rpms/sssd
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

New upstream release 1.16.2

Browse Source 
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_2.html

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit a36f5fea4b)
This commit is contained in:
Fabiano Fidêncio 2018-06-11 12:19:53 +02:00
parent e56517d602
commit f14161ac08
66 changed files with 26 additions and 7142 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -79,3 +79,4 @@ sssd-1.2.91.tar.gz
/sssd-1.15.3.tar.gz
/sssd-1.16.0.tar.gz
/sssd-1.16.1.tar.gz
/sssd-1.16.2.tar.gz

87
0001-IPA-Handle-empty-nisDomainName.patch
View File

@ -1,87 +0,0 @@
From f9b7073e5cd057cf961b34f99ea1dff0c86b5b6a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 17 Nov 2017 20:15:34 +0100
Subject: [PATCH 01/15] IPA: Handle empty nisDomainName
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/3573
If nisdomain=, i.e. a blank NIS domain name, sssd was not processing the
netgroup at all. This is not in agreement with man innetgr which says "Any of
the elements in a triple can be empty, which means that anything matches. The
functions described here allow access to the netgroup databases".
This patch instead returns an empty domain as well, which eventually
produces the same output as if the netgroup was requested from the
compat tree.
To reproduce the bug:
$ ipa netgroup-add
Netgroup name: emptydom
-------------------------
Added netgroup "emptydom"
-------------------------
Netgroup name: emptydom
NIS domain name: ipa.test
IPA unique ID: 164bc15a-f4b3-11e7-acdb-525400ca6df3
$ ipa netgroup-add-member
Netgroup name: emptydom
[member user]: admin
[member group]:
[member host]:
[member host group]:
[member netgroup]:
Netgroup name: emptydom
NIS domain name: ipa.test
Member User: admin
-------------------------
Number of members added 1
-------------------------
$ ipa netgroup-mod --nisdomain="" emptydom
----------------------------
Modified netgroup "emptydom"
----------------------------
Netgroup name: emptydom
Member User: admin
Then run:
getent negroup emptydom
without the patch, the netgroup won't be resolvable. It will resolve to
a netgroup triple that looks like this after the patch:
emptydom (-,admin,)
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ipa/ipa_netgroups.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index 5c929a485..05ebac758 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -953,7 +953,9 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
ret = sysdb_attrs_get_string(state->netgroups[i], SYSDB_NETGROUP_DOMAIN,
&domain);
- if (ret != EOK) {
+ if (ret == ENOENT) {
+ domain = NULL;
+ } else if (ret != EOK) {
goto done;
}
@@ -974,7 +976,7 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
for (k = 0; k < hosts_count; k++) {
triple = talloc_asprintf(state, "(%s,%s,%s)",
hosts[k], uids[j],
- domain);
+ domain ? domain : "");
if (triple == NULL) {
ret = ENOMEM;
goto done;
--
2.14.3

85
0002-intg-enhance-netgroups-test.patch
View File

@ -1,85 +0,0 @@
From 3adc0a2fac5f7f1f30f6b1f75f098d4b50e7cf35 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 5 Mar 2018 12:29:58 +0100
Subject: [PATCH 02/15] intg: enhance netgroups test
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/sssd_netgroup.py | 9 ++++++---
src/tests/intg/test_netgroup.py | 26 ++++++++++++++++++++++++++
2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py
index 3668d2e29..4c34ea61f 100644
--- a/src/tests/intg/sssd_netgroup.py
+++ b/src/tests/intg/sssd_netgroup.py
@@ -209,9 +209,12 @@ class NetgroupRetriever(object):
if result_p[0].type == NetgroupType.TRIPLE_VAL:
triple = result_p[0].val.triple
- result.append((triple.host.decode('utf-8'),
- triple.user.decode('utf-8'),
- triple.domain.decode('utf-8')))
+ result.append((triple.host and triple.host.decode('utf-8')
+ or "",
+ triple.user and triple.user.decode('utf-8')
+ or "",
+ triple.domain and triple.domain.decode('utf-8')
+ or ""))
res, errno, result_p = self._getnetgrent_r(result_p, buff,
buff_len)
diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
index 3cf5dac2e..06a1cfafd 100644
--- a/src/tests/intg/test_netgroup.py
+++ b/src/tests/intg/test_netgroup.py
@@ -106,6 +106,8 @@ def format_basic_conf(ldap_conn, schema):
services = nss
disable_netlink = true
+ [nss]
+
[domain/LDAP]
{schema_conf}
id_provider = ldap
@@ -222,6 +224,14 @@ def add_tripled_netgroup(request, ldap_conn):
ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)",
"(host2,user2,domain2)"])
+ ent_list.add_netgroup("tripled_netgroup_no_domain", ["(host,user,)"])
+
+ ent_list.add_netgroup("tripled_netgroup_no_user", ["(host,,domain)"])
+
+ ent_list.add_netgroup("tripled_netgroup_no_host", ["(,user,domain)"])
+
+ ent_list.add_netgroup("tripled_netgroup_none", ["(,,)"])
+
create_ldap_fixture(request, ldap_conn, ent_list)
conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
create_conf_fixture(request, conf)
@@ -243,6 +253,22 @@ def test_add_tripled_netgroup(add_tripled_netgroup):
assert sorted(netgrps) == sorted([("host1", "user1", "domain1"),
("host2", "user2", "domain2")])
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_domain")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("host", "user", "")]
+
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_user")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("host", "", "domain")]
+
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_host")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("", "user", "domain")]
+
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_none")
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
+ assert netgrps == [("", "", "")]
+
@pytest.fixture
def add_mixed_netgroup(request, ldap_conn):
--
2.14.3

94
0003-CONFDB-Start-a-ldb-transaction-from-sss_ldb_modify_p.patch
View File

@ -1,94 +0,0 @@
From d38421b5beb91de9213203bee87a3717952f52bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 14 Mar 2018 22:55:21 +0100
Subject: [PATCH 03/15] CONFDB: Start a ldb transaction from
sss_ldb_modify_permissive()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The reason why confdb_expand_app_domains() always fails is because we
try to do a ldb_request() without starting a ldb transaction.
When we're dealing with ldb_modify(), ldb_add(), ldb_delete() kind of
messages, those call ldb_autotransaction_request() which will start a
new transaction and treat it properly when doing the ldb_request(). In
our case that we're calling ldb_request() by our own, we must ensure
that the transaction is started and properly deal with it._
It's never been noticed because in the only place the function is used
its errors are ignored.
Resolves:
https://pagure.io/SSSD/sssd/issue/3660
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/db/sysdb_ops.c | 39 ++++++++++++++++++++++++++++++++++++++-
1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 15915101e..cc86a114e 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -66,7 +66,9 @@ int sss_ldb_modify_permissive(struct ldb_context *ldb,
struct ldb_message *msg)
{
struct ldb_request *req;
- int ret = EOK;
+ int ret;
+ int cancel_ret;
+ bool in_transaction = false;
ret = ldb_build_mod_req(&req, ldb, ldb,
msg,
@@ -84,9 +86,44 @@ int sss_ldb_modify_permissive(struct ldb_context *ldb,
return ret;
}
+ ret = ldb_transaction_start(ldb);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to start ldb transaction [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ in_transaction = true;
+
ret = ldb_request(ldb, req);
if (ret == LDB_SUCCESS) {
ret = ldb_wait(req->handle, LDB_WAIT_ALL);
+ if (ret != LDB_SUCCESS) {
+ goto done;
+ }
+ }
+
+ ret = ldb_transaction_commit(ldb);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to commit ldb transaction [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ in_transaction = false;
+
+ ret = LDB_SUCCESS;
+
+done:
+ if (in_transaction) {
+ cancel_ret = ldb_transaction_cancel(ldb);
+ if (cancel_ret != LDB_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to cancel ldb transaction [%d]: %s\n",
+ cancel_ret, sss_strerror(cancel_ret));
+ }
}
talloc_free(req);
--
2.14.3

44
0004-TOOLS-Take-into-consideration-app-domains.patch
View File

@ -1,44 +0,0 @@
From 692780f793f96815aaee0007515838fce30b6097 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 14 Mar 2018 23:01:39 +0100
Subject: [PATCH 04/15] TOOLS: Take into consideration app domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In order to properly show an app domain when listing domains using
sssctl domain-list we have to expand the confdb, as already done in the
monitor code.
Resolves:
https://pagure.io/SSSD/sssd/issue/3658
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tools/common/sss_tools.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
index e491a1286..4832db5a0 100644
--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
@@ -117,6 +117,14 @@ static errno_t sss_tool_domains_init(TALLOC_CTX *mem_ctx,
struct sss_domain_info *dom;
errno_t ret;
+ ret = confdb_expand_app_domains(confdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to expand application domains [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
ret = confdb_get_domains(confdb, &domains);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup domains [%d]: %s\n",
--
2.14.3

66
0005-TESTS-Move-get_call_output-to-util.py.patch
View File

@ -1,66 +0,0 @@
From be7e7de999f93f57bfccdeeabcb8682d1e92023a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Fri, 16 Mar 2018 19:00:52 +0100
Subject: [PATCH 05/15] TESTS: Move get_call_output() to util.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This function will be reused outside of test_sssctl.py.
Related:
https://pagure.io/SSSD/sssd/issue/3658
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/test_sssctl.py | 9 +--------
src/tests/intg/util.py | 7 +++++++
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/tests/intg/test_sssctl.py b/src/tests/intg/test_sssctl.py
index 0df5d0bc1..e8861dd86 100644
--- a/src/tests/intg/test_sssctl.py
+++ b/src/tests/intg/test_sssctl.py
@@ -28,7 +28,7 @@ import signal
import ds_openldap
import ldap_ent
import config
-from util import unindent
+from util import unindent, get_call_output
import sssd_netgroup
LDAP_BASE_DN = "dc=example,dc=com"
@@ -203,13 +203,6 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn):
return None
-def get_call_output(cmd):
- process = subprocess.Popen(cmd, stdout=subprocess.PIPE,
- stderr=subprocess.PIPE)
- output, ret = process.communicate()
- return output.decode('utf-8')
-
-
def test_user_show_basic_sanity(ldap_conn, sanity_rfc2307, portable_LC_ALL):
# Fill the cache first
ent.assert_passwd_by_name(
diff --git a/src/tests/intg/util.py b/src/tests/intg/util.py
index 2b40311bd..a1c439648 100644
--- a/src/tests/intg/util.py
+++ b/src/tests/intg/util.py
@@ -78,3 +78,10 @@ def restore_envvar_file(name):
path = os.environ[name]
backup_path = path + ".bak"
os.rename(backup_path, path)
+
+
+def get_call_output(cmd):
+ process = subprocess.Popen(cmd, stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE)
+ output, ret = process.communicate()
+ return output.decode('utf-8')
--
2.14.3

40
0006-TESTS-Make-get_call_output-more-flexible-about-the-s.patch
View File

@ -1,40 +0,0 @@
From e8c0527bf782de166722706db119ccb01258e78b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Fri, 16 Mar 2018 19:23:58 +0100
Subject: [PATCH 06/15] TESTS: Make get_call_output() more flexible about the
stderr log
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Future tests that will be added will need the stderr redirected to the
STDOUT.
Related:
https://pagure.io/SSSD/sssd/issue/3658
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/util.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tests/intg/util.py b/src/tests/intg/util.py
index a1c439648..bfebbfb35 100644
--- a/src/tests/intg/util.py
+++ b/src/tests/intg/util.py
@@ -80,8 +80,8 @@ def restore_envvar_file(name):
os.rename(backup_path, path)
-def get_call_output(cmd):
+def get_call_output(cmd, stderr_output=subprocess.PIPE):
process = subprocess.Popen(cmd, stdout=subprocess.PIPE,
- stderr=subprocess.PIPE)
+ stderr=stderr_output)
output, ret = process.communicate()
return output.decode('utf-8')
--
2.14.3

73
0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch
View File

@ -1,73 +0,0 @@
From 15ab42ad5349485c9156234f5a6d1c6635c36de3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Thu, 15 Mar 2018 16:28:41 +0100
Subject: [PATCH 07/15] TESTS: Add a basic test of `sssctl domain-list`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let's just add a test for `sssctl domain-list` in order to avoid
regressing https://pagure.io/SSSD/sssd/issue/3658.
The test has been added as part of test_infopipe.py in order to take
advantage of the machinery already provided there.
Resolves:
https://pagure.io/SSSD/sssd/issue/3658
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/test_infopipe.py | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/tests/intg/test_infopipe.py b/src/tests/intg/test_infopipe.py
index 3a7961403..b851bbd91 100644
--- a/src/tests/intg/test_infopipe.py
+++ b/src/tests/intg/test_infopipe.py
@@ -34,7 +34,7 @@ import dbus
import config
import ds_openldap
import ldap_ent
-from util import unindent
+from util import unindent, get_call_output
LDAP_BASE_DN = "dc=example,dc=com"
INTERACTIVE_TIMEOUT = 4
@@ -194,7 +194,7 @@ def format_basic_conf(ldap_conn, schema):
return unindent("""\
[sssd]
debug_level = 0xffff
- domains = LDAP
+ domains = LDAP, app
services = nss, ifp
enable_files_domain = false
@@ -212,6 +212,9 @@ def format_basic_conf(ldap_conn, schema):
id_provider = ldap
ldap_uri = {ldap_conn.ds_inst.ldap_url}
ldap_search_base = {ldap_conn.ds_inst.base_dn}
+
+ [application/app]
+ inherit_from = LDAP
""").format(**locals())
@@ -532,3 +535,13 @@ def test_get_user_groups(dbus_system_bus, ldap_conn, sanity_rfc2307):
assert len(res) == 2
assert sorted(res) == ['single_user_group', 'two_user_group']
+
+
+def test_sssctl_domain_list_app_domain(dbus_system_bus,
+ ldap_conn,
+ sanity_rfc2307):
+ output = get_call_output(["sssctl", "domain-list"], subprocess.STDOUT)
+
+ assert "Error" not in output
+ assert output.find("LDAP") != -1
+ assert output.find("app") != -1
--
2.14.3

67
0008-KCM-Use-json_loadb-when-dealing-with-sss_iobuf-data.patch
View File

@ -1,67 +0,0 @@
From 8a89fce38a2ad76eb4eebd74a0821c80154ac892 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 21 Mar 2018 16:38:22 +0100
Subject: [PATCH 08/15] KCM: Use json_loadb() when dealing with sss_iobuf data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As sss_iobuf data is *non* NULL terminated, we have to use json_loadb()
passing the data's length instead of just using json_loads().
Due to this issue, when running sssd-kcm under valgrind and performing a
`kinit foo` a bunch of erros like the following one could be seen:
==2638== Conditional jump or move depends on uninitialised value(s)
==2638== at 0x57DB678: stream_get.part.3 (load.c:172)
==2638== by 0x57DB9CA: stream_get (load.c:643)
==2638== by 0x57DB9CA: lex_get (load.c:246)
==2638== by 0x57DB9CA: lex_scan (load.c:601)
==2638== by 0x57DC56A: parse_json.constprop.7 (load.c:904)
==2638== by 0x57DC6AB: json_loads (load.c:959)
==2638== by 0x11ABEA: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638== by 0x11AEF0: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638== by 0x125D4A: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638== by 0x12623B: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638== by 0x9BCD71F: epoll_event_loop (tevent_epoll.c:728)
==2638== by 0x9BCD71F: epoll_event_loop_once (tevent_epoll.c:930)
==2638== by 0x9BCBBA6: std_event_loop_once (tevent_standard.c:114)
==2638== by 0x9BC7FEC: _tevent_loop_once (tevent.c:725)
==2638== by 0x9BC820A: tevent_common_loop_wait (tevent.c:848)
Related to:
https://pagure.io/SSSD/sssd/issue/3687
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/kcm/kcmsrv_ccache_secrets.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
index 8be7daea5..04dad9596 100644
--- a/src/responder/kcm/kcmsrv_ccache_secrets.c
+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
@@ -231,6 +231,7 @@ static errno_t sec_list_parse(struct sss_iobuf *outbuf,
{
json_t *root;
uint8_t *sec_http_list;
+ size_t sec_http_list_len;
json_error_t error;
json_t *element;
errno_t ret;
@@ -244,8 +245,10 @@ static errno_t sec_list_parse(struct sss_iobuf *outbuf,
DEBUG(SSSDBG_CRIT_FAILURE, "No data in output buffer?\n");
return EINVAL;
}
+ sec_http_list_len = sss_iobuf_get_len(outbuf);
- root = json_loads((const char *) sec_http_list, 0, &error);
+ root = json_loadb((const char *) sec_http_list,
+ sec_http_list_len, 0, &error);
if (root == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to parse JSON payload on line %d: %s\n",
--
2.14.3

50
0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch
View File

@ -1,50 +0,0 @@
From 48cff40315cfbfcfae3582935efda961757ceec6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 13 Mar 2018 21:11:16 +0100
Subject: [PATCH 09/15] KCM: Remove mem_ctx from kcm_new_req()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let's remove the mem_ctx argument as we really want cctx to be the
memory context here, so that if the client disconnects the request goes
away.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/kcm/kcmsrv_cmd.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
index 0b933f0b4..d4ebb79bf 100644
--- a/src/responder/kcm/kcmsrv_cmd.c
+++ b/src/responder/kcm/kcmsrv_cmd.c
@@ -423,8 +423,10 @@ static errno_t kcm_recv_data(int fd, struct kcm_reqbuf *reqbuf)
return EOK;
}
-static struct kcm_req_ctx *kcm_new_req(TALLOC_CTX *mem_ctx,
- struct cli_ctx *cctx,
+/* Mind that kcm_new_req() does not take a mem_ctx argument on purpose as we
+ * really want the cctx to be the memory context here so that if the client
+ * disconnects, the request goes away. */
+static struct kcm_req_ctx *kcm_new_req(struct cli_ctx *cctx,
struct kcm_ctx *kctx)
{
struct kcm_req_ctx *req;
@@ -467,8 +469,8 @@ static void kcm_recv(struct cli_ctx *cctx)
kctx = talloc_get_type(cctx->rctx->pvt_ctx, struct kcm_ctx);
req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx);
if (req == NULL) {
- /* A new request comes in, setup data structures */
- req = kcm_new_req(cctx, cctx, kctx);
+ /* A new request comes in, setup data structures. */
+ req = kcm_new_req(cctx, kctx);
if (req == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot set up client connection\n");
--
2.14.3

61
0010-KCM-Introduce-kcm_input_get_payload_len.patch
View File

@ -1,61 +0,0 @@
From 7fa69ab8152392b11490950ff8aeeef7e0ad14de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 13 Mar 2018 23:13:35 +0100
Subject: [PATCH 10/15] KCM: Introduce kcm_input_get_payload_len()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As this piece of code will be useful for us in the future patches of
this series, let's move it to a new function.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/kcm/kcmsrv_cmd.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
index d4ebb79bf..3ecba9df2 100644
--- a/src/responder/kcm/kcmsrv_cmd.c
+++ b/src/responder/kcm/kcmsrv_cmd.c
@@ -129,23 +129,27 @@ struct kcm_reqbuf {
struct kcm_iovec v_msg;
};
+static uint32_t kcm_input_get_payload_len(struct kcm_iovec *v)
+{
+ size_t lc = 0;
+ uint32_t len_be = 0;
+
+ /* The first 4 bytes before the payload is message length */
+ SAFEALIGN_COPY_UINT32_CHECK(&len_be, v->kiov_base, v->kiov_len, &lc);
+
+ return be32toh(len_be);
+}
+
static errno_t kcm_input_parse(struct kcm_reqbuf *reqbuf,
struct kcm_op_io *op_io)
{
- size_t lc = 0;
size_t mc = 0;
uint16_t opcode_be = 0;
- uint32_t len_be = 0;
uint32_t msglen;
uint8_t proto_maj = 0;
uint8_t proto_min = 0;
- /* The first 4 bytes before the payload is message length */
- SAFEALIGN_COPY_UINT32_CHECK(&len_be,
- reqbuf->v_len.kiov_base,
- reqbuf->v_len.kiov_len,
- &lc);
- msglen = be32toh(len_be);
+ msglen = kcm_input_get_payload_len(&reqbuf->v_len);
DEBUG(SSSDBG_TRACE_LIBS,
"Received message with length %"PRIu32"\n", msglen);
--
2.14.3

243
0011-KCM-Do-not-use-2048-as-fixed-size-for-the-payload.patch
View File

@ -1,243 +0,0 @@
From 9f078d2e9ec7e1803b6c7e2f8a51e0e185723e76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 14 Mar 2018 00:57:39 +0100
Subject: [PATCH 11/15] KCM: Do not use 2048 as fixed size for the payload
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The KCM code has the limit set as 2048 only inside #ifdef __APPLE__,
while it should be normally set as 10 * 1024 * 1024, as seen in:
https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
Last but not least, doesn't make much sense to use a fixed value as the
first 4 bytes received are the payload size ... so let's just allocate
the needed size instead of having a fixed value.
Resolves:
https://pagure.io/SSSD/sssd/issue/3671
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/kcm/kcmsrv_cmd.c | 103 +++++++++++++++++++++++++----------------
1 file changed, 62 insertions(+), 41 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
index 3ecba9df2..728979da9 100644
--- a/src/responder/kcm/kcmsrv_cmd.c
+++ b/src/responder/kcm/kcmsrv_cmd.c
@@ -38,7 +38,7 @@
/* The maximum length of a request or reply as defined by the RPC
* protocol. This is the same constant size as MIT KRB5 uses
*/
-#define KCM_PACKET_MAX_SIZE 2048
+#define KCM_PACKET_MAX_SIZE 10*1024*1024
/* KCM operation, its raw input and raw output and result */
struct kcm_op_io {
@@ -125,7 +125,6 @@ struct kcm_reqbuf {
struct kcm_iovec v_len;
/* Includes the major, minor versions etc */
- uint8_t msgbuf[KCM_PACKET_MAX_SIZE];
struct kcm_iovec v_msg;
};
@@ -238,7 +237,6 @@ struct kcm_repbuf {
uint8_t rcbuf[KCM_RETCODE_SIZE];
struct kcm_iovec v_rc;
- uint8_t msgbuf[KCM_PACKET_MAX_SIZE];
struct kcm_iovec v_msg;
};
@@ -259,11 +257,13 @@ static errno_t kcm_failbuf_construct(errno_t ret,
/* retcode is 0 if the operation at least ran, non-zero if there
* was some kind of internal KCM error, like input couldn't be parsed
*/
-static errno_t kcm_output_construct(struct kcm_op_io *op_io,
+static errno_t kcm_output_construct(TALLOC_CTX *mem_ctx,
+ struct kcm_op_io *op_io,
struct kcm_repbuf *repbuf)
{
- size_t c;
+ uint8_t *rep;
size_t replen;
+ size_t c;
replen = sss_iobuf_get_len(op_io->reply);
if (replen > KCM_PACKET_MAX_SIZE) {
@@ -281,14 +281,22 @@ static errno_t kcm_output_construct(struct kcm_op_io *op_io,
SAFEALIGN_SETMEM_UINT32(repbuf->rcbuf, 0, &c);
if (replen > 0) {
+ rep = talloc_zero_array(mem_ctx, uint8_t, replen);
+ if (rep == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to allocate memory for the message\n");
+ return ENOMEM;
+ }
+
c = 0;
- SAFEALIGN_MEMCPY_CHECK(repbuf->msgbuf,
+ SAFEALIGN_MEMCPY_CHECK(rep,
sss_iobuf_get_data(op_io->reply),
replen,
- repbuf->v_msg.kiov_len,
+ replen,
&c);
- /* Length of the buffer to send to KCM client */
+ /* Set the buffer and its length to send to KCM client */
+ repbuf->v_msg.kiov_base = rep;
repbuf->v_msg.kiov_len = replen;
}
@@ -321,24 +329,6 @@ static void kcm_reply_error(struct cli_ctx *cctx,
TEVENT_FD_WRITEABLE(cctx->cfde);
}
-static void kcm_send_reply(struct cli_ctx *cctx,
- struct kcm_op_io *op_io,
- struct kcm_repbuf *repbuf)
-{
- errno_t ret;
-
- DEBUG(SSSDBG_TRACE_INTERNAL, "Sending a reply\n");
- ret = kcm_output_construct(op_io, repbuf);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot construct the reply buffer, terminating client\n");
- kcm_reply_error(cctx, ret, repbuf);
- return;
- }
-
- TEVENT_FD_WRITEABLE(cctx->cfde);
-}
-
/**
* Request-reply dispatcher
*/
@@ -356,6 +346,26 @@ struct kcm_req_ctx {
struct kcm_op_io op_io;
};
+static void kcm_send_reply(struct kcm_req_ctx *req_ctx)
+{
+ struct cli_ctx *cctx;
+ errno_t ret;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Sending a reply\n");
+
+ cctx = req_ctx->cctx;
+
+ ret = kcm_output_construct(cctx, &req_ctx->op_io, &req_ctx->repbuf);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot construct the reply buffer, terminating client\n");
+ kcm_reply_error(cctx, ret, &req_ctx->repbuf);
+ return;
+ }
+
+ TEVENT_FD_WRITEABLE(cctx->cfde);
+}
+
static void kcm_cmd_request_done(struct tevent_req *req);
static errno_t kcm_cmd_dispatch(struct kcm_ctx *kctx,
@@ -385,11 +395,9 @@ static errno_t kcm_cmd_dispatch(struct kcm_ctx *kctx,
static void kcm_cmd_request_done(struct tevent_req *req)
{
struct kcm_req_ctx *req_ctx;
- struct cli_ctx *cctx;
errno_t ret;
req_ctx = tevent_req_callback_data(req, struct kcm_req_ctx);
- cctx = req_ctx->cctx;
ret = kcm_cmd_recv(req_ctx, req,
&req_ctx->op_io.reply);
@@ -397,15 +405,19 @@ static void kcm_cmd_request_done(struct tevent_req *req)
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"KCM operation failed [%d]: %s\n", ret, sss_strerror(ret));
- kcm_reply_error(cctx, ret, &req_ctx->repbuf);
+ kcm_reply_error(req_ctx->cctx, ret, &req_ctx->repbuf);
return;
}
- kcm_send_reply(cctx, &req_ctx->op_io, &req_ctx->repbuf);
+ kcm_send_reply(req_ctx);
}
-static errno_t kcm_recv_data(int fd, struct kcm_reqbuf *reqbuf)
+static errno_t kcm_recv_data(TALLOC_CTX *mem_ctx,
+ int fd,
+ struct kcm_reqbuf *reqbuf)
{
+ uint8_t *msg;
+ uint32_t msglen;
errno_t ret;
ret = kcm_read_iovec(fd, &reqbuf->v_len);
@@ -416,6 +428,24 @@ static errno_t kcm_recv_data(int fd, struct kcm_reqbuf *reqbuf)
return ret;
}
+ msglen = kcm_input_get_payload_len(&reqbuf->v_len);
+ if (msglen > KCM_PACKET_MAX_SIZE) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Request exceeds the KCM protocol limit, aborting\n");
+ return E2BIG;
+ }
+
+ msg = talloc_zero_array(mem_ctx, uint8_t, msglen);
+ if (msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to allocate memory for the message\n");
+ return ENOMEM;
+ }
+
+ /* Set the buffer and its expected len to receive the data */
+ reqbuf->v_msg.kiov_base = msg;
+ reqbuf->v_msg.kiov_len = msglen;
+
ret = kcm_read_iovec(fd, &reqbuf->v_msg);
if (ret != EOK) {
/* Not all errors are fatal, hence we don't print DEBUG messages
@@ -443,21 +473,12 @@ static struct kcm_req_ctx *kcm_new_req(struct cli_ctx *cctx,
req->reqbuf.v_len.kiov_base = req->reqbuf.lenbuf;
req->reqbuf.v_len.kiov_len = KCM_MSG_LEN_SIZE;
- req->reqbuf.v_msg.kiov_base = req->reqbuf.msgbuf;
- req->reqbuf.v_msg.kiov_len = KCM_PACKET_MAX_SIZE;
-
req->repbuf.v_len.kiov_base = req->repbuf.lenbuf;
req->repbuf.v_len.kiov_len = KCM_MSG_LEN_SIZE;
req->repbuf.v_rc.kiov_base = req->repbuf.rcbuf;
req->repbuf.v_rc.kiov_len = KCM_RETCODE_SIZE;
- req->repbuf.v_msg.kiov_base = req->repbuf.msgbuf;
- /* Length of the msg iobuf will be adjusted later, so far use the full
- * length so that constructing the reply can use that capacity
- */
- req->repbuf.v_msg.kiov_len = KCM_PACKET_MAX_SIZE;
-
req->cctx = cctx;
req->kctx = kctx;
@@ -485,7 +506,7 @@ static void kcm_recv(struct cli_ctx *cctx)
cctx->state_ctx = req;
}
- ret = kcm_recv_data(cctx->cfd, &req->reqbuf);
+ ret = kcm_recv_data(req, cctx->cfd, &req->reqbuf);
switch (ret) {
case ENODATA:
DEBUG(SSSDBG_TRACE_ALL, "Client closed connection.\n");
--
2.14.3

55
0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch
View File

@ -1,55 +0,0 @@
From d910ef0667a902b4ac0551f3e8d11121bb02214c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Wed, 14 Mar 2018 09:21:45 +0100
Subject: [PATCH 12/15] KCM: Adjust REPLY_MAX to the one used in krb5
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
krb5 has its MAX_REPLY_SIZE set as 10*1024*1024, as seen in:
https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
Related:
https://pagure.io/SSSD/sssd/issue/3386
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/kcm/kcmsrv_ops.c | 5 ++++-
src/util/tev_curl.c | 3 ++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
index 7a78e9d6b..1e229adc4 100644
--- a/src/responder/kcm/kcmsrv_ops.c
+++ b/src/responder/kcm/kcmsrv_ops.c
@@ -31,7 +31,10 @@
#include "responder/kcm/kcmsrv_ops.h"
#include "responder/kcm/kcmsrv_ccache.h"
-#define KCM_REPLY_MAX 16384
+/* This limit comes from:
+ * https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
+ */
+#define KCM_REPLY_MAX 10*1024*1024
struct kcm_op_ctx {
struct kcm_resp_ctx *kcm_data;
diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
index 4c2f1ec9f..f8bede6c5 100644
--- a/src/util/tev_curl.c
+++ b/src/util/tev_curl.c
@@ -35,7 +35,8 @@
#include "util/tev_curl.h"
#define TCURL_IOBUF_CHUNK 1024
-#define TCURL_IOBUF_MAX 16384
+/* This limit in the same one as KCM_REPLY_MAX */
+#define TCURL_IOBUF_MAX 10*1024*1024
static bool global_is_curl_initialized;
--
2.14.3

