Compare commits
No commits in common. "imports/c9/sssd-2.6.2-4.el9_0.1" and "c8" have entirely different histories.
imports/c9
...
c8
|
|
@ -1 +1 @@
|
|||
SOURCES/sssd-2.6.2.tar.gz
|
||||
SOURCES/sssd-2.9.4.tar.gz
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz
|
||||
574f6cec9ee12dd943e4305286845343ab7bb891 SOURCES/sssd-2.9.4.tar.gz
|
||||
|
|
|
|||
|
|
@ -1,33 +0,0 @@
|
|||
From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 4 Jan 2022 10:11:49 +0100
|
||||
Subject: [PATCH] ipa: fix reply socket of selinux_child
|
||||
|
||||
Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
|
||||
the reply socket of selinux_child from stdout to stderr while switching
|
||||
from exec_child to exec_child_ex. This patch returns the original
|
||||
behavior.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5939
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_selinux.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
|
||||
index 6f885c0fd..2e0593dd7 100644
|
||||
--- a/src/providers/ipa/ipa_selinux.c
|
||||
+++ b/src/providers/ipa/ipa_selinux.c
|
||||
@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
|
||||
if (pid == 0) { /* child */
|
||||
exec_child_ex(state, pipefd_to_child, pipefd_from_child,
|
||||
SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
|
||||
- false, STDIN_FILENO, STDERR_FILENO);
|
||||
+ false, STDIN_FILENO, STDOUT_FILENO);
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
|
||||
ret, sss_strerror(ret));
|
||||
return ret;
|
||||
--
|
||||
2.26.3
|
||||
|
||||
|
|
@ -0,0 +1,144 @@
|
|||
From dd0f63246aa75d5f53b44cbc185e88833e79976e Mon Sep 17 00:00:00 2001
|
||||
From: Andre Boscatto <andreboscatto@gmail.com>
|
||||
Date: Wed, 7 Feb 2024 12:28:28 +0100
|
||||
Subject: [PATCH] sssd: adding mail as case insensitive
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7173
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 945cebcf72ef53ea0368f19c09e710f7fff11b51)
|
||||
---
|
||||
src/db/sysdb_init.c | 7 ++++++
|
||||
src/db/sysdb_private.h | 5 +++-
|
||||
src/db/sysdb_upgrade.c | 56 ++++++++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 67 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
|
||||
index c2ea6c369..38a9cd64a 100644
|
||||
--- a/src/db/sysdb_init.c
|
||||
+++ b/src/db/sysdb_init.c
|
||||
@@ -603,6 +603,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (strcmp(version, SYSDB_VERSION_0_23) == 0) {
|
||||
+ ret = sysdb_upgrade_23(sysdb, &version);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
ret = EOK;
|
||||
done:
|
||||
sysdb->ldb = save_ldb;
|
||||
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
|
||||
index 1f55007bc..63f7b5601 100644
|
||||
--- a/src/db/sysdb_private.h
|
||||
+++ b/src/db/sysdb_private.h
|
||||
@@ -23,6 +23,7 @@
|
||||
#ifndef __INT_SYS_DB_H__
|
||||
#define __INT_SYS_DB_H__
|
||||
|
||||
+#define SYSDB_VERSION_0_24 "0.24"
|
||||
#define SYSDB_VERSION_0_23 "0.23"
|
||||
#define SYSDB_VERSION_0_22 "0.22"
|
||||
#define SYSDB_VERSION_0_21 "0.21"
|
||||
@@ -47,7 +48,7 @@
|
||||
#define SYSDB_VERSION_0_2 "0.2"
|
||||
#define SYSDB_VERSION_0_1 "0.1"
|
||||
|
||||
-#define SYSDB_VERSION SYSDB_VERSION_0_23
|
||||
+#define SYSDB_VERSION SYSDB_VERSION_0_24
|
||||
|
||||
#define SYSDB_BASE_LDIF \
|
||||
"dn: @ATTRIBUTES\n" \
|
||||
@@ -60,6 +61,7 @@
|
||||
"objectclass: CASE_INSENSITIVE\n" \
|
||||
"ipHostNumber: CASE_INSENSITIVE\n" \
|
||||
"ipNetworkNumber: CASE_INSENSITIVE\n" \
|
||||
+ "mail: CASE_INSENSITIVE\n" \
|
||||
"\n" \
|
||||
"dn: @INDEXLIST\n" \
|
||||
"@IDXATTR: cn\n" \
|
||||
@@ -191,6 +193,7 @@ int sysdb_upgrade_19(struct sysdb_ctx *sysdb, const char **ver);
|
||||
int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver);
|
||||
int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver);
|
||||
int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver);
|
||||
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver);
|
||||
|
||||
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver);
|
||||
|
||||
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
|
||||
index 346a1cb0b..56083e6be 100644
|
||||
--- a/src/db/sysdb_upgrade.c
|
||||
+++ b/src/db/sysdb_upgrade.c
|
||||
@@ -2718,6 +2718,62 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx;
|
||||
+ int ret;
|
||||
+ struct ldb_message *msg;
|
||||
+ struct upgrade_ctx *ctx;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (!tmp_ctx) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_24, &ctx);
|
||||
+ if (ret) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ /* Add new indexes */
|
||||
+ msg = ldb_msg_new(tmp_ctx);
|
||||
+ if (!msg) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ msg->dn = ldb_dn_new(tmp_ctx, sysdb->ldb, "@ATTRIBUTES");
|
||||
+ if (!msg->dn) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Case insensitive search for mail */
|
||||
+ ret = ldb_msg_add_empty(msg, SYSDB_USER_EMAIL, LDB_FLAG_MOD_ADD, NULL);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ ret = ldb_msg_add_string(msg, SYSDB_USER_EMAIL, "CASE_INSENSITIVE");
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = ldb_modify(sysdb->ldb, msg);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ ret = sysdb_error_to_errno(ret);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* conversion done, update version number */
|
||||
+ ret = update_version(ctx);
|
||||
+
|
||||
+done:
|
||||
+ ret = finish_upgrade(ret, &ctx, ver);
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver)
|
||||
{
|
||||
struct upgrade_ctx *ctx;
|
||||
--
|
||||
2.41.0
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
|
|
@ -0,0 +1,154 @@
|
|||
From a7621a5b464af7a3c8409dcbde038b35fee2c895 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 23 Jan 2024 13:47:53 +0100
|
||||
Subject: [PATCH 2/3] sdap: add search_bases option to groups_by_user_send()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
AD handles users and computer objects very similar and so does SSSD's
|
||||
GPO code when lookup up the host's group-memberships. But users and
|
||||
computers might be stored in different sub-tree of the AD LDAP tree and
|
||||
if a dedicated user search base is given with the ldap_user_search_base
|
||||
option in sssd.conf the host object might be in a different sub-tree. To
|
||||
make sure the host can still be found this patch uses the base DN of
|
||||
the LDAP tree when searching for hosts in the GPO code.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5708
|
||||
|
||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 29a77c6e79020d7e8cb474b4d3b394d390eba196)
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 10 ++++++++++
|
||||
src/providers/ldap/ldap_common.h | 1 +
|
||||
src/providers/ldap/ldap_id.c | 6 +++++-
|
||||
src/providers/ldap/sdap_async.h | 1 +
|
||||
src/providers/ldap/sdap_async_initgroups.c | 4 +++-
|
||||
5 files changed, 20 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index 94959c36b..b0ee3e616 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -2091,6 +2091,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
char *server_uri;
|
||||
LDAPURLDesc *lud;
|
||||
struct sdap_domain *sdom;
|
||||
+ struct sdap_search_base **search_bases;
|
||||
|
||||
req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||
state = tevent_req_data(req, struct ad_gpo_access_state);
|
||||
@@ -2184,9 +2185,18 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
|
||||
+ "AD_HOSTS", NULL, &search_bases);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to create dedicated search base for host lookups, "
|
||||
+ "trying with user search base.");
|
||||
+ }
|
||||
+
|
||||
subreq = groups_by_user_send(state, state->ev,
|
||||
state->access_ctx->ad_id_ctx->sdap_id_ctx,
|
||||
sdom, state->conn,
|
||||
+ search_bases,
|
||||
state->host_fqdn,
|
||||
BE_FILTER_NAME,
|
||||
NULL,
|
||||
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
|
||||
index 7159d6356..2c984ef50 100644
|
||||
--- a/src/providers/ldap/ldap_common.h
|
||||
+++ b/src/providers/ldap/ldap_common.h
|
||||
@@ -304,6 +304,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
struct sdap_id_ctx *ctx,
|
||||
struct sdap_domain *sdom,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
|
||||
index da54816bd..b3ea2333f 100644
|
||||
--- a/src/providers/ldap/ldap_id.c
|
||||
+++ b/src/providers/ldap/ldap_id.c
|
||||
@@ -1139,6 +1139,7 @@ struct groups_by_user_state {
|
||||
struct sdap_id_op *op;
|
||||
struct sysdb_ctx *sysdb;
|
||||
struct sss_domain_info *domain;
|
||||
+ struct sdap_search_base **search_bases;
|
||||
|
||||
const char *filter_value;
|
||||
int filter_type;
|
||||
@@ -1160,6 +1161,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
struct sdap_id_ctx *ctx,
|
||||
struct sdap_domain *sdom,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
@@ -1192,6 +1194,7 @@ struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
||||
state->extra_value = extra_value;
|
||||
state->domain = sdom->dom;
|
||||
state->sysdb = sdom->dom->sysdb;
|
||||
+ state->search_bases = search_bases;
|
||||
|
||||
if (state->domain->type == DOM_TYPE_APPLICATION || set_non_posix) {
|
||||
state->non_posix = true;
|
||||
@@ -1254,6 +1257,7 @@ static void groups_by_user_connect_done(struct tevent_req *subreq)
|
||||
sdap_id_op_handle(state->op),
|
||||
state->ctx,
|
||||
state->conn,
|
||||
+ state->search_bases,
|
||||
state->filter_value,
|
||||
state->filter_type,
|
||||
state->extra_value,
|
||||
@@ -1449,7 +1453,7 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
subreq = groups_by_user_send(state, be_ctx->ev, id_ctx,
|
||||
- sdom, conn,
|
||||
