[SSSD] [sssd PR#5494][comment] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Title: #5494: pam_sss_gss: support authentication indicators

abbra commented:
"""
Thanks, @frozencemetery, I updated the code according to the suggestions. I also decided to unify a bit the man page example language -- I do talk about X.509-based certificates when describing authentication indicators in `sssd.conf(5)` right before the example where it is stated that these certificates can be stored in files or on smart cards.
"""

See the full comment at https://github.com/SSSD/sssd/pull/5494#issuecomment-775385675
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
[SSSD] [sssd PR#5494][synchronized] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Author: abbra
Title: #5494: pam_sss_gss: support authentication indicators
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5494/head:pr5494
git checkout pr5494

From f81a3718e04076dd40eb9b206b34d19f59d6e54e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Feb 2021 20:36:27 +0200
Subject: [PATCH] pam_sss_gss: support authentication indicators

MIT Kerberos allows associating authentication indicators with the issued ticket based on how the TGT was obtained. The indicators present in the TGT are then copied to service tickets. There are two ways to check the authentication indicators:

- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.

Add support to validate presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT.

This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using one of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482
Signed-off-by: Alexander Bokovoy
--- src/confdb/confdb.c | 13 ++ src/confdb/confdb.h | 3 + src/config/SSSDConfig/sssdoptions.py | 2 + src/config/SSSDConfigTest.py | 6 +- src/config/cfg_rules.ini | 3 + src/config/etc/sssd.api.conf | 2 + src/db/sysdb_subdomains.c| 11 ++ src/man/pam_sss_gss.8.xml| 13 ++ src/man/sssd.conf.5.xml | 53 +++ src/responder/pam/pamsrv_gssapi.c| 214 +++ 10 files changed, 318 insertions(+), 2 deletions(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index befcfff2db..4f00034044 100644 
--- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } } +tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_PAM_GSSAPI_INDICATORS_MAP, + NULL); +if (tmp != NULL) { +ret = split_on_separator(domain, tmp, ',', true, true, + &domain->gssapi_indicators_map, NULL); +if (ret != 0) { +DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP); +goto done; +} +} + domain->has_views = false; domain->view_name = NULL; diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 036f9ecadf..a2be227ddd 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -146,6 +146,7 @@ #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" +#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" @@ -437,6 +438,8 @@ struct sss_domain_info { /* List of PAM services that are allowed to authenticate with GSSAPI. */ char **gssapi_services; char *gssapi_check_upn; /* true | false | NULL */ +/* List of indicators associated with the specific PAM service */ +char **gssapi_indicators_map; }; /** diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py index fb9a9aa43c..5d9946ba8f 100644 --- a/src/config/SSSDConfig/sssdoptions.py +++ b/src/config/SSSDConfig/sssdoptions.py 
@@ -106,6 +106,8 @@ def __init__(self): 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'), +'pam_gssapi_indicators_map' : _('List of pairs : that ' +'must be enforced for PAM access with GSSAPI authentication'), # [sudo] 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6a95e63dd1..04c4b35baa 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -655,7 +655,8 @@ def testListOptions(self): 'cached_auth_timeout', 'auto_private_groups', 'pam_gssapi_services', -'pam_gssapi_check_upn'] +'pam_gssapi_check_upn', +'pam_gssapi_indicators_map'] self.assertT
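Review bot: In the `confdb.c` hunk the new option is only split on commas, so the shape of each item is never checked at load time; an item such as `sudo:` or one with two colons goes through `split_on_separator()` and is stored in `domain->gssapi_indicators_map` unchanged. If the per-item parsing in `pamsrv_gssapi.c` (not visible in this excerpt) does not reject such items, consider validating them here so that a typo in an access-control option fails at startup rather than at the first authentication. The "Cannot parse %s" message would also be easier to act on if it logged `ret` and the offending value next to the option name.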
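Review bot: The help string added in the `sssdoptions.py` hunk describes the option as a list of pairs, and the new comment in `confdb.h` says the indicators are tied to a specific PAM service, yet the configuration used to test this PR (`pam_gssapi_indicators_map = hardened, sudo:pkinit, sudo-i:otp`) also contains a bare indicator with no service. Both strings should say that an item can take either form and what a bare indicator means for the services listed in `pam_gssapi_services`.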
[SSSD] [sssd PR#5494][comment] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Title: #5494: pam_sss_gss: support authentication indicators

abbra commented:
"""
It now works for me. Here is a test on Fedora 33:

```
[admin@master ~]$ export KRB5CCNAME=/tmp/admin.cc
[admin@master ~]$ sudo -l
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 116980
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: ad...@ipa.test
pam_sss_gss: User domain: ipa.test
pam_sss_gss: User principal:
pam_sss_gss: Target name: h...@master.ipa.test
pam_sss_gss: Using ccache: /tmp/admin.cc
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 116980 to 0
pam_sss_gss: Authentication successful
Matching Defaults entries for admin on master:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/var/lib/snapd/snap/bin
User admin may run the following commands on master:
(root) ALL
[admin@master ~]$ logout
[root@master ~]# grep pam_gssapi /etc/sssd/sssd.conf
pam_gssapi_services = sudo, sudo-i
pam_gssapi_indicators_map = hardened, sudo:pkinit, sudo-i:otp
[root@master ~]# fgrep gssapi_ /var/log/sssd/sssd_pam.log |tail -10
(2021-02-08 17:18:50): [pam] [pam_cmd_gssapi_init_done] (0x0400): Trying GSSAPI auth: User[ad...@ipa.test], Domain[ipa.test], UPN[], Target[h...@master.ipa.test]
(2021-02-08 17:18:50): [pam] [pam_cmd_gssapi_init_done] (0x0400): Returning [0]: Success
(2021-02-08 17:18:50): [pam] [gssapi_handshake] (0x0400): Security context established with [ad...@ipa.test]
(2021-02-08 17:18:50): [pam] [gssapi_get_indicators] (0x0400): attribute's [auth-indicators] value [hardened] authenticated
(2021-02-08 17:18:50): [pam] [gssapi_get_indicators] (0x0400): authentication indicators: [hardened]
(2021-02-08 17:18:50): [pam] [pam_gssapi_check_indicators] (0x0400): indicator [hardened] is allowed for PAM service [sudo]
(2021-02-08 17:18:50): [pam] [pam_cmd_gssapi_sec_ctx] (0x0400): Check if acquired service ticket has req. indicators: 0
(2021-02-08 17:18:50): [pam] [pam_cmd_gssapi_sec_ctx] (0x0400): Checking that target user matches UPN
(2021-02-08 17:18:50): [pam] [pam_cmd_gssapi_sec_ctx_done] (0x0400): User [ad...@ipa.test] match UPN [ad...@ipa.test]. Authentication was successful.
(2021-02-08 17:18:50): [pam] [pam_cmd_gssapi_sec_ctx_done] (0x0400): Returning [0]: Success
```
"""

See the full comment at https://github.com/SSSD/sssd/pull/5494#issuecomment-775308547
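The decision recorded in the log above (`indicator [hardened] is allowed for PAM service [sudo]`) can be modelled as follows; this is an added example, not SSSD's code and not part of the original message. It assumes what the test shows, that a bare indicator applies to every service and that one matching indicator is enough, and it additionally assumes that a service with no applicable entry is unrestricted; `indicators_allow`, the `IND_*` codes and the sample tickets are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { IND_MALFORMED = -1, IND_DENY = 0, IND_ALLOW = 1 };

/* Map quoted in the comment above; the ticket contents are constructed. */
static const char PAGE_MAP[] = "hardened, sudo:pkinit, sudo-i:otp";
static const char *const TICKET_HARDENED[] = { "hardened" };
static const char *const TICKET_OTP[] = { "otp" };

/* Strip leading and trailing whitespace in place. */
static char *trim(char *s)
{
    char *end;

    while (isspace((unsigned char)*s)) s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) end--;
    *end = '\0';
    return s;
}

static int in_ticket(const char *ind, const char *const *ticket, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(ticket[i], ind) == 0) return 1;
    }
    return 0;
}

/* Decide whether a ticket carrying `ticket` indicators may use `service`. */
int indicators_allow(const char *map, const char *service,
                     const char *const *ticket, size_t n_ticket)
{
    char buf[512];
    char *p = buf;
    int applicable = 0, matched = 0;

    if (map == NULL) return IND_ALLOW;           /* option not set */
    if (strlen(map) >= sizeof(buf)) return IND_MALFORMED;
    strcpy(buf, map);

    while (p != NULL) {
        char *comma = strchr(p, ',');
        char *entry, *colon, *ind;

        if (comma != NULL) *comma = '\0';
        entry = trim(p);
        p = (comma != NULL) ? comma + 1 : NULL;
        if (*entry == '\0') continue;            /* skip empty items */

        colon = strchr(entry, ':');
        ind = entry;                             /* bare item: any service */
        if (colon != NULL) {
            *colon = '\0';
            entry = trim(entry);
            ind = trim(colon + 1);
            /* Reject "sudo:", ":otp" and "a:b:c" instead of guessing. */
            if (*entry == '\0' || *ind == '\0' || strchr(ind, ':') != NULL)
                return IND_MALFORMED;
            /* Exact match: "sudo" must not pick up "sudo-i" entries. */
            if (strcmp(entry, service) != 0) continue;
        }
        applicable = 1;
        if (in_ticket(ind, ticket, n_ticket)) matched = 1;
    }
    /* Assumption: no entry for this service means no restriction. */
    if (!applicable) return IND_ALLOW;
    return matched ? IND_ALLOW : IND_DENY;
}

int main(void)
{
    printf("sudo   + hardened: %d\n",
           indicators_allow(PAGE_MAP, "sudo", TICKET_HARDENED, 1));
    printf("sudo   + otp:      %d\n",
           indicators_allow(PAGE_MAP, "sudo", TICKET_OTP, 1));
    printf("sudo-i + otp:      %d\n",
           indicators_allow(PAGE_MAP, "sudo-i", TICKET_OTP, 1));
    printf("sudo   + none:     %d\n",
           indicators_allow(PAGE_MAP, "sudo", NULL, 0));
    printf("malformed map:     %d\n",
           indicators_allow("hardened, sudo:", "sudo", TICKET_HARDENED, 1));
    return 0;
}
```

With the map from the test, an `otp` ticket is accepted for `sudo-i` but refused for `sudo`, which is the per-service separation the option is meant to provide.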
[SSSD] [sssd PR#5494][synchronized] pam_sss_gss: support authentication indicators
URL: https://github.com/SSSD/sssd/pull/5494
Author: abbra
Title: #5494: pam_sss_gss: support authentication indicators
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5494/head:pr5494
git checkout pr5494

From 49c3ce894d3cd725e97c3bb2f1006dc7a471ad44 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Feb 2021 20:36:27 +0200
Subject: [PATCH] pam_sss_gss: support authentication indicators

MIT Kerberos allows associating authentication indicators with the issued ticket based on how the TGT was obtained. The indicators present in the TGT are then copied to service tickets. There are two ways to check the authentication indicators:

- when the KDC issues a service ticket, a policy on the KDC side can reject the ticket issuance based on the lack of a certain indicator
- when a server application is presented with a service ticket from a client, it can verify that this ticket contains the intended authentication indicators before authorizing access from the client.

Add support to validate presence of a specific (set of) authentication indicator(s) in pam_sss_gss when validating a user's TGT.

This concept can be used to only allow access to a PAM service when the user is in possession of a ticket obtained using one of the pre-authentication mechanisms that require multiple factors: smart-cards (PKINIT), 2FA tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482
Signed-off-by: Alexander Bokovoy
--- src/confdb/confdb.c | 13 ++ src/confdb/confdb.h | 3 + src/config/SSSDConfig/sssdoptions.py | 2 + src/config/SSSDConfigTest.py | 6 +- src/config/cfg_rules.ini | 3 + src/config/etc/sssd.api.conf | 2 + src/db/sysdb_subdomains.c| 11 ++ src/man/pam_sss_gss.8.xml| 6 + src/man/sssd.conf.5.xml | 44 ++ src/responder/pam/pamsrv_gssapi.c| 218 +++ 10 files changed, 306 insertions(+), 2 deletions(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index befcfff2db..4f00034044 100644 
--- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } } +tmp = ldb_msg_find_attr_as_string(res->msgs[0], + CONFDB_PAM_GSSAPI_INDICATORS_MAP, + NULL); +if (tmp != NULL) { +ret = split_on_separator(domain, tmp, ',', true, true, + &domain->gssapi_indicators_map, NULL); +if (ret != 0) { +DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP); +goto done; +} +} + domain->has_views = false; domain->view_name = NULL; diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 036f9ecadf..a2be227ddd 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -146,6 +146,7 @@ #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" +#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" @@ -437,6 +438,8 @@ struct sss_domain_info { /* List of PAM services that are allowed to authenticate with GSSAPI. */ char **gssapi_services; char *gssapi_check_upn; /* true | false | NULL */ +/* List of indicators associated with the specific PAM service */ +char **gssapi_indicators_map; }; /** diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py index fb9a9aa43c..5d9946ba8f 100644 --- a/src/config/SSSDConfig/sssdoptions.py +++ b/src/config/SSSDConfig/sssdoptions.py 
@@ -106,6 +106,8 @@ def __init__(self): 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'), +'pam_gssapi_indicators_map' : _('List of pairs : that ' +'must be enforced for PAM access with GSSAPI authentication'), # [sudo] 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 6a95e63dd1..04c4b35baa 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -655,7 +655,8 @@ def testListOptions(self): 'cached_auth_timeout', 'auto_private_groups', 'pam_gssapi_services', -'pam_gssapi_check_upn'] +'pam_gssapi_check_upn', +'pam_gssapi_indicators_map'] self.assertTru
[SSSD] [sssd PR#5493][+Waiting for review] Backport of a number of patches to fix build issues of 1-16 branch on modern platforms
URL: https://github.com/SSSD/sssd/pull/5493
Title: #5493: Backport of a number of patches to fix build issues of 1-16 branch on modern platforms
Label: +Waiting for review
[SSSD] [sssd PR#5485][+Bugzilla] sudo: do not search by low usn value to improve performance
URL: https://github.com/SSSD/sssd/pull/5485
Title: #5485: sudo: do not search by low usn value to improve performance
Label: +Bugzilla
[SSSD] [sssd PR#5485][+Waiting for review] sudo: do not search by low usn value to improve performance
URL: https://github.com/SSSD/sssd/pull/5485
Title: #5485: sudo: do not search by low usn value to improve performance
Label: +Waiting for review
[SSSD] [sssd PR#5493][synchronized] Backport of a number of patches to fix build issues of 1-16 branch on modern platforms
URL: https://github.com/SSSD/sssd/pull/5493
Author: alexey-tikhonov
Title: #5493: Backport of a number of patches to fix build issues of 1-16 branch on modern platforms
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5493/head:pr5493
git checkout pr5493

From 8b35d5d8073e861a3a4e72c3f1736467f84b4b24 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Fri, 24 Jan 2020 15:17:39 +0100
Subject: [PATCH 01/15] Fix build failure against samba 4.12.0rc1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The ndr_pull_get_switch() function was dropped, but it was just a wrapper around the ndr_token_peek() function, so we can use this approach on both old and new versions of libndr.

Signed-off-by: Stephen Gallagher
Reviewed-by: Pavel Březina
(cherry picked from commit bc56b10aea999284458dcc293b54cf65288e325d)
--- src/providers/ad/ad_gpo_ndr.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c index 0a8ebaee87..49c49d71b2 100644 --- a/src/providers/ad/ad_gpo_ndr.c +++ b/src/providers/ad/ad_gpo_ndr.c @@ -105,7 +105,7 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr, union security_ace_object_type *r) { uint32_t level; -level = ndr_pull_get_switch_value(ndr, r); +level = ndr_token_peek(&ndr->switch_list, r); NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_union_align(ndr, 4)); @@ -135,7 +135,7 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr, union security_ace_object_inherited_type *r) { uint32_t level; -level = ndr_pull_get_switch_value(ndr, r); +level = ndr_token_peek(&ndr->switch_list, r); NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_union_align(ndr, 4)); 
@@ -198,7 +198,7 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr, union security_ace_object_ctr *r) { uint32_t level; -level = ndr_pull_get_switch_value(ndr, r); +level = ndr_token_peek(&ndr->switch_list, r); NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); if (ndr_flags & NDR_SCALARS) { NDR_CHECK(ndr_pull_union_align(ndr, 4)); From ad0c77459f9e52de38b41d5a7099fef090f56e97 Mon Sep 17 00:00:00 2001 From: Noel Power Date: Tue, 24 Mar 2020 13:37:07 + Subject: [PATCH 02/15] Use ndr_pull_steal_switch_value for modern samba versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit bc56b10aea999284458dcc293b54cf65288e325d attempted to fix the build error resulting from removal of 'ndr_pull_get_switch' This change uses the new replacement method 'ndr_pull_steal_switch_value' however depending on the samba version the ndr_pull_steal_switch_value abi is different. Note: ndr_pull_steal_switch_value is used since samba 4.10 for the affected methods Note: the following methods have been refreshed from samba-4.12 generated code; o ndr_pull_security_ace_object_type o ndr_pull_security_ace_object_inherited_type o ndr_pull_security_ace_object_ctr Signed-off-by: Noel Power Reviewed-by: Pavel Březina (cherry picked from commit 1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc) --- src/external/samba.m4 | 9 ++- src/providers/ad/ad_gpo_ndr.c | 45 --- 2 files changed, 34 insertions(+), 20 deletions(-) diff --git a/src/external/samba.m4 b/src/external/samba.m4 index 089f602a60..8e06174ead 100644 --- a/src/external/samba.m4 +++ b/src/external/samba.m4 
@@ -132,10 +132,17 @@ int main(void) AC_DEFINE_UNQUOTED(SMB_IDMAP_DOMAIN_HAS_DOM_SID, 1, [Samba's struct idmap_domain has dom_sid member]) AC_MSG_NOTICE([Samba's struct idmap_domain has dom_sid member]) +if test $samba_minor_version -ge 12 ; then +AC_DEFINE_UNQUOTED(SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH, 1, + [Samba's new push/pull switch functions]) +AC_MSG_NOTICE([Samba has support for new ndr_push_steal_switch_value and ndr_pull_steal_switch_value functions]) +else +AC_MSG_NOTICE([Samba supports old ndr_pull_steal_switch_value and ndr_pull_steal_switch_value functions]) +fi else AC_MSG_NOTICE([Samba's struct idmap_domain does not have dom_sid member]) +AC_MSG_NOTICE([Samba supports old ndr_pull_steal_switch_value and ndr_pull_steal_switch_value functions]) fi - fi SAVE_CFLAGS=$CFLAGS diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c index 49c49d71b2..3d389e513d 100644 --- a/src/providers/ad/ad_gpo_ndr.c +++ b/src/providers/ad/ad_gpo_ndr.c @@ -105,9 +105,14 @@ ndr_pull_security_ace_object_type(struct nd
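Review bot: The version gate in the `samba.m4` hunk, `if test $samba_minor_version -ge 12`, looks only at the minor number and leaves the expansion unquoted, so a later major release with a low minor number would select the old ABI, and an empty variable makes `test` report an error and fall through to the else branch. Compare major and minor together and quote the variable. The gate is also nested inside the `dom_sid` member probe, which ties `SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH` to an unrelated check, and both "old" notices name `ndr_pull_steal_switch_value` twice where the "new" notice names the push and the pull function.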
[SSSD] [sssd PR#5264][closed] Utils: White space replace with another character
URL: https://github.com/SSSD/sssd/pull/5264
Author: elkoniu
Title: #5264: Utils: White space replace with another character
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5264/head:pr5264
git checkout pr5264