rpms/sssd
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

New upstream release 1.13.1

Browse Source 
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1
This commit is contained in:
Lukas Slebodnik 2015-10-01 08:00:25 +02:00
parent 996f9ec8f7
commit 05c3b14125
18 changed files with 11 additions and 1842 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -64,3 +64,4 @@ sssd-1.2.91.tar.gz
/sssd-1.12.5.tar.gz
/sssd-1.13.0alpha.tar.gz
/sssd-1.13.0.tar.gz
/sssd-1.13.1.tar.gz

25
0001-SSSDConfig-return-list-for-list_active_domains.patch
View File

@ -1,25 +0,0 @@
From adac3439a9f7de30400420c650b3f3b9c80fe285 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 29 Jun 2015 21:54:26 +0200
Subject: [PATCH] SSSDConfig: return list for list_active_domains
---
src/config/SSSDConfig/__init__.py.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index f2d9bf0190745d4a5296c56212e5ff97681db59c..b9219bf1ed52c765e70076faa45cc6621f73b50c 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -1778,7 +1778,7 @@ class SSSDConfig(SSSDChangeConf):
if dom not in configured_domains:
del domain_dict[dom]
- active_domains = domain_dict.keys()
+ active_domains = list(domain_dict.keys())
else:
active_domains = []
--
2.4.3

32
0002-KRB5-Return-right-data-provider-error-code.patch
View File

@ -1,32 +0,0 @@
From 3c0ed7ebf698f69ce1643d0f41d758fc730e06a7 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 14 Jul 2015 12:48:47 +0200
Subject: [PATCH] KRB5: Return right data provider error code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://fedorahosted.org/sssd/ticket/2719
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/providers/krb5/krb5_wait_queue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_wait_queue.c b/src/providers/krb5/krb5_wait_queue.c
index 126209620dcd22889cf7bcb1cbec1890b8891b41..b4d3f903a94c9fdfffc975f1dfd10a27ab653a8d 100644
--- a/src/providers/krb5/krb5_wait_queue.c
+++ b/src/providers/krb5/krb5_wait_queue.c
@@ -366,7 +366,7 @@ int krb5_auth_queue_recv(struct tevent_req *req,
}
if (_dp_err) {
- *_dp_err = state->pam_status;
+ *_dp_err = state->dp_err;
}
TEVENT_REQ_RETURN_ON_ERROR(req);
--
2.4.3

98
0003-DYNDNS-sss_iface_addr_list_get-return-ENOENT.patch
View File

@ -1,98 +0,0 @@
From a74f42e33fd62be175c30574242a214cdce14b06 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Wed, 8 Jul 2015 09:01:24 -0400
Subject: [PATCH 03/14] DYNDNS: sss_iface_addr_list_get return ENOENT
If none of eligible interfaces matches ifname then ENOENT is returned.
Resolves:
https://fedorahosted.org/sssd/ticket/2549
---
src/providers/dp_dyndns.c | 13 +++++++++++--
src/providers/ldap/sdap_dyndns.c | 6 +++++-
src/tests/cmocka/test_dyndns.c | 20 ++++++++++++++++++++
3 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/src/providers/dp_dyndns.c b/src/providers/dp_dyndns.c
index 1cac3d0fae2454cea823ed640a4325f27580353f..2ac43a108ff6197d9e2662198a6da976ca348e76 100644
--- a/src/providers/dp_dyndns.c
+++ b/src/providers/dp_dyndns.c
@@ -222,8 +222,17 @@ sss_iface_addr_list_get(TALLOC_CTX *mem_ctx, const char *ifname,
}
}
- ret = EOK;
- *_addrlist = addrlist;
+ if (addrlist != NULL) {
+ /* OK, some result was found */
+ ret = EOK;
+ *_addrlist = addrlist;
+ } else {
+ /* No result was found */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No IPs usable for DNS was found for interface: %s.\n", ifname);
+ ret = ENOENT;
+ }
+
done:
freeifaddrs(ifaces);
return ret;
diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c
index 0d9c9205792062378aa25aad6ac706058001433a..e99a4f6687035928f6775c38b9df6b2a06d38f38 100644
--- a/src/providers/ldap/sdap_dyndns.c
+++ b/src/providers/ldap/sdap_dyndns.c
@@ -502,8 +502,12 @@ sdap_dyndns_get_addrs_send(TALLOC_CTX *mem_ctx,
if (iface) {
ret = sss_iface_addr_list_get(state, iface, &state->addresses);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
+ DEBUG(ret == ENOENT ? SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE,
"Cannot get list of addresses from interface %s\n", iface);
+ /* non critical failure */
+ if (ret == ENOENT) {
+ ret = EOK;
+ }
}
/* We're done. Just fake an async request completion */
goto done;
diff --git a/src/tests/cmocka/test_dyndns.c b/src/tests/cmocka/test_dyndns.c
index 689e333d4e68c4a2582894d06b8b7b20c76b9be8..3214e90c063ea9a4cf6f6bc6507bf4e37b7d23a4 100644
--- a/src/tests/cmocka/test_dyndns.c
+++ b/src/tests/cmocka/test_dyndns.c
@@ -247,6 +247,23 @@ void dyndns_test_get_multi_ifaddr(void **state)
assert_true(check_leaks_pop(dyndns_test_ctx) == true);
}
+void dyndns_test_get_ifaddr_enoent(void **state)
+{
+ errno_t ret;
+ struct sss_iface_addr *addrlist = NULL;
+
+ check_leaks_push(dyndns_test_ctx);
+ will_return_getifaddrs("eth0", "192.168.0.1");
+ will_return_getifaddrs("eth1", "192.168.0.2");
+ will_return_getifaddrs(NULL, NULL); /* sentinel */
+ ret = sss_iface_addr_list_get(dyndns_test_ctx, "non_existing_interface",
+ &addrlist);
+ assert_int_equal(ret, ENOENT);
+ talloc_free(addrlist);
+
+ assert_true(check_leaks_pop(dyndns_test_ctx) == true);
+}
+
void dyndns_test_ok(void **state)
{
struct tevent_req *req;
@@ -460,6 +477,9 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(dyndns_test_get_multi_ifaddr,
dyndns_test_simple_setup,
dyndns_test_teardown),
+ cmocka_unit_test_setup_teardown(dyndns_test_get_ifaddr_enoent,
+ dyndns_test_simple_setup,
+ dyndns_test_teardown),
/* Dynamic DNS update unit tests*/
cmocka_unit_test_setup_teardown(dyndns_test_ok,
--
2.5.0

