|
 |
d6181b |
From e7e212b49bbd357129aab410cbbd5c7b1b0965a2 Mon Sep 17 00:00:00 2001
|
|
|
d6181b |
From: Sumit Bose <sbose@redhat.com>
|
|
|
d6181b |
Date: Mon, 24 Jun 2019 14:01:02 +0200
|
|
|
d6181b |
Subject: [PATCH] negcache: add fq-usernames of know domains to all UPN
|
|
|
d6181b |
neg-caches
|
|
|
d6181b |
|
|
|
d6181b |
The previous patch for this issue did not handle user with
|
|
|
d6181b |
fully-qualified names from known domains correctly. Here the user was
|
|
|
d6181b |
only added to the negative cache of the known domain but not to the
|
|
|
d6181b |
negative UPN caches for all domains. This patch fixes this.
|
|
|
d6181b |
|
|
|
d6181b |
Related to https://pagure.io/SSSD/sssd/issue/3978
|
|
|
d6181b |
|
|
|
d6181b |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
d6181b |
---
|
|
|
d6181b |
src/responder/common/negcache.c | 54 ++++++++++++++++----------------
|
|
|
d6181b |
src/tests/cmocka/test_negcache.c | 17 +++++++++-
|
|
|
d6181b |
2 files changed, 43 insertions(+), 28 deletions(-)
|
|
|
d6181b |
|
|
|
d6181b |
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
|
|
|
d6181b |
index d6f72d816..d9bf1417e 100644
|
|
|
d6181b |
--- a/src/responder/common/negcache.c
|
|
|
d6181b |
+++ b/src/responder/common/negcache.c
|
|
|
d6181b |
@@ -1070,37 +1070,37 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
|
|
|
d6181b |
continue;
|
|
|
d6181b |
}
|
|
|
d6181b |
if (domainname) {
|
|
|
d6181b |
- dom = responder_get_domain(rctx, domainname);
|
|
|
d6181b |
- if (!dom) {
|
|
|
d6181b |
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
d6181b |
- "Unknown domain name [%s], assuming [%s] is UPN\n",
|
|
|
d6181b |
- domainname, filter_list[i]);
|
|
|
d6181b |
- for (dom = domain_list;
|
|
|
d6181b |
- dom != NULL;
|
|
|
d6181b |
- dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
|
|
|
d6181b |
- ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
|
|
|
d6181b |
- if (ret != EOK) {
|
|
|
d6181b |
- DEBUG(SSSDBG_OP_FAILURE,
|
|
|
d6181b |
- "sss_ncache_set_upn failed (%d [%s]), ignored\n",
|
|
|
d6181b |
- ret, sss_strerror(ret));
|
|
|
d6181b |
- }
|
|
|
d6181b |
+ DEBUG(SSSDBG_TRACE_ALL,
|
|
|
d6181b |
+ "Adding [%s] to UPN negative cache of all domains.\n",
|
|
|
d6181b |
+ filter_list[i]);
|
|
|
d6181b |
+ for (dom = domain_list;
|
|
|
d6181b |
+ dom != NULL;
|
|
|
d6181b |
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
|
|
|
d6181b |
+ ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
|
|
|
d6181b |
+ if (ret != EOK) {
|
|
|
d6181b |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
d6181b |
+ "sss_ncache_set_upn failed (%d [%s]), ignored\n",
|
|
|
d6181b |
+ ret, sss_strerror(ret));
|
|
|
d6181b |
}
|
|
|
d6181b |
- continue;
|
|
|
d6181b |
}
|
|
|
d6181b |
|
|
|
d6181b |
- fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
|
|
|
d6181b |
- if (fqname == NULL) {
|
|
|
d6181b |
- continue;
|
|
|
d6181b |
- }
|
|
|
d6181b |
+ /* Add name to domain specific cache for known domain names */
|
|
|
d6181b |
+ dom = responder_get_domain(rctx, domainname);
