From 1fd6df717727f7b0ce09568f25e2988e72c33aa7 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 11 Mar 2014 13:35:03 +0100
Subject: [PATCH] Include couple of patches from upstream 1.11 branch

---
 ...t-call-tevent_req_post-outside-_send.patch |  29 ++++
 ...f-apply_subdomain_homedir-returns-EN.patch |  27 ++++
 ...use-lower-case-user-name-for-home-di.patch |  50 +++++++
 ...-not-save-intermediate-data-to-sysdb.patch | 101 ++++++++++++++
 ...w-when-FAST-only-preauth-methods-are.patch | 127 ++++++++++++++++++
 ...IPA-Use-GC-for-AD-initgroup-requests.patch |  46 +++++++
 sssd.spec                                     |  12 +-
 7 files changed, 391 insertions(+), 1 deletion(-)
 create mode 100644 0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch
 create mode 100644 0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch
 create mode 100644 0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch
 create mode 100644 0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch
 create mode 100644 0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch
 create mode 100644 0006-IPA-Use-GC-for-AD-initgroup-requests.patch

diff --git a/0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch b/0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch
new file mode 100644
index 0000000..41ad079
--- /dev/null
+++ b/0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch
@@ -0,0 +1,29 @@
+From 0c2004f594b219c39c684222a88226d7c2a3befb Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 19 Feb 2014 15:00:15 +0100
+Subject: [PATCH 1/6] IPA: Don't call tevent_req_post outside _send
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 6d4574a8dd1a9cafbb15631e7d01bdf6e67f821b)
+---
+ src/providers/ipa/ipa_subdomains_id.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index b61c6a5f4d7605f0cdfa182bbc933d35c4613a79..c15bdaa703835ab07a9b3b21d1304220a01eac10 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -580,7 +580,6 @@ ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq)
+ fail:
+     state->dp_error = DP_ERR_FATAL;
+     tevent_req_error(req, ret);
+-    tevent_req_post(req, state->ev);
+     return;
+ }
+ 
+-- 
+1.8.5.3
+
diff --git a/0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch b/0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch
new file mode 100644
index 0000000..d0f2a55
--- /dev/null
+++ b/0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch
@@ -0,0 +1,27 @@
+From 22926e00fdfb838e9bb9c5b32b16b499cd2ee5f3 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 19 Feb 2014 15:34:34 +0100
+Subject: [PATCH 2/6] IPA: Don't fail if apply_subdomain_homedir returns ENOENT
+
+Reviewed-by: Pavel Reichl <preichl@redhat.com>
+(cherry picked from commit 26786da26706aeedbda4caea0383c143ed4e59dc)
+---
+ src/providers/ipa/ipa_subdomains_id.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index c15bdaa703835ab07a9b3b21d1304220a01eac10..637dd61f9f272eb4ac4ecb8368d2210801bb0373 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -550,7 +550,7 @@ ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq)
+     ret = apply_subdomain_homedir(state, state->user_dom,
+                                   state->ar->filter_type,
+                                   state->ar->filter_value);
+-    if (ret != EOK) {
++    if (ret != EOK && ret != ENOENT) {
+         DEBUG(SSSDBG_OP_FAILURE,
+               ("apply_subdomain_homedir failed: [%d]: [%s].\n",
+                ret, sss_strerror(ret)));
+-- 
+1.8.5.3
+
diff --git a/0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch b/0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch
new file mode 100644
index 0000000..81180fe
--- /dev/null
+++ b/0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch
@@ -0,0 +1,50 @@
+From 8ad066fb0ca6e543bd99b93bdd52866eddfceb12 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 3 Mar 2014 12:40:43 +0100
+Subject: [PATCH 3/6] ipa-server-mode: use lower-case user name for home dir
+
+In older IPA server versions where the AD users where looked up by
+winbind the user name component of the home directory path was always
+lower case.  This still holds for IPA clients as well. To avoid
+regression this patch makes the user name component lower case as well.