194
0004-DYNDNS-support-mult.-interfaces-for-dyndns_iface-opt.patch
View File

@ -1,194 +0,0 @@
From 7a7696e489087f3e02f7d484766dc55112fe7803 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Wed, 8 Jul 2015 09:08:03 -0400
Subject: [PATCH 04/14] DYNDNS: support mult. interfaces for dyndns_iface opt
Resolves:
https://fedorahosted.org/sssd/ticket/2549
---
src/man/sssd-ad.5.xml | 11 +++---
src/man/sssd-ipa.5.xml | 10 ++++--
src/providers/dp_dyndns.c | 6 ++++
src/providers/dp_dyndns.h | 4 +++
src/providers/ldap/sdap_dyndns.c | 72 +++++++++++++++++++++++++++++++++++-----
5 files changed, 87 insertions(+), 16 deletions(-)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 938a443e027b9bf83c75c240a7d6b2a0876b92c8..ff43ea37066514a87934d07b141e680416dcc05b 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -754,15 +754,16 @@ ad_gpo_map_deny = +my_pam_service
<listitem>
<para>
Optional. Applicable only when dyndns_update
- is true. Choose the interface whose IP address
- should be used for dynamic DNS updates.
- </para>
- <para>
- NOTE: This option currently supports only one interface.
+ is true. Choose the interface or a list of interfaces
+ whose IP addresses should be used for dynamic DNS
+ updates.
</para>
<para>
Default: Use the IP address of the AD LDAP connection
</para>
+ <para>
+ Example: dyndns_iface = em1, vnet1, vnet2
+ </para>
</listitem>
</varlistentry>
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 0716b6235f93965170983856b930799bfded6258..d450c2fadbb1713096ff766bf536702195cfd137 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -166,11 +166,12 @@
<listitem>
<para>
Optional. Applicable only when dyndns_update
- is true. Choose the interface whose IP address
- should be used for dynamic DNS updates.
+ is true. Choose the interface or a list of interfaces
+ whose IP addresses should be used for dynamic DNS
+ updates.
</para>
<para>
- NOTE: This option currently supports only one interface.
+ NOTE: This option currently supports multiple interfaces.
</para>
<para>
NOTE: While it is still possible to use the old
@@ -181,6 +182,9 @@
<para>
Default: Use the IP address of the IPA LDAP connection
</para>
+ <para>
+ Example: dyndns_iface = em1, vnet1, vnet2
+ </para>
</listitem>
</varlistentry>
diff --git a/src/providers/dp_dyndns.c b/src/providers/dp_dyndns.c
index 2ac43a108ff6197d9e2662198a6da976ca348e76..76562840ef1d427629e41617b871caaedab779d4 100644
--- a/src/providers/dp_dyndns.c
+++ b/src/providers/dp_dyndns.c
@@ -49,6 +49,12 @@ struct sss_iface_addr {
struct sockaddr_storage *addr;
};
+void sss_iface_addr_concatenate(struct sss_iface_addr **list,
+ struct sss_iface_addr *list2)
+{
+ DLIST_CONCATENATE((*list), list2, struct sss_iface_addr*);
+}
+
struct sss_iface_addr *
sss_iface_addr_add(TALLOC_CTX *mem_ctx, struct sss_iface_addr **list,
struct sockaddr_storage *ss)
diff --git a/src/providers/dp_dyndns.h b/src/providers/dp_dyndns.h
index 23b833dace58a0ecbb1e2e21963a55186f1d06a8..deba112538ad22cd7f59be07934778ee9d4361e7 100644
--- a/src/providers/dp_dyndns.h
+++ b/src/providers/dp_dyndns.h
@@ -128,4 +128,8 @@ nsupdate_get_addrs_recv(struct tevent_req *req,
struct sss_iface_addr **_addrlist,
size_t *_count);
+void
+sss_iface_addr_concatenate(struct sss_iface_addr **list,
+ struct sss_iface_addr *list2);
+
#endif /* DP_DYNDNS_H_ */
diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c
index e99a4f6687035928f6775c38b9df6b2a06d38f38..f5929cff3db6f724efcedeb963e3a12d04f6e1d3 100644
--- a/src/providers/ldap/sdap_dyndns.c
+++ b/src/providers/ldap/sdap_dyndns.c
@@ -482,6 +482,65 @@ static void sdap_dyndns_get_addrs_done(struct tevent_req *subreq);
static errno_t sdap_dyndns_add_ldap_conn(struct sdap_dyndns_get_addrs_state *state,
struct sdap_handle *sh);
+static errno_t get_ifaces_addrs(TALLOC_CTX *mem_ctx,
+ const char *iface,
+ struct sss_iface_addr **_result)
+{
+ struct sss_iface_addr *result_addrs = NULL;
+ struct sss_iface_addr *intf_addrs;
+ TALLOC_CTX *tmp_ctx;
+ char **list_of_intfs;
+ int num_of_intfs;
+ errno_t ret;
+ int i;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = split_on_separator(tmp_ctx, iface, ',', true, true, &list_of_intfs,
+ &num_of_intfs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Parsing names of interfaces failed - %d:[%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ for (i = 0; i < num_of_intfs; i++) {
+ ret = sss_iface_addr_list_get(tmp_ctx, list_of_intfs[i], &intf_addrs);
+ if (ret == EOK) {
+ if (result_addrs != NULL) {
+ /* If there is already an existing list, head of this existing
+ * list will be considered as parent talloc context for the
+ * new list.
+ */
+ talloc_steal(result_addrs, intf_addrs);
+ }
+ sss_iface_addr_concatenate(&result_addrs, intf_addrs);
+ } else if (ret == ENOENT) {
+ /* non-critical failure */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Cannot get interface %s or there are no addresses "
+ "bind to it.\n", list_of_intfs[i]);
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get list of addresses from interface %s - %d:[%s]\n",
+ list_of_intfs[i], ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = EOK;
+ *_result = talloc_steal(mem_ctx, result_addrs);
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
static struct tevent_req *
sdap_dyndns_get_addrs_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
@@ -500,14 +559,11 @@ sdap_dyndns_get_addrs_send(TALLOC_CTX *mem_ctx,
}
if (iface) {
- ret = sss_iface_addr_list_get(state, iface, &state->addresses);
- if (ret != EOK) {
- DEBUG(ret == ENOENT ? SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE,
- "Cannot get list of addresses from interface %s\n", iface);
- /* non critical failure */
- if (ret == ENOENT) {
- ret = EOK;
- }
+ ret = get_ifaces_addrs(state, iface, &state->addresses);
+ if (ret != EOK || state->addresses == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "get_ifaces_addrs() failed: %d:[%s]\n",
+ ret, sss_strerror(ret));
}
/* We're done. Just fake an async request completion */
goto done;
--
2.5.0

107
0005-DYNDNS-special-value-for-dyndns_iface-option.patch
View File

@ -1,107 +0,0 @@
From ef7a48d5acc481a207ac2821fc43651641f1b298 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Tue, 14 Jul 2015 04:21:34 -0400
Subject: [PATCH 05/14] DYNDNS: special value '*' for dyndns_iface option
Option dyndns_iface has now special value '*' which implies that IPs
from add interfaces should be sent during DDNS update.
---
src/man/sssd-ad.5.xml | 6 ++++--
src/man/sssd-ipa.5.xml | 9 ++++-----
src/providers/dp_dyndns.c | 20 ++++++++++++++++----
3 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index ff43ea37066514a87934d07b141e680416dcc05b..3cbc10520098372d984d00425d03832d002d6672 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -756,10 +756,12 @@ ad_gpo_map_deny = +my_pam_service
Optional. Applicable only when dyndns_update
is true. Choose the interface or a list of interfaces
whose IP addresses should be used for dynamic DNS
- updates.
+ updates. Special value <quote>*</quote> implies that
+ IPs from all interfaces should be used.
</para>
<para>
- Default: Use the IP address of the AD LDAP connection
+ Default: Use the IP addresses of the interface which
+ is used for AD LDAP connection
</para>
<para>
Example: dyndns_iface = em1, vnet1, vnet2
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index d450c2fadbb1713096ff766bf536702195cfd137..2e985991fde10827aff0e7c8e67f29a009683450 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -168,10 +168,8 @@
Optional. Applicable only when dyndns_update
is true. Choose the interface or a list of interfaces
whose IP addresses should be used for dynamic DNS
- updates.
- </para>
- <para>
- NOTE: This option currently supports multiple interfaces.
+ updates. Special value <quote>*</quote> implies that
+ IPs from all interfaces should be used.
</para>
<para>
NOTE: While it is still possible to use the old
@@ -180,7 +178,8 @@
in their config file.
</para>
<para>
- Default: Use the IP address of the IPA LDAP connection
+ Default: Use the IP addresses of the interface which
+ is used for IPA LDAP connection
</para>
<para>
Example: dyndns_iface = em1, vnet1, vnet2
diff --git a/src/providers/dp_dyndns.c b/src/providers/dp_dyndns.c
index 76562840ef1d427629e41617b871caaedab779d4..03389acfba13e566540ca8b0570c0d009173575f 100644
--- a/src/providers/dp_dyndns.c
+++ b/src/providers/dp_dyndns.c
@@ -42,6 +42,9 @@
#define DYNDNS_TIMEOUT 15
#endif /* DYNDNS_TIMEOUT */
+/* MASK represents special value for matching all interfaces */
+#define MASK "*"
+
struct sss_iface_addr {
struct sss_iface_addr *next;
struct sss_iface_addr *prev;
@@ -171,6 +174,16 @@ ok_for_dns(struct sockaddr *sa)
return true;
}
+static bool supported_address_family(sa_family_t sa_family)
+{
+ return sa_family == AF_INET || sa_family == AF_INET6;
+}
+
+static bool matching_name(const char *ifname, const char *ifname2)
+{
+ return (strcmp(MASK, ifname) == 0) || (strcasecmp(ifname, ifname2) == 0);
+}
+
/* Collect IP addresses associated with an interface */
errno_t
sss_iface_addr_list_get(TALLOC_CTX *mem_ctx, const char *ifname,
@@ -200,10 +213,9 @@ sss_iface_addr_list_get(TALLOC_CTX *mem_ctx, const char *ifname,
if (!ifa->ifa_addr) continue;
/* Add IP addresses to the list */
- if ((ifa->ifa_addr->sa_family == AF_INET ||
- ifa->ifa_addr->sa_family == AF_INET6) &&
- strcasecmp(ifa->ifa_name, ifname) == 0 &&
- ok_for_dns(ifa->ifa_addr)) {
+ if (supported_address_family(ifa->ifa_addr->sa_family)
+ && matching_name(ifname, ifa->ifa_name)
+ && ok_for_dns(ifa->ifa_addr)) {
/* Add this address to the IP address list */
address = talloc_zero(mem_ctx, struct sss_iface_addr);
--
2.5.0

