forked from jengelh/sssd
sssd-2.3.0
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=233
This commit is contained in:
parent
c445b52558
commit
45570786c6
@ -1,114 +0,0 @@
|
|||||||
From 2143c7276c7603520e2575ef6c9d93a5fc031256 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Samuel Cabrero <scabrero@suse.de>
|
|
||||||
Date: Mon, 13 Jan 2020 13:52:34 +0100
|
|
||||||
Subject: [PATCH] AD: use getaddrinfo with AI_CANONNAME to find the FQDN
|
|
||||||
|
|
||||||
In systems where gethostbyname() does not return the FQDN try calling
|
|
||||||
getaddrinfo().
|
|
||||||
|
|
||||||
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
|
|
||||||
|
|
||||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
||||||
---
|
|
||||||
src/man/sssd-ad.5.xml | 14 ++++++------
|
|
||||||
src/providers/ad/ad_common.c | 42 ++++++++++++++++++++++++++++++++++++
|
|
||||||
2 files changed, 50 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
|
|
||||||
index c30e5b9db..23e351fc0 100644
|
|
||||||
--- a/src/man/sssd-ad.5.xml
|
|
||||||
+++ b/src/man/sssd-ad.5.xml
|
|
||||||
@@ -193,15 +193,17 @@ ad_enabled_domains = sales.example.com, eng.example.com
|
|
||||||
<term>ad_hostname (string)</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
- Optional. May be set on machines where the
|
|
||||||
- hostname(5) does not reflect the fully qualified
|
|
||||||
- name used in the Active Directory domain to
|
|
||||||
- identify this host.
|
|
||||||
+ Optional. On machines where the hostname(5) does
|
|
||||||
+ not reflect the fully qualified name, sssd will try
|
|
||||||
+ to expand the short name. If it is not possible or
|
|
||||||
+ the short name should be really used instead, set
|
|
||||||
+ this parameter explicitly.
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
This field is used to determine the host principal
|
|
||||||
- in use in the keytab. It must match the hostname
|
|
||||||
- for which the keytab was issued.
|
|
||||||
+ in use in the keytab and to perform dynamic DNS
|
|
||||||
+ updates. It must match the hostname for which the
|
|
||||||
+ keytab was issued.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
|
||||||
index 51300f5b2..e5fa83595 100644
|
|
||||||
--- a/src/providers/ad/ad_common.c
|
|
||||||
+++ b/src/providers/ad/ad_common.c
|
|
||||||
@@ -406,6 +406,34 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
|
|
||||||
return ad_options;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static errno_t
|
|
||||||
+ad_try_to_get_fqdn(const char *hostname,
|
|
||||||
+ char *buf,
|
|
||||||
+ size_t buflen)
|
|
||||||
+{
|
|
||||||
+ int ret;
|
|
||||||
+ struct addrinfo *res;
|
|
||||||
+ struct addrinfo hints;
|
|
||||||
+
|
|
||||||
+ memset(&hints, 0, sizeof(struct addrinfo));
|
|
||||||
+ hints.ai_socktype = SOCK_DGRAM;
|
|
||||||
+ hints.ai_flags = AI_CANONNAME;
|
|
||||||
+
|
|
||||||
+ ret = getaddrinfo(hostname, NULL, &hints, &res);
|
|
||||||
+ if (ret != 0) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "getaddrinfo failed: %s\n",
|
|
||||||
+ gai_strerror(ret));
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ strncpy(buf, res->ai_canonname, buflen);
|
|
||||||
+
|
|
||||||
+ freeaddrinfo(res);
|
|
||||||
+
|
|
||||||
+ return EOK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
errno_t
|
|
||||||
ad_get_common_options(TALLOC_CTX *mem_ctx,
|
|
||||||
struct confdb_ctx *cdb,
|
|
||||||
@@ -421,6 +449,7 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
|
|
||||||
char *realm;
|
|
||||||
char *ad_hostname;
|
|
||||||
char hostname[HOST_NAME_MAX + 1];
|
|
||||||
+ char fqdn[HOST_NAME_MAX + 1];
|
|
||||||
char *case_sensitive_opt;
|
|
||||||
const char *opt_override;
|
|
||||||
|
|
||||||
@@ -468,6 +497,19 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
hostname[HOST_NAME_MAX] = '\0';
|
|
||||||
+
|
|
||||||
+ if (strchr(hostname, '.') == NULL) {
|
|
||||||
+ ret = ad_try_to_get_fqdn(hostname, fqdn, sizeof(fqdn));
|
|
||||||
+ if (ret == EOK) {
|
|
||||||
+ DEBUG(SSSDBG_CONF_SETTINGS,
|
|
||||||
+ "The hostname [%s] has been expanded to FQDN [%s]. "
|
|
||||||
+ "If sssd should really use the short hostname, please "
|
|
||||||
+ "set ad_hostname explicitly.\n", hostname, fqdn);
|
|
||||||
+ strncpy(hostname, fqdn, sizeof(hostname));
|
|
||||||
+ hostname[HOST_NAME_MAX] = '\0';
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
DEBUG(SSSDBG_CONF_SETTINGS,
|
|
||||||
"Setting ad_hostname to [%s].\n", hostname);
|
|
||||||
ret = dp_opt_set_string(opts->basic, AD_HOSTNAME, hostname);
|
|
||||||
--
|
|
||||||
2.25.1
|
|
||||||
|
|
@ -1,53 +0,0 @@
|
|||||||
From bc56b10aea999284458dcc293b54cf65288e325d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
Date: Fri, 24 Jan 2020 15:17:39 +0100
|
|
||||||
Subject: [PATCH] Fix build failure against samba 4.12.0rc1
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The ndr_pull_get_switch() function was dropped, but it was just a wrapper
|
|
||||||
around the ndr_token_peek() function, so we can use this approach on both
|
|
||||||
old and new versions of libndr.