48
0013-intg-convert-results-returned-as-bytes-to-strings.patch
View File

@ -1,48 +0,0 @@
From 414ce6438a5450e5f1c1b03994f59d37f0ff8a36 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 16 Mar 2018 13:43:17 +0100
Subject: [PATCH 13/15] intg: convert results returned as bytes to strings
With python3 comparisons between byte literals and strings will fail. To
make sure assertions will pass the search results must be converted to
(utf-8) strings first.
Resolves https://pagure.io/SSSD/sssd/issue/3666
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/test_ts_cache.py | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/tests/intg/test_ts_cache.py b/src/tests/intg/test_ts_cache.py
index 703e3b255..c3819e21a 100644
--- a/src/tests/intg/test_ts_cache.py
+++ b/src/tests/intg/test_ts_cache.py
@@ -212,12 +212,17 @@ def get_attrs(ldb_conn, type, name, domain, attr_list):
ts_attrs = dict()
for attr in attr_list:
- sysdb_attrs[attr] = ldb_conn.get_entry_attr(
- sssd_ldb.CacheType.sysdb,
- type, name, domain, attr)
- ts_attrs[attr] = ldb_conn.get_entry_attr(
- sssd_ldb.CacheType.timestamps,
- type, name, domain, attr)
+ val = ldb_conn.get_entry_attr(sssd_ldb.CacheType.sysdb,
+ type, name, domain, attr)
+ if val:
+ val = val.decode('utf-8')
+ sysdb_attrs[attr] = val
+
+ val = ldb_conn.get_entry_attr(sssd_ldb.CacheType.timestamps,
+ type, name, domain, attr)
+ if val:
+ val = val.decode('utf-8')
+ ts_attrs[attr] = val
return (sysdb_attrs, ts_attrs)
--
2.14.3

34
0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch
View File

@ -1,34 +0,0 @@
From 1c03afc703fb6e398915e2b2b200b7db19b4e6b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 26 Mar 2018 15:40:15 +0200
Subject: [PATCH 14/15] KCM: Fix typo in ccdb_sec_delete_list_done()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When deleting the ccache we want to check if sec_key_list_len is equal 0
and not if sec_key_list is 0.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/kcm/kcmsrv_ccache_secrets.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
index 04dad9596..8a7a577d8 100644
--- a/src/responder/kcm/kcmsrv_ccache_secrets.c
+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
@@ -2007,7 +2007,7 @@ static void ccdb_sec_delete_list_done(struct tevent_req *subreq)
return;
}
- if (sec_key_list == 0) {
+ if (state->sec_key_list_len == 0) {
DEBUG(SSSDBG_MINOR_FAILURE, "No ccaches to delete\n");
tevent_req_done(req);
return;
--
2.14.3

45
0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch
View File

@ -1,45 +0,0 @@
From 94897e5c82967528dae2a79e42cd1eb3c3be68f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 27 Mar 2018 15:02:09 +0200
Subject: [PATCH 15/15] KCM: Only print the number of found items after we have
it
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With the current code we've been always printing "Found 0 items" as
state->sec_key_list_len is only set by sec_list_parse().
In order to solve this, let's just print it *after* we have
state->sec_key_list_len set.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/kcm/kcmsrv_ccache_secrets.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
index 8a7a577d8..f2b46460e 100644
--- a/src/responder/kcm/kcmsrv_ccache_secrets.c
+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
@@ -207,7 +207,6 @@ static void sec_list_done(struct tevent_req *subreq)
return;
}
} else if (http_code == 200) {
- DEBUG(SSSDBG_TRACE_INTERNAL, "Found %zu items\n", state->sec_key_list_len);
ret = sec_list_parse(outbuf, state,
&state->sec_key_list,
&state->sec_key_list_len);
@@ -215,6 +214,7 @@ static void sec_list_done(struct tevent_req *subreq)
tevent_req_error(req, ret);
return;
}
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found %zu items\n", state->sec_key_list_len);
} else {
tevent_req_error(req, http2errno(http_code));
return;
--
2.14.3

120
0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
View File

@ -1,120 +0,0 @@
From 68b14b6f94cf23fe2f66ee592e2e1fa5abfe3b9c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 23 Mar 2018 13:40:34 +0100
Subject: [PATCH] SYSDB: When marking an entry as expired, also set the
originalModifyTimestamp to 1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/3684
If the cleanup task removes a user who was a fully resolved member (not a
ghost), but then the group the user was a member of is requested, unless
the group had changed, the user doesn't appear as a member of the group
again. This is because the modify timestamp would prevent the group from
updating and therefore the ghost attribute is not readded.
To mitigate this, let's also set the originalModifyTimestamp attribute
to 1, so that we never take the optimized path while updating the group.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 250751bf8b0532d6175e762b7f2f008cc1c39a78)
---
src/db/sysdb_ops.c | 13 +++++++++++
src/tests/intg/test_ldap.py | 54 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 67 insertions(+)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index cc86a114e..09aa04a29 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -5410,6 +5410,19 @@ errno_t sysdb_mark_entry_as_expired_ldb_dn(struct sss_domain_info *dom,
goto done;
}
+ ret = ldb_msg_add_empty(msg, SYSDB_ORIG_MODSTAMP,
+ LDB_FLAG_MOD_REPLACE, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
+ ret = ldb_msg_add_string(msg, SYSDB_ORIG_MODSTAMP, "1");
+ if (ret != LDB_SUCCESS) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
ret = ldb_modify(dom->sysdb->ldb, msg);
if (ret != LDB_SUCCESS) {
ret = sysdb_error_to_errno(ret);
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index a6659b1b7..db3253858 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -434,6 +434,60 @@ def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task):
dict(mem=ent.contains_only("user1")))
+@pytest.fixture
+def update_ts_after_cleanup_task(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+ ent_list.add_user("user2", 1002, 2001)
+
+ ent_list.add_group_bis("group1", 2001, ["user1", "user2"])
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
+ unindent("""
+ [domain/LDAP]
+ ldap_purge_cache_timeout = 3
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_update_ts_cache_after_cleanup_task(ldap_conn,
+ update_ts_after_cleanup_task):
+ """
+ Regression test for ticket:
+ https://fedorahosted.org/sssd/ticket/2676
+ """
+ ent.assert_group_by_name(
+ "group1",
+ dict(mem=ent.contains_only("user1", "user2")))
+
+ ent.assert_passwd_by_name(
+ 'user1',
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+
+ ent.assert_passwd_by_name(
+ 'user2',
+ dict(name='user2', passwd='*', uid=1002, gid=2001,
+ gecos='1002', shell='/bin/bash'))
+
+ if subprocess.call(["sss_cache", "-u", "user1"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ # The cleanup task runs every 3 seconds, so sleep for 6
+ # so that we know the cleanup task ran at least once
+ # even if we start sleeping during the first one
+ time.sleep(6)
+
+ ent.assert_group_by_name(
+ "group1",
+ dict(mem=ent.contains_only("user1", "user2")))
+
+
@pytest.fixture
def blank_rfc2307(request, ldap_conn):
"""Create blank RFC2307 directory fixture with interactive SSSD conf"""
--
2.14.3

39
0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch
View File

@ -1,39 +0,0 @@
From d7795e33668b3e2ef212c5fa0bfaf4485e87db65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 31 Oct 2017 15:14:52 +0100
Subject: [PATCH] sudo ldap: do not store rules without sudoHost attribute
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Unless it is cn=defaults.
Resolves:
https://pagure.io/SSSD/sssd/issue/3558
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 47ad0778be72994a2294b2e73cc5c670be6811a7)
---
src/providers/ldap/sdap_async_sudo.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
index 5dc580128..3da76256e 100644
--- a/src/providers/ldap/sdap_async_sudo.c
+++ b/src/providers/ldap/sdap_async_sudo.c
@@ -158,8 +158,9 @@ static char *sdap_sudo_build_host_filter(TALLOC_CTX *mem_ctx,
goto done;
}
- /* sudoHost is not specified */
- filter = talloc_asprintf_append_buffer(filter, "(!(%s=*))",
+ /* sudoHost is not specified and it is a cn=defaults rule */
+ filter = talloc_asprintf_append_buffer(filter, "(&(!(%s=*))(%s=defaults))",
+ map[SDAP_AT_SUDO_HOST].name,
map[SDAP_AT_SUDO_HOST].name);
if (filter == NULL) {
goto done;
--
2.14.3

100
0018-sysdb-custom-completely-replace-old-object-instead-o.patch
View File

@ -1,100 +0,0 @@
From 547aebfde6fda8088682c9d12a3b5bcfa87c52a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 31 Oct 2017 15:16:35 +0100
Subject: [PATCH] sysdb custom: completely replace old object instead of
merging it
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch is written primary for sudo use case, but it makes sure the we do
not merge two record in other parts of the code that uses sysdb_store_custom.
1) If there are two rules with the same cn (possible with multiple search bases
or organizational units) we would end up merging those two rules instead of
choosing one of them.
2) Also smart refresh would merge the diff insteand of removing the attributes
that are no longer present in ldap.
Since 1) is a rare use case and it is a misconfiguration we completely replace
the old rule with new one. It is simpler to implement and it solves both issues.
Resolves:
https://pagure.io/SSSD/sssd/issue/3558
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit cd4590de2a84b8143a6c75b5198f5e1b3c0a6d63)
---
src/db/sysdb_ops.c | 33 +++++----------------------------
1 file changed, 5 insertions(+), 28 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 09aa04a29..5d3cf643d 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -3399,12 +3399,7 @@ int sysdb_store_custom(struct sss_domain_info *domain,
struct sysdb_attrs *attrs)
{
TALLOC_CTX *tmp_ctx;
- const char *search_attrs[] = { "*", NULL };
- size_t resp_count = 0;
- struct ldb_message **resp;
struct ldb_message *msg;
- struct ldb_message_element *el;
- bool add_object = false;
int ret;
int i;
@@ -3423,17 +3418,12 @@ int sysdb_store_custom(struct sss_domain_info *domain,
goto done;
}
- ret = sysdb_search_custom_by_name(tmp_ctx, domain,
- object_name, subtree_name,
- search_attrs, &resp_count, &resp);
- if (ret != EOK && ret != ENOENT) {
+ /* Always add a new object. */
+ ret = sysdb_delete_custom(domain, object_name, subtree_name);
+ if (ret != EOK) {
goto done;
}
- if (ret == ENOENT) {
- add_object = true;
- }
-
msg = ldb_msg_new(tmp_ctx);
if (msg == NULL) {
ret = ENOMEM;
@@ -3455,24 +3445,11 @@ int sysdb_store_custom(struct sss_domain_info *domain,
for (i = 0; i < attrs->num; i++) {
msg->elements[i] = attrs->a[i];
- if (add_object) {
- msg->elements[i].flags = LDB_FLAG_MOD_ADD;
- } else {
- el = ldb_msg_find_element(resp[0], attrs->a[i].name);
- if (el == NULL) {
- msg->elements[i].flags = LDB_FLAG_MOD_ADD;
- } else {
- msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
- }
- }
+ msg->elements[i].flags = LDB_FLAG_MOD_ADD;
}
msg->num_elements = attrs->num;
- if (add_object) {
- ret = ldb_add(domain->sysdb->ldb, msg);
- } else {
- ret = ldb_modify(domain->sysdb->ldb, msg);
- }
+ ret = ldb_add(domain->sysdb->ldb, msg);
if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to store custom entry: %s(%d)[%s]\n",
ldb_strerror(ret), ret, ldb_errstring(domain->sysdb->ldb));
--
2.14.3

46
0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch
View File

@ -1,46 +0,0 @@
From 778f7c61b8d55e0b8d8eccd2cf8649d730e7d4a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 3 Apr 2018 21:43:28 +0200
Subject: [PATCH] SERVER: Tone down shutdown messages for socket-activated
responders
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When dealing with socket-activated responders, those may be shut
themselves down after some inactivy period. And that's completely normal
and expected, thus should not be logged as an fatal error.
For the case when the responder is started by the monitor, however, it
still makes sense to keep the code as it is as the responders won't shut
themselves down in any normal scenario.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 519354d079731e673244a8e3851e5c5522d1b45e)
---
src/util/server.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/util/server.c b/src/util/server.c
index 62e09314c..f34bf49f6 100644
--- a/src/util/server.c
+++ b/src/util/server.c
@@ -248,8 +248,12 @@ void orderly_shutdown(int status)
{
#if HAVE_GETPGRP
static int sent_sigterm;
+ int debug;
+
if (sent_sigterm == 0 && getpgrp() == getpid()) {
- DEBUG(SSSDBG_FATAL_FAILURE, "SIGTERM: killing children\n");
+ debug = is_socket_activated() ? SSSDBG_TRACE_INTERNAL
+ : SSSDBG_FATAL_FAILURE;
+ DEBUG(debug, "SIGTERM: killing children\n");
sent_sigterm = 1;
kill(-getpgrp(), SIGTERM);
}
--
2.14.3

70
0020-IPA-Qualify-the-externalUser-sudo-attribute.patch
View File

@ -1,70 +0,0 @@
From 999420ed67439bb662e92b47792a06310d173c53 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 26 Mar 2018 11:36:00 +0200
Subject: [PATCH] IPA: Qualify the externalUser sudo attribute
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We broke the externalUser support with the introduction of the fully
qualified attributes, because the provider was saving the data verbatim,
but the sudo responder expects a fully qualified name.
Reproducer:
on the server:
ipa sudocmd-add --desc='For reading log files' /usr/bin/less
ipa sudorule-add readfiles
ipa sudorule-add-user --users=lcluser
ipa sudorule-mod --hostcat=all readfiles
then on the client:
configure sssd with:
id_provider = files
sudo_provider = ipa
ipa_domain = ipa.test
run:
sudo useradd lcluser
sudo passwd lcluser
su - lcluser
sudo -l
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 0f6b5b02afb35caae774ff4d52854a844d49f52e)
---
src/providers/ipa/ipa_sudo_conversion.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
index a96ae3447..bfa66b2c6 100644
--- a/src/providers/ipa/ipa_sudo_conversion.c
+++ b/src/providers/ipa/ipa_sudo_conversion.c
@@ -873,6 +873,15 @@ convert_user_fqdn(TALLOC_CTX *mem_ctx,
return fqdn;
}
+static const char *
+convert_ext_user(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ const char *value,
+ bool *skip_entry)
+{
+ return sss_create_internal_fqname(mem_ctx, value, conv->dom->name);
+}
+
static const char *
convert_group(TALLOC_CTX *mem_ctx,
struct ipa_sudo_conv *conv,
@@ -959,7 +968,7 @@ convert_attributes(struct ipa_sudo_conv *conv,
{SYSDB_IPA_SUDORULE_RUNASEXTUSER, SYSDB_SUDO_CACHE_AT_RUNASUSER , NULL},
{SYSDB_IPA_SUDORULE_RUNASEXTGROUP, SYSDB_SUDO_CACHE_AT_RUNASGROUP , NULL},
{SYSDB_IPA_SUDORULE_RUNASEXTUSERGROUP, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_runasextusergroup},
- {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , NULL},
+ {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , convert_ext_user},
{SYSDB_IPA_SUDORULE_ALLOWCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
{SYSDB_IPA_SUDORULE_DENYCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
{NULL, NULL, NULL}};
--
2.14.3

56
0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch
View File

@ -1,56 +0,0 @@
From d0801ecbac1300978fc864ae394e6ff43dda2781 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 5 Mar 2018 21:00:30 +0100
Subject: [PATCH] NSS: Adjust netgroup setnetgrent cache lifetime if midpoint
refresh is used
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a minor regression compared to the state of the code before we
converted the responders to cache_req. The NSS responder keeps a has
table of netgroup objects in memory for either the lifetime of the
netgroup, or, in case midpoint refresh is used, up to the midpoint
refresh time. The case with the midpoint refresh was removed in the
cache_req enabled code, which means that even if the netgroup was
updated in the cache with the background refresh task, the object was
never read from cache, but always still returned from the in-memory
enumeration hash.
Resolves:
https://pagure.io/SSSD/sssd/issue/3550
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit f22528922c065f37ca928f95fd86ed2ea79e0d51)
---
src/responder/nss/nss_enum.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
index da844fbce..031db9f2e 100644
--- a/src/responder/nss/nss_enum.c
+++ b/src/responder/nss/nss_enum.c
@@ -280,7 +280,18 @@ nss_setnetgrent_set_timeout(struct tevent_context *ev,
struct timeval tv;
uint32_t timeout;
- timeout = enum_ctx->result[0]->domain->netgroup_timeout;
+ if (nss_ctx->cache_refresh_percent) {
+ timeout = enum_ctx->result[0]->domain->netgroup_timeout *
+ (nss_ctx->cache_refresh_percent / 100.0);
+ } else {
+ timeout = enum_ctx->result[0]->domain->netgroup_timeout;
+ }
+
+ /* In order to not trash the cache between setnetgrent()/getnetgrent()
+ * calls with too low timeout values, we only allow 10 seconds as
+ * the minimal timeout
+ */
+ if (timeout < 10) timeout = 10;
tv = tevent_timeval_current_ofs(timeout, 0);
te = tevent_add_timer(ev, enum_ctx, tv, nss_setnetgrent_timeout, enum_ctx);
--
2.14.3

165
0022-CONFDB-Add-passwd_files-and-group_files-options.patch
View File

@ -1,165 +0,0 @@
From a40215878688cf10e35e6ba27893201c686395b3 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Fri, 14 Jul 2017 16:08:37 -0400
Subject: [PATCH] CONFDB: Add passwd_files and group_files options
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add new options to the files provider allowing an administrator to
configure the files provider to read and monitor multiple or
non-standard passwd and group file sources. These options default to
/etc/passwd and /etc/group when unset.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit c1208b485924964a7a4fcf19562964acb47fc214)
---
Makefile.am | 3 ++-
src/confdb/confdb.h | 4 ++++
src/config/SSSDConfig/__init__.py.in | 6 +++++-
src/config/cfg_rules.ini | 4 ++++
src/config/etc/sssd.api.d/sssd-files.conf | 3 +++
src/man/sssd-files.5.xml | 36 +++++++++++++++++++++++++++++--
src/providers/files/files_init.c | 1 +
7 files changed, 53 insertions(+), 4 deletions(-)
create mode 100644 src/config/etc/sssd.api.d/sssd-files.conf
diff --git a/Makefile.am b/Makefile.am
index 25e996d2d..d52fe0670 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4577,7 +4577,8 @@ dist_sssdapiplugin_DATA = \
src/config/etc/sssd.api.d/sssd-ldap.conf \
src/config/etc/sssd.api.d/sssd-local.conf \
src/config/etc/sssd.api.d/sssd-proxy.conf \
- src/config/etc/sssd.api.d/sssd-simple.conf
+ src/config/etc/sssd.api.d/sssd-simple.conf \
+ src/config/etc/sssd.api.d/sssd-files.conf
edit_cmd = $(SED) \
-e 's|@sbindir[@]|$(sbindir)|g' \
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index c97a9b804..1d322aaac 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -242,6 +242,10 @@
#define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
+/* Files Provider */
+#define CONFDB_FILES_PASSWD "passwd_files"
+#define CONFDB_FILES_GROUP "group_files"
+
/* Secrets Service */
#define CONFDB_SEC_CONF_ENTRY "config/secrets"
#define CONFDB_SEC_CONTAINERS_NEST_LEVEL "containers_nest_level"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 857d56cb5..32b74e4c7 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -473,7 +473,11 @@ option_strings = {
'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
# [provider/proxy/auth]
- 'proxy_pam_target' : _('PAM stack to use')
+ 'proxy_pam_target' : _('PAM stack to use'),
+
+ # [provider/files]
+ 'passwd_files' : _('Path of passwd file sources.'),
+ 'group_files' : _('Path of group file sources.')
}
def striplist(l):
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 4e70bf7b6..551322780 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -404,6 +404,10 @@ option = dyndns_force_tcp
option = dyndns_auth
option = dyndns_server
+# files provider specific options
+option = passwd_files
+option = group_files
+
# local provider specific options
option = create_homedir
option = remove_homedir
diff --git a/src/config/etc/sssd.api.d/sssd-files.conf b/src/config/etc/sssd.api.d/sssd-files.conf
new file mode 100644
index 000000000..2444d4924
--- /dev/null
+++ b/src/config/etc/sssd.api.d/sssd-files.conf
@@ -0,0 +1,3 @@
+[provider/files]
+passwd_files = str, None, false
+group_files = str, None, false
diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml
index d44fffc03..59e1b6523 100644
--- a/src/man/sssd-files.5.xml
+++ b/src/man/sssd-files.5.xml
@@ -56,14 +56,46 @@
<refsect1 id='configuration-options'>
<title>CONFIGURATION OPTIONS</title>
<para>
- The files provider has no specific options of its own, however,
- generic SSSD domain options can be set where applicable.
+ In addition to the options listed below, generic SSSD domain options
+ can be set where applicable.
Refer to the section <quote>DOMAIN SECTIONS</quote> of the
<citerefentry>
<refentrytitle>sssd.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> manual page for details on the configuration
of an SSSD domain.
+ <variablelist>
+ <varlistentry>
+ <term>passwd_files (string)</term>
+ <listitem>
+ <para>
+ Comma-separated list of one or multiple password
+ filenames to be read and enumerated by the files
+ provider, inotify monitor watches will be set on
+ each file to detect changes dynamically.
+ </para>
+ <para>
+ Default: /etc/passwd
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>group_files (string)</term>
+ <listitem>
+ <para>
+ Comma-separated list of one or multiple group
+ filenames to be read and enumerated by the files
+ provider, inotify monitor watches will be set on
+ each file to detect changes dynamically.
+ </para>
+ <para>
+ Default: /etc/group
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
</para>
</refsect1>
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
index 8e5cd4cf9..b8a051c34 100644
--- a/src/providers/files/files_init.c
+++ b/src/providers/files/files_init.c
@@ -21,6 +21,7 @@
#include "providers/data_provider/dp.h"
#include "providers/files/files_private.h"
+#include "util/util.h"
int sssm_files_init(TALLOC_CTX *mem_ctx,
struct be_ctx *be_ctx,
--
2.14.3

