author | Fabiano FidĂȘncio <fidencio@redhat.com> | 2017-08-14 15:46:10 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2017-08-28 20:54:47 +0200 |
commit | 1e7b7da3aa56060c26f8ba1c08318cdee77753ea (patch) | |
tree | f4bd062db9ad96f6d8122396385d7667dd372c5a /src/responder | |
parent | b54d79cf3c8017e186b5ea7cdc383746233db39b (diff) | |
NEGCACHE: Always add "root" to the negative cache
The current code only adds "root" to the negative cache in case there's
any other user or group set up to be added.
As SSSD doesn't handle "root", it should *always* be added to the
negative cache.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r-- | src/responder/common/negcache.c | 88 |
1 files changed, 54 insertions, 34 deletions
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 376c3e656..fc5ae76bc 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -771,8 +771,8 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 struct resp_ctx *rctx)
 {
 errno_t ret;
- bool filter_set = false;
 char **filter_list = NULL;
+ char **default_list = NULL;
 char *name = NULL;
 struct sss_domain_info *dom = NULL;
 struct sss_domain_info *domain_list = rctx->domains;
@@ -801,7 +801,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 &filter_list);
 if (ret == ENOENT) continue;
 if (ret != EOK) goto done;
- filter_set = true;
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -847,22 +846,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 /* Populate non domain-specific negative cache user entries */
 ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
 CONFDB_NSS_FILTER_USERS, &filter_list);
- if (ret == ENOENT) {
- if (!filter_set) {
- filter_list = talloc_array(tmpctx, char *, 2);
- if (!filter_list) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[0] = talloc_strdup(tmpctx, "root");
- if (!filter_list[0]) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[1] = NULL;
- }
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
 }
- else if (ret != EOK) goto done;
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -922,7 +908,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 }
 /* Populate domain-specific negative cache group entries */
- filter_set = false;
 for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) {
 conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name);
 if (!conf_path) {
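Review bot: In the non domain-specific user block (hunk at -847), a `ret == ENOENT` result now always falls through to the `for` loop, and `filter_list` is not reset before the lookup, so it may still point at the list returned by the last successful per-domain lookup. If confdb_get_string_as_list leaves its output untouched on ENOENT (its body is not visible here), one domain's filter entries would be parsed again as global ones and negatively cached for more domains than configured. Adding `filter_list = NULL;` just before the call, or running the loop only when `ret == EOK`, closes that gap. The group block (hunk at -975) has the same shape and could pick up a list left over from the user section. The enclosing function starts and ends outside these hunks.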
@@ -935,7 +920,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 CONFDB_NSS_FILTER_GROUPS, &filter_list);
 if (ret == ENOENT) continue;
 if (ret != EOK) goto done;
- filter_set = true;
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name(tmpctx, dom->names, filter_list[i],
@@ -975,22 +959,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 /* Populate non domain-specific negative cache group entries */
 ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
 CONFDB_NSS_FILTER_GROUPS, &filter_list);
- if (ret == ENOENT) {
- if (!filter_set) {
- filter_list = talloc_array(tmpctx, char *, 2);
- if (!filter_list) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[0] = talloc_strdup(tmpctx, "root");
- if (!filter_list[0]) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[1] = NULL;
- }
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
 }
- else if (ret != EOK) goto done;
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -1049,6 +1020,55 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 }
 }
+ /* SSSD doesn't handle "root", thus it'll be added to the negative cache
+ * nonetheless what's already added there. */
+ default_list = talloc_array(tmpctx, char *, 2);
+ if (default_list == NULL) {
+ ret= ENOMEM;
+ goto done;
+ }
+ default_list[0] = talloc_strdup(tmpctx, "root");
+ if (default_list[0] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ default_list[1] = NULL;
+
+ /* Populate negative cache users and groups entries for the
+ * "default_list" */
+ for (i = 0; (default_list != NULL && default_list[i] != NULL); i++) {
+ for (dom = domain_list;
+ dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
+ fqname = sss_create_internal_fqname(tmpctx,
+ default_list[i],
+ dom->name);
+ if (fqname == NULL) {
+ continue;
+ }
+
+ ret = sss_ncache_set_user(ncache, true, dom, fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to store permanent user filter for"
+ " [%s:%s] (%d [%s])\n",
+ dom->name, default_list[i],
+ ret, strerror(ret));
+ continue;
+ }
+
+ ret = sss_ncache_set_group(ncache, true, dom, fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to store permanent group filter for"
+ " [%s:%s] (%d [%s])\n",
+ dom->name, default_list[i],
+ ret, strerror(ret));
+ continue;
+ }
+ }
+ }
+
 ret = EOK;
 done: |
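Review bot: In the new "root" loop, a NULL from `sss_create_internal_fqname` (presumably an allocation failure) is skipped with a bare `continue`, so the function can still reach `ret = EOK` with "root" missing from the negative cache for that domain and nothing logged. The two allocations just above fail with ENOMEM, and the same handling fits here: `ret = ENOMEM; goto done;`. The `continue` after a failed `sss_ncache_set_user` also skips `sss_ncache_set_group` for that domain; dropping it lets the group entry still be attempted. Since the commit's stated intent is that "root" is always filtered, a one-line comment saying that these failures are deliberately best-effort, or a more visible debug level than `SSSDBG_MINOR_FAILURE`, would make the trade-off explicit. The function body begins and ends outside this hunk.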