From 7db20e1826c1f5453391ec7c6df07c123ea33711 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 06 2014 07:13:14 +0000
Subject: import sssd-1.11.2-68.el7_0.6


---

diff --git a/SOURCES/0127-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch b/SOURCES/0127-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch
new file mode 100644
index 0000000..de65245
--- /dev/null
+++ b/SOURCES/0127-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch
@@ -0,0 +1,75 @@
+From 5ecab6dc08ac35a400e067af09b49e7fcb0f17c0 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 12 Aug 2014 10:32:33 +0200
+Subject: [PATCH 127/130] IPA: handle searches by SID in
+ apply_subdomain_homedir
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://fedorahosted.org/sssd/ticket/2391
+
+apply_subdomain_homedir() didn't handle the situation where an entity
+that doesn't match was requested from the cache. For user and group
+lookups this wasn't a problem because the negative match was caught
+sooner.
+
+But SID lookups can match either user or group. When a group SID was
+requested, the preceding LDAP request matched the SID and stored the
+group in the cache. Then apply_subdomain_homedir() only tried to search
+user by SID, didn't find the entry and accessed a NULL pointer.
+
+A simple reproducer is:
+$ python
+>>> import pysss_nss_idmap
+>>> pysss_nss_idmap.getnamebysid(group_sid)
+
+The group_sid can be anything, including Domain Users (XXX-513)
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+(cherry picked from commit 82347f452febe3cbffc36b0a3308ffb462515442)
+---
+ src/providers/ipa/ipa_subdomains_id.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index d8922a461fc1cbbec4bb65b8cd6e6cf25f2dc605..5517602a6e9c7d56406e42aa3afbd2527e2df7ea 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -492,6 +492,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+ 
+     if (filter_type == BE_FILTER_NAME) {
+         ret = sysdb_getpwnam(mem_ctx, dom->sysdb, dom, filter_value, &res);
++        if (res && res->count == 0) {
++            ret = ENOENT;
++        }
+     } else if (filter_type == BE_FILTER_IDNUM) {
+         errno = 0;
+         uid = strtouint32(filter_value, NULL, 10);
+@@ -500,6 +503,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+             goto done;
+         }
+         ret = sysdb_getpwuid(mem_ctx, dom->sysdb, dom, uid, &res);
++        if (res && res->count == 0) {
++            ret = ENOENT;
++        }
+     } else if (filter_type == BE_FILTER_SECID) {
+         ret = sysdb_search_user_by_sid_str(mem_ctx, dom->sysdb, dom,
+                                            filter_value, attrs, &msg);
+@@ -515,10 +521,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+               ("Failed to make request to our cache: [%d]: [%s]\n",
+                ret, sss_strerror(ret)));
+         goto done;
+-    }
+-
+-    if ((res && res->count == 0) || (msg && msg->num_elements == 0)) {
+-        ret = ENOENT;
++    } else if (ret == ENOENT) {
++        DEBUG(SSSDBG_TRACE_FUNC, ("Cannot find [%s] with search type [%d]\n",
++              filter_value, filter_type));
+         goto done;
+     }
+ 
+-- 
+1.9.3
+
diff --git a/SOURCES/0128-LDAP-Ignore-returned-referrals-if-referral-support-i.patch b/SOURCES/0128-LDAP-Ignore-returned-referrals-if-referral-support-i.patch
new file mode 100644
index 0000000..3069a3b
--- /dev/null
+++ b/SOURCES/0128-LDAP-Ignore-returned-referrals-if-referral-support-i.patch
@@ -0,0 +1,82 @@
+From b224c49b8f0a9cdf343a443fdf2190dc6f047508 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 20 Aug 2014 14:00:38 +0200
+Subject: [PATCH 128/130] LDAP: Ignore returned referrals if referral support
+ is disabled
+
+Reviewed-by: Pavel Reichl <preichl@redhat.com>
+(cherry picked from commit a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2)
+---
+ src/providers/ldap/sdap_async.c | 18 +++++++++++++++---
+ src/util/util_errors.c          |  1 +
+ src/util/util_errors.h          |  2 ++
+ 3 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
+index 1022a093f06ec7e9a50b13160fc9a4660a255e92..7db01d979ee81a3707126a4c3eb1f36006e8b392 100644
+--- a/src/providers/ldap/sdap_async.c
++++ b/src/providers/ldap/sdap_async.c
+@@ -1404,6 +1404,10 @@ static void sdap_get_generic_ext_done(struct sdap_op *op,
+             ldap_memfree(errmsg);
+             tevent_req_error(req, ENOTSUP);
+             return;
++        } else if (result == LDAP_REFERRAL) {
++            ldap_memfree(errmsg);
++            tevent_req_error(req, ERR_REFERRAL);
++            return;
+         } else if (result != LDAP_SUCCESS && result != LDAP_NO_SUCH_OBJECT) {
+             DEBUG(SSSDBG_OP_FAILURE,
+                   ("Unexpected result from ldap: %s(%d), %s\n",
+@@ -1565,13 +1569,21 @@ static void sdap_get_generic_done(struct tevent_req *subreq)
+ {
+     struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                       struct tevent_req);
++    struct sdap_get_generic_state *state =
++                tevent_req_data(req, struct sdap_get_generic_state);
+     int ret;
+ 
+     ret = sdap_get_generic_ext_recv(subreq);
+     talloc_zfree(subreq);
+-    if (ret) {
+-        DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n",
+-                  ret, sss_strerror(ret)));
++    if (ret == ERR_REFERRAL) {
++        if (dp_opt_get_bool(state->opts->basic, SDAP_REFERRALS)) {
++            tevent_req_error(req, ret);
++            return;
++        }
++    } else if (ret) {
++        DEBUG(SSSDBG_CONF_SETTINGS,
++              ("sdap_get_generic_ext_recv failed [%d]: %s\n",
++                ret, sss_strerror(ret)));
+         tevent_req_error(req, ret);
+         return;
+     }
+diff --git a/src/util/util_errors.c b/src/util/util_errors.c
+index c9b507557da07555c719bb0dd18145e6799a53eb..eb7b1aec7b388e2509471cce8322cf38f9388151 100644
+--- a/src/util/util_errors.c
++++ b/src/util/util_errors.c
+@@ -53,6 +53,7 @@ struct err_string error_to_str[] = {
