rpms/sssd
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option

Browse Source 
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This commit is contained in:
Fabiano Fidêncio 2018-04-27 21:30:42 +02:00
parent 9709b73a3f
commit 8565df471c
4 changed files with 178 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
0025-AD-Missing-header-in-ad_access.h.patch Normal file
View File

@ -0,0 +1,30 @@
From d81931454a0846fe503d090595fa5b0d4ffd93a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 4 Apr 2018 12:10:13 +0200
Subject: [PATCH] AD: Missing header in ad_access.h
ad_access.h depends on data_provider.h header but
does not include it.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit abf377672e0011da817b5105fe581b27f2f855b7)
---
src/providers/ad/ad_access.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
index cc565a8e6..34d5597da 100644
--- a/src/providers/ad/ad_access.h
+++ b/src/providers/ad/ad_access.h
@@ -23,6 +23,8 @@
#ifndef AD_ACCESS_H_
#define AD_ACCESS_H_
+#include "providers/data_provider.h"
+
struct ad_access_ctx {
struct dp_option *ad_options;
struct sdap_access_ctx *sdap_access_ctx;
--
2.14.3

65
0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch Normal file
View File

@ -0,0 +1,65 @@
From 5e47ae51f5cf11decdfec483ab1adef07ec2b7ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 4 Apr 2018 12:17:37 +0200
Subject: [PATCH] GPO: Add ad_options to ad_gpo_process_som_state
We will need at least ad_site option from this
context available to get the AD site override
value.
Resolves:
https://pagure.io/SSSD/sssd/issue/3646
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7a42831b208ed8d2fcb9d8beaa12bd2214bb7dce)
---
src/providers/ad/ad_gpo.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index d9ea31141..028f6a2e7 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -146,6 +146,7 @@ struct tevent_req *ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb_ctx,
struct sdap_id_op *sdap_op,
struct sdap_options *opts,
+ struct dp_option *ad_options,
int timeout,
const char *target_dn,
const char *domain_name);
@@ -1975,6 +1976,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
state->ldb_ctx,
state->sdap_op,
state->opts,
+ state->access_ctx->ad_options,
state->timeout,
state->target_dn,
state->host_domain->name);
@@ -2701,6 +2703,7 @@ struct ad_gpo_process_som_state {
struct tevent_context *ev;
struct sdap_id_op *sdap_op;
struct sdap_options *opts;
+ struct dp_option *ad_options;
int timeout;
bool allow_enforced_only;
char *site_name;
@@ -2734,6 +2737,7 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb_ctx,
struct sdap_id_op *sdap_op,
struct sdap_options *opts,
+ struct dp_option *ad_options,
int timeout,
const char *target_dn,
const char *domain_name)
@@ -2752,6 +2756,7 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->sdap_op = sdap_op;
state->opts = opts;
+ state->ad_options = ad_options;
state->timeout = timeout;
state->som_index = 0;
state->allow_enforced_only = 0;
--
2.14.3

79
0027-GPO-Use-AD-site-override-if-set.patch Normal file
View File

@ -0,0 +1,79 @@
From 82096e7e4a6ccaf8a2828ddfc77a04c930a14148 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 4 Apr 2018 13:24:21 +0200
Subject: [PATCH] GPO: Use AD site override if set
Use AD site override if it was set in SSSD configuration.
Resolves:
https://pagure.io/SSSD/sssd/issue/3646
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 744e2b4d0710c1dc850bfadbd75ae1ae7faf1148)
---
src/providers/ad/ad_gpo.c | 33 ++++++++++++++++++++++++++++++---
1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 028f6a2e7..a48f264c7 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2806,7 +2806,8 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq)
struct tevent_req *req;
struct ad_gpo_process_som_state *state;
int ret;
- char *site;
+ char *site = NULL;
+ char *site_override = NULL;
const char *attrs[] = {AD_AT_CONFIG_NC, NULL};
req = tevent_req_callback_data(subreq, struct tevent_req);
@@ -2817,17 +2818,43 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq)
talloc_zfree(subreq);
if (ret != EOK || site == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve master domain info\n");
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Could not autodiscover AD site. This is not fatal if "
+ "ad_site option was set.\n");
+ }
+
+ site_override = dp_opt_get_string(state->ad_options, AD_SITE);
+ if (site_override != NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Overriding autodiscovered AD site value '%s' with '%s' from "
+ "configuration.\n", site ? site : "none", site_override);
+ }
+
+ if (site == NULL && site_override == NULL) {
+ sss_log(SSS_LOG_WARNING,
+ "Could not autodiscover AD site value using DNS and ad_site "
+ "option was not set in configuration. GPO will not work. "
+ "To work around this issue you can use ad_site option in SSSD "
+ "configuration.");
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not autodiscover AD site value using DNS and ad_site "
+ "option was not set in configuration. GPO will not work. "
+ "To work around this issue you can use ad_site option in SSSD "
+ "configuration.\n");
tevent_req_error(req, ENOENT);
return;
}
- state->site_name = talloc_asprintf(state, "cn=%s", site);
+ state->site_name = talloc_asprintf(state, "cn=%s",
+ site_override ? site_override
+ : site);
if (state->site_name == NULL) {
tevent_req_error(req, ENOMEM);
return;
}
+ DEBUG(SSSDBG_TRACE_FUNC, "Using AD site '%s'.\n", state->site_name);
+
/*
* note: the configNC attribute is being retrieved here from the rootDSE
* entry. In future, since we already make an LDAP query for the rootDSE
--
2.14.3

4
sssd.spec
View File

@ -66,6 +66,9 @@ Patch0021: 0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch
Patch0022: 0022-CONFDB-Add-passwd_files-and-group_files-options.patch
Patch0023: 0023-FILES-Handle-files-provider-sources.patch
Patch0024: 0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch
Patch0025: 0025-AD-Missing-header-in-ad_access.h.patch
Patch0026: 0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
Patch0027: 0027-GPO-Use-AD-site-override-if-set.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@ -1276,6 +1279,7 @@ fi
- Resolves: upstream#3550 - refresh_expired_interval does not work with
netgrous in 1.15
- Resolves: upstream#3402 - Support alternative sources for the files provider
- Resolves: upstream#3646 - SSSD's GPO code ignores ad_site option
* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
- Resolves: upstream#3573 - sssd won't show netgroups with blank domain