Compare commits
64 Commits
rawhide
...
sssd-1.16.
Author | SHA1 | Date | |
---|---|---|---|
|
cbe5286e50 | ||
|
1c3b8ca658 | ||
|
d1e432e9b2 | ||
|
e53cd13e55 | ||
|
1eeed2907c | ||
|
ef14f775ab | ||
|
8b69e46ea6 | ||
|
fcaaf702b0 | ||
|
f3ff7117fe | ||
|
7a496cc92e | ||
|
768be08a58 | ||
|
c45dd65f97 | ||
|
d4c0d50bdd | ||
|
c53d943117 | ||
|
8a7243b618 | ||
|
fc649668b2 | ||
|
79512b25c9 | ||
|
3d25ab1823 | ||
|
ff81ee82e5 | ||
|
ccec5b8fc8 | ||
|
e57d99137e | ||
|
d6e60d0953 | ||
|
5b40243f61 | ||
|
dd0a6fb1b9 | ||
|
9c95519f7a | ||
|
bb567c5aaf | ||
|
fd2fe89420 | ||
|
ae422acc48 | ||
|
a5d334e8a4 | ||
|
daca1aeb60 | ||
|
bc49fbfb56 | ||
|
e5687b3b70 | ||
|
5e5e26a2be | ||
|
187ee74a3f | ||
|
1feb809f48 | ||
|
be32b69605 | ||
|
e23577fdfa | ||
|
d2e63e3f19 | ||
|
85ed6ee372 | ||
|
5482e1b39f | ||
|
4110a2c340 | ||
|
9270bee8ca | ||
|
6f4bba5546 | ||
|
3efadc9185 | ||
|
68e1acc3da | ||
|
0982e5e83d | ||
|
8fca7e629a | ||
|
bbb90ca68c | ||
|
7e532024f0 | ||
|
7109e61605 | ||
|
52d4a1e424 | ||
|
c01badf69e | ||
|
e076a5639e | ||
|
39ce513212 | ||
|
a2beebd281 | ||
|
b88b74fcf2 | ||
|
c111ad7d59 | ||
|
b4e6dc0d82 | ||
|
90107469a7 | ||
|
9c949c17eb | ||
|
eecc431e93 | ||
|
22e5820a7b | ||
|
5c34393107 | ||
|
79cc292e27 |
5
.gitignore
vendored
5
.gitignore
vendored
@ -74,3 +74,8 @@ sssd-1.2.91.tar.gz
|
||||
/sssd-1.14.1.tar.gz
|
||||
/sssd-1.14.2.tar.gz
|
||||
/sssd-1.15.0.tar.gz
|
||||
/sssd-1.15.1.tar.gz
|
||||
/sssd-1.15.2.tar.gz
|
||||
/sssd-1.15.3.tar.gz
|
||||
/sssd-1.16.0.tar.gz
|
||||
/sssd-1.16.1.tar.gz
|
||||
|
87
0001-IPA-Handle-empty-nisDomainName.patch
Normal file
87
0001-IPA-Handle-empty-nisDomainName.patch
Normal file
@ -0,0 +1,87 @@
|
||||
From f9b7073e5cd057cf961b34f99ea1dff0c86b5b6a Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 17 Nov 2017 20:15:34 +0100
|
||||
Subject: [PATCH 01/15] IPA: Handle empty nisDomainName
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3573
|
||||
|
||||
If nisdomain=, i.e. a blank NIS domain name, sssd was not processing the
|
||||
netgroup at all. This is not in agreement with man innetgr which says "Any of
|
||||
the elements in a triple can be empty, which means that anything matches. The
|
||||
functions described here allow access to the netgroup databases".
|
||||
|
||||
This patch instead returns an empty domain as well, which eventually
|
||||
produces the same output as if the netgroup was requested from the
|
||||
compat tree.
|
||||
|
||||
To reproduce the bug:
|
||||
$ ipa netgroup-add
|
||||
Netgroup name: emptydom
|
||||
-------------------------
|
||||
Added netgroup "emptydom"
|
||||
-------------------------
|
||||
Netgroup name: emptydom
|
||||
NIS domain name: ipa.test
|
||||
IPA unique ID: 164bc15a-f4b3-11e7-acdb-525400ca6df3
|
||||
$ ipa netgroup-add-member
|
||||
Netgroup name: emptydom
|
||||
[member user]: admin
|
||||
[member group]:
|
||||
[member host]:
|
||||
[member host group]:
|
||||
[member netgroup]:
|
||||
Netgroup name: emptydom
|
||||
NIS domain name: ipa.test
|
||||
Member User: admin
|
||||
-------------------------
|
||||
Number of members added 1
|
||||
-------------------------
|
||||
$ ipa netgroup-mod --nisdomain="" emptydom
|
||||
----------------------------
|
||||
Modified netgroup "emptydom"
|
||||
----------------------------
|
||||
Netgroup name: emptydom
|
||||
Member User: admin
|
||||
|
||||
Then run:
|
||||
getent negroup emptydom
|
||||
without the patch, the netgroup won't be resolvable. It will resolve to
|
||||
a netgroup triple that looks like this after the patch:
|
||||
emptydom (-,admin,)
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_netgroups.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
|
||||
index 5c929a485..05ebac758 100644
|
||||
--- a/src/providers/ipa/ipa_netgroups.c
|
||||
+++ b/src/providers/ipa/ipa_netgroups.c
|
||||
@@ -953,7 +953,9 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
|
||||
|
||||
ret = sysdb_attrs_get_string(state->netgroups[i], SYSDB_NETGROUP_DOMAIN,
|
||||
&domain);
|
||||
- if (ret != EOK) {
|
||||
+ if (ret == ENOENT) {
|
||||
+ domain = NULL;
|
||||
+ } else if (ret != EOK) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -974,7 +976,7 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
|
||||
for (k = 0; k < hosts_count; k++) {
|
||||
triple = talloc_asprintf(state, "(%s,%s,%s)",
|
||||
hosts[k], uids[j],
|
||||
- domain);
|
||||
+ domain ? domain : "");
|
||||
if (triple == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
--
|
||||
2.14.3
|
||||
|
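Review bot: The ENOENT branch at `+ domain = NULL;` turns a missing nisDomainName into a NULL pointer that then has to be guarded at every later use, and the only guard the patch adds is the ternary in the talloc_asprintf() call; any other consumer of `domain` in ipa_netgr_process_all outside these two hunks would still see NULL. Since the intent is "an empty domain element matches anything", assigning the empty string once, `domain = "";`, states that directly and lets the second hunk keep the original `domain);` argument — this works if `domain` is a `const char *`, which the sysdb_attrs_get_string() out-parameter suggests but the hunk does not show. Either way a one-line comment on the ENOENT branch, `/* A netgroup with a blank NIS domain is valid: an empty triple element matches anything, see innetgr(3) */`, would keep the next reader from turning it back into an error. ipa_netgr_process_all starts and ends outside the hunk.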
@ -1,23 +0,0 @@
|
||||
From 33da7b13eaed678789b7ccba00e49065a8838e9a Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 25 Jan 2017 16:46:31 +0100
|
||||
Subject: [PATCH 01/79] Updating the version to track the 1.15.1 release
|
||||
|
||||
---
|
||||
version.m4 | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/version.m4 b/version.m4
|
||||
index 5ff77ba10a8e8a512057e4176377ba33713eb285..bec03afc6e4357e8f505978b0474888c2ab16a85 100644
|
||||
--- a/version.m4
|
||||
+++ b/version.m4
|
||||
@@ -1,5 +1,5 @@
|
||||
# Primary version number
|
||||
-m4_define([VERSION_NUMBER], [1.15.0])
|
||||
+m4_define([VERSION_NUMBER], [1.15.1])
|
||||
|
||||
# If the PRERELEASE_VERSION_NUMBER is set, we'll append
|
||||
# it to the release tag when creating an RPM or SRPM
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,40 +0,0 @@
|
||||
From c369b062182c746849196e495db467198039edf4 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Wed, 25 Jan 2017 16:12:02 +0100
|
||||
Subject: [PATCH 02/79] BUILD: Fix linking of test_wbc_calls
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Client code does not anymore depend on libpthread in master.
|
||||
This is a reason why we didn't notice any linking failure
|
||||
in master. But the test should be linked with CLIENT_LIBS.
|
||||
|
||||
CCLD test_wbc_calls
|
||||
/usr/bin/ld: src/sss_client/test_wbc_calls-common.o: undefined reference
|
||||
to symbol 'pthread_mutexattr_setrobust@@GLIBC_2.12'
|
||||
//lib/x86_64-linux-gnu/libpthread.so.0: error adding symbols: DSO missing
|
||||
from command line
|
||||
collect2: error: ld returned 1 exit status
|
||||
Makefile:12460: recipe for target 'test_wbc_calls' failed
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
Makefile.am | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 661e9447d56146cb756a23af3a1b0aa0fbf98fa4..674d328f52929cc2b20d1212af830c3777312bf1 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -2703,6 +2703,7 @@ test_wbc_calls_LDFLAGS = \
|
||||
-Wl,-wrap,sss_nss_getnamebysid \
|
||||
$(NULL)
|
||||
test_wbc_calls_LDADD = \
|
||||
+ $(CLIENT_LIBS) \
|
||||
$(CMOCKA_LIBS) \
|
||||
$(POPT_LIBS) \
|
||||
$(TALLOC_LIBS) \
|
||||
--
|
||||
2.9.3
|
||||
|
85
0002-intg-enhance-netgroups-test.patch
Normal file
85
0002-intg-enhance-netgroups-test.patch
Normal file
@ -0,0 +1,85 @@
|
||||
From 3adc0a2fac5f7f1f30f6b1f75f098d4b50e7cf35 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Mon, 5 Mar 2018 12:29:58 +0100
|
||||
Subject: [PATCH 02/15] intg: enhance netgroups test
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/intg/sssd_netgroup.py | 9 ++++++---
|
||||
src/tests/intg/test_netgroup.py | 26 ++++++++++++++++++++++++++
|
||||
2 files changed, 32 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py
|
||||
index 3668d2e29..4c34ea61f 100644
|
||||
--- a/src/tests/intg/sssd_netgroup.py
|
||||
+++ b/src/tests/intg/sssd_netgroup.py
|
||||
@@ -209,9 +209,12 @@ class NetgroupRetriever(object):
|
||||
|
||||
if result_p[0].type == NetgroupType.TRIPLE_VAL:
|
||||
triple = result_p[0].val.triple
|
||||
- result.append((triple.host.decode('utf-8'),
|
||||
- triple.user.decode('utf-8'),
|
||||
- triple.domain.decode('utf-8')))
|
||||
+ result.append((triple.host and triple.host.decode('utf-8')
|
||||
+ or "",
|
||||
+ triple.user and triple.user.decode('utf-8')
|
||||
+ or "",
|
||||
+ triple.domain and triple.domain.decode('utf-8')
|
||||
+ or ""))
|
||||
|
||||
res, errno, result_p = self._getnetgrent_r(result_p, buff,
|
||||
buff_len)
|
||||
diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
|
||||
index 3cf5dac2e..06a1cfafd 100644
|
||||
--- a/src/tests/intg/test_netgroup.py
|
||||
+++ b/src/tests/intg/test_netgroup.py
|
||||
@@ -106,6 +106,8 @@ def format_basic_conf(ldap_conn, schema):
|
||||
services = nss
|
||||
disable_netlink = true
|
||||
|
||||
+ [nss]
|
||||
+
|
||||
[domain/LDAP]
|
||||
{schema_conf}
|
||||
id_provider = ldap
|
||||
@@ -222,6 +224,14 @@ def add_tripled_netgroup(request, ldap_conn):
|
||||
ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)",
|
||||
"(host2,user2,domain2)"])
|
||||
|
||||
+ ent_list.add_netgroup("tripled_netgroup_no_domain", ["(host,user,)"])
|
||||
+
|
||||
+ ent_list.add_netgroup("tripled_netgroup_no_user", ["(host,,domain)"])
|
||||
+
|
||||
+ ent_list.add_netgroup("tripled_netgroup_no_host", ["(,user,domain)"])
|
||||
+
|
||||
+ ent_list.add_netgroup("tripled_netgroup_none", ["(,,)"])
|
||||
+
|
||||
create_ldap_fixture(request, ldap_conn, ent_list)
|
||||
conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
|
||||
create_conf_fixture(request, conf)
|
||||
@@ -243,6 +253,22 @@ def test_add_tripled_netgroup(add_tripled_netgroup):
|
||||
assert sorted(netgrps) == sorted([("host1", "user1", "domain1"),
|
||||
("host2", "user2", "domain2")])
|
||||
|
||||
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_domain")
|
||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
||||
+ assert netgrps == [("host", "user", "")]
|
||||
+
|
||||
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_user")
|
||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
||||
+ assert netgrps == [("host", "", "domain")]
|
||||
+
|
||||
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_host")
|
||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
||||
+ assert netgrps == [("", "user", "domain")]
|
||||
+
|
||||
+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_none")
|
||||
+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
|
||||
+ assert netgrps == [("", "", "")]
|
||||
+
|
||||
|
||||
@pytest.fixture
|
||||
def add_mixed_netgroup(request, ldap_conn):
|
||||
--
|
||||
2.14.3
|
||||
|
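Review bot: The three `triple.X and triple.X.decode('utf-8') or ""` expressions in the sssd_netgroup.py hunk repeat an and/or idiom that is correct here only because the fallback is itself falsy, so a NULL pointer (None) and a zero-length `b""` both map to `""`. A small helper makes that intent explicit and harder to break: `def _decode_or_empty(value): return value.decode('utf-8') if value else ""` and then `result.append((_decode_or_empty(triple.host), _decode_or_empty(triple.user), _decode_or_empty(triple.domain)))`. The test_netgroup.py hunks pin the (host,user,), (host,,domain), (,user,domain) and (,,) cases, which is the right coverage; the empty `[nss]` section added to the test config has no visible relation to the test and deserves a comment saying why it is needed, if it is. The enclosing NetgroupRetriever method continues outside the hunk.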
@ -0,0 +1,94 @@
|
||||
From d38421b5beb91de9213203bee87a3717952f52bc Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Wed, 14 Mar 2018 22:55:21 +0100
|
||||
Subject: [PATCH 03/15] CONFDB: Start a ldb transaction from
|
||||
sss_ldb_modify_permissive()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The reason why confdb_expand_app_domains() always fails is because we
|
||||
try to do a ldb_request() without starting a ldb transaction.
|
||||
|
||||
When we're dealing with ldb_modify(), ldb_add(), ldb_delete() kind of
|
||||
messages, those call ldb_autotransaction_request() which will start a
|
||||
new transaction and treat it properly when doing the ldb_request(). In
|
||||
our case that we're calling ldb_request() by our own, we must ensure
|
||||
that the transaction is started and properly deal with it._
|
||||
|
||||
It's never been noticed because in the only place the function is used
|
||||
its errors are ignored.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3660
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/db/sysdb_ops.c | 39 ++++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 38 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index 15915101e..cc86a114e 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -66,7 +66,9 @@ int sss_ldb_modify_permissive(struct ldb_context *ldb,
|
||||
struct ldb_message *msg)
|
||||
{
|
||||
struct ldb_request *req;
|
||||
- int ret = EOK;
|
||||
+ int ret;
|
||||
+ int cancel_ret;
|
||||
+ bool in_transaction = false;
|
||||
|
||||
ret = ldb_build_mod_req(&req, ldb, ldb,
|
||||
msg,
|
||||
@@ -84,9 +86,44 @@ int sss_ldb_modify_permissive(struct ldb_context *ldb,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+ ret = ldb_transaction_start(ldb);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to start ldb transaction [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ in_transaction = true;
|
||||
+
|
||||
ret = ldb_request(ldb, req);
|
||||
if (ret == LDB_SUCCESS) {
|
||||
ret = ldb_wait(req->handle, LDB_WAIT_ALL);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = ldb_transaction_commit(ldb);
|
||||
+ if (ret != LDB_SUCCESS) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to commit ldb transaction [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ in_transaction = false;
|
||||
+
|
||||
+ ret = LDB_SUCCESS;
|
||||
+
|
||||
+done:
|
||||
+ if (in_transaction) {
|
||||
+ cancel_ret = ldb_transaction_cancel(ldb);
|
||||
+ if (cancel_ret != LDB_SUCCESS) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to cancel ldb transaction [%d]: %s\n",
|
||||
+ cancel_ret, sss_strerror(cancel_ret));
|
||||
+ }
|
||||
}
|
||||
|
||||
talloc_free(req);
|
||||
--
|
||||
2.14.3
|
||||
|
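Review bot: A failure of `ldb_request()` is now silently committed: when `ret = ldb_request(ldb, req);` returns an error the `if (ret == LDB_SUCCESS)` block is skipped, execution falls into `ret = ldb_transaction_commit(ldb);`, and if the commit succeeds ret is overwritten and the function returns LDB_SUCCESS, whereas before the patch the request error was returned to the caller. The request error should jump to `done` before the commit, exactly as the new ldb_wait() check already does. Secondary: the added DEBUG lines format an ldb return code with `sss_strerror(ret)`, which is meant for errno/SSSD error codes; `ldb_strerror(ret)` (or `ldb_errstring(ldb)`) would give the right text for the value being printed. The function's prologue and its `talloc_free(req); return ret;` tail are partly outside the hunk.
```c
    ret = ldb_request(ldb, req);
    if (ret != LDB_SUCCESS) {
        goto done;
    }

    ret = ldb_wait(req->handle, LDB_WAIT_ALL);
    if (ret != LDB_SUCCESS) {
        goto done;
    }

    /* … unchanged: ldb_transaction_commit() and the done: cleanup … */
```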
@ -1,201 +0,0 @@
|
||||
From 2e505786d6d9d537f5b6631099862f6b93e2e687 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 30 Jan 2017 12:17:25 +0100
|
||||
Subject: [PATCH 03/79] Suppres implicit-fallthrough from gcc 7
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Some kind of comments are recognized by gcc7 but they are ignored with
|
||||
-Wimplicit-fallthrough=5 and only attributes disable the warning.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
configure.ac | 24 ++++++++++++++++++++++++
|
||||
src/db/sysdb_ops.c | 1 +
|
||||
src/providers/ad/ad_id.c | 1 +
|
||||
src/providers/fail_over.c | 4 ++++
|
||||
src/providers/krb5/krb5_auth.c | 1 +
|
||||
src/providers/ldap/sdap_idmap.c | 1 +
|
||||
src/providers/proxy/proxy_id.c | 1 +
|
||||
src/python/pyhbac.c | 1 +
|
||||
src/responder/common/responder_dp.c | 1 +
|
||||
src/util/murmurhash3.c | 3 +++
|
||||
10 files changed, 38 insertions(+)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 291504652bf02e38c7edfd0cc4eefbe4ceaf09e6..d264abf3ebebbc1f3a96d1a450993e0933a5d789 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -418,6 +418,30 @@ if test x"$sss_cv_attribute_warn_unused_result" = xyes ; then
|
||||
[whether compiler supports __attribute__((warn_unused_result))])
|
||||
fi
|
||||
|
||||
+SAFE_CFLAGS=$CFLAGS
|
||||
+CFLAGS="-Werror"
|
||||
+AC_CACHE_CHECK(
|
||||
+ [whether compiler supports __attribute__((fallthrough))],
|
||||
+ [sss_cv_attribute_fallthrough],
|
||||
+ [AC_COMPILE_IFELSE(
|
||||
+ [AC_LANG_SOURCE(
|
||||
+ [ __attribute__ ((fallthrough)); ])
|
||||
+ ],[
|
||||
+ sss_cv_attribute_fallthrough=yes
|
||||
+ sss_cv_attribute_fallthrough_val="__attribute__ ((fallthrough))"
|
||||
+ ],[
|
||||
+ sss_cv_attribute_fallthrough=no
|
||||
+ sss_cv_attribute_fallthrough_val=
|
||||
+ ])
|
||||
+ ])
|
||||
+CFLAGS=$SAFE_CFLAGS
|
||||
+
|
||||
+AC_DEFINE_UNQUOTED(
|
||||
+ [SSS_ATTRIBUTE_FALLTHROUGH],
|
||||
+ [$sss_cv_attribute_fallthrough_val],
|
||||
+ [__attribute__((fallthrough)) if supported])
|
||||
+
|
||||
+
|
||||
PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=])
|
||||
if test x$have_check = x; then
|
||||
AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite])
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index 77e4c1a699eded07d2b266b08d2f4c177e6181a6..7f6c127d4fa3ef7655d5eb931210d0248352e159 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -116,6 +116,7 @@ static int sysdb_delete_cache_entry(struct ldb_context *ldb,
|
||||
return EOK;
|
||||
}
|
||||
/* fall through */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
default:
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "LDB Error: %s(%d)\nError Message: [%s]\n",
|
||||
ldb_strerror(ret), ret, ldb_errstring(ldb));
|
||||
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
|
||||
index 46a41a37b96bb7734f61226e72e75b56f9deccf1..8f26cb8744d2372c6180342c0d1bca025b16f52c 100644
|
||||
--- a/src/providers/ad/ad_id.c
|
||||
+++ b/src/providers/ad/ad_id.c
|
||||
@@ -337,6 +337,7 @@ static bool ad_account_can_shortcut(struct be_ctx *be_ctx,
|
||||
goto done;
|
||||
}
|
||||
/* fall through */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case BE_FILTER_SECID:
|
||||
csid = sid == NULL ? filter_value : sid;
|
||||
|
||||
diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
|
||||
index 77084098831a312bc8629513ccfc2a91165241ba..5d3c26d4a690769637f2fa4f41a76627cbdba77a 100644
|
||||
--- a/src/providers/fail_over.c
|
||||
+++ b/src/providers/fail_over.c
|
||||
@@ -1145,6 +1145,7 @@ fo_resolve_service_server(struct tevent_req *req)
|
||||
state->server->common);
|
||||
fo_set_server_status(state->server, SERVER_RESOLVING_NAME);
|
||||
/* FALLTHROUGH */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case SERVER_RESOLVING_NAME:
|
||||
/* Name resolution is already under way. Just add ourselves into the
|
||||
* waiting queue so we get notified after the operation is finished. */
|
||||
@@ -1284,6 +1285,7 @@ resolve_srv_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
|
||||
* "server" might be invalid now if the SRV
|
||||
* query collapsed
|
||||
* */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case SRV_NEUTRAL: /* Request SRV lookup */
|
||||
if (server != NULL && server != state->meta) {
|
||||
/* A server created by expansion of meta server was marked as
|
||||
@@ -1443,9 +1445,11 @@ resolve_srv_done(struct tevent_req *subreq)
|
||||
break;
|
||||
case ERR_SRV_NOT_FOUND:
|
||||
/* fall through */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case ERR_SRV_LOOKUP_ERROR:
|
||||
fo_set_port_status(state->meta, PORT_NOT_WORKING);
|
||||
/* fall through */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
default:
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Unable to resolve SRV [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
||||
index bdd8e24111b077bfb91f19987d2ed289d803b334..0e685618ec2de1f923ffd9d78bf2a9d8816019e1 100644
|
||||
--- a/src/providers/krb5/krb5_auth.c
|
||||
+++ b/src/providers/krb5/krb5_auth.c
|
||||
@@ -965,6 +965,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_delete_ccname failed.\n");
|
||||
}
|
||||
/* FALLTHROUGH */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
|
||||
case ERR_CREDS_EXPIRED:
|
||||
/* If the password is expired we can safely remove the ccache from the
|
||||
diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c
|
||||
index b5dfc6cefe3ceed4971042a5326dd2b9c7f5eec8..0fda815224b5ce278e6fae4a5264f82cd1ea4a9d 100644
|
||||
--- a/src/providers/ldap/sdap_idmap.c
|
||||
+++ b/src/providers/ldap/sdap_idmap.c
|
||||
@@ -516,6 +516,7 @@ sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
|
||||
"sssd-ad(5) for an explanation of how to resolve this issue.\n",
|
||||
sid_str);
|
||||
/* Fall through intentionally */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
default:
|
||||
DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
"Could not convert objectSID [%s] to a UNIX ID\n",
|
||||
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
|
||||
index 3d272897bda5622fa1e56e6b84448df7c3cefa2b..9b83f7a3cc942560186815b680e8b5f98508f18a 100644
|
||||
--- a/src/providers/proxy/proxy_id.c
|
||||
+++ b/src/providers/proxy/proxy_id.c
|
||||
@@ -1403,6 +1403,7 @@ static int get_initgr_groups_process(TALLOC_CTX *memctx,
|
||||
"Assume the user is only member of its "
|
||||
"primary group (%"SPRIgid")\n", pwd->pw_gid);
|
||||
/* fall through */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case NSS_STATUS_SUCCESS:
|
||||
DEBUG(SSSDBG_CONF_SETTINGS, "User [%s] appears to be member of %lu "
|
||||
"groups\n", pwd->pw_name, num_gids);
|
||||
diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
|
||||
index 09d308a0f3c932c4077dfdc92b3a46fe3238b69b..f7633ee02c5f113fad64c5ee41736d8f63a1914a 100644
|
||||
--- a/src/python/pyhbac.c
|
||||
+++ b/src/python/pyhbac.c
|
||||
@@ -1621,6 +1621,7 @@ py_hbac_evaluate(HbacRequest *self, PyObject *args)
|
||||
goto fail;
|
||||
}
|
||||
/* FALLTHROUGH */
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case HBAC_EVAL_DENY:
|
||||
ret = PYNUMBER_FROMLONG(eres);
|
||||
break;
|
||||
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
|
||||
index da67676675284db14fe7f6fcf8cb47e9f2baa7f9..11eb47ce1d41027f36998aba7b9fbca5fb4c7910 100644
|
||||
--- a/src/responder/common/responder_dp.c
|
||||
+++ b/src/responder/common/responder_dp.c
|
||||
@@ -221,6 +221,7 @@ static int sss_dp_get_reply(DBusPendingCall *pending,
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,"The Data Provider returned an error [%s]\n",
|
||||
dbus_message_get_error_name(reply));
|
||||
/* Falling through to default intentionally*/
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
default:
|
||||
/*
|
||||
* Timeout or other error occurred or something
|
||||
diff --git a/src/util/murmurhash3.c b/src/util/murmurhash3.c
|
||||
index 03d10ff6ae360350dcc96e3e40ece0a0ce3d6b58..061e64e990aa4d91d4a300e116d2fb1193e33392 100644
|
||||
--- a/src/util/murmurhash3.c
|
||||
+++ b/src/util/murmurhash3.c
|
||||
@@ -90,14 +90,17 @@ uint32_t murmurhash3(const char *key, int len, uint32_t seed)
|
||||
switch (len & 3) {
|
||||
case 3:
|
||||
k1 ^= tail[2] << 16;
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case 2:
|
||||
k1 ^= tail[1] << 8;
|
||||
+ SSS_ATTRIBUTE_FALLTHROUGH;
|
||||
case 1:
|
||||
k1 ^= tail[0];
|
||||
k1 *= c1;
|
||||
k1 = rotl(k1, 15);
|
||||
k1 *= c2;
|
||||
h1 ^= k1;
|
||||
+ break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
44
0004-TOOLS-Take-into-consideration-app-domains.patch
Normal file
44
0004-TOOLS-Take-into-consideration-app-domains.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From 692780f793f96815aaee0007515838fce30b6097 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Wed, 14 Mar 2018 23:01:39 +0100
|
||||
Subject: [PATCH 04/15] TOOLS: Take into consideration app domains
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In order to properly show an app domain when listing domains using
|
||||
sssctl domain-list we have to expand the confdb, as already done in the
|
||||
monitor code.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3658
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tools/common/sss_tools.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
|
||||
index e491a1286..4832db5a0 100644
|
||||
--- a/src/tools/common/sss_tools.c
|
||||
+++ b/src/tools/common/sss_tools.c
|
||||
@@ -117,6 +117,14 @@ static errno_t sss_tool_domains_init(TALLOC_CTX *mem_ctx,
|
||||
struct sss_domain_info *dom;
|
||||
errno_t ret;
|
||||
|
||||
+ ret = confdb_expand_app_domains(confdb);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Unable to expand application domains [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
ret = confdb_get_domains(confdb, &domains);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup domains [%d]: %s\n",
|
||||
--
|
||||
2.14.3
|
||||
|
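Review bot: `confdb_expand_app_domains(confdb)` is now run on every sss_tool_domains_init(), and the companion CONFDB patch in this same set describes that function as issuing an ldb modify inside a transaction, so a subcommand whose purpose is read-only listing (sssctl domain-list) would now need write access to the confdb and fail at this new check where it previously only read — worth confirming that every sssctl subcommand routed through this init is expected to run with those privileges, or that the expansion is a no-op when nothing needs expanding. A comment stating why the expansion belongs here would help the next reader: `/* Application domains only appear in confdb after expansion; the monitor does this at startup, so tools that read domains must do it too. */`. sss_tool_domains_init starts before the hunk.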
@ -1,47 +0,0 @@
|
||||
From cbb0e683ff11d7800328da3991f3e75ef88f937f Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 30 Jan 2017 12:49:13 +0100
|
||||
Subject: [PATCH 04/79] pam_sss: Suppress warning format-truncation
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
src/sss_client/pam_sss.c: In function ‘send_and_receive’:
|
||||
src/sss_client/pam_sss.c:742:39: error: ‘%.*s’ directive output
|
||||
between 0 and 18446744073709551615 bytes may cause result to exceed
|
||||
‘INT_MAX’ [-Werror=format-truncation=]
|
||||
ret = snprintf(user_msg, bufsize, "%s%s%.*s",
|
||||
^~~~~~~~~~
|
||||
sssd/src/sss_client/pam_sss.c:742:39: note: assuming directive output
|
||||
of 4294967295 bytes
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sss_client/pam_sss.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
||||
index be697c7fcfb47a57b5b498c61f60fcf4bfbbd57f..b4175ae2c7fc1385a19f81045695bcd73d43f754 100644
|
||||
--- a/src/sss_client/pam_sss.c
|
||||
+++ b/src/sss_client/pam_sss.c
|
||||
@@ -689,7 +689,7 @@ static int user_info_account_expired(pam_handle_t *pamh, size_t buflen,
|
||||
ret = snprintf(user_msg, bufsize, "%s%s%.*s",
|
||||
EXP_ACC_MSG,
|
||||
msg_len > 0 ? SRV_MSG : "",
|
||||
- msg_len,
|
||||
+ (int)msg_len,
|
||||
msg_len > 0 ? (char *)(buf + 2 * sizeof(uint32_t)) : "" );
|
||||
if (ret < 0 || ret > bufsize) {
|
||||
D(("snprintf failed."));
|
||||
@@ -744,7 +744,7 @@ static int user_info_chpass_error(pam_handle_t *pamh, size_t buflen,
|
||||
ret = snprintf(user_msg, bufsize, "%s%s%.*s",
|
||||
_("Password change failed. "),
|
||||
msg_len > 0 ? _("Server message: ") : "",
|
||||
- msg_len,
|
||||
+ (int)msg_len,
|
||||
msg_len > 0 ? (char *)(buf + 2 * sizeof(uint32_t)) : "" );
|
||||
if (ret < 0 || ret > bufsize) {
|
||||
D(("snprintf failed."));
|
||||
--
|
||||
2.9.3
|
||||
|
66
0005-TESTS-Move-get_call_output-to-util.py.patch
Normal file
66
0005-TESTS-Move-get_call_output-to-util.py.patch
Normal file
@ -0,0 +1,66 @@
|
||||
From be7e7de999f93f57bfccdeeabcb8682d1e92023a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Fri, 16 Mar 2018 19:00:52 +0100
|
||||
Subject: [PATCH 05/15] TESTS: Move get_call_output() to util.py
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This function will be reused outside of test_sssctl.py.
|
||||
|
||||
Related:
|
||||
https://pagure.io/SSSD/sssd/issue/3658
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/intg/test_sssctl.py | 9 +--------
|
||||
src/tests/intg/util.py | 7 +++++++
|
||||
2 files changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/tests/intg/test_sssctl.py b/src/tests/intg/test_sssctl.py
|
||||
index 0df5d0bc1..e8861dd86 100644
|
||||
--- a/src/tests/intg/test_sssctl.py
|
||||
+++ b/src/tests/intg/test_sssctl.py
|
||||
@@ -28,7 +28,7 @@ import signal
|
||||
import ds_openldap
|
||||
import ldap_ent
|
||||
import config
|
||||
-from util import unindent
|
||||
+from util import unindent, get_call_output
|
||||
import sssd_netgroup
|
||||
|
||||
LDAP_BASE_DN = "dc=example,dc=com"
|
||||
@@ -203,13 +203,6 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn):
|
||||
return None
|
||||
|
||||
|
||||
-def get_call_output(cmd):
|
||||
- process = subprocess.Popen(cmd, stdout=subprocess.PIPE,
|
||||
- stderr=subprocess.PIPE)
|
||||
- output, ret = process.communicate()
|
||||
- return output.decode('utf-8')
|
||||
-
|
||||
-
|
||||
def test_user_show_basic_sanity(ldap_conn, sanity_rfc2307, portable_LC_ALL):
|
||||
# Fill the cache first
|
||||
ent.assert_passwd_by_name(
|
||||
diff --git a/src/tests/intg/util.py b/src/tests/intg/util.py
|
||||
index 2b40311bd..a1c439648 100644
|
||||
--- a/src/tests/intg/util.py
|
||||
+++ b/src/tests/intg/util.py
|
||||
@@ -78,3 +78,10 @@ def restore_envvar_file(name):
|
||||
path = os.environ[name]
|
||||
backup_path = path + ".bak"
|
||||
os.rename(backup_path, path)
|
||||
+
|
||||
+
|
||||
+def get_call_output(cmd):
|
||||
+ process = subprocess.Popen(cmd, stdout=subprocess.PIPE,
|
||||
+ stderr=subprocess.PIPE)
|
||||
+ output, ret = process.communicate()
|
||||
+ return output.decode('utf-8')
|
||||
--
|
||||
2.14.3
|
||||
|
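Review bot: The moved `get_call_output()` keeps `output, ret = process.communicate()`, but the second value communicate() returns is the captured stderr, not a return code, and the process exit status is never checked, so a failing command is reported as whatever it managed to print on stdout; since the function now lives in util.py for wider reuse this is the moment to fix the name, `output, _ = process.communicate()`, and to let callers see failure, for example by returning or asserting on `process.returncode`. The same body is touched again by the 0006 patch that adds the `stderr_output` parameter, where the same point applies. util.py's import block is outside the hunk; it must import `subprocess` for the moved function to work there.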
@ -1,49 +0,0 @@
|
||||
From c587e9ae55c618c011bd4dde6a94fe5dc60fff01 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 30 Jan 2017 12:55:59 +0100
|
||||
Subject: [PATCH 05/79] TOOLS: Fix warning format-truncation
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
src/tools/sss_groupshow.c: In function ‘print_group_info’:
|
||||
src/tools/sss_groupshow.c:612:22: error: ‘%d’ directive output truncated
|
||||
writing between 10 and 11 bytes into a region of size 7 [-Werror=format-truncation=]
|
||||
snprintf(fmt, 8, "%%%ds", level*PADDING_SPACES);
|
||||
^~~~~~~
|
||||
src/tools/sss_groupshow.c:612:22: note: using the range
|
||||
[-2147483648, 2147483647] for directive argument
|
||||
src/tools/sss_groupshow.c:612:5: note: ‘snprintf’ output between 13 and 14
|
||||
bytes into a destination of size 8
|
||||
snprintf(fmt, 8, "%%%ds", level*PADDING_SPACES);
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/tools/sss_groupshow.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
|
||||
index 258d458b0d1a4cb56c8fb61060cb43a1c88c1ed0..ac4c3dc912db3d418c2eace8b5b1f3476768c875 100644
|
||||
--- a/src/tools/sss_groupshow.c
|
||||
+++ b/src/tools/sss_groupshow.c
|
||||
@@ -603,7 +603,7 @@ fail:
|
||||
|
||||
/*==================The main program=================================== */
|
||||
|
||||
-static void print_group_info(struct group_info *g, int level)
|
||||
+static void print_group_info(struct group_info *g, unsigned level)
|
||||
{
|
||||
int i;
|
||||
char padding[512];
|
||||
@@ -634,7 +634,7 @@ static void print_group_info(struct group_info *g, int level)
|
||||
printf(_("\n%1$sMember groups: "), padding);
|
||||
}
|
||||
|
||||
-static void print_recursive(struct group_info **group_members, int level)
|
||||
+static void print_recursive(struct group_info **group_members, unsigned level)
|
||||
{
|
||||
int i;
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,40 @@
|
||||
From e8c0527bf782de166722706db119ccb01258e78b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Fri, 16 Mar 2018 19:23:58 +0100
|
||||
Subject: [PATCH 06/15] TESTS: Make get_call_output() more flexible about the
|
||||
stderr log
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Future tests that will be added will need the stderr redirected to the
|
||||
STDOUT.
|
||||
|
||||
Related:
|
||||
https://pagure.io/SSSD/sssd/issue/3658
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/intg/util.py | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tests/intg/util.py b/src/tests/intg/util.py
|
||||
index a1c439648..bfebbfb35 100644
|
||||
--- a/src/tests/intg/util.py
|
||||
+++ b/src/tests/intg/util.py
|
||||
@@ -80,8 +80,8 @@ def restore_envvar_file(name):
|
||||
os.rename(backup_path, path)
|
||||
|
||||
|
||||
-def get_call_output(cmd):
|
||||
+def get_call_output(cmd, stderr_output=subprocess.PIPE):
|
||||
process = subprocess.Popen(cmd, stdout=subprocess.PIPE,
|
||||
- stderr=subprocess.PIPE)
|
||||
+ stderr=stderr_output)
|
||||
output, ret = process.communicate()
|
||||
return output.decode('utf-8')
|
||||
--
|
||||
2.14.3
|
||||
|
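Review bot: `get_call_output` unpacks `process.communicate()` into `output, ret`, but `communicate()` returns `(stdout, stderr)`, so `ret` holds the captured stderr rather than an exit status, and with the new `stderr_output=subprocess.STDOUT` argument it is simply `None`; the exit code is never inspected, so a failing command that prints nothing comes back as an empty string and callers cannot tell. Renaming it to `output, _ = process.communicate()` removes the misleading name, and exposing `process.returncode` (returning it alongside the output, or raising on non-zero for callers that opt in) would let tests assert on failure instead of grepping stdout. A one-line docstring stating that stderr is merged into the returned text when `subprocess.STDOUT` is passed, and otherwise discarded, would also help callers of this new parameter.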
@ -1,50 +0,0 @@
|
||||
From bf0b4eb335ec1fb4fdd925f5cf80490ec8b8c24e Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 30 Jan 2017 14:36:56 +0100
|
||||
Subject: [PATCH 06/79] sssctl: Fix warning may be used uninitialized
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
gcc 7 probably does some new optimisations which might cause few
|
||||
wariables to be uninitialized.
|
||||
|
||||
src/tools/sssctl/sssctl_cache.c: In function ‘sssctl_print_object’:
|
||||
src/tools/sssctl/sssctl_cache.c:523:13: error: ‘dom’ may be used uninitialized
|
||||
in this function [-Werror=maybe-uninitialized]
|
||||
ret = info[i].attr_fn(tmp_ctx, entry, dom, info[i].attr, &value);
|
||||
~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
src/tools/sssctl/sssctl_cache.c:472:15: error: ‘entry’ may be used
|
||||
uninitialized in this function [-Werror=maybe-uninitialized]
|
||||
*_entry = talloc_steal(mem_ctx, entry);
|
||||
^~~~~~~~~~~~
|
||||
src/tools/sssctl/sssctl_cache.c:437:25: note: ‘entry’ was declared here
|
||||
struct sysdb_attrs *entry;
|
||||
^~~~~
|
||||
|
||||
Another workaround would be to remove static modifier from function
|
||||
sssctl_find_object which probably prevents some inlinig + optimisation.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/tools/sssctl/sssctl_cache.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tools/sssctl/sssctl_cache.c b/src/tools/sssctl/sssctl_cache.c
|
||||
index 59c8cb473966d60848908fb8b9adcb7d769c8cd9..8f0fc281b73f38f408c1a2307192b3f207a97b5d 100644
|
||||
--- a/src/tools/sssctl/sssctl_cache.c
|
||||
+++ b/src/tools/sssctl/sssctl_cache.c
|
||||
@@ -434,8 +434,8 @@ static errno_t sssctl_fetch_object(TALLOC_CTX *mem_ctx,
|
||||
struct sss_domain_info **_dom)
|
||||
{
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
- struct sysdb_attrs *entry;
|
||||
- struct sss_domain_info *dom;
|
||||
+ struct sysdb_attrs *entry = NULL;
|
||||
+ struct sss_domain_info *dom = NULL;
|
||||
const char **attrs;
|
||||
char *sanitized;
|
||||
errno_t ret;
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,57 +0,0 @@
|
||||
From bc898b360b9667195a7ae59537587c3ec696ac19 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 24 Jan 2017 12:36:04 +0100
|
||||
Subject: [PATCH 07/79] SBUS: remove unused symbols
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sbus/sssd_dbus.h | 2 --
|
||||
src/sbus/sssd_dbus_connection.c | 9 ---------
|
||||
2 files changed, 11 deletions(-)
|
||||
|
||||
diff --git a/src/sbus/sssd_dbus.h b/src/sbus/sssd_dbus.h
|
||||
index 5a66f09d550533839b22465170950fdfdd71aa1e..c6cca7d4edf5014576f41ed146919427f8e3255f 100644
|
||||
--- a/src/sbus/sssd_dbus.h
|
||||
+++ b/src/sbus/sssd_dbus.h
|
||||
@@ -247,8 +247,6 @@ sbus_opath_get_object_name(TALLOC_CTX *mem_ctx,
|
||||
const char *object_path,
|
||||
const char *base_path);
|
||||
|
||||
-bool sbus_conn_disconnecting(struct sbus_connection *conn);
|
||||
-
|
||||
/* max_retries < 0: retry forever
|
||||
* max_retries = 0: never retry (why are you calling this function?)
|
||||
* max_retries > 0: obvious
|
||||
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
|
||||
index 450cee9045de88fcf84b3ca379dd9f1bd5c98ef2..9def7084e5d496a5e6aa40ec0eafd2471a64659f 100644
|
||||
--- a/src/sbus/sssd_dbus_connection.c
|
||||
+++ b/src/sbus/sssd_dbus_connection.c
|
||||
@@ -27,9 +27,6 @@
|
||||
#include "sbus/sssd_dbus_private.h"
|
||||
#include "sbus/sssd_dbus_meta.h"
|
||||
|
||||
-/* Types */
|
||||
-struct dbus_ctx_list;
|
||||
-
|
||||
static int sbus_auto_reconnect(struct sbus_connection *conn);
|
||||
|
||||
static void sbus_dispatch(struct tevent_context *ev,
|
||||
@@ -501,12 +498,6 @@ void sbus_reconnect_init(struct sbus_connection *conn,
|
||||
conn->reconnect_pvt = pvt;
|
||||
}
|
||||
|
||||
-bool sbus_conn_disconnecting(struct sbus_connection *conn)
|
||||
-{
|
||||
- if (conn->disconnect == 1) return true;
|
||||
- return false;
|
||||
-}
|
||||
-
|
||||
int sss_dbus_conn_send(DBusConnection *dbus_conn,
|
||||
DBusMessage *msg,
|
||||
int timeout_ms,
|
||||
--
|
||||
2.9.3
|
||||
|
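--- a/0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch
+++ b/0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch
@@ -0,0 +1,73 @@
+From 15ab42ad5349485c9156234f5a6d1c6635c36de3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Thu, 15 Mar 2018 16:28:41 +0100
+Subject: [PATCH 07/15] TESTS: Add a basic test of `sssctl domain-list`
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Let's just add a test for `sssctl domain-list` in order to avoid
+regressing https://pagure.io/SSSD/sssd/issue/3658.
+
+The test has been added as part of test_infopipe.py in order to take
+advantage of the machinery already provided there.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3658
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+src/tests/intg/test_infopipe.py | 17 +++++++++++++++--
+1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/src/tests/intg/test_infopipe.py b/src/tests/intg/test_infopipe.py
+index 3a7961403..b851bbd91 100644
+--- a/src/tests/intg/test_infopipe.py
++++ b/src/tests/intg/test_infopipe.py
+@@ -34,7 +34,7 @@ import dbus
+import config
+import ds_openldap
+import ldap_ent
+-from util import unindent
++from util import unindent, get_call_output
+
+LDAP_BASE_DN = "dc=example,dc=com"
+INTERACTIVE_TIMEOUT = 4
+@@ -194,7 +194,7 @@ def format_basic_conf(ldap_conn, schema):
+return unindent("""\
+[sssd]
+debug_level = 0xffff
+- domains = LDAP
++ domains = LDAP, app
+services = nss, ifp
+enable_files_domain = false
+
+@@ -212,6 +212,9 @@ def format_basic_conf(ldap_conn, schema):
+id_provider = ldap
+ldap_uri = {ldap_conn.ds_inst.ldap_url}
+ldap_search_base = {ldap_conn.ds_inst.base_dn}
++
++ [application/app]
++ inherit_from = LDAP
+""").format(**locals())
+
+
+@@ -532,3 +535,13 @@ def test_get_user_groups(dbus_system_bus, ldap_conn, sanity_rfc2307):
+
+assert len(res) == 2
+assert sorted(res) == ['single_user_group', 'two_user_group']
++
++
++def test_sssctl_domain_list_app_domain(dbus_system_bus,
++ ldap_conn,
++ sanity_rfc2307):
++ output = get_call_output(["sssctl", "domain-list"], subprocess.STDOUT)
++
++ assert "Error" not in output
++ assert output.find("LDAP") != -1
++ assert output.find("app") != -1
+--
+2.14.3
+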
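Review bot: `test_sssctl_domain_list_app_domain` passes `subprocess.STDOUT`, but the import hunk at the top of the patch only extends the `from util import` line and does not add `import subprocess`; unless test_infopipe.py already imports it outside this hunk (not visible here), the test fails with NameError before any assertion runs. The assertions are also loose: `output.find("app") != -1` is satisfied by any substring match anywhere in the output, and `"Error" not in output` is the only negative check, so a domain list that merely mentions some other name containing `app` would still pass. If `sssctl domain-list` prints one domain name per line, `assert "LDAP" in output.splitlines()` and `assert "app" in output.splitlines()` pin the intent; otherwise at least prefer the idiomatic `assert "LDAP" in output` over `find() != -1`.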
@ -0,0 +1,67 @@
|
||||
From 8a89fce38a2ad76eb4eebd74a0821c80154ac892 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Wed, 21 Mar 2018 16:38:22 +0100
|
||||
Subject: [PATCH 08/15] KCM: Use json_loadb() when dealing with sss_iobuf data
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
As sss_iobuf data is *non* NULL terminated, we have to use json_loadb()
|
||||
passing the data's length instead of just using json_loads().
|
||||
|
||||
Due to this issue, when running sssd-kcm under valgrind and performing a
|
||||
`kinit foo` a bunch of erros like the following one could be seen:
|
||||
==2638== Conditional jump or move depends on uninitialised value(s)
|
||||
==2638== at 0x57DB678: stream_get.part.3 (load.c:172)
|
||||
==2638== by 0x57DB9CA: stream_get (load.c:643)
|
||||
==2638== by 0x57DB9CA: lex_get (load.c:246)
|
||||
==2638== by 0x57DB9CA: lex_scan (load.c:601)
|
||||
==2638== by 0x57DC56A: parse_json.constprop.7 (load.c:904)
|
||||
==2638== by 0x57DC6AB: json_loads (load.c:959)
|
||||
==2638== by 0x11ABEA: ??? (in /usr/libexec/sssd/sssd_kcm)
|
||||
==2638== by 0x11AEF0: ??? (in /usr/libexec/sssd/sssd_kcm)
|
||||
==2638== by 0x125D4A: ??? (in /usr/libexec/sssd/sssd_kcm)
|
||||
==2638== by 0x12623B: ??? (in /usr/libexec/sssd/sssd_kcm)
|
||||
==2638== by 0x9BCD71F: epoll_event_loop (tevent_epoll.c:728)
|
||||
==2638== by 0x9BCD71F: epoll_event_loop_once (tevent_epoll.c:930)
|
||||
==2638== by 0x9BCBBA6: std_event_loop_once (tevent_standard.c:114)
|
||||
==2638== by 0x9BC7FEC: _tevent_loop_once (tevent.c:725)
|
||||
==2638== by 0x9BC820A: tevent_common_loop_wait (tevent.c:848)
|
||||
|
||||
Related to:
|
||||
https://pagure.io/SSSD/sssd/issue/3687
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/kcm/kcmsrv_ccache_secrets.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
|
||||
index 8be7daea5..04dad9596 100644
|
||||
--- a/src/responder/kcm/kcmsrv_ccache_secrets.c
|
||||
+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
|
||||
@@ -231,6 +231,7 @@ static errno_t sec_list_parse(struct sss_iobuf *outbuf,
|
||||
{
|
||||
json_t *root;
|
||||
uint8_t *sec_http_list;
|
||||
+ size_t sec_http_list_len;
|
||||
json_error_t error;
|
||||
json_t *element;
|
||||
errno_t ret;
|
||||
@@ -244,8 +245,10 @@ static errno_t sec_list_parse(struct sss_iobuf *outbuf,
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "No data in output buffer?\n");
|
||||
return EINVAL;
|
||||
}
|
||||
+ sec_http_list_len = sss_iobuf_get_len(outbuf);
|
||||
|
||||
- root = json_loads((const char *) sec_http_list, 0, &error);
|
||||
+ root = json_loadb((const char *) sec_http_list,
|
||||
+ sec_http_list_len, 0, &error);
|
||||
if (root == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Failed to parse JSON payload on line %d: %s\n",
|
||||
--
|
||||
2.14.3
|
||||
|
@ -1,255 +0,0 @@
|
||||
From a3b2bc38263191f23eba2ad98470d8ecd016a60b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 24 Jan 2017 13:14:47 +0100
|
||||
Subject: [PATCH 08/79] SBUS: use sss_ptr_hash for opath table
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch reuses sss_ptr_hash module introduced in NSS patches in sbus code.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sbus/sssd_dbus_connection.c | 4 +-
|
||||
src/sbus/sssd_dbus_interface.c | 94 +++++++++++------------------------------
|
||||
src/sbus/sssd_dbus_private.h | 5 +--
|
||||
3 files changed, 28 insertions(+), 75 deletions(-)
|
||||
|
||||
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
|
||||
index 9def7084e5d496a5e6aa40ec0eafd2471a64659f..6ca039e8e2a919141bf951ed0203dc2c48b3eb55 100644
|
||||
--- a/src/sbus/sssd_dbus_connection.c
|
||||
+++ b/src/sbus/sssd_dbus_connection.c
|
||||
@@ -163,8 +163,8 @@ int sbus_init_connection(TALLOC_CTX *ctx,
|
||||
conn->last_request_time = last_request_time;
|
||||
conn->client_destructor_data = client_destructor_data;
|
||||
|
||||
- ret = sbus_opath_hash_init(conn, conn, &conn->managed_paths);
|
||||
- if (ret != EOK) {
|
||||
+ conn->managed_paths = sbus_opath_hash_init(conn, conn);
|
||||
+ if (conn->managed_paths == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create object paths hash table\n");
|
||||
talloc_free(conn);
|
||||
return EIO;
|
||||
diff --git a/src/sbus/sssd_dbus_interface.c b/src/sbus/sssd_dbus_interface.c
|
||||
index 32e5b27e1f701898d96f5537b2bc72d491903b54..e8c8851231fab68024065a13c5f1e2642ba829e9 100644
|
||||
--- a/src/sbus/sssd_dbus_interface.c
|
||||
+++ b/src/sbus/sssd_dbus_interface.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include <dhash.h>
|
||||
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_ptr_hash.h"
|
||||
#include "sbus/sssd_dbus.h"
|
||||
#include "sbus/sssd_dbus_meta.h"
|
||||
#include "sbus/sssd_dbus_private.h"
|
||||
@@ -492,13 +493,11 @@ sbus_opath_hash_delete_cb(hash_entry_t *item,
|
||||
dbus_connection_unregister_object_path(conn->dbus.conn, path);
|
||||
}
|
||||
|
||||
-errno_t
|
||||
+hash_table_t *
|
||||
sbus_opath_hash_init(TALLOC_CTX *mem_ctx,
|
||||
- struct sbus_connection *conn,
|
||||
- hash_table_t **_table)
|
||||
+ struct sbus_connection *conn)
|
||||
{
|
||||
- return sss_hash_create_ex(mem_ctx, 10, _table, 0, 0, 0, 0,
|
||||
- sbus_opath_hash_delete_cb, conn);
|
||||
+ return sss_ptr_hash_create(mem_ctx, sbus_opath_hash_delete_cb, conn);
|
||||
}
|
||||
|
||||
static errno_t
|
||||
@@ -511,11 +510,8 @@ sbus_opath_hash_add_iface(hash_table_t *table,
|
||||
struct sbus_interface_list *list = NULL;
|
||||
struct sbus_interface_list *item = NULL;
|
||||
const char *iface_name = iface->vtable->meta->name;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
bool path_known;
|
||||
errno_t ret;
|
||||
- int hret;
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (tmp_ctx == NULL) {
|
||||
@@ -536,22 +532,14 @@ sbus_opath_hash_add_iface(hash_table_t *table,
|
||||
|
||||
/* first lookup existing list in hash table */
|
||||
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = talloc_strdup(tmp_ctx, object_path);
|
||||
- if (key.str == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- hret = hash_lookup(table, &key, &value);
|
||||
- if (hret == HASH_SUCCESS) {
|
||||
+ list = sss_ptr_hash_lookup(table, object_path, struct sbus_interface_list);
|
||||
+ if (list != NULL) {
|
||||
/* This object path has already some interface registered. We will
|
||||
* check for existence of the interface currently being added and
|
||||
* add it if missing. */
|
||||
|
||||
path_known = true;
|
||||
|
||||
- list = talloc_get_type(value.ptr, struct sbus_interface_list);
|
||||
if (sbus_iface_list_lookup(list, iface_name) != NULL) {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE, "Trying to register the same interface"
|
||||
" twice: iface=%s, opath=%s\n", iface_name, object_path);
|
||||
@@ -562,9 +550,6 @@ sbus_opath_hash_add_iface(hash_table_t *table,
|
||||
DLIST_ADD_END(list, item, struct sbus_interface_list *);
|
||||
ret = EOK;
|
||||
goto done;
|
||||
- } else if (hret != HASH_ERROR_KEY_NOT_FOUND) {
|
||||
- ret = EIO;
|
||||
- goto done;
|
||||
}
|
||||
|
||||
/* otherwise create new hash entry and new list */
|
||||
@@ -572,17 +557,8 @@ sbus_opath_hash_add_iface(hash_table_t *table,
|
||||
path_known = false;
|
||||
list = item;
|
||||
|
||||
- value.type = HASH_VALUE_PTR;
|
||||
- value.ptr = list;
|
||||
-
|
||||
- hret = hash_enter(table, &key, &value);
|
||||
- if (hret != HASH_SUCCESS) {
|
||||
- ret = EIO;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- talloc_steal(table, key.str);
|
||||
- ret = EOK;
|
||||
+ ret = sss_ptr_hash_add(table, object_path, list,
|
||||
+ struct sbus_interface_list);
|
||||
|
||||
done:
|
||||
if (ret == EOK) {
|
||||
@@ -599,12 +575,7 @@ static bool
|
||||
sbus_opath_hash_has_path(hash_table_t *table,
|
||||
const char *object_path)
|
||||
{
|
||||
- hash_key_t key;
|
||||
-
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = discard_const(object_path);
|
||||
-
|
||||
- return hash_has_key(table, &key);
|
||||
+ return sss_ptr_hash_has_key(table, object_path);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -621,9 +592,6 @@ sbus_opath_hash_lookup_iface(hash_table_t *table,
|
||||
struct sbus_interface_list *list = NULL;
|
||||
struct sbus_interface *iface = NULL;
|
||||
char *lookup_path = NULL;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
- int hret;
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (tmp_ctx == NULL) {
|
||||
@@ -636,21 +604,13 @@ sbus_opath_hash_lookup_iface(hash_table_t *table,
|
||||
}
|
||||
|
||||
while (lookup_path != NULL) {
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = lookup_path;
|
||||
-
|
||||
- hret = hash_lookup(table, &key, &value);
|
||||
- if (hret == HASH_SUCCESS) {
|
||||
- list = talloc_get_type(value.ptr, struct sbus_interface_list);
|
||||
+ list = sss_ptr_hash_lookup(table, lookup_path,
|
||||
+ struct sbus_interface_list);
|
||||
+ if (list != NULL) {
|
||||
iface = sbus_iface_list_lookup(list, iface_name);
|
||||
if (iface != NULL) {
|
||||
goto done;
|
||||
}
|
||||
- } else if (hret != HASH_ERROR_KEY_NOT_FOUND) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Unable to search hash table: hret=%d\n", hret);
|
||||
- iface = NULL;
|
||||
- goto done;
|
||||
}
|
||||
|
||||
/* we will not free lookup path since it is freed with tmp_ctx
|
||||
@@ -674,13 +634,11 @@ sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx,
|
||||
{
|
||||
TALLOC_CTX *tmp_ctx = NULL;
|
||||
TALLOC_CTX *list_ctx = NULL;
|
||||
- struct sbus_interface_list *copy = NULL;
|
||||
- struct sbus_interface_list *list = NULL;
|
||||
+ struct sbus_interface_list *copy;
|
||||
+ struct sbus_interface_list *output_list;
|
||||
+ struct sbus_interface_list *table_list;
|
||||
char *lookup_path = NULL;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
errno_t ret;
|
||||
- int hret;
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (tmp_ctx == NULL) {
|
||||
@@ -699,23 +657,19 @@ sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- while (lookup_path != NULL) {
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = lookup_path;
|
||||
+ /* Initialize output_list. */
|
||||
+ output_list = NULL;
|
||||
|
||||
- hret = hash_lookup(table, &key, &value);
|
||||
- if (hret == HASH_SUCCESS) {
|
||||
- ret = sbus_iface_list_copy(list_ctx, value.ptr, ©);
|
||||
+ while (lookup_path != NULL) {
|
||||
+ table_list = sss_ptr_hash_lookup(table, lookup_path,
|
||||
+ struct sbus_interface_list);
|
||||
+ if (table_list != NULL) {
|
||||
+ ret = sbus_iface_list_copy(list_ctx, table_list, ©);
|
||||
if (ret != EOK) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
- DLIST_CONCATENATE(list, copy, struct sbus_interface_list *);
|
||||
- } else if (hret != HASH_ERROR_KEY_NOT_FOUND) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Unable to search hash table: hret=%d\n", hret);
|
||||
- ret = EIO;
|
||||
- goto done;
|
||||
+ DLIST_CONCATENATE(output_list, copy, struct sbus_interface_list *);
|
||||
}
|
||||
|
||||
/* we will not free lookup path since it is freed with tmp_ctx
|
||||
@@ -724,7 +678,7 @@ sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
talloc_steal(mem_ctx, list_ctx);
|
||||
- *_list = list;
|
||||
+ *_list = output_list;
|
||||
ret = EOK;
|
||||
|
||||
done:
|
||||
diff --git a/src/sbus/sssd_dbus_private.h b/src/sbus/sssd_dbus_private.h
|
||||
index 8abca66b087d9ce1081889feda2ca1e1372514ad..c8913d0f0c522147aacf3214000ef9d4855fdb0c 100644
|
||||
--- a/src/sbus/sssd_dbus_private.h
|
||||
+++ b/src/sbus/sssd_dbus_private.h
|
||||
@@ -121,10 +121,9 @@ struct sbus_interface_list {
|
||||
struct sbus_interface *interface;
|
||||
};
|
||||
|
||||
-errno_t
|
||||
+hash_table_t *
|
||||
sbus_opath_hash_init(TALLOC_CTX *mem_ctx,
|
||||
- struct sbus_connection *conn,
|
||||
- hash_table_t **_table);
|
||||
+ struct sbus_connection *conn);
|
||||
|
||||
struct sbus_interface *
|
||||
sbus_opath_hash_lookup_iface(hash_table_t *table,
|
||||
--
|
||||
2.9.3
|
||||
|
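--- a/0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch
+++ b/0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch
@@ -0,0 +1,50 @@
+From 48cff40315cfbfcfae3582935efda961757ceec6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Tue, 13 Mar 2018 21:11:16 +0100
+Subject: [PATCH 09/15] KCM: Remove mem_ctx from kcm_new_req()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Let's remove the mem_ctx argument as we really want cctx to be the
+memory context here, so that if the client disconnects the request goes
+away.
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+src/responder/kcm/kcmsrv_cmd.c | 10 ++++++----
+1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
+index 0b933f0b4..d4ebb79bf 100644
+--- a/src/responder/kcm/kcmsrv_cmd.c
++++ b/src/responder/kcm/kcmsrv_cmd.c
+@@ -423,8 +423,10 @@ static errno_t kcm_recv_data(int fd, struct kcm_reqbuf *reqbuf)
+return EOK;
+}
+
+-static struct kcm_req_ctx *kcm_new_req(TALLOC_CTX *mem_ctx,
+- struct cli_ctx *cctx,
++/* Mind that kcm_new_req() does not take a mem_ctx argument on purpose as we
++ * really want the cctx to be the memory context here so that if the client
++ * disconnects, the request goes away. */
++static struct kcm_req_ctx *kcm_new_req(struct cli_ctx *cctx,
+struct kcm_ctx *kctx)
+{
+struct kcm_req_ctx *req;
+@@ -467,8 +469,8 @@ static void kcm_recv(struct cli_ctx *cctx)
+kctx = talloc_get_type(cctx->rctx->pvt_ctx, struct kcm_ctx);
+req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx);
+if (req == NULL) {
+- /* A new request comes in, setup data structures */
+- req = kcm_new_req(cctx, cctx, kctx);
++ /* A new request comes in, setup data structures. */
++ req = kcm_new_req(cctx, kctx);
+if (req == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+"Cannot set up client connection\n");
+--
+2.14.3
+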
@ -1,165 +0,0 @@
|
||||
From ea872f140a04419fba3f2b9722da74d7fd1ca1ee Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 24 Jan 2017 13:47:42 +0100
|
||||
Subject: [PATCH 09/79] SBUS: use sss_ptr_hash for nodes table
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch reuses sss_ptr_hash module introduced in NSS patches in sbus code.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sbus/sssd_dbus_connection.c | 4 +--
|
||||
src/sbus/sssd_dbus_interface.c | 72 +++++++----------------------------------
|
||||
src/sbus/sssd_dbus_private.h | 6 ++--
|
||||
3 files changed, 16 insertions(+), 66 deletions(-)
|
||||
|
||||
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
|
||||
index 6ca039e8e2a919141bf951ed0203dc2c48b3eb55..5e493fb03e835d5f939a599efdc07f7ab2f9be28 100644
|
||||
--- a/src/sbus/sssd_dbus_connection.c
|
||||
+++ b/src/sbus/sssd_dbus_connection.c
|
||||
@@ -170,8 +170,8 @@ int sbus_init_connection(TALLOC_CTX *ctx,
|
||||
return EIO;
|
||||
}
|
||||
|
||||
- ret = sbus_nodes_hash_init(conn, conn, &conn->nodes_fns);
|
||||
- if (ret != EOK) {
|
||||
+ conn->nodes_fns = sbus_nodes_hash_init(conn);
|
||||
+ if (conn->nodes_fns == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create node functions hash table\n");
|
||||
talloc_free(conn);
|
||||
return EIO;
|
||||
diff --git a/src/sbus/sssd_dbus_interface.c b/src/sbus/sssd_dbus_interface.c
|
||||
index e8c8851231fab68024065a13c5f1e2642ba829e9..1a11c6abcf23053e3b8c77f4d469d7c202a88eb8 100644
|
||||
--- a/src/sbus/sssd_dbus_interface.c
|
||||
+++ b/src/sbus/sssd_dbus_interface.c
|
||||
@@ -686,13 +686,10 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-errno_t
|
||||
-sbus_nodes_hash_init(TALLOC_CTX *mem_ctx,
|
||||
- struct sbus_connection *conn,
|
||||
- hash_table_t **_table)
|
||||
+hash_table_t *
|
||||
+sbus_nodes_hash_init(TALLOC_CTX *mem_ctx)
|
||||
{
|
||||
- return sss_hash_create_ex(mem_ctx, 10, _table, 0, 0, 0, 0,
|
||||
- NULL, conn);
|
||||
+ return sss_ptr_hash_create(mem_ctx, NULL, NULL);
|
||||
}
|
||||
|
||||
struct sbus_nodes_data {
|
||||
@@ -706,57 +703,24 @@ sbus_nodes_hash_add(hash_table_t *table,
|
||||
sbus_nodes_fn nodes_fn,
|
||||
void *handler_data)
|
||||
{
|
||||
- TALLOC_CTX *tmp_ctx;
|
||||
struct sbus_nodes_data *data;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
errno_t ret;
|
||||
- bool has_key;
|
||||
- int hret;
|
||||
|
||||
- tmp_ctx = talloc_new(NULL);
|
||||
- if (tmp_ctx == NULL) {
|
||||
- return ENOMEM;
|
||||
- }
|
||||
-
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = talloc_strdup(tmp_ctx, object_path);
|
||||
- if (key.str == NULL) {
|
||||
- return ENOMEM;
|
||||
- }
|
||||
-
|
||||
- has_key = hash_has_key(table, &key);
|
||||
- if (has_key) {
|
||||
- ret = EEXIST;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- data = talloc_zero(tmp_ctx, struct sbus_nodes_data);
|
||||
+ data = talloc_zero(table, struct sbus_nodes_data);
|
||||
if (data == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
+ return ENOMEM;
|
||||
}
|
||||
|
||||
data->handler_data = handler_data;
|
||||
data->nodes_fn = nodes_fn;
|
||||
|
||||
- value.type = HASH_VALUE_PTR;
|
||||
- value.ptr = data;
|
||||
-
|
||||
- hret = hash_enter(table, &key, &value);
|
||||
- if (hret != HASH_SUCCESS) {
|
||||
- ret = EIO;
|
||||
- goto done;
|
||||
+ ret = sss_ptr_hash_add(table, object_path, data, struct sbus_nodes_data);
|
||||
+ if (ret != EOK) {
|
||||
+ talloc_free(data);
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
- talloc_steal(table, key.str);
|
||||
- talloc_steal(table, data);
|
||||
-
|
||||
- ret = EOK;
|
||||
-
|
||||
-done:
|
||||
- talloc_free(tmp_ctx);
|
||||
- return ret;
|
||||
+ return EOK;
|
||||
}
|
||||
|
||||
const char **
|
||||
@@ -765,24 +729,12 @@ sbus_nodes_hash_lookup(TALLOC_CTX *mem_ctx,
|
||||
const char *object_path)
|
||||
{
|
||||
struct sbus_nodes_data *data;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
- int hret;
|
||||
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = discard_const(object_path);
|
||||
-
|
||||
- hret = hash_lookup(table, &key, &value);
|
||||
- if (hret == HASH_ERROR_KEY_NOT_FOUND) {
|
||||
- return NULL;
|
||||
- } else if (hret != HASH_SUCCESS) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Unable to search hash table: hret=%d\n", hret);
|
||||
+ data = sss_ptr_hash_lookup(table, object_path, struct sbus_nodes_data);
|
||||
+ if (data == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- data = talloc_get_type(value.ptr, struct sbus_nodes_data);
|
||||
-
|
||||
return data->nodes_fn(mem_ctx, object_path, data->handler_data);
|
||||
}
|
||||
|
||||
diff --git a/src/sbus/sssd_dbus_private.h b/src/sbus/sssd_dbus_private.h
|
||||
index c8913d0f0c522147aacf3214000ef9d4855fdb0c..a5a2d47f4bfac99960fcca56aaa48077c36b96e4 100644
|
||||
--- a/src/sbus/sssd_dbus_private.h
|
||||
+++ b/src/sbus/sssd_dbus_private.h
|
||||
@@ -136,10 +136,8 @@ sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx,
|
||||
const char *object_path,
|
||||
struct sbus_interface_list **_list);
|
||||
|
||||
-errno_t
|
||||
-sbus_nodes_hash_init(TALLOC_CTX *mem_ctx,
|
||||
- struct sbus_connection *conn,
|
||||
- hash_table_t **_table);
|
||||
+hash_table_t *
|
||||
+sbus_nodes_hash_init(TALLOC_CTX *mem_ctx);
|
||||
|
||||
const char **
|
||||
sbus_nodes_hash_lookup(TALLOC_CTX *mem_ctx,
|
||||
--
|
||||
2.9.3
|
||||
|
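--- a/0010-KCM-Introduce-kcm_input_get_payload_len.patch
+++ b/0010-KCM-Introduce-kcm_input_get_payload_len.patch
@@ -0,0 +1,61 @@
+From 7fa69ab8152392b11490950ff8aeeef7e0ad14de Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Tue, 13 Mar 2018 23:13:35 +0100
+Subject: [PATCH 10/15] KCM: Introduce kcm_input_get_payload_len()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As this piece of code will be useful for us in the future patches of
+this series, let's move it to a new function.
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+src/responder/kcm/kcmsrv_cmd.c | 20 ++++++++++++--------
+1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
+index d4ebb79bf..3ecba9df2 100644
+--- a/src/responder/kcm/kcmsrv_cmd.c
++++ b/src/responder/kcm/kcmsrv_cmd.c
+@@ -129,23 +129,27 @@ struct kcm_reqbuf {
+struct kcm_iovec v_msg;
+};
+
++static uint32_t kcm_input_get_payload_len(struct kcm_iovec *v)
++{
++ size_t lc = 0;
++ uint32_t len_be = 0;
++
++ /* The first 4 bytes before the payload is message length */
++ SAFEALIGN_COPY_UINT32_CHECK(&len_be, v->kiov_base, v->kiov_len, &lc);
++
++ return be32toh(len_be);
++}
++
+static errno_t kcm_input_parse(struct kcm_reqbuf *reqbuf,
+struct kcm_op_io *op_io)
+{
+- size_t lc = 0;
+size_t mc = 0;
+uint16_t opcode_be = 0;
+- uint32_t len_be = 0;
+uint32_t msglen;
+uint8_t proto_maj = 0;
+uint8_t proto_min = 0;
+
+- /* The first 4 bytes before the payload is message length */
+- SAFEALIGN_COPY_UINT32_CHECK(&len_be,
+- reqbuf->v_len.kiov_base,
+- reqbuf->v_len.kiov_len,
+- &lc);
+- msglen = be32toh(len_be);
++ msglen = kcm_input_get_payload_len(&reqbuf->v_len);
+DEBUG(SSSDBG_TRACE_LIBS,
+"Received message with length %"PRIu32"\n", msglen);
+
+--
+2.14.3
+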
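Review bot: `kcm_input_get_payload_len` returns `uint32_t`, but `SAFEALIGN_COPY_UINT32_CHECK` (SSSD's util_safealign.h macro, not visible in this hunk) bails out with `return EINVAL` when fewer than four bytes remain in `v->kiov_len`; inside the old `errno_t`-returning `kcm_input_parse` that was a proper error, inside the new helper the same path is silently returned to the caller as a payload length of 22. The length field is read from the client socket, so if the length iovec can ever be short, `kcm_input_parse` would carry on with a bogus `msglen` instead of rejecting the request; if `kcm_recv_data` always fills the 4-byte iovec before this runs the check cannot trip today, but the helper should not quietly depend on that. Keep the macro's error path by giving the helper an `errno_t` return and an output parameter, and check it in `kcm_input_parse`, whose body continues outside the hunk and may need a `ret` variable added.
```c
static errno_t kcm_input_get_payload_len(struct kcm_iovec *v, uint32_t *_len)
{
    size_t lc = 0;
    uint32_t len_be = 0;

    /* The first 4 bytes before the payload is message length; the macro
     * returns EINVAL to our caller if v->kiov_len is shorter than that. */
    SAFEALIGN_COPY_UINT32_CHECK(&len_be, v->kiov_base, v->kiov_len, &lc);

    *_len = be32toh(len_be);
    return EOK;
}

/* … unchanged: kcm_input_parse signature and local declarations … */
    errno_t ret;

    ret = kcm_input_get_payload_len(&reqbuf->v_len, &msglen);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read message length\n");
        return ret;
    }
    /* … unchanged: "Received message with length" DEBUG and the rest of kcm_input_parse … */
```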
@ -1,168 +0,0 @@
|
||||
From b1afef0bc8d98c389a7f71307bee8ef9fc991ced Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 24 Jan 2017 14:02:51 +0100
|
||||
Subject: [PATCH 10/79] SBUS: use sss_ptr_hash for signals table
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This patch reuses sss_ptr_hash module introduced in NSS patches in sbus code.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sbus/sssd_dbus_connection.c | 4 +--
|
||||
src/sbus/sssd_dbus_private.h | 5 ++--
|
||||
src/sbus/sssd_dbus_signals.c | 58 ++++++++++-------------------------------
|
||||
3 files changed, 18 insertions(+), 49 deletions(-)
|
||||
|
||||
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
|
||||
index 5e493fb03e835d5f939a599efdc07f7ab2f9be28..de134f2f21bfb9697fcc8a42622817bc50b54f2a 100644
|
||||
--- a/src/sbus/sssd_dbus_connection.c
|
||||
+++ b/src/sbus/sssd_dbus_connection.c
|
||||
@@ -177,8 +177,8 @@ int sbus_init_connection(TALLOC_CTX *ctx,
|
||||
return EIO;
|
||||
}
|
||||
|
||||
- ret = sbus_incoming_signal_hash_init(conn, &conn->incoming_signals);
|
||||
- if (ret != EOK) {
|
||||
+ conn->incoming_signals = sbus_incoming_signal_hash_init(conn);
|
||||
+ if (conn->incoming_signals == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create incoming singals "
|
||||
"hash table\n");
|
||||
talloc_free(conn);
|
||||
diff --git a/src/sbus/sssd_dbus_private.h b/src/sbus/sssd_dbus_private.h
|
||||
index a5a2d47f4bfac99960fcca56aaa48077c36b96e4..a3d4bae166d5a4d17037b16094248d22de7e8f62 100644
|
||||
--- a/src/sbus/sssd_dbus_private.h
|
||||
+++ b/src/sbus/sssd_dbus_private.h
|
||||
@@ -180,9 +180,8 @@ sbus_signal_handler(DBusConnection *conn,
|
||||
DBusMessage *message,
|
||||
void *handler_data);
|
||||
|
||||
-errno_t
|
||||
-sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx,
|
||||
- hash_table_t **_table);
|
||||
+hash_table_t *
|
||||
+sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx);
|
||||
|
||||
void sbus_register_common_signals(struct sbus_connection *conn, void *pvt);
|
||||
|
||||
diff --git a/src/sbus/sssd_dbus_signals.c b/src/sbus/sssd_dbus_signals.c
|
||||
index 3f463e603a625cae8415fb17f5cd811ef0c10e15..be1c8527e5513bc258e7764239d9b16af083ac65 100644
|
||||
--- a/src/sbus/sssd_dbus_signals.c
|
||||
+++ b/src/sbus/sssd_dbus_signals.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include <dhash.h>
|
||||
|
||||
#include "util/util.h"
|
||||
+#include "util/sss_ptr_hash.h"
|
||||
#include "sbus/sssd_dbus.h"
|
||||
#include "sbus/sssd_dbus_private.h"
|
||||
|
||||
@@ -60,11 +61,10 @@ struct sbus_incoming_signal_data {
|
||||
void *handler_data;
|
||||
};
|
||||
|
||||
-errno_t
|
||||
-sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx,
|
||||
- hash_table_t **_table)
|
||||
+hash_table_t *
|
||||
+sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx)
|
||||
{
|
||||
- return sss_hash_create(mem_ctx, 10, _table);
|
||||
+ return sss_ptr_hash_create(mem_ctx, NULL, NULL);
|
||||
}
|
||||
|
||||
static errno_t
|
||||
@@ -76,30 +76,20 @@ sbus_incoming_signal_hash_add(hash_table_t *table,
|
||||
{
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
struct sbus_incoming_signal_data *data;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
+ char *key;
|
||||
errno_t ret;
|
||||
- bool has_key;
|
||||
- int hret;
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (tmp_ctx == NULL) {
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = talloc_asprintf(tmp_ctx, "%s.%s", iface, a_signal);
|
||||
- if (key.str == NULL) {
|
||||
+ key = talloc_asprintf(tmp_ctx, "%s.%s", iface, a_signal);
|
||||
+ if (key == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
}
|
||||
|
||||
- has_key = hash_has_key(table, &key);
|
||||
- if (has_key) {
|
||||
- ret = EEXIST;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
data = talloc_zero(tmp_ctx, struct sbus_incoming_signal_data);
|
||||
if (data == NULL) {
|
||||
ret = ENOMEM;
|
||||
@@ -109,16 +99,11 @@ sbus_incoming_signal_hash_add(hash_table_t *table,
|
||||
data->handler_data = handler_data;
|
||||
data->handler_fn = handler_fn;
|
||||
|
||||
- value.type = HASH_VALUE_PTR;
|
||||
- value.ptr = data;
|
||||
-
|
||||
- hret = hash_enter(table, &key, &value);
|
||||
- if (hret != HASH_SUCCESS) {
|
||||
- ret = EIO;
|
||||
+ ret = sss_ptr_hash_add(table, key, data, struct sbus_incoming_signal_data);
|
||||
+ if (ret != EOK) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
- talloc_steal(table, key.str);
|
||||
talloc_steal(table, data);
|
||||
|
||||
ret = EOK;
|
||||
@@ -134,31 +119,16 @@ sbus_incoming_signal_hash_lookup(hash_table_t *table,
|
||||
const char *a_signal)
|
||||
{
|
||||
struct sbus_incoming_signal_data *data;
|
||||
- hash_key_t key;
|
||||
- hash_value_t value;
|
||||
- int hret;
|
||||
+ char *key;
|
||||
|
||||
- key.type = HASH_KEY_STRING;
|
||||
- key.str = talloc_asprintf(NULL, "%s.%s", iface, a_signal);
|
||||
- if (key.str == NULL) {
|
||||
+ key = talloc_asprintf(NULL, "%s.%s", iface, a_signal);
|
||||
+ if (key == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- hret = hash_lookup(table, &key, &value);
|
||||
- if (hret == HASH_ERROR_KEY_NOT_FOUND) {
|
||||
- data = NULL;
|
||||
- goto done;
|
||||
- } else if (hret != HASH_SUCCESS) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Unable to search hash table: hret=%d\n", hret);
|
||||
- data = NULL;
|
||||
- goto done;
|
||||
- }
|
||||
+ data = sss_ptr_hash_lookup(table, key, struct sbus_incoming_signal_data);
|
||||
+ talloc_free(key);
|
||||
|
||||
- data = talloc_get_type(value.ptr, struct sbus_incoming_signal_data);
|
||||
-
|
||||
-done:
|
||||
- talloc_free(key.str);
|
||||
return data;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
243
0011-KCM-Do-not-use-2048-as-fixed-size-for-the-payload.patch
Normal file
@ -0,0 +1,243 @@
|
||||
From 9f078d2e9ec7e1803b6c7e2f8a51e0e185723e76 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Wed, 14 Mar 2018 00:57:39 +0100
|
||||
Subject: [PATCH 11/15] KCM: Do not use 2048 as fixed size for the payload
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The KCM code has the limit set as 2048 only inside #ifdef __APPLE__,
|
||||
while it should be normally set as 10 * 1024 * 1024, as seen in:
|
||||
https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
|
||||
|
||||
Last but not least, doesn't make much sense to use a fixed value as the
|
||||
first 4 bytes received are the payload size ... so let's just allocate
|
||||
the needed size instead of having a fixed value.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3671
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/kcm/kcmsrv_cmd.c | 103 +++++++++++++++++++++++++----------------
|
||||
1 file changed, 62 insertions(+), 41 deletions(-)
|
||||
|
||||
diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
|
||||
index 3ecba9df2..728979da9 100644
|
||||
--- a/src/responder/kcm/kcmsrv_cmd.c
|
||||
+++ b/src/responder/kcm/kcmsrv_cmd.c
|
||||
@@ -38,7 +38,7 @@
|
||||
/* The maximum length of a request or reply as defined by the RPC
|
||||
* protocol. This is the same constant size as MIT KRB5 uses
|
||||
*/
|
||||
-#define KCM_PACKET_MAX_SIZE 2048
|
||||
+#define KCM_PACKET_MAX_SIZE 10*1024*1024
|
||||
|
||||
/* KCM operation, its raw input and raw output and result */
|
||||
struct kcm_op_io {
|
||||
@@ -125,7 +125,6 @@ struct kcm_reqbuf {
|
||||
struct kcm_iovec v_len;
|
||||
|
||||
/* Includes the major, minor versions etc */
|
||||
- uint8_t msgbuf[KCM_PACKET_MAX_SIZE];
|
||||
struct kcm_iovec v_msg;
|
||||
};
|
||||
|
||||
@@ -238,7 +237,6 @@ struct kcm_repbuf {
|
||||
uint8_t rcbuf[KCM_RETCODE_SIZE];
|
||||
struct kcm_iovec v_rc;
|
||||
|
||||
- uint8_t msgbuf[KCM_PACKET_MAX_SIZE];
|
||||
struct kcm_iovec v_msg;
|
||||
};
|
||||
|
||||
@@ -259,11 +257,13 @@ static errno_t kcm_failbuf_construct(errno_t ret,
|
||||
/* retcode is 0 if the operation at least ran, non-zero if there
|
||||
* was some kind of internal KCM error, like input couldn't be parsed
|
||||
*/
|
||||
-static errno_t kcm_output_construct(struct kcm_op_io *op_io,
|
||||
+static errno_t kcm_output_construct(TALLOC_CTX *mem_ctx,
|
||||
+ struct kcm_op_io *op_io,
|
||||
struct kcm_repbuf *repbuf)
|
||||
{
|
||||
- size_t c;
|
||||
+ uint8_t *rep;
|
||||
size_t replen;
|
||||
+ size_t c;
|
||||
|
||||
replen = sss_iobuf_get_len(op_io->reply);
|
||||
if (replen > KCM_PACKET_MAX_SIZE) {
|
||||
@@ -281,14 +281,22 @@ static errno_t kcm_output_construct(struct kcm_op_io *op_io,
|
||||
SAFEALIGN_SETMEM_UINT32(repbuf->rcbuf, 0, &c);
|
||||
|
||||
if (replen > 0) {
|
||||
+ rep = talloc_zero_array(mem_ctx, uint8_t, replen);
|
||||
+ if (rep == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to allocate memory for the message\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
c = 0;
|
||||
- SAFEALIGN_MEMCPY_CHECK(repbuf->msgbuf,
|
||||
+ SAFEALIGN_MEMCPY_CHECK(rep,
|
||||
sss_iobuf_get_data(op_io->reply),
|
||||
replen,
|
||||
- repbuf->v_msg.kiov_len,
|
||||
+ replen,
|
||||
&c);
|
||||
|
||||
- /* Length of the buffer to send to KCM client */
|
||||
+ /* Set the buffer and its length to send to KCM client */
|
||||
+ repbuf->v_msg.kiov_base = rep;
|
||||
repbuf->v_msg.kiov_len = replen;
|
||||
}
|
||||
|
||||
@@ -321,24 +329,6 @@ static void kcm_reply_error(struct cli_ctx *cctx,
|
||||
TEVENT_FD_WRITEABLE(cctx->cfde);
|
||||
}
|
||||
|
||||
-static void kcm_send_reply(struct cli_ctx *cctx,
|
||||
- struct kcm_op_io *op_io,
|
||||
- struct kcm_repbuf *repbuf)
|
||||
-{
|
||||
- errno_t ret;
|
||||
-
|
||||
- DEBUG(SSSDBG_TRACE_INTERNAL, "Sending a reply\n");
|
||||
- ret = kcm_output_construct(op_io, repbuf);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Cannot construct the reply buffer, terminating client\n");
|
||||
- kcm_reply_error(cctx, ret, repbuf);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- TEVENT_FD_WRITEABLE(cctx->cfde);
|
||||
-}
|
||||
-
|
||||
/**
|
||||
* Request-reply dispatcher
|
||||
*/
|
||||
@@ -356,6 +346,26 @@ struct kcm_req_ctx {
|
||||
struct kcm_op_io op_io;
|
||||
};
|
||||
|
||||
+static void kcm_send_reply(struct kcm_req_ctx *req_ctx)
|
||||
+{
|
||||
+ struct cli_ctx *cctx;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Sending a reply\n");
|
||||
+
|
||||
+ cctx = req_ctx->cctx;
|
||||
+
|
||||
+ ret = kcm_output_construct(cctx, &req_ctx->op_io, &req_ctx->repbuf);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Cannot construct the reply buffer, terminating client\n");
|
||||
+ kcm_reply_error(cctx, ret, &req_ctx->repbuf);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ TEVENT_FD_WRITEABLE(cctx->cfde);
|
||||
+}
|
||||
+
|
||||
static void kcm_cmd_request_done(struct tevent_req *req);
|
||||
|
||||
static errno_t kcm_cmd_dispatch(struct kcm_ctx *kctx,
|
||||
@@ -385,11 +395,9 @@ static errno_t kcm_cmd_dispatch(struct kcm_ctx *kctx,
|
||||
static void kcm_cmd_request_done(struct tevent_req *req)
|
||||
{
|
||||
struct kcm_req_ctx *req_ctx;
|
||||
- struct cli_ctx *cctx;
|
||||
errno_t ret;
|
||||
|
||||
req_ctx = tevent_req_callback_data(req, struct kcm_req_ctx);
|
||||
- cctx = req_ctx->cctx;
|
||||
|
||||
ret = kcm_cmd_recv(req_ctx, req,
|
||||
&req_ctx->op_io.reply);
|
||||
@@ -397,15 +405,19 @@ static void kcm_cmd_request_done(struct tevent_req *req)
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"KCM operation failed [%d]: %s\n", ret, sss_strerror(ret));
|
||||
- kcm_reply_error(cctx, ret, &req_ctx->repbuf);
|
||||
+ kcm_reply_error(req_ctx->cctx, ret, &req_ctx->repbuf);
|
||||
return;
|
||||
}
|
||||
|
||||
- kcm_send_reply(cctx, &req_ctx->op_io, &req_ctx->repbuf);
|
||||
+ kcm_send_reply(req_ctx);
|
||||
}
|
||||
|
||||
-static errno_t kcm_recv_data(int fd, struct kcm_reqbuf *reqbuf)
|
||||
+static errno_t kcm_recv_data(TALLOC_CTX *mem_ctx,
|
||||
+ int fd,
|
||||
+ struct kcm_reqbuf *reqbuf)
|
||||
{
|
||||
+ uint8_t *msg;
|
||||
+ uint32_t msglen;
|
||||
errno_t ret;
|
||||
|
||||
ret = kcm_read_iovec(fd, &reqbuf->v_len);
|
||||
@@ -416,6 +428,24 @@ static errno_t kcm_recv_data(int fd, struct kcm_reqbuf *reqbuf)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+ msglen = kcm_input_get_payload_len(&reqbuf->v_len);
|
||||
+ if (msglen > KCM_PACKET_MAX_SIZE) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Request exceeds the KCM protocol limit, aborting\n");
|
||||
+ return E2BIG;
|
||||
+ }
|
||||
+
|
||||
+ msg = talloc_zero_array(mem_ctx, uint8_t, msglen);
|
||||
+ if (msg == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to allocate memory for the message\n");
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ /* Set the buffer and its expected len to receive the data */
|
||||
+ reqbuf->v_msg.kiov_base = msg;
|
||||
+ reqbuf->v_msg.kiov_len = msglen;
|
||||
+
|
||||
ret = kcm_read_iovec(fd, &reqbuf->v_msg);
|
||||
if (ret != EOK) {
|
||||
/* Not all errors are fatal, hence we don't print DEBUG messages
|
||||
@@ -443,21 +473,12 @@ static struct kcm_req_ctx *kcm_new_req(struct cli_ctx *cctx,
|
||||
req->reqbuf.v_len.kiov_base = req->reqbuf.lenbuf;
|
||||
req->reqbuf.v_len.kiov_len = KCM_MSG_LEN_SIZE;
|
||||
|
||||
- req->reqbuf.v_msg.kiov_base = req->reqbuf.msgbuf;
|
||||
- req->reqbuf.v_msg.kiov_len = KCM_PACKET_MAX_SIZE;
|
||||
-
|
||||
req->repbuf.v_len.kiov_base = req->repbuf.lenbuf;
|
||||
req->repbuf.v_len.kiov_len = KCM_MSG_LEN_SIZE;
|
||||
|
||||
req->repbuf.v_rc.kiov_base = req->repbuf.rcbuf;
|
||||
req->repbuf.v_rc.kiov_len = KCM_RETCODE_SIZE;
|
||||
|
||||
- req->repbuf.v_msg.kiov_base = req->repbuf.msgbuf;
|
||||
- /* Length of the msg iobuf will be adjusted later, so far use the full
|
||||
- * length so that constructing the reply can use that capacity
|
||||
- */
|
||||
- req->repbuf.v_msg.kiov_len = KCM_PACKET_MAX_SIZE;
|
||||
-
|
||||
req->cctx = cctx;
|
||||
req->kctx = kctx;
|
||||
|
||||
@@ -485,7 +506,7 @@ static void kcm_recv(struct cli_ctx *cctx)
|
||||
cctx->state_ctx = req;
|
||||
}
|
||||
|
||||
- ret = kcm_recv_data(cctx->cfd, &req->reqbuf);
|
||||
+ ret = kcm_recv_data(req, cctx->cfd, &req->reqbuf);
|
||||
switch (ret) {
|
||||
case ENODATA:
|
||||
DEBUG(SSSDBG_TRACE_ALL, "Client closed connection.\n");
|
||||
--
|
||||
2.14.3
|
||||
|
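Review bot: In the new kcm_send_reply the reply buffer is allocated on the client context (`kcm_output_construct(cctx, ...)` ends up in `talloc_zero_array(mem_ctx, uint8_t, replen)`), whereas the request payload in kcm_recv_data is allocated on the per-request `req`; since `cctx->state_ctx = req` shows the client context outliving individual requests, every reply's `rep` presumably stays attached to the client until it disconnects, accumulating up to KCM_PACKET_MAX_SIZE per request on a long-lived connection, so `kcm_output_construct(req_ctx, ...)` looks like the right owner provided req_ctx lives until the write completes — confirm. Separately, kcm_recv_data now allocates and zeroes `msglen` bytes, up to 10 MiB, from a client-supplied length before any payload has been read, so a single four-byte header costs the responder that much memory per connection; a comment stating that cost, plus a lower bound (a zero-length message yields an empty iovec, and a message shorter than the version/opcode prefix is presumably caught later by the SAFEALIGN checks in kcm_input_parse — confirm), would make the limit's intent explicit. Also `#define KCM_PACKET_MAX_SIZE 10*1024*1024` should be parenthesized, `#define KCM_PACKET_MAX_SIZE (10*1024*1024)`, since the bare expression breaks under `%` or a cast in any future use; the same applies to KCM_REPLY_MAX and TCURL_IOBUF_MAX in 0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch.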
@ -1,139 +0,0 @@
|
||||
From cb831fbbcb0dac8b6202037d4cd1a0d82db54f54 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 17 Jan 2017 10:17:24 +0100
|
||||
Subject: [PATCH 11/79] ldap_child: Fix use after free
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In case on any krb5 related error, we tried to send string
|
||||
interpretation of krb5 error tb parrent in prepare_response.
|
||||
|
||||
However, we cannot use global krb5 context (krb5_error_ctx)
|
||||
because the context is every time released in done section of
|
||||
ldap_child_get_tgt_sync.
|
||||
|
||||
This patch rather return duplicated string to prevent use after free.
|
||||
|
||||
Backtrace:
|
||||
#0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
|
||||
100 ../sysdeps/x86_64/multiarch/strchr.S: No such file or directory.
|
||||
|
||||
Thread 1 (Thread 0x7fc96cad5880 (LWP 11201)):
|
||||
#0 __strchr_sse42 () at ../sysdeps/x86_64/multiarch/strchr.S:100
|
||||
No locals.
|
||||
#1 0x00007fc96be43725 in err_fmt_fmt (msg=0x7fc96d1cf8d0 "Cannot find KDC for requested realm",
|
||||
code=-1765328230,
|
||||
err_fmt=<optimized out>) at kerrs.c:152
|
||||
buf = {buftype = K5BUF_DYNAMIC, data = 0x7fc96d1cdb10,
|
||||
space = 128, len = 0}
|
||||
p = <optimized out>
|
||||
s = 0xdededededededede <Address 0xdededededededede out of bounds>
|
||||
#2 krb5_get_error_message (ctx=<optimized out>,
|
||||
code=code@entry=-1765328230) at kerrs.c:184
|
||||
std = 0x7fc96d1cf8d0 "Cannot find KDC for requested realm"
|
||||
#3 0x00007fc96cb224e5 in sss_krb5_get_error_message (ctx=<optimized out>,
|
||||
ec=ec@entry=-1765328230) at src/util/sss_krb5.c:424
|
||||
No locals.
|
||||
#4 0x00007fc96cb1fbb0 in prepare_response (rsp=<synthetic pointer>,
|
||||
kerr=-1765328230, expire_time=0,
|
||||
ccname=0x0,
|
||||
mem_ctx=0x7fc96d1cb390) at src/providers/ldap/ldap_child.c:553
|
||||
ret = <optimized out>
|
||||
r = 0x7fc96d1cd8b0
|
||||
krb5_msg = 0x0
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/providers/ldap/ldap_child.c | 26 +++++++++++++++++---------
|
||||
1 file changed, 17 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
|
||||
index ffcbc3985691b965c76a06805068118628adc198..3f88a28dcffc320ba66afccbdcee71432913b775 100644
|
||||
--- a/src/providers/ldap/ldap_child.c
|
||||
+++ b/src/providers/ldap/ldap_child.c
|
||||
@@ -276,7 +276,8 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||
const char *keytab_name,
|
||||
const krb5_deltat lifetime,
|
||||
const char **ccname_out,
|
||||
- time_t *expire_time_out)
|
||||
+ time_t *expire_time_out,
|
||||
+ char **_krb5_msg)
|
||||
{
|
||||
char *ccname;
|
||||
char *ccname_dummy;
|
||||
@@ -522,7 +523,14 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
|
||||
*expire_time_out = my_creds.times.endtime - kdc_time_offset;
|
||||
|
||||
done:
|
||||
- if (krberr != 0) KRB5_SYSLOG(krberr);
|
||||
+ if (krberr != 0) {
|
||||
+ const char *krb5_msg;
|
||||
+
|
||||
+ KRB5_SYSLOG(krberr);
|
||||
+ krb5_msg = sss_krb5_get_error_message(context, krberr);
|
||||
+ *_krb5_msg = talloc_strdup(memctx, krb5_msg);
|
||||
+ sss_krb5_free_error_message(context, krb5_msg);
|
||||
+ }
|
||||
if (keytab) krb5_kt_close(context, keytab);
|
||||
if (context) krb5_free_context(context);
|
||||
talloc_free(tmp_ctx);
|
||||
@@ -533,11 +541,11 @@ static int prepare_response(TALLOC_CTX *mem_ctx,
|
||||
const char *ccname,
|
||||
time_t expire_time,
|
||||
krb5_error_code kerr,
|
||||
+ char *krb5_msg,
|
||||
struct response **rsp)
|
||||
{
|
||||
int ret;
|
||||
struct response *r = NULL;
|
||||
- const char *krb5_msg = NULL;
|
||||
|
||||
r = talloc_zero(mem_ctx, struct response);
|
||||
if (!r) return ENOMEM;
|
||||
@@ -550,15 +558,13 @@ static int prepare_response(TALLOC_CTX *mem_ctx,
|
||||
if (kerr == 0) {
|
||||
ret = pack_buffer(r, EOK, kerr, ccname, expire_time);
|
||||
} else {
|
||||
- krb5_msg = sss_krb5_get_error_message(krb5_error_ctx, kerr);
|
||||
if (krb5_msg == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "sss_krb5_get_error_message failed.\n");
|
||||
+ "Empty krb5 error message for non-zero kerr: %"PRIi32"\n",
|
||||
+ kerr);
|
||||
return ENOMEM;
|
||||
}
|
||||
-
|
||||
ret = pack_buffer(r, EFAULT, kerr, krb5_msg, 0);
|
||||
- sss_krb5_free_error_message(krb5_error_ctx, krb5_msg);
|
||||
}
|
||||
|
||||
if (ret != EOK) {
|
||||
@@ -605,6 +611,7 @@ int main(int argc, const char *argv[])
|
||||
uint8_t *buf = NULL;
|
||||
ssize_t len = 0;
|
||||
const char *ccname = NULL;
|
||||
+ char *krb5_msg = NULL;
|
||||
time_t expire_time = 0;
|
||||
struct input_buffer *ibuf = NULL;
|
||||
struct response *resp = NULL;
|
||||
@@ -721,13 +728,14 @@ int main(int argc, const char *argv[])
|
||||
kerr = ldap_child_get_tgt_sync(main_ctx, ibuf->context,
|
||||
ibuf->realm_str, ibuf->princ_str,
|
||||
ibuf->keytab_name, ibuf->lifetime,
|
||||
- &ccname, &expire_time);
|
||||
+ &ccname, &expire_time, &krb5_msg);
|
||||
if (kerr != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "ldap_child_get_tgt_sync failed.\n");
|
||||
/* Do not return, must report failure */
|
||||
}
|
||||
|
||||
- ret = prepare_response(main_ctx, ccname, expire_time, kerr, &resp);
|
||||
+ ret = prepare_response(main_ctx, ccname, expire_time, kerr, krb5_msg,
|
||||
+ &resp);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "prepare_response failed. [%d][%s].\n",
|
||||
ret, strerror(ret));
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 1c7f9a676088ecee4c14df14b8688b391fb32a05 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Mon, 19 Dec 2016 16:49:17 -0500
|
||||
Subject: [PATCH 12/79] FAILOVER: Improve port status log messages
|
||||
|
||||
It should be more clear to administrators that when SSSD internal
|
||||
port status is set as PORT_NOT_WORKING, this does not directly relate
|
||||
to an assumed network port-related issue.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/fail_over.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
|
||||
index 5d3c26d4a690769637f2fa4f41a76627cbdba77a..168e59d6f4e9fc8abd827be21004daef2c6613f0 100644
|
||||
--- a/src/providers/fail_over.c
|
||||
+++ b/src/providers/fail_over.c
|
||||
@@ -376,12 +376,18 @@ get_port_status(struct fo_server *server)
|
||||
"Port status of port %d for server '%s' is '%s'\n", server->port,
|
||||
SERVER_NAME(server), str_port_status(server->port_status));
|
||||
|
||||
+ if (server->port_status == PORT_NOT_WORKING) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "SSSD is unable to complete the full "
|
||||
+ "connection request, this internal status does not necessarily "
|
||||
+ "indicate network port issues.\n");
|
||||
+ }
|
||||
+
|
||||
timeout = server->service->ctx->opts->retry_timeout;
|
||||
if (timeout != 0 && server->port_status == PORT_NOT_WORKING) {
|
||||
gettimeofday(&tv, NULL);
|
||||
if (STATUS_DIFF(server, tv) > timeout) {
|
||||
DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
- "Reseting the status of port %d for server '%s'\n",
|
||||
+ "Resetting the status of port %d for server '%s'\n",
|
||||
server->port, SERVER_NAME(server));
|
||||
server->port_status = PORT_NEUTRAL;
|
||||
server->last_status_change.tv_sec = tv.tv_sec;
|
||||
--
|
||||
2.9.3
|
||||
|
55
0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch
Normal file
@ -0,0 +1,55 @@
|
||||
From d910ef0667a902b4ac0551f3e8d11121bb02214c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Wed, 14 Mar 2018 09:21:45 +0100
|
||||
Subject: [PATCH 12/15] KCM: Adjust REPLY_MAX to the one used in krb5
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
krb5 has its MAX_REPLY_SIZE set as 10*1024*1024, as seen in:
|
||||
https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
|
||||
|
||||
Related:
|
||||
https://pagure.io/SSSD/sssd/issue/3386
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/kcm/kcmsrv_ops.c | 5 ++++-
|
||||
src/util/tev_curl.c | 3 ++-
|
||||
2 files changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
|
||||
index 7a78e9d6b..1e229adc4 100644
|
||||
--- a/src/responder/kcm/kcmsrv_ops.c
|
||||
+++ b/src/responder/kcm/kcmsrv_ops.c
|
||||
@@ -31,7 +31,10 @@
|
||||
#include "responder/kcm/kcmsrv_ops.h"
|
||||
#include "responder/kcm/kcmsrv_ccache.h"
|
||||
|
||||
-#define KCM_REPLY_MAX 16384
|
||||
+/* This limit comes from:
|
||||
+ * https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
|
||||
+ */
|
||||
+#define KCM_REPLY_MAX 10*1024*1024
|
||||
|
||||
struct kcm_op_ctx {
|
||||
struct kcm_resp_ctx *kcm_data;
|
||||
diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
|
||||
index 4c2f1ec9f..f8bede6c5 100644
|
||||
--- a/src/util/tev_curl.c
|
||||
+++ b/src/util/tev_curl.c
|
||||
@@ -35,7 +35,8 @@
|
||||
#include "util/tev_curl.h"
|
||||
|
||||
#define TCURL_IOBUF_CHUNK 1024
|
||||
-#define TCURL_IOBUF_MAX 16384
|
||||
+/* This limit in the same one as KCM_REPLY_MAX */
|
||||
+#define TCURL_IOBUF_MAX 10*1024*1024
|
||||
|
||||
static bool global_is_curl_initialized;
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
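Review bot: The comment added in tev_curl.c, `/* This limit in the same one as KCM_REPLY_MAX */`, has a typo and records a coupling that nothing enforces: TCURL_IOBUF_MAX and KCM_REPLY_MAX are two independent literals that merely happen to be equal, so a later change to one will silently desynchronise the other. Either derive both from one shared definition or at least make the dependency greppable from each side, e.g. `/* Keep in sync with KCM_REPLY_MAX in responder/kcm/kcmsrv_ops.c */`. Raising TCURL_IOBUF_MAX also raises the in-memory response cap for every other tev_curl caller, not only the KCM path, which is worth a sentence in the commit message or the comment.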
@ -1,44 +0,0 @@
|
||||
From 2ddcd5785f10de42bf03dfc36eca94dbc1fc1fb3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Mon, 6 Feb 2017 18:58:18 +0000
|
||||
Subject: [PATCH 13/79] IFP: Update ifp_iface_generated.c
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
These changes are leftovers from commit 78b4b7e.
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/responder/ifp/ifp_iface_generated.c | 7 +------
|
||||
1 file changed, 1 insertion(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/responder/ifp/ifp_iface_generated.c b/src/responder/ifp/ifp_iface_generated.c
|
||||
index 90cd4ff9e3a4dff3e8d2e3d904bbf6bde6a748ae..d9df6c623b7f597b8ea9427a58488b340b1934ea 100644
|
||||
--- a/src/responder/ifp/ifp_iface_generated.c
|
||||
+++ b/src/responder/ifp/ifp_iface_generated.c
|
||||
@@ -263,11 +263,6 @@ const struct sbus_interface_meta iface_ifp_meta = {
|
||||
sbus_invoke_get_all, /* GetAll invoker */
|
||||
};
|
||||
|
||||
-/* methods for org.freedesktop.sssd.infopipe.Components */
|
||||
-const struct sbus_method_meta iface_ifp_components__methods[] = {
|
||||
- { NULL, }
|
||||
-};
|
||||
-
|
||||
/* property info for org.freedesktop.sssd.infopipe.Components */
|
||||
const struct sbus_property_meta iface_ifp_components__properties[] = {
|
||||
{
|
||||
@@ -321,7 +316,7 @@ const struct sbus_property_meta iface_ifp_components__properties[] = {
|
||||
/* interface info for org.freedesktop.sssd.infopipe.Components */
|
||||
const struct sbus_interface_meta iface_ifp_components_meta = {
|
||||
"org.freedesktop.sssd.infopipe.Components", /* name */
|
||||
- iface_ifp_components__methods,
|
||||
+ NULL, /* no methods */
|
||||
NULL, /* no signals */
|
||||
iface_ifp_components__properties,
|
||||
sbus_invoke_get_all, /* GetAll invoker */
|
||||
--
|
||||
2.9.3
|
||||
|
48
0013-intg-convert-results-returned-as-bytes-to-strings.patch
Normal file
@ -0,0 +1,48 @@
|
||||
From 414ce6438a5450e5f1c1b03994f59d37f0ff8a36 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Fri, 16 Mar 2018 13:43:17 +0100
|
||||
Subject: [PATCH 13/15] intg: convert results returned as bytes to strings
|
||||
|
||||
With python3 comparisons between byte literals and strings will fail. To
|
||||
make sure assertions will pass the search results must be converted to
|
||||
(utf-8) strings first.
|
||||
|
||||
Resolves https://pagure.io/SSSD/sssd/issue/3666
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/intg/test_ts_cache.py | 17 +++++++++++------
|
||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/tests/intg/test_ts_cache.py b/src/tests/intg/test_ts_cache.py
|
||||
index 703e3b255..c3819e21a 100644
|
||||
--- a/src/tests/intg/test_ts_cache.py
|
||||
+++ b/src/tests/intg/test_ts_cache.py
|
||||
@@ -212,12 +212,17 @@ def get_attrs(ldb_conn, type, name, domain, attr_list):
|
||||
ts_attrs = dict()
|
||||
|
||||
for attr in attr_list:
|
||||
- sysdb_attrs[attr] = ldb_conn.get_entry_attr(
|
||||
- sssd_ldb.CacheType.sysdb,
|
||||
- type, name, domain, attr)
|
||||
- ts_attrs[attr] = ldb_conn.get_entry_attr(
|
||||
- sssd_ldb.CacheType.timestamps,
|
||||
- type, name, domain, attr)
|
||||
+ val = ldb_conn.get_entry_attr(sssd_ldb.CacheType.sysdb,
|
||||
+ type, name, domain, attr)
|
||||
+ if val:
|
||||
+ val = val.decode('utf-8')
|
||||
+ sysdb_attrs[attr] = val
|
||||
+
|
||||
+ val = ldb_conn.get_entry_attr(sssd_ldb.CacheType.timestamps,
|
||||
+ type, name, domain, attr)
|
||||
+ if val:
|
||||
+ val = val.decode('utf-8')
|
||||
+ ts_attrs[attr] = val
|
||||
return (sysdb_attrs, ts_attrs)
|
||||
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
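Review bot: `if val:` in get_attrs leaves an empty attribute value as `b''` rather than `''`, because an empty bytes object is falsy and skips the decode, so callers comparing against strings still see a bytes value in that case; if the only value that must not be decoded is the not-found `None` (presumably — confirm what get_entry_attr returns), `if val is not None:` expresses the intent and keeps the returned type consistent. The two identical lookup-and-decode blocks could also share a small helper, but that is cosmetic. get_attrs begins outside the hunk.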
34
0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From 1c03afc703fb6e398915e2b2b200b7db19b4e6b8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Mon, 26 Mar 2018 15:40:15 +0200
|
||||
Subject: [PATCH 14/15] KCM: Fix typo in ccdb_sec_delete_list_done()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
When deleting the ccache we want to check if sec_key_list_len is equal 0
|
||||
and not if sec_key_list is 0.
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/kcm/kcmsrv_ccache_secrets.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
|
||||
index 04dad9596..8a7a577d8 100644
|
||||
--- a/src/responder/kcm/kcmsrv_ccache_secrets.c
|
||||
+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
|
||||
@@ -2007,7 +2007,7 @@ static void ccdb_sec_delete_list_done(struct tevent_req *subreq)
|
||||
return;
|
||||
}
|
||||
|
||||
- if (sec_key_list == 0) {
|
||||
+ if (state->sec_key_list_len == 0) {
|
||||
DEBUG(SSSDBG_MINOR_FAILURE, "No ccaches to delete\n");
|
||||
tevent_req_done(req);
|
||||
return;
|
||||
--
|
||||
2.14.3
|
||||
|
@ -1,30 +0,0 @@
|
||||
From 7b4704a10958bb7d3390db9eff863875d2b643f7 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Tue, 7 Feb 2017 09:52:59 +0100
|
||||
Subject: [PATCH 14/79] SYSTEMD: Update journald drop-in file
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
We changed type forking into type notify as part of commit
|
||||
d4063e9a21a4e203bee7e0a0144fa8cabb14cc46.
|
||||
But we forgot to update template drop-in file for logging into journald.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
---
|
||||
src/sysv/systemd/journal.conf.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/sysv/systemd/journal.conf.in b/src/sysv/systemd/journal.conf.in
|
||||
index d89325e0872881e3e8485102d9971871101098f3..9ce170b4893629792516aab41573adea1fb741f0 100644
|
||||
--- a/src/sysv/systemd/journal.conf.in
|
||||
+++ b/src/sysv/systemd/journal.conf.in
|
||||
@@ -4,4 +4,4 @@
|
||||
# run 'systemctl daemon-reload' and then restart the SSSD service
|
||||
# for this to take effect
|
||||
#ExecStart=
|
||||
-#ExecStart=@sbindir@/sssd -D
|
||||
+#ExecStart=@sbindir@/sssd -i
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,45 @@
|
||||
From 94897e5c82967528dae2a79e42cd1eb3c3be68f3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Tue, 27 Mar 2018 15:02:09 +0200
|
||||
Subject: [PATCH 15/15] KCM: Only print the number of found items after we have
|
||||
it
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
With the current code we've been always printing "Found 0 items" as
|
||||
state->sec_key_list_len is only set by sec_list_parse().
|
||||
|
||||
In order to solve this, let's just print it *after* we have
|
||||
state->sec_key_list_len set.
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/kcm/kcmsrv_ccache_secrets.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
|
||||
index 8a7a577d8..f2b46460e 100644
|
||||
--- a/src/responder/kcm/kcmsrv_ccache_secrets.c
|
||||
+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
|
||||
@@ -207,7 +207,6 @@ static void sec_list_done(struct tevent_req *subreq)
|
||||
return;
|
||||
}
|
||||
} else if (http_code == 200) {
|
||||
- DEBUG(SSSDBG_TRACE_INTERNAL, "Found %zu items\n", state->sec_key_list_len);
|
||||
ret = sec_list_parse(outbuf, state,
|
||||
&state->sec_key_list,
|
||||
&state->sec_key_list_len);
|
||||
@@ -215,6 +214,7 @@ static void sec_list_done(struct tevent_req *subreq)
|
||||
tevent_req_error(req, ret);
|
||||
return;
|
||||
}
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found %zu items\n", state->sec_key_list_len);
|
||||
} else {
|
||||
tevent_req_error(req, http2errno(http_code));
|
||||
return;
|
||||
--
|
||||
2.14.3
|
||||
|
@ -1,119 +0,0 @@
|
||||
From c029f707d4847b01ff64bf3bb1fd46c0b5927cdb Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 12 Dec 2016 18:33:48 +0100
|
||||
Subject: [PATCH 15/79] Partially revert "CONFIG: Use default config when none
|
||||
provided"
|
||||
|
||||
This reverts part of commit 59744cff6edb106ae799b2321cb8731edadf409a.
|
||||
|
||||
Removed is copying of default configuration into /etc/sssd/sssd.conf
|
||||
Sample configurations is still part of installation.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
Makefile.am | 3 ---
|
||||
src/confdb/confdb.h | 1 -
|
||||
src/confdb/confdb_setup.c | 40 ++++------------------------------------
|
||||
3 files changed, 4 insertions(+), 40 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 674d328f52929cc2b20d1212af830c3777312bf1..6d21af8e8c455622d8c4c8b4e325789c4c1e34cb 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -473,7 +473,6 @@ AM_CPPFLAGS = \
|
||||
-DSSSDDATADIR=\"$(sssddatadir)\" \
|
||||
-DSSSD_LIBEXEC_PATH=\"$(sssdlibexecdir)\" \
|
||||
-DSSSD_CONF_DIR=\"$(sssdconfdir)\" \
|
||||
- -DSSSD_DEFAULT_CONF_DIR=\"$(sssddefaultconfdir)\" \
|
||||
-DSSS_NSS_MCACHE_DIR=\"$(mcpath)\" \
|
||||
-DSSS_NSS_SOCKET_NAME=\"$(pipepath)/nss\" \
|
||||
-DSSS_PAM_SOCKET_NAME=\"$(pipepath)/pam\" \
|
||||
@@ -1252,8 +1251,6 @@ sssd_SOURCES = \
|
||||
src/confdb/confdb_setup.c \
|
||||
src/monitor/monitor_iface_generated.c \
|
||||
src/util/nscd.c \
|
||||
- src/tools/files.c \
|
||||
- src/tools/selinux.c \
|
||||
$(NULL)
|
||||
sssd_LDADD = \
|
||||
$(SSSD_LIBS) \
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index 9055048865f008a2c3732551730c4a881cb9108c..dd6ac77f5a787b0434b56fccba49aa195b13297a 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -40,7 +40,6 @@
|
||||
|
||||
#define CONFDB_DEFAULT_CFG_FILE_VER 2
|
||||
#define CONFDB_FILE "config.ldb"
|
||||
-#define SSSD_DEFAULT_CONFIG_FILE SSSD_DEFAULT_CONF_DIR"/sssd.conf"
|
||||
#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/sssd.conf"
|
||||
#define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/conf.d"
|
||||
#define SSSD_MIN_ID 1
|
||||
diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
|
||||
index d6feab9000d54d2c3761de6d8e990053ade7e85f..a71d9dd1202824b3c9a7e69f1d8fa905ac1b8c02 100644
|
||||
--- a/src/confdb/confdb_setup.c
|
||||
+++ b/src/confdb/confdb_setup.c
|
||||
@@ -21,14 +21,12 @@
|
||||
|
||||
#include "config.h"
|
||||
#include <sys/stat.h>
|
||||
-#include <unistd.h>
|
||||
#include "util/util.h"
|
||||
#include "db/sysdb.h"
|
||||
#include "confdb.h"
|
||||
#include "confdb_private.h"
|
||||
#include "confdb_setup.h"
|
||||
#include "util/sss_ini.h"
|
||||
-#include "tools/tools_util.h"
|
||||
|
||||
|
||||
static int confdb_test(struct confdb_ctx *cdb)
|
||||
@@ -161,41 +159,11 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
|
||||
DEBUG(SSSDBG_TRACE_FUNC,
|
||||
"sss_ini_config_file_open failed: %s [%d]\n", strerror(ret),
|
||||
ret);
|
||||
- if (ret != ENOENT) {
|
||||
- /* Anything other than ENOENT is unrecoverable */
|
||||
- goto done;
|
||||
- } else {
|
||||
- /* Copy the default configuration file to the standard location
|
||||
- * and then retry
|
||||
- */
|
||||
- ret = copy_file_secure(SSSD_DEFAULT_CONFIG_FILE,
|
||||
- SSSD_CONFIG_FILE,
|
||||
- 0600,
|
||||
- getuid(),
|
||||
- getgid(),
|
||||
- false);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
- "Could not copy default configuration: %s",
|
||||
- sss_strerror(ret));
|
||||
- /* sss specific error denoting missing configuration file */
|
||||
- ret = ERR_MISSING_CONF;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- /* Try again */
|
||||
- ret = sss_ini_config_file_open(init_data, config_file);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_TRACE_FUNC,
|
||||
- "sss_ini_config_file_open(default) failed: %s [%d]\n",
|
||||
- strerror(ret), ret);
|
||||
- if (ret == ENOENT) {
|
||||
- /* sss specific error denoting missing configuration file */
|
||||
- ret = ERR_MISSING_CONF;
|
||||
- }
|
||||
- goto done;
|
||||
- }
|
||||
+ if (ret == ENOENT) {
|
||||
+ /* sss specific error denoting missing configuration file */
|
||||
+ ret = ERR_MISSING_CONF;
|
||||
}
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
ret = sss_ini_config_access_check(init_data);
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,177 +0,0 @@
|
||||
From d0aae3c1e87e2e51ab178b7b343261443094a974 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Fri, 20 Jan 2017 15:43:34 -0500
|
||||
Subject: [PATCH 16/79] SUDO: Add skip_entry boolean to sudo conversions
|
||||
|
||||
Add boolean to convert_attributes function and pass boolean as argument
|
||||
to sudo conversion functions to add logic for skipping unexpected
|
||||
entries like replication conflicts.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3288
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/ipa/ipa_sudo_conversion.c | 55 ++++++++++++++++++++++++---------
|
||||
1 file changed, 41 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
|
||||
index 9dbc8604df544ce0865a2e99facf92cfd697123b..05d863c20954c816e52d27fe4a5e1553776c6d41 100644
|
||||
--- a/src/providers/ipa/ipa_sudo_conversion.c
|
||||
+++ b/src/providers/ipa/ipa_sudo_conversion.c
|
||||
@@ -746,12 +746,15 @@ struct ipa_sudo_conv_result_ctx {
|
||||
static const char *
|
||||
convert_host(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value)
|
||||
+ const char *value,
|
||||
+ bool *skip_entry)
|
||||
{
|
||||
char *rdn;
|
||||
const char *group;
|
||||
errno_t ret;
|
||||
|
||||
+ *skip_entry = false;
|
||||
+
|
||||
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
|
||||
MATCHRDN_HOST(conv->map_host));
|
||||
if (ret == EOK) {
|
||||
@@ -765,7 +768,8 @@ convert_host(TALLOC_CTX *mem_ctx,
|
||||
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
|
||||
MATCHRDN_HOSTGROUP(conv->map_hostgroup));
|
||||
if (ret == ENOENT) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value);
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
|
||||
+ *skip_entry = true;
|
||||
return NULL;
|
||||
} else if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
|
||||
@@ -782,12 +786,15 @@ convert_host(TALLOC_CTX *mem_ctx,
|
||||
static const char *
|
||||
convert_user(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value)
|
||||
+ const char *value,
|
||||
+ bool *skip_entry)
|
||||
{
|
||||
char *rdn;
|
||||
const char *group;
|
||||
errno_t ret;
|
||||
|
||||
+ *skip_entry = false;
|
||||
+
|
||||
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
|
||||
MATCHRDN_USER(conv->map_user));
|
||||
if (ret == EOK) {
|
||||
@@ -801,7 +808,8 @@ convert_user(TALLOC_CTX *mem_ctx,
|
||||
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
|
||||
MATCHRDN_GROUP(conv->map_group));
|
||||
if (ret == ENOENT) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value);
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
|
||||
+ *skip_entry = true;
|
||||
return NULL;
|
||||
} else if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
|
||||
@@ -818,12 +826,15 @@ convert_user(TALLOC_CTX *mem_ctx,
|
||||
static const char *
|
||||
convert_user_fqdn(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value)
|
||||
+ const char *value,
|
||||
+ bool *skip_entry)
|
||||
{
|
||||
const char *shortname = NULL;
|
||||
char *fqdn = NULL;
|
||||
|
||||
- shortname = convert_user(mem_ctx, conv, value);
|
||||
+ *skip_entry = false;
|
||||
+
|
||||
+ shortname = convert_user(mem_ctx, conv, value, skip_entry);
|
||||
if (shortname == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
@@ -836,15 +847,19 @@ convert_user_fqdn(TALLOC_CTX *mem_ctx,
|
||||
static const char *
|
||||
convert_group(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value)
|
||||
+ const char *value,
|
||||
+ bool *skip_entry)
|
||||
{
|
||||
char *rdn;
|
||||
errno_t ret;
|
||||
|
||||
+ *skip_entry = false;
|
||||
+
|
||||
ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
|
||||
MATCHRDN_GROUP(conv->map_group));
|
||||
if (ret == ENOENT) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s\n", value);
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
|
||||
+ *skip_entry = true;
|
||||
return NULL;
|
||||
} else if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
|
||||
@@ -858,7 +873,8 @@ convert_group(TALLOC_CTX *mem_ctx,
|
||||
static const char *
|
||||
convert_runasextusergroup(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value)
|
||||
+ const char *value,
|
||||
+ bool *skip_entry)
|
||||
{
|
||||
return talloc_asprintf(mem_ctx, "%%%s", value);
|
||||
}
|
||||
@@ -866,8 +882,12 @@ convert_runasextusergroup(TALLOC_CTX *mem_ctx,
|
||||
static const char *
|
||||
convert_cat(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value)
|
||||
+ const char *value,
|
||||
+ bool *skip_entry)
|
||||
{
|
||||
+
|
||||
+ *skip_entry = false;
|
||||
+
|
||||
if (strcmp(value, "all") == 0) {
|
||||
return talloc_strdup(mem_ctx, "ALL");
|
||||
}
|
||||
@@ -885,12 +905,14 @@ convert_attributes(struct ipa_sudo_conv *conv,
|
||||
const char *value;
|
||||
errno_t ret;
|
||||
int i, j;
|
||||
+ bool skip_entry;
|
||||
static struct {
|
||||
const char *ipa;
|
||||
const char *sudo;
|
||||
const char *(*conv_fn)(TALLOC_CTX *mem_ctx,
|
||||
struct ipa_sudo_conv *conv,
|
||||
- const char *value);
|
||||
+ const char *value,
|
||||
+ bool *skip_entry);
|
||||
} table[] = {{SYSDB_NAME, SYSDB_SUDO_CACHE_AT_CN , NULL},
|
||||
{SYSDB_IPA_SUDORULE_HOST, SYSDB_SUDO_CACHE_AT_HOST , convert_host},
|
||||
{SYSDB_IPA_SUDORULE_USER, SYSDB_SUDO_CACHE_AT_USER , convert_user_fqdn},
|
||||
@@ -931,10 +953,15 @@ convert_attributes(struct ipa_sudo_conv *conv,
|
||||
|
||||
for (j = 0; values[j] != NULL; j++) {
|
||||
if (table[i].conv_fn != NULL) {
|
||||
- value = table[i].conv_fn(tmp_ctx, conv, values[j]);
|
||||
+ value = table[i].conv_fn(tmp_ctx, conv, values[j], &skip_entry);
|
||||
if (value == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
+ if (skip_entry) {
|
||||
+ ret = ENOENT;
|
||||
+ continue;
|
||||
+ } else {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
}
|
||||
} else {
|
||||
value = values[j];
|
||||
--
|
||||
2.9.3
|
||||
|
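--- a/0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
+++ b/0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
@@ -0,0 +1,120 @@
+From 68b14b6f94cf23fe2f66ee592e2e1fa5abfe3b9c Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 23 Mar 2018 13:40:34 +0100
+Subject: [PATCH] SYSDB: When marking an entry as expired, also set the
+originalModifyTimestamp to 1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3684
+
+If the cleanup task removes a user who was a fully resolved member (not a
+ghost), but then the group the user was a member of is requested, unless
+the group had changed, the user doesn't appear as a member of the group
+again. This is because the modify timestamp would prevent the group from
+updating and therefore the ghost attribute is not readded.
+
+To mitigate this, let's also set the originalModifyTimestamp attribute
+to 1, so that we never take the optimized path while updating the group.
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+(cherry picked from commit 250751bf8b0532d6175e762b7f2f008cc1c39a78)
+---
+src/db/sysdb_ops.c | 13 +++++++++++
+src/tests/intg/test_ldap.py | 54 +++++++++++++++++++++++++++++++++++++++++++++
+2 files changed, 67 insertions(+)
+
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index cc86a114e..09aa04a29 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -5410,6 +5410,19 @@ errno_t sysdb_mark_entry_as_expired_ldb_dn(struct sss_domain_info *dom,
+goto done;
+}
+
++ ret = ldb_msg_add_empty(msg, SYSDB_ORIG_MODSTAMP,
++ LDB_FLAG_MOD_REPLACE, NULL);
++ if (ret != LDB_SUCCESS) {
++ ret = sysdb_error_to_errno(ret);
++ goto done;
++ }
++
++ ret = ldb_msg_add_string(msg, SYSDB_ORIG_MODSTAMP, "1");
++ if (ret != LDB_SUCCESS) {
++ ret = sysdb_error_to_errno(ret);
++ goto done;
++ }
++
+ret = ldb_modify(dom->sysdb->ldb, msg);
+if (ret != LDB_SUCCESS) {
+ret = sysdb_error_to_errno(ret);
+diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
+index a6659b1b7..db3253858 100644
+--- a/src/tests/intg/test_ldap.py
++++ b/src/tests/intg/test_ldap.py
+@@ -434,6 +434,60 @@ def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task):
+dict(mem=ent.contains_only("user1")))
+
+
++@pytest.fixture
++def update_ts_after_cleanup_task(request, ldap_conn):
++ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
++ ent_list.add_user("user1", 1001, 2001)
++ ent_list.add_user("user2", 1002, 2001)
++
++ ent_list.add_group_bis("group1", 2001, ["user1", "user2"])
++
++ create_ldap_fixture(request, ldap_conn, ent_list)
++
++ conf = \
++ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
++ unindent("""
++ [domain/LDAP]
++ ldap_purge_cache_timeout = 3
++ """).format(**locals())
++ create_conf_fixture(request, conf)
++ create_sssd_fixture(request)
++ return None
++
++
++def test_update_ts_cache_after_cleanup_task(ldap_conn,
++ update_ts_after_cleanup_task):
++ """
++ Regression test for ticket:
++ https://fedorahosted.org/sssd/ticket/2676
++ """
++ ent.assert_group_by_name(
++ "group1",
++ dict(mem=ent.contains_only("user1", "user2")))
++
++ ent.assert_passwd_by_name(
++ 'user1',
++ dict(name='user1', passwd='*', uid=1001, gid=2001,
++ gecos='1001', shell='/bin/bash'))
++
++ ent.assert_passwd_by_name(
++ 'user2',
++ dict(name='user2', passwd='*', uid=1002, gid=2001,
++ gecos='1002', shell='/bin/bash'))
++
++ if subprocess.call(["sss_cache", "-u", "user1"]) != 0:
++ raise Exception("sssd_cache failed")
++
++ # The cleanup task runs every 3 seconds, so sleep for 6
++ # so that we know the cleanup task ran at least once
++ # even if we start sleeping during the first one
++ time.sleep(6)
++
++ ent.assert_group_by_name(
++ "group1",
++ dict(mem=ent.contains_only("user1", "user2")))
++
++
+@pytest.fixture
+def blank_rfc2307(request, ldap_conn):
+"""Create blank RFC2307 directory fixture with interactive SSSD conf"""
+--
+2.14.3
+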
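Review bot: The docstring of test_update_ts_cache_after_cleanup_task in the test_ldap.py hunk cites https://fedorahosted.org/sssd/ticket/2676, while the commit message says the change resolves https://pagure.io/SSSD/sssd/issue/3684; the reference looks copied from the neighbouring test, and a reader chasing the regression will land on the wrong issue. I would change the docstring body to `Regression test for ticket: https://pagure.io/SSSD/sssd/issue/3684`. In the sysdb_ops.c hunk the reason for replacing SYSDB_ORIG_MODSTAMP with "1" lives only in the commit message; a comment above the `ret = ldb_msg_add_empty(msg, SYSDB_ORIG_MODSTAMP,` line such as `/* Reset the original modify timestamp so the next refresh never takes the "unchanged since last time" shortcut and re-adds the ghost member */` would keep it with the code. sysdb_mark_entry_as_expired_ldb_dn's body starts and ends outside the hunk.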
@ -1,36 +0,0 @@
|
||||
From 1404f3aa541849d880cce591584ba1580014cb50 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Wed, 25 Jan 2017 17:05:01 -0500
|
||||
Subject: [PATCH 17/79] TESTS: Add to IPA DN test
|
||||
|
||||
Add test to ensure conflict entries return ENOENT
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3288
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_ipa_dn.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_ipa_dn.c b/src/tests/cmocka/test_ipa_dn.c
|
||||
index a6e26ec31ff25519ad895ef934dac0e3a3dd83ae..ff951f28acbb8a567c3d27027a688386ff08b475 100644
|
||||
--- a/src/tests/cmocka/test_ipa_dn.c
|
||||
+++ b/src/tests/cmocka/test_ipa_dn.c
|
||||
@@ -169,6 +169,13 @@ static void ipa_get_rdn_test(void **state)
|
||||
ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, "cn=rdn,attr1=value1", &rdn, "cn", "attr1", "value1");
|
||||
assert_int_equal(ret, ENOENT);
|
||||
assert_null(rdn);
|
||||
+
|
||||
+ ret = ipa_get_rdn(test_ctx, test_ctx->sysdb,
|
||||
+ "cn=rdn+nsuniqueid=9b1e3301-c32611e6-bdcae37a-ef905e7c,"
|
||||
+ "attr1=value1,attr2=value2,dc=example,dc=com",
|
||||
+ &rdn, "cn", "attr1", "value1", "attr2", "value2");
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ assert_null(rdn);
|
||||
}
|
||||
|
||||
int main(int argc, const char *argv[])
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,39 @@
|
||||
From d7795e33668b3e2ef212c5fa0bfaf4485e87db65 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 31 Oct 2017 15:14:52 +0100
|
||||
Subject: [PATCH] sudo ldap: do not store rules without sudoHost attribute
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Unless it is cn=defaults.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3558
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit 47ad0778be72994a2294b2e73cc5c670be6811a7)
|
||||
---
|
||||
src/providers/ldap/sdap_async_sudo.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
|
||||
index 5dc580128..3da76256e 100644
|
||||
--- a/src/providers/ldap/sdap_async_sudo.c
|
||||
+++ b/src/providers/ldap/sdap_async_sudo.c
|
||||
@@ -158,8 +158,9 @@ static char *sdap_sudo_build_host_filter(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* sudoHost is not specified */
|
||||
- filter = talloc_asprintf_append_buffer(filter, "(!(%s=*))",
|
||||
+ /* sudoHost is not specified and it is a cn=defaults rule */
|
||||
+ filter = talloc_asprintf_append_buffer(filter, "(&(!(%s=*))(%s=defaults))",
|
||||
+ map[SDAP_AT_SUDO_HOST].name,
|
||||
map[SDAP_AT_SUDO_HOST].name);
|
||||
if (filter == NULL) {
|
||||
goto done;
|
||||
--
|
||||
2.14.3
|
||||
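Review bot: As rendered, the second `%s` of the new filter on the `filter = talloc_asprintf_append_buffer(filter, "(&(!(%s=*))(%s=defaults))",` line is still fed by the unchanged trailing argument `map[SDAP_AT_SUDO_HOST].name);`, so the filter expands to `(&(!(sudoHost=*))(sudoHost=defaults))`, which no entry can satisfy and which would drop exactly the cn=defaults rule the new comment says is being kept. The `=defaults` term needs the attribute that carries the rule name (the sudo map's cn attribute, SDAP_AT_SUDO_NAME if I recall the enum correctly), i.e. the last argument should be `map[SDAP_AT_SUDO_NAME].name);` rather than the host attribute a second time; if the rendering lost a `+` on that line and the real patch already does this, disregard. sdap_sudo_build_host_filter's body starts and ends outside the hunk.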
|
@ -1,28 +0,0 @@
|
||||
From c3593f06da54315c88a08a46cfc0def366acad43 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
||||
Date: Thu, 19 Jan 2017 12:51:27 +0100
|
||||
Subject: [PATCH 18/79] LDAP: Better logging message
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/providers/ldap/sdap.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
||||
index dc7d5e0caf223c3ee3c43054aa44e796f1b37766..eb460d93bfb067e780868bc9f7bf4e6e0aa1b4a3 100644
|
||||
--- a/src/providers/ldap/sdap.c
|
||||
+++ b/src/providers/ldap/sdap.c
|
||||
@@ -1691,7 +1691,8 @@ static bool sdap_object_in_domain(struct sdap_options *opts,
|
||||
sdmatch = sdap_domain_get_by_dn(opts, original_dn);
|
||||
if (sdmatch == NULL) {
|
||||
DEBUG(SSSDBG_FUNC_DATA,
|
||||
- "The group has no original DN, assuming our domain\n");
|
||||
+ "The original DN of the group cannot "
|
||||
+ "be related to any search base\n");
|
||||
return true;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
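--- a/0018-sysdb-custom-completely-replace-old-object-instead-o.patch
+++ b/0018-sysdb-custom-completely-replace-old-object-instead-o.patch
@@ -0,0 +1,100 @@
+From 547aebfde6fda8088682c9d12a3b5bcfa87c52a2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 31 Oct 2017 15:16:35 +0100
+Subject: [PATCH] sysdb custom: completely replace old object instead of
+merging it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch is written primary for sudo use case, but it makes sure the we do
+not merge two record in other parts of the code that uses sysdb_store_custom.
+
+1) If there are two rules with the same cn (possible with multiple search bases
+or organizational units) we would end up merging those two rules instead of
+choosing one of them.
+
+2) Also smart refresh would merge the diff insteand of removing the attributes
+that are no longer present in ldap.
+
+Since 1) is a rare use case and it is a misconfiguration we completely replace
+the old rule with new one. It is simpler to implement and it solves both issues.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3558
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit cd4590de2a84b8143a6c75b5198f5e1b3c0a6d63)
+---
+src/db/sysdb_ops.c | 33 +++++----------------------------
+1 file changed, 5 insertions(+), 28 deletions(-)
+
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index 09aa04a29..5d3cf643d 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -3399,12 +3399,7 @@ int sysdb_store_custom(struct sss_domain_info *domain,
+struct sysdb_attrs *attrs)
+{
+TALLOC_CTX *tmp_ctx;
+- const char *search_attrs[] = { "*", NULL };
+- size_t resp_count = 0;
+- struct ldb_message **resp;
+struct ldb_message *msg;
+- struct ldb_message_element *el;
+- bool add_object = false;
+int ret;
+int i;
+
+@@ -3423,17 +3418,12 @@ int sysdb_store_custom(struct sss_domain_info *domain,
+goto done;
+}
+
+- ret = sysdb_search_custom_by_name(tmp_ctx, domain,
+- object_name, subtree_name,
+- search_attrs, &resp_count, &resp);
+- if (ret != EOK && ret != ENOENT) {
++ /* Always add a new object. */
++ ret = sysdb_delete_custom(domain, object_name, subtree_name);
++ if (ret != EOK) {
+goto done;
+}
+
+- if (ret == ENOENT) {
+- add_object = true;
+- }
+-
+msg = ldb_msg_new(tmp_ctx);
+if (msg == NULL) {
+ret = ENOMEM;
+@@ -3455,24 +3445,11 @@ int sysdb_store_custom(struct sss_domain_info *domain,
+
+for (i = 0; i < attrs->num; i++) {
+msg->elements[i] = attrs->a[i];
+- if (add_object) {
+- msg->elements[i].flags = LDB_FLAG_MOD_ADD;
+- } else {
+- el = ldb_msg_find_element(resp[0], attrs->a[i].name);
+- if (el == NULL) {
+- msg->elements[i].flags = LDB_FLAG_MOD_ADD;
+- } else {
+- msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
+- }
+- }
++ msg->elements[i].flags = LDB_FLAG_MOD_ADD;
+}
+msg->num_elements = attrs->num;
+
+- if (add_object) {
+- ret = ldb_add(domain->sysdb->ldb, msg);
+- } else {
+- ret = ldb_modify(domain->sysdb->ldb, msg);
+- }
++ ret = ldb_add(domain->sysdb->ldb, msg);
+if (ret != LDB_SUCCESS) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Failed to store custom entry: %s(%d)[%s]\n",
+ldb_strerror(ret), ret, ldb_errstring(domain->sysdb->ldb));
+--
+2.14.3
+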
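Review bot: `sysdb_delete_custom()` followed by `ldb_add()` is two separate ldb operations where the old code issued one `ldb_modify()` for an existing entry; unless the caller wraps sysdb_store_custom in a sysdb transaction (not visible in these hunks), a failure of the `ret = ldb_add(domain->sysdb->ldb, msg);` in the last hunk now leaves the previous object already deleted rather than intact, so the error path loses a cached rule instead of preserving it. The `if (ret != EOK) { goto done; }` after the delete also relies on `sysdb_delete_custom()` reporting EOK when no object exists yet, otherwise every first-time store fails; that is worth confirming against its implementation. If both hold, I would extend the `/* Always add a new object. */` comment to say so, e.g. `/* Delete then re-add so stale attributes are dropped; relies on a missing entry being treated as success and on the caller's transaction to keep the old entry on a failed add */`. sysdb_store_custom's body extends beyond the hunks shown.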
@ -0,0 +1,46 @@
|
||||
From 778f7c61b8d55e0b8d8eccd2cf8649d730e7d4a5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Tue, 3 Apr 2018 21:43:28 +0200
|
||||
Subject: [PATCH] SERVER: Tone down shutdown messages for socket-activated
|
||||
responders
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
When dealing with socket-activated responders, those may be shut
|
||||
themselves down after some inactivy period. And that's completely normal
|
||||
and expected, thus should not be logged as an fatal error.
|
||||
|
||||
For the case when the responder is started by the monitor, however, it
|
||||
still makes sense to keep the code as it is as the responders won't shut
|
||||
themselves down in any normal scenario.
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit 519354d079731e673244a8e3851e5c5522d1b45e)
|
||||
---
|
||||
src/util/server.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/util/server.c b/src/util/server.c
|
||||
index 62e09314c..f34bf49f6 100644
|
||||
--- a/src/util/server.c
|
||||
+++ b/src/util/server.c
|
||||
@@ -248,8 +248,12 @@ void orderly_shutdown(int status)
|
||||
{
|
||||
#if HAVE_GETPGRP
|
||||
static int sent_sigterm;
|
||||
+ int debug;
|
||||
+
|
||||
if (sent_sigterm == 0 && getpgrp() == getpid()) {
|
||||
- DEBUG(SSSDBG_FATAL_FAILURE, "SIGTERM: killing children\n");
|
||||
+ debug = is_socket_activated() ? SSSDBG_TRACE_INTERNAL
|
||||
+ : SSSDBG_FATAL_FAILURE;
|
||||
+ DEBUG(debug, "SIGTERM: killing children\n");
|
||||
sent_sigterm = 1;
|
||||
kill(-getpgrp(), SIGTERM);
|
||||
}
|
||||
--
|
||||
2.14.3
|
||||
|
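Review bot: The new local `debug` in orderly_shutdown reads as a boolean flag rather than the debug level it holds, and it sits directly next to the DEBUG macro it feeds; `int level = is_socket_activated() ? SSSDBG_TRACE_INTERNAL : SSSDBG_FATAL_FAILURE;` and `DEBUG(level, "SIGTERM: killing children\n");` say what the value is. The rationale for the lower severity is only in the commit message; a one-line comment above the ternary such as `/* socket-activated responders stop themselves after idling, which is routine rather than fatal */` would carry it into the code. orderly_shutdown's body continues outside the hunk.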
@ -1,592 +0,0 @@
|
||||
From 3ee411625aee19afda7477bb10b52c3da378b6fb Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
||||
Date: Wed, 4 Jan 2017 15:33:30 +0100
|
||||
Subject: [PATCH 19/79] SYSDB: Removing of sysdb_try_to_find_expected_dn()
|
||||
|
||||
Currently in order to match multiple LDAP search results we
|
||||
use two different functions - we have sysdb_try_to_find_expected_dn()
|
||||
but also sdap_object_in_domain().
|
||||
|
||||
This patch removes sysdb_try_to_find_expected_dn() and add new
|
||||
sdap_search_initgr_user_in_batch() based on sdap_object_in_domain().
|
||||
This function covers necessary logic.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3230
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/db/sysdb.h | 6 -
|
||||
src/db/sysdb_subdomains.c | 332 -----------------------------
|
||||
src/providers/ldap/sdap.c | 6 +-
|
||||
src/providers/ldap/sdap.h | 4 +
|
||||
src/providers/ldap/sdap_async_initgroups.c | 28 ++-
|
||||
src/tests/cmocka/test_sysdb_subdomains.c | 104 ---------
|
||||
6 files changed, 30 insertions(+), 450 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
||||
index 8a363d09066806c4e7836e4e0cd19ce645d14ee2..809ca359a32f85ef3afbad082665c7eaa9374830 100644
|
||||
--- a/src/db/sysdb.h
|
||||
+++ b/src/db/sysdb.h
|
||||
@@ -1309,10 +1309,4 @@ errno_t sysdb_handle_original_uuid(const char *orig_name,
|
||||
struct sysdb_attrs *dest_attrs,
|
||||
const char *dest_name);
|
||||
|
||||
-errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom,
|
||||
- const char *domain_component_name,
|
||||
- const char *ldap_search_base,
|
||||
- struct sysdb_attrs **usr_attrs,
|
||||
- size_t count,
|
||||
- struct sysdb_attrs **exp_usr);
|
||||
#endif /* __SYS_DB_H__ */
|
||||
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
|
||||
index 780140484f6f023bc6e8c12266e3b81ff016ec10..1f43bfc12e73a9fc7f3b66c85b47f38d2c1a3c19 100644
|
||||
--- a/src/db/sysdb_subdomains.c
|
||||
+++ b/src/db/sysdb_subdomains.c
|
||||
@@ -1144,335 +1144,3 @@ done:
|
||||
talloc_free(tmp_ctx);
|
||||
return ret;
|
||||
}
|
||||
-
|
||||
-static errno_t match_cn_users(TALLOC_CTX *tmp_ctx,
|
||||
- struct sysdb_attrs **usr_attrs,
|
||||
- size_t count,
|
||||
- const char *dom_basedn,
|
||||
- struct sysdb_attrs **_result)
|
||||
-{
|
||||
- errno_t ret;
|
||||
- const char *orig_dn;
|
||||
- size_t dn_len;
|
||||
- struct sysdb_attrs *result = NULL;
|
||||
- const char *result_dn_str = NULL;
|
||||
- char *cn_users_basedn;
|
||||
- size_t cn_users_basedn_len;
|
||||
-
|
||||
- cn_users_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn);
|
||||
- if (cn_users_basedn == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
- cn_users_basedn_len = strlen(cn_users_basedn);
|
||||
- DEBUG(SSSDBG_TRACE_ALL, "cn=users baseDN is [%s].\n", cn_users_basedn);
|
||||
-
|
||||
- for (size_t c = 0; c < count; c++) {
|
||||
- ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
|
||||
- goto done;
|
||||
- }
|
||||
- dn_len = strlen(orig_dn);
|
||||
-
|
||||
- if (dn_len > cn_users_basedn_len
|
||||
- && strcasecmp(orig_dn + (dn_len - cn_users_basedn_len),
|
||||
- cn_users_basedn) == 0) {
|
||||
- DEBUG(SSSDBG_TRACE_ALL,
|
||||
- "Found matching dn [%s].\n", orig_dn);
|
||||
- if (result != NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Found 2 matching DN [%s] and [%s], expecting only 1.\n",
|
||||
- result_dn_str, orig_dn);
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
- result = usr_attrs[c];
|
||||
- result_dn_str = orig_dn;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- ret = EOK;
|
||||
-done:
|
||||
- *_result = result;
|
||||
- return ret;
|
||||
-}
|
||||
-
|
||||
-static errno_t match_non_dc_comp(TALLOC_CTX *tmp_ctx,
|
||||
- struct sss_domain_info *dom,
|
||||
- struct sysdb_attrs **usr_attrs,
|
||||
- size_t count,
|
||||
- struct ldb_dn *ldb_basedn,
|
||||
- const char *basedn,
|
||||
- const char *domain_component_name,
|
||||
- struct sysdb_attrs **_result)
|
||||
-{
|
||||
- errno_t ret;
|
||||
- const char *orig_dn;
|
||||
- size_t orig_dn_len;
|
||||
- size_t basedn_len;
|
||||
- struct ldb_context *ldb_ctx;
|
||||
- struct ldb_dn *ldb_orig_dn;
|
||||
- int dn_comp_num;
|
||||
- int basedn_comp_num;
|
||||
- const char *component_name;
|
||||
- struct sysdb_attrs *result = NULL;
|
||||
- const char *result_dn_str = NULL;
|
||||
-
|
||||
- ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb);
|
||||
- if (ldb_ctx == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n");
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- basedn_len = strlen(basedn);
|
||||
-
|
||||
- basedn_comp_num = ldb_dn_get_comp_num(ldb_basedn);
|
||||
- basedn_comp_num++;
|
||||
-
|
||||
- for (size_t c = 0; c < count; c++) {
|
||||
- ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
|
||||
- goto done;
|
||||
- }
|
||||
- orig_dn_len = strlen(orig_dn);
|
||||
-
|
||||
- if (orig_dn_len > basedn_len
|
||||
- /* Does the user's original DN with the non-domain part
|
||||
- * stripped match the domain base DN?
|
||||
- */
|
||||
- && strcasecmp(orig_dn + (orig_dn_len - basedn_len),
|
||||
- basedn) == 0) {
|
||||
- ldb_orig_dn = ldb_dn_new(tmp_ctx, ldb_ctx, orig_dn);
|
||||
- if (ldb_orig_dn == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- dn_comp_num = ldb_dn_get_comp_num(ldb_orig_dn);
|
||||
- if (dn_comp_num > basedn_comp_num) {
|
||||
- component_name = ldb_dn_get_component_name(ldb_orig_dn,
|
||||
- (dn_comp_num - basedn_comp_num));
|
||||
- DEBUG(SSSDBG_TRACE_ALL, "Comparing [%s] and [%s].\n",
|
||||
- component_name,
|
||||
- domain_component_name);
|
||||
- /* If the component is NOT a DC component, then the entry
|
||||
- * must come from our domain, perhaps from a child container.
|
||||
- * If it matched the DC component, the entry was from a child
|
||||
- * subdomain different from this one.
|
||||
- */
|
||||
- if (component_name != NULL
|
||||
- && strcasecmp(component_name,
|
||||
- domain_component_name) != 0) {
|
||||
- DEBUG(SSSDBG_TRACE_ALL,
|
||||
- "Found matching dn [%s].\n", orig_dn);
|
||||
- if (result != NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "Found 2 matching DN [%s] and [%s], "
|
||||
- "expecting only 1.\n", result_dn_str, orig_dn);
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
- result = usr_attrs[c];
|
||||
- result_dn_str = orig_dn;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- ret = EOK;
|
||||
- *_result = result;
|
||||
-done:
|
||||
- return ret;
|
||||
-}
|
||||
-
|
||||
-static errno_t match_basedn(TALLOC_CTX *tmp_ctx,
|
||||
- struct sss_domain_info *dom,
|
||||
- struct sysdb_attrs **usr_attrs,
|
||||
- size_t count,
|
||||
- const char *dom_basedn,
|
||||
- const char *domain_component_name,
|
||||
- struct sysdb_attrs **_result)
|
||||
-{
|
||||
- struct ldb_context *ldb_ctx;
|
||||
- struct ldb_dn *ldb_dom_basedn;
|
||||
-
|
||||
- ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb);
|
||||
- if (ldb_ctx == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n");
|
||||
- return EINVAL;
|
||||
- }
|
||||
-
|
||||
-
|
||||
- ldb_dom_basedn = ldb_dn_new(tmp_ctx, ldb_ctx, dom_basedn);
|
||||
- if (ldb_dom_basedn == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n");
|
||||
- return ENOMEM;
|
||||
- }
|
||||
-
|
||||
- return match_non_dc_comp(tmp_ctx, dom,
|
||||
- usr_attrs, count,
|
||||
- ldb_dom_basedn, dom_basedn,
|
||||
- domain_component_name,
|
||||
- _result);
|
||||
-}
|
||||
-
|
||||
-static errno_t match_search_base(TALLOC_CTX *tmp_ctx,
|
||||
- struct sss_domain_info *dom,
|
||||
- const char *domain_component_name,
|
||||
- const char *domain_search_base,
|
||||
- struct sysdb_attrs **usr_attrs,
|
||||
- size_t count,
|
||||
- struct sysdb_attrs **_result)
|
||||
-{
|
||||
- errno_t ret;
|
||||
- bool ok;
|
||||
- const char *search_base;
|
||||
- struct ldb_context *ldb_ctx;
|
||||
- struct sysdb_attrs *result = NULL;
|
||||
- struct ldb_dn *ldb_search_base;
|
||||
- int search_base_comp_num;
|
||||
- int non_dc_comp_num;
|
||||
- const char *component_name;
|
||||
-
|
||||
- ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb);
|
||||
- if (ldb_ctx == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n");
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ldb_search_base = ldb_dn_new(tmp_ctx, ldb_ctx, domain_search_base);
|
||||
- if (ldb_search_base == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- /* strip non-DC components from the search base */
|
||||
- search_base_comp_num = ldb_dn_get_comp_num(ldb_search_base);
|
||||
- for (non_dc_comp_num = 0;
|
||||
- non_dc_comp_num < search_base_comp_num;
|
||||
- non_dc_comp_num++) {
|
||||
-
|
||||
- component_name = ldb_dn_get_component_name(ldb_search_base,
|
||||
- non_dc_comp_num);
|
||||
- if (strcasecmp(domain_component_name, component_name) == 0) {
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (non_dc_comp_num == search_base_comp_num) {
|
||||
- /* The search base does not have any non-DC components, the search wouldn't
|
||||
- * match anyway
|
||||
- */
|
||||
- ret = EOK;
|
||||
- *_result = NULL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ok = ldb_dn_remove_child_components(ldb_search_base, non_dc_comp_num);
|
||||
- if (!ok) {
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- search_base = ldb_dn_get_linearized(ldb_search_base);
|
||||
- if (search_base == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = match_cn_users(tmp_ctx, usr_attrs, count, search_base, &result);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- if (result == NULL) {
|
||||
- ret = match_non_dc_comp(tmp_ctx, dom,
|
||||
- usr_attrs, count,
|
||||
- ldb_search_base, search_base,
|
||||
- domain_component_name,
|
||||
- &result);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- ret = EOK;
|
||||
- *_result = result;
|
||||
-done:
|
||||
- return ret;
|
||||
-}
|
||||
-
|
||||
-errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom,
|
||||
- const char *domain_component_name,
|
||||
- const char *domain_search_base,
|
||||
- struct sysdb_attrs **usr_attrs,
|
||||
- size_t count,
|
||||
- struct sysdb_attrs **exp_usr)
|
||||
-{
|
||||
- char *dom_basedn;
|
||||
- int ret;
|
||||
- TALLOC_CTX *tmp_ctx;
|
||||
- struct sysdb_attrs *result = NULL;
|
||||
-
|
||||
- if (dom == NULL || domain_component_name == NULL
|
||||
- || domain_search_base == NULL
|
||||
- || usr_attrs == NULL || count == 0) {
|
||||
- return EINVAL;
|
||||
- }
|
||||
-
|
||||
- tmp_ctx = talloc_new(NULL);
|
||||
- if (tmp_ctx == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
|
||||
- return ENOMEM;
|
||||
- }
|
||||
-
|
||||
- ret = domain_to_basedn(tmp_ctx, dom->name, &dom_basedn);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n");
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = match_cn_users(tmp_ctx, usr_attrs, count, dom_basedn, &result);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- if (result == NULL) {
|
||||
- ret = match_basedn(tmp_ctx, dom, usr_attrs,
|
||||
- count, dom_basedn, domain_component_name,
|
||||
- &result);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (result == NULL) {
|
||||
- ret = match_search_base(tmp_ctx, dom, domain_component_name,
|
||||
- domain_search_base, usr_attrs, count,
|
||||
- &result);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (result == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "No matching DN found.\n");
|
||||
- ret = ENOENT;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- *exp_usr = result;
|
||||
-
|
||||
- ret = EOK;
|
||||
-done:
|
||||
- talloc_free(tmp_ctx);
|
||||
-
|
||||
- return ret;
|
||||
-}
|
||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
||||
index eb460d93bfb067e780868bc9f7bf4e6e0aa1b4a3..bfb7fc6d2a38debf56acae18b8e7eb7a08ccbd1b 100644
|
||||
--- a/src/providers/ldap/sdap.c
|
||||
+++ b/src/providers/ldap/sdap.c
|
||||
@@ -1673,9 +1673,9 @@ char *sdap_make_oc_list(TALLOC_CTX *mem_ctx, struct sdap_attr_map *map)
|
||||
}
|
||||
}
|
||||
|
||||
-static bool sdap_object_in_domain(struct sdap_options *opts,
|
||||
- struct sysdb_attrs *obj,
|
||||
- struct sss_domain_info *dom)
|
||||
+bool sdap_object_in_domain(struct sdap_options *opts,
|
||||
+ struct sysdb_attrs *obj,
|
||||
+ struct sss_domain_info *dom)
|
||||
{
|
||||
errno_t ret;
|
||||
const char *original_dn = NULL;
|
||||
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
|
||||
index e3cb8464ff40538e1e7f1ba853ed71d9a5cc3c98..6d4543ed48ce19f82252d34b6d0833a546a81bb9 100644
|
||||
--- a/src/providers/ldap/sdap.h
|
||||
+++ b/src/providers/ldap/sdap.h
|
||||
@@ -616,4 +616,8 @@ size_t sdap_steal_objects_in_dom(struct sdap_options *opts,
|
||||
size_t count,
|
||||
bool filter);
|
||||
|
||||
+bool sdap_object_in_domain(struct sdap_options *opts,
|
||||
+ struct sysdb_attrs *obj,
|
||||
+ struct sss_domain_info *dom);
|
||||
+
|
||||
#endif /* _SDAP_H_ */
|
||||
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
|
||||
index 2cd9c15b9e284592b3e132eb3d1f35b09a69046e..8c7a65bf36abf341e077cf9eac18a234d3a07c07 100644
|
||||
--- a/src/providers/ldap/sdap_async_initgroups.c
|
||||
+++ b/src/providers/ldap/sdap_async_initgroups.c
|
||||
@@ -23,6 +23,7 @@
|
||||
|
||||
#include "util/util.h"
|
||||
#include "db/sysdb.h"
|
||||
+#include "providers/ldap/sdap.h"
|
||||
#include "providers/ldap/sdap_async_private.h"
|
||||
#include "providers/ldap/ldap_common.h"
|
||||
#include "providers/ldap/sdap_idmap.h"
|
||||
@@ -2890,6 +2891,25 @@ static errno_t sdap_get_initgr_next_base(struct tevent_req *req)
|
||||
return EOK;
|
||||
}
|
||||
|
||||
+static int sdap_search_initgr_user_in_batch(struct sdap_get_initgr_state *state,
|
||||
+ struct sysdb_attrs **users,
|
||||
+ size_t count)
|
||||
+{
|
||||
+ int ret = EINVAL;
|
||||
+
|
||||
+ for (size_t i = 0; i < count; i++) {
|
||||
+ if (sdap_object_in_domain(state->opts, users[i], state->dom) == false) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ state->orig_user = talloc_steal(state, users[i]);
|
||||
+ ret = EOK;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static void sdap_get_initgr_user(struct tevent_req *subreq)
|
||||
{
|
||||
struct tevent_req *req = tevent_req_callback_data(subreq,
|
||||
@@ -2951,13 +2971,11 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
|
||||
* the first search base because all bases in a single domain would
|
||||
* have the same DC= components
|
||||
*/
|
||||
- ret = sysdb_try_to_find_expected_dn(state->dom, "dc",
|
||||
- state->sdom->search_bases[0]->basedn,
|
||||
- usr_attrs, count,
|
||||
- &state->orig_user);
|
||||
+ ret = sdap_search_initgr_user_in_batch(state, usr_attrs, count);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
- "try_to_find_expected_dn failed. No matching DN found.\n");
|
||||
+ "sdap_search_initgr_user_in_batch failed. "
|
||||
+ "No matching DN found.\n");
|
||||
tevent_req_error(req, EINVAL);
|
||||
return;
|
||||
}
|
||||
diff --git a/src/tests/cmocka/test_sysdb_subdomains.c b/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
index 52056e0435d2793893f1a4e336f38acf7a70b2c0..52242e516ed0490e5094ccc1392908207e00359d 100644
|
||||
--- a/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
+++ b/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
@@ -515,107 +515,6 @@ static void test_sysdb_link_ad_multidom(void **state)
|
||||
|
||||
}
|
||||
|
||||
-static void test_try_to_find_expected_dn(void **state)
|
||||
-{
|
||||
- int ret;
|
||||
- struct sysdb_attrs *result;
|
||||
- struct sysdb_attrs *usr_attrs[10] = { NULL };
|
||||
- struct sysdb_attrs *dom_usr_attrs[10] = { NULL };
|
||||
- struct sss_domain_info *dom;
|
||||
- char *dom_basedn;
|
||||
- struct subdom_test_ctx *test_ctx =
|
||||
- talloc_get_type(*state, struct subdom_test_ctx);
|
||||
-
|
||||
- dom = find_domain_by_name(test_ctx->tctx->dom,
|
||||
- "child2.test_sysdb_subdomains_2", true);
|
||||
- assert_non_null(dom);
|
||||
-
|
||||
- ret = domain_to_basedn(test_ctx, dom->name, &dom_basedn);
|
||||
- assert_int_equal(ret, EOK);
|
||||
-
|
||||
- usr_attrs[0] = sysdb_new_attrs(test_ctx);
|
||||
- assert_non_null(usr_attrs[0]);
|
||||
-
|
||||
- ret = sysdb_attrs_add_string(usr_attrs[0], SYSDB_ORIG_DN,
|
||||
- "uid=user,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2");
|
||||
- assert_int_equal(ret, EOK);
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(NULL, NULL, NULL, NULL, 0, NULL);
|
||||
- assert_int_equal(ret, EINVAL);
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 1, &result);
|
||||
- assert_int_equal(ret, ENOENT);
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "xy", dom_basedn, usr_attrs, 1, &result);
|
||||
- assert_int_equal(ret, EOK);
|
||||
- assert_ptr_equal(result, usr_attrs[0]);
|
||||
-
|
||||
- usr_attrs[1] = sysdb_new_attrs(test_ctx);
|
||||
- assert_non_null(usr_attrs[1]);
|
||||
-
|
||||
- ret = sysdb_attrs_add_string(usr_attrs[1], SYSDB_ORIG_DN,
|
||||
- "uid=user1,cn=abc,dc=child2,dc=test_sysdb_subdomains_2");
|
||||
- assert_int_equal(ret, EOK);
|
||||
-
|
||||
- usr_attrs[2] = sysdb_new_attrs(test_ctx);
|
||||
- assert_non_null(usr_attrs[2]);
|
||||
-
|
||||
- ret = sysdb_attrs_add_string(usr_attrs[2], SYSDB_ORIG_DN,
|
||||
- "uid=user2,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2");
|
||||
- assert_int_equal(ret, EOK);
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 3, &result);
|
||||
- assert_int_equal(ret, EOK);
|
||||
- assert_ptr_equal(result, usr_attrs[1]);
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "xy", dom_basedn, usr_attrs, 3, &result);
|
||||
- assert_int_equal(ret, EINVAL);
|
||||
-
|
||||
- /* Make sure cn=users match is preferred */
|
||||
- talloc_free(usr_attrs[2]);
|
||||
- usr_attrs[2] = sysdb_new_attrs(test_ctx);
|
||||
- assert_non_null(usr_attrs[2]);
|
||||
-
|
||||
- ret = sysdb_attrs_add_string(usr_attrs[2], SYSDB_ORIG_DN,
|
||||
- "uid=user2,cn=abc,cn=users,dc=child2,dc=test_sysdb_subdomains_2");
|
||||
- assert_int_equal(ret, EOK);
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 3, &result);
|
||||
- assert_int_equal(ret, EOK);
|
||||
- assert_ptr_equal(result, usr_attrs[2]);
|
||||
-
|
||||
- /* test a case where the domain name does not match the basedn */
|
||||
- dom->name = discard_const("default");
|
||||
- dom_usr_attrs[0] = usr_attrs[0];
|
||||
-
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 1, &result);
|
||||
- assert_int_equal(ret, ENOENT);
|
||||
-
|
||||
- dom_usr_attrs[1] = usr_attrs[1];
|
||||
- dom_usr_attrs[2] = usr_attrs[2];
|
||||
-
|
||||
- /* Make sure cn=users match is preferred */
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 3, &result);
|
||||
- assert_int_equal(ret, EOK);
|
||||
- assert_ptr_equal(result, dom_usr_attrs[2]);
|
||||
-
|
||||
- talloc_free(usr_attrs[2]);
|
||||
- usr_attrs[2] = sysdb_new_attrs(test_ctx);
|
||||
- assert_non_null(usr_attrs[2]);
|
||||
- ret = sysdb_attrs_add_string(usr_attrs[2], SYSDB_ORIG_DN,
|
||||
- "uid=user2,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2");
|
||||
- assert_int_equal(ret, EOK);
|
||||
-
|
||||
- dom_usr_attrs[2] = usr_attrs[2];
|
||||
- ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 3, &result);
|
||||
- assert_int_equal(ret, EOK);
|
||||
- assert_ptr_equal(result, usr_attrs[1]);
|
||||
-
|
||||
- talloc_free(usr_attrs[0]);
|
||||
- talloc_free(usr_attrs[1]);
|
||||
- talloc_free(usr_attrs[2]);
|
||||
-}
|
||||
-
|
||||
int main(int argc, const char *argv[])
|
||||
{
|
||||
int rv;
|
||||
@@ -649,9 +548,6 @@ int main(int argc, const char *argv[])
|
||||
cmocka_unit_test_setup_teardown(test_sysdb_link_ad_multidom,
|
||||
test_sysdb_subdom_setup,
|
||||
test_sysdb_subdom_teardown),
|
||||
- cmocka_unit_test_setup_teardown(test_try_to_find_expected_dn,
|
||||
- test_sysdb_subdom_setup,
|
||||
- test_sysdb_subdom_teardown),
|
||||
};
|
||||
|
||||
/* Set debug level to invalid value so we can deside if -d 0 was used. */
|
||||
--
|
||||
2.9.3
|
||||
|
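--- /dev/null
+++ b/0020-IPA-Qualify-the-externalUser-sudo-attribute.patch
@@ -0,0 +1,70 @@
+From 999420ed67439bb662e92b47792a06310d173c53 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Mon, 26 Mar 2018 11:36:00 +0200
+Subject: [PATCH] IPA: Qualify the externalUser sudo attribute
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We broke the externalUser support with the introduction of the fully
+qualified attributes, because the provider was saving the data verbatim,
+but the sudo responder expects a fully qualified name.
+
+Reproducer:
+on the server:
+ipa sudocmd-add --desc='For reading log files' /usr/bin/less
+ipa sudorule-add readfiles
+ipa sudorule-add-user --users=lcluser
+ipa sudorule-mod --hostcat=all readfiles
+
+then on the client:
+configure sssd with:
+id_provider = files
+sudo_provider = ipa
+ipa_domain = ipa.test
+
+run:
+sudo useradd lcluser
+sudo passwd lcluser
+su - lcluser
+sudo -l
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit 0f6b5b02afb35caae774ff4d52854a844d49f52e)
+---
+src/providers/ipa/ipa_sudo_conversion.c | 11 ++++++++++-
+1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
+index a96ae3447..bfa66b2c6 100644
+--- a/src/providers/ipa/ipa_sudo_conversion.c
++++ b/src/providers/ipa/ipa_sudo_conversion.c
+@@ -873,6 +873,15 @@ convert_user_fqdn(TALLOC_CTX *mem_ctx,
+return fqdn;
+}
+
++static const char *
++convert_ext_user(TALLOC_CTX *mem_ctx,
++ struct ipa_sudo_conv *conv,
++ const char *value,
++ bool *skip_entry)
++{
++ return sss_create_internal_fqname(mem_ctx, value, conv->dom->name);
++}
++
+static const char *
+convert_group(TALLOC_CTX *mem_ctx,
+struct ipa_sudo_conv *conv,
+@@ -959,7 +968,7 @@ convert_attributes(struct ipa_sudo_conv *conv,
+{SYSDB_IPA_SUDORULE_RUNASEXTUSER, SYSDB_SUDO_CACHE_AT_RUNASUSER , NULL},
+{SYSDB_IPA_SUDORULE_RUNASEXTGROUP, SYSDB_SUDO_CACHE_AT_RUNASGROUP , NULL},
+{SYSDB_IPA_SUDORULE_RUNASEXTUSERGROUP, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_runasextusergroup},
+- {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , NULL},
++ {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , convert_ext_user},
+{SYSDB_IPA_SUDORULE_ALLOWCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
+{SYSDB_IPA_SUDORULE_DENYCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
+{NULL, NULL, NULL}};
+--
+2.14.3
+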
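Review bot: `convert_ext_user` has no comment saying why an externalUser value is now rewritten instead of stored verbatim, and the table row wired to it at the bottom of the section gives no hint either, so the reason lives only in the commit message. I would put above the function: `/* externalUser holds a bare name, but the sudo responder matches fully-qualified names, so qualify it with the rule's domain. Returns NULL if the name cannot be built; skip_entry is never set. */`. The `skip_entry` parameter exists only to match the converter callback shape and is left untouched, which is worth stating so nobody later assumes a failed qualification skips the rule; how the caller treats a NULL return is not visible in this section.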
@ -1,138 +0,0 @@
|
||||
From f1e3364a72eb75673d10cf8c97ba8f1d7a385405 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
||||
Date: Thu, 12 Jan 2017 13:16:10 +0100
|
||||
Subject: [PATCH 20/79] TEST: create_multidom_test_ctx() extending
|
||||
|
||||
Function create_multidom_test_ctx() prepares test environment for
|
||||
multidomains. This patch enables setting of different params for
|
||||
each domain.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3230
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_ad_common.c | 5 +----
|
||||
src/tests/cmocka/test_sysdb_subdomains.c | 5 +----
|
||||
src/tests/cmocka/test_sysdb_ts_cache.c | 5 +----
|
||||
src/tests/common.h | 2 +-
|
||||
src/tests/common_dom.c | 6 +++---
|
||||
5 files changed, 7 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
|
||||
index 7ec292092e0de6a3edabfe6e7480f777e47a475d..ea9998951d1214ad41429cad38a28efcea11dcd0 100644
|
||||
--- a/src/tests/cmocka/test_ad_common.c
|
||||
+++ b/src/tests/cmocka/test_ad_common.c
|
||||
@@ -78,9 +78,6 @@ struct ad_sysdb_test_ctx {
|
||||
static int test_ad_sysdb_setup(void **state)
|
||||
{
|
||||
struct ad_sysdb_test_ctx *test_ctx;
|
||||
- struct sss_test_conf_param params[] = {
|
||||
- { NULL, NULL }, /* Sentinel */
|
||||
- };
|
||||
|
||||
assert_true(leak_check_setup());
|
||||
|
||||
@@ -92,7 +89,7 @@ static int test_ad_sysdb_setup(void **state)
|
||||
|
||||
test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
|
||||
TEST_CONF_DB, domains,
|
||||
- TEST_ID_PROVIDER, params);
|
||||
+ TEST_ID_PROVIDER, NULL);
|
||||
assert_non_null(test_ctx->tctx);
|
||||
|
||||
*state = test_ctx;
|
||||
diff --git a/src/tests/cmocka/test_sysdb_subdomains.c b/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
index 52242e516ed0490e5094ccc1392908207e00359d..49f44998a06740d1df70ac354ee741824acd8f50 100644
|
||||
--- a/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
+++ b/src/tests/cmocka/test_sysdb_subdomains.c
|
||||
@@ -60,9 +60,6 @@ struct subdom_test_ctx {
|
||||
static int test_sysdb_subdom_setup(void **state)
|
||||
{
|
||||
struct subdom_test_ctx *test_ctx;
|
||||
- struct sss_test_conf_param params[] = {
|
||||
- { NULL, NULL }, /* Sentinel */
|
||||
- };
|
||||
|
||||
assert_true(leak_check_setup());
|
||||
|
||||
@@ -74,7 +71,7 @@ static int test_sysdb_subdom_setup(void **state)
|
||||
|
||||
test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
|
||||
TEST_CONF_DB, domains,
|
||||
- TEST_ID_PROVIDER, params);
|
||||
+ TEST_ID_PROVIDER, NULL);
|
||||
assert_non_null(test_ctx->tctx);
|
||||
|
||||
*state = test_ctx;
|
||||
diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c
|
||||
index e950f88631e4c78573bbb7290edfe94b5ced57cd..f5aab73f001e8fdece1f85de987d6711a459e6aa 100644
|
||||
--- a/src/tests/cmocka/test_sysdb_ts_cache.c
|
||||
+++ b/src/tests/cmocka/test_sysdb_ts_cache.c
|
||||
@@ -74,9 +74,6 @@ const char *domains[] = { TEST_DOM1_NAME,
|
||||
static int test_sysdb_ts_setup(void **state)
|
||||
{
|
||||
struct sysdb_ts_test_ctx *test_ctx;
|
||||
- struct sss_test_conf_param params[] = {
|
||||
- { NULL, NULL }, /* Sentinel */
|
||||
- };
|
||||
|
||||
assert_true(leak_check_setup());
|
||||
|
||||
@@ -88,7 +85,7 @@ static int test_sysdb_ts_setup(void **state)
|
||||
|
||||
test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
|
||||
TEST_CONF_DB, domains,
|
||||
- TEST_ID_PROVIDER, params);
|
||||
+ TEST_ID_PROVIDER, NULL);
|
||||
assert_non_null(test_ctx->tctx);
|
||||
|
||||
check_leaks_push(test_ctx);
|
||||
diff --git a/src/tests/common.h b/src/tests/common.h
|
||||
index b49cfea9b73d8b4b7b61c721912de9fd2c0ccf13..c06568d3820ab92ffd47b5c206c300842e8f8a39 100644
|
||||
--- a/src/tests/common.h
|
||||
+++ b/src/tests/common.h
|
||||
@@ -92,7 +92,7 @@ create_multidom_test_ctx(TALLOC_CTX *mem_ctx,
|
||||
const char *cdb_file,
|
||||
const char **domains,
|
||||
const char *id_provider,
|
||||
- struct sss_test_conf_param *params);
|
||||
+ struct sss_test_conf_param **params);
|
||||
|
||||
struct sss_test_ctx *
|
||||
create_dom_test_ctx(TALLOC_CTX *mem_ctx,
|
||||
diff --git a/src/tests/common_dom.c b/src/tests/common_dom.c
|
||||
index f1a92cc99f3423d5d7ef10327013a5972940c792..def28d5101efe9990c963a4180d9fb2bd6f71b42 100644
|
||||
--- a/src/tests/common_dom.c
|
||||
+++ b/src/tests/common_dom.c
|
||||
@@ -231,7 +231,7 @@ create_multidom_test_ctx(TALLOC_CTX *mem_ctx,
|
||||
const char *cdb_file,
|
||||
const char **domains,
|
||||
const char *id_provider,
|
||||
- struct sss_test_conf_param *params)
|
||||
+ struct sss_test_conf_param **params)
|
||||
{
|
||||
struct sss_domain_info *domain = NULL;
|
||||
struct sss_test_ctx *test_ctx = NULL;
|
||||
@@ -255,7 +255,7 @@ create_multidom_test_ctx(TALLOC_CTX *mem_ctx,
|
||||
/* create confdb objects for the domains */
|
||||
for (i = 0; domains[i] != NULL; i++) {
|
||||
ret = mock_confdb_domain(test_ctx, test_ctx->confdb, tests_path,
|
||||
- domains[i], id_provider, params,
|
||||
+ domains[i], id_provider, params != NULL ? params[i] : NULL,
|
||||
(cdb_path == NULL ? &cdb_path : NULL));
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize confdb domain "
|
||||
@@ -302,7 +302,7 @@ create_dom_test_ctx(TALLOC_CTX *mem_ctx,
|
||||
const char *domains[] = {domain_name, NULL};
|
||||
|
||||
return create_multidom_test_ctx(mem_ctx, tests_path, confdb_path, domains,
|
||||
- id_provider, params);
|
||||
+ id_provider, ¶ms);
|
||||
}
|
||||
|
||||
void test_multidom_suite_cleanup(const char *tests_path,
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,56 @@
|
||||
From d0801ecbac1300978fc864ae394e6ff43dda2781 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 5 Mar 2018 21:00:30 +0100
|
||||
Subject: [PATCH] NSS: Adjust netgroup setnetgrent cache lifetime if midpoint
|
||||
refresh is used
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is a minor regression compared to the state of the code before we
|
||||
converted the responders to cache_req. The NSS responder keeps a has
|
||||
table of netgroup objects in memory for either the lifetime of the
|
||||
netgroup, or, in case midpoint refresh is used, up to the midpoint
|
||||
refresh time. The case with the midpoint refresh was removed in the
|
||||
cache_req enabled code, which means that even if the netgroup was
|
||||
updated in the cache with the background refresh task, the object was
|
||||
never read from cache, but always still returned from the in-memory
|
||||
enumeration hash.
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3550
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
(cherry picked from commit f22528922c065f37ca928f95fd86ed2ea79e0d51)
|
||||
---
|
||||
src/responder/nss/nss_enum.c | 13 ++++++++++++-
|
||||
1 file changed, 12 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
|
||||
index da844fbce..031db9f2e 100644
|
||||
--- a/src/responder/nss/nss_enum.c
|
||||
+++ b/src/responder/nss/nss_enum.c
|
||||
@@ -280,7 +280,18 @@ nss_setnetgrent_set_timeout(struct tevent_context *ev,
|
||||
struct timeval tv;
|
||||
uint32_t timeout;
|
||||
|
||||
- timeout = enum_ctx->result[0]->domain->netgroup_timeout;
|
||||
+ if (nss_ctx->cache_refresh_percent) {
|
||||
+ timeout = enum_ctx->result[0]->domain->netgroup_timeout *
|
||||
+ (nss_ctx->cache_refresh_percent / 100.0);
|
||||
+ } else {
|
||||
+ timeout = enum_ctx->result[0]->domain->netgroup_timeout;
|
||||
+ }
|
||||
+
|
||||
+ /* In order to not trash the cache between setnetgrent()/getnetgrent()
|
||||
+ * calls with too low timeout values, we only allow 10 seconds as
|
||||
+ * the minimal timeout
|
||||
+ */
|
||||
+ if (timeout < 10) timeout = 10;
|
||||
|
||||
tv = tevent_timeval_current_ofs(timeout, 0);
|
||||
te = tevent_add_timer(ev, enum_ctx, tv, nss_setnetgrent_timeout, enum_ctx);
|
||||
--
|
||||
2.14.3
|
||||
|
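Review bot: The new midpoint branch assigns a double to the `uint32_t timeout` declared a few lines above, because `cache_refresh_percent / 100.0` forces floating-point arithmetic; the implicit conversion silently truncates and trips `-Wconversion`. If `cache_refresh_percent` is an integer type (its declaration is not in this hunk), integer arithmetic in a wide intermediate avoids both: `timeout = (uint32_t)((uint64_t)enum_ctx->result[0]->domain->netgroup_timeout * nss_ctx->cache_refresh_percent / 100);`. The added floor `if (timeout < 10) timeout = 10;` also drops the braces the if/else just above it uses; `if (timeout < 10) { timeout = 10; }` keeps the file's style. nss_setnetgrent_set_timeout begins and ends outside the hunk.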
@ -1,609 +0,0 @@
|
||||
From 0b7ded15e53b3f31f1570c366f04bc41e5761929 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
||||
Date: Tue, 10 Jan 2017 14:01:45 +0100
|
||||
Subject: [PATCH 21/79] TESTS: Tests for sdap_search_initgr_user_in_batch
|
||||
|
||||
This patch provides tests for core logic of
|
||||
sdap_search_initgr_user_in_batch() function. This function replaces
|
||||
old approach with sysdb_try_to_find_expected_dn() function.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3230
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
Makefile.am | 22 ++
|
||||
src/tests/cmocka/test_sdap_initgr.c | 540 ++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 562 insertions(+)
|
||||
create mode 100644 src/tests/cmocka/test_sdap_initgr.c
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 6d21af8e8c455622d8c4c8b4e325789c4c1e34cb..9dd2060c6615b1c23ae8adb61886341bcdc49560 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -289,6 +289,7 @@ non_interactive_cmocka_based_tests += \
|
||||
ad_access_filter_tests \
|
||||
ad_gpo_tests \
|
||||
ad_common_tests \
|
||||
+ test_sdap_initgr \
|
||||
test_ad_subdom \
|
||||
test_ipa_subdom_server \
|
||||
$(NULL)
|
||||
@@ -2862,6 +2863,27 @@ test_fo_srv_LDADD = \
|
||||
libsss_test_common.la \
|
||||
$(NULL)
|
||||
|
||||
+test_sdap_initgr_SOURCES = \
|
||||
+ src/tests/cmocka/common_mock_sdap.c \
|
||||
+ src/tests/cmocka/common_mock_sysdb_objects.c \
|
||||
+ src/tests/cmocka/test_sdap_initgr.c \
|
||||
+ $(NULL)
|
||||
+test_sdap_initgr_CFLAGS = \
|
||||
+ $(AM_CFLAGS) \
|
||||
+ $(NDR_NBT_CFLAGS) \
|
||||
+ $(NULL)
|
||||
+test_sdap_initgr_LDADD = \
|
||||
+ $(CMOCKA_LIBS) \
|
||||
+ $(POPT_LIBS) \
|
||||
+ $(TALLOC_LIBS) \
|
||||
+ $(SSSD_INTERNAL_LTLIBS) \
|
||||
+ libsss_ldap_common.la \
|
||||
+ libsss_ad_tests.la \
|
||||
+ libsss_idmap.la \
|
||||
+ libsss_test_common.la \
|
||||
+ libdlopen_test_providers.la \
|
||||
+ $(NULL)
|
||||
+
|
||||
test_ad_subdom_SOURCES = \
|
||||
src/tests/cmocka/test_ad_subdomains.c \
|
||||
$(NULL)
|
||||
diff --git a/src/tests/cmocka/test_sdap_initgr.c b/src/tests/cmocka/test_sdap_initgr.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..28c6ae33ef3dd2a343711b339554492c899dd7b5
|
||||
--- /dev/null
|
||||
+++ b/src/tests/cmocka/test_sdap_initgr.c
|
||||
@@ -0,0 +1,540 @@
|
||||
+/*
|
||||
+ Authors:
|
||||
+ Petr Čech <pcech@redhat.com>
|
||||
+
|
||||
+ Copyright (C) 2017 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include <talloc.h>
|
||||
+#include <tevent.h>
|
||||
+#include <errno.h>
|
||||
+#include <popt.h>
|
||||
+#include <arpa/inet.h>
|
||||
+#include <netinet/in.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <pwd.h>
|
||||
+
|
||||
+#include "tests/cmocka/common_mock.h"
|
||||
+#include "tests/cmocka/common_mock_sysdb_objects.h"
|
||||
+#include "tests/cmocka/common_mock_sdap.h"
|
||||
+#include "providers/ad/ad_common.h"
|
||||
+
|
||||
+#include "providers/ad/ad_opts.c"
|
||||
+#include "providers/ldap/sdap_async_initgroups.c"
|
||||
+
|
||||
+/* Declarations from providers/ldap/sdap_async_initgroups.c */
|
||||
+struct sdap_get_initgr_state;
|
||||
+static int sdap_search_initgr_user_in_batch(struct sdap_get_initgr_state *state,
|
||||
+ struct sysdb_attrs **users,
|
||||
+ size_t count);
|
||||
+
|
||||
+#define TESTS_PATH "tp_" BASE_FILE_STEM
|
||||
+#define TEST_CONF_DB "test_sdap_initgr_conf.ldb"
|
||||
+#define TEST_ID_PROVIDER "ldap"
|
||||
+
|
||||
+#define TEST_DOM1_NAME "domain.test.com"
|
||||
+#define TEST_DOM2_NAME "subdom1.domain.test.com"
|
||||
+#define TEST_DOM3_NAME "another_domain.test.com"
|
||||
+
|
||||
+#define OBJECT_BASE_DN1 "dc=domain,dc=test,dc=com,cn=sysdb"
|
||||
+#define OBJECT_BASE_DN2 "dc=subdom1,dc=domain,dc=test,dc=com,cn=sysdb"
|
||||
+#define OBJECT_BASE_DN3 "dc=another_domain,dc=test,dc=com,cn=sysdb"
|
||||
+
|
||||
+#define TEST_USER_1 "test_user_1"
|
||||
+#define TEST_USER_2 "test_user_2"
|
||||
+#define TEST_USER_3 "test_user_3"
|
||||
+
|
||||
+const char *domains[] = { TEST_DOM1_NAME,
|
||||
+ TEST_DOM2_NAME,
|
||||
+ TEST_DOM3_NAME,
|
||||
+ NULL };
|
||||
+
|
||||
+const char *object_bases[] = { OBJECT_BASE_DN1,
|
||||
+ OBJECT_BASE_DN2,
|
||||
+ OBJECT_BASE_DN3,
|
||||
+ NULL };
|
||||
+
|
||||
+const char *test_users[] = { TEST_USER_1,
|
||||
+ TEST_USER_2,
|
||||
+ TEST_USER_3,
|
||||
+ NULL };
|
||||
+
|
||||
+/* ====================== Utilities =============================== */
|
||||
+
|
||||
+struct test_sdap_initgr_ctx {
|
||||
+ struct sss_test_ctx *tctx;
|
||||
+};
|
||||
+
|
||||
+static struct passwd **get_users(TALLOC_CTX *ctx)
|
||||
+{
|
||||
+ struct passwd **passwds = NULL;
|
||||
+ char *homedir = NULL;
|
||||
+ size_t user_count = 0;
|
||||
+
|
||||
+ for (int i = 0; test_users[i] != NULL; i++) {
|
||||
+ user_count++;
|
||||
+ }
|
||||
+ passwds = talloc_array(ctx, struct passwd *, user_count);
|
||||
+ assert_non_null(passwds);
|
||||
+
|
||||
+ for (int i = 0; i < user_count; i++) {
|
||||
+ passwds[i] = talloc(passwds, struct passwd);
|
||||
+ assert_non_null(passwds[i]);
|
||||
+
|
||||
+ homedir = talloc_strdup_append(homedir, "/home/");
|
||||
+ homedir = talloc_strdup_append(homedir, test_users[i]);
|
||||
+
|
||||
+ passwds[i]->pw_name = discard_const(test_users[i]);
|
||||
+ passwds[i]->pw_uid = 567 + i;
|
||||
+ passwds[i]->pw_gid = 890 + i;
|
||||
+ passwds[i]->pw_dir = talloc_strdup(passwds[i], homedir);
|
||||
+ passwds[i]->pw_gecos = discard_const(test_users[i]);
|
||||
+ passwds[i]->pw_shell = discard_const("/bin/sh");
|
||||
+ passwds[i]->pw_passwd = discard_const("*");
|
||||
+
|
||||
+ talloc_zfree(homedir);
|
||||
+ }
|
||||
+
|
||||
+ return passwds;
|
||||
+}
|
||||
+
|
||||
+static struct sss_test_conf_param **get_params(TALLOC_CTX *ctx)
|
||||
+{
|
||||
+ struct sss_test_conf_param **params;
|
||||
+ char *user_base_dn = NULL;
|
||||
+ char *group_base_dn = NULL;
|
||||
+ size_t base_count = 0;
|
||||
+
|
||||
+ for (int i = 0; object_bases[i] != NULL; i++) {
|
||||
+ base_count++;
|
||||
+ }
|
||||
+
|
||||
+ params = talloc_array(ctx, struct sss_test_conf_param *, base_count + 1);
|
||||
+ assert_non_null(params);
|
||||
+
|
||||
+ for (int i = 0; i < base_count; i++) {
|
||||
+ params[i] = talloc(params, struct sss_test_conf_param);
|
||||
+ assert_non_null(params[i]);
|
||||
+
|
||||
+ user_base_dn = talloc_strdup_append(user_base_dn, "cn=users,");
|
||||
+ user_base_dn = talloc_strdup_append(user_base_dn, object_bases[i]);
|
||||
+
|
||||
+ group_base_dn = talloc_strdup_append(group_base_dn, "cn=groups,");
|
||||
+ group_base_dn = talloc_strdup_append(group_base_dn, object_bases[i]);
|
||||
+
|
||||
+ params[i] = talloc_array(params[i], struct sss_test_conf_param, 5);
|
||||
+ params[i][0].key = "ldap_schema";
|
||||
+ params[i][0].value = "rfc2307bis";
|
||||
+ params[i][1].key = "ldap_search_base";
|
||||
+ params[i][1].value = talloc_strdup(params[i], object_bases[i]);
|
||||
+ params[i][2].key = "ldap_user_search_base";
|
||||
+ params[i][2].value = talloc_strdup(params[i], user_base_dn);
|
||||
+ params[i][3].key = "ldap_group_search_base";
|
||||
+ params[i][3].value = talloc_strdup(params[i], group_base_dn);
|
||||
+ params[i][4].key = NULL;
|
||||
+ params[i][4].value = NULL;
|
||||
+
|
||||
+ talloc_zfree(user_base_dn);
|
||||
+ talloc_zfree(group_base_dn);
|
||||
+ }
|
||||
+
|
||||
+ return params;
|
||||
+}
|
||||
+
|
||||
+struct sss_domain_info *get_domain_info(struct sss_domain_info *domain,
|
||||
+ const char *domain_name)
|
||||
+{
|
||||
+ struct sss_domain_info *dom = domain;
|
||||
+
|
||||
+ while(dom != NULL) {
|
||||
+ if (strcmp(dom->name, domain_name) == 0) {
|
||||
+ break;
|
||||
+ }
|
||||
+ dom = dom->next;
|
||||
+ }
|
||||
+
|
||||
+ return dom;
|
||||
+}
|
||||
+
|
||||
+struct sdap_get_initgr_state *prepare_state(struct test_sdap_initgr_ctx *ctx,
|
||||
+ const char **domain_names)
|
||||
+{
|
||||
+ struct sdap_get_initgr_state *state;
|
||||
+ struct sss_domain_info *dom_info = NULL;
|
||||
+ struct sss_domain_info *recent_dom_info = NULL;
|
||||
+
|
||||
+ state = talloc_zero(ctx->tctx, struct sdap_get_initgr_state);
|
||||
+ assert_non_null(state);
|
||||
+
|
||||
+ for (int i=0; domain_names[i] != NULL; i++) {
|
||||
+ dom_info = get_domain_info(ctx->tctx->dom, domain_names[i]);
|
||||
+ assert_non_null(dom_info);
|
||||
+
|
||||
+ if (i == 0) {
|
||||
+ state->dom = dom_info;
|
||||
+ recent_dom_info = state->dom;
|
||||
+ } else {
|
||||
+ recent_dom_info->next = dom_info;
|
||||
+ recent_dom_info = recent_dom_info->next;
|
||||
+ }
|
||||
+ }
|
||||
+ assert_non_null(state->dom);
|
||||
+ assert_non_null(recent_dom_info);
|
||||
+ recent_dom_info->next = NULL;
|
||||
+
|
||||
+ state->opts = mock_sdap_options_ldap(state, state->dom,
|
||||
+ ctx->tctx->confdb,
|
||||
+ ctx->tctx->conf_dom_path);
|
||||
+ assert_non_null(state->opts);
|
||||
+
|
||||
+ return state;
|
||||
+}
|
||||
+
|
||||
+/* TODO: This function is copied from test_nss_srv.c
|
||||
+ * It could be fine move both to one place,
|
||||
+ * for example src/tests/common_sysdb.c
|
||||
+ */
|
||||
+static errno_t store_user(TALLOC_CTX *ctx,
|
||||
+ struct sss_domain_info *dom,
|
||||
+ struct passwd *user,
|
||||
+ struct sysdb_attrs *attrs,
|
||||
+ time_t cache_update)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+ char *fqname;
|
||||
+
|
||||
+ fqname = sss_create_internal_fqname(ctx,
|
||||
+ user->pw_name,
|
||||
+ dom->name);
|
||||
+ if (fqname == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ /* Prime the cache with a valid user */
|
||||
+ ret = sysdb_store_user(dom,
|
||||
+ fqname,
|
||||
+ user->pw_passwd,
|
||||
+ user->pw_uid,
|
||||
+ user->pw_gid,
|
||||
+ user->pw_gecos,
|
||||
+ user->pw_dir,
|
||||
+ user->pw_shell,
|
||||
+ NULL, attrs,
|
||||
+ NULL, 300, cache_update);
|
||||
+ talloc_free(fqname);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+/* ====================== Setup =============================== */
|
||||
+
|
||||
+static int test_sdap_initgr_setup_one_domain(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+ struct sss_test_conf_param **params;
|
||||
+
|
||||
+ assert_true(leak_check_setup());
|
||||
+
|
||||
+ test_ctx = talloc_zero(global_talloc_context, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ params = get_params(test_ctx);
|
||||
+ assert_non_null(params);
|
||||
+
|
||||
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH,
|
||||
+ TEST_CONF_DB, domains[0],
|
||||
+ TEST_ID_PROVIDER, params[0]);
|
||||
+ assert_non_null(test_ctx->tctx);
|
||||
+
|
||||
+ check_leaks_push(test_ctx);
|
||||
+ *state = test_ctx;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int test_sdap_initgr_setup_multi_domains(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+ struct sss_test_conf_param **params;
|
||||
+
|
||||
+ assert_true(leak_check_setup());
|
||||
+
|
||||
+ test_ctx = talloc_zero(global_talloc_context, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ params = get_params(test_ctx);
|
||||
+ assert_non_null(params);
|
||||
+
|
||||
+ test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
|
||||
+ TEST_CONF_DB, domains,
|
||||
+ TEST_ID_PROVIDER, params);
|
||||
+ assert_non_null(test_ctx->tctx);
|
||||
+
|
||||
+ check_leaks_push(test_ctx);
|
||||
+ *state = test_ctx;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int test_sdap_initgr_setup_other_multi_domains(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+ struct sss_test_conf_param **params;
|
||||
+ const char *domains_vith_other[] = { TEST_DOM1_NAME,
|
||||
+ TEST_DOM3_NAME,
|
||||
+ NULL };
|
||||
+
|
||||
+ assert_true(leak_check_setup());
|
||||
+
|
||||
+ test_ctx = talloc_zero(global_talloc_context, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ params = get_params(test_ctx);
|
||||
+ assert_non_null(params);
|
||||
+
|
||||
+ test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
|
||||
+ TEST_CONF_DB, domains_vith_other,
|
||||
+ TEST_ID_PROVIDER, params);
|
||||
+ assert_non_null(test_ctx->tctx);
|
||||
+
|
||||
+ check_leaks_push(test_ctx);
|
||||
+ *state = test_ctx;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int test_sdap_initgr_teardown(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+
|
||||
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ assert_true(check_leaks_pop(test_ctx) == true);
|
||||
+ talloc_free(test_ctx);
|
||||
+ assert_true(leak_check_teardown());
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/* ====================== The tests =============================== */
|
||||
+
|
||||
+static void test_user_is_on_batch(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+ struct sdap_get_initgr_state *initgr_state;
|
||||
+ const char *domains_set[] = { domains[0], NULL };
|
||||
+ struct sss_domain_info *dom1_info = NULL;
|
||||
+ struct sss_domain_info *dom2_info = NULL;
|
||||
+ struct passwd **passwd_users;
|
||||
+ struct sysdb_attrs **users;
|
||||
+ const char *user_name;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ dom1_info = get_domain_info(test_ctx->tctx->dom, domains[0]);
|
||||
+ assert_non_null(dom1_info);
|
||||
+ dom2_info = get_domain_info(test_ctx->tctx->dom, domains[1]);
|
||||
+ assert_non_null(dom2_info);
|
||||
+
|
||||
+ initgr_state = prepare_state(test_ctx, domains_set);
|
||||
+ assert_non_null(initgr_state);
|
||||
+
|
||||
+ passwd_users = get_users(test_ctx);
|
||||
+ assert_non_null(passwd_users);
|
||||
+
|
||||
+ ret = store_user(test_ctx, dom1_info, passwd_users[0], NULL, 0);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ ret = store_user(test_ctx, dom2_info, passwd_users[1], NULL, 0);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+
|
||||
+ users = talloc_array(test_ctx, struct sysdb_attrs *, 2);
|
||||
+ users[0] = mock_sysdb_user(users, object_bases[0],
|
||||
+ passwd_users[0]->pw_uid,
|
||||
+ passwd_users[0]->pw_name);
|
||||
+ users[1] = mock_sysdb_user(users, object_bases[1],
|
||||
+ passwd_users[1]->pw_uid,
|
||||
+ passwd_users[1]->pw_name);
|
||||
+
|
||||
+ ret = sdap_search_initgr_user_in_batch(initgr_state, users, 2);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+
|
||||
+ ret = sysdb_attrs_get_string(initgr_state->orig_user, "name", &user_name);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_string_equal(user_name, passwd_users[0]->pw_name);
|
||||
+
|
||||
+ talloc_zfree(initgr_state);
|
||||
+ talloc_zfree(passwd_users);
|
||||
+ talloc_zfree(users);
|
||||
+}
|
||||
+
|
||||
+static void test_user_is_from_subdomain(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+ struct sdap_get_initgr_state *initgr_state;
|
||||
+ const char *domains_set[] = { domains[0], NULL };
|
||||
+ struct sss_domain_info *dom_info = NULL;
|
||||
+ struct passwd **passwd_users;
|
||||
+ struct sysdb_attrs **users;
|
||||
+ const char *user_name;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ dom_info = get_domain_info(test_ctx->tctx->dom, domains[0]);
|
||||
+ assert_non_null(dom_info);
|
||||
+
|
||||
+ initgr_state = prepare_state(test_ctx, domains_set);
|
||||
+ assert_non_null(initgr_state);
|
||||
+
|
||||
+ passwd_users = get_users(test_ctx);
|
||||
+ assert_non_null(passwd_users);
|
||||
+
|
||||
+ ret = store_user(test_ctx, dom_info, passwd_users[0], NULL, 0);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+
|
||||
+ users = talloc_array(test_ctx, struct sysdb_attrs *, 1);
|
||||
+ users[0] = mock_sysdb_user(users, object_bases[1],
|
||||
+ passwd_users[1]->pw_uid,
|
||||
+ passwd_users[1]->pw_name);
|
||||
+
|
||||
+ const char *original_dn = NULL;
|
||||
+ ret = sysdb_attrs_get_string(users[0], SYSDB_ORIG_DN, &original_dn);
|
||||
+
|
||||
+ ret = sdap_search_initgr_user_in_batch(initgr_state, users, 1);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+
|
||||
+ ret = sysdb_attrs_get_string(initgr_state->orig_user, "name", &user_name);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+ assert_string_equal(user_name, passwd_users[1]->pw_name);
|
||||
+
|
||||
+ talloc_zfree(initgr_state);
|
||||
+ talloc_zfree(passwd_users);
|
||||
+ talloc_zfree(users);
|
||||
+}
|
||||
+
|
||||
+static void test_user_is_from_another_domain(void **state)
|
||||
+{
|
||||
+ struct test_sdap_initgr_ctx *test_ctx;
|
||||
+ struct sdap_get_initgr_state *initgr_state;
|
||||
+ const char *domains_set[] = { domains[0], domains[2], NULL };
|
||||
+ struct sss_domain_info *dom_info = NULL;
|
||||
+ struct sss_domain_info *other_dom_info = NULL;
|
||||
+ struct sdap_domain *other_sdom = NULL;
|
||||
+ struct passwd **passwd_users;
|
||||
+ struct sysdb_attrs **users;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ dom_info = get_domain_info(test_ctx->tctx->dom, domains[0]);
|
||||
+ assert_non_null(dom_info);
|
||||
+
|
||||
+ initgr_state = prepare_state(test_ctx, domains_set);
|
||||
+ assert_non_null(initgr_state);
|
||||
+
|
||||
+ other_dom_info = get_domain_info(test_ctx->tctx->dom, domains[2]);
|
||||
+ assert_non_null(other_dom_info);
|
||||
+
|
||||
+ ret = sdap_domain_add(initgr_state->opts, other_dom_info, &other_sdom);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ talloc_zfree(other_sdom->search_bases);
|
||||
+ other_sdom->search_bases = talloc_array(other_sdom,
|
||||
+ struct sdap_search_base *, 2);
|
||||
+ assert_non_null(other_sdom->search_bases);
|
||||
+ other_sdom->search_bases[1] = NULL;
|
||||
+
|
||||
+ ret = sdap_create_search_base(other_sdom, object_bases[2],
|
||||
+ LDAP_SCOPE_SUBTREE, NULL,
|
||||
+ &other_sdom->search_bases[0]);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ passwd_users = get_users(test_ctx);
|
||||
+ assert_non_null(passwd_users);
|
||||
+
|
||||
+ ret = store_user(test_ctx, dom_info, passwd_users[0], NULL, 0);
|
||||
+ assert_int_equal(ret, 0);
|
||||
+
|
||||
+ users = talloc_array(test_ctx, struct sysdb_attrs *, 1);
|
||||
+ users[0] = mock_sysdb_user(users, object_bases[2],
|
||||
+ passwd_users[2]->pw_uid,
|
||||
+ passwd_users[2]->pw_name);
|
||||
+
|
||||
+ ret = sdap_search_initgr_user_in_batch(initgr_state, users, 1);
|
||||
+ assert_int_equal(ret, EINVAL);
|
||||
+
|
||||
+ talloc_zfree(initgr_state);
|
||||
+ talloc_zfree(passwd_users);
|
||||
+ talloc_zfree(users);
|
||||
+}
|
||||
+
|
||||
+int main(int argc, const char *argv[])
|
||||
+{
|
||||
+ int rv;
|
||||
+ poptContext pc;
|
||||
+ int opt;
|
||||
+ struct poptOption long_options[] = {
|
||||
+ POPT_AUTOHELP
|
||||
+ SSSD_DEBUG_OPTS
|
||||
+ POPT_TABLEEND
|
||||
+ };
|
||||
+
|
||||
+ const struct CMUnitTest tests[] = {
|
||||
+ cmocka_unit_test_setup_teardown(test_user_is_on_batch,
|
||||
+ test_sdap_initgr_setup_multi_domains,
|
||||
+ test_sdap_initgr_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_user_is_from_subdomain,
|
||||
+ test_sdap_initgr_setup_one_domain,
|
||||
+ test_sdap_initgr_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_user_is_from_another_domain,
|
||||
+ test_sdap_initgr_setup_other_multi_domains,
|
||||
+ test_sdap_initgr_teardown),
|
||||
+ };
|
||||
+
|
||||
+ /* Set debug level to invalid value so we can deside if -d 0 was used. */
|
||||
+ debug_level = SSSDBG_INVALID;
|
||||
+
|
||||
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
|
||||
+ while((opt = poptGetNextOpt(pc)) != -1) {
|
||||
+ switch(opt) {
|
||||
+ default:
|
||||
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
|
||||
+ poptBadOption(pc, 0), poptStrerror(opt));
|
||||
+ poptPrintUsage(pc, stderr, 0);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ }
|
||||
+ poptFreeContext(pc);
|
||||
+
|
||||
+ DEBUG_CLI_INIT(debug_level);
|
||||
+
|
||||
+ /* Even though normally the tests should clean up after themselves
|
||||
+ * they might not after a failed run. Remove the old db to be sure */
|
||||
+ tests_set_cwd();
|
||||
+
|
||||
+ test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains);
|
||||
+ test_dom_suite_setup(TESTS_PATH);
|
||||
+
|
||||
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
|
||||
+ if (rv == 0) {
|
||||
+ test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains);
|
||||
+ }
|
||||
+
|
||||
+ return rv;
|
||||
+}
|
||||
--
|
||||
2.9.3
|
||||
|
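--- /dev/null
+++ b/0022-CONFDB-Add-passwd_files-and-group_files-options.patch
@@ -0,0 +1,165 @@
+From a40215878688cf10e35e6ba27893201c686395b3 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Fri, 14 Jul 2017 16:08:37 -0400
+Subject: [PATCH] CONFDB: Add passwd_files and group_files options
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add new options to the files provider allowing an administrator to
+configure the files provider to read and monitor multiple or
+non-standard passwd and group file sources. These options default to
+/etc/passwd and /etc/group when unset.
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit c1208b485924964a7a4fcf19562964acb47fc214)
+---
+Makefile.am | 3 ++-
+src/confdb/confdb.h | 4 ++++
+src/config/SSSDConfig/__init__.py.in | 6 +++++-
+src/config/cfg_rules.ini | 4 ++++
+src/config/etc/sssd.api.d/sssd-files.conf | 3 +++
+src/man/sssd-files.5.xml | 36 +++++++++++++++++++++++++++++--
+src/providers/files/files_init.c | 1 +
+7 files changed, 53 insertions(+), 4 deletions(-)
+create mode 100644 src/config/etc/sssd.api.d/sssd-files.conf
+
+diff --git a/Makefile.am b/Makefile.am
+index 25e996d2d..d52fe0670 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -4577,7 +4577,8 @@ dist_sssdapiplugin_DATA = \
+src/config/etc/sssd.api.d/sssd-ldap.conf \
+src/config/etc/sssd.api.d/sssd-local.conf \
+src/config/etc/sssd.api.d/sssd-proxy.conf \
+- src/config/etc/sssd.api.d/sssd-simple.conf
++ src/config/etc/sssd.api.d/sssd-simple.conf \
++ src/config/etc/sssd.api.d/sssd-files.conf
+
+edit_cmd = $(SED) \
+-e 's|@sbindir[@]|$(sbindir)|g' \
+diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
+index c97a9b804..1d322aaac 100644
+--- a/src/confdb/confdb.h
++++ b/src/confdb/confdb.h
+@@ -242,6 +242,10 @@
+#define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
+
++/* Files Provider */
++#define CONFDB_FILES_PASSWD "passwd_files"
++#define CONFDB_FILES_GROUP "group_files"
++
+/* Secrets Service */
+#define CONFDB_SEC_CONF_ENTRY "config/secrets"
+#define CONFDB_SEC_CONTAINERS_NEST_LEVEL "containers_nest_level"
+diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
+index 857d56cb5..32b74e4c7 100644
+--- a/src/config/SSSDConfig/__init__.py.in
++++ b/src/config/SSSDConfig/__init__.py.in
+@@ -473,7 +473,11 @@ option_strings = {
+'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
+
+# [provider/proxy/auth]
+- 'proxy_pam_target' : _('PAM stack to use')
++ 'proxy_pam_target' : _('PAM stack to use'),
++
++ # [provider/files]
++ 'passwd_files' : _('Path of passwd file sources.'),
++ 'group_files' : _('Path of group file sources.')
+}
+
+def striplist(l):
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index 4e70bf7b6..551322780 100644
+--- a/src/config/cfg_rules.ini
++++ b/src/config/cfg_rules.ini
+@@ -404,6 +404,10 @@ option = dyndns_force_tcp
+option = dyndns_auth
+option = dyndns_server
+
++# files provider specific options
++option = passwd_files
++option = group_files
++
+# local provider specific options
+option = create_homedir
+option = remove_homedir
+diff --git a/src/config/etc/sssd.api.d/sssd-files.conf b/src/config/etc/sssd.api.d/sssd-files.conf
+new file mode 100644
+index 000000000..2444d4924
+--- /dev/null
++++ b/src/config/etc/sssd.api.d/sssd-files.conf
+@@ -0,0 +1,3 @@
++[provider/files]
++passwd_files = str, None, false
++group_files = str, None, false
+diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml
+index d44fffc03..59e1b6523 100644
+--- a/src/man/sssd-files.5.xml
++++ b/src/man/sssd-files.5.xml
+@@ -56,14 +56,46 @@
+<refsect1 id='configuration-options'>
+<title>CONFIGURATION OPTIONS</title>
+<para>
+- The files provider has no specific options of its own, however,
+- generic SSSD domain options can be set where applicable.
++ In addition to the options listed below, generic SSSD domain options
++ can be set where applicable.
+Refer to the section <quote>DOMAIN SECTIONS</quote> of the
+<citerefentry>
+<refentrytitle>sssd.conf</refentrytitle>
+<manvolnum>5</manvolnum>
+</citerefentry> manual page for details on the configuration
+of an SSSD domain.
++ <variablelist>
++ <varlistentry>
++ <term>passwd_files (string)</term>
++ <listitem>
++ <para>
++ Comma-separated list of one or multiple password
++ filenames to be read and enumerated by the files
++ provider, inotify monitor watches will be set on
++ each file to detect changes dynamically.
++ </para>
++ <para>
++ Default: /etc/passwd
++ </para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
++ <term>group_files (string)</term>
++ <listitem>
++ <para>
++ Comma-separated list of one or multiple group
++ filenames to be read and enumerated by the files
++ provider, inotify monitor watches will be set on
++ each file to detect changes dynamically.
++ </para>
++ <para>
++ Default: /etc/group
++ </para>
++ </listitem>
++ </varlistentry>
++
++ </variablelist>
+</para>
+</refsect1>
+
+diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
+index 8e5cd4cf9..b8a051c34 100644
+--- a/src/providers/files/files_init.c
++++ b/src/providers/files/files_init.c
+@@ -21,6 +21,7 @@
+
+#include "providers/data_provider/dp.h"
+#include "providers/files/files_private.h"
++#include "util/util.h"
+
+int sssm_files_init(TALLOC_CTX *mem_ctx,
+struct be_ctx *be_ctx,
+--
+2.14.3
+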
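Review bot: The option descriptions added to the carried patch disagree with each other: the man page entry for passwd_files says "Comma-separated list of one or multiple password filenames", which reads as password stores rather than passwd(5) databases, while the SSSDConfig string `'passwd_files' : _('Path of passwd file sources.')` describes a single path even though cfg_rules.ini and the man page treat the value as a list. Suggest `'passwd_files' : _('Comma-separated list of passwd file sources.'),` and `'group_files' : _('Comma-separated list of group file sources.')` in __init__.py.in, and `Comma-separated list of one or multiple passwd(5)` in place of "password" in sssd-files.5.xml. The man page also says nothing about which process must be able to read the listed files or that the permission model of /etc/passwd and /etc/group is assumed; a sentence to that effect would help administrators who point the provider at non-standard paths, since the validation of those paths (if any) lives in the follow-up patch and is not visible here.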
@ -1,31 +0,0 @@
|
||||
From d8c459feab7659a51c23c941fea486867c2b9dae Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 17 Jan 2017 12:00:31 +0100
|
||||
Subject: [PATCH 22/79] ssh: fix number of output certificates
|
||||
|
||||
SSH responder returned invalid number of certificates when
|
||||
original ad pubkey attribute was not empty. Since we always
|
||||
return all certificates to the client we should add number
|
||||
of results to the output not override it.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/ssh/sshsrv_cmd.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
|
||||
index 2e64893dfc2018727e6fc5fb80b47bd7eb1fac58..bd6270d0f1b62323ef7d140193351fb8585ce2ec 100644
|
||||
--- a/src/responder/ssh/sshsrv_cmd.c
|
||||
+++ b/src/responder/ssh/sshsrv_cmd.c
|
||||
@@ -1012,7 +1012,7 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
|
||||
el_orig = ldb_msg_find_element(cmd_ctx->result,
|
||||
ORIGINALAD_PREFIX SYSDB_SSH_PUBKEY);
|
||||
if (el_orig) {
|
||||
- count = el_orig->num_values;
|
||||
+ count += el_orig->num_values;
|
||||
}
|
||||
|
||||
if (DOM_HAS_VIEWS(cmd_ctx->domain)) {
|
||||
--
|
||||
2.9.3
|
||||
|
721
0023-FILES-Handle-files-provider-sources.patch
Normal file
721
0023-FILES-Handle-files-provider-sources.patch
Normal file
@ -0,0 +1,721 @@
|
||||
From 2eb09d21d486e83a3a844fda0a504bbc479c9b3a Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Mon, 17 Jul 2017 15:01:36 -0400
|
||||
Subject: [PATCH] FILES: Handle files provider sources
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Setup watches on passwd and group files provided with the files provider
|
||||
options passwd_files and group_files lists
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3402
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit 0d6d493f68bb83a046d351cb3035b08ef5456b50)
|
||||
---
|
||||
src/providers/files/files_init.c | 161 +++++++++++++++++---
|
||||
src/providers/files/files_ops.c | 285 ++++++++++++++++++++++--------------
|
||||
src/providers/files/files_private.h | 8 +-
|
||||
3 files changed, 327 insertions(+), 127 deletions(-)
|
||||
|
||||
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
|
||||
index b8a051c34..746c04af1 100644
|
||||
--- a/src/providers/files/files_init.c
|
||||
+++ b/src/providers/files/files_init.c
|
||||
@@ -23,6 +23,138 @@
|
||||
#include "providers/files/files_private.h"
|
||||
#include "util/util.h"
|
||||
|
||||
+#define DEFAULT_PASSWD_FILE "/etc/passwd"
|
||||
+#define DEFAULT_GROUP_FILE "/etc/group"
|
||||
+
|
||||
+static errno_t files_init_file_sources(TALLOC_CTX *mem_ctx,
|
||||
+ struct be_ctx *be_ctx,
|
||||
+ const char ***_passwd_files,
|
||||
+ const char ***_group_files)
|
||||
+{
|
||||
+ TALLOC_CTX *tmp_ctx = NULL;
|
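Review bot: In sf_passwd_cb the new error paths jump to `done:` past `id_ctx->updating_passwd = false`, `sf_cb_done(id_ctx)` and `files_account_info_finished(id_ctx, BE_REQ_USER, ret)`, which the pre-patch code ran unconditionally after `sf_enum_users`; a failed transaction start, delete or enumeration now leaves `updating_passwd` stuck at true and never completes the requests queued while the refresh ran, and sf_group_cb has the same shape with `updating_groups`/`BE_REQ_GROUP`. Moving the completion into `done:` (guarded by `id_ctx != NULL` for the EINVAL path) restores the old behaviour and also lets the cancel branch log `tret` instead of `ret`, a slip carried over from the removed code into all three `done:` labels. Separately, the loops in sf_init overwrite `fctx->pwd_watch`/`fctx->grp_watch` on every iteration, so the NULL check after them only validates the last file of each list, and because `fctx` comes from `talloc()` rather than `talloc_zero()` an empty list leaves the field uninitialised when it is read; checking the return value inside each iteration would cover both. In files_init_file_sources the group-file trace prints `DEFAULT_GROUP_FILE` where the passwd branch prints the resolved `dfl_passwd_files`; it should print `env_group_files`.
```c
    /* … unchanged: transaction start, delete_all_users, enumeration loops, commit … */
    ret = EOK;
done:
    if (in_transaction) {
        tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
        if (tret != EOK) {
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "Cannot cancel transaction: %d\n", tret);
        }
    }

    /* Run the completion on every path, as the pre-patch code did, so that
     * requests waiting on the refresh are answered with the error instead of
     * never finishing. id_ctx is NULL only on the EINVAL path above. */
    if (id_ctx != NULL) {
        id_ctx->updating_passwd = false;
        sf_cb_done(id_ctx);
        files_account_info_finished(id_ctx, BE_REQ_USER, ret);
    }

    return ret;
```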
||||
+ char *conf_passwd_files;
|
||||
+ char *conf_group_files;
|
||||
+ char **passwd_list = NULL;
|
||||
+ char **group_list = NULL;
|
||||
+ int num_passwd_files = 0;
|
||||
+ int num_group_files = 0;
|
||||
+ const char **passwd_files = NULL;
|
||||
+ const char **group_files = NULL;
|
||||
+ const char *dfl_passwd_files = NULL;
|
||||
+ const char *env_group_files = NULL;
|
||||
+ int i;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ tmp_ctx = talloc_new(NULL);
|
||||
+ if (tmp_ctx == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ dfl_passwd_files = getenv("SSS_FILES_PASSWD");
|
||||
+ if (dfl_passwd_files) {
|
||||
+ sss_log(SSS_LOG_ALERT,
|
||||
+ "Defaulting to %s for the passwd file, "
|
||||
+ "this should only be used for testing!\n",
|
||||
+ dfl_passwd_files);
|
||||
+ } else {
|
||||
+ dfl_passwd_files = DEFAULT_PASSWD_FILE;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "Using default passwd file: [%s].\n", dfl_passwd_files);
|
||||
+
|
||||
+ env_group_files = getenv("SSS_FILES_GROUP");
|
||||
+ if (env_group_files) {
|
||||
+ sss_log(SSS_LOG_ALERT,
|
||||
+ "Defaulting to %s for the group file, "
|
||||
+ "this should only be used for testing!\n",
|
||||
+ env_group_files);
|
||||
+ } else {
|
||||
+ env_group_files = DEFAULT_GROUP_FILE;
|
||||
+ }
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "Using default group file: [%s].\n", DEFAULT_GROUP_FILE);
|
||||
+
|
||||
+ ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
|
||||
+ CONFDB_FILES_PASSWD, dfl_passwd_files,
|
||||
+ &conf_passwd_files);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to retrieve confdb passwd files!\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
|
||||
+ CONFDB_FILES_GROUP, env_group_files,
|
||||
+ &conf_group_files);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to retrieve confdb group files!\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = split_on_separator(tmp_ctx, conf_passwd_files, ',', true, true,
|
||||
+ &passwd_list, &num_passwd_files);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to parse passwd list!\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ passwd_files = talloc_zero_array(tmp_ctx, const char *,
|
||||
+ num_passwd_files + 1);
|
||||
+ if (passwd_files == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < num_passwd_files; i++) {
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "Using passwd file: [%s].\n", passwd_list[i]);
|
||||
+
|
||||
+ passwd_files[i] = talloc_strdup(passwd_files, passwd_list[i]);
|
||||
+ if (passwd_files[i] == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* Retrieve list of group files */
|
||||
+ ret = split_on_separator(tmp_ctx, conf_group_files, ',', true, true,
|
||||
+ &group_list, &num_group_files);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Failed to parse group files!\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ group_files = talloc_zero_array(tmp_ctx, const char *,
|
||||
+ num_group_files + 1);
|
||||
+ if (group_files == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < num_group_files; i++) {
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "Using group file: [%s].\n", group_list[i]);
|
||||
+ group_files[i] = talloc_strdup(group_files, group_list[i]);
|
||||
+ if (group_files[i] == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ *_passwd_files = talloc_steal(mem_ctx, passwd_files);
|
||||
+ *_group_files = talloc_steal(mem_ctx, group_files);
|
||||
+
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(tmp_ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int sssm_files_init(TALLOC_CTX *mem_ctx,
|
||||
struct be_ctx *be_ctx,
|
||||
struct data_provider *provider,
|
||||
@@ -30,32 +162,27 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
|
||||
void **_module_data)
|
||||
{
|
||||
struct files_id_ctx *ctx;
|
||||
- int ret;
|
||||
- const char *passwd_file = NULL;
|
||||
- const char *group_file = NULL;
|
||||
-
|
||||
- /* So far this is mostly useful for tests */
|
||||
- passwd_file = getenv("SSS_FILES_PASSWD");
|
||||
- if (passwd_file == NULL) {
|
||||
- passwd_file = "/etc/passwd";
|
||||
- }
|
||||
-
|
||||
- group_file = getenv("SSS_FILES_GROUP");
|
||||
- if (group_file == NULL) {
|
||||
- group_file = "/etc/group";
|
||||
- }
|
||||
+ errno_t ret;
|
||||
|
||||
ctx = talloc_zero(mem_ctx, struct files_id_ctx);
|
||||
if (ctx == NULL) {
|
||||
return ENOMEM;
|
||||
}
|
||||
+
|
||||
ctx->be = be_ctx;
|
||||
ctx->domain = be_ctx->domain;
|
||||
- ctx->passwd_file = passwd_file;
|
||||
- ctx->group_file = group_file;
|
||||
+
|
||||
+ ret = files_init_file_sources(ctx, be_ctx,
|
||||
+ &ctx->passwd_files,
|
||||
+ &ctx->group_files);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize the passwd/group source files\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
|
||||
ctx->fctx = sf_init(ctx, be_ctx->ev,
|
||||
- ctx->passwd_file, ctx->group_file,
|
||||
+ ctx->passwd_files,
|
||||
+ ctx->group_files,
|
||||
ctx);
|
||||
if (ctx->fctx == NULL) {
|
||||
ret = ENOMEM;
|
||||
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
|
||||
index b59a94252..a2a2798d3 100644
|
||||
--- a/src/providers/files/files_ops.c
|
||||
+++ b/src/providers/files/files_ops.c
|
||||
@@ -44,6 +44,7 @@ struct files_ctx {
|
||||
|
||||
static errno_t enum_files_users(TALLOC_CTX *mem_ctx,
|
||||
struct files_id_ctx *id_ctx,
|
||||
+ const char *passwd_file,
|
||||
struct passwd ***_users)
|
||||
{
|
||||
errno_t ret, close_ret;
|
||||
@@ -53,12 +54,12 @@ static errno_t enum_files_users(TALLOC_CTX *mem_ctx,
|
||||
FILE *pwd_handle = NULL;
|
||||
size_t n_users = 0;
|
||||
|
||||
- pwd_handle = fopen(id_ctx->passwd_file, "r");
|
||||
+ pwd_handle = fopen(passwd_file, "r");
|
||||
if (pwd_handle == NULL) {
|
||||
ret = errno;
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Cannot open passwd file %s [%d]\n",
|
||||
- id_ctx->passwd_file, ret);
|
||||
+ passwd_file, ret);
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -133,7 +134,7 @@ done:
|
||||
close_ret = errno;
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Cannot close passwd file %s [%d]\n",
|
||||
- id_ctx->passwd_file, close_ret);
|
||||
+ passwd_file, close_ret);
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
@@ -141,6 +142,7 @@ done:
|
||||
|
||||
static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
|
||||
struct files_id_ctx *id_ctx,
|
||||
+ const char *group_file,
|
||||
struct group ***_groups)
|
||||
{
|
||||
errno_t ret, close_ret;
|
||||
@@ -150,12 +152,12 @@ static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
|
||||
size_t n_groups = 0;
|
||||
FILE *grp_handle = NULL;
|
||||
|
||||
- grp_handle = fopen(id_ctx->group_file, "r");
|
||||
+ grp_handle = fopen(group_file, "r");
|
||||
if (grp_handle == NULL) {
|
||||
ret = errno;
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Cannot open group file %s [%d]\n",
|
||||
- id_ctx->group_file, ret);
|
||||
+ group_file, ret);
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -237,7 +239,7 @@ done:
|
||||
close_ret = errno;
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Cannot close group file %s [%d]\n",
|
||||
- id_ctx->group_file, close_ret);
|
||||
+ group_file, close_ret);
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
@@ -446,35 +448,23 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-static errno_t sf_enum_groups(struct files_id_ctx *id_ctx);
|
||||
+static errno_t sf_enum_groups(struct files_id_ctx *id_ctx,
|
||||
+ const char *group_file);
|
||||
|
||||
-errno_t sf_enum_users(struct files_id_ctx *id_ctx)
|
||||
+errno_t sf_enum_users(struct files_id_ctx *id_ctx,
|
||||
+ const char *passwd_file)
|
||||
{
|
||||
errno_t ret;
|
||||
- errno_t tret;
|
||||
TALLOC_CTX *tmp_ctx = NULL;
|
||||
struct passwd **users = NULL;
|
||||
- bool in_transaction = false;
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (tmp_ctx == NULL) {
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
- ret = enum_files_users(tmp_ctx, id_ctx, &users);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- in_transaction = true;
|
||||
-
|
||||
- /* remove previous cache contents */
|
||||
- /* FIXME - this is terribly inefficient */
|
||||
- ret = delete_all_users(id_ctx->domain);
|
||||
+ ret = enum_files_users(tmp_ctx, id_ctx, passwd_file,
|
||||
+ &users);
|
||||
if (ret != EOK) {
|
||||
goto done;
|
||||
}
|
||||
@@ -496,31 +486,8 @@ errno_t sf_enum_users(struct files_id_ctx *id_ctx)
|
||||
"override values might not be available.\n");
|
||||
}
|
||||
|
||||
- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- in_transaction = false;
|
||||
-
|
||||
- /* Covers the case when someone edits /etc/group, adds a group member and
|
||||
- * only then edits passwd and adds the user. The reverse is not needed,
|
||||
- * because member/memberof links are established when groups are saved.
|
||||
- */
|
||||
- ret = sf_enum_groups(id_ctx);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Cannot refresh groups\n");
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
ret = EOK;
|
||||
done:
|
||||
- if (in_transaction) {
|
||||
- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
|
||||
- if (tret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Cannot cancel transaction: %d\n", ret);
|
||||
- }
|
||||
- }
|
||||
talloc_free(tmp_ctx);
|
||||
return ret;
|
||||
}
|
||||
@@ -698,13 +665,12 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-static errno_t sf_enum_groups(struct files_id_ctx *id_ctx)
|
||||
+static errno_t sf_enum_groups(struct files_id_ctx *id_ctx,
|
||||
+ const char *group_file)
|
||||
{
|
||||
errno_t ret;
|
||||
- errno_t tret;
|
||||
TALLOC_CTX *tmp_ctx = NULL;
|
||||
struct group **groups = NULL;
|
||||
- bool in_transaction = false;
|
||||
const char **cached_users = NULL;
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
@@ -712,7 +678,8 @@ static errno_t sf_enum_groups(struct files_id_ctx *id_ctx)
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
- ret = enum_files_groups(tmp_ctx, id_ctx, &groups);
|
||||
+ ret = enum_files_groups(tmp_ctx, id_ctx, group_file,
|
||||
+ &groups);
|
||||
if (ret != EOK) {
|
||||
goto done;
|
||||
}
|
||||
@@ -722,18 +689,6 @@ static errno_t sf_enum_groups(struct files_id_ctx *id_ctx)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- in_transaction = true;
|
||||
-
|
||||
- /* remove previous cache contents */
|
||||
- ret = delete_all_groups(id_ctx->domain);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
for (size_t i = 0; groups[i]; i++) {
|
||||
ret = save_file_group(id_ctx, groups[i], cached_users);
|
||||
if (ret != EOK) {
|
||||
@@ -750,21 +705,8 @@ static errno_t sf_enum_groups(struct files_id_ctx *id_ctx)
|
||||
"override values might not be available.\n");
|
||||
}
|
||||
|
||||
- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- in_transaction = false;
|
||||
-
|
||||
ret = EOK;
|
||||
done:
|
||||
- if (in_transaction) {
|
||||
- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
|
||||
- if (tret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Cannot cancel transaction: %d\n", ret);
|
||||
- }
|
||||
- }
|
||||
talloc_free(tmp_ctx);
|
||||
return ret;
|
||||
}
|
||||
@@ -783,21 +725,17 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
|
||||
{
|
||||
struct files_id_ctx *id_ctx;
|
||||
errno_t ret;
|
||||
+ errno_t tret;
|
||||
+ bool in_transaction = false;
|
||||
|
||||
id_ctx = talloc_get_type(pvt, struct files_id_ctx);
|
||||
if (id_ctx == NULL) {
|
||||
- return EINVAL;
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "passwd notification\n");
|
||||
|
||||
- if (strcmp(filename, id_ctx->passwd_file) != 0) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Wrong file, expected %s, got %s\n",
|
||||
- id_ctx->passwd_file, filename);
|
||||
- return EINVAL;
|
||||
- }
|
||||
-
|
||||
id_ctx->updating_passwd = true;
|
||||
dp_sbus_domain_inconsistent(id_ctx->be->provider, id_ctx->domain);
|
||||
|
||||
@@ -805,11 +743,64 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
|
||||
dp_sbus_reset_users_memcache(id_ctx->be->provider);
|
||||
dp_sbus_reset_initgr_memcache(id_ctx->be->provider);
|
||||
|
||||
- ret = sf_enum_users(id_ctx);
|
||||
+ ret = sysdb_transaction_start(id_ctx->domain->sysdb);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ in_transaction = true;
|
||||
+
|
||||
+ ret = delete_all_users(id_ctx->domain);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* All users were deleted, therefore we need to enumerate each file again */
|
||||
+ for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
|
||||
+ ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* Covers the case when someone edits /etc/group, adds a group member and
|
||||
+ * only then edits passwd and adds the user. The reverse is not needed,
|
||||
+ * because member/memberof links are established when groups are saved.
|
||||
+ */
|
||||
+ ret = delete_all_groups(id_ctx->domain);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* All groups were deleted, therefore we need to enumerate each file again */
|
||||
+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
|
||||
+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ in_transaction = false;
|
||||
|
||||
id_ctx->updating_passwd = false;
|
||||
sf_cb_done(id_ctx);
|
||||
files_account_info_finished(id_ctx, BE_REQ_USER, ret);
|
||||
+
|
||||
+ ret = EOK;
|
||||
+done:
|
||||
+ if (in_transaction) {
|
||||
+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
|
||||
+ if (tret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Cannot cancel transaction: %d\n", ret);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -817,21 +808,17 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
|
||||
{
|
||||
struct files_id_ctx *id_ctx;
|
||||
errno_t ret;
|
||||
+ errno_t tret;
|
||||
+ bool in_transaction = false;
|
||||
|
||||
id_ctx = talloc_get_type(pvt, struct files_id_ctx);
|
||||
if (id_ctx == NULL) {
|
||||
- return EINVAL;
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "group notification\n");
|
||||
|
||||
- if (strcmp(filename, id_ctx->group_file) != 0) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Wrong file, expected %s, got %s\n",
|
||||
- id_ctx->group_file, filename);
|
||||
- return EINVAL;
|
||||
- }
|
||||
-
|
||||
id_ctx->updating_groups = true;
|
||||
dp_sbus_domain_inconsistent(id_ctx->be->provider, id_ctx->domain);
|
||||
|
||||
@@ -839,11 +826,47 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
|
||||
dp_sbus_reset_groups_memcache(id_ctx->be->provider);
|
||||
dp_sbus_reset_initgr_memcache(id_ctx->be->provider);
|
||||
|
||||
- ret = sf_enum_groups(id_ctx);
|
||||
+ ret = sysdb_transaction_start(id_ctx->domain->sysdb);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ in_transaction = true;
|
||||
+
|
||||
+ ret = delete_all_groups(id_ctx->domain);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* All groups were deleted, therefore we need to enumerate each file again */
|
||||
+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
|
||||
+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ in_transaction = false;
|
||||
|
||||
id_ctx->updating_groups = false;
|
||||
sf_cb_done(id_ctx);
|
||||
files_account_info_finished(id_ctx, BE_REQ_GROUP, ret);
|
||||
+
|
||||
+ ret = EOK;
|
||||
+
|
||||
+done:
|
||||
+ if (in_transaction) {
|
||||
+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
|
||||
+ if (tret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Cannot cancel transaction: %d\n", ret);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -853,19 +876,62 @@ static void startup_enum_files(struct tevent_context *ev,
|
||||
{
|
||||
struct files_id_ctx *id_ctx = talloc_get_type(pvt, struct files_id_ctx);
|
||||
errno_t ret;
|
||||
+ errno_t tret;
|
||||
+ bool in_transaction = false;
|
||||
|
||||
talloc_zfree(imm);
|
||||
|
||||
- ret = sf_enum_users(id_ctx);
|
||||
+ ret = sysdb_transaction_start(id_ctx->domain->sysdb);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Enumerating users failed, data might be inconsistent!\n");
|
||||
+ goto done;
|
||||
}
|
||||
+ in_transaction = true;
|
||||
|
||||
- ret = sf_enum_groups(id_ctx);
|
||||
+ ret = delete_all_users(id_ctx->domain);
|
||||
if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Enumerating groups failed, data might be inconsistent!\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = delete_all_groups(id_ctx->domain);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "Startup user enumeration of [%s]\n", id_ctx->passwd_files[i]);
|
||||
+ ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Enumerating users failed, data might be inconsistent!\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC,
|
||||
+ "Startup group enumeration of [%s]\n", id_ctx->group_files[i]);
|
||||
+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Enumerating groups failed, data might be inconsistent!\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ in_transaction = false;
|
||||
+
|
||||
+done:
|
||||
+ if (in_transaction) {
|
||||
+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
|
||||
+ if (tret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Cannot cancel transaction: %d\n", ret);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -884,22 +950,29 @@ static struct snotify_ctx *sf_setup_watch(TALLOC_CTX *mem_ctx,
|
||||
|
||||
struct files_ctx *sf_init(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *ev,
|
||||
- const char *passwd_file,
|
||||
- const char *group_file,
|
||||
+ const char **passwd_files,
|
||||
+ const char **group_files,
|
||||
struct files_id_ctx *id_ctx)
|
||||
{
|
||||
struct files_ctx *fctx;
|
||||
struct tevent_immediate *imm;
|
||||
+ int i;
|
||||
|
||||
fctx = talloc(mem_ctx, struct files_ctx);
|
||||
if (fctx == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- fctx->pwd_watch = sf_setup_watch(fctx, ev, passwd_file,
|
||||
- sf_passwd_cb, id_ctx);
|
||||
- fctx->grp_watch = sf_setup_watch(fctx, ev, group_file,
|
||||
- sf_group_cb, id_ctx);
|
||||
+ for (i = 0; passwd_files[i]; i++) {
|
||||
+ fctx->pwd_watch = sf_setup_watch(fctx, ev, passwd_files[i],
|
||||
+ sf_passwd_cb, id_ctx);
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; group_files[i]; i++) {
|
||||
+ fctx->grp_watch = sf_setup_watch(fctx, ev, group_files[i],
|
||||
+ sf_group_cb, id_ctx);
|
||||
+ }
|
||||
+
|
||||
if (fctx->pwd_watch == NULL || fctx->grp_watch == NULL) {
|
||||
talloc_free(fctx);
|
||||
return NULL;
|
||||
diff --git a/src/providers/files/files_private.h b/src/providers/files/files_private.h
|
||||
index a7d195c90..f44e6d458 100644
|
||||
--- a/src/providers/files/files_private.h
|
||||
+++ b/src/providers/files/files_private.h
|
||||
@@ -39,8 +39,8 @@ struct files_id_ctx {
|
||||
struct sss_domain_info *domain;
|
||||
struct files_ctx *fctx;
|
||||
|
||||
- const char *passwd_file;
|
||||
- const char *group_file;
|
||||
+ const char **passwd_files;
|
||||
+ const char **group_files;
|
||||
|
||||
bool updating_passwd;
|
||||
bool updating_groups;
|
||||
@@ -53,8 +53,8 @@ struct files_id_ctx {
|
||||
/* files_ops.c */
|
||||
struct files_ctx *sf_init(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *ev,
|
||||
- const char *passwd_file,
|
||||
- const char *group_file,
|
||||
+ const char **passwd_files,
|
||||
+ const char **group_files,
|
||||
struct files_id_ctx *id_ctx);
|
||||
|
||||
/* files_id.c */
|
||||
--
|
||||
2.14.3
|
||||
|
@ -1,76 +0,0 @@
|
||||
From e33744e8cc82390153c94ace53c16f72365b9fd9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 17 Jan 2017 11:58:06 +0100
|
||||
Subject: [PATCH 23/79] ssh: do not create again fq name
|
||||
|
||||
We store fully qualified name in sysdb so there is no need to append
|
||||
the domain part again which result in name@domain@domain string.
|
||||
This field is not actually used in ssh client so it doesn't cause
|
||||
any issue but we should stay correct here.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/ssh/sshsrv_cmd.c | 20 ++++++--------------
|
||||
1 file changed, 6 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
|
||||
index bd6270d0f1b62323ef7d140193351fb8585ce2ec..195d5763e9c5f4f9ff2f2f5ac49cd856d9198e7a 100644
|
||||
--- a/src/responder/ssh/sshsrv_cmd.c
|
||||
+++ b/src/responder/ssh/sshsrv_cmd.c
|
||||
@@ -982,8 +982,7 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
|
||||
struct ldb_message_element *el_user_cert_keys = NULL;
|
||||
uint32_t count = 0;
|
||||
const char *name;
|
||||
- char *fqname;
|
||||
- uint32_t fqname_len;
|
||||
+ uint32_t name_len;
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
struct ssh_ctx *ssh_ctx;
|
||||
struct cli_protocol *pctx;
|
||||
@@ -1060,38 +1059,31 @@ ssh_cmd_build_reply(struct ssh_cmd_ctx *cmd_ctx)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- fqname = talloc_asprintf(cmd_ctx, "%s@%s",
|
||||
- name, cmd_ctx->domain->name);
|
||||
- if (!fqname) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- fqname_len = strlen(fqname)+1;
|
||||
+ name_len = strlen(name) + 1;
|
||||
|
||||
ret = decode_and_add_base64_data(cmd_ctx, el, false, ssh_ctx,
|
||||
- fqname_len, fqname, &c);
|
||||
+ name_len, name, &c);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
ret = decode_and_add_base64_data(cmd_ctx, el_orig, false, ssh_ctx,
|
||||
- fqname_len, fqname, &c);
|
||||
+ name_len, name, &c);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
ret = decode_and_add_base64_data(cmd_ctx, el_override, false, ssh_ctx,
|
||||
- fqname_len, fqname, &c);
|
||||
+ name_len, name, &c);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
|
||||
goto done;
|
||||
}
|
||||
|
||||
ret = decode_and_add_base64_data(cmd_ctx, el_user_cert_keys, true, ssh_ctx,
|
||||
- fqname_len, fqname, &c);
|
||||
+ name_len, name, &c);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n");
|
||||
goto done;
|
||||
--
|
||||
2.9.3
|
||||
|
123
0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch
Normal file
@ -0,0 +1,123 @@
|
||||
From bb1455ce8d45d026f173f402bce29bf97af8c44d Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 26 Mar 2018 17:30:14 +0200
|
||||
Subject: [PATCH] TESTS: Add a test for the multiple files feature
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds an integration test for the new feature.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 4a9100a588ade253cecb2224b95bd8caa8136109)
|
||||
---
|
||||
src/tests/intg/test_files_provider.py | 61 ++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 60 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
|
||||
index 41bfd8844..ce5c7b774 100644
|
||||
--- a/src/tests/intg/test_files_provider.py
|
||||
+++ b/src/tests/intg/test_files_provider.py
|
||||
@@ -25,6 +25,7 @@ import subprocess
|
||||
import pwd
|
||||
import grp
|
||||
import pytest
|
||||
+import tempfile
|
||||
|
||||
import ent
|
||||
import sssd_id
|
||||
@@ -33,7 +34,7 @@ from sssd_passwd import (call_sssd_getpwnam,
|
||||
call_sssd_enumeration,
|
||||
call_sssd_getpwuid)
|
||||
from sssd_group import call_sssd_getgrnam, call_sssd_getgrgid
|
||||
-from files_ops import passwd_ops_setup, group_ops_setup
|
||||
+from files_ops import passwd_ops_setup, group_ops_setup, PasswdOps, GroupOps
|
||||
from util import unindent
|
||||
|
||||
# Sync this with files_ops.c
|
||||
@@ -59,6 +60,11 @@ OV_USER1 = dict(name='ov_user1', passwd='x', uid=10010, gid=20010,
|
||||
dir='/home/ov/user1',
|
||||
shell='/bin/ov_user1_shell')
|
||||
|
||||
+ALT_USER1 = dict(name='altuser1', passwd='x', uid=60001, gid=70001,
|
||||
+ gecos='User for tests from alt files',
|
||||
+ dir='/home/altuser1',
|
||||
+ shell='/bin/bash')
|
||||
+
|
||||
CANARY_GR = dict(name='canary',
|
||||
gid=300001,
|
||||
mem=[])
|
||||
@@ -79,6 +85,10 @@ GROUP_NOMEM = dict(name='group_nomem',
|
||||
gid=40000,
|
||||
mem=[])
|
||||
|
||||
+ALT_GROUP1 = dict(name='alt_group1',
|
||||
+ gid=80001,
|
||||
+ mem=['alt_user1'])
|
||||
+
|
||||
|
||||
def start_sssd():
|
||||
"""Start sssd and add teardown for stopping it and removing state"""
|
||||
@@ -145,6 +155,38 @@ def files_domain_only(request):
|
||||
return None
|
||||
|
||||
|
||||
+@pytest.fixture
|
||||
+def files_multiple_sources(request):
|
||||
+ _, alt_passwd_path = tempfile.mkstemp(prefix='altpasswd')
|
||||
+ request.addfinalizer(lambda: os.unlink(alt_passwd_path))
|
||||
+ alt_pwops = PasswdOps(alt_passwd_path)
|
||||
+
|
||||
+ _, alt_group_path = tempfile.mkstemp(prefix='altgroup')
|
||||
+ request.addfinalizer(lambda: os.unlink(alt_group_path))
|
||||
+ alt_grops = GroupOps(alt_group_path)
|
||||
+
|
||||
+ passwd_list = ",".join([os.environ["NSS_WRAPPER_PASSWD"], alt_passwd_path])
|
||||
+ group_list = ",".join([os.environ["NSS_WRAPPER_GROUP"], alt_group_path])
|
||||
+
|
||||
+ conf = unindent("""\
|
||||
+ [sssd]
|
||||
+ domains = files
|
||||
+ services = nss
|
||||
+
|
||||
+ [nss]
|
||||
+ debug_level = 10
|
||||
+
|
||||
+ [domain/files]
|
||||
+ id_provider = files
|
||||
+ passwd_files = {passwd_list}
|
||||
+ group_files = {group_list}
|
||||
+ debug_level = 10
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return alt_pwops, alt_grops
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def proxy_to_files_domain_only(request):
|
||||
conf = unindent("""\
|
||||
@@ -1054,3 +1096,20 @@ def test_no_sssd_conf(add_user_with_canary, no_sssd_conf):
|
||||
res, user = sssd_getpwnam_sync(USER1["name"])
|
||||
assert res == NssReturnCode.SUCCESS
|
||||
assert user == USER1
|
||||
+
|
||||
+
|
||||
+def test_multiple_passwd_group_files(add_user_with_canary,
|
||||
+ add_group_with_canary,
|
||||
+ files_multiple_sources):
|
||||
+ """
|
||||
+ Test that users and groups can be mirrored from multiple files
|
||||
+ """
|
||||
+ alt_pwops, alt_grops = files_multiple_sources
|
||||
+ alt_pwops.useradd(**ALT_USER1)
|
||||
+ alt_grops.groupadd(**ALT_GROUP1)
|
||||
+
|
||||
+ check_user(USER1)
|
||||
+ check_user(ALT_USER1)
|
||||
+
|
||||
+ check_group(GROUP1)
|
||||
+ check_group(ALT_GROUP1)
|
||||
--
|
||||
2.14.3
|
||||
|
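Review bot: The files_multiple_sources fixture discards the descriptor returned by `tempfile.mkstemp` for both the passwd and the group file (`_, alt_passwd_path = ...`), so each fixture use leaks two open file descriptors for the lifetime of the test process; capture and close them, e.g. `fd, alt_passwd_path = tempfile.mkstemp(prefix='altpasswd')` followed by `os.close(fd)`, and the same for `alt_group_path`. The test data is also inconsistent: `ALT_USER1` is named `'altuser1'` while `ALT_GROUP1` lists `mem=['alt_user1']`, so the group's only member does not refer to the user the test adds, and whether `check_group(ALT_GROUP1)` then passes depends on how the responder treats unknown members rather than on the feature under test. Using the same spelling in both dicts would make the membership assertion meaningful.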
@ -1,198 +0,0 @@
|
||||
From 2b5704cd96a085b99d3b0d4f80f4414adc134750 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 3 Feb 2017 12:44:15 +0100
|
||||
Subject: [PATCH 24/79] sss_parse_inp_send: provide default_domain as parameter
|
||||
|
||||
It is not always desirable to consider default_domain from configuration
|
||||
but expect none instead. For example when we search host certificates.
|
||||
|
||||
This is currently not used in this patch since host lookups parse
|
||||
name directly with sss_parse_name but it will be used in the next
|
||||
patch.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/cache_req.c | 3 ++-
|
||||
src/responder/common/responder.h | 5 ++++-
|
||||
src/responder/common/responder_get_domains.c | 30 ++++++++++++++++++++++++----
|
||||
src/responder/ifp/ifpsrv_cmd.c | 2 +-
|
||||
src/tests/cmocka/common_mock_resp_dp.c | 4 +++-
|
||||
src/tests/cmocka/test_responder_common.c | 12 +++++++----
|
||||
6 files changed, 44 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
||||
index f546e6130a181f7b6d3fc1aca8ad0766e8a7f19d..e5026e1a869064fe81cc04e3b2bbd8c4cefec304 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.c
|
||||
+++ b/src/responder/common/cache_req/cache_req.c
|
||||
@@ -415,7 +415,8 @@ static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx,
|
||||
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
|
||||
"Parsing input name [%s]\n", cr->data->name.input);
|
||||
|
||||
- subreq = sss_parse_inp_send(mem_ctx, cr->rctx, cr->data->name.input);
|
||||
+ subreq = sss_parse_inp_send(mem_ctx, cr->rctx, cr->rctx->default_domain,
|
||||
+ cr->data->name.input);
|
||||
if (subreq == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
|
||||
return ENOMEM;
|
||||
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
|
||||
index d1fa532be3402214842da50e037f5f8d149631fb..c387c6ec326c612eef8798673c1c70c67efd5452 100644
|
||||
--- a/src/responder/common/responder.h
|
||||
+++ b/src/responder/common/responder.h
|
||||
@@ -347,8 +347,11 @@ errno_t check_allowed_uids(uid_t uid, size_t allowed_uids_count,
|
||||
uid_t *allowed_uids);
|
||||
|
||||
struct tevent_req *
|
||||
-sss_parse_inp_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
|
||||
+sss_parse_inp_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ const char *default_domain,
|
||||
const char *rawinp);
|
||||
+
|
||||
errno_t sss_parse_inp_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
|
||||
char **_name, char **_domname);
|
||||
|
||||
diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c
|
||||
index cc7b99f30046569547a08f83e46cbbe9d6c19897..0f39d107dad6c458785b1b8d708e60d7c34e3901 100644
|
||||
--- a/src/responder/common/responder_get_domains.c
|
||||
+++ b/src/responder/common/responder_get_domains.c
|
||||
@@ -443,6 +443,7 @@ errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
|
||||
|
||||
struct sss_parse_inp_state {
|
||||
struct resp_ctx *rctx;
|
||||
+ const char *default_domain;
|
||||
const char *rawinp;
|
||||
|
||||
char *name;
|
||||
@@ -453,7 +454,9 @@ struct sss_parse_inp_state {
|
||||
static void sss_parse_inp_done(struct tevent_req *subreq);
|
||||
|
||||
struct tevent_req *
|
||||
-sss_parse_inp_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
|
||||
+sss_parse_inp_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ const char *default_domain,
|
||||
const char *rawinp)
|
||||
{
|
||||
errno_t ret;
|
||||
@@ -465,16 +468,35 @@ sss_parse_inp_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
|
||||
if (req == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
- state->rawinp = rawinp;
|
||||
+
|
||||
+ if (rawinp == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Empty input!\n");
|
||||
+ ret = EINVAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
state->rctx = rctx;
|
||||
|
||||
+ state->rawinp = talloc_strdup(state, rawinp);
|
||||
+ if (state->rawinp == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
+ state->default_domain = talloc_strdup(state, default_domain);
|
||||
+ if (default_domain != NULL && state->default_domain == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
/* If the subdomains haven't been checked yet, we need to always
|
||||
* attach to the post-startup subdomain request and only then parse
|
||||
* the input. Otherwise, we might not be able to parse input with a
|
||||
* flat domain name specifier */
|
||||
if (rctx->get_domains_last_call.tv_sec > 0) {
|
||||
ret = sss_parse_name_for_domains(state, rctx->domains,
|
||||
- rctx->default_domain, rawinp,
|
||||
+ default_domain, rawinp,
|
||||
&state->domname, &state->name);
|
||||
if (ret == EOK) {
|
||||
/* Was able to use cached domains */
|
||||
@@ -532,7 +554,7 @@ static void sss_parse_inp_done(struct tevent_req *subreq)
|
||||
state->error = ERR_OK;
|
||||
|
||||
ret = sss_parse_name_for_domains(state, state->rctx->domains,
|
||||
- state->rctx->default_domain,
|
||||
+ state->default_domain,
|
||||
state->rawinp,
|
||||
&state->domname, &state->name);
|
||||
if (ret == EAGAIN && state->domname != NULL && state->name == NULL) {
|
||||
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
|
||||
index 23f410a19ea985b4fcfcf34a770d37ea9a864e67..07edcddffa1091f8bbcf79a25962aadc791bb890 100644
|
||||
--- a/src/responder/ifp/ifpsrv_cmd.c
|
||||
+++ b/src/responder/ifp/ifpsrv_cmd.c
|
||||
@@ -453,7 +453,7 @@ ifp_user_get_attr_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
|
||||
state->ncache = ncache;
|
||||
state->search_type = search_type;
|
||||
|
||||
- subreq = sss_parse_inp_send(req, rctx, inp);
|
||||
+ subreq = sss_parse_inp_send(req, rctx, rctx->default_domain, inp);
|
||||
if (subreq == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
diff --git a/src/tests/cmocka/common_mock_resp_dp.c b/src/tests/cmocka/common_mock_resp_dp.c
|
||||
index f62606eb8a33b6417bbd32a7dccdbeaabd05818f..0b6870346c00954a3e2accf8f21625a14da8afb5 100644
|
||||
--- a/src/tests/cmocka/common_mock_resp_dp.c
|
||||
+++ b/src/tests/cmocka/common_mock_resp_dp.c
|
||||
@@ -80,7 +80,9 @@ void mock_account_recv_simple(void)
|
||||
}
|
||||
|
||||
struct tevent_req *
|
||||
-sss_parse_inp_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
|
||||
+sss_parse_inp_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ const char *default_domain,
|
||||
const char *rawinp)
|
||||
{
|
||||
return test_req_succeed_send(mem_ctx, rctx->ev);
|
||||
diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c
|
||||
index b25f8a8efcded664ed61be4d5a67b0f2e3adf327..fb7e4ee500570319999e6e85ee14a05cddea8de3 100644
|
||||
--- a/src/tests/cmocka/test_responder_common.c
|
||||
+++ b/src/tests/cmocka/test_responder_common.c
|
||||
@@ -192,7 +192,8 @@ void parse_inp_simple(void **state)
|
||||
|
||||
will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_REAL);
|
||||
|
||||
- req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx, NAME);
|
||||
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
|
||||
+ parse_inp_ctx->rctx->default_domain, NAME);
|
||||
assert_non_null(req);
|
||||
tevent_req_set_callback(req, parse_inp_simple_done, parse_inp_ctx);
|
||||
|
||||
@@ -213,7 +214,8 @@ void parse_inp_call_dp(void **state)
|
||||
/* The second one will succeed as the domains are up-to-date */
|
||||
will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_REAL);
|
||||
|
||||
- req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx, NAME);
|
||||
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
|
||||
+ parse_inp_ctx->rctx->default_domain, NAME);
|
||||
assert_non_null(req);
|
||||
tevent_req_set_callback(req, parse_inp_simple_done, parse_inp_ctx);
|
||||
|
||||
@@ -235,7 +237,8 @@ void parse_inp_call_attach(void **state)
|
||||
* as the domains are up-to-date */
|
||||
will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_REAL);
|
||||
|
||||
- req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx, NAME);
|
||||
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
|
||||
+ parse_inp_ctx->rctx->default_domain, NAME);
|
||||
assert_non_null(req);
|
||||
tevent_req_set_callback(req, parse_inp_simple_done, parse_inp_ctx);
|
||||
|
||||
@@ -271,7 +274,8 @@ void parse_inp_call_neg(void **state)
|
||||
will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_WRAPPER);
|
||||
will_return(__wrap_sss_parse_name_for_domains, EINVAL);
|
||||
|
||||
- req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx, NAME);
|
||||
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
|
||||
+ parse_inp_ctx->rctx->default_domain, NAME);
|
||||
assert_non_null(req);
|
||||
tevent_req_set_callback(req, parse_inp_neg_done, parse_inp_ctx);
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
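--- a/0025-AD-Missing-header-in-ad_access.h.patch
+++ b/0025-AD-Missing-header-in-ad_access.h.patch
@@ -0,0 +1,30 @@
+From d81931454a0846fe503d090595fa5b0d4ffd93a5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
+Date: Wed, 4 Apr 2018 12:10:13 +0200
+Subject: [PATCH] AD: Missing header in ad_access.h
+
+ad_access.h depends on data_provider.h header but
+does not include it.
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit abf377672e0011da817b5105fe581b27f2f855b7)
+---
+src/providers/ad/ad_access.h | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
+index cc565a8e6..34d5597da 100644
+--- a/src/providers/ad/ad_access.h
++++ b/src/providers/ad/ad_access.h
+@@ -23,6 +23,8 @@
+#ifndef AD_ACCESS_H_
+#define AD_ACCESS_H_
+
++#include "providers/data_provider.h"
++
+struct ad_access_ctx {
+struct dp_option *ad_options;
+struct sdap_access_ctx *sdap_access_ctx;
+--
+2.14.3
+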
@ -1,310 +0,0 @@
|
||||
From ddfd1900b26c66a062457d4fcc1a48bafd3eadf6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Fri, 3 Feb 2017 13:04:23 +0100
|
||||
Subject: [PATCH 25/79] cache_req: add ability to not use default domain suffix
|
||||
|
||||
This will be used in the next plugin "host by name" where
|
||||
it is not desirable to use default domain suffix if set.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/cache_req.c | 8 +++++++-
|
||||
src/responder/common/cache_req/cache_req_plugin.h | 5 +++++
|
||||
src/responder/common/cache_req/plugins/cache_req_enum_groups.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_enum_svc.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_enum_users.c | 1 +
|
||||
.../common/cache_req/plugins/cache_req_group_by_filter.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_group_by_id.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_group_by_name.c | 1 +
|
||||
.../common/cache_req/plugins/cache_req_initgroups_by_name.c | 1 +
|
||||
.../common/cache_req/plugins/cache_req_initgroups_by_upn.c | 1 +
|
||||
.../common/cache_req/plugins/cache_req_netgroup_by_name.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_object_by_id.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_object_by_name.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_object_by_sid.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_svc_by_name.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_svc_by_port.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_user_by_cert.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_user_by_filter.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_user_by_id.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_user_by_name.c | 1 +
|
||||
src/responder/common/cache_req/plugins/cache_req_user_by_upn.c | 1 +
|
||||
21 files changed, 31 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
||||
index e5026e1a869064fe81cc04e3b2bbd8c4cefec304..aed8f1b225899a1c470407e259d2068ef62922b7 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.c
|
||||
+++ b/src/responder/common/cache_req/cache_req.c
|
||||
@@ -400,6 +400,7 @@ static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx,
|
||||
const char *domain)
|
||||
{
|
||||
struct tevent_req *subreq;
|
||||
+ const char *default_domain;
|
||||
|
||||
if (cr->data->name.input == NULL) {
|
||||
/* Input was not name, there is no need to process it further. */
|
||||
@@ -411,11 +412,16 @@ static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx,
|
||||
return cache_req_set_name(cr, cr->data->name.input);
|
||||
}
|
||||
|
||||
+ default_domain = NULL;
|
||||
+ if (!cr->plugin->ignore_default_domain) {
|
||||
+ default_domain = cr->rctx->default_domain;
|
||||
+ }
|
||||
+
|
||||
/* Parse name since it may contain a domain name. */
|
||||
CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
|
||||
"Parsing input name [%s]\n", cr->data->name.input);
|
||||
|
||||
- subreq = sss_parse_inp_send(mem_ctx, cr->rctx, cr->rctx->default_domain,
|
||||
+ subreq = sss_parse_inp_send(mem_ctx, cr->rctx, default_domain,
|
||||
cr->data->name.input);
|
||||
if (subreq == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
|
||||
diff --git a/src/responder/common/cache_req/cache_req_plugin.h b/src/responder/common/cache_req/cache_req_plugin.h
|
||||
index e4d5eef91672a83e1ced47b394368a457acfbcb8..59ef8bad1697e094f729c53f33bda4f1d825cdff 100644
|
||||
--- a/src/responder/common/cache_req/cache_req_plugin.h
|
||||
+++ b/src/responder/common/cache_req/cache_req_plugin.h
|
||||
@@ -157,6 +157,11 @@ struct cache_req_plugin {
|
||||
bool parse_name;
|
||||
|
||||
/**
|
||||
+ * True if default domain suffix should be ignored when parsing name.
|
||||
+ */
|
||||
+ bool ignore_default_domain;
|
||||
+
|
||||
+ /**
|
||||
* True if we always contact data provider.
|
||||
*/
|
||||
bool bypass_cache;
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_groups.c b/src/responder/common/cache_req/plugins/cache_req_enum_groups.c
|
||||
index de4bd968b18920cde0630dbd5142ce99d3b70a3e..2056dc2ccdadef98772402bde45aef8e043a0e76 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_enum_groups.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_enum_groups.c
|
||||
@@ -64,6 +64,7 @@ const struct cache_req_plugin cache_req_enum_groups = {
|
||||
.dp_type = SSS_DP_GROUP,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = true,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = true,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_svc.c b/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
|
||||
index c83564fdce8abc237a3a4dbe7a88b4bc6c2baaff..e850212977bb26dc13b900f6e5908865fffa59b0 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_enum_svc.c
|
||||
@@ -65,6 +65,7 @@ const struct cache_req_plugin cache_req_enum_svc = {
|
||||
.dp_type = SSS_DP_SERVICES,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = true,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = true,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_users.c b/src/responder/common/cache_req/plugins/cache_req_enum_users.c
|
||||
index c4eeed7463cca6ecd17fe8042d62f4b72da46e68..2adeddb6b4bea044371f168f5d39aecc1f06cc45 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_enum_users.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_enum_users.c
|
||||
@@ -64,6 +64,7 @@ const struct cache_req_plugin cache_req_enum_users = {
|
||||
.dp_type = SSS_DP_USER,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = true,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = true,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c b/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
|
||||
index 1619cf7bdd6ad7ef7c1ea71ef0dd8f24611c1a6e..bc42eb7db0830ba31649c2cbb9525dfd1f7b1fae 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
|
||||
@@ -119,6 +119,7 @@ const struct cache_req_plugin cache_req_group_by_filter = {
|
||||
.dp_type = SSS_DP_WILDCARD_GROUP,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = true,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
|
||||
index 293994fa1e22a23b7ff19c50050e5c6c25274b5d..e48588087eafde68a4a85c546cf08e90eb6c7605 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
|
||||
@@ -107,6 +107,7 @@ const struct cache_req_plugin cache_req_group_by_id = {
|
||||
.dp_type = SSS_DP_GROUP,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_name.c b/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
|
||||
index c88dbd4566297da98d306e20deb7f7c64c7991a4..962b38866a1408bbdff556e20df5a69b0d4bbba0 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
|
||||
@@ -157,6 +157,7 @@ const struct cache_req_plugin cache_req_group_by_name = {
|
||||
.dp_type = SSS_DP_GROUP,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
|
||||
index 9575ae70731875979f924dbf948222ed705fd923..d2f03cbea0780e4e0b88d56fcfbcf8903bcb3c85 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
|
||||
@@ -172,6 +172,7 @@ const struct cache_req_plugin cache_req_initgroups_by_name = {
|
||||
.dp_type = SSS_DP_INITGROUPS,
|
||||
.attr_expiration = SYSDB_INITGR_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
|
||||
index 7a0b96b19f487e046c32235e02ec0fdbc7baa211..9b2d07d4afa98cbfca4a62f944b744f01897a0ee 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
|
||||
@@ -108,6 +108,7 @@ const struct cache_req_plugin cache_req_initgroups_by_upn = {
|
||||
.dp_type = SSS_DP_INITGROUPS,
|
||||
.attr_expiration = SYSDB_INITGR_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c b/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
|
||||
index 15549adeff9e038387b21b6349b18683c14afe65..5b19edeb2952b83406ff20d001dd7d24449f69c9 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
|
||||
@@ -116,6 +116,7 @@ const struct cache_req_plugin cache_req_netgroup_by_name = {
|
||||
.dp_type = SSS_DP_NETGR,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
|
||||
index b8ad3b5e76cbf52fb61e22aa872e51e7f51bbf29..3f47807616054c644e27e4c240ad7c4b752a563e 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
|
||||
@@ -99,6 +99,7 @@ const struct cache_req_plugin cache_req_object_by_id = {
|
||||
.dp_type = SSS_DP_USER_AND_GROUP,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_name.c b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
|
||||
index 1ec906c7ad0c0f2d327667c697a96f2c2735d066..6829d0ec97c147aafda46b6eace25b97a28e626a 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
|
||||
@@ -192,6 +192,7 @@ const struct cache_req_plugin cache_req_object_by_name = {
|
||||
.dp_type = SSS_DP_USER_AND_GROUP,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c b/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
|
||||
index 35cb74f61fab0c72dda68c8f95e30be9127f938f..6a6eb8e72c52c069935ca4e612e60f602c7b91bd 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
|
||||
@@ -109,6 +109,7 @@ const struct cache_req_plugin cache_req_object_by_sid = {
|
||||
.dp_type = SSS_DP_SECID,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c b/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
|
||||
index 4de27571c199baeeec1064f6d9b626fef08212c7..9562354ed3a453e3aec7264bb32dbd5273fb0927 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
|
||||
@@ -140,6 +140,7 @@ const struct cache_req_plugin cache_req_svc_by_name = {
|
||||
.dp_type = SSS_DP_SERVICES,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c b/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
|
||||
index 1b17c71352678f7dfae830bea3ab3909fd62c564..55117492f6f8aa6a4e31c1e23862215255cdf660 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
|
||||
@@ -113,6 +113,7 @@ const struct cache_req_plugin cache_req_svc_by_port = {
|
||||
.dp_type = SSS_DP_SERVICES,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c b/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
|
||||
index 9a1bcc6aa1225c27362b11b9321994f65261d5cb..5203d3f94421715b711bcd1e01b7a42737b6fe41 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
|
||||
@@ -83,6 +83,7 @@ const struct cache_req_plugin cache_req_user_by_cert = {
|
||||
.dp_type = SSS_DP_CERT,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c b/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
|
||||
index ee9f60bf682629acf3b2ec3d16a3ed075084480d..4c328a5d900e37de0f3396a8c2f1c937360ce081 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
|
||||
@@ -119,6 +119,7 @@ const struct cache_req_plugin cache_req_user_by_filter = {
|
||||
.dp_type = SSS_DP_WILDCARD_USER,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = true,
|
||||
.only_one_result = false,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
|
||||
index d710986d1102af4422d29a9943c903f23bea8b9e..d794d248b1e9b11cd41210b8180823e3a2565847 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c
|
||||
@@ -107,6 +107,7 @@ const struct cache_req_plugin cache_req_user_by_id = {
|
||||
.dp_type = SSS_DP_USER,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
|
||||
index 46dd9434b34536b72b0966f53ab341c09542f16c..9ee7bef1cc904d25d156b3f64e039e47be58d1cc 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
|
||||
@@ -157,6 +157,7 @@ const struct cache_req_plugin cache_req_user_by_name = {
|
||||
.dp_type = SSS_DP_USER,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
|
||||
index 9d1e703d623cd830c2ab6db6e835c4bec49f57e5..4c6e6bcd056392abb729d416d406f28c28cdaa77 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
|
||||
@@ -112,6 +112,7 @@ const struct cache_req_plugin cache_req_user_by_upn = {
|
||||
.dp_type = SSS_DP_USER,
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = false,
|
||||
+ .ignore_default_domain = false,
|
||||
.bypass_cache = false,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
--
|
||||
2.9.3
|
||||
|
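--- a/0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
+++ b/0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
@@ -0,0 +1,65 @@
+From 5e47ae51f5cf11decdfec483ab1adef07ec2b7ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
+Date: Wed, 4 Apr 2018 12:17:37 +0200
+Subject: [PATCH] GPO: Add ad_options to ad_gpo_process_som_state
+
+We will need at least ad_site option from this
+context available to get the AD site override
+value.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3646
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 7a42831b208ed8d2fcb9d8beaa12bd2214bb7dce)
+---
+src/providers/ad/ad_gpo.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index d9ea31141..028f6a2e7 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -146,6 +146,7 @@ struct tevent_req *ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
+struct ldb_context *ldb_ctx,
+struct sdap_id_op *sdap_op,
+struct sdap_options *opts,
++ struct dp_option *ad_options,
+int timeout,
+const char *target_dn,
+const char *domain_name);
+@@ -1975,6 +1976,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
+state->ldb_ctx,
+state->sdap_op,
+state->opts,
++ state->access_ctx->ad_options,
+state->timeout,
+state->target_dn,
+state->host_domain->name);
+@@ -2701,6 +2703,7 @@ struct ad_gpo_process_som_state {
+struct tevent_context *ev;
+struct sdap_id_op *sdap_op;
+struct sdap_options *opts;
++ struct dp_option *ad_options;
+int timeout;
+bool allow_enforced_only;
+char *site_name;
+@@ -2734,6 +2737,7 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
+struct ldb_context *ldb_ctx,
+struct sdap_id_op *sdap_op,
+struct sdap_options *opts,
++ struct dp_option *ad_options,
+int timeout,
+const char *target_dn,
+const char *domain_name)
+@@ -2752,6 +2756,7 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
+state->ev = ev;
+state->sdap_op = sdap_op;
+state->opts = opts;
++ state->ad_options = ad_options;
+state->timeout = timeout;
+state->som_index = 0;
+state->allow_enforced_only = 0;
+--
+2.14.3
+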
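Review bot: The new `ad_options` parameter is stored at `state->ad_options = ad_options;` in ad_gpo_process_som_send, but nothing in this patch reads it and the new struct member carries no comment, so it reads as dead state until the follow-up lands. The patch description says the field exists to reach the ad_site override, and a one-line comment on the member in ad_gpo_process_som_state, `struct dp_option *ad_options; /* AD provider options; the ad_site override is read from here */`, would make that visible in ad_gpo.c itself. The value is copied from `state->access_ctx->ad_options` without a NULL check; whether the option table can be unset in some provider configurations is not visible here, so the eventual consumer should guard it or document why it cannot be NULL. The enclosing functions and struct start and end outside the hunks shown.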
@ -1,87 +0,0 @@
|
||||
From 7723e79f5a1fad4201360199037aea33f655bab6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 11 Jan 2017 11:36:50 +0100
|
||||
Subject: [PATCH 26/79] cache_req: search user by name with attrs
|
||||
|
||||
Sometime is is desirable to aquire more attribute from user object
|
||||
than SYSDB_PW_ATTRS set. such as user's public key.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/cache_req.h | 13 +++++++++
|
||||
.../cache_req/plugins/cache_req_user_by_name.c | 31 ++++++++++++++++++++--
|
||||
2 files changed, 42 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
|
||||
index 7700091078c96698a5aaf12cf0d50f259cd186d8..2740c21ee0e390c64d94fedd6ab2cb7483cfe302 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.h
|
||||
+++ b/src/responder/common/cache_req/cache_req.h
|
||||
@@ -186,6 +186,19 @@ cache_req_user_by_name_send(TALLOC_CTX *mem_ctx,
|
||||
cache_req_single_domain_recv(mem_ctx, req, _result)
|
||||
|
||||
struct tevent_req *
|
||||
+cache_req_user_by_name_attrs_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ struct sss_nc_ctx *ncache,
|
||||
+ int cache_refresh_percent,
|
||||
+ const char *domain,
|
||||
+ const char *name,
|
||||
+ const char **attrs);
|
||||
+
|
||||
+#define cache_req_user_by_name_attrs_recv(mem_ctx, req, _result) \
|
||||
+ cache_req_single_domain_recv(mem_ctx, req, _result)
|
||||
+
|
||||
+struct tevent_req *
|
||||
cache_req_user_by_id_send(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *ev,
|
||||
struct resp_ctx *rctx,
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
|
||||
index 9ee7bef1cc904d25d156b3f64e039e47be58d1cc..3f343870c7e7c28ac72f4e94272c6dee281b963c 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c
|
||||
@@ -105,8 +105,13 @@ cache_req_user_by_name_lookup(TALLOC_CTX *mem_ctx,
|
||||
struct sss_domain_info *domain,
|
||||
struct ldb_result **_result)
|
||||
{
|
||||
- return sysdb_getpwnam_with_views(mem_ctx, domain, data->name.lookup,
|
||||
- _result);
|
||||
+ if (data->attrs == NULL) {
|
||||
+ return sysdb_getpwnam_with_views(mem_ctx, domain, data->name.lookup,
|
||||
+ _result);
|
||||
+ }
|
||||
+
|
||||
+ return sysdb_get_user_attr_with_views(mem_ctx, domain, data->name.lookup,
|
||||
+ data->attrs, _result);
|
||||
}
|
||||
|
||||
static errno_t
|
||||
@@ -196,3 +201,25 @@ cache_req_user_by_name_send(TALLOC_CTX *mem_ctx,
|
||||
return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
|
||||
cache_refresh_percent, domain, data);
|
||||
}
|
||||
+
|
||||
+struct tevent_req *
|
||||
+cache_req_user_by_name_attrs_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ struct sss_nc_ctx *ncache,
|
||||
+ int cache_refresh_percent,
|
||||
+ const char *domain,
|
||||
+ const char *name,
|
||||
+ const char **attrs)
|
||||
+{
|
||||
+ struct cache_req_data *data;
|
||||
+
|
||||
+ data = cache_req_data_name_attrs(mem_ctx, CACHE_REQ_USER_BY_NAME,
|
||||
+ name, attrs);
|
||||
+ if (data == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
|
||||
+ cache_refresh_percent, domain, data);
|
||||
+}
|
||||
--
|
||||
2.9.3
|
||||
|
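--- /dev/null
+++ b/0027-GPO-Use-AD-site-override-if-set.patch
@@ -0,0 +1,79 @@
+From 82096e7e4a6ccaf8a2828ddfc77a04c930a14148 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
+Date: Wed, 4 Apr 2018 13:24:21 +0200
+Subject: [PATCH] GPO: Use AD site override if set
+
+Use AD site override if it was set in SSSD configuration.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3646
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 744e2b4d0710c1dc850bfadbd75ae1ae7faf1148)
+---
+src/providers/ad/ad_gpo.c | 33 ++++++++++++++++++++++++++++++---
+1 file changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index 028f6a2e7..a48f264c7 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -2806,7 +2806,8 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq)
+struct tevent_req *req;
+struct ad_gpo_process_som_state *state;
+int ret;
+- char *site;
++ char *site = NULL;
++ char *site_override = NULL;
+const char *attrs[] = {AD_AT_CONFIG_NC, NULL};
+
+req = tevent_req_callback_data(subreq, struct tevent_req);
+@@ -2817,17 +2818,43 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq)
+talloc_zfree(subreq);
+
+if (ret != EOK || site == NULL) {
+- DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve master domain info\n");
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "Could not autodiscover AD site. This is not fatal if "
++ "ad_site option was set.\n");
++ }
++
++ site_override = dp_opt_get_string(state->ad_options, AD_SITE);
++ if (site_override != NULL) {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "Overriding autodiscovered AD site value '%s' with '%s' from "
++ "configuration.\n", site ? site : "none", site_override);
++ }
++
++ if (site == NULL && site_override == NULL) {
++ sss_log(SSS_LOG_WARNING,
++ "Could not autodiscover AD site value using DNS and ad_site "
++ "option was not set in configuration. GPO will not work. "
++ "To work around this issue you can use ad_site option in SSSD "
++ "configuration.");
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Could not autodiscover AD site value using DNS and ad_site "
++ "option was not set in configuration. GPO will not work. "
++ "To work around this issue you can use ad_site option in SSSD "
++ "configuration.\n");
+tevent_req_error(req, ENOENT);
+return;
+}
+
+- state->site_name = talloc_asprintf(state, "cn=%s", site);
++ state->site_name = talloc_asprintf(state, "cn=%s",
++ site_override ? site_override
++ : site);
+if (state->site_name == NULL) {
+tevent_req_error(req, ENOMEM);
+return;
+}
+
++ DEBUG(SSSDBG_TRACE_FUNC, "Using AD site '%s'.\n", state->site_name);
++
+/*
+* note: the configNC attribute is being retrieved here from the rootDSE
+* entry. In future, since we already make an LDAP query for the rootDSE
+--
+2.14.3
+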
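Review bot: Once the `if (ret != EOK || site == NULL)` branch stops being fatal, `ret` is never consulted again: the fatal check a few lines later tests only `site == NULL && site_override == NULL`, so a recv that fails but leaves `site` non-NULL would have that value used as the site name. If the recv only assigns `site` on success this is harmless, but making it explicit costs one line inside that branch, `site = NULL;`, and removes the dependency on that contract. The same four-line message is also duplicated between `sss_log()` and `DEBUG()`; a single `static const char *` or macro would keep the two copies in sync. The enclosing `ad_gpo_site_name_retrieval_done()` starts and ends outside the hunks.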
@ -1,99 +0,0 @@
|
||||
From 9492b3b26ac0b1898f836094074a9d8b38916e13 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 17 Jan 2017 14:11:32 +0100
|
||||
Subject: [PATCH 27/79] cache_req: add api to create ldb_result from message
|
||||
|
||||
Some sysdb methods doesn't return ldb_result as output but return
|
||||
ldb_message instead. Changing sysdb to be consistent is too big
|
||||
so I added this helper function that will wrap resulting message
|
||||
into ldb_result.
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/cache_req.c | 47 ++++++++++++++++++------------
|
||||
1 file changed, 28 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
||||
index aed8f1b225899a1c470407e259d2068ef62922b7..31c220b3a66db815100b10a4f2e04388c13eaf78 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.c
|
||||
+++ b/src/responder/common/cache_req/cache_req.c
|
||||
@@ -78,7 +78,6 @@ static errno_t cache_req_set_plugin(struct cache_req *cr,
|
||||
}
|
||||
|
||||
cr->reqname = plugin->name;
|
||||
- cr->dp_type = plugin->dp_type;
|
||||
cr->plugin = plugin;
|
||||
|
||||
CACHE_REQ_DEBUG(SSSDBG_TRACE_INTERNAL, cr, "Setting \"%s\" plugin\n",
|
||||
@@ -820,16 +819,11 @@ cache_req_create_result(TALLOC_CTX *mem_ctx,
|
||||
return result;
|
||||
}
|
||||
|
||||
-struct cache_req_result *
|
||||
-cache_req_create_result_from_msg(TALLOC_CTX *mem_ctx,
|
||||
- struct sss_domain_info *domain,
|
||||
- struct ldb_message *ldb_msg,
|
||||
- const char *lookup_name,
|
||||
- const char *well_known_domain)
|
||||
+struct ldb_result *
|
||||
+cache_req_create_ldb_result_from_msg(TALLOC_CTX *mem_ctx,
|
||||
+ struct ldb_message *ldb_msg)
|
||||
{
|
||||
- struct cache_req_result *result;
|
||||
struct ldb_result *ldb_result;
|
||||
- errno_t ret;
|
||||
|
||||
if (ldb_msg == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "No message set!\n");
|
||||
@@ -847,23 +841,38 @@ cache_req_create_result_from_msg(TALLOC_CTX *mem_ctx,
|
||||
ldb_result->count = 1;
|
||||
ldb_result->msgs = talloc_zero_array(ldb_result, struct ldb_message *, 2);
|
||||
if (ldb_result->msgs == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
+ talloc_free(ldb_result);
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
ldb_result->msgs[0] = talloc_steal(ldb_result->msgs, ldb_msg);
|
||||
|
||||
+ return ldb_result;
|
||||
+}
|
||||
+
|
||||
+struct cache_req_result *
|
||||
+cache_req_create_result_from_msg(TALLOC_CTX *mem_ctx,
|
||||
+ struct sss_domain_info *domain,
|
||||
+ struct ldb_message *ldb_msg,
|
||||
+ const char *lookup_name,
|
||||
+ const char *well_known_domain)
|
||||
+{
|
||||
+ struct cache_req_result *result;
|
||||
+ struct ldb_result *ldb_result;
|
||||
+
|
||||
+ if (ldb_msg == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "No message set!\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ ldb_result = cache_req_create_ldb_result_from_msg(mem_ctx, ldb_msg);
|
||||
+ if (ldb_result == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
result = cache_req_create_result(mem_ctx, domain, ldb_result,
|
||||
lookup_name, well_known_domain);
|
||||
if (result == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = EOK;
|
||||
-
|
||||
-done:
|
||||
- if (ret != EOK) {
|
||||
talloc_free(ldb_result);
|
||||
return NULL;
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
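--- /dev/null
+++ b/0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
@@ -0,0 +1,36 @@
+From 29f9df0162096d0e3ec4e85c1f1b5ce87062aa64 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 15 Mar 2018 12:43:34 +0100
+Subject: [PATCH] nss: initialize nss_enum_index in nss_setnetgrent()
+
+setnetgrent() is the first call when looking up a netgroup and sets the
+netgroup name for upcoming getnetgrent() and endnetgrent() calls.
+Currently the state is reset by calling endnetgrent() but it would be
+more robust to unconditionally reset the state in setnetgrent() as well
+in case calling endnetgrent() was forgotten.
+
+Related to https://pagure.io/SSSD/sssd/issue/3679
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 37a84285aeb497ed4909d16916bbf934af3f68b3)
+---
+src/responder/nss/nss_cmd.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
+index 956ee53cb..9f8479b7b 100644
+--- a/src/responder/nss/nss_cmd.c
++++ b/src/responder/nss/nss_cmd.c
+@@ -756,6 +756,9 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
+goto done;
+}
+
++ state_ctx->netgrent.domain = 0;
++ state_ctx->netgrent.result = 0;
++
+talloc_zfree(state_ctx->netgroup);
+state_ctx->netgroup = talloc_strdup(state_ctx, netgroup);
+if (state_ctx->netgroup == NULL) {
+--
+2.14.3
+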
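Review bot: The reset at the top of the added lines assigns the two fields `domain` and `result` individually, so any field later added to the enumeration index would silently keep its stale value on the next `setnetgrent()`; `memset(&state_ctx->netgrent, 0, sizeof(state_ctx->netgrent));` resets the whole index regardless of its layout. The reason for the reset, given only in the commit message (a client may skip `endnetgrent()`), is not visible in the code; a one-line comment above it, `/* Always start from a clean index: the client may have skipped endnetgrent(). */`, would preserve it. The enclosing `nss_setnetgrent()` starts and ends outside the hunk.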
@ -1,453 +0,0 @@
|
||||
From 53c31b83e4d06ea4c2813eec2f1e647a613b4a2b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 18 Jan 2017 12:12:01 +0100
|
||||
Subject: [PATCH 29/79] cache_req: add host by name search
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
Makefile.am | 3 +-
|
||||
src/responder/common/cache_req/cache_req.c | 2 +
|
||||
src/responder/common/cache_req/cache_req.h | 23 ++++
|
||||
src/responder/common/cache_req/cache_req_data.c | 39 +++++++
|
||||
src/responder/common/cache_req/cache_req_plugin.h | 1 +
|
||||
src/responder/common/cache_req/cache_req_private.h | 1 +
|
||||
.../cache_req/plugins/cache_req_host_by_name.c | 121 +++++++++++++++++++++
|
||||
src/responder/common/responder.h | 15 +++
|
||||
.../{ssh/sshsrv_dp.c => common/responder_dp_ssh.c} | 3 +-
|
||||
src/responder/ssh/sshsrv_private.h | 15 ---
|
||||
src/tests/cmocka/common_mock_resp_dp.c | 33 ++++++
|
||||
src/tests/cwrap/Makefile.am | 2 +
|
||||
12 files changed, 240 insertions(+), 18 deletions(-)
|
||||
create mode 100644 src/responder/common/cache_req/plugins/cache_req_host_by_name.c
|
||||
rename src/responder/{ssh/sshsrv_dp.c => common/responder_dp_ssh.c} (99%)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 9dd2060c6615b1c23ae8adb61886341bcdc49560..6592261df87fc4fd0b83aba42e9f5cd12238a6cb 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -513,6 +513,7 @@ SSSD_CACHE_REQ_OBJ = \
|
||||
src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \
|
||||
src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \
|
||||
src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \
|
||||
+ src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
|
||||
$(NULL)
|
||||
|
||||
SSSD_RESPONDER_OBJ = \
|
||||
@@ -521,6 +522,7 @@ SSSD_RESPONDER_OBJ = \
|
||||
src/responder/common/responder_cmd.c \
|
||||
src/responder/common/responder_common.c \
|
||||
src/responder/common/responder_dp.c \
|
||||
+ src/responder/common/responder_dp_ssh.c \
|
||||
src/responder/common/responder_packet.c \
|
||||
src/responder/common/responder_get_domains.c \
|
||||
src/responder/common/responder_utils.c \
|
||||
@@ -1331,7 +1333,6 @@ endif
|
||||
if BUILD_SSH
|
||||
sssd_ssh_SOURCES = \
|
||||
src/responder/ssh/sshsrv.c \
|
||||
- src/responder/ssh/sshsrv_dp.c \
|
||||
src/responder/ssh/sshsrv_cmd.c \
|
||||
$(SSSD_RESPONDER_OBJ) \
|
||||
$(NULL)
|
||||
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
||||
index 31c220b3a66db815100b10a4f2e04388c13eaf78..16429c666a6db79afaad52b509fc63d639815b31 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.c
|
||||
+++ b/src/responder/common/cache_req/cache_req.c
|
||||
@@ -56,6 +56,8 @@ cache_req_get_plugin(enum cache_req_type type)
|
||||
&cache_req_svc_by_port,
|
||||
|
||||
&cache_req_netgroup_by_name,
|
||||
+
|
||||
+ &cache_req_host_by_name,
|
||||
};
|
||||
|
||||
if (type >= CACHE_REQ_SENTINEL) {
|
||||
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
|
||||
index 2740c21ee0e390c64d94fedd6ab2cb7483cfe302..185558d7d7abd03429e35f391616d249e52c2f76 100644
|
||||
--- a/src/responder/common/cache_req/cache_req.h
|
||||
+++ b/src/responder/common/cache_req/cache_req.h
|
||||
@@ -52,6 +52,8 @@ enum cache_req_type {
|
||||
|
||||
CACHE_REQ_NETGROUP_BY_NAME,
|
||||
|
||||
+ CACHE_REQ_HOST_BY_NAME,
|
||||
+
|
||||
CACHE_REQ_SENTINEL
|
||||
};
|
||||
|
||||
@@ -103,6 +105,13 @@ cache_req_data_svc(TALLOC_CTX *mem_ctx,
|
||||
const char *protocol,
|
||||
uint16_t port);
|
||||
|
||||
+struct cache_req_data *
|
||||
+cache_req_data_host(TALLOC_CTX *mem_ctx,
|
||||
+ enum cache_req_type type,
|
||||
+ const char *name,
|
||||
+ const char *alias,
|
||||
+ const char **attrs);
|
||||
+
|
||||
/* Output data. */
|
||||
|
||||
struct cache_req_result {
|
||||
@@ -377,4 +386,18 @@ cache_req_netgroup_by_name_send(TALLOC_CTX *mem_ctx,
|
||||
#define cache_req_netgroup_by_name_recv(mem_ctx, req, _result) \
|
||||
cache_req_single_domain_recv(mem_ctx, req, _result)
|
||||
|
||||
+struct tevent_req *
|
||||
+cache_req_host_by_name_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ struct sss_nc_ctx *ncache,
|
||||
+ int cache_refresh_percent,
|
||||
+ const char *domain,
|
||||
+ const char *name,
|
||||
+ const char *alias,
|
||||
+ const char **attrs);
|
||||
+
|
||||
+#define cache_req_host_by_name_recv(mem_ctx, req, _result) \
|
||||
+ cache_req_single_domain_recv(mem_ctx, req, _result)
|
||||
+
|
||||
#endif /* _CACHE_REQ_H_ */
|
||||
diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c
|
||||
index d0564785f7fc5ffe826b197a41da720e9f26a43a..b2e22ec1bab699ad71978df6905df19908369ff1 100644
|
||||
--- a/src/responder/common/cache_req/cache_req_data.c
|
||||
+++ b/src/responder/common/cache_req/cache_req_data.c
|
||||
@@ -188,6 +188,29 @@ cache_req_data_create(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
break;
|
||||
+ case CACHE_REQ_HOST_BY_NAME:
|
||||
+ if (input->name.input == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL!\n");
|
||||
+ ret = ERR_INTERNAL;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ data->name.input = talloc_strdup(data, input->name.input);
|
||||
+ if (data->name.input == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (input->alias == NULL) {
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ data->alias = talloc_strdup(data, input->alias);
|
||||
+ if (data->alias == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ break;
|
||||
case CACHE_REQ_SENTINEL:
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid cache request type!\n");
|
||||
ret = ERR_INTERNAL;
|
||||
@@ -318,3 +341,19 @@ cache_req_data_svc(TALLOC_CTX *mem_ctx,
|
||||
|
||||
return cache_req_data_create(mem_ctx, type, &input);
|
||||
}
|
||||
+
|
||||
+struct cache_req_data *
|
||||
+cache_req_data_host(TALLOC_CTX *mem_ctx,
|
||||
+ enum cache_req_type type,
|
||||
+ const char *name,
|
||||
+ const char *alias,
|
||||
+ const char **attrs)
|
||||
+{
|
||||
+ struct cache_req_data input = {0};
|
||||
+
|
||||
+ input.name.input = name;
|
||||
+ input.alias = alias;
|
||||
+ input.attrs = attrs;
|
||||
+
|
||||
+ return cache_req_data_create(mem_ctx, type, &input);
|
||||
+}
|
||||
diff --git a/src/responder/common/cache_req/cache_req_plugin.h b/src/responder/common/cache_req/cache_req_plugin.h
|
||||
index 61e346dacfe0d180fb2aae354bc7867093276ab0..e0b619528f6aa31a10a5b48c3c5acc96de90caa1 100644
|
||||
--- a/src/responder/common/cache_req/cache_req_plugin.h
|
||||
+++ b/src/responder/common/cache_req/cache_req_plugin.h
|
||||
@@ -231,5 +231,6 @@ extern const struct cache_req_plugin cache_req_enum_svc;
|
||||
extern const struct cache_req_plugin cache_req_svc_by_name;
|
||||
extern const struct cache_req_plugin cache_req_svc_by_port;
|
||||
extern const struct cache_req_plugin cache_req_netgroup_by_name;
|
||||
+extern const struct cache_req_plugin cache_req_host_by_name;
|
||||
|
||||
#endif /* _CACHE_REQ_PLUGIN_H_ */
|
||||
diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h
|
||||
index b544b739e92552189f806f4675ff28689b91ce66..cc473759159fe324e37a4c51dc15ed136f6a09ef 100644
|
||||
--- a/src/responder/common/cache_req/cache_req_private.h
|
||||
+++ b/src/responder/common/cache_req/cache_req_private.h
|
||||
@@ -76,6 +76,7 @@ struct cache_req_data {
|
||||
uint32_t id;
|
||||
const char *cert;
|
||||
const char *sid;
|
||||
+ const char *alias;
|
||||
const char **attrs;
|
||||
|
||||
struct {
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_host_by_name.c b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..18511e33bc18e44f418a26764f066ff287092d26
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
|
||||
@@ -0,0 +1,121 @@
|
||||
+/*
|
||||
+ Authors:
|
||||
+ Pavel Březina <pbrezina@redhat.com>
|
||||
+
|
||||
+ Copyright (C) 2016 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include <talloc.h>
|
||||
+#include <ldb.h>
|
||||
+
|
||||
+#include "db/sysdb_ssh.h"
|
||||
+#include "util/util.h"
|
||||
+#include "providers/data_provider.h"
|
||||
+#include "responder/common/cache_req/cache_req_plugin.h"
|
||||
+
|
||||
+static const char *
|
||||
+cache_req_host_by_name_create_debug_name(TALLOC_CTX *mem_ctx,
|
||||
+ struct cache_req_data *data,
|
||||
+ struct sss_domain_info *domain)
|
||||
+{
|
||||
+ return talloc_strdup(mem_ctx, data->name.name);
|
||||
+}
|
||||
+
|
||||
+static errno_t
|
||||
+cache_req_host_by_name_lookup(TALLOC_CTX *mem_ctx,
|
||||
+ struct cache_req *cr,
|
||||
+ struct cache_req_data *data,
|
||||
+ struct sss_domain_info *domain,
|
||||
+ struct ldb_result **_result)
|
||||
+{
|
||||
+ struct ldb_result *result;
|
||||
+ struct ldb_message *msg;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ ret = sysdb_get_ssh_host(mem_ctx, domain, data->name.name,
|
||||
+ data->attrs, &msg);
|
||||
+ if (ret != EOK) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ result = cache_req_create_ldb_result_from_msg(mem_ctx, msg);
|
||||
+ if (result == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ *_result = result;
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+struct tevent_req *
|
||||
+cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct cache_req *cr,
|
||||
+ struct cache_req_data *data,
|
||||
+ struct sss_domain_info *domain,
|
||||
+ struct ldb_result *result)
|
||||
+{
|
||||
+ return sss_dp_get_ssh_host_send(mem_ctx, cr->rctx, domain, false,
|
||||
+ data->name.name, data->alias);
|
||||
+}
|
||||
+
|
||||
+const struct cache_req_plugin cache_req_host_by_name = {
|
||||
+ .name = "Host by name",
|
||||
+ .attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
+ .parse_name = true,
|
||||
+ .ignore_default_domain = true,
|
||||
+ .bypass_cache = false,
|
||||
+ .only_one_result = true,
|
||||
+ .search_all_domains = false,
|
||||
+ .require_enumeration = false,
|
||||
+ .allow_missing_fqn = true,
|
||||
+ .allow_switch_to_upn = false,
|
||||
+ .upn_equivalent = CACHE_REQ_SENTINEL,
|
||||
+ .get_next_domain_flags = 0,
|
||||
+
|
||||
+ .is_well_known_fn = NULL,
|
||||
+ .prepare_domain_data_fn = NULL,
|
||||
+ .create_debug_name_fn = cache_req_host_by_name_create_debug_name,
|
||||
+ .global_ncache_add_fn = NULL,
|
||||
+ .ncache_check_fn = NULL,
|
||||
+ .ncache_add_fn = NULL,
|
||||
+ .lookup_fn = cache_req_host_by_name_lookup,
|
||||
+ .dp_send_fn = cache_req_host_by_name_dp_send,
|
||||
+ .dp_recv_fn = cache_req_common_dp_recv
|
||||
+};
|
||||
+
|
||||
+struct tevent_req *
|
||||
+cache_req_host_by_name_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_context *ev,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ struct sss_nc_ctx *ncache,
|
||||
+ int cache_refresh_percent,
|
||||
+ const char *domain,
|
||||
+ const char *name,
|
||||
+ const char *alias,
|
||||
+ const char **attrs)
|
||||
+{
|
||||
+ struct cache_req_data *data;
|
||||
+
|
||||
+ data = cache_req_data_host(mem_ctx, CACHE_REQ_HOST_BY_NAME, name,
|
||||
+ alias, attrs);
|
||||
+ if (data == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
|
||||
+ cache_refresh_percent, domain, data);
|
||||
+}
|
||||
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
|
||||
index c387c6ec326c612eef8798673c1c70c67efd5452..748dec4301b4a018691d9b8c8fca0193d18167a5 100644
|
||||
--- a/src/responder/common/responder.h
|
||||
+++ b/src/responder/common/responder.h
|
||||
@@ -318,6 +318,21 @@ sss_dp_get_account_recv(TALLOC_CTX *mem_ctx,
|
||||
dbus_uint32_t *err_min,
|
||||
char **err_msg);
|
||||
|
||||
+struct tevent_req *
|
||||
+sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ struct sss_domain_info *dom,
|
||||
+ bool fast_reply,
|
||||
+ const char *name,
|
||||
+ const char *alias);
|
||||
+
|
||||
+errno_t
|
||||
+sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_req *req,
|
||||
+ dbus_uint16_t *dp_err,
|
||||
+ dbus_uint32_t *dp_ret,
|
||||
+ char **err_msg);
|
||||
+
|
||||
bool sss_utf8_check(const uint8_t *s, size_t n);
|
||||
|
||||
void responder_set_fd_limit(rlim_t fd_limit);
|
||||
diff --git a/src/responder/ssh/sshsrv_dp.c b/src/responder/common/responder_dp_ssh.c
|
||||
similarity index 99%
|
||||
rename from src/responder/ssh/sshsrv_dp.c
|
||||
rename to src/responder/common/responder_dp_ssh.c
|
||||
index f02c3f477e3789360075a6022086d21cfcd7aefd..303ba1568b6230b0d4dfa718e4a7c024ae84d4e9 100644
|
||||
--- a/src/responder/ssh/sshsrv_dp.c
|
||||
+++ b/src/responder/common/responder_dp_ssh.c
|
||||
@@ -21,13 +21,12 @@
|
||||
#include <talloc.h>
|
||||
#include <tevent.h>
|
||||
#include <dbus/dbus.h>
|
||||
-#include "sbus/sssd_dbus.h"
|
||||
|
||||
#include "util/util.h"
|
||||
#include "sbus/sbus_client.h"
|
||||
+#include "sbus/sssd_dbus.h"
|
||||
#include "providers/data_provider/dp_responder_iface.h"
|
||||
#include "responder/common/responder.h"
|
||||
-#include "responder/ssh/sshsrv_private.h"
|
||||
|
||||
struct sss_dp_get_ssh_host_info {
|
||||
struct sss_domain_info *dom;
|
||||
diff --git a/src/responder/ssh/sshsrv_private.h b/src/responder/ssh/sshsrv_private.h
|
||||
index 9553cd7940571bf107d9fb4562d11d8c1eab3624..3ea895536657cbfa82328b8a2661da56859eb929 100644
|
||||
--- a/src/responder/ssh/sshsrv_private.h
|
||||
+++ b/src/responder/ssh/sshsrv_private.h
|
||||
@@ -51,19 +51,4 @@ struct ssh_cmd_ctx {
|
||||
|
||||
struct sss_cmd_table *get_ssh_cmds(void);
|
||||
|
||||
-struct tevent_req *
|
||||
-sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx,
|
||||
- struct resp_ctx *rctx,
|
||||
- struct sss_domain_info *dom,
|
||||
- bool fast_reply,
|
||||
- const char *name,
|
||||
- const char *alias);
|
||||
-
|
||||
-errno_t
|
||||
-sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx,
|
||||
- struct tevent_req *req,
|
||||
- dbus_uint16_t *dp_err,
|
||||
- dbus_uint32_t *dp_ret,
|
||||
- char **err_msg);
|
||||
-
|
||||
#endif /* _SSHSRV_PRIVATE_H_ */
|
||||
diff --git a/src/tests/cmocka/common_mock_resp_dp.c b/src/tests/cmocka/common_mock_resp_dp.c
|
||||
index cbdb65d745a63ae00613001847351d3dba0fe290..5db5255ab61231870982c4b78a39504ae8954bcd 100644
|
||||
--- a/src/tests/cmocka/common_mock_resp_dp.c
|
||||
+++ b/src/tests/cmocka/common_mock_resp_dp.c
|
||||
@@ -61,6 +61,39 @@ sss_dp_get_account_recv(TALLOC_CTX *mem_ctx,
|
||||
return test_request_recv(req);
|
||||
}
|
||||
|
||||
+struct tevent_req *
|
||||
+sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx,
|
||||
+ struct resp_ctx *rctx,
|
||||
+ struct sss_domain_info *dom,
|
||||
+ bool fast_reply,
|
||||
+ const char *name,
|
||||
+ const char *alias)
|
||||
+{
|
||||
+ return test_req_succeed_send(mem_ctx, rctx->ev);
|
||||
+}
|
||||
+
|
||||
+
|
||||
+errno_t
|
||||
+sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx,
|
||||
+ struct tevent_req *req,
|
||||
+ dbus_uint16_t *dp_err,
|
||||
+ dbus_uint32_t *dp_ret,
|
||||
+ char **err_msg)
|
||||
+{
|
||||
+ acct_cb_t cb;
|
||||
+
|
||||
+ *dp_err = sss_mock_type(dbus_uint16_t);
|
||||
+ *dp_ret = sss_mock_type(dbus_uint32_t);
|
||||
+ *err_msg = sss_mock_ptr_type(char *);
|
||||
+
|
||||
+ cb = sss_mock_ptr_type(acct_cb_t);
|
||||
+ if (cb) {
|
||||
+ (cb)(sss_mock_ptr_type(void *));
|
||||
+ }
|
||||
+
|
||||
+ return test_request_recv(req);
|
||||
+}
|
||||
+
|
||||
errno_t
|
||||
sss_dp_req_recv(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_req *req,
|
||||
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
|
||||
index 8ca0026178d79271167a09d295940f7c5f55d98b..09a8b5307dd3ebf9c7f27148097a90eac527a213 100644
|
||||
--- a/src/tests/cwrap/Makefile.am
|
||||
+++ b/src/tests/cwrap/Makefile.am
|
||||
@@ -60,6 +60,7 @@ SSSD_CACHE_REQ_OBJ = \
|
||||
../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \
|
||||
../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \
|
||||
../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \
|
||||
+ ../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
|
||||
$(NULL)
|
||||
|
||||
SSSD_RESPONDER_OBJ = \
|
||||
@@ -68,6 +69,7 @@ SSSD_RESPONDER_OBJ = \
|
||||
../../../src/responder/common/responder_cmd.c \
|
||||
../../../src/responder/common/responder_common.c \
|
||||
../../../src/responder/common/responder_dp.c \
|
||||
+ ../../../src/responder/common/responder_dp_ssh.c \
|
||||
../../../src/responder/common/responder_packet.c \
|
||||
../../../src/responder/common/responder_get_domains.c \
|
||||
../../../src/responder/common/responder_utils.c \
|
||||
--
|
||||
2.9.3
|
||||
|
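--- /dev/null
+++ b/0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
@@ -0,0 +1,116 @@
+From 9f85ab4d8eba042b43a9346ed6dfbf3fc60ea488 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 15 Mar 2018 12:50:20 +0100
+Subject: [PATCH] nss: add a netgroup counter to struct nss_enum_index
+
+Netgroups are not looked up with the help of a single request but by
+calling setnetgrent(), getnetgrent() and endnetgrent() where
+getnetgrent() might be called multiple times depending on the number of
+netgroup elements. Since the caller does not provide a state the state
+has to be maintained by the SSSD nss responder. Besides the netgroup
+name this is mainly the number of elements already returned.
+
+This number is used to select the next element to return and currently
+it is assumed that there are not changes to the netgroup while the
+client is requesting the individual elements. But if e.g. the 3 nss
+calls are not used correctly or the netgroup is modified while the
+client is sending getnetgrent() calls the stored number might be out of
+range. To be on the safe side the stored number should be always
+compared with the current number of netgroup elements.
+
+Related to https://pagure.io/SSSD/sssd/issue/3679
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 08db22b1b1a2e742edbca92e35087294d963adda)
+---
+src/db/sysdb.h | 3 ++-
+src/db/sysdb_search.c | 5 ++++-
+src/responder/nss/nss_enum.c | 3 ++-
+src/responder/nss/nss_private.h | 1 +
+src/responder/nss/nss_protocol_netgr.c | 7 +++++++
+5 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/src/db/sysdb.h b/src/db/sysdb.h
+index fd18ecefe..2660314a7 100644
+--- a/src/db/sysdb.h
++++ b/src/db/sysdb.h
+@@ -1219,7 +1219,8 @@ errno_t sysdb_attrs_to_list(TALLOC_CTX *mem_ctx,
+
+errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
+struct ldb_result *res,
+- struct sysdb_netgroup_ctx ***entries);
++ struct sysdb_netgroup_ctx ***entries,
++ size_t *netgroup_count);
+
+errno_t sysdb_dn_sanitize(TALLOC_CTX *mem_ctx, const char *input,
+char **sanitized);
+diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
+index dc0bd4f2c..b7ceb6e59 100644
+--- a/src/db/sysdb_search.c
++++ b/src/db/sysdb_search.c
+@@ -1831,7 +1831,8 @@ done:
+
+errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
+struct ldb_result *res,
+- struct sysdb_netgroup_ctx ***entries)
++ struct sysdb_netgroup_ctx ***entries,
++ size_t *netgroup_count)
+{
+errno_t ret;
+size_t size = 0;
+@@ -1935,6 +1936,8 @@ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
+tmp_entry[c] = NULL;
+
+*entries = talloc_steal(mem_ctx, tmp_entry);
++ *netgroup_count = c;
++
+ret = EOK;
+
+done:
+diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
+index 031db9f2e..a45b65233 100644
+--- a/src/responder/nss/nss_enum.c
++++ b/src/responder/nss/nss_enum.c
+@@ -144,7 +144,8 @@ static void nss_setent_internal_done(struct tevent_req *subreq)
+/* We need to expand the netgroup into triples and members. */
+ret = sysdb_netgr_to_entries(state->enum_ctx,
+result[0]->ldb_result,
+- &state->enum_ctx->netgroup);
++ &state->enum_ctx->netgroup,
++ &state->enum_ctx->netgroup_count);
+if (ret != EOK) {
+goto done;
+}
+diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h
+index 5fc19d26b..aa8d8e9cd 100644
+--- a/src/responder/nss/nss_private.h
++++ b/src/responder/nss/nss_private.h
+@@ -41,6 +41,7 @@ struct nss_enum_index {
+struct nss_enum_ctx {
+struct cache_req_result **result;
+struct sysdb_netgroup_ctx **netgroup;
++ size_t netgroup_count;
+
+/* Ongoing cache request that is constructing enumeration result. */
+struct tevent_req *ongoing;
+diff --git a/src/responder/nss/nss_protocol_netgr.c b/src/responder/nss/nss_protocol_netgr.c
+index ed04fd258..9f27c6b78 100644
+--- a/src/responder/nss/nss_protocol_netgr.c
++++ b/src/responder/nss/nss_protocol_netgr.c
+@@ -126,6 +126,13 @@ nss_protocol_fill_netgrent(struct nss_ctx *nss_ctx,
+idx = cmd_ctx->enum_index;
+entries = cmd_ctx->enum_ctx->netgroup;
+
++ if (idx->result > cmd_ctx->enum_ctx->netgroup_count) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Unconsistent state while processing netgroups.\n");
++ ret = EINVAL;
++ goto done;
++ }
++
+/* First two fields (length and reserved), filled up later. */
+ret = sss_packet_grow(packet, 2 * sizeof(uint32_t));
+if (ret != EOK) {
+--
+2.14.3
+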
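--- a/0030-sssctl-Showing-help-even-when-sssd-not-configured.patch
+++ b/0030-sssctl-Showing-help-even-when-sssd-not-configured.patch
@@ -0,0 +1,101 @@
+From 3d0fd106754c7614f5d9fb3875d0b40092d200f3 Mon Sep 17 00:00:00 2001
+From: amitkuma <amitkuma@redhat.com>
+Date: Thu, 15 Feb 2018 18:21:10 +0530
+Subject: [PATCH] sssctl: Showing help even when sssd not configured
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On a clean and unconfigured system, it's not possible
+to use --help.
+1) dnf install sssd-tools
+2) sssctl cache-remove --help
+Shows:
+[confdb_get_domains] (0x0010): No domains configured, fatal error!
+
+Solution: Donot check for confdb initialization when sssctl 3rd
+command line argument passed is '--help'.
+
+Please note when we run 'sssctl --help' on unconfigured system
+confdb check is not done and proper o/p is seen.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/3634
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit b8db8c2d83d1d75c42c1e17145d3907211b3a146)
+---
+src/tools/common/sss_tools.c | 19 ++++++++++++-------
+src/tools/common/sss_tools.h | 1 +
+2 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
+index 4832db5a0..d45584ce1 100644
+--- a/src/tools/common/sss_tools.c
++++ b/src/tools/common/sss_tools.c
+@@ -58,11 +58,14 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx,
+poptContext pc;
+int debug = SSSDBG_DEFAULT;
+int orig_argc = *argc;
++ int help = 0;
+int opt;
+
+struct poptOption options[] = {
+{"debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_STRIP, &debug,
+0, _("The debug level to run with"), NULL },
++ {"help", '?', POPT_ARG_VAL | POPT_ARGFLAG_DOC_HIDDEN, &help,
++ 1, NULL, NULL },
+POPT_TABLEEND
+};
+
+@@ -74,6 +77,7 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx,
+/* Strip common options from arguments. We will discard_const here,
+* since it is not worth the trouble to convert it back and forth. */
+*argc = poptStrippedArgv(pc, orig_argc, discard_const_p(char *, argv));
++ tool_ctx->print_help = help;
+
+DEBUG_CLI_INIT(debug);
+
+@@ -187,7 +191,6 @@ errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
+}
+
+sss_tool_common_opts(tool_ctx, argc, argv);
+-
+*_tool_ctx = tool_ctx;
+
+return EOK;
+@@ -341,12 +344,14 @@ errno_t sss_tool_route(int argc, const char **argv,
+return tool_ctx->init_err;
+}
+
+- ret = tool_cmd_init(tool_ctx, &commands[i]);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_FATAL_FAILURE,
+- "Command initialization failed [%d] %s\n",
+- ret, sss_strerror(ret));
+- return ret;
++ if (!tool_ctx->print_help) {
++ ret = tool_cmd_init(tool_ctx, &commands[i]);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_FATAL_FAILURE,
++ "Command initialization failed [%d] %s\n",
++ ret, sss_strerror(ret));
++ return ret;
++ }
+}
+
+return commands[i].fn(&cmdline, tool_ctx, pvt);
+diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
+index 848009365..0e4308ee6 100644
+--- a/src/tools/common/sss_tools.h
++++ b/src/tools/common/sss_tools.h
+@@ -29,6 +29,7 @@
+struct sss_tool_ctx {
+struct confdb_ctx *confdb;
+
++ bool print_help;
+errno_t init_err;
+char *default_domain;
+struct sss_domain_info *domains;
+--
+2.14.3
+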
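Review bot: With print_help set, sss_tool_route skips tool_cmd_init yet still falls through to `return commands[i].fn(&cmdline, tool_ctx, pvt);`, so the command callback runs on a tool context whose confdb and domain list were never initialized; that is only safe if each command's own popt parsing acts on --help before it dereferences tool_ctx->confdb or tool_ctx->domains, and nothing in the hunk documents that contract. A comment above the new guard would pin it down: `/* --help: confdb/domain init is skipped; the command must process --help in its own option parsing before touching tool_ctx->confdb or tool_ctx->domains. */`. The common-options table deliberately leaves `--help`/`-?` in argv (the new entry lacks the POPT_ARGFLAG_STRIP that `--debug` carries), which is what lets the subcommand still see the flag, so that entry deserves a comment too, since a later cleanup adding STRIP would silently break this path. sss_tools.h gains a `bool` member; if that header does not already include <stdbool.h> it should, which the hunk cannot show. The rest of sss_tool_route lies outside the hunk.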
@ -1,76 +0,0 @@
|
||||
From e947a871f7d3cfc4389e981a147fe10bedca0569 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 7 Feb 2017 11:05:47 +0100
|
||||
Subject: [PATCH 31/79] AD: Use ad_domain to match forest root domain, not the
|
||||
configured domain from sssd.conf
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the sssd.conf domain name was different from the joined domain name,
|
||||
but sssd was joined to the forest root, the AD subdomains code considered
|
||||
sssd joined to a non-root domain and tried to discover the forest root.
|
||||
|
||||
This could be reproduced by joining sssd to a domain, for example
|
||||
win.trust.test but calling the sssd.conf domain otherwise, for example:
|
||||
[domain/addomain]
|
||||
ad_domain = win.trust.test
|
||||
|
||||
This is/was a frequent use-case in the RHEL world, where authconfig
|
||||
often names the sssd.conf domain 'default'.
|
||||
|
||||
Without the patch, the trusted domains were not detected.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/ad/ad_subdomains.c | 13 +++++++++++--
|
||||
1 file changed, 11 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||
index 5e57d218c072a2627f165ae072cb761e1a146048..ad075c19a5824b98092ddf534004680784577c0f 100644
|
||||
--- a/src/providers/ad/ad_subdomains.c
|
||||
+++ b/src/providers/ad/ad_subdomains.c
|
||||
@@ -948,6 +948,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq);
|
||||
static struct tevent_req *
|
||||
ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *ev,
|
||||
+ const char *domain,
|
||||
const char *forest,
|
||||
struct sdap_handle *sh,
|
||||
struct ad_subdomains_ctx *sd_ctx)
|
||||
@@ -968,7 +969,7 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- if (forest != NULL && strcasecmp(sd_ctx->be_ctx->domain->name, forest) == 0) {
|
||||
+ if (forest != NULL && strcasecmp(domain, forest) == 0) {
|
||||
state->root_id_ctx = sd_ctx->ad_id_ctx;
|
||||
state->root_domain_attrs = NULL;
|
||||
ret = EOK;
|
||||
@@ -1230,6 +1231,7 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq)
|
||||
struct ad_subdomains_refresh_state *state;
|
||||
struct tevent_req *req;
|
||||
const char *realm;
|
||||
+ const char *ad_domain;
|
||||
char *master_sid;
|
||||
char *flat_name;
|
||||
char *forest;
|
||||
@@ -1277,7 +1279,14 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq)
|
||||
}
|
||||
}
|
||||
|
||||
- subreq = ad_get_root_domain_send(state, state->ev, forest,
|
||||
+ ad_domain = dp_opt_get_cstring(state->ad_options->basic, AD_DOMAIN);
|
||||
+ if (ad_domain == NULL) {
|
||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
||||
+ "Missing AD domain name, falling back to sssd domain name\n");
|
||||
+ ad_domain = state->sd_ctx->be_ctx->domain->name;
|
||||
+ }
|
||||
+
|
||||
+ subreq = ad_get_root_domain_send(state, state->ev, ad_domain, forest,
|
||||
sdap_id_op_handle(state->sdap_op),
|
||||
state->sd_ctx);
|
||||
if (subreq == NULL) {
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,90 @@
|
||||
From 08fced82ad1a8bc03c69f84bcfdb495a5f473165 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 3 Apr 2018 10:20:29 +0200
|
||||
Subject: [PATCH] sssctl: move check for version error to correct place
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This check was added here:
|
||||
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 490) int sss_tool_main(int argc, const char **argv,
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 491) struct sss_route_cmd *commands,
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 492) void *pvt)
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 493) {
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 494) struct sss_tool_ctx *tool_ctx;
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 495) uid_t uid;
|
||||
e98ccef2 (Pavel Březina 2016-06-09 16:13:34 +0200 496) errno_t ret;
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 497)
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 498) uid = getuid();
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 499) if (uid != 0) {
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 500) DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", uid);
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 501) ERROR("%1$s must be run as root\n", argv[0]);
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 502) return EXIT_FAILURE;
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 503) }
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 504)
|
||||
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 505) ret = sss_tool_init(NULL, &argc, argv, &tool_ctx);
|
||||
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 506) if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
|
||||
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 507) tool_ctx->init_err = ret;
|
||||
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 508) } else if (ret != EOK) {
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 509) DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n");
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 510) return EXIT_FAILURE;
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 511) }
|
||||
|
||||
But then the initialization code was moved from sss_tool_init to tool_cmd_init which is called from sss_tool_route.
|
||||
|
||||
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 328) if (!sss_tools_handles_init_error(&commands[i], tool_ctx->init_err)) {
|
||||
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 329) DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 330) "Command %s does not handle initialization error [%d] %s\n",
|
||||
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 331) cmdline.command, tool_ctx->init_err,
|
||||
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 332) sss_strerror(tool_ctx->init_err));
|
||||
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 333) return tool_ctx->init_err;
|
||||
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 334) }
|
||||
a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 335)
|
||||
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 336) ret = tool_cmd_init(tool_ctx, &commands[i]);
|
||||
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 337) if (ret != EOK) {
|
||||
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 338) DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 339) "Command initialization failed [%d] %s\n",
|
||||
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 340) ret, sss_strerror(ret));
|
||||
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 341) return ret;
|
||||
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 342) }
|
||||
cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 343)
|
||||
284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 344) return commands[i].fn(&cmdline, tool_ctx, pvt);
|
||||
|
||||
This rendered the original change a dead code, because sss_tool_init only returns ENOMEM or EOK.
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
(cherry picked from commit fe58f0fbf34de5931ce3305396e5e4467796a325)
|
||||
---
|
||||
src/tools/common/sss_tools.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
|
||||
index d45584ce1..701db2d93 100644
|
||||
--- a/src/tools/common/sss_tools.c
|
||||
+++ b/src/tools/common/sss_tools.c
|
||||
@@ -346,7 +346,9 @@ errno_t sss_tool_route(int argc, const char **argv,
|
||||
|
||||
if (!tool_ctx->print_help) {
|
||||
ret = tool_cmd_init(tool_ctx, &commands[i]);
|
||||
- if (ret != EOK) {
|
||||
+ if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
|
||||
+ tool_ctx->init_err = ret;
|
||||
+ } else if (ret != EOK) {
|
||||
DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
"Command initialization failed [%d] %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
@@ -516,9 +518,7 @@ int sss_tool_main(int argc, const char **argv,
|
||||
}
|
||||
|
||||
ret = sss_tool_init(NULL, &argc, argv, &tool_ctx);
|
||||
- if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
|
||||
- tool_ctx->init_err = ret;
|
||||
- } else if (ret != EOK) {
|
||||
+ if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
--
|
||||
2.14.3
|
||||
|
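Review bot: tool_ctx->init_err is now assigned inside sss_tool_route only after the `sss_tools_handles_init_error(&commands[i], tool_ctx->init_err)` check has already run (the blame excerpt in the message places that check at lines 328-334, ahead of tool_cmd_init at 336, and the sss_tool_route hunk of the preceding patch on this page shows the same order), so for ERR_SYSDB_VERSION_TOO_OLD the new branch records the error and then still reaches `return commands[i].fn(&cmdline, tool_ctx, pvt);` even for commands that never declared they handle an init error. Either move the handles-init-error test below the new assignment or repeat it there: `if (ret == ERR_SYSDB_VERSION_TOO_OLD) { tool_ctx->init_err = ret; if (!sss_tools_handles_init_error(&commands[i], ret)) return ret; }`. That is moot only if the command callbacks inspect tool_ctx->init_err themselves, which the hunk does not show. The remainder of sss_tool_route, including that earlier check, sits outside the hunk.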
@ -1,44 +0,0 @@
|
||||
From e5d8b0e10238490c5d199063c0a258ba53c2ac65 Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Wed, 8 Feb 2017 17:58:41 +0100
|
||||
Subject: [PATCH 32/79] BUILD: Fix linking of test_sdap_initgr
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
There was a linking fialure on debian:
|
||||
/usr/bin/ld: src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.o:
|
||||
undefined reference to symbol 'hash_iterate@@DHASH_0.4.3'
|
||||
//usr/lib64/libdhash.so.1: error adding symbols: DSO missing from command line
|
||||
collect2: error: ld returned 1 exit status
|
||||
|
||||
This patch adds some missing libraries and remove unnecessary libraries.
|
||||
Bug was intoduced in commit 0b7ded15e53b3f31f1570c366f04bc41e5761929
|
||||
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
Makefile.am | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 713a83ce0b5c2b8d71495ff05b52e52e413b5c95..2304b39c7eb75225f7cd8cbc30d23592506c146e 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -2879,11 +2879,12 @@ test_sdap_initgr_CFLAGS = \
|
||||
test_sdap_initgr_LDADD = \
|
||||
$(CMOCKA_LIBS) \
|
||||
$(POPT_LIBS) \
|
||||
+ $(DHASH_LIBS) \
|
||||
$(TALLOC_LIBS) \
|
||||
+ $(TEVENT_LIBS) \
|
||||
+ $(LDB_LIBS) \
|
||||
$(SSSD_INTERNAL_LTLIBS) \
|
||||
libsss_ldap_common.la \
|
||||
- libsss_ad_tests.la \
|
||||
- libsss_idmap.la \
|
||||
libsss_test_common.la \
|
||||
libdlopen_test_providers.la \
|
||||
$(NULL)
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,35 @@
|
||||
From 39539d7b882722336bb4bfad99ef3ebadfc9b276 Mon Sep 17 00:00:00 2001
|
||||
From: amitkumar50 <amitkuma@redhat.com>
|
||||
Date: Tue, 10 Apr 2018 15:29:01 +0530
|
||||
Subject: [PATCH] MAN: Add sss-certmap man page regarding priority processing
|
||||
|
||||
PR adds following text in PRIORITY section of man sss-certmap:
|
||||
The processing is stopped when a matched rule is found and no
|
||||
further rules are checked.
|
||||
|
||||
Resolves: https://pagure.io/SSSD/sssd/issue/3469
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
(cherry picked from commit 56839605d139573319b7df24774b56ea78ec742b)
|
||||
---
|
||||
src/man/sss-certmap.5.xml | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
|
||||
index 593cd4666..db258d14a 100644
|
||||
--- a/src/man/sss-certmap.5.xml
|
||||
+++ b/src/man/sss-certmap.5.xml
|
||||
@@ -44,7 +44,9 @@
|
||||
<para>
|
||||
The rules are processed by priority while the number '0' (zero)
|
||||
indicates the highest priority. The higher the number the lower is
|
||||
- the priority. A missing value indicates the lowest priority.
|
||||
+ the priority. A missing value indicates the lowest priority. The
|
||||
+ rules processing is stopped when a matched rule is found and no
|
||||
+ further rules are checked.
|
||||
</para>
|
||||
<para>
|
||||
Internally the priority is treated as unsigned 32bit integer, using
|
||||
--
|
||||
2.14.3
|
||||
|
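--- a/0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch
+++ b/0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch
@@ -0,0 +1,42 @@
+From ac1636acadcf8e799a93d799140e8ff2d533f313 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 23 Jan 2018 11:23:37 +0100
+Subject: [PATCH] SDAP: Improve a DEBUG message about GC detection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It was not entirely clear what the message means. We should improve the
+debug message to make it clear that all or none attributes should be
+replicated to the Global Catalog.
+
+This patch can be reverted once we fix
+https://pagure.io/SSSD/sssd/issue/3538 and only use the GC to look up
+the entry DN, not the entry itself.
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+(cherry picked from commit 2d43eaf43540c375d39c5e1c2482595e919fb4df)
+---
+src/providers/ldap/sdap_async.c | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
+index 76cfce207..1e77b1c3c 100644
+--- a/src/providers/ldap/sdap_async.c
++++ b/src/providers/ldap/sdap_async.c
+@@ -2720,7 +2720,11 @@ static void sdap_gc_posix_check_done(struct tevent_req *subreq)
+
+/* Positive hit is definitive, no need to search other bases */
+if (state->has_posix == true) {
+- DEBUG(SSSDBG_FUNC_DATA, "Server has POSIX attributes\n");
++ DEBUG(SSSDBG_FUNC_DATA, "Server has POSIX attributes. Global Catalog will "
++ "be used for user and group lookups. Note that if "
++ "only a subset of POSIX attributes is present "
++ "in GC, the non-replicated attributes are "
++ "currently not read from the LDAP port\n");
+tevent_req_done(req);
+return;
+}
+--
+2.14.3
+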
@ -1,31 +0,0 @@
|
||||
From 2ffa245e79a5ed66e69d141f4001c13697e01450 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 8 Feb 2017 13:22:11 +0100
|
||||
Subject: [PATCH 33/79] ssh: fix typo
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Those macros are the same so there is no functional difference.
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/responder/ssh/ssh_cmd.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/ssh/ssh_cmd.c b/src/responder/ssh/ssh_cmd.c
|
||||
index a1188280dc2d1f73c726aec7c203692a63c37a32..1b9aff2b5053b436a9a0bf2797d812a954f25984 100644
|
||||
--- a/src/responder/ssh/ssh_cmd.c
|
||||
+++ b/src/responder/ssh/ssh_cmd.c
|
||||
@@ -213,7 +213,7 @@ static void ssh_cmd_get_host_pubkeys_done(struct tevent_req *subreq)
|
||||
cmd_ctx = tevent_req_callback_data(subreq, struct ssh_cmd_ctx);
|
||||
ssh_ctx = talloc_get_type(cmd_ctx->cli_ctx->rctx->pvt_ctx, struct ssh_ctx);
|
||||
|
||||
- ret = cache_req_user_by_name_attrs_recv(cmd_ctx, subreq, &result);
|
||||
+ ret = cache_req_host_by_name_recv(cmd_ctx, subreq, &result);
|
||||
talloc_zfree(subreq);
|
||||
|
||||
if (ret == EOK || ret == ENOENT) {
|
||||
--
|
||||
2.9.3
|
||||
|
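--- a/0034-MAN-Improve-docs-about-GC-detection.patch
+++ b/0034-MAN-Improve-docs-about-GC-detection.patch
@@ -0,0 +1,34 @@
+From 1438765a294161b9b636e01ed86bc52c540183d3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Thu, 12 Apr 2018 10:38:42 +0200
+Subject: [PATCH] MAN: Improve docs about GC detection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add the same note we have as part of our debug to the sssd-ad manual.
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 4ab8734cc45fab2d1a0e690b566da1bda63df76c)
+---
+src/man/sssd-ad.5.xml | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
+index be2593dca..f43c7fcf4 100644
+--- a/src/man/sssd-ad.5.xml
++++ b/src/man/sssd-ad.5.xml
+@@ -100,6 +100,9 @@ ldap_id_mapping = False
+domains in the forest sequentially. Please note that the
+<quote>cache_first</quote> option might be also helpful in
+speeding up domainless searches.
++ Note that if only a subset of POSIX attributes is present in
++ the Global Catalog, the non-replicated attributes are currently
++ not read from the LDAP port.
+</para>
+<para>
+Users, groups and other entities served by SSSD are always treated as
+--
+2.14.3
+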
@ -1,32 +0,0 @@
|
||||
From d9780d2860b2f2c9d707bfd8f2fc72099b9545d7 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Wed, 8 Feb 2017 13:22:42 +0100
|
||||
Subject: [PATCH 34/79] cache_req: always go to dp first when looking up host
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
We need to always lookup host in DP first to update host certificates so
|
||||
we are consinstent during ssh authentication.
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
---
|
||||
src/responder/common/cache_req/plugins/cache_req_host_by_name.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/common/cache_req/plugins/cache_req_host_by_name.c b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
|
||||
index 18511e33bc18e44f418a26764f066ff287092d26..77b46831fec3abc4126ef9d9be67221469801094 100644
|
||||
--- a/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
|
||||
+++ b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
|
||||
@@ -77,7 +77,7 @@ const struct cache_req_plugin cache_req_host_by_name = {
|
||||
.attr_expiration = SYSDB_CACHE_EXPIRE,
|
||||
.parse_name = true,
|
||||
.ignore_default_domain = true,
|
||||
- .bypass_cache = false,
|
||||
+ .bypass_cache = true,
|
||||
.only_one_result = true,
|
||||
.search_all_domains = false,
|
||||
.require_enumeration = false,
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,74 +0,0 @@
|
||||
From 040ade7b2e11fecf615aedf58592cc7245900e86 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Sun, 5 Feb 2017 01:48:35 +0100
|
||||
Subject: [PATCH 35/79] MONITOR: Wrap up sending sd_notify "ready" into a new
|
||||
function
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This new function will be used later on in this series as we also will
|
||||
need to notify systemd that we're up in at least one more scenario (for
|
||||
now).
|
||||
|
||||
Related:
|
||||
https://fedorahosted.org/sssd/ticket/3299
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/monitor/monitor.c | 30 +++++++++++++++++++++---------
|
||||
1 file changed, 21 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||
index b82c6e5fb651796e977085a1fcb87330632fbf3b..f55a89edc38900c3eaaf2a294fb26125e571cf82 100644
|
||||
--- a/src/monitor/monitor.c
|
||||
+++ b/src/monitor/monitor.c
|
||||
@@ -487,6 +487,26 @@ static void svc_child_info(struct mt_svc *svc, int wait_status)
|
||||
}
|
||||
}
|
||||
|
||||
+static int notify_startup(void)
|
||||
+{
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+ int ret;
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Sending startup notification to systemd\n");
|
||||
+ ret = sd_notify(0, "READY=1");
|
||||
+ if (ret < 0) {
|
||||
+ ret = -ret;
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Error sending notification to systemd %d: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+
|
||||
+ return ret;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
static int mark_service_as_started(struct mt_svc *svc)
|
||||
{
|
||||
struct mt_ctx *ctx = svc->mt_ctx;
|
||||
@@ -557,15 +577,7 @@ static int mark_service_as_started(struct mt_svc *svc)
|
||||
|
||||
ctx->pid_file_created = true;
|
||||
|
||||
-#ifdef HAVE_SYSTEMD
|
||||
- DEBUG(SSSDBG_TRACE_FUNC, "Sending startup notification to systemd\n");
|
||||
- ret = sd_notify(0, "READY=1");
|
||||
- if (ret < 0) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Error sending notification to systemd %d: %s\n",
|
||||
- -ret, strerror(-ret));
|
||||
- }
|
||||
-#endif
|
||||
+ notify_startup();
|
||||
|
||||
/* Initialization is complete, terminate parent process if in daemon
|
||||
* mode. Make sure we send the signal to the right process */
|
||||
--
|
||||
2.9.3
|
||||
|
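--- a/0035-nss-idmap-do-not-set-a-limit.patch
+++ b/0035-nss-idmap-do-not-set-a-limit.patch
@@ -0,0 +1,34 @@
+From b489dcc998fc305f3a0a43b6484c042065320001 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 18 Apr 2018 10:20:06 +0200
+Subject: [PATCH] nss-idmap: do not set a limit
+
+If the limit is set the needed size to return all groups cannot be
+returned.
+
+Related to https://pagure.io/SSSD/sssd/issue/3715
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 46a4c265629d9b725c41f22849741ce7342bdd85)
+---
+src/sss_client/idmap/sss_nss_ex.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
+index c00e64cc4..b87b5e3b2 100644
+--- a/src/sss_client/idmap/sss_nss_ex.c
++++ b/src/sss_client/idmap/sss_nss_ex.c
+@@ -96,7 +96,9 @@ errno_t sss_nss_mc_get(struct nss_input *inp)
+inp->result.initgrrep.start,
+inp->result.initgrrep.ngroups,
+&(inp->result.initgrrep.groups),
+- *(inp->result.initgrrep.ngroups));
++ /* no limit so that needed size can
++ * be returned properly */
++ -1);
+break;
+default:
+return EINVAL;
+--
+2.14.3
+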
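Review bot: The bare `-1` now passed as the limit argument is a sentinel whose meaning rests on the callee's parameter being a signed type; if that parameter is unsigned or size_t the value silently becomes the maximum and "no limit" holds only by accident, so a named constant at the callee, with a comment on its declaration stating that a negative limit disables the cap, would be clearer than the comment wedged between the arguments. Removing the cap also lets the groups array be reallocated up to the full size of the user's group list instead of the caller's *ngroups; the buffer handed back to the caller stays bounded only because sss_nss_getgrouplist_timeout copies MIN(*ngroups, start) entries, as the later nss-idmap hunk on this page shows, so any new caller of this path must keep that bound. The callee's declaration and the rest of sss_nss_mc_get lie outside the hunk.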
@ -1,51 +0,0 @@
|
||||
From 00c0b7bc6969d31deab9e8e7541b4a6483b78b3e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Sun, 5 Feb 2017 01:55:56 +0100
|
||||
Subject: [PATCH 36/79] MONITOR: Don't timeout if using local provider +
|
||||
socket-activated responders
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
When using only the local provider with socket-activated services SSSD
|
||||
ends up never notifying systemd its startup has been done, as notifying
|
||||
systemd is done *only* when a service (provider or responder) is started
|
||||
up, leading SSSD's startup to fail due to a timeout.
|
||||
|
||||
So, in order to avoid this situation, let's just notify the startup
|
||||
earlier in case we have *only* socket-activated services and the *only*
|
||||
provider set up is the LOCAL one.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3299
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/monitor/monitor.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||
index f55a89edc38900c3eaaf2a294fb26125e571cf82..1fa3d4baf579f15b9f93355a4b0c8b9d706bbacf 100644
|
||||
--- a/src/monitor/monitor.c
|
||||
+++ b/src/monitor/monitor.c
|
||||
@@ -2403,6 +2403,15 @@ static int monitor_process_init(struct mt_ctx *ctx,
|
||||
}
|
||||
}
|
||||
|
||||
+ /* When the only provider set up is the local one (num_providers == 0) and
|
||||
+ * there's no responder explicitly set up it means that we should notify
|
||||
+ * systemd that SSSD is ready right now as any other provider/responder
|
||||
+ * would be able to do so and the SSSD would end up hitting a systemd
|
||||
+ * timeout! */
|
||||
+ if (num_providers == 0 && ctx->services == NULL) {
|
||||
+ ret = notify_startup();
|
||||
+ }
|
||||
+
|
||||
return EOK;
|
||||
}
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,69 @@
|
||||
From b24ef81656fc3d0dce49b1756ba53c46b5881a14 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 18 Apr 2018 10:23:22 +0200
|
||||
Subject: [PATCH] nss-idmap: use right group list pointer after sss_get_ex()
|
||||
|
||||
If the initial array is too small it will be reallocated during
|
||||
sss_get_ex() and the pointer might change and the initial memory area
|
||||
should not be used anymore.
|
||||
|
||||
Related to https://pagure.io/SSSD/sssd/issue/3715
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit 2c4dc7a4d98c439c69625f12ba4c3c8253f4cc5b)
|
||||
---
|
||||
src/sss_client/idmap/sss_nss_ex.c | 18 +++++++++---------
|
||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
|
||||
index b87b5e3b2..971422063 100644
|
||||
--- a/src/sss_client/idmap/sss_nss_ex.c
|
||||
+++ b/src/sss_client/idmap/sss_nss_ex.c
|
||||
@@ -485,7 +485,6 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
|
||||
uint32_t flags, unsigned int timeout)
|
||||
{
|
||||
int ret;
|
||||
- gid_t *new_groups;
|
||||
long int new_ngroups;
|
||||
long int start = 1;
|
||||
struct nss_input inp = {
|
||||
@@ -498,27 +497,28 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
|
||||
}
|
||||
|
||||
new_ngroups = MAX(1, *ngroups);
|
||||
- new_groups = malloc(new_ngroups * sizeof(gid_t));
|
||||
- if (new_groups == NULL) {
|
||||
+ inp.result.initgrrep.groups = malloc(new_ngroups * sizeof(gid_t));
|
||||
+ if (inp.result.initgrrep.groups == NULL) {
|
||||
free(discard_const(inp.rd.data));
|
||||
return ENOMEM;
|
||||
}
|
||||
- new_groups[0] = group;
|
||||
+ inp.result.initgrrep.groups[0] = group;
|
||||
|
||||
- inp.result.initgrrep.groups = new_groups,
|
||||
inp.result.initgrrep.ngroups = &new_ngroups;
|
||||
inp.result.initgrrep.start = &start;
|
||||
|
||||
-
|
||||
+ /* inp.result.initgrrep.groups, inp.result.initgrrep.ngroups and
|
||||
+ * inp.result.initgrrep.start might be modified by sss_get_ex() */
|
||||
ret = sss_get_ex(&inp, flags, timeout);
|
||||
free(discard_const(inp.rd.data));
|
||||
if (ret != 0) {
|
||||
- free(new_groups);
|
||||
+ free(inp.result.initgrrep.groups);
|
||||
return ret;
|
||||
}
|
||||
|
||||
- memcpy(groups, new_groups, MIN(*ngroups, start) * sizeof(gid_t));
|
||||
- free(new_groups);
|
||||
+ memcpy(groups, inp.result.initgrrep.groups,
|
||||
+ MIN(*ngroups, start) * sizeof(gid_t));
|
||||
+ free(inp.result.initgrrep.groups);
|
||||
|
||||
if (start > *ngroups) {
|
||||
ret = ERANGE;
|
||||
--
|
||||
2.14.3
|
||||
|
177
0037-NSS-Add-InvalidateGroupById-handler.patch
Normal file
@ -0,0 +1,177 @@
|
||||
From d1f38315fa7f8c9d3392af0feb32afc56a0f6c4e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Fri, 16 Feb 2018 13:55:53 +0100
|
||||
Subject: [PATCH] NSS: Add InvalidateGroupById handler
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
There are some situations where, from the backend, the NSS responder
|
||||
will have to be notified to invalidate a group.
|
||||
|
||||
In order to achieve this in a clean way, let's add the
|
||||
InvalidateGroupById handler and make use of it later in this very same
|
||||
series.
|
||||
|
||||
Related:
|
||||
https://pagure.io/SSSD/sssd/issue/2653
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit 851d31264c826d7e1bca38bb6d49e66b446707e7)
|
||||
---
|
||||
src/responder/nss/nss_iface.c | 16 ++++++++++++++
|
||||
src/responder/nss/nss_iface.xml | 3 +++
|
||||
src/responder/nss/nss_iface_generated.c | 38 +++++++++++++++++++++++++++++++++
|
||||
src/responder/nss/nss_iface_generated.h | 5 +++++
|
||||
4 files changed, 62 insertions(+)
|
||||
|
||||
diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
|
||||
index 415af9550..805e4fcdf 100644
|
||||
--- a/src/responder/nss/nss_iface.c
|
||||
+++ b/src/responder/nss/nss_iface.c
|
||||
@@ -199,12 +199,28 @@ int nss_memorycache_update_initgroups(struct sbus_request *sbus_req,
|
||||
return iface_nss_memorycache_UpdateInitgroups_finish(sbus_req);
|
||||
}
|
||||
|
||||
+int nss_memorycache_invalidate_group_by_id(struct sbus_request *sbus_req,
|
||||
+ void *data,
|
||||
+ gid_t gid)
|
||||
+{
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
+ struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx);
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS,
|
||||
+ "Invalidating group %"PRIu32" from memory cache\n", gid);
|
||||
+
|
||||
+ sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, gid);
|
||||
+
|
||||
+ return iface_nss_memorycache_InvalidateGroupById_finish(sbus_req);
|
||||
+}
|
||||
+
|
||||
struct iface_nss_memorycache iface_nss_memorycache = {
|
||||
{ &iface_nss_memorycache_meta, 0 },
|
||||
.UpdateInitgroups = nss_memorycache_update_initgroups,
|
||||
.InvalidateAllUsers = nss_memorycache_invalidate_users,
|
||||
.InvalidateAllGroups = nss_memorycache_invalidate_groups,
|
||||
.InvalidateAllInitgroups = nss_memorycache_invalidate_initgroups,
|
||||
+ .InvalidateGroupById = nss_memorycache_invalidate_group_by_id,
|
||||
};
|
||||
|
||||
static struct sbus_iface_map iface_map[] = {
|
||||
diff --git a/src/responder/nss/nss_iface.xml b/src/responder/nss/nss_iface.xml
|
||||
index 27aae0197..4d8cf14f9 100644
|
||||
--- a/src/responder/nss/nss_iface.xml
|
||||
+++ b/src/responder/nss/nss_iface.xml
|
||||
@@ -14,5 +14,8 @@
|
||||
</method>
|
||||
<method name="InvalidateAllInitgroups">
|
||||
</method>
|
||||
+ <method name="InvalidateGroupById">
|
||||
+ <arg name="gid" type="u" direction="in" />
|
||||
+ </method>
|
||||
</interface>
|
||||
</node>
|
||||
diff --git a/src/responder/nss/nss_iface_generated.c b/src/responder/nss/nss_iface_generated.c
|
||||
index 4a8b704da..8d5a4584b 100644
|
||||
--- a/src/responder/nss/nss_iface_generated.c
|
||||
+++ b/src/responder/nss/nss_iface_generated.c
|
||||
@@ -12,6 +12,9 @@
|
||||
/* invokes a handler with a 'ssau' DBus signature */
|
||||
static int invoke_ssau_method(struct sbus_request *dbus_req, void *function_ptr);
|
||||
|
||||
+/* invokes a handler with a 'u' DBus signature */
|
||||
+static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr);
|
||||
+
|
||||
/* arguments for org.freedesktop.sssd.nss.MemoryCache.UpdateInitgroups */
|
||||
const struct sbus_arg_meta iface_nss_memorycache_UpdateInitgroups__in[] = {
|
||||
{ "user", "s" },
|
||||
@@ -44,6 +47,18 @@ int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *re
|
||||
DBUS_TYPE_INVALID);
|
||||
}
|
||||
|
||||
+/* arguments for org.freedesktop.sssd.nss.MemoryCache.InvalidateGroupById */
|
||||
+const struct sbus_arg_meta iface_nss_memorycache_InvalidateGroupById__in[] = {
|
||||
+ { "gid", "u" },
|
||||
+ { NULL, }
|
||||
+};
|
||||
+
|
||||
+int iface_nss_memorycache_InvalidateGroupById_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
/* methods for org.freedesktop.sssd.nss.MemoryCache */
|
||||
const struct sbus_method_meta iface_nss_memorycache__methods[] = {
|
||||
{
|
||||
@@ -74,6 +89,13 @@ const struct sbus_method_meta iface_nss_memorycache__methods[] = {
|
||||
offsetof(struct iface_nss_memorycache, InvalidateAllInitgroups),
|
||||
NULL, /* no invoker */
|
||||
},
|
||||
+ {
|
||||
+ "InvalidateGroupById", /* name */
|
||||
+ iface_nss_memorycache_InvalidateGroupById__in,
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_nss_memorycache, InvalidateGroupById),
|
||||
+ invoke_u_method,
|
||||
+ },
|
||||
{ NULL, }
|
||||
};
|
||||
|
||||
@@ -86,6 +108,22 @@ const struct sbus_interface_meta iface_nss_memorycache_meta = {
|
||||
sbus_invoke_get_all, /* GetAll invoker */
|
||||
};
|
||||
|
||||
+/* invokes a handler with a 'u' DBus signature */
|
||||
+static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr)
|
||||
+{
|
||||
+ uint32_t arg_0;
|
||||
+ int (*handler)(struct sbus_request *, void *, uint32_t) = function_ptr;
|
||||
+
|
||||
+ if (!sbus_request_parse_or_finish(dbus_req,
|
||||
+ DBUS_TYPE_UINT32, &arg_0,
|
||||
+ DBUS_TYPE_INVALID)) {
|
||||
+ return EOK; /* request handled */
|
||||
+ }
|
||||
+
|
||||
+ return (handler)(dbus_req, dbus_req->intf->handler_data,
|
||||
+ arg_0);
|
||||
+}
|
||||
+
|
||||
/* invokes a handler with a 'ssau' DBus signature */
|
||||
static int invoke_ssau_method(struct sbus_request *dbus_req, void *function_ptr)
|
||||
{
|
||||
diff --git a/src/responder/nss/nss_iface_generated.h b/src/responder/nss/nss_iface_generated.h
|
||||
index 11fac7916..27a6d0853 100644
|
||||
--- a/src/responder/nss/nss_iface_generated.h
|
||||
+++ b/src/responder/nss/nss_iface_generated.h
|
||||
@@ -18,6 +18,7 @@
|
||||
#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS "InvalidateAllUsers"
|
||||
#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS "InvalidateAllGroups"
|
||||
#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS "InvalidateAllInitgroups"
|
||||
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEGROUPBYID "InvalidateGroupById"
|
||||
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus handlers
|
||||
@@ -44,6 +45,7 @@ struct iface_nss_memorycache {
|
||||
int (*InvalidateAllUsers)(struct sbus_request *req, void *data);
|
||||
int (*InvalidateAllGroups)(struct sbus_request *req, void *data);
|
||||
int (*InvalidateAllInitgroups)(struct sbus_request *req, void *data);
|
||||
+ int (*InvalidateGroupById)(struct sbus_request *req, void *data, uint32_t arg_gid);
|
||||
};
|
||||
|
||||
/* finish function for UpdateInitgroups */
|
||||
@@ -58,6 +60,9 @@ int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req);
|
||||
/* finish function for InvalidateAllInitgroups */
|
||||
int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *req);
|
||||
|
||||
+/* finish function for InvalidateGroupById */
|
||||
+int iface_nss_memorycache_InvalidateGroupById_finish(struct sbus_request *req);
|
||||
+
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus Interface Metadata
|
||||
*
|
||||
--
|
||||
2.14.3
|
||||
|
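Review bot: `nss_memorycache_invalidate_group_by_id` declares its last parameter as `gid_t gid`, while the vtable slot it is assigned to is declared `int (*InvalidateGroupById)(struct sbus_request *req, void *data, uint32_t arg_gid)` and `invoke_u_method` calls through a `uint32_t` pointer type; this lines up only because `gid_t` is `unsigned int` on glibc, and the aliasing of the two types is otherwise unchecked. Matching the generated prototype, `gid_t gid` → `uint32_t arg_gid`, keeps the handler, the invoker and the `%"PRIu32"` format in the DEBUG call in agreement. The result of `sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, gid);` is also discarded; if it reports an errno-style status (its prototype is not in this hunk), logging a failure at `SSSDBG_MINOR_FAILURE` would make a stale memcache entry diagnosable instead of silent.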
@ -1,83 +0,0 @@
|
||||
From a5ecc93abb01cece628fdef04ebad43bba267419 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Sun, 5 Feb 2017 20:25:23 +0100
|
||||
Subject: [PATCH 37/79] SUDO: Only store lowercased attribute value once
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The current code doesn't handle the situation where lowercasing the
|
||||
sudoUser attribute would yield the same value again.
|
||||
|
||||
For example:
|
||||
sudoUser: TUSER
|
||||
sudoUser tuser
|
||||
would break.
|
||||
|
||||
This patch switches to using the utility function
|
||||
sysdb_attrs_add_lower_case_string() which already checks for duplicates.
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/3301
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/db/sysdb_sudo.c | 17 +++--------------
|
||||
src/tests/cmocka/test_sysdb_sudo.c | 5 +++++
|
||||
2 files changed, 8 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
|
||||
index f5160f19012028f92723b9012fad85d803aa5137..97a1bee99c0255579f42cc7263d3d755429cd417 100644
|
||||
--- a/src/db/sysdb_sudo.c
|
||||
+++ b/src/db/sysdb_sudo.c
|
||||
@@ -857,7 +857,6 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
|
||||
{
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
const char **users = NULL;
|
||||
- const char *lowered = NULL;
|
||||
errno_t ret;
|
||||
|
||||
if (domain->case_sensitive == true || rule == NULL) {
|
||||
@@ -884,19 +883,9 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
|
||||
}
|
||||
|
||||
for (int i = 0; users[i] != NULL; i++) {
|
||||
- lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
|
||||
- if (lowered == NULL) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- if (strcmp(users[i], lowered) == 0) {
|
||||
- /* It protects us from adding duplicate. */
|
||||
- continue;
|
||||
- }
|
||||
-
|
||||
- ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
|
||||
+ ret = sysdb_attrs_add_lower_case_string(rule, true,
|
||||
+ SYSDB_SUDO_CACHE_AT_USER,
|
||||
+ users[i]);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"Unable to add %s attribute [%d]: %s\n",
|
||||
diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c
|
||||
index f21ff3655efbdc5b66a1fdbc24a51ec8174c3c8c..34afe120d97e99e3213a85bf7489a5e0f6309e4b 100644
|
||||
--- a/src/tests/cmocka/test_sysdb_sudo.c
|
||||
+++ b/src/tests/cmocka/test_sysdb_sudo.c
|
||||
@@ -335,6 +335,11 @@ void test_store_sudo_case_insensitive(void **state)
|
||||
|
||||
test_ctx->tctx->dom->case_sensitive = false;
|
||||
|
||||
+ ret = sysdb_attrs_add_lower_case_string(rule, false,
|
||||
+ SYSDB_SUDO_CACHE_AT_USER,
|
||||
+ users[0].name);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
|
||||
assert_int_equal(ret, EOK);
|
||||
|
||||
--
|
||||
2.9.3
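--- a/0038-DP-Add-dp_sbus_invalidate_group_memcache.patch
+++ b/0038-DP-Add-dp_sbus_invalidate_group_memcache.patch
@@ -0,0 +1,91 @@
+From efaabeae96f76036bbe06122f7fbf70a66d26c56 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Mon, 19 Feb 2018 08:42:10 +0100
+Subject: [PATCH] DP: Add dp_sbus_invalidate_group_memcache()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This function will be called from the data provider to the NSS
+responder, which will invalidate a group in the memcache.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/2653
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 709c42f0cabc96d0e0edf72753a0967593206ff4)
+---
+src/providers/data_provider/dp.h | 2 ++
+src/providers/data_provider/dp_resp_client.c | 45 ++++++++++++++++++++++++++++
+2 files changed, 47 insertions(+)
+
+diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
+index ceb49da53..e8b2f9c8f 100644
+--- a/src/providers/data_provider/dp.h
++++ b/src/providers/data_provider/dp.h
+@@ -179,6 +179,8 @@ void dp_sbus_reset_groups_ncache(struct data_provider *provider,
+void dp_sbus_reset_users_memcache(struct data_provider *provider);
+void dp_sbus_reset_groups_memcache(struct data_provider *provider);
+void dp_sbus_reset_initgr_memcache(struct data_provider *provider);
++void dp_sbus_invalidate_group_memcache(struct data_provider *provider,
++ gid_t gid);
+
+/*
+* A dummy handler for DPM_ACCT_DOMAIN_HANDLER.
+diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c
+index 5735188a6..a61f7c59d 100644
+--- a/src/providers/data_provider/dp_resp_client.c
++++ b/src/providers/data_provider/dp_resp_client.c
+@@ -189,3 +189,48 @@ void dp_sbus_reset_initgr_memcache(struct data_provider *provider)
+return dp_sbus_reset_memcache(provider,
+IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS);
+}
++
++void dp_sbus_invalidate_group_memcache(struct data_provider *provider,
++ gid_t gid)
++{
++ struct dp_client *dp_cli;
++ DBusMessage *msg;
++ dbus_bool_t dbret;
++
++ if (provider == NULL) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "No provider pointer\n");
++ return;
++ }
++
++ dp_cli = provider->clients[DPC_NSS];
++ if (dp_cli == NULL) {
++ return;
++ }
++
++ msg = dbus_message_new_method_call(NULL,
++ NSS_MEMORYCACHE_PATH,
++ IFACE_NSS_MEMORYCACHE,
++ IFACE_NSS_MEMORYCACHE_INVALIDATEGROUPBYID);
++ if (msg == NULL) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
++ return;
++ }
++
++ dbret = dbus_message_append_args(msg,
++ DBUS_TYPE_UINT32, &gid,
++ DBUS_TYPE_INVALID);
++ if (!dbret) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
++ dbus_message_unref(msg);
++ return;
++ }
++
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "Ordering NSS responder to invalidate the group %"PRIu32" \n",
++ gid);
++
++ sbus_conn_send_reply(dp_client_conn(dp_cli), msg);
++ dbus_message_unref(msg);
++
++ return;
++}
+--
+2.14.3
+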
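Review bot: `dbus_message_append_args(msg, DBUS_TYPE_UINT32, &gid, DBUS_TYPE_INVALID)` in `dp_sbus_invalidate_group_memcache` reads the argument through a `dbus_uint32_t *`, but `gid` is a `gid_t`; that is correct only where `gid_t` is exactly 32 bits wide, which nothing in the function asserts, and the same assumption underlies the `%"PRIu32"` format in the DEBUG call below. Staging the value in a fixed-width local makes it explicit: `uint32_t gid32 = gid;` before the call and `DBUS_TYPE_UINT32, &gid32,` in the argument list. The return value of `sbus_conn_send_reply(dp_client_conn(dp_cli), msg);` is dropped, so a failed send goes unlogged while the allocation and append failures just above are reported; and the trailing `return;` in a void function is redundant.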
@ -1,190 +0,0 @@
|
||||
From 99a32e4f5164e174d5a3ffa5a1fe622075a8fe45 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 2 Nov 2016 16:59:12 +0100
|
||||
Subject: [PATCH 38/79] NEGCACHE: Add API to reset all users and groups
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds a negative cache API to reset negatively cached users and groups.
|
||||
This will be used when the files back end finishes enumeration to make
|
||||
sure all results are available.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/responder/common/negcache.c | 56 ++++++++++++++++++++++++++++++++
|
||||
src/responder/common/negcache.h | 2 ++
|
||||
src/tests/cmocka/test_negcache.c | 70 ++++++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 128 insertions(+)
|
||||
|
||||
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
|
||||
index 5b7ad69f432518be94b88e92e24265add722c852..944a06e158f778948c16bb931f0af5659a00b13b 100644
|
||||
--- a/src/responder/common/negcache.c
|
||||
+++ b/src/responder/common/negcache.c
|
||||
@@ -674,6 +674,62 @@ int sss_ncache_reset_permanent(struct sss_nc_ctx *ctx)
|
||||
return EOK;
|
||||
}
|
||||
|
||||
+static int delete_prefix(struct tdb_context *tdb,
|
||||
+ TDB_DATA key, TDB_DATA data, void *state)
|
||||
+{
|
||||
+ const char *prefix = (const char *) state;
|
||||
+
|
||||
+ if (strncmp((char *)key.dptr, prefix, strlen(prefix) - 1) != 0) {
|
||||
+ /* not interested in this key */
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ return tdb_delete(tdb, key);
|
||||
+}
|
||||
+
|
||||
+static int sss_ncache_reset_pfx(struct sss_nc_ctx *ctx,
|
||||
+ const char **prefixes)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ if (prefixes == NULL) {
|
||||
+ return EOK;
|
||||
+ }
|
||||
+
|
||||
+ for (int i = 0; prefixes[i] != NULL; i++) {
|
||||
+ ret = tdb_traverse(ctx->tdb,
|
||||
+ delete_prefix,
|
||||
+ discard_const(prefixes[i]));
|
||||
+ if (ret < 0) {
|
||||
+ return EIO;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
+int sss_ncache_reset_users(struct sss_nc_ctx *ctx)
|
||||
+{
|
||||
+ const char *prefixes[] = {
|
||||
+ NC_USER_PREFIX,
|
||||
+ NC_UID_PREFIX,
|
||||
+ NULL,
|
||||
+ };
|
||||
+
|
||||
+ return sss_ncache_reset_pfx(ctx, prefixes);
|
||||
+}
|
||||
+
|
||||
+int sss_ncache_reset_groups(struct sss_nc_ctx *ctx)
|
||||
+{
|
||||
+ const char *prefixes[] = {
|
||||
+ NC_GROUP_PREFIX,
|
||||
+ NC_GID_PREFIX,
|
||||
+ NULL,
|
||||
+ };
|
||||
+
|
||||
+ return sss_ncache_reset_pfx(ctx, prefixes);
|
||||
+}
|
||||
+
|
||||
errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
|
||||
struct confdb_ctx *cdb,
|
||||
struct resp_ctx *rctx)
|
||||
diff --git a/src/responder/common/negcache.h b/src/responder/common/negcache.h
|
||||
index 377f97c8b3b20ec5b4a284e08d891737e2e25225..8af736a67aada91d6ac42495399f5de469dec753 100644
|
||||
--- a/src/responder/common/negcache.h
|
||||
+++ b/src/responder/common/negcache.h
|
||||
@@ -78,6 +78,8 @@ int sss_ncache_set_service_port(struct sss_nc_ctx *ctx, bool permanent,
|
||||
uint16_t port, const char *proto);
|
||||
|
||||
int sss_ncache_reset_permanent(struct sss_nc_ctx *ctx);
|
||||
+int sss_ncache_reset_users(struct sss_nc_ctx *ctx);
|
||||
+int sss_ncache_reset_groups(struct sss_nc_ctx *ctx);
|
||||
|
||||
struct resp_ctx;
|
||||
|
||||
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
|
||||
index 14e4fa639a056d712b2453230745d7dc49853dec..d608c20ad3248c80e68029c8c27b826395a61ddc 100644
|
||||
--- a/src/tests/cmocka/test_negcache.c
|
||||
+++ b/src/tests/cmocka/test_negcache.c
|
||||
@@ -785,6 +785,74 @@ static void test_sss_ncache_reset_prepopulate(void **state)
|
||||
ret = check_group_in_ncache(ncache, dom2, "testgroup2");
|
||||
assert_int_equal(ret, EEXIST);
|
||||
}
|
||||
+
|
||||
+static void test_sss_ncache_reset(void **state)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+ struct test_state *ts;
|
||||
+ struct sss_domain_info *dom;
|
||||
+
|
||||
+ ts = talloc_get_type_abort(*state, struct test_state);
|
||||
+ dom = talloc(ts, struct sss_domain_info);
|
||||
+ assert_non_null(dom);
|
||||
+ dom->case_sensitive = true;
|
||||
+
|
||||
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
|
||||
+
|
||||
+ /* Set users */
|
||||
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 123);
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ ret = sss_ncache_set_uid(ts->ctx, false, NULL, 123);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 123);
|
||||
+ assert_int_equal(ret, EEXIST);
|
||||
+
|
||||
+ ret = sss_ncache_check_user(ts->ctx, dom, "foo");
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ ret = sss_ncache_set_user(ts->ctx, false, dom, "foo");
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ ret = sss_ncache_check_user(ts->ctx, dom, "foo");
|
||||
+ assert_int_equal(ret, EEXIST);
|
||||
+
|
||||
+ /* Set groups */
|
||||
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ ret = sss_ncache_set_gid(ts->ctx, false, NULL, 456);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
|
||||
+ assert_int_equal(ret, EEXIST);
|
||||
+
|
||||
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ ret = sss_ncache_set_group(ts->ctx, false, dom, "bar");
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
|
||||
+ assert_int_equal(ret, EEXIST);
|
||||
+
|
||||
+ ret = sss_ncache_reset_users(ts->ctx);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ /* Users are no longer negatively cached */
|
||||
+ ret = sss_ncache_check_user(ts->ctx, dom, "foo");
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 123);
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+
|
||||
+ /* Groups still are */
|
||||
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
|
||||
+ assert_int_equal(ret, EEXIST);
|
||||
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
|
||||
+ assert_int_equal(ret, EEXIST);
|
||||
+
|
||||
+ ret = sss_ncache_reset_groups(ts->ctx);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
|
||||
+ assert_int_equal(ret, ENOENT);
|
||||
+}
|
||||
+
|
||||
int main(void)
|
||||
{
|
||||
int rv;
|
||||
@@ -809,6 +877,8 @@ int main(void)
|
||||
setup, teardown),
|
||||
cmocka_unit_test_setup_teardown(test_sss_ncache_reset_prepopulate,
|
||||
setup, teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
|
||||
+ setup, teardown),
|
||||
};
|
||||
|
||||
tests_set_cwd();
|
||||
--
|
||||
2.9.3
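--- a/0039-ERRORS-Add-ERR_GID_DUPLICATED.patch
+++ b/0039-ERRORS-Add-ERR_GID_DUPLICATED.patch
@@ -0,0 +1,49 @@
+From 454f493664bf117c27634e6efe33ebe7d5a85c56 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Mon, 19 Feb 2018 08:29:36 +0100
+Subject: [PATCH] ERRORS: Add ERR_GID_DUPLICATED
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This new error will be returned from sysdb_add_incomplete_group()
+when renaming a group which will case gid collision.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/2653
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit ccd349f0274217e1f0cc118e3a6045e2235ce420)
+---
+src/util/util_errors.c | 1 +
+src/util/util_errors.h | 1 +
+2 files changed, 2 insertions(+)
+
+diff --git a/src/util/util_errors.c b/src/util/util_errors.c
+index 39ce3d7dc..e2bb2a014 100644
+--- a/src/util/util_errors.c
++++ b/src/util/util_errors.c
+@@ -118,6 +118,7 @@ struct err_string error_to_str[] = {
+{ "GetAccountDomain() not supported" }, /* ERR_GET_ACCT_DOM_NOT_SUPPORTED */
+{ "The last GetAccountDomain() result is still valid" }, /* ERR_GET_ACCT_DOM_CACHED */
+{ "ID is outside the allowed range" }, /* ERR_ID_OUTSIDE_RANGE */
++ { "Group ID is duplicated" }, /* ERR_GID_DUPLICATED */
+{ "ERR_LAST" } /* ERR_LAST */
+};
+
+diff --git a/src/util/util_errors.h b/src/util/util_errors.h
+index ad4dad5f8..49501727d 100644
+--- a/src/util/util_errors.h
++++ b/src/util/util_errors.h
+@@ -140,6 +140,7 @@ enum sssd_errors {
+ERR_GET_ACCT_DOM_NOT_SUPPORTED,
+ERR_GET_ACCT_DOM_CACHED,
+ERR_ID_OUTSIDE_RANGE,
++ ERR_GID_DUPLICATED,
+ERR_LAST /* ALWAYS LAST */
+};
+
+--
+2.14.3
+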
@ -1,193 +0,0 @@
|
||||
From c3a225d4d735d3a01883125592dda7a030a64e00 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 2 Nov 2016 15:59:37 +0100
|
||||
Subject: [PATCH 39/79] NSS: Add sbus interface to clear memory cache
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds three new NSS interface sbus methods to disable memory caches of
|
||||
users, groups and initgroups. It's enough to add this interface to the
|
||||
NSS responder because the NSS responder is the only writer to the memory
|
||||
cache.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/responder/nss/nss_iface.c | 40 ++++++++++++++++++++++++++++++++-
|
||||
src/responder/nss/nss_iface.xml | 6 +++++
|
||||
src/responder/nss/nss_iface_generated.c | 39 ++++++++++++++++++++++++++++++++
|
||||
src/responder/nss/nss_iface_generated.h | 15 +++++++++++++
|
||||
4 files changed, 99 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
|
||||
index 58c70c8a01bfcc143eda14c9185672302345ef75..4a38681b54d6c9d0ac9adece69bdebb3d305fcf9 100644
|
||||
--- a/src/responder/nss/nss_iface.c
|
||||
+++ b/src/responder/nss/nss_iface.c
|
||||
@@ -144,6 +144,41 @@ done:
|
||||
talloc_free(tmp_ctx);
|
||||
}
|
||||
|
||||
+int nss_memorycache_invalidate_users(struct sbus_request *req, void *data)
|
||||
+{
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
+ struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx);
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Invalidating all users in memory cache\n");
|
||||
+ sss_mmap_cache_reset(nctx->pwd_mc_ctx);
|
||||
+
|
||||
+ return iface_nss_memorycache_InvalidateAllUsers_finish(req);
|
||||
+}
|
||||
+
|
||||
+int nss_memorycache_invalidate_groups(struct sbus_request *req, void *data)
|
||||
+{
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
+ struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx);
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Invalidating all groups in memory cache\n");
|
||||
+ sss_mmap_cache_reset(nctx->grp_mc_ctx);
|
||||
+
|
||||
+ return iface_nss_memorycache_InvalidateAllGroups_finish(req);
|
||||
+}
|
||||
+
|
||||
+int nss_memorycache_invalidate_initgroups(struct sbus_request *req, void *data)
|
||||
+{
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
+ struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx);
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS,
|
||||
+ "Invalidating all initgroup records in memory cache\n");
|
||||
+ sss_mmap_cache_reset(nctx->initgr_mc_ctx);
|
||||
+
|
||||
+ return iface_nss_memorycache_InvalidateAllInitgrRecords_finish(req);
|
||||
+}
|
||||
+
|
||||
+
|
||||
int nss_memorycache_update_initgroups(struct sbus_request *sbus_req,
|
||||
void *data,
|
||||
const char *user,
|
||||
@@ -164,7 +199,10 @@ int nss_memorycache_update_initgroups(struct sbus_request *sbus_req,
|
||||
|
||||
struct iface_nss_memorycache iface_nss_memorycache = {
|
||||
{ &iface_nss_memorycache_meta, 0 },
|
||||
- .UpdateInitgroups = nss_memorycache_update_initgroups
|
||||
+ .UpdateInitgroups = nss_memorycache_update_initgroups,
|
||||
+ .InvalidateAllUsers = nss_memorycache_invalidate_users,
|
||||
+ .InvalidateAllGroups = nss_memorycache_invalidate_groups,
|
||||
+ .InvalidateAllInitgrRecords = nss_memorycache_invalidate_initgroups,
|
||||
};
|
||||
|
||||
static struct sbus_iface_map iface_map[] = {
|
||||
diff --git a/src/responder/nss/nss_iface.xml b/src/responder/nss/nss_iface.xml
|
||||
index b7cc4deb77135a592bad2ca62570f206231129b7..79e42c7424e800601bdc2dbe9ecd3e4a49829d68 100644
|
||||
--- a/src/responder/nss/nss_iface.xml
|
||||
+++ b/src/responder/nss/nss_iface.xml
|
||||
@@ -8,5 +8,11 @@
|
||||
<arg name="domain" type="s" direction="in" />
|
||||
<arg name="groups" type="au" direction="in" />
|
||||
</method>
|
||||
+ <method name="InvalidateAllUsers">
|
||||
+ </method>
|
||||
+ <method name="InvalidateAllGroups">
|
||||
+ </method>
|
||||
+ <method name="InvalidateAllInitgrRecords">
|
||||
+ </method>
|
||||
</interface>
|
||||
</node>
|
||||
diff --git a/src/responder/nss/nss_iface_generated.c b/src/responder/nss/nss_iface_generated.c
|
||||
index 2d0031090e33df9c9e9d9fbf1a18825026509803..4c07080148f62c1d8e18e51e1be62bb261a13566 100644
|
||||
--- a/src/responder/nss/nss_iface_generated.c
|
||||
+++ b/src/responder/nss/nss_iface_generated.c
|
||||
@@ -23,6 +23,24 @@ int iface_nss_memorycache_UpdateInitgroups_finish(struct sbus_request *req)
|
||||
DBUS_TYPE_INVALID);
|
||||
}
|
||||
|
||||
+int iface_nss_memorycache_InvalidateAllUsers_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
+int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
+int iface_nss_memorycache_InvalidateAllInitgrRecords_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
/* methods for org.freedesktop.sssd.nss.MemoryCache */
|
||||
const struct sbus_method_meta iface_nss_memorycache__methods[] = {
|
||||
{
|
||||
@@ -32,6 +50,27 @@ const struct sbus_method_meta iface_nss_memorycache__methods[] = {
|
||||
offsetof(struct iface_nss_memorycache, UpdateInitgroups),
|
||||
invoke_ssau_method,
|
||||
},
|
||||
+ {
|
||||
+ "InvalidateAllUsers", /* name */
|
||||
+ NULL, /* no in_args */
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_nss_memorycache, InvalidateAllUsers),
|
||||
+ NULL, /* no invoker */
|
||||
+ },
|
||||
+ {
|
||||
+ "InvalidateAllGroups", /* name */
|
||||
+ NULL, /* no in_args */
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_nss_memorycache, InvalidateAllGroups),
|
||||
+ NULL, /* no invoker */
|
||||
+ },
|
||||
+ {
|
||||
+ "InvalidateAllInitgrRecords", /* name */
|
||||
+ NULL, /* no in_args */
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_nss_memorycache, InvalidateAllInitgrRecords),
|
||||
+ NULL, /* no invoker */
|
||||
+ },
|
||||
{ NULL, }
|
||||
};
|
||||
|
||||
diff --git a/src/responder/nss/nss_iface_generated.h b/src/responder/nss/nss_iface_generated.h
|
||||
index ad902482a9be03a60cbf3663b6f771d0a2020b88..6f4d13a35dc5cbe33182ad8744769b37ce449d50 100644
|
||||
--- a/src/responder/nss/nss_iface_generated.h
|
||||
+++ b/src/responder/nss/nss_iface_generated.h
|
||||
@@ -14,6 +14,9 @@
|
||||
/* constants for org.freedesktop.sssd.nss.MemoryCache */
|
||||
#define IFACE_NSS_MEMORYCACHE "org.freedesktop.sssd.nss.MemoryCache"
|
||||
#define IFACE_NSS_MEMORYCACHE_UPDATEINITGROUPS "UpdateInitgroups"
|
||||
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS "InvalidateAllUsers"
|
||||
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS "InvalidateAllGroups"
|
||||
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGRRECORDS "InvalidateAllInitgrRecords"
|
||||
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus handlers
|
||||
@@ -37,11 +40,23 @@
|
||||
struct iface_nss_memorycache {
|
||||
struct sbus_vtable vtable; /* derive from sbus_vtable */
|
||||
int (*UpdateInitgroups)(struct sbus_request *req, void *data, const char *arg_user, const char *arg_domain, uint32_t arg_groups[], int len_groups);
|
||||
+ int (*InvalidateAllUsers)(struct sbus_request *req, void *data);
|
||||
+ int (*InvalidateAllGroups)(struct sbus_request *req, void *data);
|
||||
+ int (*InvalidateAllInitgrRecords)(struct sbus_request *req, void *data);
|
||||
};
|
||||
|
||||
/* finish function for UpdateInitgroups */
|
||||
int iface_nss_memorycache_UpdateInitgroups_finish(struct sbus_request *req);
|
||||
|
||||
+/* finish function for InvalidateAllUsers */
|
||||
+int iface_nss_memorycache_InvalidateAllUsers_finish(struct sbus_request *req);
|
||||
+
|
||||
+/* finish function for InvalidateAllGroups */
|
||||
+int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req);
|
||||
+
|
||||
+/* finish function for InvalidateAllInitgrRecords */
|
||||
+int iface_nss_memorycache_InvalidateAllInitgrRecords_finish(struct sbus_request *req);
|
||||
+
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus Interface Metadata
|
||||
*
|
||||
--
|
||||
2.9.3
|
||||
|
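--- a/0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch
+++ b/0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch
@@ -0,0 +1,380 @@
+From f60c77df9b7162f46d8639f940d5df31f64f5815 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Mon, 9 Apr 2018 12:36:45 +0200
+Subject: [PATCH] LDAP: Augment the sdap_opts structure with a data provider
+pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In order to be able to use the Data Provider methods from the SDAP code
+to e.g. invalidate memcache when needed, add a new field to the
+sdap_options structure with the data_provider structure pointer.
+
+Fill the pointer value for all LDAP-based providers.
+
+Related:
+https://pagure.io/SSSD/sssd/issue/2653
+
+Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
+(cherry picked from commit d2633d922eeed68f92be4248b9172b928c189920)
+---
+src/providers/ad/ad_common.c | 18 +++++++++++++-----
+src/providers/ad/ad_common.h | 4 ++++
+src/providers/ad/ad_init.c | 5 ++++-
+src/providers/ad/ad_subdomains.c | 8 ++++++--
+src/providers/ipa/ipa_common.c | 2 ++
+src/providers/ipa/ipa_common.h | 1 +
+src/providers/ipa/ipa_init.c | 5 ++++-
+src/providers/ipa/ipa_subdomains_server.c | 2 ++
+src/providers/ldap/ldap_common.h | 1 +
+src/providers/ldap/ldap_init.c | 3 ++-
+src/providers/ldap/ldap_options.c | 2 ++
+src/providers/ldap/sdap.h | 1 +
+src/tests/cmocka/common_mock_sdap.c | 2 +-
+src/tests/cmocka/test_ad_common.c | 3 +++
+14 files changed, 46 insertions(+), 11 deletions(-)
+
+diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
+index 2a1647173..d92c68e6f 100644
+--- a/src/providers/ad/ad_common.c
++++ b/src/providers/ad/ad_common.c
+@@ -35,7 +35,8 @@ static errno_t ad_set_sdap_options(struct ad_options *ad_opts,
+struct sdap_options *id_opts);
+
+static struct sdap_options *
+-ad_create_default_sdap_options(TALLOC_CTX *mem_ctx)
++ad_create_default_sdap_options(TALLOC_CTX *mem_ctx,
++ struct data_provider *dp)
+{
+struct sdap_options *id_opts;
+errno_t ret;
+@@ -44,6 +45,7 @@ ad_create_default_sdap_options(TALLOC_CTX *mem_ctx)
+if (!id_opts) {
+return NULL;
+}
++ id_opts->dp = dp;
+
+ret = dp_copy_defaults(id_opts,
+ad_def_ldap_opts,
+@@ -112,6 +114,7 @@ static errno_t
+ad_create_sdap_options(TALLOC_CTX *mem_ctx,
+struct confdb_ctx *cdb,
+const char *conf_path,
++ struct data_provider *dp,
+struct sdap_options **_id_opts)
+{
+struct sdap_options *id_opts;
+@@ -119,7 +122,7 @@ ad_create_sdap_options(TALLOC_CTX *mem_ctx,
+
+if (cdb == NULL || conf_path == NULL) {
+/* Fallback to defaults if there is no confdb */
+- id_opts = ad_create_default_sdap_options(mem_ctx);
++ id_opts = ad_create_default_sdap_options(mem_ctx, dp);
+if (id_opts == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+"Failed to initialize default sdap options\n");
+@@ -220,6 +223,7 @@ struct ad_options *
+ad_create_options(TALLOC_CTX *mem_ctx,
+struct confdb_ctx *cdb,
+const char *conf_path,
++ struct data_provider *dp,
+struct sss_domain_info *subdom)
+{
+struct ad_options *ad_options;
+@@ -252,6 +256,7 @@ ad_create_options(TALLOC_CTX *mem_ctx,
+ret = ad_create_sdap_options(ad_options,
+cdb,
+conf_path,
++ dp,
+&ad_options->id);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD LDAP options\n");
+@@ -304,6 +309,7 @@ struct ad_options *
+ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
+struct confdb_ctx *cdb,
+const char *conf_path,
++ struct data_provider *dp,
+const char *realm,
+struct sss_domain_info *subdom,
+const char *hostname,
+@@ -315,7 +321,7 @@ ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
+DEBUG(SSSDBG_TRACE_FUNC, "2way trust is defined to domain '%s'\n",
+subdom->name);
+
+- ad_options = ad_create_options(mem_ctx, cdb, conf_path, subdom);
++ ad_options = ad_create_options(mem_ctx, cdb, conf_path, dp, subdom);
+if (ad_options == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
+return NULL;
+@@ -343,6 +349,7 @@ struct ad_options *
+ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
+struct confdb_ctx *cdb,
+const char *subdom_conf_path,
++ struct data_provider *dp,
+struct sss_domain_info *subdom,
+const char *hostname,
+const char *keytab,
+@@ -355,7 +362,7 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
+DEBUG(SSSDBG_TRACE_FUNC, "1way trust is defined to domain '%s'\n",
+subdom->name);
+
+- ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, subdom);
++ ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, dp, subdom);
+if (ad_options == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
+return NULL;
+@@ -1056,12 +1063,13 @@ errno_t
+ad_get_id_options(struct ad_options *ad_opts,
+struct confdb_ctx *cdb,
+const char *conf_path,
++ struct data_provider *dp,
+struct sdap_options **_opts)
+{
+struct sdap_options *id_opts;
+errno_t ret;
+
+- ret = ad_create_sdap_options(ad_opts, cdb, conf_path, &id_opts);
++ ret = ad_create_sdap_options(ad_opts, cdb, conf_path, dp, &id_opts);
+if (ret != EOK) {
+return ENOMEM;
+}
+diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
+index 931aafc6c..6eb2ba7e9 100644
+--- a/src/providers/ad/ad_common.h
++++ b/src/providers/ad/ad_common.h
+@@ -112,11 +112,13 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
+struct ad_options *ad_create_options(TALLOC_CTX *mem_ctx,
+struct confdb_ctx *cdb,
+const char *conf_path,
++ struct data_provider *dp,
+struct sss_domain_info *subdom);
+
+struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
+struct confdb_ctx *cdb,
+const char *conf_path,
++ struct data_provider *dp,
+const char *realm,
+struct sss_domain_info *subdom,
+const char *hostname,
+@@ -125,6 +127,7 @@ struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
+struct ad_options *ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
+struct confdb_ctx *cdb,
+const char *conf_path,
++ struct data_provider *dp,
+struct sss_domain_info *subdom,
+const char *hostname,
+const char *keytab,
+@@ -147,6 +150,7 @@ errno_t
+ad_get_id_options(struct ad_options *ad_opts,
+struct confdb_ctx *cdb,
+const char *conf_path,
++ struct data_provider *dp,
+struct sdap_options **_opts);
+errno_t
+ad_get_autofs_options(struct ad_options *ad_opts,
+diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
+index 8c485a7c2..b19624782 100644
+--- a/src/providers/ad/ad_init.c
++++ b/src/providers/ad/ad_init.c
+@@ -453,7 +453,10 @@ errno_t sssm_ad_init(TALLOC_CTX *mem_ctx,
+
+init_ctx->options->id_ctx = init_ctx->id_ctx;
+
+- ret = ad_get_id_options(init_ctx->options, be_ctx->cdb, be_ctx->conf_path,
++ ret = ad_get_id_options(init_ctx->options,
++ be_ctx->cdb,
++ be_ctx->conf_path,
++ be_ctx->provider,
+&init_ctx->id_ctx->sdap_id_ctx->opts);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD id options\n");
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index bd94ba8ea..74b9f0751 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -265,8 +265,12 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
+return ENOMEM;
+}
+
+- ad_options = ad_create_2way_trust_options(id_ctx, be_ctx->cdb,
+- subdom_conf_path, realm, subdom,
++ ad_options = ad_create_2way_trust_options(id_ctx,
++ be_ctx->cdb,
++ subdom_conf_path,
++ be_ctx->provider,
++ realm,
++ subdom,
+hostname, keytab);
+talloc_free(subdom_conf_path);
+if (ad_options == NULL) {
+diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
+index 2b81d7f3f..87ed96767 100644
+--- a/src/providers/ipa/ipa_common.c
++++ b/src/providers/ipa/ipa_common.c
+@@ -171,6 +171,7 @@ static errno_t ipa_parse_search_base(TALLOC_CTX *mem_ctx,
+int ipa_get_id_options(struct ipa_options *ipa_opts,
+struct confdb_ctx *cdb,
+const char *conf_path,
++ struct data_provider *dp,
+struct sdap_options **_opts)
+{
+TALLOC_CTX *tmpctx;
+@@ -190,6 +191,7 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
+ret = ENOMEM;
+goto done;
+}
++ ipa_opts->id->dp = dp;
+
+ret = sdap_domain_add(ipa_opts->id,
+ipa_opts->id_ctx->sdap_id_ctx->be->domain,
+diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
+index 3a1259ccd..725e0e937 100644
+--- a/src/providers/ipa/ipa_common.h
++++ b/src/providers/ipa/ipa_common.h
+@@ -235,6 +235,7 @@ int ipa_get_options(TALLOC_CTX *memctx,
+int ipa_get_id_options(struct ipa_options *ipa_opts,
+struct confdb_ctx *cdb,
+const char *conf_path,
++ struct data_provider *dp,
+struct sdap_options **_opts);
+
+int ipa_get_auth_options(struct ipa_options *ipa_opts,
+diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
+index cd2227896..931145985 100644
+--- a/src/providers/ipa/ipa_init.c
++++ b/src/providers/ipa/ipa_init.c
+@@ -161,7 +161,10 @@ static errno_t ipa_init_id_ctx(TALLOC_CTX *mem_ctx,
+ipa_id_ctx->sdap_id_ctx = sdap_id_ctx;
+ipa_options->id_ctx = ipa_id_ctx;
+
+- ret = ipa_get_id_options(ipa_options, be_ctx->cdb, be_ctx->conf_path,
++ ret = ipa_get_id_options(ipa_options,
++ be_ctx->cdb,
++ be_ctx->conf_path,
++ be_ctx->provider,
+&sdap_id_ctx->opts);
+if (ret != EOK) {
+goto done;
+diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
+index d670a156b..1e53e7a95 100644
+--- a/src/providers/ipa/ipa_subdomains_server.c
++++ b/src/providers/ipa/ipa_subdomains_server.c
+@@ -148,6 +148,7 @@ ipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx,
+ad_options = ad_create_1way_trust_options(id_ctx,
+be_ctx->cdb,
+subdom_conf_path,
++ be_ctx->provider,
+subdom,
+id_ctx->server_mode->hostname,
+keytab,
+@@ -186,6 +187,7 @@ static struct ad_options *ipa_ad_options_new(struct be_ctx *be_ctx,
+ad_options = ad_create_2way_trust_options(id_ctx,
+be_ctx->cdb,
+subdom_conf_path,
++ be_ctx->provider,
+id_ctx->server_mode->realm,
+subdom,
+id_ctx->server_mode->hostname,
+diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
+index 44dbc3fb0..548f0f985 100644
+--- a/src/providers/ldap/ldap_common.h
++++ b/src/providers/ldap/ldap_common.h
+@@ -193,6 +193,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
+struct sss_domain_info *dom,
+struct confdb_ctx *cdb,
+const char *conf_path,
++ struct data_provider *dp,
+struct sdap_options **_opts);
+
+int ldap_get_sudo_options(struct confdb_ctx *cdb,
+diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
+index 83075b5d3..44b3e9ab3 100644
+--- a/src/providers/ldap/ldap_init.c
++++ b/src/providers/ldap/ldap_init.c
+@@ -458,7 +458,8 @@ errno_t sssm_ldap_init(TALLOC_CTX *mem_ctx,
+
+/* Always initialize options since it is needed everywhere. */
+ret = ldap_get_options(init_ctx, be_ctx->domain, be_ctx->cdb,
+- be_ctx->conf_path, &init_ctx->options);
++ be_ctx->conf_path, be_ctx->provider,
++ &init_ctx->options);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize LDAP options "
+"[%d]: %s\n", ret, sss_strerror(ret));
+diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c
+index ccc1a2c5b..0b79715d2 100644
+--- a/src/providers/ldap/ldap_options.c
++++ b/src/providers/ldap/ldap_options.c
+@@ -27,6 +27,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
+struct sss_domain_info *dom,
+struct confdb_ctx *cdb,
+const char *conf_path,
++ struct data_provider *dp,
+struct sdap_options **_opts)
+{
+struct sdap_attr_map *default_attr_map;
+@@ -57,6 +58,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
+
+opts = talloc_zero(memctx, struct sdap_options);
+if (!opts) return ENOMEM;
++ opts->dp = dp;
+
+ret = sdap_domain_add(opts, dom, NULL);
+if (ret != EOK) {
+diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
+index ecf9c4d2e..e892c4071 100644
+--- a/src/providers/ldap/sdap.h
++++ b/src/providers/ldap/sdap.h
+@@ -465,6 +465,7 @@ struct sdap_certmap_ctx;
+
+struct sdap_options {
+struct dp_option *basic;
++ struct data_provider *dp;
+struct sdap_attr_map *gen_map;
+struct sdap_attr_map *user_map;
+size_t user_map_cnt;
+diff --git a/src/tests/cmocka/common_mock_sdap.c b/src/tests/cmocka/common_mock_sdap.c
+index cef321613..fa4787c4b 100644
+--- a/src/tests/cmocka/common_mock_sdap.c
++++ b/src/tests/cmocka/common_mock_sdap.c
+@@ -48,7 +48,7 @@ struct sdap_options *mock_sdap_options_ldap(TALLOC_CTX *mem_ctx,
+struct sdap_options *opts = NULL;
+errno_t ret;
+
+- ret = ldap_get_options(mem_ctx, domain, confdb_ctx, conf_path, &opts);
++ ret = ldap_get_options(mem_ctx, domain, confdb_ctx, conf_path, NULL, &opts);
+if (ret != EOK) {
+return NULL;
+}
+diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
+index 94f351e19..39ebbc633 100644
+--- a/src/tests/cmocka/test_ad_common.c
++++ b/src/tests/cmocka/test_ad_common.c
+@@ -449,6 +449,7 @@ static void test_ad_create_1way_trust_options(void **state)
+test_ctx->ad_ctx,
+NULL,
+NULL,
++ NULL,
+test_ctx->subdom,
+ONEWAY_HOST_NAME,
+ONEWAY_KEYTAB_PATH,
+@@ -515,6 +516,7 @@ static void test_ad_create_2way_trust_options(void **state)
+test_ctx->ad_ctx,
+NULL,
+NULL,
++ NULL,
+REALMNAME,
+test_ctx->subdom,
+HOST_NAME,
+@@ -585,6 +587,7 @@ test_ldap_conn_setup(void **state)
+ad_ctx,
+NULL,
+NULL,
++ NULL,
+REALMNAME,
+test_ctx->subdom,
+HOST_NAME,
+--
+2.14.3
+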
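Review bot: The new `dp` pointer is stored in ad_create_sdap_options only on the confdb-less fallback path (the `@@ -119,7 +122,7` hunk), and the ad_common.c diffstat (13 insertions, 5 deletions) is fully accounted for by the visible hunks, so the branch that builds the AD sdap_options from confdb, which lies outside this hunk, appears to leave `id_opts->dp` NULL for a normally configured AD domain; if that branch allocates its own sdap_options it needs `id_opts->dp = dp;` as well, mirroring ldap_options.c and ipa_common.c. The field added in the sdap.h hunk carries no comment, while the tests in common_mock_sdap.c and test_ad_common.c deliberately pass NULL, so a reader cannot tell whether a NULL provider is a supported state; a comment such as `struct data_provider *dp; /* back end's provider (presumably borrowed from be_ctx); may be NULL in unit tests */` would state the contract. Any code that later dereferences `opts->dp` should check it for NULL first, since the memcache invalidation this series is building on will otherwise be silently skipped or crash.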
@ -1,111 +0,0 @@
|
||||
From f2047f6c5b56d6759bd8e6d504f572a593476c65 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Mon, 23 Jan 2017 22:55:20 +0100
|
||||
Subject: [PATCH 40/79] NSS: Rename the interface to invalidate memory cache
|
||||
initgroup records for consistency
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
---
|
||||
src/responder/nss/nss_iface.c | 4 ++--
|
||||
src/responder/nss/nss_iface.xml | 2 +-
|
||||
src/responder/nss/nss_iface_generated.c | 6 +++---
|
||||
src/responder/nss/nss_iface_generated.h | 8 ++++----
|
||||
4 files changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
|
||||
index 4a38681b54d6c9d0ac9adece69bdebb3d305fcf9..fee95f8fc6806d2e70112d02690469fb094efa17 100644
|
||||
--- a/src/responder/nss/nss_iface.c
|
||||
+++ b/src/responder/nss/nss_iface.c
|
||||
@@ -175,7 +175,7 @@ int nss_memorycache_invalidate_initgroups(struct sbus_request *req, void *data)
|
||||
"Invalidating all initgroup records in memory cache\n");
|
||||
sss_mmap_cache_reset(nctx->initgr_mc_ctx);
|
||||
|
||||
- return iface_nss_memorycache_InvalidateAllInitgrRecords_finish(req);
|
||||
+ return iface_nss_memorycache_InvalidateAllInitgroups_finish(req);
|
||||
}
|
||||
|
||||
|
||||
@@ -202,7 +202,7 @@ struct iface_nss_memorycache iface_nss_memorycache = {
|
||||
.UpdateInitgroups = nss_memorycache_update_initgroups,
|
||||
.InvalidateAllUsers = nss_memorycache_invalidate_users,
|
||||
.InvalidateAllGroups = nss_memorycache_invalidate_groups,
|
||||
- .InvalidateAllInitgrRecords = nss_memorycache_invalidate_initgroups,
|
||||
+ .InvalidateAllInitgroups = nss_memorycache_invalidate_initgroups,
|
||||
};
|
||||
|
||||
static struct sbus_iface_map iface_map[] = {
|
||||
diff --git a/src/responder/nss/nss_iface.xml b/src/responder/nss/nss_iface.xml
|
||||
index 79e42c7424e800601bdc2dbe9ecd3e4a49829d68..27aae019758c49ab7ec04161394d58da88077b60 100644
|
||||
--- a/src/responder/nss/nss_iface.xml
|
||||
+++ b/src/responder/nss/nss_iface.xml
|
||||
@@ -12,7 +12,7 @@
|
||||
</method>
|
||||
<method name="InvalidateAllGroups">
|
||||
</method>
|
||||
- <method name="InvalidateAllInitgrRecords">
|
||||
+ <method name="InvalidateAllInitgroups">
|
||||
</method>
|
||||
</interface>
|
||||
</node>
|
||||
diff --git a/src/responder/nss/nss_iface_generated.c b/src/responder/nss/nss_iface_generated.c
|
||||
index 4c07080148f62c1d8e18e51e1be62bb261a13566..e4f3aec2d1394fbbe75185acfa68b6f947c0e142 100644
|
||||
--- a/src/responder/nss/nss_iface_generated.c
|
||||
+++ b/src/responder/nss/nss_iface_generated.c
|
||||
@@ -35,7 +35,7 @@ int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req)
|
||||
DBUS_TYPE_INVALID);
|
||||
}
|
||||
|
||||
-int iface_nss_memorycache_InvalidateAllInitgrRecords_finish(struct sbus_request *req)
|
||||
+int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *req)
|
||||
{
|
||||
return sbus_request_return_and_finish(req,
|
||||
DBUS_TYPE_INVALID);
|
||||
@@ -65,10 +65,10 @@ const struct sbus_method_meta iface_nss_memorycache__methods[] = {
|
||||
NULL, /* no invoker */
|
||||
},
|
||||
{
|
||||
- "InvalidateAllInitgrRecords", /* name */
|
||||
+ "InvalidateAllInitgroups", /* name */
|
||||
NULL, /* no in_args */
|
||||
NULL, /* no out_args */
|
||||
- offsetof(struct iface_nss_memorycache, InvalidateAllInitgrRecords),
|
||||
+ offsetof(struct iface_nss_memorycache, InvalidateAllInitgroups),
|
||||
NULL, /* no invoker */
|
||||
},
|
||||
{ NULL, }
|
||||
diff --git a/src/responder/nss/nss_iface_generated.h b/src/responder/nss/nss_iface_generated.h
|
||||
index 6f4d13a35dc5cbe33182ad8744769b37ce449d50..cacadc57808d6f16998889cccf0c5973682bbe5d 100644
|
||||
--- a/src/responder/nss/nss_iface_generated.h
|
||||
+++ b/src/responder/nss/nss_iface_generated.h
|
||||
@@ -16,7 +16,7 @@
|
||||
#define IFACE_NSS_MEMORYCACHE_UPDATEINITGROUPS "UpdateInitgroups"
|
||||
#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS "InvalidateAllUsers"
|
||||
#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS "InvalidateAllGroups"
|
||||
-#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGRRECORDS "InvalidateAllInitgrRecords"
|
||||
+#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS "InvalidateAllInitgroups"
|
||||
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus handlers
|
||||
@@ -42,7 +42,7 @@ struct iface_nss_memorycache {
|
||||
int (*UpdateInitgroups)(struct sbus_request *req, void *data, const char *arg_user, const char *arg_domain, uint32_t arg_groups[], int len_groups);
|
||||
int (*InvalidateAllUsers)(struct sbus_request *req, void *data);
|
||||
int (*InvalidateAllGroups)(struct sbus_request *req, void *data);
|
||||
- int (*InvalidateAllInitgrRecords)(struct sbus_request *req, void *data);
|
||||
+ int (*InvalidateAllInitgroups)(struct sbus_request *req, void *data);
|
||||
};
|
||||
|
||||
/* finish function for UpdateInitgroups */
|
||||
@@ -54,8 +54,8 @@ int iface_nss_memorycache_InvalidateAllUsers_finish(struct sbus_request *req);
|
||||
/* finish function for InvalidateAllGroups */
|
||||
int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req);
|
||||
|
||||
-/* finish function for InvalidateAllInitgrRecords */
|
||||
-int iface_nss_memorycache_InvalidateAllInitgrRecords_finish(struct sbus_request *req);
|
||||
+/* finish function for InvalidateAllInitgroups */
|
||||
+int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *req);
|
||||
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus Interface Metadata
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,95 @@
|
||||
From 87a0027c7dbc54422ac519ef8eef0323baff4b60 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Mon, 19 Feb 2018 12:43:06 +0100
|
||||
Subject: [PATCH] SDAP: Add sdap_handle_id_collision_for_incomplete_groups()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This newly added function is a helper to properly hadle group
|
||||
id-collisions when renaming incomplete groups and it does:
|
||||
- Deletes the group from sysdb
|
||||
- Adds the new incomplete group
|
||||
- Notifies the NSS responder that the entry also has to be deleted from
|
||||
the memory cache
|
||||
|
||||
This function will be called from
|
||||
sdap_ad_save_group_membership_with_idmapping() and from
|
||||
sdap_add_incomplete_groups().
|
||||
|
||||
Related:
|
||||
https://pagure.io/SSSD/sssd/issue/2653
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit a537df2ea99acb0181dc360ddf9a60b69c16faf0)
|
||||
---
|
||||
src/providers/ldap/sdap_async.h | 11 ++++++++++
|
||||
src/providers/ldap/sdap_async_initgroups.c | 34 ++++++++++++++++++++++++++++++
|
||||
2 files changed, 45 insertions(+)
|
||||
|
||||
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
|
||||
index 40da81fb9..6ca3ed8d8 100644
|
||||
--- a/src/providers/ldap/sdap_async.h
|
||||
+++ b/src/providers/ldap/sdap_async.h
|
||||
@@ -412,4 +412,15 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
|
||||
errno_t
|
||||
sdap_ad_tokengroups_initgroups_recv(struct tevent_req *req);
|
||||
|
||||
+errno_t
|
||||
+sdap_handle_id_collision_for_incomplete_groups(struct data_provider *dp,
|
||||
+ struct sss_domain_info *domain,
|
||||
+ const char *name,
|
||||
+ gid_t gid,
|
||||
+ const char *original_dn,
|
||||
+ const char *sid_str,
|
||||
+ const char *uuid,
|
||||
+ bool posix,
|
||||
+ time_t now);
|
||||
+
|
||||
#endif /* _SDAP_ASYNC_H_ */
|
||||
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
|
||||
index 326294a1c..34747be59 100644
|
||||
--- a/src/providers/ldap/sdap_async_initgroups.c
|
||||
+++ b/src/providers/ldap/sdap_async_initgroups.c
|
||||
@@ -3543,3 +3543,37 @@ errno_t get_sysdb_grouplist_dn(TALLOC_CTX *mem_ctx,
|
||||
return get_sysdb_grouplist_ex(mem_ctx, sysdb, domain,
|
||||
name, grouplist, true);
|
||||
}
|
||||
+
|
||||
+errno_t
|
||||
+sdap_handle_id_collision_for_incomplete_groups(struct data_provider *dp,
|
||||
+ struct sss_domain_info *domain,
|
||||
+ const char *name,
|
||||
+ gid_t gid,
|
||||
+ const char *original_dn,
|
||||
+ const char *sid_str,
|
||||
+ const char *uuid,
|
||||
+ bool posix,
|
||||
+ time_t now)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ ret = sysdb_delete_group(domain, NULL, gid);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ "Due to an id collision, the new group with gid [\"%"PRIu32"\"] "
|
||||
+ "will not be added as the old group (with the same gid) could "
|
||||
+ "not be removed from the sysdb!",
|
||||
+ gid);
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_add_incomplete_group(domain, name, gid, original_dn, sid_str,
|
||||
+ uuid, posix, now);
|
||||
+ if (ret != EOK) {
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+ dp_sbus_invalidate_group_memcache(dp, gid);
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
--
|
||||
2.14.3
|
||||
|
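Review bot: In sdap_handle_id_collision_for_incomplete_groups, when sysdb_add_incomplete_group() fails the function returns before dp_sbus_invalidate_group_memcache() runs, so the old group has already been removed from sysdb while the NSS memory cache keeps serving it under that gid; moving `dp_sbus_invalidate_group_memcache(dp, gid);` to directly after the successful sysdb_delete_group() keeps the two caches consistent on both the success and the failure path. The DEBUG message on the delete-failure path has no trailing newline, unlike the other DEBUG strings in this series; it should end `"not be removed from the sysdb!\n",`. Whether dp_sbus_invalidate_group_memcache() tolerates a NULL dp is not visible here, and the 0040 patch on this page shows unit tests constructing sdap_options with a NULL provider, so either a NULL guard or a documented non-NULL precondition on the sdap_async.h declaration would help.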
@ -1,56 +0,0 @@
|
||||
From 2d1a59f6c2cf3cf4667cf2d01b2d780db916db42 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 10 Feb 2017 12:22:23 +0100
|
||||
Subject: [PATCH 41/79] UTIL: Add a new domain state called DOM_INCONSISTENT
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is a new domain state that indicates to the responder that it
|
||||
should always send a DP request because the provider is rebuilding the
|
||||
cache.
|
||||
|
||||
Currently it will be only used by the files provider when it is updating
|
||||
the cache to make sure sssd always returns current data and updating the
|
||||
cache from files is not as racy.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/confdb/confdb.h | 4 ++++
|
||||
src/providers/data_provider_be.c | 4 +++-
|
||||
2 files changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
||||
index dd6ac77f5a787b0434b56fccba49aa195b13297a..7c944698157619652441fb0722a4363053d6a8f3 100644
|
||||
--- a/src/confdb/confdb.h
|
||||
+++ b/src/confdb/confdb.h
|
||||
@@ -248,6 +248,10 @@ enum sss_domain_state {
|
||||
* return cached data
|
||||
*/
|
||||
DOM_INACTIVE,
|
||||
+ /** Domain is being updated. Responders should ignore cached data and
|
||||
+ * always contact the DP
|
||||
+ */
|
||||
+ DOM_INCONSISTENT,
|
||||
};
|
||||
|
||||
/**
|
||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
||||
index 12b5f43d0b5d514ce06ae8875ae2a75d37f84f88..7e7b74c36993489a93c15ad9acb33af7864f852d 100644
|
||||
--- a/src/providers/data_provider_be.c
|
||||
+++ b/src/providers/data_provider_be.c
|
||||
@@ -166,8 +166,10 @@ static void be_mark_subdom_offline(struct sss_domain_info *subdom,
|
||||
tv = tevent_timeval_current_ofs(reset_status_timeout, 0);
|
||||
|
||||
switch (subdom->state) {
|
||||
+ case DOM_INCONSISTENT:
|
||||
case DOM_DISABLED:
|
||||
- DEBUG(SSSDBG_MINOR_FAILURE, "Won't touch disabled subdomain\n");
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
||||
+ "Won't touch disabled or inconsistent subdomain\n");
|
||||
return;
|
||||
case DOM_INACTIVE:
|
||||
DEBUG(SSSDBG_TRACE_ALL, "Subdomain already inactive\n");
|
||||
--
|
||||
2.9.3
|
||||
|
@ -1,561 +0,0 @@
|
||||
From c109f063b4469818fd335b8b509f0458e7b33b0a Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Sun, 30 Oct 2016 07:05:43 +0100
|
||||
Subject: [PATCH 42/79] RESPONDER: Add a responder sbus interface to set domain
|
||||
state
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds a generic responder s-bus interface that all responders implement.
|
||||
The interface currently contains methods that make it possible for a sssd
|
||||
domain to be marked as active or inconsistent by a back end.
|
||||
|
||||
In the future, this commit will be superseded by sbus signals.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
Makefile.am | 18 ++++-
|
||||
src/responder/common/iface/responder_domain.c | 73 ++++++++++++++++++++
|
||||
src/responder/common/iface/responder_iface.c | 36 ++++++++++
|
||||
src/responder/common/iface/responder_iface.h | 37 ++++++++++
|
||||
src/responder/common/iface/responder_iface.xml | 13 ++++
|
||||
.../common/iface/responder_iface_generated.c | 78 ++++++++++++++++++++++
|
||||
.../common/iface/responder_iface_generated.h | 63 +++++++++++++++++
|
||||
src/responder/common/responder_common.c | 15 +++++
|
||||
src/tests/cwrap/Makefile.am | 12 ++++
|
||||
src/util/domain_info_utils.c | 19 ++++++
|
||||
10 files changed, 362 insertions(+), 2 deletions(-)
|
||||
create mode 100644 src/responder/common/iface/responder_domain.c
|
||||
create mode 100644 src/responder/common/iface/responder_iface.c
|
||||
create mode 100644 src/responder/common/iface/responder_iface.h
|
||||
create mode 100644 src/responder/common/iface/responder_iface.xml
|
||||
create mode 100644 src/responder/common/iface/responder_iface_generated.c
|
||||
create mode 100644 src/responder/common/iface/responder_iface_generated.h
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 2304b39c7eb75225f7cd8cbc30d23592506c146e..32f62b5b4391e5d6efb7f7dc19e9b29eaa658550 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -516,6 +516,12 @@ SSSD_CACHE_REQ_OBJ = \
|
||||
src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
|
||||
$(NULL)
|
||||
|
||||
+SSSD_RESPONDER_IFACE_OBJ = \
|
||||
+ src/responder/common/iface/responder_iface.c \
|
||||
+ src/responder/common/iface/responder_domain.c \
|
||||
+ src/responder/common/iface/responder_iface_generated.c \
|
||||
+ $(NULL)
|
||||
+
|
||||
SSSD_RESPONDER_OBJ = \
|
||||
src/responder/common/negcache_files.c \
|
||||
src/responder/common/negcache.c \
|
||||
@@ -530,6 +536,7 @@ SSSD_RESPONDER_OBJ = \
|
||||
src/responder/common/data_provider/rdp_client.c \
|
||||
src/monitor/monitor_iface_generated.c \
|
||||
src/providers/data_provider_req.c \
|
||||
+ $(SSSD_RESPONDER_IFACE_OBJ) \
|
||||
$(SSSD_CACHE_REQ_OBJ) \
|
||||
$(NULL)
|
||||
|
||||
@@ -640,6 +647,8 @@ dist_noinst_HEADERS = \
|
||||
src/responder/common/responder.h \
|
||||
src/responder/common/responder_packet.h \
|
||||
src/responder/common/responder_sbus.h \
|
||||
+ src/responder/common/iface/responder_iface.h \
|
||||
+ src/responder/common/iface/responder_iface_generated.h \
|
||||
src/responder/common/cache_req/cache_req.h \
|
||||
src/responder/common/cache_req/cache_req_plugin.h \
|
||||
src/responder/common/cache_req/cache_req_private.h \
|
||||
@@ -1221,7 +1230,9 @@ CODEGEN_XML = \
|
||||
$(srcdir)/src/providers/data_provider/dp_iface.xml \
|
||||
$(srcdir)/src/providers/proxy/proxy_iface.xml \
|
||||
$(srcdir)/src/responder/ifp/ifp_iface.xml \
|
||||
- $(srcdir)/src/responder/nss/nss_iface.xml
|
||||
+ $(srcdir)/src/responder/nss/nss_iface.xml \
|
||||
+ $(srcdir)/src/responder/common/iface/responder_iface.xml \
|
||||
+ $(NULL)
|
||||
|
||||
SBUS_CODEGEN = src/sbus/sbus_codegen
|
||||
|
||||
@@ -2038,7 +2049,9 @@ responder_socket_access_tests_SOURCES = \
|
||||
src/responder/common/responder_packet.c \
|
||||
src/responder/common/responder_cmd.c \
|
||||
src/responder/common/data_provider/rdp_message.c \
|
||||
- src/responder/common/data_provider/rdp_client.c
|
||||
+ src/responder/common/data_provider/rdp_client.c \
|
||||
+ $(SSSD_RESPONDER_IFACE_OBJ) \
|
||||
+ $(NULL)
|
||||
responder_socket_access_tests_CFLAGS = \
|
||||
$(AM_CFLAGS) \
|
||||
$(CHECK_CFLAGS)
|
||||
@@ -2125,6 +2138,7 @@ TEST_MOCK_RESP_OBJ = \
|
||||
src/responder/common/data_provider/rdp_client.c \
|
||||
src/responder/common/responder_utils.c \
|
||||
$(SSSD_CACHE_REQ_OBJ) \
|
||||
+ $(SSSD_RESPONDER_IFACE_OBJ) \
|
||||
$(NULL)
|
||||
|
||||
TEST_MOCK_PROVIDER_OBJ = \
|
||||
diff --git a/src/responder/common/iface/responder_domain.c b/src/responder/common/iface/responder_domain.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..2e7f788550b3cd0dcec20fc5b91fe8a4cb366875
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/iface/responder_domain.c
|
||||
@@ -0,0 +1,73 @@
|
||||
+/*
|
||||
+ Copyright (C) 2016 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include <errno.h>
|
||||
+
|
||||
+#include "util/util.h"
|
||||
+#include "sbus/sssd_dbus.h"
|
||||
+#include "responder/common/responder.h"
|
||||
+#include "responder/common/iface/responder_iface.h"
|
||||
+
|
||||
+static void set_domain_state_by_name(struct resp_ctx *rctx,
|
||||
+ const char *domain_name,
|
||||
+ enum sss_domain_state state)
|
||||
+{
|
||||
+ struct sss_domain_info *dom;
|
||||
+
|
||||
+ if (domain_name == NULL) {
|
||||
+ DEBUG(SSSDBG_MINOR_FAILURE, "BUG: NULL domain name\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Setting state of domain %s\n", domain_name);
|
||||
+
|
||||
+ for (dom = rctx->domains;
|
||||
+ dom != NULL;
|
||||
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
|
||||
+
|
||||
+ if (strcasecmp(dom->name, domain_name) == 0) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (dom != NULL) {
|
||||
+ sss_domain_set_state(dom, state);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+int sss_resp_domain_active(struct sbus_request *req,
|
||||
+ void *data,
|
||||
+ const char *domain_name)
|
||||
+{
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Enabling domain %s\n", domain_name);
|
||||
+ set_domain_state_by_name(rctx, domain_name, DOM_ACTIVE);
|
||||
+ return iface_responder_domain_SetActive_finish(req);
|
||||
+}
|
||||
+
|
||||
+int sss_resp_domain_inconsistent(struct sbus_request *req,
|
||||
+ void *data,
|
||||
+ const char *domain_name)
|
||||
+{
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS, "Disabling domain %s\n", domain_name);
|
||||
+ set_domain_state_by_name(rctx, domain_name, DOM_INCONSISTENT);
|
||||
+ return iface_responder_domain_SetInconsistent_finish(req);
|
||||
+}
|
||||
diff --git a/src/responder/common/iface/responder_iface.c b/src/responder/common/iface/responder_iface.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..f1e618b659af3e7a5ffa1b7307f3d61124180f0c
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/iface/responder_iface.c
|
||||
@@ -0,0 +1,36 @@
|
||||
+/*
|
||||
+ Copyright (C) 2016 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include "sbus/sssd_dbus.h"
|
||||
+#include "responder/common/iface/responder_iface.h"
|
||||
+#include "responder/common/responder.h"
|
||||
+
|
||||
+struct iface_responder_domain iface_responder_domain = {
|
||||
+ { &iface_responder_domain_meta, 0 },
|
||||
+ .SetActive = sss_resp_domain_active,
|
||||
+ .SetInconsistent = sss_resp_domain_inconsistent,
|
||||
+};
|
||||
+
|
||||
+static struct sbus_iface_map iface_map[] = {
|
||||
+ { RESPONDER_PATH, &iface_responder_domain.vtable },
|
||||
+ { NULL, NULL }
|
||||
+};
|
||||
+
|
||||
+struct sbus_iface_map *responder_get_sbus_interface()
|
||||
+{
|
||||
+ return iface_map;
|
||||
+}
|
||||
diff --git a/src/responder/common/iface/responder_iface.h b/src/responder/common/iface/responder_iface.h
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..abd7c83ce0b0efbc13867ffb56ec871503c92567
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/iface/responder_iface.h
|
||||
@@ -0,0 +1,37 @@
|
||||
+/*
|
||||
+ Copyright (C) 2016 Red Hat
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#ifndef _RESPONDER_IFACE_H_
|
||||
+#define _RESPONDER_IFACE_H_
|
||||
+
|
||||
+#include "responder/common/iface/responder_iface_generated.h"
|
||||
+
|
||||
+#define RESPONDER_PATH "/org/freedesktop/sssd/responder"
|
||||
+
|
||||
+struct sbus_iface_map *responder_get_sbus_interface(void);
|
||||
+
|
||||
+/* org.freedesktop.sssd.Responder.Domain */
|
||||
+
|
||||
+int sss_resp_domain_active(struct sbus_request *req,
|
||||
+ void *data,
|
||||
+ const char *domain_name);
|
||||
+
|
||||
+int sss_resp_domain_inconsistent(struct sbus_request *req,
|
||||
+ void *data,
|
||||
+ const char *domain_name);
|
||||
+
|
||||
+#endif /* _RESPONDER_IFACE_H_ */
|
||||
diff --git a/src/responder/common/iface/responder_iface.xml b/src/responder/common/iface/responder_iface.xml
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..d3d0ff40ed5a8457492f2f54d551d9ae20cc56c3
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/iface/responder_iface.xml
|
||||
@@ -0,0 +1,13 @@
|
||||
+<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
|
||||
+ "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
|
||||
+<node>
|
||||
+ <interface name="org.freedesktop.sssd.Responder.Domain">
|
||||
+ <annotation value="iface_responder_domain" name="org.freedesktop.DBus.GLib.CSymbol"/>
|
||||
+ <method name="SetActive">
|
||||
+ <arg name="name" type="s" direction="in" />
|
||||
+ </method>
|
||||
+ <method name="SetInconsistent">
|
||||
+ <arg name="name" type="s" direction="in" />
|
||||
+ </method>
|
||||
+ </interface>
|
||||
+</node>
|
||||
diff --git a/src/responder/common/iface/responder_iface_generated.c b/src/responder/common/iface/responder_iface_generated.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..1d59eafed0eb739fb208c864b5b726cf9883df94
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/iface/responder_iface_generated.c
|
||||
@@ -0,0 +1,78 @@
|
||||
+/* The following definitions are auto-generated from responder_iface.xml */
|
||||
+
|
||||
+#include "util/util.h"
|
||||
+#include "sbus/sssd_dbus.h"
|
||||
+#include "sbus/sssd_dbus_meta.h"
|
||||
+#include "sbus/sssd_dbus_invokers.h"
|
||||
+#include "responder_iface_generated.h"
|
||||
+
|
||||
+/* invokes a handler with a 's' DBus signature */
|
||||
+static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr);
|
||||
+
|
||||
+/* arguments for org.freedesktop.sssd.Responder.Domain.SetActive */
|
||||
+const struct sbus_arg_meta iface_responder_domain_SetActive__in[] = {
|
||||
+ { "name", "s" },
|
||||
+ { NULL, }
|
||||
+};
|
||||
+
|
||||
+int iface_responder_domain_SetActive_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
+/* arguments for org.freedesktop.sssd.Responder.Domain.SetInconsistent */
|
||||
+const struct sbus_arg_meta iface_responder_domain_SetInconsistent__in[] = {
|
||||
+ { "name", "s" },
|
||||
+ { NULL, }
|
||||
+};
|
||||
+
|
||||
+int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
+/* methods for org.freedesktop.sssd.Responder.Domain */
|
||||
+const struct sbus_method_meta iface_responder_domain__methods[] = {
|
||||
+ {
|
||||
+ "SetActive", /* name */
|
||||
+ iface_responder_domain_SetActive__in,
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_responder_domain, SetActive),
|
||||
+ invoke_s_method,
|
||||
+ },
|
||||
+ {
|
||||
+ "SetInconsistent", /* name */
|
||||
+ iface_responder_domain_SetInconsistent__in,
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_responder_domain, SetInconsistent),
|
||||
+ invoke_s_method,
|
||||
+ },
|
||||
+ { NULL, }
|
||||
+};
|
||||
+
|
||||
+/* interface info for org.freedesktop.sssd.Responder.Domain */
|
||||
+const struct sbus_interface_meta iface_responder_domain_meta = {
|
||||
+ "org.freedesktop.sssd.Responder.Domain", /* name */
|
||||
+ iface_responder_domain__methods,
|
||||
+ NULL, /* no signals */
|
||||
+ NULL, /* no properties */
|
||||
+ sbus_invoke_get_all, /* GetAll invoker */
|
||||
+};
|
||||
+
|
||||
+/* invokes a handler with a 's' DBus signature */
|
||||
+static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr)
|
||||
+{
|
||||
+ const char * arg_0;
|
||||
+ int (*handler)(struct sbus_request *, void *, const char *) = function_ptr;
|
||||
+
|
||||
+ if (!sbus_request_parse_or_finish(dbus_req,
|
||||
+ DBUS_TYPE_STRING, &arg_0,
|
||||
+ DBUS_TYPE_INVALID)) {
|
||||
+ return EOK; /* request handled */
|
||||
+ }
|
||||
+
|
||||
+ return (handler)(dbus_req, dbus_req->intf->handler_data,
|
||||
+ arg_0);
|
||||
+}
|
||||
diff --git a/src/responder/common/iface/responder_iface_generated.h b/src/responder/common/iface/responder_iface_generated.h
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..e7f5c64feb062e13dc04352128cada6883f6f4fa
|
||||
--- /dev/null
|
||||
+++ b/src/responder/common/iface/responder_iface_generated.h
|
||||
@@ -0,0 +1,63 @@
|
||||
+/* The following declarations are auto-generated from responder_iface.xml */
|
||||
+
|
||||
+#ifndef __RESPONDER_IFACE_XML__
|
||||
+#define __RESPONDER_IFACE_XML__
|
||||
+
|
||||
+#include "sbus/sssd_dbus.h"
|
||||
+
|
||||
+/* ------------------------------------------------------------------------
|
||||
+ * DBus Constants
|
||||
+ *
|
||||
+ * Various constants of interface and method names mostly for use by clients
|
||||
+ */
|
||||
+
|
||||
+/* constants for org.freedesktop.sssd.Responder.Domain */
|
||||
+#define IFACE_RESPONDER_DOMAIN "org.freedesktop.sssd.Responder.Domain"
|
||||
+#define IFACE_RESPONDER_DOMAIN_SETACTIVE "SetActive"
|
||||
+#define IFACE_RESPONDER_DOMAIN_SETINCONSISTENT "SetInconsistent"
|
||||
+
|
||||
+/* ------------------------------------------------------------------------
|
||||
+ * DBus handlers
|
||||
+ *
|
||||
+ * These structures are filled in by implementors of the different
|
||||
+ * dbus interfaces to handle method calls.
|
||||
+ *
|
||||
+ * Handler functions of type sbus_msg_handler_fn accept raw messages,
|
||||
+ * other handlers are typed appropriately. If a handler that is
|
||||
+ * set to NULL is invoked it will result in a
|
||||
+ * org.freedesktop.DBus.Error.NotSupported error for the caller.
|
||||
+ *
|
||||
+ * Handlers have a matching xxx_finish() function (unless the method has
|
||||
+ * accepts raw messages). These finish functions the
|
||||
+ * sbus_request_return_and_finish() with the appropriate arguments to
|
||||
+ * construct a valid reply. Once a finish function has been called, the
|
||||
+ * @dbus_req it was called with is freed and no longer valid.
|
||||
+ */
|
||||
+
|
||||
+/* vtable for org.freedesktop.sssd.Responder.Domain */
|
||||
+struct iface_responder_domain {
|
||||
+ struct sbus_vtable vtable; /* derive from sbus_vtable */
|
||||
+ int (*SetActive)(struct sbus_request *req, void *data, const char *arg_name);
|
||||
+ int (*SetInconsistent)(struct sbus_request *req, void *data, const char *arg_name);
|
||||
+};
|
||||
+
|
||||
+/* finish function for SetActive */
|
||||
+int iface_responder_domain_SetActive_finish(struct sbus_request *req);
|
||||
+
|
||||
+/* finish function for SetInconsistent */
|
||||
+int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req);
|
||||
+
|
||||
+/* ------------------------------------------------------------------------
|
||||
+ * DBus Interface Metadata
|
||||
+ *
|
||||
+ * These structure definitions are filled in with the information about
|
||||
+ * the interfaces, methods, properties and so on.
|
||||
+ *
|
||||
+ * The actual definitions are found in the accompanying C file next
|
||||
+ * to this header.
|
||||
+ */
|
||||
+
|
||||
+/* interface info for org.freedesktop.sssd.Responder.Domain */
|
||||
+extern const struct sbus_interface_meta iface_responder_domain_meta;
|
||||
+
|
||||
+#endif /* __RESPONDER_IFACE_XML__ */
|
||||
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
|
||||
index 67922bfccda8f00f256a4d1281aebfe20950d169..1959247ffda76d5041bc031c4c774aef9e0295d8 100644
|
||||
--- a/src/responder/common/responder_common.c
|
||||
+++ b/src/responder/common/responder_common.c
|
||||
@@ -38,6 +38,7 @@
|
||||
#include "confdb/confdb.h"
|
||||
#include "sbus/sssd_dbus.h"
|
||||
#include "responder/common/responder.h"
|
||||
+#include "responder/common/iface/responder_iface.h"
|
||||
#include "responder/common/responder_packet.h"
|
||||
#include "providers/data_provider.h"
|
||||
#include "monitor/monitor_interfaces.h"
|
||||
@@ -666,6 +667,7 @@ static int sss_dp_init(struct resp_ctx *rctx,
|
||||
{
|
||||
struct be_conn *be_conn;
|
||||
int ret;
|
||||
+ struct sbus_iface_map *resp_sbus_iface;
|
||||
|
||||
be_conn = talloc_zero(rctx, struct be_conn);
|
||||
if (!be_conn) return ENOMEM;
|
||||
@@ -697,6 +699,19 @@ static int sss_dp_init(struct resp_ctx *rctx,
|
||||
}
|
||||
}
|
||||
|
||||
+ resp_sbus_iface = responder_get_sbus_interface();
|
||||
+ if (resp_sbus_iface != NULL) {
|
||||
+ ret = sbus_conn_register_iface_map(be_conn->conn,
|
||||
+ resp_sbus_iface,
|
||||
+ rctx);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "Cannot register generic responder iface at %s: %d\n",
|
||||
+ resp_sbus_iface->path, ret);
|
||||
+ return ret;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
DLIST_ADD_END(rctx->be_conns, be_conn, struct be_conn *);
|
||||
|
||||
/* Identify ourselves to the DP */
|
||||
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
|
||||
index 09a8b5307dd3ebf9c7f27148097a90eac527a213..f50e9aa58fa5f2b0b8aa144582500d925a0a6438 100644
|
||||
--- a/src/tests/cwrap/Makefile.am
|
||||
+++ b/src/tests/cwrap/Makefile.am
|
||||
@@ -63,6 +63,12 @@ SSSD_CACHE_REQ_OBJ = \
|
||||
../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
|
||||
$(NULL)
|
||||
|
||||
+SSSD_RESPONDER_IFACE_OBJ = \
|
||||
+ ../../../src/responder/common/iface/responder_iface.c \
|
||||
+ ../../../src/responder/common/iface/responder_domain.c \
|
||||
+ ../../../src/responder/common/iface/responder_iface_generated.c \
|
||||
+ $(NULL)
|
||||
+
|
||||
SSSD_RESPONDER_OBJ = \
|
||||
../../../src/responder/common/negcache_files.c \
|
||||
../../../src/responder/common/negcache.c \
|
||||
@@ -77,6 +83,7 @@ SSSD_RESPONDER_OBJ = \
|
||||
../../../src/responder/common/data_provider/rdp_client.c \
|
||||
../../../src/monitor/monitor_iface_generated.c \
|
||||
../../../src/providers/data_provider_req.c \
|
||||
+ $(SSSD_RESPONDER_IFACE_OBJ) \
|
||||
$(SSSD_CACHE_REQ_OBJ) \
|
||||
$(NULL)
|
||||
|
||||
@@ -158,6 +165,9 @@ endif
|
||||
|
||||
responder_common_tests_SOURCES =\
|
||||
test_responder_common.c \
|
||||
+ ../../../src/responder/common/iface/responder_iface.c \
|
||||
+ ../../../src/responder/common/iface/responder_domain.c \
|
||||
+ ../../../src/responder/common/iface/responder_iface_generated.c \
|
||||
../../../src/responder/common/negcache_files.c \
|
||||
../../../src/responder/common/negcache.c \
|
||||
../../../src/responder/common/data_provider/rdp_message.c \
|
||||
@@ -165,6 +175,8 @@ responder_common_tests_SOURCES =\
|
||||
../../../src/responder/common/responder_common.c \
|
||||
../../../src/responder/common/responder_packet.c \
|
||||
../../../src/responder/common/responder_cmd.c \
|
||||
+ ../../../src/tests/cmocka/common_mock_resp_dp.c \
|
||||
+ $(SSSD_CACHE_REQ_OBJ) \
|
||||
$(NULL)
|
||||
responder_common_tests_CFLAGS = \
|
||||
$(AM_CFLAGS) \
|
||||
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
|
||||
index 0feda148bd44b9cefc43c094ddc5a72820412322..6ef6bcfb8c078a360673b6bdd2364fc2918cb324 100644
|
||||
--- a/src/util/domain_info_utils.c
|
||||
+++ b/src/util/domain_info_utils.c
|
||||
@@ -814,8 +814,25 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static const char *domain_state_str(struct sss_domain_info *dom)
|
||||
+{
|
||||
+ switch (dom->state) {
|
||||
+ case DOM_ACTIVE:
|
||||
+ return "Active";
|
||||
+ case DOM_DISABLED:
|
||||
+ return "Disabled";
|
||||
+ case DOM_INACTIVE:
|
||||
+ return "Inactive";
|
||||
+ case DOM_INCONSISTENT:
|
||||
+ return "Inconsistent";
|
||||
+ }
|
||||
+ return "Unknown";
|
||||
+}
|
||||
+
|
||||
enum sss_domain_state sss_domain_get_state(struct sss_domain_info *dom)
|
||||
{
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS,
|
||||
+ "Domain %s is %s\n", dom->name, domain_state_str(dom));
|
||||
return dom->state;
|
||||
}
|
||||
|
||||
@@ -823,6 +840,8 @@ void sss_domain_set_state(struct sss_domain_info *dom,
|
||||
enum sss_domain_state state)
|
||||
{
|
||||
dom->state = state;
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS,
|
||||
+ "Domain %s is %s\n", dom->name, domain_state_str(dom));
|
||||
}
|
||||
|
||||
bool is_email_from_domain(const char *email, struct sss_domain_info *dom)
|
||||
--
|
||||
2.9.3
|
||||
|
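--- /dev/null
+++ b/0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch
@@ -0,0 +1,129 @@
+From de891b231464f10ce029593d7ee2ebb401e8a0b3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Mon, 19 Feb 2018 12:51:57 +0100
+Subject: [PATCH] SDAP: Properly handle group id-collision when renaming
+incomplete groups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/2653
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit a2e743cd23e8e2033340612c77a8dbb8ef48c1e1)
+---
+src/providers/ad/ad_pac.c | 3 +++
+src/providers/ldap/sdap_async_ad.h | 1 +
+src/providers/ldap/sdap_async_initgroups.c | 13 +++++++++++++
+src/providers/ldap/sdap_async_initgroups_ad.c | 15 +++++++++++++++
+4 files changed, 32 insertions(+)
+
+diff --git a/src/providers/ad/ad_pac.c b/src/providers/ad/ad_pac.c
+index 6b47462cf..1a344725f 100644
+--- a/src/providers/ad/ad_pac.c
++++ b/src/providers/ad/ad_pac.c
+@@ -434,6 +434,7 @@ struct ad_handle_pac_initgr_state {
+const char *err;
+int dp_error;
+int sdap_ret;
++ struct sdap_options *opts;
+
+size_t num_missing_sids;
+char **missing_sids;
+@@ -471,6 +472,7 @@ struct tevent_req *ad_handle_pac_initgr_send(TALLOC_CTX *mem_ctx,
+return NULL;
+}
+state->user_dom = sdom->dom;
++ state->opts = id_ctx->opts;
+
+/* The following variables are currently unused because no sub-request
+* returns any of them. But they are needed to allow the same signature as
+@@ -514,6 +516,7 @@ struct tevent_req *ad_handle_pac_initgr_send(TALLOC_CTX *mem_ctx,
+DEBUG(SSSDBG_TRACE_ALL, "Running PAC processing with id-mapping.\n");
+
+ret = sdap_ad_save_group_membership_with_idmapping(state->username,
++ state->opts,
+sdom->dom,
+id_ctx->opts->idmap_ctx,
+num_sids, group_sids);
+diff --git a/src/providers/ldap/sdap_async_ad.h b/src/providers/ldap/sdap_async_ad.h
+index 950f5a030..a5f47a1a9 100644
+--- a/src/providers/ldap/sdap_async_ad.h
++++ b/src/providers/ldap/sdap_async_ad.h
+@@ -25,6 +25,7 @@
+#define SDAP_ASYNC_AD_H_
+
+errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
++ struct sdap_options *opts,
+struct sss_domain_info *user_dom,
+struct sdap_idmap_ctx *idmap_ctx,
+size_t num_sids,
+diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
+index 34747be59..03f6de01a 100644
+--- a/src/providers/ldap/sdap_async_initgroups.c
++++ b/src/providers/ldap/sdap_async_initgroups.c
+@@ -225,6 +225,19 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
+ret = sysdb_add_incomplete_group(domain, groupname, gid,
+original_dn, sid_str,
+uuid, posix, now);
++ if (ret == ERR_GID_DUPLICATED) {
++ /* In case o group id-collision, do:
++ * - Delete the group from sysdb
++ * - Add the new incomplete group
++ * - Notify the NSS responder that the entry has also to be
++ * removed from the memory cache
++ */
++ ret = sdap_handle_id_collision_for_incomplete_groups(
++ opts->dp, domain, groupname, gid,
++ original_dn, sid_str, uuid, posix,
++ now);
++ }
++
+if (ret != EOK) {
+goto done;
+}
+diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
+index 30f1d3db2..eab103652 100644
+--- a/src/providers/ldap/sdap_async_initgroups_ad.c
++++ b/src/providers/ldap/sdap_async_initgroups_ad.c
+@@ -836,6 +836,7 @@ sdap_ad_tokengroups_initgr_mapping_connect_done(struct tevent_req *subreq)
+}
+
+errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
++ struct sdap_options *opts,
+struct sss_domain_info *user_dom,
+struct sdap_idmap_ctx *idmap_ctx,
+size_t num_sids,
+@@ -921,6 +922,19 @@ errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
+
+ret = sysdb_add_incomplete_group(domain, name, gid,
+NULL, sid, NULL, false, now);
++ if (ret == ERR_GID_DUPLICATED) {
++ /* In case o group id-collision, do:
++ * - Delete the group from sysdb
++ * - Add the new incomplete group
++ * - Notify the NSS responder that the entry has also to be
++ * removed from the memory cache
++ */
++ ret = sdap_handle_id_collision_for_incomplete_groups(
++ idmap_ctx->id_ctx->be->provider,
++ domain, name, gid, NULL, sid, NULL,
++ false, now);
++ }
++
+if (ret != EOK) {
+DEBUG(SSSDBG_MINOR_FAILURE, "Could not create incomplete "
+"group: [%s]\n", strerror(ret));
+@@ -992,6 +1006,7 @@ static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq)
+}
+
+ret = sdap_ad_save_group_membership_with_idmapping(state->username,
++ state->opts,
+state->domain,
+state->idmap_ctx,
+num_sids,
+--
+2.14.3
+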
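Review bot: Both added `if (ret == ERR_GID_DUPLICATED)` blocks call `sdap_handle_id_collision_for_incomplete_groups()`, which this patch neither declares nor defines, so it presumably comes from an earlier patch in the series and the spec's patch ordering has to keep that one ahead of this file; a line in the patch description naming that dependency would save the next packager a build failure. The two blocks are the same 13 lines copied into sdap_async_initgroups.c and sdap_async_initgroups_ad.c, differing only in the first argument (`opts->dp` vs `idmap_ctx->id_ctx->be->provider`), so the comment is duplicated as well, including the typo `In case o group id-collision`, which should read `In case of group id-collision`. That comment promises the NSS responder is told to drop the stale entry from its memory cache; since the helper body is not in this patch, the reviewer should confirm it really issues that notification, otherwise the fast-path cache could keep resolving the colliding GID to the old group name after sysdb has been rewritten. In ad_pac.c the call now passes `state->opts` but still reaches the idmap context through `id_ctx->opts->idmap_ctx` on the next line; `state->opts->idmap_ctx` would keep the two arguments in step.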
|
@ -1,259 +0,0 @@
|
||||
From 205a0b9e9234327730fa808be95b2e1db7ffee95 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 2 Nov 2016 17:13:32 +0100
|
||||
Subject: [PATCH 43/79] RESPONDER: A sbus interface to reset negatively cached
|
||||
users and groups
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds two new responder sbus interface functions: ResetNegcacheUsers and
|
||||
ResetNegcacheGroups. These functions can be called by a Data Provider to
|
||||
signal to a responder that it should drop its negative cache.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
Makefile.am | 1 +
|
||||
src/responder/common/iface/responder_iface.c | 7 ++++
|
||||
src/responder/common/iface/responder_iface.h | 5 +++
|
||||
src/responder/common/iface/responder_iface.xml | 6 ++++
|
||||
.../common/iface/responder_iface_generated.c | 40 ++++++++++++++++++++++
|
||||
.../common/iface/responder_iface_generated.h | 21 ++++++++++++
|
||||
.../{responder_iface.c => responder_ncache.c} | 31 ++++++++++-------
|
||||
src/tests/cwrap/Makefile.am | 2 ++
|
||||
8 files changed, 100 insertions(+), 13 deletions(-)
|
||||
copy src/responder/common/iface/{responder_iface.c => responder_ncache.c} (55%)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 32f62b5b4391e5d6efb7f7dc19e9b29eaa658550..aa28a27f992f9a42b78d37d6de8fd8271c99afef 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -519,6 +519,7 @@ SSSD_CACHE_REQ_OBJ = \
|
||||
SSSD_RESPONDER_IFACE_OBJ = \
|
||||
src/responder/common/iface/responder_iface.c \
|
||||
src/responder/common/iface/responder_domain.c \
|
||||
+ src/responder/common/iface/responder_ncache.c \
|
||||
src/responder/common/iface/responder_iface_generated.c \
|
||||
$(NULL)
|
||||
|
||||
diff --git a/src/responder/common/iface/responder_iface.c b/src/responder/common/iface/responder_iface.c
|
||||
index f1e618b659af3e7a5ffa1b7307f3d61124180f0c..07fd1ff6276ae9b847ff50b949ce91550fe68296 100644
|
||||
--- a/src/responder/common/iface/responder_iface.c
|
||||
+++ b/src/responder/common/iface/responder_iface.c
|
||||
@@ -25,8 +25,15 @@ struct iface_responder_domain iface_responder_domain = {
|
||||
.SetInconsistent = sss_resp_domain_inconsistent,
|
||||
};
|
||||
|
||||
+struct iface_responder_ncache iface_responder_ncache = {
|
||||
+ { &iface_responder_ncache_meta, 0 },
|
||||
+ .ResetUsers = sss_resp_reset_ncache_users,
|
||||
+ .ResetGroups = sss_resp_reset_ncache_groups,
|
||||
+};
|
||||
+
|
||||
static struct sbus_iface_map iface_map[] = {
|
||||
{ RESPONDER_PATH, &iface_responder_domain.vtable },
|
||||
+ { RESPONDER_PATH, &iface_responder_ncache.vtable },
|
||||
{ NULL, NULL }
|
||||
};
|
||||
|
||||
diff --git a/src/responder/common/iface/responder_iface.h b/src/responder/common/iface/responder_iface.h
|
||||
index abd7c83ce0b0efbc13867ffb56ec871503c92567..5166b624cf9f7278c46f10dfc26c717ac4462408 100644
|
||||
--- a/src/responder/common/iface/responder_iface.h
|
||||
+++ b/src/responder/common/iface/responder_iface.h
|
||||
@@ -34,4 +34,9 @@ int sss_resp_domain_inconsistent(struct sbus_request *req,
|
||||
void *data,
|
||||
const char *domain_name);
|
||||
|
||||
+/* org.freedesktop.sssd.Responder.NegativeCache */
|
||||
+
|
||||
+int sss_resp_reset_ncache_users(struct sbus_request *req, void *data);
|
||||
+int sss_resp_reset_ncache_groups(struct sbus_request *req, void *data);
|
||||
+
|
||||
#endif /* _RESPONDER_IFACE_H_ */
|
||||
diff --git a/src/responder/common/iface/responder_iface.xml b/src/responder/common/iface/responder_iface.xml
|
||||
index d3d0ff40ed5a8457492f2f54d551d9ae20cc56c3..9f092e00ffc5354efe98b6c8bde1cdf414ee36d2 100644
|
||||
--- a/src/responder/common/iface/responder_iface.xml
|
||||
+++ b/src/responder/common/iface/responder_iface.xml
|
||||
@@ -10,4 +10,10 @@
|
||||
<arg name="name" type="s" direction="in" />
|
||||
</method>
|
||||
</interface>
|
||||
+
|
||||
+ <interface name="org.freedesktop.sssd.Responder.NegativeCache">
|
||||
+ <annotation value="iface_responder_ncache" name="org.freedesktop.DBus.GLib.CSymbol"/>
|
||||
+ <method name="ResetUsers" />
|
||||
+ <method name="ResetGroups" />
|
||||
+ </interface>
|
||||
</node>
|
||||
diff --git a/src/responder/common/iface/responder_iface_generated.c b/src/responder/common/iface/responder_iface_generated.c
|
||||
index 1d59eafed0eb739fb208c864b5b726cf9883df94..837e67cfd4305494be6ee3de949d56d47179707c 100644
|
||||
--- a/src/responder/common/iface/responder_iface_generated.c
|
||||
+++ b/src/responder/common/iface/responder_iface_generated.c
|
||||
@@ -61,6 +61,46 @@ const struct sbus_interface_meta iface_responder_domain_meta = {
|
||||
sbus_invoke_get_all, /* GetAll invoker */
|
||||
};
|
||||
|
||||
+int iface_responder_ncache_ResetUsers_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
+int iface_responder_ncache_ResetGroups_finish(struct sbus_request *req)
|
||||
+{
|
||||
+ return sbus_request_return_and_finish(req,
|
||||
+ DBUS_TYPE_INVALID);
|
||||
+}
|
||||
+
|
||||
+/* methods for org.freedesktop.sssd.Responder.NegativeCache */
|
||||
+const struct sbus_method_meta iface_responder_ncache__methods[] = {
|
||||
+ {
|
||||
+ "ResetUsers", /* name */
|
||||
+ NULL, /* no in_args */
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_responder_ncache, ResetUsers),
|
||||
+ NULL, /* no invoker */
|
||||
+ },
|
||||
+ {
|
||||
+ "ResetGroups", /* name */
|
||||
+ NULL, /* no in_args */
|
||||
+ NULL, /* no out_args */
|
||||
+ offsetof(struct iface_responder_ncache, ResetGroups),
|
||||
+ NULL, /* no invoker */
|
||||
+ },
|
||||
+ { NULL, }
|
||||
+};
|
||||
+
|
||||
+/* interface info for org.freedesktop.sssd.Responder.NegativeCache */
|
||||
+const struct sbus_interface_meta iface_responder_ncache_meta = {
|
||||
+ "org.freedesktop.sssd.Responder.NegativeCache", /* name */
|
||||
+ iface_responder_ncache__methods,
|
||||
+ NULL, /* no signals */
|
||||
+ NULL, /* no properties */
|
||||
+ sbus_invoke_get_all, /* GetAll invoker */
|
||||
+};
|
||||
+
|
||||
/* invokes a handler with a 's' DBus signature */
|
||||
static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr)
|
||||
{
|
||||
diff --git a/src/responder/common/iface/responder_iface_generated.h b/src/responder/common/iface/responder_iface_generated.h
|
||||
index e7f5c64feb062e13dc04352128cada6883f6f4fa..964f19b732595c261e84f857497678490a113412 100644
|
||||
--- a/src/responder/common/iface/responder_iface_generated.h
|
||||
+++ b/src/responder/common/iface/responder_iface_generated.h
|
||||
@@ -16,6 +16,11 @@
|
||||
#define IFACE_RESPONDER_DOMAIN_SETACTIVE "SetActive"
|
||||
#define IFACE_RESPONDER_DOMAIN_SETINCONSISTENT "SetInconsistent"
|
||||
|
||||
+/* constants for org.freedesktop.sssd.Responder.NegativeCache */
|
||||
+#define IFACE_RESPONDER_NCACHE "org.freedesktop.sssd.Responder.NegativeCache"
|
||||
+#define IFACE_RESPONDER_NCACHE_RESETUSERS "ResetUsers"
|
||||
+#define IFACE_RESPONDER_NCACHE_RESETGROUPS "ResetGroups"
|
||||
+
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus handlers
|
||||
*
|
||||
@@ -47,6 +52,19 @@ int iface_responder_domain_SetActive_finish(struct sbus_request *req);
|
||||
/* finish function for SetInconsistent */
|
||||
int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req);
|
||||
|
||||
+/* vtable for org.freedesktop.sssd.Responder.NegativeCache */
|
||||
+struct iface_responder_ncache {
|
||||
+ struct sbus_vtable vtable; /* derive from sbus_vtable */
|
||||
+ int (*ResetUsers)(struct sbus_request *req, void *data);
|
||||
+ int (*ResetGroups)(struct sbus_request *req, void *data);
|
||||
+};
|
||||
+
|
||||
+/* finish function for ResetUsers */
|
||||
+int iface_responder_ncache_ResetUsers_finish(struct sbus_request *req);
|
||||
+
|
||||
+/* finish function for ResetGroups */
|
||||
+int iface_responder_ncache_ResetGroups_finish(struct sbus_request *req);
|
||||
+
|
||||
/* ------------------------------------------------------------------------
|
||||
* DBus Interface Metadata
|
||||
*
|
||||
@@ -60,4 +78,7 @@ int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req);
|
||||
/* interface info for org.freedesktop.sssd.Responder.Domain */
|
||||
extern const struct sbus_interface_meta iface_responder_domain_meta;
|
||||
|
||||
+/* interface info for org.freedesktop.sssd.Responder.NegativeCache */
|
||||
+extern const struct sbus_interface_meta iface_responder_ncache_meta;
|
||||
+
|
||||
#endif /* __RESPONDER_IFACE_XML__ */
|
||||
diff --git a/src/responder/common/iface/responder_iface.c b/src/responder/common/iface/responder_ncache.c
|
||||
similarity index 55%
|
||||
copy from src/responder/common/iface/responder_iface.c
|
||||
copy to src/responder/common/iface/responder_ncache.c
|
||||
index f1e618b659af3e7a5ffa1b7307f3d61124180f0c..c7aa0a3a40f386aa2d2f0d0a00a4fa90a59ffb34 100644
|
||||
--- a/src/responder/common/iface/responder_iface.c
|
||||
+++ b/src/responder/common/iface/responder_ncache.c
|
||||
@@ -1,5 +1,8 @@
|
||||
/*
|
||||
- Copyright (C) 2016 Red Hat
|
||||
+ Authors:
|
||||
+ Pavel Březina <pbrezina@redhat.com>
|
||||
+
|
||||
+ Copyright (C) 2017 Red Hat
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
@@ -15,22 +18,24 @@
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
+#include "util/util.h"
|
||||
#include "sbus/sssd_dbus.h"
|
||||
-#include "responder/common/iface/responder_iface.h"
|
||||
#include "responder/common/responder.h"
|
||||
+#include "responder/common/negcache.h"
|
||||
+#include "responder/common/iface/responder_iface.h"
|
||||
|
||||
-struct iface_responder_domain iface_responder_domain = {
|
||||
- { &iface_responder_domain_meta, 0 },
|
||||
- .SetActive = sss_resp_domain_active,
|
||||
- .SetInconsistent = sss_resp_domain_inconsistent,
|
||||
-};
|
||||
+int sss_resp_reset_ncache_users(struct sbus_request *req, void *data)
|
||||
+{
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
|
||||
-static struct sbus_iface_map iface_map[] = {
|
||||
- { RESPONDER_PATH, &iface_responder_domain.vtable },
|
||||
- { NULL, NULL }
|
||||
-};
|
||||
+ sss_ncache_reset_users(rctx->ncache);
|
||||
+ return iface_responder_ncache_ResetUsers_finish(req);
|
||||
+}
|
||||
|
||||
-struct sbus_iface_map *responder_get_sbus_interface()
|
||||
+int sss_resp_reset_ncache_groups(struct sbus_request *req, void *data)
|
||||
{
|
||||
- return iface_map;
|
||||
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
|
||||
+
|
||||
+ sss_ncache_reset_groups(rctx->ncache);
|
||||
+ return iface_responder_ncache_ResetGroups_finish(req);
|
||||
}
|
||||
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
|
||||
index f50e9aa58fa5f2b0b8aa144582500d925a0a6438..b4bef8fee1830c1d6798dde50f114ecb4608c645 100644
|
||||
--- a/src/tests/cwrap/Makefile.am
|
||||
+++ b/src/tests/cwrap/Makefile.am
|
||||
@@ -66,6 +66,7 @@ SSSD_CACHE_REQ_OBJ = \
|
||||
SSSD_RESPONDER_IFACE_OBJ = \
|
||||
../../../src/responder/common/iface/responder_iface.c \
|
||||
../../../src/responder/common/iface/responder_domain.c \
|
||||
+ ../../../src/responder/common/iface/responder_ncache.c \
|
||||
../../../src/responder/common/iface/responder_iface_generated.c \
|
||||
$(NULL)
|
||||
|
||||
@@ -167,6 +168,7 @@ responder_common_tests_SOURCES =\
|
||||
test_responder_common.c \
|
||||
../../../src/responder/common/iface/responder_iface.c \
|
||||
../../../src/responder/common/iface/responder_domain.c \
|
||||
+ ../../../src/responder/common/iface/responder_ncache.c \
|
||||
../../../src/responder/common/iface/responder_iface_generated.c \
|
||||
../../../src/responder/common/negcache_files.c \
|
||||
../../../src/responder/common/negcache.c \
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,64 @@
|
||||
From 5da97dcfb8499348080b5c7a3980c704294f22fa Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Mon, 19 Feb 2018 08:53:56 +0100
|
||||
Subject: [PATCH] SYSDB_OPS: Error out on id-collision when adding an
|
||||
incomplete group
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This situation can be hit when renaming a group. For now, let's just
|
||||
error this out so the caller can handle it properly on its own layer.
|
||||
|
||||
Related:
|
||||
https://pagure.io/SSSD/sssd/issue/2653
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit 514b2be089bfd0e2702d7e9ab883ab071a61b719)
|
||||
---
|
||||
src/db/sysdb_ops.c | 22 ++++++++++++++++++++++
|
||||
1 file changed, 22 insertions(+)
|
||||
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index 5d3cf643d..de4fdb592 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -2377,12 +2377,34 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
int ret;
|
||||
struct sysdb_attrs *attrs;
|
||||
+ struct ldb_message *msg;
|
||||
+ const char *previous = NULL;
|
||||
+ const char *group_attrs[] = { SYSDB_SID_STR, SYSDB_UUID, SYSDB_ORIG_DN, NULL };
|
||||
+ const char *values[] = { sid_str, uuid, original_dn, NULL };
|
||||
+ bool same = false;
|
||||
|
||||
tmp_ctx = talloc_new(NULL);
|
||||
if (!tmp_ctx) {
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs, &msg);
|
||||
+ if (ret == EOK) {
|
||||
+ for (int i = 0; !same && group_attrs[i] != NULL; i++) {
|
||||
+ previous = ldb_msg_find_attr_as_string(msg,
|
||||
+ group_attrs[i],
|
||||
+ NULL);
|
||||
+ if (previous != NULL && values[i] != NULL) {
|
||||
+ same = strcmp(previous, values[i]) == 0;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (same) {
|
||||
+ ret = ERR_GID_DUPLICATED;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
/* try to add the group */
|
||||
ret = sysdb_add_basic_group(domain, name, gid);
|
||||
if (ret) goto done;
|
||||
--
|
||||
2.14.3
|
||||
|
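Review bot: The return value of `sysdb_search_group_by_gid()` is only compared against EOK, so a lookup failure other than ENOENT is silently dropped: execution falls through to `sysdb_add_basic_group()` as if no group with that GID existed, and `ret` is overwritten there, so the caller never learns the search failed. A guard such as `if (ret != EOK && ret != ENOENT) { goto done; }` placed before the `if (same)` check keeps the existing comparison loop for the found case and propagates real database errors. The follow-up patch 0045 on this page reshapes the `same`/EEXIST branches but appears to keep the bare `if (ret == EOK)` entry, so the same guard would be needed there. The body of `sysdb_add_incomplete_group()` starts and ends outside the hunk.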
@ -1,148 +0,0 @@
|
||||
From b3ee4be9e1794fa823696d70d4958f3b0269939c Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 2 Nov 2016 17:18:07 +0100
|
||||
Subject: [PATCH 44/79] DP: Add internal DP interface to set domain state
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds functions to the interface Data Provider publishes towards back
|
||||
ends that allows the back ends to notify responders that a domain has
|
||||
been enabled or disabled.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
Makefile.am | 1 +
|
||||
src/providers/data_provider/dp.h | 5 ++
|
||||
src/providers/data_provider/dp_resp_client.c | 93 ++++++++++++++++++++++++++++
|
||||
3 files changed, 99 insertions(+)
|
||||
create mode 100644 src/providers/data_provider/dp_resp_client.c
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index aa28a27f992f9a42b78d37d6de8fd8271c99afef..5cf496002ff54b8df1c0fdf29179a5b69e4b62c0 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -1464,6 +1464,7 @@ sssd_be_SOURCES = \
|
||||
src/providers/data_provider/dp_iface_backend.c \
|
||||
src/providers/data_provider/dp_iface_failover.c \
|
||||
src/providers/data_provider/dp_client.c \
|
||||
+ src/providers/data_provider/dp_resp_client.c \
|
||||
src/providers/data_provider/dp_iface_generated.c \
|
||||
src/providers/data_provider/dp_request.c \
|
||||
src/providers/data_provider/dp_request_reply.c \
|
||||
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
|
||||
index 5b36baf3489be4cce463dfb42c65a0b7f7ece9ef..68db75521bd9d78eb6e7944746ea2054918e298d 100644
|
||||
--- a/src/providers/data_provider/dp.h
|
||||
+++ b/src/providers/data_provider/dp.h
|
||||
@@ -161,4 +161,9 @@ bool dp_method_enabled(struct data_provider *provider,
|
||||
void dp_terminate_domain_requests(struct data_provider *provider,
|
||||
const char *domain);
|
||||
|
||||
+void dp_sbus_domain_active(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom);
|
||||
+void dp_sbus_domain_inconsistent(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom);
|
||||
+
|
||||
#endif /* _DP_H_ */
|
||||
diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c
|
||||
new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..3d386eac1cd779e2776e23745a18292c5ce835cd
|
||||
--- /dev/null
|
||||
+++ b/src/providers/data_provider/dp_resp_client.c
|
||||
@@ -0,0 +1,93 @@
|
||||
+/*
|
||||
+ SSSD
|
||||
+
|
||||
+ Data Provider Responder client - DP calls responder interface
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include "config.h"
|
||||
+#include <talloc.h>
|
||||
+#include <tevent.h>
|
||||
+
|
||||
+#include "confdb/confdb.h"
|
||||
+#include "sbus/sssd_dbus.h"
|
||||
+#include "providers/data_provider.h"
|
||||
+#include "providers/data_provider/dp_private.h"
|
||||
+#include "responder/common/iface/responder_iface.h"
|
||||
+#include "src/responder/nss/nss_iface.h"
|
||||
+
|
||||
+static void send_msg_to_all_clients(struct data_provider *provider,
|
||||
+ struct DBusMessage *msg)
|
||||
+{
|
||||
+ struct dp_client *cli;
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; provider->clients[i] != NULL; i++) {
|
||||
+ cli = provider->clients[i];
|
||||
+ if (cli != NULL) {
|
||||
+ sbus_conn_send_reply(dp_client_conn(cli), msg);
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static void dp_sbus_set_domain_state(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom,
|
||||
+ enum sss_domain_state state)
|
||||
+{
|
||||
+ DBusMessage *msg;
|
||||
+ const char *method = NULL;
|
||||
+
|
||||
+ switch (state) {
|
||||
+ case DOM_ACTIVE:
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Ordering responders to enable domain %s\n",
|
||||
+ dom->name);
|
||||
+ method = IFACE_RESPONDER_DOMAIN_SETACTIVE;
|
||||
+ break;
|
||||
+ case DOM_INCONSISTENT:
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Ordering responders to disable domain %s\n",
|
||||
+ dom->name);
|
||||
+ method = IFACE_RESPONDER_DOMAIN_SETINCONSISTENT;
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* No other methods provided at the moment */
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ sss_domain_set_state(dom, state);
|
||||
+
|
||||
+ msg = sbus_create_message(NULL, NULL, RESPONDER_PATH,
|
||||
+ IFACE_RESPONDER_DOMAIN, method,
|
||||
+ DBUS_TYPE_STRING, &dom->name);
|
||||
+ if (msg == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ send_msg_to_all_clients(provider, msg);
|
||||
+ dbus_message_unref(msg);
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_domain_active(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom)
|
||||
+{
|
||||
+ return dp_sbus_set_domain_state(provider, dom, DOM_ACTIVE);
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_domain_inconsistent(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom)
|
||||
+{
|
||||
+ return dp_sbus_set_domain_state(provider, dom, DOM_INCONSISTENT);
|
||||
+}
|
||||
--
|
||||
2.9.3
|
||||
|
194
0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
Normal file
194
0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
Normal file
@ -0,0 +1,194 @@
|
||||
From ead866b198034c0b3101732e09a5524d0182d1cb Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 19 Feb 2018 18:26:05 +0100
|
||||
Subject: [PATCH] TESTS: Add an integration test for renaming incomplete groups
|
||||
during initgroups
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
As we implemented the group renaming heuristics to rename only if we can
|
||||
use another "hint" like the original DN or the SID to know the group is
|
||||
the same, this patch adds two tests (positive and negative) to make sure
|
||||
a group with a totally different RDN and hence different originalDN
|
||||
cannot be renamed but a group whose name changed but the RDN stays the
|
||||
same can be renamed.
|
||||
|
||||
Related:
|
||||
https://pagure.io/SSSD/sssd/issue/3282
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
(cherry picked from commit 35d6fb7cabd6183252fd29b29aaf66264dca9135)
|
||||
---
|
||||
src/tests/intg/test_ldap.py | 149 +++++++++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 147 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
|
||||
index db3253858..98b6349a8 100644
|
||||
--- a/src/tests/intg/test_ldap.py
|
||||
+++ b/src/tests/intg/test_ldap.py
|
||||
@@ -94,10 +94,11 @@ def create_ldap_cleanup(request, ldap_conn, ent_list=None):
|
||||
request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list))
|
||||
|
||||
|
||||
-def create_ldap_fixture(request, ldap_conn, ent_list=None):
|
||||
+def create_ldap_fixture(request, ldap_conn, ent_list=None, cleanup=True):
|
||||
"""Add LDAP entries and add teardown for removing them"""
|
||||
create_ldap_entries(ldap_conn, ent_list)
|
||||
- create_ldap_cleanup(request, ldap_conn, ent_list)
|
||||
+ if cleanup:
|
||||
+ create_ldap_cleanup(request, ldap_conn, ent_list)
|
||||
|
||||
|
||||
SCHEMA_RFC2307 = "rfc2307"
|
||||
@@ -1437,3 +1438,147 @@ def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid):
|
||||
", ".join(["%s" % s for s in sorted(gids)]),
|
||||
", ".join(["%s" % s for s in sorted(user1_expected_gids)])
|
||||
)
|
||||
+
|
||||
+
|
||||
+def rename_setup_no_cleanup(request, ldap_conn, cleanup_ent=None):
|
||||
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
|
||||
+ ent_list.add_user("user1", 1001, 2001)
|
||||
+ ent_list.add_group_bis("user1_private", 2001)
|
||||
+
|
||||
+ ent_list.add_user("user2", 1002, 2002)
|
||||
+ ent_list.add_group_bis("user2_private", 2002)
|
||||
+
|
||||
+ ent_list.add_group_bis("group1", 2015, ["user1", "user2"])
|
||||
+
|
||||
+ if cleanup_ent is None:
|
||||
+ create_ldap_fixture(request, ldap_conn, ent_list)
|
||||
+ else:
|
||||
+ # Since the entries were renamed, we need to clean up
|
||||
+ # the renamed entries..
|
||||
+ create_ldap_fixture(request, ldap_conn, ent_list, cleanup=False)
|
||||
+ create_ldap_cleanup(request, ldap_conn, None)
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def rename_setup_cleanup(request, ldap_conn):
|
||||
+ cleanup_ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
|
||||
+ cleanup_ent_list.add_user("user1", 1001, 2001)
|
||||
+ cleanup_ent_list.add_group_bis("new_user1_private", 2001)
|
||||
+
|
||||
+ cleanup_ent_list.add_user("user2", 1002, 2002)
|
||||
+ cleanup_ent_list.add_group_bis("new_user2_private", 2002)
|
||||
+
|
||||
+ cleanup_ent_list.add_group_bis("new_group1", 2015, ["user1", "user2"])
|
||||
+
|
||||
+ rename_setup_no_cleanup(request, ldap_conn, cleanup_ent_list)
|
||||
+
|
||||
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
+@pytest.fixture
|
||||
+def rename_setup_with_name(request, ldap_conn):
|
||||
+ rename_setup_no_cleanup(request, ldap_conn)
|
||||
+
|
||||
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
|
||||
+ unindent("""
|
||||
+ [nss]
|
||||
+ [domain/LDAP]
|
||||
+ ldap_group_name = name
|
||||
+ timeout = 3000
|
||||
+ """).format(**locals())
|
||||
+ create_conf_fixture(request, conf)
|
||||
+ create_sssd_fixture(request)
|
||||
+ return None
|
||||
+
|
||||
+
|
||||
+def test_rename_incomplete_group_same_dn(ldap_conn, rename_setup_with_name):
|
||||
+ """
|
||||
+ Test that if a group's name attribute changes, but the DN stays the same,
|
||||
+ the incomplete group object will be renamed.
|
||||
+
|
||||
+ Because the RDN attribute must be present in the entry, we add another
|
||||
+ attribute "name" that is purposefully different from the CN and make
|
||||
+ sure the group names are reflected in name
|
||||
+
|
||||
+ Regression test for https://pagure.io/SSSD/sssd/issue/3282
|
||||
+ """
|
||||
+ pvt_dn1 = 'cn=user1_private,ou=Groups,' + ldap_conn.ds_inst.base_dn
|
||||
+ pvt_dn2 = 'cn=user2_private,ou=Groups,' + ldap_conn.ds_inst.base_dn
|
||||
+ group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn
|
||||
+
|
||||
+ # Add the name we want for both private and secondary group
|
||||
+ old = {'name': []}
|
||||
+ new = {'name': [b"user1_group1"]}
|
||||
+ ldif = ldap.modlist.modifyModlist(old, new)
|
||||
+ ldap_conn.modify_s(group1_dn, ldif)
|
||||
+
|
||||
+ new = {'name': [b"pvt_user1"]}
|
||||
+ ldif = ldap.modlist.modifyModlist(old, new)
|
||||
+ ldap_conn.modify_s(pvt_dn1, ldif)
|
||||
+
|
||||
+ new = {'name': [b"pvt_user2"]}
|
||||
+ ldif = ldap.modlist.modifyModlist(old, new)
|
||||
+ ldap_conn.modify_s(pvt_dn2, ldif)
|
||||
+
|
||||
+ # Make sure the old name shows up in the id output
|
||||
+ (res, errno, grp_list) = sssd_id.get_user_groups("user1")
|
||||
+ assert res == sssd_id.NssReturnCode.SUCCESS, \
|
||||
+ "Could not find groups for user1, %d" % errno
|
||||
+
|
||||
+ assert sorted(grp_list) == sorted(["pvt_user1", "user1_group1"])
|
||||
+
|
||||
+ # Rename the group by changing the cn attribute, but keep the DN the same
|
||||
+ old = {'name': [b"user1_group1"]}
|
||||
+ new = {'name': [b"new_user1_group1"]}
|
||||
+ ldif = ldap.modlist.modifyModlist(old, new)
|
||||
+ ldap_conn.modify_s(group1_dn, ldif)
|
||||
+
|
||||
+ (res, errno, grp_list) = sssd_id.get_user_groups("user2")
|
||||
+ assert res == sssd_id.NssReturnCode.SUCCESS, \
|
||||
+ "Could not find groups for user2, %d" % errno
|
||||
+
|
||||
+ assert sorted(grp_list) == sorted(["pvt_user2", "new_user1_group1"])
|
||||
+
|
||||
+ (res, errno, grp_list) = sssd_id.get_user_groups("user1")
|
||||
+ assert res == sssd_id.NssReturnCode.SUCCESS, \
|
||||
+ "Could not find groups for user1, %d" % errno
|
||||
+
|
||||
+ assert sorted(grp_list) == sorted(["pvt_user1", "new_user1_group1"])
|
||||
+
|
||||
+
|
||||
+def test_rename_incomplete_group_rdn_changed(ldap_conn, rename_setup_cleanup):
|
||||
+ """
|
||||
+ Test that if a group's name attribute changes, and the DN changes with
|
||||
+ the RDN. Then adding the second group will fail because we can't tell if
|
||||
+ there are two duplicate groups in LDAP when saving the group or if the
|
||||
+ group was renamed.
|
||||
+
|
||||
+ Please note that with many directories (AD, IPA), the code can rely on
|
||||
+ other heuristics (SID, UUID) to find out the group is in fact the same.
|
||||
+
|
||||
+ Regression test for https://pagure.io/SSSD/sssd/issue/3282
|
||||
+ """
|
||||
+ pvt_dn = 'cn=user1_private,ou=Groups,' + ldap_conn.ds_inst.base_dn
|
||||
+ group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn
|
||||
+
|
||||
+ # Make sure the old name shows up in the id output
|
||||
+ (res, errno, grp_list) = sssd_id.get_user_groups("user1")
|
||||
+ assert res == sssd_id.NssReturnCode.SUCCESS, \
|
||||
+ "Could not find groups for user1, %d" % errno
|
||||
+
|
||||
+ assert sorted(grp_list) == sorted(["user1_private", "group1"])
|
||||
+
|
||||
+ # Rename the groups, changing the RDN
|
||||
+ ldap_conn.rename_s(group1_dn, "cn=new_group1")
|
||||
+ ldap_conn.rename_s(pvt_dn, "cn=new_user1_private")
|
||||
+
|
||||
+ (res, errno, grp_list) = sssd_id.get_user_groups("user2")
|
||||
+ assert res == sssd_id.NssReturnCode.SUCCESS, \
|
||||
+ "Could not find groups for user2, %d" % errno
|
||||
+
|
||||
+ # The initgroups succeeds, but because saving the new group fails,
|
||||
+ # SSSD will revert to the cache contents and return what's in the cache
|
||||
+ assert sorted(grp_list) == sorted(["user2_private", "group1"])
|
||||
--
|
||||
2.14.3
|
||||
|
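Review bot: `rename_setup_no_cleanup()` accepts `cleanup_ent` but never uses it: its `else` branch registers `create_ldap_cleanup(request, ldap_conn, None)`, so the `cleanup_ent_list` that `rename_setup_cleanup()` builds from the renamed entries is discarded. Unless `cleanup_ldap_entries()` treats `None` as "remove everything" (it is outside the hunk, so I cannot tell), the renamed entries survive `test_rename_incomplete_group_rdn_changed` and can bleed into later tests that share the directory; the intended line is presumably `create_ldap_cleanup(request, ldap_conn, cleanup_ent)`. Separately, the comment `# Rename the group by changing the cn attribute, but keep the DN the same` names the wrong attribute, since the modlist below it changes `name`; it should read `# Rename the group by changing the name attribute, but keep the DN the same`.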
@ -1,122 +0,0 @@
|
||||
From af28fa659f7ffcd12ecf8bda64e79cf5dd225651 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 16 Nov 2016 17:00:57 +0100
|
||||
Subject: [PATCH 45/79] DP: Add internal interface to reset negative cache from
|
||||
DP
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds a an interface that allows the Data Provider to notify responders
|
||||
to drop their negative cache.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/data_provider/dp.h | 5 +++
|
||||
src/providers/data_provider/dp_resp_client.c | 65 +++++++++++++++++++++++++++-
|
||||
2 files changed, 69 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
|
||||
index 68db75521bd9d78eb6e7944746ea2054918e298d..79d02d469c5eb04d5e27b27af48b77f72d132416 100644
|
||||
--- a/src/providers/data_provider/dp.h
|
||||
+++ b/src/providers/data_provider/dp.h
|
||||
@@ -166,4 +166,9 @@ void dp_sbus_domain_active(struct data_provider *provider,
|
||||
void dp_sbus_domain_inconsistent(struct data_provider *provider,
|
||||
struct sss_domain_info *dom);
|
||||
|
||||
+void dp_sbus_reset_users_ncache(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom);
|
||||
+void dp_sbus_reset_groups_ncache(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom);
|
||||
+
|
||||
#endif /* _DP_H_ */
|
||||
diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c
|
||||
index 3d386eac1cd779e2776e23745a18292c5ce835cd..6828610acce3771f2b628c877a1d463c3f635015 100644
|
||||
--- a/src/providers/data_provider/dp_resp_client.c
|
||||
+++ b/src/providers/data_provider/dp_resp_client.c
|
||||
@@ -26,7 +26,23 @@
|
||||
#include "providers/data_provider.h"
|
||||
#include "providers/data_provider/dp_private.h"
|
||||
#include "responder/common/iface/responder_iface.h"
|
||||
-#include "src/responder/nss/nss_iface.h"
|
||||
+#include "responder/nss/nss_iface.h"
|
||||
+
|
||||
+/* List of DP clients that deal with users or groups */
|
||||
+/* FIXME - it would be much cleaner to implement sbus signals
|
||||
+ * and let the responder subscribe to these messages rather than
|
||||
+ * keep a list here..
|
||||
+ * https://fedorahosted.org/sssd/ticket/2233
|
||||
+ */
|
||||
+static enum dp_clients user_clients[] = {
|
||||
+ DPC_NSS,
|
||||
+ DPC_PAM,
|
||||
+ DPC_IFP,
|
||||
+ DPC_PAC,
|
||||
+ DPC_SUDO,
|
||||
+
|
||||
+ DP_CLIENT_SENTINEL
|
||||
+};
|
||||
|
||||
static void send_msg_to_all_clients(struct data_provider *provider,
|
||||
struct DBusMessage *msg)
|
||||
@@ -42,6 +58,21 @@ static void send_msg_to_all_clients(struct data_provider *provider,
|
||||
}
|
||||
}
|
||||
|
||||
+static void send_msg_to_selected_clients(struct data_provider *provider,
|
||||
+ struct DBusMessage *msg,
|
||||
+ enum dp_clients *clients)
|
||||
+{
|
||||
+ struct dp_client *cli;
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; clients[i] != DP_CLIENT_SENTINEL; i++) {
|
||||
+ cli = provider->clients[clients[i]];
|
||||
+ if (cli != NULL) {
|
||||
+ sbus_conn_send_reply(dp_client_conn(cli), msg);
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static void dp_sbus_set_domain_state(struct data_provider *provider,
|
||||
struct sss_domain_info *dom,
|
||||
enum sss_domain_state state)
|
||||
@@ -91,3 +122,35 @@ void dp_sbus_domain_inconsistent(struct data_provider *provider,
|
||||
{
|
||||
return dp_sbus_set_domain_state(provider, dom, DOM_INCONSISTENT);
|
||||
}
|
||||
+
|
||||
+static void dp_sbus_reset_ncache(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom,
|
||||
+ const char *method)
|
||||
+{
|
||||
+ DBusMessage *msg;
|
||||
+
|
||||
+ msg = sbus_create_message(NULL, NULL, RESPONDER_PATH,
|
||||
+ IFACE_RESPONDER_NCACHE, method);
|
||||
+ if (msg == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ send_msg_to_selected_clients(provider, msg, user_clients);
|
||||
+ dbus_message_unref(msg);
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_reset_users_ncache(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom)
|
||||
+{
|
||||
+ return dp_sbus_reset_ncache(provider, dom,
|
||||
+ IFACE_RESPONDER_NCACHE_RESETUSERS);
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_reset_groups_ncache(struct data_provider *provider,
|
||||
+ struct sss_domain_info *dom)
|
||||
+{
|
||||
+ return dp_sbus_reset_ncache(provider, dom,
|
||||
+ IFACE_RESPONDER_NCACHE_RESETGROUPS);
|
||||
+}
|
||||
--
|
||||
2.9.3
|
||||
|
119
0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
Normal file
119
0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
Normal file
@ -0,0 +1,119 @@
|
||||
From 0a367914b87ef56dd4d5d56778e5770d1201f255 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 16 Apr 2018 20:29:28 +0200
|
||||
Subject: [PATCH] SYSDB: sysdb_add_incomplete_group now returns EEXIST with a
|
||||
duplicate GID
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Related:
|
||||
https://pagure.io/SSSD/sssd/issue/2653
|
||||
|
||||
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
(cherry picked from commit ba2d5f7a0adefb017d3f85203d715b725ca8810f)
|
||||
---
|
||||
src/db/sysdb_ops.c | 13 ++++++++++---
|
||||
src/tests/sysdb-tests.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
|
||||
2 files changed, 56 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index de4fdb592..93b967e75 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -2398,10 +2398,17 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
|
||||
same = strcmp(previous, values[i]) == 0;
|
||||
}
|
||||
}
|
||||
- }
|
||||
|
||||
- if (same) {
|
||||
- ret = ERR_GID_DUPLICATED;
|
||||
+ if (same == true) {
|
||||
+ DEBUG(SSSDBG_TRACE_LIBS,
|
||||
+ "The group with GID [%"SPRIgid"] was renamed\n", gid);
|
||||
+ ret = ERR_GID_DUPLICATED;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Another group with GID [%"SPRIgid"] already exists\n", gid);
|
||||
+ ret = EEXIST;
|
||||
goto done;
|
||||
}
|
||||
|
||||
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
|
||||
index 32b8ca856..416dedb5e 100644
|
||||
--- a/src/tests/sysdb-tests.c
|
||||
+++ b/src/tests/sysdb-tests.c
|
||||
@@ -989,6 +989,50 @@ START_TEST (test_sysdb_add_incomplete_group)
|
||||
}
|
||||
END_TEST
|
||||
|
||||
+START_TEST (test_sysdb_incomplete_group_rename)
|
||||
+{
|
||||
+ struct sysdb_test_ctx *test_ctx;
|
||||
+ int ret;
|
||||
+
|
||||
+ ret = setup_sysdb_tests(&test_ctx);
|
||||
+ if (ret != EOK) {
|
||||
+ fail("Could not set up the test");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group",
|
||||
+ 20000, NULL,
|
||||
+ "S-1-5-21-123-456-789-111",
|
||||
+ NULL, true, 0);
|
||||
+ fail_unless(ret == EOK,
|
||||
+ "sysdb_add_incomplete_group error [%d][%s]",
|
||||
+ ret, strerror(ret));
|
||||
+
|
||||
+ /* Adding a group with the same GID and all the other characteristics uknown should fail */
|
||||
+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new",
|
||||
+ 20000, NULL, NULL, NULL, true, 0);
|
||||
+ fail_unless(ret == EEXIST, "Did not caught a duplicate\n");
|
||||
+
|
||||
+ /* A different SID should also trigger a failure */
|
||||
+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new",
|
||||
+ 20000, NULL,
|
||||
+ "S-1-5-21-123-456-789-222",
|
||||
+ NULL, true, 0);
|
||||
+ fail_unless(ret == EEXIST, "Did not caught a duplicate\n");
|
||||
+
|
||||
+ /* But if we know based on a SID that the group is in fact the same,
|
||||
+ * let's just change its name
|
||||
+ */
|
||||
+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new",
|
||||
+ 20000, NULL,
|
||||
+ "S-1-5-21-123-456-789-111",
|
||||
+ NULL, true, 0);
|
||||
+ fail_unless(ret == ERR_GID_DUPLICATED,
|
||||
+ "Did not catch a legitimate rename",
|
||||
+ ret, strerror(ret));
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
START_TEST (test_sysdb_getpwnam)
|
||||
{
|
||||
struct sysdb_test_ctx *test_ctx;
|
||||
@@ -5526,7 +5570,7 @@ START_TEST(test_sysdb_search_sid_str)
|
||||
ret = setup_sysdb_tests(&test_ctx);
|
||||
fail_if(ret != EOK, "Could not set up the test");
|
||||
|
||||
- data = test_data_new_group(test_ctx, 2900);
|
||||
+ data = test_data_new_group(test_ctx, 2902);
|
||||
fail_if(data == NULL);
|
||||
data->sid_str = "S-1-2-3-4";
|
||||
|
||||
@@ -7166,6 +7210,7 @@ Suite *create_sysdb_suite(void)
|
||||
tcase_add_loop_test(tc_sysdb,
|
||||
test_sysdb_remove_local_group_by_gid,
|
||||
28000, 28010);
|
||||
+ tcase_add_test(tc_sysdb, test_sysdb_incomplete_group_rename);
|
||||
|
||||
/* test custom operations */
|
||||
tcase_add_loop_test(tc_sysdb, test_sysdb_store_custom, 29010, 29020);
|
||||
--
|
||||
2.14.3
|
||||
|
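Review bot: The last assertion in `test_sysdb_incomplete_group_rename`, `fail_unless(ret == ERR_GID_DUPLICATED, "Did not catch a legitimate rename", ret, strerror(ret));`, passes two varargs to a message that has no conversion specifiers, so the return code is never printed, while the two earlier `"Did not caught a duplicate\n"` checks drop it altogether. Use the form of the first assertion in the test, e.g. `"Did not catch a legitimate rename [%d][%s]", ret, strerror(ret)` and `"Did not catch a duplicate [%d][%s]", ret, strerror(ret)`, so a failure reports which code came back. The test also returns without releasing `test_ctx`; if the sibling tests in this file free it on exit (their bodies are outside the hunk), this one should follow suit.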
@ -1,77 +0,0 @@
|
||||
From 5007103e82f34e64a0ff3b278797b9fa42ba1dda Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 14 Feb 2017 20:37:58 +0100
|
||||
Subject: [PATCH 46/79] DP: Add internal interface to invalidate memory cache
|
||||
from DP
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Adds an interfae to the Data Provider that allows the DP to notify the
|
||||
NSS responder to invalidate its memory cache records.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/data_provider/dp.h | 4 ++++
|
||||
src/providers/data_provider/dp_resp_client.c | 35 ++++++++++++++++++++++++++++
|
||||
2 files changed, 39 insertions(+)
|
||||
|
||||
diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
|
||||
index 79d02d469c5eb04d5e27b27af48b77f72d132416..e80a6c3398784dfc176baeff2daf7203c52fc072 100644
|
||||
--- a/src/providers/data_provider/dp.h
|
||||
+++ b/src/providers/data_provider/dp.h
|
||||
@@ -171,4 +171,8 @@ void dp_sbus_reset_users_ncache(struct data_provider *provider,
|
||||
void dp_sbus_reset_groups_ncache(struct data_provider *provider,
|
||||
struct sss_domain_info *dom);
|
||||
|
||||
+void dp_sbus_reset_users_memcache(struct data_provider *provider);
|
||||
+void dp_sbus_reset_groups_memcache(struct data_provider *provider);
|
||||
+void dp_sbus_reset_initgr_memcache(struct data_provider *provider);
|
||||
+
|
||||
#endif /* _DP_H_ */
|
||||
diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c
|
||||
index 6828610acce3771f2b628c877a1d463c3f635015..5735188a603b16c35ad6e1050c06a685fdf7ed8d 100644
|
||||
--- a/src/providers/data_provider/dp_resp_client.c
|
||||
+++ b/src/providers/data_provider/dp_resp_client.c
|
||||
@@ -154,3 +154,38 @@ void dp_sbus_reset_groups_ncache(struct data_provider *provider,
|
||||
return dp_sbus_reset_ncache(provider, dom,
|
||||
IFACE_RESPONDER_NCACHE_RESETGROUPS);
|
||||
}
|
||||
+
|
||||
+static void dp_sbus_reset_memcache(struct data_provider *provider,
|
||||
+ const char *method)
|
||||
+{
|
||||
+ DBusMessage *msg;
|
||||
+
|
||||
+ msg = sbus_create_message(NULL, NULL, NSS_MEMORYCACHE_PATH,
|
||||
+ IFACE_NSS_MEMORYCACHE, method);
|
||||
+ if (msg == NULL) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ send_msg_to_selected_clients(provider, msg, user_clients);
|
||||
+ dbus_message_unref(msg);
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_reset_users_memcache(struct data_provider *provider)
|
||||
+{
|
||||
+ return dp_sbus_reset_memcache(provider,
|
||||
+ IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS);
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_reset_groups_memcache(struct data_provider *provider)
|
||||
+{
|
||||
+ return dp_sbus_reset_memcache(provider,
|
||||
+ IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS);
|
||||
+}
|
||||
+
|
||||
+void dp_sbus_reset_initgr_memcache(struct data_provider *provider)
|
||||
+{
|
||||
+ return dp_sbus_reset_memcache(provider,
|
||||
+ IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS);
|
||||
+}
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,47 @@
|
||||
From 549a960554f44e79d74c65d9f889ccaef497b11d Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Thu, 19 Apr 2018 09:38:47 +0200
|
||||
Subject: [PATCH] MAN: Document which principal does the AD provider use
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Administrators are often confused by the difference between what
|
||||
principal is used to authenticate to AD. Let's document that.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 91d1e4c134b7c90abd2ff86b313175c542cd834c)
|
||||
---
|
||||
src/man/include/ad_modified_defaults.xml | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml
|
||||
index c41b454f8..818a2bf78 100644
|
||||
--- a/src/man/include/ad_modified_defaults.xml
|
||||
+++ b/src/man/include/ad_modified_defaults.xml
|
||||
@@ -58,6 +58,22 @@
|
||||
ldap_use_tokengroups = true
|
||||
</para>
|
||||
</listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ The AD provider looks for a different principal than the
|
||||
+ LDAP provider by default, because in an Active Directory
|
||||
+ environment the principals are divided into two groups
|
||||
+ - User Principals and Service Principals. Only User
|
||||
+ Principal can be used to obtain a TGT and by default,
|
||||
+ computer object's principal is constructed from
|
||||
+ its sAMAccountName and the AD realm. The well-known
|
||||
+ host/hostname@REALM principal is a Service Principal
|
||||
+ and thus cannot be used to get a TGT with.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
</itemizedlist>
|
||||
</refsect2>
|
||||
</refsect1>
|
||||
--
|
||||
2.14.3
|
||||
|
77
0047-GPO-Fix-bug-with-empty-GPO-rules.patch
Normal file
@ -0,0 +1,77 @@
|
||||
From c83f6c6da3958475ca4782ffcb49fbc41f8c8f17 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
||||
Date: Wed, 11 Apr 2018 18:56:53 +0200
|
||||
Subject: [PATCH] GPO: Fix bug with empty GPO rules
|
||||
|
||||
When two or more GPO rules were defined on the server
|
||||
and one of them contained no SIDs (no users or groups
|
||||
were specified), then SSSD failed to store such rule
|
||||
and users were denied access (system error).
|
||||
|
||||
This patch changes the behavior so that in case
|
||||
there are no SIDs in the rule a special value is
|
||||
stored with the rule to indicate that the rule
|
||||
was actually specified, but this value will not
|
||||
match any real SID (because the rule should be
|
||||
empty).
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3680
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit e6e5fe349aa6ed85eb9acb3273007fa90ee99450)
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 12 +++++++++---
|
||||
1 file changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index a48f264c7..ae3329b90 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -1132,6 +1132,7 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
int i;
|
||||
char *allow_value = NULL;
|
||||
char *deny_value = NULL;
|
||||
+ const char *empty_val = "NO_SID";
|
||||
const char *allow_key = NULL;
|
||||
const char *deny_key = NULL;
|
||||
TALLOC_CTX *tmp_ctx = NULL;
|
||||
@@ -1236,7 +1237,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
}
|
||||
|
||||
for (i = 0; i < GPO_MAP_NUM_OPTS; i++) {
|
||||
-
|
||||
+ /* The NO_SID val is used as special SID value for the case when
|
||||
+ * no SIDs are found in the rule, but we need to store some
|
||||
+ * value (SID) with the key (rule name) so that it is clear
|
||||
+ * that the rule is defined on the server. */
|
||||
struct gpo_map_option_entry entry = gpo_map_option_entries[i];
|
||||
|
||||
allow_key = entry.allow_key;
|
||||
@@ -1252,9 +1256,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
allow_key, ret, sss_strerror(ret));
|
||||
goto done;
|
||||
} else if (ret != ENOENT) {
|
||||
+ const char *value = allow_value ? allow_value : empty_val;
|
||||
ret = sysdb_gpo_store_gpo_result_setting(domain,
|
||||
allow_key,
|
||||
- allow_value);
|
||||
+ value);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"sysdb_gpo_store_gpo_result_setting failed for key:"
|
||||
@@ -1278,9 +1283,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
deny_key, ret, sss_strerror(ret));
|
||||
goto done;
|
||||
} else if (ret != ENOENT) {
|
||||
+ const char *value = deny_value ? deny_value : empty_val;
|
||||
ret = sysdb_gpo_store_gpo_result_setting(domain,
|
||||
deny_key,
|
||||
- deny_value);
|
||||
+ value);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"sysdb_gpo_store_gpo_result_setting failed for key:"
|
||||
--
|
||||
2.14.3
|
||||
|
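Review bot: The `"NO_SID"` sentinel introduced in `ad_gpo_store_policy_settings` is a bare string literal, and whatever code later evaluates the stored settings presumably has to recognise the same value, yet nothing in this hunk ties the two together; a named constant shared with that code, e.g. `#define GPO_EMPTY_SID "NO_SID"` next to the other GPO definitions, would make the contract explicit. Because the value is written into the same setting as real SIDs, the comment should also state that the consumer must never treat it as a match for a user or group SID. The explanatory comment sits inside the `for` loop above the `entry` declaration, several lines away from the `allow_value ? allow_value : empty_val` and `deny_value ? deny_value : empty_val` expressions it describes; placing it next to `empty_val` would read better. The enclosing function starts before this hunk.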
@ -1,50 +0,0 @@
|
||||
From 2c61b6eee24d90b11f3d2cab7b9cd8690df29f34 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 2 Jan 2017 16:41:31 +0100
|
||||
Subject: [PATCH 47/79] RESPONDER: Use the NEED_CHECK_DOMAIN macro
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is to avoid a needless round-trip between the responder and the
|
||||
back end for domains that do not have a traditional back end such as
|
||||
local or files.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/responder/common/responder_dp.c | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
|
||||
index 11eb47ce1d41027f36998aba7b9fbca5fb4c7910..cfd12569a5068d0ffaa7fee5a35e12fe4512fb50 100644
|
||||
--- a/src/responder/common/responder_dp.c
|
||||
+++ b/src/responder/common/responder_dp.c
|
||||
@@ -495,6 +495,12 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
|
||||
goto error;
|
||||
}
|
||||
|
||||
+ if (NEED_CHECK_PROVIDER(dom->provider) == false) {
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Domain %s does not check DP\n", dom->name);
|
||||
+ ret = EOK;
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
info = talloc_zero(state, struct sss_dp_account_info);
|
||||
info->fast_reply = fast_reply;
|
||||
info->type = type;
|
||||
@@ -539,7 +545,11 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
|
||||
return req;
|
||||
|
||||
error:
|
||||
- tevent_req_error(req, ret);
|
||||
+ if (ret == EOK) {
|
||||
+ tevent_req_done(req);
|
||||
+ } else {
|
||||
+ tevent_req_error(req, ret);
|
||||
+ }
|
||||
tevent_req_post(req, rctx->ev);
|
||||
return req;
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,88 @@
|
||||
From 8c86f78e41bdb0fa4d77ffaffd13e602b77cdf2f Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Wed, 4 Apr 2018 14:18:10 +0200
|
||||
Subject: [PATCH] FILES: Do not overwrite and actually remove
|
||||
files_ctx.{pwd,grp}_watch
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The snotify_ctx structures were unused, are completely opaque (their
|
||||
only value is that if they are freed, the watches disappear which
|
||||
the files provider never does).
|
||||
|
||||
And moreover, since the patches to support multiple files, the watches
|
||||
were overwritten with subsequent assignments.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit d69e1da370fa33c5085b31eb6302a30d81817534)
|
||||
---
|
||||
src/providers/files/files_ops.c | 35 +++++++++++++++++++++++------------
|
||||
1 file changed, 23 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
|
||||
index a2a2798d3..95c4d2a06 100644
|
||||
--- a/src/providers/files/files_ops.c
|
||||
+++ b/src/providers/files/files_ops.c
|
||||
@@ -36,9 +36,6 @@
|
||||
#define GRP_MAXSIZE 2048
|
||||
|
||||
struct files_ctx {
|
||||
- struct snotify_ctx *pwd_watch;
|
||||
- struct snotify_ctx *grp_watch;
|
||||
-
|
||||
struct files_ops_ctx *ops;
|
||||
};
|
||||
|
||||
@@ -957,6 +954,7 @@ struct files_ctx *sf_init(TALLOC_CTX *mem_ctx,
|
||||
struct files_ctx *fctx;
|
||||
struct tevent_immediate *imm;
|
||||
int i;
|
||||
+ struct snotify_ctx *snctx;
|
||||
|
||||
fctx = talloc(mem_ctx, struct files_ctx);
|
||||
if (fctx == NULL) {
|
||||
@@ -964,18 +962,31 @@ struct files_ctx *sf_init(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
for (i = 0; passwd_files[i]; i++) {
|
||||
- fctx->pwd_watch = sf_setup_watch(fctx, ev, passwd_files[i],
|
||||
- sf_passwd_cb, id_ctx);
|
||||
+ snctx = sf_setup_watch(fctx, ev, passwd_files[i],
|
||||
+ sf_passwd_cb, id_ctx);
|
||||
+ if (snctx == NULL) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "Cannot set watch for passwd file %s\n", passwd_files[i]);
|
||||
+ /* Rather than reporting incomplete or inconsistent information
|
||||
+ * in case e.g. group memberships span multiple files, just abort
|
||||
+ */
|
||||
+ talloc_free(fctx);
|
||||
+ return NULL;
|
||||
}
|
||||
-
|
||||
- for (i = 0; group_files[i]; i++) {
|
||||
- fctx->grp_watch = sf_setup_watch(fctx, ev, group_files[i],
|
||||
- sf_group_cb, id_ctx);
|
||||
}
|
||||
|
||||
- if (fctx->pwd_watch == NULL || fctx->grp_watch == NULL) {
|
||||
- talloc_free(fctx);
|
||||
- return NULL;
|
||||
+ for (i = 0; group_files[i]; i++) {
|
||||
+ snctx = sf_setup_watch(fctx, ev, group_files[i],
|
||||
+ sf_group_cb, id_ctx);
|
||||
+ if (snctx == NULL) {
|
||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
||||
+ "Cannot set watch for group file %s\n", group_files[i]);
|
||||
+ /* Rather than reporting incomplete or inconsistent information
|
||||
+ * in case e.g. group memberships span multiple files, just abort
|
||||
+ */
|
||||
+ talloc_free(fctx);
|
||||
+ return NULL;
|
||||
+ }
|
||||
}
|
||||
|
||||
/* Enumerate users and groups on startup to process any changes when
|
||||
--
|
||||
2.14.3
|
||||
|
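Review bot: The `snctx` local added to `sf_init` is only ever compared with NULL, which is consistent with the commit message's point that the watch lives as long as `fctx`, but a reader of the loop will look for the missing assignment; a one-line comment such as `/* The watch is owned by fctx; no handle is kept */` above the first `sf_setup_watch` call would settle that. As a point of style, the passwd and group loops are now identical apart from the file list, the callback and the message text, including a verbatim copy of the three-line "rather than reporting incomplete..." comment, which is the kind of duplication a later fix to one loop tends to miss in the other. `sf_init` continues past the end of this hunk.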
@ -1,41 +0,0 @@
|
||||
From 26866484a985adbc7edf2e79a1e95b3bb6b8624c Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 2 Dec 2016 17:51:54 +0100
|
||||
Subject: [PATCH 48/79] RESPONDER: Include the files provider in
|
||||
NEEDS_CHECK_PROVIDER
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
It makes no sense to contact the Data Provider with the files provider
|
||||
except when the files provider is updating itself.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/responder/common/responder.h | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
|
||||
index 748dec4301b4a018691d9b8c8fca0193d18167a5..3515f76d2bd0a553e7bf6b089b6d511255cf1e93 100644
|
||||
--- a/src/responder/common/responder.h
|
||||
+++ b/src/responder/common/responder.h
|
||||
@@ -48,9 +48,14 @@ extern hash_table_t *dp_requests;
|
||||
* So we set umask to 0111. */
|
||||
#define SCKT_RSP_UMASK 0111
|
||||
|
||||
-/* if there is a provider other than the special local */
|
||||
+/* Neither the local provider nor the files provider have a back
|
||||
+ * end in the traditional sense and can always just consult
|
||||
+ * the responder's cache
|
||||
+ */
|
||||
#define NEED_CHECK_PROVIDER(provider) \
|
||||
- (provider != NULL && strcmp(provider, "local") != 0)
|
||||
+ (provider != NULL && \
|
||||
+ (strcmp(provider, "local") != 0 && \
|
||||
+ strcmp(provider, "files") != 0))
|
||||
|
||||
/* needed until nsssrv.h is updated */
|
||||
struct cli_request {
|
||||
--
|
||||
2.9.3
|
||||
|
310
0049-FILES-Reduce-code-duplication.patch
Normal file
@ -0,0 +1,310 @@
|
||||
From 601e30e9d6e7c0da2e1648dc2d9bc37bddf512d8 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 17 Apr 2018 14:22:39 +0200
|
||||
Subject: [PATCH] FILES: Reduce code duplication
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 1f8bfb6975becda07ff29f557f82b6ac1eaa0be9)
|
||||
---
|
||||
src/providers/files/files_ops.c | 213 +++++++++++++++-------------------------
|
||||
1 file changed, 81 insertions(+), 132 deletions(-)
|
||||
|
||||
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
|
||||
index 95c4d2a06..370af1274 100644
|
||||
--- a/src/providers/files/files_ops.c
|
||||
+++ b/src/providers/files/files_ops.c
|
||||
@@ -35,6 +35,10 @@
|
||||
#define PWD_MAXSIZE 1024
|
||||
#define GRP_MAXSIZE 2048
|
||||
|
||||
+#define SF_UPDATE_PASSWD 1<<0
|
||||
+#define SF_UPDATE_GROUP 1<<1
|
||||
+#define SF_UPDATE_BOTH (SF_UPDATE_PASSWD | SF_UPDATE_GROUP)
|
||||
+
|
||||
struct files_ctx {
|
||||
struct files_ops_ctx *ops;
|
||||
};
|
||||
@@ -708,6 +712,70 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static errno_t sf_enum_files(struct files_id_ctx *id_ctx,
|
||||
+ uint8_t flags)
|
||||
+{
|
||||
+ errno_t ret;
|
||||
+ errno_t tret;
|
||||
+ bool in_transaction = false;
|
||||
+
|
||||
+ ret = sysdb_transaction_start(id_ctx->domain->sysdb);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ in_transaction = true;
|
||||
+
|
||||
+ if (flags & SF_UPDATE_PASSWD) {
|
||||
+ ret = delete_all_users(id_ctx->domain);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* All users were deleted, therefore we need to enumerate each file again */
|
||||
+ for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
|
||||
+ ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (flags & SF_UPDATE_GROUP) {
|
||||
+ ret = delete_all_groups(id_ctx->domain);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* All groups were deleted, therefore we need to enumerate each file again */
|
||||
+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
|
||||
+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
|
||||
+ if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ in_transaction = false;
|
||||
+
|
||||
+ ret = EOK;
|
||||
+done:
|
||||
+ if (in_transaction) {
|
||||
+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
|
||||
+ if (tret != EOK) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
+ "Cannot cancel transaction: %d\n", ret);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static void sf_cb_done(struct files_id_ctx *id_ctx)
|
||||
{
|
||||
/* Only activate a domain when both callbacks are done */
|
||||
@@ -722,8 +790,6 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
|
||||
{
|
||||
struct files_id_ctx *id_ctx;
|
||||
errno_t ret;
|
||||
- errno_t tret;
|
||||
- bool in_transaction = false;
|
||||
|
||||
id_ctx = talloc_get_type(pvt, struct files_id_ctx);
|
||||
if (id_ctx == NULL) {
|
||||
@@ -740,49 +806,17 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
|
||||
dp_sbus_reset_users_memcache(id_ctx->be->provider);
|
||||
dp_sbus_reset_initgr_memcache(id_ctx->be->provider);
|
||||
|
||||
- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- in_transaction = true;
|
||||
-
|
||||
- ret = delete_all_users(id_ctx->domain);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- /* All users were deleted, therefore we need to enumerate each file again */
|
||||
- for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
|
||||
- ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n");
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- /* Covers the case when someone edits /etc/group, adds a group member and
|
||||
+ /* Using SF_UDPATE_BOTH here the case when someone edits /etc/group, adds a group member and
|
||||
* only then edits passwd and adds the user. The reverse is not needed,
|
||||
* because member/memberof links are established when groups are saved.
|
||||
*/
|
||||
- ret = delete_all_groups(id_ctx->domain);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- /* All groups were deleted, therefore we need to enumerate each file again */
|
||||
- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
|
||||
- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
|
||||
+ ret = sf_enum_files(id_ctx, SF_UPDATE_BOTH);
|
||||
if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Could not update files: [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
- in_transaction = false;
|
||||
|
||||
id_ctx->updating_passwd = false;
|
||||
sf_cb_done(id_ctx);
|
||||
@@ -790,14 +824,6 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
|
||||
|
||||
ret = EOK;
|
||||
done:
|
||||
- if (in_transaction) {
|
||||
- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
|
||||
- if (tret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Cannot cancel transaction: %d\n", ret);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -805,8 +831,6 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
|
||||
{
|
||||
struct files_id_ctx *id_ctx;
|
||||
errno_t ret;
|
||||
- errno_t tret;
|
||||
- bool in_transaction = false;
|
||||
|
||||
id_ctx = talloc_get_type(pvt, struct files_id_ctx);
|
||||
if (id_ctx == NULL) {
|
||||
@@ -823,47 +847,20 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
|
||||
dp_sbus_reset_groups_memcache(id_ctx->be->provider);
|
||||
dp_sbus_reset_initgr_memcache(id_ctx->be->provider);
|
||||
|
||||
- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- in_transaction = true;
|
||||
-
|
||||
- ret = delete_all_groups(id_ctx->domain);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- /* All groups were deleted, therefore we need to enumerate each file again */
|
||||
- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
|
||||
- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
|
||||
+ ret = sf_enum_files(id_ctx, SF_UPDATE_GROUP);
|
||||
if (ret != EOK) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Could not update files: [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
goto done;
|
||||
}
|
||||
- in_transaction = false;
|
||||
|
||||
id_ctx->updating_groups = false;
|
||||
sf_cb_done(id_ctx);
|
||||
files_account_info_finished(id_ctx, BE_REQ_GROUP, ret);
|
||||
|
||||
ret = EOK;
|
||||
-
|
||||
done:
|
||||
- if (in_transaction) {
|
||||
- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
|
||||
- if (tret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Cannot cancel transaction: %d\n", ret);
|
||||
- }
|
||||
- }
|
||||
-
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -873,62 +870,14 @@ static void startup_enum_files(struct tevent_context *ev,
|
||||
{
|
||||
struct files_id_ctx *id_ctx = talloc_get_type(pvt, struct files_id_ctx);
|
||||
errno_t ret;
|
||||
- errno_t tret;
|
||||
- bool in_transaction = false;
|
||||
|
||||
talloc_zfree(imm);
|
||||
|
||||
- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- in_transaction = true;
|
||||
-
|
||||
- ret = delete_all_users(id_ctx->domain);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = delete_all_groups(id_ctx->domain);
|
||||
+ ret = sf_enum_files(id_ctx, SF_UPDATE_BOTH);
|
||||
if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
|
||||
- DEBUG(SSSDBG_TRACE_FUNC,
|
||||
- "Startup user enumeration of [%s]\n", id_ctx->passwd_files[i]);
|
||||
- ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Enumerating users failed, data might be inconsistent!\n");
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
|
||||
- DEBUG(SSSDBG_TRACE_FUNC,
|
||||
- "Startup group enumeration of [%s]\n", id_ctx->group_files[i]);
|
||||
- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
|
||||
- if (ret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Enumerating groups failed, data might be inconsistent!\n");
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
|
||||
- if (ret != EOK) {
|
||||
- goto done;
|
||||
- }
|
||||
- in_transaction = false;
|
||||
-
|
||||
-done:
|
||||
- if (in_transaction) {
|
||||
- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
|
||||
- if (tret != EOK) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Cannot cancel transaction: %d\n", ret);
|
||||
- }
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Could not update files after startup: [%d]: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
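Review bot: In the new `sf_enum_files`, the cancel-failure message in the `done:` block prints `ret` instead of `tret`, so the log shows the error that triggered the rollback rather than the reason the rollback itself failed; it should read `"Cannot cancel transaction: %d\n", tret);`. The flag macros are unparenthesised (`#define SF_UPDATE_PASSWD 1<<0`), which only works here because `<<` binds tighter than `&` and `|`; `#define SF_UPDATE_PASSWD (1<<0)` and likewise `(1<<1)` for `SF_UPDATE_GROUP` is the safe spelling. The rewritten comment in `sf_passwd_cb` misspells the macro and lost its verb; `/* Using SF_UPDATE_BOTH here covers the case when someone edits /etc/group, adds a group member and` restores the original sentence. `startup_enum_files` also drops the per-file `SSSDBG_TRACE_FUNC` messages and lowers the failure from `SSSDBG_CRIT_FAILURE` to `SSSDBG_OP_FAILURE`, which may be intended but is not mentioned in the commit message.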
@ -1,132 +0,0 @@
|
||||
From 50c740cbc2bb27cbe488fa8587e2901b8b85cf87 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 10 Feb 2017 14:39:43 +0100
|
||||
Subject: [PATCH 49/79] RESPONDER: Contact inconsistent domains
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
---
|
||||
src/providers/data_provider.h | 5 +++
|
||||
src/responder/common/responder_dp.c | 74 +++++++++++++++++++++++++++++++++++--
|
||||
2 files changed, 76 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
|
||||
index 46d9910ddf9ef1c37da585bc33cf314341860332..5ccc0adbaffc6d50f128ae02fe6e5c77743f626b 100644
|
||||
--- a/src/providers/data_provider.h
|
||||
+++ b/src/providers/data_provider.h
|
||||
@@ -229,6 +229,11 @@ int dp_get_sbus_address(TALLOC_CTX *mem_ctx,
|
||||
char **address, const char *domain_name);
|
||||
|
||||
|
||||
+/* Reserved filter name for request which waits until the files provider finishes mirroring
|
||||
+ * the file content
|
||||
+ */
|
||||
+#define DP_REQ_OPT_FILES_INITGR "files_initgr_request"
|
||||
+
|
||||
/* Helpers */
|
||||
|
||||
#define NULL_STRING { .string = NULL }
|
||||
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
|
||||
index cfd12569a5068d0ffaa7fee5a35e12fe4512fb50..080f70fd5945ffd234e0ef226d8139df071c4752 100644
|
||||
--- a/src/responder/common/responder_dp.c
|
||||
+++ b/src/responder/common/responder_dp.c
|
||||
@@ -453,6 +453,12 @@ sss_dp_req_recv(TALLOC_CTX *mem_ctx,
|
||||
*/
|
||||
static DBusMessage *sss_dp_get_account_msg(void *pvt);
|
||||
|
||||
+static int sss_dp_account_files_params(struct sss_domain_info *dom,
|
||||
+ enum sss_dp_acct_type type_in,
|
||||
+ const char *opt_name_in,
|
||||
+ enum sss_dp_acct_type *_type_out,
|
||||
+ const char **_opt_name_out);
|
||||
+
|
||||
struct sss_dp_account_info {
|
||||
struct sss_domain_info *dom;
|
||||
|
||||
@@ -496,9 +502,28 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
if (NEED_CHECK_PROVIDER(dom->provider) == false) {
|
||||
- DEBUG(SSSDBG_TRACE_INTERNAL, "Domain %s does not check DP\n", dom->name);
|
||||
- ret = EOK;
|
||||
- goto error;
|
||||
+ if (strcmp(dom->provider, "files") == 0) {
|
||||
+ /* This is a special case. If the files provider is just being updated,
|
||||
+ * we issue an enumeration request. We always use the same request type
|
||||
+ * (user enumeration) to make sure concurrent requests are just chained
|
||||
+ * in the Data Provider
|
||||
+ */
|
||||
+ ret = sss_dp_account_files_params(dom, type, opt_name,
|
||||
+ &type, &opt_name);
|
||||
+ if (ret == EOK) {
|
||||
+ goto error;
|
||||
+ } else if (ret != EAGAIN) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||
+ "Failed to set files provider update: %d: %s\n",
|
||||
+ ret, sss_strerror(ret));
|
||||
+ goto error;
|
||||
+ }
|
||||
+ /* EAGAIN, fall through to issuing the request */
|
||||
+ } else {
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Domain %s does not check DP\n", dom->name);
|
||||
+ ret = EOK;
|
||||
+ goto error;
|
||||
+ }
|
||||
}
|
||||
|
||||
info = talloc_zero(state, struct sss_dp_account_info);
|
||||
@@ -554,6 +579,49 @@ error:
|
||||
return req;
|
||||
}
|
||||
|
||||
+static int sss_dp_account_files_params(struct sss_domain_info *dom,
|
||||
+ enum sss_dp_acct_type type_in,
|
||||
+ const char *opt_name_in,
|
||||
+ enum sss_dp_acct_type *_type_out,
|
||||
+ const char **_opt_name_out)
|
||||
+{
|
||||
+#if 0
|
||||
+ if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
|
||||
+ return EOK;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ DEBUG(SSSDBG_TRACE_INTERNAL,
|
||||
+ "Domain files is not consistent, issuing update\n");
|
||||
+
|
||||
+ switch(type_in) {
|
||||
+ case SSS_DP_USER:
|
||||
+ case SSS_DP_GROUP:
|
||||
+ *_type_out = type_in;
|
||||
+ *_opt_name_out = NULL;
|
||||
+ return EAGAIN;
|
||||
+ case SSS_DP_INITGROUPS:
|
||||
+ /* There is no initgroups enumeration so let's use a dummy
|
||||
+ * name to let the DP chain the requests
|
||||
+ */
|
||||
+ *_type_out = type_in;
|
||||
+ *_opt_name_out = DP_REQ_OPT_FILES_INITGR;
|
||||
+ return EAGAIN;
|
||||
+ /* These are not handled by the files provider, just fall back */
|
||||
+ case SSS_DP_NETGR:
|
||||
+ case SSS_DP_SERVICES:
|
||||
+ case SSS_DP_SECID:
|
||||
+ case SSS_DP_USER_AND_GROUP:
|
||||
+ case SSS_DP_CERT:
|
||||
+ case SSS_DP_WILDCARD_USER:
|
||||
+ case SSS_DP_WILDCARD_GROUP:
|
||||
+ return EOK;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unhandled type %d\n", type_in);
|
||||
+ return EINVAL;
|
||||
+}
|
||||
+
|
||||
static DBusMessage *
|
||||
sss_dp_get_account_msg(void *pvt)
|
||||
{
|
||||
--
|
||||
2.9.3
|
||||
|
75
0050-FILES-Reset-the-domain-status-back-even-on-errors.patch
Normal file
@ -0,0 +1,75 @@
|
||||
From 12876995fe664ac05149fa5d843836aed5ce33e9 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Tue, 17 Apr 2018 14:38:03 +0200
|
||||
Subject: [PATCH] FILES: Reset the domain status back even on errors
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The block that resets the domain status was only called on success, so
|
||||
on error, the domain would have been permanently stuck in an
|
||||
inconsistent state.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
(cherry picked from commit 81f16996c980a75e98538c7dd91baf9e0e635f58)
|
||||
---
|
||||
src/providers/files/files_ops.c | 16 ++++++----------
|
||||
1 file changed, 6 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
|
||||
index 370af1274..b91078417 100644
|
||||
--- a/src/providers/files/files_ops.c
|
||||
+++ b/src/providers/files/files_ops.c
|
||||
@@ -793,8 +793,7 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
|
||||
|
||||
id_ctx = talloc_get_type(pvt, struct files_id_ctx);
|
||||
if (id_ctx == NULL) {
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
+ return EINVAL;
|
||||
}
|
||||
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "passwd notification\n");
|
||||
@@ -818,12 +817,11 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = EOK;
|
||||
+done:
|
||||
id_ctx->updating_passwd = false;
|
||||
sf_cb_done(id_ctx);
|
||||
files_account_info_finished(id_ctx, BE_REQ_USER, ret);
|
||||
-
|
||||
- ret = EOK;
|
||||
-done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -834,8 +832,7 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
|
||||
|
||||
id_ctx = talloc_get_type(pvt, struct files_id_ctx);
|
||||
if (id_ctx == NULL) {
|
||||
- ret = EINVAL;
|
||||
- goto done;
|
||||
+ return EINVAL;
|
||||
}
|
||||
|
||||
DEBUG(SSSDBG_TRACE_FUNC, "group notification\n");
|
||||
@@ -855,12 +852,11 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ ret = EOK;
|
||||
+done:
|
||||
id_ctx->updating_groups = false;
|
||||
sf_cb_done(id_ctx);
|
||||
files_account_info_finished(id_ctx, BE_REQ_GROUP, ret);
|
||||
-
|
||||
- ret = EOK;
|
||||
-done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
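Review bot: The `done:` label in `sf_passwd_cb` and `sf_group_cb` now runs the reset of `updating_passwd`/`updating_groups`, `sf_cb_done()` and `files_account_info_finished()` on the failure path as well, which is the fix the commit describes but is easy to undo in a later edit; a comment above each label, e.g. `/* Runs on error too: the domain must not stay inconsistent and waiters get the real result */`, would pin the intent. If, as in the preceding FILES patch, `sf_enum_files` rolls its transaction back on failure, the error path reactivates the domain with the pre-edit cache contents, and the caller's `SSSDBG_OP_FAILURE` message is then the only trace that the files were not re-read, so it may deserve a higher log level. The early `return EINVAL` for a NULL `id_ctx` correctly bypasses `done:` since there is no context to reset. Both functions continue outside these hunks.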