721
0023-FILES-Handle-files-provider-sources.patch
View File

@ -1,721 +0,0 @@
From 2eb09d21d486e83a3a844fda0a504bbc479c9b3a Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 17 Jul 2017 15:01:36 -0400
Subject: [PATCH] FILES: Handle files provider sources
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Setup watches on passwd and group files provided with the files provider
options passwd_files and group_files lists
Resolves:
https://pagure.io/SSSD/sssd/issue/3402
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 0d6d493f68bb83a046d351cb3035b08ef5456b50)
---
src/providers/files/files_init.c | 161 +++++++++++++++++---
src/providers/files/files_ops.c | 285 ++++++++++++++++++++++--------------
src/providers/files/files_private.h | 8 +-
3 files changed, 327 insertions(+), 127 deletions(-)
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
index b8a051c34..746c04af1 100644
--- a/src/providers/files/files_init.c
+++ b/src/providers/files/files_init.c
@@ -23,6 +23,138 @@
#include "providers/files/files_private.h"
#include "util/util.h"
+#define DEFAULT_PASSWD_FILE "/etc/passwd"
+#define DEFAULT_GROUP_FILE "/etc/group"
+
+static errno_t files_init_file_sources(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ const char ***_passwd_files,
+ const char ***_group_files)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *conf_passwd_files;
+ char *conf_group_files;
+ char **passwd_list = NULL;
+ char **group_list = NULL;
+ int num_passwd_files = 0;
+ int num_group_files = 0;
+ const char **passwd_files = NULL;
+ const char **group_files = NULL;
+ const char *dfl_passwd_files = NULL;
+ const char *env_group_files = NULL;
+ int i;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ dfl_passwd_files = getenv("SSS_FILES_PASSWD");
+ if (dfl_passwd_files) {
+ sss_log(SSS_LOG_ALERT,
+ "Defaulting to %s for the passwd file, "
+ "this should only be used for testing!\n",
+ dfl_passwd_files);
+ } else {
+ dfl_passwd_files = DEFAULT_PASSWD_FILE;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Using default passwd file: [%s].\n", dfl_passwd_files);
+
+ env_group_files = getenv("SSS_FILES_GROUP");
+ if (env_group_files) {
+ sss_log(SSS_LOG_ALERT,
+ "Defaulting to %s for the group file, "
+ "this should only be used for testing!\n",
+ env_group_files);
+ } else {
+ env_group_files = DEFAULT_GROUP_FILE;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Using default group file: [%s].\n", DEFAULT_GROUP_FILE);
+
+ ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
+ CONFDB_FILES_PASSWD, dfl_passwd_files,
+ &conf_passwd_files);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to retrieve confdb passwd files!\n");
+ goto done;
+ }
+
+ ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
+ CONFDB_FILES_GROUP, env_group_files,
+ &conf_group_files);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to retrieve confdb group files!\n");
+ goto done;
+ }
+
+ ret = split_on_separator(tmp_ctx, conf_passwd_files, ',', true, true,
+ &passwd_list, &num_passwd_files);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to parse passwd list!\n");
+ goto done;
+ }
+
+ passwd_files = talloc_zero_array(tmp_ctx, const char *,
+ num_passwd_files + 1);
+ if (passwd_files == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < num_passwd_files; i++) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Using passwd file: [%s].\n", passwd_list[i]);
+
+ passwd_files[i] = talloc_strdup(passwd_files, passwd_list[i]);
+ if (passwd_files[i] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ /* Retrieve list of group files */
+ ret = split_on_separator(tmp_ctx, conf_group_files, ',', true, true,
+ &group_list, &num_group_files);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to parse group files!\n");
+ goto done;
+ }
+
+ group_files = talloc_zero_array(tmp_ctx, const char *,
+ num_group_files + 1);
+ if (group_files == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < num_group_files; i++) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Using group file: [%s].\n", group_list[i]);
+ group_files[i] = talloc_strdup(group_files, group_list[i]);
+ if (group_files[i] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ *_passwd_files = talloc_steal(mem_ctx, passwd_files);
+ *_group_files = talloc_steal(mem_ctx, group_files);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
int sssm_files_init(TALLOC_CTX *mem_ctx,
struct be_ctx *be_ctx,
struct data_provider *provider,
@@ -30,32 +162,27 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
void **_module_data)
{
struct files_id_ctx *ctx;
- int ret;
- const char *passwd_file = NULL;
- const char *group_file = NULL;
-
- /* So far this is mostly useful for tests */
- passwd_file = getenv("SSS_FILES_PASSWD");
- if (passwd_file == NULL) {
- passwd_file = "/etc/passwd";
- }
-
- group_file = getenv("SSS_FILES_GROUP");
- if (group_file == NULL) {
- group_file = "/etc/group";
- }
+ errno_t ret;
ctx = talloc_zero(mem_ctx, struct files_id_ctx);
if (ctx == NULL) {
return ENOMEM;
}
+
ctx->be = be_ctx;
ctx->domain = be_ctx->domain;
- ctx->passwd_file = passwd_file;
- ctx->group_file = group_file;
+
+ ret = files_init_file_sources(ctx, be_ctx,
+ &ctx->passwd_files,
+ &ctx->group_files);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize the passwd/group source files\n");
+ goto done;
+ }
ctx->fctx = sf_init(ctx, be_ctx->ev,
- ctx->passwd_file, ctx->group_file,
+ ctx->passwd_files,
+ ctx->group_files,
ctx);
if (ctx->fctx == NULL) {
ret = ENOMEM;
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
index b59a94252..a2a2798d3 100644
--- a/src/providers/files/files_ops.c
+++ b/src/providers/files/files_ops.c
@@ -44,6 +44,7 @@ struct files_ctx {
static errno_t enum_files_users(TALLOC_CTX *mem_ctx,
struct files_id_ctx *id_ctx,
+ const char *passwd_file,
struct passwd ***_users)
{
errno_t ret, close_ret;
@@ -53,12 +54,12 @@ static errno_t enum_files_users(TALLOC_CTX *mem_ctx,
FILE *pwd_handle = NULL;
size_t n_users = 0;
- pwd_handle = fopen(id_ctx->passwd_file, "r");
+ pwd_handle = fopen(passwd_file, "r");
if (pwd_handle == NULL) {
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot open passwd file %s [%d]\n",
- id_ctx->passwd_file, ret);
+ passwd_file, ret);
goto done;
}
@@ -133,7 +134,7 @@ done:
close_ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot close passwd file %s [%d]\n",
- id_ctx->passwd_file, close_ret);
+ passwd_file, close_ret);
}
}
return ret;
@@ -141,6 +142,7 @@ done:
static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
struct files_id_ctx *id_ctx,
+ const char *group_file,
struct group ***_groups)
{
errno_t ret, close_ret;
@@ -150,12 +152,12 @@ static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
size_t n_groups = 0;
FILE *grp_handle = NULL;
- grp_handle = fopen(id_ctx->group_file, "r");
+ grp_handle = fopen(group_file, "r");
if (grp_handle == NULL) {
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot open group file %s [%d]\n",
- id_ctx->group_file, ret);
+ group_file, ret);
goto done;
}
@@ -237,7 +239,7 @@ done:
close_ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot close group file %s [%d]\n",
- id_ctx->group_file, close_ret);
+ group_file, close_ret);
}
}
return ret;
@@ -446,35 +448,23 @@ done:
return ret;
}
-static errno_t sf_enum_groups(struct files_id_ctx *id_ctx);
+static errno_t sf_enum_groups(struct files_id_ctx *id_ctx,
+ const char *group_file);
-errno_t sf_enum_users(struct files_id_ctx *id_ctx)
+errno_t sf_enum_users(struct files_id_ctx *id_ctx,
+ const char *passwd_file)
{
errno_t ret;
- errno_t tret;
TALLOC_CTX *tmp_ctx = NULL;
struct passwd **users = NULL;
- bool in_transaction = false;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
return ENOMEM;
}
- ret = enum_files_users(tmp_ctx, id_ctx, &users);
- if (ret != EOK) {
- goto done;
- }
-
- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
- if (ret != EOK) {
- goto done;
- }
- in_transaction = true;
-
- /* remove previous cache contents */
- /* FIXME - this is terribly inefficient */
- ret = delete_all_users(id_ctx->domain);
+ ret = enum_files_users(tmp_ctx, id_ctx, passwd_file,
+ &users);
if (ret != EOK) {
goto done;
}
@@ -496,31 +486,8 @@ errno_t sf_enum_users(struct files_id_ctx *id_ctx)
"override values might not be available.\n");
}
- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
- if (ret != EOK) {
- goto done;
- }
- in_transaction = false;
-
- /* Covers the case when someone edits /etc/group, adds a group member and
- * only then edits passwd and adds the user. The reverse is not needed,
- * because member/memberof links are established when groups are saved.
- */
- ret = sf_enum_groups(id_ctx);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot refresh groups\n");
- goto done;
- }
-
ret = EOK;
done:
- if (in_transaction) {
- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
- if (tret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot cancel transaction: %d\n", ret);
- }
- }
talloc_free(tmp_ctx);
return ret;
}
@@ -698,13 +665,12 @@ done:
return ret;
}
-static errno_t sf_enum_groups(struct files_id_ctx *id_ctx)
+static errno_t sf_enum_groups(struct files_id_ctx *id_ctx,
+ const char *group_file)
{
errno_t ret;
- errno_t tret;
TALLOC_CTX *tmp_ctx = NULL;
struct group **groups = NULL;
- bool in_transaction = false;
const char **cached_users = NULL;
tmp_ctx = talloc_new(NULL);
@@ -712,7 +678,8 @@ static errno_t sf_enum_groups(struct files_id_ctx *id_ctx)
return ENOMEM;
}
- ret = enum_files_groups(tmp_ctx, id_ctx, &groups);
+ ret = enum_files_groups(tmp_ctx, id_ctx, group_file,
+ &groups);
if (ret != EOK) {
goto done;
}
@@ -722,18 +689,6 @@ static errno_t sf_enum_groups(struct files_id_ctx *id_ctx)
goto done;
}
- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
- if (ret != EOK) {
- goto done;
- }
- in_transaction = true;
-
- /* remove previous cache contents */
- ret = delete_all_groups(id_ctx->domain);
- if (ret != EOK) {
- goto done;
- }
-
for (size_t i = 0; groups[i]; i++) {
ret = save_file_group(id_ctx, groups[i], cached_users);
if (ret != EOK) {
@@ -750,21 +705,8 @@ static errno_t sf_enum_groups(struct files_id_ctx *id_ctx)
"override values might not be available.\n");
}
- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
- if (ret != EOK) {
- goto done;
- }
- in_transaction = false;
-
ret = EOK;
done:
- if (in_transaction) {
- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
- if (tret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot cancel transaction: %d\n", ret);
- }
- }
talloc_free(tmp_ctx);
return ret;
}
@@ -783,21 +725,17 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
{
struct files_id_ctx *id_ctx;
errno_t ret;
+ errno_t tret;
+ bool in_transaction = false;
id_ctx = talloc_get_type(pvt, struct files_id_ctx);
if (id_ctx == NULL) {
- return EINVAL;
+ ret = EINVAL;
+ goto done;
}
DEBUG(SSSDBG_TRACE_FUNC, "passwd notification\n");
- if (strcmp(filename, id_ctx->passwd_file) != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Wrong file, expected %s, got %s\n",
- id_ctx->passwd_file, filename);
- return EINVAL;
- }
-
id_ctx->updating_passwd = true;
dp_sbus_domain_inconsistent(id_ctx->be->provider, id_ctx->domain);
@@ -805,11 +743,64 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
dp_sbus_reset_users_memcache(id_ctx->be->provider);
dp_sbus_reset_initgr_memcache(id_ctx->be->provider);
- ret = sf_enum_users(id_ctx);
+ ret = sysdb_transaction_start(id_ctx->domain->sysdb);
+ if (ret != EOK) {
+ goto done;
+ }
+ in_transaction = true;
+
+ ret = delete_all_users(id_ctx->domain);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* All users were deleted, therefore we need to enumerate each file again */
+ for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
+ ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n");
+ goto done;
+ }
+ }
+
+ /* Covers the case when someone edits /etc/group, adds a group member and
+ * only then edits passwd and adds the user. The reverse is not needed,
+ * because member/memberof links are established when groups are saved.
+ */
+ ret = delete_all_groups(id_ctx->domain);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* All groups were deleted, therefore we need to enumerate each file again */
+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
+ goto done;
+ }
+ }
+
+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
+ if (ret != EOK) {
+ goto done;
+ }
+ in_transaction = false;
id_ctx->updating_passwd = false;
sf_cb_done(id_ctx);
files_account_info_finished(id_ctx, BE_REQ_USER, ret);
+
+ ret = EOK;
+done:
+ if (in_transaction) {
+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot cancel transaction: %d\n", ret);
+ }
+ }
+
return ret;
}
@@ -817,21 +808,17 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
{
struct files_id_ctx *id_ctx;
errno_t ret;
+ errno_t tret;
+ bool in_transaction = false;
id_ctx = talloc_get_type(pvt, struct files_id_ctx);
if (id_ctx == NULL) {
- return EINVAL;
+ ret = EINVAL;
+ goto done;
}
DEBUG(SSSDBG_TRACE_FUNC, "group notification\n");
- if (strcmp(filename, id_ctx->group_file) != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Wrong file, expected %s, got %s\n",
- id_ctx->group_file, filename);
- return EINVAL;
- }
-
id_ctx->updating_groups = true;
dp_sbus_domain_inconsistent(id_ctx->be->provider, id_ctx->domain);
@@ -839,11 +826,47 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
dp_sbus_reset_groups_memcache(id_ctx->be->provider);
dp_sbus_reset_initgr_memcache(id_ctx->be->provider);
- ret = sf_enum_groups(id_ctx);
+ ret = sysdb_transaction_start(id_ctx->domain->sysdb);
+ if (ret != EOK) {
+ goto done;
+ }
+ in_transaction = true;
+
+ ret = delete_all_groups(id_ctx->domain);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* All groups were deleted, therefore we need to enumerate each file again */
+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
+ goto done;
+ }
+ }
+
+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
+ if (ret != EOK) {
+ goto done;
+ }
+ in_transaction = false;
id_ctx->updating_groups = false;
sf_cb_done(id_ctx);
files_account_info_finished(id_ctx, BE_REQ_GROUP, ret);
+
+ ret = EOK;
+
+done:
+ if (in_transaction) {
+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot cancel transaction: %d\n", ret);
+ }
+ }
+
return ret;
}
@@ -853,19 +876,62 @@ static void startup_enum_files(struct tevent_context *ev,
{
struct files_id_ctx *id_ctx = talloc_get_type(pvt, struct files_id_ctx);
errno_t ret;
+ errno_t tret;
+ bool in_transaction = false;
talloc_zfree(imm);
- ret = sf_enum_users(id_ctx);
+ ret = sysdb_transaction_start(id_ctx->domain->sysdb);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Enumerating users failed, data might be inconsistent!\n");
+ goto done;
}
+ in_transaction = true;
- ret = sf_enum_groups(id_ctx);
+ ret = delete_all_users(id_ctx->domain);
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Enumerating groups failed, data might be inconsistent!\n");
+ goto done;
+ }
+
+ ret = delete_all_groups(id_ctx->domain);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Startup user enumeration of [%s]\n", id_ctx->passwd_files[i]);
+ ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Enumerating users failed, data might be inconsistent!\n");
+ goto done;
+ }
+ }
+
+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Startup group enumeration of [%s]\n", id_ctx->group_files[i]);
+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Enumerating groups failed, data might be inconsistent!\n");
+ goto done;
+ }
+ }
+
+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
+ if (ret != EOK) {
+ goto done;
+ }
+ in_transaction = false;
+
+done:
+ if (in_transaction) {
+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot cancel transaction: %d\n", ret);
+ }
}
}
@@ -884,22 +950,29 @@ static struct snotify_ctx *sf_setup_watch(TALLOC_CTX *mem_ctx,
struct files_ctx *sf_init(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
- const char *passwd_file,
- const char *group_file,
+ const char **passwd_files,
+ const char **group_files,
struct files_id_ctx *id_ctx)
{
struct files_ctx *fctx;
struct tevent_immediate *imm;
+ int i;
fctx = talloc(mem_ctx, struct files_ctx);
if (fctx == NULL) {
return NULL;
}
- fctx->pwd_watch = sf_setup_watch(fctx, ev, passwd_file,
- sf_passwd_cb, id_ctx);
- fctx->grp_watch = sf_setup_watch(fctx, ev, group_file,
- sf_group_cb, id_ctx);
+ for (i = 0; passwd_files[i]; i++) {
+ fctx->pwd_watch = sf_setup_watch(fctx, ev, passwd_files[i],
+ sf_passwd_cb, id_ctx);
+ }
+
+ for (i = 0; group_files[i]; i++) {
+ fctx->grp_watch = sf_setup_watch(fctx, ev, group_files[i],
+ sf_group_cb, id_ctx);
+ }
+
if (fctx->pwd_watch == NULL || fctx->grp_watch == NULL) {
talloc_free(fctx);
return NULL;
diff --git a/src/providers/files/files_private.h b/src/providers/files/files_private.h
index a7d195c90..f44e6d458 100644
--- a/src/providers/files/files_private.h
+++ b/src/providers/files/files_private.h
@@ -39,8 +39,8 @@ struct files_id_ctx {
struct sss_domain_info *domain;
struct files_ctx *fctx;
- const char *passwd_file;
- const char *group_file;
+ const char **passwd_files;
+ const char **group_files;
bool updating_passwd;
bool updating_groups;
@@ -53,8 +53,8 @@ struct files_id_ctx {
/* files_ops.c */
struct files_ctx *sf_init(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
- const char *passwd_file,
- const char *group_file,
+ const char **passwd_files,
+ const char **group_files,
struct files_id_ctx *id_ctx);
/* files_id.c */
--
2.14.3

123
0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch
View File

@ -1,123 +0,0 @@
From bb1455ce8d45d026f173f402bce29bf97af8c44d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 26 Mar 2018 17:30:14 +0200
Subject: [PATCH] TESTS: Add a test for the multiple files feature
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds an integration test for the new feature.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 4a9100a588ade253cecb2224b95bd8caa8136109)
---
src/tests/intg/test_files_provider.py | 61 ++++++++++++++++++++++++++++++++++-
1 file changed, 60 insertions(+), 1 deletion(-)
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index 41bfd8844..ce5c7b774 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -25,6 +25,7 @@ import subprocess
import pwd
import grp
import pytest
+import tempfile
import ent
import sssd_id
@@ -33,7 +34,7 @@ from sssd_passwd import (call_sssd_getpwnam,
call_sssd_enumeration,
call_sssd_getpwuid)
from sssd_group import call_sssd_getgrnam, call_sssd_getgrgid
-from files_ops import passwd_ops_setup, group_ops_setup
+from files_ops import passwd_ops_setup, group_ops_setup, PasswdOps, GroupOps
from util import unindent
# Sync this with files_ops.c
@@ -59,6 +60,11 @@ OV_USER1 = dict(name='ov_user1', passwd='x', uid=10010, gid=20010,
dir='/home/ov/user1',
shell='/bin/ov_user1_shell')
+ALT_USER1 = dict(name='altuser1', passwd='x', uid=60001, gid=70001,
+ gecos='User for tests from alt files',
+ dir='/home/altuser1',
+ shell='/bin/bash')
+
CANARY_GR = dict(name='canary',
gid=300001,
mem=[])
@@ -79,6 +85,10 @@ GROUP_NOMEM = dict(name='group_nomem',
gid=40000,
mem=[])
+ALT_GROUP1 = dict(name='alt_group1',
+ gid=80001,
+ mem=['alt_user1'])
+
def start_sssd():
"""Start sssd and add teardown for stopping it and removing state"""
@@ -145,6 +155,38 @@ def files_domain_only(request):
return None
+@pytest.fixture
+def files_multiple_sources(request):
+ _, alt_passwd_path = tempfile.mkstemp(prefix='altpasswd')
+ request.addfinalizer(lambda: os.unlink(alt_passwd_path))
+ alt_pwops = PasswdOps(alt_passwd_path)
+
+ _, alt_group_path = tempfile.mkstemp(prefix='altgroup')
+ request.addfinalizer(lambda: os.unlink(alt_group_path))
+ alt_grops = GroupOps(alt_group_path)
+
+ passwd_list = ",".join([os.environ["NSS_WRAPPER_PASSWD"], alt_passwd_path])
+ group_list = ",".join([os.environ["NSS_WRAPPER_GROUP"], alt_group_path])
+
+ conf = unindent("""\
+ [sssd]
+ domains = files
+ services = nss
+
+ [nss]
+ debug_level = 10
+
+ [domain/files]
+ id_provider = files
+ passwd_files = {passwd_list}
+ group_files = {group_list}
+ debug_level = 10
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return alt_pwops, alt_grops
+
+
@pytest.fixture
def proxy_to_files_domain_only(request):
conf = unindent("""\
@@ -1054,3 +1096,20 @@ def test_no_sssd_conf(add_user_with_canary, no_sssd_conf):
res, user = sssd_getpwnam_sync(USER1["name"])
assert res == NssReturnCode.SUCCESS
assert user == USER1
+
+
+def test_multiple_passwd_group_files(add_user_with_canary,
+ add_group_with_canary,
+ files_multiple_sources):
+ """
+ Test that users and groups can be mirrored from multiple files
+ """
+ alt_pwops, alt_grops = files_multiple_sources
+ alt_pwops.useradd(**ALT_USER1)
+ alt_grops.groupadd(**ALT_GROUP1)
+
+ check_user(USER1)
+ check_user(ALT_USER1)
+
+ check_group(GROUP1)
+ check_group(ALT_GROUP1)
--
2.14.3

30
0025-AD-Missing-header-in-ad_access.h.patch
View File

@ -1,30 +0,0 @@
From d81931454a0846fe503d090595fa5b0d4ffd93a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 4 Apr 2018 12:10:13 +0200
Subject: [PATCH] AD: Missing header in ad_access.h
ad_access.h depends on data_provider.h header but
does not include it.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit abf377672e0011da817b5105fe581b27f2f855b7)
---
src/providers/ad/ad_access.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
index cc565a8e6..34d5597da 100644
--- a/src/providers/ad/ad_access.h
+++ b/src/providers/ad/ad_access.h
@@ -23,6 +23,8 @@
#ifndef AD_ACCESS_H_
#define AD_ACCESS_H_
+#include "providers/data_provider.h"
+
struct ad_access_ctx {
struct dp_option *ad_options;
struct sdap_access_ctx *sdap_access_ctx;
--
2.14.3

65
0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
View File

@ -1,65 +0,0 @@
From 5e47ae51f5cf11decdfec483ab1adef07ec2b7ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 4 Apr 2018 12:17:37 +0200
Subject: [PATCH] GPO: Add ad_options to ad_gpo_process_som_state
We will need at least ad_site option from this
context available to get the AD site override
value.
Resolves:
https://pagure.io/SSSD/sssd/issue/3646
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7a42831b208ed8d2fcb9d8beaa12bd2214bb7dce)
---
src/providers/ad/ad_gpo.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index d9ea31141..028f6a2e7 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -146,6 +146,7 @@ struct tevent_req *ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb_ctx,
struct sdap_id_op *sdap_op,
struct sdap_options *opts,
+ struct dp_option *ad_options,
int timeout,
const char *target_dn,
const char *domain_name);
@@ -1975,6 +1976,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
state->ldb_ctx,
state->sdap_op,
state->opts,
+ state->access_ctx->ad_options,
state->timeout,
state->target_dn,
state->host_domain->name);
@@ -2701,6 +2703,7 @@ struct ad_gpo_process_som_state {
struct tevent_context *ev;
struct sdap_id_op *sdap_op;
struct sdap_options *opts;
+ struct dp_option *ad_options;
int timeout;
bool allow_enforced_only;
char *site_name;
@@ -2734,6 +2737,7 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb_ctx,
struct sdap_id_op *sdap_op,
struct sdap_options *opts,
+ struct dp_option *ad_options,
int timeout,
const char *target_dn,
const char *domain_name)
@@ -2752,6 +2756,7 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->sdap_op = sdap_op;
state->opts = opts;
+ state->ad_options = ad_options;
state->timeout = timeout;
state->som_index = 0;
state->allow_enforced_only = 0;
--
2.14.3

79
0027-GPO-Use-AD-site-override-if-set.patch
View File

@ -1,79 +0,0 @@
From 82096e7e4a6ccaf8a2828ddfc77a04c930a14148 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 4 Apr 2018 13:24:21 +0200
Subject: [PATCH] GPO: Use AD site override if set
Use AD site override if it was set in SSSD configuration.
Resolves:
https://pagure.io/SSSD/sssd/issue/3646
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 744e2b4d0710c1dc850bfadbd75ae1ae7faf1148)
---
src/providers/ad/ad_gpo.c | 33 ++++++++++++++++++++++++++++++---
1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 028f6a2e7..a48f264c7 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2806,7 +2806,8 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq)
struct tevent_req *req;
struct ad_gpo_process_som_state *state;
int ret;
- char *site;
+ char *site = NULL;
+ char *site_override = NULL;
const char *attrs[] = {AD_AT_CONFIG_NC, NULL};
req = tevent_req_callback_data(subreq, struct tevent_req);
@@ -2817,17 +2818,43 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq)
talloc_zfree(subreq);
if (ret != EOK || site == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve master domain info\n");
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Could not autodiscover AD site. This is not fatal if "
+ "ad_site option was set.\n");
+ }
+
+ site_override = dp_opt_get_string(state->ad_options, AD_SITE);
+ if (site_override != NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Overriding autodiscovered AD site value '%s' with '%s' from "
+ "configuration.\n", site ? site : "none", site_override);
+ }
+
+ if (site == NULL && site_override == NULL) {
+ sss_log(SSS_LOG_WARNING,
+ "Could not autodiscover AD site value using DNS and ad_site "
+ "option was not set in configuration. GPO will not work. "
+ "To work around this issue you can use ad_site option in SSSD "
+ "configuration.");
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not autodiscover AD site value using DNS and ad_site "
+ "option was not set in configuration. GPO will not work. "
+ "To work around this issue you can use ad_site option in SSSD "
+ "configuration.\n");
tevent_req_error(req, ENOENT);
return;
}
- state->site_name = talloc_asprintf(state, "cn=%s", site);
+ state->site_name = talloc_asprintf(state, "cn=%s",
+ site_override ? site_override
+ : site);
if (state->site_name == NULL) {
tevent_req_error(req, ENOMEM);
return;
}
+ DEBUG(SSSDBG_TRACE_FUNC, "Using AD site '%s'.\n", state->site_name);
+
/*
* note: the configNC attribute is being retrieved here from the rootDSE
* entry. In future, since we already make an LDAP query for the rootDSE
--
2.14.3

36
0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
View File

@ -1,36 +0,0 @@
From 29f9df0162096d0e3ec4e85c1f1b5ce87062aa64 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 15 Mar 2018 12:43:34 +0100
Subject: [PATCH] nss: initialize nss_enum_index in nss_setnetgrent()
setnetgrent() is the first call when looking up a netgroup and sets the
netgroup name for upcoming getnetgrent() and endnetgrent() calls.
Currently the state is reset by calling endnetgrent() but it would be
more robust to unconditionally reset the state in setnetgrent() as well
in case calling endnetgrent() was forgotten.
Related to https://pagure.io/SSSD/sssd/issue/3679
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 37a84285aeb497ed4909d16916bbf934af3f68b3)
---
src/responder/nss/nss_cmd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
index 956ee53cb..9f8479b7b 100644
--- a/src/responder/nss/nss_cmd.c
+++ b/src/responder/nss/nss_cmd.c
@@ -756,6 +756,9 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
goto done;
}
+ state_ctx->netgrent.domain = 0;
+ state_ctx->netgrent.result = 0;
+
talloc_zfree(state_ctx->netgroup);
state_ctx->netgroup = talloc_strdup(state_ctx, netgroup);
if (state_ctx->netgroup == NULL) {
--
2.14.3

116
0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
View File

@ -1,116 +0,0 @@
From 9f85ab4d8eba042b43a9346ed6dfbf3fc60ea488 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 15 Mar 2018 12:50:20 +0100
Subject: [PATCH] nss: add a netgroup counter to struct nss_enum_index
Netgroups are not looked up with the help of a single request but by
calling setnetgrent(), getnetgrent() and endnetgrent() where
getnetgrent() might be called multiple times depending on the number of
netgroup elements. Since the caller does not provide a state the state
has to be maintained by the SSSD nss responder. Besides the netgroup
name this is mainly the number of elements already returned.
This number is used to select the next element to return and currently
it is assumed that there are not changes to the netgroup while the
client is requesting the individual elements. But if e.g. the 3 nss
calls are not used correctly or the netgroup is modified while the
client is sending getnetgrent() calls the stored number might be out of
range. To be on the safe side the stored number should be always
compared with the current number of netgroup elements.
Related to https://pagure.io/SSSD/sssd/issue/3679
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 08db22b1b1a2e742edbca92e35087294d963adda)
---
src/db/sysdb.h | 3 ++-
src/db/sysdb_search.c | 5 ++++-
src/responder/nss/nss_enum.c | 3 ++-
src/responder/nss/nss_private.h | 1 +
src/responder/nss/nss_protocol_netgr.c | 7 +++++++
5 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index fd18ecefe..2660314a7 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -1219,7 +1219,8 @@ errno_t sysdb_attrs_to_list(TALLOC_CTX *mem_ctx,
errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
struct ldb_result *res,
- struct sysdb_netgroup_ctx ***entries);
+ struct sysdb_netgroup_ctx ***entries,
+ size_t *netgroup_count);
errno_t sysdb_dn_sanitize(TALLOC_CTX *mem_ctx, const char *input,
char **sanitized);
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index dc0bd4f2c..b7ceb6e59 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1831,7 +1831,8 @@ done:
errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
struct ldb_result *res,
- struct sysdb_netgroup_ctx ***entries)
+ struct sysdb_netgroup_ctx ***entries,
+ size_t *netgroup_count)
{
errno_t ret;
size_t size = 0;
@@ -1935,6 +1936,8 @@ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
tmp_entry[c] = NULL;
*entries = talloc_steal(mem_ctx, tmp_entry);
+ *netgroup_count = c;
+
ret = EOK;
done:
diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
index 031db9f2e..a45b65233 100644
--- a/src/responder/nss/nss_enum.c
+++ b/src/responder/nss/nss_enum.c
@@ -144,7 +144,8 @@ static void nss_setent_internal_done(struct tevent_req *subreq)
/* We need to expand the netgroup into triples and members. */
ret = sysdb_netgr_to_entries(state->enum_ctx,
result[0]->ldb_result,
- &state->enum_ctx->netgroup);
+ &state->enum_ctx->netgroup,
+ &state->enum_ctx->netgroup_count);
if (ret != EOK) {
goto done;
}
diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h
index 5fc19d26b..aa8d8e9cd 100644
--- a/src/responder/nss/nss_private.h
+++ b/src/responder/nss/nss_private.h
@@ -41,6 +41,7 @@ struct nss_enum_index {
struct nss_enum_ctx {
struct cache_req_result **result;
struct sysdb_netgroup_ctx **netgroup;
+ size_t netgroup_count;
/* Ongoing cache request that is constructing enumeration result. */
struct tevent_req *ongoing;
diff --git a/src/responder/nss/nss_protocol_netgr.c b/src/responder/nss/nss_protocol_netgr.c
index ed04fd258..9f27c6b78 100644
--- a/src/responder/nss/nss_protocol_netgr.c
+++ b/src/responder/nss/nss_protocol_netgr.c
@@ -126,6 +126,13 @@ nss_protocol_fill_netgrent(struct nss_ctx *nss_ctx,
idx = cmd_ctx->enum_index;
entries = cmd_ctx->enum_ctx->netgroup;
+ if (idx->result > cmd_ctx->enum_ctx->netgroup_count) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unconsistent state while processing netgroups.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
/* First two fields (length and reserved), filled up later. */
ret = sss_packet_grow(packet, 2 * sizeof(uint32_t));
if (ret != EOK) {
--
2.14.3

101
0030-sssctl-Showing-help-even-when-sssd-not-configured.patch
View File

@ -1,101 +0,0 @@
From 3d0fd106754c7614f5d9fb3875d0b40092d200f3 Mon Sep 17 00:00:00 2001
From: amitkuma <amitkuma@redhat.com>
Date: Thu, 15 Feb 2018 18:21:10 +0530
Subject: [PATCH] sssctl: Showing help even when sssd not configured
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On a clean and unconfigured system, it's not possible
to use --help.
1) dnf install sssd-tools
2) sssctl cache-remove --help
Shows:
[confdb_get_domains] (0x0010): No domains configured, fatal error!
Solution: Donot check for confdb initialization when sssctl 3rd
command line argument passed is '--help'.
Please note when we run 'sssctl --help' on unconfigured system
confdb check is not done and proper o/p is seen.
Resolves: https://pagure.io/SSSD/sssd/issue/3634
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit b8db8c2d83d1d75c42c1e17145d3907211b3a146)
---
src/tools/common/sss_tools.c | 19 ++++++++++++-------
src/tools/common/sss_tools.h | 1 +
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
index 4832db5a0..d45584ce1 100644
--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
@@ -58,11 +58,14 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx,
poptContext pc;
int debug = SSSDBG_DEFAULT;
int orig_argc = *argc;
+ int help = 0;
int opt;
struct poptOption options[] = {
{"debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_STRIP, &debug,
0, _("The debug level to run with"), NULL },
+ {"help", '?', POPT_ARG_VAL | POPT_ARGFLAG_DOC_HIDDEN, &help,
+ 1, NULL, NULL },
POPT_TABLEEND
};
@@ -74,6 +77,7 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx,
/* Strip common options from arguments. We will discard_const here,
* since it is not worth the trouble to convert it back and forth. */
*argc = poptStrippedArgv(pc, orig_argc, discard_const_p(char *, argv));
+ tool_ctx->print_help = help;
DEBUG_CLI_INIT(debug);
@@ -187,7 +191,6 @@ errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
}
sss_tool_common_opts(tool_ctx, argc, argv);
-
*_tool_ctx = tool_ctx;
return EOK;
@@ -341,12 +344,14 @@ errno_t sss_tool_route(int argc, const char **argv,
return tool_ctx->init_err;
}
- ret = tool_cmd_init(tool_ctx, &commands[i]);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Command initialization failed [%d] %s\n",
- ret, sss_strerror(ret));
- return ret;
+ if (!tool_ctx->print_help) {
+ ret = tool_cmd_init(tool_ctx, &commands[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Command initialization failed [%d] %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
}
return commands[i].fn(&cmdline, tool_ctx, pvt);
diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
index 848009365..0e4308ee6 100644
--- a/src/tools/common/sss_tools.h
+++ b/src/tools/common/sss_tools.h
@@ -29,6 +29,7 @@
struct sss_tool_ctx {
struct confdb_ctx *confdb;
+ bool print_help;
errno_t init_err;
char *default_domain;
struct sss_domain_info *domains;
--
2.14.3

90
0031-sssctl-move-check-for-version-error-to-correct-place.patch
View File

@ -1,90 +0,0 @@
From 08fced82ad1a8bc03c69f84bcfdb495a5f473165 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 3 Apr 2018 10:20:29 +0200
Subject: [PATCH] sssctl: move check for version error to correct place
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This check was added here:
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 490) int sss_tool_main(int argc, const char **argv,
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 491) struct sss_route_cmd *commands,
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 492) void *pvt)
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 493) {
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 494) struct sss_tool_ctx *tool_ctx;
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 495) uid_t uid;
e98ccef2 (Pavel Březina 2016-06-09 16:13:34 +0200 496) errno_t ret;
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 497)
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 498) uid = getuid();
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 499) if (uid != 0) {
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 500) DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", uid);
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 501) ERROR("%1$s must be run as root\n", argv[0]);
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 502) return EXIT_FAILURE;
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 503) }
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 504)
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 505) ret = sss_tool_init(NULL, &argc, argv, &tool_ctx);
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 506) if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 507) tool_ctx->init_err = ret;
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 508) } else if (ret != EOK) {
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 509) DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n");
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 510) return EXIT_FAILURE;
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 511) }
But then the initialization code was moved from sss_tool_init to tool_cmd_init which is called from sss_tool_route.
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 328) if (!sss_tools_handles_init_error(&commands[i], tool_ctx->init_err)) {
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 329) DEBUG(SSSDBG_FATAL_FAILURE,
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 330) "Command %s does not handle initialization error [%d] %s\n",
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 331) cmdline.command, tool_ctx->init_err,
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 332) sss_strerror(tool_ctx->init_err));
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 333) return tool_ctx->init_err;
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 334) }
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 335)
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 336) ret = tool_cmd_init(tool_ctx, &commands[i]);
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 337) if (ret != EOK) {
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 338) DEBUG(SSSDBG_FATAL_FAILURE,
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 339) "Command initialization failed [%d] %s\n",
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 340) ret, sss_strerror(ret));
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 341) return ret;
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 342) }
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 343)
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 344) return commands[i].fn(&cmdline, tool_ctx, pvt);
This rendered the original change a dead code, because sss_tool_init only returns ENOMEM or EOK.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit fe58f0fbf34de5931ce3305396e5e4467796a325)
---
src/tools/common/sss_tools.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
index d45584ce1..701db2d93 100644
--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
@@ -346,7 +346,9 @@ errno_t sss_tool_route(int argc, const char **argv,
if (!tool_ctx->print_help) {
ret = tool_cmd_init(tool_ctx, &commands[i]);
- if (ret != EOK) {
+ if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
+ tool_ctx->init_err = ret;
+ } else if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Command initialization failed [%d] %s\n",
ret, sss_strerror(ret));
@@ -516,9 +518,7 @@ int sss_tool_main(int argc, const char **argv,
}
ret = sss_tool_init(NULL, &argc, argv, &tool_ctx);
- if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
- tool_ctx->init_err = ret;
- } else if (ret != EOK) {
+ if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n");
return EXIT_FAILURE;
}
--
2.14.3

35
0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch
View File

@ -1,35 +0,0 @@
From 39539d7b882722336bb4bfad99ef3ebadfc9b276 Mon Sep 17 00:00:00 2001
From: amitkumar50 <amitkuma@redhat.com>
Date: Tue, 10 Apr 2018 15:29:01 +0530
Subject: [PATCH] MAN: Add sss-certmap man page regarding priority processing
PR adds following text in PRIORITY section of man sss-certmap:
The processing is stopped when a matched rule is found and no
further rules are checked.
Resolves: https://pagure.io/SSSD/sssd/issue/3469
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit 56839605d139573319b7df24774b56ea78ec742b)
---
src/man/sss-certmap.5.xml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
index 593cd4666..db258d14a 100644
--- a/src/man/sss-certmap.5.xml
+++ b/src/man/sss-certmap.5.xml
@@ -44,7 +44,9 @@
<para>
The rules are processed by priority while the number '0' (zero)
indicates the highest priority. The higher the number the lower is
- the priority. A missing value indicates the lowest priority.
+ the priority. A missing value indicates the lowest priority. The
+ rules processing is stopped when a matched rule is found and no
+ further rules are checked.
</para>
<para>
Internally the priority is treated as unsigned 32bit integer, using
--
2.14.3

42
0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch
View File

@ -1,42 +0,0 @@
From ac1636acadcf8e799a93d799140e8ff2d533f313 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 23 Jan 2018 11:23:37 +0100
Subject: [PATCH] SDAP: Improve a DEBUG message about GC detection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It was not entirely clear what the message means. We should improve the
debug message to make it clear that all or none attributes should be
replicated to the Global Catalog.
This patch can be reverted once we fix
https://pagure.io/SSSD/sssd/issue/3538 and only use the GC to look up
the entry DN, not the entry itself.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 2d43eaf43540c375d39c5e1c2482595e919fb4df)
---
src/providers/ldap/sdap_async.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 76cfce207..1e77b1c3c 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2720,7 +2720,11 @@ static void sdap_gc_posix_check_done(struct tevent_req *subreq)
/* Positive hit is definitive, no need to search other bases */
if (state->has_posix == true) {
- DEBUG(SSSDBG_FUNC_DATA, "Server has POSIX attributes\n");
+ DEBUG(SSSDBG_FUNC_DATA, "Server has POSIX attributes. Global Catalog will "
+ "be used for user and group lookups. Note that if "
+ "only a subset of POSIX attributes is present "
+ "in GC, the non-replicated attributes are "
+ "currently not read from the LDAP port\n");
tevent_req_done(req);
return;
}
--
2.14.3

34
0034-MAN-Improve-docs-about-GC-detection.patch
View File

@ -1,34 +0,0 @@
From 1438765a294161b9b636e01ed86bc52c540183d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Thu, 12 Apr 2018 10:38:42 +0200
Subject: [PATCH] MAN: Improve docs about GC detection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add the same note we have as part of our debug to the sssd-ad manual.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 4ab8734cc45fab2d1a0e690b566da1bda63df76c)
---
src/man/sssd-ad.5.xml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index be2593dca..f43c7fcf4 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -100,6 +100,9 @@ ldap_id_mapping = False
domains in the forest sequentially. Please note that the
<quote>cache_first</quote> option might be also helpful in
speeding up domainless searches.
+ Note that if only a subset of POSIX attributes is present in
+ the Global Catalog, the non-replicated attributes are currently
+ not read from the LDAP port.
</para>
<para>
Users, groups and other entities served by SSSD are always treated as
--
2.14.3

34
0035-nss-idmap-do-not-set-a-limit.patch
View File

@ -1,34 +0,0 @@
From b489dcc998fc305f3a0a43b6484c042065320001 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 18 Apr 2018 10:20:06 +0200
Subject: [PATCH] nss-idmap: do not set a limit
If the limit is set the needed size to return all groups cannot be
returned.
Related to https://pagure.io/SSSD/sssd/issue/3715
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 46a4c265629d9b725c41f22849741ce7342bdd85)
---
src/sss_client/idmap/sss_nss_ex.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
index c00e64cc4..b87b5e3b2 100644
--- a/src/sss_client/idmap/sss_nss_ex.c
+++ b/src/sss_client/idmap/sss_nss_ex.c
@@ -96,7 +96,9 @@ errno_t sss_nss_mc_get(struct nss_input *inp)
inp->result.initgrrep.start,
inp->result.initgrrep.ngroups,
&(inp->result.initgrrep.groups),
- *(inp->result.initgrrep.ngroups));
+ /* no limit so that needed size can
+ * be returned properly */
+ -1);
break;
default:
return EINVAL;
--
2.14.3

69
0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
View File

@ -1,69 +0,0 @@
From b24ef81656fc3d0dce49b1756ba53c46b5881a14 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 18 Apr 2018 10:23:22 +0200
Subject: [PATCH] nss-idmap: use right group list pointer after sss_get_ex()
If the initial array is too small it will be reallocated during
sss_get_ex() and the pointer might change and the initial memory area
should not be used anymore.
Related to https://pagure.io/SSSD/sssd/issue/3715
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2c4dc7a4d98c439c69625f12ba4c3c8253f4cc5b)
---
src/sss_client/idmap/sss_nss_ex.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
index b87b5e3b2..971422063 100644
--- a/src/sss_client/idmap/sss_nss_ex.c
+++ b/src/sss_client/idmap/sss_nss_ex.c
@@ -485,7 +485,6 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
uint32_t flags, unsigned int timeout)
{
int ret;
- gid_t *new_groups;
long int new_ngroups;
long int start = 1;
struct nss_input inp = {
@@ -498,27 +497,28 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
}
new_ngroups = MAX(1, *ngroups);
- new_groups = malloc(new_ngroups * sizeof(gid_t));
- if (new_groups == NULL) {
+ inp.result.initgrrep.groups = malloc(new_ngroups * sizeof(gid_t));
+ if (inp.result.initgrrep.groups == NULL) {
free(discard_const(inp.rd.data));
return ENOMEM;
}
- new_groups[0] = group;
+ inp.result.initgrrep.groups[0] = group;
- inp.result.initgrrep.groups = new_groups,
inp.result.initgrrep.ngroups = &new_ngroups;
inp.result.initgrrep.start = &start;
-
+ /* inp.result.initgrrep.groups, inp.result.initgrrep.ngroups and
+ * inp.result.initgrrep.start might be modified by sss_get_ex() */
ret = sss_get_ex(&inp, flags, timeout);
free(discard_const(inp.rd.data));
if (ret != 0) {
- free(new_groups);
+ free(inp.result.initgrrep.groups);
return ret;
}
- memcpy(groups, new_groups, MIN(*ngroups, start) * sizeof(gid_t));
- free(new_groups);
+ memcpy(groups, inp.result.initgrrep.groups,
+ MIN(*ngroups, start) * sizeof(gid_t));
+ free(inp.result.initgrrep.groups);
if (start > *ngroups) {
ret = ERANGE;
--
2.14.3

177
0037-NSS-Add-InvalidateGroupById-handler.patch
View File

@ -1,177 +0,0 @@
From d1f38315fa7f8c9d3392af0feb32afc56a0f6c4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Fri, 16 Feb 2018 13:55:53 +0100
Subject: [PATCH] NSS: Add InvalidateGroupById handler
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There are some situations where, from the backend, the NSS responder
will have to be notified to invalidate a group.
In order to achieve this in a clean way, let's add the
InvalidateGroupById handler and make use of it later in this very same
series.
Related:
https://pagure.io/SSSD/sssd/issue/2653
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 851d31264c826d7e1bca38bb6d49e66b446707e7)
---
src/responder/nss/nss_iface.c | 16 ++++++++++++++
src/responder/nss/nss_iface.xml | 3 +++
src/responder/nss/nss_iface_generated.c | 38 +++++++++++++++++++++++++++++++++
src/responder/nss/nss_iface_generated.h | 5 +++++
4 files changed, 62 insertions(+)
diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
index 415af9550..805e4fcdf 100644
--- a/src/responder/nss/nss_iface.c
+++ b/src/responder/nss/nss_iface.c
@@ -199,12 +199,28 @@ int nss_memorycache_update_initgroups(struct sbus_request *sbus_req,
return iface_nss_memorycache_UpdateInitgroups_finish(sbus_req);
}
+int nss_memorycache_invalidate_group_by_id(struct sbus_request *sbus_req,
+ void *data,
+ gid_t gid)
+{
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+ struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx);
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Invalidating group %"PRIu32" from memory cache\n", gid);
+
+ sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, gid);
+
+ return iface_nss_memorycache_InvalidateGroupById_finish(sbus_req);
+}
+
struct iface_nss_memorycache iface_nss_memorycache = {
{ &iface_nss_memorycache_meta, 0 },
.UpdateInitgroups = nss_memorycache_update_initgroups,
.InvalidateAllUsers = nss_memorycache_invalidate_users,
.InvalidateAllGroups = nss_memorycache_invalidate_groups,
.InvalidateAllInitgroups = nss_memorycache_invalidate_initgroups,
+ .InvalidateGroupById = nss_memorycache_invalidate_group_by_id,
};
static struct sbus_iface_map iface_map[] = {
diff --git a/src/responder/nss/nss_iface.xml b/src/responder/nss/nss_iface.xml
index 27aae0197..4d8cf14f9 100644
--- a/src/responder/nss/nss_iface.xml
+++ b/src/responder/nss/nss_iface.xml
@@ -14,5 +14,8 @@
</method>
<method name="InvalidateAllInitgroups">
</method>
+ <method name="InvalidateGroupById">
+ <arg name="gid" type="u" direction="in" />
+ </method>
</interface>
</node>
diff --git a/src/responder/nss/nss_iface_generated.c b/src/responder/nss/nss_iface_generated.c
index 4a8b704da..8d5a4584b 100644
--- a/src/responder/nss/nss_iface_generated.c
+++ b/src/responder/nss/nss_iface_generated.c
@@ -12,6 +12,9 @@
/* invokes a handler with a 'ssau' DBus signature */
static int invoke_ssau_method(struct sbus_request *dbus_req, void *function_ptr);
+/* invokes a handler with a 'u' DBus signature */
+static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr);
+
/* arguments for org.freedesktop.sssd.nss.MemoryCache.UpdateInitgroups */
const struct sbus_arg_meta iface_nss_memorycache_UpdateInitgroups__in[] = {
{ "user", "s" },
@@ -44,6 +47,18 @@ int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *re
DBUS_TYPE_INVALID);
}
+/* arguments for org.freedesktop.sssd.nss.MemoryCache.InvalidateGroupById */
+const struct sbus_arg_meta iface_nss_memorycache_InvalidateGroupById__in[] = {
+ { "gid", "u" },
+ { NULL, }
+};
+
+int iface_nss_memorycache_InvalidateGroupById_finish(struct sbus_request *req)
+{
+ return sbus_request_return_and_finish(req,
+ DBUS_TYPE_INVALID);
+}
+
/* methods for org.freedesktop.sssd.nss.MemoryCache */
const struct sbus_method_meta iface_nss_memorycache__methods[] = {
{
@@ -74,6 +89,13 @@ const struct sbus_method_meta iface_nss_memorycache__methods[] = {
offsetof(struct iface_nss_memorycache, InvalidateAllInitgroups),
NULL, /* no invoker */
},
+ {
+ "InvalidateGroupById", /* name */
+ iface_nss_memorycache_InvalidateGroupById__in,
+ NULL, /* no out_args */
+ offsetof(struct iface_nss_memorycache, InvalidateGroupById),
+ invoke_u_method,
+ },
{ NULL, }
};
@@ -86,6 +108,22 @@ const struct sbus_interface_meta iface_nss_memorycache_meta = {
sbus_invoke_get_all, /* GetAll invoker */
};
+/* invokes a handler with a 'u' DBus signature */
+static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr)
+{
+ uint32_t arg_0;
+ int (*handler)(struct sbus_request *, void *, uint32_t) = function_ptr;
+
+ if (!sbus_request_parse_or_finish(dbus_req,
+ DBUS_TYPE_UINT32, &arg_0,
+ DBUS_TYPE_INVALID)) {
+ return EOK; /* request handled */
+ }
+
+ return (handler)(dbus_req, dbus_req->intf->handler_data,
+ arg_0);
+}
+
/* invokes a handler with a 'ssau' DBus signature */
static int invoke_ssau_method(struct sbus_request *dbus_req, void *function_ptr)
{
diff --git a/src/responder/nss/nss_iface_generated.h b/src/responder/nss/nss_iface_generated.h
index 11fac7916..27a6d0853 100644
--- a/src/responder/nss/nss_iface_generated.h
+++ b/src/responder/nss/nss_iface_generated.h
@@ -18,6 +18,7 @@
#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS "InvalidateAllUsers"
#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS "InvalidateAllGroups"
#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS "InvalidateAllInitgroups"
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEGROUPBYID "InvalidateGroupById"
/* ------------------------------------------------------------------------
* DBus handlers
@@ -44,6 +45,7 @@ struct iface_nss_memorycache {
int (*InvalidateAllUsers)(struct sbus_request *req, void *data);
int (*InvalidateAllGroups)(struct sbus_request *req, void *data);
int (*InvalidateAllInitgroups)(struct sbus_request *req, void *data);
+ int (*InvalidateGroupById)(struct sbus_request *req, void *data, uint32_t arg_gid);
};
/* finish function for UpdateInitgroups */
@@ -58,6 +60,9 @@ int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req);
/* finish function for InvalidateAllInitgroups */
int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *req);
+/* finish function for InvalidateGroupById */
+int iface_nss_memorycache_InvalidateGroupById_finish(struct sbus_request *req);
+
/* ------------------------------------------------------------------------
* DBus Interface Metadata
*
--
2.14.3

91
0038-DP-Add-dp_sbus_invalidate_group_memcache.patch
View File

@ -1,91 +0,0 @@
From efaabeae96f76036bbe06122f7fbf70a66d26c56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 19 Feb 2018 08:42:10 +0100
Subject: [PATCH] DP: Add dp_sbus_invalidate_group_memcache()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This function will be called from the data provider to the NSS
responder, which will invalidate a group in the memcache.
Related:
https://pagure.io/SSSD/sssd/issue/2653
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 709c42f0cabc96d0e0edf72753a0967593206ff4)
---
src/providers/data_provider/dp.h | 2 ++
src/providers/data_provider/dp_resp_client.c | 45 ++++++++++++++++++++++++++++
2 files changed, 47 insertions(+)
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
index ceb49da53..e8b2f9c8f 100644
--- a/src/providers/data_provider/dp.h
+++ b/src/providers/data_provider/dp.h
@@ -179,6 +179,8 @@ void dp_sbus_reset_groups_ncache(struct data_provider *provider,
void dp_sbus_reset_users_memcache(struct data_provider *provider);
void dp_sbus_reset_groups_memcache(struct data_provider *provider);
void dp_sbus_reset_initgr_memcache(struct data_provider *provider);
+void dp_sbus_invalidate_group_memcache(struct data_provider *provider,
+ gid_t gid);
/*
* A dummy handler for DPM_ACCT_DOMAIN_HANDLER.
diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c
index 5735188a6..a61f7c59d 100644
--- a/src/providers/data_provider/dp_resp_client.c
+++ b/src/providers/data_provider/dp_resp_client.c
@@ -189,3 +189,48 @@ void dp_sbus_reset_initgr_memcache(struct data_provider *provider)
return dp_sbus_reset_memcache(provider,
IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS);
}
+
+void dp_sbus_invalidate_group_memcache(struct data_provider *provider,
+ gid_t gid)
+{
+ struct dp_client *dp_cli;
+ DBusMessage *msg;
+ dbus_bool_t dbret;
+
+ if (provider == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No provider pointer\n");
+ return;
+ }
+
+ dp_cli = provider->clients[DPC_NSS];
+ if (dp_cli == NULL) {
+ return;
+ }
+
+ msg = dbus_message_new_method_call(NULL,
+ NSS_MEMORYCACHE_PATH,
+ IFACE_NSS_MEMORYCACHE,
+ IFACE_NSS_MEMORYCACHE_INVALIDATEGROUPBYID);
+ if (msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
+ return;
+ }
+
+ dbret = dbus_message_append_args(msg,
+ DBUS_TYPE_UINT32, &gid,
+ DBUS_TYPE_INVALID);
+ if (!dbret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
+ dbus_message_unref(msg);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Ordering NSS responder to invalidate the group %"PRIu32" \n",
+ gid);
+
+ sbus_conn_send_reply(dp_client_conn(dp_cli), msg);
+ dbus_message_unref(msg);
+
+ return;
+}
--
2.14.3

49
0039-ERRORS-Add-ERR_GID_DUPLICATED.patch
View File

@ -1,49 +0,0 @@
From 454f493664bf117c27634e6efe33ebe7d5a85c56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 19 Feb 2018 08:29:36 +0100
Subject: [PATCH] ERRORS: Add ERR_GID_DUPLICATED
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This new error will be returned from sysdb_add_incomplete_group()
when renaming a group which will case gid collision.
Related:
https://pagure.io/SSSD/sssd/issue/2653
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ccd349f0274217e1f0cc118e3a6045e2235ce420)
---
src/util/util_errors.c | 1 +
src/util/util_errors.h | 1 +
2 files changed, 2 insertions(+)
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 39ce3d7dc..e2bb2a014 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -118,6 +118,7 @@ struct err_string error_to_str[] = {
{ "GetAccountDomain() not supported" }, /* ERR_GET_ACCT_DOM_NOT_SUPPORTED */
{ "The last GetAccountDomain() result is still valid" }, /* ERR_GET_ACCT_DOM_CACHED */
{ "ID is outside the allowed range" }, /* ERR_ID_OUTSIDE_RANGE */
+ { "Group ID is duplicated" }, /* ERR_GID_DUPLICATED */
{ "ERR_LAST" } /* ERR_LAST */
};
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index ad4dad5f8..49501727d 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -140,6 +140,7 @@ enum sssd_errors {
ERR_GET_ACCT_DOM_NOT_SUPPORTED,
ERR_GET_ACCT_DOM_CACHED,
ERR_ID_OUTSIDE_RANGE,
+ ERR_GID_DUPLICATED,
ERR_LAST /* ALWAYS LAST */
};
--
2.14.3

380
0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch
View File

@ -1,380 +0,0 @@
From f60c77df9b7162f46d8639f940d5df31f64f5815 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 9 Apr 2018 12:36:45 +0200
Subject: [PATCH] LDAP: Augment the sdap_opts structure with a data provider
pointer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In order to be able to use the Data Provider methods from the SDAP code
to e.g. invalidate memcache when needed, add a new field to the
sdap_options structure with the data_provider structure pointer.
Fill the pointer value for all LDAP-based providers.
Related:
https://pagure.io/SSSD/sssd/issue/2653
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit d2633d922eeed68f92be4248b9172b928c189920)
---
src/providers/ad/ad_common.c | 18 +++++++++++++-----
src/providers/ad/ad_common.h | 4 ++++
src/providers/ad/ad_init.c | 5 ++++-
src/providers/ad/ad_subdomains.c | 8 ++++++--
src/providers/ipa/ipa_common.c | 2 ++
src/providers/ipa/ipa_common.h | 1 +
src/providers/ipa/ipa_init.c | 5 ++++-
src/providers/ipa/ipa_subdomains_server.c | 2 ++
src/providers/ldap/ldap_common.h | 1 +
src/providers/ldap/ldap_init.c | 3 ++-
src/providers/ldap/ldap_options.c | 2 ++
src/providers/ldap/sdap.h | 1 +
src/tests/cmocka/common_mock_sdap.c | 2 +-
src/tests/cmocka/test_ad_common.c | 3 +++
14 files changed, 46 insertions(+), 11 deletions(-)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 2a1647173..d92c68e6f 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -35,7 +35,8 @@ static errno_t ad_set_sdap_options(struct ad_options *ad_opts,
struct sdap_options *id_opts);
static struct sdap_options *
-ad_create_default_sdap_options(TALLOC_CTX *mem_ctx)
+ad_create_default_sdap_options(TALLOC_CTX *mem_ctx,
+ struct data_provider *dp)
{
struct sdap_options *id_opts;
errno_t ret;
@@ -44,6 +45,7 @@ ad_create_default_sdap_options(TALLOC_CTX *mem_ctx)
if (!id_opts) {
return NULL;
}
+ id_opts->dp = dp;
ret = dp_copy_defaults(id_opts,
ad_def_ldap_opts,
@@ -112,6 +114,7 @@ static errno_t
ad_create_sdap_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *conf_path,
+ struct data_provider *dp,
struct sdap_options **_id_opts)
{
struct sdap_options *id_opts;
@@ -119,7 +122,7 @@ ad_create_sdap_options(TALLOC_CTX *mem_ctx,
if (cdb == NULL || conf_path == NULL) {
/* Fallback to defaults if there is no confdb */
- id_opts = ad_create_default_sdap_options(mem_ctx);
+ id_opts = ad_create_default_sdap_options(mem_ctx, dp);
if (id_opts == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to initialize default sdap options\n");
@@ -220,6 +223,7 @@ struct ad_options *
ad_create_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *conf_path,
+ struct data_provider *dp,
struct sss_domain_info *subdom)
{
struct ad_options *ad_options;
@@ -252,6 +256,7 @@ ad_create_options(TALLOC_CTX *mem_ctx,
ret = ad_create_sdap_options(ad_options,
cdb,
conf_path,
+ dp,
&ad_options->id);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD LDAP options\n");
@@ -304,6 +309,7 @@ struct ad_options *
ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *conf_path,
+ struct data_provider *dp,
const char *realm,
struct sss_domain_info *subdom,
const char *hostname,
@@ -315,7 +321,7 @@ ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_FUNC, "2way trust is defined to domain '%s'\n",
subdom->name);
- ad_options = ad_create_options(mem_ctx, cdb, conf_path, subdom);
+ ad_options = ad_create_options(mem_ctx, cdb, conf_path, dp, subdom);
if (ad_options == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
return NULL;
@@ -343,6 +349,7 @@ struct ad_options *
ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *subdom_conf_path,
+ struct data_provider *dp,
struct sss_domain_info *subdom,
const char *hostname,
const char *keytab,
@@ -355,7 +362,7 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_FUNC, "1way trust is defined to domain '%s'\n",
subdom->name);
- ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, subdom);
+ ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, dp, subdom);
if (ad_options == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
return NULL;
@@ -1056,12 +1063,13 @@ errno_t
ad_get_id_options(struct ad_options *ad_opts,
struct confdb_ctx *cdb,
const char *conf_path,
+ struct data_provider *dp,
struct sdap_options **_opts)
{
struct sdap_options *id_opts;
errno_t ret;
- ret = ad_create_sdap_options(ad_opts, cdb, conf_path, &id_opts);
+ ret = ad_create_sdap_options(ad_opts, cdb, conf_path, dp, &id_opts);
if (ret != EOK) {
return ENOMEM;
}
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index 931aafc6c..6eb2ba7e9 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -112,11 +112,13 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
struct ad_options *ad_create_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *conf_path,
+ struct data_provider *dp,
struct sss_domain_info *subdom);
struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *conf_path,
+ struct data_provider *dp,
const char *realm,
struct sss_domain_info *subdom,
const char *hostname,
@@ -125,6 +127,7 @@ struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
struct ad_options *ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
struct confdb_ctx *cdb,
const char *conf_path,
+ struct data_provider *dp,
struct sss_domain_info *subdom,
const char *hostname,
const char *keytab,
@@ -147,6 +150,7 @@ errno_t
ad_get_id_options(struct ad_options *ad_opts,
struct confdb_ctx *cdb,
const char *conf_path,
+ struct data_provider *dp,
struct sdap_options **_opts);
errno_t
ad_get_autofs_options(struct ad_options *ad_opts,
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index 8c485a7c2..b19624782 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -453,7 +453,10 @@ errno_t sssm_ad_init(TALLOC_CTX *mem_ctx,
init_ctx->options->id_ctx = init_ctx->id_ctx;
- ret = ad_get_id_options(init_ctx->options, be_ctx->cdb, be_ctx->conf_path,
+ ret = ad_get_id_options(init_ctx->options,
+ be_ctx->cdb,
+ be_ctx->conf_path,
+ be_ctx->provider,
&init_ctx->id_ctx->sdap_id_ctx->opts);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD id options\n");
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index bd94ba8ea..74b9f0751 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -265,8 +265,12 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
return ENOMEM;
}
- ad_options = ad_create_2way_trust_options(id_ctx, be_ctx->cdb,
- subdom_conf_path, realm, subdom,
+ ad_options = ad_create_2way_trust_options(id_ctx,
+ be_ctx->cdb,
+ subdom_conf_path,
+ be_ctx->provider,
+ realm,
+ subdom,
hostname, keytab);
talloc_free(subdom_conf_path);
if (ad_options == NULL) {
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 2b81d7f3f..87ed96767 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -171,6 +171,7 @@ static errno_t ipa_parse_search_base(TALLOC_CTX *mem_ctx,
int ipa_get_id_options(struct ipa_options *ipa_opts,
struct confdb_ctx *cdb,
const char *conf_path,
+ struct data_provider *dp,
struct sdap_options **_opts)
{
TALLOC_CTX *tmpctx;
@@ -190,6 +191,7 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
ret = ENOMEM;
goto done;
}
+ ipa_opts->id->dp = dp;
ret = sdap_domain_add(ipa_opts->id,
ipa_opts->id_ctx->sdap_id_ctx->be->domain,
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 3a1259ccd..725e0e937 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -235,6 +235,7 @@ int ipa_get_options(TALLOC_CTX *memctx,
int ipa_get_id_options(struct ipa_options *ipa_opts,
struct confdb_ctx *cdb,
const char *conf_path,
+ struct data_provider *dp,
struct sdap_options **_opts);
int ipa_get_auth_options(struct ipa_options *ipa_opts,
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index cd2227896..931145985 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -161,7 +161,10 @@ static errno_t ipa_init_id_ctx(TALLOC_CTX *mem_ctx,
ipa_id_ctx->sdap_id_ctx = sdap_id_ctx;
ipa_options->id_ctx = ipa_id_ctx;
- ret = ipa_get_id_options(ipa_options, be_ctx->cdb, be_ctx->conf_path,
+ ret = ipa_get_id_options(ipa_options,
+ be_ctx->cdb,
+ be_ctx->conf_path,
+ be_ctx->provider,
&sdap_id_ctx->opts);
if (ret != EOK) {
goto done;
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index d670a156b..1e53e7a95 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -148,6 +148,7 @@ ipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx,
ad_options = ad_create_1way_trust_options(id_ctx,
be_ctx->cdb,
subdom_conf_path,
+ be_ctx->provider,
subdom,
id_ctx->server_mode->hostname,
keytab,
@@ -186,6 +187,7 @@ static struct ad_options *ipa_ad_options_new(struct be_ctx *be_ctx,
ad_options = ad_create_2way_trust_options(id_ctx,
be_ctx->cdb,
subdom_conf_path,
+ be_ctx->provider,
id_ctx->server_mode->realm,
subdom,
id_ctx->server_mode->hostname,
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 44dbc3fb0..548f0f985 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -193,6 +193,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
struct sss_domain_info *dom,
struct confdb_ctx *cdb,
const char *conf_path,
+ struct data_provider *dp,
struct sdap_options **_opts);
int ldap_get_sudo_options(struct confdb_ctx *cdb,
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 83075b5d3..44b3e9ab3 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -458,7 +458,8 @@ errno_t sssm_ldap_init(TALLOC_CTX *mem_ctx,
/* Always initialize options since it is needed everywhere. */
ret = ldap_get_options(init_ctx, be_ctx->domain, be_ctx->cdb,
- be_ctx->conf_path, &init_ctx->options);
+ be_ctx->conf_path, be_ctx->provider,
+ &init_ctx->options);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize LDAP options "
"[%d]: %s\n", ret, sss_strerror(ret));
diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c
index ccc1a2c5b..0b79715d2 100644
--- a/src/providers/ldap/ldap_options.c
+++ b/src/providers/ldap/ldap_options.c
@@ -27,6 +27,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
struct sss_domain_info *dom,
struct confdb_ctx *cdb,
const char *conf_path,
+ struct data_provider *dp,
struct sdap_options **_opts)
{
struct sdap_attr_map *default_attr_map;
@@ -57,6 +58,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
opts = talloc_zero(memctx, struct sdap_options);
if (!opts) return ENOMEM;
+ opts->dp = dp;
ret = sdap_domain_add(opts, dom, NULL);
if (ret != EOK) {
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index ecf9c4d2e..e892c4071 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -465,6 +465,7 @@ struct sdap_certmap_ctx;
struct sdap_options {
struct dp_option *basic;
+ struct data_provider *dp;
struct sdap_attr_map *gen_map;
struct sdap_attr_map *user_map;
size_t user_map_cnt;
diff --git a/src/tests/cmocka/common_mock_sdap.c b/src/tests/cmocka/common_mock_sdap.c
index cef321613..fa4787c4b 100644
--- a/src/tests/cmocka/common_mock_sdap.c
+++ b/src/tests/cmocka/common_mock_sdap.c
@@ -48,7 +48,7 @@ struct sdap_options *mock_sdap_options_ldap(TALLOC_CTX *mem_ctx,
struct sdap_options *opts = NULL;
errno_t ret;
- ret = ldap_get_options(mem_ctx, domain, confdb_ctx, conf_path, &opts);
+ ret = ldap_get_options(mem_ctx, domain, confdb_ctx, conf_path, NULL, &opts);
if (ret != EOK) {
return NULL;
}
diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
index 94f351e19..39ebbc633 100644
--- a/src/tests/cmocka/test_ad_common.c
+++ b/src/tests/cmocka/test_ad_common.c
@@ -449,6 +449,7 @@ static void test_ad_create_1way_trust_options(void **state)
test_ctx->ad_ctx,
NULL,
NULL,
+ NULL,
test_ctx->subdom,
ONEWAY_HOST_NAME,
ONEWAY_KEYTAB_PATH,
@@ -515,6 +516,7 @@ static void test_ad_create_2way_trust_options(void **state)
test_ctx->ad_ctx,
NULL,
NULL,
+ NULL,
REALMNAME,
test_ctx->subdom,
HOST_NAME,
@@ -585,6 +587,7 @@ test_ldap_conn_setup(void **state)
ad_ctx,
NULL,
NULL,
+ NULL,
REALMNAME,
test_ctx->subdom,
HOST_NAME,
--
2.14.3