+     { "Missing configuration file" }, /* ERR_MISSING_CONF */
+     { "Malformed search filter" }, /* ERR_INVALID_FILTER, */
+     { "No POSIX attributes detected" }, /* ERR_NO_POSIX */
++    { "LDAP search returned a referral" }, /* ERR_REFERRAL */
+ };
+ 
+ 
+diff --git a/src/util/util_errors.h b/src/util/util_errors.h
+index 3dd94af1f304d65e22515c859c6f69a021fa7e92..2858311dec90ae0ea57dbcd7b6de4beb9fb19c50 100644
+--- a/src/util/util_errors.h
++++ b/src/util/util_errors.h
+@@ -75,6 +75,8 @@ enum sssd_errors {
+     ERR_MISSING_CONF,
+     ERR_INVALID_FILTER,
+     ERR_NO_POSIX,
++    ERR_NO_SYSBUS,
++    ERR_REFERRAL,
+     ERR_LAST            /* ALWAYS LAST */
+ };
+ 
+-- 
+1.9.3
+
diff --git a/SOURCES/0129-Ignore-referrals-in-deref-and-ASQ-too.patch b/SOURCES/0129-Ignore-referrals-in-deref-and-ASQ-too.patch
new file mode 100644
index 0000000..c2da9d5
--- /dev/null
+++ b/SOURCES/0129-Ignore-referrals-in-deref-and-ASQ-too.patch
@@ -0,0 +1,76 @@
+From 5b5cb000d63c3edad40ebb420776df2a18950fcb Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Wed, 10 Sep 2014 11:55:24 +0200
+Subject: [PATCH 129/130] Ignore referrals in deref and ASQ, too
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+ src/providers/ldap/sdap_async.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
+index 7db01d979ee81a3707126a4c3eb1f36006e8b392..b06d94bfd9d1a60f587de5c807389c74f908af5e 100644
+--- a/src/providers/ldap/sdap_async.c
++++ b/src/providers/ldap/sdap_async.c
+@@ -1622,6 +1622,7 @@ static errno_t sdap_x_deref_parse_entry(struct sdap_handle *sh,
+ struct sdap_x_deref_search_state {
+     struct sdap_handle *sh;
+     struct sdap_op *op;
++    struct sdap_options *opts;
+     struct sdap_attr_map_info *maps;
+     LDAPControl **ctrls;
+ 
+@@ -1647,6 +1648,7 @@ sdap_x_deref_search_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+     state->sh = sh;
+     state->maps = maps;
+     state->op = NULL;
++    state->opts = opts;
+     state->num_maps = num_maps;
+     state->ctrls = talloc_zero_array(state, LDAPControl *, 2);
+     if (state->ctrls == NULL) {
+@@ -1797,11 +1799,18 @@ static void sdap_x_deref_search_done(struct tevent_req *subreq)
+ {
+     struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                       struct tevent_req);
++    struct sdap_x_deref_search_state *state = tevent_req_data(req,
++                                            struct sdap_x_deref_search_state);
+     int ret;
+ 
+     ret = sdap_get_generic_ext_recv(subreq);
+     talloc_zfree(subreq);
+-    if (ret) {
++    if (ret == ERR_REFERRAL) {
++        if (dp_opt_get_bool(state->opts->basic, SDAP_REFERRALS)) {
++            tevent_req_error(req, ret);
++            return;
++        }
++    } else if (ret) {
+         DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n",
+                   ret, sss_strerror(ret)));
+         tevent_req_error(req, ret);
+@@ -2056,11 +2065,18 @@ static void sdap_asq_search_done(struct tevent_req *subreq)
+ {
+     struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                       struct tevent_req);
++    struct sdap_asq_search_state *state =
++                tevent_req_data(req, struct sdap_asq_search_state);
+     int ret;
+ 
+     ret = sdap_get_generic_ext_recv(subreq);
+     talloc_zfree(subreq);
+-    if (ret) {
++    if (ret == ERR_REFERRAL) {
++        if (dp_opt_get_bool(state->opts->basic, SDAP_REFERRALS)) {
++            tevent_req_error(req, ret);
++            return;
++        }
++    } else if (ret) {
+         DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n",
+                   ret, sss_strerror(ret)));
+         tevent_req_error(req, ret);
+-- 
+1.9.3
+
diff --git a/SOURCES/0130-IPA-Use-GC-for-group-lookups-in-server-mode.patch b/SOURCES/0130-IPA-Use-GC-for-group-lookups-in-server-mode.patch
new file mode 100644
index 0000000..b42b8e4
--- /dev/null
+++ b/SOURCES/0130-IPA-Use-GC-for-group-lookups-in-server-mode.patch
@@ -0,0 +1,52 @@
+From 756a944b898e55a83c212999b31ba6550af4b1ce Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Tue, 9 Sep 2014 22:13:52 +0200
+Subject: [PATCH 130/130] IPA: Use GC for group lookups in server mode
+
+https://fedorahosted.org/sssd/ticket/2412
+
+Even though AD trusts often work with POSIX attributes which are
+normally not replicated to GC, our group lookups are smart since commit
+008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using
+the LDAP connection and only use the GC connection to look up the members.
+
+Reviewed-by: Pavel Reichl <preichl@redhat.com>
+(cherry picked from commit a20ce8cd43d72c89e2ea1d65aefe24ba270f040f)
+---
+ src/providers/ipa/ipa_subdomains_id.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index 5517602a6e9c7d56406e42aa3afbd2527e2df7ea..9a90bc2d68561ce518bd31d74ec010c697036352 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -304,17 +304,21 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
+     }
+     sdap_id_ctx = ad_id_ctx->sdap_id_ctx;
+ 
+-    /* Currently only LDAP port for AD is used because POSIX
+-     * attributes are not replicated to GC by default
++    /* We read users and groups from GC. From groups, we may switch to
++     * using LDAP connection in the group request itself, but in order
++     * to resolve Universal group memberships, we also need the GC
++     * connection
+      */
+-
+-    if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
++    switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
++    case BE_REQ_INITGROUPS:
++    case BE_REQ_GROUP:
+         clist = ad_gc_conn_list(req, ad_id_ctx, state->user_dom);
+         if (clist == NULL) {
+             ret = ENOMEM;
+             goto fail;
+         }
+-    } else {
++        break;
++    default:
+         clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
+         if (clist == NULL) {
+             ret = ENOMEM;
+-- 
+1.9.3
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index b268d74..82408f1 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -8,7 +8,7 @@
 