|
|
||||||
|
|
||||||
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
|
|
||||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
||||||
---
|
|
||||||
src/providers/ad/ad_gpo_ndr.c | 6 +++---
|
|
||||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
|
|
||||||
index d57303349..8f405aa62 100644
|
|
||||||
--- a/src/providers/ad/ad_gpo_ndr.c
|
|
||||||
+++ b/src/providers/ad/ad_gpo_ndr.c
|
|
||||||
@@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
|
|
||||||
union security_ace_object_type *r)
|
|
||||||
{
|
|
||||||
uint32_t level;
|
|
||||||
- level = ndr_pull_get_switch_value(ndr, r);
|
|
||||||
+ level = ndr_token_peek(&ndr->switch_list, r);
|
|
||||||
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
|
|
||||||
if (ndr_flags & NDR_SCALARS) {
|
|
||||||
NDR_CHECK(ndr_pull_union_align(ndr, 4));
|
|
||||||
@@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
|
|
||||||
union security_ace_object_inherited_type *r)
|
|
||||||
{
|
|
||||||
uint32_t level;
|
|
||||||
- level = ndr_pull_get_switch_value(ndr, r);
|
|
||||||
+ level = ndr_token_peek(&ndr->switch_list, r);
|
|
||||||
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
|
|
||||||
if (ndr_flags & NDR_SCALARS) {
|
|
||||||
NDR_CHECK(ndr_pull_union_align(ndr, 4));
|
|
||||||
@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
|
|
||||||
union security_ace_object_ctr *r)
|
|
||||||
{
|
|
||||||
uint32_t level;
|
|
||||||
- level = ndr_pull_get_switch_value(ndr, r);
|
|
||||||
+ level = ndr_token_peek(&ndr->switch_list, r);
|
|
||||||
NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
|
|
||||||
if (ndr_flags & NDR_SCALARS) {
|
|
||||||
NDR_CHECK(ndr_pull_union_align(ndr, 4));
|
|
||||||
--
|
|
||||||
2.25.1
|
|
||||||
|
|
@ -1,45 +0,0 @@
|
|||||||
From 0ea7661eeb7783c45d7f0ec9d19d99ce9fe407cf Mon Sep 17 00:00:00 2001
|
|
||||||
From: David Mulder <dmulder@suse.com>
|
|
||||||
Date: Fri, 10 Jan 2020 18:21:05 +0000
|
|
||||||
Subject: [PATCH] Resolve computer lookup failure when sam!=cn
|
|
||||||
References: jsc#SLE-9298
|
|
||||||
Upstream: submitted
|
|
||||||
|
|
||||||
---
|
|
||||||
src/providers/ad/ad_gpo.c | 11 ++---------
|
|
||||||
1 file changed, 2 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
|
||||||
index 90e1909f8..6dd850cc9 100644
|
|
||||||
--- a/src/providers/ad/ad_gpo.c
|
|
||||||
+++ b/src/providers/ad/ad_gpo.c
|
|
||||||
@@ -1947,7 +1947,6 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
|
|
||||||
struct sysdb_attrs **reply;
|
|
||||||
const char *target_dn = NULL;
|
|
||||||
uint32_t uac;
|
|
||||||
- char *filter = NULL;
|
|
||||||
char *domain_dn;
|
|
||||||
const char *attrs[] = {AD_AT_SID, NULL};
|
|
||||||
struct ldb_message *msg;
|
|
||||||
@@ -2050,16 +2049,10 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- filter = talloc_asprintf(subreq, SYSDB_COMP_FILTER, state->ad_hostname);
|
|
||||||
- if (!filter) {
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
subreq = sdap_get_generic_send(state, state->ev, state->opts,
|
|
||||||
sdap_id_op_handle(state->sdap_op),
|
|
||||||
- domain_dn, LDAP_SCOPE_SUBTREE,
|
|
||||||
- filter, attrs, NULL, 0,
|
|
||||||
+ state->target_dn, LDAP_SCOPE_BASE,
|
|
||||||
+ "(&)", attrs, NULL, 0,
|
|
||||||
state->timeout,
|
|
||||||
false);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.24.0
|
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:11565446290e7432dbd208c4db02fcb42ab17e853d8ba4f994af9a9c57bbbb11
|
|
||||||
size 6894302
|
|
@ -1,11 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQEzBAABCAAdFiEEFvJCKUiOc2BIlSc3uogAD+Y5gnIFAl3i6dIACgkQuogAD+Y5
|
|
||||||
gnLovgf/QSNThIaVkCIC6doJNncuIaJuuu+GkihXe+4K6xHgksbMR7C7GyIEqxJQ
|
|
||||||
Dy2UAzH4FMUzbBoBwb9kW6Du2nt+9Rp2dVz/H/lmgNlKgX3siOVFJ4rwlCD3bJUi
|
|
||||||
eay5t9GTTQAUzpM1N1HdQPGk0ErT0mI77d3GLr7L8S64/SFI4aai58+T/VIRlbMQ
|
|
||||||
0t/BGo1yo4Ss97u9SrC62DSfev7Rl8mmdTMlJIYU2UAjEVYtJm5TViUDGy44eh+V
|
|
||||||
HM1l6EpMSGvEVrr6ALm4VNNntCjs37GJxyGrXFqljjs+tiBFpZT+5ENQl/X2RBsT
|
|
||||||
tRSZpATPjmRoYhLyqgPqLuAg5tXtaw==
|
|
||||||
=UpXd
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
sssd-2.3.0.tar.gz
Normal file
3
sssd-2.3.0.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:f755a105433399fff0f5788ee04795e07299b9d7bf976d02c4910cb6dcbe3a99
|
||||||
|
size 6797766
|
11
sssd-2.3.0.tar.gz.asc
Normal file
11
sssd-2.3.0.tar.gz.asc
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAl7DuF4ACgkQr/513ehQ
|
||||||
|
jhIDgAf/bnoW75HQWBMS6xOEP4ncEVXDjv/0r9tRwXke4xy3HLfMAmvS069fVnHe
|
||||||
|
dzpAquijN154qE7QArkfJtz8cuZl/IGuLFNp6W5UgVGifGgub4Uai+9wmpsO7Grb
|
||||||
|
T/bd1d4c/6EYksEtAfLYUnzsmVTcSvIMVvPpPkWbdfoAsbFbkMmi0rZvlxjdMtHl
|
||||||
|
hsJYsIGZbkugsNkUV5V4xPBz9b87CMbF9F7DikstJPhzlMeXGY9aVVnWlW8X/yMJ
|
||||||
|
BUmj2BE1jr7G0lLHVVb90tWXYvjCKzq/klxs7CPV7+4X3e3yoxLKz9HyukLx+xCo
|
||||||
|
Vlwn/XW6xksNeRTUs6S+yL7LKZJ2Sw==
|
||||||
|
=h1Bc
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,809 +0,0 @@
|
|||||||
From dfeedc8ce8c484c317ff16c7460487ee3a1a4dde Mon Sep 17 00:00:00 2001
|
|
||||||
From: David Mulder <dmulder@suse.com>
|
|
||||||
Date: Fri, 4 Oct 2019 13:04:01 -0600
|
|
||||||
Subject: [PATCH 1/5] SSSD should accept host entries from GPO's security
|
|
||||||
filter
|
|
||||||
References: jsc#SLE-9298
|
|
||||||
Upstream: submitted
|
|
||||||
|
|
||||||
Not accepting host entries in the security filter
|
|
||||||
creates the need for sub-OU's, each with its own
|
|
||||||
GPO, otherwise one OU with an assigned GPO would
|
|
||||||
be sufficient.
