From 5ad689119c59ef3f43265b5a841356a4f4755990 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 19 2017 13:25:30 +0000 Subject: import sssd-1.15.2-50.el7_4.6 --- diff --git a/SOURCES/0191-sudo-add-a-threshold-option-to-reduce-size-of-rules-.patch b/SOURCES/0191-sudo-add-a-threshold-option-to-reduce-size-of-rules-.patch new file mode 100644 index 0000000..54279f3 --- /dev/null +++ b/SOURCES/0191-sudo-add-a-threshold-option-to-reduce-size-of-rules-.patch @@ -0,0 +1,211 @@ +From 5c159808818fcea77822815b5f1131809c0e673c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 11 Jul 2017 12:41:57 +0200 +Subject: [PATCH 191/191] sudo: add a threshold option to reduce size of rules + refresh filter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a large number of rules is expired at one time the ldap filter may +become too large to be processed by server. This commits adds a new +option "sudo_threshold" to sudo responder. If the threshold is +exceeded a full refreshed is done instead of rules refresh. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3478 + +Reviewed-by: Jakub Hrozek +Reviewed-by: Fabiano Fidêncio +(cherry picked from commit a5f300adf19ec9c3087c62bd93a5175db799687a) +--- + src/confdb/confdb.h | 2 ++ + src/config/SSSDConfig/__init__.py.in | 1 + + src/config/cfg_rules.ini | 1 + + src/config/etc/sssd.api.conf | 1 + + src/man/sssd.conf.5.xml | 19 +++++++++++++++++++ + src/responder/sudo/sudosrv.c | 11 +++++++++++ + src/responder/sudo/sudosrv_get_sudorules.c | 25 ++++++++++++++++++++----- + src/responder/sudo/sudosrv_private.h | 1 + + 8 files changed, 56 insertions(+), 5 deletions(-) + +diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h +index 2ba1bc47ee11f699726cefaf7c3335d2a8afee49..884b5bd1a493ca9a71654536524125eb8c7c4533 100644 +--- a/src/confdb/confdb.h ++++ b/src/confdb/confdb.h +@@ -139,6 +139,8 @@ + #define CONFDB_DEFAULT_SUDO_TIMED false + #define CONFDB_SUDO_INVERSE_ORDER "sudo_inverse_order" + #define CONFDB_DEFAULT_SUDO_INVERSE_ORDER false ++#define CONFDB_SUDO_THRESHOLD "sudo_threshold" ++#define CONFDB_DEFAULT_SUDO_THRESHOLD 50 + + /* autofs */ + #define CONFDB_AUTOFS_CONF_ENTRY "config/autofs" +diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in +index 75515ab5c68822538728900482296b9159e1547e..137a8fa4d526cb10f3136c62f3c7104d9ecb7599 100644 +--- a/src/config/SSSDConfig/__init__.py.in ++++ b/src/config/SSSDConfig/__init__.py.in +@@ -107,6 +107,7 @@ option_strings = { + # [sudo] + 'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'), + 'sudo_inverse_order' : _('If true, SSSD will switch back to lower-wins ordering logic'), ++ 'sudo_threshold' : _('Maximum number of rules that can be refreshed at once. If this is exceeded, full refresh is performed.'), + + # [autofs] + 'autofs_negative_timeout' : _('Negative cache timeout length (seconds)'), +diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini +index d6506b7c3cee13f7c5400a546deb787e755abc8b..0bdcfdfbefd6cb24e0c01cb9746dbb98c63a31d2 100644 +--- a/src/config/cfg_rules.ini ++++ b/src/config/cfg_rules.ini +@@ -144,6 +144,7 @@ option = cache_first + # sudo service + option = sudo_timed + option = sudo_inverse_order ++option = sudo_threshold + + [rule/allowed_autofs_options] + validator = ini_allowed_options +diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf +index f86589ecefa0b9e046aba781ded107f8e94395d6..9d5eaaaa23c4c5395b155563de1cdf7752aa3dde 100644 +--- a/src/config/etc/sssd.api.conf ++++ b/src/config/etc/sssd.api.conf +@@ -79,6 +79,7 @@ pam_app_services = str, None, false + # sudo service + sudo_timed = bool, None, false + sudo_inverse_order = bool, None, false ++sudo_threshold = int, None, false + + [autofs] + # autofs service +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index 89729575c724622af817f1c05a94d4ae8f1ece2d..d508df82d1d99af7835079c928839dc3cc7c28cb 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -1376,6 +1376,25 @@ pam_account_locked_message = Account locked, please contact help desk. + + + ++ ++ ++ sudo_threshold (integer) ++ ++ ++ Maximum number of expired rules that can be ++ refreshed at once. If number of expired rules ++ is below threshold, those rules are refreshed ++ with rules refresh mechanism. If ++ the threshold is exceeded a ++ full refresh of sudo rules is ++ triggered instead. ++ ++ ++ Default: 50 ++ ++ ++ ++ + + + +diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c +index b427878d4dbe9090824a01386a7475be88b699c0..dca70ea4afc0e6df6d1b1864338c7b1091a98fee 100644 +--- a/src/responder/sudo/sudosrv.c ++++ b/src/responder/sudo/sudosrv.c +@@ -148,6 +148,17 @@ int sudo_process_init(TALLOC_CTX *mem_ctx, + goto fail; + } + ++ /* Get sudo_inverse_order option */ ++ ret = confdb_get_int(sudo_ctx->rctx->cdb, ++ CONFDB_SUDO_CONF_ENTRY, CONFDB_SUDO_THRESHOLD, ++ CONFDB_DEFAULT_SUDO_THRESHOLD, ++ &sudo_ctx->threshold); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n", ++ ret, strerror(ret)); ++ goto fail; ++ } ++ + ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); +diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c +index cfdbfc9c9c66d96f774822d6a4d4aaaf1327abe3..3272e634d895acf4854309371779a00cf1525126 100644 +--- a/src/responder/sudo/sudosrv_get_sudorules.c ++++ b/src/responder/sudo/sudosrv_get_sudorules.c +@@ -479,6 +479,7 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_domain_info *domain, ++ int threshold, + uid_t uid, + const char *username, + char **groups) +@@ -520,9 +521,20 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx, + DEBUG(SSSDBG_TRACE_INTERNAL, "Refreshing %d expired rules of [%s@%s]\n", + num_rules, username, domain->name); + +- subreq = sss_dp_get_sudoers_send(state, rctx, domain, false, +- SSS_DP_SUDO_REFRESH_RULES, +- username, num_rules, rules); ++ if (num_rules > threshold) { ++ DEBUG(SSSDBG_TRACE_INTERNAL, ++ "Rules threshold [%d] is reached, performing full refresh " ++ "instead.\n", threshold); ++ ++ subreq = sss_dp_get_sudoers_send(state, rctx, domain, false, ++ SSS_DP_SUDO_FULL_REFRESH, ++ username, 0, NULL); ++ } else { ++ subreq = sss_dp_get_sudoers_send(state, rctx, domain, false, ++ SSS_DP_SUDO_REFRESH_RULES, ++ username, num_rules, rules); ++ } ++ + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; +@@ -609,6 +621,7 @@ struct sudosrv_get_rules_state { + struct sss_domain_info *domain; + char **groups; + bool inverse_order; ++ int threshold; + + struct sysdb_attrs **rules; + uint32_t num_rules; +@@ -640,6 +653,7 @@ struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx, + state->type = type; + state->uid = uid; + state->inverse_order = sudo_ctx->inverse_order; ++ state->threshold = sudo_ctx->threshold; + + DEBUG(SSSDBG_TRACE_FUNC, "Running initgroups for [%s]\n", username); + +@@ -696,8 +710,9 @@ static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq) + } + + subreq = sudosrv_refresh_rules_send(state, state->ev, state->rctx, +- state->domain, state->uid, +- state->username, state->groups); ++ state->domain, state->threshold, ++ state->uid, state->username, ++ state->groups); + if (subreq == NULL) { + ret = ENOMEM; + goto done; +diff --git a/src/responder/sudo/sudosrv_private.h b/src/responder/sudo/sudosrv_private.h +index 94f3c4458ab20e64db3e0bfce726d5d30a70a202..c76bdd3955bc29b7ba2cda58c503a4c616d7e63a 100644 +--- a/src/responder/sudo/sudosrv_private.h ++++ b/src/responder/sudo/sudosrv_private.h +@@ -48,6 +48,7 @@ struct sudo_ctx { + */ + bool timed; + bool inverse_order; ++ int threshold; + }; + + struct sudo_cmd_ctx { +-- +2.13.5 + diff --git a/SOURCES/0192-libwbclient-Change-return-code-for-wbcAuthenticateUs.patch b/SOURCES/0192-libwbclient-Change-return-code-for-wbcAuthenticateUs.patch new file mode 100644 index 0000000..c33350b --- /dev/null +++ b/SOURCES/0192-libwbclient-Change-return-code-for-wbcAuthenticateUs.patch @@ -0,0 +1,57 @@ +From b9a2edea74ea04a09301f91fffb6835df72d8760 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Tue, 22 Aug 2017 13:09:18 +0200 +Subject: [PATCH 192/192] libwbclient: Change return code for + wbcAuthenticateUserEx + +Samba-4.6 change behaviour of few functions +New version of code make sure session info for user is stored in cache. +It is a performance optimisation to prevent contacting KDC for each +session. More details in samba bug +https://bugzilla.samba.org/show_bug.cgi?id=11259 + +Old return code WBC_SSSD_NOT_IMPLEMENTED was translated +to NT_STATUS_LOGON_FAILURE which caused many failures. + + [2017/08/21 11:34:15.044321, 5, pid=27742, effective(0, 0), real(0, 0)] + ../libcli/security/security_token.c:53(security_token_debug) + Security token: (NULL) + [2017/08/21 11:34:15.044330, 5, pid=27742, effective(0, 0), real(0, 0)] + ../source3/auth/token_util.c:640(debug_unix_user_token) + UNIX token of user 0 + Primary group is 0 and contains 0 supplementary groups + [2017/08/21 11:34:15.044349, 4, pid=27742, effective(0, 0), real(0, 0)] + ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) + pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 + [2017/08/21 11:34:15.044360, 1, pid=27742, effective(0, 0), real(0, 0)] + ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego) + Failed to generate session_info (user and group token) for session + setup: NT_STATUS_LOGON_FAILURE + +Resolves: +https://pagure.io/SSSD/sssd/issue/3461 + +Reviewed-by: Sumit Bose +(cherry picked from commit 725d04cd21016dc6092a9f03cd363bb83d7c054c) +(cherry picked from commit aede6a1f4412f133e4b3fd76944f764d76fc4868) +(cherry picked from commit 