6ec482
From 9cb4436694d2fa5f7a56fa774e5283f0b46cc18f Mon Sep 17 00:00:00 2001
6ec482
From: Alexander Bokovoy <abokovoy@redhat.com>
6ec482
Date: Sun, 31 Mar 2019 12:37:21 +0300
6ec482
Subject: [PATCH 2/2] ipasam: use SID formatting calls to libsss_idmap
6ec482
6ec482
Samba 4.10 moved away to private libraries two functions we used to
6ec482
convert a binary SID structure to strings:
6ec482
 - sid_talloc_string()
6ec482
 - sid_string_dbg()
6ec482
6ec482
We already used libsss_idmap to convert textual representation of SIDs
6ec482
to a binary one, use the reverse function too.
6ec482
6ec482
libsss_idmap code operates on talloc structures, so we need to adopt a
6ec482
bit a place where sid_string_dbg() was used because it assumed a static
6ec482
buffer was provided by sid_string_dbg().
6ec482
6ec482
Finally, sid_talloc_string()'s replacement moves allocated memory to the
6ec482
right context so that a memory will be freed earlier. Our SSSD idmap
6ec482
context is a long-living one while in all cases where we were using
6ec482
sid_talloc_string() we free the context much earlier.
6ec482
6ec482
Resolves: https://pagure.io/freeipa/issue/7893
6ec482
Reviewed-By: Christian Heimes <cheimes@redhat.com>
6ec482
(cherry picked from commit 137af1d2c38925404dc92f70321ac0f5fb1cf5eb)
6ec482
---
6ec482
 daemons/ipa-sam/ipa_sam.c | 52 ++++++++++++++++++++++++++++-----------
6ec482
 1 file changed, 37 insertions(+), 15 deletions(-)
6ec482
6ec482
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
6ec482
index 2f78f82f9..851cbc39a 100644
6ec482
--- a/daemons/ipa-sam/ipa_sam.c
6ec482
+++ b/daemons/ipa-sam/ipa_sam.c
6ec482
@@ -104,8 +104,6 @@ enum ndr_err_code ndr_pull_trustAuthInOutBlob(struct ndr_pull *ndr, int ndr_flag
6ec482
 bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
6ec482
 /* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
6ec482
 bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
6ec482
-char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */
6ec482
-char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
6ec482
 char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
6ec482
 bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
6ec482
 void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
6ec482
@@ -261,6 +259,18 @@ static bool sid_compose(struct dom_sid *dst, const struct dom_sid *dom_sid,
6ec482
 	return true;
6ec482
 }
6ec482
 
6ec482
+static char *sid_talloc_string(struct sss_idmap_ctx *ctx, void *final_ctx, const struct dom_sid *dom_sid)
6ec482
+{
6ec482
+	enum idmap_error_code ret;
6ec482
+	char *result = NULL;
6ec482
+	ret = sss_idmap_smb_sid_to_sid(ctx, discard_const(dom_sid), &result);
6ec482
+	if (ret != IDMAP_SUCCESS) {
6ec482
+		return NULL;
6ec482
+	}
6ec482
+
6ec482
+	return talloc_move(final_ctx, &result);
6ec482
+}
6ec482
+
6ec482
 static bool is_null_sid(const struct dom_sid *sid)
6ec482
 {
6ec482
 	size_t c;
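Review bot: The new sid_talloc_string() helper carries no comment on ownership or failure semantics, although it is the replacement every other hunk now relies on; a short header would help the next reader, e.g. `/* Format dom_sid as an "S-1-..." string via libsss_idmap and move the result to final_ctx; returns NULL if the conversion fails. */`. The `discard_const(dom_sid)` cast is presumably needed because the libsss_idmap call takes a non-const pointer; saying so in a one-line comment would stop a later cleanup from "fixing" it. Note also that, unlike the removed sid_string_talloc(), NULL here means a conversion error and not only allocation failure, which matters for the callers that still treat NULL as out-of-memory.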
6ec482
@@ -519,8 +529,18 @@ static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
6ec482
 	}
6ec482
 
6ec482
 	if (dom_sid_compare_domain(sid, domain_sid) != 0) {
6ec482
-		DEBUG(10, ("SID %s is not in expected domain %s\n",
6ec482
-			   str, sid_string_dbg(domain_sid)));
6ec482
+		char *debug_domain_sid = NULL;
6ec482
+		err = sss_idmap_smb_sid_to_sid(idmap_ctx,
6ec482
+					       discard_const(domain_sid),
6ec482
+					       &debug_domain_sid);
6ec482
+		if (err != IDMAP_SUCCESS) {
6ec482
+			DEBUG(10, ("SID %s is not in expected domain.\n",
6ec482
+				   str));
6ec482
+		} else {
6ec482
+			DEBUG(10, ("SID %s is not in expected domain %s\n",
6ec482
+				   str, debug_domain_sid));
6ec482
+			talloc_free(debug_domain_sid);
6ec482
+		}
6ec482
 		res = false;
6ec482
 		goto done;
6ec482
 	}
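Review bot: The failure branch of the new block drops the error code from sss_idmap_smb_sid_to_sid(), so at debug level 10 a reader cannot tell why the domain SID is missing from the message; `DEBUG(10, ("SID %s is not in expected domain (domain SID conversion failed: %d).\n", str, err));` would keep that information. The block also re-implements inline the conversion that the sid_talloc_string() helper introduced earlier in this patch wraps; if a talloc context is available in this function, calling the helper would keep the two code paths consistent. `err` and `idmap_ctx` are used here but declared outside the hunk, and ldapsam_extract_rid_from_entry() starts and ends outside it.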
6ec482
@@ -589,7 +609,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
6ec482
 		allsids = talloc_asprintf_append_buffer(
6ec482
 			allsids, "(%s=%s)",
6ec482
 			LDAP_ATTRIBUTE_SID,
6ec482
-			sid_string_talloc(mem_ctx, &sid));
6ec482
+			sid_talloc_string(ipasam_state->idmap_ctx, mem_ctx, &sid));
6ec482
 		if (allsids == NULL) {
6ec482
 			goto done;
6ec482
 		}
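Review bot: sid_talloc_string() can return NULL, and here its result is passed straight into a `%s` conversion of talloc_asprintf_append_buffer(), which is undefined behaviour in C and in practice yields a filter containing "(null)" rather than an error; the same unchecked pattern appears in the ldapsam_sid_to_id, ipasam_search_grouptype and ipasam_set_trusted_domain hunks, whereas the ipasam_get_trusted_domain_by_sid hunk does check for NULL. The exposure existed before with sid_string_talloc() on allocation failure, but the new helper also returns NULL on idmap conversion errors, so the window is wider. Converting first and bailing out on NULL keeps the filter well-formed: `char *sid_str = sid_talloc_string(ipasam_state->idmap_ctx, mem_ctx, &sid);` followed by `if (sid_str == NULL) { goto done; }` and then `sid_str` in the format call. ldapsam_lookup_rids() starts and ends outside the hunk.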
6ec482
@@ -790,7 +810,8 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
6ec482
 	filter = talloc_asprintf(mem_ctx,
6ec482
 				 "(&(%s=%s)"
6ec482
 				 "(|(objectClass=%s)(objectClass=%s)))",
6ec482
-				 LDAP_ATTRIBUTE_SID, sid_string_talloc(mem_ctx, sid),
6ec482
+				 LDAP_ATTRIBUTE_SID,
6ec482
+				 sid_talloc_string(priv->idmap_ctx, mem_ctx, sid),
6ec482
 				 LDAP_OBJ_GROUPMAP, LDAP_OBJ_SAMBASAMACCOUNT);
6ec482
 	if (filter == NULL) {
6ec482
 		DEBUG(5, ("talloc_asprintf failed\n"));
6ec482
@@ -936,7 +957,7 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
6ec482
 	err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx,
6ec482
 				       user_sid_string, &user_sid);
6ec482
 	if (err != IDMAP_SUCCESS) {
6ec482
-		DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
6ec482
+		DEBUG(3, ("Error creating sid structure for sid '%s'\n",
6ec482
 			  user_sid_string));
6ec482
 		goto done;
6ec482
 	}
6ec482
@@ -1052,7 +1073,7 @@ found:
6ec482
 	err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx,
6ec482
 				       group_sid_string, &group_sid);
6ec482
 	if (err != IDMAP_SUCCESS) {
6ec482
-		DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
6ec482
+		DEBUG(3, ("Error creating sid structure for sid '%s'\n",
6ec482
 			  group_sid_string));
6ec482
 		goto done;
6ec482
 	}
6ec482
@@ -1595,11 +1616,11 @@ static bool ipasam_search_grouptype(struct pdb_methods *methods,
6ec482
 	state->base = talloc_strdup(search, ipasam_state->base_dn);
6ec482
 	state->connection = ipasam_state->ldap_state;
6ec482
 	state->scope = LDAP_SCOPE_SUBTREE;
6ec482
-	state->filter =	talloc_asprintf(search, "(&(objectclass=%s)"
6ec482
-					"(%s=%s*))",
6ec482
-					 LDAP_OBJ_GROUPMAP,
6ec482
-					 LDAP_ATTRIBUTE_SID,
6ec482
-					 sid_string_talloc(search, sid));
6ec482
+	state->filter =	talloc_asprintf(search, "(&(objectclass=%s)(%s=%s*))",
6ec482
+					LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID,
6ec482
+					sid_talloc_string(
6ec482
+						ipasam_state->idmap_ctx,
6ec482
+						search, sid));
6ec482
 	state->attrs = talloc_attrs(search, "cn", LDAP_ATTRIBUTE_SID,
6ec482
 				    "displayName", "description",
6ec482
 				     NULL);
6ec482
@@ -2412,7 +2433,7 @@ static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods,
6ec482
 	char *sid_str;
6ec482
 	bool ok;
6ec482
 
6ec482
-	sid_str = sid_string_talloc(mem_ctx, sid);
6ec482
+	sid_str = sid_talloc_string(ipasam_state->idmap_ctx, mem_ctx, sid);
6ec482
 	if (sid_str == NULL) {
6ec482
 		return NT_STATUS_NO_MEMORY;
6ec482
 	}
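Review bot: The NULL check right after the changed line still maps the failure to NT_STATUS_NO_MEMORY, but with sid_talloc_string() a NULL result also means libsss_idmap refused to format the SID, so callers now receive an out-of-memory status for what may be an invalid SID. If callers distinguish the two cases, NT_STATUS_INVALID_SID is the closer status for the conversion failure; otherwise a comment such as `/* NULL covers both allocation failure and idmap conversion failure */` would at least document the conflation. ipasam_get_trusted_domain_by_sid() continues outside the hunk.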
6ec482
@@ -2593,7 +2614,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
6ec482
 	if (!is_null_sid(&td->security_identifier)) {
6ec482
 		smbldap_make_mod(priv2ld(ipasam_state), entry, &mods,
6ec482
 				 LDAP_ATTRIBUTE_TRUST_SID,
6ec482
-				 sid_string_talloc(tmp_ctx, &td->security_identifier));
6ec482
+				 sid_talloc_string(ipasam_state->idmap_ctx,
6ec482
+						   tmp_ctx, &td->security_identifier));
6ec482
 	}
6ec482
 
6ec482
 	if (td->trust_type != 0) {
6ec482
-- 
6ec482
2.21.0
6ec482