95
0041-SDAP-Add-sdap_handle_id_collision_for_incomplete_gro.patch
View File

@ -1,95 +0,0 @@
From 87a0027c7dbc54422ac519ef8eef0323baff4b60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 19 Feb 2018 12:43:06 +0100
Subject: [PATCH] SDAP: Add sdap_handle_id_collision_for_incomplete_groups()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This newly added function is a helper to properly hadle group
id-collisions when renaming incomplete groups and it does:
- Deletes the group from sysdb
- Adds the new incomplete group
- Notifies the NSS responder that the entry also has to be deleted from
the memory cache
This function will be called from
sdap_ad_save_group_membership_with_idmapping() and from
sdap_add_incomplete_groups().
Related:
https://pagure.io/SSSD/sssd/issue/2653
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a537df2ea99acb0181dc360ddf9a60b69c16faf0)
---
src/providers/ldap/sdap_async.h | 11 ++++++++++
src/providers/ldap/sdap_async_initgroups.c | 34 ++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+)
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 40da81fb9..6ca3ed8d8 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -412,4 +412,15 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
errno_t
sdap_ad_tokengroups_initgroups_recv(struct tevent_req *req);
+errno_t
+sdap_handle_id_collision_for_incomplete_groups(struct data_provider *dp,
+ struct sss_domain_info *domain,
+ const char *name,
+ gid_t gid,
+ const char *original_dn,
+ const char *sid_str,
+ const char *uuid,
+ bool posix,
+ time_t now);
+
#endif /* _SDAP_ASYNC_H_ */
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 326294a1c..34747be59 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -3543,3 +3543,37 @@ errno_t get_sysdb_grouplist_dn(TALLOC_CTX *mem_ctx,
return get_sysdb_grouplist_ex(mem_ctx, sysdb, domain,
name, grouplist, true);
}
+
+errno_t
+sdap_handle_id_collision_for_incomplete_groups(struct data_provider *dp,
+ struct sss_domain_info *domain,
+ const char *name,
+ gid_t gid,
+ const char *original_dn,
+ const char *sid_str,
+ const char *uuid,
+ bool posix,
+ time_t now)
+{
+ errno_t ret;
+
+ ret = sysdb_delete_group(domain, NULL, gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Due to an id collision, the new group with gid [\"%"PRIu32"\"] "
+ "will not be added as the old group (with the same gid) could "
+ "not be removed from the sysdb!",
+ gid);
+ return ret;
+ }
+
+ ret = sysdb_add_incomplete_group(domain, name, gid, original_dn, sid_str,
+ uuid, posix, now);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ dp_sbus_invalidate_group_memcache(dp, gid);
+
+ return EOK;
+}
--
2.14.3

129
0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch
View File

@ -1,129 +0,0 @@
From de891b231464f10ce029593d7ee2ebb401e8a0b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 19 Feb 2018 12:51:57 +0100
Subject: [PATCH] SDAP: Properly handle group id-collision when renaming
incomplete groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/2653
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a2e743cd23e8e2033340612c77a8dbb8ef48c1e1)
---
src/providers/ad/ad_pac.c | 3 +++
src/providers/ldap/sdap_async_ad.h | 1 +
src/providers/ldap/sdap_async_initgroups.c | 13 +++++++++++++
src/providers/ldap/sdap_async_initgroups_ad.c | 15 +++++++++++++++
4 files changed, 32 insertions(+)
diff --git a/src/providers/ad/ad_pac.c b/src/providers/ad/ad_pac.c
index 6b47462cf..1a344725f 100644
--- a/src/providers/ad/ad_pac.c
+++ b/src/providers/ad/ad_pac.c
@@ -434,6 +434,7 @@ struct ad_handle_pac_initgr_state {
const char *err;
int dp_error;
int sdap_ret;
+ struct sdap_options *opts;
size_t num_missing_sids;
char **missing_sids;
@@ -471,6 +472,7 @@ struct tevent_req *ad_handle_pac_initgr_send(TALLOC_CTX *mem_ctx,
return NULL;
}
state->user_dom = sdom->dom;
+ state->opts = id_ctx->opts;
/* The following variables are currently unused because no sub-request
* returns any of them. But they are needed to allow the same signature as
@@ -514,6 +516,7 @@ struct tevent_req *ad_handle_pac_initgr_send(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_ALL, "Running PAC processing with id-mapping.\n");
ret = sdap_ad_save_group_membership_with_idmapping(state->username,
+ state->opts,
sdom->dom,
id_ctx->opts->idmap_ctx,
num_sids, group_sids);
diff --git a/src/providers/ldap/sdap_async_ad.h b/src/providers/ldap/sdap_async_ad.h
index 950f5a030..a5f47a1a9 100644
--- a/src/providers/ldap/sdap_async_ad.h
+++ b/src/providers/ldap/sdap_async_ad.h
@@ -25,6 +25,7 @@
#define SDAP_ASYNC_AD_H_
errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
+ struct sdap_options *opts,
struct sss_domain_info *user_dom,
struct sdap_idmap_ctx *idmap_ctx,
size_t num_sids,
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 34747be59..03f6de01a 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -225,6 +225,19 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
ret = sysdb_add_incomplete_group(domain, groupname, gid,
original_dn, sid_str,
uuid, posix, now);
+ if (ret == ERR_GID_DUPLICATED) {
+ /* In case o group id-collision, do:
+ * - Delete the group from sysdb
+ * - Add the new incomplete group
+ * - Notify the NSS responder that the entry has also to be
+ * removed from the memory cache
+ */
+ ret = sdap_handle_id_collision_for_incomplete_groups(
+ opts->dp, domain, groupname, gid,
+ original_dn, sid_str, uuid, posix,
+ now);
+ }
+
if (ret != EOK) {
goto done;
}
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 30f1d3db2..eab103652 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -836,6 +836,7 @@ sdap_ad_tokengroups_initgr_mapping_connect_done(struct tevent_req *subreq)
}
errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
+ struct sdap_options *opts,
struct sss_domain_info *user_dom,
struct sdap_idmap_ctx *idmap_ctx,
size_t num_sids,
@@ -921,6 +922,19 @@ errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
ret = sysdb_add_incomplete_group(domain, name, gid,
NULL, sid, NULL, false, now);
+ if (ret == ERR_GID_DUPLICATED) {
+ /* In case o group id-collision, do:
+ * - Delete the group from sysdb
+ * - Add the new incomplete group
+ * - Notify the NSS responder that the entry has also to be
+ * removed from the memory cache
+ */
+ ret = sdap_handle_id_collision_for_incomplete_groups(
+ idmap_ctx->id_ctx->be->provider,
+ domain, name, gid, NULL, sid, NULL,
+ false, now);
+ }
+
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Could not create incomplete "
"group: [%s]\n", strerror(ret));
@@ -992,6 +1006,7 @@ static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq)
}
ret = sdap_ad_save_group_membership_with_idmapping(state->username,
+ state->opts,
state->domain,
state->idmap_ctx,
num_sids,
--
2.14.3

64
0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch
View File

@ -1,64 +0,0 @@
From 5da97dcfb8499348080b5c7a3980c704294f22fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 19 Feb 2018 08:53:56 +0100
Subject: [PATCH] SYSDB_OPS: Error out on id-collision when adding an
incomplete group
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This situation can be hit when renaming a group. For now, let's just
error this out so the caller can handle it properly on its own layer.
Related:
https://pagure.io/SSSD/sssd/issue/2653
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 514b2be089bfd0e2702d7e9ab883ab071a61b719)
---
src/db/sysdb_ops.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 5d3cf643d..de4fdb592 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2377,12 +2377,34 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
TALLOC_CTX *tmp_ctx;
int ret;
struct sysdb_attrs *attrs;
+ struct ldb_message *msg;
+ const char *previous = NULL;
+ const char *group_attrs[] = { SYSDB_SID_STR, SYSDB_UUID, SYSDB_ORIG_DN, NULL };
+ const char *values[] = { sid_str, uuid, original_dn, NULL };
+ bool same = false;
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
return ENOMEM;
}
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs, &msg);
+ if (ret == EOK) {
+ for (int i = 0; !same && group_attrs[i] != NULL; i++) {
+ previous = ldb_msg_find_attr_as_string(msg,
+ group_attrs[i],
+ NULL);
+ if (previous != NULL && values[i] != NULL) {
+ same = strcmp(previous, values[i]) == 0;
+ }
+ }
+ }
+
+ if (same) {
+ ret = ERR_GID_DUPLICATED;
+ goto done;
+ }
+
/* try to add the group */
ret = sysdb_add_basic_group(domain, name, gid);
if (ret) goto done;
--
2.14.3

194
0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
View File

@ -1,194 +0,0 @@
From ead866b198034c0b3101732e09a5524d0182d1cb Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 19 Feb 2018 18:26:05 +0100
Subject: [PATCH] TESTS: Add an integration test for renaming incomplete groups
during initgroups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As we implemented the group renaming heuristics to rename only if we can
use another "hint" like the original DN or the SID to know the group is
the same, this patch adds two tests (positive and negative) to make sure
a group with a totally different RDN and hence different originalDN
cannot be renamed but a group whose name changed but the RDN stays the
same can be renamed.
Related:
https://pagure.io/SSSD/sssd/issue/3282
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 35d6fb7cabd6183252fd29b29aaf66264dca9135)
---
src/tests/intg/test_ldap.py | 149 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 147 insertions(+), 2 deletions(-)
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index db3253858..98b6349a8 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -94,10 +94,11 @@ def create_ldap_cleanup(request, ldap_conn, ent_list=None):
request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list))
-def create_ldap_fixture(request, ldap_conn, ent_list=None):
+def create_ldap_fixture(request, ldap_conn, ent_list=None, cleanup=True):
"""Add LDAP entries and add teardown for removing them"""
create_ldap_entries(ldap_conn, ent_list)
- create_ldap_cleanup(request, ldap_conn, ent_list)
+ if cleanup:
+ create_ldap_cleanup(request, ldap_conn, ent_list)
SCHEMA_RFC2307 = "rfc2307"
@@ -1437,3 +1438,147 @@ def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid):
", ".join(["%s" % s for s in sorted(gids)]),
", ".join(["%s" % s for s in sorted(user1_expected_gids)])
)
+
+
+def rename_setup_no_cleanup(request, ldap_conn, cleanup_ent=None):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+ ent_list.add_group_bis("user1_private", 2001)
+
+ ent_list.add_user("user2", 1002, 2002)
+ ent_list.add_group_bis("user2_private", 2002)
+
+ ent_list.add_group_bis("group1", 2015, ["user1", "user2"])
+
+ if cleanup_ent is None:
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ else:
+ # Since the entries were renamed, we need to clean up
+ # the renamed entries..
+ create_ldap_fixture(request, ldap_conn, ent_list, cleanup=False)
+ create_ldap_cleanup(request, ldap_conn, None)
+
+
+@pytest.fixture
+def rename_setup_cleanup(request, ldap_conn):
+ cleanup_ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ cleanup_ent_list.add_user("user1", 1001, 2001)
+ cleanup_ent_list.add_group_bis("new_user1_private", 2001)
+
+ cleanup_ent_list.add_user("user2", 1002, 2002)
+ cleanup_ent_list.add_group_bis("new_user2_private", 2002)
+
+ cleanup_ent_list.add_group_bis("new_group1", 2015, ["user1", "user2"])
+
+ rename_setup_no_cleanup(request, ldap_conn, cleanup_ent_list)
+
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+@pytest.fixture
+def rename_setup_with_name(request, ldap_conn):
+ rename_setup_no_cleanup(request, ldap_conn)
+
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
+ unindent("""
+ [nss]
+ [domain/LDAP]
+ ldap_group_name = name
+ timeout = 3000
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_rename_incomplete_group_same_dn(ldap_conn, rename_setup_with_name):
+ """
+ Test that if a group's name attribute changes, but the DN stays the same,
+ the incomplete group object will be renamed.
+
+ Because the RDN attribute must be present in the entry, we add another
+ attribute "name" that is purposefully different from the CN and make
+ sure the group names are reflected in name
+
+ Regression test for https://pagure.io/SSSD/sssd/issue/3282
+ """
+ pvt_dn1 = 'cn=user1_private,ou=Groups,' + ldap_conn.ds_inst.base_dn
+ pvt_dn2 = 'cn=user2_private,ou=Groups,' + ldap_conn.ds_inst.base_dn
+ group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn
+
+ # Add the name we want for both private and secondary group
+ old = {'name': []}
+ new = {'name': [b"user1_group1"]}
+ ldif = ldap.modlist.modifyModlist(old, new)
+ ldap_conn.modify_s(group1_dn, ldif)
+
+ new = {'name': [b"pvt_user1"]}
+ ldif = ldap.modlist.modifyModlist(old, new)
+ ldap_conn.modify_s(pvt_dn1, ldif)
+
+ new = {'name': [b"pvt_user2"]}
+ ldif = ldap.modlist.modifyModlist(old, new)
+ ldap_conn.modify_s(pvt_dn2, ldif)
+
+ # Make sure the old name shows up in the id output
+ (res, errno, grp_list) = sssd_id.get_user_groups("user1")
+ assert res == sssd_id.NssReturnCode.SUCCESS, \
+ "Could not find groups for user1, %d" % errno
+
+ assert sorted(grp_list) == sorted(["pvt_user1", "user1_group1"])
+
+ # Rename the group by changing the cn attribute, but keep the DN the same
+ old = {'name': [b"user1_group1"]}
+ new = {'name': [b"new_user1_group1"]}
+ ldif = ldap.modlist.modifyModlist(old, new)
+ ldap_conn.modify_s(group1_dn, ldif)
+
+ (res, errno, grp_list) = sssd_id.get_user_groups("user2")
+ assert res == sssd_id.NssReturnCode.SUCCESS, \
+ "Could not find groups for user2, %d" % errno
+
+ assert sorted(grp_list) == sorted(["pvt_user2", "new_user1_group1"])
+
+ (res, errno, grp_list) = sssd_id.get_user_groups("user1")
+ assert res == sssd_id.NssReturnCode.SUCCESS, \
+ "Could not find groups for user1, %d" % errno
+
+ assert sorted(grp_list) == sorted(["pvt_user1", "new_user1_group1"])
+
+
+def test_rename_incomplete_group_rdn_changed(ldap_conn, rename_setup_cleanup):
+ """
+ Test that if a group's name attribute changes, and the DN changes with
+ the RDN. Then adding the second group will fail because we can't tell if
+ there are two duplicate groups in LDAP when saving the group or if the
+ group was renamed.
+
+ Please note that with many directories (AD, IPA), the code can rely on
+ other heuristics (SID, UUID) to find out the group is in fact the same.
+
+ Regression test for https://pagure.io/SSSD/sssd/issue/3282
+ """
+ pvt_dn = 'cn=user1_private,ou=Groups,' + ldap_conn.ds_inst.base_dn
+ group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn
+
+ # Make sure the old name shows up in the id output
+ (res, errno, grp_list) = sssd_id.get_user_groups("user1")
+ assert res == sssd_id.NssReturnCode.SUCCESS, \
+ "Could not find groups for user1, %d" % errno
+
+ assert sorted(grp_list) == sorted(["user1_private", "group1"])
+
+ # Rename the groups, changing the RDN
+ ldap_conn.rename_s(group1_dn, "cn=new_group1")
+ ldap_conn.rename_s(pvt_dn, "cn=new_user1_private")
+
+ (res, errno, grp_list) = sssd_id.get_user_groups("user2")
+ assert res == sssd_id.NssReturnCode.SUCCESS, \
+ "Could not find groups for user2, %d" % errno
+
+ # The initgroups succeeds, but because saving the new group fails,
+ # SSSD will revert to the cache contents and return what's in the cache
+ assert sorted(grp_list) == sorted(["user2_private", "group1"])
--
2.14.3

119
0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
View File

@ -1,119 +0,0 @@
From 0a367914b87ef56dd4d5d56778e5770d1201f255 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 16 Apr 2018 20:29:28 +0200
Subject: [PATCH] SYSDB: sysdb_add_incomplete_group now returns EEXIST with a
duplicate GID
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related:
https://pagure.io/SSSD/sssd/issue/2653
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit ba2d5f7a0adefb017d3f85203d715b725ca8810f)
---
src/db/sysdb_ops.c | 13 ++++++++++---
src/tests/sysdb-tests.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 56 insertions(+), 4 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index de4fdb592..93b967e75 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2398,10 +2398,17 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
same = strcmp(previous, values[i]) == 0;
}
}
- }
- if (same) {
- ret = ERR_GID_DUPLICATED;
+ if (same == true) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "The group with GID [%"SPRIgid"] was renamed\n", gid);
+ ret = ERR_GID_DUPLICATED;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Another group with GID [%"SPRIgid"] already exists\n", gid);
+ ret = EEXIST;
goto done;
}
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index 32b8ca856..416dedb5e 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -989,6 +989,50 @@ START_TEST (test_sysdb_add_incomplete_group)
}
END_TEST
+START_TEST (test_sysdb_incomplete_group_rename)
+{
+ struct sysdb_test_ctx *test_ctx;
+ int ret;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group",
+ 20000, NULL,
+ "S-1-5-21-123-456-789-111",
+ NULL, true, 0);
+ fail_unless(ret == EOK,
+ "sysdb_add_incomplete_group error [%d][%s]",
+ ret, strerror(ret));
+
+ /* Adding a group with the same GID and all the other characteristics uknown should fail */
+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new",
+ 20000, NULL, NULL, NULL, true, 0);
+ fail_unless(ret == EEXIST, "Did not caught a duplicate\n");
+
+ /* A different SID should also trigger a failure */
+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new",
+ 20000, NULL,
+ "S-1-5-21-123-456-789-222",
+ NULL, true, 0);
+ fail_unless(ret == EEXIST, "Did not caught a duplicate\n");
+
+ /* But if we know based on a SID that the group is in fact the same,
+ * let's just change its name
+ */
+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new",
+ 20000, NULL,
+ "S-1-5-21-123-456-789-111",
+ NULL, true, 0);
+ fail_unless(ret == ERR_GID_DUPLICATED,
+ "Did not catch a legitimate rename",
+ ret, strerror(ret));
+}
+END_TEST
+
START_TEST (test_sysdb_getpwnam)
{
struct sysdb_test_ctx *test_ctx;
@@ -5526,7 +5570,7 @@ START_TEST(test_sysdb_search_sid_str)
ret = setup_sysdb_tests(&test_ctx);
fail_if(ret != EOK, "Could not set up the test");
- data = test_data_new_group(test_ctx, 2900);
+ data = test_data_new_group(test_ctx, 2902);
fail_if(data == NULL);
data->sid_str = "S-1-2-3-4";
@@ -7166,6 +7210,7 @@ Suite *create_sysdb_suite(void)
tcase_add_loop_test(tc_sysdb,
test_sysdb_remove_local_group_by_gid,
28000, 28010);
+ tcase_add_test(tc_sysdb, test_sysdb_incomplete_group_rename);
/* test custom operations */
tcase_add_loop_test(tc_sysdb, test_sysdb_store_custom, 29010, 29020);
--
2.14.3

47
0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
View File

@ -1,47 +0,0 @@
From 549a960554f44e79d74c65d9f889ccaef497b11d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 19 Apr 2018 09:38:47 +0200
Subject: [PATCH] MAN: Document which principal does the AD provider use
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Administrators are often confused by the difference between what
principal is used to authenticate to AD. Let's document that.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 91d1e4c134b7c90abd2ff86b313175c542cd834c)
---
src/man/include/ad_modified_defaults.xml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml
index c41b454f8..818a2bf78 100644
--- a/src/man/include/ad_modified_defaults.xml
+++ b/src/man/include/ad_modified_defaults.xml
@@ -58,6 +58,22 @@
ldap_use_tokengroups = true
</para>
</listitem>
+ <listitem>
+ <para>
+ ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
+ </para>
+ <para>
+ The AD provider looks for a different principal than the
+ LDAP provider by default, because in an Active Directory
+ environment the principals are divided into two groups
+ - User Principals and Service Principals. Only User
+ Principal can be used to obtain a TGT and by default,
+ computer object's principal is constructed from
+ its sAMAccountName and the AD realm. The well-known
+ host/hostname@REALM principal is a Service Principal
+ and thus cannot be used to get a TGT with.
+ </para>
+ </listitem>
</itemizedlist>
</refsect2>
</refsect1>
--
2.14.3

77
0047-GPO-Fix-bug-with-empty-GPO-rules.patch
View File

@ -1,77 +0,0 @@
From c83f6c6da3958475ca4782ffcb49fbc41f8c8f17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 11 Apr 2018 18:56:53 +0200
Subject: [PATCH] GPO: Fix bug with empty GPO rules
When two or more GPO rules were defined on the server
and one of them contained no SIDs (no users or groups
were specified), then SSSD failed to store such rule
and users were denied access (system error).
This patch changes the behavior so that in case
there are no SIDs in the rule a special value is
stored with the rule to indicate that the rule
was actually specified, but this value will not
match any real SID (because the rule should be
empty).
Resolves:
https://pagure.io/SSSD/sssd/issue/3680
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e6e5fe349aa6ed85eb9acb3273007fa90ee99450)
---
src/providers/ad/ad_gpo.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index a48f264c7..ae3329b90 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1132,6 +1132,7 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
int i;
char *allow_value = NULL;
char *deny_value = NULL;
+ const char *empty_val = "NO_SID";
const char *allow_key = NULL;
const char *deny_key = NULL;
TALLOC_CTX *tmp_ctx = NULL;
@@ -1236,7 +1237,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
}
for (i = 0; i < GPO_MAP_NUM_OPTS; i++) {
-
+ /* The NO_SID val is used as special SID value for the case when
+ * no SIDs are found in the rule, but we need to store some
+ * value (SID) with the key (rule name) so that it is clear
+ * that the rule is defined on the server. */
struct gpo_map_option_entry entry = gpo_map_option_entries[i];
allow_key = entry.allow_key;
@@ -1252,9 +1256,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
allow_key, ret, sss_strerror(ret));
goto done;
} else if (ret != ENOENT) {
+ const char *value = allow_value ? allow_value : empty_val;
ret = sysdb_gpo_store_gpo_result_setting(domain,
allow_key,
- allow_value);
+ value);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sysdb_gpo_store_gpo_result_setting failed for key:"
@@ -1278,9 +1283,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
deny_key, ret, sss_strerror(ret));
goto done;
} else if (ret != ENOENT) {
+ const char *value = deny_value ? deny_value : empty_val;
ret = sysdb_gpo_store_gpo_result_setting(domain,
deny_key,
- deny_value);
+ value);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sysdb_gpo_store_gpo_result_setting failed for key:"
--
2.14.3

88
0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch
View File

@ -1,88 +0,0 @@
From 8c86f78e41bdb0fa4d77ffaffd13e602b77cdf2f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 4 Apr 2018 14:18:10 +0200
Subject: [PATCH] FILES: Do not overwrite and actually remove
files_ctx.{pwd,grp}_watch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The snotify_ctx structures were unused, are completely opaque (their
only value is that if they are freed, the watches disappear which
the files provider never does).
And moreover, since the patches to support multiple files, the watches
were overwritten with subsequent assignments.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d69e1da370fa33c5085b31eb6302a30d81817534)
---
src/providers/files/files_ops.c | 35 +++++++++++++++++++++++------------
1 file changed, 23 insertions(+), 12 deletions(-)
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
index a2a2798d3..95c4d2a06 100644
--- a/src/providers/files/files_ops.c
+++ b/src/providers/files/files_ops.c
@@ -36,9 +36,6 @@
#define GRP_MAXSIZE 2048
struct files_ctx {
- struct snotify_ctx *pwd_watch;
- struct snotify_ctx *grp_watch;
-
struct files_ops_ctx *ops;
};
@@ -957,6 +954,7 @@ struct files_ctx *sf_init(TALLOC_CTX *mem_ctx,
struct files_ctx *fctx;
struct tevent_immediate *imm;
int i;
+ struct snotify_ctx *snctx;
fctx = talloc(mem_ctx, struct files_ctx);
if (fctx == NULL) {
@@ -964,18 +962,31 @@ struct files_ctx *sf_init(TALLOC_CTX *mem_ctx,
}
for (i = 0; passwd_files[i]; i++) {
- fctx->pwd_watch = sf_setup_watch(fctx, ev, passwd_files[i],
- sf_passwd_cb, id_ctx);
+ snctx = sf_setup_watch(fctx, ev, passwd_files[i],
+ sf_passwd_cb, id_ctx);
+ if (snctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot set watch for passwd file %s\n", passwd_files[i]);
+ /* Rather than reporting incomplete or inconsistent information
+ * in case e.g. group memberships span multiple files, just abort
+ */
+ talloc_free(fctx);
+ return NULL;
}
-
- for (i = 0; group_files[i]; i++) {
- fctx->grp_watch = sf_setup_watch(fctx, ev, group_files[i],
- sf_group_cb, id_ctx);
}
- if (fctx->pwd_watch == NULL || fctx->grp_watch == NULL) {
- talloc_free(fctx);
- return NULL;
+ for (i = 0; group_files[i]; i++) {
+ snctx = sf_setup_watch(fctx, ev, group_files[i],
+ sf_group_cb, id_ctx);
+ if (snctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot set watch for group file %s\n", group_files[i]);
+ /* Rather than reporting incomplete or inconsistent information
+ * in case e.g. group memberships span multiple files, just abort
+ */
+ talloc_free(fctx);
+ return NULL;
+ }
}
/* Enumerate users and groups on startup to process any changes when
--
2.14.3

310
0049-FILES-Reduce-code-duplication.patch
View File

@ -1,310 +0,0 @@
From 601e30e9d6e7c0da2e1648dc2d9bc37bddf512d8 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 17 Apr 2018 14:22:39 +0200
Subject: [PATCH] FILES: Reduce code duplication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 1f8bfb6975becda07ff29f557f82b6ac1eaa0be9)
---
src/providers/files/files_ops.c | 213 +++++++++++++++-------------------------
1 file changed, 81 insertions(+), 132 deletions(-)
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
index 95c4d2a06..370af1274 100644
--- a/src/providers/files/files_ops.c
+++ b/src/providers/files/files_ops.c
@@ -35,6 +35,10 @@
#define PWD_MAXSIZE 1024
#define GRP_MAXSIZE 2048
+#define SF_UPDATE_PASSWD 1<<0
+#define SF_UPDATE_GROUP 1<<1
+#define SF_UPDATE_BOTH (SF_UPDATE_PASSWD | SF_UPDATE_GROUP)
+
struct files_ctx {
struct files_ops_ctx *ops;
};
@@ -708,6 +712,70 @@ done:
return ret;
}
+static errno_t sf_enum_files(struct files_id_ctx *id_ctx,
+ uint8_t flags)
+{
+ errno_t ret;
+ errno_t tret;
+ bool in_transaction = false;
+
+ ret = sysdb_transaction_start(id_ctx->domain->sysdb);
+ if (ret != EOK) {
+ goto done;
+ }
+ in_transaction = true;
+
+ if (flags & SF_UPDATE_PASSWD) {
+ ret = delete_all_users(id_ctx->domain);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* All users were deleted, therefore we need to enumerate each file again */
+ for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
+ ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n");
+ goto done;
+ }
+ }
+ }
+
+ if (flags & SF_UPDATE_GROUP) {
+ ret = delete_all_groups(id_ctx->domain);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* All groups were deleted, therefore we need to enumerate each file again */
+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
+ goto done;
+ }
+ }
+ }
+
+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
+ if (ret != EOK) {
+ goto done;
+ }
+ in_transaction = false;
+
+ ret = EOK;
+done:
+ if (in_transaction) {
+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot cancel transaction: %d\n", ret);
+ }
+ }
+
+ return ret;
+}
+
static void sf_cb_done(struct files_id_ctx *id_ctx)
{
/* Only activate a domain when both callbacks are done */
@@ -722,8 +790,6 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
{
struct files_id_ctx *id_ctx;
errno_t ret;
- errno_t tret;
- bool in_transaction = false;
id_ctx = talloc_get_type(pvt, struct files_id_ctx);
if (id_ctx == NULL) {
@@ -740,49 +806,17 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
dp_sbus_reset_users_memcache(id_ctx->be->provider);
dp_sbus_reset_initgr_memcache(id_ctx->be->provider);
- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
- if (ret != EOK) {
- goto done;
- }
- in_transaction = true;
-
- ret = delete_all_users(id_ctx->domain);
- if (ret != EOK) {
- goto done;
- }
-
- /* All users were deleted, therefore we need to enumerate each file again */
- for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
- ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n");
- goto done;
- }
- }
-
- /* Covers the case when someone edits /etc/group, adds a group member and
+ /* Using SF_UDPATE_BOTH here the case when someone edits /etc/group, adds a group member and
* only then edits passwd and adds the user. The reverse is not needed,
* because member/memberof links are established when groups are saved.
*/
- ret = delete_all_groups(id_ctx->domain);
- if (ret != EOK) {
- goto done;
- }
-
- /* All groups were deleted, therefore we need to enumerate each file again */
- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
- goto done;
- }
- }
-
- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
+ ret = sf_enum_files(id_ctx, SF_UPDATE_BOTH);
if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not update files: [%d]: %s\n",
+ ret, sss_strerror(ret));
goto done;
}
- in_transaction = false;
id_ctx->updating_passwd = false;
sf_cb_done(id_ctx);
@@ -790,14 +824,6 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
ret = EOK;
done:
- if (in_transaction) {
- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
- if (tret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot cancel transaction: %d\n", ret);
- }
- }
-
return ret;
}
@@ -805,8 +831,6 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
{
struct files_id_ctx *id_ctx;
errno_t ret;
- errno_t tret;
- bool in_transaction = false;
id_ctx = talloc_get_type(pvt, struct files_id_ctx);
if (id_ctx == NULL) {
@@ -823,47 +847,20 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
dp_sbus_reset_groups_memcache(id_ctx->be->provider);
dp_sbus_reset_initgr_memcache(id_ctx->be->provider);
- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
- if (ret != EOK) {
- goto done;
- }
- in_transaction = true;
-
- ret = delete_all_groups(id_ctx->domain);
- if (ret != EOK) {
- goto done;
- }
-
- /* All groups were deleted, therefore we need to enumerate each file again */
- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
- goto done;
- }
- }
-
- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
+ ret = sf_enum_files(id_ctx, SF_UPDATE_GROUP);
if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not update files: [%d]: %s\n",
+ ret, sss_strerror(ret));
goto done;
}
- in_transaction = false;
id_ctx->updating_groups = false;
sf_cb_done(id_ctx);
files_account_info_finished(id_ctx, BE_REQ_GROUP, ret);
ret = EOK;
-
done:
- if (in_transaction) {
- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
- if (tret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot cancel transaction: %d\n", ret);
- }
- }
-
return ret;
}
@@ -873,62 +870,14 @@ static void startup_enum_files(struct tevent_context *ev,
{
struct files_id_ctx *id_ctx = talloc_get_type(pvt, struct files_id_ctx);
errno_t ret;
- errno_t tret;
- bool in_transaction = false;
talloc_zfree(imm);
- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
- if (ret != EOK) {
- goto done;
- }
- in_transaction = true;
-
- ret = delete_all_users(id_ctx->domain);
- if (ret != EOK) {
- goto done;
- }
-
- ret = delete_all_groups(id_ctx->domain);
+ ret = sf_enum_files(id_ctx, SF_UPDATE_BOTH);
if (ret != EOK) {
- goto done;
- }
-
- for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
- DEBUG(SSSDBG_TRACE_FUNC,
- "Startup user enumeration of [%s]\n", id_ctx->passwd_files[i]);
- ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Enumerating users failed, data might be inconsistent!\n");
- goto done;
- }
- }
-
- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
- DEBUG(SSSDBG_TRACE_FUNC,
- "Startup group enumeration of [%s]\n", id_ctx->group_files[i]);
- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Enumerating groups failed, data might be inconsistent!\n");
- goto done;
- }
- }
-
- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
- if (ret != EOK) {
- goto done;
- }
- in_transaction = false;
-
-done:
- if (in_transaction) {
- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
- if (tret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot cancel transaction: %d\n", ret);
- }
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not update files after startup: [%d]: %s\n",
+ ret, sss_strerror(ret));
}
}
--
2.14.3

