LDAP socket timeout, fix duplicated logs and new Samba command line options

Resolves: rhbz#2038260
Resolves: rhbz#2038268
Resolves: rhbz#2028530
Sumit Bose 2022-01-11 10:13:52 +01:00
parent 01a6a13b36
commit 3df804058d
4 changed files with 261 additions and 1 deletions


@ -0,0 +1,78 @@
From 370bf84857d5674a092f46fa5932a0c92ad5bbf5 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 24 Nov 2021 17:25:18 +0100
Subject: [PATCH] ldap: add socket timeout
During the discovery phase realmd tries to open LDAP connections to
multiple DC addresses returned by DNS. When cleaning up we have to call
ldap_destroy() to release the resources allocated for the LDAP context.
ldap_destroy() tries to send a LDAP unbind request independent of the
connection state. If the related address is block by a firewall or a not
properly routed IPv6 address there might be no reply on the TCP level
and the request might be stuck for quite some tome in the kernel.
To avoid the unexpected long delays will block realmd this patch lowers
the timeout considerably to 5s. As multiple other timeouts this value is
currently hardcoded.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1817869
---
service/realm-ldap.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/service/realm-ldap.c b/service/realm-ldap.c
index bdfb96c..f7b6d13 100644
--- a/service/realm-ldap.c
+++ b/service/realm-ldap.c
@@ -22,6 +22,7 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#include <netinet/tcp.h>
#include <errno.h>
@@ -179,6 +180,7 @@ static GSourceFuncs socket_source_funcs = {
/* Not included in ldap.h but documented */
int ldap_init_fd (ber_socket_t fd, int proto, LDAP_CONST char *url, struct ldap **ldp);
+#define LDAP_SOCKET_TIMEOUT 5
GSource *
realm_ldap_connect_anonymous (GSocketAddress *address,
@@ -202,6 +204,8 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
int opt_rc;
int ldap_opt_val;
const char *errmsg = NULL;
+ struct timeval tv = {LDAP_SOCKET_TIMEOUT, 0};
+ unsigned int milli = LDAP_SOCKET_TIMEOUT * 1000;
g_return_val_if_fail (G_IS_INET_SOCKET_ADDRESS (address), NULL);
@@ -244,6 +248,23 @@ realm_ldap_connect_anonymous (GSocketAddress *address,
if (!g_unix_set_fd_nonblocking (ls->sock, FALSE, NULL))
g_warning ("couldn't set to blocking");
+ /* Lower the kernel defaults which might be minutes to hours */
+ rc = setsockopt (ls->sock, SOL_SOCKET, SO_RCVTIMEO,
+ &tv, sizeof (tv));
+ if (rc != 0) {
+ g_warning ("couldn't set SO_RCVTIMEO");
+ }
+ rc = setsockopt (ls->sock, SOL_SOCKET, SO_SNDTIMEO,
+ &tv, sizeof (tv));
+ if (rc != 0) {
+ g_warning ("couldn't set SO_SNDTIMEO");
+ }
+ rc = setsockopt (ls->sock, IPPROTO_TCP, TCP_USER_TIMEOUT,
+ &milli, sizeof (milli));
+ if (rc != 0) {
+ g_warning ("couldn't set TCP_USER_TIMEOUT");
+ }
+
if (family == G_SOCKET_FAMILY_IPV4) {
url = g_strdup_printf ("%s://%s:%d",
use_ldaps ? "ldaps" : "ldap",
--
2.34.1
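Review bot: The third setsockopt call in the hunk uses TCP_USER_TIMEOUT, a Linux-only option from <netinet/tcp.h>, without a feature guard, so realm-ldap.c no longer compiles on a platform whose headers lack it; wrapping that one call in `#ifdef TCP_USER_TIMEOUT` … `#endif` keeps the SO_RCVTIMEO/SO_SNDTIMEO path as the portable fallback. The three warnings also drop the failure reason, and a missing timeout is exactly the hang this patch is meant to bound, so `g_warning ("couldn't set SO_RCVTIMEO: %s", g_strerror (errno));` (and likewise for the other two) makes a silently unbounded socket diagnosable from the log, with errno.h already included in this file. The commit message explains that 5 s is deliberately hardcoded like the other timeouts, but nothing in the code says so; a one-line comment above `#define LDAP_SOCKET_TIMEOUT 5` such as `/* bounds connect/unbind to an unreachable DC; hardcoded like the other timeouts */` would save the next reader a trip through the history. realm_ldap_connect_anonymous starts before and continues after the hunk.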


@ -0,0 +1,128 @@
From 68f73b78a34299ee37dd06e2ab3ede8985fa277b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Dec 2021 15:32:32 +0100
Subject: [PATCH] samba: use new Samba-4.15 command line options
Samba-4.15 changed a couple of command line options of the net utility.
This patch adds a configure option to select the new or the old style.
If the option is not used configure tries to call the net utility to
check for the options. If this fails the old style is used.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2028530
---
configure.ac | 34 ++++++++++++++++++++++++++++++++++
service/realm-samba-enroll.c | 18 +++++++++++++-----
2 files changed, 47 insertions(+), 5 deletions(-)
diff --git a/configure.ac b/configure.ac
index ea51f92..ddc25d0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -227,6 +227,40 @@ LDAP_CFLAGS=""
AC_SUBST(LDAP_LIBS)
AC_SUBST(LDAP_CFLAGS)
+# -------------------------------------------------------------------
+# Samba
+
+AC_ARG_WITH(new-samba-cli-options,
+ AS_HELP_STRING([--with-new-samba-cli-options=yes/no],
+ [Use new command line options introduced with Samba-4.15,
+ if not provided the output of 'net help' is checked or old
+ style options are used]))
+
+if test "$with_new_samba_cli_options" = "no"; then
+ AC_MSG_RESULT([Using old Samba command line options])
+elif test "$with_new_samba_cli_options" = "yes"; then
+ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
+ [Use new command line options introduced with Samba-4.15])
+ AC_MSG_RESULT([Using new Samba command line options])
+else
+ AC_PATH_PROG([SAMBA_NET], [net])
+ if test ! -x "$SAMBA_NET"; then
+ AC_MSG_NOTICE([Could not find Samba's net utility, ]
+ [assuming old style command line options, ]
+ [please install the net utility for proper detection.])
+ else
+ AC_MSG_CHECKING([for --debug-stdout option of net])
+ if AC_RUN_LOG([$SAMBA_NET help 2>&1 |grep -- '--debug-stdout' > /dev/null]); then
+ AC_DEFINE_UNQUOTED(WITH_NEW_SAMBA_CLI_OPTS, 1,
+ [Use new command line options introduced with Samba-4.15])
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+fi
+
+
# -------------------------------------------------------------------
# Directories
diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index 5624a08..8b2ee38 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -37,6 +37,14 @@
#include <sys/socket.h>
#include <netdb.h>
+#ifdef WITH_NEW_SAMBA_CLI_OPTS
+#define SMBCLI_KERBEROS "--use-kerberos=required"
+#define SMBCLI_CONF "--configfile"
+#else
+#define SMBCLI_KERBEROS "-k"
+#define SMBCLI_CONF "-s"
+#endif
+
typedef struct {
GDBusMethodInvocation *invocation;
gchar *join_args[8];
@@ -260,7 +268,7 @@ begin_net_process (JoinClosure *join,
/* Use our custom smb.conf */
g_ptr_array_add (args, (gpointer)realm_settings_path ("net"));
if (join->custom_smb_conf) {
- g_ptr_array_add (args, "-s");
+ g_ptr_array_add (args, SMBCLI_CONF);
g_ptr_array_add (args, join->custom_smb_conf);
}
@@ -370,7 +378,7 @@ on_join_do_keytab (GObject *source,
} else {
begin_net_process (join, NULL,
on_keytab_do_finish, g_object_ref (task),
- "-k", "ads", "keytab", "create", NULL);
+ SMBCLI_KERBEROS, "ads", "keytab", "create", NULL);
}
g_object_unref (task);
@@ -428,7 +436,7 @@ begin_join (GTask *task,
begin_net_process (join, join->password_input,
on_join_do_keytab, g_object_ref (task),
"-U", join->user_name,
- "-k", "ads", "join", join->disco->domain_name,
+ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
join->join_args[0], join->join_args[1],
join->join_args[2], join->join_args[3],
join->join_args[4], NULL);
@@ -437,7 +445,7 @@ begin_join (GTask *task,
} else {
begin_net_process (join, NULL,
on_join_do_keytab, g_object_ref (task),
- "-k", "ads", "join", join->disco->domain_name,
+ SMBCLI_KERBEROS, "ads", "join", join->disco->domain_name,
join->join_args[0], join->join_args[1],
join->join_args[2], join->join_args[3],
join->join_args[4], NULL);
@@ -543,7 +551,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
join->envvar = g_strdup_printf ("KRB5CCNAME=%s", cred->x.ccache.file);
begin_net_process (join, NULL,
on_leave_complete, g_object_ref (task),
- "-k", "ads", "leave", NULL);
+ SMBCLI_KERBEROS, "ads", "leave", NULL);
break;
default:
g_return_if_reached ();
--
2.34.1
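Review bot: The autodetection in the configure.ac hunk greps `net help` for `--debug-stdout`, an option realmd never passes, as a proxy for `--use-kerberos` and `--configfile`; checking for the option that is actually used, `if AC_RUN_LOG([$SAMBA_NET help 2>&1 | grep -- '--use-kerberos' > /dev/null]); then`, ties the probe to what realm-samba-enroll.c depends on. Because the choice is frozen at build time, a `net` binary of the other generation than the one configure saw would presumably make every join/leave fail with an unknown-option error, so a comment above the `SMBCLI_KERBEROS`/`SMBCLI_CONF` defines stating that they must match the installed Samba generation (and pointing at `--with-new-samba-cli-options`) would help whoever debugs that. Whether `-k` on pre-4.15 Samba behaves like `--use-kerberos=required` rather than a weaker mode cannot be confirmed from this page and is worth stating in the same comment, since `required` is the stricter setting. The explicit `=yes`/`=no` branches call AC_MSG_RESULT without a preceding AC_MSG_CHECKING; AC_MSG_NOTICE is the matching macro for a free-standing status line.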


@ -0,0 +1,38 @@
From 720ddd02100ab8592e081aed425c9455b397a462 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 25 Nov 2021 14:36:10 +0100
Subject: [PATCH] syslog: avoid duplicate log messages
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2024248
---
service/realm-diagnostics.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/service/realm-diagnostics.c b/service/realm-diagnostics.c
index 850b2e3..6aa5288 100644
--- a/service/realm-diagnostics.c
+++ b/service/realm-diagnostics.c
@@ -55,12 +55,20 @@ log_syslog_and_debug (GDBusMethodInvocation *invocation,
while ((ptr = memchr (at, '\n', length)) != NULL) {
*ptr = '\0';
if (line_buffer && line_buffer->len > 0) {
+#ifdef WITH_JOURNAL
+ /* Call realm_daemon_syslog directly to add
+ * REALMD_OPERATION to the jounrnal */
realm_daemon_syslog (operation, log_level, "%s%s", line_buffer->str, at);
+#else
g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s%s", line_buffer->str, at);
+#endif
g_string_set_size (line_buffer, 0);
} else {
+#ifdef WITH_JOURNAL
realm_daemon_syslog (operation, log_level, "%s", at);
+#else
g_log (G_LOG_DOMAIN, G_LOG_LEVEL_DEBUG, "%s", at);
+#endif
}
*ptr = '\n';
--
2.34.1
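Review bot: The two build configurations now log the same line at different levels: the `WITH_JOURNAL` branches pass `log_level` to realm_daemon_syslog, while the `#else` branches keep the pre-existing `G_LOG_LEVEL_DEBUG` call, so a journal build may emit these lines at a higher level than a non-journal build. If that difference is intended, a comment above the first `#ifdef` should say so, because the asymmetry reads like an oversight. The new comment also has a typo, `jounrnal`, and would be more useful if it named the duplication it removes; presumably the `g_log` path was previously reaching syslog a second time through a handler, but that handler lies outside the hunk, so confirm before writing it down. A suggested wording: `/* With journal support, log through realm_daemon_syslog directly so the entry carries REALMD_OPERATION and is not emitted a second time via the g_log handler. */`. `operation` and `log_level` come from the signature of log_syslog_and_debug, which is outside the hunk.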


@ -1,6 +1,6 @@
Name: realmd
Version: 0.17.0
Release: 7%{?dist}
Release: 8%{?dist}
Summary: Kerberos realm enrollment service
License: LGPLv2+
URL: https://gitlab.freedesktop.org/realmd/realmd
@ -14,6 +14,16 @@ Patch4: 0001-doc-add-computer-name-to-realm-man-page.patch
# rhbz#1978255 - regression in realmd/Sanity/realmd-service-sanity
Patch5: ipa-packages.patch
# rhbz#2038260 - realmd operations hang if a DC is unreachable
Patch6: 0001-ldap-add-socket-timeout.patch
# rhbz#2038268 - realmd logs are duplicated
Patch7: 0001-syslog-avoid-duplicate-log-messages.patch
# rhbz#2028530 - realm join needs to updated to use the command line options of
# Samba's net command
Patch8: 0001-samba-use-new-Samba-4.15-command-line-options.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: automake
@ -98,6 +108,12 @@ make install DESTDIR=%{buildroot}
%doc ChangeLog
%changelog
* Mon Jan 10 2022 Sumit Bose <sbose@redhat.com> - 0.17.0-8
- LDAP socket timeout, fix duplicated logs and new Samba command line options
Resolves: rhbz#2038260
Resolves: rhbz#2038268
Resolves: rhbz#2028530
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.0-7
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688