+
+Fixes https://fedorahosted.org/sssd/ticket/2263
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 48b1db73639135dd4a15ee153f958c912836c621)
+---
+ src/providers/ipa/ipa_subdomains_id.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index 637dd61f9f272eb4ac4ecb8368d2210801bb0373..00993c496c1d100b37a780828c81492c2fac6157 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -358,6 +358,7 @@ get_subdomain_homedir_of_user(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+ {
+     errno_t ret;
+     char *name;
++    char *lc_name;
+     const char *homedir;
+     TALLOC_CTX *tmp_ctx;
+ 
+@@ -372,7 +373,15 @@ get_subdomain_homedir_of_user(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+         goto done;
+     }
+ 
+-    homedir = expand_homedir_template(tmp_ctx, dom->subdomain_homedir, name,
++    /* To be compatible with the old winbind based user lookups and IPA
++     * clients the user name in the home directory path will be lower-case. */
++    lc_name = sss_tc_utf8_str_tolower(tmp_ctx, name);
++    if (lc_name == NULL) {
++        ret =ENOMEM;
++        goto done;
++    }
++
++    homedir = expand_homedir_template(tmp_ctx, dom->subdomain_homedir, lc_name,
+                                       uid, NULL, dom->name, dom->flat_name);
+ 
+     if (homedir == NULL) {
+-- 
+1.8.5.3
+
diff --git a/0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch b/0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch
new file mode 100644
index 0000000..946208c
--- /dev/null
+++ b/0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch
@@ -0,0 +1,101 @@
+From e9383f540242084b9c61161642c1a62304607be5 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 4 Mar 2014 13:48:36 +0100
+Subject: [PATCH 4/6] IPA: Do not save intermediate data to sysdb
+
+https://fedorahosted.org/sssd/ticket/2264
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/ipa/ipa_selinux.c | 68 ++++++++++++++++++++---------------------
+ 1 file changed, 34 insertions(+), 34 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
+index c227db937a84228c0f3945dbe11ba904c7ad9744..2209ca188654d8c79ee402ba71beeadab2904093 100644
+--- a/src/providers/ipa/ipa_selinux.c
++++ b/src/providers/ipa/ipa_selinux.c
+@@ -251,6 +251,40 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
+         goto fail;
+     }
+ 
++    ret = sysdb_transaction_start(sysdb);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to start transaction\n"));
++        goto fail;
++    }
++    in_transaction = true;
++
++    ret = sysdb_delete_usermaps(op_ctx->domain->sysdb, op_ctx->domain);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE,
++              ("Cannot delete existing maps from sysdb\n"));
++        goto fail;
++    }
++
++    ret = sysdb_store_selinux_config(sysdb, op_ctx->domain,
++                                     default_user, map_order);
++    if (ret != EOK) {
++        goto fail;
++    }
++
++    if (map_count > 0 && maps != NULL) {
++        ret = ipa_save_user_maps(sysdb, op_ctx->domain, map_count, maps);
++        if (ret != EOK) {
++            goto fail;
++        }
++    }
++
++    ret = sysdb_transaction_commit(sysdb);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, ("Could not commit transaction\n"));
++        goto fail;
++    }
++    in_transaction = false;
++
+     /* Process the maps and return list of best matches (maps with
+      * highest priority). The input maps are also parent memory
+      * context for the output list of best matches. The best match
+@@ -279,40 +313,6 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
+         goto fail;
+     }
+ 
+-    ret = sysdb_transaction_start(sysdb);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to start transaction\n"));
+-        goto fail;
+-    }
+-    in_transaction = true;
+-
+-    ret = sysdb_delete_usermaps(op_ctx->domain->sysdb, op_ctx->domain);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              ("Cannot delete existing maps from sysdb\n"));
+-        goto fail;
+-    }
+-
+-    ret = sysdb_store_selinux_config(sysdb, op_ctx->domain,
+-                                     default_user, map_order);
+-    if (ret != EOK) {
+-        goto fail;
+-    }
+-
+-    if (map_count > 0 && maps != NULL) {
+-        ret = ipa_save_user_maps(sysdb, op_ctx->domain, map_count, maps);
+-        if (ret != EOK) {
+-            goto fail;
+-        }
+-    }
+-
+-    ret = sysdb_transaction_commit(sysdb);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_OP_FAILURE, ("Could not commit transaction\n"));
+-        goto fail;
+-    }
+-    in_transaction = false;
+-
+     /* If we got here in online mode, set last_update to current time */
+     if (!be_is_offline(be_ctx)) {
+         op_ctx->selinux_ctx->last_update = time(NULL);
+-- 
+1.8.5.3
+
diff --git a/0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch b/0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch
new file mode 100644
index 0000000..12745d1
--- /dev/null
+++ b/0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch
@@ -0,0 +1,127 @@
+From 80e2cbb00c796a332cc5f13cfe17af9b040f8e57 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Fri, 7 Mar 2014 12:21:11 -0500
+Subject: [PATCH 5/6] Fix krb5 changepw when FAST-only preauth methods are used
+ (like OTP)
+
+Before this patch, a different set of options was used when calling
+krb5_get_init_creds_password() for the changepw principal. Because
+this set of options did not contain the same FAST settings as the
+options for normal requests, all authentication would fail when the
+password of a FAST-only account would expire.
