import sssd-2.6.2-4.el9_0.1
This commit is contained in:
parent
b23640c607
commit
988112bf90
@ -0,0 +1,175 @@
|
|||||||
|
From 51e92297157562511baf8902777f02a4aa2e70e6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Tue, 15 Mar 2022 11:36:45 +0100
|
||||||
|
Subject: [PATCH] ad: use right sdap_domain in ad_domain_info_send
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Originally ad_domain_info_send() was only called when there was only a
|
||||||
|
single domain available and hence only a single sdap_domain struct with
|
||||||
|
the search bases in the sdap_domain list. Since ad_domain_info_send() is
|
||||||
|
now called at other times as well the right sdap_domain struct must be
|
||||||
|
selected so that the right search bases are used.
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/6063
|
||||||
|
|
||||||
|
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/providers/ad/ad_domain_info.c | 10 +++++-
|
||||||
|
src/providers/ldap/ldap_common.h | 3 ++
|
||||||
|
src/providers/ldap/sdap_domain.c | 21 ++++++++++++
|
||||||
|
src/tests/cmocka/test_search_bases.c | 48 +++++++++++++++++++++++++++-
|
||||||
|
4 files changed, 80 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
|
||||||
|
index 52b2e2442..f3a82a198 100644
|
||||||
|
--- a/src/providers/ad/ad_domain_info.c
|
||||||
|
+++ b/src/providers/ad/ad_domain_info.c
|
||||||
|
@@ -181,6 +181,7 @@ struct ad_domain_info_state {
|
||||||
|
struct sdap_id_op *id_op;
|
||||||
|
struct sdap_id_ctx *id_ctx;
|
||||||
|
struct sdap_options *opts;
|
||||||
|
+ struct sdap_domain *sdom;
|
||||||
|
|
||||||
|
const char *dom_name;
|
||||||
|
int base_iter;
|
||||||
|
@@ -215,6 +216,13 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx,
|
||||||
|
state->id_ctx = conn->id_ctx;
|
||||||
|
state->opts = conn->id_ctx->opts;
|
||||||
|
state->dom_name = dom_name;
|
||||||
|
+ state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name);
|
||||||
|
+ if (state->sdom == NULL || state->sdom->search_bases == NULL) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n");
|
||||||
|
+ ret = EINVAL;
|
||||||
|
+ goto immediate;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
|
||||||
|
ret = ad_domain_info_next(req);
|
||||||
|
if (ret != EOK && ret != EAGAIN) {
|
||||||
|
@@ -243,7 +251,7 @@ ad_domain_info_next(struct tevent_req *req)
|
||||||
|
struct ad_domain_info_state *state =
|
||||||
|
tevent_req_data(req, struct ad_domain_info_state);
|
||||||
|
|
||||||
|
- base = state->opts->sdom->search_bases[state->base_iter];
|
||||||
|
+ base = state->sdom->search_bases[state->base_iter];
|
||||||
|
if (base == NULL) {
|
||||||
|
return EOK;
|
||||||
|
}
|
||||||
|
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
|
||||||
|
index c78338b5d..426ee68df 100644
|
||||||
|
--- a/src/providers/ldap/ldap_common.h
|
||||||
|
+++ b/src/providers/ldap/ldap_common.h
|
||||||
|
@@ -391,6 +391,9 @@ sdap_domain_remove(struct sdap_options *opts,
|
||||||
|
struct sdap_domain *sdap_domain_get(struct sdap_options *opts,
|
||||||
|
struct sss_domain_info *dom);
|
||||||
|
|
||||||
|
+struct sdap_domain *sdap_domain_get_by_name(struct sdap_options *opts,
|
||||||
|
+ const char *dom_name);
|
||||||
|
+
|
||||||
|
struct sdap_domain *sdap_domain_get_by_dn(struct sdap_options *opts,
|
||||||
|
const char *dn);
|
||||||
|
|
||||||
|
diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
|
||||||
|
index fa6e9340d..1785dd20d 100644
|
||||||
|
--- a/src/providers/ldap/sdap_domain.c
|
||||||
|
+++ b/src/providers/ldap/sdap_domain.c
|
||||||
|
@@ -44,6 +44,27 @@ sdap_domain_get(struct sdap_options *opts,
|
||||||
|
return sditer;
|
||||||
|
}
|
||||||
|
|
||||||
|
+struct sdap_domain *
|
||||||
|
+sdap_domain_get_by_name(struct sdap_options *opts,
|
||||||
|
+ const char *dom_name)
|
||||||
|
+{
|
||||||
|
+ struct sdap_domain *sditer = NULL;
|
||||||
|
+
|
||||||
|
+ if (dom_name == NULL) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE, "Missing domain name.\n");
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ DLIST_FOR_EACH(sditer, opts->sdom) {
|
||||||
|
+ if (sditer->dom->name != NULL
|
||||||
|
+ && strcasecmp(sditer->dom->name, dom_name) == 0) {
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return sditer;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
struct sdap_domain *
|
||||||
|
sdap_domain_get_by_dn(struct sdap_options *opts,
|
||||||
|
const char *dn)
|
||||||
|
diff --git a/src/tests/cmocka/test_search_bases.c b/src/tests/cmocka/test_search_bases.c
|
||||||
|
index 109fa04bf..3276cf118 100644
|
||||||
|
--- a/src/tests/cmocka/test_search_bases.c
|
||||||
|
+++ b/src/tests/cmocka/test_search_bases.c
|
||||||
|
@@ -176,6 +176,51 @@ void test_get_by_dn_fail(void **state)
|
||||||
|
do_test_get_by_dn(dn, dns, 1, dns2, 1, DN_NOT_IN_DOMS);
|
||||||
|
}
|
||||||
|
|
||||||
|
+void test_sdap_domain_get_by_name(void **state)
|
||||||
|
+{
|
||||||
|
+ struct sdap_options *opts;
|
||||||
|
+ struct sss_domain_info dom1 = { 0 };
|
||||||
|
+ dom1.name = discard_const("dom1");
|
||||||
|
+ struct sss_domain_info dom2 = { 0 };
|
||||||
|
+ dom2.name = discard_const("dom2");
|
||||||
|
+ struct sss_domain_info dom3 = { 0 };
|
||||||
|
+ dom3.name = discard_const("dom3");
|
||||||
|
+ int ret;
|
||||||
|
+ struct sdap_domain *sdom;
|
||||||
|
+
|
||||||
|
+ opts = talloc_zero(NULL, struct sdap_options);
|
||||||
|
+ assert_non_null(opts);
|
||||||
|
+
|
||||||
|
+ ret = sdap_domain_add(opts, &dom1, NULL);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sdap_domain_add(opts, &dom2, NULL);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sdap_domain_add(opts, &dom3, NULL);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ sdom = sdap_domain_get_by_name(opts, NULL);
|
||||||
|
+ assert_null(sdom);
|
||||||
|
+
|
||||||
|
+ sdom = sdap_domain_get_by_name(opts, "abc");
|
||||||
|
+ assert_null(sdom);
|
||||||
|
+
|
||||||
|
+ sdom = sdap_domain_get_by_name(opts, "dom1");
|
||||||
|
+ assert_non_null(sdom);
|
||||||
|
+ assert_ptr_equal(sdom->dom, &dom1);
|
||||||
|
+
|
||||||
|
+ sdom = sdap_domain_get_by_name(opts, "dom2");
|
||||||
|
+ assert_non_null(sdom);
|
||||||
|
+ assert_ptr_equal(sdom->dom, &dom2);
|
||||||
|
+
|
||||||
|
+ sdom = sdap_domain_get_by_name(opts, "dom3");
|
||||||
|
+ assert_non_null(sdom);
|
||||||
|
+ assert_ptr_equal(sdom->dom, &dom3);
|
||||||
|
+
|
||||||
|
+ talloc_free(opts);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int main(void)
|
||||||
|
{
|
||||||
|
const struct CMUnitTest tests[] = {
|
||||||
|
@@ -183,7 +228,8 @@ int main(void)
|
||||||
|
cmocka_unit_test(test_search_bases_success),
|
||||||
|
cmocka_unit_test(test_get_by_dn_fail),
|
||||||
|
cmocka_unit_test(test_get_by_dn),
|
||||||
|
- cmocka_unit_test(test_get_by_dn2)
|
||||||
|
+ cmocka_unit_test(test_get_by_dn2),
|
||||||
|
+ cmocka_unit_test(test_sdap_domain_get_by_name)
|
||||||
|
};
|
||||||
|
|
||||||
|
return cmocka_run_group_tests(tests, NULL, NULL);
|
||||||
|
--
|
||||||
|
2.34.3
|
||||||
|
|
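--- /dev/null
+++ b/SOURCES/0008-ad-add-fallback-in-ad_domain_info_send.patch
@@ -0,0 +1,58 @@
+From 80ffa314c669feaaffe487d8ea5004c149d948c8 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 23 May 2022 09:05:43 +0200
+Subject: [PATCH] ad: add fallback in ad_domain_info_send()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 51e92297157562511baf8902777f02a4aa2e70e6 allowed
+ad_domain_info_send() to handle multiple domains by searching for the
+matching sdap_domain data. Unfortunately it assumed that the configured
+name and the DNS domain name are always matching. This is true for all
+sub-domains discovered at runtime by DNS lookups but might not be true
+for the domain configured in sssd.conf. Since the configured domain is
+the first in the list of sdap_domain data it will be used as a fallback
+in case no data could be found by name.
+
+Resolves: https://github.com/SSSD/sssd/issues/6170
+
+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 71b14474bec82a0c57065ad45915ebfeb9e3d03e)
+---
+src/providers/ad/ad_domain_info.c | 17 ++++++++++++++++-
+1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
+index f3a82a198..9583c74b9 100644
+--- a/src/providers/ad/ad_domain_info.c
++++ b/src/providers/ad/ad_domain_info.c
+@@ -217,8 +217,23 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx,
+state->opts = conn->id_ctx->opts;
+state->dom_name = dom_name;
+state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name);
++ /* The first domain in the list is the domain configured in sssd.conf and
++ * here it might be possible that the domain name from the config file and
++ * the DNS domain name do not match. All other sub-domains are discovered
++ * at runtime with the help of DNS lookups so it is expected that the
++ * names matches. Hence it makes sense to fall back to the first entry in
++ * the list if no matching domain was found since it is most probably
++ * related to the configured domain. */
++ if (state->sdom == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "No internal domain data found for [%s], "
++ "falling back to first domain.\n",
++ state->dom_name);
++ state->sdom = state->opts->sdom;
++ }
+if (state->sdom == NULL || state->sdom->search_bases == NULL) {
+- DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n");
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Missing internal domain data for domain [%s].\n",
++ state->dom_name);
+ret = EINVAL;
+goto immediate;
+}
+--
+2.34.3
+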
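Review bot: The fallback DEBUG at the `No internal domain data found for [%s]` line formats `state->dom_name` with `%s`, yet `sdap_domain_get_by_name()` (added by patch 0007 in this same import) returns NULL precisely when `dom_name` is NULL, so a NULL name now reaches that `%s` — undefined behaviour if DEBUG forwards to a printf-style formatter — and is then silently routed to the first domain instead of being reported. I would either reject a missing name before the lookup, `if (state->dom_name == NULL) { ret = EINVAL; goto immediate; }`, or print a placeholder in both DEBUG calls, `state->dom_name != NULL ? state->dom_name : "(null)"`. Separately, the fallback catches every unmatched name, not only the configured domain whose config name differs from its DNS name, so a mistyped or not-yet-discovered sub-domain is queried against the configured domain's search bases rather than failing; that is worth stating in the comment, e.g. `/* NOTE: unknown sub-domain names also land here and are searched with the configured domain's bases. */`. ad_domain_info_send() starts and ends outside this hunk.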
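--- /dev/null
+++ b/SOURCES/0009-pam_sss_gss-KRB5CCNAME-may-be-NULL.patch
@@ -0,0 +1,34 @@
+From 0eae7db9e06645ef88d0cf15672770776293edb5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Mon, 23 May 2022 11:05:01 +0200
+Subject: [PATCH] pam_sss_gss: KRB5CCNAME may be NULL
+
+Resolves: https://github.com/SSSD/sssd/issues/6180
+
+:fixes: A regression in pam_sss_gss module causing a failure if
+KRB5CCNAME environment variable was not set was fixed.
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 9aad30711a5928f0e8a3627305b6449291de507f)
+---
+src/sss_client/pam_sss_gss.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
+index 51047efc3..77a58e4cf 100644
+--- a/src/sss_client/pam_sss_gss.c
++++ b/src/sss_client/pam_sss_gss.c
+@@ -492,7 +492,8 @@ static errno_t sss_cli_getenv(const char *variable_name, char **_value)
+{
+char *value = getenv(variable_name);
+if (value == NULL) {
+- return ENOENT;
++ *_value = NULL;
++ return EOK;
+}
+
+*_value = strdup(value);
+--
+2.34.3
+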
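Review bot: The new `*_value = NULL; return EOK;` path changes the contract of sss_cli_getenv(): an unset variable is now indistinguishable from a successful lookup except by testing the out-pointer, so any caller that checks only the return code and then uses `*_value` (for instance handing it to a credential-cache resolver) would dereference NULL. The callers are outside this hunk, so I cannot confirm they all test for NULL; the patch description says only that the module failed when KRB5CCNAME was unset. I would document the contract at the definition, `/* Returns EOK with *_value == NULL when the variable is not set; otherwise the caller owns the strdup'd copy. */`, and audit every sss_cli_getenv() caller for a NULL check on the out-pointer. The body of sss_cli_getenv() continues past the hunk, so the strdup() failure handling is not visible here.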
@ -27,7 +27,7 @@
|
|||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 2.6.2
|
Version: 2.6.2
|
||||||
Release: 4%{?dist}
|
Release: 4%{?dist}.1
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
URL: https://github.com/SSSD/sssd/
|
URL: https://github.com/SSSD/sssd/
|
||||||
@ -40,6 +40,9 @@ Patch0003: 0003-ad-add-required-cn-attribute-to-subdomain-object.patch
|
|||||||
Patch0004: 0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
|
Patch0004: 0004-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
|
||||||
Patch0005: 0005-Revert-usertools-force-local-user-for-sssd-process-u.patch
|
Patch0005: 0005-Revert-usertools-force-local-user-for-sssd-process-u.patch
|
||||||
Patch0006: 0006-Revert-man-sssd.conf-and-sssd-ifp-clarify-user-optio.patch
|
Patch0006: 0006-Revert-man-sssd.conf-and-sssd-ifp-clarify-user-optio.patch
|
||||||
|
Patch0007: 0007-ad-use-right-sdap_domain-in-ad_domain_info_send.patch
|
||||||
|
Patch0008: 0008-ad-add-fallback-in-ad_domain_info_send.patch
|
||||||
|
Patch0009: 0009-pam_sss_gss-KRB5CCNAME-may-be-NULL.patch
|
||||||
|
|
||||||
### Dependencies ###
|
### Dependencies ###
|
||||||
|
|
||||||
@ -1040,6 +1043,10 @@ fi
|
|||||||
%systemd_postun_with_restart sssd.service
|
%systemd_postun_with_restart sssd.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jun 2 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-4.1
|
||||||
|
- Resolves: rhbz#2072959 - Use right sdap_domain in ad_domain_info_send [rhel-9.0.0.z]
|
||||||
|
- Resolves: rhbz#2089251 - pam_sss_gss ceased to work after upgrade to 8.6 [rhel-9.0.0.z]
|
||||||
|
|
||||||
* Mon Apr 25 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-4
|
* Mon Apr 25 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-4
|
||||||
- Resolves: rhbz#2075539 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop [rhel-9.0.0.z]
|
- Resolves: rhbz#2075539 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop [rhel-9.0.0.z]
|
||||||
|
|
||||||
|