS_TOOLS_GROUP);
}
-errno_t sss_mc_refresh_nested_group(struct tools_ctx *tctx,
- const char *name)
+static errno_t sss_mc_refresh_nested_group(struct tools_ctx *tctx,
+ const char *shortname)
{
errno_t ret;
- struct ldb_message *msg;
+ struct ldb_message *msg = NULL;
struct ldb_message_element *el;
const char *attrs[] = { SYSDB_MEMBEROF,
SYSDB_NAME,
NULL };
size_t i;
- char *parent_name;
+ char *parent_internal_name;
+ char *parent_outname;
+ char *internal_name;
+ TALLOC_CTX *tmpctx;
- ret = sss_mc_refresh_group(name);
+ tmpctx = talloc_new(tctx);
+ if (tmpctx == NULL) {
+ return ENOMEM;
+ }
+
+ internal_name = sss_create_internal_fqname(tmpctx, shortname,
+ tctx->local->name);
+ if (internal_name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sss_mc_refresh_group(shortname);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot refresh group %s from memory cache\n", name);
+ "Cannot refresh group %s from memory cache\n", shortname);
/* try to carry on */
}
- ret = sysdb_search_group_by_name(tctx, tctx->local, name, attrs, &msg);
+ ret = sysdb_search_group_by_name(tmpctx, tctx->local, internal_name, attrs,
+ &msg);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Search failed: %s (%d)\n", strerror(ret), ret);
- return ret;
+ goto done;
}
el = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
if (!el || el->num_values == 0) {
- DEBUG(SSSDBG_TRACE_INTERNAL, "Group %s has no parents\n", name);
- talloc_free(msg);
- return EOK;
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Group %s has no parents\n",
+ internal_name);
+ ret = EOK;
+ goto done;
}
/* This group is nested. We need to invalidate all its parents, too */
for (i=0; i < el->num_values; i++) {
- ret = sysdb_group_dn_name(tctx->sysdb, tctx,
+ ret = sysdb_group_dn_name(tctx->sysdb, tmpctx,
(const char *) el->values[i].data,
- &parent_name);
+ &parent_internal_name);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Malformed DN [%s]? Skipping\n",
(const char *) el->values[i].data);
- talloc_free(parent_name);
+ talloc_free(parent_internal_name);
continue;
}
- ret = sss_mc_refresh_group(parent_name);
- talloc_free(parent_name);
+ parent_outname = sss_output_name(tmpctx, parent_internal_name,
+ tctx->local->case_preserve, 0);
+ if (parent_outname == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sss_mc_refresh_group(parent_outname);
+ talloc_free(parent_internal_name);
+ talloc_free(parent_outname);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot refresh group %s from memory cache\n", name);
+ "Cannot refresh group %s from memory cache\n", parent_outname);
/* try to carry on */
}
}
- talloc_free(msg);
- return EOK;
+ ret = EOK;
+
+done:
+ talloc_free(tmpctx);
+ return ret;
}
errno_t sss_mc_refresh_grouplist(struct tools_ctx *tctx,
--
2.9.3

117
0047-TESTS-Add-FQDN-variants-for-some-tests.patch
View File

@ -1,117 +0,0 @@
From 8f08ebcc6897b8b18f18554adfa5c55ab1313f2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 7 Sep 2016 15:00:12 +0200
Subject: [PATCH 47/79] TESTS: Add FQDN variants for some tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds FQDN variants of some already existing tests.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit f2d1d90a14267c01155eab7bb95b8eb34128acc9)
---
src/tests/intg/test_local_domain.py | 83 +++++++++++++++++++++++++++++++++++++
1 file changed, 83 insertions(+)
diff --git a/src/tests/intg/test_local_domain.py b/src/tests/intg/test_local_domain.py
index 5e3e3d4d1cdc6db5d68a6e5b9d96d94c2c694b14..b34e4a3d31cdbc1dc257d8fffcf0f5a07803b20c 100644
--- a/src/tests/intg/test_local_domain.py
+++ b/src/tests/intg/test_local_domain.py
@@ -87,6 +87,27 @@ def local_domain_only(request):
return None
+@pytest.fixture
+def local_domain_only_fqdn(request):
+ conf = unindent("""\
+ [sssd]
+ domains = LOCAL
+ services = nss
+
+ [nss]
+ memcache_timeout = 0
+
+ [domain/LOCAL]
+ id_provider = local
+ min_id = 10000
+ max_id = 20000
+ use_fully_qualified_names = True
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
def assert_nonexistent_user(name):
with pytest.raises(KeyError):
pwd.getpwnam(name)
@@ -169,3 +190,65 @@ def test_add_local_group_to_local_group(local_domain_only):
"group_parent",
dict(name="group_parent", passwd="*", gid=10008,
mem=ent.contains_only("user_child")))
+
+
+def test_sss_group_add_show_del_fqdn(local_domain_only_fqdn):
+ """
+ Regression test for tickets
+ https://fedorahosted.org/sssd/ticket/3173
+ https://fedorahosted.org/sssd/ticket/3175
+ """
+
+ subprocess.check_call(["sss_groupadd", "foo@LOCAL", "-g", "10001"])
+
+ "This should not raise KeyError"
+ ent.assert_group_by_name("foo@LOCAL", dict(name="foo@LOCAL", gid=10001))
+
+ "sss_grupshow should return 0 with existing group name"
+ subprocess.check_call(["sss_groupshow", "foo@LOCAL"])
+
+ subprocess.check_call(["sss_groupdel", "foo@LOCAL"])
+ assert_nonexistent_group("foo@LOCAL")
+
+
+def test_add_local_user_to_local_group_fqdn(local_domain_only_fqdn):
+ """
+ Regression test for ticket
+ https://fedorahosted.org/sssd/ticket/3178
+ """
+ subprocess.check_call(
+ ["sss_groupadd", "-g", "10009", "group10009@LOCAL"])
+ subprocess.check_call(
+ ["sss_useradd", "-u", "10009", "-M", "user10009@LOCAL"])
+ subprocess.check_call(
+ ["sss_usermod", "-a", "group10009@LOCAL", "user10009@LOCAL"])
+
+ ent.assert_group_by_name(
+ "group10009@LOCAL",
+ dict(name="group10009@LOCAL", passwd="*", gid=10009,
+ mem=ent.contains_only("user10009@LOCAL")))
+
+
+def test_add_local_group_to_local_group_fqdn(local_domain_only_fqdn):
+ """
+ Regression test for tickets
+ https://fedorahosted.org/sssd/ticket/3178
+ """
+ subprocess.check_call(
+ ["sss_groupadd", "-g", "10009", "group_child@LOCAL"])
+ subprocess.check_call(
+ ["sss_useradd", "-u", "10009", "-M", "user_child@LOCAL"])
+ subprocess.check_call(
+ ["sss_usermod", "-a", "group_child@LOCAL", "user_child@LOCAL"])
+
+ subprocess.check_call(
+ ["sss_groupadd", "-g", "10008", "group_parent@LOCAL"])
+ subprocess.check_call(
+ ["sss_groupmod", "-a", "group_parent@LOCAL", "group_child@LOCAL"])
+
+ # User from child_group is member of parent_group, so child_group's
+ # member must be also parent_group's member
+ ent.assert_group_by_name(
+ "group_parent@LOCAL",
+ dict(name="group_parent@LOCAL", passwd="*", gid=10008,
+ mem=ent.contains_only("user_child@LOCAL")))
--
2.9.3

156
0048-KRB5-Send-the-output-username-not-internal-fqname-to.patch
View File

@ -1,156 +0,0 @@
From 99e3e869ae031ce70f6f7a0d7435bf9969cf3108 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 7 Sep 2016 12:07:36 +0200
Subject: [PATCH 48/79] KRB5: Send the output username, not internal fqname to
krb5_child
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
krb5_child calls krb5_kuserok() during the access phase which checks if
a particular user is allowed to authenticate as a particular principal.
We used to pass the internal fqname to krb5_kuserok() which broke the
functionality and all users were denied access.
This patch changes that to send the 'output' username to krb5_child,
because that's the username the system receives through getpwnam() or
getpwuid() anyway. The patch also adds a new structure member fo the
krb5child_req structure to avoid reusing the pd->user variable but have
an explicit one that serves as the input for the child process.
Resolves:
https://fedorahosted.org/sssd/ticket/3172
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit fedfb7c62b4efa89d18d0d3a7895a2a34ec4ce42)
---
src/providers/krb5/krb5_access.c | 10 ++++++++--
src/providers/krb5/krb5_auth.c | 18 ++++++++++++++----
src/providers/krb5/krb5_auth.h | 9 ++++++---
src/providers/krb5/krb5_child_handler.c | 4 ++--
4 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c
index 3afb90150d77ef4ab2c1b5b79abb95d68eb131f6..be9068c0f9180f8de0de259aae368534effaf7fb 100644
--- a/src/providers/krb5/krb5_access.c
+++ b/src/providers/krb5/krb5_access.c
@@ -51,6 +51,7 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
int ret;
const char **attrs;
struct ldb_result *res;
+ struct sss_domain_info *dom;
req = tevent_req_create(mem_ctx, &state, struct krb5_access_state);
if (req == NULL) {
@@ -64,8 +65,13 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
state->krb5_ctx = krb5_ctx;
state->access_allowed = false;
- ret = krb5_setup(state, pd, krb5_ctx, be_ctx->domain->case_sensitive,
- &state->kr);
+ ret = get_domain_or_subdomain(be_ctx, pd->domain, &dom);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_domain_or_subdomain failed.\n");
+ goto done;
+ }
+
+ ret = krb5_setup(state, pd, dom, krb5_ctx, &state->kr);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n");
goto done;
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index dabf55cf24a8afda16fee6697120c7c6f088b796..f0f2280022a3ee951ccfa0040b616c48c3b25706 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -174,8 +174,10 @@ done:
return ret;
}
-errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
- struct krb5_ctx *krb5_ctx, bool cs,
+errno_t krb5_setup(TALLOC_CTX *mem_ctx,
+ struct pam_data *pd,
+ struct sss_domain_info *dom,
+ struct krb5_ctx *krb5_ctx,
struct krb5child_req **_krb5_req)
{
struct krb5child_req *kr;
@@ -201,13 +203,21 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
kr->krb5_ctx = krb5_ctx;
ret = get_krb_primary(krb5_ctx->name_to_primary,
- pd->user, cs, &mapped_name);
+ pd->user, dom->case_sensitive, &mapped_name);
if (ret == EOK) {
DEBUG(SSSDBG_TRACE_FUNC, "Setting mapped name to: %s\n", mapped_name);
kr->user = mapped_name;
+ kr->kuserok_user = mapped_name;
} else if (ret == ENOENT) {
DEBUG(SSSDBG_TRACE_ALL, "No mapping for: %s\n", pd->user);
kr->user = pd->user;
+
+ kr->kuserok_user = sss_output_name(kr, kr->user,
+ dom->case_sensitive, 0);
+ if (kr->kuserok_user == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
} else {
DEBUG(SSSDBG_CRIT_FAILURE, "get_krb_primary failed - %s:[%d]\n",
sss_strerror(ret), ret);
@@ -534,7 +544,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
attrs[6] = SYSDB_AUTH_TYPE;
attrs[7] = NULL;
- ret = krb5_setup(state, pd, krb5_ctx, state->domain->case_sensitive,
+ ret = krb5_setup(state, pd, state->domain, krb5_ctx,
&state->kr);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n");
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index dbad061f0203b6383daeeab506bf9950d892ea4b..11bb595833269177b7e2c5fc6372d6a6fb6d93d2 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -57,11 +57,14 @@ struct krb5child_req {
bool send_pac;
const char *user;
+ const char *kuserok_user;
};
-errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
- struct krb5_ctx *krb5_ctx, bool case_sensitive,
- struct krb5child_req **krb5_req);
+errno_t krb5_setup(TALLOC_CTX *mem_ctx,
+ struct pam_data *pd,
+ struct sss_domain_info *dom,
+ struct krb5_ctx *krb5_ctx,
+ struct krb5child_req **_krb5_req);
struct tevent_req *
krb5_pam_handler_send(TALLOC_CTX *mem_ctx,
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 09a1e5f59494a5c07d5c9eefb94919ca9389cb27..1eec7261f00976b3725fee9323755edecd5409a5 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -161,7 +161,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
}
if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
- username_len = strlen(kr->pd->user);
+ username_len = strlen(kr->kuserok_user);
buf->size += sizeof(uint32_t) + username_len;
}
@@ -217,7 +217,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
SAFEALIGN_SET_UINT32(&buf->data[rp], username_len, &rp);
- safealign_memcpy(&buf->data[rp], kr->pd->user, username_len, &rp);
+ safealign_memcpy(&buf->data[rp], kr->kuserok_user, username_len, &rp);
}
*io_buf = buf;
--
2.9.3

113
0049-MONITOR-Remove-disable-netlink-command-line-option.patch
View File

@ -1,113 +0,0 @@
From 29a4731b129d759870a4706525396948814c8e27 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Fri, 26 Aug 2016 15:15:32 -0400
Subject: [PATCH 49/79] MONITOR: Remove --disable-netlink command-line option
Removing monitor command-line option, to be superceded by
sssd.conf option
Reviewed-by: Petr Cech <pcech@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 632fc5d8991d167eea20769c823163551c3f1d8c)
---
src/man/sssd.8.xml | 11 -----------
src/monitor/monitor.c | 33 ++++++++++++++++++++-------------
2 files changed, 20 insertions(+), 24 deletions(-)
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
index ca8444d31ebca3d65a3baf83e20d458226ed5cd4..923da6824907f0d2d140d9ca83f87338e7664f83 100644
--- a/src/man/sssd.8.xml
+++ b/src/man/sssd.8.xml
@@ -114,17 +114,6 @@
</varlistentry>
<varlistentry>
<term>
- <option>--disable-netlink</option>
- </term>
- <listitem>
- <para>
- sssd will ignore Netlink changes when making decisions
- about resetting online and offline operational status.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
<option>-c</option>,<option>--config</option>
</term>
<listitem>
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 1f89c5a79feab8a921ce2f9132763b37ab506596..442bdbc423aaa1224d17b9f357193ec73b045d29 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -2041,8 +2041,7 @@ static void missing_resolv_conf(struct tevent_context *ev,
}
static int monitor_process_init(struct mt_ctx *ctx,
- const char *config_file,
- bool opt_netlinkoff)
+ const char *config_file)
{
TALLOC_CTX *tmp_ctx;
struct tevent_signal *tes;
@@ -2173,14 +2172,12 @@ static int monitor_process_init(struct mt_ctx *ctx,
return ret;
}
- if (opt_netlinkoff == false) {
- ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
- ctx, &ctx->nlctx);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Cannot set up listening for network notifications\n");
- return ret;
- }
+ ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
+ ctx, &ctx->nlctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot set up listening for network notifications\n");
+ return ret;
}
/* start providers */
@@ -2488,7 +2485,8 @@ int main(int argc, const char *argv[])
_("Become a daemon (default)"), NULL }, \
{"interactive", 'i', POPT_ARG_NONE, &opt_interactive, 0, \
_("Run interactive (not a daemon)"), NULL}, \
- {"disable-netlink", '\0', POPT_ARG_NONE, &opt_netlinkoff, 0, \
+ {"disable-netlink", '\0', POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
+ &opt_netlinkoff, 0, \
_("Disable netlink interface"), NULL}, \
{"config", 'c', POPT_ARG_STRING, &opt_config_file, 0, \
_("Specify a non-default config file"), NULL}, \
@@ -2575,6 +2573,15 @@ int main(int argc, const char *argv[])
config_file = talloc_strdup(tmp_ctx, SSSD_CONFIG_FILE);
}
+ if (opt_netlinkoff) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Option --disable-netlink has been removed and "
+ "replaced as a monitor option in sssd.conf\n");
+ sss_log(SSS_LOG_ALERT,
+ "--disable-netlink has been deprecated, tunable option "
+ "disable_netlink available as replacement(man sssd.conf)");
+ }
+
if (!config_file) {
return 6;
}
@@ -2692,8 +2699,8 @@ int main(int argc, const char *argv[])
monitor->ev = main_ctx->event_ctx;
talloc_steal(main_ctx, monitor);
- ret = monitor_process_init(monitor, config_file,
- opt_netlinkoff);
+ ret = monitor_process_init(monitor, config_file);
+
if (ret != EOK) return 3;
talloc_free(tmp_ctx);
--
2.9.3

163
0050-MONITOR-Add-disable_netlink-option.patch
View File

@ -1,163 +0,0 @@
From ed7875afc4ab7e8441eb70f346c774dd49ddfd9b Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Fri, 26 Aug 2016 17:43:25 -0400
Subject: [PATCH 50/79] MONITOR: Add disable_netlink option
Adding a new monitor boolean option to disable netlink support.
This will give users more control over sssd state changes without
having to modify systemd unit files.
Resolves:
https://fedorahosted.org/sssd/ticket/3142
Reviewed-by: Petr Cech <pcech@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 081c6d8c7c8e75487d1c4e42862964be1e85b575)
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/SSSDConfigTest.py | 3 ++-
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 18 ++++++++++++++++++
src/monitor/monitor.c | 21 ++++++++++++++++++---
7 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 401e5fbf7ed6bb9e8d7158dfab378c8159aa03db..2d650900170d5f2214aa56f00fc749980e53f516 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -73,6 +73,7 @@
#define CONFDB_MONITOR_OVERRIDE_SPACE "override_space"
#define CONFDB_MONITOR_USER_RUNAS "user"
#define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
+#define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink"
/* Both monitor and domains */
#define CONFDB_NAME_REGEX "re_expression"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 0191920f93ab9016508e08785c25dd043c180c0b..2027028f7b4e972c7bc0dd5156fd85157ae192f4 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -62,6 +62,7 @@ option_strings = {
'user' : _('The user to drop privileges to'),
'certificate_verification' : _('Tune certificate verification'),
'override_space': _('All spaces in group or user names will be replaced with this character'),
+ 'disable_netlink' : _('Tune sssd to honor or ignore netlink state changes'),
# [nss]
'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 6a0fdf0ea5215103b48dc8521a43ae945342c0e2..8a64a257ab978b81ae4b26918c683b25a30fe7c1 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -310,7 +310,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
'client_idle_timeout',
'description',
'certificate_verification',
- 'override_space']
+ 'override_space',
+ 'disable_netlink']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 5e248066bd554d2a654a764f406f6b33c4d66733..93c10e2b7892027f0ee7a7af096814fb7cac333a 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -38,6 +38,7 @@ option = default_domain_suffix
option = certificate_verification
option = override_space
option = config_file_version
+option = disable_netlink
[rule/allowed_nss_options]
validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 525f939cd204f4d484caa7b490d85b0d50de00ef..9e4bf2f6e5d536099af75a82126bc577e10386b4 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -28,6 +28,7 @@ user = str, None, false
default_domain_suffix = str, None, false
certificate_verification = str, None, false
override_space = str, None, false
+disable_netlink = bool, None, false
[nss]
# Name service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index ae291e0fc8f2f9afabcdf32f18a5ec12252bbbbf..6f231b8ab8fc078d83331bb7ef5b980528a30bd6 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -482,6 +482,24 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>disable_netlink (boolean)</term>
+ <listitem>
+ <para>
+ SSSD hooks into the netlink interface to
+ monitor changes to routes, addresses, links
+ and trigger certain actions.
+ </para>
+ <para>
+ The SSSD state changes caused by netlink
+ events may be undesirable and can be disabled
+ by setting this option to 'true'
+ </para>
+ <para>
+ Default: false (netlink changes are detected)
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
</refsect2>
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 442bdbc423aaa1224d17b9f357193ec73b045d29..84a144e56294c7af5d818b71fbe3664cd2fc1a94 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -2052,6 +2052,7 @@ static int monitor_process_init(struct mt_ctx *ctx,
int num_providers;
int ret;
int error;
+ bool disable_netlink;
struct sysdb_upgrade_ctx db_up_ctx;
/* Set up the environment variable for the Kerberos Replay Cache */
@@ -2172,14 +2173,28 @@ static int monitor_process_init(struct mt_ctx *ctx,
return ret;
}
- ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
- ctx, &ctx->nlctx);
+ ret = confdb_get_bool(ctx->cdb,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_DISABLE_NETLINK,
+ false, &disable_netlink);
+
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
- "Cannot set up listening for network notifications\n");
+ "Failed to read disable_netlink from confdb: [%d] %s\n",
+ ret, sss_strerror(ret));
return ret;
}
+ if (disable_netlink == false) {
+ ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
+ ctx, &ctx->nlctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot set up listening for network notifications\n");
+ return ret;
+ }
+ }
+
/* start providers */
num_providers = 0;
for (dom = ctx->domains; dom; dom = get_next_domain(dom, 0)) {
--
2.9.3

