sssd/0082-IPA-lookup-idview-name-even-if-there-is-no-master-do.patch
Lukas Slebodnik e37379577b Resolves: rhbz#1276868 - Sudo PAM Login should support multiple password
prompts (e.g. Password + Token)
- Resolves: rhbz#1313041 - ssh with sssd proxy fails with "Connection closed
                           by remote host" if locale not available
2016-03-22 09:06:29 +01:00

144 lines
5.4 KiB
Diff

From 75dabe3ec5398359f4cccfcd616959cd921cced2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 18 Feb 2016 13:03:44 +0100
Subject: [PATCH 082/108] IPA: lookup idview name even if there is no master
domain record
Currently the IPA subdomain provider returns with a error if there is no
master domain record found. Since this record contains data which is
only needed to create a trust with AD, like e.g. the IPA domain SID,
this record is only created by ipa-adtrust-install. But the idview name
is read after the master domain record. To make the idview feature work
with a plain FreeIPA setup without running ipa-adtrust-install the
missing master domain record should be handled gracefully and the
following lookup should run as well.
Resolves https://fedorahosted.org/sssd/ticket/2960
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b25d33b0a775e2337014a334699156ac56b08f9b)
(cherry picked from commit 022e4575980324c2c68a05b3f250bd1a72bc9885)
---
src/providers/ipa/ipa_subdomains.c | 80 +++++++++++++++++++++-----------------
1 file changed, 44 insertions(+), 36 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index f13847f12a7eae42b13a51e3fe1d09b60878633b..c888279229c891f1d5b8763aa851617a5daedd51 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -1219,6 +1219,9 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
size_t reply_count = 0;
struct sysdb_attrs **reply = NULL;
struct ipa_subdomains_req_ctx *ctx;
+ const char *flat = NULL;
+ const char *id = NULL;
+ const char *realm = NULL;
ctx = tevent_req_callback_data(req, struct ipa_subdomains_req_ctx);
@@ -1230,10 +1233,6 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
}
if (reply_count) {
- const char *flat = NULL;
- const char *id = NULL;
- const char *realm;
-
ret = sysdb_attrs_get_string(reply[0], IPA_FLATNAME, &flat);
if (ret != EOK) {
goto done;
@@ -1244,31 +1243,9 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
goto done;
}
- realm = dp_opt_get_string(ctx->sd_ctx->id_ctx->ipa_options->basic,
- IPA_KRB5_REALM);
- if (realm == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n");
- ret = EINVAL;
- goto done;
- }
-
- ret = sysdb_master_domain_add_info(ctx->sd_ctx->be_ctx->domain,
- realm, flat, id, NULL);
- if (ret != EOK) {
- goto done;
- }
-
/* There is only one master record. Don't bother checking other IPA
* search bases; move to checking subdomains instead
*/
- ret = ipa_subdomains_handler_get_start(ctx,
- ctx->sd_ctx->search_bases,
- IPA_SUBDOMAINS_SLAVE);
- if (ret == EAGAIN) {
- return;
- }
-
- /* Either no search bases or an error. End the request in both cases */
} else {
ret = ipa_subdomains_handler_get_cont(ctx, IPA_SUBDOMAINS_MASTER);
if (ret == EAGAIN) {
@@ -1277,17 +1254,48 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
goto done;
}
- /* Right now we know there has been an error
- * and we don't have the master domain record
- */
- DEBUG(SSSDBG_CRIT_FAILURE, "Master domain record not found!\n");
-
- if (!ctx->sd_ctx->configured_explicit) {
- ctx->sd_ctx->disabled_until = time(NULL) +
- IPA_SUBDOMAIN_DISABLED_PERIOD;
+ /* All search paths are searched and no master domain record was
+ * found.
+ *
+ * A default IPA installation will not have a master domain record,
+ * this is only created by ipa-adtrust-install. Nevertheless we should
+ * continue to read other data like the idview on IPA clients. */
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Master domain record not found!\n");
+
+ }
+
+ realm = dp_opt_get_string(ctx->sd_ctx->id_ctx->ipa_options->basic,
+ IPA_KRB5_REALM);
+ if (realm == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = sysdb_master_domain_add_info(ctx->sd_ctx->be_ctx->domain,
+ realm, flat, id, NULL);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = ipa_subdomains_handler_get_start(ctx,
+ ctx->sd_ctx->search_bases,
+ IPA_SUBDOMAINS_SLAVE);
+ if (ret == EAGAIN) {
+ return;
+ } else if (ret == EOK) {
+ /* If there are no search bases defined for subdomains try to get the
+ * idview before ending the request */
+ if (ctx->sd_ctx->id_ctx->server_mode == NULL) {
+ /* Only get view on clients, on servers it is always 'default' */
+ ret = ipa_get_view_name(ctx);
+ if (ret == EAGAIN) {
+ return;
+ } else if (ret != EOK) {
+ goto done;
+ }
}
-
- ret = EIO;
}
done:
--
2.7.3