Fix regression with krb5_map_user

- Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore
- Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError:
                           default if nonexistent domain is mentioned
Lukas Slebodnik 2016-09-22 22:28:47 +02:00
parent 0fe5246e1a
commit 640e44ca24
41 changed files with 4552 additions and 2 deletions


@ -0,0 +1,38 @@
From 344773c4c6949757d9719850191229481c9733a9 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Thu, 1 Sep 2016 17:25:23 +0200
Subject: [PATCH 40/79] SYSDB: Suppress warning from clang static analyser
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
scan-build wrongly assumes that the output variable
"version" is not initialized if the function sysdb_cache_connect
returns ERR_SYSDB_VERSION_TOO_OLD or ERR_SYSDB_VERSION_TOO_NEW.
The reality is that the output variable "version" is initialized
especially for these two cases. Initialisation to NULL suppresses
these false-positive reports.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 3f6aecfe5061e165c10829142854ec7189029407)
---
src/db/sysdb_init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c
index d110aa7a2878e47650db177cfd342d0ac32248ab..538ba027cd94e274ba328d398cc565b11ea56f39 100644
--- a/src/db/sysdb_init.c
+++ b/src/db/sysdb_init.c
@@ -688,7 +688,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb,
struct sysdb_dom_upgrade_ctx *upgrade_ctx)
{
errno_t ret;
- const char *version;
+ const char *version = NULL;
TALLOC_CTX *tmp_ctx;
struct ldb_context *ldb;
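Review bot: the NULL initialisation in `const char *version = NULL;` silences scan-build, but only because the analyser cannot see that sysdb_cache_connect sets `version` on the ERR_SYSDB_VERSION_TOO_OLD / ERR_SYSDB_VERSION_TOO_NEW paths. If a later change to that function leaves `version` unset on some error path, the code below will dereference NULL instead of tripping the analyser; a NULL check before the first use of `version` in the TOO_OLD / TOO_NEW handling keeps the protection the warning was giving.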
--
2.9.3


@ -0,0 +1,33 @@
From 96e8cf44298c257d509219dd9c45b8cdae792ab5 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 6 Sep 2016 12:13:08 +0200
Subject: [PATCH 41/79] TOOLS: Fix a typo in groupadd()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://fedorahosted.org/sssd/ticket/3173
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 6be723a089a1e07a1cd19b4fa53fd142c13f0c69)
---
src/tools/sss_sync_ops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tools/sss_sync_ops.c b/src/tools/sss_sync_ops.c
index a23a0b8c30366d2fb68554bfed184b8fce675e2b..39ef5bec96bd3942da8a8adfd21c99b03a77e551 100644
--- a/src/tools/sss_sync_ops.c
+++ b/src/tools/sss_sync_ops.c
@@ -657,7 +657,7 @@ int groupadd(struct ops_ctx *data)
int ret;
data->sysdb_fqname = sss_create_internal_fqname(data,
- data->sysdb_fqname,
+ data->name,
data->domain->name);
if (data->sysdb_fqname == NULL) {
return ENOMEM;
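Review bot: the old call fed `data->sysdb_fqname` back in as the input name of sss_create_internal_fqname while also assigning the result to `data->sysdb_fqname`, so the group was created from whatever that field held (normally NULL) rather than from `data->name`. Worth grepping the sibling useradd()/usermod()/groupmod() paths in sss_sync_ops.c for the same output-field-as-input mistake; a regression test for this path only lands in the following patch (TESTS: sss_groupadd/groupshow regressions).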
--
2.9.3


@ -0,0 +1,60 @@
From e69c1ed1452b43fafb31e252589d7a5aa37f9cf7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Tue, 6 Sep 2016 13:46:53 +0200
Subject: [PATCH 42/79] TOOLS: sss_groupshow did not work
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sss_groupshow used the shortname to search
in the sysdb database. We have to use the sysdb_fqname
(aka internal_fqname) format for all sysdb
operations.
Resolves:
https://fedorahosted.org/sssd/ticket/3175
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 5210c5d3a5a83b5d08396ee23d88f6ba0994097d)
---
src/tools/sss_groupshow.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
index 41d7475cef1093a4cb214ec4b017db59e6c26fe2..5870cc802c70366c47a0d30cb0d9795cf6035bc5 100644
--- a/src/tools/sss_groupshow.c
+++ b/src/tools/sss_groupshow.c
@@ -318,7 +318,7 @@ int group_show(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,
bool recursive,
- const char *name,
+ const char *shortname,
struct group_info **res)
{
struct group_info *root;
@@ -326,11 +326,20 @@ int group_show(TALLOC_CTX *mem_ctx,
struct ldb_message *msg = NULL;
const char **group_members = NULL;
int nmembers = 0;
+ char *sysdb_fqname = NULL;
int ret;
int i;
+ sysdb_fqname = sss_create_internal_fqname(mem_ctx,
+ shortname,
+ domain->name);
+ if (sysdb_fqname == NULL) {
+ return ENOMEM;
+ }
+
/* First, search for the root group */
- ret = sysdb_search_group_by_name(mem_ctx, domain, name, attrs, &msg);
+ ret = sysdb_search_group_by_name(mem_ctx, domain, sysdb_fqname, attrs,
+ &msg);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Search failed: %s (%d)\n", strerror(ret), ret);
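Review bot: `sysdb_fqname` is allocated on `mem_ctx`, the caller's context, and is not freed anywhere in the shown code, so every group_show() call, including the recursive ones the `recursive` parameter implies, leaks the string into the caller's context until that is freed. Either `talloc_free(sysdb_fqname)` once sysdb_search_group_by_name() has returned (the returned message is a fresh ldb_message and does not point into the name) or allocate it on a temporary context. The early `return ENOMEM` is fine here because nothing else has been allocated yet.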
--
2.9.3


@ -0,0 +1,76 @@
From b5ce7cefc1af161f25e5857aacec88ebd9e47130 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Tue, 6 Sep 2016 17:37:14 +0200
Subject: [PATCH 43/79] TESTS: sss_groupadd/groupshow regressions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds regression CI tests for tickets #3173 and #3175.
Resolves:
https://fedorahosted.org/sssd/ticket/3173
https://fedorahosted.org/sssd/ticket/3175
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 20c2d76d9430a1fc069531ff537df046a74c8f61)
---
src/tests/intg/test_local_domain.py | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/src/tests/intg/test_local_domain.py b/src/tests/intg/test_local_domain.py
index b83e56d1b44619083506093ca8cfb9413437c821..56e3812b113b36301d1ec6049e5a1210d3070442 100644
--- a/src/tests/intg/test_local_domain.py
+++ b/src/tests/intg/test_local_domain.py
@@ -19,11 +19,13 @@
import os
import stat
import pwd
+import grp
import time
import config
import signal
import subprocess
import pytest
+import ent
from util import unindent
@@ -90,6 +92,11 @@ def assert_nonexistent_user(name):
pwd.getpwnam(name)
+def assert_nonexistent_group(name):
+ with pytest.raises(KeyError):
+ grp.getgrnam(name)
+
+
def test_wrong_LC_ALL(local_domain_only):
"""
Regression test for ticket
@@ -107,3 +114,22 @@ def test_wrong_LC_ALL(local_domain_only):
subprocess.check_call(["sss_userdel", "foo", "-R"])
assert_nonexistent_user("foo")
os.environ["LC_ALL"] = oldvalue
+
+
+def test_sss_group_add_show_del(local_domain_only):
+ """
+ Regression test for tickets
+ https://fedorahosted.org/sssd/ticket/3173
+ https://fedorahosted.org/sssd/ticket/3175
+ """
+
+ subprocess.check_call(["sss_groupadd", "foo", "-g", "10001"])
+
+ "This should not raise KeyError"
+ ent.assert_group_by_name("foo", dict(name="foo", gid=10001))
+
+ "sss_grupshow should return 0 with existing group name"
+ subprocess.check_call(["sss_groupshow", "foo"])
+
+ subprocess.check_call(["sss_groupdel", "foo"])
+ assert_nonexistent_group("foo")
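Review bot: the two bare string literals `"This should not raise KeyError"` and `"sss_grupshow should return 0 with existing group name"` are expression statements, not comments; they execute as no-ops and pyflakes does not flag them. Use `#` comments, and fix the `sss_grupshow` spelling while at it. Also, the `sss_groupdel` clean-up only runs if the preceding asserts pass; unless the fixture recreates the local domain database for every test, a failing assertion leaves group `foo` (gid 10001) behind for later tests.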
--
2.9.3


@ -0,0 +1,57 @@
From aa17cda3887309ccd67c256a24b980fbd8c2f89a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 7 Sep 2016 10:58:25 +0200
Subject: [PATCH 44/79] TOOLS: use internal fqdn for DN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use internal fqdn when creating sysdb group dn.
Resolves:
https://fedorahosted.org/sssd/ticket/3178
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 5e2142b66589e5e50cb404fc972ed5418bbaa772)
---
src/tools/sss_sync_ops.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/tools/sss_sync_ops.c b/src/tools/sss_sync_ops.c
index 39ef5bec96bd3942da8a8adfd21c99b03a77e551..a0291baeada49b9f21e040a54e303214d5a46332 100644
--- a/src/tools/sss_sync_ops.c
+++ b/src/tools/sss_sync_ops.c
@@ -137,6 +137,7 @@ static int mod_groups_member(struct sss_domain_info *dom,
struct ldb_dn *parent_dn;
int ret;
int i;
+ char *grp_sysdb_fqname = NULL;
tmpctx = talloc_new(NULL);
if (!tmpctx) {
@@ -145,13 +146,21 @@ static int mod_groups_member(struct sss_domain_info *dom,
/* FIXME: add transaction around loop */
for (i = 0; grouplist[i]; i++) {
+ grp_sysdb_fqname = sss_create_internal_fqname(tmpctx, grouplist[i],
+ dom->name);
+ if (grp_sysdb_fqname == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
- parent_dn = sysdb_group_dn(tmpctx, dom, grouplist[i]);
+ parent_dn = sysdb_group_dn(tmpctx, dom, grp_sysdb_fqname);
if (!parent_dn) {
ret = ENOMEM;
goto done;
}
+ talloc_free(grp_sysdb_fqname);
+
ret = sysdb_mod_group_member(dom, member_dn, parent_dn, optype);
if (ret) {
goto done;
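Review bot: the explicit `talloc_free(grp_sysdb_fqname);` right after `sysdb_group_dn()` is only safe because the DN constructor copies the name into the new ldb_dn, and it buys little: `grp_sysdb_fqname` already hangs off `tmpctx`, which is freed at `done`, and the `parent_dn` built in the same iteration is not freed per iteration either. Simpler to drop the free and let `tmpctx` own everything, or free `parent_dn` and the name together. The `/* FIXME: add transaction around loop */` still stands: a failure mid-loop leaves the member added to some groups and not others.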
--
2.9.3


@ -0,0 +1,66 @@
From 1b692a1142ec59e27ebb99666634a6e0464317d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 7 Sep 2016 13:08:59 +0200
Subject: [PATCH 45/79] TESTS: Test for sss_user/groupmod -a
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Regression tests for ticket #3178.
Resolves:
https://fedorahosted.org/sssd/ticket/3178
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 7fa4964d84f41bd80a6d971ffaeef87a7c2f19be)
---
src/tests/intg/test_local_domain.py | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/src/tests/intg/test_local_domain.py b/src/tests/intg/test_local_domain.py
index 56e3812b113b36301d1ec6049e5a1210d3070442..5e3e3d4d1cdc6db5d68a6e5b9d96d94c2c694b14 100644
--- a/src/tests/intg/test_local_domain.py
+++ b/src/tests/intg/test_local_domain.py
@@ -133,3 +133,39 @@ def test_sss_group_add_show_del(local_domain_only):
subprocess.check_call(["sss_groupdel", "foo"])
assert_nonexistent_group("foo")
+
+
+def test_add_local_user_to_local_group(local_domain_only):
+ """
+ Regression test for ticket
+ https://fedorahosted.org/sssd/ticket/3178
+ """
+ subprocess.check_call(["sss_groupadd", "-g", "10009", "group10009"])
+ subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user10009"])
+ subprocess.check_call(["sss_usermod", "-a", "group10009", "user10009"])
+
+ ent.assert_group_by_name(
+ "group10009",
+ dict(name="group10009", passwd="*", gid=10009,
+ mem=ent.contains_only("user10009")))
+
+
+def test_add_local_group_to_local_group(local_domain_only):
+ """
+ Regression test for tickets
+ https://fedorahosted.org/sssd/ticket/3178
+ """
+ subprocess.check_call(["sss_groupadd", "-g", "10009", "group_child"])
+ subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user_child"])
+ subprocess.check_call(["sss_usermod", "-a", "group_child", "user_child"])
+
+ subprocess.check_call(["sss_groupadd", "-g", "10008", "group_parent"])
+ subprocess.check_call(
+ ["sss_groupmod", "-a", "group_parent", "group_child"])
+
+ # User from child_group is member of parent_group, so child_group's
+ # member must be also parent_group's member
+ ent.assert_group_by_name(
+ "group_parent",
+ dict(name="group_parent", passwd="*", gid=10008,
+ mem=ent.contains_only("user_child")))
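Review bot: the comment `# User from child_group is member of parent_group, so child_group's member must be also parent_group's member` states the relationship backwards and uses names (`child_group`, `parent_group`) that differ from the actual groups `group_child` and `group_parent`; what the assertion checks is that after `sss_groupmod -a group_parent group_child` makes group_child a member of group_parent, user_child (a member of group_child) is reported as a member of group_parent. Also the docstring says `tickets` for a single ticket, and both tests reuse uid/gid 10009 from the previous test, so they rely on the fixture giving each test a fresh local database.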
--
2.9.3


@ -0,0 +1,138 @@
From ce402d01616b2a8ea5c3354085a07910e4903820 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 7 Sep 2016 14:43:13 +0200
Subject: [PATCH 46/79] TOOLS: sss_mc_refresh_nested_group short/fqname usage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We use the shortname to refresh the memory cache, but in the case of nested groups,
we used the internal_fqname to refresh parent groups.
We also wrongly used the shortname for the sysdb_search operation,
which caused an error message to be printed when sss_usermod -a or
sss_groupmod -a were called.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit cb54dbad6be907d277ce6aa39524338643e2f5a4)
---
src/tools/tools_mc_util.c | 66 +++++++++++++++++++++++++++++++++--------------
1 file changed, 47 insertions(+), 19 deletions(-)
diff --git a/src/tools/tools_mc_util.c b/src/tools/tools_mc_util.c
index 2516a1981ddd965d4cae8c469ed79aaef8fa7193..716e3760f67d958f2139adbb49998d9e352d23f4 100644
--- a/src/tools/tools_mc_util.c
+++ b/src/tools/tools_mc_util.c
@@ -293,62 +293,90 @@ errno_t sss_mc_refresh_group(const char *groupname)
return sss_mc_refresh_ent(groupname, SSS_TOOLS_GROUP);
}
-errno_t sss_mc_refresh_nested_group(struct tools_ctx *tctx,
- const char *name)
+static errno_t sss_mc_refresh_nested_group(struct tools_ctx *tctx,
+ const char *shortname)
{
errno_t ret;
- struct ldb_message *msg;
+ struct ldb_message *msg = NULL;
struct ldb_message_element *el;
const char *attrs[] = { SYSDB_MEMBEROF,
SYSDB_NAME,
NULL };
size_t i;
- char *parent_name;
+ char *parent_internal_name;
+ char *parent_outname;
+ char *internal_name;
+ TALLOC_CTX *tmpctx;
- ret = sss_mc_refresh_group(name);
+ tmpctx = talloc_new(tctx);
+ if (tmpctx == NULL) {
+ return ENOMEM;
+ }
+
+ internal_name = sss_create_internal_fqname(tmpctx, shortname,
+ tctx->local->name);
+ if (internal_name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sss_mc_refresh_group(shortname);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot refresh group %s from memory cache\n", name);
+ "Cannot refresh group %s from memory cache\n", shortname);
/* try to carry on */
}
- ret = sysdb_search_group_by_name(tctx, tctx->local, name, attrs, &msg);
+ ret = sysdb_search_group_by_name(tmpctx, tctx->local, internal_name, attrs,
+ &msg);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Search failed: %s (%d)\n", strerror(ret), ret);
- return ret;
+ goto done;
}
el = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
if (!el || el->num_values == 0) {
- DEBUG(SSSDBG_TRACE_INTERNAL, "Group %s has no parents\n", name);
- talloc_free(msg);
- return EOK;
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Group %s has no parents\n",
+ internal_name);
+ ret = EOK;
+ goto done;
}
/* This group is nested. We need to invalidate all its parents, too */
for (i=0; i < el->num_values; i++) {
- ret = sysdb_group_dn_name(tctx->sysdb, tctx,
+ ret = sysdb_group_dn_name(tctx->sysdb, tmpctx,
(const char *) el->values[i].data,
- &parent_name);
+ &parent_internal_name);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Malformed DN [%s]? Skipping\n",
(const char *) el->values[i].data);
- talloc_free(parent_name);
+ talloc_free(parent_internal_name);
continue;
}
- ret = sss_mc_refresh_group(parent_name);
- talloc_free(parent_name);
+ parent_outname = sss_output_name(tmpctx, parent_internal_name,
+ tctx->local->case_preserve, 0);
+ if (parent_outname == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sss_mc_refresh_group(parent_outname);
+ talloc_free(parent_internal_name);
+ talloc_free(parent_outname);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
- "Cannot refresh group %s from memory cache\n", name);
+ "Cannot refresh group %s from memory cache\n", parent_outname);
/* try to carry on */
}
}
- talloc_free(msg);
- return EOK;
+ ret = EOK;
+
+done:
+ talloc_free(tmpctx);
+ return ret;
}
errno_t sss_mc_refresh_grouplist(struct tools_ctx *tctx,
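Review bot: use-after-free in the error path: `talloc_free(parent_outname);` runs before `"Cannot refresh group %s from memory cache\n", parent_outname);`, so the DEBUG message formats a freed string. Move the two `talloc_free` calls below the `if (ret != EOK)` block, or drop them, since both strings live on `tmpctx` and are freed at `done`. Related pre-existing issue in the same loop: `talloc_free(parent_internal_name);` on the sysdb_group_dn_name() failure path frees an output variable that may not have been set by the failing call, so `parent_internal_name` should be initialised to NULL before the loop (the patch already does this for `msg`).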
--
2.9.3


@ -0,0 +1,117 @@
From 8f08ebcc6897b8b18f18554adfa5c55ab1313f2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 7 Sep 2016 15:00:12 +0200
Subject: [PATCH 47/79] TESTS: Add FQDN variants for some tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds FQDN variants of some already existing tests.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit f2d1d90a14267c01155eab7bb95b8eb34128acc9)
---
src/tests/intg/test_local_domain.py | 83 +++++++++++++++++++++++++++++++++++++
1 file changed, 83 insertions(+)
diff --git a/src/tests/intg/test_local_domain.py b/src/tests/intg/test_local_domain.py
index 5e3e3d4d1cdc6db5d68a6e5b9d96d94c2c694b14..b34e4a3d31cdbc1dc257d8fffcf0f5a07803b20c 100644
--- a/src/tests/intg/test_local_domain.py
+++ b/src/tests/intg/test_local_domain.py
@@ -87,6 +87,27 @@ def local_domain_only(request):
return None
+@pytest.fixture
+def local_domain_only_fqdn(request):
+ conf = unindent("""\
+ [sssd]
+ domains = LOCAL
+ services = nss
+
+ [nss]
+ memcache_timeout = 0
+
+ [domain/LOCAL]
+ id_provider = local
+ min_id = 10000
+ max_id = 20000
+ use_fully_qualified_names = True
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
def assert_nonexistent_user(name):
with pytest.raises(KeyError):
pwd.getpwnam(name)
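Review bot: `local_domain_only_fqdn` duplicates the `local_domain_only` fixture except for `use_fully_qualified_names = True`; a single fixture parametrised over that flag (or `pytest.mark.parametrize` with an indirect fixture) avoids keeping two copies of the configuration in sync. `.format(**locals())` is also a no-op here, since the template has no placeholders.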
@@ -169,3 +190,65 @@ def test_add_local_group_to_local_group(local_domain_only):
"group_parent",
dict(name="group_parent", passwd="*", gid=10008,
mem=ent.contains_only("user_child")))
+
+
+def test_sss_group_add_show_del_fqdn(local_domain_only_fqdn):
+ """
+ Regression test for tickets
+ https://fedorahosted.org/sssd/ticket/3173
+ https://fedorahosted.org/sssd/ticket/3175
+ """
+
+ subprocess.check_call(["sss_groupadd", "foo@LOCAL", "-g", "10001"])
+
+ "This should not raise KeyError"
+ ent.assert_group_by_name("foo@LOCAL", dict(name="foo@LOCAL", gid=10001))
+
+ "sss_grupshow should return 0 with existing group name"
+ subprocess.check_call(["sss_groupshow", "foo@LOCAL"])
+
+ subprocess.check_call(["sss_groupdel", "foo@LOCAL"])
+ assert_nonexistent_group("foo@LOCAL")
+
+
+def test_add_local_user_to_local_group_fqdn(local_domain_only_fqdn):
+ """
+ Regression test for ticket
+ https://fedorahosted.org/sssd/ticket/3178
+ """
+ subprocess.check_call(
+ ["sss_groupadd", "-g", "10009", "group10009@LOCAL"])
+ subprocess.check_call(
+ ["sss_useradd", "-u", "10009", "-M", "user10009@LOCAL"])
+ subprocess.check_call(
+ ["sss_usermod", "-a", "group10009@LOCAL", "user10009@LOCAL"])
+
+ ent.assert_group_by_name(
+ "group10009@LOCAL",
+ dict(name="group10009@LOCAL", passwd="*", gid=10009,
+ mem=ent.contains_only("user10009@LOCAL")))
+
+
+def test_add_local_group_to_local_group_fqdn(local_domain_only_fqdn):
+ """
+ Regression test for tickets
+ https://fedorahosted.org/sssd/ticket/3178
+ """
+ subprocess.check_call(
+ ["sss_groupadd", "-g", "10009", "group_child@LOCAL"])
+ subprocess.check_call(
+ ["sss_useradd", "-u", "10009", "-M", "user_child@LOCAL"])
+ subprocess.check_call(
+ ["sss_usermod", "-a", "group_child@LOCAL", "user_child@LOCAL"])
+
+ subprocess.check_call(
+ ["sss_groupadd", "-g", "10008", "group_parent@LOCAL"])
+ subprocess.check_call(
+ ["sss_groupmod", "-a", "group_parent@LOCAL", "group_child@LOCAL"])
+
+ # User from child_group is member of parent_group, so child_group's
+ # member must be also parent_group's member
+ ent.assert_group_by_name(
+ "group_parent@LOCAL",
+ dict(name="group_parent@LOCAL", passwd="*", gid=10008,
+ mem=ent.contains_only("user_child@LOCAL")))
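Review bot: these three tests are line-for-line copies of the non-FQDN tests with `@LOCAL` appended; parametrising the existing tests over a (fixture, suffix) pair would cover both name forms without doubling the file. The bare string literals `"This should not raise KeyError"` and `"sss_grupshow should return 0 with existing group name"` are no-op statements rather than comments and carry the `sss_grupshow` typo over from the original, and the docstring of test_add_local_group_to_local_group_fqdn says `tickets` while listing one ticket.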
--
2.9.3


@ -0,0 +1,156 @@
From 99e3e869ae031ce70f6f7a0d7435bf9969cf3108 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 7 Sep 2016 12:07:36 +0200
Subject: [PATCH 48/79] KRB5: Send the output username, not internal fqname to
krb5_child
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
krb5_child calls krb5_kuserok() during the access phase, which checks if
a particular user is allowed to authenticate as a particular principal.
We used to pass the internal fqname to krb5_kuserok(), which broke the
functionality and all users were denied access.
This patch changes that to send the 'output' username to krb5_child,
because that's the username the system receives through getpwnam() or
getpwuid() anyway. The patch also adds a new structure member to the
krb5child_req structure to avoid reusing the pd->user variable but have
an explicit one that serves as the input for the child process.
Resolves:
https://fedorahosted.org/sssd/ticket/3172
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit fedfb7c62b4efa89d18d0d3a7895a2a34ec4ce42)
---
src/providers/krb5/krb5_access.c | 10 ++++++++--
src/providers/krb5/krb5_auth.c | 18 ++++++++++++++----
src/providers/krb5/krb5_auth.h | 9 ++++++---
src/providers/krb5/krb5_child_handler.c | 4 ++--
4 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c
index 3afb90150d77ef4ab2c1b5b79abb95d68eb131f6..be9068c0f9180f8de0de259aae368534effaf7fb 100644
--- a/src/providers/krb5/krb5_access.c
+++ b/src/providers/krb5/krb5_access.c
@@ -51,6 +51,7 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
int ret;
const char **attrs;
struct ldb_result *res;
+ struct sss_domain_info *dom;
req = tevent_req_create(mem_ctx, &state, struct krb5_access_state);
if (req == NULL) {
@@ -64,8 +65,13 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
state->krb5_ctx = krb5_ctx;
state->access_allowed = false;
- ret = krb5_setup(state, pd, krb5_ctx, be_ctx->domain->case_sensitive,
- &state->kr);
+ ret = get_domain_or_subdomain(be_ctx, pd->domain, &dom);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_domain_or_subdomain failed.\n");
+ goto done;
+ }
+
+ ret = krb5_setup(state, pd, dom, krb5_ctx, &state->kr);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n");
goto done;
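Review bot: resolving `pd->domain` with `get_domain_or_subdomain()` instead of taking `be_ctx->domain->case_sensitive` is the right fix for requests from trusted subdomains, whose case sensitivity can differ from the parent's. The `goto done` relies on the `done:` label outside this hunk to turn `ret` into a tevent_req_error, so confirm that path does not assume `state->kr` is set. Log level: this failure is logged at SSSDBG_OP_FAILURE while the krb5_setup failure right below is SSSDBG_CRIT_FAILURE, although both abort the access request.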
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index dabf55cf24a8afda16fee6697120c7c6f088b796..f0f2280022a3ee951ccfa0040b616c48c3b25706 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -174,8 +174,10 @@ done:
return ret;
}
-errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
- struct krb5_ctx *krb5_ctx, bool cs,
+errno_t krb5_setup(TALLOC_CTX *mem_ctx,
+ struct pam_data *pd,
+ struct sss_domain_info *dom,
+ struct krb5_ctx *krb5_ctx,
struct krb5child_req **_krb5_req)
{
struct krb5child_req *kr;
@@ -201,13 +203,21 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
kr->krb5_ctx = krb5_ctx;
ret = get_krb_primary(krb5_ctx->name_to_primary,
- pd->user, cs, &mapped_name);
+ pd->user, dom->case_sensitive, &mapped_name);
if (ret == EOK) {
DEBUG(SSSDBG_TRACE_FUNC, "Setting mapped name to: %s\n", mapped_name);
kr->user = mapped_name;
+ kr->kuserok_user = mapped_name;
} else if (ret == ENOENT) {
DEBUG(SSSDBG_TRACE_ALL, "No mapping for: %s\n", pd->user);
kr->user = pd->user;
+
+ kr->kuserok_user = sss_output_name(kr, kr->user,
+ dom->case_sensitive, 0);
+ if (kr->kuserok_user == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
} else {
DEBUG(SSSDBG_CRIT_FAILURE, "get_krb_primary failed - %s:[%d]\n",
sss_strerror(ret), ret);
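Review bot: the two branches derive `kr->kuserok_user` differently: with a krb5_map_user match it is the mapped Kerberos name (`kr->kuserok_user = mapped_name;`), without a match it is `sss_output_name()` of the local user. krb5_kuserok()'s second argument is the local account name whose .k5login is consulted, so in the mapped case the check now runs against the mapped name rather than the account that is logging in. If that is the intended semantics for krb5_map_user (the principal must match the mapped value), a comment saying so belongs here, because the commit message only explains the unmapped case. Minor: `sss_output_name(kr, kr->user, ...)` is called with `kr->user`, which at that point equals `pd->user`; using `pd->user`, as the DEBUG line does, reads more clearly.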
@@ -534,7 +544,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
attrs[6] = SYSDB_AUTH_TYPE;
attrs[7] = NULL;
- ret = krb5_setup(state, pd, krb5_ctx, state->domain->case_sensitive,
+ ret = krb5_setup(state, pd, state->domain, krb5_ctx,
&state->kr);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n");
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
index dbad061f0203b6383daeeab506bf9950d892ea4b..11bb595833269177b7e2c5fc6372d6a6fb6d93d2 100644
--- a/src/providers/krb5/krb5_auth.h
+++ b/src/providers/krb5/krb5_auth.h
@@ -57,11 +57,14 @@ struct krb5child_req {
bool send_pac;
const char *user;
+ const char *kuserok_user;
};
-errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
- struct krb5_ctx *krb5_ctx, bool case_sensitive,
- struct krb5child_req **krb5_req);
+errno_t krb5_setup(TALLOC_CTX *mem_ctx,
+ struct pam_data *pd,
+ struct sss_domain_info *dom,
+ struct krb5_ctx *krb5_ctx,
+ struct krb5child_req **_krb5_req);
struct tevent_req *
krb5_pam_handler_send(TALLOC_CTX *mem_ctx,
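Review bot: `kuserok_user` is added without a comment; a one-line note explaining how it differs from `user` (the name in the form the system sees, sent to krb5_child for the krb5_kuserok() check during SSS_PAM_ACCT_MGMT, whereas `user` feeds principal construction) saves the next reader a trip through krb5_setup().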
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 09a1e5f59494a5c07d5c9eefb94919ca9389cb27..1eec7261f00976b3725fee9323755edecd5409a5 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -161,7 +161,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
}
if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
- username_len = strlen(kr->pd->user);
+ username_len = strlen(kr->kuserok_user);
buf->size += sizeof(uint32_t) + username_len;
}
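Review bot: `strlen(kr->kuserok_user)` assumes every krb5child_req reaching create_send_buffer() with SSS_PAM_ACCT_MGMT was built by krb5_setup(), the only place in this patch that sets the field. Any other constructor of the struct, now or later, leaves it NULL and this crashes the backend; a `kr->kuserok_user != NULL` check that falls back to `kr->pd->user` or returns EINVAL is cheap insurance, and covers the memcpy of the same pointer in the next hunk.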
@@ -217,7 +217,7 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
SAFEALIGN_SET_UINT32(&buf->data[rp], username_len, &rp);
- safealign_memcpy(&buf->data[rp], kr->pd->user, username_len, &rp);
+ safealign_memcpy(&buf->data[rp], kr->kuserok_user, username_len, &rp);
}
*io_buf = buf;
--
2.9.3


@ -0,0 +1,113 @@
From 29a4731b129d759870a4706525396948814c8e27 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Fri, 26 Aug 2016 15:15:32 -0400
Subject: [PATCH 49/79] MONITOR: Remove --disable-netlink command-line option
Removing the monitor command-line option, to be superseded by
an sssd.conf option.
Reviewed-by: Petr Cech <pcech@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 632fc5d8991d167eea20769c823163551c3f1d8c)
---
src/man/sssd.8.xml | 11 -----------
src/monitor/monitor.c | 33 ++++++++++++++++++++-------------
2 files changed, 20 insertions(+), 24 deletions(-)
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
index ca8444d31ebca3d65a3baf83e20d458226ed5cd4..923da6824907f0d2d140d9ca83f87338e7664f83 100644
--- a/src/man/sssd.8.xml
+++ b/src/man/sssd.8.xml
@@ -114,17 +114,6 @@
</varlistentry>
<varlistentry>
<term>
- <option>--disable-netlink</option>
- </term>
- <listitem>
- <para>
- sssd will ignore Netlink changes when making decisions
- about resetting online and offline operational status.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
<option>-c</option>,<option>--config</option>
</term>
<listitem>
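Review bot: the option disappears from the man page, but the code still accepts `--disable-netlink` as a hidden flag that only logs; a short deprecation entry ("accepted for compatibility, ignored, use disable_netlink in sssd.conf") tells administrators who find it in their unit files why it stopped working. The removed wording, "resetting online and offline operational status", is also more precise than the new sssd.conf text in the next patch and is worth carrying over.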
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 1f89c5a79feab8a921ce2f9132763b37ab506596..442bdbc423aaa1224d17b9f357193ec73b045d29 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -2041,8 +2041,7 @@ static void missing_resolv_conf(struct tevent_context *ev,
}
static int monitor_process_init(struct mt_ctx *ctx,
- const char *config_file,
- bool opt_netlinkoff)
+ const char *config_file)
{
TALLOC_CTX *tmp_ctx;
struct tevent_signal *tes;
@@ -2173,14 +2172,12 @@ static int monitor_process_init(struct mt_ctx *ctx,
return ret;
}
- if (opt_netlinkoff == false) {
- ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
- ctx, &ctx->nlctx);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Cannot set up listening for network notifications\n");
- return ret;
- }
+ ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
+ ctx, &ctx->nlctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot set up listening for network notifications\n");
+ return ret;
}
/* start providers */
@@ -2488,7 +2485,8 @@ int main(int argc, const char *argv[])
_("Become a daemon (default)"), NULL }, \
{"interactive", 'i', POPT_ARG_NONE, &opt_interactive, 0, \
_("Run interactive (not a daemon)"), NULL}, \
- {"disable-netlink", '\0', POPT_ARG_NONE, &opt_netlinkoff, 0, \
+ {"disable-netlink", '\0', POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
+ &opt_netlinkoff, 0, \
_("Disable netlink interface"), NULL}, \
{"config", 'c', POPT_ARG_STRING, &opt_config_file, 0, \
_("Specify a non-default config file"), NULL}, \
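Review bot: the rewrapped entry `{"disable-netlink", '\0', POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,` drops the trailing `\` that every neighbouring line carries. It is harmless, since this is an array initialiser inside main() and the backslashes are not macro continuations, but either keep it for consistency or remove them all. Keeping the option parsed-but-hidden is the right call: an old unit file passing `--disable-netlink` would otherwise make sssd fail to start with a popt usage error.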
@@ -2575,6 +2573,15 @@ int main(int argc, const char *argv[])
config_file = talloc_strdup(tmp_ctx, SSSD_CONFIG_FILE);
}
+ if (opt_netlinkoff) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Option --disable-netlink has been removed and "
+ "replaced as a monitor option in sssd.conf\n");
+ sss_log(SSS_LOG_ALERT,
+ "--disable-netlink has been deprecated, tunable option "
+ "disable_netlink available as replacement(man sssd.conf)");
+ }
+
if (!config_file) {
return 6;
}
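Review bot: SSS_LOG_ALERT is a heavy level for a deprecated, ignored flag; SSS_LOG_WARNING matches the severity, and SSSDBG_MINOR_FAILURE for the DEBUG line is fine. The two messages also disagree with each other (`has been removed` versus `has been deprecated`) and point at a `disable_netlink` sssd.conf option that does not exist until the next patch in the series, while the monitor_process_init change above now always calls setup_netlink(). At this commit there is therefore no way to disable netlink at all and the message sends users to a non-existent option; squashing the two patches or reordering them avoids the bisect gap.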
@@ -2692,8 +2699,8 @@ int main(int argc, const char *argv[])
monitor->ev = main_ctx->event_ctx;
talloc_steal(main_ctx, monitor);
- ret = monitor_process_init(monitor, config_file,
- opt_netlinkoff);
+ ret = monitor_process_init(monitor, config_file);
+
if (ret != EOK) return 3;
talloc_free(tmp_ctx);
--
2.9.3


@ -0,0 +1,163 @@
From ed7875afc4ab7e8441eb70f346c774dd49ddfd9b Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Fri, 26 Aug 2016 17:43:25 -0400
Subject: [PATCH 50/79] MONITOR: Add disable_netlink option
Adding a new monitor boolean option to disable netlink support.
This will give users more control over sssd state changes without
having to modify systemd unit files.
Resolves:
https://fedorahosted.org/sssd/ticket/3142
Reviewed-by: Petr Cech <pcech@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 081c6d8c7c8e75487d1c4e42862964be1e85b575)
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/SSSDConfigTest.py | 3 ++-
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 18 ++++++++++++++++++
src/monitor/monitor.c | 21 ++++++++++++++++++---
7 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 401e5fbf7ed6bb9e8d7158dfab378c8159aa03db..2d650900170d5f2214aa56f00fc749980e53f516 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -73,6 +73,7 @@
#define CONFDB_MONITOR_OVERRIDE_SPACE "override_space"
#define CONFDB_MONITOR_USER_RUNAS "user"
#define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
+#define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink"
/* Both monitor and domains */
#define CONFDB_NAME_REGEX "re_expression"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 0191920f93ab9016508e08785c25dd043c180c0b..2027028f7b4e972c7bc0dd5156fd85157ae192f4 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -62,6 +62,7 @@ option_strings = {
'user' : _('The user to drop privileges to'),
'certificate_verification' : _('Tune certificate verification'),
'override_space': _('All spaces in group or user names will be replaced with this character'),
+ 'disable_netlink' : _('Tune sssd to honor or ignore netlink state changes'),
# [nss]
'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 6a0fdf0ea5215103b48dc8521a43ae945342c0e2..8a64a257ab978b81ae4b26918c683b25a30fe7c1 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -310,7 +310,8 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
'client_idle_timeout',
'description',
'certificate_verification',
- 'override_space']
+ 'override_space',
+ 'disable_netlink']
self.assertTrue(type(options) == dict,
"Options should be a dictionary")
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 5e248066bd554d2a654a764f406f6b33c4d66733..93c10e2b7892027f0ee7a7af096814fb7cac333a 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -38,6 +38,7 @@ option = default_domain_suffix
option = certificate_verification
option = override_space
option = config_file_version
+option = disable_netlink
[rule/allowed_nss_options]
validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 525f939cd204f4d484caa7b490d85b0d50de00ef..9e4bf2f6e5d536099af75a82126bc577e10386b4 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -28,6 +28,7 @@ user = str, None, false
default_domain_suffix = str, None, false
certificate_verification = str, None, false
override_space = str, None, false
+disable_netlink = bool, None, false
[nss]
# Name service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index ae291e0fc8f2f9afabcdf32f18a5ec12252bbbbf..6f231b8ab8fc078d83331bb7ef5b980528a30bd6 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -482,6 +482,24 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>disable_netlink (boolean)</term>
+ <listitem>
+ <para>
+ SSSD hooks into the netlink interface to
+ monitor changes to routes, addresses, links
+ and trigger certain actions.
+ </para>
+ <para>
+ The SSSD state changes caused by netlink
+ events may be undesirable and can be disabled
+ by setting this option to 'true'
+ </para>
+ <para>
+ Default: false (netlink changes are detected)
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
</refsect2>
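Review bot: `by setting this option to 'true'` lacks a terminating period, and "trigger certain actions" is vaguer than the sssd.8 text removed in the previous patch ("resetting online and offline operational status"); stating that netlink events make SSSD re-evaluate whether its backends are online tells the reader what they give up by setting this to true. Consider also mentioning the deprecated `--disable-netlink` command-line flag this option supersedes.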
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 442bdbc423aaa1224d17b9f357193ec73b045d29..84a144e56294c7af5d818b71fbe3664cd2fc1a94 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -2052,6 +2052,7 @@ static int monitor_process_init(struct mt_ctx *ctx,
int num_providers;
int ret;
int error;
+ bool disable_netlink;
struct sysdb_upgrade_ctx db_up_ctx;
/* Set up the environment variable for the Kerberos Replay Cache */
@@ -2172,14 +2173,28 @@ static int monitor_process_init(struct mt_ctx *ctx,
return ret;
}
- ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
- ctx, &ctx->nlctx);
+ ret = confdb_get_bool(ctx->cdb,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_DISABLE_NETLINK,
+ false, &disable_netlink);
+
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
- "Cannot set up listening for network notifications\n");
+ "Failed to read disable_netlink from confdb: [%d] %s\n",
+ ret, sss_strerror(ret));
return ret;
}
+ if (disable_netlink == false) {
+ ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
+ ctx, &ctx->nlctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot set up listening for network notifications\n");
+ return ret;
+ }
+ }
+
/* start providers */
num_providers = 0;
for (dom = ctx->domains; dom; dom = get_next_domain(dom, 0)) {
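Review bot: When disable_netlink is true, ctx->nlctx is left NULL; please confirm every consumer of ctx->nlctx after monitor_process_init (teardown included) tolerates a NULL pointer. Stylistically, `if (disable_netlink == false)` reads better as `if (!disable_netlink)`, and a DEBUG message saying that netlink monitoring was disabled by configuration would make the behaviour visible in logs when someone later wonders why SSSD did not react to a network change.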
--
2.9.3

@ -0,0 +1,67 @@
From 467253ff3b281f34668a482c5ece7ece11a4b213 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 7 Sep 2016 17:09:53 +0200
Subject: [PATCH 51/79] TOOLS: sss_override without name override
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sss_override failed to export user/group overrides
if the user had no override for the name.
Resolves:
https://fedorahosted.org/sssd/ticket/3179
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 07e7683f5a86991feaa764e2055116554ada1b93)
---
src/tools/sss_override.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index d41da52e69acdb67b5a6d624254e3b89a8aa27b8..212bf9ab84b20d4777fc2601359fad58596bb7c4 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -1159,12 +1159,14 @@ list_user_overrides(TALLOC_CTX *mem_ctx,
}
fqname = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
- ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
- if (ret != EOK) {
- ret = ERR_WRONG_NAME_FORMAT;
- goto done;
+ if (fqname != NULL) {
+ ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
+ if (ret != EOK) {
+ ret = ERR_WRONG_NAME_FORMAT;
+ goto done;
+ }
+ objs[i].name = talloc_steal(objs, name);
}
- objs[i].name = talloc_steal(objs, name);
objs[i].uid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_UIDNUM, 0);
objs[i].gid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
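Review bot: In the new branch, when fqname is NULL objs[i].name is never assigned, so this is only correct if objs was allocated zero-filled (talloc_zero_array or equivalent); otherwise the exporter later reads an uninitialised pointer. If the allocator is not guaranteed to zero it, add an explicit `objs[i].name = NULL;` else branch so the "no name override" case is spelled out rather than implied.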
@@ -1248,12 +1250,14 @@ list_group_overrides(TALLOC_CTX *mem_ctx,
talloc_steal(objs, objs[i].orig_name);
fqname = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
- ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
- if (ret != EOK) {
- ret = ERR_WRONG_NAME_FORMAT;
- goto done;
+ if (fqname != NULL) {
+ ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
+ if (ret != EOK) {
+ ret = ERR_WRONG_NAME_FORMAT;
+ goto done;
+ }
+ objs[i].name = talloc_steal(objs, name);
}
- objs[i].name = talloc_steal(objs, name);
objs[i].gid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
}
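Review bot: Same pattern as the user case: objs[i].name stays unassigned when fqname is NULL, which relies on objs being zero-filled; an explicit `objs[i].name = NULL;` would make that independent of the allocator. The two identical fqname-parsing blocks in list_user_overrides and list_group_overrides could also be factored into one static helper so the next fix does not have to be applied twice.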
--
2.9.3

@ -0,0 +1,203 @@
From b7886a50d6467d9130fade4d0e94a818c2cc6300 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 7 Sep 2016 18:23:16 +0200
Subject: [PATCH 52/79] TEST: Add regression test for ticket #3179
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://fedorahosted.org/sssd/ticket/3179
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 1c72723cde8bea0d390b928c7cd29e48e7a7deab)
---
src/tests/intg/ldap_local_override_test.py | 126 ++++++++++++++++++++++++++---
1 file changed, 114 insertions(+), 12 deletions(-)
diff --git a/src/tests/intg/ldap_local_override_test.py b/src/tests/intg/ldap_local_override_test.py
index 63de836d4d645b2e2be968bb23ce84f0cb90189a..714268f024d0f7b01309c55a84f56d0d1aec58f9 100644
--- a/src/tests/intg/ldap_local_override_test.py
+++ b/src/tests/intg/ldap_local_override_test.py
@@ -205,27 +205,38 @@ def assert_user_default():
ent.assert_passwd_by_name('user2@LDAP', user2)
-def assert_user_overriden():
+def assert_user_overriden(override_name=True):
- user1 = dict(name='ov_user1', passwd='*', uid=10010, gid=20010,
+ if override_name:
+ name1 = "ov_user1"
+ name2 = "ov_user2"
+ else:
+ name1 = "user1"
+ name2 = "user2"
+
+ user1 = dict(name=name1, passwd='*', uid=10010, gid=20010,
gecos='Overriden User 1',
dir='/home/ov/user1',
shell='/bin/ov_user1_shell')
- user2 = dict(name='ov_user2', passwd='*', uid=10020, gid=20020,
+ user2 = dict(name=name2, passwd='*', uid=10020, gid=20020,
gecos='Overriden User 2',
dir='/home/ov/user2',
shell='/bin/ov_user2_shell')
ent.assert_passwd_by_name('user1', user1)
ent.assert_passwd_by_name('user1@LDAP', user1)
- ent.assert_passwd_by_name('ov_user1', user1)
- ent.assert_passwd_by_name('ov_user1@LDAP', user1)
+
+ if override_name:
+ ent.assert_passwd_by_name('ov_user1', user1)
+ ent.assert_passwd_by_name('ov_user1@LDAP', user1)
ent.assert_passwd_by_name('user2', user2)
ent.assert_passwd_by_name('user2@LDAP', user2)
- ent.assert_passwd_by_name('ov_user2', user2)
- ent.assert_passwd_by_name('ov_user2@LDAP', user2)
+
+ if override_name:
+ ent.assert_passwd_by_name('ov_user2', user2)
+ ent.assert_passwd_by_name('ov_user2@LDAP', user2)
#
@@ -514,6 +525,54 @@ def test_imp_exp_user_override(ldap_conn, env_imp_exp_user_override):
assert_user_overriden()
+# Regression test for bug 3179
+
+
+def test_imp_exp_user_overrride_noname(ldap_conn,
+ env_two_users_and_group):
+
+ # Override
+ subprocess.check_call(["sss_override", "user-add", "user1",
+ "-u", "10010",
+ "-g", "20010",
+ "-c", "Overriden User 1",
+ "-h", "/home/ov/user1",
+ "-s", "/bin/ov_user1_shell"])
+
+ subprocess.check_call(["sss_override", "user-add", "user2@LDAP",
+ "-u", "10020",
+ "-g", "20020",
+ "-c", "Overriden User 2",
+ "-h", "/home/ov/user2",
+ "-s", "/bin/ov_user2_shell"])
+
+ # Restart SSSD so the override might take effect
+ restart_sssd()
+
+ # Assert entries are overriden
+ assert_user_overriden(override_name=False)
+
+ # Export overrides
+ subprocess.check_call(["sss_override", "user-export", OVERRIDE_FILENAME])
+
+ # Drop all overrides
+ subprocess.check_call(["sss_override", "user-del", "user1"])
+ subprocess.check_call(["sss_override", "user-del", "user2@LDAP"])
+
+ # Avoid hitting memory cache
+ time.sleep(2)
+
+ # Assert entries are not overridden
+ assert_user_default()
+
+ # Import overrides
+ subprocess.check_call(["sss_override", "user-import",
+ OVERRIDE_FILENAME])
+ restart_sssd()
+
+ assert_user_overriden(override_name=False)
+
+
#
# Override user-show
#
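Review bot: The test function name has a typo, `test_imp_exp_user_overrride_noname` (three r's); rename it to match `test_imp_exp_group_override_noname` in the same patch so the two regression tests for ticket 3179 are found together. The `time.sleep(2)` used to avoid the memory cache is timing-dependent and may become flaky on slow CI; if the suite has a helper that invalidates the memory cache, prefer it over a fixed sleep.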
@@ -581,7 +640,7 @@ def test_find_user_override(ldap_conn, env_find_user_override):
# Common group asserts
#
-def assert_group_overriden():
+def assert_group_overriden(override_name=True):
# Assert entries are overridden
empty_group = dict(gid=3002, mem=ent.contains_only())
@@ -589,13 +648,17 @@ def assert_group_overriden():
ent.assert_group_by_name("group", group)
ent.assert_group_by_name("group@LDAP", group)
- ent.assert_group_by_name("ov_group", group)
- ent.assert_group_by_name("ov_group@LDAP", group)
+
+ if override_name:
+ ent.assert_group_by_name("ov_group", group)
+ ent.assert_group_by_name("ov_group@LDAP", group)
ent.assert_group_by_name("empty_group", empty_group)
ent.assert_group_by_name("empty_group@LDAP", empty_group)
- ent.assert_group_by_name("ov_empty_group", empty_group)
- ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
+
+ if override_name:
+ ent.assert_group_by_name("ov_empty_group", empty_group)
+ ent.assert_group_by_name("ov_empty_group@LDAP", empty_group)
def assert_group_default():
@@ -841,6 +904,45 @@ def test_imp_exp_group_override(ldap_conn, env_imp_exp_group_override):
assert_group_overriden()
+# Regression test for bug 3179
+
+
+def test_imp_exp_group_override_noname(ldap_conn, env_group_basic):
+
+ # Override - do not use -n here)
+ subprocess.check_call(["sss_override", "group-add", "group",
+ "-g", "3001"])
+
+ subprocess.check_call(["sss_override", "group-add", "empty_group@LDAP",
+ "--gid", "3002"])
+
+ # Restart SSSD so the override might take effect
+ restart_sssd()
+
+ # Assert entries are overridden
+ assert_group_overriden(override_name=False)
+
+ # Export overrides
+ subprocess.check_call(["sss_override", "group-export",
+ OVERRIDE_FILENAME])
+
+ # Drop all overrides
+ subprocess.check_call(["sss_override", "group-del", "group"])
+ subprocess.check_call(["sss_override", "group-del", "empty_group@LDAP"])
+
+ # Avoid hitting memory cache
+ time.sleep(2)
+
+ assert_group_default()
+
+ # Import overrides
+ subprocess.check_call(["sss_override", "group-import",
+ OVERRIDE_FILENAME])
+ restart_sssd()
+
+ assert_group_overriden(override_name=False)
+
+
# Regression test for bug #2802
# sss_override segfaults when accidentally adding --help flag to some commands
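Review bot: The comment `# Override - do not use -n here)` has a stray closing parenthesis, and it would help to say why -n is omitted: the point of the test is that an override without a name must still survive export and import. The export step is only verified indirectly through the later import; asserting that OVERRIDE_FILENAME exists and is non-empty right after `group-export` would localise a failure to the export side, which is where ticket 3179 was.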
--
2.9.3

@ -0,0 +1,60 @@
From 5e42bd82ea08e3a45cf8369d51f68587f5bd796e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Mon, 12 Sep 2016 19:22:56 +0200
Subject: [PATCH 53/79] TOOLS: sss_groupshow fails to show MPG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The MPG search uses its own search function
that used a sysdb operation with a shortname,
but it expects an internal fqname.
Resolves:
https://fedorahosted.org/sssd/ticket/3184
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 812bed08943df8bf3fd1ff9eabcaf5bedc635c92)
---
src/tools/sss_groupshow.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
index 5870cc802c70366c47a0d30cb0d9795cf6035bc5..00f6f12939b6bef2dd10085f8cf99304e87f1211 100644
--- a/src/tools/sss_groupshow.c
+++ b/src/tools/sss_groupshow.c
@@ -553,13 +553,14 @@ int group_show_recurse(TALLOC_CTX *mem_ctx,
static int group_show_mpg(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
- const char *name,
+ const char *shortname,
struct group_info **res)
{
const char *attrs[] = GROUP_SHOW_MPG_ATTRS;
struct ldb_message *msg;
struct group_info *info;
int ret;
+ char *sysdb_fqname;
info = talloc_zero(mem_ctx, struct group_info);
if (!info) {
@@ -567,7 +568,14 @@ static int group_show_mpg(TALLOC_CTX *mem_ctx,
goto fail;
}
- ret = sysdb_search_user_by_name(info, domain, name, attrs, &msg);
+ sysdb_fqname = sss_create_internal_fqname(mem_ctx,
+ shortname,
+ domain->name);
+ if (sysdb_fqname == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_search_user_by_name(info, domain, sysdb_fqname, attrs, &msg);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Search failed: %s (%d)\n", strerror(ret), ret);
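Review bot: On allocation failure the new code does `return ENOMEM;` directly, which skips the function's `fail:` path and leaks the `info` that was already talloc_zero'd above; use `ret = ENOMEM; goto fail;` like the surrounding code. Also `sysdb_fqname` is allocated on the caller's mem_ctx rather than on `info` (or a temporary context) and is never freed, so it outlives this call; allocating it on `info` ties its lifetime to the result.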
--
2.9.3

@ -0,0 +1,55 @@
From 702f4c8aed1bc997e99ab28349269c4cc151beda Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Mon, 12 Sep 2016 19:25:13 +0200
Subject: [PATCH 54/79] TESTS: sss_groupshow with MPG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Regression test for ticket #3184
Resolves:
https://fedorahosted.org/sssd/ticket/3184
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit bb14556c1df503314644fc424fbbf95759791db9)
---
src/tests/intg/test_local_domain.py | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/src/tests/intg/test_local_domain.py b/src/tests/intg/test_local_domain.py
index b34e4a3d31cdbc1dc257d8fffcf0f5a07803b20c..8e1d6fb2b69f5e6e033ae06d4bd52cc88e54872b 100644
--- a/src/tests/intg/test_local_domain.py
+++ b/src/tests/intg/test_local_domain.py
@@ -118,6 +118,28 @@ def assert_nonexistent_group(name):
grp.getgrnam(name)
+def test_groupshow_mpg(local_domain_only):
+ """
+ Regression test for ticket
+ https://fedorahosted.org/sssd/ticket/3184
+ """
+ subprocess.check_call(["sss_useradd", "foo", "-M"])
+
+ # The user's mpg has to be found (should return 0)
+ subprocess.check_call(["sss_groupshow", "foo"])
+
+
+def test_groupshow_mpg_fqdn(local_domain_only_fqdn):
+ """
+ Regression test for ticket (fq variant)
+ https://fedorahosted.org/sssd/ticket/3184
+ """
+ subprocess.check_call(["sss_useradd", "foo@LOCAL", "-M"])
+
+ # The user's mpg has to be found (should return 0)
+ subprocess.check_call(["sss_groupshow", "foo@LOCAL"])
+
+
def test_wrong_LC_ALL(local_domain_only):
"""
Regression test for ticket
--
2.9.3

@ -0,0 +1,37 @@
From 4add586753c50b3222c0899ced0d95a2263828c6 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 6 Sep 2016 12:27:51 +0200
Subject: [PATCH 55/79] KRB5: Return ERR_NETWORK_IO on clock skew
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds two more return codes to the list of codes we translate to
ERR_NETWORK_IO.
Resolves:
https://fedorahosted.org/sssd/ticket/3174
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit d3348f49260998880bb7cd3b2fb72d562b1b7a64)
---
src/providers/krb5/krb5_child.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index a0a0f74d7e39866828c1c9ee4b18e57c36a30bb9..82522995e310f20c58922f814e14e81a84b9bcb9 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1374,6 +1374,8 @@ static errno_t map_krb5_error(krb5_error_code kerr)
case KRB5_KDCREP_SKEW:
case KRB5KRB_AP_ERR_SKEW:
+ case KRB5KRB_AP_ERR_TKT_EXPIRED:
+ case KRB5KRB_AP_ERR_TKT_NYV:
case KRB5_KDC_UNREACH:
case KRB5_REALM_CANT_RESOLVE:
case KRB5_REALM_UNKNOWN:
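Review bot: A one-line comment above the two new cases would help: KRB5KRB_AP_ERR_TKT_EXPIRED and KRB5KRB_AP_ERR_TKT_NYV are mapped to ERR_NETWORK_IO because they are what a client sees when its clock disagrees with the KDC, which is the clock-skew case the subject names; a reader of map_krb5_error alone would otherwise wonder why a ticket-lifetime error is treated as a network problem. It is also worth double-checking that a genuinely expired ticket (clock correct, ticket simply old) cannot reach this path from a flow where a network-error retry would be the wrong reaction.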
--
2.9.3

@ -0,0 +1,54 @@
From b42d29d5fed3df1662dc7b9b46a57ab27298b138 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 30 Aug 2016 16:39:49 +0200
Subject: [PATCH 56/79] SDAP: Fix setting paging attribute in
sdap_get_generic_ext_send
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We should set the paging flag in state and not in a local
variable which is not read anywhere in the function.
Found by clang static analyzer.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 6c335dee38da943796710b5e336472a10cf641f2)
---
src/providers/ldap/sdap_async.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 4195ba95d911f3956f8cca665310b4b92091e6cd..e9ce2d5fd7c835919fff615e7b553d95f72d65a7 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -1254,7 +1254,7 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx,
*/
if (scope == LDAP_SCOPE_BASE && (flags & SDAP_SRCH_FLG_PAGING)) {
/* Disable paging */
- flags &= ~SDAP_SRCH_FLG_PAGING;
+ state->flags &= ~SDAP_SRCH_FLG_PAGING;
DEBUG(SSSDBG_TRACE_FUNC,
"WARNING: Disabling paging because scope is set to base.\n");
}
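Review bot: The condition still tests the local `flags` while the assignment now clears `state->flags`; that is consistent only if state->flags was initialised from `flags` before this point, which the hunk does not show. Testing and clearing the same field (`state->flags`) would remove the question.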
@@ -1267,7 +1267,7 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx,
serverctrls,
NULL);
if (control) {
- flags |= SDAP_SRCH_FLG_PAGING;
+ state->flags |= SDAP_SRCH_FLG_PAGING;
}
/* ASQ */
@@ -1275,7 +1275,7 @@ sdap_get_generic_ext_send(TALLOC_CTX *memctx,
serverctrls,
NULL);
if (control) {
- flags |= SDAP_SRCH_FLG_PAGING;
+ state->flags |= SDAP_SRCH_FLG_PAGING;
}
for (state->nserverctrls=0;
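Review bot: This is a behaviour change, not only an analyser fix: before the patch the `flags |= SDAP_SRCH_FLG_PAGING` writes at both control sites were dead stores, so PAGING was never re-enabled here; now, whenever one of these controls is set, paging is turned back on in state->flags even if the base-scope branch above just disabled it. If that is intended, the commit message should say so; if not, the `|=` lines should be dropped rather than redirected to state->flags.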
--
2.9.3

@ -0,0 +1,151 @@
From a700cdddcc989d1820cbd71bc9a378772c3f87ed Mon Sep 17 00:00:00 2001
From: Petr Cech <pcech@redhat.com>
Date: Wed, 24 Aug 2016 14:41:09 +0200
Subject: [PATCH 57/79] PROXY: Adding proxy_max_children option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.
Resolves:
https://fedorahosted.org/sssd/ticket/3153
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit aef0171e0bdc9a683958d69c7ee984fb10cd5de7)
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 3 +++
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.d/sssd-proxy.conf | 1 +
src/man/sssd.conf.5.xml | 16 ++++++++++++++++
src/providers/proxy/proxy_init.c | 22 ++++++++++++++++++++--
6 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 2d650900170d5f2214aa56f00fc749980e53f516..36a2f21a0ff07ac4ae94ffdbb47087de05907505 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -219,6 +219,7 @@
#define CONFDB_PROXY_LIBNAME "proxy_lib_name"
#define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
#define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
/* Secrets Service */
#define CONFDB_SEC_CONF_ENTRY "config/secrets"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 2027028f7b4e972c7bc0dd5156fd85157ae192f4..0acb751e234ee0c3e6fee332a2ba22f9ac353221 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -429,6 +429,9 @@ option_strings = {
'default_shell' : _('Default shell, /bin/bash'),
'base_directory' : _('Base for home directories'),
+ # [provider/proxy]
+ 'proxy_max_children' : _('The number of preforked proxy children.'),
+
# [provider/proxy/id]
'proxy_lib_name' : _('The name of the NSS library to use'),
'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 93c10e2b7892027f0ee7a7af096814fb7cac333a..01be0c6e610161b64897e3974cefe1ccdc317fd3 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -305,6 +305,7 @@ option = base_directory
option = proxy_lib_name
option = proxy_fast_alias
option = proxy_pam_target
+option = proxy_max_children
# simple access provider specific options
option = simple_allow_users
diff --git a/src/config/etc/sssd.api.d/sssd-proxy.conf b/src/config/etc/sssd.api.d/sssd-proxy.conf
index 89a6503f9b84b7eab5fb3b0dd591dea905b43adb..09bf82affcb4263de3abbb67d1d484f6b01a1824 100644
--- a/src/config/etc/sssd.api.d/sssd-proxy.conf
+++ b/src/config/etc/sssd.api.d/sssd-proxy.conf
@@ -1,4 +1,5 @@
[provider/proxy]
+proxy_max_children = int, None, false
[provider/proxy/id]
proxy_lib_name = str, None, true
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 6f231b8ab8fc078d83331bb7ef5b980528a30bd6..8b862eb0cef7cb35215c4aba7a77a553f31e47c8 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2482,6 +2482,22 @@ subdomain_inherit = ldap_purge_cache_timeout
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>proxy_max_children (integer)</term>
+ <listitem>
+ <para>
+ This option specifies the number of pre-forked
+ proxy children. It is useful for high-load SSSD
+ environments where sssd may run out of available
+ child slots, which would cause some issues due to
+ the requests being queued.
+ </para>
+ <para>
+ Default: 10
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
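Review bot: 'which would cause some issues due to the requests being queued' is vague for a man page; say concretely that when all children are busy, further authentication requests wait until a child becomes free, so raising the value trades memory for less queuing. The text should also mention the lower bound the code enforces (the option must be at least 1).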
diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c
index 1edf4fd64e54f4f0df7a78a9e56eb232a1d3e948..2241dafb8e21bbc0b904df3fa548c906877a5194 100644
--- a/src/providers/proxy/proxy_init.c
+++ b/src/providers/proxy/proxy_init.c
@@ -29,6 +29,8 @@
#define NSS_FN_NAME "_nss_%s_%s"
+#define OPT_MAX_CHILDREN_DEFAULT 10
+
#define ERROR_INITGR "The '%s' library does not provides the " \
"_nss_XXX_initgroups_dyn function!\n" \
"initgroups will be slow as it will require " \
@@ -220,6 +222,7 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
struct proxy_auth_ctx *auth_ctx;
errno_t ret;
int hret;
+ int max_children;
auth_ctx = talloc_zero(mem_ctx, struct proxy_auth_ctx);
if (auth_ctx == NULL) {
@@ -241,8 +244,23 @@ static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
}
/* Set up request hash table */
- /* FIXME: get max_children from configuration file */
- auth_ctx->max_children = 10;
+ ret = confdb_get_int(be_ctx->cdb, be_ctx->conf_path,
+ CONFDB_PROXY_MAX_CHILDREN,
+ OPT_MAX_CHILDREN_DEFAULT,
+ &max_children);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to read confdb [%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (max_children < 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Option " CONFDB_PROXY_MAX_CHILDREN " must be higher then 0\n");
+ ret = EINVAL;
+ goto done;
+ }
+ auth_ctx->max_children = max_children;
hret = hash_create(auth_ctx->max_children * 2, &auth_ctx->request_table,
NULL, NULL);
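Review bot: Typo in the new DEBUG message: 'higher then 0' should be 'higher than 0'. The lower bound is checked but there is no upper bound: max_children feeds both hash_create(auth_ctx->max_children * 2, ...) and the number of preforked helpers, so a mistyped large value silently becomes a very large process count; a sanity ceiling, or at least a warning above some threshold, would be cheap. The `goto done` paths assume `done` frees auth_ctx on error; please confirm that label exists in this function.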
--
2.9.3

@ -0,0 +1,50 @@
From 4a5e9bea88983643a6fd7b95a6cfcf16f29044ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 30 Aug 2016 10:42:58 +0200
Subject: [PATCH 58/79] SECRETS: Search by the right type when checking
containers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We've been searching for the wrong type ("simple") in
local_db_check_containers(), which always gives us a NULL result.
Let's introduce the new LOCAL_CONTAINER_FILTER and do the search for the
right type ("container") from now on.
Resolves:
https://fedorahosted.org/sssd/ticket/3137
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a8361f37af31a8a9767056bd27c418c947293f56)
---
src/responder/secrets/local.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
index ac3049b62fa77f69d44ec5792139fe3378afb3f4..5b5745d6732987c6057788b2099f45ad0799f151 100644
--- a/src/responder/secrets/local.c
+++ b/src/responder/secrets/local.c
@@ -168,6 +168,7 @@ char *local_dn_to_path(TALLOC_CTX *mem_ctx,
}
#define LOCAL_SIMPLE_FILTER "(type=simple)"
+#define LOCAL_CONTAINER_FILTER "(type=container)"
int local_db_get_simple(TALLOC_CTX *mem_ctx,
struct local_context *lctx,
@@ -306,7 +307,7 @@ int local_db_check_containers(TALLOC_CTX *mem_ctx,
/* and check the parent container exists */
ret = ldb_search(lctx->ldb, mem_ctx, &res, dn, LDB_SCOPE_BASE,
- attrs, LOCAL_SIMPLE_FILTER);
+ attrs, LOCAL_CONTAINER_FILTER);
if (ret != LDB_SUCCESS) return ENOENT;
if (res->count != 1) return ENOENT;
talloc_free(res);
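Review bot: Since the old filter meant the parent-container lookup could never match, this changes the observable result of local_db_check_containers, so a pair of tests (a secret created under an existing container succeeds, one under a missing container fails with ENOENT) would pin the fix down. Minor: `if (ret != LDB_SUCCESS) return ENOENT;` discards the ldb error; logging it at debug level would help diagnose future container lookups.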
--
2.9.3

@ -0,0 +1,42 @@
From 2ee5783d8c8bb51f169988a0a45ec711cfd47e41 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 12 Sep 2016 17:36:09 +0200
Subject: [PATCH 59/79] LDAP: Return partial results from adminlimit exceeded
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://fedorahosted.org/sssd/ticket/3185
Since commit c420ce830ac0b0b288a2a887ec2cfce5c748018c we try to move to
the next server on any error on the connection, which in case there is
only one server sends SSSD offline.
It's more graceful to try to process the results, same as we already do
with sizelimit exceeded.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 3319d964721396c07daba383ded6aaaf33ed6e3b)
---
src/providers/ldap/sdap_async.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index e9ce2d5fd7c835919fff615e7b553d95f72d65a7..f374112935a7befa1d059df97f3119c14d8f5da5 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -1526,7 +1526,8 @@ static void sdap_get_generic_op_finished(struct sdap_op *op,
sss_ldap_err2string(result), result,
errmsg ? errmsg : "no errmsg set");
- if (result == LDAP_SIZELIMIT_EXCEEDED) {
+ if (result == LDAP_SIZELIMIT_EXCEEDED
+ || result == LDAP_ADMINLIMIT_EXCEEDED) {
/* Try to return what we've got */
if ( ! (state->flags & SDAP_SRCH_FLG_SIZELIMIT_SILENT)) {
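Review bot: With LDAP_ADMINLIMIT_EXCEEDED now handled like LDAP_SIZELIMIT_EXCEEDED, the flag name SDAP_SRCH_FLG_SIZELIMIT_SILENT and any debug text in this branch that mention only the size limit become slightly misleading; a short comment saying both conditions are treated as "partial result" would help. Callers should also keep in mind that the returned set is truncated: anything that uses it for allow/deny decisions (group membership, access filters) is acting on an incomplete view, which is the usual caveat with partial results.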
--
2.9.3

@ -0,0 +1,44 @@
From d7a48ee6cde1e80dc2e63500d94017afe498a52a Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 29 Aug 2016 11:20:00 -0400
Subject: [PATCH 60/79] MAN: sssd-sudo manual update IPA native LDAP tree
support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Update sssd-sudo man page to reflect native IPA sudo support
Resolves:
https://fedorahosted.org/sssd/ticket/3145
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 72bab5640b3ec57950b53dad0fb3042ea563592c)
---
src/man/sssd-sudo.5.xml | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/man/sssd-sudo.5.xml b/src/man/sssd-sudo.5.xml
index de276ad2d7647da9b7d510bf00fdf8fb58aed1c7..9be77725d679946bd09b86771cc7379b6ac64627 100644
--- a/src/man/sssd-sudo.5.xml
+++ b/src/man/sssd-sudo.5.xml
@@ -109,9 +109,12 @@ ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
</programlisting>
</para>
<para>
- When the SSSD is configured to use IPA as the ID provider,
- the sudo provider is automatically enabled. The sudo search base
- is configured to use the compat tree (ou=sudoers,$DC).
+ When SSSD is configured to use IPA as the ID provider, the
+ sudo provider is automatically enabled. The sudo search base is
+ configured to use the IPA native LDAP tree (cn=sudo,$SUFFIX).
+ If any other search base is defined in sssd.conf, this value will be
+ used instead. The compat tree (ou=sudoers,$SUFFIX) is no longer
+ required for IPA sudo functionality.
</para>
</refsect1>
--
2.9.3

@ -0,0 +1,267 @@
From 8173003ed876f1cc0831a838e20332b274b39c4f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 31 Aug 2016 14:32:31 +0200
Subject: [PATCH 61/79] p11: only set PKCS11_LOGIN_TOKEN_NAME if gdm-smartcard
is used
Resolves https://fedorahosted.org/sssd/ticket/3165
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 71cd9f98150577224559bdc12c53c01ce6f2c3d9)
---
src/responder/pam/pamsrv_p11.c | 33 +++++++++------
src/tests/cmocka/test_pam_srv.c | 89 +++++++++++++++++++++++++++++++++++------
2 files changed, 97 insertions(+), 25 deletions(-)
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index a2514f6a1d699de3a245063f49db1b7e51a2b10b..22da33067d5c479153376927855dcd6b43322d8b 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -505,7 +505,11 @@ errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
}
/* The PKCS11_LOGIN_TOKEN_NAME environment variable is e.g. used by the Gnome
- * Settings Daemon to determine the name of the token used for login */
+ * Settings Daemon to determine the name of the token used for login but it
+ * should be only set if SSSD is called by gdm-smartcard. Otherwise desktop
+ * components might assume that gdm-smartcard PAM stack is configured
+ * correctly which might not be the case e.g. if Smartcard authentication was
+ * used when running gdm-password. */
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
@@ -553,19 +557,22 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
return ret;
}
- env = talloc_asprintf(pd, "%s=%s", PKCS11_LOGIN_TOKEN_ENV_NAME, token_name);
- if (env == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
- return ENOMEM;
- }
+ if (strcmp(pd->service, "gdm-smartcard") == 0) {
+ env = talloc_asprintf(pd, "%s=%s", PKCS11_LOGIN_TOKEN_ENV_NAME,
+ token_name);
+ if (env == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ return ENOMEM;
+ }
- ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(env) + 1,
- (uint8_t *)env);
- talloc_free(env);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "pam_add_response failed to add environment variable.\n");
- return ret;
+ ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(env) + 1,
+ (uint8_t *)env);
+ talloc_free(env);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "pam_add_response failed to add environment variable.\n");
+ return ret;
+ }
}
return ret;
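Review bot: `strcmp(pd->service, "gdm-smartcard")` dereferences pd->service unconditionally; if the service name can be absent from the client request, guard with a NULL check first. The service name is a string literal here and again in the tests; a #define next to PKCS11_LOGIN_TOKEN_ENV_NAME would keep the two in sync. Note also that the trailing `return ret;` now returns whatever an earlier call set when the service is not gdm-smartcard; that is EOK on the success path, but an explicit `return EOK;` would make the intent obvious.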
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 5de092d0f19318d1d6c773355dbb38e345600133..02199e6f121cab0784389256cdaac38baf9d73e3 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -554,7 +554,7 @@ static void mock_input_pam(TALLOC_CTX *mem_ctx, const char *name,
}
static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
- const char *pin)
+ const char *pin, const char *service)
{
size_t buf_size;
uint8_t *m_buf;
@@ -576,7 +576,7 @@ static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
pi.pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN;
}
- pi.pam_service = "login";
+ pi.pam_service = service == NULL ? "login" : service;
pi.pam_service_size = strlen(pi.pam_service) + 1;
pi.pam_tty = "/dev/tty";
pi.pam_tty_size = strlen(pi.pam_tty) + 1;
@@ -626,7 +626,8 @@ static int test_pam_simple_check(uint32_t status, uint8_t *body, size_t blen)
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
-static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
+static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
+ size_t blen)
{
size_t rp = 0;
uint32_t val;
@@ -675,6 +676,44 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
return EOK;
}
+static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
+{
+ size_t rp = 0;
+ uint32_t val;
+
+ assert_int_equal(status, 0);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, pam_test_ctx->exp_pam_status);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 2);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 9);
+
+ assert_int_equal(*(body + rp + val - 1), 0);
+ assert_string_equal(body + rp, TEST_DOM_NAME);
+ rp += val;
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, SSS_PAM_CERT_INFO);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
+
+ assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
+ assert_string_equal(body + rp, "pamuser");
+ rp += sizeof("pamuser");
+
+ assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
+ assert_string_equal(body + rp, TEST_TOKEN_NAME);
+
+ return EOK;
+}
static int test_pam_offline_chauthtok_check(uint32_t status,
uint8_t *body, size_t blen)
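Review bot: The literal 9 in `assert_int_equal(val, 9)` is the length of TEST_DOM_NAME including its terminator; use `sizeof(TEST_DOM_NAME)` as the later assertions do for TEST_TOKEN_NAME, so the check does not break silently if the test domain name changes. This function is also almost identical to the head of test_pam_cert_check_gdm_smartcard; the difference worth stating in a comment is that it expects exactly 2 response items, i.e. no SSS_PAM_ENV_ITEM for a service other than gdm-smartcard.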
@@ -1438,7 +1477,7 @@ void test_pam_preauth_no_logon_name(void **state)
{
int ret;
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1465,7 +1504,7 @@ void test_pam_preauth_cert_nocert(void **state)
set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1544,7 +1583,7 @@ void test_pam_preauth_cert_nomatch(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1566,7 +1605,7 @@ void test_pam_preauth_cert_match(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1583,13 +1622,37 @@ void test_pam_preauth_cert_match(void **state)
assert_int_equal(ret, EOK);
}
+/* Test if PKCS11_LOGIN_TOKEN_NAME is added for the gdm-smartcard service */
+void test_pam_preauth_cert_match_gdm_smartcard(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, "gdm-smartcard");
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ mock_account_recv(0, 0, NULL, test_lookup_by_cert_cb,
+ discard_const(TEST_TOKEN_CERT));
+
+ set_cmd_cb(test_pam_cert_check_gdm_smartcard);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
void test_pam_preauth_cert_match_wrong_user(void **state)
{
int ret;
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL);
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
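Review bot: the service name "gdm-smartcard" is passed as a bare literal here and again in the strcmp in pam_sss.c that switches on it, so a shared define would keep the responder test and the client check from drifting. The new test also only covers the positive path; a companion case with a different service name asserting that the gdm-smartcard-specific handling is absent would pin down the behaviour the comment above the function describes.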
@@ -1613,7 +1676,7 @@ void test_pam_preauth_cert_no_logon_name(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1636,7 +1699,7 @@ void test_pam_preauth_no_cert_no_logon_name(void **state)
set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1657,7 +1720,7 @@ void test_pam_preauth_cert_no_logon_name_no_match(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, NULL, NULL);
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1679,7 +1742,7 @@ void test_pam_cert_auth(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
- mock_input_pam_cert(pam_test_ctx, "pamuser", "123456");
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", NULL);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -1790,6 +1853,8 @@ int main(int argc, const char *argv[])
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match,
pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match_gdm_smartcard,
+ pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match_wrong_user,
pam_test_setup, pam_test_teardown),
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_no_logon_name,
--
2.9.3


@ -0,0 +1,100 @@
From aeb1038017723e473eeb2f405d3b5ff4f5d4af02 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 16 Sep 2016 11:47:40 +0200
Subject: [PATCH 62/79] p11: return a fully-qualified name
Related to https://fedorahosted.org/sssd/ticket/3165
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3649b959709f1ab187092f054d4aace0798c98fa)
---
src/responder/pam/pamsrv_p11.c | 20 +++++++++-----------
src/tests/cmocka/test_pam_srv.c | 16 ++++++++--------
2 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 22da33067d5c479153376927855dcd6b43322d8b..570bfe09d4385a038e7e03fcb64c72dd794774a6 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -521,33 +521,31 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
size_t msg_len;
size_t slot_len;
int ret;
- char *username;
if (sysdb_username == NULL || token_name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Missing mandatory user or slot name.\n");
return EINVAL;
}
- ret = sss_parse_internal_fqname(pd, sysdb_username, &username, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot parse [%s]\n", sysdb_username);
- return ret;
- }
-
- user_len = strlen(username) + 1;
+ user_len = strlen(sysdb_username) + 1;
slot_len = strlen(token_name) + 1;
msg_len = user_len + slot_len;
msg = talloc_zero_size(pd, msg_len);
if (msg == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n");
- talloc_free(username);
return ENOMEM;
}
- memcpy(msg, username, user_len);
+ /* sysdb_username is a fully-qualified name which is used by pam_sss when
+ * prompting the user for the PIN and as login name if it wasn't set by
+ * the PAM caller but has to be determined based on the inserted
+ * Smartcard. If this type of name is irritating at the PIN prompt or the
+ * re_expression config option was set in a way that user@domain cannot be
+ * handled anymore some more logic has to be added here. But for the time
+ * being I think using sysdb_username is fine. */
+ memcpy(msg, sysdb_username, user_len);
memcpy(msg + user_len, token_name, slot_len);
- talloc_free(username);
ret = pam_add_response(pd, SSS_PAM_CERT_INFO, msg_len, msg);
talloc_free(msg);
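Review bot: the comment at the memcpy concedes that sending user@domain in SSS_PAM_CERT_INFO may break setups whose re_expression cannot parse that form, and pam_sss uses the same string both at the PIN prompt and as the login name when the PAM caller did not set one; that is a user-visible change in two places and should be recorded in the commit message or the ticket, not only in a code comment. The simplified error path is fine: username is no longer allocated, so the ENOMEM branch has nothing to free, and user_len/slot_len are strlen()+1 of NUL-terminated strings so msg is fully written before pam_add_response copies it.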
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 02199e6f121cab0784389256cdaac38baf9d73e3..4b2dea4be6a819b23afd243ba99cd9bd57c16c20 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -664,11 +664,11 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body,
assert_int_equal(val, SSS_PAM_CERT_INFO);
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
- assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
- assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
- assert_string_equal(body + rp, "pamuser");
- rp += sizeof("pamuser");
+ assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
+ assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
+ rp += sizeof("pamuser@"TEST_DOM_NAME);
assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
assert_string_equal(body + rp, TEST_TOKEN_NAME);
@@ -703,11 +703,11 @@ static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
assert_int_equal(val, SSS_PAM_CERT_INFO);
SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
- assert_int_equal(val, (sizeof("pamuser") + sizeof(TEST_TOKEN_NAME)));
+ assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + sizeof(TEST_TOKEN_NAME)));
- assert_int_equal(*(body + rp + sizeof("pamuser") - 1), 0);
- assert_string_equal(body + rp, "pamuser");
- rp += sizeof("pamuser");
+ assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0);
+ assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME);
+ rp += sizeof("pamuser@"TEST_DOM_NAME);
assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0);
assert_string_equal(body + rp, TEST_TOKEN_NAME);
--
2.9.3


@ -0,0 +1,109 @@
From 540f0f9e2b35315703b56989d398c11da49992e2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 16 Sep 2016 11:48:18 +0200
Subject: [PATCH 63/79] pam_sss: check PKCS11_LOGIN_TOKEN_NAME
Check if PKCS11_LOGIN_TOKEN_NAME is set and prompt the user if the
matching Smartcard is not inserted.
Related to https://fedorahosted.org/sssd/ticket/3165
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 35ba922bc51416f02877b53a6f25c04104ae5f03)
---
src/sss_client/pam_sss.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index fdb9c907644f1317b6f8e58619f01ad2753deafc..2049d5fb0c6092aaaa914385c79d02d8f44b447e 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1410,6 +1410,7 @@ done:
}
#define SC_PROMPT_FMT "PIN for %s for user %s"
+
static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
{
int ret;
@@ -1691,6 +1692,62 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
return PAM_SUCCESS;
}
+#define SC_ENTER_FMT "Please enter smart card labeled\n %s\nand press enter"
+
+static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
+ bool quiet_mode)
+{
+ int ret;
+ int pam_status;
+ char *login_token_name;
+ char *prompt = NULL;
+ size_t size;
+ char *answer = NULL;
+
+ login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
+ if (login_token_name == NULL) {
+ return PAM_SUCCESS;
+ }
+
+ while (pi->token_name == NULL
+ || strcmp(login_token_name, pi->token_name) != 0) {
+ size = sizeof(SC_ENTER_FMT) + strlen(login_token_name);
+ prompt = malloc(size);
+ if (prompt == NULL) {
+ D(("malloc failed."));
+ return ENOMEM;
+ }
+
+ ret = snprintf(prompt, size, SC_ENTER_FMT,
+ login_token_name);
+ if (ret < 0 || ret >= size) {
+ D(("snprintf failed."));
+ free(prompt);
+ return EFAULT;
+ }
+
+ ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt,
+ NULL, &answer);
+ free(prompt);
+ free(answer);
+ if (ret != PAM_SUCCESS) {
+ D(("do_pam_conversation failed."));
+ return ret;
+ }
+
+ pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode);
+ if (pam_status != PAM_SUCCESS) {
+ D(("send_and_receive returned [%d] during pre-auth", pam_status));
+ /*
+ * Since we are waiting for the right Smartcard to be inserted errors
+ * can be ignored here.
+ */
+ }
+ }
+
+ return PAM_SUCCESS;
+}
+
static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
int pam_flags, int argc, const char **argv)
{
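Review bot: check_login_token_name returns ENOMEM and EFAULT from the malloc and snprintf failure paths, but its caller compares the result with PAM_SUCCESS and hands it straight back to libpam; errno values are not PAM return codes (on Linux ENOMEM is 12, the same value as PAM_NEW_AUTHTOK_REQD, and EFAULT is 14, PAM_SESSION_ERR), so return PAM_BUF_ERR and PAM_SYSTEM_ERR instead. The while loop has no upper bound: if the matching card is never inserted it re-prompts indefinitely, and a failed SSS_PAM_PREAUTH is deliberately ignored, so a retry limit would bound the worst case. `ret < 0 || ret >= size` compares int against size_t and will trip a sign-compare warning; cast or keep the length in a size_t. Finally, `free(answer)` runs even when do_pam_conversation failed and may not have set answer, which a follow-up patch in this series addresses.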
@@ -1758,6 +1815,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
}
}
+ if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
+ ret = check_login_token_name(pamh, &pi, quiet_mode);
+ if (ret != PAM_SUCCESS) {
+ D(("check_login_token_name failed.\n"));
+ return ret;
+ }
+ }
+
ret = get_authtok_for_authentication(pamh, &pi, flags);
if (ret != PAM_SUCCESS) {
D(("failed to get authentication token: %s",
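Review bot: strcmp(pi.pam_service, "gdm-smartcard") dereferences pi.pam_service with no NULL check; unless the code that fills struct pam_items guarantees a non-NULL service string, guard this with a NULL-safe comparison. The literal is also duplicated in the responder test, so a #define shared between pam_sss.c and test_pam_srv.c would avoid the two drifting apart.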
--
2.9.3


@ -0,0 +1,81 @@
From b1fe893002a506ace1b2930a0cb5d5bd5d4fa9f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Thu, 1 Sep 2016 12:04:30 +0200
Subject: [PATCH 64/79] SECRETS: Don't remove a container when it has children
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let's return and log an error in case the container to be removed has
children.
The approach taken introduced at least one new search in every delete
operation. As far as I understand searching in the BASE scope is quite
cheap and that's the reason I decided to just do the search in the
ONELEVEL scope when the requested to be deleted dn is for sure a
container.
Resolves:
https://fedorahosted.org/sssd/ticket/3167
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ab7b33fd7d820688545d5994a402cedf4bcdb6e1)
---
src/responder/secrets/local.c | 33 +++++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
index 5b5745d6732987c6057788b2099f45ad0799f151..b13e77f0453f3201d1f9f352bb0b331792de1106 100644
--- a/src/responder/secrets/local.c
+++ b/src/responder/secrets/local.c
@@ -372,14 +372,43 @@ int local_db_delete(TALLOC_CTX *mem_ctx,
struct local_context *lctx,
const char *req_path)
{
+ TALLOC_CTX *tmp_ctx;
struct ldb_dn *dn;
+ static const char *attrs[] = { NULL };
+ struct ldb_result *res;
int ret;
+ tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) return ENOMEM;
+
ret = local_db_dn(mem_ctx, lctx->ldb, req_path, &dn);
- if (ret != EOK) return ret;
+ if (ret != EOK) goto done;
+
+ ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
+ attrs, LOCAL_CONTAINER_FILTER);
+ if (ret != EOK) goto done;
+
+ if (res->count == 1) {
+ ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
+ attrs, NULL);
+ if (ret != EOK) goto done;
+
+ if (res->count > 0) {
+ ret = EEXIST;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to remove '%s': Container is not empty\n",
+ ldb_dn_get_linearized(dn));
+
+ goto done;
+ }
+ }
ret = ldb_delete(lctx->ldb, dn);
- return sysdb_error_to_errno(ret);
+ ret = sysdb_error_to_errno(ret);
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
}
int local_db_create(TALLOC_CTX *mem_ctx,
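Review bot: ldb_search returns LDB_* status codes rather than errno values, so the two `if (ret != EOK) goto done;` checks return an ldb code to callers that expect errno (the success test only works because LDB_SUCCESS and EOK are both 0); wrap those results in sysdb_error_to_errno() the same way the ldb_delete result already is. With that fixed the logic is sound: the BASE search with LOCAL_CONTAINER_FILTER decides whether the dn is a container, and only then is the ONELEVEL search paid for. Minor points: dn is still allocated on mem_ctx although tmp_ctx now exists and is freed on every path, and EEXIST is an unusual errno for "container not empty"; the integration test expects a 409 from the HTTP layer for this case, so if that mapping is deliberate a one-line comment here would help.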
--
2.9.3


@ -0,0 +1,37 @@
From 958e633f0cc364f758f9d417002e9eba60f15642 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 19 Sep 2016 10:53:51 +0200
Subject: [PATCH 65/79] PAM: call free only when memory is expected to be
allocated
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reported by Coverity
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit a8631161c47cbaefe7fd14b88202238bbdcc3dc8)
---
src/sss_client/pam_sss.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 2049d5fb0c6092aaaa914385c79d02d8f44b447e..be697c7fcfb47a57b5b498c61f60fcf4bfbbd57f 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1729,10 +1729,11 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt,
NULL, &answer);
free(prompt);
- free(answer);
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
return ret;
+ } else {
+ free(answer);
}
pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode);
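Review bot: the `else` after `return ret;` is redundant; `free(answer);` can simply follow the if block. More importantly, `answer` is whatever the user typed at an echo-off prompt and is discarded unread; a user who mistakes this "press enter" prompt for the PIN prompt will have typed their PIN into it, so overwrite the buffer before freeing it rather than releasing it as-is.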
--
2.9.3


@ -0,0 +1,82 @@
From b44ec31e6fe2b41e52c3f055d4322c253303471d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Mon, 19 Sep 2016 06:28:57 -0400
Subject: [PATCH 66/79] TESTS: Fixing of 'const' warnings in sbus tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 626d8217a2e578ba641ae3c968752aa15284a210)
---
src/tests/sbus_codegen_tests.c | 13 +++++++------
src/tests/sbus_tests.c | 4 ++--
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/tests/sbus_codegen_tests.c b/src/tests/sbus_codegen_tests.c
index 55d4657385cfc697985b570e4310164558e2d647..262bfd49e34be72196e1cf1fe451d96b43b067ae 100644
--- a/src/tests/sbus_codegen_tests.c
+++ b/src/tests/sbus_codegen_tests.c
@@ -634,7 +634,7 @@ static int pilot_test_server_init(struct sbus_connection *server, void *unused)
int ret;
ret = sbus_conn_register_iface(server, &pilot_iface.vtable, "/test/leela",
- "Crash into the billboard");
+ discard_const("Crash into the billboard"));
ck_assert_int_eq(ret, EOK);
return EOK;
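Review bot: discard_const() silences the warning but hands a string literal to the instance-data argument as a mutable pointer; if sbus_conn_register_iface or any handler ever writes through it, that is undefined behaviour on read-only memory. Since the tests only ever pass literals, the cleaner fix is a const-correct parameter (or a `static char[]` buffer in the test) rather than the same cast at every call site, which is repeated in special_test_server_init and again in sbus_tests.c.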
@@ -645,7 +645,8 @@ static int special_test_server_init(struct sbus_connection *server, void *unused
int ret;
ret = sbus_conn_register_iface(server, &special_iface.vtable,
- "/test/special", "Crash into the billboard");
+ "/test/special",
+ discard_const("Crash into the billboard"));
ck_assert_int_eq(ret, EOK);
return EOK;
@@ -673,8 +674,8 @@ START_TEST(test_marshal_basic_types)
dbus_int64_t v_int64[] = { INT64_C(-6666666666666666), INT64_C(7777777777777777) };
dbus_uint64_t v_uint64[] = { UINT64_C(7777777777777777), INT64_C(888888888888888888) };
double v_double[] = { 1.1, 2.2, 3.3 };
- char *v_string[] = { "bears", "bears", "bears" };
- char *v_object_path[] = { "/original", "/original" };
+ const char *v_string[] = { "bears", "bears", "bears" };
+ const char *v_object_path[] = { "/original", "/original" };
unsigned char *arr_byte = v_byte;
dbus_int16_t *arr_int16 = v_int16;
@@ -684,8 +685,8 @@ START_TEST(test_marshal_basic_types)
dbus_int64_t *arr_int64 = v_int64;
dbus_uint64_t *arr_uint64 = v_uint64;
double *arr_double = v_double;
- char **arr_string = v_string;
- char **arr_object_path = v_object_path;
+ char **arr_string = discard_const(v_string);
+ char **arr_object_path = discard_const(v_object_path);
int len_byte = N_ELEMENTS(v_byte);
int len_int16 = N_ELEMENTS(v_int16);
diff --git a/src/tests/sbus_tests.c b/src/tests/sbus_tests.c
index b472659639e3dce0733dde4ed54a55dcb40c191e..6bf71dc1bbe73b52455c18353531865da1ba6eac 100644
--- a/src/tests/sbus_tests.c
+++ b/src/tests/sbus_tests.c
@@ -201,12 +201,12 @@ static int pilot_test_server_init(struct sbus_connection *server, void *unused)
int ret;
ret = sbus_conn_register_iface(server, &pilot_impl.vtable, "/test/leela",
- "Crash into the billboard");
+ discard_const("Crash into the billboard"));
ck_assert_int_eq(ret, EOK);
ret = sbus_conn_register_iface(server, &pilot_impl.vtable, "/test/fry",
- "Don't crash");
+ discard_const("Don't crash"));
ck_assert_int_eq(ret, EOK);
return EOK;
--
2.9.3


@ -0,0 +1,61 @@
From 4fe173d0e1333659479da47306b3b7957bc2e6d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Thu, 15 Sep 2016 09:54:18 -0400
Subject: [PATCH 67/79] MAKEFILE: Fixing CFLAGS in some tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 4f2509f8d23d9e921f07b2ead63392ae82ad3a38)
---
Makefile.am | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index f89af5a9d6d26c732574aa3651de8c175f538b28..f792ed6a6b531d9e6e2c886c2fbe64e1e2345b73 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1828,6 +1828,7 @@ refcount_tests_SOURCES = \
src/tests/refcount-tests.c \
$(NULL)
refcount_tests_CFLAGS = \
+ $(AM_CFLAGS) \
$(CHECK_CFLAGS)
refcount_tests_LDADD = \
$(SSSD_LIBS) \
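Review bot: a per-target `*_CFLAGS` under automake replaces AM_CFLAGS instead of adding to it, so these test binaries were being compiled without the project's warning flags, which is why the const warnings fixed in the previous patch went unnoticed. Worth grepping Makefile.am for any other `_CFLAGS =` targets that still omit $(AM_CFLAGS) so they do not regress the same way.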
@@ -1840,6 +1841,7 @@ fail_over_tests_SOURCES = \
$(SSSD_FAILOVER_OBJ) \
$(NULL)
fail_over_tests_CFLAGS = \
+ $(AM_CFLAGS) \
$(CHECK_CFLAGS)
fail_over_tests_LDADD = \
$(SSSD_LIBS) \
@@ -2044,6 +2046,7 @@ sbus_tests_SOURCES = \
src/tests/common_dbus.c \
src/tests/sbus_tests.c
sbus_tests_CFLAGS = \
+ $(AM_CFLAGS) \
$(CHECK_CFLAGS)
sbus_tests_LDADD = \
$(SSSD_INTERNAL_LTLIBS) \
@@ -2056,6 +2059,7 @@ sbus_codegen_tests_SOURCES = \
src/tests/sbus_codegen_tests_generated.c \
$(NULL)
sbus_codegen_tests_CFLAGS = \
+ $(AM_CFLAGS) \
$(CHECK_CFLAGS)
sbus_codegen_tests_LDADD = \
$(SSSD_INTERNAL_LTLIBS) \
@@ -2468,6 +2472,7 @@ ad_common_tests_SOURCES = \
src/providers/ldap/sdap_async_initgroups_ad.c \
$(NULL)
ad_common_tests_CFLAGS = \
+ $(AM_CFLAGS) \
$(NDR_NBT_CFLAGS) \
$(NDR_KRB5PAC_CFLAGS) \
$(NULL)
--
2.9.3


@ -0,0 +1,395 @@
From 0718b1bf4af69712d18f6ea3a427c1cab2e377da Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 8 Aug 2016 17:49:05 +0200
Subject: [PATCH 68/79] TESTS: Add integration tests for the sssd-secrets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Implements a simple HTTP client and uses it to talk to the sssd-secrets
responder. Only the local provider is tested at the moment.
Resolves:
https://fedorahosted.org/sssd/ticket/3054
Reviewed-by: Petr Čech <pcech@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit db0982c52294ee5ea08ed242d27660783fde29cd)
---
contrib/ci/deps.sh | 2 +
src/tests/intg/Makefile.am | 5 ++
src/tests/intg/config.py.m4 | 3 +
src/tests/intg/secrets.py | 137 ++++++++++++++++++++++++++++++++++
src/tests/intg/test_secrets.py | 162 +++++++++++++++++++++++++++++++++++++++++
5 files changed, 309 insertions(+)
create mode 100644 src/tests/intg/secrets.py
create mode 100644 src/tests/intg/test_secrets.py
diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
index 1a94e3df2ee1d43dd34ef8cda1542aab1166bccd..9a7098c399df319753858a4a7fee23d4204c1f1c 100644
--- a/contrib/ci/deps.sh
+++ b/contrib/ci/deps.sh
@@ -45,6 +45,7 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
pyldb
rpm-build
uid_wrapper
+ python-requests
)
_DEPS_LIST_SPEC=`
sed -e 's/@PACKAGE_VERSION@/0/g' \
@@ -114,6 +115,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
python-pytest
python-ldap
python-ldb
+ python-requests
ldap-utils
slapd
systemtap-sdt-dev
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 75422a4417046116bec11a8a680fe2248e3afb69..1e08eadcbbdebcca6f0f3550cc084c1a1762c0c4 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -16,6 +16,8 @@ dist_noinst_DATA = \
test_memory_cache.py \
test_ts_cache.py \
test_netgroup.py \
+ secrets.py \
+ test_secrets.py \
$(NULL)
config.py: config.py.m4
@@ -25,6 +27,9 @@ config.py: config.py.m4
-D "pidpath=\`$(pidpath)'" \
-D "logpath=\`$(logpath)'" \
-D "mcpath=\`$(mcpath)'" \
+ -D "secdbpath=\`$(secdbpath)'" \
+ -D "libexecpath=\`$(libexecdir)'" \
+ -D "runstatedir=\`$(runstatedir)'" \
$< > $@
root:
diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
index 77aa47b7958783217132b724159d9d3d247e1079..65e17e55a25372754ff7e49ac75607bcc985912c 100644
--- a/src/tests/intg/config.py.m4
+++ b/src/tests/intg/config.py.m4
@@ -12,3 +12,6 @@ PID_PATH = "pidpath"
PIDFILE_PATH = PID_PATH + "/sssd.pid"
LOG_PATH = "logpath"
MCACHE_PATH = "mcpath"
+SECDB_PATH = "secdbpath"
+LIBEXEC_PATH = "libexecpath"
+RUNSTATEDIR = "runstatedir"
diff --git a/src/tests/intg/secrets.py b/src/tests/intg/secrets.py
new file mode 100644
index 0000000000000000000000000000000000000000..5d4c0e2f28db9601fa0e3a21dd90a7444c7c8978
--- /dev/null
+++ b/src/tests/intg/secrets.py
@@ -0,0 +1,137 @@
+#
+# Secrets responder test client
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import socket
+import requests
+
+from requests.adapters import HTTPAdapter
+from requests.packages.urllib3.connection import HTTPConnection
+from requests.packages.urllib3.connectionpool import HTTPConnectionPool
+from requests.compat import quote, unquote, urlparse
+
+
+class HTTPUnixConnection(HTTPConnection):
+ def __init__(self, host, timeout=60, **kwargs):
+ super(HTTPUnixConnection, self).__init__('localhost')
+ self.unix_socket = host
+ self.timeout = timeout
+
+ def connect(self):
+ sock = socket.socket(family=socket.AF_UNIX)
+ sock.settimeout(self.timeout)
+ sock.connect(self.unix_socket)
+ self.sock = sock
+
+
+class HTTPUnixConnectionPool(HTTPConnectionPool):
+ scheme = 'http+unix'
+ ConnectionCls = HTTPUnixConnection
+
+
+class HTTPUnixAdapter(HTTPAdapter):
+ def get_connection(self, url, proxies=None):
+ # proxies, silently ignored
+ path = unquote(urlparse(url).netloc)
+ return HTTPUnixConnectionPool(path)
+
+
+class SecretsHttpClient(object):
+ secrets_sock_path = '/var/run/secrets.socket'
+ secrets_container = 'secrets'
+
+ def __init__(self, content_type='application/json', sock_path=None):
+ if sock_path is None:
+ sock_path = self.secrets_sock_path
+
+ self.content_type = content_type
+ self.session = requests.Session()
+ self.session.mount('http+unix://', HTTPUnixAdapter())
+ self.headers = dict({'Content-Type': content_type})
+ self.url = 'http+unix://' + \
+ quote(sock_path, safe='') + \
+ '/' + \
+ self.secrets_container
+ self._last_response = None
+
+ def _join_url(self, resource):
+ path = self.url.rstrip('/') + '/'
+ if resource is not None:
+ path = path + resource.lstrip('/')
+ return path
+
+ def _add_headers(self, **kwargs):
+ headers = kwargs.get('headers', None)
+ if headers is None:
+ headers = dict()
+ headers.update(self.headers)
+ return headers
+
+ def _request(self, cmd, path, **kwargs):
+ self._last_response = None
+ url = self._join_url(path)
+ kwargs['headers'] = self._add_headers(**kwargs)
+ self._last_response = cmd(url, **kwargs)
+ return self._last_response
+
+ @property
+ def last_response(self):
+ return self._last_response
+
+ def get(self, path, **kwargs):
+ return self._request(self.session.get, path, **kwargs)
+
+ def list(self, **kwargs):
+ return self._request(self.session.get, None, **kwargs)
+
+ def put(self, name, **kwargs):
+ return self._request(self.session.put, name, **kwargs)
+
+ def delete(self, name, **kwargs):
+ return self._request(self.session.delete, name, **kwargs)
+
+ def post(self, name, **kwargs):
+ return self._request(self.session.post, name, **kwargs)
+
+
+class SecretsLocalClient(SecretsHttpClient):
+ def list_secrets(self):
+ res = self.list()
+ res.raise_for_status()
+ simple = res.json()
+ return simple
+
+ def get_secret(self, name):
+ res = self.get(name)
+ res.raise_for_status()
+ simple = res.json()
+ ktype = simple.get("type", None)
+ if ktype != "simple":
+ raise TypeError("Invalid key type: %s" % ktype)
+ return simple["value"]
+
+ def set_secret(self, name, value):
+ res = self.put(name, json={"type": "simple", "value": value})
+ res.raise_for_status()
+
+ def del_secret(self, name):
+ res = self.delete(name)
+ res.raise_for_status()
+
+ def create_container(self, name):
+ res = self.post(name)
+ res.raise_for_status()
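Review bot: the client hard-codes secrets_sock_path = '/var/run/secrets.socket' while the fixture computes the path from config.RUNSTATEDIR; deriving the default from config as well (or dropping it) avoids a test accidentally talking to a system responder. get_secret rejects an unexpected "type" with TypeError but does not check that "value" is present, so a malformed response surfaces as a bare KeyError; HTTPUnixConnection stores timeout but drops **kwargs on the floor, which is fine here but deserves a comment; and requests.packages.urllib3 is a compatibility alias, so importing urllib3 directly is more robust across requests versions.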
diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py
new file mode 100644
index 0000000000000000000000000000000000000000..e394d1275e35e686a14a604943796e793fe29119
--- /dev/null
+++ b/src/tests/intg/test_secrets.py
@@ -0,0 +1,162 @@
+#
+# Secrets responder integration tests
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import stat
+import config
+import signal
+import subprocess
+import time
+import socket
+import pytest
+from requests import HTTPError
+
+from util import unindent
+from secrets import SecretsLocalClient
+
+
+def create_conf_fixture(request, contents):
+ """Generate sssd.conf and add teardown for removing it"""
+ conf = open(config.CONF_PATH, "w")
+ conf.write(contents)
+ conf.close()
+ os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR)
+ request.addfinalizer(lambda: os.unlink(config.CONF_PATH))
+
+
+def create_sssd_secrets_fixture(request):
+ if subprocess.call(['sssd', "--genconf"]) != 0:
+ raise Exception("failed to regenerate confdb")
+
+ resp_path = os.path.join(config.LIBEXEC_PATH, "sssd", "sssd_secrets")
+
+ secpid = os.fork()
+ if secpid == 0:
+ if subprocess.call([resp_path, "--uid=0", "--gid=0"]) != 0:
+ raise Exception("sssd_secrets failed to start")
+
+ sock_path = os.path.join(config.RUNSTATEDIR, "secrets.socket")
+ sck = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ for _ in range(1, 10):
+ try:
+ sck.connect(sock_path)
+ except:
+ time.sleep(0.1)
+ else:
+ break
+ sck.close()
+
+ def sec_teardown():
+ if secpid == 0:
+ return
+
+ os.kill(secpid, signal.SIGTERM)
+ for secdb_file in os.listdir(config.SECDB_PATH):
+ os.unlink(config.SECDB_PATH + "/" + secdb_file)
+ request.addfinalizer(sec_teardown)
+
+
+@pytest.fixture
+def setup_for_secrets(request):
+ """
+ Just set up the local provider for tests and enable the secrets
+ responder
+ """
+ conf = unindent("""\
+ [sssd]
+ domains = local
+ services = nss
+
+ [domain/local]
+ id_provider = local
+ """).format(**locals())
+
+ create_conf_fixture(request, conf)
+ create_sssd_secrets_fixture(request)
+ return None
+
+
+@pytest.fixture
+def secrets_cli(request):
+ sock_path = os.path.join(config.RUNSTATEDIR, "secrets.socket")
+ cli = SecretsLocalClient(sock_path=sock_path)
+ return cli
+
+
+def test_crd_ops(setup_for_secrets, secrets_cli):
+ """
+ Test that the basic Create, Retrieve, Delete operations work
+ """
+ cli = secrets_cli
+
+ # Listing a totally empty database yields a 404 error, no secrets are there
+ with pytest.raises(HTTPError) as err404:
+ secrets = cli.list_secrets()
+ assert str(err404.value).startswith("404")
+
+ # Set some value, should succeed
+ cli.set_secret("foo", "bar")
+
+ fooval = cli.get_secret("foo")
+ assert fooval == "bar"
+
+ # Listing secrets should work now as well
+ secrets = cli.list_secrets()
+ assert len(secrets) == 1
+ assert "foo" in secrets
+
+ # Overwriting a secret is an error
+ with pytest.raises(HTTPError) as err409:
+ cli.set_secret("foo", "baz")
+ assert str(err409.value).startswith("409")
+
+ # Delete a secret
+ cli.del_secret("foo")
+ with pytest.raises(HTTPError) as err404:
+ fooval = cli.get_secret("foo")
+ assert str(err404.value).startswith("404")
+
+ # Delete a non-existent secret must yield a 404
+ with pytest.raises(HTTPError) as err404:
+ cli.del_secret("foo")
+ assert str(err404.value).startswith("404")
+
+
+def test_containers(setup_for_secrets, secrets_cli):
+ """
+ Test that storing secrets inside containers works
+ """
+ cli = secrets_cli
+
+ # No trailing slash, no game..
+ with pytest.raises(HTTPError) as err400:
+ cli.create_container("mycontainer")
+ assert str(err400.value).startswith("400")
+
+ cli.create_container("mycontainer/")
+ cli.set_secret("mycontainer/foo", "containedfooval")
+ assert cli.get_secret("mycontainer/foo") == "containedfooval"
+
+ # Removing a non-empty container should not succeed
+ with pytest.raises(HTTPError) as err409:
+ cli.del_secret("mycontainer/")
+ assert str(err409.value).startswith("409")
+
+ # Try removing the secret first, then the container
+ cli.del_secret("mycontainer/foo")
+ cli.del_secret("mycontainer/")
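Review bot: in create_sssd_secrets_fixture the forked child raises an Exception if sssd_secrets exits non-zero, but an exception in the child does not stop the parent and leaves a second pytest process carrying on with the test session; the child should os._exit() after subprocess.call() whatever the outcome. sec_teardown sends SIGTERM but never waitpid()s, leaving a zombie, and then unlinks the secdb files while the responder may still be shutting down; wait for the child first. The readiness loop swallows everything with a bare except and gives up silently after nine 0.1 s attempts, so a responder that never comes up fails confusingly inside the first test instead of in the fixture; raise when the final connect does not succeed. Also, a module named `secrets` shadows the standard-library secrets module on Python 3.6 and later, so renaming it (for example secrets_client.py) avoids import ambiguity.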
--
2.9.3


@ -0,0 +1,58 @@
From c0f663b1a497182cfd2eaf92dda0459342ba6685 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 4 Aug 2016 17:58:32 +0200
Subject: [PATCH 69/79] AUTOFS: Fix offline resolution of autofs maps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If talking to the Data Provider failed, we never re-tried looking into
the cache. We should consult the cache on DP failures and return cached
results, if possible.
Resolves:
https://fedorahosted.org/sssd/ticket/3080
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit b9e155da725e711ab306ca8a96e3ba6fbda41a3a)
---
src/responder/autofs/autofssrv_cmd.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
index 9666ab2d195a581f18eaa7ff9bbc4c8167a71b15..f5aa25a483c3b3352f40e8cc66dfd3a24a60af0d 100644
--- a/src/responder/autofs/autofssrv_cmd.c
+++ b/src/responder/autofs/autofssrv_cmd.c
@@ -871,17 +871,25 @@ static void lookup_automntmap_cache_updated(uint16_t err_maj, uint32_t err_min,
if (err_maj) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unable to get information from Data Provider\n"
- "Error: %u, %u, %s\n"
- "Will try to return what we have in cache\n",
+ "Error: %u, %u, %s\n"
+ "Will try to return what we have in cache\n",
(unsigned int)err_maj, (unsigned int)err_min, err_msg);
- /* Loop to the next domain if possible */
+
+ /* Try to fall back to cache */
+ ret = lookup_automntmap_step(lookup_ctx);
+ if (ret == EOK) {
+ /* We have cached results to return */
+ autofs_setent_notify(lookup_ctx->map, ret);
+ return;
+ }
+
+ /* Otherwise try the next domain */
if (dctx->cmd_ctx->check_next
&& (dctx->domain = get_next_domain(dctx->domain, 0))) {
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
}
}
- /* ok the backend returned, search to see if we have updated results */
ret = lookup_automntmap_step(lookup_ctx);
if (ret != EOK) {
if (ret == EAGAIN) {
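Review bot: in the `err_maj` branch, when the new `ret = lookup_automntmap_step(lookup_ctx);` fallback returns anything other than EOK the value is dropped without a DEBUG message, and control falls through to the pre-existing `ret = lookup_automntmap_step(lookup_ctx);` below the block, so when `check_next` is false (or no further domain exists) the same cache lookup runs twice against the same domain before the error is finally reported. Since the code after the block already distinguishes EAGAIN, consider logging the fallback failure and, when the domain was not advanced, reporting the result directly instead of repeating the lookup.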
--
2.9.3


@ -0,0 +1,44 @@
From 068aadc5169380c37459c7cb50d397e93d5f121d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 4 Aug 2016 17:58:47 +0200
Subject: [PATCH 70/79] NSS: Fix offline resolution of netgroups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If talking to the Data Provider failed, we never re-tried looking into
the cache. We should consult the cache on DP failures and return cached
results, if possible.
Resolves:
https://fedorahosted.org/sssd/ticket/3123
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit a3108c5cd1ebb05c133c8e8990278ac4f4b8e25c)
---
src/responder/nss/nsssrv_netgroup.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c
index e42976b245952291cd1eb36480138514e3d4ec09..49ef0f5c9b264a6252880a2944e8a1bd38ae0527 100644
--- a/src/responder/nss/nsssrv_netgroup.c
+++ b/src/responder/nss/nsssrv_netgroup.c
@@ -674,6 +674,15 @@ static void lookup_netgr_dp_callback(uint16_t err_maj, uint32_t err_min,
"Error: %u, %u, %s\n"
"Will try to return what we have in cache\n",
(unsigned int)err_maj, (unsigned int)err_min, err_msg);
+
+ /* Try to fall back to cache */
+ ret = lookup_netgr_step(step_ctx);
+ if (ret == EOK) {
+ /* We have cached results to return */
+ nss_setent_notify_done(dctx->netgr);
+ return;
+ }
+
/* Loop to the next domain if possible */
if (cmdctx->check_next
&& (dctx->domain = get_next_domain(dctx->domain, 0))) {
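Review bot: same concern as the autofs counterpart in this series: when `lookup_netgr_step(step_ctx)` returns something other than EOK the value is silently discarded and the code proceeds to the next domain (or past the block), where the lookup is repeated; at least a DEBUG line stating that the cache fallback failed, and with which error, would make offline troubleshooting easier.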
--
2.9.3


@ -0,0 +1,78 @@
From 39ab6bfc8f822c77144d0056bb87b82ca3e8af3e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 9 Sep 2016 12:23:04 +0200
Subject: [PATCH 71/79] TESTS: Test offline netgroups resolution
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit c0ee12832555b42c17e48cdf731731454a97972e)
---
src/tests/intg/test_netgroup.py | 29 +++++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
index b99476126844e35d5dbc1793077720b4020c2fb7..f1d801f48a954baf4d244ec533348a1de2f2d2c8 100644
--- a/src/tests/intg/test_netgroup.py
+++ b/src/tests/intg/test_netgroup.py
@@ -104,6 +104,7 @@ def format_basic_conf(ldap_conn, schema):
[sssd]
domains = LDAP
services = nss
+ disable_netlink = true
[domain/LDAP]
{schema_conf}
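Review bot: `disable_netlink = true` is added to the test configuration without saying why; a one-line comment (presumably that netlink network-change events would otherwise interfere with the simulated offline state) would help the next person who touches this fixture.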
@@ -148,11 +149,16 @@ def create_sssd_process():
raise Exception("sssd start failed")
+def get_sssd_pid():
+ pid_file = open(config.PIDFILE_PATH, "r")
+ pid = int(pid_file.read())
+ return pid
+
+
def cleanup_sssd_process():
"""Stop the SSSD process and remove its state"""
try:
- pid_file = open(config.PIDFILE_PATH, "r")
- pid = int(pid_file.read())
+ pid = get_sssd_pid()
os.kill(pid, signal.SIGTERM)
while True:
try:
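Review bot: `get_sssd_pid` opens `config.PIDFILE_PATH` and never closes it, so the descriptor stays open until garbage collection; use `with open(config.PIDFILE_PATH, "r") as pid_file:` and return `int(pid_file.read())` from inside the block. The same leak existed in the removed lines, so this is the moment to fix it.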
@@ -173,6 +179,11 @@ def create_sssd_cleanup(request):
request.addfinalizer(cleanup_sssd_process)
+def simulate_offline():
+ pid = get_sssd_pid()
+ os.kill(pid, signal.SIGUSR1)
+
+
def create_sssd_fixture(request):
"""Start SSSD and add teardown for stopping it and removing its state"""
create_sssd_process()
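Review bot: `simulate_offline` lacks the docstring its neighbours have; a line stating that SIGUSR1 tells SSSD to switch the backend offline would document the assumption the new test depends on.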
@@ -457,3 +468,17 @@ def test_removing_nested_netgroups(removing_nested_netgroups, ldap_conn):
res, _, netgroups = sssd_netgroup.get_sssd_netgroups("t2841_netgroup3")
assert res == sssd_netgroup.NssReturnCode.SUCCESS
assert netgroups == []
+
+
+def test_offline_netgroups(add_tripled_netgroup):
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("host", "user", "domain")]
+
+ subprocess.check_call(["sss_cache", "-N"])
+
+ simulate_offline()
+
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("host", "user", "domain")]
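Review bot: `simulate_offline()` sends SIGUSR1 and returns immediately, but signal delivery and the switch to offline mode are asynchronous, so the second `get_sssd_netgroups` call can race ahead and still be served online, letting the test pass without exercising the new cache fallback. Waiting for an observable sign that the backend is offline (or a short bounded retry loop) before the second lookup would make the regression test deterministic. Also confirm that `subprocess` is imported at the top of the module, since this hunk shows its first use here.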
--
2.9.3


@ -0,0 +1,289 @@
From e166ad6facb9812249376683ae936c5f3f5682af Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Sat, 17 Sep 2016 21:05:36 +0200
Subject: [PATCH 72/79] Remove double semicolon at the end of line
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit b9941359b3181c42f415530d5ccad0f4664d85fa)
---
src/db/sysdb_ops.c | 2 +-
src/lib/idmap/sss_idmap.c | 2 +-
src/lib/sifp/sss_sifp_parser.c | 2 +-
src/providers/ad/ad_gpo.c | 2 +-
src/providers/ipa/ipa_subdomains_id.c | 2 +-
src/providers/ipa/ipa_sudo_conversion.c | 2 +-
src/providers/krb5/krb5_child.c | 2 +-
src/providers/ldap/sdap_async.c | 6 +++---
src/providers/ldap/sdap_async_initgroups.c | 2 +-
src/providers/ldap/sdap_async_netgroups.c | 2 +-
src/responder/pam/pamsrv_cmd.c | 2 +-
src/sss_client/sudo/sss_sudo.c | 2 +-
src/tests/krb5_child-test.c | 10 +++++-----
src/tests/sbus_codegen_tests.c | 4 ++--
src/tools/sss_groupshow.c | 2 +-
src/util/string_utils.c | 2 +-
src/util/usertools.c | 2 +-
17 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 5d9c9fb24a149f8215b3027dcb4b0e1a183e4b43..29f4b1d1597bd98541a152dd6462caa864fbf2fd 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -4815,7 +4815,7 @@ errno_t sysdb_handle_original_uuid(const char *orig_name,
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
- return ret;;
+ return ret;
}
return EOK;
diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c
index 58b0ec62118c9e01b61d987bf77179e774313b11..ffb218c844bff18e8a000398e9d646556ca295cf 100644
--- a/src/lib/idmap/sss_idmap.c
+++ b/src/lib/idmap/sss_idmap.c
@@ -916,7 +916,7 @@ get_range(struct sss_idmap_ctx *ctx,
long long rid,
struct idmap_range_params **_range)
{
- char *secondary_name = NULL;;
+ char *secondary_name = NULL;
enum idmap_error_code err;
int first_rid;
struct idmap_range_params *range;
diff --git a/src/lib/sifp/sss_sifp_parser.c b/src/lib/sifp/sss_sifp_parser.c
index eaa57d8d5e67ec07d0fe89e003ee011dcd40a75f..65babb5bc5430a541ade4cec0350e0846962fd67 100644
--- a/src/lib/sifp/sss_sifp_parser.c
+++ b/src/lib/sifp/sss_sifp_parser.c
@@ -469,7 +469,7 @@ sss_sifp_parse_variant(sss_sifp_ctx *ctx,
/* case DBUS_TYPE_DICT_ENTRY may only be contained within an array
* in variant */
case DBUS_TYPE_ARRAY:
- ret = sss_sifp_parse_array(ctx, &variant_iter, attr);;
+ ret = sss_sifp_parse_array(ctx, &variant_iter, attr);
break;
default:
ret = SSS_SIFP_NOT_SUPPORTED;
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 63c68ce35922ca0407ae6ea32c0a78100e14504b..2b06a0ec8c24a0da44b0da00718c84c228242d24 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2491,7 +2491,7 @@ ad_gpo_populate_som_list(TALLOC_CTX *mem_ctx,
}
/* first, populate the OU and Domain SOMs */
- tmp_dn = target_dn;;
+ tmp_dn = target_dn;
while ((ad_gpo_parent_dn(tmp_ctx, ldb_ctx, tmp_dn, &parent_dn)) == EOK) {
if ((strncasecmp(parent_dn, "OU=", strlen("OU=")) == 0) ||
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 5369ec4c624544f7f3aec88ddaa30eac91c51735..97c96e3818f37d0cf3e282f68d3a013122a2a55b 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -669,7 +669,7 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
struct ipa_get_ad_acct_state *state;
struct sdap_domain *sdom;
struct sdap_id_conn_ctx **clist;
- struct sdap_id_ctx *sdap_id_ctx;;
+ struct sdap_id_ctx *sdap_id_ctx;
struct ad_id_ctx *ad_id_ctx;
req = tevent_req_create(mem_ctx, &state, struct ipa_get_ad_acct_state);
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
index 21186d2455fb28c2743131ef98920eb00753f0d6..9dbc8604df544ce0865a2e99facf92cfd697123b 100644
--- a/src/providers/ipa/ipa_sudo_conversion.c
+++ b/src/providers/ipa/ipa_sudo_conversion.c
@@ -634,7 +634,7 @@ static errno_t get_sudo_cmd_rdn(TALLOC_CTX *mem_ctx,
}
*_rdn_val = rdn_val;
- *_rdn_attr = map[IPA_AT_SUDOCMD_CMD].name;;
+ *_rdn_attr = map[IPA_AT_SUDOCMD_CMD].name;
return EOK;
}
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 82522995e310f20c58922f814e14e81a84b9bcb9..df94bc4c481b090d50f9b0119ccde5a373d9e20b 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -2612,7 +2612,7 @@ static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
ret = check_use_fast(&kr->fast_val);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "check_use_fast failed.\n");
- return ret;;
+ return ret;
}
/* For ccache types FILE: and DIR: we might need to create some directory
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index f374112935a7befa1d059df97f3119c14d8f5da5..246e12a1f386da1841963d5c1d1c4d2870cc1b6b 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2097,7 +2097,7 @@ static void sdap_x_deref_search_done(struct tevent_req *subreq)
static int sdap_x_deref_search_ctrls_destructor(void *ptr)
{
- LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);;
+ LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);
if (ctrls && ctrls[0]) {
ldap_control_free(ctrls[0]);
@@ -2289,7 +2289,7 @@ static void sdap_sd_search_done(struct tevent_req *subreq)
static int sdap_sd_search_ctrls_destructor(void *ptr)
{
- LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);;
+ LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);
if (ctrls && ctrls[0]) {
ldap_control_free(ctrls[0]);
}
@@ -2548,7 +2548,7 @@ static void sdap_asq_search_done(struct tevent_req *subreq)
static int sdap_asq_search_ctrls_destructor(void *ptr)
{
- LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);;
+ LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);
if (ctrls && ctrls[0]) {
ldap_control_free(ctrls[0]);
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index f9593f0dfaa2dc6e33fd6c9d1f0c9b78cad3a1d9..df39de3cc5daf9ce23e1d9abe8b72f06ae45e9cd 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -816,7 +816,7 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
}
state->groups = talloc_zero_array(state, struct sysdb_attrs *,
- state->memberof->num_values + 1);;
+ state->memberof->num_values + 1);
if (!state->groups) {
ret = ENOMEM;
goto immediate;
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
index e1d69ad769f542cccffca50547932a5bfb352230..f4a1d165f77a15f150e99844d69716c6c8785bee 100644
--- a/src/providers/ldap/sdap_async_netgroups.c
+++ b/src/providers/ldap/sdap_async_netgroups.c
@@ -313,7 +313,7 @@ struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
dn_filter = talloc_strdup(state, "(|");
if (dn_filter == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
- ret = ENOMEM;;
+ ret = ENOMEM;
goto fail;
}
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index be54fbf9b627d0ec1c3b0416401885245794cf9f..e52fc764245a2dd604bd149b956f8204fa865342 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1286,7 +1286,7 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
if (pd->logon_name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"No certificate found and no logon name given, " \
- "authentication not possible.\n");;
+ "authentication not possible.\n");
ret = ENOENT;
} else {
if (pd->cmd == SSS_PAM_AUTHENTICATE) {
diff --git a/src/sss_client/sudo/sss_sudo.c b/src/sss_client/sudo/sss_sudo.c
index 202029934ccb7c979b9b740fc7e466888825e042..3651740019349c590877a18f9e42c23b9ad41d0d 100644
--- a/src/sss_client/sudo/sss_sudo.c
+++ b/src/sss_client/sudo/sss_sudo.c
@@ -226,7 +226,7 @@ void sss_sudo_free_rules(unsigned int num_rules, struct sss_sudo_rule *rules)
void sss_sudo_free_attrs(unsigned int num_attrs, struct sss_sudo_attr *attrs)
{
- struct sss_sudo_attr *attr = NULL;;
+ struct sss_sudo_attr *attr = NULL;
int i, j;
if (attrs == NULL) {
diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c
index 50acc88ed0c312b2662f01fe41247781f235a54d..d570d52229a23a557d1f32b90cbb815239b57e74 100644
--- a/src/tests/krb5_child-test.c
+++ b/src/tests/krb5_child-test.c
@@ -390,11 +390,11 @@ main(int argc, const char *argv[])
int pc_debug = 0;
int pc_timeout = 0;
- const char *pc_user = NULL;;
- const char *pc_passwd = NULL;;
- const char *pc_realm = NULL;;
- const char *pc_ccname = NULL;;
- const char *pc_ccname_tp = NULL;;
+ const char *pc_user = NULL;
+ const char *pc_passwd = NULL;
+ const char *pc_realm = NULL;
+ const char *pc_ccname = NULL;
+ const char *pc_ccname_tp = NULL;
char *password = NULL;
bool rm_ccache = true;
diff --git a/src/tests/sbus_codegen_tests.c b/src/tests/sbus_codegen_tests.c
index 262bfd49e34be72196e1cf1fe451d96b43b067ae..05eb78d7d8f0917a62a47bf684d7f7135fe7b005 100644
--- a/src/tests/sbus_codegen_tests.c
+++ b/src/tests/sbus_codegen_tests.c
@@ -967,7 +967,7 @@ static void parse_get_array_reply(DBusMessage *reply, const int type,
ck_assert_int_eq(dbus_message_iter_get_element_type(&variter), type);
dbus_message_iter_recurse(&variter, &arriter);
if (type == DBUS_TYPE_STRING || type == DBUS_TYPE_OBJECT_PATH) {
- int n = 0, i = 0;;
+ int n = 0, i = 0;
const char **strings;
const char *s;
@@ -1326,7 +1326,7 @@ void check_arr_prop(DBusMessageIter *variter, struct prop_test *p)
dbus_message_iter_recurse(variter, &arriter);
if (type == DBUS_TYPE_STRING || type == DBUS_TYPE_OBJECT_PATH) {
- int n = 0, i = 0;;
+ int n = 0, i = 0;
const char *s;
do {
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
index 00f6f12939b6bef2dd10085f8cf99304e87f1211..258d458b0d1a4cb56c8fb61060cb43a1c88c1ed0 100644
--- a/src/tools/sss_groupshow.c
+++ b/src/tools/sss_groupshow.c
@@ -58,7 +58,7 @@ const char *rdn_as_string(TALLOC_CTX *mem_ctx,
return NULL;
}
- return ldb_dn_escape_value(mem_ctx, *val);;
+ return ldb_dn_escape_value(mem_ctx, *val);
}
static int parse_memberofs(struct ldb_context *ldb,
diff --git a/src/util/string_utils.c b/src/util/string_utils.c
index 5e43bbef34e8b514e29ffc5e576f8b57dbab4890..872b7e29e55e8628085affd07f3363019aae5ee9 100644
--- a/src/util/string_utils.c
+++ b/src/util/string_utils.c
@@ -100,7 +100,7 @@ errno_t guid_blob_to_string_buf(const uint8_t *blob, char *str_buf,
blob[5], blob[4],
blob[7], blob[6],
blob[8], blob[9],
- blob[10], blob[11],blob[12], blob[13],blob[14], blob[15]);;
+ blob[10], blob[11],blob[12], blob[13],blob[14], blob[15]);
if (ret != (GUID_STR_BUF_SIZE -1)) {
DEBUG(SSSDBG_CRIT_FAILURE, "snprintf failed.\n");
return EIO;
diff --git a/src/util/usertools.c b/src/util/usertools.c
index e0d520ad1057b4ddcfd7830674afa9dfa3b37ebd..12fc85b8f20858975b01c49468834be158b43f1c 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -210,7 +210,7 @@ int sss_names_init(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb,
{
TALLOC_CTX *tmpctx = NULL;
char *conf_path = NULL;
- char *re_pattern = NULL;;
+ char *re_pattern = NULL;
char *fq_fmt = NULL;
int ret;
--
2.9.3


@ -0,0 +1,98 @@
From 7017c022affd3ad1d0c29cb89aa825231c93fa29 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Sat, 17 Sep 2016 21:12:36 +0200
Subject: [PATCH 73/79] TESTS: Add simple test for double semicolon
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 6ad1f2da4055e2cfe9bf8c79b79e408dba171691)
---
Makefile.am | 2 ++
contrib/ci/run | 3 ++-
src/tests/double_semicolon_test | 38 ++++++++++++++++++++++++++++++++++++++
3 files changed, 42 insertions(+), 1 deletion(-)
create mode 100755 src/tests/double_semicolon_test
diff --git a/Makefile.am b/Makefile.am
index f792ed6a6b531d9e6e2c886c2fbe64e1e2345b73..17c5f26ce9db1e183b30178f1a8714deca1dab03 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -321,6 +321,7 @@ TESTS = \
$(non_interactive_cmocka_based_tests) \
$(non_interactive_check_based_tests) \
src/tests/whitespace_test \
+ src/tests/double_semicolon_test \
$(NULL)
sssdlib_LTLIBRARIES = \
@@ -410,6 +411,7 @@ dist_noinst_SCRIPTS = \
src/tests/pysss_murmur-test.py3.sh \
src/tests/python-test.py \
src/tests/whitespace_test \
+ src/tests/double_semicolon_test \
src/tests/krb5_proxy_check_test_data.conf \
$(NULL)
diff --git a/contrib/ci/run b/contrib/ci/run
index 1b230f584b7c42d66bfc8c99c118420478d4128b..f96476ff8d4e118375777abf7f1e3475c1ed07bb 100755
--- a/contrib/ci/run
+++ b/contrib/ci/run
@@ -187,7 +187,8 @@ function build_debug()
{
# Extended glob pattern matching tests to run under Valgrind.
# NOTE: The particular pattern below is inverted
- declare -r valgrind_test_pattern="!(*.py|*/dlopen-tests|*/whitespace_test)"
+ declare -r valgrind_test_pattern="\
+ !(*.py|*/dlopen-tests|*/whitespace_test|*/double_semicolon_test)"
export CFLAGS="$DEBUG_CFLAGS"
declare test_dir
declare test_dir_distcheck
diff --git a/src/tests/double_semicolon_test b/src/tests/double_semicolon_test
new file mode 100755
index 0000000000000000000000000000000000000000..bbc05fa22ab557919daacbf5a222bb6f1d9678b4
--- /dev/null
+++ b/src/tests/double_semicolon_test
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e -u -o pipefail
+
+# An AWK regex matching tracked file paths to be included for the search.
+# Example: '.*\.po|README'
+PATH_INCLUDE_REGEX='.*\.c|.*\.h'
+
+export GIT_DIR="$ABS_TOP_SRCDIR/.git"
+export GIT_WORK_TREE="$ABS_TOP_SRCDIR"
+
+if [ ! -d "$GIT_DIR" ]; then
+ echo "Git repository is required for this test!" 1>&2
+ exit 77
+fi
+
+{
+ # Look for lines with double semicolon at the end of line
+ # in all files tracked by Git
+ git grep -n -I ';\s*;$' -- "$(git rev-parse --show-toplevel)" ||
+ # Don't fail if no such lines were found anywhere
+ [[ $? == 1 ]]
+} |
+ awk -- "
+ BEGIN {
+ found = 0
+ }
+ /^($PATH_INCLUDE_REGEX):/ {
+ if (!found) {
+ print \"Double semicolon found:\"
+ found = 1
+ }
+ print
+ }
+ END {
+ exit found
+ }
+ "
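Review bot: with `set -e -u -o pipefail`, an unset `ABS_TOP_SRCDIR` aborts the script with a bash error at the `export GIT_DIR=...` line before the `exit 77` skip path is reached, so running the test outside the automake harness fails instead of skipping; `${ABS_TOP_SRCDIR:?}` or an explicit check before the exports would give a clearer message. Two smaller points: `$PATH_INCLUDE_REGEX` is spliced into the awk program through the shell's double quotes, so any future pattern containing `"` or a backslash would need escaping (passing it with `awk -v re="$PATH_INCLUDE_REGEX"` and matching `$0 ~ "^(" re "):"` avoids that), and `\s` in the `git grep` pattern is a GNU regex extension, fine on Linux but not portable.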
--
2.9.3


@ -0,0 +1,81 @@
From 3b5dc99956715bb0251c48f18c05b3e0317b661f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 24 Aug 2016 14:21:12 +0200
Subject: [PATCH 74/79] failover: proceed normally when no new server is found
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Multiple failover requests come in at the same time; the first one will
result in collapsing the meta server, but multiple resolutions of
SRV records are triggered. The first one finishes normally, but the
others won't find any new server and thus end with an error.
This patch makes failover proceed normally even in such a case.
Resolves:
https://fedorahosted.org/sssd/ticket/3131
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 03cb5ac6aa4c60d2c64c6fdc2daae656bf5493f4)
---
src/providers/fail_over.c | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
index 8ab39f27f77e19e601855632196006a8dbbdf136..77084098831a312bc8629513ccfc2a91165241ba 100644
--- a/src/providers/fail_over.c
+++ b/src/providers/fail_over.c
@@ -1112,7 +1112,9 @@ fo_resolve_service_cont(struct tevent_req *subreq)
ret = resolve_srv_recv(subreq, &state->server);
talloc_zfree(subreq);
- if (ret) {
+ /* We will proceed normally on ERR_SRV_DUPLICATES and if the server
+ * is already being resolved, we hook to that request. */
+ if (ret != EOK && ret != ERR_SRV_DUPLICATES) {
tevent_req_error(req, ret);
return;
}
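Review bot: the new comment says "we hook to that request", but nothing in this hunk attaches to the ongoing resolution; the code simply treats ERR_SRV_DUPLICATES as success and continues with whatever `resolve_srv_recv` stored in `state->server`. Either reword the comment to say that resolve_srv_recv hands back a usable server together with ERR_SRV_DUPLICATES, or state that contract at resolve_srv_recv, since a later change that leaves `state->server` NULL on that error would silently break this path.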
@@ -1398,11 +1400,23 @@ resolve_srv_done(struct tevent_req *subreq)
}
if (last_server == state->meta) {
- /* SRV lookup returned only those servers
- * that are already present. */
+ /* SRV lookup returned only those servers that are already present.
+ * This may happen only when an ongoing SRV resolution already
+ * exist. We will return server, but won't set any state. */
DEBUG(SSSDBG_TRACE_FUNC, "SRV lookup did not return "
"any new server.\n");
ret = ERR_SRV_DUPLICATES;
+
+ /* Since no new server is returned, state->meta->next is NULL.
+ * We return last tried server if possible which is server
+ * from previous resolution of SRV record, and first server
+ * otherwise. */
+ if (state->service->last_tried_server != NULL) {
+ state->out = state->service->last_tried_server;
+ goto done;
+ }
+
+ state->out = state->service->server_list;
goto done;
}
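Review bot: returning `state->service->last_tried_server` when the SRV lookup yields no new server can hand back exactly the server whose failure triggered this failover attempt, so the caller may retry the same unreachable host once before moving on; a comment saying this is intended (or a check of that server's status before using it) would help. Grammar in the new comment: "an ongoing SRV resolution already exist" should be "exists", and "We will return server" should be "We will return a server".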
@@ -1438,7 +1452,10 @@ resolve_srv_done(struct tevent_req *subreq)
}
done:
- if (ret != EOK) {
+ if (ret == ERR_SRV_DUPLICATES) {
+ tevent_req_error(req, ret);
+ return;
+ } else if (ret != EOK) {
state->out = state->meta;
set_srv_data_status(state->meta->srv_data, SRV_RESOLVE_ERROR);
tevent_req_error(req, ret);
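Review bot: completing the request with `tevent_req_error(req, ret)` for ERR_SRV_DUPLICATES while `state->out` holds a valid server turns that code into a success value that every caller of the recv function must special-case (as fo_resolve_service_cont now does); a caller that only checks `ret != EOK` still treats it as a failure. Document this at the recv function, or complete with tevent_req_done and record the duplicate resolution in the state instead.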
--
2.9.3


@ -0,0 +1,111 @@
From 0db69ed514decc0ccdc0084c44b31102b1314bef Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 21 Sep 2016 10:44:36 +0200
Subject: [PATCH 75/79] tests: Add a regression test for upstream ticket #3131
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Tests that running two duplicate SRV resolution queries succeeds
and returns a valid host name.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit a299f900981343904d7c9c5d148e30b8e0b2c460)
---
src/tests/cmocka/test_fo_srv.c | 66 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
diff --git a/src/tests/cmocka/test_fo_srv.c b/src/tests/cmocka/test_fo_srv.c
index a84ce4348d2e59aaab4fc9ac1bd4cfd853ff491d..197f8de5c2f0b5dffa7949a874ea0ca1330554b9 100644
--- a/src/tests/cmocka/test_fo_srv.c
+++ b/src/tests/cmocka/test_fo_srv.c
@@ -203,6 +203,8 @@ struct test_fo_ctx {
int ttl;
struct fo_server *srv;
+
+ int num_done;
};
int test_fo_srv_data_cmp(void *ud1, void *ud2)
@@ -691,6 +693,67 @@ static void test_fo_hostlist(void **state)
assert_int_equal(ret, ERR_OK);
}
+static void test_fo_srv_dup_done(struct tevent_req *req);
+
+/* Test that running two parallel SRV queries doesn't return an error.
+ * This is a regression test for https://fedorahosted.org/sssd/ticket/3131
+ */
+void test_fo_srv_duplicates(void **state)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct test_fo_ctx *test_ctx =
+ talloc_get_type(*state, struct test_fo_ctx);
+
+ test_fo_srv_mock_dns(test_ctx, test_ctx->ttl);
+ test_fo_srv_mock_dns(test_ctx, test_ctx->ttl);
+
+ ret = fo_add_srv_server(test_ctx->fo_svc, "_ldap", "sssd.com",
+ "sssd.local", "tcp", test_ctx);
+ assert_int_equal(ret, ERR_OK);
+
+ ret = fo_add_server(test_ctx->fo_svc, "ldap1.sssd.com",
+ 389, (void *) discard_const("ldap://ldap1.sssd.com"),
+ true);
+ assert_int_equal(ret, ERR_OK);
+
+ req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev,
+ test_ctx->resolv, test_ctx->fo_ctx,
+ test_ctx->fo_svc);
+ assert_non_null(req);
+ tevent_req_set_callback(req, test_fo_srv_dup_done, test_ctx);
+
+ req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev,
+ test_ctx->resolv, test_ctx->fo_ctx,
+ test_ctx->fo_svc);
+ assert_non_null(req);
+ tevent_req_set_callback(req, test_fo_srv_dup_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->ctx);
+ assert_int_equal(ret, ERR_OK);
+}
+
+static void test_fo_srv_dup_done(struct tevent_req *req)
+{
+ struct test_fo_ctx *test_ctx = \
+ tevent_req_callback_data(req, struct test_fo_ctx);
+ errno_t ret;
+ const char *name;
+
+ ret = fo_resolve_service_recv(req, test_ctx, &test_ctx->srv);
+ talloc_zfree(req);
+ assert_int_equal(ret, EOK);
+
+ name = fo_get_server_name(test_ctx->srv);
+ assert_string_equal(name, "ldap1.sssd.com");
+
+ test_ctx->num_done++;
+ if (test_ctx->num_done == 2) {
+ test_ctx->ctx->error = ERR_OK;
+ test_ctx->ctx->done = true;
+ }
+}
+
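Review bot: `test_fo_srv_duplicates` is not `static`, unlike the surrounding tests such as `test_fo_hostlist`, and it relies on `test_ctx->num_done` starting at zero, which this hunk does not show the setup doing; setting it explicitly at the top of the test makes the intent clear. If one of the two callbacks never fires, `done` is never set and `test_ev_loop` hangs instead of failing; an assertion on `num_done` after the loop, combined with whatever timeout the loop supports, would turn that into a clean failure. Minor: the trailing backslash in `struct test_fo_ctx *test_ctx = \` is unnecessary outside a macro.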
int main(int argc, const char *argv[])
{
int rv;
@@ -715,6 +778,9 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_fo_srv_ttl_zero,
test_fo_srv_setup,
test_fo_srv_teardown),
+ cmocka_unit_test_setup_teardown(test_fo_srv_duplicates,
+ test_fo_srv_setup,
+ test_fo_srv_teardown),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
--
2.9.3


@ -0,0 +1,239 @@
From 407eca9a7167145158272e3d41316b6079b4eb74 Mon Sep 17 00:00:00 2001
From: Thomas Equeter <firstname@lastname.com>
Date: Fri, 26 Aug 2016 10:35:30 +0200
Subject: [PATCH 76/79] IFP: expose user and group unique IDs through DBus
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This adds a uniqueID property on User and Group InfoPipe objects. It has a
useful value on AD- and IPA-backed domains. For Active Directory, this is the
GUID.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit e9a2e7afbd09c23dd8748246e09831ed7b17d7c5)
---
src/db/sysdb.h | 2 ++
src/responder/ifp/ifp_groups.c | 19 +++++++++++++++++++
src/responder/ifp/ifp_groups.h | 4 ++++
src/responder/ifp/ifp_iface.c | 2 ++
src/responder/ifp/ifp_iface.xml | 2 ++
src/responder/ifp/ifp_iface_generated.c | 18 ++++++++++++++++++
src/responder/ifp/ifp_iface_generated.h | 4 ++++
src/responder/ifp/ifp_users.c | 7 +++++++
src/responder/ifp/ifp_users.h | 4 ++++
9 files changed, 62 insertions(+)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 8713efa6e8fcc6fb620340fe152989a5dae58434..7de3acdf343e0c013ab39a249268c93cbb2d0dbc 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -224,6 +224,7 @@
SYSDB_OVERRIDE_DN, \
SYSDB_OVERRIDE_OBJECT_DN, \
SYSDB_DEFAULT_OVERRIDE_NAME, \
+ SYSDB_UUID, \
NULL}
#define SYSDB_GRSRC_ATTRS {SYSDB_NAME, SYSDB_GIDNUM, \
@@ -235,6 +236,7 @@
SYSDB_OVERRIDE_DN, \
SYSDB_OVERRIDE_OBJECT_DN, \
SYSDB_DEFAULT_OVERRIDE_NAME, \
+ SYSDB_UUID, \
NULL}
#define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \
diff --git a/src/responder/ifp/ifp_groups.c b/src/responder/ifp/ifp_groups.c
index babd8ec3f57b0469c8ca35f9f2464a0a32076967..29aebe45e710e53538c317a688077689ece4c979 100644
--- a/src/responder/ifp/ifp_groups.c
+++ b/src/responder/ifp/ifp_groups.c
@@ -751,6 +751,25 @@ void ifp_groups_group_get_gid_number(struct sbus_request *sbus_req,
return;
}
+void ifp_groups_group_get_unique_id(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out)
+{
+ struct ldb_message *msg;
+ struct sss_domain_info *domain;
+ errno_t ret;
+
+ ret = ifp_groups_group_get(sbus_req, data, NULL, &domain, &msg);
+ if (ret != EOK) {
+ *_out = 0;
+ return;
+ }
+
+ *_out = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_UUID, 0);
+
+ return;
+}
+
static errno_t
ifp_groups_group_get_members(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
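Review bot: `*_out = 0;` in the error path of `ifp_groups_group_get_unique_id` assigns an integer literal to a `const char *`; use NULL. More importantly, on backends other than AD and IPA the SYSDB_UUID attribute will usually be absent, so `sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_UUID, 0)` also yields NULL, and the D-Bus `s` type cannot carry a NULL string; check how `sbus_invoke_get_s` treats a NULL result, or return "" here. The user counterpart in ifp_users.c delegates to `ifp_users_get_as_string`; a matching helper for groups would avoid this hand-written error handling.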
diff --git a/src/responder/ifp/ifp_groups.h b/src/responder/ifp/ifp_groups.h
index 4cfabb9d70df92cda02de02cd1dcf7cc5b071ba8..1e0377fae6101473f5fcc6f9f69f12c3adf33f79 100644
--- a/src/responder/ifp/ifp_groups.h
+++ b/src/responder/ifp/ifp_groups.h
@@ -64,6 +64,10 @@ void ifp_groups_group_get_gid_number(struct sbus_request *sbus_req,
void *data,
uint32_t *_out);
+void ifp_groups_group_get_unique_id(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out);
+
void ifp_groups_group_get_users(struct sbus_request *sbus_req,
void *data,
const char ***_out,
diff --git a/src/responder/ifp/ifp_iface.c b/src/responder/ifp/ifp_iface.c
index e6ddc687ba9db878ee39fee5868d1f924d58482d..ff306adf3243994ee7f71850226dc1c5e0831f16 100644
--- a/src/responder/ifp/ifp_iface.c
+++ b/src/responder/ifp/ifp_iface.c
@@ -104,6 +104,7 @@ struct iface_ifp_users_user iface_ifp_users_user = {
.get_gecos = ifp_users_user_get_gecos,
.get_homeDirectory = ifp_users_user_get_home_directory,
.get_loginShell = ifp_users_user_get_login_shell,
+ .get_uniqueID = ifp_users_user_get_unique_id,
.get_groups = ifp_users_user_get_groups,
.get_extraAttributes = ifp_users_user_get_extra_attributes
};
@@ -121,6 +122,7 @@ struct iface_ifp_groups_group iface_ifp_groups_group = {
.UpdateMemberList = ifp_groups_group_update_member_list,
.get_name = ifp_groups_group_get_name,
.get_gidNumber = ifp_groups_group_get_gid_number,
+ .get_uniqueID = ifp_groups_group_get_unique_id,
.get_users = ifp_groups_group_get_users,
.get_groups = ifp_groups_group_get_groups
};
diff --git a/src/responder/ifp/ifp_iface.xml b/src/responder/ifp/ifp_iface.xml
index 25b104ad70c0fd84b6c0fe9dbb0dc6e6439c1376..41e9f1d026fa434705ea50999ab3d9ad116f7f29 100644
--- a/src/responder/ifp/ifp_iface.xml
+++ b/src/responder/ifp/ifp_iface.xml
@@ -186,6 +186,7 @@
<property name="gecos" type="s" access="read" />
<property name="homeDirectory" type="s" access="read" />
<property name="loginShell" type="s" access="read" />
+ <property name="uniqueID" type="s" access="read" />
<property name="groups" type="ao" access="read" />
<property name="extraAttributes" type="a{sas}" access="read" />
</interface>
@@ -221,6 +222,7 @@
<property name="name" type="s" access="read" />
<property name="gidNumber" type="u" access="read" />
+ <property name="uniqueID" type="s" access="read" />
<property name="users" type="ao" access="read" />
<property name="groups" type="ao" access="read" />
</interface>
diff --git a/src/responder/ifp/ifp_iface_generated.c b/src/responder/ifp/ifp_iface_generated.c
index 6156ca2947434f301d206232f83cfc0647007707..ed018a044bd01c69554116946450aca7aacd5fd8 100644
--- a/src/responder/ifp/ifp_iface_generated.c
+++ b/src/responder/ifp/ifp_iface_generated.c
@@ -976,6 +976,15 @@ const struct sbus_property_meta iface_ifp_users_user__properties[] = {
NULL, /* no invoker */
},
{
+ "uniqueID", /* name */
+ "s", /* type */
+ SBUS_PROPERTY_READABLE,
+ offsetof(struct iface_ifp_users_user, get_uniqueID),
+ sbus_invoke_get_s,
+ 0, /* not writable */
+ NULL, /* no invoker */
+ },
+ {
"groups", /* name */
"ao", /* type */
SBUS_PROPERTY_READABLE,
@@ -1165,6 +1174,15 @@ const struct sbus_property_meta iface_ifp_groups_group__properties[] = {
NULL, /* no invoker */
},
{
+ "uniqueID", /* name */
+ "s", /* type */
+ SBUS_PROPERTY_READABLE,
+ offsetof(struct iface_ifp_groups_group, get_uniqueID),
+ sbus_invoke_get_s,
+ 0, /* not writable */
+ NULL, /* no invoker */
+ },
+ {
"users", /* name */
"ao", /* type */
SBUS_PROPERTY_READABLE,
diff --git a/src/responder/ifp/ifp_iface_generated.h b/src/responder/ifp/ifp_iface_generated.h
index 141348249d2da5447fa04495564a8c6a55d67a1b..0c6fd151cd674cdbd4582cb95ef43c9fcc133d6f 100644
--- a/src/responder/ifp/ifp_iface_generated.h
+++ b/src/responder/ifp/ifp_iface_generated.h
@@ -88,6 +88,7 @@
#define IFACE_IFP_USERS_USER_GECOS "gecos"
#define IFACE_IFP_USERS_USER_HOMEDIRECTORY "homeDirectory"
#define IFACE_IFP_USERS_USER_LOGINSHELL "loginShell"
+#define IFACE_IFP_USERS_USER_UNIQUEID "uniqueID"
#define IFACE_IFP_USERS_USER_GROUPS "groups"
#define IFACE_IFP_USERS_USER_EXTRAATTRIBUTES "extraAttributes"
@@ -103,6 +104,7 @@
#define IFACE_IFP_GROUPS_GROUP_UPDATEMEMBERLIST "UpdateMemberList"
#define IFACE_IFP_GROUPS_GROUP_NAME "name"
#define IFACE_IFP_GROUPS_GROUP_GIDNUMBER "gidNumber"
+#define IFACE_IFP_GROUPS_GROUP_UNIQUEID "uniqueID"
#define IFACE_IFP_GROUPS_GROUP_USERS "users"
#define IFACE_IFP_GROUPS_GROUP_GROUPS "groups"
@@ -294,6 +296,7 @@ struct iface_ifp_users_user {
void (*get_gecos)(struct sbus_request *, void *data, const char **);
void (*get_homeDirectory)(struct sbus_request *, void *data, const char **);
void (*get_loginShell)(struct sbus_request *, void *data, const char **);
+ void (*get_uniqueID)(struct sbus_request *, void *data, const char **);
void (*get_groups)(struct sbus_request *, void *data, const char ***, int *);
void (*get_extraAttributes)(struct sbus_request *, void *data, hash_table_t **);
};
@@ -328,6 +331,7 @@ struct iface_ifp_groups_group {
int (*UpdateMemberList)(struct sbus_request *req, void *data);
void (*get_name)(struct sbus_request *, void *data, const char **);
void (*get_gidNumber)(struct sbus_request *, void *data, uint32_t*);
+ void (*get_uniqueID)(struct sbus_request *, void *data, const char **);
void (*get_users)(struct sbus_request *, void *data, const char ***, int *);
void (*get_groups)(struct sbus_request *, void *data, const char ***, int *);
};
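Review bot: same remark as for `struct iface_ifp_users_user` above: the new `get_uniqueID` member sits between `get_gidNumber` and `get_users`, so the group vtable initializer must use designated initializers for the shift to be harmless.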
diff --git a/src/responder/ifp/ifp_users.c b/src/responder/ifp/ifp_users.c
index 5481413ef908785ecf276aad7154e4a7b511fd45..a2bafff5853683443f25f857124214a048132c4a 100644
--- a/src/responder/ifp/ifp_users.c
+++ b/src/responder/ifp/ifp_users.c
@@ -774,6 +774,13 @@ void ifp_users_user_get_login_shell(struct sbus_request *sbus_req,
ifp_users_get_as_string(sbus_req, data, SYSDB_SHELL, _out);
}
+void ifp_users_user_get_unique_id(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out)
+{
+ ifp_users_get_as_string(sbus_req, data, SYSDB_UUID, _out);
+}
+
void ifp_users_user_get_groups(struct sbus_request *sbus_req,
void *data,
const char ***_out,
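Review bot: `ifp_users_user_get_unique_id` reads `SYSDB_UUID` through the same `ifp_users_get_as_string` path as gecos, homeDirectory and loginShell, so an entry whose cache record has no UUID (providers that do not map a unique-ID attribute) gets whatever that helper returns for a missing attribute. Please confirm that is an empty string rather than a failure of the whole property fetch, and document the property in the D-Bus interface description as possibly empty, since clients that key on it (for example to correlate renamed users) need to know it is not guaranteed.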
diff --git a/src/responder/ifp/ifp_users.h b/src/responder/ifp/ifp_users.h
index 99114fe9562f237204b3121ae3fe1f29dbc256a8..6a3a66951ff2c68cdc220364d28651d53b9d6a68 100644
--- a/src/responder/ifp/ifp_users.h
+++ b/src/responder/ifp/ifp_users.h
@@ -84,6 +84,10 @@ void ifp_users_user_get_login_shell(struct sbus_request *sbus_req,
void *data,
const char **_out);
+void ifp_users_user_get_unique_id(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out);
+
void ifp_users_user_get_groups(struct sbus_request *sbus_req,
void *data,
const char ***_out,
--
2.9.3


@ -0,0 +1,125 @@
From 3e8165ff6c5251809beb8f8e11ffd45f8bfd69ca Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 21 Sep 2016 13:56:43 +0200
Subject: [PATCH 77/79] SSSDConfig: Do not fail with nonexisting
domains/services
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
dict.keys() returns an iterator in python3 and not a list
Changing data in a dictionary while using the iterator
fails with "RuntimeError: dictionary changed size during iteration"
https://fedorahosted.org/sssd/ticket/3107
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 1773fdad2730f3f910782781fa286f402ce36cca)
---
Makefile.am | 1 +
src/config/SSSDConfig/__init__.py.in | 4 +--
src/config/SSSDConfigTest.py | 33 ++++++++++++++++++++++
.../sssd-nonexisting-services-domains.conf | 13 +++++++++
4 files changed, 49 insertions(+), 2 deletions(-)
create mode 100644 src/config/testconfigs/sssd-nonexisting-services-domains.conf
diff --git a/Makefile.am b/Makefile.am
index 17c5f26ce9db1e183b30178f1a8714deca1dab03..4385268b21b2de2054d3958f98f28f5ea7cfa191 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -422,6 +422,7 @@ dist_noinst_DATA = \
src/config/testconfigs/sssd-badversion.conf \
src/config/testconfigs/sssd-invalid.conf \
src/config/testconfigs/sssd-invalid-badbool.conf \
+ src/config/testconfigs/sssd-nonexisting-services-domains.conf \
src/config/etc/sssd.api.d/crash_test_dummy \
contrib/ci/README.md \
contrib/ci/configure.sh \
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 0acb751e234ee0c3e6fee332a2ba22f9ac353221..e616ce3dcc7357280418e9abd0bcdeb370b861e6 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -1511,7 +1511,7 @@ class SSSDConfig(SSSDChangeConf):
# Remove any entries in this list that don't
# correspond to an active service, for integrity
configured_services = self.list_services()
- for srv in service_dict.keys():
+ for srv in list(service_dict):
if srv not in configured_services:
del service_dict[srv]
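Review bot: `list(service_dict)` snapshots the keys before the `del`, which is the right fix for the py3 `RuntimeError`. One behavioural point worth raising while here: a name in `services =` that has no section is dropped without any diagnostic, so a typo in the service list quietly disables that service instead of surfacing an error; consider emitting a warning for the entries removed "for integrity" so the misconfiguration is visible, even though raising is no longer desired (that is the `authconfig` failure this patch addresses).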
@@ -1794,7 +1794,7 @@ class SSSDConfig(SSSDChangeConf):
# Remove any entries in this list that don't
# correspond to an active domain, for integrity
configured_domains = self.list_domains()
- for dom in domain_dict.keys():
+ for dom in list(domain_dict):
if dom not in configured_domains:
del domain_dict[dom]
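Review bot: this loop is a near duplicate of the services one above, including the same silent trimming of unknown names from `domains =`; a small shared helper that filters the dict against the configured list and reports what it removed would keep the two paths consistent and give the admin one place to look when a mistyped domain disappears.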
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 8a64a257ab978b81ae4b26918c683b25a30fe7c1..006a034477dd64e3c5a0b2dbd1554bdc1b2635b4 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -1683,6 +1683,39 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
"Domain [%s] unexpectedly found" %
domain)
+ def testListWithInvalidDomain(self):
+ sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
+ srcdir + "/etc/sssd.api.d")
+
+ # Negative Test - Not Initialized
+ self.assertRaises(SSSDConfig.NotInitializedError,
+ sssdconfig.list_domains)
+
+ # Positive Test
+ sssdconfig.import_config(
+ srcdir + '/testconfigs/sssd-nonexisting-services-domains.conf'
+ )
+
+ domains = sssdconfig.list_active_domains()
+ self.assertTrue("active" in domains and len(domains) == 1,
+ "domain 'active' not found among active domains")
+
+ domains = sssdconfig.list_inactive_domains()
+ self.assertTrue("inactive" in domains and len(domains) == 1,
+ "domain 'inactive' not found among inactive domains")
+
+ services = sssdconfig.list_active_services()
+ self.assertTrue("nss" in services and len(services) == 1,
+ "service 'nss' not found among active services")
+
+ services = sssdconfig.list_inactive_services()
+ self.assertTrue(len(services) == 2,
+ "unexpected count of inactive services")
+ for service in ("sssd", "pam"):
+ self.assertTrue(service in services,
+ "service '%s' not found among inactive services"
+ % service)
+
def testGetDomain(self):
sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
srcdir + "/etc/sssd.api.d")
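Review bot: the assertions in `testListWithInvalidDomain` fold membership and length into one `assertTrue`, so a failure only prints the custom message; `self.assertEqual(domains, ["active"])` and `self.assertEqual(sorted(services), ["pam", "sssd"])` would show the actual contents when they break. Note also that the test now pins `sssd` being reported by `list_inactive_services` because the `[sssd]` section exists and is not in `services =`; if that is an artefact of how inactive services are computed rather than intended behaviour, this expectation locks it in.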
diff --git a/src/config/testconfigs/sssd-nonexisting-services-domains.conf b/src/config/testconfigs/sssd-nonexisting-services-domains.conf
new file mode 100644
index 0000000000000000000000000000000000000000..d1e248001e76c65fa667d55f469e15aa5696faed
--- /dev/null
+++ b/src/config/testconfigs/sssd-nonexisting-services-domains.conf
@@ -0,0 +1,13 @@
+[domain/active]
+
+[domain/inactive]
+
+[sssd]
+domains = nonexistent, active
+services = nonexistent, nss
+
+[nss]
+debug_level = 1
+
+[pam]
+debug_level = 2
--
2.9.3


@ -0,0 +1,268 @@
From f87452ae46dd917d47b63673da42d371912aee8d Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 14 Sep 2016 14:31:29 +0200
Subject: [PATCH 78/79] SPEC: Rename python packages using macro
%python_provide
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fedora and epel contains macro %python_provide
for simpler renaming of python packages. It will generate correct
provides and obsoletes.
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 705bc4480a68f69d287b1c89fe9463a0191987c8)
---
contrib/sssd.spec.in | 90 ++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 70 insertions(+), 20 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 1f79ca7cd0a56dc1ab9c951abe11dc216ef3ad03..a0937d54903002521f07fb012742eb11f2584c54 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -11,6 +11,46 @@
%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
%endif
+%{!?python_provide: %global need_python_provide 1}
+%if 0%{?need_python_provide}
+%define python_provide() %{lua:
+ function string.starts(String, Start)
+ return string.sub(String, 1, string.len(Start)) == Start
+ end
+ package = rpm.expand("%{?1:%{1}}");
+ vr = rpm.expand("%{?epoch:%{epoch}:}%{version}-%{release}")
+ if (string.starts(package, "python2-")) then
+ if (rpm.expand("%{?buildarch}") ~= "noarch") then
+ str = "Provides: python-" ..
+ string.sub(package, 9, string.len(package)) ..
+ "%{?_isa} = " .. vr;
+ print(rpm.expand(str));
+ end
+ print("\\nProvides: python-");
+ print(string.sub(package, 9, string.len(package)));
+ print(" = ");
+ print(vr);
+ --Obsoleting the previous default python package
+ if (rpm.expand("%{?buildarch}") ~= "noarch") then
+ str = "\\nObsoletes: python-" ..
+ string.sub(package, 9, string.len(package)) ..
+ "%{?_isa} < " .. vr;
+ print(rpm.expand(str));
+ end
+ print("\\nObsoletes: python-");
+ print(string.sub(package, 9, string.len(package)));
+ print(" < ");
+ print(vr);
+ elseif (string.starts(package, "python3-")) then
+ --No unversioned provides as python3 is not default
+ else
+ print("%python_provide: ERROR: ");
+ print(package);
+ print(" not recognized.");
+ end
+}
+%endif
+
# Fedora and RHEL 6+
# we don't want to provide private python extension libs
%define __provides_exclude_from %{python2_sitearch}/.*\.so$
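Review bot: the fallback `%python_provide` diverges from the Fedora macro it mirrors by also emitting `Obsoletes: python-<name>%{?_isa} < vr`, which is fine for the arch-specific subpackages, but the unrecognised-name branch only `print`s `%python_provide: ERROR: ...` into the preamble instead of aborting; use Lua `error(...)` there so a mistyped package name fails the build with that message rather than with an unrelated "Unknown tag" error. Also `string.starts` is installed into the global `string` table on every expansion of the macro; harmless, but a `local function starts(...)` avoids redefining it at each call site.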
@@ -95,7 +135,7 @@ Requires: sssd-proxy = %{version}-%{release}
%if (0%{?with_python3} == 1)
Requires: python3-sssdconfig = %{version}-%{release}
%else
-Requires: python-sssdconfig = %{version}-%{release}
+Requires: python2-sssdconfig = %{version}-%{release}
%endif
%global servicename sssd
@@ -253,8 +293,8 @@ Requires: sssd-common = %{version}-%{release}
Requires: python3-sss = %{version}-%{release}
Requires: python3-sssdconfig = %{version}-%{release}
%else
-Requires: python-sss = %{version}-%{release}
-Requires: python-sssdconfig = %{version}-%{release}
+Requires: python2-sss = %{version}-%{release}
+Requires: python2-sssdconfig = %{version}-%{release}
%endif
%description tools
@@ -267,13 +307,14 @@ Also provides several other administrative tools:
* sss_obfuscate for generating an obfuscated LDAP password
* sssctl -- an sssd status and control utility
-%package -n python-sssdconfig
+%package -n python2-sssdconfig
Summary: SSSD and IPA configuration file manipulation classes and functions
Group: Applications/System
License: GPLv3+
BuildArch: noarch
+%{python_provide python2-sssdconfig}
-%description -n python-sssdconfig
+%description -n python2-sssdconfig
Provides python2 files for manipulation SSSD and IPA configuration files.
%if (0%{?with_python3} == 1)
@@ -282,18 +323,20 @@ Summary: SSSD and IPA configuration file manipulation classes and functions
Group: Applications/System
License: GPLv3+
BuildArch: noarch
+%{python_provide python3-sssdconfig}
%description -n python3-sssdconfig
Provides python3 files for manipulation SSSD and IPA configuration files.
%endif
-%package -n python-sss
+%package -n python2-sss
Summary: Python2 bindings for sssd
Group: Development/Libraries
License: LGPLv3+
Requires: sssd-common = %{version}-%{release}
+%{python_provide python2-sss}
-%description -n python-sss
+%description -n python2-sss
Provides python2 module for manipulating users, groups, and nested groups in
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
@@ -307,6 +350,7 @@ Summary: Python3 bindings for sssd
Group: Development/Libraries
License: LGPLv3+
Requires: sssd-common = %{version}-%{release}
+%{python_provide python3-sss}
%description -n python3-sss
Provides python3 module for manipulating users, groups, and nested groups in
@@ -317,12 +361,13 @@ Also provides several other useful python3 bindings:
* class for obfuscation of passwords
%endif
-%package -n python-sss-murmur
+%package -n python2-sss-murmur
Summary: Python2 bindings for murmur hash function
Group: Development/Libraries
License: LGPLv3+
+%{python_provide python2-sss-murmur}
-%description -n python-sss-murmur
+%description -n python2-sss-murmur
Provides python2 module for calculating the murmur hash version 3
%if (0%{?with_python3} == 1)
@@ -330,6 +375,7 @@ Provides python2 module for calculating the murmur hash version 3
Summary: Python3 bindings for murmur hash function
Group: Development/Libraries
License: LGPLv3+
+%{python_provide python3-sss-murmur}
%description -n python3-sss-murmur
Provides python3 module for calculating the murmur hash version 3
@@ -459,16 +505,17 @@ Requires: libipa_hbac = %{version}-%{release}
%description -n libipa_hbac-devel
Utility library to validate FreeIPA HBAC rules for authorization requests
-%package -n python-libipa_hbac
+%package -n python2-libipa_hbac
Summary: Python2 bindings for the FreeIPA HBAC Evaluator library
Group: Development/Libraries
License: LGPLv3+
Requires: libipa_hbac = %{version}-%{release}
Provides: libipa_hbac-python = %{version}-%{release}
Obsoletes: libipa_hbac-python < 1.12.90
+%{python_provide python2-libipa_hbac}
-%description -n python-libipa_hbac
-The python-libipa_hbac contains the bindings so that libipa_hbac can be
+%description -n python2-libipa_hbac
+The python2-libipa_hbac contains the bindings so that libipa_hbac can be
used by Python applications.
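Review bot: keeping the explicit `Provides: libipa_hbac-python` / `Obsoletes: libipa_hbac-python < 1.12.90` next to the macro call is correct: the macro only generates the `python-libipa_hbac` names, so both generations of the old package name remain upgradeable. A one-line comment saying why the hand-written pair stays would stop a later cleanup from removing it as redundant.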
%if (0%{?with_python3} == 1)
@@ -477,6 +524,7 @@ Summary: Python3 bindings for the FreeIPA HBAC Evaluator library
Group: Development/Libraries
License: LGPLv3+
Requires: libipa_hbac = %{version}-%{release}
+%{python_provide python3-libipa_hbac}
%description -n python3-libipa_hbac
The python3-libipa_hbac contains the bindings so that libipa_hbac can be
@@ -502,16 +550,17 @@ Requires: libsss_nss_idmap = %{version}-%{release}
%description -n libsss_nss_idmap-devel
Utility library for SID and certificate based lookups
-%package -n python-libsss_nss_idmap
+%package -n python2-libsss_nss_idmap
Summary: Python2 bindings for libsss_nss_idmap
Group: Development/Libraries
License: LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}
Provides: libsss_nss_idmap-python = %{version}-%{release}
Obsoletes: libsss_nss_idmap-python < 1.12.90
+%{python_provide python2-libsss_nss_idmap}
-%description -n python-libsss_nss_idmap
-The python-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
+%description -n python2-libsss_nss_idmap
+The python2-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
be used by Python applications.
%if (0%{?with_python3} == 1)
@@ -520,6 +569,7 @@ Summary: Python3 bindings for libsss_nss_idmap
Group: Development/Libraries
License: LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}
+%{python_provide python3-libsss_nss_idmap}
%description -n python3-libsss_nss_idmap
The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
@@ -963,7 +1013,7 @@ done
%{_mandir}/man8/sss_seed.8*
%{_mandir}/man8/sssctl.8*
-%files -n python-sssdconfig -f python2_sssdconfig.lang
+%files -n python2-sssdconfig -f python2_sssdconfig.lang
%defattr(-,root,root,-)
%dir %{python2_sitelib}/SSSDConfig
%{python2_sitelib}/SSSDConfig/*.py*
@@ -977,7 +1027,7 @@ done
%{python3_sitelib}/SSSDConfig/__pycache__/*.py*
%endif
-%files -n python-sss
+%files -n python2-sss
%defattr(-,root,root,-)
%{python2_sitearch}/pysss.so
@@ -987,7 +1037,7 @@ done
%{python3_sitearch}/pysss.so
%endif
-%files -n python-sss-murmur
+%files -n python2-sss-murmur
%defattr(-,root,root,-)
%{python2_sitearch}/pysss_murmur.so
@@ -1033,7 +1083,7 @@ done
%{_libdir}/libsss_nss_idmap.so
%{_libdir}/pkgconfig/sss_nss_idmap.pc
-%files -n python-libsss_nss_idmap
+%files -n python2-libsss_nss_idmap
%defattr(-,root,root,-)
%{python2_sitearch}/pysss_nss_idmap.so
@@ -1043,7 +1093,7 @@ done
%{python3_sitearch}/pysss_nss_idmap.so
%endif
-%files -n python-libipa_hbac
+%files -n python2-libipa_hbac
%defattr(-,root,root,-)
%{python2_sitearch}/pyhbac.so
--
2.9.3


@ -0,0 +1,202 @@
From 6f97e6da7389e541f74855c702f8dafa02bbee67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
Date: Wed, 14 Sep 2016 09:00:06 -0400
Subject: [PATCH 79/79] KRB5: Fixing FQ name of user in krb5_setup()
This patch fixes creation of FQ username if krb5_map_user option
is used.
Resolves:
https://fedorahosted.org/sssd/ticket/3188
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b34ffbf33729c557c3d1aebf4707ad0ffe4f1904)
---
src/providers/krb5/krb5_auth.c | 8 +++++++-
src/providers/krb5/krb5_init_shared.c | 1 +
src/providers/krb5/krb5_utils.c | 26 +++++++++++++++++++++++++-
src/providers/krb5/krb5_utils.h | 4 +++-
src/tests/krb5_utils-tests.c | 33 ++++++++++++++++++++-------------
5 files changed, 56 insertions(+), 16 deletions(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f0f2280022a3ee951ccfa0040b616c48c3b25706..a5ecb24323d3d413bc08f100b90195d3619172d3 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -207,7 +207,13 @@ errno_t krb5_setup(TALLOC_CTX *mem_ctx,
if (ret == EOK) {
DEBUG(SSSDBG_TRACE_FUNC, "Setting mapped name to: %s\n", mapped_name);
kr->user = mapped_name;
- kr->kuserok_user = mapped_name;
+
+ kr->kuserok_user = sss_output_name(kr, kr->user,
+ dom->case_sensitive, 0);
+ if (kr->kuserok_user == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
} else if (ret == ENOENT) {
DEBUG(SSSDBG_TRACE_ALL, "No mapping for: %s\n", pd->user);
kr->user = pd->user;
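Review bot: `kuserok_user` is the name handed to the krb5_kuserok / `.k5login` check, so the conversion chosen here matters: `sss_output_name(kr, kr->user, dom->case_sensitive, 0)` strips the domain suffix of the internal fqname and applies the domain's case folding. Please confirm that the `ret == ENOENT` branch right below (`kr->user = pd->user`) derives `kuserok_user` through the same call, so mapped and unmapped users are compared against `.k5login` in the same form, and that the trailing `0` (no replacement character for spaces) matches what the rest of the provider uses when it builds the principal; otherwise a user with a space in the name could pass or fail the authorization check depending on whether a mapping exists.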
diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c
index 767291c0b953ea3f227f64a7e21f191262424cf5..c8fd8593a8b6d304fe314254c940351fa5ee12f3 100644
--- a/src/providers/krb5/krb5_init_shared.c
+++ b/src/providers/krb5/krb5_init_shared.c
@@ -94,6 +94,7 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx,
ret = parse_krb5_map_user(krb5_auth_ctx,
dp_opt_get_cstring(krb5_auth_ctx->opts,
KRB5_MAP_USER),
+ bectx->domain->name,
&krb5_auth_ctx->name_to_primary);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "parse_krb5_map_user failed: %s:[%d]\n",
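Review bot: passing `bectx->domain->name` qualifies every map entry with the back end's main domain, while the lookup in `krb5_setup` keys on the caller's `pd->user`, so an entry can only ever match users of that one domain; users from trusted subdomains (`user@sub.example.com`) will never hit the map. If that is intended, the `krb5_map_user` man page entry should say so explicitly; if not, the parser would need to keep the short name and qualify it at lookup time with the user's own domain.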
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index 0ac60daee533ea1264bc55d0d65054ed38b3a092..e968dfa5fe50c43c51e624507261ae2c8263b67d 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -521,7 +521,9 @@ done:
}
errno_t
-parse_krb5_map_user(TALLOC_CTX *mem_ctx, const char *krb5_map_user,
+parse_krb5_map_user(TALLOC_CTX *mem_ctx,
+ const char *krb5_map_user,
+ const char *dom_name,
struct map_id_name_to_krb_primary **_name_to_primary)
{
int size;
@@ -570,6 +572,28 @@ parse_krb5_map_user(TALLOC_CTX *mem_ctx, const char *krb5_map_user,
}
}
+ /* conversion names to fully-qualified names */
+ for (int i = 0; i < size; i++) {
+ name_to_primary[i].id_name = sss_create_internal_fqname(
+ name_to_primary,
+ name_to_primary[i].id_name,
+ dom_name);
+ if (name_to_primary[i].id_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ name_to_primary[i].krb_primary = sss_create_internal_fqname(
+ name_to_primary,
+ name_to_primary[i].krb_primary,
+ dom_name);
+ if (name_to_primary[i].krb_primary == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
ret = EOK;
done:
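Review bot: two points in the qualification loop. The original short strings in `name_to_primary[i].id_name` and `.krb_primary` are overwritten without being freed, so each parse keeps two copies alive under `name_to_primary`; negligible, but a `talloc_free` of the old pointer before the assignment is cheap. More importantly, `krb_primary` now becomes `juser@testdomain`, qualified with the SSSD domain name rather than a Kerberos realm, so whatever builds the principal from it must strip that suffix again or it will request `juser@testdomain@REALM`; please point at the consumer that does this. Also check the behaviour when the admin already wrote an entry in fqname form (`joe@example.com:juser`), so `sss_create_internal_fqname` does not double-qualify it, and note that `for (int i = 0; ...)` declares the loop variable inline, which the surrounding code does not do.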
diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
index 75b93c30ef5be5d16f2ce73f44abef674c6e98ff..3051a99445054638d04fbee34415e9cf3d226588 100644
--- a/src/providers/krb5/krb5_utils.h
+++ b/src/providers/krb5/krb5_utils.h
@@ -51,7 +51,9 @@ errno_t get_domain_or_subdomain(struct be_ctx *be_ctx,
struct sss_domain_info **dom);
errno_t
-parse_krb5_map_user(TALLOC_CTX *mem_ctx, const char *krb5_map_user,
+parse_krb5_map_user(TALLOC_CTX *mem_ctx,
+ const char *krb5_map_user,
+ const char *dom_name,
struct map_id_name_to_krb_primary **_name_to_primary);
#endif /* __KRB5_UTILS_H__ */
diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c
index 515a1941509c13ca4ad8d9953687f9047da29426..36bd0324475e161e627006de0ddcbc775f8a749b 100644
--- a/src/tests/krb5_utils-tests.c
+++ b/src/tests/krb5_utils-tests.c
@@ -614,25 +614,25 @@ START_TEST(test_parse_krb5_map_user)
/* empty input */
{
check_leaks_push(mem_ctx);
- ret = parse_krb5_map_user(mem_ctx, NULL, &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, NULL, DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
fail_unless(name_to_primary[0].id_name == NULL &&
name_to_primary[0].krb_primary == NULL);
talloc_free(name_to_primary);
- ret = parse_krb5_map_user(mem_ctx, "", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, "", DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
fail_unless(name_to_primary[0].id_name == NULL &&
name_to_primary[0].krb_primary == NULL);
talloc_free(name_to_primary);
- ret = parse_krb5_map_user(mem_ctx, ",", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ",", DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
fail_unless(name_to_primary[0].id_name == NULL &&
name_to_primary[0].krb_primary == NULL);
talloc_free(name_to_primary);
- ret = parse_krb5_map_user(mem_ctx, ",,", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ",,", DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
fail_unless(name_to_primary[0].id_name == NULL &&
name_to_primary[0].krb_primary == NULL);
@@ -645,14 +645,16 @@ START_TEST(test_parse_krb5_map_user)
check_leaks_push(mem_ctx);
const char *p = "pája:preichl,joe:juser,jdoe:ßlack";
const char *p2 = " pája : preichl , joe:\njuser,jdoe\t: ßlack ";
- const char *expected[] = {"pája", "preichl", "joe", "juser", "jdoe", "ßlack"};
- ret = parse_krb5_map_user(mem_ctx, p, &name_to_primary);
+ const char *expected[] = { "pája@testdomain", "preichl@" DOMAIN_NAME,
+ "joe@testdomain", "juser@testdomain",
+ "jdoe@testdomain", "ßlack@testdomain" };
+ ret = parse_krb5_map_user(mem_ctx, p, DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
compare_map_id_name_to_krb_primary(name_to_primary, expected,
sizeof(expected)/sizeof(const char*)/2);
talloc_free(name_to_primary);
- ret = parse_krb5_map_user(mem_ctx, p2, &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, p2, DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EOK);
compare_map_id_name_to_krb_primary(name_to_primary, expected,
sizeof(expected)/sizeof(const char*)/2);
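Review bot: `expected[]` mixes the literal `"pája@testdomain"` with `"preichl@" DOMAIN_NAME`; use the macro for all six entries so the test follows a change of `DOMAIN_NAME` instead of failing for five of them. While here, the ratio `sizeof(expected)/sizeof(const char*)/2` is the pair count; a named constant would make the intent clearer.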
@@ -663,22 +665,27 @@ START_TEST(test_parse_krb5_map_user)
{
check_leaks_push(mem_ctx);
- ret = parse_krb5_map_user(mem_ctx, ":", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ":", DOMAIN_NAME, &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, "joe:", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, "joe:", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, ":joe", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ":joe", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, "joe:,", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, "joe:,", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, ",joe", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, ",joe", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
- ret = parse_krb5_map_user(mem_ctx, "joe:j:user", &name_to_primary);
+ ret = parse_krb5_map_user(mem_ctx, "joe:j:user", DOMAIN_NAME,
+ &name_to_primary);
fail_unless(ret == EINVAL);
fail_unless(check_leaks_pop(mem_ctx));
--
2.9.3


@ -26,7 +26,7 @@
Name: sssd
Version: 1.14.1
Release: 2%{?dist}
Release: 3%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -74,6 +74,46 @@ Patch0036: 0036-DEBUG-Apend-line-feed-to-messages-from-libsemanage.patch
Patch0037: 0037-MAN-Document-the-ldap_user_primary_group-option.patch
Patch0038: 0038-sdap_initgr_nested_get_membership_diff-use-fully-qua.patch
Patch0039: 0039-SYSDB-Removing-of-unused-parameter.patch
Patch0040: 0040-SYSDB-Suppress-warning-from-clang-static-analyser.patch
Patch0041: 0041-TOOLS-Fix-a-typo-in-groupadd.patch
Patch0042: 0042-TOOLS-sss_groupshow-did-not-work.patch
Patch0043: 0043-TESTS-sss_groupadd-groupshow-regressions.patch
Patch0044: 0044-TOOLS-use-internal-fqdn-for-DN.patch
Patch0045: 0045-TESTS-Test-for-sss_user-groupmod-a.patch
Patch0046: 0046-TOOLS-sss_mc_refresh_nested_group-short-fqname-usage.patch
Patch0047: 0047-TESTS-Add-FQDN-variants-for-some-tests.patch
Patch0048: 0048-KRB5-Send-the-output-username-not-internal-fqname-to.patch
Patch0049: 0049-MONITOR-Remove-disable-netlink-command-line-option.patch
Patch0050: 0050-MONITOR-Add-disable_netlink-option.patch
Patch0051: 0051-TOOLS-sss_override-without-name-override.patch
Patch0052: 0052-TEST-Add-regression-test-for-ticket-3179.patch
Patch0053: 0053-TOOLS-sss_groupshow-fails-to-show-MPG.patch
Patch0054: 0054-TESTS-sss_groupshow-with-MPG.patch
Patch0055: 0055-KRB5-Return-ERR_NETWORK_IO-on-clock-skew.patch
Patch0056: 0056-SDAP-Fix-settig-paging-attribute-in-sdap_get_generic.patch
Patch0057: 0057-PROXY-Adding-proxy_max_children-option.patch
Patch0058: 0058-SECRETS-Search-by-the-right-type-when-checking-conta.patch
Patch0059: 0059-LDAP-Return-partial-results-from-adminlimit-exceeded.patch
Patch0060: 0060-MAN-sssd-sudo-manual-update-IPA-native-LDAP-tree-sup.patch
Patch0061: 0061-p11-only-set-PKCS11_LOGIN_TOKEN_NAME-if-gdm-smartcar.patch
Patch0062: 0062-p11-return-a-fully-qualified-name.patch
Patch0063: 0063-pam_sss-check-PKCS11_LOGIN_TOKEN_NAME.patch
Patch0064: 0064-SECRETS-Don-t-remove-a-container-when-it-has-childre.patch
Patch0065: 0065-PAM-call-free-only-when-memory-is-expected-to-be-all.patch
Patch0066: 0066-TESTS-Fixing-of-const-warnings-in-sbus-tests.patch
Patch0067: 0067-MAKEFILE-Fixing-CFLAGS-in-some-tests.patch
Patch0068: 0068-TESTS-Add-integration-tests-for-the-sssd-secrets.patch
Patch0069: 0069-AUTOFS-Fix-offline-resolution-of-autofs-maps.patch
Patch0070: 0070-NSS-Fix-offline-resolution-of-netgroups.patch
Patch0071: 0071-TESTS-Test-offline-netgroups-resolution.patch
Patch0072: 0072-Remove-double-semicolon-at-the-end-of-line.patch
Patch0073: 0073-TESTS-Add-simple-test-for-double-semicolon.patch
Patch0074: 0074-failover-proceed-normally-when-no-new-server-is-foun.patch
Patch0075: 0075-tests-Add-a-regression-test-for-upstream-ticket-3131.patch
Patch0076: 0076-IFP-expose-user-and-group-unique-IDs-through-DBus.patch
Patch0077: 0077-SSSDConfig-Do-not-fail-with-nonexisting-domains-serv.patch
Patch0078: 0078-SPEC-Rename-python-packages-using-macro-python_provi.patch
Patch0079: 0079-KRB5-Fixing-FQ-name-of-user-in-krb5_setup.patch
### Dependencies ###
@ -1127,13 +1167,18 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Thu Sep 22 2016 Lukas Slebodnik <lslebodn@redhat.com> - 1.14.1-3
- Fix regression with krb5_map_user
- Resolves: rhbz#1375552 - krb5_map_user doesn't seem effective anymore
- Resolves: rhbz#1349286 - authconfig fails with SSSDConfig.NoDomainError:
default if nonexistent domain is mentioned
* Thu Sep 01 2016 Lukas Slebodnik <lslebodn@redhat.com> - 1.14.1-2
- Backport important patches from upstream 1.14.2 prerelease
- Resolves: upstream #3154 - sssd exits if clock is adjusted backwards after
boot
- Resolves: upstream #3163 - resolving IPA nested user group is broken in 1.14
* Fri Aug 19 2016 Lukas Slebodnik <lslebodn@redhat.com> - 1.14.1-1
- New upstream release 1.14.0
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1