67
0051-TOOLS-sss_override-without-name-override.patch
View File

@ -1,67 +0,0 @@
From 467253ff3b281f34668a482c5ece7ece11a4b213 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 7 Sep 2016 17:09:53 +0200
Subject: [PATCH 51/79] TOOLS: sss_override without name override
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sss_override failed to export user/group overrides
if user had no overrides for name.
Resolves:
https://fedorahosted.org/sssd/ticket/3179
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 07e7683f5a86991feaa764e2055116554ada1b93)
---
src/tools/sss_override.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index d41da52e69acdb67b5a6d624254e3b89a8aa27b8..212bf9ab84b20d4777fc2601359fad58596bb7c4 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -1159,12 +1159,14 @@ list_user_overrides(TALLOC_CTX *mem_ctx,
}
fqname = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
- ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
- if (ret != EOK) {
- ret = ERR_WRONG_NAME_FORMAT;
- goto done;
+ if (fqname != NULL) {
+ ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
+ if (ret != EOK) {
+ ret = ERR_WRONG_NAME_FORMAT;
+ goto done;
+ }
+ objs[i].name = talloc_steal(objs, name);
}
- objs[i].name = talloc_steal(objs, name);
objs[i].uid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_UIDNUM, 0);
objs[i].gid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
@@ -1248,12 +1250,14 @@ list_group_overrides(TALLOC_CTX *mem_ctx,
talloc_steal(objs, objs[i].orig_name);
fqname = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
- ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
- if (ret != EOK) {
- ret = ERR_WRONG_NAME_FORMAT;
- goto done;
+ if (fqname != NULL) {
+ ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
+ if (ret != EOK) {
+ ret = ERR_WRONG_NAME_FORMAT;
+ goto done;
+ }
+ objs[i].name = talloc_steal(objs, name);
}
- objs[i].name = talloc_steal(objs, name);
objs[i].gid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
}
--
2.9.3

203
0052-TEST-Add-regression-test-for-ticket-3179.patch
View File

@ -1,203 +0,0 @@
From b7886a50d6467d9130fade4d0e94a818c2cc6300 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 7 Sep 2016 18:23:16 +0200
Subject: [PATCH 52/79] TEST: Add regression test for ticket #3179
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://fedorahosted.org/sssd/ticket/3179
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 1c72723cde8bea0d390b928c7cd29e48e7a7deab)
---
src/tests/intg/ldap_local_override_test.py | 126 ++++++++++++++++++++++++++---
1 file changed, 114 insertions(+), 12 deletions(-)
diff --git a/src/tests/intg/ldap_local_override_test.py b/src/tests/intg/ldap_local_override_test.py
index 63de836d4d645b2e2be968bb23ce84f0cb90189a..714268f024d0f7b01309c55a84f56d0d1aec58f9 100644
--- a/src/tests/intg/ldap_local_override_test.py
+++ b/src/tests/intg/ldap_local_override_test.py
@@ -205,27 +205,38 @@ def assert_user_default():
ent.assert_passwd_by_name('user2@LDAP', user2)
-def assert_user_overriden():
+def assert_user_overriden(override_name=True):
- user1 = dict(name='ov_user1', passwd='*', uid=10010, gid=20010,
+ if override_name:
+ name1 = "ov_user1"
+ name2 = "ov_user2"
+ else:
+ name1 = "user1"
+ name2 = "user2"
+
+ user1 = dict(name=name1, passwd='*', uid=10010, gid=20010,
gecos='Overriden User 1',
dir='/home/ov/user1',
shell='/bin/ov_user1_shell')
- user2 = dict(name='ov_user2', passwd='*', uid=10020, gid=20020,
+ user2 = dict(name=name2, passwd='*', uid=10020, gid=20020,
gecos='Overriden User 2',
dir='/home/ov/user2',
shell='/bin/ov_user2_shell')
ent.assert_passwd_by_name('user1', user1)
ent.assert_passwd_by_name('user1@LDAP', user1)
- ent.assert_passwd_by_name('ov_user1', user1)
- ent.assert_passwd_by_name('ov_user1@LDAP', user1)
+
+ if override_name:
+ ent.assert_passwd_by_name('ov_user1', user1)
+ ent.assert_passwd_by_name('ov_user1@LDAP', user1)
ent.assert_passwd_by_name('user2', user2)
ent.assert_passwd_by_name('user2@LDAP', user2)
- ent.assert_passwd_by_name('ov_user2', user2)
- ent.assert_passwd_by_name('ov_user2@LDAP', user2)
+
+ if override_name:
+ ent.assert_passwd_by_name('ov_user2', user2)
+ ent.assert_passwd_by_name('ov_user2@LDAP', user2)
#
@@ -514,6 +525,54 @@ def test_imp_exp_user_override(ldap_conn, env_imp_exp_user_override):
assert_user_overriden()
+# Regression test for bug 3179
+
+
+def test_imp_exp_user_overrride_noname(ldap_conn,
+ env_two_users_and_group):
+
+ # Override
+ subprocess.check_call(["sss_override", "user-add", "user1",
+ "-u", "10010",
+ "-g", "20010",
+ "-c", "Overriden User 1",
+ "-h", "/home/ov/user1",
+ "-s", "/bin/ov_user1_shell"])
+
+ subprocess.check_call(["sss_override", "user-add", "user2@LDAP",
+ "-u", "10020",
+ "-g", "20020",
+ "-c", "Overriden User 2",
+ "-h", "/home/ov/user2",
+ "-s", "/bin/ov_user2_shell"])
+
+ # Restart SSSD so the override might take effect
+ restart_sssd()
+
+ # Assert entries are overriden
+ assert_user_overriden(override_name=False)
+
+ # Export overrides
+ subprocess.check_call(["sss_override", "user-export", OVERRIDE_FILENAME])
+
+ # Drop all overrides
+ subprocess.check_call(["sss_override", "user-del", "user1"])
+ subprocess.check_call(["sss_override", "user-del", "user2@LDAP"])
+
+ # Avoid hitting memory cache
+ time.sleep(2)
+
+ # Assert entries are not overridden
+ assert_user_default()
+
+ # Import overrides
+ subprocess.check_call(["sss_override", "user-import",
+ OVERRIDE_FILENAME])
+ restart_sssd()
+
+ assert_user_overriden(override_name=False)
+
+
#
# Override user-show
#
@@ -581,7 +640,7 @@ def test_find_user_override(ldap_conn, env_find_user_override):
# Common group asserts
#
-def assert_group_overriden():
+def assert_group_overriden(override_name=True):
# Assert entries are overridden
empty_group = dict(gid=3002, mem=ent.contains_only())
@@ -589,13 +648,17 @@ def assert_group_overriden():
ent.assert_group_by_name("group", group)
ent.assert_group_by_name("group@LDAP", group)
- ent.assert_group_by_name("ov_group", group)
- ent.assert_group_by_name("ov_group@LDAP", group)
+
+ if override_name:
+ ent.assert_group_by_name("ov_group", group)
+ ent.assert_group_by_name("ov_group@LDAP", group)
ent.assert_group_by_name("empty_group", empty_group)
ent.assert_group_by_name("empty_group@LDAP", empty_group)
- ent.assert_group_by_name("ov_empty_group", empty_group)
- ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
+
+ if override_name:
+ ent.assert_group_by_name("ov_empty_group", empty_group)
+ ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
def assert_group_default():
@@ -841,6 +904,45 @@ def test_imp_exp_group_override(ldap_conn, env_imp_exp_group_override):
assert_group_overriden()
+# Regression test for bug 3179
+
+
+def test_imp_exp_group_override_noname(ldap_conn, env_group_basic):
+
+ # Override - do not use -n here)
+ subprocess.check_call(["sss_override", "group-add", "group",
+ "-g", "3001"])
+
+ subprocess.check_call(["sss_override", "group-add", "empty_group@LDAP",
+ "--gid", "3002"])
+
+ # Restart SSSD so the override might take effect
+ restart_sssd()
+
+ # Assert entries are overridden
+ assert_group_overriden(override_name=False)
+
+ # Export overrides
+ subprocess.check_call(["sss_override", "group-export",
+ OVERRIDE_FILENAME])
+
+ # Drop all overrides
+ subprocess.check_call(["sss_override", "group-del", "group"])
+ subprocess.check_call(["sss_override", "group-del", "empty_group@LDAP"])
+
+ # Avoid hitting memory cache
+ time.sleep(2)
+
+ assert_group_default()
+
+ # Import overrides
+ subprocess.check_call(["sss_override", "group-import",
+ OVERRIDE_FILENAME])
+ restart_sssd()
+
+ assert_group_overriden(override_name=False)
+
+
# Regression test for bug #2802
# sss_override segfaults when accidentally adding --help flag to some commands
--
2.9.3

60
0053-TOOLS-sss_groupshow-fails-to-show-MPG.patch
View File

@ -1,60 +0,0 @@
From 5e42bd82ea08e3a45cf8369d51f68587f5bd796e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Mon, 12 Sep 2016 19:22:56 +0200
Subject: [PATCH 53/79] TOOLS: sss_groupshow fails to show MPG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The MPG search uses it's own search function
that used sysdb operation with shortname,
but it expects internal fqname.
Resolves:
https://fedorahosted.org/sssd/ticket/3184
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 812bed08943df8bf3fd1ff9eabcaf5bedc635c92)
---
src/tools/sss_groupshow.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
index 5870cc802c70366c47a0d30cb0d9795cf6035bc5..00f6f12939b6bef2dd10085f8cf99304e87f1211 100644
--- a/src/tools/sss_groupshow.c
+++ b/src/tools/sss_groupshow.c
@@ -553,13 +553,14 @@ int group_show_recurse(TALLOC_CTX *mem_ctx,
static int group_show_mpg(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
- const char *name,
+ const char *shortname,
struct group_info **res)
{
const char *attrs[] = GROUP_SHOW_MPG_ATTRS;
struct ldb_message *msg;
struct group_info *info;
int ret;
+ char *sysdb_fqname;
info = talloc_zero(mem_ctx, struct group_info);
if (!info) {
@@ -567,7 +568,14 @@ static int group_show_mpg(TALLOC_CTX *mem_ctx,
goto fail;
}
- ret = sysdb_search_user_by_name(info, domain, name, attrs, &msg);
+ sysdb_fqname = sss_create_internal_fqname(mem_ctx,
+ shortname,
+ domain->name);
+ if (sysdb_fqname == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_search_user_by_name(info, domain, sysdb_fqname, attrs, &msg);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Search failed: %s (%d)\n", strerror(ret), ret);
--
2.9.3

55
0054-TESTS-sss_groupshow-with-MPG.patch
View File

@ -1,55 +0,0 @@
From 702f4c8aed1bc997e99ab28349269c4cc151beda Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Mon, 12 Sep 2016 19:25:13 +0200
Subject: [PATCH 54/79] TESTS: sss_groupshow with MPG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Regression test for ticket #3184
Resolves:
https://fedorahosted.org/sssd/ticket/3184
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit bb14556c1df503314644fc424fbbf95759791db9)
---
src/tests/intg/test_local_domain.py | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/src/tests/intg/test_local_domain.py b/src/tests/intg/test_local_domain.py
index b34e4a3d31cdbc1dc257d8fffcf0f5a07803b20c..8e1d6fb2b69f5e6e033ae06d4bd52cc88e54872b 100644
--- a/src/tests/intg/test_local_domain.py
+++ b/src/tests/intg/test_local_domain.py
@@ -118,6 +118,28 @@ def assert_nonexistent_group(name):
grp.getgrnam(name)
+def test_groupshow_mpg(local_domain_only):
+ """
+ Regression test for ticket
+ https://fedorahosted.org/sssd/ticket/3184
+ """
+ subprocess.check_call(["sss_useradd", "foo", "-M"])
+
+ # The user's mpg has to be found (should return 0)
+ subprocess.check_call(["sss_groupshow", "foo"])
+
+
+def test_groupshow_mpg_fqdn(local_domain_only_fqdn):
+ """
+ Regression test for ticket (fq variant)
+ https://fedorahosted.org/sssd/ticket/3184
+ """
+ subprocess.check_call(["sss_useradd", "foo@LOCAL", "-M"])
+
+ # The user's mpg has to be found (should return 0)
+ subprocess.check_call(["sss_groupshow", "foo@LOCAL"])
+
+
def test_wrong_LC_ALL(local_domain_only):
"""
Regression test for ticket
--
2.9.3

37
0055-KRB5-Return-ERR_NETWORK_IO-on-clock-skew.patch
View File

@ -1,37 +0,0 @@
From 4add586753c50b3222c0899ced0d95a2263828c6 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 6 Sep 2016 12:27:51 +0200
Subject: [PATCH 55/79] KRB5: Return ERR_NETWORK_IO on clock skew
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds two more return codes to the list of codes we translate to
ERR_NETWORK_IO.
Resolves:
https://fedorahosted.org/sssd/ticket/3174
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit d3348f49260998880bb7cd3b2fb72d562b1b7a64)
---
src/providers/krb5/krb5_child.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index a0a0f74d7e39866828c1c9ee4b18e57c36a30bb9..82522995e310f20c58922f814e14e81a84b9bcb9 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1374,6 +1374,8 @@ static errno_t map_krb5_error(krb5_error_code kerr)
case KRB5_KDCREP_SKEW:
case KRB5KRB_AP_ERR_SKEW:
+ case KRB5KRB_AP_ERR_TKT_EXPIRED:
+ case KRB5KRB_AP_ERR_TKT_NYV:
case KRB5_KDC_UNREACH:
case KRB5_REALM_CANT_RESOLVE:
case KRB5_REALM_UNKNOWN:
--
2.9.3

54
0056-SDAP-Fix-settig-paging-attribute-in-sdap_get_generic.patch
View File

@ -1,54 +0,0 @@
From b42d29d5fed3df1662dc7b9b46a57ab27298b138 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 30 Aug 2016 16:39:49 +0200
Subject: [PATCH 56/79] SDAP: Fix settig paging attribute in
sdap_get_generic_ext_send
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We should set pagging flag in state and not in local
variable which is not read anywhere in the function.
Found by clang static analyzer.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 6c335dee38da943796710b5e336472a10cf641f2)
---
src/providers/ldap/sdap_async.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 4195ba95d911f3956f8cca665310b4b92091e6cd..e9ce2d5fd7c835919fff615e7b553d95f72d65a7 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -1254,7 +1254,7 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx,
*/
if (scope == LDAP_SCOPE_BASE && (flags & SDAP_SRCH_FLG_PAGING)) {
/* Disable paging */
- flags &= ~SDAP_SRCH_FLG_PAGING;
+ state->flags &= ~SDAP_SRCH_FLG_PAGING;
DEBUG(SSSDBG_TRACE_FUNC,
"WARNING: Disabling paging because scope is set to base.\n");
}
@@ -1267,7 +1267,7 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx,
serverctrls,
NULL);
if (control) {
- flags |= SDAP_SRCH_FLG_PAGING;
+ state->flags |= SDAP_SRCH_FLG_PAGING;
}
/* ASQ */
@@ -1275,7 +1275,7 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx,
serverctrls,
NULL);
if (control) {
- flags |= SDAP_SRCH_FLG_PAGING;
+ state->flags |= SDAP_SRCH_FLG_PAGING;
}
for (state->nserverctrls=0;
--
2.9.3

151
0057-PROXY-Adding-proxy_max_children-option.patch
View File

@ -1,151 +0,0 @@
From a700cdddcc989d1820cbd71bc9a378772c3f87ed Mon Sep 17 00:00:00 2001
From: Petr Cech <pcech@redhat.com>
Date: Wed, 24 Aug 2016 14:41:09 +0200
Subject: [PATCH 57/79] PROXY: Adding proxy_max_children option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.
Resolves:
https://fedorahosted.org/sssd/ticket/3153
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit aef0171e0bdc9a683958d69c7ee984fb10cd5de7)
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 3 +++
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.d/sssd-proxy.conf | 1 +
src/man/sssd.conf.5.xml | 16 ++++++++++++++++
src/providers/proxy/proxy_init.c | 22 ++++++++++++++++++++--
6 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2d650900170d5f2214aa56f00fc749980e53f516..36a2f21a0ff07ac4ae94ffdbb47087de05907505 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -219,6 +219,7 @@
#define CONFDB_PROXY_LIBNAME "proxy_lib_name"
#define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
#define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
/* Secrets Service */
#define CONFDB_SEC_CONF_ENTRY "config/secrets"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 2027028f7b4e972c7bc0dd5156fd85157ae192f4..0acb751e234ee0c3e6fee332a2ba22f9ac353221 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -429,6 +429,9 @@ option_strings = {
'default_shell' : _('Default shell, /bin/bash'),
'base_directory' : _('Base for home directories'),
+ # [provider/proxy]
+ 'proxy_max_children' : _('The number of preforked proxy children.'),
+
# [provider/proxy/id]
'proxy_lib_name' : _('The name of the NSS library to use'),
'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 93c10e2b7892027f0ee7a7af096814fb7cac333a..01be0c6e610161b64897e3974cefe1ccdc317fd3 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -305,6 +305,7 @@ option = base_directory
option = proxy_lib_name
option = proxy_fast_alias
option = proxy_pam_target
+option = proxy_max_children
# simple access provider specific options
option = simple_allow_users
diff --git a/src/config/etc/sssd.api.d/sssd-proxy.conf b/src/config/etc/sssd.api.d/sssd-proxy.conf
index 89a6503f9b84b7eab5fb3b0dd591dea905b43adb..09bf82affcb4263de3abbb67d1d484f6b01a1824 100644
--- a/src/config/etc/sssd.api.d/sssd-proxy.conf
+++ b/src/config/etc/sssd.api.d/sssd-proxy.conf
@@ -1,4 +1,5 @@
[provider/proxy]
+proxy_max_children = int, None, false
[provider/proxy/id]
proxy_lib_name = str, None, true
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 6f231b8ab8fc078d83331bb7ef5b980528a30bd6..8b862eb0cef7cb35215c4aba7a77a553f31e47c8 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2482,6 +2482,22 @@ subdomain_inherit = ldap_purge_cache_timeout
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>proxy_max_children (integer)</term>
+ <listitem>
+ <para>
+ This option specifies the number of pre-forked
+ proxy children. It is useful for high-load SSSD
+ environments where sssd may run out of available
+ child slots, which would cause some issues due to
+ the requests being queued.
+ </para>
+ <para>
+ Default: 10
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
index 1edf4fd64e54f4f0df7a78a9e56eb232a1d3e948..2241dafb8e21bbc0b904df3fa548c906877a5194 100644
--- a/src/providers/proxy/proxy_init.c
+++ b/src/providers/proxy/proxy_init.c
@@ -29,6 +29,8 @@
#define NSS_FN_NAME "_nss_%s_%s"
+#define OPT_MAX_CHILDREN_DEFAULT 10
+
#define ERROR_INITGR "The '%s' library does not provides the " \
"_nss_XXX_initgroups_dyn function!\n" \
"initgroups will be slow as it will require " \
@@ -220,6 +222,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
struct proxy_auth_ctx *auth_ctx;
errno_t ret;
int hret;
+ int max_children;
auth_ctx = talloc_zero(mem_ctx, struct proxy_auth_ctx);
if (auth_ctx == NULL) {
@@ -241,8 +244,23 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
}
/* Set up request hash table */
- /* FIXME: get max_children from configuration file */
- auth_ctx->max_children = 10;
+ ret = confdb_get_int(be_ctx->cdb, be_ctx->conf_path,
+ CONFDB_PROXY_MAX_CHILDREN,
+ OPT_MAX_CHILDREN_DEFAULT,
+ &max_children);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to read confdb [%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (max_children < 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Option " CONFDB_PROXY_MAX_CHILDREN " must be higher then 0\n");
+ ret = EINVAL;
+ goto done;
+ }
+ auth_ctx->max_children = max_children;
hret = hash_create(auth_ctx->max_children * 2, &auth_ctx->request_table,
NULL, NULL);
--
2.9.3