260062d946e7cc265e2671f88b1662276431c0bb) +--- + src/sss_client/libwbclient/wbc_pam_sssd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sss_client/libwbclient/wbc_pam_sssd.c b/src/sss_client/libwbclient/wbc_pam_sssd.c +index 174cf1310fad0243036fe591978cc89700903896..77698f523e6e7aeb37d4db50b469d1604d7ee595 100644 +--- a/src/sss_client/libwbclient/wbc_pam_sssd.c ++++ b/src/sss_client/libwbclient/wbc_pam_sssd.c +@@ -49,7 +49,7 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params, + *error = NULL; + } + +- WBC_SSSD_NOT_IMPLEMENTED; ++ return WBC_ERR_WINBIND_NOT_AVAILABLE; + } + + /* Trigger a verification of the trust credentials of a specific domain */ +-- +2.9.4 + diff --git a/SOURCES/0193-IPA-fix-handling-of-certmap_ctx.patch b/SOURCES/0193-IPA-fix-handling-of-certmap_ctx.patch new file mode 100644 index 0000000..47b85fb --- /dev/null +++ b/SOURCES/0193-IPA-fix-handling-of-certmap_ctx.patch @@ -0,0 +1,666 @@ +From 2fca2f1b77c0e9ae82e1a24bbf89fbc3115a5e24 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 6 Sep 2017 16:42:20 +0200 +Subject: [PATCH 193/194] IPA: fix handling of certmap_ctx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch fixes a use-after-free in the AD provider part and +initializes the certmap_ctx with data from the cache at startup. + +Related to https://pagure.io/SSSD/sssd/issue/3508 + +Reviewed-by: Lukáš Slebodník +Reviewed-by: Jakub Hrozek +(cherry picked from commit f2e70ec742cd7aab82b74d7e4b424ba3258da7aa) +--- + Makefile.am | 20 +++ + src/providers/ipa/ipa_init.c | 7 + + src/providers/ipa/ipa_subdomains.c | 53 +------ + src/providers/ipa/ipa_subdomains_server.c | 4 +- + src/providers/ldap/ldap_common.h | 5 + + src/providers/ldap/ldap_id.c | 5 +- + src/providers/ldap/sdap.h | 4 +- + src/providers/ldap/sdap_certmap.c | 152 +++++++++++++++++++ + src/tests/cmocka/test_sdap_certmap.c | 244 ++++++++++++++++++++++++++++++ + 9 files changed, 441 insertions(+), 53 deletions(-) + create mode 100644 src/providers/ldap/sdap_certmap.c + create mode 100644 src/tests/cmocka/test_sdap_certmap.c + +diff --git a/Makefile.am b/Makefile.am +index 503c8cfd795b503f566431c08a56a56147180322..907c3256a154ebe2aae5a1667744e1dfbe8abaae 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -257,6 +257,7 @@ if HAVE_CMOCKA + test_search_bases \ + test_ldap_auth \ + test_sdap_access \ ++ test_sdap_certmap \ + sdap-tests \ + test_sysdb_ts_cache \ + test_sysdb_views \ +@@ -2662,6 +2663,24 @@ test_sdap_access_LDADD = \ + libdlopen_test_providers.la \ + $(NULL) + ++test_sdap_certmap_SOURCES = \ ++ src/tests/cmocka/test_sdap_certmap.c \ ++ src/providers/ldap/sdap_certmap.c \ ++ $(NULL) ++test_sdap_certmap_CFLAGS = \ ++ $(AM_CFLAGS) \ ++ $(TALLOC_CFLAGS) \ ++ $(POPT_CFLAGS) \ ++ $(NULL) ++test_sdap_certmap_LDADD = \ ++ $(CMOCKA_LIBS) \ ++ $(TALLOC_LIBS) \ ++ $(POPT_LIBS) \ ++ $(SSSD_INTERNAL_LTLIBS) \ ++ libsss_test_common.la \ ++ libsss_certmap.la \ ++ $(NULL) ++ + ad_access_filter_tests_SOURCES = \ + src/tests/cmocka/test_ad_access_filter.c + ad_access_filter_tests_LDADD = \ +@@ -3706,6 +3725,7 @@ libsss_ldap_common_la_SOURCES = \ + src/providers/ldap/sdap_child_helpers.c \ + src/providers/ldap/sdap_fd_events.c \ + src/providers/ldap/sdap_id_op.c \ ++ src/providers/ldap/sdap_certmap.c \ + src/providers/ldap/sdap_idmap.c \ + src/providers/ldap/sdap_idmap.h \ + src/providers/ldap/sdap_range.c \ +diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c +index 7dec4d1fb8541a48470d4e44f10838e5bea67ad5..2b58b1341463f8947d51dee2076dbe92e3093558 100644 +--- a/src/providers/ipa/ipa_init.c ++++ b/src/providers/ipa/ipa_init.c +@@ -649,6 +649,13 @@ static errno_t ipa_init_misc(struct be_ctx *be_ctx, + return ENOMEM; + } + ++ ret = sdap_init_certmap(sdap_id_ctx, sdap_id_ctx); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Failed to initialized certificate mapping.\n"); ++ return ret; ++ } ++ + return EOK; + } + +diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c +index ef348adf4a36e870f44387bd700f5c2beea3bfd6..6f0ff50bde234f72d62f43635d9a787316c78430 100644 +--- a/src/providers/ipa/ipa_subdomains.c ++++ b/src/providers/ipa/ipa_subdomains.c +@@ -311,25 +311,6 @@ struct priv_sss_debug { + int level; + }; + +-void ext_debug(void *private, const char *file, long line, const char *function, +- const char *format, ...) +-{ +- va_list ap; +- struct priv_sss_debug *data = private; +- int level = SSSDBG_OP_FAILURE; +- +- if (data != NULL) { +- level = data->level; +- } +- +- if (DEBUG_IS_SET(level)) { +- va_start(ap, format); +- sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED, +- format, ap); +- va_end(ap); +- } +-} +- + static errno_t ipa_certmap_parse_results(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct sdap_options *sdap_opts, +@@ -344,7 +325,6 @@ static errno_t ipa_certmap_parse_results(TALLOC_CTX *mem_ctx, + size_t c; + size_t lc = 0; + int ret; +- struct sss_certmap_ctx *certmap_ctx = NULL; + const char **ocs = NULL; + bool user_name_hint = false; + +@@ -444,50 +424,29 @@ static errno_t ipa_certmap_parse_results(TALLOC_CTX *mem_ctx, + + certmap_list[lc] = NULL; + +- ret = sss_certmap_init(mem_ctx, ext_debug, NULL, &certmap_ctx); +- if (ret != 0) { +- DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_init failed.