diff --git a/0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch b/0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch
deleted file mode 100644
index 41ad079..0000000
--- a/0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 0c2004f594b219c39c684222a88226d7c2a3befb Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Wed, 19 Feb 2014 15:00:15 +0100
-Subject: [PATCH 1/6] IPA: Don't call tevent_req_post outside _send
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Pavel Březina
-(cherry picked from commit 6d4574a8dd1a9cafbb15631e7d01bdf6e67f821b)
----
- src/providers/ipa/ipa_subdomains_id.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
-index b61c6a5f4d7605f0cdfa182bbc933d35c4613a79..c15bdaa703835ab07a9b3b21d1304220a01eac10 100644
---- a/src/providers/ipa/ipa_subdomains_id.c
-+++ b/src/providers/ipa/ipa_subdomains_id.c
-@@ -580,7 +580,6 @@ ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq)
- fail:
- state->dp_error = DP_ERR_FATAL;
- tevent_req_error(req, ret);
-- tevent_req_post(req, state->ev);
- return;
- }
-
----
-1.8.5.3
-
diff --git a/0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch b/0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch
deleted file mode 100644
index d0f2a55..0000000
--- a/0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 22926e00fdfb838e9bb9c5b32b16b499cd2ee5f3 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Wed, 19 Feb 2014 15:34:34 +0100
-Subject: [PATCH 2/6] IPA: Don't fail if apply_subdomain_homedir returns ENOENT
-
-Reviewed-by: Pavel Reichl
-(cherry picked from commit 26786da26706aeedbda4caea0383c143ed4e59dc)
----
- src/providers/ipa/ipa_subdomains_id.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
-index c15bdaa703835ab07a9b3b21d1304220a01eac10..637dd61f9f272eb4ac4ecb8368d2210801bb0373 100644
---- a/src/providers/ipa/ipa_subdomains_id.c
-+++ b/src/providers/ipa/ipa_subdomains_id.c
-@@ -550,7 +550,7 @@ ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq)
- ret = apply_subdomain_homedir(state, state->user_dom,
- state->ar->filter_type,
- state->ar->filter_value);
-- if (ret != EOK) {
-+ if (ret != EOK && ret != ENOENT) {
- DEBUG(SSSDBG_OP_FAILURE,
- ("apply_subdomain_homedir failed: [%d]: [%s].\n",
- ret, sss_strerror(ret)));
----
-1.8.5.3
-
diff --git a/0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch b/0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch
deleted file mode 100644
index 81180fe..0000000
--- a/0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 8ad066fb0ca6e543bd99b93bdd52866eddfceb12 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Mon, 3 Mar 2014 12:40:43 +0100
-Subject: [PATCH 3/6] ipa-server-mode: use lower-case user name for home dir
-
-In older IPA server versions where the AD users where looked up by
-winbind the user name component of the home directory path was always
-lower case. This still holds for IPA clients as well. To avoid
-regression this patch makes the user name component lower case as well.