50
0058-SECRETS-Search-by-the-right-type-when-checking-conta.patch
View File

@ -1,50 +0,0 @@
From 4a5e9bea88983643a6fd7b95a6cfcf16f29044ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 30 Aug 2016 10:42:58 +0200
Subject: [PATCH 58/79] SECRETS: Search by the right type when checking
containers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We've been searching for the wrong type ("simple") in
local_db_check_containers(), which always gives us a NULL result.
Let's introduce the new LOCAL_CONTAINER_FILTER and do the search for the
right type ("container") from now on.
Resolves:
https://fedorahosted.org/sssd/ticket/3137
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a8361f37af31a8a9767056bd27c418c947293f56)
---
src/responder/secrets/local.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
index ac3049b62fa77f69d44ec5792139fe3378afb3f4..5b5745d6732987c6057788b2099f45ad0799f151 100644
--- a/src/responder/secrets/local.c
+++ b/src/responder/secrets/local.c
@@ -168,6 +168,7 @@ char *local_dn_to_path(TALLOC_CTX *mem_ctx,
}
#define LOCAL_SIMPLE_FILTER "(type=simple)"
+#define LOCAL_CONTAINER_FILTER "(type=container)"
int local_db_get_simple(TALLOC_CTX *mem_ctx,
struct local_context *lctx,
@@ -306,7 +307,7 @@ int local_db_check_containers(TALLOC_CTX *mem_ctx,
/* and check the parent container exists */
ret = ldb_search(lctx->ldb, mem_ctx, &res, dn, LDB_SCOPE_BASE,
- attrs, LOCAL_SIMPLE_FILTER);
+ attrs, LOCAL_CONTAINER_FILTER);
if (ret != LDB_SUCCESS) return ENOENT;
if (res->count != 1) return ENOENT;
talloc_free(res);
--
2.9.3

42
0059-LDAP-Return-partial-results-from-adminlimit-exceeded.patch
View File

@ -1,42 +0,0 @@
From 2ee5783d8c8bb51f169988a0a45ec711cfd47e41 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 12 Sep 2016 17:36:09 +0200
Subject: [PATCH 59/79] LDAP: Return partial results from adminlimit exceeded
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://fedorahosted.org/sssd/ticket/3185
Since commit c420ce830ac0b0b288a2a887ec2cfce5c748018c we try to move to
the next server on any error on the connection, which in case there is
only one server sends SSSD offline.
It's more graceful to try to process the results, same as we already do
with sizelimit exceeded.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 3319d964721396c07daba383ded6aaaf33ed6e3b)
---
src/providers/ldap/sdap_async.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index e9ce2d5fd7c835919fff615e7b553d95f72d65a7..f374112935a7befa1d059df97f3119c14d8f5da5 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -1526,7 +1526,8 @@ static void sdap_get_generic_op_finished(struct sdap_op *op,
sss_ldap_err2string(result), result,
errmsg ? errmsg : "no errmsg set");
- if (result == LDAP_SIZELIMIT_EXCEEDED) {
+ if (result == LDAP_SIZELIMIT_EXCEEDED
+ || result == LDAP_ADMINLIMIT_EXCEEDED) {
/* Try to return what we've got */
if ( ! (state->flags & SDAP_SRCH_FLG_SIZELIMIT_SILENT)) {
--
2.9.3

44
0060-MAN-sssd-sudo-manual-update-IPA-native-LDAP-tree-sup.patch
View File

@ -1,44 +0,0 @@
From d7a48ee6cde1e80dc2e63500d94017afe498a52a Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 29 Aug 2016 11:20:00 -0400
Subject: [PATCH 60/79] MAN: sssd-sudo manual update IPA native LDAP tree
support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Update sssd-sudo man page to reflect native IPA sudo support
Resolves:
https://fedorahosted.org/sssd/ticket/3145
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 72bab5640b3ec57950b53dad0fb3042ea563592c)
---
src/man/sssd-sudo.5.xml | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/man/sssd-sudo.5.xml b/src/man/sssd-sudo.5.xml
index de276ad2d7647da9b7d510bf00fdf8fb58aed1c7..9be77725d679946bd09b86771cc7379b6ac64627 100644
--- a/src/man/sssd-sudo.5.xml
+++ b/src/man/sssd-sudo.5.xml
@@ -109,9 +109,12 @@ ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
</programlisting>
</para>
<para>
- When the SSSD is configured to use IPA as the ID provider,
- the sudo provider is automatically enabled. The sudo search base
- is configured to use the compat tree (ou=sudoers,$DC).
+ When SSSD is configured to use IPA as the ID provider, the
+ sudo provider is automatically enabled. The sudo search base is
+ configured to use the IPA native LDAP tree (cn=sudo,$SUFFIX).
+ If any other search base is defined in sssd.conf, this value will be
+ used instead. The compat tree (ou=sudoers,$SUFFIX) is no longer
+ required for IPA sudo functionality.
</para>
</refsect1>
--
2.9.3

267
0061-p11-only-set-PKCS11_LOGIN_TOKEN_NAME-if-gdm-smartcar.patch
View File

@ -1,267 +0,0 @@
From 8173003ed876f1cc0831a838e20332b274b39c4f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 31 Aug 2016 14:32:31 +0200
Subject: [PATCH 61/79] p11: only set PKCS11_LOGIN_TOKEN_NAME if gdm-smartcard
is used
Resolves https://fedorahosted.org/sssd/ticket/3165
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 71cd9f98150577224559bdc12c53c01ce6f2c3d9)
---
src/responder/pam/pamsrv_p11.c | 33 +++++++++------
src/tests/cmocka/test_pam_srv.c | 89 +++++++++++++++++++++++++++++++++++------
2 files changed, 97 insertions(+), 25 deletions(-)
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index a2514f6a1d699de3a245063f49db1b7e51a2b10b..22da33067d5c479153376927855dcd6b43322d8b 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -505,7 +505,11 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
}
/* The PKCS11_LOGIN_TOKEN_NAME environment variable is e.g. used by the Gnome
- * Settings Daemon to determine the name of the token used for login */
+ * Settings Daemon to determine the name of the token used for login but it
+ * should be only set if SSSD is called by gdm-smartcard. Otherwise desktop
+ * components might assume that gdm-smartcard PAM stack is configured
+ * correctly which might not be the case e.g. if Smartcard authentication was
+ * used when running gdm-password. */
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
@@ -553,19 +557,22 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
return ret;
}
- env = talloc_asprintf(pd, "%s=%s", PKCS11_LOGIN_TOKEN_ENV_NAME, token_name);
- if (env == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
- return ENOMEM;
- }
+ if (strcmp(pd->service, "gdm-smartcard") == 0) {
+ env = talloc_asprintf(pd, "%s=%s", PKCS11_LOGIN_TOKEN_ENV_NAME,
+ token_name);
+ if (env == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ return ENOMEM;
+ }
- ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(env) + 1,
- (uint8_t *)env);
- talloc_free(env);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "pam_add_response failed to add environment variable.\n");
- return ret;
+ ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(env) + 1,
+ (uint8_t *)env);
+ talloc_free(env);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "pam_add_response failed to add environment variable.\n");
+ return ret;
+ }
}
return ret;
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 5de092d0f19318d1d6c773355dbb38e345600133..02199e6f121cab0784389256cdaac38baf9d73e3 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -554,7 +554,7 @@ static void mock_input_pam(TALLOC_CTX *mem_ctx, const char *name,
}
static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
- const char *pin)
+ const char *pin, const char *service)
{
size_t buf_size;
uint8_t *m_buf;
@@ -576,7 +576,7 @@ static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
pi.pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN;
}
- pi.pam_service = "login";
+ pi.pam_service = service == NULL ? "login" : service;
pi.pam_service_size = strlen(pi.pam_service) + 1;
pi.pam_tty = "/dev/tty";
pi.pam_tty_size = strlen(pi.pam_tty) + 1;
@@ -626,7 +626,8 @@ static int test_pam_simple_check(uint32_t status, uint8_t *body, size_t blen)
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
-static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
+static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
+ size_t blen)
{
size_t rp = 0;
uint32_t val;
@@ -675,6 +676,44 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
return EOK;
}
+static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
+{
+ size_t rp = 0;
+ uint32_t val;
+
+ assert_int_equal(status, 0);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, pam_test_ctx->exp_pam_status);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 2);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 9);
+
+ assert_int_equal(*(body + rp + val - 1), 0);
+ assert_string_equal(body + rp, TEST_DOM_NAME);
+ rp += val;
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, SSS_PAM_CERT_INFO);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
+
+ assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
+ assert_string_equal(body + rp, "pamuser");
+ rp += sizeof("pamuser");
+
+ assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
+ assert_string_equal(body + rp, TEST_TOKEN_NAME);
+
+ return EOK;
+}
static int test_pam_offline_chauthtok_check(uint32_t status,
uint8_t *body, size_t blen)
@@ -1438,7 +1477,7 @@ void test_pam_preauth_no_logon_name(void **state)
{
int ret;
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1465,7 +1504,7 @@ void test_pam_preauth_cert_nocert(void **state)
set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1544,7 +1583,7 @@ void test_pam_preauth_cert_nomatch(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1566,7 +1605,7 @@ void test_pam_preauth_cert_match(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1583,13 +1622,37 @@ void test_pam_preauth_cert_match(void **state)
assert_int_equal(ret, EOK);
}
+/* Test if PKCS11_LOGIN_TOKEN_NAME is added for the gdm-smartcard service */
+void test_pam_preauth_cert_match_gdm_smartcard(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, "gdm-smartcard");
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb,
+ discard_const(TEST_TOKEN_CERT));
+
+ set_cmd_cb(test_pam_cert_check_gdm_smartcard);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
void test_pam_preauth_cert_match_wrong_user(void **state)
{
int ret;
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1613,7 +1676,7 @@ void test_pam_preauth_cert_no_logon_name(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1636,7 +1699,7 @@ void test_pam_preauth_no_cert_no_logon_name(void **state)
set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1657,7 +1720,7 @@ void test_pam_preauth_cert_no_logon_name_no_match(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1679,7 +1742,7 @@ void test_pam_cert_auth(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, "pamuser", "123456");
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1790,6 +1853,8 @@ int main(int argc, const char *argv[])
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match,
pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match_gdm_smartcard,
+ pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match_wrong_user,
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_no_logon_name,
--
2.9.3

100
0062-p11-return-a-fully-qualified-name.patch
View File

@ -1,100 +0,0 @@
From aeb1038017723e473eeb2f405d3b5ff4f5d4af02 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 16 Sep 2016 11:47:40 +0200
Subject: [PATCH 62/79] p11: return a fully-qualified name
Related to https://fedorahosted.org/sssd/ticket/3165
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3649b959709f1ab187092f054d4aace0798c98fa)
---
src/responder/pam/pamsrv_p11.c | 20 +++++++++-----------
src/tests/cmocka/test_pam_srv.c | 16 ++++++++--------
2 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 22da33067d5c479153376927855dcd6b43322d8b..570bfe09d4385a038e7e03fcb64c72dd794774a6 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -521,33 +521,31 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
size_t msg_len;
size_t slot_len;
int ret;
- char *username;
if (sysdb_username == NULL || token_name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Missing mandatory user or slot name.\n");
return EINVAL;
}
- ret = sss_parse_internal_fqname(pd, sysdb_username, &username, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot parse [%s]\n", sysdb_username);
- return ret;
- }
-
- user_len = strlen(username) + 1;
+ user_len = strlen(sysdb_username) + 1;
slot_len = strlen(token_name) + 1;
msg_len = user_len + slot_len;
msg = talloc_zero_size(pd, msg_len);
if (msg == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n");
- talloc_free(username);
return ENOMEM;
}
- memcpy(msg, username, user_len);
+ /* sysdb_username is a fully-qualified name which is used by pam_sss when
+ * prompting the user for the PIN and as login name if it wasn't set by
+ * the PAM caller but has to be determined based on the inserted
+ * Smartcard. If this type of name is irritating at the PIN prompt or the
+ * re_expression config option was set in a way that user@domain cannot be
+ * handled anymore some more logic has to be added here. But for the time
+ * being I think using sysdb_username is fine. */
+ memcpy(msg, sysdb_username, user_len);
memcpy(msg + user_len, token_name, slot_len);
- talloc_free(username);
ret = pam_add_response(pd, SSS_PAM_CERT_INFO, msg_len, msg);
talloc_free(msg);
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 02199e6f121cab0784389256cdaac38baf9d73e3..4b2dea4be6a819b23afd243ba99cd9bd57c16c20 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -664,11 +664,11 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
assert_int_equal(val, SSS_PAM_CERT_INFO);
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
- assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
- assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
- assert_string_equal(body + rp, "pamuser");
- rp += sizeof("pamuser");
+ assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
+ assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
+ rp += sizeof("pamuser@"TEST_DOM_NAME);
assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
assert_string_equal(body + rp, TEST_TOKEN_NAME);
@@ -703,11 +703,11 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
assert_int_equal(val, SSS_PAM_CERT_INFO);
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
- assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
- assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
- assert_string_equal(body + rp, "pamuser");
- rp += sizeof("pamuser");
+ assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
+ assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
+ rp += sizeof("pamuser@"TEST_DOM_NAME);
assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
assert_string_equal(body + rp, TEST_TOKEN_NAME);
--
2.9.3

109
0063-pam_sss-check-PKCS11_LOGIN_TOKEN_NAME.patch
View File

@ -1,109 +0,0 @@
From 540f0f9e2b35315703b56989d398c11da49992e2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 16 Sep 2016 11:48:18 +0200
Subject: [PATCH 63/79] pam_sss: check PKCS11_LOGIN_TOKEN_NAME
Check if PKCS11_LOGIN_TOKEN_NAME is set and prompt the user if the
matching Smartcard is not inserted.
Related to https://fedorahosted.org/sssd/ticket/3165
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 35ba922bc51416f02877b53a6f25c04104ae5f03)
---
src/sss_client/pam_sss.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index fdb9c907644f1317b6f8e58619f01ad2753deafc..2049d5fb0c6092aaaa914385c79d02d8f44b447e 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1410,6 +1410,7 @@ done:
}
#define SC_PROMPT_FMT "PIN for %s for user %s"
+
static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
{
int ret;
@@ -1691,6 +1692,62 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
return PAM_SUCCESS;
}
+#define SC_ENTER_FMT "Please enter smart card labeled\n %s\nand press enter"
+
+static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
+ bool quiet_mode)
+{
+ int ret;
+ int pam_status;
+ char *login_token_name;
+ char *prompt = NULL;
+ size_t size;
+ char *answer = NULL;
+
+ login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
+ if (login_token_name == NULL) {
+ return PAM_SUCCESS;
+ }
+
+ while (pi->token_name == NULL
+ || strcmp(login_token_name, pi->token_name) != 0) {
+ size = sizeof(SC_ENTER_FMT) + strlen(login_token_name);
+ prompt = malloc(size);
+ if (prompt == NULL) {
+ D(("malloc failed."));
+ return ENOMEM;
+ }
+
+ ret = snprintf(prompt, size, SC_ENTER_FMT,
+ login_token_name);
+ if (ret < 0 || ret >= size) {
+ D(("snprintf failed."));
+ free(prompt);
+ return EFAULT;
+ }
+
+ ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt,
+ NULL, &answer);
+ free(prompt);
+ free(answer);
+ if (ret != PAM_SUCCESS) {
+ D(("do_pam_conversation failed."));
+ return ret;
+ }
+
+ pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode);
+ if (pam_status != PAM_SUCCESS) {
+ D(("send_and_receive returned [%d] during pre-auth", pam_status));
+ /*
+ * Since we are waiting for the right Smartcard to be inserted errors
+ * can be ignored here.
+ */
+ }
+ }
+
+ return PAM_SUCCESS;
+}
+
static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
int pam_flags, int argc, const char **argv)
{
@@ -1758,6 +1815,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
}
}
+ if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
+ ret = check_login_token_name(pamh, &pi, quiet_mode);
+ if (ret != PAM_SUCCESS) {
+ D(("check_login_token_name failed.\n"));
+ return ret;
+ }
+ }
+
ret = get_authtok_for_authentication(pamh, &pi, flags);
if (ret != PAM_SUCCESS) {
D(("failed to get authentication token: %s",
--
2.9.3

81
0064-SECRETS-Don-t-remove-a-container-when-it-has-childre.patch
View File

@ -1,81 +0,0 @@
From b1fe893002a506ace1b2930a0cb5d5bd5d4fa9f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Thu, 1 Sep 2016 12:04:30 +0200
Subject: [PATCH 64/79] SECRETS: Don't remove a container when it has children
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let's return and log an error in case the container to be removed has
children.
The approach taken introduced at least one new search in every delete
operation. As far as I understand searching in the BASE scope is quite
cheap and that's the reason I decided to just do the search in the
ONELEVEL scope when the requested to be deleted dn is for sure a
container.
Resolves:
https://fedorahosted.org/sssd/ticket/3167
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ab7b33fd7d820688545d5994a402cedf4bcdb6e1)
---
src/responder/secrets/local.c | 33 +++++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
index 5b5745d6732987c6057788b2099f45ad0799f151..b13e77f0453f3201d1f9f352bb0b331792de1106 100644
--- a/src/responder/secrets/local.c
+++ b/src/responder/secrets/local.c
@@ -372,14 +372,43 @@ int local_db_delete(TALLOC_CTX *mem_ctx,
struct local_context *lctx,
const char *req_path)
{
+ TALLOC_CTX *tmp_ctx;
struct ldb_dn *dn;
+ static const char *attrs[] = { NULL };
+ struct ldb_result *res;
int ret;
+ tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) return ENOMEM;
+
ret = local_db_dn(mem_ctx, lctx->ldb, req_path, &dn);
- if (ret != EOK) return ret;
+ if (ret != EOK) goto done;
+
+ ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
+ attrs, LOCAL_CONTAINER_FILTER);
+ if (ret != EOK) goto done;
+
+ if (res->count == 1) {
+ ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
+ attrs, NULL);
+ if (ret != EOK) goto done;
+
+ if (res->count > 0) {
+ ret = EEXIST;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to remove '%s': Container is not empty\n",
+ ldb_dn_get_linearized(dn));
+
+ goto done;
+ }
+ }
ret = ldb_delete(lctx->ldb, dn);
- return sysdb_error_to_errno(ret);
+ ret = sysdb_error_to_errno(ret);
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
}
int local_db_create(TALLOC_CTX *mem_ctx,
--
2.9.3