|
|
||||||
---
|
|
||||||
Makefile.am | 2
|
|
||||||
src/confdb/confdb.c | 11 ++
|
|
||||||
src/confdb/confdb.h | 2
|
|
||||||
src/config/cfg_rules.ini | 1
|
|
||||||
src/db/sysdb_computer.c | 185 ++++++++++++++++++++++++++++++++++++
|
|
||||||
src/db/sysdb_computer.h | 51 ++++++++++
|
|
||||||
src/man/sssd-ad.5.xml | 7 -
|
|
||||||
src/man/sssd.conf.5.xml | 13 ++
|
|
||||||
src/providers/ad/ad_gpo.c | 208 +++++++++++++++++++++++++++++++++++++++--
|
|
||||||
src/providers/ad/ad_gpo_ndr.c | 2
|
|
||||||
src/tests/cmocka/test_ad_gpo.c | 33 +++++-
|
|
||||||
11 files changed, 495 insertions(+), 20 deletions(-)
|
|
||||||
create mode 100644 src/db/sysdb_computer.c
|
|
||||||
create mode 100644 src/db/sysdb_computer.h
|
|
||||||
|
|
||||||
Index: sssd-2.2.3/Makefile.am
|
|
||||||
===================================================================
|
|
||||||
--- sssd-2.2.3.orig/Makefile.am
|
|
||||||
+++ sssd-2.2.3/Makefile.am
|
|
||||||
@@ -781,6 +781,7 @@ dist_noinst_HEADERS = \
|
|
||||||
src/db/sysdb_services.h \
|
|
||||||
src/db/sysdb_ssh.h \
|
|
||||||
src/db/sysdb_domain_resolution_order.h \
|
|
||||||
+ src/db/sysdb_computer.h \
|
|
||||||
src/confdb/confdb.h \
|
|
||||||
src/confdb/confdb_private.h \
|
|
||||||
src/confdb/confdb_setup.h \
|
|
||||||
@@ -1247,6 +1248,7 @@ libsss_util_la_SOURCES = \
|
|
||||||
src/db/sysdb_certmap.c \
|
|
||||||
src/db/sysdb_domain_resolution_order.c \
|
|
||||||
src/util/sss_pam_data.c \
|
|
||||||
+ src/db/sysdb_computer.c \
|
|
||||||
src/util/util.c \
|
|
||||||
src/util/util_ext.c \
|
|
||||||
src/util/util_preauth.c \
|
|
||||||
Index: sssd-2.2.3/src/confdb/confdb.c
|
|
||||||
===================================================================
|
|
||||||
--- sssd-2.2.3.orig/src/confdb/confdb.c
|
|
||||||
+++ sssd-2.2.3/src/confdb/confdb.c
|
|
||||||
@@ -1228,6 +1228,17 @@ static int confdb_get_domain_internal(st
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* Override the computer timeout, if specified */
|
|
||||||
+ ret = get_entry_as_uint32(res->msgs[0], &domain->computer_timeout,
|
|
||||||
+ CONFDB_DOMAIN_COMPUTER_CACHE_TIMEOUT,
|
|
||||||
+ entry_cache_timeout);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
+ "Invalid value for [%s]\n",
|
|
||||||
+ CONFDB_DOMAIN_COMPUTER_CACHE_TIMEOUT);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Set refresh_expired_interval, if specified */
|
|
||||||
ret = get_entry_as_uint32(res->msgs[0], &domain->refresh_expired_interval,
|
|
||||||
CONFDB_DOMAIN_REFRESH_EXPIRED_INTERVAL,
|
|
||||||
Index: sssd-2.2.3/src/confdb/confdb.h
|
|
||||||
===================================================================
|
|
||||||
--- sssd-2.2.3.orig/src/confdb/confdb.h
|
|
||||||
+++ sssd-2.2.3/src/confdb/confdb.h
|
|
||||||
@@ -230,6 +230,7 @@
|
|
||||||
#define CONFDB_DOMAIN_AUTOFS_CACHE_TIMEOUT "entry_cache_autofs_timeout"
|
|
||||||
#define CONFDB_DOMAIN_SUDO_CACHE_TIMEOUT "entry_cache_sudo_timeout"
|
|
||||||
#define CONFDB_DOMAIN_SSH_HOST_CACHE_TIMEOUT "entry_cache_ssh_host_timeout"
|
|
||||||
+#define CONFDB_DOMAIN_COMPUTER_CACHE_TIMEOUT "entry_cache_computer_timeout"
|
|
||||||
#define CONFDB_DOMAIN_PWD_EXPIRATION_WARNING "pwd_expiration_warning"
|
|
||||||
#define CONFDB_DOMAIN_REFRESH_EXPIRED_INTERVAL "refresh_expired_interval"
|
|
||||||
#define CONFDB_DOMAIN_OFFLINE_TIMEOUT "offline_timeout"
|
|
||||||
@@ -373,6 +374,7 @@ struct sss_domain_info {
|
|
||||||
uint32_t autofsmap_timeout;
|
|
||||||
uint32_t sudo_timeout;
|
|
||||||
uint32_t ssh_host_timeout;
|
|
||||||
+ uint32_t computer_timeout;
|
|
||||||
|
|
||||||
uint32_t refresh_expired_interval;
|
|
||||||
uint32_t subdomain_refresh_interval;
|
|
||||||
Index: sssd-2.2.3/src/config/cfg_rules.ini
|
|
||||||
===================================================================
|
|
||||||
--- sssd-2.2.3.orig/src/config/cfg_rules.ini
|
|
||||||
+++ sssd-2.2.3/src/config/cfg_rules.ini
|
|
||||||
@@ -403,6 +403,7 @@ option = entry_cache_service_timeout
|
|
||||||
option = entry_cache_autofs_timeout
|
|
||||||
option = entry_cache_sudo_timeout
|
|
||||||
option = entry_cache_ssh_host_timeout
|
|
||||||
+option = entry_cache_computer_timeout
|
|
||||||
option = refresh_expired_interval
|
|
||||||
|
|
||||||
# Dynamic DNS updates
|
|
||||||
Index: sssd-2.2.3/src/db/sysdb_computer.c
|
|
||||||
===================================================================
|
|
||||||
--- /dev/null
|
|
||||||
+++ sssd-2.2.3/src/db/sysdb_computer.c
|
|
||||||
@@ -0,0 +1,185 @@
|
|
||||||
+/*
|
|
||||||
+ SSSD
|
|
||||||
+
|
|
||||||
+ Authors:
|
|
||||||
+ Samuel Cabrero <scabrero@suse.com>
|
|
||||||
+ David Mulder <dmulder@suse.com>
|
|
||||||
+
|
|
||||||
+ Copyright (C) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
|
|
||||||
+
|
|
||||||
+ This program is free software; you can redistribute it and/or modify
|
|
||||||
+ it under the terms of the GNU General Public License as published by
|
|
||||||
+ the Free Software Foundation; either version 3 of the License, or
|
|
||||||
+ (at your option) any later version.
|
|
||||||
+
|
|
||||||
+ This program is distributed in the hope that it will be useful,
|
|
||||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
+ GNU General Public License for more details.
