From 8cffd2a1435ab300bb5b7aa5a3d86b5e1f3ba63f Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 27 2021 13:01:03 +0000 Subject: import ipa-4.6.8-5.el7_9.5 --- diff --git a/SOURCES/0020-ipa-kdb-fix-compiler-warnings.patch b/SOURCES/0020-ipa-kdb-fix-compiler-warnings.patch new file mode 100644 index 0000000..ec12f9a --- /dev/null +++ b/SOURCES/0020-ipa-kdb-fix-compiler-warnings.patch 
@@ -0,0 +1,105 @@ +From 02b0d44892a7c6953cfb70034dbfc1b77a2371fc Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 23 Feb 2021 10:06:25 +0200 +Subject: [PATCH] ipa-kdb: fix compiler warnings + +There are few fields in KDB structures that have 'conflicting' types but +need to be compared. They come from MIT Kerberos and we have no choice +here. + +In the same way, SID structures have own requirements. + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Robbie Harwood +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++-- + daemons/ipa-kdb/ipa_kdb_mspac.c | 4 ++-- + daemons/ipa-kdb/ipa_kdb_principals.c | 6 +++--- + daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +- + 4 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c +index 77748a75d6b16ee4d080a5f53213cc58c81660dc..a5ffe29334509e23fe0f0b9973432166c254b484 100644 +--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c ++++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c +@@ -110,13 +110,13 @@ void ipadb_audit_as_req(krb5_context kcontext, + } + + if (client->last_failed + ied->pol->lockout_duration > authtime && +- (client->fail_auth_count >= ied->pol->max_fail && ++ (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail && + ied->pol->max_fail != 0)) { + /* client already locked, nothing more to do */ + break; + } + if (ied->pol->max_fail == 0 || +- client->fail_auth_count < ied->pol->max_fail) { ++ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) { + /* let's increase the fail counter */ + client->fail_auth_count++; + client->mask |= KMASK_FAIL_AUTH_COUNT; +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 74cbb77cccb45188f7bd8a1a33085f8ef964930f..9f95d0dc407df4566467f2b4a960086a7d940bcc 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -158,9 +158,9 @@ int string_to_sid(const char *str, struct dom_sid *sid) 
+ + char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid) + { +- size_t c; ++ int8_t c; + size_t len; +- int ofs; ++ size_t ofs; + uint32_t ia; + char *buf; + +diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c +index 259a0d2563f4b9c038b041781b2580fe72d7ed7e..3b78970b118cb6d8bd97da82a79226d20ea784e1 100644 +--- a/daemons/ipa-kdb/ipa_kdb_principals.c ++++ b/daemons/ipa-kdb/ipa_kdb_principals.c +@@ -498,7 +498,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext, + l = len; + for (i = 0; i < count; i++) { + ret = snprintf(ap, l, "%s ", authinds[i]); +- if (ret <= 0 || ret > l) { ++ if (ret <= 0 || ret > (int) l) { + ret = ENOMEM; + goto cleanup; + } +@@ -1867,7 +1867,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext, + char *s = NULL; + size_t ai_size = 0; + int cnt = 0; +- int i = 0; ++ size_t i = 0; + + ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais); + if (ret) { +@@ -2248,7 +2248,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods) + { + krb5_error_code kerr; + LDAPMod *m = NULL; +- int i; ++ size_t i; + + kerr = ipadb_mods_new(imods, &m); + if (kerr) { +diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c +index 10f128700bfd01d6ed6b5dd224ea9226b6f0dd2e..a3be116f93458e7b1a50bbbc6bda916d0e11a47a 100644 +--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c ++++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c +@@ -328,7 +328,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext, + } + + if (ied->pol->max_fail == 0 || +- client->fail_auth_count < ied->pol->max_fail) { ++ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) { + /* still within allowed failures range */ + return 0; + } +-- +2.26.3 + diff --git a/SOURCES/0021-ipa-kdb-add-missing-prototypes.patch b/SOURCES/0021-ipa-kdb-add-missing-prototypes.patch new file mode 100644 index 0000000..a997b67 --- /dev/null 
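Review bot: The `(krb5_kvno)` casts on `ied->pol->max_fail` in ipa_kdb_audit_as.c and ipa_kdb_pwdpolicy.c silence -Wsign-compare but leave an assumption unstated: fail_auth_count is krb5_kvno (unsigned in MIT Kerberos), so a negative max_fail — if the policy loader, which is outside this patch, can ever produce one — converts to a very large limit and the lockout branch never fires, exactly as the old implicit conversion did, only now it reads as deliberate. A one-line comment at the first cast, `/* max_fail is signed, fail_auth_count is krb5_kvno; the policy loader must reject negative max_fail */`, or a `max_fail < 0` check where the policy is read, would make that contract explicit. In dom_sid_string the change of `ofs` from int to size_t also deserves a look at the body, which is not in the hunk: snprintf returns int, and any `len - ofs` expression that previously went negative on overrun now wraps to a huge size_t, so confirm the bound check there still protects the buffer.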
+++ b/SOURCES/0021-ipa-kdb-add-missing-prototypes.patch 
@@ -0,0 +1,88 @@ +From 0c9f411efb7fb7bd7df5f07f2225af3f75bdf342 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 24 Feb 2021 20:51:40 +0200 +Subject: [PATCH] ipa-kdb: add missing prototypes + +On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings +about function prototypes missing. If -Werror is specified, this breaks +compilation. + +We also default to -Werror=implicit-function-declaration + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Robbie Harwood +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++-------- + daemons/ipa-kdb/ipa_kdb_mspac_private.h | 4 ++++ + 2 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 9f95d0dc407df4566467f2b4a960086a7d940bcc..b6e7516859ce59232364f6ae93dee3063914ecf4 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -2325,9 +2325,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) + *mspac = NULL; + } + +-krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist, +- struct dom_sid **result_sids, +- int *result_length) ++static krb5_error_code ++ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist, ++ struct dom_sid **result_sids, ++ int *result_length) + { + int len, i; + char **source; +@@ -2358,9 +2359,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist, + return 0; + } + +-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust, +- char **sid_blacklist_incoming, +- char **sid_blacklist_outgoing) ++static krb5_error_code ++ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust, ++ char **sid_blacklist_incoming, ++ char **sid_blacklist_outgoing) + { + krb5_error_code kerr; + +@@ -2381,7 +2383,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus + return 0; + } + 
+-krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx) ++static krb5_error_code ++ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx) + { + char *attrs[] = { NULL }; + char *filter = "(objectclass=ipaNTTrustedDomain)"; +@@ -2426,7 +2429,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blacklist_incoming, char ***si + } + } + +-krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) ++static krb5_error_code ++ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) + { + struct ipadb_adtrusts *t; + LDAP *lc = ipactx->lcontext; +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h +index 30382d2eefaeddc6d5aff38553fb4668e0173201..82397cc40febfef91f8f58cb643daaa5b9b1d6d9 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h ++++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h +@@ -52,3 +52,7 @@ struct ipadb_adtrusts { + + int string_to_sid(const char *str, struct dom_sid *sid); + char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid); ++krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx, ++ krb5_data realm, struct PAC_LOGON_INFO_CTR *info); ++void get_authz_data_types(krb5_context context, krb5_db_entry *entry, ++ bool *_with_pac, bool *_with_pad); +\ No newline at end of file +-- +2.26.3 + diff --git a/SOURCES/0022-ipa-kdb-reformat-ipa_kdb_certauth.patch b/SOURCES/0022-ipa-kdb-reformat-ipa_kdb_certauth.patch new file mode 100644 index 0000000..6a1f25d --- /dev/null +++ b/SOURCES/0022-ipa-kdb-reformat-ipa_kdb_certauth.patch 
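Review bot: The two prototypes added to ipa_kdb_mspac_private.h expose internal helpers without saying why they are non-static; the only external caller visible in this series is daemons/ipa-kdb/tests/ipa_kdb_tests.c, so a comment above them such as `/* Non-static only so ipa_kdb_tests.c can exercise them; not part of the KDB plugin interface. */` would stop a later reader from treating them as API or relying on them from another module. The header now also needs `bool`, `krb5_context` and `krb5_db_entry` to be declared before it is included; unless it already pulls in <stdbool.h> and the krb5 headers itself (not visible here), these prototypes make it include-order dependent. The file is additionally left without a trailing newline. Making the four ipadb_adtrusts_*/ipadb_mspac_*_trusted_domains functions static is the right direction and shrinks the exported symbol set.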
@@ -0,0 +1,75 @@ +From 592a0eceb7e38fb41c815efa22229574bae177c6 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 24 Feb 2021 20:52:15 +0200 +Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth + +Add prototype to the exported function + +Replace few tabs by spaces and mark static code as static. + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Robbie Harwood +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c +index 47911aa3ded56efe4d47acb78d94ccdbcdca7339..32d6710edb9f1547d1ffe628a5529357b2f593ab 100644 +--- a/daemons/ipa-kdb/ipa_kdb_certauth.c ++++ b/daemons/ipa-kdb/ipa_kdb_certauth.c +@@ -71,10 +71,13 @@ struct krb5_certauth_moddata_st { + time_t valid_until; + }; + +-void ipa_certmap_debug(void *private, +- const char *file, long line, +- const char *function, +- const char *format, ...) ++krb5_error_code certauth_ipakdb_initvt(krb5_context context, ++ int maj_ver, int min_ver, ++ krb5_plugin_vtable vtable); ++ ++static void ipa_certmap_debug(void *private, const char *file, long line, ++ const char *function, ++ const char *format, ...) + { + va_list ap; + char str[255] = { 0 }; +@@ -355,12 +358,12 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context, + * so there is nothing more to add here. 
*/ + auth_inds = calloc(2, sizeof(char *)); + if (auth_inds != NULL) { +- ret = asprintf(&auth_inds[0], "pkinit"); +- if (ret != -1) { ++ ret = asprintf(&auth_inds[0], "pkinit"); ++ if (ret != -1) { + auth_inds[1] = NULL; + *authinds_out = auth_inds; +- } else { +- free(auth_inds); ++ } else { ++ free(auth_inds); + } + } + +@@ -405,12 +408,12 @@ static void ipa_certauth_free_indicator(krb5_context context, + size_t i = 0; + + if ((authinds == NULL) || (moddata == NULL)) { +- return; ++ return; + } + + for(i=0; authinds[i]; i++) { +- free(authinds[i]); +- authinds[i] = NULL; ++ free(authinds[i]); ++ authinds[i] = NULL; + } + + free(authinds); +-- +2.26.3 + diff --git a/SOURCES/0023-ipa-kdb-mark-test-functions-as-static.patch b/SOURCES/0023-ipa-kdb-mark-test-functions-as-static.patch new file mode 100644 index 0000000..290e0d0 --- /dev/null +++ b/SOURCES/0023-ipa-kdb-mark-test-functions-as-static.patch 
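Review bot: In ipa_certauth_authorize the re-indented allocation path still swallows failure: when calloc or asprintf fails, `*authinds_out` is never set and the function appears to carry on as if authorization succeeded without the "pkinit" indicator (the return value is assigned outside this hunk, so confirm it is not 0 in that case); a ticket issued that way silently lacks the indicator that require_auth policies key on, so returning ENOMEM from that branch is the safer behaviour. With a constant format string the asprintf is also simpler and better-defined as `auth_inds[0] = strdup("pkinit"); if (auth_inds[0] != NULL) {`, which avoids asprintf leaving auth_inds[0] indeterminate on failure. The new prototype for certauth_ipakdb_initvt would benefit from a one-line comment noting that it is the module entry point libkrb5 resolves by name (`certauth_<modname>_initvt`), which is why it is declared in the .c file rather than a header.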
@@ -0,0 +1,61 @@ +From 7423bf0192310509ff963d2b67c85409a501d4e3 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 24 Feb 2021 20:55:41 +0200 +Subject: [PATCH] ipa-kdb: mark test functions as static + +No need to define missing prototypes to single use test functions. + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Robbie Harwood +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + daemons/ipa-kdb/tests/ipa_kdb_tests.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c +index 7f1ae7f66e233d779433eff4e5f32fe7fafc3f02..1f94afe486fd09c497ee8b8aa16880d1840603d0 100644 +--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c ++++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c +@@ -164,7 +164,7 @@ extern krb5_error_code filter_logon_info(krb5_context context, + krb5_data realm, + struct PAC_LOGON_INFO_CTR *info); + +-void test_filter_logon_info(void **state) ++static void test_filter_logon_info(void **state) + { + krb5_error_code kerr; + krb5_data realm = {KV5M_DATA, REALM_LEN, REALM}; +@@ -299,10 +299,7 @@ void test_filter_logon_info(void **state) + + } + +-extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry, +- bool *with_pac, bool *with_pad); +- +-void test_get_authz_data_types(void **state) ++static void test_get_authz_data_types(void **state) + { + bool with_pac; + bool with_pad; +@@ -420,7 +417,7 @@ void test_get_authz_data_types(void **state) + krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ); + } + +-void test_string_to_sid(void **state) ++static void test_string_to_sid(void **state) + { + int ret; + struct dom_sid sid; +@@ -452,7 +449,7 @@ void test_string_to_sid(void **state) + assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid)); + } + +-void test_dom_sid_string(void **state) ++static void test_dom_sid_string(void **state) + { + struct test_ctx *test_ctx; + char *str_sid; +-- +2.26.3 + 
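Review bot: The test file keeps its own `extern krb5_error_code filter_logon_info(...)` declaration (context at line 164, just above the first change) while the companion 0021 patch adds the same prototype to ipa_kdb_mspac_private.h; with two declarations a future signature change goes unnoticed unless this file also includes that header. Dropping the local extern here, as this patch already does for get_authz_data_types, and including the private header instead leaves one declaration to maintain. Marking the test functions static is fine provided they are still referenced from the cmocka test table, which lies outside this hunk.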
diff --git a/SOURCES/0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch b/SOURCES/0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch
new file mode 100644
index 0000000..f8fc36f
--- /dev/null
+++ b/SOURCES/0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch
@@ -0,0 +1,238 @@ +From 022c2a55ec9578867b331e419fad547092d94192 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 19 Feb 2021 15:37:47 +0200 +Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context + +Calling to ipadb_get_connection() will remove LDAP context if any error +happens. This means upper layers must always verify that LDAP context +exists after such calls. + +ipadb_get_user_auth() may re-read global configuration and that may fail +and cause IPA context to have NULL LDAP context. + +Fixes: https://pagure.io/freeipa/issue/8681 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Robbie Harwood +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + daemons/ipa-kdb/ipa_kdb.c | 1 + + daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++------------- + daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------ + 3 files changed, 37 insertions(+), 22 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c +index 0dcc74263263423da6b1f4d8441ee149bce24c58..eb18a037e41bd778b3f522644acf8d793ddf70e7 100644 +--- a/daemons/ipa-kdb/ipa_kdb.c ++++ b/daemons/ipa-kdb/ipa_kdb.c +@@ -56,6 +56,7 @@ static void ipadb_context_free(krb5_context kcontext, + /* ldap free lcontext */ + if ((*ctx)->lcontext) { + ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL); ++ (*ctx)->lcontext = NULL; + } + free((*ctx)->supp_encs); + free((*ctx)->def_encs); +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index b6e7516859ce59232364f6ae93dee3063914ecf4..b231844250b8c65337bf4e7523d6a800dfe0767d 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -386,7 +386,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + TALLOC_CTX *memctx, + struct netr_SamInfo3 *info3) + { +- LDAP *lcontext = ipactx->lcontext; + LDAPDerefRes *deref_results = NULL; + struct dom_sid sid; + gid_t prigid = -1; +@@ -403,7 +402,7 @@ static krb5_error_code 
ipadb_fill_info3(struct ipadb_context *ipactx, + krb5_principal princ; + krb5_data *data; + +- ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass", ++ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass", + &objectclasses); + if (ret == 0 && objectclasses != NULL) { + for (c = 0; objectclasses[c] != NULL; c++) { +@@ -427,7 +426,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + } + + if (is_host) { +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres); ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres); + if (ret) { + /* fqdn is mandatory for hosts */ + return ret; +@@ -440,7 +439,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + return ENOENT; + } + } else if (is_service) { +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbPrincipalName", &strres); ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, ++ "krbCanonicalName", &strres); + if (ret) { + /* krbPrincipalName is mandatory for services */ + return ret; +@@ -489,7 +489,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + return ENOENT; + } + } else { +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres); ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres); + if (ret) { + /* uid is mandatory */ + return ret; +@@ -502,7 +502,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + if (is_host || is_service) { + prigid = 515; /* Well known RID for domain computers group */ + } else { +- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres); ++ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry, ++ "gidNumber", &intres); + if (ret) { + /* gidNumber is mandatory */ + return ret; +@@ -533,7 +534,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + info3->base.kickoff_time = -1; + #endif + +- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry, ++ ret = 
ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry, + "krbLastPwdChange", &timeres); + switch (ret) { + case 0: +@@ -550,7 +551,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + info3->base.allow_password_change = 0; + info3->base.force_password_change = -1; + +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres); ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres); + switch (ret) { + case 0: + info3->base.full_name.string = talloc_strdup(memctx, strres); +@@ -563,7 +564,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + return ret; + } + +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "ipaNTLogonScript", &strres); + switch (ret) { + case 0: +@@ -577,7 +578,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + return ret; + } + +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "ipaNTProfilePath", &strres); + switch (ret) { + case 0: +@@ -591,7 +592,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + return ret; + } + +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "ipaNTHomeDirectory", &strres); + switch (ret) { + case 0: +@@ -605,7 +606,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + return ret; + } + +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "ipaNTHomeDirectoryDrive", &strres); + switch (ret) { + case 0: +@@ -626,7 +627,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + /* Well know RID of domain controllers group */ + info3->base.rid = 516; + } else { +- ret = ipadb_ldap_attr_to_str(lcontext, lentry, ++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, + "ipaNTSecurityIdentifier", &strres); + if (ret) { + /* SID is mandatory 
*/ +@@ -643,7 +644,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + } + } + +- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results); ++ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results); + switch (ret) { + LDAPDerefRes *dres; + LDAPDerefVal *dval; +@@ -2433,7 +2434,7 @@ static krb5_error_code + ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) + { + struct ipadb_adtrusts *t; +- LDAP *lc = ipactx->lcontext; ++ LDAP *lc = NULL; + char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName", + "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming", + "ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL }; +@@ -2467,6 +2468,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) + goto done; + } + ++ lc = ipactx->lcontext; + for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) { + dnstr = ldap_get_dn(lc, le); + +diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c +index 3b78970b118cb6d8bd97da82a79226d20ea784e1..e1e86a6102886051cdafa3d885bf75c2718b8575 100644 +--- a/daemons/ipa-kdb/ipa_kdb_principals.c ++++ b/daemons/ipa-kdb/ipa_kdb_principals.c +@@ -341,6 +341,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx, + if (gcfg != NULL) + gua = gcfg->user_auth; + ++ /* lcontext == NULL means ipadb_get_global_config() failed to load ++ * global config and cleared the ipactx */ ++ if (ipactx->lcontext == NULL) ++ return IPADB_USER_AUTH_NONE; ++ + /* Get the user's user_auth settings if not disabled. 
*/ + if ((gua & IPADB_USER_AUTH_DISABLED) == 0) + ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua); +@@ -555,8 +560,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, + free(entry); + return KRB5_KDB_DBNOTINITED; + } +- lcontext = ipactx->lcontext; +- if (!lcontext) { ++ ++ entry->magic = KRB5_KDB_MAGIC_NUMBER; ++ entry->len = KRB5_KDB_V1_BASE_LENGTH; ++ ++ /* Get User Auth configuration. */ ++ ua = ipadb_get_user_auth(ipactx, lentry); ++ ++ /* ipadb_get_user_auth() calls into ipadb_get_global_config() ++ * and that might fail, causing lcontext to become NULL */ ++ if (!ipactx->lcontext) { + krb5_klog_syslog(LOG_INFO, + "No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n"); + ret = ipadb_get_connection(ipactx); +@@ -568,11 +581,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, + } + } + +- entry->magic = KRB5_KDB_MAGIC_NUMBER; +- entry->len = KRB5_KDB_V1_BASE_LENGTH; +- +- /* Get User Auth configuration. */ +- ua = ipadb_get_user_auth(ipactx, lentry); ++ /* If any code below would result in invalidating ipactx->lcontext, ++ * lcontext must be updated with the new ipactx->lcontext value. ++ * We rely on the fact that none of LDAP-parsing helpers does it. */ ++ lcontext = ipactx->lcontext; + + /* ignore mask for now */ + +-- +2.26.3 + diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch index 76f9908..0cb4f84 100644 --- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch +++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch @@ -1,4 +1,4 @@ -From 3cb7e1ad038a798f1fc88d2c1b116607fe04a806 Mon Sep 17 00:00:00 2001 +From cab573c5e2fb5631c9fd77a41ff77103ea51f9b3 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 15:48:07 +0000 Subject: [PATCH] Change branding to IPA and Identity Management 
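Review bot: In ipadb_parse_ldap_entry the user-auth settings are now computed before the reconnect, so when ipadb_get_global_config() fails `ua` is IPADB_USER_AUTH_NONE (the new early return in ipadb_get_user_auth) and stays that way after ipadb_get_connection() succeeds; the rest of the parse then proceeds with a value that may be weaker than the principal's actual policy (what NONE means downstream is outside the hunk). After a successful reconnect the value should be recomputed, `ua = ipadb_get_user_auth(ipactx, lentry);`, and a second NULL lcontext treated as a hard failure rather than continuing. Separately, the ipadb_fill_info3 hunk changes the service lookup from "krbPrincipalName" to "krbCanonicalName" while the comment beneath it still says krbPrincipalName is mandatory; that is a behavioural change (a service entry without krbCanonicalName now makes the function return ret) that the commit message does not mention, so either justify it and update the comment or keep the original attribute in this crash fix. ipadb_fill_info3 also still dereferences ipactx->lcontext unconditionally, so its callers must guarantee the context is non-NULL on entry.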
@@ -1106,5 +1106,5 @@ index 643215985e932cae6e8d954596194032655b25d4..68baa0174ed88ede3f42092fb68150b5 """) + _(""" To enable the binddn run the following command to set the password: -- -2.26.2 +2.26.3 diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch index fbe3870..6cc1d21 100644 --- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch +++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch @@ -1,4 +1,4 @@ -From 6b729f724be49e4157a213e6b2c09fc3da5fc477 Mon Sep 17 00:00:00 2001 +From 514a42e4ea723e6630ac24ff3ea68a442137ab52 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 16:07:15 +0000 Subject: [PATCH] Package copy-schema-to-ca.py @@ -40,5 +40,5 @@ index 922185c4b948fa7a5d1bcab6b2be3b34e99f66d4..8fead26f50cb4f045db6d60f9ca71dd9 -- -2.26.2 +2.26.3 diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch index aea1eac..8cea203 100644 --- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch +++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch @@ -1,4 +1,4 @@ -From 5043712188408afa67ec062b213b9d6b8b0f10e5 Mon Sep 17 00:00:00 2001 +From 90ffaffce2db5467ac6fd773db53373adfff69b4 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 22 Jun 2016 13:53:46 +0200 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout" @@ -24,5 +24,5 @@ index 912a63c2240e0681dfbeeac223a902b15b304716..c5fc518f803d379287043b405efeb46d WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py -- -2.26.2 +2.26.3 diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch index 68889b5..27f9930 100644 --- a/SOURCES/1004-Remove-csrgen.patch +++ b/SOURCES/1004-Remove-csrgen.patch @@ -1,4 +1,4 @@ -From d70975a40069c46b9d474de0e971d65606b6e6e3 Mon Sep 17 00:00:00 2001 +From e4ef3eb243d8e4fe26dee86529f90f8aaa8ab00f Mon Sep 17 00:00:00 2001 
From: Jan Cholasta Date: Thu, 16 Mar 2017 09:44:21 +0000 Subject: [PATCH] Remove csrgen @@ -403,5 +403,5 @@ index 79111ab686b4fe25227796509b3cd3fcb54af728..00000000000000000000000000000000 @@ -1 +0,0 @@ -{{ options|join(";") }} -- -2.26.2 +2.26.3 diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch index 8657ddf..6da2669 100644 --- a/SOURCES/1005-Removing-filesystem-encoding-check.patch +++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch @@ -1,4 +1,4 @@ -From 3e6b0431e88c39d8c130feaa27f1c9591f774864 Mon Sep 17 00:00:00 2001 +From 17675289caa161c6574d1afbc813bd91efe71064 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= Date: Fri, 10 Aug 2018 13:16:38 +0200 Subject: [PATCH] Removing filesystem encoding check @@ -126,5 +126,5 @@ index b660532bd6e8db964b8287845ed1b5ebbcb43b9b..60309c58f250a263c8c3d13b0b47773b IPA_NOT_CONFIGURED = b'IPA is not configured on this system' IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system' -- -2.26.2 +2.26.3 diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index c05a853..b22cd72 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -102,7 +102,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 5%{?dist}.4 +Release: 5%{?dist}.5 Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -110,9 +110,9 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 
@@ -136,6 +136,11 @@ Patch0016: 0016-Improve-PKI-subsystem-detection.patch Patch0017: 0017-ipatests-add-test-for-PKI-subsystem-detection.patch Patch0018: 0018-ipatest-fix-test_upgrade.py-TestUpgrade-test_kra_det.patch Patch0019: 0019-Add-more-indices.patch +Patch0020: 0020-ipa-kdb-fix-compiler-warnings.patch +Patch0021: 0021-ipa-kdb-add-missing-prototypes.patch +Patch0022: 0022-ipa-kdb-reformat-ipa_kdb_certauth.patch +Patch0023: 0023-ipa-kdb-mark-test-functions-as-static.patch +Patch0024: 0024-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Package-copy-schema-to-ca.py.patch Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch @@ -396,10 +401,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 - -%if 0%{?centos} == 0 Requires: system-logos >= 70.7.0 -%endif Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server @@ -956,9 +958,9 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 # with_python3 # RHEL spec file only: START: Change branding to IPA and Identity Management -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management @@ -982,8 +984,7 @@ find \ %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{linter_options} %make_build 
@@ -1004,8 +1005,7 @@ find \ %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{linter_options} popd %endif # with_python3 @@ -1092,11 +1092,9 @@ ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-tes # remove files which are useful only for make uninstall find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \; -%if 0%{?centos} == 0 # RHEL spec file only: START: Replace login-screen-logo.png with a symlink ln -sf %{_datadir}/pixmaps/fedora-gdm-logo.png %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png # RHEL spec file only: END: Replace login-screen-logo.png with a symlink -%endif %find_lang %{gettext_domain} @@ -1753,8 +1751,15 @@ fi %changelog -* Tue Mar 16 2021 CentOS Sources - 4.6.8-5.el7.centos.4 -- Roll in CentOS Branding +* Tue Apr 6 2021 Florence Blanc-Renaud - 4.6.8-5.el7_9.5 +- Resolves: #1931405 krb5kdc crash - Segmentation fault in ldap_first_entry(). + - ipa-kdb: fix compiler warnings + - ipa-kdb: add missing prototypes + - ipa-kdb: reformat ipa_kdb_certauth + - ipa-kdb: mark test functions as static + - ipa-kdb: do not use OpenLDAP functions with NULL LDAP context +- Resolves: #1835741 krb5kdc crashing on ipa server +- Resolves: #1929372 krb5kdc is crashing intermittently on IPA server. * Fri Jan 29 2021 Florence Blanc-Renaud - 4.6.8-5.el7_9.4 - Resolves: #1897253 IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing