[freeipa] Unblock rawhide

abbra abbra at fedoraproject.org
Mon Jan 19 09:23:47 UTC 2015


commit c504f905a4758a8c4fef43f9943d856bec0584ed
Author: Alexander Bokovoy <abokovoy at redhat.com>
Date:   Mon Jan 19 11:22:49 2015 +0200

    Unblock rawhide
    
    - Support Samba PASSDB 0.2.0 with libsamba-passdb
    - Fix marshalling of NETLOGON responses over CLDAP
    - Use python-dateutil15 instead of python-dateutil 2.x until we validate
      the new version

 ...mba-PASSDB-0.2.0-aka-interface-version-24.patch |  112 ++++++++++++++++++++
 ...port-NETLOGON_NT_VERSION_5EX_WITH_IP-pr-1.patch |   74 +++++++++++++
 freeipa.spec                                       |    8 ++-
 3 files changed, 193 insertions(+), 1 deletions(-)
---
diff --git a/0001-Support-Samba-PASSDB-0.2.0-aka-interface-version-24.patch b/0001-Support-Samba-PASSDB-0.2.0-aka-interface-version-24.patch
new file mode 100644
index 0000000..f82ca6c
--- /dev/null
+++ b/0001-Support-Samba-PASSDB-0.2.0-aka-interface-version-24.patch
@@ -0,0 +1,112 @@
+From 8f9a26e11b8a7f023de85cf4069f7ab72b2c92f7 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy at redhat.com>
+Date: Mon, 12 Jan 2015 13:36:36 +0200
+Subject: [PATCH] Support Samba PASSDB 0.2.0 aka interface version 24
+
+1. Samba project renamed libpdb to libsamba-passdb
+   https://bugzilla.samba.org/show_bug.cgi?id=10355
+
+2. With interface version 24, Samba removed uid_to_sid()/gid_to_sid()
+   from the PASSDB interface and united them as id_to_sid().
+
+Make sure FreeIPA ipa_sam code supports new and old versions of
+the PASSDB API.
+
+https://fedorahosted.org/freeipa/ticket/4778
+---
+ daemons/configure.ac        | 20 ++++++++++++++++----
+ daemons/ipa-sam/Makefile.am |  3 ++-
+ daemons/ipa-sam/ipa_sam.c   | 21 +++++++++++++++++++++
+ 3 files changed, 39 insertions(+), 5 deletions(-)
+
+diff --git a/daemons/configure.ac b/daemons/configure.ac
+index e81aa60..a62897e 100644
+--- a/daemons/configure.ac
++++ b/daemons/configure.ac
+@@ -170,12 +170,24 @@ PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
+ SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
+ AC_SUBST(SAMBA40EXTRA_LIBPATH)
+ 
+-AC_CHECK_LIB([pdb],
++LIBPDB_NAME=""
++AC_CHECK_LIB([samba-passdb],
+              [make_pdb_method],
+-             [HAVE_LIBPDB=1],
+-             [AC_MSG_ERROR([libpdb does not have make_pdb_method])],
++             [LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1],
++             [LIBPDB_NAME="pdb"],
+              [$SAMBA40EXTRA_LIBPATH])
+-AC_CHECK_LIB([pdb],[pdb_enum_upn_suffixes],
++
++if test "x$LIB_PDB_NAME" = "xpdb" ; then
++  AC_CHECK_LIB([$LIBPDB_NAME],
++               [make_pdb_method],
++               [HAVE_LIBPDB=1],
++               [AC_MSG_ERROR([Neither libpdb nor libsamba-passdb does have make_pdb_method])],
++               [$SAMBA40EXTRA_LIBPATH])
++fi
++
++AC_SUBST(LIBPDB_NAME)
++
++AC_CHECK_LIB([$LIBPDB_NAME],[pdb_enum_upn_suffixes],
+              [AC_DEFINE([HAVE_PDB_ENUM_UPN_SUFFIXES], [1], [Ability to enumerate UPN suffixes])],
+              [AC_MSG_WARN([libpdb does not have pdb_enum_upn_suffixes, no support for realm domains in ipasam])],
+              [$SAMBA40EXTRA_LIBPATH])
+diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
+index d55a187..46c813a 100644
+--- a/daemons/ipa-sam/Makefile.am
++++ b/daemons/ipa-sam/Makefile.am
+@@ -1,7 +1,8 @@
+ NULL =
++LIBPDB_NAME = @LIBPDB_NAME@
+ SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH)	\
+ 			-lsmbldap		\
+-			-lpdb			\
++			-l$(LIBPDB_NAME)			\
+ 			-lsmbconf		\
+ 			$(NULL)
+ 
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index e711299..07249fd 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -1007,6 +1007,22 @@ done:
+ 	return ret;
+ }
+ 
++#if PASSDB_INTERFACE_VERSION >= 24
++/* Since version 24, uid_to_sid() and gid_to_sid() were removed in favor of id_to_sid() */
++static bool ipasam_id_to_sid(struct pdb_methods *methods, struct unixid *id, struct dom_sid *sid)
++{
++	bool result = false;
++
++	if (id->type != ID_TYPE_GID) {
++		result = ldapsam_uid_to_sid(methods, id->id, sid);
++	}
++	if (!result && id->type != ID_TYPE_UID) {
++		result = ldapsam_gid_to_sid(methods, id->id, sid);
++	}
++
++	return result;
++}
++#endif
+ 
+ static char *get_ldap_filter(TALLOC_CTX *mem_ctx, const char *username)
+ {
+@@ -4579,8 +4595,13 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
+ 	(*pdb_method)->search_aliases = ldapsam_search_aliases;
+ 	(*pdb_method)->lookup_rids = ldapsam_lookup_rids;
+ 	(*pdb_method)->sid_to_id = ldapsam_sid_to_id;
++#if PASSDB_INTERFACE_VERSION >= 24
++/* Since version 24, uid_to_sid() and gid_to_sid() were removed in favor of id_to_sid() */
++	(*pdb_method)->id_to_sid = ipasam_id_to_sid;
++#else
+ 	(*pdb_method)->uid_to_sid = ldapsam_uid_to_sid;
+ 	(*pdb_method)->gid_to_sid = ldapsam_gid_to_sid;
++#endif
+ 
+ 	(*pdb_method)->capabilities = pdb_ipasam_capabilities;
+ 	(*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;
+-- 
+2.1.0
+
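Review bot: The fallback branch in the configure.ac hunk tests `$LIB_PDB_NAME`, but the variable assigned a few lines earlier is `LIBPDB_NAME`, so `if test "x$LIB_PDB_NAME" = "xpdb" ; then` is never true, the old-libpdb probe with its AC_MSG_ERROR never runs, and when libsamba-passdb is absent HAVE_LIBPDB stays unset while LIBPDB_NAME silently defaults to `pdb` (the later pdb_enum_upn_suffixes probe only warns, so configure succeeds and the failure surfaces at link time instead). The line should read `if test "x$LIBPDB_NAME" = "xpdb" ; then`. The warning on the pdb_enum_upn_suffixes probe also still names `libpdb` unconditionally; `AC_MSG_WARN([lib$LIBPDB_NAME does not have pdb_enum_upn_suffixes, no support for realm domains in ipasam])` keeps the message accurate for both library names.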
diff --git a/0002-ipa-cldap-support-NETLOGON_NT_VERSION_5EX_WITH_IP-pr-1.patch b/0002-ipa-cldap-support-NETLOGON_NT_VERSION_5EX_WITH_IP-pr-1.patch
new file mode 100644
index 0000000..e05a2eb
--- /dev/null
+++ b/0002-ipa-cldap-support-NETLOGON_NT_VERSION_5EX_WITH_IP-pr-1.patch
@@ -0,0 +1,74 @@
+From f21579f3ce38656e6fb9ffeb1d14c28967d202cf Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy at redhat.com>
+Date: Thu, 15 Jan 2015 13:11:01 +0200
+Subject: [PATCH 2/3] ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP
+ properly
+
+According to MS-ADTS 6.3.3.2, "Domain Controller Response to an LDAP Ping",
+if NETLOGON_NT_VERSION_5EX_WITH_IP is requested in NtVer, we should fill the
+socket address of the server and set the NtVer of the response accordingly.
+
+The behavior is a bit unclear from 6.3.3.2 but Samba expects LDAP ping to behave
+the same way as a mailslot ping, described in 6.3.5, where socket address of the
+server is included only if _WITH_IP variant was requested in NtVer.  If NtVer
+only contains NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket
+address should not be filled in.
+
+Additionally, this means we should use special variant of
+ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX helper named
+ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags to properly handle optional
+existence of the socket address in the response.
+
+https://fedorahosted.org/freeipa/ticket/4827
+---
+ .../ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c  | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+index 1d16de7..5863f66 100644
+--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+@@ -154,7 +154,7 @@ char *make_netbios_name(TALLOC_CTX *mem_ctx, const char *s)
+ }
+ 
+ #define NETLOGON_SAM_LOGON_RESPONSE_EX_pusher \
+-            (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX
++            (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags
+ 
+ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
+                                      char *guid, char *sid, char *name,
+@@ -170,7 +170,7 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
+         return ENOMEM;
+     }
+ 
+-    if (!(ntver & NETLOGON_NT_VERSION_5EX)) {
++    if (!(ntver & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP))) {
+         ret = EINVAL;
+         goto done;
+     }
+@@ -197,12 +197,17 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
+     nlr->server_site = "Default-First-Site-Name";
+     nlr->client_site = "Default-First-Site-Name";
+     /* nlr->sockaddr_size (filled in by ndr_push) */
+-    nlr->sockaddr.sockaddr_family = 2;
+-    nlr->sockaddr.pdc_ip = "127.0.0.1";
+-    nlr->sockaddr.remaining.length = 8;
+-    nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8);
+-    /* nlr->next_closest_site */
++
+     nlr->nt_version = NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_1;
++    if (ntver & NETLOGON_NT_VERSION_5EX_WITH_IP) {
++        nlr->nt_version |= NETLOGON_NT_VERSION_5EX_WITH_IP;
++        nlr->sockaddr.sockaddr_family = 2;
++        nlr->sockaddr.pdc_ip = "127.0.0.1";
++        nlr->sockaddr.remaining.length = 8;
++        nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8);
++    }
++
++    /* nlr->next_closest_site */
+     nlr->lmnt_token = 0xFFFF;
+     nlr->lm20_token = 0xFFFF;
+ 
+-- 
+2.1.0
+
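Review bot: Now that the `_WITH_IP` bit is echoed back in `nlr->nt_version`, the response explicitly advertises `nlr->sockaddr.pdc_ip = "127.0.0.1"` as the domain controller's address, whereas before the bit was never set and the value was not presented as authoritative; a client that honours the advertised address would be pointed at its own loopback. Either fill in the server's real address here or add a comment such as `/* placeholder: clients are expected to resolve the DC by name, not by this address */` if the loopback value is intentional. `nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8);` is also left unchecked although the function already has an ENOMEM path, so `if (nlr->sockaddr.remaining.data == NULL) { ret = ENOMEM; goto done; }` fits the existing style. ipa_cldap_encode_netlogon starts and ends outside the hunk.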
diff --git a/freeipa.spec b/freeipa.spec
index a85d39b..196d4ee 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -32,6 +32,8 @@ Group:          System Environment/Base
 License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
+Patch0:         0001-Support-Samba-PASSDB-0.2.0-aka-interface-version-24.patch
+Patch1:         0002-ipa-cldap-support-NETLOGON_NT_VERSION_5EX_WITH_IP-pr-1.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
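Review bot: `Patch0:` and `Patch1:` are declared, but this commit adds no corresponding `%patch0 -p1` / `%patch1 -p1` lines (the spec's diffstat shows seven insertions, all visible in this diff), so unless `%prep` already applies patches generically, the two patches are never applied and the build this commit is meant to unblock still fails. `%prep` lies outside the hunk; please confirm it applies both patches.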
@@ -293,7 +295,7 @@ Requires: python-netaddr
 Requires: libipa_hbac-python
 Requires: python-qrcode-core >= 5.0.0
 Requires: python-pyasn1
-Requires: python-dateutil
+Requires: python-dateutil15
 Requires: python-yubico
 
 Conflicts: %{alt_name}-python
@@ -930,6 +932,10 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Mon Jan 19 2014 Alexander Bokovoy <abokovoy at redhat.com> - 4.1.2-2
+- Fix broken build after Samba ABI change and rename of libpdb to libsamba-passdb
+- Use python-dateutil15 until we validate python-dateutil 2.x
+
 * Tue Nov 25 2014 Petr Vobornik <pvoborni at redhat.com> - 4.1.2-1
 - Update to upstream 4.1.2 - see http://www.freeipa.org/page/Releases/4.1.2
 - fix CVE-2014-7850
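Review bot: The new changelog entry is dated `Mon Jan 19 2014`, which does not match the commit date (19 Jan 2014 was a Sunday, so rpmbuild reports it as a bogus date) and sorts before the Nov 25 2014 entry below it; it should read `* Mon Jan 19 2015 Alexander Bokovoy <abokovoy at redhat.com> - 4.1.2-2`. The entry also claims release 4.1.2-2 while this commit changes no `Release:` line (its only deletion is the python-dateutil requirement), so check that the release is bumped or derived elsewhere.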

