From 90dd145c92e9709293337bb31c50f91b045e4a0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 27 Apr 2018 22:05:04 +0200 Subject: [PATCH] Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also ... Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal] Signed-off-by: Fabiano Fidêncio --- ...rwrite-and-actually-remove-files_ctx.patch | 88 +++++ 0049-FILES-Reduce-code-duplication.patch | 310 ++++++++++++++++++ ...he-domain-status-back-even-on-errors.patch | 75 +++++ ...-Skip-files-that-are-not-created-yet.patch | 145 ++++++++ ...the-request-for-update-if-the-files-.patch | 41 +++ sssd.spec | 9 + 6 files changed, 668 insertions(+) create mode 100644 0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch create mode 100644 0049-FILES-Reduce-code-duplication.patch create mode 100644 0050-FILES-Reset-the-domain-status-back-even-on-errors.patch create mode 100644 0051-FILES-Skip-files-that-are-not-created-yet.patch create mode 100644 0052-FILES-Only-send-the-request-for-update-if-the-files-.patch diff --git a/0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch b/0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch new file mode 100644 index 0000000..797bfa8 --- /dev/null +++ b/0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch 
@@ -0,0 +1,88 @@ +From 8c86f78e41bdb0fa4d77ffaffd13e602b77cdf2f Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 4 Apr 2018 14:18:10 +0200 +Subject: [PATCH] FILES: Do not overwrite and actually remove + files_ctx.{pwd,grp}_watch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The snotify_ctx structures were unused, are completely opaque (their +only value is that if they are freed, the watches disappear which +the files provider never does). + +And moreover, since the patches to support multiple files, the watches +were overwritten with subsequent assignments. + +Reviewed-by: Pavel Březina +(cherry picked from commit d69e1da370fa33c5085b31eb6302a30d81817534) +--- + src/providers/files/files_ops.c | 35 +++++++++++++++++++++++------------ + 1 file changed, 23 insertions(+), 12 deletions(-) + +diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c +index a2a2798d3..95c4d2a06 100644 +--- a/src/providers/files/files_ops.c ++++ b/src/providers/files/files_ops.c +@@ -36,9 +36,6 @@ + #define GRP_MAXSIZE 2048 + + struct files_ctx { +- struct snotify_ctx *pwd_watch; +- struct snotify_ctx *grp_watch; +- + struct files_ops_ctx *ops; + }; + +@@ -957,6 +954,7 @@ struct files_ctx *sf_init(TALLOC_CTX *mem_ctx, + struct files_ctx *fctx; + struct tevent_immediate *imm; + int i; ++ struct snotify_ctx *snctx; + + fctx = talloc(mem_ctx, struct files_ctx); + if (fctx == NULL) { +@@ -964,18 +962,31 @@ struct files_ctx *sf_init(TALLOC_CTX *mem_ctx, + } + + for (i = 0; passwd_files[i]; i++) { +- fctx->pwd_watch = sf_setup_watch(fctx, ev, passwd_files[i], +- sf_passwd_cb, id_ctx); ++ snctx = sf_setup_watch(fctx, ev, passwd_files[i], ++ sf_passwd_cb, id_ctx); ++ if (snctx == NULL) { ++ DEBUG(SSSDBG_FATAL_FAILURE, ++ "Cannot set watch for passwd file %s\n", passwd_files[i]); ++ /* Rather than reporting incomplete or inconsistent information ++ * in case e.g. 
group memberships span multiple files, just abort ++ */ ++ talloc_free(fctx); ++ return NULL; + } +- +- for (i = 0; group_files[i]; i++) { +- fctx->grp_watch = sf_setup_watch(fctx, ev, group_files[i], +- sf_group_cb, id_ctx); + } + +- if (fctx->pwd_watch == NULL || fctx->grp_watch == NULL) { +- talloc_free(fctx); +- return NULL; ++ for (i = 0; group_files[i]; i++) { ++ snctx = sf_setup_watch(fctx, ev, group_files[i], ++ sf_group_cb, id_ctx); ++ if (snctx == NULL) { ++ DEBUG(SSSDBG_FATAL_FAILURE, ++ "Cannot set watch for group file %s\n", group_files[i]); ++ /* Rather than reporting incomplete or inconsistent information ++ * in case e.g. group memberships span multiple files, just abort ++ */ ++ talloc_free(fctx); ++ return NULL; ++ } + } + + /* Enumerate users and groups on startup to process any changes when +-- +2.14.3 + diff --git a/0049-FILES-Reduce-code-duplication.patch b/0049-FILES-Reduce-code-duplication.patch new file mode 100644 index 0000000..ef0a2e8 --- /dev/null +++ b/0049-FILES-Reduce-code-duplication.patch 
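Review bot: In both new loops in `sf_init` the handle returned by `sf_setup_watch()` is compared with NULL and then dropped, and nothing in the code says why that is safe. Going by the commit message and the `fctx` first argument, the watch presumably stays alive as a talloc child of `fctx`, so a short comment above the first loop would help, for example `/* watches are parented to fctx and live until it is freed; the handle is only needed for the NULL check */`. The passwd and group loops also differ only in the file list, the callback and the message text, so a small static helper taking those three would remove the duplicated abort path. `sf_init` begins and ends outside the hunk.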
@@ -0,0 +1,310 @@ +From 601e30e9d6e7c0da2e1648dc2d9bc37bddf512d8 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 17 Apr 2018 14:22:39 +0200 +Subject: [PATCH] FILES: Reduce code duplication +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Pavel Březina +(cherry picked from commit 1f8bfb6975becda07ff29f557f82b6ac1eaa0be9) +--- + src/providers/files/files_ops.c | 213 +++++++++++++++------------------------- + 1 file changed, 81 insertions(+), 132 deletions(-) + +diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c +index 95c4d2a06..370af1274 100644 +--- a/src/providers/files/files_ops.c ++++ b/src/providers/files/files_ops.c +@@ -35,6 +35,10 @@ + #define PWD_MAXSIZE 1024 + #define GRP_MAXSIZE 2048 + ++#define SF_UPDATE_PASSWD 1<<0 ++#define SF_UPDATE_GROUP 1<<1 ++#define SF_UPDATE_BOTH (SF_UPDATE_PASSWD | SF_UPDATE_GROUP) ++ + struct files_ctx { + struct files_ops_ctx *ops; + }; +@@ -708,6 +712,70 @@ done: + return ret; + } + ++static errno_t sf_enum_files(struct files_id_ctx *id_ctx, ++ uint8_t flags) ++{ ++ errno_t ret; ++ errno_t tret; ++ bool in_transaction = false; ++ ++ ret = sysdb_transaction_start(id_ctx->domain->sysdb); ++ if (ret != EOK) { ++ goto done; ++ } ++ in_transaction = true; ++ ++ if (flags & SF_UPDATE_PASSWD) { ++ ret = delete_all_users(id_ctx->domain); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ /* All users were deleted, therefore we need to enumerate each file again */ ++ for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) { ++ ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n"); ++ goto done; ++ } ++ } ++ } ++ ++ if (flags & SF_UPDATE_GROUP) { ++ ret = delete_all_groups(id_ctx->domain); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ /* All groups were deleted, therefore we need to enumerate each file again */ ++ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) 
{ ++ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n"); ++ goto done; ++ } ++ } ++ } ++ ++ ret = sysdb_transaction_commit(id_ctx->domain->sysdb); ++ if (ret != EOK) { ++ goto done; ++ } ++ in_transaction = false; ++ ++ ret = EOK; ++done: ++ if (in_transaction) { ++ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); ++ if (tret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Cannot cancel transaction: %d\n", ret); ++ } ++ } ++ ++ return ret; ++} ++ + static void sf_cb_done(struct files_id_ctx *id_ctx) + { + /* Only activate a domain when both callbacks are done */ +@@ -722,8 +790,6 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt) + { + struct files_id_ctx *id_ctx; + errno_t ret; +- errno_t tret; +- bool in_transaction = false; + + id_ctx = talloc_get_type(pvt, struct files_id_ctx); + if (id_ctx == NULL) { +@@ -740,49 +806,17 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt) + dp_sbus_reset_users_memcache(id_ctx->be->provider); + dp_sbus_reset_initgr_memcache(id_ctx->be->provider); + +- ret = sysdb_transaction_start(id_ctx->domain->sysdb); +- if (ret != EOK) { +- goto done; +- } +- in_transaction = true; +- +- ret = delete_all_users(id_ctx->domain); +- if (ret != EOK) { +- goto done; +- } +- +- /* All users were deleted, therefore we need to enumerate each file again */ +- for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) { +- ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n"); +- goto done; +- } +- } +- +- /* Covers the case when someone edits /etc/group, adds a group member and ++ /* Using SF_UDPATE_BOTH here the case when someone edits /etc/group, adds a group member and + * only then edits passwd and adds the user. The reverse is not needed, + * because member/memberof links are established when groups are saved. 
+ */ +- ret = delete_all_groups(id_ctx->domain); +- if (ret != EOK) { +- goto done; +- } +- +- /* All groups were deleted, therefore we need to enumerate each file again */ +- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) { +- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n"); +- goto done; +- } +- } +- +- ret = sysdb_transaction_commit(id_ctx->domain->sysdb); ++ ret = sf_enum_files(id_ctx, SF_UPDATE_BOTH); + if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Could not update files: [%d]: %s\n", ++ ret, sss_strerror(ret)); + goto done; + } +- in_transaction = false; + + id_ctx->updating_passwd = false; + sf_cb_done(id_ctx); +@@ -790,14 +824,6 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt) + + ret = EOK; + done: +- if (in_transaction) { +- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); +- if (tret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Cannot cancel transaction: %d\n", ret); +- } +- } +- + return ret; + } + +@@ -805,8 +831,6 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt) + { + struct files_id_ctx *id_ctx; + errno_t ret; +- errno_t tret; +- bool in_transaction = false; + + id_ctx = talloc_get_type(pvt, struct files_id_ctx); + if (id_ctx == NULL) { +@@ -823,47 +847,20 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt) + dp_sbus_reset_groups_memcache(id_ctx->be->provider); + dp_sbus_reset_initgr_memcache(id_ctx->be->provider); + +- ret = sysdb_transaction_start(id_ctx->domain->sysdb); +- if (ret != EOK) { +- goto done; +- } +- in_transaction = true; +- +- ret = delete_all_groups(id_ctx->domain); +- if (ret != EOK) { +- goto done; +- } +- +- /* All groups were deleted, therefore we need to enumerate each file again */ +- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) { +- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, 
"Cannot enumerate groups\n"); +- goto done; +- } +- } +- +- ret = sysdb_transaction_commit(id_ctx->domain->sysdb); ++ ret = sf_enum_files(id_ctx, SF_UPDATE_GROUP); + if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Could not update files: [%d]: %s\n", ++ ret, sss_strerror(ret)); + goto done; + } +- in_transaction = false; + + id_ctx->updating_groups = false; + sf_cb_done(id_ctx); + files_account_info_finished(id_ctx, BE_REQ_GROUP, ret); + + ret = EOK; +- + done: +- if (in_transaction) { +- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); +- if (tret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Cannot cancel transaction: %d\n", ret); +- } +- } +- + return ret; + } + +@@ -873,62 +870,14 @@ static void startup_enum_files(struct tevent_context *ev, + { + struct files_id_ctx *id_ctx = talloc_get_type(pvt, struct files_id_ctx); + errno_t ret; +- errno_t tret; +- bool in_transaction = false; + + talloc_zfree(imm); + +- ret = sysdb_transaction_start(id_ctx->domain->sysdb); +- if (ret != EOK) { +- goto done; +- } +- in_transaction = true; +- +- ret = delete_all_users(id_ctx->domain); +- if (ret != EOK) { +- goto done; +- } +- +- ret = delete_all_groups(id_ctx->domain); ++ ret = sf_enum_files(id_ctx, SF_UPDATE_BOTH); + if (ret != EOK) { +- goto done; +- } +- +- for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) { +- DEBUG(SSSDBG_TRACE_FUNC, +- "Startup user enumeration of [%s]\n", id_ctx->passwd_files[i]); +- ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Enumerating users failed, data might be inconsistent!\n"); +- goto done; +- } +- } +- +- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) { +- DEBUG(SSSDBG_TRACE_FUNC, +- "Startup group enumeration of [%s]\n", id_ctx->group_files[i]); +- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Enumerating groups failed, data might be inconsistent!\n"); +- goto done; +- } +- } +- +- ret = 
sysdb_transaction_commit(id_ctx->domain->sysdb); +- if (ret != EOK) { +- goto done; +- } +- in_transaction = false; +- +-done: +- if (in_transaction) { +- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); +- if (tret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Cannot cancel transaction: %d\n", ret); +- } ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Could not update files after startup: [%d]: %s\n", ++ ret, sss_strerror(ret)); + } + } + +-- +2.14.3 + diff --git a/0050-FILES-Reset-the-domain-status-back-even-on-errors.patch b/0050-FILES-Reset-the-domain-status-back-even-on-errors.patch new file mode 100644 index 0000000..acf6488 --- /dev/null +++ b/0050-FILES-Reset-the-domain-status-back-even-on-errors.patch 
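Review bot: The cancel-failure message in the `done:` block of the new `sf_enum_files()` prints `ret` rather than `tret`, so a failed rollback is logged with the code of the earlier error instead of its own; the call should read `"Cannot cancel transaction: %d\n", tret`. The new flag macros are also defined without parentheses (`1<<0`, `1<<1`), which happens to work in `flags & SF_UPDATE_PASSWD` but would misparse under `~` or arithmetic; `#define SF_UPDATE_PASSWD (1<<0)` and `#define SF_UPDATE_GROUP (1<<1)` are safer. The rewritten comment in `sf_passwd_cb` misspells the macro as `SF_UDPATE_BOTH` and has lost its verb ("... here covers the case when ...").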
@@ -0,0 +1,75 @@ +From 12876995fe664ac05149fa5d843836aed5ce33e9 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 17 Apr 2018 14:38:03 +0200 +Subject: [PATCH] FILES: Reset the domain status back even on errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The block that resets the domain status was only called on success, so +on error, the domain would have been permanently stuck in an +inconsistent state. + +Reviewed-by: Pavel Březina +(cherry picked from commit 81f16996c980a75e98538c7dd91baf9e0e635f58) +--- + src/providers/files/files_ops.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c +index 370af1274..b91078417 100644 +--- a/src/providers/files/files_ops.c ++++ b/src/providers/files/files_ops.c +@@ -793,8 +793,7 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt) + + id_ctx = talloc_get_type(pvt, struct files_id_ctx); + if (id_ctx == NULL) { +- ret = EINVAL; +- goto done; ++ return EINVAL; + } + + DEBUG(SSSDBG_TRACE_FUNC, "passwd notification\n"); +@@ -818,12 +817,11 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt) + goto done; + } + ++ ret = EOK; ++done: + id_ctx->updating_passwd = false; + sf_cb_done(id_ctx); + files_account_info_finished(id_ctx, BE_REQ_USER, ret); +- +- ret = EOK; +-done: + return ret; + } + +@@ -834,8 +832,7 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt) + + id_ctx = talloc_get_type(pvt, struct files_id_ctx); + if (id_ctx == NULL) { +- ret = EINVAL; +- goto done; ++ return EINVAL; + } + + DEBUG(SSSDBG_TRACE_FUNC, "group notification\n"); +@@ -855,12 +852,11 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt) + goto done; + } + ++ ret = EOK; ++done: + id_ctx->updating_groups = false; + sf_cb_done(id_ctx); + files_account_info_finished(id_ctx, BE_REQ_GROUP, ret); +- +- ret = EOK; 
+-done: + return ret; + } + +-- +2.14.3 + diff --git a/0051-FILES-Skip-files-that-are-not-created-yet.patch b/0051-FILES-Skip-files-that-are-not-created-yet.patch new file mode 100644 index 0000000..5cfa708 --- /dev/null +++ b/0051-FILES-Skip-files-that-are-not-created-yet.patch 
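Review bot: On the error path through the relocated `done:` label in `sf_passwd_cb` and `sf_group_cb`, the `updating_*` flag is cleared and `sf_cb_done()` is called even though the refresh failed, and nothing records that the cache is then stale. By its own comment `sf_cb_done()` activates the domain once both callbacks are done, and the failed transaction was cancelled, so the cache presumably still holds the previous users and groups; removed accounts or memberships could keep resolving until the next change notification. That is a reasonable trade against a permanently stuck domain, but it should be stated at the label, e.g. `/* on error the old cache contents stay in place; reset the state anyway so the domain is not stuck inconsistent */`. Both callbacks begin outside their hunks.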
@@ -0,0 +1,145 @@ +From 7703a7efe1ed4800a7676cfaac9bd00fec7de1c4 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 4 Apr 2018 14:13:56 +0200 +Subject: [PATCH] FILES: Skip files that are not created yet +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In order to avoid complex ordering logic, even if one file is updated, +we flush all the entries. In theory, we could only flush the individual +file and all the files preceding it, but it's safer to just create a +complete mirror every time. + +And this can be problematic if one of the files we try to update is not +created yet during the update. This can happen e.g. when a file is not +created during early boot. + +To solve this, try to be very defensive and always flush the whole +database, ignore ENOENT errors, but abort on all other errors. + +Reviewed-by: Pavel Březina +(cherry picked from commit c1bce7da6c33b352dc708a5dd9712a4d96c63057) +--- + src/providers/files/files_ops.c | 22 ++++++++++--- + src/tests/intg/test_files_provider.py | 60 +++++++++++++++++++++++++++++++++++ + 2 files changed, 78 insertions(+), 4 deletions(-) + +diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c +index b91078417..f5a40297a 100644 +--- a/src/providers/files/files_ops.c ++++ b/src/providers/files/files_ops.c +@@ -734,8 +734,15 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx, + /* All users were deleted, therefore we need to enumerate each file again */ + for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) { + ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n"); ++ if (ret == ENOENT) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "The file %s does not exist (yet), skipping\n", ++ id_ctx->passwd_files[i]); ++ continue; ++ } else if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Cannot enumerate users from %s, aborting\n", ++ id_ctx->passwd_files[i]); + goto done; + } + } 
+@@ -750,8 +757,15 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx, + /* All groups were deleted, therefore we need to enumerate each file again */ + for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) { + ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n"); ++ if (ret == ENOENT) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "The file %s does not exist (yet), skipping\n", ++ id_ctx->group_files[i]); ++ continue; ++ } else if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Cannot enumerate groups from %s, aborting\n", ++ id_ctx->group_files[i]); + goto done; + } + } +diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py +index ce5c7b774..cc9c1f1c7 100644 +--- a/src/tests/intg/test_files_provider.py ++++ b/src/tests/intg/test_files_provider.py +@@ -187,6 +187,40 @@ def files_multiple_sources(request): + return alt_pwops, alt_grops + + ++@pytest.fixture ++def files_multiple_sources_nocreate(request): ++ """ ++ Sets up SSSD with multiple sources, but does not actually create ++ the files. 
++ """ ++ alt_passwd_path = tempfile.mktemp(prefix='altpasswd') ++ request.addfinalizer(lambda: os.unlink(alt_passwd_path)) ++ ++ alt_group_path = tempfile.mktemp(prefix='altgroup') ++ request.addfinalizer(lambda: os.unlink(alt_group_path)) ++ ++ passwd_list = ",".join([os.environ["NSS_WRAPPER_PASSWD"], alt_passwd_path]) ++ group_list = ",".join([os.environ["NSS_WRAPPER_GROUP"], alt_group_path]) ++ ++ conf = unindent("""\ ++ [sssd] ++ domains = files ++ services = nss ++ ++ [nss] ++ debug_level = 10 ++ ++ [domain/files] ++ id_provider = files ++ passwd_files = {passwd_list} ++ group_files = {group_list} ++ debug_level = 10 ++ """).format(**locals()) ++ create_conf_fixture(request, conf) ++ create_sssd_fixture(request) ++ return alt_passwd_path, alt_group_path ++ ++ + @pytest.fixture + def proxy_to_files_domain_only(request): + conf = unindent("""\ +@@ -1113,3 +1147,29 @@ def test_multiple_passwd_group_files(add_user_with_canary, + + check_group(GROUP1) + check_group(ALT_GROUP1) ++ ++ ++def test_multiple_files_created_after_startup(add_user_with_canary, ++ add_group_with_canary, ++ files_multiple_sources_nocreate): ++ """ ++ Test that users and groups can be mirrored from multiple files, ++ but those files are not created when SSSD starts, only afterwards. ++ """ ++ alt_passwd_path, alt_group_path = files_multiple_sources_nocreate ++ ++ check_user(USER1) ++ check_group(GROUP1) ++ ++ # touch the files ++ for fpath in (alt_passwd_path, alt_group_path): ++ with open(fpath, "w") as f: ++ pass ++ ++ alt_pwops = PasswdOps(alt_passwd_path) ++ alt_grops = GroupOps(alt_group_path) ++ alt_pwops.useradd(**ALT_USER1) ++ alt_grops.groupadd(**ALT_GROUP1) ++ ++ check_user(ALT_USER1) ++ check_group(ALT_GROUP1) +-- +2.14.3 + diff --git a/0052-FILES-Only-send-the-request-for-update-if-the-files-.patch b/0052-FILES-Only-send-the-request-for-update-if-the-files-.patch new file mode 100644 index 0000000..e99d8a6 --- /dev/null 
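Review bot: The new `files_multiple_sources_nocreate` fixture registers `os.unlink()` finalizers for paths it never creates, so if the test fails before its "touch the files" step the teardown raises on the missing file and hides the real failure. The paths also come from `tempfile.mktemp()`, which only returns a name, so another process can create that name in the shared temp directory before the test opens it for writing. Placing both files inside a directory from `tempfile.mkdtemp()` and removing that directory in a single finalizer avoids both problems. This needs `shutil`, whose import is not visible in the hunk.

```python
def files_multiple_sources_nocreate(request):
    # private directory; the two files inside it are still not created
    alt_dir = tempfile.mkdtemp(prefix='altfiles')
    request.addfinalizer(lambda: shutil.rmtree(alt_dir, ignore_errors=True))
    alt_passwd_path = os.path.join(alt_dir, 'altpasswd')
    alt_group_path = os.path.join(alt_dir, 'altgroup')
    # ... unchanged: passwd_list / group_list, sssd.conf fixture, return ...
```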
+++ b/0052-FILES-Only-send-the-request-for-update-if-the-files-.patch @@ -0,0 +1,41 @@ +From faba3074869b069a64a66844385cf170f149be4f Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 17 Apr 2018 12:32:11 +0200 +Subject: [PATCH] FILES: Only send the request for update if the files domain + is inconsistent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Resolves: +https://pagure.io/SSSD/sssd/issue/3520 + +The code was probably commented out as a mistake.. + +Reviewed-by: Pavel Březina +(cherry picked from commit 77d63f561830c15341b2ffe915a4c86b3c0f88a3) +--- + src/responder/common/responder_dp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c +index 8cc734813..9669b5fee 100644 +--- a/src/responder/common/responder_dp.c ++++ b/src/responder/common/responder_dp.c +@@ -598,11 +598,11 @@ static int sss_dp_account_files_params(struct sss_domain_info *dom, + enum sss_dp_acct_type *_type_out, + const char **_opt_name_out) + { +-#if 0 + if (sss_domain_get_state(dom) != DOM_INCONSISTENT) { ++ DEBUG(SSSDBG_TRACE_INTERNAL, ++ "The entries in the files domain are up-to-date\n"); + return EOK; + } +-#endif + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Domain files is not consistent, issuing update\n"); +-- +2.14.3 + diff --git a/sssd.spec b/sssd.spec index ad3a26e..281de21 100644 --- a/sssd.spec +++ b/sssd.spec 
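Review bot: The re-enabled early return in `sss_dp_account_files_params()` hands back `EOK` without touching `_type_out` or `_opt_name_out`, and the function carries no comment telling callers what `EOK` means here. If the path below the hunk uses a different return value to request an update, that contract should be written down above the function, for example `/* Returns EOK when the files domain is consistent and no request is needed; the output parameters are then left unset */`. The function body continues outside the hunk.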
@@ -89,6 +89,11 @@ Patch0044: 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch Patch0045: 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch Patch0046: 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch Patch0047: 0047-GPO-Fix-bug-with-empty-GPO-rules.patch +Patch0048: 0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch +Patch0049: 0049-FILES-Reduce-code-duplication.patch +Patch0050: 0050-FILES-Reset-the-domain-status-back-even-on-errors.patch +Patch0051: 0051-FILES-Skip-files-that-are-not-created-yet.patch +Patch0052: 0052-FILES-Only-send-the-request-for-update-if-the-files-.patch Patch0502: 0502-SYSTEMD-Use-capabilities.patch Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch @@ -1313,6 +1318,10 @@ fi - Document which principal does the AD provider use - Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs +- Resolves: upstream#3520 - Files provider supports only BE_FILTER_ENUM +- Resolves: rhbz#1540703 - FreeIPA/SSSD implicit_file sssd_nss error: The Data + Provider returned an error + [org.freedesktop.sssd.Error.DataProvider.Fatal] * Fri Mar 30 2018 Fabiano Fidêncio - 1.16.1-2 - Resolves: upstream#3573 - sssd won't show netgroups with blank domain