-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/13/2010 11:48 AM, Stephen Gallagher wrote:
> [PATCH 1/2] Initgroups on a non-cached user should go to the data provider
> 
> We were accidentally returning an error when sysdb_getpwnam()
> returned zero results internally in sysdb_initgroups(). The
> correct behavior here is to return EOK and a result object with
> zero entries.
> 
> https://fedorahosted.org/sssd/ticket/620
> 
> 

Sorry, noticed a tiny oversight on patch 0001. I had only fixed the
DEBUG message for the add case, and missed the del case. The new patch
0001 corrects this.


- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyOdugACgkQeiVVYja6o6MyvgCdFilmqSUnJSAgfCMTrILYBxHb
JP4An3RxJtIrzH16GZIJkRbCvI7dhDxL
=n+f7
-----END PGP SIGNATURE-----
From 0b3f10fbb2f342577029eed8900713029acd3948 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <[email protected]>
Date: Mon, 13 Sep 2010 11:42:36 -0400
Subject: [PATCH 1/2] Initgroups on a non-cached user should go to the data provider

We were accidentally returning an error when sysdb_getpwnam()
returned zero results internally in sysdb_initgroups(). The
correct behavior here is to return EOK and a result object with
zero entries.

https://fedorahosted.org/sssd/ticket/620
---
 src/db/sysdb_ops.c             |    5 +++--
 src/db/sysdb_search.c          |   12 +++++++++++-
 src/responder/nss/nsssrv_cmd.c |    3 ++-
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 017f8ebce9fefa4a747bf502c8c7f6ba61193ff8..3d660710b96b66c350625fae0b96b2917457ae16 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1039,6 +1039,7 @@ int sysdb_mod_group_member(TALLOC_CTX *mem_ctx,
     }
 
     ret = ldb_modify(ctx->ldb, msg);
+
     ret = sysdb_error_to_errno(ret);
 
 fail:
@@ -2227,7 +2228,7 @@ errno_t sysdb_update_members(struct sysdb_ctx *sysdb,
                                          add_groups[i], user);
             if (ret != EOK) {
                 DEBUG(1, ("Could not add user [%s] to group [%s]. "
-                          "Skipping.\n"));
+                          "Skipping.\n", user, add_groups[i]));
                 /* Continue on, we should try to finish the rest */
             }
         }
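Review bot: The corrected DEBUG call in the add loop of sysdb_update_members, and the matching one in the removal loop in the next hunk, still omit `ret`, although the other messages touched by this patch print `[%d][%s]` with `ret, strerror(ret)`. Consider `"Skipping. [%d][%s]\n", user, add_groups[i], ret, strerror(ret)` (and the same with `del_groups[i]`) so a partially applied membership update can be diagnosed from the log. Failures are deliberately skipped and the function's final return is outside the hunk, so it is worth confirming that the caller can tell when some memberships were not written to the cache.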
@@ -2240,7 +2241,7 @@ errno_t sysdb_update_members(struct sysdb_ctx *sysdb,
                                             del_groups[i], user);
             if (ret != EOK) {
                 DEBUG(1, ("Could not remove user [%s] from group [%s]. "
-                          "Skipping\n"));
+                          "Skipping\n", user, del_groups[i]));
                 /* Continue on, we should try to finish the rest */
             }
         }
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 6029b99d810835d874d69bc5a60cad6529ce93e1..a24ea5b17103e1d190ec0a6d764fe378ed5b31af 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -383,10 +383,20 @@ int sysdb_initgroups(TALLOC_CTX *mem_ctx,
 
     ret = sysdb_getpwnam(tmpctx, ctx, domain, name, &res);
     if (ret != EOK) {
+        DEBUG(1, ("sysdb_getpwnam failed: [%d][%s]\n",
+                  ret, strerror(ret)));
         goto done;
     }
-    if (res->count != 1) {
+
+    if (res->count == 0) {
+        /* User is not cached yet */
+        *_res = talloc_steal(mem_ctx, res);
+        ret = EOK;
+        goto done;
+
+    } else if (res->count != 1) {
         ret = EIO;
+        DEBUG(1, ("sysdb_getpwnam returned count: [%d]\n", res->count));
         goto done;
     }
 
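Review bot: `res->count` is printed with `%d` in the new `else if` branch, but the count field of an ldb result is an unsigned int, so the conversion should be `%u`: `DEBUG(1, ("sysdb_getpwnam returned count: [%u]\n", res->count));`. The new `count == 0` branch also changes the contract of sysdb_initgroups, since callers now receive EOK with an empty result and must test `res->count` before touching `res->msgs[0]`. A fuller comment on that branch, such as `/* User is not cached yet: hand back the empty result so the caller can go to the data provider */`, would make this explicit. The function body continues outside the hunk, so the cleanup at `done:` is not visible here.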
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 6df705fb6354dca0fe48c098264a6270d6160321..c3f35e13a48c9c00be9a6e5bde7968445c37e67f 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -2895,7 +2895,8 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
 
         ret = sysdb_initgroups(cmdctx, sysdb, dom, name, &dctx->res);
         if (ret != EOK) {
-            DEBUG(1, ("Failed to make request to our cache!\n"));
+            DEBUG(1, ("Failed to make request to our cache! [%d][%s]\n",
+                      ret, strerror(ret)));
             return EIO;
         }
 
-- 
1.7.2.2

From 6383722f096a3486327a565f4e323440f6a406c8 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <[email protected]>
Date: Mon, 13 Sep 2010 11:45:42 -0400
Subject: [PATCH 2/2] Request all group attributes during initgroups processing

We tried to be too clever and only requested the name of the group,
but we require the objectClass to validate the results.

https://fedorahosted.org/sssd/ticket/622
---
 src/providers/ldap/ldap_id.c             |    1 +
 src/providers/ldap/sdap_async_accounts.c |   11 ++++++-----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index d52dcec5b081ccca44e3995a3f7672390df33e5d..0c90773a50fc8a2dbb1ed9ddb58c26b2d8291360 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -619,6 +619,7 @@ static void groups_by_user_done(struct tevent_req *subreq)
         return;
     }
 
+    state->dp_error = DP_ERR_OK;
     tevent_req_done(req);
 }
 
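Review bot: The added `state->dp_error = DP_ERR_OK;` has no comment and is not mentioned in the commit description, which covers only the attribute list. If `dp_error` is set to a failure value when the request is created (not visible in this hunk), say so at the assignment, e.g. `/* All steps succeeded; clear the default error so the caller reports success */`. groups_by_user_done starts outside the hunk, so the error paths that leave `dp_error` untouched cannot be checked from here.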
diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
index 8999ba015fc8bf7c7884245cd055b10033b331f0..4db4a4ccd53a05670b63568ef504969a0d04a80a 100644
--- a/src/providers/ldap/sdap_async_accounts.c
+++ b/src/providers/ldap/sdap_async_accounts.c
@@ -1042,7 +1042,8 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
     struct tevent_req *req, *subreq;
     struct sdap_initgr_rfc2307_state *state;
     const char *filter;
-    const char *attrs[2];
+    const char **attrs;
+    errno_t ret;
 
     req = tevent_req_create(memctx, &state, struct sdap_initgr_rfc2307_state);
     if (!req) return NULL;
@@ -1059,12 +1060,12 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
         return NULL;
     }
 
-    attrs[0] = talloc_strdup(state, opts->group_map[SDAP_AT_GROUP_NAME].name);
-    if (!attrs[0]) {
-        talloc_zfree(req);
+    ret = build_attrs_from_map(state, opts->group_map,
+                               SDAP_OPTS_GROUP, &attrs);
+    if (ret != EOK) {
+        talloc_free(req);
         return NULL;
     }
-    attrs[1] = NULL;
 
     filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
                              opts->group_map[SDAP_AT_GROUP_MEMBER].name,
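Review bot: The new failure path after `build_attrs_from_map` calls `talloc_free(req)` where the line it replaces used `talloc_zfree(req)`; keep `talloc_zfree(req);` so the error paths in sdap_initgr_rfc2307_send stay uniform. `attrs` is now allocated on `state`, so it is released together with the request. The `talloc_asprintf` call that builds the filter runs past the end of the hunk and its second `%s` operand is not visible; if that operand is the user name from the request, confirm it is escaped for LDAP filter syntax before it is interpolated.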
-- 
1.7.2.2

Attachment: 0001-Initgroups-on-a-non-cached-user-should-go-to-the-dat.patch.sig
Description: PGP signature

Attachment: 0002-Request-all-group-attributes-during-initgroups-proce.patch.sig
Description: PGP signature
