e37379577b
prompts (e.g. Password + Token) - Resolves: rhbz#1313041 - ssh with sssd proxy fails with "Connection closed by remote host" if locale not available
From 75dabe3ec5398359f4cccfcd616959cd921cced2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 18 Feb 2016 13:03:44 +0100
Subject: [PATCH 082/108] IPA: lookup idview name even if there is no master
domain record
Currently the IPA subdomain provider returns with an error if there is no
master domain record found. Since this record contains data which is
only needed to create a trust with AD, like e.g. the IPA domain SID,
this record is only created by ipa-adtrust-install. But the idview name
is read after the master domain record. To make the idview feature work
with a plain FreeIPA setup without running ipa-adtrust-install the
missing master domain record should be handled gracefully and the
following lookup should run as well.
Resolves https://fedorahosted.org/sssd/ticket/2960
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b25d33b0a775e2337014a334699156ac56b08f9b)
(cherry picked from commit 022e4575980324c2c68a05b3f250bd1a72bc9885)
---
src/providers/ipa/ipa_subdomains.c | 80 +++++++++++++++++++++-----------------
1 file changed, 44 insertions(+), 36 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index f13847f12a7eae42b13a51e3fe1d09b60878633b..c888279229c891f1d5b8763aa851617a5daedd51 100644
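--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -1219,6 +1219,9 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
 size_t reply_count = 0;
 struct sysdb_attrs **reply = NULL;
 struct ipa_subdomains_req_ctx *ctx;
+ const char *flat = NULL;
+ const char *id = NULL;
+ const char *realm = NULL;
 
 ctx = tevent_req_callback_data(req, struct ipa_subdomains_req_ctx);
 
@@ -1230,10 +1233,6 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
 }
 
 if (reply_count) {
- const char *flat = NULL;
- const char *id = NULL;
- const char *realm;
-
 ret = sysdb_attrs_get_string(reply[0], IPA_FLATNAME, &flat);
 if (ret != EOK) {
 goto done;
@@ -1244,31 +1243,9 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
 goto done;
 }
 
- realm = dp_opt_get_string(ctx->sd_ctx->id_ctx->ipa_options->basic,
- IPA_KRB5_REALM);
- if (realm == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n");
- ret = EINVAL;
- goto done;
- }
-
- ret = sysdb_master_domain_add_info(ctx->sd_ctx->be_ctx->domain,
- realm, flat, id, NULL);
- if (ret != EOK) {
- goto done;
- }
-
 /* There is only one master record. Don't bother checking other IPA
 * search bases; move to checking subdomains instead
 */
- ret = ipa_subdomains_handler_get_start(ctx,
- ctx->sd_ctx->search_bases,
- IPA_SUBDOMAINS_SLAVE);
- if (ret == EAGAIN) {
- return;
- }
-
- /* Either no search bases or an error. End the request in both cases */
 } else {
 ret = ipa_subdomains_handler_get_cont(ctx, IPA_SUBDOMAINS_MASTER);
 if (ret == EAGAIN) {
@@ -1277,17 +1254,48 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
 goto done;
 }
 
- /* Right now we know there has been an error
- * and we don't have the master domain record
- */
- DEBUG(SSSDBG_CRIT_FAILURE, "Master domain record not found!\n");
-
- if (!ctx->sd_ctx->configured_explicit) {
- ctx->sd_ctx->disabled_until = time(NULL) +
- IPA_SUBDOMAIN_DISABLED_PERIOD;
+ /* All search paths are searched and no master domain record was
+ * found.
+ *
+ * A default IPA installation will not have a master domain record,
+ * this is only created by ipa-adtrust-install. Nevertheless we should
+ * continue to read other data like the idview on IPA clients. */
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Master domain record not found!\n");
+
+ }
+
+ realm = dp_opt_get_string(ctx->sd_ctx->id_ctx->ipa_options->basic,
+ IPA_KRB5_REALM);
+ if (realm == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = sysdb_master_domain_add_info(ctx->sd_ctx->be_ctx->domain,
+ realm, flat, id, NULL);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = ipa_subdomains_handler_get_start(ctx,
+ ctx->sd_ctx->search_bases,
+ IPA_SUBDOMAINS_SLAVE);
+ if (ret == EAGAIN) {
+ return;
+ } else if (ret == EOK) {
+ /* If there are no search bases defined for subdomains try to get the
+ * idview before ending the request */
+ if (ctx->sd_ctx->id_ctx->server_mode == NULL) {
+ /* Only get view on clients, on servers it is always 'default' */
+ ret = ipa_get_view_name(ctx);
+ if (ret == EAGAIN) {
+ return;
+ } else if (ret != EOK) {
+ goto done;
+ }
 }
-
- ret = EIO;
 }
 
 done: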
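Review bot: In the fourth hunk the call `sysdb_master_domain_add_info(..., realm, flat, id, NULL)` now also runs when no master domain record was found, so `flat` and `id` reach it as NULL. The callee is not visible here, so its handling of NULL for those two arguments should be confirmed and the intent stated at the call, e.g. `/* flat and id stay NULL on a plain IPA setup without a master domain record */`. The same hunk lowers "Master domain record not found!" from SSSDBG_CRIT_FAILURE to SSSDBG_TRACE_INTERNAL and drops the `disabled_until` back-off. A deployment that does expect the record (a trust has been set up) would then presumably get no default-level log entry when it is missing, so consider keeping a more visible level for that case. The body of ipa_subdomains_handler_master_done starts and ends outside the hunks.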
--
2.7.3