-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [PATCH 1/2] Initgroups on a non-cached user should go to the data provider
We were accidentally returning an error when sysdb_getpwnam() returned zero results internally in sysdb_initgroups(). The correct behavior here is to return EOK and a result object with zero entries. https://fedorahosted.org/sssd/ticket/620 [PATCH 2/2] Request all group attributes during initgroups processing We tried to be too clever and only requested the name of the group, but we require the objectClass to validate the results. https://fedorahosted.org/sssd/ticket/622 - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkyOR80ACgkQeiVVYja6o6OyTACeN+FQCO8kLEeWBdyedOc2x8DK H8wAn0fccxqM0ps2IU8vUNJhMzvA6jtC =iOXA -----END PGP SIGNATURE-----
From 74f97e2174f4388f1e1ca701f1ba8695e163f1ca Mon Sep 17 00:00:00 2001 From: Stephen Gallagher <[email protected]> Date: Mon, 13 Sep 2010 11:42:36 -0400 Subject: [PATCH 1/2] Initgroups on a non-cached user should go to the data provider We were accidentally returning an error when sysdb_getpwnam() returned zero results internally in sysdb_initgroups(). The correct behavior here is to return EOK and a result object with zero entries. https://fedorahosted.org/sssd/ticket/620 --- src/db/sysdb_ops.c | 2 +- src/db/sysdb_search.c | 12 +++++++++++- src/responder/nss/nsssrv_cmd.c | 3 ++- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 017f8ebce9fefa4a747bf502c8c7f6ba61193ff8..7b3442fa30850241c57bdbbc5427a4aa96f70625 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -2227,7 +2227,7 @@ errno_t sysdb_update_members(struct sysdb_ctx *sysdb, add_groups[i], user); if (ret != EOK) { DEBUG(1, ("Could not add user [%s] to group [%s]. " - "Skipping.\n")); + "Skipping.\n", user, add_groups[i])); /* Continue on, we should try to finish the rest */ } } diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index 6029b99d810835d874d69bc5a60cad6529ce93e1..a24ea5b17103e1d190ec0a6d764fe378ed5b31af 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c @@ -383,10 +383,20 @@ int sysdb_initgroups(TALLOC_CTX *mem_ctx, ret = sysdb_getpwnam(tmpctx, ctx, domain, name, &res); if (ret != EOK) { + DEBUG(1, ("sysdb_getpwnam failed: [%d][%s]\n", + ret, strerror(ret))); goto done; } - if (res->count != 1) { + + if (res->count == 0) { + /* User is not cached yet */ + *_res = talloc_steal(mem_ctx, res); + ret = EOK; + goto done; + + } else if (res->count != 1) { ret = EIO; + DEBUG(1, ("sysdb_getpwnam returned count: [%d]\n", res->count)); goto done; } diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 6df705fb6354dca0fe48c098264a6270d6160321..c3f35e13a48c9c00be9a6e5bde7968445c37e67f 100644 
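Review bot: In the `else if (res->count != 1)` branch added to sysdb_initgroups(), the new DEBUG prints `res->count` with `%d`; if `res` is a `struct ldb_result`, its count is an unsigned int and the call should read `DEBUG(1, ("sysdb_getpwnam returned count: [%u]\n", res->count));`. The sysdb_ops.c hunk in this same patch repairs a DEBUG call whose two `%s` arguments were missing, which suggests these format strings are not compiler-checked, so specifier mismatches need to be caught in review. The zero-count path also changes the function's contract; a comment above the function such as `/* Returns EOK with (*_res)->count == 0 when the user is not cached */` would tell callers not to index the result's entries unconditionally. The function starts and ends outside the hunk.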
--- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c @@ -2895,7 +2895,8 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx) ret = sysdb_initgroups(cmdctx, sysdb, dom, name, &dctx->res); if (ret != EOK) { - DEBUG(1, ("Failed to make request to our cache!\n")); + DEBUG(1, ("Failed to make request to our cache! [%d][%s]\n", + ret, strerror(ret))); return EIO; } -- 1.7.2.2
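Review bot: After this patch, `ret == EOK` from sysdb_initgroups() no longer implies that a user entry was found, so the code following this check in nss_cmd_initgroups_search() must test `dctx->res->count == 0` before touching any entry and route that case to the data provider. That code lies outside the hunk and should be confirmed. The error branch still returns `EIO` for every failure, so the more specific `ret` is visible only in the debug log; `return ret;` would preserve it if the callers can handle other codes.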
From e834167206a4f770d1bc4f671df7de00245f4856 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher <[email protected]> Date: Mon, 13 Sep 2010 11:45:42 -0400 Subject: [PATCH 2/2] Request all group attributes during initgroups processing We tried to be too clever and only requested the name of the group, but we require the objectClass to validate the results. https://fedorahosted.org/sssd/ticket/622 --- src/providers/ldap/ldap_id.c | 1 + src/providers/ldap/sdap_async_accounts.c | 11 ++++++----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index d52dcec5b081ccca44e3995a3f7672390df33e5d..0c90773a50fc8a2dbb1ed9ddb58c26b2d8291360 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -619,6 +619,7 @@ static void groups_by_user_done(struct tevent_req *subreq) return; } + state->dp_error = DP_ERR_OK; tevent_req_done(req); } diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c index 8999ba015fc8bf7c7884245cd055b10033b331f0..4db4a4ccd53a05670b63568ef504969a0d04a80a 100644 --- a/src/providers/ldap/sdap_async_accounts.c +++ b/src/providers/ldap/sdap_async_accounts.c @@ -1042,7 +1042,8 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx, struct tevent_req *req, *subreq; struct sdap_initgr_rfc2307_state *state; const char *filter; - const char *attrs[2]; + const char **attrs; + errno_t ret; req = tevent_req_create(memctx, &state, struct sdap_initgr_rfc2307_state); if (!req) return NULL; 
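Review bot: The added `state->dp_error = DP_ERR_OK;` in groups_by_user_done() is not mentioned in the commit description, which only discusses the requested attributes. Nothing in the hunk shows what value `dp_error` holds before this line or on the earlier `return` path. A short comment such as `/* success: make sure the data provider sees DP_ERR_OK */` and a sentence in the commit message would make the intent reviewable. The function begins outside the hunk.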
@@ -1059,12 +1060,12 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx, return NULL; } - attrs[0] = talloc_strdup(state, opts->group_map[SDAP_AT_GROUP_NAME].name); - if (!attrs[0]) { - talloc_zfree(req); + ret = build_attrs_from_map(state, opts->group_map, + SDAP_OPTS_GROUP, &attrs); + if (ret != EOK) { + talloc_free(req); return NULL; } - attrs[1] = NULL; filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", opts->group_map[SDAP_AT_GROUP_MEMBER].name, -- 1.7.2.2
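Review bot: `build_attrs_from_map(state, opts->group_map, SDAP_OPTS_GROUP, &attrs)` makes the initgroups search request every attribute in the group map, which is wider than the objectClass the commit message says was missing. Membership attributes of large groups and anything else in the map are then fetched for each group the user belongs to. If the result handling needs only a few attributes, a narrower explicit list would keep the query minimal; otherwise a comment such as `/* full group map: the reply is validated and saved as a complete group entry */` would record why, to be confirmed against the code that consumes the reply. The failure path also switches from `talloc_zfree(req)` to `talloc_free(req)` without explanation; both are fine before `return NULL`, but keeping the form the removed line used would be more consistent. The declarations of `attrs` and `ret` are in the previous hunk, and the function continues past this one.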
