[sssd] Backport several patches from upstream.
Jakub Hrozek
jhrozek at fedoraproject.org
Wed Oct 22 11:14:14 UTC 2014
commit 3161db3512c4ceb4f1afc24256496fef75f54ba3
Author: Jakub Hrozek <jhrozek at redhat.com>
Date: Wed Oct 22 13:09:58 2014 +0200
Backport several patches from upstream.
- Fix a potential crash against old (pre-4.0) IPA servers
...ues-with-older-servers-not-supporting-vie.patch | 97 ++++++++++++++++++++
...rove-error-reporting-for-extdom-LDAP-exop.patch | 48 ++++++++++
...ins_handler_master_done-initialize-reply_.patch | 31 ++++++
...PA-Handle-NULL-members-in-process_members.patch | 40 ++++++++
sssd.spec | 10 ++-
5 files changed, 225 insertions(+), 1 deletions(-)
---
diff --git a/0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch b/0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch
new file mode 100644
index 0000000..e17af0b
--- /dev/null
+++ b/0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch
@@ -0,0 +1,97 @@
+From c61100799c7d8e46c82a862eca3f543a4320490c Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Wed, 22 Oct 2014 10:03:09 +0200
+Subject: [PATCH 1/4] ipa: fix issues with older servers not supporting views
+
+Older FreeIPA servers which do not know about the ipaAssignedIDView
+attribute will return an error during the LDAP dereference request
+because SSSD marks LDAP extensions as critical. In this case we keep the
+view name empty and skip override lookups.
+
+Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
+---
+ src/providers/ipa/ipa_subdomains.c | 14 +++++++++++++-
+ src/providers/ipa/ipa_subdomains_id.c | 4 +++-
+ src/providers/ipa/ipa_views.c | 17 ++++++++++++-----
+ 3 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
+index bedc0f1a50e8a35ea65de45247b1814c9abc0bcd..eb172fdfc05ac4e482174f01d89ad28db1498fc1 100644
+--- a/src/providers/ipa/ipa_subdomains.c
++++ b/src/providers/ipa/ipa_subdomains.c
+@@ -1002,7 +1002,19 @@ static void ipa_get_view_name_done(struct tevent_req *req)
+ ret = sdap_deref_search_with_filter_recv(req, ctx, &reply_count, &reply);
+ talloc_zfree(req);
+ if (ret != EOK) {
+- DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
++ if (ret == EOPNOTSUPP) {
++ DEBUG(SSSDBG_TRACE_FUNC, "get_view_name request failed, looks " \
++ "like server does not support views.\n");
++ ret = ipa_check_master(ctx);
++ if (ret == EAGAIN) {
++ return;
++ } else if (ret != EOK) {
++ goto done;
++ }
++
++ } else {
++ DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
++ }
+ goto done;
+ }
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index 36f8b239249e5f0146610cfab148be20c39c66c2..b67006ce6e0b4bf9c794016c1dfc923ac6da3624 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -106,11 +106,13 @@ struct tevent_req *ipa_subdomain_account_send(TALLOC_CTX *memctx,
+ * have to check first if the request matches an override in the given
+ * view. But there are cases where this can be skipped and the AD object
+ * can be searched directly:
++ * - if no view is defined, i.e. the server does not supprt views yet
+ * - searches by SID: because we do not override the SID
+ * - if the responder does not send the EXTRA_INPUT_MAYBE_WITH_VIEW flags,
+ * because in this case the entry was found in the cache and the
+ * original value is used for the search (e.g. during cache updates) */
+- if (state->ar->filter_type == BE_FILTER_SECID
++ if (state->ipa_ctx->view_name == NULL
++ || state->ar->filter_type == BE_FILTER_SECID
+ || (!state->ipa_server_mode
+ && state->ar->extra_value != NULL
+ && strcmp(state->ar->extra_value,
+diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c
+index 33dbf7b1c17f188924ee7b50a77ab699f03392be..2eb77216ab9759d8b1d66fbdf0b2e90cd07a4604 100644
+--- a/src/providers/ipa/ipa_views.c
++++ b/src/providers/ipa/ipa_views.c
+@@ -208,16 +208,23 @@ struct tevent_req *ipa_get_ad_override_send(TALLOC_CTX *mem_ctx,
+ state->sdap_id_ctx = sdap_id_ctx;
+ state->ipa_options = ipa_options;
+ state->ipa_realm = ipa_realm;
+- if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
+- state->ipa_view_name = IPA_DEFAULT_VIEW_NAME;
+- } else {
+- state->ipa_view_name = view_name;
+- }
+ state->ar = ar;
+ state->dp_error = -1;
+ state->override_attrs = NULL;
+ state->filter = NULL;
+
++ if (view_name == NULL) {
++ DEBUG(SSSDBG_TRACE_ALL, "View not defined, nothing to do.\n");
++ ret = EOK;
++ goto done;
++ }
++
++ if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
++ state->ipa_view_name = IPA_DEFAULT_VIEW_NAME;
++ } else {
++ state->ipa_view_name = view_name;
++ }
++
+ state->sdap_op = sdap_id_op_create(state,
+ state->sdap_id_ctx->conn->conn_cache);
+ if (state->sdap_op == NULL) {
+--
+1.9.3
+
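Review bot: The new comment line in the ipa_subdomains_id.c hunk, `* - if no view is defined, i.e. the server does not supprt views yet`, has a typo and should read `* - if no view is defined, i.e. the server does not support views yet`. In the ipa_subdomains.c hunk the EOPNOTSUPP branch has a stray blank line before `} else {` that the surrounding code does not use, and after ipa_check_master() returns EOK it falls through to the shared `goto done;` with ret == EOK, so the request is completed as a success rather than an error; a one-line comment such as `/* server has no views: leave view_name unset and skip override lookups */` would make that intent visible, since the fallthrough into an error-path goto is easy to misread. ipa_get_view_name_done and ipa_get_ad_override_send both start before their hunks and their `done:` labels lie outside them, so whether the early `ret = EOK; goto done;` in ipa_views.c posts the request correctly cannot be confirmed here.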
diff --git a/0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch b/0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch
new file mode 100644
index 0000000..9c80ef5
--- /dev/null
+++ b/0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch
@@ -0,0 +1,48 @@
+From 2e39a7b8c58ed6cc6077bef490482dbbd1ed81ac Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Mon, 20 Oct 2014 17:09:34 +0200
+Subject: [PATCH 2/4] ipa: improve error reporting for extdom LDAP exop
+
+This patch fixes a typo when calling ldap_parse_result() which prevented
+the server-side error message to be used and adds a hint that more
+information might be available on the server side.
+
+Fixes: https://fedorahosted.org/sssd/ticket/2456
+
+Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
+---
+ src/providers/ipa/ipa_s2n_exop.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index 96528816a520b633f1f1caa975dee9b9515621c3..bd5c00b6a48018f8f904aaa03e8162425651b37a 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -133,7 +133,7 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
+ }
+
+ ret = ldap_parse_result(state->sh->ldap, reply->msg,
+- &result, &errmsg, NULL, NULL,
++ &result, NULL, &errmsg, NULL,
+ NULL, 0);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldap_parse_result failed (%d)\n",
+@@ -142,10 +142,13 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
+ goto done;
+ }
+
+- DEBUG(SSSDBG_TRACE_FUNC, "ldap_extended_operation result: %s(%d), %s\n",
+- sss_ldap_err2string(result), result, errmsg);
++ DEBUG(result == LDAP_SUCCESS ? SSSDBG_TRACE_FUNC : SSSDBG_OP_FAILURE,
++ "ldap_extended_operation result: %s(%d), %s.\n",
++ sss_ldap_err2string(result), result, errmsg);
+
+ if (result != LDAP_SUCCESS) {
++ DEBUG(SSSDBG_OP_FAILURE, "ldap_extended_operation failed, " \
++ "server logs might contain more details.\n");
+ ret = ERR_NETWORK_IO;
+ goto done;
+ }
+--
+1.9.3
+
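Review bot: With the argument order fixed, `errmsg` at the `ldap_extended_operation result` DEBUG can now be NULL when the server returns no diagnostic message (ldap_parse_result() does not guarantee a non-NULL string), and passing NULL to `%s` is undefined behavior even though glibc happens to print `(null)`; the argument should be `errmsg == NULL ? "" : errmsg`. The string now lands in errmsg instead of the matched-DN slot and is allocated by libldap, so confirm the cleanup at `done:` (outside this hunk) still releases it with ldap_memfree(). ipa_s2n_exop_done starts before the hunk.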
diff --git a/0003-ipa_subdomains_handler_master_done-initialize-reply_.patch b/0003-ipa_subdomains_handler_master_done-initialize-reply_.patch
new file mode 100644
index 0000000..c3fc6e0
--- /dev/null
+++ b/0003-ipa_subdomains_handler_master_done-initialize-reply_.patch
@@ -0,0 +1,31 @@
+From 13262a18f804638b40213a865e0a72e33123ccf1 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose at redhat.com>
+Date: Tue, 14 Oct 2014 16:52:04 +0200
+Subject: [PATCH 3/4] ipa_subdomains_handler_master_done: initialize
+ reply_count
+
+This patch should mainly silence a false-positive Coverity warning but
+since further processing depends on this variable I think it is a good
+idea anyways.
+
+Reviewed-by: Pavel Reichl <preichl at redhat.com>
+---
+ src/providers/ipa/ipa_subdomains.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
+index eb172fdfc05ac4e482174f01d89ad28db1498fc1..c61c1c666908ec23f8a92e5568222e55ec47be0a 100644
+--- a/src/providers/ipa/ipa_subdomains.c
++++ b/src/providers/ipa/ipa_subdomains.c
+@@ -1276,7 +1276,7 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
+ {
+ errno_t ret;
+ int dp_error = DP_ERR_FATAL;
+- size_t reply_count;
++ size_t reply_count = 0;
+ struct sysdb_attrs **reply = NULL;
+ struct ipa_subdomains_req_ctx *ctx;
+
+--
+1.9.3
+
diff --git a/0004-IPA-Handle-NULL-members-in-process_members.patch b/0004-IPA-Handle-NULL-members-in-process_members.patch
new file mode 100644
index 0000000..1ab81b9
--- /dev/null
+++ b/0004-IPA-Handle-NULL-members-in-process_members.patch
@@ -0,0 +1,40 @@
+From 7bdd47bfbb558d948dd2afce0ae53d22046067ef Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Tue, 14 Oct 2014 14:15:25 +0200
+Subject: [PATCH 4/4] IPA: Handle NULL members in process_members()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
+---
+ src/providers/ipa/ipa_s2n_exop.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index bd5c00b6a48018f8f904aaa03e8162425651b37a..2c31120b196353df52c87ef5b924a80bda134a17 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -1196,6 +1196,11 @@ static errno_t process_members(struct sss_domain_info *domain,
+ struct sss_domain_info *obj_domain;
+ struct sss_domain_info *parent_domain;
+
++ if (members == NULL) {
++ DEBUG(SSSDBG_TRACE_INTERNAL, "No members\n");
++ return EOK;
++ }
++
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+@@ -1731,6 +1736,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+ goto done;
+ }
+ }
++ DEBUG(SSSDBG_TRACE_FUNC, "Processing group %s\n", name);
+
+ ret = sysdb_attrs_add_lc_name_alias(attrs->sysdb_attrs, name);
+ if (ret != EOK) {
+--
+1.9.3
+
diff --git a/sssd.spec b/sssd.spec
index fa8af76..6b3c964 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -20,7 +20,7 @@
Name: sssd
Version: 1.12.2
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -29,6 +29,10 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
+Patch0001: 0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch
+Patch0002: 0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch
+Patch0003: 0003-ipa_subdomains_handler_master_done-initialize-reply_.patch
+Patch0004: 0004-IPA-Handle-NULL-members-in-process_members.patch
### Dependencies ###
Requires: sssd-common = %{version}-%{release}
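Review bot: The four `PatchNNNN:` tags only declare the files; unless %prep applies every listed patch generically (the %prep section is not in this diff), each needs a matching `%patch0001 -p1` line or the package builds unpatched while the changelog claims the fix. Worth confirming against the existing %prep before the build is submitted.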
@@ -845,6 +849,10 @@ fi
%postun -n libsss_idmap -p /sbin/ldconfig
%changelog
+* Wed Oct 22 2014 Jakub Hrozek <jhrozek at redhat.com> - 1.12.2-2
+- Backport several patches from upstream.
+- Fix a potential crash against old (pre-4.0) IPA servers
+
* Mon Oct 20 2014 Jakub Hrozek <jhrozek at redhat.com> - 1.12.2-1
- New upstream release 1.12.2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2