[sssd] Apply a number of patches from upstream to fix issues found post-beta

Jakub Hrozek jhrozek at fedoraproject.org
Sun Jun 16 11:20:02 UTC 2013


commit ba06c0ac1d440eaecdb6f94dba8236e0e217e907
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Sun Jun 16 13:12:37 2013 +0200

    Apply a number of patches from upstream to fix issues found post-beta
    
    In particular:
    -- segfault with a high DEBUG level
    -- Fix IPA password migration (upstream #1873)
    -- Fix fail over when retrying SRV resolution (upstream #1886)

 ...ng-the-version-for-the-1.10-final-release.patch |   23 ++++
 ...nge-order-of-libraries-in-linking-process.patch |   31 +++++
 ...send-and-recv-shadow-a-global-declaration.patch |   92 +++++++++++++++
 ...send-and-recv-shadow-a-global-declaration.patch |   98 ++++++++++++++++
 ...rect-talloc-context-when-creating-AD-subd.patch |   28 +++++
 0006-Fix-minor-typos.patch                         |   90 ++++++++++++++
 ...t-state-out-when-meta-server-remains-in-S.patch |   26 ++++
 ...-Handle-preauthentication-error-correctly.patch |   76 ++++++++++++
 0009-AD-Fix-segfault-in-DEBUG-message.patch        |   25 ++++
 ...-Remove-ad_options-auth-options-reference.patch |   26 ++++
 ...touch-krb5.conf-when-creating-new-domain-.patch |  122 ++++++++++++++++++++
 0012-rpm-couple-of-small-fixes.patch               |   39 ++++++
 ...ps-allocate-more-space-if-deref-returns-m.patch |   53 +++++++++
 sssd.spec                                          |   23 ++++-
 14 files changed, 751 insertions(+), 1 deletions(-)
---
diff --git a/0001-Bumping-the-version-for-the-1.10-final-release.patch b/0001-Bumping-the-version-for-the-1.10-final-release.patch
new file mode 100644
index 0000000..d08f64c
--- /dev/null
+++ b/0001-Bumping-the-version-for-the-1.10-final-release.patch
@@ -0,0 +1,23 @@
+From 376e39bc7a7f49f08fd51b1a00aa5d2a456b2314 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Tue, 11 Jun 2013 17:44:04 +0200
+Subject: [PATCH 01/12] Bumping the version for the 1.10 final release
+
+---
+ version.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/version.m4 b/version.m4
+index 1435f6999f6d4ffb06ad0dfd4261b03357fd0cfa..4066d317aae67fee317d13a67abec0dae3ce14aa 100644
+--- a/version.m4
++++ b/version.m4
+@@ -1,5 +1,5 @@
+ # Primary version number
+-m4_define([VERSION_NUMBER], [1.9.94])
++m4_define([VERSION_NUMBER], [1.9.95])
+ 
+ # If the PRERELEASE_VERSION_NUMBER is set, we'll append
+ # it to the release tag when creating an RPM or SRPM
+-- 
+1.8.2.1
+
diff --git a/0002-Change-order-of-libraries-in-linking-process.patch b/0002-Change-order-of-libraries-in-linking-process.patch
new file mode 100644
index 0000000..b5af64f
--- /dev/null
+++ b/0002-Change-order-of-libraries-in-linking-process.patch
@@ -0,0 +1,31 @@
+From fd98a28d6e94080e52bbedc789b06606a6019b10 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn at redhat.com>
+Date: Wed, 12 Jun 2013 13:24:12 +0200
+Subject: [PATCH 02/12] Change order of libraries in linking process.
+
+It seems that some linkers have problem with wrong order of libraries.
+This commit only change order.
+---
+ Makefile.am | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 93e3a6fc0ce063cb3c874bd90e0b1773fe053386..88e29fff4f6f1f3686c02ca23b5a6f4725f22797 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -577,10 +577,10 @@ endif
+ libsss_util_la_LDFLAGS = -avoid-version
+ 
+ SSSD_INTERNAL_LTLIBS = \
++    libsss_util.la \
+     libsss_crypt.la \
+     libsss_debug.la \
+-    libsss_child.la \
+-    libsss_util.la
++    libsss_child.la
+ 
+ lib_LTLIBRARIES = libipa_hbac.la libsss_idmap.la libsss_nss_idmap.la
+ dist_pkgconfig_DATA += src/providers/ipa/ipa_hbac.pc
+-- 
+1.8.2.1
+
diff --git a/0003-be_ptask-send-and-recv-shadow-a-global-declaration.patch b/0003-be_ptask-send-and-recv-shadow-a-global-declaration.patch
new file mode 100644
index 0000000..5c0ab38
--- /dev/null
+++ b/0003-be_ptask-send-and-recv-shadow-a-global-declaration.patch
@@ -0,0 +1,92 @@
+From 460e43ee4dcc7a5860bcdc3c76ae51ed79921d79 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina at redhat.com>
+Date: Wed, 12 Jun 2013 09:50:54 +0200
+Subject: [PATCH 03/12] be_ptask: send and recv shadow a global declaration
+
+---
+ src/providers/dp_ptask.c | 18 +++++++++---------
+ src/providers/dp_ptask.h |  4 ++--
+ 2 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/src/providers/dp_ptask.c b/src/providers/dp_ptask.c
+index d3580981b4abea8471c280a647eb558341d738ef..d0f7c6d9700dd9d5cf588c9f72954590f65f82b5 100644
+--- a/src/providers/dp_ptask.c
++++ b/src/providers/dp_ptask.c
+@@ -39,8 +39,8 @@ struct be_ptask {
+     time_t enabled_delay;
+     time_t timeout;
+     enum be_ptask_offline offline;
+-    be_ptask_send_t send;
+-    be_ptask_recv_t recv;
++    be_ptask_send_t send_fn;
++    be_ptask_recv_t recv_fn;
+     void *pvt;
+     const char *name;
+ 
+@@ -139,7 +139,7 @@ static void be_ptask_execute(struct tevent_context *ev,
+ 
+     task->last_execution = time(NULL);
+ 
+-    task->req = task->send(task, task->ev, task->be_ctx, task, task->pvt);
++    task->req = task->send_fn(task, task->ev, task->be_ctx, task, task->pvt);
+     if (task->req == NULL) {
+         /* skip this iteration and try again later */
+         DEBUG(SSSDBG_OP_FAILURE, ("Task [%s]: failed to execute task, "
+@@ -178,7 +178,7 @@ static void be_ptask_done(struct tevent_req *req)
+ 
+     task = tevent_req_callback_data(req, struct be_ptask);
+ 
+-    ret = task->recv(req);
++    ret = task->recv_fn(req);
+     talloc_zfree(req);
+     task->req = NULL;
+     switch (ret) {
+@@ -246,8 +246,8 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
+                         time_t enabled_delay,
+                         time_t timeout,
+                         enum be_ptask_offline offline,
+-                        be_ptask_send_t send,
+-                        be_ptask_recv_t recv,
++                        be_ptask_send_t send_fn,
++                        be_ptask_recv_t recv_fn,
+                         void *pvt,
+                         const char *name,
+                         struct be_ptask **_task)
+@@ -255,7 +255,7 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
+     struct be_ptask *task = NULL;
+     errno_t ret;
+ 
+-    if (be_ctx == NULL || period == 0 || send == NULL || recv == NULL
++    if (be_ctx == NULL || period == 0 || send_fn == NULL || recv_fn == NULL
+         || name == NULL) {
+         return EINVAL;
+     }
+@@ -272,8 +272,8 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
+     task->enabled_delay = enabled_delay;
+     task->timeout = timeout;
+     task->offline = offline;
+-    task->send = send;
+-    task->recv = recv;
++    task->send_fn = send_fn;
++    task->recv_fn = recv_fn;
+     task->pvt = pvt;
+     task->name = talloc_strdup(task, name);
+     if (task->name == NULL) {
+diff --git a/src/providers/dp_ptask.h b/src/providers/dp_ptask.h
+index ae5f78d586df69bdcfa34bb35f032ad1dbd1b983..7e45862e46c5d9da4eaedca5312e25dcc0eb8abe 100644
+--- a/src/providers/dp_ptask.h
++++ b/src/providers/dp_ptask.h
+@@ -81,8 +81,8 @@ errno_t be_ptask_create(TALLOC_CTX *mem_ctx,
+                         time_t enabled_delay,
+                         time_t timeout,
+                         enum be_ptask_offline offline,
+-                        be_ptask_send_t send,
+-                        be_ptask_recv_t recv,
++                        be_ptask_send_t send_fn,
++                        be_ptask_recv_t recv_fn,
+                         void *pvt,
+                         const char *name,
+                         struct be_ptask **_task);
+-- 
+1.8.2.1
+
diff --git a/0004-be_refresh-send-and-recv-shadow-a-global-declaration.patch b/0004-be_refresh-send-and-recv-shadow-a-global-declaration.patch
new file mode 100644
index 0000000..2cf0e4b
--- /dev/null
+++ b/0004-be_refresh-send-and-recv-shadow-a-global-declaration.patch
@@ -0,0 +1,98 @@
+From d24f0493002037a5809c9fc5ae27fa2ceb81036e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina at redhat.com>
+Date: Wed, 12 Jun 2013 09:51:10 +0200
+Subject: [PATCH 04/12] be_refresh: send and recv shadow a global declaration
+
+---
+ src/providers/dp_refresh.c | 22 +++++++++++-----------
+ src/providers/dp_refresh.h |  4 ++--
+ 2 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/src/providers/dp_refresh.c b/src/providers/dp_refresh.c
+index 59d858549d94660e4abd4f5610eda13dabb9b495..c368668e1def76a7a63cee87d6720239830e7c6b 100644
+--- a/src/providers/dp_refresh.c
++++ b/src/providers/dp_refresh.c
+@@ -119,8 +119,8 @@ typedef errno_t
+ struct be_refresh_cb {
+     bool enabled;
+     be_refresh_get_values_t get_values;
+-    be_refresh_send_t send;
+-    be_refresh_recv_t recv;
++    be_refresh_send_t send_fn;
++    be_refresh_recv_t recv_fn;
+     void *pvt;
+ };
+ 
+@@ -145,11 +145,11 @@ struct be_refresh_ctx *be_refresh_ctx_init(TALLOC_CTX *mem_ctx)
+ 
+ errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+                           enum be_refresh_type type,
+-                          be_refresh_send_t send,
+-                          be_refresh_recv_t recv,
++                          be_refresh_send_t send_fn,
++                          be_refresh_recv_t recv_fn,
+                           void *pvt)
+ {
+-    if (ctx == NULL || send == NULL || recv == NULL
++    if (ctx == NULL || send_fn == NULL || recv_fn == NULL
+             || type >= BE_REFRESH_TYPE_SENTINEL) {
+         return EINVAL;
+     }
+@@ -159,8 +159,8 @@ errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+     }
+ 
+     ctx->callbacks[type].enabled = true;
+-    ctx->callbacks[type].send = send;
+-    ctx->callbacks[type].recv = recv;
++    ctx->callbacks[type].send_fn = send_fn;
++    ctx->callbacks[type].recv_fn = recv_fn;
+     ctx->callbacks[type].pvt = pvt;
+ 
+     return EOK;
+@@ -246,8 +246,8 @@ static errno_t be_refresh_step(struct tevent_req *req)
+         goto done;
+     }
+ 
+-    if (state->cb->get_values == NULL || state->cb->send == NULL
+-        || state->cb->recv == NULL) {
++    if (state->cb->get_values == NULL || state->cb->send_fn == NULL
++        || state->cb->recv_fn == NULL) {
+         ret = EINVAL;
+         goto done;
+     }
+@@ -260,7 +260,7 @@ static errno_t be_refresh_step(struct tevent_req *req)
+         goto done;
+     }
+ 
+-    subreq = state->cb->send(state, state->ev, state->be_ctx,
++    subreq = state->cb->send_fn(state, state->ev, state->be_ctx,
+                              values, state->cb->pvt);
+     if (subreq == NULL) {
+         ret = ENOMEM;
+@@ -288,7 +288,7 @@ static void be_refresh_done(struct tevent_req *subreq)
+     req = tevent_req_callback_data(subreq, struct tevent_req);
+     state = tevent_req_data(req, struct be_refresh_state);
+ 
+-    ret = state->cb->recv(subreq);
++    ret = state->cb->recv_fn(subreq);
+     talloc_zfree(subreq);
+     if (ret != EOK) {
+         goto done;
+diff --git a/src/providers/dp_refresh.h b/src/providers/dp_refresh.h
+index a7b324702b0546d8156e8fa395b39fa58b52812d..0dedbc3c14bfb661ebf296a9021fa397769dee66 100644
+--- a/src/providers/dp_refresh.h
++++ b/src/providers/dp_refresh.h
+@@ -54,8 +54,8 @@ struct be_refresh_ctx *be_refresh_ctx_init(TALLOC_CTX *mem_ctx);
+ 
+ errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+                           enum be_refresh_type type,
+-                          be_refresh_send_t send,
+-                          be_refresh_recv_t recv,
++                          be_refresh_send_t send_fn,
++                          be_refresh_recv_t recv_fn,
+                           void *pvt);
+ 
+ struct tevent_req *be_refresh_send(TALLOC_CTX *mem_ctx,
+-- 
+1.8.2.1
+
diff --git a/0005-Use-the-correct-talloc-context-when-creating-AD-subd.patch b/0005-Use-the-correct-talloc-context-when-creating-AD-subd.patch
new file mode 100644
index 0000000..ae6f3dd
--- /dev/null
+++ b/0005-Use-the-correct-talloc-context-when-creating-AD-subd.patch
@@ -0,0 +1,28 @@
+From 49f3aebcc8614d483c5753109a9d65aa33d301ea Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Tue, 11 Jun 2013 12:48:06 +0200
+Subject: [PATCH 05/12] Use the correct talloc context when creating AD
+ subdomains
+
+sdom was only ever guaranteed to be set when a new domain was being
+created. sditer is a valid pointer in both cases, so just use that.
+---
+ src/providers/ad/ad_subdomains.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index f4eec6a48019d55436631487a6108be405254766..07b523df5466319739e1f44164b7f08156ea214b 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -120,7 +120,7 @@ ads_store_sdap_subdom(struct ad_subdomains_ctx *ctx,
+         }
+ 
+         /* Convert the domain name into search base */
+-        ret = domain_to_basedn(sdom, sditer->dom->name, &basedn);
++        ret = domain_to_basedn(sditer, sditer->dom->name, &basedn);
+         if (ret != EOK) {
+             DEBUG(SSSDBG_OP_FAILURE,
+                 ("Cannot convert domain name [%s] to base DN [%d]: %s\n",
+-- 
+1.8.2.1
+
diff --git a/0006-Fix-minor-typos.patch b/0006-Fix-minor-typos.patch
new file mode 100644
index 0000000..6c5aa09
--- /dev/null
+++ b/0006-Fix-minor-typos.patch
@@ -0,0 +1,90 @@
+From 1091c0ae2f1596ceb161e5b765a91c23c413b369 Mon Sep 17 00:00:00 2001
+From: Yuri Chornoivan <yurchor at ukr.net>
+Date: Tue, 11 Jun 2013 19:12:41 +0300
+Subject: [PATCH 06/12] Fix minor typos
+
+---
+ src/man/sssd-krb5.5.xml      | 2 +-
+ src/man/sssd-ldap.5.xml      | 2 +-
+ src/man/sssd.conf.5.xml      | 4 ++--
+ src/providers/ipa/ipa_hbac.h | 2 +-
+ src/tools/tools_mc_util.c    | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
+index 906aee096d9815bcf32b992260a7f5254b93b947..df124b4d20f7f3b553d2eac554eaf5411c3c8436 100644
+--- a/src/man/sssd-krb5.5.xml
++++ b/src/man/sssd-krb5.5.xml
+@@ -455,7 +455,7 @@
+                     <term>krb5_use_kdcinfo (boolean)</term>
+                     <listitem>
+                         <para>
+-                            Specifies if the SSSD should be instructing the Kerberos
++                            Specifies if the SSSD should instruct the Kerberos
+                             libraries what realm and which KDCs to use. This option
+                             is on by default, if you disable it, you need to configure
+                             the Kerberos library using the
+diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
+index 9cd594c7bdcf682b8fd355e8e566229afcb18a43..fd29650e94db917b0afb3f3a73e4082773d1340f 100644
+--- a/src/man/sssd-ldap.5.xml
++++ b/src/man/sssd-ldap.5.xml
+@@ -1592,7 +1592,7 @@
+                     <term>krb5_use_kdcinfo (boolean)</term>
+                     <listitem>
+                         <para>
+-                            Specifies if the SSSD should be instructing the Kerberos
++                            Specifies if the SSSD should instruct the Kerberos
+                             libraries what realm and which KDCs to use. This option
+                             is on by default, if you disable it, you need to configure
+                             the Kerberos library using the
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index d3e393c83e3ba130bab35a4d2153560710e16ba6..8df2bd97c4edb793e74a698b9531b3e7ab7c1abe 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -172,7 +172,7 @@
+                                             <para>
+                                                 domain flat name. Mostly usable
+                                                 for Active Directory domains, both
+-                                                directly configured or disovered
++                                                directly configured or discovered
+                                                 via IPA trusts.
+                                             </para>
+                                         </listitem>
+@@ -1605,7 +1605,7 @@ override_homedir = /home/%u
+                                         <para>
+                                             domain flat name. Mostly usable
+                                             for Active Directory domains, both
+-                                            directly configured or disovered
++                                            directly configured or discovered
+                                             via IPA trusts.
+                                         </para>
+                                     </listitem>
+diff --git a/src/providers/ipa/ipa_hbac.h b/src/providers/ipa/ipa_hbac.h
+index 02077e37ebeebd99ba06a9d27311c0885c4e2b7f..8bc2c4f90f32a83d14240abb4979ae265913ae6a 100644
+--- a/src/providers/ipa/ipa_hbac.h
++++ b/src/providers/ipa/ipa_hbac.h
+@@ -212,7 +212,7 @@ enum hbac_error_code {
+     /** Unexpected error */
+     HBAC_ERROR_UNKNOWN = -1,
+ 
+-    /** Succesful evaluation */
++    /** Successful evaluation */
+     HBAC_SUCCESS,
+ 
+     /** Function is not yet implemented */
+diff --git a/src/tools/tools_mc_util.c b/src/tools/tools_mc_util.c
+index 33d5d26dbefaa547da3a5c49947793b485896e83..5d4300fbe4c0fc8fd678d619277f1d8be18f0912 100644
+--- a/src/tools/tools_mc_util.c
++++ b/src/tools/tools_mc_util.c
+@@ -111,7 +111,7 @@ done:
+         /* Closing the file also releases the lock */
+         close(mc_fd);
+ 
+-        /* Only unlink the file if invalidation was succesful */
++        /* Only unlink the file if invalidation was successful */
+         if (ret == EOK) {
+             pret = unlink(mc_filename);
+             if (pret == -1) {
+-- 
+1.8.2.1
+
diff --git a/0007-failover-set-state-out-when-meta-server-remains-in-S.patch b/0007-failover-set-state-out-when-meta-server-remains-in-S.patch
new file mode 100644
index 0000000..eae1849
--- /dev/null
+++ b/0007-failover-set-state-out-when-meta-server-remains-in-S.patch
@@ -0,0 +1,26 @@
+From d3b39cf07164b23d47bbce3d6e6541b13fc895f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina at redhat.com>
+Date: Thu, 13 Jun 2013 10:32:31 +0200
+Subject: [PATCH 07/12] failover: set state->out when meta server remains in
+ SRV_RESOLVE_ERROR
+
+https://fedorahosted.org/sssd/ticket/1886
+---
+ src/providers/fail_over.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
+index 12b6c37828b7da0e68579bbb94668c21574974f1..1d2813589495ebb2ff56e93cddaed9d5172e128e 100644
+--- a/src/providers/fail_over.c
++++ b/src/providers/fail_over.c
+@@ -1207,6 +1207,7 @@ resolve_srv_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+         break;
+     case SRV_RESOLVE_ERROR: /* query could not be resolved but don't retry yet */
+         ret = EIO;
++        state->out = server;
+         goto done;
+     case SRV_RESOLVED:  /* The query is resolved and valid. Return. */
+         state->out = server;
+-- 
+1.8.2.1
+
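Review bot: The added `state->out = server;` in the `SRV_RESOLVE_ERROR` case of resolve_srv_send sets an output value on a path that still returns `EIO`, and nothing in the hunk says why a failing request must carry a server. A short comment would keep a later cleanup from removing the line, for example `/* still hand the meta server back so the caller can see which server failed (ticket 1886) */`. That wording is inferred from the patch subject and should be confirmed against the receive side, which is outside the hunk.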
diff --git a/0008-KRB-Handle-preauthentication-error-correctly.patch b/0008-KRB-Handle-preauthentication-error-correctly.patch
new file mode 100644
index 0000000..97b041f
--- /dev/null
+++ b/0008-KRB-Handle-preauthentication-error-correctly.patch
@@ -0,0 +1,76 @@
+From 22a21e910fd216ec1468fe769dcc29f1621a52a4 Mon Sep 17 00:00:00 2001
+From: Ondrej Kos <okos at redhat.com>
+Date: Thu, 13 Jun 2013 15:28:23 +0200
+Subject: [PATCH 08/12] KRB: Handle preauthentication error correctly
+
+https://fedorahosted.org/sssd/ticket/1873
+
+KRB preauthentication error was later mishandled like authentication error.
+---
+ src/providers/krb5/krb5_auth.c  | 6 ++++++
+ src/providers/krb5/krb5_child.c | 4 +++-
+ src/util/util_errors.c          | 1 +
+ src/util/util_errors.h          | 1 +
+ 4 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index f65e5993d54a5a265e4217e7f23d9549915c6b32..f6acfb4891cf5e99878ccfa7994ffeddf5447e2c 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -1026,6 +1026,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
+         ret = EOK;
+         goto done;
+ 
++    case ERR_CREDS_INVALID:
++        state->pam_status = PAM_CRED_ERR;
++        state->dp_err = DP_ERR_OK;
++        ret = EOK;
++        goto done;
++
+     case ERR_NO_CREDS:
+         state->pam_status = PAM_CRED_UNAVAIL;
+         state->dp_err = DP_ERR_OK;
+diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
+index 8f746a8db561928349ffed8b7434db2a113a1f86..74d730aaa2e84af111982a450dafd524d411f472 100644
+--- a/src/providers/krb5/krb5_child.c
++++ b/src/providers/krb5/krb5_child.c
+@@ -1172,9 +1172,11 @@ static errno_t map_krb5_error(krb5_error_code kerr)
+         return ERR_CREDS_EXPIRED;
+ 
+     case KRB5KRB_AP_ERR_BAD_INTEGRITY:
++        return ERR_AUTH_FAILED;
++
+     case KRB5_PREAUTH_FAILED:
+     case KRB5KDC_ERR_PREAUTH_FAILED:
+-        return ERR_AUTH_FAILED;
++        return ERR_CREDS_INVALID;
+ 
+     default:
+         return ERR_INTERNAL;
+diff --git a/src/util/util_errors.c b/src/util/util_errors.c
+index b617f540691a245d1132469a1f019bcb0eb6e775..22a3045a6f9656d9ab8fe66673301a508e444771 100644
+--- a/src/util/util_errors.c
++++ b/src/util/util_errors.c
+@@ -31,6 +31,7 @@ struct err_string error_to_str[] = {
+     { "Invalid credential type" },  /* ERR_INVALID_CRED_TYPE */
+     { "No credentials available" }, /* ERR_NO_CREDS */
+     { "Credentials are expired" }, /* ERR_CREDS_EXPIRED */
++    { "Failure setting user credentials"}, /* ERR_CREDS_INVALID */
+     { "No cached credentials available" }, /* ERR_NO_CACHED_CREDS */
+     { "Cached credentials are expired" }, /* ERR_CACHED_CREDS_EXPIRED */
+     { "Authentication Denied" }, /* ERR_AUTH_DENIED */
+diff --git a/src/util/util_errors.h b/src/util/util_errors.h
+index a602a6ea92f72a51f5e21342940b2072bbe9296d..65d37aedb544bb303d7540fc59e1a802aee11898 100644
+--- a/src/util/util_errors.h
++++ b/src/util/util_errors.h
+@@ -53,6 +53,7 @@ enum sssd_errors {
+     ERR_INVALID_CRED_TYPE,
+     ERR_NO_CREDS,
+     ERR_CREDS_EXPIRED,
++    ERR_CREDS_INVALID,
+     ERR_NO_CACHED_CREDS,
+     ERR_CACHED_CREDS_EXPIRED,
+     ERR_AUTH_DENIED,
+-- 
+1.8.2.1
+
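Review bot: In map_krb5_error (krb5_child.c) `KRB5_PREAUTH_FAILED` and `KRB5KDC_ERR_PREAUTH_FAILED` now return `ERR_CREDS_INVALID`, which krb5_auth_done turns into `PAM_CRED_ERR`, and the code carries no comment explaining why a preauthentication failure is no longer treated as an authentication failure. A wrong password against a KDC that requires preauthentication normally produces exactly these codes, so ordinary bad-password attempts will presumably reach the PAM stack and the logs as a credential error with the text "Failure setting user credentials"; anything that counts or alerts on failed logins by PAM status should be checked against that. I would add `/* preauth failure is reported separately so the IPA provider can try password migration (ticket 1873) */` above the two case labels, with the wording confirmed by the author. Both functions continue outside the hunk, so how `ERR_AUTH_FAILED` is mapped is not visible here.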
diff --git a/0009-AD-Fix-segfault-in-DEBUG-message.patch b/0009-AD-Fix-segfault-in-DEBUG-message.patch
new file mode 100644
index 0000000..7d2d064
--- /dev/null
+++ b/0009-AD-Fix-segfault-in-DEBUG-message.patch
@@ -0,0 +1,25 @@
+From bb4172259e04925ffc3a92e4450029634d295134 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Fri, 14 Jun 2013 14:05:24 +0200
+Subject: [PATCH 09/12] AD: Fix segfault in DEBUG message
+
+---
+ src/providers/ad/ad_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
+index 1aad85de337870ede08114490398dfbde32bf62f..d53acf9ee03a88c78bca58e664121142a7331ade 100644
+--- a/src/providers/ad/ad_common.c
++++ b/src/providers/ad/ad_common.c
+@@ -854,7 +854,7 @@ ad_get_auth_options(TALLOC_CTX *mem_ctx,
+     ad_opts->service->krb5_service->write_kdcinfo = \
+         dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO);
+     DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
+-          ad_opts->auth[KRB5_USE_KDCINFO].opt_name,
++          krb5_options[KRB5_USE_KDCINFO].opt_name,
+           ad_opts->service->krb5_service->write_kdcinfo ? "true" : "false"));
+ 
+     *_opts = talloc_steal(mem_ctx, krb5_options);
+-- 
+1.8.2.1
+
diff --git a/0010-AD-Remove-ad_options-auth-options-reference.patch b/0010-AD-Remove-ad_options-auth-options-reference.patch
new file mode 100644
index 0000000..635af3d
--- /dev/null
+++ b/0010-AD-Remove-ad_options-auth-options-reference.patch
@@ -0,0 +1,26 @@
+From 9f1106573a4fca41b99a468d06fa392486faf43c Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Fri, 14 Jun 2013 14:19:25 +0200
+Subject: [PATCH 10/12] AD: Remove ad_options->auth options reference
+
+The options are stored in ad_options->auth_ctx->opts, this member was
+completely unused and confusing.
+---
+ src/providers/ad/ad_common.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
+index 801815528c30ef05956eb51dce7cc6f8b161ffa8..1503059e87d60c90d33c00cdd3ebb55b4f4530f0 100644
+--- a/src/providers/ad/ad_common.h
++++ b/src/providers/ad/ad_common.h
+@@ -67,7 +67,6 @@ struct ad_options {
+     struct ad_id_ctx *id_ctx;
+ 
+     /* Auth and chpass Provider */
+-    struct dp_option *auth;
+     struct krb5_ctx *auth_ctx;
+ 
+     /* Dynamic DNS updates */
+-- 
+1.8.2.1
+
diff --git a/0011-subdomains-touch-krb5.conf-when-creating-new-domain-.patch b/0011-subdomains-touch-krb5.conf-when-creating-new-domain-.patch
new file mode 100644
index 0000000..e403509
--- /dev/null
+++ b/0011-subdomains-touch-krb5.conf-when-creating-new-domain-.patch
@@ -0,0 +1,122 @@
+From 03713859dffacc7142393e53c73d8d4cf7dee8d5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina at redhat.com>
+Date: Wed, 12 Jun 2013 13:44:19 +0200
+Subject: [PATCH 11/12] subdomains: touch krb5.conf when creating new
+ domain-realm mappings
+
+https://fedorahosted.org/sssd/ticket/1815
+---
+ configure.ac                       |  1 +
+ src/conf_macros.m4                 | 13 +++++++++++++
+ src/providers/ipa/ipa_subdomains.c |  8 ++++++++
+ src/util/sss_krb5.c                | 22 ++++++++++++++++++++++
+ src/util/sss_krb5.h                |  3 +++
+ 5 files changed, 47 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index e63e678705ee059b984612a6ffab1a10a4f7e7f8..7eeee2e2a069b2c4f7a3408798740cb7aba88513 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -110,6 +110,7 @@ WITH_XML_CATALOG
+ WITH_KRB5_PLUGIN_PATH
+ WITH_KRB5_RCACHE_DIR
+ WITH_KRB5AUTHDATA_PLUGIN_PATH
++WITH_KRB5_CONF
+ WITH_PYTHON_BINDINGS
+ WITH_SELINUX
+ WITH_NSCD
+diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
+index c72b3dd73d5a3eac76c17d8ce2568088f78cfcb3..1dd296039719fb29b2dbd40710fe7428ef417e16 100644
+--- a/src/conf_macros.m4
++++ b/src/conf_macros.m4
+@@ -291,6 +291,19 @@ AC_DEFUN([WITH_KRB5AUTHDATA_PLUGIN_PATH],
+     AC_SUBST(krb5authdatapluginpath)
+   ])
+ 
++AC_DEFUN([WITH_KRB5_CONF],
++  [ AC_ARG_WITH([krb5_conf],
++                [AC_HELP_STRING([--with-krb5-conf=PATH], [Path to krb5.conf file [/etc/krb5.conf]])
++                ]
++               )
++
++    KRB5_CONF_PATH="${sysconfdir}/krb5.conf"
++    if test x"$with_krb5_conf" != x; then
++        KRB5_CONF_PATH=$with_krb5_conf
++    fi
++    AC_DEFINE_UNQUOTED([KRB5_CONF_PATH], ["$KRB5_CONF_PATH"], [KRB5 configuration file])
++  ])
++
+ AC_DEFUN([WITH_PYTHON_BINDINGS],
+   [ AC_ARG_WITH([python-bindings],
+                 [AC_HELP_STRING([--with-python-bindings],
+diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
+index 18878ae33dc014639cfce0be54f9ca3a44c4ddbb..881f27c5d83f03a7e3bb1afb74fee765906e9148 100644
+--- a/src/providers/ipa/ipa_subdomains.c
++++ b/src/providers/ipa/ipa_subdomains.c
+@@ -382,6 +382,14 @@ ipa_subdomains_write_mappings(struct sss_domain_info *domain)
+         goto done;
+     }
+ 
++    /* touch krb5.conf to ensure that new mappings are loaded */
++    ret = sss_krb5_touch_config();
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to change last modification time "
++              "of krb5.conf. Created mappings may not be loaded.\n"));
++        /* just continue */
++    }
++
+     ret = EOK;
+ done:
+     if (fstream) {
+diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
+index 674e9fcdd99e3d1df26b0db9854a80a6e3870d33..74db98fe9ee4cba858de5b459f0a5540003c63f8 100644
+--- a/src/util/sss_krb5.c
++++ b/src/util/sss_krb5.c
+@@ -20,6 +20,7 @@
+ #include <stdio.h>
+ #include <errno.h>
+ #include <talloc.h>
++#include <utime.h>
+ 
+ #include "config.h"
+ 
+@@ -1176,3 +1177,24 @@ done:
+     return ENOTSUP;
+ #endif
+ }
++
++errno_t sss_krb5_touch_config(void)
++{
++    const char *config = NULL;
++    errno_t ret;
++
++    config = getenv("KRB5_CONFIG");
++    if (config == NULL) {
++        config = KRB5_CONF_PATH;
++    }
++
++    ret = utime(config, NULL);
++    if (ret == -1) {
++        ret = errno;
++        DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to change mtime of \"%s\" "
++                                    "[%d]: %s\n", config, strerror(ret)));
++        return ret;
++    }
++
++    return EOK;
++}
+diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h
+index 5fe7178c1aed8afaa9d85be99dd91634e0cedb36..9bae2f92b6d132ffd2631773deee4e9c56ad483d 100644
+--- a/src/util/sss_krb5.h
++++ b/src/util/sss_krb5.h
+@@ -191,4 +191,7 @@ krb5_error_code sss_extract_pac(krb5_context ctx,
+                                 krb5_principal client_principal,
+                                 krb5_keytab keytab,
+                                 krb5_authdata ***_pac_authdata);
++
++errno_t sss_krb5_touch_config(void);
++
+ #endif /* __SSS_KRB5_H__ */
+-- 
+1.8.2.1
+
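Review bot: The DEBUG call in the new sss_krb5_touch_config (sss_krb5.c) has three conversions, `%s`, `%d` and `%s`, but passes only `config` and `strerror(ret)`, so the `%d` consumes a pointer and the last `%s` reads an argument that was never passed. That is undefined behaviour on the utime() failure path and can crash the process while it is logging; the argument list should be `config, ret, strerror(ret)));`. Separately, `getenv("KRB5_CONFIG")` is handed to utime() as a single path, while the Kerberos library accepts a colon-separated list of files in that variable, so the touch would fail for such a setting. Whether SSSD ever runs with a list there is not visible from the hunk.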
diff --git a/0012-rpm-couple-of-small-fixes.patch b/0012-rpm-couple-of-small-fixes.patch
new file mode 100644
index 0000000..45006a8
--- /dev/null
+++ b/0012-rpm-couple-of-small-fixes.patch
@@ -0,0 +1,39 @@
+From 47d19d62aaabb9e7f09353ecad9f48aa4054e3b1 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Wed, 12 Jun 2013 14:14:41 +0200
+Subject: [PATCH 12/12] rpm: couple of small fixes
+
+* Include localized pam_sss manpages in sssd-client
+* Call ldconfig after libsss_nss_idmap is installed or removed
+---
+ contrib/sssd.spec.in | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index b9f852201dd9b9d53876c4dcd1c280bb5a31c73c..bee939092a135f5d7d97f9e361c3b4b8583a630c 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -471,6 +471,9 @@ do
+         sssd_krb5_*)
+             echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
+             ;;
++        pam_sss*)
++            echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang
++            ;;
+         sssd-ldap*)
+             echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ldap.lang
+             ;;
+@@ -775,6 +778,10 @@ fi
+ 
+ %postun -n libsss_idmap -p /sbin/ldconfig
+ 
++%post -n libsss_nss_idmap -p /sbin/ldconfig
++
++%postun -n libsss_nss_idmap -p /sbin/ldconfig
++
+ %changelog
+ * Mon Mar 15 2010 Stephen Gallagher <sgallagh at redhat.com> - @PACKAGE_VERSION at -0@PRERELEASE_VERSION@
+ - Automated build of the SSSD
+-- 
+1.8.2.1
+
diff --git a/0013-nested-groups-allocate-more-space-if-deref-returns-m.patch b/0013-nested-groups-allocate-more-space-if-deref-returns-m.patch
new file mode 100644
index 0000000..2665bf8
--- /dev/null
+++ b/0013-nested-groups-allocate-more-space-if-deref-returns-m.patch
@@ -0,0 +1,53 @@
+From 354febd0c5647e16c9ce5d3985600baa4b8a86ab Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina at redhat.com>
+Date: Fri, 14 Jun 2013 13:49:47 +0200
+Subject: [PATCH] nested groups: allocate more space if deref returns more
+ members
+
+https://fedorahosted.org/sssd/ticket/1894
+---
+ src/providers/ldap/sdap_async_nested_groups.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
+index e8d5295cc31319599212f96d7b58c8f5bd38245a..4f8dca9f50cdd150bacc14b1e834847e940b5e75 100644
+--- a/src/providers/ldap/sdap_async_nested_groups.c
++++ b/src/providers/ldap/sdap_async_nested_groups.c
+@@ -2048,6 +2048,18 @@ sdap_nested_group_deref_direct_process(struct tevent_req *subreq)
+     DEBUG(SSSDBG_TRACE_INTERNAL, ("Received %d dereference results, "
+           "about to process them\n", num_entries));
+ 
++    if (num_entries != members->num_values) {
++        /* Dereference returned more values than obtained earlier. We need
++         * to adjust group array size. */
++        state->nested_groups = talloc_realloc(state, state->nested_groups,
++                                              struct sysdb_attrs *,
++                                              num_entries);
++        if (state->nested_groups == NULL) {
++            ret = ENOMEM;
++            goto done;
++        }
++    }
++
+     for (i = 0; i < num_entries; i++) {
+         ret = sysdb_attrs_get_string(entries[i]->attrs,
+                                      SYSDB_ORIG_DN, &orig_dn);
+@@ -2155,6 +2167,15 @@ sdap_nested_group_deref_direct_process(struct tevent_req *subreq)
+         }
+     }
+ 
++    /* adjust size of nested groups array */
++    state->nested_groups = talloc_realloc(state, state->nested_groups,
++                                          struct sysdb_attrs *,
++                                          state->num_groups);
++    if (state->nested_groups == NULL) {
++        ret = ENOMEM;
++        goto done;
++    }
++
+     ret = EOK;
+ 
+ done:
+-- 
+1.7.11.7
+
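Review bot: The second added `talloc_realloc` in sdap_nested_group_deref_direct_process shrinks `state->nested_groups` to `state->num_groups` elements and treats a NULL result as `ENOMEM`, but talloc_realloc with a count of zero frees the array and returns NULL. If the dereference results contain no groups (num_groups presumably stays 0; the loop body is outside the hunk), a successful lookup is then reported as out of memory. The first realloc has the same shape when `num_entries` is 0, and its comment says "more values" while the test is `!=`. The shrink should be guarded as below; the function starts and ends outside the hunk.

```c
    /* adjust size of nested groups array */
    if (state->num_groups > 0) {
        state->nested_groups = talloc_realloc(state, state->nested_groups,
                                              struct sysdb_attrs *,
                                              state->num_groups);
        if (state->nested_groups == NULL) {
            ret = ENOMEM;
            goto done;
        }
    } else {
        /* no groups among the results: drop the array, this is not a failure */
        talloc_zfree(state->nested_groups);
    }

    ret = EOK;
```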
diff --git a/sssd.spec b/sssd.spec
index 52a2f29..a53bfe2 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -16,7 +16,7 @@
 
 Name: sssd
 Version: 1.10.0
-Release: 10%{?dist}.beta2
+Release: 11%{?dist}.beta2
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -25,6 +25,20 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}beta2.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 ### Patches ###
+Patch0001: 0001-Bumping-the-version-for-the-1.10-final-release.patch
+Patch0002: 0002-Change-order-of-libraries-in-linking-process.patch
+Patch0003: 0003-be_ptask-send-and-recv-shadow-a-global-declaration.patch
+Patch0004: 0004-be_refresh-send-and-recv-shadow-a-global-declaration.patch
+Patch0005: 0005-Use-the-correct-talloc-context-when-creating-AD-subd.patch
+Patch0006: 0006-Fix-minor-typos.patch
+Patch0007: 0007-failover-set-state-out-when-meta-server-remains-in-S.patch
+Patch0008: 0008-KRB-Handle-preauthentication-error-correctly.patch
+Patch0009: 0009-AD-Fix-segfault-in-DEBUG-message.patch
+Patch0010: 0010-AD-Remove-ad_options-auth-options-reference.patch
+Patch0011: 0011-subdomains-touch-krb5.conf-when-creating-new-domain-.patch
+Patch0012: 0012-rpm-couple-of-small-fixes.patch
+Patch0013: 0013-nested-groups-allocate-more-space-if-deref-returns-m.patch
+
 Patch0501:  0501-FEDORA-Switch-the-default-ccache-location.patch
 
 ### Dependencies ###
@@ -714,6 +728,13 @@ fi
 %postun -n libsss_idmap -p /sbin/ldconfig
 
 %changelog
+* Sun Jun 16 2013 Jakub Hrozek <jhrozek at redhat.com> - 1.10.0-11.beta2
+- Apply a number of patches from upstream to fix issues found post-beta,
+  in particular:
+  -- segfault with a high DEBUG level
+  -- Fix IPA password migration (upstream #1873)
+  -- Fix fail over when retrying SRV resolution (upstream #1886)
+
 * Thu Jun 13 2013 Jakub Hrozek <jhrozek at redhat.com> - 1.10.0-10.beta2
 - Only BuildRequire libcmocka on Fedora
 

