rpms/sssd
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Resolves: upstream#3573 - sssd won't show netgroups with blank domai

Browse Source 
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This commit is contained in:
Fabiano Fidêncio 2018-03-30 14:30:01 +02:00
parent 62a3258629
commit 40fe76feb8
3 changed files with 178 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
0001-IPA-Handle-empty-nisDomainName.patch Normal file
View File

@ -0,0 +1,87 @@
From f9b7073e5cd057cf961b34f99ea1dff0c86b5b6a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 17 Nov 2017 20:15:34 +0100
Subject: [PATCH 01/15] IPA: Handle empty nisDomainName
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/3573
If nisdomain=, i.e. a blank NIS domain name, sssd was not processing the
netgroup at all. This is not in agreement with man innetgr which says "Any of
the elements in a triple can be empty, which means that anything matches. The
functions described here allow access to the netgroup databases".
This patch instead returns an empty domain as well, which eventually
produces the same output as if the netgroup was requested from the
compat tree.
To reproduce the bug:
$ ipa netgroup-add
Netgroup name: emptydom
-------------------------
Added netgroup "emptydom"
-------------------------
Netgroup name: emptydom
NIS domain name: ipa.test
IPA unique ID: 164bc15a-f4b3-11e7-acdb-525400ca6df3
$ ipa netgroup-add-member
Netgroup name: emptydom
[member user]: admin
[member group]:
[member host]:
[member host group]:
[member netgroup]:
Netgroup name: emptydom
NIS domain name: ipa.test
Member User: admin
-------------------------
Number of members added 1
-------------------------
$ ipa netgroup-mod --nisdomain="" emptydom
----------------------------
Modified netgroup "emptydom"
----------------------------
Netgroup name: emptydom
Member User: admin
Then run:
getent negroup emptydom
without the patch, the netgroup won't be resolvable. It will resolve to
a netgroup triple that looks like this after the patch:
emptydom (-,admin,)
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ipa/ipa_netgroups.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index 5c929a485..05ebac758 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -953,7 +953,9 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
ret = sysdb_attrs_get_string(state->netgroups[i], SYSDB_NETGROUP_DOMAIN,
&domain);
- if (ret != EOK) {
+ if (ret == ENOENT) {
+ domain = NULL;
+ } else if (ret != EOK) {
goto done;
}
@@ -974,7 +976,7 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
for (k = 0; k < hosts_count; k++) {
triple = talloc_asprintf(state, "(%s,%s,%s)",
hosts[k], uids[j],
- domain);
+ domain ? domain : "");
if (triple == NULL) {
ret = ENOMEM;
goto done;
--
2.14.3

85
0002-intg-enhance-netgroups-test.patch Normal file
View File

@ -0,0 +1,85 @@
From 3adc0a2fac5f7f1f30f6b1f75f098d4b50e7cf35 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 5 Mar 2018 12:29:58 +0100
Subject: [PATCH 02/15] intg: enhance netgroups test
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/sssd_netgroup.py | 9 ++++++---
src/tests/intg/test_netgroup.py | 26 ++++++++++++++++++++++++++
2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py
index 3668d2e29..4c34ea61f 100644
--- a/src/tests/intg/sssd_netgroup.py
+++ b/src/tests/intg/sssd_netgroup.py
@@ -209,9 +209,12 @@ class NetgroupRetriever(object):
if result_p[0].type == NetgroupType.TRIPLE_VAL:
triple = result_p[0].val.triple
- result.append((triple.host.decode('utf-8'),
- triple.user.decode('utf-8'),
- triple.domain.decode('utf-8')))
+ result.append((triple.host and triple.host.decode('utf-8')
+ or "",
+ triple.user and triple.user.decode('utf-8')
+ or "",
+ triple.domain and triple.domain.decode('utf-8')
+ or ""))
res, errno, result_p = self._getnetgrent_r(result_p, buff,
buff_len)
diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
index 3cf5dac2e..06a1cfafd 100644
--- a/src/tests/intg/test_netgroup.py
+++ b/src/tests/intg/test_netgroup.py
@@ -106,6 +106,8 @@ def format_basic_conf(ldap_conn, schema):
services = nss
disable_netlink = true
+ [nss]
+
[domain/LDAP]
{schema_conf}
id_provider = ldap
@@ -222,6 +224,14 @@ def add_tripled_netgroup(request, ldap_conn):
ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)",
"(host2,user2,domain2)"])
+ ent_list.add_netgroup("tripled_netgroup_no_domain", ["(host,user,)"])
+
+ ent_list.add_netgroup("tripled_netgroup_no_user", ["(host,,domain)"])
+
+ ent_list.add_netgroup("tripled_netgroup_no_host", ["(,user,domain)"])
+
+ ent_list.add_netgroup("tripled_netgroup_none", ["(,,)"])
+
create_ldap_fixture(request, ldap_conn, ent_list)
conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
create_conf_fixture(request, conf)
@@ -243,6 +253,22 @@ def test_add_tripled_netgroup(add_tripled_netgroup):
assert sorted(netgrps) == sorted([("host1", "user1", "domain1"),
("host2", "user2", "domain2")])
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_domain")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("host", "user", "")]
+
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_user")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("host", "", "domain")]
+
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_host")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("", "user", "domain")]
+
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_none")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("", "", "")]
+
@pytest.fixture
def add_mixed_netgroup(request, ldap_conn):
--
2.14.3

7
sssd.spec
View File

@ -34,7 +34,7 @@
Name: sssd
Version: 1.16.1
Release: 1%{?dist}
Release: 2%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -42,6 +42,8 @@ URL: https://pagure.io/SSSD/sssd/
Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
### Patches ###
Patch0001: 0001-IPA-Handle-empty-nisDomainName.patch
Patch0002: 0002-intg-enhance-netgroups-test.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@ -1243,6 +1245,9 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
- Resolves: upstream#3573 - sssd won't show netgroups with blank domain
* Fri Mar 9 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-1
- New upstream release 1.16.1
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_1.html