+ sdom, conn, NULL,
|
||||
ar->filter_value,
|
||||
ar->filter_type,
|
||||
ar->extra_value,
|
||||
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
|
||||
index 5458d21f1..89245f41f 100644
|
||||
--- a/src/providers/ldap/sdap_async.h
|
||||
+++ b/src/providers/ldap/sdap_async.h
|
||||
@@ -158,6 +158,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
struct sdap_handle *sh,
|
||||
struct sdap_id_ctx *id_ctx,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *name,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
|
||||
index 97be594a3..fb3d8fe24 100644
|
||||
--- a/src/providers/ldap/sdap_async_initgroups.c
|
||||
+++ b/src/providers/ldap/sdap_async_initgroups.c
|
||||
@@ -2732,6 +2732,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
struct sdap_handle *sh,
|
||||
struct sdap_id_ctx *id_ctx,
|
||||
struct sdap_id_conn_ctx *conn,
|
||||
+ struct sdap_search_base **search_bases,
|
||||
const char *filter_value,
|
||||
int filter_type,
|
||||
const char *extra_value,
|
||||
@@ -2764,7 +2765,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
||||
state->orig_user = NULL;
|
||||
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
|
||||
state->user_base_iter = 0;
|
||||
- state->user_search_bases = sdom->user_search_bases;
|
||||
+ state->user_search_bases = (search_bases == NULL) ? sdom->user_search_bases
|
||||
+ : search_bases;
|
||||
if (!state->user_search_bases) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Initgroups lookup request without a user search base\n");
|
||||
--
|
||||
2.41.0
|
||||
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
From bf6059eb55c8caa3111ef718db1676c96a67c084 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 16 Dec 2021 11:14:18 +0100
|
||||
Subject: [PATCH] ad: add required 'cn' attribute to subdomain object
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the forest root is not part of the return trusted domain objects
|
||||
from the local domain controller we generate an object for further
|
||||
processing. During this processing it is expected that the 'cn'
|
||||
attribute is set and contains the name of the forest root. So far this
|
||||
attribute was missing and it is now added by this patch.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5926
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_subdomains.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||
index 0353de76f..0c3f8ac31 100644
|
||||
--- a/src/providers/ad/ad_subdomains.c
|
||||
+++ b/src/providers/ad/ad_subdomains.c
|
||||
@@ -1646,6 +1646,13 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_DOMAIN_NAME,
|
||||
+ state->forest);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
|
||||
&id_val.data, &id_val.length);
|
||||
if (err != IDMAP_SUCCESS) {
|
||||
--
|
||||
2.26.3
|
||||
|
||||
|
|
@ -0,0 +1,194 @@
|
|||
From 6a8e60df84d5d2565bec36be19c2def25a6ece1f Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 24 Jan 2024 14:21:12 +0100
|
||||
Subject: [PATCH 3/3] sdap: add naming_context as new member of struct
|
||||
sdap_domain
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The naming_context could be a more reliable source than basedn for the
|
||||
actual base DN because basedn is set very early from the domain name
|
||||
given in sssd.conf. Although it is recommended to use the fully
|
||||
qualified DNS domain name here it is not required. As a result basedn
|
||||
might not reflect the actual based DN of the LDAP server. Also pure LDAP
|
||||
server (i.e. not AD or FreeIPA) might use different schemes to set the
|
||||
base DN which will not be based on the DNS domain of the LDAP server.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5708
|
||||
|
||||
Reviewed-by: Alejandro López <allopez@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit a153f13f296401247a862df2b99048bb1bbb8e2e)
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 6 ++++--
|
||||
src/providers/ldap/sdap.c | 36 +++++++++++++-----------------------
|
||||
src/providers/ldap/sdap.h | 11 +++++++++++
|
||||
3 files changed, 28 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index b0ee3e616..3d1ad39c7 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -2185,8 +2185,10 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
|
||||
- "AD_HOSTS", NULL, &search_bases);
|
||||
+ ret = common_parse_search_base(state,
|
||||
+ sdom->naming_context == NULL ? sdom->basedn
|
||||
+ : sdom->naming_context,
|
||||
+ state->ldb_ctx, "AD_HOSTS", NULL, &search_bases);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Failed to create dedicated search base for host lookups, "
|
||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
||||
index f5637c5fb..956eba93a 100644
|
||||
--- a/src/providers/ldap/sdap.c
|
||||
+++ b/src/providers/ldap/sdap.c
|
||||
@@ -1252,19 +1252,10 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
struct sdap_domain *sdom)
|
||||
{
|
||||
int ret;
|
||||
- char *naming_context = NULL;
|
||||
|
||||
- if (!sdom->search_bases
|
||||
- || !sdom->user_search_bases
|
||||
- || !sdom->group_search_bases
|
||||
- || !sdom->netgroup_search_bases
|
||||
- || !sdom->host_search_bases
|
||||
- || !sdom->sudo_search_bases
|
||||
- || !sdom->iphost_search_bases
|
||||
- || !sdom->ipnetwork_search_bases
|
||||
- || !sdom->autofs_search_bases) {
|
||||
- naming_context = get_naming_context(opts->basic, rootdse);
|
||||
- if (naming_context == NULL) {
|
||||
+ if (!sdom->naming_context) {
|
||||
+ sdom->naming_context = get_naming_context(sdom, rootdse);
|
||||
+ if (sdom->naming_context == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "get_naming_context failed.\n");
|
||||
|
||||
/* This has to be non-fatal, since some servers offer
|
||||
@@ -1280,7 +1271,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1288,7 +1279,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->user_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_USER_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1296,7 +1287,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->group_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_GROUP_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1304,7 +1295,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->netgroup_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_NETGROUP_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1312,7 +1303,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->host_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_HOST_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1320,7 +1311,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->sudo_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_SUDO_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1328,7 +1319,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->service_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_SERVICE_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1336,7 +1327,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->autofs_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_AUTOFS_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1344,7 +1335,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->iphost_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_IPHOST_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
@@ -1352,14 +1343,13 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
||||
if (!sdom->ipnetwork_search_bases) {
|
||||
ret = sdap_set_search_base(opts, sdom,
|
||||
SDAP_IPNETWORK_SEARCH_BASE,
|
||||
- naming_context);
|
||||
+ sdom->naming_context);
|
||||
if (ret != EOK) goto done;
|
||||
}
|
||||
|
||||
ret = EOK;
|
||||
|
||||
done:
|
||||
- talloc_free(naming_context);
|
||||
return ret;
|
||||
}
|
||||
|
||||
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
||||
index 161bc5c26..103d50ed4 100644
|
||||
--- a/src/providers/ldap/sdap.h
|
||||
+++ b/src/providers/ldap/sdap.h
|
||||
@@ -454,6 +454,17 @@ struct sdap_domain {
|
||||
|
||||
char *basedn;
|
||||
|
||||
+ /* The naming_context could be a more reliable source than basedn for the
|
||||
+ * actual base DN because basedn is set very early from the domain name
|
||||
+ * given in sssd.conf. Although it is recommended to use the fully
|
||||
+ * qualified DNS domain name here it is not required. As a result basedn
|
||||
+ * might not reflect the actual based DN of the LDAP server. Also pure
|
||||
+ * LDAP server (i.e. not AD or FreeIPA) might use different schemes to set
|
||||
+ * the base DN which will not be based on the DNS domain of the LDAP
|
||||
+ * server. naming_context might be NULL even after connection to an LDAP
|
||||
+ * server. */
|
||||
+ char *naming_context;
|
||||
+
|
||||
struct sdap_search_base **search_bases;
|
||||
struct sdap_search_base **user_search_bases;
|
||||
struct sdap_search_base **group_search_bases;
|
||||
--
|
||||
2.41.0
|
||||
|
||||
|
|
@ -1,140 +0,0 @@
|
|||
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
|
||||
From: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Date: Thu, 13 Jan 2022 11:28:30 +0100
|
||||
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
AD and IPA providers use a common fo_server object for LDAP and
|
||||
Kerberos, which is created with the LDAP data. This means that due to
|
||||
the changes introduced in
|
||||
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
|
||||
the port in use for the Kerberos requests would be the one specified for
|
||||
LDAP, usually the default one (389).
|
||||
|
||||
In order to avoid that, AD and IPA providers shouldn't change the
|
||||
Kerberos port with the one provided for LDAP.