|
|
||||||
+
|
|
||||||
+ You should have received a copy of the GNU General Public License
|
|
||||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
+*/
|
|
||||||
+
|
|
||||||
+#include <arpa/inet.h>
|
|
||||||
+
|
|
||||||
+#include "db/sysdb.h"
|
|
||||||
+#include "db/sysdb_private.h"
|
|
||||||
+#include "db/sysdb_computer.h"
|
|
||||||
+
|
|
||||||
+static errno_t
|
|
||||||
+sysdb_search_computer(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct sss_domain_info *domain,
|
|
||||||
+ const char *filter,
|
|
||||||
+ const char **attrs,
|
|
||||||
+ size_t *_num_hosts,
|
|
||||||
+ struct ldb_message ***_hosts)
|
|
||||||
+{
|
|
||||||
+ errno_t ret;
|
|
||||||
+ TALLOC_CTX *tmp_ctx;
|
|
||||||
+ struct ldb_message **results;
|
|
||||||
+ size_t num_results;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(NULL);
|
|
||||||
+ if (!tmp_ctx) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sysdb_search_custom(tmp_ctx, domain, filter,
|
|
||||||
+ COMPUTERS_SUBDIR, attrs,
|
|
||||||
+ &num_results, &results);
|
|
||||||
+ if (ret != EOK && ret != ENOENT) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Error looking up host [%d]: %s\n",
|
|
||||||
+ ret, strerror(ret));
|
|
||||||
+ goto done;
|
|
||||||
+ } else if (ret == ENOENT) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, "No such host\n");
|
|
||||||
+ *_hosts = NULL;
|
|
||||||
+ *_num_hosts = 0;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *_hosts = talloc_steal(mem_ctx, results);
|
|
||||||
+ *_num_hosts = num_results;
|
|
||||||
+ ret = EOK;
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+sysdb_get_computer(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct sss_domain_info *domain,
|
|
||||||
+ const char *computer_name,
|
|
||||||
+ const char **attrs,
|
|
||||||
+ struct ldb_message **_computer)
|
|
||||||
+{
|
|
||||||
+ TALLOC_CTX *tmp_ctx;
|
|
||||||
+ errno_t ret;
|
|
||||||
+ const char *filter;
|
|
||||||
+ struct ldb_message **hosts;
|
|
||||||
+ size_t num_hosts;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(NULL);
|
|
||||||
+ if (!tmp_ctx) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ filter = talloc_asprintf(tmp_ctx, SYSDB_COMP_FILTER, computer_name);
|
|
||||||
+ if (!filter) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sysdb_search_computer(tmp_ctx, domain, filter, attrs,
|
|
||||||
+ &num_hosts, &hosts);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (num_hosts != 1) {
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ "Did not find a single host with name %s\n", computer_name);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *_computer = talloc_steal(mem_ctx, hosts[0]);
|
|
||||||
+ ret = EOK;
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ talloc_free(tmp_ctx);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+sysdb_set_computer(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct sss_domain_info *domain,
|
|
||||||
+ const char *computer_name,
|
|
||||||
+ const char *sid_str,
|
|
||||||
+ int cache_timeout,
|
|
||||||
+ time_t now)
|
|
||||||
+{
|
|
||||||
+ TALLOC_CTX *tmp_ctx;
|
|
||||||
+ int ret;
|
|
||||||
+ struct sysdb_attrs *attrs;
|
|
||||||
+
|
|
||||||
+ tmp_ctx = talloc_new(NULL);
|
|
||||||
+ if (!tmp_ctx) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ attrs = sysdb_new_attrs(tmp_ctx);
|
|
||||||
+ if (!attrs) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, sid_str);
|
|
||||||
+ if (ret) goto done;
|
|
||||||
+
|
|
||||||
+ ret = sysdb_attrs_add_string(attrs, SYSDB_OBJECTCLASS, SYSDB_COMPUTER_CLASS);
|
|
||||||
+ if (ret) goto done;
|
|
||||||
+
|
|
||||||
+ ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, computer_name);
|
|
||||||
+ if (ret) goto done;
|
|
||||||
+
|
|
||||||
+ /* creation time */
|
|
||||||
+ ret = sysdb_attrs_add_time_t(attrs, SYSDB_CREATE_TIME, now);
|
|
||||||
+ if (ret) goto done;
|
|
||||||
+
|
|
||||||
+ /* Set a cache expire time. There is a periodic task that cleans up
|
|
||||||
+ * expired entries from the cache even when enumeration is disabled */
|
|
||||||
+ ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE,
|
|
||||||
+ cache_timeout ? (now + cache_timeout) : 0);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "Could not set sysdb cache expire [%d]: %s\n",
|
|
||||||
+ ret, strerror(ret));
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sysdb_store_custom(domain, computer_name, COMPUTERS_SUBDIR, attrs);
|
|
||||||
+ if (ret) goto done;
|
|
||||||
+
|
|
||||||
+ /* FIXME As a future improvement we have to extend domain enumeration.
|
|
||||||
+ * When 'enumerate = true' for a domain, sssd starts a periodic task
|
|
||||||
+ * that brings all users and groups to the cache, cleaning up
|
|
||||||
+ * stale objects after each run. If enumeration is disabled, the cleanup
|
|
||||||
+ * task for expired entries is started instead.
|
|
||||||
+ *
|
|
||||||
+ * We have to extend the enumeration task to fetch 'computer'
|
|
||||||
+ * objects as well (see ad_id_enumeration_send, the entry point of the
|
|
||||||
+ * enumeration task for the id provider).
|
|
||||||
+ */
|
|
||||||
+done:
|
|
||||||
+ if (ret) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Error: %d (%s)\n", ret, strerror(ret));
|
|
||||||
+ }
|
|
||||||
+ talloc_zfree(tmp_ctx);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
Index: sssd-2.2.3/src/db/sysdb_computer.h
|
|
||||||
===================================================================
|
|
||||||
--- /dev/null
|
|
||||||
+++ sssd-2.2.3/src/db/sysdb_computer.h
|
|
||||||
@@ -0,0 +1,51 @@
|
|
||||||
+/*
|
|
||||||
+ SSSD
|
|
||||||
+
|
|
||||||
+ Authors:
|
|
||||||
+ Samuel Cabrero <scabrero@suse.com>
|
|
||||||
+ David Mulder <dmulder@suse.com>
|
|
||||||
+
|
|
||||||
+ Copyright (C) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
|
|
||||||
+
|
|
||||||
+ This program is free software; you can redistribute it and/or modify
|
|
||||||
+ it under the terms of the GNU General Public License as published by
|
|
||||||
+ the Free Software Foundation; either version 3 of the License, or
|
|
||||||
+ (at your option) any later version.
|
|
||||||
+
|
|
||||||
+ This program is distributed in the hope that it will be useful,
|
|
||||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
+ GNU General Public License for more details.
|
|
||||||
+
|
|
||||||
+ You should have received a copy of the GNU General Public License
|
|
||||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
+*/
|
|
||||||
+
|
|
||||||
+#ifndef SYSDB_COMPUTERS_H_
|
|
||||||
+#define SYSDB_COMPUTERS_H_
|
|
||||||
+
|
|
||||||
+#include "db/sysdb.h"
|
|
||||||
+
|
|
||||||
+#define COMPUTERS_SUBDIR "computers"
|
|
||||||
+#define SYSDB_COMPUTER_CLASS "computer"
|
|
||||||
+#define SYSDB_COMPUTERS_CONTAINER "cn="COMPUTERS_SUBDIR
|
|
||||||
+#define SYSDB_TMPL_COMPUTER_BASE SYSDB_COMPUTERS_CONTAINER","SYSDB_DOM_BASE
|
|
||||||
+#define SYSDB_TMPL_COMPUTER SYSDB_NAME"=%s,"SYSDB_TMPL_COMPUTER_BASE
|
|
||||||
+#define SYSDB_COMP_FILTER "(&("SYSDB_NAME"=%s)("SYSDB_OBJECTCLASS"="SYSDB_COMPUTER_CLASS"))"
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+sysdb_get_computer(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct sss_domain_info *domain,
|
|
||||||
+ const char *computer_name,
|
|
||||||
+ const char **attrs,
|
|
||||||
+ struct ldb_message **computer);
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+sysdb_set_computer(TALLOC_CTX *mem_ctx,
|
|
||||||
+ struct sss_domain_info *domain,
|
|
||||||
+ const char *computer_name,
|
|
||||||
+ const char *sid_str,
|
|
||||||
+ int cache_timeout,
|
|
||||||
+ time_t now);
|
|
||||||
+
|
|
||||||
+#endif /* SYSDB_COMPUTERS_H_ */
|
|
||||||
Index: sssd-2.2.3/src/man/sssd-ad.5.xml
|
|
||||||
===================================================================
|
|
||||||
--- sssd-2.2.3.orig/src/man/sssd-ad.5.xml
|
|
||||||
+++ sssd-2.2.3/src/man/sssd-ad.5.xml
|
|
||||||
@@ -407,13 +407,6 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.19
|
|
||||||
always apply also to the user.