\n"); ++ ret = sdap_setup_certmap(sdap_opts->sdap_certmap_ctx, certmap_list); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "sdap_setup_certmap failed.\n"); + goto done; + } + +- for (c = 0; certmap_list[c] != NULL; c++) { +- DEBUG(SSSDBG_TRACE_ALL, "Trying to add rule [%s][%d][%s][%s].\n", +- certmap_list[c]->name, +- certmap_list[c]->priority, +- certmap_list[c]->match_rule, +- certmap_list[c]->map_rule); +- +- ret = sss_certmap_add_rule(certmap_ctx, certmap_list[c]->priority, +- certmap_list[c]->match_rule, +- certmap_list[c]->map_rule, +- certmap_list[c]->domains); +- if (ret != 0) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "sss_certmap_add_rule failed for rule [%s], skipping. " +- "Please check for typos and if rule syntax is supported.\n", +- certmap_list[c]->name); +- goto done; +- } +- } +- + ret = sysdb_update_certmap(domain->sysdb, certmap_list, user_name_hint); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_certmap failed"); + goto done; + } + +- sss_certmap_free_ctx(sdap_opts->certmap_ctx); +- sdap_opts->certmap_ctx = talloc_steal(sdap_opts, certmap_ctx); +- + if (_certmap_list != NULL) { + *_certmap_list = certmap_list; ++ } else { ++ talloc_free(certmap_list); + } ++ + ret = EOK; + + done: + talloc_free(ocs); + if (ret != EOK) { +- sss_certmap_free_ctx(certmap_ctx); + talloc_free(certmap_list); + } + +diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c +index 443d83824f329b9d8c3d8e820113e1029f832240..56470ac824feaa59eecbd9f442682220237c2412 100644 +--- a/src/providers/ipa/ipa_subdomains_server.c ++++ b/src/providers/ipa/ipa_subdomains_server.c +@@ -361,8 +361,8 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx, + id_ctx->sdap_id_ctx->opts->idmap_ctx; + + /* Set up the certificate mapping context */ +- ad_id_ctx->sdap_id_ctx->opts->certmap_ctx = +- id_ctx->sdap_id_ctx->opts->certmap_ctx; ++ ad_id_ctx->sdap_id_ctx->opts->sdap_certmap_ctx = ++ id_ctx->sdap_id_ctx->opts->sdap_certmap_ctx; + + *_ad_id_ctx = ad_id_ctx; + return EOK; +diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h +index 1acda4147576503b18f61e0bb56f8efd2263fd44..0510b7d5ab5121bd96f699e8e59520a2a18a604f 100644 +--- a/src/providers/ldap/ldap_common.h ++++ b/src/providers/ldap/ldap_common.h +@@ -362,4 +362,9 @@ sdap_id_ctx_new(TALLOC_CTX *mem_ctx, struct be_ctx *bectx, + errno_t sdap_refresh_init(struct be_refresh_ctx *refresh_ctx, + struct sdap_id_ctx *id_ctx); + ++errno_t sdap_init_certmap(TALLOC_CTX *mem_ctx, struct sdap_id_ctx *id_ctx); ++ ++errno_t sdap_setup_certmap(struct sdap_certmap_ctx *sdap_certmap_ctx, ++ struct certmap_info **certmap_list); ++struct sss_certmap_ctx *sdap_get_sss_certmap(struct sdap_certmap_ctx *ctx); + #endif /* _LDAP_COMMON_H_ */ +diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c +index 557712e8dc2b2bde664b4054fa2f8eb39df84d73..93204d35ea3782c9aa5d622a962c295869472631 100644 +--- a/src/providers/ldap/ldap_id.c ++++ b/src/providers/ldap/ldap_id.c +@@ -252,9 +252,8 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, + } + + ret = sss_cert_derb64_to_ldap_filter(state, filter_value, attr_name, +- ctx->opts->certmap_ctx, +- state->domain, +- &user_filter); ++ sdap_get_sss_certmap(ctx->opts->sdap_certmap_ctx), ++ state->domain, &user_filter); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_cert_derb64_to_ldap_filter failed.\n"); +diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h +index afdc01948eefe9dda943c8c7ad01a42dd76a1da8..c85fbe9e78e5eefa7e33ea8055730118b0871a4c 100644 +--- a/src/providers/ldap/sdap.h ++++ b/src/providers/ldap/sdap.h +@@ -446,6 +446,8 @@ struct sdap_ext_member_ctx { + ext_member_recv_fn_t ext_member_resolve_recv; + }; + ++struct sdap_certmap_ctx; ++ + struct sdap_options { + struct dp_option *basic; + struct sdap_attr_map *gen_map; +@@ -481,7 +483,7 @@ struct sdap_options { + enum dc_functional_level dc_functional_level; + + /* Certificate mapping support */ +- struct sss_certmap_ctx *certmap_ctx; ++ struct sdap_certmap_ctx *sdap_certmap_ctx; + }; + + struct sdap_server_opts { +diff --git a/src/providers/ldap/sdap_certmap.c b/src/providers/ldap/sdap_certmap.c +new file mode 100644 +index 0000000000000000000000000000000000000000..fcf88a9c69482c8668d486cd2ab0ba37c847e46d +--- /dev/null ++++ b/src/providers/ldap/sdap_certmap.c +@@ -0,0 +1,152 @@ ++ ++/* ++ SSSD ++ ++ Authors: ++ Sumit Bose ++ ++ Copyright (C) 2017 Red Hat ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include "util/util.h" ++#include "lib/certmap/sss_certmap.h" ++#include "providers/ldap/ldap_common.h" ++ ++struct sdap_certmap_ctx { ++ struct sss_certmap_ctx *certmap_ctx; ++}; ++ ++struct priv_sss_debug { ++ int level; ++}; ++ ++static void ext_debug(void *private, const char *file, long line, ++ const char *function, const char *format, ...) ++{ ++ va_list ap; ++ struct priv_sss_debug *data = private; ++ int level = SSSDBG_OP_FAILURE; ++ ++ if (data != NULL) { ++ level = data->level; ++ } ++ ++ if (DEBUG_IS_SET(level)) { ++ va_start(ap, format); ++ sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED, ++ format, ap); ++ va_end(ap); ++ } ++} ++ ++struct sss_certmap_ctx *sdap_get_sss_certmap(struct sdap_certmap_ctx *ctx) ++{ ++ return ctx == NULL ? NULL : ctx->certmap_ctx; ++} ++ ++errno_t sdap_setup_certmap(struct sdap_certmap_ctx *sdap_certmap_ctx, ++ struct certmap_info **certmap_list) ++{ ++ int ret; ++ struct sss_certmap_ctx *sss_certmap_ctx = NULL; ++ size_t c; ++ ++ if (sdap_certmap_ctx == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Missing sdap_certmap_ctx.\n"); ++ return EINVAL; ++ } ++ ++ if (certmap_list == NULL || *certmap_list == NULL) { ++ DEBUG(SSSDBG_TRACE_ALL, "No certmap data, nothing to do.\n"); ++ ret = EOK; ++ goto done; ++ } ++ ++ ret = sss_certmap_init(sdap_certmap_ctx, ext_debug, NULL, &sss_certmap_ctx); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_init failed.\n"); ++ goto done; ++ } ++ ++ for (c = 0; certmap_list[c] != NULL; c++) { ++ DEBUG(SSSDBG_TRACE_ALL, "Trying to add rule [%s][%d][%s][%s].\n", ++ certmap_list[c]->name, ++ certmap_list[c]->priority, ++ certmap_list[c]->match_rule, ++ certmap_list[c]->map_rule); ++ ++ ret = sss_certmap_add_rule(sss_certmap_ctx, certmap_list[c]->priority, ++ certmap_list[c]->match_rule, ++ certmap_list[c]->map_rule, ++ certmap_list[c]->domains); ++ if (ret != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "sss_certmap_add_rule failed for rule [%s] " ++ "with error [%d][%s], skipping. " ++ "Please check for typos and if rule syntax is supported.\n", ++ certmap_list[c]->name, ret, sss_strerror(ret)); ++ continue; ++ } ++ } ++ ++ ret = EOK; ++ ++done: ++ if (ret == EOK) { ++ sss_certmap_free_ctx(sdap_certmap_ctx->certmap_ctx); ++ sdap_certmap_ctx->certmap_ctx = sss_certmap_ctx; ++ } else { ++ sss_certmap_free_ctx(sss_certmap_ctx); ++ } ++ ++ return ret; ++} ++ ++errno_t sdap_init_certmap(TALLOC_CTX *mem_ctx, struct sdap_id_ctx *id_ctx) ++{ ++ int ret; ++ bool hint; ++ struct certmap_info **certmap_list = NULL; ++ ++ if (id_ctx->opts->sdap_certmap_ctx == NULL) { ++ id_ctx->opts->sdap_certmap_ctx = talloc_zero(mem_ctx, ++ struct sdap_certmap_ctx); ++ if (id_ctx->opts->sdap_certmap_ctx == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); ++ return ENOMEM; ++ } ++ } ++ ++ ret = sysdb_get_certmap(mem_ctx, id_ctx->be->domain->sysdb, ++ &certmap_list, &hint); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n"); ++ goto done; ++ } ++ ++ ret = sdap_setup_certmap(id_ctx->opts->sdap_certmap_ctx, certmap_list); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "sdap_setup_certmap failed.\n"); ++ goto done; ++ } ++ ++ ret = EOK; ++ ++done: ++ talloc_free(certmap_list); ++ ++ return ret; ++} +diff --git a/src/tests/cmocka/test_sdap_certmap.c b/src/tests/cmocka/test_sdap_certmap.c +new file mode 100644 +index 0000000000000000000000000000000000000000..9df5666844c8582a3fdb5b086720f1f2819f53f3 +--- /dev/null ++++ b/src/tests/cmocka/test_sdap_certmap.c +@@ -0,0 +1,244 @@ ++/* ++ Authors: ++ Sumit Bose ++ ++ Copyright (C) 2017 Red Hat ++ ++ SSSD tests - sdap certmap ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "providers/ldap/ldap_common.h" ++#include "tests/common.h" ++#include "db/sysdb.h" ++ ++#define TESTS_PATH "certmap_" BASE_FILE_STEM ++#define TEST_CONF_DB "test_sysdb_certmap.ldb" ++#define TEST_ID_PROVIDER "ldap" ++#define TEST_DOM_NAME "certmap_test" ++ ++struct certmap_info map_a = { discard_const("map_a"), 11, ++ NULL, discard_const("(abc=def)"), ++ NULL }; ++struct certmap_info map_b = { discard_const("map_b"), UINT_MAX, ++ NULL, NULL, NULL }; ++struct certmap_info *certmap[] = { &map_a, &map_b, NULL }; ++ ++struct certmap_test_ctx { ++ struct sss_test_ctx *tctx; ++ struct sdap_id_ctx *id_ctx; ++}; ++ ++static int test_sysdb_setup(void **state) ++{ ++ int ret; ++ struct certmap_test_ctx *test_ctx; ++ struct sss_test_conf_param params[] = { ++ { NULL, NULL }, /* Sentinel */ ++ }; ++ ++ assert_true(leak_check_setup()); ++ ++ test_ctx = talloc_zero(global_talloc_context, ++ struct certmap_test_ctx); ++ assert_non_null(test_ctx); ++ check_leaks_push(test_ctx); ++ ++ test_dom_suite_setup(TESTS_PATH); ++ ++ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, ++ TEST_CONF_DB, TEST_DOM_NAME, ++ TEST_ID_PROVIDER, params); ++ assert_non_null(test_ctx->tctx); ++ ++ ret = sysdb_update_certmap(test_ctx->tctx->sysdb, certmap, false); ++ assert_int_equal(ret, EOK); ++ ++ test_ctx->id_ctx = talloc_zero(test_ctx->tctx, struct sdap_id_ctx); ++ assert_non_null(test_ctx->id_ctx); ++ ++ test_ctx->id_ctx->opts = talloc_zero(test_ctx->tctx, struct sdap_options); ++ assert_non_null(test_ctx->id_ctx->opts); ++ ++ test_ctx->id_ctx->be = talloc_zero(test_ctx->tctx, struct be_ctx); ++ assert_non_null(test_ctx->id_ctx->be); ++ test_ctx->id_ctx->be->domain = test_ctx->tctx->dom; ++ ++ *state = test_ctx; ++ return 0; ++} ++ ++static int test_sysdb_teardown(void **state) ++{ ++ struct certmap_test_ctx *test_ctx = ++ talloc_get_type(*state, struct certmap_test_ctx); ++ ++ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); ++ talloc_free(test_ctx->tctx); ++ assert_true(check_leaks_pop(test_ctx)); ++ talloc_free(test_ctx); ++ assert_true(leak_check_teardown()); ++ return 0; ++} ++ ++static void test_sdap_certmap_init(void **state) ++{ ++ int ret; ++ struct certmap_test_ctx *test_ctx = talloc_get_type(*state, ++ struct certmap_test_ctx); ++ ++ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx); ++ assert_int_equal(ret, EOK); ++ ++ talloc_free(test_ctx->id_ctx->opts->sdap_certmap_ctx); ++} ++ ++static void test_sdap_get_sss_certmap(void **state) ++{ ++ int ret; ++ struct certmap_test_ctx *test_ctx = talloc_get_type(*state, ++ struct certmap_test_ctx); ++ struct sss_certmap_ctx *sss_certmap_ctx; ++ ++ sss_certmap_ctx = sdap_get_sss_certmap(NULL); ++ assert_null(sss_certmap_ctx); ++ ++ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx); ++ assert_int_equal(ret, EOK); ++ ++ sss_certmap_ctx = sdap_get_sss_certmap( ++ test_ctx->id_ctx->opts->sdap_certmap_ctx); ++ assert_non_null(sss_certmap_ctx); ++ ++ talloc_free(test_ctx->id_ctx->opts->sdap_certmap_ctx); ++} ++ ++static void test_sdap_certmap_init_twice(void **state) ++{ ++ int ret; ++ struct certmap_test_ctx *test_ctx = talloc_get_type(*state, ++ struct certmap_test_ctx); ++ struct sdap_certmap_ctx *sdap_certmap_ref; ++ struct sss_certmap_ctx *sss_certmap_ref; ++ ++ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx); ++ assert_int_equal(ret, EOK); ++ ++ sdap_certmap_ref = test_ctx->id_ctx->opts->sdap_certmap_ctx; ++ sss_certmap_ref = sdap_get_sss_certmap(sdap_certmap_ref); ++ ++ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx); ++ assert_int_equal(ret, EOK); ++ ++ assert_ptr_equal(sdap_certmap_ref, ++ test_ctx->id_ctx->opts->sdap_certmap_ctx); ++ assert_ptr_not_equal(sss_certmap_ref, ++ sdap_get_sss_certmap(sdap_certmap_ref)); ++ ++ talloc_free(test_ctx->id_ctx->opts->sdap_certmap_ctx); ++} ++ ++ ++static void test_sdap_setup_certmap(void **state) ++{ ++ int ret; ++ struct certmap_test_ctx *test_ctx = talloc_get_type(*state, ++ struct certmap_test_ctx); ++ struct sdap_certmap_ctx *sdap_certmap_ref; ++ struct sss_certmap_ctx *sss_certmap_ref; ++ ++ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx); ++ assert_int_equal(ret, EOK); ++ ++ sdap_certmap_ref = test_ctx->id_ctx->opts->sdap_certmap_ctx; ++ sss_certmap_ref = sdap_get_sss_certmap(sdap_certmap_ref); ++ ++ ret = sdap_setup_certmap(NULL, NULL); ++ assert_int_equal(ret, EINVAL); ++ assert_ptr_equal(sdap_certmap_ref, ++ test_ctx->id_ctx->opts->sdap_certmap_ctx); ++ assert_ptr_equal(sss_certmap_ref, sdap_get_sss_certmap(sdap_certmap_ref)); ++ ++ ret = sdap_setup_certmap(NULL, certmap); ++ assert_int_equal(ret, EINVAL); ++ assert_ptr_equal(sdap_certmap_ref, ++ test_ctx->id_ctx->opts->sdap_certmap_ctx); ++ assert_ptr_equal(sss_certmap_ref, sdap_get_sss_certmap(sdap_certmap_ref)); ++ ++ ret = sdap_setup_certmap(sdap_certmap_ref, certmap); ++ assert_int_equal(ret, EOK); ++ assert_ptr_equal(sdap_certmap_ref, ++ test_ctx->id_ctx->opts->sdap_certmap_ctx); ++ assert_ptr_not_equal(sss_certmap_ref, ++ sdap_get_sss_certmap(sdap_certmap_ref)); ++ ++ talloc_free(test_ctx->id_ctx->opts->sdap_certmap_ctx); ++} ++ ++int main(int argc, const char *argv[]) ++{ ++ int rv; ++ poptContext pc; ++ int opt; ++ struct poptOption long_options[] = { ++ POPT_AUTOHELP ++ SSSD_DEBUG_OPTS ++ POPT_TABLEEND ++ }; ++ ++ const struct CMUnitTest tests[] = { ++ cmocka_unit_test_setup_teardown(test_sdap_certmap_init, ++ test_sysdb_setup, ++ test_sysdb_teardown), ++ cmocka_unit_test_setup_teardown(test_sdap_get_sss_certmap, ++ test_sysdb_setup, ++ test_sysdb_teardown), ++ cmocka_unit_test_setup_teardown(test_sdap_certmap_init_twice, ++ test_sysdb_setup, ++ test_sysdb_teardown), ++ cmocka_unit_test_setup_teardown(test_sdap_setup_certmap, ++ test_sysdb_setup, ++ test_sysdb_teardown), ++ }; ++ ++ /* Set debug level to invalid value so we can deside if -d 0 was used. */ ++ debug_level = SSSDBG_INVALID; ++ ++ pc = poptGetContext(argv[0], argc, argv, long_options, 0); ++ while((opt = poptGetNextOpt(pc)) != -1) { ++ switch(opt) { ++ default: ++ fprintf(stderr, "\nInvalid option %s: %s\n\n", ++ poptBadOption(pc, 0), poptStrerror(opt)); ++ poptPrintUsage(pc, stderr, 0); ++ return 1; ++ } ++ } ++ poptFreeContext(pc); ++ ++ DEBUG_CLI_INIT(debug_level); ++ ++ tests_set_cwd(); ++ rv = cmocka_run_group_tests(tests, NULL, NULL); ++ ++ return rv; ++} +-- +2.13.5 + diff --git a/SOURCES/0194-certmap-make-sure-eku_oid_list-is-always-allocated.patch b/SOURCES/0194-certmap-make-sure-eku_oid_list-is-always-allocated.patch new file mode 100644 index 0000000..c2f4d5d --- /dev/null +++ b/SOURCES/0194-certmap-make-sure-eku_oid_list-is-always-allocated.patch @@ -0,0 +1,95 @@ +From 27ef368b4105f19382360fe62f944b36ca74adb7 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 6 Sep 2017 12:20:25 +0200 +Subject: [PATCH 194/194] certmap: make sure eku_oid_list is always allocated +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If there are only OIDs in a part of a matching rule a NULL pointer +dereference might occur. + +Related to https://pagure.io/SSSD/sssd/issue/3508 + +Reviewed-by: Lukáš Slebodník +Reviewed-by: Jakub Hrozek +(cherry picked from commit f5a8cd60c6f377af1954b58f007d16cf3f6dc846) +--- + src/lib/certmap/sss_certmap_krb5_match.c | 21 ++++++++++++--------- + src/tests/cmocka/test_certmap.c | 17 +++++++++++++++++ + 2 files changed, 29 insertions(+), 9 deletions(-) + +diff --git a/src/lib/certmap/sss_certmap_krb5_match.c b/src/lib/certmap/sss_certmap_krb5_match.c +index e40f17b8ace46e61087e0a2fa570a362a84cead2..0a77ac225d73f3506e102fdbdc9084faa0f19cf0 100644 +--- a/src/lib/certmap/sss_certmap_krb5_match.c ++++ b/src/lib/certmap/sss_certmap_krb5_match.c +@@ -179,19 +179,17 @@ static int parse_krb5_get_eku_value(TALLOC_CTX *mem_ctx, + goto done; + } + ++ comp->eku_oid_list = talloc_zero_array(comp, const char *, ++ eku_list_size + 1); ++ if (comp->eku_oid_list == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ + for (c = 0; eku_list[c] != NULL; c++) { + for (k = 0; ext_key_usage[k].name != NULL; k++) { + CM_DEBUG(ctx, "[%s][%s].", eku_list[c], ext_key_usage[k].name); + if (strcasecmp(eku_list[c], ext_key_usage[k].name) == 0) { +- if (comp->eku_oid_list == NULL) { +- comp->eku_oid_list = talloc_zero_array(comp, const char *, +- eku_list_size + 1); +- if (comp->eku_oid_list == NULL) { +- ret = ENOMEM; +- goto done; +- } +- } +- + comp->eku_oid_list[e] = talloc_strdup(comp->eku_oid_list, + ext_key_usage[k].oid); + if (comp->eku_oid_list[e] == NULL) { +@@ -225,6 +223,11 @@ CM_DEBUG(ctx, "[%s][%s].", eku_list[c], ext_key_usage[k].name); + } + } + ++ if (e == 0) { ++ talloc_free(comp->eku_oid_list); ++ comp->eku_oid_list = NULL; ++ } ++ + ret = 0; + + done: +diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c +index c998443d086eaa72cc2a05c38ddfc5ba590a1ce7..e732bb214476943d0f723b318ab64d3b4156cace 100644 +--- a/src/tests/cmocka/test_certmap.c ++++ b/src/tests/cmocka/test_certmap.c +@@ -445,6 +445,23 @@ static void test_sss_certmap_add_matching_rule(void **state) + assert_null( + ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list[3]); + ++ ret = sss_certmap_add_rule(ctx, 96, ++ "KRB5:1.2.3", ++ NULL, NULL); ++ assert_int_equal(ret, 0); ++ assert_non_null(ctx->prio_list); ++ assert_non_null(ctx->prio_list->rule_list); ++ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule); ++ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r, ++ relation_and); ++ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->eku); ++ assert_true(string_in_list("1.2.3", ++ discard_const( ++ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list), ++ true)); ++ assert_null( ++ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list[1]); ++ + /* SAN tests */ + ret = sss_certmap_add_rule(ctx, 89, "KRB5:abc", NULL, NULL); + assert_int_equal(ret, 0); +-- +2.13.5 + diff --git a/SOURCES/0195-cache_req-Look-for-name-attribute-also-in-nss_cmd_ge.patch b/SOURCES/0195-cache_req-Look-for-name-attribute-also-in-nss_cmd_ge.patch new file mode 100644 index 0000000..2841962 --- /dev/null +++ b/SOURCES/0195-cache_req-Look-for-name-attribute-also-in-nss_cmd_ge.patch @@ -0,0 +1,62 @@ +From cf75c30a42059480eca4c352598ceb3760c27e46 Mon Sep 17 00:00:00 2001 +From: Lukas Slebodnik +Date: Mon, 21 Aug 2017 11:42:43 +0200 +Subject: [PATCH 195/195] cache_req: Look for name attribute also in + nss_cmd_getsidbyid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We always check