From 2ad3a17831f33629faaa334804636ef367e2fafb Mon Sep 17 00:00:00 2001 From: Fabiano FidĂȘncio Date: Aug 31 2017 10:11:21 +0000 Subject: NEGCACHE: Always add "root" to the negative cache The current code only adds "root" to the negative cache in case there's any other user or group set up in to be added. As SSSD doesn't handle "root", it should *always* be added to the negative cache. Related: https://pagure.io/SSSD/sssd/issue/3460 Signed-off-by: Fabiano FidĂȘncio Reviewed-by: Jakub Hrozek (cherry picked from commit 1e7b7da3aa56060c26f8ba1c08318cdee77753ea)
---
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 0f95e53..be3b622 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -679,8 +679,8 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 struct resp_ctx *rctx)
 {
 errno_t ret;
- bool filter_set = false;
 char **filter_list = NULL;
+ char **default_list = NULL;
 char *name = NULL;
 struct sss_domain_info *dom = NULL;
 struct sss_domain_info *domain_list = rctx->domains;
@@ -709,7 +709,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 &filter_list);
 if (ret == ENOENT) continue;
 if (ret != EOK) goto done;
- filter_set = true;
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -755,22 +754,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 /* Populate non domain-specific negative cache user entries */
 ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, CONFDB_NSS_FILTER_USERS, &filter_list);
- if (ret == ENOENT) {
- if (!filter_set) {
- filter_list = talloc_array(tmpctx, char *, 2);
- if (!filter_list) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[0] = talloc_strdup(tmpctx, "root");
- if (!filter_list[0]) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[1] = NULL;
- }
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
 }
- else if (ret != EOK) goto done;
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -830,7 +816,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 }
 /* Populate domain-specific negative cache group entries */
- filter_set = false;
 for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) {
 conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name);
 if (!conf_path) {
@@ -843,7 +828,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 CONFDB_NSS_FILTER_GROUPS, &filter_list);
 if (ret == ENOENT) continue;
 if (ret != EOK) goto done;
- filter_set = true;
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name(tmpctx, dom->names, filter_list[i],
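Review bot: On the `ENOENT` path of the new `if (ret != EOK && ret != ENOENT)` check, `filter_list` is not reset before the `for (i = 0; (filter_list && filter_list[i]); i++)` loop that follows. Unless `confdb_get_string_as_list()` clears its output when the option is absent (not visible here), that loop walks the list left behind by the last domain-specific lookup and applies one domain's filter entries to every domain. Setting `filter_list = NULL;` immediately before the call would make the "nothing configured" case explicit. The same pattern appears in the `CONFDB_NSS_FILTER_GROUPS` hunk at -883,22 +867,9. The function body starts and ends outside these hunks, so a reset may exist out of view.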
@@ -883,22 +867,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 /* Populate non domain-specific negative cache group entries */
 ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, CONFDB_NSS_FILTER_GROUPS, &filter_list);
- if (ret == ENOENT) {
- if (!filter_set) {
- filter_list = talloc_array(tmpctx, char *, 2);
- if (!filter_list) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[0] = talloc_strdup(tmpctx, "root");
- if (!filter_list[0]) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[1] = NULL;
- }
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
 }
- else if (ret != EOK) goto done;
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -957,6 +928,55 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 }
 }
+ /* SSSD doesn't handle "root", thus it'll be added to the negative cache
+ * nonetheless what's already added there. */
+ default_list = talloc_array(tmpctx, char *, 2);
+ if (default_list == NULL) {
+ ret= ENOMEM;
+ goto done;
+ }
+ default_list[0] = talloc_strdup(tmpctx, "root");
+ if (default_list[0] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ default_list[1] = NULL;
+
+ /* Populate negative cache users and groups entries for the
+ * "default_list" */
+ for (i = 0; (default_list != NULL && default_list[i] != NULL); i++) {
+ for (dom = domain_list;
+ dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
+ fqname = sss_create_internal_fqname(tmpctx,
+ default_list[i],
+ dom->name);
+ if (fqname == NULL) {
+ continue;
+ }
+
+ ret = sss_ncache_set_user(ncache, true, dom, fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to store permanent user filter for"
+ " [%s:%s] (%d [%s])\n",
+ dom->name, default_list[i],
+ ret, strerror(ret));
+ continue;
+ }
+
+ ret = sss_ncache_set_group(ncache, true, dom, fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to store permanent group filter for"
+ " [%s:%s] (%d [%s])\n",
+ dom->name, default_list[i],
+ ret, strerror(ret));
+ continue;
+ }
+ }
+ }
+
 ret = EOK;
 done:
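Review bot: In the added loop, the `continue;` in the `sss_ncache_set_user` failure branch also skips `sss_ncache_set_group` for that domain, so one failed user insert leaves the "root" group out of the negative cache as well; dropping that `continue;` lets the group entry be attempted independently. The `if (fqname == NULL) { continue; }` branch silently ignores what looks like an allocation failure, whereas the `talloc_array`/`talloc_strdup` failures just above return `ENOMEM`; `ret = ENOMEM; goto done;` would be consistent with them. Because the function then reaches `ret = EOK;`, a caller cannot tell that "root" was left unfiltered for some domain, and these paths are logged only at `SSSDBG_MINOR_FAILURE` or not at all. Minor: `ret= ENOMEM;` is missing a space, and the `default_list != NULL` test in the loop condition is redundant after the NULL check above it.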