diff --git a/.gitignore b/.gitignore
index ec20057..f225b9b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -79,3 +79,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.15.3.tar.gz
 /sssd-1.16.0.tar.gz
 /sssd-1.16.1.tar.gz
+/sssd-1.16.2.tar.gz
diff --git a/0001-IPA-Handle-empty-nisDomainName.patch b/0001-IPA-Handle-empty-nisDomainName.patch
deleted file mode 100644
index 5bdca99..0000000
--- a/0001-IPA-Handle-empty-nisDomainName.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From f9b7073e5cd057cf961b34f99ea1dff0c86b5b6a Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Fri, 17 Nov 2017 20:15:34 +0100
-Subject: [PATCH 01/15] IPA: Handle empty nisDomainName
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3573
-
-If nisdomain=, i.e. a blank NIS domain name, sssd was not processing the
-netgroup at all. This is not in agreement with man innetgr which says "Any of
-the elements in a triple can be empty, which means that anything matches. The
-functions described here allow access to the netgroup databases".
-
-This patch instead returns an empty domain as well, which eventually
-produces the same output as if the netgroup was requested from the
-compat tree.
-
-To reproduce the bug:
-$ ipa netgroup-add
-Netgroup name: emptydom
--------------------------
-Added netgroup "emptydom"
--------------------------
- Netgroup name: emptydom
- NIS domain name: ipa.test
- IPA unique ID: 164bc15a-f4b3-11e7-acdb-525400ca6df3
-$ ipa netgroup-add-member
-Netgroup name: emptydom
-[member user]: admin
-[member group]:
-[member host]:
-[member host group]:
-[member netgroup]:
- Netgroup name: emptydom
- NIS domain name: ipa.test
- Member User: admin
--------------------------
-Number of members added 1
--------------------------
-$ ipa netgroup-mod --nisdomain="" emptydom
-----------------------------
-Modified netgroup "emptydom"
-----------------------------
- Netgroup name: emptydom
- Member User: admin
-
-Then run:
- getent negroup emptydom
-without the patch, the netgroup won't be resolvable.
It will resolve to
-a netgroup triple that looks like this after the patch:
- emptydom (-,admin,)
-
-Reviewed-by: Fabiano Fidêncio
----
- src/providers/ipa/ipa_netgroups.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
-index 5c929a485..05ebac758 100644
---- a/src/providers/ipa/ipa_netgroups.c
-+++ b/src/providers/ipa/ipa_netgroups.c
-@@ -953,7 +953,9 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
-
- ret = sysdb_attrs_get_string(state->netgroups[i], SYSDB_NETGROUP_DOMAIN,
- &domain);
-- if (ret != EOK) {
-+ if (ret == ENOENT) {
-+ domain = NULL;
-+ } else if (ret != EOK) {
- goto done;
- }
-
-@@ -974,7 +976,7 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
- for (k = 0; k < hosts_count; k++) {
- triple = talloc_asprintf(state, "(%s,%s,%s)",
- hosts[k], uids[j],
-- domain);
-+ domain ? domain : "");
- if (triple == NULL) {
- ret = ENOMEM;
- goto done;
---
-2.14.3
-
diff --git a/0002-intg-enhance-netgroups-test.patch b/0002-intg-enhance-netgroups-test.patch
deleted file mode 100644
index 1a3bfb1..0000000
--- a/0002-intg-enhance-netgroups-test.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 3adc0a2fac5f7f1f30f6b1f75f098d4b50e7cf35 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Mon, 5 Mar 2018 12:29:58 +0100
-Subject: [PATCH 02/15] intg: enhance netgroups test
-
-Reviewed-by: Jakub Hrozek
----
- src/tests/intg/sssd_netgroup.py | 9 ++++++---
- src/tests/intg/test_netgroup.py | 26 ++++++++++++++++++++++++++
- 2 files changed, 32 insertions(+), 3 deletions(-)
-
-diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py
-index 3668d2e29..4c34ea61f 100644
---- a/src/tests/intg/sssd_netgroup.py
-+++ b/src/tests/intg/sssd_netgroup.py
-@@ -209,9 +209,12 @@ class NetgroupRetriever(object):
-
- if result_p[0].type == NetgroupType.TRIPLE_VAL:
- triple = result_p[0].val.triple
-- result.append((triple.host.decode('utf-8'),
-- triple.user.decode('utf-8'),
-- triple.domain.decode('utf-8')))
-+ result.append((triple.host and triple.host.decode('utf-8')
-+ or "",
-+ triple.user and triple.user.decode('utf-8')
-+ or "",
-+ triple.domain and triple.domain.decode('utf-8')
-+ or ""))
-
- res, errno, result_p = self._getnetgrent_r(result_p, buff,
- buff_len)
-diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
-index 3cf5dac2e..06a1cfafd 100644
---- a/src/tests/intg/test_netgroup.py
-+++ b/src/tests/intg/test_netgroup.py
-@@ -106,6 +106,8 @@ def format_basic_conf(ldap_conn, schema):
- services = nss
- disable_netlink = true
-
-+ [nss]
-+
- [domain/LDAP]
- {schema_conf}
- id_provider = ldap
-@@ -222,6 +224,14 @@ def add_tripled_netgroup(request, ldap_conn):
- ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)",
- "(host2,user2,domain2)"])
-
-+ ent_list.add_netgroup("tripled_netgroup_no_domain", ["(host,user,)"])
-+
-+ ent_list.add_netgroup("tripled_netgroup_no_user", ["(host,,domain)"])
-+
-+ ent_list.add_netgroup("tripled_netgroup_no_host", ["(,user,domain)"])
-+
-+ ent_list.add_netgroup("tripled_netgroup_none", ["(,,)"])
-+
- create_ldap_fixture(request, ldap_conn, ent_list)
-
conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
- create_conf_fixture(request, conf)
-@@ -243,6 +253,22 @@ def test_add_tripled_netgroup(add_tripled_netgroup):
- assert sorted(netgrps) == sorted([("host1", "user1", "domain1"),
- ("host2", "user2", "domain2")])
-
-+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_domain")
-+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
-+ assert netgrps == [("host", "user", "")]
-+
-+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_user")
-+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
-+ assert netgrps == [("host", "", "domain")]
-+
-+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_host")
-+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
-+ assert netgrps == [("", "user", "domain")]
-+
-+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_none")
-+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
-+ assert netgrps == [("", "", "")]
-+
-
- @pytest.fixture
- def add_mixed_netgroup(request, ldap_conn):
---
-2.14.3
-
diff --git a/0003-CONFDB-Start-a-ldb-transaction-from-sss_ldb_modify_p.patch b/0003-CONFDB-Start-a-ldb-transaction-from-sss_ldb_modify_p.patch
deleted file mode 100644
index e4c2517..0000000
--- a/0003-CONFDB-Start-a-ldb-transaction-from-sss_ldb_modify_p.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From d38421b5beb91de9213203bee87a3717952f52bc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Wed, 14 Mar 2018 22:55:21 +0100
-Subject: [PATCH 03/15] CONFDB: Start a ldb transaction from
- sss_ldb_modify_permissive()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The reason why confdb_expand_app_domains() always fails is because we
-try to do a ldb_request() without starting a ldb transaction.
-
-When we're dealing with ldb_modify(), ldb_add(), ldb_delete() kind of
-messages, those call ldb_autotransaction_request() which will start a
-new transaction and treat it properly when doing the ldb_request(). In
-our case that we're calling ldb_request() by our own, we must ensure
-that the transaction is started and properly deal with it._
-
-It's never been noticed because in the only place the function is used
-its errors are ignored.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3660
-
-Signed-off-by: Fabiano Fidêncio
-
-Reviewed-by: Jakub Hrozek
----
- src/db/sysdb_ops.c | 39 ++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 38 insertions(+), 1 deletion(-)
-
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index 15915101e..cc86a114e 100644
---- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -66,7 +66,9 @@ int sss_ldb_modify_permissive(struct ldb_context *ldb,
- struct ldb_message *msg)
- {
- struct ldb_request *req;
-- int ret = EOK;
-+ int ret;
-+ int cancel_ret;
-+ bool in_transaction = false;
-
- ret = ldb_build_mod_req(&req, ldb, ldb,
- msg,
-@@ -84,9 +86,44 @@ int sss_ldb_modify_permissive(struct ldb_context *ldb,
- return ret;
- }
-
-+ ret = ldb_transaction_start(ldb);
-+ if (ret != LDB_SUCCESS) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to start ldb transaction [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto done;
-+ }
-+
-+ in_transaction = true;
-+
- ret = ldb_request(ldb, req);
- if (ret == LDB_SUCCESS) {
- ret = ldb_wait(req->handle,
LDB_WAIT_ALL);
-+ if (ret != LDB_SUCCESS) {
-+ goto done;
-+ }
-+ }
-+
-+ ret = ldb_transaction_commit(ldb);
-+ if (ret != LDB_SUCCESS) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to commit ldb transaction [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto done;
-+ }
-+
-+ in_transaction = false;
-+
-+ ret = LDB_SUCCESS;
-+
-+done:
-+ if (in_transaction) {
-+ cancel_ret = ldb_transaction_cancel(ldb);
-+ if (cancel_ret != LDB_SUCCESS) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to cancel ldb transaction [%d]: %s\n",
-+ cancel_ret, sss_strerror(cancel_ret));
-+ }
- }
-
- talloc_free(req);
---
-2.14.3
-
diff --git a/0004-TOOLS-Take-into-consideration-app-domains.patch b/0004-TOOLS-Take-into-consideration-app-domains.patch
deleted file mode 100644
index 9ba25e3..0000000
--- a/0004-TOOLS-Take-into-consideration-app-domains.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 692780f793f96815aaee0007515838fce30b6097 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Wed, 14 Mar 2018 23:01:39 +0100
-Subject: [PATCH 04/15] TOOLS: Take into consideration app domains
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In order to properly show an app domain when listing domains using
-sssctl domain-list we have to expand the confdb, as already done in the
-monitor code.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3658
-
-Signed-off-by: Fabiano Fidêncio
-
-Reviewed-by: Jakub Hrozek
----
- src/tools/common/sss_tools.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
-index e491a1286..4832db5a0 100644
---- a/src/tools/common/sss_tools.c
-+++ b/src/tools/common/sss_tools.c
-@@ -117,6 +117,14 @@ static errno_t sss_tool_domains_init(TALLOC_CTX *mem_ctx,
- struct sss_domain_info *dom;
- errno_t ret;
-
-+ ret = confdb_expand_app_domains(confdb);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Unable to expand application domains [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ return ret;
-+ }
-+
- ret = confdb_get_domains(confdb, &domains);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup domains [%d]: %s\n",
---
-2.14.3
-
diff --git a/0005-TESTS-Move-get_call_output-to-util.py.patch b/0005-TESTS-Move-get_call_output-to-util.py.patch
deleted file mode 100644
index 4a10fd6..0000000
--- a/0005-TESTS-Move-get_call_output-to-util.py.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From be7e7de999f93f57bfccdeeabcb8682d1e92023a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Fri, 16 Mar 2018 19:00:52 +0100
-Subject: [PATCH 05/15] TESTS: Move get_call_output() to util.py
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This function will be reused outside of test_sssctl.py.
-
-Related:
-https://pagure.io/SSSD/sssd/issue/3658
-
-Signed-off-by: Fabiano Fidêncio
-
-Reviewed-by: Jakub Hrozek
----
- src/tests/intg/test_sssctl.py | 9 +--------
- src/tests/intg/util.py | 7 +++++++
- 2 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/src/tests/intg/test_sssctl.py b/src/tests/intg/test_sssctl.py
-index 0df5d0bc1..e8861dd86 100644
---- a/src/tests/intg/test_sssctl.py
-+++ b/src/tests/intg/test_sssctl.py
-@@ -28,7 +28,7 @@ import signal
- import ds_openldap
- import ldap_ent
- import config
--from util import unindent
-+from util import unindent, get_call_output
- import sssd_netgroup
-
- LDAP_BASE_DN = "dc=example,dc=com"
-@@ -203,13 +203,6 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn):
- return None
-
-
--def get_call_output(cmd):
-- process = subprocess.Popen(cmd, stdout=subprocess.PIPE,
-- stderr=subprocess.PIPE)
-- output, ret = process.communicate()
-- return output.decode('utf-8')
--
--
- def test_user_show_basic_sanity(ldap_conn, sanity_rfc2307, portable_LC_ALL):
- # Fill the cache first
- ent.assert_passwd_by_name(
-diff --git a/src/tests/intg/util.py b/src/tests/intg/util.py
-index 2b40311bd..a1c439648 100644
---- a/src/tests/intg/util.py
-+++ b/src/tests/intg/util.py
-@@ -78,3 +78,10 @@ def restore_envvar_file(name):
- path = os.environ[name]
- backup_path = path + ".bak"
- os.rename(backup_path, path)
-+
-+
-+def get_call_output(cmd):
-+ process = subprocess.Popen(cmd, stdout=subprocess.PIPE,
-+ stderr=subprocess.PIPE)
-+ output, ret = process.communicate()
-+ return output.decode('utf-8')
---
-2.14.3
-
diff --git a/0006-TESTS-Make-get_call_output-more-flexible-about-the-s.patch b/0006-TESTS-Make-get_call_output-more-flexible-about-the-s.patch
deleted file mode 100644
index 9450f9b..0000000
--- a/0006-TESTS-Make-get_call_output-more-flexible-about-the-s.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From e8c0527bf782de166722706db119ccb01258e78b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Fri, 16 Mar 2018 19:23:58 +0100
-Subject: [PATCH 06/15] TESTS: Make get_call_output() more flexible about the
- stderr log
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Future tests that will be added will need the stderr redirected to the
-STDOUT.
-
-Related:
-https://pagure.io/SSSD/sssd/issue/3658
-
-Signed-off-by: Fabiano Fidêncio
-
-Reviewed-by: Jakub Hrozek
----
- src/tests/intg/util.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/tests/intg/util.py b/src/tests/intg/util.py
-index a1c439648..bfebbfb35 100644
---- a/src/tests/intg/util.py
-+++ b/src/tests/intg/util.py
-@@ -80,8 +80,8 @@ def restore_envvar_file(name):
- os.rename(backup_path, path)
-
-
--def get_call_output(cmd):
-+def get_call_output(cmd, stderr_output=subprocess.PIPE):
- process = subprocess.Popen(cmd, stdout=subprocess.PIPE,
-- stderr=subprocess.PIPE)
-+ stderr=stderr_output)
- output, ret = process.communicate()
- return output.decode('utf-8')
---
-2.14.3
-
diff --git a/0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch b/0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch
deleted file mode 100644
index 3c54b6f..0000000
--- a/0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 15ab42ad5349485c9156234f5a6d1c6635c36de3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Thu, 15 Mar 2018 16:28:41 +0100
-Subject: [PATCH 07/15] TESTS: Add a basic test of `sssctl domain-list`
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Let's just add a test for `sssctl domain-list` in order to avoid
-regressing https://pagure.io/SSSD/sssd/issue/3658.
-
-The test has been added as part of test_infopipe.py in order to take
-advantage of the machinery already provided there.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3658
-
-Signed-off-by: Fabiano Fidêncio
-
-Reviewed-by: Jakub Hrozek
----
- src/tests/intg/test_infopipe.py | 17 +++++++++++++++--
- 1 file changed, 15 insertions(+), 2 deletions(-)
-
-diff --git a/src/tests/intg/test_infopipe.py b/src/tests/intg/test_infopipe.py
-index 3a7961403..b851bbd91 100644
---- a/src/tests/intg/test_infopipe.py
-+++ b/src/tests/intg/test_infopipe.py
-@@ -34,7 +34,7 @@ import dbus
- import config
- import ds_openldap
- import ldap_ent
--from util import unindent
-+from util import unindent, get_call_output
-
- LDAP_BASE_DN = "dc=example,dc=com"
- INTERACTIVE_TIMEOUT = 4
-@@ -194,7 +194,7 @@ def format_basic_conf(ldap_conn, schema):
- return unindent("""\
- [sssd]
- debug_level = 0xffff
-- domains = LDAP
-+ domains = LDAP, app
- services = nss, ifp
- enable_files_domain = false
-
-@@ -212,6 +212,9 @@ def format_basic_conf(ldap_conn, schema):
- id_provider = ldap
- ldap_uri = {ldap_conn.ds_inst.ldap_url}
- ldap_search_base = {ldap_conn.ds_inst.base_dn}
-+
-+ [application/app]
-+ inherit_from = LDAP
- """).format(**locals())
-
-
-@@ -532,3 +535,13 @@ def test_get_user_groups(dbus_system_bus, ldap_conn, sanity_rfc2307):
-
- assert len(res) == 2
- assert sorted(res) == ['single_user_group', 'two_user_group']
-+
-+
-+def test_sssctl_domain_list_app_domain(dbus_system_bus,
-+ ldap_conn,
-+ sanity_rfc2307):
-+ output =
get_call_output(["sssctl", "domain-list"], subprocess.STDOUT)
-+
-+ assert "Error" not in output
-+ assert output.find("LDAP") != -1
-+ assert output.find("app") != -1
---
-2.14.3
-
diff --git a/0008-KCM-Use-json_loadb-when-dealing-with-sss_iobuf-data.patch b/0008-KCM-Use-json_loadb-when-dealing-with-sss_iobuf-data.patch
deleted file mode 100644
index 91ba3e7..0000000
--- a/0008-KCM-Use-json_loadb-when-dealing-with-sss_iobuf-data.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 8a89fce38a2ad76eb4eebd74a0821c80154ac892 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Wed, 21 Mar 2018 16:38:22 +0100
-Subject: [PATCH 08/15] KCM: Use json_loadb() when dealing with sss_iobuf data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As sss_iobuf data is *non* NULL terminated, we have to use json_loadb()
-passing the data's length instead of just using json_loads().
-
-Due to this issue, when running sssd-kcm under valgrind and performing a
-`kinit foo` a bunch of erros like the following one could be seen:
-==2638== Conditional jump or move depends on uninitialised value(s)
-==2638== at 0x57DB678: stream_get.part.3 (load.c:172)
-==2638== by 0x57DB9CA: stream_get (load.c:643)
-==2638== by 0x57DB9CA: lex_get (load.c:246)
-==2638== by 0x57DB9CA: lex_scan (load.c:601)
-==2638== by 0x57DC56A: parse_json.constprop.7 (load.c:904)
-==2638== by 0x57DC6AB: json_loads (load.c:959)
-==2638== by 0x11ABEA: ??? (in /usr/libexec/sssd/sssd_kcm)
-==2638== by 0x11AEF0: ??? (in /usr/libexec/sssd/sssd_kcm)
-==2638== by 0x125D4A: ??? (in /usr/libexec/sssd/sssd_kcm)
-==2638== by 0x12623B: ???
(in /usr/libexec/sssd/sssd_kcm)
-==2638== by 0x9BCD71F: epoll_event_loop (tevent_epoll.c:728)
-==2638== by 0x9BCD71F: epoll_event_loop_once (tevent_epoll.c:930)
-==2638== by 0x9BCBBA6: std_event_loop_once (tevent_standard.c:114)
-==2638== by 0x9BC7FEC: _tevent_loop_once (tevent.c:725)
-==2638== by 0x9BC820A: tevent_common_loop_wait (tevent.c:848)
-
-Related to:
-https://pagure.io/SSSD/sssd/issue/3687
-
-Signed-off-by: Fabiano Fidêncio
-
-Reviewed-by: Jakub Hrozek
----
- src/responder/kcm/kcmsrv_ccache_secrets.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
-index 8be7daea5..04dad9596 100644
---- a/src/responder/kcm/kcmsrv_ccache_secrets.c
-+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
-@@ -231,6 +231,7 @@ static errno_t sec_list_parse(struct sss_iobuf *outbuf,
- {
- json_t *root;
- uint8_t *sec_http_list;
-+ size_t sec_http_list_len;
- json_error_t error;
- json_t *element;
- errno_t ret;
-@@ -244,8 +245,10 @@ static errno_t sec_list_parse(struct sss_iobuf *outbuf,
- DEBUG(SSSDBG_CRIT_FAILURE, "No data in output buffer?\n");
- return EINVAL;
- }
-+ sec_http_list_len = sss_iobuf_get_len(outbuf);
-
-- root = json_loads((const char *) sec_http_list, 0, &error);
-+ root = json_loadb((const char *) sec_http_list,
-+ sec_http_list_len, 0, &error);
- if (root == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to parse JSON payload on line %d: %s\n",
---
-2.14.3
-
diff --git a/0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch b/0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch
deleted file mode 100644
index fab80a1..0000000
--- a/0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 48cff40315cfbfcfae3582935efda961757ceec6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Tue, 13 Mar 2018 21:11:16 +0100
-Subject: [PATCH 09/15] KCM: Remove mem_ctx from kcm_new_req()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Let's remove the mem_ctx argument as we really want cctx to be the
-memory context here, so that if the client disconnects the request goes
-away.
-
-Signed-off-by: Fabiano Fidêncio
-
-Reviewed-by: Jakub Hrozek
----
- src/responder/kcm/kcmsrv_cmd.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
-index 0b933f0b4..d4ebb79bf 100644
---- a/src/responder/kcm/kcmsrv_cmd.c
-+++ b/src/responder/kcm/kcmsrv_cmd.c
-@@ -423,8 +423,10 @@ static errno_t kcm_recv_data(int fd, struct kcm_reqbuf *reqbuf)
- return EOK;
- }
-
--static struct kcm_req_ctx *kcm_new_req(TALLOC_CTX *mem_ctx,
-- struct cli_ctx *cctx,
-+/* Mind that kcm_new_req() does not take a mem_ctx argument on purpose as we
-+ * really want the cctx to be the memory context here so that if the client
-+ * disconnects, the request goes away. */
-+static struct kcm_req_ctx *kcm_new_req(struct cli_ctx *cctx,
- struct kcm_ctx *kctx)
- {
- struct kcm_req_ctx *req;
-@@ -467,8 +469,8 @@ static void kcm_recv(struct cli_ctx *cctx)
- kctx = talloc_get_type(cctx->rctx->pvt_ctx, struct kcm_ctx);
- req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx);
- if (req == NULL) {
-- /* A new request comes in, setup data structures */
-- req = kcm_new_req(cctx, cctx, kctx);
-+ /* A new request comes in, setup data structures. */
-+ req = kcm_new_req(cctx, kctx);
- if (req == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot set up client connection\n");
---
-2.14.3
-
diff --git a/0010-KCM-Introduce-kcm_input_get_payload_len.patch b/0010-KCM-Introduce-kcm_input_get_payload_len.patch
deleted file mode 100644
index e0ea83e..0000000
--- a/0010-KCM-Introduce-kcm_input_get_payload_len.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 7fa69ab8152392b11490950ff8aeeef7e0ad14de Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Tue, 13 Mar 2018 23:13:35 +0100
-Subject: [PATCH 10/15] KCM: Introduce kcm_input_get_payload_len()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As this piece of code will be useful for us in the future patches of
-this series, let's move it to a new function.
-
-Signed-off-by: Fabiano Fidêncio
-
-Reviewed-by: Jakub Hrozek
----
- src/responder/kcm/kcmsrv_cmd.c | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
-index d4ebb79bf..3ecba9df2 100644
---- a/src/responder/kcm/kcmsrv_cmd.c
-+++ b/src/responder/kcm/kcmsrv_cmd.c
-@@ -129,23 +129,27 @@ struct kcm_reqbuf {
- struct kcm_iovec v_msg;
- };
-
-+static uint32_t kcm_input_get_payload_len(struct kcm_iovec *v)
-+{
-+ size_t lc = 0;
-+ uint32_t len_be = 0;
-+
-+ /* The first 4 bytes before the payload is message length */
-+ SAFEALIGN_COPY_UINT32_CHECK(&len_be, v->kiov_base, v->kiov_len, &lc);
-+
-+ return be32toh(len_be);
-+}
-+
- static errno_t kcm_input_parse(struct kcm_reqbuf *reqbuf,
- struct kcm_op_io *op_io)
- {
-- size_t lc = 0;
- size_t mc = 0;
- uint16_t opcode_be = 0;
-- uint32_t len_be = 0;
- uint32_t msglen;
- uint8_t proto_maj = 0;
- uint8_t proto_min = 0;
-
-- /* The first 4 bytes before the payload is message length */
-- SAFEALIGN_COPY_UINT32_CHECK(&len_be,
-- reqbuf->v_len.kiov_base,
-- reqbuf->v_len.kiov_len,
-- &lc);
-- msglen = be32toh(len_be);
-+ msglen = kcm_input_get_payload_len(&reqbuf->v_len);
- DEBUG(SSSDBG_TRACE_LIBS,
- "Received message with length %"PRIu32"\n", msglen);
-
---
-2.14.3
-
diff --git a/0011-KCM-Do-not-use-2048-as-fixed-size-for-the-payload.patch b/0011-KCM-Do-not-use-2048-as-fixed-size-for-the-payload.patch
deleted file mode 100644
index 964bddb..0000000
--- a/0011-KCM-Do-not-use-2048-as-fixed-size-for-the-payload.patch
+++ /dev/null
@@ -1,243 +0,0 @@
-From 9f078d2e9ec7e1803b6c7e2f8a51e0e185723e76 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Wed, 14 Mar 2018 00:57:39 +0100
-Subject: [PATCH 11/15] KCM: Do not use 2048 as fixed size for the payload
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The KCM code has the limit set as 2048 only inside #ifdef __APPLE__,
-while it should be normally set as 10 * 1024 * 1024, as seen in:
-https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
-
-Last but not least, doesn't make much sense to use a fixed value as the
-first 4 bytes received are the payload size ... so let's just allocate
-the needed size instead of having a fixed value.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3671
-
-Signed-off-by: Fabiano Fidêncio
-
-Reviewed-by: Jakub Hrozek
----
- src/responder/kcm/kcmsrv_cmd.c | 103 +++++++++++++++++++++++++----------------
- 1 file changed, 62 insertions(+), 41 deletions(-)
-
-diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
-index 3ecba9df2..728979da9 100644
---- a/src/responder/kcm/kcmsrv_cmd.c
-+++ b/src/responder/kcm/kcmsrv_cmd.c
-@@ -38,7 +38,7 @@
- /* The maximum length of a request or reply as defined by the RPC
- * protocol.
This is the same constant size as MIT KRB5 uses
- */
--#define KCM_PACKET_MAX_SIZE 2048
-+#define KCM_PACKET_MAX_SIZE 10*1024*1024
-
- /* KCM operation, its raw input and raw output and result */
- struct kcm_op_io {
-@@ -125,7 +125,6 @@ struct kcm_reqbuf {
- struct kcm_iovec v_len;
-
- /* Includes the major, minor versions etc */
-- uint8_t msgbuf[KCM_PACKET_MAX_SIZE];
- struct kcm_iovec v_msg;
- };
-
-@@ -238,7 +237,6 @@ struct kcm_repbuf {
- uint8_t rcbuf[KCM_RETCODE_SIZE];
- struct kcm_iovec v_rc;
-
-- uint8_t msgbuf[KCM_PACKET_MAX_SIZE];
- struct kcm_iovec v_msg;
- };
-
-@@ -259,11 +257,13 @@ static errno_t kcm_failbuf_construct(errno_t ret,
- /* retcode is 0 if the operation at least ran, non-zero if there
- * was some kind of internal KCM error, like input couldn't be parsed
- */
--static errno_t kcm_output_construct(struct kcm_op_io *op_io,
-+static errno_t kcm_output_construct(TALLOC_CTX *mem_ctx,
-+ struct kcm_op_io *op_io,
- struct kcm_repbuf *repbuf)
- {
-- size_t c;
-+ uint8_t *rep;
- size_t replen;
-+ size_t c;
-
- replen = sss_iobuf_get_len(op_io->reply);
- if (replen > KCM_PACKET_MAX_SIZE) {
-@@ -281,14 +281,22 @@ static errno_t kcm_output_construct(struct kcm_op_io *op_io,
- SAFEALIGN_SETMEM_UINT32(repbuf->rcbuf, 0, &c);
-
- if (replen > 0) {
-+ rep = talloc_zero_array(mem_ctx, uint8_t, replen);
-+ if (rep == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to allocate memory for the message\n");
-+ return ENOMEM;
-+ }
-+
- c = 0;
-- SAFEALIGN_MEMCPY_CHECK(repbuf->msgbuf,
-+ SAFEALIGN_MEMCPY_CHECK(rep,
- sss_iobuf_get_data(op_io->reply),
- replen,
-- repbuf->v_msg.kiov_len,
-+ replen,
- &c);
-
-- /* Length of the buffer to send to KCM client */
-+ /* Set the buffer and its length to send to KCM client */
-+ repbuf->v_msg.kiov_base = rep;
- repbuf->v_msg.kiov_len = replen;
- }
-
-@@ -321,24 +329,6 @@ static void kcm_reply_error(struct cli_ctx *cctx,
- TEVENT_FD_WRITEABLE(cctx->cfde);
- }
-
--static void kcm_send_reply(struct cli_ctx *cctx,
-- struct
kcm_op_io *op_io,
-- struct kcm_repbuf *repbuf)
--{
-- errno_t ret;
--
-- DEBUG(SSSDBG_TRACE_INTERNAL, "Sending a reply\n");
-- ret = kcm_output_construct(op_io, repbuf);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Cannot construct the reply buffer, terminating client\n");
-- kcm_reply_error(cctx, ret, repbuf);
-- return;
-- }
--
-- TEVENT_FD_WRITEABLE(cctx->cfde);
--}
--
- /**
- * Request-reply dispatcher
- */
-@@ -356,6 +346,26 @@ struct kcm_req_ctx {
- struct kcm_op_io op_io;
- };
-
-+static void kcm_send_reply(struct kcm_req_ctx *req_ctx)
-+{
-+ struct cli_ctx *cctx;
-+ errno_t ret;
-+
-+ DEBUG(SSSDBG_TRACE_INTERNAL, "Sending a reply\n");
-+
-+ cctx = req_ctx->cctx;
-+
-+ ret = kcm_output_construct(cctx, &req_ctx->op_io, &req_ctx->repbuf);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Cannot construct the reply buffer, terminating client\n");
-+ kcm_reply_error(cctx, ret, &req_ctx->repbuf);
-+ return;
-+ }
-+
-+ TEVENT_FD_WRITEABLE(cctx->cfde);
-+}
-+
- static void kcm_cmd_request_done(struct tevent_req *req);
-
- static errno_t kcm_cmd_dispatch(struct kcm_ctx *kctx,
-@@ -385,11 +395,9 @@ static errno_t kcm_cmd_dispatch(struct kcm_ctx *kctx,
- static void kcm_cmd_request_done(struct tevent_req *req)
- {
- struct kcm_req_ctx *req_ctx;
-- struct cli_ctx *cctx;
- errno_t ret;
-
- req_ctx = tevent_req_callback_data(req, struct kcm_req_ctx);
-- cctx = req_ctx->cctx;
-
- ret = kcm_cmd_recv(req_ctx, req,
- &req_ctx->op_io.reply);
-@@ -397,15 +405,19 @@ static void kcm_cmd_request_done(struct tevent_req *req)
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "KCM operation failed [%d]: %s\n", ret, sss_strerror(ret));
-- kcm_reply_error(cctx, ret, &req_ctx->repbuf);
-+ kcm_reply_error(req_ctx->cctx, ret, &req_ctx->repbuf);
- return;
- }
-
-- kcm_send_reply(cctx, &req_ctx->op_io, &req_ctx->repbuf);
-+ kcm_send_reply(req_ctx);
- }
-
--static errno_t kcm_recv_data(int fd, struct kcm_reqbuf *reqbuf)
-+static errno_t kcm_recv_data(TALLOC_CTX *mem_ctx,
-+
int fd, -+ struct kcm_reqbuf *reqbuf) - { -+ uint8_t *msg; -+ uint32_t msglen; - errno_t ret; - - ret = kcm_read_iovec(fd, &reqbuf->v_len); -@@ -416,6 +428,24 @@ static errno_t kcm_recv_data(int fd, struct kcm_reqbuf *reqbuf) - return ret; - } - -+ msglen = kcm_input_get_payload_len(&reqbuf->v_len); -+ if (msglen > KCM_PACKET_MAX_SIZE) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Request exceeds the KCM protocol limit, aborting\n"); -+ return E2BIG; -+ } -+ -+ msg = talloc_zero_array(mem_ctx, uint8_t, msglen); -+ if (msg == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to allocate memory for the message\n"); -+ return ENOMEM; -+ } -+ -+ /* Set the buffer and its expected len to receive the data */ -+ reqbuf->v_msg.kiov_base = msg; -+ reqbuf->v_msg.kiov_len = msglen; -+ - ret = kcm_read_iovec(fd, &reqbuf->v_msg); - if (ret != EOK) { - /* Not all errors are fatal, hence we don't print DEBUG messages -@@ -443,21 +473,12 @@ static struct kcm_req_ctx *kcm_new_req(struct cli_ctx *cctx, - req->reqbuf.v_len.kiov_base = req->reqbuf.lenbuf; - req->reqbuf.v_len.kiov_len = KCM_MSG_LEN_SIZE; - -- req->reqbuf.v_msg.kiov_base = req->reqbuf.msgbuf; -- req->reqbuf.v_msg.kiov_len = KCM_PACKET_MAX_SIZE; -- - req->repbuf.v_len.kiov_base = req->repbuf.lenbuf; - req->repbuf.v_len.kiov_len = KCM_MSG_LEN_SIZE; - - req->repbuf.v_rc.kiov_base = req->repbuf.rcbuf; - req->repbuf.v_rc.kiov_len = KCM_RETCODE_SIZE; - -- req->repbuf.v_msg.kiov_base = req->repbuf.msgbuf; -- /* Length of the msg iobuf will be adjusted later, so far use the full -- * length so that constructing the reply can use that capacity -- */ -- req->repbuf.v_msg.kiov_len = KCM_PACKET_MAX_SIZE; -- - req->cctx = cctx; - req->kctx = kctx; - -@@ -485,7 +506,7 @@ static void kcm_recv(struct cli_ctx *cctx) - cctx->state_ctx = req; - } - -- ret = kcm_recv_data(cctx->cfd, &req->reqbuf); -+ ret = kcm_recv_data(req, cctx->cfd, &req->reqbuf); - switch (ret) { - case ENODATA: - DEBUG(SSSDBG_TRACE_ALL, "Client closed connection.\n"); --- 
-2.14.3
-
diff --git a/0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch b/0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch
deleted file mode 100644
index 7df0643..0000000
--- a/0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From d910ef0667a902b4ac0551f3e8d11121bb02214c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Wed, 14 Mar 2018 09:21:45 +0100
-Subject: [PATCH 12/15] KCM: Adjust REPLY_MAX to the one used in krb5
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-krb5 has its MAX_REPLY_SIZE set as 10*1024*1024, as seen in:
-https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
-
-Related:
-https://pagure.io/SSSD/sssd/issue/3386
-
-Signed-off-by: Fabiano Fidêncio
-
-Reviewed-by: Jakub Hrozek
----
- src/responder/kcm/kcmsrv_ops.c | 5 ++++-
- src/util/tev_curl.c | 3 ++-
- 2 files changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
-index 7a78e9d6b..1e229adc4 100644
---- a/src/responder/kcm/kcmsrv_ops.c
-+++ b/src/responder/kcm/kcmsrv_ops.c
-@@ -31,7 +31,10 @@
- #include "responder/kcm/kcmsrv_ops.h"
- #include "responder/kcm/kcmsrv_ccache.h"
-
--#define KCM_REPLY_MAX 16384
-+/* This limit comes from:
-+ * https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
-+ */
-+#define KCM_REPLY_MAX 10*1024*1024
-
- struct kcm_op_ctx {
- struct kcm_resp_ctx *kcm_data;
-diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
-index 4c2f1ec9f..f8bede6c5 100644
---- a/src/util/tev_curl.c
-+++ b/src/util/tev_curl.c
-@@ -35,7 +35,8 @@
- #include "util/tev_curl.h"
-
- #define TCURL_IOBUF_CHUNK 1024
--#define TCURL_IOBUF_MAX 16384
-+/* This limit in the same one as KCM_REPLY_MAX */
-+#define TCURL_IOBUF_MAX 10*1024*1024
-
- static bool global_is_curl_initialized;
-
---
-2.14.3
-
diff --git a/0013-intg-convert-results-returned-as-bytes-to-strings.patch b/0013-intg-convert-results-returned-as-bytes-to-strings.patch
deleted file mode 100644
index 0174103..0000000
--- a/0013-intg-convert-results-returned-as-bytes-to-strings.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 414ce6438a5450e5f1c1b03994f59d37f0ff8a36 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik
-Date: Fri, 16 Mar 2018 13:43:17 +0100
-Subject: [PATCH 13/15] intg: convert results returned as bytes to strings
-
-With python3 comparisons between byte literals and strings will fail. To
-make sure assertions will pass the search results must be converted to
-(utf-8) strings first.
-
-Resolves https://pagure.io/SSSD/sssd/issue/3666
-
-Reviewed-by: Sumit Bose
-Reviewed-by: Jakub Hrozek
----
- src/tests/intg/test_ts_cache.py | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/src/tests/intg/test_ts_cache.py b/src/tests/intg/test_ts_cache.py
-index 703e3b255..c3819e21a 100644
---- a/src/tests/intg/test_ts_cache.py
-+++ b/src/tests/intg/test_ts_cache.py
-@@ -212,12 +212,17 @@ def get_attrs(ldb_conn, type, name, domain, attr_list):
- ts_attrs = dict()
-
- for attr in attr_list:
-- sysdb_attrs[attr] = ldb_conn.get_entry_attr(
-- sssd_ldb.CacheType.sysdb,
-- type, name, domain, attr)
-- ts_attrs[attr] = ldb_conn.get_entry_attr(
-- sssd_ldb.CacheType.timestamps,
-- type, name, domain, attr)
-+ val = ldb_conn.get_entry_attr(sssd_ldb.CacheType.sysdb,
-+ type, name, domain, attr)
-+ if val:
-+ val = val.decode('utf-8')
-+ sysdb_attrs[attr] = val
-+
-+ val = ldb_conn.get_entry_attr(sssd_ldb.CacheType.timestamps,
-+ type, name, domain, attr)
-+ if val:
-+ val = val.decode('utf-8')
-+ ts_attrs[attr] = val
- return (sysdb_attrs, ts_attrs)
-
-
---
-2.14.3
-
diff --git a/0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch b/0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch
deleted file mode 100644
index 5edf89d..0000000
--- a/0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 1c03afc703fb6e398915e2b2b200b7db19b4e6b8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Mon, 26 Mar 2018 15:40:15 +0200
-Subject: [PATCH 14/15] KCM: Fix typo in ccdb_sec_delete_list_done()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When deleting the ccache we want to check if sec_key_list_len is equal 0
-and not if sec_key_list is 0.
-
-Signed-off-by: Fabiano Fidêncio
-
-Reviewed-by: Jakub Hrozek
----
- src/responder/kcm/kcmsrv_ccache_secrets.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
-index 04dad9596..8a7a577d8 100644
---- a/src/responder/kcm/kcmsrv_ccache_secrets.c
-+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
-@@ -2007,7 +2007,7 @@ static void ccdb_sec_delete_list_done(struct tevent_req *subreq)
- return;
- }
-
-- if (sec_key_list == 0) {
-+ if (state->sec_key_list_len == 0) {
- DEBUG(SSSDBG_MINOR_FAILURE, "No ccaches to delete\n");
- tevent_req_done(req);
- return;
---
-2.14.3
-
diff --git a/0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch b/0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch
deleted file mode 100644
index 2a85141..0000000
--- a/0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 94897e5c82967528dae2a79e42cd1eb3c3be68f3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Tue, 27 Mar 2018 15:02:09 +0200
-Subject: [PATCH 15/15] KCM: Only print the number of found items after we have
- it
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-With the current code we've been always printing "Found 0 items" as
-state->sec_key_list_len is only set by sec_list_parse().
-
-In order to solve this, let's just print it *after* we have
-state->sec_key_list_len set.
-
-Signed-off-by: Fabiano Fidêncio
-
-Reviewed-by: Jakub Hrozek
----
- src/responder/kcm/kcmsrv_ccache_secrets.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
-index 8a7a577d8..f2b46460e 100644
---- a/src/responder/kcm/kcmsrv_ccache_secrets.c
-+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
-@@ -207,7 +207,6 @@ static void sec_list_done(struct tevent_req *subreq)
- return;
- }
- } else if (http_code == 200) {
-- DEBUG(SSSDBG_TRACE_INTERNAL, "Found %zu items\n", state->sec_key_list_len);
- ret = sec_list_parse(outbuf, state,
- &state->sec_key_list,
- &state->sec_key_list_len);
-@@ -215,6 +214,7 @@ static void sec_list_done(struct tevent_req *subreq)
- tevent_req_error(req, ret);
- return;
- }
-+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found %zu items\n", state->sec_key_list_len);
- } else {
- tevent_req_error(req, http2errno(http_code));
- return;
---
-2.14.3
-
diff --git a/0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch b/0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
deleted file mode 100644
index 7fef666..0000000
--- a/0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From 68b14b6f94cf23fe2f66ee592e2e1fa5abfe3b9c Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Fri, 23 Mar 2018 13:40:34 +0100
-Subject: [PATCH] SYSDB: When marking an entry as expired, also set the
- originalModifyTimestamp to 1
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3684
-
-If the cleanup task removes a user who was a fully resolved member (not a
-ghost), but then the group the user was a member of is requested, unless
-the group had changed, the user doesn't appear as a member of the group
-again. This is because the modify timestamp would prevent the group from
-updating and therefore the ghost attribute is not readded.
-
-To mitigate this, let's also set the originalModifyTimestamp attribute
-to 1, so that we never take the optimized path while updating the group.
-
-Reviewed-by: Fabiano Fidêncio
-(cherry picked from commit 250751bf8b0532d6175e762b7f2f008cc1c39a78)
----
- src/db/sysdb_ops.c | 13 +++++++++++
- src/tests/intg/test_ldap.py | 54 +++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 67 insertions(+)
-
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index cc86a114e..09aa04a29 100644
---- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -5410,6 +5410,19 @@ errno_t sysdb_mark_entry_as_expired_ldb_dn(struct sss_domain_info *dom,
- goto done;
- }
-
-+ ret = ldb_msg_add_empty(msg, SYSDB_ORIG_MODSTAMP,
-+ LDB_FLAG_MOD_REPLACE, NULL);
-+ if (ret != LDB_SUCCESS) {
-+ ret = sysdb_error_to_errno(ret);
-+ goto done;
-+ }
-+
-+ ret = ldb_msg_add_string(msg, SYSDB_ORIG_MODSTAMP, "1");
-+ if (ret != LDB_SUCCESS) {
-+ ret = sysdb_error_to_errno(ret);
-+ goto done;
-+ }
-+
- ret = ldb_modify(dom->sysdb->ldb, msg);
- if (ret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(ret);
-diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
-index a6659b1b7..db3253858 100644
---- a/src/tests/intg/test_ldap.py
-+++ b/src/tests/intg/test_ldap.py
-@@ -434,6 +434,60 @@ def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task):
- dict(mem=ent.contains_only("user1")))
-
-
-+@pytest.fixture
-+def update_ts_after_cleanup_task(request, ldap_conn):
-+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
-+ ent_list.add_user("user1", 1001, 2001)
-+ ent_list.add_user("user2", 1002, 2001)
-+
-+ ent_list.add_group_bis("group1", 2001, ["user1", "user2"])
-+
-+ create_ldap_fixture(request, ldap_conn, ent_list)
-+
-+ conf = \
-+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
-+ unindent("""
-+ [domain/LDAP]
-+ ldap_purge_cache_timeout = 3
-+ """).format(**locals())
-+ create_conf_fixture(request, conf)
-+ create_sssd_fixture(request)
-+ return None
-+
-+
-+def test_update_ts_cache_after_cleanup_task(ldap_conn,
-+ update_ts_after_cleanup_task):
-+ """
-+ Regression test for ticket:
-+ https://fedorahosted.org/sssd/ticket/2676
-+ """
-+ ent.assert_group_by_name(
-+ "group1",
-+ dict(mem=ent.contains_only("user1", "user2")))
-+
-+ ent.assert_passwd_by_name(
-+ 'user1',
-+ dict(name='user1', passwd='*', uid=1001, gid=2001,
-+ gecos='1001', shell='/bin/bash'))
-+
-+ ent.assert_passwd_by_name(
-+ 'user2',
-+ dict(name='user2', passwd='*', uid=1002, gid=2001,
-+ gecos='1002', shell='/bin/bash'))
-+
-+ if subprocess.call(["sss_cache", "-u", "user1"]) != 0:
-+ raise Exception("sssd_cache failed")
-+
-+ # The cleanup task runs every 3 seconds, so sleep for 6
-+ # so that we know the cleanup task ran at least once
-+ # even if we start sleeping during the first one
-+ time.sleep(6)
-+
-+ ent.assert_group_by_name(
-+ "group1",
-+ dict(mem=ent.contains_only("user1", "user2")))
-+
-+
- @pytest.fixture
- def blank_rfc2307(request, ldap_conn):
- """Create blank RFC2307 directory fixture with interactive SSSD conf"""
---
-2.14.3
-
diff --git a/0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch b/0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch
deleted file mode 100644
index fa51604..0000000
--- a/0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From d7795e33668b3e2ef212c5fa0bfaf4485e87db65 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Tue, 31 Oct 2017 15:14:52 +0100
-Subject: [PATCH] sudo ldap: do not store rules without sudoHost attribute
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Unless it is cn=defaults.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3558
-
-Reviewed-by: Fabiano Fidêncio
-Reviewed-by: Jakub Hrozek
-(cherry picked from commit 47ad0778be72994a2294b2e73cc5c670be6811a7)
----
- src/providers/ldap/sdap_async_sudo.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
-index 5dc580128..3da76256e 100644
---- a/src/providers/ldap/sdap_async_sudo.c
-+++ b/src/providers/ldap/sdap_async_sudo.c
-@@ -158,8 +158,9 @@ static char *sdap_sudo_build_host_filter(TALLOC_CTX *mem_ctx,
- goto done;
- }
-
-- /* sudoHost is not specified */
-- filter = talloc_asprintf_append_buffer(filter, "(!(%s=*))",
-+ /* sudoHost is not specified and it is a cn=defaults rule */
-+ filter = talloc_asprintf_append_buffer(filter, "(&(!(%s=*))(%s=defaults))",
-+ map[SDAP_AT_SUDO_HOST].name,
- map[SDAP_AT_SUDO_HOST].name);
- if (filter == NULL) {
- goto done;
---
-2.14.3
-
diff --git a/0018-sysdb-custom-completely-replace-old-object-instead-o.patch b/0018-sysdb-custom-completely-replace-old-object-instead-o.patch
deleted file mode 100644
index 0da0d09..0000000
--- a/0018-sysdb-custom-completely-replace-old-object-instead-o.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 547aebfde6fda8088682c9d12a3b5bcfa87c52a2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
-Date: Tue, 31 Oct 2017 15:16:35 +0100
-Subject: [PATCH] sysdb custom: completely replace old object instead of
- merging it
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch is written primary for sudo use case, but it makes sure the we do
-not merge two record in other parts of the code that uses sysdb_store_custom.
-
-1) If there are two rules with the same cn (possible with multiple search bases
-or organizational units) we would end up merging those two rules instead of
-choosing one of them.
-
-2) Also smart refresh would merge the diff insteand of removing the attributes
-that are no longer present in ldap.
-
-Since 1) is a rare use case and it is a misconfiguration we completely replace
-the old rule with new one. It is simpler to implement and it solves both issues.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3558
-
-Reviewed-by: Fabiano Fidêncio
-Reviewed-by: Jakub Hrozek
-(cherry picked from commit cd4590de2a84b8143a6c75b5198f5e1b3c0a6d63)
----
- src/db/sysdb_ops.c | 33 +++++----------------------------
- 1 file changed, 5 insertions(+), 28 deletions(-)
-
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index 09aa04a29..5d3cf643d 100644
---- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -3399,12 +3399,7 @@ int sysdb_store_custom(struct sss_domain_info *domain,
- struct sysdb_attrs *attrs)
- {
- TALLOC_CTX *tmp_ctx;
-- const char *search_attrs[] = { "*", NULL };
-- size_t resp_count = 0;
-- struct ldb_message **resp;
- struct ldb_message *msg;
-- struct ldb_message_element *el;
-- bool add_object = false;
- int ret;
- int i;
-
-@@ -3423,17 +3418,12 @@ int sysdb_store_custom(struct sss_domain_info *domain,
- goto done;
- }
-
-- ret = sysdb_search_custom_by_name(tmp_ctx, domain,
-- object_name, subtree_name,
-- search_attrs, &resp_count, &resp);
-- if (ret != EOK && ret != ENOENT) {
-+ /* Always add a new object. */
-+ ret = sysdb_delete_custom(domain, object_name, subtree_name);
-+ if (ret != EOK) {
- goto done;
- }
-
-- if (ret == ENOENT) {
-- add_object = true;
-- }
--
- msg = ldb_msg_new(tmp_ctx);
- if (msg == NULL) {
- ret = ENOMEM;
-@@ -3455,24 +3445,11 @@ int sysdb_store_custom(struct sss_domain_info *domain,
-
- for (i = 0; i < attrs->num; i++) {
- msg->elements[i] = attrs->a[i];
-- if (add_object) {
-- msg->elements[i].flags = LDB_FLAG_MOD_ADD;
-- } else {
-- el = ldb_msg_find_element(resp[0], attrs->a[i].name);
-- if (el == NULL) {
-- msg->elements[i].flags = LDB_FLAG_MOD_ADD;
-- } else {
-- msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
-- }
-- }
-+ msg->elements[i].flags = LDB_FLAG_MOD_ADD;
- }
- msg->num_elements = attrs->num;
-
-- if (add_object) {
-- ret = ldb_add(domain->sysdb->ldb, msg);
-- } else {
-- ret = ldb_modify(domain->sysdb->ldb, msg);
-- }
-+ ret = ldb_add(domain->sysdb->ldb, msg);
- if (ret != LDB_SUCCESS) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to store custom entry: %s(%d)[%s]\n",
- ldb_strerror(ret), ret, ldb_errstring(domain->sysdb->ldb));
---
-2.14.3
-
diff --git a/0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch b/0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch
deleted file mode 100644
index 26d15ca..0000000
--- a/0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 778f7c61b8d55e0b8d8eccd2cf8649d730e7d4a5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Tue, 3 Apr 2018 21:43:28 +0200
-Subject: [PATCH] SERVER: Tone down shutdown messages for socket-activated
- responders
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When dealing with socket-activated responders, those may be shut
-themselves down after some inactivy period. And that's completely normal
-and expected, thus should not be logged as an fatal error.
-
-For the case when the responder is started by the monitor, however, it
-still makes sense to keep the code as it is as the responders won't shut
-themselves down in any normal scenario.
-
-Signed-off-by: Fabiano Fidêncio
-
-Reviewed-by: Jakub Hrozek
-(cherry picked from commit 519354d079731e673244a8e3851e5c5522d1b45e)
----
- src/util/server.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/util/server.c b/src/util/server.c
-index 62e09314c..f34bf49f6 100644
---- a/src/util/server.c
-+++ b/src/util/server.c
-@@ -248,8 +248,12 @@ void orderly_shutdown(int status)
- {
- #if HAVE_GETPGRP
- static int sent_sigterm;
-+ int debug;
-+
- if (sent_sigterm == 0 && getpgrp() == getpid()) {
-- DEBUG(SSSDBG_FATAL_FAILURE, "SIGTERM: killing children\n");
-+ debug = is_socket_activated() ? SSSDBG_TRACE_INTERNAL
-+ : SSSDBG_FATAL_FAILURE;
-+ DEBUG(debug, "SIGTERM: killing children\n");
- sent_sigterm = 1;
- kill(-getpgrp(), SIGTERM);
- }
---
-2.14.3
-
diff --git a/0020-IPA-Qualify-the-externalUser-sudo-attribute.patch b/0020-IPA-Qualify-the-externalUser-sudo-attribute.patch
deleted file mode 100644
index dd7e1a0..0000000
--- a/0020-IPA-Qualify-the-externalUser-sudo-attribute.patch
+++ /dev/null
@@ -1,70 +0,0 @@ -From 999420ed67439bb662e92b47792a06310d173c53 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Mon, 26 Mar 2018 11:36:00 +0200 -Subject: [PATCH] IPA: Qualify the externalUser sudo attribute -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We broke the externalUser support with the introduction of the fully -qualified attributes, because the provider was saving the data verbatim, -but the sudo responder expects a fully qualified name. - -Reproducer: - on the server: - ipa sudocmd-add --desc='For reading log files' /usr/bin/less - ipa sudorule-add readfiles - ipa sudorule-add-user --users=lcluser - ipa sudorule-mod --hostcat=all readfiles - - then on the client: - configure sssd with: - id_provider = files - sudo_provider = ipa - ipa_domain = ipa.test - - run: - sudo useradd lcluser - sudo passwd lcluser - su - lcluser - sudo -l - -Reviewed-by: Fabiano Fidêncio -Reviewed-by: Pavel Březina -(cherry picked from commit 0f6b5b02afb35caae774ff4d52854a844d49f52e) ---- - src/providers/ipa/ipa_sudo_conversion.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c -index a96ae3447..bfa66b2c6 100644 ---- a/src/providers/ipa/ipa_sudo_conversion.c -+++ b/src/providers/ipa/ipa_sudo_conversion.c -@@ -873,6 +873,15 @@ convert_user_fqdn(TALLOC_CTX *mem_ctx, - return fqdn; - } - -+static const char * -+convert_ext_user(TALLOC_CTX *mem_ctx, -+ struct ipa_sudo_conv *conv, -+ const char *value, -+ bool *skip_entry) -+{ -+ return sss_create_internal_fqname(mem_ctx, value, conv->dom->name); -+} -+ - static const char * - convert_group(TALLOC_CTX *mem_ctx, - struct ipa_sudo_conv *conv, -@@ -959,7 +968,7 @@ convert_attributes(struct ipa_sudo_conv *conv, - {SYSDB_IPA_SUDORULE_RUNASEXTUSER, SYSDB_SUDO_CACHE_AT_RUNASUSER , NULL}, - {SYSDB_IPA_SUDORULE_RUNASEXTGROUP, SYSDB_SUDO_CACHE_AT_RUNASGROUP , NULL}, - 
{SYSDB_IPA_SUDORULE_RUNASEXTUSERGROUP, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_runasextusergroup}, -- {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , NULL}, -+ {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , convert_ext_user}, - {SYSDB_IPA_SUDORULE_ALLOWCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL}, - {SYSDB_IPA_SUDORULE_DENYCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL}, - {NULL, NULL, NULL}}; --- -2.14.3 - diff --git a/0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch b/0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch deleted file mode 100644 index d24d232..0000000 --- a/0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch +++ /dev/null 
@@ -1,56 +0,0 @@
-From d0801ecbac1300978fc864ae394e6ff43dda2781 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Mon, 5 Mar 2018 21:00:30 +0100
-Subject: [PATCH] NSS: Adjust netgroup setnetgrent cache lifetime if midpoint
- refresh is used
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is a minor regression compared to the state of the code before we
-converted the responders to cache_req. The NSS responder keeps a has
-table of netgroup objects in memory for either the lifetime of the
-netgroup, or, in case midpoint refresh is used, up to the midpoint
-refresh time. The case with the midpoint refresh was removed in the
-cache_req enabled code, which means that even if the netgroup was
-updated in the cache with the background refresh task, the object was
-never read from cache, but always still returned from the in-memory
-enumeration hash.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3550
-
-Reviewed-by: Pavel Březina
-Reviewed-by: Fabiano Fidêncio
-(cherry picked from commit f22528922c065f37ca928f95fd86ed2ea79e0d51)
----
- src/responder/nss/nss_enum.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
-index da844fbce..031db9f2e 100644
---- a/src/responder/nss/nss_enum.c
-+++ b/src/responder/nss/nss_enum.c
-@@ -280,7 +280,18 @@ nss_setnetgrent_set_timeout(struct tevent_context *ev,
- struct timeval tv;
- uint32_t timeout;
-
-- timeout = enum_ctx->result[0]->domain->netgroup_timeout;
-+ if (nss_ctx->cache_refresh_percent) {
-+ timeout = enum_ctx->result[0]->domain->netgroup_timeout *
-+ (nss_ctx->cache_refresh_percent / 100.0);
-+ } else {
-+ timeout = enum_ctx->result[0]->domain->netgroup_timeout;
-+ }
-+
-+ /* In order to not trash the cache between setnetgrent()/getnetgrent()
-+ * calls with too low timeout values, we only allow 10 seconds as
-+ * the minimal timeout
-+ */
-+ if (timeout < 10) timeout = 10;
-
- tv = tevent_timeval_current_ofs(timeout, 0);
- te = tevent_add_timer(ev, enum_ctx, tv, nss_setnetgrent_timeout, enum_ctx);
---
-2.14.3
-
diff --git a/0022-CONFDB-Add-passwd_files-and-group_files-options.patch b/0022-CONFDB-Add-passwd_files-and-group_files-options.patch
deleted file mode 100644
index 70694a2..0000000
--- a/0022-CONFDB-Add-passwd_files-and-group_files-options.patch
+++ /dev/null
@@ -1,165 +0,0 @@ -From a40215878688cf10e35e6ba27893201c686395b3 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Fri, 14 Jul 2017 16:08:37 -0400 -Subject: [PATCH] CONFDB: Add passwd_files and group_files options -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add new options to the files provider allowing an administrator to -configure the files provider to read and monitor multiple or -non-standard passwd and group file sources. These options default to -/etc/passwd and /etc/group when unset. - -Reviewed-by: Pavel Březina -Reviewed-by: Jakub Hrozek -(cherry picked from commit c1208b485924964a7a4fcf19562964acb47fc214) ---- - Makefile.am | 3 ++- - src/confdb/confdb.h | 4 ++++ - src/config/SSSDConfig/__init__.py.in | 6 +++++- - src/config/cfg_rules.ini | 4 ++++ - src/config/etc/sssd.api.d/sssd-files.conf | 3 +++ - src/man/sssd-files.5.xml | 36 +++++++++++++++++++++++++++++-- - src/providers/files/files_init.c | 1 + - 7 files changed, 53 insertions(+), 4 deletions(-) - create mode 100644 src/config/etc/sssd.api.d/sssd-files.conf - -diff --git a/Makefile.am b/Makefile.am -index 25e996d2d..d52fe0670 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -4577,7 +4577,8 @@ dist_sssdapiplugin_DATA = \ - src/config/etc/sssd.api.d/sssd-ldap.conf \ - src/config/etc/sssd.api.d/sssd-local.conf \ - src/config/etc/sssd.api.d/sssd-proxy.conf \ -- src/config/etc/sssd.api.d/sssd-simple.conf -+ src/config/etc/sssd.api.d/sssd-simple.conf \ -+ src/config/etc/sssd.api.d/sssd-files.conf - - edit_cmd = $(SED) \ - -e 's|@sbindir[@]|$(sbindir)|g' \ -diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h -index c97a9b804..1d322aaac 100644 ---- a/src/confdb/confdb.h -+++ b/src/confdb/confdb.h -@@ -242,6 +242,10 @@ - #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias" - #define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children" - -+/* Files Provider */ -+#define CONFDB_FILES_PASSWD "passwd_files" -+#define CONFDB_FILES_GROUP "group_files" -+ - /* 
Secrets Service */ - #define CONFDB_SEC_CONF_ENTRY "config/secrets" - #define CONFDB_SEC_CONTAINERS_NEST_LEVEL "containers_nest_level" -diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in -index 857d56cb5..32b74e4c7 100644 ---- a/src/config/SSSDConfig/__init__.py.in -+++ b/src/config/SSSDConfig/__init__.py.in -@@ -473,7 +473,11 @@ option_strings = { - 'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'), - - # [provider/proxy/auth] -- 'proxy_pam_target' : _('PAM stack to use') -+ 'proxy_pam_target' : _('PAM stack to use'), -+ -+ # [provider/files] -+ 'passwd_files' : _('Path of passwd file sources.'), -+ 'group_files' : _('Path of group file sources.') - } - - def striplist(l): -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index 4e70bf7b6..551322780 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -404,6 +404,10 @@ option = dyndns_force_tcp - option = dyndns_auth - option = dyndns_server - -+# files provider specific options -+option = passwd_files -+option = group_files -+ - # local provider specific options - option = create_homedir - option = remove_homedir -diff --git a/src/config/etc/sssd.api.d/sssd-files.conf b/src/config/etc/sssd.api.d/sssd-files.conf -new file mode 100644 -index 000000000..2444d4924 ---- /dev/null -+++ b/src/config/etc/sssd.api.d/sssd-files.conf -@@ -0,0 +1,3 @@ -+[provider/files] -+passwd_files = str, None, false -+group_files = str, None, false -diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml -index d44fffc03..59e1b6523 100644 ---- a/src/man/sssd-files.5.xml -+++ b/src/man/sssd-files.5.xml -@@ -56,14 +56,46 @@ - - CONFIGURATION OPTIONS - -- The files provider has no specific options of its own, however, -- generic SSSD domain options can be set where applicable. -+ In addition to the options listed below, generic SSSD domain options -+ can be set where applicable. 
- Refer to the section DOMAIN SECTIONS of the - - sssd.conf - 5 - manual page for details on the configuration - of an SSSD domain. -+ -+ -+ passwd_files (string) -+ -+ -+ Comma-separated list of one or multiple password -+ filenames to be read and enumerated by the files -+ provider, inotify monitor watches will be set on -+ each file to detect changes dynamically. -+ -+ -+ Default: /etc/passwd -+ -+ -+ -+ -+ -+ group_files (string) -+ -+ -+ Comma-separated list of one or multiple group -+ filenames to be read and enumerated by the files -+ provider, inotify monitor watches will be set on -+ each file to detect changes dynamically. -+ -+ -+ Default: /etc/group -+ -+ -+ -+ -+ - - - -diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c -index 8e5cd4cf9..b8a051c34 100644 ---- a/src/providers/files/files_init.c -+++ b/src/providers/files/files_init.c -@@ -21,6 +21,7 @@ - - #include "providers/data_provider/dp.h" - #include "providers/files/files_private.h" -+#include "util/util.h" - - int sssm_files_init(TALLOC_CTX *mem_ctx, - struct be_ctx *be_ctx, --- -2.14.3 - diff --git a/0023-FILES-Handle-files-provider-sources.patch b/0023-FILES-Handle-files-provider-sources.patch deleted file mode 100644 index 6565fb7..0000000 --- a/0023-FILES-Handle-files-provider-sources.patch +++ /dev/null 
@@ -1,721 +0,0 @@ -From 2eb09d21d486e83a3a844fda0a504bbc479c9b3a Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Mon, 17 Jul 2017 15:01:36 -0400 -Subject: [PATCH] FILES: Handle files provider sources -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Setup watches on passwd and group files provided with the files provider -options passwd_files and group_files lists - -Resolves: -https://pagure.io/SSSD/sssd/issue/3402 - -Reviewed-by: Pavel Březina -Reviewed-by: Jakub Hrozek -(cherry picked from commit 0d6d493f68bb83a046d351cb3035b08ef5456b50) ---- - src/providers/files/files_init.c | 161 +++++++++++++++++--- - src/providers/files/files_ops.c | 285 ++++++++++++++++++++++-------------- - src/providers/files/files_private.h | 8 +- - 3 files changed, 327 insertions(+), 127 deletions(-) - -diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c -index b8a051c34..746c04af1 100644 ---- a/src/providers/files/files_init.c -+++ b/src/providers/files/files_init.c -@@ -23,6 +23,138 @@ - #include "providers/files/files_private.h" - #include "util/util.h" - -+#define DEFAULT_PASSWD_FILE "/etc/passwd" -+#define DEFAULT_GROUP_FILE "/etc/group" -+ -+static errno_t files_init_file_sources(TALLOC_CTX *mem_ctx, -+ struct be_ctx *be_ctx, -+ const char ***_passwd_files, -+ const char ***_group_files) -+{ -+ TALLOC_CTX *tmp_ctx = NULL; -+ char *conf_passwd_files; -+ char *conf_group_files; -+ char **passwd_list = NULL; -+ char **group_list = NULL; -+ int num_passwd_files = 0; -+ int num_group_files = 0; -+ const char **passwd_files = NULL; -+ const char **group_files = NULL; -+ const char *dfl_passwd_files = NULL; -+ const char *env_group_files = NULL; -+ int i; -+ errno_t ret; -+ -+ tmp_ctx = talloc_new(NULL); -+ if (tmp_ctx == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ dfl_passwd_files = getenv("SSS_FILES_PASSWD"); -+ if (dfl_passwd_files) { -+ sss_log(SSS_LOG_ALERT, -+ "Defaulting to %s for the passwd 
file, " -+ "this should only be used for testing!\n", -+ dfl_passwd_files); -+ } else { -+ dfl_passwd_files = DEFAULT_PASSWD_FILE; -+ } -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Using default passwd file: [%s].\n", dfl_passwd_files); -+ -+ env_group_files = getenv("SSS_FILES_GROUP"); -+ if (env_group_files) { -+ sss_log(SSS_LOG_ALERT, -+ "Defaulting to %s for the group file, " -+ "this should only be used for testing!\n", -+ env_group_files); -+ } else { -+ env_group_files = DEFAULT_GROUP_FILE; -+ } -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Using default group file: [%s].\n", DEFAULT_GROUP_FILE); -+ -+ ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path, -+ CONFDB_FILES_PASSWD, dfl_passwd_files, -+ &conf_passwd_files); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to retrieve confdb passwd files!\n"); -+ goto done; -+ } -+ -+ ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path, -+ CONFDB_FILES_GROUP, env_group_files, -+ &conf_group_files); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to retrieve confdb group files!\n"); -+ goto done; -+ } -+ -+ ret = split_on_separator(tmp_ctx, conf_passwd_files, ',', true, true, -+ &passwd_list, &num_passwd_files); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to parse passwd list!\n"); -+ goto done; -+ } -+ -+ passwd_files = talloc_zero_array(tmp_ctx, const char *, -+ num_passwd_files + 1); -+ if (passwd_files == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ for (i = 0; i < num_passwd_files; i++) { -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Using passwd file: [%s].\n", passwd_list[i]); -+ -+ passwd_files[i] = talloc_strdup(passwd_files, passwd_list[i]); -+ if (passwd_files[i] == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ } -+ -+ /* Retrieve list of group files */ -+ ret = split_on_separator(tmp_ctx, conf_group_files, ',', true, true, -+ &group_list, &num_group_files); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ 
"Failed to parse group files!\n"); -+ goto done; -+ } -+ -+ group_files = talloc_zero_array(tmp_ctx, const char *, -+ num_group_files + 1); -+ if (group_files == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ for (i = 0; i < num_group_files; i++) { -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Using group file: [%s].\n", group_list[i]); -+ group_files[i] = talloc_strdup(group_files, group_list[i]); -+ if (group_files[i] == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ } -+ -+ *_passwd_files = talloc_steal(mem_ctx, passwd_files); -+ *_group_files = talloc_steal(mem_ctx, group_files); -+ -+ ret = EOK; -+ -+done: -+ talloc_free(tmp_ctx); -+ return ret; -+} -+ - int sssm_files_init(TALLOC_CTX *mem_ctx, - struct be_ctx *be_ctx, - struct data_provider *provider, -@@ -30,32 +162,27 @@ int sssm_files_init(TALLOC_CTX *mem_ctx, - void **_module_data) - { - struct files_id_ctx *ctx; -- int ret; -- const char *passwd_file = NULL; -- const char *group_file = NULL; -- -- /* So far this is mostly useful for tests */ -- passwd_file = getenv("SSS_FILES_PASSWD"); -- if (passwd_file == NULL) { -- passwd_file = "/etc/passwd"; -- } -- -- group_file = getenv("SSS_FILES_GROUP"); -- if (group_file == NULL) { -- group_file = "/etc/group"; -- } -+ errno_t ret; - - ctx = talloc_zero(mem_ctx, struct files_id_ctx); - if (ctx == NULL) { - return ENOMEM; - } -+ - ctx->be = be_ctx; - ctx->domain = be_ctx->domain; -- ctx->passwd_file = passwd_file; -- ctx->group_file = group_file; -+ -+ ret = files_init_file_sources(ctx, be_ctx, -+ &ctx->passwd_files, -+ &ctx->group_files); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize the passwd/group source files\n"); -+ goto done; -+ } - - ctx->fctx = sf_init(ctx, be_ctx->ev, -- ctx->passwd_file, ctx->group_file, -+ ctx->passwd_files, -+ ctx->group_files, - ctx); - if (ctx->fctx == NULL) { - ret = ENOMEM; -diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c 
-index b59a94252..a2a2798d3 100644 ---- a/src/providers/files/files_ops.c -+++ b/src/providers/files/files_ops.c -@@ -44,6 +44,7 @@ struct files_ctx { - - static errno_t enum_files_users(TALLOC_CTX *mem_ctx, - struct files_id_ctx *id_ctx, -+ const char *passwd_file, - struct passwd ***_users) - { - errno_t ret, close_ret; -@@ -53,12 +54,12 @@ static errno_t enum_files_users(TALLOC_CTX *mem_ctx, - FILE *pwd_handle = NULL; - size_t n_users = 0; - -- pwd_handle = fopen(id_ctx->passwd_file, "r"); -+ pwd_handle = fopen(passwd_file, "r"); - if (pwd_handle == NULL) { - ret = errno; - DEBUG(SSSDBG_CRIT_FAILURE, - "Cannot open passwd file %s [%d]\n", -- id_ctx->passwd_file, ret); -+ passwd_file, ret); - goto done; - } - -@@ -133,7 +134,7 @@ done: - close_ret = errno; - DEBUG(SSSDBG_CRIT_FAILURE, - "Cannot close passwd file %s [%d]\n", -- id_ctx->passwd_file, close_ret); -+ passwd_file, close_ret); - } - } - return ret; -@@ -141,6 +142,7 @@ done: - - static errno_t enum_files_groups(TALLOC_CTX *mem_ctx, - struct files_id_ctx *id_ctx, -+ const char *group_file, - struct group ***_groups) - { - errno_t ret, close_ret; -@@ -150,12 +152,12 @@ static errno_t enum_files_groups(TALLOC_CTX *mem_ctx, - size_t n_groups = 0; - FILE *grp_handle = NULL; - -- grp_handle = fopen(id_ctx->group_file, "r"); -+ grp_handle = fopen(group_file, "r"); - if (grp_handle == NULL) { - ret = errno; - DEBUG(SSSDBG_CRIT_FAILURE, - "Cannot open group file %s [%d]\n", -- id_ctx->group_file, ret); -+ group_file, ret); - goto done; - } - -@@ -237,7 +239,7 @@ done: - close_ret = errno; - DEBUG(SSSDBG_CRIT_FAILURE, - "Cannot close group file %s [%d]\n", -- id_ctx->group_file, close_ret); -+ group_file, close_ret); - } - } - return ret; -@@ -446,35 +448,23 @@ done: - return ret; - } - --static errno_t sf_enum_groups(struct files_id_ctx *id_ctx); -+static errno_t sf_enum_groups(struct files_id_ctx *id_ctx, -+ const char *group_file); - --errno_t sf_enum_users(struct files_id_ctx *id_ctx) -+errno_t 
sf_enum_users(struct files_id_ctx *id_ctx, -+ const char *passwd_file) - { - errno_t ret; -- errno_t tret; - TALLOC_CTX *tmp_ctx = NULL; - struct passwd **users = NULL; -- bool in_transaction = false; - - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { - return ENOMEM; - } - -- ret = enum_files_users(tmp_ctx, id_ctx, &users); -- if (ret != EOK) { -- goto done; -- } -- -- ret = sysdb_transaction_start(id_ctx->domain->sysdb); -- if (ret != EOK) { -- goto done; -- } -- in_transaction = true; -- -- /* remove previous cache contents */ -- /* FIXME - this is terribly inefficient */ -- ret = delete_all_users(id_ctx->domain); -+ ret = enum_files_users(tmp_ctx, id_ctx, passwd_file, -+ &users); - if (ret != EOK) { - goto done; - } -@@ -496,31 +486,8 @@ errno_t sf_enum_users(struct files_id_ctx *id_ctx) - "override values might not be available.\n"); - } - -- ret = sysdb_transaction_commit(id_ctx->domain->sysdb); -- if (ret != EOK) { -- goto done; -- } -- in_transaction = false; -- -- /* Covers the case when someone edits /etc/group, adds a group member and -- * only then edits passwd and adds the user. The reverse is not needed, -- * because member/memberof links are established when groups are saved. 
-- */ -- ret = sf_enum_groups(id_ctx); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "Cannot refresh groups\n"); -- goto done; -- } -- - ret = EOK; - done: -- if (in_transaction) { -- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); -- if (tret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Cannot cancel transaction: %d\n", ret); -- } -- } - talloc_free(tmp_ctx); - return ret; - } -@@ -698,13 +665,12 @@ done: - return ret; - } - --static errno_t sf_enum_groups(struct files_id_ctx *id_ctx) -+static errno_t sf_enum_groups(struct files_id_ctx *id_ctx, -+ const char *group_file) - { - errno_t ret; -- errno_t tret; - TALLOC_CTX *tmp_ctx = NULL; - struct group **groups = NULL; -- bool in_transaction = false; - const char **cached_users = NULL; - - tmp_ctx = talloc_new(NULL); -@@ -712,7 +678,8 @@ static errno_t sf_enum_groups(struct files_id_ctx *id_ctx) - return ENOMEM; - } - -- ret = enum_files_groups(tmp_ctx, id_ctx, &groups); -+ ret = enum_files_groups(tmp_ctx, id_ctx, group_file, -+ &groups); - if (ret != EOK) { - goto done; - } -@@ -722,18 +689,6 @@ static errno_t sf_enum_groups(struct files_id_ctx *id_ctx) - goto done; - } - -- ret = sysdb_transaction_start(id_ctx->domain->sysdb); -- if (ret != EOK) { -- goto done; -- } -- in_transaction = true; -- -- /* remove previous cache contents */ -- ret = delete_all_groups(id_ctx->domain); -- if (ret != EOK) { -- goto done; -- } -- - for (size_t i = 0; groups[i]; i++) { - ret = save_file_group(id_ctx, groups[i], cached_users); - if (ret != EOK) { -@@ -750,21 +705,8 @@ static errno_t sf_enum_groups(struct files_id_ctx *id_ctx) - "override values might not be available.\n"); - } - -- ret = sysdb_transaction_commit(id_ctx->domain->sysdb); -- if (ret != EOK) { -- goto done; -- } -- in_transaction = false; -- - ret = EOK; - done: -- if (in_transaction) { -- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); -- if (tret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Cannot cancel transaction: %d\n", ret); -- } -- } - 
talloc_free(tmp_ctx); - return ret; - } -@@ -783,21 +725,17 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt) - { - struct files_id_ctx *id_ctx; - errno_t ret; -+ errno_t tret; -+ bool in_transaction = false; - - id_ctx = talloc_get_type(pvt, struct files_id_ctx); - if (id_ctx == NULL) { -- return EINVAL; -+ ret = EINVAL; -+ goto done; - } - - DEBUG(SSSDBG_TRACE_FUNC, "passwd notification\n"); - -- if (strcmp(filename, id_ctx->passwd_file) != 0) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Wrong file, expected %s, got %s\n", -- id_ctx->passwd_file, filename); -- return EINVAL; -- } -- - id_ctx->updating_passwd = true; - dp_sbus_domain_inconsistent(id_ctx->be->provider, id_ctx->domain); - -@@ -805,11 +743,64 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt) - dp_sbus_reset_users_memcache(id_ctx->be->provider); - dp_sbus_reset_initgr_memcache(id_ctx->be->provider); - -- ret = sf_enum_users(id_ctx); -+ ret = sysdb_transaction_start(id_ctx->domain->sysdb); -+ if (ret != EOK) { -+ goto done; -+ } -+ in_transaction = true; -+ -+ ret = delete_all_users(id_ctx->domain); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ /* All users were deleted, therefore we need to enumerate each file again */ -+ for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) { -+ ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n"); -+ goto done; -+ } -+ } -+ -+ /* Covers the case when someone edits /etc/group, adds a group member and -+ * only then edits passwd and adds the user. The reverse is not needed, -+ * because member/memberof links are established when groups are saved. 
-+ */ -+ ret = delete_all_groups(id_ctx->domain); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ /* All groups were deleted, therefore we need to enumerate each file again */ -+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) { -+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n"); -+ goto done; -+ } -+ } -+ -+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb); -+ if (ret != EOK) { -+ goto done; -+ } -+ in_transaction = false; - - id_ctx->updating_passwd = false; - sf_cb_done(id_ctx); - files_account_info_finished(id_ctx, BE_REQ_USER, ret); -+ -+ ret = EOK; -+done: -+ if (in_transaction) { -+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); -+ if (tret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Cannot cancel transaction: %d\n", ret); -+ } -+ } -+ - return ret; - } - -@@ -817,21 +808,17 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt) - { - struct files_id_ctx *id_ctx; - errno_t ret; -+ errno_t tret; -+ bool in_transaction = false; - - id_ctx = talloc_get_type(pvt, struct files_id_ctx); - if (id_ctx == NULL) { -- return EINVAL; -+ ret = EINVAL; -+ goto done; - } - - DEBUG(SSSDBG_TRACE_FUNC, "group notification\n"); - -- if (strcmp(filename, id_ctx->group_file) != 0) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Wrong file, expected %s, got %s\n", -- id_ctx->group_file, filename); -- return EINVAL; -- } -- - id_ctx->updating_groups = true; - dp_sbus_domain_inconsistent(id_ctx->be->provider, id_ctx->domain); - -@@ -839,11 +826,47 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt) - dp_sbus_reset_groups_memcache(id_ctx->be->provider); - dp_sbus_reset_initgr_memcache(id_ctx->be->provider); - -- ret = sf_enum_groups(id_ctx); -+ ret = sysdb_transaction_start(id_ctx->domain->sysdb); -+ if (ret != EOK) { -+ goto done; -+ } -+ in_transaction = true; -+ -+ ret = delete_all_groups(id_ctx->domain); -+ if (ret != EOK) { -+ goto done; -+ } -+ 
-+ /* All groups were deleted, therefore we need to enumerate each file again */ -+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) { -+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n"); -+ goto done; -+ } -+ } -+ -+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb); -+ if (ret != EOK) { -+ goto done; -+ } -+ in_transaction = false; - - id_ctx->updating_groups = false; - sf_cb_done(id_ctx); - files_account_info_finished(id_ctx, BE_REQ_GROUP, ret); -+ -+ ret = EOK; -+ -+done: -+ if (in_transaction) { -+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); -+ if (tret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Cannot cancel transaction: %d\n", ret); -+ } -+ } -+ - return ret; - } - -@@ -853,19 +876,62 @@ static void startup_enum_files(struct tevent_context *ev, - { - struct files_id_ctx *id_ctx = talloc_get_type(pvt, struct files_id_ctx); - errno_t ret; -+ errno_t tret; -+ bool in_transaction = false; - - talloc_zfree(imm); - -- ret = sf_enum_users(id_ctx); -+ ret = sysdb_transaction_start(id_ctx->domain->sysdb); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Enumerating users failed, data might be inconsistent!\n"); -+ goto done; - } -+ in_transaction = true; - -- ret = sf_enum_groups(id_ctx); -+ ret = delete_all_users(id_ctx->domain); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Enumerating groups failed, data might be inconsistent!\n"); -+ goto done; -+ } -+ -+ ret = delete_all_groups(id_ctx->domain); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) { -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Startup user enumeration of [%s]\n", id_ctx->passwd_files[i]); -+ ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Enumerating users failed, data might be inconsistent!\n"); -+ goto done; -+ } -+ } -+ -+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) { 
-+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Startup group enumeration of [%s]\n", id_ctx->group_files[i]); -+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Enumerating groups failed, data might be inconsistent!\n"); -+ goto done; -+ } -+ } -+ -+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb); -+ if (ret != EOK) { -+ goto done; -+ } -+ in_transaction = false; -+ -+done: -+ if (in_transaction) { -+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); -+ if (tret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Cannot cancel transaction: %d\n", ret); -+ } - } - } - -@@ -884,22 +950,29 @@ static struct snotify_ctx *sf_setup_watch(TALLOC_CTX *mem_ctx, - - struct files_ctx *sf_init(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, -- const char *passwd_file, -- const char *group_file, -+ const char **passwd_files, -+ const char **group_files, - struct files_id_ctx *id_ctx) - { - struct files_ctx *fctx; - struct tevent_immediate *imm; -+ int i; - - fctx = talloc(mem_ctx, struct files_ctx); - if (fctx == NULL) { - return NULL; - } - -- fctx->pwd_watch = sf_setup_watch(fctx, ev, passwd_file, -- sf_passwd_cb, id_ctx); -- fctx->grp_watch = sf_setup_watch(fctx, ev, group_file, -- sf_group_cb, id_ctx); -+ for (i = 0; passwd_files[i]; i++) { -+ fctx->pwd_watch = sf_setup_watch(fctx, ev, passwd_files[i], -+ sf_passwd_cb, id_ctx); -+ } -+ -+ for (i = 0; group_files[i]; i++) { -+ fctx->grp_watch = sf_setup_watch(fctx, ev, group_files[i], -+ sf_group_cb, id_ctx); -+ } -+ - if (fctx->pwd_watch == NULL || fctx->grp_watch == NULL) { - talloc_free(fctx); - return NULL; -diff --git a/src/providers/files/files_private.h b/src/providers/files/files_private.h -index a7d195c90..f44e6d458 100644 ---- a/src/providers/files/files_private.h -+++ b/src/providers/files/files_private.h -@@ -39,8 +39,8 @@ struct files_id_ctx { - struct sss_domain_info *domain; - struct files_ctx *fctx; - -- const char *passwd_file; -- const char *group_file; -+ 
const char **passwd_files; -+ const char **group_files; - - bool updating_passwd; - bool updating_groups; -@@ -53,8 +53,8 @@ struct files_id_ctx { - /* files_ops.c */ - struct files_ctx *sf_init(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, -- const char *passwd_file, -- const char *group_file, -+ const char **passwd_files, -+ const char **group_files, - struct files_id_ctx *id_ctx); - - /* files_id.c */ --- -2.14.3 - diff --git a/0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch b/0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch deleted file mode 100644 index a21c0b3..0000000 --- a/0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From bb1455ce8d45d026f173f402bce29bf97af8c44d Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Mon, 26 Mar 2018 17:30:14 +0200 -Subject: [PATCH] TESTS: Add a test for the multiple files feature -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Adds an integration test for the new feature. - -Reviewed-by: Pavel Březina -(cherry picked from commit 4a9100a588ade253cecb2224b95bd8caa8136109) ---- - src/tests/intg/test_files_provider.py | 61 ++++++++++++++++++++++++++++++++++- - 1 file changed, 60 insertions(+), 1 deletion(-) - -diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py -index 41bfd8844..ce5c7b774 100644 ---- a/src/tests/intg/test_files_provider.py -+++ b/src/tests/intg/test_files_provider.py -@@ -25,6 +25,7 @@ import subprocess - import pwd - import grp - import pytest -+import tempfile - - import ent - import sssd_id -@@ -33,7 +34,7 @@ from sssd_passwd import (call_sssd_getpwnam, - call_sssd_enumeration, - call_sssd_getpwuid) - from sssd_group import call_sssd_getgrnam, call_sssd_getgrgid --from files_ops import passwd_ops_setup, group_ops_setup -+from files_ops import passwd_ops_setup, group_ops_setup, PasswdOps, GroupOps - from util import unindent - - # Sync this with files_ops.c -@@ -59,6 +60,11 @@ OV_USER1 = dict(name='ov_user1', passwd='x', uid=10010, gid=20010, - dir='/home/ov/user1', - shell='/bin/ov_user1_shell') - -+ALT_USER1 = dict(name='altuser1', passwd='x', uid=60001, gid=70001, -+ gecos='User for tests from alt files', -+ dir='/home/altuser1', -+ shell='/bin/bash') -+ - CANARY_GR = dict(name='canary', - gid=300001, - mem=[]) -@@ -79,6 +85,10 @@ GROUP_NOMEM = dict(name='group_nomem', - gid=40000, - mem=[]) - -+ALT_GROUP1 = dict(name='alt_group1', -+ gid=80001, -+ mem=['alt_user1']) -+ - - def start_sssd(): - """Start sssd and add teardown for stopping it and removing state""" -@@ -145,6 +155,38 @@ def files_domain_only(request): - return 
None - - -+@pytest.fixture -+def files_multiple_sources(request): -+ _, alt_passwd_path = tempfile.mkstemp(prefix='altpasswd') -+ request.addfinalizer(lambda: os.unlink(alt_passwd_path)) -+ alt_pwops = PasswdOps(alt_passwd_path) -+ -+ _, alt_group_path = tempfile.mkstemp(prefix='altgroup') -+ request.addfinalizer(lambda: os.unlink(alt_group_path)) -+ alt_grops = GroupOps(alt_group_path) -+ -+ passwd_list = ",".join([os.environ["NSS_WRAPPER_PASSWD"], alt_passwd_path]) -+ group_list = ",".join([os.environ["NSS_WRAPPER_GROUP"], alt_group_path]) -+ -+ conf = unindent("""\ -+ [sssd] -+ domains = files -+ services = nss -+ -+ [nss] -+ debug_level = 10 -+ -+ [domain/files] -+ id_provider = files -+ passwd_files = {passwd_list} -+ group_files = {group_list} -+ debug_level = 10 -+ """).format(**locals()) -+ create_conf_fixture(request, conf) -+ create_sssd_fixture(request) -+ return alt_pwops, alt_grops -+ -+ - @pytest.fixture - def proxy_to_files_domain_only(request): - conf = unindent("""\ -@@ -1054,3 +1096,20 @@ def test_no_sssd_conf(add_user_with_canary, no_sssd_conf): - res, user = sssd_getpwnam_sync(USER1["name"]) - assert res == NssReturnCode.SUCCESS - assert user == USER1 -+ -+ -+def test_multiple_passwd_group_files(add_user_with_canary, -+ add_group_with_canary, -+ files_multiple_sources): -+ """ -+ Test that users and groups can be mirrored from multiple files -+ """ -+ alt_pwops, alt_grops = files_multiple_sources -+ alt_pwops.useradd(**ALT_USER1) -+ alt_grops.groupadd(**ALT_GROUP1) -+ -+ check_user(USER1) -+ check_user(ALT_USER1) -+ -+ check_group(GROUP1) -+ check_group(ALT_GROUP1) --- -2.14.3 - diff --git a/0025-AD-Missing-header-in-ad_access.h.patch b/0025-AD-Missing-header-in-ad_access.h.patch deleted file mode 100644 index b00bb67..0000000 --- a/0025-AD-Missing-header-in-ad_access.h.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From d81931454a0846fe503d090595fa5b0d4ffd93a5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= -Date: Wed, 4 Apr 2018 12:10:13 +0200 -Subject: [PATCH] AD: Missing header in ad_access.h - -ad_access.h depends on data_provider.h header but -does not include it. - -Reviewed-by: Jakub Hrozek -(cherry picked from commit abf377672e0011da817b5105fe581b27f2f855b7) ---- - src/providers/ad/ad_access.h | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h -index cc565a8e6..34d5597da 100644 ---- a/src/providers/ad/ad_access.h -+++ b/src/providers/ad/ad_access.h -@@ -23,6 +23,8 @@ - #ifndef AD_ACCESS_H_ - #define AD_ACCESS_H_ - -+#include "providers/data_provider.h" -+ - struct ad_access_ctx { - struct dp_option *ad_options; - struct sdap_access_ctx *sdap_access_ctx; --- -2.14.3 - diff --git a/0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch b/0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch deleted file mode 100644 index 34ef7ce..0000000 --- a/0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 5e47ae51f5cf11decdfec483ab1adef07ec2b7ef Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= -Date: Wed, 4 Apr 2018 12:17:37 +0200 -Subject: [PATCH] GPO: Add ad_options to ad_gpo_process_som_state - -We will need at least ad_site option from this -context available to get the AD site override -value. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3646 - -Reviewed-by: Jakub Hrozek -(cherry picked from commit 7a42831b208ed8d2fcb9d8beaa12bd2214bb7dce) ---- - src/providers/ad/ad_gpo.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index d9ea31141..028f6a2e7 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -146,6 +146,7 @@ struct tevent_req *ad_gpo_process_som_send(TALLOC_CTX *mem_ctx, - struct ldb_context *ldb_ctx, - struct sdap_id_op *sdap_op, - struct sdap_options *opts, -+ struct dp_option *ad_options, - int timeout, - const char *target_dn, - const char *domain_name); -@@ -1975,6 +1976,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq) - state->ldb_ctx, - state->sdap_op, - state->opts, -+ state->access_ctx->ad_options, - state->timeout, - state->target_dn, - state->host_domain->name); -@@ -2701,6 +2703,7 @@ struct ad_gpo_process_som_state { - struct tevent_context *ev; - struct sdap_id_op *sdap_op; - struct sdap_options *opts; -+ struct dp_option *ad_options; - int timeout; - bool allow_enforced_only; - char *site_name; -@@ -2734,6 +2737,7 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx, - struct ldb_context *ldb_ctx, - struct sdap_id_op *sdap_op, - struct sdap_options *opts, -+ struct dp_option *ad_options, - int timeout, - const char *target_dn, - const char *domain_name) -@@ -2752,6 +2756,7 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx, - state->ev = ev; - state->sdap_op = sdap_op; - state->opts = opts; -+ state->ad_options = ad_options; - state->timeout = timeout; - state->som_index = 0; - state->allow_enforced_only = 
0; --- -2.14.3 - diff --git a/0027-GPO-Use-AD-site-override-if-set.patch b/0027-GPO-Use-AD-site-override-if-set.patch deleted file mode 100644 index 59066dd..0000000 --- a/0027-GPO-Use-AD-site-override-if-set.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 82096e7e4a6ccaf8a2828ddfc77a04c930a14148 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= -Date: Wed, 4 Apr 2018 13:24:21 +0200 -Subject: [PATCH] GPO: Use AD site override if set - -Use AD site override if it was set in SSSD configuration. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3646 - -Reviewed-by: Jakub Hrozek -(cherry picked from commit 744e2b4d0710c1dc850bfadbd75ae1ae7faf1148) ---- - src/providers/ad/ad_gpo.c | 33 ++++++++++++++++++++++++++++++--- - 1 file changed, 30 insertions(+), 3 deletions(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index 028f6a2e7..a48f264c7 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -2806,7 +2806,8 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq) - struct tevent_req *req; - struct ad_gpo_process_som_state *state; - int ret; -- char *site; -+ char *site = NULL; -+ char *site_override = NULL; - const char *attrs[] = {AD_AT_CONFIG_NC, NULL}; - - req = tevent_req_callback_data(subreq, struct tevent_req); -@@ -2817,17 +2818,43 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq) - talloc_zfree(subreq); - - if (ret != EOK || site == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve master domain info\n"); -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Could not autodiscover AD site. This is not fatal if " -+ "ad_site option was set.\n"); -+ } -+ -+ site_override = dp_opt_get_string(state->ad_options, AD_SITE); -+ if (site_override != NULL) { -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Overriding autodiscovered AD site value '%s' with '%s' from " -+ "configuration.\n", site ? site : "none", site_override); -+ } -+ -+ if (site == NULL && site_override == NULL) { -+ sss_log(SSS_LOG_WARNING, -+ "Could not autodiscover AD site value using DNS and ad_site " -+ "option was not set in configuration. GPO will not work. 
" -+ "To work around this issue you can use ad_site option in SSSD " -+ "configuration."); -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Could not autodiscover AD site value using DNS and ad_site " -+ "option was not set in configuration. GPO will not work. " -+ "To work around this issue you can use ad_site option in SSSD " -+ "configuration.\n"); - tevent_req_error(req, ENOENT); - return; - } - -- state->site_name = talloc_asprintf(state, "cn=%s", site); -+ state->site_name = talloc_asprintf(state, "cn=%s", -+ site_override ? site_override -+ : site); - if (state->site_name == NULL) { - tevent_req_error(req, ENOMEM); - return; - } - -+ DEBUG(SSSDBG_TRACE_FUNC, "Using AD site '%s'.\n", state->site_name); -+ - /* - * note: the configNC attribute is being retrieved here from the rootDSE - * entry. In future, since we already make an LDAP query for the rootDSE --- -2.14.3 - diff --git a/0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch b/0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch deleted file mode 100644 index ea41680..0000000 --- a/0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 29f9df0162096d0e3ec4e85c1f1b5ce87062aa64 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 15 Mar 2018 12:43:34 +0100 -Subject: [PATCH] nss: initialize nss_enum_index in nss_setnetgrent() - -setnetgrent() is the first call when looking up a netgroup and sets the -netgroup name for upcoming getnetgrent() and endnetgrent() calls. -Currently the state is reset by calling endnetgrent() but it would be -more robust to unconditionally reset the state in setnetgrent() as well -in case calling endnetgrent() was forgotten. - -Related to https://pagure.io/SSSD/sssd/issue/3679 - -Reviewed-by: Jakub Hrozek -(cherry picked from commit 37a84285aeb497ed4909d16916bbf934af3f68b3) ---- - src/responder/nss/nss_cmd.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c -index 956ee53cb..9f8479b7b 100644 ---- a/src/responder/nss/nss_cmd.c -+++ b/src/responder/nss/nss_cmd.c -@@ -756,6 +756,9 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, - goto done; - } - -+ state_ctx->netgrent.domain = 0; -+ state_ctx->netgrent.result = 0; -+ - talloc_zfree(state_ctx->netgroup); - state_ctx->netgroup = talloc_strdup(state_ctx, netgroup); - if (state_ctx->netgroup == NULL) { --- -2.14.3 - diff --git a/0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch b/0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch deleted file mode 100644 index 5af0f87..0000000 --- a/0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From 9f85ab4d8eba042b43a9346ed6dfbf3fc60ea488 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 15 Mar 2018 12:50:20 +0100 -Subject: [PATCH] nss: add a netgroup counter to struct nss_enum_index - -Netgroups are not looked up with the help of a single request but by -calling setnetgrent(), getnetgrent() and endnetgrent() where -getnetgrent() might be called multiple times depending on the number of -netgroup elements. Since the caller does not provide a state the state -has to be maintained by the SSSD nss responder. Besides the netgroup -name this is mainly the number of elements already returned. - -This number is used to select the next element to return and currently -it is assumed that there are not changes to the netgroup while the -client is requesting the individual elements. But if e.g. the 3 nss -calls are not used correctly or the netgroup is modified while the -client is sending getnetgrent() calls the stored number might be out of -range. To be on the safe side the stored number should be always -compared with the current number of netgroup elements. 
- -Related to https://pagure.io/SSSD/sssd/issue/3679 - -Reviewed-by: Jakub Hrozek -(cherry picked from commit 08db22b1b1a2e742edbca92e35087294d963adda) ---- - src/db/sysdb.h | 3 ++- - src/db/sysdb_search.c | 5 ++++- - src/responder/nss/nss_enum.c | 3 ++- - src/responder/nss/nss_private.h | 1 + - src/responder/nss/nss_protocol_netgr.c | 7 +++++++ - 5 files changed, 16 insertions(+), 3 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index fd18ecefe..2660314a7 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -1219,7 +1219,8 @@ errno_t sysdb_attrs_to_list(TALLOC_CTX *mem_ctx, - - errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx, - struct ldb_result *res, -- struct sysdb_netgroup_ctx ***entries); -+ struct sysdb_netgroup_ctx ***entries, -+ size_t *netgroup_count); - - errno_t sysdb_dn_sanitize(TALLOC_CTX *mem_ctx, const char *input, - char **sanitized); -diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c -index dc0bd4f2c..b7ceb6e59 100644 ---- a/src/db/sysdb_search.c -+++ b/src/db/sysdb_search.c -@@ -1831,7 +1831,8 @@ done: - - errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx, - struct ldb_result *res, -- struct sysdb_netgroup_ctx ***entries) -+ struct sysdb_netgroup_ctx ***entries, -+ size_t *netgroup_count) - { - errno_t ret; - size_t size = 0; -@@ -1935,6 +1936,8 @@ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx, - tmp_entry[c] = NULL; - - *entries = talloc_steal(mem_ctx, tmp_entry); -+ *netgroup_count = c; -+ - ret = EOK; - - done: -diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c -index 031db9f2e..a45b65233 100644 ---- a/src/responder/nss/nss_enum.c -+++ b/src/responder/nss/nss_enum.c -@@ -144,7 +144,8 @@ static void nss_setent_internal_done(struct tevent_req *subreq) - /* We need to expand the netgroup into triples and members. 
*/ - ret = sysdb_netgr_to_entries(state->enum_ctx, - result[0]->ldb_result, -- &state->enum_ctx->netgroup); -+ &state->enum_ctx->netgroup, -+ &state->enum_ctx->netgroup_count); - if (ret != EOK) { - goto done; - } -diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h -index 5fc19d26b..aa8d8e9cd 100644 ---- a/src/responder/nss/nss_private.h -+++ b/src/responder/nss/nss_private.h -@@ -41,6 +41,7 @@ struct nss_enum_index { - struct nss_enum_ctx { - struct cache_req_result **result; - struct sysdb_netgroup_ctx **netgroup; -+ size_t netgroup_count; - - /* Ongoing cache request that is constructing enumeration result. */ - struct tevent_req *ongoing; -diff --git a/src/responder/nss/nss_protocol_netgr.c b/src/responder/nss/nss_protocol_netgr.c -index ed04fd258..9f27c6b78 100644 ---- a/src/responder/nss/nss_protocol_netgr.c -+++ b/src/responder/nss/nss_protocol_netgr.c -@@ -126,6 +126,13 @@ nss_protocol_fill_netgrent(struct nss_ctx *nss_ctx, - idx = cmd_ctx->enum_index; - entries = cmd_ctx->enum_ctx->netgroup; - -+ if (idx->result > cmd_ctx->enum_ctx->netgroup_count) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Unconsistent state while processing netgroups.\n"); -+ ret = EINVAL; -+ goto done; -+ } -+ - /* First two fields (length and reserved), filled up later. */ - ret = sss_packet_grow(packet, 2 * sizeof(uint32_t)); - if (ret != EOK) { --- -2.14.3 - diff --git a/0030-sssctl-Showing-help-even-when-sssd-not-configured.patch b/0030-sssctl-Showing-help-even-when-sssd-not-configured.patch deleted file mode 100644 index 949cb9a..0000000 --- a/0030-sssctl-Showing-help-even-when-sssd-not-configured.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 3d0fd106754c7614f5d9fb3875d0b40092d200f3 Mon Sep 17 00:00:00 2001 -From: amitkuma -Date: Thu, 15 Feb 2018 18:21:10 +0530 -Subject: [PATCH] sssctl: Showing help even when sssd not configured -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -On a clean and unconfigured system, it's not possible -to use --help. -1) dnf install sssd-tools -2) sssctl cache-remove --help -Shows: -[confdb_get_domains] (0x0010): No domains configured, fatal error! - -Solution: Donot check for confdb initialization when sssctl 3rd -command line argument passed is '--help'. - -Please note when we run 'sssctl --help' on unconfigured system -confdb check is not done and proper o/p is seen. - -Resolves: https://pagure.io/SSSD/sssd/issue/3634 - -Reviewed-by: Pavel Březina -(cherry picked from commit b8db8c2d83d1d75c42c1e17145d3907211b3a146) ---- - src/tools/common/sss_tools.c | 19 ++++++++++++------- - src/tools/common/sss_tools.h | 1 + - 2 files changed, 13 insertions(+), 7 deletions(-) - -diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c -index 4832db5a0..d45584ce1 100644 ---- a/src/tools/common/sss_tools.c -+++ b/src/tools/common/sss_tools.c -@@ -58,11 +58,14 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx, - poptContext pc; - int debug = SSSDBG_DEFAULT; - int orig_argc = *argc; -+ int help = 0; - int opt; - - struct poptOption options[] = { - {"debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_STRIP, &debug, - 0, _("The debug level to run with"), NULL }, -+ {"help", '?', POPT_ARG_VAL | POPT_ARGFLAG_DOC_HIDDEN, &help, -+ 1, NULL, NULL }, - POPT_TABLEEND - }; - -@@ -74,6 +77,7 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx, - /* Strip common options from arguments. We will discard_const here, - * since it is not worth the trouble to convert it back and forth. 
*/ - *argc = poptStrippedArgv(pc, orig_argc, discard_const_p(char *, argv)); -+ tool_ctx->print_help = help; - - DEBUG_CLI_INIT(debug); - -@@ -187,7 +191,6 @@ errno_t sss_tool_init(TALLOC_CTX *mem_ctx, - } - - sss_tool_common_opts(tool_ctx, argc, argv); -- - *_tool_ctx = tool_ctx; - - return EOK; -@@ -341,12 +344,14 @@ errno_t sss_tool_route(int argc, const char **argv, - return tool_ctx->init_err; - } - -- ret = tool_cmd_init(tool_ctx, &commands[i]); -- if (ret != EOK) { -- DEBUG(SSSDBG_FATAL_FAILURE, -- "Command initialization failed [%d] %s\n", -- ret, sss_strerror(ret)); -- return ret; -+ if (!tool_ctx->print_help) { -+ ret = tool_cmd_init(tool_ctx, &commands[i]); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "Command initialization failed [%d] %s\n", -+ ret, sss_strerror(ret)); -+ return ret; -+ } - } - - return commands[i].fn(&cmdline, tool_ctx, pvt); -diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h -index 848009365..0e4308ee6 100644 ---- a/src/tools/common/sss_tools.h -+++ b/src/tools/common/sss_tools.h -@@ -29,6 +29,7 @@ - struct sss_tool_ctx { - struct confdb_ctx *confdb; - -+ bool print_help; - errno_t init_err; - char *default_domain; - struct sss_domain_info *domains; --- -2.14.3 - diff --git a/0031-sssctl-move-check-for-version-error-to-correct-place.patch b/0031-sssctl-move-check-for-version-error-to-correct-place.patch deleted file mode 100644 index 2ee637f..0000000 --- a/0031-sssctl-move-check-for-version-error-to-correct-place.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 08fced82ad1a8bc03c69f84bcfdb495a5f473165 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Tue, 3 Apr 2018 10:20:29 +0200 -Subject: [PATCH] sssctl: move check for version error to correct place -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This check was added here: - -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 490) int sss_tool_main(int argc, const char **argv, -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 491) struct sss_route_cmd *commands, -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 492) void *pvt) -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 493) { -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 494) struct sss_tool_ctx *tool_ctx; -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 495) uid_t uid; -e98ccef2 (Pavel Březina 2016-06-09 16:13:34 +0200 496) errno_t ret; -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 497) -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 498) uid = getuid(); -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 499) if (uid != 0) { -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 500) DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", uid); -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 501) ERROR("%1$s must be run as root\n", argv[0]); -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 502) return EXIT_FAILURE; -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 503) } -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 504) -a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 505) ret = sss_tool_init(NULL, &argc, argv, &tool_ctx); -a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 506) if (ret == ERR_SYSDB_VERSION_TOO_OLD) { -a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 507) tool_ctx->init_err = ret; -a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 508) } else if (ret != EOK) { -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 509) DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool 
context\n"); -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 510) return EXIT_FAILURE; -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 511) } - -But then the initialization code was moved from sss_tool_init to tool_cmd_init which is called from sss_tool_route. - -a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 328) if (!sss_tools_handles_init_error(&commands[i], tool_ctx->init_err)) { -a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 329) DEBUG(SSSDBG_FATAL_FAILURE, -a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 330) "Command %s does not handle initialization error [%d] %s\n", -a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 331) cmdline.command, tool_ctx->init_err, -a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 332) sss_strerror(tool_ctx->init_err)); -a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 333) return tool_ctx->init_err; -a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 334) } -a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 335) -cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 336) ret = tool_cmd_init(tool_ctx, &commands[i]); -cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 337) if (ret != EOK) { -cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 338) DEBUG(SSSDBG_FATAL_FAILURE, -cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 339) "Command initialization failed [%d] %s\n", -cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 340) ret, sss_strerror(ret)); -cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 341) return ret; -cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 342) } -cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 343) -284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 344) return commands[i].fn(&cmdline, tool_ctx, pvt); - -This rendered the original change a dead code, because sss_tool_init only returns ENOMEM or EOK. 
- -Reviewed-by: Fabiano Fidêncio -(cherry picked from commit fe58f0fbf34de5931ce3305396e5e4467796a325) ---- - src/tools/common/sss_tools.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c -index d45584ce1..701db2d93 100644 ---- a/src/tools/common/sss_tools.c -+++ b/src/tools/common/sss_tools.c -@@ -346,7 +346,9 @@ errno_t sss_tool_route(int argc, const char **argv, - - if (!tool_ctx->print_help) { - ret = tool_cmd_init(tool_ctx, &commands[i]); -- if (ret != EOK) { -+ if (ret == ERR_SYSDB_VERSION_TOO_OLD) { -+ tool_ctx->init_err = ret; -+ } else if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, - "Command initialization failed [%d] %s\n", - ret, sss_strerror(ret)); -@@ -516,9 +518,7 @@ int sss_tool_main(int argc, const char **argv, - } - - ret = sss_tool_init(NULL, &argc, argv, &tool_ctx); -- if (ret == ERR_SYSDB_VERSION_TOO_OLD) { -- tool_ctx->init_err = ret; -- } else if (ret != EOK) { -+ if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n"); - return EXIT_FAILURE; - } --- -2.14.3 - diff --git a/0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch b/0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch deleted file mode 100644 index 9fac092..0000000 --- a/0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 39539d7b882722336bb4bfad99ef3ebadfc9b276 Mon Sep 17 00:00:00 2001 -From: amitkumar50 -Date: Tue, 10 Apr 2018 15:29:01 +0530 -Subject: [PATCH] MAN: Add sss-certmap man page regarding priority processing - -PR adds following text in PRIORITY section of man sss-certmap: -The processing is stopped when a matched rule is found and no -further rules are checked. - -Resolves: https://pagure.io/SSSD/sssd/issue/3469 - -Reviewed-by: Justin Stephenson -(cherry picked from commit 56839605d139573319b7df24774b56ea78ec742b) ---- - src/man/sss-certmap.5.xml | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml -index 593cd4666..db258d14a 100644 ---- a/src/man/sss-certmap.5.xml -+++ b/src/man/sss-certmap.5.xml -@@ -44,7 +44,9 @@ - - The rules are processed by priority while the number '0' (zero) - indicates the highest priority. The higher the number the lower is -- the priority. A missing value indicates the lowest priority. -+ the priority. A missing value indicates the lowest priority. The -+ rules processing is stopped when a matched rule is found and no -+ further rules are checked. - - - Internally the priority is treated as unsigned 32bit integer, using --- -2.14.3 - diff --git a/0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch b/0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch deleted file mode 100644 index df640fd..0000000 --- a/0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From ac1636acadcf8e799a93d799140e8ff2d533f313 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Tue, 23 Jan 2018 11:23:37 +0100 -Subject: [PATCH] SDAP: Improve a DEBUG message about GC detection -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It was not entirely clear what the message means. We should improve the -debug message to make it clear that all or none attributes should be -replicated to the Global Catalog. - -This patch can be reverted once we fix -https://pagure.io/SSSD/sssd/issue/3538 and only use the GC to look up -the entry DN, not the entry itself. - -Reviewed-by: Fabiano Fidêncio -(cherry picked from commit 2d43eaf43540c375d39c5e1c2482595e919fb4df) ---- - src/providers/ldap/sdap_async.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c -index 76cfce207..1e77b1c3c 100644 ---- a/src/providers/ldap/sdap_async.c -+++ b/src/providers/ldap/sdap_async.c -@@ -2720,7 +2720,11 @@ static void sdap_gc_posix_check_done(struct tevent_req *subreq) - - /* Positive hit is definitive, no need to search other bases */ - if (state->has_posix == true) { -- DEBUG(SSSDBG_FUNC_DATA, "Server has POSIX attributes\n"); -+ DEBUG(SSSDBG_FUNC_DATA, "Server has POSIX attributes. Global Catalog will " -+ "be used for user and group lookups. Note that if " -+ "only a subset of POSIX attributes is present " -+ "in GC, the non-replicated attributes are " -+ "currently not read from the LDAP port\n"); - tevent_req_done(req); - return; - } --- -2.14.3 - diff --git a/0034-MAN-Improve-docs-about-GC-detection.patch b/0034-MAN-Improve-docs-about-GC-detection.patch deleted file mode 100644 index d9fe8d4..0000000 --- a/0034-MAN-Improve-docs-about-GC-detection.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 1438765a294161b9b636e01ed86bc52c540183d3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= -Date: Thu, 12 Apr 2018 10:38:42 +0200 -Subject: [PATCH] MAN: Improve docs about GC detection -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add the same note we have as part of our debug to the sssd-ad manual. - -Signed-off-by: Fabiano Fidêncio -Reviewed-by: Jakub Hrozek -(cherry picked from commit 4ab8734cc45fab2d1a0e690b566da1bda63df76c) ---- - src/man/sssd-ad.5.xml | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml -index be2593dca..f43c7fcf4 100644 ---- a/src/man/sssd-ad.5.xml -+++ b/src/man/sssd-ad.5.xml -@@ -100,6 +100,9 @@ ldap_id_mapping = False - domains in the forest sequentially. Please note that the - cache_first option might be also helpful in - speeding up domainless searches. -+ Note that if only a subset of POSIX attributes is present in -+ the Global Catalog, the non-replicated attributes are currently -+ not read from the LDAP port. - - - Users, groups and other entities served by SSSD are always treated as --- -2.14.3 - diff --git a/0035-nss-idmap-do-not-set-a-limit.patch b/0035-nss-idmap-do-not-set-a-limit.patch deleted file mode 100644 index 7975f19..0000000 --- a/0035-nss-idmap-do-not-set-a-limit.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From b489dcc998fc305f3a0a43b6484c042065320001 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 18 Apr 2018 10:20:06 +0200 -Subject: [PATCH] nss-idmap: do not set a limit - -If the limit is set the needed size to return all groups cannot be -returned. - -Related to https://pagure.io/SSSD/sssd/issue/3715 - -Reviewed-by: Jakub Hrozek -(cherry picked from commit 46a4c265629d9b725c41f22849741ce7342bdd85) ---- - src/sss_client/idmap/sss_nss_ex.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c -index c00e64cc4..b87b5e3b2 100644 ---- a/src/sss_client/idmap/sss_nss_ex.c -+++ b/src/sss_client/idmap/sss_nss_ex.c -@@ -96,7 +96,9 @@ errno_t sss_nss_mc_get(struct nss_input *inp) - inp->result.initgrrep.start, - inp->result.initgrrep.ngroups, - &(inp->result.initgrrep.groups), -- *(inp->result.initgrrep.ngroups)); -+ /* no limit so that needed size can -+ * be returned properly */ -+ -1); - break; - default: - return EINVAL; --- -2.14.3 - diff --git a/0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch b/0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch deleted file mode 100644 index 012a426..0000000 --- a/0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From b24ef81656fc3d0dce49b1756ba53c46b5881a14 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 18 Apr 2018 10:23:22 +0200 -Subject: [PATCH] nss-idmap: use right group list pointer after sss_get_ex() - -If the initial array is too small it will be reallocated during -sss_get_ex() and the pointer might change and the initial memory area -should not be used anymore. - -Related to https://pagure.io/SSSD/sssd/issue/3715 - -Reviewed-by: Jakub Hrozek -(cherry picked from commit 2c4dc7a4d98c439c69625f12ba4c3c8253f4cc5b) ---- - src/sss_client/idmap/sss_nss_ex.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c -index b87b5e3b2..971422063 100644 ---- a/src/sss_client/idmap/sss_nss_ex.c -+++ b/src/sss_client/idmap/sss_nss_ex.c -@@ -485,7 +485,6 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group, - uint32_t flags, unsigned int timeout) - { - int ret; -- gid_t *new_groups; - long int new_ngroups; - long int start = 1; - struct nss_input inp = { -@@ -498,27 +497,28 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group, - } - - new_ngroups = MAX(1, *ngroups); -- new_groups = malloc(new_ngroups * sizeof(gid_t)); -- if (new_groups == NULL) { -+ inp.result.initgrrep.groups = malloc(new_ngroups * sizeof(gid_t)); -+ if (inp.result.initgrrep.groups == NULL) { - free(discard_const(inp.rd.data)); - return ENOMEM; - } -- new_groups[0] = group; -+ inp.result.initgrrep.groups[0] = group; - -- inp.result.initgrrep.groups = new_groups, - inp.result.initgrrep.ngroups = &new_ngroups; - inp.result.initgrrep.start = &start; - -- -+ /* inp.result.initgrrep.groups, inp.result.initgrrep.ngroups and -+ * inp.result.initgrrep.start might be modified by sss_get_ex() */ - ret = sss_get_ex(&inp, flags, timeout); - free(discard_const(inp.rd.data)); - if (ret != 0) { -- free(new_groups); -+ free(inp.result.initgrrep.groups); - return ret; - } - -- 
memcpy(groups, new_groups, MIN(*ngroups, start) * sizeof(gid_t)); -- free(new_groups); -+ memcpy(groups, inp.result.initgrrep.groups, -+ MIN(*ngroups, start) * sizeof(gid_t)); -+ free(inp.result.initgrrep.groups); - - if (start > *ngroups) { - ret = ERANGE; --- -2.14.3 - diff --git a/0037-NSS-Add-InvalidateGroupById-handler.patch b/0037-NSS-Add-InvalidateGroupById-handler.patch deleted file mode 100644 index 7cb604e..0000000 --- a/0037-NSS-Add-InvalidateGroupById-handler.patch +++ /dev/null 
@@ -1,177 +0,0 @@ -From d1f38315fa7f8c9d3392af0feb32afc56a0f6c4e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= -Date: Fri, 16 Feb 2018 13:55:53 +0100 -Subject: [PATCH] NSS: Add InvalidateGroupById handler -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -There are some situations where, from the backend, the NSS responder -will have to be notified to invalidate a group. - -In order to achieve this in a clean way, let's add the -InvalidateGroupById handler and make use of it later in this very same -series. - -Related: -https://pagure.io/SSSD/sssd/issue/2653 - -Signed-off-by: Fabiano Fidêncio -Reviewed-by: Jakub Hrozek -(cherry picked from commit 851d31264c826d7e1bca38bb6d49e66b446707e7) ---- - src/responder/nss/nss_iface.c | 16 ++++++++++++++ - src/responder/nss/nss_iface.xml | 3 +++ - src/responder/nss/nss_iface_generated.c | 38 +++++++++++++++++++++++++++++++++ - src/responder/nss/nss_iface_generated.h | 5 +++++ - 4 files changed, 62 insertions(+) - -diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c -index 415af9550..805e4fcdf 100644 ---- a/src/responder/nss/nss_iface.c -+++ b/src/responder/nss/nss_iface.c -@@ -199,12 +199,28 @@ int nss_memorycache_update_initgroups(struct sbus_request *sbus_req, - return iface_nss_memorycache_UpdateInitgroups_finish(sbus_req); - } - -+int nss_memorycache_invalidate_group_by_id(struct sbus_request *sbus_req, -+ void *data, -+ gid_t gid) -+{ -+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx); -+ struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx); -+ -+ DEBUG(SSSDBG_TRACE_LIBS, -+ "Invalidating group %"PRIu32" from memory cache\n", gid); -+ -+ sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, gid); -+ -+ return iface_nss_memorycache_InvalidateGroupById_finish(sbus_req); -+} -+ - struct iface_nss_memorycache iface_nss_memorycache = { - { &iface_nss_memorycache_meta, 0 }, - .UpdateInitgroups = 
nss_memorycache_update_initgroups, - .InvalidateAllUsers = nss_memorycache_invalidate_users, - .InvalidateAllGroups = nss_memorycache_invalidate_groups, - .InvalidateAllInitgroups = nss_memorycache_invalidate_initgroups, -+ .InvalidateGroupById = nss_memorycache_invalidate_group_by_id, - }; - - static struct sbus_iface_map iface_map[] = { -diff --git a/src/responder/nss/nss_iface.xml b/src/responder/nss/nss_iface.xml -index 27aae0197..4d8cf14f9 100644 ---- a/src/responder/nss/nss_iface.xml -+++ b/src/responder/nss/nss_iface.xml -@@ -14,5 +14,8 @@ - - - -+ -+ -+ - - -diff --git a/src/responder/nss/nss_iface_generated.c b/src/responder/nss/nss_iface_generated.c -index 4a8b704da..8d5a4584b 100644 ---- a/src/responder/nss/nss_iface_generated.c -+++ b/src/responder/nss/nss_iface_generated.c -@@ -12,6 +12,9 @@ - /* invokes a handler with a 'ssau' DBus signature */ - static int invoke_ssau_method(struct sbus_request *dbus_req, void *function_ptr); - -+/* invokes a handler with a 'u' DBus signature */ -+static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr); -+ - /* arguments for org.freedesktop.sssd.nss.MemoryCache.UpdateInitgroups */ - const struct sbus_arg_meta iface_nss_memorycache_UpdateInitgroups__in[] = { - { "user", "s" }, -@@ -44,6 +47,18 @@ int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *re - DBUS_TYPE_INVALID); - } - -+/* arguments for org.freedesktop.sssd.nss.MemoryCache.InvalidateGroupById */ -+const struct sbus_arg_meta iface_nss_memorycache_InvalidateGroupById__in[] = { -+ { "gid", "u" }, -+ { NULL, } -+}; -+ -+int iface_nss_memorycache_InvalidateGroupById_finish(struct sbus_request *req) -+{ -+ return sbus_request_return_and_finish(req, -+ DBUS_TYPE_INVALID); -+} -+ - /* methods for org.freedesktop.sssd.nss.MemoryCache */ - const struct sbus_method_meta iface_nss_memorycache__methods[] = { - { -@@ -74,6 +89,13 @@ const struct sbus_method_meta iface_nss_memorycache__methods[] = { - offsetof(struct 
iface_nss_memorycache, InvalidateAllInitgroups), - NULL, /* no invoker */ - }, -+ { -+ "InvalidateGroupById", /* name */ -+ iface_nss_memorycache_InvalidateGroupById__in, -+ NULL, /* no out_args */ -+ offsetof(struct iface_nss_memorycache, InvalidateGroupById), -+ invoke_u_method, -+ }, - { NULL, } - }; - -@@ -86,6 +108,22 @@ const struct sbus_interface_meta iface_nss_memorycache_meta = { - sbus_invoke_get_all, /* GetAll invoker */ - }; - -+/* invokes a handler with a 'u' DBus signature */ -+static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr) -+{ -+ uint32_t arg_0; -+ int (*handler)(struct sbus_request *, void *, uint32_t) = function_ptr; -+ -+ if (!sbus_request_parse_or_finish(dbus_req, -+ DBUS_TYPE_UINT32, &arg_0, -+ DBUS_TYPE_INVALID)) { -+ return EOK; /* request handled */ -+ } -+ -+ return (handler)(dbus_req, dbus_req->intf->handler_data, -+ arg_0); -+} -+ - /* invokes a handler with a 'ssau' DBus signature */ - static int invoke_ssau_method(struct sbus_request *dbus_req, void *function_ptr) - { -diff --git a/src/responder/nss/nss_iface_generated.h b/src/responder/nss/nss_iface_generated.h -index 11fac7916..27a6d0853 100644 ---- a/src/responder/nss/nss_iface_generated.h -+++ b/src/responder/nss/nss_iface_generated.h -@@ -18,6 +18,7 @@ - #define IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS "InvalidateAllUsers" - #define IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS "InvalidateAllGroups" - #define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS "InvalidateAllInitgroups" -+#define IFACE_NSS_MEMORYCACHE_INVALIDATEGROUPBYID "InvalidateGroupById" - - /* ------------------------------------------------------------------------ - * DBus handlers -@@ -44,6 +45,7 @@ struct iface_nss_memorycache { - int (*InvalidateAllUsers)(struct sbus_request *req, void *data); - int (*InvalidateAllGroups)(struct sbus_request *req, void *data); - int (*InvalidateAllInitgroups)(struct sbus_request *req, void *data); -+ int (*InvalidateGroupById)(struct sbus_request *req, 
void *data, uint32_t arg_gid); - }; - - /* finish function for UpdateInitgroups */ -@@ -58,6 +60,9 @@ int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req); - /* finish function for InvalidateAllInitgroups */ - int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *req); - -+/* finish function for InvalidateGroupById */ -+int iface_nss_memorycache_InvalidateGroupById_finish(struct sbus_request *req); -+ - /* ------------------------------------------------------------------------ - * DBus Interface Metadata - * --- -2.14.3 - diff --git a/0038-DP-Add-dp_sbus_invalidate_group_memcache.patch b/0038-DP-Add-dp_sbus_invalidate_group_memcache.patch deleted file mode 100644 index 7f738c6..0000000 --- a/0038-DP-Add-dp_sbus_invalidate_group_memcache.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From efaabeae96f76036bbe06122f7fbf70a66d26c56 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= -Date: Mon, 19 Feb 2018 08:42:10 +0100 -Subject: [PATCH] DP: Add dp_sbus_invalidate_group_memcache() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This function will be called from the data provider to the NSS -responder, which will invalidate a group in the memcache. - -Related: -https://pagure.io/SSSD/sssd/issue/2653 - -Signed-off-by: Fabiano Fidêncio -Reviewed-by: Jakub Hrozek -(cherry picked from commit 709c42f0cabc96d0e0edf72753a0967593206ff4) ---- - src/providers/data_provider/dp.h | 2 ++ - src/providers/data_provider/dp_resp_client.c | 45 ++++++++++++++++++++++++++++ - 2 files changed, 47 insertions(+) - -diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h -index ceb49da53..e8b2f9c8f 100644 ---- a/src/providers/data_provider/dp.h -+++ b/src/providers/data_provider/dp.h -@@ -179,6 +179,8 @@ void dp_sbus_reset_groups_ncache(struct data_provider *provider, - void dp_sbus_reset_users_memcache(struct data_provider *provider); - void dp_sbus_reset_groups_memcache(struct data_provider *provider); - void dp_sbus_reset_initgr_memcache(struct data_provider *provider); -+void dp_sbus_invalidate_group_memcache(struct data_provider *provider, -+ gid_t gid); - - /* - * A dummy handler for DPM_ACCT_DOMAIN_HANDLER. 
-diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c -index 5735188a6..a61f7c59d 100644 ---- a/src/providers/data_provider/dp_resp_client.c -+++ b/src/providers/data_provider/dp_resp_client.c -@@ -189,3 +189,48 @@ void dp_sbus_reset_initgr_memcache(struct data_provider *provider) - return dp_sbus_reset_memcache(provider, - IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS); - } -+ -+void dp_sbus_invalidate_group_memcache(struct data_provider *provider, -+ gid_t gid) -+{ -+ struct dp_client *dp_cli; -+ DBusMessage *msg; -+ dbus_bool_t dbret; -+ -+ if (provider == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "No provider pointer\n"); -+ return; -+ } -+ -+ dp_cli = provider->clients[DPC_NSS]; -+ if (dp_cli == NULL) { -+ return; -+ } -+ -+ msg = dbus_message_new_method_call(NULL, -+ NSS_MEMORYCACHE_PATH, -+ IFACE_NSS_MEMORYCACHE, -+ IFACE_NSS_MEMORYCACHE_INVALIDATEGROUPBYID); -+ if (msg == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); -+ return; -+ } -+ -+ dbret = dbus_message_append_args(msg, -+ DBUS_TYPE_UINT32, &gid, -+ DBUS_TYPE_INVALID); -+ if (!dbret) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); -+ dbus_message_unref(msg); -+ return; -+ } -+ -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Ordering NSS responder to invalidate the group %"PRIu32" \n", -+ gid); -+ -+ sbus_conn_send_reply(dp_client_conn(dp_cli), msg); -+ dbus_message_unref(msg); -+ -+ return; -+} --- -2.14.3 - diff --git a/0039-ERRORS-Add-ERR_GID_DUPLICATED.patch b/0039-ERRORS-Add-ERR_GID_DUPLICATED.patch deleted file mode 100644 index 8dbcc78..0000000 --- a/0039-ERRORS-Add-ERR_GID_DUPLICATED.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 454f493664bf117c27634e6efe33ebe7d5a85c56 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= -Date: Mon, 19 Feb 2018 08:29:36 +0100 -Subject: [PATCH] ERRORS: Add ERR_GID_DUPLICATED -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This new error will be returned from sysdb_add_incomplete_group() -when renaming a group which will case gid collision. - -Related: -https://pagure.io/SSSD/sssd/issue/2653 - -Signed-off-by: Fabiano Fidêncio -Reviewed-by: Jakub Hrozek -(cherry picked from commit ccd349f0274217e1f0cc118e3a6045e2235ce420) ---- - src/util/util_errors.c | 1 + - src/util/util_errors.h | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/src/util/util_errors.c b/src/util/util_errors.c -index 39ce3d7dc..e2bb2a014 100644 ---- a/src/util/util_errors.c -+++ b/src/util/util_errors.c -@@ -118,6 +118,7 @@ struct err_string error_to_str[] = { - { "GetAccountDomain() not supported" }, /* ERR_GET_ACCT_DOM_NOT_SUPPORTED */ - { "The last GetAccountDomain() result is still valid" }, /* ERR_GET_ACCT_DOM_CACHED */ - { "ID is outside the allowed range" }, /* ERR_ID_OUTSIDE_RANGE */ -+ { "Group ID is duplicated" }, /* ERR_GID_DUPLICATED */ - { "ERR_LAST" } /* ERR_LAST */ - }; - -diff --git a/src/util/util_errors.h b/src/util/util_errors.h -index ad4dad5f8..49501727d 100644 ---- a/src/util/util_errors.h -+++ b/src/util/util_errors.h -@@ -140,6 +140,7 @@ enum sssd_errors { - ERR_GET_ACCT_DOM_NOT_SUPPORTED, - ERR_GET_ACCT_DOM_CACHED, - ERR_ID_OUTSIDE_RANGE, -+ ERR_GID_DUPLICATED, - ERR_LAST /* ALWAYS LAST */ - }; - --- -2.14.3 - diff --git a/0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch b/0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch deleted file mode 100644 index d2df4bf..0000000 --- a/0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch +++ /dev/null 
@@ -1,380 +0,0 @@ -From f60c77df9b7162f46d8639f940d5df31f64f5815 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Mon, 9 Apr 2018 12:36:45 +0200 -Subject: [PATCH] LDAP: Augment the sdap_opts structure with a data provider - pointer -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In order to be able to use the Data Provider methods from the SDAP code -to e.g. invalidate memcache when needed, add a new field to the -sdap_options structure with the data_provider structure pointer. - -Fill the pointer value for all LDAP-based providers. - -Related: -https://pagure.io/SSSD/sssd/issue/2653 - -Reviewed-by: Fabiano Fidêncio -(cherry picked from commit d2633d922eeed68f92be4248b9172b928c189920) ---- - src/providers/ad/ad_common.c | 18 +++++++++++++----- - src/providers/ad/ad_common.h | 4 ++++ - src/providers/ad/ad_init.c | 5 ++++- - src/providers/ad/ad_subdomains.c | 8 ++++++-- - src/providers/ipa/ipa_common.c | 2 ++ - src/providers/ipa/ipa_common.h | 1 + - src/providers/ipa/ipa_init.c | 5 ++++- - src/providers/ipa/ipa_subdomains_server.c | 2 ++ - src/providers/ldap/ldap_common.h | 1 + - src/providers/ldap/ldap_init.c | 3 ++- - src/providers/ldap/ldap_options.c | 2 ++ - src/providers/ldap/sdap.h | 1 + - src/tests/cmocka/common_mock_sdap.c | 2 +- - src/tests/cmocka/test_ad_common.c | 3 +++ - 14 files changed, 46 insertions(+), 11 deletions(-) - -diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c -index 2a1647173..d92c68e6f 100644 ---- a/src/providers/ad/ad_common.c -+++ b/src/providers/ad/ad_common.c -@@ -35,7 +35,8 @@ static errno_t ad_set_sdap_options(struct ad_options *ad_opts, - struct sdap_options *id_opts); - - static struct sdap_options * --ad_create_default_sdap_options(TALLOC_CTX *mem_ctx) -+ad_create_default_sdap_options(TALLOC_CTX *mem_ctx, -+ struct data_provider *dp) - { - struct sdap_options *id_opts; - errno_t ret; -@@ -44,6 +45,7 @@ ad_create_default_sdap_options(TALLOC_CTX *mem_ctx) - if 
(!id_opts) { - return NULL; - } -+ id_opts->dp = dp; - - ret = dp_copy_defaults(id_opts, - ad_def_ldap_opts, -@@ -112,6 +114,7 @@ static errno_t - ad_create_sdap_options(TALLOC_CTX *mem_ctx, - struct confdb_ctx *cdb, - const char *conf_path, -+ struct data_provider *dp, - struct sdap_options **_id_opts) - { - struct sdap_options *id_opts; -@@ -119,7 +122,7 @@ ad_create_sdap_options(TALLOC_CTX *mem_ctx, - - if (cdb == NULL || conf_path == NULL) { - /* Fallback to defaults if there is no confdb */ -- id_opts = ad_create_default_sdap_options(mem_ctx); -+ id_opts = ad_create_default_sdap_options(mem_ctx, dp); - if (id_opts == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Failed to initialize default sdap options\n"); -@@ -220,6 +223,7 @@ struct ad_options * - ad_create_options(TALLOC_CTX *mem_ctx, - struct confdb_ctx *cdb, - const char *conf_path, -+ struct data_provider *dp, - struct sss_domain_info *subdom) - { - struct ad_options *ad_options; -@@ -252,6 +256,7 @@ ad_create_options(TALLOC_CTX *mem_ctx, - ret = ad_create_sdap_options(ad_options, - cdb, - conf_path, -+ dp, - &ad_options->id); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD LDAP options\n"); -@@ -304,6 +309,7 @@ struct ad_options * - ad_create_2way_trust_options(TALLOC_CTX *mem_ctx, - struct confdb_ctx *cdb, - const char *conf_path, -+ struct data_provider *dp, - const char *realm, - struct sss_domain_info *subdom, - const char *hostname, -@@ -315,7 +321,7 @@ ad_create_2way_trust_options(TALLOC_CTX *mem_ctx, - DEBUG(SSSDBG_TRACE_FUNC, "2way trust is defined to domain '%s'\n", - subdom->name); - -- ad_options = ad_create_options(mem_ctx, cdb, conf_path, subdom); -+ ad_options = ad_create_options(mem_ctx, cdb, conf_path, dp, subdom); - if (ad_options == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n"); - return NULL; -@@ -343,6 +349,7 @@ struct ad_options * - ad_create_1way_trust_options(TALLOC_CTX *mem_ctx, - struct confdb_ctx *cdb, - const char *subdom_conf_path, -+ 
struct data_provider *dp, - struct sss_domain_info *subdom, - const char *hostname, - const char *keytab, -@@ -355,7 +362,7 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx, - DEBUG(SSSDBG_TRACE_FUNC, "1way trust is defined to domain '%s'\n", - subdom->name); - -- ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, subdom); -+ ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, dp, subdom); - if (ad_options == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n"); - return NULL; -@@ -1056,12 +1063,13 @@ errno_t - ad_get_id_options(struct ad_options *ad_opts, - struct confdb_ctx *cdb, - const char *conf_path, -+ struct data_provider *dp, - struct sdap_options **_opts) - { - struct sdap_options *id_opts; - errno_t ret; - -- ret = ad_create_sdap_options(ad_opts, cdb, conf_path, &id_opts); -+ ret = ad_create_sdap_options(ad_opts, cdb, conf_path, dp, &id_opts); - if (ret != EOK) { - return ENOMEM; - } -diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h -index 931aafc6c..6eb2ba7e9 100644 ---- a/src/providers/ad/ad_common.h -+++ b/src/providers/ad/ad_common.h -@@ -112,11 +112,13 @@ ad_get_common_options(TALLOC_CTX *mem_ctx, - struct ad_options *ad_create_options(TALLOC_CTX *mem_ctx, - struct confdb_ctx *cdb, - const char *conf_path, -+ struct data_provider *dp, - struct sss_domain_info *subdom); - - struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx, - struct confdb_ctx *cdb, - const char *conf_path, -+ struct data_provider *dp, - const char *realm, - struct sss_domain_info *subdom, - const char *hostname, -@@ -125,6 +127,7 @@ struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx, - struct ad_options *ad_create_1way_trust_options(TALLOC_CTX *mem_ctx, - struct confdb_ctx *cdb, - const char *conf_path, -+ struct data_provider *dp, - struct sss_domain_info *subdom, - const char *hostname, - const char *keytab, -@@ -147,6 +150,7 @@ errno_t - ad_get_id_options(struct ad_options *ad_opts, 
- struct confdb_ctx *cdb, - const char *conf_path, -+ struct data_provider *dp, - struct sdap_options **_opts); - errno_t - ad_get_autofs_options(struct ad_options *ad_opts, -diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c -index 8c485a7c2..b19624782 100644 ---- a/src/providers/ad/ad_init.c -+++ b/src/providers/ad/ad_init.c -@@ -453,7 +453,10 @@ errno_t sssm_ad_init(TALLOC_CTX *mem_ctx, - - init_ctx->options->id_ctx = init_ctx->id_ctx; - -- ret = ad_get_id_options(init_ctx->options, be_ctx->cdb, be_ctx->conf_path, -+ ret = ad_get_id_options(init_ctx->options, -+ be_ctx->cdb, -+ be_ctx->conf_path, -+ be_ctx->provider, - &init_ctx->id_ctx->sdap_id_ctx->opts); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD id options\n"); -diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c -index bd94ba8ea..74b9f0751 100644 ---- a/src/providers/ad/ad_subdomains.c -+++ b/src/providers/ad/ad_subdomains.c -@@ -265,8 +265,12 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, - return ENOMEM; - } - -- ad_options = ad_create_2way_trust_options(id_ctx, be_ctx->cdb, -- subdom_conf_path, realm, subdom, -+ ad_options = ad_create_2way_trust_options(id_ctx, -+ be_ctx->cdb, -+ subdom_conf_path, -+ be_ctx->provider, -+ realm, -+ subdom, - hostname, keytab); - talloc_free(subdom_conf_path); - if (ad_options == NULL) { -diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c -index 2b81d7f3f..87ed96767 100644 ---- a/src/providers/ipa/ipa_common.c -+++ b/src/providers/ipa/ipa_common.c -@@ -171,6 +171,7 @@ static errno_t ipa_parse_search_base(TALLOC_CTX *mem_ctx, - int ipa_get_id_options(struct ipa_options *ipa_opts, - struct confdb_ctx *cdb, - const char *conf_path, -+ struct data_provider *dp, - struct sdap_options **_opts) - { - TALLOC_CTX *tmpctx; -@@ -190,6 +191,7 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, - ret = ENOMEM; - goto done; - } -+ ipa_opts->id->dp = dp; - - ret = 
sdap_domain_add(ipa_opts->id, - ipa_opts->id_ctx->sdap_id_ctx->be->domain, -diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h -index 3a1259ccd..725e0e937 100644 ---- a/src/providers/ipa/ipa_common.h -+++ b/src/providers/ipa/ipa_common.h -@@ -235,6 +235,7 @@ int ipa_get_options(TALLOC_CTX *memctx, - int ipa_get_id_options(struct ipa_options *ipa_opts, - struct confdb_ctx *cdb, - const char *conf_path, -+ struct data_provider *dp, - struct sdap_options **_opts); - - int ipa_get_auth_options(struct ipa_options *ipa_opts, -diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c -index cd2227896..931145985 100644 ---- a/src/providers/ipa/ipa_init.c -+++ b/src/providers/ipa/ipa_init.c -@@ -161,7 +161,10 @@ static errno_t ipa_init_id_ctx(TALLOC_CTX *mem_ctx, - ipa_id_ctx->sdap_id_ctx = sdap_id_ctx; - ipa_options->id_ctx = ipa_id_ctx; - -- ret = ipa_get_id_options(ipa_options, be_ctx->cdb, be_ctx->conf_path, -+ ret = ipa_get_id_options(ipa_options, -+ be_ctx->cdb, -+ be_ctx->conf_path, -+ be_ctx->provider, - &sdap_id_ctx->opts); - if (ret != EOK) { - goto done; -diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c -index d670a156b..1e53e7a95 100644 ---- a/src/providers/ipa/ipa_subdomains_server.c -+++ b/src/providers/ipa/ipa_subdomains_server.c -@@ -148,6 +148,7 @@ ipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx, - ad_options = ad_create_1way_trust_options(id_ctx, - be_ctx->cdb, - subdom_conf_path, -+ be_ctx->provider, - subdom, - id_ctx->server_mode->hostname, - keytab, -@@ -186,6 +187,7 @@ static struct ad_options *ipa_ad_options_new(struct be_ctx *be_ctx, - ad_options = ad_create_2way_trust_options(id_ctx, - be_ctx->cdb, - subdom_conf_path, -+ be_ctx->provider, - id_ctx->server_mode->realm, - subdom, - id_ctx->server_mode->hostname, -diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h -index 44dbc3fb0..548f0f985 100644 ---- 
a/src/providers/ldap/ldap_common.h -+++ b/src/providers/ldap/ldap_common.h -@@ -193,6 +193,7 @@ int ldap_get_options(TALLOC_CTX *memctx, - struct sss_domain_info *dom, - struct confdb_ctx *cdb, - const char *conf_path, -+ struct data_provider *dp, - struct sdap_options **_opts); - - int ldap_get_sudo_options(struct confdb_ctx *cdb, -diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c -index 83075b5d3..44b3e9ab3 100644 ---- a/src/providers/ldap/ldap_init.c -+++ b/src/providers/ldap/ldap_init.c -@@ -458,7 +458,8 @@ errno_t sssm_ldap_init(TALLOC_CTX *mem_ctx, - - /* Always initialize options since it is needed everywhere. */ - ret = ldap_get_options(init_ctx, be_ctx->domain, be_ctx->cdb, -- be_ctx->conf_path, &init_ctx->options); -+ be_ctx->conf_path, be_ctx->provider, -+ &init_ctx->options); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize LDAP options " - "[%d]: %s\n", ret, sss_strerror(ret)); -diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c -index ccc1a2c5b..0b79715d2 100644 ---- a/src/providers/ldap/ldap_options.c -+++ b/src/providers/ldap/ldap_options.c -@@ -27,6 +27,7 @@ int ldap_get_options(TALLOC_CTX *memctx, - struct sss_domain_info *dom, - struct confdb_ctx *cdb, - const char *conf_path, -+ struct data_provider *dp, - struct sdap_options **_opts) - { - struct sdap_attr_map *default_attr_map; -@@ -57,6 +58,7 @@ int ldap_get_options(TALLOC_CTX *memctx, - - opts = talloc_zero(memctx, struct sdap_options); - if (!opts) return ENOMEM; -+ opts->dp = dp; - - ret = sdap_domain_add(opts, dom, NULL); - if (ret != EOK) { -diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h -index ecf9c4d2e..e892c4071 100644 ---- a/src/providers/ldap/sdap.h -+++ b/src/providers/ldap/sdap.h -@@ -465,6 +465,7 @@ struct sdap_certmap_ctx; - - struct sdap_options { - struct dp_option *basic; -+ struct data_provider *dp; - struct sdap_attr_map *gen_map; - struct sdap_attr_map *user_map; - size_t 
user_map_cnt; -diff --git a/src/tests/cmocka/common_mock_sdap.c b/src/tests/cmocka/common_mock_sdap.c -index cef321613..fa4787c4b 100644 ---- a/src/tests/cmocka/common_mock_sdap.c -+++ b/src/tests/cmocka/common_mock_sdap.c -@@ -48,7 +48,7 @@ struct sdap_options *mock_sdap_options_ldap(TALLOC_CTX *mem_ctx, - struct sdap_options *opts = NULL; - errno_t ret; - -- ret = ldap_get_options(mem_ctx, domain, confdb_ctx, conf_path, &opts); -+ ret = ldap_get_options(mem_ctx, domain, confdb_ctx, conf_path, NULL, &opts); - if (ret != EOK) { - return NULL; - } -diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c -index 94f351e19..39ebbc633 100644 ---- a/src/tests/cmocka/test_ad_common.c -+++ b/src/tests/cmocka/test_ad_common.c -@@ -449,6 +449,7 @@ static void test_ad_create_1way_trust_options(void **state) - test_ctx->ad_ctx, - NULL, - NULL, -+ NULL, - test_ctx->subdom, - ONEWAY_HOST_NAME, - ONEWAY_KEYTAB_PATH, -@@ -515,6 +516,7 @@ static void test_ad_create_2way_trust_options(void **state) - test_ctx->ad_ctx, - NULL, - NULL, -+ NULL, - REALMNAME, - test_ctx->subdom, - HOST_NAME, -@@ -585,6 +587,7 @@ test_ldap_conn_setup(void **state) - ad_ctx, - NULL, - NULL, -+ NULL, - REALMNAME, - test_ctx->subdom, - HOST_NAME, --- -2.14.3 - diff --git a/0041-SDAP-Add-sdap_handle_id_collision_for_incomplete_gro.patch b/0041-SDAP-Add-sdap_handle_id_collision_for_incomplete_gro.patch deleted file mode 100644 index bcba007..0000000 --- a/0041-SDAP-Add-sdap_handle_id_collision_for_incomplete_gro.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From 87a0027c7dbc54422ac519ef8eef0323baff4b60 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= -Date: Mon, 19 Feb 2018 12:43:06 +0100 -Subject: [PATCH] SDAP: Add sdap_handle_id_collision_for_incomplete_groups() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This newly added function is a helper to properly hadle group -id-collisions when renaming incomplete groups and it does: -- Deletes the group from sysdb -- Adds the new incomplete group -- Notifies the NSS responder that the entry also has to be deleted from - the memory cache - -This function will be called from -sdap_ad_save_group_membership_with_idmapping() and from -sdap_add_incomplete_groups(). - -Related: -https://pagure.io/SSSD/sssd/issue/2653 - -Signed-off-by: Fabiano Fidêncio -Reviewed-by: Jakub Hrozek -(cherry picked from commit a537df2ea99acb0181dc360ddf9a60b69c16faf0) ---- - src/providers/ldap/sdap_async.h | 11 ++++++++++ - src/providers/ldap/sdap_async_initgroups.c | 34 ++++++++++++++++++++++++++++++ - 2 files changed, 45 insertions(+) - -diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h -index 40da81fb9..6ca3ed8d8 100644 ---- a/src/providers/ldap/sdap_async.h -+++ b/src/providers/ldap/sdap_async.h -@@ -412,4 +412,15 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx, - errno_t - sdap_ad_tokengroups_initgroups_recv(struct tevent_req *req); - -+errno_t -+sdap_handle_id_collision_for_incomplete_groups(struct data_provider *dp, -+ struct sss_domain_info *domain, -+ const char *name, -+ gid_t gid, -+ const char *original_dn, -+ const char *sid_str, -+ const char *uuid, -+ bool posix, -+ time_t now); -+ - #endif /* _SDAP_ASYNC_H_ */ -diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c -index 326294a1c..34747be59 100644 ---- a/src/providers/ldap/sdap_async_initgroups.c -+++ b/src/providers/ldap/sdap_async_initgroups.c -@@ -3543,3 
+3543,37 @@ errno_t get_sysdb_grouplist_dn(TALLOC_CTX *mem_ctx, - return get_sysdb_grouplist_ex(mem_ctx, sysdb, domain, - name, grouplist, true); - } -+ -+errno_t -+sdap_handle_id_collision_for_incomplete_groups(struct data_provider *dp, -+ struct sss_domain_info *domain, -+ const char *name, -+ gid_t gid, -+ const char *original_dn, -+ const char *sid_str, -+ const char *uuid, -+ bool posix, -+ time_t now) -+{ -+ errno_t ret; -+ -+ ret = sysdb_delete_group(domain, NULL, gid); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_MINOR_FAILURE, -+ "Due to an id collision, the new group with gid [\"%"PRIu32"\"] " -+ "will not be added as the old group (with the same gid) could " -+ "not be removed from the sysdb!", -+ gid); -+ return ret; -+ } -+ -+ ret = sysdb_add_incomplete_group(domain, name, gid, original_dn, sid_str, -+ uuid, posix, now); -+ if (ret != EOK) { -+ return ret; -+ } -+ -+ dp_sbus_invalidate_group_memcache(dp, gid); -+ -+ return EOK; -+} --- -2.14.3 - diff --git a/0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch b/0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch deleted file mode 100644 index 71cdc20..0000000 --- a/0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch +++ /dev/null 
@@ -1,129 +0,0 @@ -From de891b231464f10ce029593d7ee2ebb401e8a0b3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= -Date: Mon, 19 Feb 2018 12:51:57 +0100 -Subject: [PATCH] SDAP: Properly handle group id-collision when renaming - incomplete groups -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Resolves: -https://pagure.io/SSSD/sssd/issue/2653 - -Signed-off-by: Fabiano Fidêncio -Reviewed-by: Jakub Hrozek -(cherry picked from commit a2e743cd23e8e2033340612c77a8dbb8ef48c1e1) ---- - src/providers/ad/ad_pac.c | 3 +++ - src/providers/ldap/sdap_async_ad.h | 1 + - src/providers/ldap/sdap_async_initgroups.c | 13 +++++++++++++ - src/providers/ldap/sdap_async_initgroups_ad.c | 15 +++++++++++++++ - 4 files changed, 32 insertions(+) - -diff --git a/src/providers/ad/ad_pac.c b/src/providers/ad/ad_pac.c -index 6b47462cf..1a344725f 100644 ---- a/src/providers/ad/ad_pac.c -+++ b/src/providers/ad/ad_pac.c -@@ -434,6 +434,7 @@ struct ad_handle_pac_initgr_state { - const char *err; - int dp_error; - int sdap_ret; -+ struct sdap_options *opts; - - size_t num_missing_sids; - char **missing_sids; -@@ -471,6 +472,7 @@ struct tevent_req *ad_handle_pac_initgr_send(TALLOC_CTX *mem_ctx, - return NULL; - } - state->user_dom = sdom->dom; -+ state->opts = id_ctx->opts; - - /* The following variables are currently unused because no sub-request - * returns any of them. 
But they are needed to allow the same signature as -@@ -514,6 +516,7 @@ struct tevent_req *ad_handle_pac_initgr_send(TALLOC_CTX *mem_ctx, - DEBUG(SSSDBG_TRACE_ALL, "Running PAC processing with id-mapping.\n"); - - ret = sdap_ad_save_group_membership_with_idmapping(state->username, -+ state->opts, - sdom->dom, - id_ctx->opts->idmap_ctx, - num_sids, group_sids); -diff --git a/src/providers/ldap/sdap_async_ad.h b/src/providers/ldap/sdap_async_ad.h -index 950f5a030..a5f47a1a9 100644 ---- a/src/providers/ldap/sdap_async_ad.h -+++ b/src/providers/ldap/sdap_async_ad.h -@@ -25,6 +25,7 @@ - #define SDAP_ASYNC_AD_H_ - - errno_t sdap_ad_save_group_membership_with_idmapping(const char *username, -+ struct sdap_options *opts, - struct sss_domain_info *user_dom, - struct sdap_idmap_ctx *idmap_ctx, - size_t num_sids, -diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c -index 34747be59..03f6de01a 100644 ---- a/src/providers/ldap/sdap_async_initgroups.c -+++ b/src/providers/ldap/sdap_async_initgroups.c -@@ -225,6 +225,19 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb, - ret = sysdb_add_incomplete_group(domain, groupname, gid, - original_dn, sid_str, - uuid, posix, now); -+ if (ret == ERR_GID_DUPLICATED) { -+ /* In case o group id-collision, do: -+ * - Delete the group from sysdb -+ * - Add the new incomplete group -+ * - Notify the NSS responder that the entry has also to be -+ * removed from the memory cache -+ */ -+ ret = sdap_handle_id_collision_for_incomplete_groups( -+ opts->dp, domain, groupname, gid, -+ original_dn, sid_str, uuid, posix, -+ now); -+ } -+ - if (ret != EOK) { - goto done; - } -diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c -index 30f1d3db2..eab103652 100644 ---- a/src/providers/ldap/sdap_async_initgroups_ad.c -+++ b/src/providers/ldap/sdap_async_initgroups_ad.c -@@ -836,6 +836,7 @@ sdap_ad_tokengroups_initgr_mapping_connect_done(struct 
tevent_req *subreq) - } - - errno_t sdap_ad_save_group_membership_with_idmapping(const char *username, -+ struct sdap_options *opts, - struct sss_domain_info *user_dom, - struct sdap_idmap_ctx *idmap_ctx, - size_t num_sids, -@@ -921,6 +922,19 @@ errno_t sdap_ad_save_group_membership_with_idmapping(const char *username, - - ret = sysdb_add_incomplete_group(domain, name, gid, - NULL, sid, NULL, false, now); -+ if (ret == ERR_GID_DUPLICATED) { -+ /* In case o group id-collision, do: -+ * - Delete the group from sysdb -+ * - Add the new incomplete group -+ * - Notify the NSS responder that the entry has also to be -+ * removed from the memory cache -+ */ -+ ret = sdap_handle_id_collision_for_incomplete_groups( -+ idmap_ctx->id_ctx->be->provider, -+ domain, name, gid, NULL, sid, NULL, -+ false, now); -+ } -+ - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, "Could not create incomplete " - "group: [%s]\n", strerror(ret)); -@@ -992,6 +1006,7 @@ static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq) - } - - ret = sdap_ad_save_group_membership_with_idmapping(state->username, -+ state->opts, - state->domain, - state->idmap_ctx, - num_sids, --- -2.14.3 - diff --git a/0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch b/0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch deleted file mode 100644 index 04c20b7..0000000 --- a/0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch +++ /dev/null 
@@ -1,64 +0,0 @@
-From 5da97dcfb8499348080b5c7a3980c704294f22fa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
-Date: Mon, 19 Feb 2018 08:53:56 +0100
-Subject: [PATCH] SYSDB_OPS: Error out on id-collision when adding an
- incomplete group
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This situation can be hit when renaming a group. For now, let's just
-error this out so the caller can handle it properly on its own layer.
-
-Related:
-https://pagure.io/SSSD/sssd/issue/2653
-
-Signed-off-by: Fabiano Fidêncio
-Reviewed-by: Jakub Hrozek
-(cherry picked from commit 514b2be089bfd0e2702d7e9ab883ab071a61b719)
----
- src/db/sysdb_ops.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index 5d3cf643d..de4fdb592 100644
---- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -2377,12 +2377,34 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
- TALLOC_CTX *tmp_ctx;
- int ret;
- struct sysdb_attrs *attrs;
-+ struct ldb_message *msg;
-+ const char *previous = NULL;
-+ const char *group_attrs[] = { SYSDB_SID_STR, SYSDB_UUID, SYSDB_ORIG_DN, NULL };
-+ const char *values[] = { sid_str, uuid, original_dn, NULL };
-+ bool same = false;
- 
- tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) {
- return ENOMEM;
- }
- 
-+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs, &msg);
-+ if (ret == EOK) {
-+ for (int i = 0; !same && group_attrs[i] != NULL; i++) {
-+ previous = ldb_msg_find_attr_as_string(msg,
-+ group_attrs[i],
-+ NULL);
-+ if (previous != NULL && values[i] != NULL) {
-+ same = strcmp(previous, values[i]) == 0;
-+ }
-+ }
-+ }
-+
-+ if (same) {
-+ ret = ERR_GID_DUPLICATED;
-+ goto done;
-+ }
-+
- /* try to add the group */
- ret = sysdb_add_basic_group(domain, name, gid);
- if (ret) goto done;
--- 
-2.14.3
-
diff --git a/0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch b/0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
deleted file mode 100644
index ef547d4..0000000
--- a/0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
+++ /dev/null
@@ -1,194 +0,0 @@ -From ead866b198034c0b3101732e09a5524d0182d1cb Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Mon, 19 Feb 2018 18:26:05 +0100 -Subject: [PATCH] TESTS: Add an integration test for renaming incomplete groups - during initgroups -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -As we implemented the group renaming heuristics to rename only if we can -use another "hint" like the original DN or the SID to know the group is -the same, this patch adds two tests (positive and negative) to make sure -a group with a totally different RDN and hence different originalDN -cannot be renamed but a group whose name changed but the RDN stays the -same can be renamed. - -Related: -https://pagure.io/SSSD/sssd/issue/3282 - -Reviewed-by: Fabiano Fidêncio -(cherry picked from commit 35d6fb7cabd6183252fd29b29aaf66264dca9135) ---- - src/tests/intg/test_ldap.py | 149 +++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 147 insertions(+), 2 deletions(-) - -diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py -index db3253858..98b6349a8 100644 ---- a/src/tests/intg/test_ldap.py -+++ b/src/tests/intg/test_ldap.py -@@ -94,10 +94,11 @@ def create_ldap_cleanup(request, ldap_conn, ent_list=None): - request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list)) - - --def create_ldap_fixture(request, ldap_conn, ent_list=None): -+def create_ldap_fixture(request, ldap_conn, ent_list=None, cleanup=True): - """Add LDAP entries and add teardown for removing them""" - create_ldap_entries(ldap_conn, ent_list) -- create_ldap_cleanup(request, ldap_conn, ent_list) -+ if cleanup: -+ create_ldap_cleanup(request, ldap_conn, ent_list) - - - SCHEMA_RFC2307 = "rfc2307" -@@ -1437,3 +1438,147 @@ def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid): - ", ".join(["%s" % s for s in sorted(gids)]), - ", ".join(["%s" % s for s in sorted(user1_expected_gids)]) - ) -+ -+ -+def 
rename_setup_no_cleanup(request, ldap_conn, cleanup_ent=None): -+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) -+ ent_list.add_user("user1", 1001, 2001) -+ ent_list.add_group_bis("user1_private", 2001) -+ -+ ent_list.add_user("user2", 1002, 2002) -+ ent_list.add_group_bis("user2_private", 2002) -+ -+ ent_list.add_group_bis("group1", 2015, ["user1", "user2"]) -+ -+ if cleanup_ent is None: -+ create_ldap_fixture(request, ldap_conn, ent_list) -+ else: -+ # Since the entries were renamed, we need to clean up -+ # the renamed entries.. -+ create_ldap_fixture(request, ldap_conn, ent_list, cleanup=False) -+ create_ldap_cleanup(request, ldap_conn, None) -+ -+ -+@pytest.fixture -+def rename_setup_cleanup(request, ldap_conn): -+ cleanup_ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) -+ cleanup_ent_list.add_user("user1", 1001, 2001) -+ cleanup_ent_list.add_group_bis("new_user1_private", 2001) -+ -+ cleanup_ent_list.add_user("user2", 1002, 2002) -+ cleanup_ent_list.add_group_bis("new_user2_private", 2002) -+ -+ cleanup_ent_list.add_group_bis("new_group1", 2015, ["user1", "user2"]) -+ -+ rename_setup_no_cleanup(request, ldap_conn, cleanup_ent_list) -+ -+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) -+ create_conf_fixture(request, conf) -+ create_sssd_fixture(request) -+ return None -+ -+ -+@pytest.fixture -+def rename_setup_with_name(request, ldap_conn): -+ rename_setup_no_cleanup(request, ldap_conn) -+ -+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \ -+ unindent(""" -+ [nss] -+ [domain/LDAP] -+ ldap_group_name = name -+ timeout = 3000 -+ """).format(**locals()) -+ create_conf_fixture(request, conf) -+ create_sssd_fixture(request) -+ return None -+ -+ -+def test_rename_incomplete_group_same_dn(ldap_conn, rename_setup_with_name): -+ """ -+ Test that if a group's name attribute changes, but the DN stays the same, -+ the incomplete group object will be renamed. 
-+ -+ Because the RDN attribute must be present in the entry, we add another -+ attribute "name" that is purposefully different from the CN and make -+ sure the group names are reflected in name -+ -+ Regression test for https://pagure.io/SSSD/sssd/issue/3282 -+ """ -+ pvt_dn1 = 'cn=user1_private,ou=Groups,' + ldap_conn.ds_inst.base_dn -+ pvt_dn2 = 'cn=user2_private,ou=Groups,' + ldap_conn.ds_inst.base_dn -+ group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn -+ -+ # Add the name we want for both private and secondary group -+ old = {'name': []} -+ new = {'name': [b"user1_group1"]} -+ ldif = ldap.modlist.modifyModlist(old, new) -+ ldap_conn.modify_s(group1_dn, ldif) -+ -+ new = {'name': [b"pvt_user1"]} -+ ldif = ldap.modlist.modifyModlist(old, new) -+ ldap_conn.modify_s(pvt_dn1, ldif) -+ -+ new = {'name': [b"pvt_user2"]} -+ ldif = ldap.modlist.modifyModlist(old, new) -+ ldap_conn.modify_s(pvt_dn2, ldif) -+ -+ # Make sure the old name shows up in the id output -+ (res, errno, grp_list) = sssd_id.get_user_groups("user1") -+ assert res == sssd_id.NssReturnCode.SUCCESS, \ -+ "Could not find groups for user1, %d" % errno -+ -+ assert sorted(grp_list) == sorted(["pvt_user1", "user1_group1"]) -+ -+ # Rename the group by changing the cn attribute, but keep the DN the same -+ old = {'name': [b"user1_group1"]} -+ new = {'name': [b"new_user1_group1"]} -+ ldif = ldap.modlist.modifyModlist(old, new) -+ ldap_conn.modify_s(group1_dn, ldif) -+ -+ (res, errno, grp_list) = sssd_id.get_user_groups("user2") -+ assert res == sssd_id.NssReturnCode.SUCCESS, \ -+ "Could not find groups for user2, %d" % errno -+ -+ assert sorted(grp_list) == sorted(["pvt_user2", "new_user1_group1"]) -+ -+ (res, errno, grp_list) = sssd_id.get_user_groups("user1") -+ assert res == sssd_id.NssReturnCode.SUCCESS, \ -+ "Could not find groups for user1, %d" % errno -+ -+ assert sorted(grp_list) == sorted(["pvt_user1", "new_user1_group1"]) -+ -+ -+def test_rename_incomplete_group_rdn_changed(ldap_conn, 
rename_setup_cleanup): -+ """ -+ Test that if a group's name attribute changes, and the DN changes with -+ the RDN. Then adding the second group will fail because we can't tell if -+ there are two duplicate groups in LDAP when saving the group or if the -+ group was renamed. -+ -+ Please note that with many directories (AD, IPA), the code can rely on -+ other heuristics (SID, UUID) to find out the group is in fact the same. -+ -+ Regression test for https://pagure.io/SSSD/sssd/issue/3282 -+ """ -+ pvt_dn = 'cn=user1_private,ou=Groups,' + ldap_conn.ds_inst.base_dn -+ group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn -+ -+ # Make sure the old name shows up in the id output -+ (res, errno, grp_list) = sssd_id.get_user_groups("user1") -+ assert res == sssd_id.NssReturnCode.SUCCESS, \ -+ "Could not find groups for user1, %d" % errno -+ -+ assert sorted(grp_list) == sorted(["user1_private", "group1"]) -+ -+ # Rename the groups, changing the RDN -+ ldap_conn.rename_s(group1_dn, "cn=new_group1") -+ ldap_conn.rename_s(pvt_dn, "cn=new_user1_private") -+ -+ (res, errno, grp_list) = sssd_id.get_user_groups("user2") -+ assert res == sssd_id.NssReturnCode.SUCCESS, \ -+ "Could not find groups for user2, %d" % errno -+ -+ # The initgroups succeeds, but because saving the new group fails, -+ # SSSD will revert to the cache contents and return what's in the cache -+ assert sorted(grp_list) == sorted(["user2_private", "group1"]) --- -2.14.3 - diff --git a/0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch b/0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch deleted file mode 100644 index b314815..0000000 --- a/0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -From 0a367914b87ef56dd4d5d56778e5770d1201f255 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Mon, 16 Apr 2018 20:29:28 +0200 -Subject: [PATCH] SYSDB: sysdb_add_incomplete_group now returns EEXIST with a - duplicate GID -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Related: -https://pagure.io/SSSD/sssd/issue/2653 - -Reviewed-by: Fabiano Fidêncio -(cherry picked from commit ba2d5f7a0adefb017d3f85203d715b725ca8810f) ---- - src/db/sysdb_ops.c | 13 ++++++++++--- - src/tests/sysdb-tests.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++- - 2 files changed, 56 insertions(+), 4 deletions(-) - -diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c -index de4fdb592..93b967e75 100644 ---- a/src/db/sysdb_ops.c -+++ b/src/db/sysdb_ops.c -@@ -2398,10 +2398,17 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain, - same = strcmp(previous, values[i]) == 0; - } - } -- } - -- if (same) { -- ret = ERR_GID_DUPLICATED; -+ if (same == true) { -+ DEBUG(SSSDBG_TRACE_LIBS, -+ "The group with GID [%"SPRIgid"] was renamed\n", gid); -+ ret = ERR_GID_DUPLICATED; -+ goto done; -+ } -+ -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Another group with GID [%"SPRIgid"] already exists\n", gid); -+ ret = EEXIST; - goto done; - } - -diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c -index 32b8ca856..416dedb5e 100644 ---- a/src/tests/sysdb-tests.c -+++ b/src/tests/sysdb-tests.c -@@ -989,6 +989,50 @@ START_TEST (test_sysdb_add_incomplete_group) - } - END_TEST - -+START_TEST (test_sysdb_incomplete_group_rename) -+{ -+ struct sysdb_test_ctx *test_ctx; -+ int ret; -+ -+ ret = setup_sysdb_tests(&test_ctx); -+ if (ret != EOK) { -+ fail("Could not set up the test"); -+ return; -+ } -+ -+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group", -+ 20000, NULL, -+ "S-1-5-21-123-456-789-111", -+ NULL, true, 0); -+ fail_unless(ret == EOK, -+ "sysdb_add_incomplete_group error [%d][%s]", -+ ret, strerror(ret)); -+ 
-+ /* Adding a group with the same GID and all the other characteristics uknown should fail */ -+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new", -+ 20000, NULL, NULL, NULL, true, 0); -+ fail_unless(ret == EEXIST, "Did not caught a duplicate\n"); -+ -+ /* A different SID should also trigger a failure */ -+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new", -+ 20000, NULL, -+ "S-1-5-21-123-456-789-222", -+ NULL, true, 0); -+ fail_unless(ret == EEXIST, "Did not caught a duplicate\n"); -+ -+ /* But if we know based on a SID that the group is in fact the same, -+ * let's just change its name -+ */ -+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new", -+ 20000, NULL, -+ "S-1-5-21-123-456-789-111", -+ NULL, true, 0); -+ fail_unless(ret == ERR_GID_DUPLICATED, -+ "Did not catch a legitimate rename", -+ ret, strerror(ret)); -+} -+END_TEST -+ - START_TEST (test_sysdb_getpwnam) - { - struct sysdb_test_ctx *test_ctx; -@@ -5526,7 +5570,7 @@ START_TEST(test_sysdb_search_sid_str) - ret = setup_sysdb_tests(&test_ctx); - fail_if(ret != EOK, "Could not set up the test"); - -- data = test_data_new_group(test_ctx, 2900); -+ data = test_data_new_group(test_ctx, 2902); - fail_if(data == NULL); - data->sid_str = "S-1-2-3-4"; - -@@ -7166,6 +7210,7 @@ Suite *create_sysdb_suite(void) - tcase_add_loop_test(tc_sysdb, - test_sysdb_remove_local_group_by_gid, - 28000, 28010); -+ tcase_add_test(tc_sysdb, test_sysdb_incomplete_group_rename); - - /* test custom operations */ - tcase_add_loop_test(tc_sysdb, test_sysdb_store_custom, 29010, 29020); --- -2.14.3 - diff --git a/0046-MAN-Document-which-principal-does-the-AD-provider-us.patch b/0046-MAN-Document-which-principal-does-the-AD-provider-us.patch deleted file mode 100644 index 028814b..0000000 --- a/0046-MAN-Document-which-principal-does-the-AD-provider-us.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 549a960554f44e79d74c65d9f889ccaef497b11d Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Thu, 19 Apr 2018 09:38:47 +0200 -Subject: [PATCH] MAN: Document which principal does the AD provider use -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Administrators are often confused by the difference between what -principal is used to authenticate to AD. Let's document that. - -Reviewed-by: Pavel Březina -(cherry picked from commit 91d1e4c134b7c90abd2ff86b313175c542cd834c) ---- - src/man/include/ad_modified_defaults.xml | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml -index c41b454f8..818a2bf78 100644 ---- a/src/man/include/ad_modified_defaults.xml -+++ b/src/man/include/ad_modified_defaults.xml -@@ -58,6 +58,22 @@ - ldap_use_tokengroups = true - - -+ -+ -+ ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) -+ -+ -+ The AD provider looks for a different principal than the -+ LDAP provider by default, because in an Active Directory -+ environment the principals are divided into two groups -+ - User Principals and Service Principals. Only User -+ Principal can be used to obtain a TGT and by default, -+ computer object's principal is constructed from -+ its sAMAccountName and the AD realm. The well-known -+ host/hostname@REALM principal is a Service Principal -+ and thus cannot be used to get a TGT with. -+ -+ - - - --- -2.14.3 - diff --git a/0047-GPO-Fix-bug-with-empty-GPO-rules.patch b/0047-GPO-Fix-bug-with-empty-GPO-rules.patch deleted file mode 100644 index 331cf5a..0000000 --- a/0047-GPO-Fix-bug-with-empty-GPO-rules.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From c83f6c6da3958475ca4782ffcb49fbc41f8c8f17 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= -Date: Wed, 11 Apr 2018 18:56:53 +0200 -Subject: [PATCH] GPO: Fix bug with empty GPO rules - -When two or more GPO rules were defined on the server -and one of them contained no SIDs (no users or groups -were specified), then SSSD failed to store such rule -and users were denied access (system error). - -This patch changes the behavior so that in case -there are no SIDs in the rule a special value is -stored with the rule to indicate that the rule -was actually specified, but this value will not -match any real SID (because the rule should be -empty). - -Resolves: -https://pagure.io/SSSD/sssd/issue/3680 - -Reviewed-by: Jakub Hrozek -(cherry picked from commit e6e5fe349aa6ed85eb9acb3273007fa90ee99450) ---- - src/providers/ad/ad_gpo.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index a48f264c7..ae3329b90 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -1132,6 +1132,7 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, - int i; - char *allow_value = NULL; - char *deny_value = NULL; -+ const char *empty_val = "NO_SID"; - const char *allow_key = NULL; - const char *deny_key = NULL; - TALLOC_CTX *tmp_ctx = NULL; -@@ -1236,7 +1237,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, - } - - for (i = 0; i < GPO_MAP_NUM_OPTS; i++) { -- -+ /* The NO_SID val is used as special SID value for the case when -+ * no SIDs are found in the rule, but we need to store some -+ * value (SID) with the key (rule name) so that it is clear -+ * that the rule is defined on the server. 
*/ - struct gpo_map_option_entry entry = gpo_map_option_entries[i]; - - allow_key = entry.allow_key; -@@ -1252,9 +1256,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, - allow_key, ret, sss_strerror(ret)); - goto done; - } else if (ret != ENOENT) { -+ const char *value = allow_value ? allow_value : empty_val; - ret = sysdb_gpo_store_gpo_result_setting(domain, - allow_key, -- allow_value); -+ value); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "sysdb_gpo_store_gpo_result_setting failed for key:" -@@ -1278,9 +1283,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, - deny_key, ret, sss_strerror(ret)); - goto done; - } else if (ret != ENOENT) { -+ const char *value = deny_value ? deny_value : empty_val; - ret = sysdb_gpo_store_gpo_result_setting(domain, - deny_key, -- deny_value); -+ value); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "sysdb_gpo_store_gpo_result_setting failed for key:" --- -2.14.3 - diff --git a/0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch b/0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch deleted file mode 100644 index 797bfa8..0000000 --- a/0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 8c86f78e41bdb0fa4d77ffaffd13e602b77cdf2f Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Wed, 4 Apr 2018 14:18:10 +0200 -Subject: [PATCH] FILES: Do not overwrite and actually remove - files_ctx.{pwd,grp}_watch -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The snotify_ctx structures were unused, are completely opaque (their -only value is that if they are freed, the watches disappear which -the files provider never does). - -And moreover, since the patches to support multiple files, the watches -were overwritten with subsequent assignments. - -Reviewed-by: Pavel Březina -(cherry picked from commit d69e1da370fa33c5085b31eb6302a30d81817534) ---- - src/providers/files/files_ops.c | 35 +++++++++++++++++++++++------------ - 1 file changed, 23 insertions(+), 12 deletions(-) - -diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c -index a2a2798d3..95c4d2a06 100644 ---- a/src/providers/files/files_ops.c -+++ b/src/providers/files/files_ops.c -@@ -36,9 +36,6 @@ - #define GRP_MAXSIZE 2048 - - struct files_ctx { -- struct snotify_ctx *pwd_watch; -- struct snotify_ctx *grp_watch; -- - struct files_ops_ctx *ops; - }; - -@@ -957,6 +954,7 @@ struct files_ctx *sf_init(TALLOC_CTX *mem_ctx, - struct files_ctx *fctx; - struct tevent_immediate *imm; - int i; -+ struct snotify_ctx *snctx; - - fctx = talloc(mem_ctx, struct files_ctx); - if (fctx == NULL) { -@@ -964,18 +962,31 @@ struct files_ctx *sf_init(TALLOC_CTX *mem_ctx, - } - - for (i = 0; passwd_files[i]; i++) { -- fctx->pwd_watch = sf_setup_watch(fctx, ev, passwd_files[i], -- sf_passwd_cb, id_ctx); -+ snctx = sf_setup_watch(fctx, ev, passwd_files[i], -+ sf_passwd_cb, id_ctx); -+ if (snctx == NULL) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "Cannot set watch for passwd file %s\n", passwd_files[i]); -+ /* Rather than reporting incomplete or inconsistent information -+ * in case e.g. 
group memberships span multiple files, just abort -+ */ -+ talloc_free(fctx); -+ return NULL; - } -- -- for (i = 0; group_files[i]; i++) { -- fctx->grp_watch = sf_setup_watch(fctx, ev, group_files[i], -- sf_group_cb, id_ctx); - } - -- if (fctx->pwd_watch == NULL || fctx->grp_watch == NULL) { -- talloc_free(fctx); -- return NULL; -+ for (i = 0; group_files[i]; i++) { -+ snctx = sf_setup_watch(fctx, ev, group_files[i], -+ sf_group_cb, id_ctx); -+ if (snctx == NULL) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "Cannot set watch for group file %s\n", group_files[i]); -+ /* Rather than reporting incomplete or inconsistent information -+ * in case e.g. group memberships span multiple files, just abort -+ */ -+ talloc_free(fctx); -+ return NULL; -+ } - } - - /* Enumerate users and groups on startup to process any changes when --- -2.14.3 - diff --git a/0049-FILES-Reduce-code-duplication.patch b/0049-FILES-Reduce-code-duplication.patch deleted file mode 100644 index ef0a2e8..0000000 --- a/0049-FILES-Reduce-code-duplication.patch +++ /dev/null 
@@ -1,310 +0,0 @@ -From 601e30e9d6e7c0da2e1648dc2d9bc37bddf512d8 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Tue, 17 Apr 2018 14:22:39 +0200 -Subject: [PATCH] FILES: Reduce code duplication -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Pavel Březina -(cherry picked from commit 1f8bfb6975becda07ff29f557f82b6ac1eaa0be9) ---- - src/providers/files/files_ops.c | 213 +++++++++++++++------------------------- - 1 file changed, 81 insertions(+), 132 deletions(-) - -diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c -index 95c4d2a06..370af1274 100644 ---- a/src/providers/files/files_ops.c -+++ b/src/providers/files/files_ops.c -@@ -35,6 +35,10 @@ - #define PWD_MAXSIZE 1024 - #define GRP_MAXSIZE 2048 - -+#define SF_UPDATE_PASSWD 1<<0 -+#define SF_UPDATE_GROUP 1<<1 -+#define SF_UPDATE_BOTH (SF_UPDATE_PASSWD | SF_UPDATE_GROUP) -+ - struct files_ctx { - struct files_ops_ctx *ops; - }; -@@ -708,6 +712,70 @@ done: - return ret; - } - -+static errno_t sf_enum_files(struct files_id_ctx *id_ctx, -+ uint8_t flags) -+{ -+ errno_t ret; -+ errno_t tret; -+ bool in_transaction = false; -+ -+ ret = sysdb_transaction_start(id_ctx->domain->sysdb); -+ if (ret != EOK) { -+ goto done; -+ } -+ in_transaction = true; -+ -+ if (flags & SF_UPDATE_PASSWD) { -+ ret = delete_all_users(id_ctx->domain); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ /* All users were deleted, therefore we need to enumerate each file again */ -+ for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) { -+ ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n"); -+ goto done; -+ } -+ } -+ } -+ -+ if (flags & SF_UPDATE_GROUP) { -+ ret = delete_all_groups(id_ctx->domain); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ /* All groups were deleted, therefore we need to enumerate each file again */ -+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) 
{ -+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n"); -+ goto done; -+ } -+ } -+ } -+ -+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb); -+ if (ret != EOK) { -+ goto done; -+ } -+ in_transaction = false; -+ -+ ret = EOK; -+done: -+ if (in_transaction) { -+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); -+ if (tret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Cannot cancel transaction: %d\n", ret); -+ } -+ } -+ -+ return ret; -+} -+ - static void sf_cb_done(struct files_id_ctx *id_ctx) - { - /* Only activate a domain when both callbacks are done */ -@@ -722,8 +790,6 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt) - { - struct files_id_ctx *id_ctx; - errno_t ret; -- errno_t tret; -- bool in_transaction = false; - - id_ctx = talloc_get_type(pvt, struct files_id_ctx); - if (id_ctx == NULL) { -@@ -740,49 +806,17 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt) - dp_sbus_reset_users_memcache(id_ctx->be->provider); - dp_sbus_reset_initgr_memcache(id_ctx->be->provider); - -- ret = sysdb_transaction_start(id_ctx->domain->sysdb); -- if (ret != EOK) { -- goto done; -- } -- in_transaction = true; -- -- ret = delete_all_users(id_ctx->domain); -- if (ret != EOK) { -- goto done; -- } -- -- /* All users were deleted, therefore we need to enumerate each file again */ -- for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) { -- ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n"); -- goto done; -- } -- } -- -- /* Covers the case when someone edits /etc/group, adds a group member and -+ /* Using SF_UDPATE_BOTH here the case when someone edits /etc/group, adds a group member and - * only then edits passwd and adds the user. The reverse is not needed, - * because member/memberof links are established when groups are saved. 
- */ -- ret = delete_all_groups(id_ctx->domain); -- if (ret != EOK) { -- goto done; -- } -- -- /* All groups were deleted, therefore we need to enumerate each file again */ -- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) { -- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n"); -- goto done; -- } -- } -- -- ret = sysdb_transaction_commit(id_ctx->domain->sysdb); -+ ret = sf_enum_files(id_ctx, SF_UPDATE_BOTH); - if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Could not update files: [%d]: %s\n", -+ ret, sss_strerror(ret)); - goto done; - } -- in_transaction = false; - - id_ctx->updating_passwd = false; - sf_cb_done(id_ctx); -@@ -790,14 +824,6 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt) - - ret = EOK; - done: -- if (in_transaction) { -- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); -- if (tret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Cannot cancel transaction: %d\n", ret); -- } -- } -- - return ret; - } - -@@ -805,8 +831,6 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt) - { - struct files_id_ctx *id_ctx; - errno_t ret; -- errno_t tret; -- bool in_transaction = false; - - id_ctx = talloc_get_type(pvt, struct files_id_ctx); - if (id_ctx == NULL) { -@@ -823,47 +847,20 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt) - dp_sbus_reset_groups_memcache(id_ctx->be->provider); - dp_sbus_reset_initgr_memcache(id_ctx->be->provider); - -- ret = sysdb_transaction_start(id_ctx->domain->sysdb); -- if (ret != EOK) { -- goto done; -- } -- in_transaction = true; -- -- ret = delete_all_groups(id_ctx->domain); -- if (ret != EOK) { -- goto done; -- } -- -- /* All groups were deleted, therefore we need to enumerate each file again */ -- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) { -- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, 
"Cannot enumerate groups\n"); -- goto done; -- } -- } -- -- ret = sysdb_transaction_commit(id_ctx->domain->sysdb); -+ ret = sf_enum_files(id_ctx, SF_UPDATE_GROUP); - if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Could not update files: [%d]: %s\n", -+ ret, sss_strerror(ret)); - goto done; - } -- in_transaction = false; - - id_ctx->updating_groups = false; - sf_cb_done(id_ctx); - files_account_info_finished(id_ctx, BE_REQ_GROUP, ret); - - ret = EOK; -- - done: -- if (in_transaction) { -- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); -- if (tret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Cannot cancel transaction: %d\n", ret); -- } -- } -- - return ret; - } - -@@ -873,62 +870,14 @@ static void startup_enum_files(struct tevent_context *ev, - { - struct files_id_ctx *id_ctx = talloc_get_type(pvt, struct files_id_ctx); - errno_t ret; -- errno_t tret; -- bool in_transaction = false; - - talloc_zfree(imm); - -- ret = sysdb_transaction_start(id_ctx->domain->sysdb); -- if (ret != EOK) { -- goto done; -- } -- in_transaction = true; -- -- ret = delete_all_users(id_ctx->domain); -- if (ret != EOK) { -- goto done; -- } -- -- ret = delete_all_groups(id_ctx->domain); -+ ret = sf_enum_files(id_ctx, SF_UPDATE_BOTH); - if (ret != EOK) { -- goto done; -- } -- -- for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) { -- DEBUG(SSSDBG_TRACE_FUNC, -- "Startup user enumeration of [%s]\n", id_ctx->passwd_files[i]); -- ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Enumerating users failed, data might be inconsistent!\n"); -- goto done; -- } -- } -- -- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) { -- DEBUG(SSSDBG_TRACE_FUNC, -- "Startup group enumeration of [%s]\n", id_ctx->group_files[i]); -- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Enumerating groups failed, data might be inconsistent!\n"); -- goto done; -- } -- } -- -- ret = 
sysdb_transaction_commit(id_ctx->domain->sysdb); -- if (ret != EOK) { -- goto done; -- } -- in_transaction = false; -- --done: -- if (in_transaction) { -- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); -- if (tret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Cannot cancel transaction: %d\n", ret); -- } -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Could not update files after startup: [%d]: %s\n", -+ ret, sss_strerror(ret)); - } - } - --- -2.14.3 - diff --git a/0050-FILES-Reset-the-domain-status-back-even-on-errors.patch b/0050-FILES-Reset-the-domain-status-back-even-on-errors.patch deleted file mode 100644 index acf6488..0000000 --- a/0050-FILES-Reset-the-domain-status-back-even-on-errors.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 12876995fe664ac05149fa5d843836aed5ce33e9 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Tue, 17 Apr 2018 14:38:03 +0200 -Subject: [PATCH] FILES: Reset the domain status back even on errors -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The block that resets the domain status was only called on success, so -on error, the domain would have been permanently stuck in an -inconsistent state. - -Reviewed-by: Pavel Březina -(cherry picked from commit 81f16996c980a75e98538c7dd91baf9e0e635f58) ---- - src/providers/files/files_ops.c | 16 ++++++---------- - 1 file changed, 6 insertions(+), 10 deletions(-) - -diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c -index 370af1274..b91078417 100644 ---- a/src/providers/files/files_ops.c -+++ b/src/providers/files/files_ops.c -@@ -793,8 +793,7 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt) - - id_ctx = talloc_get_type(pvt, struct files_id_ctx); - if (id_ctx == NULL) { -- ret = EINVAL; -- goto done; -+ return EINVAL; - } - - DEBUG(SSSDBG_TRACE_FUNC, "passwd notification\n"); -@@ -818,12 +817,11 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt) - goto done; - } - -+ ret = EOK; -+done: - id_ctx->updating_passwd = false; - sf_cb_done(id_ctx); - files_account_info_finished(id_ctx, BE_REQ_USER, ret); -- -- ret = EOK; --done: - return ret; - } - -@@ -834,8 +832,7 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt) - - id_ctx = talloc_get_type(pvt, struct files_id_ctx); - if (id_ctx == NULL) { -- ret = EINVAL; -- goto done; -+ return EINVAL; - } - - DEBUG(SSSDBG_TRACE_FUNC, "group notification\n"); -@@ -855,12 +852,11 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt) - goto done; - } - -+ ret = EOK; -+done: - id_ctx->updating_groups = false; - sf_cb_done(id_ctx); - files_account_info_finished(id_ctx, BE_REQ_GROUP, ret); -- -- ret = EOK; 
--done: - return ret; - } - --- -2.14.3 - diff --git a/0051-FILES-Skip-files-that-are-not-created-yet.patch b/0051-FILES-Skip-files-that-are-not-created-yet.patch deleted file mode 100644 index 5cfa708..0000000 --- a/0051-FILES-Skip-files-that-are-not-created-yet.patch +++ /dev/null 
@@ -1,145 +0,0 @@ -From 7703a7efe1ed4800a7676cfaac9bd00fec7de1c4 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Wed, 4 Apr 2018 14:13:56 +0200 -Subject: [PATCH] FILES: Skip files that are not created yet -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In order to avoid complex ordering logic, even if one file is updated, -we flush all the entries. In theory, we could only flush the individual -file and all the files preceding it, but it's safer to just create a -complete mirror every time. - -And this can be problematic if one of the files we try to update is not -created yet during the update. This can happen e.g. when a file is not -created during early boot. - -To solve this, try to be very defensive and always flush the whole -database, ignore ENOENT errors, but abort on all other errors. - -Reviewed-by: Pavel Březina -(cherry picked from commit c1bce7da6c33b352dc708a5dd9712a4d96c63057) ---- - src/providers/files/files_ops.c | 22 ++++++++++--- - src/tests/intg/test_files_provider.py | 60 +++++++++++++++++++++++++++++++++++ - 2 files changed, 78 insertions(+), 4 deletions(-) - -diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c -index b91078417..f5a40297a 100644 ---- a/src/providers/files/files_ops.c -+++ b/src/providers/files/files_ops.c -@@ -734,8 +734,15 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx, - /* All users were deleted, therefore we need to enumerate each file again */ - for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) { - ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n"); -+ if (ret == ENOENT) { -+ DEBUG(SSSDBG_MINOR_FAILURE, -+ "The file %s does not exist (yet), skipping\n", -+ id_ctx->passwd_files[i]); -+ continue; -+ } else if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Cannot enumerate users from %s, aborting\n", -+ id_ctx->passwd_files[i]); - goto done; - } - } 
-@@ -750,8 +757,15 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx, - /* All groups were deleted, therefore we need to enumerate each file again */ - for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) { - ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n"); -+ if (ret == ENOENT) { -+ DEBUG(SSSDBG_MINOR_FAILURE, -+ "The file %s does not exist (yet), skipping\n", -+ id_ctx->group_files[i]); -+ continue; -+ } else if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Cannot enumerate groups from %s, aborting\n", -+ id_ctx->group_files[i]); - goto done; - } - } -diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py -index ce5c7b774..cc9c1f1c7 100644 ---- a/src/tests/intg/test_files_provider.py -+++ b/src/tests/intg/test_files_provider.py -@@ -187,6 +187,40 @@ def files_multiple_sources(request): - return alt_pwops, alt_grops - - -+@pytest.fixture -+def files_multiple_sources_nocreate(request): -+ """ -+ Sets up SSSD with multiple sources, but does not actually create -+ the files. 
-+ """ -+ alt_passwd_path = tempfile.mktemp(prefix='altpasswd') -+ request.addfinalizer(lambda: os.unlink(alt_passwd_path)) -+ -+ alt_group_path = tempfile.mktemp(prefix='altgroup') -+ request.addfinalizer(lambda: os.unlink(alt_group_path)) -+ -+ passwd_list = ",".join([os.environ["NSS_WRAPPER_PASSWD"], alt_passwd_path]) -+ group_list = ",".join([os.environ["NSS_WRAPPER_GROUP"], alt_group_path]) -+ -+ conf = unindent("""\ -+ [sssd] -+ domains = files -+ services = nss -+ -+ [nss] -+ debug_level = 10 -+ -+ [domain/files] -+ id_provider = files -+ passwd_files = {passwd_list} -+ group_files = {group_list} -+ debug_level = 10 -+ """).format(**locals()) -+ create_conf_fixture(request, conf) -+ create_sssd_fixture(request) -+ return alt_passwd_path, alt_group_path -+ -+ - @pytest.fixture - def proxy_to_files_domain_only(request): - conf = unindent("""\ -@@ -1113,3 +1147,29 @@ def test_multiple_passwd_group_files(add_user_with_canary, - - check_group(GROUP1) - check_group(ALT_GROUP1) -+ -+ -+def test_multiple_files_created_after_startup(add_user_with_canary, -+ add_group_with_canary, -+ files_multiple_sources_nocreate): -+ """ -+ Test that users and groups can be mirrored from multiple files, -+ but those files are not created when SSSD starts, only afterwards. -+ """ -+ alt_passwd_path, alt_group_path = files_multiple_sources_nocreate -+ -+ check_user(USER1) -+ check_group(GROUP1) -+ -+ # touch the files -+ for fpath in (alt_passwd_path, alt_group_path): -+ with open(fpath, "w") as f: -+ pass -+ -+ alt_pwops = PasswdOps(alt_passwd_path) -+ alt_grops = GroupOps(alt_group_path) -+ alt_pwops.useradd(**ALT_USER1) -+ alt_grops.groupadd(**ALT_GROUP1) -+ -+ check_user(ALT_USER1) -+ check_group(ALT_GROUP1) --- -2.14.3 - diff --git a/0052-FILES-Only-send-the-request-for-update-if-the-files-.patch b/0052-FILES-Only-send-the-request-for-update-if-the-files-.patch deleted file mode 100644 index e99d8a6..0000000 
--- a/0052-FILES-Only-send-the-request-for-update-if-the-files-.patch +++ /dev/null @@ -1,41 +0,0 @@ -From faba3074869b069a64a66844385cf170f149be4f Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Tue, 17 Apr 2018 12:32:11 +0200 -Subject: [PATCH] FILES: Only send the request for update if the files domain - is inconsistent -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Resolves: -https://pagure.io/SSSD/sssd/issue/3520 - -The code was probably commented out as a mistake.. - -Reviewed-by: Pavel Březina -(cherry picked from commit 77d63f561830c15341b2ffe915a4c86b3c0f88a3) ---- - src/responder/common/responder_dp.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c -index 8cc734813..9669b5fee 100644 ---- a/src/responder/common/responder_dp.c -+++ b/src/responder/common/responder_dp.c -@@ -598,11 +598,11 @@ static int sss_dp_account_files_params(struct sss_domain_info *dom, - enum sss_dp_acct_type *_type_out, - const char **_opt_name_out) - { --#if 0 - if (sss_domain_get_state(dom) != DOM_INCONSISTENT) { -+ DEBUG(SSSDBG_TRACE_INTERNAL, -+ "The entries in the files domain are up-to-date\n"); - return EOK; - } --#endif - - DEBUG(SSSDBG_TRACE_INTERNAL, - "Domain files is not consistent, issuing update\n"); --- -2.14.3 - diff --git a/0053-TESTS-simple-CA-to-generate-certificates-for-test.patch b/0053-TESTS-simple-CA-to-generate-certificates-for-test.patch deleted file mode 100644 index d49546b..0000000 --- a/0053-TESTS-simple-CA-to-generate-certificates-for-test.patch +++ /dev/null 
@@ -1,551 +0,0 @@ -From 0e53e397599da4b5d86121f6ee3de50c0389783e Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 14 Feb 2019 18:35:40 +0100 -Subject: [PATCH] TESTS: simple CA to generate certificates for test -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -To avoid issue with certificate lifetimes a simple OpenSSL based CA is -used to generate certificates for tests. - -To make management easy all related data is kept in -src/tests/test_CA. Since some header files will be generated the -generation of the needed files is added to BUILT_SOURCES as other -generated code. - -Related to https://pagure.io/SSSD/sssd/issue/3436 - -Reviewed-by: Lukáš Slebodník -(cherry picked from commit 19f5dd0b8dc4eff3373a0ac9ea17c2440628fd4c) ---- - Makefile.am | 15 ++- - configure.ac | 4 +- - contrib/sssd.spec.in | 8 ++ - src/external/test_ca.m4 | 42 +++++++++ - src/tests/test_CA/Makefile.am | 93 +++++++++++++++++++ - src/tests/test_CA/README | 26 ++++++ - src/tests/test_CA/SSSD_test_CA.config | 47 ++++++++++ - src/tests/test_CA/SSSD_test_CA_key.pem | 52 +++++++++++ - src/tests/test_CA/SSSD_test_cert_0001.config | 20 ++++ - src/tests/test_CA/SSSD_test_cert_0002.config | 19 ++++ - src/tests/test_CA/SSSD_test_cert_key_0001.pem | 28 ++++++ - src/tests/test_CA/SSSD_test_cert_key_0002.pem | 28 ++++++ - 12 files changed, 380 insertions(+), 2 deletions(-) - create mode 100644 src/external/test_ca.m4 - create mode 100644 src/tests/test_CA/Makefile.am - create mode 100644 src/tests/test_CA/README - create mode 100644 src/tests/test_CA/SSSD_test_CA.config - create mode 100644 src/tests/test_CA/SSSD_test_CA_key.pem - create mode 100644 src/tests/test_CA/SSSD_test_cert_0001.config - create mode 100644 src/tests/test_CA/SSSD_test_cert_0002.config - create mode 100644 src/tests/test_CA/SSSD_test_cert_key_0001.pem - create mode 100644 src/tests/test_CA/SSSD_test_cert_key_0002.pem - -diff --git a/Makefile.am b/Makefile.am -index 
d52fe0670..d9477cb64 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -21,7 +21,7 @@ if HAVE_MANPAGES - SUBDIRS += src/man - endif - --SUBDIRS += . src/tests/cwrap src/tests/intg -+SUBDIRS += . src/tests/cwrap src/tests/intg src/tests/test_CA - - # Some old versions of automake don't define builddir - builddir ?= . -@@ -2411,6 +2411,7 @@ pam_srv_tests_SOURCES = \ - $(NULL) - pam_srv_tests_CFLAGS = \ - -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \ -+ -I$(abs_builddir)/src \ - $(AM_CFLAGS) \ - $(NULL) - pam_srv_tests_LDFLAGS = \ -@@ -3286,6 +3287,7 @@ test_cert_utils_SOURCES = \ - $(NULL) - test_cert_utils_CFLAGS = \ - $(AM_CFLAGS) \ -+ -I$(abs_builddir)/src \ - $(CRYPTO_CFLAGS) \ - $(NULL) - test_cert_utils_LDADD = \ -@@ -4975,6 +4977,17 @@ endif - - CLEANFILES += *.X */*.X */*/*.X - -+test_CA: test_CA.stamp -+ -+test_CA.stamp: $(srcdir)/src/tests/test_CA/* -+ $(MAKE) -C src/tests/test_CA ca_all -+ touch $@ -+ -+if BUILD_TEST_CA -+BUILT_SOURCES += test_CA -+endif -+CLEANFILES += test_CA.stamp -+ - tests: all $(check_PROGRAMS) - (cd src/tests/cwrap && $(MAKE) $(AM_MAKEFLAGS) $@) || exit 1; - -diff --git a/configure.ac b/configure.ac -index 69deb811e..725c28f52 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -208,6 +208,7 @@ m4_include([src/external/libresolv.m4]) - m4_include([src/external/intgcheck.m4]) - m4_include([src/external/systemtap.m4]) - m4_include([src/external/service.m4]) -+m4_include([src/external/test_ca.m4]) - - if test x$with_secrets = xyes; then - m4_include([src/external/libhttp_parser.m4]) -@@ -483,6 +484,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x]) - AM_CHECK_CMOCKA - AM_CHECK_UID_WRAPPER - AM_CHECK_NSS_WRAPPER -+AM_CHECK_TEST_CA - - # Check if the user wants SSSD to be compiled with systemtap probes - AM_CHECK_SYSTEMTAP -@@ -506,7 +508,7 @@ AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config - contrib/sssd-pcsc.rules - src/sysv/sssd src/sysv/gentoo/sssd src/sysv/SUSE/sssd - 
po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile -- src/tests/intg/Makefile -+ src/tests/intg/Makefile src/tests/test_CA/Makefile - src/lib/ipa_hbac/ipa_hbac.pc src/lib/ipa_hbac/ipa_hbac.doxy - src/lib/idmap/sss_idmap.pc src/lib/idmap/sss_idmap.doxy - src/lib/certmap/sss_certmap.pc src/lib/certmap/sss_certmap.doxy -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index f69f192fe..25314596b 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -209,6 +209,14 @@ BuildRequires: selinux-policy-targeted - BuildRequires: libcmocka-devel >= 1.0.0 - BuildRequires: uid_wrapper - BuildRequires: nss_wrapper -+ -+# Test CA requires openssl independent if SSSD is build with NSS or openssl, -+# openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil. -+# Currently only cmocka based tests use the test CA. If it is used elsewhere -+# you might want to move the following requires out of the if-block. -+BuildRequires: openssl -+BuildRequires: openssh -+BuildRequires: nss-tools - %endif - BuildRequires: libnl3-devel - %if (0%{?use_systemd} == 1) -diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4 -new file mode 100644 -index 000000000..eb624acf3 ---- /dev/null -+++ b/src/external/test_ca.m4 -@@ -0,0 +1,42 @@ -+dnl Check for tools needed to run the test CA -+AC_DEFUN([AM_CHECK_TEST_CA], -+[ -+ AC_PATH_PROG([OPENSSL], [openssl]) -+ if test ! -x "$OPENSSL"; then -+ AC_MSG_NOTICE([Could not find openssl]) -+ fi -+ -+ AC_PATH_PROG([SSH_KEYGEN], [ssh-keygen]) -+ if test ! -x "$SSH_KEYGEN"; then -+ AC_MSG_NOTICE([Could not find ssh-keygen]) -+ else -+ AC_MSG_CHECKING([for -m option of ssh-keygen]) -+ if AC_RUN_LOG([$SSH_KEYGEN --help 2>&1 |grep -- '-m ' > /dev/null]); then -+ AC_MSG_RESULT([yes]) -+ else -+ SSH_KEYGEN="" -+ AC_MSG_RESULT([no]) -+ fi -+ fi -+ -+ if test x$cryptolib = xnss; then -+ AC_PATH_PROG([CERTUTIL], [certutil]) -+ if test ! 
-x "$CERTUTIL"; then -+ AC_MSG_NOTICE([Could not find certutil]) -+ fi -+ -+ AC_PATH_PROG([PK12UTIL], [pk12util]) -+ if test ! -x "$PK12UTIL"; then -+ AC_MSG_NOTICE([Could not find pk12util]) -+ fi -+ -+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$CERTUTIL" -a -x "$PK12UTIL"]) -+ else -+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN"]) -+ fi -+ -+ AM_COND_IF([BUILD_TEST_CA], -+ [AC_DEFINE_UNQUOTED(HAVE_TEST_CA, 1, -+ [Build with certificates from test CA])], -+ [AC_MSG_WARN([Test CA cannot be build, skiping some tests])]) -+]) -diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am -new file mode 100644 -index 000000000..a23a3feef ---- /dev/null -+++ b/src/tests/test_CA/Makefile.am -@@ -0,0 +1,93 @@ -+dist_noinst_DATA = \ -+ SSSD_test_CA.config \ -+ SSSD_test_CA_key.pem \ -+ SSSD_test_cert_0001.config \ -+ SSSD_test_cert_0002.config \ -+ SSSD_test_cert_key_0001.pem \ -+ SSSD_test_cert_key_0002.pem \ -+ $(NULL) -+ -+openssl_ca_config = $(srcdir)/SSSD_test_CA.config -+openssl_ca_key = $(srcdir)/SSSD_test_CA_key.pem -+pwdfile = pwdfile -+ -+configs := $(notdir $(wildcard $(srcdir)/SSSD_test_cert_*.config)) -+ids := $(subst SSSD_test_cert_,,$(basename $(configs))) -+certs = $(addprefix SSSD_test_cert_x509_,$(addsuffix .pem,$(ids))) -+certs_h = $(addprefix SSSD_test_cert_x509_,$(addsuffix .h,$(ids))) -+pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids))) -+pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids))) -+pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids))) -+ -+if HAVE_NSS -+nssdb = p11_nssdb p11_nssdb_2certs -+endif -+ -+# If openssl is run in parallel there might be conflicts with the serial -+.NOTPARALLEL: -+ -+ca_all: clean serial SSSD_test_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(nssdb) -+ -+$(pwdfile): -+ @echo "12345678" > $@ -+ -+SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial -+ 
$(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@ -+ -+ -+SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test_cert_%.config -+ $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_$*.config -out $@ -+ -+SSSD_test_cert_x509_%.pem: SSSD_test_cert_req_%.pem $(openssl_ca_config) SSSD_test_CA.pem -+ $(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -out $@ -+ -+SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile) -+ $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@ -+ -+SSSD_test_cert_pubkey_%.pem: SSSD_test_cert_x509_%.pem -+ $(OPENSSL) x509 -in $< -pubkey -noout > $@ -+ -+SSSD_test_cert_pubsshkey_%.pub: SSSD_test_cert_pubkey_%.pem -+ $(SSH_KEYGEN) -i -m PKCS8 -f $< > $@ -+ -+SSSD_test_cert_x509_%.h: SSSD_test_cert_x509_%.pem -+ @echo "#define SSSD_TEST_CERT_$* \""$(shell cat $< |openssl x509 -outform der | base64 -w 0)"\"" > $@ -+ -+SSSD_test_cert_pubsshkey_%.h: SSSD_test_cert_pubsshkey_%.pub -+ @echo "#define SSSD_TEST_CERT_SSH_KEY_$* \""$(shell cut -d' ' -f2 $<)"\"" > $@ -+ -+# This nss db is used in -+# - src/tests/cmocka/test_cert_utils.c (validation only) -+# - src/tests/cmocka/test_pam_srv.c -+p11_nssdb: SSSD_test_cert_pkcs12_0001.pem SSSD_test_CA.pem $(pwdfile) -+ mkdir $@ -+ $(CERTUTIL) -d sql:./$@ -N --empty-password -+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem -+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -+ -+# This nss db is used in -+# - src/tests/cmocka/test_pam_srv.c -+p11_nssdb_2certs: SSSD_test_cert_pkcs12_0001.pem SSSD_test_cert_pkcs12_0002.pem SSSD_test_CA.pem $(pwdfile) -+ mkdir $@ -+ $(CERTUTIL) -d sql:./$@ -N --empty-password -+ 
$(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem -+ $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) -+ $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile) -+ -+CLEANFILES = \ -+ index.txt index.txt.attr \ -+ index.txt.attr.old index.txt.old \ -+ serial serial.old \ -+ SSSD_test_CA.pem $(pwdfile) \ -+ $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) \ -+ $(NULL) -+ -+clean-local: -+ rm -rf newcerts -+ rm -rf p11_nssdb -+ rm -rf p11_nssdb_2certs -+ -+serial: clean -+ touch index.txt -+ mkdir newcerts -+ echo -n 01 > serial -diff --git a/src/tests/test_CA/README b/src/tests/test_CA/README -new file mode 100644 -index 000000000..342fd5890 ---- /dev/null -+++ b/src/tests/test_CA/README -@@ -0,0 +1,26 @@ -+Simple CA for SSSD tests -+ -+To avoid issues with certificate lifetimes during tests certificates can be -+generated with a simple OpenSSL based CA. -+ -+To create a new certificate add a suitable and valid OpenSSL config file with a -+[req] section for a certificate signing request (CSR) which must use the name -+pattern SSSD_test_cert_*.config. Additionally a matching key file -+SSSD_test_cert_key_%.pem should be added e.g. with -+ -+ openssl genpkey -algorithm RSA -out SSSD_test_cert_key_XYZ.pem -pkeyopt rsa_keygen_bits:2048 -+ -+It would be possible to generate the keys automatically as well but -+pre-created keys will safe some resources on the hosts running the tests, -+allow more flexibility with algorithms and key lengths and make the tests -+more reproducible. -+ -+The Makefile will pick up the config and the keys and generate a X.509 -+certificate. For usage in C-code it will generate a header file -+SSSD_test_cert_x509_*.h where the base64 encoded binary certificate is made -+available in a macro called SSSD_TEST_CERT_*. To run test with derived ssh-keys -+the ssh key is available in SSSD_test_cert_pubsshkey_*.h as -+SSSD_TEST_CERT_SSH_KEY_*. 
-+ -+Other targets for other types of tests can be added to the Makefile and should -+be documented here. -diff --git a/src/tests/test_CA/SSSD_test_CA.config b/src/tests/test_CA/SSSD_test_CA.config -new file mode 100644 -index 000000000..90ae2233c ---- /dev/null -+++ b/src/tests/test_CA/SSSD_test_CA.config -@@ -0,0 +1,47 @@ -+[ ca ] -+default_ca = CA_default -+ -+[ CA_default ] -+dir = . -+database = $dir/index.txt -+new_certs_dir = $dir/newcerts -+ -+certificate = $dir/SSSD_test_CA.pem -+serial = $dir/serial -+private_key = $dir/SSSD_test_CA_key.pem -+RANDFILE = $dir/rand -+ -+default_days = 365 -+default_crl_days = 30 -+default_md = sha256 -+ -+policy = policy_any -+email_in_dn = no -+ -+name_opt = ca_default -+cert_opt = ca_default -+copy_extensions = copy -+ -+[ usr_cert ] -+authorityKeyIdentifier = keyid, issuer -+ -+[ v3_ca ] -+subjectKeyIdentifier = hash -+authorityKeyIdentifier = keyid:always,issuer:always -+basicConstraints = CA:true -+keyUsage = critical, digitalSignature, cRLSign, keyCertSign -+ -+[ policy_any ] -+organizationName = supplied -+organizationalUnitName = supplied -+commonName = supplied -+emailAddress = optional -+ -+[ req ] -+distinguished_name = req_distinguished_name -+prompt = no -+ -+[ req_distinguished_name ] -+O = SSSD -+OU = SSSD test -+CN = SSSD test CA -diff --git a/src/tests/test_CA/SSSD_test_CA_key.pem b/src/tests/test_CA/SSSD_test_CA_key.pem -new file mode 100644 -index 000000000..4838d0379 ---- /dev/null -+++ b/src/tests/test_CA/SSSD_test_CA_key.pem -@@ -0,0 +1,52 @@ -+-----BEGIN PRIVATE KEY----- -+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDkKj9R0/ato8Qq -+8iww/4BZc14oTk4e94pGssERG2b8wkcnq9gjn7rDaW0j7sqcEnEtR4nbn4dtjZz5 -+pObXDRPebsZKf+jPac+PiIKwGMdEQFcrt/hZGlpxDrJKUt144ZmMH69CkBC1MREx -+8GHl3oQ9hnLCE82j4D6i+iVRAFhD6dsmL8YWvzMtjklAiyF6yboD1Vjkxwv06wcZ -+xgJptyFOcIM4RfRu212SQUmOZvfxIl9zmu6h4Vaz4Vm/e9qmRHJZ5cOJPC6wyhLn -+iPyEiuRg7DAI226GO04Kl/Frus5fFrih/hq/GyqYVLHQHBdOZ0MgY/zcwD+eEVOX 
-+KDFYKAbOwN9rDZC6UW3fPLHMnc0f/6q75s4Qvs3MyP0jtJaqjEe+DpW14u9kivUm -+f6L/nFHgDMoYHavsUOXKHZu0NRAKAxj+IvAnHRlInPQktIzZQ2abYWix//bb7aDx -+WhtOFN/rUXA1mqPahRxSgEst4QnSMxU0hPVET0TQO0A/XwozpkrM80NXOoq8m4kH -+83vknwVurg3VaupctX5fsSZvSYunK4bJ/8+Om7c3pyrxqbV0Y/nwGzjMYIU/iQSM -+XkDzs5MQfdWTmzQMsFUY7huQo0VA4s2mY96LmbABVCFnZTFSf+li3dNMadPpuTO+ -+w5jhoR1tcYiWtIDPBuwIFMCwdN1N6QIDAQABAoICAC7SgKYBMokVp2cMxYbUl/lD -+VJo+34c5U1YIztf84JiUIdgBStycpc3+L5iFI2z9193r5V19kmQoAIO2lGyjUWV/ -+JBAbyaHu29pfsDoFC7d04K6nFT7ryo2S74GTGcH5wfHgeq3VNKiKRjYSV3S9wjOC -+CMDNIZE0roXxgYDq6jIdpoxil2sJl64Mmfm104wII7Uvrgtc0ZZUOOPQH6SkISCg -+tDzzFiM9vykJXtfrR4xjemUV8UylGo7Vev5xo0AlobXTEdpy0D4VaeW71d45Rn6h -+WYYnybmgJ/bCkZeDAWDAH+mWZNS89XPHRaooaZv8Uuktu7FtfmCou5e0dtPZevPF -+qSCExRRnEvBHxqR71e7NDZt8mHR5H9S+4Io6OMFEfTwFC13TNBEiNspg9XovAjfX -+4u6wSYPKKLH88R5LAuLoBiD6dO+3SiimbaTeD/a+URCfIWUNycExS/3SnWCS2oxW -+h8uS18DwbCbW0b5N8VYldfZ8QK3+GH2B4vV7ZGOFtUW43HUUPlxqL9lpakbAgPba -+enrO2+YqzAIM5NWCvL1+fnaPVGc9deDi63sgq75VkJwBMoiBqIpwSUMUwOmL3RiC -+NdixXJR/HgjP85UrZHQRlcCfSFMduNNjof0WgamXu2TLA4K2clbdiz1DwAgCBpLP -+INKo4fiZZkjiEs3VS9iBAoIBAQD2DjnFAZ0USGpmRqecHhFOL9nZX/we/DCUrkRv -+noiEP9lIz/ITmAzCvvUuyFQcDp3LBplB+T74nvfyMJ6AzbV1Kuw7CluIje5i3wKs -+zYSc49EKxG3PvNlkpbrQkY2/FrBuwakZro/ByzrcCf783cey36IXc5s0EdXiqyB8 -+Gn2yQQvyYShAmE1HjBjcURSC8bCn1OKQNR04gbnIIUbe5kn8IIM2SD8cUPIuvBTf -+PAzAMT//6bKwi2v6Y9QK0qOIYEFLTEzonKeLlnErXxytb0wbwCbDWQLprYdSQR/3 -+ctVykylPYuTXdCW5qLL5TGuxHKzJodOI0RF8A07CYj7dcQf5AoIBAQDtYuuKp+AT -+ro7Oe4J1bUx/8YlAPDU4UgWbIQjAPUvdiRLZxVRecomNjDMvnz2G/lE8P3CPD0fD -+DZSPhUqUnqanTYLAoVyQh8Zo8NjKJ1wlE9F5CZECeGz1RGZcQBUwK7tZr3EGNw/K -+IShV8/6RVs+I3jjTll2oAoquJ4el0V7sitI6O3Bsh1AoVgZYmJV3qMdODcDJQjNj -+SVetxExhsd2SJztjp5U0uTMf6fXH41CVKo3seRPvaxAhIDpG1He1XEKeeeq3l6Uu -+vzpKmXvNmmzjCZLLY6APvLYv1o65UTn3N/MLIXjgEs07e2JNzhLhAuz5h6sPH0aM -+bx+vOhugy1FxAoIBAQCvFcxRvSYzCpx7jocx9ctGoZIYtc5HlhhTk/Wqn1pxEKXi -+w+Vzv9xEr3D0CySeml/52gYwBdWjQCsasTH4YWhfqV1TXbloX+ZjgGD86XkV0p4r 
-+VT72dWET10Ipq4j7kn+VMETNu4Mb2StW693/vSiexbcnjOHBmXdixXZmGMucjeCc -+ZjooTLeg07XU//TigGy94CQfjUvvq4+xMsylS6UVvWTguWP/GDJcwwTvHGHOWL07 -+suWt7me1UlfOI7iuECAmHnMTinVGRJTe0d0sJGg5zu9GTg5ejVYfV6wRfisYTlM0 -+5CAGl+VISRyhfJmc+9SP3ZESaAJTBl+CvjoRhJ6xAoIBAQC3Blq2mAJzClX+q0mF -+ghTGXJLG3OTnnI3H8mtN1LTGhKXtE3CeNU8KvHrGj88fYrt9aSg+lLhukezlzw4W -+kk/JlEBohsDYimaWiIONMVWhHKuX16FfNzxCyk7ld18euckEN/k7on5hCLmRs8Kl -+ijoOu88yi6+AFx2XctDqLwgx9kJqNWPTuWw6/UB9VH+BN7ca3g2y3oDCX0zjpAKE -+HF/KDMeEaTPn55acV4VxbTi3GY09MokFQhW4hKGJ9MyrHwwaJcOrc5ce+L9Xvwiu -+GA816S6t9Az3tTb+oT1/cjnv+so/3bnVgYmM/+9mL6lspRXSuiBQU3vQUOkr7/BX -+RAtxAoIBAQC2AQjrhdjyIhuzDGpL7A/IUfV9Fr37ytRY1r7pOwIVthGK3SmLbV2t -+byT4LeS1XMkpuwfiM/w4uAbRz3QhMGfgv9wUjNCpR9fBd4VZqU9HPk6TasQhxxLU -+q4O+XpvylEqPPzHkvpJUiVEfh7bXSoqbvTP7fUnJ/YzqMyq+NNkJzKccz8+I2BfN -+/WXp6HmKAKhvF2mkFbo+2IXzJoCzHRorBvj/HzMc349cvHtYErJvHZQ2wgfY5CFC -+y2/x/t1pQ6BhrJiNyC1s8jYtboY7mc1yAp6cvtWraOYYk6LCTLbRLPLNqEOKPUFH -+xHflFSh7K6rCRfJGMKKFYtdA09/CAqh+ -+-----END PRIVATE KEY----- -diff --git a/src/tests/test_CA/SSSD_test_cert_0001.config b/src/tests/test_CA/SSSD_test_cert_0001.config -new file mode 100644 -index 000000000..b6c52a148 ---- /dev/null -+++ b/src/tests/test_CA/SSSD_test_cert_0001.config -@@ -0,0 +1,20 @@ -+# This certificate is used in -+# - src/tests/cmocka/test_cert_utils.c -+# - src/tests/cmocka/test_pam_srv.c -+[ req ] -+distinguished_name = req_distinguished_name -+prompt = no -+ -+[ req_distinguished_name ] -+O = SSSD -+OU = SSSD test -+CN = SSSD test cert 0001 -+ -+[ req_exts ] -+basicConstraints = CA:FALSE -+nsCertType = client, email -+nsComment = "SSSD test Certificate" -+subjectKeyIdentifier = hash -+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment -+extendedKeyUsage = clientAuth, emailProtection -+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd// -diff --git a/src/tests/test_CA/SSSD_test_cert_0002.config b/src/tests/test_CA/SSSD_test_cert_0002.config -new file mode 100644 
-index 000000000..8722ffa7e ---- /dev/null -+++ b/src/tests/test_CA/SSSD_test_cert_0002.config -@@ -0,0 +1,19 @@ -+# This certificate is used in -+# - src/tests/cmocka/test_pam_srv.c -+[ req ] -+distinguished_name = req_distinguished_name -+prompt = no -+ -+[ req_distinguished_name ] -+O = SSSD -+OU = SSSD test -+CN = SSSD test cert 0002 -+ -+[ req_exts ] -+basicConstraints = CA:FALSE -+nsCertType = client -+nsComment = "SSSD test Certificate" -+subjectKeyIdentifier = hash -+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment -+extendedKeyUsage = clientAuth -+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd// -diff --git a/src/tests/test_CA/SSSD_test_cert_key_0001.pem b/src/tests/test_CA/SSSD_test_cert_key_0001.pem -new file mode 100644 -index 000000000..365c9897a ---- /dev/null -+++ b/src/tests/test_CA/SSSD_test_cert_key_0001.pem -@@ -0,0 +1,28 @@ -+-----BEGIN PRIVATE KEY----- -+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDX8xglLP+D54dG -+V/lndmQ7YRg1GDuaZilzh/jfAva3psSYDnn1f9wmygNx0HUjlpG72pBOaYthdp1D -+ZGayTlpSUY/3y7+pvokFlY0v9Xhg3yhUyRK95uS/LuY4L8uaoZxMXPW2iP3kzv2v -+BQQlMuBCjL+ji/tX2Zl8CHUldY7QPtSLZcklXmRvu5jHPK5W/eh8E66UNeb/dueq -+ZAzLBZb5g8Blv9dMjf/eSlM/R//au40ZBBa3CRpddaf/gOa9sNGVd6RmzwejZ47k -+hPwkx6t23ZQ7bZkk0NI3H8+/sKkM6aWZaywmLvnyClIgjgZh5zKJgv0ZFAaQ/nST -+a6ke3OetAgMBAAECggEAIHaO3qfREYcwssZu27rUfoiuFu05qJBLEu8R3pSXeiw7 -+yZADjYBXHA2qTuXDdkIgTlkg8Gi1Z0VphsQFHDDjKxTPy7R5b48REiHVQ6xnGEjz -+yysfAiU/pe3q9e9ZcDlzQZeH6JTXdhoX0MO0R9NKGzcFaBSXCDHR/O9YjPULLwq8 -+K9wZpHV6DPajoPGmZgw1qQr7Lc35nVi9AeNyTGnSrUf4hdjKiA2WA0aC3fkeKQxp -+8z6FJWKot84dGbhYK0fyM0uIMb4wS8gvTmvhjE5pltEstOY3bFebxJ5DtBJPqE5K -+FL6k2tfcctuhiwDsRWar39H5SvXzxHbyaz0nwpI9AQKBgQD2Z+vpncVGZgnV0rwK -+0dcdEMSCOj7i91OVS8IGAvwfpI6n8Hs6upO1PtqvWtnwt8lOMwF3omA5/25ZF1+K -+Y6iPxnqcg4nApG1DVDXMrV1cWUa6Sc95afJE224sZA+yKiyTZsWdxfV5y5rc5V3L -+ZOzXjHOW40W/ZuuNwKR5D9fyUQKBgQDgW5h+9NwyPg+01I9qQgsnlHPA9ndKamcH 
-+QgnAhdM75wadPnVZTNsOa46pfg0Uy/yqYSo2NZz5CmN6W3baVanyUMMmhDWHmCuV -+6nHmzwlJDiJz7S0ieEUi62NConZbU3YE6zjmKkMU0K8pZEisvX/Hb3K8Py4Jxyhy -+JdX5FRmMnQKBgQCzK2GpX6VgyTWBm1hMbcUDR3v8TaoIk1rdhlaw1F7MC3YHu59/ -+Vses1OVi+KbcmGbyS7hXa2SZB5kPgyVflZOt596kDCmQQH+Ko6LzD2SBkBETyDPq -+zxTw6LW15ZRcMrpy/BnZ3WXfiCM1WDrZeKuXGHO8VcoToRzK2DdAKDsX4QKBgQCv -+NHhrNHa8uaB0W8Y/eaHSX+jhWNehgmRA075f3WIvFmQg6cSkXxN2OGJpVCmNAxum -+Rki7mrSh+w3iYIj5Sgp0U8OCUZ6n7BqlcTdPwoCCz4nyM9aaY4fCFEYopEx/VzcD -+8lk1zO0j1S/kyA7E7xtZOFxGS6R9OE0KjyeA44xXNQKBgFRbzhYNerXwepfYi0bR -+plJ8Jg4q4DI+m5QlKGjQLsX4e0sdyOgD8mV3iYofzrull5KZeRQy5qbO9EypFXQ5 -++16FbR7VTYgKcwHNtC+8EcsSVwgk57ox4jDY6A/X1DBKUT+m/XyJYE79ZCsFVvl+ -+O8zzsFaOeoxTVyVxjHmuhZ6U -+-----END PRIVATE KEY----- -diff --git a/src/tests/test_CA/SSSD_test_cert_key_0002.pem b/src/tests/test_CA/SSSD_test_cert_key_0002.pem -new file mode 100644 -index 000000000..d80349f50 ---- /dev/null -+++ b/src/tests/test_CA/SSSD_test_cert_key_0002.pem -@@ -0,0 +1,28 @@ -+-----BEGIN PRIVATE KEY----- -+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCvhgVEGejE4Gcr -+b2lXw2scPpvXa2BaJ2DtFNgofEKhPlBoS7E913YXIG+kSE2i7YezAzHyd0hVEBqR -+QVlhGg5LCeOrQTRASSNUCgWzEXnRbPrvQbeZc7T6k1QIAmTNlpIc7mrO5bjOkR6Y -+DVNTDmW90aCo4IyarJAru1xQTjS+TDtJNvIgqI1BtnpH67JXt/2UsQYAD4lQQmAf -+gEj3a2bD+EuJVVFt4rar+QE3EUZi265cK3IfV6OkzDP/ZuN9sxr5adk0QE/2jC+b -+1sB0VxLxWhGszuOtdhkO/bxcfjWj/EWGa0nezukDeob3k+b4f6Z5kfW9GJCdCOOQ -+Rr1Mv6oZAgMBAAECggEAUICdZbCka7eoWemNXS1JsPieLV0YIgExmUsYIOls/dtA -+sbUVo5FwngbIbYaj5PggZuAuRlCjIjBynvBj9/8lUxFEFEWhm2JwC5lVJ936Cy16 -+ocV4Wa8R8GMmBU5jwU8v0Ikg/6eo7UTtzTs/XjaaP0cn8oyasE45CXWzTzmvQx+d -+FwfcTkhc6KALf+CHTk7mE8QT3vMgVQMRiisF998fnJDkW9U4pPygcg1BAq8wjix8 -+YwVAlk/Vq6MxmOViqTNEmnBd5dfZ/f9SYGkR7AvZgENEDNtkd7fE37YXdTSYfBWd -+lhHm4UkTUSsHl+Xx5w5r/e9xcK/z/49WUJnK2mVcAQKBgQDUv+szGloLyy0OT9SK -+qqqiL7AtUtfCRPH9Gk/UYBGLzktuioac9m1tDo5RsiInFjSmBe4wTGrkhrAJP1Vh -+DOpXGqMe0cV/QqOL/XnsJi6ySHzGhiR+F+iBQLk13ya1TIiGIG65mxVU7ZceBWzH 
-+AoAjkwV9c/lUGX3yhJ8zUPPYQQKBgQDTNL/WNNHx5PD8XV9voupVFh5nLA9CqCYR -+/07O8pMKve/DjswT40mz/Bwd8xKPFIjTtPMuRd1mORnkF/Q/1WuO5dZG6UUTQT5V -+KdtI8VwhQlTz7/DjXm4O+mkwY9vfhTQylUsqh2rX6WkIedj1b6rT5Jg6fHMn34N2 -+/9UGEp6b2QKBgQCIJ4MIo3a5UYA2RpTJYcvuHALuHrSCWclcp/gq/Ih+JrpTtkfM -+MFF7l/MxCYWd6jIrhmQXePB37FLAuE2V3MQklqGKWcnBVg6Ayum6Xf1Ij+d6zeKQ -+6BAemCNv/K4zHRXKcPsrwbp3Lc6moeYpvsnu+mprDUulrOLT0FhqaQaFgQKBgQDG -+dqfZUlMBub8VdWwri+wkvh8dldJVMYpsmPrmDh1MF8TIf1OXUJm+TiXhorqKxqH4 -+Re3JSo9L8lY49qVmolZqteCPS73D5Sf8gNN1DJAlFJ6dhpdWIDLNUlMrzHoc5J9y -+9MToFs24S7WN6GmN4Dum1wSQ2Mag7jArzyTOiwqNqQKBgFh12/YF4tiePqG1aOaB -++L5GgA/ux+6SNj5TkqeiKqPaptg1tnM/T/ChiWmwZzee1ZeMEBbDWtbEMf15In7/ -+OM5OSMU+SIgWposXDTDKM9ZMQZW6h9IQy/IxwvF8BrroS0vF9vOXKOz4Aw+5Kugq -+JxM2HRDRdC23CGRuGjv+hO4d -+-----END PRIVATE KEY----- --- -2.17.0 - diff --git a/0054-TESTS-replace-hardcoded-certificates.patch b/0054-TESTS-replace-hardcoded-certificates.patch deleted file mode 100644 index 3923899..0000000 --- a/0054-TESTS-replace-hardcoded-certificates.patch +++ /dev/null 
@@ -1,365 +0,0 @@ -From a6514e1829c018c7b68b168e6206ec51bd8a7e08 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 14 Feb 2019 18:35:49 +0100 -Subject: [PATCH] TESTS: replace hardcoded certificates -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Since the hardcoded certificates have a limited lifetime they are -replaces by certificates from the test CA. - -Related to https://pagure.io/SSSD/sssd/issue/3436 - -Reviewed-by: Lukáš Slebodník -(cherry picked from commit 0dc7f90667df6420bc9e93ae2c8bacd6ea148f0f) ---- - src/tests/cmocka/test_cert_utils.c | 41 ++++-------- - src/tests/cmocka/test_pam_srv.c | 104 +++++++++++------------------ - 2 files changed, 50 insertions(+), 95 deletions(-) - -diff --git a/src/tests/cmocka/test_cert_utils.c b/src/tests/cmocka/test_cert_utils.c -index f50030e49..dd58b73a7 100644 ---- a/src/tests/cmocka/test_cert_utils.c -+++ b/src/tests/cmocka/test_cert_utils.c -@@ -34,6 +34,13 @@ - #include "util/crypto/nss/nss_util.h" - #include "util/crypto/sss_crypto.h" - -+#ifdef HAVE_TEST_CA -+#include "tests/test_CA/SSSD_test_cert_pubsshkey_0001.h" -+#include "tests/test_CA/SSSD_test_cert_x509_0001.h" -+#else -+#define SSSD_TEST_CERT_0001 "" -+#define SSSD_TEST_CERT_SSH_KEY_0001 "" -+#endif - - /* TODO: create a certificate for this test */ - const uint8_t test_cert_der[] = { -@@ -325,32 +332,6 @@ void test_sss_cert_derb64_to_ldap_filter(void **state) - talloc_free(filter); - } - --#define SSH_TEST_CERT \ --"MIIECTCCAvGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \ --"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA1MjMx" \ --"NDEzNDlaFw0xODA1MjQxNDEzNDlaMDIxEjAQBgNVBAoMCUlQQS5ERVZFTDEcMBoG" \ --"A1UEAwwTaXBhLWRldmVsLmlwYS5kZXZlbDCCASIwDQYJKoZIhvcNAQEBBQADggEP" \ --"ADCCAQoCggEBALfEAE0IUlOAgDTdZQGcYA03IPooixNnkUQruh0eU3uw+KYGQoS1" \ --"YCdCHJzRc+IfuqdNntgtGDIpWADRwB4h963pBImpMSU5L1T4uiHNCpvl9eMt4ynk" \ --"xduOa+JmJUvqvwe7Gj9iDql4lWmJcXvq74/yOc3MBSPQCdg/pHZU65+NjSZmZzlN" \ 
--"eNV3tQKrhMe6tM00pai2igXilfUpzOU2v+AX69oOesrqTUl9i2eCUirGanR9l95d" \ --"yVCcmIDJd2P2NLIkhbHGRitfTC/tQZ4G+Edg9STw8Y+4ljp2rTHs59dWRBe2Gn8Z" \ --"Zt8zZ5WuNxARVF1THI9X6ydX/uoaz8R7pfkCAwEAAaOCASYwggEiMB8GA1UdIwQY" \ --"MBaAFPci/0Km5D/L5z7YqwEc7E1/GwgcMDsGCCsGAQUFBwEBBC8wLTArBggrBgEF" \ --"BQcwAYYfaHR0cDovL2lwYS1jYS5pcGEuZGV2ZWwvY2Evb2NzcDAOBgNVHQ8BAf8E" \ --"BAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdHwRtMGsw" \ --"aaAxoC+GLWh0dHA6Ly9pcGEtY2EuaXBhLmRldmVsL2lwYS9jcmwvTWFzdGVyQ1JM" \ --"LmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRl" \ --"IEF1dGhvcml0eTAdBgNVHQ4EFgQUMydoshxYXhDXOMo/EETvrZaQuBwwDQYJKoZI" \ --"hvcNAQELBQADggEBADIrTFNvEdZGna7jD1xpiLGGUwCi11GQT+Txg5B7dydUn5U5" \ --"32zSBBZV6bsy0E+PiiAgehJObv9hBaOWnhp7ltNyQod1OLdI1t988ow2wxHvUEEi" \ --"MhRF0h2RJwdYIUIIF7XC01mKBOFj/84vvMOgLToZnGqVzArkzpr1aCaHI7EoTkpb" \ --"V16v+drZkXc47JuHg5CRjTHV/kFPm63gQ8Fstmw/dQZBzbCiVzmcG0Xm9r4jMOOf" \ --"YjVueMt/jk1LP4KoSCBY6kLMcpL5rQm53hO82rPAgV695rjdPlIUm09dvkCl28ZD" \ --"109Ju18eAaaVFewK82NDg9rsNraBKxMCBSgg0es=" -- --#define SSH_PUB_KEY "AAAAB3NzaC1yc2EAAAADAQABAAABAQC3xABNCFJTgIA03WUBnGANNyD6KIsTZ5FEK7odHlN7sPimBkKEtWAnQhyc0XPiH7qnTZ7YLRgyKVgA0cAeIfet6QSJqTElOS9U+LohzQqb5fXjLeMp5MXbjmviZiVL6r8Huxo/Yg6peJVpiXF76u+P8jnNzAUj0AnYP6R2VOufjY0mZmc5TXjVd7UCq4THurTNNKWotooF4pX1KczlNr/gF+vaDnrK6k1JfYtnglIqxmp0fZfeXclQnJiAyXdj9jSyJIWxxkYrX0wv7UGeBvhHYPUk8PGPuJY6dq0x7OfXVkQXthp/GWbfM2eVrjcQEVRdUxyPV+snV/7qGs/Ee6X5" -- - void test_cert_to_ssh_key(void **state) - { - int ret; -@@ -366,13 +347,13 @@ void test_cert_to_ssh_key(void **state) - struct test_state *ts = talloc_get_type_abort(*state, struct test_state); - assert_non_null(ts); - -- der = sss_base64_decode(ts, SSH_TEST_CERT, &der_size); -+ der = sss_base64_decode(ts, SSSD_TEST_CERT_0001, &der_size); - assert_non_null(der); - -- exp_key = sss_base64_decode(ts, SSH_PUB_KEY, &exp_key_size); -+ exp_key = sss_base64_decode(ts, SSSD_TEST_CERT_SSH_KEY_0001, &exp_key_size); - assert_non_null(exp_key); - -- ret = 
cert_to_ssh_key(ts, "sql:" ABS_SRC_DIR "/src/tests/cmocka/p11_nssdb", -+ ret = cert_to_ssh_key(ts, "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb", - der, der_size, &cert_verify_opts, &key, &key_size); - assert_int_equal(ret, EOK); - assert_int_equal(key_size, exp_key_size); -@@ -407,8 +388,10 @@ int main(int argc, const char *argv[]) - setup, teardown), - cmocka_unit_test_setup_teardown(test_sss_cert_derb64_to_ldap_filter, - setup, teardown), -+#ifdef HAVE_TEST_CA - cmocka_unit_test_setup_teardown(test_cert_to_ssh_key, - setup, teardown), -+#endif - }; - - /* Set debug level to invalid value so we can decide if -d 0 was used. */ -diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c -index c510c2d3b..e68e81f97 100644 ---- a/src/tests/cmocka/test_pam_srv.c -+++ b/src/tests/cmocka/test_pam_srv.c -@@ -38,6 +38,14 @@ - #include "util/crypto/nss/nss_util.h" - #endif - -+#ifdef HAVE_TEST_CA -+#include "tests/test_CA/SSSD_test_cert_x509_0001.h" -+#include "tests/test_CA/SSSD_test_cert_x509_0002.h" -+#else -+#define SSSD_TEST_CERT_0001 "" -+#define SSSD_TEST_CERT_0002 "" -+#endif -+ - #define TESTS_PATH "tp_" BASE_FILE_STEM - #define TEST_CONF_DB "test_pam_conf.ldb" - #define TEST_DOM_NAME "pam_test" -@@ -52,55 +60,11 @@ - - #define TEST_TOKEN_NAME "SSSD Test Token" - #define TEST_MODULE_NAME "NSS-Internal" --#define TEST_KEY_ID "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7" --#define TEST_PROMPT "Server-Cert\nCN=ipa-devel.ipa.devel,O=IPA.DEVEL" --#define TEST_TOKEN_CERT \ --"MIIECTCCAvGgAwIBAgIBCTANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \ --"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA1MjMx" \ --"NDE0MTVaFw0xODA1MjQxNDE0MTVaMDIxEjAQBgNVBAoMCUlQQS5ERVZFTDEcMBoG" \ --"A1UEAwwTaXBhLWRldmVsLmlwYS5kZXZlbDCCASIwDQYJKoZIhvcNAQEBBQADggEP" \ --"ADCCAQoCggEBALHvOzZy/3llvoAYxrtOpux0gDVvSuSRpTGOW/bjpgdTowvXoOb5" \ --"G9Cy/9S6be7ZJ9D95lc/J9W8tX+ShKN8Q4b74l4WjmILQJ4dUsJ/BXfvoMPR8tw/" \ 
--"G47dGbLZanMXdWGBSTuXhoiogZWib2DhSwrX2DbEH5L3OWooeAVU5ZWOw55/HD7O" \ --"Q/7Of7H3tf4bvxNTFkxh39KQMG28wjPZSv+SZWNHMB+rj2yZgyeHBMkoPOPesAEi" \ --"7KKHxw1MHSv2xBI1AiV+aMdKfYUMy0Rq3PrRU4274i3eaBX4Q9GnDi36K/7bHjbt" \ --"LW0YTIW/L5/cH/BO88BREjxS3bEXAQqlKOcCAwEAAaOCASYwggEiMB8GA1UdIwQY" \ --"MBaAFPci/0Km5D/L5z7YqwEc7E1/GwgcMDsGCCsGAQUFBwEBBC8wLTArBggrBgEF" \ --"BQcwAYYfaHR0cDovL2lwYS1jYS5pcGEuZGV2ZWwvY2Evb2NzcDAOBgNVHQ8BAf8E" \ --"BAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdHwRtMGsw" \ --"aaAxoC+GLWh0dHA6Ly9pcGEtY2EuaXBhLmRldmVsL2lwYS9jcmwvTWFzdGVyQ1JM" \ --"LmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRl" \ --"IEF1dGhvcml0eTAdBgNVHQ4EFgQUIJuWIts3m3uEYqJ9pUL0y7utTiEwDQYJKoZI" \ --"hvcNAQELBQADggEBAB0GyqGxtZ99fsXA1+fHfAwKOwznT7Hh8hN9efEMBJICVud+" \ --"ivUBOH6JpSTWgNLuBhrpebV/b/DSjhn+ayuvoPWng3hjwMbSEIe0euzCEdwVcokt" \ --"bwNMMSeTxSg6wbJnEyZqQEIr2h/TR9dRNxE+RbQXyamW0fUxSVT16iueL0hMwszT" \ --"jCfI/UZv3tDMHbh6D4811A0HO8daW7ufMGb/M+kDxYigJiL2gllMZ+6xba1RRgzF" \ --"8Z+9gqZhCa7FEKJOPNR9RVtJs0qUUutMZrp1zpyx0GTmXQBA7LbgPxy8L68uymEQ" \ --"XyQBwOYRORlnfGyu+Yc9c3E0Wx8Tlznz0lqPR9g=" -- --#define TEST2_KEY_ID "C8D60E009EB195D01A7083EE1D5419251AA87C2C" --#define TEST2_PROMPT "ipaCert\nCN=IPA RA,O=IPA.DEVEL" --#define TEST_TOKEN_2ND_CERT \ --"MIIDazCCAlOgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \ --"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA1MjMx" \ --"NDEzMDFaFw0xODA1MTMxNDEzMDFaMCUxEjAQBgNVBAoMCUlQQS5ERVZFTDEPMA0G" \ --"A1UEAwwGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3abE" \ --"8LmIc6QN16VVxsMlN/rrCOoZKyyJolSzpP4+K66t+KZUiW/1j1MZogjyYyD39U1F" \ --"zpa2H+pID74XYrdiqP7sp+uE9/k2XOv/nN3FobXDt+fSINLDriCmxNhUZqpgo2uq" \ --"Mmka+yx2iJZwkntEoJTcd3aynoa2Sa2ZZbkMBy5p6/pUQKwnD6scOwe6mUDppIBK" \ --"+ZZRm+u/NDdIRFI5wfKLRR1r/ONaJA9nz1TxSEsgLsjG/1m+Zbb6lGG4pePIFkQ9" \ --"Iotpi64obBh93oIxzQR29lBG/FMjQVHlPIbx+xuGx11Vtp5pAomgFz0HRrj0leI7" \ --"bROE+jnC/VGPLQD2aQIDAQABo4GWMIGTMB8GA1UdIwQYMBaAFPci/0Km5D/L5z7Y" \ 
--"qwEc7E1/GwgcMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAYYlaHR0cDovL2lw" \ --"YS1kZXZlbC5pcGEuZGV2ZWw6ODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYD" \ --"VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBg" \ --"4Sppx2C3eXPJ4Pd9XElkQPOaBReXf1vV0uk/GlK+rG+aAqAkA2Lryx5PK/iAuzAU" \ --"M6JUpELuQYgqugoCgBXMgsMlpAO/0C3CFq4ZH3KgIsRlRngKPrt6RG0UPMRD1CE2" \ --"tSVkwUWvyK83lDiu2BbWDXyMyz5eZOlp7uHusf5BKvob8jEndHj1YzaNTmVSsDM5" \ --"kiIwf8qgFhsO1HCq08PtAnbVHhqkcvnmIJN98eNWNfTKodDmFVbN8gB0wK+WB5ii" \ --"WVOw7+3/zF1QgqnYX3t+kPLRryip/wvTZkzXWwMNj/W6UHgjNF/4gWGoBgCHu+u3" \ --"EvjMmbVSrEkesibpGQS5" -+#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17" -+#define TEST_PROMPT "SSSD test cert 0001 - SSSD\nCN=SSSD test cert 0001,OU=SSSD test,O=SSSD" - -+#define TEST2_KEY_ID "5405842D56CF31F0BB025A695C5F3E907051C5B9" -+#define TEST2_PROMPT "SSSD test cert 0002 - SSSD\nCN=SSSD test cert 0002,OU=SSSD test,O=SSSD" - - static char CACHED_AUTH_TIMEOUT_STR[] = "4"; - static const int CACHED_AUTH_TIMEOUT = 4; -@@ -187,7 +151,7 @@ static errno_t setup_nss_db(void) - DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n"); - return ret; - } -- ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/cmocka/p11_nssdb' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_SRC_DIR); -+ ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/test_CA/p11_nssdb' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_BUILD_DIR); - if (ret < 0) { - DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n"); - return ret; -@@ -208,7 +172,7 @@ static errno_t setup_nss_db(void) - DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n"); - return ret; - } -- ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/cmocka/p11_nssdb_2certs' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_SRC_DIR); -+ ret = fprintf(fp, 
"parameters=configdir='sql:%s/src/tests/test_CA/p11_nssdb_2certs' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_BUILD_DIR); - if (ret < 0) { - DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n"); - return ret; -@@ -451,6 +415,7 @@ static int pam_test_setup(void **state) - return 0; - } - -+#ifdef HAVE_TEST_CA - #ifdef HAVE_NSS - static int pam_test_setup_no_verification(void **state) - { -@@ -476,6 +441,7 @@ static int pam_test_setup_no_verification(void **state) - return 0; - } - #endif /* HAVE_NSS */ -+#endif /* HAVE_TEST_CA */ - - static int pam_cached_test_setup(void **state) - { -@@ -1915,6 +1881,7 @@ static int test_lookup_by_cert_cb(void *pvt) - - return EOK; - } -+ - static int test_lookup_by_cert_cb_2nd_cert_same_user(void *pvt) - { - int ret; -@@ -1927,7 +1894,7 @@ static int test_lookup_by_cert_cb_2nd_cert_same_user(void *pvt) - attrs = sysdb_new_attrs(pam_test_ctx); - assert_non_null(attrs); - -- der = sss_base64_decode(pam_test_ctx, TEST_TOKEN_2ND_CERT, &der_size); -+ der = sss_base64_decode(pam_test_ctx, SSSD_TEST_CERT_0002, &der_size); - assert_non_null(der); - - ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size); -@@ -2033,7 +2000,7 @@ void test_pam_preauth_cert_match(void **state) - set_cert_auth_param(pam_test_ctx->pctx, NSS_DB); - - mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, -- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false); -+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false); - - will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); - will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -@@ -2057,7 +2024,7 @@ void test_pam_preauth_cert_match_gdm_smartcard(void **state) - - mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, - "gdm-smartcard", test_lookup_by_cert_cb, -- TEST_TOKEN_CERT, false); -+ SSSD_TEST_CERT_0001, false); - - will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); - 
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -@@ -2080,7 +2047,7 @@ void test_pam_preauth_cert_match_wrong_user(void **state) - - mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, - test_lookup_by_cert_wrong_user_cb, -- TEST_TOKEN_CERT, false); -+ SSSD_TEST_CERT_0001, false); - - will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); - will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -@@ -2111,7 +2078,7 @@ void test_pam_preauth_cert_no_logon_name(void **state) - * request will be done with the username found by the certificate - * lookup. */ - mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, -- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false); -+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false); - mock_account_recv_simple(); - mock_parse_inp("pamuser", NULL, EOK); - -@@ -2140,7 +2107,7 @@ void test_pam_preauth_cert_no_logon_name_with_hint(void **state) - * during pre-auth and there is no need for an extra mocked response as in - * test_pam_preauth_cert_no_logon_name. 
*/ - mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, -- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false); -+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false); - - will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); - will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -@@ -2162,7 +2129,8 @@ void test_pam_preauth_cert_no_logon_name_double_cert(void **state) - set_cert_auth_param(pam_test_ctx->pctx, NSS_DB); - - mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, -- test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, false); -+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001, -+ false); - - will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); - will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -@@ -2185,7 +2153,8 @@ void test_pam_preauth_cert_no_logon_name_double_cert_with_hint(void **state) - pam_test_ctx->rctx->domains->user_name_hint = true; - - mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, -- test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, false); -+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001, -+ false); - - will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); - will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -@@ -2258,8 +2227,8 @@ void test_pam_cert_auth(void **state) - * in the cache and no second request to the backend is needed. */ - mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", - "NSS-Internal", -- "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7", NULL, -- test_lookup_by_cert_cb, TEST_TOKEN_CERT, true); -+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL, -+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, true); - - will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); - will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -@@ -2292,8 +2261,8 @@ void test_pam_cert_auth_no_logon_name(void **state) - * in the cache and no second request to the backend is needed. 
*/ - mock_input_pam_cert(pam_test_ctx, NULL, "123456", "SSSD Test Token", - "NSS-Internal", -- "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7", NULL, -- test_lookup_by_cert_cb, TEST_TOKEN_CERT, true); -+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL, -+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, true); - - mock_account_recv_simple(); - mock_parse_inp("pamuser", NULL, EOK); -@@ -2354,8 +2323,9 @@ void test_pam_cert_auth_double_cert(void **state) - - mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", - "NSS-Internal", -- "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7", NULL, -- test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, true); -+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL, -+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001, -+ true); - - will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); - will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -@@ -2380,7 +2350,7 @@ void test_pam_cert_preauth_2certs_one_mapping(void **state) - set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS); - - mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, -- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false); -+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false); - - will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); - will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -@@ -2403,7 +2373,7 @@ void test_pam_cert_preauth_2certs_two_mappings(void **state) - - mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, - test_lookup_by_cert_cb_2nd_cert_same_user, -- TEST_TOKEN_CERT, false); -+ SSSD_TEST_CERT_0001, false); - - will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); - will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); -@@ -2812,6 +2782,7 @@ int main(int argc, const char *argv[]) - cmocka_unit_test_setup_teardown(test_pam_cached_auth_failed_combined_pw_with_cached_2fa, - pam_cached_test_setup, - pam_test_teardown), -+#ifdef HAVE_TEST_CA - /* p11_child is not built without NSS */ 
- #ifdef HAVE_NSS - cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nocert, -@@ -2856,6 +2827,7 @@ int main(int argc, const char *argv[]) - cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id, - pam_test_setup, pam_test_teardown), - #endif /* HAVE_NSS */ -+#endif /* HAVE_TEST_CA */ - - cmocka_unit_test_setup_teardown(test_filter_response, - pam_test_setup, pam_test_teardown), --- -2.17.0 - diff --git a/0055-DYNDNS-Move-the-retry-logic-into-a-separate-function.patch b/0055-DYNDNS-Move-the-retry-logic-into-a-separate-function.patch deleted file mode 100644 index e176b6d..0000000 --- a/0055-DYNDNS-Move-the-retry-logic-into-a-separate-function.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 4452b5e6adb03378ccb8e581e60e73c2237644cf Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Mon, 30 Apr 2018 11:16:25 +0200 -Subject: [PATCH] DYNDNS: Move the retry logic into a separate function -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Let's not repeat ourselves - -Related to: -https://pagure.io/SSSD/sssd/issue/3725 - -Reviewed-by: Fabiano Fidêncio -(cherry picked from commit 65034a715e5071ad944bf37b414c6a36bf60cf29) ---- - src/providers/ldap/sdap_dyndns.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c -index 9d28b5758..f791ba9f3 100644 ---- a/src/providers/ldap/sdap_dyndns.c -+++ b/src/providers/ldap/sdap_dyndns.c -@@ -79,6 +79,16 @@ static struct sss_iface_addr* - sdap_get_address_to_delete(struct sss_iface_addr *address_it, - uint8_t remove_af); - -+static bool should_retry(int child_status) -+{ -+ if (WIFEXITED(child_status) -+ && WEXITSTATUS(child_status) != 0) { -+ return true; -+ } -+ -+ return false; -+} -+ - struct tevent_req * - sdap_dyndns_update_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, -@@ -371,8 +381,7 @@ sdap_dyndns_update_done(struct tevent_req *subreq) - if (ret != EOK) { - /* If the update didn't succeed, we can retry using the server name */ - if (state->fallback_mode == false -- && WIFEXITED(child_status) -- && WEXITSTATUS(child_status) != 0) { -+ && should_retry(child_status)) { - state->fallback_mode = true; - DEBUG(SSSDBG_MINOR_FAILURE, - "nsupdate failed, retrying.\n"); -@@ -514,8 +523,7 @@ sdap_dyndns_update_ptr_done(struct tevent_req *subreq) - if (ret != EOK) { - /* If the update didn't succeed, we can retry using the server name */ - if (state->fallback_mode == false -- && WIFEXITED(child_status) -- && WEXITSTATUS(child_status) != 0) { -+ && should_retry(child_status)) { - state->fallback_mode = true; - DEBUG(SSSDBG_MINOR_FAILURE, 
"nsupdate failed, retrying\n"); - ret = sdap_dyndns_update_ptr_step(req); --- -2.17.0 - diff --git a/0056-DYNDNS-Retry-also-on-timeouts.patch b/0056-DYNDNS-Retry-also-on-timeouts.patch deleted file mode 100644 index 98ebfd0..0000000 --- a/0056-DYNDNS-Retry-also-on-timeouts.patch +++ /dev/null 
@@ -1,65 +0,0 @@
-From 288c9c42534f0ae24af51ad4b439cdd2656266f9 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Mon, 30 Apr 2018 11:18:49 +0200
-Subject: [PATCH] DYNDNS: Retry also on timeouts
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There is the dyndns_server option that is supposed to make it possible
-for the admin to select a server to update DNS with if the server
-detected by nsupdate does not work. The fallback works OK for the case
-where nsupdate fails with a non-zero return code, but doesn't work
-for the case where nsupdate times out.
-
-This patch extends the retry condition to also fallback to the
-dyndns_server directive if nsupdate return ERR_DYNDNS_TIMEOUT.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3725
-
-Reviewed-by: Fabiano Fidêncio
-(cherry picked from commit b57dfac8a047494162395422447ed5675806cfdc)
----
- src/providers/ldap/sdap_dyndns.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c
-index f791ba9f3..20d97ca41 100644
---- a/src/providers/ldap/sdap_dyndns.c
-+++ b/src/providers/ldap/sdap_dyndns.c
-@@ -79,10 +79,10 @@ static struct sss_iface_addr*
- sdap_get_address_to_delete(struct sss_iface_addr *address_it,
- uint8_t remove_af);
-
--static bool should_retry(int child_status)
-+static bool should_retry(int nsupdate_ret, int child_status)
- {
-- if (WIFEXITED(child_status)
-- && WEXITSTATUS(child_status) != 0) {
-+ if ((WIFEXITED(child_status) && WEXITSTATUS(child_status) != 0)
-+ || nsupdate_ret == ERR_DYNDNS_TIMEOUT) {
- return true;
- }
-
-@@ -381,7 +381,7 @@ sdap_dyndns_update_done(struct tevent_req *subreq)
- if (ret != EOK) {
- /* If the update didn't succeed, we can retry using the server name */
- if (state->fallback_mode == false
-- && should_retry(child_status)) {
-+ && should_retry(ret, child_status)) {
- state->fallback_mode = true;
- DEBUG(SSSDBG_MINOR_FAILURE,
- 
"nsupdate failed, retrying.\n"); -@@ -523,7 +523,7 @@ sdap_dyndns_update_ptr_done(struct tevent_req *subreq) - if (ret != EOK) { - /* If the update didn't succeed, we can retry using the server name */ - if (state->fallback_mode == false -- && should_retry(child_status)) { -+ && should_retry(ret, child_status)) { - state->fallback_mode = true; - DEBUG(SSSDBG_MINOR_FAILURE, "nsupdate failed, retrying\n"); - ret = sdap_dyndns_update_ptr_step(req); --- -2.17.0 - diff --git a/0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch b/0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch deleted file mode 100644 index a787a96..0000000 --- a/0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch +++ /dev/null 
@@ -1,50 +0,0 @@
-From 1ff0edffde5b86e73c20c485236b9b20f22f6f7a Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Mon, 30 Apr 2018 15:31:49 +0200
-Subject: [PATCH] AD: Warn if the LDAP schema is overriden with the AD provider
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3726
-
-Reviewed-by: Fabiano Fidêncio
-(cherry picked from commit 3cff2c5e563d967366d534bd3fc8c410f6467ea6)
----
- src/providers/ad/ad_common.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
-index d92c68e6f..c39dcfad6 100644
---- a/src/providers/ad/ad_common.c
-+++ b/src/providers/ad/ad_common.c
-@@ -1000,6 +1000,7 @@ ad_set_sdap_options(struct ad_options *ad_opts,
- errno_t ret;
- char *krb5_realm;
- char *keytab_path;
-+ const char *schema;
-
- /* We only support Kerberos password policy with AD, so
- * force that on.
-@@ -1050,6 +1051,17 @@ ad_set_sdap_options(struct ad_options *ad_opts,
- goto done;
- }
-
-+ /* Warn if the user is doing something silly like overriding the schema
-+ * with the AD provider
-+ */
-+ schema = dp_opt_get_string(id_opts->basic, SDAP_SCHEMA);
-+ if (schema != NULL && strcasecmp(schema, "ad") != 0) {
-+ DEBUG(SSSDBG_IMPORTANT_INFO,
-+ "The AD provider only supports the AD LDAP schema. "
-+ "SSSD will ignore the ldap_schema option value and proceed "
-+ "with ldap_schema=ad\n");
-+ }
-+
- /* fix schema to AD */
- id_opts->schema_type = SDAP_SCHEMA_AD;
-
---
-2.17.0
-
diff --git a/0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch b/0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
deleted file mode 100644
index 6088872..0000000
--- a/0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
+++ /dev/null
@@ -1,144 +0,0 @@ -From f2c1a2c4a209f1d8db13ec8a875b5787747dca61 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Tue, 1 May 2018 21:05:21 +0200 -Subject: [PATCH] SYSDB: Only check non-POSIX groups for GID conflicts -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When checking for a GID conflict, it doesn't make sense to check for one -when the group being added is a non-POSIX one, because then the GID will -always be 0. - -Reviewed-by: Fabiano Fidêncio -(cherry picked from commit 8a8285cf515c78709e16ec03b254c89466fe3ea2) ---- - src/db/sysdb_ops.c | 38 ++++++++++++++++--------------- - src/tests/sysdb-tests.c | 50 ++++++++++++++++++++++++++++++++++++++++- - 2 files changed, 69 insertions(+), 19 deletions(-) - -diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c -index 93b967e75..124c1285e 100644 ---- a/src/db/sysdb_ops.c -+++ b/src/db/sysdb_ops.c -@@ -2388,28 +2388,30 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain, - return ENOMEM; - } - -- ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs, &msg); -- if (ret == EOK) { -- for (int i = 0; !same && group_attrs[i] != NULL; i++) { -- previous = ldb_msg_find_attr_as_string(msg, -- group_attrs[i], -- NULL); -- if (previous != NULL && values[i] != NULL) { -- same = strcmp(previous, values[i]) == 0; -+ if (posix) { -+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs, &msg); -+ if (ret == EOK) { -+ for (int i = 0; !same && group_attrs[i] != NULL; i++) { -+ previous = ldb_msg_find_attr_as_string(msg, -+ group_attrs[i], -+ NULL); -+ if (previous != NULL && values[i] != NULL) { -+ same = strcmp(previous, values[i]) == 0; -+ } -+ } -+ -+ if (same == true) { -+ DEBUG(SSSDBG_TRACE_LIBS, -+ "The group with GID [%"SPRIgid"] was renamed\n", gid); -+ ret = ERR_GID_DUPLICATED; -+ goto done; - } -- } - -- if (same == true) { -- DEBUG(SSSDBG_TRACE_LIBS, -- "The group with GID [%"SPRIgid"] was renamed\n", gid); -- ret = 
ERR_GID_DUPLICATED; -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Another group with GID [%"SPRIgid"] already exists\n", gid); -+ ret = EEXIST; - goto done; - } -- -- DEBUG(SSSDBG_OP_FAILURE, -- "Another group with GID [%"SPRIgid"] already exists\n", gid); -- ret = EEXIST; -- goto done; - } - - /* try to add the group */ -diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c -index 416dedb5e..19cdcc2f8 100644 ---- a/src/tests/sysdb-tests.c -+++ b/src/tests/sysdb-tests.c -@@ -1557,6 +1557,53 @@ START_TEST (test_sysdb_add_nonposix_user) - } - END_TEST - -+static void add_nonposix_incomplete_group(struct sysdb_test_ctx *test_ctx, -+ const char *groupname) -+{ -+ const char *get_attrs[] = { SYSDB_GIDNUM, -+ SYSDB_POSIX, -+ NULL }; -+ struct ldb_message *msg; -+ const char *attrval; -+ const char *fq_name; -+ int ret; -+ uint64_t id; -+ -+ /* Create group */ -+ fq_name = sss_create_internal_fqname(test_ctx, groupname, test_ctx->domain->name); -+ fail_if(fq_name == NULL, "Failed to create fq name."); -+ -+ ret = sysdb_add_incomplete_group(test_ctx->domain, fq_name, 0, -+ NULL, NULL, NULL, false, 0); -+ fail_if(ret != EOK, "sysdb_add_group failed."); -+ -+ /* Test */ -+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, fq_name, get_attrs, &msg); -+ fail_if(ret != EOK, "sysdb_search_group_by_name failed."); -+ -+ attrval = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL); -+ fail_if(strcasecmp(attrval, "false") != 0, "Got bad attribute value."); -+ -+ id = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 123); -+ fail_unless(id == 0, "Wrong GID value"); -+} -+ -+START_TEST (test_sysdb_add_nonposix_group) -+{ -+ struct sysdb_test_ctx *test_ctx; -+ int ret; -+ -+ /* Setup */ -+ ret = setup_sysdb_tests(&test_ctx); -+ fail_if(ret != EOK, "Could not set up the test"); -+ -+ add_nonposix_incomplete_group(test_ctx, "nonposix1"); -+ add_nonposix_incomplete_group(test_ctx, "nonposix2"); -+ -+ talloc_free(test_ctx); -+} -+END_TEST -+ - START_TEST (test_sysdb_add_group_member) 
- { - struct sysdb_test_ctx *test_ctx; -@@ -7268,8 +7315,9 @@ Suite *create_sysdb_suite(void) - /* Test GetUserAttr with subdomain user */ - tcase_add_test(tc_sysdb, test_sysdb_get_user_attr_subdomain); - -- /* Test adding a non-POSIX user */ -+ /* Test adding a non-POSIX user and group */ - tcase_add_test(tc_sysdb, test_sysdb_add_nonposix_user); -+ tcase_add_test(tc_sysdb, test_sysdb_add_nonposix_group); - - /* ===== NETGROUP TESTS ===== */ - --- -2.17.0 - diff --git a/0059-Do-not-keep-allocating-external-groups-on-a-long-liv.patch b/0059-Do-not-keep-allocating-external-groups-on-a-long-liv.patch deleted file mode 100644 index dbb2c02..0000000 --- a/0059-Do-not-keep-allocating-external-groups-on-a-long-liv.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From dfcc67f54823bee15632cf52704842863e8b8a93 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Tue, 3 Apr 2018 21:48:37 +0200 -Subject: [PATCH] Do not keep allocating external groups on a long-lived - context -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The hash table with the external groups was never freed, so the -server_mode->ext_groups context was growing over time. - -This patch keeps the new hash on the state if something failed, then -frees the previous hash and finally steals the new hash onto the server -mode. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3719 - -Signed-off-by: Sumit Bose -Reviewed-by: Fabiano Fidêncio -(cherry picked from commit 10213efaf1f9f587b47a82778a252d79863f665e) ---- - src/providers/ipa/ipa_subdomains_ext_groups.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c -index 9e1d6c3a9..63ff7c7d7 100644 ---- a/src/providers/ipa/ipa_subdomains_ext_groups.c -+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c -@@ -583,14 +583,19 @@ static void ipa_get_ext_groups_done(struct tevent_req *subreq) - DEBUG(SSSDBG_TRACE_FUNC, "[%zu] external groups found.\n", - state->reply_count); - -- ret = process_ext_groups(state->server_mode->ext_groups, -- state->reply_count, state->reply, &ext_group_hash); -+ ret = process_ext_groups(state, -+ state->reply_count, -+ state->reply, -+ &ext_group_hash); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "process_ext_groups failed.\n"); - goto fail; - } - -- state->server_mode->ext_groups->ext_groups = ext_group_hash; -+ talloc_free(state->server_mode->ext_groups->ext_groups); -+ state->server_mode->ext_groups->ext_groups = talloc_steal( -+ state->server_mode->ext_groups, -+ ext_group_hash); - /* Do we have to make the update timeout configurable? 
*/ - state->server_mode->ext_groups->next_update = time(NULL) + 10; - --- -2.17.0 - diff --git a/0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch b/0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch deleted file mode 100644 index a379cd0..0000000 --- a/0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -From 2b965403ecc5a6685602859945a4b73d0f5cddcd Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Wed, 2 May 2018 11:37:55 +0200 -Subject: [PATCH] CACHE_REQ: Do not fail the domain locator plugin if ID - outside the domain range is looked up -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -A fix for upstream bug #3569 and the domain-locator feature were both -developed in the context of the same upstream version and therefore -touched the same code, but the domain locator did not account for the -ERR_ID_OUTSIDE_RANGE error code. - -Therefore lookups for IDs that are outside the range for the domain -caused the whole lookup to fail instead of carrying on to the next -domain. - -This patch just handles ERR_ID_OUTSIDE_RANGE the same way as if the ID -was not found at all. Also some whitespace errors are fixed. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3728 - -Reviewed-by: Fabiano Fidêncio -(cherry picked from commit 2952de740f2ec1da9cbd682fb1d9219e5370e6a1) ---- - src/responder/common/cache_req/cache_req.c | 1 + - .../cache_req/plugins/cache_req_common.c | 2 +- - .../cache_req/plugins/cache_req_group_by_id.c | 2 +- - src/tests/cmocka/test_responder_cache_req.c | 32 +++++++++++++++++++ - 4 files changed, 35 insertions(+), 2 deletions(-) - -diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c -index 134688b0f..28b563392 100644 ---- a/src/responder/common/cache_req/cache_req.c -+++ b/src/responder/common/cache_req/cache_req.c -@@ -523,6 +523,7 @@ static void cache_req_locate_dom_cache_done(struct tevent_req *subreq) - DEBUG(SSSDBG_TRACE_INTERNAL, "Result found in the cache\n"); - tevent_req_done(req); - return; -+ case ERR_ID_OUTSIDE_RANGE: - case ENOENT: - /* Not cached and locator was requested, run the locator - * DP request plugin -diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c 
b/src/responder/common/cache_req/plugins/cache_req_common.c -index 240416803..d19ca8912 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_common.c -+++ b/src/responder/common/cache_req/plugins/cache_req_common.c -@@ -27,7 +27,7 @@ - #include "responder/common/cache_req/cache_req_plugin.h" - - errno_t cache_req_idminmax_check(struct cache_req_data *data, -- struct sss_domain_info *domain) -+ struct sss_domain_info *domain) - { - if (((domain->id_min != 0) && (data->id < domain->id_min)) || - ((domain->id_max != 0) && (data->id > domain->id_max))) { -diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c -index 3fb81032b..e0c6b6515 100644 ---- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c -+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c -@@ -85,7 +85,7 @@ cache_req_group_by_id_lookup(TALLOC_CTX *mem_ctx, - - ret = cache_req_idminmax_check(data, domain); - if (ret != EOK) { -- return ret; -+ return ret; - } - return sysdb_getgrgid_with_views(mem_ctx, domain, data->id, _result); - } -diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c -index 252d89dad..45d71b83b 100644 ---- a/src/tests/cmocka/test_responder_cache_req.c -+++ b/src/tests/cmocka/test_responder_cache_req.c -@@ -1827,6 +1827,37 @@ void test_group_by_id_multiple_domains_notfound(void **state) - assert_true(test_ctx->dp_called); - } - -+void test_group_by_id_multiple_domains_outside_id_range(void **state) -+{ -+ struct cache_req_test_ctx *test_ctx = NULL; -+ struct sss_domain_info *domain = NULL; -+ struct sss_domain_info *domain_a = NULL; -+ -+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); -+ -+ domain_a = find_domain_by_name(test_ctx->tctx->dom, -+ "responder_cache_req_test_a", true); -+ assert_non_null(domain_a); -+ domain_a->id_min = 1; -+ domain_a->id_max = 100; -+ -+ /* Setup group. 
*/ -+ domain = find_domain_by_name(test_ctx->tctx->dom, -+ "responder_cache_req_test_d", true); -+ assert_non_null(domain); -+ prepare_group(domain, &groups[0], 1000, time(NULL)); -+ -+ /* Mock values. */ -+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx); -+ will_return_always(sss_dp_req_recv, 0); -+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED); -+ -+ /* Test. */ -+ run_group_by_id(test_ctx, NULL, 0, ERR_OK); -+ assert_true(test_ctx->dp_called); -+ check_group(test_ctx, &groups[0], domain); -+} -+ - void test_group_by_id_multiple_domains_locator_cache_valid(void **state) - { - struct cache_req_test_ctx *test_ctx = NULL; -@@ -3970,6 +4001,7 @@ int main(int argc, const char *argv[]) - new_single_domain_test(group_by_id_missing_notfound), - new_multi_domain_test(group_by_id_multiple_domains_found), - new_multi_domain_test(group_by_id_multiple_domains_notfound), -+ new_multi_domain_test(group_by_id_multiple_domains_outside_id_range), - - new_multi_domain_test(group_by_id_multiple_domains_locator_cache_valid), - new_multi_domain_test(group_by_id_multiple_domains_locator_cache_expired), --- -2.17.0 - diff --git a/0061-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch b/0061-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch deleted file mode 100644 index 05e8249..0000000 --- a/0061-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch +++ /dev/null 
@@ -1,52 +0,0 @@
-From b96c60f55789527b1f9232ddae03e5c7566bf578 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Fri, 4 May 2018 17:00:55 +0200
-Subject: [PATCH] NSS: nss_clear_netgroup_hash_table() do not free data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-nss_clear_netgroup_hash_table() is called during the clearEnumCache SBUS
-request, which is e.g. used during 'sss_cache -E', to remove netgroup
-data cached in the memory of the NSS responder.
-
-Currently nss_clear_netgroup_hash_table() calls
-'sss_ptr_hash_delete_all(nss_ctx->netgrent, true);' which not only
-removes all entries in the 'netgerent' hash table but frees them as
-well.
-
-The second step is not needed because nss_setnetgrent_set_timeout()
-takes care that the data is freed after a timeout. Additionally freeing
-the data in nss_clear_netgroup_hash_table() can even do harm when the
-request is received by the NSS responder while waiting for the backend
-to acquire the netgroup data. Because if the backend is done the NSS
-responder tries do use enum_ctx which might have been freed in the
-meantime.
-
-Because of this nss_clear_netgroup_hash_table() should only remove the
-data from the hash table but not free it.
-
-Related to https://pagure.io/SSSD/sssd/issue/3731
-
-Reviewed-by: Pavel Březina
-(cherry picked from commit b13cc2d1413a0d5bbe36e06e5ffd87dbf5c0cb9f)
----
- src/responder/nss/nsssrv.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
-index 171c2a5ca..004e6c1a1 100644
---- a/src/responder/nss/nsssrv.c
-+++ b/src/responder/nss/nsssrv.c
-@@ -142,7 +142,7 @@ static int nss_clear_netgroup_hash_table(struct sbus_request *dbus_req, void *da
-
- DEBUG(SSSDBG_TRACE_FUNC, "Invalidating netgroup hash table\n");
-
-- sss_ptr_hash_delete_all(nss_ctx->netgrent, true);
-+ sss_ptr_hash_delete_all(nss_ctx->netgrent, false);
-
- return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID);
- }
---
-2.17.0
-
diff --git a/0062-SYSDB-Properly-handle-name-gid-override-when-using-d.patch b/0062-SYSDB-Properly-handle-name-gid-override-when-using-d.patch
deleted file mode 100644
index fa87f50..0000000
--- a/0062-SYSDB-Properly-handle-name-gid-override-when-using-d.patch
+++ /dev/null
@@ -1,218 +0,0 @@ -From e7aee44602eb36ee1e1201ad6c7234562b8bb703 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= -Date: Tue, 5 Dec 2017 21:14:09 +0100 -Subject: [PATCH] SYSDB: Properly handle name/gid override when using domain - resolution order -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When using name/gid override together with domain resolution order the -mpg name/gid may be returned instead of the overridden one. - -In order to avoid that, let's add a check in case the domain supports -mpg so we can ensure that the originalADname and originalADgidNumber -attributes are the very same as the ones searched and then normally -proceed with the current flow in the code. In case those are not the -same, we *must* follow the code path for the non-mpg domains and then -return the proper values. - -Resolves: https://pagure.io/SSSD/sssd/issue/3595 - -Signed-off-by: Fabiano Fidêncio -Reviewed-by: Sumit Bose -(cherry picked from commit cf4f5e031ecbdfba0b55a4f69a06175a2e718e67) ---- - src/db/sysdb.h | 2 + - src/db/sysdb_search.c | 116 ++++++++++++++++++++++++++++++++++-------- - 2 files changed, 97 insertions(+), 21 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index 2660314a7..d9c8fd5d6 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -258,6 +258,8 @@ - SYSDB_OVERRIDE_OBJECT_DN, \ - SYSDB_DEFAULT_OVERRIDE_NAME, \ - SYSDB_UUID, \ -+ ORIGINALAD_PREFIX SYSDB_NAME, \ -+ ORIGINALAD_PREFIX SYSDB_GIDNUM, \ - NULL} - - #define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \ -diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c -index b7ceb6e59..66c4977b3 100644 ---- a/src/db/sysdb_search.c -+++ b/src/db/sysdb_search.c -@@ -893,8 +893,9 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx, - const char *fmt_filter; - char *sanitized_name; - struct ldb_dn *base_dn; -- struct ldb_result *res; -+ struct ldb_result *res = NULL; - char *lc_sanitized_name; -+ const char 
*originalad_sanitized_name; - int ret; - - tmp_ctx = talloc_new(NULL); -@@ -902,30 +903,67 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx, - return ENOMEM; - } - -+ ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain, -+ &sanitized_name, &lc_sanitized_name); -+ if (ret != EOK) { -+ goto done; -+ } -+ - if (domain->mpg) { -+ /* In case the domain supports magic private groups we *must* -+ * check whether the searched name is the very same as the -+ * originalADname attribute. -+ * -+ * In case those are not the same, we're dealing with an -+ * override and in order to return the proper overridden group -+ * we must use the very same search used by a non-mpg domain -+ */ - fmt_filter = SYSDB_GRNAM_MPG_FILTER; - base_dn = sysdb_domain_dn(tmp_ctx, domain); -+ if (base_dn == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn, -+ LDB_SCOPE_SUBTREE, attrs, fmt_filter, -+ lc_sanitized_name, sanitized_name, sanitized_name); -+ if (ret != EOK) { -+ ret = sysdb_error_to_errno(ret); -+ goto done; -+ } -+ -+ if (res->count > 0) { -+ originalad_sanitized_name = ldb_msg_find_attr_as_string( -+ res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL); -+ -+ if (originalad_sanitized_name != NULL -+ && strcmp(originalad_sanitized_name, sanitized_name) != 0) { -+ fmt_filter = SYSDB_GRNAM_FILTER; -+ base_dn = sysdb_group_base_dn(tmp_ctx, domain); -+ res = NULL; -+ } -+ } - } else { - fmt_filter = SYSDB_GRNAM_FILTER; - base_dn = sysdb_group_base_dn(tmp_ctx, domain); - } -- if (!base_dn) { -+ if (base_dn == NULL) { - ret = ENOMEM; - goto done; - } - -- ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain, -- &sanitized_name, &lc_sanitized_name); -- if (ret != EOK) { -- goto done; -- } -- -- ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn, -- LDB_SCOPE_SUBTREE, attrs, fmt_filter, -- lc_sanitized_name, sanitized_name, sanitized_name); -- if (ret) { -- ret = sysdb_error_to_errno(ret); -- goto done; -+ /* We just do the 
ldb_search here in case domain is *not* a MPG *or* -+ * it's a MPG and we're dealing with a overriden group, which has to -+ * use the very same filter as a non MPG domain. */ -+ if (res == NULL) { -+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn, -+ LDB_SCOPE_SUBTREE, attrs, fmt_filter, -+ lc_sanitized_name, sanitized_name, sanitized_name); -+ if (ret != EOK) { -+ ret = sysdb_error_to_errno(ret); -+ goto done; -+ } - } - - ret = mpg_res_convert(res); -@@ -1045,10 +1083,11 @@ int sysdb_getgrgid(TALLOC_CTX *mem_ctx, - { - TALLOC_CTX *tmp_ctx; - unsigned long int ul_gid = gid; -+ unsigned long int ul_originalad_gid; - static const char *attrs[] = SYSDB_GRSRC_ATTRS; - const char *fmt_filter; - struct ldb_dn *base_dn; -- struct ldb_result *res; -+ struct ldb_result *res = NULL; - int ret; - - tmp_ctx = talloc_new(NULL); -@@ -1057,22 +1096,57 @@ int sysdb_getgrgid(TALLOC_CTX *mem_ctx, - } - - if (domain->mpg) { -+ /* In case the domain supports magic private groups we *must* -+ * check whether the searched gid is the very same as the -+ * originalADgidNumber attribute. 
-+ * -+ * In case those are not the same, we're dealing with an -+ * override and in order to return the proper overridden group -+ * we must use the very same search used by a non-mpg domain -+ */ - fmt_filter = SYSDB_GRGID_MPG_FILTER; - base_dn = sysdb_domain_dn(tmp_ctx, domain); -+ if (base_dn == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn, -+ LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid); -+ if (ret != EOK) { -+ ret = sysdb_error_to_errno(ret); -+ goto done; -+ } -+ -+ if (res->count > 0) { -+ ul_originalad_gid = ldb_msg_find_attr_as_uint64( -+ res->msgs[0], ORIGINALAD_PREFIX SYSDB_GIDNUM, 0); -+ -+ if (ul_originalad_gid != 0 && ul_originalad_gid != ul_gid) { -+ fmt_filter = SYSDB_GRGID_FILTER; -+ base_dn = sysdb_group_base_dn(tmp_ctx, domain); -+ res = NULL; -+ } -+ } - } else { - fmt_filter = SYSDB_GRGID_FILTER; - base_dn = sysdb_group_base_dn(tmp_ctx, domain); - } -- if (!base_dn) { -+ if (base_dn == NULL) { - ret = ENOMEM; - goto done; - } - -- ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn, -- LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid); -- if (ret) { -- ret = sysdb_error_to_errno(ret); -- goto done; -+ /* We just do the ldb_search here in case domain is *not* a MPG *or* -+ * it's a MPG and we're dealing with a overriden group, which has to -+ * use the very same filter as a non MPG domain. */ -+ if (res == NULL) { -+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn, -+ LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid); -+ if (ret != EOK) { -+ ret = sysdb_error_to_errno(ret); -+ goto done; -+ } - } - - ret = mpg_res_convert(res); --- -2.17.0 - diff --git a/0063-test_ca-add-empty-index.txt.attr-file.patch b/0063-test_ca-add-empty-index.txt.attr-file.patch deleted file mode 100644 index 72c9145..0000000 --- a/0063-test_ca-add-empty-index.txt.attr-file.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From f6d3289ca95bcaca68647f0db76c100d616679bc Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 14 Mar 2018 15:15:19 +0100 -Subject: [PATCH] test_ca: add empty index.txt.attr file -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Although is does not harm because 'openssl ca' creates the -index.tx.tattr file with a suitable content automatically this patch -adds the file to the test_CA directory to silence a message like: - -Can't open ./index.txt.attr for reading, No such file or directory -139867607979840:error:02001002:system library:fopen:No such file or -directory:crypto/bio/bss_file.c:74:fopen('./index.txt.attr','r') -139867607979840:error:2006D080:BIO routines:BIO_new_file:no such -file:crypto/bio/bss_file.c:81: - -which is show by recent versions of OpenSSL. - -Related to https://pagure.io/SSSD/sssd/issue/3436 - -Reviewed-by: Fabiano Fidêncio -(cherry picked from commit 86c06c3b3d1cb4f590bcd951939bf3ef0001c4d3) ---- - src/tests/test_CA/Makefile.am | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am -index a23a3feef..bfcd908e3 100644 ---- a/src/tests/test_CA/Makefile.am -+++ b/src/tests/test_CA/Makefile.am -@@ -89,5 +89,6 @@ clean-local: - - serial: clean - touch index.txt -+ touch index.txt.attr - mkdir newcerts - echo -n 01 > serial --- -2.17.0 - diff --git a/sources b/sources index 5488873..f3ab243 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sssd-1.16.1.tar.gz) = fb9611cecf4c74b5a82224f9f8d3b98341c144d248094b6cb12975343db9b85142ded620e5f26fef63b2db29cdb45eb8abd698db82e9a1334bc6e001001109fd +SHA512 (sssd-1.16.2.tar.gz) = de029e60c509d1ca9d716074c6c30bc469793440ad11452be6756df110911772d3d9d6bf555acb65f510957d6b8a265f0accc0940622101fa9cf809ac9c6d999 diff --git a/sssd.spec b/sssd.spec index b099c4a..9ce5d02 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -25,6 +25,10 @@ %global with_gdm_pam_extensions 1 +%if (0%{?fedora} > 28) + %global use_openssl 1 +%endif + %global libwbc_alternatives_version 0.14 %global libwbc_lib_version %{libwbc_alternatives_version}.0 %global libwbc_alternatives_suffix %nil @@ -33,8 +37,8 @@ %endif Name: sssd -Version: 1.16.1 -Release: 9%{?dist} +Version: 1.16.2 +Release: 1%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ 
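Review bot: The `use_openssl` switch introduced in the `@@ -25,6 +25,10 @@` hunk is keyed solely on `0%{?fedora} > 28`, so the libcrypto build cannot be selected or deselected from the rpmbuild command line and the macro is simply undefined on non-Fedora targets. If a build-time option is intended, `%bcond_without openssl` with `%if %{with openssl}` at the use sites is the conventional form; if the Fedora-only gating is deliberate, a comment above the `%if` such as `# libcrypto/p11-kit backend only on Fedora > 28; other targets keep the default crypto backend` would record that. The later `%if (0%{?use_openssl} == 1)` checks handle the undefined case correctly as written.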
@@ -42,69 +46,6 @@ URL: https://pagure.io/SSSD/sssd/ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz ### Patches ### -Patch0001: 0001-IPA-Handle-empty-nisDomainName.patch -Patch0002: 0002-intg-enhance-netgroups-test.patch -Patch0003: 0003-CONFDB-Start-a-ldb-transaction-from-sss_ldb_modify_p.patch -Patch0004: 0004-TOOLS-Take-into-consideration-app-domains.patch -Patch0005: 0005-TESTS-Move-get_call_output-to-util.py.patch -Patch0006: 0006-TESTS-Make-get_call_output-more-flexible-about-the-s.patch -Patch0007: 0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch -Patch0008: 0008-KCM-Use-json_loadb-when-dealing-with-sss_iobuf-data.patch -Patch0009: 0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch -Patch0010: 0010-KCM-Introduce-kcm_input_get_payload_len.patch -Patch0011: 0011-KCM-Do-not-use-2048-as-fixed-size-for-the-payload.patch -Patch0012: 0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch -Patch0013: 0013-intg-convert-results-returned-as-bytes-to-strings.patch -Patch0014: 0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch -Patch0015: 0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch -Patch0016: 0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch -#Patch0017: 0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch -#Patch0018: 0018-sysdb-custom-completely-replace-old-object-instead-o.patch -Patch0019: 0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch -Patch0020: 0020-IPA-Qualify-the-externalUser-sudo-attribute.patch -Patch0021: 0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch -Patch0022: 0022-CONFDB-Add-passwd_files-and-group_files-options.patch -Patch0023: 0023-FILES-Handle-files-provider-sources.patch -Patch0024: 0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch -Patch0025: 0025-AD-Missing-header-in-ad_access.h.patch -Patch0026: 0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch -Patch0027: 0027-GPO-Use-AD-site-override-if-set.patch -Patch0028: 
0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch -Patch0029: 0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch -Patch0030: 0030-sssctl-Showing-help-even-when-sssd-not-configured.patch -Patch0031: 0031-sssctl-move-check-for-version-error-to-correct-place.patch -Patch0032: 0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch -Patch0033: 0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch -Patch0034: 0034-MAN-Improve-docs-about-GC-detection.patch -Patch0035: 0035-nss-idmap-do-not-set-a-limit.patch -Patch0036: 0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch -Patch0037: 0037-NSS-Add-InvalidateGroupById-handler.patch -Patch0038: 0038-DP-Add-dp_sbus_invalidate_group_memcache.patch -Patch0039: 0039-ERRORS-Add-ERR_GID_DUPLICATED.patch -Patch0040: 0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch -Patch0041: 0041-SDAP-Add-sdap_handle_id_collision_for_incomplete_gro.patch -Patch0042: 0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch -Patch0043: 0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch -Patch0044: 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch -Patch0045: 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch -Patch0046: 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch -Patch0047: 0047-GPO-Fix-bug-with-empty-GPO-rules.patch -Patch0048: 0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch -Patch0049: 0049-FILES-Reduce-code-duplication.patch -Patch0050: 0050-FILES-Reset-the-domain-status-back-even-on-errors.patch -Patch0051: 0051-FILES-Skip-files-that-are-not-created-yet.patch -Patch0052: 0052-FILES-Only-send-the-request-for-update-if-the-files-.patch -Patch0053: 0053-TESTS-simple-CA-to-generate-certificates-for-test.patch -Patch0054: 0054-TESTS-replace-hardcoded-certificates.patch -Patch0055: 0055-DYNDNS-Move-the-retry-logic-into-a-separate-function.patch -Patch0056: 0056-DYNDNS-Retry-also-on-timeouts.patch -Patch0057: 
0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch -Patch0058: 0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch -Patch0059: 0059-Do-not-keep-allocating-external-groups-on-a-long-liv.patch -Patch0060: 0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch -Patch0061: 0061-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch -Patch0062: 0062-SYSDB-Properly-handle-name-gid-override-when-using-d.patch -Patch0063: 0063-test_ca-add-empty-index.txt.attr-file.patch Patch0502: 0502-SYSTEMD-Use-capabilities.patch Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch @@ -182,12 +123,19 @@ BuildRequires: cifs-utils-devel BuildRequires: libnfsidmap-devel BuildRequires: samba4-devel BuildRequires: libsmbclient-devel +BuildRequires: samba-winbind BuildRequires: systemtap-sdt-devel BuildRequires: http-parser-devel BuildRequires: libuuid-devel BuildRequires: jansson-devel BuildRequires: libcurl-devel BuildRequires: gdm-pam-extensions-devel +%if (0%{?use_openssl} == 1) +BuildRequires: p11-kit-devel +BuildRequires: openssl-devel +BuildRequires: gnutls-utils +BuildRequires: softhsm >= 2.1.0 +%endif BuildRequires: openssl BuildRequires: openssh BuildRequires: nss-tools @@ -688,11 +636,13 @@ autoreconf -ivf --disable-rpath \ --with-initscript=systemd \ --with-syslog=journald \ +%if (0%{?use_openssl} == 1) + --with-crypto=libcrypto \ +%endif --enable-sss-default-nss-plugin \ --enable-files-domain \ %{?with_cifs_utils_plugin_option} \ - %{?enable_systemtap_opt} \ - + %{?enable_systemtap_opt} make %{?_smp_mflags} all docs @@ -909,6 +859,9 @@ done %attr(750,root,root) %dir %{_var}/log/%{name} %attr(700,root,root) %dir %{_sysconfdir}/sssd %attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d +%if (0%{?use_openssl} == 1) +%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/pki +%endif %ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf %dir %{_sysconfdir}/logrotate.d %config(noreplace) %{_sysconfdir}/logrotate.d/sssd 
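Review bot: In the `@@ -909,6 +859,9 @@` hunk the new `%{_sysconfdir}/sssd/pki` directory is packaged as `%attr(711,sssd,sssd)` while its parent `%{_sysconfdir}/sssd` two lines above stays `%attr(700,root,root)`, which is an inconsistent permission model: the unprivileged `sssd` account cannot traverse a mode-700 root-owned parent, so the ownership only has effect if the directory is opened while the process is still privileged. If this directory holds trust material for certificate authentication (not visible from the spec alone), making it writable by the service account means a compromised responder could alter its own trust anchors. If the service only needs to read it, `%attr(755,root,root) %dir %{_sysconfdir}/sssd/pki` follows the least-privilege pattern used by the rest of this %files section; if write access is genuinely required, a comment stating why, e.g. `# owned by the service user because it is written by sssd at runtime (TODO: name the component)`, would keep the next reviewer from "fixing" it.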
@@ -1309,6 +1262,10 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Mon Jun 11 2018 Fabiano Fidêncio - 1.16.2-1 +- New upstream release 1.16.2 +- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_2.html + * Thu May 24 2018 Fabiano Fidêncio - 1.16.1-9 - Related: upstream#3742 - Change of: User may not run sudo --> a password is required