37
0065-PAM-call-free-only-when-memory-is-expected-to-be-all.patch
View File

@ -1,37 +0,0 @@
From 958e633f0cc364f758f9d417002e9eba60f15642 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 19 Sep 2016 10:53:51 +0200
Subject: [PATCH 65/79] PAM: call free only when memory is expected to be
allocated
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reborted by Coverity
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit a8631161c47cbaefe7fd14b88202238bbdcc3dc8)
---
src/sss_client/pam_sss.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 2049d5fb0c6092aaaa914385c79d02d8f44b447e..be697c7fcfb47a57b5b498c61f60fcf4bfbbd57f 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1729,10 +1729,11 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt,
NULL, &answer);
free(prompt);
- free(answer);
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
return ret;
+ } else {
+ free(answer);
}
pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode);
--
2.9.3

82
0066-TESTS-Fixing-of-const-warnings-in-sbus-tests.patch
View File

@ -1,82 +0,0 @@
From b44ec31e6fe2b41e52c3f055d4322c253303471d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Mon, 19 Sep 2016 06:28:57 -0400
Subject: [PATCH 66/79] TESTS: Fixing of 'const' warnings in sbus tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 626d8217a2e578ba641ae3c968752aa15284a210)
---
src/tests/sbus_codegen_tests.c | 13 +++++++------
src/tests/sbus_tests.c | 4 ++--
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/tests/sbus_codegen_tests.c b/src/tests/sbus_codegen_tests.c
index 55d4657385cfc697985b570e4310164558e2d647..262bfd49e34be72196e1cf1fe451d96b43b067ae 100644
--- a/src/tests/sbus_codegen_tests.c
+++ b/src/tests/sbus_codegen_tests.c
@@ -634,7 +634,7 @@ static int pilot_test_server_init(struct sbus_connection *server, void *unused)
int ret;
ret = sbus_conn_register_iface(server, &pilot_iface.vtable, "/test/leela",
- "Crash into the billboard");
+ discard_const("Crash into the billboard"));
ck_assert_int_eq(ret, EOK);
return EOK;
@@ -645,7 +645,8 @@ static int special_test_server_init(struct sbus_connection *server, void *unused
int ret;
ret = sbus_conn_register_iface(server, &special_iface.vtable,
- "/test/special", "Crash into the billboard");
+ "/test/special",
+ discard_const("Crash into the billboard"));
ck_assert_int_eq(ret, EOK);
return EOK;
@@ -673,8 +674,8 @@ START_TEST(test_marshal_basic_types)
dbus_int64_t v_int64[] = { INT64_C(-6666666666666666), INT64_C(7777777777777777) };
dbus_uint64_t v_uint64[] = { UINT64_C(7777777777777777), INT64_C(888888888888888888) };
double v_double[] = { 1.1, 2.2, 3.3 };
- char *v_string[] = { "bears", "bears", "bears" };
- char *v_object_path[] = { "/original", "/original" };
+ const char *v_string[] = { "bears", "bears", "bears" };
+ const char *v_object_path[] = { "/original", "/original" };
unsigned char *arr_byte = v_byte;
dbus_int16_t *arr_int16 = v_int16;
@@ -684,8 +685,8 @@ START_TEST(test_marshal_basic_types)
dbus_int64_t *arr_int64 = v_int64;
dbus_uint64_t *arr_uint64 = v_uint64;
double *arr_double = v_double;
- char **arr_string = v_string;
- char **arr_object_path = v_object_path;
+ char **arr_string = discard_const(v_string);
+ char **arr_object_path = discard_const(v_object_path);
int len_byte = N_ELEMENTS(v_byte);
int len_int16 = N_ELEMENTS(v_int16);
diff --git a/src/tests/sbus_tests.c b/src/tests/sbus_tests.c
index b472659639e3dce0733dde4ed54a55dcb40c191e..6bf71dc1bbe73b52455c18353531865da1ba6eac 100644
--- a/src/tests/sbus_tests.c
+++ b/src/tests/sbus_tests.c
@@ -201,12 +201,12 @@ static int pilot_test_server_init(struct sbus_connection *server, void *unused)
int ret;
ret = sbus_conn_register_iface(server, &pilot_impl.vtable, "/test/leela",
- "Crash into the billboard");
+ discard_const("Crash into the billboard"));
ck_assert_int_eq(ret, EOK);
ret = sbus_conn_register_iface(server, &pilot_impl.vtable, "/test/fry",
- "Don't crash");
+ discard_const("Don't crash"));
ck_assert_int_eq(ret, EOK);
return EOK;
--
2.9.3

61
0067-MAKEFILE-Fixing-CFLAGS-in-some-tests.patch
View File

@ -1,61 +0,0 @@
From 4fe173d0e1333659479da47306b3b7957bc2e6d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Thu, 15 Sep 2016 09:54:18 -0400
Subject: [PATCH 67/79] MAKEFILE: Fixing CFLAGS in some tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 4f2509f8d23d9e921f07b2ead63392ae82ad3a38)
---
Makefile.am | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index f89af5a9d6d26c732574aa3651de8c175f538b28..f792ed6a6b531d9e6e2c886c2fbe64e1e2345b73 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1828,6 +1828,7 @@ refcount_tests_SOURCES = \
src/tests/refcount-tests.c \
$(NULL)
refcount_tests_CFLAGS = \
+ $(AM_CFLAGS) \
$(CHECK_CFLAGS)
refcount_tests_LDADD = \
$(SSSD_LIBS) \
@@ -1840,6 +1841,7 @@ fail_over_tests_SOURCES = \
$(SSSD_FAILOVER_OBJ) \
$(NULL)
fail_over_tests_CFLAGS = \
+ $(AM_CFLAGS) \
$(CHECK_CFLAGS)
fail_over_tests_LDADD = \
$(SSSD_LIBS) \
@@ -2044,6 +2046,7 @@ sbus_tests_SOURCES = \
src/tests/common_dbus.c \
src/tests/sbus_tests.c
sbus_tests_CFLAGS = \
+ $(AM_CFLAGS) \
$(CHECK_CFLAGS)
sbus_tests_LDADD = \
$(SSSD_INTERNAL_LTLIBS) \
@@ -2056,6 +2059,7 @@ sbus_codegen_tests_SOURCES = \
src/tests/sbus_codegen_tests_generated.c \
$(NULL)
sbus_codegen_tests_CFLAGS = \
+ $(AM_CFLAGS) \
$(CHECK_CFLAGS)
sbus_codegen_tests_LDADD = \
$(SSSD_INTERNAL_LTLIBS) \
@@ -2468,6 +2472,7 @@ ad_common_tests_SOURCES = \
src/providers/ldap/sdap_async_initgroups_ad.c \
$(NULL)
ad_common_tests_CFLAGS = \
+ $(AM_CFLAGS) \
$(NDR_NBT_CFLAGS) \
$(NDR_KRB5PAC_CFLAGS) \
$(NULL)
--
2.9.3

395
0068-TESTS-Add-integration-tests-for-the-sssd-secrets.patch
View File

@ -1,395 +0,0 @@
From 0718b1bf4af69712d18f6ea3a427c1cab2e377da Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 8 Aug 2016 17:49:05 +0200
Subject: [PATCH 68/79] TESTS: Add integration tests for the sssd-secrets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Implements a simple HTTP client and uses it to talk to the sssd-secrets
responder. Only the local provider is tested at the moment.
Resolves:
https://fedorahosted.org/sssd/ticket/3054
Reviewed-by: Petr Čech <pcech@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit db0982c52294ee5ea08ed242d27660783fde29cd)
---
contrib/ci/deps.sh | 2 +
src/tests/intg/Makefile.am | 5 ++
src/tests/intg/config.py.m4 | 3 +
src/tests/intg/secrets.py | 137 ++++++++++++++++++++++++++++++++++
src/tests/intg/test_secrets.py | 162 +++++++++++++++++++++++++++++++++++++++++
5 files changed, 309 insertions(+)
create mode 100644 src/tests/intg/secrets.py
create mode 100644 src/tests/intg/test_secrets.py
diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
index 1a94e3df2ee1d43dd34ef8cda1542aab1166bccd..9a7098c399df319753858a4a7fee23d4204c1f1c 100644
--- a/contrib/ci/deps.sh
+++ b/contrib/ci/deps.sh
@@ -45,6 +45,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
pyldb
rpm-build
uid_wrapper
+ python-requests
)
_DEPS_LIST_SPEC=`
sed -e 's/@PACKAGE_VERSION@/0/g' \
@@ -114,6 +115,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
python-pytest
python-ldap
python-ldb
+ python-requests
ldap-utils
slapd
systemtap-sdt-dev
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 75422a4417046116bec11a8a680fe2248e3afb69..1e08eadcbbdebcca6f0f3550cc084c1a1762c0c4 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -16,6 +16,8 @@ dist_noinst_DATA = \
test_memory_cache.py \
test_ts_cache.py \
test_netgroup.py \
+ secrets.py \
+ test_secrets.py \
$(NULL)
config.py: config.py.m4
@@ -25,6 +27,9 @@ config.py: config.py.m4
-D "pidpath=\`$(pidpath)'" \
-D "logpath=\`$(logpath)'" \
-D "mcpath=\`$(mcpath)'" \
+ -D "secdbpath=\`$(secdbpath)'" \
+ -D "libexecpath=\`$(libexecdir)'" \
+ -D "runstatedir=\`$(runstatedir)'" \
$< > $@
root:
diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
index 77aa47b7958783217132b724159d9d3d247e1079..65e17e55a25372754ff7e49ac75607bcc985912c 100644
--- a/src/tests/intg/config.py.m4
+++ b/src/tests/intg/config.py.m4
@@ -12,3 +12,6 @@ PID_PATH = "pidpath"
PIDFILE_PATH = PID_PATH + "/sssd.pid"
LOG_PATH = "logpath"
MCACHE_PATH = "mcpath"
+SECDB_PATH = "secdbpath"
+LIBEXEC_PATH = "libexecpath"
+RUNSTATEDIR = "runstatedir"
diff --git a/src/tests/intg/secrets.py b/src/tests/intg/secrets.py
new file mode 100644
index 0000000000000000000000000000000000000000..5d4c0e2f28db9601fa0e3a21dd90a7444c7c8978
--- /dev/null
+++ b/src/tests/intg/secrets.py
@@ -0,0 +1,137 @@
+#
+# Secrets responder test client
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import socket
+import requests
+
+from requests.adapters import HTTPAdapter
+from requests.packages.urllib3.connection import HTTPConnection
+from requests.packages.urllib3.connectionpool import HTTPConnectionPool
+from requests.compat import quote, unquote, urlparse
+
+
+class HTTPUnixConnection(HTTPConnection):
+ def __init__(self, host, timeout=60, **kwargs):
+ super(HTTPUnixConnection, self).__init__('localhost')
+ self.unix_socket = host
+ self.timeout = timeout
+
+ def connect(self):
+ sock = socket.socket(family=socket.AF_UNIX)
+ sock.settimeout(self.timeout)
+ sock.connect(self.unix_socket)
+ self.sock = sock
+
+
+class HTTPUnixConnectionPool(HTTPConnectionPool):
+ scheme = 'http+unix'
+ ConnectionCls = HTTPUnixConnection
+
+
+class HTTPUnixAdapter(HTTPAdapter):
+ def get_connection(self, url, proxies=None):
+ # proxies, silently ignored
+ path = unquote(urlparse(url).netloc)
+ return HTTPUnixConnectionPool(path)
+
+
+class SecretsHttpClient(object):
+ secrets_sock_path = '/var/run/secrets.socket'
+ secrets_container = 'secrets'
+
+ def __init__(self, content_type='application/json', sock_path=None):
+ if sock_path is None:
+ sock_path = self.secrets_sock_path
+
+ self.content_type = content_type
+ self.session = requests.Session()
+ self.session.mount('http+unix://', HTTPUnixAdapter())
+ self.headers = dict({'Content-Type': content_type})
+ self.url = 'http+unix://' + \
+ quote(sock_path, safe='') + \
+ '/' + \
+ self.secrets_container
+ self._last_response = None
+
+ def _join_url(self, resource):
+ path = self.url.rstrip('/') + '/'
+ if resource is not None:
+ path = path + resource.lstrip('/')
+ return path
+
+ def _add_headers(self, **kwargs):
+ headers = kwargs.get('headers', None)
+ if headers is None:
+ headers = dict()
+ headers.update(self.headers)
+ return headers
+
+ def _request(self, cmd, path, **kwargs):
+ self._last_response = None
+ url = self._join_url(path)
+ kwargs['headers'] = self._add_headers(**kwargs)
+ self._last_response = cmd(url, **kwargs)
+ return self._last_response
+
+ @property
+ def last_response(self):
+ return self._last_response
+
+ def get(self, path, **kwargs):
+ return self._request(self.session.get, path, **kwargs)
+
+ def list(self, **kwargs):
+ return self._request(self.session.get, None, **kwargs)
+
+ def put(self, name, **kwargs):
+ return self._request(self.session.put, name, **kwargs)
+
+ def delete(self, name, **kwargs):
+ return self._request(self.session.delete, name, **kwargs)
+
+ def post(self, name, **kwargs):
+ return self._request(self.session.post, name, **kwargs)
+
+
+class SecretsLocalClient(SecretsHttpClient):
+ def list_secrets(self):
+ res = self.list()
+ res.raise_for_status()
+ simple = res.json()
+ return simple
+
+ def get_secret(self, name):
+ res = self.get(name)
+ res.raise_for_status()
+ simple = res.json()
+ ktype = simple.get("type", None)
+ if ktype != "simple":
+ raise TypeError("Invalid key type: %s" % ktype)
+ return simple["value"]
+
+ def set_secret(self, name, value):
+ res = self.put(name, json={"type": "simple", "value": value})
+ res.raise_for_status()
+
+ def del_secret(self, name):
+ res = self.delete(name)
+ res.raise_for_status()
+
+ def create_container(self, name):
+ res = self.post(name)
+ res.raise_for_status()
diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py
new file mode 100644
index 0000000000000000000000000000000000000000..e394d1275e35e686a14a604943796e793fe29119
--- /dev/null
+++ b/src/tests/intg/test_secrets.py
@@ -0,0 +1,162 @@
+#
+# Secrets responder integration tests
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import stat
+import config
+import signal
+import subprocess
+import time
+import socket
+import pytest
+from requests import HTTPError
+
+from util import unindent
+from secrets import SecretsLocalClient
+
+
+def create_conf_fixture(request, contents):
+ """Generate sssd.conf and add teardown for removing it"""
+ conf = open(config.CONF_PATH, "w")
+ conf.write(contents)
+ conf.close()
+ os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR)
+ request.addfinalizer(lambda: os.unlink(config.CONF_PATH))
+
+
+def create_sssd_secrets_fixture(request):
+ if subprocess.call(['sssd', "--genconf"]) != 0:
+ raise Exception("failed to regenerate confdb")
+
+ resp_path = os.path.join(config.LIBEXEC_PATH, "sssd", "sssd_secrets")
+
+ secpid = os.fork()
+ if secpid == 0:
+ if subprocess.call([resp_path, "--uid=0", "--gid=0"]) != 0:
+ raise Exception("sssd_secrets failed to start")
+
+ sock_path = os.path.join(config.RUNSTATEDIR, "secrets.socket")
+ sck = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ for _ in range(1, 10):
+ try:
+ sck.connect(sock_path)
+ except:
+ time.sleep(0.1)
+ else:
+ break
+ sck.close()
+
+ def sec_teardown():
+ if secpid == 0:
+ return
+
+ os.kill(secpid, signal.SIGTERM)
+ for secdb_file in os.listdir(config.SECDB_PATH):
+ os.unlink(config.SECDB_PATH + "/" + secdb_file)
+ request.addfinalizer(sec_teardown)
+
+
+@pytest.fixture
+def setup_for_secrets(request):
+ """
+ Just set up the local provider for tests and enable the secrets
+ responder
+ """
+ conf = unindent("""\
+ [sssd]
+ domains = local
+ services = nss
+
+ [domain/local]
+ id_provider = local
+ """).format(**locals())
+
+ create_conf_fixture(request, conf)
+ create_sssd_secrets_fixture(request)
+ return None
+
+
+@pytest.fixture
+def secrets_cli(request):
+ sock_path = os.path.join(config.RUNSTATEDIR, "secrets.socket")
+ cli = SecretsLocalClient(sock_path=sock_path)
+ return cli
+
+
+def test_crd_ops(setup_for_secrets, secrets_cli):
+ """
+ Test that the basic Create, Retrieve, Delete operations work
+ """
+ cli = secrets_cli
+
+ # Listing a totally empty database yields a 404 error, no secrets are there
+ with pytest.raises(HTTPError) as err404:
+ secrets = cli.list_secrets()
+ assert str(err404.value).startswith("404")
+
+ # Set some value, should succeed
+ cli.set_secret("foo", "bar")
+
+ fooval = cli.get_secret("foo")
+ assert fooval == "bar"
+
+ # Listing secrets should work now as well
+ secrets = cli.list_secrets()
+ assert len(secrets) == 1
+ assert "foo" in secrets
+
+ # Overwriting a secret is an error
+ with pytest.raises(HTTPError) as err409:
+ cli.set_secret("foo", "baz")
+ assert str(err409.value).startswith("409")
+
+ # Delete a secret
+ cli.del_secret("foo")
+ with pytest.raises(HTTPError) as err404:
+ fooval = cli.get_secret("foo")
+ assert str(err404.value).startswith("404")
+
+ # Delete a non-existent secret must yield a 404
+ with pytest.raises(HTTPError) as err404:
+ cli.del_secret("foo")
+ assert str(err404.value).startswith("404")
+
+
+def test_containers(setup_for_secrets, secrets_cli):
+ """
+ Test that storing secrets inside containers works
+ """
+ cli = secrets_cli
+
+ # No trailing slash, no game..
+ with pytest.raises(HTTPError) as err400:
+ cli.create_container("mycontainer")
+ assert str(err400.value).startswith("400")
+
+ cli.create_container("mycontainer/")
+ cli.set_secret("mycontainer/foo", "containedfooval")
+ assert cli.get_secret("mycontainer/foo") == "containedfooval"
+
+ # Removing a non-empty container should not succeed
+ with pytest.raises(HTTPError) as err409:
+ cli.del_secret("mycontainer/")
+ assert str(err409.value).startswith("409")
+
+ # Try removing the secret first, then the container
+ cli.del_secret("mycontainer/foo")
+ cli.del_secret("mycontainer/")
--
2.9.3

