From 1e7b7da3aa56060c26f8ba1c08318cdee77753ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 14 Aug 2017 15:46:10 +0200
Subject: [PATCH 64/93] NEGCACHE: Always add "root" to the negative cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
|
||
|
|
||
|
The current code only adds "root" to the negative cache in case there's
any other user or group set up to be added.
|
||
|
|
||
|
As SSSD doesn't handle "root", it should *always* be added to the
negative cache.
|
||
|
|
||
|
Related: https://pagure.io/SSSD/sssd/issue/3460
|
||
|
|
||
|
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||
|
|
||
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/common/negcache.c | 88 +++++++++++++++++++++++++----------------
1 file changed, 54 insertions(+), 34 deletions(-)
|
||
|
|
||
|
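diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 376c3e6565f218067b57f564ffab06f40e0ae0ca..fc5ae76bce2daf0575d19c89fcd4682f771cc0a2 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -771,8 +771,8 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 struct resp_ctx *rctx)
 {
 errno_t ret;
- bool filter_set = false;
 char **filter_list = NULL;
+ char **default_list = NULL;
 char *name = NULL;
 struct sss_domain_info *dom = NULL;
 struct sss_domain_info *domain_list = rctx->domains;
@@ -801,7 +801,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 &filter_list);
 if (ret == ENOENT) continue;
 if (ret != EOK) goto done;
- filter_set = true;
 
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -847,22 +846,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 /* Populate non domain-specific negative cache user entries */
 ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
 CONFDB_NSS_FILTER_USERS, &filter_list);
- if (ret == ENOENT) {
- if (!filter_set) {
- filter_list = talloc_array(tmpctx, char *, 2);
- if (!filter_list) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[0] = talloc_strdup(tmpctx, "root");
- if (!filter_list[0]) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[1] = NULL;
- }
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
 }
- else if (ret != EOK) goto done;
 
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -922,7 +908,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 }
 
 /* Populate domain-specific negative cache group entries */
- filter_set = false;
 for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) {
 conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name);
 if (!conf_path) {
@@ -935,7 +920,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 CONFDB_NSS_FILTER_GROUPS, &filter_list);
 if (ret == ENOENT) continue;
 if (ret != EOK) goto done;
- filter_set = true;
 
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name(tmpctx, dom->names, filter_list[i],
@@ -975,22 +959,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 /* Populate non domain-specific negative cache group entries */
 ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
 CONFDB_NSS_FILTER_GROUPS, &filter_list);
- if (ret == ENOENT) {
- if (!filter_set) {
- filter_list = talloc_array(tmpctx, char *, 2);
- if (!filter_list) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[0] = talloc_strdup(tmpctx, "root");
- if (!filter_list[0]) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[1] = NULL;
- }
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
 }
- else if (ret != EOK) goto done;
 
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -1049,6 +1020,55 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 }
 }
 
+ /* SSSD doesn't handle "root", thus it'll be added to the negative cache
+ * nonetheless what's already added there. */
+ default_list = talloc_array(tmpctx, char *, 2);
+ if (default_list == NULL) {
+ ret= ENOMEM;
+ goto done;
+ }
+ default_list[0] = talloc_strdup(tmpctx, "root");
+ if (default_list[0] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ default_list[1] = NULL;
+
+ /* Populate negative cache users and groups entries for the
+ * "default_list" */
+ for (i = 0; (default_list != NULL && default_list[i] != NULL); i++) {
+ for (dom = domain_list;
+ dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
+ fqname = sss_create_internal_fqname(tmpctx,
+ default_list[i],
+ dom->name);
+ if (fqname == NULL) {
+ continue;
+ }
+
+ ret = sss_ncache_set_user(ncache, true, dom, fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to store permanent user filter for"
+ " [%s:%s] (%d [%s])\n",
+ dom->name, default_list[i],
+ ret, strerror(ret));
+ continue;
+ }
+
+ ret = sss_ncache_set_group(ncache, true, dom, fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to store permanent group filter for"
+ " [%s:%s] (%d [%s])\n",
+ dom->name, default_list[i],
+ ret, strerror(ret));
+ continue;
+ }
+ }
+ }
+
 ret = EOK;
 
 done: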
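Review bot: In the last hunk's `default_list` loop, a failed `sss_ncache_set_user()` hits `continue;` and so skips `sss_ncache_set_group()` for that domain, and a NULL from `sss_create_internal_fqname()` is skipped with no log at all; the function then still reaches `ret = EOK;`. Since the stated goal is that "root" is always in the negative cache, a partial failure here can leave root lookups unfiltered for a domain without the caller knowing. I would drop the `continue;` in the user-failure branch so the group entry is still attempted, and handle the NULL case like the allocations just above it: `ret = ENOMEM; goto done;`. `fqname` is not declared in any visible hunk, so presumably it already exists earlier in `sss_ncache_prepopulate`, whose body starts and ends outside these hunks. Minor style: `ret= ENOMEM;` is missing a space, and the new comment reads better as `regardless of what's already added there`.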
--
2.14.1