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
- NOTE: The current version of SSSD does not support
|
|
||||||
- host (computer) entries in the GPO 'Security
|
|
||||||
- Filtering' list. Only user and group entries are
|
|
||||||
- supported. Host entries in the list have no
|
|
||||||
- effect.
|
|
||||||
- </para>
|
|
||||||
- <para>
|
|
||||||
NOTE: If the operation mode is set to enforcing, it
|
|
||||||
is possible that users that were previously allowed
|
|
||||||
logon access will now be denied logon access (as
|
|
||||||
Index: sssd-2.2.3/src/man/sssd.conf.5.xml
|
|
||||||
===================================================================
|
|
||||||
--- sssd-2.2.3.orig/src/man/sssd.conf.5.xml
|
|
||||||
+++ sssd-2.2.3/src/man/sssd.conf.5.xml
|
|
||||||
@@ -2244,6 +2244,19 @@ p11_uri = library-description=OpenSC%20s
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
+ <term>entry_cache_computer_timeout (integer)</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ How many seconds to keep the local computer
|
|
||||||
+ entry before asking the backend again
|
|
||||||
+ </para>
|
|
||||||
+ <para>
|
|
||||||
+ Default: entry_cache_timeout
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+
|
|
||||||
+ <varlistentry>
|
|
||||||
<term>refresh_expired_interval (integer)</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
Index: sssd-2.2.3/src/providers/ad/ad_gpo.c
|
|
||||||
===================================================================
|
|
||||||
--- sssd-2.2.3.orig/src/providers/ad/ad_gpo.c
|
|
||||||
+++ sssd-2.2.3/src/providers/ad/ad_gpo.c
|
|
||||||
@@ -51,6 +51,7 @@
|
|
||||||
#include "util/util_sss_idmap.h"
|
|
||||||
#include <ndr.h>
|
|
||||||
#include <gen_ndr/security.h>
|
|
||||||
+#include <db/sysdb_computer.h>
|
|
||||||
|
|
||||||
/* == gpo-ldap constants =================================================== */
|
|
||||||
|
|
||||||
@@ -65,6 +66,7 @@
|
|
||||||
#define AD_AT_MACHINE_EXT_NAMES "gPCMachineExtensionNames"
|
|
||||||
#define AD_AT_FUNC_VERSION "gPCFunctionalityVersion"
|
|
||||||
#define AD_AT_FLAGS "flags"
|
|
||||||
+#define AD_AT_SID "objectSid"
|
|
||||||
|
|
||||||
#define UAC_WORKSTATION_TRUST_ACCOUNT 0x00001000
|
|
||||||
#define UAC_SERVER_TRUST_ACCOUNT 0x00002000
|
|
||||||
@@ -654,6 +656,7 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
|
|
||||||
*/
|
|
||||||
static errno_t
|
|
||||||
ad_gpo_ace_includes_client_sid(const char *user_sid,
|
|
||||||
+ const char *host_sid,
|
|
||||||
const char **group_sids,
|
|
||||||
int group_size,
|
|
||||||
struct dom_sid ace_dom_sid,
|
|
||||||
@@ -662,6 +665,7 @@ ad_gpo_ace_includes_client_sid(const cha
|
|
||||||
{
|
|
||||||
int i = 0;
|
|
||||||
struct dom_sid *user_dom_sid;
|
|
||||||
+ struct dom_sid *host_dom_sid;
|
|
||||||
struct dom_sid *group_dom_sid;
|
|
||||||
enum idmap_error_code err;
|
|
||||||
bool included = false;
|
|
||||||
@@ -679,6 +683,19 @@ ad_gpo_ace_includes_client_sid(const cha
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ err = sss_idmap_sid_to_smb_sid(idmap_ctx, host_sid, &host_dom_sid);
|
|
||||||
+ if (err != IDMAP_SUCCESS) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n");
|
|
||||||
+ return EFAULT;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ included = ad_gpo_dom_sid_equal(&ace_dom_sid, host_dom_sid);
|
|
||||||
+ sss_idmap_free_smb_sid(idmap_ctx, host_dom_sid);
|
|
||||||
+ if (included) {
|
|
||||||
+ *_included = true;
|
|
||||||
+ return EOK;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
for (i = 0; i < group_size; i++) {
|
|
||||||
err = sss_idmap_sid_to_smb_sid(idmap_ctx, group_sids[i], &group_dom_sid);
|
|
||||||
if (err != IDMAP_SUCCESS) {
|
|
||||||
@@ -728,6 +745,7 @@ ad_gpo_ace_includes_client_sid(const cha
|
|
||||||
static enum ace_eval_status ad_gpo_evaluate_ace(struct security_ace *ace,
|
|
||||||
struct sss_idmap_ctx *idmap_ctx,
|
|
||||||
const char *user_sid,
|
|
||||||
+ const char *host_sid,
|
|
||||||
const char **group_sids,
|
|
||||||
int group_size)
|
|
||||||
{
|
|
||||||
@@ -741,8 +759,9 @@ static enum ace_eval_status ad_gpo_evalu
|
|
||||||
return AD_GPO_ACE_NEUTRAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size,
|
|
||||||
- ace->trustee, idmap_ctx, &included);
|
|
||||||
+ ret = ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids,
|
|
||||||
+ group_size, ace->trustee, idmap_ctx,
|
|
||||||
+ &included);
|
|
||||||
|
|
||||||
if (ret != EOK) {
|
|
||||||
return AD_GPO_ACE_DENIED;
|
|
||||||
@@ -786,6 +805,7 @@ static enum ace_eval_status ad_gpo_evalu
|
|
||||||
static errno_t ad_gpo_evaluate_dacl(struct security_acl *dacl,
|
|
||||||
struct sss_idmap_ctx *idmap_ctx,
|
|
||||||
const char *user_sid,
|
|
||||||
+ const char *host_sid,
|
|
||||||
const char **group_sids,
|
|
||||||
int group_size,
|
|
||||||
bool *_dacl_access_allowed)
|
|
||||||
@@ -810,7 +830,7 @@ static errno_t ad_gpo_evaluate_dacl(stru
|
|
||||||
for (i = 0; i < dacl->num_aces; i ++) {
|
|
||||||
ace = &dacl->aces[i];
|
|
||||||
|
|
||||||
- ace_status = ad_gpo_evaluate_ace(ace, idmap_ctx, user_sid,
|
|
||||||
+ ace_status = ad_gpo_evaluate_ace(ace, idmap_ctx, user_sid, host_sid,
|
|
||||||
group_sids, group_size);
|
|
||||||
|
|
||||||
switch (ace_status) {
|
|
||||||
@@ -838,6 +858,7 @@ static errno_t ad_gpo_evaluate_dacl(stru
|
|
||||||
static errno_t
|
|
||||||
ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx,
|
|
||||||
const char *user,
|
|
||||||
+ const char *host_sid,
|
|
||||||
struct sss_domain_info *domain,
|
|
||||||
struct sss_idmap_ctx *idmap_ctx,
|
|
||||||
struct gp_gpo **candidate_gpos,
|
|
||||||
@@ -927,8 +948,8 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *m
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ad_gpo_evaluate_dacl(dacl, idmap_ctx, user_sid, group_sids,
|
|
||||||
- group_size, &access_allowed);
|
|
||||||
+ ret = ad_gpo_evaluate_dacl(dacl, idmap_ctx, user_sid, host_sid,
|
|
||||||
+ group_sids, group_size, &access_allowed);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_MINOR_FAILURE, "Could not determine if GPO is applicable\n");
|
|
||||||