130
0006-TESTS-dyndns-tests-support-AAAA-addresses.patch
View File

@ -1,130 +0,0 @@
From cef454da178e7e7f097fade886f4d06ba6aa0f4f Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Wed, 15 Jul 2015 10:58:38 -0400
Subject: [PATCH 06/14] TESTS: dyndns tests support AAAA addresses
Resolves:
https://fedorahosted.org/sssd/ticket/2558
---
src/tests/cmocka/test_dyndns.c | 51 +++++++++++++++++++++++++++++++-----------
1 file changed, 38 insertions(+), 13 deletions(-)
diff --git a/src/tests/cmocka/test_dyndns.c b/src/tests/cmocka/test_dyndns.c
index 3214e90c063ea9a4cf6f6bc6507bf4e37b7d23a4..e9d42cea37472b38ae2eb900368f2ce3f409fefc 100644
--- a/src/tests/cmocka/test_dyndns.c
+++ b/src/tests/cmocka/test_dyndns.c
@@ -97,7 +97,9 @@ int __wrap_getifaddrs(struct ifaddrs **_ifap)
struct ifaddrs *ifap_head = NULL;
char *name;
char *straddr;
+ int ad_family;
struct sockaddr_in *sa;
+ void *dst;
while ((name = sss_mock_ptr_type(char *)) != NULL) {
straddr = sss_mock_ptr_type(char *);
@@ -105,6 +107,7 @@ int __wrap_getifaddrs(struct ifaddrs **_ifap)
errno = EINVAL;
goto fail;
}
+ ad_family = sss_mock_type(int);
ifap = talloc_zero(global_mock_context, struct ifaddrs);
if (ifap == NULL) {
@@ -127,15 +130,33 @@ int __wrap_getifaddrs(struct ifaddrs **_ifap)
/* Do not alocate directly on ifap->ifa_addr to
* avoid alignment warnings */
- sa = talloc(ifap, struct sockaddr_in);
+ if (ad_family == AF_INET) {
+ sa = talloc(ifap, struct sockaddr_in);
+ } else if (ad_family == AF_INET6) {
+ sa = (struct sockaddr_in *) talloc(ifap, struct sockaddr_in6);
+ } else {
+ errno = EINVAL;
+ goto fail;
+ }
+
if (sa == NULL) {
errno = ENOMEM;
goto fail;
}
- sa->sin_family = AF_INET;
+
+ sa->sin_family = ad_family;
+
+ if (ad_family == AF_INET) {
+ dst = &sa->sin_addr;
+ } else if (ad_family == AF_INET6) {
+ dst = &((struct sockaddr_in6 *)sa)->sin6_addr;
+ } else {
+ errno = EINVAL;
+ goto fail;
+ }
/* convert straddr into ifa_addr */
- if (inet_pton(AF_INET, straddr, &sa->sin_addr) != 1) {
+ if (inet_pton(ad_family, straddr, dst) != 1) {
goto fail;
}
@@ -167,12 +188,16 @@ static void dyndns_test_done(struct tevent_req *req)
ctx->tctx->done = true;
}
-void will_return_getifaddrs(const char *ifname, const char *straddr)
+void will_return_getifaddrs(const char *ifname, const char *straddr,
+ int af_family)
{
will_return(__wrap_getifaddrs, ifname);
if (ifname) {
will_return(__wrap_getifaddrs, straddr);
}
+ if (straddr) {
+ will_return(__wrap_getifaddrs, af_family);
+ }
}
void dyndns_test_get_ifaddr(void **state)
@@ -182,9 +207,9 @@ void dyndns_test_get_ifaddr(void **state)
char straddr[128];
check_leaks_push(dyndns_test_ctx);
- will_return_getifaddrs("eth0", "192.168.0.1");
- will_return_getifaddrs("eth1", "192.168.0.2");
- will_return_getifaddrs(NULL, NULL); /* sentinel */
+ will_return_getifaddrs("eth0", "192.168.0.1", AF_INET);
+ will_return_getifaddrs("eth1", "192.168.0.2", AF_INET);
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
ret = sss_iface_addr_list_get(dyndns_test_ctx, "eth0", &addrlist);
assert_int_equal(ret, EOK);
@@ -212,9 +237,9 @@ void dyndns_test_get_multi_ifaddr(void **state)
char straddr[128];
check_leaks_push(dyndns_test_ctx);
- will_return_getifaddrs("eth0", "192.168.0.2");
- will_return_getifaddrs("eth0", "192.168.0.1");
- will_return_getifaddrs(NULL, NULL); /* sentinel */
+ will_return_getifaddrs("eth0", "192.168.0.2", AF_INET);
+ will_return_getifaddrs("eth0", "192.168.0.1", AF_INET);
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
ret = sss_iface_addr_list_get(dyndns_test_ctx, "eth0", &addrlist);
assert_int_equal(ret, EOK);
@@ -253,9 +278,9 @@ void dyndns_test_get_ifaddr_enoent(void **state)
struct sss_iface_addr *addrlist = NULL;
check_leaks_push(dyndns_test_ctx);
- will_return_getifaddrs("eth0", "192.168.0.1");
- will_return_getifaddrs("eth1", "192.168.0.2");
- will_return_getifaddrs(NULL, NULL); /* sentinel */
+ will_return_getifaddrs("eth0", "192.168.0.1", AF_INET);
+ will_return_getifaddrs("eth1", "192.168.0.2", AF_INET);
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
ret = sss_iface_addr_list_get(dyndns_test_ctx, "non_existing_interface",
&addrlist);
assert_int_equal(ret, ENOENT);
--
2.5.0

88
0007-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch
View File

@ -1,88 +0,0 @@
From 2322de0bd2fdc6b2ca64969df35662ab962620a4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 21 Jul 2015 11:44:03 +0200
Subject: [PATCH 07/14] IPA: Remove MPG groups if getgrgid was called before
getpw()
https://fedorahosted.org/sssd/ticket/2724
This bug only affects IPA clients that are connected to IPA servers with
AD trust and ID mapping in effect.
If an IPA client calls getgrgid() for an ID that matches a user, the
user's private group would be returned and stored as a group entry.
Subsequent queries for that user would fail, because MPG domains impose
uniqueness restriction for both the ID and name space across groups and
users.
To work around that, we remove the UPG groups in MPG domains during a
group lookup.
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 41 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 39 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 812a4bbd707faf5c184594b562c148d1e704fd58..1e6368dc7ef1a6f60b541409f7f6740d602f0d43 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1764,6 +1764,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
int tret;
struct sysdb_attrs *gid_override_attrs = NULL;
char ** exop_grouplist;
+ struct ldb_message *msg;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -2005,8 +2006,44 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
attrs->a.user.pw_dir, attrs->a.user.pw_shell,
NULL, attrs->sysdb_attrs, NULL,
timeout, now);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_user failed.\n");
+ if (ret == EEXIST && dom->mpg == true) {
+ /* This handles the case where getgrgid() was called for
+ * this user, so a group was created in the cache
+ */
+ ret = sysdb_search_group_by_name(tmp_ctx, dom, name, NULL, &msg);
+ if (ret != EOK) {
+ /* Fail even on ENOENT, the group must be around */
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not delete MPG group [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_delete_group(dom, NULL, attrs->a.user.pw_uid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_delete_group failed for MPG group [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_store_user(dom, name, NULL,
+ attrs->a.user.pw_uid,
+ gid, attrs->a.user.pw_gecos,
+ attrs->a.user.pw_dir,
+ attrs->a.user.pw_shell,
+ NULL, attrs->sysdb_attrs, NULL,
+ timeout, now);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_store_user failed for MPG user [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_store_user failed [%d]: %s\n",
+ ret, sss_strerror(ret));
goto done;
}
--
2.5.0