+
+The two sets approach was cargo-cult from kinit where multiple
+requests could be issued using the same options set. However, in the
+case of krb5_child, only one request (or occasionally a well-defined
+second request) will be issued. Two option sets are therefore not
+required.
+
+To fix this problem we removed the second option set used for changepw
+requests. All requests now use a single option set which is modified,
+if needed, for well-defined subsequent requests.
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/krb5/krb5_child.c | 40 ++++++----------------------------------
+ 1 file changed, 6 insertions(+), 34 deletions(-)
+
+diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
+index bd937e8081df4a5637a4267c356c1f9a08965b42..e9febe4756ca5b56f0b1c04d21d1fcf450315b8b 100644
+--- a/src/providers/krb5/krb5_child.c
++++ b/src/providers/krb5/krb5_child.c
+@@ -65,27 +65,14 @@ struct krb5_req {
+ static krb5_context krb5_error_ctx;
+ #define KRB5_CHILD_DEBUG(level, error) KRB5_DEBUG(level, krb5_error_ctx, error)
+ 
+-static krb5_error_code get_changepw_options(krb5_context ctx,
+-                                            krb5_get_init_creds_opt **_options)
++static void set_changepw_options(krb5_context ctx,
++                                 krb5_get_init_creds_opt *options)
+ {
+-    krb5_get_init_creds_opt *options;
+-    krb5_error_code kerr;
+-
+-    kerr = sss_krb5_get_init_creds_opt_alloc(ctx, &options);
+-    if (kerr != 0) {
+-        KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+-        return kerr;
+-    }
+-
+     sss_krb5_get_init_creds_opt_set_canonicalize(options, 0);
+     krb5_get_init_creds_opt_set_forwardable(options, 0);
+     krb5_get_init_creds_opt_set_proxiable(options, 0);
+     krb5_get_init_creds_opt_set_renew_life(options, 0);
+     krb5_get_init_creds_opt_set_tkt_life(options, 5*60);
+-
+-    *_options = options;
+-
+-    return 0;
+ }
+ 
+ static errno_t sss_send_pac(krb5_authdata **pac_authdata)
+@@ -1023,7 +1010,6 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
+     krb5_prompter_fct prompter = NULL;
+     const char *realm_name;
+     int realm_length;
+-    krb5_get_init_creds_opt *chagepw_options;
+     size_t msg_len;
+     uint8_t *msg;
+ 
+@@ -1041,12 +1027,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
+         prompter = sss_krb5_prompter;
+     }
+ 
+-    kerr = get_changepw_options(kr->ctx, &chagepw_options);
+-    if (kerr != 0) {
+-        DEBUG(SSSDBG_OP_FAILURE, ("get_changepw_options failed.\n"));
+-        return kerr;
+-    }
+-
++    set_changepw_options(kr->ctx, kr->options);
+     sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);
+ 
+     DEBUG(SSSDBG_TRACE_FUNC,
+@@ -1055,8 +1036,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
+                                         discard_const(password),
+                                         prompter, kr, 0,
+                                         SSSD_KRB5_CHANGEPW_PRINCIPAL,
+-                                        chagepw_options);
+-    sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options);
++                                        kr->options);
+     if (kerr != 0) {
+         ret = pack_user_info_chpass_error(kr->pd, "Old password not accepted.",
+                                           &msg_len, &msg);
+@@ -1164,7 +1144,6 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
+ 
+ static errno_t tgt_req_child(struct krb5_req *kr)
+ {
+-    krb5_get_init_creds_opt *chagepw_options;
+     const char *password = NULL;
+     krb5_error_code kerr;
+     int ret;
+@@ -1210,19 +1189,12 @@ static errno_t tgt_req_child(struct krb5_req *kr)
+         DEBUG(1, ("Failed to unset expire callback, continue ...\n"));