75
0050-FILES-Reset-the-domain-status-back-even-on-errors.patch
View File

@ -1,75 +0,0 @@
From 12876995fe664ac05149fa5d843836aed5ce33e9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 17 Apr 2018 14:38:03 +0200
Subject: [PATCH] FILES: Reset the domain status back even on errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The block that resets the domain status was only called on success, so
on error, the domain would have been permanently stuck in an
inconsistent state.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 81f16996c980a75e98538c7dd91baf9e0e635f58)
---
src/providers/files/files_ops.c | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
index 370af1274..b91078417 100644
--- a/src/providers/files/files_ops.c
+++ b/src/providers/files/files_ops.c
@@ -793,8 +793,7 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
id_ctx = talloc_get_type(pvt, struct files_id_ctx);
if (id_ctx == NULL) {
- ret = EINVAL;
- goto done;
+ return EINVAL;
}
DEBUG(SSSDBG_TRACE_FUNC, "passwd notification\n");
@@ -818,12 +817,11 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
goto done;
}
+ ret = EOK;
+done:
id_ctx->updating_passwd = false;
sf_cb_done(id_ctx);
files_account_info_finished(id_ctx, BE_REQ_USER, ret);
-
- ret = EOK;
-done:
return ret;
}
@@ -834,8 +832,7 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
id_ctx = talloc_get_type(pvt, struct files_id_ctx);
if (id_ctx == NULL) {
- ret = EINVAL;
- goto done;
+ return EINVAL;
}
DEBUG(SSSDBG_TRACE_FUNC, "group notification\n");
@@ -855,12 +852,11 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
goto done;
}
+ ret = EOK;
+done:
id_ctx->updating_groups = false;
sf_cb_done(id_ctx);
files_account_info_finished(id_ctx, BE_REQ_GROUP, ret);
-
- ret = EOK;
-done:
return ret;
}
--
2.14.3

145
0051-FILES-Skip-files-that-are-not-created-yet.patch
View File

@ -1,145 +0,0 @@
From 7703a7efe1ed4800a7676cfaac9bd00fec7de1c4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 4 Apr 2018 14:13:56 +0200
Subject: [PATCH] FILES: Skip files that are not created yet
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In order to avoid complex ordering logic, even if one file is updated,
we flush all the entries. In theory, we could only flush the individual
file and all the files preceding it, but it's safer to just create a
complete mirror every time.
And this can be problematic if one of the files we try to update is not
created yet during the update. This can happen e.g. when a file is not
created during early boot.
To solve this, try to be very defensive and always flush the whole
database, ignore ENOENT errors, but abort on all other errors.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit c1bce7da6c33b352dc708a5dd9712a4d96c63057)
---
src/providers/files/files_ops.c | 22 ++++++++++---
src/tests/intg/test_files_provider.py | 60 +++++++++++++++++++++++++++++++++++
2 files changed, 78 insertions(+), 4 deletions(-)
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
index b91078417..f5a40297a 100644
--- a/src/providers/files/files_ops.c
+++ b/src/providers/files/files_ops.c
@@ -734,8 +734,15 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx,
/* All users were deleted, therefore we need to enumerate each file again */
for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n");
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "The file %s does not exist (yet), skipping\n",
+ id_ctx->passwd_files[i]);
+ continue;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot enumerate users from %s, aborting\n",
+ id_ctx->passwd_files[i]);
goto done;
}
}
@@ -750,8 +757,15 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx,
/* All groups were deleted, therefore we need to enumerate each file again */
for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "The file %s does not exist (yet), skipping\n",
+ id_ctx->group_files[i]);
+ continue;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot enumerate groups from %s, aborting\n",
+ id_ctx->group_files[i]);
goto done;
}
}
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
index ce5c7b774..cc9c1f1c7 100644
--- a/src/tests/intg/test_files_provider.py
+++ b/src/tests/intg/test_files_provider.py
@@ -187,6 +187,40 @@ def files_multiple_sources(request):
return alt_pwops, alt_grops
+@pytest.fixture
+def files_multiple_sources_nocreate(request):
+ """
+ Sets up SSSD with multiple sources, but does not actually create
+ the files.
+ """
+ alt_passwd_path = tempfile.mktemp(prefix='altpasswd')
+ request.addfinalizer(lambda: os.unlink(alt_passwd_path))
+
+ alt_group_path = tempfile.mktemp(prefix='altgroup')
+ request.addfinalizer(lambda: os.unlink(alt_group_path))
+
+ passwd_list = ",".join([os.environ["NSS_WRAPPER_PASSWD"], alt_passwd_path])
+ group_list = ",".join([os.environ["NSS_WRAPPER_GROUP"], alt_group_path])
+
+ conf = unindent("""\
+ [sssd]
+ domains = files
+ services = nss
+
+ [nss]
+ debug_level = 10
+
+ [domain/files]
+ id_provider = files
+ passwd_files = {passwd_list}
+ group_files = {group_list}
+ debug_level = 10
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return alt_passwd_path, alt_group_path
+
+
@pytest.fixture
def proxy_to_files_domain_only(request):
conf = unindent("""\
@@ -1113,3 +1147,29 @@ def test_multiple_passwd_group_files(add_user_with_canary,
check_group(GROUP1)
check_group(ALT_GROUP1)
+
+
+def test_multiple_files_created_after_startup(add_user_with_canary,
+ add_group_with_canary,
+ files_multiple_sources_nocreate):
+ """
+ Test that users and groups can be mirrored from multiple files,
+ but those files are not created when SSSD starts, only afterwards.
+ """
+ alt_passwd_path, alt_group_path = files_multiple_sources_nocreate
+
+ check_user(USER1)
+ check_group(GROUP1)
+
+ # touch the files
+ for fpath in (alt_passwd_path, alt_group_path):
+ with open(fpath, "w") as f:
+ pass
+
+ alt_pwops = PasswdOps(alt_passwd_path)
+ alt_grops = GroupOps(alt_group_path)
+ alt_pwops.useradd(**ALT_USER1)
+ alt_grops.groupadd(**ALT_GROUP1)
+
+ check_user(ALT_USER1)
+ check_group(ALT_GROUP1)
--
2.14.3

41
0052-FILES-Only-send-the-request-for-update-if-the-files-.patch
View File

@ -1,41 +0,0 @@
From faba3074869b069a64a66844385cf170f149be4f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 17 Apr 2018 12:32:11 +0200
Subject: [PATCH] FILES: Only send the request for update if the files domain
is inconsistent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/3520
The code was probably commented out as a mistake..
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 77d63f561830c15341b2ffe915a4c86b3c0f88a3)
---
src/responder/common/responder_dp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
index 8cc734813..9669b5fee 100644
--- a/src/responder/common/responder_dp.c
+++ b/src/responder/common/responder_dp.c
@@ -598,11 +598,11 @@ static int sss_dp_account_files_params(struct sss_domain_info *dom,
enum sss_dp_acct_type *_type_out,
const char **_opt_name_out)
{
-#if 0
if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "The entries in the files domain are up-to-date\n");
return EOK;
}
-#endif
DEBUG(SSSDBG_TRACE_INTERNAL,
"Domain files is not consistent, issuing update\n");
--
2.14.3

551
0053-TESTS-simple-CA-to-generate-certificates-for-test.patch
View File

@ -1,551 +0,0 @@
From 0e53e397599da4b5d86121f6ee3de50c0389783e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 14 Feb 2019 18:35:40 +0100
Subject: [PATCH] TESTS: simple CA to generate certificates for test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To avoid issue with certificate lifetimes a simple OpenSSL based CA is
used to generate certificates for tests.
To make management easy all related data is kept in
src/tests/test_CA. Since some header files will be generated the
generation of the needed files is added to BUILT_SOURCES as other
generated code.
Related to https://pagure.io/SSSD/sssd/issue/3436
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 19f5dd0b8dc4eff3373a0ac9ea17c2440628fd4c)
---
Makefile.am | 15 ++-
configure.ac | 4 +-
contrib/sssd.spec.in | 8 ++
src/external/test_ca.m4 | 42 +++++++++
src/tests/test_CA/Makefile.am | 93 +++++++++++++++++++
src/tests/test_CA/README | 26 ++++++
src/tests/test_CA/SSSD_test_CA.config | 47 ++++++++++
src/tests/test_CA/SSSD_test_CA_key.pem | 52 +++++++++++
src/tests/test_CA/SSSD_test_cert_0001.config | 20 ++++
src/tests/test_CA/SSSD_test_cert_0002.config | 19 ++++
src/tests/test_CA/SSSD_test_cert_key_0001.pem | 28 ++++++
src/tests/test_CA/SSSD_test_cert_key_0002.pem | 28 ++++++
12 files changed, 380 insertions(+), 2 deletions(-)
create mode 100644 src/external/test_ca.m4
create mode 100644 src/tests/test_CA/Makefile.am
create mode 100644 src/tests/test_CA/README
create mode 100644 src/tests/test_CA/SSSD_test_CA.config
create mode 100644 src/tests/test_CA/SSSD_test_CA_key.pem
create mode 100644 src/tests/test_CA/SSSD_test_cert_0001.config
create mode 100644 src/tests/test_CA/SSSD_test_cert_0002.config
create mode 100644 src/tests/test_CA/SSSD_test_cert_key_0001.pem
create mode 100644 src/tests/test_CA/SSSD_test_cert_key_0002.pem
diff --git a/Makefile.am b/Makefile.am
index d52fe0670..d9477cb64 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -21,7 +21,7 @@ if HAVE_MANPAGES
SUBDIRS += src/man
endif
-SUBDIRS += . src/tests/cwrap src/tests/intg
+SUBDIRS += . src/tests/cwrap src/tests/intg src/tests/test_CA
# Some old versions of automake don't define builddir
builddir ?= .
@@ -2411,6 +2411,7 @@ pam_srv_tests_SOURCES = \
$(NULL)
pam_srv_tests_CFLAGS = \
-U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
+ -I$(abs_builddir)/src \
$(AM_CFLAGS) \
$(NULL)
pam_srv_tests_LDFLAGS = \
@@ -3286,6 +3287,7 @@ test_cert_utils_SOURCES = \
$(NULL)
test_cert_utils_CFLAGS = \
$(AM_CFLAGS) \
+ -I$(abs_builddir)/src \
$(CRYPTO_CFLAGS) \
$(NULL)
test_cert_utils_LDADD = \
@@ -4975,6 +4977,17 @@ endif
CLEANFILES += *.X */*.X */*/*.X
+test_CA: test_CA.stamp
+
+test_CA.stamp: $(srcdir)/src/tests/test_CA/*
+ $(MAKE) -C src/tests/test_CA ca_all
+ touch $@
+
+if BUILD_TEST_CA
+BUILT_SOURCES += test_CA
+endif
+CLEANFILES += test_CA.stamp
+
tests: all $(check_PROGRAMS)
(cd src/tests/cwrap && $(MAKE) $(AM_MAKEFLAGS) $@) || exit 1;
diff --git a/configure.ac b/configure.ac
index 69deb811e..725c28f52 100644
--- a/configure.ac
+++ b/configure.ac
@@ -208,6 +208,7 @@ m4_include([src/external/libresolv.m4])
m4_include([src/external/intgcheck.m4])
m4_include([src/external/systemtap.m4])
m4_include([src/external/service.m4])
+m4_include([src/external/test_ca.m4])
if test x$with_secrets = xyes; then
m4_include([src/external/libhttp_parser.m4])
@@ -483,6 +484,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x])
AM_CHECK_CMOCKA
AM_CHECK_UID_WRAPPER
AM_CHECK_NSS_WRAPPER
+AM_CHECK_TEST_CA
# Check if the user wants SSSD to be compiled with systemtap probes
AM_CHECK_SYSTEMTAP
@@ -506,7 +508,7 @@ AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config
contrib/sssd-pcsc.rules
src/sysv/sssd src/sysv/gentoo/sssd src/sysv/SUSE/sssd
po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile
- src/tests/intg/Makefile
+ src/tests/intg/Makefile src/tests/test_CA/Makefile
src/lib/ipa_hbac/ipa_hbac.pc src/lib/ipa_hbac/ipa_hbac.doxy
src/lib/idmap/sss_idmap.pc src/lib/idmap/sss_idmap.doxy
src/lib/certmap/sss_certmap.pc src/lib/certmap/sss_certmap.doxy
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index f69f192fe..25314596b 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -209,6 +209,14 @@ BuildRequires: selinux-policy-targeted
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: uid_wrapper
BuildRequires: nss_wrapper
+
+# Test CA requires openssl independent if SSSD is build with NSS or openssl,
+# openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil.
+# Currently only cmocka based tests use the test CA. If it is used elsewhere
+# you might want to move the following requires out of the if-block.
+BuildRequires: openssl
+BuildRequires: openssh
+BuildRequires: nss-tools
%endif
BuildRequires: libnl3-devel
%if (0%{?use_systemd} == 1)
diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4
new file mode 100644
index 000000000..eb624acf3
--- /dev/null
+++ b/src/external/test_ca.m4
@@ -0,0 +1,42 @@
+dnl Check for tools needed to run the test CA
+AC_DEFUN([AM_CHECK_TEST_CA],
+[
+ AC_PATH_PROG([OPENSSL], [openssl])
+ if test ! -x "$OPENSSL"; then
+ AC_MSG_NOTICE([Could not find openssl])
+ fi
+
+ AC_PATH_PROG([SSH_KEYGEN], [ssh-keygen])
+ if test ! -x "$SSH_KEYGEN"; then
+ AC_MSG_NOTICE([Could not find ssh-keygen])
+ else
+ AC_MSG_CHECKING([for -m option of ssh-keygen])
+ if AC_RUN_LOG([$SSH_KEYGEN --help 2>&1 |grep -- '-m ' > /dev/null]); then
+ AC_MSG_RESULT([yes])
+ else
+ SSH_KEYGEN=""
+ AC_MSG_RESULT([no])
+ fi
+ fi
+
+ if test x$cryptolib = xnss; then
+ AC_PATH_PROG([CERTUTIL], [certutil])
+ if test ! -x "$CERTUTIL"; then
+ AC_MSG_NOTICE([Could not find certutil])
+ fi
+
+ AC_PATH_PROG([PK12UTIL], [pk12util])
+ if test ! -x "$PK12UTIL"; then
+ AC_MSG_NOTICE([Could not find pk12util])
+ fi
+
+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$CERTUTIL" -a -x "$PK12UTIL"])
+ else
+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN"])
+ fi
+
+ AM_COND_IF([BUILD_TEST_CA],
+ [AC_DEFINE_UNQUOTED(HAVE_TEST_CA, 1,
+ [Build with certificates from test CA])],
+ [AC_MSG_WARN([Test CA cannot be build, skiping some tests])])
+])
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
new file mode 100644
index 000000000..a23a3feef
--- /dev/null
+++ b/src/tests/test_CA/Makefile.am
@@ -0,0 +1,93 @@
+dist_noinst_DATA = \
+ SSSD_test_CA.config \
+ SSSD_test_CA_key.pem \
+ SSSD_test_cert_0001.config \
+ SSSD_test_cert_0002.config \
+ SSSD_test_cert_key_0001.pem \
+ SSSD_test_cert_key_0002.pem \
+ $(NULL)
+
+openssl_ca_config = $(srcdir)/SSSD_test_CA.config
+openssl_ca_key = $(srcdir)/SSSD_test_CA_key.pem
+pwdfile = pwdfile
+
+configs := $(notdir $(wildcard $(srcdir)/SSSD_test_cert_*.config))
+ids := $(subst SSSD_test_cert_,,$(basename $(configs)))
+certs = $(addprefix SSSD_test_cert_x509_,$(addsuffix .pem,$(ids)))
+certs_h = $(addprefix SSSD_test_cert_x509_,$(addsuffix .h,$(ids)))
+pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids)))
+pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids)))
+pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
+
+if HAVE_NSS
+nssdb = p11_nssdb p11_nssdb_2certs
+endif
+
+# If openssl is run in parallel there might be conflicts with the serial
+.NOTPARALLEL:
+
+ca_all: clean serial SSSD_test_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(nssdb)
+
+$(pwdfile):
+ @echo "12345678" > $@
+
+SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial
+ $(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@
+
+
+SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test_cert_%.config
+ $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_$*.config -out $@
+
+SSSD_test_cert_x509_%.pem: SSSD_test_cert_req_%.pem $(openssl_ca_config) SSSD_test_CA.pem
+ $(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -out $@
+
+SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile)
+ $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@
+
+SSSD_test_cert_pubkey_%.pem: SSSD_test_cert_x509_%.pem
+ $(OPENSSL) x509 -in $< -pubkey -noout > $@
+
+SSSD_test_cert_pubsshkey_%.pub: SSSD_test_cert_pubkey_%.pem
+ $(SSH_KEYGEN) -i -m PKCS8 -f $< > $@
+
+SSSD_test_cert_x509_%.h: SSSD_test_cert_x509_%.pem
+ @echo "#define SSSD_TEST_CERT_$* \""$(shell cat $< |openssl x509 -outform der | base64 -w 0)"\"" > $@
+
+SSSD_test_cert_pubsshkey_%.h: SSSD_test_cert_pubsshkey_%.pub
+ @echo "#define SSSD_TEST_CERT_SSH_KEY_$* \""$(shell cut -d' ' -f2 $<)"\"" > $@
+
+# This nss db is used in
+# - src/tests/cmocka/test_cert_utils.c (validation only)
+# - src/tests/cmocka/test_pam_srv.c
+p11_nssdb: SSSD_test_cert_pkcs12_0001.pem SSSD_test_CA.pem $(pwdfile)
+ mkdir $@
+ $(CERTUTIL) -d sql:./$@ -N --empty-password
+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
+
+# This nss db is used in
+# - src/tests/cmocka/test_pam_srv.c
+p11_nssdb_2certs: SSSD_test_cert_pkcs12_0001.pem SSSD_test_cert_pkcs12_0002.pem SSSD_test_CA.pem $(pwdfile)
+ mkdir $@
+ $(CERTUTIL) -d sql:./$@ -N --empty-password
+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
+ $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
+ $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile)
+
+CLEANFILES = \
+ index.txt index.txt.attr \
+ index.txt.attr.old index.txt.old \
+ serial serial.old \
+ SSSD_test_CA.pem $(pwdfile) \
+ $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) \
+ $(NULL)
+
+clean-local:
+ rm -rf newcerts
+ rm -rf p11_nssdb
+ rm -rf p11_nssdb_2certs
+
+serial: clean
+ touch index.txt
+ mkdir newcerts
+ echo -n 01 > serial
diff --git a/src/tests/test_CA/README b/src/tests/test_CA/README
new file mode 100644
index 000000000..342fd5890
--- /dev/null
+++ b/src/tests/test_CA/README
@@ -0,0 +1,26 @@
+Simple CA for SSSD tests
+
+To avoid issues with certificate lifetimes during tests certificates can be
+generated with a simple OpenSSL based CA.
+
+To create a new certificate add a suitable and valid OpenSSL config file with a
+[req] section for a certificate signing request (CSR) which must use the name
+pattern SSSD_test_cert_*.config. Additionally a matching key file
+SSSD_test_cert_key_%.pem should be added e.g. with
+
+ openssl genpkey -algorithm RSA -out SSSD_test_cert_key_XYZ.pem -pkeyopt rsa_keygen_bits:2048
+
+It would be possible to generate the keys automatically as well but
+pre-created keys will safe some resources on the hosts running the tests,
+allow more flexibility with algorithms and key lengths and make the tests
+more reproducible.
+
+The Makefile will pick up the config and the keys and generate a X.509
+certificate. For usage in C-code it will generate a header file
+SSSD_test_cert_x509_*.h where the base64 encoded binary certificate is made
+available in a macro called SSSD_TEST_CERT_*. To run test with derived ssh-keys
+the ssh key is available in SSSD_test_cert_pubsshkey_*.h as
+SSSD_TEST_CERT_SSH_KEY_*.
+
+Other targets for other types of tests can be added to the Makefile and should
+be documented here.
diff --git a/src/tests/test_CA/SSSD_test_CA.config b/src/tests/test_CA/SSSD_test_CA.config
new file mode 100644
index 000000000..90ae2233c
--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_CA.config
@@ -0,0 +1,47 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = .
+database = $dir/index.txt
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/SSSD_test_CA.pem
+serial = $dir/serial
+private_key = $dir/SSSD_test_CA_key.pem
+RANDFILE = $dir/rand
+
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+
+policy = policy_any
+email_in_dn = no
+
+name_opt = ca_default
+cert_opt = ca_default
+copy_extensions = copy
+
+[ usr_cert ]
+authorityKeyIdentifier = keyid, issuer
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ policy_any ]
+organizationName = supplied
+organizationalUnitName = supplied
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+O = SSSD
+OU = SSSD test
+CN = SSSD test CA
diff --git a/src/tests/test_CA/SSSD_test_CA_key.pem b/src/tests/test_CA/SSSD_test_CA_key.pem
new file mode 100644
index 000000000..4838d0379
--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_CA_key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDkKj9R0/ato8Qq
+8iww/4BZc14oTk4e94pGssERG2b8wkcnq9gjn7rDaW0j7sqcEnEtR4nbn4dtjZz5
+pObXDRPebsZKf+jPac+PiIKwGMdEQFcrt/hZGlpxDrJKUt144ZmMH69CkBC1MREx
+8GHl3oQ9hnLCE82j4D6i+iVRAFhD6dsmL8YWvzMtjklAiyF6yboD1Vjkxwv06wcZ
+xgJptyFOcIM4RfRu212SQUmOZvfxIl9zmu6h4Vaz4Vm/e9qmRHJZ5cOJPC6wyhLn
+iPyEiuRg7DAI226GO04Kl/Frus5fFrih/hq/GyqYVLHQHBdOZ0MgY/zcwD+eEVOX
+KDFYKAbOwN9rDZC6UW3fPLHMnc0f/6q75s4Qvs3MyP0jtJaqjEe+DpW14u9kivUm
+f6L/nFHgDMoYHavsUOXKHZu0NRAKAxj+IvAnHRlInPQktIzZQ2abYWix//bb7aDx
+WhtOFN/rUXA1mqPahRxSgEst4QnSMxU0hPVET0TQO0A/XwozpkrM80NXOoq8m4kH
+83vknwVurg3VaupctX5fsSZvSYunK4bJ/8+Om7c3pyrxqbV0Y/nwGzjMYIU/iQSM
+XkDzs5MQfdWTmzQMsFUY7huQo0VA4s2mY96LmbABVCFnZTFSf+li3dNMadPpuTO+
+w5jhoR1tcYiWtIDPBuwIFMCwdN1N6QIDAQABAoICAC7SgKYBMokVp2cMxYbUl/lD
+VJo+34c5U1YIztf84JiUIdgBStycpc3+L5iFI2z9193r5V19kmQoAIO2lGyjUWV/
+JBAbyaHu29pfsDoFC7d04K6nFT7ryo2S74GTGcH5wfHgeq3VNKiKRjYSV3S9wjOC
+CMDNIZE0roXxgYDq6jIdpoxil2sJl64Mmfm104wII7Uvrgtc0ZZUOOPQH6SkISCg
+tDzzFiM9vykJXtfrR4xjemUV8UylGo7Vev5xo0AlobXTEdpy0D4VaeW71d45Rn6h
+WYYnybmgJ/bCkZeDAWDAH+mWZNS89XPHRaooaZv8Uuktu7FtfmCou5e0dtPZevPF
+qSCExRRnEvBHxqR71e7NDZt8mHR5H9S+4Io6OMFEfTwFC13TNBEiNspg9XovAjfX
+4u6wSYPKKLH88R5LAuLoBiD6dO+3SiimbaTeD/a+URCfIWUNycExS/3SnWCS2oxW
+h8uS18DwbCbW0b5N8VYldfZ8QK3+GH2B4vV7ZGOFtUW43HUUPlxqL9lpakbAgPba
+enrO2+YqzAIM5NWCvL1+fnaPVGc9deDi63sgq75VkJwBMoiBqIpwSUMUwOmL3RiC
+NdixXJR/HgjP85UrZHQRlcCfSFMduNNjof0WgamXu2TLA4K2clbdiz1DwAgCBpLP
+INKo4fiZZkjiEs3VS9iBAoIBAQD2DjnFAZ0USGpmRqecHhFOL9nZX/we/DCUrkRv
+noiEP9lIz/ITmAzCvvUuyFQcDp3LBplB+T74nvfyMJ6AzbV1Kuw7CluIje5i3wKs
+zYSc49EKxG3PvNlkpbrQkY2/FrBuwakZro/ByzrcCf783cey36IXc5s0EdXiqyB8
+Gn2yQQvyYShAmE1HjBjcURSC8bCn1OKQNR04gbnIIUbe5kn8IIM2SD8cUPIuvBTf
+PAzAMT//6bKwi2v6Y9QK0qOIYEFLTEzonKeLlnErXxytb0wbwCbDWQLprYdSQR/3
+ctVykylPYuTXdCW5qLL5TGuxHKzJodOI0RF8A07CYj7dcQf5AoIBAQDtYuuKp+AT
+ro7Oe4J1bUx/8YlAPDU4UgWbIQjAPUvdiRLZxVRecomNjDMvnz2G/lE8P3CPD0fD
+DZSPhUqUnqanTYLAoVyQh8Zo8NjKJ1wlE9F5CZECeGz1RGZcQBUwK7tZr3EGNw/K
+IShV8/6RVs+I3jjTll2oAoquJ4el0V7sitI6O3Bsh1AoVgZYmJV3qMdODcDJQjNj
+SVetxExhsd2SJztjp5U0uTMf6fXH41CVKo3seRPvaxAhIDpG1He1XEKeeeq3l6Uu
+vzpKmXvNmmzjCZLLY6APvLYv1o65UTn3N/MLIXjgEs07e2JNzhLhAuz5h6sPH0aM
+bx+vOhugy1FxAoIBAQCvFcxRvSYzCpx7jocx9ctGoZIYtc5HlhhTk/Wqn1pxEKXi
+w+Vzv9xEr3D0CySeml/52gYwBdWjQCsasTH4YWhfqV1TXbloX+ZjgGD86XkV0p4r
+VT72dWET10Ipq4j7kn+VMETNu4Mb2StW693/vSiexbcnjOHBmXdixXZmGMucjeCc
+ZjooTLeg07XU//TigGy94CQfjUvvq4+xMsylS6UVvWTguWP/GDJcwwTvHGHOWL07
+suWt7me1UlfOI7iuECAmHnMTinVGRJTe0d0sJGg5zu9GTg5ejVYfV6wRfisYTlM0
+5CAGl+VISRyhfJmc+9SP3ZESaAJTBl+CvjoRhJ6xAoIBAQC3Blq2mAJzClX+q0mF
+ghTGXJLG3OTnnI3H8mtN1LTGhKXtE3CeNU8KvHrGj88fYrt9aSg+lLhukezlzw4W
+kk/JlEBohsDYimaWiIONMVWhHKuX16FfNzxCyk7ld18euckEN/k7on5hCLmRs8Kl
+ijoOu88yi6+AFx2XctDqLwgx9kJqNWPTuWw6/UB9VH+BN7ca3g2y3oDCX0zjpAKE
+HF/KDMeEaTPn55acV4VxbTi3GY09MokFQhW4hKGJ9MyrHwwaJcOrc5ce+L9Xvwiu
+GA816S6t9Az3tTb+oT1/cjnv+so/3bnVgYmM/+9mL6lspRXSuiBQU3vQUOkr7/BX
+RAtxAoIBAQC2AQjrhdjyIhuzDGpL7A/IUfV9Fr37ytRY1r7pOwIVthGK3SmLbV2t
+byT4LeS1XMkpuwfiM/w4uAbRz3QhMGfgv9wUjNCpR9fBd4VZqU9HPk6TasQhxxLU
+q4O+XpvylEqPPzHkvpJUiVEfh7bXSoqbvTP7fUnJ/YzqMyq+NNkJzKccz8+I2BfN
+/WXp6HmKAKhvF2mkFbo+2IXzJoCzHRorBvj/HzMc349cvHtYErJvHZQ2wgfY5CFC
+y2/x/t1pQ6BhrJiNyC1s8jYtboY7mc1yAp6cvtWraOYYk6LCTLbRLPLNqEOKPUFH
+xHflFSh7K6rCRfJGMKKFYtdA09/CAqh+
+-----END PRIVATE KEY-----
diff --git a/src/tests/test_CA/SSSD_test_cert_0001.config b/src/tests/test_CA/SSSD_test_cert_0001.config
new file mode 100644
index 000000000..b6c52a148
--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_cert_0001.config
@@ -0,0 +1,20 @@
+# This certificate is used in
+# - src/tests/cmocka/test_cert_utils.c
+# - src/tests/cmocka/test_pam_srv.c
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+O = SSSD
+OU = SSSD test
+CN = SSSD test cert 0001
+
+[ req_exts ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "SSSD test Certificate"
+subjectKeyIdentifier = hash
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd//
diff --git a/src/tests/test_CA/SSSD_test_cert_0002.config b/src/tests/test_CA/SSSD_test_cert_0002.config
new file mode 100644
index 000000000..8722ffa7e
--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_cert_0002.config
@@ -0,0 +1,19 @@
+# This certificate is used in
+# - src/tests/cmocka/test_pam_srv.c
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+O = SSSD
+OU = SSSD test
+CN = SSSD test cert 0002
+
+[ req_exts ]
+basicConstraints = CA:FALSE
+nsCertType = client
+nsComment = "SSSD test Certificate"
+subjectKeyIdentifier = hash
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd//
diff --git a/src/tests/test_CA/SSSD_test_cert_key_0001.pem b/src/tests/test_CA/SSSD_test_cert_key_0001.pem
new file mode 100644
index 000000000..365c9897a
--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_cert_key_0001.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDX8xglLP+D54dG
+V/lndmQ7YRg1GDuaZilzh/jfAva3psSYDnn1f9wmygNx0HUjlpG72pBOaYthdp1D
+ZGayTlpSUY/3y7+pvokFlY0v9Xhg3yhUyRK95uS/LuY4L8uaoZxMXPW2iP3kzv2v
+BQQlMuBCjL+ji/tX2Zl8CHUldY7QPtSLZcklXmRvu5jHPK5W/eh8E66UNeb/dueq
+ZAzLBZb5g8Blv9dMjf/eSlM/R//au40ZBBa3CRpddaf/gOa9sNGVd6RmzwejZ47k
+hPwkx6t23ZQ7bZkk0NI3H8+/sKkM6aWZaywmLvnyClIgjgZh5zKJgv0ZFAaQ/nST
+a6ke3OetAgMBAAECggEAIHaO3qfREYcwssZu27rUfoiuFu05qJBLEu8R3pSXeiw7
+yZADjYBXHA2qTuXDdkIgTlkg8Gi1Z0VphsQFHDDjKxTPy7R5b48REiHVQ6xnGEjz
+yysfAiU/pe3q9e9ZcDlzQZeH6JTXdhoX0MO0R9NKGzcFaBSXCDHR/O9YjPULLwq8
+K9wZpHV6DPajoPGmZgw1qQr7Lc35nVi9AeNyTGnSrUf4hdjKiA2WA0aC3fkeKQxp
+8z6FJWKot84dGbhYK0fyM0uIMb4wS8gvTmvhjE5pltEstOY3bFebxJ5DtBJPqE5K
+FL6k2tfcctuhiwDsRWar39H5SvXzxHbyaz0nwpI9AQKBgQD2Z+vpncVGZgnV0rwK
+0dcdEMSCOj7i91OVS8IGAvwfpI6n8Hs6upO1PtqvWtnwt8lOMwF3omA5/25ZF1+K
+Y6iPxnqcg4nApG1DVDXMrV1cWUa6Sc95afJE224sZA+yKiyTZsWdxfV5y5rc5V3L
+ZOzXjHOW40W/ZuuNwKR5D9fyUQKBgQDgW5h+9NwyPg+01I9qQgsnlHPA9ndKamcH
+QgnAhdM75wadPnVZTNsOa46pfg0Uy/yqYSo2NZz5CmN6W3baVanyUMMmhDWHmCuV
+6nHmzwlJDiJz7S0ieEUi62NConZbU3YE6zjmKkMU0K8pZEisvX/Hb3K8Py4Jxyhy
+JdX5FRmMnQKBgQCzK2GpX6VgyTWBm1hMbcUDR3v8TaoIk1rdhlaw1F7MC3YHu59/
+Vses1OVi+KbcmGbyS7hXa2SZB5kPgyVflZOt596kDCmQQH+Ko6LzD2SBkBETyDPq
+zxTw6LW15ZRcMrpy/BnZ3WXfiCM1WDrZeKuXGHO8VcoToRzK2DdAKDsX4QKBgQCv
+NHhrNHa8uaB0W8Y/eaHSX+jhWNehgmRA075f3WIvFmQg6cSkXxN2OGJpVCmNAxum
+Rki7mrSh+w3iYIj5Sgp0U8OCUZ6n7BqlcTdPwoCCz4nyM9aaY4fCFEYopEx/VzcD
+8lk1zO0j1S/kyA7E7xtZOFxGS6R9OE0KjyeA44xXNQKBgFRbzhYNerXwepfYi0bR
+plJ8Jg4q4DI+m5QlKGjQLsX4e0sdyOgD8mV3iYofzrull5KZeRQy5qbO9EypFXQ5
++16FbR7VTYgKcwHNtC+8EcsSVwgk57ox4jDY6A/X1DBKUT+m/XyJYE79ZCsFVvl+
+O8zzsFaOeoxTVyVxjHmuhZ6U
+-----END PRIVATE KEY-----
diff --git a/src/tests/test_CA/SSSD_test_cert_key_0002.pem b/src/tests/test_CA/SSSD_test_cert_key_0002.pem
new file mode 100644
index 000000000..d80349f50
--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_cert_key_0002.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCvhgVEGejE4Gcr
+b2lXw2scPpvXa2BaJ2DtFNgofEKhPlBoS7E913YXIG+kSE2i7YezAzHyd0hVEBqR
+QVlhGg5LCeOrQTRASSNUCgWzEXnRbPrvQbeZc7T6k1QIAmTNlpIc7mrO5bjOkR6Y
+DVNTDmW90aCo4IyarJAru1xQTjS+TDtJNvIgqI1BtnpH67JXt/2UsQYAD4lQQmAf
+gEj3a2bD+EuJVVFt4rar+QE3EUZi265cK3IfV6OkzDP/ZuN9sxr5adk0QE/2jC+b
+1sB0VxLxWhGszuOtdhkO/bxcfjWj/EWGa0nezukDeob3k+b4f6Z5kfW9GJCdCOOQ
+Rr1Mv6oZAgMBAAECggEAUICdZbCka7eoWemNXS1JsPieLV0YIgExmUsYIOls/dtA
+sbUVo5FwngbIbYaj5PggZuAuRlCjIjBynvBj9/8lUxFEFEWhm2JwC5lVJ936Cy16
+ocV4Wa8R8GMmBU5jwU8v0Ikg/6eo7UTtzTs/XjaaP0cn8oyasE45CXWzTzmvQx+d
+FwfcTkhc6KALf+CHTk7mE8QT3vMgVQMRiisF998fnJDkW9U4pPygcg1BAq8wjix8
+YwVAlk/Vq6MxmOViqTNEmnBd5dfZ/f9SYGkR7AvZgENEDNtkd7fE37YXdTSYfBWd
+lhHm4UkTUSsHl+Xx5w5r/e9xcK/z/49WUJnK2mVcAQKBgQDUv+szGloLyy0OT9SK
+qqqiL7AtUtfCRPH9Gk/UYBGLzktuioac9m1tDo5RsiInFjSmBe4wTGrkhrAJP1Vh
+DOpXGqMe0cV/QqOL/XnsJi6ySHzGhiR+F+iBQLk13ya1TIiGIG65mxVU7ZceBWzH
+AoAjkwV9c/lUGX3yhJ8zUPPYQQKBgQDTNL/WNNHx5PD8XV9voupVFh5nLA9CqCYR
+/07O8pMKve/DjswT40mz/Bwd8xKPFIjTtPMuRd1mORnkF/Q/1WuO5dZG6UUTQT5V
+KdtI8VwhQlTz7/DjXm4O+mkwY9vfhTQylUsqh2rX6WkIedj1b6rT5Jg6fHMn34N2
+/9UGEp6b2QKBgQCIJ4MIo3a5UYA2RpTJYcvuHALuHrSCWclcp/gq/Ih+JrpTtkfM
+MFF7l/MxCYWd6jIrhmQXePB37FLAuE2V3MQklqGKWcnBVg6Ayum6Xf1Ij+d6zeKQ
+6BAemCNv/K4zHRXKcPsrwbp3Lc6moeYpvsnu+mprDUulrOLT0FhqaQaFgQKBgQDG
+dqfZUlMBub8VdWwri+wkvh8dldJVMYpsmPrmDh1MF8TIf1OXUJm+TiXhorqKxqH4
+Re3JSo9L8lY49qVmolZqteCPS73D5Sf8gNN1DJAlFJ6dhpdWIDLNUlMrzHoc5J9y
+9MToFs24S7WN6GmN4Dum1wSQ2Mag7jArzyTOiwqNqQKBgFh12/YF4tiePqG1aOaB
++L5GgA/ux+6SNj5TkqeiKqPaptg1tnM/T/ChiWmwZzee1ZeMEBbDWtbEMf15In7/
+OM5OSMU+SIgWposXDTDKM9ZMQZW6h9IQy/IxwvF8BrroS0vF9vOXKOz4Aw+5Kugq
+JxM2HRDRdC23CGRuGjv+hO4d
+-----END PRIVATE KEY-----
--
2.17.0