-
-Fixes https://fedorahosted.org/sssd/ticket/2263
-
-Reviewed-by: Jakub Hrozek
-(cherry picked from commit 48b1db73639135dd4a15ee153f958c912836c621)
----
- src/providers/ipa/ipa_subdomains_id.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
-index 637dd61f9f272eb4ac4ecb8368d2210801bb0373..00993c496c1d100b37a780828c81492c2fac6157 100644
---- a/src/providers/ipa/ipa_subdomains_id.c
-+++ b/src/providers/ipa/ipa_subdomains_id.c
-@@ -358,6 +358,7 @@ get_subdomain_homedir_of_user(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
- {
- errno_t ret;
- char *name;
-+ char *lc_name;
- const char *homedir;
- TALLOC_CTX *tmp_ctx;
-
-@@ -372,7 +373,15 @@ get_subdomain_homedir_of_user(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
- goto done;
- }
-
-- homedir = expand_homedir_template(tmp_ctx, dom->subdomain_homedir, name,
-+ /* To be compatible with the old winbind based user lookups and IPA
-+ * clients the user name in the home directory path will be lower-case. */
-+ lc_name = sss_tc_utf8_str_tolower(tmp_ctx, name);
-+ if (lc_name == NULL) {
-+ ret =ENOMEM;
-+ goto done;
-+ }
-+
-+ homedir = expand_homedir_template(tmp_ctx, dom->subdomain_homedir, lc_name,
- uid, NULL, dom->name, dom->flat_name);
-
- if (homedir == NULL) {
----
-1.8.5.3
-
diff --git a/0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch b/0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch
deleted file mode 100644
index 946208c..0000000
--- a/0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From e9383f540242084b9c61161642c1a62304607be5 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek
-Date: Tue, 4 Mar 2014 13:48:36 +0100
-Subject: [PATCH 4/6] IPA: Do not save intermediate data to sysdb
-
-https://fedorahosted.org/sssd/ticket/2264
-
-Reviewed-by: Sumit Bose
----
- src/providers/ipa/ipa_selinux.c | 68 ++++++++++++++++++++---------------------
- 1 file changed, 34 insertions(+), 34 deletions(-)
-
-diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
-index c227db937a84228c0f3945dbe11ba904c7ad9744..2209ca188654d8c79ee402ba71beeadab2904093 100644
---- a/src/providers/ipa/ipa_selinux.c
-+++ b/src/providers/ipa/ipa_selinux.c
-@@ -251,6 +251,40 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
- goto fail;
- }
-
-+ ret = sysdb_transaction_start(sysdb);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to start transaction\n"));
-+ goto fail;
-+ }
-+ in_transaction = true;
-+
-+ ret = sysdb_delete_usermaps(op_ctx->domain->sysdb, op_ctx->domain);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ ("Cannot delete existing maps from sysdb\n"));
-+ goto fail;
-+ }
-+
-+ ret = sysdb_store_selinux_config(sysdb, op_ctx->domain,
-+ default_user, map_order);
-+ if (ret != EOK) {
-+ goto fail;
-+ }
-+
-+ if (map_count > 0 && maps != NULL) {
-+ ret = ipa_save_user_maps(sysdb, op_ctx->domain, map_count, maps);
-+ if (ret != EOK) {
-+ goto fail;
-+ }
-+ }
-+
-+ ret = sysdb_transaction_commit(sysdb);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, ("Could not commit transaction\n"));
-+ goto fail;
-+ }
-+ in_transaction = false;
-+
- /* Process the maps and return list of best matches (maps with
- * highest priority). The input maps are also parent memory
- * context for the output list of best matches. The best match
-@@ -279,40 +313,6 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
- goto fail;
- }
-
-- ret = sysdb_transaction_start(sysdb);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to start transaction\n"));
-- goto fail;
-- }
-- in_transaction = true;
--
-- ret = sysdb_delete_usermaps(op_ctx->domain->sysdb, op_ctx->domain);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- ("Cannot delete existing maps from sysdb\n"));
-- goto fail;
-- }
--
-- ret = sysdb_store_selinux_config(sysdb, op_ctx->domain,
-- default_user, map_order);
-- if (ret != EOK) {
-- goto fail;
-- }
--
-- if (map_count > 0 && maps != NULL) {
-- ret = ipa_save_user_maps(sysdb, op_ctx->domain, map_count, maps);
-- if (ret != EOK) {
-- goto fail;
-- }
-- }
--
-- ret = sysdb_transaction_commit(sysdb);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, ("Could not commit transaction\n"));
-- goto fail;
-- }
-- in_transaction = false;
--
- /* If we got here in online mode, set last_update to current time */
- if (!be_is_offline(be_ctx)) {
- op_ctx->selinux_ctx->last_update = time(NULL);
----
-1.8.5.3
-
diff --git a/0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch b/0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch
deleted file mode 100644
index 12745d1..0000000
--- a/0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 80e2cbb00c796a332cc5f13cfe17af9b040f8e57 Mon Sep 17 00:00:00 2001
-From: Nathaniel McCallum
-Date: Fri, 7 Mar 2014 12:21:11 -0500
-Subject: [PATCH 5/6] Fix krb5 changepw when FAST-only preauth methods are used
- (like OTP)
-
-Before this patch, a different set of options was used when calling
-krb5_get_init_creds_password() for the changepw principal. Because
-this set of options did not contain the same FAST settings as the
-options for normal requests, all authentication would fail when the
-password of a FAST-only account would expire.