58
0069-AUTOFS-Fix-offline-resolution-of-autofs-maps.patch
View File

@ -1,58 +0,0 @@
From c0f663b1a497182cfd2eaf92dda0459342ba6685 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 4 Aug 2016 17:58:32 +0200
Subject: [PATCH 69/79] AUTOFS: Fix offline resolution of autofs maps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If talking to the Data Provider failed, we never re-tried looking into
the cache. We should consult the cache on DP failures and return cached
results, if possible.
Resolves:
https://fedorahosted.org/sssd/ticket/3080
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit b9e155da725e711ab306ca8a96e3ba6fbda41a3a)
---
src/responder/autofs/autofssrv_cmd.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
index 9666ab2d195a581f18eaa7ff9bbc4c8167a71b15..f5aa25a483c3b3352f40e8cc66dfd3a24a60af0d 100644
--- a/src/responder/autofs/autofssrv_cmd.c
+++ b/src/responder/autofs/autofssrv_cmd.c
@@ -871,17 +871,25 @@ static void lookup_automntmap_cache_updated(uint16_t err_maj, uint32_t err_min,
if (err_maj) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unable to get information from Data Provider\n"
- "Error: %u, %u, %s\n"
- "Will try to return what we have in cache\n",
+ "Error: %u, %u, %s\n"
+ "Will try to return what we have in cache\n",
(unsigned int)err_maj, (unsigned int)err_min, err_msg);
- /* Loop to the next domain if possible */
+
+ /* Try to fall back to cache */
+ ret = lookup_automntmap_step(lookup_ctx);
+ if (ret == EOK) {
+ /* We have cached results to return */
+ autofs_setent_notify(lookup_ctx->map, ret);
+ return;
+ }
+
+ /* Otherwise try the next domain */
if (dctx->cmd_ctx->check_next
&& (dctx->domain = get_next_domain(dctx->domain, 0))) {
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
}
}
- /* ok the backend returned, search to see if we have updated results */
ret = lookup_automntmap_step(lookup_ctx);
if (ret != EOK) {
if (ret == EAGAIN) {
--
2.9.3

44
0070-NSS-Fix-offline-resolution-of-netgroups.patch
View File

@ -1,44 +0,0 @@
From 068aadc5169380c37459c7cb50d397e93d5f121d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 4 Aug 2016 17:58:47 +0200
Subject: [PATCH 70/79] NSS: Fix offline resolution of netgroups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If talking to the Data Provider failed, we never re-tried looking into
the cache. We should consult the cache on DP failures and return cached
results, if possible.
Resolves:
https://fedorahosted.org/sssd/ticket/3123
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit a3108c5cd1ebb05c133c8e8990278ac4f4b8e25c)
---
src/responder/nss/nsssrv_netgroup.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c
index e42976b245952291cd1eb36480138514e3d4ec09..49ef0f5c9b264a6252880a2944e8a1bd38ae0527 100644
--- a/src/responder/nss/nsssrv_netgroup.c
+++ b/src/responder/nss/nsssrv_netgroup.c
@@ -674,6 +674,15 @@ static void lookup_netgr_dp_callback(uint16_t err_maj, uint32_t err_min,
"Error: %u, %u, %s\n"
"Will try to return what we have in cache\n",
(unsigned int)err_maj, (unsigned int)err_min, err_msg);
+
+ /* Try to fall back to cache */
+ ret = lookup_netgr_step(step_ctx);
+ if (ret == EOK) {
+ /* We have cached results to return */
+ nss_setent_notify_done(dctx->netgr);
+ return;
+ }
+
/* Loop to the next domain if possible */
if (cmdctx->check_next
&& (dctx->domain = get_next_domain(dctx->domain, 0))) {
--
2.9.3

78
0071-TESTS-Test-offline-netgroups-resolution.patch
View File

@ -1,78 +0,0 @@
From 39ab6bfc8f822c77144d0056bb87b82ca3e8af3e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 9 Sep 2016 12:23:04 +0200
Subject: [PATCH 71/79] TESTS: Test offline netgroups resolution
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit c0ee12832555b42c17e48cdf731731454a97972e)
---
src/tests/intg/test_netgroup.py | 29 +++++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
index b99476126844e35d5dbc1793077720b4020c2fb7..f1d801f48a954baf4d244ec533348a1de2f2d2c8 100644
--- a/src/tests/intg/test_netgroup.py
+++ b/src/tests/intg/test_netgroup.py
@@ -104,6 +104,7 @@ def format_basic_conf(ldap_conn, schema):
[sssd]
domains = LDAP
services = nss
+ disable_netlink = true
[domain/LDAP]
{schema_conf}
@@ -148,11 +149,16 @@ def create_sssd_process():
raise Exception("sssd start failed")
+def get_sssd_pid():
+ pid_file = open(config.PIDFILE_PATH, "r")
+ pid = int(pid_file.read())
+ return pid
+
+
def cleanup_sssd_process():
"""Stop the SSSD process and remove its state"""
try:
- pid_file = open(config.PIDFILE_PATH, "r")
- pid = int(pid_file.read())
+ pid = get_sssd_pid()
os.kill(pid, signal.SIGTERM)
while True:
try:
@@ -173,6 +179,11 @@ def create_sssd_cleanup(request):
request.addfinalizer(cleanup_sssd_process)
+def simulate_offline():
+ pid = get_sssd_pid()
+ os.kill(pid, signal.SIGUSR1)
+
+
def create_sssd_fixture(request):
"""Start SSSD and add teardown for stopping it and removing its state"""
create_sssd_process()
@@ -457,3 +468,17 @@ def test_removing_nested_netgroups(removing_nested_netgroups, ldap_conn):
res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
assert res == sssd_netgroup.NssReturnCode.SUCCESS
assert netgroups == []
+
+
+def test_offline_netgroups(add_tripled_netgroup):
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("host", "user", "domain")]
+
+ subprocess.check_call(["sss_cache", "-N"])
+
+ simulate_offline()
+
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("host", "user", "domain")]
--
2.9.3

289
0072-Remove-double-semicolon-at-the-end-of-line.patch
View File

@ -1,289 +0,0 @@
From e166ad6facb9812249376683ae936c5f3f5682af Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Sat, 17 Sep 2016 21:05:36 +0200
Subject: [PATCH 72/79] Remove double semicolon at the end of line
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit b9941359b3181c42f415530d5ccad0f4664d85fa)
---
src/db/sysdb_ops.c | 2 +-
src/lib/idmap/sss_idmap.c | 2 +-
src/lib/sifp/sss_sifp_parser.c | 2 +-
src/providers/ad/ad_gpo.c | 2 +-
src/providers/ipa/ipa_subdomains_id.c | 2 +-
src/providers/ipa/ipa_sudo_conversion.c | 2 +-
src/providers/krb5/krb5_child.c | 2 +-
src/providers/ldap/sdap_async.c | 6 +++---
src/providers/ldap/sdap_async_initgroups.c | 2 +-
src/providers/ldap/sdap_async_netgroups.c | 2 +-
src/responder/pam/pamsrv_cmd.c | 2 +-
src/sss_client/sudo/sss_sudo.c | 2 +-
src/tests/krb5_child-test.c | 10 +++++-----
src/tests/sbus_codegen_tests.c | 4 ++--
src/tools/sss_groupshow.c | 2 +-
src/util/string_utils.c | 2 +-
src/util/usertools.c | 2 +-
17 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 5d9c9fb24a149f8215b3027dcb4b0e1a183e4b43..29f4b1d1597bd98541a152dd6462caa864fbf2fd 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -4815,7 +4815,7 @@ errno_t sysdb_handle_original_uuid(const char *orig_name,
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
- return ret;;
+ return ret;
}
return EOK;
diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c
index 58b0ec62118c9e01b61d987bf77179e774313b11..ffb218c844bff18e8a000398e9d646556ca295cf 100644
--- a/src/lib/idmap/sss_idmap.c
+++ b/src/lib/idmap/sss_idmap.c
@@ -916,7 +916,7 @@ get_range(struct sss_idmap_ctx *ctx,
long long rid,
struct idmap_range_params **_range)
{
- char *secondary_name = NULL;;
+ char *secondary_name = NULL;
enum idmap_error_code err;
int first_rid;
struct idmap_range_params *range;
diff --git a/src/lib/sifp/sss_sifp_parser.c b/src/lib/sifp/sss_sifp_parser.c
index eaa57d8d5e67ec07d0fe89e003ee011dcd40a75f..65babb5bc5430a541ade4cec0350e0846962fd67 100644
--- a/src/lib/sifp/sss_sifp_parser.c
+++ b/src/lib/sifp/sss_sifp_parser.c
@@ -469,7 +469,7 @@ sss_sifp_parse_variant(sss_sifp_ctx *ctx,
/* case DBUS_TYPE_DICT_ENTRY may only be contained within an array
* in variant */
case DBUS_TYPE_ARRAY:
- ret = sss_sifp_parse_array(ctx, &variant_iter, attr);;
+ ret = sss_sifp_parse_array(ctx, &variant_iter, attr);
break;
default:
ret = SSS_SIFP_NOT_SUPPORTED;
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 63c68ce35922ca0407ae6ea32c0a78100e14504b..2b06a0ec8c24a0da44b0da00718c84c228242d24 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2491,7 +2491,7 @@ ad_gpo_populate_som_list(TALLOC_CTX *mem_ctx,
}
/* first, populate the OU and Domain SOMs */
- tmp_dn = target_dn;;
+ tmp_dn = target_dn;
while ((ad_gpo_parent_dn(tmp_ctx, ldb_ctx, tmp_dn, &parent_dn)) == EOK) {
if ((strncasecmp(parent_dn, "OU=", strlen("OU=")) == 0) ||
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 5369ec4c624544f7f3aec88ddaa30eac91c51735..97c96e3818f37d0cf3e282f68d3a013122a2a55b 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -669,7 +669,7 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
struct ipa_get_ad_acct_state *state;
struct sdap_domain *sdom;
struct sdap_id_conn_ctx **clist;
- struct sdap_id_ctx *sdap_id_ctx;;
+ struct sdap_id_ctx *sdap_id_ctx;
struct ad_id_ctx *ad_id_ctx;
req = tevent_req_create(mem_ctx, &state, struct ipa_get_ad_acct_state);
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
index 21186d2455fb28c2743131ef98920eb00753f0d6..9dbc8604df544ce0865a2e99facf92cfd697123b 100644
--- a/src/providers/ipa/ipa_sudo_conversion.c
+++ b/src/providers/ipa/ipa_sudo_conversion.c
@@ -634,7 +634,7 @@ static errno_t get_sudo_cmd_rdn(TALLOC_CTX *mem_ctx,
}
*_rdn_val = rdn_val;
- *_rdn_attr = map[IPA_AT_SUDOCMD_CMD].name;;
+ *_rdn_attr = map[IPA_AT_SUDOCMD_CMD].name;
return EOK;
}
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 82522995e310f20c58922f814e14e81a84b9bcb9..df94bc4c481b090d50f9b0119ccde5a373d9e20b 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -2612,7 +2612,7 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
ret = check_use_fast(&kr->fast_val);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "check_use_fast failed.\n");
- return ret;;
+ return ret;
}
/* For ccache types FILE: and DIR: we might need to create some directory
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index f374112935a7befa1d059df97f3119c14d8f5da5..246e12a1f386da1841963d5c1d1c4d2870cc1b6b 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2097,7 +2097,7 @@ static void sdap_x_deref_search_done(struct tevent_req *subreq)
static int sdap_x_deref_search_ctrls_destructor(void *ptr)
{
- LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);;
+ LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);
if (ctrls && ctrls[0]) {
ldap_control_free(ctrls[0]);
@@ -2289,7 +2289,7 @@ static void sdap_sd_search_done(struct tevent_req *subreq)
static int sdap_sd_search_ctrls_destructor(void *ptr)
{
- LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);;
+ LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);
if (ctrls && ctrls[0]) {
ldap_control_free(ctrls[0]);
}
@@ -2548,7 +2548,7 @@ static void sdap_asq_search_done(struct tevent_req *subreq)
static int sdap_asq_search_ctrls_destructor(void *ptr)
{
- LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);;
+ LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);
if (ctrls && ctrls[0]) {
ldap_control_free(ctrls[0]);
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index f9593f0dfaa2dc6e33fd6c9d1f0c9b78cad3a1d9..df39de3cc5daf9ce23e1d9abe8b72f06ae45e9cd 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -816,7 +816,7 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
}
state->groups = talloc_zero_array(state, struct sysdb_attrs *,
- state->memberof->num_values + 1);;
+ state->memberof->num_values + 1);
if (!state->groups) {
ret = ENOMEM;
goto immediate;
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
index e1d69ad769f542cccffca50547932a5bfb352230..f4a1d165f77a15f150e99844d69716c6c8785bee 100644
--- a/src/providers/ldap/sdap_async_netgroups.c
+++ b/src/providers/ldap/sdap_async_netgroups.c
@@ -313,7 +313,7 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
dn_filter = talloc_strdup(state, "(|");
if (dn_filter == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
- ret = ENOMEM;;
+ ret = ENOMEM;
goto fail;
}
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index be54fbf9b627d0ec1c3b0416401885245794cf9f..e52fc764245a2dd604bd149b956f8204fa865342 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1286,7 +1286,7 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
if (pd->logon_name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"No certificate found and no logon name given, " \
- "authentication not possible.\n");;
+ "authentication not possible.\n");
ret = ENOENT;
} else {
if (pd->cmd == SSS_PAM_AUTHENTICATE) {
diff --git a/src/sss_client/sudo/sss_sudo.c b/src/sss_client/sudo/sss_sudo.c
index 202029934ccb7c979b9b740fc7e466888825e042..3651740019349c590877a18f9e42c23b9ad41d0d 100644
--- a/src/sss_client/sudo/sss_sudo.c
+++ b/src/sss_client/sudo/sss_sudo.c
@@ -226,7 +226,7 @@ void sss_sudo_free_rules(unsigned int num_rules, struct sss_sudo_rule *rules)
void sss_sudo_free_attrs(unsigned int num_attrs, struct sss_sudo_attr *attrs)
{
- struct sss_sudo_attr *attr = NULL;;
+ struct sss_sudo_attr *attr = NULL;
int i, j;
if (attrs == NULL) {
diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c
index 50acc88ed0c312b2662f01fe41247781f235a54d..d570d52229a23a557d1f32b90cbb815239b57e74 100644
--- a/src/tests/krb5_child-test.c
+++ b/src/tests/krb5_child-test.c
@@ -390,11 +390,11 @@ main(int argc, const char *argv[])
int pc_debug = 0;
int pc_timeout = 0;
- const char *pc_user = NULL;;
- const char *pc_passwd = NULL;;
- const char *pc_realm = NULL;;
- const char *pc_ccname = NULL;;
- const char *pc_ccname_tp = NULL;;
+ const char *pc_user = NULL;
+ const char *pc_passwd = NULL;
+ const char *pc_realm = NULL;
+ const char *pc_ccname = NULL;
+ const char *pc_ccname_tp = NULL;
char *password = NULL;
bool rm_ccache = true;
diff --git a/src/tests/sbus_codegen_tests.c b/src/tests/sbus_codegen_tests.c
index 262bfd49e34be72196e1cf1fe451d96b43b067ae..05eb78d7d8f0917a62a47bf684d7f7135fe7b005 100644
--- a/src/tests/sbus_codegen_tests.c
+++ b/src/tests/sbus_codegen_tests.c
@@ -967,7 +967,7 @@ static void parse_get_array_reply(DBusMessage *reply, const int type,
ck_assert_int_eq(dbus_message_iter_get_element_type(&variter), type);
dbus_message_iter_recurse(&variter, &arriter);
if (type == DBUS_TYPE_STRING || type == DBUS_TYPE_OBJECT_PATH) {
- int n = 0, i = 0;;
+ int n = 0, i = 0;
const char **strings;
const char *s;
@@ -1326,7 +1326,7 @@ void check_arr_prop(DBusMessageIter *variter, struct prop_test *p)
dbus_message_iter_recurse(variter, &arriter);
if (type == DBUS_TYPE_STRING || type == DBUS_TYPE_OBJECT_PATH) {
- int n = 0, i = 0;;
+ int n = 0, i = 0;
const char *s;
do {
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
index 00f6f12939b6bef2dd10085f8cf99304e87f1211..258d458b0d1a4cb56c8fb61060cb43a1c88c1ed0 100644
--- a/src/tools/sss_groupshow.c
+++ b/src/tools/sss_groupshow.c
@@ -58,7 +58,7 @@ const char *rdn_as_string(TALLOC_CTX *mem_ctx,
return NULL;
}
- return ldb_dn_escape_value(mem_ctx, *val);;
+ return ldb_dn_escape_value(mem_ctx, *val);
}
static int parse_memberofs(struct ldb_context *ldb,
diff --git a/src/util/string_utils.c b/src/util/string_utils.c
index 5e43bbef34e8b514e29ffc5e576f8b57dbab4890..872b7e29e55e8628085affd07f3363019aae5ee9 100644
--- a/src/util/string_utils.c
+++ b/src/util/string_utils.c
@@ -100,7 +100,7 @@ errno_t guid_blob_to_string_buf(const uint8_t *blob, char *str_buf,
blob[5], blob[4],
blob[7], blob[6],
blob[8], blob[9],
- blob[10], blob[11],blob[12], blob[13],blob[14], blob[15]);;
+ blob[10], blob[11],blob[12], blob[13],blob[14], blob[15]);
if (ret != (GUID_STR_BUF_SIZE -1)) {
DEBUG(SSSDBG_CRIT_FAILURE, "snprintf failed.\n");
return EIO;
diff --git a/src/util/usertools.c b/src/util/usertools.c
index e0d520ad1057b4ddcfd7830674afa9dfa3b37ebd..12fc85b8f20858975b01c49468834be158b43f1c 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -210,7 +210,7 @@ int sss_names_init(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,
{
TALLOC_CTX *tmpctx = NULL;
char *conf_path = NULL;
- char *re_pattern = NULL;;
+ char *re_pattern = NULL;
char *fq_fmt = NULL;
int ret;
--
2.9.3