27
0008-IPA-Better-debugging.patch
View File

@ -1,27 +0,0 @@
From f2fd03807a6a7d92b706f0964bd1bcf172766cd6 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 22 Jul 2015 15:17:57 +0200
Subject: [PATCH 08/14] IPA: Better debugging
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/providers/ipa/ipa_subdomains_server.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index cd8c6301c4e4fbbf194ca98ce7a7bfe6215b381c..a9e2c1f700ef47716be868bad68590b8d5d0d42a 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -623,6 +623,9 @@ ipa_server_trust_add_send(TALLOC_CTX *mem_ctx,
immediate:
if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not add trusted subdomain %s from forest %s\n",
+ subdom->name, state->forest);
tevent_req_error(req, ret);
} else {
tevent_req_done(req);
--
2.5.0

50
0009-UTIL-Lower-debug-level-in-perform_checks.patch
View File

@ -1,50 +0,0 @@
From b5e5c04b5af74537c95213a72d4c916b50c05588 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 22 Jul 2015 16:29:09 +0200
Subject: [PATCH 09/14] UTIL: Lower debug level in perform_checks()
Failures in perform_checks() don't have to be fatal, therefore the debug
messages shouldn't be either.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/util/check_and_open.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/util/check_and_open.c b/src/util/check_and_open.c
index 59b90bf4b96731e385fcf92ed8bc251cb94abfda..b40ae2003e3de22ce9e4ca07cecc68e18a7abab4 100644
--- a/src/util/check_and_open.c
+++ b/src/util/check_and_open.c
@@ -99,12 +99,12 @@ static errno_t perform_checks(struct stat *stat_buf,
}
if ((mode & S_IFMT) != (st_mode & S_IFMT)) {
- DEBUG(SSSDBG_CRIT_FAILURE, "File is not the right type.\n");
+ DEBUG(SSSDBG_TRACE_LIBS, "File is not the right type.\n");
return EINVAL;
}
if ((st_mode & ALLPERMS) != (mode & ALLPERMS)) {
- DEBUG(SSSDBG_CRIT_FAILURE,
+ DEBUG(SSSDBG_TRACE_LIBS,
"File has the wrong (bit masked) mode [%.7o], "
"expected [%.7o].\n",
(st_mode & ALLPERMS), (mode & ALLPERMS));
@@ -112,12 +112,12 @@ static errno_t perform_checks(struct stat *stat_buf,
}
if (uid != (uid_t)(-1) && stat_buf->st_uid != uid) {
- DEBUG(SSSDBG_CRIT_FAILURE, "File must be owned by uid [%d].\n", uid);
+ DEBUG(SSSDBG_TRACE_LIBS, "File must be owned by uid [%d].\n", uid);
return EINVAL;
}
if (gid != (gid_t)(-1) && stat_buf->st_gid != gid) {
- DEBUG(SSSDBG_CRIT_FAILURE, "File must be owned by gid [%d].\n", gid);
+ DEBUG(SSSDBG_TRACE_LIBS, "File must be owned by gid [%d].\n", gid);
return EINVAL;
}
--
2.5.0

116
0010-IPA-Handle-sssd-owned-keytabs-when-running-as-root.patch
View File

@ -1,116 +0,0 @@
From 629fba06bc02e6ff4b25680532d298552fa55b22 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 22 Jul 2015 17:20:11 +0200
Subject: [PATCH 10/14] IPA: Handle sssd-owned keytabs when running as root
https://fedorahosted.org/sssd/ticket/2718
This patch handles the case where the keytab is created with sssd:sssd
ownership (perhaps by the IPA oddjob script) but SSSD runs as root,
which is the default in many distributions.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/providers/ipa/ipa_subdomains.h | 3 ++
src/providers/ipa/ipa_subdomains_server.c | 46 +++++++++++++++++++++++++------
2 files changed, 41 insertions(+), 8 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
index 5bc63a173a1a8967eb5de30a2da84a81377d3900..2302c5f03e80de2ea1efad424769e777cd6dd8d5 100644
--- a/src/providers/ipa/ipa_subdomains.h
+++ b/src/providers/ipa/ipa_subdomains.h
@@ -94,6 +94,9 @@ struct ipa_server_mode_ctx {
struct ipa_ad_server_ctx *trusts;
struct ipa_ext_groups *ext_groups;
+
+ uid_t kt_owner_uid;
+ uid_t kt_owner_gid;
};
int ipa_ad_subdom_init(struct be_ctx *be_ctx,
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index a9e2c1f700ef47716be868bad68590b8d5d0d42a..4bfea61e6dd0a02f6b723a39f7ba236c914009b0 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -520,16 +520,28 @@ static errno_t ipa_getkeytab_recv(struct tevent_req *req, int *child_status)
return EOK;
}
-static errno_t ipa_check_keytab(const char *keytab)
+static errno_t ipa_check_keytab(const char *keytab,
+ uid_t kt_owner_uid,
+ gid_t kt_owner_gid)
{
errno_t ret;
ret = check_file(keytab, getuid(), getgid(), S_IFREG|0600, 0, NULL, false);
- if (ret != EOK) {
- if (ret != ENOENT) {
- DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab);
- } else {
- DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
+ goto done;
+ } else if (ret != EOK) {
+ if (kt_owner_uid) {
+ ret = check_file(keytab, kt_owner_uid, kt_owner_gid,
+ S_IFREG|0600, 0, NULL, false);
+ }
+
+ if (ret != EOK) {
+ if (ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab);
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab);
+ }
}
goto done;
}
@@ -648,7 +660,9 @@ static errno_t ipa_server_trust_add_1way(struct tevent_req *req)
return EIO;
}
- ret = ipa_check_keytab(state->keytab);
+ ret = ipa_check_keytab(state->keytab,
+ state->id_ctx->server_mode->kt_owner_uid,
+ state->id_ctx->server_mode->kt_owner_gid);
if (ret == EOK) {
DEBUG(SSSDBG_TRACE_FUNC,
"Keytab already present, can add the trust\n");
@@ -704,7 +718,9 @@ static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_FUNC,
"Keytab successfully retrieved to %s\n", state->keytab);
- ret = ipa_check_keytab(state->keytab);
+ ret = ipa_check_keytab(state->keytab,
+ state->id_ctx->server_mode->kt_owner_uid,
+ state->id_ctx->server_mode->kt_owner_gid);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ipa_check_keytab failed: %d\n", ret);
tevent_req_error(req, ret);
@@ -1029,6 +1045,20 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
id_ctx->server_mode->hostname = hostname;
id_ctx->server_mode->trusts = NULL;
id_ctx->server_mode->ext_groups = NULL;
+ id_ctx->server_mode->kt_owner_uid = 0;
+ id_ctx->server_mode->kt_owner_gid = 0;
+
+ if (getuid() == 0) {
+ /* We need to handle keytabs created by IPA oddjob script gracefully
+ * even if we're running as root and IPA creates them as the SSSD user
+ */
+ ret = sss_user_by_name_or_uid(SSSD_USER,
+ &id_ctx->server_mode->kt_owner_uid,
+ &id_ctx->server_mode->kt_owner_gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get ID of %s\n", SSSD_USER);
+ }
+ }
ret = ipa_ad_subdom_reinit(be_ctx, be_ctx->ev,
be_ctx, id_ctx, be_ctx->domain);
--
2.5.0

47
0011-LDAP-use-ldb_binary_encode-when-printing-attribute-v.patch
View File

@ -1,47 +0,0 @@
From 4c4bc726cfc0207681c00fc386e3707d47bfe3a4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 10 Aug 2015 12:40:30 +0200
Subject: [PATCH 11/14] LDAP: use ldb_binary_encode when printing attribute
values
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ldap/sdap_utils.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/providers/ldap/sdap_utils.c b/src/providers/ldap/sdap_utils.c
index f5ce8ee54f60a6c4c4cdbd5e50b20d973c175e83..9da46ea70bf80e7f4d12fdfc7d1c97e99de8d000 100644
--- a/src/providers/ldap/sdap_utils.c
+++ b/src/providers/ldap/sdap_utils.c
@@ -35,6 +35,7 @@ sdap_attrs_add_ldap_attr(struct sysdb_attrs *ldap_attrs,
const char *objname = name ?: "object";
const char *desc = attr_desc ?: attr_name;
unsigned int num_values, i;
+ char *printable;
ret = sysdb_attrs_get_el(ldap_attrs, attr_name, &el);
if (ret) {
@@ -50,8 +51,16 @@ sdap_attrs_add_ldap_attr(struct sysdb_attrs *ldap_attrs,
} else {
num_values = multivalued ? el->num_values : 1;
for (i = 0; i < num_values; i++) {
+ printable = ldb_binary_encode(ldap_attrs, el->values[i]);
+ if (printable == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldb_binary_encode failed..\n");
+ continue;
+ }
+
DEBUG(SSSDBG_TRACE_INTERNAL, "Adding %s [%s] to attributes "
- "of [%s].\n", desc, el->values[i].data, objname);
+ "of [%s].\n", desc, printable, objname);
+
+ talloc_zfree(printable);
ret = sysdb_attrs_add_mem(attrs, attr_name, el->values[i].data,
el->values[i].length);
--
2.5.0