-
-The two sets approach was cargo-cult from kinit where multiple
-requests could be issued using the same options set. However, in the
-case of krb5_child, only one request (or occasionally a well-defined
-second request) will be issued. Two option sets are therefore not
-required.
-
-To fix this problem we removed the second option set used for changepw
-requests. All requests now use a single option set which is modified,
-if needed, for well-defined subsequent requests.
-
-Reviewed-by: Jakub Hrozek
-Reviewed-by: Sumit Bose
----
- src/providers/krb5/krb5_child.c | 40 ++++++----------------------------------
- 1 file changed, 6 insertions(+), 34 deletions(-)
-
-diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
-index bd937e8081df4a5637a4267c356c1f9a08965b42..e9febe4756ca5b56f0b1c04d21d1fcf450315b8b 100644
---- a/src/providers/krb5/krb5_child.c
-+++ b/src/providers/krb5/krb5_child.c
-@@ -65,27 +65,14 @@ struct krb5_req {
- static krb5_context krb5_error_ctx;
- #define KRB5_CHILD_DEBUG(level, error) KRB5_DEBUG(level, krb5_error_ctx, error)
-
--static krb5_error_code get_changepw_options(krb5_context ctx,
-- krb5_get_init_creds_opt **_options)
-+static void set_changepw_options(krb5_context ctx,
-+ krb5_get_init_creds_opt *options)
- {
-- krb5_get_init_creds_opt *options;
-- krb5_error_code kerr;
--
-- kerr = sss_krb5_get_init_creds_opt_alloc(ctx, &options);
-- if (kerr != 0) {
-- KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
-- return kerr;
-- }
--
- sss_krb5_get_init_creds_opt_set_canonicalize(options, 0);
- krb5_get_init_creds_opt_set_forwardable(options, 0);
- krb5_get_init_creds_opt_set_proxiable(options, 0);
- krb5_get_init_creds_opt_set_renew_life(options, 0);
- krb5_get_init_creds_opt_set_tkt_life(options, 5*60);
--
-- *_options = options;
--
-- return 0;
- }
-
- static errno_t sss_send_pac(krb5_authdata **pac_authdata)
-@@ -1023,7 +1010,6 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
- krb5_prompter_fct prompter = NULL;
- const char *realm_name;
- int realm_length;
-- krb5_get_init_creds_opt *chagepw_options;
- size_t msg_len;
- uint8_t *msg;
-
-@@ -1041,12 +1027,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
- prompter = sss_krb5_prompter;
- }
-
-- kerr = get_changepw_options(kr->ctx, &chagepw_options);
-- if (kerr != 0) {
-- DEBUG(SSSDBG_OP_FAILURE, ("get_changepw_options failed.\n"));
-- return kerr;
-- }
--
-+ set_changepw_options(kr->ctx, kr->options);
- sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);
-
- DEBUG(SSSDBG_TRACE_FUNC,
-@@ -1055,8 +1036,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
- discard_const(password),
- prompter, kr, 0,
- SSSD_KRB5_CHANGEPW_PRINCIPAL,
-- chagepw_options);
-- sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options);
-+ kr->options);
- if (kerr != 0) {
- ret = pack_user_info_chpass_error(kr->pd, "Old password not accepted.",
- &msg_len, &msg);
-@@ -1164,7 +1144,6 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
-
- static errno_t tgt_req_child(struct krb5_req *kr)
- {
-- krb5_get_init_creds_opt *chagepw_options;
- const char *password = NULL;
- krb5_error_code kerr;
- int ret;
-@@ -1210,19 +1189,12 @@ static errno_t tgt_req_child(struct krb5_req *kr)
- DEBUG(1, ("Failed to unset expire callback, continue ...\n"));
- }
-
-- kerr = get_changepw_options(kr->ctx, &chagepw_options);
-- if (kerr != 0) {
-- DEBUG(SSSDBG_OP_FAILURE, ("get_changepw_options failed.\n"));