continue;
|
|
||||||
@@ -1602,6 +1623,7 @@ struct ad_gpo_access_state {
|
|
||||||
const char *user;
|
|
||||||
int gpo_timeout_option;
|
|
||||||
const char *ad_hostname;
|
|
||||||
+ const char *host_sid;
|
|
||||||
const char *target_dn;
|
|
||||||
struct gp_gpo **dacl_filtered_gpos;
|
|
||||||
int num_dacl_filtered_gpos;
|
|
||||||
@@ -1617,6 +1639,7 @@ static void ad_gpo_process_gpo_done(stru
|
|
||||||
|
|
||||||
static errno_t ad_gpo_cse_step(struct tevent_req *req);
|
|
||||||
static void ad_gpo_cse_done(struct tevent_req *subreq);
|
|
||||||
+static void ad_gpo_get_host_sid_retrieval_done(struct tevent_req *subreq);
|
|
||||||
|
|
||||||
struct tevent_req *
|
|
||||||
ad_gpo_access_send(TALLOC_CTX *mem_ctx,
|
|
||||||
@@ -1924,6 +1947,11 @@ ad_gpo_target_dn_retrieval_done(struct t
|
|
||||||
struct sysdb_attrs **reply;
|
|
||||||
const char *target_dn = NULL;
|
|
||||||
uint32_t uac;
|
|
||||||
+ char *filter = NULL;
|
|
||||||
+ char *domain_dn;
|
|
||||||
+ const char *attrs[] = {AD_AT_SID, NULL};
|
|
||||||
+ struct ldb_message *msg;
|
|
||||||
+ static const char *host_attrs[] = { SYSDB_SID_STR, NULL };
|
|
||||||
|
|
||||||
req = tevent_req_callback_data(subreq, struct tevent_req);
|
|
||||||
state = tevent_req_data(req, struct ad_gpo_access_state);
|
|
||||||
@@ -2008,6 +2036,173 @@ ad_gpo_target_dn_retrieval_done(struct t
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* Check if computer exists in cache */
|
|
||||||
+ ret = sysdb_get_computer(state, state->user_domain, state->ad_hostname,
|
|
||||||
+ host_attrs, &msg);
|
|
||||||
+ if (ret == ENOENT) {
|
|
||||||
+ /* The computer is not in cache so query LDAP server */
|
|
||||||
+ /* Convert the domain name into domain DN */
|
|
||||||
+ ret = domain_to_basedn(state, state->host_domain->name, &domain_dn);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "Cannot convert domain name [%s] to base DN [%d]: %s\n",
|
|
||||||
+ state->host_domain->name, ret, sss_strerror(ret));
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ filter = talloc_asprintf(subreq, SYSDB_COMP_FILTER, state->ad_hostname);
|
|
||||||
+ if (!filter) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ subreq = sdap_get_generic_send(state, state->ev, state->opts,
|
|
||||||
+ sdap_id_op_handle(state->sdap_op),
|
|
||||||
+ domain_dn, LDAP_SCOPE_SUBTREE,
|
|
||||||
+ filter, attrs, NULL, 0,
|
|
||||||
+ state->timeout,
|
|
||||||
+ false);
|
|
||||||
+
|
|
||||||
+ if (subreq == NULL) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ tevent_req_set_callback(subreq, ad_gpo_get_host_sid_retrieval_done, req);
|
|
||||||
+ return;
|
|
||||||
+ } else if (ret != EOK) {
|
|
||||||
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* The computer exists in the cache, there is no need to query LDAP.
|
|
||||||
+ * Store the retrieved host sid from cache in the state to avoid querying
|
|
||||||
+ * the cache again in ad_gpo_get_sids.
|
|
||||||
+ */
|
|
||||||
+ state->host_sid = ldb_msg_find_attr_as_string(msg, SYSDB_SID_STR, NULL);
|
|
||||||
+ talloc_steal(state, state->host_sid);
|
|
||||||
+
|
|
||||||
+ subreq = ad_gpo_process_som_send(state,
|
|
||||||
+ state->ev,
|
|
||||||
+ state->conn,
|
|
||||||
+ state->ldb_ctx,
|
|
||||||
+ state->sdap_op,
|
|
||||||
+ state->opts,
|
|
||||||
+ state->access_ctx->ad_options,
|
|
||||||
+ state->timeout,
|
|
||||||
+ state->target_dn,
|
|
||||||
+ state->host_domain->name);
|
|
||||||
+ if (subreq == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ tevent_req_set_callback(subreq, ad_gpo_process_som_done, req);
|
|
||||||
+
|
|
||||||
+ ret = EOK;
|
|
||||||
+
|
|
||||||
+ done:
|
|
||||||
+
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ tevent_req_error(req, ret);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+enum ndr_err_code
|
|
||||||
+ndr_pull_dom_sid(struct ndr_pull *ndr,
|
|
||||||
+ int ndr_flags,
|
|
||||||
+ struct dom_sid *r);
|
|
||||||
+
|
|
||||||
+static void ad_gpo_get_host_sid_retrieval_done(struct tevent_req *subreq)
|
|
||||||
+{
|
|
||||||
+ struct tevent_req *req;
|
|
||||||
+ struct ad_gpo_access_state *state;
|
|
||||||
+ int ret;
|
|
||||||
+ int dp_error;
|
|
||||||
+ size_t reply_count;
|
|
||||||
+ struct sysdb_attrs **reply;
|
|
||||||
+ struct ldb_message_element *el = NULL;
|
|
||||||
+ enum ndr_err_code ndr_err;
|
|
||||||
+ struct dom_sid host_sid;
|
|
||||||
+ char *sid_str;
|
|
||||||
+
|
|
||||||
+ req = tevent_req_callback_data(subreq, struct tevent_req);
|
|
||||||
+ state = tevent_req_data(req, struct ad_gpo_access_state);
|
|
||||||
+
|
|
||||||
+ ret = sdap_get_generic_recv(subreq, state,
|
|
||||||
+ &reply_count, &reply);
|
|
||||||
+ talloc_zfree(subreq);
|
|
||||||
+
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
|
|
||||||
+
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "sdap_get_generic_recv failed: [%d](%s)\n",
|
|
||||||
+ ret, sss_strerror(ret));
|
|
||||||
+ ret = ENOENT;
|
|
||||||
+ tevent_req_error(req, ret);
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (reply_count == 0 || !reply) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "sdap_get_generic_recv failed to receive host sid\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* reply[0] holds the requested attribute */
|
|
||||||
+ ret = sysdb_attrs_get_el(reply[0], AD_AT_SID, &el);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "sysdb_attrs_get_el failed: [%d](%s)\n",
|
|
||||||
+ ret, sss_strerror(ret));
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ if (el->num_values != 1) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "ad_gpo_get_host_sid_retrieval_done failed: sid not present\n");
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* parse the dom_sid from the ldb blob */
|
|
||||||
+ ndr_err = ndr_pull_struct_blob_all((DATA_BLOB*)&(el->values[0]),
|
|
||||||
+ subreq, &host_sid,
|
|
||||||
+ (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
|
|
||||||
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "ndr_pull_struct_blob_all failed: [%d]\n",
|
|
||||||
+ ndr_err);
|
|
||||||
