From 75dabe3ec5398359f4cccfcd616959cd921cced2 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Thu, 18 Feb 2016 13:03:44 +0100
|
|
Subject: [PATCH 082/108] IPA: lookup idview name even if there is no master
|
|
domain record
|
|
|
|
Currently the IPA subdomain provider returns with an error if there is no
|
|
master domain record found. Since this record contains data which is
|
|
only needed to create a trust with AD, like e.g. the IPA domain SID,
|
|
this record is only created by ipa-adtrust-install. But the idview name
|
|
is read after the master domain record. To make the idview feature work
|
|
with a plain FreeIPA setup without running ipa-adtrust-install the
|
|
missing master domain record should be handled gracefully and the
|
|
following lookup should run as well.
|
|
|
|
Resolves https://fedorahosted.org/sssd/ticket/2960
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
(cherry picked from commit b25d33b0a775e2337014a334699156ac56b08f9b)
|
|
(cherry picked from commit 022e4575980324c2c68a05b3f250bd1a72bc9885)
|
|
---
|
|
src/providers/ipa/ipa_subdomains.c | 80 +++++++++++++++++++++-----------------
|
|
1 file changed, 44 insertions(+), 36 deletions(-)
|
|
|
|
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
|
|
index f13847f12a7eae42b13a51e3fe1d09b60878633b..c888279229c891f1d5b8763aa851617a5daedd51 100644
|
|
--- a/src/providers/ipa/ipa_subdomains.c
|
|
+++ b/src/providers/ipa/ipa_subdomains.c
|
|
@@ -1219,6 +1219,9 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
|
|
size_t reply_count = 0;
|
|
struct sysdb_attrs **reply = NULL;
|
|
struct ipa_subdomains_req_ctx *ctx;
|
|
+ const char *flat = NULL;
|
|
+ const char *id = NULL;
|
|
+ const char *realm = NULL;
|
|
|
|
ctx = tevent_req_callback_data(req, struct ipa_subdomains_req_ctx);
|
|
|
|
@@ -1230,10 +1233,6 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
|
|
}
|
|
|
|
if (reply_count) {
|
|
- const char *flat = NULL;
|
|
- const char *id = NULL;
|
|
- const char *realm;
|
|
-
|
|
ret = sysdb_attrs_get_string(reply[0], IPA_FLATNAME, &flat);
|
|
if (ret != EOK) {
|
|
goto done;
|
|
@@ -1244,31 +1243,9 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
|
|
goto done;
|
|
}
|
|
|
|
- realm = dp_opt_get_string(ctx->sd_ctx->id_ctx->ipa_options->basic,
|
|
- IPA_KRB5_REALM);
|
|
- if (realm == NULL) {
|
|
- DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n");
|
|
- ret = EINVAL;
|
|
- goto done;
|
|
- }
|
|
-
|
|
- ret = sysdb_master_domain_add_info(ctx->sd_ctx->be_ctx->domain,
|
|
- realm, flat, id, NULL);
|
|
- if (ret != EOK) {
|
|
- goto done;
|
|
- }
|
|
-
|
|
/* There is only one master record. Don't bother checking other IPA
|
|
* search bases; move to checking subdomains instead
|
|
*/
|
|
- ret = ipa_subdomains_handler_get_start(ctx,
|
|
- ctx->sd_ctx->search_bases,
|
|
- IPA_SUBDOMAINS_SLAVE);
|
|
- if (ret == EAGAIN) {
|
|
- return;
|
|
- }
|
|
-
|
|
- /* Either no search bases or an error. End the request in both cases */
|
|
} else {
|
|
ret = ipa_subdomains_handler_get_cont(ctx, IPA_SUBDOMAINS_MASTER);
|
|
if (ret == EAGAIN) {
|
|
@@ -1277,17 +1254,48 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
|
|
goto done;
|
|
}
|
|
|
|
- /* Right now we know there has been an error
|
|
- * and we don't have the master domain record
|
|
- */
|
|
- DEBUG(SSSDBG_CRIT_FAILURE, "Master domain record not found!\n");
|
|
-
|
|
- if (!ctx->sd_ctx->configured_explicit) {
|
|
- ctx->sd_ctx->disabled_until = time(NULL) +
|
|
- IPA_SUBDOMAIN_DISABLED_PERIOD;
|
|
+ /* All search paths are searched and no master domain record was
|
|
+ * found.
|
|
+ *
|
|
+ * A default IPA installation will not have a master domain record,
|
|
+ * this is only created by ipa-adtrust-install. Nevertheless we should
|
|
+ * continue to read other data like the idview on IPA clients. */
|
|
+
|
|
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Master domain record not found!\n");
|
|
+
|
|
+ }
|
|
+
|
|
+ realm = dp_opt_get_string(ctx->sd_ctx->id_ctx->ipa_options->basic,
|
|
+ IPA_KRB5_REALM);
|
|
+ if (realm == NULL) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n");
|
|
+ ret = EINVAL;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ ret = sysdb_master_domain_add_info(ctx->sd_ctx->be_ctx->domain,
|
|
+ realm, flat, id, NULL);
|
|
+ if (ret != EOK) {
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ ret = ipa_subdomains_handler_get_start(ctx,
|
|
+ ctx->sd_ctx->search_bases,
|
|
+ IPA_SUBDOMAINS_SLAVE);
|
|
+ if (ret == EAGAIN) {
|
|
+ return;
|
|
+ } else if (ret == EOK) {
|
|
+ /* If there are no search bases defined for subdomains try to get the
|
|
+ * idview before ending the request */
|
|
+ if (ctx->sd_ctx->id_ctx->server_mode == NULL) {
|
|
+ /* Only get view on clients, on servers it is always 'default' */
|
|
+ ret = ipa_get_view_name(ctx);
|
|
+ if (ret == EAGAIN) {
|
|
+ return;
|
|
+ } else if (ret != EOK) {
|
|
+ goto done;
|
|
+ }
|
|
}
|
|
-
|
|
- ret = EIO;
|
|
}
|
|
|
|
done:
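Review bot: When no master domain record is found, `flat` and `id` are still NULL when they reach `sysdb_master_domain_add_info(...)` after the if/else. That function's body is not shown here, so it should be confirmed that it accepts NULL for both and does not clear a flat name or domain SID cached by an earlier successful lookup. The missing record is now logged only at `SSSDBG_TRACE_INTERNAL` and `ret = EIO` is gone, so on a server where ipa-adtrust-install has been run, a record that has become unreadable would presumably no longer show up at default debug levels; consider a higher level such as `SSSDBG_MINOR_FAILURE`, or a comment saying why trace level is enough. The kept comment "There is only one master record ... move to checking subdomains instead" in the previous hunk now ends the `if (reply_count)` branch with no code after it, and would read better directly above the `ipa_subdomains_handler_get_start()` call. The function body starts and ends outside these hunks.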
|
|
--
|
|
2.7.3
|
|
|