 Name: sssd
 Version: 1.11.2
-Release: 68%{?dist}.5
+Release: 68%{?dist}.6
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -143,6 +143,10 @@ Patch0123: 0123-AD-Provider-bug-fix-uninitialized-variable.patch
 Patch0124: 0124-AD-Provider-bugfix-use-after-free.patch
 Patch0125: 0125-ipa-subdomains-provider-make-sure-search-by-SID-work.patch
 Patch0126: 0126-tests-Remove-tests-that-check-creating-public-direct.patch
+Patch0127: 0127-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch
+Patch0128: 0128-LDAP-Ignore-returned-referrals-if-referral-support-i.patch
+Patch0129: 0129-Ignore-referrals-in-deref-and-ASQ-too.patch
+Patch0130: 0130-IPA-Use-GC-for-group-lookups-in-server-mode.patch
 
 
 ### Dependencies ###
@@ -826,6 +830,10 @@ fi
 %postun -n libsss_idmap -p /sbin/ldconfig
 
 %changelog
+* Tue Oct 14 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.11.2-68.6
+- Resolves: rhbz#1152200 - Error processing universal groups with
+                           cross-domain membership in SSSD server mode
+
 * Wed May 21 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.11.2-68.5
 - Rebuild for a proper dist tag, yet again, now using the correct build
   options