|
||||
|
||||
:fixes: A critical regression that prevented authentication of users via
|
||||
AD and IPA providers was fixed. LDAP port was reused for Kerberos
|
||||
communication and this provider would send incomprehensible information
|
||||
to this port.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5947
|
||||
|
||||
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_common.c | 1 +
|
||||
src/providers/ipa/ipa_common.c | 1 +
|
||||
src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
|
||||
src/providers/krb5/krb5_common.h | 1 +
|
||||
4 files changed, 23 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
||||
index e263444c5..1ca5f8e3a 100644
|
||||
--- a/src/providers/ad/ad_common.c
|
||||
+++ b/src/providers/ad/ad_common.c
|
||||
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (service->krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
||||
server,
|
||||
+ true,
|
||||
SSS_KRB5KDC_FO_SRV,
|
||||
ad_krb5info_file_filter);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
|
||||
index 1509cb1ce..e6c1f9aa4 100644
|
||||
--- a/src/providers/ipa/ipa_common.c
|
||||
+++ b/src/providers/ipa/ipa_common.c
|
||||
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (service->krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(service->krb5_service,
|
||||
server,
|
||||
+ true,
|
||||
SSS_KRB5KDC_FO_SRV,
|
||||
NULL);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
|
||||
index 719ce6a12..5ffa20809 100644
|
||||
--- a/src/providers/krb5/krb5_common.c
|
||||
+++ b/src/providers/krb5/krb5_common.c
|
||||
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
|
||||
|
||||
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
struct fo_server *server,
|
||||
+ bool force_default_port,
|
||||
const char *service,
|
||||
bool (*filter)(struct fo_server *))
|
||||
{
|
||||
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
if (filter == NULL || filter(server) == false) {
|
||||
address = fo_server_address_or_name(tmp_ctx, server);
|
||||
if (address) {
|
||||
- port = fo_get_server_port(server);
|
||||
- if (port != 0) {
|
||||
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
- if (address == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
- talloc_free(tmp_ctx);
|
||||
- return ENOMEM;
|
||||
+ if (!force_default_port) {
|
||||
+ port = fo_get_server_port(server);
|
||||
+ if (port != 0) {
|
||||
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
+ if (address == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
continue;
|
||||
}
|
||||
|
||||
- port = fo_get_server_port(item);
|
||||
- if (port != 0) {
|
||||
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
- if (address == NULL) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
- talloc_free(tmp_ctx);
|
||||
- return ENOMEM;
|
||||
+ if (!force_default_port) {
|
||||
+ port = fo_get_server_port(item);
|
||||
+ if (port != 0) {
|
||||
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
|
||||
+ if (address == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
|
||||
if (krb5_service->write_kdcinfo) {
|
||||
ret = write_krb5info_file_from_fo_server(krb5_service,
|
||||
server,
|
||||
+ false,
|
||||
krb5_service->name,
|
||||
NULL);
|
||||
if (ret != EOK) {
|
||||
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
|
||||
index 151f446d1..2fd39a751 100644
|
||||
--- a/src/providers/krb5/krb5_common.h
|
||||
+++ b/src/providers/krb5/krb5_common.h
|
||||
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
|
||||
|
||||
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
|
||||
struct fo_server *server,
|
||||
+ bool force_default_port,
|
||||
const char *service,
|
||||
bool (*filter)(struct fo_server *));
|
||||
|
||||
--
|
||||
2.26.3
|
||||
|
||||
|
|
@ -0,0 +1,233 @@
|
|||
From 50077c3255177fe1b01837fbe31a7f8fd47dee74 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 18 Jan 2024 13:08:17 +0100
|
||||
Subject: [PATCH] pam: fix SC auth with multiple certs and missing login name
|
||||
|
||||
While introducing the local_auth_policy option a quite specific use-case
|
||||
was not covered correctly. If there are multiple matching certificates
|
||||
on the Smartcard, 'local_auth_policy = only' is set and GDM's Smartcard
|
||||
mode was used for login, i.e. there is no user name given and the user
|
||||
has to be derived from the certificate used for login, authentication
|
||||
failed. The main reason for the failure is that in this case the
|
||||
Smartcard interaction and the user mapping has to be done first to
|
||||
determine the user before local_auth_policy is evaluated. As a result
|
||||
when checking if the authentication can be finished the request was in
|
||||
an unexpected state because the indicator for local Smartcard
|
||||
authentication was not enabled.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/7109
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
Reviewed-by: Scott Poore <spoore@redhat.com>
|
||||
(cherry picked from commit 44ec3e4638b0c6f7f45a3390a28c2e8745d52bc3)
|
||||
---
|
||||
src/responder/pam/pamsrv.h | 10 ++++
|
||||
src/responder/pam/pamsrv_cmd.c | 17 +++++--
|
||||
src/tests/intg/Makefile.am | 2 +
|
||||
src/tests/intg/test_pam_responder.py | 74 +++++++++++++++++++++++++++-
|
||||
4 files changed, 96 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
||||
index 7013a8edd..618836189 100644
|
||||
--- a/src/responder/pam/pamsrv.h
|
||||
+++ b/src/responder/pam/pamsrv.h
|
||||
@@ -93,7 +93,17 @@ struct pam_auth_req {
|
||||
struct ldb_message *user_obj;
|
||||
struct cert_auth_info *cert_list;
|
||||
struct cert_auth_info *current_cert;
|
||||
+ /* Switched to 'true' if the backend indicates that it cannot handle
|
||||
+ * Smartcard authentication, but Smartcard authentication is
|
||||
+ * possible and local Smartcard authentication is allowed. */
|
||||
bool cert_auth_local;
|
||||
+ /* Switched to 'true' if authentication (not pre-authentication) was
|
||||
+ * started without a login name and the name had to be lookup up with the
|
||||
+ * certificate used for authentication. Since reading the certificate from
|
||||
+ * the Smartcard already involves the PIN validation in this case there
|
||||
+ * would be no need for an additional Smartcard interaction if only local
|
||||
+ * Smartcard authentication is possible. */
|
||||
+ bool initial_cert_auth_successful;
|
||||
|
||||
bool passkey_data_exists;
|
||||
uint32_t client_id_num;
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index c23ea7ba4..a7c181733 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -2200,8 +2200,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
ret = ENOENT;
|
||||
goto done;
|
||||
}
|
||||
-
|
||||
- if (cert_count > 1) {
|
||||
+ /* Multiple certificates are only expected during pre-auth */
|
||||
+ if (cert_count > 1 && preq->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
for (preq->current_cert = preq->cert_list;
|
||||
preq->current_cert != NULL;
|
||||
preq->current_cert = sss_cai_get_next(preq->current_cert)) {
|
||||
@@ -2285,7 +2285,9 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
}
|
||||
|
||||
/* If logon_name was not given during authentication add a
|
||||
- * SSS_PAM_CERT_INFO message to send the name to the caller. */
|
||||
+ * SSS_PAM_CERT_INFO message to send the name to the caller.
