diff --git a/SOURCES/0211-IPA-do-initgroups-if-extdom-exop-supports-it.patch b/SOURCES/0211-IPA-do-initgroups-if-extdom-exop-supports-it.patch
new file mode 100644
index 0000000..6a61fb4
--- /dev/null
+++ b/SOURCES/0211-IPA-do-initgroups-if-extdom-exop-supports-it.patch
@@ -0,0 +1,100 @@ +From 215f988b07610ae55dfcb67f355bc864ddcbf72d Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 28 Apr 2015 17:18:48 +0200 +Subject: [PATCH 211/214] IPA: do initgroups if extdom exop supports it + +Newer versions of the extdom plugin return the full list of +group-memberships during a user lookup request. With these version there +is no need to reject a initgroups request for sub/trusted-domain users +anymore. This is e.g. useful for callers which call getgrouplist() +directly without calling getpwnam() before. Additionally it helps if for +some reasons the lifetime of the user entry and the lifetime of the +initgroups data is different. + +Related to https://fedorahosted.org/sssd/ticket/2633 + +Reviewed-by: Jakub Hrozek +(cherry picked from commit e87badc0f6fb20a443cf12bde9582ecbc2aef727) +(cherry picked from commit 24905d4ecbf210687e385449448f5a5ec97d2833) +--- + src/providers/ipa/ipa_s2n_exop.c | 3 --- + src/providers/ipa/ipa_subdomains.h | 4 ++++ + src/providers/ipa/ipa_subdomains_id.c | 24 +++++++++++++++++------- + 3 files changed, 21 insertions(+), 10 deletions(-) + +diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c +index 8de46136d0bc9d1c26b44c532d7bd405880aca50..03264fcd7f6f42dfa68db4f331184da32529818f 100644 +--- a/src/providers/ipa/ipa_s2n_exop.c ++++ b/src/providers/ipa/ipa_s2n_exop.c +@@ -50,9 +50,6 @@ enum response_types { + }; + + /* ==Sid2Name Extended Operation============================================= */ +-#define EXOP_SID2NAME_OID "2.16.840.1.113730.3.8.10.4" +-#define EXOP_SID2NAME_V1_OID "2.16.840.1.113730.3.8.10.4.1" +- + struct ipa_s2n_exop_state { + struct sdap_handle *sh; + +diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h +index ceb862226b504bca6c9c596554fb88e6df1d51c3..9b179792dcab7ea935fa7159ca879d12b561a55f 100644 +--- a/src/providers/ipa/ipa_subdomains.h ++++ b/src/providers/ipa/ipa_subdomains.h +@@ -28,6 +28,10 @@ + #include 
"providers/dp_backend.h" + #include "providers/ipa/ipa_common.h" + ++/* ==Sid2Name Extended Operation============================================= */ ++#define EXOP_SID2NAME_OID "2.16.840.1.113730.3.8.10.4" ++#define EXOP_SID2NAME_V1_OID "2.16.840.1.113730.3.8.10.4.1" ++ + struct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx); + + const char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx, +diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c +index 0508e14b690c144f4bace9ed14a326ac724eb910..1020c8a0b9209fc7404c32963ad5622fc6958d6b 100644 +--- a/src/providers/ipa/ipa_subdomains_id.c ++++ b/src/providers/ipa/ipa_subdomains_id.c +@@ -375,15 +375,9 @@ struct tevent_req *ipa_get_subdom_acct_send(TALLOC_CTX *memctx, + case BE_REQ_GROUP: + case BE_REQ_BY_SECID: + case BE_REQ_USER_AND_GROUP: ++ case BE_REQ_INITGROUPS: + ret = EOK; + break; +- case BE_REQ_INITGROUPS: +- ret = ENOTSUP; +- DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \ +- "by the IPA provider but are resolved " \ +- "by the responder directly from the " \ +- "cache.\n"); +- break; + default: + ret = EINVAL; + DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain request type.\n"); +@@ -423,6 +417,22 @@ static void ipa_get_subdom_acct_connected(struct tevent_req *subreq) + return; + } + ++ if (state->entry_type == BE_REQ_INITGROUPS) { ++ /* With V1 of the extdom plugin a user lookup will resolve the full ++ * group membership of the user. */ ++ if (sdap_is_extension_supported(sdap_id_op_handle(state->op), ++ EXOP_SID2NAME_V1_OID)) { ++ state->entry_type = BE_REQ_USER; ++ } else { ++ DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \ ++ "by the IPA provider but are resolved " \ ++ "by the responder directly from the " \ ++ "cache.\n"); ++ tevent_req_error(req, ENOTSUP); ++ return; ++ } ++ } ++ + req_input = talloc(state, struct req_input); + if (req_input == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n"); +-- +2.4.3 + 
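Review bot: In the new `BE_REQ_INITGROUPS` block of `ipa_get_subdom_acct_connected()`, the fallback branch reuses the old trace text ("Initgroups requests are not handled by the IPA provider ..."), which is no longer generally true and hides the real reason: the server did not advertise `EXOP_SID2NAME_V1_OID`. Group membership feeds access decisions, so I would log the cause explicitly, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "Server does not support extdom V1, initgroups is resolved from the cache.\n");`. ENOTSUP is also now raised through `tevent_req_error()` after the connection step rather than directly in `ipa_get_subdom_acct_send()`. The callers are not in the hunk, so please confirm they still treat the late ENOTSUP as "answer from cache" and not as a backend failure. Both functions start and end outside the hunks shown.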
diff --git a/SOURCES/0212-IPA-update-initgr-expire-timestamp-conditionally.patch b/SOURCES/0212-IPA-update-initgr-expire-timestamp-conditionally.patch
new file mode 100644
index 0000000..62b7581
--- /dev/null
+++ b/SOURCES/0212-IPA-update-initgr-expire-timestamp-conditionally.patch
@@ -0,0 +1,105 @@ +From ab9cc3894af6fc0e768c631da23446287cd6e8e2 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 28 Apr 2015 17:20:05 +0200 +Subject: [PATCH 212/214] IPA: update initgr expire timestamp conditionally + +Newer versions of the extdom plugin return the full list of +group-memberships during user lookups. As a result the lifetime of the +group-membership data is updates in those cases. But if the user is not +looked up directly but is resolved as a group member during a group +lookup SSSD does not resolve all group-membership of the user to avoid +deep recursion and eventually a complete enumeration of the user and +group base. In this case the lifetime of the group-memberships should +not be updated because it might be incomplete. + +Related to https://fedorahosted.org/sssd/ticket/2633 + +Reviewed-by: Jakub Hrozek +(cherry picked from commit cffe3135f29c737f2598f3c1384bfba1694fb843) +(cherry picked from commit f643fadbd072a9d3725f5f750340d5b13628ce6a) +--- + src/providers/ipa/ipa_s2n_exop.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c +index 03264fcd7f6f42dfa68db4f331184da32529818f..2f1974d2c250ad2f8283659de4ddc319500ac6a5 100644 +--- a/src/providers/ipa/ipa_s2n_exop.c ++++ b/src/providers/ipa/ipa_s2n_exop.c +@@ -676,7 +676,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, + struct resp_attrs *attrs, + struct resp_attrs *simple_attrs, + const char *view_name, +- struct sysdb_attrs *override_attrs); ++ struct sysdb_attrs *override_attrs, ++ bool update_initgr_timeout); + + static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx, + char *retoid, +@@ -1109,7 +1110,7 @@ static errno_t ipa_s2n_get_fqlist_save_step(struct tevent_req *req) + + ret = ipa_s2n_save_objects(state->dom, &state->req_input, state->attrs, + NULL, state->ipa_ctx->view_name, +- state->override_attrs); ++ state->override_attrs, false); + if (ret 
!= EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n"); + return ret; +@@ -1607,7 +1608,7 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq) + || strcmp(state->ipa_ctx->view_name, + SYSDB_DEFAULT_VIEW_NAME) == 0) { + ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs, +- state->simple_attrs, NULL, NULL); ++ state->simple_attrs, NULL, NULL, true); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n"); + goto done; +@@ -1729,7 +1730,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, + struct resp_attrs *attrs, + struct resp_attrs *simple_attrs, + const char *view_name, +- struct sysdb_attrs *override_attrs) ++ struct sysdb_attrs *override_attrs, ++ bool update_initgr_timeout) + { + int ret; + time_t now; +@@ -1929,7 +1931,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, + } + } + +- if (attrs->response_type == RESP_USER_GROUPLIST) { ++ if (attrs->response_type == RESP_USER_GROUPLIST ++ && update_initgr_timeout) { + /* Since RESP_USER_GROUPLIST contains all group memberships it + * is effectively an initgroups request hence + * SYSDB_INITGR_EXPIRE will be set.*/ +@@ -2231,7 +2234,7 @@ static void ipa_s2n_get_fqlist_done(struct tevent_req *subreq) + &sid_str); + if (ret == ENOENT) { + ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs, +- state->simple_attrs, NULL, NULL); ++ state->simple_attrs, NULL, NULL, true); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n"); + goto fail; +@@ -2271,7 +2274,7 @@ static void ipa_s2n_get_fqlist_done(struct tevent_req *subreq) + ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs, + state->simple_attrs, + state->ipa_ctx->view_name, +- state->override_attrs); ++ state->override_attrs, true); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n"); + tevent_req_error(req, ret); +@@ -2307,7 +2310,7 @@ static void 
ipa_s2n_get_user_get_override_done(struct tevent_req *subreq) + + ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs, + state->simple_attrs, state->ipa_ctx->view_name, +- override_attrs); ++ override_attrs, true); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n"); + tevent_req_error(req, ret); +-- +2.4.3 + diff --git a/SOURCES/0213-IPA-enhance-ipa_initgr_get_overrides_send.patch b/SOURCES/0213-IPA-enhance-ipa_initgr_get_overrides_send.patch new file mode 100644 index 0000000..49524dc --- /dev/null +++ b/SOURCES/0213-IPA-enhance-ipa_initgr_get_overrides_send.patch 
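Review bot: The new `bool update_initgr_timeout` parameter of `ipa_s2n_save_objects()` is undocumented and passed as a bare `true`/`false` at six call sites, so a reader cannot tell which callers may mark a user's group list as complete. Setting `SYSDB_INITGR_EXPIRE` on an incomplete list would let stale or partial memberships be served as authoritative, so the contract deserves a comment at the prototype, e.g. `/* update_initgr_timeout: refresh SYSDB_INITGR_EXPIRE only if attrs carries the full group list of a directly requested user */`. The existing comment inside the `RESP_USER_GROUPLIST` branch still says the timestamp "will be set" and should mention the new condition. Both calls in `ipa_s2n_get_fqlist_done()` pass `true` while `ipa_s2n_get_fqlist_save_step()` passes `false`. The surrounding code is outside the hunks, so please confirm that `state->attrs` there is always the originally requested object and never a member resolved on the side.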
@@ -0,0 +1,199 @@ +From 3d9560303f7c96abf36ff93abd85b2319808d3f6 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 28 Apr 2015 20:58:15 +0200 +Subject: [PATCH 213/214] IPA: enhance ipa_initgr_get_overrides_send() + +This patch makes ipa_initgr_get_overrides_send() public and add support +to search overrides by UUID or by SID. + +Related to https://fedorahosted.org/sssd/ticket/2633 + +Reviewed-by: Jakub Hrozek +(cherry picked from commit 145578006684481434ced78461ab8d1c3570f478) +(cherry picked from commit 58a19d50888b1a7da0ee78b49e7d3dcbebc8614d) +--- + src/db/sysdb_views.c | 5 ++++ + src/providers/ipa/ipa_id.c | 63 +++++++++++++++++++++++++++++++++------------- + src/providers/ipa/ipa_id.h | 10 ++++++++ + 3 files changed, 61 insertions(+), 17 deletions(-) + +diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c +index 717edf20a447003568060cf4d32bf8d47bd93e63..58cad5426109f0fb37ef16fd1304b50a702cf44a 100644 +--- a/src/db/sysdb_views.c ++++ b/src/db/sysdb_views.c +@@ -733,6 +733,11 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain, + NULL }; + bool override_attrs_found = false; + ++ if (override_attrs == NULL) { ++ /* nothing to do */ ++ return EOK; ++ } ++ + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); +diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c +index cc6abcf8721e3f05526bf62063f0cbdc7c1c257b..02b59ab77a7408012efdd9a1538287e08de0af1e 100644 +--- a/src/providers/ipa/ipa_id.c ++++ b/src/providers/ipa/ipa_id.c +@@ -294,6 +294,7 @@ struct ipa_initgr_get_overrides_state { + + struct ldb_message **groups; + size_t group_count; ++ const char *groups_id_attr; + size_t group_idx; + struct be_acct_req *ar; + +@@ -302,13 +303,14 @@ struct ipa_initgr_get_overrides_state { + + static int ipa_initgr_get_overrides_step(struct tevent_req *req); + +-static struct tevent_req * ++struct tevent_req * + ipa_initgr_get_overrides_send(TALLOC_CTX *memctx, + struct 
tevent_context *ev, + struct ipa_id_ctx *ipa_ctx, + struct sss_domain_info *user_dom, + size_t groups_count, +- struct ldb_message **groups) ++ struct ldb_message **groups, ++ const char *groups_id_attr) + { + int ret; + struct tevent_req *req; +@@ -334,6 +336,12 @@ ipa_initgr_get_overrides_send(TALLOC_CTX *memctx, + ret = EINVAL; + goto done; + } ++ state->groups_id_attr = talloc_strdup(state, groups_id_attr); ++ if (state->groups_id_attr == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); ++ ret = ENOMEM; ++ goto done; ++ } + + ret = ipa_initgr_get_overrides_step(req); + done: +@@ -366,7 +374,7 @@ static int ipa_initgr_get_overrides_step(struct tevent_req *req) + } + + ipa_uuid = ldb_msg_find_attr_as_string(state->groups[state->group_idx], +- SYSDB_UUID, NULL); ++ state->groups_id_attr, NULL); + if (ipa_uuid == NULL) { + /* This should never happen, the search filter used to get the list + * of groups includes "uuid=*" +@@ -377,11 +385,24 @@ static int ipa_initgr_get_overrides_step(struct tevent_req *req) + + talloc_free(state->ar); /* Avoid spiking memory with many groups */ + +- ret = get_be_acct_req_for_uuid(state, ipa_uuid, +- state->user_dom->name, &state->ar); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n"); +- return ret; ++ if (strcmp(state->groups_id_attr, SYSDB_UUID) == 0) { ++ ret = get_be_acct_req_for_uuid(state, ipa_uuid, ++ state->user_dom->name, &state->ar); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n"); ++ return ret; ++ } ++ } else if (strcmp(state->groups_id_attr, SYSDB_SID_STR) == 0) { ++ ret = get_be_acct_req_for_sid(state, ipa_uuid, ++ state->user_dom->name, &state->ar); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n"); ++ return ret; ++ } ++ } else { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported groups ID type [%s].\n", ++ state->groups_id_attr); ++ return EINVAL; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Fetching group 
%s\n", ipa_uuid); +@@ -408,7 +429,7 @@ static void ipa_initgr_get_overrides_override_done(struct tevent_req *subreq) + struct ipa_initgr_get_overrides_state *state = tevent_req_data(req, + struct ipa_initgr_get_overrides_state); + int ret; +- struct sysdb_attrs *override_attrs; ++ struct sysdb_attrs *override_attrs = NULL; + + ret = ipa_get_ad_override_recv(subreq, &state->dp_error, state, + &override_attrs); +@@ -419,10 +440,16 @@ static void ipa_initgr_get_overrides_override_done(struct tevent_req *subreq) + return; + } + +- ret = sysdb_store_override(state->user_dom, state->ipa_ctx->view_name, +- SYSDB_MEMBER_GROUP, +- override_attrs, +- state->groups[state->group_idx]->dn); ++ if (strcmp(state->ipa_ctx->view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) { ++ ret = sysdb_apply_default_override(state->user_dom, override_attrs, ++ state->groups[state->group_idx]->dn); ++ } else { ++ ret = sysdb_store_override(state->user_dom, ++ state->ipa_ctx->view_name, ++ SYSDB_MEMBER_GROUP, ++ override_attrs, ++ state->groups[state->group_idx]->dn); ++ } + talloc_free(override_attrs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n"); +@@ -443,7 +470,7 @@ static void ipa_initgr_get_overrides_override_done(struct tevent_req *subreq) + tevent_req_done(req); + } + +-static int ipa_initgr_get_overrides_recv(struct tevent_req *req, int *dp_error) ++int ipa_initgr_get_overrides_recv(struct tevent_req *req, int *dp_error) + { + struct ipa_initgr_get_overrides_state *state = tevent_req_data(req, + struct ipa_initgr_get_overrides_state); +@@ -881,7 +908,8 @@ static void ipa_id_get_account_info_orig_done(struct tevent_req *subreq) + if (state->user_groups != NULL) { + subreq = ipa_initgr_get_overrides_send(state, state->ev, state->ipa_ctx, + state->domain, state->group_cnt, +- state->user_groups); ++ state->user_groups, ++ SYSDB_UUID); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_resolve_user_list_send failed.\n"); + ret = ENOMEM; +@@ -959,8 +987,9 @@ 
static void ipa_id_get_account_info_done(struct tevent_req *subreq) + + if (state->user_groups != NULL) { + subreq = ipa_initgr_get_overrides_send(state, state->ev, state->ipa_ctx, +- state->domain, state->group_cnt, +- state->user_groups); ++ state->domain, state->group_cnt, ++ state->user_groups, ++ SYSDB_UUID); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_resolve_user_list_send failed.\n"); + ret = ENOMEM; +diff --git a/src/providers/ipa/ipa_id.h b/src/providers/ipa/ipa_id.h +index 2bb5e0d38f42d4bbb04854dfb04804fecf6257e8..c03ca037a2850478a8f4933bac4fcf8bd70ada04 100644 +--- a/src/providers/ipa/ipa_id.h ++++ b/src/providers/ipa/ipa_id.h +@@ -119,4 +119,14 @@ errno_t get_object_from_cache(TALLOC_CTX *mem_ctx, + struct sss_domain_info *dom, + struct be_acct_req *ar, + struct ldb_message **_msg); ++ ++struct tevent_req * ++ipa_initgr_get_overrides_send(TALLOC_CTX *memctx, ++ struct tevent_context *ev, ++ struct ipa_id_ctx *ipa_ctx, ++ struct sss_domain_info *user_dom, ++ size_t groups_count, ++ struct ldb_message **groups, ++ const char *groups_id_attr); ++int ipa_initgr_get_overrides_recv(struct tevent_req *req, int *dp_error); + #endif +-- +2.4.3 + diff --git a/SOURCES/0214-IPA-search-for-overrides-during-initgroups-in-sever-.patch b/SOURCES/0214-IPA-search-for-overrides-during-initgroups-in-sever-.patch new file mode 100644 index 0000000..c7ceb75 --- /dev/null +++ b/SOURCES/0214-IPA-search-for-overrides-during-initgroups-in-sever-.patch 
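Review bot: `ipa_initgr_get_overrides_send()` is now public, but a NULL `groups_id_attr` is only caught indirectly: `talloc_strdup()` returns NULL for a NULL source, so the caller gets ENOMEM and a "talloc_strdup failed" log instead of an argument error. I would add `if (groups_id_attr == NULL) { ret = EINVAL; goto done; }` before the copy. In `ipa_initgr_get_overrides_override_done()` the added `strcmp(state->ipa_ctx->view_name, SYSDB_DEFAULT_VIEW_NAME)` has no visible NULL guard. If `view_name` can be unset at this point (not determinable from the hunk), this dereferences NULL in the backend, so please check it first. The log strings are also misleading for anyone triaging a failed lookup: the UUID branch reports "get_be_acct_req_for_sid failed", and "sysdb_store_override failed" now also covers `sysdb_apply_default_override()`.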
@@ -0,0 +1,116 @@ +From 61964561654d86e1ba2179fc0afd7f93cafbc6ab Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 28 Apr 2015 20:59:43 +0200 +Subject: [PATCH 214/214] IPA: search for overrides during initgroups in sever + mode + +After the group memberships of a user from a trusted domain are read it +must be checked if there are overrides for the discovered groups to be +able to return the right gid or name to the caller. + +Related to https://fedorahosted.org/sssd/ticket/2633 + +Reviewed-by: Jakub Hrozek +(cherry picked from commit 2263c6dd1242c92253240f4998c86a04b6a0ca3a) +(cherry picked from commit eaf656843831d579f30f94154d88aba2201c1712) +--- + src/providers/ipa/ipa_subdomains_id.c | 69 +++++++++++++++++++++++++++++++++++ + 1 file changed, 69 insertions(+) + +diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c +index 1020c8a0b9209fc7404c32963ad5622fc6958d6b..ffe2b18e8dda2137d2ebbfdb780c908eabcd4708 100644 +--- a/src/providers/ipa/ipa_subdomains_id.c ++++ b/src/providers/ipa/ipa_subdomains_id.c +@@ -558,6 +558,8 @@ struct ipa_get_ad_acct_state { + static void ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq); + static void ipa_get_ad_override_done(struct tevent_req *subreq); + static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req); ++static errno_t ipa_get_ad_ipa_membership_step(struct tevent_req *req); ++static void ipa_id_get_groups_overrides_done(struct tevent_req *subreq); + static void ipa_get_ad_acct_done(struct tevent_req *subreq); + static struct ad_id_ctx *ipa_get_ad_id_ctx(struct ipa_id_ctx *ipa_ctx, + struct sss_domain_info *dom); +@@ -1112,6 +1114,9 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req) + struct tevent_req *subreq; + const char *obj_name; + int entry_type; ++ size_t groups_count = 0; ++ struct ldb_message **groups = NULL; ++ const char *attrs[] = SYSDB_INITGR_ATTRS; + + if (state->override_attrs != NULL) { + /* We are in ipa-server-mode, so the view 
is the default view by +@@ -1166,6 +1171,70 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req) + state->ar->entry_type = BE_REQ_USER; + } + ++ /* Lookup all groups the user is a member of which do not have ORIGINALAD ++ * attributes set, i.e. where overrides might not have been applied. */ ++ ret = sysdb_asq_search(state, state->obj_dom, state->obj_msg->dn, ++ "(&("SYSDB_GC")("SYSDB_GIDNUM"=*)" \ ++ "(!("ORIGINALAD_PREFIX SYSDB_GIDNUM"=*))" \ ++ "(!("ORIGINALAD_PREFIX SYSDB_NAME"=*)))", ++ SYSDB_INITGR_ATTR, ++ attrs, &groups_count, &groups); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_groups_without_orig failed.\n"); ++ return ret; ++ } ++ ++ if (groups != NULL) { ++ subreq = ipa_initgr_get_overrides_send(state, state->ev, state->ipa_ctx, ++ state->obj_dom, groups_count, ++ groups, SYSDB_SID_STR); ++ if (subreq == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "ipa_initgr_get_overrides_send failed.\n"); ++ return ENOMEM; ++ } ++ tevent_req_set_callback(subreq, ipa_id_get_groups_overrides_done, req); ++ return EOK; ++ } ++ ++ ret = ipa_get_ad_ipa_membership_step(req); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_ipa_membership_step failed.\n"); ++ return ret; ++ } ++ ++ return EOK; ++} ++ ++static void ipa_id_get_groups_overrides_done(struct tevent_req *subreq) ++{ ++ struct tevent_req *req = tevent_req_callback_data(subreq, ++ struct tevent_req); ++ errno_t ret; ++ ++ ret = ipa_initgr_get_overrides_recv(subreq, NULL); ++ talloc_zfree(subreq); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "IPA resolve user groups overrides failed [%d].\n", ret); ++ tevent_req_error(req, ret); ++ return; ++ } ++ ++ ret = ipa_get_ad_ipa_membership_step(req); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_ipa_membership_step failed.\n"); ++ tevent_req_error(req, ret); ++ return; ++ } ++ ++ return; ++} ++ ++static errno_t ipa_get_ad_ipa_membership_step(struct tevent_req *req) ++{ ++ struct ipa_get_ad_acct_state *state = 
tevent_req_data(req, ++ struct ipa_get_ad_acct_state); ++ struct tevent_req *subreq; + + /* For initgroups request we have to check IPA group memberships of AD + * users. This has to be done for other user-request as well to make sure +-- +2.4.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 4eb7589..25a1229 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -23,7 +23,7 @@ Name: sssd Version: 1.12.2 -Release: 58%{?dist}.17 +Release: 58%{?dist}.18 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -242,7 +242,10 @@ Patch0207: 0207-subdomains-Inherit-cleanup-period-and-tokengroup-set.patch Patch0208: 0208-sudo-sanitize-filter-values.patch Patch0209: 0209-SYSDB-Index-the-objectSIDString-attribute.patch Patch0210: 0210-IPA-Remove-MPG-groups-if-getgrgid-was-called-before-.patch - +Patch0211: 0211-IPA-do-initgroups-if-extdom-exop-supports-it.patch +Patch0212: 0212-IPA-update-initgr-expire-timestamp-conditionally.patch +Patch0213: 0213-IPA-enhance-ipa_initgr_get_overrides_send.patch +Patch0214: 0214-IPA-search-for-overrides-during-initgroups-in-sever-.patch ### Dependencies ### Requires: sssd-common = %{version}-%{release} @@ -1106,6 +1109,10 @@ fi /usr/bin/rm -f /var/tmp/sssd.upgrade || : %changelog +* Fri Oct 2 2015 Jakub Hrozek - 1.12.2-58.18 +- Resolves: rhbz#1268205 - SSSD intermittently fails to resolve external + IPA group membership. + * Thu Sep 3 2015 Jakub Hrozek - 1.12.2-58.17 - Actually apply the patch for rhbz#1255442 - Resolves: rhbz#1255442 - getgrgid for user's UID on a trust client
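Review bot: The `sysdb_asq_search()` filter added to `ipa_get_ad_apply_override_step()` does not require the attribute that is then used as the lookup key. The groups are handed to `ipa_initgr_get_overrides_send()` with `SYSDB_SID_STR`, and the step function in ipa_id.c treats a missing ID attribute as a "should never happen" case, justified by the old filter containing "uuid=*". If a cached group without a SID string matches this filter, the override pass would fail and take the initgroups request down with it; adding `"("SYSDB_SID_STR"=*)"` to the filter would rule that out. `SYSDB_INITGR_ATTRS` is not visible here, so please confirm it requests `SYSDB_SID_STR`. The failure log names `ipa_get_ad_groups_without_orig`, which is not the function called, and `ipa_initgr_get_overrides_recv(subreq, NULL)` relies on the recv function accepting a NULL `dp_error`, whose body is not shown.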