50
0012-IPA-Change-the-default-of-ldap_user_certificate-to-u.patch
View File

@ -1,50 +0,0 @@
From 4c8af4a9bd8b0cdfa6820b3a39ae958869957dcb Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 10 Aug 2015 12:40:39 +0200
Subject: [PATCH 12/14] IPA: Change the default of ldap_user_certificate to
userCertificate;binary
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is safe from ldb point of view, because ldb gurantees the data is
NULL-terminated. We must be careful before we save the data, though.
Resolves:
https://fedorahosted.org/sssd/ticket/2742
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/man/sssd-ldap.5.xml | 2 +-
src/providers/ipa/ipa_opts.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index f14090843fd32141ad4f491b69868aa7b2412301..0239f656e4fab7d8d85a922fdd0978acd80a236b 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -821,7 +821,7 @@
certificate of the user.
</para>
<para>
- Default: no set in the general case, userCertificate
+ Default: no set in the general case, userCertificate;binary
for IPA
</para>
</listitem>
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 253c0715355536cc181c57beed5326a77e87e464..2f92ad765a1ca53611ed82e5e749c39d6f20a150 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -203,7 +203,7 @@ struct sdap_attr_map ipa_user_map[] = {
{ "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
{ "ldap_user_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL },
{ "ldap_user_auth_type", "ipaUserAuthType", SYSDB_AUTH_TYPE, NULL },
- { "ldap_user_certificate", "userCertificate", SYSDB_USER_CERT, NULL },
+ { "ldap_user_certificate", "userCertificate;binary", SYSDB_USER_CERT, NULL },
SDAP_ATTR_MAP_TERMINATOR
};
--
2.5.0

377
0013-UTIL-Provide-a-common-interface-to-safely-create-tem.patch
View File

@ -1,377 +0,0 @@
From e3f5577a446e1f6f37c1dfd2c7d6c95f5c4551ab Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 12 Aug 2015 12:41:44 +0200
Subject: [PATCH 13/14] UTIL: Provide a common interface to safely create
temporary files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/tests/cmocka/test_utils.c | 175 ++++++++++++++++++++++++++++++++++++++++++
src/util/util.c | 127 ++++++++++++++++++++++++++++++
src/util/util.h | 21 +++++
3 files changed, 323 insertions(+)
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index d3d00feda0bdd4048519f90ba48ae9d1042a95a1..c7ebe0997ec00197e8852bedbcf26ef1f6394fc3 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1212,6 +1212,168 @@ void test_fix_domain_in_name_list(void **state)
talloc_free(dom);
}
+struct unique_file_test_ctx {
+ char *filename;
+};
+
+static int unique_file_test_setup(void **state)
+{
+ struct unique_file_test_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+ check_leaks_push(global_talloc_context);
+
+ test_ctx = talloc_zero(global_talloc_context, struct unique_file_test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->filename = talloc_strdup(test_ctx, "test_unique_file_XXXXXX");
+ assert_non_null(test_ctx);
+
+ *state = test_ctx;
+ return 0;
+}
+
+static int unique_file_test_teardown(void **state)
+{
+ struct unique_file_test_ctx *test_ctx;
+ errno_t ret;
+
+ test_ctx = talloc_get_type(*state, struct unique_file_test_ctx);
+
+ errno = 0;
+ ret = unlink(test_ctx->filename);
+ if (ret != 0 && errno != ENOENT) {
+ fail();
+ }
+
+ talloc_free(test_ctx);
+ assert_true(check_leaks_pop(global_talloc_context) == true);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+static void assert_destructor(TALLOC_CTX *owner,
+ struct unique_file_test_ctx *test_ctx)
+{
+ int fd;
+ errno_t ret;
+ char *check_filename;
+
+ /* Test that the destructor works */
+ if (owner == NULL) {
+ return;
+ }
+
+ check_filename = talloc_strdup(test_ctx, test_ctx->filename);
+ assert_non_null(check_filename);
+
+ talloc_free(owner);
+
+ ret = check_and_open_readonly(test_ctx->filename, &fd,
+ geteuid(), getegid(),
+ (S_IRUSR | S_IWUSR | S_IFREG), 0);
+ close(fd);
+ assert_int_not_equal(ret, EOK);
+}
+
+static void sss_unique_file_test(struct unique_file_test_ctx *test_ctx,
+ bool test_destructor)
+{
+ int fd;
+ errno_t ret;
+ struct stat sb;
+ TALLOC_CTX *owner = NULL;
+
+ if (test_destructor) {
+ owner = talloc_new(test_ctx);
+ assert_non_null(owner);
+ }
+
+ fd = sss_unique_file(owner, test_ctx->filename, &ret);
+ assert_int_not_equal(fd, -1);
+ assert_int_equal(ret, EOK);
+
+ ret = check_fd(fd, geteuid(), getegid(),
+ (S_IRUSR | S_IWUSR | S_IFREG), 0, &sb);
+ close(fd);
+ assert_int_equal(ret, EOK);
+
+ assert_destructor(owner, test_ctx);
+}
+
+static void test_sss_unique_file(void **state)
+{
+ struct unique_file_test_ctx *test_ctx;
+ test_ctx = talloc_get_type(*state, struct unique_file_test_ctx);
+ sss_unique_file_test(test_ctx, false);
+}
+
+static void test_sss_unique_file_destruct(void **state)
+{
+ struct unique_file_test_ctx *test_ctx;
+ test_ctx = talloc_get_type(*state, struct unique_file_test_ctx);
+ sss_unique_file_test(test_ctx, true);
+}
+
+static void test_sss_unique_file_neg(void **state)
+{
+ int fd;
+ errno_t ret;
+
+ fd = sss_unique_file(NULL, discard_const("badpattern"), &ret);
+ assert_int_equal(fd, -1);
+ assert_int_equal(ret, EINVAL);
+}
+
+static void sss_unique_filename_test(struct unique_file_test_ctx *test_ctx,
+ bool test_destructor)
+{
+ int fd;
+ errno_t ret;
+ char *tmp_filename;
+ TALLOC_CTX *owner = NULL;
+
+ tmp_filename = talloc_strdup(test_ctx, test_ctx->filename);
+ assert_non_null(tmp_filename);
+
+ if (test_destructor) {
+ owner = talloc_new(test_ctx);
+ assert_non_null(owner);
+ }
+
+ ret = sss_unique_filename(owner, test_ctx->filename);
+ assert_int_equal(ret, EOK);
+
+ assert_int_equal(strncmp(test_ctx->filename,
+ tmp_filename,
+ strlen(tmp_filename) - sizeof("XXXXXX")),
+ 0);
+
+ ret = check_and_open_readonly(test_ctx->filename, &fd,
+ geteuid(), getegid(),
+ (S_IRUSR | S_IWUSR | S_IFREG), 0);
+ close(fd);
+ assert_int_equal(ret, EOK);
+
+ assert_destructor(owner, test_ctx);
+}
+
+static void test_sss_unique_filename(void **state)
+{
+ struct unique_file_test_ctx *test_ctx;
+
+ test_ctx = talloc_get_type(*state, struct unique_file_test_ctx);
+ sss_unique_filename_test(test_ctx, false);
+}
+
+static void test_sss_unique_filename_destruct(void **state)
+{
+ struct unique_file_test_ctx *test_ctx;
+
+ test_ctx = talloc_get_type(*state, struct unique_file_test_ctx);
+ sss_unique_filename_test(test_ctx, true);
+}
+
int main(int argc, const char *argv[])
{
poptContext pc;
@@ -1275,6 +1437,19 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_fix_domain_in_name_list,
confdb_test_setup,
confdb_test_teardown),
+ cmocka_unit_test_setup_teardown(test_sss_unique_file,
+ unique_file_test_setup,
+ unique_file_test_teardown),
+ cmocka_unit_test_setup_teardown(test_sss_unique_file_destruct,
+ unique_file_test_setup,
+ unique_file_test_teardown),
+ cmocka_unit_test(test_sss_unique_file_neg),
+ cmocka_unit_test_setup_teardown(test_sss_unique_filename,
+ unique_file_test_setup,
+ unique_file_test_teardown),
+ cmocka_unit_test_setup_teardown(test_sss_unique_filename_destruct,
+ unique_file_test_setup,
+ unique_file_test_teardown),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
diff --git a/src/util/util.c b/src/util/util.c
index cfd26a58b31048996e9669163b821282b219b2de..61e5efedce45ba4a70d57ce19406eafe8373692c 100644
--- a/src/util/util.c
+++ b/src/util/util.c
@@ -957,3 +957,130 @@ errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *_unix_tim
*_unix_time = ut;
return EOK;
}
+
+struct tmpfile_watch {
+ const char *filename;
+};
+
+static int unlink_dbg(const char *filename)
+{
+ errno_t ret;
+
+ ret = unlink(filename);
+ if (ret != 0) {
+ if (errno == 2) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "File already removed: [%s]\n", filename);
+ return 0;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot remove temporary file [%s]\n", filename);
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+static int unique_filename_destructor(void *memptr)
+{
+ struct tmpfile_watch *tw = talloc_get_type(memptr, struct tmpfile_watch);
+
+ if (tw == NULL || tw->filename == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Wrong private pointer\n");
+ return -1;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Unlinking [%s]\n", tw->filename);
+
+ return unlink_dbg(tw->filename);
+}
+
+static struct tmpfile_watch *tmpfile_watch_set(TALLOC_CTX *owner,
+ const char *filename)
+{
+ struct tmpfile_watch *tw = NULL;
+
+ tw = talloc_zero(owner, struct tmpfile_watch);
+ if (tw == NULL) {
+ return NULL;
+ }
+
+ tw->filename = talloc_strdup(tw, filename);
+ if (tw->filename == NULL) {
+ talloc_free(tw);
+ return NULL;
+ }
+
+ talloc_set_destructor((TALLOC_CTX *) tw,
+ unique_filename_destructor);
+ return tw;
+}
+
+int sss_unique_file_ex(TALLOC_CTX *owner,
+ char *path_tmpl,
+ mode_t file_umask,
+ errno_t *_err)
+{
+ size_t tmpl_len;
+ errno_t ret;
+ int fd = -1;
+ mode_t old_umask;
+ struct tmpfile_watch *tw = NULL;
+
+ tmpl_len = strlen(path_tmpl);
+ if (tmpl_len < 6 || strcmp(path_tmpl + (tmpl_len - 6), "XXXXXX") != 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Template too short or doesn't end with XXXXXX!\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ old_umask = umask(file_umask);
+ fd = mkstemp(path_tmpl);
+ umask(old_umask);
+ if (fd == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "mkstemp(\"%s\") failed [%d]: %s!\n",
+ path_tmpl, ret, strerror(ret));
+ goto done;
+ }
+
+ if (owner != NULL) {
+ tw = tmpfile_watch_set(owner, path_tmpl);
+ if (tw == NULL) {
+ unlink_dbg(path_tmpl);
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ ret = EOK;
+done:
+ if (_err) {
+ *_err = ret;
+ }
+ return fd;
+}
+
+int sss_unique_file(TALLOC_CTX *owner,
+ char *path_tmpl,
+ errno_t *_err)
+{
+ return sss_unique_file_ex(owner, path_tmpl, 077, _err);
+}
+
+errno_t sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl)
+{
+ int fd;
+ errno_t ret;
+
+ fd = sss_unique_file(owner, path_tmpl, &ret);
+ /* We only care about a unique file name */
+ if (fd >= 0) {
+ close(fd);
+ }
+
+ return ret;
+}
diff --git a/src/util/util.h b/src/util/util.h
index 3d90cf0d1024b93016987a4d3e8a515359fd974d..ecbed1c9843b16ba6cf31927c6fd3db8c72aefde 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -653,4 +653,25 @@ int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
/* convert time from generalized form to unix time */
errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);
+/* Creates a unique file using mkstemp with provided umask. The template
+ * must end with XXXXXX. Returns the fd, sets _err to an errno value on error.
+ *
+ * Prefer using sss_unique_file() as it uses a secure umask internally.
+ */
+int sss_unique_file_ex(TALLOC_CTX *mem_ctx,
+ char *path_tmpl,
+ mode_t file_umask,
+ errno_t *_err);
+int sss_unique_file(TALLOC_CTX *owner,
+ char *path_tmpl,
+ errno_t *_err);
+
+/* Creates a unique filename using mkstemp with secure umask. The template
+ * must end with XXXXXX
+ *
+ * path_tmpl must be a talloc context. Destructor would be set on the filename
+ * so that it's guaranteed the file is removed.
+ */
+int sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl);
+
#endif /* __SSSD_UTIL_H__ */
--
2.5.0