|
||||
+ * Additionally initial_cert_auth_successful is set to
|
||||
+ * indicate that the user is already authenticated. */
|
||||
if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
&& preq->pd->logon_name == NULL) {
|
||||
ret = add_pam_cert_response(preq->pd,
|
||||
@@ -2297,6 +2299,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
||||
preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
|
||||
goto done;
|
||||
}
|
||||
+
|
||||
+ preq->initial_cert_auth_successful = true;
|
||||
}
|
||||
|
||||
/* cert_user will be returned to the PAM client as user name, so
|
||||
@@ -2851,12 +2855,15 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
|
||||
if (found) {
|
||||
if (local_policy != NULL && strcasecmp(local_policy, "only") == 0) {
|
||||
talloc_free(tmp_ctx);
|
||||
- DEBUG(SSSDBG_IMPORTANT_INFO, "Local auth only set, skipping online auth\n");
|
||||
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||
+ "Local auth only set and matching certificate was found, "
|
||||
+ "skipping online auth\n");
|
||||
if (preq->pd->cmd == SSS_PAM_PREAUTH) {
|
||||
preq->pd->pam_status = PAM_SUCCESS;
|
||||
} else if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
|
||||
&& IS_SC_AUTHTOK(preq->pd->authtok)
|
||||
- && preq->cert_auth_local) {
|
||||
+ && (preq->cert_auth_local
|
||||
+ || preq->initial_cert_auth_successful)) {
|
||||
preq->pd->pam_status = PAM_SUCCESS;
|
||||
preq->callback = pam_reply;
|
||||
}
|
||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
||||
index 3866d3ca6..0cfd268dc 100644
|
||||
--- a/src/tests/intg/Makefile.am
|
||||
+++ b/src/tests/intg/Makefile.am
|
||||
@@ -199,6 +199,7 @@ clean-local:
|
||||
|
||||
PAM_CERT_DB_PATH="$(abs_builddir)/../test_CA/SSSD_test_CA.pem"
|
||||
SOFTHSM2_CONF="$(abs_builddir)/../test_CA/softhsm2_one.conf"
|
||||
+SOFTHSM2_TWO_CONF="$(abs_builddir)/../test_CA/softhsm2_two.conf"
|
||||
|
||||
intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service pam_sss_sc_required pam_sss_try_sc pam_sss_allow_missing_name pam_sss_domains sss_netgroup_thread_test
|
||||
pipepath="$(DESTDIR)$(pipepath)"; \
|
||||
@@ -233,6 +234,7 @@ intgcheck-installed: config.py passwd group pam_sss_service pam_sss_alt_service
|
||||
PAM_CERT_DB_PATH=$(PAM_CERT_DB_PATH) \
|
||||
ABS_SRCDIR=$(abs_srcdir) \
|
||||
SOFTHSM2_CONF=$(SOFTHSM2_CONF) \
|
||||
+ SOFTHSM2_TWO_CONF=$(SOFTHSM2_TWO_CONF) \
|
||||
KCM_RENEW=$(KCM_RENEW) \
|
||||
FILES_PROVIDER=$(FILES_PROVIDER) \
|
||||
DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
|
||||
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
|
||||
index 1fc3937e6..0fbf8065e 100644
|
||||
--- a/src/tests/intg/test_pam_responder.py
|
||||
+++ b/src/tests/intg/test_pam_responder.py
|
||||
@@ -168,7 +168,7 @@ def format_pam_cert_auth_conf(config, provider):
|
||||
{provider.p}
|
||||
|
||||
[certmap/auth_only/user1]
|
||||
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
|
||||
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
|
||||
""").format(**locals())
|
||||
|
||||
|
||||
@@ -201,7 +201,7 @@ def format_pam_cert_auth_conf_name_format(config, provider):
|
||||
{provider.p}
|
||||
|
||||
[certmap/auth_only/user1]
|
||||
- matchrule = <SUBJECT>.*CN=SSSD test cert 0001.*
|
||||
+ matchrule = <SUBJECT>.*CN=SSSD test cert 000[12].*
|
||||
""").format(**locals())
|
||||
|
||||
|
||||
@@ -380,6 +380,28 @@ def simple_pam_cert_auth_no_cert(request, passwd_ops_setup):
|
||||
return None
|
||||
|
||||
|
||||
+@pytest.fixture
|
||||
+def simple_pam_cert_auth_two_certs(request, passwd_ops_setup):
|
||||
+ """Setup SSSD with pam_cert_auth=True"""
|
||||
+ config.PAM_CERT_DB_PATH = os.environ['PAM_CERT_DB_PATH']
|
||||
+
|
||||
+ old_softhsm2_conf = os.environ['SOFTHSM2_CONF']
|
||||
+ softhsm2_two_conf = os.environ['SOFTHSM2_TWO_CONF']
|
||||
+ os.environ['SOFTHSM2_CONF'] = softhsm2_two_conf
|
||||
+
|
||||
+ conf = format_pam_cert_auth_conf(config, provider_switch(request.param))
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+
|
||||
+ os.environ['SOFTHSM2_CONF'] = old_softhsm2_conf
|
||||
+
|
||||
+ passwd_ops_setup.useradd(**USER1)
|
||||
+ passwd_ops_setup.useradd(**USER2)
|
||||
+ sync_files_provider(USER2['name'])
|
||||
+
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def simple_pam_cert_auth_name_format(request, passwd_ops_setup):
|
||||
"""Setup SSSD with pam_cert_auth=True and full_name_format"""
|
||||
@@ -522,6 +544,54 @@ def test_sc_auth(simple_pam_cert_auth, env_for_sssctl):
|
||||
assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
|
||||
|
||||
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
|
||||
+def test_sc_auth_two(simple_pam_cert_auth_two_certs, env_for_sssctl):
|
||||
+
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "user1",
|
||||
+ "--action=auth", "--service=pam_sss_service"],
|
||||
+ universal_newlines=True,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="2\n123456")
|
||||
+ except Exception:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
+
|
||||
+
|
||||
+@pytest.mark.parametrize('simple_pam_cert_auth_two_certs', provider_list(), indirect=True)
|
||||
+def test_sc_auth_two_missing_name(simple_pam_cert_auth_two_certs, env_for_sssctl):
|
||||
+
|
||||
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "",
|
||||
+ "--action=auth", "--service=pam_sss_allow_missing_name"],
|
||||
+ universal_newlines=True,
|
||||
+ env=env_for_sssctl, stdin=subprocess.PIPE,
|
||||
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
||||
+
|
||||
+ try:
|
||||
+ out, err = sssctl.communicate(input="2\n123456")
|
||||
+ except Exception:
|
||||
+ sssctl.kill()
|
||||
+ out, err = sssctl.communicate()
|
||||
+
|
||||
+ sssctl.stdin.close()
|
||||
+ sssctl.stdout.close()
|
||||
+
|
||||
+ if sssctl.wait() != 0:
|
||||
+ raise Exception("sssctl failed")
|
||||
+
|
||||
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
|
||||
+
|
||||
+
|
||||
@pytest.mark.parametrize('simple_pam_cert_auth', ['proxy_password'], indirect=True)
|
||||
def test_sc_proxy_password_fallback(simple_pam_cert_auth, env_for_sssctl):
|
||||
"""
|
||||
--
|
||||
2.41.0
|
||||
|
||||
|
|
@ -1,432 +0,0 @@
|
|||
From 37f90057792a0b4543f34684ed9a240fe8e869c1 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Mon, 11 Apr 2022 22:48:19 +0200
|
||||
Subject: [PATCH 5/6] Revert "usertools: force local user for sssd process
|
||||
user"
|
||||
|
||||
This reverts commit 9c447dc85853116c035bbc2f9e3b8553a65be621.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6107
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
Makefile.am | 3 -
|
||||
src/tests/cwrap/Makefile.am | 8 +--
|
||||
src/tests/cwrap/common_mock_nss_dl_load.c | 77 -----------------------
|
||||
src/tests/cwrap/common_mock_nss_dl_load.h | 30 ---------
|
||||
src/tests/cwrap/test_responder_common.c | 7 ---
|
||||
src/tests/cwrap/test_usertools.c | 6 --
|
||||
src/util/nss_dl_load.c | 13 +---
|
||||
src/util/nss_dl_load.h | 3 -
|
||||
src/util/nss_dl_load_extra.c | 40 ------------
|
||||
src/util/usertools.c | 32 +++-------
|
||||
10 files changed, 12 insertions(+), 207 deletions(-)
|
||||
delete mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
|
||||
delete mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
|
||||
delete mode 100644 src/util/nss_dl_load_extra.c
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 1121a3fb2..e0dd5220c 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -888,7 +888,6 @@ dist_noinst_HEADERS = \
|
||||
src/tests/cmocka/test_expire_common.h \
|
||||
src/tests/cmocka/test_sdap_access.h \
|
||||
src/tests/cmocka/data_provider/mock_dp.h \
|
||||
- src/tests/cwrap/common_mock_nss_dl_load.h \
|
||||
src/sss_client/pam_message.h \
|
||||
src/sss_client/ssh/sss_ssh_client.h \
|
||||
src/sss_client/sudo/sss_sudo.h \
|
||||
@@ -1271,8 +1270,6 @@ libsss_util_la_SOURCES = \
|
||||
src/util/sss_regexp.c \
|
||||
src/util/sss_chain_id_tevent.c \
|
||||
src/util/sss_chain_id.c \
|
||||
- src/util/nss_dl_load.c \
|
||||
- src/util/nss_dl_load_extra.c \
|
||||
$(NULL)
|
||||
libsss_util_la_CFLAGS = \
|
||||
$(AM_CFLAGS) \
|
||||
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
|
||||
index 4ac24a492..f25d2e3c6 100644
|
||||
--- a/src/tests/cwrap/Makefile.am
|
||||
+++ b/src/tests/cwrap/Makefile.am
|
||||
@@ -142,17 +142,15 @@ endif
|
||||
|
||||
usertools_tests_SOURCES = \
|
||||
test_usertools.c \
|
||||
- common_mock_nss_dl_load.c \
|
||||
- ../../../src/util/usertools.c \
|
||||
$(NULL)
|
||||
usertools_tests_CFLAGS = \
|
||||
$(AM_CFLAGS) \
|
||||
$(NULL)
|
||||
usertools_tests_LDADD = \
|
||||
- $(LIBADD_DL) \
|
||||
$(CMOCKA_LIBS) \
|
||||
$(POPT_LIBS) \
|
||||
$(TALLOC_LIBS) \
|
||||
+ $(abs_top_builddir)/libsss_util.la \
|
||||
$(abs_top_builddir)/libsss_debug.la \
|
||||
$(abs_top_builddir)/libsss_test_common.la \
|
||||
$(NULL)
|
||||
@@ -162,10 +160,9 @@ endif
|
||||
|
||||
responder_common_tests_SOURCES =\
|
||||
test_responder_common.c \
|
||||
- common_mock_nss_dl_load.c \
|
||||
$(SSSD_RESPONDER_IFACE_OBJ) \
|
||||
../../../src/responder/common/negcache_files.c \
|
||||
- ../../../src/util/usertools.c \
|
||||
+ ../../../src/util/nss_dl_load.c \
|
||||
../../../src/responder/common/negcache.c \
|
||||
../../../src/responder/common/responder_common.c \
|
||||
../../../src/responder/common/responder_packet.c \
|
||||
@@ -183,6 +180,7 @@ responder_common_tests_LDADD = \
|
||||
$(SSSD_LIBS) \
|
||||
$(SELINUX_LIBS) \
|
||||
$(SYSTEMD_DAEMON_LIBS) \
|
||||
+ $(abs_top_builddir)/libsss_util.la \
|
||||
$(abs_top_builddir)/libsss_debug.la \
|
||||
$(abs_top_builddir)/libsss_test_common.la \
|
||||
$(abs_top_builddir)/libsss_iface.la \
|
||||
diff --git a/src/tests/cwrap/common_mock_nss_dl_load.c b/src/tests/cwrap/common_mock_nss_dl_load.c
|
||||
deleted file mode 100644
|
||||
index 72f6c39ac..000000000
|
||||
--- a/src/tests/cwrap/common_mock_nss_dl_load.c
|
||||
+++ /dev/null
|
||||
@@ -1,77 +0,0 @@
|
||||
-/*
|
||||
- Authors:
|
||||
- Iker Pedrosa <ipedrosa@redhat.com>
|
||||
-
|
||||
- Copyright (C) 2021 Red Hat
|
||||
-
|
||||
- SSSD tests: Fake nss dl load
|
||||
-
|
||||
- This program is free software; you can redistribute it and/or modify
|
||||
- it under the terms of the GNU General Public License as published by
|
||||
- the Free Software Foundation; either version 3 of the License, or
|
||||
- (at your option) any later version.
