diff --git a/SOURCES/0034-TESTS-Add-a-unit-test-for-UPNs-stored-by-sss_ncache_.patch b/SOURCES/0034-TESTS-Add-a-unit-test-for-UPNs-stored-by-sss_ncache_.patch
new file mode 100644
index 0000000..54e2e7a
--- /dev/null
+++ b/SOURCES/0034-TESTS-Add-a-unit-test-for-UPNs-stored-by-sss_ncache_.patch
@@ -0,0 +1,207 @@
+From 05b37ac18ed8da00ce560ed52244c6ad7abfa6a9 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Wed, 13 Mar 2019 17:41:29 +0100
+Subject: [PATCH 34/35] TESTS: Add a unit test for UPNs stored by
+ sss_ncache_prepopulate
+
+Reviewed-by: Sumit Bose
+(cherry picked from commit 48c1e3ac34ec5b2d7cf27d7393d049c880bca319)
+---
+ src/tests/cmocka/test_negcache.c | 111 +++++++++++++++++++++++++------
+ 1 file changed, 92 insertions(+), 19 deletions(-)
+
+diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
+index a0210928b..9bddddd8d 100644
+--- a/src/tests/cmocka/test_negcache.c
++++ b/src/tests/cmocka/test_negcache.c
+@@ -39,6 +39,7 @@
+ #include "lib/idmap/sss_idmap.h"
+ #include "util/util.h"
+ #include "util/util_sss_idmap.h"
++#include "db/sysdb_private.h"
+ #include "responder/common/responder.h"
+ #include "responder/common/negcache.h"
+
+@@ -52,6 +53,7 @@
+ #define TEST_CONF_DB "test_nss_conf.ldb"
+ #define TEST_DOM_NAME "nss_test"
+ #define TEST_ID_PROVIDER "ldap"
++#define TEST_SUBDOM_NAME "test.subdomain"
+
+ /* register_cli_protocol_version is required in test since it links with
+ * responder_common.c module
+@@ -582,6 +584,29 @@ static int check_gid_in_ncache(struct sss_nc_ctx *ctx,
+ return ret;
+ }
+
++static int add_confdb_params(struct sss_test_conf_param params[],
++ struct confdb_ctx *cdb, const char *section)
++{
++ const char *val[2];
++ int ret;
++
++ val[1] = NULL;
++
++ for (int i = 0; params[i].key; i++) {
++ val[0] = params[i].value;
++ ret = confdb_add_param(cdb, true, section, params[i].key, val);
++ assert_int_equal(ret, EOK);
++ }
++
++ return EOK;
++}
++
++static int add_nss_params(struct sss_test_conf_param nss_params[],
++ struct confdb_ctx *cdb)
++{
++ return add_confdb_params(nss_params, cdb, CONFDB_NSS_CONF_ENTRY);
++}
++
+ static void test_sss_ncache_prepopulate(void **state)
+ {
+ int ret;
+@@ -589,9 +614,14 @@ static void test_sss_ncache_prepopulate(void **state)
+ struct tevent_context *ev;
+ struct sss_nc_ctx *ncache;
+ struct sss_test_ctx *tc;
+- struct sss_domain_info *dom;
++ const char *const testdom[4] = { TEST_SUBDOM_NAME, "TEST.SUB", "test", "S-3" };
++ struct sss_domain_info *subdomain;
+
+- struct sss_test_conf_param params[] = {
++ struct sss_test_conf_param nss_params[] = {
++ { "filter_users", "testuser_nss@UPN.REALM, testuser_nss_short" },
++ { NULL, NULL },
++ };
++ struct sss_test_conf_param dom_params[] = {
+ { "filter_users", "testuser1, testuser2@"TEST_DOM_NAME", testuser3@somedomain" },
+ { "filter_groups", "testgroup1, testgroup2@"TEST_DOM_NAME", testgroup3@somedomain" },
+ { NULL, NULL },
+@@ -602,22 +632,35 @@ static void test_sss_ncache_prepopulate(void **state)
+ ev = tevent_context_init(ts);
+ assert_non_null(ev);
+
+- dom = talloc_zero(ts, struct sss_domain_info);
+- assert_non_null(dom);
+- dom->name = discard_const_p(char, TEST_DOM_NAME);
+-
+ ts->nctx = mock_nctx(ts);
+ assert_non_null(ts->nctx);
+
+ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB,
+- TEST_DOM_NAME, TEST_ID_PROVIDER, params);
++ TEST_DOM_NAME, TEST_ID_PROVIDER, dom_params);
+ assert_non_null(tc);
+
++ ret = add_nss_params(nss_params, tc->confdb);
++ assert_int_equal(ret, EOK);
++
++ subdomain = new_subdomain(tc, tc->dom,
++ testdom[0], testdom[1], testdom[2], testdom[3],
++ false, false, NULL, NULL, 0,
++ tc->confdb);
++ assert_non_null(subdomain);
++
++ ret = sysdb_subdomain_store(tc->sysdb,
++ testdom[0], testdom[1], testdom[2], testdom[3],
++ false, false, NULL, 0, NULL);
++ assert_int_equal(ret, EOK);
++
++ ret = sysdb_update_subdomains(tc->dom, tc->confdb);
++ assert_int_equal(ret, EOK);
++
+ ncache = ts->ctx;
+- ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
++ ts->rctx = mock_rctx(ts, ev, tc->dom, ts->nctx);
+ assert_non_null(ts->rctx);
+
+- ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
++ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &tc->dom->names);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_prepopulate(ncache, tc->confdb, ts->rctx);
+@@ -625,34 +668,37 @@ static void test_sss_ncache_prepopulate(void **state)
+
+ sleep(SHORTSPAN);
+
+- ret = check_user_in_ncache(ncache, dom, "testuser1");
++ ret = check_user_in_ncache(ncache, tc->dom, "testuser1");
+ assert_int_equal(ret, EEXIST);
+
+- ret = check_group_in_ncache(ncache, dom, "testgroup1");
++ ret = check_group_in_ncache(ncache, tc->dom, "testgroup1");
+ assert_int_equal(ret, EEXIST);
+
+- ret = check_user_in_ncache(ncache, dom, "testuser2");
++ ret = check_user_in_ncache(ncache, tc->dom, "testuser2");
+ assert_int_equal(ret, EEXIST);
+
+- ret = check_group_in_ncache(ncache, dom, "testgroup2");
++ ret = check_group_in_ncache(ncache, tc->dom, "testgroup2");
+ assert_int_equal(ret, EEXIST);
+
+- ret = check_user_in_ncache(ncache, dom, "testuser3");
++ ret = check_user_in_ncache(ncache, tc->dom, "testuser3");
+ assert_int_equal(ret, ENOENT);
+
+- ret = check_group_in_ncache(ncache, dom, "testgroup3");
++ ret = check_group_in_ncache(ncache, tc->dom, "testgroup3");
+ assert_int_equal(ret, ENOENT);
+
+- ret = check_user_in_ncache(ncache, dom, "testuser3@somedomain");
++ ret = check_user_in_ncache(ncache, tc->dom, "testuser3@somedomain");
+ assert_int_equal(ret, ENOENT);
+
+- ret = check_group_in_ncache(ncache, dom, "testgroup3@somedomain");
++ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser3@somedomain");
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_group_in_ncache(ncache, tc->dom, "testgroup3@somedomain");
+ assert_int_equal(ret, ENOENT);
+
+- ret = check_user_in_ncache(ncache, dom, "root");
++ ret = check_user_in_ncache(ncache, tc->dom, "root");
+ assert_int_equal(ret, EEXIST);
+
+- ret = check_group_in_ncache(ncache, dom, "root");
++ ret = check_group_in_ncache(ncache, tc->dom, "root");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_uid_in_ncache(ncache, 0);
+@@ -660,6 +706,33 @@ static void test_sss_ncache_prepopulate(void **state)
+
+ ret = check_gid_in_ncache(ncache, 0);
+ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser_nss@UPN.REALM");
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom->subdomains, "testuser_nss@UPN.REALM");
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser_nss_short@" TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom->subdomains, "testuser_nss_short@" TEST_SUBDOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, tc->dom, "testuser_nss_short");
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, tc->dom->subdomains, "testuser_nss_short");
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser1@" TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser2@" TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser3@somedomain");
++ assert_int_equal(ret, EEXIST);
+ }
+
+ static void test_sss_ncache_default_domain_suffix(void **state)
+--
+2.20.1
+
diff --git a/SOURCES/0035-negcache-add-fq-usernames-of-know-domains-to-all-UPN.patch b/SOURCES/0035-negcache-add-fq-usernames-of-know-domains-to-all-UPN.patch
new file mode 100644
index 0000000..fefd20d
--- /dev/null
+++ b/SOURCES/0035-negcache-add-fq-usernames-of-know-domains-to-all-UPN.patch
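Review bot: The new checks against `tc->dom->subdomains` (the `sss_ncache_check_upn` and `check_user_in_ncache` calls near the end of test_sss_ncache_prepopulate) dereference a list that is never asserted to be populated; `sysdb_update_subdomains` returning EOK does not by itself prove that `tc->dom->subdomains` is non-NULL, and if it is NULL the checks run against a NULL domain and fail far from the actual cause. Adding `assert_non_null(tc->dom->subdomains);` immediately after the `assert_int_equal(ret, EOK);` that follows `sysdb_update_subdomains` makes that failure mode explicit. The `subdomain` pointer returned by `new_subdomain` is only checked for non-NULL and never used afterwards; either use it in the later checks or drop the local. `add_confdb_params` also declares an `int` return but can only ever return EOK because every failure is caught by `assert_int_equal` inside the loop, so the `ret = add_nss_params(...)` / `assert_int_equal(ret, EOK)` pair in the caller is redundant and could be noted as such in a short comment on the helper.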
@@ -0,0 +1,127 @@
+From 934341e1ef7cf2a763b604dd1fd347aa5aae7f60 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 24 Jun 2019 14:01:02 +0200
+Subject: [PATCH 35/35] negcache: add fq-usernames of know domains to all UPN
+ neg-caches
+
+The previous patch for this issue did not handle user with
+fully-qualified names from known domains correctly. Here the user was
+only added to the negative cache of the known domain but not to the
+negative UPN caches for all domains. This patch fixes this.
+
+Related to https://pagure.io/SSSD/sssd/issue/3978
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit e7e212b49bbd357129aab410cbbd5c7b1b0965a2)
+---
+ src/responder/common/negcache.c | 54 ++++++++++++++++----------------
+ src/tests/cmocka/test_negcache.c | 17 +++++++++-
+ 2 files changed, 43 insertions(+), 28 deletions(-)
+
+diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
+index d6f72d816..d9bf1417e 100644
+--- a/src/responder/common/negcache.c
++++ b/src/responder/common/negcache.c
+@@ -1070,37 +1070,37 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+ continue;
+ }
+ if (domainname) {
+- dom = responder_get_domain(rctx, domainname);
+- if (!dom) {
+- DEBUG(SSSDBG_CRIT_FAILURE,
+- "Unknown domain name [%s], assuming [%s] is UPN\n",
+- domainname, filter_list[i]);
+- for (dom = domain_list;
+- dom != NULL;
+- dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
+- ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_OP_FAILURE,
+- "sss_ncache_set_upn failed (%d [%s]), ignored\n",
+- ret, sss_strerror(ret));
+- }
++ DEBUG(SSSDBG_TRACE_ALL,
++ "Adding [%s] to UPN negative cache of all domains.\n",
++ filter_list[i]);
++ for (dom = domain_list;
++ dom != NULL;
++ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
++ ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "sss_ncache_set_upn failed (%d [%s]), ignored\n",
++ ret, sss_strerror(ret));
+ }
+- continue;
+ }
+
+- fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
+- if (fqname == NULL) {
+- continue;
+- }
++ /* Add name to domain specific cache for known domain names */
++ dom = responder_get_domain(rctx, domainname);
++ if (dom != NULL) {
++ fqname = sss_create_internal_fqname(tmpctx, name, dom->name);
++ if (fqname == NULL) {
++ continue;
++ }
+
+- ret = sss_ncache_set_user(ncache, true, dom, fqname);
+- talloc_zfree(fqname);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_CRIT_FAILURE,
+- "Failed to store permanent user filter for [%s]"
+- " (%d [%s])\n", filter_list[i],
+- ret, strerror(ret));
+- continue;
++ ret = sss_ncache_set_user(ncache, true, dom, fqname);
++ talloc_zfree(fqname);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "Failed to store permanent user filter for [%s]"
++ " (%d [%s])\n", filter_list[i],
++ ret, strerror(ret));
++ continue;
++ }
+ }
+ } else {
+ for (dom = domain_list;
+diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
+index 9bddddd8d..0a7e563e0 100644
+--- a/src/tests/cmocka/test_negcache.c
++++ b/src/tests/cmocka/test_negcache.c
+@@ -618,7 +618,7 @@ static void test_sss_ncache_prepopulate(void **state)
+ struct sss_domain_info *subdomain;
+
+ struct sss_test_conf_param nss_params[] = {
+- { "filter_users", "testuser_nss@UPN.REALM, testuser_nss_short" },
++ { "filter_users", "testuser_nss@UPN.REALM, testuser_nss_short, all_dom_upn@"TEST_DOM_NAME },
+ { NULL, NULL },
+ };
+ struct sss_test_conf_param dom_params[] = {
+@@ -733,6 +733,21 @@ static void test_sss_ncache_prepopulate(void **state)
+
+ ret = sss_ncache_check_upn(ncache, tc->dom, "testuser3@somedomain");
+ assert_int_equal(ret, EEXIST);
++
++ /* Fully qualified names with a known domain part should be added to all
++ * negative UPN caches and to the negative cache of the know domain. */
++ ret = sss_ncache_check_upn(ncache, tc->dom, "all_dom_upn@"TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = sss_ncache_check_upn(ncache, tc->dom->subdomains,
++ "all_dom_upn@"TEST_DOM_NAME);
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, tc->dom, "all_dom_upn");
++ assert_int_equal(ret, EEXIST);
++
++ ret = check_user_in_ncache(ncache, tc->dom->subdomains, "all_dom_upn");
++ assert_int_equal(ret, ENOENT);
+ }
+
+ static void test_sss_ncache_default_domain_suffix(void **state)
+--
+2.20.1
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 1db58d0..5dba468 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -48,7 +48,7 @@
Name: sssd
Version: 1.16.4
-Release: 21%{?dist}
+Release: 21%{?dist}.1
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -90,6 +90,8 @@
Patch0030: 0030-SDAP-allow-GSS-SPNEGO-for-LDAP-SASL-bind-as-well.patch
Patch0031: 0031-sdap-inherit-SDAP_SASL_MECH-if-not-set-explicitly.patch
Patch0032: 0032-Translation-Update-japanese-translation.patch
Patch0033: 0033-Translation-Add-missing-newlines-in-the-ja-po-file.patch
+Patch0034: 0034-TESTS-Add-a-unit-test-for-UPNs-stored-by-sss_ncache_.patch
+Patch0035: 0035-negcache-add-fq-usernames-of-know-domains-to-all-UPN.patch
#This patch should not be removed in RHEL-7
Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -1247,6 +1249,10 @@
systemctl try-restart sssd >/dev/null 2>&1 || :
}
%changelog
+* Wed Oct 09 2019 Michal Židek - 1.16.4-21.1
+- Resolves: rhbz#1758566 - negative cache does not use values from 'filter_users'
+ config option for known domains [rhel-7.7.z]
+
* Fri Jun 07 2019 Michal Židek - 1.16.4-21
- Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization
- Rebuild japanese gmo file explicitly
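Review bot: In the restructured `if (domainname)` branch of `sss_ncache_prepopulate` (the function begins and ends outside this hunk), an unknown domain part is no longer reported: `responder_get_domain` returning NULL now silently skips the per-domain `sss_ncache_set_user` store, and the only message on this path is at `SSSDBG_TRACE_ALL`, so a mistyped domain in `filter_users` leaves the entry in the UPN caches only, with nothing visible at default debug levels to tell the operator that the per-domain filter was not applied. Keeping a diagnostic in an `else` branch of the new `if (dom != NULL)`, e.g. `DEBUG(SSSDBG_MINOR_FAILURE, "Unknown domain name [%s], [%s] stored only as UPN\n", domainname, filter_list[i]);`, preserves the signal the previous code gave. As a point of style, the two failure paths in this hunk format the error differently (`sss_strerror(ret)` for the UPN store, `strerror(ret)` for the user store); using `sss_strerror` in both keeps the log output consistent for the same function.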