+     }
+ 
+-    kerr = get_changepw_options(kr->ctx, &chagepw_options);
+-    if (kerr != 0) {
+-        DEBUG(SSSDBG_OP_FAILURE, ("get_changepw_options failed.\n"));
+-        return kerr;
+-    }
+-
++    set_changepw_options(kr->ctx, kr->options);
+     kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
+                                         discard_const(password),
+                                         sss_krb5_prompter, kr, 0,
+                                         SSSD_KRB5_CHANGEPW_PRINCIPAL,
+-                                        chagepw_options);
+-
+-    sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options);
++                                        kr->options);
+ 
+     krb5_free_cred_contents(kr->ctx, kr->creds);
+     if (kerr == 0) {
+-- 
+1.8.5.3
+
diff --git a/0006-IPA-Use-GC-for-AD-initgroup-requests.patch b/0006-IPA-Use-GC-for-AD-initgroup-requests.patch
new file mode 100644
index 0000000..6407cc0
--- /dev/null
+++ b/0006-IPA-Use-GC-for-AD-initgroup-requests.patch
@@ -0,0 +1,46 @@
+From f87c0437c9c94a7f447688c0152220ad51dc3a0e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 6 Mar 2014 15:37:57 +0100
+Subject: [PATCH 6/6] IPA: Use GC for AD initgroup requests
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+ src/providers/ipa/ipa_subdomains_id.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index 00993c496c1d100b37a780828c81492c2fac6157..978ccc261d7525662e835b867044b6a5238a29df 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -307,13 +307,22 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
+     /* Currently only LDAP port for AD is used because POSIX
+      * attributes are not replicated to GC by default
+      */
+-    clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
+-    if (clist == NULL) {
+-        ret = ENOMEM;
+-        goto fail;
++
++    if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
++        clist = ad_gc_conn_list(req, ad_id_ctx, state->user_dom);
++        if (clist == NULL) {
++            ret = ENOMEM;
++            goto fail;
++        }
++    } else {
++        clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
++        if (clist == NULL) {
++            ret = ENOMEM;
++            goto fail;
++        }
++        clist[0] = ad_id_ctx->ldap_ctx;
++        clist[1] = NULL;
+     }
+-    clist[0] = ad_id_ctx->ldap_ctx;
+-    clist[1] = NULL;
+ 
+     /* Now we already need ad_id_ctx in particular sdap_id_conn_ctx */
+     sdom = sdap_domain_get(sdap_id_ctx->opts, state->user_dom);
+-- 
+1.8.5.3
+
diff --git a/sssd.spec b/sssd.spec
index 13e022f..cfd434a 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -14,7 +14,7 @@
 
 Name: sssd
 Version: 1.11.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -23,6 +23,13 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 ### Patches ###
+Patch0001: 0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch
+Patch0002: 0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch
+Patch0003: 0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch
+Patch0004: 0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch
+Patch0005: 0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch
+Patch0006: 0006-IPA-Use-GC-for-AD-initgroup-requests.patch
+
 Patch0602:  0602-FEDORA-Add-CIFS-idmap-plugin.patch
 
 ### Dependencies ###
@@ -730,6 +737,9 @@ fi
 %postun -n libsss_idmap -p /sbin/ldconfig
 
 %changelog
+* Mon Mar 11 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.11.4-2
+- Include couple of patches from upstream 1.11 branch
+
 * Mon Feb 17 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.11.4-1
 - New upstream release 1.11.4
 - Remove upstreamed patch