|
||||
-
|
||||
- This program is distributed in the hope that it will be useful,
|
||||
- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
- GNU General Public License for more details.
|
||||
-
|
||||
- You should have received a copy of the GNU General Public License
|
||||
- along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
-*/
|
||||
-
|
||||
-#include <sys/types.h>
|
||||
-#include <sys/stat.h>
|
||||
-#include <errno.h>
|
||||
-#include <stddef.h>
|
||||
-
|
||||
-#include "common_mock_nss_dl_load.h"
|
||||
-
|
||||
-
|
||||
-static enum nss_status
|
||||
-mock_getpwnam_r(const char *name, struct passwd *result,
|
||||
- char *buffer, size_t buflen, int *errnop)
|
||||
-{
|
||||
- void *pwd_pointer = NULL;
|
||||
- int rc;
|
||||
-
|
||||
- rc = getpwnam_r(name, result, buffer, buflen, (struct passwd **)&pwd_pointer);
|
||||
- if (rc == 0 && pwd_pointer == result) {
|
||||
- *errnop = 0;
|
||||
- return NSS_STATUS_SUCCESS;
|
||||
- } else if (rc == 0 && (pwd_pointer == NULL)) {
|
||||
- *errnop = ENOENT;
|
||||
- return NSS_STATUS_NOTFOUND;
|
||||
- } else {
|
||||
- *errnop = rc;
|
||||
- return NSS_STATUS_UNAVAIL;
|
||||
- }
|
||||
-}
|
||||
-
|
||||
-static enum nss_status
|
||||
-mock_getpwuid_r(uid_t uid, struct passwd *result,
|
||||
- char *buffer, size_t buflen, int *errnop)
|
||||
-{
|
||||
- void *pwd_pointer = NULL;
|
||||
- int rc;
|
||||
-
|
||||
- rc = getpwuid_r(uid, result, buffer, buflen, (struct passwd **)&pwd_pointer);
|
||||
- if (rc == 0 && pwd_pointer == result) {
|
||||
- *errnop = 0;
|
||||
- return NSS_STATUS_SUCCESS;
|
||||
- } else if (rc == 0 && (pwd_pointer == NULL)) {
|
||||
- *errnop = ENOENT;
|
||||
- return NSS_STATUS_NOTFOUND;
|
||||
- } else {
|
||||
- *errnop = rc;
|
||||
- return NSS_STATUS_UNAVAIL;
|
||||
- }
|
||||
-}
|
||||
-
|
||||
-errno_t mock_sss_load_nss_pw_symbols(struct sss_nss_ops *ops)
|
||||
-{
|
||||
- ops->getpwnam_r = mock_getpwnam_r;
|
||||
- ops->getpwuid_r = mock_getpwuid_r;
|
||||
-
|
||||
- return EOK;
|
||||
-}
|
||||
diff --git a/src/tests/cwrap/common_mock_nss_dl_load.h b/src/tests/cwrap/common_mock_nss_dl_load.h
|
||||
deleted file mode 100644
|
||||
index 6db411450..000000000
|
||||
--- a/src/tests/cwrap/common_mock_nss_dl_load.h
|
||||
+++ /dev/null
|
||||
@@ -1,30 +0,0 @@
|
||||
-/*
|
||||
- Authors:
|
||||
- Iker Pedrosa <ipedrosa@redhat.com>
|
||||
-
|
||||
- Copyright (C) 2021 Red Hat
|
||||
-
|
||||
- SSSD tests: Fake nss dl load
|
||||
-
|
||||
- This program is free software; you can redistribute it and/or modify
|
||||
- it under the terms of the GNU General Public License as published by
|
||||
- the Free Software Foundation; either version 3 of the License, or
|
||||
- (at your option) any later version.
|
||||
-
|
||||
- This program is distributed in the hope that it will be useful,
|
||||
- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
- GNU General Public License for more details.
|
||||
-
|
||||
- You should have received a copy of the GNU General Public License
|
||||
- along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
-*/
|
||||
-
|
||||
-#ifndef __COMMON_MOCK_NSS_DL_LOAD_H_
|
||||
-#define __COMMON_MOCK_NSS_DL_LOAD_H_
|
||||
-
|
||||
-#include "util/nss_dl_load.h"
|
||||
-
|
||||
-errno_t mock_sss_load_nss_pw_symbols(struct sss_nss_ops *ops);
|
||||
-
|
||||
-#endif /* __COMMON_MOCK_NSS_DL_LOAD_H_ */
|
||||
diff --git a/src/tests/cwrap/test_responder_common.c b/src/tests/cwrap/test_responder_common.c
|
||||
index 571e95d36..11cc3abd8 100644
|
||||
--- a/src/tests/cwrap/test_responder_common.c
|
||||
+++ b/src/tests/cwrap/test_responder_common.c
|
||||
@@ -29,13 +29,6 @@
|
||||
#include "util/util.h"
|
||||
#include "responder/common/responder.h"
|
||||
#include "tests/cmocka/common_mock.h"
|
||||
-#include "tests/cwrap/common_mock_nss_dl_load.h"
|
||||
-
|
||||
-
|
||||
-errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops)
|
||||
-{
|
||||
- return mock_sss_load_nss_pw_symbols(ops);
|
||||
-}
|
||||
|
||||
/* Just to satisfy dependencies */
|
||||
struct cli_protocol_version *register_cli_protocol_version(void)
|
||||
diff --git a/src/tests/cwrap/test_usertools.c b/src/tests/cwrap/test_usertools.c
|
||||
index eb30a540c..f61ae83e2 100644
|
||||
--- a/src/tests/cwrap/test_usertools.c
|
||||
+++ b/src/tests/cwrap/test_usertools.c
|
||||
@@ -27,12 +27,6 @@
|
||||
#include <popt.h>
|
||||
#include "util/util.h"
|
||||
#include "tests/cmocka/common_mock.h"
|
||||
-#include "tests/cwrap/common_mock_nss_dl_load.h"
|
||||
-
|
||||
-errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops)
|
||||
-{
|
||||
- return mock_sss_load_nss_pw_symbols(ops);
|
||||
-}
|
||||
|
||||
void test_get_user_num(void **state)
|
||||
{
|
||||
diff --git a/src/util/nss_dl_load.c b/src/util/nss_dl_load.c
|
||||
index 379ccfa65..442108307 100644
|
||||
--- a/src/util/nss_dl_load.c
|
||||
+++ b/src/util/nss_dl_load.c
|
||||
@@ -48,16 +48,6 @@ static void *proxy_dlsym(void *handle,
|
||||
return funcptr;
|
||||
}
|
||||
|
||||
-static void sss_close_handle(struct sss_nss_ops *ops, const char *libname)
|
||||
-{
|
||||
- if (dlclose(ops->dl_handle) != 0) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Error closing the handle for the '%s' library, error: %s.\n",
|
||||
- libname, dlerror());
|
||||
- }
|
||||
-
|
||||
- ops->dl_handle = NULL;
|
||||
-}
|
||||
|
||||
errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname,
|
||||
struct sss_nss_symbols *syms, size_t nsyms)
|
||||
@@ -82,7 +72,7 @@ errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname,
|
||||
|
||||
for (i = 0; i < nsyms; i++) {
|
||||
*(syms[i].fptr) = proxy_dlsym(ops->dl_handle, syms[i].fname,
|
||||
- libname);
|
||||
+ libname);
|
||||
|
||||
if (*(syms[i].fptr) == NULL) {
|
||||
if (syms[i].mandatory) {
|
||||
@@ -90,7 +80,6 @@ errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname,
|
||||
"mandatory symbol '%s', error: %s.\n", libpath,
|
||||
syms[i].fname, dlerror());
|
||||
ret = ELIBBAD;
|
||||
- sss_close_handle(ops, libname);
|
||||
goto out;
|
||||
} else {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Library '%s' did not provide "
|
||||
diff --git a/src/util/nss_dl_load.h b/src/util/nss_dl_load.h
|
||||
index 07c04e091..f1e882b96 100644
|
||||
--- a/src/util/nss_dl_load.h
|
||||
+++ b/src/util/nss_dl_load.h
|
||||
@@ -23,8 +23,6 @@
|
||||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
#include <netdb.h>
|
||||
-#include <stdbool.h>
|
||||
-
|
||||
#include "util/util_errors.h"
|
||||
#include "sss_client/nss_compat.h"
|
||||
|
||||
@@ -120,6 +118,5 @@ struct sss_nss_symbols {
|
||||
errno_t sss_load_nss_symbols(struct sss_nss_ops *ops, const char *libname,
|
||||
struct sss_nss_symbols *syms, size_t nsyms);
|
||||
|
||||
-errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops);
|
||||
|
||||
#endif /* __SSSD_NSS_DL_LOAD_H__ */
|
||||
diff --git a/src/util/nss_dl_load_extra.c b/src/util/nss_dl_load_extra.c
|
||||
deleted file mode 100644
|
||||
index 162957025..000000000
|
||||
--- a/src/util/nss_dl_load_extra.c
|
||||
+++ /dev/null
|
||||
@@ -1,40 +0,0 @@
|
||||
-/*
|
||||
- SSSD
|
||||
-
|
||||
- nss_dl_load_extra.c
|
||||
-
|
||||
- Authors:
|
||||
- Sumit Bose <sbose@redhat.com>
|
||||
- Iker Pedrosa <ipedrosa@redhat.com>
|
||||
-
|
||||
- Copyright (C) 2021 Red Hat
|
||||
-
|
||||
- This program is free software; you can redistribute it and/or modify
|
||||
- it under the terms of the GNU General Public License as published by
|
||||
- the Free Software Foundation; either version 3 of the License, or
|
||||
- (at your option) any later version.