+ ret = EIO;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Convert the dom_sid to a sid string */
|
|
||||||
+ ret = sss_idmap_smb_sid_to_sid(state->opts->idmap_ctx->map,
|
|
||||||
+ &host_sid, &sid_str);
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "sss_idmap_smb_sid_to_sid failed: [%d](%s)\n",
|
|
||||||
+ ret, sss_strerror(ret));
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+ state->host_sid = talloc_steal(state, sid_str);
|
|
||||||
+
|
|
||||||
+ /* Put the sid string in the sysdb */
|
|
||||||
+ ret = sysdb_set_computer(subreq, state->user_domain,
|
|
||||||
+ state->ad_hostname, state->host_sid,
|
|
||||||
+ state->user_domain->computer_timeout,
|
|
||||||
+ time(NULL));
|
|
||||||
+ if (ret != EOK) {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ "sysdb_set_computer failed: [%d](%s)\n",
|
|
||||||
+ ret, sss_strerror(ret));
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
subreq = ad_gpo_process_som_send(state,
|
|
||||||
state->ev,
|
|
||||||
state->conn,
|
|
||||||
@@ -2143,7 +2338,8 @@ ad_gpo_process_gpo_done(struct tevent_re
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->user_domain,
|
|
||||||
+ ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->host_sid,
|
|
||||||
+ state->user_domain,
|
|
||||||
state->opts->idmap_ctx->map,
|
|
||||||
candidate_gpos, num_candidate_gpos,
|
|
||||||
&state->dacl_filtered_gpos,
|
|
||||||
Index: sssd-2.2.3/src/providers/ad/ad_gpo_ndr.c
|
|
||||||
===================================================================
|
|
||||||
--- sssd-2.2.3.orig/src/providers/ad/ad_gpo_ndr.c
|
|
||||||
+++ sssd-2.2.3/src/providers/ad/ad_gpo_ndr.c
|
|
||||||
@@ -248,7 +248,7 @@ ndr_pull_security_ace_object_ctr(struct
|
|
||||||
return NDR_ERR_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static enum ndr_err_code
|
|
||||||
+enum ndr_err_code
|
|
||||||
ndr_pull_dom_sid(struct ndr_pull *ndr,
|
|
||||||
int ndr_flags,
|
|
||||||
struct dom_sid *r)
|
|
||||||
Index: sssd-2.2.3/src/tests/cmocka/test_ad_gpo.c
|
|
||||||
===================================================================
|
|
||||||
--- sssd-2.2.3.orig/src/tests/cmocka/test_ad_gpo.c
|
|
||||||
+++ sssd-2.2.3/src/tests/cmocka/test_ad_gpo.c
|
|
||||||
@@ -267,6 +267,7 @@ void test_populate_gplink_list_malformed
|
|
||||||
* Test SID-matching logic
|
|
||||||
*/
|
|
||||||
static void test_ad_gpo_ace_includes_client_sid(const char *user_sid,
|
|
||||||
+ const char *host_sid,
|
|
||||||
const char **group_sids,
|
|
||||||
int group_size,
|
|
||||||
struct dom_sid ace_dom_sid,
|
|
||||||
@@ -286,8 +287,8 @@ static void test_ad_gpo_ace_includes_cli
|
|
||||||
&idmap_ctx);
|
|
||||||
assert_int_equal(err, IDMAP_SUCCESS);
|
|
||||||
|
|
||||||
- ret = ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size,
|
|
||||||
- ace_dom_sid, idmap_ctx,
|
|
||||||
+ ret = ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids,
|
|
||||||
+ group_size, ace_dom_sid, idmap_ctx,
|
|
||||||
&includes_client_sid);
|
|
||||||
talloc_free(idmap_ctx);
|
|
||||||
|
|
||||||
@@ -305,13 +306,14 @@ void test_ad_gpo_ace_includes_client_sid
|
|
||||||
struct dom_sid ace_dom_sid = {1, 4, {0, 0, 0, 0, 0, 5}, {21, 2, 3, 4}};
|
|
||||||
|
|
||||||
const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103";
|
|
||||||
+ const char *host_sid = "S-1-5-21-1898687337-2196588786-2775055786-2102";
|
|
||||||
|
|
||||||
int group_size = 2;
|
|
||||||
const char *group_sids[] = {"S-1-5-21-2-3-4",
|
|
||||||
"S-1-5-21-2-3-5"};
|
|
||||||
|
|
||||||
- test_ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size,
|
|
||||||
- ace_dom_sid, true);
|
|
||||||
+ test_ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids,
|
|
||||||
+ group_size, ace_dom_sid, true);
|
|
||||||
}
|
|
||||||
|
|
||||||
void test_ad_gpo_ace_includes_client_sid_false(void **state)
|
|
||||||
@@ -320,13 +322,29 @@ void test_ad_gpo_ace_includes_client_sid
|
|
||||||
struct dom_sid ace_dom_sid = {1, 4, {0, 0, 0, 0, 0, 5}, {21, 2, 3, 4}};
|
|
||||||
|
|
||||||
const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103";
|
|
||||||
+ const char *host_sid = "S-1-5-21-1898687337-2196588786-2775055786-2102";
|
|
||||||
|
|
||||||
int group_size = 2;
|
|
||||||
const char *group_sids[] = {"S-1-5-21-2-3-5",
|
|
||||||
"S-1-5-21-2-3-6"};
|
|
||||||
|
|
||||||
- test_ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size,
|
|
||||||
- ace_dom_sid, false);
|
|
||||||
+ test_ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids,
|
|
||||||
+ group_size, ace_dom_sid, false);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void test_ad_gpo_ace_includes_host_sid_true(void **state)
|
|
||||||
+{
|
|
||||||
+ /* ace_dom_sid represents "S-1-5-21-1898687337-2196588786-2775055786-2102" */
|
|
||||||
+ struct dom_sid ace_dom_sid = {1, 5, {0, 0, 0, 0, 0, 5}, {21, 1898687337, 2196588786, 2775055786, 2102}};
|
|
||||||
+
|
|
||||||
+ const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103";
|
|
||||||
+ const char *host_sid = "S-1-5-21-1898687337-2196588786-2775055786-2102";
|
|
||||||
+
|
|
||||||
+ int group_size = 0;
|
|
||||||
+ const char *group_sids[] = {};
|
|
||||||
+
|
|
||||||
+ test_ad_gpo_ace_includes_client_sid(user_sid, host_sid, group_sids,
|
|
||||||
+ group_size, ace_dom_sid, true);
|
|
||||||
}
|
|
||||||
|
|
||||||
int main(int argc, const char *argv[])
|
|
||||||
@@ -364,6 +382,9 @@ int main(int argc, const char *argv[])
|
|
||||||
cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_client_sid_false,
|
|
||||||
ad_gpo_test_setup,
|
|
||||||
ad_gpo_test_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_host_sid_true,
|
|
||||||
+ ad_gpo_test_setup,
|
|
||||||
+ ad_gpo_test_teardown),
|
|
||||||
};
|
|
||||||
|
|
||||||
/* Set debug level to invalid value so we can decide if -d 0 was used. */
|
|
23
sssd.changes
23
sssd.changes
@ -1,3 +1,26 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue May 19 11:32:22 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
||||||
|
|
||||||
|
- Update to release 2.3.0
|
||||||
|
* SSSD can now handle hosts and networks nsswitch databases
|
||||||
|
(see resolve_provider option).
