From 7db20e1826c1f5453391ec7c6df07c123ea33711 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 06 2014 07:13:14 +0000 Subject: import sssd-1.11.2-68.el7_0.6 --- diff --git a/SOURCES/0127-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch b/SOURCES/0127-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch new file mode 100644 index 0000000..de65245 --- /dev/null +++ b/SOURCES/0127-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch 
@@ -0,0 +1,75 @@ +From 5ecab6dc08ac35a400e067af09b49e7fcb0f17c0 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 12 Aug 2014 10:32:33 +0200 +Subject: [PATCH 127/130] IPA: handle searches by SID in + apply_subdomain_homedir +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +https://fedorahosted.org/sssd/ticket/2391 + +apply_subdomain_homedir() didn't handle the situation where an entity +that doesn't match was requested from the cache. For user and group +lookups this wasn't a problem because the negative match was caught +sooner. + +But SID lookups can match either user or group. When a group SID was +requested, the preceding LDAP request matched the SID and stored the +group in the cache. Then apply_subdomain_homedir() only tried to search +user by SID, didn't find the entry and accessed a NULL pointer. + +A simple reproducer is: +$ python +>>> import pysss_nss_idmap +>>> pysss_nss_idmap.getnamebysid(group_sid) + +The group_sid can be anything, including Domain Users (XXX-513) + +Reviewed-by: Michal Židek +(cherry picked from commit 82347f452febe3cbffc36b0a3308ffb462515442) +--- + src/providers/ipa/ipa_subdomains_id.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c +index d8922a461fc1cbbec4bb65b8cd6e6cf25f2dc605..5517602a6e9c7d56406e42aa3afbd2527e2df7ea 100644 +--- a/src/providers/ipa/ipa_subdomains_id.c ++++ b/src/providers/ipa/ipa_subdomains_id.c +@@ -492,6 +492,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + + if (filter_type == BE_FILTER_NAME) { + ret = sysdb_getpwnam(mem_ctx, dom->sysdb, dom, filter_value, &res); ++ if (res && res->count == 0) { ++ ret = ENOENT; ++ } + } else if (filter_type == BE_FILTER_IDNUM) { + errno = 0; + uid = strtouint32(filter_value, NULL, 10); +@@ -500,6 +503,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info 
*dom, + goto done; + } + ret = sysdb_getpwuid(mem_ctx, dom->sysdb, dom, uid, &res); ++ if (res && res->count == 0) { ++ ret = ENOENT; ++ } + } else if (filter_type == BE_FILTER_SECID) { + ret = sysdb_search_user_by_sid_str(mem_ctx, dom->sysdb, dom, + filter_value, attrs, &msg); +@@ -515,10 +521,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + ("Failed to make request to our cache: [%d]: [%s]\n", + ret, sss_strerror(ret))); + goto done; +- } +- +- if ((res && res->count == 0) || (msg && msg->num_elements == 0)) { +- ret = ENOENT; ++ } else if (ret == ENOENT) { ++ DEBUG(SSSDBG_TRACE_FUNC, ("Cannot find [%s] with search type [%d]\n", ++ filter_value, filter_type)); + goto done; + } + +-- +1.9.3 + diff --git a/SOURCES/0128-LDAP-Ignore-returned-referrals-if-referral-support-i.patch b/SOURCES/0128-LDAP-Ignore-returned-referrals-if-referral-support-i.patch new file mode 100644 index 0000000..3069a3b --- /dev/null +++ b/SOURCES/0128-LDAP-Ignore-returned-referrals-if-referral-support-i.patch 
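Review bot: The miss handling in apply_subdomain_homedir() now differs per filter type without saying so: the BE_FILTER_NAME and BE_FILTER_IDNUM branches turn an EOK-with-empty-result into ENOENT by hand, while the BE_FILTER_SECID branch drops the old `msg->num_elements == 0` check and relies entirely on sysdb_search_user_by_sid_str() reporting a miss as ENOENT. That asymmetry is exactly where the original NULL access came from, so it deserves a comment above the new `else if (ret == ENOENT)` branch, e.g. `/* getpwnam/getpwuid report a miss as EOK with res->count == 0 (mapped to ENOENT above); search_user_by_sid_str reports it as ENOENT directly */`. The two identical `if (res && res->count == 0) { ret = ENOENT; }` blocks could also be folded into a single check after the if/else chain rather than repeated per branch. The function starts before and continues after the hunk.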
@@ -0,0 +1,82 @@ +From b224c49b8f0a9cdf343a443fdf2190dc6f047508 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 20 Aug 2014 14:00:38 +0200 +Subject: [PATCH 128/130] LDAP: Ignore returned referrals if referral support + is disabled + +Reviewed-by: Pavel Reichl +(cherry picked from commit a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2) +--- + src/providers/ldap/sdap_async.c | 18 +++++++++++++++--- + src/util/util_errors.c | 1 + + src/util/util_errors.h | 2 ++ + 3 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c +index 1022a093f06ec7e9a50b13160fc9a4660a255e92..7db01d979ee81a3707126a4c3eb1f36006e8b392 100644 +--- a/src/providers/ldap/sdap_async.c ++++ b/src/providers/ldap/sdap_async.c +@@ -1404,6 +1404,10 @@ static void sdap_get_generic_ext_done(struct sdap_op *op, + ldap_memfree(errmsg); + tevent_req_error(req, ENOTSUP); + return; ++ } else if (result == LDAP_REFERRAL) { ++ ldap_memfree(errmsg); ++ tevent_req_error(req, ERR_REFERRAL); ++ return; + } else if (result != LDAP_SUCCESS && result != LDAP_NO_SUCH_OBJECT) { + DEBUG(SSSDBG_OP_FAILURE, + ("Unexpected result from ldap: %s(%d), %s\n", +@@ -1565,13 +1569,21 @@ static void sdap_get_generic_done(struct tevent_req *subreq) + { + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); ++ struct sdap_get_generic_state *state = ++ tevent_req_data(req, struct sdap_get_generic_state); + int ret; + + ret = sdap_get_generic_ext_recv(subreq); + talloc_zfree(subreq); +- if (ret) { +- DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n", +- ret, sss_strerror(ret))); ++ if (ret == ERR_REFERRAL) { ++ if (dp_opt_get_bool(state->opts->basic, SDAP_REFERRALS)) { ++ tevent_req_error(req, ret); ++ return; ++ } ++ } else if (ret) { ++ DEBUG(SSSDBG_CONF_SETTINGS, ++ ("sdap_get_generic_ext_recv failed [%d]: %s\n", ++ ret, sss_strerror(ret))); + tevent_req_error(req, ret); + return; + } +diff --git a/src/util/util_errors.c 
b/src/util/util_errors.c +index c9b507557da07555c719bb0dd18145e6799a53eb..eb7b1aec7b388e2509471cce8322cf38f9388151 100644 +--- a/src/util/util_errors.c ++++ b/src/util/util_errors.c +@@ -53,6 +53,7 @@ struct err_string error_to_str[] = { + { "Missing configuration file" }, /* ERR_MISSING_CONF */ + { "Malformed search filter" }, /* ERR_INVALID_FILTER, */ + { "No POSIX attributes detected" }, /* ERR_NO_POSIX */ ++ { "LDAP search returned a referral" }, /* ERR_REFERRAL */ + }; + + +diff --git a/src/util/util_errors.h b/src/util/util_errors.h +index 3dd94af1f304d65e22515c859c6f69a021fa7e92..2858311dec90ae0ea57dbcd7b6de4beb9fb19c50 100644 +--- a/src/util/util_errors.h ++++ b/src/util/util_errors.h +@@ -75,6 +75,8 @@ enum sssd_errors { + ERR_MISSING_CONF, + ERR_INVALID_FILTER, + ERR_NO_POSIX, ++ ERR_NO_SYSBUS, ++ ERR_REFERRAL, + ERR_LAST /* ALWAYS LAST */ + }; + +-- +1.9.3 + diff --git a/SOURCES/0129-Ignore-referrals-in-deref-and-ASQ-too.patch b/SOURCES/0129-Ignore-referrals-in-deref-and-ASQ-too.patch new file mode 100644 index 0000000..c2da9d5 --- /dev/null +++ b/SOURCES/0129-Ignore-referrals-in-deref-and-ASQ-too.patch 
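Review bot: The enum and the message table go out of step in this hunk: util_errors.h adds two members after ERR_NO_POSIX, `ERR_NO_SYSBUS` and `ERR_REFERRAL`, but util_errors.c adds only the single `"LDAP search returned a referral"` entry. If sss_strerror() indexes error_to_str[] by the enum offset, as the one-entry-per-member layout of the table suggests, ERR_NO_SYSBUS now prints the referral message and ERR_REFERRAL reads one slot past the end of the table, and callers that receive ERR_REFERRAL through tevent_req_error() will presumably format it with sss_strerror(). Either drop the stray `ERR_NO_SYSBUS,` line from the header or add a matching `{ "The system bus is not available" }, /* ERR_NO_SYSBUS */` entry ahead of the referral string in util_errors.c. Separately, when referral chasing is disabled the new `ret == ERR_REFERRAL` branch in sdap_get_generic_done() falls through to the success path with no trace at all; a `DEBUG(SSSDBG_TRACE_FUNC, ("Ignoring referral, referral chasing is disabled\n"));` in that branch would make a result set truncated by a referral diagnosable.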
@@ -0,0 +1,76 @@ +From 5b5cb000d63c3edad40ebb420776df2a18950fcb Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 10 Sep 2014 11:55:24 +0200 +Subject: [PATCH 129/130] Ignore referrals in deref and ASQ, too +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Michal Židek +--- + src/providers/ldap/sdap_async.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c +index 7db01d979ee81a3707126a4c3eb1f36006e8b392..b06d94bfd9d1a60f587de5c807389c74f908af5e 100644 +--- a/src/providers/ldap/sdap_async.c ++++ b/src/providers/ldap/sdap_async.c +@@ -1622,6 +1622,7 @@ static errno_t sdap_x_deref_parse_entry(struct sdap_handle *sh, + struct sdap_x_deref_search_state { + struct sdap_handle *sh; + struct sdap_op *op; ++ struct sdap_options *opts; + struct sdap_attr_map_info *maps; + LDAPControl **ctrls; + +@@ -1647,6 +1648,7 @@ sdap_x_deref_search_send(TALLOC_CTX *memctx, struct tevent_context *ev, + state->sh = sh; + state->maps = maps; + state->op = NULL; ++ state->opts = opts; + state->num_maps = num_maps; + state->ctrls = talloc_zero_array(state, LDAPControl *, 2); + if (state->ctrls == NULL) { +@@ -1797,11 +1799,18 @@ static void sdap_x_deref_search_done(struct tevent_req *subreq) + { + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); ++ struct sdap_x_deref_search_state *state = tevent_req_data(req, ++ struct sdap_x_deref_search_state); + int ret; + + ret = sdap_get_generic_ext_recv(subreq); + talloc_zfree(subreq); +- if (ret) { ++ if (ret == ERR_REFERRAL) { ++ if (dp_opt_get_bool(state->opts->basic, SDAP_REFERRALS)) { ++ tevent_req_error(req, ret); ++ return; ++ } ++ } else if (ret) { + DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n", + ret, sss_strerror(ret))); + tevent_req_error(req, ret); +@@ -2056,11 +2065,18 @@ static void sdap_asq_search_done(struct tevent_req 
*subreq) + { + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); ++ struct sdap_asq_search_state *state = ++ tevent_req_data(req, struct sdap_asq_search_state); + int ret; + + ret = sdap_get_generic_ext_recv(subreq); + talloc_zfree(subreq); +- if (ret) { ++ if (ret == ERR_REFERRAL) { ++ if (dp_opt_get_bool(state->opts->basic, SDAP_REFERRALS)) { ++ tevent_req_error(req, ret); ++ return; ++ } ++ } else if (ret) { + DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n", + ret, sss_strerror(ret))); + tevent_req_error(req, ret); +-- +1.9.3 + diff --git a/SOURCES/0130-IPA-Use-GC-for-group-lookups-in-server-mode.patch b/SOURCES/0130-IPA-Use-GC-for-group-lookups-in-server-mode.patch new file mode 100644 index 0000000..b42b8e4 --- /dev/null +++ b/SOURCES/0130-IPA-Use-GC-for-group-lookups-in-server-mode.patch 
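Review bot: The referral check is now pasted verbatim into sdap_x_deref_search_done() and sdap_asq_search_done() (and already sits in sdap_get_generic_done()), and in both of these copies the disabled-referral case falls through to the success path silently, so a deref or ASQ search cut short by a referral leaves nothing in the logs. Collapsing the nested test into one condition also removes the empty inner `if` body: `if (ret == ERR_REFERRAL && !dp_opt_get_bool(state->opts->basic, SDAP_REFERRALS)) { DEBUG(SSSDBG_TRACE_FUNC, ("Ignoring referral, referral chasing is disabled\n")); } else if (ret) {`. As a point of style, both callbacks keep the bare `DEBUG(4, ...)` level on the failure path while the generic callback was moved to `SSSDBG_CONF_SETTINGS` in the preceding patch; they should agree. sdap_asq_search_state gains no `opts` member here, so the hunk assumes one already exists; both callbacks continue past the hunk.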
@@ -0,0 +1,52 @@ +From 756a944b898e55a83c212999b31ba6550af4b1ce Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 9 Sep 2014 22:13:52 +0200 +Subject: [PATCH 130/130] IPA: Use GC for group lookups in server mode + +https://fedorahosted.org/sssd/ticket/2412 + +Even though AD trusts often work with POSIX attributes which are +normally not replicated to GC, our group lookups are smart since commit +008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using +the LDAP connection and only use the GC connection to look up the members. + +Reviewed-by: Pavel Reichl +(cherry picked from commit a20ce8cd43d72c89e2ea1d65aefe24ba270f040f) +--- + src/providers/ipa/ipa_subdomains_id.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c +index 5517602a6e9c7d56406e42aa3afbd2527e2df7ea..9a90bc2d68561ce518bd31d74ec010c697036352 100644 +--- a/src/providers/ipa/ipa_subdomains_id.c ++++ b/src/providers/ipa/ipa_subdomains_id.c +@@ -304,17 +304,21 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx, + } + sdap_id_ctx = ad_id_ctx->sdap_id_ctx; + +- /* Currently only LDAP port for AD is used because POSIX +- * attributes are not replicated to GC by default ++ /* We read users and groups from GC. From groups, we may switch to ++ * using LDAP connection in the group request itself, but in order ++ * to resolve Universal group memberships, we also need the GC ++ * connection + */ +- +- if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) { ++ switch (state->ar->entry_type & BE_REQ_TYPE_MASK) { ++ case BE_REQ_INITGROUPS: ++ case BE_REQ_GROUP: + clist = ad_gc_conn_list(req, ad_id_ctx, state->user_dom); + if (clist == NULL) { + ret = ENOMEM; + goto fail; + } +- } else { ++ break; ++ default: + clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2); + if (clist == NULL) { + ret = ENOMEM; +-- +1.9.3 + 
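Review bot: The new comment in ipa_get_ad_acct_send() opens with "We read users and groups from GC", but the switch beneath it routes only BE_REQ_INITGROUPS and BE_REQ_GROUP through ad_gc_conn_list(); every other request type, including plain user lookups, still takes the `default:` branch that builds the single-entry connection list, so the comment claims more than the code does. Suggest replacing it with `/* Group and initgroups requests go through the GC connection list so that Universal group memberships can be resolved; the group request itself may still switch to the LDAP port for POSIX attributes. All other request types use the plain LDAP connection built below. */`. Whether ad_gc_conn_list() orders GC ahead of LDAP is not visible in this hunk, so the comment should not promise a fallback order. The `default:` branch and the rest of the function continue past the hunk.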
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index b268d74..82408f1 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -8,7 +8,7 @@ Name: sssd Version: 1.11.2 -Release: 68%{?dist}.5 +Release: 68%{?dist}.6 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -143,6 +143,10 @@ Patch0123: 0123-AD-Provider-bug-fix-uninitialized-variable.patch Patch0124: 0124-AD-Provider-bugfix-use-after-free.patch Patch0125: 0125-ipa-subdomains-provider-make-sure-search-by-SID-work.patch Patch0126: 0126-tests-Remove-tests-that-check-creating-public-direct.patch +Patch0127: 0127-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch +Patch0128: 0128-LDAP-Ignore-returned-referrals-if-referral-support-i.patch +Patch0129: 0129-Ignore-referrals-in-deref-and-ASQ-too.patch +Patch0130: 0130-IPA-Use-GC-for-group-lookups-in-server-mode.patch ### Dependencies ### @@ -826,6 +830,10 @@ fi %postun -n libsss_idmap -p /sbin/ldconfig %changelog +* Tue Oct 14 2014 Jakub Hrozek - 1.11.2-68.6 +- Resolves: rhbz#1152200 - Error processing universal groups with + cross-domain membership in SSSD server mode + * Wed May 21 2014 Jakub Hrozek - 1.11.2-68.5 - Rebuild for a proper dist tag, yet again, now using the correct build options