[sssd/f20] Include couple of patches from upstream 1.11 branch

Jakub Hrozek jhrozek at fedoraproject.org
Tue Mar 11 13:06:57 UTC 2014


commit 63e61b1e966c3d4217594a114e932d920dea31fc
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Tue Mar 11 13:35:03 2014 +0100

    Include couple of patches from upstream 1.11 branch

 ...-Don-t-call-tevent_req_post-outside-_send.patch |   29 +++++
 ...ail-if-apply_subdomain_homedir-returns-EN.patch |   27 ++++
 ...mode-use-lower-case-user-name-for-home-di.patch |   50 ++++++++
 ...PA-Do-not-save-intermediate-data-to-sysdb.patch |  101 ++++++++++++++++
 ...angepw-when-FAST-only-preauth-methods-are.patch |  127 ++++++++++++++++++++
 0006-IPA-Use-GC-for-AD-initgroup-requests.patch    |   46 +++++++
 sssd.spec                                          |   12 ++-
 7 files changed, 391 insertions(+), 1 deletions(-)
---
diff --git a/0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch b/0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch
new file mode 100644
index 0000000..41ad079
--- /dev/null
+++ b/0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch
@@ -0,0 +1,29 @@
+From 0c2004f594b219c39c684222a88226d7c2a3befb Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Wed, 19 Feb 2014 15:00:15 +0100
+Subject: [PATCH 1/6] IPA: Don't call tevent_req_post outside _send
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Pavel Březina <pbrezina at redhat.com>
+(cherry picked from commit 6d4574a8dd1a9cafbb15631e7d01bdf6e67f821b)
+---
+ src/providers/ipa/ipa_subdomains_id.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index b61c6a5f4d7605f0cdfa182bbc933d35c4613a79..c15bdaa703835ab07a9b3b21d1304220a01eac10 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -580,7 +580,6 @@ ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq)
+ fail:
+     state->dp_error = DP_ERR_FATAL;
+     tevent_req_error(req, ret);
+-    tevent_req_post(req, state->ev);
+     return;
+ }
+ 
+-- 
+1.8.5.3
+
diff --git a/0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch b/0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch
new file mode 100644
index 0000000..d0f2a55
--- /dev/null
+++ b/0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch
@@ -0,0 +1,27 @@
+From 22926e00fdfb838e9bb9c5b32b16b499cd2ee5f3 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Wed, 19 Feb 2014 15:34:34 +0100
+Subject: [PATCH 2/6] IPA: Don't fail if apply_subdomain_homedir returns ENOENT
+
+Reviewed-by: Pavel Reichl <preichl at redhat.com>
+(cherry picked from commit 26786da26706aeedbda4caea0383c143ed4e59dc)
+---
+ src/providers/ipa/ipa_subdomains_id.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index c15bdaa703835ab07a9b3b21d1304220a01eac10..637dd61f9f272eb4ac4ecb8368d2210801bb0373 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -550,7 +550,7 @@ ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq)
+     ret = apply_subdomain_homedir(state, state->user_dom,
+                                   state->ar->filter_type,
+                                   state->ar->filter_value);
+-    if (ret != EOK) {
++    if (ret != EOK && ret != ENOENT) {
+         DEBUG(SSSDBG_OP_FAILURE,
+               ("apply_subdomain_homedir failed: [%d]: [%s].\n",
+                ret, sss_strerror(ret)));
+-- 
+1.8.5.3
+
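Review bot: The new condition `if (ret != EOK && ret != ENOENT)` turns ENOENT into a silent success with nothing recording why that is acceptable; a reader of ipa_get_ad_acct_ad_part_done (whose body starts and ends outside the hunk) cannot tell whether the user entry simply was not cached yet or whether a home-directory override was missing. Add a comment above the check stating what ENOENT means here — presumably that apply_subdomain_homedir found no user entry to update, which is not an error at this point — e.g. `/* ENOENT: no cached user to update yet; the homedir is applied on a later lookup */`, with the exact reason confirmed against apply_subdomain_homedir. A trace-level DEBUG on the ENOENT path would also keep the skip diagnosable instead of indistinguishable from success.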
diff --git a/0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch b/0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch
new file mode 100644
index 0000000..81180fe
--- /dev/null
+++ b/0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch
@@ -0,0 +1,50 @@
+From 8ad066fb0ca6e543bd99b93bdd52866eddfceb12 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Mon, 3 Mar 2014 12:40:43 +0100
+Subject: [PATCH 3/6] ipa-server-mode: use lower-case user name for home dir
+
+In older IPA server versions where the AD users where looked up by
+winbind the user name component of the home directory path was always
+lower case.  This still holds for IPA clients as well. To avoid
+regression this patch makes the user name component lower case as well.
+
+Fixes https://fedorahosted.org/sssd/ticket/2263
+
+Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
+(cherry picked from commit 48b1db73639135dd4a15ee153f958c912836c621)
+---
+ src/providers/ipa/ipa_subdomains_id.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index 637dd61f9f272eb4ac4ecb8368d2210801bb0373..00993c496c1d100b37a780828c81492c2fac6157 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -358,6 +358,7 @@ get_subdomain_homedir_of_user(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+ {
+     errno_t ret;
+     char *name;
++    char *lc_name;
+     const char *homedir;
+     TALLOC_CTX *tmp_ctx;
+ 
+@@ -372,7 +373,15 @@ get_subdomain_homedir_of_user(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+         goto done;
+     }
+ 
+-    homedir = expand_homedir_template(tmp_ctx, dom->subdomain_homedir, name,
++    /* To be compatible with the old winbind based user lookups and IPA
++     * clients the user name in the home directory path will be lower-case. */
++    lc_name = sss_tc_utf8_str_tolower(tmp_ctx, name);
++    if (lc_name == NULL) {
++        ret =ENOMEM;
++        goto done;
++    }
++
++    homedir = expand_homedir_template(tmp_ctx, dom->subdomain_homedir, lc_name,
+                                       uid, NULL, dom->name, dom->flat_name);
+ 
+     if (homedir == NULL) {
+-- 
+1.8.5.3
+
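Review bot: The error path `ret =ENOMEM;` is missing the space after `=` and, unlike the other failure paths in get_subdomain_homedir_of_user, logs nothing, so an allocation failure in the new lower-casing step leaves no trace in the logs; write `ret = ENOMEM;` and add a DEBUG(SSSDBG_CRIT_FAILURE, ...) line matching the surrounding style. The new comment should also carry a one-line caveat that sss_tc_utf8_str_tolower lower-cases the name, so names differing only in case collapse onto the same home directory — acceptable only because AD user names are case-insensitive, and worth a TODO to confirm it matches the winbind behaviour being emulated. get_subdomain_homedir_of_user starts and ends outside the hunk.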
diff --git a/0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch b/0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch
new file mode 100644
index 0000000..946208c
--- /dev/null
+++ b/0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch
@@ -0,0 +1,101 @@
+From e9383f540242084b9c61161642c1a62304607be5 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Tue, 4 Mar 2014 13:48:36 +0100
+Subject: [PATCH 4/6] IPA: Do not save intermediate data to sysdb
+
+https://fedorahosted.org/sssd/ticket/2264
+
+Reviewed-by: Sumit Bose <sbose at redhat.com>
+---
+ src/providers/ipa/ipa_selinux.c | 68 ++++++++++++++++++++---------------------
+ 1 file changed, 34 insertions(+), 34 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
+index c227db937a84228c0f3945dbe11ba904c7ad9744..2209ca188654d8c79ee402ba71beeadab2904093 100644
+--- a/src/providers/ipa/ipa_selinux.c
++++ b/src/providers/ipa/ipa_selinux.c
+@@ -251,6 +251,40 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
+         goto fail;
+     }
+ 
++    ret = sysdb_transaction_start(sysdb);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to start transaction\n"));
++        goto fail;
++    }
++    in_transaction = true;
++
++    ret = sysdb_delete_usermaps(op_ctx->domain->sysdb, op_ctx->domain);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_CRIT_FAILURE,
++              ("Cannot delete existing maps from sysdb\n"));
++        goto fail;
++    }
++
++    ret = sysdb_store_selinux_config(sysdb, op_ctx->domain,
++                                     default_user, map_order);
++    if (ret != EOK) {
++        goto fail;
++    }
++
++    if (map_count > 0 && maps != NULL) {
++        ret = ipa_save_user_maps(sysdb, op_ctx->domain, map_count, maps);
++        if (ret != EOK) {
++            goto fail;
++        }
++    }
++
++    ret = sysdb_transaction_commit(sysdb);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_OP_FAILURE, ("Could not commit transaction\n"));
++        goto fail;
++    }
++    in_transaction = false;
++
+     /* Process the maps and return list of best matches (maps with
+      * highest priority). The input maps are also parent memory
+      * context for the output list of best matches. The best match
+@@ -279,40 +313,6 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
+         goto fail;
+     }
+ 
+-    ret = sysdb_transaction_start(sysdb);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to start transaction\n"));
+-        goto fail;
+-    }
+-    in_transaction = true;
+-
+-    ret = sysdb_delete_usermaps(op_ctx->domain->sysdb, op_ctx->domain);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              ("Cannot delete existing maps from sysdb\n"));
+-        goto fail;
+-    }
+-
+-    ret = sysdb_store_selinux_config(sysdb, op_ctx->domain,
+-                                     default_user, map_order);
+-    if (ret != EOK) {
+-        goto fail;
+-    }
+-
+-    if (map_count > 0 && maps != NULL) {
+-        ret = ipa_save_user_maps(sysdb, op_ctx->domain, map_count, maps);
+-        if (ret != EOK) {
+-            goto fail;
+-        }
+-    }
+-
+-    ret = sysdb_transaction_commit(sysdb);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_OP_FAILURE, ("Could not commit transaction\n"));
+-        goto fail;
+-    }
+-    in_transaction = false;
+-
+     /* If we got here in online mode, set last_update to current time */
+     if (!be_is_offline(be_ctx)) {
+         op_ctx->selinux_ctx->last_update = time(NULL);
+-- 
+1.8.5.3
+
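Review bot: After the relocated `sysdb_transaction_commit` succeeds, the cache already holds the new config and maps, yet the best-match processing that now follows can still `goto fail` before last_update is set, leaving a committed cache with no matching timestamp; that is presumably intended (the next request refetches), but a comment above the commit saying so would stop a later maintainer from "fixing" it. Two style points in the moved block: `sysdb_delete_usermaps(op_ctx->domain->sysdb, op_ctx->domain)` uses a different handle expression than the `sysdb` variable every other call uses, and the `sysdb_store_selinux_config` failure is the only one without a DEBUG message — use `sysdb` throughout and log that failure as the others do. The fail label and the rest of ipa_selinux_handler_done are outside the hunk.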
diff --git a/0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch b/0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch
new file mode 100644
index 0000000..12745d1
--- /dev/null
+++ b/0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch
@@ -0,0 +1,127 @@
+From 80e2cbb00c796a332cc5f13cfe17af9b040f8e57 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum at redhat.com>
+Date: Fri, 7 Mar 2014 12:21:11 -0500
+Subject: [PATCH 5/6] Fix krb5 changepw when FAST-only preauth methods are used
+ (like OTP)
+
+Before this patch, a different set of options was used when calling
+krb5_get_init_creds_password() for the changepw principal. Because
+this set of options did not contain the same FAST settings as the
+options for normal requests, all authentication would fail when the
+password of a FAST-only account would expire.
+
+The two sets approach was cargo-cult from kinit where multiple
+requests could be issued using the same options set. However, in the
+case of krb5_child, only one request (or occasionally a well-defined
+second request) will be issued. Two option sets are therefore not
+required.
+
+To fix this problem we removed the second option set used for changepw
+requests. All requests now use a single option set which is modified,
+if needed, for well-defined subsequent requests.
+
+Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
+Reviewed-by: Sumit Bose <sbose at redhat.com>
+---
+ src/providers/krb5/krb5_child.c | 40 ++++++----------------------------------
+ 1 file changed, 6 insertions(+), 34 deletions(-)
+
+diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
+index bd937e8081df4a5637a4267c356c1f9a08965b42..e9febe4756ca5b56f0b1c04d21d1fcf450315b8b 100644
+--- a/src/providers/krb5/krb5_child.c
++++ b/src/providers/krb5/krb5_child.c
+@@ -65,27 +65,14 @@ struct krb5_req {
+ static krb5_context krb5_error_ctx;
+ #define KRB5_CHILD_DEBUG(level, error) KRB5_DEBUG(level, krb5_error_ctx, error)
+ 
+-static krb5_error_code get_changepw_options(krb5_context ctx,
+-                                            krb5_get_init_creds_opt **_options)
++static void set_changepw_options(krb5_context ctx,
++                                 krb5_get_init_creds_opt *options)
+ {
+-    krb5_get_init_creds_opt *options;
+-    krb5_error_code kerr;
+-
+-    kerr = sss_krb5_get_init_creds_opt_alloc(ctx, &options);
+-    if (kerr != 0) {
+-        KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+-        return kerr;
+-    }
+-
+     sss_krb5_get_init_creds_opt_set_canonicalize(options, 0);
+     krb5_get_init_creds_opt_set_forwardable(options, 0);
+     krb5_get_init_creds_opt_set_proxiable(options, 0);
+     krb5_get_init_creds_opt_set_renew_life(options, 0);
+     krb5_get_init_creds_opt_set_tkt_life(options, 5*60);
+-
+-    *_options = options;
+-
+-    return 0;
+ }
+ 
+ static errno_t sss_send_pac(krb5_authdata **pac_authdata)
+@@ -1023,7 +1010,6 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
+     krb5_prompter_fct prompter = NULL;
+     const char *realm_name;
+     int realm_length;
+-    krb5_get_init_creds_opt *chagepw_options;
+     size_t msg_len;
+     uint8_t *msg;
+ 
+@@ -1041,12 +1027,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
+         prompter = sss_krb5_prompter;
+     }
+ 
+-    kerr = get_changepw_options(kr->ctx, &chagepw_options);
+-    if (kerr != 0) {
+-        DEBUG(SSSDBG_OP_FAILURE, ("get_changepw_options failed.\n"));
+-        return kerr;
+-    }
+-
++    set_changepw_options(kr->ctx, kr->options);
+     sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);
+ 
+     DEBUG(SSSDBG_TRACE_FUNC,
+@@ -1055,8 +1036,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
+                                         discard_const(password),
+                                         prompter, kr, 0,
+                                         SSSD_KRB5_CHANGEPW_PRINCIPAL,
+-                                        chagepw_options);
+-    sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options);
++                                        kr->options);
+     if (kerr != 0) {
+         ret = pack_user_info_chpass_error(kr->pd, "Old password not accepted.",
+                                           &msg_len, &msg);
+@@ -1164,7 +1144,6 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
+ 
+ static errno_t tgt_req_child(struct krb5_req *kr)
+ {
+-    krb5_get_init_creds_opt *chagepw_options;
+     const char *password = NULL;
+     krb5_error_code kerr;
+     int ret;
+@@ -1210,19 +1189,12 @@ static errno_t tgt_req_child(struct krb5_req *kr)
+         DEBUG(1, ("Failed to unset expire callback, continue ...\n"));
+     }
+ 
+-    kerr = get_changepw_options(kr->ctx, &chagepw_options);
+-    if (kerr != 0) {
+-        DEBUG(SSSDBG_OP_FAILURE, ("get_changepw_options failed.\n"));
+-        return kerr;
+-    }
+-
++    set_changepw_options(kr->ctx, kr->options);
+     kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
+                                         discard_const(password),
+                                         sss_krb5_prompter, kr, 0,
+                                         SSSD_KRB5_CHANGEPW_PRINCIPAL,
+-                                        chagepw_options);
+-
+-    sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options);
++                                        kr->options);
+ 
+     krb5_free_cred_contents(kr->ctx, kr->creds);
+     if (kerr == 0) {
+-- 
+1.8.5.3
+
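Review bot: `set_changepw_options(kr->ctx, kr->options)` now rewrites the request's only option set in place — non-forwardable, non-proxiable, no renew life, a 5-minute ticket life and canonicalize off — and nothing in the hunk restores the previous values afterwards. The commit message says the set "is modified, if needed, for well-defined subsequent requests", so if changepw_child goes on to obtain a real TGT with kr->options after a successful password change (that part of the function is outside the hunk), that TGT would inherit the 5-minute lifetime and non-forwardable/non-proxiable flags the user's configuration did not ask for; re-apply the regular lifetime, forwardable/proxiable and canonicalize settings before any follow-up TGT request, or document on set_changepw_options that callers must not reuse kr->options for a TGT afterwards. A header comment on set_changepw_options stating that it mutates the caller's options and why each value is lowered (the changepw ticket is short-lived and must not be delegable) would make that contract explicit, e.g. `/* Tighten the shared options for the kadmin/changepw request: short-lived, non-delegable ticket. Mutates 'options' in place; reset before reusing them for a TGT. */`.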
diff --git a/0006-IPA-Use-GC-for-AD-initgroup-requests.patch b/0006-IPA-Use-GC-for-AD-initgroup-requests.patch
new file mode 100644
index 0000000..6407cc0
--- /dev/null
+++ b/0006-IPA-Use-GC-for-AD-initgroup-requests.patch
@@ -0,0 +1,46 @@
+From f87c0437c9c94a7f447688c0152220ad51dc3a0e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Thu, 6 Mar 2014 15:37:57 +0100
+Subject: [PATCH 6/6] IPA: Use GC for AD initgroup requests
+
+Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
+---
+ src/providers/ipa/ipa_subdomains_id.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index 00993c496c1d100b37a780828c81492c2fac6157..978ccc261d7525662e835b867044b6a5238a29df 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -307,13 +307,22 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
+     /* Currently only LDAP port for AD is used because POSIX
+      * attributes are not replicated to GC by default
+      */
+-    clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
+-    if (clist == NULL) {
+-        ret = ENOMEM;
+-        goto fail;
++
++    if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
++        clist = ad_gc_conn_list(req, ad_id_ctx, state->user_dom);
++        if (clist == NULL) {
++            ret = ENOMEM;
++            goto fail;
++        }
++    } else {
++        clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
++        if (clist == NULL) {
++            ret = ENOMEM;
++            goto fail;
++        }
++        clist[0] = ad_id_ctx->ldap_ctx;
++        clist[1] = NULL;
+     }
+-    clist[0] = ad_id_ctx->ldap_ctx;
+-    clist[1] = NULL;
+ 
+     /* Now we already need ad_id_ctx in particular sdap_id_conn_ctx */
+     sdom = sdap_domain_get(sdap_id_ctx->opts, state->user_dom);
+-- 
+1.8.5.3
+
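Review bot: The comment kept above the new branch, `/* Currently only LDAP port for AD is used because POSIX attributes are not replicated to GC by default */`, is now wrong for the initgroups case, which takes `ad_gc_conn_list` instead; rewrite it along the lines of `/* initgroups goes through the GC (group membership is available there); other lookups use the LDAP port because POSIX attributes are not replicated to the GC by default. */`. Whether ad_gc_conn_list falls back to the LDAP port when the GC lacks the needed attributes is not visible here and is worth stating in the comment once confirmed. Also, a NULL from ad_gc_conn_list is reported as ENOMEM; if that helper can return NULL for reasons other than allocation failure (e.g. no GC configured), the error code would mislead. ipa_get_ad_acct_send starts and ends outside the hunk.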
diff --git a/sssd.spec b/sssd.spec
index 13e022f..cfd434a 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -14,7 +14,7 @@
 
 Name: sssd
 Version: 1.11.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -23,6 +23,13 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 ### Patches ###
+Patch0001: 0001-IPA-Don-t-call-tevent_req_post-outside-_send.patch
+Patch0002: 0002-IPA-Don-t-fail-if-apply_subdomain_homedir-returns-EN.patch
+Patch0003: 0003-ipa-server-mode-use-lower-case-user-name-for-home-di.patch
+Patch0004: 0004-IPA-Do-not-save-intermediate-data-to-sysdb.patch
+Patch0005: 0005-Fix-krb5-changepw-when-FAST-only-preauth-methods-are.patch
+Patch0006: 0006-IPA-Use-GC-for-AD-initgroup-requests.patch
+
 Patch0602:  0602-FEDORA-Add-CIFS-idmap-plugin.patch
 
 ### Dependencies ###
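Review bot: The six new `Patch000N:` lines are only declarations; whether they are applied depends on the `%prep` section, which is outside this hunk. If %prep applies patches individually (`%patch0602 -p1`) rather than looping over `%patches`, matching `%patch0001 -p1` … `%patch0006 -p1` lines are needed, otherwise the build succeeds but ships without these fixes. Worth confirming before the build.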
@@ -730,6 +737,9 @@ fi
 %postun -n libsss_idmap -p /sbin/ldconfig
 
 %changelog
+* Mon Mar 11 2014 Jakub Hrozek <jhrozek at redhat.com> - 1.11.4-2
+- Include couple of patches from upstream 1.11 branch
+
 * Mon Feb 17 2014 Jakub Hrozek <jhrozek at redhat.com> - 1.11.4-1
 - New upstream release 1.11.4
 - Remove upstreamed patch

