diff --git a/0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch b/0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
new file mode 100644
index 0000000..6088872
--- /dev/null
+++ b/0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
@@ -0,0 +1,144 @@
+From f2c1a2c4a209f1d8db13ec8a875b5787747dca61 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Tue, 1 May 2018 21:05:21 +0200
+Subject: [PATCH] SYSDB: Only check non-POSIX groups for GID conflicts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When checking for a GID conflict, it doesn't make sense to check for one
+when the group being added is a non-POSIX one, because then the GID will
+always be 0.
+
+Reviewed-by: Fabiano FidĂȘncio
+(cherry picked from commit 8a8285cf515c78709e16ec03b254c89466fe3ea2)
+---
+ src/db/sysdb_ops.c | 38 ++++++++++++++++---------------
+ src/tests/sysdb-tests.c | 50 ++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 69 insertions(+), 19 deletions(-)
+
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index 93b967e75..124c1285e 100644
+--- a/src/db/sysdb_ops.c
++++ b/src/db/sysdb_ops.c
+@@ -2388,28 +2388,30 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
+ return ENOMEM;
+ }
+
+- ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs, &msg);
+- if (ret == EOK) {
+- for (int i = 0; !same && group_attrs[i] != NULL; i++) {
+- previous = ldb_msg_find_attr_as_string(msg,
+- group_attrs[i],
+- NULL);
+- if (previous != NULL && values[i] != NULL) {
+- same = strcmp(previous, values[i]) == 0;
++ if (posix) {
++ ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs, &msg);
++ if (ret == EOK) {
++ for (int i = 0; !same && group_attrs[i] != NULL; i++) {
++ previous = ldb_msg_find_attr_as_string(msg,
++ group_attrs[i],
++ NULL);
++ if (previous != NULL && values[i] != NULL) {
++ same = strcmp(previous, values[i]) == 0;
++ }
++ }
++
++ if (same == true) {
++ DEBUG(SSSDBG_TRACE_LIBS,
++ "The group with GID [%"SPRIgid"] was renamed\n", gid);
++ ret = ERR_GID_DUPLICATED;
++ goto done;
+ }
+- }
+
+- if (same == true) {
+- DEBUG(SSSDBG_TRACE_LIBS,
+- "The group with GID [%"SPRIgid"] was renamed\n", gid);
+- ret = ERR_GID_DUPLICATED;
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Another group with GID [%"SPRIgid"] already exists\n", gid);
++ ret = EEXIST;
+ goto done;
+ }
+-
+- DEBUG(SSSDBG_OP_FAILURE,
+- "Another group with GID [%"SPRIgid"] already exists\n", gid);
+- ret = EEXIST;
+- goto done;
+ }
+
+ /* try to add the group */
+diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
+index 416dedb5e..19cdcc2f8 100644
+--- a/src/tests/sysdb-tests.c
++++ b/src/tests/sysdb-tests.c
+@@ -1557,6 +1557,53 @@ START_TEST (test_sysdb_add_nonposix_user)
+ }
+ END_TEST
+
++static void add_nonposix_incomplete_group(struct sysdb_test_ctx *test_ctx,
++ const char *groupname)
++{
++ const char *get_attrs[] = { SYSDB_GIDNUM,
++ SYSDB_POSIX,
++ NULL };
++ struct ldb_message *msg;
++ const char *attrval;
++ const char *fq_name;
++ int ret;
++ uint64_t id;
++
++ /* Create group */
++ fq_name = sss_create_internal_fqname(test_ctx, groupname, test_ctx->domain->name);
++ fail_if(fq_name == NULL, "Failed to create fq name.");
++
++ ret = sysdb_add_incomplete_group(test_ctx->domain, fq_name, 0,
++ NULL, NULL, NULL, false, 0);
++ fail_if(ret != EOK, "sysdb_add_group failed.");
++
++ /* Test */
++ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, fq_name, get_attrs, &msg);
++ fail_if(ret != EOK, "sysdb_search_group_by_name failed.");
++
++ attrval = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
++ fail_if(strcasecmp(attrval, "false") != 0, "Got bad attribute value.");
++
++ id = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 123);
++ fail_unless(id == 0, "Wrong GID value");
++}
++
++START_TEST (test_sysdb_add_nonposix_group)
++{
++ struct sysdb_test_ctx *test_ctx;
++ int ret;
++
++ /* Setup */
++ ret = setup_sysdb_tests(&test_ctx);
++ fail_if(ret != EOK, "Could not set up the test");
++
++ add_nonposix_incomplete_group(test_ctx, "nonposix1");
++ add_nonposix_incomplete_group(test_ctx, "nonposix2");
++
++ talloc_free(test_ctx);
++}
++END_TEST
++
+ START_TEST (test_sysdb_add_group_member)
+ {
+ struct sysdb_test_ctx *test_ctx;
+@@ -7268,8 +7315,9 @@ Suite *create_sysdb_suite(void)
+ /* Test GetUserAttr with subdomain user */
+ tcase_add_test(tc_sysdb, test_sysdb_get_user_attr_subdomain);
+
+- /* Test adding a non-POSIX user */
++ /* Test adding a non-POSIX user and group */
+ tcase_add_test(tc_sysdb, test_sysdb_add_nonposix_user);
++ tcase_add_test(tc_sysdb, test_sysdb_add_nonposix_group);
+
+ /* ===== NETGROUP TESTS ===== */
+
+--
+2.17.0
+
diff --git a/sssd.spec b/sssd.spec
index 03f0e20..1c2dd87 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -99,6 +99,7 @@
 Patch0054: 0054-TESTS-replace-hardcoded-certificates.patch
 Patch0055: 0055-DYNDNS-Move-the-retry-logic-into-a-separate-function.patch
 Patch0056: 0056-DYNDNS-Retry-also-on-timeouts.patch
 Patch0057: 0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch
+Patch0058: 0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@@ -1308,6 +1309,8 @@ fi - Resolves: upstream#3726 - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'. +- Related: upstream#2653 - Group renaming issue when "id_provider = ldap" is + set. * Sat May 05 2018 Fabiano FidĂȘncio - 1.16.1-4 - Resolves: rhbz#1574778 - sssd fails to download known_hosts from freeipa
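Review bot: The new `if (posix)` guard in sysdb_add_incomplete_group drops the gidNumber collision check entirely for non-POSIX groups, which is only safe if `gid` is guaranteed to be 0 on that path; `gid` arrives as a separate parameter and the hunk does not show the function forcing it to 0 when `posix` is false (the function starts and ends outside the hunk), so a caller passing `posix = false` together with a real GID would store a colliding gidNumber unchecked. Making the invariant explicit, e.g. `if (!posix && gid != 0) { ret = EINVAL; goto done; }` ahead of the guard, or at least a comment `/* non-POSIX groups always carry gid 0, so no GID conflict is possible */`, would keep the shortcut honest. Inside the guard only `ret == EOK` is examined, so a lookup failure other than the expected not-found result still falls through to the add; `else if (ret != ENOENT) { goto done; }` would surface it instead of silently skipping the conflict check. In the new test helper add_nonposix_incomplete_group, `attrval` from ldb_msg_find_attr_as_string may be NULL and is passed straight to strcasecmp; add `fail_if(attrval == NULL, "Group has no POSIX attribute.");` before that comparison, and the failure text `"sysdb_add_group failed."` names the wrong function for the sysdb_add_incomplete_group call it follows.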