|
||||
-
|
||||
- This program is distributed in the hope that it will be useful,
|
||||
- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
- GNU General Public License for more details.
|
||||
-
|
||||
- You should have received a copy of the GNU General Public License
|
||||
- along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
-*/
|
||||
-
|
||||
-#include "util/nss_dl_load.h"
|
||||
-
|
||||
-errno_t sss_load_nss_pw_symbols(struct sss_nss_ops *ops)
|
||||
-{
|
||||
- errno_t ret;
|
||||
- struct sss_nss_symbols syms[] = {
|
||||
- {(void*)&ops->getpwnam_r, true, "getpwnam_r" },
|
||||
- {(void*)&ops->getpwuid_r, true, "getpwuid_r" }
|
||||
- };
|
||||
- size_t nsyms = sizeof(syms) / sizeof(struct sss_nss_symbols);
|
||||
-
|
||||
- ret = sss_load_nss_symbols(ops, "files", syms, nsyms);
|
||||
-
|
||||
- return ret;
|
||||
-}
|
||||
diff --git a/src/util/usertools.c b/src/util/usertools.c
|
||||
index 33315a798..511fb2d5d 100644
|
||||
--- a/src/util/usertools.c
|
||||
+++ b/src/util/usertools.c
|
||||
@@ -27,14 +27,12 @@
|
||||
|
||||
#include "db/sysdb.h"
|
||||
#include "confdb/confdb.h"
|
||||
-#include "util/nss_dl_load.h"
|
||||
#include "util/strtonum.h"
|
||||
#include "util/util.h"
|
||||
#include "util/safe-format-string.h"
|
||||
#include "responder/common/responder.h"
|
||||
|
||||
#define NAME_DOMAIN_PATTERN_OPTIONS (SSS_REGEXP_DUPNAMES | SSS_REGEXP_EXTENDED)
|
||||
-#define NSS_BUFFER_SIZE 16384
|
||||
|
||||
/* Function returns given realm name as new uppercase string */
|
||||
char *get_uppercase_realm(TALLOC_CTX *memctx, const char *name)
|
||||
@@ -568,23 +566,10 @@ sss_fqname(char *str, size_t size, struct sss_names_ctx *nctx,
|
||||
|
||||
errno_t sss_user_by_name_or_uid(const char *input, uid_t *_uid, gid_t *_gid)
|
||||
{
|
||||
- static struct sss_nss_ops nss_ops;
|
||||
uid_t uid;
|
||||
errno_t ret;
|
||||
char *endptr;
|
||||
- struct passwd pwd = { 0 };
|
||||
- int errnop = 0;
|
||||
- enum nss_status status;
|
||||
- static char s_nss_buffer[NSS_BUFFER_SIZE];
|
||||
-
|
||||
- if (!nss_ops.dl_handle) {
|
||||
- ret = sss_load_nss_pw_symbols(&nss_ops);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Unable to load NSS symbols [%d]: %s\n",
|
||||
- ret, sss_strerror(ret));
|
||||
- return ret;
|
||||
- }
|
||||
- }
|
||||
+ struct passwd *pwd;
|
||||
|
||||
/* Try if it's an ID first */
|
||||
uid = strtouint32(input, &endptr, 10);
|
||||
@@ -596,27 +581,26 @@ errno_t sss_user_by_name_or_uid(const char *input, uid_t *_uid, gid_t *_gid)
|
||||
return ret;
|
||||
}
|
||||
|
||||
- status = nss_ops.getpwnam_r(input, &pwd, s_nss_buffer, NSS_BUFFER_SIZE, &errnop);
|
||||
+ /* Nope, maybe a username? */
|
||||
+ pwd = getpwnam(input);
|
||||
} else {
|
||||
- status = nss_ops.getpwuid_r(uid, &pwd, s_nss_buffer, NSS_BUFFER_SIZE, &errnop);
|
||||
+ pwd = getpwuid(uid);
|
||||
}
|
||||
|
||||
- if (status != NSS_STATUS_SUCCESS) {
|
||||
+ if (pwd == NULL) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"[%s] is neither a valid UID nor a user name which could be "
|
||||
- "resolved by getpwnam() [%d][%s]. status returned [%d]\n",
|
||||
- input, errnop, strerror(errnop), status);
|
||||
+ "resolved by getpwnam().\n", input);
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
if (_uid) {
|
||||
- *_uid = pwd.pw_uid;
|
||||
+ *_uid = pwd->pw_uid;
|
||||
}
|
||||
|
||||
if (_gid) {
|
||||
- *_gid = pwd.pw_gid;
|
||||
+ *_gid = pwd->pw_gid;
|
||||
}
|
||||
-
|
||||
return EOK;
|
||||
}
|
||||
|
||||
--
|
||||
2.26.3
|
||||
|
||||
|
|
@ -0,0 +1,218 @@
|
|||
From e1bfbc2493c4194988acc3b2413df3dde0735ae3 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 8 Nov 2023 14:50:24 +0100
|
||||
Subject: [PATCH] ad-gpo: use hash to store intermediate results
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently after the evaluation of a single GPO file the intermediate
|
||||
results are stored in the cache and this cache entry is updated until
|
||||
all applicable GPO files are evaluated. Finally the data in the cache is
|
||||
used to make the decision of access is granted or rejected.
|
||||
|
||||
If there are two or more access-control request running in parallel one
|
||||
request might overwrite the cache object with intermediate data while
|
||||
another request reads the cached data for the access decision and as a
|
||||
result will do this decision based on intermediate data.
|
||||
|
||||
To avoid this the intermediate results are not stored in the cache
|
||||
anymore but in hash tables which are specific to the request. Only the
|
||||
final result is written to the cache to have it available for offline
|
||||
authentication.