|
||||||
|
* By default, authentication request only refresh user's
|
||||||
|
initgroups if it is expired or there is not active user's
|
||||||
|
session (see pam_initgroups_scheme option).
|
||||||
|
* OpenSSL is used as default crypto provider, NSS is deprecated.
|
||||||
|
* The AD provider now defaults to GSS-SPNEGO SASL mechanism
|
||||||
|
(see ldap_sasl_mech option).
|
||||||
|
* The AD provider can now be configured to use only ldaps port
|
||||||
|
(see ad_use_ldaps option).
|
||||||
|
* SSSD now accepts host entries from GPO's security filter.
|
||||||
|
* New debug level (0x10000) added for low level LDB messages
|
||||||
|
only (see sssd.conf man page).
|
||||||
|
- Drop sssd-gpo_host_security_filter-2.2.2.patch,
|
||||||
|
0001-Resolve-computer-lookup-failure-when-sam-cn.patch,
|
||||||
|
0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged)
|
||||||
|
- Drop 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
|
||||||
|
(unapplicable)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Mar 24 10:49:17 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
Tue Mar 24 10:49:17 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
||||||
|
|
||||||
|
19
sssd.spec
19
sssd.spec
@ -18,22 +18,18 @@
|
|||||||
%define _buildshell /bin/bash
|
%define _buildshell /bin/bash
|
||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 2.2.3
|
Version: 2.3.0
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPL-3.0-or-later and LGPL-3.0-or-later
|
License: GPL-3.0-or-later and LGPL-3.0-or-later
|
||||||
Group: System/Daemons
|
Group: System/Daemons
|
||||||
URL: https://pagure.io/SSSD/sssd
|
URL: https://pagure.io/SSSD/sssd
|
||||||
#Git-Clone: https://pagure.io/SSSD/sssd
|
#Git-Clone: https://pagure.io/SSSD/sssd
|
||||||
Source: https://releases.pagure.org/SSSD/sssd/%name-%version.tar.gz
|
Source: https://github.com/SSSD/sssd/releases/download/sssd-2_3_0/%name-%version.tar.gz
|
||||||
Source2: https://releases.pagure.org/SSSD/sssd/%name-%version.tar.gz.asc
|
Source2: https://github.com/SSSD/sssd/releases/download/sssd-2_3_0/%name-%version.tar.gz.asc
|
||||||
Source3: baselibs.conf
|
Source3: baselibs.conf
|
||||||
Source5: %name.keyring
|
Source5: %name.keyring
|
||||||
Patch1: krb-noversion.diff
|
Patch1: krb-noversion.diff
|
||||||
Patch2: sssd-gpo_host_security_filter-2.2.2.patch
|
|
||||||
Patch3: 0001-Resolve-computer-lookup-failure-when-sam-cn.patch
|
|
||||||
Patch4: 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch
|
|
||||||
Patch5: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
|
|
||||||
|
|
||||||
%define servicename sssd
|
%define servicename sssd
|
||||||
%define sssdstatedir %_localstatedir/lib/sss
|
%define sssdstatedir %_localstatedir/lib/sss
|
||||||
@ -45,23 +41,23 @@ Patch5: 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
|
|||||||
BuildRequires: autoconf >= 2.59
|
BuildRequires: autoconf >= 2.59
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: bind-utils
|
BuildRequires: bind-utils
|
||||||
|
BuildRequires: check-devel
|
||||||
BuildRequires: cifs-utils-devel
|
BuildRequires: cifs-utils-devel
|
||||||
BuildRequires: cyrus-sasl-devel
|
BuildRequires: cyrus-sasl-devel
|
||||||
BuildRequires: docbook-xsl-stylesheets
|
BuildRequires: docbook-xsl-stylesheets
|
||||||
BuildRequires: krb5-devel >= 1.12
|
BuildRequires: krb5-devel >= 1.12
|
||||||
|
BuildRequires: libcmocka-devel
|
||||||
BuildRequires: libsmbclient-devel
|
BuildRequires: libsmbclient-devel
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
BuildRequires: libxml2-tools
|
BuildRequires: libxml2-tools
|
||||||
BuildRequires: libxslt-tools
|
BuildRequires: libxslt-tools
|
||||||
BuildRequires: nscd
|
BuildRequires: nscd
|
||||||
|
BuildRequires: nss_wrapper
|
||||||
BuildRequires: openldap2-devel
|
BuildRequires: openldap2-devel
|
||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
BuildRequires: pkg-config >= 0.21
|
BuildRequires: pkg-config >= 0.21
|
||||||
BuildRequires: systemd-rpm-macros
|
BuildRequires: systemd-rpm-macros
|
||||||
BuildRequires: libcmocka-devel
|
|
||||||
BuildRequires: nss_wrapper
|
|
||||||
BuildRequires: uid_wrapper
|
BuildRequires: uid_wrapper
|
||||||
BuildRequires: check-devel
|
|
||||||
BuildRequires: pkgconfig(augeas) >= 1.0.0
|
BuildRequires: pkgconfig(augeas) >= 1.0.0
|
||||||
BuildRequires: pkgconfig(collection) >= 0.5.1
|
BuildRequires: pkgconfig(collection) >= 0.5.1
|
||||||
BuildRequires: pkgconfig(dbus-1) >= 1.0.0
|
BuildRequires: pkgconfig(dbus-1) >= 1.0.0
|
||||||
@ -447,7 +443,7 @@ rm -Rfv "$b/usr/lib/debug/usr/lib/sssd/p11_child-1.16.2-0.x86_64.debug"
|
|||||||
|
|
||||||
%check
|
%check
|
||||||
# sss_config-tests fails
|
# sss_config-tests fails
|
||||||
make %{?_smp_mflags} check ||:
|
make %{?_smp_mflags} check || :
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
|
%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
|
||||||
@ -606,7 +602,6 @@ rm -f /var/lib/sss/db/*.ldb
|
|||||||
%_libdir/cifs-utils/
|
%_libdir/cifs-utils/
|
||||||
%_libdir/krb5/
|
%_libdir/krb5/
|
||||||
%_libdir/%name/modules/sssd_krb5_localauth_plugin.so
|
%_libdir/%name/modules/sssd_krb5_localauth_plugin.so
|
||||||
%_mandir/??/man8/pam_sss.8*
|
|
||||||
%_mandir/??/man8/sssd_krb5_locator_plugin.8*
|
%_mandir/??/man8/sssd_krb5_locator_plugin.8*
|
||||||
%_mandir/man8/pam_sss.8*
|
%_mandir/man8/pam_sss.8*
|
||||||
%_mandir/man8/sssd_krb5_locator_plugin.8*
|
%_mandir/man8/sssd_krb5_locator_plugin.8*
|
||||||
|
Loading…
Reference in New Issue
Block a user