Compare commits
30 Commits
Author | SHA1 | Date |
---|---|---|
|
9d173770c1 | |
|
02f5e752db | |
|
9693892a0e | |
|
1a0edee99c | |
|
7c9c06a21a | |
|
645243d3bf | |
|
32425edf44 | |
|
7e203ada3a | |
|
adc5e5a8d7 | |
|
e44e27dae9 | |
|
db015a65d2 | |
|
f039446636 | |
|
64b8fab9ec | |
|
176e0d7445 | |
|
3002fe4c7b | |
|
85e1a43076 | |
|
598f119a10 | |
|
7b5f1e6c49 | |
|
ca2cdbaab3 | |
|
bbae17c4b6 | |
|
4e230fd21a | |
|
811d26b870 | |
|
cd1eae72e6 | |
|
6a3fef3b19 | |
|
59b493bc1c | |
|
46ef46fca4 | |
|
529bdeaa4e | |
|
0d6cda6a21 | |
|
dbe69cb71b | |
|
a59be64342 |
|
@ -57,3 +57,8 @@ sssd-1.2.91.tar.gz
|
||||||
/sssd-1.12.0beta1.tar.gz
|
/sssd-1.12.0beta1.tar.gz
|
||||||
/sssd-1.12.0beta2.tar.gz
|
/sssd-1.12.0beta2.tar.gz
|
||||||
/sssd-1.12.0.tar.gz
|
/sssd-1.12.0.tar.gz
|
||||||
|
/sssd-1.12.1.tar.gz
|
||||||
|
/sssd-1.12.2.tar.gz
|
||||||
|
/sssd-1.12.3.tar.gz
|
||||||
|
/sssd-1.12.4.tar.gz
|
||||||
|
/sssd-1.12.5.tar.gz
|
||||||
|
|
|
@ -0,0 +1,88 @@
|
||||||
|
From 4cb5ab77926503943a9dc7bd1d47bcfb6ed6da68 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||||
|
Date: Wed, 17 Jun 2015 21:35:22 +0200
|
||||||
|
Subject: [PATCH 01/21] SDAP: Remove user from cache for missing user in LDAP
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Function sysdb_get_real_name overrode reurned code LDAP
|
||||||
|
and thus user was not removed from cache after removing it from LDAP.
|
||||||
|
This patch also do not try to set initgroups flag if user
|
||||||
|
does not exist. It reduce some error message.
|
||||||
|
|
||||||
|
Resolves:
|
||||||
|
https://fedorahosted.org/sssd/ticket/2681
|
||||||
|
|
||||||
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||||
|
(cherry picked from commit 9fc96a4a2b07b92585b02dba161ab1eb2dbdad98)
|
||||||
|
---
|
||||||
|
src/providers/ldap/ldap_id.c | 47 ++++++++++++++++++++++++--------------------
|
||||||
|
1 file changed, 26 insertions(+), 21 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
|
||||||
|
index a53a7d7..4ebcd51 100644
|
||||||
|
--- a/src/providers/ldap/ldap_id.c
|
||||||
|
+++ b/src/providers/ldap/ldap_id.c
|
||||||
|
@@ -1142,32 +1142,37 @@ static void groups_by_user_done(struct tevent_req *subreq)
|
||||||
|
}
|
||||||
|
state->sdap_ret = ret;
|
||||||
|
|
||||||
|
- if (ret && ret != ENOENT) {
|
||||||
|
- state->dp_error = dp_error;
|
||||||
|
- tevent_req_error(req, ret);
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* state->name is still the name used for the original request. The cached
|
||||||
|
- * object might have a different name, e.g. a fully-qualified name. */
|
||||||
|
- ret = sysdb_get_real_name(state, state->domain, state->name, &cname);
|
||||||
|
- if (ret != EOK) {
|
||||||
|
- cname = state->name;
|
||||||
|
- DEBUG(SSSDBG_OP_FAILURE, "Failed to canonicalize name, using [%s].\n",
|
||||||
|
- cname);
|
||||||
|
+ if (ret == EOK || ret == ENOENT) {
|
||||||
|
+ /* state->name is still the name used for the original req. The cached
|
||||||
|
+ * object might have a different name, e.g. a fully-qualified name. */
|
||||||
|
+ ret = sysdb_get_real_name(state, state->domain, state->name, &cname);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ cname = state->name;
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
+ "Failed to canonicalize name, using [%s].\n", cname);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (ret == ENOENT && state->noexist_delete == true) {
|
||||||
|
- ret = sysdb_delete_user(state->domain, cname, 0);
|
||||||
|
- if (ret != EOK && ret != ENOENT) {
|
||||||
|
+ switch (state->sdap_ret) {
|
||||||
|
+ case ENOENT:
|
||||||
|
+ if (state->noexist_delete == true) {
|
||||||
|
+ ret = sysdb_delete_user(state->domain, cname, 0);
|
||||||
|
+ if (ret != EOK && ret != ENOENT) {
|
||||||
|
+ tevent_req_error(req, ret);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ case EOK:
|
||||||
|
+ ret = set_initgroups_expire_attribute(state->domain, cname);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ state->dp_error = DP_ERR_FATAL;
|
||||||
|
tevent_req_error(req, ret);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- ret = set_initgroups_expire_attribute(state->domain, cname);
|
||||||
|
- if (ret != EOK) {
|
||||||
|
- state->dp_error = DP_ERR_FATAL;
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ state->dp_error = dp_error;
|
||||||
|
tevent_req_error(req, ret);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.5.0
|
||||||
|
|
|
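Review bot: In the `case ENOENT:` branch of groups_by_user_done, a failing `sysdb_delete_user()` ends the request without a log line and without setting `state->dp_error`, unlike the `EOK` and `default` branches. A user removed from LDAP then stays in the cache with no trace of why, so I would add `DEBUG(SSSDBG_OP_FAILURE, "sysdb_delete_user failed [%d]: %s\n", ret, sss_strerror(ret));` and probably `state->dp_error = DP_ERR_FATAL;` before `tevent_req_error(req, ret);`. The `default:` branch relies on `ret` still holding the LDAP result because the canonicalization block was skipped; `tevent_req_error(req, state->sdap_ret);` would say that directly. The function starts and ends outside the hunk.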
@ -0,0 +1,161 @@
|
||||||
|
From 0cd0887dc253527f51ed9b2eabe6229e9eb64705 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||||
|
Date: Thu, 30 Jul 2015 10:50:47 +0200
|
||||||
|
Subject: [PATCH 02/21] sss_client: Update integrity check of records in mmap
|
||||||
|
cache
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
The function sss_nss_mc_get_record return copy of record from memory
|
||||||
|
cache in last argument. Because we should not access data directly
|
||||||
|
to avoid problems with consistency of record.
|
||||||
|
The function sss_nss_mc_get_record also check whether length of record
|
||||||
|
is within data area (with macro MC_CHECK_RECORD_LENGTH)
|
||||||
|
|
||||||
|
However we also tried to do the same check in functions sss_nss_mc_get{gr, pw}*
|
||||||
|
Pointer to end of strings in record was compared to pointer to the end
|
||||||
|
of data table. But these two pointers are not within the same allocated area
|
||||||
|
and does not make sense to compare them. Sometimes record can be allocated
|
||||||
|
before mmaped area and sometime after. Sometimes it will return cached data
|
||||||
|
and other time will fall back to responder.
|
||||||
|
|
||||||
|
Resolves:
|
||||||
|
https://fedorahosted.org/sssd/ticket/2743
|
||||||
|
|
||||||
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||||
|
---
|
||||||
|
src/sss_client/nss_mc_group.c | 19 ++++++++++---------
|
||||||
|
src/sss_client/nss_mc_passwd.c | 20 ++++++++++----------
|
||||||
|
2 files changed, 20 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c
|
||||||
|
index e0fdb97..aacf59d 100644
|
||||||
|
--- a/src/sss_client/nss_mc_group.c
|
||||||
|
+++ b/src/sss_client/nss_mc_group.c
|
||||||
|
@@ -112,16 +112,16 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
|
||||||
|
uint32_t hash;
|
||||||
|
uint32_t slot;
|
||||||
|
int ret;
|
||||||
|
- size_t strs_offset;
|
||||||
|
- uint8_t *max_addr;
|
||||||
|
+ const size_t strs_offset = offsetof(struct sss_mc_grp_data, strs);
|
||||||
|
+ size_t data_size;
|
||||||
|
|
||||||
|
ret = sss_nss_mc_get_ctx("group", &gr_mc_ctx);
|
||||||
|
if (ret) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Get max address of data table. */
|
||||||
|
- max_addr = gr_mc_ctx.data_table + gr_mc_ctx.dt_size;
|
||||||
|
+ /* Get max size of data table. */
|
||||||
|
+ data_size = gr_mc_ctx.dt_size;
|
||||||
|
|
||||||
|
/* hashes are calculated including the NULL terminator */
|
||||||
|
hash = sss_nss_mc_hash(&gr_mc_ctx, name, name_len + 1);
|
||||||
|
@@ -130,7 +130,7 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
|
||||||
|
/* If slot is not within the bounds of mmaped region and
|
||||||
|
* it's value is not MC_INVALID_VAL, then the cache is
|
||||||
|
* probbably corrupted. */
|
||||||
|
- while (MC_SLOT_WITHIN_BOUNDS(slot, gr_mc_ctx.dt_size)) {
|
||||||
|
+ while (MC_SLOT_WITHIN_BOUNDS(slot, data_size)) {
|
||||||
|
/* free record from previous iteration */
|
||||||
|
free(rec);
|
||||||
|
rec = NULL;
|
||||||
|
@@ -147,15 +147,16 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
- strs_offset = offsetof(struct sss_mc_grp_data, strs);
|
||||||
|
data = (struct sss_mc_grp_data *)rec->data;
|
||||||
|
/* Integrity check
|
||||||
|
* - name_len cannot be longer than all strings
|
||||||
|
* - data->name cannot point outside strings
|
||||||
|
- * - all strings must be within data_table */
|
||||||
|
+ * - all strings must be within copy of record
|
||||||
|
+ * - size of record must be lower that data table size */
|
||||||
|
if (name_len > data->strs_len
|
||||||
|
|| (data->name + name_len) > (strs_offset + data->strs_len)
|
||||||
|
- || (uint8_t *)data->strs + data->strs_len > max_addr) {
|
||||||
|
+ || data->strs_len > rec->len
|
||||||
|
+ || rec->len > data_size) {
|
||||||
|
ret = ENOENT;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
@@ -168,7 +169,7 @@ errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len,
|
||||||
|
slot = sss_nss_mc_next_slot_with_hash(rec, hash);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (!MC_SLOT_WITHIN_BOUNDS(slot, gr_mc_ctx.dt_size)) {
|
||||||
|
+ if (!MC_SLOT_WITHIN_BOUNDS(slot, data_size)) {
|
||||||
|
ret = ENOENT;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c
|
||||||
|
index 10e43e2..0da7ad0 100644
|
||||||
|
--- a/src/sss_client/nss_mc_passwd.c
|
||||||
|
+++ b/src/sss_client/nss_mc_passwd.c
|
||||||
|
@@ -105,16 +105,16 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
|
||||||
|
uint32_t hash;
|
||||||
|
uint32_t slot;
|
||||||
|
int ret;
|
||||||
|
- size_t strs_offset;
|
||||||
|
- uint8_t *max_addr;
|
||||||
|
+ const size_t strs_offset = offsetof(struct sss_mc_pwd_data, strs);
|
||||||
|
+ size_t data_size;
|
||||||
|
|
||||||
|
ret = sss_nss_mc_get_ctx("passwd", &pw_mc_ctx);
|
||||||
|
if (ret) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Get max address of data table. */
|
||||||
|
- max_addr = pw_mc_ctx.data_table + pw_mc_ctx.dt_size;
|
||||||
|
+ /* Get max size of data table. */
|
||||||
|
+ data_size = pw_mc_ctx.dt_size;
|
||||||
|
|
||||||
|
/* hashes are calculated including the NULL terminator */
|
||||||
|
hash = sss_nss_mc_hash(&pw_mc_ctx, name, name_len + 1);
|
||||||
|
@@ -123,7 +123,7 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
|
||||||
|
/* If slot is not within the bounds of mmaped region and
|
||||||
|
* it's value is not MC_INVALID_VAL, then the cache is
|
||||||
|
* probbably corrupted. */
|
||||||
|
- while (MC_SLOT_WITHIN_BOUNDS(slot, pw_mc_ctx.dt_size)) {
|
||||||
|
+ while (MC_SLOT_WITHIN_BOUNDS(slot, data_size)) {
|
||||||
|
/* free record from previous iteration */
|
||||||
|
free(rec);
|
||||||
|
rec = NULL;
|
||||||
|
@@ -140,16 +140,16 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
- strs_offset = offsetof(struct sss_mc_pwd_data, strs);
|
||||||
|
-
|
||||||
|
data = (struct sss_mc_pwd_data *)rec->data;
|
||||||
|
/* Integrity check
|
||||||
|
* - name_len cannot be longer than all strings
|
||||||
|
* - data->name cannot point outside strings
|
||||||
|
- * - all strings must be within data_table */
|
||||||
|
+ * - all strings must be within copy of record
|
||||||
|
+ * - size of record must be lower that data table size */
|
||||||
|
if (name_len > data->strs_len
|
||||||
|
|| (data->name + name_len) > (strs_offset + data->strs_len)
|
||||||
|
- || (uint8_t *)data->strs + data->strs_len > max_addr) {
|
||||||
|
+ || data->strs_len > rec->len
|
||||||
|
+ || rec->len > data_size) {
|
||||||
|
ret = ENOENT;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
@@ -162,7 +162,7 @@ errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len,
|
||||||
|
slot = sss_nss_mc_next_slot_with_hash(rec, hash);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (!MC_SLOT_WITHIN_BOUNDS(slot, pw_mc_ctx.dt_size)) {
|
||||||
|
+ if (!MC_SLOT_WITHIN_BOUNDS(slot, data_size)) {
|
||||||
|
ret = ENOENT;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.5.0
|
||||||
|
|
|
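Review bot: The new bound `data->strs_len > rec->len` in sss_nss_mc_getgrnam (and the identical one in sss_nss_mc_getpwnam) is looser than the comment's "all strings must be within copy of record". `rec->len` appears to be the length of the whole copied record, so it presumably also counts the record header and the fixed part of the data struct up to `strs`; a `strs_len` read from a corrupted cache can pass this test and still describe a string area that ends past the copy. Since the check exists to reject a corrupted cache, I would subtract those header sizes before comparing, and also reject `data->name < strs_offset`, which the visible condition does not cover. The comment has a typo: `lower that` should read `lower than`. Both functions start and end outside the hunks.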
@ -0,0 +1,95 @@
|
||||||
|
From 51a1e04122fda73847dc368b11b4e8b78335cc78 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Cech <pcech@redhat.com>
|
||||||
|
Date: Mon, 27 Jul 2015 12:52:49 -0400
|
||||||
|
Subject: [PATCH 03/21] BUILD: Repair dependecies on deprecated libraries
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Modules libsystemd-journal and libsystemd-login are
|
||||||
|
deprecated and "libsystemd" should be used instead
|
||||||
|
of them.
|
||||||
|
|
||||||
|
Resolves:
|
||||||
|
https://fedorahosted.org/sssd/ticket/2733
|
||||||
|
|
||||||
|
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||||
|
---
|
||||||
|
contrib/ci/deps.sh | 2 +-
|
||||||
|
src/external/systemd.m4 | 40 ++++++++++++++++++++++++++++------------
|
||||||
|
2 files changed, 29 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
|
||||||
|
index 0cdb996..50e4f44 100644
|
||||||
|
--- a/contrib/ci/deps.sh
|
||||||
|
+++ b/contrib/ci/deps.sh
|
||||||
|
@@ -84,7 +84,7 @@ if [[ "$DISTRO_BRANCH" == -debian-* ]]; then
|
||||||
|
libselinux1-dev
|
||||||
|
libsemanage1-dev
|
||||||
|
libsmbclient-dev
|
||||||
|
- libsystemd-journal-dev
|
||||||
|
+ libsystemd-dev
|
||||||
|
libtalloc-dev
|
||||||
|
libtdb-dev
|
||||||
|
libtevent-dev
|
||||||
|
diff --git a/src/external/systemd.m4 b/src/external/systemd.m4
|
||||||
|
index dbced0d..4c28445 100644
|
||||||
|
--- a/src/external/systemd.m4
|
||||||
|
+++ b/src/external/systemd.m4
|
||||||
|
@@ -1,25 +1,41 @@
|
||||||
|
+dnl There are no module libsystemd-journal and libsystem-login
|
||||||
|
+dnl up systemd version 209
|
||||||
|
+PKG_CHECK_EXISTS([libsystemd],
|
||||||
|
+ [HAVE_LIBSYSTEMD=yes],
|
||||||
|
+ [HAVE_LIBSYSTEMD=no])
|
||||||
|
+
|
||||||
|
dnl A macro to check presence of systemd on the system
|
||||||
|
AC_DEFUN([AM_CHECK_SYSTEMD],
|
||||||
|
[
|
||||||
|
PKG_CHECK_EXISTS(systemd,
|
||||||
|
[ HAVE_SYSTEMD=1, AC_SUBST(HAVE_SYSTEMD) ],
|
||||||
|
- [AC_MSG_ERROR([Could not detect systemd presence])]
|
||||||
|
- )
|
||||||
|
+ [AC_MSG_ERROR([Could not detect systemd presence])])
|
||||||
|
])
|
||||||
|
|
||||||
|
+AS_IF([test x$HAVE_LIBSYSTEMD = xyes],
|
||||||
|
+ [login_lib_name=libsystemd],
|
||||||
|
+ [login_lib_name=libsystemd-login])
|
||||||
|
+
|
||||||
|
AM_COND_IF([HAVE_SYSTEMD],
|
||||||
|
- [PKG_CHECK_MODULES([SYSTEMD_LOGIN], [libsystemd-login],
|
||||||
|
- [AC_DEFINE_UNQUOTED(HAVE_SYSTEMD_LOGIN, 1, [Build with libsystemdlogin support])],
|
||||||
|
- [AC_MSG_NOTICE([Build without libsystemd-login support])])])
|
||||||
|
+ [PKG_CHECK_MODULES([SYSTEMD_LOGIN],
|
||||||
|
+ [$login_lib_name],
|
||||||
|
+ [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD_LOGIN], 1,
|
||||||
|
+ [Build with libsystemdlogin support])
|
||||||
|
+ ],
|
||||||
|
+ [AC_MSG_NOTICE([Build without libsystemd-login support])])])
|
||||||
|
|
||||||
|
dnl A macro to check presence of journald on the system
|
||||||
|
AC_DEFUN([AM_CHECK_JOURNALD],
|
||||||
|
[
|
||||||
|
- PKG_CHECK_MODULES(JOURNALD,
|
||||||
|
- libsystemd-journal,
|
||||||
|
- [AC_DEFINE_UNQUOTED([WITH_JOURNALD], 1, [journald is available])])
|
||||||
|
- dnl Some older versions of pkg-config might not set these automatically
|
||||||
|
- dnl while setting CFLAGS and LIBS manually twice doesn't hurt.
|
||||||
|
- AC_SUBST([JOURNALD_CFLAGS])
|
||||||
|
- AC_SUBST([JOURNALD_LIBS])
|
||||||
|
+ AS_IF([test x$HAVE_LIBSYSTEMD = xyes],
|
||||||
|
+ [journal_lib_name=libsystemd],
|
||||||
|
+ [journal_lib_name=libsystemd-journal])
|
||||||
|
+
|
||||||
|
+ PKG_CHECK_MODULES(JOURNALD, [$journal_lib_name],
|
||||||
|
+ [AC_DEFINE_UNQUOTED([WITH_JOURNALD], 1,
|
||||||
|
+ [journald is available])])
|
||||||
|
+ dnl Some older versions of pkg-config might not set these automatically
|
||||||
|
+ dnl while setting CFLAGS and LIBS manually twice doesn't hurt.
|
||||||
|
+ AC_SUBST([JOURNALD_CFLAGS])
|
||||||
|
+ AC_SUBST([JOURNALD_LIBS])
|
||||||
|
])
|
||||||
|
--
|
||||||
|
2.5.0
|
||||||
|
|
|
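Review bot: The shell tests added in systemd.m4 expand the variable unquoted, `test x$HAVE_LIBSYSTEMD = xyes`, both in the top-level `AS_IF` and in the one inside AM_CHECK_JOURNALD; `test "x$HAVE_LIBSYSTEMD" = xyes` is the safer form. The `PKG_CHECK_EXISTS([libsystemd], ...)` probe and the first `AS_IF` also sit outside any `AC_DEFUN`, so they run wherever the file is included and the result depends on include order; a short `dnl` line saying so would help. The new comment would read better as `dnl The libsystemd-journal and libsystemd-login modules no longer exist as of systemd 209`, if that is what "up systemd version 209" means.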
@ -0,0 +1,36 @@
|
||||||
|
From 5ad471f3523acc995f54a1058f4e99c8fc3cb8fa Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||||
|
Date: Fri, 31 Jul 2015 14:09:25 +0200
|
||||||
|
Subject: [PATCH 04/21] SPEC: Workaround for build with rpm 4.13
|
||||||
|
|
||||||
|
If the tarball is generated with minimal dependencies extracted from spec file
|
||||||
|
then translated manual pages are not generated due to missing script po4a.
|
||||||
|
This step is not necessary for regular nightly/developer builds.
|
||||||
|
The tarball is created faster without such step. However rpm >= 4.13
|
||||||
|
will fail due to empty manifest file.
|
||||||
|
|
||||||
|
Resolves:
|
||||||
|
https://fedorahosted.org/sssd/ticket/2738
|
||||||
|
|
||||||
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
---
|
||||||
|
contrib/sssd.spec.in | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
||||||
|
index 2600438..0828bb8 100644
|
||||||
|
--- a/contrib/sssd.spec.in
|
||||||
|
+++ b/contrib/sssd.spec.in
|
||||||
|
@@ -4,6 +4,9 @@
|
||||||
|
# we don't want to provide private python extension libs
|
||||||
|
%define __provides_exclude_from %{python_sitearch}/.*\.so$
|
||||||
|
|
||||||
|
+# workaround for rpm 4.13
|
||||||
|
+%define _empty_manifest_terminate_build 0
|
||||||
|
+
|
||||||
|
%if (0%{?fedora} || 0%{?rhel} >= 7)
|
||||||
|
%global use_systemd 1
|
||||||
|
%endif
|
||||||
|
--
|
||||||
|
2.5.0
|
||||||
|
|
|
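Review bot: The added `%define _empty_manifest_terminate_build 0` is unconditional, so it also hides an empty manifest in builds where the translated manual pages were expected to be present. The comment `# workaround for rpm 4.13` does not say what is being worked around; I would write `# rpm >= 4.13 fails on an empty manifest file, which happens when man pages are not translated (po4a missing)` so the line can be dropped once that case is handled.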
@ -0,0 +1,163 @@
|
||||||
|
From 5249f1273a52040d30e3c7725a2ea84fdd158a4b Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
||||||
|
Date: Tue, 7 Jul 2015 15:15:32 +0200
|
||||||
|
Subject: [PATCH 05/21] CONFDB: Assume config file version 2 if missing
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Default to config file version 2 if the version
|
||||||
|
is not specified explicitly.
|
||||||
|
|
||||||
|
Ticket:
|
||||||
|
https://fedorahosted.org/sssd/ticket/2688
|
||||||
|
|
||||||
|
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||||
|
---
|
||||||
|
src/confdb/confdb.h | 1 +
|
||||||
|
src/confdb/confdb_setup.c | 48 ++++++++++++++--------------
|
||||||
|
src/config/SSSDConfig/__init__.py.in | 5 ---
|
||||||
|
src/config/SSSDConfig/sssd_upgrade_config.py | 3 +-
|
||||||
|
src/config/SSSDConfigTest.py | 11 ++-----
|
||||||
|
5 files changed, 29 insertions(+), 39 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||||
|
index e97c46b..68009fa 100644
|
||||||
|
--- a/src/confdb/confdb.h
|
||||||
|
+++ b/src/confdb/confdb.h
|
||||||
|
@@ -38,6 +38,7 @@
|
||||||
|
* @{
|
||||||
|
*/
|
||||||
|
|
||||||
|
+#define CONFDB_DEFAULT_CFG_FILE_VER 2
|
||||||
|
#define CONFDB_FILE "config.ldb"
|
||||||
|
#define CONFDB_DEFAULT_CONFIG_FILE SSSD_CONF_DIR"/sssd.conf"
|
||||||
|
#define SSSD_MIN_ID 1
|
||||||
|
diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
|
||||||
|
index 93a1a1b..694a7f0 100644
|
||||||
|
--- a/src/confdb/confdb_setup.c
|
||||||
|
+++ b/src/confdb/confdb_setup.c
|
||||||
|
@@ -224,30 +224,30 @@ int confdb_init_db(const char *config_file, struct confdb_ctx *cdb)
|
||||||
|
|
||||||
|
ret = sss_ini_check_config_obj(init_data);
|
||||||
|
if (ret != EOK) {
|
||||||
|
- /* No known version. Assumed to be version 1 */
|
||||||
|
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||||
|
- "Config file is an old version. "
|
||||||
|
- "Please run configuration upgrade script.\n");
|
||||||
|
- ret = EINVAL;
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- version = sss_ini_get_int_config_value(init_data, 1, -1, &ret);
|
||||||
|
- if (ret != EOK) {
|
||||||
|
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||||
|
- "Config file version could not be determined\n");
|
||||||
|
- goto done;
|
||||||
|
- } else if (version < CONFDB_VERSION_INT) {
|
||||||
|
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||||
|
- "Config file is an old version. "
|
||||||
|
- "Please run configuration upgrade script.\n");
|
||||||
|
- ret = EINVAL;
|
||||||
|
- goto done;
|
||||||
|
- } else if (version > CONFDB_VERSION_INT) {
|
||||||
|
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||||
|
- "Config file version is newer than confdb\n");
|
||||||
|
- ret = EINVAL;
|
||||||
|
- goto done;
|
||||||
|
+ /* No known version. Use default. */
|
||||||
|
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||||
|
+ "Value of config_file_version option not found. "
|
||||||
|
+ "Assumed to be version %d.\n", CONFDB_DEFAULT_CFG_FILE_VER);
|
||||||
|
+ } else {
|
||||||
|
+ version = sss_ini_get_int_config_value(init_data,
|
||||||
|
+ CONFDB_DEFAULT_CFG_FILE_VER,
|
||||||
|
+ -1, &ret);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||||
|
+ "Config file version could not be determined\n");
|
||||||
|
+ goto done;
|
||||||
|
+ } else if (version < CONFDB_VERSION_INT) {
|
||||||
|
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||||
|
+ "Config file is an old version. "
|
||||||
|
+ "Please run configuration upgrade script.\n");
|
||||||
|
+ ret = EINVAL;
|
||||||
|
+ goto done;
|
||||||
|
+ } else if (version > CONFDB_VERSION_INT) {
|
||||||
|
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||||
|
+ "Config file version is newer than confdb\n");
|
||||||
|
+ ret = EINVAL;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Set up a transaction to replace the configuration */
|
||||||
|
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
||||||
|
index d72b892..fc87a2b 100644
|
||||||
|
--- a/src/config/SSSDConfig/__init__.py.in
|
||||||
|
+++ b/src/config/SSSDConfig/__init__.py.in
|
||||||
|
@@ -731,11 +731,6 @@ class SSSDService(SSSDConfigObject):
|
||||||
|
# Set up default options for this service
|
||||||
|
self.options.update(self.schema.get_defaults(self.name))
|
||||||
|
|
||||||
|
- # For the [sssd] service, force the config file version
|
||||||
|
- if servicename == 'sssd':
|
||||||
|
- self.options['config_file_version'] = 2
|
||||||
|
- self.hidden_options.append('config_file_version')
|
||||||
|
-
|
||||||
|
def list_options_with_mandatory(self):
|
||||||
|
"""
|
||||||
|
List options for the service, including the mandatory flag.
|
||||||
|
diff --git a/src/config/SSSDConfig/sssd_upgrade_config.py b/src/config/SSSDConfig/sssd_upgrade_config.py
|
||||||
|
index 282d6c4..767d06d 100644
|
||||||
|
--- a/src/config/SSSDConfig/sssd_upgrade_config.py
|
||||||
|
+++ b/src/config/SSSDConfig/sssd_upgrade_config.py
|
||||||
|
@@ -47,7 +47,8 @@ class SSSDConfigFile(SSSDChangeConf):
|
||||||
|
def get_version(self):
|
||||||
|
ver = self.get_option_index('sssd', 'config_file_version')[1]
|
||||||
|
if not ver:
|
||||||
|
- return 1
|
||||||
|
+ # config_file_version not found -> default to version 2
|
||||||
|
+ return 2
|
||||||
|
try:
|
||||||
|
return int(ver['value'])
|
||||||
|
except ValueError:
|
||||||
|
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
||||||
|
index aed76e5..868d1a5 100755
|
||||||
|
--- a/src/config/SSSDConfigTest.py
|
||||||
|
+++ b/src/config/SSSDConfigTest.py
|
||||||
|
@@ -396,9 +396,6 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
|
||||||
|
def testGetOption(self):
|
||||||
|
service = SSSDConfig.SSSDService('sssd', self.schema)
|
||||||
|
|
||||||
|
- # Positive test - Single-valued
|
||||||
|
- self.assertEqual(service.get_option('config_file_version'), 2)
|
||||||
|
-
|
||||||
|
# Positive test - List of values
|
||||||
|
self.assertEqual(service.get_option('services'), ['nss', 'pam'])
|
||||||
|
|
||||||
|
@@ -410,9 +407,7 @@ class SSSDConfigTestSSSDService(unittest.TestCase):
|
||||||
|
|
||||||
|
#Positive test
|
||||||
|
options = service.get_all_options()
|
||||||
|
- control_list = [
|
||||||
|
- 'config_file_version',
|
||||||
|
- 'services']
|
||||||
|
+ control_list = ['services']
|
||||||
|
|
||||||
|
self.assertTrue(type(options) == dict,
|
||||||
|
"Options should be a dictionary")
|
||||||
|
@@ -1253,9 +1248,7 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
|
||||||
|
for section in sssdconfig.sections():
|
||||||
|
self.assertTrue(section['name'] in control_list)
|
||||||
|
|
||||||
|
- control_list = [
|
||||||
|
- 'config_file_version',
|
||||||
|
- 'services']
|
||||||
|
+ control_list = ['services']
|
||||||
|
for option in control_list:
|
||||||
|
self.assertTrue(sssdconfig.has_option('sssd', option),
|
||||||
|
"Option [%s] missing from [sssd]" %
|
||||||
|
--
|
||||||
|
2.5.0
|
||||||
|
|
|
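Review bot: In confdb_init_db the new `if (ret != EOK)` branch only logs, so `version` is never assigned on that path and `ret` keeps the failure code from `sss_ini_check_config_obj()`. Nothing in the hunk reads either afterwards, but the function continues outside it; adding `version = CONFDB_DEFAULT_CFG_FILE_VER;` and `ret = EOK;` in that branch would leave both paths in the same state. The branch also treats every non-EOK result as "option not found"; if `sss_ini_check_config_obj()` can fail for other reasons, those are now accepted as version 2 without an error.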
@ -0,0 +1,134 @@
|
||||||
|
From dab2f25c94a0f7509c10b42cfb98700c449e709c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Thu, 25 Jun 2015 17:33:47 +0200
|
||||||
|
Subject: [PATCH 06/21] SYSDB: Index the objectSIDString attribute
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||||
|
---
|
||||||
|
src/db/sysdb.c | 7 +++++++
|
||||||
|
src/db/sysdb_private.h | 5 ++++-
|
||||||
|
src/db/sysdb_upgrade.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
3 files changed, 61 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
|
||||||
|
index 9da6557..07a83a8 100644
|
||||||
|
--- a/src/db/sysdb.c
|
||||||
|
+++ b/src/db/sysdb.c
|
||||||
|
@@ -1265,6 +1265,13 @@ int sysdb_domain_init_internal(TALLOC_CTX *mem_ctx,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (strcmp(version, SYSDB_VERSION_0_16) == 0) {
|
||||||
|
+ ret = sysdb_upgrade_16(sysdb, &version);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* The version should now match SYSDB_VERSION.
|
||||||
|
* If not, it means we didn't match any of the
|
||||||
|
* known older versions. The DB might be
|
||||||
|
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
|
||||||
|
index 8a5b8be..9788206 100644
|
||||||
|
--- a/src/db/sysdb_private.h
|
||||||
|
+++ b/src/db/sysdb_private.h
|
||||||
|
@@ -23,6 +23,7 @@
|
||||||
|
#ifndef __INT_SYS_DB_H__
|
||||||
|
#define __INT_SYS_DB_H__
|
||||||
|
|
||||||
|
+#define SYSDB_VERSION_0_17 "0.17"
|
||||||
|
#define SYSDB_VERSION_0_16 "0.16"
|
||||||
|
#define SYSDB_VERSION_0_15 "0.15"
|
||||||
|
#define SYSDB_VERSION_0_14 "0.14"
|
||||||
|
@@ -40,7 +41,7 @@
|
||||||
|
#define SYSDB_VERSION_0_2 "0.2"
|
||||||
|
#define SYSDB_VERSION_0_1 "0.1"
|
||||||
|
|
||||||
|
-#define SYSDB_VERSION SYSDB_VERSION_0_16
|
||||||
|
+#define SYSDB_VERSION SYSDB_VERSION_0_17
|
||||||
|
|
||||||
|
#define SYSDB_BASE_LDIF \
|
||||||
|
"dn: @ATTRIBUTES\n" \
|
||||||
|
@@ -68,6 +69,7 @@
|
||||||
|
"@IDXATTR: serviceProtocol\n" \
|
||||||
|
"@IDXATTR: sudoUser\n" \
|
||||||
|
"@IDXATTR: sshKnownHostsExpire\n" \
|
||||||
|
+ "@IDXATTR: objectSIDString\n" \
|
||||||
|
"@IDXONE: 1\n" \
|
||||||
|
"\n" \
|
||||||
|
"dn: @MODULES\n" \
|
||||||
|
@@ -120,6 +122,7 @@ int sysdb_upgrade_12(struct sysdb_ctx *sysdb, const char **ver);
|
||||||
|
int sysdb_upgrade_13(struct sysdb_ctx *sysdb, const char **ver);
|
||||||
|
int sysdb_upgrade_14(struct sysdb_ctx *sysdb, const char **ver);
|
||||||
|
int sysdb_upgrade_15(struct sysdb_ctx *sysdb, const char **ver);
|
||||||
|
+int sysdb_upgrade_16(struct sysdb_ctx *sysdb, const char **ver);
|
||||||
|
|
||||||
|
int add_string(struct ldb_message *msg, int flags,
|
||||||
|
const char *attr, const char *value);
|
||||||
|
diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c
|
||||||
|
index 558b4f5..1c90e7a 100644
|
||||||
|
--- a/src/db/sysdb_upgrade.c
|
||||||
|
+++ b/src/db/sysdb_upgrade.c
|
||||||
|
@@ -1587,6 +1587,56 @@ done:
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+int sysdb_upgrade_16(struct sysdb_ctx *sysdb, const char **ver)
|
||||||
|
+{
|
||||||
|
+ struct ldb_message *msg;
|
||||||
|
+ struct upgrade_ctx *ctx;
|
||||||
|
+ errno_t ret;
|
||||||
|
+
|
||||||
|
+ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_17, &ctx);
|
||||||
|
+ if (ret) {
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ msg = ldb_msg_new(ctx);
|
||||||
|
+ if (msg == NULL) {
|
||||||
|
+ ret = ENOMEM;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ msg->dn = ldb_dn_new(msg, sysdb->ldb, "@INDEXLIST");
|
||||||
|
+ if (msg->dn == NULL) {
|
||||||
|
+ ret = ENOMEM;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* add index for objectSIDString */
|
||||||
|
+ ret = ldb_msg_add_empty(msg, "@IDXATTR", LDB_FLAG_MOD_ADD, NULL);
|
||||||
|
+ if (ret != LDB_SUCCESS) {
|
||||||
|
+ ret = ENOMEM;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ret = ldb_msg_add_string(msg, "@IDXATTR", "objectSIDString");
|
||||||
|
+ if (ret != LDB_SUCCESS) {
|
||||||
|
+ ret = ENOMEM;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ret = ldb_modify(sysdb->ldb, msg);
|
||||||
|
+ if (ret != LDB_SUCCESS) {
|
||||||
|
+ ret = sysdb_error_to_errno(ret);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* conversion done, update version number */
|
||||||
|
+ ret = update_version(ctx);
|
||||||
|
+
|
||||||
|
+done:
|
||||||
|
+ ret = finish_upgrade(ret, &ctx, ver);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Example template for future upgrades.
|
||||||
|
* Copy and change version numbers as appropriate.
|
||||||
|
--
|
||||||
|
2.5.0
|
||||||
|
|
|
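Review bot: sysdb_upgrade_16 maps a failure of `ldb_msg_add_empty()` or `ldb_msg_add_string()` to `ENOMEM` whatever the LDB code was, while the `ldb_modify()` failure a few lines below goes through `sysdb_error_to_errno(ret)`. Using `ret = sysdb_error_to_errno(ret);` in all three places keeps the real cause. The function has no header comment; `/* 0.16 -> 0.17: add the objectSIDString index to @INDEXLIST */` above it would document the step. If `@IDXATTR: objectSIDString` can already be present in a 0.16 cache, the `LDB_FLAG_MOD_ADD` modify would presumably fail and block the upgrade, which is worth confirming.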
@ -0,0 +1,89 @@
|
||||||
|
From b93b4ac9b0d9f7900ffffe67765613e2057ac63a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
Date: Tue, 21 Jul 2015 11:44:03 +0200
|
||||||
|
Subject: [PATCH 07/21] IPA: Remove MPG groups if getgrgid was called before
|
||||||
|
getpw()
|
||||||
|
|
||||||
|
https://fedorahosted.org/sssd/ticket/2724
|
||||||
|
|
||||||
|
This bug only affects IPA clients that are connected to IPA servers with
|
||||||
|
AD trust and ID mapping in effect.
|
||||||
|
|
||||||
|
If an IPA client calls getgrgid() for an ID that matches a user, the
|
||||||
|
user's private group would be returned and stored as a group entry.
|
||||||
|
|
||||||
|
Subsequent queries for that user would fail, because MPG domains impose
|
||||||
|
uniqueness restriction for both the ID and name space across groups and
|
||||||
|
users.
|
||||||
|
|
||||||
|
To work around that, we remove the UPG groups in MPG domains during a
|
||||||
|
group lookup.
|
||||||
|
|
||||||
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||||
|
(cherry picked from commit 6fe057efb981ee4b45dcadf131c03f8501fce28d)
|
||||||
|
---
|
||||||
|
src/providers/ipa/ipa_s2n_exop.c | 41 ++++++++++++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 39 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
||||||
|
index fa00691..08d8263 100644
|
||||||
|
--- a/src/providers/ipa/ipa_s2n_exop.c
|
||||||
|
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
||||||
|
@@ -1768,6 +1768,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
||||||
|
int tret;
|
||||||
|
struct sysdb_attrs *gid_override_attrs = NULL;
|
||||||
|
char ** exop_grouplist;
|
||||||
|
+ struct ldb_message *msg;
|
||||||
|
|
||||||
|
tmp_ctx = talloc_new(NULL);
|
||||||
|
if (tmp_ctx == NULL) {
|
||||||
|
@@ -2009,8 +2010,44 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
||||||
|
attrs->a.user.pw_dir, attrs->a.user.pw_shell,
|
||||||
|
NULL, attrs->sysdb_attrs, NULL,
|
||||||
|
timeout, now);
|
||||||
|
- if (ret != EOK) {
|
||||||
|
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_user failed.\n");
|
||||||
|
+ if (ret == EEXIST && dom->mpg == true) {
|
||||||
|
+ /* This handles the case where getgrgid() was called for
|
||||||
|
+ * this user, so a group was created in the cache
|
||||||
|
+ */
|
||||||
|
+ ret = sysdb_search_group_by_name(tmp_ctx, dom, name, NULL, &msg);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ /* Fail even on ENOENT, the group must be around */
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
+ "Could not delete MPG group [%d]: %s\n",
|
||||||
|
+ ret, sss_strerror(ret));
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ret = sysdb_delete_group(dom, NULL, attrs->a.user.pw_uid);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
+ "sysdb_delete_group failed for MPG group [%d]: %s\n",
|
||||||
|
+ ret, sss_strerror(ret));
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ret = sysdb_store_user(dom, name, NULL,
|
||||||
|
+ attrs->a.user.pw_uid,
|
||||||
|
+ gid, attrs->a.user.pw_gecos,
|
||||||
|
+ attrs->a.user.pw_dir,
|
||||||
|
+ attrs->a.user.pw_shell,
|
||||||
|
+ NULL, attrs->sysdb_attrs, NULL,
|
||||||
|
+ timeout, now);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
+ "sysdb_store_user failed for MPG user [%d]: %s\n",
|
||||||
|
+ ret, sss_strerror(ret));
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ } else if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
+ "sysdb_store_user failed [%d]: %s\n",
|
||||||
|
+ ret, sss_strerror(ret));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.5.0
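Review bot: In the new `EEXIST` branch the group is looked up by `name` but deleted with `sysdb_delete_group(dom, NULL, attrs->a.user.pw_uid)`, so nothing visible here ties the entry that was found to the entry that is removed, and `msg` is never read. Passing the name as well, `ret = sysdb_delete_group(dom, name, attrs->a.user.pw_uid);`, would keep the delete on the group that was just found, assuming sysdb_delete_group cross-checks name and GID when both are given (to be confirmed). The first DEBUG in the branch prints `"Could not delete MPG group [%d]: %s\n"` although it is the lookup that failed; `"Could not find MPG group [%d]: %s\n"` would match what happened. ipa_s2n_save_objects starts and ends outside the hunks, so whether the delete and the second sysdb_store_user run inside one transaction cannot be seen from here.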
|
||||||
|
|
|
@ -0,0 +1,56 @@
|
||||||
|
From ec0696be5f28804fefe61f8cfaf5d82e8d72f8a6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||||
|
Date: Fri, 24 Jul 2015 09:24:31 +0200
|
||||||
|
Subject: [PATCH 08/21] SPEC: Update spec file for krb5_local_auth_plugin
|
||||||
|
|
||||||
|
krb5_localauth_plugin could be build only with MIT kerberos >= 1.12.
|
||||||
|
However, this feature was backported in downstream to older version
|
||||||
|
of kerberos. So there were packaging failures
|
||||||
|
|
||||||
|
error: Installed (but unpackaged) file(s) found:
|
||||||
|
/usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so
|
||||||
|
RPM build errors:
|
||||||
|
Installed (but unpackaged) file(s) found:
|
||||||
|
/usr/lib/sssd/modules/sssd_krb5_localauth_plugin.so
|
||||||
|
Child returncode was: 1
|
||||||
|
EXCEPTION: Command failed. See logs for output.
|
||||||
|
|
||||||
|
Reviewed-by: Petr Cech <pcech@redhat.com>
|
||||||
|
(cherry picked from commit b0ee27fd94f1d20d9c220754ae008a3189752287)
|
||||||
|
---
|
||||||
|
contrib/sssd.spec.in | 7 ++-----
|
||||||
|
1 file changed, 2 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
|
||||||
|
index 0828bb8..bad078a 100644
|
||||||
|
--- a/contrib/sssd.spec.in
|
||||||
|
+++ b/contrib/sssd.spec.in
|
||||||
|
@@ -1,3 +1,4 @@
|
||||||
|
+%global rhel6_minor %(%{__grep} -o "6.[0-9]*" /etc/redhat-release |%{__sed} -s 's/6.//')
|
||||||
|
%global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//')
|
||||||
|
|
||||||
|
# Fedora and RHEL 6+
|
||||||
|
@@ -37,7 +38,7 @@
|
||||||
|
%global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin
|
||||||
|
%endif
|
||||||
|
|
||||||
|
-%if (0%{?fedora} >= 21 || (0%{?rhel} == 7 && 0%{?rhel7_minor} >= 1))
|
||||||
|
+%if (0%{?fedora} || (0%{?rhel} == 7 && 0%{?rhel7_minor} >= 1) || (0%{?rhel} == 6 && 0%{?rhel6_minor} >= 7))
|
||||||
|
%global with_krb5_localauth_plugin 1
|
||||||
|
%endif
|
||||||
|
|
||||||
|
@@ -96,11 +97,7 @@ BuildRequires: pcre-devel
|
||||||
|
BuildRequires: libxslt
|
||||||
|
BuildRequires: libxml2
|
||||||
|
BuildRequires: docbook-style-xsl
|
||||||
|
-%if (0%{?with_krb5_localauth_plugin} == 1)
|
||||||
|
-BuildRequires: krb5-devel >= 1.12
|
||||||
|
-%else
|
||||||
|
BuildRequires: krb5-devel
|
||||||
|
-%endif
|
||||||
|
BuildRequires: c-ares-devel
|
||||||
|
BuildRequires: python-devel
|
||||||
|
BuildRequires: check-devel
|
||||||
|
--
|
||||||
|
2.5.0
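Review bot: The added `rhel6_minor` macro uses the pattern `"6.[0-9]*"`, where the unescaped dot matches any character, so the match is not limited to a real 6.x release string. Escaping the dot in both commands, `%{__grep} -o "6\.[0-9]*" /etc/redhat-release |%{__sed} -s 's/6\.//'`, fixes that; the existing `rhel7_minor` line has the same pattern. With the versioned `BuildRequires: krb5-devel >= 1.12` removed, the release-number test in the `%if` is the only thing in the spec that decides whether the localauth plugin is packaged, which deserves a comment above that line.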
|
||||||
|
|
|
@ -0,0 +1,69 @@
|
||||||
|
From 4cbf713b41ae368bc03c1b469e2bb0f568545c82 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||||
|
Date: Tue, 1 Sep 2015 06:58:50 +0200
|
||||||
|
Subject: [PATCH 09/21] LDAP: Sanitize group dn before using in filter
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Each string should be sanitized(rfc4515) before using ldbsearch.
|
||||||
|
A group dn was not sanitized in the function cleanup_groups.
|
||||||
|
|
||||||
|
Resolves:
|
||||||
|
https://fedorahosted.org/sssd/ticket/2744
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
(cherry picked from commit 6cb5bad3c8e2f35ca9dce1800a506d626f90c079)
|
||||||
|
---
|
||||||
|
src/providers/ldap/ldap_id_cleanup.c | 18 ++++++++++++++++--
|
||||||
|
1 file changed, 16 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ldap/ldap_id_cleanup.c b/src/providers/ldap/ldap_id_cleanup.c
|
||||||
|
index 171c9b0..73e5e6f 100644
|
||||||
|
--- a/src/providers/ldap/ldap_id_cleanup.c
|
||||||
|
+++ b/src/providers/ldap/ldap_id_cleanup.c
|
||||||
|
@@ -359,6 +359,8 @@ static int cleanup_groups(TALLOC_CTX *memctx,
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < count; i++) {
|
||||||
|
+ char *sanitized_dn;
|
||||||
|
+
|
||||||
|
dn = ldb_dn_get_linearized(msgs[i]->dn);
|
||||||
|
if (!dn) {
|
||||||
|
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot linearize DN!\n");
|
||||||
|
@@ -366,6 +368,15 @@ static int cleanup_groups(TALLOC_CTX *memctx,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* sanitize dn */
|
||||||
|
+ ret = sss_filter_sanitize(tmpctx, dn, &sanitized_dn);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||||
|
+ "sss_filter_sanitize failed: %s:[%d]\n",
|
||||||
|
+ sss_strerror(ret), ret);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
posix = ldb_msg_find_attr_as_string(msgs[i], SYSDB_POSIX, NULL);
|
||||||
|
if (!posix || strcmp(posix, "TRUE") == 0) {
|
||||||
|
/* Search for users that are members of this group, or
|
||||||
|
@@ -375,11 +386,14 @@ static int cleanup_groups(TALLOC_CTX *memctx,
|
||||||
|
gid = (gid_t) ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
|
||||||
|
subfilter = talloc_asprintf(tmpctx, "(&(%s=%s)(|(%s=%s)(%s=%lu)))",
|
||||||
|
SYSDB_OBJECTCLASS, SYSDB_USER_CLASS,
|
||||||
|
- SYSDB_MEMBEROF, dn,
|
||||||
|
+ SYSDB_MEMBEROF, sanitized_dn,
|
||||||
|
SYSDB_GIDNUM, (long unsigned) gid);
|
||||||
|
} else {
|
||||||
|
- subfilter = talloc_asprintf(tmpctx, "(%s=%s)", SYSDB_MEMBEROF, dn);
|
||||||
|
+ subfilter = talloc_asprintf(tmpctx, "(%s=%s)", SYSDB_MEMBEROF,
|
||||||
|
+ sanitized_dn);
|
||||||
|
}
|
||||||
|
+ talloc_zfree(sanitized_dn);
|
||||||
|
+
|
||||||
|
if (!subfilter) {
|
||||||
|
DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n");
|
||||||
|
ret = ENOMEM;
|
||||||
|
--
|
||||||
|
2.5.0
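Review bot: The failure path after `sss_filter_sanitize()` logs at `SSSDBG_MINOR_FAILURE` but then does `goto done`, which leaves the loop with an error. The neighbouring fatal paths in this loop use `SSSDBG_CRIT_FAILURE` and `SSSDBG_OP_FAILURE`, so `SSSDBG_OP_FAILURE` would fit here. The comment `/* sanitize dn */` repeats the call; something like `/* The DN is embedded in an ldb filter below; escape filter metacharacters first */` tells the next reader why the raw `dn` must not be used in `subfilter`. cleanup_groups starts and ends outside these hunks.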
|
||||||
|
|
|
@ -0,0 +1,380 @@
|
||||||
|
From 562ee3c30bcb7d1997889c38f15eb2ef889ba7b1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pavel Reichl <preichl@redhat.com>
|
||||||
|
Date: Tue, 4 Aug 2015 09:25:08 -0400
|
||||||
|
Subject: [PATCH 10/21] tests: check special characters in cleanup_groups
|
||||||
|
|
||||||
|
Based on commits:
|
||||||
|
e2e334b2f51118cb14c7391c4e4e44ff247ef638
|
||||||
|
f02b62138466c876f6e8d6382769105f2e920d96
|
||||||
|
e0f2a783439fb7d3b85469f34ad6d672abf7e1fa
|
||||||
|
2cec08a3174bff951c048c57b4b0e4517ad6b7b1
|
||||||
|
---
|
||||||
|
Makefile.am | 22 +++
|
||||||
|
src/tests/cmocka/test_ldap_id_cleanup.c | 315 ++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 337 insertions(+)
|
||||||
|
create mode 100644 src/tests/cmocka/test_ldap_id_cleanup.c
|
||||||
|
|
||||||
|
diff --git a/Makefile.am b/Makefile.am
|
||||||
|
index ac6a358..91ad413 100644
|
||||||
|
--- a/Makefile.am
|
||||||
|
+++ b/Makefile.am
|
||||||
|
@@ -212,6 +212,7 @@ if HAVE_CMOCKA
|
||||||
|
sbus-internal-tests \
|
||||||
|
sss_sifp-tests \
|
||||||
|
test_search_bases \
|
||||||
|
+ test_ldap_id_cleanup \
|
||||||
|
sdap-tests \
|
||||||
|
test_sysdb_views \
|
||||||
|
test_sysdb_utils \
|
||||||
|
@@ -1969,6 +1970,27 @@ test_search_bases_LDADD = \
|
||||||
|
libsss_krb5_common.la \
|
||||||
|
libsss_test_common.la
|
||||||
|
|
||||||
|
+test_ldap_id_cleanup_SOURCES = \
|
||||||
|
+ $(sssd_be_SOURCES) \
|
||||||
|
+ src/tests/cmocka/test_ldap_id_cleanup.c \
|
||||||
|
+ src/providers/ldap/ldap_id_cleanup.c \
|
||||||
|
+ $(NULL)
|
||||||
|
+test_ldap_id_cleanup_CFLAGS = \
|
||||||
|
+ $(AM_CFLAGS) \
|
||||||
|
+ -DUNIT_TESTING
|
||||||
|
+ $(NULL)
|
||||||
|
+test_ldap_id_cleanup_LDADD = \
|
||||||
|
+ $(PAM_LIBS) \
|
||||||
|
+ $(CMOCKA_LIBS) \
|
||||||
|
+ $(POPT_LIBS) \
|
||||||
|
+ $(SSSD_LIBS) \
|
||||||
|
+ $(CARES_LIBS) \
|
||||||
|
+ $(KRB5_LIBS) \
|
||||||
|
+ $(SSSD_INTERNAL_LTLIBS) \
|
||||||
|
+ libsss_ldap_common.la \
|
||||||
|
+ libsss_test_common.la \
|
||||||
|
+ $(NULL)
|
||||||
|
+
|
||||||
|
ad_access_filter_tests_SOURCES = \
|
||||||
|
$(sssd_be_SOURCES) \
|
||||||
|
src/providers/ad/ad_common.c \
|
||||||
|
diff --git a/src/tests/cmocka/test_ldap_id_cleanup.c b/src/tests/cmocka/test_ldap_id_cleanup.c
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..9578bb7
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/tests/cmocka/test_ldap_id_cleanup.c
|
||||||
|
@@ -0,0 +1,315 @@
|
||||||
|
+/*
|
||||||
|
+ Authors:
|
||||||
|
+ Pavel Reichl <preichl@redhat.com>
|
||||||
|
+
|
||||||
|
+ Copyright (C) 2015 Red Hat
|
||||||
|
+
|
||||||
|
+ SSSD tests - id cleanup
|
||||||
|
+
|
||||||
|
+ This program is free software; you can redistribute it and/or modify
|
||||||
|
+ it under the terms of the GNU General Public License as published by
|
||||||
|
+ the Free Software Foundation; either version 3 of the License, or
|
||||||
|
+ (at your option) any later version.
|
||||||
|
+
|
||||||
|
+ This program is distributed in the hope that it will be useful,
|
||||||
|
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+ GNU General Public License for more details.
|
||||||
|
+
|
||||||
|
+ You should have received a copy of the GNU General Public License
|
||||||
|
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+*/
|
||||||
|
+
|
||||||
|
+#include <stdarg.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+#include <stddef.h>
|
||||||
|
+#include <setjmp.h>
|
||||||
|
+#include <unistd.h>
|
||||||
|
+#include <sys/types.h>
|
||||||
|
+#include <cmocka.h>
|
||||||
|
+#include <popt.h>
|
||||||
|
+
|
||||||
|
+#include "tests/cmocka/common_mock.h"
|
||||||
|
+#include "providers/ldap/ldap_auth.h"
|
||||||
|
+#include "providers/ldap/ldap_common.h"
|
||||||
|
+#include "providers/ldap/ldap_opts.h"
|
||||||
|
+#include "providers/ipa/ipa_opts.h"
|
||||||
|
+
|
||||||
|
+#define TESTS_PATH "tests_ldap_id_cleanup"
|
||||||
|
+#define TEST_CONF_FILE "tests_conf.ldb"
|
||||||
|
+
|
||||||
|
+struct sysdb_test_ctx {
|
||||||
|
+ struct sysdb_ctx *sysdb;
|
||||||
|
+ struct confdb_ctx *confdb;
|
||||||
|
+ struct tevent_context *ev;
|
||||||
|
+ struct sss_domain_info *domain;
|
||||||
|
+ struct sdap_options *opts;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static int _setup_sysdb_tests(struct sysdb_test_ctx **ctx, bool enumerate)
|
||||||
|
+{
|
||||||
|
+ struct sysdb_test_ctx *test_ctx;
|
||||||
|
+ char *conf_db;
|
||||||
|
+ int ret;
|
||||||
|
+
|
||||||
|
+ const char *val[2];
|
||||||
|
+ val[1] = NULL;
|
||||||
|
+
|
||||||
|
+ /* Create tests directory if it doesn't exist */
|
||||||
|
+ /* (relative to current dir) */
|
||||||
|
+ ret = mkdir(TESTS_PATH, 0775);
|
||||||
|
+ assert_true(ret == 0 || errno == EEXIST);
|
||||||
|
+
|
||||||
|
+ test_ctx = talloc_zero(global_talloc_context, struct sysdb_test_ctx);
|
||||||
|
+ assert_non_null(test_ctx);
|
||||||
|
+
|
||||||
|
+ /* Create an event context
|
||||||
|
+ * It will not be used except in confdb_init and sysdb_init
|
||||||
|
+ */
|
||||||
|
+ test_ctx->ev = tevent_context_init(test_ctx);
|
||||||
|
+ assert_non_null(test_ctx->ev);
|
||||||
|
+
|
||||||
|
+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
|
||||||
|
+ assert_non_null(conf_db);
|
||||||
|
+ DEBUG(SSSDBG_MINOR_FAILURE, "CONFDB: %s\n", conf_db);
|
||||||
|
+
|
||||||
|
+ /* Connect to the conf db */
|
||||||
|
+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ val[0] = "LOCAL";
|
||||||
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||||
|
+ "config/sssd", "domains", val);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ val[0] = "local";
|
||||||
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||||
|
+ "config/domain/LOCAL", "id_provider", val);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ val[0] = enumerate ? "TRUE" : "FALSE";
|
||||||
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||||
|
+ "config/domain/LOCAL", "enumerate", val);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ val[0] = "TRUE";
|
||||||
|
+ ret = confdb_add_param(test_ctx->confdb, true,
|
||||||
|
+ "config/domain/LOCAL", "cache_credentials", val);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sssd_domain_init(test_ctx, test_ctx->confdb, "local",
|
||||||
|
+ TESTS_PATH, &test_ctx->domain);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ test_ctx->domain->has_views = true;
|
||||||
|
+ test_ctx->sysdb = test_ctx->domain->sysdb;
|
||||||
|
+
|
||||||
|
+ *ctx = test_ctx;
|
||||||
|
+ return EOK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define setup_sysdb_tests(ctx) _setup_sysdb_tests((ctx), false)
|
||||||
|
+
|
||||||
|
+static int test_sysdb_setup(void **state)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ struct sysdb_test_ctx *test_ctx;
|
||||||
|
+
|
||||||
|
+ assert_true(leak_check_setup());
|
||||||
|
+
|
||||||
|
+ ret = setup_sysdb_tests(&test_ctx);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ test_ctx->domain->mpg = false;
|
||||||
|
+
|
||||||
|
+ /* set options */
|
||||||
|
+ test_ctx->opts = talloc_zero(test_ctx, struct sdap_options);
|
||||||
|
+ assert_non_null(test_ctx->opts);
|
||||||
|
+
|
||||||
|
+ ret = sdap_copy_map(test_ctx->opts, rfc2307_user_map,
|
||||||
|
+ SDAP_OPTS_USER, &test_ctx->opts->user_map);
|
||||||
|
+ assert_int_equal(ret, ERR_OK);
|
||||||
|
+
|
||||||
|
+ ret = dp_copy_defaults(test_ctx->opts, default_basic_opts,
|
||||||
|
+ SDAP_OPTS_BASIC, &test_ctx->opts->basic);
|
||||||
|
+ assert_int_equal(ret, ERR_OK);
|
||||||
|
+
|
||||||
|
+ dp_opt_set_int(test_ctx->opts->basic, SDAP_ACCOUNT_CACHE_EXPIRATION, 1);
|
||||||
|
+
|
||||||
|
+ *state = (void *) test_ctx;
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int test_sysdb_teardown(void **state)
|
||||||
|
+{
|
||||||
|
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
|
||||||
|
+ struct sysdb_test_ctx);
|
||||||
|
+
|
||||||
|
+ talloc_free(test_ctx);
|
||||||
|
+ assert_true(leak_check_teardown());
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static errno_t invalidate_group(TALLOC_CTX *ctx,
|
||||||
|
+ struct sss_domain_info *domain,
|
||||||
|
+ const char *name)
|
||||||
|
+{
|
||||||
|
+ struct sysdb_attrs *sys_attrs = NULL;
|
||||||
|
+ errno_t ret;
|
||||||
|
+
|
||||||
|
+ sys_attrs = sysdb_new_attrs(ctx);
|
||||||
|
+ if (sys_attrs) {
|
||||||
|
+ ret = sysdb_attrs_add_time_t(sys_attrs,
|
||||||
|
+ SYSDB_CACHE_EXPIRE, 1);
|
||||||
|
+ if (ret == EOK) {
|
||||||
|
+ ret = sysdb_set_group_attr(domain, name, sys_attrs,
|
||||||
|
+ SYSDB_MOD_REP);
|
||||||
|
+ } else {
|
||||||
|
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||||
|
+ "Could not add expiration time to attributes\n");
|
||||||
|
+ }
|
||||||
|
+ talloc_zfree(sys_attrs);
|
||||||
|
+ } else {
|
||||||
|
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not create sysdb attributes\n");
|
||||||
|
+ ret = ENOMEM;
|
||||||
|
+ }
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void test_id_cleanup_exp_group(void **state)
|
||||||
|
+{
|
||||||
|
+ errno_t ret;
|
||||||
|
+ struct ldb_message *msg;
|
||||||
|
+ struct sdap_domain sdom;
|
||||||
|
+ const char *special_grp = "special_gr*o/u\\p(2016)";
|
||||||
|
+ const char *empty_special_grp = "empty_gr*o/u\\p(2016)";
|
||||||
|
+ const char *empty_grp = "empty_grp";
|
||||||
|
+ const char *grp = "grp";
|
||||||
|
+ /* This timeout can be bigger because we will call invalidate_group
|
||||||
|
+ * to expire entries without waiting. */
|
||||||
|
+ const uint64_t CACHE_TIMEOUT = 30;
|
||||||
|
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
|
||||||
|
+ struct sysdb_test_ctx);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_store_group(test_ctx->domain, special_grp,
|
||||||
|
+ 10002, NULL, CACHE_TIMEOUT, 0);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_store_group(test_ctx->domain, empty_special_grp,
|
||||||
|
+ 10003, NULL, CACHE_TIMEOUT, 0);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_store_group(test_ctx->domain, grp,
|
||||||
|
+ 10004, NULL, CACHE_TIMEOUT, 0);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_store_group(test_ctx->domain, empty_grp,
|
||||||
|
+ 10005, NULL, CACHE_TIMEOUT, 0);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_store_user(test_ctx->domain, "test_user", NULL,
|
||||||
|
+ 10001, 10002, "Test user",
|
||||||
|
+ NULL, NULL, NULL, NULL, NULL,
|
||||||
|
+ 0, 0);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_store_user(test_ctx->domain, "test_user2", NULL,
|
||||||
|
+ 10002, 10004, "Test user",
|
||||||
|
+ NULL, NULL, NULL, NULL, NULL,
|
||||||
|
+ 0, 0);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ sdom.dom = test_ctx->domain;
|
||||||
|
+
|
||||||
|
+ /* not expired */
|
||||||
|
+ ret = ldap_id_cleanup(test_ctx->opts, &sdom);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
|
||||||
|
+ special_grp, NULL, &msg);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
|
||||||
|
+ empty_special_grp, NULL, &msg);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
|
||||||
|
+ grp, NULL, &msg);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
|
||||||
|
+ empty_grp, NULL, &msg);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ /* let records to expire */
|
||||||
|
+ invalidate_group(test_ctx, test_ctx->domain, special_grp);
|
||||||
|
+ invalidate_group(test_ctx, test_ctx->domain, empty_special_grp);
|
||||||
|
+ invalidate_group(test_ctx, test_ctx->domain, grp);
|
||||||
|
+ invalidate_group(test_ctx, test_ctx->domain, empty_grp);
|
||||||
|
+
|
||||||
|
+ ret = ldap_id_cleanup(test_ctx->opts, &sdom);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
|
||||||
|
+ special_grp, NULL, &msg);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
|
||||||
|
+ empty_special_grp, NULL, &msg);
|
||||||
|
+ assert_int_equal(ret, ENOENT);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
|
||||||
|
+ grp, NULL, &msg);
|
||||||
|
+ assert_int_equal(ret, EOK);
|
||||||
|
+
|
||||||
|
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain,
|
||||||
|
+ empty_grp, NULL, &msg);
|
||||||
|
+ assert_int_equal(ret, ENOENT);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int main(int argc, const char *argv[])
|
||||||
|
+{
|
||||||
|
+ int rv;
|
||||||
|
+ int no_cleanup = 0;
|
||||||
|
+ poptContext pc;
|
||||||
|
+ int opt;
|
||||||
|
+ struct poptOption long_options[] = {
|
||||||
|
+ POPT_AUTOHELP
|
||||||
|
+ SSSD_DEBUG_OPTS
|
||||||
|
+ { "no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
|
||||||
|
+ _("Do not delete the test database after a test run"), NULL },
|
||||||
|
+ POPT_TABLEEND
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+ const struct CMUnitTest tests[] = {
|
||||||
|
+ cmocka_unit_test_setup_teardown(test_id_cleanup_exp_group,
|
||||||
|
+ test_sysdb_setup, test_sysdb_teardown),
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+ /* Set debug level to invalid value so we can deside if -d 0 was used. */
|
||||||
|
+ debug_level = SSSDBG_INVALID;
|
||||||
|
+
|
||||||
|
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
|
||||||
|
+ while ((opt = poptGetNextOpt(pc)) != -1) {
|
||||||
|
+ switch (opt) {
|
||||||
|
+ default:
|
||||||
|
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
|
||||||
|
+ poptBadOption(pc, 0), poptStrerror(opt));
|
||||||
|
+ poptPrintUsage(pc, stderr, 0);
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ poptFreeContext(pc);
|
||||||
|
+
|
||||||
|
+ DEBUG_CLI_INIT(debug_level);
|
||||||
|
+
|
||||||
|
+ tests_set_cwd();
|
||||||
|
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_FILE, LOCAL_SYSDB_FILE);
|
||||||
|
+ test_dom_suite_setup(TESTS_PATH);
|
||||||
|
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
|
||||||
|
+
|
||||||
|
+ if (rv == 0 && no_cleanup == 0) {
|
||||||
|
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_FILE, LOCAL_SYSDB_FILE);
|
||||||
|
+ }
|
||||||
|
+ return rv;
|
||||||
|
+}
|
||||||
|
--
|
||||||
|
2.5.0
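Review bot: In test_id_cleanup_exp_group the four `invalidate_group(...)` calls discard their `errno_t` result, so a failed expiry update would surface later as a confusing `ENOENT` mismatch instead of at the call. Wrap each one, e.g. `assert_int_equal(invalidate_group(test_ctx, test_ctx->domain, grp), EOK);`. `struct sdap_domain sdom;` is passed to ldap_id_cleanup() with only `sdom.dom` assigned; that function's body is not part of this patch, so zero-initialising the struct, e.g. `struct sdap_domain sdom = { 0 };`, avoids handing it indeterminate fields. In the Makefile.am hunk `-DUNIT_TESTING` has no trailing backslash, which leaves the following `$(NULL)` outside the `test_ldap_id_cleanup_CFLAGS` assignment.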
|
||||||
|
|
|
@ -0,0 +1,30 @@
|
||||||
|
From 41a77e02689b48d0a3627b3fae97741ff49fa06f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Oulevey <thomas.oulevey@cern.ch>
|
||||||
|
Date: Wed, 23 Sep 2015 10:55:59 +0200
|
||||||
|
Subject: [PATCH 11/21] Fix memory leak in sssdpac_verify()
|
||||||
|
|
||||||
|
Resolves https://fedorahosted.org/sssd/ticket/2803
|
||||||
|
|
||||||
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||||
|
(cherry picked from commit b4c44ebb8997d3debb33607c123ccfd9926e0cba)
|
||||||
|
---
|
||||||
|
src/sss_client/sssd_pac.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/sss_client/sssd_pac.c b/src/sss_client/sssd_pac.c
|
||||||
|
index d1790df..8b5bb32 100644
|
||||||
|
--- a/src/sss_client/sssd_pac.c
|
||||||
|
+++ b/src/sss_client/sssd_pac.c
|
||||||
|
@@ -150,6 +150,9 @@ static krb5_error_code sssdpac_verify(krb5_context kcontext,
|
||||||
|
kerr = krb5_pac_verify(kcontext, pac,
|
||||||
|
req->ticket->enc_part2->times.authtime,
|
||||||
|
req->ticket->enc_part2->client, key, NULL);
|
||||||
|
+ /* deallocate pac */
|
||||||
|
+ krb5_pac_free(kcontext, pac);
|
||||||
|
+ pac = NULL;
|
||||||
|
if (kerr != 0) {
|
||||||
|
/* The krb5 documentation says:
|
||||||
|
* A checksum mismatch can occur if the PAC was copied from a
|
||||||
|
--
|
||||||
|
2.5.0
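Review bot: `/* deallocate pac */` restates the call and does not say why the free sits before the `kerr` check. A comment such as `/* pac is only needed for krb5_pac_verify(); release it here so both the error and the success path are covered */` would record that. The rest of sssdpac_verify is outside the hunk, so it is worth confirming that nothing after this point still reads `pac`, since it is now NULL.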
|
||||||
|
|
|
@ -0,0 +1,57 @@
|
||||||
|
From b87a8ad335503759f1542d3e1466476860c85a19 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pavel Reichl <preichl@redhat.com>
|
||||||
|
Date: Tue, 22 Sep 2015 04:41:18 -0400
|
||||||
|
Subject: [PATCH 12/21] SDAP: Relax POSIX check
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Relax the check on UID or GID just to check if at least one of them is
|
||||||
|
present but do not require them to be positive numbers.
|
||||||
|
|
||||||
|
Add requirement on objectclass attributes to be user or group to make
|
||||||
|
check more reliable.
|
||||||
|
|
||||||
|
Resolves:
|
||||||
|
https://fedorahosted.org/sssd/ticket/2800
|
||||||
|
(cherry picked from commit 6735c0451d4e80d7cd4b480a8c1f7dafb2b536ea)
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
(cherry picked from commit cc04876ec64b338f61ca275386f70baf91ce700f)
|
||||||
|
---
|
||||||
|
src/providers/ldap/sdap_async.c | 10 ++++++----
|
||||||
|
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
|
||||||
|
index c30a457..006aa49 100644
|
||||||
|
--- a/src/providers/ldap/sdap_async.c
|
||||||
|
+++ b/src/providers/ldap/sdap_async.c
|
||||||
|
@@ -2373,9 +2373,12 @@ sdap_posix_check_send(TALLOC_CTX *memctx, struct tevent_context *ev,
|
||||||
|
state->attrs[2] = opts->group_map[SDAP_AT_GROUP_GID].name;
|
||||||
|
state->attrs[3] = NULL;
|
||||||
|
|
||||||
|
- state->filter = talloc_asprintf(state, "(|(%s=*)(%s=*))",
|
||||||
|
+ state->filter = talloc_asprintf(state,
|
||||||
|
+ "(|(&(%s=*)(objectclass=%s))(&(%s=*)(objectclass=%s)))",
|
||||||
|
opts->user_map[SDAP_AT_USER_UID].name,
|
||||||
|
- opts->group_map[SDAP_AT_GROUP_GID].name);
|
||||||
|
+ opts->user_map[SDAP_OC_USER].name,
|
||||||
|
+ opts->group_map[SDAP_AT_GROUP_GID].name,
|
||||||
|
+ opts->group_map[SDAP_OC_GROUP].name);
|
||||||
|
if (state->filter == NULL) {
|
||||||
|
ret = ENOMEM;
|
||||||
|
goto fail;
|
||||||
|
@@ -2458,9 +2461,8 @@ static errno_t sdap_posix_check_parse(struct sdap_handle *sh,
|
||||||
|
errno = 0;
|
||||||
|
strtouint32(vals[0]->bv_val, &endptr, 10);
|
||||||
|
if (errno || *endptr || (vals[0]->bv_val == endptr)) {
|
||||||
|
- DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||||
|
"POSIX attribute is not a number: %s\n", vals[0]->bv_val);
|
||||||
|
- goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
state->has_posix = true;
|
||||||
|
--
|
||||||
|
2.5.0
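Review bot: In the sdap_posix_check_parse hunk the `if (errno || *endptr || ...)` block now only logs and falls through to `state->has_posix = true;`, which reads like a dropped `goto`. Add a comment in the block, e.g. `/* Not fatal: the attribute being present is enough, its value need not parse as an ID */`. The `strtouint32()` result is discarded, so the call exists only to drive that log message, and the comment could say so too. Both functions continue outside the hunks.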
|
||||||
|
|
|
@ -0,0 +1,50 @@
|
||||||
|
From 6765f6226d293c30aa798ecb64c5d4826d7dfb2f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pavel Reichl <preichl@redhat.com>
|
||||||
|
Date: Thu, 3 Sep 2015 04:46:50 -0400
|
||||||
|
Subject: [PATCH 13/21] GPO: fix memory leak
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Resolves:
|
||||||
|
https://fedorahosted.org/sssd/ticket/2777
|
||||||
|
|
||||||
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||||
|
(cherry picked from commit 5dbdcc2c7210a0e3eb60ad1e85ba33f27d7faeda)
|
||||||
|
---
|
||||||
|
src/providers/ad/ad_gpo.c | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||||
|
index af864df..bde810a 100644
|
||||||
|
--- a/src/providers/ad/ad_gpo.c
|
||||||
|
+++ b/src/providers/ad/ad_gpo.c
|
||||||
|
@@ -557,14 +557,14 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
|
||||||
|
DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
"sysdb_initgroups failed: [%d](%s)\n",
|
||||||
|
ret, sss_strerror(ret));
|
||||||
|
- return ret;
|
||||||
|
+ goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (res->count == 0) {
|
||||||
|
ret = ENOENT;
|
||||||
|
DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
"sysdb_initgroups returned empty result\n");
|
||||||
|
- return ret;
|
||||||
|
+ goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
user_sid = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SID_STR, NULL);
|
||||||
|
@@ -599,7 +599,7 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
|
||||||
|
*_group_size = num_group_sids + 1;
|
||||||
|
*_group_sids = talloc_steal(mem_ctx, group_sids);
|
||||||
|
*_user_sid = talloc_steal(mem_ctx, user_sid);
|
||||||
|
- return EOK;
|
||||||
|
+ ret = EOK;
|
||||||
|
|
||||||
|
done:
|
||||||
|
talloc_free(tmp_ctx);
|
||||||
|
--
|
||||||
|
2.5.0
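Review bot: With `return EOK;` replaced by `ret = EOK;` the success path now runs `talloc_free(tmp_ctx)`, so everything handed back to the caller must already be parented to `mem_ctx`. The hunk shows `talloc_steal()` on the `group_sids` array and on `user_sid` only; the strings stored in `group_sids[]` are set outside the hunk, and if any of them is still a child of `tmp_ctx` the caller would receive freed memory. Please confirm they are allocated on (or stolen to) `group_sids` and record it above the two `talloc_steal()` lines, e.g. `/* group_sids[] entries are children of group_sids, so they move with it */`.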
|
||||||
|
|
|
@ -0,0 +1,63 @@
|
||||||
|
From 72315a4706e32001b9034b95ab7359a5ae92bc70 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Wed, 7 Oct 2015 15:22:34 +0200
|
||||||
|
Subject: [PATCH 14/21] nss: fix UPN lookups for sub-domain users
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Resolves https://fedorahosted.org/sssd/ticket/2827
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/db/sysdb_ops.c | 3 +--
|
||||||
|
src/responder/nss/nsssrv_cmd.c | 12 ++++++++++--
|
||||||
|
2 files changed, 11 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||||
|
index ea786d5..34f1832 100644
|
||||||
|
--- a/src/db/sysdb_ops.c
|
||||||
|
+++ b/src/db/sysdb_ops.c
|
||||||
|
@@ -494,8 +494,7 @@ int sysdb_search_user_by_upn(TALLOC_CTX *mem_ctx,
|
||||||
|
return ENOMEM;
|
||||||
|
}
|
||||||
|
|
||||||
|
- basedn = ldb_dn_new_fmt(tmp_ctx, domain->sysdb->ldb,
|
||||||
|
- SYSDB_TMPL_USER_BASE, domain->name);
|
||||||
|
+ basedn = sysdb_base_dn(domain->sysdb, tmp_ctx);
|
||||||
|
if (basedn == NULL) {
|
||||||
|
ret = ENOMEM;
|
||||||
|
goto done;
|
||||||
|
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
|
||||||
|
index 12134ce..4285473 100644
|
||||||
|
--- a/src/responder/nss/nsssrv_cmd.c
|
||||||
|
+++ b/src/responder/nss/nsssrv_cmd.c
|
||||||
|
@@ -849,7 +849,11 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
|
||||||
|
name, dom->name);
|
||||||
|
/* if a multidomain search, try with next */
|
||||||
|
if (cmdctx->check_next) {
|
||||||
|
- dom = get_next_domain(dom, false);
|
||||||
|
+ if (cmdctx->name_is_upn) {
|
||||||
|
+ dom = get_next_domain(dom, true);
|
||||||
|
+ } else {
|
||||||
|
+ dom = get_next_domain(dom, false);
|
||||||
|
+ }
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
/* There are no further domains or this was a
|
||||||
|
@@ -924,7 +928,11 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
|
||||||
|
|
||||||
|
/* if a multidomain search, try with next */
|
||||||
|
if (cmdctx->check_next) {
|
||||||
|
- dom = get_next_domain(dom, false);
|
||||||
|
+ if (cmdctx->name_is_upn) {
|
||||||
|
+ dom = get_next_domain(dom, true);
|
||||||
|
+ } else {
|
||||||
|
+ dom = get_next_domain(dom, false);
|
||||||
|
+ }
|
||||||
|
if (dom) continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.5.0
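Review bot: `sysdb_search_user_by_upn()` now starts from `sysdb_base_dn(domain->sysdb, tmp_ctx)` instead of the user container of `domain->name`, so the search is no longer confined to the domain that was passed in. The filter and the rest of the function are outside the hunk, so whether an entry from another domain in the same cache can be returned for `domain` cannot be seen from here. A comment on the new line, e.g. `/* UPN may belong to a sub-domain user: search the whole cache; callers must not assume the entry lives in 'domain' */`, would make that contract explicit. In nsssrv_cmd.c the two added `if`/`else` blocks differ only in the boolean and could be written as `dom = get_next_domain(dom, cmdctx->name_is_upn);`, provided `name_is_upn` is a bool.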
|
||||||
|
|
|
@ -0,0 +1,58 @@
|
||||||
|
From d1047cceb993b1e4c0ae3901f709ac17819423cf Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
||||||
|
Date: Thu, 15 Oct 2015 18:53:37 +0200
|
||||||
|
Subject: [PATCH 15/21] SSSDConfig: Do not raise exception if
|
||||||
|
config_file_version is missing
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Ticket:
|
||||||
|
https://fedorahosted.org/sssd/ticket/2837
|
||||||
|
|
||||||
|
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||||
|
(cherry picked from commit 6a044fa43d53638c1d0b874d43f58c0428820362)
|
||||||
|
(cherry picked from commit a2363aa5984a707b8834816ea8538fe7de250a63)
|
||||||
|
---
|
||||||
|
src/config/SSSDConfig/__init__.py.in | 8 ++++----
|
||||||
|
src/config/SSSDConfigTest.py | 5 -----
|
||||||
|
2 files changed, 4 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
||||||
|
index fc87a2b..626d0c7 100644
|
||||||
|
--- a/src/config/SSSDConfig/__init__.py.in
|
||||||
|
+++ b/src/config/SSSDConfig/__init__.py.in
|
||||||
|
@@ -1397,10 +1397,10 @@ class SSSDConfig(SSSDChangeConf):
|
||||||
|
try:
|
||||||
|
if int(self.get('sssd', 'config_file_version')) != self.API_VERSION:
|
||||||
|
raise ParsingError("Wrong config_file_version")
|
||||||
|
- except:
|
||||||
|
- # Either the 'sssd' section or the 'config_file_version' was not
|
||||||
|
- # present in the config file
|
||||||
|
- raise ParsingError("File contains no config_file_version")
|
||||||
|
+ except TypeError:
|
||||||
|
+ # This happens when config_file_version is missing. We
|
||||||
|
+ # can assume it is the default version and continue.
|
||||||
|
+ pass
|
||||||
|
|
||||||
|
def new_config(self):
|
||||||
|
"""
|
||||||
|
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
||||||
|
index 868d1a5..d303312 100755
|
||||||
|
--- a/src/config/SSSDConfigTest.py
|
||||||
|
+++ b/src/config/SSSDConfigTest.py
|
||||||
|
@@ -1213,11 +1213,6 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
|
||||||
|
srcdir + "/etc/sssd.api.d")
|
||||||
|
self.assertRaises(SSSDConfig.ParsingError, sssdconfig.import_config, srcdir + "/testconfigs/sssd-badversion.conf")
|
||||||
|
|
||||||
|
- # Negative Test - No config file version
|
||||||
|
- sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
|
||||||
|
- srcdir + "/etc/sssd.api.d")
|
||||||
|
- self.assertRaises(SSSDConfig.ParsingError, sssdconfig.import_config, srcdir + "/testconfigs/sssd-noversion.conf")
|
||||||
|
-
|
||||||
|
# Negative Test - Already initialized
|
||||||
|
sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
|
||||||
|
srcdir + "/etc/sssd.api.d")
|
||||||
|
--
|
||||||
|
2.5.0
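Review bot: In the `__init__.py.in` hunk, narrowing the handler to `except TypeError:` leaves the `int(...)` conversion unguarded for a non-numeric `config_file_version`, so such a file would surface as a bare `ValueError` instead of the module's `ParsingError`. The old catch-all turned that case into a `ParsingError` (with a misleading message), so callers that catch only `ParsingError` would now see a different exception type. Adding `except ValueError:` followed by `raise ParsingError("Wrong config_file_version")` keeps the error contract for malformed values. The enclosing method starts outside the hunk, and the assumption that a missing option makes `self.get()` return `None` (hence the `TypeError`) should be confirmed against `SSSDChangeConf.get`.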
|
||||||
|
|
|
@ -0,0 +1,60 @@
|
||||||
|
From 4e0a4a355c4f158f9e7b8e7cbac2f7d0378650a4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||||
|
Date: Thu, 15 Oct 2015 10:32:09 +0200
|
||||||
|
Subject: [PATCH 16/21] SSSDConfigTest: Try load saved config
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Python module SSSDConfig should be able to save configuration file
|
||||||
|
and later load the same configuration file without problem.
|
||||||
|
|
||||||
|
Unit test for:
|
||||||
|
https://fedorahosted.org/sssd/ticket/2837
|
||||||
|
|
||||||
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||||
|
(cherry picked from commit 87ef67286b64af98d32a3a5abcd28a9c2886f751)
|
||||||
|
(cherry picked from commit 69612bc5d0a9219ecccf3e8c6410059322aeecc6)
|
||||||
|
---
|
||||||
|
src/config/SSSDConfigTest.py | 12 +++++++++++-
|
||||||
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
||||||
|
index d303312..7bad874 100755
|
||||||
|
--- a/src/config/SSSDConfigTest.py
|
||||||
|
+++ b/src/config/SSSDConfigTest.py
|
||||||
|
@@ -150,10 +150,14 @@ class SSSDConfigTestValid(unittest.TestCase):
|
||||||
|
#non-owners, and should not be executable by anyone
|
||||||
|
self.assertFalse(S_IMODE(mode) & 0o177)
|
||||||
|
|
||||||
|
+ # try to import saved configuration file
|
||||||
|
+ config = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
|
||||||
|
+ srcdir + "/etc/sssd.api.d")
|
||||||
|
+ config.import_config(configfile=of)
|
||||||
|
+
|
||||||
|
#Remove the output file
|
||||||
|
os.unlink(of)
|
||||||
|
|
||||||
|
-
|
||||||
|
def testCreateNewLDAPConfig(self):
|
||||||
|
sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
|
||||||
|
srcdir + "/etc/sssd.api.d")
|
||||||
|
@@ -184,9 +188,15 @@ class SSSDConfigTestValid(unittest.TestCase):
|
||||||
|
#non-owners, and should not be executable by anyone
|
||||||
|
self.assertFalse(S_IMODE(mode) & 0o177)
|
||||||
|
|
||||||
|
+ # try to import saved configuration file
|
||||||
|
+ config = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
|
||||||
|
+ srcdir + "/etc/sssd.api.d")
|
||||||
|
+ config.import_config(configfile=of)
|
||||||
|
+
|
||||||
|
#Remove the output file
|
||||||
|
os.unlink(of)
|
||||||
|
|
||||||
|
+
|
||||||
|
def testModifyExistingConfig(self):
|
||||||
|
sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
|
||||||
|
srcdir + "/etc/sssd.api.d")
|
||||||
|
--
|
||||||
|
2.5.0
|
||||||
|
|
|
@ -0,0 +1,151 @@
|
||||||
|
From 523ed0ff50c2832e046fc87789561149e701e262 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||||
|
Date: Thu, 15 Oct 2015 11:04:06 +0200
|
||||||
|
Subject: [PATCH 17/21] SSSDConfigTest: Test real config without
|
||||||
|
config_file_version
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
src/config/testconfigs/sssd-valid.conf explicitly contains
|
||||||
|
config_file_version. Recently we changed the default value to 2
|
||||||
|
and therefore it needn't be listed in configuration file.
|
||||||
|
This patch test real sssd.conf without config_file_version.
|
||||||
|
|
||||||
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||||
|
(cherry picked from commit 7388fc91bd6c22705e60632346ec815f4a4963f1)
|
||||||
|
(cherry picked from commit b1c6767617c082de2521976175bc2f499ec295e9)
|
||||||
|
---
|
||||||
|
src/config/SSSDConfigTest.py | 85 ++++++++++++++++++++++++++++++
|
||||||
|
src/config/testconfigs/sssd-noversion.conf | 22 ++++++++
|
||||||
|
2 files changed, 107 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
||||||
|
index 7bad874..98101f6 100755
|
||||||
|
--- a/src/config/SSSDConfigTest.py
|
||||||
|
+++ b/src/config/SSSDConfigTest.py
|
||||||
|
@@ -1230,6 +1230,91 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
|
||||||
|
self.assertRaises(SSSDConfig.AlreadyInitializedError,
|
||||||
|
sssdconfig.import_config, srcdir + "/testconfigs/sssd-valid.conf")
|
||||||
|
|
||||||
|
+ def testImportConfigNoVersion(self):
|
||||||
|
+ # Positive Test
|
||||||
|
+ sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
|
||||||
|
+ srcdir + "/etc/sssd.api.d")
|
||||||
|
+ sssdconfig.import_config(
|
||||||
|
+ srcdir + "/testconfigs/sssd-noversion.conf"
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # Validate services
|
||||||
|
+ services = sssdconfig.list_services()
|
||||||
|
+ self.assertTrue('sssd' in services)
|
||||||
|
+ self.assertTrue('nss' in services)
|
||||||
|
+ self.assertTrue('pam' in services)
|
||||||
|
+ self.assertTrue('dp' in services)
|
||||||
|
+
|
||||||
|
+ #Verify service attributes
|
||||||
|
+ sssd_service = sssdconfig.get_service('sssd')
|
||||||
|
+ service_opts = sssd_service.list_options()
|
||||||
|
+
|
||||||
|
+ self.assertTrue('services' in service_opts.keys())
|
||||||
|
+ service_list = sssd_service.get_option('services')
|
||||||
|
+ self.assertTrue('nss' in service_list)
|
||||||
|
+ self.assertTrue('pam' in service_list)
|
||||||
|
+ self.assertTrue('reconnection_retries' in service_opts)
|
||||||
|
+
|
||||||
|
+ #Validate domain list
|
||||||
|
+ domains = sssdconfig.list_domains()
|
||||||
|
+ self.assertTrue('LOCAL' in domains)
|
||||||
|
+ self.assertTrue('LDAP' in domains)
|
||||||
|
+ self.assertTrue('PROXY' in domains)
|
||||||
|
+ self.assertTrue('IPA' in domains)
|
||||||
|
+
|
||||||
|
+ # Verify domain attributes
|
||||||
|
+ ipa_domain = sssdconfig.get_domain('IPA')
|
||||||
|
+ domain_opts = ipa_domain.list_options()
|
||||||
|
+ self.assertTrue('debug_level' in domain_opts.keys())
|
||||||
|
+ self.assertTrue('id_provider' in domain_opts.keys())
|
||||||
|
+ self.assertTrue('auth_provider' in domain_opts.keys())
|
||||||
|
+
|
||||||
|
+ # Verify domain attributes
|
||||||
|
+ proxy_domain = sssdconfig.get_domain('PROXY')
|
||||||
|
+ domain_opts = proxy_domain.list_options()
|
||||||
|
+ self.assertTrue('debug_level' in domain_opts.keys())
|
||||||
|
+ self.assertTrue('id_provider' in domain_opts.keys())
|
||||||
|
+ self.assertTrue('auth_provider' in domain_opts.keys())
|
||||||
|
+
|
||||||
|
+ # Verify domain attributes
|
||||||
|
+ local_domain = sssdconfig.get_domain('LOCAL')
|
||||||
|
+ domain_opts = local_domain.list_options()
|
||||||
|
+ self.assertTrue('debug_level' in domain_opts.keys())
|
||||||
|
+ self.assertTrue('id_provider' in domain_opts.keys())
|
||||||
|
+ self.assertTrue('auth_provider' in domain_opts.keys())
|
||||||
|
+
|
||||||
|
+ # Verify domain attributes
|
||||||
|
+ ldap_domain = sssdconfig.get_domain('LDAP')
|
||||||
|
+ domain_opts = ldap_domain.list_options()
|
||||||
|
+ self.assertTrue('debug_level' in domain_opts.keys())
|
||||||
|
+ self.assertTrue('id_provider' in domain_opts.keys())
|
||||||
|
+ self.assertTrue('auth_provider' in domain_opts.keys())
|
||||||
|
+
|
||||||
|
+ domain_control_list = [
|
||||||
|
+ 'cache_credentials',
|
||||||
|
+ 'id_provider',
|
||||||
|
+ 'auth_provider',
|
||||||
|
+ 'access_provider',
|
||||||
|
+ 'default_shell',
|
||||||
|
+ 'fallback_homedir',
|
||||||
|
+ 'cache_credentials',
|
||||||
|
+ 'use_fully_qualified_names',
|
||||||
|
+ ]
|
||||||
|
+
|
||||||
|
+ ad_domain = sssdconfig.get_domain("ad.example.com")
|
||||||
|
+
|
||||||
|
+ for option in ad_domain.get_all_options():
|
||||||
|
+ self.assertTrue(option in domain_control_list)
|
||||||
|
+
|
||||||
|
+ negative_domain_control_list = [
|
||||||
|
+ 'ad_server',
|
||||||
|
+ 'ldap_id_mapping',
|
||||||
|
+ 'ldap_sasl_authid',
|
||||||
|
+ ]
|
||||||
|
+
|
||||||
|
+ for option in ad_domain.get_all_options():
|
||||||
|
+ self.assertFalse(option in negative_domain_control_list)
|
||||||
|
+
|
||||||
|
def testNewConfig(self):
|
||||||
|
# Positive Test
|
||||||
|
sssdconfig = SSSDConfig.SSSDConfig(srcdir + "/etc/sssd.api.conf",
|
||||||
|
diff --git a/src/config/testconfigs/sssd-noversion.conf b/src/config/testconfigs/sssd-noversion.conf
|
||||||
|
index 71af85c..d5f524d 100644
|
||||||
|
--- a/src/config/testconfigs/sssd-noversion.conf
|
||||||
|
+++ b/src/config/testconfigs/sssd-noversion.conf
|
||||||
|
@@ -39,3 +39,25 @@ debug_level = 0
|
||||||
|
[dp]
|
||||||
|
debug_level = 0
|
||||||
|
|
||||||
|
+[domain/ad.example.com]
|
||||||
|
+cache_credentials = true
|
||||||
|
+
|
||||||
|
+id_provider = ad
|
||||||
|
+auth_provider = ad
|
||||||
|
+access_provider = ad
|
||||||
|
+
|
||||||
|
+# Uncomment if service discovery is not working
|
||||||
|
+# ad_server = server.ad.example.com
|
||||||
|
+
|
||||||
|
+# Uncomment if you want to use POSIX UIDs and GIDs set on the AD side
|
||||||
|
+# ldap_id_mapping = False
|
||||||
|
+
|
||||||
|
+# Comment out if the users have the shell and home dir set on the AD side
|
||||||
|
+default_shell = /bin/bash
|
||||||
|
+fallback_homedir = /home/%d/%u
|
||||||
|
+
|
||||||
|
+# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
|
||||||
|
+# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM
|
||||||
|
+
|
||||||
|
+# Comment out if you prefer to user shortnames.
|
||||||
|
+use_fully_qualified_names = True
|
||||||
|
--
|
||||||
|
2.5.0
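Review bot: In `testImportConfigNoVersion`, `domain_control_list` names `'cache_credentials'` twice, and the second loop over `negative_domain_control_list` cannot fail once the first loop has passed, because every option was already required to be in the positive list and the two lists share no entry. Dropping the duplicate and asserting the excluded names directly, e.g. `self.assertFalse('ad_server' in ad_domain.get_all_options())`, would make the commented-out options in `sssd-noversion.conf` the thing actually under test. The positive loop also passes vacuously if `get_all_options()` returns nothing, so an explicit `self.assertTrue('id_provider' in ad_domain.get_all_options())` would tighten it.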
|
||||||
|
|
|
@ -0,0 +1,29 @@
|
||||||
|
From 16e6d7ffedb52030f0301590f8c63beef44d7e96 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||||
|
Date: Mon, 26 Oct 2015 07:00:50 +0100
|
||||||
|
Subject: [PATCH 18/21] BUILD: Accept krb5 1.14 for building the PAC plugin
|
||||||
|
|
||||||
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||||
|
(cherry picked from commit 8fe87c3d35bf301cbb6ed7d441b588327d831924)
|
||||||
|
(cherry picked from commit 3dd118ee870d4370e8bfff8bd71d7e9954ccac06)
|
||||||
|
---
|
||||||
|
src/external/pac_responder.m4 | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
|
||||||
|
index b57305c..5c4239a 100644
|
||||||
|
--- a/src/external/pac_responder.m4
|
||||||
|
+++ b/src/external/pac_responder.m4
|
||||||
|
@@ -22,7 +22,8 @@ then
|
||||||
|
Kerberos\ 5\ release\ 1.10* | \
|
||||||
|
Kerberos\ 5\ release\ 1.11* | \
|
||||||
|
Kerberos\ 5\ release\ 1.12* | \
|
||||||
|
- Kerberos\ 5\ release\ 1.13*)
|
||||||
|
+ Kerberos\ 5\ release\ 1.13* | \
|
||||||
|
+ Kerberos\ 5\ release\ 1.14*)
|
||||||
|
krb5_version_ok=yes
|
||||||
|
AC_MSG_RESULT([yes])
|
||||||
|
;;
|
||||||
|
--
|
||||||
|
2.5.0
|
||||||
|
|
|
@ -0,0 +1,112 @@
|
||||||
|
From d453aacfbc937ceb87b9fd73c72d0bfe6699c005 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||||
|
Date: Thu, 22 Oct 2015 10:30:12 +0200
|
||||||
|
Subject: [PATCH 19/21] LDAP: Fix leak of file descriptors
|
||||||
|
|
||||||
|
The state "struct sss_ldap_init_state" contains socket
|
||||||
|
created in function sss_ldap_init_send. We register callback
|
||||||
|
sdap_async_sys_connect_timeout for handling issue with connection
|
||||||
|
|
||||||
|
The tevent request "sss_ldap_init_send" is usually (nested) subrequest
|
||||||
|
of "struct resolve_service_state" related request created in fucntion
|
||||||
|
fo_resolve_service_send. Function fo_resolve_service_send also register
|
||||||
|
timeout callback fo_resolve_service_timeout to state "struct
|
||||||
|
resolve_service_state".
|
||||||
|
|
||||||
|
It might happen that fo_resolve_service_timeout will be called before
|
||||||
|
sss_ldap_init_send timeout and we could not handle tiemout error
|
||||||
|
for state "struct sss_ldap_init_state" and therefore created socket
|
||||||
|
was not closed.
|
||||||
|
|
||||||
|
We tried to release resources in function sdap_handle_release.
|
||||||
|
But the structure "struct sdap_handle" had not been initialized yet
|
||||||
|
with LDAP handle and therefore associated file descriptor could not be closed.
|
||||||
|
|
||||||
|
[fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
|
||||||
|
[fo_resolve_service_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[110]
|
||||||
|
[sdap_handle_release] (0x2000): Trace: sh[0x7f6713410270], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory
|
||||||
|
[be_resolve_server_done] (0x1000): Server resolution failed: 14
|
||||||
|
[be_resolve_server_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[14]
|
||||||
|
[check_online_callback] (0x0100): Backend returned: (1, 0, <NULL>) [Provider is Offline (Success)]
|
||||||
|
|
||||||
|
Resolves:
|
||||||
|
https://fedorahosted.org/sssd/ticket/2792
|
||||||
|
|
||||||
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||||
|
(cherry picked from commit a10f67d4c64f3b1243de5d86a996475361adf0ac)
|
||||||
|
(cherry picked from commit db2fdba6f3cecd0612439988e61be60d5d8576bf)
|
||||||
|
---
|
||||||
|
src/util/sss_ldap.c | 29 +++++++++++++++++++++--------
|
||||||
|
1 file changed, 21 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/util/sss_ldap.c b/src/util/sss_ldap.c
|
||||||
|
index dd63b4b..f42f940 100644
|
||||||
|
--- a/src/util/sss_ldap.c
|
||||||
|
+++ b/src/util/sss_ldap.c
|
||||||
|
@@ -304,6 +304,22 @@ struct sss_ldap_init_state {
|
||||||
|
#endif
|
||||||
|
};
|
||||||
|
|
||||||
|
+static int sss_ldap_init_state_destructor(void *data)
|
||||||
|
+{
|
||||||
|
+ struct sss_ldap_init_state *state = (struct sss_ldap_init_state *)data;
|
||||||
|
+
|
||||||
|
+ if (state->ldap) {
|
||||||
|
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||||
|
+ "calling ldap_unbind_ext for ldap:[%p] sd:[%d]\n",
|
||||||
|
+ state->ldap, state->sd);
|
||||||
|
+ ldap_unbind_ext(state->ldap, NULL, NULL);
|
||||||
|
+ } else if (state->sd != -1) {
|
||||||
|
+ DEBUG(SSSDBG_TRACE_FUNC, "closing socket [%d]\n", state->sd);
|
||||||
|
+ close(state->sd);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
|
||||||
|
struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx,
|
||||||
|
struct tevent_context *ev,
|
||||||
|
@@ -321,6 +337,8 @@ struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx,
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ talloc_set_destructor((TALLOC_CTX *)state, sss_ldap_init_state_destructor);
|
||||||
|
+
|
||||||
|
state->ldap = NULL;
|
||||||
|
state->uri = uri;
|
||||||
|
|
||||||
|
@@ -370,9 +388,6 @@ struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx,
|
||||||
|
return req;
|
||||||
|
|
||||||
|
fail:
|
||||||
|
- if(state->sd >= 0) {
|
||||||
|
- close(state->sd);
|
||||||
|
- }
|
||||||
|
tevent_req_error(req, ret);
|
||||||
|
#else
|
||||||
|
DEBUG(SSSDBG_MINOR_FAILURE, "ldap_init_fd not available, "
|
||||||
|
@@ -455,11 +470,6 @@ static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq)
|
||||||
|
return;
|
||||||
|
|
||||||
|
fail:
|
||||||
|
- if (state->ldap) {
|
||||||
|
- ldap_unbind_ext(state->ldap, NULL, NULL);
|
||||||
|
- } else {
|
||||||
|
- close(state->sd);
|
||||||
|
- }
|
||||||
|
tevent_req_error(req, ret);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
@@ -470,6 +480,9 @@ int sss_ldap_init_recv(struct tevent_req *req, LDAP **ldap, int *sd)
|
||||||
|
struct sss_ldap_init_state);
|
||||||
|
TEVENT_REQ_RETURN_ON_ERROR(req);
|
||||||
|
|
||||||
|
+ /* Everything went well therefore we do not want to release resources */
|
||||||
|
+ talloc_set_destructor(state, NULL);
|
||||||
|
+
|
||||||
|
*ldap = state->ldap;
|
||||||
|
*sd = state->sd;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.5.0
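Review bot: The new destructor `sss_ldap_init_state_destructor` treats `state->sd != -1` as "socket open", but it is registered in `sss_ldap_init_send` before the hunk shows any assignment to `state->sd`. If the state is zero-filled on creation (not visible here, to be confirmed), freeing it before `sd` is set would call `close(0)` on a descriptor this request never opened. Setting `state->sd = -1;` next to `state->ldap = NULL;`, right after the `talloc_set_destructor(...)` call, makes the sentinel explicit on every path, including the `#else` branch. A one-line comment in `sss_ldap_init_recv` saying that clearing the destructor hands the LDAP handle and descriptor over to the caller would also help. Both functions extend beyond the hunks shown.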
|
||||||
|
|
|
@ -0,0 +1,57 @@
|
||||||
|
From 11b7c82c2283993cc3fef0abeb598ee9f48eb310 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||||
|
Date: Fri, 6 Nov 2015 08:48:05 +0100
|
||||||
|
Subject: [PATCH 20/21] sss_client: Fix underflow of active_threads
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
If the memory cache was not initialized and there was a failure in
|
||||||
|
initialisation of memory cache context (e.g. memory cache file
|
||||||
|
does not exist) then mc_context had to be destroyed to release
|
||||||
|
resources.
|
||||||
|
|
||||||
|
However the count of active threads in sss_cli_mc_ctx is already higher
|
||||||
|
than zero because current thread is working wih the mc_context.
|
||||||
|
But this counter was zero-ed with memset in sss_nss_mc_destroy_ctx
|
||||||
|
due to issue with initialisation of memory cache.
|
||||||
|
Then we have to decrease counter of active thread in function
|
||||||
|
sss_nss_mc_get_ctx because initialisation of mc failed.
|
||||||
|
And the result of this decrement is underflow of counter.
|
||||||
|
|
||||||
|
Related to:
|
||||||
|
https://fedorahosted.org/sssd/ticket/2726
|
||||||
|
|
||||||
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||||
|
(cherry picked from commit d4ff84434265dc959098ccfd4e8cd5d61d9052c9)
|
||||||
|
(cherry picked from commit 01c888be345ed8e77d97a83ed0bf4f57b3e5c740)
|
||||||
|
---
|
||||||
|
src/sss_client/nss_mc_common.c | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
|
||||||
|
index 89ff6b4..182cc6d 100644
|
||||||
|
--- a/src/sss_client/nss_mc_common.c
|
||||||
|
+++ b/src/sss_client/nss_mc_common.c
|
||||||
|
@@ -104,6 +104,8 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
|
||||||
|
|
||||||
|
static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
|
||||||
|
{
|
||||||
|
+ uint32_t active_threads = ctx->active_threads;
|
||||||
|
+
|
||||||
|
if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) {
|
||||||
|
munmap(ctx->mmap_base, ctx->mmap_size);
|
||||||
|
}
|
||||||
|
@@ -112,6 +114,9 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
|
||||||
|
}
|
||||||
|
memset(ctx, 0, sizeof(struct sss_cli_mc_ctx));
|
||||||
|
ctx->fd = -1;
|
||||||
|
+
|
||||||
|
+ /* restore count of active threads */
|
||||||
|
+ ctx->active_threads = active_threads;
|
||||||
|
}
|
||||||
|
|
||||||
|
static errno_t sss_nss_mc_init_ctx(const char *name,
|
||||||
|
--
|
||||||
|
2.5.0
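Review bot: `sss_nss_mc_destroy_ctx` now has a hidden contract, resetting every field except `active_threads`, and the only hint is the short comment above the restore. A function-level comment such as `/* Reset ctx to its unused state; active_threads is kept because callers still inside the context will decrement it later. */` would stop a later cleanup from folding the save/restore back into the `memset`. The local copy is declared `uint32_t`, which would silently truncate if the struct field is wider, and the snapshot/restore pair is only safe if the caller already holds whatever lock guards the counter. Neither the field type nor the locking is visible in this hunk.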
|
||||||
|
|
|
@ -0,0 +1,51 @@
|
||||||
|
From 356f7e9ad047f66af55c7a1d783b98118fddbb92 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||||
|
Date: Fri, 6 Nov 2015 09:39:05 +0100
|
||||||
|
Subject: [PATCH 21/21] sssd_client: Do not use removed memory cache
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Resolves:
|
||||||
|
https://fedorahosted.org/sssd/ticket/2726
|
||||||
|
|
||||||
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||||
|
(cherry picked from commit c269ca2669706bddb25c5938b50277b0c0a94ea4)
|
||||||
|
(cherry picked from commit e360fa6e91ee3500435e85b9c51c4932d2b99f33)
|
||||||
|
---
|
||||||
|
src/sss_client/nss_mc_common.c | 12 ++++++++++++
|
||||||
|
1 file changed, 12 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
|
||||||
|
index 182cc6d..b56ab8f 100644
|
||||||
|
--- a/src/sss_client/nss_mc_common.c
|
||||||
|
+++ b/src/sss_client/nss_mc_common.c
|
||||||
|
@@ -60,6 +60,8 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
|
||||||
|
struct sss_mc_header h;
|
||||||
|
bool copy_ok;
|
||||||
|
int count;
|
||||||
|
+ int ret;
|
||||||
|
+ struct stat fdstat;
|
||||||
|
|
||||||
|
/* retry barrier protected reading max 5 times then give up */
|
||||||
|
for (count = 5; count > 0; count--) {
|
||||||
|
@@ -99,6 +101,16 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ ret = fstat(ctx->fd, &fdstat);
|
||||||
|
+ if (ret == -1) {
|
||||||
|
+ return EIO;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (fdstat.st_nlink == 0) {
|
||||||
|
+ /* memory cache was removed; we need to reinitialize it. */
|
||||||
|
+ return EINVAL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.5.0
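Review bot: The added `fstat()` block in `sss_nss_check_header` returns `EIO` for any `fstat` failure and `EINVAL` when `st_nlink == 0`, but nothing in the hunk says how callers are expected to react to each code. If the caller tears the context down and re-initialises on any non-zero return (not visible here), a comment at the top of the function should state that. It is also worth confirming that `<sys/stat.h>` is already included in `nss_mc_common.c`, since the hunk introduces `struct stat` without touching the include list. The check adds one system call to every header validation, which deserves a mention in the comment if this function sits on the cache's lookup path.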
|
||||||
|
|
2
sources
2
sources
|
@ -1 +1 @@
|
||||||
f313613db186d478e9b40e10506c8838 sssd-1.12.0.tar.gz
|
4439852e76e221c9bcd60a8586c136e2 sssd-1.12.5.tar.gz
|
||||||
|
|
313
sssd.spec
313
sssd.spec
|
@ -1,19 +1,34 @@
|
||||||
|
%global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//')
|
||||||
|
|
||||||
# we don't want to provide private python extension libs
|
# we don't want to provide private python extension libs
|
||||||
%define __provides_exclude_from %{python_sitearch}/.*\.so$
|
%define __provides_exclude_from %{python_sitearch}/.*\.so$|%{_libdir}/%{name}/modules/libwbclient.so.*$
|
||||||
%define _hardened_build 1
|
%define _hardened_build 1
|
||||||
|
|
||||||
%if (0%{?fedora} >= 17 || 0%{?rhel} >= 7)
|
|
||||||
%global with_cifs_utils_plugin 1
|
|
||||||
%else
|
|
||||||
%global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# Determine the location of the LDB modules directory
|
# Determine the location of the LDB modules directory
|
||||||
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
|
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
|
||||||
%global ldb_version 1.1.17
|
%global ldb_version 1.1.17
|
||||||
|
|
||||||
|
%if (0%{?fedora} || 0%{?rhel} >= 7)
|
||||||
|
%global with_cifs_utils_plugin 1
|
||||||
|
%else
|
||||||
|
%global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if (0%{?fedora} >= 21 || (0%{?rhel} == 7 && 0%{?rhel7_minor} >= 1))
|
||||||
|
%global with_krb5_localauth_plugin 1
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
|
%global libwbc_alternatives_version 0.11
|
||||||
|
%global libwbc_lib_version 0.12.0
|
||||||
|
%global libwbc_alternatives_suffix %nil
|
||||||
|
%if 0%{?__isa_bits} == 64
|
||||||
|
%global libwbc_alternatives_suffix -64
|
||||||
|
%endif
|
||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 1.12.0
|
Version: 1.12.5
|
||||||
Release: 5%{?dist}
|
Release: 5%{?dist}
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
|
@ -23,6 +38,27 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
|
||||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||||
|
|
||||||
### Patches ###
|
### Patches ###
|
||||||
|
Patch0001: 0001-SDAP-Remove-user-from-cache-for-missing-user-in-LDAP.patch
|
||||||
|
Patch0002: 0002-sss_client-Update-integrity-check-of-records-in-mmap.patch
|
||||||
|
Patch0003: 0003-BUILD-Repair-dependecies-on-deprecated-libraries.patch
|
||||||
|
Patch0004: 0004-SPEC-Workaround-for-build-with-rpm-4.13.patch
|
||||||
|
Patch0005: 0005-CONFDB-Assume-config-file-version-2-if-missing.patch
|
||||||
|
Patch0006: 0006-SYSDB-Index-the-objectSIDString-attribute.patch
|
||||||
|
Patch0007: 0007-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch
|
||||||
|
Patch0008: 0008-SPEC-Update-spec-file-for-krb5_local_auth_plugin.patch
|
||||||
|
Patch0009: 0009-LDAP-Sanitize-group-dn-before-using-in-filter.patch
|
||||||
|
Patch0010: 0010-tests-check-special-characters-in-cleanup_groups.patch
|
||||||
|
Patch0011: 0011-Fix-memory-leak-in-sssdpac_verify.patch
|
||||||
|
Patch0012: 0012-SDAP-Relax-POSIX-check.patch
|
||||||
|
Patch0013: 0013-GPO-fix-memory-leak.patch
|
||||||
|
Patch0014: 0014-nss-fix-UPN-lookups-for-sub-domain-users.patch
|
||||||
|
Patch0015: 0015-SSSDConfig-Do-not-raise-exception-if-config_file_ver.patch
|
||||||
|
Patch0016: 0016-SSSDConfigTest-Try-load-saved-config.patch
|
||||||
|
Patch0017: 0017-SSSDConfigTest-Test-real-config-without-config_file_.patch
|
||||||
|
Patch0018: 0018-BUILD-Accept-krb5-1.14-for-building-the-PAC-plugin.patch
|
||||||
|
Patch0019: 0019-LDAP-Fix-leak-of-file-descriptors.patch
|
||||||
|
Patch0020: 0020-sss_client-Fix-underflow-of-active_threads.patch
|
||||||
|
Patch0021: 0021-sssd_client-Do-not-use-removed-memory-cache.patch
|
||||||
|
|
||||||
### Dependencies ###
|
### Dependencies ###
|
||||||
Requires: sssd-common = %{version}-%{release}
|
Requires: sssd-common = %{version}-%{release}
|
||||||
|
@ -40,6 +76,7 @@ Requires: python-sssdconfig = %{version}-%{release}
|
||||||
%global pipepath %{sssdstatedir}/pipes
|
%global pipepath %{sssdstatedir}/pipes
|
||||||
%global mcpath %{sssdstatedir}/mc
|
%global mcpath %{sssdstatedir}/mc
|
||||||
%global pubconfpath %{sssdstatedir}/pubconf
|
%global pubconfpath %{sssdstatedir}/pubconf
|
||||||
|
%global gpocachepath %{sssdstatedir}/gpo_cache
|
||||||
|
|
||||||
### Build Dependencies ###
|
### Build Dependencies ###
|
||||||
|
|
||||||
|
@ -56,7 +93,7 @@ BuildRequires: libtdb-devel
|
||||||
BuildRequires: libldb-devel = %{ldb_version}
|
BuildRequires: libldb-devel = %{ldb_version}
|
||||||
BuildRequires: libdhash-devel >= 0.4.2
|
BuildRequires: libdhash-devel >= 0.4.2
|
||||||
BuildRequires: libcollection-devel
|
BuildRequires: libcollection-devel
|
||||||
BuildRequires: libini_config-devel >= 1.0.0.1
|
BuildRequires: libini_config-devel >= 1.1
|
||||||
BuildRequires: dbus-devel
|
BuildRequires: dbus-devel
|
||||||
BuildRequires: dbus-libs
|
BuildRequires: dbus-libs
|
||||||
BuildRequires: openldap-devel
|
BuildRequires: openldap-devel
|
||||||
|
@ -67,7 +104,11 @@ BuildRequires: pcre-devel
|
||||||
BuildRequires: libxslt
|
BuildRequires: libxslt
|
||||||
BuildRequires: libxml2
|
BuildRequires: libxml2
|
||||||
BuildRequires: docbook-style-xsl
|
BuildRequires: docbook-style-xsl
|
||||||
BuildRequires: krb5-devel >= 1.10
|
%if (0%{?with_krb5_localauth_plugin} == 1)
|
||||||
|
BuildRequires: krb5-devel >= 1.12
|
||||||
|
%else
|
||||||
|
BuildRequires: krb5-devel
|
||||||
|
%endif
|
||||||
BuildRequires: c-ares-devel
|
BuildRequires: c-ares-devel
|
||||||
BuildRequires: python-devel
|
BuildRequires: python-devel
|
||||||
BuildRequires: check-devel
|
BuildRequires: check-devel
|
||||||
|
@ -76,31 +117,37 @@ BuildRequires: libselinux-devel
|
||||||
BuildRequires: libsemanage-devel
|
BuildRequires: libsemanage-devel
|
||||||
BuildRequires: bind-utils
|
BuildRequires: bind-utils
|
||||||
BuildRequires: keyutils-libs-devel
|
BuildRequires: keyutils-libs-devel
|
||||||
BuildRequires: libnl3-devel
|
|
||||||
BuildRequires: gettext-devel
|
BuildRequires: gettext-devel
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: glib2-devel
|
|
||||||
BuildRequires: diffstat
|
BuildRequires: diffstat
|
||||||
BuildRequires: findutils
|
BuildRequires: findutils
|
||||||
BuildRequires: samba4-devel >= 4.0.0-59beta2
|
BuildRequires: glib2-devel
|
||||||
BuildRequires: selinux-policy-targeted
|
BuildRequires: selinux-policy-targeted
|
||||||
BuildRequires: systemd-devel
|
|
||||||
BuildRequires: libsmbclient-devel
|
|
||||||
%ifarch %{ix86} x86_64 %{arm}
|
%ifarch %{ix86} x86_64 %{arm}
|
||||||
BuildRequires: libcmocka-devel
|
BuildRequires: libcmocka-devel
|
||||||
%endif
|
%endif
|
||||||
|
%if (0%{?fedora} >= 20)
|
||||||
|
BuildRequires: uid_wrapper
|
||||||
|
BuildRequires: nss_wrapper
|
||||||
|
%endif
|
||||||
|
BuildRequires: libnl3-devel
|
||||||
|
BuildRequires: systemd-devel
|
||||||
%if (0%{?with_cifs_utils_plugin} == 1)
|
%if (0%{?with_cifs_utils_plugin} == 1)
|
||||||
BuildRequires: cifs-utils-devel
|
BuildRequires: cifs-utils-devel
|
||||||
%endif
|
%endif
|
||||||
|
BuildRequires: libnfsidmap-devel
|
||||||
|
|
||||||
|
BuildRequires: samba4-devel >= 4.0.0-59beta2
|
||||||
|
BuildRequires: libsmbclient-devel
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Provides a set of daemons to manage access to remote directories and
|
Provides a set of daemons to manage access to remote directories and
|
||||||
authentication mechanisms. It provides an NSS and PAM interface toward
|
authentication mechanisms. It provides an NSS and PAM interface toward
|
||||||
the system and a pluggable backend system to connect to multiple different
|
the system and a plug-gable back-end system to connect to multiple different
|
||||||
account sources. It is also the basis to provide client auditing and policy
|
account sources. It is also the basis to provide client auditing and policy
|
||||||
services for projects like FreeIPA.
|
services for projects like FreeIPA.
|
||||||
|
|
||||||
The sssd subpackage is a meta-package that contains the deamon as well as all
|
The sssd sub-package is a meta-package that contains the daemon as well as all
|
||||||
the existing back ends.
|
the existing back ends.
|
||||||
|
|
||||||
%package common
|
%package common
|
||||||
|
@ -137,7 +184,7 @@ Obsoletes: libsss_autofs <= 1.10.0-7%{?dist}.beta1
|
||||||
%description common
|
%description common
|
||||||
Common files for the SSSD. The common package includes all the files needed
|
Common files for the SSSD. The common package includes all the files needed
|
||||||
to run a particular back end, however, the back ends are packaged in separate
|
to run a particular back end, however, the back ends are packaged in separate
|
||||||
subpackages such as sssd-ldap.
|
sub-packages such as sssd-ldap.
|
||||||
|
|
||||||
%package client
|
%package client
|
||||||
Summary: SSSD Client libraries for NSS and PAM
|
Summary: SSSD Client libraries for NSS and PAM
|
||||||
|
@ -212,8 +259,6 @@ Requires: sssd-krb5-common = %{version}-%{release}
|
||||||
Provides the Kerberos back end that the SSSD can utilize authenticate
|
Provides the Kerberos back end that the SSSD can utilize authenticate
|
||||||
against a Kerberos server.
|
against a Kerberos server.
|
||||||
|
|
||||||
# RHEL 5 is too old to support the PAC responder
|
|
||||||
%if !0%{?is_rhel5}
|
|
||||||
%package common-pac
|
%package common-pac
|
||||||
Summary: Common files needed for supporting PAC processing
|
Summary: Common files needed for supporting PAC processing
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
|
@ -223,7 +268,6 @@ Requires: sssd-common = %{version}-%{release}
|
||||||
%description common-pac
|
%description common-pac
|
||||||
Provides common files needed by SSSD providers such as IPA and Active Directory
|
Provides common files needed by SSSD providers such as IPA and Active Directory
|
||||||
for handling Kerberos PACs.
|
for handling Kerberos PACs.
|
||||||
%endif #is_rhel5
|
|
||||||
|
|
||||||
%package ipa
|
%package ipa
|
||||||
Summary: The IPA back end of the SSSD
|
Summary: The IPA back end of the SSSD
|
||||||
|
@ -234,10 +278,7 @@ Requires: sssd-common = %{version}-%{release}
|
||||||
Requires: sssd-krb5-common = %{version}-%{release}
|
Requires: sssd-krb5-common = %{version}-%{release}
|
||||||
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
|
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
|
||||||
Requires: bind-utils
|
Requires: bind-utils
|
||||||
# RHEL 5 is too old to support the PAC responder
|
|
||||||
%if !0%{?is_rhel5}
|
|
||||||
Requires: sssd-common-pac = %{version}-%{release}
|
Requires: sssd-common-pac = %{version}-%{release}
|
||||||
%endif
|
|
||||||
|
|
||||||
%description ipa
|
%description ipa
|
||||||
Provides the IPA back end that the SSSD can utilize to fetch identity data
|
Provides the IPA back end that the SSSD can utilize to fetch identity data
|
||||||
|
@ -251,10 +292,7 @@ Conflicts: sssd < 1.10.0-8.beta2
|
||||||
Requires: sssd-common = %{version}-%{release}
|
Requires: sssd-common = %{version}-%{release}
|
||||||
Requires: sssd-krb5-common = %{version}-%{release}
|
Requires: sssd-krb5-common = %{version}-%{release}
|
||||||
Requires: bind-utils
|
Requires: bind-utils
|
||||||
# RHEL 5 is too old to support the PAC responder
|
|
||||||
%if !0%{?is_rhel5}
|
|
||||||
Requires: sssd-common-pac = %{version}-%{release}
|
Requires: sssd-common-pac = %{version}-%{release}
|
||||||
%endif
|
|
||||||
|
|
||||||
%description ad
|
%description ad
|
||||||
Provides the Active Directory back end that the SSSD can utilize to fetch
|
Provides the Active Directory back end that the SSSD can utilize to fetch
|
||||||
|
@ -364,6 +402,7 @@ Summary: The SSSD D-Bus responder helper library
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
Requires: dbus-libs
|
Requires: dbus-libs
|
||||||
|
Requires: sssd-dbus = %{version}-%{release}
|
||||||
Requires(post): /sbin/ldconfig
|
Requires(post): /sbin/ldconfig
|
||||||
Requires(postun): /sbin/ldconfig
|
Requires(postun): /sbin/ldconfig
|
||||||
|
|
||||||
|
@ -380,6 +419,25 @@ Requires: libsss_simpleifp = %{version}-%{release}
|
||||||
%description -n libsss_simpleifp-devel
|
%description -n libsss_simpleifp-devel
|
||||||
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
|
Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
|
||||||
|
|
||||||
|
%package libwbclient
|
||||||
|
Summary: The SSSD libwbclient implementation
|
||||||
|
Group: Applications/System
|
||||||
|
License: GPLv3+ and LGPLv3+
|
||||||
|
Conflicts: libwbclient < 4.1.12
|
||||||
|
|
||||||
|
%description libwbclient
|
||||||
|
The SSSD libwbclient implementation.
|
||||||
|
|
||||||
|
%package libwbclient-devel
|
||||||
|
Summary: Development libraries for the SSSD libwbclient implementation
|
||||||
|
Group: Development/Libraries
|
||||||
|
License: GPLv3+ and LGPLv3+
|
||||||
|
Requires: sssd-libwbclient = %{version}-%{release}
|
||||||
|
Conflicts: libwbclient < 4.1.12
|
||||||
|
|
||||||
|
%description libwbclient-devel
|
||||||
|
Development libraries for the SSSD libwbclient implementation.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
# Update timestamps on the files touched by a patch, to avoid non-equal
|
# Update timestamps on the files touched by a patch, to avoid non-equal
|
||||||
# .pyc/.pyo files across the multilib peers within a build, where "Level"
|
# .pyc/.pyo files across the multilib peers within a build, where "Level"
|
||||||
|
@ -405,28 +463,32 @@ done
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf -ivf
|
autoreconf -ivf
|
||||||
|
|
||||||
%configure \
|
%configure \
|
||||||
|
--with-test-dir=/dev/shm \
|
||||||
--with-db-path=%{dbpath} \
|
--with-db-path=%{dbpath} \
|
||||||
|
--with-mcache-path=%{mcpath} \
|
||||||
--with-pipe-path=%{pipepath} \
|
--with-pipe-path=%{pipepath} \
|
||||||
--with-pubconf-path=%{pubconfpath} \
|
--with-pubconf-path=%{pubconfpath} \
|
||||||
--with-mcache-path=%{mcpath} \
|
--with-gpo-cache-path=%{gpocachepath} \
|
||||||
--with-init-dir=%{_initrddir} \
|
--with-init-dir=%{_initrddir} \
|
||||||
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
|
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
|
||||||
--enable-nsslibdir=%{_libdir} \
|
--enable-nsslibdir=%{_libdir} \
|
||||||
--enable-pammoddir=%{_libdir}/security \
|
--enable-pammoddir=%{_libdir}/security \
|
||||||
--enable-ldb-version-check \
|
--enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
|
||||||
--disable-static \
|
--disable-static \
|
||||||
--disable-rpath \
|
--disable-rpath \
|
||||||
--with-initscript=systemd \
|
--with-initscript=systemd \
|
||||||
--with-syslog=journald \
|
--with-syslog=journald \
|
||||||
--with-test-dir=/dev/shm \
|
%{?with_cifs_utils_plugin_option} \
|
||||||
%{?with_cifs_utils_plugin_option}
|
--enable-ldb-version-check \
|
||||||
|
--enable-sss-default-nss-plugin
|
||||||
|
|
||||||
make %{?_smp_mflags} all docs
|
make %{?_smp_mflags} all docs
|
||||||
|
|
||||||
%check
|
%check
|
||||||
export CK_TIMEOUT_MULTIPLIER=10
|
export CK_TIMEOUT_MULTIPLIER=10
|
||||||
make %{?_smp_mflags} check
|
make %{?_smp_mflags} check VERBOSE=yes
|
||||||
unset CK_TIMEOUT_MULTIPLIER
|
unset CK_TIMEOUT_MULTIPLIER
|
||||||
|
|
||||||
%install
|
%install
|
||||||
|
@ -434,6 +496,12 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
|
|
||||||
make install DESTDIR=$RPM_BUILD_ROOT
|
make install DESTDIR=$RPM_BUILD_ROOT
|
||||||
|
|
||||||
|
if [ ! -f %{buildroot}/%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} ]
|
||||||
|
then
|
||||||
|
echo "Expected libwbclient version not found, please check if version has changed."
|
||||||
|
exit -1
|
||||||
|
fi
|
||||||
|
|
||||||
# Prepare language files
|
# Prepare language files
|
||||||
/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
|
/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
|
||||||
|
|
||||||
|
@ -539,8 +607,8 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%doc COPYING
|
%doc COPYING
|
||||||
%doc src/examples/sssd-example.conf
|
%doc src/examples/sssd-example.conf
|
||||||
%{_unitdir}/sssd.service
|
|
||||||
%{_sbindir}/sssd
|
%{_sbindir}/sssd
|
||||||
|
%{_unitdir}/sssd.service
|
||||||
|
|
||||||
%dir %{_libexecdir}/%{servicename}
|
%dir %{_libexecdir}/%{servicename}
|
||||||
%{_libexecdir}/%{servicename}/sssd_be
|
%{_libexecdir}/%{servicename}/sssd_be
|
||||||
|
@ -559,10 +627,12 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%{_libdir}/%{name}/libsss_debug.so
|
%{_libdir}/%{name}/libsss_debug.so
|
||||||
%{_libdir}/%{name}/libsss_ldap_common.so
|
%{_libdir}/%{name}/libsss_ldap_common.so
|
||||||
%{_libdir}/%{name}/libsss_util.so
|
%{_libdir}/%{name}/libsss_util.so
|
||||||
|
%{_libdir}/%{name}/libsss_semanage.so
|
||||||
|
|
||||||
# 3rd party application libraries
|
# 3rd party application libraries
|
||||||
%{_libdir}/sssd/modules/libsss_autofs.so
|
%{_libdir}/sssd/modules/libsss_autofs.so
|
||||||
%{_libdir}/libsss_sudo.so
|
%{_libdir}/libsss_sudo.so
|
||||||
|
%{_libdir}/libnfsidmap/sss.so
|
||||||
|
|
||||||
%{ldb_modulesdir}/memberof.so
|
%{ldb_modulesdir}/memberof.so
|
||||||
%{_bindir}/sss_ssh_authorizedkeys
|
%{_bindir}/sss_ssh_authorizedkeys
|
||||||
|
@ -578,6 +648,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/group
|
%ghost %attr(0644,root,root) %verify(not md5 size mtime) %{mcpath}/group
|
||||||
%attr(755,root,root) %dir %{pipepath}
|
%attr(755,root,root) %dir %{pipepath}
|
||||||
%attr(755,root,root) %dir %{pubconfpath}
|
%attr(755,root,root) %dir %{pubconfpath}
|
||||||
|
%attr(755,root,root) %dir %{gpocachepath}
|
||||||
%attr(700,root,root) %dir %{pipepath}/private
|
%attr(700,root,root) %dir %{pipepath}/private
|
||||||
%attr(750,root,root) %dir %{_var}/log/%{name}
|
%attr(750,root,root) %dir %{_var}/log/%{name}
|
||||||
%attr(700,root,root) %dir %{_sysconfdir}/sssd
|
%attr(700,root,root) %dir %{_sysconfdir}/sssd
|
||||||
|
@ -594,6 +665,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%{_mandir}/man5/sssd.conf.5*
|
%{_mandir}/man5/sssd.conf.5*
|
||||||
%{_mandir}/man5/sssd-simple.5*
|
%{_mandir}/man5/sssd-simple.5*
|
||||||
%{_mandir}/man5/sssd-sudo.5*
|
%{_mandir}/man5/sssd-sudo.5*
|
||||||
|
%{_mandir}/man5/sss_rpcidmapd.5*
|
||||||
%{_mandir}/man8/sssd.8*
|
%{_mandir}/man8/sssd.8*
|
||||||
%{_mandir}/man8/sss_cache.8*
|
%{_mandir}/man8/sss_cache.8*
|
||||||
%{python_sitearch}/pysss.so
|
%{python_sitearch}/pysss.so
|
||||||
|
@ -618,19 +690,17 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%{_libdir}/%{name}/libsss_krb5.so
|
%{_libdir}/%{name}/libsss_krb5.so
|
||||||
%{_mandir}/man5/sssd-krb5.5*
|
%{_mandir}/man5/sssd-krb5.5*
|
||||||
|
|
||||||
# RHEL 5 is too old to support the PAC responder
|
|
||||||
%if !0%{?is_rhel5}
|
|
||||||
%files common-pac
|
%files common-pac
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%doc COPYING
|
%doc COPYING
|
||||||
%{_libexecdir}/%{servicename}/sssd_pac
|
%{_libexecdir}/%{servicename}/sssd_pac
|
||||||
%endif
|
|
||||||
|
|
||||||
%files ipa -f sssd_ipa.lang
|
%files ipa -f sssd_ipa.lang
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%doc COPYING
|
%doc COPYING
|
||||||
%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
|
%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
|
||||||
%{_libdir}/%{name}/libsss_ipa.so
|
%{_libdir}/%{name}/libsss_ipa.so
|
||||||
|
%{_libexecdir}/%{servicename}/selinux_child
|
||||||
%{_mandir}/man5/sssd-ipa.5*
|
%{_mandir}/man5/sssd-ipa.5*
|
||||||
|
|
||||||
%files ad -f sssd_ad.lang
|
%files ad -f sssd_ad.lang
|
||||||
|
@ -663,12 +733,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
|
|
||||||
%files -n libsss_simpleifp-devel
|
%files -n libsss_simpleifp-devel
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%if 0%{?fedora}
|
|
||||||
%doc sss_simpleifp_doc/html
|
%doc sss_simpleifp_doc/html
|
||||||
%endif
|
|
||||||
%if 0%{?rhel} >= 6
|
|
||||||
%doc sss_simpleifp_doc/html
|
|
||||||
%endif
|
|
||||||
%{_includedir}/sss_sifp.h
|
%{_includedir}/sss_sifp.h
|
||||||
%{_includedir}/sss_sifp_dbus.h
|
%{_includedir}/sss_sifp_dbus.h
|
||||||
%{_libdir}/libsss_simpleifp.so
|
%{_libdir}/libsss_simpleifp.so
|
||||||
|
@ -685,6 +750,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%{_libdir}/cifs-utils/cifs_idmap_sss.so
|
%{_libdir}/cifs-utils/cifs_idmap_sss.so
|
||||||
%ghost %{_sysconfdir}/cifs-utils/idmap-plugin
|
%ghost %{_sysconfdir}/cifs-utils/idmap-plugin
|
||||||
%endif
|
%endif
|
||||||
|
%if (0%{?with_krb5_localauth_plugin} == 1)
|
||||||
|
%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
|
||||||
|
%endif
|
||||||
%{_mandir}/man8/pam_sss.8*
|
%{_mandir}/man8/pam_sss.8*
|
||||||
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
|
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
|
||||||
|
|
||||||
|
@ -741,10 +809,6 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%{_libdir}/libipa_hbac.so
|
%{_libdir}/libipa_hbac.so
|
||||||
%{_libdir}/pkgconfig/ipa_hbac.pc
|
%{_libdir}/pkgconfig/ipa_hbac.pc
|
||||||
|
|
||||||
%files -n libipa_hbac-python
|
|
||||||
%defattr(-,root,root,-)
|
|
||||||
%{python_sitearch}/pyhbac.so
|
|
||||||
|
|
||||||
%files -n libsss_nss_idmap
|
%files -n libsss_nss_idmap
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||||
|
@ -761,6 +825,20 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%{python_sitearch}/pysss_nss_idmap.so
|
%{python_sitearch}/pysss_nss_idmap.so
|
||||||
|
|
||||||
|
%files -n libipa_hbac-python
|
||||||
|
%defattr(-,root,root,-)
|
||||||
|
%{python_sitearch}/pyhbac.so
|
||||||
|
|
||||||
|
%files libwbclient
|
||||||
|
%defattr(-,root,root,-)
|
||||||
|
%{_libdir}/%{name}/modules/libwbclient.so.*
|
||||||
|
|
||||||
|
%files libwbclient-devel
|
||||||
|
%defattr(-,root,root,-)
|
||||||
|
%{_includedir}/wbclient_sssd.h
|
||||||
|
%{_libdir}/%{name}/modules/libwbclient.so
|
||||||
|
%{_libdir}/pkgconfig/wbclient_sssd.pc
|
||||||
|
|
||||||
%post common
|
%post common
|
||||||
if [ $1 -ge 1 ] ; then
|
if [ $1 -ge 1 ] ; then
|
||||||
# Initial installation
|
# Initial installation
|
||||||
|
@ -777,6 +855,7 @@ fi
|
||||||
%postun common
|
%postun common
|
||||||
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
||||||
if [ $1 -ge 1 ] ; then
|
if [ $1 -ge 1 ] ; then
|
||||||
|
# Package upgrade, not uninstall
|
||||||
/bin/systemctl try-restart sssd.service >/dev/null 2>&1 || :
|
/bin/systemctl try-restart sssd.service >/dev/null 2>&1 || :
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -803,7 +882,153 @@ fi
|
||||||
|
|
||||||
%postun -n libsss_idmap -p /sbin/ldconfig
|
%postun -n libsss_idmap -p /sbin/ldconfig
|
||||||
|
|
||||||
|
%post -n libsss_nss_idmap -p /sbin/ldconfig
|
||||||
|
|
||||||
|
%postun -n libsss_nss_idmap -p /sbin/ldconfig
|
||||||
|
|
||||||
|
%posttrans libwbclient
|
||||||
|
# Alternatives was removed only if package was uninstalled
|
||||||
|
# However in cease of package upgrade and soname bump the
|
||||||
|
# the old alternative was not removed.
|
||||||
|
# This is a workaround/fix for unused alternative
|
||||||
|
%{_sbindir}/update-alternatives \
|
||||||
|
--remove libwbclient.so.0.11%{libwbc_alternatives_suffix} \
|
||||||
|
%{_libdir}/%{name}/modules/libwbclient.so.0.11.0
|
||||||
|
|
||||||
|
%{_sbindir}/update-alternatives \
|
||||||
|
--install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
|
||||||
|
libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
|
||||||
|
%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} 5
|
||||||
|
/sbin/ldconfig
|
||||||
|
|
||||||
|
%preun libwbclient
|
||||||
|
%{_sbindir}/update-alternatives \
|
||||||
|
--remove libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
|
||||||
|
%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version}
|
||||||
|
/sbin/ldconfig
|
||||||
|
|
||||||
|
%posttrans libwbclient-devel
|
||||||
|
update-alternatives --display libwbclient.so%{libwbc_alternatives_suffix} | grep auto
|
||||||
|
if [ $? -eq 0 ]; then
|
||||||
|
# alternative is in auto mode.
|
||||||
|
# it need to be removed before changing priority (20 -> 5) sssd-1.12.3-4
|
||||||
|
%{_sbindir}/update-alternatives --remove \
|
||||||
|
libwbclient.so%{libwbc_alternatives_suffix} \
|
||||||
|
%{_libdir}/%{name}/modules/libwbclient.so 5
|
||||||
|
fi
|
||||||
|
|
||||||
|
%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so \
|
||||||
|
libwbclient.so%{libwbc_alternatives_suffix} \
|
||||||
|
%{_libdir}/%{name}/modules/libwbclient.so 5
|
||||||
|
|
||||||
|
%preun libwbclient-devel
|
||||||
|
%{_sbindir}/update-alternatives --remove \
|
||||||
|
libwbclient.so%{libwbc_alternatives_suffix} \
|
||||||
|
%{_libdir}/%{name}/modules/libwbclient.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Nov 20 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.5-5
|
||||||
|
- Backport fixes from upstream 1.12
|
||||||
|
|
||||||
|
* Wed Oct 07 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.5-4
|
||||||
|
- Fix memory leaks (GPO; PAC client)
|
||||||
|
- Resolves: rhbz#1268807 (CVE-2015-5292)
|
||||||
|
|
||||||
|
* Tue Jul 21 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.5-3
|
||||||
|
- Fix known bug in 1.12.5
|
||||||
|
- Resolves: upstream #2681 - SSSD cache is not updated after user is deleted
|
||||||
|
from ldap server
|
||||||
|
|
||||||
|
* Fri Jun 12 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.5-2
|
||||||
|
- Fix libwbclient alternatives
|
||||||
|
|
||||||
|
* Fri Jun 12 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.5-1
|
||||||
|
- New upstream release 1.12.5
|
||||||
|
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5
|
||||||
|
|
||||||
|
* Wed Apr 15 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.4-3
|
||||||
|
- Fix slow login with ipa and SELinux
|
||||||
|
- Resolves: upstream #2624 - Only set the selinux context if the context
|
||||||
|
differs from the local one
|
||||||
|
|
||||||
|
* Mon Mar 23 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.4-2
|
||||||
|
- Fix regressions with ipa and SELinux
|
||||||
|
- Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security
|
||||||
|
context on client is staff_u
|
||||||
|
- Additional fix for rhbz#1175511
|
||||||
|
|
||||||
|
* Wed Feb 18 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.4-1
|
||||||
|
- New upstream release 1.12.4
|
||||||
|
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.4
|
||||||
|
|
||||||
|
* Thu Feb 12 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.3-5
|
||||||
|
- Fix double free in monitor
|
||||||
|
- Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort():
|
||||||
|
sssd killed by SIGABRT
|
||||||
|
|
||||||
|
* Thu Jan 22 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.3-4
|
||||||
|
- Decrease priority of sssd-libwbclient 20 -> 5
|
||||||
|
- It should be lower than priority of samba veriosn of libwbclient.
|
||||||
|
- https://bugzilla.redhat.com/show_bug.cgi?id=1175511#c18
|
||||||
|
|
||||||
|
* Mon Jan 19 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.3-3
|
||||||
|
- Apply a number of patches from upstream to fix issues found 1.12.3
|
||||||
|
- Resolves: rhbz#1176373 - dyndns_iface does not accept multiple
|
||||||
|
interfaces, or isn't documented to be able to
|
||||||
|
- Resolves: rhbz#988068 - getpwnam_r fails for non-existing users when sssd is
|
||||||
|
not running
|
||||||
|
- Resolves: upstream #2557 authentication failure with user from AD
|
||||||
|
|
||||||
|
* Fri Jan 09 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.3-2
|
||||||
|
- Resolves: rhbz#1164156 - libsss_simpleifp should pull sssd-dbus
|
||||||
|
- Resolves: rhbz#1179379 - gzip: stdin: file size changed while
|
||||||
|
zipping when rotating logfile
|
||||||
|
|
||||||
|
* Thu Jan 08 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.3-1
|
||||||
|
- New upstream release 1.12.3
|
||||||
|
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.3
|
||||||
|
- Fix spelling errors in description (fedpkg lint)
|
||||||
|
|
||||||
|
* Fri Dec 19 2014 Sumit Bose <sbose@redhat.com> - 1.12.2-6
|
||||||
|
- Resolves: rhbz#1175511 - sssd-libwbclient conflicts with Samba's and causes
|
||||||
|
crash in wbinfo
|
||||||
|
- in addition to the patch libwbclient.so is
|
||||||
|
filtered out of the Provides list of the package
|
||||||
|
|
||||||
|
* Wed Dec 17 2014 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.2-5
|
||||||
|
- Fix regressions and bugs in sssd upstream 1.12.2
|
||||||
|
- https://fedorahosted.org/sssd/ticket/{id}
|
||||||
|
- Regressions: #2471, #2475, #2483, #2487, #2529, #2535
|
||||||
|
- Bugs: #2287, #2445
|
||||||
|
|
||||||
|
* Wed Nov 26 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-4
|
||||||
|
- Fix typo in libwbclient-devel %preun
|
||||||
|
|
||||||
|
* Tue Nov 25 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-3
|
||||||
|
- Use alternatives for libwbclient
|
||||||
|
|
||||||
|
* Wed Oct 22 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-2
|
||||||
|
- Backport several patches from upstream.
|
||||||
|
- Fix a potential crash against old (pre-4.0) IPA servers
|
||||||
|
|
||||||
|
* Mon Oct 20 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-1
|
||||||
|
- New upstream release 1.12.2
|
||||||
|
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2
|
||||||
|
|
||||||
|
* Mon Sep 15 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.1-2
|
||||||
|
- Resolves: rhbz#1139962 - Fedora 21, FreeIPA 4.0.2: sssd does not find user
|
||||||
|
private group from server
|
||||||
|
|
||||||
|
* Mon Sep 8 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.1-1
|
||||||
|
- New upstream release 1.12.1
|
||||||
|
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.1
|
||||||
|
|
||||||
|
* Fri Aug 22 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.0-7
|
||||||
|
- Do not crash on resolving a group SID in IPA server mode
|
||||||
|
|
||||||
|
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.12.0-6
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||||
|
|
||||||
* Thu Jul 10 2014 Stephen Gallagher <sgallagh@redhat.com> 1.12.0-5
|
* Thu Jul 10 2014 Stephen Gallagher <sgallagh@redhat.com> 1.12.0-5
|
||||||
- Fix release version for upgrades
|
- Fix release version for upgrades
|
||||||
|
|
||||||
|
|