-- return kerr;
-- }
--
-+ set_changepw_options(kr->ctx, kr->options);
- kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
- discard_const(password),
- sss_krb5_prompter, kr, 0,
- SSSD_KRB5_CHANGEPW_PRINCIPAL,
-- chagepw_options);
--
-- sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options);
-+ kr->options);
-
- krb5_free_cred_contents(kr->ctx, kr->creds);
- if (kerr == 0) {
----
-1.8.5.3
-
diff --git a/0006-IPA-Use-GC-for-AD-initgroup-requests.patch b/0006-IPA-Use-GC-for-AD-initgroup-requests.patch
deleted file mode 100644
index 6407cc0..0000000
--- a/0006-IPA-Use-GC-for-AD-initgroup-requests.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From f87c0437c9c94a7f447688c0152220ad51dc3a0e Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Thu, 6 Mar 2014 15:37:57 +0100
-Subject: [PATCH 6/6] IPA: Use GC for AD initgroup requests
-
-Reviewed-by: Jakub Hrozek
----
- src/providers/ipa/ipa_subdomains_id.c | 21 +++++++++++++++------
- 1 file changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
-index 00993c496c1d100b37a780828c81492c2fac6157..978ccc261d7525662e835b867044b6a5238a29df 100644
---- a/src/providers/ipa/ipa_subdomains_id.c
-+++ b/src/providers/ipa/ipa_subdomains_id.c
-@@ -307,13 +307,22 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
- /* Currently only LDAP port for AD is used because POSIX
- * attributes are not replicated to GC by default
- */
-- clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
-- if (clist == NULL) {
-- ret = ENOMEM;
-- goto fail;
-+
-+ if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
-+ clist = ad_gc_conn_list(req, ad_id_ctx, state->user_dom);
-+ if (clist == NULL) {
-+ ret = ENOMEM;
-+ goto fail;
-+ }
-+ } else {
-+ clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
-+ if (clist == NULL) {
-+ ret = ENOMEM;
-+ goto fail;
-+ }
-+ clist[0] = ad_id_ctx->ldap_ctx;
-+ clist[1] = NULL;
- }
-- clist[0] = ad_id_ctx->ldap_ctx;
-- clist[1] = NULL;
-
- /* Now we already need ad_id_ctx in particular sdap_id_conn_ctx */
- sdom = sdap_domain_get(sdap_id_ctx->opts, state->user_dom);
----
-1.8.5.3
-
diff --git a/0007-IPA-KRB5-handle-KRB5_PROG_ETYPE_NOSUPP-during-IPA-pa.patch b/0007-IPA-KRB5-handle-KRB5_PROG_ETYPE_NOSUPP-during-IPA-pa.patch
deleted file mode 100644
index a72dd18..0000000
--- a/0007-IPA-KRB5-handle-KRB5_PROG_ETYPE_NOSUPP-during-IPA-pa.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 63bf0b7697d5a51b5338070d0e2652d49a4728ce Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Tue, 11 Mar 2014 13:16:14 +0100
-Subject: [PATCH] IPA/KRB5: handle KRB5_PROG_ETYPE_NOSUPP during IPA password
- migration
-
-Fixes https://fedorahosted.org/sssd/ticket/2279
-
-Reviewed-by: Jakub Hrozek
----
- src/providers/krb5/krb5_child.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
-index 1a677b8..1bff0e9 100644
---- a/src/providers/krb5/krb5_child.c
-+++ b/src/providers/krb5/krb5_child.c
-@@ -990,6 +990,10 @@ static errno_t map_krb5_error(krb5_error_code kerr)
- case KRB5KRB_AP_ERR_BAD_INTEGRITY:
- return ERR_AUTH_FAILED;
-
-+ /* ERR_CREDS_INVALID is used to indicate to the IPA provider that trying
-+ * password migration would make sense. All Kerberos error codes which can
-+ * be seen while migrating LDAP users to IPA should be added here. */
-+ case KRB5_PROG_ETYPE_NOSUPP:
- case KRB5_PREAUTH_FAILED:
- case KRB5KDC_ERR_PREAUTH_FAILED:
- return ERR_CREDS_INVALID;
----
-1.8.3.1
-