Apply a number of patches from upstream to fix issues found post-beta
In particular: -- segfault with a high DEBUG level -- Fix IPA password migration (upstream #1873) -- Fix fail over when retrying SRV resolution (upstream #1886)
parent
1577261624
commit
ba06c0ac1d
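--- a/0001-Bumping-the-version-for-the-1.10-final-release.patch
+++ b/0001-Bumping-the-version-for-the-1.10-final-release.patch
@@ -0,0 +1,23 @@
+From 376e39bc7a7f49f08fd51b1a00aa5d2a456b2314 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 11 Jun 2013 17:44:04 +0200
+Subject: [PATCH 01/12] Bumping the version for the 1.10 final release
+
+---
+version.m4 | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/version.m4 b/version.m4
+index 1435f6999f6d4ffb06ad0dfd4261b03357fd0cfa..4066d317aae67fee317d13a67abec0dae3ce14aa 100644
+--- a/version.m4
++++ b/version.m4
+@@ -1,5 +1,5 @@
+# Primary version number
+-m4_define([VERSION_NUMBER], [1.9.94])
++m4_define([VERSION_NUMBER], [1.9.95])
+
+# If the PRERELEASE_VERSION_NUMBER is set, we'll append
+# it to the release tag when creating an RPM or SRPM
+--
+1.8.2.1
+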
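--- a/0002-Change-order-of-libraries-in-linking-process.patch
+++ b/0002-Change-order-of-libraries-in-linking-process.patch
@@ -0,0 +1,31 @@
+From fd98a28d6e94080e52bbedc789b06606a6019b10 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Wed, 12 Jun 2013 13:24:12 +0200
+Subject: [PATCH 02/12] Change order of libraries in linking process.
+
+It seems that some linkers have problem with wrong order of libraries.
+This commit only change order.
+---
+Makefile.am | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 93e3a6fc0ce063cb3c874bd90e0b1773fe053386..88e29fff4f6f1f3686c02ca23b5a6f4725f22797 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -577,10 +577,10 @@ endif
+libsss_util_la_LDFLAGS = -avoid-version
+
+SSSD_INTERNAL_LTLIBS = \
++ libsss_util.la \
+libsss_crypt.la \
+libsss_debug.la \
+- libsss_child.la \
+- libsss_util.la
++ libsss_child.la
+
+lib_LTLIBRARIES = libipa_hbac.la libsss_idmap.la libsss_nss_idmap.la
+dist_pkgconfig_DATA += src/providers/ipa/ipa_hbac.pc
+--
+1.8.2.1
+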
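--- a/0003-be_ptask-send-and-recv-shadow-a-global-declaration.patch
+++ b/0003-be_ptask-send-and-recv-shadow-a-global-declaration.patch
@@ -0,0 +1,92 @@
+From 460e43ee4dcc7a5860bcdc3c76ae51ed79921d79 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 12 Jun 2013 09:50:54 +0200
+Subject: [PATCH 03/12] be_ptask: send and recv shadow a global declaration
+
+---
+src/providers/dp_ptask.c | 18 +++++++++---------
+src/providers/dp_ptask.h | 4 ++--
+2 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/src/providers/dp_ptask.c b/src/providers/dp_ptask.c
+index d3580981b4abea8471c280a647eb558341d738ef..d0f7c6d9700dd9d5cf588c9f72954590f65f82b5 100644
+--- a/src/providers/dp_ptask.c
++++ b/src/providers/dp_ptask.c
+@@ -39,8 +39,8 @@ struct be_ptask {
+time_t enabled_delay;
+time_t timeout;
+enum be_ptask_offline offline;
+- be_ptask_send_t send;
+- be_ptask_recv_t recv;
++ be_ptask_send_t send_fn;
++ be_ptask_recv_t recv_fn;
+void *pvt;
+const char *name;
+
+@@ -139,7 +139,7 @@ static void be_ptask_execute(struct tevent_context *ev,
+
+task->last_execution = time(NULL);
+
+- task->req = task->send(task, task->ev, task->be_ctx, task, task->pvt);
++ task->req = task->send_fn(task, task->ev, task->be_ctx, task, task->pvt);
+if (task->req == NULL) {
+/* skip this iteration and try again later */
+DEBUG(SSSDBG_OP_FAILURE, ("Task [%s]: failed to execute task, "
+@@ -178,7 +178,7 @@ static void be_ptask_done(struct tevent_req *req)
+
+task = tevent_req_callback_data(req, struct be_ptask);
+
+- ret = task->recv(req);
++ ret = task->recv_fn(req);
+talloc_zfree(req);
+task->req = NULL;
+switch (ret) {
+@@ -246,8 +246,8 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
+time_t enabled_delay,
+time_t timeout,
+enum be_ptask_offline offline,
+- be_ptask_send_t send,
+- be_ptask_recv_t recv,
++ be_ptask_send_t send_fn,
++ be_ptask_recv_t recv_fn,
+void *pvt,
+const char *name,
+struct be_ptask **_task)
+@@ -255,7 +255,7 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
+struct be_ptask *task = NULL;
+errno_t ret;
+
+- if (be_ctx == NULL || period == 0 || send == NULL || recv == NULL
++ if (be_ctx == NULL || period == 0 || send_fn == NULL || recv_fn == NULL
+|| name == NULL) {
+return EINVAL;
+}
+@@ -272,8 +272,8 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
+task->enabled_delay = enabled_delay;
+task->timeout = timeout;
+task->offline = offline;
+- task->send = send;
+- task->recv = recv;
++ task->send_fn = send_fn;
++ task->recv_fn = recv_fn;
+task->pvt = pvt;
+task->name = talloc_strdup(task, name);
+if (task->name == NULL) {
+diff --git a/src/providers/dp_ptask.h b/src/providers/dp_ptask.h
+index ae5f78d586df69bdcfa34bb35f032ad1dbd1b983..7e45862e46c5d9da4eaedca5312e25dcc0eb8abe 100644
+--- a/src/providers/dp_ptask.h
++++ b/src/providers/dp_ptask.h
+@@ -81,8 +81,8 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
+time_t enabled_delay,
+time_t timeout,
+enum be_ptask_offline offline,
+- be_ptask_send_t send,
+- be_ptask_recv_t recv,
++ be_ptask_send_t send_fn,
++ be_ptask_recv_t recv_fn,
+void *pvt,
+const char *name,
+struct be_ptask **_task);
+--
+1.8.2.1
+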
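--- a/0004-be_refresh-send-and-recv-shadow-a-global-declaration.patch
+++ b/0004-be_refresh-send-and-recv-shadow-a-global-declaration.patch
@@ -0,0 +1,98 @@
+From d24f0493002037a5809c9fc5ae27fa2ceb81036e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 12 Jun 2013 09:51:10 +0200
+Subject: [PATCH 04/12] be_refresh: send and recv shadow a global declaration
+
+---
+src/providers/dp_refresh.c | 22 +++++++++++-----------
+src/providers/dp_refresh.h | 4 ++--
+2 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/src/providers/dp_refresh.c b/src/providers/dp_refresh.c
+index 59d858549d94660e4abd4f5610eda13dabb9b495..c368668e1def76a7a63cee87d6720239830e7c6b 100644
+--- a/src/providers/dp_refresh.c
++++ b/src/providers/dp_refresh.c
+@@ -119,8 +119,8 @@ typedef errno_t
+struct be_refresh_cb {
+bool enabled;
+be_refresh_get_values_t get_values;
+- be_refresh_send_t send;
+- be_refresh_recv_t recv;
++ be_refresh_send_t send_fn;
++ be_refresh_recv_t recv_fn;
+void *pvt;
+};
+
+@@ -145,11 +145,11 @@ struct be_refresh_ctx *be_refresh_ctx_init(TALLOC_CTX *mem_ctx)
+
+errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+enum be_refresh_type type,
+- be_refresh_send_t send,
+- be_refresh_recv_t recv,
++ be_refresh_send_t send_fn,
++ be_refresh_recv_t recv_fn,
+void *pvt)
+{
+- if (ctx == NULL || send == NULL || recv == NULL
++ if (ctx == NULL || send_fn == NULL || recv_fn == NULL
+|| type >= BE_REFRESH_TYPE_SENTINEL) {
+return EINVAL;
+}
+@@ -159,8 +159,8 @@ errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+}
+
+ctx->callbacks[type].enabled = true;
+- ctx->callbacks[type].send = send;
+- ctx->callbacks[type].recv = recv;
++ ctx->callbacks[type].send_fn = send_fn;
++ ctx->callbacks[type].recv_fn = recv_fn;
+ctx->callbacks[type].pvt = pvt;
+
+return EOK;
+@@ -246,8 +246,8 @@ static errno_t be_refresh_step(struct tevent_req *req)
+goto done;
+}
+
+- if (state->cb->get_values == NULL || state->cb->send == NULL
+- || state->cb->recv == NULL) {
++ if (state->cb->get_values == NULL || state->cb->send_fn == NULL
++ || state->cb->recv_fn == NULL) {
+ret = EINVAL;
+goto done;
+}
+@@ -260,7 +260,7 @@ static errno_t be_refresh_step(struct tevent_req *req)
+goto done;
+}
+
+- subreq = state->cb->send(state, state->ev, state->be_ctx,
++ subreq = state->cb->send_fn(state, state->ev, state->be_ctx,
+values, state->cb->pvt);
+if (subreq == NULL) {
+ret = ENOMEM;
+@@ -288,7 +288,7 @@ static void be_refresh_done(struct tevent_req *subreq)
+req = tevent_req_callback_data(subreq, struct tevent_req);
+state = tevent_req_data(req, struct be_refresh_state);
+
+- ret = state->cb->recv(subreq);
++ ret = state->cb->recv_fn(subreq);
+talloc_zfree(subreq);
+if (ret != EOK) {
+goto done;
+diff --git a/src/providers/dp_refresh.h b/src/providers/dp_refresh.h
+index a7b324702b0546d8156e8fa395b39fa58b52812d..0dedbc3c14bfb661ebf296a9021fa397769dee66 100644
+--- a/src/providers/dp_refresh.h
++++ b/src/providers/dp_refresh.h
+@@ -54,8 +54,8 @@ struct be_refresh_ctx *be_refresh_ctx_init(TALLOC_CTX *mem_ctx);
+
+errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+enum be_refresh_type type,
+- be_refresh_send_t send,
+- be_refresh_recv_t recv,
++ be_refresh_send_t send_fn,
++ be_refresh_recv_t recv_fn,
+void *pvt);
+
+struct tevent_req *be_refresh_send(TALLOC_CTX *mem_ctx,
+--
+1.8.2.1
+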
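--- a/0005-Use-the-correct-talloc-context-when-creating-AD-subd.patch
+++ b/0005-Use-the-correct-talloc-context-when-creating-AD-subd.patch
@@ -0,0 +1,28 @@
+From 49f3aebcc8614d483c5753109a9d65aa33d301ea Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 11 Jun 2013 12:48:06 +0200
+Subject: [PATCH 05/12] Use the correct talloc context when creating AD
+subdomains
+
+sdom was only ever guaranteed to be set when a new domain was being
+created. sditer is a valid pointer in both cases, so just use that.
+---
+src/providers/ad/ad_subdomains.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index f4eec6a48019d55436631487a6108be405254766..07b523df5466319739e1f44164b7f08156ea214b 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -120,7 +120,7 @@ ads_store_sdap_subdom(struct ad_subdomains_ctx *ctx,
+}
+
+/* Convert the domain name into search base */
+- ret = domain_to_basedn(sdom, sditer->dom->name, &basedn);
++ ret = domain_to_basedn(sditer, sditer->dom->name, &basedn);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE,
+("Cannot convert domain name [%s] to base DN [%d]: %s\n",
+--
+1.8.2.1
+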
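--- a/0006-Fix-minor-typos.patch
+++ b/0006-Fix-minor-typos.patch
@@ -0,0 +1,90 @@
+From 1091c0ae2f1596ceb161e5b765a91c23c413b369 Mon Sep 17 00:00:00 2001
+From: Yuri Chornoivan <yurchor@ukr.net>
+Date: Tue, 11 Jun 2013 19:12:41 +0300
+Subject: [PATCH 06/12] Fix minor typos
+
+---
+src/man/sssd-krb5.5.xml | 2 +-
+src/man/sssd-ldap.5.xml | 2 +-
+src/man/sssd.conf.5.xml | 4 ++--
+src/providers/ipa/ipa_hbac.h | 2 +-
+src/tools/tools_mc_util.c | 2 +-
+5 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
+index 906aee096d9815bcf32b992260a7f5254b93b947..df124b4d20f7f3b553d2eac554eaf5411c3c8436 100644
+--- a/src/man/sssd-krb5.5.xml
++++ b/src/man/sssd-krb5.5.xml
+@@ -455,7 +455,7 @@
+<term>krb5_use_kdcinfo (boolean)</term>
+<listitem>
+<para>
+- Specifies if the SSSD should be instructing the Kerberos
++ Specifies if the SSSD should instruct the Kerberos
+libraries what realm and which KDCs to use. This option
+is on by default, if you disable it, you need to configure
+the Kerberos library using the
+diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
+index 9cd594c7bdcf682b8fd355e8e566229afcb18a43..fd29650e94db917b0afb3f3a73e4082773d1340f 100644
+--- a/src/man/sssd-ldap.5.xml
++++ b/src/man/sssd-ldap.5.xml
+@@ -1592,7 +1592,7 @@
+<term>krb5_use_kdcinfo (boolean)</term>
+<listitem>
+<para>
+- Specifies if the SSSD should be instructing the Kerberos
++ Specifies if the SSSD should instruct the Kerberos
+libraries what realm and which KDCs to use. This option
+is on by default, if you disable it, you need to configure
+the Kerberos library using the
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index d3e393c83e3ba130bab35a4d2153560710e16ba6..8df2bd97c4edb793e74a698b9531b3e7ab7c1abe 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -172,7 +172,7 @@
+<para>
+domain flat name. Mostly usable
+for Active Directory domains, both
+- directly configured or disovered
++ directly configured or discovered
+via IPA trusts.
+</para>
+</listitem>
+@@ -1605,7 +1605,7 @@ override_homedir = /home/%u
+<para>
+domain flat name. Mostly usable
+for Active Directory domains, both
+- directly configured or disovered
++ directly configured or discovered
+via IPA trusts.
+</para>
+</listitem>
+diff --git a/src/providers/ipa/ipa_hbac.h b/src/providers/ipa/ipa_hbac.h
+index 02077e37ebeebd99ba06a9d27311c0885c4e2b7f..8bc2c4f90f32a83d14240abb4979ae265913ae6a 100644
+--- a/src/providers/ipa/ipa_hbac.h
++++ b/src/providers/ipa/ipa_hbac.h
+@@ -212,7 +212,7 @@ enum hbac_error_code {
+/** Unexpected error */
+HBAC_ERROR_UNKNOWN = -1,
+
+- /** Succesful evaluation */
++ /** Successful evaluation */
+HBAC_SUCCESS,
+
+/** Function is not yet implemented */
+diff --git a/src/tools/tools_mc_util.c b/src/tools/tools_mc_util.c
+index 33d5d26dbefaa547da3a5c49947793b485896e83..5d4300fbe4c0fc8fd678d619277f1d8be18f0912 100644
+--- a/src/tools/tools_mc_util.c
++++ b/src/tools/tools_mc_util.c
+@@ -111,7 +111,7 @@ done:
+/* Closing the file also releases the lock */
+close(mc_fd);
+
+- /* Only unlink the file if invalidation was succesful */
++ /* Only unlink the file if invalidation was successful */
+if (ret == EOK) {
+pret = unlink(mc_filename);
+if (pret == -1) {
+--
+1.8.2.1
+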
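--- a/0007-failover-set-state-out-when-meta-server-remains-in-S.patch
+++ b/0007-failover-set-state-out-when-meta-server-remains-in-S.patch
@@ -0,0 +1,26 @@
+From d3b39cf07164b23d47bbce3d6e6541b13fc895f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Thu, 13 Jun 2013 10:32:31 +0200
+Subject: [PATCH 07/12] failover: set state->out when meta server remains in
+SRV_RESOLVE_ERROR
+
+https://fedorahosted.org/sssd/ticket/1886
+---
+src/providers/fail_over.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
+index 12b6c37828b7da0e68579bbb94668c21574974f1..1d2813589495ebb2ff56e93cddaed9d5172e128e 100644
+--- a/src/providers/fail_over.c
++++ b/src/providers/fail_over.c
+@@ -1207,6 +1207,7 @@ resolve_srv_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+break;
+case SRV_RESOLVE_ERROR: /* query could not be resolved but don't retry yet */
+ret = EIO;
++ state->out = server;
+goto done;
+case SRV_RESOLVED: /* The query is resolved and valid. Return. */
+state->out = server;
+--
+1.8.2.1
+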
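Review bot: The new `state->out = server;` in the `SRV_RESOLVE_ERROR` case of `resolve_srv_send` hands a server pointer back together with `ret = EIO`, and nothing in the hunk says why an output is populated on a failure return. Consumers of the request (outside the hunk, as is the rest of the function) have to check the status before treating `out` as a resolved server. If the intent is only to let the caller see which meta server failed, a comment on the line would make that contract explicit, e.g. `/* expose the meta server even on error; caller must still honour EIO */`.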
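--- a/0008-KRB-Handle-preauthentication-error-correctly.patch
+++ b/0008-KRB-Handle-preauthentication-error-correctly.patch
@@ -0,0 +1,76 @@
+From 22a21e910fd216ec1468fe769dcc29f1621a52a4 Mon Sep 17 00:00:00 2001
+From: Ondrej Kos <okos@redhat.com>
+Date: Thu, 13 Jun 2013 15:28:23 +0200
+Subject: [PATCH 08/12] KRB: Handle preauthentication error correctly
+
+https://fedorahosted.org/sssd/ticket/1873
+
+KRB preauthentication error was later mishandled like authentication error.
+---
+src/providers/krb5/krb5_auth.c | 6 ++++++
+src/providers/krb5/krb5_child.c | 4 +++-
+src/util/util_errors.c | 1 +
+src/util/util_errors.h | 1 +
+4 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index f65e5993d54a5a265e4217e7f23d9549915c6b32..f6acfb4891cf5e99878ccfa7994ffeddf5447e2c 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -1026,6 +1026,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
+ret = EOK;
+goto done;
+
++ case ERR_CREDS_INVALID:
++ state->pam_status = PAM_CRED_ERR;
++ state->dp_err = DP_ERR_OK;
++ ret = EOK;
++ goto done;
++
+case ERR_NO_CREDS:
+state->pam_status = PAM_CRED_UNAVAIL;
+state->dp_err = DP_ERR_OK;
+diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
+index 8f746a8db561928349ffed8b7434db2a113a1f86..74d730aaa2e84af111982a450dafd524d411f472 100644
+--- a/src/providers/krb5/krb5_child.c
++++ b/src/providers/krb5/krb5_child.c
+@@ -1172,9 +1172,11 @@ static errno_t map_krb5_error(krb5_error_code kerr)
+return ERR_CREDS_EXPIRED;
+
+case KRB5KRB_AP_ERR_BAD_INTEGRITY:
++ return ERR_AUTH_FAILED;
++
+case KRB5_PREAUTH_FAILED:
+case KRB5KDC_ERR_PREAUTH_FAILED:
+- return ERR_AUTH_FAILED;
++ return ERR_CREDS_INVALID;
+
+default:
+return ERR_INTERNAL;
+diff --git a/src/util/util_errors.c b/src/util/util_errors.c
+index b617f540691a245d1132469a1f019bcb0eb6e775..22a3045a6f9656d9ab8fe66673301a508e444771 100644
+--- a/src/util/util_errors.c
++++ b/src/util/util_errors.c
+@@ -31,6 +31,7 @@ struct err_string error_to_str[] = {
+{ "Invalid credential type" }, /* ERR_INVALID_CRED_TYPE */
+{ "No credentials available" }, /* ERR_NO_CREDS */
+{ "Credentials are expired" }, /* ERR_CREDS_EXPIRED */
++ { "Failure setting user credentials"}, /* ERR_CREDS_INVALID */
+{ "No cached credentials available" }, /* ERR_NO_CACHED_CREDS */
+{ "Cached credentials are expired" }, /* ERR_CACHED_CREDS_EXPIRED */
+{ "Authentication Denied" }, /* ERR_AUTH_DENIED */
+diff --git a/src/util/util_errors.h b/src/util/util_errors.h
+index a602a6ea92f72a51f5e21342940b2072bbe9296d..65d37aedb544bb303d7540fc59e1a802aee11898 100644
+--- a/src/util/util_errors.h
++++ b/src/util/util_errors.h
+@@ -53,6 +53,7 @@ enum sssd_errors {
+ERR_INVALID_CRED_TYPE,
+ERR_NO_CREDS,
+ERR_CREDS_EXPIRED,
++ ERR_CREDS_INVALID,
+ERR_NO_CACHED_CREDS,
+ERR_CACHED_CREDS_EXPIRED,
+ERR_AUTH_DENIED,
+--
+1.8.2.1
+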
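Review bot: In `map_krb5_error` both `KRB5_PREAUTH_FAILED` and `KRB5KDC_ERR_PREAUTH_FAILED` now become `ERR_CREDS_INVALID`, which the new case in `krb5_auth_done` reports as `PAM_CRED_ERR` with `DP_ERR_OK` and an immediate `goto done`. A KDC preauthentication failure is the usual answer to a wrong password, so it is worth confirming that whatever the `ERR_AUTH_FAILED` branch does on a bad password (it is outside the hunk) is not skipped here, and that failed-login accounting keyed on `PAM_AUTH_ERR` still sees these attempts. A comment on the case would record the intent, for example `/* preauth failure: PAM_CRED_ERR lets the IPA password-migration path run (ticket 1873) */`, if that is indeed the reason. Both functions continue outside their hunks.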
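--- a/0009-AD-Fix-segfault-in-DEBUG-message.patch
+++ b/0009-AD-Fix-segfault-in-DEBUG-message.patch
@@ -0,0 +1,25 @@
+From bb4172259e04925ffc3a92e4450029634d295134 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 14 Jun 2013 14:05:24 +0200
+Subject: [PATCH 09/12] AD: Fix segfault in DEBUG message
+
+---
+src/providers/ad/ad_common.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
+index 1aad85de337870ede08114490398dfbde32bf62f..d53acf9ee03a88c78bca58e664121142a7331ade 100644
+--- a/src/providers/ad/ad_common.c
++++ b/src/providers/ad/ad_common.c
+@@ -854,7 +854,7 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
+ad_opts->service->krb5_service->write_kdcinfo = \
+dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO);
+DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
+- ad_opts->auth[KRB5_USE_KDCINFO].opt_name,
++ krb5_options[KRB5_USE_KDCINFO].opt_name,
+ad_opts->service->krb5_service->write_kdcinfo ? "true" : "false"));
+
+*_opts = talloc_steal(mem_ctx, krb5_options);
+--
+1.8.2.1
+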
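--- a/0010-AD-Remove-ad_options-auth-options-reference.patch
+++ b/0010-AD-Remove-ad_options-auth-options-reference.patch
@@ -0,0 +1,26 @@
+From 9f1106573a4fca41b99a468d06fa392486faf43c Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 14 Jun 2013 14:19:25 +0200
+Subject: [PATCH 10/12] AD: Remove ad_options->auth options reference
+
+The options are stored in ad_options->auth_ctx->opts, this member was
+completely unused and confusing.
+---
+src/providers/ad/ad_common.h | 1 -
+1 file changed, 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
+index 801815528c30ef05956eb51dce7cc6f8b161ffa8..1503059e87d60c90d33c00cdd3ebb55b4f4530f0 100644
+--- a/src/providers/ad/ad_common.h
++++ b/src/providers/ad/ad_common.h
+@@ -67,7 +67,6 @@ struct ad_options {
+struct ad_id_ctx *id_ctx;
+
+/* Auth and chpass Provider */
+- struct dp_option *auth;
+struct krb5_ctx *auth_ctx;
+
+/* Dynamic DNS updates */
+--
+1.8.2.1
+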
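--- a/0011-subdomains-touch-krb5.conf-when-creating-new-domain-.patch
+++ b/0011-subdomains-touch-krb5.conf-when-creating-new-domain-.patch
@@ -0,0 +1,122 @@
+From 03713859dffacc7142393e53c73d8d4cf7dee8d5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Wed, 12 Jun 2013 13:44:19 +0200
+Subject: [PATCH 11/12] subdomains: touch krb5.conf when creating new
+domain-realm mappings
+
+https://fedorahosted.org/sssd/ticket/1815
+---
+configure.ac | 1 +
+src/conf_macros.m4 | 13 +++++++++++++
+src/providers/ipa/ipa_subdomains.c | 8 ++++++++
+src/util/sss_krb5.c | 22 ++++++++++++++++++++++
+src/util/sss_krb5.h | 3 +++
+5 files changed, 47 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index e63e678705ee059b984612a6ffab1a10a4f7e7f8..7eeee2e2a069b2c4f7a3408798740cb7aba88513 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -110,6 +110,7 @@ WITH_XML_CATALOG
+WITH_KRB5_PLUGIN_PATH
+WITH_KRB5_RCACHE_DIR
+WITH_KRB5AUTHDATA_PLUGIN_PATH
++WITH_KRB5_CONF
+WITH_PYTHON_BINDINGS
+WITH_SELINUX
+WITH_NSCD
+diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
+index c72b3dd73d5a3eac76c17d8ce2568088f78cfcb3..1dd296039719fb29b2dbd40710fe7428ef417e16 100644
+--- a/src/conf_macros.m4
++++ b/src/conf_macros.m4
+@@ -291,6 +291,19 @@ AC_DEFUN([WITH_KRB5AUTHDATA_PLUGIN_PATH],
+AC_SUBST(krb5authdatapluginpath)
+])
+
++AC_DEFUN([WITH_KRB5_CONF],
++ [ AC_ARG_WITH([krb5_conf],
++ [AC_HELP_STRING([--with-krb5-conf=PATH], [Path to krb5.conf file [/etc/krb5.conf]])
++ ]
++ )
++
++ KRB5_CONF_PATH="${sysconfdir}/krb5.conf"
++ if test x"$with_krb5_conf" != x; then
++ KRB5_CONF_PATH=$with_krb5_conf
++ fi
++ AC_DEFINE_UNQUOTED([KRB5_CONF_PATH], ["$KRB5_CONF_PATH"], [KRB5 configuration file])
++ ])
++
+AC_DEFUN([WITH_PYTHON_BINDINGS],
+[ AC_ARG_WITH([python-bindings],
+[AC_HELP_STRING([--with-python-bindings],
+diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
+index 18878ae33dc014639cfce0be54f9ca3a44c4ddbb..881f27c5d83f03a7e3bb1afb74fee765906e9148 100644
+--- a/src/providers/ipa/ipa_subdomains.c
++++ b/src/providers/ipa/ipa_subdomains.c
+@@ -382,6 +382,14 @@ ipa_subdomains_write_mappings(struct sss_domain_info *domain)
+goto done;
+}
+
++ /* touch krb5.conf to ensure that new mappings are loaded */
++ ret = sss_krb5_touch_config();
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to change last modification time "
++ "of krb5.conf. Created mappings may not be loaded.\n"));
++ /* just continue */
++ }
++
+ret = EOK;
+done:
+if (fstream) {
+diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
+index 674e9fcdd99e3d1df26b0db9854a80a6e3870d33..74db98fe9ee4cba858de5b459f0a5540003c63f8 100644
+--- a/src/util/sss_krb5.c
++++ b/src/util/sss_krb5.c
+@@ -20,6 +20,7 @@
+#include <stdio.h>
+#include <errno.h>
+#include <talloc.h>
++#include <utime.h>
+
+#include "config.h"
+
+@@ -1176,3 +1177,24 @@ done:
+return ENOTSUP;
+#endif
+}
++
++errno_t sss_krb5_touch_config(void)
++{
++ const char *config = NULL;
++ errno_t ret;
++
++ config = getenv("KRB5_CONFIG");
++ if (config == NULL) {
++ config = KRB5_CONF_PATH;
++ }
++
++ ret = utime(config, NULL);
++ if (ret == -1) {
++ ret = errno;
++ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to change mtime of \"%s\" "
++ "[%d]: %s\n", config, strerror(ret)));
++ return ret;
++ }
++
++ return EOK;
++}
+diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
+index 5fe7178c1aed8afaa9d85be99dd91634e0cedb36..9bae2f92b6d132ffd2631773deee4e9c56ad483d 100644
+--- a/src/util/sss_krb5.h
++++ b/src/util/sss_krb5.h
+@@ -191,4 +191,7 @@ krb5_error_code sss_extract_pac(krb5_context ctx,
+krb5_principal client_principal,
+krb5_keytab keytab,
+krb5_authdata ***_pac_authdata);
++
++errno_t sss_krb5_touch_config(void);
++
+#endif /* __SSS_KRB5_H__ */
+--
+1.8.2.1
+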
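Review bot: The `DEBUG` call in the error branch of `sss_krb5_touch_config` (src/util/sss_krb5.c) has three conversions, `%s`, `%d` and `%s`, but passes only `config` and `strerror(ret)`, so the failure path formats with a missing argument, which is undefined behaviour and can crash exactly when `utime()` fails. Pass the error number as well: `"[%d]: %s\n", config, ret, strerror(ret)));`. Separately, `KRB5_CONFIG` is taken from the environment verbatim; if it can hold a colon-separated list of files, `utime()` on the whole string will fail, so a comment stating the single-path assumption would help.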
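--- a/0012-rpm-couple-of-small-fixes.patch
+++ b/0012-rpm-couple-of-small-fixes.patch
@@ -0,0 +1,39 @@
+From 47d19d62aaabb9e7f09353ecad9f48aa4054e3b1 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 12 Jun 2013 14:14:41 +0200
+Subject: [PATCH 12/12] rpm: couple of small fixes
+
+* Include localized pam_sss manpages in sssd-client
+* Call ldconfig after libsss_nss_idmap is installed or removed
+---
+contrib/sssd.spec.in | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index b9f852201dd9b9d53876c4dcd1c280bb5a31c73c..bee939092a135f5d7d97f9e361c3b4b8583a630c 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -471,6 +471,9 @@ do
+sssd_krb5_*)
+echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
+;;
++ pam_sss*)
++ echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
++ ;;
+sssd-ldap*)
+echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ldap.lang
+;;
+@@ -775,6 +778,10 @@ fi
+
+%postun -n libsss_idmap -p /sbin/ldconfig
+
++%post -n libsss_nss_idmap -p /sbin/ldconfig
++
++%postun -n libsss_nss_idmap -p /sbin/ldconfig
++
+%changelog
+* Mon Mar 15 2010 Stephen Gallagher <sgallagh@redhat.com> - @PACKAGE_VERSION@-0@PRERELEASE_VERSION@
+- Automated build of the SSSD
+--
+1.8.2.1
+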
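--- a/0013-nested-groups-allocate-more-space-if-deref-returns-m.patch
+++ b/0013-nested-groups-allocate-more-space-if-deref-returns-m.patch
@@ -0,0 +1,53 @@
+From 354febd0c5647e16c9ce5d3985600baa4b8a86ab Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Fri, 14 Jun 2013 13:49:47 +0200
+Subject: [PATCH] nested groups: allocate more space if deref returns more
+members
+
+https://fedorahosted.org/sssd/ticket/1894
+---
+src/providers/ldap/sdap_async_nested_groups.c | 21 +++++++++++++++++++++
+1 file changed, 21 insertions(+)
+
+diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
+index e8d5295cc31319599212f96d7b58c8f5bd38245a..4f8dca9f50cdd150bacc14b1e834847e940b5e75 100644
+--- a/src/providers/ldap/sdap_async_nested_groups.c
++++ b/src/providers/ldap/sdap_async_nested_groups.c
+@@ -2048,6 +2048,18 @@ sdap_nested_group_deref_direct_process(struct tevent_req *subreq)
+DEBUG(SSSDBG_TRACE_INTERNAL, ("Received %d dereference results, "
+"about to process them\n", num_entries));
+
++ if (num_entries != members->num_values) {
++ /* Dereference returned more values than obtained earlier. We need
++ * to adjust group array size. */
++ state->nested_groups = talloc_realloc(state, state->nested_groups,
++ struct sysdb_attrs *,
++ num_entries);
++ if (state->nested_groups == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++ }
++
+for (i = 0; i < num_entries; i++) {
+ret = sysdb_attrs_get_string(entries[i]->attrs,
+SYSDB_ORIG_DN, &orig_dn);
+@@ -2155,6 +2167,15 @@ sdap_nested_group_deref_direct_process(struct tevent_req *subreq)
+}
+}
+
++ /* adjust size of nested groups array */
++ state->nested_groups = talloc_realloc(state, state->nested_groups,
++ struct sysdb_attrs *,
++ state->num_groups);
++ if (state->nested_groups == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
+ret = EOK;
+
+done:
+--
+1.7.11.7
+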
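Review bot: The final shrink in `sdap_nested_group_deref_direct_process` calls `talloc_realloc(..., state->num_groups)` unconditionally; with a count of zero talloc frees the array and returns NULL, so a dereference result that contains no nested groups would be reported as `ENOMEM`. The same applies to the first resize if `num_entries` can be zero. Guard both, e.g. `if (state->num_groups > 0) {` around the shrink, and release the array with `talloc_zfree(state->nested_groups);` otherwise. The first resize also tests `!=` while its comment speaks only of more values, so either the condition should be `num_entries > members->num_values` or the comment should mention shrinking. The function starts and ends outside both hunks.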
23
sssd.spec
@ -16,7 +16,7 @@
|
||||
|
||||
Name: sssd
|
||||
Version: 1.10.0
|
||||
Release: 10%{?dist}.beta2
|
||||
Release: 11%{?dist}.beta2
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -25,6 +25,20 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}beta2.tar.gz
|
||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-Bumping-the-version-for-the-1.10-final-release.patch
|
||||
Patch0002: 0002-Change-order-of-libraries-in-linking-process.patch
|
||||
Patch0003: 0003-be_ptask-send-and-recv-shadow-a-global-declaration.patch
|
||||
Patch0004: 0004-be_refresh-send-and-recv-shadow-a-global-declaration.patch
|
||||
Patch0005: 0005-Use-the-correct-talloc-context-when-creating-AD-subd.patch
|
||||
Patch0006: 0006-Fix-minor-typos.patch
|
||||
Patch0007: 0007-failover-set-state-out-when-meta-server-remains-in-S.patch
|
||||
Patch0008: 0008-KRB-Handle-preauthentication-error-correctly.patch
|
||||
Patch0009: 0009-AD-Fix-segfault-in-DEBUG-message.patch
|
||||
Patch0010: 0010-AD-Remove-ad_options-auth-options-reference.patch
|
||||
Patch0011: 0011-subdomains-touch-krb5.conf-when-creating-new-domain-.patch
|
||||
Patch0012: 0012-rpm-couple-of-small-fixes.patch
|
||||
Patch0013: 0013-nested-groups-allocate-more-space-if-deref-returns-m.patch
|
||||
|
||||
Patch0501: 0501-FEDORA-Switch-the-default-ccache-location.patch
|
||||
|
||||
### Dependencies ###
|
||||
@ -714,6 +728,13 @@ fi
|
||||
%postun -n libsss_idmap -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Sun Jun 16 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.10.0-11.beta2
|
||||
- Apply a number of patches from upstream to fix issues found post-beta,
|
||||
in particular:
|
||||
-- segfault with a high DEBUG level
|
||||
-- Fix IPA password migration (upstream #1873)
|
||||
-- Fix fail over when retrying SRV resolution (upstream #1886)
|
||||
|
||||
* Thu Jun 13 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.10.0-10.beta2
|
||||
- Only BuildRequire libcmocka on Fedora
|
||||
|
||||
|