|
|
|
d6181b |
+ if (dom != NULL) {
|
|
|
d6181b |
+ fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
|
|
|
d6181b |
+ if (fqname == NULL) {
|
|
|
d6181b |
+ continue;
|
|
|
d6181b |
+ }
|
|
|
d6181b |
|
|
|
d6181b |
- ret = sss_ncache_set_user(ncache, true, dom, fqname);
|
|
|
d6181b |
- talloc_zfree(fqname);
|
|
|
d6181b |
- if (ret != EOK) {
|
|
|
d6181b |
- DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
d6181b |
- "Failed to store permanent user filter for [%s]"
|
|
|
d6181b |
- " (%d [%s])\n", filter_list[i],
|
|
|
d6181b |
- ret, strerror(ret));
|
|
|
d6181b |
- continue;
|
|
|
d6181b |
+ ret = sss_ncache_set_user(ncache, true, dom, fqname);
|
|
|
d6181b |
+ talloc_zfree(fqname);
|
|
|
d6181b |
+ if (ret != EOK) {
|
|
|
d6181b |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
d6181b |
+ "Failed to store permanent user filter for [%s]"
|
|
|
d6181b |
+ " (%d [%s])\n", filter_list[i],
|
|
|
d6181b |
+ ret, strerror(ret));
|
|
|
d6181b |
+ continue;
|
|
|
d6181b |
+ }
|
|
|
d6181b |
}
|
|
|
d6181b |
} else {
|
|
|
d6181b |
for (dom = domain_list;
|
|
|
d6181b |
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
|
|
|
d6181b |
index 7ab8a0981..9d4bdde14 100644
|
|
|
d6181b |
--- a/src/tests/cmocka/test_negcache.c
|
|
|
d6181b |
+++ b/src/tests/cmocka/test_negcache.c
|
|
|
d6181b |
@@ -637,7 +637,7 @@ static void test_sss_ncache_prepopulate(void **state)
|
|
|
d6181b |
struct sss_domain_info *subdomain;
|
|
|
d6181b |
|
|
|
d6181b |
struct sss_test_conf_param nss_params[] = {
|
|
|
d6181b |
- { "filter_users", "testuser_nss@UPN.REALM, testuser_nss_short" },
|
|
|
d6181b |
+ { "filter_users", "testuser_nss@UPN.REALM, testuser_nss_short, all_dom_upn@"TEST_DOM_NAME },
|
|
|
d6181b |
{ NULL, NULL },
|
|
|
d6181b |
};
|
|
|
d6181b |
struct sss_test_conf_param dom_params[] = {
|
|
|
d6181b |
@@ -752,6 +752,21 @@ static void test_sss_ncache_prepopulate(void **state)
|
|
|
d6181b |
|
|
|
d6181b |
ret = sss_ncache_check_upn(ncache, tc->dom, "testuser3@somedomain");
|
|
|
d6181b |
assert_int_equal(ret, EEXIST);
|
|
|
d6181b |
+
|
|
|
d6181b |
+ /* Fully qualified names with a known domain part should be added to all
|
|
|
d6181b |
+ * negative UPN caches and to the negative cache of the know domain. */
|
|
|
d6181b |
+ ret = sss_ncache_check_upn(ncache, tc->dom, "all_dom_upn@"TEST_DOM_NAME);
|
|
|
d6181b |
+ assert_int_equal(ret, EEXIST);
|
|
|
d6181b |
+
|
|
|
d6181b |
+ ret = sss_ncache_check_upn(ncache, tc->dom->subdomains,
|
|
|
d6181b |
+ "all_dom_upn@"TEST_DOM_NAME);
|
|
|
d6181b |
+ assert_int_equal(ret, EEXIST);
|
|
|
d6181b |
+
|
|
|
d6181b |
+ ret = check_user_in_ncache(ncache, tc->dom, "all_dom_upn");
|
|
|
d6181b |
+ assert_int_equal(ret, EEXIST);
|
|
|
d6181b |
+
|
|
|
d6181b |
+ ret = check_user_in_ncache(ncache, tc->dom->subdomains, "all_dom_upn");
|
|
|
d6181b |
+ assert_int_equal(ret, ENOENT);
|
|
|
d6181b |
}
|
|
|
d6181b |
|
|
|
d6181b |
static void test_sss_ncache_default_domain_suffix(void **state)
|
|
|
d6181b |
--
|
|
|
d6181b |
2.20.1
|
|
|
d6181b |
|