365
0054-TESTS-replace-hardcoded-certificates.patch
View File

@ -1,365 +0,0 @@
From a6514e1829c018c7b68b168e6206ec51bd8a7e08 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 14 Feb 2019 18:35:49 +0100
Subject: [PATCH] TESTS: replace hardcoded certificates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since the hardcoded certificates have a limited lifetime they are
replaces by certificates from the test CA.
Related to https://pagure.io/SSSD/sssd/issue/3436
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 0dc7f90667df6420bc9e93ae2c8bacd6ea148f0f)
---
src/tests/cmocka/test_cert_utils.c | 41 ++++--------
src/tests/cmocka/test_pam_srv.c | 104 +++++++++++------------------
2 files changed, 50 insertions(+), 95 deletions(-)
diff --git a/src/tests/cmocka/test_cert_utils.c b/src/tests/cmocka/test_cert_utils.c
index f50030e49..dd58b73a7 100644
--- a/src/tests/cmocka/test_cert_utils.c
+++ b/src/tests/cmocka/test_cert_utils.c
@@ -34,6 +34,13 @@
#include "util/crypto/nss/nss_util.h"
#include "util/crypto/sss_crypto.h"
+#ifdef HAVE_TEST_CA
+#include "tests/test_CA/SSSD_test_cert_pubsshkey_0001.h"
+#include "tests/test_CA/SSSD_test_cert_x509_0001.h"
+#else
+#define SSSD_TEST_CERT_0001 ""
+#define SSSD_TEST_CERT_SSH_KEY_0001 ""
+#endif
/* TODO: create a certificate for this test */
const uint8_t test_cert_der[] = {
@@ -325,32 +332,6 @@ void test_sss_cert_derb64_to_ldap_filter(void **state)
talloc_free(filter);
}
-#define SSH_TEST_CERT \
-"MIIECTCCAvGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \
-"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA1MjMx" \
-"NDEzNDlaFw0xODA1MjQxNDEzNDlaMDIxEjAQBgNVBAoMCUlQQS5ERVZFTDEcMBoG" \
-"A1UEAwwTaXBhLWRldmVsLmlwYS5kZXZlbDCCASIwDQYJKoZIhvcNAQEBBQADggEP" \
-"ADCCAQoCggEBALfEAE0IUlOAgDTdZQGcYA03IPooixNnkUQruh0eU3uw+KYGQoS1" \
-"YCdCHJzRc+IfuqdNntgtGDIpWADRwB4h963pBImpMSU5L1T4uiHNCpvl9eMt4ynk" \
-"xduOa+JmJUvqvwe7Gj9iDql4lWmJcXvq74/yOc3MBSPQCdg/pHZU65+NjSZmZzlN" \
-"eNV3tQKrhMe6tM00pai2igXilfUpzOU2v+AX69oOesrqTUl9i2eCUirGanR9l95d" \
-"yVCcmIDJd2P2NLIkhbHGRitfTC/tQZ4G+Edg9STw8Y+4ljp2rTHs59dWRBe2Gn8Z" \
-"Zt8zZ5WuNxARVF1THI9X6ydX/uoaz8R7pfkCAwEAAaOCASYwggEiMB8GA1UdIwQY" \
-"MBaAFPci/0Km5D/L5z7YqwEc7E1/GwgcMDsGCCsGAQUFBwEBBC8wLTArBggrBgEF" \
-"BQcwAYYfaHR0cDovL2lwYS1jYS5pcGEuZGV2ZWwvY2Evb2NzcDAOBgNVHQ8BAf8E" \
-"BAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdHwRtMGsw" \
-"aaAxoC+GLWh0dHA6Ly9pcGEtY2EuaXBhLmRldmVsL2lwYS9jcmwvTWFzdGVyQ1JM" \
-"LmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRl" \
-"IEF1dGhvcml0eTAdBgNVHQ4EFgQUMydoshxYXhDXOMo/EETvrZaQuBwwDQYJKoZI" \
-"hvcNAQELBQADggEBADIrTFNvEdZGna7jD1xpiLGGUwCi11GQT+Txg5B7dydUn5U5" \
-"32zSBBZV6bsy0E+PiiAgehJObv9hBaOWnhp7ltNyQod1OLdI1t988ow2wxHvUEEi" \
-"MhRF0h2RJwdYIUIIF7XC01mKBOFj/84vvMOgLToZnGqVzArkzpr1aCaHI7EoTkpb" \
-"V16v+drZkXc47JuHg5CRjTHV/kFPm63gQ8Fstmw/dQZBzbCiVzmcG0Xm9r4jMOOf" \
-"YjVueMt/jk1LP4KoSCBY6kLMcpL5rQm53hO82rPAgV695rjdPlIUm09dvkCl28ZD" \
-"109Ju18eAaaVFewK82NDg9rsNraBKxMCBSgg0es="
-
-#define SSH_PUB_KEY "AAAAB3NzaC1yc2EAAAADAQABAAABAQC3xABNCFJTgIA03WUBnGANNyD6KIsTZ5FEK7odHlN7sPimBkKEtWAnQhyc0XPiH7qnTZ7YLRgyKVgA0cAeIfet6QSJqTElOS9U+LohzQqb5fXjLeMp5MXbjmviZiVL6r8Huxo/Yg6peJVpiXF76u+P8jnNzAUj0AnYP6R2VOufjY0mZmc5TXjVd7UCq4THurTNNKWotooF4pX1KczlNr/gF+vaDnrK6k1JfYtnglIqxmp0fZfeXclQnJiAyXdj9jSyJIWxxkYrX0wv7UGeBvhHYPUk8PGPuJY6dq0x7OfXVkQXthp/GWbfM2eVrjcQEVRdUxyPV+snV/7qGs/Ee6X5"
-
void test_cert_to_ssh_key(void **state)
{
int ret;
@@ -366,13 +347,13 @@ void test_cert_to_ssh_key(void **state)
struct test_state *ts = talloc_get_type_abort(*state, struct test_state);
assert_non_null(ts);
- der = sss_base64_decode(ts, SSH_TEST_CERT, &der_size);
+ der = sss_base64_decode(ts, SSSD_TEST_CERT_0001, &der_size);
assert_non_null(der);
- exp_key = sss_base64_decode(ts, SSH_PUB_KEY, &exp_key_size);
+ exp_key = sss_base64_decode(ts, SSSD_TEST_CERT_SSH_KEY_0001, &exp_key_size);
assert_non_null(exp_key);
- ret = cert_to_ssh_key(ts, "sql:" ABS_SRC_DIR "/src/tests/cmocka/p11_nssdb",
+ ret = cert_to_ssh_key(ts, "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
der, der_size, &cert_verify_opts, &key, &key_size);
assert_int_equal(ret, EOK);
assert_int_equal(key_size, exp_key_size);
@@ -407,8 +388,10 @@ int main(int argc, const char *argv[])
setup, teardown),
cmocka_unit_test_setup_teardown(test_sss_cert_derb64_to_ldap_filter,
setup, teardown),
+#ifdef HAVE_TEST_CA
cmocka_unit_test_setup_teardown(test_cert_to_ssh_key,
setup, teardown),
+#endif
};
/* Set debug level to invalid value so we can decide if -d 0 was used. */
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index c510c2d3b..e68e81f97 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -38,6 +38,14 @@
#include "util/crypto/nss/nss_util.h"
#endif
+#ifdef HAVE_TEST_CA
+#include "tests/test_CA/SSSD_test_cert_x509_0001.h"
+#include "tests/test_CA/SSSD_test_cert_x509_0002.h"
+#else
+#define SSSD_TEST_CERT_0001 ""
+#define SSSD_TEST_CERT_0002 ""
+#endif
+
#define TESTS_PATH "tp_" BASE_FILE_STEM
#define TEST_CONF_DB "test_pam_conf.ldb"
#define TEST_DOM_NAME "pam_test"
@@ -52,55 +60,11 @@
#define TEST_TOKEN_NAME "SSSD Test Token"
#define TEST_MODULE_NAME "NSS-Internal"
-#define TEST_KEY_ID "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7"
-#define TEST_PROMPT "Server-Cert\nCN=ipa-devel.ipa.devel,O=IPA.DEVEL"
-#define TEST_TOKEN_CERT \
-"MIIECTCCAvGgAwIBAgIBCTANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \
-"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA1MjMx" \
-"NDE0MTVaFw0xODA1MjQxNDE0MTVaMDIxEjAQBgNVBAoMCUlQQS5ERVZFTDEcMBoG" \
-"A1UEAwwTaXBhLWRldmVsLmlwYS5kZXZlbDCCASIwDQYJKoZIhvcNAQEBBQADggEP" \
-"ADCCAQoCggEBALHvOzZy/3llvoAYxrtOpux0gDVvSuSRpTGOW/bjpgdTowvXoOb5" \
-"G9Cy/9S6be7ZJ9D95lc/J9W8tX+ShKN8Q4b74l4WjmILQJ4dUsJ/BXfvoMPR8tw/" \
-"G47dGbLZanMXdWGBSTuXhoiogZWib2DhSwrX2DbEH5L3OWooeAVU5ZWOw55/HD7O" \
-"Q/7Of7H3tf4bvxNTFkxh39KQMG28wjPZSv+SZWNHMB+rj2yZgyeHBMkoPOPesAEi" \
-"7KKHxw1MHSv2xBI1AiV+aMdKfYUMy0Rq3PrRU4274i3eaBX4Q9GnDi36K/7bHjbt" \
-"LW0YTIW/L5/cH/BO88BREjxS3bEXAQqlKOcCAwEAAaOCASYwggEiMB8GA1UdIwQY" \
-"MBaAFPci/0Km5D/L5z7YqwEc7E1/GwgcMDsGCCsGAQUFBwEBBC8wLTArBggrBgEF" \
-"BQcwAYYfaHR0cDovL2lwYS1jYS5pcGEuZGV2ZWwvY2Evb2NzcDAOBgNVHQ8BAf8E" \
-"BAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdHwRtMGsw" \
-"aaAxoC+GLWh0dHA6Ly9pcGEtY2EuaXBhLmRldmVsL2lwYS9jcmwvTWFzdGVyQ1JM" \
-"LmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRl" \
-"IEF1dGhvcml0eTAdBgNVHQ4EFgQUIJuWIts3m3uEYqJ9pUL0y7utTiEwDQYJKoZI" \
-"hvcNAQELBQADggEBAB0GyqGxtZ99fsXA1+fHfAwKOwznT7Hh8hN9efEMBJICVud+" \
-"ivUBOH6JpSTWgNLuBhrpebV/b/DSjhn+ayuvoPWng3hjwMbSEIe0euzCEdwVcokt" \
-"bwNMMSeTxSg6wbJnEyZqQEIr2h/TR9dRNxE+RbQXyamW0fUxSVT16iueL0hMwszT" \
-"jCfI/UZv3tDMHbh6D4811A0HO8daW7ufMGb/M+kDxYigJiL2gllMZ+6xba1RRgzF" \
-"8Z+9gqZhCa7FEKJOPNR9RVtJs0qUUutMZrp1zpyx0GTmXQBA7LbgPxy8L68uymEQ" \
-"XyQBwOYRORlnfGyu+Yc9c3E0Wx8Tlznz0lqPR9g="
-
-#define TEST2_KEY_ID "C8D60E009EB195D01A7083EE1D5419251AA87C2C"
-#define TEST2_PROMPT "ipaCert\nCN=IPA RA,O=IPA.DEVEL"
-#define TEST_TOKEN_2ND_CERT \
-"MIIDazCCAlOgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \
-"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA1MjMx" \
-"NDEzMDFaFw0xODA1MTMxNDEzMDFaMCUxEjAQBgNVBAoMCUlQQS5ERVZFTDEPMA0G" \
-"A1UEAwwGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3abE" \
-"8LmIc6QN16VVxsMlN/rrCOoZKyyJolSzpP4+K66t+KZUiW/1j1MZogjyYyD39U1F" \
-"zpa2H+pID74XYrdiqP7sp+uE9/k2XOv/nN3FobXDt+fSINLDriCmxNhUZqpgo2uq" \
-"Mmka+yx2iJZwkntEoJTcd3aynoa2Sa2ZZbkMBy5p6/pUQKwnD6scOwe6mUDppIBK" \
-"+ZZRm+u/NDdIRFI5wfKLRR1r/ONaJA9nz1TxSEsgLsjG/1m+Zbb6lGG4pePIFkQ9" \
-"Iotpi64obBh93oIxzQR29lBG/FMjQVHlPIbx+xuGx11Vtp5pAomgFz0HRrj0leI7" \
-"bROE+jnC/VGPLQD2aQIDAQABo4GWMIGTMB8GA1UdIwQYMBaAFPci/0Km5D/L5z7Y" \
-"qwEc7E1/GwgcMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAYYlaHR0cDovL2lw" \
-"YS1kZXZlbC5pcGEuZGV2ZWw6ODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYD" \
-"VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBg" \
-"4Sppx2C3eXPJ4Pd9XElkQPOaBReXf1vV0uk/GlK+rG+aAqAkA2Lryx5PK/iAuzAU" \
-"M6JUpELuQYgqugoCgBXMgsMlpAO/0C3CFq4ZH3KgIsRlRngKPrt6RG0UPMRD1CE2" \
-"tSVkwUWvyK83lDiu2BbWDXyMyz5eZOlp7uHusf5BKvob8jEndHj1YzaNTmVSsDM5" \
-"kiIwf8qgFhsO1HCq08PtAnbVHhqkcvnmIJN98eNWNfTKodDmFVbN8gB0wK+WB5ii" \
-"WVOw7+3/zF1QgqnYX3t+kPLRryip/wvTZkzXWwMNj/W6UHgjNF/4gWGoBgCHu+u3" \
-"EvjMmbVSrEkesibpGQS5"
+#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
+#define TEST_PROMPT "SSSD test cert 0001 - SSSD\nCN=SSSD test cert 0001,OU=SSSD test,O=SSSD"
+#define TEST2_KEY_ID "5405842D56CF31F0BB025A695C5F3E907051C5B9"
+#define TEST2_PROMPT "SSSD test cert 0002 - SSSD\nCN=SSSD test cert 0002,OU=SSSD test,O=SSSD"
static char CACHED_AUTH_TIMEOUT_STR[] = "4";
static const int CACHED_AUTH_TIMEOUT = 4;
@@ -187,7 +151,7 @@ static errno_t setup_nss_db(void)
DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
return ret;
}
- ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/cmocka/p11_nssdb' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_SRC_DIR);
+ ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/test_CA/p11_nssdb' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_BUILD_DIR);
if (ret < 0) {
DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
return ret;
@@ -208,7 +172,7 @@ static errno_t setup_nss_db(void)
DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
return ret;
}
- ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/cmocka/p11_nssdb_2certs' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_SRC_DIR);
+ ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/test_CA/p11_nssdb_2certs' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_BUILD_DIR);
if (ret < 0) {
DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
return ret;
@@ -451,6 +415,7 @@ static int pam_test_setup(void **state)
return 0;
}
+#ifdef HAVE_TEST_CA
#ifdef HAVE_NSS
static int pam_test_setup_no_verification(void **state)
{
@@ -476,6 +441,7 @@ static int pam_test_setup_no_verification(void **state)
return 0;
}
#endif /* HAVE_NSS */
+#endif /* HAVE_TEST_CA */
static int pam_cached_test_setup(void **state)
{
@@ -1915,6 +1881,7 @@ static int test_lookup_by_cert_cb(void *pvt)
return EOK;
}
+
static int test_lookup_by_cert_cb_2nd_cert_same_user(void *pvt)
{
int ret;
@@ -1927,7 +1894,7 @@ static int test_lookup_by_cert_cb_2nd_cert_same_user(void *pvt)
attrs = sysdb_new_attrs(pam_test_ctx);
assert_non_null(attrs);
- der = sss_base64_decode(pam_test_ctx, TEST_TOKEN_2ND_CERT, &der_size);
+ der = sss_base64_decode(pam_test_ctx, SSSD_TEST_CERT_0002, &der_size);
assert_non_null(der);
ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
@@ -2033,7 +2000,7 @@ void test_pam_preauth_cert_match(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -2057,7 +2024,7 @@ void test_pam_preauth_cert_match_gdm_smartcard(void **state)
mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL,
"gdm-smartcard", test_lookup_by_cert_cb,
- TEST_TOKEN_CERT, false);
+ SSSD_TEST_CERT_0001, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -2080,7 +2047,7 @@ void test_pam_preauth_cert_match_wrong_user(void **state)
mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
test_lookup_by_cert_wrong_user_cb,
- TEST_TOKEN_CERT, false);
+ SSSD_TEST_CERT_0001, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -2111,7 +2078,7 @@ void test_pam_preauth_cert_no_logon_name(void **state)
* request will be done with the username found by the certificate
* lookup. */
mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
mock_account_recv_simple();
mock_parse_inp("pamuser", NULL, EOK);
@@ -2140,7 +2107,7 @@ void test_pam_preauth_cert_no_logon_name_with_hint(void **state)
* during pre-auth and there is no need for an extra mocked response as in
* test_pam_preauth_cert_no_logon_name. */
mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -2162,7 +2129,8 @@ void test_pam_preauth_cert_no_logon_name_double_cert(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
- test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, false);
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
+ false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -2185,7 +2153,8 @@ void test_pam_preauth_cert_no_logon_name_double_cert_with_hint(void **state)
pam_test_ctx->rctx->domains->user_name_hint = true;
mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
- test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, false);
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
+ false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -2258,8 +2227,8 @@ void test_pam_cert_auth(void **state)
* in the cache and no second request to the backend is needed. */
mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
"NSS-Internal",
- "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7", NULL,
- test_lookup_by_cert_cb, TEST_TOKEN_CERT, true);
+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, true);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -2292,8 +2261,8 @@ void test_pam_cert_auth_no_logon_name(void **state)
* in the cache and no second request to the backend is needed. */
mock_input_pam_cert(pam_test_ctx, NULL, "123456", "SSSD Test Token",
"NSS-Internal",
- "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7", NULL,
- test_lookup_by_cert_cb, TEST_TOKEN_CERT, true);
+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, true);
mock_account_recv_simple();
mock_parse_inp("pamuser", NULL, EOK);
@@ -2354,8 +2323,9 @@ void test_pam_cert_auth_double_cert(void **state)
mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
"NSS-Internal",
- "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7", NULL,
- test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, true);
+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
+ true);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -2380,7 +2350,7 @@ void test_pam_cert_preauth_2certs_one_mapping(void **state)
set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS);
mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -2403,7 +2373,7 @@ void test_pam_cert_preauth_2certs_two_mappings(void **state)
mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
test_lookup_by_cert_cb_2nd_cert_same_user,
- TEST_TOKEN_CERT, false);
+ SSSD_TEST_CERT_0001, false);
will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
@@ -2812,6 +2782,7 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_pam_cached_auth_failed_combined_pw_with_cached_2fa,
pam_cached_test_setup,
pam_test_teardown),
+#ifdef HAVE_TEST_CA
/* p11_child is not built without NSS */
#ifdef HAVE_NSS
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nocert,
@@ -2856,6 +2827,7 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
pam_test_setup, pam_test_teardown),
#endif /* HAVE_NSS */
+#endif /* HAVE_TEST_CA */
cmocka_unit_test_setup_teardown(test_filter_response,
pam_test_setup, pam_test_teardown),
--
2.17.0

63
0055-DYNDNS-Move-the-retry-logic-into-a-separate-function.patch
View File

@ -1,63 +0,0 @@
From 4452b5e6adb03378ccb8e581e60e73c2237644cf Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 30 Apr 2018 11:16:25 +0200
Subject: [PATCH] DYNDNS: Move the retry logic into a separate function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let's not repeat ourselves
Related to:
https://pagure.io/SSSD/sssd/issue/3725
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 65034a715e5071ad944bf37b414c6a36bf60cf29)
---
src/providers/ldap/sdap_dyndns.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c
index 9d28b5758..f791ba9f3 100644
--- a/src/providers/ldap/sdap_dyndns.c
+++ b/src/providers/ldap/sdap_dyndns.c
@@ -79,6 +79,16 @@ static struct sss_iface_addr*
sdap_get_address_to_delete(struct sss_iface_addr *address_it,
uint8_t remove_af);
+static bool should_retry(int child_status)
+{
+ if (WIFEXITED(child_status)
+ && WEXITSTATUS(child_status) != 0) {
+ return true;
+ }
+
+ return false;
+}
+
struct tevent_req *
sdap_dyndns_update_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
@@ -371,8 +381,7 @@ sdap_dyndns_update_done(struct tevent_req *subreq)
if (ret != EOK) {
/* If the update didn't succeed, we can retry using the server name */
if (state->fallback_mode == false
- && WIFEXITED(child_status)
- && WEXITSTATUS(child_status) != 0) {
+ && should_retry(child_status)) {
state->fallback_mode = true;
DEBUG(SSSDBG_MINOR_FAILURE,
"nsupdate failed, retrying.\n");
@@ -514,8 +523,7 @@ sdap_dyndns_update_ptr_done(struct tevent_req *subreq)
if (ret != EOK) {
/* If the update didn't succeed, we can retry using the server name */
if (state->fallback_mode == false
- && WIFEXITED(child_status)
- && WEXITSTATUS(child_status) != 0) {
+ && should_retry(child_status)) {
state->fallback_mode = true;
DEBUG(SSSDBG_MINOR_FAILURE, "nsupdate failed, retrying\n");
ret = sdap_dyndns_update_ptr_step(req);
--
2.17.0