98
0073-TESTS-Add-simple-test-for-double-semicolon.patch
View File

@ -1,98 +0,0 @@
From 7017c022affd3ad1d0c29cb89aa825231c93fa29 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Sat, 17 Sep 2016 21:12:36 +0200
Subject: [PATCH 73/79] TESTS: Add simple test for double semicolon
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 6ad1f2da4055e2cfe9bf8c79b79e408dba171691)
---
Makefile.am | 2 ++
contrib/ci/run | 3 ++-
src/tests/double_semicolon_test | 38 ++++++++++++++++++++++++++++++++++++++
3 files changed, 42 insertions(+), 1 deletion(-)
create mode 100755 src/tests/double_semicolon_test
diff --git a/Makefile.am b/Makefile.am
index f792ed6a6b531d9e6e2c886c2fbe64e1e2345b73..17c5f26ce9db1e183b30178f1a8714deca1dab03 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -321,6 +321,7 @@ TESTS = \
$(non_interactive_cmocka_based_tests) \
$(non_interactive_check_based_tests) \
src/tests/whitespace_test \
+ src/tests/double_semicolon_test \
$(NULL)
sssdlib_LTLIBRARIES = \
@@ -410,6 +411,7 @@ dist_noinst_SCRIPTS = \
src/tests/pysss_murmur-test.py3.sh \
src/tests/python-test.py \
src/tests/whitespace_test \
+ src/tests/double_semicolon_test \
src/tests/krb5_proxy_check_test_data.conf \
$(NULL)
diff --git a/contrib/ci/run b/contrib/ci/run
index 1b230f584b7c42d66bfc8c99c118420478d4128b..f96476ff8d4e118375777abf7f1e3475c1ed07bb 100755
--- a/contrib/ci/run
+++ b/contrib/ci/run
@@ -187,7 +187,8 @@ function build_debug()
{
# Extended glob pattern matching tests to run under Valgrind.
# NOTE: The particular pattern below is inverted
- declare -r valgrind_test_pattern="!(*.py|*/dlopen-tests|*/whitespace_test)"
+ declare -r valgrind_test_pattern="\
+ !(*.py|*/dlopen-tests|*/whitespace_test|*/double_semicolon_test)"
export CFLAGS="$DEBUG_CFLAGS"
declare test_dir
declare test_dir_distcheck
diff --git a/src/tests/double_semicolon_test b/src/tests/double_semicolon_test
new file mode 100755
index 0000000000000000000000000000000000000000..bbc05fa22ab557919daacbf5a222bb6f1d9678b4
--- /dev/null
+++ b/src/tests/double_semicolon_test
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e -u -o pipefail
+
+# An AWK regex matching tracked file paths to be included for the search.
+# Example: '.*\.po|README'
+PATH_INCLUDE_REGEX='.*\.c|.*\.h'
+
+export GIT_DIR="$ABS_TOP_SRCDIR/.git"
+export GIT_WORK_TREE="$ABS_TOP_SRCDIR"
+
+if [ ! -d "$GIT_DIR" ]; then
+ echo "Git repository is required for this test!" 1>&2
+ exit 77
+fi
+
+{
+ # Look for lines with double semicolon at the end of line
+ # in all files tracked by Git
+ git grep -n -I ';\s*;$' -- "$(git rev-parse --show-toplevel)" ||
+ # Don't fail if no such lines were found anywhere
+ [[ $? == 1 ]]
+} |
+ awk -- "
+ BEGIN {
+ found = 0
+ }
+ /^($PATH_INCLUDE_REGEX):/ {
+ if (!found) {
+ print \"Double semicolon found:\"
+ found = 1
+ }
+ print
+ }
+ END {
+ exit found
+ }
+ "
--
2.9.3

81
0074-failover-proceed-normally-when-no-new-server-is-foun.patch
View File

@ -1,81 +0,0 @@
From 3b5dc99956715bb0251c48f18c05b3e0317b661f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 24 Aug 2016 14:21:12 +0200
Subject: [PATCH 74/79] failover: proceed normally when no new server is found
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Multiple failover requests come in same time, the first one will
result in collapsing the meta server but multiple resolution of
SRV records are triggered. The first one finishes normally but the
others won't find any new server thus ends with an error.
This patch makes failover to proceed normally even in such case.
Resolves:
https://fedorahosted.org/sssd/ticket/3131
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 03cb5ac6aa4c60d2c64c6fdc2daae656bf5493f4)
---
src/providers/fail_over.c | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
index 8ab39f27f77e19e601855632196006a8dbbdf136..77084098831a312bc8629513ccfc2a91165241ba 100644
--- a/src/providers/fail_over.c
+++ b/src/providers/fail_over.c
@@ -1112,7 +1112,9 @@ fo_resolve_service_cont(struct tevent_req *subreq)
ret = resolve_srv_recv(subreq, &state->server);
talloc_zfree(subreq);
- if (ret) {
+ /* We will proceed normally on ERR_SRV_DUPLICATES and if the server
+ * is already being resolved, we hook to that request. */
+ if (ret != EOK && ret != ERR_SRV_DUPLICATES) {
tevent_req_error(req, ret);
return;
}
@@ -1398,11 +1400,23 @@ resolve_srv_done(struct tevent_req *subreq)
}
if (last_server == state->meta) {
- /* SRV lookup returned only those servers
- * that are already present. */
+ /* SRV lookup returned only those servers that are already present.
+ * This may happen only when an ongoing SRV resolution already
+ * exist. We will return server, but won't set any state. */
DEBUG(SSSDBG_TRACE_FUNC, "SRV lookup did not return "
"any new server.\n");
ret = ERR_SRV_DUPLICATES;
+
+ /* Since no new server is returned, state->meta->next is NULL.
+ * We return last tried server if possible which is server
+ * from previous resolution of SRV record, and first server
+ * otherwise. */
+ if (state->service->last_tried_server != NULL) {
+ state->out = state->service->last_tried_server;
+ goto done;
+ }
+
+ state->out = state->service->server_list;
goto done;
}
@@ -1438,7 +1452,10 @@ resolve_srv_done(struct tevent_req *subreq)
}
done:
- if (ret != EOK) {
+ if (ret == ERR_SRV_DUPLICATES) {
+ tevent_req_error(req, ret);
+ return;
+ } else if (ret != EOK) {
state->out = state->meta;
set_srv_data_status(state->meta->srv_data, SRV_RESOLVE_ERROR);
tevent_req_error(req, ret);
--
2.9.3

111
0075-tests-Add-a-regression-test-for-upstream-ticket-3131.patch
View File

@ -1,111 +0,0 @@
From 0db69ed514decc0ccdc0084c44b31102b1314bef Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 21 Sep 2016 10:44:36 +0200
Subject: [PATCH 75/79] tests: Add a regression test for upstream ticket #3131
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Tests that running two duplicate SRV resolution queries succeeds
and returns a valid host name.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit a299f900981343904d7c9c5d148e30b8e0b2c460)
---
src/tests/cmocka/test_fo_srv.c | 66 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
diff --git a/src/tests/cmocka/test_fo_srv.c b/src/tests/cmocka/test_fo_srv.c
index a84ce4348d2e59aaab4fc9ac1bd4cfd853ff491d..197f8de5c2f0b5dffa7949a874ea0ca1330554b9 100644
--- a/src/tests/cmocka/test_fo_srv.c
+++ b/src/tests/cmocka/test_fo_srv.c
@@ -203,6 +203,8 @@ struct test_fo_ctx {
int ttl;
struct fo_server *srv;
+
+ int num_done;
};
int test_fo_srv_data_cmp(void *ud1, void *ud2)
@@ -691,6 +693,67 @@ static void test_fo_hostlist(void **state)
assert_int_equal(ret, ERR_OK);
}
+static void test_fo_srv_dup_done(struct tevent_req *req);
+
+/* Test that running two parallel SRV queries doesn't return an error.
+ * This is a regression test for https://fedorahosted.org/sssd/ticket/3131
+ */
+void test_fo_srv_duplicates(void **state)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct test_fo_ctx *test_ctx =
+ talloc_get_type(*state, struct test_fo_ctx);
+
+ test_fo_srv_mock_dns(test_ctx, test_ctx->ttl);
+ test_fo_srv_mock_dns(test_ctx, test_ctx->ttl);
+
+ ret = fo_add_srv_server(test_ctx->fo_svc, "_ldap", "sssd.com",
+ "sssd.local", "tcp", test_ctx);
+ assert_int_equal(ret, ERR_OK);
+
+ ret = fo_add_server(test_ctx->fo_svc, "ldap1.sssd.com",
+ 389, (void *) discard_const("ldap://ldap1.sssd.com"),
+ true);
+ assert_int_equal(ret, ERR_OK);
+
+ req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev,
+ test_ctx->resolv, test_ctx->fo_ctx,
+ test_ctx->fo_svc);
+ assert_non_null(req);
+ tevent_req_set_callback(req, test_fo_srv_dup_done, test_ctx);
+
+ req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev,
+ test_ctx->resolv, test_ctx->fo_ctx,
+ test_ctx->fo_svc);
+ assert_non_null(req);
+ tevent_req_set_callback(req, test_fo_srv_dup_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->ctx);
+ assert_int_equal(ret, ERR_OK);
+}
+
+static void test_fo_srv_dup_done(struct tevent_req *req)
+{
+ struct test_fo_ctx *test_ctx = \
+ tevent_req_callback_data(req, struct test_fo_ctx);
+ errno_t ret;
+ const char *name;
+
+ ret = fo_resolve_service_recv(req, test_ctx, &test_ctx->srv);
+ talloc_zfree(req);
+ assert_int_equal(ret, EOK);
+
+ name = fo_get_server_name(test_ctx->srv);
+ assert_string_equal(name, "ldap1.sssd.com");
+
+ test_ctx->num_done++;
+ if (test_ctx->num_done == 2) {
+ test_ctx->ctx->error = ERR_OK;
+ test_ctx->ctx->done = true;
+ }
+}
+
int main(int argc, const char *argv[])
{
int rv;
@@ -715,6 +778,9 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_fo_srv_ttl_zero,
test_fo_srv_setup,
test_fo_srv_teardown),
+ cmocka_unit_test_setup_teardown(test_fo_srv_duplicates,
+ test_fo_srv_setup,
+ test_fo_srv_teardown),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
--
2.9.3

239
0076-IFP-expose-user-and-group-unique-IDs-through-DBus.patch
View File

@ -1,239 +0,0 @@
From 407eca9a7167145158272e3d41316b6079b4eb74 Mon Sep 17 00:00:00 2001
From: Thomas Equeter <firstname@lastname.com>
Date: Fri, 26 Aug 2016 10:35:30 +0200
Subject: [PATCH 76/79] IFP: expose user and group unique IDs through DBus
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This adds a uniqueID property on User and Group InfoPipe objects. It has a
useful value on AD- and IPA-backed domains. For Active Directory, this is the
GUID.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit e9a2e7afbd09c23dd8748246e09831ed7b17d7c5)
---
src/db/sysdb.h | 2 ++
src/responder/ifp/ifp_groups.c | 19 +++++++++++++++++++
src/responder/ifp/ifp_groups.h | 4 ++++
src/responder/ifp/ifp_iface.c | 2 ++
src/responder/ifp/ifp_iface.xml | 2 ++
src/responder/ifp/ifp_iface_generated.c | 18 ++++++++++++++++++
src/responder/ifp/ifp_iface_generated.h | 4 ++++
src/responder/ifp/ifp_users.c | 7 +++++++
src/responder/ifp/ifp_users.h | 4 ++++
9 files changed, 62 insertions(+)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 8713efa6e8fcc6fb620340fe152989a5dae58434..7de3acdf343e0c013ab39a249268c93cbb2d0dbc 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -224,6 +224,7 @@
SYSDB_OVERRIDE_DN, \
SYSDB_OVERRIDE_OBJECT_DN, \
SYSDB_DEFAULT_OVERRIDE_NAME, \
+ SYSDB_UUID, \
NULL}
#define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \
@@ -235,6 +236,7 @@
SYSDB_OVERRIDE_DN, \
SYSDB_OVERRIDE_OBJECT_DN, \
SYSDB_DEFAULT_OVERRIDE_NAME, \
+ SYSDB_UUID, \
NULL}
#define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \
diff --git a/src/responder/ifp/ifp_groups.c b/src/responder/ifp/ifp_groups.c
index babd8ec3f57b0469c8ca35f9f2464a0a32076967..29aebe45e710e53538c317a688077689ece4c979 100644
--- a/src/responder/ifp/ifp_groups.c
+++ b/src/responder/ifp/ifp_groups.c
@@ -751,6 +751,25 @@ void ifp_groups_group_get_gid_number(struct sbus_request *sbus_req,
return;
}
+void ifp_groups_group_get_unique_id(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out)
+{
+ struct ldb_message *msg;
+ struct sss_domain_info *domain;
+ errno_t ret;
+
+ ret = ifp_groups_group_get(sbus_req, data, NULL, &domain, &msg);
+ if (ret != EOK) {
+ *_out = 0;
+ return;
+ }
+
+ *_out = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_UUID, 0);
+
+ return;
+}
+
static errno_t
ifp_groups_group_get_members(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
diff --git a/src/responder/ifp/ifp_groups.h b/src/responder/ifp/ifp_groups.h
index 4cfabb9d70df92cda02de02cd1dcf7cc5b071ba8..1e0377fae6101473f5fcc6f9f69f12c3adf33f79 100644
--- a/src/responder/ifp/ifp_groups.h
+++ b/src/responder/ifp/ifp_groups.h
@@ -64,6 +64,10 @@ void ifp_groups_group_get_gid_number(struct sbus_request *sbus_req,
void *data,
uint32_t *_out);
+void ifp_groups_group_get_unique_id(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out);
+
void ifp_groups_group_get_users(struct sbus_request *sbus_req,
void *data,
const char ***_out,
diff --git a/src/responder/ifp/ifp_iface.c b/src/responder/ifp/ifp_iface.c
index e6ddc687ba9db878ee39fee5868d1f924d58482d..ff306adf3243994ee7f71850226dc1c5e0831f16 100644
--- a/src/responder/ifp/ifp_iface.c
+++ b/src/responder/ifp/ifp_iface.c
@@ -104,6 +104,7 @@ struct iface_ifp_users_user iface_ifp_users_user = {
.get_gecos = ifp_users_user_get_gecos,
.get_homeDirectory = ifp_users_user_get_home_directory,
.get_loginShell = ifp_users_user_get_login_shell,
+ .get_uniqueID = ifp_users_user_get_unique_id,
.get_groups = ifp_users_user_get_groups,
.get_extraAttributes = ifp_users_user_get_extra_attributes
};
@@ -121,6 +122,7 @@ struct iface_ifp_groups_group iface_ifp_groups_group = {
.UpdateMemberList = ifp_groups_group_update_member_list,
.get_name = ifp_groups_group_get_name,
.get_gidNumber = ifp_groups_group_get_gid_number,
+ .get_uniqueID = ifp_groups_group_get_unique_id,
.get_users = ifp_groups_group_get_users,
.get_groups = ifp_groups_group_get_groups
};
diff --git a/src/responder/ifp/ifp_iface.xml b/src/responder/ifp/ifp_iface.xml
index 25b104ad70c0fd84b6c0fe9dbb0dc6e6439c1376..41e9f1d026fa434705ea50999ab3d9ad116f7f29 100644
--- a/src/responder/ifp/ifp_iface.xml
+++ b/src/responder/ifp/ifp_iface.xml
@@ -186,6 +186,7 @@
<property name="gecos" type="s" access="read" />
<property name="homeDirectory" type="s" access="read" />
<property name="loginShell" type="s" access="read" />
+ <property name="uniqueID" type="s" access="read" />
<property name="groups" type="ao" access="read" />
<property name="extraAttributes" type="a{sas}" access="read" />
</interface>
@@ -221,6 +222,7 @@
<property name="name" type="s" access="read" />
<property name="gidNumber" type="u" access="read" />
+ <property name="uniqueID" type="s" access="read" />
<property name="users" type="ao" access="read" />
<property name="groups" type="ao" access="read" />
</interface>
diff --git a/src/responder/ifp/ifp_iface_generated.c b/src/responder/ifp/ifp_iface_generated.c
index 6156ca2947434f301d206232f83cfc0647007707..ed018a044bd01c69554116946450aca7aacd5fd8 100644
--- a/src/responder/ifp/ifp_iface_generated.c
+++ b/src/responder/ifp/ifp_iface_generated.c
@@ -976,6 +976,15 @@ const struct sbus_property_meta iface_ifp_users_user__properties[] = {
NULL, /* no invoker */
},
{
+ "uniqueID", /* name */
+ "s", /* type */
+ SBUS_PROPERTY_READABLE,
+ offsetof(struct iface_ifp_users_user, get_uniqueID),
+ sbus_invoke_get_s,
+ 0, /* not writable */
+ NULL, /* no invoker */
+ },
+ {
"groups", /* name */
"ao", /* type */
SBUS_PROPERTY_READABLE,
@@ -1165,6 +1174,15 @@ const struct sbus_property_meta iface_ifp_groups_group__properties[] = {
NULL, /* no invoker */
},
{
+ "uniqueID", /* name */
+ "s", /* type */
+ SBUS_PROPERTY_READABLE,
+ offsetof(struct iface_ifp_groups_group, get_uniqueID),
+ sbus_invoke_get_s,
+ 0, /* not writable */
+ NULL, /* no invoker */
+ },
+ {
"users", /* name */
"ao", /* type */
SBUS_PROPERTY_READABLE,
diff --git a/src/responder/ifp/ifp_iface_generated.h b/src/responder/ifp/ifp_iface_generated.h
index 141348249d2da5447fa04495564a8c6a55d67a1b..0c6fd151cd674cdbd4582cb95ef43c9fcc133d6f 100644
--- a/src/responder/ifp/ifp_iface_generated.h
+++ b/src/responder/ifp/ifp_iface_generated.h
@@ -88,6 +88,7 @@
#define IFACE_IFP_USERS_USER_GECOS "gecos"
#define IFACE_IFP_USERS_USER_HOMEDIRECTORY "homeDirectory"
#define IFACE_IFP_USERS_USER_LOGINSHELL "loginShell"
+#define IFACE_IFP_USERS_USER_UNIQUEID "uniqueID"
#define IFACE_IFP_USERS_USER_GROUPS "groups"
#define IFACE_IFP_USERS_USER_EXTRAATTRIBUTES "extraAttributes"
@@ -103,6 +104,7 @@
#define IFACE_IFP_GROUPS_GROUP_UPDATEMEMBERLIST "UpdateMemberList"
#define IFACE_IFP_GROUPS_GROUP_NAME "name"
#define IFACE_IFP_GROUPS_GROUP_GIDNUMBER "gidNumber"
+#define IFACE_IFP_GROUPS_GROUP_UNIQUEID "uniqueID"
#define IFACE_IFP_GROUPS_GROUP_USERS "users"
#define IFACE_IFP_GROUPS_GROUP_GROUPS "groups"
@@ -294,6 +296,7 @@ struct iface_ifp_users_user {
void (*get_gecos)(struct sbus_request *, void *data, const char **);
void (*get_homeDirectory)(struct sbus_request *, void *data, const char **);
void (*get_loginShell)(struct sbus_request *, void *data, const char **);
+ void (*get_uniqueID)(struct sbus_request *, void *data, const char **);
void (*get_groups)(struct sbus_request *, void *data, const char ***, int *);
void (*get_extraAttributes)(struct sbus_request *, void *data, hash_table_t **);
};
@@ -328,6 +331,7 @@ struct iface_ifp_groups_group {
int (*UpdateMemberList)(struct sbus_request *req, void *data);
void (*get_name)(struct sbus_request *, void *data, const char **);
void (*get_gidNumber)(struct sbus_request *, void *data, uint32_t*);
+ void (*get_uniqueID)(struct sbus_request *, void *data, const char **);
void (*get_users)(struct sbus_request *, void *data, const char ***, int *);
void (*get_groups)(struct sbus_request *, void *data, const char ***, int *);
};
diff --git a/src/responder/ifp/ifp_users.c b/src/responder/ifp/ifp_users.c
index 5481413ef908785ecf276aad7154e4a7b511fd45..a2bafff5853683443f25f857124214a048132c4a 100644
--- a/src/responder/ifp/ifp_users.c
+++ b/src/responder/ifp/ifp_users.c
@@ -774,6 +774,13 @@ void ifp_users_user_get_login_shell(struct sbus_request *sbus_req,
ifp_users_get_as_string(sbus_req, data, SYSDB_SHELL, _out);
}
+void ifp_users_user_get_unique_id(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out)
+{
+ ifp_users_get_as_string(sbus_req, data, SYSDB_UUID, _out);
+}
+
void ifp_users_user_get_groups(struct sbus_request *sbus_req,
void *data,
const char ***_out,
diff --git a/src/responder/ifp/ifp_users.h b/src/responder/ifp/ifp_users.h
index 99114fe9562f237204b3121ae3fe1f29dbc256a8..6a3a66951ff2c68cdc220364d28651d53b9d6a68 100644
--- a/src/responder/ifp/ifp_users.h
+++ b/src/responder/ifp/ifp_users.h
@@ -84,6 +84,10 @@ void ifp_users_user_get_login_shell(struct sbus_request *sbus_req,
void *data,
const char **_out);
+void ifp_users_user_get_unique_id(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out);
+
void ifp_users_user_get_groups(struct sbus_request *sbus_req,
void *data,
const char ***_out,
--
2.9.3