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
|
||||
1 file changed, 102 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index 3d1ad39c7..b879b0a08 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -1431,6 +1431,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static errno_t
|
||||
+add_result_to_hash(hash_table_t *hash, const char *key, char *value)
|
||||
+{
|
||||
+ int hret;
|
||||
+ hash_key_t k;
|
||||
+ hash_value_t v;
|
||||
+
|
||||
+ if (hash == NULL || key == NULL || value == NULL) {
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ k.type = HASH_KEY_CONST_STRING;
|
||||
+ k.c_str = key;
|
||||
+
|
||||
+ v.type = HASH_VALUE_PTR;
|
||||
+ v.ptr = value;
|
||||
+
|
||||
+ hret = hash_enter(hash, &k, &v);
|
||||
+ if (hret != HASH_SUCCESS) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
|
||||
+ key, value, hash_error_string(hret));
|
||||
+ return EIO;
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
|
||||
* and stores the allow_key and deny_key of all of the gpo_map_types present
|
||||
@@ -1438,6 +1465,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
|
||||
*/
|
||||
static errno_t
|
||||
ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
+ hash_table_t *allow_maps, hash_table_t *deny_maps,
|
||||
const char *filename)
|
||||
{
|
||||
struct ini_cfgfile *file_ctx = NULL;
|
||||
@@ -1571,14 +1599,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
goto done;
|
||||
} else if (ret != ENOENT) {
|
||||
const char *value = allow_value ? allow_value : empty_val;
|
||||
- ret = sysdb_gpo_store_gpo_result_setting(domain,
|
||||
- allow_key,
|
||||
- value);
|
||||
+ ret = add_result_to_hash(allow_maps, allow_key,
|
||||
+ talloc_strdup(allow_maps, value));
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "sysdb_gpo_store_gpo_result_setting failed for key:"
|
||||
- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
|
||||
- ret, sss_strerror(ret));
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
|
||||
+ "value: [%s] to allow maps "
|
||||
+ "[%d][%s].\n",
|
||||
+ allow_key, value, ret,
|
||||
+ sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
@@ -1598,14 +1626,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
goto done;
|
||||
} else if (ret != ENOENT) {
|
||||
const char *value = deny_value ? deny_value : empty_val;
|
||||
- ret = sysdb_gpo_store_gpo_result_setting(domain,
|
||||
- deny_key,
|
||||
- value);
|
||||
+ ret = add_result_to_hash(deny_maps, deny_key,
|
||||
+ talloc_strdup(deny_maps, value));
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "sysdb_gpo_store_gpo_result_setting failed for key:"
|
||||
- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
|
||||
- ret, sss_strerror(ret));
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
|
||||
+ "value: [%s] to deny maps "
|
||||
+ "[%d][%s].\n",
|
||||
+ deny_key, value, ret,
|
||||
+ sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
@@ -1902,6 +1930,8 @@ struct ad_gpo_access_state {
|
||||
int num_cse_filtered_gpos;
|
||||
int cse_gpo_index;
|
||||
const char *ad_domain;
|
||||
+ hash_table_t *allow_maps;
|
||||
+ hash_table_t *deny_maps;
|
||||
};
|
||||
|
||||
static void ad_gpo_connect_done(struct tevent_req *subreq);
|
||||
@@ -2023,6 +2053,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
|
||||
goto immediately;
|
||||
}
|
||||
|
||||
+ ret = sss_hash_create(state, 0, &state->allow_maps);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
|
||||
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
|
||||
+ goto immediately;
|
||||
+ }
|
||||
+
|
||||
+ ret = sss_hash_create(state, 0, &state->deny_maps);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
|
||||
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
|
||||
+ goto immediately;
|
||||
+ }
|
||||
|
||||
subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
|
||||
if (subreq == NULL) {
|
||||
@@ -2713,6 +2756,43 @@ ad_gpo_cse_step(struct tevent_req *req)
|
||||
return EAGAIN;
|
||||
}
|
||||
|
||||
+static errno_t
|
||||
+store_hash_maps_in_cache(struct sss_domain_info *domain,
|
||||
+ hash_table_t *allow_maps, hash_table_t *deny_maps)
|
||||
+{
|
||||
+ int ret;
|
||||
+ struct hash_iter_context_t *iter;
|
||||
+ hash_entry_t *entry;
|
||||
+ size_t c;
|
||||
+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
|
||||
+
|
||||
+
|
||||
+ for (c = 0; hash_list[c] != NULL; c++) {
|
||||
+ iter = new_hash_iter_context(hash_list[c]);
|
||||
+ if (iter == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
|
||||
+ return EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ while ((entry = iter->next(iter)) != NULL) {
|
||||
+ ret = sysdb_gpo_store_gpo_result_setting(domain,
|
||||
+ entry->key.c_str,
|
||||
+ entry->value.ptr);
|
||||
+ if (ret != EOK) {
|
||||
+ free(iter);
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "sysdb_gpo_store_gpo_result_setting failed for key:"
|
||||
+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
|
||||
+ (char *) entry->value.ptr, ret, sss_strerror(ret));
|
||||
+ return ret;
|
||||
+ }
|
||||
+ }
|
||||
+ talloc_free(iter);
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* This cse-specific function (GP_EXT_GUID_SECURITY) increments the
|
||||
* cse_gpo_index until the policy settings for all applicable GPOs have been
|
||||
@@ -2754,6 +2834,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
|
||||
* (as part of the GPO Result object in the sysdb cache).
|
||||
*/
|
||||
ret = ad_gpo_store_policy_settings(state->host_domain,
|
||||
+ state->allow_maps, state->deny_maps,
|
||||
cse_filtered_gpo->policy_filename);
|
||||
if (ret != EOK && ret != ENOENT) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
@@ -2767,6 +2848,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
|
||||
|
||||
if (ret == EOK) {
|
||||
/* ret is EOK only after all GPO policy files have been downloaded */
|
||||
+ ret = store_hash_maps_in_cache(state->host_domain,
|
||||
+ state->allow_maps, state->deny_maps);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
|
||||
+ "[%d][%s].\n", ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
ret = ad_gpo_perform_hbac_processing(state,
|
||||
state->gpo_mode,
|
||||
state->gpo_map_type,
|
||||
--
|
||||
2.44.0
|
||||
|
||||
|
|
@ -1,62 +0,0 @@
|
|||
From 3c6218aa91026e066e793ee26333ea64fd6bc50e Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Mon, 11 Apr 2022 22:49:30 +0200
|
||||
Subject: [PATCH 6/6] Revert "man: sssd.conf and sssd-ifp clarify user option"
|
||||
|
||||
This reverts commit 3d25724dc63dffb6d734790e58b1647e3a64e84f.
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/man/sssd-ifp.5.xml | 5 -----
|
||||
src/man/sssd.conf.5.xml | 11 -----------
|
||||
2 files changed, 16 deletions(-)
|
||||
|
||||
diff --git a/src/man/sssd-ifp.5.xml b/src/man/sssd-ifp.5.xml
|
||||
index d3080537a..1c35d58a8 100644
|
||||
--- a/src/man/sssd-ifp.5.xml
|
||||
+++ b/src/man/sssd-ifp.5.xml
|
||||
@@ -71,11 +71,6 @@
|
||||
responder. User names are resolved to UIDs at
|
||||
startup.
|
||||
</para>
|
||||
- <para>
|
||||
- Local user names are required, i.e. accessible via
|
||||
- <quote>files</quote> service of
|
||||
- <filename>nsswitch.conf</filename>.
|
||||
- </para>
|
||||
<para>
|
||||
Default: 0 (only the root user is allowed to access
|
||||
the InfoPipe responder)
|
||||
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
||||
index b6c5912f9..1b8ea7398 100644
|
||||
--- a/src/man/sssd.conf.5.xml
|
||||
+++ b/src/man/sssd.conf.5.xml
|
||||
@@ -423,12 +423,6 @@
|
||||
responder.
|
||||
</phrase>
|
||||
</para>
|
||||
- <para>
|
||||
- Both a user name and a uid can be used but the
|
||||
- user should be a local one, i.e. accessible via
|
||||
- <quote>files</quote> service of
|
||||
- <filename>nsswitch.conf</filename>.
|
||||
- </para>
|
||||
<para>
|
||||
Default: not set, process will run as root
|
||||
</para>
|
||||
@@ -2168,11 +2162,6 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
|
||||
responder. User names are resolved to UIDs at
|
||||
startup.
|
||||
</para>
|
||||
- <para>
|
||||
- Local user names are required, i.e. accessible via
|
||||
- <quote>files</quote> service of
|
||||
- <filename>nsswitch.conf</filename>.