negcache after getting data from backend since commit +4c09cd008967c5c0ec358dc658ffc6fc1cef2697 because we usually do have a name +in begging of requests "* by ID". + +We were not interested in name in request sid by id before. However, function +cache_req_search_ncache_filter always expect name otherwise it returns +ERR_INTERNAL. + +[sssd[nss]] [cache_req_set_plugin] (0x2000): CR #8: Setting "Object by ID" plugin +[sssd[nss]] [cache_req_send] (0x0400): CR #8: New request 'Object by ID' +[sssd[nss]] [cache_req_select_domains] (0x0400): CR #8: Performing a multi-domain search +[sssd[nss]] [cache_req_search_domains] (0x0400): CR #8: Search will check the cache and check the data provider +[sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain sssdad2012r2.com type POSIX is valid +[sssd[nss]] [cache_req_set_domain] (0x0400): CR #8: Using domain [sssdad2012r2.com] +[sssd[nss]] [cache_req_search_send] (0x0400): CR #8: Looking up ID:233600513@sssdad2012r2.com +[sssd[nss]] [cache_req_search_ncache] (0x0400): CR #8: Checking negative cache for [ID:233600513@sssdad2012r2.com] +[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/sssdad2012r2.com/233600513] +[sssd[nss]] [cache_req_search_ncache] (0x0400): CR #8: [ID:233600513@sssdad2012r2.com] is not present in negative cache +[sssd[nss]] [cache_req_search_cache] (0x0400): CR #8: Looking up [ID:233600513@sssdad2012r2.com] in cache +[sssd[nss]] [cache_req_search_send] (0x0400): CR #8: Returning [ID:233600513@sssdad2012r2.com] from cache +[sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #8: Filtering out results by negative cache +[sssd[nss]] [cache_req_search_ncache_filter] (0x0020): CR #8: sss_get_name_from_msg() returned NULL, which should never happen in this scenario! +[sssd[nss]] [cache_req_process_result] (0x0400): CR #8: Finished: Error 1432158209: Internal Error +[sssd[nss]] [nss_protocol_done] (0x4000): Sending reply: error [1432158209]: Internal Error +[sssd[nss]] [client_recv] (0x0200): Client disconnected! + +Resolves: +https://pagure.io/SSSD/sssd/issue/3485 + +Reviewed-by: Pavel Březina +(cherry picked from commit 2e72ababbbadda4c4036f99528460c1d595e0941) +--- + src/responder/common/cache_req/cache_req_data.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c +index 5ab1493b81dbcd1529f1124a2bb1f99d3ae82281..3c365e2fe5826fd58c75f07b08193e5566db2563 100644 +--- a/src/responder/common/cache_req/cache_req_data.c ++++ b/src/responder/common/cache_req/cache_req_data.c +@@ -26,7 +26,9 @@ static const char ** + cache_req_data_create_attrs(TALLOC_CTX *mem_ctx, + const char **requested) + { +- static const char *defattrs[] = { SYSDB_DEFAULT_ATTRS }; ++ static const char *defattrs[] = { SYSDB_DEFAULT_ATTRS, SYSDB_NAME, ++ OVERRIDE_PREFIX SYSDB_NAME, ++ SYSDB_DEFAULT_OVERRIDE_NAME }; + static size_t defnum = sizeof(defattrs) / sizeof(defattrs[0]); + const char **attrs; + size_t reqnum; +-- +2.13.5 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 8dfde90..af001cd 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -40,7 +40,7 @@ Name: sssd Version: 1.15.2 -Release: 50%{?dist}.2 +Release: 50%{?dist}.6 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -239,6 +239,11 @@ Patch0187: 0187-RESPONDERS-Fix-terminating-idle-connections.patch Patch0188: 0188-TESTS-Integration-test-for-idle-timeout.patch Patch0189: 0189-MAN-Document-that-client_idle_timeout-can-t-be-short.patch Patch0190: 0190-ad_account_can_shortcut-shortcut-if-ID-is-unknown.patch +Patch0191: 0191-sudo-add-a-threshold-option-to-reduce-size-of-rules-.patch +Patch0192: 0192-libwbclient-Change-return-code-for-wbcAuthenticateUs.patch +Patch0193: 0193-IPA-fix-handling-of-certmap_ctx.patch +Patch0194: 0194-certmap-make-sure-eku_oid_list-is-always-allocated.patch +Patch0195: 0195-cache_req-Look-for-name-attribute-also-in-nss_cmd_ge.patch #This patch should not be removed in RHEL-7 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec @@ -1375,6 +1380,22 @@ fi } %changelog +* Wed Sep 27 2017 Fabiano Fidêncio - 1.15.2-50.6 +- Add a patch that was missed in 1.15.2-50.4 +- Related: rhbz#1489290 - samba shares with sssd authentication broken + on 7.4 [rhel-7.4.z] + +* Thu Sep 21 2017 Fabiano Fidêncio - 1.15.2-50.5 +- Resolves: rhbz#1493916 - Issues with certificate mapping rules [rhel-7.4.z] + +* Mon Sep 11 2017 Jakub Hrozek - 1.15.2-50.4 +- Resolves: rhbz#1489290 - samba shares with sssd authentication broken + on 7.4 [rhel-7.4.z] + +* Fri Aug 18 2017 Fabiano Fidêncio - 1.15.2-50.3 +- Resolves: rhbz#1482927 - sssd_be is utilizing more CPU during sudoi + rules refresh [rhel-7.4.z] + * Sun Aug 6 2017 Jakub Hrozek - 1.15.2-50.2 - Resolves: rhbz#1478252 - Querying the AD domain for external domain's ID can mark the AD domain offline [rhel-7.4.z]