447
0014-IPA-Always-re-fetch-the-keytab-from-the-IPA-server.patch
View File

@ -1,447 +0,0 @@
From b2d318b91bb9d6ea1bef827031b980b8d6ec7b44 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 24 Jul 2015 13:13:08 +0200
Subject: [PATCH 14/14] IPA: Always re-fetch the keytab from the IPA server
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Even if a keytab for one-way trust exists, re-fetch the keytab again and
try to use it. Fall back to the previous one if it exists.
This is in order to allow the admin to re-establish the trust keytabs
with a simple sssd restart.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
Makefile.am | 2 +
src/providers/ipa/ipa_subdomains.c | 4 +-
src/providers/ipa/ipa_subdomains_server.c | 83 +++++++++----
src/tests/cmocka/test_ipa_subdomains_server.c | 166 ++++++++++++++++++++++++--
4 files changed, 221 insertions(+), 34 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index b8cbc6df23ded1edb945a709b6dbe1c44eb54017..4e58b4f419607272f35363875054320af0899dcf 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2501,6 +2501,8 @@ test_ipa_subdom_server_LDFLAGS = \
-Wl,-wrap,krb5_kt_default \
-Wl,-wrap,execle \
-Wl,-wrap,execve \
+ -Wl,-wrap,rename \
+ -Wl,-wrap,sss_unique_filename \
$(NULL)
test_ipa_subdom_server_LDADD = \
$(PAM_LIBS) \
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index cf72784473747c67d44a5d887faf867cfe62ce2b..c688ddb9bb9b643e0695c1901a4ca467f71853da 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -264,7 +264,7 @@ static errno_t ipa_ranges_parse_results(TALLOC_CTX *mem_ctx,
ret = get_idmap_data_from_range(r, domain_name, &name1, &sid1, &rid1,
&range1, &mapping1);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("get_idmap_data_from_range failed.\n"));
+ DEBUG(SSSDBG_OP_FAILURE, "get_idmap_data_from_range failed.\n");
goto done;
}
for (d = 0; d < c; d++) {
@@ -272,7 +272,7 @@ static errno_t ipa_ranges_parse_results(TALLOC_CTX *mem_ctx,
&sid2, &rid2, &range2, &mapping2);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
- ("get_idmap_data_from_range failed.\n"));
+ "get_idmap_data_from_range failed.\n");
goto done;
}
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index 4bfea61e6dd0a02f6b723a39f7ba236c914009b0..dfecab1bc362b5772379bae6d51f9cef8443f225 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -445,6 +445,17 @@ static void ipa_getkeytab_exec(const char *ccache,
exit(1);
}
+ /* ipa-getkeytab cannot add keys to an empty file, let's unlink it and only
+ * use the filename */
+ ret = unlink(keytab_path);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to unlink the temporary ccname [%d][%s]\n",
+ ret, sss_strerror(ret));
+ exit(1);
+ }
+
errno = 0;
ret = execle(IPA_GETKEYTAB_PATH, IPA_GETKEYTAB_PATH,
"-r", "-s", server, "-p", principal, "-k", keytab_path, NULL,
@@ -561,6 +572,7 @@ struct ipa_server_trust_add_state {
uint32_t direction;
const char *forest;
const char *keytab;
+ char *new_keytab;
const char *principal;
const char *forest_realm;
const char *ccache;
@@ -660,21 +672,20 @@ static errno_t ipa_server_trust_add_1way(struct tevent_req *req)
return EIO;
}
- ret = ipa_check_keytab(state->keytab,
- state->id_ctx->server_mode->kt_owner_uid,
- state->id_ctx->server_mode->kt_owner_gid);
- if (ret == EOK) {
- DEBUG(SSSDBG_TRACE_FUNC,
- "Keytab already present, can add the trust\n");
- return EOK;
- } else if (ret != ENOENT) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Failed to check for keytab: %d\n", ret);
+ state->new_keytab = talloc_asprintf(state, "%sXXXXXX", state->keytab);
+ if (state->new_keytab == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n");
+ return ENOMEM;
+ }
+
+ ret = sss_unique_filename(state, state->new_keytab);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create temporary keytab name\n");
return ret;
}
DEBUG(SSSDBG_TRACE_FUNC,
- "No keytab for %s\n", state->subdom->name);
+ "Will re-fetch keytab for %s\n", state->subdom->name);
hostname = dp_opt_get_string(state->id_ctx->ipa_options->basic,
IPA_HOSTNAME);
@@ -691,7 +702,7 @@ static errno_t ipa_server_trust_add_1way(struct tevent_req *req)
state->ccache,
hostname,
state->principal,
- state->keytab);
+ state->new_keytab);
if (subreq == NULL) {
return ENOMEM;
}
@@ -710,23 +721,49 @@ static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq)
ret = ipa_getkeytab_recv(subreq, NULL);
talloc_zfree(subreq);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "ipa_getkeytab_recv failed: %d\n", ret);
- tevent_req_error(req, ret);
- return;
+ /* Do not fail here, but try to check and use the previous keytab,
+ * if any */
+ DEBUG(SSSDBG_MINOR_FAILURE, "ipa_getkeytab_recv failed: %d\n", ret);
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Keytab successfully retrieved to %s\n", state->new_keytab);
}
- DEBUG(SSSDBG_TRACE_FUNC,
- "Keytab successfully retrieved to %s\n", state->keytab);
-
- ret = ipa_check_keytab(state->keytab,
+ ret = ipa_check_keytab(state->new_keytab,
state->id_ctx->server_mode->kt_owner_uid,
state->id_ctx->server_mode->kt_owner_gid);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "ipa_check_keytab failed: %d\n", ret);
- tevent_req_error(req, ret);
- return;
+ if (ret == EOK) {
+ ret = rename(state->new_keytab, state->keytab);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "rename failed [%d][%s].\n", ret, strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Keytab renamed to %s\n", state->keytab);
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Trying to recover and use the previous keytab, if available\n");
+ ret = ipa_check_keytab(state->keytab,
+ state->id_ctx->server_mode->kt_owner_uid,
+ state->id_ctx->server_mode->kt_owner_gid);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "The previous keytab %s contains the expected principal\n",
+ state->keytab);
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot use the old keytab: %d\n", ret);
+ /* Nothing we can do now */
+ tevent_req_error(req, ret);
+ return;
+ }
}
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Keytab %s contains the expected principals\n", state->new_keytab);
+
ret = ipa_server_trust_add_step(req);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
diff --git a/src/tests/cmocka/test_ipa_subdomains_server.c b/src/tests/cmocka/test_ipa_subdomains_server.c
index a4cb8c2b7538dc84b74e0227205b73780844b652..fb9bd80e299c05fa230599d442fa361ae757dcd3 100644
--- a/src/tests/cmocka/test_ipa_subdomains_server.c
+++ b/src/tests/cmocka/test_ipa_subdomains_server.c