125
0077-SSSDConfig-Do-not-fail-with-nonexisting-domains-serv.patch
View File

@ -1,125 +0,0 @@
From 3e8165ff6c5251809beb8f8e11ffd45f8bfd69ca Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 21 Sep 2016 13:56:43 +0200
Subject: [PATCH 77/79] SSSDConfig: Do not fail with nonexisting
domains/services
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
dict.keys() returns iterator in python3 and not list
Chaging data in dictionary while using iterator
fails with "RuntimeError: dictionary changed size during iteration"
https://fedorahosted.org/sssd/ticket/3107
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 1773fdad2730f3f910782781fa286f402ce36cca)
---
Makefile.am | 1 +
src/config/SSSDConfig/__init__.py.in | 4 +--
src/config/SSSDConfigTest.py | 33 ++++++++++++++++++++++
.../sssd-nonexisting-services-domains.conf | 13 +++++++++
4 files changed, 49 insertions(+), 2 deletions(-)
create mode 100644 src/config/testconfigs/sssd-nonexisting-services-domains.conf
diff --git a/Makefile.am b/Makefile.am
index 17c5f26ce9db1e183b30178f1a8714deca1dab03..4385268b21b2de2054d3958f98f28f5ea7cfa191 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -422,6 +422,7 @@ dist_noinst_DATA = \
src/config/testconfigs/sssd-badversion.conf \
src/config/testconfigs/sssd-invalid.conf \
src/config/testconfigs/sssd-invalid-badbool.conf \
+ src/config/testconfigs/sssd-nonexisting-services-domains.conf \
src/config/etc/sssd.api.d/crash_test_dummy \
contrib/ci/README.md \
contrib/ci/configure.sh \
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 0acb751e234ee0c3e6fee332a2ba22f9ac353221..e616ce3dcc7357280418e9abd0bcdeb370b861e6 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -1511,7 +1511,7 @@ class SSSDConfig(SSSDChangeConf):
# Remove any entries in this list that don't
# correspond to an active service, for integrity
configured_services = self.list_services()
- for srv in service_dict.keys():
+ for srv in list(service_dict):
if srv not in configured_services:
del service_dict[srv]
@@ -1794,7 +1794,7 @@ class SSSDConfig(SSSDChangeConf):
# Remove any entries in this list that don't
# correspond to an active domain, for integrity
configured_domains = self.list_domains()
- for dom in domain_dict.keys():
+ for dom in list(domain_dict):
if dom not in configured_domains:
del domain_dict[dom]
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 8a64a257ab978b81ae4b26918c683b25a30fe7c1..006a034477dd64e3c5a0b2dbd1554bdc1b2635b4 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -1683,6 +1683,39 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
"Domain [%s] unexpectedly found" %
domain)
+ def testListWithInvalidDomain(self):
+ sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
+ srcdir + "/etc/sssd.api.d")
+
+ # Negative Test - Not Initialized
+ self.assertRaises(SSSDConfig.NotInitializedError,
+ sssdconfig.list_domains)
+
+ # Positive Test
+ sssdconfig.import_config(
+ srcdir + '/testconfigs/sssd-nonexisting-services-domains.conf'
+ )
+
+ domains = sssdconfig.list_active_domains()
+ self.assertTrue("active" in domains and len(domains) == 1,
+ "domain 'active' not found among active domains")
+
+ domains = sssdconfig.list_inactive_domains()
+ self.assertTrue("inactive" in domains and len(domains) == 1,
+ "domain 'inactive' not found among inactive domains")
+
+ services = sssdconfig.list_active_services()
+ self.assertTrue("nss" in services and len(services) == 1,
+ "service 'nss' not found among active services")
+
+ services = sssdconfig.list_inactive_services()
+ self.assertTrue(len(services) == 2,
+ "unexpected count of inactive services")
+ for service in ("sssd", "pam"):
+ self.assertTrue(service in services,
+ "service '%s' not found among inactive services"
+ % service)
+
def testGetDomain(self):
sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
srcdir + "/etc/sssd.api.d")
diff --git a/src/config/testconfigs/sssd-nonexisting-services-domains.conf b/src/config/testconfigs/sssd-nonexisting-services-domains.conf
new file mode 100644
index 0000000000000000000000000000000000000000..d1e248001e76c65fa667d55f469e15aa5696faed
--- /dev/null
+++ b/src/config/testconfigs/sssd-nonexisting-services-domains.conf
@@ -0,0 +1,13 @@
+[domain/active]
+
+[domain/inactive]
+
+[sssd]
+domains = nonexistent, active
+services = nonexistent, nss
+
+[nss]
+debug_level = 1
+
+[pam]
+debug_level = 2
--
2.9.3

268
0078-SPEC-Rename-python-packages-using-macro-python_provi.patch
View File

@ -1,268 +0,0 @@
From f87452ae46dd917d47b63673da42d371912aee8d Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 14 Sep 2016 14:31:29 +0200
Subject: [PATCH 78/79] SPEC: Rename python packages using macro
%python_provide
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fedora and epel contains macro %python_provide
for simpler renaming of python packages. It will generate correct
provides and obsoletes.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 705bc4480a68f69d287b1c89fe9463a0191987c8)
---
contrib/sssd.spec.in | 90 ++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 70 insertions(+), 20 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 1f79ca7cd0a56dc1ab9c951abe11dc216ef3ad03..a0937d54903002521f07fb012742eb11f2584c54 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -11,6 +11,46 @@
%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%endif
+%{!?python_provide: %global need_python_provide 1}
+%if 0%{?need_python_provide}
+%define python_provide() %{lua:
+ function string.starts(String, Start)
+ return string.sub(String, 1, string.len(Start)) == Start
+ end
+ package = rpm.expand("%{?1:%{1}}");
+ vr = rpm.expand("%{?epoch:%{epoch}:}%{version}-%{release}")
+ if (string.starts(package, "python2-")) then
+ if (rpm.expand("%{?buildarch}") ~= "noarch") then
+ str = "Provides: python-" ..
+ string.sub(package, 9, string.len(package)) ..
+ "%{?_isa} = " .. vr;
+ print(rpm.expand(str));
+ end
+ print("\\nProvides: python-");
+ print(string.sub(package, 9, string.len(package)));
+ print(" = ");
+ print(vr);
+ --Obsoleting the previous default python package
+ if (rpm.expand("%{?buildarch}") ~= "noarch") then
+ str = "\\nObsoletes: python-" ..
+ string.sub(package, 9, string.len(package)) ..
+ "%{?_isa} < " .. vr;
+ print(rpm.expand(str));
+ end
+ print("\\nObsoletes: python-");
+ print(string.sub(package, 9, string.len(package)));
+ print(" < ");
+ print(vr);
+ elseif (string.starts(package, "python3-")) then
+ --No unversioned provides as python3 is not default
+ else
+ print("%python_provide: ERROR: ");
+ print(package);
+ print(" not recognized.");
+ end
+}
+%endif
+
# Fedora and RHEL 6+
# we don't want to provide private python extension libs
%define __provides_exclude_from %{python2_sitearch}/.*\.so$
@@ -95,7 +135,7 @@ Requires: sssd-proxy = %{version}-%{release}
%if (0%{?with_python3} == 1)
Requires: python3-sssdconfig = %{version}-%{release}
%else
-Requires: python-sssdconfig = %{version}-%{release}
+Requires: python2-sssdconfig = %{version}-%{release}
%endif
%global servicename sssd
@@ -253,8 +293,8 @@ Requires: sssd-common = %{version}-%{release}
Requires: python3-sss = %{version}-%{release}
Requires: python3-sssdconfig = %{version}-%{release}
%else
-Requires: python-sss = %{version}-%{release}
-Requires: python-sssdconfig = %{version}-%{release}
+Requires: python2-sss = %{version}-%{release}
+Requires: python2-sssdconfig = %{version}-%{release}
%endif
%description tools
@@ -267,13 +307,14 @@ Also provides several other administrative tools:
* sss_obfuscate for generating an obfuscated LDAP password
* sssctl -- an sssd status and control utility
-%package -n python-sssdconfig
+%package -n python2-sssdconfig
Summary: SSSD and IPA configuration file manipulation classes and functions
Group: Applications/System
License: GPLv3+
BuildArch: noarch
+%{python_provide python2-sssdconfig}
-%description -n python-sssdconfig
+%description -n python2-sssdconfig
Provides python2 files for manipulation SSSD and IPA configuration files.
%if (0%{?with_python3} == 1)
@@ -282,18 +323,20 @@ Summary: SSSD and IPA configuration file manipulation classes and functions
Group: Applications/System
License: GPLv3+
BuildArch: noarch
+%{python_provide python3-sssdconfig}
%description -n python3-sssdconfig
Provides python3 files for manipulation SSSD and IPA configuration files.
%endif
-%package -n python-sss
+%package -n python2-sss
Summary: Python2 bindings for sssd
Group: Development/Libraries
License: LGPLv3+
Requires: sssd-common = %{version}-%{release}
+%{python_provide python2-sss}
-%description -n python-sss
+%description -n python2-sss
Provides python2 module for manipulating users, groups, and nested groups in
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
@@ -307,6 +350,7 @@ Summary: Python3 bindings for sssd
Group: Development/Libraries
License: LGPLv3+
Requires: sssd-common = %{version}-%{release}
+%{python_provide python3-sss}
%description -n python3-sss
Provides python3 module for manipulating users, groups, and nested groups in
@@ -317,12 +361,13 @@ Also provides several other useful python3 bindings:
* class for obfuscation of passwords
%endif
-%package -n python-sss-murmur
+%package -n python2-sss-murmur
Summary: Python2 bindings for murmur hash function
Group: Development/Libraries
License: LGPLv3+
+%{python_provide python2-sss-murmur}
-%description -n python-sss-murmur
+%description -n python2-sss-murmur
Provides python2 module for calculating the murmur hash version 3
%if (0%{?with_python3} == 1)
@@ -330,6 +375,7 @@ Provides python2 module for calculating the murmur hash version 3
Summary: Python3 bindings for murmur hash function
Group: Development/Libraries
License: LGPLv3+
+%{python_provide python3-sss-murmur}
%description -n python3-sss-murmur
Provides python3 module for calculating the murmur hash version 3
@@ -459,16 +505,17 @@ Requires: libipa_hbac = %{version}-%{release}
%description -n libipa_hbac-devel
Utility library to validate FreeIPA HBAC rules for authorization requests
-%package -n python-libipa_hbac
+%package -n python2-libipa_hbac
Summary: Python2 bindings for the FreeIPA HBAC Evaluator library
Group: Development/Libraries
License: LGPLv3+
Requires: libipa_hbac = %{version}-%{release}
Provides: libipa_hbac-python = %{version}-%{release}
Obsoletes: libipa_hbac-python < 1.12.90
+%{python_provide python2-libipa_hbac}
-%description -n python-libipa_hbac
-The python-libipa_hbac contains the bindings so that libipa_hbac can be
+%description -n python2-libipa_hbac
+The python2-libipa_hbac contains the bindings so that libipa_hbac can be
used by Python applications.
%if (0%{?with_python3} == 1)
@@ -477,6 +524,7 @@ Summary: Python3 bindings for the FreeIPA HBAC Evaluator library
Group: Development/Libraries
License: LGPLv3+
Requires: libipa_hbac = %{version}-%{release}
+%{python_provide python3-libipa_hbac}
%description -n python3-libipa_hbac
The python3-libipa_hbac contains the bindings so that libipa_hbac can be
@@ -502,16 +550,17 @@ Requires: libsss_nss_idmap = %{version}-%{release}
%description -n libsss_nss_idmap-devel
Utility library for SID and certificate based lookups
-%package -n python-libsss_nss_idmap
+%package -n python2-libsss_nss_idmap
Summary: Python2 bindings for libsss_nss_idmap
Group: Development/Libraries
License: LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}
Provides: libsss_nss_idmap-python = %{version}-%{release}
Obsoletes: libsss_nss_idmap-python < 1.12.90
+%{python_provide python2-libsss_nss_idmap}
-%description -n python-libsss_nss_idmap
-The python-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
+%description -n python2-libsss_nss_idmap
+The python2-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
be used by Python applications.
%if (0%{?with_python3} == 1)
@@ -520,6 +569,7 @@ Summary: Python3 bindings for libsss_nss_idmap
Group: Development/Libraries
License: LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}
+%{python_provide python3-libsss_nss_idmap}
%description -n python3-libsss_nss_idmap
The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
@@ -963,7 +1013,7 @@ done
%{_mandir}/man8/sss_seed.8*
%{_mandir}/man8/sssctl.8*
-%files -n python-sssdconfig -f python2_sssdconfig.lang
+%files -n python2-sssdconfig -f python2_sssdconfig.lang
%defattr(-,root,root,-)
%dir %{python2_sitelib}/SSSDConfig
%{python2_sitelib}/SSSDConfig/*.py*
@@ -977,7 +1027,7 @@ done
%{python3_sitelib}/SSSDConfig/__pycache__/*.py*
%endif
-%files -n python-sss
+%files -n python2-sss
%defattr(-,root,root,-)
%{python2_sitearch}/pysss.so
@@ -987,7 +1037,7 @@ done
%{python3_sitearch}/pysss.so
%endif
-%files -n python-sss-murmur
+%files -n python2-sss-murmur
%defattr(-,root,root,-)
%{python2_sitearch}/pysss_murmur.so
@@ -1033,7 +1083,7 @@ done
%{_libdir}/libsss_nss_idmap.so
%{_libdir}/pkgconfig/sss_nss_idmap.pc
-%files -n python-libsss_nss_idmap
+%files -n python2-libsss_nss_idmap
%defattr(-,root,root,-)
%{python2_sitearch}/pysss_nss_idmap.so
@@ -1043,7 +1093,7 @@ done
%{python3_sitearch}/pysss_nss_idmap.so
%endif
-%files -n python-libipa_hbac
+%files -n python2-libipa_hbac
%defattr(-,root,root,-)
%{python2_sitearch}/pyhbac.so
--
2.9.3

202
0079-KRB5-Fixing-FQ-name-of-user-in-krb5_setup.patch
View File

@ -1,202 +0,0 @@
From 6f97e6da7389e541f74855c702f8dafa02bbee67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Wed, 14 Sep 2016 09:00:06 -0400
Subject: [PATCH 79/79] KRB5: Fixing FQ name of user in krb5_setup()
This patch fixes creation of FQ username if krb5_map_user option
ise used.
Resolves:
https://fedorahosted.org/sssd/ticket/3188
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b34ffbf33729c557c3d1aebf4707ad0ffe4f1904)
---
src/providers/krb5/krb5_auth.c | 8 +++++++-
src/providers/krb5/krb5_init_shared.c | 1 +
src/providers/krb5/krb5_utils.c | 26 +++++++++++++++++++++++++-
src/providers/krb5/krb5_utils.h | 4 +++-
src/tests/krb5_utils-tests.c | 33 ++++++++++++++++++++-------------
5 files changed, 56 insertions(+), 16 deletions(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f0f2280022a3ee951ccfa0040b616c48c3b25706..a5ecb24323d3d413bc08f100b90195d3619172d3 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -207,7 +207,13 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx,
if (ret == EOK) {
DEBUG(SSSDBG_TRACE_FUNC, "Setting mapped name to: %s\n", mapped_name);
kr->user = mapped_name;
- kr->kuserok_user = mapped_name;
+
+ kr->kuserok_user = sss_output_name(kr, kr->user,
+ dom->case_sensitive, 0);
+ if (kr->kuserok_user == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
} else if (ret == ENOENT) {
DEBUG(SSSDBG_TRACE_ALL, "No mapping for: %s\n", pd->user);
kr->user = pd->user;
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
index 767291c0b953ea3f227f64a7e21f191262424cf5..c8fd8593a8b6d304fe314254c940351fa5ee12f3 100644
--- a/src/providers/krb5/krb5_init_shared.c
+++ b/src/providers/krb5/krb5_init_shared.c
@@ -94,6 +94,7 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
ret = parse_krb5_map_user(krb5_auth_ctx,
dp_opt_get_cstring(krb5_auth_ctx->opts,
KRB5_MAP_USER),
+ bectx->domain->name,
&krb5_auth_ctx->name_to_primary);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "parse_krb5_map_user failed: %s:[%d]\n",
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 0ac60daee533ea1264bc55d0d65054ed38b3a092..e968dfa5fe50c43c51e624507261ae2c8263b67d 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -521,7 +521,9 @@ done:
}
errno_t
-parse_krb5_map_user(TALLOC_CTX *mem_ctx, const char *krb5_map_user,
+parse_krb5_map_user(TALLOC_CTX *mem_ctx,
+ const char *krb5_map_user,
+ const char *dom_name,
struct map_id_name_to_krb_primary **_name_to_primary)
{
int size;
@@ -570,6 +572,28 @@ parse_krb5_map_user(TALLOC_CTX *mem_ctx, const char *krb5_map_user,
}
}
+ /* conversion names to fully-qualified names */
+ for (int i = 0; i < size; i++) {
+ name_to_primary[i].id_name = sss_create_internal_fqname(
+ name_to_primary,
+ name_to_primary[i].id_name,
+ dom_name);
+ if (name_to_primary[i].id_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ name_to_primary[i].krb_primary = sss_create_internal_fqname(
+ name_to_primary,
+ name_to_primary[i].krb_primary,
+ dom_name);
+ if (name_to_primary[i].krb_primary == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
ret = EOK;
done:
diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
index 75b93c30ef5be5d16f2ce73f44abef674c6e98ff..3051a99445054638d04fbee34415e9cf3d226588 100644
--- a/src/providers/krb5/krb5_utils.h
+++ b/src/providers/krb5/krb5_utils.h
@@ -51,7 +51,9 @@ errno_t get_domain_or_subdomain(struct be_ctx *be_ctx,
struct sss_domain_info **dom);
errno_t
-parse_krb5_map_user(TALLOC_CTX *mem_ctx, const char *krb5_map_user,
+parse_krb5_map_user(TALLOC_CTX *mem_ctx,
+ const char *krb5_map_user,
+ const char *dom_name,
struct map_id_name_to_krb_primary **_name_to_primary);
#endif /* __KRB5_UTILS_H__ */
diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c
index 515a1941509c13ca4ad8d9953687f9047da29426..36bd0324475e161e627006de0ddcbc775f8a749b 100644
--- a/src/tests/krb5_utils-tests.c
+++ b/src/tests/krb5_utils-tests.c
@@ -614,25 +614,25 @@ START_TEST(test_parse_krb5_map_user)
/* empty input */
{
check_leaks_push(mem_ctx);
- ret = parse_krb5_map_user(mem_ctx, NULL, &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, NULL, DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
fail_unless(name_to_primary[0].id_name == NULL &&
name_to_primary[0].krb_primary == NULL);
talloc_free(name_to_primary);
- ret = parse_krb5_map_user(mem_ctx, "", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, "", DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
fail_unless(name_to_primary[0].id_name == NULL &&
name_to_primary[0].krb_primary == NULL);
talloc_free(name_to_primary);
- ret = parse_krb5_map_user(mem_ctx, ",", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ",", DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
fail_unless(name_to_primary[0].id_name == NULL &&
name_to_primary[0].krb_primary == NULL);
talloc_free(name_to_primary);
- ret = parse_krb5_map_user(mem_ctx, ",,", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ",,", DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
fail_unless(name_to_primary[0].id_name == NULL &&
name_to_primary[0].krb_primary == NULL);
@@ -645,14 +645,16 @@ START_TEST(test_parse_krb5_map_user)
check_leaks_push(mem_ctx);
const char *p = "pája:preichl,joe:juser,jdoe:ßlack";
const char *p2 = " pája : preichl , joe:\njuser,jdoe\t: ßlack ";
- const char *expected[] = {"pája", "preichl", "joe", "juser", "jdoe", "ßlack"};
- ret = parse_krb5_map_user(mem_ctx, p, &name_to_primary);
+ const char *expected[] = { "pája@testdomain", "preichl@" DOMAIN_NAME,
+ "joe@testdomain", "juser@testdomain",
+ "jdoe@testdomain", "ßlack@testdomain" };
+ ret = parse_krb5_map_user(mem_ctx, p, DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
compare_map_id_name_to_krb_primary(name_to_primary, expected,
sizeof(expected)/sizeof(const char*)/2);
talloc_free(name_to_primary);
- ret = parse_krb5_map_user(mem_ctx, p2, &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, p2, DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
compare_map_id_name_to_krb_primary(name_to_primary, expected,
sizeof(expected)/sizeof(const char*)/2);
@@ -663,22 +665,27 @@ START_TEST(test_parse_krb5_map_user)
{
check_leaks_push(mem_ctx);
- ret = parse_krb5_map_user(mem_ctx, ":", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ":", DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, "joe:", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, "joe:", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, ":joe", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ":joe", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, "joe:,", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, "joe:,", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, ",joe", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ",joe", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, "joe:j:user", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, "joe:j:user", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
fail_unless(check_leaks_pop(mem_ctx));
--
2.9.3