65
0056-DYNDNS-Retry-also-on-timeouts.patch
View File

@ -1,65 +0,0 @@
From 288c9c42534f0ae24af51ad4b439cdd2656266f9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 30 Apr 2018 11:18:49 +0200
Subject: [PATCH] DYNDNS: Retry also on timeouts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There is the dyndns_server option that is supposed to make it possible
for the admin to select a server to update DNS with if the server
detected by nsupdate does not work. The fallback works OK for the case
where nsupdate fails with a non-zero return code, but doesn't work
for the case where nsupdate times out.
This patch extends the retry condition to also fallback to the
dyndns_server directive if nsupdate return ERR_DYNDNS_TIMEOUT.
Resolves:
https://pagure.io/SSSD/sssd/issue/3725
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit b57dfac8a047494162395422447ed5675806cfdc)
---
src/providers/ldap/sdap_dyndns.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c
index f791ba9f3..20d97ca41 100644
--- a/src/providers/ldap/sdap_dyndns.c
+++ b/src/providers/ldap/sdap_dyndns.c
@@ -79,10 +79,10 @@ static struct sss_iface_addr*
sdap_get_address_to_delete(struct sss_iface_addr *address_it,
uint8_t remove_af);
-static bool should_retry(int child_status)
+static bool should_retry(int nsupdate_ret, int child_status)
{
- if (WIFEXITED(child_status)
- && WEXITSTATUS(child_status) != 0) {
+ if ((WIFEXITED(child_status) && WEXITSTATUS(child_status) != 0)
+ || nsupdate_ret == ERR_DYNDNS_TIMEOUT) {
return true;
}
@@ -381,7 +381,7 @@ sdap_dyndns_update_done(struct tevent_req *subreq)
if (ret != EOK) {
/* If the update didn't succeed, we can retry using the server name */
if (state->fallback_mode == false
- && should_retry(child_status)) {
+ && should_retry(ret, child_status)) {
state->fallback_mode = true;
DEBUG(SSSDBG_MINOR_FAILURE,
"nsupdate failed, retrying.\n");
@@ -523,7 +523,7 @@ sdap_dyndns_update_ptr_done(struct tevent_req *subreq)
if (ret != EOK) {
/* If the update didn't succeed, we can retry using the server name */
if (state->fallback_mode == false
- && should_retry(child_status)) {
+ && should_retry(ret, child_status)) {
state->fallback_mode = true;
DEBUG(SSSDBG_MINOR_FAILURE, "nsupdate failed, retrying\n");
ret = sdap_dyndns_update_ptr_step(req);
--
2.17.0

50
0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch
View File

@ -1,50 +0,0 @@
From 1ff0edffde5b86e73c20c485236b9b20f22f6f7a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 30 Apr 2018 15:31:49 +0200
Subject: [PATCH] AD: Warn if the LDAP schema is overriden with the AD provider
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/3726
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 3cff2c5e563d967366d534bd3fc8c410f6467ea6)
---
src/providers/ad/ad_common.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index d92c68e6f..c39dcfad6 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1000,6 +1000,7 @@ ad_set_sdap_options(struct ad_options *ad_opts,
errno_t ret;
char *krb5_realm;
char *keytab_path;
+ const char *schema;
/* We only support Kerberos password policy with AD, so
* force that on.
@@ -1050,6 +1051,17 @@ ad_set_sdap_options(struct ad_options *ad_opts,
goto done;
}
+ /* Warn if the user is doing something silly like overriding the schema
+ * with the AD provider
+ */
+ schema = dp_opt_get_string(id_opts->basic, SDAP_SCHEMA);
+ if (schema != NULL && strcasecmp(schema, "ad") != 0) {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "The AD provider only supports the AD LDAP schema. "
+ "SSSD will ignore the ldap_schema option value and proceed "
+ "with ldap_schema=ad\n");
+ }
+
/* fix schema to AD */
id_opts->schema_type = SDAP_SCHEMA_AD;
--
2.17.0

144
0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
View File

@ -1,144 +0,0 @@
From f2c1a2c4a209f1d8db13ec8a875b5787747dca61 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 1 May 2018 21:05:21 +0200
Subject: [PATCH] SYSDB: Only check non-POSIX groups for GID conflicts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When checking for a GID conflict, it doesn't make sense to check for one
when the group being added is a non-POSIX one, because then the GID will
always be 0.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 8a8285cf515c78709e16ec03b254c89466fe3ea2)
---
src/db/sysdb_ops.c | 38 ++++++++++++++++---------------
src/tests/sysdb-tests.c | 50 ++++++++++++++++++++++++++++++++++++++++-
2 files changed, 69 insertions(+), 19 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 93b967e75..124c1285e 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2388,28 +2388,30 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
return ENOMEM;
}
- ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs, &msg);
- if (ret == EOK) {
- for (int i = 0; !same && group_attrs[i] != NULL; i++) {
- previous = ldb_msg_find_attr_as_string(msg,
- group_attrs[i],
- NULL);
- if (previous != NULL && values[i] != NULL) {
- same = strcmp(previous, values[i]) == 0;
+ if (posix) {
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs, &msg);
+ if (ret == EOK) {
+ for (int i = 0; !same && group_attrs[i] != NULL; i++) {
+ previous = ldb_msg_find_attr_as_string(msg,
+ group_attrs[i],
+ NULL);
+ if (previous != NULL && values[i] != NULL) {
+ same = strcmp(previous, values[i]) == 0;
+ }
+ }
+
+ if (same == true) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "The group with GID [%"SPRIgid"] was renamed\n", gid);
+ ret = ERR_GID_DUPLICATED;
+ goto done;
}
- }
- if (same == true) {
- DEBUG(SSSDBG_TRACE_LIBS,
- "The group with GID [%"SPRIgid"] was renamed\n", gid);
- ret = ERR_GID_DUPLICATED;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Another group with GID [%"SPRIgid"] already exists\n", gid);
+ ret = EEXIST;
goto done;
}
-
- DEBUG(SSSDBG_OP_FAILURE,
- "Another group with GID [%"SPRIgid"] already exists\n", gid);
- ret = EEXIST;
- goto done;
}
/* try to add the group */
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index 416dedb5e..19cdcc2f8 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -1557,6 +1557,53 @@ START_TEST (test_sysdb_add_nonposix_user)
}
END_TEST
+static void add_nonposix_incomplete_group(struct sysdb_test_ctx *test_ctx,
+ const char *groupname)
+{
+ const char *get_attrs[] = { SYSDB_GIDNUM,
+ SYSDB_POSIX,
+ NULL };
+ struct ldb_message *msg;
+ const char *attrval;
+ const char *fq_name;
+ int ret;
+ uint64_t id;
+
+ /* Create group */
+ fq_name = sss_create_internal_fqname(test_ctx, groupname, test_ctx->domain->name);
+ fail_if(fq_name == NULL, "Failed to create fq name.");
+
+ ret = sysdb_add_incomplete_group(test_ctx->domain, fq_name, 0,
+ NULL, NULL, NULL, false, 0);
+ fail_if(ret != EOK, "sysdb_add_group failed.");
+
+ /* Test */
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, fq_name, get_attrs, &msg);
+ fail_if(ret != EOK, "sysdb_search_group_by_name failed.");
+
+ attrval = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
+ fail_if(strcasecmp(attrval, "false") != 0, "Got bad attribute value.");
+
+ id = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 123);
+ fail_unless(id == 0, "Wrong GID value");
+}
+
+START_TEST (test_sysdb_add_nonposix_group)
+{
+ struct sysdb_test_ctx *test_ctx;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ add_nonposix_incomplete_group(test_ctx, "nonposix1");
+ add_nonposix_incomplete_group(test_ctx, "nonposix2");
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
START_TEST (test_sysdb_add_group_member)
{
struct sysdb_test_ctx *test_ctx;
@@ -7268,8 +7315,9 @@ Suite *create_sysdb_suite(void)
/* Test GetUserAttr with subdomain user */
tcase_add_test(tc_sysdb, test_sysdb_get_user_attr_subdomain);
- /* Test adding a non-POSIX user */
+ /* Test adding a non-POSIX user and group */
tcase_add_test(tc_sysdb, test_sysdb_add_nonposix_user);
+ tcase_add_test(tc_sysdb, test_sysdb_add_nonposix_group);
/* ===== NETGROUP TESTS ===== */
--
2.17.0

56
0059-Do-not-keep-allocating-external-groups-on-a-long-liv.patch
View File

@ -1,56 +0,0 @@
From dfcc67f54823bee15632cf52704842863e8b8a93 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 3 Apr 2018 21:48:37 +0200
Subject: [PATCH] Do not keep allocating external groups on a long-lived
context
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The hash table with the external groups was never freed, so the
server_mode->ext_groups context was growing over time.
This patch keeps the new hash on the state if something failed, then
frees the previous hash and finally steals the new hash onto the server
mode.
Resolves:
https://pagure.io/SSSD/sssd/issue/3719
Signed-off-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 10213efaf1f9f587b47a82778a252d79863f665e)
---
src/providers/ipa/ipa_subdomains_ext_groups.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
index 9e1d6c3a9..63ff7c7d7 100644
--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
@@ -583,14 +583,19 @@ static void ipa_get_ext_groups_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_FUNC, "[%zu] external groups found.\n",
state->reply_count);
- ret = process_ext_groups(state->server_mode->ext_groups,
- state->reply_count, state->reply, &ext_group_hash);
+ ret = process_ext_groups(state,
+ state->reply_count,
+ state->reply,
+ &ext_group_hash);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "process_ext_groups failed.\n");
goto fail;
}
- state->server_mode->ext_groups->ext_groups = ext_group_hash;
+ talloc_free(state->server_mode->ext_groups->ext_groups);
+ state->server_mode->ext_groups->ext_groups = talloc_steal(
+ state->server_mode->ext_groups,
+ ext_group_hash);
/* Do we have to make the update timeout configurable? */
state->server_mode->ext_groups->next_update = time(NULL) + 10;
--
2.17.0

124
0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch
View File

@ -1,124 +0,0 @@
From 2b965403ecc5a6685602859945a4b73d0f5cddcd Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 2 May 2018 11:37:55 +0200
Subject: [PATCH] CACHE_REQ: Do not fail the domain locator plugin if ID
outside the domain range is looked up
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A fix for upstream bug #3569 and the domain-locator feature were both
developed in the context of the same upstream version and therefore
touched the same code, but the domain locator did not account for the
ERR_ID_OUTSIDE_RANGE error code.
Therefore lookups for IDs that are outside the range for the domain
caused the whole lookup to fail instead of carrying on to the next
domain.
This patch just handles ERR_ID_OUTSIDE_RANGE the same way as if the ID
was not found at all. Also some whitespace errors are fixed.
Resolves:
https://pagure.io/SSSD/sssd/issue/3728
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 2952de740f2ec1da9cbd682fb1d9219e5370e6a1)
---
src/responder/common/cache_req/cache_req.c | 1 +
.../cache_req/plugins/cache_req_common.c | 2 +-
.../cache_req/plugins/cache_req_group_by_id.c | 2 +-
src/tests/cmocka/test_responder_cache_req.c | 32 +++++++++++++++++++
4 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index 134688b0f..28b563392 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -523,6 +523,7 @@ static void cache_req_locate_dom_cache_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_INTERNAL, "Result found in the cache\n");
tevent_req_done(req);
return;
+ case ERR_ID_OUTSIDE_RANGE:
case ENOENT:
/* Not cached and locator was requested, run the locator
* DP request plugin
diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c
index 240416803..d19ca8912 100644
--- a/src/responder/common/cache_req/plugins/cache_req_common.c
+++ b/src/responder/common/cache_req/plugins/cache_req_common.c
@@ -27,7 +27,7 @@
#include "responder/common/cache_req/cache_req_plugin.h"
errno_t cache_req_idminmax_check(struct cache_req_data *data,
- struct sss_domain_info *domain)
+ struct sss_domain_info *domain)
{
if (((domain->id_min != 0) && (data->id < domain->id_min)) ||
((domain->id_max != 0) && (data->id > domain->id_max))) {
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
index 3fb81032b..e0c6b6515 100644
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
@@ -85,7 +85,7 @@ cache_req_group_by_id_lookup(TALLOC_CTX *mem_ctx,
ret = cache_req_idminmax_check(data, domain);
if (ret != EOK) {
- return ret;
+ return ret;
}
return sysdb_getgrgid_with_views(mem_ctx, domain, data->id, _result);
}
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index 252d89dad..45d71b83b 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -1827,6 +1827,37 @@ void test_group_by_id_multiple_domains_notfound(void **state)
assert_true(test_ctx->dp_called);
}
+void test_group_by_id_multiple_domains_outside_id_range(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ struct sss_domain_info *domain_a = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ domain_a = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_a", true);
+ assert_non_null(domain_a);
+ domain_a->id_min = 1;
+ domain_a->id_max = 100;
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], 1000, time(NULL));
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test. */
+ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+}
+
void test_group_by_id_multiple_domains_locator_cache_valid(void **state)
{
struct cache_req_test_ctx *test_ctx = NULL;
@@ -3970,6 +4001,7 @@ int main(int argc, const char *argv[])
new_single_domain_test(group_by_id_missing_notfound),
new_multi_domain_test(group_by_id_multiple_domains_found),
new_multi_domain_test(group_by_id_multiple_domains_notfound),
+ new_multi_domain_test(group_by_id_multiple_domains_outside_id_range),
new_multi_domain_test(group_by_id_multiple_domains_locator_cache_valid),
new_multi_domain_test(group_by_id_multiple_domains_locator_cache_expired),
--
2.17.0

52
0061-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
View File

@ -1,52 +0,0 @@
From b96c60f55789527b1f9232ddae03e5c7566bf578 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 4 May 2018 17:00:55 +0200
Subject: [PATCH] NSS: nss_clear_netgroup_hash_table() do not free data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
nss_clear_netgroup_hash_table() is called during the clearEnumCache SBUS
request, which is e.g. used during 'sss_cache -E', to remove netgroup
data cached in the memory of the NSS responder.
Currently nss_clear_netgroup_hash_table() calls
'sss_ptr_hash_delete_all(nss_ctx->netgrent, true);' which not only
removes all entries in the 'netgerent' hash table but frees them as
well.
The second step is not needed because nss_setnetgrent_set_timeout()
takes care that the data is freed after a timeout. Additionally freeing
the data in nss_clear_netgroup_hash_table() can even do harm when the
request is received by the NSS responder while waiting for the backend
to acquire the netgroup data. Because if the backend is done the NSS
responder tries do use enum_ctx which might have been freed in the
meantime.
Because of this nss_clear_netgroup_hash_table() should only remove the
data from the hash table but not free it.
Related to https://pagure.io/SSSD/sssd/issue/3731
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit b13cc2d1413a0d5bbe36e06e5ffd87dbf5c0cb9f)
---
src/responder/nss/nsssrv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index 171c2a5ca..004e6c1a1 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -142,7 +142,7 @@ static int nss_clear_netgroup_hash_table(struct sbus_request *dbus_req, void *da
DEBUG(SSSDBG_TRACE_FUNC, "Invalidating netgroup hash table\n");
- sss_ptr_hash_delete_all(nss_ctx->netgrent, true);
+ sss_ptr_hash_delete_all(nss_ctx->netgrent, false);
return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID);
}
--
2.17.0

218
0062-SYSDB-Properly-handle-name-gid-override-when-using-d.patch
View File

@ -1,218 +0,0 @@
From e7aee44602eb36ee1e1201ad6c7234562b8bb703 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 5 Dec 2017 21:14:09 +0100
Subject: [PATCH] SYSDB: Properly handle name/gid override when using domain
resolution order
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When using name/gid override together with domain resolution order the
mpg name/gid may be returned instead of the overridden one.
In order to avoid that, let's add a check in case the domain supports
mpg so we can ensure that the originalADname and originalADgidNumber
attributes are the very same as the ones searched and then normally
proceed with the current flow in the code. In case those are not the
same, we *must* follow the code path for the non-mpg domains and then
return the proper values.
Resolves: https://pagure.io/SSSD/sssd/issue/3595
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit cf4f5e031ecbdfba0b55a4f69a06175a2e718e67)
---
src/db/sysdb.h | 2 +
src/db/sysdb_search.c | 116 ++++++++++++++++++++++++++++++++++--------
2 files changed, 97 insertions(+), 21 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 2660314a7..d9c8fd5d6 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -258,6 +258,8 @@
SYSDB_OVERRIDE_OBJECT_DN, \
SYSDB_DEFAULT_OVERRIDE_NAME, \
SYSDB_UUID, \
+ ORIGINALAD_PREFIX SYSDB_NAME, \
+ ORIGINALAD_PREFIX SYSDB_GIDNUM, \
NULL}
#define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index b7ceb6e59..66c4977b3 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -893,8 +893,9 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
const char *fmt_filter;
char *sanitized_name;
struct ldb_dn *base_dn;
- struct ldb_result *res;
+ struct ldb_result *res = NULL;
char *lc_sanitized_name;
+ const char *originalad_sanitized_name;
int ret;
tmp_ctx = talloc_new(NULL);
@@ -902,30 +903,67 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
return ENOMEM;
}
+ ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain,
+ &sanitized_name, &lc_sanitized_name);
+ if (ret != EOK) {
+ goto done;
+ }
+
if (domain->mpg) {
+ /* In case the domain supports magic private groups we *must*
+ * check whether the searched name is the very same as the
+ * originalADname attribute.
+ *
+ * In case those are not the same, we're dealing with an
+ * override and in order to return the proper overridden group
+ * we must use the very same search used by a non-mpg domain
+ */
fmt_filter = SYSDB_GRNAM_MPG_FILTER;
base_dn = sysdb_domain_dn(tmp_ctx, domain);
+ if (base_dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
+ LDB_SCOPE_SUBTREE, attrs, fmt_filter,
+ lc_sanitized_name, sanitized_name, sanitized_name);
+ if (ret != EOK) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
+ if (res->count > 0) {
+ originalad_sanitized_name = ldb_msg_find_attr_as_string(
+ res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL);
+
+ if (originalad_sanitized_name != NULL
+ && strcmp(originalad_sanitized_name, sanitized_name) != 0) {
+ fmt_filter = SYSDB_GRNAM_FILTER;
+ base_dn = sysdb_group_base_dn(tmp_ctx, domain);
+ res = NULL;
+ }
+ }
} else {
fmt_filter = SYSDB_GRNAM_FILTER;
base_dn = sysdb_group_base_dn(tmp_ctx, domain);
}
- if (!base_dn) {
+ if (base_dn == NULL) {
ret = ENOMEM;
goto done;
}
- ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain,
- &sanitized_name, &lc_sanitized_name);
- if (ret != EOK) {
- goto done;
- }
-
- ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
- LDB_SCOPE_SUBTREE, attrs, fmt_filter,
- lc_sanitized_name, sanitized_name, sanitized_name);
- if (ret) {
- ret = sysdb_error_to_errno(ret);
- goto done;
+ /* We just do the ldb_search here in case domain is *not* a MPG *or*
+ * it's a MPG and we're dealing with a overriden group, which has to
+ * use the very same filter as a non MPG domain. */
+ if (res == NULL) {
+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
+ LDB_SCOPE_SUBTREE, attrs, fmt_filter,
+ lc_sanitized_name, sanitized_name, sanitized_name);
+ if (ret != EOK) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
}
ret = mpg_res_convert(res);
@@ -1045,10 +1083,11 @@ int sysdb_getgrgid(TALLOC_CTX *mem_ctx,
{
TALLOC_CTX *tmp_ctx;
unsigned long int ul_gid = gid;
+ unsigned long int ul_originalad_gid;
static const char *attrs[] = SYSDB_GRSRC_ATTRS;
const char *fmt_filter;
struct ldb_dn *base_dn;
- struct ldb_result *res;
+ struct ldb_result *res = NULL;
int ret;
tmp_ctx = talloc_new(NULL);
@@ -1057,22 +1096,57 @@ int sysdb_getgrgid(TALLOC_CTX *mem_ctx,
}
if (domain->mpg) {
+ /* In case the domain supports magic private groups we *must*
+ * check whether the searched gid is the very same as the
+ * originalADgidNumber attribute.
+ *
+ * In case those are not the same, we're dealing with an
+ * override and in order to return the proper overridden group
+ * we must use the very same search used by a non-mpg domain
+ */
fmt_filter = SYSDB_GRGID_MPG_FILTER;
base_dn = sysdb_domain_dn(tmp_ctx, domain);
+ if (base_dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
+ LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid);
+ if (ret != EOK) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
+ if (res->count > 0) {
+ ul_originalad_gid = ldb_msg_find_attr_as_uint64(
+ res->msgs[0], ORIGINALAD_PREFIX SYSDB_GIDNUM, 0);
+
+ if (ul_originalad_gid != 0 && ul_originalad_gid != ul_gid) {
+ fmt_filter = SYSDB_GRGID_FILTER;
+ base_dn = sysdb_group_base_dn(tmp_ctx, domain);
+ res = NULL;
+ }
+ }
} else {
fmt_filter = SYSDB_GRGID_FILTER;
base_dn = sysdb_group_base_dn(tmp_ctx, domain);
}
- if (!base_dn) {
+ if (base_dn == NULL) {
ret = ENOMEM;
goto done;
}
- ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
- LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid);
- if (ret) {
- ret = sysdb_error_to_errno(ret);
- goto done;
+ /* We just do the ldb_search here in case domain is *not* a MPG *or*
+ * it's a MPG and we're dealing with a overriden group, which has to
+ * use the very same filter as a non MPG domain. */
+ if (res == NULL) {
+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
+ LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid);
+ if (ret != EOK) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
}
ret = mpg_res_convert(res);
--
2.17.0

42
0063-test_ca-add-empty-index.txt.attr-file.patch
View File

@ -1,42 +0,0 @@
From f6d3289ca95bcaca68647f0db76c100d616679bc Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 14 Mar 2018 15:15:19 +0100
Subject: [PATCH] test_ca: add empty index.txt.attr file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Although is does not harm because 'openssl ca' creates the
index.tx.tattr file with a suitable content automatically this patch
adds the file to the test_CA directory to silence a message like:
Can't open ./index.txt.attr for reading, No such file or directory
139867607979840:error:02001002:system library:fopen:No such file or
directory:crypto/bio/bss_file.c:74:fopen('./index.txt.attr','r')
139867607979840:error:2006D080:BIO routines:BIO_new_file:no such
file:crypto/bio/bss_file.c:81:
which is show by recent versions of OpenSSL.
Related to https://pagure.io/SSSD/sssd/issue/3436
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 86c06c3b3d1cb4f590bcd951939bf3ef0001c4d3)
---
src/tests/test_CA/Makefile.am | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
index a23a3feef..bfcd908e3 100644
--- a/src/tests/test_CA/Makefile.am
+++ b/src/tests/test_CA/Makefile.am
@@ -89,5 +89,6 @@ clean-local:
serial: clean
touch index.txt
+ touch index.txt.attr
mkdir newcerts
echo -n 01 > serial
--
2.17.0

2
sources
View File

@ -1 +1 @@
SHA512 (sssd-1.16.1.tar.gz) = fb9611cecf4c74b5a82224f9f8d3b98341c144d248094b6cb12975343db9b85142ded620e5f26fef63b2db29cdb45eb8abd698db82e9a1334bc6e001001109fd
SHA512 (sssd-1.16.2.tar.gz) = de029e60c509d1ca9d716074c6c30bc469793440ad11452be6756df110911772d3d9d6bf555acb65f510957d6b8a265f0accc0940622101fa9cf809ac9c6d999

91
sssd.spec
View File

@ -25,6 +25,10 @@
%global with_gdm_pam_extensions 1
%if (0%{?fedora} > 28)
%global use_openssl 1
%endif
%global libwbc_alternatives_version 0.14
%global libwbc_lib_version %{libwbc_alternatives_version}.0
%global libwbc_alternatives_suffix %nil
@ -33,8 +37,8 @@
%endif
Name: sssd
Version: 1.16.1
Release: 9%{?dist}
Version: 1.16.2
Release: 1%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -42,69 +46,6 @@ URL: https://pagure.io/SSSD/sssd/
Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
### Patches ###
Patch0001: 0001-IPA-Handle-empty-nisDomainName.patch
Patch0002: 0002-intg-enhance-netgroups-test.patch
Patch0003: 0003-CONFDB-Start-a-ldb-transaction-from-sss_ldb_modify_p.patch
Patch0004: 0004-TOOLS-Take-into-consideration-app-domains.patch
Patch0005: 0005-TESTS-Move-get_call_output-to-util.py.patch
Patch0006: 0006-TESTS-Make-get_call_output-more-flexible-about-the-s.patch
Patch0007: 0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch
Patch0008: 0008-KCM-Use-json_loadb-when-dealing-with-sss_iobuf-data.patch
Patch0009: 0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch
Patch0010: 0010-KCM-Introduce-kcm_input_get_payload_len.patch
Patch0011: 0011-KCM-Do-not-use-2048-as-fixed-size-for-the-payload.patch
Patch0012: 0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch
Patch0013: 0013-intg-convert-results-returned-as-bytes-to-strings.patch
Patch0014: 0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch
Patch0015: 0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch
Patch0016: 0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
#Patch0017: 0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch
#Patch0018: 0018-sysdb-custom-completely-replace-old-object-instead-o.patch
Patch0019: 0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch
Patch0020: 0020-IPA-Qualify-the-externalUser-sudo-attribute.patch
Patch0021: 0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch
Patch0022: 0022-CONFDB-Add-passwd_files-and-group_files-options.patch
Patch0023: 0023-FILES-Handle-files-provider-sources.patch
Patch0024: 0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch
Patch0025: 0025-AD-Missing-header-in-ad_access.h.patch
Patch0026: 0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
Patch0027: 0027-GPO-Use-AD-site-override-if-set.patch
Patch0028: 0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
Patch0029: 0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
Patch0030: 0030-sssctl-Showing-help-even-when-sssd-not-configured.patch
Patch0031: 0031-sssctl-move-check-for-version-error-to-correct-place.patch
Patch0032: 0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch
Patch0033: 0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch
Patch0034: 0034-MAN-Improve-docs-about-GC-detection.patch
Patch0035: 0035-nss-idmap-do-not-set-a-limit.patch
Patch0036: 0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
Patch0037: 0037-NSS-Add-InvalidateGroupById-handler.patch
Patch0038: 0038-DP-Add-dp_sbus_invalidate_group_memcache.patch
Patch0039: 0039-ERRORS-Add-ERR_GID_DUPLICATED.patch
Patch0040: 0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch
Patch0041: 0041-SDAP-Add-sdap_handle_id_collision_for_incomplete_gro.patch
Patch0042: 0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch
Patch0043: 0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch
Patch0044: 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
Patch0045: 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
Patch0046: 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
Patch0047: 0047-GPO-Fix-bug-with-empty-GPO-rules.patch
Patch0048: 0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch
Patch0049: 0049-FILES-Reduce-code-duplication.patch
Patch0050: 0050-FILES-Reset-the-domain-status-back-even-on-errors.patch
Patch0051: 0051-FILES-Skip-files-that-are-not-created-yet.patch
Patch0052: 0052-FILES-Only-send-the-request-for-update-if-the-files-.patch
Patch0053: 0053-TESTS-simple-CA-to-generate-certificates-for-test.patch
Patch0054: 0054-TESTS-replace-hardcoded-certificates.patch
Patch0055: 0055-DYNDNS-Move-the-retry-logic-into-a-separate-function.patch
Patch0056: 0056-DYNDNS-Retry-also-on-timeouts.patch
Patch0057: 0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch
Patch0058: 0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
Patch0059: 0059-Do-not-keep-allocating-external-groups-on-a-long-liv.patch
Patch0060: 0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch
Patch0061: 0061-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
Patch0062: 0062-SYSDB-Properly-handle-name-gid-override-when-using-d.patch
Patch0063: 0063-test_ca-add-empty-index.txt.attr-file.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@ -181,12 +122,19 @@ BuildRequires: cifs-utils-devel
BuildRequires: libnfsidmap-devel
BuildRequires: samba4-devel
BuildRequires: libsmbclient-devel
BuildRequires: samba-winbind
BuildRequires: systemtap-sdt-devel
BuildRequires: http-parser-devel
BuildRequires: libuuid-devel
BuildRequires: jansson-devel
BuildRequires: libcurl-devel
BuildRequires: gdm-pam-extensions-devel
%if (0%{?use_openssl} == 1)
BuildRequires: p11-kit-devel
BuildRequires: openssl-devel
BuildRequires: gnutls-utils
BuildRequires: softhsm >= 2.1.0
%endif
BuildRequires: openssl
BuildRequires: openssh
BuildRequires: nss-tools
@ -687,11 +635,13 @@ autoreconf -ivf
--disable-rpath \
--with-initscript=systemd \
--with-syslog=journald \
%if (0%{?use_openssl} == 1)
--with-crypto=libcrypto \
%endif
--enable-sss-default-nss-plugin \
--enable-files-domain \
%{?with_cifs_utils_plugin_option} \
%{?enable_systemtap_opt} \
%{?enable_systemtap_opt}
make %{?_smp_mflags} all docs
@ -908,6 +858,9 @@ done
%attr(750,root,root) %dir %{_var}/log/%{name}
%attr(700,root,root) %dir %{_sysconfdir}/sssd
%attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d
%if (0%{?use_openssl} == 1)
%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/pki
%endif
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%dir %{_sysconfdir}/logrotate.d
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
@ -1308,6 +1261,10 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Mon Jun 11 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.2-1
- New upstream release 1.16.2
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_2.html
* Thu May 24 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-9
- Related: upstream#3742 - Change of: User may not run sudo --> a password is
required