diff --git a/SOURCES/0112-IPA-Handle-requests-for-netgroups-from-trusted-domai.patch b/SOURCES/0112-IPA-Handle-requests-for-netgroups-from-trusted-domai.patch
new file mode 100644
index 0000000..e60a668
--- /dev/null
+++ b/SOURCES/0112-IPA-Handle-requests-for-netgroups-from-trusted-domai.patch
@@ -0,0 +1,62 @@
+From 18cbf559addfeb77ad83b81e23431295a3e5c6ae Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Fri, 6 May 2016 15:02:19 +0200
+Subject: [PATCH] IPA: Handle requests for netgroups from trusted domains
+ gracefully
+
+In ipa_account_info_handler we first check if the request is for a user
+from a trusted domain and go that way for all request types. In
+contrast, in the ipa_account_info_done we first check if the requested
+object is a netgroup. If both are true, we first start a subdomain
+lookup send but then call netgroup lookup recv, which results in talloc
+type mismatch and crashes sssd_be.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/3007
+---
+ src/providers/ipa/ipa_id.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
+index 29e22982c415220c931f0422e10cd06dfa1a195b..dff4b23580d8c7502a1fbe9c57d21b8c555883be 100644
+--- a/src/providers/ipa/ipa_id.c
++++ b/src/providers/ipa/ipa_id.c
+@@ -115,21 +115,27 @@ void ipa_account_info_handler(struct be_req *breq)
+ return sdap_handler_done(breq, DP_ERR_OK, EOK, "Success");
+ }
+
+- if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
+- /* if domain names do not match, this is a subdomain case
+- * subdomain lookups are handled differently on the server
+- * and the client
+- */
+- req = ipa_subdomain_account_send(breq, be_ctx->ev, ipa_ctx, breq, ar);
+-
+- } else if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {
++ if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) {
+ /* netgroups are handled by a separate request function */
+ if (ar->filter_type != BE_FILTER_NAME) {
+ return sdap_handler_done(breq, DP_ERR_FATAL,
+ EINVAL, "Invalid filter type");
+ }
++
++ if ((strcasecmp(ar->domain, be_ctx->domain->name) != 0)) {
++ return sdap_handler_done(breq, DP_ERR_OK, EOK,
++ "netgroups in subdomains are "
++ "not handled\n");
++ }
++
+ req = ipa_id_get_netgroup_send(breq, be_ctx->ev,
+ ipa_ctx, ar->filter_value);
++ } else if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {
++ /* if domain names do not match, this is a subdomain case
++ * subdomain lookups are handled differently on the server
++ * and the client
++ */
++ req = ipa_subdomain_account_send(breq, be_ctx->ev, ipa_ctx, breq, ar);
+ } else {
+ /* any account request is handled by sdap,
+ * any invalid request is caught there. */
+--
+2.4.11
+
diff --git a/SOURCES/0113-LDAP-Try-also-the-AD-access-control-for-IPA-users.patch b/SOURCES/0113-LDAP-Try-also-the-AD-access-control-for-IPA-users.patch
new file mode 100644
index 0000000..ac735c0
--- /dev/null
+++ b/SOURCES/0113-LDAP-Try-also-the-AD-access-control-for-IPA-users.patch
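Review bot: The new early return for netgroups from trusted domains passes an errstr ending in a newline (`"netgroups in subdomains are " "not handled\n"`), while the sibling sdap_handler_done calls in the same hunk (`"Success"`, `"Invalid filter type"`) carry none, so this message will render differently wherever the errstr is logged or forwarded. Dropping the newline and the doubled parentheses, `if (strcasecmp(ar->domain, be_ctx->domain->name) != 0) {`, keeps the new branch consistent with the subdomain branch it now sits above. Reporting DP_ERR_OK/EOK for a request that is not handled looks deliberate (the lookup simply yields nothing) but deserves a comment, e.g. `/* netgroups from trusted domains are not supported; report an empty result, not an error */` — confirm callers treat this like a cache miss. ipa_account_info_handler continues outside the hunk.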
@@ -0,0 +1,44 @@
+From 01598f563378f8cf85e7a7fb0c29e7bf32518c3f Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Fri, 22 Apr 2016 18:32:26 +0200
+Subject: [PATCH] LDAP: Try also the AD access control for IPA users
+
+Resolves:
+ https://fedorahosted.org/sssd/ticket/2927
+
+If a user from an AD trusted domain is logging in, we should also check
+their AD lockout status. This helps cases where the user might have been
+disabled but is logging in with an SSH public key.
+---
+ src/providers/ldap/sdap_access.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
+index 3ef45b717787058ec61c4d6875cb41bb2e8195fc..14ec34508636c19b288a57cd305d874705bdb842 100644
+--- a/src/providers/ldap/sdap_access.c
++++ b/src/providers/ldap/sdap_access.c
+@@ -741,6 +741,21 @@ static errno_t sdap_account_expired(struct sdap_access_ctx *access_ctx,
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_account_expired_rhds failed.\n");
+ }
++
++ if (ret == EOK &&
++ strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_IPA) == 0) {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "IPA access control succeeded, checking AD "
++ "access control\n");
++ ret = sdap_account_expired_ad(pd, user_entry);
++ if (ret == ERR_ACCOUNT_EXPIRED || ret == ERR_ACCESS_DENIED) {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "sdap_account_expired_ad: %s.\n", sss_strerror(ret));
++ } else if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "sdap_account_expired_ad failed.\n");
++ }
++ }
+ } else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_NDS) == 0) {
+ ret = sdap_account_expired_nds(pd, user_entry);
+ if (ret == ERR_ACCESS_DENIED) {
+--
+2.4.11
+
diff --git a/SOURCES/0114-NSS-Fix-memory-leak-netgroup.patch b/SOURCES/0114-NSS-Fix-memory-leak-netgroup.patch
new file mode 100644
index 0000000..7b94d48
--- /dev/null
+++ b/SOURCES/0114-NSS-Fix-memory-leak-netgroup.patch
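Review bot: The added AD lockout check runs for every user whose access-control mode is `LDAP_ACCOUNT_EXPIRE_IPA`, with no test that the user actually comes from an AD trusted domain, so native IPA users are now passed to sdap_account_expired_ad as well; whether that is harmless depends on the helper treating missing AD account attributes as "not expired", which is not visible in this hunk. A comment above the new block stating that assumption would help, e.g. `/* IPA users may originate from an AD trust: the AD helper must treat absent AD account attributes as not-expired for native IPA users */`. Because the helper's `ret` replaces the EOK from the IPA check, any unexpected error now surfaces as a non-EOK result, which is the safer (fail-closed) direction if the caller treats non-EOK as a denial — worth confirming. The enclosing `else if` branch and the rest of sdap_account_expired lie outside the hunk.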
@@ -0,0 +1,106 @@
+From de876c0de1056008786f56aa56f1198479cb58d2 Mon Sep 17 00:00:00 2001
+From: Pavel Reichl
+Date: Fri, 27 Nov 2015 07:53:00 -0500
+Subject: [PATCH] NSS: Fix memory leak netgroup
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2865
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit 4231a17e66e0809a9c3d42207b45f95429cbb46c)
+---
+ src/responder/nss/nsssrv_netgroup.c | 41 ++++++++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c
+index c71043858988bbf6c66aaab1357d24d3701c777f..94fe3776d94a24dec03a5766c4026c3887b448aa 100644
+--- a/src/responder/nss/nsssrv_netgroup.c
++++ b/src/responder/nss/nsssrv_netgroup.c
+@@ -435,14 +435,18 @@ static errno_t create_negcache_netgr(struct setent_step_ctx *step_ctx)
+ errno_t ret;
+ struct getent_ctx *netgr;
+
+- netgr = talloc_zero(step_ctx->nctx, struct getent_ctx);
+- if (netgr == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
+- ret = ENOMEM;
+- goto done;
+- } else {
+- netgr->ready = true;
+- netgr->found = false;
++ /* Is there already netgroup with such name? */
++ ret = get_netgroup_entry(step_ctx->nctx, step_ctx->name,
++ &netgr);
++ if (ret != EOK || netgr == NULL) {
++
++ netgr = talloc_zero(step_ctx->nctx, struct getent_ctx);
++ if (netgr == NULL) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
++ ret = ENOMEM;
++ goto done;
++ }
++
+ netgr->entries = NULL;
+ netgr->lookup_table = step_ctx->nctx->netgroups;
+ netgr->name = talloc_strdup(netgr, step_ctx->name);
+@@ -457,13 +461,20 @@ static errno_t create_negcache_netgr(struct setent_step_ctx *step_ctx)
+ DEBUG(SSSDBG_CRIT_FAILURE, "set_netgroup_entry failed.\n");
+ goto done;
+ }
+- set_netgr_lifetime(step_ctx->nctx->neg_timeout, step_ctx, netgr);
+ }
+
++ netgr->ready = true;
++ netgr->found = false;
++
++ set_netgr_lifetime(step_ctx->nctx->neg_timeout, step_ctx, netgr);
++
++ ret = EOK;
++
+ done:
+ if (ret != EOK) {
+ talloc_free(netgr);
+ }
++
+ return ret;
+ }
+
+@@ -474,6 +485,12 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
+ struct getent_ctx *netgr;
+ char *name = NULL;
+ uint32_t lifetime;
++ TALLOC_CTX *tmp_ctx;
++
++ tmp_ctx = talloc_new(NULL);
++ if (tmp_ctx == NULL) {
++ return ENOMEM;
++ }
+
+ /* Check each domain for this netgroup name */
+ while (dom) {
+@@ -494,8 +511,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
+ /* make sure to update the dctx if we changed domain */
+ step_ctx->dctx->domain = dom;
+
+- talloc_free(name);
+- name = sss_get_cased_name(step_ctx, step_ctx->name,
++ name = sss_get_cased_name(tmp_ctx, step_ctx->name,
+ dom->case_sensitive);
+ if (!name) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_get_cased_name failed\n");
+@@ -623,10 +639,11 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
+ "create_negcache_netgr failed with: %d:[%s], ignored.\n",
+ ret, sss_strerror(ret));
+ }
++
+ ret = ENOENT;
+
+ done:
+- talloc_free(name);
++ talloc_free(tmp_ctx);
+ return ret;
+ }
+
+--
+2.4.11
+
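Review bot: In create_negcache_netgr the reuse branch leaves `netgr->entries` as it was, while the fresh-allocation branch sets `netgr->entries = NULL;` inside the `if`, so an already-cached entry converted to a negative one by the new `netgr->found = false;` keeps its old entries list; unless every consumer checks `found` before reading `entries`, moving `netgr->entries = NULL;` out of the `if` block next to the `ready`/`found` assignments would make both paths agree. In lookup_netgr_step the per-domain `name` is now allocated on `tmp_ctx` without the previous per-iteration `talloc_free(name)`, so one copy per visited domain accumulates until `done:`; that is bounded by the domain count and released with tmp_ctx, but a one-line comment on `tmp_ctx = talloc_new(NULL);` saying so (`/* holds one cased-name copy per domain visited; freed at done: */`) would save the next reader from re-deriving it. Both functions extend beyond the hunks, so the middle of create_negcache_netgr and most of lookup_netgr_step are not visible here.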
diff --git a/SOURCES/0115-ipa_s2n_save_objects-use-configured-user-and-group-t.patch b/SOURCES/0115-ipa_s2n_save_objects-use-configured-user-and-group-t.patch
new file mode 100644
index 0000000..2829467
--- /dev/null
+++ b/SOURCES/0115-ipa_s2n_save_objects-use-configured-user-and-group-t.patch
@@ -0,0 +1,69 @@
+From 8233ca6a64e673aad41f2aeb1f6152930fd16f72 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 5 Jan 2016 13:46:55 +0100
+Subject: [PATCH] ipa_s2n_save_objects(): use configured user and group timeout
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves https://fedorahosted.org/sssd/ticket/2899
+
+Reviewed-by: Lukáš Slebodník
+(cherry picked from commit acce97e8d97e81a9e660d46c4e3c00bcb423c035)
+(cherry picked from commit e8b5470df44c9f4eb0a4ccc0c79efe778c9658ba)
+---
+ src/providers/ipa/ipa_s2n_exop.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index bcd11749fbde4cae2a47b9b2182138ae04f2d6bc..d101a437dfaf2829013f9e3e3705a7161c654d78 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -1743,7 +1743,6 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+ {
+ int ret;
+ time_t now;
+- uint64_t timeout = 10*60*60; /* FIXME: find a better timeout ! */
+ struct sss_nss_homedir_ctx homedir_ctx;
+ char *name = NULL;
+ char *realm;
+@@ -1947,7 +1946,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+ * SYSDB_INITGR_EXPIRE will be set.*/
+ ret = sysdb_attrs_add_time_t(attrs->sysdb_attrs,
+ SYSDB_INITGR_EXPIRE,
+- time(NULL) + timeout);
++ time(NULL) + dom->user_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_time_t failed.\n");
+@@ -2006,7 +2005,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+ gid, attrs->a.user.pw_gecos,
+ attrs->a.user.pw_dir, attrs->a.user.pw_shell,
+ NULL, attrs->sysdb_attrs, NULL,
+- timeout, now);
++ dom->user_timeout, now);
+ if (ret == EEXIST && dom->mpg == true) {
+ /* This handles the case where getgrgid() was called for
+ * this user, so a group was created in the cache
+@@ -2034,7 +2033,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+ attrs->a.user.pw_dir,
+ attrs->a.user.pw_shell,
+ NULL, attrs->sysdb_attrs, NULL,
+- timeout, now);
++ dom->user_timeout, now);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_store_user failed for MPG user [%d]: %s\n",
+@@ -2174,7 +2173,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+ }
+
+ ret = sysdb_store_group(dom, name, attrs->a.group.gr_gid,
+- attrs->sysdb_attrs, timeout, now);
++ attrs->sysdb_attrs, dom->group_timeout,
++ now);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_group failed.\n");
+ goto done;
+--
+2.4.11
+
diff --git a/SOURCES/0116-IPA-use-forest-name-when-looking-up-the-Global-Catal.patch b/SOURCES/0116-IPA-use-forest-name-when-looking-up-the-Global-Catal.patch
new file mode 100644
index 0000000..164e78d
--- /dev/null
+++ b/SOURCES/0116-IPA-use-forest-name-when-looking-up-the-Global-Catal.patch
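Review bot: The rewritten SYSDB_INITGR_EXPIRE line still calls `time(NULL)` a second time, while the same function declares `time_t now` and hands `now` to the sysdb_store_user/sysdb_store_group calls in the later hunks, so the initgroups expiry and the stored entry can be stamped from slightly different clocks; if `now` is already assigned at that point (its assignment is outside the hunks), `time(NULL) + dom->user_timeout` could become `now + dom->user_timeout`. The replacement also assumes `dom->user_timeout` and `dom->group_timeout` are in seconds like the `10*60*60` constant they replace, which nothing in the hunks shows; a short comment at the first use, e.g. `/* honour the domain's configured entry-cache timeouts (seconds) */`, would pin that down — confirm against struct sss_domain_info. ipa_s2n_save_objects starts before the first hunk and ends after the last.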
@@ -0,0 +1,29 @@
+From 0a7c43151c362bf8e7276fc1d08c49cb91fdb005 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 17 May 2016 11:54:10 +0200
+Subject: [PATCH] IPA: use forest name when looking up the Global Catalog
+
+Resolves https://fedorahosted.org/sssd/ticket/3015
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit 149174acae677d1e72a0da431bf0850d55f2ccb4)
+---
+ src/providers/ipa/ipa_subdomains_server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
+index c561118946e2ba76b2b4076e5057b1b5c0075a41..b75266701904d8bd1723bc277ae96d407f90f30d 100644
+--- a/src/providers/ipa/ipa_subdomains_server.c
++++ b/src/providers/ipa/ipa_subdomains_server.c
+@@ -249,7 +249,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
+ DEBUG(SSSDBG_TRACE_ALL, "No extra attrs set.\n");
+ }
+
+- gc_service_name = talloc_asprintf(ad_options, "%s%s", "gc_", subdom->name);
++ gc_service_name = talloc_asprintf(ad_options, "%s%s", "gc_", subdom->forest);
+ if (gc_service_name == NULL) {
+ talloc_free(ad_options);
+ return ENOMEM;
+--
+2.4.11
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index eff8ddf..de6504f 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -25,7 +25,7 @@ Name: sssd
 Version: 1.13.0
-Release: 40%{?dist}.4
+Release: 40%{?dist}.9
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
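Review bot: The new `subdom->forest` argument is formatted with `%s` without a NULL check; if `forest` can be unset for a subdomain (where it is filled in is not visible in this hunk), talloc_asprintf would either fail or, depending on the libc, build a service name like `gc_(null)` and the Global Catalog lookup would silently key on the wrong name. A guard such as `if (subdom->forest == NULL) { talloc_free(ad_options); return EINVAL; }` before the talloc_asprintf, or an explicit fallback to `subdom->name`, together with a comment `/* the GC is served at the forest root, so key the service on the forest name */`, would make the intent and the precondition explicit. ipa_ad_ctx_new continues on both sides of the hunk.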
@@ -147,6 +147,11 @@ Patch0108: 0108-LDAP-Use-the-IPA-provider-interface-to-resolve-exter.patch
 Patch0109: 0109-memberof-Don-t-allocate-on-a-NULL-context.patch
 Patch0110: 0110-memberof-Fix-a-memory-leak-when-removing-ghost-users.patch
 Patch0111: 0111-memberof-Don-t-allocate-on-NULL-when-deleting-member.patch
+Patch0112: 0112-IPA-Handle-requests-for-netgroups-from-trusted-domai.patch
+Patch0113: 0113-LDAP-Try-also-the-AD-access-control-for-IPA-users.patch
+Patch0114: 0114-NSS-Fix-memory-leak-netgroup.patch
+Patch0115: 0115-ipa_s2n_save_objects-use-configured-user-and-group-t.patch
+Patch0116: 0116-IPA-use-forest-name-when-looking-up-the-Global-Catal.patch
 #This patch should not be removed in RHEL-7
 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -1079,6 +1084,26 @@ fi
 /usr/bin/rm -f /var/tmp/sssd.upgrade || :
 %changelog
+* Tue May 24 2016 Jakub Hrozek - 1.13.0-40.9
+- Resolves: rhbz#1339509 - sssd tries to resolve global catalog servers
+ from AD forest sub-domains in AD-IPA trust setup
+
+* Tue May 24 2016 Jakub Hrozek - 1.13.0-40.8
+- Resolves: rhbz#1339258 - [sssd] Trusted (AD) user's info stays in sssd
+ cache for much more than expected.
+
+* Tue May 24 2016 Jakub Hrozek - 1.13.0-40.7
+- Resolves: rhbz#1339207 - sssd_nss memory usage keeps growing when trying
+ to retrieve non-existing netgroups
+
+* Thu May 19 2016 Jakub Hrozek - 1.13.0-40.6
+- Resolves: rhbz#1337292 - In IPA-AD trust environment access is granted
+ to AD user even if the user is disabled on AD.
+
+* Tue May 17 2016 Jakub Hrozek - 1.13.0-40.5
+- Resolves: rhbz#1336836 - IPA provider crashes if a netgroup from a
+ trusted domain is requested
+
 * Mon Apr 18 2016 Jakub Hrozek - 1.13.0-40.4
 - Resolves: rhbz#1324442 - sssd be memory leak in sssd's memberof plugin
 - More patches from upstream related to the memory leak