|
||||
- </para>
|
||||
<para>
|
||||
Default: 0 (only the root user is allowed to access
|
||||
the PAC responder)
|
||||
--
|
||||
2.26.3
|
||||
|
||||
|
|
@ -1,175 +0,0 @@
|
|||
From 51e92297157562511baf8902777f02a4aa2e70e6 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Tue, 15 Mar 2022 11:36:45 +0100
|
||||
Subject: [PATCH] ad: use right sdap_domain in ad_domain_info_send
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Originally ad_domain_info_send() was only called when there was only a
|
||||
single domain available and hence only a single sdap_domain struct with
|
||||
the search bases in the sdap_domain list. Since ad_domain_info_send() is
|
||||
now called at other times as well the right sdap_domain struct must be
|
||||
selected so that the right search bases are used.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6063
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_domain_info.c | 10 +++++-
|
||||
src/providers/ldap/ldap_common.h | 3 ++
|
||||
src/providers/ldap/sdap_domain.c | 21 ++++++++++++
|
||||
src/tests/cmocka/test_search_bases.c | 48 +++++++++++++++++++++++++++-
|
||||
4 files changed, 80 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
|
||||
index 52b2e2442..f3a82a198 100644
|
||||
--- a/src/providers/ad/ad_domain_info.c
|
||||
+++ b/src/providers/ad/ad_domain_info.c
|
||||
@@ -181,6 +181,7 @@ struct ad_domain_info_state {
|
||||
struct sdap_id_op *id_op;
|
||||
struct sdap_id_ctx *id_ctx;
|
||||
struct sdap_options *opts;
|
||||
+ struct sdap_domain *sdom;
|
||||
|
||||
const char *dom_name;
|
||||
int base_iter;
|
||||
@@ -215,6 +216,13 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx,
|
||||
state->id_ctx = conn->id_ctx;
|
||||
state->opts = conn->id_ctx->opts;
|
||||
state->dom_name = dom_name;
|
||||
+ state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name);
|
||||
+ if (state->sdom == NULL || state->sdom->search_bases == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto immediate;
|
||||
+ }
|
||||
+
|
||||
|
||||
ret = ad_domain_info_next(req);
|
||||
if (ret != EOK && ret != EAGAIN) {
|
||||
@@ -243,7 +251,7 @@ ad_domain_info_next(struct tevent_req *req)
|
||||
struct ad_domain_info_state *state =
|
||||
tevent_req_data(req, struct ad_domain_info_state);
|
||||
|
||||
- base = state->opts->sdom->search_bases[state->base_iter];
|
||||
+ base = state->sdom->search_bases[state->base_iter];
|
||||
if (base == NULL) {
|
||||
return EOK;
|
||||
}
|
||||
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
|
||||
index c78338b5d..426ee68df 100644
|
||||
--- a/src/providers/ldap/ldap_common.h
|
||||
+++ b/src/providers/ldap/ldap_common.h
|
||||
@@ -391,6 +391,9 @@ sdap_domain_remove(struct sdap_options *opts,
|
||||
struct sdap_domain *sdap_domain_get(struct sdap_options *opts,
|
||||
struct sss_domain_info *dom);
|
||||
|
||||
+struct sdap_domain *sdap_domain_get_by_name(struct sdap_options *opts,
|
||||
+ const char *dom_name);
|
||||
+
|
||||
struct sdap_domain *sdap_domain_get_by_dn(struct sdap_options *opts,
|
||||
const char *dn);
|
||||
|
||||
diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
|
||||
index fa6e9340d..1785dd20d 100644
|
||||
--- a/src/providers/ldap/sdap_domain.c
|
||||
+++ b/src/providers/ldap/sdap_domain.c
|
||||
@@ -44,6 +44,27 @@ sdap_domain_get(struct sdap_options *opts,
|
||||
return sditer;
|
||||
}
|
||||
|
||||
+struct sdap_domain *
|
||||
+sdap_domain_get_by_name(struct sdap_options *opts,
|
||||
+ const char *dom_name)
|
||||
+{
|
||||
+ struct sdap_domain *sditer = NULL;
|
||||
+
|
||||
+ if (dom_name == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Missing domain name.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ DLIST_FOR_EACH(sditer, opts->sdom) {
|
||||
+ if (sditer->dom->name != NULL
|
||||
+ && strcasecmp(sditer->dom->name, dom_name) == 0) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return sditer;
|
||||
+}
|
||||
+
|
||||
struct sdap_domain *
|
||||
sdap_domain_get_by_dn(struct sdap_options *opts,
|
||||
const char *dn)
|
||||
diff --git a/src/tests/cmocka/test_search_bases.c b/src/tests/cmocka/test_search_bases.c
|
||||
index 109fa04bf..3276cf118 100644
|
||||
--- a/src/tests/cmocka/test_search_bases.c
|
||||
+++ b/src/tests/cmocka/test_search_bases.c
|
||||
@@ -176,6 +176,51 @@ void test_get_by_dn_fail(void **state)
|
||||
do_test_get_by_dn(dn, dns, 1, dns2, 1, DN_NOT_IN_DOMS);
|
||||
}
|
||||
|
||||
+void test_sdap_domain_get_by_name(void **state)
|
||||
+{
|
||||
+ struct sdap_options *opts;
|
||||
+ struct sss_domain_info dom1 = { 0 };
|
||||
+ dom1.name = discard_const("dom1");
|
||||
+ struct sss_domain_info dom2 = { 0 };
|
||||
+ dom2.name = discard_const("dom2");
|
||||
+ struct sss_domain_info dom3 = { 0 };
|
||||
+ dom3.name = discard_const("dom3");
|
||||
+ int ret;
|
||||
+ struct sdap_domain *sdom;
|
||||
+
|
||||
+ opts = talloc_zero(NULL, struct sdap_options);
|
||||
+ assert_non_null(opts);
|
||||
+
|
||||
+ ret = sdap_domain_add(opts, &dom1, NULL);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ ret = sdap_domain_add(opts, &dom2, NULL);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ ret = sdap_domain_add(opts, &dom3, NULL);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ sdom = sdap_domain_get_by_name(opts, NULL);
|
||||
+ assert_null(sdom);
|
||||
+
|
||||
+ sdom = sdap_domain_get_by_name(opts, "abc");
|
||||
+ assert_null(sdom);
|
||||
+
|
||||
+ sdom = sdap_domain_get_by_name(opts, "dom1");
|
||||
+ assert_non_null(sdom);
|
||||
+ assert_ptr_equal(sdom->dom, &dom1);
|
||||
+
|
||||
+ sdom = sdap_domain_get_by_name(opts, "dom2");
|
||||
+ assert_non_null(sdom);
|
||||
+ assert_ptr_equal(sdom->dom, &dom2);
|
||||
+
|
||||
+ sdom = sdap_domain_get_by_name(opts, "dom3");
|
||||
+ assert_non_null(sdom);
|
||||
+ assert_ptr_equal(sdom->dom, &dom3);
|
||||
+
|
||||
+ talloc_free(opts);
|
||||
+}
|
||||
+
|
||||
int main(void)
|
||||
{
|
||||
const struct CMUnitTest tests[] = {
|
||||
@@ -183,7 +228,8 @@ int main(void)
|
||||
cmocka_unit_test(test_search_bases_success),
|
||||
cmocka_unit_test(test_get_by_dn_fail),
|
||||
cmocka_unit_test(test_get_by_dn),
|
||||
- cmocka_unit_test(test_get_by_dn2)
|
||||
+ cmocka_unit_test(test_get_by_dn2),
|
||||
+ cmocka_unit_test(test_sdap_domain_get_by_name)
|
||||
};
|
||||
|
||||
return cmocka_run_group_tests(tests, NULL, NULL);
|
||||
--
|
||||
2.34.3
|
||||
|
||||
|
|
@ -1,58 +0,0 @@
|
|||
From 80ffa314c669feaaffe487d8ea5004c149d948c8 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 23 May 2022 09:05:43 +0200
|
||||
Subject: [PATCH] ad: add fallback in ad_domain_info_send()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Commit 51e92297157562511baf8902777f02a4aa2e70e6 allowed
|
||||
ad_domain_info_send() to handle multiple domains by searching for the
|
||||
matching sdap_domain data. Unfortunately it assumed that the configured
|
||||
name and the DNS domain name are always matching. This is true for all
|
||||
sub-domains discovered at runtime by DNS lookups but might not be true
|
||||
for the domain configured in sssd.conf. Since the configured domain is
|
||||
the first in the list of sdap_domain data it will be used as a fallback
|
||||
in case no data could be found by name.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6170
|
||||
|
||||
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 71b14474bec82a0c57065ad45915ebfeb9e3d03e)
|
||||
---
|
||||
src/providers/ad/ad_domain_info.c | 17 ++++++++++++++++-
|
||||
1 file changed, 16 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c
|
||||
index f3a82a198..9583c74b9 100644
|
||||
--- a/src/providers/ad/ad_domain_info.c
|
||||
+++ b/src/providers/ad/ad_domain_info.c
|
||||
@@ -217,8 +217,23 @@ ad_domain_info_send(TALLOC_CTX *mem_ctx,
|
||||
state->opts = conn->id_ctx->opts;
|
||||
state->dom_name = dom_name;
|
||||
state->sdom = sdap_domain_get_by_name(state->opts, state->dom_name);
|
||||
+ /* The first domain in the list is the domain configured in sssd.conf and
|
||||
+ * here it might be possible that the domain name from the config file and
|
||||
+ * the DNS domain name do not match. All other sub-domains are discovered
|
||||
+ * at runtime with the help of DNS lookups so it is expected that the
|
||||
+ * names matches. Hence it makes sense to fall back to the first entry in
|
||||
+ * the list if no matching domain was found since it is most probably
|
||||
+ * related to the configured domain. */
|
||||
+ if (state->sdom == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "No internal domain data found for [%s], "
|
||||
+ "falling back to first domain.\n",
|
||||
+ state->dom_name);
|
||||
+ state->sdom = state->opts->sdom;
|
||||
+ }
|
||||
if (state->sdom == NULL || state->sdom->search_bases == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Missing internal domain data.\n");
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Missing internal domain data for domain [%s].\n",
|
||||
+ state->dom_name);
|
||||
ret = EINVAL;
|
||||
goto immediate;
|
||||
}
|
||||
--
|
||||
2.34.3
|
||||
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From 0eae7db9e06645ef88d0cf15672770776293edb5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Mon, 23 May 2022 11:05:01 +0200
|
||||
Subject: [PATCH] pam_sss_gss: KRB5CCNAME may be NULL
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6180
|
||||
|
||||
:fixes: A regression in pam_sss_gss module causing a failure if
|
||||
KRB5CCNAME environment variable was not set was fixed.
|
||||
|
||||
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit 9aad30711a5928f0e8a3627305b6449291de507f)
|
||||
---
|
||||
src/sss_client/pam_sss_gss.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
|
||||
index 51047efc3..77a58e4cf 100644
|
||||
--- a/src/sss_client/pam_sss_gss.c
|
||||
+++ b/src/sss_client/pam_sss_gss.c
|
||||
@@ -492,7 +492,8 @@ static errno_t sss_cli_getenv(const char *variable_name, char **_value)
|
||||
{
|
||||
char *value = getenv(variable_name);
|
||||
if (value == NULL) {
|
||||
- return ENOENT;
|
||||
+ *_value = NULL;
|
||||
+ return EOK;
|
||||
}
|
||||
|
||||
*_value = strdup(value);
|
||||
--
|
||||
2.34.3
|
||||
|
||||
1400
SPECS/sssd.spec
1400
SPECS/sssd.spec
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue