diff --git a/.gitignore b/.gitignore
index 131a319..8e57730 100644
--- a/.gitignore
+++ b/.gitignore
@@ -59,3 +59,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.12.0.tar.gz
 /sssd-1.12.1.tar.gz
 /sssd-1.12.2.tar.gz
+/sssd-1.12.3.tar.gz
diff --git a/0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch b/0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch
deleted file mode 100644
index e17af0b..0000000
--- a/0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch
+++ /dev/null
@@ -1,97 +0,0 @@ -From c61100799c7d8e46c82a862eca3f543a4320490c Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 22 Oct 2014 10:03:09 +0200 -Subject: [PATCH 1/4] ipa: fix issues with older servers not supporting views - -Older FreeIPA servers which do not know about the ipaAssignedIDView -attribute will return an error during the LDAP dereference request -because SSSD marks LDAP extensions as critical. In this case we keep the -view name empty and skip override lookups. - -Reviewed-by: Jakub Hrozek ---- - src/providers/ipa/ipa_subdomains.c | 14 +++++++++++++- - src/providers/ipa/ipa_subdomains_id.c | 4 +++- - src/providers/ipa/ipa_views.c | 17 ++++++++++++----- - 3 files changed, 28 insertions(+), 7 deletions(-) - -diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c -index bedc0f1a50e8a35ea65de45247b1814c9abc0bcd..eb172fdfc05ac4e482174f01d89ad28db1498fc1 100644 ---- a/src/providers/ipa/ipa_subdomains.c -+++ b/src/providers/ipa/ipa_subdomains.c -@@ -1002,7 +1002,19 @@ static void ipa_get_view_name_done(struct tevent_req *req) - ret = sdap_deref_search_with_filter_recv(req, ctx, &reply_count, &reply); - talloc_zfree(req); - if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n"); -+ if (ret == EOPNOTSUPP) { -+ DEBUG(SSSDBG_TRACE_FUNC, "get_view_name request failed, looks " \ -+ "like server does not support views.\n"); -+ ret = ipa_check_master(ctx); -+ if (ret == EAGAIN) { -+ return; -+ } else if (ret != EOK) { -+ goto done; -+ } -+ -+ } else { -+ DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n"); -+ } - goto done; - } - -diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c -index 36f8b239249e5f0146610cfab148be20c39c66c2..b67006ce6e0b4bf9c794016c1dfc923ac6da3624 100644 ---- a/src/providers/ipa/ipa_subdomains_id.c -+++ b/src/providers/ipa/ipa_subdomains_id.c -@@ -106,11 +106,13 @@ struct tevent_req *ipa_subdomain_account_send(TALLOC_CTX *memctx, - * have to 
check first if the request matches an override in the given - * view. But there are cases where this can be skipped and the AD object - * can be searched directly: -+ * - if no view is defined, i.e. the server does not supprt views yet - * - searches by SID: because we do not override the SID - * - if the responder does not send the EXTRA_INPUT_MAYBE_WITH_VIEW flags, - * because in this case the entry was found in the cache and the - * original value is used for the search (e.g. during cache updates) */ -- if (state->ar->filter_type == BE_FILTER_SECID -+ if (state->ipa_ctx->view_name == NULL -+ || state->ar->filter_type == BE_FILTER_SECID - || (!state->ipa_server_mode - && state->ar->extra_value != NULL - && strcmp(state->ar->extra_value, -diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c -index 33dbf7b1c17f188924ee7b50a77ab699f03392be..2eb77216ab9759d8b1d66fbdf0b2e90cd07a4604 100644 ---- a/src/providers/ipa/ipa_views.c -+++ b/src/providers/ipa/ipa_views.c -@@ -208,16 +208,23 @@ struct tevent_req *ipa_get_ad_override_send(TALLOC_CTX *mem_ctx, - state->sdap_id_ctx = sdap_id_ctx; - state->ipa_options = ipa_options; - state->ipa_realm = ipa_realm; -- if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) { -- state->ipa_view_name = IPA_DEFAULT_VIEW_NAME; -- } else { -- state->ipa_view_name = view_name; -- } - state->ar = ar; - state->dp_error = -1; - state->override_attrs = NULL; - state->filter = NULL; - -+ if (view_name == NULL) { -+ DEBUG(SSSDBG_TRACE_ALL, "View not defined, nothing to do.\n"); -+ ret = EOK; -+ goto done; -+ } -+ -+ if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) { -+ state->ipa_view_name = IPA_DEFAULT_VIEW_NAME; -+ } else { -+ state->ipa_view_name = view_name; -+ } -+ - state->sdap_op = sdap_id_op_create(state, - state->sdap_id_ctx->conn->conn_cache); - if (state->sdap_op == NULL) { --- -1.9.3 - 
diff --git a/0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch b/0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch deleted file mode 100644 index 9c80ef5..0000000 --- a/0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 2e39a7b8c58ed6cc6077bef490482dbbd1ed81ac Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 20 Oct 2014 17:09:34 +0200 -Subject: [PATCH 2/4] ipa: improve error reporting for extdom LDAP exop - -This patch fixes a typo when calling ldap_parse_result() which prevented -the server-side error message to be used and adds a hint that more -information might be available on the server side. - -Fixes: https://fedorahosted.org/sssd/ticket/2456 - -Reviewed-by: Jakub Hrozek ---- - src/providers/ipa/ipa_s2n_exop.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c -index 96528816a520b633f1f1caa975dee9b9515621c3..bd5c00b6a48018f8f904aaa03e8162425651b37a 100644 ---- a/src/providers/ipa/ipa_s2n_exop.c -+++ b/src/providers/ipa/ipa_s2n_exop.c -@@ -133,7 +133,7 @@ static void ipa_s2n_exop_done(struct sdap_op *op, - } - - ret = ldap_parse_result(state->sh->ldap, reply->msg, -- &result, &errmsg, NULL, NULL, -+ &result, NULL, &errmsg, NULL, - NULL, 0); - if (ret != LDAP_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, "ldap_parse_result failed (%d)\n", -@@ -142,10 +142,13 @@ static void ipa_s2n_exop_done(struct sdap_op *op, - goto done; - } - -- DEBUG(SSSDBG_TRACE_FUNC, "ldap_extended_operation result: %s(%d), %s\n", -- sss_ldap_err2string(result), result, errmsg); -+ DEBUG(result == LDAP_SUCCESS ? SSSDBG_TRACE_FUNC : SSSDBG_OP_FAILURE, -+ "ldap_extended_operation result: %s(%d), %s.\n", -+ sss_ldap_err2string(result), result, errmsg); - - if (result != LDAP_SUCCESS) { -+ DEBUG(SSSDBG_OP_FAILURE, "ldap_extended_operation failed, " \ -+ "server logs might contain more details.\n"); - ret = ERR_NETWORK_IO; - goto done; - } --- -1.9.3 - diff --git a/0003-ipa_subdomains_handler_master_done-initialize-reply_.patch b/0003-ipa_subdomains_handler_master_done-initialize-reply_.patch deleted file mode 100644 index c3fc6e0..0000000 
--- a/0003-ipa_subdomains_handler_master_done-initialize-reply_.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 13262a18f804638b40213a865e0a72e33123ccf1 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 14 Oct 2014 16:52:04 +0200 -Subject: [PATCH 3/4] ipa_subdomains_handler_master_done: initialize - reply_count - -This patch should mainly silence a false-positive Coverity warning but -since further processing depends on this variable I think it is a good -idea anyways. - -Reviewed-by: Pavel Reichl ---- - src/providers/ipa/ipa_subdomains.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c -index eb172fdfc05ac4e482174f01d89ad28db1498fc1..c61c1c666908ec23f8a92e5568222e55ec47be0a 100644 ---- a/src/providers/ipa/ipa_subdomains.c -+++ b/src/providers/ipa/ipa_subdomains.c -@@ -1276,7 +1276,7 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req) - { - errno_t ret; - int dp_error = DP_ERR_FATAL; -- size_t reply_count; -+ size_t reply_count = 0; - struct sysdb_attrs **reply = NULL; - struct ipa_subdomains_req_ctx *ctx; - --- -1.9.3 - diff --git a/0004-IPA-Handle-NULL-members-in-process_members.patch b/0004-IPA-Handle-NULL-members-in-process_members.patch deleted file mode 100644 index 1ab81b9..0000000 --- a/0004-IPA-Handle-NULL-members-in-process_members.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 7bdd47bfbb558d948dd2afce0ae53d22046067ef Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Tue, 14 Oct 2014 14:15:25 +0200 -Subject: [PATCH 4/4] IPA: Handle NULL members in process_members() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Lukáš Slebodník ---- - src/providers/ipa/ipa_s2n_exop.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c -index bd5c00b6a48018f8f904aaa03e8162425651b37a..2c31120b196353df52c87ef5b924a80bda134a17 100644 ---- a/src/providers/ipa/ipa_s2n_exop.c -+++ b/src/providers/ipa/ipa_s2n_exop.c -@@ -1196,6 +1196,11 @@ static errno_t process_members(struct sss_domain_info *domain, - struct sss_domain_info *obj_domain; - struct sss_domain_info *parent_domain; - -+ if (members == NULL) { -+ DEBUG(SSSDBG_TRACE_INTERNAL, "No members\n"); -+ return EOK; -+ } -+ - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); -@@ -1731,6 +1736,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, - goto done; - } - } -+ DEBUG(SSSDBG_TRACE_FUNC, "Processing group %s\n", name); - - ret = sysdb_attrs_add_lc_name_alias(attrs->sysdb_attrs, name); - if (ret != EOK) { --- -1.9.3 - diff --git a/0005-GPO-Terminate-request-on-error.patch b/0005-GPO-Terminate-request-on-error.patch deleted file mode 100644 index 98284a2..0000000 --- a/0005-GPO-Terminate-request-on-error.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 08f261acfa442e38ff3d803b2ddeaa2f848b5fb8 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Tue, 21 Oct 2014 16:18:02 +0200 -Subject: [PATCH 05/26] GPO: Terminate request on error - -Reviewed-by: Pavel Reichl ---- - src/providers/ad/ad_gpo.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index 3f5df75c5a9de53eac11ffcf785e929cf9b3165e..4dfbd4b6943b477bd93fdd730dfa5b1c5828a10a 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -3954,11 +3954,13 @@ static void gpo_cse_done(struct tevent_req *subreq) - "ad_gpo_parse_gpo_child_response failed: [%d][%s]\n", - ret, strerror(ret)); - tevent_req_error(req, ret); -+ return; - } else if (child_result != 0){ - DEBUG(SSSDBG_CRIT_FAILURE, - "Error in gpo_child: [%d][%s]\n", - child_result, strerror(child_result)); - tevent_req_error(req, child_result); -+ return; - } - - now = time(NULL); --- -2.1.0 - diff --git a/0006-nss-group-enumeration-fix.patch b/0006-nss-group-enumeration-fix.patch deleted file mode 100644 index 70967df..0000000 --- a/0006-nss-group-enumeration-fix.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From e0f1b42c6b51d10b52749cdc2e1f018762f6004c Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 24 Oct 2014 11:28:54 +0200 -Subject: [PATCH 06/26] nss: group enumeration fix -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The view/override patches introduced and issue with group enumeration -where all groups are returned with the same name. This patch should fix -it. - -Fixes: https://fedorahosted.org/sssd/ticket/2475 - -Reviewed-by: Lukáš Slebodník ---- - src/responder/nss/nsssrv_cmd.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c -index 616f83dda58b11bb7b715e1eb6a2c43e91d2d9da..351ba671b980c589c875876116ed617c039d6000 100644 ---- a/src/responder/nss/nsssrv_cmd.c -+++ b/src/responder/nss/nsssrv_cmd.c -@@ -2662,6 +2662,9 @@ static int fill_grent(struct sss_packet *packet, - rsize = 0; - - /* find group name/gid */ -+ -+ /* start with an empty name for each iteration */ -+ orig_name = NULL; - if (DOM_HAS_VIEWS(dom)) { - orig_name = ldb_msg_find_attr_as_string(msg, - OVERRIDE_PREFIX SYSDB_NAME, --- -2.1.0 - diff --git a/0007-IPA-Don-t-fail-the-request-when-BE-doesn-t-find-the-.patch b/0007-IPA-Don-t-fail-the-request-when-BE-doesn-t-find-the-.patch deleted file mode 100644 index 3c6bc04..0000000 --- a/0007-IPA-Don-t-fail-the-request-when-BE-doesn-t-find-the-.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 38b81775a27ce2f8a97aaaa18952263d83ad60f9 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Wed, 29 Oct 2014 20:30:20 +0100 -Subject: [PATCH 07/26] IPA: Don't fail the request when BE doesn't find the - object - -The IPA subdomain code treated ENOENT as a fatal error, which resulted -in a loud error message and the whole request being aborted. This patch -ignores ENOENT. - -Reviewed-by: Pavel Reichl ---- - src/providers/ipa/ipa_subdomains_id.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c -index b67006ce6e0b4bf9c794016c1dfc923ac6da3624..0a1c4c17eed37b2eb12a8c758e49fc17c3b642b5 100644 ---- a/src/providers/ipa/ipa_subdomains_id.c -+++ b/src/providers/ipa/ipa_subdomains_id.c -@@ -942,7 +942,7 @@ static errno_t get_object_from_cache(TALLOC_CTX *mem_ctx, - goto done; - } - -- if (ret != EOK) { -+ if (ret != EOK && ret != ENOENT) { - DEBUG(SSSDBG_OP_FAILURE, - "Failed to make request to our cache: [%d]: [%s]\n", - ret, sss_strerror(ret)); -@@ -951,8 +951,6 @@ static errno_t get_object_from_cache(TALLOC_CTX *mem_ctx, - - *_msg = msg; - -- ret = EOK; -- - done: - return ret; - } -@@ -978,7 +976,11 @@ ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq) - - ret = get_object_from_cache(state, state->user_dom, state->ar, - &state->obj_msg); -- if (ret != EOK) { -+ if (ret == ENOENT) { -+ DEBUG(SSSDBG_MINOR_FAILURE, "Object not found, ending request\n"); -+ tevent_req_done(req); -+ return; -+ } else if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "get_object_from_cache failed.\n"); - goto fail; - } --- -2.1.0 - diff --git a/0008-IPA-use-ipaUserGroup-object-class-for-groups.patch b/0008-IPA-use-ipaUserGroup-object-class-for-groups.patch deleted file mode 100644 index d018fab..0000000 --- a/0008-IPA-use-ipaUserGroup-object-class-for-groups.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From c5228b2d19709d284d1f82204184d98de86643af Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Fri, 31 Oct 2014 14:26:30 +0100 -Subject: [PATCH 08/26] IPA: use ipaUserGroup object class for groups - -dfb34c6c82ed5014599bf70de6791e6d79106fc2 changed object class -of IPA groups from posixGroups to more general groupOfNames. -However, this object class is used also for roles, permissions and -privileges which caused SSSD to consider those objects to be groups as -well during initgroups. - -Resolves: -https://fedorahosted.org/sssd/ticket/2471 - -Reviewed-by: Jakub Hrozek ---- - src/providers/ipa/ipa_opts.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h -index 4785e0164bf6d9efb574a8703b573f4e8086cab6..0e0eed49cd397fe88ce7bf41579c066088947d04 100644 ---- a/src/providers/ipa/ipa_opts.h -+++ b/src/providers/ipa/ipa_opts.h -@@ -205,7 +205,7 @@ struct sdap_attr_map ipa_user_map[] = { - }; - - struct sdap_attr_map ipa_group_map[] = { -- { "ldap_group_object_class", "groupOfNames", SYSDB_GROUP_CLASS, NULL }, -+ { "ldap_group_object_class", "ipaUserGroup", SYSDB_GROUP_CLASS, NULL }, - { "ldap_group_object_class_alt", "posixGroup", SYSDB_GROUP_CLASS, NULL }, - { "ldap_group_name", "cn", SYSDB_NAME, NULL }, - { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL }, --- -2.1.0 - diff --git a/0009-PAM-Remove-authtok-from-PAM-stack-with-OTP.patch b/0009-PAM-Remove-authtok-from-PAM-stack-with-OTP.patch deleted file mode 100644 index 43cd8cc..0000000 --- a/0009-PAM-Remove-authtok-from-PAM-stack-with-OTP.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From 0c58361481982fd356e2282c2640ee55bdf60abb Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Mon, 20 Oct 2014 22:21:25 +0200 -Subject: [PATCH 09/26] PAM: Remove authtok from PAM stack with OTP - -We remove the password from the PAM stack when OTP is used to make sure -that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore -and have to request a password on their own. - -Resolves: - https://fedorahosted.org/sssd/ticket/2287 - -Reviewed-by: Nathaniel McCallum ---- - src/providers/krb5/krb5_auth.c | 14 ++++++++++++++ - src/sss_client/pam_sss.c | 16 +++++++++++++++- - 2 files changed, 29 insertions(+), 1 deletion(-) - -diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c -index f539d5068ec29f7b06f734a3417864b43122b1b7..c96b7aee99da8c3d43a67a04bb1f67ee048d4705 100644 ---- a/src/providers/krb5/krb5_auth.c -+++ b/src/providers/krb5/krb5_auth.c -@@ -1161,6 +1161,20 @@ static void krb5_auth_done(struct tevent_req *subreq) - krb5_auth_store_creds(state->domain, pd); - } - -+ if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) { -+ uint32_t otp_flag = 1; -+ ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t), -+ (const uint8_t *) &otp_flag); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "pam_add_response failed: %d (%s).\n", -+ ret, sss_strerror(ret)); -+ state->pam_status = PAM_SYSTEM_ERR; -+ state->dp_err = DP_ERR_OK; -+ goto done; -+ } -+ } -+ - state->pam_status = PAM_SUCCESS; - state->dp_err = DP_ERR_OK; - ret = EOK; -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index abe9b05478cbf480b3430dccd1951e9bfb0e29c1..d64e826daeb80be8998ef3b410047e3a44051b07 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -206,7 +206,7 @@ static size_t add_string_item(enum pam_item_type type, const char *str, - return rp; - } - --static void overwrite_and_free_pam_items(struct pam_items *pi) -+static void overwrite_and_free_authtoks(struct pam_items *pi) - { - if 
(pi->pam_authtok != NULL) { - _pam_overwrite_n((void *)pi->pam_authtok, pi->pam_authtok_size); -@@ -222,6 +222,11 @@ static void overwrite_and_free_pam_items(struct pam_items *pi) - - pi->pamstack_authtok = NULL; - pi->pamstack_oldauthtok = NULL; -+} -+ -+static void overwrite_and_free_pam_items(struct pam_items *pi) -+{ -+ overwrite_and_free_authtoks(pi); - - free(pi->domain_name); - pi->domain_name = NULL; -@@ -998,6 +1003,15 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, - D(("do_pam_conversation failed.")); - } - break; -+ case SSS_OTP: -+ D(("OTP was used, removing authtokens.")); -+ overwrite_and_free_authtoks(pi); -+ ret = pam_set_item(pamh, PAM_AUTHTOK, NULL); -+ if (ret != PAM_SUCCESS) { -+ D(("Failed to remove PAM_AUTHTOK after using otp [%s]", -+ pam_strerror(pamh,ret))); -+ } -+ break; - default: - D(("Unknown response type [%d]", type)); - } --- -2.1.0 - diff --git a/0010-Revert-LDAP-Remove-unused-option-ldap_user_uuid.patch b/0010-Revert-LDAP-Remove-unused-option-ldap_user_uuid.patch deleted file mode 100644 index 1311370..0000000 --- a/0010-Revert-LDAP-Remove-unused-option-ldap_user_uuid.patch +++ /dev/null 
@@ -1,176 +0,0 @@ -From e7cffa789d0d41dfbd2f919406217396d004388d Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 5 Nov 2014 17:35:45 +0100 -Subject: [PATCH 10/26] Revert "LDAP: Remove unused option ldap_user_uuid" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This reverts commit dfb2960ab251f609466fa660449703835c97f99a. - -Reviewed-by: Lukáš Slebodník ---- - src/config/SSSDConfig/__init__.py.in | 1 + - src/config/SSSDConfig/sssd_upgrade_config.py | 1 + - src/config/etc/sssd.api.d/sssd-ad.conf | 1 + - src/config/etc/sssd.api.d/sssd-ipa.conf | 1 + - src/config/etc/sssd.api.d/sssd-ldap.conf | 1 + - src/man/sssd-ldap.5.xml | 13 +++++++++++++ - src/providers/ad/ad_opts.h | 1 + - src/providers/ipa/ipa_opts.h | 1 + - src/providers/ldap/ldap_opts.h | 4 ++++ - src/providers/ldap/sdap.h | 1 + - 10 files changed, 25 insertions(+) - -diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in -index 6c95530868d7c078ccf13622f3ba916392b0c732..769a29005c5fa392bcee3e746e7583d2f4ee05f0 100644 ---- a/src/config/SSSDConfig/__init__.py.in -+++ b/src/config/SSSDConfig/__init__.py.in -@@ -271,6 +271,7 @@ option_strings = { - 'ldap_user_gecos' : _('GECOS attribute'), - 'ldap_user_home_directory' : _('Home directory attribute'), - 'ldap_user_shell' : _('Shell attribute'), -+ 'ldap_user_uuid' : _('UUID attribute'), - 'ldap_user_objectsid' : _("objectSID attribute"), - 'ldap_user_primary_group' : _('Active Directory primary group attribute for ID-mapping'), - 'ldap_user_principal' : _('User principal attribute (for Kerberos)'), -diff --git a/src/config/SSSDConfig/sssd_upgrade_config.py b/src/config/SSSDConfig/sssd_upgrade_config.py -index 3d9f788c3b4707a8b6e8958d11d5068437d31156..97be6543f8f86eb0189843003f675d2efcfcc8a5 100644 ---- a/src/config/SSSDConfig/sssd_upgrade_config.py -+++ b/src/config/SSSDConfig/sssd_upgrade_config.py -@@ -170,6 +170,7 @@ class SSSDConfigFile(SSSDChangeConf): - 'ldap_user_gecos' 
: 'userGecos', - 'ldap_user_home_directory' : 'userHomeDirectory', - 'ldap_user_shell' : 'userShell', -+ 'ldap_user_uuid' : 'userUUID', - 'ldap_user_principal' : 'userPrincipal', - 'ldap_force_upper_case_realm' : 'force_upper_case_realm', - 'ldap_user_fullname' : 'userFullname', -diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf -index 5dd4fb43526849e6b74fbe7cd354afda9af695b0..f8b200eaaf2f1b2ee17214faf2df70b14a2ec93c 100644 ---- a/src/config/etc/sssd.api.d/sssd-ad.conf -+++ b/src/config/etc/sssd.api.d/sssd-ad.conf -@@ -72,6 +72,7 @@ ldap_user_gid_number = str, None, false - ldap_user_gecos = str, None, false - ldap_user_home_directory = str, None, false - ldap_user_shell = str, None, false -+ldap_user_uuid = str, None, false - ldap_user_objectsid = str, None, false - ldap_user_primary_group = str, None, false - ldap_user_principal = str, None, false -diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf -index 8713385fc2b6d3b03b75cd5c6557968fdcdad892..91dc9ec9d158758be32f8a3eb5d36be2446fc254 100644 ---- a/src/config/etc/sssd.api.d/sssd-ipa.conf -+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf -@@ -69,6 +69,7 @@ ldap_user_gid_number = str, None, false - ldap_user_gecos = str, None, false - ldap_user_home_directory = str, None, false - ldap_user_shell = str, None, false -+ldap_user_uuid = str, None, false - ldap_user_objectsid = str, None, false - ldap_user_primary_group = str, None, false - ldap_user_principal = str, None, false -diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf -index 29276bfd74b9fcc67042a138006959896c34fbae..68d5b4953a07398b159f3374ccba7380a642d818 100644 ---- a/src/config/etc/sssd.api.d/sssd-ldap.conf -+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf -@@ -56,6 +56,7 @@ ldap_user_gid_number = str, None, false - ldap_user_gecos = str, None, false - ldap_user_home_directory = str, None, false - ldap_user_shell = str, None, 
false -+ldap_user_uuid = str, None, false - ldap_user_objectsid = str, None, false - ldap_user_primary_group = str, None, false - ldap_user_principal = str, None, false -diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml -index a21ffc12986c4af10f4c0a5950eb43b88dac9d47..a8416d44dfc19c11091c54d847dc27eb66b431f7 100644 ---- a/src/man/sssd-ldap.5.xml -+++ b/src/man/sssd-ldap.5.xml -@@ -338,6 +338,19 @@ - - - -+ ldap_user_uuid (string) -+ -+ -+ The LDAP attribute that contains the UUID/GUID of -+ an LDAP user object. -+ -+ -+ Default: nsUniqueId -+ -+ -+ -+ -+ - ldap_user_objectsid (string) - - -diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h -index 452516cd24aba4dfbf74376767deb8f5f487253d..ee70b3c4b71b87ab31ac07310a448d7960f8e9a8 100644 ---- a/src/providers/ad/ad_opts.h -+++ b/src/providers/ad/ad_opts.h -@@ -187,6 +187,7 @@ struct sdap_attr_map ad_2008r2_user_map[] = { - { "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL }, - { "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL }, - { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL }, -+ { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL }, - { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL }, - { "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL }, - { "ldap_user_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL }, -diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h -index 0e0eed49cd397fe88ce7bf41579c066088947d04..7ecf0ff218aa1767976ccc624d7d9bc2dd96cd41 100644 ---- a/src/providers/ipa/ipa_opts.h -+++ b/src/providers/ipa/ipa_opts.h -@@ -178,6 +178,7 @@ struct sdap_attr_map ipa_user_map[] = { - { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL }, - { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL }, - { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL }, -+ { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL }, - { "ldap_user_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL }, - { 
"ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL }, - { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }, -diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h -index 61e3309fe73e72e82ecb471d9b608db7bea1d2e6..2e937412635e16b4bc541c59055b1c4e7896f045 100644 ---- a/src/providers/ldap/ldap_opts.h -+++ b/src/providers/ldap/ldap_opts.h -@@ -155,6 +155,7 @@ struct sdap_attr_map rfc2307_user_map[] = { - { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL }, - { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL }, - { "ldap_user_member_of", NULL, SYSDB_MEMBEROF, NULL }, -+ { "ldap_user_uuid", NULL, SYSDB_UUID, NULL }, - { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL }, - { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL }, - { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }, -@@ -207,6 +208,8 @@ struct sdap_attr_map rfc2307bis_user_map[] = { - { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL }, - { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL }, - { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL }, -+ /* FIXME: this is 389ds specific */ -+ { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL }, - { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL }, - { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL }, - { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }, -@@ -259,6 +262,7 @@ struct sdap_attr_map gen_ad2008r2_user_map[] = { - { "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL }, - { "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL }, - { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL }, -+ { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL }, - { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL }, - { "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL }, - { "ldap_user_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL }, -diff --git 
a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h -index e9e23561c4c74d3b33ebe35aab86fc257bde6237..906fd74090509802909b300d26234f96d324a769 100644 ---- a/src/providers/ldap/sdap.h -+++ b/src/providers/ldap/sdap.h -@@ -256,6 +256,7 @@ enum sdap_user_attrs { - SDAP_AT_USER_PRINC, - SDAP_AT_USER_FULLNAME, - SDAP_AT_USER_MEMBEROF, -+ SDAP_AT_USER_UUID, - SDAP_AT_USER_OBJECTSID, - SDAP_AT_USER_PRIMARY_GROUP, - SDAP_AT_USER_MODSTAMP, --- -2.1.0 - diff --git a/0011-Revert-LDAP-Remove-unused-option-ldap_group_uuid.patch b/0011-Revert-LDAP-Remove-unused-option-ldap_group_uuid.patch deleted file mode 100644 index 76bea9e..0000000 --- a/0011-Revert-LDAP-Remove-unused-option-ldap_group_uuid.patch +++ /dev/null 
@@ -1,176 +0,0 @@ -From b7ab4232ef04c1aa928284b4aed840f48ce4194b Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 5 Nov 2014 17:38:05 +0100 -Subject: [PATCH 11/26] Revert "LDAP: Remove unused option ldap_group_uuid" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77. - -Reviewed-by: Lukáš Slebodník ---- - src/config/SSSDConfig/__init__.py.in | 1 + - src/config/SSSDConfig/sssd_upgrade_config.py | 1 + - src/config/etc/sssd.api.d/sssd-ad.conf | 1 + - src/config/etc/sssd.api.d/sssd-ipa.conf | 1 + - src/config/etc/sssd.api.d/sssd-ldap.conf | 1 + - src/man/sssd-ldap.5.xml | 13 +++++++++++++ - src/providers/ad/ad_opts.h | 1 + - src/providers/ipa/ipa_opts.h | 1 + - src/providers/ldap/ldap_opts.h | 4 ++++ - src/providers/ldap/sdap.h | 1 + - 10 files changed, 25 insertions(+) - -diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in -index 769a29005c5fa392bcee3e746e7583d2f4ee05f0..491112ae772d2da74da14f62ba1ff8fffb4c7778 100644 ---- a/src/config/SSSDConfig/__init__.py.in -+++ b/src/config/SSSDConfig/__init__.py.in -@@ -308,6 +308,7 @@ option_strings = { - 'ldap_group_pwd' : _('Group password'), - 'ldap_group_gid_number' : _('GID attribute'), - 'ldap_group_member' : _('Group member attribute'), -+ 'ldap_group_uuid' : _('Group UUID attribute'), - 'ldap_group_objectsid' : _("objectSID attribute"), - 'ldap_group_modify_timestamp' : _('Modification time attribute for groups'), - 'ldap_group_type' : _('Type of the group and other flags'), -diff --git a/src/config/SSSDConfig/sssd_upgrade_config.py b/src/config/SSSDConfig/sssd_upgrade_config.py -index 97be6543f8f86eb0189843003f675d2efcfcc8a5..33d9fed74424a7d3ee28e888aaed724d0a8a94ff 100644 ---- a/src/config/SSSDConfig/sssd_upgrade_config.py -+++ b/src/config/SSSDConfig/sssd_upgrade_config.py -@@ -184,6 +184,7 @@ class SSSDConfigFile(SSSDChangeConf): - 'ldap_group_pwd' : 'userPassword', - 
'ldap_group_gid_number' : 'groupGidNumber',
- 'ldap_group_member' : 'groupMember',
-+ 'ldap_group_uuid' : 'groupUUID',
- 'ldap_group_modify_timestamp' : 'modifyTimestamp',
- 'ldap_network_timeout' : 'network_timeout',
- 'ldap_offline_timeout' : 'offline_timeout',
-diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
-index f8b200eaaf2f1b2ee17214faf2df70b14a2ec93c..3daa2560b14d74f7686ed47cf1b09e2005eb8917 100644
---- a/src/config/etc/sssd.api.d/sssd-ad.conf
-+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
-@@ -98,6 +98,7 @@ ldap_group_object_class = str, None, false
- ldap_group_name = str, None, false
- ldap_group_gid_number = str, None, false
- ldap_group_member = str, None, false
-+ldap_group_uuid = str, None, false
- ldap_group_objectsid = str, None, false
- ldap_group_modify_timestamp = str, None, false
- ldap_group_entry_usn = str, None, false
-diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
-index 91dc9ec9d158758be32f8a3eb5d36be2446fc254..5df52581e67657e41e2f08820b885f100ccd7ca9 100644
---- a/src/config/etc/sssd.api.d/sssd-ipa.conf
-+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
-@@ -95,6 +95,7 @@ ldap_group_object_class = str, None, false
- ldap_group_name = str, None, false
- ldap_group_gid_number = str, None, false
- ldap_group_member = str, None, false
-+ldap_group_uuid = str, None, false
- ldap_group_objectsid = str, None, false
- ldap_group_modify_timestamp = str, None, false
- ldap_group_entry_usn = str, None, false
-diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
-index 68d5b4953a07398b159f3374ccba7380a642d818..ba5f56f1942da552fc6ab8f82851714756683a8f 100644
---- a/src/config/etc/sssd.api.d/sssd-ldap.conf
-+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
-@@ -90,6 +90,7 @@ ldap_group_object_class = str, None, false
- ldap_group_name = str, None, false
- ldap_group_gid_number = str, None, false
- ldap_group_member = str, None, false
-+ldap_group_uuid = str, None, false
- ldap_group_objectsid = str, None, false
- ldap_group_modify_timestamp = str, None, false
- ldap_group_entry_usn = str, None, false
-diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
-index a8416d44dfc19c11091c54d847dc27eb66b431f7..b8b6f2abe5bb79a055c02bd2abac72ee79266f09 100644
---- a/src/man/sssd-ldap.5.xml
-+++ b/src/man/sssd-ldap.5.xml
-@@ -859,6 +859,19 @@
-
-
-
-+ ldap_group_uuid (string)
-+
-+
-+ The LDAP attribute that contains the UUID/GUID of
-+ an LDAP group object.
-+
-+
-+ Default: nsUniqueId
-+
-+
-+
-+
-+
- ldap_group_objectsid (string)
-
-
-diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
-index ee70b3c4b71b87ab31ac07310a448d7960f8e9a8..ac6006c9200464956ccedb17ff53050fed5fc6ea 100644
---- a/src/providers/ad/ad_opts.h
-+++ b/src/providers/ad/ad_opts.h
-@@ -221,6 +221,7 @@ struct sdap_attr_map ad_2008r2_group_map[] = {
- { "ldap_group_pwd", NULL, SYSDB_PWD, NULL },
- { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
- { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
-+ { "ldap_group_uuid", "objectGUID", SYSDB_UUID, NULL },
- { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
- { "ldap_group_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL },
- { "ldap_group_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL },
-diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
-index 7ecf0ff218aa1767976ccc624d7d9bc2dd96cd41..890a0437ae2fa81d111dcf0eba941786b2b83a1a 100644
---- a/src/providers/ipa/ipa_opts.h
-+++ b/src/providers/ipa/ipa_opts.h
-@@ -212,6 +212,7 @@ struct sdap_attr_map ipa_group_map[] = {
- { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
- { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
- { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
-+ { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
- { "ldap_group_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
- { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
- { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
-diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
-index 2e937412635e16b4bc541c59055b1c4e7896f045..096a63bd53918ba79378c01257a18e543597209a 100644
---- a/src/providers/ldap/ldap_opts.h
-+++ b/src/providers/ldap/ldap_opts.h
-@@ -189,6 +189,7 @@ struct sdap_attr_map rfc2307_group_map[] = {
- { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
- { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
- { "ldap_group_member", "memberuid", SYSDB_MEMBER, NULL },
-+ { "ldap_group_uuid", NULL, SYSDB_UUID, NULL },
- { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
- { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
- { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
-@@ -243,6 +244,8 @@ struct sdap_attr_map rfc2307bis_group_map[] = {
- { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
- { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
- { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
-+ /* FIXME: this is 389ds specific */
-+ { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
- { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
- { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
- { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
-@@ -296,6 +299,7 @@ struct sdap_attr_map gen_ad2008r2_group_map[] = {
- { "ldap_group_pwd", NULL, SYSDB_PWD, NULL },
- { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
- { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
-+ { "ldap_group_uuid", "objectGUID", SYSDB_UUID, NULL },
- { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
- { "ldap_group_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL },
- { "ldap_group_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL },
-diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
-index 906fd74090509802909b300d26234f96d324a769..aa10623a58d7d667205b09e744dc2b924ca821ed 100644
---- a/src/providers/ldap/sdap.h
-+++ b/src/providers/ldap/sdap.h
-@@ -295,6 +295,7 @@ enum sdap_group_attrs {
- SDAP_AT_GROUP_PWD,
- SDAP_AT_GROUP_GID,
- SDAP_AT_GROUP_MEMBER,
-+ SDAP_AT_GROUP_UUID,
- SDAP_AT_GROUP_OBJECTSID,
- SDAP_AT_GROUP_MODSTAMP,
- SDAP_AT_GROUP_USN,
---
-2.1.0
-
diff --git a/0012-Fix-uuid-defaults.patch b/0012-Fix-uuid-defaults.patch
deleted file mode 100644
index 9cd9d64..0000000
--- a/0012-Fix-uuid-defaults.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From da75b87ffc1ff98d8a3685a6ccbf00265838cf7a Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 5 Nov 2014 18:01:07 +0100
-Subject: [PATCH 12/26] Fix uuid defaults
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Recently the uuid attributes for user and groups were removed because
-it was found that there are not used at all and that some of them where
-causing issues (https://fedorahosted.org/sssd/ticket/2383).
-
-The new views/overrides feature of FreeIPA uses the ipaUniqueID attribute
-to relate overrides with the original IPA objects. The previous two
-patches revert the removal of the uuid attributes from users and groups
-with this patch set the default value of these attributes to
-ipaUniqueID from the IPA provider, to objectGUID for the AD provider and
-leaves them unset for the general LDAP case to avoid issues like the one
-from ticket #2383.
-
-Related to https://fedorahosted.org/sssd/ticket/2481
-
-Reviewed-by: Lukáš Slebodník
----
- src/man/sssd-ldap.5.xml | 6 ++++--
- src/providers/ipa/ipa_opts.h | 4 ++--
- src/providers/ldap/ldap_opts.h | 6 ++----
- 3 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
-index b8b6f2abe5bb79a055c02bd2abac72ee79266f09..aa47ed7a6dd41f7f82ea80e1deb34f9ccc894dc9 100644
---- a/src/man/sssd-ldap.5.xml
-+++ b/src/man/sssd-ldap.5.xml
-@@ -345,7 +345,8 @@
- an LDAP user object.
-
-
-- Default: nsUniqueId
-+ Default: not set in the general case, objectGUID for
-+ AD and ipaUniqueID for IPA
-
-
-
-@@ -866,7 +867,8 @@
- an LDAP group object.
-
-
-- Default: nsUniqueId
-+ Default: not set in the general case, objectGUID for
-+ AD and ipaUniqueID for IPA
-
-
-
-diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
-index 890a0437ae2fa81d111dcf0eba941786b2b83a1a..3cde1a4362c1fa81259d7764e182a9163d272577 100644
---- a/src/providers/ipa/ipa_opts.h
-+++ b/src/providers/ipa/ipa_opts.h
-@@ -178,7 +178,7 @@ struct sdap_attr_map ipa_user_map[] = {
- { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
- { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
- { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
-- { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL },
-+ { "ldap_user_uuid", "ipaUniqueID", SYSDB_UUID, NULL },
- { "ldap_user_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
- { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
- { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
-@@ -212,7 +212,7 @@ struct sdap_attr_map ipa_group_map[] = {
- { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
- { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
- { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
-- { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
-+ { "ldap_group_uuid", "ipaUniqueID", SYSDB_UUID, NULL },
- { "ldap_group_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
- { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
- { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
-diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
-index 096a63bd53918ba79378c01257a18e543597209a..29d9faf99784bfc3526398488be837a2716ee11d 100644
---- a/src/providers/ldap/ldap_opts.h
-+++ b/src/providers/ldap/ldap_opts.h
-@@ -209,8 +209,7 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
- { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
- { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
- { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
-- /* FIXME: this is 389ds specific */
-- { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL },
-+ { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
- { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
- { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
- { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
-@@ -244,8 +243,7 @@ struct sdap_attr_map rfc2307bis_group_map[] = {
- { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
- { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
- { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
-- /* FIXME: this is 389ds specific */
-- { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
-+ { "ldap_group_uuid", NULL, SYSDB_UUID, NULL },
- { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
- { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
- { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
---
-2.1.0
-
diff --git a/0013-Revert-LDAP-Change-defaults-for-ldap_user-group_obje.patch b/0013-Revert-LDAP-Change-defaults-for-ldap_user-group_obje.patch
deleted file mode 100644
index 59b8483..0000000
--- a/0013-Revert-LDAP-Change-defaults-for-ldap_user-group_obje.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 395daba605dd4fb4134db1a2e6883125a3d83f29 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik
-Date: Fri, 7 Nov 2014 13:27:53 +0100
-Subject: [PATCH 13/26] Revert "LDAP: Change defaults for
- ldap_user/group_objectsid"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This reverts commit f834f712548db811695ea0fd6d6b31d3bd03e2a3.
-
-OpenLDAP server cannot dereference unknown attributes. The attribute objectSID
-isn't in any standard objectclass on OpenLDAP server. This is a reason why
-objectSID cannot be set by default in rfc2307 map and rfc2307bis map.
-It is the same problem as using non standard attribute "nsUniqueId"
-in ticket https://fedorahosted.org/sssd/ticket/2383
-
-Reviewed-by: Michal Židek
----
- src/man/sssd-ldap.5.xml | 4 ++--
- src/providers/ldap/ldap_opts.h | 8 ++++----
- 2 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
-index aa47ed7a6dd41f7f82ea80e1deb34f9ccc894dc9..815b06250e826a36ef023e8a43a8925df89d2bbf 100644
---- a/src/man/sssd-ldap.5.xml
-+++ b/src/man/sssd-ldap.5.xml
-@@ -360,7 +360,7 @@
- necessary for ActiveDirectory servers.
-
-
-- Default: ipaNTSecurityIdentifier for IPA, objectSID
-+ Default: objectSid for ActiveDirectory, not set
- for other servers.
-
-
-@@ -882,7 +882,7 @@
- necessary for ActiveDirectory servers.
-
-
-- Default: ipaNTSecurityIdentifier for IPA, objectSID
-+ Default: objectSid for ActiveDirectory, not set
- for other servers.
-
-
-diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
-index 29d9faf99784bfc3526398488be837a2716ee11d..dedbdac0bcf647337d4c00b1fbb82d6b46be5b54 100644
---- a/src/providers/ldap/ldap_opts.h
-+++ b/src/providers/ldap/ldap_opts.h
-@@ -156,7 +156,7 @@ struct sdap_attr_map rfc2307_user_map[] = {
- { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
- { "ldap_user_member_of", NULL, SYSDB_MEMBEROF, NULL },
- { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
-- { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
-+ { "ldap_user_objectsid", NULL, SYSDB_SID, NULL },
- { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
- { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
- { "ldap_user_entry_usn", NULL, SYSDB_USN, NULL },
-@@ -190,7 +190,7 @@ struct sdap_attr_map rfc2307_group_map[] = {
- { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
- { "ldap_group_member", "memberuid", SYSDB_MEMBER, NULL },
- { "ldap_group_uuid", NULL, SYSDB_UUID, NULL },
-- { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
-+ { "ldap_group_objectsid", NULL, SYSDB_SID, NULL },
- { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
- { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
- { "ldap_group_type", NULL, SYSDB_GROUP_TYPE, NULL },
-@@ -210,7 +210,7 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
- { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
- { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
- { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
-- { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
-+ { "ldap_user_objectsid", NULL, SYSDB_SID, NULL },
- { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
- { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
- { "ldap_user_entry_usn", NULL, SYSDB_USN, NULL },
-@@ -244,7 +244,7 @@ struct sdap_attr_map rfc2307bis_group_map[] = {
- { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
- { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
- { "ldap_group_uuid", NULL, SYSDB_UUID, NULL },
-- { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
-+ { "ldap_group_objectsid", NULL, SYSDB_SID, NULL },
- { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
- { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
- { "ldap_group_type", NULL, SYSDB_GROUP_TYPE, NULL },
---
-2.1.0
-
diff --git a/0014-LDAP-Disable-token-groups-by-default.patch b/0014-LDAP-Disable-token-groups-by-default.patch
deleted file mode 100644
index e483114..0000000
--- a/0014-LDAP-Disable-token-groups-by-default.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From c28482b2d23865e3d068e4b9fb39c363c0d18b19 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik
-Date: Fri, 7 Nov 2014 13:58:17 +0100
-Subject: [PATCH 14/26] LDAP: Disable token groups by default
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We tried to speed up processing of initgroup lookups with tokenGroups even for
-the LDAP provider (if remote server is Active Directory), but it turns out that
-there are too many corner cases that we didn't catch during development that
-break. For instance, groups from other trusted domains might appear in TG and
-the LDAP provider isn't equipped to handle them.
-
-Overall, users who wish to use the added speed benefits of tokenGroups are
-advised to use the AD provider.
-
-Resolves:
-https://fedorahosted.org/sssd/ticket/2483
-
-Reviewed-by: Michal Židek
----
- src/man/sssd-ldap.5.xml | 2 +-
- src/providers/ldap/ldap_opts.h | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
-index 815b06250e826a36ef023e8a43a8925df89d2bbf..47d05a736403859325e61a9ebebe78df0601917a 100644
---- a/src/man/sssd-ldap.5.xml
-+++ b/src/man/sssd-ldap.5.xml
-@@ -1022,7 +1022,7 @@
- Active Directory Server 2008 and later.
-
-
-- Default: True
-+ Default: True for AD and IPA otherwise False.
-
-
-
-diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
-index dedbdac0bcf647337d4c00b1fbb82d6b46be5b54..f46381e9fac7b93730ce0767154989f2e3b7ebbf 100644
---- a/src/providers/ldap/ldap_opts.h
-+++ b/src/providers/ldap/ldap_opts.h
-@@ -116,7 +116,7 @@ struct dp_option default_basic_opts[] = {
- { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
- { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
-- { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE},
-+ { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE},
- { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
---
-2.1.0
-
diff --git a/0015-sss_client-Extract-destroying-of-mmap-cache-to-funct.patch b/0015-sss_client-Extract-destroying-of-mmap-cache-to-funct.patch
deleted file mode 100644
index 833fbac..0000000
--- a/0015-sss_client-Extract-destroying-of-mmap-cache-to-funct.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 730dc6fc96bd1903e4fdae5c2a040034c187558d Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik
-Date: Fri, 21 Nov 2014 14:00:23 +0100
-Subject: [PATCH 15/26] sss_client: Extract destroying of mmap cache to
- function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Michal Židek
----
- src/sss_client/nss_mc_common.c | 30 ++++++++++++++----------------
- 1 file changed, 14 insertions(+), 16 deletions(-)
-
-diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
-index 6c9b35de280c637bf957207993e539c889b16c23..9c6e1af1642275fc7738b51d7ca80d712d49b2ac 100644
---- a/src/sss_client/nss_mc_common.c
-+++ b/src/sss_client/nss_mc_common.c
-@@ -102,6 +102,18 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
- return 0;
- }
-
-+static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
-+{
-+ if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
-+ munmap(ctx->mmap_base, ctx->mmap_size);
-+ }
-+ if (ctx->fd != -1) {
-+ close(ctx->fd);
-+ }
-+ memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
-+ ctx->fd = -1;
-+}
-+
- static errno_t sss_nss_mc_init_ctx(const char *name,
- struct sss_cli_mc_ctx *ctx)
- {
-@@ -157,14 +169,7 @@ static errno_t sss_nss_mc_init_ctx(const char *name,
-
- done:
- if (ret) {
-- if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
-- munmap(ctx->mmap_base, ctx->mmap_size);
-- }
-- if (ctx->fd != -1) {
-- close(ctx->fd);
-- }
-- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
-- ctx->fd = -1;
-+ sss_nss_mc_destroy_ctx(ctx);
- }
- free(file);
- sss_nss_unlock();
-@@ -191,14 +196,7 @@ errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx)
-
- done:
- if (ret) {
-- if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
-- munmap(ctx->mmap_base, ctx->mmap_size);
-- }
-- if (ctx->fd != -1) {
-- close(ctx->fd);
-- }
-- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
-- ctx->fd = -1;
-+ sss_nss_mc_destroy_ctx(ctx);
- }
- return ret;
- }
---
-2.1.0
-
diff --git a/0016-sss_client-Fix-race-condition-in-memory-cache.patch b/0016-sss_client-Fix-race-condition-in-memory-cache.patch
deleted file mode 100644
index f38531f..0000000
--- a/0016-sss_client-Fix-race-condition-in-memory-cache.patch
+++ /dev/null
@@ -1,243 +0,0 @@
-From d1d01b99e0388e5c2fadb10db8e73917669a3383 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik
-Date: Fri, 21 Nov 2014 11:28:36 +0100
-Subject: [PATCH 16/26] sss_client: Fix race condition in memory cache
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Thread safe initialisation was fixed in ticket #2380, but there is
-still race condition in reinitialisation.
-
-If caches is invalidated with command sss_cache -U (-G or -E) then
-client code will need to reinitialize fast memory cache.
-Let say we have two threads. The 1st thread find out that memory cache
-should be reinitialized; therefore the fast memory cached is unmapped
-and context destroyed. In the same time, 2nd thread tried to check
-header of memory cache whether it is initialized and valid. As a result
-of previously unmapped memory the 2nd thread access
-out of bound memory (SEGFAULT).
-
-The destroying of fast memory cache cannot be done any time. We need
-to be sure that there isn't any other thread which uses mmaped memory.
-The new counter of active threads was added for this purpose. The state
-of fast memory cache was converted from boolean to three value state
-(UNINITIALIZED, INITIALIZED, RECYCLED)
-UNINITIALIZED
- - the fast memory cache need to be initialized.
- - if there is a problem with initialisation the state will not change
- - after successful initialisation, the state will change to INITIALIZED
-INITIALIZED
- - if the cahe was invalidated or there is any other problem was
- detected in memory cache header the state will change to RECYCLED
- and memory cache IS NOT destroyed.
-RECYCLED
- - nothing will be done is there are any active threads which may use
- the data from mmaped memory
- - if there aren't active threads the fast memory cahe is destroyed and
- state is changed to UNINITIALIZED.
-
-https://fedorahosted.org/sssd/ticket/2445
-
-Reviewed-by: Michal Židek
----
- src/sss_client/nss_mc.h | 10 ++++++++-
- src/sss_client/nss_mc_common.c | 46 ++++++++++++++++++++++++++++++++++--------
- src/sss_client/nss_mc_group.c | 8 ++++++--
- src/sss_client/nss_mc_passwd.c | 8 ++++++--
- 4 files changed, 59 insertions(+), 13 deletions(-)
-
-diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
-index 685cc41c0530750d890050f0917dc88be14d96ea..050bd4100dec091cb096a7d97bfe6615b12654da 100644
---- a/src/sss_client/nss_mc.h
-+++ b/src/sss_client/nss_mc.h
-@@ -33,9 +33,15 @@
- typedef int errno_t;
- #endif
-
-+enum sss_mc_state {
-+ UNINITIALIZED = 0,
-+ INITIALIZED,
-+ RECYCLED,
-+};
-+
- /* common stuff */
- struct sss_cli_mc_ctx {
-- bool initialized;
-+ enum sss_mc_state initialized;
- int fd;
-
- uint32_t seed; /* seed from the tables header */
-@@ -48,6 +54,8 @@ struct sss_cli_mc_ctx {
-
- uint32_t *hash_table; /* hash table address (in mmap) */
- uint32_t ht_size; /* size of hash table */
-+
-+ uint32_t active_threads; /* count of threads which use memory cache */
- };
-
- errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx);
-diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
-index 9c6e1af1642275fc7738b51d7ca80d712d49b2ac..89ff6b46e2abee03039cfd632ef50231eab92eec 100644
---- a/src/sss_client/nss_mc_common.c
-+++ b/src/sss_client/nss_mc_common.c
-@@ -123,7 +123,7 @@ static errno_t sss_nss_mc_init_ctx(const char *name,
-
- sss_nss_lock();
- /* check if ctx is initialised by previous thread. */
-- if (ctx->initialized) {
-+ if (ctx->initialized != UNINITIALIZED) {
- ret = sss_nss_check_header(ctx);
- goto done;
- }
-@@ -163,7 +163,7 @@ static errno_t sss_nss_mc_init_ctx(const char *name,
- goto done;
- }
-
-- ctx->initialized = true;
-+ ctx->initialized = INITIALIZED;
-
- ret = 0;
-
-@@ -181,22 +181,52 @@ errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx)
- {
- char *envval;
- int ret;
-+ bool need_decrement = false;
-
- envval = getenv("SSS_NSS_USE_MEMCACHE");
- if (envval && strcasecmp(envval, "NO") == 0) {
- return EPERM;
- }
-
-- if (ctx->initialized) {
-+ switch (ctx->initialized) {
-+ case UNINITIALIZED:
-+ __sync_add_and_fetch(&ctx->active_threads, 1);
-+ ret = sss_nss_mc_init_ctx(name, ctx);
-+ if (ret) {
-+ need_decrement = true;
-+ }
-+ break;
-+ case INITIALIZED:
-+ __sync_add_and_fetch(&ctx->active_threads, 1);
- ret = sss_nss_check_header(ctx);
-- goto done;
-+ if (ret) {
-+ need_decrement = true;
-+ }
-+ break;
-+ case RECYCLED:
-+ /* we need to safely destroy memory cache */
-+ ret = EAGAIN;
-+ break;
-+ default:
-+ ret = EFAULT;
- }
-
-- ret = sss_nss_mc_init_ctx(name, ctx);
--
--done:
- if (ret) {
-- sss_nss_mc_destroy_ctx(ctx);
-+ if (ctx->initialized == INITIALIZED) {
-+ ctx->initialized = RECYCLED;
-+ }
-+ if (ctx->initialized == RECYCLED && ctx->active_threads == 0) {
-+ /* just one thread should call munmap */
-+ sss_nss_lock();
-+ if (ctx->initialized == RECYCLED) {
-+ sss_nss_mc_destroy_ctx(ctx);
-+ }
-+ sss_nss_unlock();
-+ }
-+ if (need_decrement) {
-+ /* In case of error, we will not touch mmapped area => decrement */
-+ __sync_sub_and_fetch(&ctx->active_threads, 1);
-+ }
- }
- return ret;
- }
-diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
-index 268b40ef02f2a621c4f61755ce4dfe2c3786bfa6..e0fdb97f628ac19741409be29566e4af5a391f74 100644
---- a/src/sss_client/nss_mc_group.c
-+++ b/src/sss_client/nss_mc_group.c
-@@ -29,7 +29,8 @@
- #include "nss_mc.h"
- #include "util/util_safealign.h"
-
--struct sss_cli_mc_ctx gr_mc_ctx = { false, -1, 0, NULL, 0, NULL, 0, NULL, 0 };
-+struct sss_cli_mc_ctx gr_mc_ctx = { UNINITIALIZED, -1, 0, NULL, 0, NULL, 0,
-+ NULL, 0, 0 };
-
- static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
- struct group *result,
-@@ -176,6 +177,7 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
-
- done:
- free(rec);
-+ __sync_sub_and_fetch(&gr_mc_ctx.active_threads, 1);
- return ret;
- }
-
-@@ -198,7 +200,8 @@ errno_t sss_nss_mc_getgrgid(gid_t gid,
-
- len = snprintf(gidstr, 11, "%ld", (long)gid);
- if (len > 10) {
-- return EINVAL;
-+ ret = EINVAL;
-+ goto done;
- }
-
- /* hashes are calculated including the NULL terminator */
-@@ -242,6 +245,7 @@ errno_t sss_nss_mc_getgrgid(gid_t gid,
-
- done:
- free(rec);
-+ __sync_sub_and_fetch(&gr_mc_ctx.active_threads, 1);
- return ret;
- }
-
-diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
-index fa19afc3c0e468430183ed3f13b80e086251ee01..10e43e2af43c5e7f1738e281b3ed260d89f3a004 100644
---- a/src/sss_client/nss_mc_passwd.c
-+++ b/src/sss_client/nss_mc_passwd.c
-@@ -28,7 +28,8 @@
- #include
- #include "nss_mc.h"
-
--struct sss_cli_mc_ctx pw_mc_ctx = { false, -1, 0, NULL, 0, NULL, 0, NULL, 0 };
-+struct sss_cli_mc_ctx pw_mc_ctx = { UNINITIALIZED, -1, 0, NULL, 0, NULL, 0,
-+ NULL, 0, 0 };
-
- static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
- struct passwd *result,
-@@ -170,6 +171,7 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
-
- done:
- free(rec);
-+ __sync_sub_and_fetch(&pw_mc_ctx.active_threads, 1);
- return ret;
- }
-
-@@ -192,7 +194,8 @@ errno_t sss_nss_mc_getpwuid(uid_t uid,
-
- len = snprintf(uidstr, 11, "%ld", (long)uid);
- if (len > 10) {
-- return EINVAL;
-+ ret = EINVAL;
-+ goto done;
- }
-
- /* hashes are calculated including the NULL terminator */
-@@ -236,6 +239,7 @@ errno_t sss_nss_mc_getpwuid(uid_t uid,
-
- done:
- free(rec);
-+ __sync_sub_and_fetch(&pw_mc_ctx.active_threads, 1);
- return ret;
- }
-
---
-2.1.0
-
diff --git a/0017-test-Wrong-parameter-type-in-sss_parse_name_check.patch b/0017-test-Wrong-parameter-type-in-sss_parse_name_check.patch
deleted file mode 100644
index 9dff73f..0000000
--- a/0017-test-Wrong-parameter-type-in-sss_parse_name_check.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 0942d9245ed1a7de573e3af17deac2332a52b58a Mon Sep 17 00:00:00 2001
-From: Michal Zidek
-Date: Mon, 24 Nov 2014 19:10:01 +0100
-Subject: [PATCH 17/26] test: Wrong parameter type in sss_parse_name_check
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This caused aritmetic overflow when SSSD specific error
-codes where used.
-
-Reviewed-by: Lukáš Slebodník
----
- src/tests/cmocka/test_fqnames.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
-index 71429c8773ef199c72163837d4b313660cf813c2..de208437d3d11429ebb4fd92ac6b1469564d9174 100644
---- a/src/tests/cmocka/test_fqnames.c
-+++ b/src/tests/cmocka/test_fqnames.c
-@@ -326,7 +326,7 @@ void parse_name_test_teardown(void **state)
-
- void sss_parse_name_check(struct parse_name_test_ctx *test_ctx,
- const char *input_name,
-- const char exp_ret,
-+ const int exp_ret,
- const char *exp_name,
- const char *exp_domain)
- {
---
-2.1.0
-
diff --git a/0018-util-Special-case-PCRE_ERROR_NOMATCH-in-sss_parse_na.patch b/0018-util-Special-case-PCRE_ERROR_NOMATCH-in-sss_parse_na.patch
deleted file mode 100644
index c574e99..0000000
--- a/0018-util-Special-case-PCRE_ERROR_NOMATCH-in-sss_parse_na.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 0370ef147287888604147bea95153795ffed318f Mon Sep 17 00:00:00 2001
-From: Michal Zidek
-Date: Mon, 24 Nov 2014 19:50:14 +0100
-Subject: [PATCH 18/26] util: Special-case PCRE_ERROR_NOMATCH in sss_parse_name
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add new SSSD specific error code for the case when
-pcre_exec returns PCRE_ERROR_NOMATCH.
-
-Reviewed-by: Lukáš Slebodník
-
-Conflicts:
- src/util/util_errors.c
- src/util/util_errors.h
----
- src/tests/cmocka/test_fqnames.c | 14 +++++++-------
- src/util/usertools.c | 2 +-
- src/util/util_errors.c | 1 +
- src/util/util_errors.h | 1 +
- 4 files changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
-index de208437d3d11429ebb4fd92ac6b1469564d9174..b9b6230b9e2c86dafae159630d5202e46992f5f3 100644
---- a/src/tests/cmocka/test_fqnames.c
-+++ b/src/tests/cmocka/test_fqnames.c
-@@ -471,13 +471,13 @@ void sss_parse_name_fail(void **state)
- struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
- struct parse_name_test_ctx);
-
-- sss_parse_name_check(test_ctx, "", EINVAL, NULL, NULL);
-- sss_parse_name_check(test_ctx, "@", EINVAL, NULL, NULL);
-- sss_parse_name_check(test_ctx, "\\", EINVAL, NULL, NULL);
-- sss_parse_name_check(test_ctx, "\\"NAME, EINVAL, NULL, NULL);
-- sss_parse_name_check(test_ctx, "@"NAME, EINVAL, NULL, NULL);
-- sss_parse_name_check(test_ctx, NAME"@", EINVAL, NULL, NULL);
-- sss_parse_name_check(test_ctx, NAME"\\", EINVAL, NULL, NULL);
-+ sss_parse_name_check(test_ctx, "", ERR_REGEX_NOMATCH, NULL, NULL);
-+ sss_parse_name_check(test_ctx, "@", ERR_REGEX_NOMATCH, NULL, NULL);
-+ sss_parse_name_check(test_ctx, "\\", ERR_REGEX_NOMATCH, NULL, NULL);
-+ sss_parse_name_check(test_ctx, "\\"NAME, ERR_REGEX_NOMATCH, NULL, NULL);
-+ sss_parse_name_check(test_ctx, "@"NAME, ERR_REGEX_NOMATCH, NULL, NULL);
-+ sss_parse_name_check(test_ctx, NAME"@", ERR_REGEX_NOMATCH, NULL, NULL);
-+ sss_parse_name_check(test_ctx, NAME"\\", ERR_REGEX_NOMATCH, NULL, NULL);
- }
-
- void test_sss_get_domain_name(void **state)
-diff --git a/src/util/usertools.c b/src/util/usertools.c
-index 809b42d67c7b1cdfa0729c3a7e835fab37297596..16478998d8936cd2e260c1e53db6b68f1563b0f8 100644
---- a/src/util/usertools.c
-+++ b/src/util/usertools.c
-@@ -306,7 +306,7 @@ int sss_parse_name(TALLOC_CTX *memctx,
-
- ret = pcre_exec(re, NULL, orig, origlen, 0, PCRE_NOTEMPTY, ovec, 30);
- if (ret == PCRE_ERROR_NOMATCH) {
-- return EINVAL;
-+ return ERR_REGEX_NOMATCH;
- } else if (ret < 0) {
- DEBUG(SSSDBG_MINOR_FAILURE, "PCRE Matching error, %d\n", ret);
- return EINVAL;
-diff --git a/src/util/util_errors.c b/src/util/util_errors.c
-index 5b36780ffcdc6733241cdb942865ecdf38da3bca..c1ac45ac5f8a53871d548bb0d218eabb03c69aa9 100644
---- a/src/util/util_errors.c
-+++ b/src/util/util_errors.c
-@@ -62,6 +62,7 @@ struct err_string error_to_str[] = {
- { "Bus method not supported" }, /* ERR_SBUS_NOSUP */
- { "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */
- { "LDAP search returned a referral" }, /* ERR_REFERRAL */
-+ { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
- };
-
-
-diff --git a/src/util/util_errors.h b/src/util/util_errors.h
-index e040ba903b27d06ec75cea31485d2f3111ca5302..8609dca22dcef33641efd0d717085d77c10224f8 100644
---- a/src/util/util_errors.h
-+++ b/src/util/util_errors.h
-@@ -84,6 +84,7 @@ enum sssd_errors {
- ERR_SBUS_NOSUP,
- ERR_NO_SYSBUS,
- ERR_REFERRAL,
-+ ERR_REGEX_NOMATCH,
- ERR_LAST /* ALWAYS LAST */
- };
-
---
-2.1.0
-
diff --git a/0019-util-sss_get_domain_name-regex-mismatch-not-fatal.patch b/0019-util-sss_get_domain_name-regex-mismatch-not-fatal.patch
deleted file mode 100644
index 0f617a1..0000000
--- a/0019-util-sss_get_domain_name-regex-mismatch-not-fatal.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 01a4b2b31d5279c90e7c596f9321eb0e9ec38d69 Mon Sep 17 00:00:00 2001
-From: Michal Zidek
-Date: Fri, 21 Nov 2014 20:06:32 +0100
-Subject: [PATCH 19/26] util: sss_get_domain_name regex mismatch not fatal
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Assume name is not FQDN if sss_parse_name fails to
-match domain with regular expression.
-
-Fixes:
-https://fedorahosted.org/sssd/ticket/2487
-
-Reviewed-by: Lukáš Slebodník
----
- src/util/usertools.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/util/usertools.c b/src/util/usertools.c
-index 16478998d8936cd2e260c1e53db6b68f1563b0f8..2804953a3e854ddf1a122b389ac1e14c4ff7f865 100644
---- a/src/util/usertools.c
-+++ b/src/util/usertools.c
-@@ -643,7 +643,13 @@ sss_get_domain_name(TALLOC_CTX *mem_ctx,
- /* check if the name already contains domain part */
- if (dom->names != NULL) {
- ret = sss_parse_name(mem_ctx, dom->names, orig_name, &domain, NULL);
-- if (ret != EOK) {
-+ if (ret == ERR_REGEX_NOMATCH) {
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "sss_parse_name could not parse domain from [%s]. "
-+ "Assuming it is not FQDN.\n", orig_name);
-+ } else if (ret != EOK) {
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "sss_parse_name failed [%d]: %s\n", ret, sss_strerror(ret));
- return NULL;
- }
- }
---
-2.1.0
-
diff --git a/0020-SBUS-Initialize-DBusError-before-using-it.patch b/0020-SBUS-Initialize-DBusError-before-using-it.patch
deleted file mode 100644
index 851f670..0000000
--- a/0020-SBUS-Initialize-DBusError-before-using-it.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From ee280ed38752e60d7cba0abc1c9370b016ca3a27 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Sun, 23 Nov 2014 19:58:45 +0100
-Subject: [PATCH 20/26] SBUS: Initialize DBusError before using it
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In case either handler_fn() or invoker_fn() failed in
-sbus_request_invoke_or_finish() we would have accessed an uninitialized
-DBusError variable, causing a segfault.
-
-Reviewed-by: Lukáš Slebodník
----
- src/sbus/sssd_dbus_request.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/sbus/sssd_dbus_request.c b/src/sbus/sssd_dbus_request.c
-index 7729d4e0d7bf6e517e2efce4dbeb064f6f471b87..0028d3537adeddc26e7b8480eb37e979a6cdb7ba 100644
---- a/src/sbus/sssd_dbus_request.c
-+++ b/src/sbus/sssd_dbus_request.c
-@@ -79,6 +79,7 @@ sbus_request_invoke_or_finish(struct sbus_request *dbus_req,
- sbus_request_finish(dbus_req, NULL);
- break;
- default:
-+ dbus_error_init(&error);
- dbus_set_error_const(&error, DBUS_ERROR_FAILED, INTERNAL_ERROR);
- sbus_request_fail_and_finish(dbus_req, &error);
- break;
---
-2.1.0
-
diff --git a/0021-krb5-handle-KRB5KRB_ERR_GENERIC-as-unspecific-error.patch b/0021-krb5-handle-KRB5KRB_ERR_GENERIC-as-unspecific-error.patch
deleted file mode 100644
index d658c00..0000000
--- a/0021-krb5-handle-KRB5KRB_ERR_GENERIC-as-unspecific-error.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 05e9fd3773a886424610adca97eba1ad86e72daf Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 17 Dec 2014 09:42:57 +0100
-Subject: [PATCH 21/26] krb5: handle KRB5KRB_ERR_GENERIC as unspecific error
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-KRB5KRB_ERR_GENERIC is a generic error and we cannot make any
-assumptions about the cause. If there are cases where
-KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this
-must be solved by other means.
-
-Resolves https://fedorahosted.org/sssd/ticket/2535
-
-Reviewed-by: Lukáš Slebodník
----
- src/providers/krb5/krb5_child.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
-index 3234a4e6c740db5e05f7db8eb7f4ea0cc126e7ce..533e4139fee2abd9a0b8f939522a0819d91426ff 100644
---- a/src/providers/krb5/krb5_child.c
-+++ b/src/providers/krb5/krb5_child.c
-@@ -1049,7 +1049,6 @@ static errno_t map_krb5_error(krb5_error_code kerr)
- case KRB5_LIBOS_CANTREADPWD:
- return ERR_NO_CREDS;
-
-- case KRB5KRB_ERR_GENERIC:
- case KRB5KRB_AP_ERR_SKEW:
- case KRB5_KDC_UNREACH:
- case KRB5_REALM_CANT_RESOLVE:
-@@ -1072,6 +1071,18 @@ static errno_t map_krb5_error(krb5_error_code kerr)
- case KRB5KDC_ERR_PREAUTH_FAILED:
- return ERR_CREDS_INVALID;
-
-+ /* Please do not remove KRB5KRB_ERR_GENERIC here, it is a _generic_ error
-+ * code and we cannot make any assumptions about the reason for the error.
-+ * As a consequence we cannot return a different error code than a generic
-+ * one which unfortunately might result in a unspecific system error
-+ * message to the user.
-+ *
-+ * If there are cases where libkrb5 calls return KRB5KRB_ERR_GENERIC where
-+ * SSSD should behave differently this has to be detected by different
-+ * means, e.g. by evaluation error messages, and then the error code
-+ * should be changed to a more suitable KRB5* error code or immediately to
-+ * a SSSD ERR_* error code to avoid the default handling here. */
-+ case KRB5KRB_ERR_GENERIC:
- default:
- return ERR_INTERNAL;
- }
---
-2.1.0
-
diff --git a/0022-IPA-Handle-IPA-groups-returned-from-extop-plugin.patch b/0022-IPA-Handle-IPA-groups-returned-from-extop-plugin.patch
deleted file mode 100644
index fb1e54b..0000000
--- a/0022-IPA-Handle-IPA-groups-returned-from-extop-plugin.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 1901cd172918c842c57098cf8d13b6325813be7f Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Sun, 23 Nov 2014 20:47:59 +0100
-Subject: [PATCH 22/26] IPA: Handle IPA groups returned from extop plugin
-
-Reviewed-by: Sumit Bose
----
- src/providers/ipa/ipa_s2n_exop.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
-index 2c31120b196353df52c87ef5b924a80bda134a17..0eab1afc36e4d2c1d770c596c512a641fd276425 100644
---- a/src/providers/ipa/ipa_s2n_exop.c
-+++ b/src/providers/ipa/ipa_s2n_exop.c
-@@ -960,10 +960,15 @@ static errno_t ipa_s2n_get_groups_step(struct tevent_req *req)
- return ret;
- }
-
-- state->obj_domain = find_domain_by_name(parent_domain, domain_name, true);
-- if (state->obj_domain == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
-- return ENOMEM;
-+ if (domain_name) {
-+ state->obj_domain = find_domain_by_name(parent_domain,
-+ domain_name, true);
-+ if (state->obj_domain == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
-+ return ENOMEM;
-+ }
-+ } else {
-+ state->obj_domain = parent_domain;
- }
-
- state->req_input.inp.name = group_name;
---
-2.1.0
-
diff --git a/0023-IPA-verify-group-memberships-of-trusted-domain-users.patch b/0023-IPA-verify-group-memberships-of-trusted-domain-users.patch
deleted file mode 100644
index e041c36..0000000
--- a/0023-IPA-verify-group-memberships-of-trusted-domain-users.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-From b438c890894bde80b6494512d9fa1660fae431a6 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Thu, 11 Dec 2014 10:49:39 +0100
-Subject: [PATCH 23/26] IPA: verify group memberships of trusted domain users
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Depending on the state of the cache group object a freshly created or
-updates user entry for a trusted domain user might already be a member
-of the group or not. This cache makes sure the requested user is a
-member of all groups returned from the extdom request. Special care has
-to be taken to cover cross-domain group-memberships properly.
-
-Resolves https://fedorahosted.org/sssd/ticket/2529
-
-Reviewed-by: Lukáš Slebodník
----
- src/providers/ipa/ipa_s2n_exop.c | 145 ++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 144 insertions(+), 1 deletion(-)
-
-diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
-index 0eab1afc36e4d2c1d770c596c512a641fd276425..677d1625860186ad02d4d8c7290d45b782bc4c38 100644
---- a/src/providers/ipa/ipa_s2n_exop.c
-+++ b/src/providers/ipa/ipa_s2n_exop.c
-@@ -568,7 +568,7 @@ static errno_t add_v1_user_data(BerElement *ber, struct resp_attrs *attrs)
- attrs->ngroups++);
-
- if (attrs->ngroups > 0) {
-- attrs->groups = talloc_array(attrs, char *, attrs->ngroups);
-+ attrs->groups = talloc_zero_array(attrs, char *, attrs->ngroups + 1);
- if (attrs->groups == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
- ret = ENOMEM;
-@@ -1528,6 +1528,81 @@ done:
- return;
- }
-
-+static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
-+ char **name_list, char ***_dn_list)
-+{
-+ int ret;
-+ TALLOC_CTX *tmp_ctx;
-+ int c;
-+ struct sss_domain_info *root_domain;
-+ char **dn_list;
-+
-+ if (name_list == NULL) {
-+ *_dn_list = NULL;
-+ return EOK;
-+ }
-+
-+ /* To handle cross-domain memberships we have to check the domain for
-+ * each group the member should be added or deleted. Since sub-domains
-+ * use fully-qualified names by default any short name can only belong
-+ * to the root/head domain. find_domain_by_object_name() will return
-+ * the domain given in the first argument if the second argument is a
-+ * a short name hence we always use root_domain as first argument. */
-+ root_domain = get_domains_head(dom);
-+ if (root_domain->fqnames) {
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "Root domain uses fully-qualified names, " \
-+ "objects might not be correctly added to groups with " \
-+ "short names.\n");
-+ }
-+
-+ tmp_ctx = talloc_new(NULL);
-+ if (tmp_ctx == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
-+ return ENOMEM;
-+ }
-+
-+ for (c = 0; name_list[c] != NULL; c++);
-+
-+ dn_list = talloc_zero_array(tmp_ctx, char *, c + 1);
-+ if (dn_list == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ for (c = 0; name_list[c] != NULL; c++) {
-+ dom = find_domain_by_object_name(root_domain, name_list[c]);
-+ if (dom == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Cannot find domain for [%s].\n", name_list[c]);
-+ ret = ENOENT;
-+ goto done;
-+ }
-+
-+ /* This might fail if some unexpected cases are used. But current
-+ * sysdb code which handles group membership constructs DNs this way
-+ * as well, IPA names are lowercased and AD names by default will be
-+ * lowercased as well. If there are really use-cases which cause an
-+ * issue here, sysdb_group_strdn() has to be replaced by a proper
-+ * search. */
-+ dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
-+ if (dn_list[c] == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_group_strdn failed.\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+ }
-+
-+ *_dn_list = talloc_steal(mem_ctx, dn_list);
-+ ret = EOK;
-+
-+done:
-+ talloc_free(tmp_ctx);
-+
-+ return ret;
-+}
-+
- static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
- struct req_input *req_input,
- struct resp_attrs *attrs,
-@@ -1548,6 +1623,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
- const char *tmp_str;
- struct ldb_result *res;
- enum sysdb_member_type type;
-+ char **sysdb_grouplist;
-+ char **add_groups;
-+ char **add_groups_dns;
-+ char **del_groups;
-+ char **del_groups_dns;
-+ bool in_transaction = false;
-+ int tret;
-
- tmp_ctx = talloc_new(NULL);
- if (tmp_ctx == NULL) {
-@@ -1716,6 +1798,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
- gid = attrs->a.user.pw_gid;
- }
-
-+ ret = sysdb_transaction_start(dom->sysdb);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
-+ goto done;
-+ }
-+ in_transaction = true;
-+
- ret = sysdb_store_user(dom, name, NULL,
- attrs->a.user.pw_uid,
- gid, attrs->a.user.pw_gecos,
-@@ -1726,6 +1815,53 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_user failed.\n");
- goto done;
- }
-+
-+ if (attrs->response_type == RESP_USER_GROUPLIST) {
-+ ret = get_sysdb_grouplist(tmp_ctx, dom->sysdb, dom, name,
-+ &sysdb_grouplist);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist failed.\n");
-+ goto done;
-+ }
-+
-+ ret = diff_string_lists(tmp_ctx, attrs->groups, sysdb_grouplist,
-+ &add_groups, &del_groups, NULL);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n");
-+ goto done;
-+ }
-+
-+ ret = get_groups_dns(tmp_ctx, dom, add_groups, &add_groups_dns);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
-+ goto done;
-+ }
-+
-+ ret = get_groups_dns(tmp_ctx, dom, del_groups, &del_groups_dns);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
-+ goto done;
-+ }
-+
-+ DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n",
-+ name);
-+ ret = sysdb_update_members_dn(dom, name, SYSDB_MEMBER_USER,
-+ (const char *const *) add_groups_dns,
-+ (const char *const *) del_groups_dns);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Membership update failed [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto done;
-+ }
-+ }
-+
-+ ret = sysdb_transaction_commit(dom->sysdb);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
-+ goto done;
-+ }
-+ in_transaction = false;
-+
- break;
- case RESP_GROUP:
- case RESP_GROUP_MEMBERS:
-@@ -1818,6 +1954,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
- }
-
- done:
-+ if (in_transaction) {
-+ tret = sysdb_transaction_cancel(dom->sysdb);
-+ if (tret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
-+ }
-+ }
-+
- talloc_free(tmp_ctx);
-
- return ret;
---
-2.1.0
-
diff --git a/0024-IPA-properly-handle-groups-from-different-domains.patch b/0024-IPA-properly-handle-groups-from-different-domains.patch
deleted file mode 100644
index ba5a11d..0000000
--- a/0024-IPA-properly-handle-groups-from-different-domains.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From d58be56e09962a311d3599d4e134e1f7bbadc90f Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik
-Date: Fri, 12 Dec 2014 13:07:55 -0500
-Subject: [PATCH 24/26] IPA: properly handle groups from different domains
-
-When groups are resolved on IPA clients as part of a user lookup not all
-groups have to be from the same domain as the used. This has to be
-checked to store the group object properly in the cache.
-
-Related to https://fedorahosted.org/sssd/ticket/2529
- and https://fedorahosted.org/sssd/ticket/2524
-
-Reviewed-by: Sumit Bose
----
- src/providers/ipa/ipa_s2n_exop.c | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
-index 677d1625860186ad02d4d8c7290d45b782bc4c38..6d5b45edf20f720f5b97f0ed5c8ec591c580de0d 100644
---- a/src/providers/ipa/ipa_s2n_exop.c
-+++ b/src/providers/ipa/ipa_s2n_exop.c
-@@ -1867,10 +1867,24 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
- case RESP_GROUP_MEMBERS:
- type = SYSDB_MEMBER_GROUP;
-
-+ if (0 != strcmp(dom->name, attrs->domain_name)) {
-+ dom = find_domain_by_name(get_domains_head(dom),
-+ attrs->domain_name, true);
-+ if (dom == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Cannot find domain: [%s]\n", attrs->domain_name);
-+ ret = EINVAL;
-+ goto done;
-+ }
-+ }
-+
- if (name == NULL) {
-+ name = attrs->a.group.gr_name;
-+ }
-+
-+ if (IS_SUBDOMAIN(dom)) {
- /* we always use the fully qualified name for subdomain users */
-- name = sss_tc_fqname(tmp_ctx, dom->names, dom,
-- attrs->a.group.gr_name);
-+ name = sss_tc_fqname(tmp_ctx, dom->names, dom, name);
- if (!name) {
- DEBUG(SSSDBG_OP_FAILURE, "failed to format user name,\n");
- ret = ENOMEM;
---
-2.1.0
-
diff --git a/0025-IPA-do-not-try-to-add-override-gid-twice.patch b/0025-IPA-do-not-try-to-add-override-gid-twice.patch
deleted file mode 100644
index 932a645..0000000
--- a/0025-IPA-do-not-try-to-add-override-gid-twice.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 46da6ab87c8065ab36de30f1f9d882736425777c Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Tue, 2 Dec 2014 21:10:01 +0100
-Subject: [PATCH 25/26] IPA: do not try to add override gid twice
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-By default user and group overrides use the same attribute name for the
-GID and this cause SSSD machinery to add the same value twice which
-cause an error in ldb_add() or ldm_modify().
-
-Related to https://fedorahosted.org/sssd/ticket/2514
-
-Reviewed-by: Lukáš Slebodník
----
- src/db/sysdb_views.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
-index 926cd847c8dd8ddc33c0b517642a11bbe78059b5..6011fd09db4528b0b1c7aa0a6266ea719e47792f 100644
---- a/src/db/sysdb_views.c
-+++ b/src/db/sysdb_views.c
-@@ -371,8 +371,14 @@ errno_t sysdb_store_override(struct sss_domain_info *domain,
- goto done;
- }
-
-- /* TODO: add nameAlias for case-insentitive searches */
- for (c = 0; c < attrs->num; c++) {
-+ /* Set num_values to 1 because by default user and group overrides
-+ * use the same attribute name for the GID and this cause SSSD
-+ * machinery to add the same value twice */
-+ if (attrs->a[c].num_values > 1
-+ && strcmp(attrs->a[c].name, SYSDB_GIDNUM) == 0) {
-+ attrs->a[c].num_values = 1;
-+ }
- msg->elements[c] = attrs->a[c];
- msg->elements[c].flags = LDB_FLAG_MOD_ADD;
- }
---
-2.1.0
-
diff --git a/0026-IPA-handle-GID-overrides-for-MPG-domains-on-clients.patch b/0026-IPA-handle-GID-overrides-for-MPG-domains-on-clients.patch
deleted file mode 100644
index 5216055..0000000
--- a/0026-IPA-handle-GID-overrides-for-MPG-domains-on-clients.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 51ecb61c7c6e2f002c2da188e30f69d67f767ead Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Thu, 4 Dec 2014 12:50:03 +0100
-Subject: [PATCH 26/26] IPA: handle GID overrides for MPG domains on clients
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves https://fedorahosted.org/sssd/ticket/2514
-
-Reviewed-by: Lukáš Slebodník
----
- src/providers/ipa/ipa_s2n_exop.c | 26 ++++++++++++++++++++++++++
- 1 file changed, 26 insertions(+)
-
-diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
-index 6d5b45edf20f720f5b97f0ed5c8ec591c580de0d..55450c7029391a99bfc33b8446765f71c4d0928a 100644
---- a/src/providers/ipa/ipa_s2n_exop.c
-+++ b/src/providers/ipa/ipa_s2n_exop.c
-@@ -1618,6 +1618,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
- char *realm;
- char *upn = NULL;
- gid_t gid;
-+ gid_t orig_gid = 0;
- TALLOC_CTX *tmp_ctx;
- const char *sid_str;
- const char *tmp_str;
-@@ -1796,6 +1797,31 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
- gid = 0;
- if (dom->mpg == false) {
- gid = attrs->a.user.pw_gid;
-+ } else {
-+ /* The extdom plugin always returns the objects with the
-+ * default view applied. Since the GID is handled specially
-+ * for MPG domains we have add any overridden GID separately.
-+ */
-+ ret = sysdb_attrs_get_uint32_t(attrs->sysdb_attrs,
-+ ORIGINALAD_PREFIX SYSDB_GIDNUM,
-+ &orig_gid);
-+ if (ret == EOK || ret == ENOENT) {
-+ if ((orig_gid != 0 && orig_gid != attrs->a.user.pw_gid)
-+ || attrs->a.user.pw_uid != attrs->a.user.pw_gid) {
-+ ret = sysdb_attrs_add_uint32(attrs->sysdb_attrs,
-+ SYSDB_GIDNUM,
-+ attrs->a.user.pw_gid);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "sysdb_attrs_add_uint32 failed.\n");
-+ goto done;
-+ }
-+ }
-+ } else {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "sysdb_attrs_get_uint32_t failed.\n");
-+ goto done;
-+ }
- }
-
- ret = sysdb_transaction_start(dom->sysdb);
---
-2.1.0
-
diff --git a/0027-libwbclient-initialize-some-return-values.patch b/0027-libwbclient-initialize-some-return-values.patch
deleted file mode 100644
index 6bcb02d..0000000
--- a/0027-libwbclient-initialize-some-return-values.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 082e13dba488ebb2b948d6a362095153714b669f Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Fri, 19 Dec 2014 11:21:41 +0100
-Subject: [PATCH] libwbclient: initialize some return values
-
-Some callers of libwbclient functions expects the return values are
-initialized even it the functions returns an error. This patch adds some
-initializations to meet this requirement.
-
-Resolves https://fedorahosted.org/sssd/ticket/2537
-
-Reviewed-by: Pavel Reichl
----
- src/sss_client/libwbclient/wbc_pam_sssd.c | 36 +++++++++++++++++++++++++++++++
- 1 file changed, 36 insertions(+)
-
-diff --git a/src/sss_client/libwbclient/wbc_pam_sssd.c b/src/sss_client/libwbclient/wbc_pam_sssd.c
-index 893a5c16cf0e020e0570ea838d96fa82292373fa..174cf1310fad0243036fe591978cc89700903896 100644
---- a/src/sss_client/libwbclient/wbc_pam_sssd.c
-+++ b/src/sss_client/libwbclient/wbc_pam_sssd.c
-@@ -45,6 +45,10 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
- struct wbcAuthUserInfo **info,
- struct wbcAuthErrorInfo **error)
- {
-+ if (error != NULL) {
-+ *error = NULL;
-+ }
-+
- WBC_SSSD_NOT_IMPLEMENTED;
- }
-
-@@ -52,6 +56,10 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
- wbcErr wbcCheckTrustCredentials(const char *domain,
- struct wbcAuthErrorInfo **error)
- {
-+ if (error != NULL) {
-+ *error = NULL;
-+ }
-+
- WBC_SSSD_NOT_IMPLEMENTED;
- }
-
-@@ -59,6 +67,10 @@ wbcErr wbcCheckTrustCredentials(const char *domain,
- wbcErr wbcChangeTrustCredentials(const char *domain,
- struct wbcAuthErrorInfo **error)
- {
-+ if (error != NULL) {
-+ *error = NULL;
-+ }
-+
- WBC_SSSD_NOT_IMPLEMENTED;
- }
-
-@@ -102,6 +114,14 @@ wbcErr wbcChangeUserPasswordEx(const struct wbcChangePasswordParams *params,
- enum wbcPasswordChangeRejectReason *reject_reason,
- struct wbcUserPasswordPolicyInfo **policy)
- {
-+ if (error != NULL) {
-+ *error = NULL;
-+ }
-+
-+ if (policy != NULL) {
-+ *policy = NULL;
-+ }
-+
- WBC_SSSD_NOT_IMPLEMENTED;
- }
-
-@@ -129,6 +149,18 @@ wbcErr wbcLogonUser(const struct wbcLogonUserParams *params,
- struct wbcAuthErrorInfo **error,
- struct wbcUserPasswordPolicyInfo **policy)
- {
-+ if (info != NULL) {
-+ *info = NULL;
-+ }
-+
-+ if (error != NULL) {
-+ *error = NULL;
-+ }
-+
-+ if (policy != NULL) {
-+ *policy = NULL;
-+ }
-+
- WBC_SSSD_NOT_IMPLEMENTED;
- }
-
-@@ -137,6 +169,10 @@ wbcErr wbcCredentialCache(struct wbcCredentialCacheParams *params,
- struct wbcCredentialCacheInfo **info,
- struct wbcAuthErrorInfo **error)
- {
-+ if (error != NULL) {
-+ *error = NULL;
-+ }
-+
- WBC_SSSD_NOT_IMPLEMENTED;
- }
-
---
-1.9.3
-
diff --git a/sources b/sources
index 0197ade..dab3c57 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-46d445ac060782027098eb6d572e4f13 sssd-1.12.2.tar.gz
+b891c263819a1dde062d7065448a4d58 sssd-1.12.3.tar.gz
diff --git a/sssd.spec b/sssd.spec
index 8bff45a..1ee2e1e 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -24,8 +24,8 @@ %endif
 Name: sssd
-Version: 1.12.2
-Release: 8%{?dist}
+Version: 1.12.3
+Release: 1%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -34,33 +34,6 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
-Patch0001: 0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch
-Patch0002: 0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch
-Patch0003: 0003-ipa_subdomains_handler_master_done-initialize-reply_.patch
-Patch0004: 0004-IPA-Handle-NULL-members-in-process_members.patch
-Patch0005: 0005-GPO-Terminate-request-on-error.patch
-Patch0006: 0006-nss-group-enumeration-fix.patch
-Patch0007: 0007-IPA-Don-t-fail-the-request-when-BE-doesn-t-find-the-.patch
-Patch0008: 0008-IPA-use-ipaUserGroup-object-class-for-groups.patch
-Patch0009: 0009-PAM-Remove-authtok-from-PAM-stack-with-OTP.patch
-Patch0010: 0010-Revert-LDAP-Remove-unused-option-ldap_user_uuid.patch
-Patch0011: 0011-Revert-LDAP-Remove-unused-option-ldap_group_uuid.patch
-Patch0012: 0012-Fix-uuid-defaults.patch
-Patch0013: 0013-Revert-LDAP-Change-defaults-for-ldap_user-group_obje.patch
-Patch0014: 0014-LDAP-Disable-token-groups-by-default.patch
-Patch0015: 0015-sss_client-Extract-destroying-of-mmap-cache-to-funct.patch
-Patch0016: 0016-sss_client-Fix-race-condition-in-memory-cache.patch
-Patch0017: 0017-test-Wrong-parameter-type-in-sss_parse_name_check.patch
-Patch0018: 0018-util-Special-case-PCRE_ERROR_NOMATCH-in-sss_parse_na.patch
-Patch0019: 0019-util-sss_get_domain_name-regex-mismatch-not-fatal.patch
-Patch0020: 0020-SBUS-Initialize-DBusError-before-using-it.patch
-Patch0021: 0021-krb5-handle-KRB5KRB_ERR_GENERIC-as-unspecific-error.patch
-Patch0022: 0022-IPA-Handle-IPA-groups-returned-from-extop-plugin.patch
-Patch0023: 0023-IPA-verify-group-memberships-of-trusted-domain-users.patch
-Patch0024: 0024-IPA-properly-handle-groups-from-different-domains.patch
-Patch0025: 0025-IPA-do-not-try-to-add-override-gid-twice.patch
-Patch0026: 0026-IPA-handle-GID-overrides-for-MPG-domains-on-clients.patch
-PAtch0027: 0027-libwbclient-initialize-some-return-values.patch
 ### Dependencies ###
 Requires: sssd-common = %{version}-%{release}
@@ -144,11 +117,11 @@ BuildRequires: libnfsidmap-devel
 %description
 Provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward
-the system and a pluggable backend system to connect to multiple different
+the system and a plug-gable back-end system to connect to multiple different
 account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA.
-The sssd subpackage is a meta-package that contains the deamon as well as all
+The sssd sub-package is a meta-package that contains the daemon as well as all
 the existing back ends.
 %package common
@@ -185,7 +158,7 @@ Obsoletes: libsss_autofs <= 1.10.0-7%{?dist}.beta1
 %description common
 Common files for the SSSD. The common package includes all the files needed to run a particular back end, however, the back ends are packaged in separate
-subpackages such as sssd-ldap.
+sub-packages such as sssd-ldap.
 %package client
 Summary: SSSD Client libraries for NSS and PAM
@@ -488,7 +461,7 @@ make %{?_smp_mflags} all docs
 %check
 export CK_TIMEOUT_MULTIPLIER=10
-make %{?_smp_mflags} check
+make %{?_smp_mflags} check VERBOSE=yes
 unset CK_TIMEOUT_MULTIPLIER
 %install
@@ -621,6 +594,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/%{name}/libsss_debug.so
 %{_libdir}/%{name}/libsss_ldap_common.so
 %{_libdir}/%{name}/libsss_util.so
+%{_libdir}/%{name}/libsss_semanage.so
 # 3rd party application libraries
 %{_libdir}/sssd/modules/libsss_autofs.so
@@ -693,6 +667,7 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING
 %attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
 %{_libdir}/%{name}/libsss_ipa.so
+%{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
 %files ad -f sssd_ad.lang
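Review bot: The new `%{_libexecdir}/%{servicename}/selinux_child` entry carries no `%attr`, unlike the `%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d` line in the same hunk, so the helper's mode and owner are whatever `make install` produced rather than something the package pins. Because this is a separately executed helper binary, pinning them explicitly (for example `%attr(0755,root,root) %{_libexecdir}/%{servicename}/selinux_child`, adjusted to the mode upstream installs it with) keeps the privilege boundary reviewable from the spec alone. Whether the other helper binaries in this spec carry an `%attr` is not visible in this diff, so consistency with them should be checked before choosing the mode. The `libsss_semanage.so` entry added in the preceding hunk is in the same situation.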
@@ -905,6 +880,11 @@ if [ $1 -eq 0 ]; then
 fi
 %changelog
+* Thu Jan 08 2015 Lukas Slebodnik - 1.12.3-1
+- New upstream release 1.12.3
+- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3
+- Fix spelling errors in description (fedpkg lint)
+
 * Tue Jan 6 2015 Lukas Slebodnik - 1.12.2-8
 - Rebuild for libldb 1.1.19