Apply a number of patches from upstream to fix issues found post-beta

In particular:
-- segfault with a high DEBUG level
-- Fix IPA password migration (upstream #1873)
-- Fix fail over when retrying SRV resolution (upstream #1886)
Jakub Hrozek 2013-06-16 13:12:37 +02:00
parent 1577261624
commit ba06c0ac1d
14 changed files with 751 additions and 1 deletions


@ -0,0 +1,23 @@
From 376e39bc7a7f49f08fd51b1a00aa5d2a456b2314 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 11 Jun 2013 17:44:04 +0200
Subject: [PATCH 01/12] Bumping the version for the 1.10 final release
---
version.m4 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version.m4 b/version.m4
index 1435f6999f6d4ffb06ad0dfd4261b03357fd0cfa..4066d317aae67fee317d13a67abec0dae3ce14aa 100644
--- a/version.m4
+++ b/version.m4
@@ -1,5 +1,5 @@
# Primary version number
-m4_define([VERSION_NUMBER], [1.9.94])
+m4_define([VERSION_NUMBER], [1.9.95])
# If the PRERELEASE_VERSION_NUMBER is set, we'll append
# it to the release tag when creating an RPM or SRPM
--
1.8.2.1


@ -0,0 +1,31 @@
From fd98a28d6e94080e52bbedc789b06606a6019b10 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 12 Jun 2013 13:24:12 +0200
Subject: [PATCH 02/12] Change order of libraries in linking process.
It seems that some linkers have problem with wrong order of libraries.
This commit only change order.
---
Makefile.am | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 93e3a6fc0ce063cb3c874bd90e0b1773fe053386..88e29fff4f6f1f3686c02ca23b5a6f4725f22797 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -577,10 +577,10 @@ endif
libsss_util_la_LDFLAGS = -avoid-version
SSSD_INTERNAL_LTLIBS = \
+ libsss_util.la \
libsss_crypt.la \
libsss_debug.la \
- libsss_child.la \
- libsss_util.la
+ libsss_child.la
lib_LTLIBRARIES = libipa_hbac.la libsss_idmap.la libsss_nss_idmap.la
dist_pkgconfig_DATA += src/providers/ipa/ipa_hbac.pc
--
1.8.2.1


@ -0,0 +1,92 @@
From 460e43ee4dcc7a5860bcdc3c76ae51ed79921d79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 12 Jun 2013 09:50:54 +0200
Subject: [PATCH 03/12] be_ptask: send and recv shadow a global declaration
---
src/providers/dp_ptask.c | 18 +++++++++---------
src/providers/dp_ptask.h | 4 ++--
2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/src/providers/dp_ptask.c b/src/providers/dp_ptask.c
index d3580981b4abea8471c280a647eb558341d738ef..d0f7c6d9700dd9d5cf588c9f72954590f65f82b5 100644
--- a/src/providers/dp_ptask.c
+++ b/src/providers/dp_ptask.c
@@ -39,8 +39,8 @@ struct be_ptask {
time_t enabled_delay;
time_t timeout;
enum be_ptask_offline offline;
- be_ptask_send_t send;
- be_ptask_recv_t recv;
+ be_ptask_send_t send_fn;
+ be_ptask_recv_t recv_fn;
void *pvt;
const char *name;
@@ -139,7 +139,7 @@ static void be_ptask_execute(struct tevent_context *ev,
task->last_execution = time(NULL);
- task->req = task->send(task, task->ev, task->be_ctx, task, task->pvt);
+ task->req = task->send_fn(task, task->ev, task->be_ctx, task, task->pvt);
if (task->req == NULL) {
/* skip this iteration and try again later */
DEBUG(SSSDBG_OP_FAILURE, ("Task [%s]: failed to execute task, "
@@ -178,7 +178,7 @@ static void be_ptask_done(struct tevent_req *req)
task = tevent_req_callback_data(req, struct be_ptask);
- ret = task->recv(req);
+ ret = task->recv_fn(req);
talloc_zfree(req);
task->req = NULL;
switch (ret) {
@@ -246,8 +246,8 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
time_t enabled_delay,
time_t timeout,
enum be_ptask_offline offline,
- be_ptask_send_t send,
- be_ptask_recv_t recv,
+ be_ptask_send_t send_fn,
+ be_ptask_recv_t recv_fn,
void *pvt,
const char *name,
struct be_ptask **_task)
@@ -255,7 +255,7 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
struct be_ptask *task = NULL;
errno_t ret;
- if (be_ctx == NULL || period == 0 || send == NULL || recv == NULL
+ if (be_ctx == NULL || period == 0 || send_fn == NULL || recv_fn == NULL
|| name == NULL) {
return EINVAL;
}
@@ -272,8 +272,8 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
task->enabled_delay = enabled_delay;
task->timeout = timeout;
task->offline = offline;
- task->send = send;
- task->recv = recv;
+ task->send_fn = send_fn;
+ task->recv_fn = recv_fn;
task->pvt = pvt;
task->name = talloc_strdup(task, name);
if (task->name == NULL) {
diff --git a/src/providers/dp_ptask.h b/src/providers/dp_ptask.h
index ae5f78d586df69bdcfa34bb35f032ad1dbd1b983..7e45862e46c5d9da4eaedca5312e25dcc0eb8abe 100644
--- a/src/providers/dp_ptask.h
+++ b/src/providers/dp_ptask.h
@@ -81,8 +81,8 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
time_t enabled_delay,
time_t timeout,
enum be_ptask_offline offline,
- be_ptask_send_t send,
- be_ptask_recv_t recv,
+ be_ptask_send_t send_fn,
+ be_ptask_recv_t recv_fn,
void *pvt,
const char *name,
struct be_ptask **_task);
--
1.8.2.1


@ -0,0 +1,98 @@
From d24f0493002037a5809c9fc5ae27fa2ceb81036e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 12 Jun 2013 09:51:10 +0200
Subject: [PATCH 04/12] be_refresh: send and recv shadow a global declaration
---
src/providers/dp_refresh.c | 22 +++++++++++-----------
src/providers/dp_refresh.h | 4 ++--
2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/providers/dp_refresh.c b/src/providers/dp_refresh.c
index 59d858549d94660e4abd4f5610eda13dabb9b495..c368668e1def76a7a63cee87d6720239830e7c6b 100644
--- a/src/providers/dp_refresh.c
+++ b/src/providers/dp_refresh.c
@@ -119,8 +119,8 @@ typedef errno_t
struct be_refresh_cb {
bool enabled;
be_refresh_get_values_t get_values;
- be_refresh_send_t send;
- be_refresh_recv_t recv;
+ be_refresh_send_t send_fn;
+ be_refresh_recv_t recv_fn;
void *pvt;
};
@@ -145,11 +145,11 @@ struct be_refresh_ctx *be_refresh_ctx_init(TALLOC_CTX *mem_ctx)
errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
enum be_refresh_type type,
- be_refresh_send_t send,
- be_refresh_recv_t recv,
+ be_refresh_send_t send_fn,
+ be_refresh_recv_t recv_fn,
void *pvt)
{
- if (ctx == NULL || send == NULL || recv == NULL
+ if (ctx == NULL || send_fn == NULL || recv_fn == NULL
|| type >= BE_REFRESH_TYPE_SENTINEL) {
return EINVAL;
}
@@ -159,8 +159,8 @@ errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
}
ctx->callbacks[type].enabled = true;
- ctx->callbacks[type].send = send;
- ctx->callbacks[type].recv = recv;
+ ctx->callbacks[type].send_fn = send_fn;
+ ctx->callbacks[type].recv_fn = recv_fn;
ctx->callbacks[type].pvt = pvt;
return EOK;
@@ -246,8 +246,8 @@ static errno_t be_refresh_step(struct tevent_req *req)
goto done;
}
- if (state->cb->get_values == NULL || state->cb->send == NULL
- || state->cb->recv == NULL) {
+ if (state->cb->get_values == NULL || state->cb->send_fn == NULL
+ || state->cb->recv_fn == NULL) {
ret = EINVAL;
goto done;
}
@@ -260,7 +260,7 @@ static errno_t be_refresh_step(struct tevent_req *req)
goto done;
}
- subreq = state->cb->send(state, state->ev, state->be_ctx,
+ subreq = state->cb->send_fn(state, state->ev, state->be_ctx,
values, state->cb->pvt);
if (subreq == NULL) {
ret = ENOMEM;
@@ -288,7 +288,7 @@ static void be_refresh_done(struct tevent_req *subreq)
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct be_refresh_state);
- ret = state->cb->recv(subreq);
+ ret = state->cb->recv_fn(subreq);
talloc_zfree(subreq);
if (ret != EOK) {
goto done;
diff --git a/src/providers/dp_refresh.h b/src/providers/dp_refresh.h
index a7b324702b0546d8156e8fa395b39fa58b52812d..0dedbc3c14bfb661ebf296a9021fa397769dee66 100644
--- a/src/providers/dp_refresh.h
+++ b/src/providers/dp_refresh.h
@@ -54,8 +54,8 @@ struct be_refresh_ctx *be_refresh_ctx_init(TALLOC_CTX *mem_ctx);
errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
enum be_refresh_type type,
- be_refresh_send_t send,
- be_refresh_recv_t recv,
+ be_refresh_send_t send_fn,
+ be_refresh_recv_t recv_fn,
void *pvt);
struct tevent_req *be_refresh_send(TALLOC_CTX *mem_ctx,
--
1.8.2.1


@ -0,0 +1,28 @@
From 49f3aebcc8614d483c5753109a9d65aa33d301ea Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 11 Jun 2013 12:48:06 +0200
Subject: [PATCH 05/12] Use the correct talloc context when creating AD
subdomains
sdom was only ever guaranteed to be set when a new domain was being
created. sditer is a valid pointer in both cases, so just use that.
---
src/providers/ad/ad_subdomains.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index f4eec6a48019d55436631487a6108be405254766..07b523df5466319739e1f44164b7f08156ea214b 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -120,7 +120,7 @@ ads_store_sdap_subdom(struct ad_subdomains_ctx *ctx,
}
/* Convert the domain name into search base */
- ret = domain_to_basedn(sdom, sditer->dom->name, &basedn);
+ ret = domain_to_basedn(sditer, sditer->dom->name, &basedn);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
("Cannot convert domain name [%s] to base DN [%d]: %s\n",
--
1.8.2.1


@ -0,0 +1,90 @@
From 1091c0ae2f1596ceb161e5b765a91c23c413b369 Mon Sep 17 00:00:00 2001
From: Yuri Chornoivan <yurchor@ukr.net>
Date: Tue, 11 Jun 2013 19:12:41 +0300
Subject: [PATCH 06/12] Fix minor typos
---
src/man/sssd-krb5.5.xml | 2 +-
src/man/sssd-ldap.5.xml | 2 +-
src/man/sssd.conf.5.xml | 4 ++--
src/providers/ipa/ipa_hbac.h | 2 +-
src/tools/tools_mc_util.c | 2 +-
5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index 906aee096d9815bcf32b992260a7f5254b93b947..df124b4d20f7f3b553d2eac554eaf5411c3c8436 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -455,7 +455,7 @@
<term>krb5_use_kdcinfo (boolean)</term>
<listitem>
<para>
- Specifies if the SSSD should be instructing the Kerberos
+ Specifies if the SSSD should instruct the Kerberos
libraries what realm and which KDCs to use. This option
is on by default, if you disable it, you need to configure
the Kerberos library using the
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 9cd594c7bdcf682b8fd355e8e566229afcb18a43..fd29650e94db917b0afb3f3a73e4082773d1340f 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1592,7 +1592,7 @@
<term>krb5_use_kdcinfo (boolean)</term>
<listitem>
<para>
- Specifies if the SSSD should be instructing the Kerberos
+ Specifies if the SSSD should instruct the Kerberos
libraries what realm and which KDCs to use. This option
is on by default, if you disable it, you need to configure
the Kerberos library using the
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index d3e393c83e3ba130bab35a4d2153560710e16ba6..8df2bd97c4edb793e74a698b9531b3e7ab7c1abe 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -172,7 +172,7 @@
<para>
domain flat name. Mostly usable
for Active Directory domains, both
- directly configured or disovered
+ directly configured or discovered
via IPA trusts.
</para>
</listitem>
@@ -1605,7 +1605,7 @@ override_homedir = /home/%u
<para>
domain flat name. Mostly usable
for Active Directory domains, both
- directly configured or disovered
+ directly configured or discovered
via IPA trusts.
</para>
</listitem>
diff --git a/src/providers/ipa/ipa_hbac.h b/src/providers/ipa/ipa_hbac.h
index 02077e37ebeebd99ba06a9d27311c0885c4e2b7f..8bc2c4f90f32a83d14240abb4979ae265913ae6a 100644
--- a/src/providers/ipa/ipa_hbac.h
+++ b/src/providers/ipa/ipa_hbac.h
@@ -212,7 +212,7 @@ enum hbac_error_code {
/** Unexpected error */
HBAC_ERROR_UNKNOWN = -1,
- /** Succesful evaluation */
+ /** Successful evaluation */
HBAC_SUCCESS,
/** Function is not yet implemented */
diff --git a/src/tools/tools_mc_util.c b/src/tools/tools_mc_util.c
index 33d5d26dbefaa547da3a5c49947793b485896e83..5d4300fbe4c0fc8fd678d619277f1d8be18f0912 100644
--- a/src/tools/tools_mc_util.c
+++ b/src/tools/tools_mc_util.c
@@ -111,7 +111,7 @@ done:
/* Closing the file also releases the lock */
close(mc_fd);
- /* Only unlink the file if invalidation was succesful */
+ /* Only unlink the file if invalidation was successful */
if (ret == EOK) {
pret = unlink(mc_filename);
if (pret == -1) {
--
1.8.2.1


@ -0,0 +1,26 @@
From d3b39cf07164b23d47bbce3d6e6541b13fc895f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 13 Jun 2013 10:32:31 +0200
Subject: [PATCH 07/12] failover: set state->out when meta server remains in
SRV_RESOLVE_ERROR
https://fedorahosted.org/sssd/ticket/1886
---
src/providers/fail_over.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
index 12b6c37828b7da0e68579bbb94668c21574974f1..1d2813589495ebb2ff56e93cddaed9d5172e128e 100644
--- a/src/providers/fail_over.c
+++ b/src/providers/fail_over.c
@@ -1207,6 +1207,7 @@ resolve_srv_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
break;
case SRV_RESOLVE_ERROR: /* query could not be resolved but don't retry yet */
ret = EIO;
+ state->out = server;
goto done;
case SRV_RESOLVED: /* The query is resolved and valid. Return. */
state->out = server;
--
1.8.2.1


@ -0,0 +1,76 @@
From 22a21e910fd216ec1468fe769dcc29f1621a52a4 Mon Sep 17 00:00:00 2001
From: Ondrej Kos <okos@redhat.com>
Date: Thu, 13 Jun 2013 15:28:23 +0200
Subject: [PATCH 08/12] KRB: Handle preauthentication error correctly
https://fedorahosted.org/sssd/ticket/1873
KRB preauthentication error was later mishandled like authentication error.
---
src/providers/krb5/krb5_auth.c | 6 ++++++
src/providers/krb5/krb5_child.c | 4 +++-
src/util/util_errors.c | 1 +
src/util/util_errors.h | 1 +
4 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f65e5993d54a5a265e4217e7f23d9549915c6b32..f6acfb4891cf5e99878ccfa7994ffeddf5447e2c 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1026,6 +1026,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
ret = EOK;
goto done;
+ case ERR_CREDS_INVALID:
+ state->pam_status = PAM_CRED_ERR;
+ state->dp_err = DP_ERR_OK;
+ ret = EOK;
+ goto done;
+
case ERR_NO_CREDS:
state->pam_status = PAM_CRED_UNAVAIL;
state->dp_err = DP_ERR_OK;
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 8f746a8db561928349ffed8b7434db2a113a1f86..74d730aaa2e84af111982a450dafd524d411f472 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1172,9 +1172,11 @@ static errno_t map_krb5_error(krb5_error_code kerr)
return ERR_CREDS_EXPIRED;
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ return ERR_AUTH_FAILED;
+
case KRB5_PREAUTH_FAILED:
case KRB5KDC_ERR_PREAUTH_FAILED:
- return ERR_AUTH_FAILED;
+ return ERR_CREDS_INVALID;
default:
return ERR_INTERNAL;
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index b617f540691a245d1132469a1f019bcb0eb6e775..22a3045a6f9656d9ab8fe66673301a508e444771 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -31,6 +31,7 @@ struct err_string error_to_str[] = {
{ "Invalid credential type" }, /* ERR_INVALID_CRED_TYPE */
{ "No credentials available" }, /* ERR_NO_CREDS */
{ "Credentials are expired" }, /* ERR_CREDS_EXPIRED */
+ { "Failure setting user credentials"}, /* ERR_CREDS_INVALID */
{ "No cached credentials available" }, /* ERR_NO_CACHED_CREDS */
{ "Cached credentials are expired" }, /* ERR_CACHED_CREDS_EXPIRED */
{ "Authentication Denied" }, /* ERR_AUTH_DENIED */
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index a602a6ea92f72a51f5e21342940b2072bbe9296d..65d37aedb544bb303d7540fc59e1a802aee11898 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -53,6 +53,7 @@ enum sssd_errors {
ERR_INVALID_CRED_TYPE,
ERR_NO_CREDS,
ERR_CREDS_EXPIRED,
+ ERR_CREDS_INVALID,
ERR_NO_CACHED_CREDS,
ERR_CACHED_CREDS_EXPIRED,
ERR_AUTH_DENIED,
--
1.8.2.1
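Review bot: The new `case ERR_CREDS_INVALID:` in krb5_auth_done carries no comment explaining why a preauthentication failure is now reported as `PAM_CRED_ERR` with `DP_ERR_OK` rather than as the authentication failure it mapped to before. A wrong password commonly surfaces as `KRB5KDC_ERR_PREAUTH_FAILED`, so ordinary bad-password attempts presumably take this branch too; it is worth confirming that anything in the PAM stack that keys on an authentication-error result (failed-login counting, for instance) still sees them. I would add above the case something like `/* Preauth failed: report PAM_CRED_ERR so IPA password migration can be tried (ticket 1873); wrong passwords also end up here */`. The string added to error_to_str, "Failure setting user credentials", is what logs will show for these failures and reads as a different problem from a rejected preauthentication. Both krb5_auth_done and map_krb5_error continue outside the hunks shown.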


@ -0,0 +1,25 @@
From bb4172259e04925ffc3a92e4450029634d295134 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 14 Jun 2013 14:05:24 +0200
Subject: [PATCH 09/12] AD: Fix segfault in DEBUG message
---
src/providers/ad/ad_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 1aad85de337870ede08114490398dfbde32bf62f..d53acf9ee03a88c78bca58e664121142a7331ade 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -854,7 +854,7 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
ad_opts->service->krb5_service->write_kdcinfo = \
dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO);
DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
- ad_opts->auth[KRB5_USE_KDCINFO].opt_name,
+ krb5_options[KRB5_USE_KDCINFO].opt_name,
ad_opts->service->krb5_service->write_kdcinfo ? "true" : "false"));
*_opts = talloc_steal(mem_ctx, krb5_options);
--
1.8.2.1


@ -0,0 +1,26 @@
From 9f1106573a4fca41b99a468d06fa392486faf43c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 14 Jun 2013 14:19:25 +0200
Subject: [PATCH 10/12] AD: Remove ad_options->auth options reference
The options are stored in ad_options->auth_ctx->opts, this member was
completely unused and confusing.
---
src/providers/ad/ad_common.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 801815528c30ef05956eb51dce7cc6f8b161ffa8..1503059e87d60c90d33c00cdd3ebb55b4f4530f0 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -67,7 +67,6 @@ struct ad_options {
struct ad_id_ctx *id_ctx;
/* Auth and chpass Provider */
- struct dp_option *auth;
struct krb5_ctx *auth_ctx;
/* Dynamic DNS updates */
--
1.8.2.1


@ -0,0 +1,122 @@
From 03713859dffacc7142393e53c73d8d4cf7dee8d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 12 Jun 2013 13:44:19 +0200
Subject: [PATCH 11/12] subdomains: touch krb5.conf when creating new
domain-realm mappings
https://fedorahosted.org/sssd/ticket/1815
---
configure.ac | 1 +
src/conf_macros.m4 | 13 +++++++++++++
src/providers/ipa/ipa_subdomains.c | 8 ++++++++
src/util/sss_krb5.c | 22 ++++++++++++++++++++++
src/util/sss_krb5.h | 3 +++
5 files changed, 47 insertions(+)
diff --git a/configure.ac b/configure.ac
index e63e678705ee059b984612a6ffab1a10a4f7e7f8..7eeee2e2a069b2c4f7a3408798740cb7aba88513 100644
--- a/configure.ac
+++ b/configure.ac
@@ -110,6 +110,7 @@ WITH_XML_CATALOG
WITH_KRB5_PLUGIN_PATH
WITH_KRB5_RCACHE_DIR
WITH_KRB5AUTHDATA_PLUGIN_PATH
+WITH_KRB5_CONF
WITH_PYTHON_BINDINGS
WITH_SELINUX
WITH_NSCD
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index c72b3dd73d5a3eac76c17d8ce2568088f78cfcb3..1dd296039719fb29b2dbd40710fe7428ef417e16 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -291,6 +291,19 @@ AC_DEFUN([WITH_KRB5AUTHDATA_PLUGIN_PATH],
AC_SUBST(krb5authdatapluginpath)
])
+AC_DEFUN([WITH_KRB5_CONF],
+ [ AC_ARG_WITH([krb5_conf],
+ [AC_HELP_STRING([--with-krb5-conf=PATH], [Path to krb5.conf file [/etc/krb5.conf]])
+ ]
+ )
+
+ KRB5_CONF_PATH="${sysconfdir}/krb5.conf"
+ if test x"$with_krb5_conf" != x; then
+ KRB5_CONF_PATH=$with_krb5_conf
+ fi
+ AC_DEFINE_UNQUOTED([KRB5_CONF_PATH], ["$KRB5_CONF_PATH"], [KRB5 configuration file])
+ ])
+
AC_DEFUN([WITH_PYTHON_BINDINGS],
[ AC_ARG_WITH([python-bindings],
[AC_HELP_STRING([--with-python-bindings],
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 18878ae33dc014639cfce0be54f9ca3a44c4ddbb..881f27c5d83f03a7e3bb1afb74fee765906e9148 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -382,6 +382,14 @@ ipa_subdomains_write_mappings(struct sss_domain_info *domain)
goto done;
}
+ /* touch krb5.conf to ensure that new mappings are loaded */
+ ret = sss_krb5_touch_config();
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to change last modification time "
+ "of krb5.conf. Created mappings may not be loaded.\n"));
+ /* just continue */
+ }
+
ret = EOK;
done:
if (fstream) {
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 674e9fcdd99e3d1df26b0db9854a80a6e3870d33..74db98fe9ee4cba858de5b459f0a5540003c63f8 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -20,6 +20,7 @@
#include <stdio.h>
#include <errno.h>
#include <talloc.h>
+#include <utime.h>
#include "config.h"
@@ -1176,3 +1177,24 @@ done:
return ENOTSUP;
#endif
}
+
+errno_t sss_krb5_touch_config(void)
+{
+ const char *config = NULL;
+ errno_t ret;
+
+ config = getenv("KRB5_CONFIG");
+ if (config == NULL) {
+ config = KRB5_CONF_PATH;
+ }
+
+ ret = utime(config, NULL);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to change mtime of \"%s\" "
+ "[%d]: %s\n", config, strerror(ret)));
+ return ret;
+ }
+
+ return EOK;
+}
diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
index 5fe7178c1aed8afaa9d85be99dd91634e0cedb36..9bae2f92b6d132ffd2631773deee4e9c56ad483d 100644
--- a/src/util/sss_krb5.h
+++ b/src/util/sss_krb5.h
@@ -191,4 +191,7 @@ krb5_error_code sss_extract_pac(krb5_context ctx,
krb5_principal client_principal,
krb5_keytab keytab,
krb5_authdata ***_pac_authdata);
+
+errno_t sss_krb5_touch_config(void);
+
#endif /* __SSS_KRB5_H__ */
--
1.8.2.1
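Review bot: The DEBUG call added in sss_krb5_touch_config passes two arguments (`config`, `strerror(ret)`) to a format string with three conversions (`\"%s\" [%d]: %s`), so `%d` consumes the string pointer and the final `%s` reads an argument that was never passed. That is undefined behaviour on exactly the path where utime() fails, and can crash the process while it is logging the error. The argument list should be `config, ret, strerror(ret)));`. Separately, the path comes from `getenv("KRB5_CONFIG")`, which may name several files separated by colons; utime() on the whole string would then fail, so a comment stating that only a single path is supported (or handling the first entry) would help.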


@ -0,0 +1,39 @@
From 47d19d62aaabb9e7f09353ecad9f48aa4054e3b1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 12 Jun 2013 14:14:41 +0200
Subject: [PATCH 12/12] rpm: couple of small fixes
* Include localized pam_sss manpages in sssd-client
* Call ldconfig after libsss_nss_idmap is installed or removed
---
contrib/sssd.spec.in | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index b9f852201dd9b9d53876c4dcd1c280bb5a31c73c..bee939092a135f5d7d97f9e361c3b4b8583a630c 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -471,6 +471,9 @@ do
sssd_krb5_*)
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
;;
+ pam_sss*)
+ echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
+ ;;
sssd-ldap*)
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ldap.lang
;;
@@ -775,6 +778,10 @@ fi
%postun -n libsss_idmap -p /sbin/ldconfig
+%post -n libsss_nss_idmap -p /sbin/ldconfig
+
+%postun -n libsss_nss_idmap -p /sbin/ldconfig
+
%changelog
* Mon Mar 15 2010 Stephen Gallagher <sgallagh@redhat.com> - @PACKAGE_VERSION@-0@PRERELEASE_VERSION@
- Automated build of the SSSD
--
1.8.2.1


@ -0,0 +1,53 @@
From 354febd0c5647e16c9ce5d3985600baa4b8a86ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 14 Jun 2013 13:49:47 +0200
Subject: [PATCH] nested groups: allocate more space if deref returns more
members
https://fedorahosted.org/sssd/ticket/1894
---
src/providers/ldap/sdap_async_nested_groups.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index e8d5295cc31319599212f96d7b58c8f5bd38245a..4f8dca9f50cdd150bacc14b1e834847e940b5e75 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -2048,6 +2048,18 @@ sdap_nested_group_deref_direct_process(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_INTERNAL, ("Received %d dereference results, "
"about to process them\n", num_entries));
+ if (num_entries != members->num_values) {
+ /* Dereference returned more values than obtained earlier. We need
+ * to adjust group array size. */
+ state->nested_groups = talloc_realloc(state, state->nested_groups,
+ struct sysdb_attrs *,
+ num_entries);
+ if (state->nested_groups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
for (i = 0; i < num_entries; i++) {
ret = sysdb_attrs_get_string(entries[i]->attrs,
SYSDB_ORIG_DN, &orig_dn);
@@ -2155,6 +2167,15 @@ sdap_nested_group_deref_direct_process(struct tevent_req *subreq)
}
}
+ /* adjust size of nested groups array */
+ state->nested_groups = talloc_realloc(state, state->nested_groups,
+ struct sysdb_attrs *,
+ state->num_groups);
+ if (state->nested_groups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
ret = EOK;
done:
--
1.7.11.7
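Review bot: The second added block in sdap_nested_group_deref_direct_process shrinks the array with `talloc_realloc(..., state->num_groups)` and treats a NULL result as `ENOMEM`, but talloc_realloc with a count of zero frees the array and returns NULL. If `state->num_groups` can be 0 here (presumably when the dereference returned no nested groups), a successful lookup would be reported as out of memory. I would wrap the call in `if (state->num_groups > 0)` and release the array with `talloc_zfree(state->nested_groups);` in the else branch. The first added block has the same shape when `num_entries` is 0, and its condition is `!=` although the comment speaks only of more values being returned. The function body starts and ends outside these hunks.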


@ -16,7 +16,7 @@
Name: sssd
Version: 1.10.0
Release: 10%{?dist}.beta2
Release: 11%{?dist}.beta2
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -25,6 +25,20 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}beta2.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-Bumping-the-version-for-the-1.10-final-release.patch
Patch0002: 0002-Change-order-of-libraries-in-linking-process.patch
Patch0003: 0003-be_ptask-send-and-recv-shadow-a-global-declaration.patch
Patch0004: 0004-be_refresh-send-and-recv-shadow-a-global-declaration.patch
Patch0005: 0005-Use-the-correct-talloc-context-when-creating-AD-subd.patch
Patch0006: 0006-Fix-minor-typos.patch
Patch0007: 0007-failover-set-state-out-when-meta-server-remains-in-S.patch
Patch0008: 0008-KRB-Handle-preauthentication-error-correctly.patch
Patch0009: 0009-AD-Fix-segfault-in-DEBUG-message.patch
Patch0010: 0010-AD-Remove-ad_options-auth-options-reference.patch
Patch0011: 0011-subdomains-touch-krb5.conf-when-creating-new-domain-.patch
Patch0012: 0012-rpm-couple-of-small-fixes.patch
Patch0013: 0013-nested-groups-allocate-more-space-if-deref-returns-m.patch
Patch0501: 0501-FEDORA-Switch-the-default-ccache-location.patch
### Dependencies ###
@ -714,6 +728,13 @@ fi
%postun -n libsss_idmap -p /sbin/ldconfig
%changelog
* Sun Jun 16 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.10.0-11.beta2
- Apply a number of patches from upstream to fix issues found post-beta,
in particular:
-- segfault with a high DEBUG level
-- Fix IPA password migration (upstream #1873)
-- Fix fail over when retrying SRV resolution (upstream #1886)
* Thu Jun 13 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.10.0-10.beta2
- Only BuildRequire libcmocka on Fedora