[sssd/f19] Backport fixes for rhbz#961278, rhbz#961278 and rhbz#961251
Jakub Hrozek
jhrozek at fedoraproject.org
Tue May 14 14:53:35 UTC 2013
commit b24f0d940d984eba3a8bb7cd6a7e4d34643b08cb
Author: Jakub Hrozek <jhrozek at redhat.com>
Date: Tue May 14 15:22:41 2013 +0200
Backport fixes for rhbz#961278, rhbz#961278 and rhbz#961251
- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during
realm join
- Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by
default for AD Provider
- Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file
parent directory when logging in
...te-cached-upn-if-enterprise-principals-ar.patch | 39 +++++++++++++++++++
...ble-the-AD-dynamic-DNS-updates-by-default.patch | 40 ++++++++++++++++++++
sssd.spec | 12 +++++-
3 files changed, 90 insertions(+), 1 deletions(-)
---
diff --git a/0007-Always-update-cached-upn-if-enterprise-principals-ar.patch b/0007-Always-update-cached-upn-if-enterprise-principals-ar.patch
new file mode 100644
index 0000000..9b8ce53
--- /dev/null
+++ b/0007-Always-update-cached-upn-if-enterprise-principals-ar.patch
@@ -0,0 +1,39 @@
+From 517ba52c518eb747ccb2a76d75a7ec88fc870cf4 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Mon, 13 May 2013 14:25:15 +0200
+Subject: [PATCH] Always update cached upn if enterprise principals are used
+
+Instead of continuing to use the initial upn if enterprise principals
+are used if should always be replaced. The enterprise principal
+is stored in the credential cache and without knowing it the
+ccache_for_princ() calls to determine the location of the credential
+cache will fail.
+
+Fixes https://fedorahosted.org/sssd/ticket/1921
+---
+ src/providers/krb5/krb5_auth.c | 7 ++++---
+ 1 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index 6d7494c..f65e599 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -913,11 +913,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
+ KRB5_USE_ENTERPRISE_PRINCIPAL);
+
+ /* Check if the cases of our upn are correct and update it if needed.
+- * Fail if the upn differs by more than just the case. */
++ * Fail if the upn differs by more than just the case for non-enterprise
++ * principals. */
+ if (res->correct_upn != NULL &&
+- use_enterprise_principal == false &&
+ strcmp(kr->upn, res->correct_upn) != 0) {
+- if (strcasecmp(kr->upn, res->correct_upn) == 0) {
++ if (strcasecmp(kr->upn, res->correct_upn) == 0 ||
++ use_enterprise_principal == true) {
+ talloc_free(kr->upn);
+ kr->upn = talloc_strdup(kr, res->correct_upn);
+ if (kr->upn == NULL) {
+--
+1.7.7.6
+
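Review bot: In the krb5_auth_done() hunk, the new condition `strcasecmp(kr->upn, res->correct_upn) == 0 || use_enterprise_principal == true` makes the enterprise-principal path replace kr->upn with whatever res->correct_upn holds, with no comparison against the name that was requested. Since that value then drives the ccache_for_princ() lookup the commit message describes, I would add a debug message recording the old and new upn when they differ by more than case, so an unexpected substitution is visible in the logs. Minor style point: use_enterprise_principal is already a boolean, so the `== true` can be dropped. The commit message also has a typo: "if should always be replaced" should read "it should".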
diff --git a/0008-Enable-the-AD-dynamic-DNS-updates-by-default.patch b/0008-Enable-the-AD-dynamic-DNS-updates-by-default.patch
new file mode 100644
index 0000000..86ef52a
--- /dev/null
+++ b/0008-Enable-the-AD-dynamic-DNS-updates-by-default.patch
@@ -0,0 +1,40 @@
+From ad1be6fd04234f61f108773ff39aa7485abda47c Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Thu, 9 May 2013 16:41:47 +0200
+Subject: [PATCH] Enable the AD dynamic DNS updates by default
+
+https://fedorahosted.org/sssd/ticket/1915
+---
+ src/man/sssd-ad.5.xml | 2 +-
+ src/providers/ad/ad_opts.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
+index 71e8a2075bc83bc814987f2ca738ddb138c14e5a..589dfd0b5f7514a8e17c9f04407476ccf7c33e88 100644
+--- a/src/man/sssd-ad.5.xml
++++ b/src/man/sssd-ad.5.xml
+@@ -170,7 +170,7 @@ ldap_id_mapping = False
+ realm must be set properly in /etc/krb5.conf
+ </para>
+ <para>
+- Default: false
++ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
+index 32bbe3db2f4048056c7e96619eaf53ce22bf52f8..6e9d843c1f0a619fc3da26ae82bb15fe80eb4420 100644
+--- a/src/providers/ad/ad_opts.h
++++ b/src/providers/ad/ad_opts.h
+@@ -239,7 +239,7 @@ struct sdap_attr_map ad_autofs_entry_map[] = {
+ };
+
+ struct dp_option ad_dyndns_opts[] = {
+- { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
++ { "dyndns_update", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },
+ { "dyndns_refresh_interval", DP_OPT_NUMBER, { .number = 86400 }, NULL_NUMBER },
+ { "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "dyndns_ttl", DP_OPT_NUMBER, { .number = 3600 }, NULL_NUMBER },
+--
+1.8.2.1
+
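Review bot: The ad_opts.h hunk flips the `dyndns_update` default to BOOL_TRUE, which changes behaviour for every AD-provider domain that does not set the option explicitly, yet the commit message carries only the ticket URL and the sssd-ad.5.xml hunk changes nothing but the "Default:" line. Please state the reason for the new default in the commit message, and add a sentence to the man page telling administrators that the host will now attempt dynamic DNS updates unless they set `dyndns_update = false`.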
diff --git a/sssd.spec b/sssd.spec
index f0e0173..18c9b0c 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -16,7 +16,7 @@
Name: sssd
Version: 1.10.0
-Release: 4%{?dist}.beta1
+Release: 5%{?dist}.beta1
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -31,6 +31,8 @@ Patch0003: 0003-UTIL-Add-function-sss_names_init_from_args.patch
Patch0004: 0004-SSH-Fix-parsing-of-names-from-client-requests.patch
Patch0005: 0005-SSH-Use-separate-field-for-domain-name-in-client-req.patch
Patch0006: 0006-SSH-Do-not-skip-domains-with-use_fully_qualified_nam.patch
+Patch0007: 0007-Always-update-cached-upn-if-enterprise-principals-ar.patch
+Patch0008: 0008-Enable-the-AD-dynamic-DNS-updates-by-default.patch
Patch0501: 0501-FEDORA-Switch-the-default-ccache-location.patch
@@ -603,6 +605,14 @@ fi
%postun -n libsss_sudo -p /sbin/ldconfig
%changelog
+* Tue May 14 2013 Jakub Hrozek <jhrozek at redhat.com> - 1.10.0-5.beta1
+- Resolves: rhbz#961357 - Missing dyndns_update entry in sssd.conf during
+ realm join
+- Resolves: rhbz#961278 - Login failure: Enterprise Principal enabled by
+ default for AD Provider
+- Resolves: rhbz#961251 - sssd does not create user's krb5 ccache dir/file
+ parent directory when logging in
+
* Tue May 7 2013 Jakub Hrozek <jhrozek at redhat.com> - 1.10.0-4.beta1
- Explicitly Require libini_config >= 1.0.0.1 to work around a SONAME bug
in ding-libs
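Review bot: The new %changelog entry lists three bugs (rhbz#961357, rhbz#961278, rhbz#961251) while the spec adds only Patch0007 and Patch0008, and nothing says which patch resolves which bug. Please annotate each Resolves line with the patch that fixes it, or explain how rhbz#961251 is covered. The commit subject also names rhbz#961278 twice and leaves out rhbz#961357, which the changelog lists.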