New upstream release 1.12.3

- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3
- Fix spelling errors in description (fedpkg lint)
Lukas Slebodnik 2015-01-08 20:51:31 +01:00
parent 5bb93bf105
commit d747a9c497
30 changed files with 15 additions and 2159 deletions

1
.gitignore vendored

@ -59,3 +59,4 @@ sssd-1.2.91.tar.gz
/sssd-1.12.0.tar.gz
/sssd-1.12.1.tar.gz
/sssd-1.12.2.tar.gz
/sssd-1.12.3.tar.gz


@ -1,97 +0,0 @@
From c61100799c7d8e46c82a862eca3f543a4320490c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 22 Oct 2014 10:03:09 +0200
Subject: [PATCH 1/4] ipa: fix issues with older servers not supporting views
Older FreeIPA servers which do not know about the ipaAssignedIDView
attribute will return an error during the LDAP dereference request
because SSSD marks LDAP extensions as critical. In this case we keep the
view name empty and skip override lookups.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ipa/ipa_subdomains.c | 14 +++++++++++++-
src/providers/ipa/ipa_subdomains_id.c | 4 +++-
src/providers/ipa/ipa_views.c | 17 ++++++++++++-----
3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index bedc0f1a50e8a35ea65de45247b1814c9abc0bcd..eb172fdfc05ac4e482174f01d89ad28db1498fc1 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -1002,7 +1002,19 @@ static void ipa_get_view_name_done(struct tevent_req *req)
ret = sdap_deref_search_with_filter_recv(req, ctx, &reply_count, &reply);
talloc_zfree(req);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
+ if (ret == EOPNOTSUPP) {
+ DEBUG(SSSDBG_TRACE_FUNC, "get_view_name request failed, looks " \
+ "like server does not support views.\n");
+ ret = ipa_check_master(ctx);
+ if (ret == EAGAIN) {
+ return;
+ } else if (ret != EOK) {
+ goto done;
+ }
+
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
+ }
goto done;
}
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 36f8b239249e5f0146610cfab148be20c39c66c2..b67006ce6e0b4bf9c794016c1dfc923ac6da3624 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -106,11 +106,13 @@ struct tevent_req *ipa_subdomain_account_send(TALLOC_CTX *memctx,
* have to check first if the request matches an override in the given
* view. But there are cases where this can be skipped and the AD object
* can be searched directly:
+ * - if no view is defined, i.e. the server does not supprt views yet
* - searches by SID: because we do not override the SID
* - if the responder does not send the EXTRA_INPUT_MAYBE_WITH_VIEW flags,
* because in this case the entry was found in the cache and the
* original value is used for the search (e.g. during cache updates) */
- if (state->ar->filter_type == BE_FILTER_SECID
+ if (state->ipa_ctx->view_name == NULL
+ || state->ar->filter_type == BE_FILTER_SECID
|| (!state->ipa_server_mode
&& state->ar->extra_value != NULL
&& strcmp(state->ar->extra_value,
diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c
index 33dbf7b1c17f188924ee7b50a77ab699f03392be..2eb77216ab9759d8b1d66fbdf0b2e90cd07a4604 100644
--- a/src/providers/ipa/ipa_views.c
+++ b/src/providers/ipa/ipa_views.c
@@ -208,16 +208,23 @@ struct tevent_req *ipa_get_ad_override_send(TALLOC_CTX *mem_ctx,
state->sdap_id_ctx = sdap_id_ctx;
state->ipa_options = ipa_options;
state->ipa_realm = ipa_realm;
- if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
- state->ipa_view_name = IPA_DEFAULT_VIEW_NAME;
- } else {
- state->ipa_view_name = view_name;
- }
state->ar = ar;
state->dp_error = -1;
state->override_attrs = NULL;
state->filter = NULL;
+ if (view_name == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "View not defined, nothing to do.\n");
+ ret = EOK;
+ goto done;
+ }
+
+ if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
+ state->ipa_view_name = IPA_DEFAULT_VIEW_NAME;
+ } else {
+ state->ipa_view_name = view_name;
+ }
+
state->sdap_op = sdap_id_op_create(state,
state->sdap_id_ctx->conn->conn_cache);
if (state->sdap_op == NULL) {
--
1.9.3


@ -1,48 +0,0 @@
From 2e39a7b8c58ed6cc6077bef490482dbbd1ed81ac Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Oct 2014 17:09:34 +0200
Subject: [PATCH 2/4] ipa: improve error reporting for extdom LDAP exop
This patch fixes a typo when calling ldap_parse_result() which prevented
the server-side error message to be used and adds a hint that more
information might be available on the server side.
Fixes: https://fedorahosted.org/sssd/ticket/2456
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 96528816a520b633f1f1caa975dee9b9515621c3..bd5c00b6a48018f8f904aaa03e8162425651b37a 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -133,7 +133,7 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
}
ret = ldap_parse_result(state->sh->ldap, reply->msg,
- &result, &errmsg, NULL, NULL,
+ &result, NULL, &errmsg, NULL,
NULL, 0);
if (ret != LDAP_SUCCESS) {
DEBUG(SSSDBG_OP_FAILURE, "ldap_parse_result failed (%d)\n",
@@ -142,10 +142,13 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
goto done;
}
- DEBUG(SSSDBG_TRACE_FUNC, "ldap_extended_operation result: %s(%d), %s\n",
- sss_ldap_err2string(result), result, errmsg);
+ DEBUG(result == LDAP_SUCCESS ? SSSDBG_TRACE_FUNC : SSSDBG_OP_FAILURE,
+ "ldap_extended_operation result: %s(%d), %s.\n",
+ sss_ldap_err2string(result), result, errmsg);
if (result != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldap_extended_operation failed, " \
+ "server logs might contain more details.\n");
ret = ERR_NETWORK_IO;
goto done;
}
--
1.9.3


@ -1,31 +0,0 @@
From 13262a18f804638b40213a865e0a72e33123ccf1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Oct 2014 16:52:04 +0200
Subject: [PATCH 3/4] ipa_subdomains_handler_master_done: initialize
reply_count
This patch should mainly silence a false-positive Coverity warning but
since further processing depends on this variable I think it is a good
idea anyways.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
---
src/providers/ipa/ipa_subdomains.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index eb172fdfc05ac4e482174f01d89ad28db1498fc1..c61c1c666908ec23f8a92e5568222e55ec47be0a 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -1276,7 +1276,7 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
{
errno_t ret;
int dp_error = DP_ERR_FATAL;
- size_t reply_count;
+ size_t reply_count = 0;
struct sysdb_attrs **reply = NULL;
struct ipa_subdomains_req_ctx *ctx;
--
1.9.3


@ -1,40 +0,0 @@
From 7bdd47bfbb558d948dd2afce0ae53d22046067ef Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 14 Oct 2014 14:15:25 +0200
Subject: [PATCH 4/4] IPA: Handle NULL members in process_members()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index bd5c00b6a48018f8f904aaa03e8162425651b37a..2c31120b196353df52c87ef5b924a80bda134a17 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1196,6 +1196,11 @@ static errno_t process_members(struct sss_domain_info *domain,
struct sss_domain_info *obj_domain;
struct sss_domain_info *parent_domain;
+ if (members == NULL) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "No members\n");
+ return EOK;
+ }
+
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
@@ -1731,6 +1736,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
goto done;
}
}
+ DEBUG(SSSDBG_TRACE_FUNC, "Processing group %s\n", name);
ret = sysdb_attrs_add_lc_name_alias(attrs->sysdb_attrs, name);
if (ret != EOK) {
--
1.9.3


@ -1,31 +0,0 @@
From 08f261acfa442e38ff3d803b2ddeaa2f848b5fb8 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 21 Oct 2014 16:18:02 +0200
Subject: [PATCH 05/26] GPO: Terminate request on error
Reviewed-by: Pavel Reichl <preichl@redhat.com>
---
src/providers/ad/ad_gpo.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 3f5df75c5a9de53eac11ffcf785e929cf9b3165e..4dfbd4b6943b477bd93fdd730dfa5b1c5828a10a 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -3954,11 +3954,13 @@ static void gpo_cse_done(struct tevent_req *subreq)
"ad_gpo_parse_gpo_child_response failed: [%d][%s]\n",
ret, strerror(ret));
tevent_req_error(req, ret);
+ return;
} else if (child_result != 0){
DEBUG(SSSDBG_CRIT_FAILURE,
"Error in gpo_child: [%d][%s]\n",
child_result, strerror(child_result));
tevent_req_error(req, child_result);
+ return;
}
now = time(NULL);
--
2.1.0


@ -1,36 +0,0 @@
From e0f1b42c6b51d10b52749cdc2e1f018762f6004c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 24 Oct 2014 11:28:54 +0200
Subject: [PATCH 06/26] nss: group enumeration fix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The view/override patches introduced and issue with group enumeration
where all groups are returned with the same name. This patch should fix
it.
Fixes: https://fedorahosted.org/sssd/ticket/2475
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/responder/nss/nsssrv_cmd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 616f83dda58b11bb7b715e1eb6a2c43e91d2d9da..351ba671b980c589c875876116ed617c039d6000 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -2662,6 +2662,9 @@ static int fill_grent(struct sss_packet *packet,
rsize = 0;
/* find group name/gid */
+
+ /* start with an empty name for each iteration */
+ orig_name = NULL;
if (DOM_HAS_VIEWS(dom)) {
orig_name = ldb_msg_find_attr_as_string(msg,
OVERRIDE_PREFIX SYSDB_NAME,
--
2.1.0


@ -1,53 +0,0 @@
From 38b81775a27ce2f8a97aaaa18952263d83ad60f9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 29 Oct 2014 20:30:20 +0100
Subject: [PATCH 07/26] IPA: Don't fail the request when BE doesn't find the
object
The IPA subdomain code treated ENOENT as a fatal error, which resulted
in a loud error message and the whole request being aborted. This patch
ignores ENOENT.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
---
src/providers/ipa/ipa_subdomains_id.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index b67006ce6e0b4bf9c794016c1dfc923ac6da3624..0a1c4c17eed37b2eb12a8c758e49fc17c3b642b5 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -942,7 +942,7 @@ static errno_t get_object_from_cache(TALLOC_CTX *mem_ctx,
goto done;
}
- if (ret != EOK) {
+ if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE,
"Failed to make request to our cache: [%d]: [%s]\n",
ret, sss_strerror(ret));
@@ -951,8 +951,6 @@ static errno_t get_object_from_cache(TALLOC_CTX *mem_ctx,
*_msg = msg;
- ret = EOK;
-
done:
return ret;
}
@@ -978,7 +976,11 @@ ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq)
ret = get_object_from_cache(state, state->user_dom, state->ar,
&state->obj_msg);
- if (ret != EOK) {
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Object not found, ending request\n");
+ tevent_req_done(req);
+ return;
+ } else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "get_object_from_cache failed.\n");
goto fail;
}
--
2.1.0


@ -1,35 +0,0 @@
From c5228b2d19709d284d1f82204184d98de86643af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 31 Oct 2014 14:26:30 +0100
Subject: [PATCH 08/26] IPA: use ipaUserGroup object class for groups
dfb34c6c82ed5014599bf70de6791e6d79106fc2 changed object class
of IPA groups from posixGroups to more general groupOfNames.
However, this object class is used also for roles, permissions and
privileges which caused SSSD to consider those objects to be groups as
well during initgroups.
Resolves:
https://fedorahosted.org/sssd/ticket/2471
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ipa/ipa_opts.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 4785e0164bf6d9efb574a8703b573f4e8086cab6..0e0eed49cd397fe88ce7bf41579c066088947d04 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -205,7 +205,7 @@ struct sdap_attr_map ipa_user_map[] = {
};
struct sdap_attr_map ipa_group_map[] = {
- { "ldap_group_object_class", "groupOfNames", SYSDB_GROUP_CLASS, NULL },
+ { "ldap_group_object_class", "ipaUserGroup", SYSDB_GROUP_CLASS, NULL },
{ "ldap_group_object_class_alt", "posixGroup", SYSDB_GROUP_CLASS, NULL },
{ "ldap_group_name", "cn", SYSDB_NAME, NULL },
{ "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
--
2.1.0


@ -1,87 +0,0 @@
From 0c58361481982fd356e2282c2640ee55bdf60abb Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 20 Oct 2014 22:21:25 +0200
Subject: [PATCH 09/26] PAM: Remove authtok from PAM stack with OTP
We remove the password from the PAM stack when OTP is used to make sure
that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore
and have to request a password on their own.
Resolves:
https://fedorahosted.org/sssd/ticket/2287
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
---
src/providers/krb5/krb5_auth.c | 14 ++++++++++++++
src/sss_client/pam_sss.c | 16 +++++++++++++++-
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f539d5068ec29f7b06f734a3417864b43122b1b7..c96b7aee99da8c3d43a67a04bb1f67ee048d4705 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1161,6 +1161,20 @@ static void krb5_auth_done(struct tevent_req *subreq)
krb5_auth_store_creds(state->domain, pd);
}
+ if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {
+ uint32_t otp_flag = 1;
+ ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),
+ (const uint8_t *) &otp_flag);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "pam_add_response failed: %d (%s).\n",
+ ret, sss_strerror(ret));
+ state->pam_status = PAM_SYSTEM_ERR;
+ state->dp_err = DP_ERR_OK;
+ goto done;
+ }
+ }
+
state->pam_status = PAM_SUCCESS;
state->dp_err = DP_ERR_OK;
ret = EOK;
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index abe9b05478cbf480b3430dccd1951e9bfb0e29c1..d64e826daeb80be8998ef3b410047e3a44051b07 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -206,7 +206,7 @@ static size_t add_string_item(enum pam_item_type type, const char *str,
return rp;
}
-static void overwrite_and_free_pam_items(struct pam_items *pi)
+static void overwrite_and_free_authtoks(struct pam_items *pi)
{
if (pi->pam_authtok != NULL) {
_pam_overwrite_n((void *)pi->pam_authtok, pi->pam_authtok_size);
@@ -222,6 +222,11 @@ static void overwrite_and_free_pam_items(struct pam_items *pi)
pi->pamstack_authtok = NULL;
pi->pamstack_oldauthtok = NULL;
+}
+
+static void overwrite_and_free_pam_items(struct pam_items *pi)
+{
+ overwrite_and_free_authtoks(pi);
free(pi->domain_name);
pi->domain_name = NULL;
@@ -998,6 +1003,15 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
D(("do_pam_conversation failed."));
}
break;
+ case SSS_OTP:
+ D(("OTP was used, removing authtokens."));
+ overwrite_and_free_authtoks(pi);
+ ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to remove PAM_AUTHTOK after using otp [%s]",
+ pam_strerror(pamh,ret)));
+ }
+ break;
default:
D(("Unknown response type [%d]", type));
}
--
2.1.0


@ -1,176 +0,0 @@
From e7cffa789d0d41dfbd2f919406217396d004388d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 5 Nov 2014 17:35:45 +0100
Subject: [PATCH 10/26] Revert "LDAP: Remove unused option ldap_user_uuid"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This reverts commit dfb2960ab251f609466fa660449703835c97f99a.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/SSSDConfig/sssd_upgrade_config.py | 1 +
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
src/man/sssd-ldap.5.xml | 13 +++++++++++++
src/providers/ad/ad_opts.h | 1 +
src/providers/ipa/ipa_opts.h | 1 +
src/providers/ldap/ldap_opts.h | 4 ++++
src/providers/ldap/sdap.h | 1 +
10 files changed, 25 insertions(+)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 6c95530868d7c078ccf13622f3ba916392b0c732..769a29005c5fa392bcee3e746e7583d2f4ee05f0 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -271,6 +271,7 @@ option_strings = {
'ldap_user_gecos' : _('GECOS attribute'),
'ldap_user_home_directory' : _('Home directory attribute'),
'ldap_user_shell' : _('Shell attribute'),
+ 'ldap_user_uuid' : _('UUID attribute'),
'ldap_user_objectsid' : _("objectSID attribute"),
'ldap_user_primary_group' : _('Active Directory primary group attribute for ID-mapping'),
'ldap_user_principal' : _('User principal attribute (for Kerberos)'),
diff --git a/src/config/SSSDConfig/sssd_upgrade_config.py b/src/config/SSSDConfig/sssd_upgrade_config.py
index 3d9f788c3b4707a8b6e8958d11d5068437d31156..97be6543f8f86eb0189843003f675d2efcfcc8a5 100644
--- a/src/config/SSSDConfig/sssd_upgrade_config.py
+++ b/src/config/SSSDConfig/sssd_upgrade_config.py
@@ -170,6 +170,7 @@ class SSSDConfigFile(SSSDChangeConf):
'ldap_user_gecos' : 'userGecos',
'ldap_user_home_directory' : 'userHomeDirectory',
'ldap_user_shell' : 'userShell',
+ 'ldap_user_uuid' : 'userUUID',
'ldap_user_principal' : 'userPrincipal',
'ldap_force_upper_case_realm' : 'force_upper_case_realm',
'ldap_user_fullname' : 'userFullname',
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 5dd4fb43526849e6b74fbe7cd354afda9af695b0..f8b200eaaf2f1b2ee17214faf2df70b14a2ec93c 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -72,6 +72,7 @@ ldap_user_gid_number = str, None, false
ldap_user_gecos = str, None, false
ldap_user_home_directory = str, None, false
ldap_user_shell = str, None, false
+ldap_user_uuid = str, None, false
ldap_user_objectsid = str, None, false
ldap_user_primary_group = str, None, false
ldap_user_principal = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 8713385fc2b6d3b03b75cd5c6557968fdcdad892..91dc9ec9d158758be32f8a3eb5d36be2446fc254 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -69,6 +69,7 @@ ldap_user_gid_number = str, None, false
ldap_user_gecos = str, None, false
ldap_user_home_directory = str, None, false
ldap_user_shell = str, None, false
+ldap_user_uuid = str, None, false
ldap_user_objectsid = str, None, false
ldap_user_primary_group = str, None, false
ldap_user_principal = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 29276bfd74b9fcc67042a138006959896c34fbae..68d5b4953a07398b159f3374ccba7380a642d818 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -56,6 +56,7 @@ ldap_user_gid_number = str, None, false
ldap_user_gecos = str, None, false
ldap_user_home_directory = str, None, false
ldap_user_shell = str, None, false
+ldap_user_uuid = str, None, false
ldap_user_objectsid = str, None, false
ldap_user_primary_group = str, None, false
ldap_user_principal = str, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index a21ffc12986c4af10f4c0a5950eb43b88dac9d47..a8416d44dfc19c11091c54d847dc27eb66b431f7 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -338,6 +338,19 @@
</varlistentry>
<varlistentry>
+ <term>ldap_user_uuid (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the UUID/GUID of
+ an LDAP user object.
+ </para>
+ <para>
+ Default: nsUniqueId
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_user_objectsid (string)</term>
<listitem>
<para>
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 452516cd24aba4dfbf74376767deb8f5f487253d..ee70b3c4b71b87ab31ac07310a448d7960f8e9a8 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -187,6 +187,7 @@ struct sdap_attr_map ad_2008r2_user_map[] = {
{ "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL },
{ "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL },
{ "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+ { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL },
{ "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
{ "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL },
{ "ldap_user_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL },
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 0e0eed49cd397fe88ce7bf41579c066088947d04..7ecf0ff218aa1767976ccc624d7d9bc2dd96cd41 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -178,6 +178,7 @@ struct sdap_attr_map ipa_user_map[] = {
{ "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
{ "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
{ "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+ { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL },
{ "ldap_user_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
{ "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
{ "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 61e3309fe73e72e82ecb471d9b608db7bea1d2e6..2e937412635e16b4bc541c59055b1c4e7896f045 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -155,6 +155,7 @@ struct sdap_attr_map rfc2307_user_map[] = {
{ "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
{ "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
{ "ldap_user_member_of", NULL, SYSDB_MEMBEROF, NULL },
+ { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
{ "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
{ "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
{ "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
@@ -207,6 +208,8 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
{ "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
{ "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
{ "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+ /* FIXME: this is 389ds specific */
+ { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL },
{ "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
{ "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
{ "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
@@ -259,6 +262,7 @@ struct sdap_attr_map gen_ad2008r2_user_map[] = {
{ "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL },
{ "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL },
{ "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+ { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL },
{ "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
{ "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL },
{ "ldap_user_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index e9e23561c4c74d3b33ebe35aab86fc257bde6237..906fd74090509802909b300d26234f96d324a769 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -256,6 +256,7 @@ enum sdap_user_attrs {
SDAP_AT_USER_PRINC,
SDAP_AT_USER_FULLNAME,
SDAP_AT_USER_MEMBEROF,
+ SDAP_AT_USER_UUID,
SDAP_AT_USER_OBJECTSID,
SDAP_AT_USER_PRIMARY_GROUP,
SDAP_AT_USER_MODSTAMP,
--
2.1.0


@ -1,176 +0,0 @@
From b7ab4232ef04c1aa928284b4aed840f48ce4194b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 5 Nov 2014 17:38:05 +0100
Subject: [PATCH 11/26] Revert "LDAP: Remove unused option ldap_group_uuid"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/SSSDConfig/sssd_upgrade_config.py | 1 +
src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
src/man/sssd-ldap.5.xml | 13 +++++++++++++
src/providers/ad/ad_opts.h | 1 +
src/providers/ipa/ipa_opts.h | 1 +
src/providers/ldap/ldap_opts.h | 4 ++++
src/providers/ldap/sdap.h | 1 +
10 files changed, 25 insertions(+)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 769a29005c5fa392bcee3e746e7583d2f4ee05f0..491112ae772d2da74da14f62ba1ff8fffb4c7778 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -308,6 +308,7 @@ option_strings = {
'ldap_group_pwd' : _('Group password'),
'ldap_group_gid_number' : _('GID attribute'),
'ldap_group_member' : _('Group member attribute'),
+ 'ldap_group_uuid' : _('Group UUID attribute'),
'ldap_group_objectsid' : _("objectSID attribute"),
'ldap_group_modify_timestamp' : _('Modification time attribute for groups'),
'ldap_group_type' : _('Type of the group and other flags'),
diff --git a/src/config/SSSDConfig/sssd_upgrade_config.py b/src/config/SSSDConfig/sssd_upgrade_config.py
index 97be6543f8f86eb0189843003f675d2efcfcc8a5..33d9fed74424a7d3ee28e888aaed724d0a8a94ff 100644
--- a/src/config/SSSDConfig/sssd_upgrade_config.py
+++ b/src/config/SSSDConfig/sssd_upgrade_config.py
@@ -184,6 +184,7 @@ class SSSDConfigFile(SSSDChangeConf):
'ldap_group_pwd' : 'userPassword',
'ldap_group_gid_number' : 'groupGidNumber',
'ldap_group_member' : 'groupMember',
+ 'ldap_group_uuid' : 'groupUUID',
'ldap_group_modify_timestamp' : 'modifyTimestamp',
'ldap_network_timeout' : 'network_timeout',
'ldap_offline_timeout' : 'offline_timeout',
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index f8b200eaaf2f1b2ee17214faf2df70b14a2ec93c..3daa2560b14d74f7686ed47cf1b09e2005eb8917 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -98,6 +98,7 @@ ldap_group_object_class = str, None, false
ldap_group_name = str, None, false
ldap_group_gid_number = str, None, false
ldap_group_member = str, None, false
+ldap_group_uuid = str, None, false
ldap_group_objectsid = str, None, false
ldap_group_modify_timestamp = str, None, false
ldap_group_entry_usn = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 91dc9ec9d158758be32f8a3eb5d36be2446fc254..5df52581e67657e41e2f08820b885f100ccd7ca9 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -95,6 +95,7 @@ ldap_group_object_class = str, None, false
ldap_group_name = str, None, false
ldap_group_gid_number = str, None, false
ldap_group_member = str, None, false
+ldap_group_uuid = str, None, false
ldap_group_objectsid = str, None, false
ldap_group_modify_timestamp = str, None, false
ldap_group_entry_usn = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 68d5b4953a07398b159f3374ccba7380a642d818..ba5f56f1942da552fc6ab8f82851714756683a8f 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -90,6 +90,7 @@ ldap_group_object_class = str, None, false
ldap_group_name = str, None, false
ldap_group_gid_number = str, None, false
ldap_group_member = str, None, false
+ldap_group_uuid = str, None, false
ldap_group_objectsid = str, None, false
ldap_group_modify_timestamp = str, None, false
ldap_group_entry_usn = str, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index a8416d44dfc19c11091c54d847dc27eb66b431f7..b8b6f2abe5bb79a055c02bd2abac72ee79266f09 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -859,6 +859,19 @@
</varlistentry>
<varlistentry>
+ <term>ldap_group_uuid (string)</term>
+ <listitem>
+ <para>
+ The LDAP attribute that contains the UUID/GUID of
+ an LDAP group object.
+ </para>
+ <para>
+ Default: nsUniqueId
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_group_objectsid (string)</term>
<listitem>
<para>
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index ee70b3c4b71b87ab31ac07310a448d7960f8e9a8..ac6006c9200464956ccedb17ff53050fed5fc6ea 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -221,6 +221,7 @@ struct sdap_attr_map ad_2008r2_group_map[] = {
{ "ldap_group_pwd", NULL, SYSDB_PWD, NULL },
{ "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
{ "ldap_group_member", "member", SYSDB_MEMBER, NULL },
+ { "ldap_group_uuid", "objectGUID", SYSDB_UUID, NULL },
{ "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
{ "ldap_group_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL },
{ "ldap_group_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL },
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 7ecf0ff218aa1767976ccc624d7d9bc2dd96cd41..890a0437ae2fa81d111dcf0eba941786b2b83a1a 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -212,6 +212,7 @@ struct sdap_attr_map ipa_group_map[] = {
{ "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
{ "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
{ "ldap_group_member", "member", SYSDB_MEMBER, NULL },
+ { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
{ "ldap_group_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
{ "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
{ "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 2e937412635e16b4bc541c59055b1c4e7896f045..096a63bd53918ba79378c01257a18e543597209a 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -189,6 +189,7 @@ struct sdap_attr_map rfc2307_group_map[] = {
{ "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
{ "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
{ "ldap_group_member", "memberuid", SYSDB_MEMBER, NULL },
+ { "ldap_group_uuid", NULL, SYSDB_UUID, NULL },
{ "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
{ "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
{ "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
@@ -243,6 +244,8 @@ struct sdap_attr_map rfc2307bis_group_map[] = {
{ "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
{ "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
{ "ldap_group_member", "member", SYSDB_MEMBER, NULL },
+ /* FIXME: this is 389ds specific */
+ { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
{ "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
{ "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
{ "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
@@ -296,6 +299,7 @@ struct sdap_attr_map gen_ad2008r2_group_map[] = {
{ "ldap_group_pwd", NULL, SYSDB_PWD, NULL },
{ "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
{ "ldap_group_member", "member", SYSDB_MEMBER, NULL },
+ { "ldap_group_uuid", "objectGUID", SYSDB_UUID, NULL },
{ "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
{ "ldap_group_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL },
{ "ldap_group_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 906fd74090509802909b300d26234f96d324a769..aa10623a58d7d667205b09e744dc2b924ca821ed 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -295,6 +295,7 @@ enum sdap_group_attrs {
SDAP_AT_GROUP_PWD,
SDAP_AT_GROUP_GID,
SDAP_AT_GROUP_MEMBER,
+ SDAP_AT_GROUP_UUID,
SDAP_AT_GROUP_OBJECTSID,
SDAP_AT_GROUP_MODSTAMP,
SDAP_AT_GROUP_USN,
--
2.1.0


@ -1,102 +0,0 @@
From da75b87ffc1ff98d8a3685a6ccbf00265838cf7a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 5 Nov 2014 18:01:07 +0100
Subject: [PATCH 12/26] Fix uuid defaults
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Recently the uuid attributes for user and groups were removed because
it was found that there are not used at all and that some of them where
causing issues (https://fedorahosted.org/sssd/ticket/2383).
The new views/overrides feature of FreeIPA uses the ipaUniqueID attribute
to relate overrides with the original IPA objects. The previous two
patches revert the removal of the uuid attributes from users and groups
with this patch set the default value of these attributes to
ipaUniqueID from the IPA provider, to objectGUID for the AD provider and
leaves them unset for the general LDAP case to avoid issues like the one
from ticket #2383.
Related to https://fedorahosted.org/sssd/ticket/2481
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/man/sssd-ldap.5.xml | 6 ++++--
src/providers/ipa/ipa_opts.h | 4 ++--
src/providers/ldap/ldap_opts.h | 6 ++----
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index b8b6f2abe5bb79a055c02bd2abac72ee79266f09..aa47ed7a6dd41f7f82ea80e1deb34f9ccc894dc9 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -345,7 +345,8 @@
an LDAP user object.
</para>
<para>
- Default: nsUniqueId
+ Default: not set in the general case, objectGUID for
+ AD and ipaUniqueID for IPA
</para>
</listitem>
</varlistentry>
@@ -866,7 +867,8 @@
an LDAP group object.
</para>
<para>
- Default: nsUniqueId
+ Default: not set in the general case, objectGUID for
+ AD and ipaUniqueID for IPA
</para>
</listitem>
</varlistentry>
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 890a0437ae2fa81d111dcf0eba941786b2b83a1a..3cde1a4362c1fa81259d7764e182a9163d272577 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -178,7 +178,7 @@ struct sdap_attr_map ipa_user_map[] = {
{ "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
{ "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
{ "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
- { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL },
+ { "ldap_user_uuid", "ipaUniqueID", SYSDB_UUID, NULL },
{ "ldap_user_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
{ "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
{ "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
@@ -212,7 +212,7 @@ struct sdap_attr_map ipa_group_map[] = {
{ "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
{ "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
{ "ldap_group_member", "member", SYSDB_MEMBER, NULL },
- { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
+ { "ldap_group_uuid", "ipaUniqueID", SYSDB_UUID, NULL },
{ "ldap_group_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL },
{ "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
{ "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 096a63bd53918ba79378c01257a18e543597209a..29d9faf99784bfc3526398488be837a2716ee11d 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -209,8 +209,7 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
{ "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL },
{ "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
{ "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
- /* FIXME: this is 389ds specific */
- { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL },
+ { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
{ "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
{ "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
{ "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
@@ -244,8 +243,7 @@ struct sdap_attr_map rfc2307bis_group_map[] = {
{ "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },
{ "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
{ "ldap_group_member", "member", SYSDB_MEMBER, NULL },
- /* FIXME: this is 389ds specific */
- { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
+ { "ldap_group_uuid", NULL, SYSDB_UUID, NULL },
{ "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
{ "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
{ "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
--
2.1.0


@ -1,88 +0,0 @@
From 395daba605dd4fb4134db1a2e6883125a3d83f29 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 7 Nov 2014 13:27:53 +0100
Subject: [PATCH 13/26] Revert "LDAP: Change defaults for
ldap_user/group_objectsid"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This reverts commit f834f712548db811695ea0fd6d6b31d3bd03e2a3.
OpenLDAP server cannot dereference unknown attributes. The attribute objectSID
isn't in any standard objectclass on OpenLDAP server. This is a reason why
objectSID cannot be set by default in rfc2307 map and rfc2307bis map.
It is the same problem as using non standard attribute "nsUniqueId"
in ticket https://fedorahosted.org/sssd/ticket/2383
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/man/sssd-ldap.5.xml | 4 ++--
src/providers/ldap/ldap_opts.h | 8 ++++----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index aa47ed7a6dd41f7f82ea80e1deb34f9ccc894dc9..815b06250e826a36ef023e8a43a8925df89d2bbf 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -360,7 +360,7 @@
necessary for ActiveDirectory servers.
</para>
<para>
- Default: ipaNTSecurityIdentifier for IPA, objectSID
+ Default: objectSid for ActiveDirectory, not set
for other servers.
</para>
</listitem>
@@ -882,7 +882,7 @@
necessary for ActiveDirectory servers.
</para>
<para>
- Default: ipaNTSecurityIdentifier for IPA, objectSID
+ Default: objectSid for ActiveDirectory, not set
for other servers.
</para>
</listitem>
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 29d9faf99784bfc3526398488be837a2716ee11d..dedbdac0bcf647337d4c00b1fbb82d6b46be5b54 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -156,7 +156,7 @@ struct sdap_attr_map rfc2307_user_map[] = {
{ "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
{ "ldap_user_member_of", NULL, SYSDB_MEMBEROF, NULL },
{ "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
- { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
+ { "ldap_user_objectsid", NULL, SYSDB_SID, NULL },
{ "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
{ "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
{ "ldap_user_entry_usn", NULL, SYSDB_USN, NULL },
@@ -190,7 +190,7 @@ struct sdap_attr_map rfc2307_group_map[] = {
{ "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
{ "ldap_group_member", "memberuid", SYSDB_MEMBER, NULL },
{ "ldap_group_uuid", NULL, SYSDB_UUID, NULL },
- { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
+ { "ldap_group_objectsid", NULL, SYSDB_SID, NULL },
{ "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
{ "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
{ "ldap_group_type", NULL, SYSDB_GROUP_TYPE, NULL },
@@ -210,7 +210,7 @@ struct sdap_attr_map rfc2307bis_user_map[] = {
{ "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL },
{ "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
{ "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
- { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
+ { "ldap_user_objectsid", NULL, SYSDB_SID, NULL },
{ "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL },
{ "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
{ "ldap_user_entry_usn", NULL, SYSDB_USN, NULL },
@@ -244,7 +244,7 @@ struct sdap_attr_map rfc2307bis_group_map[] = {
{ "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
{ "ldap_group_member", "member", SYSDB_MEMBER, NULL },
{ "ldap_group_uuid", NULL, SYSDB_UUID, NULL },
- { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
+ { "ldap_group_objectsid", NULL, SYSDB_SID, NULL },
{ "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
{ "ldap_group_entry_usn", NULL, SYSDB_USN, NULL },
{ "ldap_group_type", NULL, SYSDB_GROUP_TYPE, NULL },
--
2.1.0


@ -1,55 +0,0 @@
From c28482b2d23865e3d068e4b9fb39c363c0d18b19 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 7 Nov 2014 13:58:17 +0100
Subject: [PATCH 14/26] LDAP: Disable token groups by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We tried to speed up processing of initgroup lookups with tokenGroups even for
the LDAP provider (if remote server is Active Directory), but it turns out that
there are too many corner cases that we didn't catch during development that
break. For instance, groups from other trusted domains might appear in TG and
the LDAP provider isn't equipped to handle them.
Overall, users who wish to use the added speed benefits of tokenGroups are
advised to use the AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2483
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/man/sssd-ldap.5.xml | 2 +-
src/providers/ldap/ldap_opts.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 815b06250e826a36ef023e8a43a8925df89d2bbf..47d05a736403859325e61a9ebebe78df0601917a 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1022,7 +1022,7 @@
Active Directory Server 2008 and later.
</para>
<para>
- Default: True
+ Default: True for AD and IPA otherwise False.
</para>
</listitem>
</varlistentry>
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index dedbdac0bcf647337d4c00b1fbb82d6b46be5b54..f46381e9fac7b93730ce0767154989f2e3b7ebbf 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -116,7 +116,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE},
+ { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE},
{ "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
--
2.1.0


@ -1,72 +0,0 @@
From 730dc6fc96bd1903e4fdae5c2a040034c187558d Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 21 Nov 2014 14:00:23 +0100
Subject: [PATCH 15/26] sss_client: Extract destroying of mmap cache to
function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/sss_client/nss_mc_common.c | 30 ++++++++++++++----------------
1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
index 6c9b35de280c637bf957207993e539c889b16c23..9c6e1af1642275fc7738b51d7ca80d712d49b2ac 100644
--- a/src/sss_client/nss_mc_common.c
+++ b/src/sss_client/nss_mc_common.c
@@ -102,6 +102,18 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
return 0;
}
+static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
+{
+ if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
+ munmap(ctx->mmap_base, ctx->mmap_size);
+ }
+ if (ctx->fd != -1) {
+ close(ctx->fd);
+ }
+ memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
+ ctx->fd = -1;
+}
+
static errno_t sss_nss_mc_init_ctx(const char *name,
struct sss_cli_mc_ctx *ctx)
{
@@ -157,14 +169,7 @@ static errno_t sss_nss_mc_init_ctx(const char *name,
done:
if (ret) {
- if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
- munmap(ctx->mmap_base, ctx->mmap_size);
- }
- if (ctx->fd != -1) {
- close(ctx->fd);
- }
- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
- ctx->fd = -1;
+ sss_nss_mc_destroy_ctx(ctx);
}
free(file);
sss_nss_unlock();
@@ -191,14 +196,7 @@ errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx)
done:
if (ret) {
- if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
- munmap(ctx->mmap_base, ctx->mmap_size);
- }
- if (ctx->fd != -1) {
- close(ctx->fd);
- }
- memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
- ctx->fd = -1;
+ sss_nss_mc_destroy_ctx(ctx);
}
return ret;
}
--
2.1.0


@ -1,243 +0,0 @@
From d1d01b99e0388e5c2fadb10db8e73917669a3383 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 21 Nov 2014 11:28:36 +0100
Subject: [PATCH 16/26] sss_client: Fix race condition in memory cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Thread safe initialisation was fixed in ticket #2380, but there is
still race condition in reinitialisation.
If caches is invalidated with command sss_cache -U (-G or -E) then
client code will need to reinitialize fast memory cache.
Let say we have two threads. The 1st thread find out that memory cache
should be reinitialized; therefore the fast memory cached is unmapped
and context destroyed. In the same time, 2nd thread tried to check
header of memory cache whether it is initialized and valid. As a result
of previously unmapped memory the 2nd thread access
out of bound memory (SEGFAULT).
The destroying of fast memory cache cannot be done any time. We need
to be sure that there isn't any other thread which uses mmaped memory.
The new counter of active threads was added for this purpose. The state
of fast memory cache was converted from boolean to three value state
(UNINITIALIZED, INITIALIZED, RECYCLED)
UNINITIALIZED
- the fast memory cache need to be initialized.
- if there is a problem with initialisation the state will not change
- after successful initialisation, the state will change to INITIALIZED
INITIALIZED
- if the cahe was invalidated or there is any other problem was
detected in memory cache header the state will change to RECYCLED
and memory cache IS NOT destroyed.
RECYCLED
- nothing will be done is there are any active threads which may use
the data from mmaped memory
- if there aren't active threads the fast memory cahe is destroyed and
state is changed to UNINITIALIZED.
https://fedorahosted.org/sssd/ticket/2445
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/sss_client/nss_mc.h | 10 ++++++++-
src/sss_client/nss_mc_common.c | 46 ++++++++++++++++++++++++++++++++++--------
src/sss_client/nss_mc_group.c | 8 ++++++--
src/sss_client/nss_mc_passwd.c | 8 ++++++--
4 files changed, 59 insertions(+), 13 deletions(-)
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
index 685cc41c0530750d890050f0917dc88be14d96ea..050bd4100dec091cb096a7d97bfe6615b12654da 100644
--- a/src/sss_client/nss_mc.h
+++ b/src/sss_client/nss_mc.h
@@ -33,9 +33,15 @@
typedef int errno_t;
#endif
+enum sss_mc_state {
+ UNINITIALIZED = 0,
+ INITIALIZED,
+ RECYCLED,
+};
+
/* common stuff */
struct sss_cli_mc_ctx {
- bool initialized;
+ enum sss_mc_state initialized;
int fd;
uint32_t seed; /* seed from the tables header */
@@ -48,6 +54,8 @@ struct sss_cli_mc_ctx {
uint32_t *hash_table; /* hash table address (in mmap) */
uint32_t ht_size; /* size of hash table */
+
+ uint32_t active_threads; /* count of threads which use memory cache */
};
errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx);
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
index 9c6e1af1642275fc7738b51d7ca80d712d49b2ac..89ff6b46e2abee03039cfd632ef50231eab92eec 100644
--- a/src/sss_client/nss_mc_common.c
+++ b/src/sss_client/nss_mc_common.c
@@ -123,7 +123,7 @@ static errno_t sss_nss_mc_init_ctx(const char *name,
sss_nss_lock();
/* check if ctx is initialised by previous thread. */
- if (ctx->initialized) {
+ if (ctx->initialized != UNINITIALIZED) {
ret = sss_nss_check_header(ctx);
goto done;
}
@@ -163,7 +163,7 @@ static errno_t sss_nss_mc_init_ctx(const char *name,
goto done;
}
- ctx->initialized = true;
+ ctx->initialized = INITIALIZED;
ret = 0;
@@ -181,22 +181,52 @@ errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx)
{
char *envval;
int ret;
+ bool need_decrement = false;
envval = getenv("SSS_NSS_USE_MEMCACHE");
if (envval && strcasecmp(envval, "NO") == 0) {
return EPERM;
}
- if (ctx->initialized) {
+ switch (ctx->initialized) {
+ case UNINITIALIZED:
+ __sync_add_and_fetch(&ctx->active_threads, 1);
+ ret = sss_nss_mc_init_ctx(name, ctx);
+ if (ret) {
+ need_decrement = true;
+ }
+ break;
+ case INITIALIZED:
+ __sync_add_and_fetch(&ctx->active_threads, 1);
ret = sss_nss_check_header(ctx);
- goto done;
+ if (ret) {
+ need_decrement = true;
+ }
+ break;
+ case RECYCLED:
+ /* we need to safely destroy memory cache */
+ ret = EAGAIN;
+ break;
+ default:
+ ret = EFAULT;
}
- ret = sss_nss_mc_init_ctx(name, ctx);
-
-done:
if (ret) {
- sss_nss_mc_destroy_ctx(ctx);
+ if (ctx->initialized == INITIALIZED) {
+ ctx->initialized = RECYCLED;
+ }
+ if (ctx->initialized == RECYCLED && ctx->active_threads == 0) {
+ /* just one thread should call munmap */
+ sss_nss_lock();
+ if (ctx->initialized == RECYCLED) {
+ sss_nss_mc_destroy_ctx(ctx);
+ }
+ sss_nss_unlock();
+ }
+ if (need_decrement) {
+ /* In case of error, we will not touch mmapped area => decrement */
+ __sync_sub_and_fetch(&ctx->active_threads, 1);
+ }
}
return ret;
}
diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
index 268b40ef02f2a621c4f61755ce4dfe2c3786bfa6..e0fdb97f628ac19741409be29566e4af5a391f74 100644
--- a/src/sss_client/nss_mc_group.c
+++ b/src/sss_client/nss_mc_group.c
@@ -29,7 +29,8 @@
#include "nss_mc.h"
#include "util/util_safealign.h"
-struct sss_cli_mc_ctx gr_mc_ctx = { false, -1, 0, NULL, 0, NULL, 0, NULL, 0 };
+struct sss_cli_mc_ctx gr_mc_ctx = { UNINITIALIZED, -1, 0, NULL, 0, NULL, 0,
+ NULL, 0, 0 };
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
struct group *result,
@@ -176,6 +177,7 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
done:
free(rec);
+ __sync_sub_and_fetch(&gr_mc_ctx.active_threads, 1);
return ret;
}
@@ -198,7 +200,8 @@ errno_t sss_nss_mc_getgrgid(gid_t gid,
len = snprintf(gidstr, 11, "%ld", (long)gid);
if (len > 10) {
- return EINVAL;
+ ret = EINVAL;
+ goto done;
}
/* hashes are calculated including the NULL terminator */
@@ -242,6 +245,7 @@ errno_t sss_nss_mc_getgrgid(gid_t gid,
done:
free(rec);
+ __sync_sub_and_fetch(&gr_mc_ctx.active_threads, 1);
return ret;
}
diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
index fa19afc3c0e468430183ed3f13b80e086251ee01..10e43e2af43c5e7f1738e281b3ed260d89f3a004 100644
--- a/src/sss_client/nss_mc_passwd.c
+++ b/src/sss_client/nss_mc_passwd.c
@@ -28,7 +28,8 @@
#include <time.h>
#include "nss_mc.h"
-struct sss_cli_mc_ctx pw_mc_ctx = { false, -1, 0, NULL, 0, NULL, 0, NULL, 0 };
+struct sss_cli_mc_ctx pw_mc_ctx = { UNINITIALIZED, -1, 0, NULL, 0, NULL, 0,
+ NULL, 0, 0 };
static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec,
struct passwd *result,
@@ -170,6 +171,7 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
done:
free(rec);
+ __sync_sub_and_fetch(&pw_mc_ctx.active_threads, 1);
return ret;
}
@@ -192,7 +194,8 @@ errno_t sss_nss_mc_getpwuid(uid_t uid,
len = snprintf(uidstr, 11, "%ld", (long)uid);
if (len > 10) {
- return EINVAL;
+ ret = EINVAL;
+ goto done;
}
/* hashes are calculated including the NULL terminator */
@@ -236,6 +239,7 @@ errno_t sss_nss_mc_getpwuid(uid_t uid,
done:
free(rec);
+ __sync_sub_and_fetch(&pw_mc_ctx.active_threads, 1);
return ret;
}
--
2.1.0


@ -1,32 +0,0 @@
From 0942d9245ed1a7de573e3af17deac2332a52b58a Mon Sep 17 00:00:00 2001
From: Michal Zidek <mzidek@redhat.com>
Date: Mon, 24 Nov 2014 19:10:01 +0100
Subject: [PATCH 17/26] test: Wrong parameter type in sss_parse_name_check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This caused aritmetic overflow when SSSD specific error
codes where used.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/tests/cmocka/test_fqnames.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
index 71429c8773ef199c72163837d4b313660cf813c2..de208437d3d11429ebb4fd92ac6b1469564d9174 100644
--- a/src/tests/cmocka/test_fqnames.c
+++ b/src/tests/cmocka/test_fqnames.c
@@ -326,7 +326,7 @@ void parse_name_test_teardown(void **state)
void sss_parse_name_check(struct parse_name_test_ctx *test_ctx,
const char *input_name,
- const char exp_ret,
+ const int exp_ret,
const char *exp_name,
const char *exp_domain)
{
--
2.1.0


@ -1,88 +0,0 @@
From 0370ef147287888604147bea95153795ffed318f Mon Sep 17 00:00:00 2001
From: Michal Zidek <mzidek@redhat.com>
Date: Mon, 24 Nov 2014 19:50:14 +0100
Subject: [PATCH 18/26] util: Special-case PCRE_ERROR_NOMATCH in sss_parse_name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add new SSSD specific error code for the case when
pcre_exec returns PCRE_ERROR_NOMATCH.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Conflicts:
src/util/util_errors.c
src/util/util_errors.h
---
src/tests/cmocka/test_fqnames.c | 14 +++++++-------
src/util/usertools.c | 2 +-
src/util/util_errors.c | 1 +
src/util/util_errors.h | 1 +
4 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
index de208437d3d11429ebb4fd92ac6b1469564d9174..b9b6230b9e2c86dafae159630d5202e46992f5f3 100644
--- a/src/tests/cmocka/test_fqnames.c
+++ b/src/tests/cmocka/test_fqnames.c
@@ -471,13 +471,13 @@ void sss_parse_name_fail(void **state)
struct parse_name_test_ctx *test_ctx = talloc_get_type(*state,
struct parse_name_test_ctx);
- sss_parse_name_check(test_ctx, "", EINVAL, NULL, NULL);
- sss_parse_name_check(test_ctx, "@", EINVAL, NULL, NULL);
- sss_parse_name_check(test_ctx, "\\", EINVAL, NULL, NULL);
- sss_parse_name_check(test_ctx, "\\"NAME, EINVAL, NULL, NULL);
- sss_parse_name_check(test_ctx, "@"NAME, EINVAL, NULL, NULL);
- sss_parse_name_check(test_ctx, NAME"@", EINVAL, NULL, NULL);
- sss_parse_name_check(test_ctx, NAME"\\", EINVAL, NULL, NULL);
+ sss_parse_name_check(test_ctx, "", ERR_REGEX_NOMATCH, NULL, NULL);
+ sss_parse_name_check(test_ctx, "@", ERR_REGEX_NOMATCH, NULL, NULL);
+ sss_parse_name_check(test_ctx, "\\", ERR_REGEX_NOMATCH, NULL, NULL);
+ sss_parse_name_check(test_ctx, "\\"NAME, ERR_REGEX_NOMATCH, NULL, NULL);
+ sss_parse_name_check(test_ctx, "@"NAME, ERR_REGEX_NOMATCH, NULL, NULL);
+ sss_parse_name_check(test_ctx, NAME"@", ERR_REGEX_NOMATCH, NULL, NULL);
+ sss_parse_name_check(test_ctx, NAME"\\", ERR_REGEX_NOMATCH, NULL, NULL);
}
void test_sss_get_domain_name(void **state)
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 809b42d67c7b1cdfa0729c3a7e835fab37297596..16478998d8936cd2e260c1e53db6b68f1563b0f8 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -306,7 +306,7 @@ int sss_parse_name(TALLOC_CTX *memctx,
ret = pcre_exec(re, NULL, orig, origlen, 0, PCRE_NOTEMPTY, ovec, 30);
if (ret == PCRE_ERROR_NOMATCH) {
- return EINVAL;
+ return ERR_REGEX_NOMATCH;
} else if (ret < 0) {
DEBUG(SSSDBG_MINOR_FAILURE, "PCRE Matching error, %d\n", ret);
return EINVAL;
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 5b36780ffcdc6733241cdb942865ecdf38da3bca..c1ac45ac5f8a53871d548bb0d218eabb03c69aa9 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -62,6 +62,7 @@ struct err_string error_to_str[] = {
{ "Bus method not supported" }, /* ERR_SBUS_NOSUP */
{ "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */
{ "LDAP search returned a referral" }, /* ERR_REFERRAL */
+ { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
};
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index e040ba903b27d06ec75cea31485d2f3111ca5302..8609dca22dcef33641efd0d717085d77c10224f8 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -84,6 +84,7 @@ enum sssd_errors {
ERR_SBUS_NOSUP,
ERR_NO_SYSBUS,
ERR_REFERRAL,
+ ERR_REGEX_NOMATCH,
ERR_LAST /* ALWAYS LAST */
};
--
2.1.0


@ -1,41 +0,0 @@
From 01a4b2b31d5279c90e7c596f9321eb0e9ec38d69 Mon Sep 17 00:00:00 2001
From: Michal Zidek <mzidek@redhat.com>
Date: Fri, 21 Nov 2014 20:06:32 +0100
Subject: [PATCH 19/26] util: sss_get_domain_name regex mismatch not fatal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Assume name is not FQDN if sss_parse_name fails to
match domain with regular expression.
Fixes:
https://fedorahosted.org/sssd/ticket/2487
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/util/usertools.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 16478998d8936cd2e260c1e53db6b68f1563b0f8..2804953a3e854ddf1a122b389ac1e14c4ff7f865 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -643,7 +643,13 @@ sss_get_domain_name(TALLOC_CTX *mem_ctx,
/* check if the name already contains domain part */
if (dom->names != NULL) {
ret = sss_parse_name(mem_ctx, dom->names, orig_name, &domain, NULL);
- if (ret != EOK) {
+ if (ret == ERR_REGEX_NOMATCH) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sss_parse_name could not parse domain from [%s]. "
+ "Assuming it is not FQDN.\n", orig_name);
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sss_parse_name failed [%d]: %s\n", ret, sss_strerror(ret));
return NULL;
}
}
--
2.1.0


@ -1,32 +0,0 @@
From ee280ed38752e60d7cba0abc1c9370b016ca3a27 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 23 Nov 2014 19:58:45 +0100
Subject: [PATCH 20/26] SBUS: Initialize DBusError before using it
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case either handler_fn() or invoker_fn() failed in
sbus_request_invoke_or_finish() we would have accessed an uninitialized
DBusError variable, causing a segfault.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/sbus/sssd_dbus_request.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/sbus/sssd_dbus_request.c b/src/sbus/sssd_dbus_request.c
index 7729d4e0d7bf6e517e2efce4dbeb064f6f471b87..0028d3537adeddc26e7b8480eb37e979a6cdb7ba 100644
--- a/src/sbus/sssd_dbus_request.c
+++ b/src/sbus/sssd_dbus_request.c
@@ -79,6 +79,7 @@ sbus_request_invoke_or_finish(struct sbus_request *dbus_req,
sbus_request_finish(dbus_req, NULL);
break;
default:
+ dbus_error_init(&error);
dbus_set_error_const(&error, DBUS_ERROR_FAILED, INTERNAL_ERROR);
sbus_request_fail_and_finish(dbus_req, &error);
break;
--
2.1.0


@ -1,54 +0,0 @@
From 05e9fd3773a886424610adca97eba1ad86e72daf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 17 Dec 2014 09:42:57 +0100
Subject: [PATCH 21/26] krb5: handle KRB5KRB_ERR_GENERIC as unspecific error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
KRB5KRB_ERR_GENERIC is a generic error and we cannot make any
assumptions about the cause. If there are cases where
KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this
must be solved by other means.
Resolves https://fedorahosted.org/sssd/ticket/2535
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/krb5/krb5_child.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 3234a4e6c740db5e05f7db8eb7f4ea0cc126e7ce..533e4139fee2abd9a0b8f939522a0819d91426ff 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1049,7 +1049,6 @@ static errno_t map_krb5_error(krb5_error_code kerr)
case KRB5_LIBOS_CANTREADPWD:
return ERR_NO_CREDS;
- case KRB5KRB_ERR_GENERIC:
case KRB5KRB_AP_ERR_SKEW:
case KRB5_KDC_UNREACH:
case KRB5_REALM_CANT_RESOLVE:
@@ -1072,6 +1071,18 @@ static errno_t map_krb5_error(krb5_error_code kerr)
case KRB5KDC_ERR_PREAUTH_FAILED:
return ERR_CREDS_INVALID;
+ /* Please do not remove KRB5KRB_ERR_GENERIC here, it is a _generic_ error
+ * code and we cannot make any assumptions about the reason for the error.
+ * As a consequence we cannot return a different error code than a generic
+ * one which unfortunately might result in a unspecific system error
+ * message to the user.
+ *
+ * If there are cases where libkrb5 calls return KRB5KRB_ERR_GENERIC where
+ * SSSD should behave differently this has to be detected by different
+ * means, e.g. by evaluation error messages, and then the error code
+ * should be changed to a more suitable KRB5* error code or immediately to
+ * a SSSD ERR_* error code to avoid the default handling here. */
+ case KRB5KRB_ERR_GENERIC:
default:
return ERR_INTERNAL;
}
--
2.1.0


@ -1,37 +0,0 @@
From 1901cd172918c842c57098cf8d13b6325813be7f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 23 Nov 2014 20:47:59 +0100
Subject: [PATCH 22/26] IPA: Handle IPA groups returned from extop plugin
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 2c31120b196353df52c87ef5b924a80bda134a17..0eab1afc36e4d2c1d770c596c512a641fd276425 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -960,10 +960,15 @@ static errno_t ipa_s2n_get_groups_step(struct tevent_req *req)
return ret;
}
- state->obj_domain = find_domain_by_name(parent_domain, domain_name, true);
- if (state->obj_domain == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
- return ENOMEM;
+ if (domain_name) {
+ state->obj_domain = find_domain_by_name(parent_domain,
+ domain_name, true);
+ if (state->obj_domain == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
+ return ENOMEM;
+ }
+ } else {
+ state->obj_domain = parent_domain;
}
state->req_input.inp.name = group_name;
--
2.1.0


@ -1,215 +0,0 @@
From b438c890894bde80b6494512d9fa1660fae431a6 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 11 Dec 2014 10:49:39 +0100
Subject: [PATCH 23/26] IPA: verify group memberships of trusted domain users
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Depending on the state of the cache group object a freshly created or
updates user entry for a trusted domain user might already be a member
of the group or not. This cache makes sure the requested user is a
member of all groups returned from the extdom request. Special care has
to be taken to cover cross-domain group-memberships properly.
Resolves https://fedorahosted.org/sssd/ticket/2529
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 145 ++++++++++++++++++++++++++++++++++++++-
1 file changed, 144 insertions(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 0eab1afc36e4d2c1d770c596c512a641fd276425..677d1625860186ad02d4d8c7290d45b782bc4c38 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -568,7 +568,7 @@ static errno_t add_v1_user_data(BerElement *ber, struct resp_attrs *attrs)
attrs->ngroups++);
if (attrs->ngroups > 0) {
- attrs->groups = talloc_array(attrs, char *, attrs->ngroups);
+ attrs->groups = talloc_zero_array(attrs, char *, attrs->ngroups + 1);
if (attrs->groups == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
ret = ENOMEM;
@@ -1528,6 +1528,81 @@ done:
return;
}
+static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+ char **name_list, char ***_dn_list)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ int c;
+ struct sss_domain_info *root_domain;
+ char **dn_list;
+
+ if (name_list == NULL) {
+ *_dn_list = NULL;
+ return EOK;
+ }
+
+ /* To handle cross-domain memberships we have to check the domain for
+ * each group the member should be added or deleted. Since sub-domains
+ * use fully-qualified names by default any short name can only belong
+ * to the root/head domain. find_domain_by_object_name() will return
+ * the domain given in the first argument if the second argument is a
+ * a short name hence we always use root_domain as first argument. */
+ root_domain = get_domains_head(dom);
+ if (root_domain->fqnames) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Root domain uses fully-qualified names, " \
+ "objects might not be correctly added to groups with " \
+ "short names.\n");
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ for (c = 0; name_list[c] != NULL; c++);
+
+ dn_list = talloc_zero_array(tmp_ctx, char *, c + 1);
+ if (dn_list == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (c = 0; name_list[c] != NULL; c++) {
+ dom = find_domain_by_object_name(root_domain, name_list[c]);
+ if (dom == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot find domain for [%s].\n", name_list[c]);
+ ret = ENOENT;
+ goto done;
+ }
+
+ /* This might fail if some unexpected cases are used. But current
+ * sysdb code which handles group membership constructs DNs this way
+ * as well, IPA names are lowercased and AD names by default will be
+ * lowercased as well. If there are really use-cases which cause an
+ * issue here, sysdb_group_strdn() has to be replaced by a proper
+ * search. */
+ dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
+ if (dn_list[c] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_group_strdn failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ *_dn_list = talloc_steal(mem_ctx, dn_list);
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
struct req_input *req_input,
struct resp_attrs *attrs,
@@ -1548,6 +1623,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
const char *tmp_str;
struct ldb_result *res;
enum sysdb_member_type type;
+ char **sysdb_grouplist;
+ char **add_groups;
+ char **add_groups_dns;
+ char **del_groups;
+ char **del_groups_dns;
+ bool in_transaction = false;
+ int tret;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -1716,6 +1798,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
gid = attrs->a.user.pw_gid;
}
+ ret = sysdb_transaction_start(dom->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
ret = sysdb_store_user(dom, name, NULL,
attrs->a.user.pw_uid,
gid, attrs->a.user.pw_gecos,
@@ -1726,6 +1815,53 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_user failed.\n");
goto done;
}
+
+ if (attrs->response_type == RESP_USER_GROUPLIST) {
+ ret = get_sysdb_grouplist(tmp_ctx, dom->sysdb, dom, name,
+ &sysdb_grouplist);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist failed.\n");
+ goto done;
+ }
+
+ ret = diff_string_lists(tmp_ctx, attrs->groups, sysdb_grouplist,
+ &add_groups, &del_groups, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n");
+ goto done;
+ }
+
+ ret = get_groups_dns(tmp_ctx, dom, add_groups, &add_groups_dns);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
+ goto done;
+ }
+
+ ret = get_groups_dns(tmp_ctx, dom, del_groups, &del_groups_dns);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n",
+ name);
+ ret = sysdb_update_members_dn(dom, name, SYSDB_MEMBER_USER,
+ (const char *const *) add_groups_dns,
+ (const char *const *) del_groups_dns);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Membership update failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = sysdb_transaction_commit(dom->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto done;
+ }
+ in_transaction = false;
+
break;
case RESP_GROUP:
case RESP_GROUP_MEMBERS:
@@ -1818,6 +1954,13 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
}
done:
+ if (in_transaction) {
+ tret = sysdb_transaction_cancel(dom->sysdb);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+
talloc_free(tmp_ctx);
return ret;
--
2.1.0


@ -1,51 +0,0 @@
From d58be56e09962a311d3599d4e134e1f7bbadc90f Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 12 Dec 2014 13:07:55 -0500
Subject: [PATCH 24/26] IPA: properly handle groups from different domains
When groups are resolved on IPA clients as part of a user lookup not all
groups have to be from the same domain as the used. This has to be
checked to store the group object properly in the cache.
Related to https://fedorahosted.org/sssd/ticket/2529
and https://fedorahosted.org/sssd/ticket/2524
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 677d1625860186ad02d4d8c7290d45b782bc4c38..6d5b45edf20f720f5b97f0ed5c8ec591c580de0d 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1867,10 +1867,24 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
case RESP_GROUP_MEMBERS:
type = SYSDB_MEMBER_GROUP;
+ if (0 != strcmp(dom->name, attrs->domain_name)) {
+ dom = find_domain_by_name(get_domains_head(dom),
+ attrs->domain_name, true);
+ if (dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot find domain: [%s]\n", attrs->domain_name);
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
if (name == NULL) {
+ name = attrs->a.group.gr_name;
+ }
+
+ if (IS_SUBDOMAIN(dom)) {
/* we always use the fully qualified name for subdomain users */
- name = sss_tc_fqname(tmp_ctx, dom->names, dom,
- attrs->a.group.gr_name);
+ name = sss_tc_fqname(tmp_ctx, dom->names, dom, name);
if (!name) {
DEBUG(SSSDBG_OP_FAILURE, "failed to format user name,\n");
ret = ENOMEM;
--
2.1.0


@ -1,42 +0,0 @@
From 46da6ab87c8065ab36de30f1f9d882736425777c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 2 Dec 2014 21:10:01 +0100
Subject: [PATCH 25/26] IPA: do not try to add override gid twice
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
By default user and group overrides use the same attribute name for the
GID and this cause SSSD machinery to add the same value twice which
cause an error in ldb_add() or ldm_modify().
Related to https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/db/sysdb_views.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 926cd847c8dd8ddc33c0b517642a11bbe78059b5..6011fd09db4528b0b1c7aa0a6266ea719e47792f 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -371,8 +371,14 @@ errno_t sysdb_store_override(struct sss_domain_info *domain,
goto done;
}
- /* TODO: add nameAlias for case-insentitive searches */
for (c = 0; c < attrs->num; c++) {
+ /* Set num_values to 1 because by default user and group overrides
+ * use the same attribute name for the GID and this cause SSSD
+ * machinery to add the same value twice */
+ if (attrs->a[c].num_values > 1
+ && strcmp(attrs->a[c].name, SYSDB_GIDNUM) == 0) {
+ attrs->a[c].num_values = 1;
+ }
msg->elements[c] = attrs->a[c];
msg->elements[c].flags = LDB_FLAG_MOD_ADD;
}
--
2.1.0


@ -1,62 +0,0 @@
From 51ecb61c7c6e2f002c2da188e30f69d67f767ead Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 4 Dec 2014 12:50:03 +0100
Subject: [PATCH 26/26] IPA: handle GID overrides for MPG domains on clients
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves https://fedorahosted.org/sssd/ticket/2514
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 6d5b45edf20f720f5b97f0ed5c8ec591c580de0d..55450c7029391a99bfc33b8446765f71c4d0928a 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1618,6 +1618,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
char *realm;
char *upn = NULL;
gid_t gid;
+ gid_t orig_gid = 0;
TALLOC_CTX *tmp_ctx;
const char *sid_str;
const char *tmp_str;
@@ -1796,6 +1797,31 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
gid = 0;
if (dom->mpg == false) {
gid = attrs->a.user.pw_gid;
+ } else {
+ /* The extdom plugin always returns the objects with the
+ * default view applied. Since the GID is handled specially
+ * for MPG domains we have add any overridden GID separately.
+ */
+ ret = sysdb_attrs_get_uint32_t(attrs->sysdb_attrs,
+ ORIGINALAD_PREFIX SYSDB_GIDNUM,
+ &orig_gid);
+ if (ret == EOK || ret == ENOENT) {
+ if ((orig_gid != 0 && orig_gid != attrs->a.user.pw_gid)
+ || attrs->a.user.pw_uid != attrs->a.user.pw_gid) {
+ ret = sysdb_attrs_add_uint32(attrs->sysdb_attrs,
+ SYSDB_GIDNUM,
+ attrs->a.user.pw_gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_uint32 failed.\n");
+ goto done;
+ }
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_get_uint32_t failed.\n");
+ goto done;
+ }
}
ret = sysdb_transaction_start(dom->sysdb);
--
2.1.0


@ -1,101 +0,0 @@
From 082e13dba488ebb2b948d6a362095153714b669f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 19 Dec 2014 11:21:41 +0100
Subject: [PATCH] libwbclient: initialize some return values
Some callers of libwbclient functions expects the return values are
initialized even it the functions returns an error. This patch adds some
initializations to meet this requirement.
Resolves https://fedorahosted.org/sssd/ticket/2537
Reviewed-by: Pavel Reichl <preichl@redhat.com>
---
src/sss_client/libwbclient/wbc_pam_sssd.c | 36 +++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/src/sss_client/libwbclient/wbc_pam_sssd.c b/src/sss_client/libwbclient/wbc_pam_sssd.c
index 893a5c16cf0e020e0570ea838d96fa82292373fa..174cf1310fad0243036fe591978cc89700903896 100644
--- a/src/sss_client/libwbclient/wbc_pam_sssd.c
+++ b/src/sss_client/libwbclient/wbc_pam_sssd.c
@@ -45,6 +45,10 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
struct wbcAuthUserInfo **info,
struct wbcAuthErrorInfo **error)
{
+ if (error != NULL) {
+ *error = NULL;
+ }
+
WBC_SSSD_NOT_IMPLEMENTED;
}
@@ -52,6 +56,10 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
wbcErr wbcCheckTrustCredentials(const char *domain,
struct wbcAuthErrorInfo **error)
{
+ if (error != NULL) {
+ *error = NULL;
+ }
+
WBC_SSSD_NOT_IMPLEMENTED;
}
@@ -59,6 +67,10 @@ wbcErr wbcCheckTrustCredentials(const char *domain,
wbcErr wbcChangeTrustCredentials(const char *domain,
struct wbcAuthErrorInfo **error)
{
+ if (error != NULL) {
+ *error = NULL;
+ }
+
WBC_SSSD_NOT_IMPLEMENTED;
}
@@ -102,6 +114,14 @@ wbcErr wbcChangeUserPasswordEx(const struct wbcChangePasswordParams *params,
enum wbcPasswordChangeRejectReason *reject_reason,
struct wbcUserPasswordPolicyInfo **policy)
{
+ if (error != NULL) {
+ *error = NULL;
+ }
+
+ if (policy != NULL) {
+ *policy = NULL;
+ }
+
WBC_SSSD_NOT_IMPLEMENTED;
}
@@ -129,6 +149,18 @@ wbcErr wbcLogonUser(const struct wbcLogonUserParams *params,
struct wbcAuthErrorInfo **error,
struct wbcUserPasswordPolicyInfo **policy)
{
+ if (info != NULL) {
+ *info = NULL;
+ }
+
+ if (error != NULL) {
+ *error = NULL;
+ }
+
+ if (policy != NULL) {
+ *policy = NULL;
+ }
+
WBC_SSSD_NOT_IMPLEMENTED;
}
@@ -137,6 +169,10 @@ wbcErr wbcCredentialCache(struct wbcCredentialCacheParams *params,
struct wbcCredentialCacheInfo **info,
struct wbcAuthErrorInfo **error)
{
+ if (error != NULL) {
+ *error = NULL;
+ }
+
WBC_SSSD_NOT_IMPLEMENTED;
}
--
1.9.3


@ -1 +1 @@
46d445ac060782027098eb6d572e4f13 sssd-1.12.2.tar.gz
b891c263819a1dde062d7065448a4d58 sssd-1.12.3.tar.gz


@ -24,8 +24,8 @@
%endif
Name: sssd
Version: 1.12.2
Release: 8%{?dist}
Version: 1.12.3
Release: 1%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -34,33 +34,6 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch
Patch0002: 0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch
Patch0003: 0003-ipa_subdomains_handler_master_done-initialize-reply_.patch
Patch0004: 0004-IPA-Handle-NULL-members-in-process_members.patch
Patch0005: 0005-GPO-Terminate-request-on-error.patch
Patch0006: 0006-nss-group-enumeration-fix.patch
Patch0007: 0007-IPA-Don-t-fail-the-request-when-BE-doesn-t-find-the-.patch
Patch0008: 0008-IPA-use-ipaUserGroup-object-class-for-groups.patch
Patch0009: 0009-PAM-Remove-authtok-from-PAM-stack-with-OTP.patch
Patch0010: 0010-Revert-LDAP-Remove-unused-option-ldap_user_uuid.patch
Patch0011: 0011-Revert-LDAP-Remove-unused-option-ldap_group_uuid.patch
Patch0012: 0012-Fix-uuid-defaults.patch
Patch0013: 0013-Revert-LDAP-Change-defaults-for-ldap_user-group_obje.patch
Patch0014: 0014-LDAP-Disable-token-groups-by-default.patch
Patch0015: 0015-sss_client-Extract-destroying-of-mmap-cache-to-funct.patch
Patch0016: 0016-sss_client-Fix-race-condition-in-memory-cache.patch
Patch0017: 0017-test-Wrong-parameter-type-in-sss_parse_name_check.patch
Patch0018: 0018-util-Special-case-PCRE_ERROR_NOMATCH-in-sss_parse_na.patch
Patch0019: 0019-util-sss_get_domain_name-regex-mismatch-not-fatal.patch
Patch0020: 0020-SBUS-Initialize-DBusError-before-using-it.patch
Patch0021: 0021-krb5-handle-KRB5KRB_ERR_GENERIC-as-unspecific-error.patch
Patch0022: 0022-IPA-Handle-IPA-groups-returned-from-extop-plugin.patch
Patch0023: 0023-IPA-verify-group-memberships-of-trusted-domain-users.patch
Patch0024: 0024-IPA-properly-handle-groups-from-different-domains.patch
Patch0025: 0025-IPA-do-not-try-to-add-override-gid-twice.patch
Patch0026: 0026-IPA-handle-GID-overrides-for-MPG-domains-on-clients.patch
PAtch0027: 0027-libwbclient-initialize-some-return-values.patch
### Dependencies ###
Requires: sssd-common = %{version}-%{release}
@ -144,11 +117,11 @@ BuildRequires: libnfsidmap-devel
%description
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable backend system to connect to multiple different
the system and a plug-gable back-end system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.
The sssd subpackage is a meta-package that contains the deamon as well as all
The sssd sub-package is a meta-package that contains the daemon as well as all
the existing back ends.
%package common
@ -185,7 +158,7 @@ Obsoletes: libsss_autofs <= 1.10.0-7%{?dist}.beta1
%description common
Common files for the SSSD. The common package includes all the files needed
to run a particular back end, however, the back ends are packaged in separate
subpackages such as sssd-ldap.
sub-packages such as sssd-ldap.
%package client
Summary: SSSD Client libraries for NSS and PAM
@ -488,7 +461,7 @@ make %{?_smp_mflags} all docs
%check
export CK_TIMEOUT_MULTIPLIER=10
make %{?_smp_mflags} check
make %{?_smp_mflags} check VERBOSE=yes
unset CK_TIMEOUT_MULTIPLIER
%install
@ -621,6 +594,7 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/%{name}/libsss_debug.so
%{_libdir}/%{name}/libsss_ldap_common.so
%{_libdir}/%{name}/libsss_util.so
%{_libdir}/%{name}/libsss_semanage.so
# 3rd party application libraries
%{_libdir}/sssd/modules/libsss_autofs.so
@ -693,6 +667,7 @@ rm -rf $RPM_BUILD_ROOT
%doc COPYING
%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
%{_libdir}/%{name}/libsss_ipa.so
%{_libexecdir}/%{servicename}/selinux_child
%{_mandir}/man5/sssd-ipa.5*
%files ad -f sssd_ad.lang
@ -905,6 +880,11 @@ if [ $1 -eq 0 ]; then
fi
%changelog
* Thu Jan 08 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.3-1
- New upstream release 1.12.3
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3
- Fix spelling errors in description (fedpkg lint)
* Tue Jan 6 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.2-8
- Rebuild for libldb 1.1.19
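Review bot: The newly packaged helper `%{_libexecdir}/%{servicename}/selinux_child` is listed without an explicit `%attr`, so its mode and owner are whatever the upstream install step and the default file attributes produce. Two lines above it, in what appears to be the IPA subpackage's file list, `krb5.include.d` is pinned with `%attr(755,root,root)`. Doing the same here, e.g. `%attr(<mode>,root,root) %{_libexecdir}/%{servicename}/selinux_child` with `<mode>` standing in for the mode upstream intends, would make any later permission change on this helper visible in the package diff. Judging only from its path, the helper probably does SELinux-related work that needs privilege, which is why its permissions are worth stating rather than inheriting.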