161
0080-libwbclient-sssd-update-interface-to-version-0.13.patch
View File

@ -1,161 +0,0 @@
From 08421a1e4416e0992e95c797536864e86ea6cccc Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Oct 2016 17:47:59 +0200
Subject: [PATCH 80/80] libwbclient-sssd: update interface to version 0.13
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch adds wbcCtxUnixIdsToSids() and wbcUnixIdsToSids() to SSSD's
libwbclient and implements the latter.
Resolves:
https://fedorahosted.org/sssd/ticket/3181
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit f3347a0c72afc75b4d829e9981d1bac6b05a8306)
---
src/conf_macros.m4 | 4 ++--
src/sss_client/libwbclient/wbc_ctx_sssd.c | 7 +++++++
src/sss_client/libwbclient/wbc_idmap_sssd.c | 26 ++++++++++++++++++++++++
src/sss_client/libwbclient/wbclient.exports | 6 ++++++
src/sss_client/libwbclient/wbclient_sssd.h | 31 ++++++++++++++++++++++++++++-
5 files changed, 71 insertions(+), 3 deletions(-)
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index bc295c5e79d3c699b25cebf38e8c0f0112de010d..427b0e08d400d6e5628537b28bb93bc2fc6239a4 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -727,10 +727,10 @@ AC_DEFUN([WITH_LIBWBCLIENT],
if test x"$with_libwbclient" = xyes; then
AC_DEFINE(BUILD_LIBWBCLIENT, 1, [whether to build SSSD implementation of libwbclient])
- libwbclient_version="0.12"
+ libwbclient_version="0.13"
AC_SUBST(libwbclient_version)
- libwbclient_version_info="12:0:12"
+ libwbclient_version_info="13:0:13"
AC_SUBST(libwbclient_version_info)
fi
AM_CONDITIONAL([BUILD_LIBWBCLIENT], [test x"$with_libwbclient" = xyes])
diff --git a/src/sss_client/libwbclient/wbc_ctx_sssd.c b/src/sss_client/libwbclient/wbc_ctx_sssd.c
index 1f259ee00e48d68d8da3f6b0abc12175a70c1f20..0f5aff473e984fbc630fc0ca8aa1647de51cbde4 100644
--- a/src/sss_client/libwbclient/wbc_ctx_sssd.c
+++ b/src/sss_client/libwbclient/wbc_ctx_sssd.c
@@ -167,6 +167,13 @@ wbcErr wbcCtxSidsToUnixIds(struct wbcContext *ctx,
WBC_SSSD_NOT_IMPLEMENTED;
}
+wbcErr wbcCtxUnixIdsToSids(struct wbcContext *ctx,
+ const struct wbcUnixId *ids, uint32_t num_ids,
+ struct wbcDomainSid *sids)
+{
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
+
wbcErr wbcCtxAllocateUid(struct wbcContext *ctx, uid_t *puid)
{
WBC_SSSD_NOT_IMPLEMENTED;
diff --git a/src/sss_client/libwbclient/wbc_idmap_sssd.c b/src/sss_client/libwbclient/wbc_idmap_sssd.c
index 6b5f525f0433c948e4d570d177dc6cffd82eff40..c8da9754265a1ad3ef098c545a2b2d8d3c548d4d 100644
--- a/src/sss_client/libwbclient/wbc_idmap_sssd.c
+++ b/src/sss_client/libwbclient/wbc_idmap_sssd.c
@@ -202,3 +202,29 @@ wbcErr wbcSidsToUnixIds(const struct wbcDomainSid *sids, uint32_t num_sids,
return WBC_ERR_SUCCESS;
}
+
+wbcErr wbcUnixIdsToSids(const struct wbcUnixId *ids, uint32_t num_ids,
+ struct wbcDomainSid *sids)
+{
+ size_t c;
+ wbcErr wbc_status;
+
+ for (c = 0; c < num_ids; c++) {
+ switch (ids[c].type) {
+ case WBC_ID_TYPE_UID:
+ wbc_status = wbcUidToSid(ids[c].id.uid, &sids[c]);
+ break;
+ case WBC_ID_TYPE_GID:
+ wbc_status = wbcGidToSid(ids[c].id.gid, &sids[c]);
+ break;
+ default:
+ wbc_status = WBC_ERR_INVALID_PARAM;
+ }
+
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ sids[c] = (struct wbcDomainSid){ 0 };
+ };
+ }
+
+ return WBC_ERR_SUCCESS;
+}
diff --git a/src/sss_client/libwbclient/wbclient.exports b/src/sss_client/libwbclient/wbclient.exports
index 574c1d1fe232fad0a4c104de086977515a05ab84..9d3c2040e7d393c0057d44864826cefc2e3f7a31 100644
--- a/src/sss_client/libwbclient/wbclient.exports
+++ b/src/sss_client/libwbclient/wbclient.exports
@@ -144,3 +144,9 @@ WBCLIENT_0.12 {
wbcCtxPingDc;
wbcCtxPingDc2;
} WBCLIENT_0.11;
+
+WBCLIENT_0.13 {
+ global:
+ wbcUnixIdsToSids;
+ wbcCtxUnixIdsToSids;
+} WBCLIENT_0.12;
diff --git a/src/sss_client/libwbclient/wbclient_sssd.h b/src/sss_client/libwbclient/wbclient_sssd.h
index ec6d032814445bff0819b4de0df07ccf4008aefc..50ba7f84304df5f24a31cbbad857f22d1c70964d 100644
--- a/src/sss_client/libwbclient/wbclient_sssd.h
+++ b/src/sss_client/libwbclient/wbclient_sssd.h
@@ -73,9 +73,10 @@ const char *wbcErrorString(wbcErr error);
* 0.10: Added wbcPingDc2()
* 0.11: Extended wbcAuthenticateUserEx to provide PAC parsing
* 0.12: Added wbcCtxCreate and friends
+ * 0.13: Added wbcCtxUnixIdsToSids and wbcUnixIdsToSids
**/
#define WBCLIENT_MAJOR_VERSION 0
-#define WBCLIENT_MINOR_VERSION 12
+#define WBCLIENT_MINOR_VERSION 13
#define WBCLIENT_VENDOR_VERSION "Samba libwbclient"
struct wbcLibraryDetails {
uint16_t major_version;
@@ -1031,6 +1032,34 @@ wbcErr wbcSidsToUnixIds(const struct wbcDomainSid *sids, uint32_t num_sids,
struct wbcUnixId *ids);
/**
+ * @brief Convert a list of unix ids to sids
+ *
+ * @param ctx wbclient Context
+ * @param ids Pointer to an array of UNIX IDs to convert
+ * @param num_ids Number of UNIX IDs
+ * @param sids Preallocated output array for translated SIDs
+ *
+ * @return #wbcErr
+ *
+ **/
+wbcErr wbcCtxUnixIdsToSids(struct wbcContext *ctx,
+ const struct wbcUnixId *ids, uint32_t num_ids,
+ struct wbcDomainSid *sids);
+
+/**
+ * @brief Convert a list of unix ids to sids
+ *
+ * @param ids Pointer to an array of UNIX IDs to convert
+ * @param num_ids Number of UNIX IDs
+ * @param sids Preallocated output array for translated SIDs
+ *
+ * @return #wbcErr
+ *
+ **/
+wbcErr wbcUnixIdsToSids(const struct wbcUnixId *ids, uint32_t num_ids,
+ struct wbcDomainSid *sids);
+
+/**
* @brief Obtain a new uid from Winbind
*
* @param *ctx wbclient Context
--
2.9.3

2
sources
View File

@ -1 +1 @@
cb79e3a391a537fd2be487d822bbf7c1 sssd-1.14.1.tar.gz
8ddcc386b539c1adb6de85e6b290f572 sssd-1.14.2.tar.gz

103
sssd.spec
View File

@ -25,8 +25,8 @@
%endif
Name: sssd
Version: 1.14.1
Release: 4%{?dist}
Version: 1.14.2
Release: 1%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -35,86 +35,6 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-CONFIG-selinux_provider-is-a-valid-provider-type.patch
Patch0002: 0002-CONFIG-session_provider-does-not-exist-anymore.patch
Patch0003: 0003-PROXY-Use-the-fqname-when-converting-to-lowercase.patch
Patch0004: 0004-sssd_netgroup.py-Resolve-nested-netgroups.patch
Patch0005: 0005-LDAP-Fixing-of-removing-netgroup-from-cache.patch
Patch0006: 0006-INTG-Adding-support-for-netgroups-to-ldap_ent.patch
Patch0007: 0007-INTG-Tests-for-ldap-nested-netgroups.patch
Patch0008: 0008-watchdog-cope-with-time-shift.patch
Patch0009: 0009-BUILD-Allow-to-read-private-pipes-for-root.patch
Patch0010: 0010-SYSDB-Rework-sysdb_cache_connect.patch
Patch0011: 0011-SYSDB-Remove-the-timestamp-cache-for-a-newly-created.patch
Patch0012: 0012-SECRETS-Return-ENOENT-when_deleting-a-non-existent-s.patch
Patch0013: 0013-SPEC-Fix-typo-in-Summary.patch
Patch0014: 0014-IPA-Parse-qualified-names-when-guessing-AD-user-prin.patch
Patch0015: 0015-PROXY-Remove-lowercase-attribute-from-save_user.patch
Patch0016: 0016-PROXY-Remove-cache_timeout-attribute-from-save_user.patch
Patch0017: 0017-PROXY-Remove-cache_timeout-attribute-from-save_group.patch
Patch0018: 0018-PROXY-Mention-that-save_user-s-parameters-are-alread.patch
Patch0019: 0019-PROXY-Share-common-code-of-save_-group-user.patch
Patch0020: 0020-SYSDB-Fix-uninitialized-scalar-variable.patch
Patch0021: 0021-BUILD-Add-a-few-more-targets-for-intg-tests.patch
Patch0022: 0022-BUILD-Clean-up-prerelease-targets.patch
Patch0023: 0023-BUILD-Fix-typo-in-intgcheck-run-rule.patch
Patch0024: 0024-BUILD-Remove-leftover-after-sysdb-refactoring.patch
Patch0025: 0025-MONITOR-Remove-the-no-longer-used-diag_cmd-command.patch
Patch0026: 0026-MONITOR-Remove-the-no-longer-used-kill_service-comma.patch
Patch0027: 0027-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch
Patch0028: 0028-PROXY-Use-right-name-in-ldap-filter.patch
Patch0029: 0029-SECRETS-Make-internal-function-static.patch
Patch0030: 0030-SECRETS-Make-reading-the-config-options-more-uniform.patch
Patch0031: 0031-dyndns-fix-typo-and-unify-ipa-with-ad-debug-message-.patch
Patch0032: 0032-netlink-Don-t-define-USE_GNU.patch
Patch0033: 0033-MONITOR-Remove-leftovers-from-diag_cmd.patch
Patch0034: 0034-MONITOR-Remove-leftovers-from-kill_service.patch
Patch0035: 0035-SYSDB-Fix-error-handling-in-sysdb_get_user_members_r.patch
Patch0036: 0036-DEBUG-Apend-line-feed-to-messages-from-libsemanage.patch
Patch0037: 0037-MAN-Document-the-ldap_user_primary_group-option.patch
Patch0038: 0038-sdap_initgr_nested_get_membership_diff-use-fully-qua.patch
Patch0039: 0039-SYSDB-Removing-of-unused-parameter.patch
Patch0040: 0040-SYSDB-Suppress-warning-from-clang-static-analyser.patch
Patch0041: 0041-TOOLS-Fix-a-typo-in-groupadd.patch
Patch0042: 0042-TOOLS-sss_groupshow-did-not-work.patch
Patch0043: 0043-TESTS-sss_groupadd-groupshow-regressions.patch
Patch0044: 0044-TOOLS-use-internal-fqdn-for-DN.patch
Patch0045: 0045-TESTS-Test-for-sss_user-groupmod-a.patch
Patch0046: 0046-TOOLS-sss_mc_refresh_nested_group-short-fqname-usage.patch
Patch0047: 0047-TESTS-Add-FQDN-variants-for-some-tests.patch
Patch0048: 0048-KRB5-Send-the-output-username-not-internal-fqname-to.patch
Patch0049: 0049-MONITOR-Remove-disable-netlink-command-line-option.patch
Patch0050: 0050-MONITOR-Add-disable_netlink-option.patch
Patch0051: 0051-TOOLS-sss_override-without-name-override.patch
Patch0052: 0052-TEST-Add-regression-test-for-ticket-3179.patch
Patch0053: 0053-TOOLS-sss_groupshow-fails-to-show-MPG.patch
Patch0054: 0054-TESTS-sss_groupshow-with-MPG.patch
Patch0055: 0055-KRB5-Return-ERR_NETWORK_IO-on-clock-skew.patch
Patch0056: 0056-SDAP-Fix-settig-paging-attribute-in-sdap_get_generic.patch
Patch0057: 0057-PROXY-Adding-proxy_max_children-option.patch
Patch0058: 0058-SECRETS-Search-by-the-right-type-when-checking-conta.patch
Patch0059: 0059-LDAP-Return-partial-results-from-adminlimit-exceeded.patch
Patch0060: 0060-MAN-sssd-sudo-manual-update-IPA-native-LDAP-tree-sup.patch
Patch0061: 0061-p11-only-set-PKCS11_LOGIN_TOKEN_NAME-if-gdm-smartcar.patch
Patch0062: 0062-p11-return-a-fully-qualified-name.patch
Patch0063: 0063-pam_sss-check-PKCS11_LOGIN_TOKEN_NAME.patch
Patch0064: 0064-SECRETS-Don-t-remove-a-container-when-it-has-childre.patch
Patch0065: 0065-PAM-call-free-only-when-memory-is-expected-to-be-all.patch
Patch0066: 0066-TESTS-Fixing-of-const-warnings-in-sbus-tests.patch
Patch0067: 0067-MAKEFILE-Fixing-CFLAGS-in-some-tests.patch
Patch0068: 0068-TESTS-Add-integration-tests-for-the-sssd-secrets.patch
Patch0069: 0069-AUTOFS-Fix-offline-resolution-of-autofs-maps.patch
Patch0070: 0070-NSS-Fix-offline-resolution-of-netgroups.patch
Patch0071: 0071-TESTS-Test-offline-netgroups-resolution.patch
Patch0072: 0072-Remove-double-semicolon-at-the-end-of-line.patch
Patch0073: 0073-TESTS-Add-simple-test-for-double-semicolon.patch
Patch0074: 0074-failover-proceed-normally-when-no-new-server-is-foun.patch
Patch0075: 0075-tests-Add-a-regression-test-for-upstream-ticket-3131.patch
Patch0076: 0076-IFP-expose-user-and-group-unique-IDs-through-DBus.patch
Patch0077: 0077-SSSDConfig-Do-not-fail-with-nonexisting-domains-serv.patch
Patch0078: 0078-SPEC-Rename-python-packages-using-macro-python_provi.patch
Patch0079: 0079-KRB5-Fixing-FQ-name-of-user-in-krb5_setup.patch
Patch0080: 0080-libwbclient-sssd-update-interface-to-version-0.13.patch
### Dependencies ###
@ -484,7 +404,7 @@ Obsoletes: libipa_hbac-python < 1.13.0
%{?python_provide:%python_provide python2-libipa_hbac}
%description -n python2-libipa_hbac
The python-libipa_hbac contains the bindings so that libipa_hbac can be
The python2-libipa_hbac contains the bindings so that libipa_hbac can be
used by Python applications.
%package -n python3-libipa_hbac
@ -661,10 +581,6 @@ autoreconf -ivf
make %{?_smp_mflags} all docs
%check
# workaround for wrong permissing in test introduced in patch
# remove after rebase to 1.14.2
chmod a+x ./src/tests/double_semicolon_test
export CK_TIMEOUT_MULTIPLIER=10
make %{?_smp_mflags} check VERBOSE=yes
unset CK_TIMEOUT_MULTIPLIER
@ -853,6 +769,7 @@ done
%{_mandir}/man5/sssd.conf.5*
%{_mandir}/man5/sssd-simple.5*
%{_mandir}/man5/sssd-sudo.5*
%{_mandir}/man5/sssd-secrets.5*
%{_mandir}/man5/sss_rpcidmapd.5*
%{_mandir}/man8/sssd.8*
%{_mandir}/man8/sss_cache.8*
@ -1141,14 +1058,6 @@ fi
%postun -n libsss_simpleifp -p /sbin/ldconfig
%posttrans libwbclient
# Alternatives was removed only if package was uninstalled
# However in cease of package upgrade and soname bump the
# the old alternative was not removed.
# This is a workaround/fix for unused alternative
%{_sbindir}/update-alternatives \
--remove libwbclient.so.0.11%{libwbc_alternatives_suffix} \
%{_libdir}/%{name}/modules/libwbclient.so.0.11.0
%{_sbindir}/update-alternatives \
--install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
@ -1172,6 +1081,10 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Thu Oct 20 2016 Lukas Slebodnik <lslebodn@redhat.com> - 1.14.2-1
- New upstream release 1.14.2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.2
* Fri Oct 14 2016 Lukas Slebodnik <lslebodn@redhat.com> - 1.14.1-4
- libwbclient-sssd: update interface to version 0.13