@@ -66,33 +66,79 @@
#define ONEWAY_PRINC DOM_FLAT"$"
#define ONEWAY_AUTHID ONEWAY_PRINC"@"SUBDOM_REALM
+static bool global_rename_called;
+
krb5_error_code __wrap_krb5_kt_default(krb5_context context, krb5_keytab *id)
{
return krb5_kt_resolve(context, KEYTAB_PATH, id);
}
-static void create_dummy_keytab(void)
+static void create_dummy_keytab(const char *dummy_kt)
{
errno_t ret;
- assert_non_null(ONEWAY_KEYTAB);
+ assert_non_null(dummy_kt);
mock_keytab_with_contents(global_talloc_context,
- ONEWAY_KEYTAB, ONEWAY_AUTHID);
+ dummy_kt, ONEWAY_AUTHID);
- ret = access(ONEWAY_KEYTAB, R_OK);
+ ret = access(dummy_kt, R_OK);
assert_int_equal(ret, 0);
}
+static int wrap_exec(void)
+{
+ const char *test_kt;
+ const char *fail_creating_kt;
+
+ test_kt = getenv("TEST_KT_ENV");
+ if (test_kt == NULL) {
+ _exit(1);
+ }
+ unsetenv("TEST_KT_ENV");
+
+ fail_creating_kt = getenv("KT_CREATE_FAIL");
+ if (fail_creating_kt != NULL) {
+ _exit(1);
+ }
+
+ create_dummy_keytab(test_kt);
+ _exit(0);
+
+ return 1; /* Should not happen */
+}
+
int __wrap_execle(const char *path, const char *arg, ...)
{
- create_dummy_keytab();
- _exit(0);
+ return wrap_exec();
}
int __wrap_execve(const char *path, const char *arg, ...)
{
- create_dummy_keytab();
- _exit(0);
+ return wrap_exec();
+}
+
+errno_t __real_sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl);
+
+errno_t __wrap_sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl)
+{
+ int ret;
+ int sret;
+
+ ret = __real_sss_unique_filename(owner, path_tmpl);
+ if (ret == EOK) {
+
+ sret = setenv("TEST_KT_ENV", path_tmpl, 1);
+ assert_int_equal(sret, 0);
+ }
+ return ret;
+}
+
+int __real_rename(const char *old, const char *new);
+
+int __wrap_rename(const char *old, const char *new)
+{
+ global_rename_called = true;
+ return __real_rename(old, new);
}
struct trust_test_ctx {
@@ -100,6 +146,7 @@ struct trust_test_ctx {
struct be_ctx *be_ctx;
struct ipa_id_ctx *ipa_ctx;
+ bool expect_rename;
};
static struct ipa_id_ctx *mock_ipa_ctx(TALLOC_CTX *mem_ctx,
@@ -244,6 +291,8 @@ static int test_ipa_server_create_trusts_setup(void **state)
mock_keytab_with_contents(test_ctx, KEYTAB_PATH, KEYTAB_TEST_PRINC);
+ global_rename_called = false;
+
*state = test_ctx;
return 0;
}
@@ -260,6 +309,11 @@ static int test_ipa_server_create_trusts_teardown(void **state)
unlink(ONEWAY_KEYTAB);
/* Ignore failures */
+ /* If a test needs this variable, it should be set again in
+ * each test
+ */
+ unsetenv("KT_CREATE_FAIL");
+
talloc_free(test_ctx);
return 0;
}
@@ -612,6 +666,8 @@ static void test_ipa_server_create_oneway(void **state)
assert_null(test_ctx->ipa_ctx->server_mode->trusts);
+ test_ctx->expect_rename = true;
+
req = ipa_server_create_trusts_send(test_ctx,
test_ctx->tctx->ev,
test_ctx->be_ctx,
@@ -635,6 +691,8 @@ static void test_ipa_server_create_trusts_oneway(struct tevent_req *req)
talloc_zfree(req);
assert_int_equal(ret, EOK);
+ assert_true(test_ctx->expect_rename == global_rename_called);
+
ret = access(ONEWAY_KEYTAB, R_OK);
assert_int_equal(ret, 0);
@@ -674,10 +732,46 @@ static void test_ipa_server_create_oneway_kt_exists(void **state)
add_test_1way_subdomains(test_ctx);
- create_dummy_keytab();
+ create_dummy_keytab(ONEWAY_KEYTAB);
ret = access(ONEWAY_KEYTAB, R_OK);
assert_int_equal(ret, 0);
+ test_ctx->expect_rename = true;
+
+ assert_null(test_ctx->ipa_ctx->server_mode->trusts);
+
+ req = ipa_server_create_trusts_send(test_ctx,
+ test_ctx->tctx->ev,
+ test_ctx->be_ctx,
+ test_ctx->ipa_ctx,
+ test_ctx->be_ctx->domain);
+ assert_non_null(req);
+
+ tevent_req_set_callback(req, test_ipa_server_create_trusts_oneway, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, ERR_OK);
+}
+
+/* Test scenario where a keytab already exists, but refresh fails. In this case,
+ * sssd should attempt to reuse the previous keytab
+ */
+static void test_ipa_server_create_oneway_kt_refresh_fallback(void **state)
+{
+ struct trust_test_ctx *test_ctx =
+ talloc_get_type(*state, struct trust_test_ctx);
+ struct tevent_req *req;
+ errno_t ret;
+
+ add_test_1way_subdomains(test_ctx);
+
+ create_dummy_keytab(ONEWAY_KEYTAB);
+ ret = access(ONEWAY_KEYTAB, R_OK);
+ assert_int_equal(ret, 0);
+
+ setenv("KT_CREATE_FAIL", "1", 1);
+ test_ctx->expect_rename = false;
+
assert_null(test_ctx->ipa_ctx->server_mode->trusts);
req = ipa_server_create_trusts_send(test_ctx,
@@ -693,6 +787,54 @@ static void test_ipa_server_create_oneway_kt_exists(void **state)
assert_int_equal(ret, ERR_OK);
}
+/* Tests case where there's no keytab and retrieving fails. Just fail the
+ * request in that case
+ */
+static void test_ipa_server_create_trusts_oneway_fail(struct tevent_req *req);
+
+static void test_ipa_server_create_oneway_kt_refresh_fail(void **state)
+{
+ struct trust_test_ctx *test_ctx =
+ talloc_get_type(*state, struct trust_test_ctx);
+ struct tevent_req *req;
+ errno_t ret;
+
+ add_test_1way_subdomains(test_ctx);
+
+ setenv("KT_CREATE_FAIL", "1", 1);
+ test_ctx->expect_rename = false;
+
+ assert_null(test_ctx->ipa_ctx->server_mode->trusts);
+
+ req = ipa_server_create_trusts_send(test_ctx,
+ test_ctx->tctx->ev,
+ test_ctx->be_ctx,
+ test_ctx->ipa_ctx,
+ test_ctx->be_ctx->domain);
+ assert_non_null(req);
+
+ tevent_req_set_callback(req,
+ test_ipa_server_create_trusts_oneway_fail,
+ test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, ERR_OK);
+}
+
+static void test_ipa_server_create_trusts_oneway_fail(struct tevent_req *req)
+{
+ struct trust_test_ctx *test_ctx = \
+ tevent_req_callback_data(req, struct trust_test_ctx);
+ errno_t ret;
+
+ ret = ipa_server_create_trusts_recv(req);
+ assert_int_not_equal(ret, EOK);
+
+ assert_true(test_ctx->expect_rename == global_rename_called);
+
+ test_ev_done(test_ctx->tctx, EOK);
+}
+
static void test_ipa_server_trust_oneway_init(void **state)
{
struct trust_test_ctx *test_ctx =
@@ -749,6 +891,12 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway_kt_exists,
test_ipa_server_create_trusts_setup,
test_ipa_server_create_trusts_teardown),
+ cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway_kt_refresh_fallback,
+ test_ipa_server_create_trusts_setup,
+ test_ipa_server_create_trusts_teardown),
+ cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway_kt_refresh_fail,
+ test_ipa_server_create_trusts_setup,
+ test_ipa_server_create_trusts_teardown),
cmocka_unit_test_setup_teardown(test_ipa_server_trust_oneway_init,
test_ipa_server_create_trusts_setup,
test_ipa_server_create_trusts_teardown),
--
2.5.0

33
0015-krb5-do-not-send-SSS_OTP-if-two-factors-were-used.patch
View File

@ -1,33 +0,0 @@
From 560c4cdf6568c049102ccf47cb302f2e10de023a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 23 Jul 2015 15:56:44 +0200
Subject: [PATCH 15/15] krb5: do not send SSS_OTP if two factors were used
Resolves https://fedorahosted.org/sssd/ticket/2729
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/krb5/krb5_auth.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 8886456c00c86914da364fd08efc25a488b0e686..d1bf4025b052d82413d1f370a36b0b99720d6f05 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1091,7 +1091,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
krb5_auth_store_creds(state->domain, pd);
}
- if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {
+ /* The SSS_OTP message will prevent pam_sss from putting the entered
+ * password on the PAM stack for other modules to use. This is not needed
+ * when both factors were entered separately because here the first factor
+ * (long term password) can be passed to the other modules. */
+ if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE
+ && sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
uint32_t otp_flag = 1;
ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),
(const uint8_t *) &otp_flag);
--
2.5.0

2
sources
View File

@ -1 +1 @@
2c3f3e6b2cd875879e6a55f49f13d8db sssd-1.13.0.tar.gz
56623de935ab1c8e7a2535528f4b95b2 sssd-1.13.1.tar.gz

29
sssd.spec
View File

@ -28,8 +28,8 @@
%endif
Name: sssd
Version: 1.13.0
Release: 6%{?dist}
Version: 1.13.1
Release: 1%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -38,21 +38,6 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-SSSDConfig-return-list-for-list_active_domains.patch
Patch0002: 0002-KRB5-Return-right-data-provider-error-code.patch
Patch0003: 0003-DYNDNS-sss_iface_addr_list_get-return-ENOENT.patch
Patch0004: 0004-DYNDNS-support-mult.-interfaces-for-dyndns_iface-opt.patch
Patch0005: 0005-DYNDNS-special-value-for-dyndns_iface-option.patch
Patch0006: 0006-TESTS-dyndns-tests-support-AAAA-addresses.patch
Patch0007: 0007-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch
Patch0008: 0008-IPA-Better-debugging.patch
Patch0009: 0009-UTIL-Lower-debug-level-in-perform_checks.patch
Patch0010: 0010-IPA-Handle-sssd-owned-keytabs-when-running-as-root.patch
Patch0011: 0011-LDAP-use-ldb_binary_encode-when-printing-attribute-v.patch
Patch0012: 0012-IPA-Change-the-default-of-ldap_user_certificate-to-u.patch
Patch0013: 0013-UTIL-Provide-a-common-interface-to-safely-create-tem.patch
Patch0014: 0014-IPA-Always-re-fetch-the-keytab-from-the-IPA-server.patch
Patch0015: 0015-krb5-do-not-send-SSS_OTP-if-two-factors-were-used.patch
### Dependencies ###
Requires: sssd-common = %{version}-%{release}
@ -83,7 +68,6 @@ BuildRequires: popt-devel
BuildRequires: libtalloc-devel
BuildRequires: libtevent-devel
BuildRequires: libtdb-devel
BuildRequires: libldb-devel >= %{ldb_version}
BuildRequires: libdhash-devel >= 0.4.2
BuildRequires: libcollection-devel
@ -93,7 +77,6 @@ BuildRequires: dbus-libs
BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: nss-devel
BuildRequires: openssl-devel
BuildRequires: nspr-devel
BuildRequires: pcre-devel
BuildRequires: libxslt
@ -686,6 +669,7 @@ rm -rf $RPM_BUILD_ROOT
%{_libexecdir}/%{servicename}/sssd_autofs
%{_libexecdir}/%{servicename}/sssd_ssh
%{_libexecdir}/%{servicename}/sssd_sudo
%{_libexecdir}/%{servicename}/p11_child
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/libsss_simple.so
@ -776,7 +760,6 @@ rm -rf $RPM_BUILD_ROOT
%defattr(-,root,root,-)
%doc COPYING
%{_libdir}/%{name}/libsss_ad.so
%{_libdir}/%{name}/libsss_ad_common.so
%{_libexecdir}/%{servicename}/gpo_child
%{_mandir}/man5/sssd-ad.5*
@ -836,6 +819,7 @@ rm -rf $RPM_BUILD_ROOT
%{_sbindir}/sss_groupmod
%{_sbindir}/sss_groupshow
%{_sbindir}/sss_obfuscate
%{_sbindir}/sss_override
%{_sbindir}/sss_debuglevel
%{_sbindir}/sss_seed
%{_mandir}/man8/sss_groupadd.8*
@ -846,6 +830,7 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sss_userdel.8*
%{_mandir}/man8/sss_usermod.8*
%{_mandir}/man8/sss_obfuscate.8*
%{_mandir}/man8/sss_override.8*
%{_mandir}/man8/sss_debuglevel.8*
%{_mandir}/man8/sss_seed.8*
@ -1025,6 +1010,10 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Thu Oct 01 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.1-0
- New upstream release 1.13.1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1
* Thu Sep 10 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.0-6
- Fix OTP bug
- Resolves: upstream #2729 - Do not send SSS_OTP if both factors were